Samsung Knox firewall exceptions
Last updated July 26th, 2023
This page lists the firewall exceptions that your organization needs to use to securely reach and connect to the Knox server and its supporting resources. It includes the URLs and port numbers that you need to allowlist in order to reach the Knox servers.
These server resources can include the following Knox services:
- Samsung license Servers — When you activate Knox services, devices need to verify their license keys. Devices periodically check their licenses a few times a week.
- Samsung SDS IAM & EMM — If you’re using an EMM, devices will need to access web-based EMM consoles and storage sites.
- Samsung ActiveSync Server — If you’re using Exchange ActiveSync, you’ll need an ActiveSync Server connection so the email client can successfully reach the ActiveSync Server.
Note
If your organization doesn’t permit connections with external servers, you can request an on-premises Knox Server to handle license verification within your firewall. Samsung charges an extra fee for this service. For more information, contact your Samsung representative or reseller.
Ports 443 and 80 must be open within your local network domain to reach Knox server resources.
Note
Knox Cloud Services can utilize both Amazon Web Services (AWS) and Google Firebase. Both services may also warrant adding to the allowlist within your organization’s firewall policy.
For information on the AWS that may require allowlist inclusion, see https://ip-ranges.amazonaws.com/ip-ranges.json.
For information on the Google Firebase services that may require allowlist inclusion, see https://firebase.google.com/docs/cloud-messaging/concept-options#ports_and_your_firewall.
The following table lists the portal exemptions required for each listed Knox server resource:
URL | Port | Knox server resource |
---|---|---|
*.samsungknox.com* *.secb2b.com |
443/80 |
Knox cloud service Knox Identity Management Single sign-on (SSO) Knox Portal |
*.samsung.com | 443/80 |
Knox Partner Portal Samsung account |
License servers for Knox products
The following Knox license server resources may be required to add to the allowlist depending on your organization’s IT policies. Additionally, if your organization’s IT policy restricts the use of a wildcard (*) to abbreviate a domain name, the FQDN may be required to reach a Knox license server. Refer to the following for license server destinations per region:
Global
URL | Port |
---|---|
analytics.samsungknox.com | - |
prod-knoxlog.secb2b.com | - |
account.samsung.com | 80|443 |
Americas
URL | Port |
---|---|
gslb.secb2b.com | 443 |
gsl.samsunggsl.com | 443 |
us-elm.secb2b.com | 443 |
us-prod-klm-b2c.secb2b.com | 443 |
us-prod-klm.secb2b.com | 443 |
usprod-knoxlog.secb2b.com | - |
EMEA
URL | Port |
---|---|
gslb.secb2b.com | 443 |
gsl.samsunggsl.com | 443 |
eu-elm.secb2b.com | 443 |
eu-prod-klm-b2c.secb2b.com | 443 |
eu-prod-klm.secb2b.com | 443 |
euprod-knoxlog.secb2b.com | - |
China
URL | Port |
---|---|
china-gslb.secb2b.com.cn | 443 |
china-elm.secb2b.com.cn | 443 |
china-b2c-klm.secb2b.com.cn | 443 |
china-prod-klm.secb2b.com.cn | 443 |
Networking requirements for Knox cloud services
The following Knox network resources may need to be added to the allowlist depending on your organization’s IT policies. Additionally, if your organization’s IT policy restricts the use of a wildcard (*) to abbreviate a domain name, the FQDN may be required to reach a Knox network deployment resource. Refer to the following for per region:
Global
URL | Port |
---|---|
knoxservices.secb2b.com | 80|443 |
pinning.secb2b.com | 80|443 |
pinning-02.secb2b.com | 80|443 |
eula.secb2b.com | 80|443 |
umc-cdn.secb2b.com | 80|443 |
me.samsungknox.com | 80|443 |
configure.samsungknox.com | 80|443 |
custom.samsungknox.com | 80|443 |
kcc-prod-repo.s3.amazonaws.com | 80|443 |
klms-dev.s3.amazonaws.com | 443 |
eu-api.samsungknox.com | - |
Americas
URL | Port |
---|---|
us-kc-portal.samsungknox.com | 443 |
us-kc.samsungknox.com | 443 |
us-kcc.samsungknox.com | 443 |
us-segd-api.secb2b.com | 443 |
us-segp-api.secb2b.com | 443 |
us-segm-api.secb2b.com | 443 |
us-kme.samsungknox.com | - |
us-kme-api.samsungknox.com | - |
us-kme-api-mssl.samsungknox.com | - |
us-kme-reseller.samsungknox.com | - |
EMEA
URL | Port |
---|---|
eu-kcc.samsungknox.com | 443 |
eu-kc-portal.samsungknox.com | 443 |
eu-kc.samsungknox.com | 443 |
eu-prod-bulk.secb2b.com | 80|443 |
eu-segd-api.secb2b.com | 80|443 |
eu-segp-api.secb2b.com | 80|443 |
eu-segm-api.secb2b.com | 80|443 |
eu-kme.samsungknox.com | - |
eu-kme-api.samsungknox.com | - |
eu-kme-api-mssl.samsungknox.com | - |
eu-kme-reseller.samsungknox.com | - |
China
URL | Port |
---|---|
china-segd-api.secb2b.com.cn | 443 |
myknoxapk.blob.core.chinacloudapi.cn | 80|443 |
Is this page helpful?