These are the lists of addresses that are accessed by Devolutions Server and the Devolutions Server Console during normal operation, as well as the setting(s) to disable/prevent this access.
We use a "best effort" approach to maintain this list, but it does not replace proper IT security practices. If security is paramount, it would be better to first block all internet access, then allowlist desired addresses as needed.

| DESCRIPTION | URL | RELATED SETTING(S) / ACTION |
|---|---|---|
| Devolutions Server update check | https://devolutions.net | Devolutions Server Console – Support – Check for Updates | 
| Devolutions Server update - package download | https://cdn.devolutions.net | User action in the upgrade available dialog | 
| PAM - Provider Azure | https://graph.microsoft.com | Azure type PAM Provider | 
| Azure Authentication | https://login.microsoftonline.com https://graph.microsoft.com | Administration – Server Settings – Authentication – Microsoft Authentication | 
| Okta Authentication | https://< domain >.okta.com | Administration – Server Settings – Authentication – Okta Authentication | 
| SMTP, Authentication Azure | https://graph.microsoft.com | Administration – Server Settings – Email – Authentication type | 
| Slack Integration | https://slack.com | Administration – Server Settings – Logging – Slack Integration | 
| Licenses | https://api.devolutions.com (only applies to 2024.3 or earlier) quoting.devolutions.com | Administration – Server Settings – Features – Enable Internet Access. | 
| Gravatar | https://secure.gravatar.com | Administration – Server Settings – Features – Enable Gravatar | 
| Have I Been Pwned | https://api.pwnedpasswords.com | Administration – Server Settings – Features – Enable compromised (pwned) check | 
| Block Tor clients | https://cloud.devolutions.net | Administration – Server Settings – Features – Block Tor clients | 
| Telemetry | https://telemetry2.devolutions.net:9200 | Administration – Server Settings – Features – Share anonymous usage data with Devolutions | 
| Push Notification | https://login.devolutions.com https://api.devolutions.com (only applies to 2024.3 or earlier) quoting.devolutions.com | Administration – Server Settings – Features – Enable Workspace Push Notification. | 
| Devolutions Send | https://send.devolutions.com | Administration – Server Settings – Features – Allow users to send password with Devolutions Send | 
| Yubikey | https://api.yubico.com https://api2.yubico.com https://api3.yubico.com https://api4.yubico.com https://api5.yubico.com | Administration – Server Settings – Multifactor | 
| Twilio | https://api.twilio.com | Administration – Server Settings – Multifactor – SMS | 
| Duo | https://api.<>.duosecurity.com | Administration – Server Settings – Multifactor – Duo | 
| Geo IP | https://geoip.maxmind.com | Administration – Server Settings – GeoIP Security | 

| DESCRIPTION | URL | RELATED SETTING(S) / ACTION |
|---|---|---|
| Devolutions Server script installation | https://redirection.devolutions.com https://iis.net https://dotnet.microsoft.com | Devolutions Server service installation | 
| Devolutions Server (instance and scheduler) and Devolutions Gateway installation | https://devolutions.net https://redirection.devolutions.com | Create a Devolutions Server instance; Devolutions Gateway configuration with Devolutions Server | 

Some URLs must be allowlisted in order for Entra ID authentication to work properly. Note that this list is based on Microsoft's current environment and may be subject to change, as it is outside of Devolutions' control.

- login.microsoftonline.com
- login.microsoft.com
- login.windows.net
- *.msauth.net
- *.msauthimages.net
- *.aadcdn.msftauth.net
- *.aadcdn.msftauthimages.net
- *.aadcdn.microsoftonline-p.com
- *.microsoftonline-p.com

These URLs are derived from Microsoft's articles on Azure portal URLs and on Microsoft 365 URLs and IP address ranges.
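
An added example, not part of the Devolutions documentation: a Python check that runs observed destination hostnames against the Entra ID list above, matching `*.` entries on a label boundary so that look-alike names do not pass. The wildcard interpretation and the sample hostnames are assumptions constructed for illustration.

```python
# Entra ID hostnames copied from the list above.
ENTRA_ALLOWLIST = [
    "login.microsoftonline.com", "login.microsoft.com", "login.windows.net",
    "*.msauth.net", "*.msauthimages.net",
    "*.aadcdn.msftauth.net", "*.aadcdn.msftauthimages.net",
    "*.aadcdn.microsoftonline-p.com", "*.microsoftonline-p.com",
]

def normalize(host):
    """Lowercase and drop the trailing root dot so comparisons are exact."""
    return host.strip().lower().rstrip(".")

def is_allowed(host, allowlist=ENTRA_ALLOWLIST):
    """True if host equals an exact entry or sits below a '*.' entry.

    Assumption: '*.' covers one or more labels under the suffix, not the
    bare suffix itself; confirm how your proxy or firewall interprets it.
    """
    host = normalize(host)
    for entry in map(normalize, allowlist):
        if entry.startswith("*."):
            suffix = entry[1:]  # keep the leading dot: match on a label boundary
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == entry:
            return True
    return False

def audit(hosts):
    """Return the observed hostnames the allowlist would block, sorted."""
    return sorted({normalize(h) for h in hosts if not is_allowed(h)})

# Constructed sample of destination hostnames, e.g. exported from an egress proxy log.
SAMPLE_HOSTS = [
    "login.microsoftonline.com",
    "LOGIN.WINDOWS.NET.",                # case and root dot must not matter
    "logincdn.msauth.net",               # covered by *.msauth.net
    "msauth.net",                        # bare suffix, not covered
    "examplemsauth.net",                 # same ending, wrong label boundary
    "login.microsoft.com.example.test",  # allowlisted name used as a prefix
    "graph.microsoft.com",               # in the table above, not in the Entra ID list
]

if __name__ == "__main__":
    for blocked in audit(SAMPLE_HOSTS):
        print("would be blocked:", blocked)
```

The `graph.microsoft.com` result shows why the Entra ID list has to be combined with the per-feature rows in the tables when building the final allowlist.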