xMatters understands that security is extremely important to you - and that means it's extremely important to us. We strive to support your security initiatives, and some of you have asked how to explicitly allow only the IP addresses that xMatters uses to communicate so that you can filter out traffic from other addresses.
Why filter IP addresses?
Some organizations and IT security departments use a mechanism where firewall or proxy rules are designed to limit network traffic to only IP addresses associated with your xMatters service. This can help to prevent communication from being hijacked or rerouted to a rogue website.
That's a good thing, right?
In fact, xMatters strongly discourages the use of IP filters. Our experience with providing emergency communications for incidents of all types, including disaster recovery and business continuity situations, has taught us that any mechanism that restricts the immediate and critical flow of communications can be a hindrance - especially in a crisis.
Although IP filtering is often seen as part of a "Defense-in-Depth" strategy for traffic shaping, the dynamic services offered by cloud providers - including xMatters - may not perform optimally with these strategies. (This is why filtering is generally used only for our EPIC client or Integration Agent, and not for the xMatters service or web user interface.) In fact, the high-availability protocols used by cloud services, such as geographic and high-IP-range load balancing, can produce a denial-of-service (DOS) issue if the load balancing systems require an IP change.
To help provide the best security possible without impacting the free flow of events and notifications, we provide a full range of application-level access management and control, including native and federated secure login, and data-in-transit protection via HTTPS/TLS.
We also encourage customers to employ domain-based filtering (*.xmatters.com) instead.
What if this is a security requirement?
If you have stringent security policies (or anti-malware software - see below) that require IP filtering, we provide the xMatters IP ranges in a machine readable format, available at the links below.
This option does come with some caveats, however...
- You must explicitly allow ALL of the IP ranges provided. xMatters services can and will "move around" within the specified ranges.
- The list can change at any time, and you will need to implement a mechanism that either allows you to dynamically update your filters or notifies you when the list changes. (You can also "follow" this article using the button beside the title - we'll add a comment to this page whenever the IP ranges need to be updated.)
- We cannot tell when, how, or if you are filtering IPs on your system; you must be able to proactively identify whether you need to modify your own network settings.
- You must maintain and update this list in all applicable applications. If you are using IP filtering within an application that connects to xMatters (such as ServiceNow or another of our many available integrations), changes to the IP ranges could affect the ability to write information back into your application. You will need to make sure you handle these in-product lists over and above any filtering being performed at the firewall level.
There's always an exception: anti-malware software
Some anti-malware software can interfere with xMatters notifications, specifically anti-malware tools that inspect the links on incoming notifications. If your organization uses email scanning software such as Proofpoint, you may need to explicitly allow the xMatters IP ranges to avoid invoking the response URLs offered in email notifications.
Consult with your anti-malware software vendor to determine how to configure your settings to allow xMatters notifications.
Links to xMatters IP ranges
- All xMatters IPs:
- Inbound IPs only (from your system to xMatters):
- Outbound IPs only (from xMatters to your system):
xMatters Email Domains
Similar to IP ranges, some customers may need to implement catered mail server rules that only permit incoming messages from specific email domains. Also similar to IP ranges, we send emails that can be validated as coming from xMatters and highly encourage customers to trust those instead of a static list of IPs and domains.
But for those customers that require them, the email domains currently used by xMatters are as follows:
Filters should be based on the MAIL FROM header, and not the "From" field. Also of note: the xMatters email relay IPs are included in the list of outbound IP ranges linked above.
Should those domains change, we'll add a comment below, so be sure to "Follow" this article.