Enterprise Node Communication Requirements

  • 2 minute(s) read
Prev Next

Enterprise Nodes must be able to continuously communicate with Catchpoint Command & Control (C&C) to retrieve targeted tests and to report test results. This article provides best practices for allowing traffic to and from Catchpoint's C&C servers.

Quick Allowlist

  • Allow outbound traffic from your Enterprise Nodes to:

    • *.3gl.net
    • *.catchpoint.com

  • No inbound rules required.

Recommended Policy

Catchpoint recommends allowing the Fully Qualified Domain Names (FQDNs) for communication between Enterprise Nodes and Command & Control (C&C). Hosts/IPs can change, so FQDN allowlisting is the simplest and most reliable method.

  • FQDN allowlisting (recommended):

    • Permit outbound HTTPS (443) to *.3gl.net and *.catchpoint.com.

  • IP allowlisting (last resort / resilience):

    • If your policy restricts the use of FQDN wildcards, or if you want added resilience against DNS issues, configure automation to pull the current C&C IPs via the REST API and allow outbound access to those IPs. (See Getting IPs Programmatically below for instructions.) If you are comfortable with the node pausing when DNS is unavailable, allowing only FQDNs is sufficient.

  • Automatic failover behavior:

    • Nodes try primary C&C FQDNs; if that fails, they try secondary FQDNs.
    • If DNS resolution fails, Nodes fall back to HTTP on port 80 using IPs so testing can continue (when permitted by policy).

Static, hand-maintained IP lists are brittle. Either allow FQDN wildcards or automate IP retrieval via the API.

Connectivity & Ports

  • Outbound only from Enterprise Nodes to C&C.
  • Primary path: HTTPS on port 443 to *.3gl.net / *.catchpoint.com.
  • Fallback during DNS failure: HTTP on port 80 to IPs (if allowed by your policy).

Getting IPs Programmatically (Optional)

Use the Catchpoint REST API to retrieve the current C&C IPs:

Sample Response (Illustration Only)

Note: This IP list is not live and may be out of date. It’s provided only as an illustration of the API response.

["64.147.163.212",  "las-syn-sch-01.3gl.net",  "64.147.163.54",  "64.147.163.55",  "64.147.163.56",  "64.147.163.57",  "64.79.149.218",  "64.147.163.53",  "las-syn-sch-02.3gl.net",  "64.79.149.202",  "swpt.webpagetest.org",  "3.22.10.38",  "139.178.87.138",  "139.178.87.142",  "64.79.149.104",  "las-syn-sch-07.3gl.net",  "64.147.163.213",  "64.79.149.217",  "147.75.46.198",  "147.75.46.194",  "147.28.148.242",  "147.75.202.214",  "147.75.202.218",  "145.40.97.166",  "145.40.97.162",  "23.92.67.138",  "195.242.152.2",  "8.134.149.27",  "147.28.148.246",  "47.242.152.170",  "107.155.109.98",  "74.177.169.33",  "20.26.76.1",  "172.212.66.210",  "34.48.10.113",  "34.86.197.139",  "48.218.233.197",  "48.218.202.175",  "4.145.24.152",  "144.202.14.34",  "9.141.22.100",  "13.76.140.21",  "172.211.42.108",  "45.63.94.40",  "135.149.76.49",  "64.147.163.58",  "64.147.163.59",  "149.28.223.76",  "las-syn-log-01.3gl.net",  "64.147.163.211",  "las-syn-log-02.3gl.net",  "64.147.163.52",  "dfw-eqx-sch-17.3gl.net",  "dfw-eqx-log-17.3gl.net",  "64.147.163.209",  "las-syn-log-07.3gl.net",  "sin-eqx-sch-01.3gl.net",  "sin-eqx-log-01.3gl.net",  "dfw-eqx-log-01.3gl.net",  "sjc-eqx-sch-01.3gl.net",  "sjc-eqx-log-01.3gl.net",  "ams-eqx-log-01.3gl.net",  "ams-eqx-sch-01.3gl.net",  "nyc-hv-capt-01.3gl.net",  "fra-hv-capt-01.3gl.net",  "dfw-eqx-sch-11.3gl.net",  "lhr-az-log-01.3gl.net",  "lhr-az-sch-01.3gl.net",  "iad-az-cc-01.3gl.net",  "iad-gcp-log-01.3gl.net",  "iad-gcp-sch-01.3gl.net",  "nrt-az-log-01.3gl.net",  "nrt-az-sch-01.3gl.net",  "phx-az-capt-01.3gl.net",  "sin-az-capt-01.3gl.net",  "sfo-az-cc-01.3gl.net",  "l11.3gl.net",  "s04.3gl.net",  "s05.3gl.net",  "l04.3gl.net",  "l05.3gl.net",  "s10.3gl.net",  "l10.3gl.net",  "s11.3gl.net",  "c04.3gl.net",  "d04.3gl.net",  "c05.3gl.net",  "d05.3gl.net",  "c10.3gl.net",  "d10.3gl.net",  "c11.3gl.net",  "d11.3gl.net",  "img.3gl.net",  "nyc-vl-capt-01.3gl.net",  "fra-az-capt-05.3gl.net",  "sin-az-capt-05.3gl.net",  "lax-hv-capt-01.3gl.net",  "ams-az-capt-01.3gl.net",  "sjc-vl-sch-06.3gl.net",  "sea-vl-capt-01.3gl.net",  "las-syn-sch-06.3gl.net",  "las-syn-log-06.3gl.net",  "sjc-vl-sch-01.3gl.net"]

Verify Your Allowlist (Simple Health Check)

Fetch robots.txt from allowed domains.

Example Health Check Request

curl -sSf https://s.3gl.net/robots.txt

Pass Criteria

A healthy response consists of HTTP 200 and exactly the following response body:

User-agent: *
Disallow: /

Note: Timeouts/name-resolution errors or intermediary 40x/50x usually indicate blocking.

Troubleshooting Tips

  • DNS errors/timeouts:

    • Allow FQDNs and ensure resolvers are reachable. If you intentionally block DNS, add IP allowlisting from the API so the HTTP/80 fallback can succeed.

  • HTTPS blocked:

    • Permit outbound 443 to *.3gl.net and *.catchpoint.com.

  • Intermittent success:

    • Often due to partial allowlists. Prefer FQDN wildcards or refresh IPs from the API on a schedule.

Change Management

  • Endpoints/IPs can change occasionally. Use the REST API to access the current IP list
  • Services will always live under subdomains of 3gl.net and catchpoint.com.

Support

Questions? Contact support@catchpoint.com or open ticket via help center.