--- title: "Enterprise Node Communication Requirements" slug: "enterprise-node-command-and-control" updated: 2025-09-23T20:44:42Z published: 2025-09-23T20:44:42Z canonical: "docs.catchpoint.com/enterprise-node-command-and-control" --- > ## Documentation Index > Fetch the complete documentation index at: https://docs.catchpoint.com/llms.txt > Use this file to discover all available pages before exploring further. # Enterprise Node Communication Requirements Enterprise Nodes must be able to continuously communicate with Catchpoint Command & Control (C&C) to retrieve targeted tests and to report test results. This article provides best practices for allowing traffic to and from Catchpoint's C&C servers. --- ## **Quick Allowlist** - **Allow outbound traffic from your Enterprise Nodes to:** - `*.3gl.net` - `*.catchpoint.com` - **No inbound rules required.** ## **Recommended Policy** Catchpoint recommends allowing the Fully Qualified Domain Names (FQDNs) for communication between Enterprise Nodes and Command & Control (C&C). Hosts/IPs can change, so FQDN allowlisting is the simplest and most reliable method. - **FQDN allowlisting (recommended):** - Permit outbound HTTPS (443) to `*.3gl.net` and `*.catchpoint.com`. - **IP allowlisting (last resort / resilience):** - If your policy restricts the use of FQDN wildcards, or if you want added resilience against DNS issues, configure automation to pull the current C&C IPs via the REST API and allow outbound access to those IPs. (See [Getting IPs Programmatically](/v1/docs/enterprise-node-command-and-control#getting-ips-programmatically-optional) below for instructions.) If you are comfortable with the node pausing when DNS is unavailable, allowing only FQDNs is sufficient. - **Automatic failover behavior:** - Nodes try primary C&C FQDNs; if that fails, they try secondary FQDNs. - If DNS resolution fails, Nodes fall back to HTTP on port 80 using IPs so testing can continue (when permitted by policy). Static, hand-maintained IP lists are brittle. Either allow FQDN wildcards or automate IP retrieval via the API. --- #### **Connectivity & Ports** - **Outbound only** from Enterprise Nodes to C&C. - **Primary path:** HTTPS on port 443 to `*.3gl.net` / `*.catchpoint.com`. - **Fallback during DNS failure:** HTTP on port 80 to IPs (if allowed by your policy). --- ## **Getting IPs Programmatically (Optional)** Use the Catchpoint REST API to retrieve the current C&C IPs: - **Endpoint:** `GET https://io.catchpoint.com/api/v2/commandcontrol` - **Guidance:** Use the API as specified in the [Catchpoint REST API Documentation](/v1/docs/rest-api-guide). ### Sample Response (Illustration Only) **Note: This IP list is not live and may be out of date. It’s provided only as an illustration of the API response.** ``` ["64.147.163.212", "las-syn-sch-01.3gl.net", "64.147.163.54", "64.147.163.55", "64.147.163.56", "64.147.163.57", "64.79.149.218", "64.147.163.53", "las-syn-sch-02.3gl.net", "64.79.149.202", "swpt.webpagetest.org", "3.22.10.38", "139.178.87.138", "139.178.87.142", "64.79.149.104", "las-syn-sch-07.3gl.net", "64.147.163.213", "64.79.149.217", "147.75.46.198", "147.75.46.194", "147.28.148.242", "147.75.202.214", "147.75.202.218", "145.40.97.166", "145.40.97.162", "23.92.67.138", "195.242.152.2", "8.134.149.27", "147.28.148.246", "47.242.152.170", "107.155.109.98", "74.177.169.33", "20.26.76.1", "172.212.66.210", "34.48.10.113", "34.86.197.139", "48.218.233.197", "48.218.202.175", "4.145.24.152", "144.202.14.34", "9.141.22.100", "13.76.140.21", "172.211.42.108", "45.63.94.40", "135.149.76.49", "64.147.163.58", "64.147.163.59", "149.28.223.76", "las-syn-log-01.3gl.net", "64.147.163.211", "las-syn-log-02.3gl.net", "64.147.163.52", "dfw-eqx-sch-17.3gl.net", "dfw-eqx-log-17.3gl.net", "64.147.163.209", "las-syn-log-07.3gl.net", "sin-eqx-sch-01.3gl.net", "sin-eqx-log-01.3gl.net", "dfw-eqx-log-01.3gl.net", "sjc-eqx-sch-01.3gl.net", "sjc-eqx-log-01.3gl.net", "ams-eqx-log-01.3gl.net", "ams-eqx-sch-01.3gl.net", "nyc-hv-capt-01.3gl.net", "fra-hv-capt-01.3gl.net", "dfw-eqx-sch-11.3gl.net", "lhr-az-log-01.3gl.net", "lhr-az-sch-01.3gl.net", "iad-az-cc-01.3gl.net", "iad-gcp-log-01.3gl.net", "iad-gcp-sch-01.3gl.net", "nrt-az-log-01.3gl.net", "nrt-az-sch-01.3gl.net", "phx-az-capt-01.3gl.net", "sin-az-capt-01.3gl.net", "sfo-az-cc-01.3gl.net", "l11.3gl.net", "s04.3gl.net", "s05.3gl.net", "l04.3gl.net", "l05.3gl.net", "s10.3gl.net", "l10.3gl.net", "s11.3gl.net", "c04.3gl.net", "d04.3gl.net", "c05.3gl.net", "d05.3gl.net", "c10.3gl.net", "d10.3gl.net", "c11.3gl.net", "d11.3gl.net", "img.3gl.net", "nyc-vl-capt-01.3gl.net", "fra-az-capt-05.3gl.net", "sin-az-capt-05.3gl.net", "lax-hv-capt-01.3gl.net", "ams-az-capt-01.3gl.net", "sjc-vl-sch-06.3gl.net", "sea-vl-capt-01.3gl.net", "las-syn-sch-06.3gl.net", "las-syn-log-06.3gl.net", "sjc-vl-sch-01.3gl.net"] ``` --- ## **Verify Your Allowlist (Simple Health Check)** Fetch `robots.txt` from allowed domains. ### Example Health Check Request ``` curl -sSf https://s.3gl.net/robots.txt ``` ### Pass Criteria A healthy response consists of HTTP 200 and exactly the following response body: ``` User-agent: * Disallow: / ``` Note: Timeouts/name-resolution errors or intermediary 40x/50x usually indicate blocking. --- ## **Troubleshooting Tips** - **DNS errors/timeouts:** - Allow FQDNs and ensure resolvers are reachable. If you intentionally block DNS, add IP allowlisting from the API so the HTTP/80 fallback can succeed. - **HTTPS blocked:** - Permit outbound 443 to `*.3gl.net` and `*.catchpoint.com`. - **Intermittent success:** - Often due to partial allowlists. Prefer FQDN wildcards or refresh IPs from the API on a schedule. ## **Change Management** - Endpoints/IPs can change occasionally. Use the REST API to access the current IP list - Services will always live under subdomains of `3gl.net` and `catchpoint.com`. ## **Support** Questions? Contact support@catchpoint.com or open ticket via [help center](https://support.catchpoint.com/hc/en-us/).