Agent Network Requirements

The TATER endpoint agent talks to a small, well-known set of FQDNs. When customers deploy behind a Secure Service Edge (SSE) or SASE proxy — Microsoft Global Secure Access (GSA), Zscaler Internet Access, Netskope, Cisco Umbrella, or Palo Alto Prisma Access — those FQDNs typically need to be marked as bypass / direct-route / TLS-inspection-exempt. This page is the canonical list and per-vendor configuration walkthrough.

Required FQDN allow / bypass list

Every FQDN in the table below should be:

• Allowed outbound on port 443 from agent hosts
• Bypassed from any traffic forwarding profile (don't tunnel through the SSE)
• Exempt from TLS inspection / SSL bumping — the agent uses pinned cert chains for the TATER API and can't tolerate certificate substitution

FQDN	Required for	Why bypass
api.tatersecurity.com	Scan upload, evidence jobs, all REST API traffic	Agent uses bearer-token auth + JSON; TLS inspection adds latency on every poll. Cert pinning means SSL bumping breaks auth.
www.tatersecurity.com	MSI / binary auto-update + self-hosted speed test files (/Agent/speedtest/100mb.bin, /Agent/speedtest/50mb.bin)	Speed test accuracy is destroyed by tunneling — the SSE edge becomes the test target. Update download integrity is verified by SHA256, but tunneling adds 30–90 minutes to a 13 MB MSI download in some configs.
app.tatersecurity.com	Tray menu "Open TATER App" + auto-update fallback host	Confirmed in Agent/go/internal/updater/updater.go as an allowed download host.
speed.cloudflare.com	Upload-side speed test sink (path: /__up)	Same as www.tatersecurity.com for download — tunneling makes the test useless.

Microsoft 365 endpoints (Evidence Agent)

If you use TATER's Evidence Agent for browser-based compliance evidence collection, the chromedp-driven session also needs:

FQDN	Cloud tier
login.microsoftonline.com	Commercial / GCC
login.microsoftonline.us	GCC High / DoD
graph.microsoft.com	Commercial / GCC
graph.microsoft.us	GCC High
dod-graph.microsoft.us	DoD
entra.microsoft.com / entra.microsoft.us	Entra portal
security.microsoft.com / security.microsoft.us / security.apps.mil	Defender portal
compliance.microsoft.com / compliance.microsoft.us / compliance.apps.mil	Purview portal
portal.azure.com / portal.azure.us	Azure portal (Defender XDR, audit logs)

These are all covered by Microsoft's M365 endpoint allow-list. Most SSE products ship a pre-built "Microsoft 365" or "Office 365" application/service group — using that built-in group is the easiest path.

Certificate validation / module updates

The PowerShell remediation runner loads M365 modules at runtime. If module download is blocked, scans fail at module-load time before reaching Graph:

• *.azureedge.net — Microsoft Azure CDN (Defender, Intune content)
• *.windowsupdate.com — Windows Update / patch metadata
• crl.microsoft.com, oneocsp.microsoft.com, www.microsoft.com/pki/* — certificate revocation
• www.powershellgallery.com, psg-prod-*.azureedge.net — PowerShell module gallery (only required if your environment downloads modules at runtime; air-gapped + bundled environments don't need this)

Microsoft Global Secure Access (GSA)

1. Open Microsoft Entra Admin Center → Global Secure Access → Connect → Traffic Forwarding.
2. Open the Internet Access traffic profile assigned to the device group running the TATER agent.
3. Under Custom Bypass FQDNs / IPs, add each FQDN from the Required table above.
4. Verify the Microsoft 365 Traffic Profile is enabled and assigned to the same device group — it covers the Evidence Agent endpoints automatically.
5. Save and wait 5–10 minutes for policy propagation.

Verification: on a test device, run:

Resolve-DnsName api.tatersecurity.com | Select-Object NameHost, IPAddress

You should see an Azure Front Door / Function App IP (in the 52.x or 20.x range). If you see a 100.64.x.x or other GSA edge IP, the bypass isn't applied.

Zscaler Internet Access (ZIA)

1. Sign in to Zscaler ZIA admin console.
2. Policy → URL & Cloud App Control → create a new SSL Inspection Bypass rule (or extend an existing one).
3. Add the FQDNs from the Required table to the rule's URL Categories → Custom Categories → create category "TATER Agent" with the URLs.
4. Set the rule action to Do Not Inspect.
5. Optionally, also add the FQDNs to Tunnel 2.0 Bypass if your tenant uses tunnel-based forwarding — under Administration → Hosted PAC Files or Forwarding Profile.
6. Activate the policy change.

Netskope

1. Sign in to the Netskope admin console (or your regional console).
2. Policies → SSL Decryption → add a new policy or extend the existing one.
3. Set the action to Do Not Decrypt for traffic destined to the FQDNs in the Required table.
4. Settings → Steering Configuration → Default tenant config → under Bypass, add the FQDNs as Steering Bypass entries (this prevents the traffic from being intercepted by the Netskope client at all).
5. Apply the configuration.

Cisco Umbrella (with SIG / Secure Web Gateway)

1. Sign in to Cisco Umbrella dashboard.
2. Deployments → Configuration → Domain Management → add the Required FQDNs to the Internal Domains list (this prevents Umbrella DNS resolution from being applied).
3. If using SIG / Secure Web Gateway: Policies → Web Policy → add a Selective Decryption rule with action Do Not Decrypt for the FQDNs.
4. If using AnyConnect SBL with the Umbrella roaming module: confirm the FQDNs are in the roaming client allow list.
5. Save and wait for policy to propagate (Umbrella is generally fast, 1–2 minutes).

Palo Alto Prisma Access

1. Sign in to Palo Alto Cloud Hub → Strata Cloud Manager.
2. Policies → Decryption → create a No Decrypt rule for the Required FQDNs (use a custom URL category for cleanliness).
3. Objects → Custom Objects → URL Category → create category "TATER Agent" with the FQDNs.
4. Apply the URL category to the No Decrypt rule.
5. If GlobalProtect is in tunnel-all mode: under GlobalProtect → Gateways → Agent Config → Split Tunnel, add the FQDNs to the Exclude Domain list so traffic goes direct rather than via the tunnel.
6. Push policy.

Troubleshooting

"The agent's speed test reports the wrong number"

Almost always the SSE proxy isn't bypassing www.tatersecurity.com and speed.cloudflare.com. Verify with:

curl -o /dev/null -w "%{http_code} %{speed_download}
" https://www.tatersecurity.com/Agent/speedtest/50mb.bin

If speed_download is consistently <20 MB/s on a known-fast connection, you're hitting the proxy edge.

"Auto-update fails with TLS errors"

SSL inspection is intercepting www.tatersecurity.com. The Go agent uses the system root CA store; if your SSE proxy injects its own root cert into the system store, downloads will succeed but agent integrity verification will sometimes fail because the SHA256 of the post-inspection bytes differs from the published hash. Bypass SSL inspection for these hosts.

"Evidence Agent can't sign in"

The chromedp browser session is hitting the SSE proxy login page instead of the real Microsoft sign-in. Confirm the M365 endpoints in the table above are bypassed, and confirm the agent host's browser config doesn't have a proxy-PAC override that re-routes Microsoft traffic.

"Evidence Agent says 'authentication timeout' after 5 minutes"

The agent waits 5 minutes for the user to sign in via the Entra portal. If the SSE adds a click-through or re-auth step on every login, the user can't complete it in time. Either bypass the Microsoft endpoints (preferred) or extend the timeout (config option, but treats the symptom not the cause).

"Some scan controls return 403"

Graph permissions are correctly granted but the scan token request is being intercepted. This shows up as 403s on Graph API endpoints rather than 401s on the token endpoint. Bypass graph.microsoft.com (or the sovereign variant) and re-test.

Related

• Agent Deployment — MSI / Intune / GPO deployment of the agent itself
• Evidence Agent — the chromedp-based browser automation evidence collector
• Government Cloud Compatibility — sovereign-cloud endpoint variants for GCC High / DoD
• Settings — Tenants — where you mark a tenant credential as Commercial / GCC / GCC High / DoD