Network troubleshooter guide

If Tresorit desktop and mobile clients indicate that there is an issue with your internet connection, yet it seems to work fine in your browser and other apps, there are a number of steps you can take to find and resolve the issue:

1. Check the service status page to see if there are any issues on our end
   When an incident affects the availability of our service, we will update the status page first. In the unlikely event of a service outage, there is likely nothing you can do to resolve the issue on your own - we will be working hard to get everything back up, so keep checking the status page for updates.

2. If you need to use a proxy server, check if the proxy settings in Tresorit are correct
   Tresorit will try its best to detect the correct configuration by looking at the proxy settings used by your browser, but this might fail. You can manually configure proxy settings (and disable using one altogether) both before and after logging in:

   • Settings tab
   • Login page

   1. Open your Tresorit desktop app.
   2. Head to the Settings tab.
   3. Navigate to Network.
   4. Under Proxy, select Manual.
   5. Change proxy settings on the pop-up. On this window you can configure your HTTP, Socks 4 or Socks 5 proxy. You can also add your username and password if your proxy requires authentication.
   6. Click Set proxy when you are done.

   1. Click Open proxy.

      

   2. Select Manual.

      

   3. Enter your proxy configuration.
   4. Click Set proxy when you are done.

    

3. Make sure outgoing connections are permitted
   Check if Tresorit works when firewall, intrusion detection and anti-virus software are disabled - if so, you will likely have to configure them to allow Tresorit to connect to remote servers. A detailed list of IP ranges and hosts to add to your allowlist are available in the next section, but for most consumer grade firewall software, simply allowing the application to establish outgoing connections is enough.

4. Disable TLS interception and similar features
   Tresorit is not compatible with firewalls and security software that perform TLS interception. We maintain our own list of trusted certificate authorities, and as such, enterprise certificate authorities imported into the system’s certificate store required for such security software to work have no effect. Our desktop and mobile clients use mutual TLS authentication when communicating with our servers, so even if such certificates were to be taken into account, interception would not be possible. This is by design. If for some reason you cannot disable TLS interception, you can still use our web client, provided that such software does not modify the actual requests and responses.

5. Contact our support team for help
   If everything seems to be set up correctly, but the issues persist, we are here to help.

Firewall settings

To help you configure firewall appliances on enterprise networks (and even some firewall software), we publish the list of IP ranges and hostnames you need to add to your allowlist in order to let Tresorit connect to our servers:

• List of hostnames

• List of IP ranges

These lists are published as UTF-8 encoded CSV files. Their URL is stable and may be used by scripts to update firewall settings automatically. The second column includes a list of tags that indicate which parts of our service requires that particular hostname or IP range to be allowed.

Our applications connect to these servers via the following TCP ports:

• HTTPS (443) - used for all communication between the application and our servers

• HTTP (80) - used to fetch Certificate Revocation Lists (CRLs)

Tresorit’s servers are hosted in Microsoft Azure. Many of the hostnames in the list point to services that have no fixed IP address, so the list of IP ranges is quite large. It is assembled by filtering the IP ranges published by Microsoft for specific products and regions, so these will include IP addresses that belong to other tenants of Microsoft’s public cloud. If you are able to, we recommend that you set up hostname based filtering (or a combination of IP and hostname based filtering). You can rely on HTTPS connections established by Tresorit clients to use server name indication.

If you have configured Tresorit to use single sign-on, you will also need to ensure that outgoing connections to your identity provider are allowed. Contact your identity provider for more information.

Frequently asked questions

Why are you using HTTP? Isn’t that insecure?

Almost all communication between our clients and servers use HTTPS, and are thus secured by TLS. There is one notable exception: certificate revocation lists (CRLs) are fetched over HTTP. These lists are already signed by the certificate authority, and fetching them over HTTP is actually considered to be standards-compliant behavior - for more information on the rationale behind this, read the “Security Considerations” section of RFC 5280.

Note: The end-to-end encrypted security model of Tresorit does not assume that TLS is secure - your data that is transmitted in the encrypted tunnel is already encrypted with keys only you and the people you have chosen to share your data with have access to.

Why does mutual TLS authentication prevent TLS interception?

Firewalls performing TLS interception break TLS connections in half: clients connecting through such a firewall are actually establishing TLS connections with the firewall, validating the firewall’s certificate (usually issued by an enterprise CA under the control of the organization operating the firewall), and the firewall establishes its own connections to the server. Mutual TLS authentication relies on the client presenting a client certificate to the server - but since there is no direct trust relationship between the server and the client if the connection has been intercepted, it cannot do so. Any certificate presented by the client would be seen by the firewall, but since the firewall does not have the private key for the certificate used by the client, it cannot present it to the server on the other side.

Network connection checker

To help diagnose network issues (such as blocked connections, TLS interception, etc.) we have created a small command-line utility you can run to check that connections to the required hosts can be made: