Automation Remote

Automation Remote is an on-premises virtual appliance that enables your workflows to communicate with resources inside your network that do not have access to the public internet. Because many on-premises devices are not exposed to the internet, Automation Remote bridges the gap between those devices and the cloud so that they can be incorporated into your workflows.

Automation Remote can be used in many instances where a device you need to access is not available from the public internet. This keeps your on-premises devices safely behind internal network protections and also available as targets for Automation workflows. For example:

  • On-premises ISE deployments - You can use the Automation Remote to relay API calls to the ISE deployment on the local network. This is useful for tasks such as using a workflow activity to quarantine a device.
  • On-premises Secure Firewall Management Center deployments - You can use the Automation Remote to relay API calls from the Automation cloud so that workflow activities can run on the local Secure Firewall Management Center.
  • On-premises terminal or Unix/Linux systems - You can use the Automation Remote to automate shell/terminal commands to a specific identified host within your network.

The following minimum requirements must be met for an Automation Remote virtual appliance:

  • VMware ESXi version 5.5 or newer
  • 2 vCPU
  • 2 GB RAM
  • 30 GB Disk
Note: Setting up the Automation Remote virtual appliance requires advanced understanding of how to create and manage resources in VMware. If you encounter issues within the vSphere client, contact an administrator in your organization or VMware support.

v3 OVA-based Automation Remote Connectivity

For v3 OVA-based Automation Remotes to reach the Cisco XDR cloud, outbound TCPS connectivity on port 5671 is required to the following endpoints (depending on your region):

  • North America: automate-remote-v3.us.security.cisco.com
  • Europe: automate-remote-v3.eu.security.cisco.com
  • Asia Pacific, Japan, and China: automate-remote-v3.apjc.security.cisco.com
Note: To verify an IP address in the following table, we recommend that you perform an nslookup on the URLs before adding an IP address to your security configuration.
Region Source IP Addresses
North America (NAM) 3.233.211.155
34.199.110.239
100.30.115.2
Europe (EU) 52.50.65.119
34.243.51.166
54.195.125.191
Asia Pacific, Japan, and China (APJC) 35.72.84.129
57.181.54.53
13.192.127.178

v2 OVA-based Automation Remote Connectivity (Deprecated)

Caution: v2.16 and older OVA-based Automation Remotes are deprecated. For continued support, users should replace v2.16 and older OVA virtual appliances with v3.0 or newer OVA. (See Replace Virtual Appliance)

For v2 OVA-based Automation Remotes to reach the Cisco XDR cloud, outbound TCPS connectivity on port 8883 is required to the following endpoints (depending on your region):

  • North America: automate-remote.us.security.cisco.com
  • Europe: automate-remote.eu.security.cisco.com
  • Asia Pacific, Japan, and China: automate-remote.apjc.security.cisco.com
Note: To verify an IP address in the following table, we recommend that you perform an nslookup on the URLs before adding an IP address to your security configuration.
Region Source IP Addresses
North America (NAM) 52.55.127.225
52.70.148.202
54.161.88.3
Europe (EU) 52.51.152.29
34.249.103.5
34.246.59.230
Asia Pacific, Japan, and China (APJC) 52.196.74.21
52.192.183.139
54.178.93.69

To set up an Automation Remote virtual appliance, here are the summary steps:

  1. In Automation, create a new Remote and download its configuration file.
  2. Download the virtual appliance and use VMware vSphere to deploy it.
  3. In Automation, verify that the status of the Remote is now connected.
  4. Create or configure targets to use the Remote.

For a detailed walkthrough of the steps above, see the Remote Setup and Deployment Help topic.

By default, certificates in K3s expire after 12 months. So when the certificate expires on the VM, the Remote will be disconnected from it. You'll need to set up a new replacement virtual appliance for the Remote to connect to.

Replace Virtual Appliance

It is sometimes necessary to replace a virtual appliance when certificates expire or when virtual appliances are deprecated.

To replace a virtual appliance:

  1. Navigate to Automate > Targets > Remotes, and choose the Revoke action for the disconnected Remote to void the existing connection details. The status for the Remote will change to Revoked.

  2. Shut down the previously installed virtual appliance and delete it to free up network resources such as the IP address.

  3. Refresh the page, and choose the Regenerate action to download a new configuration file.

  4. Refer to the Remote Setup and Deployment Help topic and complete the Configure and Deploy the Virtual Appliance section.

  5. Verify that the status of the Remote on the Automate > Targets > Remotes page is now connected.

Note: On May 31, 2025, Ubuntu 20.04 LTS will reach the end of its standard five-year support window. Your existing Remote configuration will continue to work. However, we recommend that you redeploy your Remote VM by completing the steps above with our most recent OVA to maintain support using Ubuntu 24.04 LTS or newer.