Configure your firewall

This page lists domains and IP addresses that must be accessible for basic product functionality and for use of more advanced features such as Security Connector, ETP Client, and Zero Trust Client.

Make sure you allow these domains and IP addresses in your organization’s firewall. For instructions, see the product documentation for your organization's enterprise firewall.

📘

If you have a web proxy or next-generation firewall (NGFW) deployed in your environment, you may also need to configure your network settings to bypass SSL inspection and authentication for Akamai domains. This ensures direct and uninterrupted connectivity to Akamai services.

SIA

To use SIA, make sure you allow these domains.

| Hostname | Description | Protocol | Port | Direction |
| --- | --- | --- | --- | --- |
| *.akaetp.net | HTTP data path of the proxy. DoT connection for Security Connector DNS Forwarder and ETP Client 3.2.0 or later. For Security Connector DNS Forwarder, dot is the Application-Layer Protocol Negotiation (ALPN) value. | Transmission Control Protocol (TCP) | For ETP Client, the port you need to allow depends on the port configured in the policy; a policy can select port 443 or 853 for DoT. For DNS Forwarder, the port you need to allow (443 or 853) depends on the port configured in Security Connector for the DNS Forwarder configuration. | Outbound |
| Full hostname of identity provider | Identity provider | TCP | 443 | Outbound |
| *.dialin.go.akamai-access.com | Identity connectors | TCP | 443 | Outbound |
| error.etp.akamai.com | SIA Error Pages | TCP | 80, 443 | Outbound |
| *.akamai.com, or these specific domains: clock-a.akamai.com, clock-b.akamai.com, clock-c.akamai.com, clock-d.akamai.com, clock-e.akamai.com, clock-f.akamai.com, clock-g.akamai.com, clock-h.akamai.com | Network Time Protocol (NTP) | UDP | 123 | Outbound |
| <SIADNS_IPv4_1> and <SIADNS_IPv4_2>, or <SIADNS_IPv6_1> and <SIADNS_IPv6_2> (see the note on SIA DNS servers below) | SIA DNS Servers | UDP | 53 | Outbound |
| <config_ID>.dot.akaetp.net, where <config_ID> is the configuration ID | Domain for DNS over TLS (DoT) | TCP | 853 | Outbound |
| <config_ID>.doh.akaetp.net, where <config_ID> is the configuration ID | Domain for DNS over HTTPS (DoH) | TCP | 443 | Outbound |
| nevada.proxy.akaetp.net | Connections to SIA Proxy | TCP | 443 | Outbound |

SIA DNS servers:

  • <SIADNS_IPv4_1> and <SIADNS_IPv4_2> are the primary and secondary IPv4 addresses of the SIA DNS servers.
  • <SIADNS_IPv6_1> and <SIADNS_IPv6_2> are the primary and secondary IPv6 addresses of the SIA DNS servers.

These DNS servers are assigned to your SIA account. Only allow the IPv6 server addresses if your organization uses IPv6.

📘

The configuration ID can be found in the URL of a SIA page. To learn how to find this identifier, see Get your configuration ID.

You should also allow access to all hostnames that you or another administrator configured with the bypass action. Hostnames with the bypass action are directed to the Internet and do not go through SIA Proxy. For instructions, see the product documentation for your organization’s enterprise firewall.

If you want to prevent users from bypassing SIA and connecting directly to open recursive DNS servers on the Internet, block this port:

| Hostname | Description | Protocol | Port | Direction |
| --- | --- | --- | --- | --- |
| All | Port where DNS servers listen for queries | TCP / UDP | 53 | Outbound |
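As an added example (not part of the Akamai documentation), the following Python script encodes the SIA allow-list table above together with the port-53 block rule, and audits constructed firewall log lines for two misconfigurations: required SIA flows that the firewall denied, and port-53 DNS allowed to any resolver other than the SIA DNS servers (the only port-53 traffic that should pass). The log line format, the placeholder SIA DNS addresses, and the hostnames in the sample lines are assumptions.

```python
import fnmatch
import re

SIA_DNS = {"192.0.2.10", "192.0.2.11"}  # placeholder; the real ones are assigned to your account

def sia_allow_rules(dot_port):
    """Encode the SIA allow-list table; dot_port is the DoT port chosen in the policy."""
    if dot_port not in (443, 853):
        raise ValueError("the policy offers only 443 or 853 for DoT")
    return [
        # (hostname pattern, protocol, allowed ports); '*' also spans dots
        ("*.akaetp.net", "tcp", {dot_port}),          # proxy data path / DoT
        ("error.etp.akamai.com", "tcp", {80, 443}),   # SIA error pages
        ("*.akamai.com", "udp", {123}),               # NTP (clock-a..h.akamai.com)
        ("*.dot.akaetp.net", "tcp", {853}),           # <config_ID>.dot.akaetp.net
        ("*.doh.akaetp.net", "tcp", {443}),           # <config_ID>.doh.akaetp.net
        ("nevada.proxy.akaetp.net", "tcp", {443}),    # SIA Proxy
    ]

def allowed(host, proto, port, rules):
    return any(fnmatch.fnmatchcase(host, pat) and proto == p and port in ports
               for pat, p, ports in rules)

# Hypothetical egress log format; adjust the regex for your firewall's logs.
LOG_RE = re.compile(r"proto=(\w+) .*?dst=(\S+) dport=(\d+) action=(\w+)")

def audit(lines, dot_port=853):
    """Flag required SIA flows that were denied, and port-53 DNS that was
    allowed to anything other than the SIA DNS servers (the bypass to block)."""
    rules = sia_allow_rules(dot_port)
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        proto, dst, port, action = m[1].lower(), m[2].lower(), int(m[3]), m[4].lower()
        if action == "deny" and allowed(dst, proto, port, rules):
            findings.append(("required_flow_denied", dst, proto, port))
        elif action == "allow" and port == 53 and dst not in SIA_DNS:
            findings.append(("dns_bypass_allowed", dst, proto, port))
    return findings

# Constructed sample log lines (TEST-NET addresses, made-up hostnames).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z fw proto=tcp src=10.0.0.5 dst=data.akaetp.net dport=853 action=deny
2024-05-01T10:00:02Z fw proto=udp src=10.0.0.5 dst=198.51.100.53 dport=53 action=allow
2024-05-01T10:00:03Z fw proto=udp src=10.0.0.5 dst=192.0.2.10 dport=53 action=allow
2024-05-01T10:00:04Z fw proto=tcp src=10.0.0.5 dst=nevada.proxy.akaetp.net dport=443 action=allow
""".splitlines()
```

Running `audit(SAMPLE_LOG, dot_port=853)` reports the denied DoT flow and the allowed DNS to the external resolver; with `dot_port=443` the denied flow on 853 is no longer a required one and only the DNS bypass remains.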

Security Connector

To use Security Connector, make sure you allow these domains.

| Hostname | Description | Protocol | Port | Direction |
| --- | --- | --- | --- | --- |
| *.akaetp.net | HTTP data path of the proxy. DoT connection for Security Connector DNS Forwarder. For Security Connector DNS Forwarder, dot is the Application-Layer Protocol Negotiation (ALPN) value. | Transmission Control Protocol (TCP) | The port you need to allow (443 or 853) depends on the port configured in Security Connector for the DNS Forwarder configuration. | Outbound |
| *.dot.dns.akasecure.net | | | | Outbound |
| etpcas.akamai.com | Control channel of Security Connector | TCP | 443 | Outbound |
| sinkhole-etp.akamaietp.net | Control channel for Security Connector logs | TCP | 443 | Outbound |
| amg.nevada.akamai.com | Control channel of Security Connector | TCP | 443 | Outbound |
| upgrade.terra.akamai.com | Used for Security Connector upgrades. Security Connector contacts this domain to complete the upgrade operation. | TCP | 443 | Outbound |
| *.dot.tl53.net | Domain for DNS over TLS (DoT) in China. This domain is required only for DNS protection in China. To learn more about DNS protection in China, see Enable DNS Protection in China. | TCP | 443 or 853. The port you need to allow depends on the port configured in Security Connector for DNS Forwarder. | Outbound |

ETP Client

To use ETP Client, make sure you allow these domains.

| Hostname | Description | Protocol | Port | Direction |
| --- | --- | --- | --- | --- |
| *.akaetp.net | HTTP data path of the proxy. DoT connection. | Transmission Control Protocol (TCP) | The port you need to allow depends on the port configured in the policy; a policy can select port 443 or 853 for DoT. | Outbound |
| etpcas.akamai.com | Control channel of ETP Client | TCP | 443 | Outbound |
| dnsclient.etp.akamai.com | Connectivity probe for ETP Client | TCP | 443 | Outbound |
| <config_ID>.dot.akaetp.net, where <config_ID> is the configuration ID | Domain for DNS over TLS (DoT) | TCP | 853 or 443. The port depends on the port selected for DoT in the policy. | Outbound |
| *.o.lencr.org | OCSP servers used for DoT on ETP Client | TCP | 80 | Outbound |
| *.c.lencr.org | Used for CRL distribution. Allow this domain when DoT is enabled for ETP Client; it allows your system to access the CA distribution points. | TCP | 80 | Outbound |
| etpclient<configID>.akadns.net, where <configID> is the configuration ID (if you prefer, you can specify *.akadns.net instead) | ETP Client DNS probe | TCP | 53, 443 | Outbound |
| etpclient<configID>.akadns.net | ETP Client DNS probe | UDP | 53 | Outbound |

Zero Trust Client

If your organization uses Zero Trust Client (ZTC) and has enabled Threat Protection, you need to allow these domains in your organization’s firewall. To see a complete list of domains and IP addresses that you should allow based on the services you’ve enabled in ZTC, see the Zero Trust Client documentation.

🚧

The akamai-zt.com subdomains listed below are subject to change with little or no notice. We recommend that you allow the wildcard domain *.akamai-zt.com to proactively enable access to any future domains Akamai may add. This ensures that new or changed domains do not require you to update your firewall rules.

| Hostname | Description | Protocol | Port | Direction |
| --- | --- | --- | --- | --- |
| *.akaetp.net | HTTP data path of the proxy. DoT connection. | Transmission Control Protocol (TCP) | The port you need to allow depends on the port configured in the policy; a policy can select port 443 or 853 for DoT. | Outbound |
| etpcas.akamai.com | Control channel of the client | TCP | 443 | Outbound |
| registration.akamai-zt.com | Connections to ZTC registration service | TCP | 443 | Outbound |
| epms.akamai-zt.com | Control channel of ZTC configuration | TCP | 443 | Outbound |
| client-inventory-service.akamai-zt.com | Client inventory service for ZTC | TCP | 443 | Outbound |
| client.akamai-zt.com | Core client functionality | TCP | 443 | Outbound |
| ipinfo.io | IP address data | TCP | 443 | Outbound |
| connector-repository.akamai-zt.com | Access connector repository | TCP | 443 | Outbound |
| dnsclient.etp.akamai.com | Connectivity probe for the client | TCP | 443 | Outbound |
| <config_ID>.dot.akaetp.net, where <config_ID> is the configuration ID | Domain for DNS over TLS (DoT) | TCP | 853 or 443. The port depends on the port selected for DoT in the policy. | Outbound |
| *.o.lencr.org | OCSP servers used for DoT on the client | TCP | 80 | Outbound |
| *.c.lencr.org | Used for CRL distribution. Allow this domain when DoT is enabled for the client; it allows your system to access the CA distribution points. | TCP | 80 | Outbound |
| etpclient<configID>.akadns.net, where <configID> is the configuration ID (if you prefer, you can specify *.akadns.net instead) | Zero Trust Client DNS probe | TCP | 53, 443 | Outbound |
| etpclient<configID>.akadns.net | Zero Trust Client DNS probe | UDP | 53 | Outbound |