Configure your firewall

You need to configure your enterprise firewall to allow or block specific domains and ports.

To configure your firewall, update your enterprise firewall to allow traffic to these domains and ports required for specific ETP features:

| Hostname | Description | Protocol | Port | Direction |
|---|---|---|---|---|
| `*.akaetp.net` | HTTP data path of ETP Proxy. DoT connection for Security Connector DNS Forwarder and ETP Client 3.2.0 or later. Note: For Security Connector DNS Forwarder, `dot` is the Application-Layer Protocol Negotiation (ALPN) protocol identifier. | Transmission Control Protocol (TCP) | For ETP Client, the port you need to allow depends on the port that's configured in the policy; in a policy, you can select port 443 or 853 for DoT. For DNS Forwarder, the port you need to allow (443 or 853) depends on the port configured in Security Connector for the DNS Forwarder configuration. | Outbound |
| `etpcas.akamai.com` | Control channel of ETP Client and Security Connector | TCP | 443 | Outbound |
| `sinkhole-etp.akamaietp.net` | Control channel for Security Connector logs | TCP | 443 | Outbound |
| `amg.nevada.akamai.com` | Control channel of Security Connector | TCP | 443 | Outbound |
| `dnsclient.etp.akamai.com` | Connectivity probe for ETP Client | TCP | 443 | Outbound |
| Full hostname of identity provider | Identity provider | TCP | 443 | Outbound |
| `*.dialin.go.akamai-access.com` | Identity connectors | TCP | 443 | Outbound |
| `error.etp.akamai.com` | ETP Error Pages | TCP | 80 | Outbound |
| `*.akamai.com` or Any IP | Network Time Protocol (NTP) | UDP | 123 | Outbound |
| *<ETPDNS_IPv4_1>* and *<ETPDNS_IPv4_2>*, or *<ETPDNS_IPv6_1>* and *<ETPDNS_IPv6_2>* (see the note below the table) | ETP DNS Servers | UDP | 53 | Outbound |
| `<config_ID>.dot.akaetp.net`, where *<config_ID>* is the configuration ID | Domain for DNS over TLS (DoT) | TCP | 853 | Outbound |
| `<config_ID>.r11.doh.dns.akasecure.net`, where *<config_ID>* is the configuration ID | Domain for DNS over HTTPS (DoH) | TCP | 443 | Outbound |

Note: *<ETPDNS_IPv4_1>* and *<ETPDNS_IPv4_2>* are the primary and secondary IPv4 addresses of the <> DNS servers, and *<ETPDNS_IPv6_1>* and *<ETPDNS_IPv6_2>* are the primary and secondary IPv6 addresses of the <> DNS servers. These DNS servers are assigned to your <> account. Only allow the IPv6 server addresses if your organization uses IPv6.

You should also allow access to all hostnames that you or another administrator configured with the bypass action. Hostnames with the bypass action are directed to the Internet and do not go through ETP Proxy. For instructions, see the product documentation for your organization’s enterprise firewall.

If you want to prevent users from bypassing ETP and connecting directly to open recursive DNS servers on the Internet, block this port:

| Hostname | Description | Protocol | Port | Direction |
|---|---|---|---|---|
| All | Port where DNS servers listen for queries | TCP / UDP | 53 | Outbound |

For instructions, see the product documentation for your organization's enterprise firewall.
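The two tables above describe an egress policy: allow port 53 only to the ETP DNS servers assigned to your account, allow the DoT, DoH, control-channel and NTP ports, and drop every other outbound DNS query. The following script is an added example of that policy as iptables rules for a Linux egress host; it is not part of this page and not Akamai's own tooling. It assumes iptables is available, that the `OUTPUT` chain is where outbound traffic is filtered, and uses constructed placeholder addresses (`192.0.2.10` and `192.0.2.11`, from the TEST-NET-1 range) where you would substitute the real *<ETPDNS_IPv4_1>* and *<ETPDNS_IPv4_2>* values. IPv6 rules are omitted in line with the table's note that you allow IPv6 addresses only if your organization uses IPv6.

```shell
#!/bin/sh
# Added example (not from the page): outbound DNS rules for ETP.
# Replace the constructed placeholder addresses with the ETP DNS server
# addresses assigned to your account.
ETPDNS_IPV4_1="${ETPDNS_IPV4_1:-192.0.2.10}"   # constructed placeholder
ETPDNS_IPV4_2="${ETPDNS_IPV4_2:-192.0.2.11}"   # constructed placeholder
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print rules, 0 = apply

# run: print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# etp_dns_rules: emit the rules in the order that matters. iptables
# evaluates a chain top to bottom, so the per-server ACCEPT rules must
# come before the catch-all DROP on port 53 or they never match.
etp_dns_rules() {
    # Allow-list: plain DNS (UDP and TCP 53) only to the ETP DNS servers.
    for ip in "$ETPDNS_IPV4_1" "$ETPDNS_IPV4_2"; do
        run iptables -A OUTPUT -p udp -d "$ip" --dport 53 -j ACCEPT
        run iptables -A OUTPUT -p tcp -d "$ip" --dport 53 -j ACCEPT
    done
    # DoT (853) and DoH / control channels (443) go to Akamai hostnames.
    # iptables matches addresses, not names, so these rules allow the ports
    # broadly; restricting them to *.akaetp.net and the other hostnames in
    # the table is the job of a hostname-aware enterprise firewall or proxy.
    run iptables -A OUTPUT -p tcp --dport 853 -j ACCEPT
    run iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
    # NTP, as listed in the table.
    run iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
    # Second table: block direct queries to any other recursive resolver.
    run iptables -A OUTPUT -p udp --dport 53 -j DROP
    run iptables -A OUTPUT -p tcp --dport 53 -j DROP
}

# check_order: sanity check that no port-53 ACCEPT follows the port-53 DROP.
# Returns 0 when the ordering is correct, 1 otherwise.
check_order() {
    etp_dns_rules | awk '
        /--dport 53 -j ACCEPT/ { if (seen_drop) bad = 1 }
        /--dport 53 -j DROP/   { seen_drop = 1 }
        END { exit bad ? 1 : 0 }'
}

# Usage: DRY_RUN=1 ./etp-dns-rules.sh prints the rules for review;
# DRY_RUN=0 applies them (run as root).
etp_dns_rules
```

Review the printed rules with `DRY_RUN=1` before applying them, and keep in mind that a host-based rule set only covers that host; the equivalent policy on the enterprise firewall must also allow the hostnames the table lists, which this IP-level script cannot express.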
