Configure your firewall

This page lists domains and IP addresses that must be accessible for basic product functionality and for use of more advanced features such as Security Connector, ETP Client, and Zero Trust Client.

Make sure you allow these domains and IP addresses in your organization’s firewall. For instructions, see the product documentation for your organization's enterprise firewall.

📘

If you have a web proxy or next-generation firewall (NGFW) deployed in your environment, you may also need to configure your network settings to bypass SSL inspection and authentication for ​​Akamai​​ domains. This ensures direct and uninterrupted connectivity to ​​Akamai​​ services.

SIA

To use SIA, make sure you allow these domains.

HostnameDescriptionProtocolPortDirection
*.akaetp.net

📘

For Security Connector DNS Forwarder, dot is the Application-Layer Protector Navigation (ALPN).

HTTP data path of the proxy
DoT connection for Security Connector DNS Forwarder and ​​ETP Client​​ 3.2.0 or later.

Transfer control protocol (TCP)

For ​ETP Client​, the port you need to allow depends on the port that’s configured in the policy. In a policy, you can select port 443 or 853 for DoT.

For DNS Forwarder, the port you need to allow (443 or 853) depends on the port configured in Security Connector for a DNS Forwarder configuration.

Outbound
Full hostname of identity providerIdentity providerTCP443Outbound
*.dialin.go.akamai-access.comIdentity connectorsTCP443Outbound
error.etp.akamai.com

​SIA​​ Error Pages

TCP80, 443Outbound
*.akamai.com or Any IPNetwork Time Protocol (NTP)UDP123Outbound
  • <SIADNS_IPv4_1>
  • <SIADNS_IPv2_2>

OR

  • <SIADNS_IPv6_1>
  • <SIADNS_IPv6_2>

where:

  • <SIADNS_IPv4_1> and <SIADNS_IPv4_2> are the primary and secondary IPv4 addresses of the ​​SIA​​ DNS servers.
  • <SIADNS_IPv6_1> and <SIADNS_IPv6_2> are the primary and secondary IPv6 addresses of the ​​SIA​​ DNS servers.

These DNS servers are assigned to your ​​SIA​​ account.

Only allow the IPv6 server addresses if your organization uses IPv6.

​SIA​ DNS Servers

UDP53Outbound

<config_ID>.dot.akaetp.net

where <config_ID> is the configuration ID.

📘

The configuration ID can be found in the URL of a ​SIA​ page. To learn how to find this identifier, see Get your configuration ID.

Domain for DNS over TLS (DoT)TCP853Outbound

<config_ID>.doh.akaetp.net

where <config_ID> is the configuration ID.

Domain for DNS over HTTPS (DoH)TCP443Outbound
nevada.proxy.akaetp.netConnections to ​​SIA​​ ProxyTCP443Outbound

You should also allow access to all hostnames that you or another administrator configured with the bypass action. Hostnames with the bypass action are directed to the Internet and do not go through ​SIA​ Proxy. For instructions, see the product documentation for your organization’s enterprise firewall.

If you want to prevent users from bypassing ​SIA​ and connecting directly to open recursive DNS servers on the Internet, block this port:

HostnameDescriptionProtocolPortDirection
AllPort where DNS servers listen for queriesTCP / UDP53Outbound

Security Connector

To use Security Connector, make sure you allow these domains.

HostnameDescriptionProtocolPortDirection

*.akaetp.net

📘

For Security Connector DNS Forwarder, dot is the Application-Layer Protector Navigation (ALPN).

HTTP data path of the proxy
DoT connection for Security Connector DNS Forwarder.

Transfer control protocol (TCP)

For DNS Forwarder, the port you need to allow (443 or 853) depends on the port configured in Security Connector for a DNS Forwarder configuration.

Outbound

etpcas.akamai.com

Control channel of ​Security Connector

TCP

443

Outbound

sinkhole-etp.akamaietp.net

Control channel for Security Connector logs

TCP

443

Outbound

amg.nevada.akamai.com

Control channel of Security Connector

TCP

443

Outbound

upgrade.terra.akamai.comUsed for Security Connector upgrades. Security Connector contacts this domain to complete the upgrade operation.TCP443Outbound
*.dot.tl53.net

📘

This domain is required only for DNS protection in China.

Domain for DNS over TLS (DoT) in China.

To learn more about DNS protection in China, see Enable DNS Protection in China.
TCP443 or 853. The port you need to allow (443 or 853) depends on the port configured in Security Connector for DNS Forwarder.Outbound

ETP Client

To use ​ETP Client​, make sure you allow these domains.

HostnameDescriptionProtocolPortDirection

*.akaetp.net

HTTP data path of the proxy
DoT connection.

Transfer control protocol (TCP)

The port you need to allow depends on the port that’s configured in the policy. In a policy, you can select port 443 or 853 for DoT.

Outbound
etpcas.akamai.com

Control channel of ​​ETP Client​

TCP443Outbound

dnsclient.etp.akamai.com

Connectivity probe for ​ETP Client​

TCP

443

Outbound

<config_ID>.dot.akaetp.net

where <config_ID> is the configuration ID.

Domain for DNS over TLS (DoT)

TCP

853 or 443
The port configuration depends on the port selected for DoT in the policy.

Outbound

*.o.lencr.org

OCSP Servers used for DoT on ​ETP Client​

TCP

80

Outbound

*.c.lencr.org

Used for CRL distribution.

Allow this domain when DoT is enabled for ​ETP Client​. This domain allows your system to access the CA distribution points.

TCP

80

Outbound

etpclient<configID>.akadns.net

where <configID> is the configuration ID.

📘

If you prefer, you can specify *.akadns.net instead.

​ETP Client​ DNS probe

TCP

53, 443

Outbound

UDP

53

Outbound

Zero Trust Client

If your organization uses Zero Trust Client (ZTC) and has enabled Threat Protection, you need to allow these domains in your organization’s firewall. To see a complete list of domains and IP addresses that you should allow based on the services you’ve enabled in ZTC, see the Zero Trust Client documentation.

🚧

The akamai-zt.com subdomains listed below are subject to change with little or no notice. We recommend that you allow this wildcard domain: *.akamai-zt.com to proactively enable access to any future domains ​Akamai​ may add. This ensures that new or changed domains do not require that you update your firewall rules.

HostnameDescriptionProtocolPortDirection

*.akaetp.net

HTTP data path of the proxy DoT connection. Transfer control protocol (TCP)The port you need to allow depends on the port that’s configured in the policy. In a policy, you can select port 443 or 853 for DoT.Outbound
etpcas.akamai.comControl channel of ​the clientTCP443Outbound
registration.akamai-zt.comConnections to ZTC registration serviceTCP443Outbound
epms.akamai-zt.comControl channel of ZTC configurationTCP443Outbound
client-inventory-service.akamai-zt.comClient inventory service for ZTCTCP443Outbound
client.akamai-zt.comCore client functionalityTCP443Outbound
ipinfo.ioIP address dataTCP443Outbound
connector-repository.akamai-zt.comAccess connector repositoryTCP443Outbound
dnsclient.etp.akamai.comConnectivity probe for ​the clientTCP443Outbound

<config_ID>.dot.akaetp.net

where <config_ID> is the configuration ID.

Domain for DNS over TLS (DoT)

TCP

853 or 443
The port configuration depends on the port selected for DoT in the policy.

Outbound

*.o.lencr.org

OCSP Servers used for DoT on the client

TCP

80

Outbound

*.c.lencr.org

Used for CRL distribution.

Allow this domain when DoT is enabled for the client. This domain allows your system to access the CA distribution points.

TCP

80

Outbound

etpclient<configID>.akadns.net

where <configID> is the configuration ID.

📘

If you prefer, you can specify *.akadns.net instead.

Zero Trust Client DNS probe

TCP

53, 443

Outbound

UDP

53

Outbound