Configure your firewall

You need to configure your enterprise firewall to allow or block specific domains and ports.

To configure your firewall, update your enterprise firewall to allow traffic to these domains and ports required for specific ​SIA​ features:

HostnameDescriptionProtocolPortDirection
*.akaetp.net

Note: For Security Connector DNS Forwarder, dot is the Application-Layer Protector Navigation (ALPN).
HTTP data path of ​SIA​ Proxy

DoT connection for Security Connector DNS Forwarder and ​ETP Client​ 3.2.0 or later
Transfer control protocol (TCP)For ​SIA​ Client, the port you need to allow depends on the port that’s configured in the policy. In a policy, you can select port 443 or 853 for DoT.

For DNS Forwarder, the port you need to allow (443 or 853) depends on the port configured in Security Connector for a DNS Forwarder configuration.
Outbound
etpcas.akamai.comControl channel of ​ETP Client​ and Security ConnectorTCP443Outbound
sinkhole-etp.akamaietp.netControl channel for Security Connector logsTCP443Outbound
amg.nevada.akamai.comControl channel of Security ConnectorTCP443Outbound
dnsclient.etp.akamai.comConnectivity probe for ​ETP Client​TCP443Outbound
Full hostname of identity providerIdentity providerTCP443Outbound
*.dialin.go.akamai-access.comIdentity connectorsTCP443Outbound
error.etp.akamai.com​SIA​ Error PagesTCP80Outbound
*.akamai.com or Any IPNetwork Time Protocol (NTP)UDP123Outbound
  • <​SIA​_DNS_IPv4_1>
  • <​SIA​_DNS_IPv4_2>
OR
  • <​SIA​_DNS_IPv6_1>
  • <​SIA​_DNS_IPv6_2>
where:
  • <​SIA​_DNS_IPv4_1> and <​SIA​_DNS_IPv4_2> are the primary and secondary IPv4 addresses of the ​SIA​ DNS servers.
  • <​SIA​_DNS_IPv6_1> and <​SIA​_DNS_IPv6_2> are the primary and secondary IPv6 addresses of the ​SIA​ DNS servers.
These DNS servers are assigned to your ​SIA​ account.

Only allow the IPv6 server addresses if your organization uses IPv6.
​SIA​ DNS ServersUDP53Outbound
<config_ID>.dot.akaetp.net

where <config_ID> is the configuration ID.
Domain for DNS over TLS (DoT)TCP853Outbound
<config_ID>.doh.akaetp.net

where <config_ID> is the configuration ID.
Domain for DNS over HTTPS (DoH)TCP443Outbound

You should also allow access to all hostnames that you or another administrator configured with the bypass action. Hostnames with the bypass action are directed to the Internet and do not go through ​SIA​ Proxy. For instructions, see the product documentation for your organization’s enterprise firewall.

If you want to prevent users from bypassing ​SIA​ and connecting directly to open recursive DNS servers on the Internet, block this port:

HostnameDescriptionProtocolPortDirection
AllPort where DNS servers listen for queriesTCP / UDP53Outbound

For instructions, see the product documentation for your organization's enterprise firewall.