Configure your firewall
You need to configure your enterprise firewall to allow or block specific domains and ports.
To configure your firewall, update your enterprise firewall to allow traffic to these domains and ports required for specific SIA features:
Hostname | Description | Protocol | Port | Direction |
---|---|---|---|---|
*.akaetp.net (for Security Connector DNS Forwarder, the Application-Layer Protocol Negotiation (ALPN) identifier is dot) | HTTP data path of the SIA Proxy DoT connection for Security Connector DNS Forwarder and ETP Client 3.2.0 or later | Transmission Control Protocol (TCP) | For SIA Client, the port to allow depends on the port configured in the policy: you can select port 443 or 853 for DoT. For DNS Forwarder, the port to allow (443 or 853) depends on the port configured in the Security Connector DNS Forwarder configuration. | Outbound |
etpcas.akamai.com | Control channel of ETP Client and Security Connector | TCP | 443 | Outbound |
sinkhole-etp.akamaietp.net | Control channel for Security Connector logs | TCP | 443 | Outbound |
amg.nevada.akamai.com | Control channel of Security Connector | TCP | 443 | Outbound |
dnsclient.etp.akamai.com | Connectivity probe for ETP Client | TCP | 443 | Outbound |
Full hostname of identity provider | Identity provider | TCP | 443 | Outbound |
*.dialin.go.akamai-access.com | Identity connectors | TCP | 443 | Outbound |
error.etp.akamai.com | SIA Error Pages | TCP | 80 | Outbound |
*.akamai.com or Any IP | Network Time Protocol (NTP) | UDP | 123 | Outbound |
SIA DNS server addresses (allow the IPv6 server addresses only if your organization uses IPv6) | SIA DNS Servers | UDP | 53 | Outbound |
<config_ID>.dot.akaetp.net where <config_ID> is the configuration ID. | Domain for DNS over TLS (DoT) | TCP | 853 | Outbound |
<config_ID>.doh.akaetp.net where <config_ID> is the configuration ID. | Domain for DNS over HTTPS (DoH) | TCP | 443 | Outbound |
You should also allow access to all hostnames that you or another administrator configured with the bypass action. Hostnames with the bypass action are directed to the Internet and do not go through SIA Proxy. For instructions, see the product documentation for your organization’s enterprise firewall.
If you want to prevent users from bypassing SIA and connecting directly to open recursive DNS servers on the Internet, block this port:
Hostname | Description | Protocol | Port | Direction |
---|---|---|---|---|
All | Port where DNS servers listen for queries | TCP / UDP | 53 | Outbound |
For instructions, see the product documentation for your organization's enterprise firewall.
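The two tables above describe one egress policy: a short allow list of outbound flows, plus a block on port 53 to every other destination so that clients cannot resolve around SIA. The following is an added example, not Akamai's code or a copy of any firewall's syntax: it models a first-match-wins egress ruleset and checks it against the required flows, including the DoT port choice (443 or 853) that depends on the policy. The identity provider hostname and the SIA DNS server address are placeholders because the page does not list them, and the hosts used for the wildcard entries (`example.akaetp.net`, `ntp-example.akamai.com`, `example.dialin.go.akamai-access.com`) are constructed representatives of those wildcards.

```python
"""Egress-policy check for the SIA firewall requirements.

Added example, not Akamai's code. Models a first-match-wins egress ruleset
and checks it against the flows in the allow and block tables. Hostnames the
page leaves unspecified (identity provider, SIA DNS server) are placeholders.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "block"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None matches any destination port
    dest: str            # destination hostname glob; "*" matches anything


def decide(rules: List[Rule], proto: str, port: int, dest: str) -> str:
    """Action of the first matching rule; egress is default-deny."""
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        if not fnmatch(dest, r.dest):
            continue
        return r.action
    return "block"


def required_flows(dot_port: int, config_id: str, idp_host: str,
                   dns_server: str) -> List[Tuple[str, str, int]]:
    """Outbound flows from the allow table. dot_port is 443 or 853 per policy."""
    assert dot_port in (443, 853), "DoT runs on 443 or 853 only"
    return [
        ("example.akaetp.net", "tcp", dot_port),     # constructed *.akaetp.net host
        ("etpcas.akamai.com", "tcp", 443),
        ("sinkhole-etp.akamaietp.net", "tcp", 443),
        ("amg.nevada.akamai.com", "tcp", 443),
        ("dnsclient.etp.akamai.com", "tcp", 443),
        (idp_host, "tcp", 443),                      # placeholder identity provider
        ("example.dialin.go.akamai-access.com", "tcp", 443),  # constructed
        ("error.etp.akamai.com", "tcp", 80),
        ("ntp-example.akamai.com", "udp", 123),      # constructed *.akamai.com host
        (dns_server, "udp", 53),                     # placeholder SIA DNS server
        (f"{config_id}.dot.akaetp.net", "tcp", 853),
        (f"{config_id}.doh.akaetp.net", "tcp", 443),
    ]


def check_policy(rules: List[Rule], dot_port: int = 853,
                 config_id: str = "<config_ID>",
                 idp_host: str = "idp.example.invalid",
                 dns_server: str = "sia-dns.placeholder.invalid") -> dict:
    """Report required flows the ruleset blocks, and whether port 53 leaks."""
    flows = required_flows(dot_port, config_id, idp_host, dns_server)
    missing = [f for f in flows if decide(rules, f[1], f[2], f[0]) != "allow"]
    # Block table: DNS to any other resolver must not be reachable.
    dns_leak = any(decide(rules, proto, 53, "resolver.example.invalid") == "allow"
                   for proto in ("tcp", "udp"))
    return {"missing": missing, "dns_leak": dns_leak}


# Constructed ruleset that follows the tables but forgets DoT on port 853.
INCOMPLETE = [
    Rule("allow", "tcp", 443, "*.akamai.com"),
    Rule("allow", "tcp", 443, "*.akaetp.net"),
    Rule("allow", "tcp", 443, "*.akamaietp.net"),
    Rule("allow", "tcp", 443, "*.dialin.go.akamai-access.com"),
    Rule("allow", "tcp", 443, "idp.example.invalid"),
    Rule("allow", "tcp", 80, "error.etp.akamai.com"),
    Rule("allow", "udp", 123, "*.akamai.com"),
    Rule("allow", "udp", 53, "sia-dns.placeholder.invalid"),
    Rule("block", "any", 53, "*"),
]
COMPLETE = [Rule("allow", "tcp", 853, "*.akaetp.net")] + INCOMPLETE
PERMISSIVE = [Rule("allow", "any", None, "*")]  # allows everything, so DNS leaks


if __name__ == "__main__":
    for name, rules in (("incomplete", INCOMPLETE), ("complete", COMPLETE),
                        ("permissive", PERMISSIVE)):
        print(name, check_policy(rules))
```

Running the script shows the two failure modes a reviewer looks for: the incomplete ruleset passes every 443 flow but reports the two port-853 DoT flows as missing (only one of them when the policy selects 443 for DoT), and the permissive ruleset passes every required flow while still leaking DNS to an arbitrary resolver, which is exactly what the block-table entry prevents.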