Configure your firewall

You need to configure your enterprise firewall to allow or block specific domains and ports.

To configure your firewall, allow traffic to the following domains and ports, which are required for specific SIA features:

| Hostname | Description | Protocol | Port | Direction |
|---|---|---|---|---|
| *.akaetp.net (Note: For Security Connector DNS Forwarder, dot is the Application-Layer Protocol Negotiation (ALPN) value.) | HTTP data path of SIA Proxy. DoT connection for Security Connector DNS Forwarder and ETP Client 3.2.0 or later. | Transmission Control Protocol (TCP) | For SIA Client, the port you need to allow depends on the port that's configured in the policy. In a policy, you can select port 443 or 853 for DoT. For DNS Forwarder, the port you need to allow (443 or 853) depends on the port configured in Security Connector for a DNS Forwarder configuration. | Outbound |
| etpcas.akamai.com | Control channel of ETP Client and Security Connector | TCP | 443 | Outbound |
| sinkhole-etp.akamaietp.net | Control channel for Security Connector logs | TCP | 443 | Outbound |
| amg.nevada.akamai.com | Control channel of Security Connector | TCP | 443 | Outbound |
| dnsclient.etp.akamai.com | Connectivity probe for ETP Client | TCP | 443 | Outbound |
| Full hostname of identity provider | Identity provider | TCP | 443 | Outbound |
| *.dialin.go.akamai-access.com | Identity connectors | TCP | 443 | Outbound |
| error.etp.akamai.com | SIA Error Pages | TCP | 80 | Outbound |
| *.akamai.com or Any IP | Network Time Protocol (NTP) | UDP | 123 | Outbound |
| <SIA_DNS_IPv4_1> and <SIA_DNS_IPv4_2>, OR <SIA_DNS_IPv6_1> and <SIA_DNS_IPv6_2>, where <SIA_DNS_IPv4_1> and <SIA_DNS_IPv4_2> are the primary and secondary IPv4 addresses of the SIA DNS servers, and <SIA_DNS_IPv6_1> and <SIA_DNS_IPv6_2> are the primary and secondary IPv6 addresses of the SIA DNS servers. These DNS servers are assigned to your SIA account. Only allow the IPv6 server addresses if your organization uses IPv6. | SIA DNS Servers | UDP | 53 | Outbound |
| <config_ID>.dot.akaetp.net, where <config_ID> is the configuration ID. | Domain for DNS over TLS (DoT) | TCP | 853 | Outbound |
| <config_ID>.r11.doh.dns.akasecure.net, where <config_ID> is the configuration ID. | Domain for DNS over HTTPS (DoH) | TCP | 443 | Outbound |

You should also allow access to all hostnames that you or another administrator configured with the bypass action. Hostnames with the bypass action are directed to the Internet and do not go through SIA Proxy. For instructions, see the product documentation for your organization's enterprise firewall.

If you want to prevent users from bypassing SIA and connecting directly to open recursive DNS servers on the Internet, block this port:

| Hostname | Description | Protocol | Port | Direction |
|---|---|---|---|---|
| All | Port where DNS servers listen for queries | TCP / UDP | 53 | Outbound |

For instructions, see the product documentation for your organization's enterprise firewall.
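
The page asks for two things that interact: allow UDP 53 to the SIA DNS servers, and block port 53 to all other destinations. The following added example (not Akamai code) audits a ruleset for both, assuming a firewall that evaluates rules in order with first match winning and a default deny. The DNS server addresses, the configuration ID, the test resolver address and the rule tuple format are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Constructed placeholders: use the DNS servers and configuration ID of your own account.
SIA_DNS = ["192.0.2.10", "192.0.2.11"]
CONFIG_ID = "12345"

# Subset of the allow table on this page: (protocol, port, destination pattern).
TABLE = [
    ("tcp", 443, "*.akaetp.net"),
    ("tcp", 853, "*.akaetp.net"),
    ("tcp", 443, "etpcas.akamai.com"),
    ("tcp", 443, "sinkhole-etp.akamaietp.net"),
    ("tcp", 443, "amg.nevada.akamai.com"),
    ("tcp", 443, "dnsclient.etp.akamai.com"),
    ("tcp", 80, "error.etp.akamai.com"),
    ("tcp", 443, f"{CONFIG_ID}.r11.doh.dns.akasecure.net"),
] + [("udp", 53, ip) for ip in SIA_DNS]

# Concrete flows that must pass: wildcards are filled with a sample label.
REQUIRED = [(proto, port, dest.replace("*", "host")) for proto, port, dest in TABLE]
# Direct DNS to any other resolver must be denied (constructed test address).
MUST_DENY = [("udp", 53, "198.51.100.53"), ("tcp", 53, "198.51.100.53")]

def decide(rules, proto, port, dest):
    """Return the action of the first matching rule; unmatched traffic is denied."""
    for action, r_proto, r_port, r_dest in rules:
        if r_proto in (proto, "any") and r_port in (port, None) and fnmatchcase(dest, r_dest):
            return action
    return "deny"

def audit(rules):
    """List required flows that are blocked and DNS bypass flows that are open."""
    findings = [("blocked-required", f) for f in REQUIRED if decide(rules, *f) != "allow"]
    findings += [("dns-bypass-open", f) for f in MUST_DENY if decide(rules, *f) != "deny"]
    return findings

ALLOWS = [("allow", *row) for row in TABLE]
BLOCK_DNS = [("deny", "any", 53, "*")]            # "All", TCP / UDP, port 53

GOOD = ALLOWS + BLOCK_DNS                         # SIA DNS allowed before the port 53 block
SHADOWED = BLOCK_DNS + ALLOWS                     # block listed first hides the SIA DNS allow
LOOSE = [("allow", "udp", None, "*")] + GOOD      # broad UDP rule reopens direct DNS

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("SHADOWED", SHADOWED), ("LOOSE", LOOSE)):
        print(name, audit(rules))
```
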