Configure your firewall
This page lists domains and IP addresses that must be accessible for basic product functionality and for use of more advanced features such as Security Connector, ETP Client, and Zero Trust Client.
Make sure you allow these domains and IP addresses in your organization’s firewall. For instructions, see the product documentation for your organization's enterprise firewall.
If you have a web proxy or next-generation firewall (NGFW) deployed in your environment, you may also need to configure your network settings to bypass SSL inspection and authentication for Akamai domains. This ensures direct and uninterrupted connectivity to Akamai services.
SIA
To use SIA, make sure you allow these domains.
| Hostname | Description | Protocol | Port | Direction |
|---|---|---|---|---|
*.akaetp.net
| HTTP data path of the proxy | Transfer control protocol (TCP) | For ETP Client, the port you need to allow depends on the port that’s configured in the policy. In a policy, you can select port 443 or 853 for DoT. For DNS Forwarder, the port you need to allow (443 or 853) depends on the port configured in Security Connector for a DNS Forwarder configuration. | Outbound |
| Full hostname of identity provider | Identity provider | TCP | 443 | Outbound |
| *.dialin.go.akamai-access.com | Identity connectors | TCP | 443 | Outbound |
| error.etp.akamai.com |
SIA Error Pages | TCP | 80, 443 | Outbound |
*.akamai.com or these specific domains:
| Network Time Protocol (NTP) | UDP | 123 | Outbound |
OR
where:
These DNS servers are assigned to your SIA account. Only allow the IPv6 server addresses if your organization uses IPv6. | SIA DNS Servers | UDP | 53 | Outbound |
<config_ID>.dot.akaetp.net where <config_ID> is the configuration ID.
| Domain for DNS over TLS (DoT) | TCP | 853 | Outbound |
<config_ID>.doh.akaetp.net where <config_ID> is the configuration ID. | Domain for DNS over HTTPS (DoH) | TCP | 443 | Outbound |
| nevada.proxy.akaetp.net | Connections to SIA Proxy | TCP | 443 | Outbound |
You should also allow access to all hostnames that you or another administrator configured with the bypass action. Hostnames with the bypass action are directed to the Internet and do not go through SIA Proxy. For instructions, see the product documentation for your organization’s enterprise firewall.
If you want to prevent users from bypassing SIA and connecting directly to open recursive DNS servers on the Internet, block this port:
| Hostname | Description | Protocol | Port | Direction |
|---|---|---|---|---|
| All | Port where DNS servers listen for queries | TCP / UDP | 53 | Outbound |
Security Connector
To use Security Connector, make sure you allow these domains.
| Hostname | Description | Protocol | Port | Direction |
|---|---|---|---|---|
*.akaetp.net
| HTTP data path of the proxy DoT connection for Security Connector DNS Forwarder. | Transfer control protocol (TCP) | For DNS Forwarder, the port you need to allow (443 or 853) depends on the port configured in Security Connector for a DNS Forwarder configuration. | Outbound |
*.dot.dns.akasecure.net | Outbound | |||
etpcas.akamai.com | Control channel of Security Connector | TCP | 443 | Outbound |
sinkhole-etp.akamaietp.net | Control channel for Security Connector logs | TCP | 443 | Outbound |
amg.nevada.akamai.com | Control channel of Security Connector | TCP | 443 | Outbound |
| upgrade.terra.akamai.com | Used for Security Connector upgrades. Security Connector contacts this domain to complete the upgrade operation. | TCP | 443 | Outbound |
*.dot.tl53.net
| Domain for DNS over TLS (DoT) in China. To learn more about DNS protection in China, see Enable DNS Protection in China. | TCP | 443 or 853. The port you need to allow (443 or 853) depends on the port configured in Security Connector for DNS Forwarder. | Outbound |
ETP Client
To use ETP Client, make sure you allow these domains.
| Hostname | Description | Protocol | Port | Direction |
|---|---|---|---|---|
*.akaetp.net | HTTP data path of the proxy | Transfer control protocol (TCP) | The port you need to allow depends on the port that’s configured in the policy. In a policy, you can select port 443 or 853 for DoT. | Outbound |
| etpcas.akamai.com | Control channel of ETP Client | TCP | 443 | Outbound |
dnsclient.etp.akamai.com | Connectivity probe for ETP Client | TCP | 443 | Outbound |
<config_ID>.dot.akaetp.net where <config_ID> is the configuration ID. | Domain for DNS over TLS (DoT) | TCP | 853 or 443 | Outbound |
*.o.lencr.org | OCSP Servers used for DoT on ETP Client | TCP | 80 | Outbound |
*.c.lencr.org | Used for CRL distribution. Allow this domain when DoT is enabled for ETP Client. This domain allows your system to access the CA distribution points. | TCP | 80 | Outbound |
etpclient<configID>.akadns.net where <configID> is the configuration ID.
| ETP Client DNS probe | TCP | 53, 443 | Outbound |
UDP | 53 | Outbound | ||
| 127.0.0.1 | Used for DNS intereception. Make sure endpoint security does not block the sockets. | TCP/UDP | 53 | Outbound |
| 127.0.0.1 | Used for SIA Proxy | TCP | Port is 8080 by default. However, the port you allow is based on the Proxy Port you configure in the Client configuration settings. Make sure there is no port conflict and endpoint security does block the sockets. | Outbound |
| Ports to use for localhost communications between ETP Client processes (no need to expose outside of the machine).
Make sure your firewall does not block these ports. |
UDP | 5560, 6000, 6005, 6500, 7500 | Outbound | |
Zero Trust Client
If your organization uses Zero Trust Client (ZTC) and has enabled Threat Protection, you need to allow these domains in your organization’s firewall. To see a complete list of domains and IP addresses that you should allow based on the services you’ve enabled in ZTC, see the Zero Trust Client documentation.
The
akamai-zt.comsubdomains listed below are subject to change with little or no notice. We recommend that you allow this wildcard domain:*.akamai-zt.comto proactively enable access to any future domains Akamai may add. This ensures that new or changed domains do not require that you update your firewall rules.
| Hostname | Description | Protocol | Port | Direction |
|---|---|---|---|---|
*.akaetp.net | HTTP data path of the proxy DoT connection. | Transfer control protocol (TCP) | The port you need to allow depends on the port that’s configured in the policy. In a policy, you can select port 443 or 853 for DoT. | Outbound |
| etpcas.akamai.com | Control channel of the client | TCP | 443 | Outbound |
| registration.akamai-zt.com | Connections to ZTC registration service | TCP | 443 | Outbound |
| epms.akamai-zt.com | Control channel of ZTC configuration | TCP | 443 | Outbound |
| client-inventory-service.akamai-zt.com | Client inventory service for ZTC | TCP | 443 | Outbound |
| client.akamai-zt.com | Core client functionality | TCP | 443 | Outbound |
| ipinfo.io | IP address data | TCP | 443 | Outbound |
| connector-repository.akamai-zt.com | Access connector repository | TCP | 443 | Outbound |
| dnsclient.etp.akamai.com | Connectivity probe for the client | TCP | 443 | Outbound |
<config_ID>.dot.akaetp.net where <config_ID> is the configuration ID. | Domain for DNS over TLS (DoT) | TCP | 853 or 443 | Outbound |
*.o.lencr.org | OCSP Servers used for DoT on the client | TCP | 80 | Outbound |
*.c.lencr.org | Used for CRL distribution. Allow this domain when DoT is enabled for the client. This domain allows your system to access the CA distribution points. | TCP | 80 | Outbound |
etpclient<configID>.akadns.net where <configID> is the configuration ID.
| Zero Trust Client DNS probe | TCP | 53, 443 | Outbound |
UDP | 53 | Outbound | ||
| 127.0.0.1 | Used for DNS intereception. Make sure endpoint security does not block the sockets. | TCP/UDP | 53 | Outbound |
| 127.0.0.1 | Used for SIA Proxy | TCP | Port is 8080 by default. However, the port you allow is based on the Proxy Port you configure in the Client configuration settings. Make sure there is no port conflict and endpoint security does block the sockets. | Outbound |
| Localhost communication for client. Make sure endpoint security does not block these ports. | UDP | 5560, 6000, 6005, 6500, 7500 | Outbound | |
Updated 2 days ago