Prepare for ETP Client setup

Whether you plan to set up the desktop or mobile version of ETP Client or use the client on a user’s personal device, initial configuration tasks are required for the client. Before you set up ETP Client, complete these tasks.

To prepare for ETP Client setup:

  1. Make sure your enterprise firewall allows traffic for the endpoints that ETP Client requires. For more information, see Update enterprise firewall, on-premise proxy, and allowlists.

  2. Assign a policy to the Off-Network ETP Clients location. For more information, see Assign a policy to the off-network location.

  3. To use ETP Client with the full web proxy, enable the proxy in your policies. Depending on whether your deployment includes an on-premises proxy, you can also configure ETP Client as a proxy on the client computer. For more information, see Enable full web proxy.

    Note: If you do not install version 3.0.4 or later of the client, you cannot direct web traffic from ETP Client to the proxy. In this situation, the full web proxy is only available if you have an on-premises proxy that directs traffic from ETP Client to the proxy.

  4. To secure connections from ETP Client to SIA with DoT, select the DoT mode in the policy settings. By default, the mode is Always Attempt. You can change this setting and select the port that’s used. For instructions, see Configure DoT settings.

    Note: Make sure you enable DoT in policies that are associated with the mobile client.

  5. Configure the behavior of ETP Client. For more information, see Configure ETP Client.

  6. Complete these steps:

    1. Configure the internal IP addresses and DNS suffixes that end users can access in the corporate network.

    2. If you plan to let users activate ETP Client on their device, specify the corporate email domains that are associated with the users who will activate the client.

    3. Configure the trusted Windows applications that you want users with the client to access in the corporate network. Traffic from these applications is not directed to SIA.

    For instructions, see Configure local bypass settings.

  7. To use SIA Proxy, you need to distribute the MITM TLS certificate to your devices. For more information, see Distribute the SIA Proxy certificate and Distribute SIA mobile client.

Next Steps:

Update enterprise firewall, on-premise proxy, and allowlists

Depending on your organization's security infrastructure and what your company uses to restrict network access, you need to configure your firewall, proxy server, or allowlists to allow access to specific ports, IP addresses, and ETP Client domains. An on-premise proxy server may require that you modify the PAC file.

If you have a web proxy or next-generation firewall (NGFW) deployed in your environment, you may also need to configure your network settings to bypass SSL inspection and authentication for Akamai domains. This ensures direct and uninterrupted connectivity to Akamai services.

The domains, IP addresses, and ports listed below are also required to automatically upgrade ETP Client.

Update your firewall, proxy server, or allowlists to allow access to these domains, IP addresses, and ports.

Domain or IP address, description, protocol, port, and direction:

  • dnsclient.etp.akamai.com
    Description: Connectivity probe for ETP Client
    Protocol and port: TCP 443
    Direction: Outbound

  • etpclient<configID>.akadns.net, where <configID> is the configuration ID.
    Note: If you prefer, you can specify *.akadns.net instead.
    Description: ETP Client DNS probe
    Protocol and port: TCP 53 and 443; UDP 53
    Direction: Outbound

  • etpcas.akamai.com
    Description: Control channel of ETP Client
    Protocol and port: TCP 443
    Direction: Outbound

  • nevada.proxy.akaetp.net
    Description: Connections to SIA Proxy
    Protocol and port: TCP 443
    Direction: Outbound

  • Any other origin
    Protocol and port: TCP; configured with the bypass action in the policy, and the ports are configured in the policy
    Direction: Outbound

  • *.akaetp.net
    Description: DoT connection for ETP Client 3.2.0 or later
    Protocol and port: TCP 443 or 853, depending on the port selected for DoT in the policy
    Direction: Outbound

  • *.o.lencr.org
    Description: OCSP servers used for DoT. Allow this domain when DoT is enabled for ETP Client.
    Protocol and port: TCP 80
    Direction: Outbound

  • *.c.lencr.org
    Description: Used for CRL distribution. Allow this domain when DoT is enabled for ETP Client. This domain allows your system to access the CA distribution points.
    Protocol and port: TCP 80
    Direction: Outbound

  • <SIADNS_IPv4_1>, <SIADNS_IPv4_2>, <SIADNS_IPv6_1>, and <SIADNS_IPv6_2>, where <SIADNS_IPv4_1> and <SIADNS_IPv4_2> are the primary and secondary IPv4 addresses of the SIA DNS servers, and <SIADNS_IPv6_1> and <SIADNS_IPv6_2> are the primary and secondary IPv6 addresses of the SIA DNS servers. These DNS servers are assigned to your SIA account.
    Description: SIA DNS servers
    Protocol and port: UDP 53
    Direction: Outbound

  • localhost (no domain; these ports do not need to be exposed outside of the machine)
    Description: Ports to use for localhost communications between ETP Client processes
    Protocol and port: UDP 5560, 6000, 6005, 6500, and 7500
    Direction: Inbound

If ETP Client cannot forward requests to SIA because outbound UDP port 53 is blocked in your firewall, the local DNS server handles requests. The end user machine is then protected only when it's on the corporate network, where the enterprise resolver is configured to forward DNS queries to SIA. ETP Client cannot report the device name in this situation. As a result, threat events reported for ETP Client machines will not contain the machine name. To better protect end user machines and generate useful reporting data, make sure that your enterprise firewall allows outbound UDP port 53 to the primary and secondary SIA DNS servers.

Zero Trust Client

If your organization uses Zero Trust Client (ZTC) and has enabled the Threat Protection service, in addition to the domains that are required for ETP Client, you must also allow these domains.

To see a complete list of domains and IP addresses that you need to allow for other ZTC services, see the Zero Trust Client documentation.

Caution: The akamai-zt.com subdomains listed below are subject to change with little or no notice. Make sure you allow the wildcard domain *.akamai-zt.com to proactively enable access to any future domains Akamai may add. This ensures that new or changed domains do not require that you update your firewall rules.

Domain or IP address, description, protocol, port, and direction:

  • registration.akamai-zt.com
    Description: Connections to the ZTC registration service
    Protocol and port: TCP 443
    Direction: Outbound

  • epms.akamai-zt.com
    Description: Control channel of ZTC configuration
    Protocol and port: TCP 443
    Direction: Outbound

  • client-inventory-service.akamai-zt.com
    Description: Client inventory service for ZTC
    Protocol and port: TCP 443
    Direction: Outbound

  • client.akamai-zt.com
    Description: Core client functionality
    Protocol and port: TCP 443
    Direction: Outbound

  • ipinfo.io
    Description: IP address data. Used for diagnostic purposes when running a full diagnostic.
    Protocol and port: TCP 443
    Direction: Outbound

  • connector-repository.akamai-zt.com
    Description: Access connector repository
    Protocol and port: TCP 443
    Direction: Outbound
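The PAC-file change mentioned above, as an added example that is not part of the Akamai documentation: it returns DIRECT for the ETP Client, SIA, and ZTC domains from the two tables so that an on-premise proxy neither intercepts nor authenticates them, and sends everything else to the proxy. The proxy address is an assumed placeholder; the etpclient<configID>.akadns.net host is covered by the *.akadns.net wildcard the table permits.

```javascript
// Added example (not Akamai's): PAC logic that keeps the allowlisted ETP Client,
// SIA and ZTC endpoints off the on-premise proxy. ES5 only, as PAC engines require.
var CORP_PROXY = "PROXY proxy.corp.example:3128";  // assumed placeholder

// Exact hosts from the allowlist tables above.
var DIRECT_HOSTS = [
  "dnsclient.etp.akamai.com",
  "etpcas.akamai.com",
  "nevada.proxy.akaetp.net",
  "ipinfo.io"
];

// Wildcard entries from the tables; *.akadns.net also covers
// etpclient<configID>.akadns.net without hard-coding the configuration ID.
var DIRECT_SUFFIXES = [
  ".akadns.net",
  ".akaetp.net",
  ".o.lencr.org",
  ".c.lencr.org",
  ".akamai-zt.com"
];

// True when host is a subdomain of the wildcard: "a.akaetp.net" matches
// ".akaetp.net", but "akaetp.net" and "evil-akaetp.net" do not.
function isSubdomainOf(host, dotSuffix) {
  return host.length > dotSuffix.length &&
    host.substring(host.length - dotSuffix.length) === dotSuffix;
}

function isAkamaiDirectHost(host) {
  host = host.toLowerCase();
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (host === DIRECT_HOSTS[i]) return true;
  }
  for (var j = 0; j < DIRECT_SUFFIXES.length; j++) {
    if (isSubdomainOf(host, DIRECT_SUFFIXES[j])) return true;
  }
  return false;
}

// Entry point the browser or OS proxy engine calls for every request.
function FindProxyForURL(url, host) {
  if (isAkamaiDirectHost(host)) {
    return "DIRECT";  // no SSL inspection or proxy authentication for these hosts
  }
  return CORP_PROXY;  // all other traffic still goes through the on-premise proxy
}
```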

Next steps

Assign a policy to the off-network location.

Assign a policy to the off-network location

Before you begin
Make sure that the external IP addresses of all exit points or gateways in the corporate network are configured as locations in SIA. These locations allow SIA to determine when traffic is coming from devices that are on or off the corporate network. To add or modify a location, see Create a location.

An SIA administrator needs to assign a policy to the off-network location. This ensures that the appropriate security and access control settings are applied when end users attempt to access content outside the corporate network. If necessary, you can also create a new policy. For instructions on creating a policy, see Create a policy.

To assign a policy to the off-network location:

  1. In the Threat Protection menu of Enterprise Center, select Locations > Locations.

  2. In the Off Network Client Policy setting at the top of the page, select the policy. The deploy window appears.

  3. In the confirmation window, describe the change you made and click Deploy.

Next Steps
If you haven’t deployed this update to the SIA network, make sure you deploy it. For instructions, see Deploy configuration changes.

Configure DoT settings

DoT secures DNS requests that are forwarded from ETP Client to SIA DNS. This traffic is protected with TLS encryption. By default, the DoT mode is set to Always Attempted. This mode means that ETP Client always attempts to use DoT. You can also select from these additional modes:

  • Required: Indicates that DoT is required. If the DoT connection cannot be established, the client shows that the device is not protected.

  • Disabled: Indicates that DoT is not used to secure DNS traffic from ETP Client.

When configuring DoT, you can also select the port that’s used for DoT. By default, ETP Client uses port 443. However, you can also select port 853. If you use port 853, make sure this port is available and allowed in your firewall.

Before you begin:

For DoT on ETP Client, make sure you allow the OCSP server in your firewall. It is also recommended that you allow the CRL domains. For more information, see Update enterprise firewall, on-premise proxy, and allowlists.

To configure DoT settings:

  1. To edit a policy:

    1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

    2. Click the policy that you want to modify.

  2. Go to the Settings tab.

  3. In the ETP Client Settings area:

    1. Select a mode from the DNS-over-TLS mode menu.

    2. Select a port from the DNS-over-TLS port menu.

  4. Click Save. If you want to save and deploy the policy, click Save and Deploy.

Next Steps

  1. If you haven’t deployed the policy, make sure you deploy it to the SIA network. For instructions, see Deploy configuration changes.

  2. Configure ETP Client

Configure ETP Client

An SIA administrator configures the behavior of ETP Client. These settings are applied in approximately 10 minutes to all distributed ETP Clients in your network. For more information on these settings, see ETP Client configuration settings.

To configure ​ETP Client​:

  1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > ETP Client.

  2. Take note of the entitlement code. You can use the entitlement code to activate the desktop or mobile client that you plan to distribute with a device management solution.

  3. Select the Configuration tab.

  4. To forward DNS traffic to SIA, toggle Enable ETP Client to on.

  5. To allow users to disable the client, enable Allow users to disable the client.

  6. To allow users to disable the client with an entitlement code, enable Allow disable action with an entitlement code.

  7. To allow Windows users to uninstall ETP Client from their machines, enable Allow Uninstall on Windows.

  8. To allow automatic security patch upgrades to clients in your network, enable Automatic Upgrades for Critical Patches.

  9. Toggle the Log Traffic setting if you want to partially disable client logging so that the URLs and IP addresses accessed by the end users are not revealed.

  10. To have ETP Client intercept traffic, direct DNS traffic to SIA resolvers, and direct web traffic to SIA Proxy without modifying browser or operating system settings, enable Transparent traffic interception.

  11. If you enable transparent traffic interception, you can block traffic that uses QUIC, a transport protocol that’s used by HTTP/3. To block QUIC traffic, enable Block QUIC. If this toggle is not enabled, the client bypasses QUIC traffic, and it is not directed to the proxy.

    This setting applies to Zero Trust Client 5.1 or later when it’s enabled for Threat Protection. It does not apply to supported versions of ​ETP Client​.

  12. To allow non-HTTP traffic to bypass the proxy, select Bypass Non-HTTP Traffic. When this setting is enabled, like all traffic directed to the proxy, non-HTTP traffic goes through the origin ports configured in the policy. However, SIA Proxy does not intercept, scan, or break non-HTTP traffic.

  13. To configure ETP Client as the local proxy on the user's machine, for the Configure client as local computer web proxy setting, select Yes. Otherwise, you can select Only if there's no local proxy or No.

  14. To configure the port that's used by SIA to listen for traffic, enter the port number. By default, ETP Client listens for traffic on port 8080.

  15. Click Save. To save and deploy the settings, click Save and Deploy.

Next steps

Configure local bypass settings

In the Local Bypass Settings page, you configure the traffic that you want end users to access while they are protected by SIA. This includes networks that are set up with ETP Client, DNS Forwarder, HTTP Forwarder, and SIA Proxy.

The traffic you specify is not directed to the SIA cloud. This traffic bypasses SIA and is directed to another resolver, such as a local or public resolver.

These conditions apply when defining IP addresses and DNS suffixes:

  • If DNS suffixes are configured in SIA, the client does not check the threat status of domains with these suffixes because they are internal to the corporate network.

  • If internal IPv4 or IPv6 addresses are configured, these IP addresses are preferred over public IP addresses. For example, this applies if both internal and public IP addresses are returned by DNS servers in a split DNS network topology.

Note: HTTP Forwarder does not support IP addresses that are configured in the Local Bypass Settings. As a result, these IP addresses will not bypass HTTP Forwarder.

Options are also available for you to add the IP ranges or blocks that are reserved on the Internet for private or internal networks as defined by RFC 1918 and RFC 4193.

  • If an administrator selects to add RFC 1918 IP addresses, these IPv4 ranges are added: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

  • If an administrator selects to add RFC 4193 IP addresses, the IPv6 block FC00::/7 is added.
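The bypass rules described above (DNS-suffix bypass, preference for an internal address when split DNS returns both internal and public addresses, and the RFC 1918 and RFC 4193 blocks) modelled as an added example. This is illustration code written for this page, not the client's own logic; the suffix list and the DNS answers in the comments are constructed.

```javascript
// Added example (not Akamai's client code): models the local-bypass rules
// described above. The suffix list and DNS answers are constructed.
var BYPASS_SUFFIXES = ["corp.example"];                // assumed DNS suffix
var BYPASS_RANGES = [
  "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    // "Add RFC 1918 IPs"
  "fc00::/7"                                           // "Add RFC 4193 IPs"
];

function ipv4ToInt(ip) {
  var p = ip.split(".");
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + (p[3] | 0);
}

// Expand "::" so the address is always eight 16-bit hextets.
function ipv6ToHextets(ip) {
  var halves = ip.split("::");
  var head = halves[0] ? halves[0].split(":") : [];
  var tail = halves.length > 1 && halves[1] ? halves[1].split(":") : [];
  var fill = [];
  for (var i = head.length + tail.length; i < 8; i++) fill.push("0");
  return head.concat(fill, tail).map(function (h) { return parseInt(h, 16); });
}

// True when ip (IPv4 or IPv6) falls inside the CIDR block.
function inRange(ip, cidr) {
  var parts = cidr.split("/"), net = parts[0], bits = parseInt(parts[1], 10);
  var isV6 = ip.indexOf(":") >= 0;
  if (isV6 !== (net.indexOf(":") >= 0)) return false;  // address family mismatch
  if (!isV6) {
    var mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
    return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  }
  var a = ipv6ToHextets(ip), b = ipv6ToHextets(net);
  for (var i = 0; i < 8 && bits > 0; i++, bits -= 16) {
    var m = bits >= 16 ? 0xffff : (0xffff << (16 - bits)) & 0xffff;
    if ((a[i] & m) !== (b[i] & m)) return false;
  }
  return true;
}

// Matches the suffix itself and any name under it, not "evilcorp.example".
function hasBypassSuffix(name) {
  var host = name.toLowerCase();
  return BYPASS_SUFFIXES.some(function (s) {
    s = s.toLowerCase();
    return host === s || host.slice(-(s.length + 1)) === "." + s;
  });
}

// Decide how one resolved name is handled: {bypass, reason, address}.
// answers is the constructed list of A/AAAA records returned for the name.
function localBypassDecision(name, answers) {
  if (hasBypassSuffix(name)) {           // internal suffix: threat status not checked
    return { bypass: true, reason: "dns-suffix", address: answers[0] || null };
  }
  var internal = answers.filter(function (a) {
    return BYPASS_RANGES.some(function (r) { return inRange(a, r); });
  });
  if (internal.length > 0) {             // split DNS: internal address wins over public
    return { bypass: true, reason: "internal-ip", address: internal[0] };
  }
  return { bypass: false, reason: "public", address: answers[0] || null };
}
```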

For ​ETP Client​ or Zero Trust Client, you can:

  • Specify your corporate email domains. These domains are used to authorize users in your organization when they request an activation code from the client. Make sure you do not provide the domain of a public email provider such as Gmail.

  • Specify Windows applications that end users can access. Traffic from these applications is not directed to SIA.

    Note: If you plan to enable walled garden for ETP Client when it's in an unprotected state, you must configure walled garden exceptions in the Local Bypass Settings page. For instructions on configuring these exceptions, see Enable walled garden and Configure walled garden exceptions.

  • Specify the network interfaces that you don’t want directed to the Zero Trust Client when it’s enabled for transparent traffic interception on Windows. A network interface can be a VPN that you want to coexist with the client. You specify the hardware IDs that are associated with a network interface.

To configure local bypass settings:

  1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > Local Bypass Settings.

    Note: You can also access these settings from the SIA Client Configuration tab (Clients & Connectors > ETP Clients). In the Corporate Network area, click the Edit icon. You are directed to the Local Bypass Settings page.

  2. To enter the domains and DNS suffixes that you don’t want directed to SIA, expand the Domains section and enter domains and DNS suffixes in the provided field.

  3. To enter IP addresses of traffic that you don't want directed to SIA, expand the IP Addresses section and enter IP addresses in the provided field.

    • To add IP address ranges that are reserved for private networks as defined by RFC 1918, click Add RFC 1918 IPs.

    • To add the address block that is reserved for private IPv6 networks as defined by RFC 4193, click Add RFC 4193 IPs.

  4. To enter the domains that are permitted to receive requested one-time activation codes for ETP Client, expand the Email Domains section and enter the corporate domains used for email. Make sure you provide domains that are used by authorized users only. Do not enter public domains that are accessible to unauthorized users.

  5. To enter the domains and IP addresses that you want users to access if ETP Client is in an unprotected state:

    • Expand the Domains Allowed in Walled Garden section and enter the domains and DNS suffixes in the provided field.

    • Expand the IP Addresses Allowed in Walled Garden section, and enter the IP addresses in the provided field.

  6. If you’ve enabled transparent traffic interception for Zero Trust Client, you can enter the hardware IDs that are associated with network interfaces you don’t want directed to the client. A network interface can be a VPN that you want to use in the same environment as the client. This setting applies to the client on Windows only.

    1. Expand the Network Interface section.

    2. Enter the hardware IDs in the provided text box. To learn how to find this information, see Find the hardware ID of a network interface on Windows.

  7. If you're using transparent traffic interception for ETP Client, you can configure Windows application traffic you don’t want directed to ETP Client. Expand the Windows Application section and complete these steps:

    1. In the Process Name field, enter a name for the application.

    2. Enter the file path to the application. To find the full file path, you can view the application file properties.

    3. Select whether you want SIA to validate or not to validate the digital signature.

    4. If you chose to validate the signature, enter the Publisher name and the Issuer of the Signature. You can find this information by viewing Digital Signature Details of the Windows application. Digital Signature information is available in the application properties.

      You can enter the full name or the partial name of the Issuer. For example, if the Issuer is Akamai Technologies, Inc., you can enter Akamai.

    Note: You can upload a CSV file that contains information for Windows applications. To download the CSV with the columns you need, click the download icon. Open the CSV file, enter Windows application information, and click the upload icon to upload the CSV file. The applications you provide in the CSV file are added to the Windows Applications section.

  8. Click Save. To save and deploy these settings, click Save and Deploy.

Next steps
If you haven’t deployed these settings, make sure you deploy them to the SIA network. For instructions, see Deploy configuration changes.

Find the hardware ID of a network interface on Windows

If you enabled transparent traffic interception for the Zero Trust Client on Windows and your organization uses a separate VPN, you can have this traffic bypass the client. To do this, you need the hardware ID of the VPN. You then enter this information into the Local Bypass Settings.

To find the hardware ID of the VPN on Windows:

  1. Right-click the Start menu and select Device Manager.
  2. In the list, select the VPN, right-click it, and select Properties.
  3. Select the Details tab.
  4. In the Property menu, select Hardware Ids. The Hardware ID value or values appear.

Next Steps:

Add the hardware ID of the VPN to the network interface section of the Local Bypass Settings. For instructions, see Configure local bypass settings.