Prepare for ETP Client setup

Whether you plan to set up the desktop or mobile version of ETP Client or use the client on a user’s personal device, initial configuration tasks are required for ETP Client. Before you set up ETP Client, complete these tasks.

To prepare for ETP Client setup:

  1. Make sure your enterprise firewall allows traffic for endpoints that are required by ETP Client. For more information, see Update enterprise firewall, on-premise proxy, and allowlists.

  2. Assign a policy to the Off-Network ETP Clients location. For more information, see Assign a policy to the off-network location.

  3. To use ETP Client with the full web proxy, enable the proxy in your policies. Depending on whether your deployment includes an on-premises proxy, you can also configure ETP Client as a proxy on the client computer. For more information, see Enable full web proxy.

    📘 If you do not install version 3.0.4 or later of the client, you cannot direct web traffic from ETP Client to the proxy. In this situation, the full web proxy is only available if you have an on-premises proxy that directs traffic from ETP Client to the proxy.

  4. To secure connections from ETP Client to ETP with DoT, select the DoT mode in the policy settings. By default, the mode is Always Attempt. You can change this setting and select the port that’s used. For instructions, see Configure DoT settings.

    📘 Make sure you enable DoT in policies that are associated with the mobile client.

  5. Configure the behavior of ETP Client. For more information, see Configure ETP Client.

  6. Configure the internal IP addresses and DNS suffixes that end users can access in the corporate network. If you plan to let users activate ETP Client on their device, you need to also specify the corporate email domains that are associated with the users who will activate the client. For more information, see Configure internal IP addresses, DNS suffixes, and email domains.

  7. To use ETP Proxy, you need to distribute the MITM TLS certificate to your devices. For more information, see Distribute the ETP Proxy certificate and Distribute ETP mobile client.

Next Steps:

Update enterprise firewall, on-premise proxy, and allowlists.

Update enterprise firewall, on-premise proxy, and allowlists

Depending on your organization's security infrastructure and what your company uses to restrict network access, you need to configure your firewall, proxy server, or allowlists to allow access to specific ports, IP addresses, and ETP Client domains. An on-premise proxy server may require that you modify the PAC file.

These domains, IP addresses, and ports are required to automatically upgrade ETP Client.

To update enterprise firewall, on-premise proxy, and allowlists:

Update your firewall, proxy server, or allowlists to allow access to these domains, IP addresses, and ports.

| Domain or IP address | Protocol | Port | Direction |
| --- | --- | --- | --- |
| dnsclient.etp.akamai.com | TCP | 443 | Outbound |
| etpcas.akamai.com | TCP | 443 | Outbound |
| nevada.proxy.akaetp.net (connections to ETP Proxy) | TCP | 443 | Outbound |
| Any other origin | TCP | Configured with bypass action in ETP policy, with ports configured in ETP policy | Outbound |
| *.akaetp.net (firewall setting for DoT) | TCP | 443 or 853; the port depends on the port selected for DoT in the policy | Outbound |
| <*ETPDNS_IPv4_1*>, <*ETPDNS_IPv4_2*>, <*ETPDNS_IPv6_1*>, <*ETPDNS_IPv6_2*> (see below) | UDP | 53 | Outbound |
| localhost (communication between ETP Client processes; no need to expose outside of the machine) | UDP | 5560, 6000, 6005, 6500, and 7500 | Inbound |

where:
  • <*ETPDNS_IPv4_1*> and <*ETPDNS_IPv4_2*> are the primary and secondary IPv4 addresses of the ETP DNS servers.
  • <*ETPDNS_IPv6_1*> and <*ETPDNS_IPv6_2*> are the primary and secondary IPv6 addresses of the ETP DNS servers.
These DNS servers are assigned to your ETP account.

If ETP Client cannot forward requests to ETP because outbound UDP port 53 is blocked in your firewall, the local DNS server handles requests. The end user machine is protected only when it's on the corporate network where the enterprise resolver is configured to forward DNS queries to ETP. ETP Client cannot report the device name in this situation. As a result, threat events reported for ETP Client machines will not contain the machine name. To better protect end user machines and generate useful reporting data, in the enterprise firewall, make sure that you open outbound UDP port 53 to the primary and secondary ETP DNS servers.

Next steps

Assign a policy to the off-network location.

Assign a policy to the off-network location

Before you begin
Make sure that the external IP addresses of all exit points or gateways in the corporate network are configured as locations in ETP. These locations allow ETP to determine when traffic is coming from devices that are on or off the corporate network. To add or modify a location, see Create a location.

An ETP administrator needs to assign a policy to the off-network location. This ensures that the appropriate security and access control settings are applied when end users attempt to access content outside the corporate network. If necessary, you can also create a new policy. For instructions on creating a policy, see Create a policy.

To assign a policy to the off-network location:

  1. In the Threat Protection menu of Enterprise Center, select Locations > Locations.

  2. Go to the Off Network ETP Clients location and click the chain icon.

  3. Select a policy from the menu.

  4. Click the check mark icon and select Save. To deploy the location with the save operation, select Save and Deploy.

Next Steps
If you haven’t deployed this update to the ETP network, make sure you deploy it. For instructions, see Deploy configuration changes.

Configure DoT settings

DoT secures DNS requests that are forwarded from ETP Client to ETP DNS. This traffic is protected with TLS encryption. By default, the DoT mode is set to Always Attempted. This mode means that ETP Client always attempts to use DoT. You can also select from these additional modes:

  • Required: Indicates that DoT is required. If the DoT connection cannot be established, the client shows that the device is not protected.

  • Disabled: Indicates that DoT is not used to secure DNS traffic from ETP Client.

When configuring DoT, you can also select the port that’s used for DoT. By default, ETP Client uses port 443. However, you also can select port 853. If you use port 853, make sure this port is available and allowed in your firewall.

To configure DoT settings:

  1. To edit a policy:

    1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

    2. Click the policy that you want to modify.

  2. Go to the Settings tab.

  3. In the ETP Client Settings area:

    1. Select a mode from the DNS-over-TLS mode menu.

    2. Select a port from the DNS-over-TLS port menu.

  4. Click Save. If you want to save and deploy the policy, click Save and Deploy.

Next Steps

  1. If you haven’t deployed the policy, make sure you deploy it to the ETP network. For instructions, see Deploy configuration changes.

  2. Configure ETP Client

Configure ETP Client

An ETP super administrator configures the behavior of ETP Client. These settings are applied in approximately 10 minutes to all distributed ETP Clients in your network. For more information on these settings, see ETP Client configuration settings.

To configure ETP Client:

  1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > ETP Clients.

  2. Take note of the entitlement code. You can use the entitlement code to activate the ETP desktop or mobile client that you plan to distribute with a device management solution.

  3. Select the Configuration tab.

  4. To forward DNS traffic to ETP, toggle Enable ETP Client to on.

  5. To allow users to disable the client, enable Allow Users to Disable ETP Client.

  6. To identify the user's device name in events that are reported to ETP, enable ETP Client Identity Reporting.

  7. To allow Windows users to uninstall ETP Client from their machines, enable Allow Uninstall on Windows.

  8. To allow automatic security patch upgrades to ETP Clients in your network, enable Automatic Upgrades for Critical Patches.

  9. Toggle the ETP Client Logging field off if you want to partially disable client logging so that the URLs and IP addresses accessed by the end users are not revealed.

  10. To have ETP Client intercept traffic, direct DNS traffic to ETP resolvers, and direct web traffic to ETP Proxy without modifying browser or operating system settings, enable Transparent traffic interception.

  11. To configure ETP Client as the local proxy on the user's machine, for the Configure ETP Client as local computer web proxy setting, select Yes. Otherwise, you can select Only if there's no local proxy or No.

  12. To configure the port that ETP Client uses to listen for traffic, enter the port number. By default, ETP Client listens for traffic on port 8080.

  13. Click Save. To save and deploy the settings, click Save and Deploy.

Next steps

Configure internal IP addresses, DNS suffixes, and email domains.

Configure internal IP addresses, DNS suffixes, and email domains

In the ETP network configuration, you configure the internal IP addresses and DNS suffixes that you want end users to access while they are protected by ETP. This includes networks that are set up with ETP Client, DNS Forwarder, HTTP Forwarder, and ETP Proxy.

These conditions apply when defining IP addresses and DNS suffixes:

  • If DNS suffixes are configured in ETP, the client does not check the threat status of domains with these suffixes because they are internal to the corporate network.

  • If internal IPv4 or IPv6 addresses are configured, these IP addresses are preferred over public IP addresses. For example, this applies if both internal and public IP addresses are returned by DNS servers in a split DNS network topology.

📘 HTTP Forwarder (beta) does not support IP addresses that are configured in the network configuration. As a result, these IP addresses will not bypass HTTP Forwarder.

Options are also available for you to add the IP ranges or blocks that are reserved on the Internet for private or internal networks as defined by RFC 1918 and RFC 4193.

  • If a super administrator selects to add RFC 1918 IP addresses, these IPv4 ranges are added: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

  • If a super administrator selects to add RFC 4193 IP addresses, the IPv6 block FC00::/7 is added.
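As an added illustration (not Akamai's code, and not how ETP Client is implemented), this Python sketch models the two conditions above together with the RFC 1918 and RFC 4193 blocks: configured entries are validated as IPv4/IPv6 addresses or CIDR blocks, hosts under a configured DNS suffix are treated as internal and skip the threat check, and internal answers are preferred over public ones in a split-DNS response. The configuration and DNS answers are constructed sample data.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample configuration. These are the blocks the page says the
# "Add RFC 1918 IPs" and "Add RFC 4193 IPs" buttons add.
RFC1918_V4 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
RFC4193_V6 = ["FC00::/7"]


def parse_internal_ranges(entries: Iterable[str]) -> Tuple[list, List[str]]:
    """Validate entries as single addresses or CIDR blocks (IPv4 or IPv6).
    Returns (networks, rejected) so invalid entries are reported, not dropped."""
    networks, rejected = [], []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


def has_internal_suffix(hostname: str, suffixes: Iterable[str]) -> bool:
    """True when hostname equals or falls under a configured DNS suffix.
    Matching is label-aligned, so 'evilcorp.example' does not match 'corp.example'."""
    host = hostname.lower().rstrip(".")
    for suffix in suffixes:
        s = suffix.lower().strip().lstrip(".")
        if host == s or host.endswith("." + s):
            return True
    return False


def prefer_internal(answers: Iterable[str], networks) -> List[str]:
    """Split-DNS rule: if any answer lies in a configured internal range, keep only
    those answers; otherwise return all answers unchanged."""
    parsed = [ipaddress.ip_address(a) for a in answers]
    internal = [a for a in parsed if any(a in n for n in networks)]
    return [str(a) for a in (internal or parsed)]


def evaluate(hostname: str, answers: Iterable[str], networks, suffixes) -> dict:
    """Combine both rules for one DNS response. 'threat_check' is False for a host
    under an internal suffix, mirroring the behaviour the page describes."""
    internal = has_internal_suffix(hostname, suffixes)
    return {"threat_check": not internal,
            "addresses": prefer_internal(answers, networks)}


if __name__ == "__main__":
    nets, bad = parse_internal_ranges(RFC1918_V4 + RFC4193_V6 + ["not-an-ip"])
    print("rejected:", bad)
    print(evaluate("wiki.corp.example", ["10.1.2.3", "198.51.100.5"], nets, ["corp.example"]))
```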

You can also specify your corporate email domains. These domains are used to authorize users in your organization who will receive an email invitation for ETP Client activation. Make sure you do not provide the domain of a public email provider such as Gmail.

📘 If you plan to enable walled garden for ETP Client when it's in an unprotected state, you also configure walled garden exceptions on the Network Configuration page. For instructions on configuring these exceptions, see Enable walled garden and Configure walled garden exceptions.

To configure internal IP addresses, DNS suffixes, and email domains:

  1. In the Threat Protection menu of Enterprise Center, select Locations > Network Configuration.

  2. For ETP Client:

    1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > ETP Clients.

    2. Click the Configuration tab.

    3. In the Corporate Network area, click the Edit icon. You are directed to the Network Configuration tab.

  3. In the IPv4 field, enter valid IPv4 addresses. To add IP addresses ranges that are reserved for private networks as defined by RFC 1918, click Add RFC 1918 IPs.

  4. In the IPv6 field, enter valid IPv6 addresses. To add the address block that is reserved for private IPv6 networks as defined by RFC 4193, click Add RFC 4193 IPs.

  5. In the DNS suffixes field, enter domains or the internal DNS suffixes for domains that you want to allow end users to access.

  6. In the Corporate Email Domains, enter the corporate domains used for email. Make sure you provide domains that are used by authorized users only. Do not enter public domains that are accessible to unauthorized users.

  7. Click Save. To save and deploy these settings, click Save and Deploy.

Next steps
If you haven’t deployed these settings, make sure you deploy them to the ETP network. For instructions, see Deploy configuration changes.
