Prepare for ETP Client setup

Whether you plan to set up the desktop or mobile version of ETP Client or use the client on a user’s personal device, initial configuration tasks are required for ETP Client. Before you set up ETP Client, complete these tasks.

To prepare for ETP Client setup:

  1. Make sure your enterprise firewall allows traffic for endpoints that are required by ETP Client. For more information, see Update enterprise firewall, on-premise proxy, and allowlists.

  2. Assign a policy to the Off-Network ETP Clients location. For more information, see Assign a policy to the off-network location.

  3. To use ETP Client with the full web proxy, enable the proxy in your policies. Depending on whether your deployment includes an on-premises proxy, you can also configure ETP Client as a proxy on the client computer. For more information, see Enable full web proxy.

    📘

    If you do not install version 3.0.4 or later of the client, you cannot direct web traffic from ETP Client to the proxy. In this situation, the full web proxy is only available if you have an on-premises proxy that directs traffic from ETP Client to the proxy.

  4. To secure connections from ETP Client to ETP with DoT, select the DoT mode in the policy settings. By default, the mode is Always Attempt. You can change this setting and select the port that’s used. For instructions, see Configure DoT settings.

    📘

    Make sure you enable DoT in policies that are associated with the mobile client.

  5. Configure the behavior of ETP Client. For more information, see Configure ETP Client.

  6. Complete these steps:

    1. Configure the internal IP addresses and DNS suffixes that end users can access in the corporate network.

    2. If you plan to let users activate ETP Client on their device, you need to specify the corporate email domains that are associated with the users who will activate the client.

    3. Configure trusted Windows applications that you want users with the client to access in the corporate network. Traffic from these applications is not directed to ETP.

    For instructions, see Configure local bypass settings.

  7. To use ETP Proxy, you need to distribute the MITM TLS certificate to your devices. For more information, see Distribute the ETP Proxy certificate and Distribute ETP mobile client.

Next Steps:

Update enterprise firewall, on-premise proxy, and allowlists

Depending on your organization's security infrastructure and what your company uses to restrict network access, you need to configure your firewall, proxy server, or allowlists to allow access to specific ports, IP addresses, and ETP Client domains. An on-premise proxy server may require that you modify the PAC file.

These domains, IP addresses, and ports are required to automatically upgrade ETP Client.

To update enterprise firewall, on-premise proxy, and allowlists:

Update your firewall, proxy server, or allowlists to allow access to these domains, IP addresses, and ports.

Domain or IP address | Protocol | Port | Direction
--- | --- | --- | ---
dnsclient.etp.akamai.com | TCP | 443 | Outbound
etpcas.akamai.com | TCP | 443 | Outbound
nevada.proxy.akaetp.net (connections to ETP Proxy) | TCP | 443 | Outbound
Any other origin | TCP | Ports configured in the ETP policy, for origins configured with the bypass action in the ETP policy | Outbound
*.akaetp.net (firewall setting for DoT) | TCP | 443 or 853, depending on the port selected for DoT in the policy | Outbound
<*ETPDNS_IPv4_1*>, <*ETPDNS_IPv4_2*>, <*ETPDNS_IPv6_1*>, <*ETPDNS_IPv6_2*> (see note below) | UDP | 53 | Outbound
Localhost communications between ETP Client processes (no need to expose outside of the machine) | UDP | 5560, 6000, 6005, 6500, and 7500 | Inbound

where:
  • <*ETPDNS_IPv4_1*> and <*ETPDNS_IPv4_2*> are the primary and secondary IPv4 addresses of the <> DNS servers.
  • <*ETPDNS_IPv6_1*> and <*ETPDNS_IPv6_2*> are the primary and secondary IPv6 addresses of the <> DNS servers.
These DNS servers are assigned to your <> account.

If ETP Client cannot forward requests to ETP because outbound UDP port 53 is blocked in your firewall, the local DNS server handles requests. The end user machine is protected only when it's on the corporate network where the enterprise resolver is configured to forward DNS queries to ETP. ETP Client cannot report the device name in this situation. As a result, threat events reported for ETP Client machines will not contain the machine name. To better protect end user machines and generate useful reporting data, in the enterprise firewall, make sure that you open outbound UDP port 53 to the primary and secondary ETP DNS servers.
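As an added example that is not part of the Akamai documentation, a minimal PAC file for an on-premises proxy that sends the ETP Client endpoints listed in the table above direct and routes everything else through the proxy. The proxy name onprem-proxy.example:8080 is a placeholder, and the file uses only plain string operations so it also runs in JScript-based PAC engines that lack endsWith().

```javascript
// Added example PAC file (not from the Akamai documentation).
// Assumes a placeholder on-premises proxy "onprem-proxy.example" on port 8080.

// ETP Client endpoints from the allowlist table that must be reached DIRECT.
var ETP_HOSTS = ["dnsclient.etp.akamai.com", "etpcas.akamai.com", "nevada.proxy.akaetp.net"];
// Covers the wildcard *.akaetp.net row (DoT to ETP DNS on 443 or 853).
var ETP_SUFFIXES = [".akaetp.net"];

// Plain suffix test; avoids String.prototype.endsWith for older PAC engines.
function hasSuffix(host, suffix) {
  return host.length >= suffix.length &&
    host.substring(host.length - suffix.length) === suffix;
}

// True when host is one of the ETP Client endpoints (case-insensitive).
function isEtpEndpoint(host) {
  host = host.toLowerCase();
  var i;
  for (i = 0; i < ETP_HOSTS.length; i++) {
    if (host === ETP_HOSTS[i]) { return true; }
  }
  for (i = 0; i < ETP_SUFFIXES.length; i++) {
    if (hasSuffix(host, ETP_SUFFIXES[i])) { return true; }
  }
  return false;
}

// Standard PAC entry point called by the browser or OS for every URL.
function FindProxyForURL(url, host) {
  // ETP Client traffic bypasses the on-premises proxy so that the client can
  // reach ETP directly over the ports opened in the firewall.
  if (isEtpEndpoint(host)) { return "DIRECT"; }
  // All other traffic keeps going through the on-premises proxy (placeholder).
  return "PROXY onprem-proxy.example:8080";
}
```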

Next steps

Assign a policy to the off-network location.

Assign a policy to the off-network location

Before you begin
Make sure that the external IP addresses of all exit points or gateways in the corporate network are configured as locations in ETP. These locations allow ETP to determine when traffic is coming from devices that are on or off the corporate network. To add or modify a location, see Create a location.

An ETP administrator needs to assign a policy to the off-network location. This ensures that the appropriate security and access control settings are applied when end users attempt to access content outside the corporate network. If necessary, you can also create a new policy. For instructions on creating a policy, see Create a policy.

To assign a policy to the off-network location:

  1. In the Threat Protection menu of Enterprise Center, select Locations > Locations.

  2. Go to the Off Network ETP Clients location and click the chain icon.

  3. Select a policy from the menu.

  4. Click the check mark icon and select Save. To deploy the location with the save operation, select Save and Deploy.

Next Steps
If you haven’t deployed this update to the ETP network, make sure you deploy it. For instructions, see Deploy configuration changes.

Configure DoT settings

DoT secures DNS requests that are forwarded from ETP Client to ETP DNS. This traffic is protected with TLS encryption. By default, the DoT mode is set to Always Attempted. This mode means that ETP Client always attempts to use DoT. You can also select from these additional modes:

  • Required: Indicates that DoT is required. If the DoT connection cannot be established, the client shows that the device is not protected.

  • Disabled: Indicates that DoT is not used to secure DNS traffic from ETP Client.

When configuring DoT, you can also select the port that’s used for DoT. By default, ETP Client uses port 443. However, you also can select port 853. If you use port 853, make sure this port is available and allowed in your firewall.

To configure DoT settings:

  1. To edit a policy:

    1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

    2. Click the policy that you want to modify.

  2. Go to the Settings tab.

  3. Under ETP Client Settings:

    1. Select a mode from the DNS-over-TLS mode menu.

    2. Select a port from the DNS-over-TLS port menu.

  4. Click Save. If you want to save and deploy the policy, click Save and Deploy.

Next Steps

  1. If you haven’t deployed the policy, make sure you deploy it to the ETP network. For instructions, see Deploy configuration changes.

  2. Configure ETP Client

Configure ETP Client

An ETP administrator configures the behavior of ETP Client. These settings are applied in approximately 10 minutes to all distributed ETP Clients in your network. For more information on these settings, see ETP Client configuration settings.

To configure ETP Client:

  1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > ETP Clients.

  2. Take note of the entitlement code. You can use the entitlement code to activate the ETP desktop or mobile client that you plan to distribute with a device management solution.

  3. Select the Configuration tab.

  4. To forward DNS traffic to ETP, toggle Enable ETP Client to on.

  5. To allow users to disable the client, enable Allow Users to Disable ETP Client.

  6. To allow Windows users to uninstall ETP Client from their machines, enable Allow Uninstall on Windows. If you want to require that users enter an entitlement code to disable the client, enable Disable with Admin Approval.

  7. To allow automatic security patch upgrades to ETP Clients in your network, enable Automatic Upgrades for Critical Patches.

  8. Toggle the ETP Client Logging field off if you want to partially disable client logging so that the URLs and IP addresses accessed by the end users are not revealed.

  9. To have ETP Client intercept traffic, direct DNS traffic to ETP resolvers, and direct web traffic to ETP Proxy without modifying browser or operating system settings, enable Transparent traffic interception.

  10. To allow non-HTTP traffic to bypass the proxy, select Bypass Non-HTTP Traffic. When this setting is enabled, like all traffic directed to the proxy, non-HTTP traffic goes through the origin ports configured in the policy. However, ETP Proxy does not intercept, scan, or break non-HTTP traffic.

  11. To configure ETP Client as the local proxy on the user's machine, for the Configure ETP Client as local computer web proxy setting, select Yes. Otherwise, you can select Only if there's no local proxy or No.

  12. To configure the port that's used by ETP Client to listen for traffic, enter the port number. By default, ETP Client listens for traffic on port 8080.

  13. Click Save. To save and deploy the settings, click Save and Deploy.

Next steps

Configure local bypass settings

In the Local Bypass Settings page, you configure the traffic that you want end users to access while they are protected by ETP. This includes networks that are set up with ETP Client, DNS Forwarder, HTTP Forwarder, and ETP Proxy.

The traffic you specify is not directed to ETP cloud. This traffic bypasses ETP and is directed to another resolver, such as a local or public resolver.

These conditions apply when defining IP addresses and DNS suffixes:

  • If DNS suffixes are configured in ETP, the client does not check the threat status of domains with these suffixes because they are internal to the corporate network.

  • If internal IPv4 or IPv6 addresses are configured, these IP addresses are preferred over public IP addresses. For example, this applies if both internal and public IP addresses are returned by DNS servers in a split DNS network topology.

📘

HTTP Forwarder does not support IP addresses that are configured in the Local Bypass Settings. As a result, these IP addresses will not bypass HTTP Forwarder.

Options are also available for you to add the IP ranges or blocks that are reserved on the Internet for private or internal networks as defined by RFC 1918 and RFC 4193.

  • If an administrator selects to add RFC 1918 IP addresses, these IPv4 ranges are added: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

  • If an administrator selects to add RFC 4193 IP addresses, the IPv6 block FC00::/7 is added.
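As an added example, not Akamai's code, a model of the bypass decision described above: whether a destination hostname or IP literal matches the configured DNS suffixes, the RFC 1918 ranges, or the RFC 4193 block, and how internal addresses are preferred over public ones when a split DNS resolver returns both. The suffixes in bypassConfig are constructed placeholders.

```javascript
// Added example, not Akamai's code: models the local bypass decision.
// Constructed configuration mirroring the Local Bypass Settings page.
var bypassConfig = {
  dnsSuffixes: ["corp.example", "intranet.example"],            // placeholder suffixes
  ipv4Cidrs: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"], // "Add RFC 1918 IPs"
  ipv6Fc00: true                                                // "Add RFC 4193 IPs"
};
// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer (null if not IPv4).
function ipv4ToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) { return null; }
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) { return null; }
    n = n * 256 + Number(parts[i]);
  }
  return n;
}
// True when the IPv4 address lies inside the CIDR block "a.b.c.d/len".
function inCidr4(ip, cidr) {
  var addr = ipv4ToInt(ip), base = ipv4ToInt(cidr.split("/")[0]);
  var len = Number(cidr.split("/")[1]);
  if (addr === null || base === null) { return false; }
  var mask = len === 0 ? 0 : (0xFFFFFFFF << (32 - len)) >>> 0;
  return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
}
// A hostname matches a configured suffix when it equals it or is a subdomain of it.
function matchesSuffix(host, suffix) {
  host = host.toLowerCase(); suffix = suffix.toLowerCase();
  return host === suffix || host.slice(-(suffix.length + 1)) === "." + suffix;
}
// Decide whether traffic to a destination (hostname or IP literal) bypasses ETP.
function bypassesEtp(dest, cfg) {
  if (ipv4ToInt(dest) !== null) {
    return cfg.ipv4Cidrs.some(function (c) { return inCidr4(dest, c); });
  }
  if (dest.indexOf(":") !== -1) {
    // FC00::/7: the textual form of any address in the block starts with fcXX: or fdXX:
    return cfg.ipv6Fc00 && /^f[cd][0-9a-f]{2}:/i.test(dest);
  }
  return cfg.dnsSuffixes.some(function (s) { return matchesSuffix(dest, s); });
}
// Split DNS: when a resolver returns both internal and public addresses for a
// name, the configured internal addresses are used first.
function preferInternal(answers, cfg) {
  var internal = answers.filter(function (a) { return bypassesEtp(a, cfg); });
  var external = answers.filter(function (a) { return !bypassesEtp(a, cfg); });
  return internal.concat(external);
}
```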

For ETP Client, you can:

  • Specify your corporate email domains. These domains are used to authorize users in your organization who will receive an email invitation for ETP Client activation. Make sure you do not provide the domain of a public email provider such as Gmail.

  • Specify Windows applications that end users can access. Traffic from these applications is not directed to ETP.

📘

If you plan to enable walled garden for ETP Client when it's in an unprotected state, you must configure walled garden exceptions in the Local Bypass Settings page. For instructions on configuring these exceptions, see Enable walled garden and Configure walled garden exceptions.

To configure local bypass settings:

  1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > Local Bypass Settings.

    📘

    You can also access these settings from the ETP Client Configuration tab (Clients & Connectors > ETP Clients). In the Corporate Network area, click the Edit icon. You are directed to the Local Bypass Settings page.

  2. To enter the domains and DNS suffixes that you don’t want directed to ETP, expand the Domains section and enter domains and DNS suffixes in the provided field.

  3. To enter IP addresses of traffic that you don't want directed to ETP, expand the IP Addresses section and enter IP addresses in the provided field.

    • To add IP address ranges that are reserved for private networks as defined by RFC 1918, click Add RFC 1918 IPs.

    • To add the address block that is reserved for private IPv6 networks as defined by RFC 4193, click Add RFC 4193 IPs.

  4. To enter the domains that are permitted to receive one-time activation codes for ETP Client, expand the Email Domains section and enter the corporate domains used for email. Make sure you provide domains that are used by authorized users only. Do not enter public domains that are accessible to unauthorized users.

  5. To enter the domains and IP addresses that you want users to access if ETP Client is in an unprotected state:

    • Expand the Domains Allowed in Walled Garden section and enter the domains and DNS suffixes in the provided field.

    • Expand the IP Addresses Allowed in Walled Garden section, and enter the IP addresses in the provided field.

  6. To configure Windows application traffic you don’t want directed to ETP Client, expand the Windows Application section and complete these steps:

    1. In the Process Name field, enter a name for the application.

    2. Enter the file path to the application.

    3. Select whether you want ETP to validate or not to validate the digital signature.

    4. If you chose to validate the signature, enter the Publisher name and the Issuer of the Signature.

    📘

    You can upload a CSV file that contains information for Windows applications. To download the CSV with the columns you need, click the download icon. Open the CSV file, enter Windows application information, and click the upload icon to upload the CSV file. The applications you provide in the CSV file are added to the Windows Applications section.

  7. Click Save. To save and deploy these settings, click Save and Deploy.

Next steps
If you haven’t deployed these settings, make sure you deploy them to the ETP network. For instructions, see Deploy configuration changes.

