Prepare for ETP Client setup
Whether you plan to set up the desktop or mobile version of ETP Client or use the client on a user’s personal device, initial configuration tasks are required for the client. Before you set up ETP Client, complete these tasks.
To prepare for ETP Client setup:
- Make sure your enterprise firewall allows traffic for endpoints that are required by ETP Client. For more information, see Update enterprise firewall, on-premise proxy, and allowlists.
- Assign a policy to the Off-Network ETP Clients location. For more information, see Assign a policy to the off-network location.
- To use ETP Client with the full web proxy, enable the proxy in your policies. Depending on whether your deployment includes an on-premises proxy, you can also configure ETP Client as a proxy on the client computer. For more information, see Enable full web proxy.
  If you do not install version 3.0.4 or later of the client, you cannot direct web traffic from ETP Client to the proxy. In this situation, the full web proxy is only available if you have an on-premises proxy that directs traffic from ETP Client to the proxy.
- To secure connections from ETP Client to SIA with DoT, select the DoT mode in the policy settings. By default, the mode is Always Attempt. You can change this setting and select the port that's used. For instructions, see Configure DoT settings.
  Make sure you enable DoT in policies that are associated with the mobile client.
- Configure the behavior of ETP Client. For more information, see Configure ETP Client.
- Complete these steps:
  - Configure the internal IP addresses and DNS suffixes that end users can access in the corporate network.
  - If you plan to let users activate ETP Client on their device, specify the corporate email domains that are associated with the users who will activate the client.
  - Configure trusted Windows applications that you want users with the client to access in the corporate network. Traffic from these applications is not directed to SIA.
  For instructions, see Configure local bypass settings.
- To use SIA Proxy, you need to distribute the MITM TLS certificate to your devices. For more information, see Distribute the SIA Proxy certificate and Distribute SIA mobile client.
Next Steps:
- If you want to set up ETP Client on a computer or laptop, see Set up the desktop client.
- If you want to distribute the mobile client to mobile devices, see Distribute SIA mobile client.
- If you want to allow users to activate ETP Client on a personal device, see Bring your own device (BYOD) support.
- If you want to set up Zero Trust Client and enable it with the Threat Protection capabilities of ETP Client, see Zero Trust Client.
Update enterprise firewall, on-premise proxy, and allowlists
Depending on your organization's security infrastructure and what your company uses to restrict network access, you need to configure your firewall, proxy server, or allowlists to allow access to specific ports, IP addresses, and ETP Client domains. An on-premise proxy server may require that you modify the PAC file.
If you have a web proxy or next-generation firewall (NGFW) deployed in your environment, you may also need to configure your network settings to bypass SSL inspection and authentication for Akamai domains. This ensures direct and uninterrupted connectivity to Akamai services.
These domains, IP addresses, and ports are required to automatically upgrade ETP Client.
Update your firewall, proxy server, or allowlists to allow access to these domains, IP addresses, and ports.
Domain or IP Address | Description | Protocol | Port | Direction |
---|---|---|---|---|
dnsclient.etp.akamai.com | Connectivity probe for ETP Client | TCP | 443 | Outbound |
etpclient<configID>.akadns.net, where <configID> is the configuration ID | ETP Client DNS probe | TCP | 53, 443 | Outbound |
etpclient<configID>.akadns.net | ETP Client DNS probe | UDP | 53 | Outbound |
etpcas.akamai.com | Control channel of ETP Client | TCP | 443 | Outbound |
nevada.proxy.akaetp.net | Connections to SIA Proxy | TCP | 443 | Outbound |
Any other origin | Origins configured with a bypass action in the policy | TCP | The origin ports configured in the policy | Outbound |
*.akaetp.net | DoT connection for ETP Client 3.2.0 or later | TCP | 443 or 853, depending on the port selected for DoT in the policy | Outbound |
*.o.lencr.org | OCSP servers used for DoT. Allow this domain when DoT is enabled for ETP Client. | TCP | 80 | Outbound |
*.c.lencr.org | CRL distribution points used for DoT. Allow this domain when DoT is enabled for ETP Client so that the system can reach the CA distribution points. | TCP | 80 | Outbound |
SIA DNS servers (the primary and secondary servers assigned to your SIA account) | DNS requests forwarded to SIA DNS | UDP | 53 | Outbound |
localhost | Ports for communication between ETP Client processes (no need to expose outside of the machine) | UDP | 5560, 6000, 6005, 6500, 7500 | Inbound |
If ETP Client cannot forward requests to SIA because outbound UDP port 53 is blocked in your firewall, the local DNS server handles requests. The end user machine is protected only when it's on the corporate network where the enterprise resolver is configured to forward DNS queries to SIA. ETP Client cannot report the device name in this situation. As a result, threat events reported for ETP Client machines will not contain the machine name. To better protect end user machines and generate useful reporting data, in the enterprise firewall, make sure that you open outbound UDP port 53 to the primary and secondary SIA DNS servers.
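The following script is an added example, not Akamai code, that turns the allowlist table above into a pre-flight check you can run from a client machine before rolling out ETP Client. It derives the endpoints from the table, then tests each one the way the client reaches it: a TCP connect for ports 53 and 443, a TLS handshake on the DoT port you selected in the policy (see Configure DoT settings), and a real DNS query over UDP 53 so that the "outbound UDP 53 blocked" fallback described above shows up as a timeout rather than going unnoticed. Values the page does not state are parameters and are assumptions: your configuration ID, the SIA DNS server addresses assigned to your account, and the concrete resolver name under *.akaetp.net used for DoT. The OCSP and CRL hosts under *.o.lencr.org and *.c.lencr.org are only given as wildcards, so they are not probed.

```python
"""Pre-flight connectivity check for the ETP Client allowlist (added example, not Akamai code)."""
import random
import socket
import ssl
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str
    proto: str  # "tcp" (connect), "tls" (TLS handshake) or "udp-dns" (UDP 53 query)
    port: int
    note: str


def required_endpoints(config_id, sia_dns_servers=(), dot_enabled=True, dot_port=443, dot_host=None):
    """Endpoints from the allowlist table. dot_host is the *.akaetp.net resolver name for
    your account (an assumption; the page lists only the wildcard)."""
    probe = f"etpclient{config_id}.akadns.net"
    eps = [
        Endpoint("dnsclient.etp.akamai.com", "tcp", 443, "connectivity probe"),
        Endpoint(probe, "tcp", 53, "DNS probe"),
        Endpoint(probe, "tcp", 443, "DNS probe"),
        Endpoint(probe, "udp-dns", 53, "DNS probe"),
        Endpoint("etpcas.akamai.com", "tcp", 443, "control channel"),
        Endpoint("nevada.proxy.akaetp.net", "tcp", 443, "SIA Proxy"),
    ]
    eps += [Endpoint(ip, "udp-dns", 53, "SIA DNS server") for ip in sia_dns_servers]
    if dot_enabled:
        if dot_port not in (443, 853):
            raise ValueError("DoT port must be 443 or 853, matching the policy")
        if dot_host:
            eps.append(Endpoint(dot_host, "tls", dot_port, "DoT, ETP Client 3.2.0+"))
    return eps


def build_dns_query(name, txid):
    """Minimal DNS A query (RD=1, one question) with the given transaction ID."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_dns_response(data, txid):
    """Return (is_response, rcode, answer_count), or None if the ID does not match."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an = struct.unpack("!HHHH", data[:8])
    if rid != txid:
        return None
    return bool(flags & 0x8000), flags & 0x000F, an


def check_tcp(ep, timeout=3.0):
    try:
        with socket.create_connection((ep.host, ep.port), timeout=timeout):
            return True, "connected"
    except OSError as exc:
        return False, str(exc)


def check_tls(ep, timeout=3.0):
    ctx = ssl.create_default_context()  # verifies the server certificate, as a DoT client must
    try:
        with socket.create_connection((ep.host, ep.port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=ep.host) as tls:
                return True, tls.version()
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)


def check_udp_dns(ep, timeout=3.0, name="dnsclient.etp.akamai.com"):
    """Send one UDP query to the endpoint (IPv4 only, for brevity). A timeout here is the
    'outbound UDP 53 blocked' case: the client would fall back to the local resolver."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_dns_query(name, txid), (ep.host, ep.port))
            data, _ = sock.recvfrom(512)
        except OSError as exc:
            return False, str(exc)
    parsed = parse_dns_response(data, txid)
    if parsed is None or not parsed[0]:
        return False, "no valid response"
    return True, f"rcode={parsed[1]} answers={parsed[2]}"


CHECKS = {"tcp": check_tcp, "tls": check_tls, "udp-dns": check_udp_dns}


def run_checks(endpoints, checks=CHECKS):
    """Run the check matching each endpoint's protocol. `checks` is injectable so the
    report logic can be exercised without network access."""
    return [(ep, *checks[ep.proto](ep)) for ep in endpoints]


def blocked(results):
    return [ep for ep, ok, _detail in results if not ok]


if __name__ == "__main__":
    # Constructed sample values: replace with your own configuration ID, SIA DNS servers and DoT name.
    eps = required_endpoints("12345", sia_dns_servers=("192.0.2.53",), dot_port=853)
    for ep, ok, detail in run_checks(eps):
        print(f"{'OK  ' if ok else 'FAIL'} {ep.proto:7} {ep.host}:{ep.port} ({ep.note}) {detail}")
```

Run it once on the corporate network and once off-network (for example tethered to a phone); any endpoint that fails only in one place points at the firewall or proxy in that path. If you switch the DoT port to 853, rerun with `dot_port=853` so the new port is tested before the policy is deployed.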
Zero Trust Client
If your organization uses Zero Trust Client (ZTC) and has enabled the Threat Protection service, in addition to the domains that are required for ETP Client, you must also allow these domains.
To see a complete list of domains and IP addresses that you need to allow for other ZTC services, see the Zero Trust Client documentation.
The akamai-zt.com subdomains listed below are subject to change with little or no notice. Make sure you allow the wildcard domain *.akamai-zt.com to proactively enable access to any future domains Akamai may add. This ensures that new or changed domains do not require you to update your firewall rules.
Domain or IP Address | Description | Protocol | Port | Direction |
---|---|---|---|---|
registration.akamai-zt.com | Connections to ZTC registration service | TCP | 443 | Outbound |
epms.akamai-zt.com | Control channel of ZTC configuration | TCP | 443 | Outbound |
client-inventory-service.akamai-zt.com | Client inventory service for ZTC | TCP | 443 | Outbound |
client.akamai-zt.com | Core client functionality | TCP | 443 | Outbound |
ipinfo.io | IP address data. Used for diagnostic purposes when running a full diagnostic. | TCP | 443 | Outbound |
connector-repository.akamai-zt.com | Access connector repository | TCP | 443 | Outbound |
Next steps
Assign a policy to the off-network location.
Assign a policy to the off-network location
Before you begin
Make sure that the external IP addresses of all exit points or gateways in the corporate network are configured as locations in SIA. These locations allow SIA to determine when traffic is coming from devices that are on or off the corporate network. To add or modify a location, see Create a location.
An SIA administrator needs to assign a policy to the off-network location. This ensures that the appropriate security and access control settings are applied when end users attempt to access content outside the corporate network. If necessary, you can also create a new policy. For instructions on creating a policy, see Create a policy.
To assign a policy to the off-network location:
- In the Threat Protection menu of Enterprise Center, select Locations > Locations.
- In the Off Network Client Policy setting at the top of the page, select the policy. The deploy window appears.
- In the confirmation window, describe the change you made and click Deploy.
Next Steps
If you haven’t deployed this update to the SIA network, make sure you deploy it. For instructions, see Deploy configuration changes.
Configure DoT settings
DoT secures DNS requests that are forwarded from ETP Client to SIA DNS. This traffic is protected with TLS encryption. By default, the DoT mode is set to Always Attempt. In this mode, ETP Client always attempts to use DoT and falls back to unencrypted DNS if the DoT connection cannot be established. You can also select from these additional modes:
- Required: DoT is required. If the DoT connection cannot be established, the client shows that the device is not protected.
- Disabled: DoT is not used to secure DNS traffic from ETP Client.
When configuring DoT, you can also select the port that's used for DoT. By default, ETP Client uses port 443. However, you can also select port 853. If you use port 853, make sure this port is available and allowed in your firewall.
Before you begin:
For DoT on ETP Client, make sure you allow the OCSP server in your firewall. It is also recommended that you allow the CRL domains. For more information, see Update enterprise firewall, on-premise proxy, and allowlists.
To configure DoT settings:
- To edit a policy:
  - In the Threat Protection menu of Enterprise Center, select Policies > Policies.
  - Click the policy that you want to modify.
- Go to the Settings tab.
- In the ETP Client Settings area:
  - Select a mode from the DNS-over-TLS mode menu.
  - Select a port from the DNS-over-TLS port menu.
- Click Save. If you want to save and deploy the policy, click Save and Deploy.
Next Steps
- If you haven't deployed the policy, make sure you deploy it to the SIA network. For instructions, see Deploy configuration changes.
Configure ETP Client
An SIA administrator configures the behavior of ETP Client. These settings are applied in approximately 10 minutes to all distributed ETP Clients in your network. For more information on these settings, see ETP Client configuration settings.
To configure ETP Client:
- In the Threat Protection menu of Enterprise Center, select Clients & Connectors > ETP Client.
- Take note of the entitlement code. You can use the entitlement code to activate the desktop or mobile client that you plan to distribute with a device management solution.
- Select the Configuration tab.
- To forward DNS traffic to SIA, toggle Enable ETP Client to on.
- To allow users to disable the client, enable Allow users to disable the client.
- To allow users to disable the client with an entitlement code, enable Allow disable action with an entitlement code.
- To allow Windows users to uninstall ETP Client from their machines, enable Allow Uninstall on Windows.
- To allow automatic security patch upgrades to clients in your network, enable Automatic Upgrades for Critical Patches.
- To partially disable client logging so that the URLs and IP addresses accessed by end users are not recorded, turn off the Log Traffic setting.
- To have ETP Client intercept traffic, direct DNS traffic to SIA resolvers, and direct web traffic to SIA Proxy without modifying browser or operating system settings, enable Transparent traffic interception.
- If you enable transparent traffic interception, you can block traffic that uses QUIC, the transport protocol used by HTTP/3. To block QUIC traffic, enable Block QUIC. If this toggle is not enabled, the client bypasses QUIC traffic, and it is not directed to the proxy.
  This setting applies to Zero Trust Client 5.1 or later when it's enabled for Threat Protection. It does not apply to supported versions of ETP Client.
- To allow non-HTTP traffic to bypass the proxy, select Bypass Non-HTTP Traffic. When this setting is enabled, non-HTTP traffic still goes through the origin ports configured in the policy, like all traffic directed to the proxy, but SIA Proxy does not intercept, scan, or decrypt (break) it.
- To configure ETP Client as the local proxy on the user's machine, for the Configure client as local computer web proxy setting, select Yes. Otherwise, select Only if there's no local proxy or No.
- To configure the port on which ETP Client listens for traffic when it acts as the local proxy, enter the port number. By default, ETP Client listens on port 8080.
- Click Save. To save and deploy the settings, click Save and Deploy.
Next steps
- Configure the internal IP addresses and DNS suffixes that end users can access in the corporate network. See Configure local bypass settings.
- If you haven't deployed these settings, make sure you deploy them to the SIA network. For instructions, see Deploy configuration changes.
Configure local bypass settings
In the Local Bypass Settings page, you configure the traffic that you want end users to access while they are protected by SIA. This includes networks that are set up with ETP Client, DNS Forwarder, HTTP Forwarder, and SIA Proxy.
The traffic you specify is not directed to the SIA cloud. This traffic bypasses SIA and is directed to another resolver, such as a local or public resolver.
These conditions apply when defining IP addresses and DNS suffixes:
- If DNS suffixes are configured in SIA, the client does not check the threat status of domains with these suffixes because they are internal to the corporate network.
- If internal IPv4 or IPv6 addresses are configured, these IP addresses are preferred over public IP addresses. For example, this applies if both internal and public IP addresses are returned by DNS servers in a split DNS network topology.
  HTTP Forwarder does not support IP addresses that are configured in the Local Bypass Settings. As a result, these IP addresses do not bypass HTTP Forwarder.
- When configuring domains and IP addresses in the local bypass settings, keep in mind that the proxy bypass settings of the operating system allow only 2064 characters on Windows devices and 679 characters on macOS devices. This character limit does not apply if you've enabled transparent traffic interception for the client.
Options are also available for you to add the IP ranges or blocks that are reserved for private or internal networks as defined by RFC 1918 and RFC 4193:
- If an administrator selects to add RFC 1918 IP addresses, these IPv4 ranges are added: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
- If an administrator selects to add RFC 4193 IP addresses, the IPv6 block FC00::/7 is added.
For ETP Client or Zero Trust Client, you can:
- Specify your corporate email domains. These domains are used to authorize users in your organization when they request an activation code from the client. Do not provide the domain of a public email provider such as Gmail: anyone with an address in that domain could request a code.
- Specify Windows applications that end users can access. Traffic from these applications is not directed to SIA.
  If you plan to enable walled garden for ETP Client when it's in an unprotected state, you must configure walled garden exceptions in the Local Bypass Settings page. For instructions on configuring these exceptions, see Enable walled garden and Configure walled garden exceptions.
- Specify the network interfaces that you don't want directed to Zero Trust Client when it's enabled for transparent traffic interception on Windows. A network interface can be a VPN that you want to coexist with the client. You specify the hardware IDs that are associated with a network interface.
To configure local bypass settings:
- In the Threat Protection menu of Enterprise Center, select Clients & Connectors > Local Bypass Settings.
  You can also access these settings from the SIA Client Configuration tab (Clients & Connectors > ETP Clients). In the Corporate Network area, click the Edit icon. You are directed to the Local Bypass Settings page.
- To enter the domains and DNS suffixes that you don't want directed to SIA, expand the Domains section and enter domains and DNS suffixes in the provided field.
- To enter IP addresses of traffic that you don't want directed to SIA, expand the IP Addresses section and enter IP addresses in the provided field.
  - To add the IP address ranges that are reserved for private networks as defined by RFC 1918, click Add RFC 1918 IPs.
  - To add the address block that is reserved for private IPv6 networks as defined by RFC 4193, click Add RFC 4193 IPs.
- To enter the domains that are permitted to receive requested one-time activation codes for ETP Client, expand the Email Domains section and enter the corporate domains used for email. Make sure you provide domains that are used by authorized users only. Do not enter public domains that are accessible to unauthorized users.
- To enter the domains and IP addresses that you want users to access if ETP Client is in an unprotected state:
  - Expand the Domains Allowed in Walled Garden section and enter the domains and DNS suffixes in the provided field.
  - Expand the IP Addresses Allowed in Walled Garden section and enter the IP addresses in the provided field.
- If you've enabled transparent traffic interception for Zero Trust Client, you can enter the hardware IDs that are associated with network interfaces you don't want directed to the client. A network interface can be a VPN that you want to use in the same environment as the client. This setting applies to the client on Windows only.
  - Expand the Network Interface section.
  - Enter the hardware IDs in the provided text box. To learn how to find this information, see Find the hardware ID of a network interface on Windows.
- If you're using transparent traffic interception for ETP Client, you can configure Windows application traffic that you don't want directed to ETP Client. Expand the Windows Application section and complete these steps:
  - In the Process Name field, enter the process name of the application.
  - Enter the file path to the application. To find the full file path, view the application's file properties.
  - Select whether you want SIA to validate the application's digital signature.
  - If you chose to validate the signature, enter the Publisher name and the Issuer of the Signature. You can find this information by viewing Digital Signature Details of the Windows application. Digital signature information is available in the application properties.
    You can enter the full name or a partial name of the Issuer. For example, if the Issuer is Akamai Technologies, Inc., you can enter Akamai.
  You can also upload a CSV file that contains information for Windows applications. To download a CSV with the columns you need, click the download icon. Open the CSV file, enter the Windows application information, and click the upload icon to upload the file. The applications you provide in the CSV file are added to the Windows Applications section.
- Click Save. To save and deploy these settings, click Save and Deploy.
Next steps
If you haven’t deployed these settings, make sure you deploy them to the SIA network. For instructions, see Deploy configuration changes.
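The following linter is an added example, not Akamai code, that applies the conditions from the Local Bypass Settings description and procedure above to a draft of the settings before you paste them into Enterprise Center: IP entries must parse; the RFC 1918 and RFC 4193 ranges expand exactly as the page lists them, so an entry already inside a selected range is flagged as redundant; the operating-system proxy bypass string must fit the 2064-character (Windows) and 679-character (macOS) limits unless transparent traffic interception is on; email domains must not belong to a public provider; and a Windows application with signature validation needs both a Publisher and an Issuer, where the Issuer may be a partial name. The bypass-list separators used to measure length and the public-provider list beyond Gmail are assumptions, as are the field names of the two dataclasses.

```python
"""Pre-flight linter for Local Bypass Settings (added example, not Akamai code)."""
import ipaddress
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC4193 = [ipaddress.ip_network("fc00::/7")]
OS_BYPASS_LIMIT = {"windows": 2064, "macos": 679}
# Assumption: separator of the OS proxy-bypass list, used only to measure the string length.
OS_SEPARATOR = {"windows": ";", "macos": ","}
# The page names Gmail; the other providers are illustrative additions.
PUBLIC_EMAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "yahoo.com"}


@dataclass
class WindowsApp:
    process_name: str
    path: str
    validate_signature: bool
    publisher: str = ""
    issuer: str = ""


@dataclass
class LocalBypass:
    domains: list = field(default_factory=list)       # domains and DNS suffixes
    ips: list = field(default_factory=list)           # addresses or CIDR blocks, as typed
    add_rfc1918: bool = False
    add_rfc4193: bool = False
    email_domains: list = field(default_factory=list)
    windows_apps: list = field(default_factory=list)
    transparent_interception: bool = False


def expanded_networks(cfg):
    """Parse every IP entry and append the RFC ranges the administrator selected.
    Raises ValueError on an entry that is not an address or network."""
    nets = [ipaddress.ip_network(e, strict=False) for e in cfg.ips]
    if cfg.add_rfc1918:
        nets += RFC1918
    if cfg.add_rfc4193:
        nets += RFC4193
    return nets


def bypass_string(cfg, os_name):
    """The string the client would push into the OS proxy-bypass list."""
    sep = OS_SEPARATOR[os_name]
    return sep.join(cfg.domains + [str(n) for n in expanded_networks(cfg)])


def issuer_matches(configured, actual):
    """Partial, case-insensitive Issuer match: 'Akamai' matches 'Akamai Technologies, Inc.'."""
    return configured.strip().lower() in actual.lower()


def lint(cfg):
    """Return a list of human-readable problems; an empty list means the draft is clean."""
    problems = []
    try:
        expanded_networks(cfg)
        parse_ok = True
    except ValueError as exc:
        problems.append(f"ip: {exc}")
        parse_ok = False
    selected = (RFC1918 if cfg.add_rfc1918 else []) + (RFC4193 if cfg.add_rfc4193 else [])
    for entry in cfg.ips:  # entries already inside a selected RFC range are redundant
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue
        for rng in selected:
            if net.version == rng.version and net.subnet_of(rng):
                problems.append(f"ip: {entry} is already covered by {rng}")
    if parse_ok and not cfg.transparent_interception:
        for os_name, limit in OS_BYPASS_LIMIT.items():
            length = len(bypass_string(cfg, os_name))
            if length > limit:
                problems.append(f"bypass list is {length} characters, over the {os_name} limit of {limit}")
    for dom in cfg.email_domains:
        if dom.lower() in PUBLIC_EMAIL_DOMAINS:
            problems.append(f"email: {dom} is a public provider; anyone with such an address could request an activation code")
    for app in cfg.windows_apps:
        if not app.process_name or not app.path:
            problems.append("app: process name and file path are required")
        if app.validate_signature and not (app.publisher and app.issuer):
            problems.append(f"app {app.process_name}: signature validation needs both Publisher and Issuer")
    return problems


if __name__ == "__main__":
    # Constructed sample draft, not a real tenant's settings.
    draft = LocalBypass(
        domains=["corp.example", "intranet.example"],
        ips=["10.20.30.0/24", "192.0.2.7"],
        add_rfc1918=True,
        email_domains=["example.com", "gmail.com"],
        windows_apps=[WindowsApp("app.exe", r"C:\Program Files\App\app.exe", True, "Example Corp", "")],
    )
    for problem in lint(draft):
        print("-", problem)
```

The length check matters most for clients without transparent traffic interception: once the combined domain and IP list exceeds the OS limit, the entries past the limit silently stop bypassing the proxy, so trimming redundant entries (such as a /24 that is already inside 10.0.0.0/8) is the first thing to do when the linter reports an overrun.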
Find the hardware ID of a network interface on Windows
If you enabled transparent traffic interception for the Zero Trust Client on Windows and your organization uses a separate VPN, you can have this traffic bypass the client. To do this, you need the hardware ID of the VPN. You then enter this information into the Local Bypass Settings.
To find the hardware ID of the VPN on Windows:
- Right-click the Start menu and select Device Manager.
- In the list, select the VPN, right-click it, and select Properties.
- Select the Details tab.
- In the Property menu, select Hardware Ids. The Hardware ID value or values appear.
Next Steps:
Add the hardware ID of the VPN to the network interface section of the Local Bypass Settings. For instructions, see Configure local bypass settings.
Updated 4 months ago