Prepare for ETP Client setup

Whether you plan to set up the desktop or mobile version of ​ETP Client​ or use the client on a user’s personal device, initial configuration tasks are required for the client. Before you set up ​ETP Client​, complete these tasks.

To prepare for ​ETP Client​ setup:

  1. Make sure your enterprise firewall allows traffic for endpoints that are required by ​ETP Client​. For more information, see Update enterprise firewall, on-premise proxy, and allowlists.

  2. Assign a policy to the Off-Network ​ETP Client​s location. For more information, see Assign a policy to the off-network location.

  3. To use ​ETP Client​ with the full web proxy, enable the proxy in your policies. Depending on whether your deployment includes an on-premises proxy, you can also configure ​ETP Client​ as a proxy on the client computer. For more information, see Enable full web proxy.

    📘

    If you do not install version 3.0.4 or later of the client, you cannot direct web traffic from ​ETP Client​ to the proxy. In this situation, the full web proxy is only available if you have an on-premises proxy that directs traffic from ​ETP Client​ to the proxy.

  4. To secure connections from ​ETP Client​ to ​SIA​ with DoT, select the DoT mode in the policy settings. By default, the mode is Always Attempt. You can change this setting and select the port that’s used. For instructions, see Configure DoT settings.

    📘

    Make sure you enable DoT in policies that are associated with the mobile client.

  5. Configure the behavior of ​ETP Client​. For more information, see Configure ​ETP Client​.

  6. Complete these steps:

    1. Configure the internal IP addresses and DNS suffixes that end users can access in the corporate network.

    2. If you plan to let users activate ​ETP Client​ on their device, you need to specify the corporate email domains that are associated with the users who will activate the client.

    3. Configure trusted Windows applications that you want users with the client to access in the corporate network. Traffic from these applications is not directed to ​SIA​.

    For instructions, see Configure local bypass settings.

  7. To use ​SIA​ Proxy, you need to distribute the MITM TLS certificate to your devices. For more information, see Distribute the ​SIA​ Proxy certificate and Distribute ​SIA​ mobile client.

Next Steps:

Update enterprise firewall, on-premise proxy, and allowlists

Depending on your organization's security infrastructure and what your company uses to restrict network access, you need to configure your firewall, proxy server, or allowlists to allow access to specific ports, IP addresses, and ​ETP Client​ domains. An on-premise proxy server may require that you modify the PAC file.

These domains, IP addresses, and ports are required to automatically upgrade ​ETP Client​.

To update enterprise firewall, on-premise proxy, and allowlists:

Update your firewall, proxy server, or allowlists to allow access to these domains, IP addresses, and ports.

| Domain or IP address | Protocol | Port | Direction |
| --- | --- | --- | --- |
| dnsclient.etp.akamai.com | TCP | 443 | Outbound |
| etpcas.akamai.com | TCP | 443 | Outbound |
| nevada.proxy.akaetp.net (connections to SIA Proxy) | TCP | 443 | Outbound |
| Any other origin | TCP | Configured with the bypass action in the SIA policy, using the ports configured in the SIA policy | Outbound |
| *.akaetp.net (firewall setting for DoT) | TCP | 443 or 853; the port depends on the port selected for DoT in the policy | Outbound |
| <ETPDNS_IPv4_1>, <ETPDNS_IPv4_2>, <ETPDNS_IPv6_1>, <ETPDNS_IPv6_2> (the SIA DNS servers, see below) | UDP | 53 | Outbound |
| localhost, for communication between ETP Client processes (no need to expose outside of the machine) | UDP | 5560, 6000, 6005, 6500, and 7500 | Inbound |

where:

  • <ETPDNS_IPv4_1> and <ETPDNS_IPv4_2> are the primary and secondary IPv4 addresses of the SIA DNS servers.

  • <ETPDNS_IPv6_1> and <ETPDNS_IPv6_2> are the primary and secondary IPv6 addresses of the SIA DNS servers.

These DNS servers are assigned to your SIA account.

If ​ETP Client​ cannot forward requests to ​SIA​ because outbound UDP port 53 is blocked in your firewall, the local DNS server handles requests. The end user machine is protected only when it's on the corporate network where the enterprise resolver is configured to forward DNS queries to ​SIA​. ​ETP Client​ cannot report the device name in this situation. As a result, threat events reported for ​ETP Client​ machines will not contain the machine name. To better protect end user machines and generate useful reporting data, in the enterprise firewall, make sure that you open outbound UDP port 53 to the primary and secondary ​SIA​ DNS servers.
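As an added example (not Akamai's code or tooling), the following script audits an egress rule set against the allowlist above, deriving the required flows from the DoT port selected in the policy and flagging the blocked UDP 53 case just described. The rule tuple format and the SIA DNS addresses are assumptions.

```python
"""Check an egress rule set against the ETP Client allowlist above (added
example, not Akamai's code). A rule is (destination, protocol, port): the
destination is a hostname, a wildcard like "*.akaetp.net", an IP or a CIDR;
protocol is "TCP", "UDP" or "any"; port is a number, (low, high) or "any"."""
import ipaddress
from fnmatch import fnmatchcase

def required_flows(dot_port, sia_dns):
    """Outbound flows from the table, for the DoT port chosen in the policy."""
    if dot_port not in (443, 853):
        raise ValueError("DoT port must be 443 or 853")
    flows = [("dnsclient.etp.akamai.com", "TCP", 443),
             ("etpcas.akamai.com", "TCP", 443),
             ("nevada.proxy.akaetp.net", "TCP", 443),   # SIA Proxy
             ("*.akaetp.net", "TCP", dot_port)]         # DNS over TLS
    return flows + [(ip, "UDP", 53) for ip in sia_dns]  # plain DNS to SIA

def _dest_covered(rule_dest, flow_dest):
    try:
        net = ipaddress.ip_network(rule_dest, strict=False)
    except ValueError:
        # name or wildcard rule; fnmatch's "*" also matches dots, so
        # "*.akamai.com" covers "dnsclient.etp.akamai.com"
        return rule_dest == flow_dest or fnmatchcase(flow_dest, rule_dest)
    try:
        return ipaddress.ip_address(flow_dest) in net
    except ValueError:
        return False  # an IP or CIDR rule cannot cover a hostname

def _port_covered(rule_port, port):
    if isinstance(rule_port, tuple):
        return rule_port[0] <= port <= rule_port[1]
    return rule_port == "any" or rule_port == port

def missing_flows(rules, dot_port, sia_dns):
    """Required flows that no rule covers."""
    return [f for f in required_flows(dot_port, sia_dns)
            if not any(_dest_covered(d, f[0]) and p in ("any", f[1])
                       and _port_covered(pt, f[2]) for d, p, pt in rules)]

def dns_reporting_degraded(missing):
    """True if UDP 53 to an SIA DNS server is blocked: the local resolver
    then answers and threat events lack the device name (see above)."""
    return any(p == "UDP" and pt == 53 for _, p, pt in missing)

# Constructed sample: the policy selects DoT port 853, but the firewall only
# opens TCP 443 to Akamai names. SIA DNS addresses are placeholders here.
SIA_DNS = ["192.0.2.10", "192.0.2.11", "2001:db8::10", "2001:db8::11"]
SAMPLE_RULES = [("*.akamai.com", "TCP", 443), ("*.akaetp.net", "TCP", 443)]
```

Running `missing_flows(SAMPLE_RULES, 853, SIA_DNS)` on the sample reports the missing TCP 853 flow and the four UDP 53 flows; widening the rules to cover them empties the list.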

Next steps

Assign a policy to the off-network location.

Assign a policy to the off-network location

Before you begin
Make sure that the external IP addresses of all exit points or gateways in the corporate network are configured as locations in ​SIA​. These locations allow ​SIA​ to determine when traffic is coming from devices that are on or off the corporate network. To add or modify a location, see Create a location.

An ​SIA​ administrator needs to assign a policy to the off-network location. This ensures that the appropriate security and access control settings are applied when end users attempt to access content outside the corporate network. If necessary, you can also create a new policy. For instructions on creating a policy, see Create a policy.

To assign a policy to the off-network location:

  1. In the Threat Protection menu of Enterprise Center, select Locations > Locations.

  2. Go to the Off Network ​ETP Client​s location and click the chain icon.

  3. Select a policy from the menu.

  4. Click the check mark icon and select Save. To deploy the location with the save operation, select Save and Deploy.

Next Steps
If you haven’t deployed this update to the ​SIA​ network, make sure you deploy it. For instructions, see Deploy configuration changes.

Configure DoT settings

DoT secures DNS requests that are forwarded from ​ETP Client​ to ​SIA​ DNS. This traffic is protected with TLS encryption. By default, the DoT mode is set to Always Attempted. This mode means that ​ETP Client​ always attempts to use DoT. You can also select from these additional modes:

  • Required: Indicates that DoT is required. If the DoT connection cannot be established, the client shows that the device is not protected.

  • Disabled: Indicates that DoT is not used to secure DNS traffic from ​ETP Client​.

When configuring DoT, you can also select the port that’s used for DoT. By default, ​ETP Client​ uses port 443. However, you also can select port 853. If you use port 853, make sure this port is available and allowed in your firewall.

To configure DoT settings:

  1. To edit a policy:

    1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

    2. Click the policy that you want to modify.

  2. Go to the Settings tab.

  3. In the ETP Client Settings section:

    1. Select a mode from the DNS-over-TLS mode menu.

    2. Select a port from the DNS-over-TLS port menu.

  4. Click Save. If you want to save and deploy the policy, click Save and Deploy.

Next Steps

  1. If you haven’t deployed the policy, make sure you deploy it to the ​SIA​ network. For instructions, see Deploy configuration changes.

  2. Configure ​ETP Client​

Configure ​ETP Client​

An ​SIA​ administrator configures the behavior of ​ETP Client​. These settings are applied in approximately 10 minutes to all distributed ​ETP Client​s in your network. For more information on these settings, see ​ETP Client​ configuration settings.

To configure ​ETP Client​:

  1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > ​ETP Client​.

  2. Take note of the entitlement code. You can use the entitlement code to activate the desktop or mobile client that you plan to distribute with a device management solution.

  3. Select the Configuration tab.

  4. To forward DNS traffic to ​SIA​, toggle Enable ​SIA​ Client to on.

  5. To allow users to disable the client, enable Allow Users to Disable ​ETP Client​.

  6. To allow Windows users to uninstall ​ETP Client​ from their machines, enable Allow Uninstall on Windows. If you want to require that users enter an entitlement code to disable the client, enable Disable with Admin Approval.

  7. To allow automatic security patch upgrades to clients in your network, enable Automatic Upgrades for Critical Patches.

  8. Toggle the ​ETP Client​ Logging field off if you want to partially disable client logging so that the URLs and IP addresses accessed by the end users are not revealed.

  9. To have ​ETP Client​ intercept traffic, direct DNS traffic to ​SIA​ resolvers, and direct web traffic to ​SIA​ Proxy without modifying browser or operating system settings, enable Transparent traffic interception.

  10. To allow non-HTTP traffic to bypass the proxy, select Bypass Non-HTTP Traffic. When this setting is enabled, non-HTTP traffic goes through the origin ports configured in the policy, like all other traffic directed to the proxy. However, SIA Proxy does not intercept, scan, or break non-HTTP traffic.

  11. To configure ​ETP Client​ as the local proxy on the user's machine, for the Configure ​ETP Client​ as local computer web proxy setting, select Yes. Otherwise, you can select Only if there's no local proxy or No.

  12. To configure the port on which ETP Client listens for traffic, enter the port number. By default, ETP Client listens for traffic on port 8080.

  13. Click Save. To save and deploy the settings, click Save and Deploy.

Next steps

Configure local bypass settings

In the Local Bypass Settings page, you configure the traffic that you want end users to access while they are protected by ​SIA​. This includes networks that are set up with ​ETP Client​, DNS Forwarder, HTTP Forwarder, and ​SIA​ Proxy.

The traffic you specify is not directed to ​SIA​ cloud. This traffic bypasses ​SIA​ and is directed to another resolver, such as a local or public resolver.

These conditions apply when defining IP addresses and DNS suffixes:

  • If DNS suffixes are configured in ​SIA​, the client does not check the threat status of domains with these suffixes because they are internal to the corporate network.

  • If internal IPv4 or IPv6 addresses are configured, these IP addresses are preferred over public IP addresses. For example, this applies if both internal and public IP addresses are returned by DNS servers in a split DNS network topology.

📘

HTTP Forwarder does not support IP addresses that are configured in the Local Bypass Settings. As a result, these IP addresses will not bypass HTTP Forwarder.

Options are also available for you to add the IP ranges or blocks that are reserved on the Internet for private or internal networks as defined by RFC 1918 and RFC 4193.

  • If an administrator selects to add RFC 1918 IP addresses, these IPv4 ranges are added: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

  • If an administrator selects to add RFC 4193 IP addresses, the IPv6 block FC00::/7 is added.
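The bypass conditions listed above, modelled as an added example that is not Akamai's code (the client's real implementation is not public): suffix matching on whole labels, the RFC 1918 and RFC 4193 blocks, and the preference for internal answers in a split DNS setup. The suffix, IP entries and DNS answers are constructed sample data.

```python
"""Model of the local bypass rules above: DNS-suffix bypass, the RFC 1918 and
RFC 4193 private ranges, and preferring internal answers over public ones in
a split DNS topology. Added example, not Akamai's code; the client's actual
implementation is not public. Suffixes and DNS answers are constructed."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC4193 = [ipaddress.ip_network("fc00::/7")]

class LocalBypass:
    def __init__(self, dns_suffixes=(), ip_entries=(),
                 add_rfc1918=False, add_rfc4193=False):
        # suffixes are normalised to lower case without leading/trailing dots
        self.suffixes = [s.lower().strip(".") for s in dns_suffixes]
        # entries may be single addresses or CIDR blocks
        self.networks = [ipaddress.ip_network(e, strict=False) for e in ip_entries]
        if add_rfc1918:
            self.networks += RFC1918
        if add_rfc4193:
            self.networks += RFC4193

    def domain_bypassed(self, name):
        """True if name is a configured suffix or a subdomain of one; such
        names are internal and are not sent to SIA for a threat check.
        Matching is on whole labels, so "evilcorp.example.com" does not
        match the suffix "corp.example.com"."""
        n = name.lower().strip(".")
        return any(n == s or n.endswith("." + s) for s in self.suffixes)

    def ip_internal(self, ip):
        """True if ip falls in a configured internal address or block."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def select_answers(self, answers):
        """Answers the client should use for a name. When a split DNS
        setup returns both internal and public addresses, the internal
        ones are preferred; otherwise the answers are returned unchanged."""
        internal = [a for a in answers if self.ip_internal(a)]
        return internal if internal else list(answers)

# Constructed sample configuration
BYPASS = LocalBypass(dns_suffixes=["corp.example.com"],
                     ip_entries=["198.51.100.0/24"],
                     add_rfc1918=True, add_rfc4193=True)
```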

For ​ETP Client​, you can:

  • Specify your corporate email domains. These domains are used to authorize users in your organization who will receive an email invitation for ​ETP Client​ activation. Make sure you do not provide the domain of a public email provider such as Gmail.

  • Specify Windows applications that end users can access. Traffic from these applications is not directed to ​SIA​.

📘

If you plan to enable walled garden for ​ETP Client​ when it's in an unprotected state, you must configure walled garden exceptions in the Local Bypass Settings page. For instructions on configuring these exceptions, see Enable walled garden and Configure walled garden exceptions.

To configure local bypass settings:

  1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > Local Bypass Settings.

    📘

    You can also access these settings from the ​SIA​ Client Configuration tab (Clients & Connectors > ​ETP Client​s). In the Corporate Network area, click the Edit icon. You are directed to the Local Bypass Settings page.

  2. To enter the domains and DNS suffixes that you don’t want directed to ​SIA​, expand the Domains section and enter domains and DNS suffixes in the provided field.

  3. To enter IP addresses of traffic that you don't want directed to ​SIA​, expand the IP Addresses section and enter IP addresses in the provided field.

    • To add IP address ranges that are reserved for private networks as defined by RFC 1918, click Add RFC 1918 IPs.

    • To add the address block that is reserved for private IPv6 networks as defined by RFC 4193, click Add RFC 4193 IPs.

  4. To enter the domains that are permitted to receive one-time activation codes for ​ETP Client​, expand the Email Domains section and enter the corporate domains used for email. Make sure you provide domains that are used by authorized users only. Do not enter public domains that are accessible to unauthorized users.

  5. To enter the domains and IP addresses that you want users to access if ​ETP Client​ is in an unprotected state:

    • Expand the Domains Allowed in Walled Garden section and enter the domains and DNS suffixes in the provided field.

    • Expand the IP Addresses Allowed in Walled Garden section, and enter the IP addresses in the provided field.

  6. If you're using transparent traffic interception for ​ETP Client​, you can configure Windows application traffic you don’t want directed to ​ETP Client​. Expand the Windows Application section and complete these steps:

    1. In the Process Name field, enter a name for the application.

    2. Enter the file path to the application. To find the full file path, you can view the application file properties.

    3. Select whether you want SIA to validate the digital signature of the application.

    4. If you chose to validate the signature, enter the Publisher name and the Issuer of the Signature. You can find this information by viewing Digital Signature Details of the Windows application. Digital Signature information is available in the application properties.

      You can enter the full name or the partial name of the Issuer. For example, if the Issuer is ​Akamai Technologies, Inc.​, you can enter ​Akamai​.

    📘

    You can upload a CSV file that contains information for Windows applications. To download the CSV with the columns you need, click the download icon. Open the CSV file, enter Windows application information, and click the upload icon to upload the CSV file. The applications you provide in the CSV file are added to the Windows Applications section.

  7. Click Save. To save and deploy these settings, click Save and Deploy.

Next steps
If you haven’t deployed these settings, make sure you deploy them to the ​SIA​ network. For instructions, see Deploy configuration changes.