Guide

Prepare for Zero Trust Client setup

Suggest Edits

Before you install the client, complete these initial configuration tasks.

Update enterprise firewall, on-premise proxy, and allowlists

Depending on your organization's security infrastructure and what your company uses to restrict network access, you need to configure your firewall, proxy server, or allowlists to allow access to specific ports, IP addresses, and hostnames. An on-premise proxy server may require that you modify the PAC file.

If you have a web proxy or next-generation firewall (NGFW) deployed in your environment, you may also need to configure your network settings to bypass SSL inspection and authentication for ​Akamai​ domains. This ensures direct and uninterrupted connectivity to ​Akamai​ services.

These domains, IP addresses, and ports are required for ZTC components to communicate with relevant services.
Update your firewall, proxy server, or allowlists to allow access to the following domains, IP addresses, and ports.

To see a complete list of domains and IP addresses that you need to allow for other SIA and EAA services, refer to SIA documentation and EAA documentation.

Zero Trust Client

📘

Note that the akamai-zt.com subdomains listed below are subject to change. We recommend that you allow the following wildcard domain: *.akamai-zt.com to proactively enable access to any future domains ​Akamai​ may add. This ensures that new or changed domains don't require that you update your firewall rules.

Domain or IP AddressDescriptionProtocolPortDirection
registration.akamai-zt.com

Connections to ZTC registration service

TCP 443 Outbound
epms.akamai-zt.com

Control channel of ZTC configuration

TCP 443 Outbound
client-inventory-service.akamai-zt.com

Client inventory service for ZTC

TCP 443 Outbound
etpcas.akamai.com Control channel of the client TCP 443 Outbound
client.akamai-zt.com Core client functionality TCP 443 Outbound
ipinfo.io IP address data for diagnostic purposes when running a full diagnostic TCP 443 Outbound
connector-repository.akamai-zt.com Access connector repository TCP 443 Outbound

Threat Protection

Domain or IP AddressDescriptionProtocolPortDirection
  • <SIADNS_IPv4_1>
  • <SIADNS_IPv4_2>
  • <SIADNS_IPv6_1>
  • <SIADNS_IPv6_2>

    where:

    • <SIADNS_IPv4_1> and <SIADNS_IPv4_2> are the primary and secondary IPv4 addresses of the ​​SIA​ DNS servers.
    • <SIADNS_IPv6_1> and <SIADNS_IPv6_2> are the primary and secondary IPv6 addresses of the ​​SIA​​ DNS servers.

      These DNS servers are assigned to your ​​SIA​​ account.

SIA DNS Servers UDP 53 Outbound
nevada.proxy.akaetp.net Connections to ​​SIA​​ Proxy TCP 443 Outbound
*.akaetp.net HTTP data path of the proxy

DoT connection for the client.

TCP The port you need to allow depends on the port that’s configured in the SIA policy. In a policy, you can select port 443 or 853 for DoT. Outbound
dnsclient.etp.akamai.com Connectivity probe for the client when it’s enabled for Threat Protection TCP 443 Outbound
etpclient<configID>.akadns.net

where <configID> is the configuration ID.

If you prefer, you can specify *.akadns.net instead.

DNS probe for the client when it’s enabled for Threat Protection TCP 53, 443 Outbound
UDP 53
<config_ID>.dot.akaetp.net

where <config_ID> is the configuration ID.

Domain for DNS over TLS (DoT) TCP 853 or 443

The port configuration depends on the port selected for DoT in the policy.

Outbound
*.o.lencr.org OCSP Servers used for DoT.

Allow this domain when DoT is enabled in the SIA policy for the client

TCP 80 Outbound
*.c.lencr.org Used for CRL distribution.

Allow this domain when DoT is enabled in the SIA policy for the client. This domain allows your system to access the CA distribution points.

TCP 80 Outbound

Access

Domain or IP AddressDescriptionProtocolPortDirection
<Your_IDP_URL> Connection to your IDP TCP 443 Outbound
127.50.100.1

Device internal traffic control. Sends Access configuration information to ZTC.

Internal device traffic remains within your local network and doesn't require any firewall configuration changes.

TCP 9078 Inbound
100.64.0.1

Device internal DNS interception for Access.

Internal device traffic remains within your local network and doesn't require any firewall configuration changes.

UDP 53 Inbound
  • signal.dps.akamai-access.com
  • signal-t.dps.akamai-access.com
 Connection to Device Posture services TCP 443 Outbound

<Agent_Smith_URL>

agentsmith.akamai-access.com by default

Log reporting TCP 443 Outbound

FQDNs and IP addresses used by ​Zero Trust Client​

You may need to configure these FQDN (fully qualified domain names) and IP addresses into your corporate proxy, secure web gateway or similar equipment.

  • Authentication endpoint

    • Local system endpoint: 100.64.0.1

    • ​Akamai​ authentication portal endpoints. FQDN is the URL of the ​Akamai​ ZTC IdP. IP address depends on where the ZTC IdP cloud zone is. To have proper connectivity from ​Zero Trust Client​ Cloud to the connector, you should allow certain IPs. Please contact support to learn more.

    • Third-party IdP endpoint. Check with your vendor. For example, for Azure AD the FQDN is login.microsoftonline.com.

  • EAA Cloud log collector service endpoint

agentsmith.akamai-access.com: 13.57.60.83 and 13.57.46.53

  • Application endpoints

    • External application endpoints. FQDN is the application external hostname as configured in ​Akamai Control Center​.

    • Local FQDN: application internal hostname.

    • Local IP ranges that ​Zero Trust Client​ uses to intercept traffic for tunnel applications/wildcard domains: 100.64.0.0/11.

    • Local IP ranges that ​Zero Trust Client​ uses to intercept traffic for TCP applications: 127.[10-255].0.0..

  • ​Zero Trust Client​ network interface works with 100.64.0.1.

  • Device Posture. Allow the following static URLs if you use Device Posture with ​Zero Trust Client​:

    https://signal.dps.akamai-access.com
    https://signal-t.dps.akamai-access.com
    https://etpcas.akamai.com

Updated about 2 months ago