Update enterprise firewall, on-premise proxy, and allowlists

Depending on your organization's security infrastructure and what your company uses to restrict network access, you must configure your firewall, proxy server, or allowlists to allow access to specific ports, IP addresses, and ETP Client domains. An on-premise proxy server may require that you modify the proxy auto-config (PAC) file.

These domains, IP addresses, and ports are required to automatically upgrade from a ETP Client version that is later than 1.2.2.

How to

Update your firewall, proxy server, or allowlists to allow access to these domains, IP addresses, and ports.
Domain or IP Address Protocol Port Direction
dnsclient.etp.akamai.com TCP 443 Outbound
etpcas.akamai.com TCP 443 Outbound
*.r11.dot.dns.akasecure.net

This is the firewall setting for DNS over TLS (DoT).

 TCP 443 or 853

The port configuration depends on the port that’s selected for DoT in the policy.

 Outbound
  • <ETPDNS_IPv4_1>
  • <ETPDNS_IPv4_2>
  • <ETPDNS_IPv6_1>
  • <ETPDNS_IPv6_2>
where:
  • <ETPDNS_IPv4_1> and <ETPDNS_IPv4_2> are the primary and secondary IPv4 addresses of the ETP DNS servers.
  • <ETPDNS_IPv6_1> and <ETPDNS_IPv6_2> are the primary and secondary IPv6 addresses of the ETP DNS servers.

    These DNS servers are assigned to your ETP account.

UDP 53 Outbound

If ETP Client cannot forward requests to ETP because outbound UDP port 53 is blocked in your firewall, the local DNS server handles requests. The end user machine is protected only when it’s on the corporate network where the enterprise resolver is configured to forward DNS queries to ETP. ETP Client cannot report the machine name in this situation. As a result, threat events reported for ETP Client machines will not contain the machine name. To better protect end user machines and generate useful reporting data, in the enterprise firewall, make sure that you open outbound UDP port 53 to the primary and secondary ETP DNS servers.

Next steps

Install ETP Client. See ETP Client installation.