Update enterprise firewall, on-premise proxy, and allowlists
These domains, IP addresses, and ports are required to automatically upgrade from an ETP Client version that is later than 1.2.2.
| Domain or IP Address | Protocol | Port | Direction |
|---|---|---|---|
Connections to ETP Proxy.
| Any other origin | TCP | Configured with bypass action in ETP policy, with ports configured in ETP policy. | Outbound |
This is the firewall setting for DNS over TLS (DoT).
| | TCP | 443 or 853 | |
The port configuration depends on the port selected for DoT in the policy.
| Ports to use for localhost communications between ETP Client processes (no need to expose outside of the machine). | UDP | 5560, 6000, 6005, 6500, and 7500 | Inbound |
If ETP Client cannot forward requests to ETP because outbound UDP port 53 is blocked in your firewall, the local DNS server handles requests. The end user machine is protected only when it’s on the corporate network where the enterprise resolver is configured to forward DNS queries to ETP. ETP Client cannot report the device name in this situation. As a result, threat events reported for ETP Client machines will not contain the machine name. To better protect end user machines and generate useful reporting data, in the enterprise firewall, make sure that you open outbound UDP port 53 to the primary and secondary ETP DNS servers.
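To confirm from an end user machine that the firewall change took effect, the following added example (not part of the ETP documentation or tooling) sends a real DNS query over outbound UDP port 53 and checks that the TCP port chosen for DoT accepts a connection. The server addresses and the DoT host are placeholders, because this page does not list them; the function names are hypothetical.

```python
import secrets
import socket
import struct

# Placeholders (assumptions): the page does not list these addresses.
ETP_DNS_SERVERS = ["<primary-etp-dns-ip>", "<secondary-etp-dns-ip>"]
DOT_ENDPOINT = ("<etp-dot-host>", 853)  # 443 or 853, per the DoT port in the policy


def build_query(name="example.com", txid=0x1234):
    """Build a minimal DNS A/IN query (RFC 1035) with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def udp53_open(server, port=53, timeout=2.0):
    """True only if a DNS response carrying our transaction ID comes back."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, port))
            s.send(build_query(txid=txid))
            reply = s.recv(512)
        except OSError:  # timeout, ICMP unreachable, or unresolved placeholder
            return False
    if len(reply) < 12:
        return False
    rid, flags = struct.unpack("!HH", reply[:4])
    return rid == txid and bool(flags & 0x8000)  # QR bit set means "response"


def tcp_open(host, port, timeout=2.0):
    """True if the TCP handshake to the DoT port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for server in ETP_DNS_SERVERS:
        print(f"UDP 53 -> {server}: {'open' if udp53_open(server) else 'BLOCKED'}")
    host, port = DOT_ENDPOINT
    print(f"TCP {port} -> {host}: {'open' if tcp_open(host, port) else 'BLOCKED'}")
```

A passing UDP check shows that some responder answered on port 53; on a network that transparently redirects DNS, it does not by itself prove the answer came from ETP.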