Configure your enterprise firewall

You must configure your enterprise firewall to allow or block specific domains and ports.

How to

  1. Update your enterprise firewall to allow traffic to these domains and ports. This table lists the domains that are required for specific ETP features.
    Hostname Description Protocol Port Direction
    *.akaetp.net
    Note: For Security Connector DNS Forwarder, dot is the Application-Layer Protector Navigation (ALPN).
    		HTTP data path of ETP Proxy

    DNS-over-TLS (DoT) connection for Security Connector DNS Forwarder and ETP Client 3.2.0 or later

    		 TCP

    For ETP Client, the port you must allow depends on the port that’s configured in the policy. In a policy, you can select port 443 or 853 for DoT.

    For DNS Forwarder, the port you must allow (443 or 853) depends on the port configured in Security Connector for a DNS Forwarder configuration.

    		 Outbound
    etpcas.akamai.com Control channel of ETP Client and Security Connector 443
    sinkhole-etp.akamaietp.net Control channel for Security Connector logs
    amg.nevada.akamai.com Control channel of Security Connector
    dnsclient.etp.akamai.com Connectivity probe for ETP Client
    Full hostname of identity provider Identity provider
    *.dialin.go.akamai-access.com Identity connectors
    error.etp.akamai.com ETP Error Pages 80
    *.akamai.com or Any IP Network Time Protocol (NTP) UDP 123
    • <ETPDNS_IPv4_1>
    • <ETPDNS_IPv4_2>

    OR

    • <ETPDNS_IPv6_1>
    • <ETPDNS_IPv6_2>
    where:
    • <ETPDNS_IPv4_1> and <ETPDNS_IPv4_2> are the primary and secondary IPv4 addresses of the ETP DNS servers.
    • <ETPDNS_IPv6_1> and <ETPDNS_IPv6_2> are the primary and secondary IPv6 addresses of the ETP DNS servers.

    These DNS servers are assigned to your ETP account.

    Only allow the IPv6 server addresses if your organization uses IPv6.

    		 ETP DNS Servers 53

    You should also allow access to all hostnames that you or another administrator configured with the bypass action. Hostnames with the bypass action are directed to the Internet and do not go through ETP Proxy.

    For instructions, see the product documentation for your organization’s enterprise firewall.

  2. If you want to prevent users from bypassing ETP and connecting directly to open recursive DNS servers on the Internet, block this port.
    Hostname Description Protocol Port Direction
    All Port where DNS servers listen for queries TCP / UDP 53 Outbound

    For instructions, see the product documentation for your organization’s enterprise firewall.