Firewall and external IP address requirements

All connections to the internet made by Idaptive Identity Service (including Idaptive Connector and mobile management) are outbound in nature. No internet facing ingress ports are required. All outbound connections are made via TCP to either port 80 or 443 and should not have any restrictions.

To provide the redundancy and availability of an always available Identity Service, the destination resource, IP address, and host for outbound connections will vary over time amongst thousands of addresses. Additionally, the range of which also changes as new resources are provisioned or removed.

Use of deep packet inspection filtering of HTTPS or SSL traffic by web proxies or security software may cause connectivity issues with Idaptive Identity Service. In all cases, the ports and addresses discussed below should be excluded from packet inspection to allow for normal service operation.

Option 1: Whitelist Source

Given the variability of connection targets, the simplest whitelist configuration is typically one where filters are based on the traffic source. Specifically, it relates to configurations where you allow all outbound traffic from the host machine and account running the Idaptive Connector and for outbound requests made by iOS, Android, and Mac clients. This whitelist may be scoped at the machine, or machine + account, or machine + account + process level depending on the feature set of the security appliance or process in place.

Option 2: Whitelist Source Ports

You can also use a whitelist configuration where all outbound traffic on ports 80 and 443 is allowed from the host machine and account running the Idaptive Connector, as well as outbound requests made by iOS, Android, and Mac clients. This whitelist may be scoped at the machine, or machine + account, or machine + account + process level depending on the feature set of the security appliance or process in place.

Option 3: Whitelist Destination

If destination whitelisting is required, you can whitelist outbound ports or TCP Relay IP ranges.

Do not delete any Idaptive related IP and Hostnames until you are successfully up and running on the Idaptive cloud.

Port numbers Resource

443

*.idaptive.app

80

www.public-trust.com

80

privacy-policy.truste.com

80

ocsp.verisign.com

If whitelisting an entire domain (*.idaptive.com and *.idaptive.app) is not acceptable per security policy, then you need to whitelist the TCP Relay IP ranges for your relevant Idaptive Identity Service tenant region. Refer to https://www.microsoft.com/en-us/download/details.aspx?id=41653 for a list of Microsoft Azure datacenter IP ranges by region.

AWS Tenants

If your tenant is on Amazon Web Services (AWS) servers, then you need to whitelist the IP ranges for your relevant Idaptive Identity Service tenant region. Download the relevant file that contains the IP address ranges information from https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html.

Use the table below to find the AWS TCPRelay IP address ranges for each tenant's region:

Region IP Address Range
US East

3.14.30.0/27 (adding 4 May 2019)

18.216.13.0/26

34.236.32.192/26

34.236.241.0/29

34.214.243.200/29

US West

13.56.112.160/29

13.56.112.192/26

34.215.186.192/26

34.214.243.200/29

Canada

35.183.13.0/26

35.182.14.200/29

Europe

18.194.95.128/26

18.194.95.32/29

34.245.82.128/26

34.245.82.72/29

35.176.92.72/29

35.176.92.128/26

Brazil

18.231.105.192/26

18.231.194.0/29

Australia

13.211.166.128/26

13.211.12.240/29

Japan

13.231.6.128/26

13.231.6.96/26

Singapore

13.250.186.64/26

13.250.186.24/29