How to Configure a Firewall for Specops Authentication
Specops Authentication is the hybrid cloud platform that is the foundation for uReset, Secure Service Desk, and Key Recovery. This article details the network requirements for connecting to the Specops cloud.
Customers are strongly encouraged to configure allowlists based on URL/hostname, as IP addresses are subject to change.
Gatekeeper Server URLs
The Gatekeeper server enables connections to your on-prem Active Directory servers by establishing an outbound TLS-encrypted connection initiated from your internal network. Each Gatekeeper server will need access to the following URLs in order to establish a connection to the cloud:
North America Data Center
URL | Description | Protocol | Port |
---|---|---|---|
https://gk.specopssoft.com | Service endpoint | TCP | 443 |
https://login.specopssoft.com | Web endpoint | TCP | 443 |
http://x1.c.lencr.org | Let's Encrypt CRL | TCP | 80 |
https://download.specopssoft.com* | Static software downloads | TCP | 443 |
http://crl.godaddy.com | GoDaddy CRL | TCP | 80 |
EU Data Center
URL | Description | Protocol | Port |
---|---|---|---|
https://eu.gk.specopssoft.com | Service endpoint | TCP | 443 |
https://eu.login.specopssoft.com | Web endpoint | TCP | 443 |
http://x1.c.lencr.org | Let's Encrypt CRL | TCP | 80 |
https://download.specopssoft.com* | Static software downloads | TCP | 443 |
http://crl.godaddy.com | GoDaddy CRL | TCP | 80 |
*IP addresses are dynamic and depend on the CDN provider. You can use https://cachecheck.opendns.com to view many of the IP addresses.
Proxy/SSL Inspection Requirements
Gatekeepers can use a web proxy to access these URLs. If proxy authentication is required, ensure that both the administrator installing the Gatekeeper and the Gatekeeper service account are authorized to use the proxy, and that no captive portal sits in the path.
SSL inspection/MITM certificates are not supported. If the certificate presented for these URLs has been modified in any way (for example, re-issued by an inspection proxy), the Gatekeeper server will refuse to connect.
To confirm that your connection is configured correctly, browse to https://login.specopssoft.com from a browser on the Gatekeeper server and inspect the certificate it presents.
The steps here vary by browser. In Microsoft Edge, click the padlock in the address bar, then Connection is secure.
Finally, click the certificate icon to view the certificate details.
The certificate issuer should match what is shown here.
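The same check can be scripted on the Gatekeeper server without a browser. The PowerShell script below is an added example and not Specops tooling: it opens a TLS session to each HTTPS endpoint from the North America table, reports the issuer of the certificate it receives, and validates the chain against the Windows machine store with online revocation checking, which also exercises the CRL hosts in the table. The function names and the optional `-ProxyHost`/`-ProxyPort` handling (an unauthenticated HTTP CONNECT tunnel) are assumptions of this example; it expects Windows PowerShell 5.1 or later.

```powershell
# Added example, not Specops code. Run on the Gatekeeper server.
# Verifies that each HTTPS endpoint is reachable and presents an unmodified certificate.
# Optional: -ProxyHost/-ProxyPort tunnel the TLS session through an HTTP proxy with CONNECT
# (unauthenticated proxies only; adapt if your proxy requires credentials).
param(
    [string]$ProxyHost = '',
    [int]$ProxyPort = 8080
)

# Hosts from the North America table; use the eu.* hosts for the EU data center.
$endpoints = @('gk.specopssoft.com', 'login.specopssoft.com', 'download.specopssoft.com')

[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient
    if ($ProxyHost) {
        # Ask the proxy for a tunnel, then read its reply one byte at a time so that
        # no TLS bytes are consumed from the stream by accident.
        $client.Connect($ProxyHost, $ProxyPort)
        $stream  = $client.GetStream()
        $request = [System.Text.Encoding]::ASCII.GetBytes("CONNECT ${HostName}:${Port} HTTP/1.1`r`nHost: ${HostName}:${Port}`r`n`r`n")
        $stream.Write($request, 0, $request.Length)
        $reply = ''
        while ($reply -notmatch '\r\n\r\n$') {
            $b = $stream.ReadByte()
            if ($b -lt 0) { throw "Proxy closed the connection during CONNECT to $HostName" }
            $reply += [char]$b
        }
        if ($reply -notmatch '^HTTP/1\.[01] 200') {
            throw "Proxy refused CONNECT to ${HostName}: $($reply.Split("`n")[0].Trim())"
        }
    } else {
        $client.Connect($HostName, $Port)
        $stream = $client.GetStream()
    }

    # Accept whatever certificate is offered during the handshake; the chain is checked
    # separately in Test-CertificateChain so problems are reported instead of aborting.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($stream, $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        # Copy the certificate so it survives closing the connection
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation checking fetches CRLs, so a blocked CRL host shows up here as
    # RevocationStatusUnknown / OfflineRevocation (unless Windows already cached the CRL).
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $valid = $chain.Build($Certificate)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        ChainValid = $valid
        Status     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Root       = $root.Subject
    }
}

$results = foreach ($hostName in $endpoints) {
    try {
        $cert  = Get-RemoteCertificate -HostName $hostName
        $check = Test-CertificateChain -Certificate $cert
        [pscustomobject]@{
            Host       = $hostName
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            ChainValid = $check.ChainValid
            ChainRoot  = $check.Root
            Status     = $check.Status
        }
    } catch {
        # Connection refused, tunnel refused, or handshake failure: the reason lands in Status
        [pscustomobject]@{ Host = $hostName; Issuer = ''; NotAfter = $null; ChainValid = $false; ChainRoot = ''; Status = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize
```

Save it as a .ps1 file and run it as-is, or with `-ProxyHost proxy.example.local -ProxyPort 3128` (placeholder values) when the Gatekeeper must egress through a proxy. Compare the Issuer column with the issuer the article shows: an issuer naming your own organization's CA or a proxy product means the certificate is being replaced in transit, and the Gatekeeper will refuse to connect. Note that ChainValid can still be true in that case if the inspection root has been pushed into the machine store, so the issuer comparison, not chain validity alone, is the decisive check.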
End User URLs
End users (including users of the Specops Authentication client), administrators, and service desk users accessing the Specops Authentication Web will need access to the following URLs:
North America Data Center
URL | Description | Protocol | Port |
---|---|---|---|
https://login.specopssoft.com | Web endpoint | TCP | 443 |
https://js.specopsauthentication.com | Web endpoint | TCP | 443 |
https://trust.specopsauthentication.com | Web endpoint | TCP | 443 |
http://x1.c.lencr.org/ | Let's Encrypt CRL | TCP | 80 |
EU Data Center
URL | Description | Protocol | Port |
---|---|---|---|
https://eu.login.specopssoft.com | Web endpoint | TCP | 443 |
https://eu.js.specopsauthentication.com | Web endpoint | TCP | 443 |
https://eu.trust.specopsauthentication.com | Web endpoint | TCP | 443 |
http://x1.c.lencr.org/ | Let's Encrypt CRL | TCP | 80 |
If end users/workstations are behind a proxy that requires authentication, it may be necessary to bypass authentication for these URLs so that end users who cannot authenticate due to a password issue can still access the Reset Password web page.
IP Address Allowlists
Specops does not recommend IP-address-based allowlists; if at all possible, use the URLs specified in this article.
If you must use IP address rules, you must allow both Gatekeepers and end users access to the following IP address spaces. More granular filtering is not supported, as the exact IPs within these ranges are subject to change at any time.
These IPs do not cover the download.specopssoft.com URL (Geo Load Balanced) or the certificate CRLs.
North America Data Center
- 52.180.65.88/29 (Azure US West)
- 40.71.57.208/29 (Azure US East)
EU Data Center
- 13.79.75.152/29 (Azure North Europe)
- 74.234.213.168/29 (Azure West Europe)
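Because the exact addresses inside these ranges change, an IP-based rule set should be re-validated on a schedule. The PowerShell script below is an added example, not Specops tooling: it resolves the Specops hostnames from the tables above and reports any A record that falls outside the four published /29 ranges, so drift is caught before Gatekeepers or users lose connectivity. The CIDR helper functions and the host list are this example's own; download.specopssoft.com and the CRL hosts are left out on purpose because the article states the ranges do not cover them. It needs the DnsClient module (Windows 8 / Server 2012 or later).

```powershell
# Added example, not Specops code: checks that the addresses the Specops hostnames
# currently resolve to still fall inside the published /29 ranges.

# Ranges as listed in the article
$allowedRanges = @(
    '52.180.65.88/29',    # Azure US West
    '40.71.57.208/29',    # Azure US East
    '13.79.75.152/29',    # Azure North Europe
    '74.234.213.168/29'   # Azure West Europe
)
# Gatekeeper and end-user hosts from the tables; download.specopssoft.com and the CRL hosts
# are geo/CDN balanced and not covered by the ranges, so they are deliberately omitted.
$hostsToCheck = @(
    'gk.specopssoft.com', 'login.specopssoft.com',
    'js.specopsauthentication.com', 'trust.specopsauthentication.com',
    'eu.gk.specopssoft.com', 'eu.login.specopssoft.com',
    'eu.js.specopsauthentication.com', 'eu.trust.specopsauthentication.com'
)

function ConvertTo-AddressNumber {
    # Turns a dotted IPv4 address into a big-endian integer so masks can be applied
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [long]$n = 0
    foreach ($b in $bytes) { $n = ($n * 256) + $b }
    return $n
}

function Test-AddressInCidr {
    # True when $Address lies inside the IPv4 network given as 'a.b.c.d/prefix'
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $hostBits = 32 - [int]$prefix
    [long]$mask = 4294967295L -bxor ([long][math]::Pow(2, $hostBits) - 1)   # /29 -> 0xFFFFFFF8
    return (((ConvertTo-AddressNumber $Address) -band $mask) -eq ((ConvertTo-AddressNumber $network) -band $mask))
}

$report = foreach ($name in $hostsToCheck) {
    # Only A records: the ranges are IPv4, and CNAME rows in the answer are filtered out
    $records = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }
    if (-not $records) {
        [pscustomobject]@{ Host = $name; Address = ''; Covered = $false; Range = 'no A record / resolution failed' }
        continue
    }
    foreach ($r in $records) {
        $match = $allowedRanges | Where-Object { Test-AddressInCidr -Address $r.IPAddress -Cidr $_ } | Select-Object -First 1
        [pscustomobject]@{ Host = $name; Address = $r.IPAddress; Covered = [bool]$match; Range = $match }
    }
}

$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Covered }) {
    Write-Warning 'At least one address is outside the published ranges; review the IP-based firewall rules.'
}
```

Run it from a host that uses the same DNS resolvers as the Gatekeepers and end users, since CDN and geo-balanced names can answer differently per resolver. A row with Covered set to False is the signal that the IP rules no longer match what the hostname resolves to and that a switch to URL/hostname-based rules, or an updated range list from Specops, is needed.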
Multi Domain Environments
If you have a multi-domain setup with firewalls between domains, you will need to ensure that the ports listed below are allowed from the Gatekeeper(s) to all of the DCs in each target trusted domain.
Service | Protocol | Port |
---|---|---|
LDAP | TCP | 389,636 |
SMB2 | TCP | 445 |
Kerberos | TCP | 88,464 |
DNS | TCP/UDP | 53 |
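To verify these rules from a Gatekeeper server rather than reading firewall policy, the PowerShell script below (an added example, not Specops tooling) enumerates the domain controllers of a trusted domain through .NET DirectoryServices, tests every TCP port in the table with Test-NetConnection, and checks UDP 53 by sending a real DNS query to each DC, because Test-NetConnection only tests TCP. The parameter names, the service labels and the `-DomainController` override are this example's assumptions; `corp.example.com` is a placeholder. It needs the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later) and no RSAT.

```powershell
# Added example, not Specops code. Run on each Gatekeeper server.
# Tests the multi-domain ports from the table against every DC in a trusted domain.
param(
    [Parameter(Mandatory = $true)]
    [string]$TargetDomain,          # e.g. 'corp.example.com' (placeholder)
    [string[]]$DomainController     # optional: skip enumeration and test these DCs only
)

# TCP ports from the table. 636 is LDAP over TLS and 464 is Kerberos password change.
$tcpPorts = @{
    'LDAP'                  = 389
    'LDAPS'                 = 636
    'SMB2'                  = 445
    'Kerberos'              = 88
    'Kerberos (kpasswd)'    = 464
    'DNS/TCP'               = 53
}

if (-not $DomainController) {
    # Enumeration itself needs LDAP and DNS to the target domain; if it fails, pass -DomainController.
    $context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $TargetDomain)
    $domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($context)
    $DomainController = @($domain.DomainControllers | ForEach-Object { $_.Name })
}

$results = foreach ($dc in $DomainController) {
    foreach ($entry in ($tcpPorts.GetEnumerator() | Sort-Object Value)) {
        $t = Test-NetConnection -ComputerName $dc -Port $entry.Value -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Service = $entry.Key; Port = "$($entry.Value)/tcp"; Open = $t.TcpTestSucceeded }
    }
    # UDP 53: ask this DC directly (bypassing the local cache) for the domain's LDAP SRV record
    $answer = Resolve-DnsName -Name "_ldap._tcp.$TargetDomain" -Type SRV -Server $dc -DnsOnly -ErrorAction SilentlyContinue
    [pscustomobject]@{ DC = $dc; Service = 'DNS'; Port = '53/udp'; Open = ($null -ne $answer) }
}

$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Open } | ForEach-Object {
    Write-Warning "$($_.DC) port $($_.Port) ($($_.Service)) is not reachable from this Gatekeeper"
}
```

Run it as `.\Test-TrustedDomainPorts.ps1 -TargetDomain corp.example.com` (file name and domain are placeholders). A False in the Open column for a single DC usually points at a host-specific rule or an unreachable site, while False for every DC on one port points at the inter-domain firewall policy itself; either way the Gatekeeper may fail intermittently depending on which DC it locates, so fix every row rather than just one.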