
How to Configure a Firewall for Specops Authentication

Specops Authentication is the hybrid cloud platform that underpins uReset, Secure Service Desk, and Key Recovery. This article details the network requirements for connecting to the Specops cloud.

Customers are strongly encouraged to configure allowlists based on URL/hostname, as IP addresses are subject to change.

Gatekeeper Server URLs

The Gatekeeper server enables connections to your on-prem Active Directory servers by establishing an outbound TLS-encrypted connection initiated from your internal network. Each Gatekeeper server will need access to the following URLs in order to establish a connection to the cloud:

North America Data Center

URL                                  Description                Protocol   Port
https://gk.specopssoft.com           Service endpoint           TCP        443
https://login.specopssoft.com        Web endpoint               TCP        443
http://x1.c.lencr.org                Let's Encrypt CRL          TCP        80
https://download.specopssoft.com *   Static software downloads  TCP        443
http://crl.godaddy.com               GoDaddy CRL                TCP        80

EU Data Center

URL                                  Description                Protocol   Port
https://eu.gk.specopssoft.com        Service endpoint           TCP        443
https://eu.login.specopssoft.com     Web endpoint               TCP        443
http://x1.c.lencr.org                Let's Encrypt CRL          TCP        80
https://download.specopssoft.com *   Static software downloads  TCP        443
http://crl.godaddy.com               GoDaddy CRL                TCP        80

* IP addresses for this host are dynamic and depend on the CDN provider. You can use https://cachecheck.opendns.com to view many of the IP addresses currently in use.

Proxy/SSL Inspection Requirements

Gatekeepers can use a web proxy to access these URLs. If proxy authentication is required, ensure that both the administrator installing the Gatekeeper and the Gatekeeper service account are authorized, and that no captive portal is in the path.

SSL inspection/MITM certificates are not supported. If the certificate presented for these URLs has been modified in any way, the Gatekeeper server will refuse to connect.

To confirm your connection is properly configured, browse to https://login.specopssoft.com from a browser on your Gatekeeper server and inspect the certificate the server presents.

The steps vary by browser. In Microsoft Edge, click the padlock in the address bar, then Connection is secure.

Finally, click the certificate icon to view the certificate details.

The certificate issuer should match what is shown here.
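The same check, scripted for every Gatekeeper endpoint in the North America table above, as an added example that is not part of this article or of Specops' own tooling. It assumes direct outbound connectivity from the Gatekeeper server (no proxy handling), and the expected issuer pattern is a placeholder you replace with the issuer shown in the article's certificate details; a hostname that presents a different issuer is the signature of SSL inspection, which the Gatekeeper refuses.

```powershell
# Added example: reachability and certificate-issuer check for Gatekeeper endpoints.
# Run on the Gatekeeper server. Not Specops tooling; assumes no proxy in the path.
$ExpectedIssuerPattern = 'REPLACE-WITH-EXPECTED-ISSUER'   # placeholder: copy the issuer from the article's screenshot

# North America Gatekeeper endpoints from the article (swap for the EU hosts if applicable)
$Endpoints = @(
    @{ Host = 'gk.specopssoft.com';       Port = 443 },
    @{ Host = 'login.specopssoft.com';    Port = 443 },
    @{ Host = 'download.specopssoft.com'; Port = 443 },
    @{ Host = 'x1.c.lencr.org';           Port = 80  },
    @{ Host = 'crl.godaddy.com';          Port = 80  }
)

function Get-LeafCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($HostName, $Port)
    # Accept whatever certificate is presented: the point is to see it, not to trust it.
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($HostName)   # SNI is sent for the hostname
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
}

foreach ($ep in $Endpoints) {
    $tcpOk = (Test-NetConnection -ComputerName $ep.Host -Port $ep.Port -WarningAction SilentlyContinue).TcpTestSucceeded
    if (-not $tcpOk) {
        Write-Host ("[FAIL] {0}:{1} not reachable (firewall or proxy rule missing)" -f $ep.Host, $ep.Port) -ForegroundColor Red
        continue
    }
    if ($ep.Port -ne 443) {
        Write-Host ("[ OK ] {0}:{1} reachable (plain HTTP CRL endpoint)" -f $ep.Host, $ep.Port)
        continue
    }
    $cert   = Get-LeafCertificate -HostName $ep.Host -Port $ep.Port
    $status = if ($cert.Issuer -like "*$ExpectedIssuerPattern*") { ' OK ' } else { 'WARN' }
    Write-Host ("[{0}] {1}:443 issuer = {2}  thumbprint = {3}" -f $status, $ep.Host, $cert.Issuer, $cert.Thumbprint)
    if ($status -eq 'WARN') {
        Write-Host '       Issuer differs from the expected one: SSL inspection is likely, and the Gatekeeper will refuse this connection.' -ForegroundColor Yellow
    }
}
```

Until the placeholder is replaced, every HTTPS endpoint reports WARN; compare the printed issuer with the one shown in the browser's certificate details to decide whether an inspection certificate is in play.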

End User URLs

End users (including users of the Specops Authentication client), administrators, and service desk users accessing the Specops Authentication Web will need access to the following URLs:

North America Data Center

URL                                          Description          Protocol   Port
https://login.specopssoft.com                Web endpoint         TCP        443
https://js.specopsauthentication.com         Web endpoint         TCP        443
https://trust.specopsauthentication.com      Web endpoint         TCP        443
http://x1.c.lencr.org/                       Let's Encrypt CRL    TCP        80

EU Data Center

URL                                          Description          Protocol   Port
https://eu.login.specopssoft.com             Web endpoint         TCP        443
https://eu.js.specopsauthentication.com      Web endpoint         TCP        443
https://eu.trust.specopsauthentication.com   Web endpoint         TCP        443
http://x1.c.lencr.org/                       Let's Encrypt CRL    TCP        80

If end users or workstations are behind a proxy that requires authentication, it may be necessary to bypass proxy authentication for these URLs, so that users who cannot authenticate because of a password problem can still reach the Reset Password web page.

IP Address Allowlists

Specops does not recommend IP address based allowlists; wherever possible, use the URLs specified in this article.

If you must use IP address rules, allow both Gatekeepers and end users access to the following address spaces. More granular filtering is not supported, as the exact IPs within these ranges are subject to change at any time.

These IPs do not cover the download.specopssoft.com URL (Geo Load Balanced) or the certificate CRLs.

North America Data Center

  • 52.180.65.88/29 (Azure US West)
  • 40.71.57.208/29 (Azure US East)

EU Data Center:

  • 13.79.75.152/29 (Azure North Europe)
  • 74.234.213.168/29 (Azure West Europe)

Multi Domain Environments

If you have a multi-domain setup that is firewalled, ensure that the ports listed below are allowed from the Gatekeeper(s) to all of the domain controllers in the target trusted domain.

Service     Protocol   Port
LDAP        TCP        389, 636
SMB2        TCP        445
Kerberos    TCP        88, 464
DNS         TCP/UDP    53

Publication date: July 28, 2020
Modification date: November 5, 2024
