How to Configure a Firewall for Specops Authentication

Specops Authentication is the hybrid cloud platform that serves as the foundation for uReset, Secure Service Desk, and Key Recovery. This article details the network requirements for connecting to the Specops cloud.

Gatekeeper Servers

The Gatekeeper server enables connections to your on-prem Active Directory servers by establishing an outbound TLS-encrypted connection initiated from your internal network. Each Gatekeeper server will need access to the following hosts/URLs in order to establish a connection to the cloud:

North America Data Center

| URL | IP Address | Protocol | Port |
|---|---|---|---|
| https://gk.specopssoft.com | 100.25.107.188 | TCP | 443 |
| https://login.specopssoft.com | 34.229.31.169, 50.16.166.102 | TCP | 443 |
| http://crl.godaddy.com | | TCP | 80 |
| https://download.specopssoft.com | *Geo load balanced | TCP | 443 |

EU Data Center

| URL | IP Address | Protocol | Port |
|---|---|---|---|
| https://eu.gk.specopssoft.com | 40.115.100.238 | TCP | 443 |
| https://eu.login.specopssoft.com | 40.87.137.8 | TCP | 443 |
| http://crl.godaddy.com | | TCP | 80 |
| https://download.specopssoft.com | *Geo load balanced | TCP | 443 |

*IP addresses are dynamic based on CDN provider. You can use https://cachecheck.opendns.com to view many of the IP addresses.

Proxy/SSL Inspection Requirements

Gatekeepers can use a web proxy to access these URLs. If proxy authentication is required, ensure that both the administrator installing the Gatekeeper and the Gatekeeper service account are authorized and that no captive portals are required.

SSL inspection/MITM certificates are not supported. If the certificate presented for these URLs is not issued by Go Daddy Secure Certificate Authority – G2 the Gatekeeper server will refuse to connect.

In order to confirm your connection is properly configured, browse to https://login.specopssoft.com from a browser on your Gatekeeper server. Click in the address bar to view the certificate details (steps vary by browser; in Internet Explorer you can click the padlock to the right of the address bar). Confirm the certificate issuer is shown as expected.
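The same check can be scripted. The PowerShell below is an added example, not Specops tooling: it connects from the Gatekeeper server to the two North America Gatekeeper hosts on TCP 443, reports the issuer of the certificate actually presented, and tests TCP 80 to the CRL host. It assumes a direct (non-proxied) path, PowerShell 5 or later, and TLS 1.2; the function and variable names are illustrative.

```powershell
# Added example. Run on the Gatekeeper server; assumes a direct (non-proxied) path.
# Hosts are from the North America table; use the eu.* names for the EU data center.
$TlsHosts = 'gk.specopssoft.com', 'login.specopssoft.com'
# "." matches either a hyphen or the en dash used in the article's spelling of the CA name.
$IssuerPattern = 'CN=Go Daddy Secure Certificate Authority . G2'

function Get-TlsIssuer {
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever certificate is presented so that an inspection
        # device's certificate is reported instead of aborting the handshake.
        # Nothing is sent over this connection after the handshake.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAny)
        try {
            # TLS 1.2 is an assumption; the article only says "TLS-encrypted".
            $tls12 = [System.Security.Authentication.SslProtocols]::Tls12
            $ssl.AuthenticateAsClient($HostName, $null, $tls12, $false)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            return $cert.Issuer
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

$results = foreach ($h in $TlsHosts) {
    try {
        $issuer = Get-TlsIssuer -HostName $h
        [pscustomobject]@{
            Host = $h; Reachable = $true
            IssuerOk = ($issuer -match $IssuerPattern); Issuer = $issuer
        }
    } catch {
        # Connection refused, timeout, or handshake failure: record the reason.
        [pscustomobject]@{
            Host = $h; Reachable = $false
            IssuerOk = $false; Issuer = $_.Exception.Message
        }
    }
}
$results | Format-List

# The CRL host is plain HTTP on TCP 80, so only reachability is tested.
$crl = Test-NetConnection -ComputerName 'crl.godaddy.com' -Port 80 -WarningAction SilentlyContinue
"crl.godaddy.com:80 reachable: $($crl.TcpTestSucceeded)"
```

A row with Reachable = True and IssuerOk = False means something on the path is presenting its own certificate; the Issuer field names it.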

End Users

End users (including users of the Specops Authentication client), administrators, and service desk users accessing the Specops Authentication Web will need access to the following URLs:

North America Data Center

| URL | IP Address | Protocol | Port |
|---|---|---|---|
| https://login.specopssoft.com | 34.229.31.169, 50.16.166.102 | TCP | 443 |
| https://js.specopsauthentication.com | 34.229.31.169, 50.16.166.102 | TCP | 443 |
| https://trust.specopsauthentication.com | 34.229.31.169, 50.16.166.102 | TCP | 443 |
| http://crl.godaddy.com | | TCP | 80 |

EU Data Center

| URL | IP Address | Protocol | Port |
|---|---|---|---|
| https://eu.login.specopssoft.com | 40.87.137.8 | TCP | 443 |
| https://eu.js.specopsauthentication.com | 40.87.137.8 | TCP | 443 |
| https://eu.trust.specopsauthentication.com | 40.87.137.8 | TCP | 443 |
| http://crl.godaddy.com | | TCP | 80 |

If end users/workstations are behind a proxy that requires authentication, it may be necessary to bypass authentication for these URLs so that end users who cannot authenticate due to a password issue can still access the Reset Password web page.

Multi Domain Environments

If you have a multi-domain setup that is firewalled, you will need to ensure that the ports listed below are allowed from the Gatekeeper(s) to all of the DCs in the target trusted domain.

| Service | Protocol | Port |
|---|---|---|
| LDAP | TCP | 389, 636 |
| SMB2 | TCP | 445 |
| Kerberos | TCP | 88, 464 |
| DNS | TCP/UDP | 53 |

Publication date: July 28, 2020
Modification date: October 26, 2023
