Configure Specops Password Policy allowlists
This section describes the URLs that must be accessible through the firewall for Specops Password Policy (SPP) installation and Breached Password Protection (BPP Express and BPP Complete).
Note
It is strongly recommended to use URL or hostname-based allowlists, as IP addresses may change over time.
SPP Admin tools and BPP Express
Access to the following sites is required for installing SPP, the admin tools, and BPP Express. In addition, access is needed to the revocation checking endpoints that might be used.
URL | Description | Protocol | Port |
---|---|---|---|
https://breach-protection.specopssoft.com | Web endpoint | TCP | 443 |
https://download.specopssoft.com | Web endpoint | TCP | 443 |
Connecting to the above URLs requires a certificate revocation list (CRL) check, so the following endpoints must also be reachable:
URL | Description | Protocol | Port |
---|---|---|---|
https://*.c.lencr.org | Certificate CRL endpoint | TCP | 443 |
http://*.c.lencr.org | Certificate CRL endpoint | TCP | 80 |
https://crl.godaddy.com/ | Certificate CRL endpoint | TCP | 443 |
http://crl.godaddy.com/ | Certificate CRL endpoint | TCP | 80 |
BPP Complete
All Arbiter servers need HTTPS access to https://breach-protection.specopssoft.com and to the revocation checking endpoints that might be used.
URL | Description | Protocol | Port |
---|---|---|---|
https://breach-protection.specopssoft.com | Web endpoint | TCP | 443 |
Connecting to the above URL requires a certificate revocation list (CRL) check, so the following endpoints must also be reachable:
URL | Description | Protocol | Port |
---|---|---|---|
https://*.c.lencr.org | Certificate CRL endpoint | TCP | 443 |
http://*.c.lencr.org | Certificate CRL endpoint | TCP | 80 |
It is strongly recommended to use URL or hostname-based allowlists, but if you have to use IP address rules, make sure you allow Arbiters access to the following IP address spaces. More granular filtering is not supported, as exact IP addresses within these ranges are subject to change at any time.
- 138.91.126.220/30
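
To confirm that the firewall rules are in effect, the following PowerShell script tests TCP reachability of the hosts and ports listed in the tables above from an Arbiter server or admin workstation. It is an added example, not Specops code; it assumes the machine connects directly rather than through an HTTP proxy, and the variable and property names are illustrative.

```powershell
# Added example: verify outbound access to the endpoints listed on this page.
# Host names and ports are copied from the tables above; nothing else is assumed
# about the Specops services.
$endpoints = @(
    [pscustomobject]@{ Name = 'breach-protection.specopssoft.com'; Port = 443; Purpose = 'Web endpoint' }
    [pscustomobject]@{ Name = 'download.specopssoft.com';          Port = 443; Purpose = 'Web endpoint' }
    [pscustomobject]@{ Name = 'crl.godaddy.com';                   Port = 443; Purpose = 'Certificate CRL endpoint' }
    [pscustomobject]@{ Name = 'crl.godaddy.com';                   Port = 80;  Purpose = 'Certificate CRL endpoint' }
    [pscustomobject]@{ Name = '*.c.lencr.org';                     Port = 443; Purpose = 'Certificate CRL endpoint' }
    [pscustomobject]@{ Name = '*.c.lencr.org';                     Port = 80;  Purpose = 'Certificate CRL endpoint' }
)

$results = foreach ($e in $endpoints) {
    if ($e.Name.Contains('*')) {
        # A wildcard entry has no single host to probe. It must be allowed as a
        # hostname pattern on the firewall and verified in the firewall policy.
        [pscustomobject]@{
            Name = $e.Name; Port = $e.Port; Purpose = $e.Purpose
            RemoteAddress = $null; Status = 'Skipped (wildcard)'
        }
        continue
    }

    # Test-NetConnection performs DNS resolution and a TCP connect to the port.
    $t = Test-NetConnection -ComputerName $e.Name -Port $e.Port -WarningAction SilentlyContinue

    [pscustomobject]@{
        Name          = $e.Name
        Port          = $e.Port
        Purpose       = $e.Purpose
        RemoteAddress = $t.RemoteAddress
        Status        = if ($t.TcpTestSucceeded) { 'Reachable' } else { 'Blocked or unresolved' }
    }
}

$results | Format-Table -AutoSize

# Return a non-zero exit code when any fixed endpoint failed, so the check can
# run from a scheduled task or deployment pipeline.
$failed = @($results | Where-Object { $_.Status -eq 'Blocked or unresolved' })
if ($failed.Count -gt 0) { exit 1 }
```

A successful TCP connect shows that the port is open to that host; it does not prove that a URL-filtering proxy in the path permits the request, so run the check from each Arbiter server and compare the result with the proxy or firewall logs.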