https://support.okta.com/help/oktaarticledetailpage?childcateg=&id=ka02a0000005uhhsaq&source=documentation&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fdocumentation%2fknowledge_article%2fconfiguring-firewall-whitelisting-89944588
Configuring Firewall Whitelisting
Published: Jan 31, 2018   -   Updated: Jun 22, 2018
If your server policy allows all outbound HTTP/HTTPS communication to any IP address or website, you do not need to make any changes. However, if your server policy denies access to most or all external IP addresses and websites, you must configure a whitelist so that some features can work. A whitelist grants access to specified IP addresses and programs that your security policy would otherwise block.

For domain, port, and troubleshooting information, see Implementation Details below.

Okta IP Addresses

To ensure connectivity to Okta for all Okta agents and end users, add the following Okta system IP addresses to your whitelist.

Production

Production EMEA (Europe)

Production HIPAA

Preview

Preview EMEA (Europe)

Implementation Details

The following information helps you configure whitelisting for your orgs.

Okta IP range notation

The IP ranges listed in this document are provided in Classless Inter-Domain Routing (CIDR) notation. For more information, see the description of Classless Inter-Domain Routing.

Ports

The Okta service uses SSL/TLS for all communication. If your policy requires a port number, port 443 must be whitelisted for the IP addresses provided in this document, unless otherwise noted.

Required Okta Domains

If your company whitelists domains, add the following domains to your list of allowed domains:

*.okta.com
*.oktapreview.com
*.oktacdn.com
*.okta-emea.com

Content Delivery Network (CDN)

Okta's static UI assets (JavaScript, CSS and images) can be delivered to browsers through an international CDN rather than dedicated servers located in the United States. This allows assets to download much faster, especially for customers outside of the U.S.

For most firewall or proxy systems, we recommend that you whitelist the DNS names of Okta services (the domains listed above) so that outbound connections can be made. For a list of current IP ranges for the content delivery network (CDN), refer to the Amazon Web Services site.

Certificate Revocation Troubleshooting

Various problems can arise when a client attempts to check a certificate's revocation status. For example, some clients will fail to connect to SSL/TLS endpoints when they are unable to reach a revocation server. OCSP responders and CRL distribution points are served over plain HTTP, which is why port 80 rather than 443 is needed here. If you experience trouble with certificate revocation, ensure that you have the following domain names whitelisted on port 80:

ocsp.digicert.com
crl3.digicert.com
crl4.digicert.com
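As an added example (not Okta's code), a small Python allow-list checker that applies the rules from the Ports, Required Okta Domains and Certificate Revocation sections: the wildcard Okta domains on port 443, the DigiCert revocation hosts on port 80, and CIDR ranges matched with Python's ipaddress module. The CIDR blocks in it are constructed RFC 5737 placeholders, not Okta's addresses; substitute the current ranges from this page.

```python
import ipaddress

# Domain allow-list from this page; wildcards cover subdomains such as example.okta.com.
ALLOWED_DOMAINS_443 = ["*.okta.com", "*.oktapreview.com", "*.oktacdn.com", "*.okta-emea.com"]
# Revocation endpoints from this page, reached over plain HTTP (port 80), not 443.
ALLOWED_DOMAINS_80 = ["ocsp.digicert.com", "crl3.digicert.com", "crl4.digicert.com"]
# CONSTRUCTED placeholder ranges (RFC 5737 documentation space), not Okta's real addresses.
ALLOWED_RANGES_443 = [ipaddress.ip_network(c) for c in ("198.51.100.0/27", "203.0.113.64/26")]


def host_matches(host, pattern):
    """Match a hostname against an exact name or a '*.example' wildcard entry."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".okta.com"
        # Require a real label boundary: "foo.okta.com" matches, but "evilokta.com"
        # and "okta.com.attacker.example" do not. The bare apex is excluded here;
        # some firewall products treat "*.okta.com" as also matching "okta.com".
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed(destination, port):
    """Return True if an outbound (destination, port) pair is covered by the allow-list."""
    try:
        addr = ipaddress.ip_address(destination)
    except ValueError:
        addr = None  # not an IP literal, treat as a hostname
    if addr is not None:
        return port == 443 and any(addr in net for net in ALLOWED_RANGES_443)
    if port == 443:
        return any(host_matches(destination, p) for p in ALLOWED_DOMAINS_443)
    if port == 80:
        return any(host_matches(destination, p) for p in ALLOWED_DOMAINS_80)
    return False


def blocked(connections):
    """Given (destination, port) pairs, return those the allow-list would reject."""
    return [(d, p) for d, p in connections if not is_allowed(d, p)]
```

Feed blocked() the destinations your agents and browsers actually use (from proxy or firewall logs) to find entries the allow-list is missing before rolling it out.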

Third Party Services

Okta Mobile may require whitelisting of the following third-party domains for outbound connections to these services:

*.mixpanel.com
*.mapbox.com