Configuring Firewall Whitelisting
If your server policy allows all outbound HTTP/HTTPS communication to any IP address or website, you do not need to make any changes. However, if your server policy denies access to most or all external IP addresses and websites, you must configure a whitelist for some features to work. A whitelist provides access to specified IP addresses and programs when your security policy would otherwise prevent that access.
For domain, port, and troubleshooting information, see Implementation Details below.
Okta IP Addresses
To ensure connectivity to Okta for all Okta agents and end users, add the following Okta system IP addresses to your whitelist.
Production EMEA (Europe)
Preview EMEA (Europe)
The following information helps you configure whitelisting for your orgs.
Okta IP range notation
The IP ranges listed in this document are provided in Classless Inter-Domain Routing (CIDR) notation. For more information on CIDR, see Classless Inter-Domain Routing.
The Okta service uses SSL/TLS for all communication. If your policy requires a port number, port 443 must be whitelisted for the IP addresses provided in this document, unless otherwise noted.
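One way to check that an existing firewall allow list fully covers a set of required CIDR ranges on a given port, shown as an added example that is not part of the original Okta documentation. The ranges are constructed placeholders from the RFC 5737 documentation blocks, and the `(cidr, port)` rule format and the function name are assumptions for illustration.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation ranges, not real Okta ranges.
REQUIRED = ["192.0.2.0/24", "198.51.100.0/25", "203.0.113.0/24"]

# Hypothetical export of outbound allow rules as (destination CIDR, port).
RULES = [
    ("192.0.2.0/25", 443),     # two adjacent /25 rules together cover the /24
    ("192.0.2.128/25", 443),
    ("198.51.100.0/24", 443),  # a wider rule covers the required /25
    ("203.0.113.0/25", 443),   # only half of the required /24 on 443
    ("203.0.113.0/24", 80),    # right range, wrong port
]


def uncovered_ranges(required, rules, port=443):
    """Return the required CIDR ranges not fully allowed on `port`."""
    allowed = [ipaddress.ip_network(cidr) for cidr, p in rules if p == port]
    missing = []
    for cidr in required:
        need = ipaddress.ip_network(cidr)
        # collapse_addresses() needs a single IP version per call.
        same_version = [n for n in allowed if n.version == need.version]
        # Merging adjacent rules first lets several small rules satisfy
        # one larger required range.
        merged = ipaddress.collapse_addresses(same_version)
        if not any(need.subnet_of(net) for net in merged):
            missing.append(cidr)
    return missing


if __name__ == "__main__":
    for cidr in uncovered_ranges(REQUIRED, RULES):
        print(f"not fully allowed on port 443: {cidr}")
```

A partially covered range is reported as missing, because clients connecting to addresses in the uncovered half would still be blocked.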
Required Okta Domains
If your company whitelists domains, add the following domains to your list of allowed domains:
Content Delivery Network (CDN)
For most firewall or proxy systems, we recommend that you specify a whitelist of DNS addresses for Okta services so that outbound connections can be made. For a list of current IP ranges for the content delivery network (CDN), refer to the Amazon Web Services site.
Certificate Revocation Troubleshooting
Various problems can arise when attempting to revoke a certificate. For example, some clients will fail to connect to SSL/TLS endpoints when they are unable to reach a revocation server. If you experience trouble with certificate revocation, ensure that the following domain names are whitelisted for port 80:
Third Party Services
Okta Mobile may require whitelisting of the following third-party domains for outbound connections to these services: