Reaching Okta Services From a Private Network Without Internet Exposure
Okta Classic Engine
Okta Identity Engine
Network Zones
Overview

Okta services, including <subdomain>.okta.com, require outbound internet access over HTTPS (TCP port 443) and cannot be reached entirely offline. For restricted networks, administrators must securely bridge connectivity using a firewall with IP allow lists, a VPN or reverse proxy, or Okta Access Gateway.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
Solution

How are Okta services reached from a restricted private network?

 

Okta services, including <subdomain>.okta.com, require outbound internet access over HTTPS (TCP port 443). The Okta cloud platform hosts services externally, so direct communication from an internal environment to Okta requires outbound internet access. Okta does not support connecting to <subdomain>.okta.com entirely offline or without some form of controlled internet exposure.

 

To securely bridge connectivity for a restricted network, implement one of the following methods:

  • Firewall with IP allow lists: Allow outbound HTTPS traffic only to Okta IP ranges.
  • VPN or reverse proxy: Use a secure tunnel or proxy that connects the private network to the internet, allowing Okta traffic to pass through without exposing internal systems directly.
  • Okta Access Gateway: If internal applications require integration with Okta while remaining private, Okta Access Gateway acts as a reverse proxy between the Okta cloud and the internal network.
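The firewall allow-list method above, as an added example that is not Okta's code or tooling: it validates a CIDR list and renders a default-drop nftables egress table that permits only TCP 443 to those ranges. The input layout, the CIDRs (documentation ranges), the minimum prefix lengths, and the table, set, and chain names are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample input: documentation-only CIDRs standing in for the Okta
# IP ranges of a tenant (assumed layout: cell name -> list of CIDR strings).
SAMPLE_RANGES = {
    "example_cell_1": ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.16/28"],
    "example_cell_2": ["198.51.100.16/28", "2001:db8:10::/48"],
}

MIN_PREFIX = {4: 16, 6: 32}  # assumption: anything broader is treated as a typo


def validated_networks(ranges):
    """Parse, validate and collapse CIDRs; returns [ipv4_list, ipv6_list]."""
    nets = {4: [], 6: []}
    for cell, cidrs in ranges.items():
        for cidr in cidrs:
            # strict=True rejects entries with host bits set, e.g. 203.0.113.5/24
            net = ipaddress.ip_network(cidr, strict=True)
            if net.prefixlen < MIN_PREFIX[net.version]:
                raise ValueError(f"{cell}: {cidr} is broader than /{MIN_PREFIX[net.version]}")
            nets[net.version].append(net)
    # collapse_addresses merges adjacent ranges and drops duplicates
    return [list(ipaddress.collapse_addresses(nets[v])) for v in (4, 6)]


def nft_ruleset(ranges, table="okta_egress"):
    """Render an nftables table: default-drop forwarding, HTTPS to the allow list only."""
    v4, v6 = validated_networks(ranges)
    lines = [f"table inet {table} {{"]
    for name, typ, nets in (("okta_v4", "ipv4_addr", v4), ("okta_v6", "ipv6_addr", v6)):
        elems = ", ".join(str(n) for n in nets)
        lines += [f"  set {name} {{", f"    type {typ}; flags interval;"]
        lines += [f"    elements = {{ {elems} }}"] if elems else []
        lines.append("  }")
    lines += [
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ip daddr @okta_v4 tcp dport 443 accept",
        "    ip6 daddr @okta_v6 tcp dport 443 accept",
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset(SAMPLE_RANGES))
```

Because the chain drops everything else that is forwarded, DNS resolution and any other required egress need their own explicit rules. Regenerate the ruleset whenever the allowed ranges change, since a stale allow list fails closed and blocks sign-in.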