Configure Your Network to Allow Cloud Identity Agent Traffic
If you have an on-premises Active Directory, configure your network to allow traffic for the agent, your Active Directory, and the Cloud Identity Engine.

If you have configured firewalls between your on-premises Active Directory and the agent host, allow the traffic for the agent, your Active Directory, and the Cloud Identity Engine. The Cloud Identity agent requires direct reachability to the regional agent configuration endpoint and does not support proxy servers between the agent and the endpoint.

If you have deployed a Palo Alto Networks firewall between the agent and the Cloud Identity Engine:

- Use the paloalto-cloud-identity App-ID to allow traffic from the Cloud Identity agent to the Cloud Identity Engine. This App-ID requires the ssl and web-browsing application signatures.
- Allow traffic from the Cloud Identity agent from the specified ports to the following URLs:
  - http://crl.godaddy.com on port 80
  - http://ocsp.godaddy.com on port 80
  - https://certs.godaddy.com on port 443
- If you’re using Secure Socket Layer (SSL) decryption on the firewall, exclude the traffic between the agent and the Cloud Identity Engine from SSL decryption to allow the mutual authentication between the agent and the service.

If you have deployed a Palo Alto Networks firewall between the agent and the Active Directory:

- Depending on which protocol you select when you Configure the Cloud Identity Agent, use one of the following App-IDs to allow traffic from the Cloud Identity agent to your domain controllers:
  - If the agent uses the LDAP protocol, use the ldap App-ID.
  - If the agent uses the LDAPS or LDAP with STARTTLS protocol, use the ssl App-ID.

If you are using a non-Palo Alto Networks firewall:

- Allow traffic to the LDAP or LDAPS port and protocol from the Cloud Identity agent to your Active Directory or Domain Controller.
- Allow HTTPS traffic from the Cloud Identity agent on port 443 to your Cloud Identity Engine destination URL. You need to allow traffic only for the region that you specify for your instance; you need to allow traffic for multiple regions only if you have instances in multiple regions. For the region-specific agent configurations, refer to Configure the Cloud Identity Agent.
- Allow traffic from the Cloud Identity agent from the specified ports to the following URLs.
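A pre-check you can run on the agent host, added here as an example and not part of the Palo Alto Networks documentation or agent, to confirm the firewall rules above actually let the agent reach the listed endpoints. It tests plain TCP reachability to the GoDaddy CRL, OCSP and certificate URLs on the ports given on this page, plus the LDAP/LDAPS port of a domain controller and the regional Cloud Identity Engine endpoint; the DC name and the regional endpoint are placeholders you must replace, and the script also reports proxy environment variables, since the agent does not support a proxy between itself and the endpoint.

```python
"""Reachability pre-check for a Cloud Identity agent host (added example).

A successful TCP connect does not prove the App-ID policy is correct, but a
failure pinpoints a blocked path before the agent is installed.
"""
import os
import socket
from urllib.parse import urlsplit

# Endpoints from this page. The last two are PLACEHOLDERS (assumptions):
# substitute the region-specific endpoint from "Configure the Cloud Identity
# Agent" and your own domain controller (ldap:// for 389, ldaps:// for 636).
REQUIRED = [
    "http://crl.godaddy.com",               # CRL download, port 80
    "http://ocsp.godaddy.com",              # OCSP responder, port 80
    "https://certs.godaddy.com",            # issuing CA certificates, port 443
    "https://cie-region.example.invalid",   # placeholder regional CIE endpoint
    "ldaps://dc1.example.invalid",          # placeholder domain controller
]

DEFAULT_PORTS = {"http": 80, "https": 443, "ldap": 389, "ldaps": 636}


def endpoint_from_url(url):
    """Return (host, port), defaulting the port from the scheme."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or incomplete URL: {url}")
    return parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, DNS failure, etc.
        return False


def proxy_vars_set():
    """Names of proxy environment variables that are set on this host."""
    names = ("HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy")
    return [n for n in names if os.environ.get(n)]


def check_all(urls=REQUIRED, timeout=3.0):
    """Map each URL to whether its host:port is reachable over TCP."""
    return {u: tcp_reachable(*endpoint_from_url(u), timeout=timeout) for u in urls}


if __name__ == "__main__":
    for url, ok in check_all().items():
        print(f"{'OK  ' if ok else 'FAIL'} {url}")
    if proxy_vars_set():
        print("WARNING: proxy variables set:", ", ".join(proxy_vars_set()))
```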