1. Home
    2. Cloud Identity
    3. Cloud Identity Engine Getting Started
    4. Get Started with Cloud Identity Engine
    5. Plan Your Cloud Identity Engine Deployment
    6. Configure Your Network to Allow Cloud Identity Agent Traffic

    Configure Your Network to Allow Cloud Identity Agent Traffic

    If you have an on-premises Active Directory, configure your network to allow traffic for the agent, your Active Directory, and the Cloud Identity Engine.
    If you have configured firewalls between your on-premises Active Directory and the agent host, allow the traffic for the agent, your Active Directory, and the Cloud Identity Engine.
    The Cloud Identity agent requires direct reachability to the regional agent configuration endpoint and does not support proxy servers between the agent and the endpoint.
    • If you have deployed a Palo Alto Networks firewall between the agent and the Cloud Identity Engine:
      • Use the
        paloalto-cloud-identity
         App-ID to allow traffic from the Cloud Identity agent to the Cloud Identity Engine. This App-ID requires the
        ssl
         and
        web-browsing
         application signatures.
      • Allow traffic from the Cloud Identity agent from the specified ports to the following URLs.
        • http://crl.godaddy.com
           on port 80.
        • http://ocsp.godaddy.com
           on port 80.
        • https://certs.godaddy.com
           on port 443.
      • If you’re using Secure Socket Layer (SSL) decryption on the firewall, exclude the traffic between the agent and the Cloud Identity Engine from SSL decryption to allow the mutual authentication between the agent and the service.
    • If you have deployed a Palo Alto Networks firewall between the agent and the Active Directory:
      Depending on which protocol you select when you Configure the Cloud Identity Agent, use one of the following App-IDs to allow traffic from the Cloud Identity agent to your domain controllers.
      • If the agent uses the LDAP protocol, use the
        ldap
         App-ID.
      • If the agent uses the LDAPS or LDAP with STARTTLS protocol, use the
        ssl
         App-ID.
    • If you are using a non-Palo Alto Networks firewall:
      • Allow traffic to the LDAP or LDAPS port and protocol from the Cloud Identity agent to your Active Directory or Domain Controller.
      • Allow HTTPS traffic from the Cloud Identity agent on port 443 to your Cloud Identity Engine destination URL. You need to allow traffic only for the region that you specify for your instance and you need to allow traffic for multiple regions only if you have instances in multiple regions. For the region-specific agent configurations, refer to Configure the Cloud Identity Agent.
      • Allow traffic from the Cloud Identity agent from the specified ports to the following URLs.
        • http://crl.godaddy.com
           on port 80.
        • http://ocsp.godaddy.com
           on port 80.
        • https://certs.godaddy.com
           on port 443.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo