ºÚÁϺ£½Ç91Èë¿Ú

Create an Allow List for ºÚÁϺ£½Ç91Èë¿Ú Services

Firewall allow lists provides access to specific addresses and programs that would normally be disallowed depending on your security policy. If your security configuration allows all outbound HTTP/HTTPS communication to any IP address or domain, additional changes to allow for ºÚÁϺ£½Ç91Èë¿Ú traffic shouldn't be necessary. In scenarios where your security policy denies access to most (or all) external IP address or domains, you need to configure an allow list for appropriate functionality with ºÚÁϺ£½Ç91Èë¿Ú Services.

ºÚÁϺ£½Ç91Èë¿Ú Agent

Required Ports

The ºÚÁϺ£½Ç91Èë¿Ú Agent service uses SSL/TLS for all communication. If your security policy requires a port number, the standard HTTPS port 443 must be added to an allow list.

The ºÚÁϺ£½Ç91Èë¿Ú Agent also depends on NTP time services for installation and proper function of the agent.  If your security policy requires a port number, port 123 must be added to an allow list. If you are synchronizing with an internal NTP source, access to external traffic on port 123 may not be necessary.

Required Domains

If your company has an allow list of domains, add the domains listed in JumpCloud Agent Networking and Port Requirements to your allow list.

Required IP Addresses

Due to the elastic nature of the JumpCloud infrastructure, we do not currently publish lists of IP addresses for allow lists related to our JumpCloud Agent service. Our servers are load-balanced and regionally dispersed, which can lead to a wide variety of source IPs at any given time.

Our Agent uses mTLS (Mutual Transport Layer Security), which allows it to verify that it is talking to a real JumpCloud server and allows JumpCloud to verify that it is talking to a valid enrolled device. Unlike the traditional TLS used in a browser, mTLS requires our own private Certificate Authority (CA) to issue the Agent's certificate and to handle provisioning and renewals.

If your firewall is showing warnings about the JumpCloud CA certificate not being signed, or if you want to pin our CA certificates, you can download them using the command below and then upload them to your firewall (our Agent takes care of the device's certificate independently).

curl https://kickstart.jumpcloud.com/GetCACerts > /tmp/agent.jumpcloud.chain.pem

If your firewall is performing HTTPS inspection for all traffic, you will need to add exceptions for traffic going to:

  • agent.jumpcloud.com:443
  • private-kickstart.jumpcloud.com:443

Without these exceptions, the Agent will flag the substitute certificates that your firewall generates in order to decrypt our traffic, and your devices will not be able to connect to JumpCloud.

ºÚÁϺ£½Ç91Èë¿Ú LDAP-as-a-Service

Required Ports

The ºÚÁϺ£½Ç91Èë¿Ú LDAP-as-a-Service uses SSL for all communication when utilizing LDAPS, communicating over port 636. If your security policy requires a port number, port 636 must be added to an allow list.

The ºÚÁϺ£½Ç91Èë¿Ú LDAP-as-a-Service uses StartTLS for supported clients, and otherwise plain-text, for all communications over port 389. If your security policy requires a port number, port 389 must be added to an allow list.  

Note:

 It is suggested that port 389 only be used for clients supporting StartTLS.
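To confirm that a client path on port 389 really upgrades to TLS rather than staying in plain text, the following added example (not part of JumpCloud's documentation or tooling) sends the LDAP StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037, RFC 4511) on a plaintext connection, parses the ExtendedResponse, and completes a certificate-verified TLS handshake. Only ldap.jumpcloud.com and port 389 come from this page; the minimal BER encoder and decoder are written for this example.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

def _tlv(tag, body):
    """Short-form BER TLV; enough for the tiny StartTLS request (body < 128 bytes)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext_req)  # message_id must be 1..127

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_starttls_response(data):
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _read_tlv(msg, 0)
    tag, ext, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError(f"expected ExtendedResponse, got tag {tag:#x}")
    _, code, pos = _read_tlv(ext, 0)    # resultCode ENUMERATED (0 = success)
    _, _dn, pos = _read_tlv(ext, pos)   # matchedDN
    _, diag, _ = _read_tlv(ext, pos)    # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def probe_starttls(host, port=389, timeout=5.0):
    """Send StartTLS over a plaintext LDAP connection, then complete a verified TLS handshake."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        code, diag = parse_starttls_response(sock.recv(4096))
        if code != 0:
            raise RuntimeError(f"{host}:{port} refused StartTLS: resultCode={code} {diag!r}")
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()  # e.g. "TLSv1.3"; certificate chain and hostname were verified

if __name__ == "__main__":
    print(probe_starttls("ldap.jumpcloud.com"))
```

A non-zero resultCode or a handshake failure means the client would have continued in plain text on 389, which is exactly the case the note above advises against.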

Required Domains

If your company has an allow list of domains, add the following domains to your allow list:

  • ldap.jumpcloud.com

Required IP Addresses

Due to the elastic nature of the JumpCloud infrastructure, we do not currently publish lists of IP addresses for allow lists related to our JumpCloud LDAP-as-a-Service. Our servers are load-balanced and regionally dispersed, which can lead to a wide variety of source IPs at any given time.

As an additional security option, you can review your firewall security policy for HTTPS inspection. Refer to JumpCloud LDAPS SSL Certificate for the Certificate Authority, and to your firewall vendor's documentation for options and support for HTTPS inspection.

ºÚÁϺ£½Ç91Èë¿Ú RADIUS-as-a-Service

Required Ports

The ºÚÁϺ£½Ç91Èë¿Ú RADIUS-as-a-Service uses StartTLS for all communication via either EAP-PEAP/MSCHAPv2 or EAP-TTLS/PAP for inner and outer authentication. If your security policy requires a port number, the port 1812 must be added to an allow list.

Required Domains

If your company has an allow list of domains, add the following domains to your allow list:

  • US East - us1.radius.jumpcloud.com
  • US West - us2.radius.jumpcloud.com
  • EU - eu1.radius.jumpcloud.com
  • APAC - ap1.radius.jumpcloud.com

Note:

Many networking devices will only allow for RADIUS server configuration via IP address, so creating an allow list of domains may not be necessary.

Required IP Addresses

If your company has an allow list of IP addresses, add the following IP addresses to your allow list. While the JumpCloud infrastructure is elastic by nature, RADIUS clients generally do not support domain addressing, so IP addresses are provided:

  • US East - 18.204.0.31
  • US West - 54.203.27.225
  • EU - 18.194.159.20
  • APAC - 18.182.131.248

As an additional security option, you can review your firewall security policy for HTTPS inspection. Refer to JumpCloud RADIUS Certificate for the Certificate Authority, and to your firewall vendor's documentation for options and support for HTTPS inspection.

ºÚÁϺ£½Ç91Èë¿Ú Active Directory Integration

Required Ports

The ºÚÁϺ£½Ç91Èë¿Ú Active Directory Integration uses SSL/TLS for all communication. If your security policy requires a port number, the standard HTTPS port 443 must be added to your allow list.

Required Domains

If your company has an allow list of domains, add the following domains to your allow list:

  • console.jumpcloud.com

Required IP Addresses

Due to the elastic nature of the JumpCloud infrastructure, we do not currently publish lists of IP addresses for allow lists related to our JumpCloud Agent service. Our servers are load-balanced and regionally dispersed, which can lead to a wide variety of source IPs at any given time.
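The following added example (not JumpCloud's code) turns the port, domain and IP requirements from the Agent, LDAP-as-a-Service, RADIUS-as-a-Service and Active Directory Integration sections above into an offline check against an ordered firewall rule set: it reports required endpoints the policy blocks and the two Agent endpoints that must not be HTTPS-inspected, and contrasts a common weak policy with a corrected one. The rule model and ntp.example.com (a placeholder for whichever NTP source your devices use) are assumptions, not from the page.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Required endpoints transcribed from the sections above; the last field marks the two Agent
# endpoints that must be excluded from HTTPS inspection. ntp.example.com is a placeholder.
REQUIRED = [
    ("Agent", "agent.jumpcloud.com", 443, "tcp", True),
    ("Agent", "private-kickstart.jumpcloud.com", 443, "tcp", True),
    ("Agent", "kickstart.jumpcloud.com", 443, "tcp", False),
    ("Agent", "ntp.example.com", 123, "udp", False),
    ("LDAP", "ldap.jumpcloud.com", 636, "tcp", False),
    ("LDAP", "ldap.jumpcloud.com", 389, "tcp", False),
    *[("RADIUS", ip, 1812, "udp", False)
      for ip in ("18.204.0.31", "54.203.27.225", "18.194.159.20", "18.182.131.248")],
    ("AD Integration", "console.jumpcloud.com", 443, "tcp", False),
]

@dataclass
class Rule:
    dest: str              # domain or IP, shell-style glob allowed ("*.jumpcloud.com")
    port: int = 0          # 0 matches any port
    proto: str = "any"     # "tcp", "udp" or "any"
    action: str = "allow"  # "allow" or "deny"
    inspect: bool = False  # HTTPS inspection applied to traffic matched by this rule

def first_match(rules, dest, port, proto):
    """First-match semantics, as most firewalls evaluate an ordered rule set."""
    for r in rules:
        if fnmatch(dest, r.dest) and r.port in (0, port) and r.proto in ("any", proto):
            return r
    return None

def audit(rules, default_action="deny"):
    """Return one finding per required endpoint the policy blocks or wrongly inspects."""
    findings = []
    for service, dest, port, proto, exempt in REQUIRED:
        r = first_match(rules, dest, port, proto)
        if (r.action if r else default_action) != "allow":
            findings.append(f"{service}: {dest}:{port}/{proto} blocked by {r.dest if r else 'default ' + default_action}")
        elif exempt and r.inspect:
            findings.append(f"{service}: {dest}:{port}/{proto} is HTTPS-inspected; add an exception")
    return findings
# Weak: one broad inspected HTTPS rule. Agent hosts pass the port check but fail the inspection
# check, and NTP, LDAP and RADIUS fall through to the default deny.
WEAK = [Rule("*", 443, "tcp", "allow", inspect=True)]
# Fixed: the two inspection exceptions are listed before the general inspected rule.
FIXED = [Rule("agent.jumpcloud.com", 443, "tcp"), Rule("private-kickstart.jumpcloud.com", 443, "tcp"),
         Rule("*.jumpcloud.com", 443, "tcp", inspect=True), Rule("ldap.jumpcloud.com", 0, "tcp"),
         Rule("*", 1812, "udp"), Rule("*", 123, "udp")]
if __name__ == "__main__":
    print({name: audit(policy) or "OK" for name, policy in (("weak", WEAK), ("fixed", FIXED))})
```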
