Documentation

 

 

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Updated September 23, 2020

Understanding how SecureAuth cloud IP addresses are used

This document provides information on how SecureAuth cloud uses IP addresses to provide services to SecureAuth® Identity Platform (formerly SecureAuth IdP), end user browsers, and mobile devices registered to provide multi-factor authentication methods. Reference this information when configuring the Identity Platform, servers, and devices to communicate with SecureAuth cloud.

Allowed URLs and IP addresses

For the URLs listed in the Geo load balanced URL column, the DNS resolution for the URL returns one of the listed IP addresses, depending on the geographic location of the DNS resolver (client). All IP addresses for the URL must be allowed in the firewall rules to support cloud services site failover. These are used by the Identity Platform, browsers, applications, servers, and devices. 

...

208.82.207.89
146.88.110.112
162.216.42.110
Definition List
Certificate URLX.509 Certificate Services (SHA 1 and SHA 2) to issue user certificates.

...

Definition List
Telephony URL

Telephony Service (text-to-speech) to deliver one-time passcodes by voice call to user's phone number.

SMS URLSMS Service to deliver one-time passcodes by SMS / text message to user's mobile phone number.
Push URL

Push Service to deliver one-time one-time passcodes in any of the following ways:

  • Push Notification to user's mobile device
  • Deliver mobile login requests (Accept / Deny) via SecureAuth Authenticate App to user's mobile device 
Link-to-Accept URLLink-to-Accept to deliver SMS text messages to user's mobile device. The link in emails and SMS text messages points to SecureAuth cloud.
Phone Fraud Service URLPhone Number Fraud Prevention Service to retrieve user's phone number profile to use in phone number blocking.
Geo-Location URLGeo-location Service to retrieve IP address geo-location (known as Dynamic Perimeter) information to use in Adaptive Authentication analysis.
SecureAuth Threat ServiceSecureAuth Threat Service to retrieve IP address reputation / threat score to use in Adaptive Authentication analysis.

...

146.88.110.98
162.216.42.101

...

Definition List
Certificate URLX.509 Certificate Services for SHA 2 RSA (384) Certificates

...

us-services.secureauth.com

us-audit.secureauth.com

...

US-EAST-1                         US-WEST-2                         
18.208.0.0/13
52.95.245.0/24
54.196.0.0/15
216.182.224.0/21
216.182.232.0/22
107.20.0.0/14
99.77.128.0/24
67.202.0.0/18
184.73.0.0/16
3.80.0.0/12
54.80.0.0/13
3.224.0.0/12
54.221.0.0/16
54.156.0.0/14
54.236.0.0/15
54.226.0.0/15
162.250.237.0/24
52.90.0.0/15
100.24.0.0/13
54.210.0.0/15
54.198.0.0/16
52.20.0.0/14
52.94.201.0/26
52.200.0.0/13
54.160.0.0/13
162.250.238.0/23
35.153.0.0/16
52.70.0.0/15
52.94.248.0/28
99.77.254.0/24
52.54.0.0/15
54.152.0.0/16
54.92.128.0/17
52.0.0.0/15
184.72.128.0/17
23.20.0.0/14
18.204.0.0/14
54.88.0.0/14
162.250.236.0/24
99.77.129.0/24
54.204.0.0/15
52.86.0.0/15
52.44.0.0/15
18.232.0.0/14
54.174.0.0/15
50.16.0.0/15
35.168.0.0/13
99.77.191.0/24
3.208.0.0/12
174.129.0.0/16
72.44.32.0/19
34.224.0.0/12
54.224.0.0/15
75.101.128.0/17
34.192.0.0/12
54.208.0.0/15
54.242.0.0/15
216.182.238.0/23
54.234.0.0/15
54.144.0.0/14
52.2.0.0/15
184.72.64.0/18
204.236.192.0/18
15.193.6.0/24
52.4.0.0/14
208.86.88.0/23
44.192.0.0/11
52.72.0.0/15
52.95.255.80/28
50.19.0.0/16
54.172.0.0/15
52.95.255.112/28
99.77.253.0/24
52.94.249.64/28
52.94.116.0/22
52.40.0.0/14
54.214.0.0/16
15.193.7.0/24
54.244.0.0/16
52.94.248.96/28
52.32.0.0/14
52.10.0.0/15
54.200.0.0/15
35.160.0.0/13
35.155.0.0/16
18.236.0.0/15
70.224.192.0/18
52.46.180.0/22
54.68.0.0/14
52.95.230.0/24
54.184.0.0/13
52.12.0.0/15
52.88.0.0/15
100.20.0.0/14
18.246.0.0/16
34.208.0.0/12
54.212.0.0/15
54.148.0.0/15
99.77.130.0/24
52.36.0.0/14
54.202.0.0/15
52.75.0.0/16
52.24.0.0/14
54.218.0.0/16
52.95.247.0/24
54.245.0.0/16
44.224.0.0/11
50.112.0.0/16

Alternatively, you can view the IP addresses listed in the Amazon EC2 service table. Take note that it lists all AWS IP addresses, and you only want to allow the IPs within "EC2", "us-east-1", and "us-west-2" categories: https://ip-ranges.amazonaws.com/ip-ranges.json

The following URL configurations apply to all versions of the Identity Platform version 19.07 and later.

Definition List
Telephony URL

Telephony Service  (text-to-speech) to deliver one-time passcodes by voice call to user's phone number.

SMS URLSMS Service to deliver one-time passcodes by SMS / text message to user's mobile phone number.
Push URL

Push Service to deliver one-time one-time passcodes in any of the following ways:

  • Push Notification to user's mobile device
  • Deliver mobile login requests (Accept / Deny) via SecureAuth Authenticate App to user's mobile device 
Link-to-Accept URLLink-to-Accept to deliver SMS text messages to user's mobile device. The link in emails and SMS text messages points to SecureAuth cloud.
Phone Fraud Service URLPhone Number Fraud Prevention Service to retrieve user's phone number profile to use in phone number blocking.
Geo-Location URLGeo-location Service to retrieve IP address geo-location (known as Dynamic Perimeter) information to use in Adaptive Authentication analysis.
SecureAuth Threat ServiceSecureAuth Threat Service to retrieve IP address reputation / threat score to use in Adaptive Authentication analysis.
us.audit.secureauth.comUsed by SecureAuth servers to receive customer logs for dashboard and user risk services.

...

208.74.31.114
146.88.110.114
162.216.42.111

...

Definition List
Trx Log Service URLTransaction log service to deliver transaction operation communications to the SecureAuth cloud environment.
Trx Log Mode Code

Transaction log mode code automatically assigned to the appliance during the build process to indicate whether the logging mode is transaction  or user based.

Trx Log Disable Code

Transaction Log disable code provided by SecureAuth Support to temporarily disable transaction web service calls. 

...

srchttps://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips
width500
height380

Alternatively, to view the page of listed IP addresses, see http://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips

...

New Experience Web Admin user interface assets and storage configuration.

...

Image Removed

UI Text Box
sizemedium
typenote

Important information about MSG level encryption

The msg level encryption endpoints are deprecated (no longer appending /msg after .svc in the URL). Going forward, use https in the URL configuration. 

Test the Identity Platform endpoint availability

To verify that these endpoints are available from the Identity Platform appliance, browse (from the appliance) to the following URLs:

URLs in this list are slated for activation in the near future and should be allowed per your network requirements:

Update the Identity Platform appliances to use the latest Cloud Services information

...

  1. Run ACRU (full version) to update appliance(s) to SHA 2
  2. Upgrade appliance(s) to 8.1.0+ version through SecureAuth Support
  3. Run ACRU Lite to update machines to latest Cloud Services information

SecureAuth cloud overview

Hosted services for SecureAuth are located in two physical data centers, SecureAuth US-East and SecureAuth US-West; and are redundant at the site and service levels operating in SSAE16 Type II certified hosting facilities, providing a secure, highly available (redundant) infrastructure, which includes cooling, power, network, and internet connectivity.

Also implemented is an industry leading, cloud-based, redundant geo-location load balancing solution to ensure that the Identity Platform appliance and SecureAuth cloud access communications are routed to the most efficient facility and, in the event of a site level outage, all communications are seamlessly transferred to the SecureAuth hosted services backup facility.

Each SecureAuth hosted services facility includes load balanced web services hosting APIs providing SMS, TTS, Push, Push-to-Accept OTP services, Threat Intelligence Services, and X.509 certificate signing services; redundant HSM (hardware security module) protected certificate authorities; and clustered (fail-over) database services supported by redundant, back-end services (i.e. LDAP Directory, DNS, Firewall, IDS/IDP, content inspection, etc.).

Secure communications from the Identity Platform appliance, SecureAuth cloud access to SecureAuth cloud are enabled via TLS / transport-level encryption over TCP Port 443 for HTTPS.

Image Removed

Transport Layer Security

Transport Layer Security (TLS), a cryptographic protocol, is designed to provide communications security over a network. Using X.509 certificates, asymmetric cryptography is employed to verify the relationship between a certificate and its owner, and to negotiate a symmetric session key.

The most common implementation of this protocol can be found in the use of Secure Sockets Layer (SSL) to encrypt and sign contents of packets sent over Secure HTTP (HTTPS).

SecureAuth cloud services

The Identity Platform appliances and cloud access portals communicate with SecureAuth cloud for the following services:

...

SecureAuth Authenticate App v5.3

URLs supported for push notifications and device enrollment QR codes

A complete callback URL is included in the API payload for device enrollment QR codes and Push-to-Accept Notifications. When responding to either a QR code device enrollment request or Push-to-Accept request, the SecureAuth Authenticate App returns the URL with a DNS prefix such as "us1-". For example:

"https://us1-cloud.secureauth.com/mobileservice/api/v1/pushaccept"

Related documentation

SecureAuth IdP Appliance Certificate Renewal Utility (ACRU)

SecureAuth ACRU LiteThis page has moved to the new docs site: https://docs.secureauth.com/2104/en/secureauth-cloud-services.html