Configure your firewall’s allowlist

IMPORTANT

The procedure described on this page applies only to organizations that have not yet been onboarded to the Admin Console. If your organization has been onboarded to the Adobe Admin Console, you must perform this action through the Adobe Admin Console.

To configure your allowlist if your organization has been onboarded to the Adobe Admin Console, see Domains to be allowed for Adobe Apps and Services.

For a list of procedures that differ based on whether your organization has been onboarded to the Adobe Admin Console, see Platform-based administration differences (Adobe Workfront/Adobe Business Platform).

If your firewall or mail server is configured to allow access to only certain vendors, you must add certain IP addresses to its allowlist. This opens communication between your environment and the Adobe Workfront servers and allows the following processes:

  • Sending messages from the Workfront application

  • Using single sign-on (SSO) with Active Directory or Lightweight Directory Access Protocol (LDAP)

    NOTE

    This is not available if your organization’s Workfront instance is enabled with Adobe IMS. See your network or IT administrator if you need more information.

  • Using document webhooks when configuring custom document integrations

  • Using Workfront Event Subscriptions

    For more information, see Event Subscription API.

You also need to open certain ports in order for email messages to be encrypted when they are delivered.

Workfront allowlists you can use

If your organization has the Enterprise plan, you can also configure two Workfront allowlists:

IP addresses to add to the allowlist

The IP addresses that you must add to your allowlist on your firewall depend on the cluster where your Production environment runs. You can find out which cluster this is by viewing Setup > System > Custom Info. For more information, see the section Configure Basic Info in the article Configure basic information for your system.

IMPORTANT

Some Workfront integrations do not work when the allowlist is enabled because they can’t be configured with a static IP address. To use the following integrations, you must disable the allowlist.

  • Workfront for G Suite
  • Workfront for Outlook
  • Workfront for Salesforce

IP addresses to allow for Clusters 1, 2, 3, 5, 7, 8 and 9

If your Production environment is on Cluster 1, 2, 3, 5, or 7 you must allow the following IP addresses.

For SSO, document webhooks, or other functionality
  • 35.160.0.242
  • 34.213.36.118
  • 3.209.27.146
  • 18.205.251.4
  • 34.211.224.9
  • 54.218.48.56
  • 52.36.154.34
  • 54.244.142.219
  • 52.39.217.230
  • 44.241.82.96
To receive email from the Workfront application
  • 54.240.60.174
  • 54.240.60.175
  • 13.58.86.183
  • 34.209.181.84
  • 35.161.82.137
  • 52.14.70.114
  • 52.15.230.220
  • 54.71.252.65

For information about the following IP addresses, see New IP addresses for Adobe Workfront email with the 21.1 release

  • 23.251.237.107
  • 23.251.237.108
  • 23.251.237.109
  • 23.251.237.106

IP addresses to allow for Cluster 4

If your Production environment is on Cluster 4, add the following IP addresses for SSO, document webhook integrations, and to receive email from the Workfront application:

  • 52.31.132.175
  • 52.19.188.226
  • 52.28.49.94
  • 52.29.41.175
  • 52.29.197.69
  • 52.48.124.108
  • 69.169.230.231
  • 69.169. 230.232
  • 3.121.91.129
  • 3.122.11.35
  • 34.246.27.40
  • 52.208.123.166
  • 52.208.159.124
  • 52.17.130.201
  • 34.252.250.191
  • 52.30.133.50
  • 54.220.93.204
  • 34.254.76.122

For information about the following IP addresses, see New IP addresses for Adobe Workfront email with the 21.1 release

  • 23.251.239.98
  • 23.251.239.99

IP addresses to allow for Cluster 6

If your Production environment is on Cluster 6, add the following IP addresses.

To receive email from the Workfront application
  • 34.94.227.64
  • 34.94.227.65
  • 34.94.227.66
  • 34.94.227.67
  • 34.66.82.64
  • 34.66.82.65
  • 34.66.82.66
  • 34.66.82.67
To use the AWS email service
  • 54.240.60.174
  • 54.240.60.175
  • 13.58.86.183
  • 34.209.181.84
  • 35.161.82.137
  • 52.14.70.114
  • 52.15.230.220
  • 54.71.252.65

IP addresses to allow for a Test Drive

To receive email from the Workfront application when using a Test Drive
  • 69.42.126.188
  • 66.119.37.185
  • 66.119.37.186
For SSO and document webhook integrations when using a Test Drive
  • 69.42.126.188:

    This address must also be added to your allowlist in order for your users to receive emails from Workfront.

  • 66.119.37.186
  • 66.119.37.167
  • 54.244.142.219
  • 52.39.217.230
  • 44.241.82.96

IP addresses to allow when implementing event subscriptions

For all environments, add the following IP addresses to receive payloads from Workfront event subscriptions.

For customers in Europe
  • 52.30.133.50
  • 52.208.159.124
  • 54.220.93.204
  • 52.17.130.201
  • 34.254.76.122
  • 34.252.250.191
For customers in locations other than Europe
  • 54.244.142.219
  • 44.241.82.96
  • 52.36.154.34
  • 34.211.224.9
  • 54.218.48.56
  • 52.39.217.230

IP addresses to allow for enhanced authentication

Add the following IP addresses to use enhanced authentication for Preview or Production.

If your environment is on Cluster 1, 2, 3, 5, 7, 8, or 9
  • 35.167.74.121
  • 35.166.202.113
  • 35.160.3.103
  • 54.183.64.135
  • 54.67.77.38
  • 54.67.15.170
  • 54.183.204.205
  • 35.171.156.124
  • 18.233.90.226
  • 3.211.189.167
  • 18.232.225.224
  • 34.233.19.82
  • 52.204.128.250
  • 3.132.201.78
  • 3.19.44.88
  • 3.20.244.231
  • 54.244.142.219
  • 52.39.217.230
  • 44.241.82.96
If your environment is on Cluster 4
  • 52.28.56.226
  • 52.28.45.240
  • 52.16.224.164
  • 52.16.193.66
  • 34.253.4.94
  • 52.50.106.250
  • 52.211.56.181
  • 52.213.38.246
  • 52.213.74.69
  • 52.213.216.142
  • 35.156.51.163
  • 35.157.221.52
  • 52.28.184.187
  • 52.28.212.16
  • 52.29.176.99
  • 52.57.230.214
  • 54.76.184.103
  • 52.210.122.50
  • 52.208.95.174
  • 52.30.133.50
  • 54.220.93.204
  • 34.254.76.122

IP addresses to add for accessing Workfront Fusion

Add the following IP addresses to your allowlist to enable Workfront Fusion to access your system.

Adobe Workfront EU Datacenter
  • 52.30.133.50
  • 54.220.93.204
  • 34.254.76.122

Adobe Workfront US Datacenter

  • 54.244.142.219
  • 52.39.217.230
  • 44.241.82.96

Also, if your organization uses outbound network filtering, add the following domain to your allowlist to enable your system to access Workfront Fusion.

Adobe Workfront EU Datacenter

hook.app-eu.workfrontfusion.com

Adobe Workfront US Datacenter

hook.app.workfrontfusion.com

NOTE

Outbound network filtering is uncommon. Check with your network administrator to see if you need to update your allowlist to accommodate for it.

IP addresses to add for using Workfront for Jira

Add the following IP addresses to your allowlist to use the Workfront for Jira integration.

The jira.workfront.com domain must also be accessible from your corporate servers. This domain is required because it serves as middleware between Workfront and Jira.

For customers in Europe
  • 52.30.133.50
  • 52.208.159.124
  • 54.220.93.204
  • 52.17.130.201
  • 34.254.76.122
  • 34.252.250.191
  • 35.162.128.73
  • 52.42.25.64
  • 34.213.36.118
  • 35.160.0.242
  • 3.209.27.146

  • 18.205.251.4

For customers in locations other than Europe
  • 54.244.142.219
  • 44.241.82.96
  • 52.36.154.34
  • 34.211.224.9
  • 54.218.48.56
  • 52.39.217.230
  • 35.162.128.73
  • 52.42.25.64
  • 34.213.36.118
  • 35.160.0.242
  • 3.209.27.146
  • 18.205.251.4

IP addresses to add for using Workfront Ascent

To access Workfront training resources via Workfront Ascent
  • 18.223.140.34
  • 3.13.223.30
  • 3.13.19.112
To receive email notifications from Workfront Ascent
  • 23.251.227.75
  • 23.251.227.76
  • 23.251.227.77
  • 23.251.227.78
  • 23.251.227.79
  • 23.251.227.80
  • 23.251.227.81
  • 23.251.227.82

Domains to add for accessing Workfront

If your organization uses outbound network filtering, add the following domains to your allowlist to enable your system to access Workfront.

NOTE

Outbound network filtering is uncommon. Check with your network administrator to see if you need to update your allowlist to accommodate for it.

  • <your domain>.my.workfront.com
  • <your domain>.preview.workfront.com
  • <your domain>.sb01.workfront.com
  • <your domain>.sb02.workfront.com
  • events.split.io
  • sdk.split.io
  • auth.split.io
  • rum-http-intake.logs.datadoghq.com
  • mfe.static.workfront.com
  • https://app.pendo.io/
  • https://cdn.pendo.io/

URLs to add for all clusters Workfront

To allow help content to display in your Workfront environment
  • https://app.pendo.io/
  • https://cdn.pendo.io/
To allow Workfront Proof to access Workfront on any cluster, add these to all environments
  • *.workfront.com - Required to view proofs in Workfront
  • *.proofhq.com - Required to view proofs in Workfront Proof
  • *.proofhq.eu - Required to view proofs in Workfront Proof

NOTE:

We do not support adding IP addresses to your allowlist for Workfront Proof. They have been dynamic after Workfront moved to AWS. Instead, we recommend that you allow Workfront Proof domains only.

If there is an issue with adding these domains to your allowlist and you need an IP address instead, contact Workfront Customer Support.

IP addresses and URLs to add for accessing Workfront Proof

You must add the following IP addresses to your allowlist in order to use various functions.

For callbacks and webcapture proofs

Prod-US (Clusters 1, 2, 3, 5, and 7)
  • 34.213.36.118
  • 35.160.0.242
  • 3.209.27.146
  • 18.205.251.4
  • 35.165.152.202
  • 54.184.151.122
  • 35.84.40.190
  • 54.218.48.56
  • 34.211.224.9
  • 52.36.154.34
  • 34.232.138.38
  • 54.237.6.156
  • 54.237.12.32
  • 44.241.82.96
  • 54.244.142.219
  • 52.39.217.230
  • 52.207.47.153
  • 50.16.118.214
  • 52.54.180.191
Prod-EU (Cluster 4)
  • 34.246.27.40
  • 52.208.123.166
  • 3.121.91.129
  • 3.122.11.35
  • 34.241.103.51
  • 46.51.203.201
  • 54.247.174.227
  • 52.208.159.124
  • 52.17.130.201
  • 34.252.250.191
  • 52.30.133.50
  • 54.220.93.204
  • 34.254.76.122

NOTE: DNS server options are no longer supported.

For outgoing email

Prod-US (Clusters 1, 2, 3, 5, and 7)

  • 23.251.237.106
  • 23.251.237.107
  • 23.251.237.108
  • 54.240.60.174
  • 54.240.60.175
Prod-EU (Cluster 4)
  • 23.251.239.98
  • 69.169.230.231
  • 69.169.230.232

Ports to open for best Workfront Proof performance

Open the following ports if you are experiencing problems with proofs loading or not working in Workfront Proof:

  • 5671
  • 5672
  • 15671

Ports to open for encrypted email

Emails from the Workfront application are sent encrypted using ports 465 and 587. If your mail server does not support encrypted email, emails are delivered unencrypted using port 25.

Email notifications from Workfront Support

If you are not receiving emails from Workfront Support, ensure that you add the Salesforce IP addresses and domains that you need. For more information, see the Salesforce help article about Salesforce IP addresses and domains to allow.

On this page