Configure your firewall’s allowlist

IMPORTANT
The procedure described on this page applies only to organizations that have not yet been onboarded to the Admin Console. If your organization has been onboarded to the Adobe Admin Console, you must perform this action through the Adobe Admin Console.
To configure your allowlist if your organization has been onboarded to the Adobe Admin Console, see Domains to be allowed for Adobe Apps and Services.
For a list of procedures that differ based on whether your organization has been onboarded to the Adobe Admin Console, see Platform-based administration differences (Adobe Workfront/Adobe Business Platform).
NOTE
The way an organization configures its allowlist is unique to each organization. Work with your IT team to identify your organization’s procedure and implement these additions.

If your firewall or mail server is configured to allow access to only certain vendors, you must add certain IP addresses to its allowlist. This opens communication between your environment and the Adobe Workfront servers and allows the following processes:

  • Sending messages from the Workfront application

    note note
    NOTE
    This is not available if your organization’s Workfront instance is enabled with Adobe IMS. See your network or IT administrator if you need more information.
  • Using document webhooks when configuring custom document integrations

  • Using Workfront Event Subscriptions

    For more information, see Event Subscription API.

You also need to open certain ports in order for email messages to be encrypted when they are delivered.

Workfront allowlists you can use

If your organization has the Enterprise plan, you can also configure two Workfront allowlists:

Locate your Workfront cluster

The IP addresses that you must add to your allowlist on your firewall depend on the cluster where your Production environment runs.

To locate your organization’s cluster:

  1. Click the Main Menu icon Main Menu in the upper-right corner of Adobe Workfront, or (if available), click the Main Menu icon Main Menu in the upper-left corner, then click Setup Setup icon .

  2. In the left navigation, click System, then select Customer Info.

  3. Locate the Cluster Setup field at the upper-right corner of the page. Your organization’s cluster is listed here.

    CL01 refers to Cluster 1, CL02 is Cluster 2, and so on.

For more information, see the section View your organization’s cluster and Workfront plan in the article Firewall overview.

IP addresses to add to the allowlist

IMPORTANT
Some Workfront integrations do not work when the allowlist is enabled because they can’t be configured with a static IP address. To use the following integrations, you must disable the allowlist.
  • Workfront for Google Workspace
  • Workfront for Outlook
  • Workfront for Salesforce

IP addresses to allow for Clusters 1, 2, 3, 5, 7, 8 and 9 ip-addresses-to-allow-for-clusters-1-2-3-5-7-8-and-9

If your Production environment is on Cluster 1, 2, 3, 5, 7, 8, or 9 you must allow the following IP addresses.

For SSO, document webhooks, or other functionality
  • 35.160.0.242
  • 34.213.36.118
  • 3.209.27.146
  • 18.205.251.4
  • 34.211.224.9
  • 54.218.48.56
  • 52.36.154.34
  • 54.244.142.219
  • 52.39.217.230
  • 44.241.82.96
  • 54.203.255.135/32
  • 35.155.2.51/32
  • 52.34.192.77/32
To receive email from the Workfront application
  • 54.240.60.174
  • 54.240.60.175
  • 13.58.86.183
  • 34.209.181.84
  • 35.161.82.137
  • 52.14.70.114
  • 52.15.230.220
  • 54.71.252.65

For information about the following IP addresses, see New IP addresses for Adobe Workfront email with the 21.1 release

  • 23.251.237.107
  • 23.251.237.108
  • 23.251.237.109
  • 23.251.237.106

IP addresses to allow for Cluster 4 ip-addresses-to-allow-for-cluster-4

If your Production environment is on Cluster 4, add the following IP addresses for SSO, document webhook integrations, and to receive email from the Workfront application:

  • 52.31.132.175
  • 52.19.188.226
  • 52.28.49.94
  • 52.29.41.175
  • 52.29.197.69
  • 52.48.124.108
  • 69.169.230.231
  • 69.169. 230.232
  • 3.121.91.129
  • 3.122.11.35
  • 34.246.27.40
  • 52.208.123.166
  • 52.208.159.124
  • 52.17.130.201
  • 34.252.250.191
  • 52.30.133.50
  • 54.220.93.204
  • 34.254.76.122
  • 34.242.62.80/32
  • 46.51.194.192/32
  • 54.229.129.66/32

For information about the following IP addresses, see New IP addresses for Adobe Workfront email with the 21.1 release

  • 23.251.239.98
  • 23.251.239.99

IP addresses to allow for Cluster 6 ip-addresses-to-allow-for-cluster-6

If your Production environment is on Cluster 6, add the following IP addresses.

To receive email from the Workfront application
  • 34.94.227.64
  • 34.94.227.65
  • 34.94.227.66
  • 34.94.227.67
  • 34.66.82.64
  • 34.66.82.65
  • 34.66.82.66
  • 34.66.82.67
To use the email service
  • 54.240.60.174
  • 54.240.60.175
  • 13.58.86.183
  • 34.209.181.84
  • 35.161.82.137
  • 52.14.70.114
  • 52.15.230.220
  • 54.71.252.65
To use the Mailgun email service
  • 143.55.228.56
  • 209.61.151.229
  • 69.72.43.7

IP addresses to allow for Cluster 10

  • 20.36.133.48/28
  • 20.81.156.240/28
  • 172.172.84.48/28

IP addresses to allow for a Test Drive

To receive email from the Workfront application when using a Test Drive
  • 69.42.126.188
  • 66.119.37.185
  • 66.119.37.186
For SSO and document webhook integrations when using a Test Drive
  • 69.42.126.188:

    This address must also be added to your allowlist in order for your users to receive emails from Workfront.

  • 66.119.37.186

  • 66.119.37.167

  • 54.244.142.219

  • 52.39.217.230

  • 44.241.82.96

IP addresses to allow when implementing event subscriptions ip-addresses-to-allow-when-implementing-event-subscriptions

For all environments, add the following IP addresses to receive payloads from Workfront event subscriptions.

For customers in Europe
  • 52.30.133.50
  • 52.208.159.124
  • 54.220.93.204
  • 52.17.130.201
  • 34.254.76.122
  • 34.252.250.191
For customers in locations other than Europe
  • 54.244.142.219
  • 44.241.82.96
  • 52.36.154.34
  • 34.211.224.9
  • 54.218.48.56
  • 52.39.217.230

IP addresses to allow for enhanced authentication ip-addresses-to-allow-for-enhanced-authentication

Add the following IP addresses to use enhanced authentication for Preview or Production.

If your environment is on Cluster 1, 2, 3, 5, 7, 8, or 9
  • 35.167.74.121
  • 35.166.202.113
  • 35.160.3.103
  • 54.183.64.135
  • 54.67.77.38
  • 54.67.15.170
  • 54.183.204.205
  • 35.171.156.124
  • 18.233.90.226
  • 3.211.189.167
  • 18.232.225.224
  • 34.233.19.82
  • 52.204.128.250
  • 3.132.201.78
  • 3.19.44.88
  • 3.20.244.231
  • 54.244.142.219
  • 52.39.217.230
  • 44.241.82.96
If your environment is on Cluster 4
  • 52.28.56.226
  • 52.28.45.240
  • 52.16.224.164
  • 52.16.193.66
  • 34.253.4.94
  • 52.50.106.250
  • 52.211.56.181
  • 52.213.38.246
  • 52.213.74.69
  • 52.213.216.142
  • 35.156.51.163
  • 35.157.221.52
  • 52.28.184.187
  • 52.28.212.16
  • 52.29.176.99
  • 52.57.230.214
  • 54.76.184.103
  • 52.210.122.50
  • 52.208.95.174
  • 52.30.133.50
  • 54.220.93.204
  • 34.254.76.122

IP addresses to add for accessing Workfront Fusion ip-addresses-to-add-for-accessing-workfront-fusion

Add the following IP addresses to your allowlist to enable Workfront Fusion to access your system.

Adobe Workfront EU Datacenter
  • 52.30.133.50
  • 54.220.93.204
  • 34.254.76.122
Adobe Workfront US Datacenter
  • 54.244.142.219
  • 52.39.217.230
  • 44.241.82.96
  • 100.20.126.137
  • 34.223.32.4
  • 52.39.176.220
Adobe Workfront Fusion on the Microsoft Azure cluster
  • 20.36.133.48/28
  • 20.81.156.240/28
  • 172.172.84.48/28

Also, if your organization uses outbound network filtering, add the following domain to your allowlist to enable your system to access Workfront Fusion.

Adobe Workfront EU Datacenter
hook.app-eu.workfrontfusion.com
Adobe Workfront US Datacenter
hook.app.workfrontfusion.com
Adobe Workfront Fusion on the Microsoft Azure cluster
hook.app-az.workfrontfusion.com
NOTE
Outbound network filtering is uncommon. Check with your network administrator to see if you need to update your allowlist to accommodate for it.

IP addresses to add for using Workfront for Jira ip-addresses-to-add-for-using-workfront-for-jira

Add the following IP addresses to your allowlist to use the Workfront for Jira integration.

The jira.workfront.com domain must also be accessible from your corporate servers. This domain is required because it serves as middleware between Workfront and Jira.

For customers in Europe
  • 52.30.133.50

  • 52.208.159.124

  • 54.220.93.204

  • 52.17.130.201

  • 34.254.76.122

  • 34.252.250.191

  • 35.162.128.73

  • 52.42.25.64

  • 34.213.36.118

  • 35.160.0.242

  • 3.209.27.146

  • 18.205.251.4

For customers in locations other than Europe
  • 54.244.142.219
  • 44.241.82.96
  • 52.36.154.34
  • 34.211.224.9
  • 54.218.48.56
  • 52.39.217.230
  • 35.162.128.73
  • 52.42.25.64
  • 34.213.36.118
  • 35.160.0.242
  • 3.209.27.146
  • 18.205.251.4

Domains to add for accessing Workfront

If your organization uses outbound network filtering, add the following domains to your allowlist to enable your system to access Workfront.

NOTE
Outbound network filtering is uncommon. Check with your network administrator to see if you need to update your allowlist to accommodate for it.
  • <your domain>.my.workfront.com

  • <your domain>.preview.workfront.com

  • <your domain>.sb01.workfront.com

  • <your domain>.sb02.workfront.com

  • events.split.io

  • sdk.split.io

  • auth.split.io

  • rum-http-intake.logs.datadoghq.com

  • mfe.static.workfront.com

  • https://app.pendo.io/

  • https://cdn.pendo.io/

  • *.static.workfront.com

    This is a static domain that excompasses all of the following domains. You may add the individual domains if you prefer:

    • mfe.static.workfront.com
    • mfe-c.static.workfront.com
    • mfe-preview-c.static.workfront.com
    • mfe-preview.static.workfront.com
    • mfe-review.static.workfront.com

URLs to add for all clusters Workfront urls-to-add-for-all-clusters-workfront

To allow help content to display in your Workfront environment
  • https://app.pendo.io/
  • https://cdn.pendo.io/
To allow Workfront Proof to access Workfront on any cluster, add these to all environments
  • *.workfront.com - Required to view proofs in Workfront
  • *.proofhq.com - Required to view proofs in Workfront Proof
  • *.proofhq.eu - Required to view proofs in Workfront Proof

NOTE:

We do not support adding IP addresses to your allowlist for Workfront Proof. They have been dynamic after Workfront moved to AWS. Instead, we recommend that you allow Workfront Proof domains only.

If there is an issue with adding these domains to your allowlist and you need an IP address instead, contact Workfront Customer Support.

IP addresses and URLs to add for accessing Workfront Proof

You must add the following IP addresses to your allowlist in order to use various functions.

For callbacks and webcapture proofs for-callbacks-and-webcapture-proofs

Prod-US (Clusters 1, 2, 3, 5, and 7)
  • 35.84.172.250
  • 34.213.36.118
  • 35.160.0.242
  • 3.209.27.146
  • 18.205.251.4
  • 35.165.152.202
  • 54.184.151.122
  • 35.84.40.190
  • 54.218.48.56
  • 34.211.224.9
  • 52.36.154.34
  • 34.232.138.38
  • 54.237.6.156
  • 54.237.12.32
  • 44.241.82.96
  • 54.244.142.219
  • 52.39.217.230
  • 52.207.47.153
  • 50.16.118.214
  • 52.54.180.191
Prod-EU (Cluster 4)
  • 34.255.252.190
  • 34.246.27.40
  • 52.208.123.166
  • 3.121.91.129
  • 3.122.11.35
  • 34.241.103.51
  • 46.51.203.201
  • 54.247.174.227
  • 52.208.159.124
  • 52.17.130.201
  • 34.252.250.191
  • 52.30.133.50
  • 54.220.93.204
  • 34.254.76.122

NOTE: DNS server options are no longer supported.

For outgoing email for-outgoing-email

Prod-US (Clusters 1, 2, 3, 5, and 7)
  • 23.251.237.106
  • 23.251.237.107
  • 23.251.237.108
  • 54.240.60.174
  • 54.240.60.175
Prod-EU (Cluster 4)
  • 23.251.239.98
  • 69.169.230.231
  • 69.169.230.232

Ports to open for best Workfront Proof performance

Open the following ports if you are experiencing problems with proofs loading or not working in Workfront Proof:

  • 5671
  • 5672
  • 15671

Ports to open for encrypted email

Emails from the Workfront application are sent encrypted using ports 465 and 587. If your mail server does not support encrypted email, emails are delivered unencrypted using port 25.

Email notifications from Workfront Support

If you are not receiving emails from Workfront Support, ensure that you add the Salesforce IP addresses and domains that you need. For more information, see the Salesforce help article about Salesforce IP addresses and domains to allow.

recommendation-more-help
5f00cc6b-2202-40d6-bcd0-3ee0c2316b43