Configure your firewall’s allowlist
If your firewall or mail server is configured to allow access to only certain vendors, you must add certain IP addresses to its allowlist. This opens communication between your environment and the Adobe Workfront servers and allows the following processes:
-
Sending messages from the Workfront application
note note NOTE This is not available if your organization’s Workfront instance is enabled with Adobe IMS. See your network or IT administrator if you need more information. -
Using document webhooks when configuring custom document integrations
-
Using Workfront Event Subscriptions
For more information, see Event Subscription API.
You also need to open certain ports in order for email messages to be encrypted when they are delivered.
Workfront allowlists you can use
If your organization has the Enterprise plan, you can also configure two Workfront allowlists:
- Email allowlist: Lets you control where users can email data stored in Workfront. For more information, see Configure your email allowlist.
- IP allowlist: Limits access to Workfront to 45 IP addresses or IP address ranges that you specify, providing an additional layer of security for the Workfront application. For more information, see Restrict access to Adobe Workfront by IP address.
Locate your Workfront cluster
The IP addresses that you must add to your allowlist on your firewall depend on the cluster where your Production environment runs.
To locate your organization’s cluster:
-
Click the Main Menu icon in the upper-right corner of Adobe Workfront, or (if available), click the Main Menu icon in the upper-left corner, then click Setup .
-
In the left navigation, click System, then select Customer Info.
-
Locate the Cluster Setup field at the upper-right corner of the page. Your organization’s cluster is listed here.
CL01 refers to Cluster 1, CL02 is Cluster 2, and so on.
For more information, see the section View your organization’s cluster and Workfront plan in the article Firewall overview.
IP addresses to add to the allowlist
- Workfront for Google Workspace
- Workfront for Outlook
- Workfront for Salesforce
- IP addresses to allow for Clusters 1, 2, 3, 5, 7, 8 and 9
- IP addresses to allow for Cluster 4
- IP addresses to allow for Cluster 6
- IP addresses to allow for a Test Drive
- IP addresses to allow when implementing event subscriptions
- IP addresses to allow for enhanced authentication
- IP addresses to add for accessing Workfront Fusion
- IP addresses to add for using Workfront for Jira
- URLs to add for all clusters Workfront
IP addresses to allow for Clusters 1, 2, 3, 5, 7, 8 and 9 ip-addresses-to-allow-for-clusters-1-2-3-5-7-8-and-9
If your Production environment is on Cluster 1, 2, 3, 5, or 7 you must allow the following IP addresses.
IP addresses to allow for Cluster 4 ip-addresses-to-allow-for-cluster-4
If your Production environment is on Cluster 4, add the following IP addresses for SSO, document webhook integrations, and to receive email from the Workfront application:
- 52.31.132.175
- 52.19.188.226
- 52.28.49.94
- 52.29.41.175
- 52.29.197.69
- 52.48.124.108
- 69.169.230.231
- 69.169. 230.232
- 3.121.91.129
- 3.122.11.35
- 34.246.27.40
- 52.208.123.166
- 52.208.159.124
- 52.17.130.201
- 34.252.250.191
- 52.30.133.50
- 54.220.93.204
- 34.254.76.122
- 34.242.62.80/32
- 46.51.194.192/32
- 54.229.129.66/32
For information about the following IP addresses, see New IP addresses for Adobe Workfront email with the 21.1 release
- 23.251.239.98
- 23.251.239.99
IP addresses to allow for Cluster 6 ip-addresses-to-allow-for-cluster-6
If your Production environment is on Cluster 6, add the following IP addresses.
IP addresses to allow for a Test Drive
IP addresses to allow when implementing event subscriptions ip-addresses-to-allow-when-implementing-event-subscriptions
For all environments, add the following IP addresses to receive payloads from Workfront event subscriptions.
IP addresses to allow for enhanced authentication ip-addresses-to-allow-for-enhanced-authentication
Add the following IP addresses to use enhanced authentication for Preview or Production.
IP addresses to add for accessing Workfront Fusion ip-addresses-to-add-for-accessing-workfront-fusion
Add the following IP addresses to your allowlist to enable Workfront Fusion to access your system.
Also, if your organization uses outbound network filtering, add the following domain to your allowlist to enable your system to access Workfront Fusion.
IP addresses to add for using Workfront for Jira ip-addresses-to-add-for-using-workfront-for-jira
Add the following IP addresses to your allowlist to use the Workfront for Jira integration.
The jira.workfront.com domain must also be accessible from your corporate servers. This domain is required because it serves as middleware between Workfront and Jira.
Domains to add for accessing Workfront
If your organization uses outbound network filtering, add the following domains to your allowlist to enable your system to access Workfront.
-
<your domain>
.my.workfront.com -
<your domain>
.preview.workfront.com -
<your domain>
.sb01.workfront.com -
<your domain>
.sb02.workfront.com -
events.split.io
-
sdk.split.io
-
auth.split.io
-
rum-http-intake.logs.datadoghq.com
-
mfe.static.workfront.com
-
https://app.pendo.io/
-
https://cdn.pendo.io/
-
*.static.workfront.com
This is a static domain that excompasses all of the following domains. You may add the individual domains if you prefer:
- mfe.static.workfront.com
- mfe-c.static.workfront.com
- mfe-preview-c.static.workfront.com
- mfe-preview.static.workfront.com
- mfe-review.static.workfront.com
URLs to add for all clusters Workfront urls-to-add-for-all-clusters-workfront
IP addresses and URLs to add for accessing Workfront Proof
You must add the following IP addresses to your allowlist in order to use various functions.
For callbacks and webcapture proofs for-callbacks-and-webcapture-proofs
For outgoing email for-outgoing-email
Ports to open for best Workfront Proof performance
Open the following ports if you are experiencing problems with proofs loading or not working in Workfront Proof:
- 5671
- 5672
- 15671
Ports to open for encrypted email
Emails from the Workfront application are sent encrypted using ports 465 and 587. If your mail server does not support encrypted email, emails are delivered unencrypted using port 25.
Email notifications from Workfront Support
If you are not receiving emails from Workfront Support, ensure that you add the Salesforce IP addresses and domains that you need. For more information, see the Salesforce help article about Salesforce IP addresses and domains to allow.