Configuring IP Addresses, Ports, and Domains
Overview
While most Sugar features are available to you and your team out of the box, several Sugar features require additional configurations if your Sugar instance is, for example, on-site or behind a firewall. This article aggregates all the various IP addresses, port numbers, and domains you may need to configure if you wish to use the specified Sugar service. The following topics are covered on this page and can be completed by your administrator or IT team depending on your needs:
- General Outbound Network Restrictions
- Sugar Updates and License Validation Servers
- Lightweight Directory Access Protocol (LDAP) authentication
- Email (outbound and inbound)
- Sugar email archiving (a.k.a. SNIP)
- Sugar Connect outbound email
- Sugar Market
- Report chart service
- Doc Merge
- Sugar Hint
General Outbound Network Restrictions
In order to promote a secure environment for SugarCloud customers, outbound network traffic is restricted to only allow connections to specific ports and common services:
| Port | Common Service |
| 21 | FTP |
| 22 | SSH (SFTP) |
| 25 | SMTP |
| 80 | HTTP |
| 110 | POP3 |
| 143 | IMAP |
| 389 | LDAP |
| 443 | HTTPS |
| 465 | SMTPS (SMTP over SSL/TLS) |
| 587 | Submission (SMTP with enforced STARTTLS) |
| 636 | LDAPS (LDAP over SSL) |
| 993 | IMAPS (IMAP4 over SSL/TLS) |
| 995 | POP3S (POP3 over SSL/TLS) |
| 2525 | Common SMTP alternative port |
If you have a specific use case that requires access to a port or service not listed here, please create a Support case outlining the details so our Cloud Operations team can review your request.
Sugar Updates and License Validation Servers
To communicate with Sugar's Updates and License Validation server, your local firewall will need to be configured to allow traffic to and from the following domain:
- updates.sugarcrm.com
Lightweight Directory Access Protocol (LDAP) Authentication
To configure Lightweight Directory Access Protocol (LDAP) authentication, you will need to set the default port numbers:
- Enter "636" if using LDAPS encryption.
- Enter "389" if using "StartTLS" or no encryption.
For more information on configuring LDAP with SugarIdentity, refer to the SugarIdentity Guide. For more information on configuring LDAP without SugarIdentity, refer to the Password Management page in the Administration Guide.
Active Directory Authentication With Firewall
SugarIdentity can be configured to accept Lightweight Directory Access Protocol (LDAP) authentication if your organization has implemented LDAP or Active Directory authentication. If the Active Directory authentication server is behind a corporate firewall and your instance uses SugarIdentity, you need to make sure the appropriate IP address range is open on your firewall to allow communication to the Active Directory server. A rule will need to be created allowing the LDAP bi-directional communication for the necessary IP range. This can be the standard LDAP port 389 or you can use LDAP over SSL. Please add the appropriate IP addresses to your allowlist according to the following table:
| Region | Outbound IP Addresses |
| Australia (ap-southeast-2) | 3.105.246.8 13.236.42.185 52.65.222.14 |
| Europe - Frankfurt (eu-central-1) | 3.124.84.100 3.121.108.6 52.58.11.13 |
| Europe - UK (eu-west-2) | 35.176.19.189 3.9.6.50 35.176.37.81 |
| North America - Canada (ca-central-1) | 15.222.160.94 15.223.58.20 15.223.144.228 |
| North America - US (us-west-2) | 52.40.34.59 52.88.151.74 52.43.45.176 |
| Singapore (ap-southeast-1) | 54.254.112.168 54.151.129.127 3.0.140.48 |
You can send and receive email directly in Sugar if your email server is appropriately configured. The following sections detail specific configurations that may be needed.
Configure Outbound Email Server
If your email service provider restricts access to their servers to a predefined range of IP addresses, you will need to determine which geographic location your SugarCloud instance is hosted in. Please refer to the Using the Case Portal article to confirm the geographic location. Once the location is confirmed, have the appropriate IP addresses added to your allowlist according to the following table:
Note: These IP addresses only apply to instances hosted on the SugarCloud service.
| SugarCloud Region | IP Addresses |
| Australia (ap-southeast-2) | 52.64.34.40 52.64.128.40 |
| Europe - Frankfurt (eu-central-1) |
52.59.58.195
3.122.45.38
52.58.98.157
|
| Europe - UK (eu-west-2) |
18.133.81.250
3.10.88.56
35.176.133.186 |
| North America - Canada (ca-central-1) |
35.182.68.172
35.183.168.13
|
| North America - US (us-west-2) |
52.10.234.30
52.89.22.243
|
| Singapore (ap-southeast-1) | 52.221.83.215 54.151.168.230 54.169.3.37 |
Connections from your SugarCloud server will be made from these IP addresses. Please be aware that these IP addresses may change in the future.
Verify Inbound Email Port Numbers
The Check Inbound Mailboxes scheduler automatically retrieves unread emails from the system inbound email accounts configured in Admin > Inbound Email. You must ensure that the port numbers specified in the Inbound Email settings are correct. Navigate to Admin > Inbound Email and open the affected inbound email account. Verify the port numbers according to the following tables, which list some common email and web port numbers.
Common Email Port Numbers
| Email Servers | Port Numbers |
| POP3 | 110 |
| POP3 over SSL/TLS | 995 |
| IMAP | 143 |
| IMAP4 over SSL/TLS | 993 |
| SMTP | 25 |
| SMTP Alternate | 26 or 587 |
| SMTPS (SMTP-over-SSL/TLS) | 465 |
Common Web Port Numbers
| Web Servers | Port Numbers |
| HTTP | 80 |
| HTTP over SSL/TLS | 443 |
| FTP | 21 |
| FTP with implicit TLS/SSL | 990 |
| SFTP | 22 |
| Webdisk | 2077 |
| Webdisk - SSL | 2078 |
| MySQL | 3306 |
| MSSQL | 1433 |
| SSH | 22 |
Sugar Email Archiving (SNIP)
Sugar's Email Archiving servers can work with your instance only when it can be reached over the internet. Specifically, the URL {site_url}/service/v4/rest.php needs to be accessible from our SugarCloud IP addresses:
- 54.153.90.191/32
- 54.153.90.96/32
If you have a 255.255.255.255 subnet mask, the IP addresses are:
- 54.153.90.191
- 54.153.90.96
Sugar Connect's Outbound IP Addresses
The following outbound IP addresses are used by Sugar Connect. For on-site hosted instances, please confirm that the IPs for your region(s) are added to the allowlist for your Sugar server for Sugar Connect to successfully make network calls to your Sugar database.
| Region | Outbound IP Addresses |
| Australia (ap-southeast-2) | 3.105.246.8 13.236.42.185 52.65.222.14 |
| Europe - Frankfurt (eu-central-1) | 3.124.84.100 3.121.108.6 52.58.11.13 |
| North America - US (us-west-2) | 52.40.34.59 52.88.151.74 52.43.45.176 |
Sugar Market
IP Addresses for CRM Integration
If your CRM web services are inaccessible publicly, they are most likely behind a firewall, which means that Sugar Market will not be able to connect to your web service. To enable the sync between your CRM and Sugar Market, please request your IT and/or CRM Admin to allowlist the following IP addresses. If your CRM web services are open to the public, then you do not need to allow any additional IP addresses.
The following are the outgoing IP addresses from Sugar Market servers that will be connecting to your CRM servers:
| Region | IP Address Range |
| 35.153.250.29 | |
| US | 34.226.3.118 |
| 52.90.37.29 | |
| 52.90.37.96 - 52.90.37.103 | |
| 52.90.37.108 | |
| 52.90.37.110 | |
| 54.72.85.124 | |
| 54.157.239.6 | |
| EU | 18.200.57.140 |
| 34.249.190.128 | |
| 52.214.82.207 | |
| 54.72.104.95 | |
| 63.35.114.131 | |
| APAC | 3.26.128.192 - 3.26.128.255 |
| 13.210.17.231 | |
| 13.236.250.138 | |
| 52.64.141.214 | |
| 54.66.117.148 |
Note: The ports are defined via the web service URL you provide. For example, if your web service URL is HTTP, it is port 80. If it is HTTPS, then it is port 443.
IP Addresses for Email Builder Tool
In order to ensure that internal notifications are delivered to your team, you must allowlist the following addresses for your region before you begin creating email campaigns:
| Region | Sending IP Address Ranges |
| US | 18.232.1.16 - 18.232.1.31 |
| 52.200.60.192 - 52.200.60.255 | |
| 52.73.255.192 - 52.73.255.255 | |
| EU | 3.251.152.64/26 |
| APAC | 3.26.128.192 - 3.26.128.255 |
| 18.232.1.16 - 18.232.1.31 | |
| 52.200.60.192 - 52.200.60.255 | |
| 52.73.255.192 - 52.73.255.255 |
If possible, we also recommend you allowlist all sending domains you will be using.
IP Addresses for Salesforce Connector
Salesforce requires that you add the following IP address ranges to your Salesforce instance for Sugar Market to sync with your database:
-
- 52.90.37.96 - 52.90.37.103
- 54.72.104.95
Elasticsearch
The communication between your web server and the DB server depends on your database flavor and is orchestrated through your PHP database driver module (MySQLi, ODBC, etc.). For the ES integration, there is no need to load an additional PHP module in the web server as all communication uses a REST API over HTTP. The REST API is accessed through TCP on port 9200 by default. The ES cluster utilizes node-to-node communication through TCP on port 9300 by default.
Report Chart Service
If you have an IP restriction on your server, you must add the corresponding IPs to your allowlist to include charts in scheduled reports. The IPs will correspond with the region's URL that you selected when changing the region. Add the IP addresses for your selected region to your allowlist according to the following table:
| Region | Outbound IP Addresses |
| us-west-2 | 52.40.34.59 52.88.151.74 52.43.45.176 |
| ca-central-1 | 15.222.160.94 15.223.58.20 15.223.144.228 |
| ap-southeast-2 | 3.105.246.8 13.236.42.185 52.65.222.14 |
| ap-southeast-1 | 54.254.112.168 54.151.129.127 3.0.140.48 |
| eu-central-1 | 3.124.84.100 3.121.108.6 52.58.11.13 |
| eu-west-2 | 35.176.19.189 3.9.6.50 35.176.37.81 |
Doc Merge
If you have an IP restriction on your server, you must add the corresponding IPs to your allowlist to use the Doc Merge feature. The IPs will correspond with the region's URL that you selected when changing the region. Add the IP addresses for your selected region to your allowlist according to the following table:
| Region | Outbound IP Addresses |
| us-west-2 | 52.40.34.59 52.88.151.74 52.43.45.176 |
| ca-central-1 | 15.222.160.94 15.223.58.20 15.223.144.228 |
| ap-southeast-2 | 3.105.246.8 13.236.42.185 52.65.222.14 |
| ap-southeast-1 | 54.254.112.168 54.151.129.127 3.0.140.48 |
| eu-central-1 | 3.124.84.100 3.121.108.6 52.58.11.13 |
| eu-west-2 | 35.176.19.189 3.9.6.50 35.176.37.81 |
Note: A valid SSL certificate is required for your Sugar instance for Doc Merge to work.
Sugar Hint
If your server has firewalls set up that block direct access to the internet, you must add the following Hint service URLs to your allowlist for Hint to work:
-
- https://hint-data-enrichment.service.sugarcrm.com
- https://hint-interest-subscription.service.sugarcrm.com
- https://hint-notifications.service.sugarcrm.com