Let the platform do the work

Configuring IP Addresses, Ports, and Domains

Overview

While most Sugar features are available to you and your team out of the box, several Sugar features require additional configurations if your Sugar instance is, for example, on-site or behind a firewall. This article aggregates all the various IP addresses, port numbers, and domains you may need to configure if you wish to use the specified Sugar service. The following topics are covered on this page and can be completed by your administrator or IT team depending on your needs:

General Outbound Network Restrictions 

In order to promote a secure environment for SugarCloud customers, outbound network traffic is restricted to only allow connections to specific ports and common services:

Port Common Service
25 SMTP
80 HTTP
110 POP3
143 IMAP
443 HTTPS, excluding DNS-over-HTTPS provider IPs
465 SMTPS (SMTP over SSL/TLS)
587 Submission (SMTP with enforced STARTTLS)
993 IMAPS (IMAP4 over SSL/TLS)
995 POP3S (POP3 over SSL/TLS)
2525 Common SMTP alternative port

If you have a specific use case that requires access to a port or service not listed here, please create a Support case outlining the details so our Cloud Operations team can review your request.

Sugar Updates and License Validation Servers

To communicate with Sugar's Updates and License Validation server, your local firewall will need to be configured to allow traffic to and from the following domain:

  • updates.sugarcrm.com

Lightweight Directory Access Protocol (LDAP) Authentication

To configure Lightweight Directory Access Protocol (LDAP) authentication, you will need to set the default port numbers: 

  • Enter "636" if using LDAPS encryption.
  • Enter "389" if using "StartTLS" or no encryption.

For more information on configuring LDAP with SugarIdentity, refer to the SugarIdentity Guide. For more information on configuring LDAP without SugarIdentity, refer to the Password Management page in the Administration Guide.

Active Directory Authentication With Firewall

SugarIdentity can be configured to accept Lightweight Directory Access Protocol (LDAP) authentication if your organization has implemented LDAP or Active Directory authentication. If the Active Directory authentication server is behind a corporate firewall and your instance uses SugarIdentity, you need to make sure the appropriate IP address range is open on your firewall to allow communication to the Active Directory server. A rule will need to be created allowing the LDAP bi-directional communication for the necessary IP range. This can be the standard LDAP port 389 or you can use LDAP over SSL. Please add the appropriate IP addresses to your allowlist according to the following table:

Region Outbound IP Addresses
Australia (ap-southeast-2) 3.105.246.8
13.236.42.185
52.65.222.14
Europe - Frankfurt (eu-central-1) 3.124.84.100
3.121.108.6
52.58.11.13
Europe - UK (eu-west-2) 35.176.19.189
3.9.6.50
35.176.37.81
North America - Canada (ca-central-1) 15.222.160.94
15.223.58.20
15.223.144.228
North America - US (us-west-2) 52.40.34.59
52.88.151.74
52.43.45.176
Singapore (ap-southeast-1) 54.254.112.168
54.151.129.127
3.0.140.48

Email

You can send and receive email directly in Sugar if your email server is appropriately configured. The following sections detail specific configurations that may be needed.

Configure Outbound Email Server

If your email service provider restricts access to their servers to a predefined range of IP addresses, you will need to determine which geographic location your SugarCloud instance is hosted in. Please refer to the Using the Case Portal article to confirm the geographic location. Once the location is confirmed, have the appropriate IP addresses added to your allowlist according to the following table:

Note: These IP addresses only apply to instances hosted on the SugarCloud service.

SugarCloud Region IP Addresses
Australia (ap-southeast-2) 52.64.34.40
52.64.128.40
Europe - Frankfurt (eu-central-1)
52.59.58.195
3.122.45.38
52.58.98.157
Europe - UK (eu-west-2)
18.133.81.250
3.10.88.56
35.176.133.186
North America - Canada (ca-central-1)
35.182.68.172
35.183.168.13
North America - US (us-west-2)
52.10.234.30
52.89.22.243
Singapore (ap-southeast-1) 52.221.83.215
54.151.168.230
54.169.3.37

Connections from your SugarCloud server will be made from these IP addresses. Please be aware that these IP addresses may change in the future.

Verify Inbound Email Port Numbers

The Check Inbound Mailboxes scheduler automatically retrieves unread emails from the system inbound email accounts configured in Admin > Inbound Email. You must ensure that the port numbers specified in the Inbound Email settings are correct. Navigate to Admin > Inbound Email and open the affected inbound email account. Verify the port numbers according to the following tables, which list some common email and web port numbers.

Common Email Port Numbers

Email Servers Port Numbers
POP3 110
POP3 over SSL/TLS 995
IMAP 143
IMAP4 over SSL/TLS 993
SMTP 25
SMTP Alternate  26 or 587
SMTPS (SMTP-over-SSL/TLS) 465

Common Web Port Numbers

Web Servers Port Numbers
HTTP 80
HTTP over SSL/TLS 443
FTP 21
FTP with implicit TLS/SSL  990
SFTP 22
Webdisk 2077
Webdisk - SSL 2078
MySQL 3306
MSSQL 1433
SSH 22

Sugar Email Archiving (SNIP)

Sugar's Email Archiving servers can work with your instance only when it can be reached over the internet. Specifically, the URL {site_url}/service/v4/rest.php needs to be accessible from our SugarCloud IP addresses:

  • 54.153.90.191/32
  • 54.153.90.96/32

If you have a 255.255.255.255 subnet mask, the IP addresses are:

  • 54.153.90.191
  • 54.153.90.96

Sugar Connect's Outbound IP Addresses

The following outbound IP addresses are used by Sugar Connect. For on-site hosted instances, please confirm that the IPs for your region(s) are added to the allowlist for your Sugar server for Sugar Connect to successfully make network calls to your Sugar database.

Region Outbound IP Addresses
Australia (ap-southeast-2) 3.105.246.8
13.236.42.185
52.65.222.14
Europe - Frankfurt (eu-central-1) 3.124.84.100
3.121.108.6
52.58.11.13
North America - US (us-west-2) 52.40.34.59
52.88.151.74
52.43.45.176

Sugar Market

IP Addresses for CRM Integration

If your CRM web services are inaccessible publicly, they are most likely behind a firewall, which means that Sugar Market will not be able to connect to your web service. To enable the sync between your CRM and Sugar Market, please request your IT and/or CRM Admin to allowlist the following IP addresses. If your CRM web services are open to the public, then you do not need to allow any additional IP addresses.

The following are the outgoing IP addresses from Sugar Market servers that will be connecting to your CRM servers:

Region IP Address Range
NA/LATAM

54.224.224.232

52.205.115.120

44.217.54.160

35.153.250.29

34.226.3.118

52.90.37.29

52.90.37.96 - 52.90.37.103

52.90.37.108

52.90.37.110

54.72.85.124

54.157.239.6

EMEA

34.240.158.101

52.19.95.145

54.228.216.217

18.200.57.140

34.249.190.128

52.214.82.207
54.72.104.95
63.35.114.131
APAC

13.210.17.231

52.64.141.214

54.66.117.148

3.26.128.192 - 3.26.128.255

13.210.17.231

13.236.250.138

52.64.141.214

54.66.117.148

 

Note: The ports are defined via the web service URL you provide. For example, if your web service URL is HTTP, it is port 80. If it is HTTPS, then it is port 443.

IP Addresses for Email Builder Tool

In order to ensure that internal notifications are delivered to your team, you must allowlist the following addresses for your region before you begin creating email campaigns: 

Region Sending IP Address Ranges
US 18.232.1.16 - 18.232.1.31
52.200.60.192 - 52.200.60.255
52.73.255.192 - 52.73.255.255
EU 3.251.152.64/26
APAC 3.26.128.192 - 3.26.128.255
18.232.1.16 - 18.232.1.31
52.200.60.192 - 52.200.60.255
52.73.255.192 - 52.73.255.255

If possible, we also recommend you allowlist all sending domains you will be using.

IP Addresses for Salesforce Connector

Salesforce requires that you add the following IP address ranges to your Salesforce instance for Sugar Market to sync with your database:

    • 52.90.37.96 - 52.90.37.103
    • 54.72.104.95

Elasticsearch

The communication between your web server and the DB server depends on your database flavor and is orchestrated through your PHP database driver module (MySQLi, ODBC, etc.). For the ES integration, there is no need to load an additional PHP module in the web server as all communication uses a REST API over HTTP. The REST API is accessed through TCP on port 9200 by default. The ES cluster utilizes node-to-node communication through TCP on port 9300 by default.

Report Chart Service

If you have an IP restriction on your server, you must add the corresponding IPs to your allowlist to include charts in scheduled reports. The IPs will correspond with the region's URL that you selected when changing the region. Add the IP addresses for your selected region to your allowlist according to the following table:

Region Outbound IP Addresses
us-west-2  52.40.34.59
52.88.151.74
52.43.45.176
ca-central-1 15.222.160.94
15.223.58.20
15.223.144.228
ap-southeast-2 3.105.246.8
13.236.42.185
52.65.222.14
ap-southeast-1 54.254.112.168
54.151.129.127
3.0.140.48
eu-central-1 3.124.84.100
3.121.108.6
52.58.11.13
eu-west-2 35.176.19.189
3.9.6.50
35.176.37.81

Doc Merge

If you have an IP restriction on your server, you must add the corresponding IPs to your allowlist to use the Doc Merge feature. The IPs will correspond with the region's URL that you selected when changing the region. Add the IP addresses for your selected region to your allowlist according to the following table:

Region  Outbound IP Addresses
us-west-2 52.40.34.59
52.88.151.74
52.43.45.176
ca-central-1 15.222.160.94
15.223.58.20
15.223.144.228
ap-southeast-2 3.105.246.8
13.236.42.185
52.65.222.14
ap-southeast-1 54.254.112.168
54.151.129.127
3.0.140.48
eu-central-1 3.124.84.100
3.121.108.6
52.58.11.13
eu-west-2 35.176.19.189
3.9.6.50
35.176.37.81

Note: A valid SSL certificate is required for your Sugar instance for Doc Merge to work.

Sugar Hint

If your server has firewalls set up that block direct access to the internet, you must add the following Hint service URLs to your allowlist for Hint to work:

    • https://hint-data-enrichment.service.sugarcrm.com
    • https://hint-interest-subscription.service.sugarcrm.com
    • https://hint-notifications.service.sugarcrm.com