Connector Network Requirements
Purpose
Lists external endpoints and local connectivity requirements for SailPoint Entro Connectors.
Local Access
-
Connector must be able to reach every onboarded integration inside your perimeter (Bitbucket, GitLab, SMB, Vault, etc.).
-
Ensure no firewall/proxy/DPI blocks these connections.
-
SMB file share scanning requires local network access to file servers.
Note
Connector needs direct network access to the resources it scans. If your environment restricts internal connectivity, adjust firewall rules or provide a routing path (VPN, VPC peering, etc.) so the connector can reach those services.
SailPoint Entro & AWS Endpoints
Connector needs outbound access to SailPoint Entro services and various AWS endpoints used for logging and storage. Common AWS endpoints include:
-
*.s3.amazonaws.com -
*.s3.{region}.amazonaws.com -
iam.amazonaws.com -
logs.{region}.amazonaws.com -
secretsmanager.{region}.amazonaws.com -
sqs.{region}.amazonaws.com -
sts.{region}.amazonaws.com -
s3express-control.{region}.amazonaws.com -
monitoring.us-east-1.amazonaws.com(and FIPS variants) -
*api.entro.security- SailPoint Entro's own API endpoint
The connector does not communicate directly with SailPoint Entro's UI (app.entro.security)
Note
Default region is us-east-1 unless specified otherwise. Replace {region} accordingly.
Firewall / Proxy Notes
Warning
Do not perform SSL stripping or MITM on SailPoint Entro traffic.
-
Allow outbound HTTPS to SailPoint Entro API hosts and required AWS endpoints above.
-
If using SailPoint Entro perimeter static IPs, see the IP list on the SaaS-perimeter page.
-
If a proxy is required, make sure the proxy is configured in the
.env-connectorfile.
Troubleshooting
Troubleshooting steps
-
If connector fails to reach a service, capture tcpdump and check DNS resolution and proxy logs.
-
Verify proxy authentication and TLS interception are not interfering.
-
Confirm outbound HTTPS to the relevant SailPoint Entro and AWS hosts is permitted and not being altered by DPI.