Required list of IP addresses for ocsp.entrust.net so the firewall team can add the ocsp.entrust.net endpoint to the inclusion list for MID Server communication


Description

The firewall team needs the specific list of IP addresses for ocsp.entrust.net, because the packet traces they capture show a different IP address each time, so they cannot add ocsp.entrust.net to the inclusion list by IP for the MID Server to communicate with the instance.


Resolution

The Entrust IP addresses used for revocation checks are dynamic and globally load-balanced; because of this, Entrust cannot provide a set of static IP addresses.

Other Options:

1. Add the FQDNs listed below to the inclusion list:

- crl.entrust.net
- crl2.entrust.net
- ocsp.entrust.net

2. Proxy the CRL requests to a server in the DMZ.

Requests to crl.entrust.net are directed to a proxy server that has internet access; the proxy server downloads the CRL.
Implementation details depend on the hardware/software available to execute this setup.

3. Host the CRL internally.
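The following is an added example, not code from this article, ServiceNow or Entrust, illustrating options 1 and 2 together: a small forward proxy for a DMZ host that relays only plain-HTTP CRL/OCSP requests whose destination is one of the three Entrust FQDNs above, so the firewall rule can stay "MID Server to proxy" while Entrust's IP addresses keep changing. The listening address and port (0.0.0.0:3128), the timeout and the sample paths in the comments are assumptions.

```python
"""Allowlisting forward proxy for Entrust revocation traffic (added example).

Point the MID Server's HTTP proxy setting at the DMZ host running this. The
proxy forwards a request only when the destination host is exactly one of the
Entrust revocation FQDNs; anything else gets a 403 and never leaves the DMZ.
"""
import http.server
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# FQDNs from the article. Matching is on the exact host, never on a suffix.
ALLOWED_HOSTS = frozenset({"crl.entrust.net", "crl2.entrust.net", "ocsp.entrust.net"})


def allowed_target(url: str) -> bool:
    """Return True only for a plain-HTTP URL whose host is in ALLOWED_HOSTS.

    CRL distribution points and OCSP responders are http:// URLs, so any other
    scheme is refused, as are non-default ports, userinfo tricks such as
    http://ocsp.entrust.net@other.example/ and look-alike hosts such as
    ocsp.entrust.net.other.example (constructed examples).
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    host = parts.hostname  # lower-cased, userinfo stripped
    if host is None or port not in (None, 80):
        return False
    return host in ALLOWED_HOSTS


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: a 3xx could otherwise send us off the allowlist."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


class RevocationProxy(http.server.BaseHTTPRequestHandler):
    """Relays GET (CRL download, OCSP-over-GET) and POST (OCSP) only."""

    def _relay(self, body=None):
        # In a forward proxy the request line carries the absolute URL,
        # e.g. "GET http://crl.entrust.net/sample.crl HTTP/1.1".
        if not allowed_target(self.path):
            self.send_error(403, "destination not in revocation allowlist")
            return
        headers = {"Host": urlsplit(self.path).netloc}
        if self.headers.get("Content-Type"):
            headers["Content-Type"] = self.headers["Content-Type"]
        req = urllib.request.Request(self.path, data=body, headers=headers,
                                     method=self.command)
        try:
            with _OPENER.open(req, timeout=10) as resp:
                data = resp.read()
                self.send_response(resp.status)
                for name in ("Content-Type", "Cache-Control", "Expires", "Last-Modified"):
                    if resp.headers.get(name):
                        self.send_header(name, resp.headers[name])
                self.send_header("Content-Length", str(len(data)))
                self.end_headers()
                self.wfile.write(data)
        except urllib.error.HTTPError as err:
            self.send_error(err.code)  # includes refused redirects
        except (urllib.error.URLError, OSError):
            self.send_error(502, "upstream unreachable")

    def do_GET(self):
        self._relay()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        self._relay(self.rfile.read(length) if length else None)


if __name__ == "__main__":
    # Bind address and port are assumptions; adjust to the DMZ host.
    http.server.ThreadingHTTPServer(("0.0.0.0", 3128), RevocationProxy).serve_forever()
```

The decision is kept in `allowed_target` so it can be unit-tested and audited separately from the relay; an exact-host match (rather than a suffix or substring check) is what makes the FQDN inclusion list safe, and refusing redirects keeps an upstream 3xx from turning the proxy into open egress.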

Please check the link below from Entrust for more details:

https://www.entrust.com/knowledgebase/ssl/ip-range-for-entrust-revocation-crlocsp