LogoLogo
Enterprise Guide
Enterprise Guide
  • Getting Started
  • Start Your Trial
  • Resources
  • Keeper for Teams and Small Business
  • Keeper Enterprise
  • Implementation Overview
  • Domain Reservation
  • Deploying Keeper to End-Users
    • Desktop Applications
      • Launch on Start Up
    • Forcefield
    • Browser Extension (KeeperFill)
      • Mac
        • PLIST (.plist) Policy Deployment
          • Jamf Pro Policy Deployment - Chrome
          • Microsoft Intune Policy Deployment - Chrome
      • Linux
        • JSON Policy Deployment - Chrome
      • Windows
        • Group Policy Deployment - Chrome
        • Group Policy Deployment - Firefox
        • Group Policy Deployment - Edge
        • SCCM Deployment - Chrome
        • Intune - Chrome
        • Intune - Edge
        • Edge Settings Policy
        • Chrome Settings Policy
      • Virtual Machine Persistence
    • Mobile Apps
      • IBM MaaS360
    • Optional Deployment Tasks
    • IE11 Trusted Sites
  • End-User Guides
  • Keeper Admin Console Overview
  • Nodes and Organizational Structure
  • Risk Management Dashboard
  • User and Team Provisioning
    • Custom Invite and Logo
      • Custom Email - Markdown Language
    • Simple Provisioning through the Admin Console
    • Active Directory Provisioning
    • LDAP Provisioning
    • SSO JIT (Just-in-Time) Provisioning
    • Okta Provisioning
    • Entra ID / Azure AD Provisioning
    • Google Workspace Provisioning
    • JumpCloud Provisioning
    • CloudGate Provisioning
    • OneLogin Provisioning
    • Microsoft AD FS Provisioning
    • API Provisioning with SCIM
      • Using SCIM API Provisioning
    • Team and User Approvals
    • Email Auto-Provisioning
    • CLI Provisioning with Commander SDK
  • SSO / SAML Authentication
  • User Management and Lifecycle
  • Email Address Changes
  • Roles, RBAC and Permissions
    • Enforcement Policies
    • Security Keys
  • Delegated Administration
  • Account Transfer Policy
  • Teams (Groups)
  • Sharing
    • Record and File Sharing
    • Shared Folders
    • PAM Resource Sharing
    • One-Time Share
    • Share Admin
    • Time-Limited Access
    • Self-Destructing Records
    • Hiding Passwords
  • Creating Vault Records
  • Importing Data
  • Record Types
  • Two-Factor Authentication
  • Storing Two-Factor Codes
  • Security Audit
    • Security Audit Score Calculation
  • BreachWatch (Dark Web)
  • Secure File Storage & Sharing
  • Reporting, Alerts & SIEM
    • Event Descriptions
    • Splunk
    • Sumo Logic
    • Exabeam (LogRhythm)
    • Syslog
    • QRadar
    • Azure Monitor
    • Azure Sentinel
    • AWS S3 Bucket
    • Devo
    • Datadog
    • Logz.io
    • Elastic
    • Firewall Configuration
    • On-site Commander Push
  • Recommended Alerts
  • Webhooks
    • Slack Webhooks
    • Teams Webhooks
    • Amazon Chime Webhooks
    • Discord Webhooks
  • Compliance Reports
  • Vault Offline Access
  • Secrets Manager
  • Commander CLI
  • Keeper Connection Manager
  • KeeperPAM Privileged Access Manager
  • Keeper Forcefield
  • KeeperChat
  • Keeper MSP
    • Free Trial
    • Getting Started
    • Fundamentals
    • Consumption-Based Billing
      • Secure Add-Ons
      • Existing MSP Admins
    • Onboarding
    • PSA Billing Reconciliation
    • Join the Slack Channel
    • Next Steps
    • Offboarding
    • Commander CLI/SDK
    • Account Management APIs
    • Provision Family Plans via API
    • MSP Best Practices
  • Free Family License for Personal Use
    • Provision Family plans via API
    • Provision Student plans via API
    • API Troubleshooting
      • API Parameters
      • API Response Codes
      • API Explorer - Swagger
  • Keeper Security Benchmarks and Recommended Security Settings
  • IP Allow Keeper
  • Keeper Encryption and Security Model Details
  • Developer API / SDK Tools
  • On-Prem vs. Cloud
  • Authentication Flow V3
  • Migrating from LastPass
  • Training and Support
  • Keeper SCORM Files for LMS Modules
  • Docs Home
Powered by GitBook

Company

  • Keeper Home
  • About Us
  • Careers
  • Security

Support

  • Help Center
  • Contact Sales
  • System Status
  • Terms of Use

Solutions

  • Enterprise Password Management
  • Business Password Management
  • Privileged Access Management
  • Public Sector

Pricing

  • Business and Enterprise
  • Personal and Family
  • Student
  • Military and Medical

© 2025 Keeper Security, Inc.

On this page
  • Overview
  • Emails from Keeper Security

Was this helpful?

Export as PDF

IP Allow Keeper

IP Allow lists for Keeper network communications

PreviousKeeper Security Benchmarks and Recommended Security SettingsNextKeeper Encryption and Security Model Details

Last updated 4 months ago

Was this helpful?

Overview

This page contains information on restricting access to Keeper's communications based on end-user application access, email delivery, SIEM and Automator requests.

For enhanced security, if you have deployed a firewall or zero trust network which restricts end-user network traffic to specific services, you can add Keeper to your AllowList based on FQDN. We recommend using FQDN since some of Keeper's services use dynamic IPs.

Emails from Keeper Security

Keeper sends several types of transactional emails.

  • If the role enforcement policy is enabled, email invitations are sent to newly provisioned end-users via the Admin Console, Bridge or SCIM methods. The content of the email invites can be customized by the Admin in the console configurations screen.

  • Keeper does not send marketing communications or any other product marketing emails to enterprise end-users.

  • Users with Administrative rights will receive emails related to account status and billing. End-users will not receive account related emails.

  • The primary account owner who signs up for Keeper will receive an onboarding email and documentation links, as well as direct communication from a Keeper customer success manager.

  • Device verification emails (when logging into a new device) are sent to end-users for authentication purposes.

  • Alerts configured by the Keeper Admin in the Advanced Reporting & Alerts application can be optionally sent to end-users, but this is not activated by default.

Email Delivery

Keeper's email services are hosted with Amazon SES using dedicated IPs. To ensure that emails from Keeper Security are delivered to users with high success, we recommend ensuring that your mail filters accept email from the below FQDNs and IP Senders. Domains:

Email Sender IPs:

  • keepersecurity.com

  • keepersecurity.com.au

  • keepersecurity.eu

  • keepersecurity.ca

  • govcloud.keepersecurity.us

  • keepersecurity.jp

SIEM Events and Automator Device Approvals

For customers who are receiving inbound SIEM events and Automator device approval requests from the Keeper production environment, you can lock down traffic to the below IP addresses.

US / Global

  • 34.194.242.137/32

  • 18.235.39.229/32

  • 54.208.20.102/32

  • 34.203.159.189/32

EU / Dublin

  • 54.246.149.209/32

  • 34.250.37.43/32

  • 52.210.163.45/32

  • 54.246.185.95/32

AU / Sydney

  • 54.206.253.126/32

  • 52.64.85.78/32

  • 3.106.40.41/32

  • 54.206.208.132/32

US / GovCloud

  • 18.253.101.55/32

  • 18.253.102.58/32

  • 18.252.135.74/32

  • 18.253.212.59/32

CA / Canada Hosted Customers

  • 35.182.155.224/32

  • 35.182.216.11/32

  • 15.223.136.134/32

JP / Tokyo Hosted Customers

  • 35.74.131.237/32

  • 54.150.11.204/32

  • 52.68.53.105/32

After external logging is established, it might be automatically put on pause if the external system becomes unavailable and the number of the events in the queue reaches a threshold of 50. If this happens, you will have to manually resume the external logging after correcting the issue. We recommend setting up an alert for the "Paused Audit log Sync" event so you get notified if the external logging is paused.

54.240.35.231, 54.240.35.230, 54.240.34.220, 54.240.34.131, 54.240.34.133, 54.240.34.219, 54.240.34.135, 54.240.34.132, 54.240.34.134, 54.240.35.227, 54.240.55.117, 54.240.55.118, 69.169.235.44, 69.169.235.45, 69.169.235.46, 69.169.235.47, 69.169.235.48

Canada, Japan and GovCloud regions do not currently have static IPs for Email Senders. This is coming soon.

FQDN Allow List for End-User Applications

For all application access, outbound TCP port 443 should be open to your users for the endpoints listed below, depending on your tenant location.

For KeeperPAM connections and tunnels, TCP and UDP 3478 also needs to be open to the region's krelay endpoint.

Global - All Customers

  • keepersecurity.com

  • keeper.io

  • gitbook.io (documentation portal)

  • PLUS.. add additional endpoints listed below.

US Hosted Customers

  • keepersecurity.com

  • push.services.keepersecurity.com

  • files.services.keepersecurity.com

  • connect.keepersecurity.com

  • krelay.keepersecurity.com

US / GovCloud Hosted Customers

  • govcloud.keepersecurity.us

  • push.services.keepersecurity.us

  • files.services.keepersecurity.us

  • connect.keepersecurity.us

  • krelay.keepersecurity.com

EU Hosted Customers

  • keepersecurity.eu

  • push.services.keepersecurity.eu

  • files.services.keepersecurity.eu

  • connect.keepersecurity.eu

  • krelay.keepersecurity.eu

AU Hosted Customers

  • keepersecurity.com.au

  • push.services.keepersecurity.com.au

  • files.services.keepersecurity.com.au

  • connect.keepersecurity.com.au

  • krelay.keepersecurity.com.au

CA / Canada Hosted Customers

  • keepersecurity.ca

  • push.services.keepersecurity.ca

  • files.services.keepersecurity.ca

  • connect.keepersecurity.ca

  • krelay.keepersecurity.ca

JP / Tokyo Hosted Customers

  • keepersecurity.jp

  • push.services.keepersecurity.jp

  • files.services.keepersecurity.jp

  • connect.keepersecurity.jp

  • krelay.keepersecurity.jp