An Identity provider will requires access to a number of external websites during it's life. These sites will be on addresses that are likely to move about with respect to their IP addresses. This makes it difficult to configure a firewall for outbound traffic requests and is NOT recommended. If access restrictions are placed on outbound traffic for on-premise servers then the use of an outbound proxy is the recommended approach. The following table provides a list of addresses the IdP will access during it's life (this assumes the AAF IdP installer has been used to perform the installation).

When Site Content
Installation and upgrades
Installer configuration
Binaries used by the installer
The AAF Metadata certificate

Software repository URL used for OS and Package installs and updates. YUM repos
On-going operation
    - Production IdP
Federation metadata for the AAF production environment.
On-going operation
    - Test IdP
Federation metadata for the AAF test environment,

Note: All component can be configured to use a outbound proxy.

Note: All sites accessed by the IdP are using the secure https protocol and all sites will have valid, current certificates installed.

Future consideration: The AAF will being requesting anonymitized usage logs from IdPs using the F-TICKS logging configuration. F-TICKS is a standardized audit record format used by some federations for collection of federated login statistics. This may require the IdP to send logs via syslog on port 514 using UDP, but this has yet to be confirmed.