See below for the network requirements for all Windows devices in an Active Directory forest.

Connection to the Windows domain is not a requirement for certificate enrollment. When the requirements below are met, domain-joined devices can enroll for certificates even when they are not connected to the same network as the Windows domain.

Device outbound access to the Entrust WSTEP service

Grant any device access to Entrust PKIaaS.

EU region: wstep.eu.pkiaas.entrust.com
US region: wstep.pkiaas.entrust.com

| Target port | Protocol | Application |
|-------------|----------|-------------|
| 443         | TCP      | HTTPS       |

Device outbound access to the Entrust certificate validation services

Grant any device access to the following Entrust certificate validation services:

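| Target port | Protocol | Application | Target service                                     |
|-------------|----------|-------------|----------------------------------------------------|
| 80          | TCP      | HTTP        | See Entrust PKIaaS OCSP service                    |
| 80          | TCP      | HTTP        | See Entrust PKIaaS Certificate Revocation Lists    |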
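
The outbound requirements above can be checked from a device before enrollment is rolled out. The following PowerShell preflight is an added example, not Entrust's code: the function name Test-PkiaasEgress, the endpoint list layout and the timeout are assumptions, and the OCSP and CRL hosts are placeholders because this page only links to those services.

```powershell
# Added example: egress preflight for the requirements listed on this page.
# Only the two WSTEP hostnames come from the page. Keep the entry for your
# region and replace the placeholders with the hosts from the linked
# OCSP and CRL pages.
$Required = @(
    [pscustomobject]@{ Name = 'WSTEP (EU)'; Target = 'wstep.eu.pkiaas.entrust.com'; Port = 443; Tls = $true }
    [pscustomobject]@{ Name = 'WSTEP (US)'; Target = 'wstep.pkiaas.entrust.com';    Port = 443; Tls = $true }
    [pscustomobject]@{ Name = 'OCSP';       Target = '<ocsp-host-placeholder>';     Port = 80;  Tls = $false }
    [pscustomobject]@{ Name = 'CRL';        Target = '<crl-host-placeholder>';      Port = 80;  Tls = $false }
)

function Test-PkiaasEgress {
    param(
        [Parameter(Mandatory)] [object[]] $Endpoint,
        [int] $TimeoutMs = 5000
    )
    foreach ($e in $Endpoint) {
        $r = [ordered]@{ Name = $e.Name; Target = $e.Target; Port = $e.Port
                         TcpOpen = $false; TlsOk = $null; Issuer = $null; Error = $null }
        if ($e.Target -like '<*>') {
            # Placeholder was never replaced: report it instead of probing.
            $r.Error = 'placeholder host not filled in'
            [pscustomobject]$r
            continue
        }
        $client = [System.Net.Sockets.TcpClient]::new()
        try {
            # Bounded TCP connect, so a silently dropping firewall fails fast.
            $task = $client.ConnectAsync($e.Target, $e.Port)
            if (-not $task.Wait($TimeoutMs)) { throw "TCP connect timed out after $TimeoutMs ms" }
            $r.TcpOpen = $true
            if ($e.Tls) {
                # Complete a TLS handshake with default certificate validation.
                # The issuer shows whether a TLS-inspecting proxy is in the path.
                $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
                $ssl.AuthenticateAsClient($e.Target)
                $r.TlsOk  = $true
                $r.Issuer = $ssl.RemoteCertificate.Issuer
                $ssl.Dispose()
            }
        } catch {
            if ($e.Tls -and $r.TcpOpen) { $r.TlsOk = $false }
            $r.Error = $_.Exception.GetBaseException().Message
        } finally {
            $client.Dispose()
        }
        [pscustomobject]$r
    }
}

Test-PkiaasEgress -Endpoint $Required | Format-Table -AutoSize
```

A row with TcpOpen false points to a blocked port or failed name resolution; TcpOpen true with TlsOk false points to a failed TLS handshake or certificate validation on the path to the WSTEP service.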