Required URLs, IP addresses and ports
This topic provides an overview of URLs, IP addresses and ports that must be added to the allow list (also known as whitelist) in your firewall to ensure that the Ivanti Neurons Platform and its agents can communicate.
The overview starts with information that applies to all environments (Common URLs for all environments, directly below), followed by information that differs based on where your environment is hosted: Landscape-specific.
All outbound network traffic is typically via port 443 and 8883. Network communication from Ivanti Neurons to agents is done through MQTT technology. Individual services on the Ivanti Neurons agent can communicate to Ivanti Neurons on secure port 443.
Common for all environments
Registration
The table below outlines the base URLs needed for the Ivanti Neurons agent to register and communicate with the Neurons Platform. Without access to these URLs, the Neurons agent cannot register or install.
| URL | IP address |
|---|---|
| https://agentreg.ivanticloud.com | Dynamic IP (Can change often) |
| https://agentsync.ivanticloud.com | Dynamic IP (Can change often) |
| https://download.ivanticloud.com | Dynamic IP (Can change often) |
|
https://edgelocation.ivanticloud.com |
20.108.85.53 (to be deprecated) |
The Neurons Platform utilizes some features of Microsoft Azure which do not allow static IP addresses. Microsoft has a pool of IP addresses available, to use these features publicly.
If you cannot add the URLs listed above to the allow list of your firewall, the alternative would be to allow the following certificate:
*.ivanticloud.com
Content
The table below lists URLs that are needed for downloading content and updates. Access to some of these URLs is required for installation of the Neurons Agent, as the Agent has to load updated .Net libraries and the .NET UI SDK.
| URL | Remark |
|---|---|
| download.visualstudio.microsoft.com | Prerequisite downloads of .NET and C++ runtime updates |
| download.windowsupdate.com | |
| download.microsoft.com | Patch file downloads provided by Microsoft |
|
content.ivanti.com |
Ivanti Patch data |
|
docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html |
Provide IP addresses of the CloudFront CDN that serves Ivanti Patch content, and the Neurons Agent and its engines. |
| d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips |
If you use Ivanti Neurons for Patching, manufacturer download portals also need to be accessible.
Example: http://downloadarchive.documentfoundation.org/ for LibreOffice
The table below lists ports that are needed for downloading updates.
| Port | Remark |
|---|---|
| 33121, 33122 | Required for peer downloads. TCP and UDP. |
Port 9000
The Neurons agent has an engine called STAgentProxy that uses port 9000 for communication between engines. If you have other programs that require port 9000, you can configure STAgentProxy to use a different port.
-
Using a registry editor, for example RegEdit, go to the following path in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Ivanti\Ivanti Cloud Agent\STAgentProxy -
Find the key Port (REG_DWORD) and set the value to the desired port.
-
Save your settings.
-
Using, for example, the Windows Task Manager, restart the STAgentProxy service.
Certificate Revocation Lists
The table below lists URLs that are needed to access Certificate Revocation Lists (CRLs) and to which server they apply.
| URL | CRL for |
|---|---|
| http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl | agentreg.ivanticloud.com agentsync.ivanticloud.com |
| http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl |
*.ivanticloud.com Also for landscape-specific: |
| http://crl.r2m03.amazontrust.com/r2m03.crl | content.ivanti.com |
| http://crl.r2m01.amazontrust.com/r2m01.crl | download.ivanticloud.com |
Landscape-specific
Ivanti Neurons tenants can be located in different 'landscapes', depending on where you are located geographically. The landscape that holds your tenant determines what you must add to the allow list.
To determine the landscape of your tenant, go to the Ivanti Neurons sign-in page for your tenant and look at the URL. The first three characters indicate the landscape.
Current landscapes are:
- NVU for America-based (AMER) customers.
- UKU for Europe, Middle-East or Africa-based (EMEA) customers.
- MLU for Asia-Pacific-based (APAC) customers.
- FRU for EU-based customers that want to host their data inside the EU.
If you need help understanding in which landscape your environment is hosted, feel free to reach out to your account representative or Ivanti Support.
The sections below list the landscape-specific URLs, IP addresses, and ports needed for each of the Ivanti Neurons Platform services. The services available in your environment depend on which Ivanti Neurons license you have.
Click on the name of the relevant landscape to expand the list.
NVU landscape
| Service | URL | IP address | Ports |
|---|---|---|---|
| Agent (required) | |||
| Backbone Neurons Communications | nvuprd-sfc.ivanticloud.com | Dynamic | 443 (TCP) |
| Agent Communications | nvu-prd.mqtt.ivanticloud.com | 20.81.12.92 | 8883 |
| Connector Engine | Local traffic | Local traffic | 443 (TCP) |
| Connector Engine – SQL | Local traffic | Local traffic | As defined by your SQL Server instance |
| Edge Intelligence | |||
| Real-Time Engine | nvu-prd.mqtt.ivanticloud.com | 20.81.12.92 | 8883 (TCP) |
| Remote Control | |||
| Remote Control on the Endpoint machine | nvuprd-rc.ivanticloud.com | 20.75.194.96 | Port Range 44345 to 44349 (TCP) |
| Remote Control for the Analyst machine | Port Range 45344 to 45348 (TCP) | ||
| Patch Management | |||
| Patch Engine - Vendors | See Vendor list at https://forums.ivanti.com | 443/80 (TCP, outbound only) | |
| Patch Engine - Sideload | sapatchtenantfilesc49a57.blob.core.windows.net | Dynamic | 443 (TCP, outbound only) |
| Discovery | |||
| AgentlessEngine | Local traffic | Local traffic | 445 (TCP) 135 (TCP) |
| IvantiCsepEngine | Local traffic | Local traffic | 33554 (TCP and UDP) 33555 (UDP) |
| IvantiDiscoveryEngine | Local traffic | Local traffic | 137 (UDP) 53 (UDP) |
| DeploymentEngine | nvuprd-adpstat.ivanticloud.com | Dynamic |
443 (TCP) |
| Deployment | |||
|
DeploymentEngine |
nvuprd-adpstat.ivanti.cloud.com |
Dynamic |
443 (TCP) |
|
DeploymentEngine |
Local traffic |
Local traffic |
445 (TCP) Optional for NETBIOS: 139 (TCP) 137-138 (UDP) |
|
DeploymentEngine |
Local traffic |
Local traffic |
22 (TCP) macOS and Linux |
| Status of, for example, Deployment and Discovery Scan | |||
| Live updates of the UI (instead of refreshing the webpage) |
https://rg-nvz-prd-discoagentmgmtdisco-notifications-nvz.service.signalr.net/client/negotiate |
|
|
|
wss://rg-nvz-prd-discoagentmgmtdisco-notifications-nvz.service.signalr.net/client/ |
|
|
|
UKU landscape
| Service | URL | IP address | Ports |
|---|---|---|---|
| Agent (required) | |||
| Backbone Neurons Communications | ukuprd-sfc.ivanticloud.com | Dynamic | 443 (TCP) |
| Agent Communications | uku-prd.mqtt.ivanticloud.com | 20.49.172.247 | 8883 |
| Connector Engine | Local traffic | Local traffic | 443 (TCP) |
| Connector Engine – SQL | Local traffic | Local traffic | As defined by your SQL Server instance |
| Edge Intelligence | |||
| Real-Time Engine | uku-prd.mqtt.ivanticloud.com | 20.49.172.247 | 8883 (TCP) |
| Remote Control | |||
| Remote Control on the Endpoint machine | ukuprd-rc.ivanticloud.com | 20.77.156.96 | Port Range 44345 to 44349 (TCP) |
| Remote Control for the Analyst machine | Port Range 45344 to 45348 (TCP) | ||
| Patch Management | |||
| Patch Engine - Vendors | See Vendor list at https://forums.ivanti.com | 443/80 (TCP, outbound only) | |
| Patch Engine - Sideload | sapatchtenantfiles8061b2.blob.core.windows.net | Dynamic | 443 (TCP, outbound only) |
| Discovery | |||
| AgentlessEngine | Local traffic | Local traffic | 445 (TCP) 135 (TCP) |
| IvantiCsepEngine | Local traffic | Local traffic | 33554 (TCP and UDP) 33555 (UDP) |
| IvantiDiscoveryEngine | Local traffic | Local traffic | 137 (UDP) 53 (UDP) |
| DeploymentEngine | ukuprd-adpstat.ivanticloud.com | Dynamic |
443 (TCP) |
| Deployment | |||
|
DeploymentEngine |
nvuprd-adpstat.ivanti.cloud.com |
Dynamic |
443 (TCP) |
|
DeploymentEngine |
Local traffic |
Local traffic |
445 (TCP) Optional for NETBIOS: 139 (TCP) 137-138 (UDP) |
|
DeploymentEngine |
Local traffic |
Local traffic |
22 (TCP) macOS and Linux |
| Status of, for example, Deployment and Discovery Scan | |||
| Live updates of the UI (instead of refreshing the webpage) |
https://rg-uks-prd-discoagentmgmtdisco-notifications-uks.service.signalr.net/client/negotiate |
|
|
|
wss://rg-uks-prd-discoagentmgmtdisco-notifications-uks.service.signalr.net/client/ |
|
|
|
MLU landscape
| Service | URL | IP address | Ports |
|---|---|---|---|
| Agent (required) | |||
| Backbone Neurons Communications | mluprd-sfc.ivanticloud.com | Dynamic | 443 (TCP) |
| Agent Communications | mlu-prd.mqtt.ivanticloud.com | 20.53.68.63 | 8883 |
| Connector Engine | Local traffic | Local traffic | 443 (TCP) |
| Connector Engine – SQL | Local traffic | Local traffic | As defined by your SQL Server instance |
| Edge Intelligence | |||
| Real-Time Engine | mlu-prd.mqtt.ivanticloud.com | 20.53.68.63 | 8883 (TCP) |
| Remote Control | |||
| Remote Control on the Endpoint machine | mluprd-rc.ivanticloud.com | 20.53.149.64 | Port Range 44345 to 44349 (TCP) |
| Remote Control for the Analyst machine | Port Range 45344 to 45348 (TCP) | ||
| Patch Management | |||
| Patch Engine - Vendors | See Vendor list at https://forums.ivanti.com | 443/80 (TCP, outbound only) | |
| Patch Engine - Sideload | sapatchtenantfiles0a0009.blob.core.windows.net | Dynamic | 443 (TCP, outbound only) |
| Discovery | |||
| AgentlessEngine | Local traffic | Local traffic | 445 (TCP) 135 (TCP) |
| IvantiCsepEngine | Local traffic | Local traffic | 33554 (TCP and UDP) 33555 (UDP) |
| IvantiDiscoveryEngine | Local traffic | Local traffic | 137 (UDP) 53 (UDP) |
| DeploymentEngine | mluprd-adpstat.ivanticloud.com | Dynamic |
443 (TCP) |
| Deployment | |||
|
DeploymentEngine |
nvuprd-adpstat.ivanti.cloud.com |
Dynamic |
443 (TCP) |
|
DeploymentEngine |
Local traffic |
Local traffic |
445 (TCP) Optional for NETBIOS: 139 (TCP) 137-138 (UDP) |
|
DeploymentEngine |
Local traffic |
Local traffic |
22 (TCP) macOS and Linux |
| Status of, for example, Deployment and Discovery Scan | |||
| Live updates of the UI (instead of refreshing the webpage) |
https://rg-mlz-prd-discoagentmgmtdisco-notifications-mlz.service.signalr.net/client/negotiate |
|
|
|
wss://rg-mlz-prd-discoagentmgmtdisco-notifications-mlz.service.signalr.net/client/ |
|
|
|
FRU landscape
| Service | URL | IP address | Ports |
|---|---|---|---|
| Agent (required) | |||
| Backbone Neurons Communications | fruprd-sfc.ivanticloud.com | Dynamic | 443 (TCP) |
| Agent Communications | fru-prd.mqtt.ivanticloud.com | 20.79.245.45 | 8883 |
| Connector Engine | Local traffic | Local traffic | 443 (TCP) |
| Connector Engine – SQL | Local traffic | Local traffic | As defined by your SQL Server instance |
| Edge Intelligence | |||
| Real-Time Engine | fru-prd.mqtt.ivanticloud.com | 20.79.245.45 | 8883 (TCP) |
| Remote Control | |||
| Remote Control on the Endpoint machine | fruprd-rc.ivanticloud.com | 20.79.146.18 | Port Range 44345 to 44349 (TCP) |
| Remote Control for the Analyst machine | Port Range 45344 to 45348 (TCP) | ||
| Patch Management | |||
| Patch Engine - Vendors | See Vendor list at https://forums.ivanti.com | 443/80 (TCP, outbound only) | |
| Patch Engine - Sideload | sapatchtenantfilesd467b8.blob.core.windows.net | Dynamic | 443 (TCP, outbound only) |
| Discovery | |||
| AgentlessEngine | Local traffic | Local traffic | 445 (TCP) 135 (TCP) |
| IvantiCsepEngine | Local traffic | Local traffic | 33554 (TCP and UDP) 33555 (UDP) |
| IvantiDiscoveryEngine | Local traffic | Local traffic | 137 (UDP) 53 (UDP) |
| DeploymentEngine | fruprd-adpstat.ivanticloud.com | Dynamic |
443 (TCP) |
| Deployment | |||
|
DeploymentEngine |
nvuprd-adpstat.ivanti.cloud.com |
Dynamic |
443 (TCP) |
|
DeploymentEngine |
Local traffic |
Local traffic |
445 (TCP) Optional for NETBIOS: 139 (TCP) 137-138 (UDP) |
|
DeploymentEngine |
Local traffic |
Local traffic |
22 (TCP) macOS and Linux |
| Status of, for example, Deployment and Discovery Scan | |||
| Live updates of the UI (instead of refreshing the webpage) |
https://rg-fru-prd-discoagentmgmtdisco-notifications-fru.service.signalr.net/client/negotiate |
|
|
|
wss://rg-fru-prd-discoagentmgmtdisco-notifications-fru.service.signalr.net/client/ |
|
|
|