Required URLs, IP addresses and ports
This topic provides an overview of URLs, IP addresses and ports that must be added to the allow list (also known as whitelist) in your firewall to ensure that the Ivanti Neurons Platform and its agents can communicate.
The overview starts with information that applies to all environments (Common URLs for all environments, directly below), followed by information that differs based on where your environment is hosted: Landscapes.
All outbound network traffic typically uses ports 443 and 8883. Network communication from Ivanti Neurons to agents is done through MQTT. Individual services on the Ivanti Neurons agent can communicate with Ivanti Neurons on secure port 443.
Revision history
This topic was last updated on December 10, 2024.
The table below lists changes to this topic, and when they were made.
Date | Change |
---|---|
December 10, 2024 | Added the Azure Blob Storage URLs section |
October 10, 2024 | In the Accessing and interacting with the Neurons Platform portal section: |
October 4, 2024 | Added the Accessing and interacting with the Neurons Platform portal section. Registration in the Common section: Certificate Revocation Lists in the Common section: |
August 1, 2024 | Information for the new landscapes TKU and TTU: |
July 29, 2024 | Added a Revision History section. Registration in the Common section: |
June 6, 2024 | Added App Distribution Cloud Storage to the Common section. |
May 31, 2024 | Registration in the Common section: Updated IP address for edgelocation.ivanticloud.com. (announced from 25 April, 2024) |
May 9, 2024 | Deployment in the Landscape-specific sections: |
April 10, 2024 | Added Deployment to the Landscape-specific sections. |
Accessing and interacting with the Neurons Platform portal
The table below outlines the URLs needed to interact with the Neurons Platform portal.
This includes using consoles from other Ivanti solutions to prepare data for use in the Neurons Platform, such as UWM Hybrid Deployment. For more information, see the Application Control (Hybrid), Environment Manager (Hybrid), and Performance Manager (Hybrid) capabilities in Agent Policy Capabilities.
URL | Remark |
---|---|
https://app.launchdarkly.com https://events.launchdarkly.com | Feature availability |
https://dc.services.visualstudio.com/v2/track | Telemetry |
https://fonts.googleapis.com/css2 | Correct layout |
https://www.recaptcha.net/recaptcha/api.js | Additional security during logon. (only required if reCAPTCHA has NOT been disabled) |
Azure Blob Storage URLs
The table below outlines the URLs needed for storage. The IP addresses of Azure Blob Storage are dynamic.
On client devices, the App Distribution engine (swd.engine), via Agent Framework, downloads the App Distribution files ReturnCodeTemplates.json, Packages.json, and Portal.json from the following URL domains, using port 443:
Geo | URL |
---|---|
NVU | https://sanvuprddefaul0x08888888.blob.core.windows.net/ |
UKU | https://saukuprddefaul0x08888888.blob.core.windows.net/ |
FRU | https://safruprddefaul0x08888888.blob.core.windows.net/ |
MLU | https://samluprddefaul0x08888888.blob.core.windows.net/ |
TTU | https://sattuprddefaul0x08888888.blob.core.windows.net/ |
TKU | https://satkuprddefaul0x08888888.blob.core.windows.net/ |
On client devices, the App Distribution engine (swd.engine), via Agent Framework, downloads any targeted files uploaded to App Distribution's Ivanti Free Storage account from the following URL domains, using port 443:
Geo | URL |
---|---|
NVU | https://saappdistnvu.blob.core.windows.net/ |
UKU | https://saappdistuku.blob.core.windows.net/ |
FRU | https://saappdistfru.blob.core.windows.net/ |
MLU | https://saappdistmlu.blob.core.windows.net/ |
TTU | https://saappdistttu.blob.core.windows.net/ |
TKU | https://saappdisttku.blob.core.windows.net/ |
Common for all landscapes
Registration
The table below outlines the base ivanticloud URLs needed for the Ivanti Neurons agent to register and communicate with the Neurons Platform.
URL (ivanticloud.com) | IP address |
---|---|
https://agentreg.ivanticloud.com | Dynamic IP (Can change often) |
https://agentsync.ivanticloud.com | Dynamic IP (Can change often) |
https://download.ivanticloud.com | Dynamic IP (Can change often) |
https://edgelocation.ivanticloud.com | 20.77.156.110 |
The Neurons Platform uses some Microsoft Azure features that do not allow static IP addresses. Microsoft serves these features publicly from a pool of IP addresses.
If you cannot add the URLs listed above to the allow list of your firewall, the alternative would be to allow the following certificate:
*.ivanticloud.com
The table below outlines URLs outside the ivanticloud domain that are needed for the Ivanti Neurons agent to register and communicate with the Neurons Platform.
URL (other) | IP address |
---|---|
http://ocsp.usertrust.com/ | Dynamic IP (Can change often) |
Without access to the URLs in the tables above, the Neurons agent cannot register or install.
Content
The table below lists URLs that are needed for downloading content and updates. Access to some of these URLs is required for installation of the Neurons Agent, as the Agent has to load updated .NET libraries and the .NET UI SDK.
URL | Remark |
---|---|
download.visualstudio.microsoft.com | Prerequisite downloads of .NET and C++ runtime updates |
dc.services.visualstudio.com | |
download.windowsupdate.com | |
download.microsoft.com | Patch file downloads provided by Microsoft |
content.ivanti.com | Ivanti Patch data |
docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html | Provide IP addresses of the CloudFront CDN that serves Ivanti Patch content, and the Neurons Agent and its engines. |
d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips | |
If you use Ivanti Neurons for Patching, manufacturer download portals also need to be accessible.
Example: http://downloadarchive.documentfoundation.org/ for LibreOffice
The table below lists ports that are needed for downloading updates.
Port | Remark |
---|---|
33121, 33122 | Required for peer downloads. TCP and UDP. |
App Distribution Cloud Storage
If you use Neurons App Distribution with cloud storage, the endpoints in your environment must be able to access your cloud storage.
To identify the IP addresses used by your cloud storage, see the following articles:
Port 9000
The Neurons agent has an engine called STAgentProxy that uses port 9000 for communication between engines. If you have other programs that require port 9000, you can configure STAgentProxy to use a different port.
- Using a registry editor, for example RegEdit, go to the following path in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Ivanti\Ivanti Cloud Agent\STAgentProxy
- Find the key Port (REG_DWORD) and set the value to the desired port.
- Save your settings.
- Using, for example, the Windows Task Manager, restart the STAgentProxy service.
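The same port change as a script, with a check that the new port is free and a read-back of the result. This is an added example, not part of the Ivanti documentation; the registry path and value name come from the steps above, while the Windows service name `STAgentProxy` and the sample port 9010 are assumptions.

```powershell
# Added example (not Ivanti's script). Run in an elevated PowerShell session.
# Registry path and value name come from the steps above; the service name
# 'STAgentProxy' and the sample port 9010 are assumptions.
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateRange(1, 65535)]
    [int]$NewPort = 9010,
    [string]$ServiceName = 'STAgentProxy'
)

$regPath = 'HKLM:\SOFTWARE\Ivanti\Ivanti Cloud Agent\STAgentProxy'

if (-not (Test-Path -Path $regPath)) {
    throw "Registry key not found: $regPath"
}

# Refuse a port that another process is already listening on, otherwise the
# conflict is only moved, not resolved.
$listeners = @(Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue)
if ($listeners.Count -gt 0) {
    $owner = Get-Process -Id $listeners[0].OwningProcess -ErrorAction SilentlyContinue
    throw "Port $NewPort is already in use by PID $($listeners[0].OwningProcess) ($($owner.ProcessName))"
}

# Record the current value so the change can be rolled back.
$previous = (Get-ItemProperty -Path $regPath -Name Port -ErrorAction SilentlyContinue).Port
Write-Host "Previous Port value: $previous"

if ($PSCmdlet.ShouldProcess($regPath, "Set Port (REG_DWORD) to $NewPort and restart $ServiceName")) {
    # -Type DWord keeps the value a REG_DWORD, as the procedure requires.
    Set-ItemProperty -Path $regPath -Name Port -Value $NewPort -Type DWord
    Restart-Service -Name $ServiceName -ErrorAction Stop

    # Read back what was written and confirm the service came up again.
    $written = (Get-ItemProperty -Path $regPath -Name Port).Port
    $status  = (Get-Service -Name $ServiceName).Status
    Write-Host "Port value is now $written; service $ServiceName is $status"
}
```

Running the script with `-WhatIf` shows the intended change without writing to the registry or restarting the service.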
Certificate Revocation Lists
The table below lists URLs that are needed to access Certificate Revocation Lists (CRLs) and to which server they apply.
URL | CRL for |
---|---|
http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl | agentreg.ivanticloud.com agentsync.ivanticloud.com |
http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl | *.ivanticloud.com Also for landscape-specific: |
http://crl.r2m01.amazontrust.com/r2m01.crl http://crl.r2m03.amazontrust.com/r2m03.crl http://crt.r2m01.amazontrust.com/r2m01.cer http://crt.r2m03.amazontrust.com/r2m03.cer http://ocsp.r2m01.amazontrust.com | content.ivanti.com |
http://crl.r2m01.amazontrust.com/r2m01.crl | download.ivanticloud.com |
CRLs are usually hosted via HTTP, not HTTPS. Because the CRLs themselves are signed, this is not considered a security vulnerability.
Landscapes
Ivanti Neurons tenants can be located in different 'landscapes', depending on where you are located geographically. The landscape that holds your tenant determines what you must add to the allow list.
To determine the landscape of your tenant, go to the Ivanti Neurons sign-in page for your tenant and look at the URL. The first three characters indicate the landscape.
Current landscapes are:
- FRU for EU-based customers who want to host their data inside the EU.
- MLU for Asia-Pacific-based (APAC) customers.
- NVU for America-based (AMER) customers.
- TKU for Japan-based (JPN) customers.
- TTU for Canada-based (CAN) customers.
- UKU for Europe, Middle-East or Africa-based (EMEA) customers.
If you need help understanding in which landscape your environment is hosted, feel free to reach out to your account representative or Ivanti Support.
Landscape-specific settings
The sections below list the landscape-specific URLs, IP addresses, and ports needed for each of the Ivanti Neurons Platform services. The services available in your environment depend on which Ivanti Neurons license you have.
FRU landscape
Service | URL | IP address | Required ports |
---|---|---|---|
Agent (required) | |||
Backbone Neurons Communications | fruprd-sfc.ivanticloud.com | Dynamic | 443 (TCP) |
Agent Communications | fru-prd.mqtt.ivanticloud.com | 20.79.245.45 | 8883 (TCP) |
Connector Engine | Local traffic | Local traffic | 443 (TCP) |
Connector Engine – SQL | Local traffic | Local traffic | As defined by your SQL Server instance |
Edge Intelligence | |||
Real-Time Engine | fru-prd.mqtt.ivanticloud.com | 20.79.245.45 | 8883 (TCP) |
Remote Control | |||
Remote Control on the Endpoint machine | fruprd-rc.ivanticloud.com | 20.79.146.18 | Port Range 44345 to 44349 (TCP) (all) |
Remote Control for the Analyst machine | | | Port Range 45344 to 45348 (TCP) (all) |
Patch Management | |||
Patch Engine - Vendors | See Vendor list at https://forums.ivanti.com | | 443/80 (TCP, outbound only) |
Patch Engine - Sideload | sapatchtenantfilesd467b8.blob.core.windows.net | Dynamic | 443 (TCP, outbound only) |
Discovery | |||
AgentlessEngine | Local traffic | Local traffic | 445 (TCP) 135 (TCP) |
IvantiCsepEngine | Local traffic | Local traffic | 33554 (TCP and UDP) 33555 (UDP) |
IvantiDiscoveryEngine | Local traffic | Local traffic | 137 (UDP) 53 (UDP) |
Deployment | |||
DeploymentEngine | fruprd-adpstat.ivanticloud.com | Dynamic | 443 (TCP) |
DeploymentEngine | Local traffic | Local traffic | 445 (TCP) Optional for NETBIOS: 139 (TCP) 137-138 (UDP) |
DeploymentEngine | Local traffic | Local traffic | 22 (TCP) macOS and Linux |
Status of, for example, Deployment and Discovery Scan | |||
Live updates of the UI (instead of refreshing the webpage) | https://rg-fru-prd-discoagentmgmtdisco-notifications-fru.service.signalr.net/client/negotiate wss://rg-fru-prd-discoagentmgmtdisco-notifications-fru.service.signalr.net/client/ | | |
MLU landscape
Service | URL | IP address | Required ports |
---|---|---|---|
Agent (required) | |||
Backbone Neurons Communications | mluprd-sfc.ivanticloud.com | Dynamic | 443 (TCP) |
Agent Communications | mlu-prd.mqtt.ivanticloud.com | 20.53.68.63 | 8883 (TCP) |
Connector Engine | Local traffic | Local traffic | 443 (TCP) |
Connector Engine – SQL | Local traffic | Local traffic | As defined by your SQL Server instance |
Edge Intelligence | |||
Real-Time Engine | mlu-prd.mqtt.ivanticloud.com | 20.53.68.63 | 8883 (TCP) |
Remote Control | |||
Remote Control on the Endpoint machine | mluprd-rc.ivanticloud.com | 20.53.149.64 | Port Range 44345 to 44349 (TCP) (all) |
Remote Control for the Analyst machine | | | Port Range 45344 to 45348 (TCP) (all) |
Patch Management | |||
Patch Engine - Vendors | See Vendor list at https://forums.ivanti.com | | 443/80 (TCP, outbound only) |
Patch Engine - Sideload | sapatchtenantfiles0a0009.blob.core.windows.net | Dynamic | 443 (TCP, outbound only) |
Discovery | |||
AgentlessEngine | Local traffic | Local traffic | 445 (TCP) 135 (TCP) |
IvantiCsepEngine | Local traffic | Local traffic | 33554 (TCP and UDP) 33555 (UDP) |
IvantiDiscoveryEngine | Local traffic | Local traffic | 137 (UDP) 53 (UDP) |
Deployment | |||
DeploymentEngine | mluprd-adpstat.ivanticloud.com | Dynamic | 443 (TCP) |
DeploymentEngine | Local traffic | Local traffic | 445 (TCP) Optional for NETBIOS: 139 (TCP) 137-138 (UDP) |
DeploymentEngine | Local traffic | Local traffic | 22 (TCP) macOS and Linux |
Status of, for example, Deployment and Discovery Scan | |||
Live updates of the UI (instead of refreshing the webpage) | https://rg-mlz-prd-discoagentmgmtdisco-notifications-mlz.service.signalr.net/client/negotiate wss://rg-mlz-prd-discoagentmgmtdisco-notifications-mlz.service.signalr.net/client/ | | |
NVU landscape
Service | URL | IP address | Required ports |
---|---|---|---|
Agent (required) | |||
Backbone Neurons Communications | nvuprd-sfc.ivanticloud.com | Dynamic | 443 (TCP) |
Agent Communications | nvu-prd.mqtt.ivanticloud.com | 20.81.12.92 | 8883 (TCP) |
Connector Engine | Local traffic | Local traffic | 443 (TCP) |
Connector Engine – SQL | Local traffic | Local traffic | As defined by your SQL Server instance |
Edge Intelligence | |||
Real-Time Engine | nvu-prd.mqtt.ivanticloud.com | 20.81.12.92 | 8883 (TCP) |
Remote Control | |||
Remote Control on the Endpoint machine | nvuprd-rc.ivanticloud.com | 20.75.194.96 | Port Range 44345 to 44349 (TCP) (all) |
Remote Control for the Analyst machine | | | Port Range 45344 to 45348 (TCP) (all) |
Patch Management | |||
Patch Engine - Vendors | See Vendor list at https://forums.ivanti.com | | 443/80 (TCP, outbound only) |
Patch Engine - Sideload | sapatchtenantfilesc49a57.blob.core.windows.net | Dynamic | 443 (TCP, outbound only) |
Discovery | |||
AgentlessEngine | Local traffic | Local traffic | 445 (TCP) 135 (TCP) |
IvantiCsepEngine | Local traffic | Local traffic | 33554 (TCP and UDP) 33555 (UDP) |
IvantiDiscoveryEngine | Local traffic | Local traffic | 137 (UDP) 53 (UDP) |
Deployment | |||
DeploymentEngine | nvuprd-adpstat.ivanticloud.com | Dynamic | 443 (TCP) |
DeploymentEngine | Local traffic | Local traffic | 445 (TCP) Optional for NETBIOS: 139 (TCP) 137-138 (UDP) |
DeploymentEngine | Local traffic | Local traffic | 22 (TCP) macOS and Linux |
Status of, for example, Deployment and Discovery Scan | |||
Live updates of the UI (instead of refreshing the webpage) | https://rg-nvz-prd-discoagentmgmtdisco-notifications-nvz.service.signalr.net/client/negotiate wss://rg-nvz-prd-discoagentmgmtdisco-notifications-nvz.service.signalr.net/client/ | | |
TKU landscape
Service | URL | IP address | Required ports |
---|---|---|---|
Agent (required) | |||
Backbone Neurons Communications | tkuprd-sfc.ivanticloud.com | Dynamic | 443 (TCP) |
Agent Communications | tku-prd.mqtt.ivanticloud.com | 4.189.25.254 | 8883 (TCP) |
Connector Engine | Local traffic | Local traffic | 443 (TCP) |
Connector Engine – SQL | Local traffic | Local traffic | As defined by your SQL Server instance |
Edge Intelligence | |||
Real-Time Engine | tku-prd.mqtt.ivanticloud.com | 4.189.25.254 | 8883 (TCP) |
Remote Control | |||
Remote Control on the Endpoint machine | tkuprd-rc.ivanticloud.com | 4.241.23.131 | Port Range 44345 to 44349 (TCP) (all) |
Remote Control for the Analyst machine | | | Port Range 45344 to 45348 (TCP) (all) |
Patch Management | |||
Patch Engine - Vendors | See Vendor list at https://forums.ivanti.com | | 443/80 (TCP, outbound only) |
Patch Engine - Sideload | Sapatchtenantfiles7d3d2f.blob.core.windows.net | Dynamic | 443 (TCP, outbound only) |
Discovery | |||
AgentlessEngine | Local traffic | Local traffic | 445 (TCP) 135 (TCP) |
IvantiCsepEngine | Local traffic | Local traffic | 33554 (TCP and UDP) 33555 (UDP) |
IvantiDiscoveryEngine | Local traffic | Local traffic | 137 (UDP) 53 (UDP) |
Deployment | |||
DeploymentEngine | tkuprd-adpstat.ivanticloud.com | Dynamic | 443 (TCP) |
DeploymentEngine | Local traffic | Local traffic | 445 (TCP) Optional for NETBIOS: 139 (TCP) 137-138 (UDP) |
DeploymentEngine | Local traffic | Local traffic | 22 (TCP) macOS and Linux |
Status of, for example, Deployment and Discovery Scan | |||
Live updates of the UI (instead of refreshing the webpage) | https://rg-tku-prd-discoagentmgmtdisco-notifications-tku.service.signalr.net/client/negotiate wss://rg-tku-prd-discoagentmgmtdisco-notifications-tku.service.signalr.net/client/ | | |
TTU landscape
Service | URL | IP address | Required ports |
---|---|---|---|
Agent (required) | |||
Backbone Neurons Communications | ttuprd-sfc.ivanticloud.com | Dynamic | 443 (TCP) |
Agent Communications | ttu-prd.mqtt.ivanticloud.com | 4.172.56.29 | 8883 (TCP) |
Connector Engine | Local traffic | Local traffic | 443 (TCP) |
Connector Engine – SQL | Local traffic | Local traffic | As defined by your SQL Server instance |
Edge Intelligence | |||
Real-Time Engine | ttu-prd.mqtt.ivanticloud.com | 4.172.56.29 | 8883 (TCP) |
Remote Control | |||
Remote Control on the Endpoint machine | ttuprd-rc.ivanticloud.com | 20.220.252.197 | Port Range 44345 to 44349 (TCP) (all) |
Remote Control for the Analyst machine | | | Port Range 45344 to 45348 (TCP) (all) |
Patch Management | |||
Patch Engine - Vendors | See Vendor list at https://forums.ivanti.com | | 443/80 (TCP, outbound only) |
Patch Engine - Sideload | Sapatchtenantfilesa1aefe.blob.core.windows.net | Dynamic | 443 (TCP, outbound only) |
Discovery | |||
AgentlessEngine | Local traffic | Local traffic | 445 (TCP) 135 (TCP) |
IvantiCsepEngine | Local traffic | Local traffic | 33554 (TCP and UDP) 33555 (UDP) |
IvantiDiscoveryEngine | Local traffic | Local traffic | 137 (UDP) 53 (UDP) |
Deployment | |||
DeploymentEngine | fruprd-adpstat.ivanticloud.com | Dynamic | 443 (TCP) |
DeploymentEngine | Local traffic | Local traffic | 445 (TCP) Optional for NETBIOS: 139 (TCP) 137-138 (UDP) |
DeploymentEngine | Local traffic | Local traffic | 22 (TCP) macOS and Linux |
Status of, for example, Deployment and Discovery Scan | |||
Live updates of the UI (instead of refreshing the webpage) | https://rg-ttu-prd-discoagentmgmtdisco-notifications-ttu.service.signalr.net/client/negotiate wss://rg-ttu-prd-discoagentmgmtdisco-notifications-ttu.service.signalr.net/client/ | | |
UKU landscape
Service | URL | IP address | Required ports |
---|---|---|---|
Agent (required) | |||
Backbone Neurons Communications | ukuprd-sfc.ivanticloud.com | Dynamic | 443 (TCP) |
Agent Communications | uku-prd.mqtt.ivanticloud.com | 20.49.172.247 | 8883 (TCP) |
Connector Engine | Local traffic | Local traffic | 443 (TCP) |
Connector Engine – SQL | Local traffic | Local traffic | As defined by your SQL Server instance |
Edge Intelligence | |||
Real-Time Engine | uku-prd.mqtt.ivanticloud.com | 20.49.172.247 | 8883 (TCP) |
Remote Control | |||
Remote Control on the Endpoint machine | ukuprd-rc.ivanticloud.com | 20.77.156.96 | Port Range 44345 to 44349 (TCP) (all) |
Remote Control for the Analyst machine | | | Port Range 45344 to 45348 (TCP) (all) |
Patch Management | |||
Patch Engine - Vendors | See Vendor list at https://forums.ivanti.com | | 443/80 (TCP, outbound only) |
Patch Engine - Sideload | sapatchtenantfiles8061b2.blob.core.windows.net | Dynamic | 443 (TCP, outbound only) |
Discovery | |||
AgentlessEngine | Local traffic | Local traffic | 445 (TCP) 135 (TCP) |
IvantiCsepEngine | Local traffic | Local traffic | 33554 (TCP and UDP) 33555 (UDP) |
IvantiDiscoveryEngine | Local traffic | Local traffic | 137 (UDP) 53 (UDP) |
Deployment | |||
DeploymentEngine | ukuprd-adpstat.ivanticloud.com | Dynamic | 443 (TCP) |
DeploymentEngine | Local traffic | Local traffic | 445 (TCP) Optional for NETBIOS: 139 (TCP) 137-138 (UDP) |
DeploymentEngine | Local traffic | Local traffic | 22 (TCP) macOS and Linux |
Status of, for example, Deployment and Discovery Scan | |||
Live updates of the UI (instead of refreshing the webpage) | https://rg-uks-prd-discoagentmgmtdisco-notifications-uks.service.signalr.net/client/negotiate wss://rg-uks-prd-discoagentmgmtdisco-notifications-uks.service.signalr.net/client/ | | |
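One way to confirm from an endpoint that the allow list is effective, and that IP-based rules built from this page are still current. This is an added example, not Ivanti tooling; it uses the Registration tables and the UKU "Agent (required)" rows above as sample input, and the function name `Test-AllowListEntry` is hypothetical.

```powershell
# Added example (not Ivanti's tooling). Run on a Windows endpoint behind the firewall.
# Hosts, ports and documented IPs are copied from the Registration tables and the
# UKU "Agent (required)" rows on this page; swap the UKU rows for your landscape.
$required = @(
    @{ Name = 'agentreg.ivanticloud.com';     Port = 443;  DocumentedIp = '' }
    @{ Name = 'agentsync.ivanticloud.com';    Port = 443;  DocumentedIp = '' }
    @{ Name = 'download.ivanticloud.com';     Port = 443;  DocumentedIp = '' }
    @{ Name = 'edgelocation.ivanticloud.com'; Port = 443;  DocumentedIp = '20.77.156.110' }
    @{ Name = 'ocsp.usertrust.com';           Port = 80;   DocumentedIp = '' }
    @{ Name = 'ukuprd-sfc.ivanticloud.com';   Port = 443;  DocumentedIp = '' }
    @{ Name = 'uku-prd.mqtt.ivanticloud.com'; Port = 8883; DocumentedIp = '20.49.172.247' }
)

function Test-AllowListEntry {
    param([string]$Name, [int]$Port, [string]$DocumentedIp)

    # Resolve first: a DNS failure and a blocked port need different fixes.
    $ips = @(Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })

    $tcpOpen = $false
    if ($ips.Count -gt 0) {
        $tcpOpen = (Test-NetConnection -ComputerName $Name -Port $Port `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    [pscustomobject]@{
        Target   = $Name
        Port     = $Port
        Resolved = $ips -join ', '
        TcpOpen  = $tcpOpen
        # Drift: the page documents a fixed IP but DNS now answers with another,
        # so an IP-based firewall rule built from this page would be stale.
        IpDrift  = (($DocumentedIp -ne '') -and ($ips.Count -gt 0) -and ($ips -notcontains $DocumentedIp))
    }
}

$results = foreach ($entry in $required) { Test-AllowListEntry @entry }
$results | Format-Table -AutoSize

# Exit non-zero so the check can gate an agent rollout or a scheduled task.
$problems = @($results | Where-Object { -not $_.TcpOpen -or $_.IpDrift })
if ($problems.Count -gt 0) {
    Write-Warning "$($problems.Count) allow-list entries need attention (blocked, unresolved, or IP changed)."
    exit 1
}
```

A successful TCP connect shows only that the port is open; it does not show whether a proxy between the endpoint and the service is intercepting TLS.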