Required URLs, IP addresses and ports

This topic provides an overview of URLs, IP addresses and ports that must be added to the allow list (also known as whitelist) in your firewall to ensure that the Ivanti Neurons Platform and its agents can communicate.

The overview starts with information that applies to all environments (Common URLs for all environments, directly below), followed by information that differs based on where your environment is hosted: Landscape-specific.

All outbound network traffic is typically via port 443 and 8883. Network communication from Ivanti Neurons to agents is done through MQTT technology. Individual services on the Ivanti Neurons agent can communicate to Ivanti Neurons on secure port 443.

Common for all environments

Registration

The table below outlines the base URLs needed for the Ivanti Neurons agent to register and communicate with the Neurons Platform. Without access to these URLs, the Neurons agent cannot register or install.

URL IP address
https://agentreg.ivanticloud.com Dynamic IP (Can change often)
https://agentsync.ivanticloud.com Dynamic IP (Can change often)
https://download.ivanticloud.com Dynamic IP (Can change often)

https://edgelocation.ivanticloud.com

20.108.85.53 (to be deprecated)
As of May 27, 2024:
20.77.156.110

The Neurons Platform utilizes some features of Microsoft Azure which do not allow static IP addresses. Microsoft has a pool of IP addresses available, to use these features publicly.

If you cannot add the URLs listed above to the allow list of your firewall, the alternative would be to allow the following certificate:

*.ivanticloud.com

Content

The table below lists URLs that are needed for downloading content and updates. Access to some of these URLs is required for installation of the Neurons Agent, as the Agent has to load updated .Net libraries and the .NET UI SDK.

URL Remark
download.visualstudio.microsoft.com Prerequisite downloads of .NET and C++ runtime updates
download.windowsupdate.com
download.microsoft.com Patch file downloads provided by Microsoft

content.ivanti.com

Ivanti Patch data

docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html

Provide IP addresses of the CloudFront CDN that serves Ivanti Patch content, and the Neurons Agent and its engines.

d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips

If you use Ivanti Neurons for Patching, manufacturer download portals also need to be accessible.
Example: http://downloadarchive.documentfoundation.org/ for LibreOffice

The table below lists ports that are needed for downloading updates.

Port Remark
33121, 33122 Required for peer downloads.
TCP and UDP.

Port 9000

The Neurons agent has an engine called STAgentProxy that uses port 9000 for communication between engines. If you have other programs that require port 9000, you can configure STAgentProxy to use a different port.

  1. Using a registry editor, for example RegEdit, go to the following path in the registry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Ivanti\Ivanti Cloud Agent\STAgentProxy

  2. Find the key Port (REG_DWORD) and set the value to the desired port.

  3. Save your settings.

  4. Using, for example, the Windows Task Manager, restart the STAgentProxy service.

Certificate Revocation Lists

The table below lists URLs that are needed to access Certificate Revocation Lists (CRLs) and to which server they apply.

URL CRL for
http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl agentreg.ivanticloud.com
agentsync.ivanticloud.com
http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl

*.ivanticloud.com

Also for landscape-specific:
nvuprd-sfc.ivanticloud.com
ukuprd-sfc.ivanticloud.com
mluprd-sfc.ivanticloud.com
fruprd-sfc.ivanticloud.com

http://crl.r2m03.amazontrust.com/r2m03.crl content.ivanti.com
http://crl.r2m01.amazontrust.com/r2m01.crl download.ivanticloud.com

Landscape-specific

Ivanti Neurons tenants can be located in different 'landscapes', depending on where you are located geographically. The landscape that holds your tenant determines what you must add to the allow list.
To determine the landscape of your tenant, go to the Ivanti Neurons sign-in page for your tenant and look at the URL. The first three characters indicate the landscape.

Sign-in screen, showing the URL that starts with NVU (underlined for emphasis)

Current landscapes are:

  • NVU for America-based (AMER) customers.
  • UKU for Europe, Middle-East or Africa-based (EMEA) customers.
  • MLU for Asia-Pacific-based (APAC) customers.
  • FRU for EU-based customers that want to host their data inside the EU.

If you need help understanding in which landscape your environment is hosted, feel free to reach out to your account representative or Ivanti Support.

The sections below list the landscape-specific URLs, IP addresses, and ports needed for each of the Ivanti Neurons Platform services. The services available in your environment depend on which Ivanti Neurons license you have.
Click on the name of the relevant landscape to expand the list.

NVU landscape

Service URL IP address Ports
Agent (required)
Backbone Neurons Communications nvuprd-sfc.ivanticloud.com Dynamic 443 (TCP)
Agent Communications nvu-prd.mqtt.ivanticloud.com 20.81.12.92 8883
Connector Engine Local traffic Local traffic 443 (TCP)
Connector Engine – SQL Local traffic Local traffic As defined by your SQL Server instance
Edge Intelligence
Real-Time Engine nvu-prd.mqtt.ivanticloud.com 20.81.12.92 8883 (TCP)
Remote Control
Remote Control on the Endpoint machine nvuprd-rc.ivanticloud.com 20.75.194.96 Port Range 44345 to 44349 (TCP)
Remote Control for the Analyst machine Port Range 45344 to 45348 (TCP)
Patch Management
Patch Engine - Vendors See Vendor list at https://forums.ivanti.com 443/80 (TCP, outbound only)
Patch Engine - Sideload sapatchtenantfilesc49a57.blob.core.windows.net Dynamic 443 (TCP, outbound only)
Discovery
AgentlessEngine Local traffic Local traffic 445 (TCP)
135 (TCP)
IvantiCsepEngine Local traffic Local traffic 33554 (TCP and UDP)
33555 (UDP)
IvantiDiscoveryEngine Local traffic Local traffic 137 (UDP)
53 (UDP)
Deployment

DeploymentEngine

nvuprd-adpstat.ivanticloud.com

Dynamic

443 (TCP)

DeploymentEngine

Local traffic

Local traffic

445 (TCP)

Optional for NETBIOS:

139 (TCP)

137-138 (UDP)

DeploymentEngine

Local traffic

Local traffic

22 (TCP) macOS and Linux

Status of, for example, Deployment and Discovery Scan
Live updates of the UI
(instead of refreshing the webpage)

https://rg-nvz-prd-discoagentmgmtdisco-notifications-nvz.service.signalr.net/client/negotiate

 

 

wss://rg-nvz-prd-discoagentmgmtdisco-notifications-nvz.service.signalr.net/client/

 

 

UKU landscape

Service URL IP address Ports
Agent (required)
Backbone Neurons Communications ukuprd-sfc.ivanticloud.com Dynamic 443 (TCP)
Agent Communications uku-prd.mqtt.ivanticloud.com 20.49.172.247 8883
Connector Engine Local traffic Local traffic 443 (TCP)
Connector Engine – SQL Local traffic Local traffic As defined by your SQL Server instance
Edge Intelligence
Real-Time Engine uku-prd.mqtt.ivanticloud.com 20.49.172.247 8883 (TCP)
Remote Control
Remote Control on the Endpoint machine ukuprd-rc.ivanticloud.com 20.77.156.96 Port Range 44345 to 44349 (TCP)
Remote Control for the Analyst machine Port Range 45344 to 45348 (TCP)
Patch Management
Patch Engine - Vendors See Vendor list at https://forums.ivanti.com 443/80 (TCP, outbound only)
Patch Engine - Sideload sapatchtenantfiles8061b2.blob.core.windows.net Dynamic 443 (TCP, outbound only)
Discovery
AgentlessEngine Local traffic Local traffic 445 (TCP)
135 (TCP)
IvantiCsepEngine Local traffic Local traffic 33554 (TCP and UDP)
33555 (UDP)
IvantiDiscoveryEngine Local traffic Local traffic 137 (UDP)
53 (UDP)
Deployment

DeploymentEngine

ukuprd-adpstat.ivanticloud.com

Dynamic

443 (TCP)

DeploymentEngine

Local traffic

Local traffic

445 (TCP)

Optional for NETBIOS:

139 (TCP)

137-138 (UDP)

DeploymentEngine

Local traffic

Local traffic

22 (TCP) macOS and Linux

Status of, for example, Deployment and Discovery Scan
Live updates of the UI
(instead of refreshing the webpage)

https://rg-uks-prd-discoagentmgmtdisco-notifications-uks.service.signalr.net/client/negotiate

 

 

wss://rg-uks-prd-discoagentmgmtdisco-notifications-uks.service.signalr.net/client/

 

 

MLU landscape

Service URL IP address Ports
Agent (required)
Backbone Neurons Communications mluprd-sfc.ivanticloud.com Dynamic 443 (TCP)
Agent Communications mlu-prd.mqtt.ivanticloud.com 20.53.68.63 8883
Connector Engine Local traffic Local traffic 443 (TCP)
Connector Engine – SQL Local traffic Local traffic As defined by your SQL Server instance
Edge Intelligence
Real-Time Engine mlu-prd.mqtt.ivanticloud.com 20.53.68.63 8883 (TCP)
Remote Control
Remote Control on the Endpoint machine mluprd-rc.ivanticloud.com 20.53.149.64 Port Range 44345 to 44349 (TCP)
Remote Control for the Analyst machine Port Range 45344 to 45348 (TCP)
Patch Management
Patch Engine - Vendors See Vendor list at https://forums.ivanti.com 443/80 (TCP, outbound only)
Patch Engine - Sideload sapatchtenantfiles0a0009.blob.core.windows.net Dynamic 443 (TCP, outbound only)
Discovery
AgentlessEngine Local traffic Local traffic 445 (TCP)
135 (TCP)
IvantiCsepEngine Local traffic Local traffic 33554 (TCP and UDP)
33555 (UDP)
IvantiDiscoveryEngine Local traffic Local traffic 137 (UDP)
53 (UDP)
Deployment

DeploymentEngine

mluprd-adpstat.ivanticloud.com

Dynamic

443 (TCP)

DeploymentEngine

Local traffic

Local traffic

445 (TCP)

Optional for NETBIOS:

139 (TCP)

137-138 (UDP)

DeploymentEngine

Local traffic

Local traffic

22 (TCP) macOS and Linux

Status of, for example, Deployment and Discovery Scan
Live updates of the UI
(instead of refreshing the webpage)

https://rg-mlz-prd-discoagentmgmtdisco-notifications-mlz.service.signalr.net/client/negotiate

 

 

wss://rg-mlz-prd-discoagentmgmtdisco-notifications-mlz.service.signalr.net/client/

 

 

FRU landscape

Service URL IP address Ports
Agent (required)
Backbone Neurons Communications fruprd-sfc.ivanticloud.com Dynamic 443 (TCP)
Agent Communications fru-prd.mqtt.ivanticloud.com 20.79.245.45 8883
Connector Engine Local traffic Local traffic 443 (TCP)
Connector Engine – SQL Local traffic Local traffic As defined by your SQL Server instance
Edge Intelligence
Real-Time Engine fru-prd.mqtt.ivanticloud.com 20.79.245.45 8883 (TCP)
Remote Control
Remote Control on the Endpoint machine fruprd-rc.ivanticloud.com 20.79.146.18 Port Range 44345 to 44349 (TCP)
Remote Control for the Analyst machine Port Range 45344 to 45348 (TCP)
Patch Management
Patch Engine - Vendors See Vendor list at https://forums.ivanti.com 443/80 (TCP, outbound only)
Patch Engine - Sideload sapatchtenantfilesd467b8.blob.core.windows.net Dynamic 443 (TCP, outbound only)
Discovery
AgentlessEngine Local traffic Local traffic 445 (TCP)
135 (TCP)
IvantiCsepEngine Local traffic Local traffic 33554 (TCP and UDP)
33555 (UDP)
IvantiDiscoveryEngine Local traffic Local traffic 137 (UDP)
53 (UDP)
Deployment

DeploymentEngine

fruprd-adpstat.ivanticloud.com

Dynamic

443 (TCP)

DeploymentEngine

Local traffic

Local traffic

445 (TCP)

Optional for NETBIOS:

139 (TCP)

137-138 (UDP)

DeploymentEngine

Local traffic

Local traffic

22 (TCP) macOS and Linux

Status of, for example, Deployment and Discovery Scan
Live updates of the UI
(instead of refreshing the webpage)

https://rg-fru-prd-discoagentmgmtdisco-notifications-fru.service.signalr.net/client/negotiate

 

 

wss://rg-fru-prd-discoagentmgmtdisco-notifications-fru.service.signalr.net/client/