Required URLs, IP addresses and ports

This topic provides an overview of URLs, IP addresses and ports that must be added to the allow list (also known as whitelist) in your firewall to ensure that the Ivanti Neurons Platform and its agents can communicate.

The overview starts with information that applies to all environments (Common URLs for all environments, directly below), followed by information that differs based on where your environment is hosted: Landscapes.

All outbound network traffic is typically via port 443 and 8883. Network communication from Ivanti Neurons to agents is done through MQTT technology. Individual services on the Ivanti Neurons agent can communicate to Ivanti Neurons on secure port 443.

Revision history

This topic was last updated on December 10 , 2024.

Accessing and interacting with the Neurons Platform portal

The table below outlines the URLs needed to interact with the Neurons Platform portal.
This includes using consoles from other Ivanti solutions to prepare data for use in the Neurons Platform, such as UWM Hybrid Deployment. For more information, see the Application Control (Hybrid), Environment Manager (Hybrid), and Performance Manager (Hybrid) capabilities in Agent Policy Capabilities.

URL Remark
https://app.launchdarkly.com
https://events.launchdarkly.com
Feature availability

https://dc.services.visualstudio.com/v2/track

Telemetry

https://fonts.googleapis.com/css2 Correct layout
https://www.recaptcha.net/recaptcha/api.js Additional security during logon.
(only required if reCAPTCHA has NOT been disabled)

Azure Blob Storage URLs

The table below outlines the URLs needed for storage. The IP addresses of Azure Blob Storage are dynamic.

On client devices, the App Distribution engine (swd.engine) via Agent Framework, downloads the App Distribution files ReturnCodeTemplates.json, Packages.json, and Portal.json from the following URL domains, using port 443:

Geo URL
NVU https://sanvuprddefaul0x08888888.blob.core.windows.net/
UKU https://saukuprddefaul0x08888888.blob.core.windows.net/
FRU https://safruprddefaul0x08888888.blob.core.windows.net/
MLU https://samluprddefaul0x08888888.blob.core.windows.net/

TTU

https://sattuprddefaul0x08888888.blob.core.windows.net/

TKU

https://satkuprddefaul0x08888888.blob.core.windows.net/

On client devices, the App Distribution engine (swd.engine) via Agent Framework, downloads any targeted files uploaded to App Distribution's Ivanti Free Storage account from the following URL domains, using port 443:

Geo URL
NVU https://saappdistnvu.blob.core.windows.net/
UKU https://saappdistuku.blob.core.windows.net/
FRU https://saappdistfru.blob.core.windows.net/
MLU https://saappdistmlu.blob.core.windows.net/

TTU

https://saappdistttu.blob.core.windows.net/

TKU

https://saappdisttku.blob.core.windows.net/

Common for all landscapes

Registration

The table below outlines the base ivanticloud URLs needed for the Ivanti Neurons agent to register and communicate with the Neurons Platform.

URL (ivanticloud.com) IP address
https://agentreg.ivanticloud.com Dynamic IP (Can change often)
https://agentsync.ivanticloud.com Dynamic IP (Can change often)
https://download.ivanticloud.com Dynamic IP (Can change often)

https://edgelocation.ivanticloud.com

20.77.156.110

The Neurons Platform utilizes some features of Microsoft Azure which do not allow static IP addresses. Microsoft has a pool of IP addresses available, to use these features publicly.

If you cannot add the URLs listed above to the allow list of your firewall, the alternative would be to allow the following certificate:

*.ivanticloud.com

The table below outlines URLs outside the ivanticloud domain that are needed for the Ivanti Neurons agent to register and communicate with the Neurons Platform.

URL (other) IP address

http://ocsp.usertrust.com/

Dynamic IP (Can change often)

Without access to the URLs in the tables above, the Neurons agent cannot register or install.

Content

The table below lists URLs that are needed for downloading content and updates. Access to some of these URLs is required for installation of the Neurons Agent, as the Agent has to load updated .Net libraries and the .NET UI SDK.

URL Remark
download.visualstudio.microsoft.com Prerequisite downloads of .NET and C++ runtime updates
dc.services.visualstudio.com  
download.windowsupdate.com
download.microsoft.com Patch file downloads provided by Microsoft

content.ivanti.com

Ivanti Patch data

docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html

Provide IP addresses of the CloudFront CDN that serves Ivanti Patch content, and the Neurons Agent and its engines.

d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips

If you use Ivanti Neurons for Patching, manufacturer download portals also need to be accessible.
Example: http://downloadarchive.documentfoundation.org/ for LibreOffice

The table below lists ports that are needed for downloading updates.

Port Remark
33121, 33122 Required for peer downloads.
TCP and UDP.

App Distribution Cloud Storage

If you use Neurons App Distribution with cloud storage, the endpoints in your environment must be able to access your cloud storage.
To identify the IP addresses used by your cloud storage, see the following articles:

Port 9000

The Neurons agent has an engine called STAgentProxy that uses port 9000 for communication between engines. If you have other programs that require port 9000, you can configure STAgentProxy to use a different port.

  1. Using a registry editor, for example RegEdit, go to the following path in the registry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Ivanti\Ivanti Cloud Agent\STAgentProxy

  2. Find the key Port (REG_DWORD) and set the value to the desired port.

  3. Save your settings.

  4. Using, for example, the Windows Task Manager, restart the STAgentProxy service.

Certificate Revocation Lists

The table below lists URLs that are needed to access Certificate Revocation Lists (CRLs) and to which server they apply.

URL CRL for
http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl
http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl
agentreg.ivanticloud.com
agentsync.ivanticloud.com
http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl

*.ivanticloud.com

Also for landscape-specific:
fruprd-sfc.ivanticloud.com
mluprd-sfc.ivanticloud.com
nvuprd-sfc.ivanticloud.com
tkuprd-sfc.ivanticloud.com
ttuprd-sfc.ivanticloud.com
ukuprd-sfc.ivanticloud.com

http://crl.r2m01.amazontrust.com/r2m01.crl
http://crl.r2m03.amazontrust.com/r2m03.crl
http://crt.r2m01.amazontrust.com/r2m01.cer
http://crt.r2m03.amazontrust.com/r2m03.cer
http://ocsp.r2m01.amazontrust.com
content.ivanti.com
http://crl.r2m01.amazontrust.com/r2m01.crl download.ivanticloud.com

CRLs are usually hosted via HTTP, not HTTPS. Because the CRLs themselves are signed, this is not considered a security vulnerability.

Landscapes

Ivanti Neurons tenants can be located in different 'landscapes', depending on where you are located geographically. The landscape that holds your tenant determines what you must add to the allow list.
To determine the landscape of your tenant, go to the Ivanti Neurons sign-in page for your tenant and look at the URL. The first three characters indicate the landscape.

Sign-in screen, showing the URL that starts with NVU (underlined for emphasis)

Current landscapes are:

  • FRU for EU-based customers who want to host their data inside the EU.
  • MLU for Asia-Pacific-based (APAC) customers.
  • NVU for America-based (AMER) customers.
  • TKU for Japan-based (JPN) customers.
  • TTU for Canada-based (CAN) customers.
  • UKU for Europe, Middle-East or Africa-based (EMEA) customers.

If you need help understanding in which landscape your environment is hosted, feel free to reach out to your account representative or Ivanti Support.

Landscape-specific settings

The sections below list the landscape-specific URLs, IP addresses, and ports needed for each of the Ivanti Neurons Platform services. The services available in your environment depend on which Ivanti Neurons license you have.
You can use the menu on the right to jump to the desired section.

FRU landscape

Service URL IP address Required ports
Agent (required)
Backbone Neurons Communications fruprd-sfc.ivanticloud.com Dynamic 443 (TCP)
Agent Communications fru-prd.mqtt.ivanticloud.com 20.79.245.45 8883 (TCP)
Connector Engine Local traffic Local traffic 443 (TCP)
Connector Engine – SQL Local traffic Local traffic As defined by your SQL Server instance
Edge Intelligence
Real-Time Engine fru-prd.mqtt.ivanticloud.com 20.79.245.45 8883 (TCP)
Remote Control
Remote Control on the Endpoint machine fruprd-rc.ivanticloud.com 20.79.146.18 Port Range 44345 to 44349 (TCP) (all)
Remote Control for the Analyst machine Port Range 45344 to 45348 (TCP) (all)
Patch Management
Patch Engine - Vendors See Vendor list at https://forums.ivanti.com 443/80 (TCP, outbound only)
Patch Engine - Sideload sapatchtenantfilesd467b8.blob.core.windows.net Dynamic 443 (TCP, outbound only)
Discovery
AgentlessEngine Local traffic Local traffic 445 (TCP)
135 (TCP)
IvantiCsepEngine Local traffic Local traffic 33554 (TCP and UDP)
33555 (UDP)
IvantiDiscoveryEngine Local traffic Local traffic 137 (UDP)
53 (UDP)
Deployment

DeploymentEngine

fruprd-adpstat.ivanticloud.com

Dynamic

443 (TCP)

DeploymentEngine

Local traffic

Local traffic

445 (TCP)

Optional for NETBIOS:

139 (TCP)

137-138 (UDP)

DeploymentEngine

Local traffic

Local traffic

22 (TCP) macOS and Linux

Status of, for example, Deployment and Discovery Scan
Live updates of the UI
(instead of refreshing the webpage)

https://rg-fru-prd-discoagentmgmtdisco-notifications-fru.service.signalr.net/client/negotiate

 

 

wss://rg-fru-prd-discoagentmgmtdisco-notifications-fru.service.signalr.net/client/

 

 

MLU landscape

Service URL IP address Required ports
Agent (required)
Backbone Neurons Communications mluprd-sfc.ivanticloud.com Dynamic 443 (TCP)
Agent Communications mlu-prd.mqtt.ivanticloud.com 20.53.68.63 8883 (TCP)
Connector Engine Local traffic Local traffic 443 (TCP)
Connector Engine – SQL Local traffic Local traffic As defined by your SQL Server instance
Edge Intelligence
Real-Time Engine mlu-prd.mqtt.ivanticloud.com 20.53.68.63 8883 (TCP)
Remote Control
Remote Control on the Endpoint machine mluprd-rc.ivanticloud.com 20.53.149.64 Port Range 44345 to 44349 (TCP) (all)
Remote Control for the Analyst machine Port Range 45344 to 45348 (TCP) (all)
Patch Management
Patch Engine - Vendors See Vendor list at https://forums.ivanti.com 443/80 (TCP, outbound only)
Patch Engine - Sideload sapatchtenantfiles0a0009.blob.core.windows.net Dynamic 443 (TCP, outbound only)
Discovery
AgentlessEngine Local traffic Local traffic 445 (TCP)
135 (TCP)
IvantiCsepEngine Local traffic Local traffic 33554 (TCP and UDP)
33555 (UDP)
IvantiDiscoveryEngine Local traffic Local traffic 137 (UDP)
53 (UDP)
Deployment

DeploymentEngine

mluprd-adpstat.ivanticloud.com

Dynamic

443 (TCP)

DeploymentEngine

Local traffic

Local traffic

445 (TCP)

Optional for NETBIOS:

139 (TCP)

137-138 (UDP)

DeploymentEngine

Local traffic

Local traffic

22 (TCP) macOS and Linux

Status of, for example, Deployment and Discovery Scan
Live updates of the UI
(instead of refreshing the webpage)

https://rg-mlz-prd-discoagentmgmtdisco-notifications-mlz.service.signalr.net/client/negotiate

 

 

wss://rg-mlz-prd-discoagentmgmtdisco-notifications-mlz.service.signalr.net/client/

 

 

NVU landscape

Service URL IP address Required ports
Agent (required)
Backbone Neurons Communications nvuprd-sfc.ivanticloud.com Dynamic 443 (TCP)
Agent Communications nvu-prd.mqtt.ivanticloud.com 20.81.12.92 8883 (TCP)
Connector Engine Local traffic Local traffic 443 (TCP)
Connector Engine – SQL Local traffic Local traffic As defined by your SQL Server instance
Edge Intelligence
Real-Time Engine nvu-prd.mqtt.ivanticloud.com 20.81.12.92 8883 (TCP)
Remote Control
Remote Control on the Endpoint machine nvuprd-rc.ivanticloud.com 20.75.194.96 Port Range 44345 to 44349 (TCP) (all)
Remote Control for the Analyst machine Port Range 45344 to 45348 (TCP) (all)
Patch Management
Patch Engine - Vendors See Vendor list at https://forums.ivanti.com 443/80 (TCP, outbound only)
Patch Engine - Sideload sapatchtenantfilesc49a57.blob.core.windows.net Dynamic 443 (TCP, outbound only)
Discovery
AgentlessEngine Local traffic Local traffic 445 (TCP)
135 (TCP)
IvantiCsepEngine Local traffic Local traffic 33554 (TCP and UDP)
33555 (UDP)
IvantiDiscoveryEngine Local traffic Local traffic 137 (UDP)
53 (UDP)
Deployment

DeploymentEngine

nvuprd-adpstat.ivanticloud.com

Dynamic

443 (TCP)

DeploymentEngine

Local traffic

Local traffic

445 (TCP)

Optional for NETBIOS:

139 (TCP)

137-138 (UDP)

DeploymentEngine

Local traffic

Local traffic

22 (TCP) macOS and Linux

Status of, for example, Deployment and Discovery Scan
Live updates of the UI
(instead of refreshing the webpage)

https://rg-nvz-prd-discoagentmgmtdisco-notifications-nvz.service.signalr.net/client/negotiate

 

 

wss://rg-nvz-prd-discoagentmgmtdisco-notifications-nvz.service.signalr.net/client/

 

 

TKU landscape

Service URL IP address Required ports
Agent (required)
Backbone Neurons Communications tkuprd-sfc.ivanticloud.com Dynamic 443 (TCP)
Agent Communications tku-prd.mqtt.ivanticloud.com 4.189.25.254 8883 (TCP)
Connector Engine Local traffic Local traffic 443 (TCP)
Connector Engine – SQL Local traffic Local traffic As defined by your SQL Server instance
Edge Intelligence
Real-Time Engine tku-prd.mqtt.ivanticloud.com 4.189.25.254 8883 (TCP)
Remote Control
Remote Control on the Endpoint machine tkuprd-rc.ivanticloud.com 4.241.23.131 Port Range 44345 to 44349 (TCP) (all)
Remote Control for the Analyst machine Port Range 45344 to 45348 (TCP) (all)
Patch Management
Patch Engine - Vendors See Vendor list at https://forums.ivanti.com 443/80 (TCP, outbound only)
Patch Engine - Sideload Sapatchtenantfiles7d3d2f.blob.core.windows.net Dynamic 443 (TCP, outbound only)
Discovery
AgentlessEngine Local traffic Local traffic 445 (TCP)
135 (TCP)
IvantiCsepEngine Local traffic Local traffic 33554 (TCP and UDP)
33555 (UDP)
IvantiDiscoveryEngine Local traffic Local traffic 137 (UDP)
53 (UDP)
Deployment

DeploymentEngine

tkuprd-adpstat.ivanticloud.com

Dynamic

443 (TCP)

DeploymentEngine

Local traffic

Local traffic

445 (TCP)

Optional for NETBIOS:

139 (TCP)

137-138 (UDP)

DeploymentEngine

Local traffic

Local traffic

22 (TCP) macOS and Linux

Status of, for example, Deployment and Discovery Scan
Live updates of the UI
(instead of refreshing the webpage)

https://rg-tku-prd-discoagentmgmtdisco-notifications-tku.service.signalr.net/client/negotiate

 

 

wss://rg-tku-prd-discoagentmgmtdisco-notifications-tku.service.signalr.net/client/

 

 

TTU landscape

Service URL IP address Required ports
Agent (required)
Backbone Neurons Communications ttuprd-sfc.ivanticloud.com Dynamic 443 (TCP)
Agent Communications ttu-prd.mqtt.ivanticloud.com 4.172.56.29 8883 (TCP)
Connector Engine Local traffic Local traffic 443 (TCP)
Connector Engine – SQL Local traffic Local traffic As defined by your SQL Server instance
Edge Intelligence
Real-Time Engine ttu-prd.mqtt.ivanticloud.com 4.172.56.29 8883 (TCP)
Remote Control
Remote Control on the Endpoint machine ttuprd-rc.ivanticloud.com 20.220.252.197 Port Range 44345 to 44349 (TCP) (all)
Remote Control for the Analyst machine Port Range 45344 to 45348 (TCP) (all)
Patch Management
Patch Engine - Vendors See Vendor list at https://forums.ivanti.com 443/80 (TCP, outbound only)
Patch Engine - Sideload Sapatchtenantfilesa1aefe.blob.core.windows.net Dynamic 443 (TCP, outbound only)
Discovery
AgentlessEngine Local traffic Local traffic 445 (TCP)
135 (TCP)
IvantiCsepEngine Local traffic Local traffic 33554 (TCP and UDP)
33555 (UDP)
IvantiDiscoveryEngine Local traffic Local traffic 137 (UDP)
53 (UDP)
Deployment

DeploymentEngine

fruprd-adpstat.ivanticloud.com

Dynamic

443 (TCP)

DeploymentEngine

Local traffic

Local traffic

445 (TCP)

Optional for NETBIOS:

139 (TCP)

137-138 (UDP)

DeploymentEngine

Local traffic

Local traffic

22 (TCP) macOS and Linux

Status of, for example, Deployment and Discovery Scan
Live updates of the UI
(instead of refreshing the webpage)

https://rg-ttu-prd-discoagentmgmtdisco-notifications-ttu.service.signalr.net/client/negotiate

 

 

wss://rg-ttu-prd-discoagentmgmtdisco-notifications-ttu.service.signalr.net/client/

 

 

UKU landscape

Service URL IP address Required ports
Agent (required)
Backbone Neurons Communications ukuprd-sfc.ivanticloud.com Dynamic 443 (TCP)
Agent Communications uku-prd.mqtt.ivanticloud.com 20.49.172.247 8883 (TCP)
Connector Engine Local traffic Local traffic 443 (TCP)
Connector Engine – SQL Local traffic Local traffic As defined by your SQL Server instance
Edge Intelligence
Real-Time Engine uku-prd.mqtt.ivanticloud.com 20.49.172.247 8883 (TCP)
Remote Control
Remote Control on the Endpoint machine ukuprd-rc.ivanticloud.com 20.77.156.96 Port Range 44345 to 44349 (TCP) (all)
Remote Control for the Analyst machine Port Range 45344 to 45348 (TCP) (all)
Patch Management
Patch Engine - Vendors See Vendor list at https://forums.ivanti.com 443/80 (TCP, outbound only)
Patch Engine - Sideload sapatchtenantfiles8061b2.blob.core.windows.net Dynamic 443 (TCP, outbound only)
Discovery
AgentlessEngine Local traffic Local traffic 445 (TCP)
135 (TCP)
IvantiCsepEngine Local traffic Local traffic 33554 (TCP and UDP)
33555 (UDP)
IvantiDiscoveryEngine Local traffic Local traffic 137 (UDP)
53 (UDP)
Deployment

DeploymentEngine

ukuprd-adpstat.ivanticloud.com

Dynamic

443 (TCP)

DeploymentEngine

Local traffic

Local traffic

445 (TCP)

Optional for NETBIOS:

139 (TCP)

137-138 (UDP)

DeploymentEngine

Local traffic

Local traffic

22 (TCP) macOS and Linux

Status of, for example, Deployment and Discovery Scan
Live updates of the UI
(instead of refreshing the webpage)

https://rg-uks-prd-discoagentmgmtdisco-notifications-uks.service.signalr.net/client/negotiate

 

 

wss://rg-uks-prd-discoagentmgmtdisco-notifications-uks.service.signalr.net/client/