N-able N-central/Take Control N-able Firewall Ports and Domain (Integrations in N-able N-central and N-able RMM)

Last Modified

Tues Aug 6 10:27 GMT 2024

Description

  • What are the Ports and Domain required for N-able N-central's Take Control and the N-able RMM Take Control Take Control to install and function without issues.

Environment

  • N-able N-central:
    • Take Control.
  • N-able RMM:
    • Take Control.

Solution

  • In order for the N-able RMM Take Control and N-able RMM Take Control Engine to work properly, Outbound protocols and ports must be configured as follows:
    • Ports:
      • HTTP (TCP 80) - Outbound - Required for HTTP connectivity
      • HTTPS (TCP 443) - Outbound - Required for HTTP connectivity
      • UDP 1234 - Bidirectional - Required for P2P connections
      • UDP 1235 - Bidirectional - Required for P2P connections
      • TCP 3377 - Outbound - Fail-over port when 443 is not accessible

        • No SSL inspection on TCP 443 for traffic regarding the necessary domains

    • Mandatory Domain Exclusion:
      • *.n-able.com
      • swi-rc.cdn-sw.net (Necessary for update downloads)
  • Take Control also allows for optional UDP traffic, which is used to establish P2P connections between the Viewer and the Agent, this reaches out to hosts under the aforementioned domains but initially makes use of ports 1234 and 1235 (to test if a UDP connection is possible) and then, if possible, connects via a randomly available port.
  • This is valid for the technician and also for the end user who receives the support.
  • Additional notes for Firewalls/Proxies:
    • The Agents should be able to reach the internet.
    • No HTTPS snooping should be done on SSL (TCP 443).
    • We validate the HTTPS certificates when communicating with our web servers.
    • If the firewall/proxy is intercepting this traffic through a transparent proxy and encrypting it again with the firewall/proxy's certificate it is going to fail:
      • Create an exception for our domain *.n-able.com.
      • Any protocol fingerprinting (some firewalls will interpret non-HTTPS traffic on 443 as malicious), should be excluded for our domain *.n-able.com.