Architecture

N-central High-Level Architecture (N-central at a glance)

N-central follows a client-server architecture, where a central N-central Server communicates with various agents, probes, and client devices to provide monitoring, management, and automation services.

N-central offers two deployment options, on-premises and hosted, each catering to different organizational needs and preferences, whilst offering the same core capabilities.

  • On-Premises (Self-hosted, using AWS and Azure): Install and run the N-central server on your own hardware within your organization's infrastructure. This option provides greater control over the environment, allowing for more customization and direct management of the server. It's ideal for organizations with specific security requirements or those that prefer to maintain their own IT infrastructure.

  • Hosted: The hosted deployment, also known as N-central Cloud, runs the N-central server on N-able's AWS cloud infrastructure. This option reduces the need for on-site hardware and maintenance, as N-able handles the server management, updates, and backups. It's a convenient choice for organizations looking for a scalable, cost-effective solution with less administrative overhead.

Core Components

At the heart of N-central’s functionality are several core components that work together to provide seamless IT management. These components include the

  • N-central Server: The core system that manages data and communications.

  • Agents: Installed on client devices to collect data and perform tasks.

  • Probes: Network devices that monitor and manage network segments and agent less devices.

Additionally, N-central features APIs and integration layers that allow it to connect with third-party tools, extending its capabilities even further.

Together, these core components form a scalable and secure IT management ecosystem that enables MSPs and IT Pros to provide proactive IT services, improve operational efficiency, and maintain high levels of service quality across multiple client environments. The following sections explore each component in detail, highlighting its role within the N-central architecture.

N-central Server

The N-able N-central server is the "brains" of the system and contains a number of components including the Web Interface, Data Management System (DMS), Database, and other core system components. In addition to providing an interface for the Agents and Probes, the DMS is also the business logic layer of the application. All rules that govern how N-able N-central deals with data are executed at this level.

The N-able N-central server is an appliance designed to be able to communicate with agents and services over the internet. N-central should be protected through proper network security best practices aligned to your company policies such as placing the N-central server in a DMZ with proper firewall restrictions. The N-central UI and Agent communication ports(On by default for fresh installations) are designed so that they can be split and secured independently. See Port access requirements for the ports that the N-able N-central server must have access to.

N-central server security

N-central incorporates IP blocking. If the server is flooded with excessive invalid requests from the same IP address in a ten second period, N-central blocks the traffic for new requests on that IP. It does not block active requests on the same IP address. An example would be agents, which have valid session IDs or users logged in the UI. Protections are in place to better manage the session to detect the offending IP address. To detect the correct IP address that is flooding the server, you will need to set up your firewall to allow the external IP address to be passed along. Some firewalls refer to this as preserve the client IP.

Server Security Management

The N-able N-central server includes an integrated firewall which blocks traffic on unused ports. It is recommended that you use your own IDS/IPS/IAV while following the minimum networking requirements to allow traffic, ports, and IP addresses documented in this Security White Paper and in Online Help.

Internally, the system is built using industry standard best practices including:

  • storage of all user passwords by first encrypting them using one-way encryption

  • strong input type checking

  • user access permissions

  • protective support for cross site scripting (XSS) attacks

Agents and Probes (Classic)

A Probe is a Windows application that resides on a system within a customer’s network, behind their firewall or within their private IP space. Probes provide network discovery, monitoring and management services for devices on that private network, leveraging industry standards such as WMI, SNMP, ODBC, and other protocols as needed. In addition, the probes are capable of discovery and installing agents on compatible devices when configured.

An Agent is a software component that MSPs or IT Pros can install on a Microsoft Windows, macOS, or Linux device to gather data specific to that local device.

N-able N-central Probes and Agents communicate with the N-able N-central server using similar architecture and methods. The Probes and Agents leverage client-side initiated communications, where all data communications begin with an outbound call from the Agent or Probe.

As a direct result of this architecture, there is no public IP address or port forwarding required from the Internet to the devices running the Probes or Agents. The outbound communications from the Agents to the N-able N-central server are based on SOAP and XMPP, and are transmitted using the HTTPS protocols on the standard web ports. The nature of these communications allows for the support of standard proxies on the local network.

After the outbound session is established over port 443, the Agent receives a session ID that is used to identify that session, and it persists until the session is closed. The Agents and Probes will open a second (asynchronous) signaling channel leveraging the XMPP protocol (on port 5280) that is persistent to allow the N-able N-central server to signal the Agents and Probes when actions are necessary (such as to initiate a remote-control session). In cases where the XMPP session is terminated abnormally (for example, by a firewall cleaning open sessions), the Agent will re-create the session automatically.

N-able N-central leverages XMPP (Extensible Messaging and Presence Protocol) based communications for control purposes only, not for the transmission of monitored data. It plays an important role in both Take Control and Direct Support Tools by ensuring quick and efficient communication between the N-central server, technicians, and managed devices. As an additional measure, the XMPP protocol can be turned off for individual devices or globally, however, this is not recommended as this will increase system load and will cause latency on certain N-able N-central features.

N-central Unified Agent

The N-central Unified (Modern) Agent is a key part of the N-able agent modernization effort. It is designed to run side-by-side with the existing N-central agent, ensuring a smooth transition while new capabilities are developed and deployed.

Parallel Operation - The Unified Agent is designed to run alongside the Current Agent without interference, allowing for a gradual transition.

Function Migration - Over time, functionalities will migrate from the Classic Agent to the Unified Agent, enhancing performance and security.

Automatic Updates - The Unified Agent checks for updates during its regular operations and applies them automatically, ensuring it remains up-to-date with the latest security patches.

As modernization progresses, specific features and components will migrate to the modern agent and eventually be deprecated from the existing one. This approach enables:

  • Faster updates to functionality

  • Optimized performance across systems

  • Improved overall agent health and manageability

Communication Flow

Probe and Agent (Classic) Communications: Client-side initiated communications using HTTPS protocols. Probes and Agents communicate with the N-central server using SOAP and XMPP, with data encrypted using TLS. This architecture ensures secure and efficient data transmission between components.

Probe as a Cache: Acts as a cache location for software installation files such as the Agent, AV Defender, Backup Manager, and Windows Patches. Agents communicate with the Probe. This caching mechanism reduces bandwidth usage and speeds up software deployments.

Database Server: A critical component of N-central, responsible for storing all system data. This includes device configurations, logs, monitoring data, and reports, ensuring that all collected information is securely maintained and readily accessible for analysis and reporting. By utilizing PostgreSQL as the database engine, the Database Server provides robust performance, reliability, and scalability. This setup ensures data integrity and availability, supporting the efficient operation of N-central's various functionalities.

Web-based User Interface: The Web-based User Interface (UI) is a crucial component of N-central, offering web console that allows administrators to manage and monitor devices. This intuitive interface provides a centralized view of all monitored devices and system activities. It supports role-based access control (RBAC), enabling multi-user access with varying levels of rights and permissions based on their roles and access groups while applying LRP (Least Rights Principle) in the event of overlap of either. This ensures that administrators can delegate tasks and responsibilities securely, maintaining control over who can access and modify different parts of the system. The web-based UI enhances the overall user experience by providing a seamless, accessible platform for comprehensive IT management.

Integration Layer (API & Webhooks): The Integration Layer of N-central is designed to enhance connectivity and automation through its API and webhooks. It provides a REST API that facilitates seamless third-party integrations with various tools, such as PSA (Professional Services Automation) platforms like MSP Manager, ConnectWise, and Autotask, ticketing systems, and billing platforms. This API enables administrators to extend N-central's capabilities by connecting it with other essential business applications, ensuring a cohesive IT management ecosystem. Additionally, webhooks allow for event-driven automation, enabling custom workflows that respond to specific triggers within the system. This functionality supports dynamic and automated processes, enhancing operational efficiency and responsiveness.

Secure Platform Architecture

N-central incorporates security as a core part of its architecture and ongoing development.

Multi-Tenancy

N-able N-central is built to support secure, scalable multi-tenancy for both hosted and on-prem deployments. Multi-tenancy allows MSPs and IT Pros to manage multiple customer environments independently from a single platform instance without risking data leakage or policy crossover.

Tenant Isolation Mechanisms: Tenant data - including scripts, configuration files, reports, logs, and credentials - is stored and processed using logical data separation, ensuring each tenant's information remains isolated to prevent unauthorized cross-tenant access.

Role-Based Access Control (RBAC): Tenant-specific access permissions ensure technicians can only interact with the data and devices for which they have been explicitly granted rights.

Scoped APIs and UI Contexts: All API calls and UI actions are scoped to the user’s tenant context, preventing accidental or malicious data exposure.

Credential Vaulting: Credentials are stored per tenant and protected by strong encryption, ensuring compartmentalization.

Audit Logging: All actions within the platform are logged with tenant identifiers for forensic traceability and compliance purposes.

This isolation model prevents unauthorized access between tenants and strengthens regulatory compliance for service providers working with sensitive or regulated industries.

Zero Trust Access Controls

N-central never assumes trust. It authenticates and authorizes every access attempt. Micro-permissions, audit trails, and limited session lifetimes reduce attack surfaces.

Recommended exclusions for third party AV software

N-able N-central software (agents and probes) must be excluded from third party antivirus scans in order to function properly

N-able recommends that you add the following path to the list of exclusions from security scans:

Folders

N-able N-central needs read/write access to following folders and their subfolders:

  • %Programfiles(x86)%\MspPlatform\PME
  • %Programfiles(x86)%\MspPlatform\FileCacheServiceAgent
  • %Programfiles(x86)%\MspPlatform\RequestHandlerAgent
  • %ProgramData%\MspPlatform

  • %programfiles(x86)%\MSP-agent

Applications

N-able N-central needs installation and access to following applications:

  • %Programfiles(x86)%\MspPlatform\FileCacheServiceAgent\FileCacheServiceAgent.exe
  • %Programfiles(x86)%\MspPlatform\PME\ThirdPartyPatch\7z.exe
  • %Programfiles(x86)%\MspPlatform\PME\Installers\CacheServiceSetup.exe
  • %Programfiles(x86)%\MspPlatform\PME\Installers\RPCServerServiceSetup.exe
  • %Programfiles(x86)%\MspPlatform\PME\Diagnostics\PME.Diagnostics.exe
  • %Programfiles(x86)%\MspPlatform\RequestHandlerAgent\RequestHandlerAgent.exe

  • %programfiles(x86)%\msp-agent\msp-agent-core.exe

Firewall

  • Firewall must be not blocking following communication channels:

  • HTTPS communication (port 443) between FileCacheServiceAgent windows service (%Programfiles(x86)%\MspPlatform\FileCacheServiceAgent\FileCacheServiceAgent.exe) and sis.n-able.com server (Server-In the-sky, N-able cloud server)

For a complete list of paths you can include to exclude from security scans, see Global Exclusions in the N-able N-central Online Help. This list includes folders excluded by AV Defender by default.

The Upgrade Process

Upgrading N-able N-central involves not only upgrading the N-able N-central server but also the Agents and Probes that communicate with it. Refer to Upgrading to This Release.

The upgrade process for N-able N-central consists of a number of elements including:

Agent and Probe Upgrade

When Agent and Probe upgrade settings are set to Always, the server upgrade process follows this sequence:

  1. The first time that the Probe connects to the N-able N-central server after it has been upgraded, the Probe will detect the new version. The Probe will be updated automatically if it has been configured to do so.

  2. After being upgraded, the Probe automatically downloads the latest version of the Agent upgrade software and store it in the Windows directory C:\Program Files (x86)\N-able Technologies\Windows Software Probe\cache

  3. If the Agents have been configured to upgrade automatically, they will:

    1. Ping all of the Probes they can communicate with to determine which Probe provides the fastest response time.

    2. Download the Agent upgrade software from the fastest Probe they can communicate with.

  4. If the Agents cannot connect to a Probe, they will download the Agent upgrade software directly from your N-able N-central server.

In line with best practice to avoid unnecessary strain on your internet connection, enable Probe upgrades one hour after the server upgrade. Once Probe upgrades are complete, enable Agent upgrades so Agents retrieve installation files from a local Probe.

Software Upgrades for AV Defender

Upgrades for AV Defender follow the same procedure, if the probe has been enabled as the Update Server:

  1. The Windows Probe will communicate with sis.n-able.com to determine the latest upgrade software every hour. If a new version is available, the Windows Probe will download the latest upgrade software.

  2. If software is installed on a device (AV Defender), the Agent will communicate via port 443 with the Windows Probe (or Probes) on the network to determine if it is running the latest version.

  3. The Agent will download the upgrade software from the Probe.

The N-able N-central server will connect with sis.n-able.com on an hourly basis to check for new upgrades. If a newer version of the software is available, the appropriate service (for example, the AV Defender Status service for AV Defender) will transition to a Warning state until the software on that device is upgraded.

If the Probe isn’t set up as the update server, or is unavailable, AV Defender agents retrieve their updates directly from the N-able N-central server (sis.n-able.com) or from external Bitdefender URLs like upgrade.bitdefender.com.