Core Architecture
N-central follows a client-server architecture, where a central N-central Server communicates with various agents, probes, and client devices to provide monitoring, management, and automation services.
N-central offers two deployment options, on-premises and hosted, each catering to different organizational needs and preferences, whilst offering the same core capabilities.
- On-Premises (Self-hosted, using AWS and Azure): Organizations can install and operate the N-central server on hardware within their own infrastructure. This deployment model gives teams direct control over the environment, enabling greater customization and hands-on management of the server. It suits organizations with specific security requirements or those that prefer to maintain and manage their IT infrastructure internally.
- Hosted: Organizations can deploy N-central using the N-able cloud infrastructure, hosted on Amazon Web Services (AWS). This model eliminates the need for on-site hardware and reduces maintenance responsibilities. N-able manages server operations, including updates and backups, allowing teams to focus on core activities. Hosted deployment offers a scalable and cost-effective solution for organizations seeking to minimize administrative overhead while maintaining reliable access to N-central capabilities.
Core Components
At the heart of the N-central functionality are several core components that work together to provide seamless IT management. These components include:
- N-central Server: The core system that manages data and communications.
- Agents: Installed on client devices to collect data and perform tasks.
- Probes: Network devices that monitor and manage network segments and agentless devices.
Additionally, N-central features APIs and integration layers that allow it to connect with third-party tools, extending its capabilities even further.
Together, these core components form a scalable and secure IT management ecosystem that enables MSPs and IT Pros to provide proactive IT services, improve operational efficiency, and maintain high levels of service quality across multiple client environments. The following sections explore each component in detail, highlighting its role within the N-central architecture.
N-central Server
The N-able N-central server is the "brains" of the system and contains a number of components including the Web Interface, Data Management System (DMS), Database, and other core system components. In addition to providing an interface for the Agents and Probes, the DMS is also the business logic layer of the application. All rules that govern how N-able N-central deals with data are executed at this level.
The N-able N-central server operates as an appliance that communicates with agents and services over the internet. To secure this communication, organizations should apply network security best practices that align with internal policies. A recommended approach involves placing the N-central server in a demilitarized zone (DMZ) and enforcing appropriate firewall restrictions.
By default, fresh installations enable both the user interface (UI) and agent communication ports. Administrators can configure and secure these ports independently, allowing for tailored access controls and segmentation based on organizational needs. See Port access requirements for the ports that the N-able N-central server must have access to.
Agents and Probes (Classic)
A Probe is a Windows application that resides on a system within a customer’s network, behind their firewall or within their private IP space. Probes provide network discovery, monitoring and management services for devices on that private network, leveraging industry standards such as WMI, SNMP, ODBC, and other protocols as needed. In addition, when configured to do so, Probes can discover compatible devices and install Agents on them.
An Agent is a software component that MSPs or IT Pros can install on a Microsoft Windows, macOS, or Linux device to gather data specific to that local device.
- N-able N-central Probes and Agents communicate with the N-able N-central server using similar architecture and methods. The Probes and Agents leverage client-side initiated communications, where all data communications begin with an outbound call from the Agent or Probe.
- As a direct result of this architecture, there is no public IP address or port forwarding required from the Internet to the devices running the Probes or Agents. The outbound communications from the Agents to the N-able N-central server are based on SOAP and Extensible Messaging and Presence Protocol (XMPP), and are transmitted using the HTTPS protocols on the standard web ports. The nature of these communications allows for the support of standard proxies on the local network.
- After the outbound session is established over port 443, the Agent receives a session ID that is used to identify that session, and it persists until the session is closed. The Agents and Probes will open a second (asynchronous) signaling channel leveraging the XMPP protocol (on port 5280) that is persistent to allow the N-able N-central server to signal the Agents and Probes when actions are necessary (such as to initiate a remote-control session). In cases where the XMPP session is terminated abnormally (for example, by a firewall cleaning open sessions), the Agent will re-create the session automatically.
- N-able N-central leverages XMPP (Extensible Messaging and Presence Protocol) based communications for control purposes only, not for the transmission of monitored data. It plays an important role in both Take Control and Direct Support Tools by ensuring quick and efficient communication between the N-central server, technicians, and managed devices. As an additional measure, the XMPP protocol can be turned off for individual devices or globally; however, this is not recommended because it will increase system load and cause latency on certain N-able N-central features.
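As an added illustration (not N-able code), the outbound-only design described above can be turned into a firewall-log check: the sketch labels flows seen on a managed device against the channels this page documents (443 and 5280 to the N-central server, 443 to sis.n-able.com). The server name `ncentral.example.com`, the record layout and the label strings are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import Counter

# Assumption: placeholder FQDN for your N-central server (not from the page).
NCENTRAL = "ncentral.example.com"

# Outbound channels the page documents for classic Agents and Probes.
EXPECTED_OUT = {
    (NCENTRAL, 443): "HTTPS (SOAP) session",
    (NCENTRAL, 5280): "XMPP signaling channel",
    ("sis.n-able.com", 443): "FileCacheServiceAgent to N-able cloud",
}

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def on_lan(peer):
    """True if peer is a literal RFC 1918 address (local Probe/Agent traffic)."""
    try:
        ip = ipaddress.ip_address(peer)
    except ValueError:          # peer is a hostname, not an IP literal
        return False
    return any(ip in net for net in RFC1918)


def classify(direction, peer, port, xmpp_enabled=True):
    """Label one flow record taken from a managed device's firewall log."""
    if on_lan(peer):
        return "lan"            # local Probe traffic, out of scope here
    if direction == "in":
        # Client-initiated design: no Internet host needs to reach the device.
        return "ALERT unexpected-inbound"
    if (peer, port) in EXPECTED_OUT:
        if port == 5280 and not xmpp_enabled:
            # XMPP was switched off in N-central, yet the channel is in use.
            return "ALERT xmpp-disabled-but-active"
        return "ok"
    return "REVIEW unlisted-destination"


def audit(flows, xmpp_enabled=True):
    """Return (label counts, [(label, flow)] for everything not ok/lan)."""
    counts, findings = Counter(), []
    for flow in flows:
        label = classify(*flow, xmpp_enabled=xmpp_enabled)
        counts[label] += 1
        if label not in ("ok", "lan"):
            findings.append((label, flow))
    return counts, findings


# Constructed sample records: (direction, peer, port).
SAMPLE_FLOWS = [
    ("out", NCENTRAL, 443),
    ("out", NCENTRAL, 5280),
    ("out", "sis.n-able.com", 443),
    ("out", "192.168.10.20", 443),       # Agent to a local Probe
    ("in", "203.0.113.7", 3389),         # Internet host reaching the device
    ("out", "files.example.net", 8080),  # not among the documented channels
]

if __name__ == "__main__":
    for label, flow in audit(SAMPLE_FLOWS)[1]:
        print(label, flow)
```

Destinations that land in the REVIEW bucket are not necessarily wrong; compare them with the Port access requirements list for your deployment before treating them as findings.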
Unified Agent (Modern Agent)
The N-central Unified Agent (Modern Agent) is a key part of the N-able agent modernization effort. It is designed to run side-by-side with the existing N-central agent, ensuring a smooth transition while new capabilities are developed and deployed.
Parallel Operation - The Unified Agent runs alongside the current agent without interference, allowing for a gradual transition.
Function Migration - Over time, N-central functionalities will migrate from the Classic Agent to the Unified Agent, enhancing performance and security.
Automatic Updates - The Unified Agent checks for updates during its regular operations and applies them automatically, ensuring it remains up-to-date with the latest security patches.
Unified Agent Communication Flow
The Unified Agent in N-central communicates with several components to support cloud-based functionality and endpoint management. Here's a breakdown of its communication flow:
Cloud Microservices (Ecoverse Layer)
- Sends telemetry data (e.g., device health, patch status, vulnerability info)
- Receives orchestration instructions, such as feature activation or remediation tasks
- Communicates securely through HTTPS using event-driven protocols
N-central Server
- Exchanges device registration, policy enforcement, and status updates
- Uses SOAP/REST APIs, HTTPS (443), and XMPP (5228) for communication
Patch Management Engine (PME)
- Triggers patch scans and installations
- Reports patch results and reboot status
- May use Windows Update Agent (WUA) for online scans or offline metadata
N-able Ecoverse
Ecoverse is a set of cloud-hosted capabilities that are part of the N-central cloud-native evolution, extending N-central capabilities through a modular, microservices-based architecture that supports dynamic feature delivery, secure data handling, and integration with third-party platforms.
Cloud-hosted capabilities such as vulnerability management, patch intelligence, cloud asset control, and identity services surface through components that expose cloud features within the N-central user interface without impacting backend systems or customer-managed infrastructure. Decoupling functionality into discrete services improves scalability, flexibility, and operational efficiency across managed environments.
How Ecoverse integrates into the N-central architecture
Cloud Microservices
The N-central architecture leverages cloud microservices to deliver modular, scalable, and event-driven IT management capabilities. Each microservice is a contained, independently deployable unit that performs a specific function within N-central.
Microservices operate as part of a distributed cloud layer that interfaces with:
- The N-central Server Appliance (on-prem or cloud-hosted)
- The Unified Agent on managed endpoints
- External systems, for example, identity providers such as Microsoft Entra ID, to enable SSO.
They communicate via secure APIs, event streams, and schema-driven orchestration, enabling real-time responsiveness and modular feature delivery.
Data flow and Communications
Agents continuously monitor endpoints and send telemetry data to probes or directly to the server using encrypted communication channels to ensure data security.
Typical Data Flow
Agents collect telemetry data such as system health, performance metrics, patch status, and logs, then transmit it securely via TLS either directly to the N-central server or to distributed probes across the network. Probes aggregate and preprocess data from multiple agents, cache software files (for example, patches, agents), and forward processed data to the server. The server stores this information in a PostgreSQL database, analyzes it to generate alerts, evaluate compliance, and trigger automation workflows as configured by administrators. Administrators access this data through the web-based UI or via APIs and webhooks for integrations.
Probe and Agent (Classic) Communications
Client-side initiated communications use HTTPS protocols. Probes and agents communicate with the N-central server via SOAP and XMPP, with data encrypted using TLS. This architecture ensures secure and efficient data transmission between components.
Probe as a Cache
Probes act as cache locations for software installation files, including the Agent, AV Defender, and Windows patches. Agents communicate with probes to retrieve these files, reducing bandwidth usage and accelerating software deployments.
Database Server
The database server is a critical N-central component responsible for storing all system data, including device configurations, logs, monitoring data, and reports. Using PostgreSQL as the database engine, it delivers robust performance, reliability, and scalability. This setup ensures data integrity and availability, supporting the efficient operation of N-central capabilities.
Web-based User Interface
The web-based User Interface (UI) provides administrators with a centralized console to manage and monitor devices. It offers Role-Based Access Control (RBAC), enabling multi-user access with varying permissions based on roles and access groups. The system applies the Least Rights Principle (LRP) when permissions overlap, ensuring secure delegation of tasks and maintaining control over system access. The intuitive UI enhances the user experience, providing seamless and comprehensive IT management.
Integration Layer (API & Webhooks)
The N-central Integration Layer enhances connectivity and automation through its REST API and webhooks. It supports seamless integration with third-party tools, including PSA platforms such as MSP Manager, ConnectWise, Autotask, ticketing systems, and billing platforms. This API allows administrators to extend N-central capabilities by connecting with essential business applications, creating a cohesive IT management ecosystem. Webhooks enable event-driven automation, allowing custom workflows to trigger in response to specific system events. Together, these features support dynamic, automated processes that improve operational efficiency and responsiveness.
Scalability
N-central employs a client-server architecture designed to support scalable management across IT environments of all sizes—from a few endpoints to enterprise networks with thousands of nodes. At the heart of its scalability are distributed probes and agents, which decentralize data collection and processing. Agents send data to nearby probes, which aggregate, preprocess, and cache data—such as patch files—and then forward it to the central server. This reduces bandwidth usage and minimizes load on the server infrastructure.
The PostgreSQL database serves as a robust, reliable back end, handling large volumes of device configurations, logs, monitoring data, and reports. Its support for indexing, replication, and query optimization is essential for maintaining performance at scale.
N-central offers flexible deployment options, including on-premises and cloud-hosted environments, allowing organizations to tailor their infrastructure to growth demands. While virtualization is supported, N-able notes that performance variability depends on host configurations and hardware, and best performance is often achieved with dedicated server resources.
N-central is architected to support IT environments of varying sizes, from small deployments to enterprise-scale networks with more than 2,000 nodes. Its modular and distributed design enables the platform to scale horizontally and vertically without compromising performance or reliability.
A key scalability enabler is the use of distributed probes and agents for decentralized data collection and processing. Probes act as intermediaries between endpoints and the N-central server, aggregating telemetry data, caching software installation files, and reducing bandwidth consumption during software deployments. This reduces the load on the central server and optimizes network traffic in large, geographically dispersed environments.
The system’s PostgreSQL database engine provides a high-performance, reliable backend for storing device configurations, logs, monitoring data, and reports. PostgreSQL’s robust indexing, replication, and query optimization capabilities support large-scale data handling and fast retrieval times, even under heavy load.
N-central also supports flexible deployment options—including on-premises and hosted environments—allowing administrators to choose configurations that match organizational growth and resource requirements. Role-based access control (RBAC) and multi-tenancy ensure that scaling to manage multiple clients or large endpoint inventories remains secure and manageable.
Through this architecture, N-central can maintain operational efficiency and responsiveness in large-scale deployments, enabling consistent monitoring, automation, and reporting across thousands of devices.
Secure Platform Architecture
N-central incorporates security as a core part of its architecture and ongoing development.
Multi-Tenancy
N-able N-central is built to support secure, scalable multi-tenancy for both hosted and on-prem deployments. Multi-tenancy allows MSPs and IT Pros to manage multiple customer environments independently from a single platform instance without risking data leakage or policy crossover.
Tenant Isolation Mechanisms: Tenant data - including scripts, configuration files, reports, logs, and credentials - is stored and processed using logical data separation, ensuring each tenant's information remains isolated to prevent unauthorized cross-tenant access.
Role-Based Access Control: Tenant-specific access permissions ensure technicians can only interact with the data and devices for which they have been explicitly granted rights.
Scoped APIs and UI Contexts: All API calls and UI actions are scoped to the user’s tenant context, preventing accidental or malicious data exposure.
Credential Vaulting: Credentials are stored per tenant and protected by strong encryption, ensuring compartmentalization.
Audit Logging: All actions within the platform are logged with tenant identifiers for forensic traceability and compliance purposes.
This isolation model prevents unauthorized access between tenants and strengthens regulatory compliance for service providers working with sensitive or regulated industries.
Zero Trust Access Controls
N-central never assumes trust. It authenticates and authorizes every access attempt. Micro-permissions, audit trails, and limited session lifetimes reduce attack surfaces.
Recommended exclusions for third-party AV software
N-able N-central software (agents and probes) must be excluded from third-party antivirus scans in order to function properly.
N-able recommends adding the following paths to the list of exclusions from security scans:
Folders
N-able N-central needs read/write access to the following folders and their subfolders:
- %Programfiles(x86)%\MspPlatform\PME
- %Programfiles(x86)%\MspPlatform\FileCacheServiceAgent
- %Programfiles(x86)%\MspPlatform\RequestHandlerAgent
- %ProgramData%\MspPlatform
- %programfiles(x86)%\MSP-agent
Applications
N-able N-central needs installation and access to the following applications:
- %Programfiles(x86)%\MspPlatform\FileCacheServiceAgent\FileCacheServiceAgent.exe
- %Programfiles(x86)%\MspPlatform\PME\ThirdPartyPatch\7z.exe
- %Programfiles(x86)%\MspPlatform\PME\Installers\CacheServiceSetup.exe
- %Programfiles(x86)%\MspPlatform\PME\Installers\RPCServerServiceSetup.exe
- %Programfiles(x86)%\MspPlatform\PME\Diagnostics\PME.Diagnostics.exe
- %Programfiles(x86)%\MspPlatform\RequestHandlerAgent\RequestHandlerAgent.exe
- %programfiles(x86)%\msp-agent\msp-agent-core.exe
Firewall
The Firewall must not block the following outbound communication channels:
- HTTPS communication (port 443) between the FileCacheServiceAgent Windows service (%Programfiles(x86)%\MspPlatform\FileCacheServiceAgent\FileCacheServiceAgent.exe) and the sis.n-able.com server (Server-in-the-sky, N-able cloud server)
For a complete list of paths to include for exclusion from security scans, see Global Exclusions in the N-able N-central Online Help. This list includes folders excluded by AV Defender by default.
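Every excluded folder is a location the third-party AV no longer inspects, so the configured list should match the recommendation rather than a wider parent folder. The following added sketch (not N-able code) compares a configured folder-exclusion list with the folder list above and reports missing, overly broad and unrelated entries; the default values used to expand the environment variables, the trailing-wildcard handling and the sample configuration are assumptions.

```python
from pathlib import PureWindowsPath

# Folder exclusions recommended on this page.
RECOMMENDED = [
    r"%Programfiles(x86)%\MspPlatform\PME",
    r"%Programfiles(x86)%\MspPlatform\FileCacheServiceAgent",
    r"%Programfiles(x86)%\MspPlatform\RequestHandlerAgent",
    r"%ProgramData%\MspPlatform",
    r"%programfiles(x86)%\MSP-agent",
]

# Assumption: default Windows locations, used only so that variable-based and
# absolute spellings of the same folder compare equal.
ENV_DEFAULTS = {
    "%programfiles(x86)%": r"C:\Program Files (x86)",
    "%programdata%": r"C:\ProgramData",
}


def norm(path):
    """Case-fold, expand known variables, drop a trailing wildcard component."""
    p = path.strip().lower()
    for var, value in ENV_DEFAULTS.items():
        p = p.replace(var, value.lower())
    parts = PureWindowsPath(p).parts
    if parts and parts[-1] in ("*", "*.*"):
        parts = parts[:-1]
    return parts


def is_ancestor(a, b):
    """True if folder a strictly contains folder b (both as norm() parts)."""
    return len(a) < len(b) and b[:len(a)] == a


def compare(configured):
    """Classify a configured exclusion list against RECOMMENDED."""
    rec = [(norm(r), r) for r in RECOMMENDED]
    conf = [(norm(c), c) for c in configured]
    report = {"missing": [], "too_broad": [], "unrelated": []}
    for rn, r in rec:
        # Covered if excluded exactly or through an excluded parent folder.
        if not any(cn == rn or is_ancestor(cn, rn) for cn, _ in conf):
            report["missing"].append(r)
    for cn, c in conf:
        if any(is_ancestor(cn, rn) for rn, _ in rec):
            report["too_broad"].append(c)   # unscanned area wider than needed
        elif not any(cn == rn or is_ancestor(rn, cn) for rn, _ in rec):
            report["unrelated"].append(c)   # not explained by this page's list
    return report


# Constructed sample of what an AV policy export might contain.
CONFIGURED = [
    r"C:\Program Files (x86)\MspPlatform\PME",
    r"c:\program files (x86)\mspplatform\*",
    r"%ProgramData%\MspPlatform",
    r"C:\Temp",
]

if __name__ == "__main__":
    for kind, paths in compare(CONFIGURED).items():
        print(kind, paths)
```

Entries reported as unrelated may still be legitimate; check them against Global Exclusions in the N-able N-central Online Help before removing them.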
The Upgrade Process
Upgrading N-able N-central involves not only upgrading the N-able N-central server but also the Agents and Probes that communicate with it.
The upgrade process for N-able N-central consists of a number of elements including:
Agent and Probe Upgrade
When Agent and Probe upgrade settings are set to Always, the server upgrade process follows this sequence:
- The first time that the Probe connects to the N-able N-central server after it has been upgraded, the Probe will detect the new version. The Probe will be updated automatically if it has been configured to do so.
- After being upgraded, the Probe automatically downloads the latest version of the Agent upgrade software and stores it in the Windows directory C:\Program Files (x86)\N-able Technologies\Windows Software Probe\cache
- If the Agents have been configured to upgrade automatically, they will:
  - Ping all of the Probes they can communicate with to determine which Probe provides the fastest response time.
  - Download the Agent upgrade software from the fastest Probe they can communicate with.
- If the Agents cannot connect to a Probe, they download the Agent upgrade software directly from the N-able N-central server.
In line with best practice to avoid unnecessary strain on the internet connection, enable Probe upgrades one hour after the server upgrade. Once Probe upgrades are complete, enable Agent upgrades so Agents retrieve installation files from a local Probe.
Software Upgrades for AV Defender
Upgrades for AV Defender follow the same procedure if the probe has been enabled as the update server:
- The Windows Probe communicates with sis.n-able.com to determine the latest upgrade software every hour. If a new version is available, the Windows Probe downloads the latest upgrade software.
- If AV Defender is installed on a device, the Agent communicates via port 443 with the Windows Probe (or Probes) on the network to determine if it is running the latest version.
- The Agent will download the upgrade software from the Probe.
The N-able N-central server connects with sis.n-able.com on an hourly basis to check for new upgrades. If a newer version of the software is available, the appropriate service (for example, the AV Defender Status service for AV Defender) transitions to a Warning state until the software on that device is upgraded.
If the Probe is not set up as the update server, or is unavailable, AV Defender agents retrieve their upgrades directly from the N-able N-central server (sis.n-able.com) or from external Bitdefender URLs like upgrade.bitdefender.com.
