Core Architecture
N-central follows a client-server architecture, where a central N-central Server communicates with various agents, probes, and client devices to provide monitoring, management, and automation services.
N-central offers two deployment options, on-premises and hosted, each catering to different organizational needs and preferences, whilst offering the same core capabilities.
-
On-Premises (Self-hosted, using AWS and Azure): Install and run the N-central server on your own hardware within your organization's infrastructure. This option provides greater control over the environment, allowing for more customization and direct management of the server. It's ideal for organizations with specific security requirements or those that prefer to maintain their own IT infrastructure.
-
Hosted: The hosted deployment, also known as N-central Cloud, runs the N-central server on N-able's AWS cloud infrastructure. This option reduces the need for on-site hardware and maintenance, as N-able handles the server management, updates, and backups. It's a convenient choice for organizations looking for a scalable, cost-effective solution with less administrative overhead.
Core Components
At the heart of N-central’s functionality are several core components that work together to provide seamless IT management. These components include the
-
N-central Server: The core system that manages data and communications.
-
Agents: Installed on client devices to collect data and perform tasks.
-
Probes: Network devices that monitor and manage network segments and agent less devices.
Additionally, N-central features APIs and integration layers that allow it to connect with third-party tools, extending its capabilities even further.
Together, these core components form a scalable and secure IT management ecosystem that enables MSPs and IT Pros to provide proactive IT services, improve operational efficiency, and maintain high levels of service quality across multiple client environments. The following sections explore each component in detail, highlighting its role within the N-central architecture.
N-central Server
The N-able N-central server is the "brains" of the system and contains a number of components including the Web Interface, Data Management System (DMS), Database, and other core system components. In addition to providing an interface for the Agents and Probes, the DMS is also the business logic layer of the application. All rules that govern how N-able N-central deals with data are executed at this level.
The N-able N-central server is an appliance designed to be able to communicate with agents and services over the internet. N-central should be protected through proper network security best practices aligned to your company policies such as placing the N-central server in a DMZ with proper firewall restrictions. The N-central UI and Agent communication ports(On by default for fresh installations) are designed so that they can be split and secured independently. See Port access requirements for the ports that the N-able N-central server must have access to.
N-central server security
N-central incorporates IP blocking. If the server is flooded with excessive invalid requests from the same IP address in a ten second period, N-central blocks the traffic for new requests on that IP. It does not block active requests on the same IP address. An example would be agents, which have valid session IDs or users logged in the UI. Protections are in place to better manage the session to detect the offending IP address. To detect the correct IP address that is flooding the server, you will need to set up your firewall to allow the external IP address to be passed along. Some firewalls refer to this as preserve the client IP.
Server Security Management
The N-able N-central server includes an integrated firewall which blocks traffic on unused ports. It is recommended that you use your own IDS/IPS/IAV while following the minimum networking requirements to allow traffic, ports, and IP addresses documented in this Security White Paper and in Online Help.
Internally, the system is built using industry standard best practices including:
-
storage of all user passwords by first encrypting them using one-way encryption
-
strong input type checking
-
user access permissions
-
protective support for cross site scripting (XSS) attacks
Agents and Probes (Classic)
A Probe is a Windows application that resides on a system within a customer’s network, behind their firewall or within their private IP space. Probes provide network discovery, monitoring and management services for devices on that private network, leveraging industry standards such as WMI, SNMP, ODBC, and other protocols as needed. In addition, the probes are capable of discovery and installing agents on compatible devices when configured.
An Agent is a software component that MSPs or IT Pros can install on a Microsoft Windows, macOS, or Linux device to gather data specific to that local device.
-
N-able N-central Probes and Agents communicate with the N-able N-central server using similar architecture and methods. The Probes and Agents leverage client-side initiated communications, where all data communications begin with an outbound call from the Agent or Probe.
-
As a direct result of this architecture, there is no public IP address or port forwarding required from the Internet to the devices running the Probes or Agents. The outbound communications from the Agents to the N-able N-central server are based on SOAP and XMPP, and are transmitted using the HTTPS protocols on the standard web ports. The nature of these communications allows for the support of standard proxies on the local network.
-
After the outbound session is established over port 443, the Agent receives a session ID that is used to identify that session, and it persists until the session is closed. The Agents and Probes will open a second (asynchronous) signaling channel leveraging the XMPP protocol (on port 5280) that is persistent to allow the N-able N-central server to signal the Agents and Probes when actions are necessary (such as to initiate a remote-control session). In cases where the XMPP session is terminated abnormally (for example, by a firewall cleaning open sessions), the Agent will re-create the session automatically.
-
N-able N-central leverages XMPP (Extensible Messaging and Presence Protocol) based communications for control purposes only, not for the transmission of monitored data. It plays an important role in both Take Control and Direct Support Tools by ensuring quick and efficient communication between the N-central server, technicians, and managed devices. As an additional measure, the XMPP protocol can be turned off for individual devices or globally, however, this is not recommended as this will increase system load and will cause latency on certain N-able N-central features.
N-central Unified Agent
The N-central Unified (Modern) Agent is a key part of the N-able agent modernization effort. It is designed to run side-by-side with the existing N-central agent, ensuring a smooth transition while new capabilities are developed and deployed.
Parallel Operation - The Unified Agent is designed to run alongside the Current Agent without interference, allowing for a gradual transition.
Function Migration - Over time, functionalities will migrate from the Classic Agent to the Unified Agent, enhancing performance and security.
Automatic Updates - The Unified Agent checks for updates during its regular operations and applies them automatically, ensuring it remains up-to-date with the latest security patches.
As modernization progresses, specific features and components will migrate to the modern agent and eventually be deprecated from the existing one. This approach enables:
-
Faster updates to functionality
-
Optimized performance across systems
-
Improved overall agent health and manageability
Data flow and Communications
Agents continuously monitor endpoints and send telemetry data to probes or directly to the server using encrypted communication channels to ensure data security.
Typical Data Flow
Agents collect telemetry data such as system health, performance metrics, patch status, and logs, then transmit it securely via TLS either directly to the N-central server or to distributed probes across the network. Probes aggregate and preprocess data from multiple agents, cache software files (for example, patches, agents), and forward processed data to the server. The server stores this information in a PostgreSQL database, analyzes it to generate alerts, evaluate compliance, and trigger automation workflows as configured by administrators. Administrators access this data through the web-based UI or via APIs and webhooks for integrations.
Probe and Agent (Classic) Communications
Client-side initiated communications use HTTPS protocols. Probes and agents communicate with the N-central server via SOAP and XMPP, with data encrypted using TLS. This architecture ensures secure and efficient data transmission between components.
Probe as a Cache
Probes act as cache locations for software installation files, including the Agent, AV Defender, and Windows patches. Agents communicate with probes to retrieve these files, reducing bandwidth usage and accelerating software deployments.
Database Server
The database server is a critical N-central component responsible for storing all system data, including device configurations, logs, monitoring data, and reports. Using PostgreSQL as the database engine, it delivers robust performance, reliability, and scalability. This setup ensures data integrity and availability, supporting the efficient operation of N-central capabilities.
Web-based User Interface
The web-based user interface (UI) provides administrators with a centralized console to manage and monitor devices. It offers role-based access control (RBAC), enabling multi-user access with varying permissions based on roles and access groups. The system applies the Least Rights Principle (LRP) when permissions overlap, ensuring secure delegation of tasks and maintaining control over system access. The intuitive UI enhances the user experience, providing seamless and comprehensive IT management.
Integration Layer (API & Webhooks)
The N-central Integration Layer enhances connectivity and automation through its REST API and webhooks. It supports seamless integration with third-party tools, including PSA platforms such as MSP Manager, ConnectWise, Autotask, ticketing systems, and billing platforms. This API allows administrators to extend N-central capabilities by connecting with essential business applications, creating a cohesive IT management ecosystem. Webhooks enable event-driven automation, allowing custom workflows to trigger in response to specific system events. Together, these features support dynamic, automated processes that improve operational efficiency and responsiveness.
Scalability
N-central employs a client-server architecture designed to support scalable management across IT environments of all sizes—from a few endpoints to enterprise networks with thousands of nodes. At the heart of its scalability are distributed probes and agents, which decentralize data collection and processing. Agents send data to nearby probes, which aggregate, preprocess, and cache data—such as patch files—and then forward it to the central server. This reduces bandwidth usage and minimizes load on the server infrastructure
The PostgreSQL database serves as a robust, reliable back end, handling large volumes of device configurations, logs, monitoring data, and reports. Its support for indexing, replication, and query optimization is essential for maintaining performance at scale
N-central offers flexible deployment options, including on-premises and cloud-hosted environments, allowing organizations to tailor their infrastructure to growth demands. While virtualization is supported, N-able notes that performance variability depends on host configurations and hardware, and best performance is often achieved with dedicated server resources.
N-central is architected to support IT environments of varying sizes, from small deployments to enterprise-scale networks with more than 2,000 nodes. Its modular and distributed design enables the platform to scale horizontally and vertically without compromising performance or reliability.
A key scalability enabler is the use of distributed probes and agents for decentralized data collection and processing. Probes act as intermediaries between endpoints and the N-central server, aggregating telemetry data, caching software installation files, and reducing bandwidth consumption during software deployments. This reduces the load on the central server and optimizes network traffic in large, geographically dispersed environments.
The system’s PostgreSQL database engine provides a high-performance, reliable backend for storing device configurations, logs, monitoring data, and reports. PostgreSQL’s robust indexing, replication, and query optimization capabilities support large-scale data handling and fast retrieval times, even under heavy load.
N-central also supports flexible deployment options—including on-premises and hosted environments—allowing administrators to choose configurations that match organizational growth and resource requirements. Role-based access control (RBAC) and multi-tenancy ensure that scaling to manage multiple clients or large endpoint inventories remains secure and manageable.
Through this architecture, N-central can maintain operational efficiency and responsiveness in large-scale deployments, enabling consistent monitoring, automation, and reporting across thousands of devices.
Secure Platform Architecture
N-central incorporates security as a core part of its architecture and ongoing development.
Multi-Tenancy
N-able N-central is built to support secure, scalable multi-tenancy for both hosted and on-prem deployments. Multi-tenancy allows MSPs and IT Pros to manage multiple customer environments independently from a single platform instance without risking data leakage or policy crossover.
Tenant Isolation Mechanisms: Tenant data - including scripts, configuration files, reports, logs, and credentials - is stored and processed using logical data separation, ensuring each tenant's information remains isolated to prevent unauthorized cross-tenant access.
Role-Based Access Control (RBAC): Tenant-specific access permissions ensure technicians can only interact with the data and devices for which they have been explicitly granted rights.
Scoped APIs and UI Contexts: All API calls and UI actions are scoped to the user’s tenant context, preventing accidental or malicious data exposure.
Credential Vaulting: Credentials are stored per tenant and protected by strong encryption, ensuring compartmentalization.
Audit Logging: All actions within the platform are logged with tenant identifiers for forensic traceability and compliance purposes.
This isolation model prevents unauthorized access between tenants and strengthens regulatory compliance for service providers working with sensitive or regulated industries.
Zero Trust Access Controls
N-central never assumes trust. It authenticates and authorizes every access attempt. Micro-permissions, audit trails, and limited session lifetimes reduce attack surfaces.
Recommended exclusions for third party AV software
N-able N-central software (agents and probes) must be excluded from third party antivirus scans in order to function properly
N-able recommends that you add the following path to the list of exclusions from security scans:
Folders
N-able N-central needs read/write access to following folders and their subfolders:
%Programfiles(x86)%\MspPlatform\PME
%Programfiles(x86)%\MspPlatform\FileCacheServiceAgent
%Programfiles(x86)%\MspPlatform\RequestHandlerAgent
%ProgramData%\MspPlatform
-
%programfiles(x86)%\MSP-agent
Applications
N-able N-central needs installation and access to following applications:
%Programfiles(x86)%\MspPlatform\FileCacheServiceAgent\FileCacheServiceAgent.exe
%Programfiles(x86)%\MspPlatform\PME\ThirdPartyPatch\7z.exe
%Programfiles(x86)%\MspPlatform\PME\Installers\CacheServiceSetup.exe
%Programfiles(x86)%\MspPlatform\PME\Installers\RPCServerServiceSetup.exe
%Programfiles(x86)%\MspPlatform\PME\Diagnostics\PME.Diagnostics.exe
%Programfiles(x86)%\MspPlatform\RequestHandlerAgent\RequestHandlerAgent.exe
-
%programfiles(x86)%\msp-agent\msp-agent-core.exe
Firewall
-
Firewall must be not blocking following communication channels:
-
HTTPS communication (port 443) between FileCacheServiceAgent windows service
(%Programfiles(x86)%\MspPlatform\FileCacheServiceAgent\FileCacheServiceAgent.exe)
and sis.n-able.com server (Server-In the-sky, N-able cloud server)
For a complete list of paths you can include to exclude from security scans, see Global Exclusions in the N-able N-central Online Help. This list includes folders excluded by AV Defender by default.
The Upgrade Process
Upgrading N-able N-central involves not only upgrading the N-able N-central server but also the Agents and Probes that communicate with it.
The upgrade process for N-able N-central consists of a number of elements including:
Agent and Probe Upgrade
When Agent and Probe upgrade settings are set to Always, the server upgrade process follows this sequence:
-
The first time that the Probe connects to the N-able N-central server after it has been upgraded, the Probe will detect the new version. The Probe will be updated automatically if it has been configured to do so.
-
After being upgraded, the Probe automatically downloads the latest version of the Agent upgrade software and store it in the Windows directory
C:\Program Files (x86)\N-able Technologies\Windows Software Probe\cache
-
If the Agents have been configured to upgrade automatically, they will:
-
Ping all of the Probes they can communicate with to determine which Probe provides the fastest response time.
-
Download the Agent upgrade software from the fastest Probe they can communicate with.
-
-
If the Agents cannot connect to a Probe, they will download the Agent upgrade software directly from your N-able N-central server.
In line with best practice to avoid unnecessary strain on your internet connection, enable Probe upgrades one hour after the server upgrade. Once Probe upgrades are complete, enable Agent upgrades so Agents retrieve installation files from a local Probe.
Software Upgrades for AV Defender
Upgrades for AV Defender follow the same procedure, if the probe has been enabled as the Update Server:
-
The Windows Probe will communicate with sis.n-able.com to determine the latest upgrade software every hour. If a new version is available, the Windows Probe will download the latest upgrade software.
-
If software is installed on a device (AV Defender), the Agent will communicate via port 443 with the Windows Probe (or Probes) on the network to determine if it is running the latest version.
-
The Agent will download the upgrade software from the Probe.
The N-able N-central server will connect with sis.n-able.com on an hourly basis to check for new upgrades. If a newer version of the software is available, the appropriate service (for example, the AV Defender Status service for AV Defender) will transition to a Warning state until the software on that device is upgraded.
If the Probe isn’t set up as the update server, or is unavailable, AV Defender agents retrieve their updates directly from the N-able N-central server (sis.n-able.com) or from external Bitdefender URLs like upgrade.bitdefender.com.