Architecture

To better understand the impact that N-able N-central may have on the security of the networks that it manages, it is necessary to have an understanding of its components and design.

N-able N-central consists of three major components: Agents, Probes, and the N-able N-central server.

 

Probes and Agents

A Probe is a Windows application that resides on a system within a customer’s network, behind their firewall or within their private IP space. Probes provide network discovery, monitoring and management services for devices on that private network, leveraging industry standard protocols such as WMI, SNMP, ODBC, and others.

An Agent is an additional software component that may be installed on a Windows, macOS, or Linux host device in order to gather data specific to that local device. Agents are typically installed on all Windows devices to provide full monitoring and management regardless of the logical placement of that device on the Internet.

Probe and Agent Communications

N-able N-central Probes and Agents communicate with the N-able N-central server using similar architecture and methods. The Probes and Agents leverage client-side initiated communications, where all data communications begin with an outbound call from the Agent or Probe.

As a direct result of this architecture, there is no public IP address or port forwarding required from the Internet to the devices running the Probes or Agents. The outbound communications from the Agents to the N-able N-central server are based on SOAP and XMPP, and are transmitted using the HTTP or HTTPS protocols on the standard web ports. The nature of these communications allows for the support of standard proxies on the local network.

After the outbound session is established, the Agent receives a session ID that identifies that session and persists until the session is closed. The Agents and Probes also open a second, asynchronous signalling channel using the XMPP protocol (on port 5280 or 443). This channel is persistent so that the N-able N-central server can signal the Agents and Probes when actions are necessary (for example, to initiate a remote control session). If the XMPP session is terminated abnormally (for example, by a firewall clearing open sessions), the Agent re-creates the session automatically.

N-able N-central uses the XMPP-based communications for control purposes only, not for the transmission of monitored data. As an additional measure, the XMPP protocol can be turned off for individual devices or globally. This is not recommended, however, because it increases system load and introduces latency in certain N-able N-central features.

By default, the N-able N-central Agent, Probe, and XMPP-based communications use HTTPS with the data encrypted using TLS and the strongest cipher suite supported by both the client and the server.

Probe as a Cache

The Windows Probe also acts as a cache location for software installation files such as the Agent, AV Defender, Backup Manager, and Windows Patches. Agents communicate with the Probe over TCP 10004 using the .NET remote communication protocol.

Security Profiles

Sometimes you have to work with older operating systems that use older security protocols. Security Profiles in N-able N-central enable you to select between modern security protocols and legacy ones. The Modern security profile is enabled by default and blocks TLS 1.0 and 1.1. You can switch the network security profile to the Legacy Security Profile to use older TLS versions. To change Security Profiles, at the System level, click Administration > Mail and Network Settings > Network Security.

Because the Modern security profile is enabled by default, you need to ensure that Agents and Probes are at version 12.1 SP1 or higher. Version 12.1 SP1 and higher leverage TLS 1.2 properly and communicate with N-able N-central 12.2 and higher. This also applies to ReportManager; you need to upgrade it to version 5.0 SP5.

The differences between the profiles are:

Compatibility Security Profile:

  • The Compatibility security profile sits between the Legacy and Modern security profiles. It allows you to support older operating systems, such as Windows Server 2012 R2, but without allowing TLS 1.1 or 1.0.

  • Does not support TLS 1.0 and 1.1.

  • Disables weak SSH Ciphers, MACs and KEX Algorithms.

  • Supports Modern Operating Systems (Windows 7/Server 2008 R2 and newer).

  • Meets PCI requirements for TLS and ciphers.

  • Supports only 2048-bit keys.

N-able strongly recommends that you choose between either the Compatibility or Modern security profile as we plan to deprecate the Legacy security profile in a future release of N-central.

Modern Security Profile:

  • Configures N-central's UI so that it does not support TLS 1.0 or 1.1, SHA-1, weak ciphers, or non-PFS ciphers.

  • Supports TLS 1.3 on all UI, API, and Agent ports. The Web UI ports have further been enhanced with TLS ciphers that offer improved performance on mobile devices.

  • Disables weak SSH Ciphers, MACs and KEX Algorithms.

  • Will work with Modern Operating Systems (Windows 10/Server 2016 and newer).

  • Meets PCI requirements for TLS and ciphers.

  • Supports only 2048-bit keys.

Legacy Security Profile:

  • Configures N-central's UI to support TLS 1.0 and 1.1

  • Not PCI/HIPAA/NIST compliant.

  • Supports legacy operating systems (e.g. Windows Vista/Server 2008).
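The profile rules above can be checked against what a client actually negotiates. The following Python script is an added example (not N-able code or part of this white paper): it classifies the protocol version and cipher suite of a handshake against the Legacy, Compatibility and Modern rules as listed in the bullets, over constructed sample handshakes. `probe_tls` performs a live handshake against a server you name (needs network access; the hostname is yours to supply), and the key-size rule is applied only when the caller passes the key size. The cipher-suite parsing is a simplification based on the IANA (`TLS_ECDHE_RSA_WITH_...`) and OpenSSL (`ECDHE-RSA-...`) naming conventions.

```python
"""Evaluate negotiated TLS parameters against the N-central security profiles.

Added example, not N-able code. Rules encode the profile bullets above:
Legacy allows TLS 1.0/1.1; Compatibility and Modern do not; Modern also
rejects SHA-1/MD5 and non-PFS (static RSA) cipher suites; Compatibility and
Modern accept only 2048-bit keys. Suite parsing is a simplification.
"""
import re
import socket
import ssl

PROFILES = {
    "Legacy":        {"min_version": (1, 0), "require_pfs": False, "forbid_weak_hash": False, "key_bits": None},
    "Compatibility": {"min_version": (1, 2), "require_pfs": False, "forbid_weak_hash": False, "key_bits": 2048},
    "Modern":        {"min_version": (1, 2), "require_pfs": True,  "forbid_weak_hash": True,  "key_bits": 2048},
}

TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256",
}
PFS_KX = ("ECDHE", "DHE")


def parse_version(name: str) -> tuple:
    """'TLSv1.2' -> (1, 2); 'TLSv1' -> (1, 0)."""
    m = re.fullmatch(r"TLSv1(?:\.(\d))?", name)
    if not m:
        raise ValueError(f"unrecognised protocol name: {name}")
    return (1, int(m.group(1) or 0))


def suite_properties(suite: str) -> dict:
    """Derive forward secrecy and the MAC/PRF hash from a cipher-suite name."""
    if suite in TLS13_SUITES:
        # TLS 1.3 always uses an ephemeral (EC)DHE exchange.
        return {"pfs": True, "hash": suite.rsplit("_", 1)[1]}
    if suite.startswith("TLS_"):
        # IANA form: TLS_<kx>_<auth>_WITH_<cipher>_<hash>
        m = re.fullmatch(r"TLS_(\w+?)_WITH_(\w+)", suite)
        if not m:
            raise ValueError(f"unrecognised cipher suite: {suite}")
        kx = m.group(1).split("_")[0]
        return {"pfs": kx in PFS_KX, "hash": m.group(2).rsplit("_", 1)[1]}
    # OpenSSL form: <kx>-<auth>-<cipher>[-<hash>]; a missing kx means static RSA,
    # and AEAD suites without a hash suffix use SHA256 as PRF.
    tokens = suite.split("-")
    hash_name = tokens[-1] if tokens[-1].startswith(("SHA", "MD5")) else "SHA256"
    return {"pfs": tokens[0] in PFS_KX, "hash": hash_name}


def evaluate(protocol: str, suite: str, profile: str, key_bits: int = None) -> list:
    """Return the policy violations for one handshake; an empty list means compliant."""
    rules = PROFILES[profile]
    problems = []
    if parse_version(protocol) < rules["min_version"]:
        problems.append(f"{protocol} below profile minimum")
    props = suite_properties(suite)
    if rules["require_pfs"] and not props["pfs"]:
        problems.append("cipher suite lacks forward secrecy")
    if rules["forbid_weak_hash"] and props["hash"] in ("SHA", "MD5"):
        problems.append(f"weak hash {props['hash']}")
    if key_bits is not None and rules["key_bits"] is not None and key_bits != rules["key_bits"]:
        problems.append(f"{key_bits}-bit key; profile supports only {rules['key_bits']}-bit keys")
    return problems


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Live check (needs network): (protocol, cipher suite) negotiated with host:port.
    The client offers its defaults, so the result shows what the server chose."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


# Constructed handshake records, not captures from a real server.
SAMPLES = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ("TLSv1.2", "TLS_RSA_WITH_AES_256_CBC_SHA"),
    ("TLSv1", "ECDHE-RSA-AES256-SHA"),
]


def report(profile: str, samples=SAMPLES) -> dict:
    """Map each sample handshake to its violations under the given profile."""
    return {f"{p} {s}": evaluate(p, s, profile) for p, s in samples}


if __name__ == "__main__":
    for profile in PROFILES:
        print(f"== {profile} profile ==")
        for key, problems in report(profile).items():
            print(f"  {key}: {'OK' if not problems else '; '.join(problems)}")
```

Run it as-is to see how the four sample handshakes fare under each profile; to check a real server, feed `probe_tls("your-ncentral-host")` into `evaluate` for the profile you have configured.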

N-able N-central Server

The N-able N-central server is the "brains" of the system and contains a number of components including the Web Interface, Data Management System (DMS), Database, and other core system components. In addition to providing an interface for the Agents and Probes, the DMS is also the business logic layer of the application. All rules that govern how N-able N-central deals with data are executed at this level. All physical data (configuration or monitored) is stored within the relational PostgreSQL database.

The N-able N-central server is designed and secured so that it may be placed directly on the Internet; however, the recommended best practice is to place it in a restricted network zone such as a DMZ.

For specific information on the ports that must be accessible for an N-able N-central server, please refer to the Network Requirements page.

Port Access Requirements

Access must be permitted to the following ports:

| Port | N-central server inbound | N-central server outbound | Managed device inbound | Managed device outbound | Description |
|---|---|---|---|---|---|
| 20 |  | ✓ |  |  | Used for FTP connections, particularly when configured for backups. |
| 21 |  | ✓ |  |  | Used for FTP connections, particularly when configured for backups. |
| 22 (optional) | ✓ |  |  | ✓ | SSH - used for remote control sessions. The firewall must be configured to allow access from the Internet to this port on the N-able N-central server. |
| 25 |  | ✓ |  |  | SMTP - used for sending mail. |
| 53 |  | ✓ |  |  | Used for DNS. |
| 80 | ✓ | ✓ |  | ✓ | HTTP - used for communication between N-able N-central and Agents or Probes. N-able recommends that you block all access from the Internet to this port on the N-able N-central server unless it is absolutely required; this port may be closed in a future release. It must also be open for outbound traffic if the N-able N-central server is monitoring HTTP services on remote managed devices. |
| 123 |  | ✓ |  |  | Used by the NTP date service, which keeps the server clock synchronized. Normally UDP, although some servers can use TCP. |
| 135 |  |  | ✓ |  | Used by Agents and Probes for WMI queries to monitor various services. Inbound from the Windows Probe to the Windows Agent. |
| 139 |  |  | ✓ |  | Used by Agents and Probes for WMI queries to monitor various services. Inbound from the Windows Probe to the Windows Agent. |
| 443 | ✓ | ✓ |  | ✓ | HTTPS - used for communication between N-able N-central and Agents or Probes (including MSP Connect and MSP Anywhere). Your firewall must be configured to allow access from the Internet to this port on the N-able N-central server. It must be open for outbound traffic if the N-able N-central server is monitoring HTTPS services on remote managed devices. Backup Manager on endpoint devices uses port 443 TCP outbound; it is almost always open on workstations but may be closed on servers. Also used by Agents and Probes as a failover for XMPP traffic when they cannot reach N-central on port 5280. See the EDR and Pendo notes below the table. |
| 445 |  |  | ✓ |  | Used by Agents and Probes for WMI queries to monitor various services. |
| 1234, 1235 |  | ✓ |  | ✓ | Used by MSP Connect in UDP mode. |
| 1433* |  | ✓* | ✓* | ✓* | Outbound on the N-able N-central server, port 1433 is used by Report Manager for data export. On managed devices, it is also used by Agents (inbound) and Probes (outbound) to monitor Backup Exec jobs. Inbound from the local LAN and not the Internet. |
| 5000 |  |  | ✓ |  | Backup Manager will use local port 5000. If this port is unavailable, Backup Manager will detect a free port automatically (starting from 5001, 5002 and up). |
| 5280 | ✓ |  |  | ✓ | Used by Agents and Probes for XMPP traffic. Outbound access to port 5280 for managed devices is recommended but not required. |
| 8014 |  |  | ✓ |  | Backup Manager requires access to port 8014. This value cannot be modified. Inbound from the local LAN and not the Internet. |
| 8088 |  | ✓ |  |  | HTTPS - used for communications to the N-able event communication system, which enables communication between the N-able cloud and the N-central server. |
| 8443 | ✓ | ✓ |  | ✓ | The default port for the N-central UI. TCP port 8443 is used for TLS (HTTPS) connections to the N-central Web UI. Your firewall may be configured to allow access from the Internet to this port on the N-able N-central server if you require Web UI access from outside the network N-central is deployed in. You can change this port number in the N-central Administrator menu, under "Network Setup". |
| 8800 |  | ✓ |  |  | The Feature Flag System in N-able N-central needs to talk to mtls.api.featureflags.prd.sharedsvcs.system-monitor.com. Used by N-able, generally during Early Access Preview and Release Candidate testing, to enable and disable features within N-able N-central. |
| 10000 | ✓ |  |  |  | HTTPS - used for access to the N-able N-central Administration Console (NAC). The firewall must be configured to allow access from the Internet to this port on the N-able N-central server. N-able recommends blocking all other inbound traffic to port 10000 except from the sources listed in the N-able Ports for Support section below. |
| 10004 |  |  | ✓ | ✓ | N-able N-central Agents must be able to communicate with a Probe on the network over port 10004 in order for Probe caching of software updates to function properly. Inbound from the local LAN and not the Internet. |
| 15000 |  |  | ✓ | ✓ | For downloading software patches, port 15000 must be accessible for inbound traffic on the Probe device and for outbound traffic on devices with Agents. Inbound from the local LAN and not the Internet. |

* Port access is only required if you have installed the corresponding product. For example, access to port 1433 is only required if you have installed Report Manager or if you are managing Backup Exec jobs.

Additional requirements on port 443:

To activate EDR, the N-able N-central server needs outbound HTTPS access to port 443 and the following domains:

  • *.sentinelone.net

  • sis.n-able.com

  • keybox.solarwindsmsp.com

Pendo allows us to provide in-UI messaging and guides when there are important changes, new-feature onboarding, or other critical messages that we need to tell you about. You can gain access to these important messages, and help us make important design decisions from usage data, by allowing outbound HTTPS/443 access from your N-central server to the following URLs. Only Windows agents will send data to the app.pendo.io URL.

  • app.pendo.io

  • cdn.pendo.io

  • data.pendo.io

  • pendo-io-static.storage.googleapis.com

  • pendo-static*.storage.googleapis.com

To ensure the flow of information between the N-able N-central server and outside sources, ensure the following domains and URLs are added to your firewall allow list. These domains are needed for outbound communication.

send.n-able.com

The N-able internal FTP server where a partner can upload and download files such as logs, executables and scripts.

This is also the location where you download scripts from Scripto for additional troubleshooting tools for N-able N-central.

Ports required: TCP 20 and 21, ports above UDP 1024 for passive transfer.

sis.n-able.com

A repository of XML files. Each XML lists download links for .exe, patches and so on.

For example, when the agent is installed on a device and needs to download AV Defender, the agent goes to http://sis.n-able.com/GenericFiles.xml and gets the link to download the files compatible with the agent version.

Port required: HTTP (80) and HTTPS (443)

All domains below require port TCP 443.

update.n-able.com

The location where N-able N-central obtains the NSP file for upgrade. It also has .ISO, vdh.gz files for a N-able N-central installation. There is also an alias of this domain at releases.n-able.com.

feeds.n-able.com

The location where the N-able N-central gets RSS feeds.

servermetrics.n-able.com

On-Premise only

When an N-able N-central server is installed, all information about it is sent to the N-able internal Activation Server.

licensing.n-able.com

On-Premise only

Once the N-able N-central server is validated, it communicates with the internal Activation Server to get the full license depending on the contract details.

push.n-able.com

Used for Apple Push Notification service (APN) and CSR certificate request for Mobile Device Management.

scep.n-able.com

Used for MDM installation, pushing the profile to the target device.

sso.navigatorlogin.com

On-Premise only

The login page used for MSP SSO authentication.

msp-sso-proxy.eu-west-1.prd.cdo.system-monitor.com

msp-sso-proxy.us-west-2.prd.cdo.system-monitor.com

MSP SSO proxy URLs used for user enrollment and user changes synchronization.

updatewarranty.com

On-Premise only

Used by N-able N-central to check the warranty expiration dates of managed devices.

microsoft.com

Used for Windows Update, which is needed for Patch Management or any other patch solution software.

https://keybox.n-able.com

Used with Netpath, EDR and future integrated components.

https://keybox.solarwindsmsp.com

Used with Netpath, EDR and future integrated components.

*.sentinelone.net

Used by EDR.

https://api.ecosystem-middleware.eu-central-1.prd.esp.system-monitor.com

https://api.ecosystem-middleware.eu-west-1.prd.esp.system-monitor.com

https://api.ecosystem-middleware.us-west-2.prd.esp.system-monitor.com

https://api.ecosystem-middleware.ap-southeast-2.prd.esp.system-monitor.com

https://ui.ecosystem-middleware.prd.esp.system-monitor.com/

Used by Microsoft Intune.

api.ecosystem-middleware.eu-east-1.prd.esp.system-monitor.com

api.ecosystem-middleware.us-west-1.prd.esp.system-monitor.com

Middleware endpoints.

rest.ecosystem.ap-southeast-2.prd.esp.system-monitor.com

rest.ecosystem.eu-east-1.prd.esp.system-monitor.com

rest.ecosystem.eu-west-1.prd.esp.system-monitor.com

rest.ecosystem.us-west-1.prd.esp.system-monitor.com

Rest endpoints.

grpc.ecosystem.ap-southeast-2.prd.esp.system-monitor.com

grpc.ecosystem.eu-east-1.prd.esp.system-monitor.com

grpc.ecosystem.eu-west-1.prd.esp.system-monitor.com

grpc.ecosystem.us-west-1.prd.esp.system-monitor.com

GRPC endpoints.

cdn.pendo.io

data.pendo.io

pendo-io-static.storage.googleapis.com

pendo-static*.storage.googleapis.com

Used by Pendo to receive data.

Port required: HTTPS (443)

mtls.api.featureflags.prd.sharedsvcs.system-monitor.com

Used for Feature Preview.

assets.prd.esp.system-monitor.com

Used for integrations like DNS Filter and EDR.

integrated.cloudbackup.management

*.cloudbackup.management

secure.n-able.com

Used for Backup integration connections.

*.ap-southeast-2.prd.cdo.system-monitor.com

*.eu-central-1.prd.cdo.system-monitor.com

*.eu-west-1.prd.cdo.system-monitor.com

*.us-west-2.prd.cdo.system-monitor.com

cdn-component.fusion.prd.cdo.system-monitor.com

cdn-notary.pub.prd.cdo.system-monitor.com

Used for modern agent to cloud communications.

The N-able N-central server itself is based on the CentOS 7.x operating system, which was fully patched at the time of the release. Additional updates are distributed as required through the standard N-able N-central Hotfix or Service Pack process. This same process applies to all internal components such as the database and application servers.

N-central server security

N-central incorporates the notion of IP blocking. If the server receives too many invalid requests from the same IP address within a ten-second period, N-central blocks new requests from that IP address. It does not block active requests from the same IP address, such as Agents that hold valid session IDs or users already logged in to the UI. Protections are in place to better manage the session and detect the offending IP address. For N-central to identify the correct IP address that is hammering the server, you will need to set up your firewall to pass the external client IP address along; some firewalls refer to this as "preserve the client IP".
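The same counting rule is worth running on the web-tier access logs, both to see what the server would block and to confirm that the firewall really is preserving the client IP. The following Python script is an added example, not N-able code: it applies a ten-second invalid-request window to constructed access-log lines in an assumed format, and honours `X-Forwarded-For` only when the connecting peer is a trusted proxy, since an untrusted client can set that header to anything. The proxy address, the threshold of five and the log layout are all assumptions; N-central's own threshold is not stated on this page.

```python
"""Find source IPs exceeding an invalid-request budget in a ten-second window.

Added example, not N-able code. Mirrors the blocking rule described above over
constructed access-log lines in an assumed format:
    <peer ip> <X-Forwarded-For or -> [<epoch seconds>] "<request>" <status>
X-Forwarded-For is honoured only when the peer is a trusted proxy; otherwise a
client could spoof the header to shift blame or to get the proxy itself blocked.
"""
import re
from collections import defaultdict

TRUSTED_PROXIES = {"10.0.0.5"}   # assumption: the firewall/proxy that preserves the client IP
WINDOW_SECONDS = 10
THRESHOLD = 5                    # assumption: the real N-central threshold is not published here

LOG_RE = re.compile(r'^(\S+) (\S+) \[(\d+)\] "[^"]*" (\d{3})$')

# Constructed log lines (documentation address ranges, not real clients).
SAMPLE_LOG = [
    '10.0.0.5 198.51.100.23 [1700000001] "POST /login" 401',
    '10.0.0.5 198.51.100.23 [1700000002] "POST /login" 401',
    '10.0.0.5 198.51.100.23 [1700000003] "POST /login" 401',
    '10.0.0.5 198.51.100.23 [1700000004] "POST /login" 401',
    '10.0.0.5 198.51.100.23 [1700000005] "POST /login" 401',
    '10.0.0.5 198.51.100.23 [1700000006] "POST /login" 401',
    '10.0.0.5 192.0.2.10 [1700000003] "GET /" 200',
    '10.0.0.5 192.0.2.10 [1700000004] "POST /login" 401',
    '10.0.0.5 192.0.2.10 [1700000030] "POST /login" 401',
    '203.0.113.9 10.0.0.1 [1700000005] "POST /login" 403',   # untrusted peer: header ignored
    '203.0.113.9 - [1700000006] "POST /login" 403',
]


def client_ip(peer: str, xff: str, trusted_proxies) -> str:
    """Rightmost X-Forwarded-For entry if the peer is a trusted proxy, else the peer itself."""
    if peer in trusted_proxies and xff != "-":
        return xff.split(",")[-1].strip()
    return peer


def parse_line(line: str, trusted_proxies):
    """(client ip, epoch seconds, status) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    peer, xff, ts, status = m.groups()
    return client_ip(peer, xff, trusted_proxies), int(ts), int(status)


def offenders(lines, trusted_proxies=TRUSTED_PROXIES,
              window=WINDOW_SECONDS, threshold=THRESHOLD) -> dict:
    """Client IPs whose invalid (4xx/5xx) requests reach the threshold within one window,
    mapped to the peak count seen in any window."""
    invalid = defaultdict(list)
    for line in lines:
        rec = parse_line(line, trusted_proxies)
        if rec and rec[2] >= 400:
            invalid[rec[0]].append(rec[1])
    result = {}
    for ip, times in invalid.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            result[ip] = peak
    return result


if __name__ == "__main__":
    print("With client IP preserved:", offenders(SAMPLE_LOG))
    print("Without (proxy IP counted):", offenders(SAMPLE_LOG, trusted_proxies=set()))
```

The second call shows the failure mode the paragraph warns about: when the client IP is not passed through, every request appears to come from the proxy, so the proxy address becomes the offender and blocking it would cut off all clients behind it.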

Server Security Management

The N-able N-central server includes an integrated firewall which blocks traffic on unused ports. It is recommended that you use your own IDS/IPS/IAV while following the minimum networking requirements to allow traffic, ports, and IP addresses documented in this Security White Paper and in Online Help.

Internally, the system is built using industry standard best practices including:

  • storage of all user passwords by first encrypting them using one-way encryption

  • strong input type checking

  • user access permissions

  • protection against cross-site scripting (XSS) attacks

Recommended exclusions for third party AV software

N-able N-central software (agents and probes) must be excluded from third party antivirus scans in order to function properly.

N-able recommends that you add the following paths to the list of exclusions from security scans:

Folders

N-able N-central needs read/write access to the following folders and their subfolders:

  • %Programfiles(x86)%\MspPlatform\PME
  • %Programfiles(x86)%\MspPlatform\FileCacheServiceAgent
  • %Programfiles(x86)%\MspPlatform\RequestHandlerAgent
  • %ProgramData%\MspPlatform
  • %programfiles(x86)%\MSP-agent

Applications

N-able N-central needs installation of, and access to, the following applications:

  • %Programfiles(x86)%\MspPlatform\FileCacheServiceAgent\FileCacheServiceAgent.exe
  • %Programfiles(x86)%\MspPlatform\PME\ThirdPartyPatch\7z.exe
  • %Programfiles(x86)%\MspPlatform\PME\Installers\CacheServiceSetup.exe
  • %Programfiles(x86)%\MspPlatform\PME\Installers\RPCServerServiceSetup.exe
  • %Programfiles(x86)%\MspPlatform\PME\Diagnostics\PME.Diagnostics.exe
  • %Programfiles(x86)%\MspPlatform\RequestHandlerAgent\RequestHandlerAgent.exe
  • %programfiles(x86)%\msp-agent\msp-agent-core.exe

Firewall

The firewall must not block the following communication channels:

  • HTTP and HTTPS communication (port 80 and port 443) between the FileCacheServiceAgent Windows service (%Programfiles(x86)%\MspPlatform\FileCacheServiceAgent\FileCacheServiceAgent.exe) and the sis.n-able.com server.

  • If you use a Probe, communication between the FileCacheServiceAgent Windows service and the Probe device on port 15000.

For a complete list of paths you can exclude from security scans, see Global Exclusions in the N-able N-central Online Help. This list includes folders excluded by AV Defender by default.

The Upgrade Process

Upgrading N-able N-central involves not only upgrading the N-able N-central server but also the Agents and Probes that communicate with it. Refer to Upgrading to This Release.

The upgrade process for N-able N-central 2021.3 consists of a number of elements including:

Agent and Probe Upgrade

The N-able N-central server is upgraded.

  1. The first time that the Probe connects to the N-able N-central server after it has been upgraded, the Probe will detect the new version. The Probe will be updated automatically if it has been configured to do so.

  2. After being upgraded, the Probe will automatically download the latest version of the Agent upgrade software and store it in the C:\Program Files (x86)\N-able Technologies\Windows Software Probe\cache directory.

  3. If the Agents have been configured to upgrade automatically, they will:

    1. Ping all of the Probes with which they can communicate to determine which Probe provides the fastest response time.

    2. Download the Agent upgrade software from the fastest Probe they can communicate with, using .NET Remoting over TCP/IP on port 10004.

  4. If the Agents cannot connect to a Probe, they will download the Agent upgrade software directly from the N-able N-central server.
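Two behaviours on this page reduce to the same endpoint-side question, "which of these hosts and ports can I reach, and how quickly": the XMPP signalling channel in the Probe and Agent Communications section prefers port 5280 and falls back to 443, and the Agent upgrade steps above pick the fastest reachable Probe on port 10004 and fall back to the server. The following Python script is an added example that is not N-able code and does not reproduce the Agent's actual implementation; it measures TCP handshake latency to each candidate and applies the preference order described in the text. Hostnames are placeholders for your own. `local_demo()` stands up a loopback listener so the logic can be exercised with no server present.

```python
"""Client-side reachability checks for the paths an Agent or Probe depends on.

Added example, not N-able code. Models two behaviours described on the page:
  * the XMPP signalling channel tries port 5280 first and falls back to 443;
  * Agent upgrades come from the fastest reachable Probe (port 10004), and
    directly from the N-central server when no Probe answers.
"""
import socket
import time
from typing import Optional


def connect_latency(host: str, port: int, timeout: float = 2.0) -> Optional[float]:
    """Seconds to complete a TCP handshake with host:port, or None if unreachable."""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.perf_counter() - start
    except OSError:
        return None


def select_signalling_port(server: str, preferred: int = 5280, fallback: int = 443,
                           timeout: float = 2.0) -> Optional[int]:
    """Port the XMPP channel would use: 5280 if open, else 443, else None."""
    for port in (preferred, fallback):
        if connect_latency(server, port, timeout) is not None:
            return port
    return None


def choose_upgrade_source(probes, server, timeout: float = 2.0):
    """probes: iterable of (host, port) Probe cache endpoints; server: (host, port).

    Returns ("probe", host, port) for the lowest-latency reachable Probe,
    ("server", host, port) when no Probe answers but the server does, else None."""
    timings = []
    for host, port in probes:
        lat = connect_latency(host, port, timeout)
        if lat is not None:
            timings.append((lat, host, port))
    if timings:
        _, host, port = min(timings)
        return ("probe", host, port)
    if connect_latency(*server, timeout=timeout) is not None:
        return ("server", *server)
    return None


def local_demo() -> dict:
    """Offline demonstration: a loopback listener stands in for an open port and a
    port that was bound and released stands in for a blocked one."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(32)                      # backlog large enough for every probe below
    open_port = listener.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                              # nothing listens here now: connections are refused
    lo = "127.0.0.1"
    try:
        return {
            "open_port": open_port,
            "xmpp_port": select_signalling_port(lo, preferred=closed_port, fallback=open_port),
            "xmpp_none": select_signalling_port(lo, preferred=closed_port, fallback=closed_port),
            "probe_choice": choose_upgrade_source([(lo, closed_port), (lo, open_port)], (lo, closed_port)),
            "server_fallback": choose_upgrade_source([(lo, closed_port)], (lo, open_port)),
            "nothing": choose_upgrade_source([(lo, closed_port)], (lo, closed_port)),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for name, value in local_demo().items():
        print(f"{name}: {value}")
    # Against a real deployment (placeholder names, substitute your own):
    # select_signalling_port("ncentral.example.invalid")
    # choose_upgrade_source([("probe1.lan.invalid", 10004)], ("ncentral.example.invalid", 443))
```

In the demo the preferred XMPP port is refused, so the fallback is chosen; the closed Probe is skipped in favour of the open one; and with no Probe reachable the server is used, exactly the order the upgrade steps describe.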

Software Upgrades for Backup Manager and AV Defender

Upgrades for Backup Manager and AV Defender follow the same procedure:

  1. The Windows Probe will communicate with sis.n-able.com to determine the latest upgrade software every hour. If a new version is available, the Windows Probe will download the latest upgrade software.

  2. If software is installed on a device (Backup Manager or AV Defender), the Agent will communicate via port 443 with the Windows Probe (or Probes) on the network to determine if it is running the latest version.

  3. The Agent will download the upgrade software from the Probe using the .NET Remote API mechanism.

For Backup Manager, if the Agent cannot download the upgrade software from a Probe, it will download it directly from http://rmdmdownloads.ca.com.

The N-able N-central server will connect with sis.n-able.com on an hourly basis to check for new upgrades. If a newer version of the software is available, the appropriate service (for example, the AV Defender Status service for AV Defender) will transition to a Warning state until the software on that device is upgraded.