Firewall Requirements

Hosted & On-Premises

To ensure the flow of information between the N-able N-central server and outside sources, ensure the following domains and URLs are added to your firewall allow list. These domains are needed for outbound communication.

sis.n-able.com	A repository of XML files. Each XML lists download links for .exe, patches and so on. For example, when the agent is installed on a device and it needs to download AV Defender, the agent goes to http://sis.n-able.com/GenericFiles.xml and get the link to download the files compatible for the agent version. Port required: HTTP (80) and HTTPS (443)
All domains below require port TCP 443.
update.n-able.com	The location where N-able N-central obtains the NSP file for upgrade. It also has .ISO, vdh.gz files for a N-able N-central installation. There is also an alias of this domain at releases.n-able.com.
feeds.n-able.com	The location where the N-able N-central gets RSS feeds.
sis.n-able.com	A repository of XML files. Each XML lists download links for .exe, patches and so on.
Licensing
servermetrics.n-able.com On-Premises only	When an N-able N-central server is installed, all information about it is sent to the N-able internal Activation Server.
licensing.n-able.com On-Premises only	Once the N-able N-central server is validated, it communicates with the internal Activation Server to get the full license depending on the contract details.
MDM
push.n-able.com	Used for Apple Push Notification service (APN) and CSR certificate request for Mobile Device Management.
scep.n-able.com	Used for MDM installation, pushing profile to the target device
SSO
sso.navigatorlogin.com On-Premises only	The login page used for MSP SSO authentication.
msp-sso-proxy.eu-west-1.prd.cdo.system-monitor.com msp-sso-proxy.us-west-2.prd.cdo.system-monitor.com	MSP SSO proxy URLs used for user enrollment and user changes synchronization.
updatewarranty.com On-Premises only	Used by N-able N-central to check the warranty expiration dates of managed devices.
Windows Updates
microsoft.com	Used For Windows Update, which is needed for Patch Management or any other patch solution software.
.delivery.mp.microsoft.com .update.microsoft.com tsfe.trafficshaping.dsp.mp.microsoft.com *.prod.do.dsp.mp.microsoft.com	Specific Microsoft domains used to support their update infrastructure.
EDR
https://keybox.n-able.com	Used with EDR and future integrated components.
https://keybox.solarwindsmsp.com	Used with EDR and future integrated components.
*.sentinelone.net	Used by EDR.
Ecosystem
https://api.ecosystem-middleware.eu-central-1.prd.esp.system-monitor.com https://api.ecosystem-middleware.eu-west-1.prd.esp.system-monitor.com https://api.ecosystem-middleware.us-west-2.prd.esp.system-monitor.com https://api.ecosystem-middleware.ap-southeast-2.prd.esp.system-monitor.com https://ui.ecosystem-middleware.prd.esp.system-monitor.com/	Used by Microsoft Intune.
api.ecosystem-middleware.eu-east-1.prd.esp.system-monitor.com api.ecosystem-middleware.us-west-1.prd.esp.system-monitor.com	Middleware endpoints.
rest.ecosystem.ap-southeast-2.prd.esp.system-monitor.com rest.ecosystem.eu-east-1.prd.esp.system-monitor.com rest.ecosystem.eu-west-1.prd.esp.system-monitor.com rest.ecosystem.us-west-1.prd.esp.system-monitor.com	Rest endpoints.
grpc.ecosystem.ap-southeast-2.prd.esp.system-monitor.com grpc.ecosystem.eu-east-1.prd.esp.system-monitor.com grpc.ecosystem.eu-west-1.prd.esp.system-monitor.com grpc.ecosystem.us-west-1.prd.esp.system-monitor.com	GRPC endpoints.
Pendo
cdn.pendo.io data.pendo.io pendo-io-static.storage.googleapis.com pendo-static*.storage.googleapis.com	Used by Pendo to receive data. Port required: HTTPS (443)
Feature Flags
mtls.api.featureflags.prd.sharedsvcs.system-monitor.com	Used for Feature Preview.
assets.prd.esp.system-monitor.com	Used for Integrations like EDR.
integrated.cloudbackup.management *.cloudbackup.management secure.n-able.com	Used for Backup integration connections.
Modern Agent
*.prd.cdo.system-monitor.com cdn-component.fusion.prd.cdo.system-monitor.com cdn-notary.pub.prd.cdo.system-monitor.com	Used for modern agent to cloud communications.
eb.eu-west-1.prd.davinci.system-monitor.com eb.us-west-2.prd.davinci.system-monitor.com eb.ap-southeast-2.prd.davinci.system-monitor.com eb.eu-central-1.prd.davinci.system-monitor.com a33d8yamkwy4nx-ats.iot.eu-west-1.amazonaws.com (or where wildcards can be used - .iot.eu-west-1.amazonaws.com) a33d8yamkwy4nx-ats.iot.us-west-2.amazonaws.com (or use wildcards - .iot.us-west-2.amazonaws.com) a33d8yamkwy4nx-ats.iot.eu-central-1.amazonaws.com (or use wildcards -.iot.eu-central-1.amazonaws.com) a33d8yamkwy4nx-ats.iot.ap-southeast-2.amazonaws.com (or use wildcards -.iot.ap-southeast-2.amazonaws.com)	These endpoints are required for the Modern Agent features. Port required: 8088 (TCP)

LaunchDarkly URLs

N-central uses a cloud service called LaunchDarkly for enabling and disabling features. This can include existing features that are generally available and upcoming features that are in preview. To ensure the flow of information between the N-central server and LaunchDarkly, ensure that the following URLs are added to your firewall allow list:

URL
https://stream.launchdarkly.com
https://sdk.launchdarkly.com or https://app.launchdarkly.com
https://events.launchdarkly.com

Take Control

Outbound network traffic must be allowed on both the Take Control Viewer and Agent sides for the following domains, over TCP Port 443 (https):

swi-rc.cdn-sw.net
*.n-able.com
*.mspa.n-able.com
*global.mspa.n-able.com
*.us1.mspa.n-able.com
*.us2.mspa.n-able.com
*.eu1.mspa.n-able.com

Almost all of the above Firewall Rules require the use of wildcard exclusions, which are not supported by some vendors. As an alternative, the Firewall Rules can be configured as follows:

Allow outbound communications to any IP Addresses over TCP Port 3377 (used to communicate with the Take Control Gateways).
Allow outbound communication over TCP Port 443 (https) for the following URLs:

swi-rc.cdn-sw.net
comserver.global.mspa.n-able.com
comserver.us1.mspa.n-able.com
comserver.us2.mspa.n-able.com
comserver.eu1.mspa.n-able.com
comserver-hb-eu1-fra.n-able.com
comserver-hb-eu1-iad1.n-able.com
comserver-hb-us0-iad1.n-able.com
comserver-hb-us0-lax.n-able.com
comserver-hb-us1-iad2.n-able.com
comserver-hb-us1-lax.n-able.com
comserver-hb-us2-lax.n-able.com
comserver-hb-us2-iad2.n-able.com

Required inbound access IPs

N-able Support

Open access to all the listed IP addresses. Although most Support connections will come from your local Support office, some shifts are covered by other offices.

Americas

32.60.115.209-222 – Ottawa, Ontario, Canada (Support and Development)
207.35.253.229 – Ottawa, Ontario, Canada (Support and Development)
209.120.234.64-79 – Ottawa, Ontario, Canada (Support and Development)
216.85.162.34 – Durham, North Carolina, United States of America (Support)
4.35.232.2 – Durham, North Carolina, United States of America (Support)
174.99.133.19 – Durham, North Carolina, United States of America (Support)
4.7.118.146 - Durham, North Carolina, United States of America (Support)

APAC

122.53.149.180 – Manila, Philippines (Support)
122.53.149.190 – Manila, Philippines (Support)
120.28.59.197 – Manila, Philippines (Support)
122.3.252.208/28 – Manila, Philippines (Support)
180.232.22.208/29 – Manila, Philippines (Support)
116.50.225.187 – Manila, Philippines (Support)

EMEA

208.70.88.4 - Dundee, Scotland (Support)
62.253.153.163 – Dundee, Scotland (Support)
212.187.250.0/28 – Dundee, Scotland (Support)
62.28.208.190 – Lisbon, Portugal (Support and Development)
78.11.93.114 – Krakow, Poland (Development)
82.177.176.130 – Krakow, Poland (Development)

Required Outbound Domain Access

The N-able N-central server must be able to resolve and access over TCP port 8443 (HTTPS) and 443 (HTTPS), the following domain name:

sis.n-able.com

The N-able N-central server must be able to resolve and access using HTTPS TCP port 443, the following domain names:

update.n-able.com
feeds.n-able.com
servermetrics.n-able.com
push.n-able.com
scep.n-able.com
licensing.n-able.com
updatewarranty.com
microsoft.com
https://keybox.n-able.com
api.openai.com

Licensing updates and renewals

mothership.n-able.com - Primary Mothership Monitoring (Deprected on April 1, 2025)
mothership2.n-able.com - Supplemental Mothership Monitoring (Deprected on April 1, 2025)
licensing.n-able.com - Activations, License Renewals, License Updates

Mothership monitoring: This was a service provided by N-able as a solution to externally monitor partners N-central servers for various services. including Connectivity. The Mothership monitoring service was deprecated on April 1, 2025, and you no longer need to add the Mothership URLs to your allow list.

Required Outbound Domain Access

The N-able N-central server must be able to resolve and access over TCP port 8443 (HTTPS) and 443 (HTTPS), the following domain name:

sis.n-able.com

The N-able N-central server must be able to resolve and access using HTTPS TCP port 443, the following domain names:

update.n-able.com
feeds.n-able.com
servermetrics.n-able.com
push.n-able.com
scep.n-able.com
licensing.n-able.com
updatewarranty.com
microsoft.com
https://keybox.n-able.com
api.openai.com

Additional Information

In addition to the firewall requirements, other areas that should be taken into consideration include:

Firewall Requirements

Hosted & On-Premises

N-central URLs (region-specific):

Power BI URLs (region-specific):

N-able Support

Americas

APAC

EMEA

Required Outbound Domain Access

Required Outbound Domain Access

Additional Information