Network Requirements
On-Premise: Set up port access requirements

Access must be permitted to the following ports:
Port Number | Port Location | Description | |||||
---|---|---|---|---|---|---|---|
N-able N-central Server | Managed Device | ||||||
Inbound | Outbound | Inbound | Outbound | ||||
20 |
|
Ö |
|
|
Used for FTP connections, particularly when configured for backups. |
||
21 |
|
Ö |
|
|
Used for FTP connections, particularly when configured for backups. | ||
22 |
Ö |
|
|
Ö |
SSH - used for remote control sessions. The firewall must be configured to allow access from the Internet to this port on the N-able N-central server. |
||
25 |
|
Ö |
|
|
SMTP - used for sending mail. |
||
53 |
|
Ö |
|
|
Used for DNS. |
||
80 |
Ö |
Ö |
|
Ö |
HTTP - used for communication between the N-able N-central and agents or probes. N-able N-central recommends that you block all access from the internet to this port on the N-able N-central server, unless it is absolutely required. This port may be closed in a future release. This port must also be open for outbound traffic if the N-able N-central server is monitoring HTTP services on remote managed devices. |
||
123 |
|
Ö |
|
|
Used by the NTP Date service which keeps the server clock synchronized. Normally using UDP (although some servers can use TCP). |
||
135 |
|
|
Ö |
|
Used by Agents and Probes for WMI queries to monitor various services. Inbound from the Windows Probe to the Windows Agent. |
||
139 |
|
|
Ö |
|
Used by Agents and Probes for WMI queries to monitor various services. Inbound from the Windows Probe to the Windows Agent. |
||
443 |
Ö |
Ö |
|
Ö |
HTTPS - used for communication between N-able N-central and Agents or Probes (including MSP Connect and MSP Anywhere). Your firewall must be configured to allow access from the Internet to this port on the N-able N-central server. This port must be open for outbound traffic if the N-able N-central server is monitoring HTTPS services on remote managed devices. Backup Manager on endpoint devices uses Port 443 TCP outbound. It is almost always open on workstations but may be closed on servers. Used by Agents and Probes as a failover for XMPP traffic when they cannot reach N-centralon port 5280. To activate EDR the N-able N-central server needs outbound HTTPS access to port 443 and the following domains:
Pendo allows us to provide in-UI messaging and guides when there are important changes, new features onboarding, or other critical messages that we need to tell you about. You can gain access to these important messages, and help us make important design decisions from usage data, by allowing outbound HTTPS/443 access from your N-central server to the following URLs:
|
||
445 |
|
|
Ö |
|
Used by Agents and Probes for WMI queries to monitor various services. |
||
1234 |
Ö |
Ö |
Used by MSP Connect in UDP mode. |
||||
1235 |
Ö |
Ö |
|||||
1433 |
|
* |
* |
* |
Outbound on the N-able N-central server, port 1433 is used by Report Manager for data export. On managed devices, it is also used by Agents (inbound) and Probes (out- bound) to monitor Backup Exec jobs. Inbound from the local LAN and not the Internet. |
||
|
|||||||
5000 |
Ö |
Backup Manager will use local port 5000. If this port is unavailable, Backup Manager will detect a free port automatically (starting from 5001, 5002 and up). |
|||||
5280 |
Ö | Ö |
Used by Agents and Probes for XMPP traffic. Outbound access to port 5280 for Managed Devices is recommended but not required. |
||||
8014 |
|
|
Ö |
|
Backup Manager requires access to port 8014. This value cannot be modified. Inbound from the local LAN and not the Internet. |
||
8443 |
Ö |
Ö |
|
Ö |
The default port for the N-central UI. TCP port 8443 is used for TLS (HTTPS) connections to the N-central Web UI. Your firewall may be configured to allow access from the internet to this port on the N-able N-central server, if you require Web UI access outside of the network N-central is deployed to. You can change this port number in the N-central Administrator menu, under "Network Setup". |
||
8800 | Ö |
The Feature Flag System in N-able N-central needs to talk to mtls.api.featureflags.prd.sharedsvcs.system-monitor.com. Used by N-able – generally during Early Access Preview and Release Candidate testing – to enable and disable features within N-able N-central.
|
|||||
10000 |
Ö |
|
|
|
HTTPS - used for access to the N-able N-central Administration Console (NAC). The firewall must be configured to allow access from the Internet to this port on the N-able N-central server. N-able recommends excluding all other inbound traffic to port 10000 except from N-able Ports for Support section below. |
||
10004 |
|
|
Ö |
Ö |
N-able N-central Agents must be able to communicate with a Probe on the network over port 10004 in order for Probe caching of software updates to function properly. Inbound from the local LAN and not the Internet. |
||
15000 |
|
|
Ö |
Ö |
For downloading software patches, port 15000 must be accessible for inbound traffic on the Probe device while it must be accessible for outbound traffic on devices with Agents. Inbound from the local LAN and not the Internet. |

N-central uses a cloud service called LaunchDarkly for enabling and disabling features. This can include existing features that are generally available and upcoming features that are in preview.To ensure the flow of information between the N-central server and LaunchDarkly, ensure that the following URIs are added to your firewall allow list:
URI |
https://stream.launchdarkly.com |
https://sdk.launchdarkly.com or https://app.launchdarkly.com |
https://events.launchdarkly.com |

The table below outlines the TCP open port configurations required to send/receive push notifications for MDM.
Port Number | Port Location | Description | |||
---|---|---|---|---|---|
N-able N-central Server | Target Network Server | ||||
Inbound | Outbound | Inbound | Outbound | ||
80 |
|
Ö |
Ö |
|
|
443 |
|
Ö |
Ö |
|
|
2195 |
Ö |
Access to ports 2195 and 2196 must be granted to gateway.push-apple.com.akadns.net. |
|||
2196 |
Ö |
||||
5222 |
Ö |
||||
5223 |
Ö |
||||
5228 |
Ö |
TCP and UDP mode. |

Ports used for AV Defender and other services include:
Port | Source/Destination | Description |
---|---|---|
80 |
submit.bitdefender.com |
Port used for submitting endpoint dumps in case of crashes. |
update-solarwinds.2d585.cdn.bitdefender.net | Bitdefender update server. | |
upgrade.bitdefender.com | Bitdefender upgrade server. | |
lv2.bitdefender.com | License validation. | |
53 | *.v1.bdnsrt.org | DNS requests for signature update checks. |
7074 | Update Server | Downloading updates from local Update Server. An update server cannot acquire updates from another local Update Server; it is not possible to cascade them. |
443 | avc-fu.nimbus.bitdefender.net | Antimalware behavior scanning with Bitdefender Cloud servers. |
nimbus.bitdefender.net/elam/blob | Early Launch Anti-Malware (ELAM) cloud server. | |
elam-fu.nimbus.bitdefender.net/submission | Submission to Bitdefender cloud servers of unrecognized applications by Early Launch Anti-Malware (ELAM) module. | |
nimbus.bitdefender.net | Antimalware, antiphishing and content control scanning with Bitdefender Cloud servers. |
The Probe automatically creates firewall rules for these ports.
To ensure signature updates and minor updates to AV Defender can occur, ensure that DNS and outbound TCP port 80 access to http://upgrade.bitdefender.com are available through the firewall.

You can also configure N-able N-central to communicate with Report Manager over port 80 or 443.
If you choose 443, you must setup the proper SSL certificate.
Configure the external and internal addresses by opening the Report Manager administration console and clicking System setup and logs > Server IP Configuration and setting the External and Internal IP address.
The internal address or FQDN must be accessible from N-able N-central over port 1433 and either port 80 or 443.

When using Remote Desktop for remote connections, configure the following ports:
- On the Operator Machine:
- TCP 443 outbound (required)
- TCP 22 outbound (recommended for best remote control experience) to N-central
- For the Target Machine/Probe:
- TCP 443 outbound (required)
- TCP 22 outbound (recommended for best remote control experience) to N-central
- For the Probe:
- If using a probe as the connecting device, it must be able to reach the Target Machine on port 3389 (or custom port if specified) on the local network (and N-central as above).

The ports identified in the tables below must be accessible for Take Control (MSP Anywhere) remote control connections.
macOS uses TCP Mode only.
TCP Mode (Required)
If the agent has a direct TCP port configured, the same port must be open at the agent's firewall and be accessible by the viewer.
Port Number | Port Location | |||
---|---|---|---|---|
Take Control Viewer | Target Device | |||
Inbound | Outbound | Inbound | Outbound | |
Port 80 |
Ö | Ö | ||
Port 443 |
Ö | Ö | ||
Port 3377 Take Control fails over to this port as an alternative connection method. |
Ö | Ö |
TCP Port usage in N-central is optional and used to directly connect a Technician's device to remote devices on the same local network instead of using the application's gateways (outside the local network) to broker the connection.
Note: When any associated Firewall rules are disabled or removed, direct connection becomes unavailable and all connections are routed externally, even when both devices are in the same local network.
The Attempt peer-to-peer connection first option is meant only for peer-to-peer connections with devices outside the local network. The option attempts to make a P2P UDP connection to the device. It has no impact on peer-to-peer connections with local network devices, when traffic is allowed over TCP Port 5948. The option is not needed for remote control but the port will always be used unless it is disabled in the agent configuration file. In the rarest cases where the device is accessible on the internet it can also be used for P2P even not within the same LAN.
When using Take Control, the N-able N-central server, remote endpoints, and devices running the Viewer (those devices that are used to establish the remote session) must be able to resolve and reach hosts with the following domain names:
-
*.n-able.com
-
sis.n-able.com
The following domain also needs to be resolved for update downloads:
-
swi-rc.cdn-sw.net
IP addresses in the range 38.71.16.x are used to download product updates.
When using MSP Anywhere, the N-able N-central server must be able to resolve the following domain names:
-
*.beanywhere.com
-
mspa.n-able.com
-
*.pubnub.com
UDP Mode (Optional)
Take Control can use the UDP transmission model to connect to devices in addition to TCP.
Initially, the Take Control viewer requires access to port 1234. After the system administrator modifies the firewall to enable the identified IP addresses to communicate with the server, the ports can be random.
Port Number | Port Location | |||
---|---|---|---|---|
Take Control Viewer | Target Device | |||
Inbound | Outbound | Inbound | Outbound | |
Port 1234 |
Ö | Ö | ||
Port 1235 |
Ö | Ö |
-
BASupApp.exe
-
BASupTSHelper.exe
-
agent.exe
-
AgentMaint.exe
-
NCentralRDViewer.exe
-
BASEClient.exe

Port 443 TCP outbound. It is almost always open on workstations but may be closed on servers.
Local port 5000. If this port is unavailable, the Backup Manager detects a free port automatically (starting from 5001, 5002 and up).
In most cases, no firewall configuration is required.

Port/Type | Protocol | Source | Destination | Description |
---|---|---|---|---|
Type: 11 (ICMP Time Exceeded) | ICMP | Networking devices along your path | NetPath probe | Used by NetPath probe to discover network paths. |
Port: User Configured | TCP | NetPath agent | Path destination | Used by NetPath probe to discover the service status over the entered path port. |
Port 43 | TCP | Main polling engine | BGP data providers | Used by NetPath to query IP ownership and other information about the discovered IP addresses. |

These are the minimum port and IP address requirements for N-able Support to troubleshoot your N-able N-central server. Review these requirements to help Support resolve your issue.
Port Access Requirements
For N-able Technical Support to troubleshoot and diagnose your issue, you will need to permit the following incoming connections to N-able N-central:
- TCP Port 22 (SSH) is used for Remote Control sessions (Web, SSH, Telnet, Custom) and by N-able Support.
- TCP Port 8443 (HTTPS) is used for UI and agent/probe communication.
- TCP Port 443 (HTTPS) is used for UI and agent/probe communication.
The following outbound access is required from your N-able N-central server to troubleshoot it:
- TCP Ports 20, 21 (FTP) for backing up N-able N-central and by N-able Support to update their tools.
- TCP Port 25 (SMTP) for sending email from N-able N-central if not using a local mail relay.
- TCP/UDP Port 53 (DNS) is used for DNS lookups.
- TCP/UDP Port 123 (NTP) to keep the N-able N-central server clock in sync.
- TCP Port 1433 is used by N-able N-central to export data to Report Manager if enabled.
Required inbound access IPs
N-able Support
Open access to all the listed IP addresses. Although most Support connections will come from your local Support office, some shifts are covered by other offices.
Americas
- 32.60.115.209-222 – Ottawa, Ontario, Canada (Support and Development)
- 207.35.253.229 – Ottawa, Ontario, Canada (Support and Development)
- 209.120.234.64-79 – Ottawa, Ontario, Canada (Support and Development)
- 216.85.162.34 – Durham, North Carolina, United States of America (Support)
- 4.35.232.2 – Durham, North Carolina, United States of America (Support)
- 174.99.133.19 – Durham, North Carolina, United States of America (Support)
-
4.7.118.146 - Durham, North Carolina, United States of America (Support)
APAC
- 122.53.149.180 – Manila, Philippines (Support)
- 122.53.149.190 – Manila, Philippines (Support)
- 120.28.59.197 – Manila, Philippines (Support)
- 122.3.252.208/28 – Manila, Philippines (Support)
- 180.232.22.208/29 – Manila, Philippines (Support)
EMEA
- 62.253.153.163 – Dundee, Scotland (Support)
- 212.187.250.0/28 – Dundee, Scotland (Support)
- 62.28.208.190 – Lisbon, Portugal (Support and Development)
- 62.209.223.224-255 – Brno, Czech Republic (Development)
- 82.113.44.0-31 – Brno, Czech Republic (Development)
- 128.140.241.11 – Minsk, Republic of Belarus (Development)
- 78.11.93.114 – Krakow, Poland (Development)
- 82.177.176.130 – Krakow, Poland (Development)
Mothership monitoring, licensing updates and renewals
- mothership.n-able.com - Primary Mothership Monitoring
- mothership2.n-able.com - Supplemental Mothership Monitoring
- licensing.n-able.com - Activations, License Renewals, License Updates
Required Outbound Domain Access
The N-able server must be able to resolve and access over FTP - TCP ports 20, 21, UDP ports above 1024 for Passive Transfer, the following domain name:
- send.n-able.com
The N-able N-central server must be able to resolve and access over TCP port 8443 (HTTPS) and 443 (HTTPS), the following domain name:
- sis.n-able.com
The N-able N-central server must be able to resolve and access using HTTPS TCP port 443, the following domain names:
- update.n-able.com
- feeds.n-able.com
- servermetrics.n-able.com
- push.n-able.com
- scep.n-able.com
- licensing.n-able.com
- updatewarranty.com
- microsoft.com
- https://keybox.n-able.com
- https://ui.netpath.n-able.com
Hosted & On-Premise: Set up the firewall to allow traffic to domains
To ensure the flow of information between the N-able N-central server and outside sources, ensure the following domains and URLs are added to your firewall allow list. These domains are needed for outbound communication.
send.n-able.com |
The N-able internal FTP server where a partner can upload and download files such as logs, executables and scripts. This is also the location where you download scripts from Scripto for additional troubleshooting tools for N-able N-central. Ports required: TCP 20 and 21, ports above UDP 1024 for passive transfer. |
sis.n-able.com |
A repository of XML files. Each XML lists download links for .exe, patches and so on. For example, when the agent is installed on a device and it needs to download AV Defender, the agent goes to http://sis.n-able.com/GenericFiles.xml and get the link to download the files compatible for the agent version. Port required: HTTP (80) and HTTPS (443) |
All domains below require port TCP 443. |
|
update.n-able.com |
The location where N-able N-central obtains the NSP file for upgrade. It also has .ISO, vdh.gz files for a N-able N-central installation. There is also an alias of this domain at releases.n-able.com. |
feeds.n-able.com |
The location where the N-able N-central gets RSS feeds. |
sis.n-able.com |
A repository of XML files. Each XML lists download links for .exe, patches and so on. |
servermetrics.n-able.com On-Premise only |
When an N-able N-central server is installed, all information about it is sent to the N-able internal Activation Server. |
licensing.n-able.com On-Premise only |
Once the N-able N-central server is validated, it communicates with the internal Activation Server to get the full license depending on the contract details. |
push.n-able.com |
Used for Apple Push Notification service (APN) and CSR certificate request for Mobile Device Management. |
scep.n-able.com |
Used for MDM installation, pushing profile to the target device |
updatewarranty.com On-Premise only |
Used by N-able N-central to check the warranty expiration dates of managed devices. |
microsoft.com |
Used For Windows Update, which is needed for Patch Management or any other patch solution software. |
https://keybox.n-able.com |
Used with Netpath, EDR and future integrated components. |
https://keybox.solarwindsmsp.com | Used with Netpath, EDR and future integrated components. |
*.sentinelone.net |
Used by EDR. |
https://api.ecosystem-middleware.eu-central-1.prd.esp.system-monitor.com https://api.ecosystem-middleware.eu-west-1.prd.esp.system-monitor.com https://api.ecosystem-middleware.us-west-2.prd.esp.system-monitor.com https://api.ecosystem-middleware.ap-southeast-2.prd.esp.system-monitor.com https://ui.ecosystem-middleware.prd.esp.system-monitor.com/ |
Used by Microsoft Intune. |
api.ecosystem-middleware.eu-east-1.prd.esp.system-monitor.com api.ecosystem-middleware.us-west-1.prd.esp.system-monitor.com |
Middleware endpoints. |
rest.ecosystem.ap-southeast-2.prd.esp.system-monitor.com rest.ecosystem.eu-east-1.prd.esp.system-monitor.com rest.ecosystem.eu-west-1.prd.esp.system-monitor.com rest.ecosystem.us-west-1.prd.esp.system-monitor.com |
Rest endpoints. |
grpc.ecosystem.ap-southeast-2.prd.esp.system-monitor.com grpc.ecosystem.eu-east-1.prd.esp.system-monitor.com grpc.ecosystem.eu-west-1.prd.esp.system-monitor.com grpc.ecosystem.us-west-1.prd.esp.system-monitor.com |
GRPC endpoints. |
cdn.pendo.io data.pendo.io pendo-io-static.storage.googleapis.com pendo-static*.storage.googleapis.com |
Used by Pendo to receive data. Port required: HTTPS (443) |
mtls.api.featureflags.prd.sharedsvcs.system-monitor.com | Used for Feature Preview. |
assets.prd.esp.system-monitor.com | Used for Integrations like DNS Filter and EDR. |