Port Access Requirements

Access must be permitted to the following ports:

Port Number	Port Location				Description
	N-able N-central Server		Managed Device
	Inbound	Outbound	Inbound	Outbound
20		Ö			Used for FTP connections, particularly when configured for backups.
21		Ö			Used for FTP connections, particularly when configured for backups.
22*	Ö			Ö	SSH - used for remote control sessions. The firewall must be configured to allow access from the Internet to this port on the N-able N-central server. (*OPTIONAL)
25		Ö			SMTP - used for sending mail.
53		Ö			Used for DNS.
80	Ö	Ö		Ö	HTTP - used for communication between the N-able N-central and agents or probes. N-able N-central recommends that you block all access from the internet to this port on the N-able N-central server, unless it is absolutely required. This port may be closed in a future release. This port must also be open for outbound traffic if the N-able N-central server is monitoring HTTP services on remote managed devices.
123		Ö			Used by the NTP Date service which keeps the server clock synchronized. Normally using UDP (although some servers can use TCP).
135			Ö		Used by Agents and Probes for WMI queries to monitor various services. Inbound from the Windows Probe to the Windows Agent.
139			Ö		Used by Agents and Probes for WMI queries to monitor various services. Inbound from the Windows Probe to the Windows Agent.
443	Ö	Ö		Ö	HTTPS - used for communication between N-able N-central and Agents or Probes (including MSP Connect and MSP Anywhere). Your firewall must be configured to allow access from the Internet to this port on the N-able N-central server. This port must be open for outbound traffic if the N-able N-central server is monitoring HTTPS services on remote managed devices. Backup Manager on endpoint devices uses Port 443 TCP outbound. It is almost always open on workstations but may be closed on servers. Used by Agents and Probes as a failover for XMPP traffic when they cannot reach N-centralon port 5280. To activate EDR the N-able N-central server needs outbound HTTPS access to port 443 and the following domains: *.sentinelone.net sis.n-able.com keybox.solarwindsmsp.com Pendo allows us to provide in-UI messaging and guides when there are important changes, new features onboarding, or other critical messages that we need to tell you about. You can gain access to these important messages, and help us make important design decisions from usage data, by allowing outbound HTTPS/443 access from your N-central server to the following URLs: Only windows agents will send data to the app.pendo.io URL. app.pendo.io cdn.pendo.io data.pendo.io pendo-io-static.storage.googleapis.com pendo-static*.storage.googleapis.com
445			Ö		Used by Agents and Probes for WMI queries to monitor various services.
1234		Ö		Ö	Used by MSP Connect in UDP mode.
1235		Ö		Ö
1433		*	*	*	Outbound on the N-able N-central server, port 1433 is used by Report Manager for data export. On managed devices, it is also used by Agents (inbound) and Probes (out- bound) to monitor Backup Exec jobs. Inbound from the local LAN and not the Internet.
	* Port access is only required if you have installed the corresponding product. For example, access to port 1433 is only required if you have installed Report Manager or if you are managing Backup Exec jobs.
5000		Ö			Backup Manager will use local port 5000. If this port is unavailable, Backup Manager will detect a free port automatically (starting from 5001, 5002 and up).
5280	Ö			Ö	Used by Agents and Probes for XMPP traffic. Outbound access to port 5280 for Managed Devices is recommended but not required.
8014			Ö		Backup Manager requires access to port 8014. This value cannot be modified. Inbound from the local LAN and not the Internet.
8088		Ö			HTTPS – Used for communications to the N-able event communication system to enable communications between N-able cloud and N-central server.
8443	Ö	Ö		Ö	The default port for the N-central UI. TCP port 8443 is used for TLS (HTTPS) connections to the N-central Web UI. Your firewall may be configured to allow access from the internet to this port on the N-able N-central server, if you require Web UI access outside of the network N-central is deployed to. You can change this port number in the N-central Administrator menu, under "Network Setup".
8800		Ö			The Feature Flag System in N-able N-central needs to talk to mtls.api.featureflags.prd.sharedsvcs.system-monitor.com. Used by N-able – generally during Early Access Preview and Release Candidate testing – to enable and disable features within N-able N-central.
10000	Ö				HTTPS - used for access to the N-able N-central Administration Console (NAC). The firewall must be configured to allow access from the Internet to this port on the N-able N-central server. N-able recommends excluding all other inbound traffic to port 10000 except from N-able Ports for Support section below.
10004			Ö	Ö	N-able N-central Agents must be able to communicate with a Probe on the network over port 10004 in order for Probe caching of software updates to function properly. Inbound from the local LAN and not the Internet.
15000			Ö	Ö	For downloading software patches, port 15000 must be accessible for inbound traffic on the Probe device while it must be accessible for outbound traffic on devices with Agents. Inbound from the local LAN and not the Internet.

See Also

Network Security Profiles - ciphers supported

N-central Analytics requires specific N-central and Power BI URLs for Analytics to work properly:

N-central URLs (region-specific):

• https://us.prd.relay.system-monitor.com
• https://eu-w.prd.relay.system-monitor.com
• https://eu-c.prd.relay.system-monitor.com
• https://ap.prd.relay.system-monitor.com

Power BI URLs (region-specific):

• https://authnproxy.powerbiapi.apse2.prd.ar.system-monitor.com

• https://authnproxy.powerbiapi.uswe2.prd.ar.system-monitor.com

• https://authnproxy.powerbiapi.euwe1.prd.ar.system-monitor.com

• https://authnproxy.powerbiapi.euce1.prd.ar.system-monitor.com

N-central uses a cloud service called LaunchDarkly for enabling and disabling features. This can include existing features that are generally available and upcoming features that are in preview. To ensure the flow of information between the N-central server and LaunchDarkly, ensure that the following URLs are added to your firewall allow list:

URL

https://stream.launchdarkly.com

https://sdk.launchdarkly.com or https://app.launchdarkly.com

https://events.launchdarkly.com

The table below outlines the TCP open port configurations required to send/receive push notifications for MDM.

Port Number	Port Location				Description
	N-able N-central Server		Target Network Server
	Inbound	Outbound	Inbound	Outbound
80		Ö	Ö
443		Ö	Ö
2195		Ö			Access to ports 2195 and 2196 must be granted to gateway.push-apple.com.akadns.net.
2196		Ö
5222			Ö
5223			Ö
5228			Ö		TCP and UDP mode.

Ports used for AV Defender and other services include:

Port	Source/Destination	Description
80	submit.bitdefender.com	Port used for submitting endpoint dumps in case of crashes.
	https://custom-update-server.logicnow.us	Bitdefender update server.
	upgrade.bitdefender.com	Bitdefender upgrade server.
	lv2.bitdefender.com	License validation.
53	*.v1.bdnsrt.org	DNS requests for signature update checks.
7074	Update Server	Downloading updates from local Update Server. An update server cannot acquire updates from another local Update Server; it is not possible to cascade them.
443	avc-fu.nimbus.bitdefender.net	Antimalware behavior scanning with Bitdefender Cloud servers.
	nimbus.bitdefender.net/elam/blob	Early Launch Anti-Malware (ELAM) cloud server.
	elam-fu.nimbus.bitdefender.net/submission	Submission to Bitdefender cloud servers of unrecognized applications by Early Launch Anti-Malware (ELAM) module.
	nimbus.bitdefender.net	Antimalware, antiphishing and content control scanning with Bitdefender Cloud servers.

The Probe automatically creates firewall rules for these ports.

To ensure signature updates and minor updates to AV Defender can occur, ensure that DNS and outbound TCP port 80 access to http://upgrade.bitdefender.com are available through the firewall.

You can also configure N-able N-central to communicate with Report Manager over port 80 or 443.

If you choose 443, you must setup the proper SSL certificate.

Configure the external and internal addresses by opening the Report Manager administration console and clicking System setup and logs > Server IP Configuration and setting the External and Internal IP address.

The internal address or FQDN must be accessible from N-able N-central over port 1433 and either port 80 or 443.

When using Remote Desktop for remote connections, configure the following ports:

• On the Operator Machine:
  • TCP 443 outbound (required)
  • TCP 22 outbound (recommended for best remote control experience) to N-central
• For the Target Machine/Probe:
  • TCP 443 outbound (required)
  • TCP 22 outbound (recommended for best remote control experience) to N-central
• For the Probe:
  • If using a probe as the connecting device, it must be able to reach the Target Machine on port 3389 (or custom port if specified) on the local network (and N-central as above).

Take Control traffic is secured using multi-layer authentication. Elliptic-curve Diffie-Hellman is implemented to protect our public/private key exchanges, a component step in session instantiation. All commands, including keyboard and mouse strokes, file transfers and clipboard information are digitally signed.

Take Control does not have access to session content. All encryption is based on an end-to-end negotiation that does not intercept transferred information or decode the information in the gateway. Encryption keys are randomly generated for each session.

Take Control uses servers located in large data centers around the world, and a geolocation method ensures the geographically nearest router is always used for the connection.

As public IP Addresses are dynamically assigned (outside of N-able's control) and, as internal infrastructure changes (dynamic or effective), these public IP addresses are required to manage the infrastructure (within N-able's control). No IP Address lists or ranges can be provided, guaranteeing that they will not eventually become invalid.

Allow Outbound Network Traffic

Outbound network traffic must be allowed on both the Take Control Viewer and Agent sides for the following domains, over TCP Port 443 (https):

• swi-rc.cdn-sw.net
• *.n-able.com
• *.mspa.n-able.com
• *global.mspa.n-able.com
• *.us1.mspa.n-able.com
• *.us2.mspa.n-able.com
• *.eu1.mspa.n-able.com

Almost all of the above Firewall Rules require the use of wildcard exclusions, which are not supported by some vendors. As an alternative, the Firewall Rules can be configured as follows:

1. Allow outbound communications to any IP Addresses over TCP Port 3377 (used to communicate with the Take Control Gateways).
2. Allow outbound communication over TCP Port 443 (https) for the following URLs:
• swi-rc.cdn-sw.net
• comserver.global.mspa.n-able.com
• comserver.us1.mspa.n-able.com
• comserver.us2.mspa.n-able.com
• comserver.eu1.mspa.n-able.com
• comserver-hb-eu1-fra.n-able.com
• comserver-hb-eu1-iad1.n-able.com
• comserver-hb-us0-iad1.n-able.com
• comserver-hb-us0-lax.n-able.com
• comserver-hb-us1-iad2.n-able.com
• comserver-hb-us1-lax.n-able.com
• comserver-hb-us2-lax.n-able.com
• comserver-hb-us2-iad2.n-able.com

Outbound network traffic must be allowed on both the Take Control Viewer and Agent sides for the following domains, over TCP Ports 80 (http) and 443 (https):

• *.mspa.n-able.com
• *.swi-rc.cdn-sw.net

The Take Control Firewall requires the use of wildcard exceptions, which are not configurable on some legacy Network equipment. As an alternative, use fail over TCP Port 3377, which can be configured as follows:

1. Allow outbound communications to any IP Addresses over TCP Port 3377.
2. Allow outbound communication over TCP Ports 80(http) and 443 (https) for the following URLs:
• comserver.us0.swi-rc.com
• comserver.us3.swi-rc.com
• comserver.eu2.swi-rc.com

Ports and URLs

To avoid potential communication or connection problems to these global servers, we recommend you allow the following Ports and URLs in your firewall or web-monitoring software:

Ports

• 80 (TCP)
• 443 (TCP)
• 3377 (TCP) - used as a fall over if 443 is unsuccessful

URLs

• *.mspa.n-able.com
• *.swi-rc.cdn-sw.net

Services and Processes (Windows only)

Take Control includes the following executables that run continuously or for the duration of a single session:

Continuously running executables

Executable	Type	Description
BASupSrvc.exe	Service	Allows remote sessions and maintains communication to the All Devices view and infrastructure
BASupSrvcUpdater.exe	Service	Updates the BASupSrv service when required and ensures it is always running
BASupSrvcCnfg.exe	Process (Normal)	Allows in-session chats between the technician and the user, and also displays the session authorization pop-ups. This process is loaded for each user logged on to the machine and multiple instances can exist at the same time. If the session is killed, in-session chats are not available and session authorization pop-ups do not display to the local user (the default action defined will occur after a timeout period).

Single session executables

Executable	Type	Description
BASupTSHelper.exe	Process (Elevated)	Permits image capturing during the remote session
BASupSrvcEvnt.dll	DLL	Registers Take Control related Events that display in the device's Event Viewer. To ensure Take Control is reported as the Event source, the .dll remains on the device after Take Control is uninstalled.

Port 443 TCP outbound. It is almost always open on workstations but may be closed on servers.

Local port 5000. If this port is unavailable, the Backup Manager detects a free port automatically (starting from 5001, 5002 and up).

In most cases, no firewall configuration is required.

Port/Type	Protocol	Source	Destination	Description
Type: 11 (ICMP Time Exceeded)	ICMP	Networking devices along your path	NetPath probe	Used by NetPath probe to discover network paths.
Port: User Configured	TCP	NetPath agent	Path destination	Used by NetPath probe to discover the service status over the entered path port.
Port 43	TCP	Main polling engine	BGP data providers	Used by NetPath to query IP ownership and other information about the discovered IP addresses.

These are the minimum port and IP address requirements for N-able Support to troubleshoot your N-able N-central server. Review these requirements to help Support resolve your issue.

Port Access Requirements

For N-able Technical Support to troubleshoot and diagnose your issue, you will need to permit the following incoming connections to N-able N-central:

• TCP Port 22 (SSH) is used for Remote Control sessions (Web, SSH, Telnet, Custom) and by N-able Support.
• TCP Port 8443 (HTTPS) is used for UI and agent/probe communication.
• TCP Port 443 (HTTPS) is used for UI and agent/probe communication.

The following outbound access is required from your N-able N-central server to troubleshoot it:

• TCP Ports 20, 21 (FTP) for backing up N-able N-central and by N-able Support to update their tools.
• TCP Port 25 (SMTP) for sending email from N-able N-central if not using a local mail relay.
• TCP/UDP Port 53 (DNS) is used for DNS lookups.
• TCP/UDP Port 123 (NTP) to keep the N-able N-central server clock in sync.
• TCP Port 1433 is used by N-able N-central to export data to Report Manager if enabled.

Required inbound access IPs

N-able Support

Open access to all the listed IP addresses. Although most Support connections will come from your local Support office, some shifts are covered by other offices.

Americas

• 32.60.115.209-222 – Ottawa, Ontario, Canada (Support and Development)
• 207.35.253.229 – Ottawa, Ontario, Canada (Support and Development)
• 209.120.234.64-79 – Ottawa, Ontario, Canada (Support and Development)
• 216.85.162.34 – Durham, North Carolina, United States of America (Support)
• 4.35.232.2 – Durham, North Carolina, United States of America (Support)
• 174.99.133.19 – Durham, North Carolina, United States of America (Support)

• 4.7.118.146 - Durham, North Carolina, United States of America (Support)

APAC

• 122.53.149.180 – Manila, Philippines (Support)
• 122.53.149.190 – Manila, Philippines (Support)
• 120.28.59.197 – Manila, Philippines (Support)
• 122.3.252.208/28 – Manila, Philippines (Support)
• 180.232.22.208/29 – Manila, Philippines (Support)
• 116.50.225.187 – Manila, Philippines (Support)

EMEA

• 208.70.88.4 - Dundee, Scotland (Support)
• 62.253.153.163 – Dundee, Scotland (Support)
• 212.187.250.0/28 – Dundee, Scotland (Support)
• 62.28.208.190 – Lisbon, Portugal (Support and Development)
• 78.11.93.114 – Krakow, Poland (Development)
• 82.177.176.130 – Krakow, Poland (Development)

Licensing updates and renewals

• mothership.n-able.com - Primary Mothership Monitoring (Deprected on April 1, 2025)

• mothership2.n-able.com - Supplemental Mothership Monitoring (Deprected on April 1, 2025)

• licensing.n-able.com - Activations, License Renewals, License Updates

Mothership monitoring: This was a service provided by N-able as a solution to externally monitor partners N-central servers for various services. including Connectivity. The Mothership monitoring service was deprecated on April 1, 2025, and you no longer need to add the Mothership URLs to your allow list.

Required Outbound Domain Access

The N-able N-central server must be able to resolve and access over TCP port 8443 (HTTPS) and 443 (HTTPS), the following domain name:

• sis.n-able.com

The N-able N-central server must be able to resolve and access using HTTPS TCP port 443, the following domain names:

• update.n-able.com
• feeds.n-able.com
• servermetrics.n-able.com
• push.n-able.com
• scep.n-able.com
• licensing.n-able.com
• updatewarranty.com
• microsoft.com
• https://keybox.n-able.com
• https://ui.netpath.n-able.com
• api.openai.com