Agent Outbound Communication
This article covers information relevant only to the version 9.0 beta release. Want to be the first to try our new features? Join the ControlUp Beta Program!
ControlUp Real-Time DX no longer supports Windows Server 2012/R2 machines, following Microsoft's recent end of support. We recommend Windows Server 2016 or a later version to use the 9.0 features.
Before ControlUp version 9.0, the ControlUp Agents acted as servers by listening on TCP port 40705 for inbound connections. The ControlUp Console and Monitors acted as clients by connecting to the agents. This method required you to allowlist incoming TCP connections for all the machines in your organization with agents installed.
From version 9.0, the Agent Outbound Communication feature reverses the connection direction. By default, the agents now act as the clients, and the monitors act as the servers by listening on TCP port 40705 for connections initiated by the agents.
The following diagram illustrates the connection changes:
Outbound communication is supported only for connections from the ControlUp Agents to the Monitors. It isn't supported for connections from the Agents to the Consoles.
Inbound port 40705 is still required for:
Data collector machines
Machines you want to manage via the Console
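The practical effect of the reversed direction is that most agent machines no longer need an inbound allow rule for TCP 40705, while monitors, data collector machines and console-managed machines still do. The following Windows Firewall script is an added example (not ControlUp's own tooling) that applies rules by machine role; the rule names, the `Set-ControlUpFirewallRole` function and the sample monitor addresses are assumptions made for the example, and a machine that fills more than one role (for example an agent you also manage from the console) needs the rules of every role it fills.

```powershell
# Added example, not part of the ControlUp product. Applies Windows Firewall rules for
# TCP 40705 according to the machine's role under 9.0 outbound communication:
#   Monitor / DataCollector / ConsoleManaged -> still need inbound TCP 40705
#   Agent                                    -> outbound TCP 40705 to monitors, outbound 443
function Set-ControlUpFirewallRole {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Monitor', 'DataCollector', 'ConsoleManaged', 'Agent')]
        [string]$Role,

        # Monitor IPs/subnets the agent may reach (constructed placeholder values;
        # -RemoteAddress accepts IPs, ranges and subnets, not DNS names).
        [string[]]$MonitorAddresses = @('10.0.0.10', '10.0.0.11')
    )

    # Rule names are our own choice so the script can find and replace its own rules.
    $inboundName  = 'ControlUp TCP 40705 (inbound)'
    $outboundName = 'ControlUp TCP 40705 (outbound to monitors)'
    $httpsName    = 'ControlUp TCP 443 (outbound to cloud services)'

    # Remove previously created rules first so re-running the script is idempotent.
    Get-NetFirewallRule -DisplayName $inboundName, $outboundName, $httpsName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    switch ($Role) {
        { $_ -in 'Monitor', 'DataCollector', 'ConsoleManaged' } {
            New-NetFirewallRule -DisplayName $inboundName -Direction Inbound -Protocol TCP `
                -LocalPort 40705 -Action Allow | Out-Null
        }
        'Agent' {
            # Outbound rules only matter if the outbound default action is Block;
            # scoping to known monitor addresses keeps the allow narrow either way.
            New-NetFirewallRule -DisplayName $outboundName -Direction Outbound -Protocol TCP `
                -RemotePort 40705 -RemoteAddress $MonitorAddresses -Action Allow | Out-Null
            New-NetFirewallRule -DisplayName $httpsName -Direction Outbound -Protocol TCP `
                -RemotePort 443 -Action Allow | Out-Null
        }
    }

    # Return the rules now in place so the caller can log or assert on them.
    Get-NetFirewallRule -DisplayName $inboundName, $outboundName, $httpsName -ErrorAction SilentlyContinue
}
```

Run `Set-ControlUpFirewallRole -Role Agent -MonitorAddresses '10.0.0.10'` from an elevated PowerShell session on an agent machine, or `-Role Monitor` on a monitor. Removing the inbound 40705 rule from ordinary agent machines is the concrete reduction in exposed listening surface that the new direction makes possible.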
Prerequisites to enable Agent Outbound Communication
From version 9.0, .NET Framework 4.8 must be installed on the agent, console, and monitor machines.
Enable outbound port 443 (TLS 1.2) on all agent machines
Provide all agents with the Registration Key. If you use the console, it is automatically added to the registry. If you install/upgrade agents with the MSI, you must provide it manually.
US + Rest of the World (non-EU) URLs
To use the Remote Control feature:
Agent outbound communication can benefit your environment by reducing barriers for the following:
MSPs with multi-tenant deployments
Streamline deployment of ControlUp Agents
Enabling Outbound Communication
You can install the 9.0 agent with either MSI or the Real-Time Console. If you upgrade or install the agent from the console, the agent is automatically configured with the registry key saved under the following path:
If you configure the agent using group policy, the registry key is saved under:
The agent uses the CertificateValidationLevel key, at its respective location in the registry, to decide how to validate the certificate. If the CertificateValidationLevel key is missing or has a value of "0", the agent only checks that the certificate subject matches the monitor IP address. If the CertificateValidationLevel key has a value of "1" or more, the agent performs the full certificate validation process.
If you install the agent with the MSI, you must manually provide:
Authentication Key. Required to connect to the agent via the console.
New in 9.0: Registration Key. Required for outbound communication. Without it, the agent won’t be able to communicate outbound.
If you install the agent on a machine that will be used as a master image for non-persistent machines, in the MSI installer, select the Configure this installation as a master image checkbox:
Revert to Agent Inbound Communication
If you don't want to use the new agent outbound communication, you can revert to inbound communication.
Broker Discovery Service
The broker is a new monitor role which is granted to all monitors in the cluster. The Broker Discovery service discovers the broker monitors in clusters for ControlUp Agents in outbound connection mode.
The following clients call the service:
Agents query data on brokers in the cluster before connecting to the monitor with the lightest load.
Monitors submit updated data from brokers in the cluster.
When the service is online, it discovers brokers via our ControlUp Hybrid Cloud Services. When the service is offline, it discovers brokers listed in the registry settings of the agent machines.
Broker Registry Configuration
You can set the Broker Discovery service to discover brokers when the service is offline by using the following registry settings on the agent machines.
If you installed the agent from the console, use registry path
If you configured the agent using group policy, use registry path
You can configure the following available keys and values in either path:
Monitors. For offline broker discovery, a list of monitor addresses to be contacted.
DisableOnlineBrokeringFlow. To automatically use offline brokering, set value to
OnlineServiceEnvSuffix. The environment for online services, for example
OnlineServiceRegionSuffix. The region suffix for online services, for example -cpa-eu, etc. Usually there is no need to configure it manually, because it is resolved automatically.
DisableProxyToOnlineServices. If the proxy shouldn’t be used to connect cloud services, set to
DisableProxyToMonitor. If the proxy shouldn’t be used to connect to the monitor, set to
ProxyToOnlineServices. Dedicated proxy (DNS or IP) that the agent should use to connect to cloud services.
ProxyToMonitor. Dedicated proxy address (DNS or IP) that the agent uses to connect to the monitor.
SiteId. Site ID of the agent.
Outbound. If the agent should be used for inbound communication, set to
LastDiscoveredMonitors. For offline broker discovery in combination with the Monitors list, a list of the last monitor addresses discovered via online brokering.
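Two of the settings above decide an agent's security posture: CertificateValidationLevel (described under Enabling Outbound Communication) and the offline brokering keys, which determine which monitor addresses the agent will fall back to when the cloud service is unreachable. The following function is an added example (not ControlUp's own tooling) that reads those values from an agent machine and summarises them. The registry path is a placeholder, because this page does not print the console-installed or group-policy path; substitute the one that applies. Only the CertificateValidationLevel semantics stated on this page are interpreted; every other key is reported as stored, and the list separator assumed for a single-string Monitors value is an assumption.

```powershell
# Added example, not part of the ControlUp product. Summarises an agent's outbound
# communication settings for fleet auditing. $RegistryPath is a placeholder: use the
# console-install or group-policy path documented for your agents.
function Get-AgentOutboundPosture {
    param(
        [string]$RegistryPath = 'HKLM:\SOFTWARE\<placeholder-ControlUp-agent-key>'
    )

    if (-not (Test-Path $RegistryPath)) {
        throw "Registry path not found: $RegistryPath"
    }
    $props = Get-ItemProperty -Path $RegistryPath

    # REG_MULTI_SZ arrives as string[]; a REG_SZ may hold a separated list.
    # The separator set is an assumption; the page does not state the value format.
    function ConvertTo-AddressList([object]$value) {
        if ($null -eq $value) { return @() }
        if ($value -is [array]) { return @($value | Where-Object { $_ }) }
        return @(("$value" -split '[,;\s]+') | Where-Object { $_ })
    }

    # Documented semantics: missing or 0 -> subject/IP match only; 1 or more -> full validation.
    $level = $props.CertificateValidationLevel
    $certMode = if ($null -eq $level -or [int]$level -eq 0) { 'SubjectMatchesMonitorAddressOnly' }
                else { 'FullCertificateValidation' }

    # Offline broker discovery draws on the configured Monitors list plus the
    # LastDiscoveredMonitors cache; keep order and drop duplicates.
    $configured = ConvertTo-AddressList $props.Monitors
    $lastSeen   = ConvertTo-AddressList $props.LastDiscoveredMonitors
    $offlineCandidates = @(($configured + $lastSeen) | Select-Object -Unique)

    [pscustomobject]@{
        RegistryPath                 = $RegistryPath
        CertificateValidation        = $certMode
        CertificateValidationLevel   = $level
        Outbound                     = $props.Outbound
        DisableOnlineBrokeringFlow   = $props.DisableOnlineBrokeringFlow
        ConfiguredMonitors           = $configured
        LastDiscoveredMonitors       = $lastSeen
        OfflineMonitorCandidates     = $offlineCandidates
        ProxyToOnlineServices        = $props.ProxyToOnlineServices
        ProxyToMonitor               = $props.ProxyToMonitor
        DisableProxyToOnlineServices = $props.DisableProxyToOnlineServices
        DisableProxyToMonitor        = $props.DisableProxyToMonitor
        SiteId                       = $props.SiteId
    }
}
```

Run `Get-AgentOutboundPosture -RegistryPath '<your agent path>' | Format-List` on a sample of agents, or wrap it in `Invoke-Command` across the fleet. Agents reporting `SubjectMatchesMonitorAddressOnly` accept any certificate whose subject names the monitor address, so they are the ones to review; an unexpected entry in `OfflineMonitorCandidates` is worth the same attention, since it is an address the agent will connect to when the cloud brokering service is unavailable.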
The Broker Discovery service authenticates monitors with JSON Web Tokens (JWT) and agents with personal access tokens (PAT).
For outbound communication, the ControlUp Agent must validate the server certificate presented by the ControlUp Monitor. Outbound communication runs over TLS, which requires a server certificate to establish the connection. Each time the monitor starts its gRPC server, it automatically creates a unique certificate based on its public DNS name/FQDN, using one of the following methods:
Self-signed certificates. The agent validates that the Common Name in the certificate matches the monitor's IP address.
Third-party certificates. The monitor creates a certificate sourced from the local certificate store. If full validation is enabled, the agent validates that the certificate is issued by a trusted root authority or chains to one.
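Before raising CertificateValidationLevel to 1 on agents, it helps to see what the monitor actually presents on port 40705 and whether it would pass each of the two checks just described. The following function is an added example (not ControlUp's own tooling) that completes a TLS 1.2 handshake with a monitor, captures the server certificate and reports the Common Name comparison that level 0 relies on and the trust-chain build that level 1 additionally requires. The function name is our own; it assumes the monitor address given is the one the agent is configured with.

```powershell
# Added example, not part of the ControlUp product. Retrieves the certificate a monitor
# presents on its listening port and evaluates both documented validation checks on the
# machine the script runs from (so run it from an agent machine).
function Test-MonitorCertificate {
    param(
        [Parameter(Mandatory)][string]$MonitorAddress,   # IP or FQDN the agent will use
        [int]$Port = 40705
    )

    $client = New-Object System.Net.Sockets.TcpClient($MonitorAddress, $Port)
    try {
        # Accept whatever the server sends during the handshake; we inspect it ourselves below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($MonitorAddress, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Check (a), what level 0 relies on: subject Common Name versus the configured address.
        $commonName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $subjectMatches = $commonName -ieq $MonitorAddress

        # Check (b), what level 1 additionally requires: a chain to a root trusted on this machine.
        # Revocation is skipped here because the point is the trust anchor, not CRL reachability.
        $chainBuilder = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainBuilder.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainsToTrustedRoot = $chainBuilder.Build($cert)
        $chainErrors = @($chainBuilder.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })

        [pscustomobject]@{
            Monitor               = ('{0}:{1}' -f $MonitorAddress, $Port)
            Subject               = $cert.Subject
            Issuer                = $cert.Issuer
            SelfSigned            = ($cert.Subject -eq $cert.Issuer)
            NotAfter              = $cert.NotAfter
            Thumbprint            = $cert.Thumbprint
            SubjectMatchesAddress = $subjectMatches
            ChainsToTrustedRoot   = $chainsToTrustedRoot
            ChainErrors           = $chainErrors
        }
    }
    finally {
        $client.Close()
    }
}
```

Run `Test-MonitorCertificate -MonitorAddress 'monitor01.corp.example'` (constructed name) from an agent machine. A result with `SelfSigned` true and `ChainsToTrustedRoot` false is exactly what a self-signed monitor certificate looks like: agents at level 0 will connect, agents at level 1 will not, so switch the monitor to a third-party certificate from the local store before enforcing full validation. Recording the `Thumbprint` on first contact also gives you a baseline to compare against later, since the monitor regenerates its certificate when the gRPC server starts.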