Communication Ports for VDI & DaaS (EU Region)
    • Dark
      Light
    • PDF

    Communication Ports for VDI & DaaS (EU Region)

    • Dark
      Light
    • PDF

    Article summary

    This article covers the communication requirements for deploying ControlUp version 9.0 for VDI & DaaS organizations created in the EU region. Visit these articles to see the communication requirements for:

    HybridArch9.0

    Network testing tool

    You can use our network connection testing tool to make sure you have all the network communication requirements in place.

    9.0 Specific URLs

    All 9.0 specific URLs below need to be accessed via port 443. All these services are running via REST.

    9.0 Monitors

    9.0 and higher monitors initially attempt to connect to cu-services-cpa.controlup.com. Depending on their geolocation, they will then attempt to connect to a region-specific URL (either -us or -eu). If your organization operates monitors in different geographical regions, we highly recommend to allowlist all URLs as listed below to avoid communication issues.

    Outbound Connections

    Devices and servers used by ControlUp, providing configuration interface, data aggregration, upload and authorization validation for web UI, access, and other services.

    When you use a proxy in your environment, make sure to allowlist and open the ControlUp cloud configuration servers through your proxy.

    Network Tester Tool

    To verify connectivity from ControlUp products and components, you can use our network tester tool which checks connectivity to all required outbound URLs.

    Web Application Firewall

    ControlUp ensures that all URLs are protected using TLS to safeguard data during transit. However, for certain URLs, you must also enable SOAP. You can find this information in the Purpose column for the relevant URLs.

    From the Real-Time Agent Machine

    For the optional outbound communication feature, ensure you allowlist the following URLs. Similarly, we recommend to allowlist all URLs if your agent machines operate across various geographical locations.

    Mandatory Outbound URLs to use Agent Outbound Communication*

    SourceDNSTypePortProtocolPurpose
    ControlUp Agentcu-agents-cpa.controlup.comTCP443HTTPS
    ControlUp Agentcu-agents-cpa-eu.controlup.comTCP443HTTPS

    Optional port, to use for Agent Outbound Communication

    SourceDNSTypePortProtocolPurpose
    ControlUp AgentControlUp MonitorTCP443HTTPSAgent to Monitor communication

    Optional port, to use Remote Control in the Web UI

    SourceDNSTypePortProtocolPurpose
    ControlUp Agentsolve-ws-proxy-eu.controlup.comTCP443HTTPS / WSSRemote Control session from the web UI
    SSL Inspection

    It is possible that outbound communication from the Real-Time agent machines to our services may be disrupted by SSL inspection technology. In this case, it is recommended that the address spaces or IPs are added to internal bypass lists to allow for this communication to succeed.

    From the machine used to access the DEX Platform web app

    SourceDNSTypePortProtocolPurpose
    Any computerapp.controlup.comTCP443HTTPSDEX Platform
    Any computergoogle.com/recaptchaTCP443HTTPSAuthentication (reCAPTCHA)
    Any computergstatic.com/recaptchaTCP443HTTPSAuthentication (reCAPTCHA)
    Any computerhttps://prod-dex-login-westeurope.controlup.comTCP443HTTPSRequired only for SAML SSO
    Any computerhttps://solve-cdn.controlup.comTCP443HTTPSRequired to deliver static files

    9.0 Consoles

    9.0 and higher consoles initially attempt to connect to cu-services-cpa.controlup.com to retrieve a list of required backend services. Similar to the monitors, we highly recommend to allowlist all URLs, especially if you are operating the console on machines across different geographical regions.

    From the Real-Time Console Machine

    Mandatory Outbound URLs

    SourceDNSTypePortProtocolPurpose
    Consoleapp.controlup.comTCP443HTTPSRequired only for Real-Time DX version 9.0.5 or higher. Used for authentication through the DEX Platform.
    Consolegoogle.com/recaptchaTCP443HTTPSRequired only for Real-Time DX version 9.0.5 or higher. Used for authentication through the DEX Platform.
    Consolegstatic.com/recaptchaTCP443HTTPSRequired only for Real-Time DX version 9.0.5 or higher. Used for authentication through the DEX Platform.
    Consolefe1.controlup.comTCP443HTTPSReal-Time DX login services, SOAP
    Consolefe2.controlup.comTCP443HTTPSReal-Time DX login services, SOAP
    Consolefe3.controlup.comTCP443HTTPSReal-Time DX login services, SOAP
    Consolefe4.controlup.comTCP443HTTPSReal-Time DX login services, SOAP
    Consolert-app.controlup.comTCP443HTTPSReal-Time DX login services, SOAP
    Consolert-app-eu-central-1.controlup.comTCP443HTTPSReal-Time DX login services
    Consolert-app-eu.controlup.comTCP443HTTPSReal-Time DX login services
    Consolecu-ca-eu.controlup.comTCP443HTTPSReal-Time DX Centralized Auditing services
    Consolecu-ca-eu-central-1.controlup.comTCP443HTTPSReal-Time DX Centralized Auditing services
    Consolecu-services-cpa-eu.controlup.comTCP443HTTPSGoogle Analytics service, Google Kubernetes service, Events Reporter Kubernetes service, Identity Management service, Configuration Kubernetes service, SBA Store service
    Consolecu-services-cpa.controlup.comTCP443HTTPSOutbound security Kubernetes service, Master Broker, Action API notification service, Identity Management service, Configuration Kubernetes service, SBA Store Kubernetes service
    Consolecu-services-cpa.controlup.com/api/ServiceDiscovery/GetLoginUrlTCP443HTTPSRequired only for Real-Time DX version 9.0 or higher. Used for Service Discovery, login URL.

    Mandatory Ports

    SourceDNSTypePortProtocolPurpose
    ConsoleControlUp AgentTCP40705WCFIncoming TCP / WCF traffic from Console and Monitor cluster to ControlUp Agents
    ConsoleControlUp AgentTCP135 - 139RPCAgent deployment from the Console and certain built-in actions such as restarting the Agent
    ConsoleControlUp MonitorTCP40706WCFConsole ⇔ Monitor and internal Monitor cluster communication
    ConsoleControlUp MonitorTCP135 - 139, 445, 49152-65535RPC / WMI / SMBMonitor deployment and upgrades from the Console and certain built-in actions, such as restarting the Agent
    ConsoleData CollectorTCP40705WCFConsole to data collector communication
    ConsoleDomain ControllerTCP389LDAPLDAP communication from the Real-Time Console and ControlUp Monitors with Domain Controllers

    Optional ports, depending on what you want to monitor

    SourceDNSTypePortProtocolPurpose
    Consolehttps://* .cloud.com
    https://*.citrixworkspacesapi.net
    https:// *.xendesktop.net
    TCP443HTTPSCommunication with Citrix Cloud
    ConsoleCitrix XenDesktop ControllersTCP80 / 443HTTP/SCommunication with XenDesktop Infrastructure
    ConsoleCitrix XenServer Pool Master/HostsTCP80 / 443HTTP/SCommunication with XenServer Infrastructure (and RRD communications)
    ConsoleLinux ClientTCP22SSHCommunications with Linux machines
    ConsoleNetScalersTCP443 / 80HTTP(S)Depending on what the administrator configured
    ConsoleNutanix/AHVTCP9440Communication with Nutanix Infrastructure
    ConsoleVMware Horizon Connection ServerTCP443HTTPSCommunication with Horizon Infrastructure
    ConsoleVMware vCenter ServerTCP443HTTPSCommunication with vSphere Infrastructure

    From the Real-Time Monitor Machine

    Mandatory Outbound URLs

    SourceDNSTypePortProtocolPurpose
    Monitorfe1.controlup.comTCP443HTTPSReal-Time DX login services, SOAP
    Monitorfe2.controlup.comTCP443HTTPSReal-Time DX login services, SOAP
    Monitorfe3.controlup.comTCP443HTTPSReal-Time DX login services, SOAP
    Monitorfe4.controlup.comTCP443HTTPSReal-Time DX login services, SOAP
    Monitorrt-app.controlup.comTCP443HTTPSReal-Time DX login services, SOAP
    Monitorrt-app-eu-central-1.controlup.comTCP443HTTPSReal-Time DX login services
    Monitorrt-app-eu.controlup.comTCP443HTTPSReal-Time DX login services
    Monitorcu-ca-eu.controlup.comTCP443HTTPSReal-Time DX Centralized Auditing services
    Monitorcu-ca-eu-central-1.controlup.comTCP443HTTPSReal-Time DX Centralized Auditing services
    Monitormp.controlup.comTCP443HTTPS / Secure Web SocketReal-Time DX <> the web UI query engine
    Monitormonitor-receiver-azure-westeurope-prod.controlup.com/v1/data (Or by IP address: 20.4.63.242)TCP443HTTPSReal-Time DX new data pipeline for reports
    Monitors3.eu-central-1.amazonaws.comTCP443HTTPSHistorical data uploads for the legacy reports. This is not required for new customers, or customers who have upgraded to the new data pipeline. See VDI and DaaS Reports for details.
    Monitoruploader-eu-central-1.controlup.comTCP443HTTPSReal-Time DX / historical data uploads, SOAP
    Monitorinsights-hec.controlup.comTCP443HTTPSHTTP Event Collector (HEC) Endpoint - telemetry data from ControlUp Monitors
    Monitorsolve.controlup.comTCP443HTTPSRequired to use the web UI actions
    Monitorsolve-cdn.controlup.comTCP443HTTPSRequired to deliver static files
    Monitorcu-services-cpa.controlup.comTCP443HTTPSOutbound security Kubernetes service, Master Broker, Action API notification service, Identity Management service, Configuration Kubernetes service, SBA Store Kubernetes service
    Monitorcu-services-cpa-eu.controlup.comTCP443HTTPSOutbound security Kubernetes service, Master Broker, Action API notification service, Identity Management service, Configuration Kubernetes service, SBA Store Kubernetes service
    Monitorcu-services-cpz-eu.controlup.comTCP443HTTPSSchema service, Monitor receiver

    Mandatory Ports

    SourceDNSTypePortProtocolPurpose
    MonitorControlUp AgentTCP135 - 139, 445, 49152-65535RPC / WMI / SMBAgent deployment via the monitor
    MonitorControlUp AgentTCP40705WCFMonitor to agent communication
    MonitorControlUp MonitorTCP40706WCFInter-Monitor communication
    MonitorControlUp MonitorTCP135 - 139, 445, 49152-65535RPC / WMI / SMBMonitor deployment from the console
    MonitorData CollectorTCP40705WCFMonitor to data collector communication
    MonitorDomain ControllerTCP389LDAPLDAP communication with Domain Controllers

    Optional ports, depending on what you want to monitor

    SourceDNSTypePortProtocolPurpose
    Monitorhttps://* .cloud.com
    https://*.citrixworkspacesapi.net
    https:// *.xendesktop.net
    TCP443HTTPSCommunication with Citrix Cloud
    MonitorCitrix XenDesktop ControllersTCP80 / 443HTTP/SCommunication with XenDesktop Infrastructure
    MonitorCitrix XenServer Pool Master/HostsTCP80 / 443HTTP/SCommunication with XenServer Infrastructure (and RRD communications)
    MonitorLinux ClientTCP22SSHCommunications with Linux machines
    MonitorNetScalersTCP443 / 80HTTP(S)Depending on what the administrator configured
    MonitorNutanix/AHVTCP9440Communication with Nutanix Infrastructure
    MonitorSMTP ServerTCP25Email alerts
    MonitorVMware Horizon Connection ServerTCP443HTTPSCommunication with Horizon Infrastructure
    MonitorVMware vCenter ServerTCP443HTTPSCommunication with vSphere Infrastructure
    Monitorsolve-ws-proxy-eu.controlup.com*TCP443HTTPS / WSSRemote Control session from the web UI

    * These URLs are only relevant for ControlUp version 9.0.

    From the Real-Time Data Collector Machine

    Optional ports, depending on what you want to monitor

    SourceDNSTypePortProtocolPurpose
    Data Collectorhttps://* .cloud.com
    https://*.citrixworkspacesapi.net
    https:// *.xendesktop.net
    TCP443HTTPSCommunication with Citrix Cloud
    Data Collectorhttps://management.azure.comTCP443HTTPSCommunication with Microsoft Azure
    Data Collectorhttps://sts.amazonaws.com
    https://ec2.amazonaws.com
    TCP443HTTPSCommunication with AWS for the AWS Cloud integration.
    Data CollectorCitrix XenDesktop ControllersTCP80 / 443HTTP/SCommunication with XenDesktop Infrastructure
    Data CollectorCitrix XenServer Pool Master/HostsTCP80 / 443HTTP/SCommunication with XenServer Infrastructure (and RRD communications)
    Data CollectorLinux ClientTCP22SSHCommunications with Linux machines
    Data CollectorNetScalersTCP443 / 80HTTP(S)Depending on what the administrator configured
    Data CollectorNutanix/AHVTCP9440Communication with Nutanix Infrastructure
    Data CollectorVMware Horizon Connection ServerTCP443HTTPSCommunication with Horizon Infrastructure
    Data CollectorVMware vCenter ServerTCP443HTTPSCommunication with vSphere Infrastructure

    Required Connection for Real-Time Reports from New Data Pipeline

    To enable ControlUp monitors to send data to the new data pipeline for reporting, add the following URL to your allow list:

    • https://monitor-receiver-azure-westeurope-prod.controlup.com/v1/data

    Or by IP address: 20.4.63.242
    (As mentioned in the Monitor table above.)

    If you use legacy reports to view historical data, add the following URLs to your allow list:

    • https://cu-services-cpa-eu.controlup.com
    • https://cu-services-cpz-eu.controlup.com

    Synthetic Monitoring

    ControlUp for VDI & DaaS includes proactive synthetic testing for your network infrastructure and EUC gateways. Visit Communication requirements for Scoutbees for details.


    Was this article helpful?