Communication Ports for VDI & DaaS (EU Region)

Prev Next

This article covers the communication requirements for deploying ControlUp version 9.0 for VDI & DaaS organizations created in the EU region. Visit these articles to see the communication requirements for:

2025marketecture

Network testing tool

You can use our network connection testing tool to make sure you have all the network communication requirements in place.

9.0 Specific URLs

All 9.0 specific URLs below need to be accessed via port 443. All these services are running via REST.

9.0 Monitors

9.0 and higher monitors initially attempt to connect to cu-services-cpa.controlup.com. Depending on their geolocation, they will then attempt to connect to a region-specific URL (either -us or -eu). If your organization operates monitors in different geographical regions, we highly recommend to allowlist all URLs as listed below to avoid communication issues.

Outbound Connections

Devices and servers used by ControlUp, providing configuration interface, data aggregation, upload and authorization validation for the VDI App, access, and other services.

When you use a proxy in your environment, make sure to allowlist and open the ControlUp Cloud configuration servers through your proxy.

Network Tester Tool

To verify connectivity from ControlUp products and components, you can use our network tester tool which checks connectivity to all required outbound URLs.

Web Application Firewall

ControlUp ensures that all URLs are protected using TLS to safeguard data during transit. However, for certain URLs, you must also enable SOAP. You can find this information in the Purpose column for the relevant URLs.

From the Real-Time Agent Machine

For the optional outbound communication feature, ensure you allowlist the following URLs. Similarly, we recommend to allowlist all URLs if your agent machines operate across various geographical locations.

Mandatory Outbound URLs to use Agent Outbound Communication*

Source DNS Type Port Protocol Purpose
ControlUp Agent cu-agents-cpa.controlup.com TCP 443 HTTPS
ControlUp Agent cu-agents-cpa-eu.controlup.com TCP 443 HTTPS

Optional port, to use for Agent Outbound Communication

Source DNS Type Port Protocol Purpose
ControlUp Agent ControlUp Monitor TCP 443 HTTPS Agent to Monitor communication

Optional port, to use Remote Control in the VDI App

Source DNS Type Port Protocol Purpose
ControlUp Agent solve-ws-proxy-eu.controlup.com TCP 443 HTTPS / WSS Remote Control session from the VDI App
SSL Inspection

It is possible that outbound communication from the Real-Time agent machines to our services may be disrupted by SSL inspection technology. In this case, it is recommended that the address spaces or IPs are added to internal bypass lists to allow for this communication to succeed.

From the machine used to access the DEX Platform web app

Source DNS Type Port Protocol Purpose
Any computer app.controlup.com TCP 443 HTTPS DEX Platform
Any computer https://prod-dex-login-westeurope.controlup.com TCP 443 HTTPS Required only for SAML SSO
Any computer https://prod-dex-login.controlup.com TCP 443 HTTPS Web login
Any computer https://solve-cdn.controlup.com TCP 443 HTTPS Required to deliver static files

9.0 Consoles

9.0 and higher consoles initially attempt to connect to cu-services-cpa.controlup.com to retrieve a list of required backend services. Similar to the monitors, we highly recommend to allowlist all URLs, especially if you are operating the console on machines across different geographical regions.

From the Real-Time Console Machine

Mandatory Outbound URLs

Source DNS Type Port Protocol Purpose
Console app.controlup.com TCP 443 HTTPS Required only for Real-Time DX version 9.0.5 or higher. Used for authentication through the DEX Platform.
Console fe1.controlup.com TCP 443 HTTPS Real-Time DX login services, SOAP
Console fe2.controlup.com TCP 443 HTTPS Real-Time DX login services, SOAP
Console fe3.controlup.com TCP 443 HTTPS Real-Time DX login services, SOAP
Console fe4.controlup.com TCP 443 HTTPS Real-Time DX login services, SOAP
Console rt-app.controlup.com TCP 443 HTTPS Real-Time DX login services, SOAP
Console rt-app-eu-central-1.controlup.com TCP 443 HTTPS Real-Time DX login services
Console rt-app-eu.controlup.com TCP 443 HTTPS Real-Time DX login services
Console cu-ca-eu.controlup.com TCP 443 HTTPS Real-Time DX Centralized Auditing services
Console cu-ca-eu-central-1.controlup.com TCP 443 HTTPS Real-Time DX Centralized Auditing services
Console cu-services-cpa-eu.controlup.com TCP 443 HTTPS Google Analytics service, Google Kubernetes service, Events Reporter Kubernetes service, Identity Management service, Configuration Kubernetes service, SBA Store service
Console cu-services-cpa.controlup.com TCP 443 HTTPS Outbound security Kubernetes service, Master Broker, Action API notification service, Identity Management service, Configuration Kubernetes service, SBA Store Kubernetes service
Console cu-services-cpa.controlup.com/api/ServiceDiscovery/GetLoginUrl TCP 443 HTTPS Required only for Real-Time DX version 9.0 or higher. Used for Service Discovery, login URL.

Mandatory Ports

Source DNS Type Port Protocol Purpose
Console ControlUp Agent TCP 40705 WCF Incoming TCP / WCF traffic from Console and Monitor cluster to ControlUp Agents
Console ControlUp Agent TCP 135 - 139 RPC Agent deployment from the Console and certain built-in actions such as restarting the Agent
Console ControlUp Monitor TCP 40706 WCF Console ⇔ Monitor and internal Monitor cluster communication
Console ControlUp Monitor TCP 135 - 139, 445, 49152-65535 RPC / WMI / SMB Monitor deployment and upgrades from the Console and certain built-in actions, such as restarting the Agent
Console Data Collector TCP 40705 WCF Console to data collector communication
Console Domain Controller TCP 389 LDAP LDAP communication from the Real-Time Console and ControlUp Monitors with Domain Controllers

Optional ports, depending on what you want to monitor

Source DNS Type Port Protocol Purpose
Console https://* .cloud.com
https://*.citrixworkspacesapi.net
https:// *.xendesktop.net
TCP 443 HTTPS Communication with Citrix Cloud
Console Citrix XenDesktop Controllers TCP 80 / 443 HTTP/S Communication with XenDesktop Infrastructure
Console Citrix XenServer Pool Master/Hosts TCP 80 / 443 HTTP/S Communication with XenServer Infrastructure (and RRD communications)
Console Linux Client TCP 22 SSH Communications with Linux machines
Console NetScalers TCP 443 / 80 HTTP(S) Depending on what the administrator configured
Console Nutanix/AHV TCP 9440 Communication with Nutanix Infrastructure
Console Horizon Connection Server TCP 443 HTTPS Communication with Horizon Infrastructure
Console VMware vCenter Server TCP 443 HTTPS Communication with vSphere Infrastructure

From the Real-Time Monitor Machine

Mandatory Outbound URLs

Source DNS Type Port Protocol Purpose
Monitor fe1.controlup.com TCP 443 HTTPS Real-Time DX login services, SOAP
Monitor fe2.controlup.com TCP 443 HTTPS Real-Time DX login services, SOAP
Monitor fe3.controlup.com TCP 443 HTTPS Real-Time DX login services, SOAP
Monitor fe4.controlup.com TCP 443 HTTPS Real-Time DX login services, SOAP
Monitor rt-app.controlup.com TCP 443 HTTPS Real-Time DX login services, SOAP
Monitor rt-app-eu-central-1.controlup.com TCP 443 HTTPS Real-Time DX login services
Monitor rt-app-eu.controlup.com TCP 443 HTTPS Real-Time DX login services
Monitor cu-ca-eu.controlup.com TCP 443 HTTPS Real-Time DX Centralized Auditing services
Monitor cu-ca-eu-central-1.controlup.com TCP 443 HTTPS Real-Time DX Centralized Auditing services
Monitor mp.controlup.com TCP 443 HTTPS / Secure Web Socket Real-Time DX <> the VDI App query engine
Monitor monitor-receiver-azure-westeurope-prod.controlup.com/v1/data (Or by IP address: 20.4.63.242) TCP 443 HTTPS Real-Time DX new data pipeline for reports
Monitor insights-hec.controlup.com TCP 443 HTTPS HTTP Event Collector (HEC) Endpoint - telemetry data from ControlUp Monitors
Monitor solve.controlup.com TCP 443 HTTPS Required to use the VDI App actions
Monitor solve-cdn.controlup.com TCP 443 HTTPS Required to deliver static files
Monitor cu-services-cpa.controlup.com TCP 443 HTTPS Outbound security Kubernetes service, Master Broker, Action API notification service, Identity Management service, Configuration Kubernetes service, SBA Store Kubernetes service
Monitor cu-services-cpa-eu.controlup.com TCP 443 HTTPS Outbound security Kubernetes service, Master Broker, Action API notification service, Identity Management service, Configuration Kubernetes service, SBA Store Kubernetes service
Monitor cu-services-cpz-eu.controlup.com TCP 443 HTTPS Schema service, Monitor receiver

Mandatory Ports

Source DNS Type Port Protocol Purpose
Monitor ControlUp Agent TCP 135 - 139, 445, 49152-65535 RPC / WMI / SMB Agent deployment via the monitor
Monitor ControlUp Agent TCP 40705 WCF Monitor to agent communication
Monitor ControlUp Monitor TCP 40706 WCF Inter-Monitor communication
Monitor ControlUp Monitor TCP 135 - 139, 445, 49152-65535 RPC / WMI / SMB Monitor deployment from the console
Monitor Data Collector TCP 40705 WCF Monitor to data collector communication
Monitor Domain Controller TCP 389 LDAP LDAP communication with Domain Controllers

Optional ports, depending on what you want to monitor

Source DNS Type Port Protocol Purpose
Monitor https://* .cloud.com
https://*.citrixworkspacesapi.net
https:// *.xendesktop.net
TCP 443 HTTPS Communication with Citrix Cloud
Monitor Citrix XenDesktop Controllers TCP 80 / 443 HTTP/S Communication with XenDesktop Infrastructure
Monitor Citrix XenServer Pool Master/Hosts TCP 80 / 443 HTTP/S Communication with XenServer Infrastructure (and RRD communications)
Monitor Linux Client TCP 22 SSH Communications with Linux machines
Monitor NetScalers TCP 443 / 80 HTTP(S) Depending on what the administrator configured
Monitor Nutanix/AHV TCP 9440 Communication with Nutanix Infrastructure
Monitor SMTP Server TCP 25 Email alerts
Monitor Horizon Connection Server TCP 443 HTTPS Communication with Horizon Infrastructure
Monitor VMware vCenter Server TCP 443 HTTPS Communication with vSphere Infrastructure
Monitor solve-ws-proxy-eu.controlup.com* TCP 443 HTTPS / WSS Remote Control session from the VDI App

* These URLs are only relevant for ControlUp version 9.0.

From the Real-Time Data Collector Machine

Optional ports, depending on what you want to monitor

Source DNS Type Port Protocol Purpose
Data Collector https://* .cloud.com
https://*.citrixworkspacesapi.net
https:// *.xendesktop.net
TCP 443 HTTPS Communication with Citrix Cloud
Data Collector https://management.azure.com TCP 443 HTTPS Communication with Microsoft Azure
Data Collector https://sts.amazonaws.com
https://ec2.amazonaws.com
TCP 443 HTTPS Communication with AWS for the AWS Cloud integration.
Data Collector Citrix XenDesktop Controllers TCP 80 / 443 HTTP/S Communication with XenDesktop Infrastructure
Data Collector Citrix XenServer Pool Master/Hosts TCP 80 / 443 HTTP/S Communication with XenServer Infrastructure (and RRD communications)
Data Collector Linux Client TCP 22 SSH Communications with Linux machines
Data Collector NetScalers TCP 443 / 80 HTTP(S) Depending on what the administrator configured
Data Collector Nutanix/AHV TCP 9440 Communication with Nutanix Infrastructure
Data Collector Horizon Connection Server TCP 443 HTTPS Communication with Horizon Infrastructure
Data Collector VMware vCenter Server TCP 443 HTTPS Communication with vSphere Infrastructure

Required Connection for Real-Time Reports from New Data Pipeline

To enable ControlUp monitors to send data to the new data pipeline for reporting, add the following URL to your allow list:

  • https://monitor-receiver-azure-westeurope-prod.controlup.com/v1/data

Or by IP address: 20.4.63.242
(As mentioned in the Monitor table above.)

If you use legacy reports to view historical data, add the following URLs to your allow list:

  • https://cu-services-cpa-eu.controlup.com
  • https://cu-services-cpz-eu.controlup.com

Synthetic Monitoring

ControlUp for VDI & DaaS includes proactive synthetic testing for your network infrastructure and EUC gateways. Visit Communication requirements for Scoutbees for details.