This article covers the communication requirements for deploying ControlUp version 9.0 for VDI & DaaS organizations created in the EU region. Visit these articles to see the communication requirements for:
- Synthetic Monitoring (Scoutbees)
- ControlUp for Physical Desktops
- Communication ports for VDI & DaaS for US + rest of the world (non-EU)
Network testing tool
You can use our network connection testing tool to make sure you have all the network communication requirements in place.
9.0 Specific URLs
All 9.0 specific URLs below need to be accessed via port 443. All these services are running via REST.
9.0 Monitors
9.0 and higher monitors initially attempt to connect to cu-services-cpa.controlup.com. Depending on their geolocation, they will then attempt to connect to a region-specific URL (either -us or -eu). If your organization operates monitors in different geographical regions, we highly recommend to allowlist all URLs as listed below to avoid communication issues.
Outbound Connections
Devices and servers used by ControlUp, providing configuration interface, data aggregation, upload and authorization validation for the VDI App, access, and other services.
When you use a proxy in your environment, make sure to allowlist and open the ControlUp Cloud configuration servers through your proxy.
To verify connectivity from ControlUp products and components, you can use our network tester tool which checks connectivity to all required outbound URLs.
ControlUp ensures that all URLs are protected using TLS to safeguard data during transit. However, for certain URLs, you must also enable SOAP. You can find this information in the Purpose column for the relevant URLs.
From the Real-Time Agent Machine
For the optional outbound communication feature, ensure you allowlist the following URLs. Similarly, we recommend to allowlist all URLs if your agent machines operate across various geographical locations.
Mandatory Outbound URLs to use Agent Outbound Communication*
| Source | DNS | Type | Port | Protocol | Purpose |
|---|---|---|---|---|---|
| ControlUp Agent | cu-agents-cpa.controlup.com | TCP | 443 | HTTPS | |
| ControlUp Agent | cu-agents-cpa-eu.controlup.com | TCP | 443 | HTTPS |
Optional port, to use for Agent Outbound Communication
| Source | DNS | Type | Port | Protocol | Purpose |
|---|---|---|---|---|---|
| ControlUp Agent | ControlUp Monitor | TCP | 443 | HTTPS | Agent to Monitor communication |
Optional port, to use Remote Control in the VDI App
| Source | DNS | Type | Port | Protocol | Purpose |
|---|---|---|---|---|---|
| ControlUp Agent | solve-ws-proxy-eu.controlup.com | TCP | 443 | HTTPS / WSS | Remote Control session from the VDI App |
It is possible that outbound communication from the Real-Time agent machines to our services may be disrupted by SSL inspection technology. In this case, it is recommended that the address spaces or IPs are added to internal bypass lists to allow for this communication to succeed.
From the machine used to access the DEX Platform web app
| Source | DNS | Type | Port | Protocol | Purpose |
|---|---|---|---|---|---|
| Any computer | app.controlup.com | TCP | 443 | HTTPS | DEX Platform |
| Any computer | https://prod-dex-login-westeurope.controlup.com | TCP | 443 | HTTPS | Required only for SAML SSO |
| Any computer | https://prod-dex-login.controlup.com | TCP | 443 | HTTPS | Web login |
| Any computer | https://solve-cdn.controlup.com | TCP | 443 | HTTPS | Required to deliver static files |
9.0 Consoles
9.0 and higher consoles initially attempt to connect to cu-services-cpa.controlup.com to retrieve a list of required backend services. Similar to the monitors, we highly recommend to allowlist all URLs, especially if you are operating the console on machines across different geographical regions.
From the Real-Time Console Machine
Mandatory Outbound URLs
| Source | DNS | Type | Port | Protocol | Purpose |
|---|---|---|---|---|---|
| Console | app.controlup.com | TCP | 443 | HTTPS | Required only for Real-Time DX version 9.0.5 or higher. Used for authentication through the DEX Platform. |
| Console | fe1.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services, SOAP |
| Console | fe2.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services, SOAP |
| Console | fe3.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services, SOAP |
| Console | fe4.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services, SOAP |
| Console | rt-app.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services, SOAP |
| Console | rt-app-eu-central-1.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services |
| Console | rt-app-eu.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services |
| Console | cu-ca-eu.controlup.com | TCP | 443 | HTTPS | Real-Time DX Centralized Auditing services |
| Console | cu-ca-eu-central-1.controlup.com | TCP | 443 | HTTPS | Real-Time DX Centralized Auditing services |
| Console | cu-services-cpa-eu.controlup.com | TCP | 443 | HTTPS | Google Analytics service, Google Kubernetes service, Events Reporter Kubernetes service, Identity Management service, Configuration Kubernetes service, SBA Store service |
| Console | cu-services-cpa.controlup.com | TCP | 443 | HTTPS | Outbound security Kubernetes service, Master Broker, Action API notification service, Identity Management service, Configuration Kubernetes service, SBA Store Kubernetes service |
| Console | cu-services-cpa.controlup.com/api/ServiceDiscovery/GetLoginUrl | TCP | 443 | HTTPS | Required only for Real-Time DX version 9.0 or higher. Used for Service Discovery, login URL. |
Mandatory Ports
| Source | DNS | Type | Port | Protocol | Purpose |
|---|---|---|---|---|---|
| Console | ControlUp Agent | TCP | 40705 | WCF | Incoming TCP / WCF traffic from Console and Monitor cluster to ControlUp Agents |
| Console | ControlUp Agent | TCP | 135 - 139 | RPC | Agent deployment from the Console and certain built-in actions such as restarting the Agent |
| Console | ControlUp Monitor | TCP | 40706 | WCF | Console ⇔ Monitor and internal Monitor cluster communication |
| Console | ControlUp Monitor | TCP | 135 - 139, 445, 49152-65535 | RPC / WMI / SMB | Monitor deployment and upgrades from the Console and certain built-in actions, such as restarting the Agent |
| Console | Data Collector | TCP | 40705 | WCF | Console to data collector communication |
| Console | Domain Controller | TCP | 389 | LDAP | LDAP communication from the Real-Time Console and ControlUp Monitors with Domain Controllers |
Optional ports, depending on what you want to monitor
| Source | DNS | Type | Port | Protocol | Purpose |
|---|---|---|---|---|---|
| Console | https://* .cloud.com https://*.citrixworkspacesapi.net https:// *.xendesktop.net |
TCP | 443 | HTTPS | Communication with Citrix Cloud |
| Console | Citrix XenDesktop Controllers | TCP | 80 / 443 | HTTP/S | Communication with XenDesktop Infrastructure |
| Console | Citrix XenServer Pool Master/Hosts | TCP | 80 / 443 | HTTP/S | Communication with XenServer Infrastructure (and RRD communications) |
| Console | Linux Client | TCP | 22 | SSH | Communications with Linux machines |
| Console | NetScalers | TCP | 443 / 80 | HTTP(S) | Depending on what the administrator configured |
| Console | Nutanix/AHV | TCP | 9440 | Communication with Nutanix Infrastructure | |
| Console | Horizon Connection Server | TCP | 443 | HTTPS | Communication with Horizon Infrastructure |
| Console | VMware vCenter Server | TCP | 443 | HTTPS | Communication with vSphere Infrastructure |
From the Real-Time Monitor Machine
Mandatory Outbound URLs
| Source | DNS | Type | Port | Protocol | Purpose |
|---|---|---|---|---|---|
| Monitor | fe1.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services, SOAP |
| Monitor | fe2.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services, SOAP |
| Monitor | fe3.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services, SOAP |
| Monitor | fe4.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services, SOAP |
| Monitor | rt-app.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services, SOAP |
| Monitor | rt-app-eu-central-1.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services |
| Monitor | rt-app-eu.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services |
| Monitor | cu-ca-eu.controlup.com | TCP | 443 | HTTPS | Real-Time DX Centralized Auditing services |
| Monitor | cu-ca-eu-central-1.controlup.com | TCP | 443 | HTTPS | Real-Time DX Centralized Auditing services |
| Monitor | mp.controlup.com | TCP | 443 | HTTPS / Secure Web Socket | Real-Time DX <> the VDI App query engine |
| Monitor | monitor-receiver-azure-westeurope-prod.controlup.com/v1/data (Or by IP address: 20.4.63.242) | TCP | 443 | HTTPS | Real-Time DX new data pipeline for reports |
| Monitor | insights-hec.controlup.com | TCP | 443 | HTTPS | HTTP Event Collector (HEC) Endpoint - telemetry data from ControlUp Monitors |
| Monitor | solve.controlup.com | TCP | 443 | HTTPS | Required to use the VDI App actions |
| Monitor | solve-cdn.controlup.com | TCP | 443 | HTTPS | Required to deliver static files |
| Monitor | cu-services-cpa.controlup.com | TCP | 443 | HTTPS | Outbound security Kubernetes service, Master Broker, Action API notification service, Identity Management service, Configuration Kubernetes service, SBA Store Kubernetes service |
| Monitor | cu-services-cpa-eu.controlup.com | TCP | 443 | HTTPS | Outbound security Kubernetes service, Master Broker, Action API notification service, Identity Management service, Configuration Kubernetes service, SBA Store Kubernetes service |
| Monitor | cu-services-cpz-eu.controlup.com | TCP | 443 | HTTPS | Schema service, Monitor receiver |
Mandatory Ports
| Source | DNS | Type | Port | Protocol | Purpose |
|---|---|---|---|---|---|
| Monitor | ControlUp Agent | TCP | 135 - 139, 445, 49152-65535 | RPC / WMI / SMB | Agent deployment via the monitor |
| Monitor | ControlUp Agent | TCP | 40705 | WCF | Monitor to agent communication |
| Monitor | ControlUp Monitor | TCP | 40706 | WCF | Inter-Monitor communication |
| Monitor | ControlUp Monitor | TCP | 135 - 139, 445, 49152-65535 | RPC / WMI / SMB | Monitor deployment from the console |
| Monitor | Data Collector | TCP | 40705 | WCF | Monitor to data collector communication |
| Monitor | Domain Controller | TCP | 389 | LDAP | LDAP communication with Domain Controllers |
Optional ports, depending on what you want to monitor
| Source | DNS | Type | Port | Protocol | Purpose |
|---|---|---|---|---|---|
| Monitor | https://* .cloud.com https://*.citrixworkspacesapi.net https:// *.xendesktop.net |
TCP | 443 | HTTPS | Communication with Citrix Cloud |
| Monitor | Citrix XenDesktop Controllers | TCP | 80 / 443 | HTTP/S | Communication with XenDesktop Infrastructure |
| Monitor | Citrix XenServer Pool Master/Hosts | TCP | 80 / 443 | HTTP/S | Communication with XenServer Infrastructure (and RRD communications) |
| Monitor | Linux Client | TCP | 22 | SSH | Communications with Linux machines |
| Monitor | NetScalers | TCP | 443 / 80 | HTTP(S) | Depending on what the administrator configured |
| Monitor | Nutanix/AHV | TCP | 9440 | Communication with Nutanix Infrastructure | |
| Monitor | SMTP Server | TCP | 25 | Email alerts | |
| Monitor | Horizon Connection Server | TCP | 443 | HTTPS | Communication with Horizon Infrastructure |
| Monitor | VMware vCenter Server | TCP | 443 | HTTPS | Communication with vSphere Infrastructure |
| Monitor | solve-ws-proxy-eu.controlup.com* | TCP | 443 | HTTPS / WSS | Remote Control session from the VDI App |
* These URLs are only relevant for ControlUp version 9.0.
From the Real-Time Data Collector Machine
Optional ports, depending on what you want to monitor
| Source | DNS | Type | Port | Protocol | Purpose |
|---|---|---|---|---|---|
| Data Collector | https://* .cloud.com https://*.citrixworkspacesapi.net https:// *.xendesktop.net |
TCP | 443 | HTTPS | Communication with Citrix Cloud |
| Data Collector | https://management.azure.com | TCP | 443 | HTTPS | Communication with Microsoft Azure |
| Data Collector | https://sts.amazonaws.com https://ec2.amazonaws.com |
TCP | 443 | HTTPS | Communication with AWS for the AWS Cloud integration. |
| Data Collector | Citrix XenDesktop Controllers | TCP | 80 / 443 | HTTP/S | Communication with XenDesktop Infrastructure |
| Data Collector | Citrix XenServer Pool Master/Hosts | TCP | 80 / 443 | HTTP/S | Communication with XenServer Infrastructure (and RRD communications) |
| Data Collector | Linux Client | TCP | 22 | SSH | Communications with Linux machines |
| Data Collector | NetScalers | TCP | 443 / 80 | HTTP(S) | Depending on what the administrator configured |
| Data Collector | Nutanix/AHV | TCP | 9440 | Communication with Nutanix Infrastructure | |
| Data Collector | Horizon Connection Server | TCP | 443 | HTTPS | Communication with Horizon Infrastructure |
| Data Collector | VMware vCenter Server | TCP | 443 | HTTPS | Communication with vSphere Infrastructure |
Required Connection for Real-Time Reports from New Data Pipeline
To enable ControlUp monitors to send data to the new data pipeline for reporting, add the following URL to your allow list:
- https://monitor-receiver-azure-westeurope-prod.controlup.com/v1/data
Or by IP address: 20.4.63.242
(As mentioned in the Monitor table above.)
If you use legacy reports to view historical data, add the following URLs to your allow list:
- https://cu-services-cpa-eu.controlup.com
- https://cu-services-cpz-eu.controlup.com
Synthetic Monitoring
ControlUp for VDI & DaaS includes proactive synthetic testing for your network infrastructure and EUC gateways. Visit Communication requirements for Scoutbees for details.