Read this article and make sure you meet the prerequisites before you deploy ControlUp for Desktops.
This article covers the prerequisites for implementing ControlUp for Desktops. For prerequisites for other ControlUp products, visit the following articles:
- ControlUp Synthetic Monitoring communication requirements
- ControlUp for VDI communication ports (US Region)
- ControlUp for VDI communication ports (EU Region)
Network requirements
Some of these URLs require you to enter your tenant name. To find your tenant name, go to Devices > Configuration > Downloads.
Managed physical endpoints must have access to these URLs:
URL |
Type | Notes |
|---|---|---|
| <tenant-name>.sip.controlup.com | HTTPS and WSS over port 443 (SSL) | The ControlUp for Desktops Agent connects to WSS (secure websocket) on the tenant for Remote Control, Remote Shadow, and Remote Shell using the configured proxy. If you use domain-based firewall rules, you might need to add an extra URL. Read below for details. |
| downloads.sip.controlup.com | HTTPS over port 443 (SSL) | Used for downloading ControlUp for Desktops Agent versions and ControlUp for Apps browser extensions. |
| cdn.spm.controlup.com/waapi | HTTPS over port 443 (SSL) | Required only for ControlUp for Compliance |
| cdn.spm.controlup.com/agent | HTTPS over port 443 (SSL) | Required only for ControlUp for Compliance |
| securedx-cdn.controlup.com | HTTPS over port 443 (SSL) | Required only for ControlUp for Compliance |
| For Google Chrome: https://edgedx.blob.core.windows.net/ artifacts/appdx/latest/appdx_chrome.xml For Microsoft Edge: https://edgedx.blob.core.windows.net/ artifacts/appdx/latest/appdx_edge.xml |
HTTPS over port 443 (SSL) | Required for deploying the ControlUp for Apps browser extensions. |
To use the ControlUp application in your browser, you must have access to the these URLs:
URL |
Type | Notes |
|---|---|---|
| <tenant-name>.sip.controlup.com | HTTPS and WSS over port 443 (SSL) | WSS (secure websocket) connection to the tenant is required for Remote Control, Remote Shadow, and Remote Shell. |
| app.controlup.com | HTTPS over port 443 (SSL) | |
| google.com/recaptcha | HTTPS over port 443 (SSL) | Used for authentication (reCAPTCHA) |
| gstatic.com/recaptcha | HTTPS over port 443 (SSL) | Used for authentication (reCAPTCHA) |
| maps.google.com | HTTPS over port 443 (SSL) | |
| edgedx-functions.azurewebsites.net | HTTPS over port 443 (SSL) | Required only for the first time you sign in to your environment and create your tenant. |
| https://prod-dex-login-eastus.controlup.com (for US region) or https://prod-dex-login-westeurope.controlup.com (for EU region) | HTTPS over port 443 (SSL) | Required only for SAML SSO |
| https://employee-cdn-prod.controlup.com | HTTPS over port 443 (SSL) | Required to access the Employees dashboards |
Requirement for domain-based firewall rules
Your tenant URL is normally in the format: <tenant-name>.sip.controlup.com. This is a CNAME record pointing to an Azure domain which can point to a Load Balancer or your ControlUp tenant directly. If you use domain-based firewall rules, you might also need to allow your access to the intermediary CNAME domain. To find it, run an nslookup on <tenant-name>.sip.controlup.com.
SSL inspection
If you have a proxy or firewall performing SSL inspection, you must have the trusted certificate installed on devices with the ControlUp for Desktops Agent installed. The certificate must be accessible to the Computer account (and not only the User account).
Alternatively, you can disable SSL inspection for your tenant URL (<tenant-name>.sip.controlup.com).
Proxy server
You can configure the ControlUp for Desktops Agent to use a proxy server during Agent installation.
If your proxy is only open when a user account is signed in, and you want to monitor the device when no user account is signed in, configure your proxy to bypass the following URLs:
- <tenant-name>.sip.controlup.com
- downloads.sip.controlup.com
ZScaler VPN
If you are using a ZScaler VPN, follow the instructions in this article to ensure that you can see the real IP addresses of your devices.
Antivirus exclusions
Whitelist the following directories in your antivirus software (including next-gen security products such as Crowdstrike, Carbon Black, etc.):
C:\Program Files\Avacee\sip_agent\
C:\ProgramData\Avacee\sip_agent\scripts
C:\Program Files\ControlUp\AgentManager
C:\ProgramData\ControlUp\EdgeDx\UserSurveys
Alternatively, if you are unable to whitelist directories, you can whitelist the following executables:
C:\Program Files\Avacee\sip_agent\SIPAgent.exe
C:\Program Files\Avacee\sip_agent\RCNotifications.exe
C:\Program Files\Avacee\sip_agent\UserPrompt.exe
C:\Program Files\Avacee\sip_agent\WinFocusMonitor.exe
C:\Program Files\Avacee\sip_agent\Wow64MIHelper.exe
C:\Program Files\Avacee\sip_agent\uwp\Survey.exe
C:\Program Files\Avacee\sip_agent\wpf\SentimentUI.exe
C:\Program Files\ControlUp\AgentManager\AgentManager.exe
Test your connection
To make sure you have all networking and proxy requirements in place, run our network tester tool.