- Print
- DarkLight
- PDF
Communication Ports for VDI & DaaS (US Region)
- Print
- DarkLight
- PDF
This article covers the communication requirements for deploying ControlUp version 9.0 and higher for VDI & DaaS in the US + rest of the world (non-EU) region. Visit these articles to see the communication requirements for:
- Synthetic Monitoring (Scoutbees)
- ControlUp for Physical Endpoints & Apps
- Communication Ports for VDI & DaaS (EU Region)
Network testing tool
You can use our network connection testing tool to make sure you have all the network communication requirements in place.
9.0 Specific URLs
All 9.0 and higher specific URLs below need to be accessed via port 443. All these services are running via REST.
9.0 Monitors
9.0 and higher monitors initially attempt to connect to cu-services-cpa.controlup.com. Depending on their geolocation, they will then attempt to connect to a region-specific URL (either -us or -eu). If your organization operates monitors in different geographical regions, we highly recommend to allowlist all URLs as listed below to avoid communication issues.
Outbound Connections
The following table includes all the communication ports that you need for ControlUp to work properly. To use our integrations, you must allowlist mandatory ports and URLs, as well as mandatory outbound URLs.
When you use a proxy in your environment, you must allowlist and open the ControlUp cloud configuration servers through your proxy.
To verify connectivity from ControlUp products and components, you can use our network tester tool which checks connectivity to all required outbound URLs.
ControlUp ensures that all URLs are protected using TLS to safeguard data during transit. However, for certain URLs, you must also enable SOAP. You can find this information in the Purpose column for the relevant URLs.
From the Real-Time Agent Machine*
For the optional outbound communication feature, ensure you allowlist the following URLs. Similarly, we recommend to allowlist all URLs if your agent machines operate across various geographical locations.
Source | DNS | Type | Port | Protocol | Purpose |
---|---|---|---|---|---|
Mandatory outbound URLs to use Agent Outbound Communication | |||||
ControlUp Agent | ControlUp Monitor | TCP | 443 | HTTPS | Agent to Monitor communication |
ControlUp Agent | cu-agents-cpa.controlup.com/broker-discovery | TCP | 443 | HTTPS | Broker Discovery service for agent outbound communication |
ControlUp Agent | cu-agents-cpa.controlup.com/outbound-security | TCP | 443 | HTTPS | Outbound security service for agent outbound communication |
ControlUp Agent | cu-agents-cpa-us.controlup.com/broker-discovery | TCP | 443 | HTTPS | Broker Discovery service for agent outbound communication |
ControlUp Agent | cu-agents-cpa-us.controlup.com/outbound-security | TCP | 443 | HTTPS | Outbound security service for agent outbound communication |
Optional ports, to use Remote Control in web UI | |||||
ControlUp Agent | solve-ws-proxy-us.controlup.com | TCP | 443 | HTTPS / WSS | Remote Control session from the web UI |
* These URLs are only relevant to use Agent Outbound Communication in ControlUp version 9.0
It is possible that outbound communication from the Real-Time agent machines to our services may be disrupted by SSL inspection technology. In this case, it is recommended that the address spaces or IPs are added to internal bypass lists to allow for this communication to succeed.
From the machine used to access the DEX Platform web app
To manage your VDI & DaaS environment from the web UI, your machine must have access to:
Source | DNS | Type | Port | Protocol | Purpose |
---|---|---|---|---|---|
Any computer | app.controlup.com | TCP | 443 | HTTPS | DEX platform |
Any computer | google.com/recaptcha | TCP | 443 | HTTPS | Authentication (reCAPTCHA) |
Any computer | gstatic.com/recaptcha | TCP | 443 | HTTPS | Authentication (reCAPTCHA) |
Any computer | https://prod-dex-login-eastus.controlup.com | TCP | 443 | HTTPS | Required only for SAML SSO |
9.0 Consoles
9.0 and higher consoles initially attempt to connect to cu-services-cpa.controlup.com to retrieve a list of required backend services. Similar to the monitors, we highly recommend to allowlist all URLs, especially if you are operating the console on machines across different geographical regions.
From the Real-Time Console Machine
To use the Real-Time DX desktop console (used for configuration and connecting to your virtual infrastructure), your machine must have access to:
Source | DNS | Type | Port | Protocol | Purpose |
---|---|---|---|---|---|
Mandatory outbound URLs | |||||
Console | app.controlup.com | TCP | 443 | HTTPS | Required only for Real-Time DX version 9.0.5 or higher. Used for authentication through the DEX platform. |
Console | google.com/recaptcha | TCP | 443 | HTTPS | Required only for Real-Time DX version 9.0.5 or higher. Used for authentication through the DEX platform. |
Console | gstatic.com/recaptcha | TCP | 443 | HTTPS | Required only for Real-Time DX version 9.0.5 or higher. Used for authentication through the DEX platform. |
Console | fe1.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services, SOAP |
Console | fe2.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services, SOAP |
Console | fe3.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services, SOAP |
Console | fe4.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services, SOAP |
Console | rt-app.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services, SOAP |
Console | rt-app-us.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services |
Console | cu-ca-us.controlup.com | TCP | 443 | HTTPS | Real-Time DX Centralized Auditing services |
Console | cu-services-cpa.controlup.com | TCP | 443 | HTTPS | Google Analytics service, Google Kubernetes service, Events Reporter Kubernetes service, Identity Mangement service, Configuration Kubernetes service, SBA Store Kubernetes service |
Console | cu-services-cpa-us.controlup.com | TCP | 443 | HTTPS | Google Analytics service, Google Kubernetes service, Events Reporter Kubernetes service, Identity Mangement service, Configuration Kubernetes service, SBA Store Kubernetes service |
Console | cu-services-cpa.controlup.com/api/ServiceDiscovery/GetLoginUrl | TCP | 443 | HTTPS | Required only for Real-Time DX version 9.0 or higher. Used for Service Discovery, login URL |
Mandatory ports | |||||
Console | ControlUp Agent | TCP | 40705 | WCF | Incoming TCP / WCF traffic from Console and Monitor cluster to ControlUp Agents |
Console | ControlUp Agent | TCP | 135 - 139 | RPC | Agent deployment from the Console and certain built-in actions such as restarting the Agent |
Console | ControlUp Monitor | TCP | 40706 | WCF | Console ⇔ Monitor and internal Monitor cluster communication |
Console | ControlUp Monitor | TCP | 135 - 139, 445, 49152-65535 | RPC / WMI / SMB | Monitor deployment and upgrades from the Console and certain built-in actions, such as restarting the Agent |
Console | Data Collector | TCP | 40705 | WCF | Console to data collector communication |
Console | Domain Controller | TCP/UDP | 389, 3268 | LDAP | LDAP communication from the Real-Time Console and ControlUp Monitors with Domain Controllers |
Optional ports, depending on what you want to monitor | |||||
Console | https://*.cloud.com https://*.citrixworkspacesapi.net https://*.xendesktop.net | TCP | 443 | HTTPS | Communication with Citrix Cloud |
Console | Citrix XenDesktop Controllers | TCP | 80/443 | HTTP/S | Communication with XenDesktop infrastructure |
Console | Citrix XenServer Pool Master/Hosts | TCP | 80/443 | HTTP/S | Communication with XenServer Infrastructure (and RRD communications) |
Console | Linux Client | TCP | 22 | SSH | Communications with Linux machines |
Console | NetScalers | TCP | 80/443 | HTTP/S | Depending on what the administrator configured |
Console | Nutanix/AHV | TCP | 9440 | Communication with Nutanix Infrastructure | |
Console | VMware Horizon Connection Server | TCP | 443 | HTTPS | Communication with Horizon infrastructure |
Console | VMware vCenter Server | TCP | 443 | HTTPS | Communication with vSphere infrastructure |
From the Real-Time Monitor Machine
Source | DNS | Type | Port | Protocol | Purpose |
---|---|---|---|---|---|
Mandatory outbound URLs | |||||
Monitor | fe1.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services, SOAP |
Monitor | fe2.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services, SOAP |
Monitor | fe3.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services, SOAP |
Monitor | fe4.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services, SOAP |
Monitor | rt-app.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services, SOAP |
Monitor | rt-app-us.controlup.com | TCP | 443 | HTTPS | Real-Time DX login services |
Monitor | cu-ca-us.controlup.com | TCP | 443 | HTTPS | Real-Time DX Centralized Auditing services |
Monitor | monitor-receiver-azure-eastus-prod.controlup.com/v1/data Or by IP address: 20.168.200.122 | TCP | 443 | HTTPS | Real-Time DX new data pipeline for reports (US and rest of world) |
Monitor | monitor-receiver-azure-canadacentral-prod.controlup.com Or by IP address: 20.220.227.160 | TCP | 443 | HTTPS | Real-Time DX new data pipeline for reports (Canada only) |
Monitor | insights-hec.controlup.com | TCP | 443 | HTTPS | HTTP Event Collector (HEC) Endpoint - telemetry data from ControlUp Monitors |
Monitor | mp.controlup.com | TCP | 443 | HTTPS / WSS | Web UI (Monitor Proxy) |
Monitor | solve.controlup.com | TCP | 443 | HTTPS | Web UI Action API Notification Service, Remote Control Feature |
Monitor | solve-cdn.controlup.com | TCP | 443 | HTTPS | Required to deliver static files |
Monitor | s3.amazonaws.com | TCP | 443 | HTTPS | Historical data uploads for the legacy reports. This is not required for new customers, or customers who have upgraded to the new data pipeline. See VDI and DaaS Reports for details. |
Monitor | cu-services-cpa.controlup.com | TCP | 443 | HTTPS | Outbound security Kubernetes service, Master Broker, Action API notification service, Identity Mangement service, Configuration Kubernetes service, SBA Store Kubernetes service |
Monitor | cu-services-cpa-us.controlup.com | TCP | 443 | HTTPS | Outbound security Kubernetes service, Master Broker, Action API notification service, Identity Mangement service, Configuration Kubernetes service, SBA Store Kubernetes service |
Monitor | cu-services-cpz-us.controlup.com | TCP | 443 | HTTPS | Schema service, Monitor receiver |
Monitor | rt-app-services-us.controlup.com | TCP | 443 | HTTPS | Shadow Kubernetes service |
Mandatory ports | |||||
Monitor | ControlUp Agent | TCP | 135 - 139, 445, 49152-65535 | RPC / WMI / SMB | Agent deployment via the monitor |
Monitor | ControlUp Agent | TCP | 40705 | WCF | Monitor to agent communication |
Monitor | ControlUp Monitor | TCP | 40706 | WCF | Inter-Monitor communication |
Monitor | ControlUp Monitor | TCP | 135 - 139, 445, 49152-65535 | RPC / WMI / SMB | Monitor deployment from the console |
Monitor | Data Collector | TCP | 40705 | WCF | Monitor to data collector communication |
Monitor | Domain Controller | TCP/UDP | 389, 3268 | LDAP | LDAP communication with Domain Controllers |
Optional ports, depending on what you want to monitor | |||||
Monitor | https://*.cloud.com https://*.citrixworkspacesapi.net https://*.xendesktop.net | TCP | 443 | HTTPS | Communication with Citrix Cloud |
Monitor | Citrix XenDesktop Controllers | TCP | 80/443 | HTTP/S | Communication with XenDesktop infrastructure |
Monitor | Citrix XenServer Pool Master/Hosts | TCP | 80/443 | HTTP/S | Communication with XenServer Infrastructure (and RRD communications) |
Monitor | Linux Client | TCP | 22 | SSH | Communications with Linux machines |
Monitor | NetScalers | TCP | 80/443 | HTTP/S | Depending on what the administrator configured |
Monitor | Nutanix/AHV | TCP | 9440 | Communication with Nutanix Infrastructure | |
Monitor | SMTP Server | TCP | 25 | SMTP | Email alerts |
Monitor | VMware Horizon Connection Server | TCP | 443 | HTTPS | Communication with Horizon infrastructure |
Monitor | VMware vCenter Server | TCP | 443 | HTTPS | Communication with vSphere infrastructure |
Monitor | solve-ws-proxy-us.controlup.com* | TCP | 443 | HTTPS / WSS | Remote Control session from the web UI |
From the Real-Time Data Collector Machine
Source | DNS | Type | Port | Protocol | Purpose |
---|---|---|---|---|---|
Optional ports, depending on what you want to monitor | |||||
Data Collector | https://*.cloud.com https://*.citrixworkspacesapi.net https://*.xendesktop.net | TCP | 443 | HTTPS | Communication with Citrix Cloud |
Data Collector | https://management.azure.com | TCP | 443 | HTTPS | Communication with Microsoft Azure |
Data Collector | https://sts.amazonaws.com https://ec2.amazonaws.com | TCP | 443 | HTTPS | Communication with AWS for the AWS Cloud integration. |
Data Collector | Citrix XenDesktop Controllers | TCP | 80/443 | HTTP/S | Communication with XenDesktop infrastructure |
Data Collector | Citrix XenServer Pool Master/Hosts | TCP | 80/443 | HTTP/S | Communication with XenServer Infrastructure (and RRD communications) |
Data Collector | Linux Client | TCP | 22 | SSH | Communications with Linux machines |
Data Collector | NetScalers | TCP | 80/443 | HTTP/S | Depending on what the administrator configured |
Data Collector | Nutanix/AHV | TCP | 9440 | Communication with Nutanix Infrastructure | |
Data Collector | VMware Horizon Connection Server | TCP | 443 | HTTPS | Communication with Horizon infrastructure |
Data Collector | VMware vCenter Server | TCP | 443 | HTTPS | Communication with vSphere infrastructure |
Required Connection for Real-Time Reports from New Data Pipeline
To enable ControlUp monitors to send data to the new data pipeline for reporting, add the respective URL to your allow list based on your region:
- https://monitor-receiver-azure-eastus-prod.controlup.com/v1/data
- https://monitor-receiver-azure-canadacentral-prod.controlup.com
Or by IP address, as mentioned in the Monitor table above:
- 20.168.200.122 (US East)
- 20.220.227.160 (Canada)
If you use legacy reports to view historical data, add the following URLs to your allow list:
- https://cu-services-cpa-us.controlup.com
- https://cu-services-cpz-us.controlup.com
Synthetic Monitoring
ControlUp for VDI & DaaS includes proactive synthetic testing for your network infrastructure and EUC gateways. Visit Communication requirements for Scoutbees for details.