Communication Ports for VDI & DaaS (US Region)
    • Dark
      Light
    • PDF

    Communication Ports for VDI & DaaS (US Region)

    • Dark
      Light
    • PDF

    Article summary

    This article covers the communication requirements for deploying ControlUp version 9.0 and higher for VDI & DaaS in the US + rest of the world (non-EU) region. Visit these articles to see the communication requirements for:

    HybridArch9.0

    Network testing tool

    You can use our network connection testing tool to make sure you have all the network communication requirements in place.

    9.0 Specific URLs

    All 9.0 and higher specific URLs below need to be accessed via port 443. All these services are running via REST.

    9.0 Monitors

    9.0 and higher monitors initially attempt to connect to cu-services-cpa.controlup.com. Depending on their geolocation, they will then attempt to connect to a region-specific URL (either -us or -eu). If your organization operates monitors in different geographical regions, we highly recommend to allowlist all URLs as listed below to avoid communication issues.

    Outbound Connections

    The following table includes all the communication ports that you need for ControlUp to work properly. To use our integrations, you must allowlist mandatory ports and URLs, as well as mandatory outbound URLs.

    When you use a proxy in your environment, you must allowlist and open the ControlUp cloud configuration servers through your proxy.

    Network Tester Tool

    To verify connectivity from ControlUp products and components, you can use our network tester tool which checks connectivity to all required outbound URLs.

    Web Application Firewall

    ControlUp ensures that all URLs are protected using TLS to safeguard data during transit. However, for certain URLs, you must also enable SOAP. You can find this information in the Purpose column for the relevant URLs.

    From the Real-Time Agent Machine*

    For the optional outbound communication feature, ensure you allowlist the following URLs. Similarly, we recommend to allowlist all URLs if your agent machines operate across various geographical locations.

    SourceDNSTypePortProtocolPurpose
    Mandatory outbound URLs to use Agent Outbound Communication
    ControlUp AgentControlUp MonitorTCP443HTTPSAgent to Monitor communication
    ControlUp Agentcu-agents-cpa.controlup.com/broker-discoveryTCP443HTTPSBroker Discovery service for agent outbound communication
    ControlUp Agentcu-agents-cpa.controlup.com/outbound-securityTCP443HTTPSOutbound security service for agent outbound communication
    ControlUp Agentcu-agents-cpa-us.controlup.com/broker-discoveryTCP443HTTPSBroker Discovery service for agent outbound communication
    ControlUp Agentcu-agents-cpa-us.controlup.com/outbound-securityTCP443HTTPSOutbound security service for agent outbound communication
    Optional ports, to use Remote Control in web UI
    ControlUp Agentsolve-ws-proxy-us.controlup.comTCP443HTTPS / WSSRemote Control session from the web UI

    * These URLs are only relevant to use Agent Outbound Communication in ControlUp version 9.0

    SSL Inspection

    It is possible that outbound communication from the Real-Time agent machines to our services may be disrupted by SSL inspection technology. In this case, it is recommended that the address spaces or IPs are added to internal bypass lists to allow for this communication to succeed.

    From the machine used to access the DEX Platform web app

    To manage your VDI & DaaS environment from the web UI, your machine must have access to:

    SourceDNSTypePortProtocolPurpose
    Any computerapp.controlup.comTCP443HTTPSDEX platform
    Any computergoogle.com/recaptchaTCP443HTTPSAuthentication (reCAPTCHA)
    Any computergstatic.com/recaptchaTCP443HTTPSAuthentication (reCAPTCHA)
    Any computerhttps://prod-dex-login-eastus.controlup.comTCP443HTTPSRequired only for SAML SSO

    9.0 Consoles

    9.0 and higher consoles initially attempt to connect to cu-services-cpa.controlup.com to retrieve a list of required backend services. Similar to the monitors, we highly recommend to allowlist all URLs, especially if you are operating the console on machines across different geographical regions.

    From the Real-Time Console Machine

    To use the Real-Time DX desktop console (used for configuration and connecting to your virtual infrastructure), your machine must have access to:

    SourceDNSTypePortProtocolPurpose
    Mandatory outbound URLs
    Consoleapp.controlup.comTCP443HTTPSRequired only for Real-Time DX version 9.0.5 or higher. Used for authentication through the DEX platform.
    Consolegoogle.com/recaptchaTCP443HTTPSRequired only for Real-Time DX version 9.0.5 or higher. Used for authentication through the DEX platform.
    Consolegstatic.com/recaptchaTCP443HTTPSRequired only for Real-Time DX version 9.0.5 or higher. Used for authentication through the DEX platform.
    Consolefe1.controlup.comTCP443HTTPSReal-Time DX login services, SOAP
    Consolefe2.controlup.comTCP443HTTPSReal-Time DX login services, SOAP
    Consolefe3.controlup.comTCP443HTTPSReal-Time DX login services, SOAP
    Consolefe4.controlup.comTCP443HTTPSReal-Time DX login services, SOAP
    Consolert-app.controlup.comTCP443HTTPSReal-Time DX login services, SOAP
    Consolert-app-us.controlup.comTCP443HTTPSReal-Time DX login services
    Consolecu-ca-us.controlup.comTCP443HTTPSReal-Time DX Centralized Auditing services
    Consolecu-services-cpa.controlup.comTCP443HTTPSGoogle Analytics service, Google Kubernetes service, Events Reporter Kubernetes service, Identity Mangement service, Configuration Kubernetes service, SBA Store Kubernetes service
    Consolecu-services-cpa-us.controlup.comTCP443HTTPSGoogle Analytics service, Google Kubernetes service, Events Reporter Kubernetes service, Identity Mangement service, Configuration Kubernetes service, SBA Store Kubernetes service
    Consolecu-services-cpa.controlup.com/api/ServiceDiscovery/GetLoginUrlTCP443HTTPSRequired only for Real-Time DX version 9.0 or higher. Used for Service Discovery, login URL
    Mandatory ports
    ConsoleControlUp AgentTCP40705WCFIncoming TCP / WCF traffic from Console and Monitor cluster to ControlUp Agents
    ConsoleControlUp AgentTCP135 - 139RPCAgent deployment from the Console and certain built-in actions such as restarting the Agent
    ConsoleControlUp MonitorTCP40706WCFConsole ⇔ Monitor and internal Monitor cluster communication
    ConsoleControlUp MonitorTCP135 - 139, 445, 49152-65535RPC / WMI / SMBMonitor deployment and upgrades from the Console and certain built-in actions, such as restarting the Agent
    ConsoleData CollectorTCP40705WCFConsole to data collector communication
    ConsoleDomain ControllerTCP/UDP389, 3268LDAPLDAP communication from the Real-Time Console and ControlUp Monitors with Domain Controllers
    Optional ports, depending on what you want to monitor
    Consolehttps://*.cloud.com
    https://*.citrixworkspacesapi.net
    https://*.xendesktop.net
    TCP443HTTPSCommunication with Citrix Cloud
    ConsoleCitrix XenDesktop ControllersTCP80/443HTTP/SCommunication with XenDesktop infrastructure
    ConsoleCitrix XenServer Pool Master/HostsTCP80/443HTTP/SCommunication with XenServer Infrastructure (and RRD communications)
    ConsoleLinux ClientTCP22SSHCommunications with Linux machines
    ConsoleNetScalersTCP80/443HTTP/SDepending on what the administrator configured
    ConsoleNutanix/AHVTCP9440Communication with Nutanix Infrastructure
    ConsoleVMware Horizon Connection ServerTCP443HTTPSCommunication with Horizon infrastructure
    ConsoleVMware vCenter ServerTCP443HTTPSCommunication with vSphere infrastructure

    From the Real-Time Monitor Machine

    SourceDNSTypePortProtocolPurpose
    Mandatory outbound URLs
    Monitorfe1.controlup.comTCP443HTTPSReal-Time DX login services, SOAP
    Monitorfe2.controlup.comTCP443HTTPSReal-Time DX login services, SOAP
    Monitorfe3.controlup.comTCP443HTTPSReal-Time DX login services, SOAP
    Monitorfe4.controlup.comTCP443HTTPSReal-Time DX login services, SOAP
    Monitorrt-app.controlup.comTCP443HTTPSReal-Time DX login services, SOAP
    Monitorrt-app-us.controlup.comTCP443HTTPSReal-Time DX login services
    Monitorcu-ca-us.controlup.comTCP443HTTPSReal-Time DX Centralized Auditing services
    Monitormonitor-receiver-azure-eastus-prod.controlup.com/v1/data

    Or by IP address: 20.168.200.122
    TCP443HTTPSReal-Time DX new data pipeline for reports (US and rest of world)
    Monitormonitor-receiver-azure-canadacentral-prod.controlup.com

    Or by IP address: 20.220.227.160
    TCP443HTTPSReal-Time DX new data pipeline for reports (Canada only)
    Monitorinsights-hec.controlup.comTCP443HTTPSHTTP Event Collector (HEC) Endpoint - telemetry data from ControlUp Monitors
    Monitormp.controlup.comTCP443HTTPS / WSSWeb UI (Monitor Proxy)
    Monitorsolve.controlup.comTCP443HTTPSWeb UI Action API Notification Service, Remote Control Feature
    Monitorsolve-cdn.controlup.comTCP443HTTPSRequired to deliver static files
    Monitors3.amazonaws.comTCP443HTTPSHistorical data uploads for the legacy reports. This is not required for new customers, or customers who have upgraded to the new data pipeline. See VDI and DaaS Reports for details.
    Monitorcu-services-cpa.controlup.comTCP443HTTPSOutbound security Kubernetes service, Master Broker, Action API notification service, Identity Mangement service, Configuration Kubernetes service, SBA Store Kubernetes service
    Monitorcu-services-cpa-us.controlup.comTCP443HTTPSOutbound security Kubernetes service, Master Broker, Action API notification service, Identity Mangement service, Configuration Kubernetes service, SBA Store Kubernetes service
    Monitorcu-services-cpz-us.controlup.comTCP443HTTPSSchema service, Monitor receiver
    Monitorrt-app-services-us.controlup.comTCP443HTTPSShadow Kubernetes service
    Mandatory ports
    MonitorControlUp AgentTCP135 - 139, 445, 49152-65535RPC / WMI / SMBAgent deployment via the monitor
    MonitorControlUp AgentTCP40705WCFMonitor to agent communication
    MonitorControlUp MonitorTCP40706WCFInter-Monitor communication
    MonitorControlUp MonitorTCP135 - 139, 445, 49152-65535RPC / WMI / SMBMonitor deployment from the console
    MonitorData CollectorTCP40705WCFMonitor to data collector communication
    MonitorDomain ControllerTCP/UDP389, 3268LDAPLDAP communication with Domain Controllers
    Optional ports, depending on what you want to monitor
    Monitorhttps://*.cloud.com
    https://*.citrixworkspacesapi.net
    https://*.xendesktop.net
    TCP443HTTPSCommunication with Citrix Cloud
    MonitorCitrix XenDesktop ControllersTCP80/443HTTP/SCommunication with XenDesktop infrastructure
    MonitorCitrix XenServer Pool Master/HostsTCP80/443HTTP/SCommunication with XenServer Infrastructure (and RRD communications)
    MonitorLinux ClientTCP22SSHCommunications with Linux machines
    MonitorNetScalersTCP80/443HTTP/SDepending on what the administrator configured
    MonitorNutanix/AHVTCP9440Communication with Nutanix Infrastructure
    MonitorSMTP ServerTCP25SMTPEmail alerts
    MonitorVMware Horizon Connection ServerTCP443HTTPSCommunication with Horizon infrastructure
    MonitorVMware vCenter ServerTCP443HTTPSCommunication with vSphere infrastructure
    Monitorsolve-ws-proxy-us.controlup.com*TCP443HTTPS / WSSRemote Control session from the web UI
    * These URLs are only relevant for ControlUp version 9.0.

    From the Real-Time Data Collector Machine

    SourceDNSTypePortProtocolPurpose
    Optional ports, depending on what you want to monitor
    Data Collectorhttps://*.cloud.com
    https://*.citrixworkspacesapi.net
    https://*.xendesktop.net
    TCP443HTTPSCommunication with Citrix Cloud
    Data Collectorhttps://management.azure.comTCP443HTTPSCommunication with Microsoft Azure
    Data Collectorhttps://sts.amazonaws.com
    https://ec2.amazonaws.com
    TCP443HTTPSCommunication with AWS for the AWS Cloud integration.
    Data CollectorCitrix XenDesktop ControllersTCP80/443HTTP/SCommunication with XenDesktop infrastructure
    Data CollectorCitrix XenServer Pool Master/HostsTCP80/443HTTP/SCommunication with XenServer Infrastructure (and RRD communications)
    Data CollectorLinux ClientTCP22SSHCommunications with Linux machines
    Data CollectorNetScalersTCP80/443HTTP/SDepending on what the administrator configured
    Data CollectorNutanix/AHVTCP9440Communication with Nutanix Infrastructure
    Data CollectorVMware Horizon Connection ServerTCP443HTTPSCommunication with Horizon infrastructure
    Data CollectorVMware vCenter ServerTCP443HTTPSCommunication with vSphere infrastructure

    Required Connection for Real-Time Reports from New Data Pipeline

    To enable ControlUp monitors to send data to the new data pipeline for reporting, add the respective URL to your allow list based on your region:

    • https://monitor-receiver-azure-eastus-prod.controlup.com/v1/data
    • https://monitor-receiver-azure-canadacentral-prod.controlup.com

    Or by IP address, as mentioned in the Monitor table above:

    • 20.168.200.122 (US East)
    • 20.220.227.160 (Canada)

    If you use legacy reports to view historical data, add the following URLs to your allow list:

    • https://cu-services-cpa-us.controlup.com
    • https://cu-services-cpz-us.controlup.com

    Synthetic Monitoring

    ControlUp for VDI & DaaS includes proactive synthetic testing for your network infrastructure and EUC gateways. Visit Communication requirements for Scoutbees for details.


    Was this article helpful?