Connectivity requirements
Contents |
Connectivity requirements
Overview
Find the connectivity requirements of every Nexthink product in the reference tables below. You can configure some of the products to use either a secure or a non secure channel for specific services (see the column Reason). Depending on their configuration, note that you may require to allow connections through a different port number.
Starting from V6.19, if rule-based Collector assignment is turned on, the TCP channel of the Collector also connects to the Portal. Collectors use this connection to ask for their assigned Engine. From V6.20 on, if you change the default port number of the Collector TCP channel, modify accordingly the port number where the Portal is listening.
Starting from V6.21, the Collector no longer requires a separate UDP channel to send end-user analytics to the Engine. Instead, end-user analytics, as well as coordination data and updates, may be optionally transmitted through the TCP channel. If you change the default port numbers that the Collector uses for communicating with the Engine, change as well the default port numbers in the Engine through the Web Console. Starting from V6.24, the default is to use TCP port 443 for all Collector communications in on-premises setups, although the use of a custom TCP port (default 8443) and the UDP channel are still allowed. On the Nexhtink Cloud, TCP port 8443 is used for all Collector communications.
For each connection, the tables indicate the transport protocol used. When an application protocol handles the connection over the transport layer, the name of the application protocol precedes the name of the transport protocol.
First, find in this overview two diagrams:
- A diagram with the connections and default ports that are common to all Nexthink Appliances, regardless of the Appliance hosting the Portal, the Engine or both.
- A diagram with the default ports of the Portal and Engine Appliances separately, as well as the connections with other components.
Common connections of the Appliance
Connections between Portal, Engine and other components
Connections required for rule-based Collector Assignment
Starting from V6.19, the following additional connections are required if rule-based Collector assignment is turned on. Federate your appliances before activating rule-based Collector assignment.
The connectivity between Engines through TCP and UDP ports 8301 is optional, as the consensus protocol behind rule-based Collector assignment uses these connections to implement a feature that is actually not required by Collector assignment. If communication through TCP and UDP ports 8301 is blocked between Engines (by internal firewalls, for instance), the underlying consensus protocol will write failed connection messages to its log file:
-
/var/nexthink/nxconsul/logs/nxconsul.log
You can safely ignore these error messages.
Engine
In the following table, we describe the different ports that must be open on the Engine appliance to communicate seamlessly with the other Nexthink components and with standard network services.
| Port
Number | Protocol | Direction
(IN/OUT) | Reason | Domains |
|---|---|---|---|---|
| 22 | SSH / TCP | IN | Secure shell connection to the CLI | |
| SSH / TCP | IN OUT | Appliance federation | ||
| 25 | SMTP / TCP | OUT | Mail server for notifications | |
| 53 | DNS / UDP | OUT | Resolving destination names by reverse IP | |
| 99 | HTTPS / TCP | IN | Administration through the Web Console | |
| 123 | NTP / UDP | OUT | Time synchronization |
0.centos.pool.ntp.org 1.centos.pool.ntp.org 2.centos.pool.ntp.org |
| 389 | LDAP / TCP | OUT | Connection to Active Directory (non secure) | |
| 443 | WebSocket / TCP | IN | Collector TCP channel to the Engine (on-premises default) | |
| HTTPS / TCP | IN | Access to the Web API | Only for Engines on the Nexthink Cloud | |
| HTTPS / TCP | OUT | Connection to the Application Library |
application‑library‑v5.nexthink.com application‑library‑v6.nexthink.com | |
| HTTPS / TCP | OUT | Connection to automatic updates |
updates‑v6.nexthink.com updates‑centos‑v6.nexthink.com | |
| 636 | LDAPs / TCP | OUT | Connection to Active Directory (secure) | |
| 999 | UDP | IN | Optional: Collector analytics | |
| TCP | IN | User connection from the Finder (on premises only) or the Portal | ||
| 1671 | HTTPS / TCP | IN | Access to the Web API | Only for Engines on premises (V6.X) |
| 20XX | TCP | IN | User connection from the Finder (Nexthink Cloud only), where XX indicates the Engine number | |
|
7000 7001 7002 7003 | TCP | OUT | Communication channels with the Portal | |
| 8300 | TCP | IN OUT | Communication with Portal for Collector assignment | |
| 8301 | TCP & UDP | IN OUT | Communication with Portal and peer Engines for Collector assignment | |
| 8443 | WebSocket / TCP | IN | Collector default custom / Nexthink Cloud TCP channel to the Engine | |
| 10402 | TCP | OUT | Additional communication with Portal for Collector assignment | |
| 11031 | HTTPS / TCP | OUT | Communication with the Mobile Bridge |
Portal
In the following table, we describe the different ports that must be open in the Portal appliance to communicate seamlessly with the other Nexthink components.
| Port
Number | Protocol | Direction
(IN/OUT) | Reason | Domains |
|---|---|---|---|---|
| 22 | SSH / TCP | IN | Secure shell connection to the CLI | |
| SSH / TCP | IN OUT | Appliance federation | ||
| 25 | SMTP / TCP | OUT | Mail server for notifications | |
| 53 | DNS / UDP | OUT | Lookup name of AD servers | |
| 80 | HTTP / TCP | IN | Access to the Portal (non secure) | |
| 88 | TCP & UDP | OUT | Kerberos authentication of AD users | |
| 99 | HTTPS / TCP | IN | Administration through the Web Console | |
| HTTPS / TCP | OUT | Centralized administration of the Engine | ||
| 123 | NTP / UDP | OUT | Time synchronization |
0.centos.pool.ntp.org 1.centos.pool.ntp.org 2.centos.pool.ntp.org |
| 389 | LDAP / TCP | OUT | Connection to Active Directory (non secure) | |
| 443 | HTTPS / TCP | IN | Access to the Portal (secure) | |
| WebSocket / TCP | IN | User connection from the Finder | ||
| WebSocket / TCP | IN | Collector TCP channel to the Portal (on premises default) | ||
| HTTPS / TCP | IN | Installation and updates of the Finder from the Portal | Portal address | |
| HTTPS / TCP | IN | API of remote actions | Portal address | |
| HTTPS / TCP | OUT | Connection to the Online License mechanism | license.nexthink.com | |
| HTTPS / TCP | OUT | Connection to the Application Library |
application‑library‑v5.nexthink.com application‑library‑v6.nexthink.com | |
| HTTPS / TCP | OUT | Connection to automatic updates |
updates‑v6.nexthink.com updates‑centos‑v6.nexthink.com | |
| 636 | LDAPs / TCP | OUT | Connection to Active Directory (secure) | |
| 999 | TCP | OUT | Connection to the Engine | |
|
7000 7001 7002 7003 | TCP | IN | Communication channels with the Engine | |
| 8100 | HTTP / TCP | OUT | Send license information to Local License Manager | |
| 8300 | TCP | IN OUT | Communication with Engines for Collector assignment | |
| 8301 | TCP & UDP | IN OUT | Communication with Engines for Collector assignment | |
| 8443 | WebSocket / TCP | IN | Collector default custom / Nexthink Cloud TCP channel to the Portal | |
| 10402 | TCP | IN | Additional communication with Engines for Collector assignment |
Local License Manager
The Local License Manager resides in the same machine as the Portal.
| Port
Number | Protocol | Direction
(IN/OUT) | Reason |
|---|---|---|---|
| 8100 | HTTP / TCP | IN | Get license information from the Portal |
Mobile Bridge
The Mobile Bridge needs to connect to the Exchange CAS to get mobile information. In turn, it offers a REST interface for the Engine to use to retrieve the collected information.
| Port
Number | Protocol | Direction
(IN/OUT) | Reason |
|---|---|---|---|
| 80 | HTTP / TCP | OUT | Communication with Exchange (non secure) |
| 443 | HTTPS / TCP | OUT | Communication with Exchange (secure) |
| 11031 | HTTP / TCP | IN | REST interface for the Engine |
Finder
In the following table, we describe the different ports that must be opened on the computers running the Finder to communicate seamlessly with the other Nexthink components.
| Port
Number | Protocol | Direction
(IN/OUT) | Reason | Domains |
|---|---|---|---|---|
| 25 | SMTP / TCP | OUT | Send email in case of error | |
| 80 | HTTP / TCP | OUT | Connection to the documentation web site | doc.nexthink.com |
| HTTP / TCP | OUT | Verification of security certificates | ocsp.verisign.com | |
| 443 | WebSocket / TCP | OUT | User connection to the Portal | |
| HTTPS / TCP | OUT | Installation and updates of the Finder from the Portal | Portal address | |
| HTTPS / TCP | OUT | Support telemetry | alib.nexthink.com | |
| HTTPS / TCP | OUT | Connection to the Library | library.nexthink.com | |
| 999 | TCP | OUT | User connection to the Engine (on premises only) | |
| 20XX | WebSocket / TCP | OUT | User connection to the Engine (Nexthink Cloud only), where XX is the Engine number |
Collector
In the following table, we describe the different ports that must be opened on the computers running the Nexthink Collector to send data seamlessly with the Nexthink Engine.
| Port
Number | Protocol | Direction
(IN/OUT) | Reason |
|---|---|---|---|
| 999 | UDP | OUT | Optional: Collector UDP channel to the Engine |
| 443 | WebSocket / TCP | OUT | Collector default (on premises) TCP channel to the Engine and, if rule-based Collector assignment is turned on, to the Portal |
| 8443 | WebSocket / TCP | OUT | Collector default custom / Nexthink Cloud TCP channel to the Engine and, if rule-based Collector assignment is turned on, to the Portal |
In addition, starting from V6.19, Windows Collector components call a Windows API method once every 24 hours that triggers a connection for client to domain controller operations through TCP port 135. Ephemeral TCP ports in the range 49152-65535 are used for service response.