Connectivity requirements
Find the connectivity requirements of every Nexthink product in the reference tables below. You can configure some of the products to use either a secure or a non-secure channel for specific services (see the column Reason). Depending on their configuration, you may need to allow connections through a different port number.
Starting from V6.19, if rule-based Collector assignment is turned on, the TCP channel of the Collector also connects to the Portal. Collectors use this connection to ask for their assigned Engine. From V6.20 on, if you change the default port number of the Collector TCP channel, change the port number on which the Portal listens accordingly.
Starting from V6.21, the Collector no longer requires a separate UDP channel to send end-user analytics to the Engine. Instead, end-user analytics, as well as coordination data and updates, may optionally be transmitted through the TCP channel. If you change the default port numbers that the Collector uses for communicating with the Engine, also change the default port numbers in the Engine through the Web Console. Starting from V6.24, the default is to use TCP port 443 for all Collector communications in on-premises setups, although the use of a custom TCP port (default 8443) and the UDP channel are still allowed.
For each connection, the tables indicate the transport protocol used. When an application protocol handles the connection over the transport layer, the name of the application protocol precedes the name of the transport protocol.
First, find in this overview two diagrams:
A diagram with the connections and default ports that are common to all Nexthink Appliances, regardless of the Appliance hosting the Portal, the Engine or both.
A diagram with the default ports of the Portal and Engine Appliances separately, as well as the connections with other components.
Starting from V6.19, the following additional connections are required if the rule-based Collector assignment is turned on. Federate your appliances before activating the rule-based Collector assignment. The Collector assignment feature does not work when Portal and Engine are installed on the same Appliance.
The connectivity between Engines through TCP and UDP ports 8301 is optional, as the consensus protocol behind rule-based Collector assignment uses these connections to implement a feature that is actually not required by Collector assignment. If communication through TCP and UDP ports 8301 is blocked between Engines (by internal firewalls, for instance), the underlying consensus protocol will write failed connection messages to its log file:
/var/nexthink/nxconsul/logs/nxconsul.log
You can safely ignore these error messages.
In the following table, we describe the different ports that must be open on the Engine appliance to communicate seamlessly with the other Nexthink components and with standard network services.
| Port | Protocol | Direction | Reason | Target or notes |
|---|---|---|---|---|
| 22 | SSH / TCP | IN | Secure shell connection to the CLI | |
| 22 | SSH / TCP | IN OUT | Appliance federation | |
| 25 | SMTP / TCP | OUT | Mail server for notifications | |
| 53 | DNS / UDP | OUT | Resolving destination names by reverse IP | |
| 99 | HTTPS / TCP | IN | Administration through the Web Console | |
| 123 | NTP / UDP | OUT | Time synchronization | For CentOS-based appliances: 0.centos.pool.ntp.org, 1.centos.pool.ntp.org, 2.centos.pool.ntp.org. For Oracle Linux-based appliances: 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org |
| 389 | LDAP / TCP | OUT | Connection to Active Directory (non-secure) | |
| 443 | WebSocket / TCP | IN | Collector TCP channel to the Engine (on-premises default) | |
| 443 | WebSocket / TCP | IN | User connection from the Finder (Nexthink Cloud only) | |
| 443 | HTTPS / TCP | IN | Audit Trail API connection from the Portal | |
| 443 | HTTPS / TCP | IN | Access to the Web API | Only for Engines on the Nexthink Cloud |
| 443 | HTTPS / TCP | OUT | Connection to the Application Library | application-library-v5.nexthink.com, application-library-v6.nexthink.com |
| 443 | HTTPS / TCP | OUT | Connection to automatic updates | For CentOS-based appliances: updates-v6.nexthink.com, updates-centos-v6.nexthink.com. For Oracle Linux-based appliances: updates-v6-el8.nexthink.com |
| 636 | LDAPs / TCP | OUT | Connection to Active Directory (secure) | |
| 999 | UDP | IN | Optional: Collector analytics | |
| 999 | TCP | IN | User connection from the Finder (on-premises only) or the Portal | |
| 1671 | HTTPS / TCP | IN | Access to the Web API | Only for Engines on-premises (V6.X) |
| 7000 7001 7002 7003 | TCP | OUT | Communication channels with the Portal | |
| 8300 | TCP | IN OUT | Communication with Portal for Collector assignment | |
| 8301 | TCP & UDP | IN OUT | Communication with Portal and peer Engines for Collector assignment | |
| 8443 | WebSocket / TCP | IN | Collector default custom / Nexthink Cloud TCP channel to the Engine | |
| 10402 | TCP | OUT | Additional communication with Portal for Collector assignment | |
| 11031 | HTTPS / TCP | OUT | Communication with the Mobile Bridge | |
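As an added example (not part of the Nexthink documentation or product), the following Python script compares the sockets listening on an Engine Appliance with the inbound (IN and IN OUT) ports of the Engine table above, so that listeners the table does not account for stand out. The `ss -H -tuln` sample is constructed, and the function and variable names are illustrative.

```python
# Inbound ports (IN and IN OUT rows) of the Engine table, by transport protocol.
ENGINE_INBOUND = {
    "tcp": {22, 99, 443, 999, 1671, 8300, 8301, 8443},
    "udp": {999, 8301},
}
LOOPBACK = ("127.", "[::1]")  # sockets bound here are not reachable from the network

# Constructed sample of `ss -H -tuln` output, not captured from a real Appliance.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:99         0.0.0.0:*
tcp   LISTEN 0      128             [::]:443           [::]:*
tcp   LISTEN 0      128          0.0.0.0:999        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:3306       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:999        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
"""

def exposed_listeners(ss_output):
    """Return {(proto, port)} for sockets bound to non-loopback addresses."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ENGINE_INBOUND:
            continue
        # Field 4 is "Local Address:Port"; split on the last colon for IPv6.
        addr, _, port = fields[4].rpartition(":")
        if addr.startswith(LOOPBACK) or not port.isdigit():
            continue
        found.add((fields[0], int(port)))
    return found

def audit(ss_output, allowed=ENGINE_INBOUND):
    """Return (undocumented listeners, documented ports with no listener)."""
    seen = exposed_listeners(ss_output)
    documented = {(proto, n) for proto, ports in allowed.items() for n in ports}
    return sorted(seen - documented), sorted(documented - seen)

if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_SS)
    print("undocumented listeners:", unexpected)
    print("documented but not listening:", missing)
```

Ports reported as not listening are not necessarily a fault: per the table, 1671 applies to on-premises Web API access, 8300 and 8301 to rule-based Collector assignment, and 8443 to the custom or Nexthink Cloud Collector channel.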
In the following table, we describe the different ports that must be open on the Portal appliance to communicate seamlessly with the other Nexthink components.
| Port | Protocol | Direction | Reason | Target or notes |
|---|---|---|---|---|
| 22 | SSH / TCP | IN | Secure shell connection to the CLI | |
| 22 | SSH / TCP | IN OUT | Appliance federation | |
| 25 | SMTP / TCP | OUT | Mail server for notifications | |
| 53 | DNS / UDP | OUT | Lookup name of AD servers | |
| 80 | HTTP / TCP | IN | Access to the Portal (non-secure) | |
| 88 | TCP & UDP | OUT | Kerberos authentication of AD users | |
| 99 | HTTPS / TCP | IN | Administration through the Web Console | |
| 99 | HTTPS / TCP | OUT | Centralized administration of the Engine | |
| 123 | NTP / UDP | OUT | Time synchronization | For CentOS-based appliances: 0.centos.pool.ntp.org, 1.centos.pool.ntp.org, 2.centos.pool.ntp.org. For Oracle Linux-based appliances: 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org |
| 389 | LDAP / TCP | OUT | Connection to Active Directory (non-secure) | |
| 443 | HTTPS / TCP | IN | Access to the Portal (secure) | |
| 443 | WebSocket / TCP | IN | User connection from the Finder | |
| 443 | WebSocket / TCP | IN | Collector TCP channel to the Portal (on-premises default) | |
| 443 | HTTPS / TCP | IN | Installation and updates of the Finder from the Portal | Portal address |
| 443 | HTTPS / TCP | OUT | Connection to the Online License mechanism | license.nexthink.com |
| 443 | HTTPS / TCP | OUT | Connection to the Application Library | alib.nexthink.com, application-library-v5.nexthink.com, application-library-v6.nexthink.com |
| 443 | HTTPS / TCP | OUT | Connection to automatic updates | For CentOS-based appliances: updates-v6.nexthink.com, updates-centos-v6.nexthink.com. For Oracle Linux-based appliances: updates-v6-el8.nexthink.com |
| 636 | LDAPs / TCP | OUT | Connection to Active Directory (secure) | |
| 999 | TCP | OUT | Connection to the Engine | |
| 7000 7001 7002 7003 | TCP | IN | Communication channels with the Engine | |
| 8100 | HTTP / TCP | OUT | Send license information to Local License Manager | |
| 8300 | TCP | IN OUT | Communication with Engines for Collector assignment | |
| 8301 | TCP & UDP | IN OUT | Communication with Engines for Collector assignment | |
| 8443 | WebSocket / TCP | IN | Collector default custom / Nexthink Cloud TCP channel to the Portal | |
| 10402 | TCP | IN | Additional communication with Engines for Collector assignment | |
The Local License Manager resides in the same machine as the Portal.
| Port | Protocol | Direction | Reason |
|---|---|---|---|
| 8100 | HTTP / TCP | IN | Get license information from the Portal |
The Mobile Bridge needs to connect to the Exchange CAS to get mobile information. In turn, it offers a REST interface for the Engine to use to retrieve the collected information.
| Port | Protocol | Direction | Reason |
|---|---|---|---|
| 80 | HTTP / TCP | OUT | Communication with Exchange (non-secure) |
| 443 | HTTPS / TCP | OUT | Communication with Exchange (secure) |
| 11031 | HTTP / TCP | IN | REST interface for the Engine |
In the following table, we describe the different ports that must be opened on the computers running the Finder to communicate seamlessly with the other Nexthink components.
| Port | Protocol | Direction | Reason | Target or notes |
|---|---|---|---|---|
| 25 | SMTP / TCP | OUT | Send email in case of error | |
| 80 | HTTP / TCP | OUT | Connection to the documentation website | doc.nexthink.com |
| 80 | HTTP / TCP | OUT | Verification of security certificates | ocsp.verisign.com |
| 443 | WebSocket / TCP | OUT | User connection to the Portal | |
| 443 | WebSocket / TCP | OUT | User connection to the Engine (Nexthink Cloud only) | |
| 443 | HTTPS / TCP | OUT | Installation and updates of the Finder from the Portal | Portal address |
| 443 | HTTPS / TCP | OUT | Support telemetry | alib.nexthink.com |
| 443 | HTTPS / TCP | OUT | Connection to the Library | library.nexthink.com |
| 999 | TCP | OUT | User connection to the Engine (on-premises only) | |
In the following table, we describe the different ports that must be opened on the computers running the Nexthink Collector to send data seamlessly to the Nexthink Engine.
| Port | Protocol | Direction | Reason |
|---|---|---|---|
| 999 | UDP | OUT | Optional: Collector UDP channel to the Engine |
| 443 | WebSocket / TCP | OUT | Collector default (on-premises) TCP channel to the Engine and, if rule-based Collector assignment is turned on, to the Portal |
| 8443 | WebSocket / TCP | OUT | Collector default custom / Nexthink Cloud TCP channel to the Engine and, if rule-based Collector assignment is turned on, to the Portal |
Applies to platforms: Windows, macOS
In addition, starting from V6.19, Windows Collector components call a Windows API method once every 24 hours that triggers a connection for client to domain controller operations through TCP port 135. Ephemeral TCP ports in the range 49152-65535 are used for service response.
Applies to platforms: Windows