Firewall Settings for Atera's Integrations

This article comprises a list of the required Firewall settings for the AteraAgent and the integrated add-ons as follows:

• Splashtop
• Online Backup
• Acronis
• Webroot
• Network Discovery
• ScreenConnect
• TeamViewer
• Chocolatey
• Bitdefender
• AnyDesk

Atera Agent

Allow outbound traffic over port 443 (TCP) in the Antivirus, Firewall, and Proxy server. 

List of servers that the agent is communicating with, make sure to have these servers whitelisted on your network.

1. pubsub.atera.com
2. pubsub.pubnub.com
3. agentreporting.atera.com
4. app.atera.com
5. agenthb.atera.com
6. packagesstore.blob.core.windows.net
7. ps.pndsn.com
8. agent-api.atera.com
9. cacerts.thawte.com
10. agentreportingstore.blob.core.windows.net
11. atera-agent-heartbeat.servicebus.windows.net
12. ps.atera.com
13. atera.pubnubapi.com
14. appcdn.atera.com
15. atera-agent-heartbeat-cus.servicebus.windows.net
16. ticketingitemsstoreeu.blob.core.windows.net
17. download.visualstudio.microsoft.com

Security Software Whitelisting:  

• Antivirus - Add Atera's application to the antivirus whitelist. C:\Program Files\Atera Networks.
• Firewall - In some networks HTTPS traffic is blocked. Make sure to add a rule to allow HTTPS traffic from LAN to WAN (Atera address: agent-api.atera.com). 
  

Note: The Great Firewall of China is blocking some of the servers required by AteraAgent to report the device's availability (online/offline status). Therefore, machines that are located in this country will not be manageable from the console. Using a VPN connection may override these restrictions, however, we cannot provide specific instructions or support for setting up such configurations. 

• Proxy - Proxy / Web-filtering is very common and can also be an obstacle to stable agent behavior. Make sure to permit outbound traffic (443) and file extensions; ZIP & EXE from our website (Atera address: agent-api.atera.com). 
• Geo-blocking - As an example, SonicWall routers are well known for their Geo-Blocking features. 
• Permit content traffic in addition to TCP (443 ) traffic. 

For more information, check these troubleshooting articles for Windows or MAC machines. 

Splashtop

• Ensure these ports are open: 443 including non-ssl traffic, 6783, 6784, and 6785 
• Splashtop uses Amazon Web Servers (AWS) so please allow the following Amazon Web Servers:
  - amazonaws.com
  - *.api.splashtop.com (represents wildcard)
  - *.relay.splashtop.com (represents wildcard) 
  - Sn.splashtop.com 

For more information, click here. 

Online Backup

Our cloud server has two sub-nets:  

• 31.186.246.0/24 
• 130.117.250.0/24 

And cloud.atera.com. Also, ensure that you are allowing outbound communication via ports 5000 and 443.

Acronis

• TCP ports 443 and 8443 for accessing the Cyber Protection console, registering the agents, downloading the certificates, user authorization, and downloading files from the cloud storage. 
• TCP ports 5905, 7770...7800 for communication between components 
• TCP port 9850 for command line (acrocmd, acropsh) commands 
• TCP ports 445 and 25001 for remote installation
• TCP ports 443 and 902 to access the vCenter Server and ESX(i) hosts 
• TCP port 44445 for data transfer during backup and recovery 
• TCP ports 443, 44445, and 55556 for backup to the cloud 
• TCP port 6109 for Active Protection 

Webroot

Please open ports 443 and 80 for the following URLs:

• Agent communication and updates
  *.webrootcloudav.com
  
  
• Agent Messaging
  *.webroot.com
  
  
• Management portal and support ticket logs upload
  *.webrootanywhere.com
  
  
• Agent file downloading and uploading
  wrskynet.s3.amazonaws.com/*
  wrskynet-eu.s3-eu-west-1.amazonaws.com/*
  wrskynet-oregon.s3-us-west-2.amazonaws.com/*
  
  
• WebFiltering
  WSAWebFilteringPortal.elasticbeanstalk.com (elasticbeanstalk is an Amazon AWS domain)

NOTE: Some firewalls do not support double dotted subdomain names with a single wildcard mask (i.e. g1.p4.webrootcloudav.com being represented by *.webrootcloudav.com). In these cases, you will need to use *.p4.webrootcloudav.com or *.*.webrootcloudav.com.

Network Discovery

• Allow Windows Management Instrumentation (WMI) service to operate through Windows
  Firewall. You can use this command:

netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

• Allow ICMP (Internet Control Message Protocol) to operate through Windows Firewall. You can use this command:

netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow

• Check that the following services are running and Startup Type is set to Automatic:

sc query RPCSS
sc query Winmgmt
sc query RemoteRegistry
sc query wuauserv

Learn more about optimal network settings 

ScreenConnect

Port 443 TCP is required for the cloud instance. For on-premises installations, ports 8040 and 8041 need to be open:

More details here.  

TeamViewer

In order for TeamViewer to work properly, access to all TeamViewer servers has to be possible. The easiest way to achieve this is to open port 5938 (TCP) for outbound connections to any IP address. You can also add *.teamviewer.com to the whitelist.

If TeamViewer can’t connect over port 5938 (primary port), it will next try to connect over TCP port 443 or TCP port 80.

More details can be found in this article from Teamviewer. 

Chocolatey

You may need to whitelist the following servers: chocolatey.org and packages.chocolatey.org.

Bitdefender

Below you can find the list of ports and servers used by Bitdefender broken down per component.

Web console (Control Center)

Security Agent (BEST, BEST Legacy, Endpoint Security, Endpoint Security for Mac)

Relay Agent

Security Server (Multi-Platform)

Sandbox Analyzer

For more details and a description of each of the above ports, please review this article from Bitdefender support. 

AnyDesk

To allow AnyDesk for incoming connections, the following needs to be added to the Whitelist:

*.net.anydesk.com

TCP-Ports 80, 443 and 6568

Learn more