This article lists the required firewall settings for the Atera Agent and its add-ons.
Atera Agent
Allow outbound traffic over port 443 (TCP) in your antivirus, firewall, and proxy server.
The agent communicates with the following servers. Make sure they are whitelisted on your network:
- pubsub.atera.com
- pubsub.pubnub.com
- app.atera.com
- agenthb.atera.com
- packagesstore.blob.core.windows.net
- ps.pndsn.com
- agent-api.atera.com
- cacerts.thawte.com
- agentreportingstore.blob.core.windows.net
- atera-agent-heartbeat.servicebus.windows.net
- ps.atera.com
- atera.pubnubapi.com
- appcdn.atera.com
- atera-agent-heartbeat-cus.servicebus.windows.net
- ticketingitemsstoreeu.blob.core.windows.net
- download.visualstudio.microsoft.com
- a32dl55qcodech-ats.iot.eu-west-1.amazonaws.com
- agentspoliciesprod.blob.core.windows.net
Security Software Whitelisting:
- Antivirus: Add Atera's application to the antivirus whitelist: C:\Program Files\Atera Networks.
- Firewall: In some networks, HTTPS traffic is blocked. Make sure to add a rule to allow HTTPS traffic from LAN to WAN (Atera address: agent-api.atera.com).
- Note: The Great Firewall of China blocks some of the servers required by the Atera Agent to report the device's availability (online/offline status). Therefore, machines located in this country will not be manageable from the console. Using a VPN connection may override these restrictions; however, we cannot provide specific instructions or support for setting up such configurations.
- Proxy: Proxy / web filtering is very common and can also be an obstacle to stable agent behavior. Make sure to permit outbound traffic (443) and the ZIP and EXE file extensions from our website (Atera address: agent-api.atera.com).
- Note: Atera does not offer assistance or provisions for proxy configuration.
- Geo-blocking: As an example, SonicWall routers are well known for their Geo-Blocking features.
- Permit content traffic in addition to TCP (443) traffic.
For more information, see:
Acronis
- TCP ports 443 and 8443 for accessing the Cyber Protection console, registering the agents, downloading the certificates, user authorization, and downloading files from the cloud storage.
- TCP ports 5905, 7770...7800 for communication between components
- TCP port 9850 for command line (acrocmd, acropsh) commands
- TCP ports 445 and 25001 for remote installation
- TCP ports 443 and 902 to access the vCenter Server and ESX(i) hosts
- TCP port 44445 for data transfer during backup and recovery
- TCP ports 443, 44445, and 55556 for backup to the cloud
- TCP port 6109 for Active Protection
AnyDesk
To allow AnyDesk for incoming connections, the following needs to be added to the Whitelist:
- *.net.anydesk.com
- TCP ports 80, 443, 6568, and 7070.
For more information, see this AnyDesk article
Bitdefender
Below you can find the list of ports and servers used by Bitdefender broken down per component.
- Web console (Control Center): Inbound
- Security Agent (BEST, BEST Legacy, Endpoint Security, Endpoint Security for Mac): Outbound
- Relay Agent: Inbound, Outbound
- Security Server (Multi-Platform): Inbound, Outbound
- Sandbox Analyzer: Inbound & Outbound
For more details and a description of each of the above ports, please review this article from Bitdefender support.
Chocolatey
You may need to whitelist the following servers:
- chocolatey.org
- packages.chocolatey.org
Network Discovery
Allow Windows Management Instrumentation (WMI) service to operate through Windows Firewall. You can use this command:
- netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
Allow ICMP (Internet Control Message Protocol) to operate through Windows Firewall. You can use this command:
- netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
Check that the following services are running and Startup Type is set to Automatic:
- sc query RPCSS
- sc query Winmgmt
- sc query RemoteRegistry
- sc query wuauserv
For more information, see Network Discovery: Optimal network settings
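`sc query` reports a service's current state, while its startup type appears in the output of `sc qc`. The following is an added example, not Atera code, that parses both outputs for the four services listed above and flags any that are not both running and set to start automatically; the function names and the sample output are constructed, and English `sc.exe` output is assumed.

```python
import re
import subprocess

# Service names from the list above.
SERVICES = ["RPCSS", "Winmgmt", "RemoteRegistry", "wuauserv"]

# Constructed sample output in the layout sc.exe prints (not captured from a real host).
SAMPLE_QUERY = """
SERVICE_NAME: Winmgmt
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""
SAMPLE_QC_AUTO = """
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Winmgmt
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
"""
# Same service, but configured for manual start: running now, not after a reboot.
SAMPLE_QC_MANUAL = SAMPLE_QC_AUTO.replace("2   AUTO_START", "3   DEMAND_START")


def sc_field(output, field):
    """Return the symbolic value from a 'FIELD : <number> <NAME>' line, or None."""
    match = re.search(rf"^\s*{re.escape(field)}\s*:\s*\d+\s+(\S+)", output, re.MULTILINE)
    return match.group(1) if match else None


def assess(query_output, qc_output):
    """Combine `sc query` (state) and `sc qc` (startup type) into one verdict."""
    state = sc_field(query_output, "STATE")
    start_type = sc_field(qc_output, "START_TYPE")
    ok = state == "RUNNING" and start_type == "AUTO_START"
    return {"state": state, "start_type": start_type, "ok": ok}


def check_service(name):
    """Run both sc commands for one service (Windows only)."""
    def run(verb):
        return subprocess.run(["sc.exe", verb, name], capture_output=True, text=True).stdout
    return assess(run("query"), run("qc"))


if __name__ == "__main__":
    for service in SERVICES:
        print(service, check_service(service))
```

A service that is missing or cannot be queried yields no `STATE` or `START_TYPE` line, so it is reported with `ok` set to `False` rather than raising an error.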
Online Backup
Our cloud server has two subnets:
- 31.186.246.0/24
- 130.117.250.0/24
Allow these subnets as well as cloud.atera.com.
Also, ensure that you're allowing outbound communication via ports 5000 and 443.
ScreenConnect
Port 443 TCP is required for the cloud instance. For on-premises installations, ports 8040 and 8041 need to be open:
Service | Port | Protocol |
ScreenConnect Web Server | 8040 | TCP |
ScreenConnect Relay | 8041 | TCP |
For more information, see this ConnectWise article
Splashtop
Ensure these ports are open:
- 443 (including non-SSL traffic)
- 6783
- 6784
- 6785
As Splashtop is hosted on Amazon Web Services (AWS), please whitelist these domains:
- amazonaws.com
- *.api.splashtop.com (represents wildcard)
- *.relay.splashtop.com (represents wildcard)
- Sn.splashtop.com
For more information, see this Splashtop article
TeamViewer
For TeamViewer to work properly, access to all TeamViewer servers has to be possible. The easiest way to achieve this is to open port 5938 (TCP) for outbound connections to any IP address. You can also add *.teamviewer.com to the whitelist.
If TeamViewer can’t connect over port 5938 (primary port), it will next try to connect over TCP port 443 or TCP port 80.
For more information, see this TeamViewer article
Webroot
Please open ports 443 and 80 for the following URLs:
- Agent communication and updates: *.webrootcloudav.com
- Agent Messaging: *.webroot.com
- Management portal and support ticket logs upload: *.webrootanywhere.com
- Agent file downloading and uploading:
  wrskynet.s3.amazonaws.com/*
  wrskynet-eu.s3-eu-west-1.amazonaws.com/*
  wrskynet-oregon.s3-us-west-2.amazonaws.com/*
- WebFiltering: WSAWebFilteringPortal.elasticbeanstalk.com (elasticbeanstalk is an Amazon AWS domain)
NOTE: Some firewalls do not support double-dotted subdomain names with a single wildcard mask (e.g., g1.p4.webrootcloudav.com being represented by *.webrootcloudav.com). In these cases, you will need to use *.p4.webrootcloudav.com or *.*.webrootcloudav.com.
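The wildcard behaviour described in the note can be checked against a planned rule list before it is deployed. The following is an added example, not Webroot or Atera code; the function names are hypothetical, and the two matching modes model a firewall whose `*` spans several DNS labels versus one whose `*` stands for exactly one label.

```python
def wildcard_covers(pattern, host, multi_label):
    """Return True if an allowlist pattern covers a hostname.

    multi_label=True : a leading '*' may span one or more DNS labels.
    multi_label=False: every '*' stands for exactly one label, the
                       behaviour of the firewalls the note describes.
    Matching is done per label, so '*.example.com' never covers
    'notexample.com'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if "*" not in p_labels:
        return p_labels == h_labels
    if multi_label and p_labels[0] == "*" and "*" not in p_labels[1:]:
        suffix = p_labels[1:]
        if not suffix:          # a bare '*' is never accepted as a rule
            return False
        return len(h_labels) > len(suffix) and h_labels[-len(suffix):] == suffix
    # Single-label semantics: label counts must match one for one.
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def uncovered(hosts, patterns, multi_label):
    """Return the hosts that no pattern in the rule list covers."""
    return [h for h in hosts
            if not any(wildcard_covers(p, h, multi_label) for p in patterns)]


if __name__ == "__main__":
    required = ["g1.p4.webrootcloudav.com"]  # hostname quoted in the note
    for rules in (["*.webrootcloudav.com"],
                  ["*.p4.webrootcloudav.com"],
                  ["*.*.webrootcloudav.com"]):
        print(rules, "-> uncovered on a single-label firewall:",
              uncovered(required, rules, multi_label=False))
```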