# Domains required for Agent communication

This document provides the list of approved domains and IP addresses which are required for seamless agent-server communication.

## US Data center (.com)

### Domain Whitelist

Communication across remote offices is possible in the following ways:

- [Endpoint Central domains to be excluded in Roaming agent](#roaming-users-us)
- [Endpoint Central domains that should be whitelisted in the domain itself](#distribution-server-us)
- [The following domains should be whitelisted in agents that are under the distribution server.](#ds-agents-us)

#### Endpoint Central domains to be excluded in Roaming agent

Roaming users directly contact the cloud server. Since these users are constantly roaming, they can't be managed by a central server. Therefore, the roaming agents should connect to these websites:

##### vmp.manageengine.com

This is the server's URL. The roaming agent updates the task status to the cloud server, so to ensure seamless agent-server communication, the agent has to connect to vmp.manageengine.com. [Check Domain](https://vmp.manageengine.com/)

##### `(endpointcentral-agent)(p)?[0-9]{1,2}\.manageengine\.com`

Endpoint Central agents will use these domains to contact Endpoint Central servers.
If regex-based domain whitelisting is not supported, whitelist the following domains:

- **endpointcentral-agent0.manageengine.com** [Check Domain](https://endpointcentral-agent0.manageengine.com/)
- **endpointcentral-agent1.manageengine.com** [Check Domain](https://endpointcentral-agent1.manageengine.com/)
- **endpointcentral-agent2.manageengine.com** [Check Domain](https://endpointcentral-agent2.manageengine.com/)
- **endpointcentral-agent3.manageengine.com** [Check Domain](https://endpointcentral-agent3.manageengine.com/)
- **endpointcentral-agent4.manageengine.com** [Check Domain](https://endpointcentral-agent4.manageengine.com/)
- **endpointcentral-agentp1.manageengine.com** [Check Domain](https://endpointcentral-agentp1.manageengine.com/)
- **endpointcentral-agentp2.manageengine.com** [Check Domain](https://endpointcentral-agentp2.manageengine.com/)
- **endpointcentral-agentp3.manageengine.com** [Check Domain](https://endpointcentral-agentp3.manageengine.com/)
- **endpointcentral-agentp5.manageengine.com** [Check Domain](https://endpointcentral-agentp5.manageengine.com/)
- **endpointcentral-agent5.manageengine.com** [Check Domain](https://endpointcentral-agent5.manageengine.com/)
- **endpointcentral-agent6.manageengine.com** [Check Domain](https://endpointcentral-agent6.manageengine.com/)
- **endpointcentral-agent7.manageengine.com** [Check Domain](https://endpointcentral-agent7.manageengine.com/)
- **endpointcentral-agent8.manageengine.com** [Check Domain](https://endpointcentral-agent8.manageengine.com/)
- **endpointcentral-agent9.manageengine.com** [Check Domain](https://endpointcentral-agent9.manageengine.com/)
- **endpointcentral-agentp18.manageengine.com** [Check Domain](https://endpointcentral-agentp18.manageengine.com/)

##### patchdb.manageengine.com

This website will have the latest patch information along with the download URLs.
To find the missing patches during the scan process, the agent gets the latest patch details from the patch database, for which it has to connect to patchdb.manageengine.com. [Check Domain](https://patchdb.manageengine.com/)

##### bonitas.zohocorp.com

This is the cloud server's URL. To upload logs for analysis and troubleshooting, you need to connect to bonitas.zohocorp.com. [Check Domain](https://bonitas.zohocorp.com/)

##### patchdatabase.manageengine.com

The roaming agent has to connect to patchdatabase.manageengine.com in order to download dependent patches from the Endpoint Central Server. [Check Domain](https://patchdatabase.manageengine.com/)

##### us3-dms.zoho.com

The roaming agent has to connect to us3-dms.zoho.com to perform on-demand operations. [Check Domain](https://us3-dms.zoho.com/)

##### us4-dms.zoho.com

The agent should connect to this domain so that the user can scan their system immediately. [Check Domain](https://us4-dms.zoho.com/)

##### download-accl.zoho.com

The agent should connect to download-accl.zoho.com in order to download the manually uploaded packages in the Software Deployment module. [Check Domain](https://download-accl.zoho.com/)

##### downloads.zohocdn.com

The roaming agent should connect to downloads.zohocdn.com in order to download new agent binaries that are required during the upgrade process. [Check Domain](https://downloads.zohocdn.com/)

##### files-me-accl.zoho.com

The agent should connect to files-me-accl.zoho.com in order to download files from the server. [Check Domain](https://files-me-accl.zoho.com/)

### IP Whitelist

Here's the list of IP addresses that are required to be added to the whitelist.
#### US region data centre IPs

- `204.141.42.0/23`
- `136.143.190.0/23`
- `136.143.186.0/23`
- `136.143.189.0/24`
- `204.141.32.0/23`
- `136.143.182.0/23`
- `136.143.180.0/23`
- `136.143.185.0/24`

#### Geo DNS Domains

**It is strongly recommended to whitelist the domain instead of whitelisting the IP address as these domains are using GeoDNS, i.e. the IP address of the domains will change based on geolocation of the user.**

However, if you still wish to whitelist IP addresses for the domains, navigate to the command prompt and execute the command:

```
nslookup
```

1. downloads.zohocdn.com

   ![US1](https://cdn.manageengine.com/products/desktop-central/help/images/US1.png)

2. download-accl.zoho.com

   ![US1](https://cdn.manageengine.com/products/desktop-central/help/images/US2.png)

3. files-me-accl.zoho.com

   ![US1](https://cdn.manageengine.com/products/desktop-central/help/images/US3.png)

4. patchdb.manageengine.com

   ![US1](https://cdn.manageengine.com/products/desktop-central/help/images/US4.png)

5. patchdatabase.manageengine.com

   ![US1](https://cdn.manageengine.com/products/desktop-central/help/images/US5.png)

---

## Ports

These ports must be enabled for communication between the agent and the server.

| Port | Purpose | Type | Connection |
|---|---|---|---|
| 443 | For communication between the agent or distribution server and the Endpoint Central server.<br><br>Source: Agent/Distribution server<br>Destination: Endpoint Central server | HTTPS | Outbound from Agent/DS |
| 443 | The Notification server port is responsible for communicating on-demand operations from the server to the agent.<br><br>Source: Agent/Distribution server<br>Destination: Notification server | WSS | Outbound from Agent/DS |
| 8384 | For communication between remote agent and distribution server<br><br>Source: Agent<br>Destination: Distribution server | HTTPS | Inbound to distribution server<br>Outbound from Agent/DS |

## Module Wise Configurations

### Patch Management

Refer to [this page](https://www.manageengine.com/vulnerability-management/help/domains-required-for-patching.html#domains) to know about domains required for patching.

**Note:** If agents are managed through a Distribution Server, the domains listed in the page must be whitelisted on the Distribution Server. If no Distribution Server is configured, the exclusions should be applied directly on the agent.

## Exclusions (File Extensions) to be made in Vulnerability Manager Plus Agents and Distribution Server

The below file extensions must be excluded in the Vulnerability Manager Plus Agent/Distribution Server for patch detection, deployment and other agent functionalities.

| Windows | Mac | Linux |
|---|---|---|
| .xml, .xml.gz, .gz, .7z, .Json, .zip, .Json.gz, .dll.gz, .exe, .exe.gz, .crt, .pem, .json, .properties, .xz, .tar, .tar.gz, .svg, .gif, .bin, .txt, .list, .ISO, .yaml.gz, .yml.gz, .repo, .bz2, .config, .conf, .manifest, .BAT, .VBS, .PY | .json, .plist, .properties, .xml, .py, .sh, .scpt, .pl, .command, .7z, .bz, .bz2, .gz, .pkg, .mpkg, .tar, .tar.gz, .xml.gz, .zip, .jpg, .gif, .png, .mobileconfig, .otf, .ttf | .json, .xml, .zip, .xz, .tar, .tar.gz, .gz, .bin, .py, .bz, .properties, .xml.gz, .repo, .sh, .bash, .ksh, .csh, .tcsh |
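
The following is an added example, not ManageEngine's code, for reviewing proxy or firewall rules built from the US domain and IP lists above. It matches hostnames against the fixed domains and against the agent pattern anchored to the whole name, shows how the pattern as printed behaves in an engine that does substring matching, and tests addresses against the US ranges. The function names and the sample resolver answers are constructed for illustration.

```python
import ipaddress
import re

# Agent pattern exactly as printed on the page (it carries no anchors).
PAGE_PATTERN = r"(endpointcentral-agent)(p)?[0-9]{1,2}\.manageengine\.com"
_AGENT_RE = re.compile(PAGE_PATTERN)

# Fixed hostnames the page lists for the US data center.
EXACT_HOSTS = frozenset({
    "vmp.manageengine.com", "patchdb.manageengine.com",
    "patchdatabase.manageengine.com", "bonitas.zohocorp.com",
    "us3-dms.zoho.com", "us4-dms.zoho.com", "download-accl.zoho.com",
    "downloads.zohocdn.com", "files-me-accl.zoho.com",
})

# US region data centre ranges from the page.
US_RANGES = [ipaddress.ip_network(c) for c in (
    "204.141.42.0/23", "136.143.190.0/23", "136.143.186.0/23",
    "136.143.189.0/24", "204.141.32.0/23", "136.143.182.0/23",
    "136.143.180.0/23", "136.143.185.0/24",
)]

# Constructed resolver answers for illustration, not real DNS data.
SAMPLE_ANSWERS = {
    "patchdb.manageengine.com": ["136.143.190.10"],
    "downloads.zohocdn.com": ["198.51.100.7"],
}

def normalize(host):
    """Lower-case the name and drop a trailing root dot."""
    return host.strip().lower().rstrip(".")

def host_allowed(host):
    """True only when the whole name is a listed host or fully matches the pattern."""
    h = normalize(host)
    return h in EXACT_HOSTS or _AGENT_RE.fullmatch(h) is not None

def host_allowed_unanchored(host):
    """What a substring-matching engine does with the pattern as printed."""
    return _AGENT_RE.search(normalize(host)) is not None

def ip_allowed(addr):
    """True when the address falls inside one of the published US ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in US_RANGES)

def outside_ranges(answers):
    """Hostnames with at least one resolved address outside the US ranges."""
    return sorted(h for h, ips in answers.items()
                  if not all(ip_allowed(i) for i in ips))
```

The pattern admits more names than the explicit fallback list: `endpointcentral-agent10.manageengine.com` matches the regex but is not among the hosts listed for devices without regex support.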