# Domains for Agent Communication | ManageEngine Endpoint Central

This document provides the list of approved domains and IP addresses which are required for seamless agent-server communication.

## US Data Center (.com)

### Domain Whitelist

Communication across remote offices is possible in the following ways:

- [Endpoint Central domains to be excluded in Roaming agent](#us-roaming)
- [Endpoint Central domains that should be whitelisted in the domain itself](#us-distribution-server)
- [Domains to be whitelisted in agents under the distribution server](#us-ds-agents)

#### Endpoint Central domains to be excluded in Roaming agent {#us-roaming}

Roaming users directly contact the cloud server. Since these users are constantly roaming, they can't be managed by a central server. Therefore, the roaming agents should connect to these websites:

##### desktopcentral.manageengine.com

This is the server's URL. The roaming agent updates the task status to the cloud server and in order to ensure seamless agent-server communication, the agent has to connect to desktopcentral.manageengine.com.

[Check Domain](https://desktopcentral.manageengine.com/)

##### `(endpointcentral-agent)(p)?[0-9]{1,2}\.manageengine\.com`

Endpoint Central agents will use these domains to contact Endpoint Central servers.

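
How the pattern above behaves when used as an allow-list rule, as an added example that is not ManageEngine's code: it contrasts a full-hostname match with substring-style matching. The function names and sample hostnames are constructed for illustration; `example.net` is a reserved documentation domain.

```python
import re

# Pattern exactly as published on this page.
PUBLISHED = r"(endpointcentral-agent)(p)?[0-9]{1,2}\.manageengine\.com"
_AGENT_RE = re.compile(PUBLISHED)


def normalize(host: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return host.strip().lower().rstrip(".")


def is_agent_host(host: str) -> bool:
    """Allow only when the WHOLE hostname matches (fullmatch anchors both ends)."""
    return _AGENT_RE.fullmatch(normalize(host)) is not None


def is_agent_host_unanchored(host: str) -> bool:
    """Substring-style matching (re.search), shown only for contrast."""
    return _AGENT_RE.search(normalize(host)) is not None


def audit(hosts):
    """Return {host: (anchored_decision, unanchored_decision)} for review."""
    return {h: (is_agent_host(h), is_agent_host_unanchored(h)) for h in hosts}


# Constructed sample destinations, e.g. as pulled from a proxy log.
SAMPLES = [
    "endpointcentral-agent0.manageengine.com",    # listed on this page
    "endpointcentral-agentp18.manageengine.com",  # listed on this page
    "EndpointCentral-Agent7.ManageEngine.com.",   # same name, different spelling
    "endpointcentral-agent123.manageengine.com",  # three digits: outside the pattern
    "endpointcentral-agent1.manageengine.com.example.net",  # other registrable domain
]

if __name__ == "__main__":
    for host, (anchored, unanchored) in audit(SAMPLES).items():
        note = "  <-- allowed only by an unanchored engine" if unanchored and not anchored else ""
        print(f"{'ALLOW' if anchored else 'DENY':5} {host}{note}")
```

If your proxy or firewall applies regexes as substring matches, anchor the pattern with `^` and `$` (or the engine's equivalent) before deploying it.
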
If regex-based domain whitelisting is not supported, whitelist the following domains:

- **endpointcentral-agent0.manageengine.com** [Check Domain](https://endpointcentral-agent0.manageengine.com/)
- **endpointcentral-agent1.manageengine.com** [Check Domain](https://endpointcentral-agent1.manageengine.com/)
- **endpointcentral-agent2.manageengine.com** [Check Domain](https://endpointcentral-agent2.manageengine.com/)
- **endpointcentral-agent3.manageengine.com** [Check Domain](https://endpointcentral-agent3.manageengine.com/)
- **endpointcentral-agent4.manageengine.com** [Check Domain](https://endpointcentral-agent4.manageengine.com/)
- **endpointcentral-agent5.manageengine.com** [Check Domain](https://endpointcentral-agent5.manageengine.com/)
- **endpointcentral-agent6.manageengine.com** [Check Domain](https://endpointcentral-agent6.manageengine.com/)
- **endpointcentral-agent7.manageengine.com** [Check Domain](https://endpointcentral-agent7.manageengine.com/)
- **endpointcentral-agent8.manageengine.com** [Check Domain](https://endpointcentral-agent8.manageengine.com/)
- **endpointcentral-agent9.manageengine.com** [Check Domain](https://endpointcentral-agent9.manageengine.com/)
- **endpointcentral-agentp1.manageengine.com** [Check Domain](https://endpointcentral-agentp1.manageengine.com/)
- **endpointcentral-agentp2.manageengine.com** [Check Domain](https://endpointcentral-agentp2.manageengine.com/)
- **endpointcentral-agentp3.manageengine.com** [Check Domain](https://endpointcentral-agentp3.manageengine.com/)
- **endpointcentral-agentp5.manageengine.com** [Check Domain](https://endpointcentral-agentp5.manageengine.com/)
- **endpointcentral-agentp18.manageengine.com** [Check Domain](https://endpointcentral-agentp18.manageengine.com/)

##### patchdb.manageengine.com

This website contains the latest patch information along with the download URLs.

[Check Domain](https://patchdb.manageengine.com/)

##### bonitas.zohocorp.com

To upload logs for analysis and troubleshooting, connect to:

[Check Domain](https://bonitas.zohocorp.com/)

##### patchdatabase.manageengine.com

Required to download dependent patches from the Endpoint Central server.

[Check Domain](https://patchdatabase.manageengine.com/)

##### us3-dms.zoho.com

Required to perform on-demand operations.

[Check Domain](https://us3-dms.zoho.com/)

##### us4-dms.zoho.com

Required for immediate system scan operations.

[Check Domain](https://us4-dms.zoho.com/)

##### download-accl.zoho.com

Required to download manually uploaded packages in the Software Deployment module.

[Check Domain](https://download-accl.zoho.com/)

##### downloads.zohocdn.com

Required to download new agent binaries during upgrades.

[Check Domain](https://downloads.zohocdn.com/)

##### files-me-accl.zoho.com

Required to download files from the server.

[Check Domain](https://files-me-accl.zoho.com/)

---

### IP Whitelist

Here’s the list of IP addresses that must be added to the whitelist:

#### US Region Data Center IPs

- `204.141.42.0/23`
- `136.143.190.0/23`
- `136.143.186.0/23`
- `136.143.189.0/24`
- `204.141.32.0/23`
- `136.143.182.0/23`
- `136.143.180.0/23`
- `136.143.185.0/24`

#### Geo DNS Domains

**It is strongly recommended to whitelist the domain instead of whitelisting the IP address as these domains use GeoDNS (IP addresses change based on user geolocation).**

If you still wish to whitelist IPs:

Execute:

```
nslookup
```

##### downloads.zohocdn.com

![US1](https://www.manageengine.com/products/desktop-central/help/images/US1.png)

##### download-accl.zoho.com

![US2](https://www.manageengine.com/products/desktop-central/help/images/US2.png)

##### files-me-accl.zoho.com

![US3](https://www.manageengine.com/products/desktop-central/help/images/US3.png)

##### patchdb.manageengine.com

![US4](https://www.manageengine.com/products/desktop-central/help/images/US4.png)

##### patchdatabase.manageengine.com

![US5](https://www.manageengine.com/products/desktop-central/help/images/US5.png)

---

## Ports

These ports must be enabled for communication between the agent and the server.

| Port | Purpose | Type | Connection |
|---|---|---|---|
| 443 | Communication between Agent/Distribution Server and Endpoint Central server. Source: Agent/DS → Destination: Endpoint Central server | HTTPS | Outbound from Agent/DS |
| 443 | Notification server port for on-demand operations. Source: Agent/DS → Destination: Notification server | WSS | Outbound from Agent/DS |
| 8384 | Communication between remote agent and distribution server. Source: Agent → Destination: Distribution Server | HTTPS | Inbound to Distribution Server; Outbound from Agent/DS |

---

## Module Wise Configurations

### Patch Management

Refer to: [Domains required for patching](https://www.manageengine.com/products/desktop-central/help/configuring_desktop_central/domains-required-for-patching.html)

**Note:** If agents are managed through a Distribution Server, the listed domains must be whitelisted on the Distribution Server. Otherwise, apply exclusions directly on the agent.

### Exclusions (File Extensions)

The following file extensions must be excluded in Endpoint Central Agent/Distribution Server:

| Windows | Mac | Linux |
|---|---|---|
| .xml, .xml.gz, .gz, .7z, .json, .zip, .dll.gz, .exe, .exe.gz, .crt, .pem, .properties, .xz, .tar, .tar.gz, .svg, .gif, .bin, .txt, .list, .ISO, .yaml.gz, .yml.gz, .repo, .bz2, .config, .conf, .manifest, .BAT, .VBS, .PY | .json, .plist, .properties, .xml, .py, .sh, .scpt, .pl, .command, .7z, .bz, .bz2, .gz, .pkg, .mpkg, .tar, .tar.gz, .xml.gz, .zip, .jpg, .gif, .png, .mobileconfig, .otf, .ttf | .json, .xml, .zip, .xz, .tar, .tar.gz, .gz, .bin, .py, .bz, .properties, .xml.gz, .repo, .sh, .bash, .ksh, .csh, .tcsh |

---

### Remote Control

Remote Control requires direct communication with the cloud.
Domains must be whitelisted on the agent even if managed by a Distribution Server.

#### Domains to Whitelist

| Region | Domains |
|---|---|
| Common (All Regions) | *.zoho.com, *.zohomeeting.com, downloads.zohocdn.com, *.zohocdn.com, *.zohoassist.com, gateway.zohoassist.com |
| Europe | *.zoho.eu |
| India | *.zoho.in |
| Australia | *.zoho.com.au |
| Japan | *.zoho.jp |
| UK | *.zoho.uk |
| Saudi Arabia | *.zoho.sa |
| Canada | *.zohocloud.ca |
| China | *.zoho.com.cn, *.zohomeeting.com.cn, downloads.zohocdn.com.cn, *.zohocdn.com.cn, *.zohoassist.com.cn |

#### Ports

- TCP and WebSocket port **443**

#### Directories to Exclude

- 32-bit OS: `%programfiles%/ZohoMeeting`
- 64-bit OS: `%programfiles(x86)%/ZohoMeeting`

#### Antivirus Whitelist

| Executable | Purpose |
|---|---|
| **agent.exe** | Session validation, communication, control, screen sharing |
| **agent_ui.exe** | Renders UI during remote sessions |
| **ZAFileTransfer.exe** | Secure file transfer |
| **Connect.exe** | Downloads/updates remote components |
| **ZAService.exe** | Elevates agent for admin sessions |
| **ZAAudioClient.exe** | Streams remote audio |

---

### Mobile Device Manager

Ensure required ports are open and domains allowed:

Reference: [MDM FAQ Domains](https://www.manageengine.com/mobile-device-management/faq.html#g2)

#### Android Enterprise Network Requirements

[Android Enterprise Network Requirements](https://support.google.com/work/android/answer/10513641?hl=en)

TLS and TCP protocols are used for device enrollment in MDM.