# Connectivity requirements ## Overview This page shows the connectivity requirements of every Nexthink product. If you operate in a restricted environment, your network administrator must add the domains on this page to an allowlist. Some Nexthink products allow you to use a secure or a non-secure channel for specific services. Depending on their configuration, you may need to allow connections through a port number that is different from what is shown here. Your Nexthink URL pattern can be one of the following: * `..nexthink.cloud` * `.data..nexthink.cloud` URL pattern description: * `` - The name of the Nexthink instance. * `` - The name of the localization of the instance: * `us` - United States. * `eu` - European Union. * `pac` - Asia-Pacific region. * `meta` - Middle East, Turkey, and Africa. {% hint style="info" %} Ensure your firewall has TCP port 443 open for your Nexthink instance URL. {% endhint %} The following tables indicate the transport protocol for each connection. When an application protocol handles the connection over the transport layer, the application protocol name precedes the transport protocol name. ## Web interface
Port numberProtocolDirectionSourceReasonDomainAPI base URL
443HTTPS / TCPOUTNexthink administrator device (browser)Access to the Nexthink web intefaceNexthink instance Fully Qualified Domain Name (FQDN) link pattern:
<instance>.<region>.nexthink.cloud		https://instance.api.region.nexthink.cloud
443HTTPS / TCPOUTNexthink administrator device (browser)Access to the Nexthink web interface with SAML-based authenticationNexthink instance FQDN link pattern:
https://<instance>-login.<region>.nexthink.cloud
443HTTPS / TCPOUTNexthink administrator device (browser)Access to the Nexthink web interface for the authentication
  • *.okta.com
  • *.oktacdn.com
443WebSocket / TCPIN/OUT

(Bidirectional)		Nexthink administrator device (browser)
or
Nexthink Cloud (backend services)		Real-time communication between frontend and backend.

Blocking this connection could impair features in Nexthink Assist and Nexthink Adopt.		events-<region>-<cluster>.<continent-id>.nexthink.cloud

For example: events-ap-northeast-1-main.pac.nexthink.cloud.		-
{% hint style="warning" %} **WebSocket** communication is only applicable to standard Nexthink environments. FedRAMP-compliant [infinity-for-government](https://docs.nexthink.com/platform/security/infinity-for-government "mention") environments are not impacted by this requirement. {% endhint %} ## Telemetry and monitoring
Port numberProtocolDirectionSourceReasonDomain
443HTTPS / TCPOUTNexthink Cloud (backend services)Access to Datadog Real User Monitoring; for more information on data processing, see the Nexthink Data Processing Schedulebrowser-intake-datadoghq.com
443HTTPS / TCPOUTNexthink Cloud (backend services)Access to Pendo telemetry
  • content.insights.nexthink.com
  • data.insights.nexthink.com
## Collector
Port numberProtocolDirectionSourceReason
443WebSocket / TCP / HTTPSOUTEnd-user device with Collector.Default communication channel to reach a Nexthink instance.
### Daily API call Windows Collector calls a Windows API method once every 24 hours. The API method triggers a connection for the client to the domain controller operations through TCP port 135. Service responses use ephemeral TCP ports in the 49152—65535 range. ### Automatic update URL Collector downloads installers for automatic updates to enhance reliability and performance. For this purpose, ensure the following URL is accessible under your organization’s network policies and firewall configurations: `global.nexthink.cloud` ## Nexthink Mobile
Port numberProtocolDirectionSourceReason
443HTTPSOUTEnd-user device running Nexthink App.Default communication channel to reach a Nexthink instance.
443/80HTTPS/HTTPOUTEnd-user device running Nexthink App.Access to Firebase telemetry
## Data export Nexthink users can export the results of their investigations using the export function. Each user can perform one export at a time. Multiple users of the same Nexthink instance can run a maximum of five exports in parallel. The data export generates a link to an export file. This is a pre-signed link to an Amazon Web Services (AWS) S3 bucket, which is valid for 10 minutes. The link uses Amazon virtual-hosted-style. See the following example to understand the link structure:
Data export link structure
You should add this URL to the allowlist of your firewall.
How do I determine the URL for my organization's AWS S3 bucket? From **Investigations** in the Nexthink web interface: 1. Create or run any investigation query. 2. **Export results** from the top-right corner. 3. Check the link provided by Nexthink to download the CSV file. This is the URL you should add to the allowlist of your firewall. In the example below, the URL is `https://aris-export-us-east-2-884848470805.s3.us-east-2.amazonaws.com`
Alternatively, you can also create the URL using the structure `https://nxc-ch-data-export-884848470805--.s3..amazonaws.com`. * Change `` , in both places, to the region of your tenant. For example: `eu-west-2` * If your environment is in a region with multiple clusters—which is determined by Nexthink according to technical requirements—change `` with the cluster of your tenant. For example: `main`, `a`, `b`, etc. {% hint style="warning" %} For single-cluster regions, you do not need to add/replace the `` within the URL. {% endhint %}
## Documentation platform Add the following domains to an allowlist to enable browsing the [Nexthink documentation](https://docs.nexthink.com/) in virtual desktop environments (VDIs).
DomainProtocolDescription
*.fontawesome.comHTTPSFont Awesome icon library
*.gitbook.comHTTPSGitBook documentation platform
*.gitbook.ioHTTPSGitBook documentation platform
*.iframe.lyHTTPSIframely content delivery network (CDN)
*.jsdelivr.netHTTPSjsDelivr CDN
*.mux.comHTTPSMux video streaming infrastructure
*.nexthink.comHTTPSNexthink documentation platform
*.okta.comHTTPSOkta identity and access management
*.synthesia.ioHTTPSSynthesia video streaming platform
## Data Enricher (classic)
Port numberProtocolDirectionReasonDomain
53DNS / UDPOUTResolving destination names by reverse IP
389LDAP / TCPOUTConnection to Active Directory (AD); non-secure
443HTTPS / TCPOUTSend AD and DNS dataagora.<region>.nexthink.cloud

Replace <region> with the availability region of the customer
636LDAPS / TCPOUTConnection to AD; secure
## Finder (classic) {% hint style="info" %} Nexthink Finder is a Windows-only desktop application. Its functionality is available within the Nexthink web interface. Nexthink can now be used directly from a browser, and most functions no longer require an additional desktop application. {% endhint %}
Port numberProtocolDirectionReasonDomain
25SMTP / TCPOUTSend email in case of errors
80HTTP / TCPOUTConnection to the documentation websitedoc.nexthink.com
80HTTP / TCPOUTVerification of security certificatesocsp.verisign.com
443HTTPS / TCPOUTConnection to the documentation website
  • doc.nexthink.com
  • docs.nexthink.com
443WebSocket / TCPOUTUser connection to the web interfaceNexthink instance FQDN
443HTTPS / TCPOUTApplication installation and software updatesNexthink instance FQDN
443HTTPS / TCPOUTSupport telemetryalib.nexthink.com
443HTTPS / TCPOUTConnection to Nexthink Librarylibrary.nexthink.com
## Engine (classic) {% hint style="info" %} If rule-based Collector assignment is turned on, the TCP channel of Collector also connects to the Nexthink web interface. Collectors use this connection to ask for their assigned Engine (classic). Collector can no longer use a UDP channel to send end-user analytics to the Engine (classic). {% endhint %}
Port numberProtocolDirectionReason
443TCPOUTSend end-user analytics to the Engine (classic); coordination data and updates