Firewall Configuration
Inbound and Outbound Connections Explained
The Action1 agent is designed to establish connections exclusively to the Action1 cloud servers – it’s always the agent that initiates contact, never the other way around. As a result, you only need to set up outbound firewall rules. Despite this one-way initiation, data transfer can and does occur in both directions: from the agent to the server and back again.
When a connection is established, the agent simply waits for instructions from the server. These directions might be to execute a policy or gather data for a report. The server sends these instructions either when prompted by the user via the Action1 Console or according to a preset schedule. Think of it like an orchestra: the conductor (the server) gives instructions, and the musicians (the agents) wait for and follow these instructions. The musicians are always attentive to the conductor’s directions, not the other way around.
There is one exception to the outbound-only rule: when Action1 agents on the same local network want to exchange software package parts via peer-to-peer (P2P) sharing. In these cases, the agents will accept inbound connections from their peers. Although it’s not mandatory, we recommend setting up inbound LAN-only firewall rules to facilitate this type of exchange.
Network & Data Flow Diagram
Firewall Rule Reference
Refer to this section for a complete description of ports and protocols that should be configured in your system. Create firewall rules to allow access to the following resources:
Region: North America
NOTE: Accounts set up in the North America region benefit from a “Global access” capability: Remote Desktop connections initiated from various global locations (e.g., South America, the Middle East) are automatically routed through the nearest available cloud infrastructure. For accounts configured in Europe or Australia regions, Remote Desktop connections are routed through the respective regional infrastructure, regardless of the user’s current geographic location. See also: Remote Desktop.
Resource
Action1 servers (server.action1.com):
- 54.210.188.13
- 54.227.102.112
- 3.210.54.212
- 3.213.90.174
Action1 Remote Desktop relay servers in North America:
- 34.203.184.16
- 44.212.254.73
- 52.200.246.160
- 52.205.66.134
- 100.24.103.37
- 3.229.22.34
- 3.88.244.142
- 54.144.130.130
Action1 Remote Desktop relay servers in Europe:
- 18.135.32.225
- 18.169.144.48
- 3.10.103.241
- 13.41.182.195
- 18.171.0.33
- 35.179.20.122
Action1 Remote Desktop relay servers in the Middle East:
- 43.204.118.97
- 43.204.185.8
- 13.202.109.124
- 43.205.156.38
Action1 Remote Desktop relay servers in East Asia:
- 13.215.147.78
- 54.169.182.56
- 3.0.4.167
- 13.213.228.50
Action1 Remote Desktop relay servers in Australia:
- 13.211.73.202
- 54.79.23.166
- 3.104.236.56
- 54.79.198.20
Action1 Remote Desktop relay servers in Africa:
- 13.244.155.212
- 13.244.175.69
- 13.245.225.6
- 13.247.34.181
Action1 Remote Desktop relay servers in South America:
- 15.229.170.56
- 18.230.233.136
- 18.231.231.56
- 54.207.116.27
Managed endpoints
(LAN only)
(LAN only)
a1-backend-packages.s3.amazonaws.com
*.windowsupdate.com
*.mp.microsoft.com
emdl.ws.microsoft.com
- tsfe.trafficshaping.
dsp.mp.microsoft.com - download.windowsupdate.com
- dl.delivery.mp.microsoft.com
- download.windowsupdate.com
- windowsupdate.microsoft.com
- *.windowsupdate.microsoft.com
- *.update.microsoft.com
- update.microsoft.com
- download.microsoft.com
- ntservicepack.microsoft.com
- login.live.com
- us-cdn.action1.com
- us-cdn-action1-com.b-cdn.net
Action1 Remote Desktop Console for North America:
- us.remote.app.action1.com
Action1 Remote Desktop Console for Africa:
- af.remote.app.action1.com
Action1 Remote Desktop Console for Australia:
- au.remote.app.action1.com
Action1 Remote Desktop Console for Asia:
- ea.remote.app.action1.com
Action1 Remote Desktop Console for Europe:
- eu.remote.app.action1.com
Action1 Remote Desktop Console for the Middle East:
- me.remote.app.action1.com
Action1 Remote Desktop Console for South America:
- sa.remote.app.action1.com
Type
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Inbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Port & Protocol
22543 TCP,
TLS 1.2 over TCP
TLS 1.2 over TCP
135 RPC TCP
139 SMB TCP
445 SMB TCP
389 LDAP TCP
Randomly allocated high TCP ports (between 49152 - 65535) TCP
22543 TCP,
TLS 1.2 over TCP
TLS 1.2 over TCP
22543 TCP,
TLS 1.2 over TCP
TLS 1.2 over TCP
22543 TCP,
TLS 1.2 over TCP
TLS 1.2 over TCP
22543 TCP,
TLS 1.2 over TCP
TLS 1.2 over TCP
22543 TCP,
TLS 1.2 over TCP
TLS 1.2 over TCP
22543 TCP,
TLS 1.2 over TCP
TLS 1.2 over TCP
22543 TCP,
TLS 1.2 over TCP
TLS 1.2 over TCP
22551 TCP/UDP,
6771 UDP
6771 UDP
443 HTTPS
TCP, proprietary by Microsoft
HTTPS/TLS 1.2
HTTP
HTTPS/TLS 1.2
443 HTTPS (no SSL inspection)
443 HTTPS
443 HTTPS
443 HTTPS
443 HTTPS
443 HTTPS
443 HTTPS
443 HTTPS
Required for
Connection to Action1 Cloud.
Connection to Action1 Cloud.
Connection to Action1 Cloud.
Connection to Action1 Cloud.
Connection to Action1 Cloud.
Connection to Action1 Cloud.
North America only: Connection to Action1 Remote Desktop relay servers. These servers are located in North America to ensure a smooth Remote Desktop experience for the users located in this region.
Europe only: Connection to Action1 Remote Desktop relay servers. These servers are located in Europe to ensure a smooth Remote Desktop experience for the users located in this region. This relay server will be used by the agents that belong to North American region but located in Europe (e.g. branch offices).
The Middle East only: Connection to Action1 Remote Desktop relay servers. These servers are located in the Middle East to ensure a smooth Remote Desktop experience for the users located in this region.
East Asia only: Connection to Action1 Remote Desktop relay servers. These servers are located in East Asia to ensure a smooth Remote Desktop experience for the users located in this region.
Australia only: Connection to Action1 Remote Desktop relay servers. These servers are located in Australia to ensure a smooth Remote Desktop experience for the users located in this region.
Africa only: Connection to Action1 Remote Desktop relay servers. These servers are located in Africa to ensure a smooth Remote Desktop experience for the users located in this region.
South America only: Connection to Action1 Remote Desktop relay servers. These servers are located in South America to ensure a smooth Remote Desktop experience for the users located in this region.
(Recommended) Exchanging pieces of downloaded apps (P2P file sharing) that helps minimize the external bandwidth usage. The port should be open locally on managed endpoints to allow connections between agents in the local network. If the inbound communication between agents on the local network is not allowed, the agents will not be exchanging downloaded app pieces locally and always download in full from the cloud.
Deploying apps and 3rd party patch management.
Windows Update management.
Windows Update management.
Windows Update management.
Windows Update management.
Deploying apps and 3rd party patch management. Make sure you turn off the SSL inspection. Otherwise, software package downloads may fail with some firewalls (such as Zscaler).
North America only: Connection to Action1 Remote Desktop Console. These servers are located in North America to ensure a smooth Remote Desktop experience for the users located in this region.
Africa only: Connection to Action1 Remote Desktop Console. These servers are located in Africa to ensure a smooth Remote Desktop experience for the users located in this region.
Australia only: Connection to Action1 Remote Desktop Console. These servers are located in Australia to ensure a smooth Remote Desktop experience for the users located in this region.
Asia only: Connection to Action1 Remote Desktop Console. These servers are located in Asia to ensure a smooth Remote Desktop experience for the users located in this region.
Europe only: Connection to Action1 Remote Desktop Console. These servers are located in Europe to ensure a smooth Remote Desktop experience for the users located in this region. This server will be used for North American customers connecting from Europe (e.g. during travel).
The Middle East only: Connection to Action1 Remote Desktop Console. These servers are located in the Middle East to ensure a smooth Remote Desktop experience for the users located in this region.
South America only: Connection to Action1 Remote Desktop Console. These servers are located in South America to ensure a smooth Remote Desktop experience for the users located in this region.
Components
Agents, Deployer
Deployer
Deployer
Deployer
Deployer
Deployer
Agents
Agents
Agents
Agents
Agents
Agents
Agents
Agents
Agents
Agents
Agents
Agents
Agents
Agents
Action1 Console (web browser)
Action1 Console (web browser)
Action1 Console (web browser)
Action1 Console (web browser)
Action1 Console (web browser)
Action1 Console (web browser)
Action1 Console (web browser)
Region: Europe
Resource
Action1 servers (server.eu.action1.com):
- 18.159.245.29
- 18.195.232.183
- 3.69.247.61
- 52.29.164.59
Action1 Remote Desktop relay servers in Europe:
- 18.185.175.163
- 3.71.193.26
- 3.74.109.234
- 35.159.135.52
Managed endpoints
(LAN only)
(LAN only)
a1-backend-packages-434810787744-eu-central-1.s3.amazonaws.com
*.windowsupdate.com
*.mp.microsoft.com
emdl.ws.microsoft.com
- tsfe.trafficshaping.
dsp.mp.microsoft.com - download.windowsupdate.com
- dl.delivery.mp.microsoft.com
- download.windowsupdate.com
- windowsupdate.microsoft.com
- *.windowsupdate.microsoft.com
- *.update.microsoft.com
- update.microsoft.com
- download.microsoft.com
- ntservicepack.microsoft.com
- login.live.com
- eu-cdn.action1.com
- eu-cdn-action1-com.b-cdn.net
Action1 Remote Desktop Console for Europe:
- remote.eu.action1.com
Type
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Inbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Port & Protocol
22543 TCP,
TLS 1.2 over TCP
TLS 1.2 over TCP
135 RPC TCP
139 SMB TCP
445 SMB TCP
389 LDAP TCP
Randomly allocated high TCP ports (between 49152 - 65535) TCP
22543 TCP,
TLS 1.2 over TCP
TLS 1.2 over TCP
22551 TCP/UDP,
6771 UDP
6771 UDP
443 HTTPS
TCP, proprietary by Microsoft
HTTPS/TLS 1.2
HTTP
HTTPS/TLS 1.2
443 HTTPS (no SSL inspection)
443 HTTPS
Required for
Connection to Action1 Cloud.
Connection to Action1 Cloud.
Connection to Action1 Cloud.
Connection to Action1 Cloud.
Connection to Action1 Cloud.
Connection to Action1 Cloud.
Europe only: Connection to Action1 Remote Desktop relay servers. These servers are located in Europe to ensure a smooth Remote Desktop experience for the users located in this region.
(Recommended) Exchanging pieces of downloaded apps (P2P file sharing) that helps minimize the external bandwidth usage. The port should be open locally on managed endpoints to allow connections between agents in the local network. If the inbound communication between agents on the local network is not allowed, the agents will not be exchanging downloaded app pieces locally and always download in full from the cloud.
Deploying apps and 3rd party patch management.
Windows Update management.
Windows Update management.
Windows Update management.
Windows Update management.
Deploying apps and 3rd party patch management. Make sure you turn off the SSL inspection. Otherwise, software package downloads may fail with some firewalls (such as Zscaler).
Europe only: Connection to Action1 Remote Desktop Console. These servers are located in Europe to ensure a smooth Remote Desktop experience for the users located in this region.
Components
Agents, Deployer
Deployer
Deployer
Deployer
Deployer
Deployer
Agents
Agents
Agents
Agents
Agents
Agents
Agents
Agents
Action1 Console (web browser)
Region: Australia
Resource
Action1 servers (server.au.action1.com):
- 13.238.191.59
- 13.55.204.40
- 3.104.0.1
- 3.105.163.243
Action1 Remote Desktop relay servers in Australia:
- 13.238.126.63
- 3.105.27.166
- 52.63.120.112
- 54.253.145.16
Managed endpoints
(LAN only)
(LAN only)
a1-backend-packages-730335655190-ap-southeast-2.s3.amazonaws.com
*.windowsupdate.com
*.mp.microsoft.com
emdl.ws.microsoft.com
- tsfe.trafficshaping.
dsp.mp.microsoft.com - download.windowsupdate.com
- dl.delivery.mp.microsoft.com
- download.windowsupdate.com
- windowsupdate.microsoft.com
- *.windowsupdate.microsoft.com
- *.update.microsoft.com
- update.microsoft.com
- download.microsoft.com
- ntservicepack.microsoft.com
- login.live.com
- au-cdn.action1.com
- au-cdn-action1-com.b-cdn.net
Action1 Remote Desktop Console for Australia:
- remote.au.action1.com
Type
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Inbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Outbound
Port & Protocol
22543 TCP,
TLS 1.2 over TCP
TLS 1.2 over TCP
135 RPC TCP
139 SMB TCP
445 SMB TCP
389 LDAP TCP
Randomly allocated high TCP ports (between 49152 - 65535) TCP
22543 TCP,
TLS 1.2 over TCP
TLS 1.2 over TCP
22551 TCP/UDP,
6771 UDP
6771 UDP
443 HTTPS
TCP, proprietary by Microsoft
HTTPS/TLS 1.2
HTTP
HTTPS/TLS 1.2
443 HTTPS (no SSL inspection)
443 HTTPS
Required for
Connection to Action1 Cloud.
Connection to Action1 Cloud.
Connection to Action1 Cloud.
Connection to Action1 Cloud.
Connection to Action1 Cloud.
Connection to Action1 Cloud.
Australia only: Connection to Action1 Remote Desktop relay servers. These servers are located in Australia to ensure a smooth Remote Desktop experience for the users located in this region.
(Recommended) Exchanging pieces of downloaded apps (P2P file sharing) that helps minimize the external bandwidth usage. The port should be open locally on managed endpoints to allow connections between agents in the local network. If the inbound communication between agents on the local network is not allowed, the agents will not be exchanging downloaded app pieces locally and always download in full from the cloud.
Deploying apps and 3rd party patch management.
Windows Update management.
Windows Update management.
Windows Update management.
Windows Update management.
Deploying apps and 3rd party patch management. Make sure you turn off the SSL inspection. Otherwise, software package downloads may fail with some firewalls (such as Zscaler).
Australia only: Connection to Action1 Remote Desktop Console. These servers are located in Australia to ensure a smooth Remote Desktop experience for the users located in this region.
Components
Agents, Deployer
Deployer
Deployer
Deployer
Deployer
Deployer
Agents
Agents
Agents
Agents
Agents
Agents
Agents
Agents
Action1 Console (web browser)
NOTE: * (asterisk sign) in DNS names means including all child subdomains, with multi-level nesting. For example, *.example.com would include example.com, child.example.com, grand.child.example.com, and all other possible subdomains.