Network and security considerations
In regular operation, FlexxAgent has a set of network requirements: it must be able to connect to the cloud orchestration services, and it supports proxies as well as complex network ecosystems.
Before deploying FlexxAgent on devices, it is recommended to validate that, at the network level, they can reach the destination URLs and ports defined below.
Bandwidth usage
FlexxAgent process
When FlexxAgent starts, it collects and sends an initial report of approximately 75 KB; from that moment, it sends differential reports of approximately 3-4 KB. This process is responsible for executing on-demand or automatic actions on the device. At those moments, the network traffic could increase.
FlexxAgent Analyzer process
FlexxAgent Analyzer collects user session information, such as application consumption and resource usage, every 15 seconds. It aggregates this information into files of approximately 35-50 KB, which are sent to the consoles every 5 minutes, although this interval could change for specific functionalities.
In multi-user systems, a single instance of FlexxAgent runs, along with one instance of FlexxAgent Analyzer per user session on the system.
Required URLs and Ports
In terms of communications, FlexxAgent must be able to contact the orchestration layer of the service hosted on the Internet, which includes:
URL | Scope | Port | Region | Product |
---|---|---|---|---|
https://flxsbname\*\*\*.servicebus.windows.net | Agent | 443 | West Europe | FXXOne, FlexxClient & FlexxDesktop |
https://flxiothub\*\*\*.azure-devices.net | Agent | 443 | West Europe | FXXOne, FlexxClient & FlexxDesktop |
https://west-eu.agent-api.analyzer.flexxible.com | Agent | 443 | West Europe | FXXOne, FlexxClient & FlexxDesktop |
https://flexxibleglobal.blob.core.windows.net | Agent | 443 | West Europe | FXXOne, FlexxClient & FlexxDesktop |
https://api.ipify.org | Agent | 443 | West Europe | FXXOne, FlexxClient & FlexxDesktop |
https://ras.flexxible.com | Agent – Remote Assistance | 443 | West Europe | FXXOne, FlexxClient & FlexxDesktop |
https://update.workspaces.flexxible.com | Agent | 443 | West Europe | FXXOne, FlexxClient & FlexxDesktop |
https://agents-weu.one.flexxible.net | Agent | 443 | West Europe | FXXOne |
https://agents-weu.flexxible.net | Agent | 443 | West Europe | FlexxClient & FlexxDesktop |
https://west-eu-01.agent-api.one.analyzer.flexxible.com | Agent | 443 | West Europe | FXXOne |
*** unique identifier provided by Flexxible.
Security
To ensure a good user experience, in some cases it will be necessary to configure exclusions in the antivirus; however, if not managed properly, these exclusions can pose a security risk.
For this reason, it is advised to periodically scan the files and folders that have been excluded from antivirus scanning. Both Microsoft and Flexxible recommend:
- Use a File Integrity Monitoring (FIM) or Host Intrusion Prevention (HIP) solution to protect the integrity of the elements excluded from real-time analysis.
- If Azure Sentinel is used and Windows Defender is not configured correctly, performance issues may arise. Disable Windows Defender with the following PowerShell command:
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Antivirus exclusions
The items to exclude from antivirus analysis are as follows:
Folders
C:\Program Files\Flexxible
Compute
FlexxAgent.exe
FlexxibleRA.exe
FlexxibleRemoteAssistance_XXXX.exe
Deep SSL Inspection
For security solutions like Deep SSL Inspection or Trend Micro, the instructions described below should be taken into account to ensure optimal performance of FlexxAgent.
Deep SSL Inspection should be disabled for the following URLs on devices that use it as a security solution:
- https://flxsbname\*\*\*.servicebus.windows.net
- https://flxiothub\*\*\*.azure-devices.net
- https://agents-weu.flexxible.net
- https://ras.flexxible.com
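The following added example (not part of Flexxible's documentation) checks, from a device, that each host in the table above answers on port 443 and reports who issued the certificate it presents, which shows whether an SSL inspection device is still re-signing the traffic. The function name `Test-AgentEndpoint` is hypothetical, and the script assumes a direct outbound connection without an explicit proxy.

```powershell
# Added example: TCP 443 reachability plus the issuer of the certificate each endpoint presents.
# Hosts come from the table above; replace *** with the identifier provided by Flexxible.
$Endpoints = @(
    'flxsbname***.servicebus.windows.net',
    'flxiothub***.azure-devices.net',
    'west-eu.agent-api.analyzer.flexxible.com',
    'flexxibleglobal.blob.core.windows.net',
    'api.ipify.org',
    'ras.flexxible.com',
    'update.workspaces.flexxible.com',
    'agents-weu.one.flexxible.net',
    'agents-weu.flexxible.net',
    'west-eu-01.agent-api.one.analyzer.flexxible.com'
)

function Test-AgentEndpoint {   # hypothetical helper name
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)
    $result = [pscustomobject]@{ Host = $HostName; Reachable = $false; Issuer = $null; Note = $null }
    if ($HostName -match '\*') { $result.Note = 'placeholder not replaced, skipped'; return $result }
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        if (-not $tcp.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) {
            $result.Note = 'TCP timeout'
            return $result
        }
        $result.Reachable = $true
        # Accept any certificate here: the goal is to read the issuer, not to trust the session.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $result.Issuer = $cert.Issuer
    } catch {
        $result.Note = $_.Exception.GetBaseException().Message
    } finally {
        $tcp.Dispose()
    }
    $result
}

$Endpoints | ForEach-Object { Test-AgentEndpoint -HostName $_ } | Format-Table -AutoSize -Wrap
```

An issuer that belongs to the organisation's own inspection CA on any of the four hosts listed in this section means the inspection bypass is not in effect for that host.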
PowerShell process restriction
Some security solutions do not allow the installation and/or self-update of FlexxAgent to be performed effectively, as is the case with Trend Micro.
During the process, the installer may return the message:
The process was terminated with errors. A corrupted installation was detected due to external processes. This is usually caused by antivirus activity. Please check your antivirus settings.
To solve this, Flexxible recommends excluding the following items on the device from the security solution's analysis:
C:\Windows\Temp\FlexxibleIT
C:\Windows\Temp\UpdateFlexxAgent.ps1
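The Security section advises periodically checking the items excluded from antivirus analysis and protecting their integrity. As an added example (not Flexxible's own tooling), this script records SHA-256 hashes and Authenticode status for the excluded paths named on this page and reports new, modified and removed files on later runs. The baseline location and the function name `Get-ExcludedFileState` are assumptions.

```powershell
# Added example: SHA-256 and Authenticode baseline for the items excluded from antivirus analysis.
$ExcludedPaths = @(
    'C:\Program Files\Flexxible',
    'C:\Windows\Temp\FlexxibleIT',
    'C:\Windows\Temp\UpdateFlexxAgent.ps1'
)
# Assumption: hypothetical baseline location; keep it where standard users cannot write.
$BaselineFile = 'C:\ProgramData\FimBaseline\flexxible-exclusions.csv'

function Get-ExcludedFileState {   # hypothetical helper name
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        Get-ChildItem -LiteralPath $p -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    SigStatus = [string]$sig.Status
                    Signer    = $sig.SignerCertificate.Subject
                }
            }
    }
}

$current = @(Get-ExcludedFileState -Path $ExcludedPaths)

if (-not (Test-Path -LiteralPath $BaselineFile)) {
    # First run: record the current state as the baseline and stop.
    New-Item -ItemType Directory -Path (Split-Path $BaselineFile) -Force | Out-Null
    $current | Export-Csv -LiteralPath $BaselineFile -NoTypeInformation
    Write-Output "Baseline created with $($current.Count) files."
    return
}

$baseline = @{}
Import-Csv -LiteralPath $BaselineFile | ForEach-Object { $baseline[$_.Path] = $_ }

foreach ($f in $current) {
    $old = $baseline[$f.Path]
    $change = if (-not $old) { 'New' } elseif ($old.Sha256 -ne $f.Sha256) { 'Modified' }
    if ($change) { $f | Select-Object @{ n = 'Change'; e = { $change } }, Path, Sha256, SigStatus, Signer }
    $baseline.Remove($f.Path)
}
# Whatever is left in the baseline no longer exists on disk.
$baseline.Keys | ForEach-Object { [pscustomobject]@{ Change = 'Removed'; Path = $_ } }
```

Agent self-updates will legitimately change hashes, so the signature status and signer columns are what separate an expected update from an unexpected file; refresh the baseline after each reviewed update.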
Wake on LAN (WoL)
Wake on LAN allows devices to be powered on by sending a Magic Packet that instructs the network card to power on. The following is required in order to use this functionality:
- Compatible network card
- Activate WoL in BIOS/UEFI
- Configure WoL in the operating system
- A Bridge device on the same network as the device to be powered on, with FlexxAgent installed and reporting
Wake on LAN (WoL) normally operates within a local network, and can work between subnets as long as there are no restrictions imposed by firewalls or network devices blocking the Magic Packet transmission. In subnet-segmented environments, network-level exceptions need to be configured to allow Magic Packet routing between subnets.
Configure Wake on LAN (WoL) in Windows
To configure the Wake on LAN (WoL) functionality on a device with Windows operating system, follow these steps:
- Check whether WoL is enabled
In the CMD window, execute the following command:
powercfg /devicequery wake_programmable
- Enable WoL
Run the command:
powercfg /deviceenablewake "Realtek PCIe GbE Family Controller"
Replace "Realtek PCIe GbE Family Controller" with the name of the corresponding driver.
Remote assistance through proxy
For remote assistance, FlexxAgent will use a proxy when it is configured and accessible.
If a proxy is configured but is not accessible at that moment, remote support is launched with the “auto detect” option, which uses the Internet egress configuration set by the end user.