Network and Security
In its regular operation, FlexxAgent has a series of network requirements that must be met for it to connect to the cloud orchestration services, including through proxies and in complex network ecosystems.
Before deploying FlexxAgent on devices, it is recommended to validate at the network level that they can reach the defined destinations, by URL and port.
Bandwidth usage
FlexxAgent process
When FlexxAgent starts, it collects and sends an initial report of approximately 75 KB; from that moment, it sends differential reports of approximately 3-4 KB. This process is responsible for executing on-demand or automatic actions on the device. At those moments, the network traffic could increase.
FlexxAgent Analyzer process
FlexxAgent Analyzer collects user session information, such as application consumption, resource usage, and more, every 15 seconds. It adds this information to files of approximately 35-50 KB, which are sent to the consoles every 5 minutes, although the interval could change for specific functionalities.
In multi-user systems, a single instance of FlexxAgent runs, along with one instance of FlexxAgent Analyzer per user session on the system.
Required URLs and Ports
In terms of communications, FlexxAgent must be able to contact the orchestration layer of the service hosted on the Internet, which includes:
URL | Scope | Port | Region |
---|---|---|---|
https://flxsbname\*\*\*.servicebus.windows.net | Agent | 443 | West Europe |
https://flxiothub\*\*\*.azure-devices.net | Agent | 443 | West Europe |
https://west-eu.agent-api.analyzer.flexxible.com | Agent | 443 | West Europe |
https://flexxibleglobal.blob.core.windows.net | Agent | 443 | West Europe |
https://api.ipify.org | Agent | 443 | West Europe |
https://ras.flexxible.com | Agent – Remote Assistance | 443 | West Europe |
https://update.workspaces.flexxible.com | Agent | 443 | West Europe |
https://agents-weu.one.flexxible.net | Agent | 443 | West Europe |
https://west-eu-01.agent-api.one.analyzer.flexxible.com | Agent | 443 | West Europe |
https://south-br.agent-api.analyzer.flexxible.com (Brazil Only) | Agent | 443 | Brazil South |
\*\*\* is a unique identifier provided by Flexxible.
Security
To ensure a good user experience, in some cases it will be necessary to configure exclusions in the antivirus; however, if not managed properly, these exclusions can pose a security risk.
For this reason, it is advised to periodically scan the files and folders that have been excluded from antivirus scanning. Both Microsoft and Flexxible recommend:
- Use a File Integrity Monitoring (FIM) or Host Intrusion Prevention (HIP) solution to protect the integrity of the elements excluded from real-time analysis.
- If Azure Sentinel is used and Windows Defender is not configured correctly, performance issues may arise. Disable Windows Defender with the following PowerShell command:
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Antivirus exclusions
FlexxAgent should be able to function correctly without configuring exceptions, but in more restrictive environments, it might be necessary to set some.
The items to exclude from antivirus analysis are as follows:
Folders
C:\Program Files\Flexxible
C:\Windows\Temp\FlexxibleIT\
Processes
FlexxAgent.exe
FlexxibleRA.exe
FlexxibleRemoteAssistance_XXXX.exe
Files
C:\Windows\Temp\FlexxAgentInstallation.log
C:\Windows\Temp\UpdateFlexxAgent.ps1
C:\Windows\Temp\FlexxAgentHealthCheck.log
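One way to carry out the periodic review of excluded items recommended above, as an added example that is not part of Flexxible's documentation or tooling: a hash-and-signature baseline over the excluded paths from this page. The baseline file location and the function name are assumptions.

```powershell
# Added example: paths are the exclusions listed on this page.
$ExcludedPaths = 'C:\Program Files\Flexxible', 'C:\Windows\Temp\FlexxibleIT',
                 'C:\Windows\Temp\UpdateFlexxAgent.ps1'
$BaselineFile  = 'C:\ProgramData\FimBaseline\flexxible.json'   # hypothetical location

function Get-ExclusionSnapshot {
    param([string[]]$Path)
    $files = foreach ($p in $Path) {
        if (Test-Path -LiteralPath $p -PathType Container) {
            Get-ChildItem -LiteralPath $p -File -Recurse -Force -ErrorAction SilentlyContinue
        } elseif (Test-Path -LiteralPath $p -PathType Leaf) {
            Get-Item -LiteralPath $p -Force
        }
    }
    foreach ($f in $files) {
        # Authenticode status is only meaningful for signable content.
        $sig = if ($f.Extension -in '.exe', '.dll', '.ps1') {
            (Get-AuthenticodeSignature -LiteralPath $f.FullName).Status.ToString()
        } else { 'n/a' }
        [pscustomobject]@{
            Path      = $f.FullName
            Sha256    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            Signature = $sig
        }
    }
}

$current = @(Get-ExclusionSnapshot -Path $ExcludedPaths)
if (-not (Test-Path -LiteralPath $BaselineFile)) {
    # First run: record the current state as the baseline and stop.
    New-Item -ItemType Directory -Path (Split-Path $BaselineFile) -Force | Out-Null
    ConvertTo-Json -InputObject $current | Set-Content -LiteralPath $BaselineFile -Encoding UTF8
    "Baseline created: $($current.Count) files"
    return
}
$known = @{}   # path -> hash from the baseline (keys are case-insensitive)
foreach ($b in (Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json)) { $known[$b.Path] = $b.Sha256 }
$report = @(foreach ($f in $current) {
    $change = if (-not $known.ContainsKey($f.Path)) { 'Added' } elseif ($known[$f.Path] -ne $f.Sha256) { 'Modified' }
    $known.Remove($f.Path)
    if ($change) { [pscustomobject]@{ Change = $change; Path = $f.Path; Signature = $f.Signature } }
})
# Whatever is left in $known existed in the baseline but is gone now.
$report += @($known.Keys | ForEach-Object { [pscustomobject]@{ Change = 'Removed'; Path = $_; Signature = 'n/a' } })
$report | Sort-Object Change, Path | Format-Table -AutoSize
```

Log and temporary files inside the excluded folders will normally show as modified; added or modified executables and scripts whose signature status is not Valid are the entries to review first.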
Deep SSL Inspection
On devices that use Deep SSL Inspection as a security solution, disable it for the following URLs to ensure optimal performance of FlexxAgent.
- https://flxsbname\*\*\*.servicebus.windows.net
- https://flxiothub\*\*\*.azure-devices.net
- https://agents-weu.flexxible.net
- https://ras.flexxible.com
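The pre-deployment validation recommended under Required URLs and Ports, combined with a check for Deep SSL Inspection, as an added example that is not part of Flexxible's documentation: it opens a direct TCP connection to port 443 on each host and reports the issuer of the certificate the device actually receives. The function name is an assumption, the two hosts containing \*\*\* are omitted because they need the identifier provided by Flexxible, and connections are made directly rather than through a proxy.

```powershell
# Added example. Host names are taken from this page.
$Hosts = @(
    'west-eu.agent-api.analyzer.flexxible.com',
    'flexxibleglobal.blob.core.windows.net',
    'api.ipify.org',
    'ras.flexxible.com',
    'update.workspaces.flexxible.com',
    'agents-weu.one.flexxible.net',
    'agents-weu.flexxible.net',                      # as listed under Deep SSL Inspection
    'west-eu-01.agent-api.one.analyzer.flexxible.com'
)

function Test-AgentEndpoint {
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)
    $result = [ordered]@{ Host = $HostName; Port = $Port; TcpOpen = $false; Issuer = $null; Error = $null }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        if (-not $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) { throw 'TCP connect timed out' }
        $result.TcpOpen = $true
        # Accept any certificate: the goal is to read the issuer, not to trust the channel.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $result.Issuer = $cert.Issuer
        $ssl.Dispose()
    } catch {
        # Covers DNS failure, blocked port, timeout and TLS handshake errors.
        $result.Error = $_.Exception.GetBaseException().Message
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

$Hosts | ForEach-Object { Test-AgentEndpoint -HostName $_ } | Format-Table -AutoSize
```

An issuer that names an internal or security-appliance CA instead of a public CA means the connection to that host is still being inspected.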
PowerShell process restriction
Some security solutions do not allow the installation and/or self-update of FlexxAgent to be performed effectively. During the process, the installer might return the message:
The process was terminated with errors. A corrupted installation was detected due to external processes. This is usually caused by antivirus activity. Please check your antivirus settings.
To resolve it, Flexxible recommends excluding the following items:
C:\Windows\Temp\FlexxibleIT
C:\Windows\Temp\UpdateFlexxAgent.ps1
Wake on LAN (WoL)
Wake on LAN (WoL) allows devices to be powered on by sending a Magic Packet that instructs the network card to power the device on. The following is required in order to use this functionality:
- Compatible network card
- Activate WoL in BIOS/UEFI
- Configure WoL in the operating system
- A bridge device —with FlexxAgent installed and reporting— on the same network as the device to be powered on.
WoL typically operates within a local network. It can work between subnets as long as there are no restrictions imposed by firewalls or network devices blocking the transmission of the magic packet. In environments with subnet segmentation, it's necessary to configure network-level exceptions that allow the magic packet to be routed between those subnets.
Configure Wake on LAN (WoL) in Windows
To configure the Wake on LAN (WoL) functionality on a device running Windows, follow these steps:
- Check if WoL is on
In the CMD window, execute the following command:
powercfg /devicequery wake_programmable
- Turn on WoL
Run the command:
powercfg /deviceenablewake "Realtek PCIe GbE Family Controller"
Replace "Realtek PCIe GbE Family Controller" with the name of the corresponding driver.
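To confirm the result of these steps, the following added example (not part of Flexxible's documentation) reports for each physical adapter whether it can be configured to wake the device, whether it is currently armed, and whether wake on magic packet is enabled in the adapter's power management settings. `powercfg /devicequery wake_armed` lists the devices currently configured to wake the system; the function name is an assumption, as is the expectation that the device name printed by powercfg equals the adapter's InterfaceDescription.

```powershell
# Added example: correlates powercfg output with the NetAdapter module's view.
function Get-WolReadiness {
    # Device names Windows allows to be armed, and those armed right now.
    $programmable = @(powercfg /devicequery wake_programmable) | ForEach-Object { $_.Trim() }
    $armed        = @(powercfg /devicequery wake_armed)        | ForEach-Object { $_.Trim() }

    foreach ($nic in (Get-NetAdapter -Physical)) {
        $pm = Get-NetAdapterPowerManagement -Name $nic.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Adapter      = $nic.Name
            Device       = $nic.InterfaceDescription
            LinkStatus   = $nic.Status
            MacAddress   = $nic.MacAddress
            # Assumption: powercfg prints the same string as InterfaceDescription.
            CanBeArmed   = $programmable -contains $nic.InterfaceDescription
            ArmedForWake = $armed -contains $nic.InterfaceDescription
            MagicPacket  = $pm.WakeOnMagicPacket
        }
    }
}

Get-WolReadiness | Format-Table -AutoSize
```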
Remote assistance through a proxy
For remote assistance, FlexxAgent will use a proxy when it is configured and accessible.
If a proxy is configured but is not accessible at that moment, remote assistance will launch with the "auto detect" option, which will use the user's configured internet access settings.
vPro
If an organization wants to activate vPro, the Flexxible Intel EMA server's hostname must be resolvable from all of its devices.
URL | Scope | Port | Region |
---|---|---|---|
https://iagent.flexxible.com | Agent | 443 | West Europe |
Requirements for vPro operation via a proxy
- The dynamic host configuration protocol (DHCP) must provide a DNS suffix (DHCP option 15) matching the domain of the certificate.
- The proxy must allow the HTTP CONNECT method to the ports in use.
- Exclude the Flexxible URL to avoid deep SSL/TLS inspection in Client Initiated Remote Access (CIRA) connections.
- The proxy must not modify the HTTP headers during the CONNECT phase.
For more information about vPro, please refer to the Integrations section.