Network and security considerations

FlexxAgent, in its regular operation, requires a series of network requirements to connect to cloud orchestration services and support proxies, as well as complex network ecosystems.

Before deploying FlexxAgent on the devices, it is recommended to validate that at the network level these can access the defined destinations in URLs and ports.

Bandwidth usage

FlexxAgent process

When FlexxAgent starts, it collects and sends an initial report of approximately 75 KB; from that moment, it sends differential reports of approximately 3-4 KB. This process is responsible for executing on-demand or automatic actions on the device. At those moments, the network traffic could increase.

FlexxAgent Analyzer process

FlexxAgent Analyzer collects user session information every 15 seconds, such as application consumption, resource usage, and more. And it adds this information into files of approximately 35-50 KB, which are sent to the consoles every 5 minutes, although the time could change in specific functionalities.

In multi-user systems, a single instance of FlexxAgent will run and as many instances of FlexxAgent Analyzer as user sessions the system has.

Required URLs and Ports

In terms of communications, FlexxAgent must be able to contact the orchestration layer of the service hosted on the Internet, which includes:

URL	Ambit	Port	Region	Product
https://flxsbname\*\*\*.servicebus.windows.net	Agent	443	West Europe	FXXOne, FlexxClient & FlexxDesktop
https://flxiothub\*\*\*.azure-devices.net	Agent	443	West Europe	FXXOne, FlexxClient & FlexxDesktop
https://west-eu.agent-api.analyzer.flexxible.com	Agent	443	West Europe	FXXOne, FlexxClient & FlexxDesktop
https://flexxibleglobal.blob.core.windows.net	Agent	443	West Europe	FXXOne, FlexxClient & FlexxDesktop
https://api.ipify.org	Agent	443	West Europe	FXXOne, FlexxClient & FlexxDesktop
https://ras.flexxible.com	Agent – Remote Assistance	443	West Europe	FXXOne, FlexxClient & FlexxDesktop
https://update.workspaces.flexxible.com	Agent	443	West Europe	FXXOne, FlexxClient & FlexxDesktop
https://agents-weu.one.flexxible.net	Agent	443	West Europe	FXXOne
https://agents-weu.flexxible.net	Agent	443	West Europe	FlexxClient & FlexxDesktop
https://west-eu-01.agent-api.one.analyzer.flexxible.com	Agent	443	West Europe	FXXOne

*** unique identifier provided by Flexxible.

Security

To ensure a good user experience, in some cases it will be necessary to configure exclusions in the antivirus; however, if not managed properly, these exclusions can pose a security risk.

For this reason, it is advised to periodically scan the files and folders that have been excluded from antivirus scanning. Both Microsoft and Flexxible recommend:

• Use a File Integrity Monitoring (FIM) or Host Intrusion Prevention (HIP) solution to protect the integrity of the elements excluded from real-time analysis.

• If Azure Sentinel is used and Windows Defender is not configured correctly, performance issues may arise. Disable Windows Defender with the following PowerShell command:

Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

Antivirus exclusions

The items to exclude from antivirus analysis are as follows:

Folders

• C:\Program Files\Flexxible

Compute

• FlexxAgent.exe
• FlexxibleRA.exe
• FlexxibleRemoteAssistance_XXXX.exe

Deep SSL Inspection

For security solutions like Deep SSL Inspection or Trend Micro, the instructions described below should be taken into account to ensure optimal performance of FlexxAgent.

Deep SSL Inspection should be disabled for the following URLs on devices that use it as a security solution:

• https://flxsbname\*\*\*.servicebus.windows.net
• https://flxiothub\*\*\*.azure-devices.net
• https://agents-weu.flexxible.net
• https://ras.flexxible.com

PowerShell process restriction

Some security solutions do not allow the installation and/or self-update of FlexxAgent to be performed effectively, as is the case with Trend Micro.

During the process, the installer may return the message:

The process was terminated with errors. A corrupted installation was detected due to external processes. This is usually caused by antivirus activity. Please check your antivirus settings.

To solve this, Flexxible recommends excluding the following files from the device:

C:\Windows\Temp\FlexxibleIT

C:\Windows\Temp\UpdateFlexxAgent.ps1

Wake on LAN (WoL)

Wake on LAN allows devices to be powered on by sending a Magic Packet that instructs the network card to power on. The following is required in order to use this functionality:

• Compatible network card
• Activate WoL in BIOS/UEFI
• Configure WoL in the operating system
• A Bridge device on the same network as the device to be powered on, with FlexxAgent installed and reporting

Wake on LAN (WoL) normally operates within a local network, and can work between subnets as long as there are no restrictions imposed by firewalls or network devices blocking the Magic Packet transmission. In subnet-segmented environments, network-level exceptions need to be configured to allow Magic Packet routing between subnets.

Configure Wake on LAN (WoL) in Windows

To configure the Wake on LAN (WoL) functionality on a device with Windows operating system, follow these steps:

1. Check if WoL is On

In the CMD window, execute the following command:

powercfg /devicequery wake_programmable

2. On WoL

Run the command:

powercfg /deviceenablewake "Realtek PCIe GbE Family Controller"

Replace "Realtek PCIe GbE Family Controller" with the name of the corresponding driver.

Remote assistance through proxy

For remote assistance, FlexxAgent will use a proxy when it is configured and accessible.

In case it is configured with a proxy but it is not accessible at that moment, remote support will be launched with the “auto detect” option which will use the internet exit configuration set by the end user.