Overview
IT Agent uses standard, well-understood protocols and minimizes required network access.
Key design goals:
Secure, encrypted communication
Outbound-first connectivity
No inbound access required to managed endpoints when relay is used
Automatic selection of the best available connection method
Platform Communication
HTTPS / Secure WebSockets (Primary)
Port: TCP 443
Protocols: HTTPS, Secure WebSockets (WSS)
Used for:
Web portal access
API communication
Agent and Receiver coordination
Remote Access session setup
Real-time status and control
In production deployments, all IT Agent platform communication occurs over TLS-encrypted connections on port 443.
Managed Endpoint (Agent)
Required Outbound Communication
Destination: IT Agent platform (itagent.app and itagent.io domains)
Port: TCP 443
Protocol: Secure WebSockets (WSS)
This outbound connection allows the agent to:
Report status
Receive commands
Participate in Remote Access sessions
No inbound connectivity to managed endpoints is required for standard operation.
Remote Access Connections
For Remote Access connections, IT Agent automatically selects the most appropriate connection method.
Direct Connection (Optional)
If direct connectivity is allowed (for example, within the same LAN or over a VPN), IT Agent may establish a direct Remote Access connection.
Direction: Receiver → Agent
Protocol: TCP
Port: Dynamically assigned (starting at 48383)
Direct connections offer the lowest latency but require inbound access to the endpoint.
Relay Connection (Automatic Fallback)
When direct connectivity is not possible, IT Agent automatically uses a secure relay connection.
Relay connections are the recommended option for restrictive or zero-trust environments.
Relay behavior:
Both the Agent and Receiver connect outbound to the relay
The relay session is created only for the duration of the Remote Access session
Ports used:
TCP 443: relay session setup and coordination
TCP 27000–40000: temporary session data ports
Important notes:
No inbound ports are required on managed endpoints
Works through NAT and restrictive firewalls
No manual configuration is required by end users
Receiver Application
The Receiver application communicates outbound only.
Destination: IT Agent platform and relay (when used)
Ports: TCP 443, and TCP 27000–40000 (relay sessions)
Protocol: HTTPS / encrypted TCP
The Receiver does not listen for inbound connections.
Summary of Required Ports
Minimum Required (Most Environments)
This configuration supports full platform functionality and Remote Access via relay.
Component | Direction | Port | Protocol |
Browser / Receiver | Outbound → Platform | 443 | HTTPS |
Agent | Outbound → Platform | 443 | WSS |
Remote Access via Relay (Recommended)
Component | Direction | Port | Protocol |
Agent | Outbound → Relay | 443 | HTTPS |
Agent | Outbound → Relay | 27000–40000 | TCP |
Receiver | Outbound → Relay | 27000–40000 | TCP |
Direct Remote Access (Optional)
Component | Direction | Port | Protocol |
Receiver | Inbound → Agent | 48383–48583 | TCP |
This is only required if you want to allow direct (non-relay) Remote Access.
Security Notes
All communication is encrypted in transit
No inbound firewall rules are required on endpoints when relay is used
Remote Access sessions are authenticated and time-limited
Sessions are initiated only by authorized users
Recommended Configuration
For most production environments, we recommend:
Allow outbound TCP 443
Allow outbound TCP 27000–40000 to relay hosts
Do not open inbound ports on managed endpoints
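
One way to check a firewall policy against the port requirements listed on this page, as an added example that is not IT Agent code. The `Rule` model, first-match-wins evaluation with default deny, and the `SAMPLE` policy are assumptions constructed for illustration. It reports any part of the required outbound ranges that is blocked and any inbound opening in the direct-access range.

```python
from collections import namedtuple

# TCP port requirements as stated on this page.
REQUIRED_OUTBOUND = [(443, 443), (27000, 40000)]  # platform/relay setup; relay session data
DIRECT_INBOUND = (48383, 48583)                   # optional direct Remote Access
# Hypothetical, simplified rule model: direction is "out"/"in", action "allow"/"deny".
Rule = namedtuple("Rule", "direction action lo hi")

def allowed_ranges(rules, direction, lo, hi):
    """Sub-ranges of [lo, hi] that are allowed (first match wins, default deny)."""
    undecided, allowed = [(lo, hi)], []
    for r in rules:
        if r.direction != direction:
            continue
        remaining = []
        for a, b in undecided:
            s, e = max(a, r.lo), min(b, r.hi)
            if s > e:                       # rule does not overlap this span
                remaining.append((a, b))
                continue
            if r.action == "allow":
                allowed.append((s, e))
            if a < s:                       # part below the rule stays undecided
                remaining.append((a, s - 1))
            if e < b:                       # part above the rule stays undecided
                remaining.append((e + 1, b))
        undecided = remaining
    return sorted(allowed)

def gaps(allowed, lo, hi):
    """Ports in [lo, hi] not covered by the sorted, non-overlapping allowed ranges."""
    out, cur = [], lo
    for s, e in allowed:
        if s > cur:
            out.append((cur, s - 1))
        cur = e + 1
    return out + ([(cur, hi)] if cur <= hi else [])

def audit(rules):
    """Return (finding, (lo, hi)) tuples for deviations from the recommended setup."""
    findings = [("outbound-blocked", g) for lo, hi in REQUIRED_OUTBOUND
                for g in gaps(allowed_ranges(rules, "out", lo, hi), lo, hi)]
    exposed = allowed_ranges(rules, "in", *DIRECT_INBOUND)
    return findings + [("inbound-open", span) for span in exposed]

# Constructed sample policy: relay range only partly open, one direct port open inbound.
SAMPLE = [Rule("out", "allow", 443, 443), Rule("out", "deny", 30000, 30999),
          Rule("out", "allow", 27000, 35000), Rule("in", "allow", 48383, 48383)]
if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result means the policy matches the recommended relay-only configuration; an `inbound-open` finding is expected only where direct Remote Access has been deliberately enabled.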
