Allowlist requirements for IP addresses and URLs

To allow seamless connectivity to the Datto RMM Web Portal and between Agents, you must open TCP port 443 outbound through your firewall.
If your company has a more aggressive security posture for outbound traffic (for example, port blocking and IP address access lists), then you may need to add a number of IP addresses to the allowlist as well as open up port 443 to allow Datto RMM to make the required connections. The IP addresses you must add to the allowlist are specific to your platform, and you only need to add those associated with your platform.
NOTE For information about the platform your site is hosted on, refer to Datto RMM platforms.

IMPORTANT In order to reduce security false positives, improve monitoring and automation reliability, and make our Agent’s allowlisting more comprehensive, we now make use of a temporary directory underneath the Datto RMM Agent’s installation path rather than the %TEMP% folder.
This change affects all supported operating systems (Windows, macOS, and Linux). The new paths are as follows:
- Windows: %ProgramData%\CentraStage\Temp, %ProgramData%\CentraStage\AEMAgent\Temp
- macOS and Linux: usr/local/share/CentraStage/Temp, usr/local/share/CentraStage/AEMAgent/Temp
The following operations no longer create or modify files in the %TEMP% folder:
- Script files
- Downloading of Agent Modules packages
- CagService update
- Agent update
- Downloading of Windows Updater file
- Vine VNC setup script file (macOS)
- Screen Capture (macOS)
- Web Remote file transfer
NOTE If the CagService, Agent, or Web Remote operations are not able to create or use their own Temp directory, all operations above will fall back to using the default %TEMP% folder.

For partners managing devices in environments with rigorous network security, note that the following ports are used by Datto RMM's extended processes, remote tools, and software management. These ports are actively used by the Agent all of the time:
- Port 13300 (UDP) - used for Agent discovery.
- Port 6800 (TCP) - used for Agent communication with the Aria process.

The initial connection between the browser and the Agent is established via WebRTC servers. Refer to WebRTC. Depending on the firewall configuration, the connection will resolve via a STUN server (when a P2P connection is possible) or a TURN server (when a relay connection is chosen). The WebRTC servers are located in several regions. Refer to Add the following IP addresses and URLs to the allowlist.
The minimum requirements for Web Remote are as follows: outbound port 3478 and ports 49152-65535 should be open (both TCP and UDP) for the IPs listed under IP addresses for the tunnel server grid. In addition, make sure to add the following URL to the allowlist:
Software | Operating System | URL |
---|---|---|
Microsoft .NET | Windows | https://dotnet.microsoft.com |

Unless a peer-to-peer connection can be established between devices, Agent to Agent connectivity and remote takeover are managed by a tunnel server over an encrypted connection. Tunnel servers are connection relays located around the globe to provide maximum coverage and the best performance depending on your location. They are automatically available to all users.
When a remote takeover session is initiated:
- The admin device performs a DNS query to find the nearest tunnel server. The tunnel server is picked based on the proximity to the admin device.
- A connection is made to a load-balanced tunnel server cluster.
- Finally, a connection is established to the remote device.
To make the most of the tunnel server grid, please ensure that the IP addresses relevant to your geographic location are added to the allowlist and outbound traffic on port 443 is open on your own and your endpoints' firewalls.

The following rules are configured for all local and remote ports:
Rule Name | Protocol | Description | Inbound | Outbound |
---|---|---|---|---|
AEMAgent | ANY | Datto RMM Agent Process | Yes | Yes |
aria2c | ANY | Download manager used by the AEMAgent process | Yes | Yes |
CentraStage_monitor | TCP/UDP | Datto RMM Monitoring Agent | Yes | |
CentraStage_service | TCP/UDP | Datto RMM Agent Service | Yes | |
RMM RTC Proxy | ANY | Datto RMM Web Remote RTC Proxy Service | Yes | Yes |
RMM RTO Proxy | ANY | Datto RMM Web Remote RTO Proxy Service | Yes | Yes |
RMM Web Remote | ANY | Datto RMM Web Remote Process | Yes | Yes |
uVNC_Service | TCP/UDP | uVNC Service for VNC Connections | Yes | |

The Datto RMM Agent communicates with the platform using the IPv4 protocol.
NOTE IPv6 connections are not supported at this time.

It is strongly recommended that any Stateful Packet Inspection be turned off for access to any centrastage.net address, and that every effort is made to ensure that TCP connections to the cc.centrastage.net addresses are not terminated when inactive (these connections may be inactive for up to 180 seconds at a time if no client activity is detected).

To help ease the burden of administration and reduce human error when managing allowlists across multiple firewalls, a series of DNS A records that will return every IP address applicable for a given platform is available. These records are as follows:
- concord-ips.centrastage.net
- vidal-ips.centrastage.net
- zinfandel-ips.centrastage.net
- merlot-ips.centrastage.net
- pinotage-ips.centrastage.net
- syrah-ips.centrastage.net
While the complete list of IP addresses will continue to be available in this article, you may query any of these records to obtain the list of addresses for use in firewalls capable of IP-based filtering or for scripting purposes.
Querying the DNS A records
To query the DNS A records, use the following commands depending on your operating system:
- Windows: nslookup <platform>-ips.centrastage.net
- Linux: dig <platform>-ips.centrastage.net, host <platform>-ips.centrastage.net, or nslookup <platform>-ips.centrastage.net
- macOS: host <platform>-ips.centrastage.net
For more information, refer to this Community post.
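An added example, not part of the original article or Datto's tooling: one way to use these records in a script is to diff the resolver's answer against the deployed allowlist and hold the change for review when the answer looks wrong, since a DNS reply is not authenticated. The `min_expected` and `max_removed` thresholds, the `NON_ROUTABLE` list, and the sample addresses are assumptions made for this example.

```python
import ipaddress
import socket

# Platform names used in the <platform>-ips.centrastage.net records.
PLATFORMS = ("concord", "vidal", "zinfandel", "merlot", "pinotage", "syrah")
# Assumption: ranges a genuine answer should never contain.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def record_name(platform):
    """Return the A-record name for a platform; reject unlisted names."""
    platform = platform.strip().lower()
    if platform not in PLATFORMS:
        raise ValueError(f"unknown platform: {platform!r}")
    return f"{platform}-ips.centrastage.net"


def resolve_ipv4(name):
    """Return all IPv4 (A) answers from the system resolver (needs network)."""
    infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def plan_update(current, resolved, min_expected=3, max_removed=0.5):
    """Diff deployed allowlist against a DNS answer; apply=False means review."""
    valid, rejected = set(), []
    for text in resolved:
        try:
            addr = ipaddress.IPv4Address(text.strip())
        except ValueError:  # not IPv4; the Agent only uses IPv4
            rejected.append(text)
            continue
        if any(addr in net for net in NON_ROUTABLE):
            rejected.append(text)
        else:
            valid.add(addr)
    deployed = {ipaddress.IPv4Address(a.strip()) for a in current}
    add, remove = sorted(valid - deployed), sorted(deployed - valid)
    reasons = []
    if rejected:
        reasons.append("non-IPv4 or non-routable entries in answer")
    if len(valid) < min_expected:
        reasons.append("answer is suspiciously small")
    if deployed and len(remove) > max_removed * len(deployed):
        reasons.append("answer would remove over half the deployed list")
    return {"add": [str(a) for a in add], "remove": [str(a) for a in remove],
            "rejected": rejected, "apply": not reasons, "reasons": reasons}


# Constructed sample data (documentation ranges), not Datto RMM addresses.
DEPLOYED = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "198.51.100.7"]
GOOD_ANSWER = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.40"]
BAD_ANSWER = ["10.0.0.5", "203.0.113.10"]

if __name__ == "__main__":
    print(plan_update(DEPLOYED, GOOD_ANSWER))
    print(plan_update(DEPLOYED, BAD_ANSWER))
```

In a live run, pass `resolve_ipv4(record_name("merlot"))` as `resolved` and the firewall's exported address list as `current`.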

Some countries are not permitted access to the Datto RMM web interface. For more information, refer to Blocklist.
Add the following IP addresses and URLs to the allowlist
IMPORTANT Aside from the IP addresses listed below, additional IPs may be used to access various Amazon Web Services (AWS) infrastructure. The list gets updated as AWS makes changes. For more information, refer to AWS IP Address Ranges.
IMPORTANT If your antivirus product has flagged the Datto RMM Agent installer as malicious, speak to your antivirus provider and request that they mark the installer as a false positive to allow it through.
IP addresses per platform (Inbound)
IP addresses per platform (Outbound)
If you are using the ConnectWise PSA Integration and are connecting to an on-premise ConnectWise PSA server, add the following IP addresses to the allowlist for outbound communication:
IP addresses for the tunnel server grid
URLs
In addition to IP addresses, some firewalls, proxies, or security appliances may require access to the URL of the service as well as the IP address.
If you are using a proxy or security appliance, we recommend that you add the centrastage.net and the rmm.datto.com domains to the allowlist in their entirety if possible or, at a minimum, ensure that the relevant URLs to your platform are added to the allowlist.
Platform | Service | URLs | TCP Port | Direction |
---|---|---|---|---|
EU (Pinotage) | Web Service | https://01ws.centrastage.net https://agent-gateway.pinotage.rmm.datto.com/ https://pinotage-agent.centrastage.net https://pinotage-audit.centrastage.net https://pinotage-monitoring.centrastage.net https://pinotage-agent-notifications.centrastage.net https://pinotage-agent-comms.centrastage.net | HTTPS / 443 | Outbound |
EU (Pinotage) | Agent Updates | https://update.centrastage.net https://storage.rmm.datto.com https://download.visualstudio.microsoft.com | HTTPS / 443 | Outbound |
EU (Pinotage) | Web Portal and New UI | https://pinotage.centrastage.net https://pinotage-realtime.centrastage.net https://pinotage.rmm.datto.com https://pinotagermm.centrastage.net | HTTPS / 443 | Outbound |
EU (Pinotage) | Control Channel | 01cc.centrastage.net | HTTPS / 443 | Outbound |
EU (Pinotage) | Tunnel Server | ts.centrastage.net | HTTPS / 443 | Outbound |
EU (Pinotage) | Component Library | https://cpt.centrastage.net https://cpt.centrastage.net.s3.amazonaws.com | HTTPS / 443 | Outbound |
EU (Merlot) | Web Service | https://02ws.centrastage.net https://agent-gateway.merlot.rmm.datto.com/ https://merlot-agent.centrastage.net https://merlot-audit.centrastage.net https://merlot-monitoring.centrastage.net https://merlot-agent-notifications.centrastage.net https://merlot-agent-comms.centrastage.net | HTTPS / 443 | Outbound |
EU (Merlot) | Agent Updates | https://update-merlot.centrastage.net https://update.centrastage.net https://storage.rmm.datto.com https://download.visualstudio.microsoft.com | HTTPS / 443 | Outbound |
EU (Merlot) | Web Portal and New UI | https://merlot.centrastage.net https://merlot-realtime.centrastage.net https://merlot.rmm.datto.com https://merlotrmm.centrastage.net | HTTPS / 443 | Outbound |
EU (Merlot) | Control Channel | 02cc.centrastage.net | HTTPS / 443 | Outbound |
EU (Merlot) | Tunnel Server | ts.centrastage.net | HTTPS / 443 | Outbound |
EU (Merlot) | Component Library | https://cpt-merlot.centrastage.net https://cpt-merlot.centrastage.net.s3.amazonaws.com | HTTPS / 443 | Outbound |
US East (Concord) | Web Service | https://01concordws.centrastage.net https://agent-gateway.concord.rmm.datto.com/ https://concord-agent.centrastage.net https://concord-audit.centrastage.net https://concord-monitoring.centrastage.net https://concord-agent-notifications.centrastage.net https://concord-agent-comms.centrastage.net | HTTPS / 443 | Outbound |
US East (Concord) | Agent Updates | https://update-concord.centrastage.net https://update.centrastage.net https://storage.rmm.datto.com https://download.visualstudio.microsoft.com | HTTPS / 443 | Outbound |
US East (Concord) | Web Portal and New UI | https://concord.centrastage.net https://concord-realtime.centrastage.net https://concord.rmm.datto.com https://concordrmm.centrastage.net | HTTPS / 443 | Outbound |
US East (Concord) | Control Channel | concordcc.centrastage.net 01concordcc.centrastage.net | HTTPS / 443 | Outbound |
US East (Concord) | Tunnel Server | ts.centrastage.net | HTTPS / 443 | Outbound |
US East (Concord) | Component Library | https://cpt-concord.centrastage.net https://cpt-concord.centrastage.net.s3.amazonaws.com https://s3.amazonaws.com/cpt-concord.centrastage.net | HTTPS / 443 | Outbound |
US East (Vidal) NEW | Web Service | https://01vidalws.centrastage.net https://agent-gateway.vidal.rmm.datto.com/ https://vidal-agent.centrastage.net https://vidal-audit.centrastage.net https://vidal-monitoring.centrastage.net https://vidal-agent-notifications.centrastage.net https://vidal-agent-comms.centrastage.net | HTTPS / 443 | Outbound |
US East (Vidal) NEW | Agent Updates | https://update-vidal.centrastage.net https://update.centrastage.net https://storage.rmm.datto.com https://download.visualstudio.microsoft.com | HTTPS / 443 | Outbound |
US East (Vidal) NEW | Web Portal and New UI | https://vidal.centrastage.net https://vidal-realtime.centrastage.net https://vidal.rmm.datto.com https://vidalrmm.centrastage.net | HTTPS / 443 | Outbound |
US East (Vidal) NEW | Control Channel | vidalcc.centrastage.net 01vidalcc.centrastage.net | HTTPS / 443 | Outbound |
US East (Vidal) NEW | Tunnel Server | ts.centrastage.net | HTTPS / 443 | Outbound |
US East (Vidal) NEW | Component Library | https://cpt-vidal.centrastage.net https://cpt-vidal.centrastage.net.s3.amazonaws.com https://s3.amazonaws.com/cpt-vidal.centrastage.net | HTTPS / 443 | Outbound |
US West (Zinfandel) | Web Service | https://03ws.centrastage.net https://agent-gateway.zinfandel.rmm.datto.com/ https://zinfandel-agent.centrastage.net https://zinfandel-audit.centrastage.net https://zinfandel-monitoring.centrastage.net https://zinfandel-agent-notifications.centrastage.net https://zinfandel-agent-comms.centrastage.net | HTTPS / 443 | Outbound |
US West (Zinfandel) | Agent Updates | https://update-zinfandel.centrastage.net https://update.centrastage.net https://storage.rmm.datto.com https://download.visualstudio.microsoft.com | HTTPS / 443 | Outbound |
US West (Zinfandel) | Web Portal and New UI | https://zinfandel.centrastage.net https://zinfandel-realtime.centrastage.net https://zinfandel.rmm.datto.com https://zinfandelrmm.centrastage.net | HTTPS / 443 | Outbound |
US West (Zinfandel) | Control Channel | 03cc.centrastage.net | HTTPS / 443 | Outbound |
US West (Zinfandel) | Tunnel Server | ts.centrastage.net | HTTPS / 443 | Outbound |
US West (Zinfandel) | Component Library | https://cpt-zinfandel.centrastage.net https://cpt-zinfandel.centrastage.net.s3.amazonaws.com | HTTPS / 443 | Outbound |
APAC (Syrah) | Web Service | https://agent-gateway.syrah.rmm.datto.com/ https://syrahws.centrastage.net https://syrah-agent.centrastage.net https://syrah-audit.centrastage.net https://syrah-monitoring.centrastage.net https://syrah-agent-notifications.centrastage.net https://syrah-agent-comms.centrastage.net | HTTPS / 443 | Outbound |
APAC (Syrah) | Agent Updates | https://update-syrah.centrastage.net https://update.centrastage.net https://storage.rmm.datto.com https://download.visualstudio.microsoft.com | HTTPS / 443 | Outbound |
APAC (Syrah) | Web Portal and New UI | https://syrah.centrastage.net https://syrah-realtime.centrastage.net https://syrah.rmm.datto.com https://syrahrmm.centrastage.net | HTTPS / 443 | Outbound |
APAC (Syrah) | Control Channel | syrahcc.centrastage.net 01syrahcc.centrastage.net | HTTPS / 443 | Outbound |
APAC (Syrah) | Tunnel Server | ts.centrastage.net | HTTPS / 443 | Outbound |
APAC (Syrah) | Component Library | https://cpt-syrah.centrastage.net https://cpt-syrah.centrastage.net.s3.amazonaws.com | HTTPS / 443 | Outbound |
ComStore component and Software Management URLs
If you are downloading and running components from the ComStore, we recommend that you add storage.centrastage.net and storage.rmm.datto.com to the allowlist. Additionally, if you use any of the software applications below either as a ComStore component or via Software Management, make sure to add the relevant URL(s) to the allowlist:
Software | Operating System | URL |
---|---|---|
7-Zip | Windows | https://www.7-zip.org |
Adobe Acrobat Reader DC | Windows, macOS | https://ardownload2.adobe.com |
Bitdefender Endpoint Security Tools | Windows | http://download.bitdefender.com and https://cloudgz.gravityzone.bitdefender.com |
BitDefender GravityZone - Deployment/Management | Windows, macOS, Linux | http://download.bitdefender.com |
Citrix Workspace | Windows, macOS | https://downloads.citrix.com |
Deploy F-Secure Computer Protection | Windows | https://download.sp.f-secure.com |
ESET Direct Endpoint Management - Deployment | Windows, macOS | https://update.esetusa.com |
FileZilla Client | Windows | https://filezilla-project.org |
Foxit Reader | Windows | https://www.foxitsoftware.com |
Google Chrome | Windows, macOS | http://dl.google.com |
Huntress Agent Deployment | Windows | https://huntress.io |
Java Runtime Environment 8 (latest update) | Windows | https://javadl.oracle.com and https://sdlc-esd.oracle.com |
Liongard Roar Agent | Windows | https://agents.static.liongard.com |
Microsoft Office 365 (Current and Semi-Annual Channels) | Windows | http://dl.delivery.mp.microsoft.com and https://download.microsoft.com https://clients.config.office.net |
Microsoft Teams | Windows | https://aka.ms and https://teams.microsoft.com |
Mozilla Firefox | Windows, macOS | https://download.mozilla.org |
Mozilla Thunderbird | Windows, macOS | https://download.mozilla.org and https://download-installer.cdn.mozilla.net |
Notepad++ | Windows | https://notepad-plus-plus.org |
Paint.NET x86/x64 | Windows | https://www.dotpdn.com |
PuTTY | Windows | https://the.earth.li (official mirror) |
Skype | Windows, macOS | https://get.skype.com |
Trend Micro Worry-Free Services - Deployment | Windows | https://wfbs-svc-nabu-aal.trendmicro.com or https://wfbs-svc-emea-aal.trendmicro.com (depending on geographical region) |
VLC Media Player | Windows | https://www.mirrorservice.org https://download.videolan.org |
VMWare Tools | Windows | https://packages.vmware.com |
Webroot SecureAnywhere Endpoint Protection | Windows | https://anywhere.webrootcloudav.com |
Windows 10 Upgrade - Professional x86/x64 | Windows | http://dl.delivery.mp.microsoft.com and https://download.microsoft.com |
Zoom | Windows, macOS | https://www.zoom.us https://cdn.zoom.us |