Table of Contents
- Essential Firewall Rules
- Regional Infrastructure Access
- Test-Specific Rules
- Reference: ICMP Types
1. Essential Firewall Rules
This section outlines the minimum required firewall rules for ThousandEyes Enterprise Agents to function properly.
Core Communication Rules
| Protocol |
Port |
Direction |
Source |
Destination |
Purpose |
| TCP |
443 |
Outbound |
Agent |
*.thousandeyes.com |
Agent communication |
| UDP |
123 |
Outbound |
Agent |
NTP servers |
Time synchronization |
| TCP, UDP |
53 |
Outbound |
Agent |
DNS servers |
Domain resolution |
ICMP Requirements
For proper network diagnostics, allow these ICMP types:
| Protocol |
ICMP Types |
Direction |
Purpose |
| IPv4 |
3, 11 |
Inbound |
Error messages and traceroute |
| IPv6 |
1-4, 129 |
Inbound |
Error messages and traceroute |
Implementation Note: If your firewall is fully stateful for ICMP, explicit rules may not be needed. For agents behind NAT, configure 1:1 NAT or explicit ICMP translation.
2. Regional Infrastructure Access
Europe (EU) Region
| Protocol |
Port |
Direction |
Source |
Destination |
Purpose |
| TCP |
443 |
Outbound |
Agent |
*.eu1.thousandeyes.com |
Agent communication |
| TCP, UDP |
9119, 9120 |
Outbound |
Agent |
ntrav.agt.eu1.thousandeyes.com |
NAT traversal |
Implementation Note: If your security policy requires IP-based rules rather than domain-based rules, contact 42clue support for the current IP address ranges.
Package Repository Access
| Protocol |
Port |
Direction |
Source |
Destination |
Purpose |
| TCP |
443 |
Outbound |
Agent |
apt.thousandeyes.com, yum.thousandeyes.com |
Software updates |
| TCP |
443 |
Outbound |
Agent |
aptproxy.thousandeyes.com, yumproxy.thousandeyes.com |
Static IP alternatives |
3. Test-Specific Rules
Configure these rules only if you’re using the corresponding test types.
Network Layer Tests
| Protocol |
Port |
Direction |
Source |
Destination |
Purpose |
| TCP |
80 |
Outbound |
Agent |
Test targets |
HTTP tests |
| ICMP |
Echo |
Outbound |
Agent |
Test targets |
Ping tests |
| TCP/UDP |
49153 |
Both |
Agent |
Other agents |
Agent-to-agent tests |
DNS Tests
| Protocol |
Port |
Direction |
Source |
Destination |
Purpose |
| UDP/TCP |
53 |
Outbound |
Agent |
DNS servers |
All DNS tests |
Web Layer Tests
| Protocol |
Port |
Direction |
Source |
Destination |
Purpose |
| TCP |
80, 443 |
Outbound |
Agent |
Web servers |
HTTP/HTTPS tests |
| TCP |
21, 22, 990 |
Outbound |
Agent |
FTP servers |
FTP/SFTP tests |
| TCP |
20 |
Inbound |
FTP servers |
Agent |
FTP active mode |
Voice Tests
| Protocol |
Port |
Direction |
Source |
Destination |
Purpose |
| TCP/UDP |
5060 |
Outbound |
Agent |
SIP servers |
SIP tests |
| TCP |
5061 |
Outbound |
Agent |
SIP servers |
SIP over TLS |
| UDP |
49152 |
Both |
Agent |
Other agents |
RTP stream tests |
4. Reference: ICMP Types
| Protocol |
Type |
Code |
Description |
Required For |
| IPv4 |
3 |
* |
Destination Unreachable |
Error reporting |
| IPv4 |
11 |
0 |
Time Exceeded |
Traceroute functionality |
| IPv6 |
1 |
* |
Destination Unreachable |
Error reporting |
| IPv6 |
3 |
* |
Time Exceeded |
Traceroute functionality |
Implementation Tip: Most modern firewalls have predefined service objects for ICMP that can be used instead of manually configuring ICMP types and codes.
