ThousandEyes Documentation
  • ThousandEyes Documentation
  • What's New
    • Changelog
    • Naming and Navigation Menu Changes - Summary List
  • Product Documentation
    • Getting Started
      • Getting Started with Account Setup
      • Getting Started with Cloud and Enterprise Agents
      • Getting Started with Cloud and Enterprise Agent Tests
      • Getting Started with Endpoint Agents
      • Getting Started with Transactions
      • Getting Started with Dashboards
      • Getting Started with Alerts
      • Getting Started with Internet Insights
      • Getting Started with the ThousandEyes API
      • Getting Started with API Tests
      • Getting Support from ThousandEyes
      • Notification of Upgrades, Maintenance and Outages
      • New User FAQ
      • ThousandEyes Glossary
    • Global Vantage Points
      • Cloud Agents
        • Where Are Cloud Agents Available?
        • Webex Cloud Agents
        • AWS Wavelength Cloud Agents
        • Cloud Agent with Local Problems
      • Enterprise Agents
        • Getting Started
          • Where Can I Get the Account Group Token?
        • Installing
          • Enterprise Agent System Requirements
            • Enterprise Agent Support Lifecycle
          • Appliances
            • How to Set Up the Virtual Appliance
            • Enterprise Agents: Hypervisor Installation
            • Installing Enterprise Agent on VirtualBox
            • Enterprise Agent Deployment Using ThousandEyes Virtual Appliance (Hyper-V)
            • Enterprise Agent Deployment Using ThousandEyes Virtual Appliance (OVA)
            • Custom Virtual Appliances
            • Installing a Physical Appliance
            • Installing an Enterprise Agent on a Raspberry Pi Device
          • Cisco Devices
            • Catalyst Switching
            • Catalyst Routing
            • Nexus Switching
            • Service Routing
            • Meraki MX Appliances
            • Cisco Enterprise NFV Infrastructure Software
            • Installation Methods
              • Installing Enterprise Agents on Cisco Nexus Switches with Application Hosting
              • Installing Enterprise Agents on Cisco Nexus Switches with Guestshell
              • Installing Enterprise Agents on Cisco Routers using SD-WAN Manager Feature Templates
              • Installing Enterprise Agents on Cisco Routers using the SD-WAN Manager ThousandEyes Workflow
              • Installing Enterprise Agents on Cisco Switches with Docker
              • Installing Enterprise Agents on Cisco Routers with Docker
              • Installing Enterprise Agents on Cisco Switches with the DNA Center
          • Linux Packages
            • Enterprise Agent Deployment Using Linux Package Method
            • Installing the Enterprise Agent with BrowserBot on Oracle Linux Server 7
          • Docker Agents
            • Installing Enterprise Agents with Docker
          • Cloud Templates
            • Installing Enterprise Agents with Microsoft Azure
          • Docker Agent Configuration Options
          • Missing Dependencies for Enterprise Agent on Redhat Enterprise Linux RHEL 7 Installation
          • Migrating ThousandEyes Appliance or Package-Based Enterprise Agent to Docker
        • Configuring
          • Password Reset on the Virtual Appliance
          • Configuring rDNS Lookups for Enterprise Agents
          • Connecting to the ThousandEyes Virtual Appliance Using SSH (Mac/Linux)
          • Connecting to the ThousandEyes Virtual Appliance Using SSH (Windows)
          • Static IP Addresses for ThousandEyes Repositories
          • Firewall Configuration for Enterprise Agents
          • Enterprise Agent Port Forwarding
          • Security Policy and Public NTP Servers on Enterprise Agents
          • Secure Access to ThousandEyes Appliances
          • Disabling the Web Server of a Virtual Appliance
          • NAT Traversal for Agent-to-Agent Tests
          • Enterprise Agent on Docker Advanced Networking
        • Managing
          • Cisco Devices
            • Disable, Restart, or Uninstall the Enterprise Agent via DCNM
          • Docker Agents
            • Add/Remove BrowserBot from Existing Docker Enterprise Agents
          • Upgrading Operating Systems for Enterprise Agents
          • Backup and Restore Your Enterprise Agent Configuration
          • Upgrade Ubuntu 20.04 Focal-Based ThousandEyes Appliances
          • Crash Reporting for Enterprise Agents
          • Configuring a Local Mirror of the ThousandEyes Package Repository
          • Resetting an Enterprise Agent
          • Working with Enterprise Agent Clusters
          • Replacing an Enterprise Agent Using the Agent Clustering Method
          • Replacing an Enterprise Agent Using Agent Identity Files
          • Unlocking the ThousandEyes Appliance
          • Uninstalling the Enterprise Agent (Linux Package)
        • Proxy Environments
          • Installing Enterprise Agents in Proxy Environments
          • Configuring an Enterprise Agent to Use a Proxy Server
          • Writing and Testing Proxy Auto-Configuration (PAC) Files
        • Troubleshooting
          • How to Generate Packet Captures
          • Troubleshooting Automatic-Update Problems on Enterprise Agents
          • Troubleshooting Time Synchronization on Enterprise Agents
          • Installing CA Certificates on Enterprise Agents
          • Agent Unable to Trace Path to Destination?
          • BrowserBot Installation Fails on Red Hat or CentOS in Amazon EC2
          • What to Do If te-agent Stops Running Due to a VACUUM Error
        • Enterprise Agents: What Information Do We Collect?
        • What Is BrowserBot?
        • Upgrading to BrowserBot 2
        • Upgrading to BrowserBot 2.6+ (Chromium 97)
        • Enterprise Agent Utilization
        • Network Utilization from Enterprise Agent Test Traffic
        • Enterprise Agent Interface Selection
        • ThousandEyes Product Lifecycle Policy
      • Endpoint Agents
        • Installing
          • System Requirements
          • Download the Endpoint Agent Installer
          • Install the Endpoint Agent
          • Reinstall the Endpoint Agent
          • Install the Endpoint Agent Browser Extension
          • Install Endpoint Agents for Windows via Group Policy
          • Installing Browser Extensions for Windows via Group Policy
          • Guidance for Windows Software Deployment Teams
          • Install Endpoint Agents for macOS using Munki and the Managed Software Center
          • Deploy an MSI package to Intune for Windows Devices
          • Endpoint Agent Installation on Cisco Webex Devices (RoomOS)
          • Endpoint Agent Installation on Cisco Phone Devices (PhoneOS)
          • Uninstall or Delete an Endpoint Agent
          • Endpoint Agent Installation Reference
          • NPCAP Driver Upgrade Management
        • Configuring
          • Configure Endpoint Agent Labels
          • Endpoint Agent Proxy Configuration for Scheduled Tests
        • Managing
          • Manage Endpoint Agent Settings
        • How Does the Endpoint Agent Work
        • Cisco Secure Client ThousandEyes Endpoint Agent Module
        • Endpoint Agent Licensing
        • Assigning tests to an Endpoint Agent
        • Data Collected by Endpoint Agent
        • Reporting on data collected by Endpoint Agent
        • Endpoint Agent VPN Support
        • Endpoint Agent TCP Support
        • Endpoint Agent End-user Experience
        • Endpoint Agent FAQ
      • Working with Agent Settings
      • Obtaining a list of ThousandEyes Agent IP Addresses with te-iplist
    • Tests
      • HTTP Server Tests
        • Collecting Proxy Metrics
        • POSIX Extended Regular Expression Syntax (Quick Reference)
        • POSIX Extended Regular Expression Syntax
        • Custom User-Agent Strings in a Web Test
        • Two-Step HTTP Testing (OAuth)
      • Web-Layer Tests
      • Network Tests
        • Network Tests Explained
        • Agent-to-Agent Test Overview
        • DSCP Options in Network Tests
      • DNS Tests
      • Voice Tests
        • Using the SIP Server View
        • Using the RTP Stream View
      • BGP Tests
        • Inside-Out BGP Visibility
        • Using the BGP Route Visualization View
        • Using the BGP Updates Table
        • Working with Raw BGP Data
        • Reasons for Failure of Private Peering with ThousandEyes
        • RPKI
      • API Tests
        • Using the API Test Step Builder
      • Templates
        • User-defined Templates
      • Recommendations
        • Associated Service Recommendations
        • AWS Test Recommendations
      • ThousandEyes Metrics: What Do Your Results Mean?
      • Sharing Test Data
      • Working with Test Settings
      • Scheduled Versus Instant Tests
      • Working with Instant Tests
      • Working with Labels for Agent and Test Groups
      • Multi-Service Views
      • Identifying Traffic from ThousandEyes Agents
      • Excluding ThousandEyes Agents from Google Analytics
    • Internet and WAN Monitoring
      • Path Visualization
        • How Path Trace Works
        • MPLS Tunnel Inference Using Deep Path Analysis
        • Troubleshooting
          • Reasons for Missing Information on the Visualization View
          • Virtual Machine with NAT Breaks Path Visualization
          • Cisco ASA Breaks Path Visualization
          • Path Visualization: Edge Firewall Incorrectly Shows a Single Hop to the Destination
          • Network Overview Shows Packet Loss That Does Not Appear in Path Visualization
      • Views
        • Using the Network Overview
        • Using the FTP Server View
        • Using the HTTP Server View
        • Using the DNS Server View
        • Using the DNS Domain Trace View
        • Using the DNSSEC Trace View
        • Using the API Test Views
      • Troubleshooting
        • CLI Network Troubleshooting Utilities
        • HTTP Server Test Fails with SSL Error
        • HTTP Server Test Fails with SSL Error: OpenSSL SSL_connect: SSL_ERROR_SYSCALL
        • HTTP Server Test Error "dh Key Too Small"
    • Browser Synthetics
      • Browser Synthetics Test Types
      • Browser Synthetics Disambiguation
      • Test Settings for Page Load and Transaction Tests
      • Navigating Waterfall Charts for Page Load and Transaction Tests
      • Using Round Robin Test Scheduling
      • What Information Is Transmitted in a Page Load or Transaction Test?
      • Transaction Test SSO Support
        • Implementing SSO in Transaction Scripts
        • Caveats for NTLM/Kerberos Authentication
        • TOTP Examples for SSO
      • Page Load Tests
        • When to Use a Page Load Test
        • Creating a Page Load Test
        • Using the Page Load View
        • How to Generate a HAR File
        • Migrating to Single Interval for Page Load Tests
        • Creating a Page Load Test that Uses SSO
      • Transaction Tests
        • Getting Started With Transaction Tests
          • When to Use a Transaction Test
          • Transaction Tests Compared With Other Test Types
          • ThousandEyes Recorder
          • ThousandEyes Recorder Permissions
          • Working With Web Development Tools
          • Working With Secure Credentials
          • Transaction Test Table Tab View
          • Transaction Metrics on Alerts and Dashboards
          • Screenshots in Transaction Test Views
        • Transaction Test Development Guide
          • Creating Robust Transaction Scripts
            • Optimizing and Troubleshooting Transaction Scripts
            • Transaction Scripting Tips and Tricks
          • Transactions – Executing Custom JavaScript Code
        • Use Cases | Code Examples
          • Uploading or Downloading Files in a Script
            • Transaction Scripting Examples for File Downloads
          • Include API Calls in a Transaction Test
            • Using the node-fetch module
            • Using the net module
            • Using the tls module
        • Transaction Scripting Reference
      • Dual Chromium Option
        • Why Are Regular Chromium Upgrades Needed?
        • Configuring Dual Chromium
        • Working With Dual Chromium
        • Chromium Update History
        • Chromium Upgrade Known Issues
    • Endpoint Experience
      • Test Settings
        • Monitoring an Application using Synthetic Tests
        • Configuration Options for Synthetic Tests
        • Managing Synthetic Tests
        • Real User Tests
      • Viewing Data
        • Endpoint Agent Scheduled Tests View
        • Endpoint Agent Real User Tests View
        • Endpoint Agent Local Networks View
        • Endpoint Agent Dynamic Tests View
        • Endpoint Agent Views
        • Endpoint Views Reference
      • Troubleshooting
        • Step-by-Step Guide to Troubleshooting Endpoint Agent Problems
        • Troubleshooting Endpoint Agent Issues
    • Connected Devices
      • Connected Devices Tests
        • Routing
          • Traceroute
        • Network
          • Speed Tests
          • Latency, Loss, Disconnections, and Jitter Tests
          • Responsiveness (Latency under Load) Tests
        • DNS
          • DNS Resolution Tests
        • Web
          • Web Browsing Lite Tests
          • Generic Streaming (HLS/DASH) Tests
        • Voice
        • Dynamic Application Test Suites
          • Gameplay Test Suite
          • Video Conferencing Test Suite
          • Social Media Test Suite
          • Game Store Test Suite
          • Video Streaming Test Suite
            • Netflix Streaming Tests
            • YouTube Streaming Tests
            • BBC iPlayer Streaming Tests
          • Content Delivery Network (CDN) Test Suite
        • Local Network Information
          • Data Usage
      • Test Management
        • Test Triggers
          • Scheduled Tests
          • Instant Tests
        • Testing Thresholds
        • Test Targets
          • Test Server Methodology
        • Automatic Test Configuration Retrieval
      • Device Agents
        • Router Agents
          • Router Agent Device Support
        • Installing Device Agent with Docker
        • Connected Devices Agent Release Versions
      • Usage Guides
        • Viewing Charts
        • Configuring Charts
        • Using Maps
        • Exporting Data
        • Importing Metadata
        • Managing Metadata
        • Creating Reports
        • Viewing Agents
        • Using Test Schedules
        • Accessing Your APIs
        • Using ConstantCare
      • Cisco Real Speed
    • Cloud Insights
      • Integrations
      • Views
      • Settings
    • Traffic Insights
      • Traffic Insights System Requirements
      • Traffic Insights Configuration Guide
      • Traffic Insights Views and Settings
      • Traffic Insights FPS Monitoring
    • WAN Insights
      • WAN Insights Quick Start
        • How to Activate ThousandEyes WAN Insights
        • WAN Insights Introductory Tour, Part 1
        • WAN Insights Introductory Tour, Part 2
        • WAN Insights Introductory Tour, Part 3
      • Introducing WAN Insights
        • What Is WAN Insights?
        • WAN Insights Value-Add
        • Why Use WAN Insights?
        • Using WAN Insights Together With ThousandEyes Network Assurance
        • Using WAN Insights Together with vAnalytics and vManage
        • WAN Insights Key Components
        • Enabling WAN Insights
        • Getting Support for WAN Insights
      • WAN Insights Terminology and Reference
      • WAN Insights Technical Overview
        • Application Categories
        • Sites, Routers, Paths, and Interfaces
        • Application Traffic Types
        • Estimating User Counts
        • Estimating Throughput
        • Capacity Planning
        • Understanding Quality
        • Life of a Recommendation
        • Understanding Recommendations
        • WAN Insights and ThousandEyes Alerts
      • WAN Insights User Interface
        • Logging In for the First Time
        • WAN Insights Screens and Workflows
        • Recommendations Screen
        • Recommendation Cards, Explained
        • Recommendation Details Modal
        • Endpoint-Pair Quality Comparison
        • Site Details Screen
        • Capacity Planning Screen
        • Capacity Detail Modal
        • Enter or Upload Bandwidth Data
      • Common Tasks
        • Adding Business-Critical Applications to WAN Insights
        • Email Notifications
        • Adding and Managing WAN Insights Users
        • Applying WAN Insights Recommendations
    • Internet Insights
      • Internet Insights Terminology
      • Limited Outage Map
      • Internet Insights Screens
        • Overview Screen
        • Internet Insights Service Views Screen
        • Application Outages
        • Network Outages
        • Catalog Settings Screen
      • Saving and Sharing from Internet Insights
      • Configuring Internet Insights
      • Provider Labels
      • Using Alerts and Dashboards With Internet Insights
        • My Affected Tests
        • Setting Up Alert Rules for Internet Insights
        • Using the Internet Insights Built-In Dashboard
    • Event Detection
    • Alerts
      • Creating and Editing Alert Rules
        • Global and Location Alert Conditions
        • Alert Rule Severity
        • Adaptive Alert Detection
        • Dynamic Baselines
        • Transport Layer Security (TLS) Alerts
        • Alert Rules for Devices
        • Alert Metrics Reference
      • Default Alert Rules
      • Viewing Alerts
      • Alert Clearing
        • Alert Suppression Windows
      • Alert Notifications
      • Standard Notification Methods
        • Alert Notifications via Email
        • Alert Notifications via SMS
        • Classic Webhooks for Alert Notifications
    • Dashboards
      • Using the Dashboard
      • Customizing Your Dashboard
      • Using the Dashboard Templates
      • Dashboard Widgets
      • Embedding Dashboard Widgets in External Web Sites
      • Excluding Periods of Data From a Dashboard
      • Dashboard Sharing and Snapshots
      • Dashboard Labels
      • Troubleshooting with Dashboard Drill Down
      • Tailoring Dashboards with Dashboard Filters
    • Device Layer
      • Discovering Device-Layer Devices
      • Device Discovery Results
      • Using the Device Layer View
    • Account Management
      • User Registration
        • SAML JIT Provisioning
        • ThousandEyes Support for SCIM
          • How to Configure SCIM with Azure Active Directory
          • How to Configure SCIM with Okta
      • Authorization
        • Role-Based Access Control
          • Role-Based Access, Explained
          • Built-In Roles and Permissions
        • Account Groups
          • What is an Account Group?
          • Working with Account Settings
          • Users in Multiple Organizations
          • Changing Ownership of a Test
          • Working with Time Zone Settings
        • OAuth 2.0 with ThousandEyes
          • Integrations with OAuth 2.0
        • Adding a Profile Image with Gravatar
      • Authentication
        • Logging In
        • How to Configure Single Sign-On
      • User Activity
        • Working with the Activity Log
        • ThousandEyes User Session Timeouts and Terminations
        • How Long is my Data Accessible via ThousandEyes?
        • Retaining Data Beyond the 90-Day Limit
        • Multi-Region Cloud Support
      • Usage-Based Billing
        • About Our Consumption Model
          • Device Agent Consumption Model
        • About Units
        • Test Type Layers and Units
        • Setting Quotas
        • Calculating Units
        • FAQs: Usage
      • Customer Security and Privacy Responsibilities
    • Integrations
      • Custom Webhooks
        • Using OAuth 2.0 Authentication for Your Custom Webhook
        • Webhook Variables
      • Custom Webhook Examples
        • Microsoft Teams for Alert Notifications
        • Cisco Webex for Alert Notifications
        • Google Chat for Alert Notifications
        • Event-Driven Ansible for Alert Notifications
        • Splunk Alert Notification
      • Custom-Built Integrations
        • PagerDuty for Alert Notifications
        • ServiceNow for Alert Notifications
          • Incident Management
        • Slack for Alert Notifications
        • AppDynamics for Alert Notifications
        • AppDynamics for Test Recommendations
        • AWS for Test Recommendations
        • AWS for Cloud Insights
          • AWS for Cloud Insights Using CLI
        • Meraki for Data Enrichment
        • Webex Control Hub Integration
        • Microsoft Teams Integration
        • ThousandEyes for OpenTelemetry
          • Configuring ThousandEyes for OpenTelemetry
            • Configuring ThousandEyes for OpenTelemetry Using the API
            • Configuring ThousandEyes for OpenTelemetry Using the UI
          • Configuring ThousandEyes for Splunk Cloud or Enterprise
            • Configuring ThousandEyes for Splunk Cloud or Enterprise using the API
            • Configuring ThousandEyes for Splunk Cloud or Enterprise using the UI
          • ThousandEyes for OpenTelemetry Data Model
            • ThousandEyes for OpenTelemetry Data Model v1
              • OpenTelemetry Collector Data v1 Example
            • ThousandEyes for OpenTelemetry Data Model v2
              • ThousandEyes for OpenTelemetry Data Model v2 - Metrics
                • OpenTelemetry Collector Data v2 Metrics Example
                • ThousandEyes for OpenTelemetry Data Model Metrics - Migration from v1 to v2
              • ThousandEyes for OpenTelemetry Data Model v2 - Traces
                • OpenTelemetry Collector Data v2 Traces Example
          • OpenTelemetry Collector Configuration
          • Automatic Disabling of Failing Streaming Integrations
        • Cisco ThousandEyes App for Splunk
          • Configuration
          • Inputs
          • Dashboards
          • Troubleshooting
        • Distributed Tracing with Splunk Observability APM
    • Best-Practices Guides
      • Choosing the Right Test Protocol for Network & App Synthetics Tests
      • Optimizing SYN vs SACK Probing Methods to Avoid Unexplainable Packet Loss
      • Using Dashboards to Tell a Story
      • Best Practices for Implementing Account Groups
      • Monitoring Microsoft 365
      • Monitoring Microsoft Teams
      • Monitoring Salesforce
      • Monitoring Slack
      • Monitoring Webex Meetings with Endpoint Agents
      • Monitoring Webex Calling
      • Monitoring Webex Meetings with Cloud and Enterprise Agents
      • Monitoring Zoom
    • API
      • Create/Update/Delete Tests Using the ThousandEyes API
      • Obtaining a List of ThousandEyes Agent IP Addresses
      • Writing JSON to API Produces HTTP 406 Response Code
    • Privacy-Related
      • Authorized Subprocessors for ThousandEyes Network Intelligence Platform
    • Archived Documentation
      • Archived - Displaying and Alerting for Unit Consumption
      • Archived - Dependency Tree for ThousandEyes Enterprise Agent Software
      • Archived - Getting Started with ThousandEyes
      • Archived - Sending ThousandEyes Alerts to AppDynamics
      • Archived - ThousandEyes Infrastructure Changes
      • Archived - Using the Transactions (Classic) View
      • Archived - Transaction Test Migration Workflow
      • Archived - Instructions for Mitigating Meltdown and Spectre on Enterprise Agents
      • Archived - Bash (ShellShock) Security Notice
      • Archived - Endpoint Installation using Customized Installers
      • Archived - Configuring Endpoint Agent Setup
      • Archived - Creating Scheduled Tests on Endpoint Agents
      • Archived - Managing the Endpoint Agent
      • Archived - Enterprise Agent Installation on Juniper NFX Routers
      • Archived - Installing and Removing ThousandEyes X Virtual Framebuffer on Enterprise Agents
      • Archived - Permitted Content Types for Page Load Tests
  • Archived Release Notes
    • 2024
      • Release Notes: January 2024
      • Release Notes: February 2024
      • Release Notes: March 2024
      • Release Notes: April 2024
      • Release Notes: May 2024
      • Release Notes: June 2024
      • Release Notes: July 2024
      • Release Notes: August 2024
    • 2023
      • Release Notes: January 2023
      • Release Notes: February 2023
      • Release Notes: March 2023
      • Release Notes: April 2023
      • Release Notes: May 2023
      • Release Notes: June 2023
      • Release Notes: July 2023
      • Release Notes: August 2023
      • Release Notes: September 2023
      • Release Notes: October 2023
      • Release Notes: November 2023
      • Release Notes: December 2023
    • 2022
      • Release Notes: January 2022
      • Release Notes: February 2022
      • Release Notes: March 2022
      • Release Notes: April 2022
      • Release Notes: May 2022
      • Release Notes: June 2022
      • Release Notes: July 2022
      • Release Notes: August 2022
      • Release Notes: September 2022
      • Release Notes: October 2022
      • Release Notes: November 2022
      • Release Notes: December 2022
    • 2021
      • Release Notes: January 2021
      • Release Notes: February 2021
      • Release Notes: March 2021
      • Release Notes: April 2021
      • Release Notes: May 2021
      • Release Notes: June 2021
      • Release Notes: July 2021
      • Release Notes: August 2021
      • Release Notes: September 2021
      • Release Notes: October 2021
      • Release Notes: November 2021
      • Release Notes: December 2021
    • 2020
      • Release Notes: January 2020
      • Release Notes: February 2020
      • Release Notes: March 2020
      • Release Notes: April 2020
      • Release Notes: May 2020
      • Release Notes: June 2020
      • Release Notes: July 2020
      • Release Notes: August 2020
      • Release Notes: September 2020
      • Release Notes: October 2020
      • Release Notes: November 2020
      • Release Notes: December 2020
    • 2019
      • Release Notes: 2019-01-08
      • Release Notes: 2019-02-06
      • Release Notes: 2019-02-20
      • Release Notes: 2019-03-06
      • Release Notes: 2019-03-19
      • Release Notes: 2019-04-02
      • Release Notes: 2019-04-30
      • Release Notes: 2019-05-14
      • Release Notes: 2019-05-30
      • Release Notes: 2019-06-11
      • Release Notes: 2019-07-23
      • Release Notes: 2019-08-06
      • Release Notes: 2019-08-20
      • Release Notes: 2019-09-03
      • Release Notes: 2019-09-17
      • Release Notes: 2019-10-03
      • Release Notes: 2019-10-15
      • Release Notes: 2019-10-29
      • Release Notes: 2019-11-12
      • Release Notes: 2019-11-26
      • Release Notes: 2019-12-10
    • 2018
      • Release Notes: 2018-01-10
      • Release Notes: 2018-01-17
      • Release Notes: 2018-01-31
      • Release Notes: 2018-02-14
      • Release Notes: 2018-03-07
      • Release Notes: 2018-03-14
      • Release Notes: 2018-03-28
      • Release Notes: 2018-04-11
      • Release Notes: 2018-04-25
      • Release Notes: 2018-05-09
      • Release Notes: 2018-05-23
      • Release Notes: 2018-06-06
      • Release Notes: 2018-06-20
      • Release Notes: 2018-07-03
      • Release Notes: 2018-07-18
      • Release Notes: 2018-08-01
      • Release Notes: 2018-08-15
      • Release Notes: 2018-08-29
      • Release Notes: 2018-09-12
      • Release Notes: 2018-09-26
      • Release Notes: 2018-10-10
      • Release Notes: 2018-10-23
      • Release Notes: 2018-11-13
      • Release Notes: 2018-11-27
      • Release Notes: 2018-12-18
    • 2017
      • Release Notes: 2017-01-04
      • Release Notes: 2017-01-18
      • Release Notes: 2017-02-01
      • Release Notes: 2017-02-16
      • Release Notes: 2017-03-02
      • Release Notes: 2017-03-15
      • Release Notes: 2017-03-29
      • Release Notes: 2017-04-12
      • Release Notes: 2017-04-26
      • Release Notes: 2017-05-10
      • Release Notes: 2017-05-24
      • Release Notes: 2017-06-06
      • Release Notes: 2017-06-21
      • Release Notes: 2017-07-07
      • Release Notes: 2017-07-19
      • Release Notes: 2017-08-02
      • Release Notes: 2017-08-16
      • Release Notes: 2017-08-30
      • Release Notes: 2017-09-13
      • Release Notes: 2017-09-27
      • Release Notes: 2017-10-12
      • Release Notes: 2017-10-25
      • Release Notes: 2017-11-08
      • Release Notes: 2017-11-29
      • Release Notes: 2017-12-13
    • 2016
      • Release Notes: 2016-01-06
      • Release Notes: 2016-01-20
      • Release Notes: 2016-02-03
      • Release Notes: 2016-02-17
      • Release Notes: 2016-03-02
      • Release Notes: 2016-03-16
      • Release Notes: 2016-03-30
      • Release Notes: 2016-04-13
      • Release Notes: 2016-04-27
      • Release Notes: 2016-05-11
      • Release Notes: 2016-05-25
      • Release Notes: 2016-06-08
      • Release Notes: 2016-06-22
      • Release Notes: 2016-07-06
      • Release Notes: 2016-07-20
      • Release Notes: 2016-08-03
      • Release Notes: 2016-08-17
      • Release Notes: 2016-08-31
      • Release Notes: 2016-09-14
      • Release Notes: 2016-09-28
      • Release Notes: 2016-10-12
      • Release Notes: 2016-10-26
      • Release Notes: 2016-11-09
      • Release Notes: 2016-11-23
      • Release Notes: 2016-12-07
      • Release Notes: 2016-12-21
    • 2015
      • Release Notes: 2015-01-07
      • Release Notes: 2015-01-21
      • Release Notes: 2015-02-04
      • Release Notes: 2015-02-18
      • Release Notes: 2015-03-04
      • Release Notes: 2015-04-01
      • Release Notes: 2015-04-15
      • Release Notes: 2015-04-29
      • Release Notes: 2015-05-13
      • Release Notes: 2015-05-27
      • Release Notes: 2015-06-10
      • Release Notes: 2015-06-24
      • Release Notes: 2015-07-08
      • Release Notes: 2015-07-22
      • Release Notes: 2015-08-05
      • Release Notes: 2015-08-19
      • Release Notes: 2015-09-16
      • Release Notes: 2015-09-30
      • Release Notes: 2015-10-14
      • Release Notes: 2015-10-28
      • Release Notes: 2015-11-11
      • Release Notes: 2015-12-02
      • Release Notes: 2015-12-16
    • 2014
      • Release Notes: 2014-01-09
      • Release Notes: 2014-01-22
      • Release Notes: 2014-02-05
      • Release Notes: 2014-03-05
      • Release Notes: 2014-03-19
      • Release Notes: 2014-04-09
      • Release Notes: 2014-04-30
      • Release Notes: 2014-06-04
      • Release Notes: 2014-06-11
      • Release Notes: 2014-06-26
      • Release Notes: 2014-07-09
      • Release Notes: 2014-07-23
      • Release Notes: 2014-08-20
      • Release Notes: 2014-09-04
      • Release Notes: 2014-09-17
      • Release Notes: 2014-10-01
      • Release Notes: 2014-10-15
      • Release Notes: 2014-10-29
      • Release Notes: 2014-11-12
    • 2013
      • Release Notes: 2013-01-08
      • Release Notes: 2013-02-27
      • Release Notes: 2013-03-20
      • Release Notes: 2013-04-02
      • Release Notes: 2013-04-17
      • Release Notes: 2013-05-01
      • Release Notes: 2013-05-21
      • Release Notes: 2013-06-11
      • Release Notes: 2013-06-18
      • Release Notes: 2013-07-10
      • Release Notes: 2013-07-24
      • Release Notes: 2013-08-07
      • Release Notes: 2013-09-05
      • Release Notes: 2013-09-18
      • Release Notes: 2013-10-02
      • Release Notes: 2013-10-30
      • Release Notes: 2013-11-13
      • Release Notes: 2013-11-27
    • 2012
      • Release Notes: 2012-03-28
      • Release Notes: 2012-04-11
      • Release Notes: 2012-04-24
      • Release Notes: 2012-05-22
      • Release Notes: 2012-06-05
      • Release Notes: 2012-06-20
      • Release Notes: 2012-08-01
      • Release Notes: 2012-08-28
On this page
  • Introduction
  • Network Address Translation
  • Proxy Servers
  • Rules Overview
  • Base Rules
  • United States (US) Region Infrastructure
  • Europe (EU) Region Infrastructure
  • Installation Type Rules
  • Appliances
  • Docker Containers
  • Linux Packages
  • Test Rules
  • Routing Layer
  • Network Layer
  • DNS Layer
  • Web Layer
  • Voice Layer
  • Miscellaneous
  • Kerberos and Active Directory
  • Proxies
  • Device Layer
  • Internet Insights
  1. Product Documentation
  2. Global Vantage Points
  3. Enterprise Agents
  4. Configuring

Firewall Configuration for Enterprise Agents

PreviousStatic IP Addresses for ThousandEyes RepositoriesNextEnterprise Agent Port Forwarding

Last updated 4 months ago

When installing a ThousandEyes Enterprise Agent behind a firewall or similar device (such as a router with access control lists (ACLs)), the device must be configured with rules that allow the Enterprise Agent to register with the ThousandEyes platform, execute tests, report test results, and access necessary infrastructure services such as the domain name service (DNS), the Network Time Protocol (NTP) and repositories for software package updates.

This article provides a complete set of information to allow Enterprise Agent network communication to traverse a firewall or similar device. For administrators wishing to quickly install an Enterprise Agent, review the section for the instructions required to register the agent in the ThousandEyes platform. Software updates are covered in the section.

Introduction

A firewall rule or ACL for Enterprise Agent communication is specified using one or more of the following criteria:

  • Destination IP address(es) or DNS domain name(s)

  • Destination port numbers (if the protocol is TCP or UDP)

  • Protocol (TCP, UDP, or ICMP)

  • Direction (outbound from the agent unless otherwise noted)

To use domain names in rules or ACLs, the firewall or other filtering device must support resolution of domain names to IP addresses.

In the tables below, any destination specified only by domain name must be resolved by the customer if an IP address is required. Many common tools such as dig, drill or nslookup can be used for resolving DNS names to IP addresses. Note that third-party (non-ThousandEyes) DNS mappings may change without warning.

thousandeyes.com domain names are not currently protected by DNSSEC.

Direction assumes rules or ACLs use dynamic/stateful filtering, which permit response packets automatically. If your firewall or filter device uses static packet filters, you must create rules in both directions of the communication.

Network Address Translation

Firewalls or similar devices which use rules or ACLs are typically also capable of performing network address translation (NAT). If your Enterprise Agent is behind a NAT device, then ensure that the necessary NAT rule for your agent exists for the types of tests that the agent will run. ThousandEyes recommends creating static, "one-to-one" NAT rules for the agent as the simplest configuration for proper test function.

Proxy Servers

Agents will still require configuration of rules or ACLs for non-HTTP based communication, which is typically not sent via proxy servers. Most notably, the Network layer data (overview metrics and path visualization) can only be obtained to the proxy but cannot be transmitted through a proxy to the target server. If Network layer data to the target server is desired, then the proxy will need to be bypassed and firewall rules or ACLs configured to allow the Network layer communication directly from the agent to the target.

Rules Overview

Rules are divided into four section: 1) base rules that are required for all agents, 2) rules specific to an agent's installation type, 3) rules required for tests run by an agent, and miscellaneous rules. The latter three categories have multiple sections and subsections. To construct rules for your installation, review the relevant sections and subsections in each category to identify all needed rules.

Use the links in the list below for quick navigation to a specific section of this document.

Rules in each category are cumulative. Add base rules plus the applicable rules for your Enterprise Agent installation type and tests and to obtain the complete ruleset needed for a given agent.

Base Rules

The sections below provide the base firewall communication rules required for the installation and full functionality of ThousandEyes Enterprise Agents. The rules are region specific.

Some organizations may not require rules for DNS and/or NTP servers if both the agent and servers are located inside the organization's network, and thus this communication is not blocked by existing rules or ACLs.

Additionally, ThousandEyes recommends permitting all ICMP error message types inbound to the agent in order to ensure full network functionality. If your firewall is fully stateful/dynamic for all ICMP error response types, then no rules are required. For firewalls which do not dynamically allow ICMP error messages in response to packets sent outbound that encounter the error conditions, we recommend allowing inbound the following:

Protocol

ICMP Types

IPv4

3, 11

IPv6

1-4, 129

Consult your firewall vendor's documentation or contact their technical support to determine whether you need to add rules to allow these ICMP error message responses. Be aware that explicit NAT rules may also be required for the inbound ICMP if the agent is behind a NAT IP address.

United States (US) Region Infrastructure

Protocol

Port

Destination address and/or name

Notes

TCP, UDP

53

DNS server IP address(es)

Domain Name Service

TCP, UDP

9119, 9120

ntrav.thousandeyes.com or 54.241.50.7, 54.176.41.14

NAT Traversal

UDP

123

NTP server domain names or IP addresses

Time synchronization

TCP

443

c1.thousandeyes.com, c1.agt.thousandeyes.com, sc1.thousandeyes.com, crashreports.thousandeyes.com, data1.agt.thousandeyes.com, api.thousandeyes.com, registry.agt.thousandeyes.com or 3.13.54.169, 3.17.98.26, 3.18.18.42, 3.134.227.22, 3.138.52.162, 3.141.159.49, 13.52.142.100, 13.248.134.58, 13.248.148.46, 13.248.149.2, 13.248.155.8 , 13.248.200.34, 13.248.202.9 , 13.248.202.19, 13.248.203.51, 13.248.204.16, 13.248.209.13, 13.248.210.21, 13.248.217.17, 18.144.148.196, 18.144.149.12, 35.81.172.197, 35.155.240.202, 44.227.213.61, 50.18.29.173, 50.18.71.33, 50.18.101.91, 50.18.147.222, 50.18.191.119, 52.8.4.84, 52.8.104.182, 52.8.189.216, 52.9.5.97, 52.9.192.109, 52.27.149.70, 52.32.30.54, 52.89.210.182, 54.151.40.182, 54.151.125.71, 54.153.4.162, 54.153.76.24, 54.176.41.14, 54.176.57.120, 54.176.79.58, 54.176.123.201, 54.176.128.223, 54.176.144.255, 54.176.253.85, 54.177.34.231, 54.177.66.87, 54.177.159.228, 54.177.244.79, 54.193.142.147, 54.215.2.49, 54.215.23.174, 54.215.97.223, 54.219.6.129, 54.219.8.137, 54.219.22.100, 54.219.78.196, 54.219.101.241, 54.219.105.52, 54.219.249.111, 54.241.50.7, 54.241.92.230, 54.241.205.203, 54.241.250.221, 75.2.27.3, 75.2.38.56, 75.2.45.13, 75.2.49.1, 75.2.66.34, 75.2.81.6, 75.2.95.38, 75.2.105.19, 75.2.122.52, 76.223.1.146, 76.223.11.132, 76.223.22.131, 76.223.22.172, 76.223.68.153, 76.223.69.131, 76.223.72.156, 76.223.76.176, 76.223.82.139, 76.223.86.189, 76.223.88.183, 76.223.92.188, 99.83.133.153, 99.83.133.174, 99.83.136.191, 99.83.139.130, 99.83.143.133, 99.83.165.166, 99.83.227.178, 99.83.242.129, 99.83.250.143, 184.169.143.99, 192.150.160.17, 204.236.184.131, 204.236.190.123, 2600:9000:a402:3156:ec1c:12bb:2fe3:5cfe, 2600:9000:a71c:9fff:69db:1ae2:5e68:87fa, 2600:9000:a402:3156:16f1:9d65:eafc:2b7f, 2600:9000:a71c:9fff:6e1b:8d49:2cd0:fe34, 2600:9000:a71c:9fff:9fd2:e70e:cae7:1ab7, 2600:9000:a402:3156:1a3c:ceb1:d30c:dabe, 2600:9000:a402:3156:fdf3:d270:bb9c:9606, 2600:9000:a71c:9fff:ea13:4e6a:4c50:53a6

ThousandEyes Agent infrastructure

Europe (EU) Region Infrastructure

Protocol

Port

Destination address and/or name

Notes

TCP, UDP

53

DNS server IP address(es)

Domain Name Service

TCP, UDP

9119, 9120

ntrav.agt.eu1.thousandeyes.com or 18.196.154.132, 18.198.93.108

NAT Traversal

UDP

123

NTP server domain names or IP addresses

Time synchronization

TCP

443

c1.eu1.thousandeyes.com, c1.agt.eu1.thousandeyes.com, sc1.eu1.thousandeyes.com, crashreports.eu1.thousandeyes.com, crashreports.agt.eu1.thousandeyes.com, data1.agt.eu1.thousandeyes.com, api.thousandeyes.com, registry.agt.thousandeyes.com, sc1.agt.eu1.thousandeyes.com or 3.33.164.16, 3.33.187.44, 3.33.215.45, 3.64.86.17, 3.64.141.190, 3.65.47.201, 3.65.166.122, 3.65.171.231, 3.65.171.239, 3.65.185.162, 3.65.191.148, 3.66.9.208, 3.66.71.28, 3.66.128.248, 3.67.61.181, 3.67.218.64, 3.69.141.127, 3.70.151.143, 3.122.35.251, 3.123.81.97, 3.123.89.250, 3.123.107.208, 3.123.252.103, 3.124.9.190, 3.124.252.11, 3.125.85.224, 3.125.254.106, 3.126.0.158, 3.126.74.162, 3.127.83.94, 3.127.120.153, 3.127.178.204, 13.248.161.94, 13.248.168.65, 13.248.183.127, 13.248.200.34, 13.248.235.103, 15.197.167.77, 15.197.185.73, 15.197.255.121, 18.156.19.75, 18.156.88.25, 18.157.218.95, 18.158.27.194, 18.158.53.4, 18.158.92.124, 18.159.84.31, 18.159.94.223, 18.159.99.39, 18.184.56.44, 18.185.182.46, 18.185.208.167, 18.192.82.10, 18.192.201.226, 18.193.23.116, 18.193.229.212, 18.194.73.211, 18.195.106.116, 18.195.137.74, 18.195.247.42, 18.196.71.170, 18.196.154.132, 18.197.136.39, 18.198.93.108, 18.198.102.67, 18.198.145.229, 35.71.129.45, 35.71.130.48, 35.71.139.15, 35.71.156.36, 35.71.163.48, 35.71.179.10, 35.157.204.27, 52.28.224.133, 52.57.69.190, 52.57.199.196, 52.58.234.168, 52.223.3.68, 52.223.12.120, 52.223.23.95, 52.223.32.91, 52.223.46.66, 52.223.50.116, 75.2.42.105, 75.2.72.82, 75.2.105.19, 76.223.33.5, 76.223.46.53, 76.223.63.14, 76.223.86.189, 76.223.116.8, 99.83.165.166, 99.83.171.52, 99.83.208.32, 2600:9000:a71f:f2a:3882:322c:4f31:8fb5, 2600:9000:a419:70ce:42b:8b42:5402:ca40, 2600:9000:a71f:f2a:2cce:e68b:6f1d:c5c6, 2600:9000:a419:70ce:eef3:7c97:e2b7:348c, 2600:9000:a71f:f2a:57ff:f7bc:e892:a871, 2600:9000:a419:70ce:9ca0:c090:375:2210, 2600:9000:a419:70ce:f120:ba93:e202:47fc, 2600:9000:a71f:f2a:9e2a:cb4b:58d2:b9e1

ThousandEyes Agent infrastructure

Installation Type Rules

Determine the installation type of your Enterprise Agents and refer the applicable section(s) below. Some installation types fall under more than one section's set of rules (i.e. rules are cumulative, per the infobox above). For example, a Raspberry Pi appliance requires the rules in the Appliances section, as well as the Raspberry Pi subsection.

Appliances

ThousandEyes appliances are based on the Ubuntu Linux operating system, and require access to both the generic Ubuntu software package repositories and the ThousandEyes repository to update software automatically. The following rules are required for agents distributed in virtual machine format (virtual appliances and Hyper-V appliances) and for Physical Appliances and Raspberry Pi-based agents which are distributed via ISO image:

Protocol

Port

Destination

Notes

TCP

80

archive.ubuntu.com

Ubuntu Linux package repository

TCP

80

security.ubuntu.com

Ubuntu Linux package repository

TCP

80

archive.canonical.com

Ubuntu Linux package repository

TCP

443

changelogs.ubuntu.com

Ubuntu Linux package repository

TCP

80 or 443

apt.thousandeyes.com

ThousandEyes APT package repository

Select port 80 or port 443 depending on your organization's security requirements.

ThousandEyes appliances, which include virtual appliances, physical appliances, Hyper-V appliances, and agents installed on Raspberry Pi platforms -- also provide a web-based administration interface, as well as an SSH server for command-line management. The direction of the connections are inbound to the agent (agent IP address is the destination). If web or SSH connections traverse a firewall, the following rules are required:

Protocol

Port

Destination

Notes

TCP

443

Agent IP address

Inbound to the agent

TCP

22

Agent IP address

Inbound to the agent

Raspberry Pi

The following rule is required for agents installed on Raspberry Pi 4 hardware:

Protocol

Port

Destination

Notes

TCP

80

ports.ubuntu.com

Ubuntu Linux package repository

Docker Containers

ThousandEyes agent software for Docker-based containers, including Cisco devices using Cisco Application Hosting, is supplied by the ThousandEyes APK repository apk.thousandeyes.com repository. Agent software has dependencies on software packages provided in common repositories that typically are required for the operating system. Consult your operating system's documentation for the locations of these repositories and construct rules as required.

Protocol

Port

Destination

Notes

TCP

443

hub.docker.com

Docker-based agents (install only)

TCP

443

auth.docker.io

Docker-based agents (install only)

TCP

443

registry.docker.io

Docker-based agents (install only)

TCP

443

production.cloudflare.docker.com

Docker-based agents (install only)

The following rules are required for Docker installations to keep the software updated inside the container:

Protocol

Port

Destination

Notes

TCP

80 or 443

apk.thousandeyes.com

ThousandEyes APK package repository

TCP

80 or 443

dl-cdn.alpinelinux.org

Alpine Linux package repository

Select port 80 or port 443 depending on your organization's security requirements.

Linux Packages

ThousandEyes agent software for linux packages is supplied by the ThousandEyes APT repository apt.thousandeyes.com (for Ubuntu), or the ThousandEyes YUM repository yum.thousandeyes.com (For Red Hat, CentOS and Oracle Linux). Agent software has dependencies on software packages provided in common repositories that typically are required for the operating system. Consult your operating system's documentation for the locations of these repositories and construct rules as required.

For all Linux package installs, if the ThousandEyes BrowserBot package has been installed (implements the Page Load and the Web Transaction test types) and if host-based Linux-based firewall software is employed then following rule is required:

Protocol

Port

Destination

Notes

TCP

8998

127.0.0.1

BrowserBot sandbox (for host-based firewalls only)

Agent processes make internal network connections (i.e. not using the physical network) to the BrowserBot sandbox, which listens on port 8998/TCP of the loopback interface (normally uses IP address 127.0.0.1). Configure the host-based firewall to allow connections to the loopback IP address on the specified port.

Ubuntu

The following rules are required for Ubuntu Linux package installations:

Protocol

Port

Destination

Notes

TCP

80 or 443

apt.thousandeyes.com

ThousandEyes APT package repository

Select port 80 or port 443 depending on your organization's security requirements.

Red Hat

The following rules are required for Red Hat Enterprise Linux, CentOS and Oracle Linux package installations:

Protocol

Port

Destination

Notes

TCP

80 or 443

yum.thousandeyes.com

ThousandEyes YUM package repository

Select port 80 or port 443 depending on your organization's security requirements.

Test Rules

The protocol, port, and destination of rules to permit test traffic will depend on the type of test created and the target (destination) of the test. Normally, the direction for test rules is outbound from the agent. However, for agent-to-agent tests and RTP stream tests, agents are both sources and target of the test, so the direction for test rules is both outbound and inbound, as indicated below.

The sections below use the default ports for the test types. For example, a web layer test will need outbound access on TCP port 80 and/or 443 by default. If a test is configured with a non-default port number then the rule must use that port number instead of the default.

Routing Layer

BGP

Private BGP Monitors peer with a router in the ThousandEyes infrastructure. When the private BGP monitor is first configured, customers are sent the domain name of the ThousandEyes peer, along with peering instructions. If a private BGP monitor traverses a firewall, then the following firewall rule or ACL may be required.

Protocol

Port

Destination

Notes

TCP

179

ThousandEyes peer

Obtain peer's domain name from configuration instructions email

The source is the customer's BGP-speaking device, not an Enterprise Agent. The destination information can be obtained from the email that ThousandEyes sends after a private BGP monitor is requested. ThousandEyes emails configuration information to the requestor, including the peer's domain name (for example bgpc1.thousandeyes.com) or IP address.

Network Layer

Network layer tests permit a choice of protocol (TCP, UDP, and/or ICMP depending on the test type). Create rules with the protocol configured in the test's Protocol setting.

Agent-to-Server

Agent-to-server tests default to TCP as the protocol and 80 as the port. If a different port number is used in the test, use that port number in the rule.

Protocol

Port

Destination

Notes

TCP

80

test target

If test's Protocol setting is TCP

Alternatively, if ICMP is selected in the Protocol field on the Basic Configuration tab of the test settings then use the following rule.

Protocol

ICMP service

Destination

Notes

ICMP

ping

test target

Overview metrics (Loss, Latency and Jitter) and Path Visualization

For the Path Visualization, the outbound ICMP packets use type 8, code 0 (Echo Request) and the returning inbound ICMP packets use both type 0, code 0 (Echo Reply) and type 11, code 0 (Time to Live exceeded in Transit). Many firewalls refer to this combination as the "traceroute" service or object. Normally, a separate rule for traceroute is not needed because stateful firewalls associate the outbound packets (whether TCP, UDP or ICMP) with the inbound ICMP type 11 packets generated by the outbound packets. However, if a firewall cannot make this association, a second rule to allow the type 11 packets inbound to the agent may be required. Such a rule may be similar to the above ICMP rule but with the "traceroute" object, or may require a rule for ICMP type 11 to the agent as destination, from any source.

Note also that "many-to-one" network address translation may not make the association between outbound packets and incoming ICMP type 11 packets, and will block the type 11 packets. A one-to-one NAT rule will need to be configured to allow the inbound ICMP type 11 packets to be correctly translated.

Agent-to-Agent

Agent-to-agent tests default to TCP as the protocol and 49153 as the port. Alternatively, if UDP is selected in the Protocol field on the Basic Configuration tab of the test settings then use UDP. If a different port number is used in the test, use that port number in the rule.

Protocol

Port

Destination

Notes

TCP or UDP

49153

test target

Use TCP or UDP per test's Protocol setting

With agent-to-agent tests, if one or both agents is behind a network address translation device, the NAT traversal feature may be required, particularly if the NAT is not a one-to-one NAT. If required, the Behind a NAT box must be checked on the Enterprise Agent's Settings page.

NAT traversal requires communication to the ThousandEyes NAT traversal service, which may require an additional rule. Use the first rule for TCP-based tests; the second for UDP-based tests.

Protocol

Port

Destination

Notes

TCP

9119 and 9120

ntrav.thousandeyes.com

TCP-based agent-to-agent tests

TCP and UDP

9119 and 9120

ntrav.thousandeyes.com

UDP-based agent-to-agent tests

DNS Layer

DNS Layer tests all use a destination port of 53. The port is not user-configurable. Additionally, DNS Layer tests use only one transport protocol, either UDP or TCP. Truncated responses will never result in a test switching from UDP to TCP.

DNS Server

DNS Server tests default to UDP as the protocol, as specified in the Transport field on the Advanced Settings tab of the test settings. Alternatively, TCP may be used.

Protocol

Port

Destination

Notes

UDP or TCP

53

test target

Use UDP or TCP per test's Transport setting

DNS Trace

DNS Trace tests default to UDP as the protocol, as specified in the Transport field on the Advanced Settings tab of the test settings. Alternatively, TCP may be used.

Protocol

Port

Destination

Notes

UDP or TCP

53

all destinations

Use UDP or TCP per test's Transport setting

Normally, the test must have access to all destinations in order to access all of the servers required to perform iterative queries to authoritative nameservers in the DNS hierarchy, starting from the root nameservers.

DNSSEC

DNSSEC tests are similar to DNS Trace tests, except that DNSSEC tests always use UDP as the transport protocol.

Protocol

Port

Destination

Notes

UDP

53

all destinations

Normally, the test must have access to all destinations in order to access all of the servers required to perform iterative queries to authoritative nameservers in the DNS hierarchy, starting from the root nameservers.

Web Layer

Web layer tests (other than FTP Server tests) differ from other tests in that the target of the test is potentially (or likely) not the only destination for traffic from the agent. HTTP Server tests can receive HTTP redirects to domains other than the target domain name or IP address. Moreover. Page Load and Transaction tests load entire web pages which typically require connections to many destinations. For this reason, the Destination column in the Page Load and Transaction test section indicates "all destinations". If the domains to which requests are made are known, rules can be created which specify only those domains.

HTTP Server

The HTTP Server test uses port 80 by default if the test target is configured with the http:// scheme and uses port 443 if configured with the https:// scheme. If a non-default port number is used by the target server, use that port number in the rule.

Protocol

Port

Destination

Notes

TCP

80 or 443

test target

HTTP or HTTPS (defaults); test target may redirect to a different destination(s)

Typically, a request using HTTP to port 80 is redirected to the HTTPS service on port 443.

Page Load and Transaction

Normally, for Page Load and Transaction tests (a.k.a. Browser-based tests) allowing the agent to access all destinations using HTTP and HTTPS is the easiest way to configure the ruleset, unless the destinations are well known and few in number.

Protocol

Port

Destination

Notes

TCP

80 and 443

all destinations

HTTP and HTTPS (default ports)

Note that when an agent running browser-based tests is configured to use a proxy server, some amount of HTTP-based communication cannot be proxied. Specifically, HTTP-based downloads of SSL/TLS digital certificates (AIA fetching) and certificate revocation lists (CRLs) as well as the Online Certificate Status Protocol (OCSP) are not currently proxy-aware. Under certain circumstances (OCSP stapling unavailable, sites using EV certificates) a Browser-based test could experience errors if the agent cannot perform these types of communication directly. In this situation, two options exist:

  • Create a firewall rule or ACL which permits HTTP connections (typically using the http:// scheme) from the agent to the site required

  • Create a firewall rule or ACL which responds with a TCP reset to the connection attempts from the agent

Contact ThousandEyes Customer Engineering for additional information.

FTP Server

FTP Server tests can use one of three TCP-based protocols: FTP (Active or Passive modes), FTPS or SFTP. The FTP server test uses the following ports by default:

  • Port 21 if the test target is configured with the ftp:// scheme, and port 20 (inbound to the agent from the target server) if Active mode is configured in the Advanced Settings tab

  • Port 990 if configured with the ftps:// scheme

  • Port 22 if configured with the sftp:// scheme

If a non-default port number is used by the target server, use that port number in the rule.

Protocol

Port

Destination

Notes

TCP

21

test target

FTP command channel

TCP

20

Enterprise Agent

FTP data channel (Active mode only)

TCP

990

test target

FTPS

TCP

22

test target

SFTP

Voice Layer

Voice Layer provide tests for control and data streams of a voice-over-IP (VoIP) call, using SIP and RTP, respectively. The SIP Server test connects to a server, proxy, session border controller (SBC) or gateway, on the customer's premises or in the cloud. The RTP Stream test is performed between two ThousandEyes Agents to assess the quality of voice data given the characteristics of the network path.

SIP Server

SIP Server tests default to TCP as the protocol and 5060 as the port number. Alternatively, if UDP is selected in the Protocol field on the Basic Configuration tab of the test settings then use UDP, or if TLS is selected in the Protocol field then use TCP as the protocol and 5061 as the port number. If a different port number is used in the test, use that port number in the rule.

Protocol

Port

Destination

Notes

TCP or UDP

5060

SIP server/proxy/SBC

SIP Server test

TCP

5061

SIP server/proxy/SBC

SIP Server test over TLS

Select one of the two rules above per your test's configuration.

RTP Stream

Protocol

Port

Destination

Notes

UDP

49152

Cloud or Enterprise Agent

RTP Stream test

Miscellaneous

Enterprise Agents may require additional rules for optional configurations, such as Kerberos/Active Directory authentication, proxy server configurations, or the Device Layer.

Kerberos and Active Directory

Protocol

Port

Destination

Notes

UDP and TCP

88

KDC

Kerberos/AD authentication

The Kerberos settings default to port number 88. If a different port number is used in the configuration's KDC Port field then use that port number in the rule.

Proxies

Enterprise Agents can be configured to use one or more proxy servers for tests, administrative communications, or both. These configurations may require additional firewall rules or ACLs.

Proxy Servers

An organization's proxy servers may be deployed on the same internal networks as Enterprise Agents, or the proxies may be cloud-based, including SaaS-based proxy solutions. If communication to any configured proxy server traverses a firewall, then the following rule is required:

Protocol

Port

Destination

Notes

TCP

proxy port(s)

proxy server(s)

One or more ports per proxy

A proxy server may use one port number for all connections or may use multiple ports for different protocols--most commonly one port for HTTP connections and a second for HTTPS connections. Review your organization's proxy configuration documentation or contact your proxy server administrators to determine what port(s) are used by all proxies that the agent will use.

PAC file Servers

When a client such as a browser or an Enterprise Agent must use multiple proxy servers (for redundancy, optimal performance or other reasons), the client can be configured to use a proxy auto-configuration (PAC) file to select a proxy to handle each HTTP request. The PAC file must be retrieved from a web server at client start-up. If communication to the PAC file's web server traverses a firewall, then the following rule is required:

Protocol

Port

Destination

Notes

TCP

80 or 443

all destinations

HTTP or HTTPS (default ports)

Select the appropriate port number based on the scheme (http:// or https://) of the PAC file's URL.

Device Layer

ThousandEyes Device Layer feature uses the Simple Network Management Protocol (SNMP) to communicate with networked devices. Agents send SNMP GET requests to networked devices either when configured as the targets of Device Discovery, or after the devices have been discovered. If communication to the targeted device traverses a firewall, then the following rule is required:

Protocol

Port

Destination

Notes

UDP

161

target device

SNMP GET

Additional devices may be discovered without explicitly specifying an IP address in a discovery's Targets field. The discovery can occur even if those devices are blocked from the agent by a firewall, but the agent will not be able to retrieve data. For those discovered devices, a similar rule to the above will be required, using the discovered device:

Protocol

Port

Destination

Notes

UDP

161

discovered device

SNMP GET

Internet Insights

ThousandEyes' Internet Insights feature aggregates data from existing tests of various types. Because no tests are specific to Internet Insights, no firewall rules or ACLs are required to use Internet Insights.

Some organizations require an Enterprise Agent to use a proxy server for HTTP-based communication. A proxy may be configured with an allowed list of destinations, which are normally specified by domain names (some proxies may require IP addresses or both). For environments which require a proxy, consult your organization's proxy administrator and the articles and .

Installation types are displayed in the dialog of the page. Additionally, the "Type" filter of the Enterprise Agents page displays a listing of the types of currently installed (active and deactivated) Enterprise Agents belonging to the current account group.

The apt.thousandeyes.com repository is located in a content delivery network (CDN), where IP addresses can change without notice. For customers requiring a static IP address for the ThousandEyes APT repository, the aptproxy.thousandeyes.com domain name will always resolve to the same IP addresses. See the ThousandEyes article for additional information.

For more information, see .

The apk.thousandeyes.com repository is located in a content delivery network (CDN), where IP addresses can change without notice. For customers requiring a static IP address for the ThousandEyes repositories, the apkproxy.thousandeyes.com domain name will always resolve to the same IP addresses. See the ThousandEyes article for additional information.

The following rules are required only for installation of Docker container-based agents that download images maintained in the Docker registry (as installed with the default docker pull command; see ). This includes deployments of Docker for Linux, Webex VMN, and Meraki.

The apt.thousandeyes.com and yum.thousandeyes.com repositories are located in a content delivery network (CDN), where IP addresses can change without notice. For customers requiring a static IP address for the ThousandEyes repositories, the aptproxy.thousandeyes.com and yumproxy.thousandeyes.com domain names will always resolve to the same IP addresses. See the ThousandEyes article for additional information.

Additionally, most non-network layer tests include network measurements via the Perform network measurements setting (configured by default, under the Advanced Settings tab of the test configuration). When using Perform network measurements, additional rules may be required for those measurements, in addition to any rules based on the test type. Use the instructions in the section below to add any needed rule for your test's network measurements, treating the Protocol field on your test's Advanced Settings tab as the Protocol field in the agent-to-server test.

Similarly, if the Perform network measurements setting includes Collect BGP data then use the instructions in the section below to add any needed rules for your test's network measurements.

The Routing Layer contains the BGP test type which provides the BGP Route Visualization. The BGP Route Visualization is also part of the Perform network measurements setting of other test types. BGP data is supplied by public BGP Monitors which report data to ThousandEyes, or customers may create using their own BGP-enabled devices to peer with ThousandEyes. If a Private BGP Monitor is used for a BGP test or as part of other tests' Network metrics, and that Private BGP Monitor traverses a firewall, then a firewall rule or ACL may be required.

Private BGP Monitors are independent of Enterprise Agents, but can provide data for tests run by Enterprise Agents, so are included in this article. If your organization uses Private BGP Monitors, review the article for additional information.

ICMP uses , rather than port numbers. For the "Overview" metrics rule, the outbound ICMP code and type uses Type 8, Code 0 (Echo Request) and the return/inbound ICMP uses code 0, type 0 (Echo Reply). Many firewalls refer to this combination as the "ping" service or object.

If a many-to-one type of NAT is used, then the NAT device should meet the criteria in the article for agent-to-agent tests.

The RTP Stream test is performed between two ThousandEyes Agents--similar to an agent-to-agent test. Review the . RTP Stream tests default to 49152 as the port number. If a different port number is used in the test, use that port number in the rule.

Enterprise Agents which use Kerberos authentication (which is used by Microsoft's Active Directory) to authenticate HTTP requests to web servers or proxies must be able to reach the Kerberos domain controller (KDC) listed in the configuration's KDC Host field on the . If using a Kerberos configuration for an agent, and if communication to the Kerberos domain controller traverses a firewall, then the following rule is required:

Installing Enterprise Agents in Proxy Environments
Configuring an Enterprise Agent to Use a Proxy Server
Add New Enterprise Agent
Enterprise Agents
Static IP Addresses for ThousandEyes Repositories
How to set up the Virtual Appliance
Static IP Addresses for ThousandEyes Repositories
Enterprise Agent Deployment Using Docker
Static IP Addresses for ThousandEyes Repositories
Private BGP Monitors
Inside-Out BGP Visibility
Types and Codes
NAT Traversal for Agent-to-Agent Tests
Kerberos Settings page
Base Rules
Installation Type Rules
Base rules required for all agents
Rules specific to an agent's installation type
Appliances
Raspberry Pi
Docker Containers (including Cisco Application Hosting and Meraki Agents)
Linux packages
Ubuntu
Red Hat Enterprise Linux, CentOS and Oracle Linux
Rules required for tests run by an agent
Routing Layer
BGP
Network Layer
Agent-to-server
Agent-to-agent
DNS Layer
DNS Server
DNS Trace
DNSSEC
Web Layer
HTTP Server
Page Load and Transaction
FTP Server
Voice Layer
SIP Server
RTP Stream
Miscellaneous
Kerberos and Active Directory
Proxies
Proxy Servers
PAC file Servers
Device Layer
Internet Insights
Agent-to-Server
Routing Layer
requirements for agent-to-agent test rules