Bandwidth usage
FlexxAgent process
When FlexxAgent starts, it collects and sends an initial report of approximately 75 KB; from then on, it sends differential reports of approximately 3-4 KB. This process is responsible for executing on-demand or automatic actions on the device. During those moments, network traffic may increase.FlexxAgent Analyzer process
FlexxAgent Analyzer collects information about the user’s session every 15 seconds, such as application consumption, resource usage, and so on. It aggregates this information into files of approximately 35-50 KB, which are sent to the consoles every 5 minutes, although the timing may vary for specific features. On multi-user systems, a single instance of FlexxAgent will run, along with as many instances of FlexxAgent Analyzer as user sessions the system has.Required URLs and ports
In terms of communications, FlexxAgent must be able to reach the service’s orchestration layer hosted on the internet, which includes:| URL | Scope | Port | Region |
|---|---|---|---|
| https://west-eu.agent-api.analyzer.flexxible.com | Agent | 443 | West Europe |
| https://flexxibleglobal.blob.core.windows.net | Agent | 443 | West Europe |
| https://api.ipify.org | Agent | 443 | West Europe |
| tcp://ras.flexxible.com | Agent – Flexxible Remote Assistance | 443 | West Europe |
| https://update.workspaces.flexxible.com | Agent | 443 | West Europe |
| https://agents-weu.flexxible.net | Agent | 443 | West Europe |
| https://south-br.agent-api.analyzer.flexxible.com (Brazil only) | Agent | 443 | Brazil South |
| https://flxsbname***.servicebus.windows.net | Agent | 443 | West Europe |
| https://flxiothub***.azure-devices.net | Agent | 443 | West Europe |
| URL | Scope | Port | Region |
|---|---|---|---|
| https://agents-weu.one.flexxible.net | Agent | 443 | West Europe |
| https://west-eu-01.agent-api.one.analyzer.flexxible.com | Agent | 443 | West Europe |
The three asterisks (***) represent a dynamic, unique identifier between 9 and 15 alphanumeric characters long, provided by Flexxible.Depending on the capabilities of the security device, URL exceptions can be configured using regular expressions (RegEx) or wildcards.Examples of exceptions using regular expressions (Regex)Examples of exceptions using wildcards
Security
To provide a good user experience, in some cases it will be necessary to configure exclusions in the antivirus; however, if these exclusions are not managed appropriately, they can pose a security risk. For that reason, we recommend running periodic scans of the files and folders that have been excluded from antivirus scanning. Both Microsoft and Flexxible recommend:- Using a File Integrity Monitoring (FIM) or Host Intrusion Prevention (HIP) solution to protect the integrity of items excluded from real-time scanning.
- If Azure Sentinel is used and Windows Defender is not properly configured, performance issues may arise. Disable Windows Defender using the following PowerShell command:
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Antivirus exclusions
FlexxAgent should be able to work correctly without configuring exceptions, but in more restrictive environments some may need to be set. The items to exclude from antivirus scanning are the following: FoldersC:\Program Files\FlexxibleC:\Windows\Temp\FlexxibleIT\
FlexxAgent.exeFlexxibleRA.exeFlexxibleRemoteAssistance_XXXX.exe
C:\Windows\Temp\FlexxAgentInstallation.logC:\Windows\Temp\UpdateFlexxAgent.ps1C:\Windows\Temp\FlexxAgentHealthCheck.log
Deep SSL Inspection
Deep SSL Inspection should be disabled for the following URLs on devices that use it as a security solution, in order for FlexxAgent to work optimally.- https://flxsbname***.servicebus.windows.net
- https://flxiothub***.azure-devices.net
- https://agents-weu.flexxible.net
- tcp://ras.flexxible.com
PowerShell process restriction
Some security solutions do not allow FlexxAgent installation and/or self-update to run effectively. During the process, the installer may return the message:The process was terminated with errors. A corrupted installation was detected due to external processes. This is usually caused by antivirus activity. Please check your antivirus settings.To fix this, Flexxible recommends excluding the following items:
C:\Windows\Temp\FlexxibleIT
C:\Windows\Temp\UpdateFlexxAgent.ps1
Wake on LAN (WoL)
Wake on LAN (WoL) makes it possible to turn on devices by sending a magic packet (Magic Packet) that tells the network card to power on. To use this feature you need:- A compatible network card
- Enable WoL in the BIOS/UEFI
- Configure WoL in the operating system
- A bridge device—with FlexxAgent installed and reporting—on the same network as the device you want to turn on.
Configure Wake on LAN (WoL) on Windows
To configure the Wake on LAN (WoL) feature on a device running Windows, follow these steps:- Check whether WoL is active
powercfg /devicequery wake_programmable
- Enable WoL
powercfg /deviceenablewake "Realtek PCIe GbE Family Controller"
Replace “Realtek PCIe GbE Family Controller” with the appropriate driver name.
Flexxible Remote Assistance through a proxy
For remote assistance, FlexxAgent will use a proxy when it is configured and accessible. If it is configured with a proxy but the proxy is not accessible at that moment, Flexxible Remote Assistance will run with the “auto detect” option, which will use the internet outbound configuration set by the end user.vPro
If an organization wants to enable vPro, the hostname of the Flexxible Intel EMA server must be resolvable from all its devices.| URL | Scope | Port | Region |
|---|---|---|---|
| https://iagent.flexxible.com | Agent | 443 | West Europe |
| URL | Scope | Port | Region |
|---|---|---|---|
| https://iagent.flexxible.com | Agent | 443 | West Europe |
Requirements for vPro to work through a proxy
- Dynamic Host Configuration Protocol (DHCP) must provide a DNS suffix (DHCP option 15) that matches the certificate’s domain.
- The proxy must allow the HTTP CONNECT method to the ports used.
- The Flexxible URL must be excluded to avoid deep SSL/TLS inspection on Client Initiated Remote Access (CIRA) connections.
- The proxy must not modify HTTP headers during the CONNECT phase.
Static source IP addresses for Webhooks
If the endpoint receiving the webhooks is behind a firewall or NAT, you may need to allow connections from the following static source IP addresses:52.215.16.23954.216.8.7263.33.109.1232a05:d028:17:8000::/56