The agent does not listen on any port for traffic initiated external to the localhost, thus does not increase potential attack vectors. However, as outbound connections are made, any egress filtering performed by Antivirus software, firewalls, routers, etc.. would need to be opened. No inbound TCP connections need to be explicitly defined.
Environments using DNS proxies, or other mechanisms that may cache JumpCloud IP addresses may pin themselves to a single server. For larger environments, this could result in rate limiting which will disrupt installations and functionality. Caching JumpCloud IPs is not recommended.
Clients downloading the agent installer need to use TLS 1.2 or higher. Any clients (browsers, curl, PowerShell, etc.) may need to be updated or explicitly told to use TLS 1.2 or higher in order to successfully download the agent installer.
The JumpCloud agent accesses the following servers and ports:
- a1hrq03pdcca60-ats.iot.us-east-1.amazonaws.com:443
- agent.jumpcloud.com:443
- assist.jumpcloud.com:443 - used by Remote Assist agent
- cdn02.jumpcloud.com:443
- chocolatey.org:443 (https://chocolatey.org/api/v2/)
Chocolatey packages may download other files - mainly installers - from the software vendor of the package. Servers and ports accessed will vary depending on the Chocolatey software packages configured. See Software Management: Windows for more information.
- console.jumpcloud.com:443
- kickstart.jumpcloud.com:443
- private-kickstart.jumpcloud.com:443
- *.pwm.jumpcloud.com:443 - used by JumpCloud Password Manager
- In addition, these are the URLs used by Password Manager if needed for defining IPs in firewalls:
- cdn.pwm.jumpcloud.com
- devices.pwm.jumpcloud.com
- In addition, these are the URLs used by Password Manager if needed for defining IPs in firewalls:
- s3.amazonaws.com:443
- pool.ntp.org:123 (UDP)*
*Time synchronization is necessary for the installation and proper function of the agent; as this can be accomplished on an internal network, access to an external host on port 123 is not necessarily required.
- For more information on port and networking requirements specific to Remote Assist features, see Understand the Remote Assist Agent.
- For scripts you can use to test connectivity, see Troubleshoot: Remote Assist End-User Connectivity on Windows and macOS.
Proxy Support
For installation, Linux (initd) and Mac support routing through an https proxy. Use the following commands to set a proxy server for the installer, then run the installer normally.
Linux
echo "http://PROXY_SERVER_IP:PROXY_SERVER_PORT" > /etc/jcagent-proxy.conf
export https_proxy="cat /etc/jcagent-proxy.conf
"
Proxy usage for pre and post-installation on Linux using systemd is supported using an alternative method:
- Create a folder /etc/systemd/system/jcagent.service.d/.
- Create a file override.conf in the above folder.
- Add to the file:
[Service]
Environment=HTTP_PROXY=http://proxy_ip:port/
HTTPS_PROXY=http://proxy_ip:port/
- In the bash session where the installer will run, set environment variables and run the install command:
# export http_proxy=http://proxy_ip:port/
# export https_proxy=$http_proxy
# curl --silent --show-error --header 'x-connect-key: YOUR_CONNECT_KEY' https://kickstart.jumpcloud.com/Kickstart | sudo bash
Mac
echo "http://PROXY_SERVER_IP:PROXY_SERVER_PORT" > /etc/jcagent-proxy.conf
Windows:
At an administrator command prompt, run:
echo "http://PROXY_SERVER_IP:PROXY_SERVER_PORT" > c:\windows\system32\drivers\etc\jcagent-proxy.conf