Whitelisting requirements for IP addresses and URLs


Connecting to the Datto RMM Web Portal

To allow seamless connectivity to the Datto RMM Web Portal, and between Agents, you must open TCP port 443 outbound through your firewall.

If your company has a more aggressive security posture for outbound traffic (e.g. port blocking and IP address access lists), then you may need to whitelist a number of IP addresses, as well as open up port 443 to allow Datto RMM to make the required connections. The IP addresses you must whitelist are specific to your platform, and you only need to whitelist the ones associated with your platform.

For information about the platform your site is hosted on, refer to Datto RMM platforms.

Port usage

For partners managing devices in environments with rigorous network security, note that the following ports are used by Datto RMM's extended processes, remote tools, and software management. These ports are actively used by the Agent all of the time.

  • Port 13229 (TCP) - used for Agent to Agent communication.
  • Port 13300 (UDP) - used for Agent discovery.
  • Port 6800 (TCP) - used for Agent communication with the Aria process.

Connecting Agents through the tunnel server grid

Unless a peer-to-peer connection can be established between devices, Agent to Agent connectivity and remote takeover are managed by a tunnel server over an encrypted connection. Tunnel servers are connection relays located around the globe to provide maximum coverage and the best performance depending on your location. They are automatically available to all users.

When a remote takeover session is initiated:

  1. The admin device performs a DNS query to find the nearest tunnel server. The tunnel server is picked based on the proximity to the admin device.
  1. A connection is made to a load-balanced tunnel server cluster.
  1. Finally, a connection is established to the remote device.

To make the most of the tunnel server grid, please ensure that the IP addresses relevant to your geographic location are whitelisted and outbound traffic on port 443 is open on your own and your endpoints' firewalls.

Internet Protocol

The Datto RMM Agent communicates with the platform using the IPv4 protocol.

IPv6 connections are not supported at this time.

Stateful Packet Inspection

It is strongly recommended that any Stateful Packet Inspection be turned off for access to any centrastage.net address, and that all attempts possible are made to guarantee that TCP connections to the cc.centrastage.net addresses are not terminated in cases of inactivity. (These connections may be inactive for up to 180 seconds at a time if no client activity is detected.)

Whitelist the following IP addresses and URLS

We are moving! Datto RMM is moving from *centrastage.net to *rmm.datto.com and you can now access the new URLs to test and whitelist them. Please note that the Datto RMM Online Help is also moving to a new URL.

Here is the full rollout plan:

  • In the 7.6.0 release, we will start using *rmm.datto.com in various parts of the product, such as email notifications, but *centrastage.net will still be usable.
  • In the 7.7.0 release, *centrastage.net will redirect to *rmm.datto.com.
  • The Datto RMM Online Help's current URL (https://help.aem.autotask.net) will redirect to https://help.rmm.datto.com for 3 months, starting from the 7.7.0 release. Be sure to save the new URL as well as to update any bookmarks you may have during this transition period.

This won't impact Agent communication channels and the API. These will still be using the centrastage.net URLs.


Need to troubleshoot this? Open the Datto Knowledge Base.
Want to talk about it? Head on over to our Community Forum!
Forward this topic to others.
Provide feedback for the Documentation team.