How to check if the AD Broker connects to the cloud

In this topic, you will learn how to check if the Portnox™ Active Directory Broker connects to the Portnox™ Cloud service.

The Portnox Active Directory Broker connects to the cloud on the following ports:

  • Outgoing: portnox-centraal-prod.servicebus.windows.net:443
  • Outgoing: mobilecentraal.portnox.com:8081

These names and ports must be reachable from the Active Directory Broker machine, so you need to allow these outgoing connections on the firewall.

Note: There are no static IP addresses for these services, only DNS names.

To check if the cloud is reachable, use the following methods:

  • Use the following PowerShell commands:

    • Test-NetConnection -Port 443 -ComputerName portnox-centraal-prod.servicebus.windows.net -InformationLevel Detailed
    • Test-NetConnection -Port 8081 -ComputerName mobilecentraal.portnox.com -InformationLevel Detailed
  • Try to open the following URLs in your browser and see if you receive a server response:

    • https://portnox-centraal-prod.servicebus.windows.net:443
    • https://mobilecentraal.portnox.com:8081 (a 503 response code means that there is connectivity)

If the servers are not reachable, you need to check DNS, firewall, and proxy settings.

The following configurations must be done on the firewall for the broker to be able to communicate with the cloud:

FQDN                                             Protocol  Ports                                   Direction
mobilecentraal.portnox.com                       TCP       8081                                    Outbound
cloudcentraalstoreprodus.blob.core.windows.net   TCP       443                                     Outbound
cloudcentraalstoreprod.blob.core.windows.net     TCP       443                                     Outbound
pnxeusprdclrinstallers.blob.core.windows.net     TCP       443                                     Outbound
pnxweuprdclrinstallers.blob.core.windows.net     TCP       443                                     Outbound
pnxweuprdclrpublic.blob.core.windows.net         TCP       443                                     Outbound
pnxeusprdclrpublic.blob.core.windows.net         TCP       443                                     Outbound
*.servicebus.windows.net                         TCP       80, 443, 5671, 5672, 9350, 9351, 9352   Outbound

Warning: Since Microsoft services can change their public IP addresses (as has happened in the past), we recommend avoiding the use of static IP addresses. Instead, use fully qualified domain names (FQDNs) as listed above.

If your firewall software does not support FQDNs or encounters issues, such as failing to recognize some IP addresses resolved from the FQDNs, you can use this official Azure script to retrieve the IP addresses associated with an Azure FQDN. You can then add all these IP addresses to the firewall instead of the FQDNs. However, be sure to regularly monitor connectivity and check for any updates, as Microsoft may add or remove IP addresses over time.
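The following script is an added example, not a Portnox script: run from the Active Directory Broker machine, it walks the FQDNs from the table above, separates DNS failures from TCP (firewall/proxy) failures, and then probes mobilecentraal.portnox.com:8081 over HTTPS, treating a 503 as confirmed connectivity as described earlier. The endpoint list and the choice of port 443 for the blob hosts are taken from this page; the function name Test-BrokerEndpoint is ours.

```powershell
# Added example (not Portnox's own script). Checks the endpoints listed on this page
# from the Active Directory Broker machine. Host/port pairs come from the page's table.
$Endpoints = @(
    @{ Host = 'portnox-centraal-prod.servicebus.windows.net';  Port = 443  }
    @{ Host = 'mobilecentraal.portnox.com';                    Port = 8081 }
    @{ Host = 'cloudcentraalstoreprodus.blob.core.windows.net'; Port = 443 }
    @{ Host = 'cloudcentraalstoreprod.blob.core.windows.net';   Port = 443 }
    @{ Host = 'pnxeusprdclrinstallers.blob.core.windows.net';   Port = 443 }
    @{ Host = 'pnxweuprdclrinstallers.blob.core.windows.net';   Port = 443 }
    @{ Host = 'pnxweuprdclrpublic.blob.core.windows.net';       Port = 443 }
    @{ Host = 'pnxeusprdclrpublic.blob.core.windows.net';       Port = 443 }
)

function Test-BrokerEndpoint {
    param([string]$HostName, [int]$Port)

    # Step 1: DNS. No A record here means a DNS problem, not a firewall problem.
    $dns = Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue
    $addresses = ($dns | Where-Object { $_.IPAddress } |
                  Select-Object -ExpandProperty IPAddress) -join ', '

    # Step 2: TCP handshake. Resolved but closed points at firewall or proxy settings.
    $tcp = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue

    [pscustomobject]@{
        Host      = $HostName
        Port      = $Port
        Resolved  = [bool]$addresses
        Addresses = $addresses
        TcpOpen   = $tcp.TcpTestSucceeded
    }
}

$results = foreach ($e in $Endpoints) { Test-BrokerEndpoint -HostName $e.Host -Port $e.Port }
$results | Format-Table -AutoSize

# Step 3: application-level probe. A 503 from this URL still proves connectivity.
try {
    Invoke-WebRequest -Uri 'https://mobilecentraal.portnox.com:8081' -UseBasicParsing -TimeoutSec 15 | Out-Null
    Write-Host 'mobilecentraal.portnox.com:8081 answered with a 2xx response'
} catch {
    $status = $_.Exception.Response.StatusCode.value__
    if ($status -eq 503) { Write-Host '503 received: connectivity to mobilecentraal.portnox.com:8081 confirmed' }
    else { Write-Warning "No usable response from mobilecentraal.portnox.com:8081 (status: $status)" }
}

if ($results | Where-Object { -not $_.TcpOpen }) {
    Write-Warning 'One or more endpoints unreachable: check DNS, firewall, and proxy settings.'
}
```

The Addresses column doubles as a record of the IPs currently behind each FQDN, which is useful when re-checking a firewall that was populated from resolved addresses rather than names.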