- 6 minutes to read

Why do Nodinite use port 8000?

Discover why Nodinite Monitoring Agents use TCP port 8000 by default, and how this design choice benefits your integration environment. This page explains the security, administration, and connectivity advantages, and provides guidance for configuration and troubleshooting.

✅ Enhanced security with minimal open ports
✅ Simplified firewall and network administration
✅ Consistent, reliable connectivity for all Monitoring Agents
✅ Easy configuration and troubleshooting for integration experts

Fewer ports, less administration, more secure

Important

BREAKING CHANGE: If you use the Nodinite Azure Logic Apps agent with any other Nodinite Agent, you must remove the wildcard allowance 'netsh http delete urlacl url=http://+:8000/Nodinite/' and replace it with a specific setting for each agent and account. See the Table below for details.

From a Nodinite perspective, Monitoring Agents require only one inbound TCP port to be opened for communication. The Monitoring Service initiates this traffic (outbound). Port 8000 is essential for the Monitoring Service to monitor the state of Resources and to perform manual or auto-healing Remote Actions.

Stay Secure with Limited Ports

Nodinite Monitoring Agents are designed to require only one inbound TCP port for Nodinite services. Depending on the agent's function, additional ports may be needed (see individual prerequisites).

  • Fewer open TCP ports mean fewer attack vectors and greater security
  • Less hassle and reduced administration for IT teams
  • All Monitoring Agents use port 8000 by default for installation and updates
  • Competing solutions often require many more open ports (e.g., RDP, VPN, dynamic RPC)

Note

Each Monitoring Agent may have unique port requirements depending on the featured service.

Connectivity Options

Navigate to Administration, then manage Monitoring Agents in the Nodinite Web Client.
From the Connection tab for a selected Monitoring Agent, you can configure settings that enable the Monitoring Service and Web API to communicate with the agent.

Connection tab
The Connection tab for configuring Monitoring Agent connectivity.

The Service URL is set individually for each Monitoring Agent. Learn more here.

If you install the agent on a different network (customer, partner, cloud), you can use Microsoft Service Bus Relaying as an alternative to TCP port 8000.

  1. TCP port 8000 (default) incoming
  2. Service Bus Relaying as an alternative configuration
graph LR subgraph "Server A" ro(fal:fa-watch-fitness Monitoring Service) -->|8000|ro1(fal:fa-monitor-waveform Monitoring Agent A) ro -->|8000|ro2(fal:fa-monitor-waveform Monitoring Agent B) end subgraph "Server B" ro -->|8000|ro4(fal:fa-monitor-waveform Monitoring Agent A) end

Diagram: Monitoring Service communicates with Monitoring Agents over port 8000.

Monitoring Service
Monitoring Agents
Monitoring
Web API - Remote Actions and Metrics

graph LR subgraph "Server A" ro(fal:fa-cloud-sun Web API) -->|8000|ro1(fal:fa-monitor-waveform Monitoring Agent A) ro -->|8000|ro2(fal:fa-monitor-waveform Monitoring Agent B) end subgraph "Server B" ro -->|8000|ro4(fal:fa-monitor-waveform Monitoring Agent A) end

Diagram: Web API communicates with Monitoring Agents over port 8000.

Web API
Monitoring Agents
Monitoring

TCP Ports between Monitoring Service and Web API

Nodinite displays the state of the Monitoring Service for Users in the Web Client. The Web Client queries the Web API, which in turn communicates with the Monitoring Service. The Monitoring Service uses the Web API for all features.

graph LR subgraph "Windows Server" roMonitoringService(fal:fa-watch-fitness Monitoring Service) end subgraph "Windows Server" roLoggingService(fal:fa-hard-drive Logging Service) end subgraph "Web Server" roWebAPI(fal:fa-cloud-sun Web API) roWebAPI -->|8000| roMonitoringService roWebAPI -->|8000| roLoggingService end

Diagram: Web API communicates with Monitoring Service and Logging Service over port 8000.

Web API Monitoring Service
Web API Logging Service

How do I allow the service account to use the configured TCP port?

You must grant service accounts that are not local administrators permission to use a port from the URL access control list.

Info

Local administrators already have the right to use any TCP port. If your account is a local admin and you still have issues, see further troubleshooting below.

To display registered URLACLs, run this command from an elevated command prompt:

netsh http show urlacl

To remove a URL ACL:

netsh http delete urlacl url=http://+:8000/Nodinite/

Monitoring Agents URL Access Control List

If you host all Nodinite Monitoring Agents in IIS, you can skip this section. URL ACL reservations only apply when running agents as Windows Services.

Important

If you use the Nodinite Logic Apps Logging and Monitoring Agent, remove the wildcard reservation and use fully qualified names. See the table below for examples.

Agent Command Description
Logic Apps Logging and Monitoring Agent netsh http add urlacl url=http://localhost:8000/Nodinite/Monitor/Agent/AzureLogicApps/ user=DOMAIN\ServiceAccount
Azure Monitoring Agent netsh http add urlacl url=http://localhost:8000/Nodinite/Agent/Monitor/Azure/ user=DOMAIN\ServiceAccount
BizTalk Monitoring Agent netsh http add urlacl url=http://localhost:8000/Nodinite/Monitor/Agent/BizTalk/ user=DOMAIN\ServiceAccount
Database Monitoring Agent netsh http add urlacl url=http://localhost:8000/Nodinite/Monitor/Agent/Database/ user=DOMAIN\ServiceAccount
Dynamics 365 Monitoring Agent (CRM) netsh http add urlacl url=http://localhost:8000/Nodinite/Monitor/Agent/DynamicsCRM/ user=DOMAIN\ServiceAccount
File Monitoring Agent netsh http add urlacl url=http://localhost:8000/Nodinite/Monitor/Agent/FileFolder/ user=DOMAIN\ServiceAccount
IBM DataPower Monitoring Agent netsh http add urlacl url=http://localhost:8000/Nodinite/Monitor/Agent/DataPower/ user=DOMAIN\ServiceAccount
IBM MQ Monitoring Agent netsh http add urlacl url=http://localhost:8000/Nodinite/Monitor/Agent/IBMMQ/ user=DOMAIN\ServiceAccount
Log File Parser Monitoring Agent netsh http add urlacl url=http://localhost:8000/Nodinite/Monitor/Agent/LogFileParser/ user=DOMAIN\ServiceAccount
Message Queuing Monitoring Agent netsh http add urlacl url=http://localhost:8000/Nodinite/Monitor/Agent/MessageQueue/ user=DOMAIN\ServiceAccount
Mule ESB Monitoring Agent netsh http add urlacl url=http://localhost:8000/Nodinite/Monitor/Agent/Mule/ user=DOMAIN\ServiceAccount
Non-Events Monitoring Agent netsh http add urlacl url=http://localhost:8000/Nodinite/Monitor/Agent/NonEvents/ user=DOMAIN\ServiceAccount
RabbitMQ Monitoring Agent netsh http add urlacl url=http://localhost:8000/Nodinite/Monitor/Agent/RabbitMQ/ user=DOMAIN\ServiceAccount
Web Services Monitoring Agent netsh http add urlacl url=http://localhost:8000/Nodinite/Monitor/Agent/WebServices/ user=DOMAIN\ServiceAccount
Windows Server Monitoring Agent netsh http add urlacl url=http://localhost:8000/Nodinite/Monitor/Agent/WindowsServer/ user=DOMAIN\ServiceAccount

Specify the URL ACL on each Windows Server where agents run as Windows Services. From Nodinite 7, you can run agents in IIS, so URL ACL reservations do not apply.

What firewall settings do I need?

The firewall must allow the port(s) your Monitoring are configured to use. All Monitoring Agents use TCP port 8000 (inbound) by default. Administrators can change this port, but it is not recommended.

Service section from the configuration file: Nodinite.MonitorAgent.BizTalkHost.exe.config for the BizTalk Monitoring Agent.

<services>
  <service behaviourConfiguration="MonitorAgentBehavior" name="IM.MonitorAgent.BizTalk.ServiceApi">
    <endpoint address="http://localhost:8000/Nodinite/Monitor/Agent/BizTalk" binding="webHttpBinding" bindingConfiguration="MonitorAgentBinding" name="MonitorAgentEndPoint" contract="IM.MonitorAgent.BizTalk.Contracts.IBizTalkContract"/>
  </service>
</services>

<services>
  <service behaviourConfiguration="MonitorAgentBehavior" name="IM.MonitorAgent.BizTalk.ServiceApi">
    <endpoint address="http://localhost:8000/IM/Monitor/Agent/BizTalk" binding="webHttpBinding" bindingConfiguration="MonitorAgentBinding" name="MonitorAgentEndPoint" contract="IM.MonitorAgent.BizTalk.Contracts.IBizTalkContract"/>
  </service>
</services>

Note

If you change the TCP port for Monitoring, update the Monitoring Agents configuration for that agent so the Monitoring Service can communicate with it.

Troubleshooting

Service cannot start due to port restrictions

Startup problems for Monitoring Agents are usually Security or Firewall related. Agents may also require specific 3rd party libraries to be installed before configuration.

A common issue is that the service account is not a local administrator and lacks permission to use the port. Assign this right as needed.

HTTP could not register URL http://+:8000/IM/Monitor/Agent/Servicename/. your process does not have access rights to this namespace (see https://go.microsoft.com/fwlink/?LinkId=70353 for details).

Exception example from the diagnostics log file.

Next Step

Monitoring Agents

Microsoft Service Bus Relaying
Monitoring Service
Logon as Service Rights