Prerequisites for the File and FTP Monitoring Agent
Prepare your environment for seamless, secure file-based integration monitoring with Nodinite. This page details all prerequisites for installing and running the File and FTP Monitoring Agent, including software, user rights, firewall, and network configuration.
✅ Clear software and OS requirements
✅ Step-by-step user rights and firewall setup
✅ PowerShell scripts for fast configuration
✅ Network and security best practices
This page describes the prerequisites to successfully install and run the Nodinite File Monitoring Agent to achieve MFT Monitoring.
This diagram shows how the Nodinite File and FTP Monitoring Agent connects to various file-based resources across your environment.
Instances of this agent can be installed on-premises using TCP/IP for local network access and/or in the cloud/off-site using Service Bus Relaying (for additional information, see the external 'Azure Relay FAQs' link).
We recommend that you keep this agent close to the Nodinite Core Services. This documentation covers local network setup (usually on the Nodinite application server).
| Verified | Topic |
|---|---|
| | Software Requirements |
| | What Windows User Rights does the File and FTP Monitoring agent require? |
| | What Firewall settings are required for the File and FTP Monitoring agent? |
Software Requirements
| Product | | |
|---|---|---|
| Windows Server | Windows 2025, Windows 2022, Windows 2019, Windows 2016, Windows 2012 R2, Windows 2012 | |
| .NET Framework | .NET Framework 4.8 or later (new in 6.0). Our recommendation is .NET Framework 4.8.1 or later | |
| DFS Management Tools | You must install 'DFS Management Tools' if you want to use a DFS file share in the Monitoring | |
Versions 6.0 and later make use of the .NET Framework 4.8 or later.
Versions 5.4 and later make use of the .NET Framework 4.6.2 or later.
Versions before 5.4 make use of the .NET Framework 4.5.2 or later.
```powershell
Install-WindowsFeature RSAT-DFS-Mgmt-Con
```
What Windows User Rights does the File and FTP Monitoring agent require?
The agent is installed as a Windows Service, usually on the Nodinite application server. Virtual machines are supported.
- Local named account or domain account (preferred).
- Access and run-time rights.
- Follow the 'How to set logon as a Windows service right' user guide for detailed instructions.
For each folder being monitored, you may need to provide alternate credentials. Review the Configuration user guide for additional details.
Least privileges (basic usage)
- Read permission on the folder to check for files (and on all its child folders if the 'Include child folders' option is checked)
  - Folders (SMB)
  - Folders (NFS)
  - FTP
  - SFTP
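The read-only grant described above, applied to an NTFS folder and then checked for write rights. This is an added example, not part of the Nodinite documentation; the account name, folder path and `$IncludeChildFolders` switch are placeholders.

```powershell
# Added example: read-only NTFS access for the agent's service account.
# $Account and $Folder are hypothetical placeholders; run elevated on the file server.
$Account             = 'CONTOSO\svc-nodinite-file'
$Folder              = 'D:\Integration\Inbound'
$IncludeChildFolders = $true   # mirrors the agent's 'Include child folders' option

if ($IncludeChildFolders) {
    # This folder, all sub-folders and all files
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
} else {
    # This folder and the files directly in it; do not propagate further down
    $inherit   = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $propagate = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
}

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'Read', $inherit, $propagate, 'Allow')

$acl = Get-Acl -LiteralPath $Folder
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Folder -AclObject $acl

# Verify: list every Allow entry for the account and flag any that grant more than read
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

(Get-Acl -LiteralPath $Folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited, InheritanceFlags,
        @{ Name = 'GrantsWrite'; Expression = { (([int]$_.FileSystemRights) -band $writeMask) -ne 0 } } |
    Format-Table -AutoSize
```

A `GrantsWrite` value of `True` on any row, including inherited ones, means the account holds more than the read permission listed above. On SMB shares the share-level permissions apply in addition to these NTFS entries.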
What Firewall settings are required for the File and FTP Monitoring agent?
The File Monitoring Agent has both inbound and outbound communication:
- Between the Monitoring Service and the File Monitoring Agent
- Between the File Monitoring Agent and any of the following file-based services
  - SMB Services (Typically Windows file shares)
  - NFS Services (Typically Linux file shares)
  - FTP/FTPS
  - SFTP
This diagram illustrates the required network ports and communication paths for the Nodinite File and FTP Monitoring Agent.
Note
The exact ports in use may vary with your policies and current configuration/reality.
1. Between the Monitoring Service and the File Folder Monitoring agent
The following ports must be allowed on the Windows server where the agent is installed and running:
| Port | Name | Inbound | Outbound | TCP | UDP | Nodinite Version | Comment |
|---|---|---|---|---|---|---|---|
| 53 | DNS | | | | | All | The Agent needs to know where your other servers/services are (can sometimes optionally be solved using entries in the local hosts file) |
And further with 'Option 1' or 'Option 2' as documented next:
Option 1a (Nodinite v7 - IIS hosted on local network)
| Port | Name | Inbound | Outbound | TCP | UDP | Nodinite Version | Comment |
|---|---|---|---|---|---|---|---|
| Custom | HTTP/HTTPS | | | | | v7 | Agent IIS site port (configured during installation in the Portal). Only required if agent is on a remote IIS server |
Note
Nodinite v7 IIS Hosting: When agents are hosted in IIS on the same server as the Nodinite application (typical installation), firewall rules are not required between the Monitoring Service and the agent. The custom port is assigned during installation via the Nodinite Portal and only needs to be opened if the agent is hosted on a remote IIS Windows Server.
Option 1b (Nodinite v6 and earlier - Windows Service on local network)
| Port | Name | Inbound | Outbound | TCP | UDP | Nodinite Version | Comment |
|---|---|---|---|---|---|---|---|
| 8000 | RPC | | | | | v6 and earlier | Communication is initiated by the Monitoring Service. Only used with legacy MSI installer on remote Windows servers |
Note
Nodinite v6 Legacy: Port 8000 is only used when agents have default installations on remote Windows servers using the legacy MSI installer. This port is not required for Nodinite v7 IIS-hosted agents.
Option 2 (Cloud/Hybrid - All versions)
Use Service Bus Relayed connections when Nodinite and the agent are on totally different networks.
Nodinite uses the same basic technique as the on-premises data gateway; see the 'Adjust communication settings for the on-premises data gateway' user guide.
| Port | Name | Inbound | Outbound | TCP | UDP | Nodinite Version | Comment |
|---|---|---|---|---|---|---|---|
| 443 | HTTPS | | | | | All | Secure outbound traffic |
| 5671, 5672 | Secure AMQP | | | | | All | |
| 9350 - 9354 | Net.TCP | | | | | All | |
2. Between the File Monitoring Agent and File-Based Services
Server types: Agent Server (where File Monitoring Agent is installed), File Server (SMB/NFS file shares), FTP Server, SFTP Server.
Additional firewall requirements may exist depending on the usage of the Samba protocol, FTP, FTPS, SFTP, Certificates, NTLM, Kerberos, SUN RPC.
SMB Connection (Agent → Windows/Samba File Shares)
The agent connects to Windows file shares or Samba-based services to monitor folders and files.
| Direction | Source | Destination | Protocol | Port(s) | Purpose | Notes |
|---|---|---|---|---|---|---|
| Outbound | Agent Server | File Server (SMB) | TCP/UDP | 135-139 | Microsoft file sharing (NetBIOS) | Legacy SMB over NetBIOS |
| Outbound | Agent Server | File Server (SMB) | TCP/UDP | 445 | Direct-hosted SMB traffic | Modern SMB protocol (SMB 2/3) |
| Inbound | File Server (SMB) | Agent Server | TCP/UDP | 135-139, 445 | Response traffic | Allowed automatically by stateful firewalls |
Tip
SMB Versions: Port 445 is used by SMB 2.0 and SMB 3.0 (recommended for security and performance). Ports 135-139 support older SMB 1.0/CIFS for legacy compatibility. Consider disabling SMB 1.0 for security.
Tip
DFS Shares: Distributed File System (DFS) shares also use SMB ports. Ensure connectivity to all DFS namespace servers and targets.
FTP/FTPS Connection (Agent → FTP Servers)
The agent connects to FTP or FTPS servers to monitor folders and download files.
| Direction | Source | Destination | Protocol | Port(s) | Purpose | Notes |
|---|---|---|---|---|---|---|
| Outbound | Agent Server | FTP Server | TCP | 21 | FTP control connection | Command channel |
| Inbound | FTP Server | Agent Server | TCP | 21 | Response traffic | Allowed automatically by stateful firewalls |
Tip
FTPS (FTP over SSL/TLS): FTPS uses port 21 for the control connection. Additional data ports may vary depending on active/passive mode. For Passive Mode (recommended for firewalls), configure the FTP server to use a defined port range (e.g., 50000-51000) and open those ports outbound from the Agent Server.
Tip
Active vs Passive Mode: In Active Mode, the FTP server initiates the data connection back to the agent (requires inbound rules on Agent Server). In Passive Mode, the agent initiates both control and data connections (outbound only from Agent Server).
SFTP Connection (Agent → SFTP Servers)
The agent connects to SFTP (SSH File Transfer Protocol) servers for secure file monitoring.
| Direction | Source | Destination | Protocol | Port(s) | Purpose | Notes |
|---|---|---|---|---|---|---|
| Outbound | Agent Server | SFTP Server | TCP | 22 | SFTP (SSH) connection | Default secure port |
| Outbound | Agent Server | SFTP Server | TCP | 20 | SFTP data transfer | Default for download (less common) |
| Inbound | SFTP Server | Agent Server | TCP | 22, 20 | Response traffic | Allowed automatically by stateful firewalls |
Tip
SSH Key Authentication: SFTP typically uses SSH key-based authentication. Ensure the Agent Server's SSH public keys are added to the SFTP server's `~/.ssh/authorized_keys` file for the monitoring user account.
Tip
Custom SSH Ports: Many SFTP servers use custom SSH ports (e.g., 2222, 10022) for security. Adjust the port in the agent configuration to match your SFTP server's SSH listener port.
NFS Connection (Agent → Linux/UNIX File Shares)
The agent connects to NFS (Network File System) servers to monitor folders and files, typically on Linux/UNIX systems.
| Direction | Source | Destination | Protocol | Port(s) | Purpose | Notes |
|---|---|---|---|---|---|---|
| Outbound | Agent Server | NFS Server | TCP/UDP | 111 | RPC Portmapper | Maps RPC requests to correct NFS services |
| Outbound | Agent Server | NFS Server | TCP/UDP | 2049 | NFS Server | Main NFS service (default) |
| Outbound | Agent Server | NFS Server | TCP/UDP | 665-1024 | Privileged ports | When using privileged ports option |
| Outbound | Agent Server | NFS Server | TCP/UDP | 1039, 1047, 1048 | Additional NFS services | mountd, statd, lockd (may vary) |
| Inbound | NFS Server | Agent Server | TCP/UDP | 111, 2049, 665-1024, 1039, 1047, 1048 | Response traffic | Allowed automatically by stateful firewalls |
Tip
NFS Dynamic Ports: NFS services (mountd, statd, lockd) often use dynamic ports assigned by the RPC Portmapper (port 111). To simplify firewall rules, configure your NFS server to use static ports for these services. See the PowerShell script example below for Windows NFS configuration.
Tip
NFS Versions: NFS v3 requires ports 111 (portmapper) and 2049 (nfsd). NFS v4 only requires port 2049 (simplified firewall). Consider using NFS v4 when possible.
NFS PowerShell Script Example
```powershell
# Run in an elevated PowerShell session on the Windows server that hosts the NFS service.

# Open required firewall ports for NFS (TCP and UDP)
$ports = @(111, 2049)
foreach ($port in $ports) {
    New-NetFirewallRule -DisplayName "Allow NFS Port $port" -Direction Inbound -Action Allow -Protocol TCP -LocalPort $port -Profile Any -Verbose
    New-NetFirewallRule -DisplayName "Allow NFS Port $port (UDP)" -Direction Inbound -Action Allow -Protocol UDP -LocalPort $port -Profile Any -Verbose
}

# Set static ports for NFS services to avoid dynamic assignment
# NOTE: path and value names are kept as given on this page. Microsoft documents RPC port
# restriction under HKLM:\SOFTWARE\Microsoft\Rpc\Internet (Ports, PortsInternetAvailable,
# UseInternetPorts); verify the effect on your server before relying on these two lines.
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Rpc" -Name "InternetPorts" -Value 2049 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Rpc" -Name "InternetAvailable" -Value 1 -Type DWord

# Restart NFS and RPC services
Restart-Service -Name "RpcEptMapper"
Restart-Service -Name "NfsService"

Write-Host "NFS Ports have been configured and firewall rules applied."
```
Run `netstat -ano | findstr :2049` to check if NFS is listening.
Use `Test-NetConnection -ComputerName <NFS_SERVER> -Port 2049` to verify connectivity.
✅ This should allow your client to download files without firewall restrictions.
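The same connectivity check, extended to every file-based service in section 2 and run from the Agent Server, so that a DNS failure (port 53) can be told apart from a blocked port. This is an added example, not part of the Nodinite documentation; the server names and the `Test-TcpPort` helper are hypothetical.

```powershell
# Added example: outbound TCP pre-flight from the Agent Server.
# Server names are constructed placeholders; replace them with your own.
# TCP only: UDP ports (DNS 53, NFS over UDP) cannot be probed with a connect test.
$targets = @(
    @{ Service = 'SMB';            Server = 'fileserver.example.com'; Port = 445  }
    @{ Service = 'FTP control';    Server = 'ftp.example.com';        Port = 21   }
    @{ Service = 'SFTP';           Server = 'sftp.example.com';       Port = 22   }
    @{ Service = 'NFS portmapper'; Server = 'nfs.example.com';        Port = 111  }
    @{ Service = 'NFS';            Server = 'nfs.example.com';        Port = 2049 }
)

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Wait() returns $false on timeout and throws when the connection is refused
        return ($client.ConnectAsync($Address, $Port).Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($t in $targets) {
    # Resolve first so a name-resolution problem is not reported as a firewall block
    $ip = $null
    try { $ip = [System.Net.Dns]::GetHostAddresses($t.Server)[0].IPAddressToString } catch { }

    $status = if (-not $ip) { 'DNS lookup failed' } elseif (Test-TcpPort -Address $ip -Port $t.Port) { 'Open' } else { 'Blocked or closed' }

    [pscustomobject]@{
        Service = $t.Service
        Server  = $t.Server
        Address = $ip
        Port    = $t.Port
        Status  = $status
    }
}

$results | Format-Table -AutoSize
```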
Note
DNS Resolution: All servers (Agent Server and File Servers) require outbound access to DNS on TCP/UDP port 53 for name resolution. This is already listed in section 1 and applies universally. You can optionally solve this using entries in the local `hosts` file on each server.
Important
Stateful Firewalls: Most modern Windows Firewall implementations are stateful, meaning inbound response traffic for established outbound connections is automatically allowed. The inbound rules listed above are primarily for reference and troubleshooting scenarios where stateful inspection may be disabled or restricted.
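Where outbound traffic on the Agent Server is blocked by default, the outbound rows in the tables above can be expressed as rules scoped to each file server rather than opened to any destination. This is an added example, not part of the Nodinite documentation; the rule names and the remote addresses (RFC 5737 documentation range) are constructed placeholders, and the `Domain` profile assumes a domain-joined server.

```powershell
# Added example: outbound allow rules limited to known file servers.
# Run elevated on the Agent Server. Addresses below are constructed placeholders.
$rules = @(
    @{ Name = 'SMB';         Ports = '445';         Remote = '192.0.2.10' }
    @{ Name = 'FTP control'; Ports = '21';          Remote = '192.0.2.20' }
    @{ Name = 'FTP passive'; Ports = '50000-51000'; Remote = '192.0.2.20' }  # example range from the FTPS tip
    @{ Name = 'SFTP';        Ports = '22';          Remote = '192.0.2.30' }
    @{ Name = 'NFS';         Ports = '111', '2049'; Remote = '192.0.2.40' }
)

foreach ($r in $rules) {
    $display = "Nodinite File Agent - $($r.Name) (outbound)"

    # Skip rules that already exist so the script can be re-run safely
    if (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue) { continue }

    New-NetFirewallRule -DisplayName $display -Direction Outbound -Action Allow `
        -Protocol TCP -RemotePort $r.Ports -RemoteAddress $r.Remote -Profile Domain | Out-Null
}

# Review what was created: one row per rule with its port and address scope
Get-NetFirewallRule -DisplayName 'Nodinite File Agent - *' | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    $addrFilter = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Direction     = $_.Direction
        Protocol      = $portFilter.Protocol
        RemotePort    = $portFilter.RemotePort -join ','
        RemoteAddress = $addrFilter.RemoteAddress -join ','
    }
} | Format-Table -AutoSize
```

Windows Firewall allows outbound traffic by default, so these rules only take effect when the profile's default outbound action has been set to block.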
Next Step
Add or manage Monitoring Agent
Install File Monitoring Agent