Ports and URLs for Inventory Beacons

IT Asset Management (Cloud)
The following block diagram highlights the various connections and communication flows around the inventory beacon. The arrows show the direction of each request, and the key numbers on the arrows refer to the explanations in the table below.
Note: For a summary of URLs for the various cloud servers (for example, for setting up firewalls for your inventory beacons), see Configuring Inventory Beacons for Connection to the Application Server.
Except as noted, the port numbers given are default values, and can be configured. The obvious exceptions are items 1-5, which are fixed ports for use with the central cloud server. Items marked * in the diagram apply exclusively to cloud-based implementations.

Note: For brevity in the following table, only the North American instance URLs are shown. The European and APAC instance URLs are identical with the exception of switching the top-level domain from .com to .eu or .au.
Ref Purpose/URL Port
1 IT Asset Management cloud authentication (not used for on-premises implementations) — https://app.flexera.com/login
Note: While operators using Flexera Account Management in a cloud implementation access the authentication sign-on each time they log in to IT Asset Management, each inventory beacon accesses this URL only during registration and configuration (described in Register an Inventory Beacon).
443 (fixed)
Web application server — https://app.flexera.com
Note: For performance and reliability monitoring, browser access to the North American, European or APAC web application servers also triggers access to the following URLs:
  • https://js-agent.newrelic.com
  • https://bam.nr-data.net
and accessing these URLs may also trigger certificate revocation checks, which may access any of the following:
  • http://crl.r2m02.amazontrust.com/r2m02.crl
  • http://crl.sca1b.amazontrust.com/sca1b.crl
  • http://crt.sca1b.amazontrust.com/sca1b.crt
  • http://ocsp.sca1b.amazontrust.com
  • http://crl3.digicert.com/ssca-sha2-g6.crl
  • http://crl4.digicert.com/ssca-sha2-g6.crl
  • http://crl3.digicert.com/DigiCertGlobalRootCA.crl
  • http://crl4.digicert.com/DigiCertGlobalRootCA.crl
  • http://x1.c.lencr.org (CRL)
  • http://r3.o.lencr.org (OCSP)
443 (fixed)
3 The batch serverhttps://beacon.flexnetmanager.com 443 (fixed)
4 Inventory server (for FlexNet inventory scanner and inventory agent data) — https://data.flexnetmanager.com 443 (fixed)
SSL certificate revocation servers (for cloud implementations only).
Note: These URLs are relevant both to the production instances and to the UAT instances, for both the North American, European and APAC cloud implementations.
Revocation checking may occur for any of the following subdomains that are presented by the web application server, in both the .com and .eu domains:
  • bi
  • uat
  • bi-uat
  • A subdomain specific to your enterprise (that is, your tenant account for IT Asset Management).
Amazon certificate authority may use any of the following for revocation checks:
  • http://crl.sca1b.amazontrust.com/sca1b.crl
  • http://crt.sca1b.amazontrust.com/sca1b.crt
  • http://ocsp.sca1b.amazontrust.com
80 (fixed)
6 SAP: Gather SAP Inventories Port. By default, the last two digits of the port number match the SAP instance number. 33nn (default)

IT Asset Management reads Microsoft Active Directory users, computers and groups. (Active Directory security groups are resolved into the individual user/computer members needed for consumption calculations for several inventory adapters, including App-V and Citrix Virtual Apps. However, these groups are managed exclusively in Active Directory, and are not available for display in the web interface of IT Asset Management.)

In the necessary communication with a domain controller, the use of the Secure Sockets Layer (SSL) is optional (where SSL is in use, communication is through LDAP over SSL). The choice is determined by the Use SSL check box on the Active Directory page of the FlexNet Beacon user interface (see Importing from Active Directory).

Tip: Registry settings may be used to customize the configuration used for inventory import from Active Directory. For details, see Registry Keys for Inventory Beacon, starting from ActiveDirectoryImporter. For more information about gathering data from Active Directory, see https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx.

389 (default without SSL)

636 (default with SSL, modifiable in the registry)

8 SQL-based inventory collection (third-party inventory), reading from other databases
  • 1433 (default) for Microsoft SQL
  • 1521 (default) for Oracle
  • 50000 (default) for DB2
9 SAP sends license recommendations — http://beaconServerName/SAPService/SAPService.asmx 80 (default)
10 Discovery of computers on your network, including testing for other specialized computer use. The port depends on which scans you have included in the discovery rule(s). You can customize the ports used for discovery and inventory together when setting a rule. Note that the system requires a response to a ping before continuing with port scans and other methods of discovery.
  • ICMP is used for ping discovery of networked computers
  • 135 (default) on the target device for WMI-based discovery of Hyper-V or XenDesktop (other ports depend on your configuration of WMI)
  • 80 (with HTTP), 443 (with HTTPS) for VMware ESX/VCenter (default values, and of course using TCP)
  • 1433 for Microsoft SQL Server (default)
  • 1521, 2483 for Oracle DB (default)
  • 137 for NetBIOS discovery of networked computers (default)
  • 161 for SNMP discovery of networked computers (default)
11 Instead of being gathered by FlexNet inventory agent, special inventory is gathered directly by the inventory beacon using APIs or other direct connections to the target device. Examples can include Microsoft Graph API, Salesforce API, Flexera SaaS Manager API, and the like. In other cases, scripts or executables run on the target device, and upload the resulting inventory to the inventory beacon.
  • 80, 443 for App-V version 5 or later adapter uploads (default)
  • 80, 443 for XenDesktop adapter uploads (default)
    Tip: On the XenDesktop server, port 5985 must be open, and PowerShell remoting (WinRM) must be enabled.
12 Remote execution, where the default ports depend on the target device and the remote execution technology in use (SMB for Windows, SSH for UNIX-like platforms).
  • 80, 443 for VM ESX/VCenter (default)
  • 1521, 2483 for Oracle DB (default)
  • 22 for SSH on Unix (default)
  • 445 for SMB on Windows (default)
  • 139 for NetBIOS (default)
13 Communications between inventory beacons — configured during implementation, using either the HTTP or HTTPS protocol and the DNS machine name (or IP address) of the inventory beacon server. All communications are "pull" by the child beacon; there is no downward "push". Example:


  • 80 (default for HTTP)
  • 443 (default for HTTPS)
  • If other values are configured during installation of the parent inventory beacon, the specialized port number is added to the URL. Example: https://parentBeaconName:886/

Communication from the FlexNet inventory agent or light-weight FlexNet Inventory Scanner to an inventory beacon — configured during installation of each inventory beacon.

The URLs for each inventory beacon are collated by the central server and shared with all inventory beacons and the FlexNet inventory agents they manage. Each FlexNet inventory agent contacts its nearest available inventory beacon to upload collected inventory. It is mandatory that the URL for each inventory beacon includes both the protocol (HTTP or HTTPS) and the port number on which it is listening for uploads.

In the case of the light-weight inventory scanner, there is no support for an upload infrastructure. You specify the destination for an upload with the command-line option, such as
-o UploadLocation="http://InventoryBeacon/ManageSoftRL"
If the scanner needs to upload to a non-default port, include this in the UploadLocation parameter, such as
-o UploadLocation="https://InventoryBeacon:886/ManageSoftRL"
  • 80 (default for HTTP)
  • 443 (default for HTTPS)
  • The port number (even when a default value) may be included in the URL that agents or scanners use for uploading. Example: http://parentBeaconname:80/

IT Asset Management (Cloud)