NinjaOne Backup — Network Allowlist & Firewall Requirements
Audience: T2
Use when: Setting up a new site, troubleshooting cloud connectivity errors (360, 131, 10053/10054), or confirming a UDM isn't blocking NinjaOne traffic.
What NinjaOne Backup Needs to Reach
Lockhart communicates with two categories of external endpoints:
NinjaOne Platform (agent management + credential retrieval):
| Domain | Port | Purpose |
|---|---|---|
| app.ninjarmm.com | 443 (HTTPS) | NinjaOne console and agent communication |
| backup.ninjarmm.com | 443 (HTTPS) | Backup-specific API and job coordination |
| *.ninjarmm.com | 443 (HTTPS) | Catch-all for NinjaOne subdomains |
AWS Cloud Storage (backup data upload/download):
| Domain | Port | Purpose |
|---|---|---|
| s3.amazonaws.com | 443 (HTTPS) | Primary S3 endpoint |
| s3.us-east-1.amazonaws.com | 443 (HTTPS) | US East region (primary DTC region) |
| s3.us-west-2.amazonaws.com | 443 (HTTPS) | US West region (failover) |
| *.s3.amazonaws.com | 443 (HTTPS) | S3 bucket-level addressing |
| *.amazonaws.com | 443 (HTTPS) | Catch-all for AWS services |
Testing Connectivity From a Device
```powershell
# Run on the affected device — tests all critical endpoints
$endpoints = @(
    "app.ninjarmm.com",
    "backup.ninjarmm.com",
    "s3.amazonaws.com",
    "s3.us-east-1.amazonaws.com",
    "s3.us-west-2.amazonaws.com"
)
$results = $endpoints | ForEach-Object {
    $r = Test-NetConnection -ComputerName $_ -Port 443 -WarningAction SilentlyContinue
    [PSCustomObject]@{
        Endpoint   = $_
        TCPOk      = $r.TcpTestSucceeded
        DNSOk      = ($null -ne $r.RemoteAddress)
        ResolvedIP = $r.RemoteAddress
    }
}
$results | Format-Table -AutoSize
# Flag any row where TCPOk = False or DNSOk = False
```
DNS Resolution Test
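```powershell
# Confirm DNS resolves NinjaOne and AWS domains
$domains = @("app.ninjarmm.com","backup.ninjarmm.com","s3.amazonaws.com")
$domains | ForEach-Object {
    # Capture the name first: inside catch, $_ is the error record, not the domain
    $domain = $_
    try {
        $r = Resolve-DnsName $domain -ErrorAction Stop
        # The first record can be a CNAME with no IPAddress; take the first address record
        $ip = ($r | Where-Object { $_.IPAddress } | Select-Object -First 1).IPAddress
        if (-not $ip) { throw "No address record returned" }
        Write-Host "$domain → $ip ✓"
    } catch {
        Write-Host "$domain → FAILED ✗"
    }
}
```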
If DNS fails: verify the device is using the UDM as its DNS server (DTC standard). The UDM's DNS should forward to an upstream resolver (1.1.1.1 or 8.8.8.8).
UDM Firewall — What to Check
Content filtering (DNSFilter): If DNSFilter is active at the site, verify these categories are not blocked:
- Cloud Storage
- Business Services / SaaS
- Amazon Web Services (may appear in threat categories with aggressive rulesets)
IPS/IDS: UniFi's IPS may flag sustained large uploads to AWS as anomalous. Check Settings → Security → IPS and review the blocked connections log for amazonaws.com entries.
Outbound firewall rules: All outbound HTTPS (port 443) should be permitted by default on the UDM. Verify no custom WAN-out rules are blocking:
UniFi → Settings → Firewall & Security → Firewall Rules → WAN Out — confirm no rules block destination *.amazonaws.com or *.ninjarmm.com.
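To separate a content-filtering or inspection problem from a plain TCP block, the following added example (not part of the original runbook) completes a TLS handshake to each endpoint listed above and reports the certificate issuer. The function name `Test-TlsHandshake` and the 5-second timeout are assumptions, and it assumes Windows PowerShell 5.1 on .NET Framework 4.7+ or PowerShell 7.

```powershell
# Added example: TLS handshake check for the endpoints listed on this page
$endpoints = @(
    "app.ninjarmm.com",
    "backup.ninjarmm.com",
    "s3.amazonaws.com",
    "s3.us-east-1.amazonaws.com",
    "s3.us-west-2.amazonaws.com"
)

function Test-TlsHandshake {   # hypothetical helper name
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)

    $row = [ordered]@{ Endpoint = $HostName; TCPOk = $false; TLSOk = $false; Issuer = $null; Detail = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Bounded connect so a silently dropped connection does not hang the script
        if (-not $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) {
            $row.Detail = "TCP connect timed out"
            return [PSCustomObject]$row
        }
        $row.TCPOk = $true

        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        # Default validation: throws if the chain is untrusted or the name does not match
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $row.TLSOk  = $true
        $row.Issuer = $cert.Issuer
        $ssl.Dispose()
    } catch {
        # Connection refused, reset during handshake, or certificate validation failure
        $row.Detail = $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
    [PSCustomObject]$row
}

$endpoints | ForEach-Object { Test-TlsHandshake -HostName $_ } | Format-Table -AutoSize -Wrap
```

A row with TCPOk = True but TLSOk = False, or an issuer that names a filtering or inspection product rather than a public CA, points at content filtering or TLS inspection on the path rather than a WAN Out firewall rule.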
NAS Connectivity (Local Leg)
The local backup leg uses SMB (port 445) from the device to the NAS:
| Protocol | Port | Purpose |
|---|---|---|
| SMB | 445 (TCP) | NAS share access for local backup writes |
```powershell
# Test SMB connectivity to NAS
Test-NetConnection -ComputerName "NAS-HOSTNAME" -Port 445
```
The NAS must be on the same VLAN (CORP) as the device, or routing between VLANs must allow SMB. Do not place the NAS on the Guest VLAN.
Proxy Environments
NinjaOne Backup does not support HTTP proxies. If a proxy is configured in the device's Internet Options or WinHTTP settings, Lockhart may not be able to reach NinjaOne endpoints:
```powershell
# Check system proxy settings
netsh winhttp show proxy
# If a proxy is configured: set to direct for NinjaOne endpoints, or bypass entirely
netsh winhttp set proxy proxy-server="proxy:port" bypass-list="*.ninjarmm.com;*.amazonaws.com"
```