Network considerations
- Last Updated: May 1, 2026
- 2 minute read
- Automate MFT
- Documentation
Automate MFT is a cloud-native solution with infrastructure hosted on Amazon Web Services (AWS) in both the United States and Europe. When planning your deployment, consider the following:
Data residency and data center locations
- US Hosting: Primary region is Virginia (AWS us-east-1), with backup in N. California (AWS us-west-1).
- EU Hosting: Primary region is Ireland (AWS eu-west-1), with backup in Frankfurt, Germany (AWS eu-central-1).
Agent placement
Self-hosted agents: Install self-hosted agents on servers within your network that have access to the required endpoints. These agents can also access public endpoints if network access is available.
Progress-hosted agents: Used for tasks where all endpoints are publicly accessible. If endpoints require firewall whitelisting, administrators should allow access from the Progress-hosted agent IP addresses.
Whitelisting Progress-hosted agents
Some users need Progress-hosted agents to access endpoints that are publicly available but protected by firewalls. To enable this, administrators must whitelist the IP addresses used by Progress-hosted agents, making it practical to configure firewall rules for secure access. Only three IP addresses are used per hosting region:
98.85.37.6352.55.247.1833.224.52.249
54.73.46.2152.212.76.6852.210.14.205
Outbound connectivity requirements
If your organization uses outbound network filters, ensure that both end-users accessing the Automate MFT portal and self-hosted agents can reach the necessary Automate MFT SaaS services. These connections originate from your internal network to external cloud resources. This requirement only applies if outbound internet access is restricted.
Outbound connectivity requirements for self-hosted agents
If your organization restricts outbound internet traffic, ensure that self-hosted agents can establish outbound connections to Automate MFT.
- TCP 443 (HTTPS): used for agent communication with Automate MFT Cloud services.
- TCP 80 (HTTP): used only for OCSP and CRL certificate validation during HTTPS connections to Automate MFT Cloud services.
It is difficult to provide a concise list of IP addresses for outbound firewall rules. Instead, use the DNS names listed below for the Automate MFT SaaS service inbound services.
- Self-hosted agent:
- Temporary credentials: c3ra9acxthkfu5.credentials.iot.us-east-1.amazonaws.com
- IoT data endpoint: agent-iot-data.us.mft.progress.com
- Data ingestion API: data-ingestion.us.mft.progress.com
- Update functionality:
https://app-us-agent-public-artifacts.s3.us-east-1.amazonaws.com -
OCSP (Online Certificate Status Protocol):
http://ocsp.*.amazontrust.com -
CRL (Certificate Revocation Lists):
http://crl.*.amazontrust.com/*.crl
- Portal:
- UI: us.mft.progress.com
- API: api.us.mft.progress.com
- Cognito API: cognito-idp.us-east-1.amazonaws.com
- Self-hosted agent:
- Temporary credentials: c91omqeg54i9k.credentials.iot.eu-west-1.amazonaws.com
- IoT data endpoint: agent-iot-data.eu.mft.progress.com
- Data ingestion API: data-ingestion.eu.mft.progress.com
- Update functionality: https://app-production-agent-public-artifacts.s3.eu-west-1.amazonaws.com
-
OCSP (Online Certificate Status Protocol):
http://ocsp.*.amazontrust.com -
CRL (Certificate Revocation Lists):
http://crl.*.amazontrust.com/*.crl
- Portal:
- UI: eu.mft.progress.com
- API: api.eu.mft.progress.com
- Cognito API: cognito-idp.eu-west-1.amazonaws.com
Additional connectivity requirements for scripting on self‑hosted agents
If you are using scripting within tasks on self‑hosted agents, the agent must have outbound connectivity to the following endpoints so it can retrieve script content:
-
Customers in the US environment:
https://app-us-script-content.s3.us-east-1.amazonaws.com -
Customers in the EU environment:
https://app-eu-script-content.s3.eu-west-1.amazonaws.com