
How Endpoint Central Works?

ManageEngine Endpoint Central is a web-based desktop and mobile administration software that helps administrators to effectively manage endpoints from a central point. It provides Configurations, Inventory Management, Patch Management, Service Pack Installation, Software Installation, Desktop Sharing, System Tools, Active Directory Reports and User Logon Report.

  1. Endpoint Central LAN Architecture

  2. Endpoint Central WAN Architecture

Endpoint Central LAN Architecture

The figure below depicts the Endpoint Central Architecture. The details of the individual components are given below:

Fig: Endpoint Central Architecture for LAN

Server Component

Endpoint Central Server, located at the enterprise (customer site), is responsible for performing the various Desktop Management activities. It pushes the Endpoint Central agent to the client machines, deploys configurations, initiates scanning for Inventory and Patch Management, and generates reports on the Active Directory infrastructure components to effectively manage the desktops in the enterprise network. It is advised to keep the Endpoint Central server always running to carry out the day-to-day Desktop Management activities. All these actions can be initiated from a web-based administration console in a few simple clicks.

Agent Component

Endpoint Central Agent is light-weight software that is installed on the client systems being managed using Endpoint Central. It acts as a worker that carries out the operations instructed by the Endpoint Central Server. It is also responsible for updating the Endpoint Central Server with the status of the deployed configurations. The agent periodically pulls instructions from the Endpoint Central Server and executes the tasks. The agent contacts the server at the following intervals:

  1. For user-specific configurations - during user logon and every 90 minutes thereafter until the user logs out of the computer.
  2. For computer-specific configurations - during system startup and every 90 minutes thereafter until the system is shut down.
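
The 90-minute contact interval above gives a defender a simple baseline: an agent that stays silent for several consecutive windows is either off, cut off by a firewall, or no longer running. The following is an added example (not ManageEngine code) that flags such agents from a constructed check-in export; the CSV layout and the three-window threshold are assumptions.

```python
"""Flag Endpoint Central agents that have stopped checking in.

The page states agents pull instructions from the server every 90 minutes
(after logon for user configurations, after startup for computer ones).
Added example, not ManageEngine code; the check-in export is constructed.
"""
from datetime import datetime, timedelta, timezone

POLL_INTERVAL = timedelta(minutes=90)  # agent contact interval stated on this page
MISSED_WINDOWS_THRESHOLD = 3           # assumption: report after 3 missed windows
STAMP_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample export: hostname, last contact time (UTC)
SAMPLE_CHECKINS = """\
host,last_contact
ws-001,2024-05-01T08:05:00Z
ws-002,2024-05-01T02:10:00Z
ws-003,2024-04-30T12:00:00Z
"""

def parse_stamp(stamp):
    """Parse a UTC timestamp in the constructed export format."""
    return datetime.strptime(stamp.strip(), STAMP_FORMAT).replace(tzinfo=timezone.utc)

def parse_checkins(text):
    """Parse the CSV export into {host: last_contact datetime (UTC)}."""
    rows = {}
    for line in text.splitlines()[1:]:      # skip the header row
        if not line.strip():
            continue
        host, stamp = line.split(",", 1)
        rows[host.strip()] = parse_stamp(stamp)
    return rows

def stale_agents(checkins, now, threshold=MISSED_WINDOWS_THRESHOLD):
    """Return {host: missed_windows} for agents silent for >= threshold polls."""
    stale = {}
    for host, last in checkins.items():
        missed = (now - last) // POLL_INTERVAL   # whole 90-minute windows elapsed
        if missed >= threshold:
            stale[host] = missed
    return stale

def check_sample(now_stamp="2024-05-01T09:00:00Z"):
    """Run the check over the constructed export at a fixed reference time."""
    return stale_agents(parse_checkins(SAMPLE_CHECKINS), parse_stamp(now_stamp))

if __name__ == "__main__":
    for host, missed in sorted(check_sample().items()):
        print(f"{host}: no contact for {missed} polling windows")
```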

Patch Database

The Patch Database is a portal on the ManageEngine site, which hosts the latest vulnerability database, published after thorough testing. The Endpoint Central Server periodically synchronizes this information and scans the systems at the enterprise site to determine the missing patches. Subsequently, the patches are installed to fix the vulnerabilities.

The communication between the Endpoint Central Server and the Patch Database is through the Proxy Server or a direct connection to the Internet. The required patches are downloaded from the Microsoft website and stored locally on the Endpoint Central Server before being deployed to the client computers. Hence, each client computer (agent) takes the patch binaries from the Endpoint Central Server.

Web Console

  1. Provides a central control point for all the desktop management functions.
  2. Can be accessed from anywhere: LAN, Remote Offices, and Home through Internet/VPN.
  3. No separate client installations are required.

Active Directory

For an Active Directory based Domain setup, the Endpoint Central Server queries the Active Directory to generate out-of-the-box reports for Sites, Domains, Organizational Units, Groups, Computers, etc., which gives you complete visibility into the Active Directory.

Port Details

Ports to be opened on the Agent

To enable remote installation of the Agent, the following ports should be open; they may not be required after the agent is installed.

  1. 135: Used to enable remote administration.

  2. 139 & 445: Used to enable sharing of files and printers.

Ports to be opened on the Server

  1. 8020: Used for agent-server communication and to access the Web console

  2. 8383: Used for secured communication between the agent and the Endpoint Central server

  3. 389: Used for communication with Active Directory Domain Controller

  4. 636: Used for secure communication with Active Directory Domain Controller

  5. 8443: Used for the Remote Control feature with secured communication

  6. 8444: Used for the Remote Control feature

  7. 8027: Used to complete on-demand tasks like inventory scanning, patch scanning, remote control, remote shutdown and moving agents from one remote office to another

Endpoint Central WAN Architecture

Endpoint Central supports managing computers in a distributed setup, such as branch/remote offices, and for mobile users (for example, sales staff). The figure below depicts the Endpoint Central Architecture for managing computers across a WAN. The details of the individual components are given below:

Fig: Endpoint Central WAN Architecture

Advantages

  1. Simple, fast, and an affordable solution for your desktop management needs.

  2. Low bandwidth utilization

  3. Network-neutral desktop management.

  4. No separate VPN infrastructure is required.

  5. Secured communication between the Server and the Agent.

  6. Centralized management of computers from a single console.

Server Component

Endpoint Central Server has to be installed in your LAN (say, the head office) and configured as an EDGE device. This means that the designated port (default 8020; configurable) must be accessible from the Internet. You need to adopt the necessary security standards to harden the OS on which the Endpoint Central Server is installed. Agents from all the remote locations report to this Endpoint Central Server.

The Server acts as a container that stores the configuration details and, upon request, provides the instructions to the agents. It is advised to keep the Endpoint Central server always running to carry out the day-to-day Desktop Management activities.

Distribution Server Component

Endpoint Central Distribution Server is light-weight software that is installed on one of the computers in a branch office. This Distribution Server communicates with the Endpoint Central Server to pull the information for all the computers in that branch. The agents residing on the branch office computers contact the Distribution Server to get the patch, software and script details available to them and process the requests.

  1. Low bandwidth utilization as only one agent will contact the Server periodically

  2. Pulls the configuration details, software packages, patches to be installed, etc., from the Endpoint Central Server and makes them available to the rest of the computers in the branch.

  3. Supports secured mode of communication (SSL/HTTPS) with the Server.

  4. Distribution Server installation is one-time and subsequent upgrades will be automatically performed.

Agent Component

Endpoint Central Agent is light-weight software that is installed on the client systems being managed using Endpoint Central. It acts as a worker that carries out the operations instructed by the Endpoint Central Server.

  1. Unobtrusive light-weight component.

  2. Can be installed either manually or through the logon script on all the computers being managed using Endpoint Central. However, for computers in the LAN, the agents are installed automatically.

  3. Agent installation is one-time and subsequent upgrades will be automatically performed.

  4. For computers in the same LAN as the Endpoint Central Server, the agent periodically connects to the Server to PULL the configurations available to it, deploys them and updates the status back to the Server.

  5. For computers in Branch Offices, the agent contacts the Master Agent to PULL the configurations available to it, deploys them and updates the status back to the Server.

Web Console

  1. Provides a central control point for all the desktop management functions.

  2. Can be accessed from anywhere: LAN, Remote Offices, and Home through Internet/VPN.

  3. No separate client installations are required.

Port Details

Ports to be Opened on the Agent

To enable remote installation of the Agent, the following ports should be open; they may not be required after the agent is installed.

  1. 135: Used to enable remote administration.

  2. 139 & 445: Used to enable sharing of files and printers.

Ports to be Opened on the Server

  1. 8020: Used for agent-server communication and to access the Web console

  2. 8383: Used for secured communication between the agent and the Endpoint Central server

  3. 389: Used for communication with Active Directory Domain Controller

  4. 636: Used for secure communication with Active Directory Domain Controller

  5. 8443: Used for the Remote Control feature with secured communication

  6. 8444: Used for the Remote Control feature

  7. 8027: Used to complete on-demand tasks like inventory scanning, patch scanning, remote control, remote shutdown and moving agents from one remote office to another.

Ports to be Opened on the Distribution Server

  1. 8021: Used for communication between the agents in Remote Offices and the Distribution Server

  2. 8384: Used for secured communication between the agents in Remote Offices and the Distribution Server
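
The two Port Details sections (Server and Distribution Server) list which listeners each role needs. An operator hardening an EDGE-facing server wants to verify that exactly those ports are open and nothing else is. The following added example (not ManageEngine code) parses `netstat -an` style output and compares the listening TCP ports with this page's lists; the netstat text is constructed, and the role names and the 3389 listener in the sample are assumptions.

```python
"""Audit which Endpoint Central ports a host is actually listening on.

Compares listening TCP ports parsed from Windows `netstat -an` output with
the port roles listed on this page for the Endpoint Central Server and the
Distribution Server. Added example, not ManageEngine code; netstat text is
constructed.
"""
import re

# Port roles as listed on this page (Server and Distribution Server sections)
SERVER_PORTS = {
    8020: "agent-server communication and web console",
    8383: "secured agent-server communication",
    8443: "remote control (secured)",
    8444: "remote control",
    8027: "on-demand tasks (scans, remote control, shutdown, agent moves)",
}
DISTRIBUTION_SERVER_PORTS = {
    8021: "remote-office agents to Distribution Server",
    8384: "secured remote-office agents to Distribution Server",
}
ROLE_PROFILES = {"server": SERVER_PORTS, "distribution_server": DISTRIBUTION_SERVER_PORTS}

# Matches lines such as "  TCP    0.0.0.0:8020    0.0.0.0:0    LISTENING"
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\b", re.IGNORECASE)

# Constructed sample for a host meant to be the Endpoint Central Server
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:8020           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8383           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:8020          10.0.0.77:51000        ESTABLISHED
"""

def listening_ports(netstat_text):
    """Return the set of TCP ports in LISTENING state (ESTABLISHED rows ignored)."""
    return {int(m.group(1)) for line in netstat_text.splitlines()
            if (m := LISTEN_RE.match(line))}

def audit(netstat_text, role):
    """'missing': ports the role needs but are closed; 'extra': listeners not on this page's list."""
    expected = set(ROLE_PROFILES[role])
    open_ports = listening_ports(netstat_text)
    return {"missing": sorted(expected - open_ports), "extra": sorted(open_ports - expected)}

if __name__ == "__main__":
    result = audit(SAMPLE_NETSTAT, "server")
    for port in result["missing"]:
        print(f"missing {port}: {SERVER_PORTS[port]}")
    print("extra listeners to review:", result["extra"])
```

Missing ports break the feature they serve (here 8444 and 8027), while extra listeners on an Internet-facing server are the ones to justify or close.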