How the x500 connects to the X4 Cloud (ports, protocols & servers)

The device (your x500) uses outgoing port(s) to establish a secure connection to the X4 Cloud. This means there is no need to open any incoming ports in your firewall.

  • Servers & domains
  • Ports & protocols
  • MAC or IP address
  • How to grant network access to your device?

Servers and domains

The device connects to different X4 servers: REST API, MQTT, and OpenVPN servers, which include the following domains:

  • *.Lenze.cloud
  • *.Lenze.net
  • *.ayayot.com (phonetic IIoT)

A DNS lookup (nslookup) of the following domain name always returns an up-to-date IP list of all current X4 servers:

  • whitelist.ayayot.com

Ports and Protocols

Below is an overview of the ports and protocols that the device utilizes.

Direction   Port            Transport   Application
Outbound    443             TCP         HTTPS, MQTT (TLS), OpenVPN(1)
Outbound    8443(2)         TCP         HTTPS
Outbound    53(3)           TCP & UDP   DNS
Outbound    123(4)          UDP         NTP
Outbound    (no port)(5)    ICMP        (Echo request)

(1) The very first packet may be considered unencrypted, as the OpenVPN handshake takes place prior to the TLS handshake. For this reason, an exception may be required for firewall rules that block non-SSL traffic over SSL ports.
(2) Only used when stealth mode is activated for connectivity via a censored internet connection (i.e. when located in China).
(3) DNS requests are often handled by local DNS servers. In those cases the listed DNS port can be ignored.
(4) (Optional) Used to synchronize the time.
(5) Only used when failover is configured.

MAC or IP address

Internet access may be granted to specific devices, based on their MAC or IP addresses. The x500’s MAC address can be obtained from the label on the side of the router. The IP address can be set to a static IP address. However, by default the IP address is set to be assigned dynamically via DHCP.

How to grant network access to your device?

Easy method: automatic updates

You may create an exception in your firewall for the domain name and the ports & protocols mentioned above to grant the device the access it needs.

Over time, some servers may be removed or added to benefit the service. We try hard to keep these changes to a minimum.

If we add a server, we simply add a DNS record. Your firewall will re-check the domain once the TTL expires. Within an hour your firewall will be up-to-date and allow traffic to the new IP address.

Likewise, if we remove a server, we will remove its DNS record, and your firewall will block any traffic to this IP address.

Alternative method: manual updates

You can execute a DNS lookup (nslookup) for the domain name mentioned above to get an IP list of all current X4 servers. You can then create exceptions for these IP addresses, in combination with the ports & protocols mentioned above, to grant the device the access it needs.

Over time, some servers may be removed or added to benefit the service. We try hard to keep these changes to a minimum.

Please keep your firewall rules/exceptions up-to-date by periodically performing a DNS lookup and checking for changes to maintain optimal remote service accessibility.
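One way to automate the periodic check described above, as an added example (not Lenze's code): it compares the IP addresses your firewall currently allows with a fresh lookup of whitelist.ayayot.com, refuses to act on an empty answer, and sets aside answers in internal ranges. The function names, the internal-range policy and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import socket

WHITELIST_DOMAIN = "whitelist.ayayot.com"  # lookup domain named on this page

# Internal ranges that a public server list should never contain; such an
# answer suggests a sinkholed or misconfigured resolver (assumed policy).
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/127", "fc00::/7", "fe80::/10")]


def resolve(domain=WHITELIST_DOMAIN):
    """Live lookup: the set of addresses the local resolver returns."""
    infos = socket.getaddrinfo(domain, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def plan_update(allowed, resolved):
    """Diff the firewall's allowed IPs against a fresh lookup result.

    Returns (to_add, to_remove, rejected) as sorted lists. Raises ValueError
    when no usable address remains, so a failed or poisoned lookup never
    leads to wiping the existing exceptions.
    """
    usable, rejected = set(), set()
    for text in resolved:
        addr = ipaddress.ip_address(text)
        internal = any(addr in net for net in _INTERNAL)
        (rejected if internal else usable).add(str(addr))
    if not usable:
        raise ValueError("no usable address in lookup; keep current rules")
    current = {str(ipaddress.ip_address(a)) for a in allowed}
    return sorted(usable - current), sorted(current - usable), sorted(rejected)


if __name__ == "__main__":
    # Constructed sample data (documentation ranges), not real X4 servers.
    # Replace `lookup` with resolve() to query the resolver for real.
    allowed = {"203.0.113.10", "203.0.113.11"}
    lookup = {"203.0.113.11", "203.0.113.12", "10.0.0.5"}
    to_add, to_remove, rejected = plan_update(allowed, lookup)
    print("add exceptions for:   ", to_add)
    print("remove exceptions for:", to_remove)
    print("ignored (internal):   ", rejected)
```

Apply the resulting additions and removals together with the ports & protocols listed above, and treat any rejected address as a reason to check the resolver before changing rules.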

 
