The device (IXrouter / IXagent) uses outgoing port(s) to establish a secure connection to the IXON Cloud. This means there is no need to open any incoming ports in your firewall.
How to grant network access to your device?
To grant the device the access that it requires, you may need to create exceptions in your firewall:
- for the device's ports & protocols.
- for the device in relevant company firewall settings.
- for the device to access necessary servers.
Ports & protocols
Below is an overview of all the ports and protocols that the device may utilize. If desired, please check with your device/machine supplier to see which ports and protocols are required.
|Outbound||443||TCP||HTTPS, MQTT (TLS), OpenVPN(1)|
|Outbound||53(3)||TCP & UDP||DNS|
|Outbound||(no port)(5)||ICMP (Echo request)||-|
(1) The very first package may be considered unencrypted as the OpenVPN handshake takes place prior to the TLS handshake. For this reason an exception may be required on firewall rules that block non-SSL traffic over SSL-ports.
(2) (Optional) Only used when stealth mode is activated for connectivity via a censored internet connection (i.e. when located in China).
(3) (Optional) DNS requests are often handled by local DNS servers. In those cases the listed DNS port can be ignored.
(4) (Optional) Used to synchronize the time for its internal system log, Cloud Logging data, and providing NTP functionality to the machine.
(5) (Optional) Only used when failover is configured.
Company firewall settings
There may be firewall settings active in the local company firewall that may unintentionally interfere with the device's connection(s). These firewall settings may require changes or exceptions for the device to establish its secure connections. An overview is listed below.
|MAC address filter||
Info: A firewall filter that only allows devices with a certain MAC address to establish an outgoing connection.IXON: The IXrouter's MAC address can be found on the label on the side of the IXrouter.
|IP address filter||
Info: A firewall filter that only allows outgoing connections (1) coming from devices with a certain IP address or (2) going to servers with certain IP addresses.IXON: The IXrouter's IP address is usually set to automatic, but can be set to a static IP address if so desired. Information about the IXON servers' IP addresses can be found below, at Servers & domains.
Info: A firewall filter that allows (whitelist), or blocks (blacklist), connections that are using certain application protocols.IXON: The application protocols used by the device can be found above, at Ports & protocols.
|SSL inspection, Deep packet inspection, or similar||
Info: A firewall feature that intercepts the connection and is then able to read/inspect the on-going communication (up to a certain degree). The behavior of this feature is similar to a man-in-the-middle attack, which means that something is actively inspecting or can even make changes to the remote connection and its contents.
IXON: The device will not establish its outgoing connections when this happens, as the security and integrity of the remote connection cannot be ensured. On a technical level the following happens: in the process of trying to establish its secure MQTT and OpenVPN connections, the device will receive an SSL certificate from the interfering party (e.g. the company firewall) and not from IXON, which is untrusted for reasons explained earlier, after which it will immediately abort that connection attempt.
Servers & domains
The device connects to different IXON servers: REST API, MQTT, and OpenVPN servers, which include the following domains:
- *.ayayot.com (phonetic IIoT)
Doing a DNS lookup (nslookup) at the following domain name always returns an up-to-date IP list of all current IXON servers:
With time, some servers may be removed or added to benefit the service. We strongly try to keep these changes to a minimum. If we add a server, we simply add a DNS record to the above mentioned whitelist.ixon.cloud. Likewise, if we remove a server, we will remove its DNS record.
To grant the device its necessary server access there is an easy and an alternative method:
Easy server access method: automatic updates
Make an exception for the domain name whitelist.ixon.cloud in your firewall, which will always return an up-to-date IP list of all current IXON servers. Your firewall will re-check the domain once the TTL expires and within an hour your firewall will be up-to-date in the event that a server is either added or removed.
Alternative server access method: manual updates
Execute a DNS lookup (nslookup) request for the domain name whitelist.ixon.cloud to get an IP list of all current IXON servers. You can then create exceptions to these IP addresses to grant the device the access it needs.
Please keep your firewall rules/exceptions up-to-date by periodically performing a DNS lookup and checking for changes to maintain optimal remote service accessibility.