This article assumes you've reviewed the available Configuration/Troubleshooting guidance for your particular Digi product, and have ensured your Gateway or device is otherwise configured properly for a Digi Remote Manager (aka Digi RM) connection.
Firewalls (and the IT security people that maintain them) are generally concerned with protecting a location's Local Area Network from unauthorized use: both traffic coming at the network from outside, and traffic going outward from within the local area network.
A Central Management-capable Digi product falls into the latter category, because the Digi device creates an outbound TCP socket connection to the Digi Remote Manager server. This EDP (easy device protocol) socket connection is a tunnel through which data from your Digi device gets pushed to our cloud server, so that the data is accessible from anywhere in the world.
Note: DNS service is strongly recommended. If access to DNS service is not allowed or possible from your network, the device's remote connectivity address would need to use an IP address, rather than the DNS name itself (see below under What IP address is needed for outbound Firewall rule(s)? for more details).
Those with Digi devices trying to connect to Digi Remote Manager from a location with strict outbound firewall rules will especially need the guidance found within this article. Some likely examples for this type of network security environment include: Government offices/buildings and institutions, Schools, Universities, and some Businesses (especially ones that do government contract work).
By default, the TCP and/or UDP port(s) your central management capable Digi Router, Gateway, or device uses to connect with Digi RM will depend in part on the age/firmware of your device, the device configuration, and model.
TCP Port 3197: The outbound EDP/non-SSL (non-secure) socket connection from older Digi products (or if the product uses older firmware), which may still be configured to use an un-encrypted socket connection into Digi Remote Manager.
Note: If possible, the firmware of older Digi products should be updated to the latest firmware version available to enable use of the SSL socket connection into Digi Remote Manager (see below).
TCP Port 3199: The outbound EDP/SSL (secure) socket connection from Digi Routers, Gateways, or other Digi devices with newer firmware, configured to create a secure SSL socket connection into Digi RM. The SSL socket connection into Digi RM is required on ALL Linux-based Gateways such as our DAL OS products and XBee Gateway. The SSL socket connection might also be required if the Digi Remote Manager account is configured to accept SSL connections only.
UDP Port 53: DNS (Domain Name Service) resolution, which translates the Digi RM server name (examples: my.devicecloud.com or edp12.devicecloud.com) to the required IP address.
UDP Port 123: Outbound socket connection to an NTP (time) server is required for ALL Linux-based Digi devices for NTP time management (unless an alternate clock source is allowed/configured for use).
Important Note concerning accurate date/time on a device:
Devices connecting to Digi Remote Manager via SSL socket connection must keep accurate date/time in order to establish the secure (SSL) TCP socket connection into Digi Remote Manager, or Digi RM will refuse the connection. For example, devices still using a Unix epoch or firmware release date-based date/timestamp will be unable to connect.
Note: If you've added a capable Digi device to your Digi Remote Manager account (but the device never shows up with Connected status), check to ensure that the date/time being kept on the device is current in order to meet the above requirement.
In general, you should not configure your device to use a non-default remote management host, URL, or server name. Allow the device to pick the correct server name based on the level of the firmware and the security capabilities of that firmware.
If you have already configured the firmware with an explicit name or IP address, consider removing that configuration and testing the device for connectivity to my.devicecloud.com or edp12.devicecloud.com.
Having the device auto-configure itself is not always possible, so you may need to choose between these server names:
Device types that should use edp12.devicecloud.com in order to get the most secure connection possible:
Devices not in the list above should generally use my.devicecloud.com.
The following host names are deprecated and should no longer be used.
The following host names are removed and must no longer be used:
The best way to determine the IP address is to nslookup the DNS name of the Remote Management server your device will be connecting to.
Modern Digi devices are configured for a correct Central Management server address at default. The DNS name of the Digi Remote Manager server should not be changed, or you may affect the connectivity characteristics (like security) of the device.
As of the date of this article (2/22/2022), here is how this looked from my Windows 10 command-line (Start - Run - CMD) prompt when doing nslookup of our various Remote Management and NTP ring servers:
Your device will use either my.devicecloud.com or edp12.devicecloud.com, depending on firmware type and version. Rather than using the following IP addresses, verify the IP address of the DNS name at configuration time, in case the IP address which the DNS name resolves to has changed since this article was published.
Use DNS names whenever possible:
C:\> nslookup my.devicecloud.com
C:\> nslookup edp12.devicecloud.com
The following past Device Cloud connectivity addresses may still be in use on devices. Devices using the following DNS names should be updated to use my.devicecloud.com or edp12.devicecloud.com (if the device firmware fully supports TLS 1.2), then re-connected to the server at the new address:
Addresses: 184.108.40.206, 220.127.116.11
The following DNS names may still be in use on devices (all devices should be updated to use time.devicecloud.com within their configuration):
If the IP address of the DNS name ever changes (before this article is updated to reflect it), a Windows CLI command can be used to determine the IP address of our server:
nslookup <DNS name of server>
The Name and Address fields will be the DNS name and IP address for the Remote Management or Time server listed. Your firewall rule will need to allow access for the appropriate network port used based on your Gateway's Device Management configuration, as well as UDP port 123 if NTP Time Management is in use.
If your device is configured to use a *.idigi.com or etherios.com DNS name to connect to Digi Remote Manager, it should be re-configured to use my.devicecloud.com or edp12.devicecloud.com (if the device firmware fully supports TLS 1.2) at your earliest convenience. You will need to create firewall rules for all IP addresses/ports used, for all Remote Management and Time DNS server names used in the device configuration.
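The following Python sketch is an added example, not Digi code: it turns the port guidance above into a concrete outbound allow-list by resolving the server names at configuration time, and probes the TCP rules from the local network. The function names, parameters and rule tuple layout are assumptions of this example; the ports and DNS names are the ones given in this article.

```python
import socket

EDP_SSL_PORT, EDP_PLAIN_PORT, DNS_PORT, NTP_PORT = 3199, 3197, 53, 123  # from the article

def resolve_ipv4(name):
    """Resolve a DNS name now, since published addresses may have changed."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def outbound_rules(server, use_ssl=True, linux_based=False,
                   ntp_server="time.devicecloud.com", dns_servers=(),
                   resolver=resolve_ipv4):
    """Return (protocol, destination IP, port, purpose) tuples to allow outbound.

    ntp_server=None means an alternate clock source is configured.
    dns_servers is empty when the device is configured with an IP, not a name.
    """
    if linux_based and not use_ssl:
        raise ValueError("Linux-based gateways require the SSL connection on TCP 3199")
    edp_port = EDP_SSL_PORT if use_ssl else EDP_PLAIN_PORT
    rules = [("tcp", ip, edp_port, "EDP to " + server) for ip in resolver(server)]
    rules += [("udp", ip, DNS_PORT, "DNS") for ip in dns_servers]
    if ntp_server:
        rules += [("udp", ip, NTP_PORT, "NTP to " + ntp_server)
                  for ip in resolver(ntp_server)]
    return rules

def tcp_reachable(ip, port, timeout=5.0):
    """True if an outbound TCP connection to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    # Run from the same network segment as the Digi device.
    for proto, ip, port, purpose in outbound_rules("edp12.devicecloud.com",
                                                   linux_based=True):
        status = ""
        if proto == "tcp":
            status = "reachable" if tcp_reachable(ip, port) else "BLOCKED or down"
        print(f"allow out {proto} -> {ip}:{port}  # {purpose} {status}")
```

UDP rules (DNS, NTP) are listed but not probed, because a UDP send succeeding locally says nothing about whether the firewall passed it; confirm those with nslookup and the device's own time status.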