Firewall concerns for outbound EDP connections to Device Cloud or Remote Manager

Prerequisites:

This article assumes you've reviewed the available Configuration/Troubleshooting guidance for your particular Digi product, and have ensured your Gateway or device is otherwise configured properly for a Device Cloud or Remote Manager connection.
 

Firewall concerns:

 

Firewalls (and the IT security staff who maintain them) are generally concerned with protecting a location's Local Area Network from unauthorized use, both from traffic entering the network from the outside world and from traffic leaving the local area network.  A Remote Management-capable Digi product falls into the latter category, because the Digi device creates an outbound TCP socket connection to the Device Cloud or Remote Manager server.  This EDP (easy device protocol) socket connection is a tunnel through which data from your Gateway is pushed to Device Cloud, so that the data can be accessed from anywhere in the world.  Because the device initiates the connection, the rules that matter are the outbound (egress) rules for the ports described below.
 

The following article describes:

  • The IP socket connections used when a Digi RF Gateway, TransPort Router, or edp-capable device (using Digi Cloud connector) makes a Remote Management connection to Device Cloud or Remote Manager.
  • How to determine the IP address in use for a given Device Cloud or Remote Manager DNS name.

Note:  DNS service is strongly recommended.  If access to DNS service is not allowed or possible from your network, the device's remote connectivity address must be configured as one of the server IP addresses rather than the DNS name itself, and that IP address can change (see below under What IP address is needed for outbound Firewall rule(s)? for more details).
 


Locations where it is likely that Firewall Rules will be needed:

Those who are trying to connect to Device Cloud or Remote Manager from a location which has strict outbound firewall rules will especially need the guidance found within this article.  Some likely examples for this type of network security environment include:  Government offices/buildings and institutions, Schools, Universities, and some Businesses (especially ones that do government contract work).
 

What network port(s) does a capable device use to connect to Digi Remote Manager?

Which TCP and/or UDP port(s) your Device Cloud-capable Gateway or device uses to connect with Device Cloud depends on the product model, its firmware version (older firmware may default to the un-encrypted connection), and the device's current configuration.

TCP Port 3197:  The outbound EDP/non-SSL (non-secure) socket connection from NDS-based products such as the ConnectPort X2 / X4 / X5 / X8 Gateways and the ERT/Ethernet Gateway (especially with older firmware), which may still be configured to create an un-encrypted Device Cloud socket connection.  Traffic on this port is cleartext, so it should only be allowed as a transition measure until the device can be moved to the SSL connection on TCP port 3199.

Note:  If possible, the firmware of older products should be updated so that the Device Cloud configuration settings can be changed to use SSL socket connections into Device Cloud instead (see next entry below).  Some updates may cause connectivity requirements to change; for example, after an update a device might connect to a different, more secure Device Cloud server (IP address) than it used before the update, so re-check your firewall rules after updating.

TCP Port 3199:   The outbound EDP/SSL (secure) socket connection from NDS-based products such as the ConnectPort X2 / X4 / X5 / X8 Gateways and the ERT/Ethernet Gateway with newer firmware, when configured to create a secure SSL socket connection into Device Cloud.  Required on ALL Linux-based Gateways, for example the XBee Gateway ZB and the ConnectPort X2e for Smart Energy.  Also required if the Device Cloud account is configured to accept SSL connections only (a Device Cloud option added in version 2.16).  This is the port to allow in any new deployment.

UDP Port 53:  Outbound DNS (Domain Name Service) name resolution, i.e. translating the name of the Device Cloud server (for example, my.devicecloud.com or edp12.devicecloud.com) to the required IP address.  Allow this from the device itself, or from the internal resolver the device is configured to use if that resolver forwards queries through the firewall (DNS also falls back to TCP port 53 for responses too large for a single UDP datagram).

Note:  As noted above, DNS service is strongly recommended; without it the device must be configured with one of the server IP addresses instead of the DNS name (see below under What IP address is needed for outbound Firewall rule(s)?).

UDP Port 123:  The outbound socket connection to an NTP (time) server.  Required for ALL Linux-based Gateways such as the XBee Gateway and ConnectPort X2e, as well as any gateway or device configured for NTP time management.


Important Note for devices configured for NTP Time Management by default:

Digi devices which are Linux-based (and non-Linux devices configured for NTP) require outbound access to UDP port 123 in order to sync date/time with the NTP server.  Correct date/time is required on the device in order to establish the secure (SSL) TCP socket connection into Digi Remote Manager, because the server certificate's validity period is checked during the handshake; a device whose clock is wrong (for example, still at its factory default) will reject the certificate and the connection will fail.

If your Digi device is added to your Digi Remote Manager account but never shows up with a Connected status (and the device date/time is incorrect), check to ensure that outbound NTP access is available for the device through your local network Firewall.
 

What Digi Device Cloud and Remote Manager server should my Digi device connect to?

In general, you should not configure your device to use a non-default remote management host, URL, or server name. Allow the device to pick the correct server name based on the level of the firmware and the security capabilities of that firmware.
If you have already configured the firmware with an explicit name or IP address, consider removing that configuration and testing the device for connectivity to my.devicecloud.com or edp12.devicecloud.com.

Having the device auto-configure itself is not always possible, so you may need to choose between these server names:
  • edp12.devicecloud.com - Appropriate for devices that:
    • Fully support TLS 1.2
    • Should not fall back to less secure connectivity
    • Support negotiation for device side certificates.
  • my.devicecloud.com – Appropriate for devices with older firmware or that have not yet been updated for the security enhancements associated with edp12.devicecloud.com


edp12.devicecloud.com:

Device types that should use edp12.devicecloud.com in order to get the most secure connection possible:
  • Any device running Digi Accelerated Linux operating system at firmware version 22.2.x or later should use edp12.devicecloud.com.
  • Specifically, any device in the following list that is running firmware 22.2.x or later and is configured to use Remote Manager for central management should use edp12.devicecloud.com for the Remote Manager URL.  Note: since the writing of this article there may be new Digi Accelerated Linux device types; treat those the same way.
    • AcceleratedConcepts 5400-RM
    • AcceleratedConcepts 5401-RM
    • AcceleratedConcepts 6300-CX
    • AcceleratedConcepts 6310-DX
    • AcceleratedConcepts 6330-MX
    • AcceleratedConcepts 6335-MX
    • AcceleratedConcepts 6350-SR
    • AcceleratedConcepts 6355-SR
    • Digi AnywhereUSB 2 Plus
    • Digi AnywhereUSB 2 Plus Industrial
    • Digi AnywhereUSB 8 Plus
    • Digi AnywhereUSB 8W Plus
    • Digi AnywhereUSB 24 Plus
    • Digi AnywhereUSB 24W Plus
    • Digi Connect EZ-Mini
    • Digi Connect EZ2
    • Digi Connect EZ4
    • Digi ConnectIT-Mini
    • Digi ConnectIT4
    • Digi ConnectIT16
    • Digi ConnectIT48
    • Digi EX12
    • Digi EX12-PR
    • Digi EX15
    • Digi EX15-PR
    • Digi EX15W
    • Digi EX15W-PR
    • Digi EX50
    • Digi IX10
    • Digi IX14
    • Digi IX15
    • Digi IX20
    • Digi IX20-PR
    • Digi IX20W
    • Digi IX20W-PR
    • Digi IX30
    • Digi IX30-PR
    • Digi LR54
    • Digi LR54W
    • Digi TX54-Dual-Cellular
    • Digi TX54-Dual-Cellular-PR
    • Digi TX54-Dual-Wi-Fi
    • Digi TX54-Single-Cellular
    • Digi TX54-Single-Cellular-PR
    • Digi TX64
    • Digi TX64-PR
    • Digi TX64-Rail-Single-Cellular
    • Digi TX64-Rail-Single-Cellular-PR

my.devicecloud.com:

Devices not in the list above should generally use my.devicecloud.com.  If you want to move such a device (or one running older firmware) to edp12.devicecloud.com, test it against edp12.devicecloud.com first and only then make it the configured target server.
 

Deprecated DNS names:

The following host names are deprecated and should no longer be used.
  • devicecloud.digi.com
  • devicecloud-uk.digi.com
 

Removed DNS names:

The following host names are removed and must no longer be used:
  • *.idigi.com (my.idigi.com, app.idigi.com, my.idigi.co.uk, etc)
  • *.etherios.* (login.etherios.com, login.etherios.co.uk, etc)
 

What IP address is needed for outbound Firewall rule(s)?

The best way to determine the IP address is to run nslookup against the DNS name of the Remote Management server your device will be connecting to.

All modern Digi devices ship with the correct Central Management server address by default, and that target server DNS name should not be changed, or you may alter the connectivity characteristics (including security) of the device.

As of the date of this article (2/22/2022), here is how this looked from my Windows 10 command line (Start - Run - CMD) prompt when doing nslookup of our various Remote Management and NTP ring servers:
 

Digi Remote Manager device connectivity address:


Your device will use either my.devicecloud.com or edp12.devicecloud.com, depending on firmware type and version.  Rather than using the following IP addresses, verify the IP address of the DNS name at configuration time, in case the IP address which the DNS name resolves to has changed since this article was published.

Use DNS names whenever possible:

C:\> nslookup my.devicecloud.com
Name:  my.devicecloud.com
Address:  52.73.23.137

C:\> nslookup edp12.devicecloud.com
Name:  edp12.devicecloud.com
Address:  52.73.109.182

NOTE: the IP address behind edp12.devicecloud.com will definitely change in the coming months; do not hard-code it into a firewall rule without a plan to re-check it.

Past Device Cloud connectivity addresses which may still be in use on devices. All device configurations should be updated to use my.devicecloud.com or edp12.devicecloud.com (if the device firmware fully supports TLS 1.2), then re-connected to the server at the new address:
  • devicecloud.digi.com
  • login.etherios.com
  • my.idigi.com
  • app.idigi.com
  • devicecloud-uk.digi.com
  • login.etherios.co.uk
  • my.idigi.co.uk

Digi Primary NTP Time Server Ring addresses:

C:\>nslookup time.devicecloud.com
Name:     time.devicecloud.com
Addresses:  35.164.164.69, 52.2.40.158
 

Secondary/Tertiary NTP Time Server addresses for pool usage:

C:\>nslookup 0.time.devicecloud.com
Name:     0.time.devicecloud.com
Addresses:  52.2.40.158

C:\>nslookup 1.time.devicecloud.com
Name:     1.time.devicecloud.com
Addresses:  35.164.164.69
 

Deprecated NTP/Time server addresses:

These may still be in use on devices (all devices should be updated to use time.devicecloud.com within their configuration):
  • time.digi.com
  • time.etherios.com
  • time.etherios.co.uk
  • 0.idigi.pool.ntp.org
  • 1.idigi.pool.ntp.org
  • 2.idigi.pool.ntp.org

Making the Firewall Rules:

If the IP address of the DNS name ever changes (before this article is updated to reflect it), the nslookup command (available on Windows, Linux, and macOS) can be used to determine the current IP address of our server:
  nslookup <DNS name of server>

The Name and Address fields will be the DNS name and IP address for the Remote Management or Time server listed.  Your firewall rule will need to allow access for the appropriate network port used based on your Gateway's Device Management configuration, as well as UDP port 123 if NTP Time Management is in use.  Because these addresses are subject to change, IP-based rules should be re-checked periodically (and whenever devices stop connecting); if your firewall supports FQDN-based rules, prefer those over static IP addresses.
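The rule-making procedure in this section and the port list above (TCP 3199 or 3197, UDP 53, UDP 123) can be scripted.  The following is an added example, not Digi's code: it parses nslookup output of the form shown on this page into name/address pairs (ignoring the resolver's own Address line that nslookup prints under Server:), emits an iptables egress allowlist for those addresses (TCP 3199 for the Remote Manager names, UDP 123 for the time names, DNS to an assumed internal resolver, cleartext TCP 3197 only when explicitly enabled, and a LOG/REJECT catch-all for anything else on those ports), flags when a later resolution no longer matches the snapshot the rules were built from, and includes an openssl-based check that a TLS 1.2 handshake actually gets through.  The host names are the ones from this article; the resolver address 192.168.1.1, the file names, and the iptables layout are assumptions.

```shell
#!/bin/sh
# Added example (not Digi's code): nslookup output -> egress allowlist, plus
# drift detection. Assumes POSIX sh + awk, iptables on the firewall host, an
# internal DNS forwarder at RESOLVER_IP (placeholder 192.168.1.1), IPv4 only.

# parse_nslookup: read nslookup output on stdin, print "name ip" per answer.
# Only Address lines that follow a "Name:" line are answers; the "Address:"
# printed under "Server:" at the top of the output is the resolver itself.
# Handles "Addresses: a, b" on one line and one address per continuation line.
parse_nslookup() {
    awk '
        /^Server:/ { name = ""; next }
        /^Name:/   { name = $2; next }
        name != "" && /^Address(es)?:/ {
            sub(/^Address(es)?:[ \t]*/, "")
            n = split($0, ips, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (ips[i] ~ /^[0-9.]+$/) print name, ips[i]
            next
        }
        name != "" && /^[ \t]+[0-9.]+[ \t]*$/ { gsub(/[ \t]/, ""); print name, $0 }
    '
}

# gen_rules: read "name ip" lines on stdin, print iptables commands.
# Remote Manager hosts get TCP 3199 (SSL/TLS); time hosts get UDP 123.
# TCP 3197 (cleartext EDP) is emitted only when ALLOW_CLEARTEXT_EDP=1, for
# devices not yet updated. Anything else to 3197/3199 is logged and rejected,
# so a device still pointed at a deprecated name shows up in the firewall log.
gen_rules() {
    resolver="${RESOLVER_IP:-192.168.1.1}"    # assumed internal DNS forwarder
    printf 'iptables -A OUTPUT -p udp -d %s --dport 53 -j ACCEPT\n' "$resolver"
    printf 'iptables -A OUTPUT -p tcp -d %s --dport 53 -j ACCEPT\n' "$resolver"
    while read -r name ip; do
        case "$name" in
            *time.devicecloud.com)
                printf 'iptables -A OUTPUT -p udp -d %s --dport 123 -m comment --comment "%s" -j ACCEPT\n' "$ip" "$name" ;;
            my.devicecloud.com|edp12.devicecloud.com)
                printf 'iptables -A OUTPUT -p tcp -d %s --dport 3199 -m comment --comment "%s" -j ACCEPT\n' "$ip" "$name"
                if [ "${ALLOW_CLEARTEXT_EDP:-0}" = 1 ]; then
                    printf 'iptables -A OUTPUT -p tcp -d %s --dport 3197 -m comment --comment "%s transition only" -j ACCEPT\n' "$ip" "$name"
                fi ;;
            *)
                printf '# skipped %s %s: not a current Remote Manager or time host\n' "$name" "$ip" ;;
        esac
    done
    printf 'iptables -A OUTPUT -p tcp -m multiport --dports 3197,3199 -j LOG --log-prefix "EDP-unexpected-dst "\n'
    printf 'iptables -A OUTPUT -p tcp -m multiport --dports 3197,3199 -j REJECT\n'
}

# check_drift OLD NEW: compare the "name ip" snapshot saved when the rules were
# last generated with a fresh one. Returns 0 if unchanged, 1 if any address was
# added or removed (prints the differences; regenerate the rules in that case).
check_drift() {
    old=$(sort "$1"); new=$(sort "$2")
    [ "$old" = "$new" ] && return 0
    printf 'address set changed; regenerate rules. Removed (<) / added (>):\n' >&2
    t=$(mktemp) && sort "$1" > "$t"
    sort "$2" | diff "$t" - >&2 || true
    rm -f "$t"
    return 1
}

# preflight_tls HOST PORT: run from the device's network segment to confirm that
# the firewall lets a TLS 1.2 handshake through to the Remote Manager host.
# Needs the openssl CLI; a timeout or reset here means a rule is missing.
preflight_tls() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" -tls1_2 >/dev/null 2>&1
}

# Live usage (needs network): resolve the current names, save a snapshot
# (edp_resolved.txt, assumed file name) and print the rules:
#   sh edp_rules.sh --live > edp_rules.out
if [ "${1:-}" = "--live" ]; then
    for h in my.devicecloud.com edp12.devicecloud.com \
             time.devicecloud.com 0.time.devicecloud.com 1.time.devicecloud.com; do
        nslookup "$h"
    done | parse_nslookup | tee edp_resolved.txt | gen_rules
    preflight_tls edp12.devicecloud.com 3199 && echo "TLS 1.2 to edp12.devicecloud.com:3199 OK" >&2
fi
```

Keep the edp_resolved.txt snapshot and re-run check_drift against a fresh resolution on a schedule, since the article itself warns that the edp12.devicecloud.com address will change.  The trailing LOG/REJECT rules for 3197/3199 are the detection half: a device still configured with a deprecated *.idigi.com or etherios name will show up in the firewall log with the EDP-unexpected-dst prefix instead of silently failing to connect.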
 

Important Note regarding deprecated DNS names:

If your device is configured to use a *.idigi.com or etherios.* DNS name to connect to Digi Remote Manager, it should be re-configured to use my.devicecloud.com or edp12.devicecloud.com (if the device firmware fully supports TLS 1.2) at your earliest convenience. You will need to create firewall rules for all IP addresses/ports used, for all Remote Management and Time DNS server names used in the device configuration.
Last updated: Mar 22, 2019

Filed Under

Digi Remote Manager
