Firewall Configuration for On-Premise Server (SOPS)

Background

There are two situations of the deployment:

    1. All devices are on the same local area network (or VPN);

    1. The SOPS is on the Internet; the hubs are on the local area network.

A. All-in-LAN deployment

This deployment is typically for a client with an in-house server as the data source (e.g., Microsoft Exchange, price database).

../_images/sops_install_case_one.png
  • If the data source is the Microsoft Exchange or other services inside the LAN/VPN, there’s no need to configure any inbound firewall rules for the SOPS.

  • F[1]: However, If the data source is the cloud-based calendar services like G Suite/Office 365, please set up the inbound rule for webhook. See section From Internet to SOPS (Inbound, for Data Source).

  • Meanwhile, to let the SOPS access some resources over the Internet, please don’t block some outbound domains & ports. See section From SOPS to Internet (Outbound).

B. Internet + LAN deployment

This deployment is typically for a client who installs hubs across multiple office locations and uses one SOPS to manage all of them. In this case, the SOPS is usually installed on a VPS on cloud services like AWS/Azure.

../_images/sops_install_case_two.png

Firewall Settings

Please check the following on your WiFi router or firewall:

From SOPS to Internet (Outbound)

SOPS will need to access some Internet services. Please allow the outbound to domains/ports below:

Services for OTA

Protocol

Port

Destination Domain

Functions

TCP

443, 8433

up.sync-sign.com

OTA Update Server

TCP

22, 443

github.com

OTA Firmware Server

TCP

443

registry.hub.docker.com, docker.io

OTA Docker Image Server

Basic Network Services

Protocol

Port

Destination Domain

Functions

UDP

123

pool.ntp.org, europe.pool.ntp.org, time.google.com

NTP Time Synchronisation

Services by Data Sources (Optional)

Protocol

Port

Destination Domain

Functions

TCP

443

www.googleapis.com

API of Google Calender/G-Suite

TCP

443

graph.microsoft.com

API of Office 365 Calendar

From Internet to SOPS (Inbound, for Hubs)

Protocol

Port

Destination Domain

Functions

TCP

8883, 8443

LAN IP of your-on-premise-server-domain

MQTT Remote Notification (mqtts/wss)

TCP

1883, 8888

your-on-premise-server-domain

MQTT Remote Notification (mqtt/ws)

TCP

80, 443

your-on-premise-server-domain

Device / Client API / Admin Portal

From Internet to SOPS (Inbound, for Data Source)

Protocol

Port

Destination Domain

Functions

TCP

80, 443

your-on-premise-server-domain

“Data-Updated” Notification Webhook Called by Data Source

Note

Only the data sources capable of “Send-Notification-on-Change” are required to set up the webhook, allowing the data source to notify the SOPS that there is new data to fetch. For those without this callback feature, SOPS can be configured as a Poll-at-Interval mechanism.

From Hubs to SOPS on the Internet (Outbound)

Protocol

Port

Destination Domain

Functions

TCP

8883, 8443

your-on-premise-server-domain

MQTT Remote Notification (mqtts/wss)

TCP

1883, 8888

your-on-premise-server-domain

MQTT Remote Notification (mqtt/ws)

TCP

80, 443

your-on-premise-server-domain

API

TCP

443

sync.sync-sign.com

Device Health Report

TCP

443

update.sync-sign.com

OTA Update Server

TCP

443

file.sync-sign.com

OTA Firmware Server

TCP

80

pub.sync-sign.com

Time Server (as failsafe to NTP)

See also: