Firewall Configuration for On-Premise Server (SOPS)¶

Background¶

There are two situations of the deployment:

1. All devices are on the same local area network (or VPN);
1. The SOPS is on the Internet; the hubs are on the local area network.

A. All-in-LAN deployment¶

This deployment is typically for a client with an in-house server as the data source (e.g., Microsoft Exchange, price database).

If the data source is the Microsoft Exchange or other services inside the LAN/VPN, there’s no need to configure any inbound firewall rules for the SOPS.
F[1]: However, If the data source is the cloud-based calendar services like Google Workspace (G Suite)/Office 365, please set up the inbound rule for webhook. See section From Internet to SOPS (Inbound, for Data Source).
Meanwhile, to let the SOPS access some resources over the Internet, please don’t block some outbound domains & ports. See section From SOPS to Internet (Outbound).

B. Internet + LAN deployment¶

This deployment is typically for a client who installs hubs across multiple office locations and uses one SOPS to manage all of them. In this case, the SOPS is usually installed on a VPS on cloud services like AWS/Azure.

F[1]: If the data source is the cloud-based calendar services like Google Workspace (G Suite)/Office 365, please set up the inbound rule for webhook. See section From Internet to SOPS (Inbound, for Data Source).
F[2]: To allow the Hubs to connect to the SOPS, please set up the inbound firewall rules on the cloud service, see section From Internet to SOPS (Inbound, for Hubs).
F[3]: To allow the Hubs to connect to the SOPS, please don’t block the Hubs accessing to the SOPS, see section From Hubs to SOPS on the Internet (Outbound).
Meanwhile, to let the SOPS access some resources over the Internet, please don’t block some outbound domains & ports. See section From SOPS to Internet (Outbound).

Firewall Settings¶

Please check the following on your WiFi router or firewall:

From SOPS to Internet (Outbound)¶

SOPS will need to access some Internet services. Please allow the outbound to domains/ports below:

Services for OTA¶

Protocol	Port	Destination Domain	Functions
TCP	443, 8433	up.sync-sign.com	OTA Update Server
TCP	22, 443	github.com	OTA Firmware Server
TCP	443	registry.hub.docker.com, docker.io	OTA Docker Image Server

Basic Network Services¶

Protocol	Port	Destination Domain	Functions
UDP	123	pool.ntp.org, europe.pool.ntp.org, time.google.com	NTP Time Synchronisation

Services by Data Sources (Optional)¶

Protocol	Port	Destination Domain	Functions
TCP	443	www.googleapis.com	API of Google Calender/G-Suite
TCP	443	graph.microsoft.com	API of Office 365 Calendar

From Internet to SOPS (Inbound, for Hubs)¶

Protocol	Port	Destination Domain	Functions
TCP	8883, 8443	LAN IP of your-on-premise-server-domain	MQTT Remote Notification (mqtts/wss)
TCP	1883, 8888	your-on-premise-server-domain	MQTT Remote Notification (mqtt/ws)
TCP	80, 443	your-on-premise-server-domain	Device / Client API / Admin Portal

From Internet to SOPS (Inbound, for Data Source)¶

Protocol	Port	Destination Domain	Functions
TCP	80, 443	your-on-premise-server-domain	“Data-Updated” Notification Webhook Called by Data Source

Note

Only the data sources capable of “Send-Notification-on-Change” are required to set up the webhook, allowing the data source to notify the SOPS that there is new data to fetch. For those without this callback feature, SOPS can be configured as a Poll-at-Interval mechanism.

From Hubs to SOPS on the Internet (Outbound)¶

Protocol	Port	Destination Domain	Functions
TCP	8883, 8443	your-on-premise-server-domain	MQTT Remote Notification (mqtts/wss)
TCP	1883, 8888	your-on-premise-server-domain	MQTT Remote Notification (mqtt/ws)
TCP	80, 443	your-on-premise-server-domain	API
TCP	443	sync.sync-sign.com	Device Health Report
TCP	443	update.sync-sign.com	OTA Update Server
TCP	443	file.sync-sign.com	OTA Firmware Server
TCP	80	pub.sync-sign.com	Time Server (as failsafe to NTP)