Versions Compared

Version Old Version 3 New Version Current
Changes made by

Katarzyna Stodolny

Joanna Kozakiewicz

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This document presents a list of network ports on which communication of particular functionalities of VERTEX controllers takes place. In order for all functionalities to work correctly, you must ensure proper network rules for controllersHere you can find a list of network ports for different types of communication with Vertex. You must ensure the network infrastructure is set up correctly for this to work.

Internal network (LAN)

Operator The work stations and all VERTEX controllers in the local area network must be set up according to the following rulesschematic.

...

Vertex - basic functionalities

...

Service

...

Protocol

...

Port

...

Main WebApplication

...

HTTP

...

80

...

LogicEditor WebApplication

...

HTTP

...

1880

...

VERTEX2VERTEXInternalMessageBUS

...

TCP-SOA-XML

...

5280

Vertex commissioning - configuring with Firestarter

...

Service

...

Protocol

...

Port

...

VERTEX-DISCOVERYNeighbourhoodDISCO

...

UDP-NATIVE

...

30005

Services only for maintenance work

...

Service

...

Protocol

...

Port

...

SSH-port

...

TCP

...

22

...

ServicePort

...

TCP

...

5222

Description of services required for the basic functionalities of VERTEX controllers

1. Main WebApplication

...

The user interface and access to system functionality:

  • Displaying information from individual modules/luminaires, monitoring

  • Triggering actions on devices in the system

  • Communication with a user who is on the same network through the website page

Consequences resulting from lack of access to the service:

  • Lack of possibility to monitor the system

  • No possibility to trigger any actions in the system

2. LogicEditor WebApplication

...

Logic editing interface of the lighting system:

  • Graphical logic editor of lighting system operation

  • Using it to create a logic of the lighting system

  • Communication with a user who is on the same network through the website page

Consequences resulting from lack of access to the service:

  • Lack of possibility to adapt the logic of the lighting system operation

3. VERTEX2VERTEX InternalMessageBUS

Service launched on VERTEX control units that are in the same local network, responsible for:

  • exchange of messages between VERTEX control units

  • synchronization of data between VERTEX control units

Consequences resulting from lack of access to the service:

  • Total lack of control on lighting devices

Description of commissioning and initial configuration services for VERTEX devices

1. VERTEX-DISCOVERY NeighbourhoodDISCO

...

The service is used to communicate with the FIRESTARTER application. The application is used for the initial configuration of VERTEX control units. The configuration is made once during the system setup or in emergency situations that require service.Enables changing:

  • The group in which Vertex works (1-8 or ungrouped)

  • The default gateway for each selected group

  • Subnets for each of the selected groups

  • DNS for each selected group

  • IP address for each device

Consequences resulting from lack of access to the service:

  • It is impossible to correctly start the VERTEX controller (change network parameters, remember addresses of modules/luminaires)

Description of services required to carry out maintenance work for VERTEX devices

1. SSH-port

Service that allows direct service access to the VERTEX controllers. Login and access only by an authorized Glamox employee

Consequences resulting from lack of access to the service:

  • There is no possibility to carry out service work

2. ServicePort

The service is used for local failure diagnostics. Login and access only by an authorized Glamox employee.

The consequences resulting from lack of access to the service:

  • There is no possibility to carry out service work

Outbound to GLAMOX infrastructure

For proper operation of SLS services, it is required to allow outgoing traffic in accordance with the following rules.

...

Source

...

Destination

...

Protocol

...

Port

...

Security

...

Description

...

VERTEX connection with SLS service

...

ANY VERTEX (Static IP Address)

...

sls.essystem.pl

...

HTTPS

...

443

...

TLS1.0AES256 RSA2048

...

Initial authorization of VERTEX in SLS service

Sending compressed logs to the SLS service. At the request of the SLS operator.

...

ANY VERTEX (Static IP Address)

...

sls0.essystem.pl

...

MQTT 3.1

...

1883

...

TLS1.2AES256 RSA2048

...

Continuous connection, updating the luminaire and control units status

...

ANY VERTEX (Static IP Address)

...

80.211.241.221

...

OpenVPN 2.3.2

...

1194

...

TLS 1.0AES256 RSA2048

...

Outgoing connection: SLS-VPN. Operated during service work after detecting a failure. At the requestof the SLS operator.

...

Automatic updated of Vertex software

...

ANYVERTEX (Static IP Address)

...

vskylab.essystem.pl

...

HTTP

...

17001

...

AES256

...

Cyclic control every 120 s, checking the availability of the new VERTEX software update.

Downloading an encrypted package with software.

...

Automatic time synchronisation in Vertex (optional, the device has a RTC clock)

...

ANY VERTEX (Static IP Address)

...

0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org

...

NTP

...

123

...

-

...

Increasingthe accuracy of the clock in VERTEX

If necessary, it is possible to set the NTP time server in the internal network infrastructure. For this purpose, individual configuration of each VERTEX over SSH by authorized Glamox employeeis needed.

Default policy

deny (incoming), allow (outgoing), deny (routed)

...

Outbound to GLAMOX infrastructure (remote)

Glamox remote access and maintenance requires that all outgoing traffic is allowed.

...

Default policy

Incoming

DENY

Outgoing

ALLOW

Routed

DENY

Opened ports

TO

Action

From

Desc

Local/remote

22/tcp

ALLOW IN

Anywhere

ssh

local

8080/tcp

ALLOW IN

Anywhere

swupdate*

local

127.0.0.1 8080/tcp

ALLOW IN

127.0.0.1

dnsmasq local

local

5269/tcp

ALLOW IN

Anywhere

prosody

local

1880/tcp

ALLOW IN

Anywhere

nodered

local

1883/tcp

ALLOW IN

Anywhere

mosquitto*

local

30333/tcp

ALLOW IN

Anywhere

ndiscovery_bot

local

5280/tcp

ALLOW IN

Anywhere

prosody

local

5222/tcp

ALLOW IN

Anywhere

prosody

local

80/tcp

ALLOW IN

Anywhere

lighttpd

local

127.0.0.1 53/udp

ALLOW IN

127.0.0.1

dnsmasq local

local

30005/udp

ALLOW IN

Anywhere

ndiscovery_bot beacon

local

1194/

udp

tcp

ALLOW IN

Anywhere

VPN

remote

443/tcp

ALLOW IN

Anywhere

https

local

502/tcp

ALLOW IN

Anywhere

modbus

local

30500-30600/tcp

ALLOW IN

Anywhere

Free TCP ports for our usage

local

9993/tcp

ALLOW IN

Anywhere

remote support

remote

22/tcp (v6)

ALLOW IN

Anywhere (v6)

ssh

local

8080/tcp (v6)

ALLOW IN

Anywhere (v6)

swupdate*

local

5269/tcp (v6)

ALLOW IN

Anywhere (v6)

prosody

local

1880/tcp (v6)

ALLOW IN

Anywhere (v6)

nodered

local

1883/tcp (v6)

ALLOW IN

Anywhere (v6)

mosquitto*

local

30333/tcp (v6)

ALLOW IN

Anywhere (v6)

ndiscovery_bot

local

5280/tcp (v6)

ALLOW IN

Anywhere (v6)

prosody

local

5222/tcp (v6)

ALLOW IN

Anywhere (v6)

prosody

local

80/tcp (v6)

ALLOW IN

Anywhere (v6)

lighttpd

local

30005/udp (v6)

ALLOW IN

Anywhere (v6)

ndiscovery_bot beacon

local

1194/

udp

tcp (v6)

ALLOW IN

Anywhere (v6)

VPN

remote

443/tcp (v6)

ALLOW IN

Anywhere (v6)

https

local

502/tcp (v6)

ALLOW IN

Anywhere (v6)

modbus

local

30500-30600/tcp(v6)

ALLOW IN

Anywhere (v6)

Free TCP ports for our usage

local

9993/tcp(v6)

ALLOW IN

Anywhere (v6)

remote support

remote

Info

Ports marked green are for remote connection (Cloud, support).

All other ports are for internal communication (Vertex to Vertex) and are set by default.

Detailed external service description

Use these ports for the following type of access.

Source

Destination

Protocol

Port

Security

Description

VERTEX access for Glamox

ANY VERTEX (Static IP Address)

sls.essystem.pl

HTTPS

443

TLS1.0AES256 RSA2048

Initial authorization of VERTEX in SLS service

Sending compressed logs to the SLS service. At the request of the SLS operator.

ANY VERTEX (Static IP Address)

sls0.essystem.pl

MQTT 3.1

1883

TLS1.2AES256 RSA2048

Continuous connection, updating the luminaire and control units status

ANY VERTEX (Static IP Address)

ANY

OpenVPN 2.3.2 -2.4.7

1194

TLS 1.0AES256 RSA2048

Outgoing connection: SLS-VPN. Operated during service work after detecting a failure. At the request of the SLS operator.

Automatic time synchronisation in Vertex (optional, the device has a RTC clock)

ANY VERTEX (Static IP Address)

0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org

NTP

123

-

Increasing the accuracy of the clock in VERTEX

If necessary, it is possible to set the NTP time server in the internal network infrastructure. For this purpose, individual configuration of each VERTEX over SSH by Glamox is needed.

For more information go to: