For optimal security all communication between zencontrol cloud infrastructure is performed on a secure TLS socket. Each connection uses an ephemeral port, and is always an outbound connection
The sites network must also be synchronised with an NTP server in order for the TLS handshake to complete and secure the connection. When commissioning, devices defaultly receive network configurations via a DHCP server. It is also recommended that the network enables ICMP types 0, 3 and 8 to allow for network diagnostics and discovery of control systems.
For WiFi connected devices, they will need to connect to a 802.11g network on channels 1-11 authenticated via WPA-2 personal security. There should also be no 'Captive portal' page on the WiFi.
The following table shows the required ports that must be enabled to use the sites internet connection for communication with the zencontrol cloud infrastructure.
|Api Server||Commissioning||8901||TCP||Outbound||MNCP 2.0, TLS 1.2 PKI|
|Api Server||Commissioning||8902||TCP||Outbound||HTTP/2, TLS 1.2 PKI|
|C2C MNCP||Controller||5110||TCP/UDP||Internal||MNCP 2.0 & TLS 1.2 PSK|
|Device Upgrade||Controller||5112 & 6396||TCP||Outbound||MNCP 2.0|
|Cloud MNCP||Controller||5113||TCP||Outbound||MNCP 2.0 & TLS 1.2 PKI|
|API||Controller||5108||UDP||Internal||Third Party Interface|
Multicast groups (IGMP)
Additional internal C2C communication takes place over 18.104.22.168. Further multicast groups for creating logical zones of control systems can be added via commissioning, and these should also be communicated to the network administrator.