For optimal security, all communication with the zencontrol cloud infrastructure is performed over a TLS socket. Each connection uses an ephemeral source port and is always outbound from the site.
The site's network must provide NTP time synchronization: without an accurate clock the TLS handshake cannot complete. During commissioning, devices typically obtain their network configuration from a DHCP server. For network diagnostics and control-system discovery, ICMP types 0 (echo reply), 3 (destination unreachable) and 8 (echo request) should be enabled on the network. For clarity, "ingress" denotes data entering a system or network, while "egress" denotes data leaving it. Note that all hostnames can resolve to multiple IP addresses, some of which are static.
Required services (WAN/Internet or Local)
The table below lists essential ports and services required for controllers and legacy WiFi emergency monitoring devices to operate correctly. These can be configured within the local network, without necessitating external internet exposure. NTP services can be provided locally using DHCP option 42 or by redirecting ntp.buildinglogin.com to a local NTP server through DNS remapping. Similarly, DNS services can be supplied by the router or a local DNS server, negating the need for direct internet access while ensuring controllers can still access these essential services. It's vital that controllers have access to these specified services for proper functionality. In cases where local services are unavailable, firewall configurations must permit the necessary traffic to pass through to the Internet.
| Service | Type | Port | Protocol | Network access | Application layer | Hostname |
| --- | --- | --- | --- | --- | --- | --- |
| Time | Controller | 123 | UDP | Egress | SNTP | ntp.buildinglogin.com |
| DNS | Controller | 53 | UDP | Egress | DNS | N/A |
Cloud required controller ports (WAN/Internet)
The table below outlines the essential ports that need to be opened to allow communication between the site's internet connection and the zencontrol cloud infrastructure. These port configurations are only necessary when controllers are set up for cloud connectivity and are not being managed locally through zencontrol onsite software. Enabling these ports ensures seamless integration with zencontrol's cloud-based services for remote management and monitoring.
| Service | Type | Port | Protocol | Network access | Application layer | Hostname | IP addresses (Europe) | IP addresses (Default) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Device Upgrade | Controller | 6396 | TCP | Egress | MNCP 2.0 | fw-download.zencontrol.com | N/A | 52.63.22.255, 13.54.48.224, 13.237.237.138 |
| Cloud MNCP | Controller | 5113 | TCP | Egress | MNCP 2.0 & TLS 1.2 PKI | connect.zencontrol.com | 3.9.156.107, 18.132.138.163, 18.169.81.155 | 3.105.60.161, 54.206.175.162, 52.62.2.172 |
Service specific optional controller ports (Local)
The table below lists the local network ports that need to be opened for controllers to effectively communicate with each other and with other devices on the local network. Each entry in the table corresponds to a specific service and may not be universally required. For instance, in most installations where controllers need to interact with each other, firewall rules must be configured to permit this inter-controller communication. Similarly, if BACnet IP is being utilized, the BACnet server should be allowed to connect to the controllers and retrieve information. The necessity of each port depends on the specific requirements and configuration of your installation.
| Service | Type | Port | Protocol | Network access | Application layer | Hostname |
| --- | --- | --- | --- | --- | --- | --- |
| Controller to controller MNCP | Controller | 5110 | TCP/UDP | Ingress/Egress | MNCP 2.0 & TLS 1.2 PSK | N/A |
| API | Controller | 5108 | UDP | Ingress | Third Party Interface | N/A |
| BACnet IP | Controller | User configured, default 47808 | UDP | Ingress | BACnet IP | N/A |
| MQTT | Controller | User configured, defaults 1998 (standard) and 8883 (TLS) | TCP | Egress | MQTT | N/A |
Commissioning Application (Smart phone)
Where the smartphone used for commissioning is connected to the local network, the following ports are used to communicate with the zencontrol cloud. These ports are not required where the smartphone uses its own 4G/5G internet connection.
| Service | Type | Port | Protocol | Network access | Application layer | Hostname | IP addresses (Europe) | IP addresses (Default) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| API Server | Commissioning | 8901 | TCP | Egress | MNCP 2.0, TLS 1.2 PKI | mobile.zencontrol.com | 18.175.27.128, 18.170.141.135, 3.9.119.227 | 13.239.192.170, 54.79.13.201, 52.62.11.209 |
| API Server | Commissioning | 8902 | TCP | Egress | HTTP/2, TLS 1.2 PKI | mobile.zencontrol.com | 18.175.27.128, 18.170.141.135, 3.9.119.227 | 13.239.192.170, 54.79.13.201, 52.62.11.209 |
Cloud web portal (Browser)
To enable access to the cloud web portal from the client's network, the following ports and services must be made accessible through the firewall. This configuration is only necessary if the customer intends to access the portal using their own network and internet connection, such as from a communications room. Opening these specified ports ensures secure and efficient connectivity to the zencontrol cloud services from within the client's network infrastructure.
| Service | Type | Port | Protocol | Network access | Application layer | Hostname | IP addresses (Europe) | IP addresses (Default) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| API Service | Commissioning & monitoring | 443 | TCP | Egress | TLS 1.2 | api.zencontrol.com | 13.42.120.204, 18.168.92.148, 35.179.53.178 | 13.211.118.47, 13.239.194.228, 52.64.172.76 |
| Login Service | Commissioning & monitoring | 443 | TCP | Egress | TLS 1.2 | login.zencontrol.com | N/A | 13.54.172.190, 52.63.4.140, 54.79.87.205 |
| Web GUI Service | Commissioning & monitoring | 443 | TCP | Egress | TLS 1.2 | cloud.zencontrol.com | N/A | 13.237.253.135, 13.54.137.216, 54.153.243.101 |
| File Service | Commissioning & monitoring | 443 | TCP | Egress | TLS 1.2 | file.zencontrol.com | N/A | N/A |
| Developer Documentation | Information | 443 | TCP | Egress | TLS 1.2 | developer.zencontrol.com | N/A | 13.238.196.138, 3.104.60.169, 3.106.36.184 |
Legacy Wi-Fi Emergency monitoring devices
Wi-Fi connected devices need to join an 802.11g network on channels 1-11, authenticated with WPA2-Personal. The Wi-Fi network must not present a captive portal page.
The following table shows the ports that must be enabled for these devices to use the site's internet connection to communicate with the zencontrol cloud infrastructure.
| Service | Type | Port | Protocol | Network access | Application layer |
| --- | --- | --- | --- | --- | --- |
| Zentri OTA | Controller | 443 | TCP | Egress | HTTPS |
Multicast groups (IGMP)
Additional internal C2C communication takes place over 239.255.90.67. Further multicast groups for creating logical zones of control systems can be added via commissioning, and these should also be communicated to the network administrator.
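As an added pre-commissioning check (example code, not zencontrol's own tooling), the script below exercises the required services from the tables on this page from a host on the controllers' VLAN: it queries ntp.buildinglogin.com over SNTP (so a DNS remap of that name to a local NTP server is followed), resolves each cloud hostname to all of its addresses, and completes a certificate-validated TLS handshake on the cloud ports. The endpoint list is an assumption drawn from the tables; anything reported as FAIL points at a firewall, DNS or NTP rule to fix before controllers are installed.

```python
import socket
import ssl
import struct
import time

NTP_HOST = "ntp.buildinglogin.com"
NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP era (1900) to the Unix epoch (1970)
# Cloud endpoints that must complete an outbound TLS handshake (assumed from the tables above).
TLS_ENDPOINTS = [
    ("connect.zencontrol.com", 5113),  # Cloud MNCP (MNCP 2.0 over TLS 1.2)
    ("api.zencontrol.com", 443),       # cloud web portal API
    ("login.zencontrol.com", 443),     # cloud web portal login
    ("cloud.zencontrol.com", 443),     # cloud web GUI
]

def sntp_request() -> bytes:
    """48-byte SNTP client request: first byte LI=0, VN=4, Mode=3 (0x23), rest zero."""
    return bytes([0x23]) + bytes(47)

def sntp_transmit_time(reply: bytes) -> float:
    """Unix time taken from the Transmit Timestamp (bytes 40..47) of an SNTP reply."""
    if len(reply) < 48:
        raise ValueError("short SNTP reply")
    secs, frac = struct.unpack("!II", reply[40:48])
    return secs - NTP_UNIX_OFFSET + frac / 2**32

def check_ntp(host: str = NTP_HOST, timeout: float = 3.0) -> str:
    """Query the NTP server (local, or remapped via DNS) and report this host's clock offset."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(sntp_request(), (host, 123))
        reply, _ = sock.recvfrom(48)
    return f"clock offset {sntp_transmit_time(reply) - time.time():+.3f}s"

def check_tls(host: str, port: int, timeout: float = 5.0) -> str:
    """Resolve all addresses, TCP-connect, and complete a certificate-validated TLS handshake."""
    addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, socket.AF_INET)})
    ctx = ssl.create_default_context()  # verifies chain and hostname against the system CAs
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            return f"{tls.version()} via {tls.getpeername()[0]} (resolves to {', '.join(addrs)})"

if __name__ == "__main__":
    checks = [(f"NTP {NTP_HOST}", check_ntp)]
    checks += [(f"{h}:{p}", lambda h=h, p=p: check_tls(h, p)) for h, p in TLS_ENDPOINTS]
    for name, run in checks:  # each FAIL points at a firewall, DNS or NTP rule to fix
        try:
            print(f"OK   {name}: {run()}")
        except (OSError, ValueError) as exc:  # ssl.SSLError and timeouts are OSErrors
            print(f"FAIL {name}: {exc}")
```

A large clock offset on the NTP line explains TLS failures on the cloud lines, since certificate validity cannot be checked without correct time.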