Implementation Guide for IT Services (Internet, VPN, MQTT, ...)

Hi,

Do you have a complete guide to give the IT Services to ensure a good and full implementation of a Flexy module in the company firewall.

Thanks
Christian

Hi Christian,

I would recommend referring them to this page: https://websupport.ewon.biz/support/docs/flexy#5

Specifically to the User Manual: https://websupport.ewon.biz/sites/default/files/um-0002-00-en-flexy-family.pdf as the Implementation manual deals a lot with the hardware.

The Flexy external (WAN) communication is through OpenVPN: https://websupport.ewon.biz/sites/default/files/kb-0018-0-en_using_ewon_with_openvpn.pdf which greatly simplifies what IT has to deal with. As long as OpenVPN is not blocked, there should not be any issues. Only the device and its internal LAN are accessible through the VPN and the default configuration segregates the internal LAN from the rest of the network.

There can be more complex setups and more info can be found on the support page above, but for a basic setup, it only requires a connection to the internet.

Kyle

Hi Kyle,

Here is my summary for configuring the Firewall for the Flexy IP address on the WAN side

For the Internet connection
The following port must be configured “outgoing”:

  • 80 (TCP) for HTTP

For the VPN connection
The following ports must be configured “outgoing”:

  • 443 (TCP) for OpenVPN
  • 1194 (UDP) for OpenVPN

Firewall rules

  • “OpenVPN” service must be allowed
  • *.talk2M.com domains must be accessible

For MQTT communication (does not go through the VPN)
The following port must be configured “outgoing”:

  • 1883 (TCP) if not over TLS/SSL
  • 8883 (TCP) over TLS / SSL

For HTTPX communication
The following port must be configured “outgoing”:

  • 443 (TCP) HTTPS over TLS / SSL

I would like to know if the summary is good and if there are important things to clarify or modify?

Thanks
Christian

Christian,

Looks good! The big one is making sure they aren’t blocking 1194 out. No external firewall ports need to be opened. Do they enforce a whitelist? (not allowing any URLs (websites) unless they are on an approved list?) If they are not, you should be all set. Nice job.

Thanks,
Kyle
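Added example (not eWON/Talk2M code, and not part of Christian's or Kyle's posts): a small Python model of the outbound policy from the summary above, with Kyle's two points folded in (UDP 1194 must not be blocked; a URL whitelist, if enforced, must include the talk2m.com domains). The rule table restates the ports from the thread; the Flexy WAN address 192.0.2.10, the broker hostname `broker.example.com` and the sample flows are constructed for illustration. The model is default-deny: only the Flexy WAN address, only the listed protocol/port pairs, and no inbound rules at all.

```python
"""Egress-policy model for a Flexy WAN address, restating the port list in this thread.

Added example, not eWON/HMS code. The rule table is Christian's summary plus Kyle's
note on UDP 1194; the WAN address, broker hostname and sample flows are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatch

FLEXY_WAN_IP = "192.0.2.10"          # constructed: the address the Flexy has on the WAN side
TALK2M_PATTERNS = ["*.talk2m.com"]   # domains that must stay reachable (from the summary)


@dataclass(frozen=True)
class EgressRule:
    proto: str      # "tcp" or "udp"
    port: int       # destination port
    purpose: str    # reason, as given in the thread


# Outbound ports a basic Flexy setup needs, per the thread. No inbound ports are opened.
EGRESS_RULES = (
    EgressRule("tcp", 80,   "HTTP, internet connection"),
    EgressRule("tcp", 443,  "OpenVPN over TCP; also HTTPS for HTTPX"),
    EgressRule("udp", 1194, "OpenVPN over UDP, must not be blocked"),
    EgressRule("tcp", 1883, "MQTT without TLS, bypasses the VPN"),
    EgressRule("tcp", 8883, "MQTT over TLS, bypasses the VPN"),
)


def is_egress_allowed(src_ip, proto, dst_port, dst_host=None, url_whitelist=None):
    """Decide one outbound flow against the policy. Returns (allowed, reason).

    Default deny: only the Flexy WAN address and only the listed proto/port pairs pass.
    If the site enforces a URL whitelist (Kyle's question), pass it as a list of
    wildcard patterns; the destination name must then match one of them.
    """
    if src_ip != FLEXY_WAN_IP:
        return False, f"source {src_ip} is not the Flexy WAN address"
    rule = next((r for r in EGRESS_RULES
                 if r.proto == proto.lower() and r.port == dst_port), None)
    if rule is None:
        return False, f"{proto}/{dst_port} is not in the outbound allow list"
    if url_whitelist is not None:
        if dst_host is None:
            return False, "URL whitelist enforced but the flow has no destination name"
        if not any(fnmatch(dst_host.lower(), p.lower()) for p in url_whitelist):
            return False, f"{dst_host} is not on the URL whitelist"
    return True, rule.purpose


def render_nftables(wan_ip=FLEXY_WAN_IP):
    """Render the rule table as an nftables forward chain (to be placed inside a table)."""
    lines = ["chain forward { type filter hook forward priority 0; policy drop;"]
    for r in EGRESS_RULES:
        lines.append(f'  ip saddr {wan_ip} {r.proto} dport {r.port} accept '
                     f'comment "{r.purpose}"')
    lines.append("}")
    return "\n".join(lines)


# Constructed sample flows: (src, proto, dport, dst_host)
SAMPLE_FLOWS = [
    (FLEXY_WAN_IP, "udp", 1194, "example-server.talk2m.com"),  # OpenVPN tunnel (constructed host)
    (FLEXY_WAN_IP, "tcp", 8883, "broker.example.com"),         # MQTT over TLS to a cloud broker
    (FLEXY_WAN_IP, "tcp", 25,   None),                         # port not in the summary: denied
    ("192.0.2.77", "tcp", 443,  "www.talk2m.com"),             # another host borrowing the rule
]


def audit(flows, url_whitelist=None):
    """Evaluate each flow; returns a list of (flow, allowed, reason)."""
    return [(f, *is_egress_allowed(*f, url_whitelist=url_whitelist)) for f in flows]


if __name__ == "__main__":
    for flow, allowed, reason in audit(SAMPLE_FLOWS):
        print("ALLOW" if allowed else "DENY ", flow, "-", reason)
    print()
    print("With a URL whitelist of only the talk2m.com domains:")
    for flow, allowed, reason in audit(SAMPLE_FLOWS, url_whitelist=TALK2M_PATTERNS):
        print("ALLOW" if allowed else "DENY ", flow, "-", reason)
    print()
    print(render_nftables())
```

Running it shows the point of Kyle's whitelist question: with only the talk2m.com domains on an enforced URL whitelist, the VPN flow passes but the MQTT flow to the cloud broker is refused, because MQTT leaves through the WAN outside the VPN and its broker hostname has to be whitelisted separately.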

Hi Kyle,

When I use Basic HTTPX instructions, I would like to know if the information goes outside the VPN as an MQTT transaction?

Thanks again
Christian

Where is your MQTT broker located, on your local network or is it accessible over the internet?

Hi Kyle,

I use AWS IoT or Azure IoT Hub as MQTT Broker.

In another post Deryck said:

Is this the same for Basic HTTPX instructions?

Thanks
Christian

What do you mean by “Basic HTTPX instructions”?

HTTPX:
The BASIC implemented in the device is capable of dealing with HTTP(S) requests & responses

  • REQUESTHTTPX
  • RESPONSEHTTPX

Christian

Thanks. Packets intended for the general internet (like the Azure broker) will not go through the VPN.

Is it possible to send the MQTT messages via VPN to an IoT-Hub from Azure?

No. They will go through the WAN network to the internet.