Firewall concerns for outbound EDP connections to Digi Remote Manager

Prerequisites:

This article assumes you've reviewed the available Configuration/Troubleshooting guidance for your particular Digi product, and have ensured your Gateway or device is otherwise configured properly for a Digi Remote Manager (aka Digi RM) connection.
 

Firewall concerns:

 

Firewalls (and the IT security people who maintain them) are generally concerned with protecting a location's Local Area Network from unauthorized use, both from traffic entering the network from outside and from traffic leaving the local area network for the outside.

A Central Management-capable Digi product falls into the latter category, because the Digi device creates an outbound TCP socket connection to the Digi Remote Manager server. This EDP (Easy Device Protocol) socket connection is a tunnel through which data from your Digi device gets pushed to our cloud server, so that the data is accessible from anywhere in the world.
 

The following article describes:

  • The IP socket connection(s) used when a Digi Router, Gateway, or other EDP-capable device (via Digi Cloud Connector) makes a Central Management connection to Digi Remote Manager.
  • How to determine the IP address in use with a given Digi RM-related DNS name.


Note:  DNS service is strongly recommended.  If access to DNS service is not allowed or possible from your network, the device's remote connectivity address would need to use an IP address, rather than the DNS name itself (see below under What IP address is needed for outbound Firewall rule(s)? for more details).
 


Locations where it is likely that Firewall Rules will be needed:

Those with Digi devices trying to connect to Digi Remote Manager from a location with strict outbound firewall rules will especially need the guidance found within this article.  Some likely examples for this type of network security environment include:  Government offices/buildings and institutions, Schools, Universities, and some Businesses (especially ones that do government contract work).
 

What network port(s) does a capable device use to connect to Digi Remote Manager?

By default, the TCP and/or UDP port(s) your central management capable Digi Router, Gateway, or device uses to connect with Digi RM will depend in part on the age/firmware of your device, the device configuration, and model.


TCP Port 3197:  The outbound EDP/non-SSL (non-secure) socket connection from older Digi products (or products running older firmware), which may still be configured to use an un-encrypted socket connection into Digi Remote Manager.

Note:  If possible, the firmware of older Digi products should be updated to the latest available version so that the SSL socket connection into Digi Remote Manager (see below) can be used instead.

TCP Port 3199:  The outbound EDP/SSL (secure) socket connection from Digi Routers, Gateways, or other Digi devices with newer firmware, configured to create a secure SSL socket connection into Digi RM. The SSL socket connection into Digi RM is required on ALL Linux-based Gateways such as our DAL OS products and XBee Gateway. The SSL socket connection might also be required if the Digi Remote Manager account is configured to accept SSL connections only.

UDP Port 53:  DNS (Domain Name System) resolution, i.e. translating the Digi RM server name (examples:  my.devicecloud.com or edp12.devicecloud.com) to the required IP address.

UDP Port 123:  Outbound socket connection to an NTP (time) server is required for ALL Linux-based Digi devices for NTP time management (unless an alternate clock source is allowed/configured for use).

Important Note concerning accurate date/time on a device:

Devices connecting to Digi Remote Manager via SSL socket connection need to be keeping accurate Date/Time in order to generate the secure (SSL) TCP socket connection into Digi Remote Manager, or Digi RM will refuse the connection.  For example, devices still using a Unix epoch or firmware release date-based date/timestamp will be unable to connect.

Note:  If you've added a capable Digi device to your Digi Remote Manager account (but the device never shows up with Connected status), check to ensure that the date/time being kept on the device is current in order to meet the above requirement.
 

What Digi Remote Manager server should my Digi device connect to?

In general, you should not configure your device to use a non-default remote management host, URL, or server name. Allow the device to pick the correct server name based on the level of the firmware and the security capabilities of that firmware.
If you have already configured the firmware with an explicit name or IP address, consider removing that configuration and testing the device for connectivity to my.devicecloud.com or edp12.devicecloud.com.

Having the device auto-configure itself is not always possible, so you may need to choose between these server names:

  • edp12.devicecloud.com - Appropriate for devices that:
    • Fully support TLS 1.2
    • Should not fall back to less secure connectivity
    • Support negotiation for device side certificates.
    • DAL OS-based devices with version 22.2 or newer firmware.
  • my.devicecloud.com – Appropriate for devices with older firmware or that have not yet been updated for the security enhancements associated with edp12.devicecloud.com


edp12.devicecloud.com:

Device types that should use edp12.devicecloud.com in order to get the most secure connection possible:

  • Any device running Digi Accelerated Linux operating system at firmware version 22.2.x or later should use edp12.devicecloud.com.
  • Specifically, any device in the following list that is running firmware 22.2.x or later and is configured to use Remote Manager for central management should use edp12.devicecloud.com for the Remote Manager URL. Note that new Digi Accelerated Linux device types may have been released since this article was written; those devices are included as well.
    • AcceleratedConcepts 5400-RM
    • AcceleratedConcepts 5401-RM
    • AcceleratedConcepts 6300-CX
    • AcceleratedConcepts 6310-DX
    • AcceleratedConcepts 6330-MX
    • AcceleratedConcepts 6335-MX
    • AcceleratedConcepts 6350-SR
    • AcceleratedConcepts 6355-SR
    • Digi AnywhereUSB 2 Plus
    • Digi AnywhereUSB 2 Plus Industrial
    • Digi AnywhereUSB 8 Plus
    • Digi AnywhereUSB 8W Plus
    • Digi AnywhereUSB 24 Plus
    • Digi AnywhereUSB 24W Plus
    • Digi Connect EZ-Mini
    • Digi Connect EZ2
    • Digi Connect EZ4
    • Digi ConnectIT-Mini
    • Digi ConnectIT4
    • Digi ConnectIT16
    • Digi ConnectIT48
    • Digi EX12
    • Digi EX12-PR
    • Digi EX15
    • Digi EX15-PR
    • Digi EX15W
    • Digi EX15W-PR
    • Digi EX50
    • Digi IX10
    • Digi IX14
    • Digi IX15
    • Digi IX20
    • Digi IX20-PR
    • Digi IX20W
    • Digi IX20W-PR
    • Digi IX30
    • Digi IX30-PR
    • Digi LR54
    • Digi LR54W
    • Digi TX54-Dual-Cellular
    • Digi TX54-Dual-Cellular-PR
    • Digi TX54-Dual-Wi-Fi
    • Digi TX54-Single-Cellular
    • Digi TX54-Single-Cellular-PR
    • Digi TX64
    • Digi TX64-PR
    • Digi TX64-Rail-Single-Cellular
    • Digi TX64-Rail-Single-Cellular-PR

my.devicecloud.com:

Devices not in the list above should generally use my.devicecloud.com.
 

Deprecated DNS names:

The following host names are deprecated and should no longer be used.

  • devicecloud.digi.com
  • devicecloud-uk.digi.com

 

Removed DNS names:

The following host names are removed and must no longer be used:

  • *.idigi.com (my.idigi.com, app.idigi.com, my.idigi.co.uk, etc.)
  • *.etherios.* (login.etherios.com, login.etherios.co.uk, etc.)

 

What IP address is needed for outbound Firewall rule(s)?

The best way to determine the IP address is to nslookup the DNS name of the Remote Management server your device will be connecting to.

Modern Digi devices are configured for a correct Central Management server address at default.  The DNS name of the Digi Remote Manager server should not be changed, or you may affect the connectivity characteristics (like security) of the device. 

As of the date of this article (2/22/2022), here is how this looked from my Windows 10 command line (Start - Run - CMD) prompt when doing an nslookup of our various Remote Management and NTP ring servers:
 

Digi Remote Manager device connectivity address:


Your device will use either my.devicecloud.com or edp12.devicecloud.com, depending on firmware type and version.  Rather than using the following IP addresses, verify the IP address of the DNS name at configuration time, in case the IP address which the DNS name resolves to has changed since this article was published.

Use DNS names whenever possible:

C:\> nslookup my.devicecloud.com
Name:  my.devicecloud.com
Address:  52.73.23.137

C:\> nslookup edp12.devicecloud.com
Name:  edp12.devicecloud.com
Address:  52.73.118.175


The following past Device Cloud connectivity addresses may possibly still be in use on devices.  Devices using the following DNS names should be updated to use my.devicecloud.com or edp12.devicecloud.com (if the device firmware fully supports TLS 1.2), then re-connected to the server at the new address:

  • devicecloud.digi.com
  • login.etherios.com
  • my.idigi.com
  • app.idigi.com
  • devicecloud-uk.digi.com
  • login.etherios.co.uk
  • my.idigi.co.uk

Digi Primary NTP Time Server Ring addresses:

C:\>nslookup time.devicecloud.com
Name:     time.devicecloud.com
Addresses:  35.164.164.69, 52.2.40.158
 

Secondary/Tertiary NTP Time Server addresses for pool usage:

C:\>nslookup 0.time.devicecloud.com
Name:     0.time.devicecloud.com
Addresses:  52.2.40.158

C:\>nslookup 1.time.devicecloud.com
Name:     1.time.devicecloud.com
Addresses:  35.164.164.69
 

Deprecated NTP/Time server addresses:

The following DNS names may still be in use on devices (all devices should be updated to use time.devicecloud.com within their configuration):

  • time.digi.com
  • time.etherios.com
  • time.etherios.co.uk
  • 0.idigi.pool.ntp.org
  • 1.idigi.pool.ntp.org
  • 2.idigi.pool.ntp.org

Making the Firewall Rules:

If the IP address of the DNS name ever changes (before this article is updated to reflect it), a Windows CLI command can be used to determine the IP address of our server:
 

nslookup <DNS name of server>

The Name and Address fields will be the DNS name and IP address for the Remote Management or Time server listed.  Your firewall rule will need to allow access for the appropriate network port used based on your Gateway's Device Management configuration, as well as UDP port 123 if NTP Time Management is in use.
 

Important Note regarding deprecated DNS names:

If your device is configured to use a *.idigi.com or etherios.com DNS name to connect to Digi Remote Manager, it should be re-configured to use my.devicecloud.com or edp12.devicecloud.com (if the device firmware fully supports TLS 1.2) at your earliest convenience. You will need to create firewall rules for all IP addresses/ports used, for all Remote Management and Time DNS server names used in the device configuration.
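As an added example (not Digi's code or part of the original article), the following script turns the port table above and the "Making the Firewall Rules" procedure into repeatable steps: it resolves the Remote Manager and NTP host names, emits one allow rule per resolved address for the correct EDP port (TCP 3199 for SSL, TCP 3197 for legacy non-SSL) plus UDP 123 for NTP, and flags configured host names that the deprecated/removed lists say must be replaced. The `resolver` table parameter is an assumption for offline use; it is pre-filled with the addresses printed in this article as of 2/22/2022, which should be re-verified with nslookup at configuration time.

```python
import socket
from dataclasses import dataclass

# Host names from the article (management hosts and the NTP ring).
RM_HOSTS = ("my.devicecloud.com", "edp12.devicecloud.com")
NTP_HOST = "time.devicecloud.com"
# Deprecated and removed names from the article; devices must be moved off these.
DEPRECATED = (".idigi.com", ".idigi.co.uk", ".etherios.com", ".etherios.co.uk",
              "devicecloud.digi.com", "devicecloud-uk.digi.com",
              "time.digi.com", "idigi.pool.ntp.org")
# Constructed lookup table (addresses as printed in the article, 2/22/2022).
ARTICLE_TABLE = {"my.devicecloud.com": ["52.73.23.137"],
                 "edp12.devicecloud.com": ["52.73.118.175"],
                 "time.devicecloud.com": ["35.164.164.69", "52.2.40.158"]}

@dataclass(frozen=True)
class Rule:
    dst: str
    proto: str
    port: int
    comment: str

def resolve(name, resolver=None):
    """Return sorted IPv4 addresses; a dict resolver lets this run offline."""
    if resolver is not None:
        return sorted(resolver.get(name, []))
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})

def is_deprecated(name):
    """True when the configured host name is on the deprecated/removed lists."""
    n = name.lower().rstrip(".")
    return any(n == s.lstrip(".") or n.endswith(s) for s in DEPRECATED)

def build_rules(management_host, secure=True, ntp=True, resolver=None):
    """One outbound allow rule per resolved address, per the port table above."""
    if is_deprecated(management_host):
        raise ValueError(f"{management_host} is deprecated; use one of {RM_HOSTS}")
    port, label = (3199, "EDP/SSL") if secure else (3197, "EDP non-SSL")
    rules = [Rule(ip, "tcp", port, f"{label} to {management_host}")
             for ip in resolve(management_host, resolver)]
    if ntp:  # UDP 123 is required on all Linux-based Digi devices
        rules += [Rule(ip, "udp", 123, f"NTP to {NTP_HOST}")
                  for ip in resolve(NTP_HOST, resolver)]
    return rules

def to_iptables(rules):
    """Render rules as iptables OUTPUT lines (adapt to your firewall's syntax)."""
    return [f'iptables -A OUTPUT -p {r.proto} -d {r.dst} --dport {r.port} '
            f'-m comment --comment "{r.comment}" -j ACCEPT' for r in rules]

if __name__ == "__main__":
    for line in to_iptables(build_rules("edp12.devicecloud.com", resolver=ARTICLE_TABLE)):
        print(line)
```

Run it with `resolver=None` on a host with DNS access to use live lookups instead of the constructed table, and add a UDP 53 rule to your DNS server if the device resolves names itself.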

Last updated: Mar 22, 2019
