Unblock Outgoing Connections on Firewall

How to configure your firewall to allow Domotz Agent to connect to the Domotz Cloud

For the Domotz Agent to connect properly to the Domotz Cloud, OUTGOING connections on the following hosts/ports of your firewall need to be allowed:

General:

• portal.domotz.com (port 443 TCP)
• echo.domotz.com (ICMP)

API Connectivity:

• For North America: api-us-east-1-cell-1.domotz.com (port 443 TCP)
• Rest of the World:  api-eu-west-1-cell-1.domotz.com (port 443 TCP)

Messaging and Remote Control Connectivity:

• For North America: messaging-us-east-1-cell-1.domotz.com (port 5671 TCP)
• Rest of the World:  messaging-eu-west-1-cell-1.domotz.com (port 5671 TCP)

Remote Connections:

Depending on the location of the Agent, and availability of the cloud service, the following endpoints are used for the Remote Connections:

• sshg.domotz.co (range: 32700 – 57699 TCP)
• us-east-1-sshg.domotz.co (range: 32700 – 57699 TCP)
• us-east-1-02-sshg.domotz.co (range: 32700 – 57699 TCP)
• us-west-2-sshg.domotz.co (range: 32700 – 57699 TCP)
• ap-southeast-2-sshg.domotz.co (range: 32700 – 57699 TCP)

Domotz Box – specific outgoing connections

Additionally, if you are using the Domotz Box provided by Domotz, the following services are used to perform automated upgrades of the packages and provide access to Domotz provisioning channel:

Provisioning Channel:

• provisioning.domotz.com (ports 4505 and 4506 TCP)
• pool.sks-keyservers.net (port 11371 TCP)
• messaging.orchestration.domotz.com (port 5671 TCP)
• api.orchestration.domotz.com (port 443 TCP)
• zbx02.domotz.co (port 55022 TCP) – Used by the engineering to troubleshoot issues at the system level (e.g. Troubleshoot VLAN settings, USB NIC configuration etc.) (Optional)

Updates from Canonical:

• api.snapcraft.io (port 443 TCP)
• serial-vault-partners.canonical.com (port 443 TCP)
• storage.snapcraftcontent.com (port 443 TCP)
• canonical-lgw01.cdn.snapcraftcontent.com (port 443 TCP)
• canonical-lcy01.cdn.snapcraftcontent.com (port 443 TCP)
• canonical-lcy02.cdn.snapcraftcontent.com (port 443 TCP)
• canonical-bos01.cdn.snapcraftcontent.com (port 443 TCP)
• upload.apps.ubuntu.com (port 443 TCP)

HTP Servers:

• www.google.com (port 443 TCP)
• www.fast.com (port 443 TCP)
• www.canonical.com (port 443 TCP)
• www.redhat.com (port 443 TCP)

NTP Servers:

• ntp.ubuntu.com (port 123 UDP)
• 0.pool.ntp.org (port 123 UDP)
• 1.pool.ntp.org (port 123 UDP)

To prevent potential name resolution issues with the addresses above, we highly recommend incorporating at least one public DNS server into your network configuration. Some reputable options include:

– Cisco OpenDNS: 208.67.222.222 and 208.67.220.220
– Cloudflare: 1.1.1.1 and 1.0.0.1
– Google Public DNS: 8.8.8.8 and 8.8.4.4
– Quad9: 9.9.9.9 and 149.112.112.112

If using a transparent proxy solution (e.g. Zscaler, Cisco Umbrella, Uncydr, Todyl etc…) make sure you allow the above connections without replacing its certificates.