isy portal communications

[aweber1nj]

Are there any specific ports that my isy994i needs to connect out to the ISY Portal?

 

I just purchased the portal to try it out with my Amazon Echo.  The ISY is added to the portal, but continues to say "Never connected".  The ISY Portals page shows "Offline  Never Registered".

 

Hopefully it's just a little slow tonight, because there isn't any info I can find that says there are any special ports that it requires outbound (my firewall DOES filter outbound traffic).

 

Any ideas?

 

Thanks,
AJ

[stusviews]

You don't need any specific port opened, the portal takes care of that. But you do need to register the portal. Have you attempted to register? Did you receive an email about registering?

[aweber1nj]

Yessir, I registered it.

 

Could be total coincidence, but when I set an exception in my firewall to allow the ISY unfettered access outbound, things started to get back on track.  I saw it ask for permission in the ISY Console, the icon went yellow in the portal, and after accepting it, it went green and now I'm off and running.

 

So IDK if it's coincidence or if the devs are using a non-standard port to communicate outbound to the portal servers.

[paulbates]

AJ

 

If there are firewall rules preventing devices from accessing the internet, that would explain it. The  portal model assumes that the ISY can "phone home" from an outbound perspective.

 

Paul

[aweber1nj]

That's what I was wondering.  If the ISY uses http/https (or a multitude of other ports I already have open), it would be OK.  If it's using something specific, I think it should be published somewhere so crazy guys with hardened home firewalls know what the device requires to operate.

[paulbates]

I'm guessing it doesn't always want to use something specific, there's some value in "security by obscurity". The port would have to be guessed by potential hackers.

[aweber1nj]

Outbound ports shouldn't be too insecure to publish.  You can't connect to them, they're outbound.

 

The reason I don't allow "all ports" outbound is to reduce exposure for anything malicious that finds its way into my network.  (And because I'm a freak. )

 

I just feel that if you have a connected device, you should ask for (or specify requirements for) communications; consider it a privilege, not a right.

 

It's not a huge deal.  Just thought if a dev read this, they could correct me or publish the info for "the next guy".

[paulbates]

AJ

 

Constraints for outbound initiated traffic is more of a statement of if you trust the device initiating outbound transactions. Its been common for a while for home based "server" functions, including the HA appliances, NAS's, Smart TVs, thermostats, cloud backup up solutions like webroot, idrive.. etc, to pick the port that they would like to use.

 

The isy is a very specific purpose network appliance, not a formal full feature OS with capabilities that can catch a virus, etc. I'm good with that being unpublished

 

Paul

[aweber1nj]

I really don't want to get off topic here.

 

The vast majority of networked appliances leverage https (sometimes http) to connect to servers in the cloud.  I have plenty of them.  Those that don't use standard ports typically publish their requirements somewhere.  Google something like "Sonos ports", or "ecobee network ports".  You'll see them explicitly define what they require for normal operation.  They typically wouldn't be prone to viruses either.

 

Anyway, thank you for the feedback!

[Michel Kohanim]

Hi AJ,

 

You do need the following outbound ports NOT blocked from ISY to my.isy.io:

443 - dispatcher

8001 - proxy

 

You do not need any inbound port mapping.

 

Are you sure your security settings are correct? Please make sure HTTPS Client setting is set to TLS 1.2/Strength All/Verify should be UNCHECKED.

 

With kind regards,

Michel

[aweber1nj]

OK, cool.  So 8001 was originally missing - it's not a "standard" port so I have it blocked by default.  Once I allowed all outbound traffic last night, things started working fine.

 

(I did double-check the HTTPS Client settings, and they were OK.)

 

I can go back and change the firewall rule to only allow 443/tcp and 8001/tcp for the ISY's MAC address instead of "everything".

 

Thank you for the response.

 

-AJ