
ISY994 - Ports required to work with Alexa?


RichTJ99


Posted

Hi,

I do not allow my ISY to have internet access on my network at this point.  I did at one point & had the ISY / Alexa working - it was great.  I would like to set it up again but I would like to set it up so the ISY has very limited internet access.

What ports would need to be opened to allow ISY to talk to Alexa?

 

Thanks,

Rich

Posted

Hi,

 

Sorry, I think I am not being clear in what I am asking.  I had some network security issues & am looking to give IoT devices (such as ISY) very limited access to the internet & then a specific address would be allowed.

It sounds like Alexa doesn't talk to the ISY directly - does the ISY talk to the portal, and Alexa talks to the portal - the portal is the one communicating commands?

Further - my question is - if I say "Alexa - turn on the kitchen lights"

Does Alexa go to https://my.isy.io/index.htm, log in, and look for an update?

In that case - if I give the ISY access to only the domain my.isy.io on only port 443 or 80, would that allow enough internet access for the ISY to communicate with the portal / Alexa?

I am assuming that https://my.isy.io does not need ports 1-65000 opened?  

Posted
2 minutes ago, RichTJ99 said:

Hi,

 

Sorry, I think I am not being clear in what I am asking.  I had some network security issues & am looking to give IoT devices (such as ISY) very limited access to the internet & then a specific address would be allowed.

It sounds like Alexa doesn't talk to the ISY directly - does the ISY talk to the portal, and Alexa talks to the portal - the portal is the one communicating commands?

Further - my question is - if I say "Alexa - turn on the kitchen lights"

Does Alexa go to https://my.isy.io/index.htm, log in, and look for an update?

In that case - if I give the ISY access to only the domain my.isy.io on only port 443 or 80, would that allow enough internet access for the ISY to communicate with the portal / Alexa?

I am assuming that https://my.isy.io does not need ports 1-65000 opened?  

No! ISY does not require any ports to be opened. ISY and browsers have complete access to the internet via your router. Only external devices would need to have a hole punched in your router firewall.

ISY can poll the ISY Portal and get answers back from inside ISY. Nothing is "pushed" from outside your firewall into ISY. It only appears that way from the user's viewpoint.

Posted
No! ISY does not require any ports to be opened. ISY and browsers have complete access to the internet via your router. Only external devices would need to have a hole punched in your router firewall. ISY can poll the ISY Portal and get answers back from inside ISY. Nothing is "pushed" from outside your firewall into ISY. It only appears that way from the user's viewpoint.

 

The question I have is whether he is blocking outbound Internet access from his ISY, or whether he's referring to allowing access inbound from the Internet to the ISY. 

 

 

To answer the question, the ISY needs to be able to initiate an outbound connection to the portal. No inbound connections are initiated from the Internet to the ISY.

 

Sent from my SM-N9500 using Tapatalk

 

 

 

 

 

  • 2 weeks later...
Posted

Hi - yes, I am blocking all outbound/inbound internet access to the VLAN - I would like to give the ISY access to - the portal?  Not sure what I need port-wise to open up for the ISY to 'talk' to the portal/Alexa.

Posted (edited)
1 hour ago, RichTJ99 said:

Hi - yes, I am blocking all outbound/inbound internet access to the VLAN - I would like to give the ISY access to - the portal?  Not sure what I need port-wise to open up for the ISY to 'talk' to the portal/Alexa.

ISY should not be blocked or email, SMS, ISY Portal, PolyGlot, NRs may not work. Your router does not allow any traffic from the Internet to your LAN unless you port forward and make holes in the router's natural firewall. Things inside your LAN, like your browser and ISY, initiate requests to go outside and get answers, and your router allows those answers to come back naturally. It's all about the direction of who asked the question and firewalls allow the answer back through.

Edited by larryllix
Posted

Hi, I am OK having my ISY internal LAN IP given access to a specific IP and specific port or ports on that IP, but I do not want it to have open access to go wherever it wants.

So I have a PBX on a different VLAN; the whole network has no external access except the one IP of the PBX.

It is allowed to go to flowroute.com on ports 5040-5080.  Those are the firewall rules, that's all it needs to do its job, that's as far as it can get.

The ISY should be able to go to mail.richtj.com port 465 in order to send mail.

The ISY should be able to visit www.where.com ports ????

The ISY doesn't need access to msn.com, Yahoo.com, etc.

I am really just looking to find out what I specifically need to give it access to in order to add my Alexa (which is on yet another VLAN).

 

Thanks

Rich

Posted

ISY will not use any ports that it does not need. It doesn't wander through cyberspace. There is no need to block any ports from the LAN side of your router. There is no need to block any ports from the WAN side of your router. Your router already does that.

Posted (edited)

My ISY has two long-lived connections open (outbound): IP 52.54.245.47, port 443 and IP 52.54.245.47, port 8000.  Both IPs are in Amazon's cloud, according to a DNS lookup.

I block outbound connections to a site named "flexyourpower.s3.amazonws.com" since that's not pertinent to me, and I'd rather not have the ISY connecting there if there's no reason for it to do so.

Your request makes perfect sense, and as you can clearly tell, the community doesn't really know what the minimum required ports really are.  I'd suggest just opening a support case with UDI and asking.

Edited by mwester
Posted

The problem with blocking outbound ports is that unless your firewall can resolve DNS names in its rules, your ISY access will break if the host name of the ISY Portal points to a new IP (which is entirely possible and even common in a cloud environment such as AWS). Also, your ISY will at a minimum need outbound access to your DNS servers (to resolve hostnames) and NTP servers (to synchronize its clock) unless your router or some other device on your LAN is providing those services. There are also other services you may want it to talk to, such as SMTP, and any services integrations you have from the Network Module (Pushover, etc).

 

Probably the best way to determine which services the ISY needs to talk to is to open up outbound access on your firewall and log all outbound connections from the ISY.

 

Sent from my SM-N9500 using Tapatalk
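
The logging approach suggested in the last reply, sketched as an added example (not part of the original thread and not UDI software): it reduces firewall log lines to the distinct destinations one device contacted, as a starting point for an outbound allow list. The ISY address `192.168.10.20`, the `IOT-OUT` log prefix and the iptables-style `KEY=value` line format are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter

ISY_IP = "192.168.10.20"  # assumption: the ISY's LAN address on the IoT VLAN
# Port labels used only for the report; anything else is left for manual review.
KNOWN = {53: "DNS", 123: "NTP", 443: "HTTPS", 465: "SMTPS"}

# Constructed sample in iptables LOG key=value style (not a real capture).
# 52.54.245.47:443/8000 are the connections reported in the thread; the
# other addresses are placeholders.
SAMPLE_LOG = """\
Jan 10 08:00:01 fw kernel: IOT-OUT SRC=192.168.10.20 DST=192.168.10.1 PROTO=UDP SPT=40001 DPT=53
Jan 10 08:00:02 fw kernel: IOT-OUT SRC=192.168.10.20 DST=52.54.245.47 PROTO=TCP SPT=40002 DPT=443
Jan 10 08:00:03 fw kernel: IOT-OUT SRC=192.168.10.20 DST=52.54.245.47 PROTO=TCP SPT=40003 DPT=8000
Jan 10 08:05:00 fw kernel: IOT-OUT SRC=192.168.10.20 DST=203.0.113.5 PROTO=UDP SPT=123 DPT=123
Jan 10 08:06:00 fw kernel: IOT-OUT SRC=192.168.10.31 DST=198.51.100.9 PROTO=TCP SPT=50000 DPT=80
Jan 10 09:00:02 fw kernel: IOT-OUT SRC=192.168.10.20 DST=52.54.245.47 PROTO=TCP SPT=40010 DPT=443
Jan 10 09:00:05 fw kernel: IOT-OUT SRC=192.168.10.20 DST=203.0.113.9 PROTO=ICMP TYPE=8 CODE=0
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")


def summarize(log_text, src_ip=ISY_IP):
    """Count outbound flows from src_ip as (dst, proto, dport) tuples."""
    flows = Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        # Skip other devices and entries without a destination port (e.g. ICMP).
        if f.get("SRC") != src_ip or "DPT" not in f:
            continue
        flows[(f["DST"], f["PROTO"], int(f["DPT"]))] += 1
    return flows


def report(flows):
    """One line per distinct destination, labelled for allow-list review."""
    return [
        f"{dst} {proto}/{port} ({KNOWN.get(port, 'review')}) x{n}"
        for (dst, proto, port), n in sorted(flows.items())
    ]


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

Because the portal's address can change, as the reply above notes, each logged IP should be traced back to the hostname the ISY resolved before it is turned into a rule.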

 

 

 

 

 

 

This topic is now closed to further replies.
