Network ports

From SpinetiX Support Wiki

Jump to: navigation, search

This article is about the logical network ports used by the player. For physical Ethernet port interfaces on the player, please see the HMP page.

Introduction

In computer networking, a port is an endpoint of communication. Physical and wireless connections are terminated at ports of hardware devices. At the software level, within an operating system, a port is a logical construct that identifies a specific process or a type of network service. The software port is always associated with an IP address of a host and the protocol type of the communication.

Ports provide a multiplexing service for multiple services or multiple communication sessions at one network address. Specific port numbers are commonly reserved to identify specific services. The most commonly used protocols that use ports are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).

A firewall can reside on your local machine, on your router, or as part of your corporate network. Your computer's firewall controls the network traffic in and out of that machine. A network firewall typically establishes a barrier between a trusted internal network and untrusted external network, such as the Internet.

Generic network diagram with SpinetiX players and Elementi software.

You can also download this diagram in PDF format.

Player services

The following logical network ports are used by the players' services:

Type Port Service description
TCP 80 HTTP access to the embedded web server (player web interface, HMP Control Center, RPC etc.) of the player.
TCP 443 Secure HTTP (HTTPS) access to the embedded web server of the player. Added in firmware 4.0.0.
TCP 81 WebDAV access to the player content server for publishing from Elementi or other WebDAV clients.
TCP 9802 Secure WebDAV access to the player content server for publishing from Elementi or other WebDAV clients. Added in firmware 4.0.0.
TCP 1234 TCP / HTTP access to the legacy end-point of the Shared Variables Network API. This is not enabled by default. The default port can be freely modified.
TCP, UDP 5684 Secure CoAP access to the Shared Variables Network API. This is not enabled by default. Added in firmware 4.3.0.
TCP, UDP 161 SNMP monitoring. This is not enabled by default.
UDP 68 DHCP to request IP addresses and networking parameters automatically. Disabled when static IP configuration is used.
UDP 123 NTP for internal clock synchronization.
UDP 1900 SSDP / UPnP device discovery. Added in firmware 4.1.0.
UDP 5353 Multicast DNS (Bonjour) device discovery.
TCP, UDP 5355 LLMNR (Windows compatible local name resolution). Added in firmware 4.7.1.
Note Note:
All the above services can be disabled from Control Center and some are not even enabled by default; the port UDP 123 however remains opened even when NTP is not used.

Network firewall

Network firewalls filter traffic between two or more networks and are positioned on the gateway computers of LANs, WANs, and intranets. A network firewall typically establishes a barrier between a trusted internal network and untrusted external network, such as the Internet.

No ports need to be opened on the network firewall for inbound traffic, unless you specifically want to allow remote access to the player. The following standard ports should be opened for outbound traffic from the players towards external destinations:

Type Port Service description
TCP 80 HTTP access to external web servers, such as SpinetiX firmware update server, data feeds, etc.
TCP 443 Secure HTTP (HTTPS) access to Cockpit, data feeds, SpinetiX ARYA, DSOS license activation, and other services on SpinetiX cloud infrastructure, etc.
TCP 8883 MQTT access to SpinetiX cloud infrastructure. Added in firmware 4.4.0.
UDP 123 NTP for internal clock synchronization.
Note Warning:
Opening or closing ports on the network firewall controls access for ALL devices on that network.
Note Note:
SpinetiX players can be configured to use an HTTP proxy (with basic username/password authentication) for HTTP traffic, but services like MQTT require the respective port to be opened on the firewall for direct connection from the players.

SpinetiX ARYA

ARYA is SpinetiX's cloud-based visual communication solution, easy to use and accessible from anywhere from a browser from any device and at any time. The DSOS players are using standard network protocols and ports (listed above) to communicate with the SpinetiX cloud.

For networks that have very strict access rules to the Internet, an extended list of services, protocols, ports, and hostnames used by DSOS players and web clients to connect to SpinetiX ARYA, is provided below. You can also download this diagram in PDF format.

Network diagram for SpinetiX ARYA
Note Notes:
  • All connections are outgoing and initiated by the DSOS player or the web client
  • IP filtering is not possible as all names resolve to dynamic IP addresses due to round-robin, GeoDNS, and load balancing
  • TLS inspection is possible, except for the MQTT and AWS Credential provider services, as these use client-certificate authentication
  • If MQTT is blocked, players will work in a degraded mode (Slow Sync) where each update or request to the player from ARYA is delayed by several minutes.
  • Any names under the services.spinetix.com domain (i.e. matching the *.services.spinetix.com pattern) should be allowed as other services may be added or some existing ones (like *.cloudfront.net or *.amazonaws.com) may be moved under that domain in the future without prior notice.

Computer firewall

Your computer's firewall controls the network traffic in and out of that machine. It might be restricted or totally available to you and some / all firewall rules might be set through group policies.

Most of the ports detailed above are standard ports, so they should already be opened. If not, to access the player services detailed above, the corresponding ports must be opened for outbound traffic; some of them might also need to be opened for inbound traffic, for instance the ones related to Shared Variables and SNMP monitoring.

Elementi

If Elementi is installed and used, some additional ports might need to be opened, such as:

Type Port Service description
TCP 80 HTTP access to external web services like data feeds, external web servers, etc.
TCP 443 Secure HTTP (HTTPS) access for license activation, software update, publishing to ARYA, etc.
TCP 81 Publishing onto the players using WebDAV.
TCP 9802 Publishing onto the players using Secure WebDAV. Added in Elementi 2015.
UDP 1900 Device discovery using SSDP / UPnP. Added in Elementi 2016.
UDP 5353 Device discovery using Multicast DNS (Bonjour).
TCP, UDP 5684 Secure CoAP access to the Shared Variables Network API. This applies to Elementi 2018 X only, and it is not enabled by default.
TCP 1234 TCP / HTTP access to the legacy end-point of the Shared Variables Network API. This applies to Elementi X only, it is not enabled by default, and the default 1234 port can be freely modified.
Note Note:
Other ports might need to be opened in case of accessing streaming media sources.
This page was last modified on 28 February 2023, at 16:35.