Introduction

This quick guide describes the network and security features available on Irisys Vector devices, and specifically the port numbers required for the various functions you might want to use. The information is intended for infrastructure planning and network routing, and shows that the Vector device is a modern, secure IoT (internet of things) platform designed for use on high-speed retail and commercial networks.

Note that the inbound and outbound port lists shown below are the maximum set of ports you could ever require; they are not a list of ports that must all be available/open. If a particular function is not required, the port that provides it does not need to be enabled.

Encryption process

For data in transit, the Vector 4D uses TLS 1.2 encryption as standard; this is invoked automatically for web traffic over HTTPS and is also used for proprietary data communication with Irisys tools (e.g. Estate Manager). A self-signed certificate is used by default, but it can be replaced with an uploaded third-party certificate; this is recommended if HTTPS is used for the web interface or REST API.

MQTT also uses TLS 1.2 encryption, if enabled.

See the Security section for details of uploading your own certificates.
TLS 1.3 (RFC 8446) is not supported.

Vector Initial Configuration

On installation, Vectors are configured for their installed environment. Vector 4D supports a local, embedded, web browser-based configuration tool. Alternatively, an installed version of the setup tool can be used if preferred.

Access to the configuration is password protected. The password is randomly assigned at the time of manufacture using a strong password policy that requires a mix of upper- and lower-case characters, numbers and symbols, and a minimum length.

Port Number | UDP/TCP | Purpose
80 | TCP | Required when configuring via a web browser connection
4505 (configurable) | TCP | Required when configuring via the Irisys RIFT.exe (installed version)

Note: if you choose to disable unencrypted web traffic on port 80 and use secure traffic on port 443 instead, you will need to provide a signed certificate for the HTTPS traffic.
The RIFT.exe software connects over port 4505 by default, but this can be changed if required, for example to reach several devices behind a single gateway, each on a different port, using only the gateway's IP address. In these cases the gateway must be configured to port forward: 4505 to one device, 4506 to the second, and so on. Note that not all gateways provide this functionality, and port forwarding from outside the network in this way may be considered a security risk.

Data Access

Access to count data is restricted by a number of different methods, depending on the type of access required.

REST API

Port Number | UDP/TCP | Purpose
4505 | TCP | Encrypted (TLS) data (Inbound)

Data access via the REST API is restricted by a Web API Key, which is only accessible if the configuration password is known. The API key can be regenerated at any time to prevent or restrict access if required.

HTTP Post (HTTPS)

Port Number | UDP/TCP | Purpose
80 | TCP | HTTP Post default port (Outbound)
443 | TCP | HTTPS secure Post default port (Outbound)

Today, most websites use HTTPS, a more secure version of the HTTP protocol that uses port 443. Port 443 carries data over an encrypted connection, while port 80 carries data in plain text.

HTTP posting of data requires configuring the device with the destination web location. HTTP posting also supports security features such as user credentials, TLS encryption and authentication/authorization tokens.

MQTT

Port Number | UDP/TCP | Purpose
1883 (configurable) | TCP | MQTT protocol for real-time data metric transmission to a third-party broker
8883 (configurable) | TCP | MQTT with data sent encrypted over TLS

Sending data over MQTT requires configuring the device with the MQTT broker details. MQTT also supports security features such as user credentials, TLS encryption and authentication/authorization tokens.
Plain MQTT sends access credentials in clear text, so using the MQTT-over-SSL port 8883 is strongly recommended in security-conscious environments.
Although the MQTT ports are configurable, TCP/IP port 1883 is reserved with the Internet Assigned Numbers Authority (IANA) for use with MQTT, and TCP/IP port 8883 is also registered, for MQTT over SSL. These are therefore the recommended defaults to use.

BACnet

Port Number | UDP/TCP | Purpose
47808 (configurable) | UDP | BACnet/IP devices use this UDP port by default but may be configured to use a different number if necessary

By their nature, BACnet-enabled BMS controllers will be on the same network (same building) as the Vectors, so this port is internal only.

Port 47808 is 0xBAC0 in hexadecimal.

Sending data over BACnet requires configuring the device with the BACnet Device ID and port information.

Internal Communication Ports

Port Number | UDP/TCP | Purpose
5005, 5006 | UDP | Inter-device communication for wider multi-unit installations

The two ports 5005 and 5006 are used by devices working together on a Multi-Unit network (or Wide Tracker). They are used both for configuring the master/node assignment at installation time and during operation, when the node devices send their target data to the master device for processing, and ultimately for tracking and counting.

Whilst it is unusual for UDP ports 5005 and 5006 to be intentionally blocked, doing so will prevent units installed across a wide opening or in an 'array' configuration from working together as intended.

DNS Support

If using URLs for any of the outbound connections then access to a DNS server will be required. This uses the standard DNS port 53.

Port Number | UDP/TCP | Purpose
53 | UDP | DNS, for IP address lookup from a URL

It would be unusual for this port to be blocked, as DNS is required for the vast majority of web traffic.

Hostname Support

Vectors allow configuration of a Hostname for easy connection via web browser on the local network.

Port Number | UDP/TCP | Purpose
5353 | UDP | mDNS (Multicast DNS), required for using on-device hostnames

Note that it is very common for hostname (mDNS) support to be disabled by default on corporate networks.

Time Server Support

Port Number | UDP/TCP | Purpose
123 | UDP | NTP, only required for time server access

Port 123 must be available/enabled if time synchronization via an NTP server connection is required.

Time synchronization can alternatively be provided automatically by an Estate Manager connection, if one is configured.
Time synchronization is also available via the REST API if required.
Having more than one time sync mechanism will cause the clock to be changed unnecessarily often, which could lead to a failure of the clock IC inside the Vector. Therefore do not configure an NTP server if you are using Estate Manager or plan to synchronize time via the REST API.
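As an added illustration (not Irisys code) of the guide's point that only the ports for enabled functions need opening, the following Python maps a chosen set of functions to the minimum inbound and outbound ports listed above, and flags the combinations this guide warns about: plaintext MQTT on 1883, HTTPS on 443 without a signed certificate, URL-based outbound endpoints without DNS, and more than one time sync source. The feature names are invented here, and directions the guide does not state (it gives them only for REST API and HTTP Post) are inferred from which side opens the connection.

```python
"""Minimal port plan for an Irisys Vector 4D from this guide's port list.
Added example, not Irisys code; feature names and inferred directions are
assumptions made here (the guide states direction only for REST API and HTTP Post)."""

# (direction, port, protocol) per feature, ports as listed in the guide.
FEATURES = {
    "web_config_http":  [("in", 80, "TCP")],
    "web_config_https": [("in", 443, "TCP")],
    "rift_config":      [("in", 4505, "TCP")],   # default, configurable
    "rest_api":         [("in", 4505, "TCP")],
    "http_post":        [("out", 80, "TCP")],
    "https_post":       [("out", 443, "TCP")],
    "mqtt_plain":       [("out", 1883, "TCP")],
    "mqtt_tls":         [("out", 8883, "TCP")],
    "bacnet":           [("in", 47808, "UDP")],  # building-internal only
    "multi_unit":       [("in", 5005, "UDP"), ("in", 5006, "UDP"),
                         ("out", 5005, "UDP"), ("out", 5006, "UDP")],
    "dns":              [("out", 53, "UDP")],
    "mdns":             [("in", 5353, "UDP")],
    "ntp":              [("out", 123, "UDP")],
}
OUTBOUND_BY_URL = {"http_post", "https_post", "mqtt_plain", "mqtt_tls"}


def plan_ports(enabled, signed_cert=False, other_time_sync=()):
    """Return the inbound/outbound ports the enabled features need, plus
    warnings for the risky combinations this guide calls out.
    other_time_sync: any of 'estate_manager', 'rest_api' used for clock sync."""
    unknown = set(enabled) - FEATURES.keys()
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    rules = {"in": set(), "out": set()}
    for name in enabled:
        for direction, port, proto in FEATURES[name]:
            rules[direction].add((port, proto))
    warnings = []
    if "mqtt_plain" in enabled:
        warnings.append("MQTT on 1883 sends credentials in clear text; use 8883 (TLS)")
    if "web_config_https" in enabled and not signed_cert:
        warnings.append("HTTPS on 443 requires an uploaded signed certificate")
    if "web_config_http" in enabled:
        warnings.append("web configuration over port 80 is unencrypted")
    if OUTBOUND_BY_URL & set(enabled) and "dns" not in enabled:
        warnings.append("outbound endpoints given as URLs need DNS (53/UDP)")
    sync_sources = set(other_time_sync) | ({"ntp"} if "ntp" in enabled else set())
    if len(sync_sources) > 1:
        warnings.append("more than one time sync source configured; use only one")
    return {"in": sorted(rules["in"]), "out": sorted(rules["out"]),
            "warnings": warnings}
```

A plan of `["rest_api", "mqtt_tls", "dns", "ntp"]` yields inbound 4505/TCP and outbound 53/UDP, 123/UDP and 8883/TCP with no warnings, which is the kind of minimal rule set this guide recommends.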