Article for advanced users

Information on this page is intended for users with advanced technical knowledge.

Treon Gateway Deployment behind a Firewall or in a Private Network

Jan 9, 2024 · 11 minutes to read

Applies to: Treon Gateway, Treon Gateway 2, Treon Gateway in Protective Enclosure

When the Treon Gateway is deployed behind a firewall or in a closed network, it is important to make sure that all of its features still work correctly.

Behind a firewall, the correct ports need to be open to allow Treon Gateway services such as the connection test and the device updates to have network access. If the backend is outside the firewall, the correct ports need to be open to allow data flow from the Treon Gateway to the backend.

In a private network, not all services may work, but for some of them, such as the Treon Gateway time service, alternative strategies exist to ensure full functionality.


Overview of Treon Gateway Ports

Purpose                            Domain               Protocol     Port
Sensor data                        configured [1]       HTTP         80
Sensor data                        configured [1]       HTTPS        80, 443
Sensor data                        configured [1]       MQTT         1883
Sensor data                        configured [1]       MQTT         80
Treon diagnostics                  telemetry.treon.fi   HTTPS        8094
Treon remote maintenance access    debug.treon.fi       SSH          >30000 [2]
Local SSH access                   custom [3]           SSH          22
Treon firmware updates             debug.treon.fi       HTTPS        80, 443
Wirepas Network Tool diagnostics   wnt.treon.fi [4]     MQTT         8883
Time service                       provided by DHCP     NTP (UDP)    123
Name resolution                    provided by DHCP     DNS          53
Connection test [5]                google.com [6]       ICMP (ping)  -
Connman connection test [7]        ipv4.connman.net     HTTP         80


[1] The sensor data of nodes connected to the Treon Gateway is sent to the pre-configured domain(s). The table lists multiple sensor data connections via HTTP and MQTT, both secure and non-secure. The exact configuration depends on the individual deployment use case. Treon recommends always using TLS-based connections.
[2] The exact port is not fixed; for security reasons it is uniquely defined for each gateway during production.
[3] Needed to connect to the Treon Gateway via SSH in a local network.
[4] Access for the Wirepas Network Tool (WNT), in case it is in use.
[5] This test is run automatically by the Treon Gateway unless deactivated via the Configuration UI, and determines the green or red status light of the gateway.
[6] google.com is the preset target of the connection test ping and can be changed in the Configuration UI.
[7] ConnMan is the internet connection manager running on the Treon Gateway.


Deployment behind a Firewall

A firewall establishes a barrier between a trusted network and an untrusted network such as the internet. When the Treon Gateway is deployed behind this barrier, certain ports must be open to guarantee full functionality of the product.


Data Transfer

The sensor data of Treon sensors connected to the Treon Gateway within the mesh network is sent to the pre-configured domain(s). Multiple sensor data connections via HTTP and MQTT are possible, both secure and non-secure. The exact configuration depends on the individual deployment use case. Treon recommends always using TLS-based connections.


Connection Test

The Treon Gateway tests its network connection via a ping to google.com. A successful connection test results in a green LED light on the gateway, an unsuccessful test in a red light. While this has no influence on the functionality of the Treon Gateway, it is intended as visual information for the user.

You can disable the ping or change the ping address via the Configuration UI of the Treon Gateway.

Please note that ping uses ICMP (Internet Control Message Protocol), which runs directly on IP rather than on a transport-layer protocol such as TCP or UDP, so it has no port number. Depending on your specific firewall, the ping might get through even if all other traffic is blocked, and the Treon Gateway will show a green light; the green light therefore does not prove that the data connections work.


Connman Connection Test

The Treon Gateway’s connection manager Connman performs its own additional connection test.

Port 80 needs to be open for the test to be successful, but the result has no influence on the functionality of the Treon Gateway. An unsuccessful Connman connection test will show up in the network logs though.


Name Resolution via DNS

For the correct resolution of a domain name to an IP address, the domain name server (DNS) needs to be accessible. In a deployment behind a firewall, port 53 must be open for the Treon Gateway to be able to resolve the server addresses used in its configuration (e.g. the Microsoft Azure connection string or the MQTT broker address).

Alternatively, it is possible to use only IP addresses instead.


Time Service

In order for the Treon Gateway to assign the correct time to all status and measurement messages, the time needs to be set in one of three ways:

  1. The Treon Gateway receives time updates from the time server. In a deployment behind a firewall, port 123 needs to be open to allow access. The time server is set up in the Configuration UI of the gateway.
  2. The time is set manually on the Treon Gateway via the Configuration UI. Please note that the gateway will retain the last time before a reboot or power outage and continue using it after the reboot. This means that the set time will be off by the time that the gateway took to reboot or was without power.
    The Treon Gateway 2 contains a real-time clock (RTC) and a backup battery, so the correct time is kept through a reboot.
  3. A dedicated local time server is operated behind the firewall.

The address of the time server can be changed via the Configuration UI or via an SSH connection to the Treon Gateway.


Treon Remote Maintenance Access

Access to remote maintenance and diagnostics by Treon Support may be blocked when the Treon Gateway is deployed behind a firewall.

The port number for remote maintenance access for a Treon Gateway is above port number 3000. The exact port is unique to each Treon Gateway and defined by Treon for security reasons. Please contact Treon Customer Support to find out the exact port number of your Treon product.


Updating Treon Aito Release for Gateway

When deployed behind a firewall, the Treon Gateway and other Treon products can be updated normally. Simply make sure that port 80 is open in order to allow the update process.

Read more about Treon product updates in our Update section.


Wirepas Network Tool Diagnostics

In case the Wirepas Network Tool (WNT) software needs to have access to the Treon products behind the firewall, make sure that port 8883 is open.


Conclusion: Deployment behind Firewall

To ensure the functionality and successful data transfer, the minimum requirements for a deployment of the Treon Gateway are:

  • MQTT traffic is possible.
  • DNS is available or IP addresses are set directly.
  • Time management is handled in one of 3 ways: NTP port 123 open, time set manually, or a dedicated local time server.
  • For updates, the Treon Gateway needs to be connected to the internet.
  • Treon Support maintenance access is only possible when the correct port is open.
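Before installing the gateway, it is useful to verify from a host on the same network segment that the firewall actually passes the egress listed in the port table. The following script is an added example, not Treon's own tooling: the hostnames and ports come from the table above, the helper names are hypothetical, and the NTP pool address is an assumption to be replaced with the time server set in the Configuration UI.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
# (purpose, host, port) for the TCP-based services in the port table above; connecting by
# hostname also exercises DNS (port 53), so a failure here can be either DNS or the firewall
TCP_CHECKS = [
    ("Treon diagnostics", "telemetry.treon.fi", 8094),
    ("Treon firmware updates", "debug.treon.fi", 443),
    ("Wirepas Network Tool diagnostics", "wnt.treon.fi", 8883),
    ("Connman connection test", "ipv4.connman.net", 80),
]
def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes, i.e. the firewall allows the egress."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def ntp_request():
    """48-byte SNTP client packet: first byte encodes LI=0, version 4, mode 3 (client)."""
    return bytes([0x23]) + bytes(47)

def parse_ntp_time(data):
    """Unix time from the server's Transmit Timestamp (bytes 40..47, 32.32 fixed point)."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    secs, frac = struct.unpack("!II", data[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / 2**32

def ntp_reachable(server, timeout=3.0):
    """True if server answers on UDP 123 with a time within a day of the local clock."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(ntp_request(), (server, 123))
            data, _ = sock.recvfrom(48)
            return abs(parse_ntp_time(data) - time.time()) < 86400
        except (OSError, ValueError):
            return False

def run_checks(ntp_server="pool.ntp.org"):  # assumed pool; use the server set in the Configuration UI
    """Service -> reachable. A failed 'Time service' means fall back to a local NTP server or a
    manually set time. ICMP has no port, so check the ping target with the system ping tool."""
    results = {purpose: tcp_reachable(host, port) for purpose, host, port in TCP_CHECKS}
    results["Time service"] = ntp_reachable(ntp_server)
    return results
```

Run `run_checks()` from the deployment site; every False entry maps to one of the sections above and tells you which port is still blocked or which fallback (local NTP, manual time, fixed IP addresses) you need.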


Deployment in a Private Network

A private network means that the Treon Gateway is deployed in a closed network environment without any access to the internet. The sensor and maintenance data is sent to and from a backend which is also located within the private network.

Due to a multitude of potential technical environments and setups, we recommend to check with the IT department responsible for the deployment site how the network is configured.


Data Transfer

The sensor data of Treon sensors connected to the Treon Gateway within the mesh network is sent to the pre-configured IP address (or domain if a local DNS is used) for the backend brokers.

If there is no DHCP server in the internal network, the DHCP client needs to be disabled in the Configuration UI of the Treon Gateway.


Connection Test

The Treon Gateway tests its network connection via a ping to google.com. A successful connection test results in a green LED light on the gateway, an unsuccessful test in a red light. While this has no influence on the functionality of the Treon Gateway, it is intended as visual information for the user.

In a private network, the connection test will fail due to the lack of internet access, and the Treon Gateway will show a red connection LED light.

You can disable the ping or change its target to an IP address in the internal network via the Configuration UI of the Treon Gateway.


Connman Connection Test

The Treon Gateway’s connection manager Connman performs its own additional connection test.

In a private network, the Connman connection test will fail, which has no influence on the functionality of the Treon Gateway. An unsuccessful Connman connection test will show up in the network logs though.


Name Resolution via DNS

If a local domain name server is used, it needs to be set in the Configuration UI of the Treon Gateway.

If no local domain name server is available, the correct IP addresses need to be used throughout the whole configuration of the Treon Gateway. The DHCP client in the Configuration UI needs to be disabled.


Time Server

Without access to an online time service, either a local time server needs to be used or the time needs to be set manually in order for the Treon Gateway to assign the correct time to all status and measurement messages.

If a local time server is used, please set it in the Configuration UI of the Treon Gateway.

If no local time server is available, the time needs to be set manually. Please note that the Treon Gateway will retain the last time before a reboot or power outage and continue using it after the reboot. This means that the set time will be off by the time that the gateway took to reboot or was without power.


Treon Remote Maintenance Access

When deployed in a private network, the Treon Gateway cannot be accessed remotely for maintenance and diagnostic work by Treon Support.

If necessary, the best workaround is to take the Treon Gateway out of the private network and connect it via a public network for the duration of the remote session, for example through a cellular (SIM) connection or an Ethernet connection to a router with internet access.


Updating Treon Aito Release for Gateway

Within a private network, the Treon Gateway and other Treon products cannot be updated because they have no access to Treon’s update server.

The best strategy in most cases is to connect the Treon Gateway to the internet via cellular (SIM) connection temporarily until the update process has finished.

Alternatively, the Treon Gateway can be taken out of the mesh network for a limited time, during which no data is collected or forwarded to the backend, and connected to a router that has internet access via Ethernet or Wi-Fi connection. This way, the Treon Gateway can be updated. If you would like to use this method to update other Treon products within the mesh network as well, please contact Treon Support to discuss an update strategy suitable for your deployment.


Conclusion: Deployment in a Private Network

To ensure the functionality and successful data transfer, the minimum requirements for a deployment of the Treon Gateway are:

  • MQTT traffic to the backend is possible.
  • Local DNS is available or IP addresses are set directly.
  • Time management is handled in one of 2 ways: the time is set manually, or a dedicated local time server is used.
  • For updates, the Treon Gateway needs to be connected to the internet.
  • Treon Support maintenance access is only possible if the Treon Gateway is temporarily connected to the internet.


Deployment with Cellular (SIM) Connection

In certain technical deployment environments it might not be possible to grant the Treon Gateway the level of network access needed to guarantee full functionality of all services and the transfer of sensor data to the backend.

As an alternative strategy, the Treon Gateway can be deployed using a cellular (SIM) connection. This way, the gateway has full network access without using the IT infrastructure at the deployment site.


Treon Support

You still have questions? Our dedicated team of experts is happy to help you! Please contact Treon Support directly by e-mail.
