How the Lenze x500 series connects to the Cloud

The x500 uses outgoing port(s) to establish a secure connection to the X4 Cloud. This means there is no need to open any incoming ports in your firewall.

How to grant the x500 access?

Easy method: automatic updates

You may create an exception in your firewall for the domain name and the ports & protocols mentioned below, to grant your x500 the access it needs.

With time, some servers may be removed or added to benefit the service. We try hard to keep these changes to a minimum.

If we add a server, we simply add a DNS record. Your firewall will re-check the domain once the TTL expires. Within an hour your firewall will be up-to-date and allow traffic to the new IP address.

Likewise, if we remove a server, we will remove its DNS record, and your firewall will block any traffic to this IP address.

Alternative method: manual updates

You can perform a DNS lookup (nslookup) on the domain name mentioned below to get an IP list of all current X4 servers. You can then create exceptions for these IP addresses, in combination with the ports & protocols mentioned below, to grant the x500 the access it needs.

With time, some servers may be removed or added to benefit the service. We try hard to keep these changes to a minimum.

Please keep your firewall rules/exceptions up-to-date by periodically performing a DNS lookup and checking for changes to maintain optimal remote service accessibility.
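The periodic check described above can be scripted. The following is an added example, not Lenze tooling: it resolves the domain, compares the answer with the addresses your firewall currently allows, and refuses to act on an empty or implausible DNS answer. The function names and the allowlist file (one IP address per line) are assumptions.

```python
import ipaddress
import socket
import sys

DOMAIN = "whitelist.ayayot.com"  # domain name given on this page
PORTS = (443,)                   # outbound TCP 443; add 8443 only with stealth mode (footnote 2)

def resolve_ipv4(domain=DOMAIN):
    """Return the IPv4 addresses currently published for the domain (needs network)."""
    infos = socket.getaddrinfo(domain, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def _normalise(ips):
    """Parse and validate addresses; ValueError on anything that is not an IP."""
    return {str(ipaddress.ip_address(ip.strip())) for ip in ips}

def plan_update(allowed, resolved):
    """Diff the firewall allowlist against a fresh DNS answer.

    Returns (to_add, to_remove) as sorted lists of strings. Raises ValueError
    so that a failed or tampered lookup never empties or widens the allowlist.
    """
    if not resolved:
        raise ValueError("empty DNS answer; keeping existing rules")
    fresh = _normalise(resolved)
    for ip in fresh:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
            raise ValueError(f"unexpected address in DNS answer: {ip}")
    current = _normalise(allowed)
    key = ipaddress.ip_address
    return sorted(fresh - current, key=key), sorted(current - fresh, key=key)

def rules_for(ips):
    """Expand addresses into (destination, port, transport) outbound exceptions."""
    return [(ip, port, "tcp") for ip in ips for port in PORTS]

if __name__ == "__main__":
    # Hypothetical usage: python check_x4.py x4_allowlist.txt
    with open(sys.argv[1]) as fh:
        allowed = [line for line in fh if line.strip()]
    to_add, to_remove = plan_update(allowed, resolve_ipv4())
    for ip, port, proto in rules_for(to_add):
        print(f"ADD    outbound {proto}/{port} -> {ip}")
    for ip, port, proto in rules_for(to_remove):
        print(f"REMOVE outbound {proto}/{port} -> {ip}")
```

Run it from a scheduler and review the printed changes before applying them to the firewall.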

Servers & domains

X4 Remote servers

The x500 connects to different X4 servers: REST API, MQTT, and OpenVPN servers.

For your convenience, we provide a domain name that resolves to an always up-to-date IP list of all current X4 servers:

  • whitelist.ayayot.com

Information

The aforementioned domain is not meant to be visited in a web browser; the IP addresses of the X4 servers are stored in the domain's DNS record. Your IT department will know how to access the relevant information.

Configured failover?

If your x500 is configured with more than 1 connection type, also called “failover”, then it needs to check whether its connection types (wired, wireless, cellular) provide internet access. It does this by sending a ping request to 4 IP addresses, for each configured connection type.

Below is a list of the IP addresses configured by default. You can change these in the x500’s WAN settings per connection type, if you so prefer.

  • OpenDNS DNS servers:
    • 208.67.222.222
    • 208.67.220.220
  • Google DNS servers:
    • 8.8.8.8
    • 8.8.4.4

Ports & protocols

Below is an overview of the ports and protocols that the x500 utilizes.

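| Direction | Port    | Transport | Application                    |
|-----------|---------|-----------|--------------------------------|
| Outbound  | 443     | TCP       | HTTPS, MQTT (TLS), OpenVPN(1)  |
| Outbound  | 8443(2) | TCP       | HTTPS                          |
| Outbound  | 53(3)   | TCP & UDP | DNS                            |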

(1) The very first packet may be considered unencrypted, as the OpenVPN handshake takes place prior to the TLS handshake. For this reason an exception may be required on firewall rules that block non-SSL traffic over SSL ports.
(2) Only used when stealth mode is activated for connectivity via a censored internet connection (i.e. when located in China).
(3) DNS requests are often handled by local DNS servers. In those cases the listed DNS port can be ignored.

MAC or IP address filter

Internet access may be granted to specific devices, based on their MAC or IP addresses. The x500’s MAC address can be obtained from the label on the side of the router. The IP address can be set to a static IP address. However, by default the IP address is set to be assigned dynamically via DHCP.