The Portal Light, available in three models, is Kontakt.io’s Bluetooth® Low Energy (BLE) to Wi-Fi gateway. It receives and aggregates data from Kontakt.io BLE tags and infrastructure devices, transmitting this data to the Kio Cloud platform over a local Wi-Fi network. Additionally, Portal Lights deliver over-the-air (OTA) firmware and configuration updates.
To allow Portal Light connectivity to the local Wi-Fi network and the Kio Cloud platform, specific network requirements must be met. The following information outlines these requirements, including the supported network communication protocols, firewall configurations, and port settings.
To meet network security and protocol standards, the Portal Light supports an array of options for secure network connectivity.
-
Wireless networking protocols: 802.11 b/g/n (802.11n up to 150 Mbps) | Portal Light: 2.4 ~ 2.5 GHz | Portal Light 2 models: 2.4 and 5 GHz
-
Wireless security protocols: Open, WEP, WPA (TKIP & AES), WPA2 (TKIP & AES) - Personal and Enterprise modes
-
Wireless authentication protocols: EAP-TLS, EAP-TTLS (MSCHAPv2), PEAP v0 (MSCHAPv2)
-
Network communication protocols: Hypertext Transfer Protocol Secure (HTTPS)/TLS 1.2
-
IP addressing: Dynamic Host Configuration Protocol (DHCP)
-
Data Packet Size: typically less than 6 kilobytes (kB) per second
The Kio Cloud platform runs on the Amazon Web Services (AWS) cloud infrastructure. Organizations with network firewalls in place must proactively allow outbound network communication and file downloads through specific Kio Cloud Domains and URLs.
Important
Kio Cloud is a high-availability (HA) platform that may change IP addresses at anytime. Therefore, the use of firewall IP addressing filtering is not supported.
If the firewall support wildcards:
|
US (United States) environment |
UK (United Kingdom) environment |
|
|---|---|---|
|
Domain filters |
*.api.kontakt.io *.event.cloud.us.kontakt.io *.software.kontakt.io *.gateway.cloud.us.kontakt.io |
*.dm-api.cloud.uk.kontakt.io *.event.cloud.uk.kontakt.io *.software.kontakt.io *.gateway.cloud.uk.kontakt.io |
|
URL filters |
https://*.kontakt.io |
https://*.kontakt.io |
If the firewall does not support wildcards:
|
US (United States) environment |
UK (United Kingdom) environment |
|
|---|---|---|
|
Domain filters |
api.kontakt.io event.cloud.us.kontakt.io software.kontakt.io gateway.cloud.us.kontakt.io |
dm-api.cloud.uk.kontakt.io event.cloud.uk.kontakt.io software.kontakt.io gateway.cloud.uk.kontakt.io |
|
URL filters |
https://api.kontakt.io https://event.cloud.us.kontakt.io https://software.kontakt.io https://gateway.cloud.us.kontakt.io |
https://dm-api.cloud.uk.kontakt.io https://event.cloud.uk.kontakt.io https://software.kontakt.io https://gateway.cloud.uk.kontakt.io |
Note
api.kontakt.io | dm-api.cloud.kontakt.io > Kio Cloud APIs, SDKs, Stream integration, Kio Setup Manager
event.cloud.us.kontakt.io | event.cloud.uk.kontakt.io > Portal Light data transmission
software.kontakt.io > Portal Light firmware distribution updates
gateway.cloud.us.kontakt.io | gateway.cloud.uk.kontakt.io > Proxy server for the apiHost and dataHost
A Portal Light communicates to Kio Cloud over a facility's network using the HTTPS protocol. Data is encrypted in transit and all sensitive data is encrypted at rest. An outbound HTTPS connection is established by a Portal Light and once completed the IP address is released.
The following ports are required to be open to allow for outgoing communication from the facility network.
-
Port TCP 443: required to be open to allow Hypertext Transfer Protocol over TLS/SSL (HTTPS) communication with Kio Cloud
-
Port UDP 123: required to be open to allow Portal Lights to connect to an external Network Time Protocol (NTP) time source (pool.ntp.org; time.google.com)
Note
Use of an internal NTP server is also supported; configuration is completed by Kontakt.io.
When deploying Kontakt.io Portal Lights within an enterprise network, Kontakt.io recommends the utilization of a Virtual Local Area Network (VLAN) to optimize security, streamline operations, and simplify management for your IoT ecosystem. Using VLANs for specific IoT (Internet of Things) devices in an enterprise environment, including not relying solely on MAC address filtering, offers several benefits that contribute to better security, performance, and management of the network.
By placing Kontakt.io Portal Light devices on a VLAN, there are several key advantages including:
-
Complete Network Isolation. The setup ensures a clear demarcation between the standard corporate network and IoT devices. This guarantees that data traffic associated with employee or patient data remains entirely separate from IoT device data.
-
Prevention of Unauthorized Access. The arrangement eliminates any possibility of IoT devices gaining access to network file servers, printers, code repositories, or other resources not specifically designated for IoT devices. This ensures that IoT devices can only see the other IoT devices.
-
Zero Additional Cost. The implementation of this solution does not require the incorporation of extra network infrastructure. Modern networking equipment, including a single set of Wireless Access Points, can efficiently serve multiple VLANs created for distinct purposes, such as accommodating IoT devices.
-
Customized Configuration and Security. The IoT VLAN can be tailored to the unique requirements of IoT devices. This configuration, encompassing SSIDs, passwords, firewall rules, etc., has no bearing on the corporate network. For instance, the IoT network can be restricted to communication with approved URLs, while the corporate network retains more lenient policies to facilitate unrestricted access for employees and other users.
-
No Need for Whitelisting. While it's feasible to manually whitelist IoT devices using their MAC addresses and then configure corresponding firewall rules, this approach is both unwieldy and prone to errors. A more effective strategy involves segregating IoT devices on their own VLAN, thereby establishing a comprehensive security protocol for the entire IoT network. This avoids complications arising from incorrect MAC address configurations when devices are replaced or added over time.