Ray Appliances are cloud-controlled and use Amazon Web Services (AWS) for it. There are certain network requirements for connecting to Ray cloud servers. If your business cannot do the below, we unfortunately cannot support your cloud setup. If you have done the below and you are still unable to send messages, please contact us.
Ray requires a long-lived TCP connection. Occasional requests will be made so the connection does not stay idle. However, you will have to ensure that your firewall, router, security, etc. do not terminate long-lived TCP connections.
This document covers
- Ports
- Protocols
- Domains
- IP Addresses
Ports
Incoming Traffic
Your business's firewall can still protect from incoming traffic as normal.
Outgoing Traffic
There are two ports used for outgoing traffic
8884 (mqttcloud.ray.life)
443 (hubcloud.ray.life)
80 (pushprox.ray.life)
They are not listening or used for incoming traffic.
Protocols
The Ray Appliances use the following protocols:
MQTT
HTTPS
Ping
Ray uses the MQTT protocol for communication between the Appliances & the Controller. MQTT is an open OASIS and ISO standard lightweight, publish-subscribe network protocol that transports messages between devices. The required ports should be open and whitelisted for all outgoing traffic. Some firewalls and proxies terminate non-SSL connections which will interfere with the appliances' ability to connect to Ray Controller.
Ray uses HTTPS during the registration step and it is necessary for restarts. We do not recommend blocking HTTPS after registration because you never know when you will have to re-register or restart your appliance.
Ray uses the Ping protocol as one of the steps in the network performance test.
Domains
Whitelisting can be done by hostname rather than IP address. Ray requires connectivity to
time1.google.com (NTP Server)
time2.google.com (NTP Server)
time3.google.com (NTP Server)
time4.google.com (NTP Server)
IP Addresses
Depending on your firewall and how it functions, just whitelisting the hostnames may not work and you will need to whitelist all IP addresses instead.
Examples of firewall behavior that will not work with just hostname whitelisting are:
Firewalls that run a DNS query (against the DNS configured in your data center) and use the resulting IPs in the whitelist; Firewalls that look for outbound DNS queries from machines in the data center and use IP addresses that are seen in the response to the whitelist; Firewalls that look for hostnames in the HTTP/HTTPS handshake.
In the event that your firewall exhibits one of these behaviors, you would need to use IP whitelisting.
You need to contact us at support@ray.life if you need the list of IP addresses.
You can try to allow all of the IP addresses. However, it is best to just allow all outgoing traffic and connections from the above ports.