
Firewall

An Ethernet connection with DHCP must be used to connect the Smart Hub (ACU) or Single Door Controller (SDC) to the Local Area Network (LAN). You must also configure firewall settings to communicate with the Avigilon Alta system. Avigilon Alta uses the following outbound ports:

  • TCP port 443

  • UDP port 123

For the best audio and video quality on the Video Reader Pro and Video Intercom Reader Pro, we also recommend allowing the additional outbound UDP ports in the list below. Also ensure that UDP hole-punching is enabled (or disable symmetric NAT).

  • TCP port 443

  • UDP port 123

  • UDP port 3478 - TURN/UDP servers that assist in establishing connectivity

  • UDP 50000 - 60000 - UDP connection for WebRTC

Note: Fortinet firewalls have antivirus software pre-configured to run on the firewall. That antivirus blocks all AWS traffic by default, so AWS will need to be whitelisted.

Note: If using an external DNS server, outbound UDP port 53 must also be open.

To support Wi-Fi unlocking from the mobile app, the ACU/SDC's inbound TCP port 443 must be available from within the LAN. Inbound port forwarding on the router, firewall, or NAT device is unnecessary.

We do not allow HTTPS certificate rewriting or TLS/SSL inspection.
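As an added example (not Avigilon's code), the Python sketch below checks a first-match egress rule list against the outbound ports listed above and reports every required port span that the policy would drop. The rule tuple format, the function names and the sample policy are constructed for illustration.

```python
"""Audit an egress policy against the outbound ports listed on this page."""

def required_flows(video_reader=False, external_dns=False):
    """Outbound (proto, low_port, high_port) spans taken from the lists above."""
    flows = [("tcp", 443, 443), ("udp", 123, 123)]
    if video_reader:          # Video Reader Pro / Video Intercom Reader Pro
        flows += [("udp", 3478, 3478), ("udp", 50000, 60000)]
    if external_dns:          # only when an external DNS server is used
        flows.append(("udp", 53, 53))
    return flows

def decide(rules, proto, port):
    """First-match evaluation; unmatched traffic is dropped (default deny)."""
    for r_proto, low, high, action in rules:
        if r_proto == proto and low <= port <= high:
            return action
    return "drop"

def blocked_flows(rules, video_reader=False, external_dns=False):
    """Return the (proto, first_port, last_port) spans of required traffic that are dropped."""
    gaps = []
    for proto, low, high in required_flows(video_reader, external_dns):
        start = None
        for port in range(low, high + 1):
            dropped = decide(rules, proto, port) != "accept"
            if dropped and start is None:
                start = port
            elif not dropped and start is not None:
                gaps.append((proto, start, port - 1))
                start = None
        if start is not None:
            gaps.append((proto, start, high))
    return gaps

# Constructed sample policy: (proto, low_port, high_port, action), evaluated top-down.
SAMPLE_POLICY = [
    ("tcp", 443, 443, "accept"),
    ("udp", 123, 123, "accept"),
    ("udp", 3478, 3478, "accept"),
    ("udp", 55000, 55999, "drop"),    # stale block rule shadowing part of the WebRTC range
    ("udp", 50000, 60000, "accept"),
]

if __name__ == "__main__":
    for proto, first, last in blocked_flows(SAMPLE_POLICY, video_reader=True, external_dns=True):
        print(f"blocked: outbound {proto} {first}-{last}")
```

Because rules are evaluated first-match, the stale drop rule hides part of the WebRTC range even though a later rule allows all of it; auditing per port catches that kind of shadowing.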

IP Address

We do not provide an IP range or FQDN list of Avigilon Alta hostnames for Basic and Premium licenses. Most hostnames resolve to dynamic IPs and the hostnames themselves change during provisioning and configuration update processes. If you wish to segregate traffic from your Avigilon controllers, you can enable a DMZ for the controllers to separate their traffic.

Static Cloud IP

For Enterprise Licenses we offer a Static Cloud IP. This allows organizations with strict network firewall policies to easily open only a few IP addresses to allow Alta Access hardware (ACU/SDC) to connect to the cloud.
This release includes a new version of the Openpath Admin app, which allows for the provisioning of ACU/SDC devices behind an already restricted firewall.

Video Reader / Video Intercom Reader network security best practices

Protecting edge devices

  • PoE access control readers, like the Video Reader Pro / Video Intercom Reader Pro, require a wired network connection installed on the unsecured side of a door. To remove the risk of an attacker gaining access to the local network via the network connection if they’re able to remove the reader from the wall, Avigilon Alta recommends that your IT team place the exposed Ethernet port on a demilitarized zone (DMZ) or perimeter network.

Improving network reliability

  • To improve reliability during some network outage conditions (such as a router outage), you should set static IPs on both the Video Reader Pro and its Remote ACU(s).

Information: Recommended upload speeds for 1 Video Reader Pro or Video Intercom Reader Pro (double for each added Video Reader or Video Intercom Reader), by quality:

  • Low: 1Mb

  • Medium: 2Mb

  • High: 8Mb

We recommend more for the Video Intercom Reader Pro because live streaming and video calls can be used simultaneously and therefore require more bandwidth.
