Firewall Configuration for Secure Networks


2024-08-08

Version 1.1


Description

The Eagle Eye Cloud VMS and its bridge hardware are specifically designed to be highly secure and use only TCP and UDP connections to transmit data to the cloud. If you restrict outbound connections on your local firewall, here is the IPv4 and port information you will need.

Warning
There can be no proxies or similar application-layer filtration devices between the Eagle Eye Bridge and the Internet, and multicast must be enabled so the bridge can detect cameras (if the bridge and cameras are on the same subnet, generally this isn’t a problem). UPNP is NOT required (the bridge won’t use it if enabled).
Info
For further information on the ONVIF camera discovery protocol we use, see this article on WS-Discovery. Web Service Discovery is an OASIS industry standard and generally works without much effort on most internal networks. You should not need to adjust your firewall to get it to work unless there are additional firewalls between your bridge and cameras.

Specifications


Outbound Ports for the Eagle Eye Bridge

The following TCP and UDP ports are used by the Eagle Eye Bridge. All connections are outbound-only, meaning that the bridge connects outbound and never accepts inbound connections (generally, you do NOT need to set up NAT rules).

80/TCP             # Used to discover video termination endpoints in the cloud
443/TCP            # Used to transfer video to the cloud (TLS 1.2+)
773/TCP            # Used to transfer video to the cloud (TLS 1.2+)
8081/TCP           # Used occasionally to test video transfer to the cloud
8082/UDP           # Used to transfer video metadata to the cloud
50000-60000/TCP    # Used occasionally to provide remote troubleshooting and maintenance (Secured via SSL)

Info
Ports 80 and 443 are utilized for firmware management. If these ports are filtered or blocked it can cause failed updates for our systems.
Info
Ports 8081 and 8082 are utilized for the preview stream. If these ports are filtered or blocked, it will impact the preview stream stability and quality.
Info
Eagle Eye utilizes standard ports for our troubleshooting tools (e.g., Ncat and Fping). These may show as being utilized on your network, but rest assured they are only for system maintenance.

Outbound IPs for the Eagle Eye Bridge

Should you need to restrict the Eagle Eye Bridge to a specific set of IP addresses, the following is the list of Eagle Eye IP addresses you should allow, in CIDR format:

IPs
209.94.248.0/26
208.81.96.0/22
216.245.88.0/21
61.120.148.0/25
210.248.158.0/24
218.102.54.64/26
223.197.211.0/25
199.204.51.0/25
62.50.13.192/27
195.81.164.160/27
89.202.213.96/28
167.248.134.0/23
167.94.38.0/23
167.94.228.0/23
192.40.4.0/23
199.45.160.0/22
96.9.120.0/22
96.9.120.0/24
96.9.121.0/24
96.9.122.0/24
96.9.123.0/24

Alert
Ensure that your firewall has our DNS sites whitelisted as well. Those sites are as follows:
*.eagleeyenetworks.com
*.plumv.com
*.eencloud.com
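
As an added example (not Eagle Eye's own tooling), the Python below audits egress flow records from a bridge against the bridge ports and CIDR ranges listed above, and first collapses nested prefixes such as 96.9.120.0/22 and its /24 entries. The "proto dst dport" record format, the function names and the sample flows are assumptions constructed for illustration, and only a subset of the page's CIDR list is embedded.

```python
import ipaddress

# Subset of the bridge CIDR list from this page (use the full list in practice).
BRIDGE_CIDRS = ["208.81.96.0/22", "192.40.4.0/23", "167.248.134.0/23",
                "96.9.120.0/22", "96.9.120.0/24", "96.9.121.0/24"]
# Bridge egress ports from this page: (protocol, first port, last port).
BRIDGE_PORTS = [("tcp", 80, 80), ("tcp", 443, 443), ("tcp", 773, 773),
                ("tcp", 8081, 8081), ("udp", 8082, 8082),
                ("tcp", 50000, 60000)]

def collapse(cidrs):
    """Merge overlapping or nested prefixes into a minimal allowlist."""
    nets = (ipaddress.ip_network(c) for c in cidrs)
    return list(ipaddress.collapse_addresses(nets))

def classify(proto, dst, dport, allowed_nets):
    """Return 'allow', 'bad-destination' or 'bad-port' for one egress flow."""
    addr = ipaddress.ip_address(dst)
    if not any(addr in net for net in allowed_nets):
        return "bad-destination"
    proto, port = proto.lower(), int(dport)
    if any(p == proto and lo <= port <= hi for p, lo, hi in BRIDGE_PORTS):
        return "allow"
    return "bad-port"

def audit(lines, allowed_nets):
    """Parse 'proto dst dport' records and return the non-allowed ones."""
    findings = []
    for line in lines:
        proto, dst, dport = line.split()
        verdict = classify(proto, dst, dport, allowed_nets)
        if verdict != "allow":
            findings.append((line, verdict))
    return findings

# Constructed sample egress records from the bridge (not real traffic).
SAMPLE_FLOWS = [
    "tcp 208.81.97.10 443",     # in range, video transfer port
    "udp 192.40.5.26 8082",     # in range, metadata port
    "tcp 96.9.123.7 55000",     # covered only by the /22, support range
    "tcp 203.0.113.50 443",     # destination outside the allowlist
    "udp 167.248.134.73 443",   # allowed host, but 443 is listed as TCP
    "tcp 192.40.4.124 22",      # allowed host, port not on the list
]

if __name__ == "__main__":
    nets = collapse(BRIDGE_CIDRS)
    print("collapsed allowlist:", [str(n) for n in nets])
    for line, verdict in audit(SAMPLE_FLOWS, nets):
        print(f"{verdict:16} {line}")
```

Flows flagged here are candidates for review in firewall or NetFlow logs; NTP and the DNS names above are outside what this check covers.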


Outbound Ports for the Eagle Eye Web and Mobile Applications

Independent of the bridge, the Eagle Eye Web and Mobile Applications for PCs, tablets, and phones also need to connect to the cloud to retrieve video, set settings, and so on. The ports required for this are:

80/TCP             # HTTP -> SSL Redirect Only
443/TCP            # Web user interface
50000-60000/TCP    # Secure video transfer

The IP addresses are generally the same as for the bridge.


Outbound Ports for CameraDirect

Camera Direct uses the following TCP ports. All connections are outbound-only, meaning that it connects outbound and never accepts inbound connections (so, as a general rule, you do NOT need to set up NAT rules).

80/TCP             # Used to discover video termination endpoints in the cloud
443/TCP            # Used to discover video termination endpoints in the cloud
8181/TCP           # Used to transfer video to the cloud

Eagle Eye Camera Direct Subnets
dispatch1v1.eagleeyenetworks.com (167.248.134.73)
dispatch2v1.cameramanager.com  (167.248.135.100)
dispatch2v1.eagleeyenetworks.com (167.248.135.100)
192.40.4.124
192.40.5.26

In addition to these, the IP addresses listed under “Outbound IPs for the Eagle Eye Bridge” also need to be allowed.


Outbound Ports for 2 Way Audio

443/TCP            # Used to send signals to the device
3478/UDP           # API for
5060/TCP           # Speaker Device Port (Configurable)

Eagle Eye 2 Way Audio Subnets
global.turn.twilio.com
global.stun.twilio.com
signal.cXXX.eagleeyenetworks.com

Notes
Eagle Eye utilizes the 2.centos.pool.ntp.org server for NTP, usually through port 123, as is the standard.

Info


For support please email: support@een.com 

or give us a call at: 512-473-0501
