This page summarizes how to gather shipping information to order an aedifion Edge Device and how to install it on site.
The aedifion Edge Device is an industrial PC that acts as an automation network gateway (which is why it has two Ethernet ports) and provides local computing power for those aedifion services that are sensitive to internet connection losses.
For plug and play installation of the device, aedifion preconfigures its network interfaces before shipping it to you. Therefore please provide the required shipping information.
About firewall security: only outgoing connections from the device to the aedifion servers are needed. Configure your firewall to these minimum requirements to enable the aedifion services.
The installation guide provides the necessary information on how to wire the aedifion Edge Device. Basically, first connect the ethernet cables to the right ports, then plug in power.
For any support, please do not hesitate to contact us!
Before shipping, aedifion's staff preconfigures the device so that it integrates into your plant plug-and-play. This section describes the information we need.
Please provide the name of a contact person and a postal address that aedifion can ship the Edge Device to.
To preconfigure the Edge Device, please provide information about the settings of the network(s) the device will be connected to. The following flow chart helps you determine that information.
Figure 1: Flow chart to determine required network information
Imagine the following setup:
- NewCo's headquarters ordered an aedifion Edge Device.
- The automation network in the headquarters is separated from all other networks, especially those with internet access.
- There is a local network, LocalNet, that has internet access and a DHCP server.
- The automation network, AutoNet, has no DHCP server running.
The following information is needed to preconfigure the aedifion Edge Device:
- The automation network does not have internet access and the aedifion Edge Device will be used as a gateway between the AutoNet and LocalNet.
- AutoNet does not have DHCP, and the settings for a static IP for the Edge Device are:
  - IP: 192.168.100.100
  - Netmask: 255.255.255.0
  - Gateway: 192.168.100.1
- LocalNet runs a DHCP server, and the aedifion Edge Device should obtain its IP address and further settings automatically.
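The static settings above are the ones most often mistyped on an order form, and a device that comes up with an inconsistent address or gateway is unreachable on the automation network. The following script is an added example (not aedifion's code) that checks a static IP/netmask/gateway triple with Python's ipaddress module and renders the two-interface layout of the NewCo scenario as a netplan configuration, which is the network configuration format used on Ubuntu. The interface names eth0 (LocalNet) and eth1 (AutoNet) are assumptions for illustration; the Edge Device's actual interface names are not stated on this page.

```python
import ipaddress

# Assumed interface names for the two Ethernet ports (illustration only).
LOCALNET_IFACE = "eth0"   # network with DHCP and internet access
AUTONET_IFACE = "eth1"    # isolated automation network, static address


def validate_static_settings(ip: str, netmask: str, gateway: str) -> ipaddress.IPv4Interface:
    """Check that IP, netmask and gateway are consistent before sending them in.

    Raises ValueError for the mistakes that most often leave a device unreachable:
    a non-contiguous netmask, a gateway outside the subnet, a gateway equal to the
    device address, or a device address that is the network or broadcast address.
    """
    iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")   # rejects non-contiguous masks
    gw = ipaddress.IPv4Address(gateway)
    net = iface.network
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    if gw == iface.ip:
        raise ValueError("gateway must differ from the device address")
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    return iface


def check_static_settings(ip: str, netmask: str, gateway: str) -> str:
    """Return "" when the settings are consistent, otherwise the reason they are not."""
    try:
        validate_static_settings(ip, netmask, gateway)
    except ValueError as exc:
        return str(exc)
    return ""


def render_netplan(static: ipaddress.IPv4Interface, gateway: str) -> str:
    """Render a netplan config: LocalNet via DHCP, AutoNet with the static address."""
    return "\n".join([
        "network:",
        "  version: 2",
        "  renderer: networkd",
        "  ethernets:",
        f"    {LOCALNET_IFACE}:",
        "      dhcp4: true",
        f"    {AUTONET_IFACE}:",
        "      dhcp4: false",
        "      addresses:",
        f"        - {static.with_prefixlen}",
        "      routes:",
        "        - to: default",
        f"          via: {gateway}",
        "",
    ])


if __name__ == "__main__":
    # Values from the NewCo scenario above.
    settings = validate_static_settings("192.168.100.100", "255.255.255.0", "192.168.100.1")
    print(render_netplan(settings, "192.168.100.1"))
```

The default route is placed on the AutoNet interface here only because the scenario uses the device as the gateway between the two networks; in a deployment where LocalNet provides internet access via DHCP, the default route would normally come from that interface instead, so treat the routes block as a starting point to confirm with aedifion.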
Operating the Edge Device only requires outgoing connections. It does not run any kind of service that exposes your network to the Internet. Thus, any incoming connection requests can be blocked by your firewall.
For outgoing connections, a subset of the following ports has to be allowed:
- Port 22 (SSH): This port is required for the SSH protocol, which we use by default for remote access and maintenance. SSH is the de-facto standard protocol for remote administration in cloud environments and is used in millions of IT systems worldwide. If the customer supplies other means of remote access, e.g., through a VPN connection, allowing outgoing connections on this port is not required.
- Port 53 (DNS): The DNS protocol is used to resolve domain names to IP addresses and is used at different points both by the operating system and aedifion's software stack. If a local DNS server is used, allowing outgoing connections on this port is not required.
- Port 123 (NTP): NTP is a standard protocol for system time synchronization. Time synchronization counters clock drift in order to ensure that timestamps of collected data are accurate. By default, the Edge Device establishes an outgoing connection to the pool of Ubuntu's standard time servers. On request, the Edge Device can use customer-provided local time servers instead. In this case, port 123/TCP may remain closed in the customer's firewall.
- Port 443 (HTTPS): HTTPS (HTTP over TLS) is the standard for secure communication on the Internet, e.g., used to secure online banking, mail accounts, and so forth. It is well understood by firewalls, intrusion detection, and deep packet inspection systems. The Edge Device uses HTTPS for the following tasks:
  - The Edge Device sends periodic heartbeats to two dedicated servers. Based on this feedback, aedifion monitors the accessibility, status, and functionality of its fleet of Edge Devices.
  - The Edge Device contacts the Ubuntu package repository to check for security updates every night. Available updates are automatically installed. All communication with the Ubuntu package repository is carried securely over HTTPS.
  - The Edge Device can optionally publish collected data via HTTPS to the aedifion.io platform.
- Port 5672 (AMQP): AMQP is a scalable, reliable and standardized messaging protocol with rich queuing and routing semantics. The Edge Device uses AMQP to receive control messages and can optionally use AMQP to publish data to the platform. The AMQP connection is secured via TLS. If data is published via other protocols and cloud-control is disabled, this port may remain closed.
- Ports 8883 and 8884 (MQTT): MQTT is a standardized messaging protocol that has gained high popularity for Internet of Things use cases. The Edge Device can optionally use MQTT to stream collected data to the aedifion.io platform. All MQTT messages are transported exclusively over TLS. If data is published via other protocols, these ports may remain closed.
- Port 9092 (Kafka): Apache Kafka is a highly performant, scalable and reliable message broker trusted by thousands for stream-processing use cases. By default, the Edge Device uses Kafka to publish data to the aedifion.io platform. The Kafka connection is secured via TLS. If data is published via other protocols, this port may remain closed.
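Each port in the list above is conditional on how the deployment is set up, and the safest firewall policy is a default-deny egress rule for the device's address with only the ports that are actually needed. The script below is an added example, not aedifion's code: it encodes the conditions stated in the list (VPN instead of SSH, local DNS, local NTP, cloud control on or off, and the data protocol in use) to compute the minimal set of outgoing ports, and renders that set as an nftables forward chain. Two practical details are built in: DNS and NTP clients typically use UDP as well as TCP, so both are allowed for those two ports, and their destinations are the resolver and time servers rather than aedifion's endpoints, so the target-address restriction from the next section is applied only to the aedifion ports. The device address and target addresses in the block are placeholders, since the real addresses are communicated to each customer individually.

```python
from dataclasses import dataclass

# Ports whose destination is the resolver or the time servers rather than an
# aedifion endpoint; the target-address restriction does not apply to them.
INFRA_PORTS = {53, 123}


@dataclass
class Deployment:
    """The answers that decide which outgoing ports the customer firewall must allow."""
    vpn_remote_access: bool = False  # customer supplies remote access (e.g. VPN) instead of SSH
    local_dns: bool = False          # names are resolved by a local DNS server
    local_ntp: bool = False          # time comes from customer-provided time servers
    cloud_control: bool = True       # control messages are received over AMQP
    data_protocol: str = "kafka"     # "kafka" (default), "amqp", "mqtt" or "https"


def required_outgoing_ports(d: Deployment) -> dict:
    """Map each outgoing port that must be allowed to the reason it is needed."""
    ports = {443: "heartbeats, nightly Ubuntu security updates, optional HTTPS publishing"}
    if not d.vpn_remote_access:
        ports[22] = "SSH remote access and maintenance"
    if not d.local_dns:
        ports[53] = "DNS resolution"
    if not d.local_ntp:
        ports[123] = "NTP time synchronisation"
    if d.cloud_control or d.data_protocol == "amqp":
        ports[5672] = "AMQP control messages / data publishing over TLS"
    if d.data_protocol == "mqtt":
        ports[8883] = ports[8884] = "MQTT data streaming over TLS"
    if d.data_protocol == "kafka":
        ports[9092] = "Kafka data publishing over TLS"
    return ports


def render_nft_rules(device_ip: str, ports: dict, targets: list) -> str:
    """Render an nftables forward chain that allows only the computed egress.

    New connections from the Edge Device to the aedifion targets are limited to
    the computed ports; DNS/NTP, when needed, may reach any resolver or time
    server over UDP and TCP; everything else from the device is dropped.
    """
    infra = sorted(p for p in ports if p in INFRA_PORTS)
    aedifion = sorted(p for p in ports if p not in INFRA_PORTS)
    target_set = ", ".join(targets)
    port_set = ", ".join(map(str, aedifion))
    rules = [
        "table inet edge_egress {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    ct state established,related accept",
        f"    ip saddr {device_ip} ip daddr {{ {target_set} }} tcp dport {{ {port_set} }} ct state new accept",
    ]
    if infra:
        infra_set = ", ".join(map(str, infra))
        rules.append(f"    ip saddr {device_ip} udp dport {{ {infra_set} }} accept")
        rules.append(f"    ip saddr {device_ip} tcp dport {{ {infra_set} }} ct state new accept")
    rules += [f"    ip saddr {device_ip} drop", "  }", "}"]
    return "\n".join(rules)


if __name__ == "__main__":
    # Placeholder addresses (TEST-NET-3); substitute the values aedifion gives you.
    plan = Deployment(local_dns=True)
    print(render_nft_rules("192.168.1.50", required_outgoing_ports(plan),
                           ["203.0.113.10", "203.0.113.11"]))
```

The generated chain is meant for a Linux firewall that forwards the device's traffic; on other firewall products the same port set and destination list translate directly into vendor rules. Load it with `nft -f` only after reviewing it against the endpoint document aedifion provides.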
Restricting target addresses
In most cases, outgoing connections can be further limited to a set of specific server addresses. The exact addresses depend on whether you are using the aedifion cloud or a dedicated deployment and will be communicated to you individually.
During or prior to your onboarding, aedifion supports local IT administration and security officers in setting up the firewall correctly:
- aedifion provides a document to each customer that comprehensively lists all communication endpoints of the Edge Device and explains their purpose.
- aedifion provides Manufacturer Usage Description (MUD) files on demand that fully describe the exact communication behavior of the aedifion Edge Device. MUD files are standardized and can be processed automatically by compatible network hardware, which makes manual firewall configuration unnecessary.
- The Edge Device provides a web dashboard that can be used to check if the firewall has been configured correctly to allow all required outgoing connections.
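Besides the device's own dashboard, it is useful to verify the egress rules from another host on the same network segment before the device is installed, and to tell a silently dropping firewall apart from a reachable host with nothing listening. The probe below is an added example and not aedifion's tooling. It attempts a plain TCP handshake to each (host, port) pair, classifies the outcome, and includes an offline demonstration against two local sockets; the endpoint hostnames in the block are placeholders, because the real addresses come from the endpoint document mentioned above.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed placeholder endpoints; replace with the addresses aedifion provides.
PLACEHOLDER_ENDPOINTS = [
    ("edge-endpoint.example", 443),
    ("edge-endpoint.example", 9092),
]


def tcp_reachable(host, port, timeout=3.0):
    """Attempt one outgoing TCP handshake; return (ok, diagnosis)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        # No SYN-ACK and no reset within the timeout: the usual signature of a
        # firewall that silently drops the packets.
        return False, "timeout (likely filtered by a firewall)"
    except ConnectionRefusedError:
        # The host answered with a reset: the path is open, nothing listens there.
        return False, "refused (host reachable, port closed)"
    except OSError as exc:
        return False, f"error: {exc}"


def check_egress(endpoints, timeout=3.0):
    """Probe all endpoints in parallel; return {(host, port): (ok, diagnosis)}."""
    with ThreadPoolExecutor(max_workers=8) as pool:
        results = list(pool.map(lambda ep: tcp_reachable(*ep, timeout=timeout), endpoints))
    return dict(zip(endpoints, results))


def demo_on_localhost():
    """Offline demonstration: one listening and one closed port on 127.0.0.1.

    Returns (ok_open, ok_closed); the closed port is kept bound but not listening
    so the kernel answers with a reset and cannot hand the port out elsewhere.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    reserved = socket.socket()
    reserved.bind(("127.0.0.1", 0))   # bound, never listening: connections are refused
    closed_port = reserved.getsockname()[1]
    try:
        result = check_egress([("127.0.0.1", open_port), ("127.0.0.1", closed_port)], timeout=2.0)
    finally:
        listener.close()
        reserved.close()
    return result[("127.0.0.1", open_port)][0], result[("127.0.0.1", closed_port)][0]


if __name__ == "__main__":
    for (host, port), (ok, why) in check_egress(PLACEHOLDER_ENDPOINTS).items():
        print(f"{host}:{port:<5} {'OK ' if ok else 'FAIL'} {why}")
```

A "refused" result means the firewall let the packets through and the problem is on the far side, whereas a "timeout" on every port usually means the egress rule or the target-address list is wrong.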
If you still face firewall configuration or compliance issues, please do not hesitate to contact us.
Figure 2: aedifion's Edge Device
To install your aedifion Edge Device, please carry out the installation steps in the order shown in the flow chart:
Figure 3: Installation workflow
In the past, restarting the aedifion Edge Device has solved 99 % of the issues that occurred during installation.