Physical Connections
The Inteligateway (IG-302) requires a wired Ethernet connection to a local LAN port. Beyond this, the Inteligateway can be configured with a static IP address and network parameters, or receive its network configuration through DHCP (static addressing may be preferred for troubleshooting).
If wired Ethernet is not available at the installation location, the Inteligateway can be connected to a WiFi network through a third-party WiFi-to-Ethernet adapter.
Network Location
The Inteligateway does not need to be on any "internal" or privileged network at your installation site. If you have a "guest", vendor, or untrusted DMZ network, we recommend attaching the Inteligateway(s) to that untrusted network. The Inteligateway requires access to the Internet to send data to the Amazon Web Services IP address space, where the WattIQ Cloud service is hosted, but it needs no internal connections to your resources.
Gateway Network Traffic Definition
The Inteligateway is a limited-purpose network device. It is designed to forward sensor data and otherwise has very limited functionality and a strong security profile.
The Inteligateway is not a "router" and does not route TCP/IP traffic from sensors and sockets. It communicates with Intelisockets and Intelisensors over a proprietary Zigbee radio mesh network, and then sends data to and retrieves commands from the Ibis.io cloud service via HTTPS (HTTP over SSL).
At installation, the Inteligateway is configured to connect to an API endpoint via HTTPS (TLS 1.2) on port 443. This endpoint can be whitelisted in enterprise firewall configurations by DNS name (preferably) or by IP address (if necessary). The endpoint address will be provided at the time of installation, based upon your firewall requirements and possibly geographic location.
The Inteligateway also uses NTP to set the system clock, to ensure the most accurate timestamps on your data. By default the gateway uses the public NTP pool at pool.ntp.org. If you have your own internal NTP servers, we can configure the Inteligateway to use that address instead. If access to NTP is blocked and NTP queries do not succeed, the gateway will set its clock by making an API call to the WattIQ cloud service as part of its normal data flow. This method is less precise than NTP, but it is usually accurate to within a few seconds. If you wish to allow NTP traffic to/from the Inteligateways, permit traffic to UDP port 123.
The Inteligateway does not need any ports opened on the firewall for incoming traffic.
The Inteligateway communicates with Ibis.io over HTTPS using the strongest SSL cipher it can negotiate. Depending upon the gateway firmware version, this may be anything from RSA SHA-256 with 2048-bit keys through a range of updated ciphers. The Inteligateway connection to Intelisockets over Zigbee is encrypted using AES-128, with no keys passed over the air.
Firewall Configuration
WattIQ can provide, at the time of installation, information sufficient to configure enterprise firewalls to "whitelist" both the outbound sensor data flow to the WattIQ Cloud service, and to allow recognition of our browser-based cloud dashboard and API.
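The traffic profile described above (outbound HTTPS on port 443 to the API endpoint, outbound NTP on UDP 123, no inbound ports, no internal connections) can be checked against firewall flow records. The following is an added example, not WattIQ code: every address is a constructed placeholder, and the DNS resolver allowance and the choice of internal ranges are assumptions the page does not state.

```python
import ipaddress
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int

# All addresses are constructed placeholders (assumptions), not vendor values.
GATEWAY = "192.168.50.10"          # gateway on a guest/untrusted segment
API_ENDPOINTS = {"203.0.113.20"}   # resolved API endpoint, provided at installation
NTP_SERVERS = None                 # None: public pool; else a set of internal NTP IPs
RESOLVERS = {"192.168.50.1"}       # assumed DNS resolver on the guest segment
# Assumed corporate ranges; 192.168.0.0/16 is left out because the guest segment uses it.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]

def classify(f: Flow) -> str:
    """Compare one flow record with the traffic profile the page describes."""
    if f.dst == GATEWAY:
        return "violation: inbound connection"
    if f.src != GATEWAY:
        return "ignored: not gateway traffic"
    internal = any(ipaddress.ip_address(f.dst) in net for net in INTERNAL)
    if f.proto == "udp" and f.dport == 123:
        ok = f.dst in NTP_SERVERS if NTP_SERVERS else not internal
        return "allowed: ntp" if ok else "violation: ntp to unlisted server"
    if f.dport == 53 and f.dst in RESOLVERS:
        return "allowed: dns"
    if internal:
        return "violation: internal destination"
    if f.proto == "tcp" and f.dport == 443:
        ok = f.dst in API_ENDPOINTS
        return "allowed: https api" if ok else "violation: https to unlisted endpoint"
    return "violation: unexpected protocol or port"

def audit(flows):
    """Return (flow, reason) for every flow that deviates from the profile."""
    return [(f, r) for f in flows if (r := classify(f)).startswith("violation")]

# Constructed sample flow records, as an egress firewall might log them.
SAMPLE = [
    Flow("192.168.50.10", "203.0.113.20", "tcp", 443),
    Flow("192.168.50.10", "198.51.100.7", "udp", 123),
    Flow("192.168.50.10", "192.168.50.1", "udp", 53),
    Flow("192.168.50.10", "10.1.2.3", "tcp", 445),
    Flow("192.168.50.10", "198.51.100.99", "tcp", 443),
    Flow("198.51.100.99", "192.168.50.10", "tcp", 22),
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE):
        print(flow, "->", reason)
```

Because the gateway has such a narrow profile, any violation reported here is worth investigating rather than tuning away.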