Arcules is designed to leave a minimal footprint on your network infrastructure. A few rules must be put in place so that we can access your gateways, with permission, and apply updates to the Arcules software and the operating system. Some minor changes may be required on the customer’s side to ensure all of these criteria are met.
Physical Gateway Requirements
Specifications (Dimensions are Width x Depth x Height)
Micro Form Factor Gateways - 1.42"x7.01"x7.17"
Small Form Factor Gateways - 3.65"x11.42"x11.53"
Rack Form Factor Gateways* - 1U Rack Space, 23.45" Deep
Micro and Small Form Factor Gateways require an HDMI or DisplayPort connection for a monitor. Rack Form Factor Gateways require a VGA connection.
*Rack Form Factor Gateways come with Dell Ready Rails for installation in a standard 4-post rack.
Installation
Gateways should be unboxed, installed, and attached to power and network before you attempt to add the gateway to your organization or contact Customer Care for assistance. A USB keyboard and a monitor are required to set a static IP address on the gateway.
Network architecture recommendations can be found in this Knowledge Base article: Recommended Network Architectures
For the easiest installation, the gateway should be on a network with access to both the cameras and the internet.
Network Adapters
Micro Form Factors and Small Form Factors have a single network adapter.
Rack Form Factors come with multiple NICs, but using more than one NIC to reach a second network requires Customer Care assistance (i.e. NIC 1 is Internet Facing, NIC 2 is on a segregated camera network). Rack Form Factors cannot be configured for load balancing or redundancy across the network adapters.
Guidelines and Notes
Certificates
When communicating over the public internet, Arcules validates only against trusted certificate authorities and does not accept self-signed certificates. If you have questions about this, please reach out to our security and compliance team.
Multi-ISP Environments
When the Arcules system lives in an environment with multiple ISPs, a firewall rule should be implemented to ensure all Arcules traffic goes over the same ISP, the one with the fastest speed. Load balancing this traffic can affect the performance of live video feeds and gateway uploads.
Firewall Settings
All firewall rules are for outbound traffic only. No inbound ports should need to be opened. We designed it this way to provide maximum security with minimal rules.
All network traffic concerning customer data is encrypted both at rest and in flight to ensure data integrity and security.
Arcules recommends using domain names rather than IP addresses when configuring allow-listing for outbound traffic. We cannot guarantee that the IP addresses behind these domains will not change in the future.
This is also why Arcules does not provide IP addresses as a replacement for the domain names. If the IP address of a domain is required, a ping or nslookup through your DNS of choice will give you the current IP address of the domain(s).
SSL/TLS Deep Packet Inspection
Arcules does not support network appliances running deep packet inspection on our traffic. Inspection can cause certificate and trust issues with our traffic’s encryption, and will have a detrimental effect on the operation of the Arcules system.
Proxy Servers
Arcules does not support network appliances functioning as proxy servers for internet traffic.
Camera Protocol Configuration
Currently, Arcules requires a camera to have both HTTP and HTTPS enabled for successful connection to the Arcules Gateway Device.
Gateway Device Rules
The following domains and ports must be opened for the Arcules Gateway to function, pull down updates, and report home for proactive monitoring.
Each Gateway must have access to these endpoints.
Domain Name | Purpose | Protocol | Port |
*.arcules.com | API Services | UDP/TCP/HTTPS,WSS | 443 |
*.cloud.google.com | Google Services | TCP/HTTPS | 443 |
*.googleapis.com | Google Services | TCP/HTTPS | 443 |
*.googleusercontent.com | Google Services | TCP/HTTPS | 443 |
*.ubuntu.com | OS Updates | TCP/HTTPS,HTTP,UDP/NTP | 443, 80, 123 |
*.launchpad.net | OS Updates | TCP/HTTPS,HTTP | 443, 80 |
*.snapcraft.io | OS Updates | TCP/HTTPS,HTTP | 443, 80 |
*.snapcraftcontent.com | OS Updates | TCP/HTTPS | 443 |
*.canonical.com | OS Updates | TCP/HTTPS,HTTP | 443, 80 |
*.gcr.io | Arcules Image Repository | TCP/HTTPS | 443 |
*.docker.io | Core Image Repository | TCP/HTTPS | 443 |
*.docker.com | Core Image Repository | TCP/HTTPS | 443 |
rcss-production.arcules.com | Remote Support | TCP/SSH | 2222 |
* | Speed Test | TCP/HTTPS | 8080 |
* | Online/Offline Detection | ICMP | |
*.pool.ntp.org | Network Time Protocol | UDP | 123 |
8.8.8.8 & <Insert own DNS here> | Domain Name Services | TCP & UDP | 53 |
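One way to check a firewall against the table above, as an added example that is not Arcules code: it audits an egress log from the gateway's address for documented flows that were denied and for allowed flows the table does not list. The log format, the sample lines and the function names are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# (pattern, transport, ports) transcribed from the Gateway Device Rules table. Assumed
# reading: "UDP/TCP ... 443" means both transports, "UDP/NTP" means UDP 123. The "*"
# speed-test and ICMP rows and the DNS row are left out of this sketch.
GATEWAY_RULES = [
    ("*.arcules.com", "tcp", {443}), ("*.arcules.com", "udp", {443}),
    ("*.cloud.google.com", "tcp", {443}), ("*.googleapis.com", "tcp", {443}),
    ("*.googleusercontent.com", "tcp", {443}),
    ("*.ubuntu.com", "tcp", {443, 80}), ("*.ubuntu.com", "udp", {123}),
    ("*.launchpad.net", "tcp", {443, 80}), ("*.snapcraft.io", "tcp", {443, 80}),
    ("*.snapcraftcontent.com", "tcp", {443}), ("*.canonical.com", "tcp", {443, 80}),
    ("*.gcr.io", "tcp", {443}), ("*.docker.io", "tcp", {443}),
    ("*.docker.com", "tcp", {443}), ("*.pool.ntp.org", "udp", {123}),
    ("rcss-production.arcules.com", "tcp", {2222}),
]

# Constructed sample log; "ACTION PROTO FQDN PORT" is a hypothetical export format.
SAMPLE_LOG = """\
ALLOW tcp gateway-api.arcules.com 443
DENY tcp rcss-production.arcules.com 2222
DENY udp 0.pool.ntp.org 123
ALLOW tcp files.example.net 443
ALLOW tcp other-host.arcules.com 2222
"""

def is_documented(host, proto, port):
    """True if the flow matches a documented rule; a wildcard needs a subdomain label."""
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, pat) and proto.lower() == p and port in ports
               for pat, p, ports in GATEWAY_RULES)

def audit(log_text):
    """Return (denied but documented, allowed but undocumented) flows."""
    denied_required, allowed_extra = [], []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) != 4 or not f[3].isdigit():
            continue  # skip blank or malformed lines
        action, proto, host, port = f[0].upper(), f[1].lower(), f[2].lower(), int(f[3])
        documented = is_documented(host, proto, port)
        if action == "DENY" and documented:
            denied_required.append((proto, host, port))
        elif action == "ALLOW" and not documented:
            allowed_extra.append((proto, host, port))
    return denied_required, allowed_extra

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A pattern such as `*.arcules.com` does not match the bare `arcules.com`, and port 2222 is documented only for `rcss-production.arcules.com`, so an allow rule for 2222 to any other host shows up as undocumented.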
Client Network Rules
These client rules allow seamless use of the Arcules platform from any system that accesses it. Any inbound ports associated with the requests are chosen by the client’s operating system. The Local Live / Local Playback feature requires clients to communicate directly with the cloud using UDP on port 443. You cannot use Local Live / Local Playback if the client needs to go through proxies.
Domain | Usage | Protocol | Outbound Ports |
API Services | UDP/TCP/HTTPS,WSS | 443 | |
*.arcules.com | Remote Device Access | TCP | 4200 - 4250 |
*.intercom.com | Support And Chat | TCP/HTTPS/WSS | 443 |
*.split.io | Early release Features | TCP/HTTPS/WSS | 443 |
<Insert own DNS here> | Domain Name Services | TCP & UDP | 53 |
Internal Network Service Rules
All of these requirements apply only within your local network, and no external application of these rules is required. Due to the wide range of drivers we support, some devices and cameras may operate differently than listed below, but this captures the most universal information.
Connection Type | Purpose | Protocols | Ports |
SERVER | For emergency offline viewing | TCP/HTTP,WS | 9000/443 |
CLIENT | ONVIF Communication (Camera) | TCP/SOAP | ~80, 443 |
CLIENT | Video Stream (Camera) | TCP/RTSP | ~554 |
CLIENT | File Transfer | TCP/FTP | ~21 |
CLIENT | Video or Audio Data | UDP/RTP | ~10000-20000 |
CLIENT/SERVER | Auto Discovery | UDP/mDNS | 5353 |
CLIENT/SERVER | Auto Discovery | UDP/uPNP | 1900 |
CLIENT | Auto Discovery | TCP/HTTP | ~80 |
CLIENT/SERVER | Auto Discovery | UDP/ONVIF | 3702 |
CLIENT/SERVER | Local Live Viewing | UDP/RTP | 20000 - 24999 |
CLIENT | Signaling and File Transfer | TCP/HTTP, HTTPS | 80,443 |
Note: '~' indicates the typical port that this operates on; it can be changed by the installer.
Optional Firmware Rule (Axis Cameras Only)
Domain | Purpose | Protocols | Ports |
*.axis.com | Firmware Updates for Axis hardware | TCP/HTTPS | 443 |