Search…
Xyte Proxy Architecture

General overview

The Xyte’s security architecture is built around requiring the least possible network actors and open port requirements.
All communication is always initiated by devices within organizations and no incoming connections are ever required to be allowed.
Device to cloud communication is supported in two methods: “Standard” and “Proxy” as described below.
The Xyte’s servers are hosted on AWS and uses Google’s APIs for Maps, location resolution, fonts and other similar services.
Xyte is fully SOC2 compliant and continuously undergoes security checks, both in the code and operational environment.

Standard device to cloud communication

Devices communicate directly with Xyte’s servers.
Devices initiate periodic connections to the Xyte hub servers to send status updates and receive back notifications on pending commands, licenses, configuration changes, etc.
All the communication is always from the in-network devices out to Xyte servers only.
No additional configuration is required to set up devices to work in this mode.

Proxy device to cloud communication

Devices communicate with Xyte via an on-premise Xyte Proxy service.
All communication within the network is routed through the Xyte Proxy service and the server is the only outgoing connection from the intranet to the Xyte Servers on the internet.
This method requires:
  1. 1.
    The installation of a server capable of running a Docker image that contains the Xyte Proxy service and can listen to HTTP port 80.
  2. 2.
    Addition of a local DNS entry for “proxy.xyte.local” that resolves to the Xyte Proxy service’s IP.
  3. 3.
    Some devices might require some custom settings to work via the Xyte Proxy service. Xyte

Architecture - Device & Proxy Topology

Required outgoing connections

Device (or Proxy) to Cloud

Allow devices to register and send telemetries
Domain
Requirement
Protocol
entry.xyte.io
Device communication
HTTPS only (TLS 1.3)
*.endpoints.xyte.io
Telemetries
HTTPS only (TLS 1.3)
*.endpoints.xyte.io
MQTT
Ports 8883 only (TLS 1.3)
*.amazonaws.com
Firmware updates
HTTPS only (TLS 1.3)

Desktop to Cloud

Access to Xyte monitoring platform
Domain
Requirement
Protocol
*.xyte.io (all subdomains)
Portal communication
HTTPS only (TLS 1.3)
*.googleapis.com
Fonts / Maps / etc
HTTPS only (TLS 1.3)
maps.gstatic.com
Maps
HTTPS only (TLS 1.3)
*.ingest.sentry.io
Error reporting
HTTPS only (TLS 1.3)
res.cloudinary.com
Images
HTTPS only (TLS 1.3)
*.amazonaws.com
File uploads
HTTPS only (TLS 1.3)
Copy link
On this page
General overview
Standard device to cloud communication
Proxy device to cloud communication
Architecture - Device & Proxy Topology
Required outgoing connections