Xyte Proxy Architecture

General overview

Xyte’s security architecture is designed to involve as few network actors and open ports as possible.
All communication is initiated by devices inside the organization’s network; no inbound connections ever need to be allowed through the organization’s firewall.
Device-to-cloud communication is supported in two modes, “Standard” and “Proxy”, described below.
Xyte’s servers are hosted on AWS and use Google’s APIs for Maps, location resolution, fonts and similar services.
Xyte is SOC 2 compliant and continuously undergoes security checks of both its code and its operational environment.

Standard device to cloud communication

Devices communicate directly with Xyte’s servers.
Devices initiate periodic connections to the Xyte hub servers to send status updates and receive back notifications on pending commands, licenses, configuration changes, etc.
All communication is outbound only, from the in-network devices to Xyte’s servers; Xyte never connects in to the devices.
No additional configuration is required to set up devices to work in this mode.

Proxy device to cloud communication

Devices communicate with Xyte through an on-premise Xyte Proxy service.
All Xyte traffic within the network is routed to the Xyte Proxy service, and the proxy host is the only machine that opens outgoing connections from the intranet to Xyte’s servers on the internet. Note that the device-to-proxy leg is plain HTTP on the local network; TLS is terminated at the proxy for the hop to the cloud.
This method requires:
  1. The installation of a server capable of running a Docker image that contains the Xyte Proxy service and can listen on HTTP port 80.
  2. Addition of a local DNS entry for “proxy.xyte.local” that resolves to the Xyte Proxy service’s IP.
  3. Some devices might require custom settings to work via the Xyte Proxy service. Xyte
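The three prerequisites above can be verified before devices are switched to Proxy mode. The following script is an added example, not part of the Xyte documentation or product: it checks that “proxy.xyte.local” resolves to the expected address, that the proxy host accepts connections on port 80, and (an assumption drawn from the statement that the proxy is the only outgoing connection) that a device on the LAN can no longer reach entry.xyte.io directly, which would let it bypass the proxy. The resolver and TCP connector are injectable so the checks can be exercised offline; the expected proxy IP is whatever you assigned.

```python
import socket
import sys
from typing import Callable, Dict, Tuple

PROXY_HOSTNAME = "proxy.xyte.local"   # DNS name required by the Proxy mode setup
PROXY_PORT = 80                       # the proxy listens on plain HTTP inside the LAN
CLOUD_ENTRY = ("entry.xyte.io", 443)  # direct cloud endpoint; assumed TCP 443 for HTTPS

Resolver = Callable[[str], str]
Connector = Callable[[str, int, float], None]  # must raise OSError when unreachable
Result = Tuple[bool, str]


def _tcp_connect(host: str, port: int, timeout: float) -> None:
    """Open and immediately close a TCP connection; raises OSError on failure."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def check_dns(expected_ip: str, resolve: Resolver = socket.gethostbyname) -> Result:
    """Step 2: the local DNS entry must exist and point at the proxy host."""
    try:
        got = resolve(PROXY_HOSTNAME)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, f"{PROXY_HOSTNAME} does not resolve ({exc})"
    if got != expected_ip:
        return False, f"{PROXY_HOSTNAME} resolves to {got}, expected {expected_ip}"
    return True, f"{PROXY_HOSTNAME} -> {got}"


def check_proxy_listening(proxy_ip: str, connect: Connector = _tcp_connect) -> Result:
    """Step 1: the Docker host must accept TCP connections on port 80."""
    try:
        connect(proxy_ip, PROXY_PORT, 3.0)
    except OSError as exc:
        return False, f"no listener on {proxy_ip}:{PROXY_PORT} ({exc})"
    return True, f"{proxy_ip}:{PROXY_PORT} accepts connections"


def check_direct_egress_blocked(connect: Connector = _tcp_connect) -> Result:
    """Assumption: in Proxy mode the device LAN should not reach the cloud directly.
    Run this from the device VLAN, not from the proxy host itself."""
    host, port = CLOUD_ENTRY
    try:
        connect(host, port, 3.0)
    except OSError:
        return True, f"direct {host}:{port} is blocked from this network"
    return False, f"direct {host}:{port} is reachable: devices could bypass the proxy"


def preflight(expected_ip: str,
              resolve: Resolver = socket.gethostbyname,
              connect: Connector = _tcp_connect) -> Dict[str, object]:
    """Run all checks and report an overall verdict."""
    checks = {
        "dns": check_dns(expected_ip, resolve),
        "proxy_port": check_proxy_listening(expected_ip, connect),
        "direct_egress_blocked": check_direct_egress_blocked(connect),
    }
    overall = all(ok for ok, _ in checks.values())
    report: Dict[str, object] = dict(checks)
    report["ok"] = overall
    return report


if __name__ == "__main__":
    # usage: python preflight.py <proxy-ip>  (run from a device-side host)
    for name, value in preflight(sys.argv[1]).items():
        print(f"{name}: {value}")
```

Run it from a host on the same VLAN as the devices rather than from the proxy machine; the DNS check only tells you what that host’s resolver returns, and the egress check is only meaningful from where the devices sit.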

Architecture - Device & Proxy Topology

Required outgoing connections

Device (or Proxy) to Cloud

Allow devices to register and send telemetry. In Proxy mode these connections are made by the proxy host on the devices’ behalf.

Domain                 Requirement            Protocol
entry.xyte.io          Device communication   HTTPS only (TLS 1.3)
*.endpoints.xyte.io    Telemetry              HTTPS only (TLS 1.3)
*.endpoints.xyte.io    MQTT                   Port 8883 only, MQTT over TLS 1.3
*.amazonaws.com        Firmware updates       HTTPS only (TLS 1.3)

Desktop to Cloud

Access to the Xyte monitoring platform

Domain                        Requirement              Protocol
*.xyte.io (all subdomains)    Portal communication     HTTPS only (TLS 1.3)
*.googleapis.com              Fonts / Maps / etc.      HTTPS only (TLS 1.3)
maps.gstatic.com              Maps                     HTTPS only (TLS 1.3)
*.ingest.sentry.io            Error reporting          HTTPS only (TLS 1.3)
res.cloudinary.com            Images                   HTTPS only (TLS 1.3)
*.amazonaws.com               File uploads             HTTPS only (TLS 1.3)
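The two tables above define an egress allowlist. The script below is an added example, not part of the Xyte documentation: it encodes both tables as rules, evaluates whether a (host, port) destination is permitted for the device/proxy profile or the desktop profile, and audits a constructed flow log for connections that fall outside the allowlist. Assumptions not stated on the page: HTTPS means TCP 443, and a wildcard such as “*.xyte.io” matches subdomains but not the bare apex “xyte.io”. The flow-log lines are made up for the example.

```python
from typing import List, Tuple

# (hostname pattern, TCP port, purpose), transcribed from the two tables.
# HTTPS is assumed to be TCP 443; the page lists the protocol, not the port.
DEVICE_RULES = [
    ("entry.xyte.io",        443,  "Device communication (HTTPS, TLS 1.3)"),
    ("*.endpoints.xyte.io",  443,  "Telemetry (HTTPS, TLS 1.3)"),
    ("*.endpoints.xyte.io",  8883, "MQTT over TLS 1.3"),
    ("*.amazonaws.com",      443,  "Firmware updates (HTTPS, TLS 1.3)"),
]
DESKTOP_RULES = [
    ("*.xyte.io",          443, "Portal communication"),
    ("*.googleapis.com",   443, "Fonts / Maps / etc."),
    ("maps.gstatic.com",   443, "Maps"),
    ("*.ingest.sentry.io", 443, "Error reporting"),
    ("res.cloudinary.com", 443, "Images"),
    ("*.amazonaws.com",    443, "File uploads"),
]
PROFILES = {"device": DEVICE_RULES, "desktop": DESKTOP_RULES}


def host_matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches any name with at least one label before the suffix;
    the apex 'example.com' itself does not match (assumed wildcard semantics)."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed(profile: str, host: str, port: int) -> Tuple[bool, str]:
    """Return (allowed, reason) for a destination under the given profile."""
    for pattern, rule_port, purpose in PROFILES[profile]:
        if host_matches(pattern, host) and port == rule_port:
            return True, f"{pattern}:{rule_port} ({purpose})"
    return False, f"{host}:{port} is not in the {profile} allowlist"


def audit_flows(profile: str, lines: List[str]) -> List[Tuple[str, str, int, str]]:
    """Flag flow-log entries of the form '<ts> <src-ip> <dst-host> <dst-port>'
    that the allowlist does not cover; returns (src, host, port, reason)."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        _ts, src, host, port = line.split()
        allowed, reason = is_allowed(profile, host, int(port))
        if not allowed:
            findings.append((src, host, int(port), reason))
    return findings


# Constructed sample flow log from a device VLAN (not real data).
SAMPLE_DEVICE_FLOWS = """\
2024-01-01T10:00:00Z 10.0.1.15 entry.xyte.io 443
2024-01-01T10:00:05Z 10.0.1.15 eu1.endpoints.xyte.io 8883
2024-01-01T10:00:09Z 10.0.1.15 eu1.endpoints.xyte.io 1883
2024-01-01T10:01:00Z 10.0.1.22 xyte.io 443
2024-01-01T10:02:00Z 10.0.1.22 firmware-bucket.s3.amazonaws.com 443
2024-01-01T10:03:00Z 10.0.1.22 updates.example.net 80
"""

if __name__ == "__main__":
    for src, host, port, reason in audit_flows("device", SAMPLE_DEVICE_FLOWS.splitlines()):
        print(f"DENY {src} -> {host}:{port}: {reason}")
```

The audit flags the plaintext MQTT attempt on 1883, the apex “xyte.io” (not covered by any device rule), and the unrelated host on port 80, while letting the S3 firmware download through. That last match is the practical caveat: “*.amazonaws.com” on 443 admits any AWS-hosted service, so once you know the actual firmware bucket hostname, replace the wildcard rule with that exact name.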