When the IQ 2.0 is connected through Ethernet or WiFi, local network settings can interfere with its operation. Updates and normal operation require different settings. Ideally, the IQ should be on a network where all outbound traffic for the IQ is accepted. This is the only way to ensure that an update works as it should, and it also ensures there are no issues with normal operation.
For updating, any port could be used, so the network must allow all outgoing traffic.
For normal operation, the IQ uses the IP addresses below and ports 40000 and 40001; these should be whitelisted. Note that the IQ connects to these ports on the Salto KS back-end system, but the connection is made from a random port. Thus, the IQ must be allowed to connect to external port 40000 or 40001 for this to work.
If, for security reasons, giving the IQ this access is not accepted, an M2M connection is an option.
If the IQ cannot connect, check the following:
Network requirements:
DHCP server that provides the IQ with an IP address
For WiFi: Preferably WPA or WPA2 encryption, otherwise an open network. 2.4 GHz only.
For Ethernet: No network authentication (no 802.1X)
The IQ connects to a server on TCP ports 40000 and 40001
The IQ updates by downloading a file from our FTPS server
It is not possible to give out fixed IP addresses of the Salto KS back-end to which the IQs connect. The Salto KS back-end is dynamically hosted and scales up and down based on the number of requests and connected IQs. You can compare this to, for example, going to gmail.com or any other popular website: when connecting, you cannot be sure which server you are forwarded to.
However, some of our customers implement whitelisting on the IQ MAC address, which means they only allow whitelisted IQ MAC addresses to connect to the outside world.
If MAB is used in the network (MAC Authentication Bypass), it would be necessary to whitelist MAC addresses of the IQs (which do not support 802.1X) in the network authentication back-end, allowing the IQs to connect without further authentication.
We would advise the customer to look into this option. There is no way to whitelist the IP addresses of our back-end services.
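The port and MAC whitelisting described above can be expressed as an egress policy on the gateway the IQs sit behind. The nftables ruleset below is an added example, not a Salto KS configuration; the interface names (lan0, wan0), the table name and the MAC addresses are constructed placeholders, and it assumes the gateway is on the same layer-2 segment as the IQs so that it sees their MAC addresses.

```nft
# Added example: interface names and MAC addresses are constructed placeholders.
table inet iq_egress {
    # MAC addresses of the IQs allowed to reach the outside world.
    # 00:00:5e:00:53:xx is the documentation range; replace with real IQ MACs.
    set iq_macs {
        type ether_addr
        elements = { 00:00:5e:00:53:01, 00:00:5e:00:53:02 }
    }

    chain forward {
        # Default-drop for forwarded traffic; other hosts need their own rules.
        type filter hook forward priority 0; policy drop;

        # Replies to connections the IQ opened itself.
        ct state established,related accept

        # WRONG: matches the source port. The IQ connects from a random
        # source port, so this rule never matches its traffic.
        # iifname "lan0" oifname "wan0" ether saddr @iq_macs tcp sport { 40000, 40001 } accept

        # Normal operation only: destination ports 40000/40001, any source
        # port, any destination address (the back-end has no fixed IPs).
        iifname "lan0" oifname "wan0" ether saddr @iq_macs tcp dport { 40000, 40001 } accept

        # Update-compatible alternative: all outbound traffic from the IQs.
        # Enable instead of the rule above, since an update may use any port.
        # iifname "lan0" oifname "wan0" ether saddr @iq_macs accept
    }
}
```

Because a MAC address can be spoofed by any device on the segment, the all-outbound variant is best paired with a dedicated VLAN or switch port for the IQs.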