An IoT device connected to Cumulocity Cloud services can use HTTPS traffic: The device opens HTTPS connections to the cloud and uses these for bi-directional communication, one connection for sending data (upstream) and one connection for receiving data (downstream). In Cumulocity, the downstream connection uses an API called “real-time notification”, see [1] for details. The underlying HTTP protocol is called Bayeux, see also RFC 6202 [2].
This HTTPS connection crosses various networking devices, including routers, firewalls or NAT gateways. While typically this connection works out of the box, you might encounter problems in certain environments. For example, some companies have firewall rules deployed that cause problems.
In order to successfully connect Cumulocity IoT devices, the following must be ensured:
- HTTPS Port 443 open: It must be possible to establish a network connection on the port 443 from the device to Cumulocity.
- Transparent TLS and no TLS interception: It must be possible to create an end-to-end TLS connection to ensure encryption and integrity of the data. Some companies do not allow this, and instead have a TLS proxy that issues on-demand certificates. This on-demand certificate will not be accepted by the IoT device.
- Firewall timeout long enough: Firewall or other intermediate boxes might terminate “inactive” TCP connections after a certain time period. The time period is defined in the firewall. In some cases, the termination is not even properly terminated by the firewall, see [3]. Cumulocity expects by default a timeout higher than 10 minutes. This is sufficient in many cases, as many firewalls use a 15 minute timeout for TCP connections (for example in many mobile networks).
[1] Cumulocity real-time notifications: http://www.cumulocity.com/guides/reference/real-time-notifications/
[2] Known Issues and Best Practices for the Use of Long Polling and Streaming in Bidirectional HTTP: https://tools.ietf.org/html/rfc6202
[3] Issues with incorrectly configured firewalls: https://blog.fastmail.com/2011/06/28/http-keep-alive-connection-timeouts/