Firewall Settings - Developer Documentation
Skip to content

Firewall Settings

It is recommended to use a firewall between the Internet and the MindConnect Software Agent, this is also recommended for communication to the automation network.

In the direction to Automation Network a firewall supporting NAPT (in case of DMZ, see section “List of abbreviations”) or supporting the “Ghost-Mode” is required. Siemens offers many types of Firewalls for fulfilling these requirements.


① Corporate / Office Network with route to the internet or direct internet access, e.g. via a DSL modem

② Production / Machine Network

“Ghost-Mode”, also known as “Transparent Mode”, is used to protect individual, event alternating, devices by dynamically taking over the IP address.

Firewall/Proxy rules for MindConnect Software Agent

MindConnect Software Agent require open HTTPS and DNS ports for communication with Industrial IoT. You can open port 443 to enable this.

MindConnect Software Agent will connect to the following DNS names:


For <region> enter the area that was defined in your contract, example *.eu1.

Industrial IoT uses modern cloud principles (such as content delivery networks) to achieve high availability/scalability. The above mentioned DNS names can be resolved to a large range of IP addresses based on the context of the caller and the state of the backend.

If you are trying to log in from the firewall backend, you need * and in addition a Insights Hub Interactive Login Page URL is required, example The below given links are the examples for interactive logins in the browser for agents or application starting with *

  • https://*

To communicate agent only, you will only need the

Last update: February 16, 2024