Skip to content

Firewall Settings

It is recommended to use a firewall between the Internet and the MindConnect Software Agent, this is also recommended for communication to the automation network.

In the direction to Automation Network a firewall supporting NAPT (in case of DMZ, see section “List of abbreviations”) or supporting the “Ghost-Mode” is required. Siemens offers many types of Firewalls for fulfilling these requirements.


① Corporate / Office Network with route to the internet or direct internet access, e.g. via a DSL modem

② Production / Machine Network

“Ghost-Mode”, also known as “Transparent Mode”, is used to protect individual, event alternating, devices by dynamically taking over the IP address.

Firewall/Proxy rules for MindConnect Software Agent

MindConnect Software Agent require open HTTPS and DNS ports for communication with MindSphere. You can open port 443 to enable this.

MindConnect Software Agent will connect to the following DNS names:


For <region> enter the area that was defined in your contract, example *.eu1.

MindSphere uses modern cloud principles (such as content delivery networks) to achieve high availability/scalability. The above mentioned DNS names can be resolved to a large range of IP addresses based on the context of the caller and the state of the backend.

If you are trying to login from the firewall backend, you need * and in addition a MindSphere Interactive Login Page URL is required, example The below given links are the examples for interactive logins in the browser for agents or application starting with *

  • https://*

To communicate agent only, you will only need the

Port exceptions

For region eu2, please add the following port exception to enable the online firmware download:


Any questions left?

Ask the community

Except where otherwise noted, content on this site is licensed under the Development License Agreement.

Last update: October 4, 2022