Network and firewall requirements for Neat
Last updated on November 26, 2024
This article describes the network and firewall requirements for all Neat devices. The topics covered in this article are:
- DHCP
- mDNS
- NTP server
- Cloud storage
- Additional webpages
- Pairing related specific requirements
- Neat Center-specific requirements
- Neat Pulse Management Platform requirements
- Neat App Hub requirements
- Microsoft Teams software requirements
- Zoom Room software requirements
- BYOD-only mode requirements
- Summary table
1. DHCP
All Neat devices obtain their IP address and other network parameter configurations (e.g. Default Gateway, DNS etc.) via DHCP. When setting up a Neat Bar/Bar2 or Neat Bar Pro and a Neat Pad, you will need to make sure they are on the same subnet.
2. mDNS
All Neat devices rely on the mDNS (multicast DNS) protocol to discover each other. As soon as it has joined the network, a Neat Bar, Bar 2, Bar Pro, Board, Board 50 or Neat Center will register itself as an mDNS service in your network. It will use the mDNS service strings _neat._tcp and _neat-oob._tcp and the domain .local. A Neat Pad will then look for any devices on the same subnet that are registered with these service strings. Once it finds the device (e.g. Neat Bar or Neat Center), it will pair with the device.
Neat Bar/Bar2 and Bar Pros will use the service string _neat._tcp. Neat Center will advertise itself using _neat-oob._tcp when in out-of-box mode and once paired, it will switch to _neat._tcp.
In most subnets, the mDNS protocol (which uses multicast packets) will be allowed and therefore the Neat Pad should not have any difficulty finding the Neat Bar/Bar Pro (provided they are on the same subnet). However, in some subnets, especially when using Wireless Controllers, mDNS may be disabled or only a select few mDNS services may be allowed. In such cases, you will have to ask your network team to enable mDNS for the subnet or add the mDNS service string to the allowed list.
Note: Some network devices like Aruba require you to add only the service string to their allowed list for mDNS (e.g. _neat._tcp). However, Cisco WLCs appear to require both service string + domain (e.g. _neat._tcp.local) to be added to the allowed list. Please consult your network team and/or the manufacturer’s documentation in such cases.
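When checking a packet capture to see whether discovery traffic is being filtered, it helps to know what the service strings look like on the wire. The following is an added example, not Neat's code: it builds and parses the question section of an mDNS query, assuming the Pad browses with a standard DNS-SD PTR question. The function names are illustrative.

```python
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353   # multicast group and port from the summary table
NEAT_SERVICES = {"_neat._tcp.local", "_neat-oob._tcp.local"}  # service string + domain
TYPE_PTR, CLASS_IN = 12, 1

def encode_name(name):
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_ptr_query(service):
    """One-question query (ID 0, no flags) asking for PTR records (assumed browse form)."""
    header = struct.pack("!6H", 0, 0, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!2H", TYPE_PTR, CLASS_IN)

def parse_questions(packet):
    """Return [(name, qtype)] from the question section of a DNS message."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    qdcount = struct.unpack("!6H", packet[:12])[2]
    pos, questions = 12, []
    for _ in range(qdcount):
        labels = []
        while True:
            length = packet[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0:
                raise ValueError("compressed name: not handled here")
            labels.append(packet[pos:pos + length].decode("ascii"))
            pos += length
        qtype, _qclass = struct.unpack("!2H", packet[pos:pos + 4])
        pos += 4
        questions.append((".".join(labels), qtype))
    return questions

def neat_discovery_names(packet):
    """Names in the packet that match the Neat service strings on this page."""
    return [n for n, t in parse_questions(packet)
            if t == TYPE_PTR and n.lower() in NEAT_SERVICES]
```

If a capture on the Pad's subnet shows these names leaving the Pad but no answers arriving, the controller's mDNS allowed list is the first place to look.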
3. NTP server
All Neat devices require an NTP (Network Time Protocol) server for a variety of functions, and therefore a valid NTP server is a requirement when setting up and operating the devices. Neat uses the standard UDP port 123 to reach out to the following NTP server (default):
time.neat.no (IP address: 34.91.253.47)
Location: The Netherlands*
Newer firmware also supports two additional methods of providing NTP to the system: either the network can provide an NTP server address via DHCP option 42, or a user can manually enter an NTP server address during setup.
Please note that if you have a DHCP server that is providing you with DHCP option 42, the Neat device will use that NTP server over time.neat.no (or even a manually entered one). If your DHCP server provides an incorrect DHCP option 42 (e.g. see NTP issues with Cisco Meraki Network), then your Neat device might report an invalid NTP server or no internet connection error.
Important note: Neat Centers do not support manual configuration of the NTP server at the moment. If you are installing a Neat Center, please ensure you have opened UDP port 123 to time.neat.no server or configured DHCP 42 for your network.
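Because a wrong DHCP option 42 overrides both the default and a manually entered server, it is worth checking what the DHCP server actually hands out. The following added example (not Neat's code) parses the options bytes of a DHCP reply, validates option 42 and applies the precedence described above. The function names and the sample lease are constructed for illustration.

```python
import ipaddress

DEFAULT_NTP = "time.neat.no"            # default server named on this page
OPT_PAD, OPT_NTP, OPT_END = 0, 42, 255  # DHCP option codes

def parse_dhcp_options(blob):
    """Walk the DHCP option TLVs (the bytes after the magic cookie)."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != OPT_END:
        if blob[i] == OPT_PAD:          # pad has no length byte
            i += 1
            continue
        if i + 1 >= len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated option %d" % blob[i])
        opts[blob[i]] = blob[i + 2:i + 2 + blob[i + 1]]
        i += 2 + blob[i + 1]
    return opts

def option42_servers(opts):
    """Return (servers, problems) for option 42; both empty if not offered."""
    raw = opts.get(OPT_NTP)
    if raw is None:
        return [], []
    if not raw or len(raw) % 4:
        return [], ["option 42 length %d is not a positive multiple of 4" % len(raw)]
    servers, problems = [], []
    for j in range(0, len(raw), 4):
        ip = ipaddress.IPv4Address(raw[j:j + 4])
        if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
            problems.append("unusable NTP address %s" % ip)
        servers.append(str(ip))
    return servers, problems

def effective_ntp(opts, manual=None):
    """Precedence as the page states it: option 42, then manual, then default."""
    if OPT_NTP in opts:                 # takes priority even when its content is bad
        return "dhcp-option-42", option42_servers(opts)[0]
    if manual:
        return "manual", [manual]
    return "default", [DEFAULT_NTP]

# Constructed lease options: message type ACK, then option 42 = 0.0.0.0
BAD_LEASE = bytes([53, 1, 5, 42, 4, 0, 0, 0, 0, 255])

if __name__ == "__main__":
    opts = parse_dhcp_options(BAD_LEASE)
    print(effective_ntp(opts, manual="198.51.100.5"), option42_servers(opts)[1])
```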
4. Cloud storage
All Neat devices are required to access Neat’s cloud storage to download the latest firmware. This is done over HTTPS (TCP port 443) and the server address is:
https://ota.neat.no (IP address: 34.107.186.64)
Location: The USA*
*Disclaimer: Please note that both NTP service and Cloud storage services are hosted by Google cloud services and therefore their respective IP addresses and locations may change.
5. Additional webpages
For network security teams that are ‘white-listing’ webpages, we very strongly recommend allowing access to all subdomains under *.neat.no. This ensures that any new features introduced by Neat are fully functional and not inadvertently blocked by future upgrades.
Note: Neat uses the same static IP address (34.107.186.64) for all the HTTP and HTTPS services below. Please note that the IP addresses behind these sites may be subject to change.
Neat will require access to the following Web pages in addition to the NTP server:
Web addresses | IP address | Ports that need to be opened | What is it used for |
ota.neat.no | 34.107.186.64 | tcp 443 (https) | Access cloud storage for software downloads |
connectivitycheck.neat.no | 34.107.186.64 | tcp 80 (http) and tcp 443 (https) | connectivity checks (for captive portal configuration) and as a precondition for software downloads |
id.neat.no | 34.107.186.64 | tcp 443 (https) | To be able to obtain certificates to maintain communication with ZDM as well as other non-Pulse microservices. |
api.neat.no | 34.107.186.64 | tcp 443 (https) | Non-Pulse control micro-services and metrics |
metrics.neat.no | 34.107.186.64 | tcp 443 (https) | Non-Pulse control micro-services and metrics |
6. Pairing related requirements
The Neat device ecosystem uses multicast for initial setup and to maintain pairing during ongoing operations. Therefore, in order to set up the Neat Bar, Bar Pro or Board with their Pad, it is required to have both the main room device and the Pad in the same subnet (with mDNS protocol allowed between them), so they can discover and communicate with each other.
During setup, TCP ports 46000 and 46001 are used for initial discovery.
After setup, the communication between Neat devices consists of encrypted web traffic (TCP port 8443) and mDNS/multicast messages to maintain system pairing.
The applications running on the devices will then use their own requirements to establish and maintain connections (e.g. Zoom apps will require TCP port 9090 connection between the Zoom Room Appliance and Zoom Room Controller). For app-specific requirements, please see the relevant sections in this document.
7. Neat Center-specific requirements
Neat Center is a companion device in a pre-established Neat Room alongside our main devices. It can be set up with the following devices, provided they are running Neat OS 24.2.0 or later. These devices must already be installed as a Zoom or Microsoft Teams room before the Neat Center is configured.
- Neat Board, Board 50 and Board Pro
- Neat Bar, Bar Pro and Bar Gen 2
In addition to the standard network requirements for Neat devices (Table 1 and Table 2), the following requirements and limitations need to be considered in order to use Neat Center:
- Protocols and ports (between Neat Center and the main Neat device):
  - SRTP media (AEAD_AES_256_GCM_8) sent over UDP ports
  - Audio streaming over local network using UDP port 5004
  - Video streaming over local network using UDP port 5006
- mDNS requirements:
  - _neat._tcp
  - _neat-oob._tcp
- NTP support
  - Only supports time.neat.no or DHCP 42 as the default NTP server (UDP 123)
  - Custom NTP support (from Neat software release 24.5 onwards)
- Network conditions
  - Neat Center requires a wired connection with DHCP. To pair Center to a Room, the other paired devices have to be on a wired connection.
  - Ethernet NIC: 2.5GBASE-T
  - MTU of 1500 bytes.
  - Bandwidth required from the Neat Center to the main Neat device is typically less than 6 Mbps, but the network should allow some headroom in the cases where peak bandwidth is higher (e.g. during a layout switch).
- Custom certificate uploads available during OOB phase (from Neat software release 24.5 onwards)
- Unsupported network features
  - No Wifi support
  - No support for Static IP address
  - No support for proxies
  - No support for 802.1x
8. Neat Pulse Management Platform requirements
Neat Pulse is the management platform to manage Neat devices remotely. The following requirements need to be met in order to use Neat Pulse Management Platform:
- Protocols:
  - HTTPS, including http/2 and http/1 with WebSockets
- DNS hostnames:
  - pulse.neat.no
  - *.pulse.neat.no
- IP addresses (subject to change):
  - 20.76.42.235
  - 20.16.158.114
  - 108.142.134.73
  - 13.81.211.248
- Ports (to open on the firewall for external IP addresses):
  - 443 TCP
- Ports (used internally within the same subnet):
  - 9876 TCP (between paired Pad and Bar/Bar Pro/Board and used for Neat Pulse Management Platform’s ‘paired remote control’ feature)
  - 2867 TCP (between Board/Frame and Board/Bar and used for the Neat Share content sharing feature; RTP over TCP is used for this communication)
HTTP proxies are supported if they support ‘HTTP CONNECT’.
9. Neat App Hub requirements
Neat App Hub is an open ecosystem app platform that makes third-party business applications accessible on Neat devices. Neat devices will now be able to run Zoom, Microsoft Teams, or the app(s) that a business chooses on any Neat device. Accessible from Neat Pulse Management Platform, IT administrators have the ability to enable, deploy and manage selected applications across their Neat deployment to take advantage of the tools they already use across their teams.
- Protocols:
  - Any Neat device running Neat App Hub will require the fundamental features, such as DHCP, NTP, mDNS, webpages etc., to be enabled. Please ensure all the requirements in items 1-6 in this document are adhered to for normal operations.
- Neat Pulse Management Platform
  - All the requirements listed under Neat Pulse Management Platform requirements need to be met.
- 3rd party application requirements:
  - For the full list of Apps, please visit: https://neat.no/app-hub/
  - For ongoing operation, ensure all 3rd party application resources are available via your firewall as instructed by the 3rd party app provider.
10. Microsoft Teams software requirements
After you complete the Neat firmware installation and have chosen Microsoft Teams, Neat devices will run Microsoft Teams Room for Android software provided by Microsoft and connect to the Microsoft backend. For ongoing operation, ensure all Microsoft resources are available via your firewall as described in the following articles provided by Microsoft on this topic.
In general: The ports used for Microsoft Teams Rooms for Android are the same as any other Microsoft Teams client on your laptop/pc.
- How to deploy Microsoft Teams Room on Android: https://docs.microsoft.com/en-us/microsoftteams/devices/collab-bar-deploy
- Detailed firewall port requirements: https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#skype-for-business-online-and-microsoft-teams
11. Zoom Room software requirements
After you complete the Neat firmware installation and have chosen Zoom, Neat devices will run Zoom Room software provided by Zoom, and connect to the Zoom backend. For ongoing operation, ensure all Zoom resources are available via your firewall as described in the following articles provided by Zoom on this topic.
- https://support.zoom.us/hc/en-us/articles/201362683-Network-firewall-or-proxy-server-settings-for-Zoom
- https://support.zoom.us/hc/en-us/articles/203680389-Firewall-Configuration-for-Zoom-Rooms
12. BYOD-only mode requirements
After you complete the Neat firmware installation and have chosen BYOD Only Mode, Neat devices won’t run any 3rd party applications. While you will no longer need to open ports for specific 3rd party apps, please note that all other Neat deployment requirements apply. For ongoing operation, ensure all Neat resources are available via your firewall as described in this article.
13. Summary
Product | Protocol | Ports | Firewall rules | Description |
Neat | DHCP | UDP 67, 68 | None required | Obtain IP address, default gateway, DNS etc. |
Neat | mDNS | Multicast packets to 224.0.0.251 UDP 5353 | None required (multicast traffic remains local to the subnet) | Discovery and pairing |
Neat | NTP | UDP 123 | Open UDP 123 on firewall to: time.neat.no (default) | NTP time server for various operations |
Neat | HTTPS | TCP 443 | Open TCP 443 to: ota.neat.no, connectivitycheck.neat.no, id.neat.no, metrics.neat.no, api.neat.no. Note: Generally allow *.neat.no domain over HTTPS/TCP 443 | ota.neat.no: Access cloud storage for software downloads; connectivitycheck.neat.no: connectivity checks (for captive portal configuration) and as a precondition for software downloads; id.neat.no: To be able to obtain certificates to maintain communication with ZDM as well as other non-Pulse microservices; api.neat.no: Non-Pulse control micro-services and metrics; metrics.neat.no: Non-Pulse control micro-services and metrics |
Neat | HTTP | TCP 80 | Open TCP 80 to: connectivitycheck.neat.no | connectivitycheck.neat.no: connectivity checks (for captive portal configuration) |
Neat | HTTPS | TCP 443 | Open TCP 443 to pulse.neat.no and *.pulse.neat.no | Communication with Neat Pulse device management cloud |
Neat | Remote control feature | TCP 9876 | None required (this is between paired devices on the same subnet and should not require any firewall rules) | Pad opens a TCP connection to port 9876 of its Paired Bar/BarPro/Board etc. This is used for the ‘paired remote control’ feature on Pulse Management Platform. |
Microsoft | Various | Various | Follow Microsoft’s advice here | |
Zoom | Various | Various | Follow Zoom’s advice on Zoom and Zoom Rooms | To allow Zoom Room software to connect to Zoom cloud |
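A hostname-based egress allow-list can be checked against the Neat rows of the summary table before devices are deployed. The following is an added example, not Neat's code: the (protocol, port, host) rule format, the function names and the sample rule set are assumptions made for illustration. It treats a wildcard such as *.neat.no as covering subdomains only, and it shows that a single HTTPS wildcard rule still leaves the HTTP connectivity check to be permitted.

```python
# Requirements transcribed from the summary table: (protocol, port, host)
REQUIRED = [
    ("udp", 123, "time.neat.no"),
    ("tcp", 443, "ota.neat.no"),
    ("tcp", 443, "connectivitycheck.neat.no"),
    ("tcp", 80, "connectivitycheck.neat.no"),
    ("tcp", 443, "id.neat.no"),
    ("tcp", 443, "api.neat.no"),
    ("tcp", 443, "metrics.neat.no"),
    ("tcp", 443, "pulse.neat.no"),
    ("tcp", 443, "*.pulse.neat.no"),
]

def covers(rule_host, need_host):
    """True if an allow-list host pattern covers a required host or wildcard."""
    rule_host = rule_host.lower().rstrip(".")
    need_host = need_host.lower().rstrip(".")
    if not rule_host.startswith("*."):
        return rule_host == need_host          # literal rules match exactly
    base = rule_host[2:]
    if need_host.startswith("*."):             # wildcard needed: rule must be as broad
        need_host = need_host[2:]
        return need_host == base or need_host.endswith("." + base)
    return need_host.endswith("." + base)      # "*.x" never covers bare "x"

def audit(rules):
    """Return the required flows that no rule in `rules` permits."""
    return [need for need in REQUIRED
            if not any(proto == need[0] and port == need[1] and covers(host, need[2])
                       for proto, port, host in rules)]

# Constructed egress allow-list for a meeting-room VLAN
RULES = [("tcp", 443, "*.neat.no"), ("udp", 123, "time.neat.no")]

if __name__ == "__main__":
    for proto, port, host in audit(RULES):
        print("not permitted: %s/%d to %s" % (proto, port, host))
```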
IMPORTANT NOTE
The firewall requirements on Neat Bar and Neat Pad* differ depending on the software version running on these devices. Until April 2020, Neat software versions required multiple network resources to be accessible for the initial configuration process. After April 2020, Neat simplified its network requirements. When Neat devices are shipped out from manufacturing locations, some may be running pre-April 2020 firmware. For simplicity and to avoid any confusion, this article only describes the network requirements for newer (post April 2020) software releases. All Neat devices will upgrade to the latest software version once connected to the network.
If you continue to encounter issues after opening the network ports above, please reach out to Neat’s technical support team at support@neat.no.
*All Neat Boards and Neat Bar Pros were manufactured after April 2020 and therefore this article (with newer firewall requirements) applies to them.