Network and firewall requirements for Neat

Last updated on December 18, 2023

This article describes the network and firewall requirements for all Neat devices.

DHCP

Neat devices obtain their IP address and other network parameter configurations (e.g. Default Gateway, DNS etc.) via DHCP. When setting up a Neat Bar or Neat Bar Pro and a Neat Pad, you will need to make sure they are on the same subnet.

mDNS

Neat devices rely on mDNS (multicast DNS) protocol to discover each other. As soon as it has joined the network, a Neat Bar or a Neat Bar-Pro will register itself as an mDNS service in your network. It will use an mDNS service string of _neat._tcp. and use the domain .local. A Neat Pad will then look for any devices on the same subnet that are registered with service string _neat._tcp. and find the Neat Bar (or Bar Pro) and subsequently pair with it.

In most subnets, mDNS protocol (which uses multicast packets) will be allowed and therefore the Neat Pad should not have any difficulties in finding the Neat Bar/Bar Pro (provided they are on the same subnet). However, in some subnets, especially when using Wireless Controllers, mDNS may be disabled or only a select few mDNS services may be allowed. In such cases, you will have to ask your network team to enable mDNS for the subnet or add the mDNS service string to the allowed list.

Note: Some network devices like Aruba require you to add only the service string to their allowed list for mDNS (e.g. _neat._tcp). However, Cisco WLCs appear to require both service string + domain (e.g. _neat._tcp.local) to be added to the allowed list. Please consult your network team and/or the manufacturer’s documentation in such cases.

NTP server

All Neat devices require NTP (Network Time Protocol) server for a variety of functions, and therefore a valid NTP server is a requirement when setting up and operating the devices. Neat uses the standard UDP port 123 to reach out to the following NTP server (default):

time.neat.no (IP address: 34.91.253.47)
Location: The Netherlands*

Newer firmware also supports two additional methods of providing NTP to the system; either the network can provide an NTP server address via DHCP option 42, or a user can manually enter an NTP server address during setup.

Please note that if you have a DHCP server that is providing you with DHCP option 42, Neat device will use that NTP server over time.neat.no (or even a manually entered one). If your DHCP server provides an incorrect DHCP option 42 (e.g. see NTP issues with Cisco Meraki Network), then your Neat device might report invalid NTP server or no internet connection error.

Cloud storage

Neat devices are required to access Neat’s cloud storage to download latest firmware. This is done over HTTPS (TCP port 443) and the server address is:

https://ota.neat.no (IP address: 34.107.186.64)
Location: The USA*

*Disclaimer: Please note that both NTP service and Cloud storage services are hosted by Google cloud services and therefore their respective IP addresses and locations may change.

Additional requirements

For network security teams that are ‘white-listing’ webpages, we very strongly recommend allowing access to all subdomains under *.neat.no . This ensures that any new features introduced by Neat are fully functional and not inadvertently blocked by future upgrades.

Note: Neat uses the same static IP address (34.107.186.64) for all the HTTP and HTTPS services below. Please note that the IP addresses behind these sites may be subject to change.

Neat will require access to the following Web pages in addition to the NTP and Cloud servers:

Web addressesIP addressPorts that need to be opened
connectivitycheck.neat.no34.107.186.64tcp 80 (http) and tcp 443 (https)
id.neat.no34.107.186.64tcp 443 (https)
api.neat.no34.107.186.64tcp 443 (https)
metrics.neat.no34.107.186.64tcp 443 (https)

Neat Pulse requirements

Neat Pulse is the management platform to manage Neat devices remotely. The following requirements need to be met in order to use Neat Pulse:

  • Protocols:
    • HTTPS, including http/2 and http/1 with WebSockets
  • DNS hostnames:
    • pulse.neat.no
    • *.pulse.neat.no
  • IP addresses (subject to change):
    • 20.76.42.235
    • 20.16.158.114
    • 108.142.134.73
  • Ports:
    • 443 TCP

HTTP proxies are supported if they support ‘HTTP CONNECT’.

Microsoft Teams software requirements

After you complete the Neat firmware installation and have chosen Microsoft Teams, Neat devices will run Microsoft Teams Room for Android software provided by Microsoft and connect to the Microsoft backend. For ongoing operation, ensure all Microsoft resources are available via your firewall as described in the following articles provided by Microsoft on this topic.

In general: The ports used for Microsoft Teams Rooms for Android are the same as any other Microsoft Teams client on your laptop/pc.

Zoom Room software requirements

After you complete the Neat firmware installation and have chosen Zoom, Neat devices will run Zoom Room software provided by Zoom, and connect to the Zoom backend. For ongoing operation, ensure all Zoom resources are available via your firewall as described in the following articles provided by Zoom on this topic.

Summary

ProductProtocolPortsFirewall rulesDescription
NeatDHCPUDP 67, 68None requiredObtain IP address, default gateway, DNS etc.
NeatmDNSMulticast packets to
224.0.0.251
UDP 5353
None required (multicast traffic remains local to the subnet)Discovery and pairing
Neat NTPUDP 123Open UDP 123 on firewall to:
time.neat.no (default) 
NTP time server for various operations
NeatHTTPSTCP 443Open TCP 443 to:
ota.neat.no
connectivitycheck.neat.no
id.neat.no
metrics.neat.no
api.neat.no
Note: Generally allow *.neat.no domain over HTTPS/TCP 443
ota.neat.no: Access cloud storage for software connectivitycheck.neat.no: connectivity checks (for captive portal configuration)
id.neat.no: To be able to obtain certificates to maintain communication with ZDM as well as other non-Pulse microservices.
api.neat.no: Non-Pulse control micro-services.
metrics.neat.no: Non-Pulse control micro-services.
NeatHTTPTCP 80Open TCP 80 to:
connectivitycheck.neat.no
connectivitycheck.neat.no: connectivity checks (for captive portal configuration)
NeatHTTPSTCP 443Open TCP 443 to pulse.neat.no and *.pulse.neat.noCommunication with Neat Pulse device management cloud
MicrosoftVariousVariousFollow Microsoft’s advice here
ZoomVariousVariousFollow Zoom’s advice on Zoom and Zoom RoomsTo allow Zoom Room software to connect to Zoom cloud
Table: Neat’s Network and Firewall requirements

IMPORTANT NOTE

The firewall requirements on Neat Bar and Neat Pad* differ depending on the software version running on these devices. Until April 2020, Neat software versions required multiple network resources to be accessible for the initial configuration process. After April 2020, Neat simplified its network requirements. When Neat devices are shipped out from manufacturing locations, some may be running pre-April 2020 firmware. For simplicity and to avoid any confusion, this article only describes the network requirements for newer (post April 2020) software releases. All Neat devices will upgrade to the latest software version once connected to the network.
If you continue to encounter issues after opening the network ports above, please reach out to Neat’s technical support team at
support@neat.no.
*All Neat Boards and Neat Bar Pros were manufactured after April 2020 and therefore this article (with newer firewall requirements) applies to them.