What the device connects to
| Destination | Port | Purpose |
|---|---|---|
api.iotmanager.dev | 443 (HTTPS) | Device registration, telemetry reporting, uninstall callback |
*.tunnel.iotmanager.dev | 443 (WSS) | Reverse tunnel — terminal, file transfer, container control, public URLs |
Behind a restrictive outbound firewall
If your network only allows specific outbound destinations (common in industrial/locked-down environments), allowlist:The exact subdomain under
tunnel.iotmanager.dev is assigned per-device and can vary — allowlisting the wildcard is the reliable option. If your firewall doesn’t support wildcard TLS/SNI-based rules, allowlist by destination port 443 to any host under tunnel.iotmanager.dev instead of trying to pin an exact hostname.What’s NOT needed
- No inbound ports — the device is never listening for connections from the internet.
- No VPN.
- No static/public IP address. Devices behind NAT, CGNAT, or on a private LAN with no port forwarding work identically to devices with a public IP.
- No SSH daemon exposed publicly — the agent’s built-in SSH server only ever accepts the reverse tunnel connection it initiated itself; nothing needs to reach it from outside.