Security & Network

This document describes the information that may be of importance for IT/Security Teams as it pertains to software running on-premise connected to the Lumeo cloud platform.

Background

Lumeo is a "no-code" video analytics platform that lets you create and deploy a wide range of video analytics solutions in minutes, and gives you the flexibility to run analytics on-premise, in your cloud, or on Lumeo's cloud.

In order to do that, some of Lumeo's software runs on servers/edge appliances or VMs deployed in customer networks or customer cloud, and communicates with Lumeo's Cloud services for command and control.

Lumeo Agent

Lumeo Agent is the software that runs on the on-prem equipment or in your cloud, and is installed using an installation script. If you use Lumeo-Ready Gateways, it comes pre-installed on the Lumeo-ready devices. It is responsible for communicating with Lumeo's Cloud via an API, running analytic pipelines, streaming video, and discovering local cameras and video management systems.

Open Ports - Inbound

Lumeo will listen on port 554 for RTSP connections. This is used by VMS to ingest/record Lumeo output.

Depending on configuration, Lumeo will also create WebRTC stream(s) on one or more random ports, with random identifiers. This is used to view the video using a browser.

Local Network Connections - Outbound

On the local network, Lumeo will periodically run a WS-Discovery process to detect ONVIF cameras and video management systems on the network. This communication can use the standard ports or vendor-specific ports for particular customer integrations.

Lumeo will also (depending on deployment settings) ingest local video streams from cameras or network video recorders. These streams are typically over RTSP.

Additionally, Lumeo may be configured to send alarms and events to locally deployed VMS systems over vendor-specific ports.

External Network Connections - Outbound

Lumeo makes outbound connections to various cloud services for command & control and integrations.

MQTT

Lumeo initiates an SSL socket connection (using MQTT) over port 8883 to mqtt.lumeo.com. Please note that the IP address behind this hostname is likely to change.

REST API - HTTPS

Lumeo will make https requests to Lumeo's REST API api.lumeo.com over port 443. These communications are also over SSL.

Integrations, Data Storage - HTTPS

Lumeo will make https connections over port 443 to other domains and REST APIs. These connections are used for storing/retrieving large data files and for integrations with cloud services (e.g. SMS, email, Elasticsearch). These communications are also over SSL.

WebRTC

Depending on the deployment configuration, Lumeo will make video streams available over WebRTC to authorized internet clients (users looking at video output from deployments on Lumeo's web-based admin console: https://console.lumeo.com ). As part of WebRTC, Lumeo will make connections to traverse.lumeo.com and stun.google.com to attempt STUN and TURN in order to establish a direct peer-to-peer connection to the video stream viewer.

Updates - HTTPS

During installation and automatic updates, Lumeo will also need access to public software repositories over HTTP/HTTPS (TCP port 80 & TCP port 443) and DNS (UDP port 53).
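The outbound endpoints above are the ones most often blocked by a site firewall or broken by a TLS-intercepting proxy, so a pre-flight check before installing the agent saves a lot of debugging. The following script is an added example and not Lumeo's own tooling: it takes the hostnames and ports from this page, resolves each name, opens a TCP connection and, for the TLS ports (443 and 8883), completes a handshake with certificate and hostname verification against the system trust store. The `connect` parameter is injectable so the logic can be exercised offline; the endpoint list and the 5-second timeout are the only assumptions.

```python
"""Egress pre-flight check for a host that will run the Lumeo agent.

Added example (not Lumeo's own tooling). Endpoints are taken from the
"External Network Connections - Outbound" section of this page.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple

# (hostname, TCP port, expect TLS). STUN/TURN also use UDP, which a plain
# TCP connect cannot exercise; the TCP listener on 3478 is checked instead.
REQUIRED_TCP_EGRESS: Sequence[Tuple[str, int, bool]] = [
    ("api.lumeo.com", 443, True),         # REST API (HTTPS)
    ("assets.lumeo.com", 443, True),      # installation / update assets
    ("mqtt.lumeo.com", 8883, True),       # MQTT over TLS (command & control)
    ("traverse.lumeo.com", 3478, False),  # STUN / TURN
]


@dataclass
class CheckResult:
    host: str
    port: int
    ok: bool
    detail: str


# A connector resolves + connects (+ TLS handshake) and raises on any failure.
Connector = Callable[[str, int, bool], None]


def _real_connect(host: str, port: int, tls: bool, timeout: float = 5.0) -> None:
    """Resolve the name, open a TCP connection and, if tls is set, complete a
    TLS handshake that verifies the certificate chain and the hostname."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if tls:
            ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
            with ctx.wrap_socket(sock, server_hostname=host) as tls_sock:
                tls_sock.getpeercert()  # handshake has completed by now


def check_egress(endpoints=REQUIRED_TCP_EGRESS,
                 connect: Connector = _real_connect) -> List[CheckResult]:
    """Try every endpoint and return one result per endpoint (never raises)."""
    results: List[CheckResult] = []
    for host, port, tls in endpoints:
        try:
            connect(host, port, tls)
            results.append(CheckResult(
                host, port, True, "reachable" + (", TLS verified" if tls else "")))
        except ssl.SSLCertVerificationError as exc:
            # Reachable, but the certificate did not verify. On a corporate
            # network this usually means a TLS-intercepting proxy is on the
            # path; the agent will refuse to talk to it, so it must be exempted.
            reason = getattr(exc, "reason", None) or str(exc)
            results.append(CheckResult(
                host, port, False, f"TLS verification failed: {reason}"))
        except (socket.gaierror, OSError) as exc:
            # DNS failure, refused/blocked connection, or timeout.
            results.append(CheckResult(host, port, False, f"unreachable: {exc}"))
    return results


def failed(results: List[CheckResult]) -> List[CheckResult]:
    """Subset of results that must be fixed before installing the agent."""
    return [r for r in results if not r.ok]


if __name__ == "__main__":
    for r in check_egress():
        print("PASS" if r.ok else "FAIL", f"{r.host}:{r.port}", r.detail)
```

Run it on the gateway (or VM) before the installation script; a FAIL with "TLS verification failed" points at interception rather than a blocked port, and is the case to raise with the firewall team, since allowing the port alone will not fix it.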

Safe & Secure Programming

Lumeo is written in Rust (https://rust-lang.org), a memory-safe systems programming language. It is used by many large companies and projects, like Microsoft, Cloudflare, Dropbox, Google, Yelp, Firefox, and more. The language is designed to be highly performant (on par with C/C++) while preventing memory-safety errors such as buffer overflows, the class of programming error that accounts for a large majority (around 70%) of security vulnerabilities (see https://msrc-blog.microsoft.com/2019/07/22/why-rust-for-safe-systems-programming/ ).

Recommended Network Configuration

This document describes the basic network setup for the Lumeo Agent running locally on customer sites.

The recommended simplified network configuration for the Gateway running the Lumeo agent:

  • No restrictions on outbound connections to the Cloud (UDP, TCP)
  • Allow 554 (TCP, UDP) inbound connections from your local network / VMS IP Address ranges
  • Allow ONVIF (80, 443 TCP & UDP), RTSP (554 TCP & UDP) outbound connections to your local cameras & VMS.
    • If your VMS or Camera is running ONVIF / RTSP service on a different port, you will need to open those up too.
  • We recommend running Lumeo on a Dual-NIC device. Lumeo-Ready Gateways are mostly equipped with Dual-NICs as well. With a Dual-NIC device, you can connect one NIC to your camera network, and the other to a network with internet access.

Ports

The main ports for Lumeo on-prem agent / device are listed in the table.

  • outbound direction indicates that the Lumeo agent makes an outbound connection to the specified Domain on those ports
  • inbound direction indicates that the Lumeo software listens on that port for inbound connections on the local network.
  • Note that no ports need to be opened in your firewall for inbound connections.
| Function | Ports | Direction | Protocol | Domain / network |
|---|---|---|---|---|
| Installation, Updates, Operations | 80 & 443 | outbound | TCP | api.lumeo.com, assets.lumeo.com |
| WebRTC (STUN) | 3478, 19302 | outbound | TCP/UDP | traverse.lumeo.com, stun.google.com, stun.l.google.com |
| WebRTC (TURN, TURNS) | 3478, 5349 | outbound | TCP/UDP | traverse.lumeo.com |
| WebRTC (streaming) | 49152-65535 | outbound | UDP | traverse.lumeo.com and local network |
| Agent Communication | 8883 | outbound | TCP | mqtt.lumeo.com |
| RTSP | 554 | outbound; inbound (to pull output streams into a VMS) | TCP, UDP | local network |
| Web management interface, ONVIF & Discovery (only for Lumeo-Ready Gateways) | 80 (ONVIF); 443 (web-based Gateway Management interface). The following ports are opened only when Media Server & ONVIF are enabled: 8555 (ONVIF RTSP), 8322 (RTSPS), 8888 (HLS) | inbound | TCP | local network |
| DNS | 53 | outbound | UDP | |
| Camera Discovery | 3702, 80, 443 (other ports may be used depending on the camera vendor) | outbound | TCP/UDP | camera network or streams |
| Integrations | Check the node documentation for additional ports you need to allow outbound communication on, e.g. Milestone integration (port 9090), Genetec (port 4590) | outbound | | |

Node reference: https://docs.lumeo.com/docs/node-reference
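The recommended configuration above and the port table together describe a fairly small policy: everything to the cloud leaves on the internet-facing NIC, everything to cameras and the VMS stays on the camera NIC, and the only inbound service is RTSP on 554 from the VMS. The following script is an added example, not Lumeo's own configuration: it encodes the table as data and renders a stateful nftables ruleset for a dual-NIC gateway so the policy can be reviewed and diffed before loading with `nft -f`. It assumes the interface names `eth0` (internet) and `eth1` (camera/VMS network) and a VMS address range of `10.10.0.0/24`. It is also deliberately stricter than the page's "no restrictions on outbound connections to the Cloud" recommendation, allowlisting egress to the listed ports for sites whose policy requires it; the UDP 49152-65535 line exists because WebRTC streaming needs that range, and it is the widest entry in the set.

```python
"""Render an nftables ruleset for a dual-NIC Lumeo gateway from the port table.

Added example, not Lumeo's own configuration. Interface names and the VMS
address range are assumptions; ports, directions and protocols come from the
"Ports" table on this page.
"""
from dataclasses import dataclass
from typing import List, Tuple

WAN = "eth0"               # assumption: NIC with internet access
CAM = "eth1"               # assumption: NIC on the camera / VMS network
VMS_RANGE = "10.10.0.0/24"  # assumption: VMS / viewer addresses allowed to pull RTSP


@dataclass(frozen=True)
class Rule:
    function: str       # free-text label, emitted as an nft comment
    ports: str          # nft port expression: "554", "{ 80, 443 }", "49152-65535"
    direction: str      # "outbound" (output chain) or "inbound" (input chain)
    protos: Tuple[str, ...]  # ("tcp",), ("udp",) or ("tcp", "udp")
    iface: str          # NIC the traffic uses


# One row per table entry that applies to a self-installed dual-NIC gateway.
PORT_TABLE: List[Rule] = [
    Rule("Installation, updates, REST API", "{ 80, 443 }", "outbound", ("tcp",), WAN),
    Rule("WebRTC STUN/TURN", "{ 3478, 5349, 19302 }", "outbound", ("tcp", "udp"), WAN),
    Rule("WebRTC streaming", "49152-65535", "outbound", ("udp",), WAN),
    Rule("Agent MQTT", "8883", "outbound", ("tcp",), WAN),
    Rule("DNS", "53", "outbound", ("udp",), WAN),
    Rule("RTSP ingest from cameras/VMS", "554", "outbound", ("tcp", "udp"), CAM),
    Rule("ONVIF / WS-Discovery", "{ 80, 443, 3702 }", "outbound", ("tcp", "udp"), CAM),
    Rule("RTSP output to VMS", "554", "inbound", ("tcp", "udp"), CAM),
]


def nft_lines(rule: Rule, vms_range: str) -> List[str]:
    """One nft rule per protocol. Inbound rules are additionally restricted to
    the VMS source range, matching the 'from your VMS IP ranges' advice."""
    lines = []
    for proto in rule.protos:
        if rule.direction == "outbound":
            lines.append(f'oifname "{rule.iface}" {proto} dport {rule.ports} '
                         f'accept comment "{rule.function}"')
        elif rule.direction == "inbound":
            lines.append(f'iifname "{rule.iface}" ip saddr {vms_range} {proto} '
                         f'dport {rule.ports} accept comment "{rule.function}"')
        else:
            raise ValueError(f"unknown direction {rule.direction!r}")
    return lines


def render_ruleset(table: List[Rule] = PORT_TABLE, vms_range: str = VMS_RANGE) -> str:
    """Full ruleset: default-drop input and output, stateful return traffic,
    then the per-row accepts. Forwarding is not enabled, so the two NICs stay
    separated even though both are attached to the same gateway."""
    inbound = [l for r in table if r.direction == "inbound" for l in nft_lines(r, vms_range)]
    outbound = [l for r in table if r.direction == "outbound" for l in nft_lines(r, vms_range)]
    body = [
        "table inet lumeo_gw {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        *[f"    {l}" for l in inbound],
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
        *[f"    {l}" for l in outbound],
        "  }",
        "}",
    ]
    return "\n".join(body) + "\n"


def listening_ports(table: List[Rule] = PORT_TABLE) -> List[Tuple[str, str, str]]:
    """(iface, proto, ports) for everything the gateway accepts inbound: the
    list to compare against `ss -lntup` on the box after installation."""
    return [(r.iface, p, r.ports) for r in table if r.direction == "inbound" for p in r.protos]


if __name__ == "__main__":
    print(render_ruleset(), end="")
```

Write the output to a file, review the diff against the previous version, and load it with `nft -f`; `listening_ports()` is the expected inbound surface to reconcile with what `ss -lntup` actually shows on the gateway. Anything a camera vendor or VMS integration needs beyond the table (the Milestone and Genetec ports, vendor-specific ONVIF ports) is added as another `Rule` row on the `CAM` interface rather than by relaxing the default-drop policies.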

Ports - Lumeo Cloud Gateways

Lumeo Cloud Gateways do not open any publicly accessible ports. They make outbound connections to your Cameras from Lumeo's cloud.