PathSpot HandScanner operating on untrusted VLANs
The PathSpot HandScanner is designed to work securely on networks where inbound connections are blocked (such as an untrusted VLAN). All cloud-to-device instructions (config updates, software updates, etc.) are delivered over an outbound MQTT-over-TLS session that the device itself opens to AWS IoT Core, so no inbound session initiation is required.
🔐 PathSpot HandScanner on Untrusted VLANs
Secure Connectivity with Outbound-Only Communication
🛡️ Designed for Secure, Inbound-Blocked Networks
| ✅ Feature | 💡 Description |
|---|---|
| 🔁 Device-Initiated Only | All connections are outbound (device to cloud). |
| 🚫 No Inbound Required | No port forwarding, no pinholes, no external access. |
| ☁️ Cloud Updates via AWS | Config/software updates are pulled over outbound MQTT over TLS and HTTPS. |
🌐 Required Network Access
| 🌍 Destination | 🔢 Port | 🔌 Protocol | 📋 Purpose |
|---|---|---|---|
| Router (local) | 53 | UDP | DNS resolution |
| Router (local) | 67, 68 | UDP | DHCP assignment |
| a16pvx628lslju-ats.iot.us-east-1.amazonaws.com | 443 | TCP (MQTT over TLS) | Device heartbeat, status updates |
| c17vf01fhrpedp.credentials.iot.us-east-1.amazonaws.com (path: /role-aliases/s3uploadrolealias/credentials) | 443 | TCP (HTTPS) | Device authentication & AWS credentials |
| *.s3.amazonaws.com | 443 | TCP (HTTPS) | Large file transfers (updates) |
| clients3.google.com/generate_204 | 80 | TCP (HTTP GET) | Captive portal detection |
| pathspot.app/blank | 80 | TCP (HTTP GET) | Captive portal detection |
| 1.us.pool.ntp.org | 123 | UDP | Time sync (SNTP) |

If your firewall filters by hostname, match on the host part only: the paths shown are what the device requests, and for the port 443 entries the path travels inside TLS, where a firewall cannot see it. `*.s3.amazonaws.com` is a wildcard because S3 serves buckets from per-bucket hostnames, and `1.us.pool.ntp.org` resolves to changing pool members, so allow UDP 123 by port rather than by destination address.
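Before the scanner is installed, it helps to confirm from a laptop on the scanner VLAN that every row of the table above is actually reachable. The script below is an added example (not PathSpot's code): its endpoint list is taken from the table, the TLS, HTTP and SNTP probes run from `main()`, and the pure helpers (captive-portal classification, SNTP packet build/parse) work offline. Assumptions: `s3.amazonaws.com` stands in for the `*.s3.amazonaws.com` wildcard; `pathspot.app/blank` is expected to return 200 with an empty body (the page does not say); the ALPN name `x-amzn-mqtt-ca` is AWS IoT's documented mechanism for MQTT on port 443, and whether the scanner uses it is not stated here.

```python
"""Egress self-check for a scanner VLAN (added example, not PathSpot's code)."""
import http.client
import socket
import ssl
import struct
import time

# Endpoints from the "Required Network Access" table on this page.
TLS_HOSTS = [
    "a16pvx628lslju-ats.iot.us-east-1.amazonaws.com",         # MQTT over TLS, 443
    "c17vf01fhrpedp.credentials.iot.us-east-1.amazonaws.com",  # HTTPS credentials, 443
    "s3.amazonaws.com",  # assumption: representative host under *.s3.amazonaws.com
]
# (host, path, expected status) for plain-HTTP captive-portal probes on port 80.
# 204 for generate_204 is Google's behaviour; 200 + empty body for /blank is an assumption.
PORTAL_PROBES = [("clients3.google.com", "/generate_204", 204), ("pathspot.app", "/blank", 200)]
NTP_SERVER = "1.us.pool.ntp.org"
NTP_EPOCH_OFFSET = 2208988800      # seconds from 1900-01-01 to 1970-01-01
MQTT_ALPN = "x-amzn-mqtt-ca"       # AWS IoT's ALPN name for MQTT on 443 (assumed in use)


def captive_portal_verdict(status, body, expected_status):
    """'open' = the reply came from the real origin; otherwise something
    (captive portal, transparent proxy) answered in its place."""
    if status == expected_status and not body.strip():
        return "open"
    if 300 <= status < 400:
        return "captive-portal-redirect"
    return "intercepted"


def build_sntp_request():
    """48-byte SNTP client request: LI=0, VN=4, Mode=3 packed in the first byte."""
    return bytes([0x23]) + bytes(47)


def parse_sntp_response(data):
    """Return the server's transmit timestamp (bytes 40..47) as Unix seconds."""
    if len(data) < 48:
        raise ValueError("short SNTP response")
    if data[0] & 0x07 != 4:
        raise ValueError("not a server response")
    secs, frac = struct.unpack("!II", data[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / 2 ** 32


def check_tls(host, port=443, alpn=None, timeout=5):
    """Full TLS handshake with certificate validation; returns (version, alpn)."""
    ctx = ssl.create_default_context()
    if alpn:
        ctx.set_alpn_protocols([alpn])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.selected_alpn_protocol()


def check_portal(host, path, expected, timeout=5):
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return captive_portal_verdict(resp.status, body, expected)


def check_ntp(server, timeout=5):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_sntp_request(), (server, 123))
        data, _ = sock.recvfrom(512)
    return parse_sntp_response(data)


def main():
    for host in TLS_HOSTS:
        alpn = MQTT_ALPN if "-ats.iot." in host else None
        try:
            print(host, "443/tcp OK", check_tls(host, alpn=alpn))
        except OSError as exc:
            print(host, "443/tcp BLOCKED:", exc)
    for host, path, expected in PORTAL_PROBES:
        try:
            print(host + path, "80/tcp", check_portal(host, path, expected))
        except OSError as exc:
            print(host + path, "80/tcp BLOCKED:", exc)
    try:
        print(NTP_SERVER, "123/udp OK, clock skew %.1fs" % (check_ntp(NTP_SERVER) - time.time()))
    except (OSError, ValueError) as exc:
        print(NTP_SERVER, "123/udp BLOCKED:", exc)


if __name__ == "__main__":
    main()
```

A "BLOCKED" line for a 443 host means the session the scanner relies on cannot be opened at all; an "intercepted" or "captive-portal-redirect" verdict on a port 80 probe means the VLAN still has a login page or transparent proxy in the way, which the device detects with these same two URLs.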
📈 Traffic Patterns
| 🕒 Event | 📤 Frequency |
|---|---|
| 🔄 MQTT Heartbeat | Every 3 min; also on connect, on each scan, and at 5, 20 and 59 min intervals |
| 🔐 HTTPS Auth | Hourly |
| ⬇️ S3 Downloads | At boot, during updates, on scan |
| 🌐 Captive Portal Check | On network connection |
| ⏰ NTP Time Sync | On app launch |

The MQTT session is long-lived: heartbeats are messages on the existing connection, not new connections, and cloud-to-device instructions arrive on the same session. A firewall or NAT idle timeout shorter than the heartbeat interval forces the device to reconnect, which works but shows up as repeated session setup in your logs.
🧰 VLAN Configuration Summary
| ✔️ What to Allow | ❌ What Is Not Needed |
|---|---|
| ✅ Outbound TCP: 443, 80 | 🚫 No inbound TCP |
| ✅ Outbound UDP: 53, 67, 68, 123 | 🚫 No static IPs |
| ✅ Domain allowlisting of the hosts listed above, if outbound filtering is enforced | 🚫 No port forwarding |
| ✅ MAC address allowlisting (if MAC filtering is in place) | 🚫 No special routing rules |
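The summary above is the policy; what a network engineer actually deploys is a ruleset. The script below is an added example (not PathSpot's configuration) for a Linux router that sits between the scanner VLAN and the rest of the site. One policy table drives both an nftables ruleset and a small evaluator that mirrors it, so the intent (outbound-only, port-restricted, DNS pinned to the local router, no lateral movement into other internal subnets) can be checked offline before loading it. The interface name `vlan40`, the subnet `10.40.0.0/24` and the router address `10.40.0.1` are assumptions.

```python
"""Scanner VLAN firewall policy (added example, not PathSpot's configuration)."""
import ipaddress

SCANNER_IF = "vlan40"                                   # assumed interface name
SCANNER_NET = ipaddress.ip_network("10.40.0.0/24")      # assumed scanner VLAN
ROUTER_IP = ipaddress.ip_address("10.40.0.1")           # gateway = DNS forwarder = DHCP server
BROADCAST = ipaddress.ip_address("255.255.255.255")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports from the VLAN Configuration Summary on this page.
ALLOWED_TCP = {80, 443}                    # HTTP probes, HTTPS, MQTT over TLS on 443
DNS_PORT, DHCP_SERVER_PORT, NTP_PORT = 53, 67, 123


def new_flow_allowed(src, dst, proto, dport):
    """Decide whether a NEW connection is permitted. Replies are covered by
    conntrack (established,related) in the ruleset and are not modelled here."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in SCANNER_NET:
        if proto == "udp" and dport == DHCP_SERVER_PORT and dst in (ROUTER_IP, BROADCAST):
            return True                                   # DHCP discover/request/renew
        if dst == ROUTER_IP:
            return proto == "udp" and dport == DNS_PORT   # only DNS to the local router
        if any(dst in net for net in INTERNAL_NETS):
            return False                                  # no lateral movement off the VLAN
        if proto == "tcp":
            return dport in ALLOWED_TCP
        return proto == "udp" and dport == NTP_PORT       # pool IPs rotate: match by port
    if dst in SCANNER_NET:
        return False                                      # no inbound sessions, from anywhere
    return True                                           # other VLANs: outside this policy


def render_nftables():
    """Render the same policy as an nftables ruleset (load with `nft -f FILE`)."""
    internal = ", ".join(str(n) for n in INTERNAL_NETS)
    tcp = ", ".join(str(p) for p in sorted(ALLOWED_TCP))
    return f"""table inet scanner_vlan {{
    chain input {{
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # scanner VLAN may only ask this router for DNS and DHCP
        iifname "{SCANNER_IF}" udp dport {{ {DNS_PORT}, {DHCP_SERVER_PORT} }} accept
        iifname "{SCANNER_IF}" drop
        accept   # other interfaces: keep your existing policy
    }}
    chain forward {{
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        oifname "{SCANNER_IF}" drop                       # no new inbound sessions to the scanners
        iifname "{SCANNER_IF}" ip daddr {{ {internal} }} drop   # no lateral movement
        iifname "{SCANNER_IF}" tcp dport {{ {tcp} }} accept
        iifname "{SCANNER_IF}" udp dport {NTP_PORT} accept
        iifname "{SCANNER_IF}" drop
        accept   # other interfaces: keep your existing policy
    }}
}}
"""


if __name__ == "__main__":
    print(render_nftables())
```

nftables matches addresses and ports, not hostnames, which is why the ruleset pins DNS to the local router: the domain allowlist from the table is then enforced on that resolver (or on an SNI-aware proxy), while the packet filter enforces the port and direction constraints.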
🔄 Key Takeaways
✅ PathSpot HandScanner – Network Setup Made Easy
- No need to open any ports on your network. The device only makes outbound connections, much as your phone does when it connects to the internet.
- It checks in with the cloud regularly to send data and receive updates.
- Works well on restricted networks (like untrusted VLANs) that block inbound traffic.
🔌 What Your Network Needs to Allow
- Outbound internet access on these:
  - TCP ports: 443 (secure web), 80 (basic web)
  - UDP ports: 53 (DNS), 67/68 (DHCP), 123 (time sync)
- If your network filters websites, allow access to the PathSpot and AWS domains listed above.
- Static IPs aren't needed. If you use MAC filtering, just ask us for the device's MAC address; it is also printed on the back of the scanner.
🛠️ You Don't Need To:
- Open any firewall ports
- Set static IPs
- Set up port forwarding
- Allow inbound traffic
Bottom line:
If your network allows secure outbound internet traffic, the PathSpot HandScanner will work — no special setup required.