Applies To
Intermatic Connect Wi-Fi timers (ETW series, PE Series with Wi-Fi)
Question / Problem
What network ports, protocols, and firewall rules are required for Intermatic Connect Wi-Fi timers to communicate properly?
Overview
Intermatic Connect Wi-Fi timers use outbound-only, TLS-encrypted connections to communicate with cloud services hosted on Amazon Web Services (AWS). No inbound traffic or port forwarding is required. If network connectivity is lost, the timer continues to operate locally using its stored schedule. Remote management and firmware updates resume automatically when connectivity is restored.
Outbound Communication Details
AWS IoT Core (Primary Communication Method)
The timer connects to AWS IoT Core using the MQTT protocol for device configuration, status reporting and remote management.
- Endpoint format: <account-prefix>-ats.iot.<region>.amazonaws.com
- Protocol: MQTT over TLS 1.2
- Port: 8883/TCP
- Authentication: X.509 mutual certificate authentication
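The following is an added example, not Intermatic firmware or any code from the product, showing the client-side TLS policy the section describes (TLS 1.2 minimum, server certificate checked against the hostname, X.509 client certificate for mutual authentication) and a probe that opens the same kind of session on 8883 from a host on the timer's network. The prefix and region character classes in the endpoint regex and the certificate file paths are assumptions.

```python
import re
import socket
import ssl

# Endpoint shape from the article: <account-prefix>-ats.iot.<region>.amazonaws.com.
# The prefix and region character classes are assumptions, not an AWS specification.
ATS_ENDPOINT_RE = re.compile(r"^[a-z0-9]+-ats\.iot\.[a-z]{2}-[a-z]+-\d\.amazonaws\.com$")
MQTT_TLS_PORT = 8883


def is_ats_endpoint(host):
    """True if host has the ATS data endpoint shape the timer connects to."""
    return ATS_ENDPOINT_RE.match(host.strip().lower()) is not None


def device_tls_context(ca_file=None, cert_file=None, key_file=None):
    """Client-side TLS policy matching the article: TLS 1.2 or newer only,
    server certificate chained to a trusted CA and checked against the
    hostname, and an X.509 client certificate presented for mutual auth.
    Certificate paths are caller-supplied assumptions; none are bundled here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # the root CA the device trusts
    else:
        ctx.load_default_certs()
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)  # device identity
    return ctx


def tls_policy(ctx):
    """Summarise the context's policy so it can be audited without a connection."""
    return ctx.minimum_version.name, ctx.verify_mode.name, ctx.check_hostname


def probe_mqtt_endpoint(host, ctx, port=MQTT_TLS_PORT, timeout=5.0):
    """Open the TLS session the timer would open on 8883 and report what was
    negotiated as (tls_version, cipher, server_cn). Requires network access.
    With no client certificate loaded, a listener that enforces mutual
    authentication should refuse the session, which surfaces here as an
    ssl.SSLError or a connection reset rather than a successful return."""
    if not is_ats_endpoint(host):
        raise ValueError(f"not an ATS IoT endpoint: {host}")
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(pair[0] for pair in tls.getpeercert().get("subject", ()))
            return tls.version(), tls.cipher()[0], subject.get("commonName")
```

Run probe_mqtt_endpoint twice from the timer's VLAN, once with only the CA loaded and once with the device certificate and key as well: the first run should fail at or just after the handshake and the second should return a TLSv1.2 or TLSv1.3 session, which confirms both that egress on 8883 is open and that the endpoint really enforces mutual authentication.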
OTA Firmware Updates
Firmware updates are delivered through HTTPS requests to Amazon S3 using pre-signed URLs.
- Domains: *.s3.amazonaws.com and *.s3.<region>.amazonaws.com
- Port: 443/TCP
- Encryption: TLS 1.2
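An added example, not Intermatic code, of the pre-flight checks a firmware downloader can apply to a pre-signed S3 URL before fetching it: HTTPS only, host within the two S3 domain shapes listed above, the SigV4 query parameters present, and the X-Amz-Date plus X-Amz-Expires window not yet elapsed. The signature itself can only be verified by S3 (the device holds no AWS secret), so these checks enforce shape and lifetime; server authentication still rests on TLS. The bucket name, object path, access key and signature in the sample URL are constructed placeholders, and the region label pattern is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Host shapes from the article: *.s3.amazonaws.com and *.s3.<region>.amazonaws.com.
# One bucket label before "s3" and the region pattern (e.g. us-east-1) are assumptions.
S3_HOST_RE = re.compile(r"^[a-z0-9][a-z0-9-]*\.s3(\.[a-z]{2}-[a-z]+-\d)?\.amazonaws\.com$")
SIGV4_ALGORITHM = "AWS4-HMAC-SHA256"
REQUIRED_PARAMS = ("X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
                   "X-Amz-Expires", "X-Amz-SignedHeaders", "X-Amz-Signature")
CLOCK_SKEW = timedelta(minutes=5)


def check_presigned_url(url, now_epoch=None):
    """Return (ok, reason) for an OTA download URL. now_epoch (UTC seconds)
    can be injected for testing; otherwise the system clock is used."""
    now = (datetime.fromtimestamp(now_epoch, timezone.utc) if now_epoch is not None
           else datetime.now(timezone.utc))
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme is not https"
    host = (parts.hostname or "").lower()
    if not S3_HOST_RE.match(host):
        return False, f"host is not an allowed S3 domain: {host}"
    if parts.port not in (None, 443):
        return False, f"unexpected port {parts.port}"
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    missing = [p for p in REQUIRED_PARAMS if p not in query]
    if missing:
        return False, "missing query parameters: " + ", ".join(missing)
    if query["X-Amz-Algorithm"] != SIGV4_ALGORITHM:
        return False, "unexpected signing algorithm " + query["X-Amz-Algorithm"]
    try:
        signed_at = datetime.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        signed_at = signed_at.replace(tzinfo=timezone.utc)
        lifetime = timedelta(seconds=int(query["X-Amz-Expires"]))
    except ValueError:
        return False, "malformed X-Amz-Date or X-Amz-Expires"
    if now < signed_at - CLOCK_SKEW:
        return False, "X-Amz-Date is in the future"
    if now >= signed_at + lifetime:
        return False, "URL has expired"
    return True, "ok"


# Constructed sample: placeholder bucket, path, access key id and signature.
SAMPLE_URL = (
    "https://firmware-example.s3.us-east-1.amazonaws.com/etw/1.2.3/fw.bin"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240101T000000Z&X-Amz-Expires=900"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=0123456789abcdef"
)

if __name__ == "__main__":
    print(check_presigned_url(SAMPLE_URL))  # depends on the current clock
```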
DNS Resolution
The timer requires outbound DNS access (UDP/TCP port 53) to resolve AWS domain names. AWS uses dynamic, DNS-based endpoints. Static IP allow-listing is not supported. Firewall rules should use fully qualified domain names (FQDN) rather than IP addresses.
Return Traffic
All return traffic flows over the same TLS sessions initiated by the timer. The timer does not accept inbound connections.
Required Ports and Protocols
| Purpose | Protocol | Port | Encryption and Authentication |
|---|---|---|---|
| IoT Core (MQTT) | TCP | 8883 | TLS 1.2 + X.509 mutual authentication |
| OTA Firmware Updates (HTTPS) | TCP | 443 | TLS 1.2 |
| DNS Resolution | UDP/TCP | 53 | Standard DNS |
| Local Provisioning | Bluetooth LE (on-site only) | N/A | DH key exchange + AES-128 encryption |
Recommended Outbound Firewall Rules
| Destination (FQDN) | Port | Purpose |
|---|---|---|
| *.iot.amazonaws.com | 8883 | Global IoT endpoint |
| *.iot.us-east-1.amazonaws.com | 8883 | Region-specific MQTT |
| *.iot.us-west-2.amazonaws.com | 8883 | Region-specific MQTT (optional) |
| *.s3.amazonaws.com | 443 | S3 global access (OTA) |
| *.s3.*.amazonaws.com | 443 | Regional S3 buckets (OTA) |
Note that the *.iot.amazonaws.com pattern does not match the <account-prefix>-ats.iot.<region>.amazonaws.com endpoint format given above, because the region label sits between "iot" and "amazonaws.com"; the region-specific rows are the ones that cover the timer's MQTT traffic. Also confirm how your firewall interprets "*" (exactly one DNS label or one or more), since that determines which hostnames the S3 rows cover.
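An added example, not Intermatic code, that applies the allow-list table above to a set of observed outbound connections so the policy can be checked before it is loaded into a firewall. It also serves the DNS section's point that rules are FQDN-based. The matcher assumes the stricter wildcard semantics (each "*" is exactly one DNS label); the connection records and the device prefix and bucket names in them are constructed, not captured traffic.

```python
# Allow-list from the "Recommended Outbound Firewall Rules" table.
ALLOW_RULES = [
    ("*.iot.amazonaws.com", 8883),
    ("*.iot.us-east-1.amazonaws.com", 8883),
    ("*.iot.us-west-2.amazonaws.com", 8883),
    ("*.s3.amazonaws.com", 443),
    ("*.s3.*.amazonaws.com", 443),
]


def _labels(name):
    return name.lower().rstrip(".").split(".")


def fqdn_matches(pattern, host):
    """Anchored, label-by-label match where '*' stands for exactly one label.
    A host with extra trailing labels (suffix spoofing) never matches."""
    p, h = _labels(pattern), _labels(host)
    return len(p) == len(h) and all(a == "*" or a == b for a, b in zip(p, h))


def egress_decision(host, port, rules=ALLOW_RULES):
    """Return (allowed, matching_rule). FQDN and port must both match; the
    first matching rule in table order wins, as most firewalls evaluate."""
    for pattern, rule_port in rules:
        if port == rule_port and fqdn_matches(pattern, host):
            return True, pattern
    return False, None


def covers_iot_endpoint(pattern, region="us-east-1", prefix="a1b2c3d4e5f6-ats"):
    """Does a rule cover the documented <prefix>-ats.iot.<region>.amazonaws.com shape?
    The prefix value is a constructed placeholder."""
    return fqdn_matches(pattern, f"{prefix}.iot.{region}.amazonaws.com")


def audit(records, rules=ALLOW_RULES):
    """Classify (host, port) records into a list of (host, port, allowed, rule)."""
    return [(h, p, *egress_decision(h, p, rules)) for h, p in records]


# Constructed sample of destinations as they might appear in egress logs.
SAMPLE_CONNECTIONS = [
    ("a1b2c3d4e5f6-ats.iot.us-east-1.amazonaws.com", 8883),  # MQTT, primary region
    ("a1b2c3d4e5f6-ats.iot.eu-west-1.amazonaws.com", 8883),  # MQTT, region not in table
    ("a1b2c3d4e5f6-ats.iot.us-east-1.amazonaws.com", 443),   # right host, wrong port
    ("firmware-example.s3.us-east-1.amazonaws.com", 443),    # OTA, regional S3
    ("firmware-example.s3.amazonaws.com", 443),              # OTA, global S3
    ("s3.amazonaws.com", 443),                               # bare S3 host, no bucket label
    ("x.iot.amazonaws.com.attacker.example", 8883),          # suffix spoof attempt
]

if __name__ == "__main__":
    for host, port, allowed, rule in audit(SAMPLE_CONNECTIONS):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {host}:{port}  {rule or ''}")
    for pattern, _ in ALLOW_RULES[:3]:
        print(f"{pattern:32} covers documented endpoint: {covers_iot_endpoint(pattern)}")
```

Running the audit shows the global *.iot.amazonaws.com row never matches the documented endpoint shape while the us-east-1 row does, that the same hostname on 443 is denied, and that a host carrying the allowed suffix in the middle of its name is rejected because the match is anchored.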
Data Transmission and Storage
The timer transmits device configuration settings and status information over encrypted MQTT connections on port 8883. All device configuration and user account data is securely stored in the Intermatic cloud infrastructure hosted on AWS.
The device ID used in MQTT communications is derived from the timer's MAC address, which gives each device a unique identifier. This identifier is not a credential: authentication of the timer relies on its X.509 certificate, as described above.
Tips
- If network connectivity is blocked, the timer continues to operate locally using its stored schedule. Remote management and over-the-air updates resume when Wi-Fi connectivity is restored.
- Device authentication uses X.509 certificates. All traffic between the timer and AWS is TLS-encrypted, and S3 URLs used for firmware updates are short-lived and cryptographically signed.
- Static IP allow-listing is not supported because AWS uses dynamic, DNS-based endpoints. Configure firewall rules using the FQDN entries listed above.
- The primary AWS region is us-east-1 (N. Virginia). AWS handles redundancy and disaster-recovery routing automatically.