Network requirements
When @opcua/for-node-red runs inside a corporate or industrial network, the
following outbound connections must be allowed by your firewall and any
URL-filtering proxy. This page is intended to be shared with your IT or
security team.
The product never accepts inbound connections to these endpoints. All traffic is initiated from the host running Node-RED.
Hostnames and ports
| Hostname | Protocol | Port(s) | Purpose | Required? |
|---|---|---|---|---|
| kyu.sterfive.com | HTTPS | 443/tcp | Customer onboarding and licence-management API | Yes for first-time installation and Pro-eval |
| telemetry.sterfive.com | HTTPS / OTLP | 443/tcp | Anonymous product telemetry (OpenTelemetry over HTTPS and gRPC) | Optional — can be disabled (see below) |
| *.cryptlex.com | HTTPS | 443/tcp | Online licence activation and heartbeat (Cryptlex licensing service) | Yes unless you use an on-premise licence server |
| registry.npmjs.org | HTTPS | 443/tcp | Node-RED palette / npm package installation | Standard Node-RED requirement |
The kyu.sterfive.com and telemetry.sterfive.com hostnames are operated by
Sterfive SAS, currently hosted on OVH SAS infrastructure in France
(AS16276). The current public IP is 51.91.111.176. IP addresses may
change without notice — please configure firewall rules by hostname rather
than by IP whenever possible.
HTTP/3 (QUIC) — optional
The Sterfive endpoints advertise HTTP/3 via the Alt-Svc response header.
Modern clients may switch to QUIC over 443/udp. If your firewall does not
permit outbound UDP/443, this is harmless: clients fall back to HTTPS over
TCP automatically. You only need to allow UDP/443 if you want to take
advantage of HTTP/3 performance improvements.
TLS certificates
All Sterfive endpoints use TLS 1.2+ with certificates issued by Let's Encrypt, the same publicly-trusted CA used by most modern web services. Certificates are short-lived (90 days) and automatically renewed.
If your environment performs TLS-inspection (man-in-the-middle proxy), make sure the proxy:
- Trusts the standard Let's Encrypt root chain (ISRG Root X1).
- Allows the SNI values kyu.sterfive.com and telemetry.sterfive.com exactly. Both certificates list a single SAN entry — they do not use a wildcard.
- Does not strip the Alt-Svc response header (or accept that clients will fall back to HTTP/2 over TCP, which works fine).
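To confirm from the Node-RED host whether a TLS-inspection proxy is re-signing these connections, the following added example (not part of the Sterfive product or its documentation) compares the served certificate with the properties stated above. The function names, finding labels, sample chains and the `--live` switch are illustrative assumptions; the certificate fields are those of Node.js `tlsSocket.getPeerCertificate(true)`.

```javascript
// Added example: compare the certificate served to this host with what this page states.
const HOSTS = ['kyu.sterfive.com', 'telemetry.sterfive.com'];

// Parse Node's subjectaltname string, e.g. "DNS:a.example, DNS:b.example".
function dnsSans(cert) {
  return String(cert.subjectaltname || '').split(',').map((s) => s.trim())
    .filter((s) => s.startsWith('DNS:')).map((s) => s.slice(4).toLowerCase());
}

// Name the issuer at the top of the presented chain (Node links a self-signed root to itself).
function chainAnchor(cert) {
  let cur = cert;
  while (cur.issuerCertificate && cur.issuerCertificate !== cur) cur = cur.issuerCertificate;
  return cur.issuer ? cur.issuer.CN : null;
}

// `leaf` has the shape returned by tlsSocket.getPeerCertificate(true).
function assessCertificate(host, leaf) {
  const sans = dnsSans(leaf);
  const findings = [];
  // A re-signing TLS-inspection proxy shows up as a different issuer organisation.
  if (!leaf.issuer || leaf.issuer.O !== "Let's Encrypt") findings.push('issuer-not-lets-encrypt');
  if (sans.length !== 1 || sans[0] !== host) findings.push('san-not-single-exact');
  return { host, anchor: chainAnchor(leaf), sans, findings, asDocumented: findings.length === 0 };
}

// Constructed sample chains (not captured from the real endpoints).
const sampleRoot = { subject: { CN: 'ISRG Root X1' }, issuer: { CN: 'ISRG Root X1' } };
sampleRoot.issuerCertificate = sampleRoot;
const SAMPLE_DIRECT = { subjectaltname: 'DNS:kyu.sterfive.com', issuer: { O: "Let's Encrypt", CN: 'R11' },
  issuerCertificate: { subject: { CN: 'R11' }, issuer: { CN: 'ISRG Root X1' }, issuerCertificate: sampleRoot } };
const SAMPLE_INSPECTED = { subjectaltname: 'DNS:*.sterfive.com', issuer: { O: 'Example Corp', CN: 'Example Proxy CA' } };

// Live check (`node check.js --live`); assumes a direct or transparent route to port 443.
async function probe(host) {
  const tls = await import('node:tls');
  return new Promise((resolve, reject) => {
    const sock = tls.connect({ host, port: 443, servername: host }, () => {
      resolve(assessCertificate(host, sock.getPeerCertificate(true)));
      sock.end();
    });
    sock.setTimeout(10000, () => sock.destroy(new Error('timeout')));
    sock.on('error', reject);
  });
}
if (process.argv.includes('--live')) {
  Promise.allSettled(HOSTS.map(probe)).then((rs) =>
    rs.forEach((r, i) => console.log(HOSTS[i], JSON.stringify(r.value || String(r.reason)))));
}
```

With `--live`, a handshake that Node.js rejects (for example because the inspection proxy's CA is not in its trust store) is printed as an error string instead of a result.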
Disabling telemetry
Connectivity to telemetry.sterfive.com is not required for product
functionality. To disable it, set the environment variable
STERFIVE_DISABLE_TELEMETRY=1 on the host running Node-RED. See the
Telemetry page for details on what is collected and what
is not.
Sample firewall snippets
The following snippets allow outbound HTTPS to all Sterfive endpoints used by the product. Replace policy / object names to match your environment.
iptables (Linux host firewall)
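```bash
# Outbound HTTPS to Sterfive product endpoints.
# iptables resolves each hostname once, when the rule is added, and stores the
# resulting IP address(es); re-apply these rules if the addresses change.
iptables -A OUTPUT -p tcp -d kyu.sterfive.com --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -d telemetry.sterfive.com --dport 443 -j ACCEPT
```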
Palo Alto Networks (URL category exception)
Create a custom URL category Sterfive-Product containing:
```
kyu.sterfive.com
telemetry.sterfive.com
*.cryptlex.com
```
then add a security policy that allows the web-browsing and
ssl applications from your Node-RED hosts to that category.
Generic proxy allowlist
```
kyu.sterfive.com:443
telemetry.sterfive.com:443
*.cryptlex.com:443
```
Verifying connectivity
From the Node-RED host, the following commands should all succeed:
```bash
curl -sSI https://kyu.sterfive.com/api/v1/health
curl -sSI https://telemetry.sterfive.com/
```
The first call should return 200 OK. The second should return 200 OK
with Content-Type: text/html (the public landing page).
If either call fails, capture the full output and forward it to support@sterfive.com.
Testing the offline / firewall-blocked behaviour
If you want to verify how the Node-RED config panel behaves when
kyu.sterfive.com is unreachable — without actually blocking the host
in your firewall — set the following environment variable on the
Node-RED process:
```bash
# Linux / macOS
STERFIVE_KYU_SIMULATE_UNREACHABLE=1 node-red
```

```powershell
# Windows PowerShell
$env:STERFIVE_KYU_SIMULATE_UNREACHABLE=1; node-red
```
Every call from @opcua/for-node-red to kyu.sterfive.com will then
fail with a synthetic network error, exactly as if the host were
firewalled. The registration page will surface the amber "Cannot reach
kyu.sterfive.com" panel and auto-expand the I already have an
activation key or licence key alternatives, so you can confirm that
licence-key activation still works in an air-gapped environment. Unset
the variable to restore normal behaviour.