+49-8102-7370030
web[at]planspur.de

Shape Future

Pioneering software solutions for visualizing building and AV systems

––––––––––––––––––––––––

Network and Firewall

NDPro is the central platform of the system. Communication with AV and building technology devices takes place locally via IP-based device interfaces. All core functions such as control, automation, user interfaces, backups, and scheduling are fully available offline.

An internet connection is required for the following services:
– System updates for operating system/services
– NDPro Updater (software updates & patches)
– NDC Monitoring (status messages, notifications)

DNS routing for visualizations:
For encrypted, signed access via browsers or touch panels:
– A DNS entry is required, e.g. muster.ndpro.app → 192.168.100.5

Firewall permissions for internet access:
– HTTPS (TCP Port 443): The controllers require HTTPS access for the secure transmission of status, operational, and fault messages.
– DNS (TCP/UDP Port 53 + 853): The controllers require access to an internal or external DNS server for domain name resolution (e.g., 8.8.8.8 / 8.8.4.4).
– NTP/SNTP (UDP Port 123): The controllers require access to an internal or external time server (NTP) to ensure accurate time-stamping of system events.
– VPN (UDP Port 1201): The controllers require access to the NDPro update server to continuously receive software updates and security patches.
– Generally: For operating system updates, selective or permanent access to TCP ports 80/443 should be permitted to download update packages from the Debian repositories.

Firewall permissions for local network communication:
– Access to NDPro: For administration, visualization and file access, the following protocols/ports must be reachable: SSH (22), HTTP (80), HTTPS (443), SMB (445)
– Access from NDPro to endpoint devices: Depending on manufacturer and protocol, the control system requires flexible communication paths. Therefore, inbound traffic from the NDPro controller to endpoint devices should allow ANY TCP/UDP + ICMP to ensure full support of vendor-specific APIs, status reporting, and protocol communication.
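
An added example, not part of the original page or NDPro's own tooling: a Python audit that checks a proposed firewall rule set against the port lists above. It reports required internet flows that are missing, internet-bound rules wider than the list, and inbound rules reachable from outside the local network or on unlisted ports. The rule dictionary format, the rule names and the 192.168.100.0/24 LAN are constructed assumptions.

```python
from ipaddress import ip_network

# Internet-bound flows from the list above: HTTPS, DNS (53 + 853), NTP, VPN, Debian repos.
REQUIRED_EGRESS = {("tcp", 443), ("tcp", 53), ("udp", 53), ("tcp", 853),
                   ("udp", 853), ("udp", 123), ("udp", 1201), ("tcp", 80)}
# Local access to NDPro from the list above: SSH, HTTP, HTTPS, SMB (all TCP).
LOCAL_INGRESS = {22, 80, 443, 445}

def _flows(rule):
    """Expand a rule into the (proto, port) pairs it permits."""
    protos = ("tcp", "udp") if rule["proto"] == "any" else (rule["proto"],)
    lo, hi = rule["ports"]
    return ((p, port) for p in protos for port in range(lo, hi + 1))

def _is_local(cidr, lan):
    return ip_network(cidr).subnet_of(ip_network(lan))

def audit(rules, lan):
    """Return (missing egress flows, over-broad egress rules, over-exposed ingress rules)."""
    out_inet = [r for r in rules if r["dir"] == "out" and not _is_local(r["dst"], lan)]
    inbound = [r for r in rules if r["dir"] == "in"]
    permitted = {f for r in out_inet for f in _flows(r)}
    missing = sorted(REQUIRED_EGRESS - permitted)
    too_wide = [r["name"] for r in out_inet
                if any(f not in REQUIRED_EGRESS for f in _flows(r))]
    exposed = [r["name"] for r in inbound
               if not _is_local(r["src"], lan)
               or any(f[0] != "tcp" or f[1] not in LOCAL_INGRESS for f in _flows(r))]
    return missing, too_wide, exposed

# Constructed sample policy (hypothetical rule format, not a vendor export).
LAN = "192.168.100.0/24"
SAMPLE_RULES = [
    {"name": "https-out", "dir": "out", "proto": "tcp", "ports": (443, 443), "dst": "0.0.0.0/0"},
    {"name": "dns-out", "dir": "out", "proto": "any", "ports": (53, 53), "dst": "8.8.8.8/32"},
    {"name": "ntp-out", "dir": "out", "proto": "udp", "ports": (123, 123), "dst": "0.0.0.0/0"},
    {"name": "devices", "dir": "out", "proto": "any", "ports": (0, 65535), "dst": LAN},
    {"name": "legacy-high", "dir": "out", "proto": "tcp", "ports": (1024, 65535), "dst": "0.0.0.0/0"},
    {"name": "admin-ssh", "dir": "in", "proto": "tcp", "ports": (22, 22), "src": LAN},
    {"name": "web-wan", "dir": "in", "proto": "tcp", "ports": (443, 443), "src": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, LAN))
```

The ANY rule toward endpoint devices is not flagged because its destination lies inside the LAN, matching the local-network permission described above.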

Hardware and VM (Virtual Machine)

Requirements for deployment on dedicated hardware or as a virtual machine:
– Processor: Intel Xeon E5 or newer / AMD Ryzen 5 or newer
– RAM: minimum 4 GB, recommended 8 GB or more
– Storage: minimum 80 GB, recommended 260 GB or more SSD
– Network Interface: Gigabit Ethernet
– Operating System: Debian 12 (Bookworm) or newer

Installation process for a new instance
– Provision server hardware meeting the above requirements
– Install operating system: Debian 12 (Bookworm, no-desktop default setup) on a single partition
– Configure IPv4 adapter with static IP or DHCP on 1G/10G Ethernet
– Enable SSH access and provide a user account named “ndpro”
– Configure hostname and hosts file according to project requirements
– Install the NDPro environment using the provided *.sh script, which automatically installs required components: curl, openvpn, openssl, htop, zip, unzip, ufw, samba, sqlite3, ca-certificates, gnupg, and apache2
– Script installs Node.js latest LTS (22.11 or newer) with PM2 as process watchdog and npm/ncu as package management
– Optional installation and configuration of SMB/Samba for folder sharing
– Automatic setup of UFW firewall with rules for SSH, (SMB), HTTP and HTTPS
– Download current NDPro release from update.ndpro.app
– Extract and deploy NDPro environment into the home directory of user “ndpro”
– NDPro runs in the non-privileged “ndpro” user context; services are managed via PM2/systemd (no sudo/root required)
– Generate a self-signed certificate as the default solution, to be replaced later by a customer certificate
– Configure Apache2 VirtualHost for HTTPS forwarding/proxy
– Setup of OpenVPN client for NDPro update bridge (AES-256-GCM, ECDSA secp521r1 + TLS)
– Completion with provisioning of the system key for documentation
– All further configuration is performed via the NDPro web interface

––––––––––––––––––––––––