NAT Gateway

Access you need, when you need it

As cybersecurity threats continue to grow, more organisations are enforcing stricter access controls on their edge networks. In some cases, the Unified Control Node only has access to the Unified Control Hub via port 5671/tcp. No other access is allowed through the local firewall. And we expect this trend to continue as stricter governance and oversight is mandated by governments around the world.

While the UCN can operate with just this one port, there are still some UCN services that require occasional "internet" access in order to function correctly. These include

  • Software installation from trusted repositories (HTTPS)

    • Plugins

    • Security patches

  • Virus definition updates (HTTPS)

  • Clock synchronization (NTP)

  • Large file transfers from the Unified Control Hub (SFTP)

These services are what NAT Gateway aims to enable. By providing specific and temporary access to these services, UCNs can offer their full functionality without compromising the integrity of the local network.


Leveraging the existing connection between the Message Broker and the UCN, the NAT Gateway creates a virtual pathway to deliver the required patches, files and updates.

Access is provided in such a way that access to/from each UCN happens in its own unique context, preventing any chance of "cross talk" between connections.


This pathway is closed by default and cannot be initiated by the UCN. Privileged users in a workgroup can turn on the NAT Gateway for a maximum of 30 minutes. We recommend stopping the service as soon as the required actions are complete.

Disable NAT Gateway for specific devices

NAT Gateway is an optional workgroup addon to assist with keeping UCNs synchronized, patched and up-to-date. Once NAT Gateway is available in a given workgroup (this can be enabled by speaking with your Account Manager if you don't already have one) you have the choice of restricting which UCNs can use the service.

Step 1: Create a Device Group

Browse to Admin -> Workgroups -> Device Groups. Create a new Device Group using the guide here: Device Groups

Step 2: Update the NAT Gateway access

Browse to Admin -> Access -> API tokens.

Find "NAT Gateway" in the list of "Devices with API Access", click Edit, select the new Device Group and click Update.

Last updated