"IT blocked it" is not a troubleshooting strategy. This page provides a minimal, vendor-aligned port checklist and a framework for describing BAS connectivity needs in IT language: source, destination, protocol, and purpose.
BAS devices, supervisors, workstations, and integrations cannot communicate because firewall rules are missing or overly broad. Projects stall while teams argue about which ports are needed.
For each integration, document:

| Field | Example |
|---|---|
| Source host(s) | Workstation 10.1.2.50 |
| Destination host(s) | JACE-8000 10.10.5.20 |
| Protocol | TCP |
| Port(s) | 4911 |
| Service purpose | Niagara station connection (foxs) |
| TLS/encrypted | Yes |

BACnet/IP

| Service | Port | Notes |
|---|---|---|
| BACnet/IP discovery | UDP 47808 | IANA-registered BACnet port |

Niagara Fox connections

| Protocol | Default port | Notes |
|---|---|---|
| fox (unencrypted) | TCP 1911 | Not recommended for production |
| foxs (TLS) | TCP 4911 | Niagara secure baseline |
| foxwss (Fox over WebSocket) | TCP 443 | Passes standard HTTPS firewall rules |

Metasys

Metasys and SCT documentation includes defined port sets and firewall configuration guidance. Implement only what your specific Metasys roles and features require. Reference Johnson Controls Network and IT Guidance for the authoritative port list for your deployment version.

MQTT (if used)

| Protocol | Common port | Notes |
|---|---|---|
| MQTT (unencrypted) | TCP 1883 | Avoid in production deployments |
| MQTT over TLS | TCP 8883 | Preferred for production use |
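
One way to apply the checklist before a request goes to the firewall team, as an added example that is not vendor or project code: it checks each request for the six documented fields, overly broad scopes, and a TLS claim that contradicts the port. The names `review_rule`, `CHECKLIST`, `SAMPLE_REQUESTS` and the /24 breadth threshold are assumptions made for illustration.

```python
import ipaddress

# (protocol, port) -> (service, encrypted, caution). Ports and cautions are
# the defaults listed in the tables on this page.
CHECKLIST = {
    ("UDP", 47808): ("BACnet/IP", False, None),
    ("TCP", 1911): ("Niagara fox", False, "not recommended for production"),
    ("TCP", 4911): ("Niagara foxs", True, None),
    ("TCP", 443): ("Niagara foxwss", True, None),
    ("TCP", 1883): ("MQTT", False, "avoid in production deployments"),
    ("TCP", 8883): ("MQTT over TLS", True, None),
}
REQUIRED = ("source", "destination", "protocol", "port", "purpose", "tls")
MIN_PREFIX = 24  # assumption: an IPv4 range wider than /24 is "overly broad"

def review_rule(rule):
    """Return a list of findings for one firewall rule request (a dict)."""
    findings = [f"missing field: {f}" for f in REQUIRED if rule.get(f) in (None, "")]
    if findings:
        return findings
    for side in ("source", "destination"):
        try:
            net = ipaddress.ip_network(rule[side], strict=False)
        except ValueError:
            findings.append(f"{side} must be a host or CIDR, got {rule[side]!r}")
            continue
        if net.prefixlen < MIN_PREFIX:
            findings.append(f"{side} {net} is broader than /{MIN_PREFIX}")
    key = (str(rule["protocol"]).upper(), rule["port"])
    if key not in CHECKLIST:
        findings.append(f"{key[0]} {key[1]} is not a checklist default; cite vendor docs")
        return findings
    service, encrypted, caution = CHECKLIST[key]
    if rule["tls"] and not encrypted:
        findings.append(f"marked TLS, but {key[0]} {key[1]} is {service} (unencrypted)")
    if caution:
        findings.append(f"{service} on {key[0]} {key[1]}: {caution}")
    return findings

# Constructed sample requests; the first reuses the example row from the table above.
SAMPLE_REQUESTS = [
    {"source": "10.1.2.50", "destination": "10.10.5.20", "protocol": "TCP",
     "port": 4911, "purpose": "Niagara station connection (foxs)", "tls": True},
    {"source": "10.0.0.0/8", "destination": "10.10.5.20", "protocol": "tcp",
     "port": 1911, "purpose": "Niagara station connection", "tls": True},
    {"source": "any", "destination": "10.10.5.30", "protocol": "TCP",
     "port": 8883, "purpose": "MQTT telemetry", "tls": True},
]
```

Calling `review_rule` on each entry of `SAMPLE_REQUESTS` returns an empty list for the first request and findings for the other two. Ports outside the table, such as those a Metasys deployment needs, are reported as requiring a vendor reference rather than rejected.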