Key highlights of ThingPark Enterprise
Secure
Secure activation of OTAA devices
- Secure activation on standalone Join Servers (offered by ThingPark Activation) + Hardware Security Module (HSM)
- Support for devices with Secure Elements (in conjunction with ThingPark Activation HSM)
Secure Radio Access Network
- Integrated Public Key Infrastructure (PKI) with auto-renewal of X.509 certificates
- Secure gateway connection to core network: Both IPSec and TLS tunneling options are supported, offering secure authentication (reliable PKI with asymmetric cryptography) and data encryption
- Rich set of backhaul usage counters (supported by LRR), allowing detection of abnormal traffic situations
- Secure remote access to base stations, independent of customer-configured support password
- Disabled remote access from public IP addresses once the gateway has a stable connection to the core network
- Secure gateway bootstrapping, by ThingPark's zero-touch Infrastructure Commissioning Service
Data integrity protection
- Data encryption in transit: All endpoints exposed to public networks are secured with TLS or SSH, protecting data from disclosure or modification in transit.
- Data encryption at rest: All the servers running ThingPark platforms, potentially containing customer data or metadata, are encrypted using the AES-256 algorithm. We leverage AWS KMS to manage the keys securely and rotate them.
- Payload integrity protection and encryption over radio link, natively supported by LoRaWAN® protocol
Secure network architecture
A three-layer logical network structure identified by colors:
- RED, public access, exposed to untrusted zones (Internet)
- ORANGE, application layer, only accessible from services hosted in the RED zone
- GREEN, database layer, only accessible from applications hosted in ORANGE zone
Secure end-user management
- Secure authentication, through multi-factor authentication and brute-force mitigation mechanisms
- Integration with External Authentication providers (using OAuth2 and OpenID Connect)
- Multi-role user permission model, supporting several administrative roles from administrators to read-only users
- Audit trails (aka user action logs), including login attempts
Secure network operations
- Periodic security scans, including both the OS and the containers, to detect CVEs and provide the necessary security patches
- Secure exchange of outgoing/incoming reports with Application Servers, via TLS protocol
- Safe core network upgrades, using canary mode (valid only for SaaS)
- DoS & replay attack mitigation
- Secure network flows, including stringent firewall rules enforced by iptables and network proxies
Reliable
Resilient & no-touch High Availability design
- No-touch failover/failback between primary and secondary nodes, including automatic database resynchronization
- Fault-tolerant architecture, leveraging Apache Kafka message queues to buffer packets during temporary unavailability of internal/external data consumers
- No split brain risk through arbiter site
Fault-tolerant gateway's packet forwarder (Long Range Relay - LRR)
- Real-time buffering capabilities, preventing packet loss in case of temporary backhaul disconnection between the gateway and the core network. Queued uplink packets (flagged "Late") are gracefully dequeued after connection reestablishment to avoid flooding the core network.
- Support for geo-redundant network servers
- Support for network interface failover: LRR supports primary and secondary network interfaces with an automatic failover/failback according to the instantaneous state of each interface.
- Permanent supervision of all network servers and network interfaces
SaaS edition
- Native geo-redundant architecture for disaster recovery
- TPE SaaS ensures an enterprise-grade, best-in-class service level agreement
Self-hosted edition
- High availability setup using a 3-node cluster (no split brain risk), supporting both Docker Swarm and Kubernetes orchestration modes
- Supports both standalone (mono-server) and High Availability deployment options
Flexible
Support a variety of deployment models (and combinations through peering)
- On-premise, with or without internet access. For the latter mode, offline installation/upgrade is supported.
- Cloud providers, with ready-to-use images for AWS, Azure and Alibaba clouds
- SaaS, hosted on Actility's regional data-centers
- ThingPark Enterprise All-in-One: Autonomous gateway with embedded network server
Gateway manufacturer agnostic
Simplify network management through a harmonized user interface and avoid vendor lock-in (select best products per use case, mitigate sourcing risks).
- ThingPark's Long Range Relay (LRR) packet forwarder is compatible with most gateway manufacturers: Kerlink, MultiTech, Tektelic, Browan, Milesight, Motorola, Rad, Option, Cisco, Miromico and others... Full list available in Supported brands of base stations.
- Any gateway compatible with Semtech's Basics Station packet forwarder can also connect to ThingPark: Dragino, Advantech, RAK Wireless...
- Professional maintenance of fully owned code. Open source packet forwarders packaged by default by gateway manufacturers are provided "as is" and without any SLA. By contrast, Actility fully owns and maintains the LRR code with industrial grade SLAs.
Support any LoRaWAN®-compliant sensor without exclusion
- All LoRaWAN® device classes: A, B, C
- All LoRaWAN® activation modes: Activation by Personalization (ABP) or Over-the-Air Activation (OTAA)
- All LoRaWAN® MAC versions: 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4 and 1.1
- Full support of LoRaWAN® relays
Deploy your IoT services anywhere: ThingPark supports all the LoRaWAN® Regional Profiles (ISM Bands)
- EU 863-870 MHz
- EU 433 MHz
- US 902-928 MHz
- AU 915-928 MHz
- AS923-1, AS923-2, AS923-3, AS923-4...
- KR 920-923 MHz
- CN 470-510 MHz
- IN 865-867 MHz
- RU 864-870 MHz
- WW 2400 MHz (worldwide ISM band, PoC)
Build your RF coverage as you wish
- Deploy your own Radio Access Network, with any mix of outdoor macro and indoor pico/femto gateways.
- Extend your RF coverage through LoRaWAN relays.
- Complement your RF coverage through mobile gateways providing temporary coverage, to support drive-by/walk-by data collection use-cases.
- Further extend your RF coverage through passive roaming, leveraging ThingPark Exchange roaming hub to connect with your roaming peers.
- Any mix of Regional profiles, any mix of 8, 16 or 64 channel gateways which can even have overlapping RF coverage.
Flexible pricing model
- Choose your licensing model, either based on device volumes or gateway volumes.
- On-demand value-added features: On-premise High Availability, Network Geolocation...
- Dedicated portal Actility Central to manage Channel Partner & customer subscription and renewal requests
Flexible definition of user roles & permissions
- Choose which user profiles should have write access to Device Management and Base Station Management tasks, versus read-only access.
- Restrict user access to resources bound to their administrative domains.
- Freely define hierarchical structures (e.g. country/region/city/site) for your administrative user domains.
Multi-language user interface
Choose your preferred language to display the user interface: English, French, Spanish, Italian, Japanese and German.
Additional languages can be added on demand.
Low-touch operations
Off-the-shelf, ready-to-use and easily upgradable catalogs
- Device Profile catalog, including generic profiles + vendor-specific models for all leading LoRaWAN® device manufacturers.
- Base Station catalog, supporting gateway models from all leading gateway manufacturers.
- RF Region catalog, including Regional Profiles supporting all the ISM bands standardized by LoRa Alliance with their optimized RF channel plans and radio configuration parameters.
- Payload driver catalog, allowing the decoding/encoding of uplink/downlink application payloads. Support for custom drivers.
- Normalization of ontologies & ontology mapping to leading IoT platforms.
- Custom ontology mapping and format conversion through native support for JSLT, JSONata and JMESPath.
Zero-touch gateway bootstrapping & maintenance
- Bootstrapping, configuration and software upgrade of base stations without any physical access, through ThingPark Infrastructure Commissioning Service (ICS).
- Intuitive ICS GUI to personalize gateway configuration: PKI, core network endpoints, network interfaces, LRR parameters, firewall configuration...
Easily add devices (sensors) to your network
- Low-touch device provisioning by scanning LoRaWAN® QR code.
- Bulk provisioning through mass import of device list.
- Per-device activation of value-added features: roaming, network geolocation...
Comprehensive alarm management & supervision through intuitive user interface
- Provision, configure, administrate and supervise LoRaWAN® sensors, gateways and connections towards external Application Servers.
- Built-in SNMP integration to external supervision systems.
- A large set of UX-oriented features: real-time device & gateway status, smart search/filtering, object tagging, fleet management, cartography, send downlink packets to sensors from the GUI...
- Rich set of dashboards, statistics and KPIs.
A rich set of network analysis tools
- Wireless (packet) Logger: showing all uplink and downlink packets processed by the network in both raw and decoded formats, including the transmission status of each downlink packet over the air.
- Spectrum Analysis: intuitive GUI showing the raw/aggregated results of individual RF spectrum scan campaigns, valuable for RF planning and troubleshooting of RF noise problems.
- Network Survey: examine your LoRaWAN® network coverage on a map.
- Network Coverage: simulate the RF coverage of your LoRaWAN network and choose the best gateway placements for your future deployment.
- Air Interface Dimensioning: Analytical coverage & capacity dimensioning tool for outdoor base station deployments.
Easy to integrate with your applications
The most complete set of professionally-supported IoT connectors towards your Application Servers
- Off-the-shelf set of connectors towards all leading cloud IoT platforms: Amazon AWS IoT, Amazon Greengrass, Azure IoT Central, Azure IoT Hub, Thingworx, Cumulocity, Yandex, SAP, IBM Watson, Here, Ginjer...
- Simplified integration with AWS cloud, through ready-to-use CloudFormation Templates (CFT)
- General-purpose connectors, using HTTP, MQTT and AMQP protocols.
Exchange decoded payloads between ThingPark and your Application Servers
- Off-the-shelf catalog of payload drivers (650+), delivering ready-to-use decoded payloads to Application Servers.
- Built-in normalization of ontology through OASIS oBix Points
- Mapping of ontology to leading IoT platforms, and support for custom ontology mapping.
- Build your own custom payload driver, through ThingPark X IoT-Flow user interface.
RESTful APIs
- Authentication, authorization and user management for all user roles.
- Swagger contracts for easy integration with Application developers.
- Swagger user interface, allowing developers to try out each endpoint.
Scalable
Scale up/out as you grow
- Up to 50,000 gateways and 12 million devices.
- Fully horizontally and vertically scalable regional SaaS platforms.
- Microservice-driven architecture with fully sharded databases.
- Load & stress test reports available for each ThingPark release.
- Ready-to-use sizing utilities for on-premise deployments, covering different sizing segments for both standalone servers and private clouds.
Explore ThingPark's multitenancy for your multi-site/multi-use-case deployments
- Leverage multi-tenancy to expand your IoT deployment towards new vertical use-cases, new geographical locations, new end-customers...
- Restrict user access to resources bound to their administrative domains.
Future-proof Value-Added Services
Peer with any network using Passive Roaming
- Roaming allows exchanging packets between public and private LoRaWAN® networks, in a transparent way while keeping the MAC layer management at the home network of the device.
- When a device roams, its LoRaWAN® packets are relayed by the visited network (forwarding NS) to the home/serving network through standardized inter-LNS messages defined by the LoRaWAN® Backend Interfaces specification.
- Both roam-in and roam-out use-cases are supported by ThingPark.
- The application servers communicate only with the home network, removing the complexity of integrating with multiple network back-ends.
- Roam-in opens up your RAN to serve foreign devices belonging to your agreed roaming partners, besides your own devices.
- Roam-out allows your own devices to be served by foreign gateways belonging to your agreed roaming partners.
Reliable Multicast (RMC) and Firmware Update Services
- Firmware Update Over the Air (FUOTA): Remote update of the device firmware using multicast mode.
- General-purpose multicast: Efficient management of multicast mode by supporting application-layer configuration of the multicast group/session parameters via ThingPark RMC-Server.
- Note: Standard Multicast is supported off-the-shelf, whereas Reliable Multicast (RMC) and FUOTA services require a separate RMC server provided as an option.
Network Geolocation
- A sophisticated geolocation algorithm supporting a combination of TDoA and RSSI triangulation techniques to leverage the strength of both methods and improve the overall location accuracy.
- TDoA-based geolocation: Location estimation using triangulation algorithms based on the time of arrival and received signal characteristics of uplink frames at the receiving base stations. Only relevant when fine-timestamps are generated by the base station (valid for both Semtech's v2 and corecell reference designs) with nanosecond accuracy.
- RSSI-based geolocation: Location estimation is based on the received signal strength level. Valid for any base station model (even when GPS/fine timestamp is not available) but has less accuracy than TDoA mode.
State-of-the-art OSS, LoRaWAN® Network Server and Gateways components
Discover how ThingPark Enterprise addresses LPWAN state of the art with the following main components: