
Technical notes on the Local IO Bridge in Salto Space

What is the Local IO Bridge?

The Local IO Bridge is a lightweight Windows service developed by Salto that solves a fundamental connectivity problem: the Space server, running on a remote machine, has no direct way to reach USB devices physically connected to a client machine. The Local IO Bridge runs locally on the client machine and acts as a relay, bridging the Space server with USB devices, such as USB NCoders and PPDs.

See System requirements for an introduction to the Local IO Bridge and its role in the Space architecture.

The Local IO Bridge exposes a local REST API to the Space web application running in the browser, which orchestrates the communication. The browser instructs the Local IO Bridge to open a relay connection between the Space server and the USB device, through which the Space server can operate the device directly.

Figure: Local IO Bridge communication

When is it required?

The Local IO Bridge is only needed on machines where a USB device is physically connected.

| Scenario | Local IO Bridge required? |
| --- | --- |
| Client machine with USB NCoder | Yes |
| Client machine with USB PPD | Yes |
| Browser-only machine (no USB device attached) | No |
| Machine using an Ethernet-connected (IP) NCoder | No - IP NCoders communicate directly with the Space server over the network |

Installation

| Item | Detail |
| --- | --- |
| Operating system | Windows 10, Windows 11, or Windows Server 2016 or later |
| Software dependency | .NET Framework 4.8.0 (automatically installed if not present) |
| Installer | Download from the Space web application or from the ..\dist folder |
| Installation | Double-click the installer to run a guided setup wizard. For unattended deployments, silent install is also supported: setup_saltolocaliobridge.exe -quiet -InstallDir="C:\path" |
| Service startup | Starts automatically with Windows and must be running before any USB operation is performed |

Network and firewall considerations

The Local IO Bridge binds only to localhost (127.0.0.1). Its local REST API ports are not accessible from other machines on the network, so no inbound firewall rules are required at the network level.

Local ports (browser-Local IO Bridge)

In default mode the Local IO Bridge randomly selects one HTTP port and one HTTPS port at each startup from the following allowed ranges:

Range
50000—50009
50110—50119
50220—50229
50330—50339
50440—50449
50550—50559
50660—50669
50770—50779
50880—50889
50990—50999

If a localhost firewall is in place, it must allow the Local IO Bridge process to listen on ports within these ranges.

In advanced mode, fixed port numbers can be configured. See section Advanced mode configuration for further details.
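
The following check is an added example, not Salto's own tooling. It lists the TCP listeners owned by the Local IO Bridge service and flags any that are not bound to 127.0.0.1 or fall outside the allowed ranges above. The function name `Test-BridgeListeners` is hypothetical, and the Windows service name is an assumption you must supply, since the page does not state it.

```powershell
function Test-BridgeListeners {
    param(
        # Assumption: the page does not give the Windows service name; pass the one
        # shown in services.msc on your client machine.
        [Parameter(Mandatory)] [string] $ServiceName
    )

    # Allowed ranges from the list above: 50000-50009, 50110-50119, ... 50990-50999.
    $allowed = foreach ($k in 0..9) { $start = 50000 + 110 * $k; $start..($start + 9) }

    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc -or $svc.ProcessId -eq 0) {
        throw "Service '$ServiceName' was not found or is not running."
    }

    # One row per listening TCP socket owned by the service process.
    Get-NetTCPConnection -State Listen -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue |
        ForEach-Object {
            $loopback = $_.LocalAddress -eq '127.0.0.1'
            $inRange  = $_.LocalPort -in $allowed
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                LoopbackOnly = $loopback
                InRange      = $inRange
                Ok           = $loopback -and $inRange
            }
        }
}

# Usage (the service name is a placeholder):
# Test-BridgeListeners -ServiceName '<service name>' | Format-Table
```

In default mode two rows are expected (one HTTP, one HTTPS). Any row with Ok = False means the listener does not match the documented behavior and should be reviewed.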

Outbound connection (Local IO Bridge-Space server)

The Local IO Bridge establishes an outbound WebSocket connection to the Space server on TCP port 8102 (default, configurable). When Space is configured with HTTPS, this connection is secured using WSS with the Space server's trusted CA-signed certificate.

Advanced mode configuration

By default the Local IO Bridge works out of the box with no configuration required: it selects random ports from the allowed ranges and uses its own built-in self-signed certificate for the local HTTPS endpoint. In managed environments, an administrator may wish to:

  • Fix the HTTPS port to a known value, avoiding port scanning by the browser.
  • Use a trusted CA-signed certificate for the local HTTPS endpoint instead of the built-in self-signed one.

Both are configured by creating a file called service.ini in the Local IO Bridge installation folder. The file is read once at startup and the service must be restarted after any change. Only a user with administrator rights can create or modify this file.

If service.ini does not exist, the Local IO Bridge keeps the default behavior.

Port and certificate configuration are independent—it is possible to configure only the port, only the certificate, or both.

Port configuration

| Key | Description |
| --- | --- |
| HttpsPort | Fixed HTTPS port for the Local IO Bridge. Must be within one of the allowed ranges listed in section Local ports. When set, the HTTP port is not opened. |

Certificate configuration

| Key | Values | Description |
| --- | --- | --- |
| HttpsCertManual | 0 / 1 | 0 = use the built-in self-signed certificate (default). 1 = use a certificate from the Windows Certificate Store. |
| HttpsCertStoreName | Store name | Certificate store to search within LocalMachine. Default: My. |
| HttpsCertIdentificationMethod | 0 / 1 / 2 | Method to identify the certificate: 0 = Subject CN, 1 = Subject DN (default), 2 = Issuer. |
| HttpsCertIdentificationMatchValue | String | Value to match against the selected identification method. |
| HttpsCertSelectionStrategy | 0 / 1 | When multiple certificates match: 0 = most recent NotBefore date (default), 1 = latest NotAfter date. |

Certificate requirements when using manual mode (HttpsCertManual=1):

  • Must be signed by a Certificate Authority trusted by the client machine.
  • Must not be expired.
  • Must include IP Address=127.0.0.1 in the Subject Alternative Name (SAN) field, since the Local IO Bridge binds only to localhost.

When HttpsCertManual=1, the Local IO Bridge is accessible over HTTPS only—the HTTP port is not opened.

Example:

```ini
[Https]
HttpsPort=50110
HttpsCertManual=1
HttpsCertStoreName=My
HttpsCertIdentificationMethod=0
HttpsCertIdentificationMatchValue=my-server.comtoso.com
HttpsCertSelectionStrategy=0
```

This configuration fixes the HTTPS port to 50110, uses a certificate from the Windows Certificate Store and identifies it by Subject CN matching my-server.comtoso.com from the My store, selecting the one with the most recent NotBefore date if multiple matches exist.
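
Before restarting the service with HttpsCertManual=1, the certificate requirements above can be checked against the store. This is an added example, not Salto's code: the function name `Test-BridgeCertificate` is hypothetical, it covers identification method 0 (Subject CN) only, and it assumes an exact CN comparison and the English Windows rendering of the SAN extension, neither of which the page specifies.

```powershell
function Test-BridgeCertificate {
    param(
        [string] $StoreName = 'My',                  # HttpsCertStoreName
        [Parameter(Mandatory)] [string] $SubjectCN,  # HttpsCertIdentificationMatchValue (method 0)
        [ValidateSet(0, 1)] [int] $Strategy = 0      # HttpsCertSelectionStrategy
    )
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    # Assumption: exact, case-insensitive CN match; the page does not say how the bridge compares.
    $candidates = Get-ChildItem "Cert:\LocalMachine\$StoreName" |
        Where-Object { $_.GetNameInfo($nameType, $false) -eq $SubjectCN }
    if (-not $candidates) {
        throw "No certificate with CN '$SubjectCN' in LocalMachine\$StoreName."
    }

    # Strategy 0 = most recent NotBefore, 1 = latest NotAfter (as in the table above).
    $sortKey = if ($Strategy -eq 0) { 'NotBefore' } else { 'NotAfter' }
    $cert = $candidates | Sort-Object $sortKey -Descending | Select-Object -First 1

    # Subject Alternative Name extension (OID 2.5.29.17), rendered as text by Windows.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($true) } else { '' }
    $now = Get-Date

    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        NotBefore      = $cert.NotBefore
        NotAfter       = $cert.NotAfter
        NotExpired     = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        # (\D|$) stops 127.0.0.10 and similar from matching.
        SanHasLoopback = $sanText -match 'IP Address=127\.0\.0\.1(\D|$)'
        # Builds the chain with the default policy against this machine's trust stores.
        ChainTrusted   = $cert.Verify()
        # Not listed on the page, but a TLS endpoint cannot use a certificate without its private key.
        HasPrivateKey  = $cert.HasPrivateKey
    }
}

# Usage with the values from the example service.ini:
# Test-BridgeCertificate -StoreName My -SubjectCN 'my-server.comtoso.com' -Strategy 0
```

Every Boolean column should be True before the service is restarted. On a non-English Windows installation the SAN text is localized, so adjust the `IP Address=` pattern accordingly.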

Data handling and privacy

A key property of the Local IO Bridge is that it never has access to the data it relays. All communication between the Space server and the USB device—including any card data and credentials—is encrypted end-to-end using DTLS 1.2 before it enters the relay. The Local IO Bridge only ever forwards encrypted bytes. It has no keys to decrypt the content and cannot read, inspect, or tamper with it in any way.

The Local IO Bridge is a blind relay by design.

Figure: Data handling and privacy

The only data that passes between the browser and the Local IO Bridge—through the local REST API—is non-sensitive control information: port enumeration and relay management commands. No card data or credentials are ever present on this interface.

Security summary

| Aspect | Detail |
| --- | --- |
| Blind relay | The Local IO Bridge cannot read or tamper with card data—it is encrypted end-to-end (DTLS 1.2) between the Space server and the USB device |
| Local REST API | Commands exchanged between the browser and the Local IO Bridge are non-sensitive (port enumeration, relay control). No card data or credentials pass through this interface |
| HTTPS certificate | By default the local HTTPS endpoint uses a self-signed certificate. In advanced mode, a trusted CA-signed certificate from the Windows Certificate Store can be used instead. That certificate must include IP Address=127.0.0.1 in its SAN field |
| WSS connection | When Space is configured with HTTPS, the WebSocket connection between the Local IO Bridge and the Space server uses the Space server's trusted CA-signed certificate |
| Localhost only | The Local IO Bridge REST API ports are bound to localhost (127.0.0.1)—they are not accessible from other machines on the network |
