Home AMX User Forum AMX Technical Discussion

Remote Access Questions

Our company would like the ability to remotely access our clients systems from our office.

Here is what we are wanting to be able to do:

1.) Connect from our office to a clients system
a.) to be able to perform firmware updates
b.) make panel changes
c.) make programming changes if needed

Is this possible?
Has anyone successfully done this?
What is needed to do this?

Any suggestions or ideas would be great.


Thanks

Chris Ondrovic
H & H Lifestyles

Comments

  • yuriyuri Posts: 861
    sure, all you need is the following:

    for upgrading software and other Netlinx Studio activities, you need to open port 1319 on the client side.
    If you want to use G3 webcontrol, you need to open up port 10500, and for G4 webcontrol it is port 5900 if i'm correct.
    You could open ports 21 and 23 for ftp and telnet access.

    For firmware updates, i think port 1319 is good, but i'm not sure. I'm not a big fan of remote firmware updates...
  • ondrovicondrovic Posts: 217
    thanks will give it a try
  • HedbergHedberg Posts: 671
    If you have an office Netlinx master and it is connected to the internet with port 1319 open and forwarded on your office network, all you really need to do to have access to the customer's remote system is connect the customer's system to the internet and place the IP address or URL of your office Netlinx master in the URL table of the customer's master. All masters connected must have distinct system numbers assigned, I suppose.

    If you do this, the customer's master will find your office master even though port 1319 is not forwarded at the customer's site. Just so long as the customer's system does not block port 1319. The two masters will establish a master-to-master relationship. Anything you can do via master-to-master you will be able to do with the remote system. You will be able to load (or receive) code to the customer's master, you will be able to load IR files to the ports on your customer's master, you will be able to upload and download touchpanel files. I think you will be able to upgrade firmware too, but I have not tried this and before I tried with a customer's installation, I would try it with a test system.

    You can't access the remote system as system 0, so, as far as I know, you can't run debug on the customer's system or access device notifications and the like. You can change the route table, change the time, change device addressing, change the network addressing

    When I first learned of this capability, I was a little surprised because I didn't understand how a Netlinx master could communicate with another Netlinx master that was behind a firewall if the master behind the firewall did not have port 1319 forwarded to it. But, when you think about it, it's not really so different from the way client browsers and web servers communicate using port 80. The browser behind the firewall connects to the server and communication both ways is established with the webserver having all sorts of abilities with respect to the client browser even though the client is behind a firewall and port 80 is not forwarded.

    Now, you can protect the office master from certain types of direct access from the net. But, if you put the master on the net with port 1319 forwarded to it, I don't believe that there is any way to protect that master from being linked up to any other netlinx master via master-to-master communications. Route_mode should probably be set to direct to protect any other master that has master-to-master with the office master from being manipulated from a master other than the office master.
  • viningvining Posts: 4,368
    If at all possible set up a VPN Client Access. It helps if you set up your own networks but if you don't and there are IT guys on site asked the powers that be to allow this access and set it up for you. If you want to do it your self you could do what I do and use Linksys RV series routers. They come complete with VPN client software on the set up disc and if you go into the router's web server for set up, go to VPN it almost as simple as typing your name. You type a name, a password, check enable and save. You don't really need to do anything else inside the router and on your laptop just load the software application. The only thing your to do is make sure your not on the same LAN IP address. I always set up my clients router so that the router is on say 192.168.5.1 and my office router is on 192.168.4.1 that way I'm always assured to be on a different LAN IP.

    You will also need to establish a dynamic dns service. There's modules that can be run on the client master to do this but I prefer to maintain these for clients through a regular paid service provider such DYNDNS.org. I think for $10 US a year you get a block of 20 dynamic hosts which you'll need to set up in the router so I guess that's two things you need to do in there. If you want you can charge the customer an yearly fee for adminstering this service but for $10 a year for 20 customers your talking two cup of Starbucks coffee.
  • DHawthorneDHawthorne Posts: 4,584
    For most systems, I simply use NAT port forwarding on ports 1, 23, and 1319 to the master, and 5900 to the touch panel. If there are multiple masters or panels, it makes life simpler to create a VPN login, but a lot of routers either don't support it, or have such a miserable implementation (like NetGear) that when I can get away with just NAT, that's what I do.
  • viningvining Posts: 4,368
    DHawthorne wrote:
    but a lot of routers either don't support it, or have such a miserable implementation (like NetGear) that when I can get away with just NAT, that's what I do.
    Dave next time you get a chance spec the Linksys RV sereies router for a job and give it a try. It doesn't get any simpler to do Client Access VPN tunnel. Gateway to Gateway is a little more complicated but unless you want to maintain a tunnel for master to master comms why use it. It supports subnetting and VLANS and a bunch of other stuff.
  • DHawthorneDHawthorne Posts: 4,584
    vining wrote:
    Dave next time you get a chance spec the Linksys RV sereies router for a job and give it a try. It doesn't get any simpler to do Client Access VPN tunnel. Gateway to Gateway is a little more complicated but unless you want to maintain a tunnel for master to master comms why use it. It supports subnetting and VLANS and a bunch of other stuff.
    Thanks, I'll take a look at that; unfortunately, I usually get stuck with whatever the client already has and rarely get to actually spec the router.
Sign In or Register to comment.