Tunnelling between the java applet and the ISY


evarsanyi

I've been trying to access the ISY remotely and find that a simple TCP tunnel isn't good enough. I can make the connection on my port (16565) via an ssh tunnel (-L16565:isy:16565) by going to http://127.0.0.1:16565/0/p. It even loads up the applet, but the applet then appears to try to establish another inbound connection using the ISY's own notion of its address (i.e., not knowing about NATting taking place). After a timeout I get 'XML parse error http://192.172.252.77:16565/0/d.xml' (that IP is my 'inside the NAT' address that the ISY knows itself at).

 

I've also tried a SOCKS5 and Squid proxy, but the Java stack (in this case on a Mac) seems to ignore the Firefox proxy settings and try to connect directly.

 

Is there any way to tell the applet to use a proxy or tunnel rather than asking the ISY over the initial connection what its own address is? Even if I could open up a single outside IP and forward the port through, how would the ISY know that I was using NAT and answer with the correct outside address only when contacted from the outside?

 

I have a workaround (I run a browser local to the ISY via a VNC session, which tunnels easily), mostly this is a query if there is something configurable in this area rather than a feature request (I suspect not too many people would care about tunnelling through SSH or another similar VPN).

 

Thanks,

-Eric

 

Boring network details that motivate this:

 

I can't easily expose a single port on a single IP through my firewall -- my network is multi-homed (I have 2 internet connections) yet I do not participate in BGP or have my own ASN so I end up with different external IP address ranges on each ISP's connection. My firewall (iptables based) is set up to variably NAT and dynamically route traffic to either connection based on per-connection rules (what machine is the source of the connection, the TCP/UDP port it's originating from, the load status of the ISP interfaces). The upshot of all this unfortunate complexity is machines on the inside believe there is 1 default router and have only 1 IP address -- except for machines that must accept inbound traffic, these machines must be able to run on two different virtual subnets so the firewall/NAT state can figure out which ISP to use when response packets are sent back.

 

I own the class C 192.172.252 and used to advertise it via BGP, when I went to a natted solution I just didn't change my internal nets to use a 10 or 192.168 range.

Link to comment
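
A check for the failure described in the post above, as an added example that is not part of the original thread or of UDI's code: it scans a document fetched through a tunnel for absolute URLs that point anywhere other than the tunnel endpoint, since a remote client following them leaves the tunnel and connects directly. The XML sample is constructed and is not the ISY's real description format; `endpoint`, `classify` and `audit` are hypothetical names.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: a device advertising its own inside-the-NAT address.
SAMPLE_DESC = """<?xml version="1.0"?>
<root>
  <URLBase>http://192.172.252.77:16565/</URLBase>
  <controlURL>http://192.172.252.77:16565/0/d.xml</controlURL>
  <presentationURL>http://127.0.0.1:16565/0/p</presentationURL>
</root>"""


def endpoint(url):
    """Return (host, port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS[parts.scheme.lower()]
    return (parts.hostname or "").lower(), port


def classify(url, tunnel_url):
    """Say whether a URL rides the tunnel or forces a direct connection."""
    host, port = endpoint(url)
    if (host, port) == endpoint(tunnel_url):
        return "via-tunnel"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "direct-hostname"
    # An inside address need not be RFC 1918 (the first post uses
    # 192.172.252.x internally), so both cases are reported.
    return "direct-private" if ip.is_private else "direct-public-range"


def audit(tunnel_url, body):
    """Map each absolute URL in body that bypasses the tunnel to its class."""
    findings = {}
    for url in URL_RE.findall(body):
        findings.setdefault(url, classify(url, tunnel_url))
    return {u: c for u, c in findings.items() if c != "via-tunnel"}


if __name__ == "__main__":
    for url, kind in audit("http://127.0.0.1:16565/0/p", SAMPLE_DESC).items():
        print(f"{kind:20} {url}")
```
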

Eric,

 

Sorry for the delay in my reply. I missed the "unanswered" posts.

 

There's a separate URL to access ISY: simply replace the /p at the end with /x (for external). So, to access your ISY remotely, simply use:

http://your.isp-ip.address:ISY_PORT/0/x.

 

Please let me know if this solves your problems. Also, if you do have a UPnP enabled router, ISY can automatically configure your port forwarding (File->Enable Internet Access). And, to figure out what's your remote access URL, you can simply go to Help->About.

 

With kind regards,

Michel

Link to comment
  • 3 years later...

I am having the same issue.

 

I am tunneling into my home from outside.

 

My external browser is set up with a SOCKS proxy, and I PuTTY from the external machine into my home's ssh server.

 

I access several web servers within my home this way today...and want to do same with the ISY.

 

Unfortunately, I get the main java applet screen (light blue window), and it hangs with XML parser errors...etc.

 

Here are the URLs that I tried with no success:

 

http://192.168.1.101/admin

 

http://192.168.1.101/admin/0/x

 

Did I miss something here?

 

thx in advance!

Link to comment

Version 2.8.13

 

Local access to the Java stuff:

 

http://192.168.1.101/admin

 

When I am remote, I use a PUTTY socks proxy to inside the home and the remote browser looks just like I am in my house, so the URL is identical:

 

http://192.168.1.101/admin

 

Do this now to about three or four machines in my home (web servers, VNC, etc.). Have no problems with access to these servers in home from outside.

 

thx in advance....

Link to comment

Thank you.

 

Please do the following:

1. Upgrade to 2.8.15

2. On your remote desktop, go to http://www.universal-devices.com/99i/2.8.15/admin.jnlp

3. In ISY Finder, click on the Add Button and then enter your URL (http://192.168.1.101) ... without the "admin" part

4. Let me know if ISY Finder finds your ISY. If so, double click on it and let me know if you are still getting errors

 

With kind regards,

Michel

Link to comment

OK...

 

Upgraded to 2.8.15

 

Outside home, verified that my PUTTY/socks connection into home can access any internal web servers and any port.

 

Accessed the UDI web site applet to automatically find my ISY.

 

It did this with no problem, but threw the same two faults after loading the blue admin page:

 

Socket Open Failed java.net.SocketTimeoutException

 

XML Parse Error http://192.168.1.101:80/desc

 

Here is some more detail on how I get connected into my home. This is pretty standard stuff.

 

I can use both Firefox and Internet Explorer on the remote machine. I set up a manual proxy in the browser's application settings as follows:

 

I set up a Socks Host on my remote machine (127.0.0.1) on port 7070

 

Now any URL/port that I type on my browser's URL line will stay on my machine and get sent to port 7070 (with the real URL/port encapsulated).

 

I run PUTTY on this remote machine that looks for any traffic on port 7070 locally. Anything that ends up here is sent to my home thru home router on port xxxx that I have forwarded and direct to an ssh server in my home.

 

That ssh server in my home unencapsulates the real URL and port and makes the request. I can access external web sites, or any machine in my home this way from outside the home.

 

This means that ANY application (not just the browser) on my remote machine that does a socks encapsulation of the real destination URL/IP and port and sends to 127.0.0.1 port 7070 will get routed thru.

 

Suspect that the Java Applet ignores the proxy configuration in the browser and is attempting a direct connection to the entered URL.

 

This the initial "blue page" for the admin page loads as html, and the java applet gets hung at this point.

 

Although this seems complicated, it really beats forwarding a ton of unsecure ports into my home from outside. I only forward one port to the ssh server, and I can access anything from the outside securely encrypted.

 

From my android phone, or PC, I can make this ssh connection. I port my personal email (thunderbird) thru this, and feel confident accessing my email anywhere.

 

thanks again for trying to help.

Link to comment

Quick update:

 

My unnecessarily verbose post caused me to rethink this.

 

I do not need to use a dynamic socks connection to make this work....I can use putty to make a simple remote port forward (if ISY only uses one port).

 

So in my remote browser, (no proxy setup at all), I type this in my URL:

 

http://127.0.0.1:5750/admin (I picked an arbitrary unused port number)

 

And on the same remote browser machine, I set up PUTTY to do a local port forward ( -L 5750:192.168.1.101:80 .....) that forwards thru my home ssh server to port 80 on the ISY.

 

Works great!

 

So I think it is confirmed that the java applet is not aware of proxy settings in the browser. Doesn't seem like there is a standard way to do this generically across different browsers (I.E., Firefox, Opera, etc.).

 

I can live with the simple port forward method, for sure.

 

thx.

Link to comment

Yes, Michel,

 

Current settings are direct to my machine (127.0.0.1) on a port I picked (5750). I then use Putty to do a port forward to the inside of my home to the ISY: 192.168.1.101 port 80. Works great.

 

As I do move back and forth between proxy and no proxy on my browsers, changing settings in two places...the browser and the Java console is too much of a hassle. I am happy with the simple port-forward method detailed above.

 

However, to close this topic out for anyone looking in the future to employ a proxy to gain access, I did attempt a socks proxy connection.

 

I set both the browser and the Java Settings (thru Control Panel) to a socks proxy of 127.0.0.1 and port 7070. Again, PUTTY on same machine listens to port 7070 and forwards the request with encapsulated URL/IP and port number to an SSH server within the home.

 

Unfortunately, I was not able to get a successful connection into the ISY. I get the admin blue-page with headings, then I get the socket/XML errors identical to the one I detailed above.

 

I tried to clear the java cache, but get same result.

 

In any case, thx for your help here Michel.

 

On an offhand topic (that doesn't belong in this thread)....... the only good I can see between the Oracle/Google lawsuit is if Android would truly support true Java including Java browser support. It is such a shame that such a powerful paradigm (Java Applets) is not supported in any handheld nor tablet OSes. How did Java lose its way on this?

Link to comment

Edit update:

 

When playing with PROXY settings outside of home, I changed both the browser and the Java control panel proxy setting to match.

 

Unsuccessful, I tried to return to no-proxy operation (both in Home and Outside of home) and received error message below.

 

I just discovered that I had forgotten to eliminate the Java proxy settings (only eliminated the browser proxy settings), and that was the cause of the problem and message below.

 

I leave this post and message here in case someone in future does same stupid thing.

 

 

isyexception.jpg

Link to comment

Sorry for the cryptic post above.

 

To clarify, changing the proxy settings in the Java "Control Panel" settings did not fix the original problem.......get XML and Socket error messages.

 

I have tried it several times, different browsers, clearing java and browser caches, rebooting. I have tried some different proxy settings too (I am only changing the "Socks" advanced setting to 127.0.0.1 port 7070...just like the browser settings)

 

The post above was a premature whine about not being able to get back to the ADMIN ISY page even in the home and no proxy. I just discovered that I had not returned my Java control settings to eliminate the proxy (sorry bout that).

 

Everything works fine in home now.

 

Outside home I use simple port forward with PUTTY-SSH and no proxy settings in browser or java control panel, and it works great.

 

But cannot get socks proxy to work outside of home (adding proxy info in both browser and control panel).

Link to comment

Archived

This topic is now archived and is closed to further replies.