
Remote access to ISY-99


clark21236


I have a Belkin router that has automatic updates to dyndns.org so I decided to play with remote access a little bit.

 

I went to dyndns.org and created a hostname. I set up my router to keep my IP address updated.

 

I wasn't completely sure about the port forwarding. I forwarded the TCP port of my ISY-99 (rev 2.6.4) and this didn't work. So I tried port 80 and that worked, but I got some warnings from the admin console about this not being secure because I was not using SSL.

 

So I tried to fumble through the stuff to manage an SSL certificate. What I saw was that I could no longer access the ISY from my internal network without using https. I was able to get in from the outside world without the SSL warning.

 

I then turned off port 80 and forwarded UDP port (my ISY port) and I could get in without problems.

 

My question is, is there some setup info on this? Should I just be forwarding the UDP port in my router? How secure is this from the outside world? Is the username password screen from the new rev 2.6 login secure? How about the admin console username and password, is that secure?

 

Should I be using SSL? And if so, how about some setup help for that? If I use SSL, does that mean it has to be for inside and outside access?

 

Is there a setup guide, or documentation on how to do this?

Link to comment

Clark, there is this about SSL, self signed certificates, and port 443: http://www.universal-devices.com/mwiki/ ... o_Your_ISY

 

For secure remote access, you should be accessing the ISY on port 443 unless some device on your LAN is already using 443. Then follow the explanation about how to change the ISY's secure port to another port.

 

Frankly I don't use simple port forwarding through my router to 443 on the ISY. There are just so many malware probes on 443, I let my router "translate ports and forward" to 443, e.g. external access is on another port, say X443 where X is any value greater than 1 and up to 63, and the router forwards this port access to 443. Your Belkin router may not have this capability, not all routers do. I chose X443 to be a port without any known trojans and other malware.

 

Your LAN access to the ISY can (and probably should for default simplicity) remain on port 80. On the LAN side you would simply access the ISY by its LAN IP.

 

How are you accessing the ISY from the internet? With another broadband connection? You would access it at https://your_dyndns_address:whatever_SSL_port_you_passthrough_your_router. If you aren't using another broadband connection to access the ISY and are trying the SSL port from your LAN, then you are probably running into a loopback situation.

Link to comment

d_l, that's a good idea about changing the incoming port and sending it to 443 internally. I really didn't think that would work here. We used to do that for some sites that had an internal web server, but the DSL provider would block port 80. Might be a good idea to do that here as well.

 

I have a Sprint card for my laptop. I used that to test the access from the outside world.

 

I thought that https always used 443. It seemed to me at the time that using https://your_dyndns_address:whatever_SSL_port would make it choke. You don't have any problem doing it that way?

Link to comment

Clark, https://your_dyndns_address:whatever_SSL_port should work fine. It works fine for me when I set up a second connection dial up or second DSL line to "remotely" access my LAN.

 

I actually have my host name and included port web hopped to something like my_isy.webhop.net. That way I save having to remember the port and have to use just a web address.

 

When you go through web hop frames like that your locked symbol on your browser won't show for the encrypted transfer, but it is still operating.

 

BTW, you really wouldn't have to have your router map in a port like X443 to 443 in the ISY. I used X443 so I could remember more easily what was happening. I have a few of these port remappings in use and things can get confusing a few months later after my memory isn't as fresh. :)

Link to comment

d_l, I had to change my setup slightly to get it to work. I tried using port X443 from the outside world and had my router forward it to 443 on the inside.

 

I couldn't get this to work that way. I made the router forward X443 TCP from the outside to 443 on the inside. I also had to have it forward UDP (my ISY port) from the outside directly to the inside.

 

And then it worked. Strange. My router has a setup for Virtual Servers, so you have to tell it exactly what incoming port or port range in TCP or UDP, and where you want it to go. And by that I mean what IP address inside and what port number or range.

 

The only way I would be able to get mine to work without having the router map port X443 to 443 is to put my ISY in the DMZ. And we don't want to do that.

Link to comment
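
The following is an added example, not part of any post above and not Universal Devices code. It audits a router's virtual-server table against the points raised in the thread: a WAN forward to the ISY's plain HTTP port, the ISY placed in the DMZ, HTTPS left on external port 443, and any further forward that widens exposure. The LAN address, the `Forward` type, the finding codes and the port numbers 21443 and 9999 are constructed for illustration.

```python
from dataclasses import dataclass

ISY_IP = "192.168.1.50"   # assumed LAN address of the ISY (not from the thread)

@dataclass(frozen=True)
class Forward:
    proto: str      # "tcp" or "udp"
    ext_port: int   # port opened on the router's WAN side
    int_ip: str     # LAN host that receives the traffic
    int_port: int   # port on that host

def audit(rules, dmz_host=None, device_ip=ISY_IP):
    """Return (code, ext_port) findings for forwards that reach device_ip."""
    findings = []
    if dmz_host == device_ip:
        # DMZ exposes every port on the device, not only the TLS listener.
        findings.append(("dmz-host", None))
    for r in rules:
        if r.int_ip != device_ip:
            continue  # forward goes to some other LAN host
        if r.proto == "tcp" and r.int_port == 80:
            # Plain HTTP: logins cross the internet without TLS protection.
            findings.append(("cleartext-http", r.ext_port))
        elif r.proto == "tcp" and r.int_port == 443:
            if r.ext_port == 443:
                # Works, but it is the port the thread notes is heavily probed.
                findings.append(("default-https-port", r.ext_port))
        else:
            # Anything besides the TLS listener is extra exposed surface to justify.
            findings.append(("extra-forward", r.ext_port))
    return findings

# Constructed rule sets mirroring two stages described in the thread.
FIRST_TRY = [Forward("tcp", 80, ISY_IP, 80)]
FINAL = [Forward("tcp", 21443, ISY_IP, 443),   # "X443" with X = 21 (constructed)
         Forward("udp", 9999, ISY_IP, 9999)]   # placeholder for "my ISY port"

if __name__ == "__main__":
    for name, rules in (("first try", FIRST_TRY), ("final", FINAL)):
        print(name, audit(rules))
```
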
