eKeypad ISY over the Internet

[vbPhil]

I've been using eKeypad, v2.24.0, with my ISY 994i, v4.3.26 over my home network for years without any problems. I'd like to set them up so that I can do the same over the Internet.

 

Is there a tutorial somewhere that explains the best practices for doing this?

 

I've Googled the question but I'm not finding a definitive explanation for the ISY and eKeypad working together. I'm not interested in opening up the ISY for use with the Admin console or browser remotely. I'll only be using the eKeypad app on my iPhone from the Internet.

 

If i open up the ISY to the Internet I'd like it to be secure in that most hacking would be prevented.

 

Some of my questions are

1. Do i use HTTP or HTTPS protocol.
2. Do i have to mess with security certificates
3. UDP or TCP on router settings for port forwarding
4. Port forwarding or DMZ on my router
5. eKeypad - should I use failover settings?

thanks for any help someone might have.   -phil

 

[jerlands]

I don't have eKeypad but I've located instructions on ekeypad.net for setting up remote access (the initial link I tried failed and I had to follow "Help > How To and scoll a couple pages to find it.)

 

Also a couple threads on Cocoontech.com discuss remote access here and here.

 

Hope that helps...

 

 

Jon...

[vbPhil]

I don't have eKeypad but I've located instructions on ekeypad.net for setting up remote access (the initial link I tried failed and I had to follow "Help > How To and scoll a couple pages to find it.)

 

Also a couple threads on Cocoontech.com discuss remote access here and here.

 

Hope that helps...

 

 

Jon...

 

Thanks for the help Jon. i actually had that much working already as it's pretty straight forward. I was feeling a little concerned about opening up a port to the Internet and placing my home network at risk. That's where i wasn't sure if I should be using HTTPS since I see a setting for that on the eKeypad and I'm not sure how to set that up.

 

-phil

[apostolakisl]

Don't have the app, but here are some comments.

 

1) Don't put ISY in the DMZ.  That opens up all ports to it

2) I am quite sure TCP is the protocol that it uses.  UDP is typically for streaming data where packet loss is tolerated.  Though I don't see any harm in clicking on both.

3) Use https or all your communications will not be encrypted (including password)

4) You shouldn't need to purchase a certificate.  You trust your own network is not a scam.

[vbPhil]

I've set up the ISY on ports 1025/1026 for http and https. Everything works fine from eKeypad when I'm on my home network. When I switch WiFi off on my iPhone and use Verizon 4G I can no longer connect between eKeypad and the ISY. I tried changing the IP address in eKeypad to what my router's Internet IP is and I've configured port forwarding on ports 1025 and 1026. Is it possible that Verizon is blocking ports on their 4G data plans?

[apostolakisl]

Verizon wouldn't block an outbound port.  If anybody blocked you it would be your home ISP, but they wouldn't block those ports.  They might block port 80 to prevent you from hosting a website.

 

I would not forward the non-secure port at all. 

 

If you can access it locally but not from the internet, then you must either be using the wrong public IP, or have the port forwarding setup wrong.  Did you click the "apply" button on your router setup page.  Most of those routers tend to make it seem like you actually made a setting, but then you still have to hit an additional apply button and often times that causes the router to reset.

[vbPhil]

Verizon wouldn't block an outbound port.  If anybody blocked you it would be your home ISP, but they wouldn't block those ports.  They might block port 80 to prevent you from hosting a website.

 

I would not forward the non-secure port at all. 

 

If you can access it locally but not from the internet, then you must either be using the wrong public IP, or have the port forwarding setup wrong.  Did you click the "apply" button on your router setup page.  Most of those routers tend to make it seem like you actually made a setting, but then you still have to hit an additional apply button and often times that causes the router to reset.

 

I'm pretty sure I'm setting everything up okay. As a test I used Safari on my iPhone with WiFi turned off and entered in my Internet IP at the secure port of 1026 and Safari pulled up a secure connection to my ISY at home. It's just with eKeypad that things don't work.

 

When I use the same information in eKeypad on my iPhone I'm getting an error message in eKeypad when I save the configuration that says: ISY Validation Error  The Internet connection appears to be offline. There must be something in eKeypad that I'm missing. I'm setting the Network Address to my Internet IP, Port Number to 1026 and I select Https.

 

eKeypad works if I turn on the iPhone WiFi set the Network Address to the ISY internal IP, using the same port 1026 and the https protocol.

 

It seems like when I turn the phone's WiFi off eKeypad complains that there's no Internet connection.

[apostolakisl]

Since you can access your isy over 1026 from another application outside of your lan, then indeed you have everything configured correctly as far your routing is concerned.  The issue must be with how you are configuring ekeypad.  I'm afraid I can't help you there as I don't have that app.

 

I would still recommend you stop forwarding the non-secure port to ISY.

[cyberk]

I've been using ekeypad for a very long time. 

 

At first, I openned the ISY ports through my router and connected that way.

Later on I became concerned with security, so I dropped port forwarding and use VPN.

 

Now, I'm using the ISY Portal and I'm in love with it, no port forwarding, no VPN and enhanced security and you can't beat the price!

 

I can also create multiple accounts on the ISY portal so that people in the house don't have to share the same credentials on ekeypad. If you change your router you don't have to worry about port forwarding settings because, none are needed. 

 

ps: the ekeypad developer is very responsive to questions and emails, he's constantly fixing bugs and adding new features. There's a rather annoying bug right now that won't update the status of ISY devices after they've been switched on/off, hopefully he'll fix that soon!

[vbPhil]

I've been using ekeypad for a very long time. 

 

At first, I openned the ISY ports through my router and connected that way.

Later on I became concerned with security, so I dropped port forwarding and use VPN.

 

Now, I'm using the ISY Portal and I'm in love with it, no port forwarding, no VPN and enhanced security and you can't beat the price!

 

I can also create multiple accounts on the ISY portal so that people in the house don't have to share the same credentials on ekeypad. If you change your router you don't have to worry about port forwarding settings because, none are needed. 

 

ps: the ekeypad developer is very responsive to questions and emails, he's constantly fixing bugs and adding new features. There's a rather annoying bug right now that won't update the status of ISY devices after they've been switched on/off, hopefully he'll fix that soon!

 

I'll check it out. Do I use the eKeypad app with the ISY Portal or do they have their own user interface? Also, where do I study up on it? I don't see any mention of it on the Universal Devices home page.

[cyberk]

You can create a portal account here
https://my.isy.io/index.htm

 

You can purchase the portal by logging into the ISY Admin Console and going to Help - Purchase Modules

More instructions here: http://wiki.universal-devices.com/index.php?title=Main_Page#ISY_Portal.2FAmazon_Echo.2FIFTTT

 

Once you register for the portal and set everything up, you can use the following information in ekeypad to access your ISY

Network Address: my.isy.io

Port Number: 443

HTTPS

ISY Username: portal username

ISY Password: portal password

 

Done!

[vbPhil]

You can create a portal account here

https://my.isy.io/index.htm

 

You can purchase the portal by logging into the ISY Admin Console and going to Help - Purchase Modules

More instructions here: http://wiki.universal-devices.com/index.php?title=Main_Page#ISY_Portal.2FAmazon_Echo.2FIFTTT

 

Once you register for the portal and set everything up, you can use the following information in ekeypad to access your ISY

Network Address: my.isy.io

Port Number: 443

HTTPS

ISY Username: portal username

ISY Password: portal password

 

Done!

 

You sold me. I'm all paid up and running the ISY Portal. Pretty slick. Thanks for letting me know about this.

-phil

[cyberk]

No prob, it really sells itself, and the price is cheaper than other portal services. Now I just need to find something similarly good and cheap for my Elk M1 system.

 

Ps: the portal now gives you free network module and seamless integration with Alexa (Amazon echo) and IFTTT

 

 

Sent from my iPhone using Tapatalk

[vbPhil]

I thought maybe i spoke too quickly. I turned off WiFi on my iPhone and eKeypad wasn't working with the ISY Portal I just set up. Then it dawned on me to check the iPhone settings under Cellular. It turns out that Use Cellular Data for eKeypad was shut off. No wonder it couldn't find the Internet through a 4G connection. That was my problem all along. Stupid me.

[apostolakisl]

The isy portal is running Dynamic DNS, which is nice if you don't want to remember a number or if the number changes often.

 

You already did all the other work with port forwarding and stuff, so that part isn't helping you out.  My assumption is that ISY portal keeps the port alive on your router by regularly pinging the UD server.  When you use the ISY portal as the destination of your ekeypad traffic, the ISY portal forwards it through to your ISY.  In this way, your router at home sees all traffic from the ISY portal (and thus ekeypad) as solicited response to the pings and sends them along to ISY.

[cyberk]

Apos: you're completely off target.

 

 

Sent from my iPhone using Tapatalk

[apostolakisl]

Apos: you're completely off target.

 

 

Sent from my iPhone using Tapatalk

 

Perhaps I am wrong, or not, I don't know.  Since you have offered nothing more than a rather curt response, I did a little research and it would appear to be a viable method.

 

From https://technet.microsoft.com/en-us/library/cc756722(v=ws.10).aspx

 

 

Because the number of mappings that can be established is limited by the number of available 16-bit TCP and UDP ports, the NAT driver must eventually delete the dynamic mappings that it creates in order to free up port numbers for use in new mappings. A dynamic mapping entry remains in the mapping table for the length of time that the administrator specifies on the Translation tab for the properties of the NAT/Basic Firewall component in the Routing and Remote Access snap-in. Routing and Remote Access NAT, by default, uses the RFC 1631 recommended timeouts of 24 hours for idle TCP mappings and 1 minute for idle UDP mappings.

 

So it would seem that the dynamic NAT table entry is typically held for 24 hours on a TCP connection, meaning that a packet once a day would keep the route open.  A packet once per hour would take virtually no resources and quite redundantly hold the route in the NAT table.

 

Since most people have dynamic IP addresses, it must be functioning as an application specific dynamic DNS.  Unless it requires you to use your current IP address, which it would seem is not the case.

[cyberk]

I don't even know what it is you're talking about anymore.

 

The way the portal works has nothing to do with dynamic DNS.

 

I believe you're looking at the "end result" of the portal and the "end result" of dynamic dns/port forwarding and thinking that since both essentially accomplish the same thing, that they must be doing the same thing. This is simply not true.

 

Let's use the analogy of a home and a trip to a foreign destination. Let's pick Disney Orlando!

 

With dynamic DNS and port forwarding, let's take Orlando to be "you, the user on the Internet" and your house to be "the ISY and your home address to be your "dynamic DNS address". In this scenario, a bus driver from "Orlando" drives to your "house", which it knows how to get to via your "address" The driver gets out and walks in to your unlocked front gate, knocks on your door and picks you up and takes you to Orlando.

 

Key points:

1. Orlando goes directly to you via your address (dynamic DNS)

2. The driver gets through your unlocked front gate (your open port on your router/firewall, which also means anyone in the world can walk through your front gate and knock on your door)

3. The driver knocks on your door, (authenticates with ISY, and the rest of the world can sit there and try to brute force your username/password or use some sort of 0day vulnerability to get in)

4. Picks you up and takes you to Orlando (establishes an inbound link between you and the ISY or a hacker who really wanted to, takes your home automation for a ride)

 

With the portal:

You're already at Orlando and your house puts wings on and flies to Orlando. Your door and gate are locked, no one can get in.

 

Key points

1. Your ISY connects and stays connected to the portal service, via an outbound connection. Meaning you don't need to open ports. As a matter of fact, if anyone tries to establish an inbound connection to whatever port you're using on the ISY, they won't get passed your firewall/router. As an example, just because you browse the web on port 80, it doesn't mean servers can now ping your computer on port 80. Inbound connections are not the same thing as outbound connections.

2. If you want to connect to your ISY, you go through the portal. Meaning you connect to the portal too! Once you're in the portal and your ISY are in the portal, you guys can see each other and talk to each other.

3. No other service or person can access your ISY directly. Your ISY is completely hidden from the world. The only way to your ISY is through the portal.

4. Your only weak spot is the portal, should someone hack the portal, you're screwed...but we rely on UDI to secure that for us.

 

So in the end, dynamic DNS and port forwarding enables you to access your ISY remotely. The portal also enables you to access your ISY remotely. But they both do it in completely and separate ways.

 

Extreme circumstances aside, the portal is network agnostic, meaning you don't need to configure any inbound port forwarding or dynamic DNS to find your ISY. As long as your ISY has an Internet connection, you can connect to it.

 

The portal is secure because random hackers doing open port checks won't find your ISY (shodan.io is a search engine to find Internet of things devices with open ports)

 

The portal is awesome because it allows things like Amazon Alexa Connected Home Calls, more secure IFTTT calls, more secure ISY usernames and passwords, MULTIPLE ISY usernames and passwords.... and....it gives you the networking module for free!

 

PS: I acknowledge I could have picked a better analogy but it's the best I want to do right now...nor did I go back and proof read anything so please excuse obvious mistakes.

 

PPS: Google "define curt", I was not curt, but I was rather terse.

 

 

Sent from my iPhone using Tapatalk

[cyberk]

I'm just waiting for Michel to come in and tell us we're both wrong and the portal works off a flux capacitor.

 

 

Sent from my iPhone using Tapatalk

[apostolakisl]

I don't even know what it is you're talking about anymore.

 

The way the portal works has nothing to do with dynamic DNS.

 

I believe you're looking at the "end result" of the portal and the "end result" of dynamic dns/port forwarding and thinking that since both essentially accomplish the same thing, that they must be doing the same thing. This is simply not true.

 

Let's use the analogy of a home and a trip to a foreign destination. Let's pick Disney Orlando!

 

With dynamic DNS and port forwarding, let's take Orlando to be "you, the user on the Internet" and your house to be "the ISY and your home address to be your "dynamic DNS address". In this scenario, a bus driver from "Orlando" drives to your "house", which it knows how to get to via your "address" The driver gets out and walks in to your unlocked front gate, knocks on your door and picks you up and takes you to Orlando.

 

Key points:

1. Orlando goes directly to you via your address (dynamic DNS)

2. The driver gets through your unlocked front gate (your open port on your router/firewall, which also means anyone in the world can walk through your front gate and knock on your door)

3. The driver knocks on your door, (authenticates with ISY, and the rest of the world can sit there and try to brute force your username/password or use some sort of 0day vulnerability to get in)

4. Picks you up and takes you to Orlando (establishes an inbound link between you and the ISY or a hacker who really wanted to, takes your home automation for a ride)

 

With the portal:

You're already at Orlando and your house puts wings on and flies to Orlando. Your door and gate are locked, no one can get in.

 

Key points

1. Your ISY connects and stays connected to the portal service, via an outbound connection. Meaning you don't need to open ports. As a matter of fact, if anyone tries to establish an inbound connection to whatever port you're using on the ISY, they won't get passed your firewall/router. As an example, just because you browse the web on port 80, it doesn't mean servers can now ping your computer on port 80. Inbound connections are not the same thing as outbound connections.

2. If you want to connect to your ISY, you go through the portal. Meaning you connect to the portal too! Once you're in the portal and your ISY are in the portal, you guys can see each other and talk to each other.

3. No other service or person can access your ISY directly. Your ISY is completely hidden from the world. The only way to your ISY is through the portal.

4. Your only weak spot is the portal, should someone hack the portal, you're screwed...but we rely on UDI to secure that for us.

 

So in the end, dynamic DNS and port forwarding enables you to access your ISY remotely. The portal also enables you to access your ISY remotely. But they both do it in completely and separate ways.

 

Extreme circumstances aside, the portal is network agnostic, meaning you don't need to configure any inbound port forwarding or dynamic DNS to find your ISY. As long as your ISY has an Internet connection, you can connect to it.

 

The portal is secure because random hackers doing open port checks won't find your ISY (shodan.io is a search engine to find Internet of things devices with open ports)

 

The portal is awesome because it allows things like Amazon Alexa Connected Home Calls, more secure IFTTT calls, more secure ISY usernames and passwords, MULTIPLE ISY usernames and passwords.... and....it gives you the networking module for free!

 

PS: I acknowledge I could have picked a better analogy but it's the best I want to do right now...nor did I go back and proof read anything so please excuse obvious mistakes.

 

PPS: Google "define curt", I was not curt, but I was rather terse.

 

 

Sent from my iPhone using Tapatalk

 

Curt.  It's a google away, but here it is  http://www.merriam-webster.com/dictionary/curt

 

Your new answer is not curt since it is not short.  Thanks for dumbing it down.  I guess you didn't understand what I wrote since you said what I said except as a trip to Disneyland. 

 

It is doing dynamic dns via a proxy server.

[cyberk]

You are correct, it's doing dynamic DNS, thank you for your explanation and thank you for your time.

 

 

Sent from my iPhone using Tapatalk

[larryllix]

I don't even know what it is you're talking about anymore.

 

The way the portal works has nothing to do with dynamic DNS.

 

...

With the portal:

You're already at Orlando and your house puts wings on and flies to Orlando. Your door and gate are locked, no one can get in.

 

Key points

1. Your ISY connects and stays connected to the portal service, via an outbound connection. Meaning you don't need to open ports. As a matter of fact, if anyone tries to establish an inbound connection to whatever port you're using on the ISY, they won't get passed your firewall/router. As an example, just because you browse the web on port 80, it doesn't mean servers can now ping your computer on port 80. Inbound connections are not the same thing as outbound connections.

2. If you want to connect to your ISY, you go through the portal. Meaning you connect to the portal too! Once you're in the portal and your ISY are in the portal, you guys can see each other and talk to each other.

3. No other service or person can access your ISY directly. Your ISY is completely hidden from the world. The only way to your ISY is through the portal.

4. Your only weak spot is the portal, should someone hack the portal, you're screwed...but we rely on UDI to secure that for us.

 

......

PPS: Google "define curt", I was not curt, but I was rather terse.

....

Thanks for that analogy, cyberk(urt)

It was awesome and well needed in this cyber world for us thick and slow ( Heintz) guys.

 

I am going to make an analogy  suggestion to see if I am understanding this correctly.

 

"With the portal:

You're already at Orlando and your house puts wings on and flies has an underground tunnel to Orlando. Your door and gate are locked, no one can get in."

 

The only DDNS required would be to access the portal but it has a static IP address, can always be found by ISY (by URL name) and therefore we don't need no stinkin' DDNS.

 

Thanks again for that!

[apostolakisl]

Thanks for that analogy, cyberk(urt)

It was awesome and well needed in this cyber world for us thick and slow ( Heintz) guys.

 

I am going to make an analogy  suggestion to see if I am understanding this correctly.

 

"With the portal:

You're already at Orlando and your house puts wings on and flies has an underground tunnel to Orlando. Your door and gate are locked, no one can get in."

 

The only DDNS required would be to access the portal but it has a static IP address, can always be found by ISY (by URL name) and therefore we don't need no stinkin' DDNS.

 

Thanks again for that!

 

The dynamic dns runs between the proxy server and your ISY public IP.  The proxy server tracks your public IP but only shares that with itself.  The difference from standard ddns is that it gives out your public IP to anyone with the url so they can go directly to it.  With a proxy, the URL goes to the proxy and the proxy tunnels it.

 

The proxy server in concert with ISY has maintained the open port on the router by continuing to pass data back and forth, even when you are not using it.  Your router only knows that it is talking to the proxy and your router only holds the port open to ISY for packets delivered from the proxy.  This info is held in the NAT table on your router.

 

The advantage I see to this is that it could be more secure since your port is only open to traffic from the proxy's IP rather than anyone with your public IP.  However, the proxy server is open to all IP's and could be hacked and if successful then the hacker has a tunnel to your ISY.  My guess is that the proxy server is pretty well protected.  My other guess is that not to many people really want to control your ISY.  But there are certainly nut jobs out there who just hack for the sake of hacking.

[Michel Kohanim]

Hello everyone,

 

I am now completely confused!

 

If you use ISY Portal, then you don't need dynamic DNS for connection to ISY. If you have the ELK Module (on ISY), then eKeypad would communicate through ISY Portal as if it's an ISY (@my.isy.io address). ISY Portal will NOT communicate with m1 cloud as there's really no reason to do so since ISY is communicating with M1 directly on the LAN.

 

All this said, please do be kind enough to unconfused me (curt or otherwise).

 

With kind regards,

Michel

[apostolakisl]

Hello everyone,

 

I am now completely confused!

 

If you use ISY Portal, then you don't need dynamic DNS for connection to ISY. If you have the ELK Module (on ISY), then eKeypad would communicate through ISY Portal as if it's an ISY (@my.isy.io address). ISY Portal will NOT communicate with m1 cloud as there's really no reason to do so since ISY is communicating with M1 directly on the LAN.

 

All this said, please do be kind enough to unconfused me (curt or otherwise).

 

With kind regards,

Michel

 

Michel,

 

Sorry, no one (I think, at least not me) is saying you need a DDNS account.  My point is that the portal is doing the DDNS work for you as it keeps track of any changes to the public IP of ISY.  

 

The issue is the mechanism of how all this works, as we can only speculate for certain having not written the code. 

 

Not sure what the conversation on Elk is about.

 

Lou