Toolkit --> CGate: SSH Tunnels?

Discussion in 'C-Bus Toolkit and C-Gate Software' started by Andy@Mandoon, Jan 31, 2005.

  1. Andy@Mandoon

    Hi,

    I have been trying to convince the latest Toolkit beta to connect to CGate remotely via SSH tunnels.

    I have been setting up SSH tunnels for ports 20023, 20024, 20025 and 20026. This works whilst I am on the same network, but fails as soon as I go remote. I get a "timeout" error from Toolkit. The ports were tested using telnet, so the tunnel has been successfully set up, but Toolkit doesn't want to play.

    Duncan, do you have any hints on which ports need forwarding?
    Has anybody else tried this?
    Without doing a full VPN, how do other people securely access network connected installations?

    Many thanks,
    Andy.

    PS. Even within a trusted site this is a very useful way to ensure nobody can "accidentally" access CGate.
     
    Andy@Mandoon, Jan 31, 2005
    #1
  2. JackD

    Is C-Gate set up to accept a remote connection?

    I'm just guessing here but this *may* have nothing whatever to do with secure sockets. Do you have C-Gate set up to accept connections from a remote user? Check out this tutorial and follow the recommendations. http://www.cbusforums.com/forums/showthread.php?t=628 Then try to connect with normal connections first. If all that works then try the secure sockets.
     
    JackD, Jan 31, 2005
    #2
  3. Richo

    Hi Andy,

    The reason it doesn't work for Toolkit is that Toolkit uses the C-Gate secure SSL port 20123.

    From the C-Gate Configuration File.

    #### secure.port-base:
    # Base port number for SSL secured ports
    # Default Value: 20123
    # Scope: global
    # Effective on: restart
    ###
    secure.port-base=20123

    So all COMMAND communications use SSL encryption. Toolkit also connects to the event and load change ports, but these are read only anyway and don't pose a control security risk.

    We haven't done any SSH tunnelling tests, but for Toolkit this is largely unnecessary.

    In a not too distant version of Toolkit (and compatible products) support for user authentication (username and password) will be optionally available to control access to C-Gate.

    I'm not sure what the requirements are for NON CIS software to use the SSL port, or even if that will be possible.

    If you only want to access C-Gate using Toolkit you can safely block the command port 20023.
     
    Richo, Jan 31, 2005
    #3
  4. Andy@Mandoon

    Richo,

    Thanks for the guidance. As soon as I changed the command port to the SSL port, everything started working very nicely. BUT - there always is a but - the successful test was on an Ethernet connection.

    When I attempt to connect from a dialup connection, Toolkit shows signs of getting an initial connection eg "C-Bus Projects" appears in the tree but after a short period I get an error:
    Code:
    Exception 'ECGateCommandTimeOut' in module CBusToolkit1_1.exe at 0012DC1C
    TcgcPPGetUnitSpecCatalog343-Begin XML Snippet
    347-< ?xml version="1.0" encoding="utf-8"? >
    
    Module: CIS_TCGateCommand, Source: CIS_TCGateCommand.pas, Line 539
    Procedure: TThreadCommandSynchroniser.ProcessResponses
    Is this Toolkit not liking the dialup speed (48kbs) connection?

    I am using SSH because I do not want to expose C-Gate to the Internet. So like all other machines in the network, it is firewalled from the Internet and accessed for remote maintenance (hopefully) via SSH tunnelling.

    If dialup is too slow, well that is not a big loss. In the next few days I will arrange another test of the SSH tunnelling from a high speed net connection across the Internet.

    Andy.

    PS. The spaces at the beginning and end of the XML snippet have been inserted by me to stop the Forum software trying to interpret the XML.
     
    Andy@Mandoon, Feb 1, 2005
    #4
  5. Duncan

    Hi Andy,

    I suspect the speed is an issue.. the command that's failing there is a command that retrieves the Catalog of Unit Types, an XML file, from CGate.. not a particularly helpful message however.. I'm sure if we wound the time out for that command things would probably work quite well.. I'll make sure that's done before the next release as I'm sure you're not the only one who will be on the end of a slow IP link at some point.
     
    Duncan, Feb 1, 2005
    #5
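
The tunnel setup discussed in this thread, as an added example that is not from any of the posters or from the C-Gate/Toolkit developers: it builds an OpenSSH local-forward command for the ports named above (20023 to 20026 plus the SSL port 20123), with every listener bound to loopback. The gateway name `user@gateway.example`, the target address and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: forward C-Gate ports over SSH with loopback-only listeners.
# GATEWAY (hypothetical) is an SSH host on the C-Gate network; TARGET is
# C-Gate's address as seen from that gateway (127.0.0.1 if it is the same box).

# Ports named in this thread: SSL port base 20123 plus 20023-20026.
CGATE_PORTS="20123 20023 20024 20025 20026"

# Emit one -L option per port. Binding the local listener to 127.0.0.1 keeps
# the tunnel entrance off the client's LAN interfaces.
cgate_forward_args() {
    target=$1; shift
    args=""
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
        args="$args -L 127.0.0.1:$port:$target:$port"
    done
    echo "${args# }"
}

# Full command line. -N: no remote shell; ExitOnForwardFailure: abort if any
# listener cannot bind instead of running with a partial set of tunnels;
# ServerAliveInterval: keepalives so a dead link is detected.
cgate_tunnel_cmd() {
    gateway=$1; target=$2; shift 2
    fwd=$(cgate_forward_args "$target" "$@") || return 1
    echo "ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 $fwd $gateway"
}

# Print (do not run) the command for the hypothetical gateway.
cgate_tunnel_cmd "user@gateway.example" 127.0.0.1 $CGATE_PORTS
```

With the tunnel up, Toolkit is pointed at 127.0.0.1 on the client, and the firewall in front of C-Gate only needs to admit SSH.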