Network settings

From SpinetiX Support Wiki


This page is related to the Control Center interface present on DiVA, HMP300 and HMP350 devices. For older models, see this page.

"Warning!"
It is not recommended to have the player connected directly to the Internet as it does not have a firewall.
See the Network access page for more information about remote access alternatives.

Description

The "Network" page of HMP Control Center allows configuring different network-related settings, grouped within the sections detailed below.

IP Configuration


In this section, you can find details about the current IP configuration and change that configuration as follows:

  • DHCP (default).
    The device has an IP address assigned by the DHCP server on the network.
    If no DHCP server is found, the player uses an auto-configured IP in the range 169.254.1.0-169.254.254.255.
  • Fixed IP.
    The user must specify the IP settings.
    Although only the "Address" and the "Netmask" fields are mandatory, the "Gateway" and the "DNS" fields should also be entered for the player to be able to access the Internet and to resolve domain names (for instance, to update the firmware or get RSS feeds).


Note:
In case of problems connecting to the player, see this troubleshooting section.

HTTP Proxy

See also the Proxy settings page.


In this section, you can configure the proxy settings used by the player to connect to the Internet. To do so, follow these steps:

  1. Enable "Use Proxy" option.
  2. Enter the server hostname address (without the http part) and the port.
  3. Enable / disable bypassing the proxy server for local addresses.
    When enabled, the player first queries the hostname to find the corresponding IP address and then checks whether that IP address is located in the same subnet (according to the subnet mask); if so, the proxy is bypassed, otherwise (the IP is external or the hostname cannot be resolved) the proxy is used.
  4. Enter the username and password.
    Note that the HMP supports only basic and digest authentication mechanisms.
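
The bypass rule from step 3, written out as an added example (this is not SpinetiX code) so that an administrator can predict which destinations will pass through the proxy and which will be contacted directly. The function names, the injectable resolver, and the sample hostnames and addresses are constructed for illustration; treating a disabled bypass option as "always use the proxy" is an assumption.

```python
import ipaddress
import socket


def resolve(hostname):
    """Return an IPv4 address for hostname, or None if it cannot be resolved."""
    try:
        return socket.gethostbyname(hostname)
    except OSError:
        return None


def use_proxy(hostname, player_ip, netmask, bypass_local=True, resolver=resolve):
    """True if the request goes via the proxy under the rule described in step 3."""
    if not bypass_local:
        return True  # assumption: with the bypass option off, everything is proxied
    resolved = resolver(hostname)
    if resolved is None:
        return True  # hostname cannot be resolved: the proxy is used
    subnet = ipaddress.ip_network(f"{player_ip}/{netmask}", strict=False)
    return ipaddress.ip_address(resolved) not in subnet  # same subnet: bypass


# Constructed sample DNS answers (hypothetical names, example addresses).
SAMPLE_DNS = {
    "cms.intranet.example": "192.168.10.20",
    "nas.branch.example": "192.168.11.5",
    "feeds.example.org": "203.0.113.7",
}


def sample_resolver(hostname):
    """Offline stand-in for DNS; unknown names behave as unresolvable."""
    return SAMPLE_DNS.get(hostname)


def routing_plan(hostnames, player_ip, netmask, resolver=resolve):
    """Map each hostname to 'proxy' or 'direct' for a given player IP configuration."""
    return {
        h: "proxy" if use_proxy(h, player_ip, netmask, resolver=resolver) else "direct"
        for h in hostnames
    }


if __name__ == "__main__":
    hosts = list(SAMPLE_DNS) + ["unknown.invalid"]
    for mask in ("255.255.255.0", "255.255.254.0"):
        print(mask, routing_plan(hosts, "192.168.10.50", mask, sample_resolver))
```

Because "local" here means "in the same subnet as the player", the configured netmask, not the private address range, decides which internal hosts show up in the proxy logs.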

Trusted Certificates

This section was named "HTTPS" prior to 4.2.0 firmware.

Trusted certificates are used to verify the authenticity of servers to which the player connects via secure HTTP (https). The player already has a built-in database of the root certificates of public certification authorities, matching those in web browsers. You only need to add extra root certificates if the player needs to connect to servers that use a certificate delivered by a private, or enterprise internal, certification authority. It may also be required if the player needs to access secure sites via a firewall with SSL inspection enabled.



In this section, you can upload additional root certificates to be trusted by the HMP, and you can enable / disable the full verification of HTTPS certificates.

  • To upload a new certificate, click the "Add Trusted Certificates" button and select the certificate file.
  • To view a certificate's information, click the i button.
  • The root certificate of the active server certificate is automatically added to this list; by default, this is the player's auto-generated self-signed server certificate ("_auto_self_signed"). If you activate another server certificate, the list is automatically adjusted with the corresponding root certificate.


Warning: Disabling the full verification of HTTPS certificates renders all secure HTTP (https) connections insecure and vulnerable to man-in-the-middle attacks, thus this should only be used for testing and diagnosis, never in a production environment.


"Technical note"
The auto-generated self-signed server certificate ("_auto_self_signed") cannot be used as a certification authority, but only to verify internal connections to the player's embedded HTTP server. This is because the basic constraints extension of this self-signed certificate is not set; following RFC 3280, the certificate therefore cannot be used to verify any other certificate.

Server Certificates

Added in firmware 4.2.0.

Server certificates are used to secure connections to the player’s embedded web server, to access the player web interface via a browser and publish content. Several such certificates can be installed, but only one can be active at any time.


In this section, you can add HTTP server certificates to the device. To do so, follow these steps:

  1. Click the "Add Server Certificate" button. The wizard dialog appears.
  2. Enter the certificate name, then click "Next".
    This name is used to identify the certificate in the interface and by the <active-certificate> command. It must be between 4 and 32 characters long and contain only numbers, letters and any of the following characters: “.@_”.
  3. Select the certificate format: either "PEM files" or "PKCS#12 file".
  4. Click the "Select File" button(s) to upload the certificate file(s).
    • If "PEM files" format is selected, you need to upload the certificate, certificate private key, and (optionally) the certificate chain files individually; otherwise, you need to upload the pfx / p12 file containing the bundle of certificate, private key and certificate chain information.
    • The certificate chain represents all the certificates from the certificate itself up to the root CA. This is necessary so that the embedded HTTP server can hand out a complete chain to the client, otherwise the verification might fail when the client does not have all the intermediate certificates, even if it has the root certificate.
  5. Click "Next".
  6. Enter the passphrase used to encrypt the certificate private key, if necessary.
  7. Click "Submit".


Notes:
  • To activate a certificate, click the button under the "Active" column. The currently active certificate is shown with a check sign over that button.
  • To view a certificate's information, click the i button next to it.


"Technical note"
The device comes with an auto-generated self-signed certificate, named "_auto_self_signed" - this is, by default, the active server certificate. It is valid for the following CName: spx-hmp-[serial], spx-hmp-[serial].local, where [serial] is the player serial number.

Server Security

Added in firmware 4.2.0.


In this section, you can control whether the player web server accepts insecure HTTP connections.

  • Server access
    The possible values for server access are:
    • Allow insecure HTTP (default)
      Both secure and insecure HTTP connections are possible.
    • Redirect insecure HTTP to secure HTTP
      All insecure HTTP connections are automatically redirected to secure HTTP.
    • Disable insecure HTTP
      Insecure HTTP connections are disabled. The player will not respond on port 80.

By default, all players accept insecure HTTP connections to the web interface.

UPnP


In this section, you can control whether SSDP / UPnP discovery is enabled in the player.

  • Enable SSDP / UPnP
    Enable SSDP / UPnP discovery of the player


Note:
This setting is enabled by default on all players.

Network Watchdog


This section is present only on HMP300 and HMP350.

The Network Watchdog is activated if either of the two conditions is set to a value other than 0 (0s by default). Both parameters can be configured using a time defined in seconds (e.g. 10s), minutes (e.g. 10m) or hours (e.g. 1h).

  • When activated, the HMP will reboot if one of the conditions is no longer valid. Link-local (i.e. Zeroconf) addresses are not taken into account.


SNMP


This section is present only on HMP300 and HMP350.

In this section, you can configure the SNMP settings of the player. The HMP supports SNMP version 2c (with read-only access), does not generate SNMP traps and runs Net-SNMP 5.4 (fully patched).

By default, access to SNMP is disabled (closed); it can be opened to a specific IPv4 address range or opened without restrictions (IPv6 is accepted in this case), and can be accessed via UDP and TCP.

For the list of MIBs that the HMP makes available, see SNMP monitoring page.

Port Security


This section is present only on HMP350.

In this section, you can control whether the secondary network port is disabled.


Note:
The secondary network port is enabled by default on all players.

This page was last modified on 31 May 2017, at 14:37.