Network settings

This page is related to the Control Center interface present on all DSOS players. For older models, see this page.

Description

The "Network" page of HMP Control Center allows configuring different network-related settings, grouped within the following sections:

• IP Configuration
• Wi-Fi (HMP400W and iBX400W only)
• NTP
• HTTP Proxy
• Trusted Certificates
• Server Certificates
• Server Security
• Bonjour
• UPnP
• Watchdog
• Logging
• SNMP
• Port Security (HMP350 only)

These sections are further detailed below.

IP Configuration

IP Configuration section

On this section, you can find details about the current IP configuration and you can change that configuration as following:

• DHCP (default).

  The device has an IP address assigned by the DHCP server on the network.

  If no DHCP server is found, the player uses an auto-configured IP in the range 169.254.1.0-169.254.254.255.

• Fixed IP.

  The user must specify the IP settings.

  Although only the "Address" and the "Netmask" fields are mandatory, the "Gateway" and the "DNS" fields should also be entered for the player to be able to access the Internet and to resolve domain names (for instance, to update the firmware or get RSS feeds).

Note:

In case of problems connecting to the player, see this troubleshooting section.

Wi-Fi

 

Applies to HMP400W and iBX410W.

Wi-Fi section

On this section, you can find details about the current Wi-Fi configuration: name (i.e., SSID), security (can be Open, Personal/PSK, or Enterprise), signal strength, and connection status.

• Press the "Refresh" button to update these details.
• Press the "Reconfigure" button to start the Wi-Fi configuration process. This will reset the current Wi-Fi and network configuration.

Note:

When you set up the Wi-Fi in Control Center, you can only select one wireless network; if you need to add more Wi-Fi networks, use the network configurator tool to generate a separate configuration file for each wireless network, and then restore them within Control Center.

NTP

On this section, you can find the player's NTP statistics (see the dedicated page for more details) and the internal clock calibration data, and you can configure up to five NTP servers for the player to synchronize with the Coordinated Universal Time (UTC).

• Server 1, ..., Server 5.

  Enter the IP or hostname address of an NTP server, which can be located on the local network or online.

  The "Monitor only" checkbox on the right-hand side instructs the player to only consult that NTP server, but not actively use it as a time source.

• Pause device at startup to wait for NTP servers by

  Select a delay period from 0 to 150 seconds to increase the player's booting time and ensure that the NTP servers are up and running.

Notes:

• To use NTP servers, you must enable the "Automatic time from Internet (NTP)" option on the System → Date & Time page in Control Center. Also, the network port UDP 123 must be open on the firewall for connecting to external NTP servers.
• By default, the SpinetiX players are configured with a generic NTP servers provided by ntp.org – these are fine for non-synchronous content, but in the case of running time-synchronized content, use one or more of these timeservers of Stratum 1/2 offering the required time accuracy.
• If access to a local/public NTP server is not possible, you can use one player as NTP server for other players. The "Monitor only" and "Pause device at startup..." options are useful for this case.
• For legacy players, see the Date/Time page.

HTTP Proxy

See also the Proxy settings page.

HTTP Proxy section

On this section, you can configure the proxy settings to be used by the player to connect to the Internet - for that follow these steps:

1. Enable "Use Proxy" option.
2. Enter the server hostname address (without the http part) and the port.
3. Enable / disable bypassing the proxy server for local addresses.

   When enabled, the player first queries the hostname to find the corresponding IP address and then checks whether that IP address is located in the same subnet (according to the subnet mask); if so, the proxy is bypassed, otherwise (the IP is external or the hostname cannot be resolved) the proxy is used.

4. Enter the username and password.

   Note that the HMP supports only basic and digest authentication mechanisms.

Trusted Certificates

 

This section was named "HTTPS" prior to 4.2.0 firmware.

The player has a built-in database of the trusted root certificates of public certification authorities, matching those in web browsers, that are used to verify the authenticity of servers to which the player connects to via secure HTTP (https).

If a website is using an SSL certificate delivered by a private or enterprise-internal certification authority, or the connection is passing through a firewall with SSL inspection enabled, then the player will not be able to connect - a "Server certificate verification failed: issuer is not trusted" SSL error will be present in the player.log. In this case, you need to manually add the root certificate for that website - for that, follow these steps:

Trusted Certificates section

1. Click the "Add Trusted Certificates" button.
2. Select the root certificate file you want to add.
3. Click the "Apply" button.

From this section, you can also:

• View a certificate information by clicking the i button next to it.

  To save the certificate, click the "Download Certificate" button in the popup window.

  The root certificate of the active server certificate is automatically added to this list; by default, this is the player's auto-generated self-signed server certificate ("_auto_self_signed"). If you activate another server certificate, the list is automatically adjusted with the corresponding root certificate.

• Toggle the full verification of HTTPS certificates.

  This option is enabled by default and should not be disabled in a production environment, because doing so, renders all HTTPS connections insecure and vulnerable to man in the middle attacks. It should only be disabled for temporary testing and diagnosis.

  For web content, the HTTPS certificate are always verified, regardless of the state of this option.

Server Certificates

Added in firmware 4.2.0.

Server certificates are used to secure connections to the player’s embedded web server, to access the player web interface via a browser and publish content. Several such certificates can be installed, but only one can be active at any time.

Server Certificates section

On this section, you can add HTTP server certificates onto the device - for that follow these steps:

1. Click the "Add Server Certificate" button. The wizard dialog appears.
2. Enter the certificate name then click "Next".

   This name is used to identify the certificate in the interface and by the <active-certificate> command. It must be between 4 and 32 characters and contains only number, letter and any of the following “.@_”.

3. Select the certificate format between "PEM files" or "PCKS#12 file".
4. Click the "Select File" button(s) to upload the certificate file(s).
   • If "PEM files" format is selected, you need to upload the certificate, certificate private key, and (optionally) the certificate chain files individually; otherwise, you need to upload the pfx / p12 file containing the bundle of certificate, private key and certificate chain information.
   • The certificate chain represents all the certificates from the certificate itself up to the root CA. This is necessary so that the embedded HTTP server can hand out a complete chain to the client, otherwise the verification might fail when the client does not have all the intermediate certificates, even if it has the root certificate.
5. Click "Next".
6. Enter the passphrase used to encrypt the certificate private key, if necessary.
7. Click "Submit".

Notes:

• To activate a certificate, click the button under the "Active" column. The currently active certificate is shown with a check sign over that button.
• To view a certificate info, click the i button next to it.

Server Security

Added in firmware 4.2.0. Updated in firmware 4.3.0.

Server Security section

From this section, you can control the player behavior regarding insecure HTTP connections to its player web interface and publish server.

• Server access

  Select how the player should behave upon HTTP (insecure) access to its player web interface. The following options are available:

  • Allow insecure HTTP (default)
  • Redirect insecure HTTP to secure HTTP
  • Disable insecure HTTP

• Allow connections to publish server over secure HTTP only

  Added in firmware 4.3.0 to enforce HTTPS connections to the publish server, even when allowing or redirecting insecure HTTP on the player web interface.

  This option is activated by default on all players so that insecure access to the publish server is disallowed - the sole exception is when updating from an older firmware version not supporting TLS-SRP, in which case insecure connections are still allowed for backward compatibility; note however that resetting the player to factory default settings or installing the firmware package will activate this feature.

Notes:

• In firmware 4.2.x, the "Server access" setting applies to the publish server as well.
• Connections over HTTP Secure (HTTPS) are are not affected by these options and are always allowed.
• Starting with Elementi 2017, the server access configuration is automatically detected during device discovery and the publish method is adjusted accordingly. Configuring the players to redirect or disable insecure HTTP access would prevent publishing content onto them from older Elementi versions.
• Starting with Elementi 2018, secured publishing using TLS-SRP is activated by default for HMP350 and HMP300 devices discovered automatically. That might require an update of the user password to activate SRP.

Bonjour

Added in firmware 4.2.2 / 4.2.3.

Bonjour section

On this section, you can control whether Bonjour service is enabled on the player.

• Enable Bonjour service discovery and name resolution

  When enabled (default option), the player advertises its Bonjour services and can resolve local hostnames (e.g., you can use a player hostname instead of its IP address).

  When disabled, the Bonjour service on the player is totally stopped. The next option is automatically disabled as well.

• Enable player discovery via Bonjour

  When enabled (default option), the player can be discovered via Bonjour service by other applications - for instance, it will appear under Devices in Elementi.

  When disabled, the player doesn't advertise its Bonjour services.

UPnP

UPnP section

On this section, you can control whether SSDP / UPnP and LLMNR discovery is enabled on the player.

• Enable SSDP / UPnP

  Enable SSDP / UPnP discovery of the player

• Enable Windows compatible name resolution (LLMNR)

  Enable Windows compatible name resolution (LLMNR) discovery of the player which allows Windows to resolve the hostname of a player without installing Bonjour

Note:

These settings are enabled by default on all players.

Logging

Logging section

 

Does not apply to DiVA.

From this section, you can enable capturing the network packets received by the player in order to debug issues related to streaming and/or the HTTP traffic. Once done, click the "Clear Files" button to remove all the capture files.

Options:

• Capture stream packets

  Enable this option to start a stream capture; reload the page and find a file, which name starts with "CAP_" followed by a unique ID, above this option.

  Make sure to disable the option before downloading the capture file! See the full procedure on the Streaming page.

  This option has no effect on the HMP300, as this model doesn't support streaming.

  Warning:

  Be aware that a streaming capture might create large files on the device storage and should not be left enabled for a long period of time.

• Capture http packets

  This option was added in firmware 4.5.0.

  Enable this option to start an HTTP traffic capture; reload the page and find a JSON file which name starts with "HTTP-player-network", followed by the current timestamp.

  Make sure to disable this option before downloading the capture file!

  If you have Elementi X, you can drag & drop the HTTP traffic capture into Developer Console > Network tab and analyze the HTTP traffic.

Note:

Starting with DSOS 4.7.0, these options are available regardless of whether a DSOS license is present.

Watchdog

HMP350: Network Watchdog section

This section is not present on DiVA, HMP400/HMP400W, iBX410/iBX410W and iBX440 players without DSOS SYSTEMS license.

The Network Watchdog is activated if any of the two conditions are set to a value other than 0 (0s by default). Both parameters can be configured using a time defined in seconds (e.g. 10s), minutes (e.g. 10m) or hours (e.g. 1h).

• When activated, the HMP will reboot if one of the condition is no longer valid. Link-local (i.e. Zeroconf) addresses are not taken into account.

SNMP

SNMP section

On this section, you can configure the SNMP settings of the player.

• Read only community

  This string (by default set to "public") is like an ID sent along with each SNMP Get-Request and allows (or denies) access to the device's statistics - if the community string is correct, the device responds with the requested information; otherwise, the device simply ignores the request and does not respond.

• Limit access to SNMP from the network

  By default, the access to SNMP is disabled (closed); it can be opened to a specific IPv4 addresses range (e.g., 192.168.1.100, 192.168.1.0/24, or 192.168.1.0/255.255.255.0) or opened without restrictions (IPv6 is accepted in this case).

Notes:

• Before firmware 4.7.6, the SNMP functionality was not available on DiVA players and required a DSOS activation license on HMP400/HMP400W players.
• The player supports SNMP version 2c (with read-only access), does not generate SNMP traps and runs the Net-SNMP 5.4 (fully patched). SNMP can be accessed via UDP and TCP. For the list of MIBs available, see SNMP monitoring page.

Port Security

HMP350: Port Security

This section is present only on HMP350.

On this section, you can control whether the secondary network port is disabled.

Note:

The secondary network port is enabled by default on all players.