Setting up SNMP to Manage Internet-Deployed STBs


Postby Cilutions Support » Fri Nov 25, 2011 3:19 pm

The following is a helpful guide for the initial installation and configuration of the data center software needed to SNMP monitor, configure and support A140/A540 STBs deployed in an Internet configuration. That is, where the management server is in a data center with a well-known public IP address and the STBs are distributed across the Internet, behind a router, where the IP address is not known (i.e., a NAT'd connection).

1) Establish an IT point person in the data center familiar with networking, router firewall and port forwarding, Windows firewall configuration and overall Windows operations. The STBs, when properly configured, register with the data center and the software in the data center must be properly installed and configured to accept registrations and communicate with the STBs.
2) This same individual should be familiar with SNMP, MIBs and MIB Browsers to be able to set up and poll for STB activity through SNMP.
3) Identify a Windows platform (XP/Server 2003/Server 2008) to use for SNMP management.
4) Install the Digital Media Bridge SNMP Proxy Server on the management machine. This runs as a Windows service named: "SNMP Forwarder Service". Note that the incoming proxy port to use for this service is in the command which starts the service. Here is an example of how to start the service using UDP port 7654: "C:\Program Files\Cilutions\SNMPProxy\SNMP_Proxy\forwarder.exe" -B 7654. Note: There is an SNMP Proxy man page in this forum with far more operational details.
5) Configure the Windows firewall to permit incoming UDP packets on port 7654 (note that this port is configurable but must match the same value configured in the STBs where registration is initiated)
6) Configure the router on the local network to "port forward" all incoming traffic on UDP port 7654 to the Windows platform
7) Configure each STB to register with the data center using the following SNMP settings (must be applied locally at each STB):
    SNMP Engine ID: Typically the serialno of the STB
    SNMP Proxy IP: The public, well-known, IP address of the data center
    SNMP Proxy Port: 7654 (in this example configuration scenario)
    SNMP Heartbeat Freq: 20 (how often, in seconds, the STB sends a UDP registration message back to the SNMP Proxy)
    SNMP Local Port: 161 (the conventional source port of the UDP registration message)

Very Important
    Be sure to also configure the STB for access out of the local network by either enabling DHCP or by manually configuring the network settings, including the gateway.
    Typically, no firewall changes are needed to enable connectivity from the local STB to the public SNMP Proxy. But if the local firewall does not permit outbound UDP traffic it may be necessary to change the firewall configuration to enable UDP outbound traffic, on port 7654 in this example, from the local network, where the STB resides, towards the public network, where the SNMP Proxy resides.
See the STB release notes for more explicit configuration procedures.

8) Start up a MIB Browser (e.g., the free iReasoning MIB Browser) on the management machine and load the Cilutions-provided SNMP-AGENT-MIB-2.txt MIB. This MIB offers access into the internal SNMP Proxy cache showing any and all registrations of STBs. So using this MIB an operator can see which STBs have registered with the SNMP Proxy.
9) Set the Read Community for Address 127.0.0.1 to SNMP_PROXY. The iReasoning MIB Browser offers this through the Advanced button.
10) Issue a MIB Browser "Get Subtree" command for IP Address 127.0.0.1 (the local platform where the SNMP Proxy is running) and MIB variable snmpAgentTable (OID .1.3.6.1.6.3.50.1.1). Any and all registered STBs should be displayed in the response.
11) The next step will be to select an SNMP Manager and configure it to manage the STBs "through" the SNMP Proxy. This procedure is discussed in a separate forum posting.
Cilutions Support
Site Admin
 
Posts: 139
Joined: Mon Feb 07, 2011 3:03 pm

Re: Setting up SNMP to Manage Internet-Deployed STBs

Postby Henry.G » Tue Dec 03, 2013 4:48 pm

I have a question on the SNMP proxy firewall setup. I know that I need to have outgoing access on UDP 7654 from the STB towards the Internet. Do I also need to have that incoming as well? I am running into an issue at one Internet site and wanted to know if they need to open this incoming port for the SNMP proxy to work.
Henry.G
 
Posts: 45
Joined: Mon Apr 25, 2011 12:54 pm

Re: Setting up SNMP to Manage Internet-Deployed STBs

Postby Cilutions Support » Wed Dec 04, 2013 1:15 pm

There have been reports of firewalls/routers blocking the local port (SNMP standard of 161). It is not the 7654 outbound UDP packet that cannot get out to the Proxy but the response from the Proxy back to the STB gets blocked.

So, for example, if you have an SNMP Proxy config with 7654 as the Proxy Port and 161 (the default) as the Local Port, most firewalls replace the source port (of 161 in this case) with a made up source port when forwarding the UDP packet to the Proxy. In this case the UDP packet arrives at the Proxy with:

Dest Port: 7654 Source Port: 3500 (made up value)

Then the Proxy communicates with the STB with:

Dest Port: 3500 Source Port: 7654

In these configurations (the norm) there is no special configuration needed in the firewall. The firewall/router selected port 3500 (in this example) itself and by definition allows it.

But some firewalls just replicate the source port from the STB so it would forward the following UDP packet to the Internet as such:

Dest Port: 7654 Source Port: 161 (value from the local STB inside the local network)

When this occurs the firewall may block the return UDP packet from the Proxy which would look like this:

Dest Port: 161 Source Port: 7654

Because port 161 is a known SNMP port and the firewall blocks such traffic by default.

Setting your STB to have an SNMP Proxy config with 7654 as the Proxy Port and 4700 as the Local Port is a work-around which avoids the port 161 problem (we have found). With port 4700 you would likely not need to change any firewall configuration (is our experience).

As a last resort, for clients with higher than consumer-level security, you may have to allow this proxy traffic through their firewall. (e.g., port forward UDP traffic on port 4700 to the STB).
Cilutions Support
Site Admin
 
Posts: 139
Joined: Mon Feb 07, 2011 3:03 pm
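
A way to tell apart the two NAT behaviours described in the reply above when troubleshooting a site, as an added example that is not part of the original posts or of the Cilutions software. The probe payload, the function names and the stand-in listener are assumptions; the listener runs on a spare UDP port at the data center and the real forwarder is not involved.

```python
import socket
import threading

def answer_one(sock):
    """Data-center side: reply to one datagram with the source port observed."""
    _, (ip, port) = sock.recvfrom(512)
    # The reply goes back to the observed source port, whatever the NAT chose.
    sock.sendto(str(port).encode(), (ip, port))

def probe(server, local_port, timeout=2.0):
    """Site side: send from local_port and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", local_port))       # ports below 1024 (e.g. 161) need privileges
        sent_from = s.getsockname()[1]
        s.settimeout(timeout)
        s.sendto(b"probe", server)     # hypothetical payload, not the STB message
        try:
            reply, _ = s.recvfrom(512)
        except OSError:                # timeout or ICMP error: nothing came back
            return sent_from, None, "no reply: outbound or return path blocked"
    seen = int(reply)
    if seen == sent_from:
        return sent_from, seen, "source port preserved"
    return sent_from, seen, "source port rewritten by NAT"

def loopback_demo():
    """Constructed demo on 127.0.0.1: one answering listener, one silent one."""
    live = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    live.bind(("127.0.0.1", 0))
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))      # bound but never answers
    t = threading.Thread(target=answer_one, args=(live,), daemon=True)
    t.start()
    ok = probe(live.getsockname(), 0)
    blocked = probe(silent.getsockname(), 0, timeout=0.5)
    t.join(1)
    live.close()
    silent.close()
    return ok, blocked

if __name__ == "__main__":
    for sent_from, seen, verdict in loopback_demo():
        print(f"local port {sent_from}, listener saw {seen}: {verdict}")
```

Run from the site with the local port set first to 161 and then to 4700: a preserved port 161 with no reply matches the blocked case described above, while a rewritten port or a reply on 4700 shows the return path is open.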

Re: Setting up SNMP to Manage Internet-Deployed STBs

Postby Cilutions Support » Tue Aug 05, 2014 3:13 pm

A540 and A140 releases earlier than August 2014 should use IP addresses for the SNMP Proxy instead of domain names. It has been reported that failed network connections at STB start-up (e.g., a switch that boots much slower than the STB), when using a name for the SNMP Proxy instead of the dotted decimal IP address, can cause the STB to fail to connect with the SNMP Proxy server; needing a reboot to recover. Using an IP address fixes this issue.

In addition, it is recommended that the network administrator use multiple monitoring techniques to draw conclusions on whether or not a site is functioning before involving an end user or sending a tech for a site visit. Our system offers the following means of monitoring the health of a site:
a) The telnet proxy server - Here an administrator can attempt to login to an STB and analyze logs for review. This also offers a means of rebooting by command without involving the customer.
b) Review the FTP Logs - If FTP file retrieval is configured this offers another means to determine that a site is alive. Logs can be reviewed manually or even automatically by network administration personnel.
c) Use the finstall method in the FTP Server to, say, issue a reboot command to an STB if desired. Search the support forums for finstall to learn more. Be careful, this is a powerful tool and must be done correctly.
Cilutions Support
Site Admin
 
Posts: 139
Joined: Mon Feb 07, 2011 3:03 pm

