When working with previous versions of BVMS, remote connectivity was cumbersome due to the amount of port mapping that needed to be configured. BVMS 7.5 provides a new method of remote connectivity utilizing Secure Shell (SSH) Tunnelling.
SSH tunnelling creates an encrypted tunnel over an SSH connection. This encrypted tunnel can transport both encrypted and unencrypted traffic. The Bosch SSH implementation also utilizes the Omni-Path protocol, which is a high-performance, low-latency communications protocol developed by Intel.
Key management
The BVMS SSH service generates a private and a public key when it is started for the first time. Both keys are saved in an encrypted file. When the BVMS SSH service restarts, this file is detected and the private key is read.
A. Installation
There is little to no configuration required for this feature to function.
If the service has not been installed, the install package can be run from the BVMS 7.5 downloadable install package. If working with a DIVAR IP Recording Appliance, the appliance “Installer Package” must be used.
B. Port mapping entry
The primary configuration step is to configure one (1) port forwarding entry so that the BVMS Central Server uses port 5322 for both internal and external connections. This is the only port mapping entry that needs to be made for the entire system.
The image below shows a sample configuration.
A. Login with the Operator Client
After the basic configuration is done, logging in via Operator Client is very intuitive:
From the log menu, select the “Connection” drop down menu, then select <New…>.

You will be prompted to enter an IP address or DNS host name. You will also notice a cheat guide below the entry menu that will assist with address entry. Addressing must be in the following format: ssh://IP or servername:5322. In the example we used: ssh://49.49.49.49:5322.

After entering a properly formatted address, enter a valid user name and password. SSH users MUST have a password associated with their BVMS account. User accounts without a password cannot log in utilizing an SSH connection.
B. Verification
After a connection is established via an SSH tunnel, all communications between the BVMS Server (192.168.1.19) and a remote client (49.49.49.48) are encrypted. Below is a Wireshark capture taken from the BVMS Server after a connection is established.
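A client-side check of the port mapping, as an added example (not part of the original article and not Bosch tooling): it validates the ssh://host:port address format and reads the server's first bytes to confirm that an SSH endpoint answers on the forwarded port. It assumes the BVMS SSH service sends a standard RFC 4253 identification string; all function names are illustrative.

```python
import socket
import sys
from urllib.parse import urlsplit

def parse_bvms_address(address):
    """Split 'ssh://host:port' (the Operator Client format) into (host, port)."""
    parts = urlsplit(address.strip())
    if parts.scheme != "ssh":
        raise ValueError("address must start with ssh://")
    if not parts.hostname or parts.username or parts.path or parts.query:
        raise ValueError("expected ssh://<IP or servername>:<port>")
    port = parts.port  # raises ValueError if not a number in 0-65535
    if not port:
        raise ValueError("a port is required, e.g. :5322")
    return parts.hostname, port

def ssh_ident(data):
    """Return the SSH identification line in the server's first bytes, or None.

    RFC 4253 section 4.2 lets a server send other lines before it, so every
    line is checked.
    """
    for line in data.split(b"\n"):
        line = line.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            return line.decode("ascii", "replace")
    return None

def speaks_ssh2(data):
    """True if the identification line announces SSH protocol version 2."""
    ident = ssh_ident(data)
    return ident is not None and ident.startswith(("SSH-2.0-", "SSH-1.99-"))

def probe(address, timeout=5.0):
    """Connect through the port mapping and return the first bytes received."""
    host, port = parse_bvms_address(address)
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        while not data.endswith(b"\n") and len(data) < 1024:
            chunk = conn.recv(512)
            if not chunk:
                break
            data += chunk
    return data

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_tunnel.py ssh://<IP or servername>:<port>")
    reply = probe(sys.argv[1])
    print(sys.argv[1], "->", ssh_ident(reply) or "no SSH identification string")
    sys.exit(0 if speaks_ssh2(reply) else 1)
```

An exit status of 1 or a connection error points at the port forwarding entry or at a service that is not listening on the expected port.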
C. Changing the SSH port
Locate the SSH service configuration file in "C:\Program Files\Bosch\BVMS\bin".
Open the configuration file and find the section below. Edit the value of BvmsSshServicePort (the port should be unused) and restart the system. The port forwarding entry and the address entered in Operator Client must then use the new port as well.