Remote Web Access from behind corporate firewall

General discussion about the media server. Feature requests. Hints, tips and tricks.
Locked
HDPete
Posts:33
Joined:Thu Jun 21, 2007 11:46 am
Remote Web Access from behind corporate firewall

Post by HDPete » Mon Jan 14, 2008 8:27 pm

I want to access my Twonky collection from behind my corporate firewall. In summary, only port 80 (http) and 443 (https) is allowed out of the network.

Is it possible to configure Twonky to allow web access on port 443 instead of 9100? If so, how? and what would the URL look like?

I'll obviously need to port forward 443 on the firewall on my router, but not sure how best to configure Twonky (v4.4.4.beta).

Cheers
Pete

swordcast
Posts:13
Joined:Wed Jan 16, 2008 1:13 pm

Post by swordcast » Wed Jan 16, 2008 1:21 pm

Are you using Linux, or Winblows for the Twonkymedia software?

HDPete
Posts:33
Joined:Thu Jun 21, 2007 11:46 am

Post by HDPete » Wed Jan 16, 2008 1:55 pm

sorry, should have said:

Buffalo Terastation Live, so it's the linux distro.

swordcast
Posts:13
Joined:Wed Jan 16, 2008 1:13 pm

Post by swordcast » Wed Jan 16, 2008 6:33 pm

There's a few things you can do for it to work. If you don't have a webserver running on that linux box, you can just edit the twonkyvision-mediaserver.ini file and where it says "httpport" just add port 443 or 80 to it. If you do have a webserver running, you can do this:

The main one I would do is modify your iptables script. put in a port redirect.

Code: Select all

iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 443 -j DNAT --to- xxx.xxx.xxx.xxx:9100

This is assuming that you don't have a LIVE webserver setup on the box already with a website running. If you do, you can do a proxypass for apache2. If you have mod_proxy enabled, add this to your apache2.conf or httpd.conf file:

Code: Select all

<VirtualHost>
ServerName twonky.yourdomain.com
ProxyPass / http://twonky.yourdomain.com:9100/
ProxyPassReverse / http://twonky.yourdomain.com:9100/
</VirtualHost>
It will pass through port 80 on your corporate firewall and your apache2 webserver will interpret between 80 and 9100 for you. This doesn't cause your webserver to be an open proxy either.

HDPete
Posts:33
Joined:Thu Jun 21, 2007 11:46 am

Post by HDPete » Wed Jan 16, 2008 9:41 pm

Many thanks Swordcast !! Very helpful and a very good start!

I have managed to set 443 in the .ini file (after messing about with a text editor to cope with the encoding).

I have read back the file and confirm that 443 is set. However I can't access the site using https://myip/webbrowse . I turned off my firewall at the router temporarilly (none installed on the machines) so there was no port blocking.

If I select the 'eye' icon in the Twonky Web Interface for Webbrowse, it connects and I can view content - interestingly though, on port 9000. Shouldn't this be 443 as per the ini file?

The PS list on the NAS shows the following, which suggests that Apache is running. I've not installed it. Could this be Buffalo's installation for their web access to their management console? If so, should I try your other suggestions?

<edited> See below extract...
Last edited by HDPete on Wed Jan 16, 2008 9:53 pm, edited 1 time in total.

HDPete
Posts:33
Joined:Thu Jun 21, 2007 11:46 am

Post by HDPete » Wed Jan 16, 2008 9:52 pm

Sorry, can't get the whole PS list pasted for some strange reason....

Here's an extract

1024 root 932 S /usr/local/apache/bin/httpd
1028 root 936 S /usr/local/apache/bin/httpd -f /etc/apache/httpd8080.
1395 root 368 S /mnt/array1/twonky/twonkymedia
4673 root 676 S /usr/local/apache/bin/httpd
4674 root 676 S /usr/local/apache/bin/httpd
4675 root 676 S /usr/local/apache/bin/httpd
4676 root 676 S /usr/local/apache/bin/httpd
4677 root 680 S /usr/local/apache/bin/httpd -f /etc/apache/httpd8080.
4678 root 680 S /usr/local/apache/bin/httpd -f /etc/apache/httpd8080.
4679 root 680 S /usr/local/apache/bin/httpd -f /etc/apache/httpd8080.
4682 root 680 S /usr/local/apache/bin/httpd -f /etc/apache/httpd8080.
4706 root 680 S /usr/local/apache/bin/httpd
4707 root 684 S /usr/local/apache/bin/httpd -f /etc/apache/httpd8080.

swordcast
Posts:13
Joined:Wed Jan 16, 2008 1:13 pm

Post by swordcast » Wed Jan 16, 2008 10:07 pm

Looks like the linux distro came with Apache, which probably enabled port 443. However, you can work around it. Twonky doesn't do SSL support, I don't believe, so you'll need to connect as http://myip:443 and see if that works instead. If anything, you could try this:

Code: Select all

/etc/init.d/httpd stop
then restart twonkymedia
It might be that since Twonky can't bind itself on port 443, it defaults back to 9000 because Apache has 443 locked.

Just in case that doesn't work, I'd need to know your setup to be able to help you fully.

Is your linux box the gateway or router to the internet? or do you have a Router(linksys, etc) that you forward ports into your home network?

picNroll
Posts:1
Joined:Fri Feb 15, 2008 4:14 am

Post by picNroll » Fri Feb 15, 2008 4:35 am

Here is what I did to successfully access my twonky server from behind our corporate firewall:

- I'm using twonky on an HP MediaVault (NAS)
- I use a D-Link EBR-2310 router
- I use a free dynamic DNS service.
- For sample purposes, assume my dynamic dns = http://picnroll.mywebserver.com
- For sample purposes, assume my internal IP address for the HP MediaVault is: 192.168.1.100

I installed twonky with all defaults. I then edited the D-Link router to forward port 443 (TCP) to 192.168.1.100 on port 9000 (TCP). That's pretty much all the configuration that is needed. Now, here's some of the funky stuff I found when accessing it from work, and what I did to work around that funkiness ...

When attempting to use Internet Explorer (v7) to go to http://picnroll.mywebserver.com:443, IE would hang and then give an error. So, I tried the exact same thing with Firefox. The twonky login window appeared, and I successfully logged in to Twonky and it rendered the setup page. NOTE: If you do not have Firefox installed, you can get a portable version of Firefox that is really handy ... and only needs to be installed in a directory of your choice or on a thumbdrive, without updating the registry, etc. Go to http://www.portableapps.com if you want to check that out.

Now, when I clicked on the eye to go to the Webbrowse mode/screens, it gave me the main screen fine. The problem next is that when you click on "Music", "Pictures" or "Video", twonky uses your internal ip address to access them ... so, it tries to connect using http://192.168.1.100:9000/webbrowse/O1 for instance. This obviously won't work from inside your corporate firewall. So, to manually get around this, you'll need to copy that link and replace 192.168.1.100:9000 with picnroll.mywebserver.com:443. Make sure the rest of the URL is correct, and it will navigate to the subsequent folders just fine. NOTE: in /webbrowse/O1 that is the capital letter "O", not the number zero.

Sorry for the long post, but maybe it will help someone else.

Locked