Making an indirect connection to Remote Assistance

It is sometimes awkward to connect a Platinum system, such as an EAM or 40TDE instrument, to the Internet for remote assistance. For example: in some cases, the only available Internet access is via WiFi so, if the Platinum system does not have a WiFi interface, direct connection becomes impossible. In these cases, a PC or laptop can be used as a gateway, allowing the Platinum system to contact the Güralp remote-assistance server indirectly, via the PC.

Another example where this technique is useful is where a remote Platinum system is connected to a data-centre via a VPN. In this case, a PC at the data-centre which has both VPN and Internet access can be used as a remote-assistance gateway.

This article describes one way to set up a PC for this purpose. For Windows users, we will use the (free) PuTTY terminal emulation software to make a local network connection to the Platinum system while providing a port-forwarding facility which the Platinum system can use to contact the remote-assistance server. Linux users can do the same or use a much simpler command-line technique.

Note: This technique does not open any additional ports to the outside world. The only connections from the PC and the Platinum system are outgoing.

Theory

The PC is configured to make an SSH connection to the Platinum system, shown in blue in the picture below. This connection is configured with a port-forwarding rule which causes the PC to listen for incoming connections on port 8080. If it receives any such connections, it will transparently forward them to port 80 on the remote-assistance server, as shown by the dotted orange line.

Next, the remote-assistance service on the Platinum device is reconfigured to connect to port 8080 on the PC rather than directly to the remote-assistance server. This connection is transparently forwarded (by the PC) to the real remote-assistance server. This connection is configured with a tunnel: a listener on the remote-assistance server forwards connections to port 22 on the Platinum device using the same authenticated, encrypted connection. The port number of the listener is assigned automatically. Other listeners forward connections to port 80 for web access and port 1567 for access to GCF data. The connection and the tunnel are shown here in green:

At this point, the Güralp support engineer can connect to any or all of the listening ports on the remote-assistance server and all such connections are tunnelled directly to the Platinum device. Because these connections are made through an SSH tunnel, they are protected by strong authentication and encryption. The connections are shown in orange, grey and brown in the diagram below. The Güralp support engineer may configure additional tunnels so, for example, the Platinum device can access the firmware upgrade server. These tunnels are not shown but each one benefits from strong authentication and encryption.

Configuration for Windows users

To configure an indirect connection:

  1. If you do not already have PuTTY installed on your PC, download it from this link and install it, accepting the defaults at each stage of the installation process

    Note: If you cannot or do not want to install third-party software on your PC, you can use the Linux command-line instructions below in conjunction with the command-line ssh client shipped with Windows 10. (This feature may need to be enabled before use, in which case please see this article for instructions.)
  2. Open PuTTY – the following dialogue is displayed:

  3. Enter the I.P. address of the Platinum system in the "Host Name (or IP address)" field, as shown:

  4. Select Connection→Data from the left-hand menu and enter root as the "Auto-login username":

  5. Select SSH→Tunnels from the left-hand menu. In this screen (shown below):

    • Tick the “Local ports accept connections from other hosts” check-box,
    • Enter 8080 in the "Source port" field,
    • Enter 212.110.190.11:80 in the "Destination" field
    and then click the Add button

    Note: we have used an IP address - 212.110.190.11 - rather than a DNS name here in order to remove a potential source of problems. If you are confident that your PC has a functioning name-resolution system, you can use remote-assist.guralp.com:80 in place of 212.110.190.11:80. This provides a degree of future-proofing, guarding against a change in the address of the Güralp remote-assistance server.
  6. Check that a new entry beginning L8080 appears in the central list area exactly as shown:

  7. Select "Sessions" from the top of the left-hand menu and enter a name for your Platinum system in the "Saved Sessions" box above the list of saved sessions. In the example below, we have used the name EAMxxxx but you are free to choose your own.

  8. Click the Save button. Your new saved session should appear in the list below "Default Settings"

  9. Click the Open button. The first time you do this, a security dialogue is displayed:

    Simply click Yes (or, in some versions, "Accept") to clear this.

  10. An emulator window then opens, prompting you for the root password of the Platinum system:

    Enter the password and check that you reach the command line.

  11. Make a note of the I.P. address of the PC. If you do not know this, please follow this procedure to discover it.

  12. In the emulator window (i.e. at the command line of the Platinum system), enter

    remote-assist disable
    echo "server_list = ip.addr.of.pc:8080" > /etc/remote-assist/client.cf.local
    remote-assist

    replacing ip.addr.of.pc with the actual I.P. address of your PC, as obtained in the previous step. A typical example would look like this:

    remote-assist disable
    echo "server_list = 203.0.113.13:8080" > /etc/remote-assist/client.cf.local
    remote-assist

The Platinum system should now connect to the remote assistance server using the Windows PC as a port-forwarding gateway.

Configuration for Linux users

PuTTY is available for Linux so you can, if you choose, follow the above instructions exactly. Linux systems are, however, almost always shipped with a command-line ssh program and, if you are comfortable working on the command line, you may find the approach below to be simpler.

To configure a Linux PC to act as an intermediary for a remote-assistance connection:

  1. Press Ctrl+Alt+T to open a terminal window.

  2. In the terminal window, type

    ssh -L*:8080:212.110.190.11:80 root@ip.address.of.Platinum-system

    replacing ip.address.of.Platinum-system with the actual I.P. address of the Platinum system.

    Note: in the first argument to the ssh command here, we have used an IP address - 212.110.190.11 - rather than a DNS name. This is in order to remove a potential source of problems. If you are confident that your PC has a functioning name-resolution system, you can use
    -L*:8080:remote-assist.guralp.com:80
    in place of
    -L*:8080:212.110.190.11:80
    This provides a degree of future-proofing, guarding against a change in the address of the Güralp remote-assistance server.
  3. If you have not used ssh to connect to this Platinum system before, you will see a message like:

    The authenticity of host 'suprt-eam (10.10.0.2)' can't be established.
    ECDSA key fingerprint is SHA256:lhh5mklJV+ZjIwpqdhtPqSU/Gf9V8D3upfNdT8z2FtU.
    Are you sure you want to continue connecting (yes/no)? 

    Type the word yes to continue.

  4. You are now prompted for the root password of the Platinum system.

  5. Make a note of the I.P. address of the PC. If you do not know this, please follow this procedure to discover it.

  6. At the command line of the Platinum system, enter

    remote-assist disable
    echo "server_list = ip.addr.of.pc:8080" > /etc/remote-assist/client.cf.local
    remote-assist

    replacing ip.addr.of.pc with the actual I.P. address of your PC, as obtained in the previous step. A typical example would look like this:

    remote-assist disable
    echo "server_list = 203.0.113.13:8080" > /etc/remote-assist/client.cf.local
    remote-assist

The Platinum system should now connect to the remote assistance server using the Linux PC as a port-forwarding gateway.
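The `-L*:8080:...` form in step 2 (like the "Local ports accept connections from other hosts" box in PuTTY) makes the PC accept connections on port 8080 on every network it is attached to. The following is an added example, not part of the original article: a shell helper that classifies how port 8080 is bound from `ss -ltn` output, together with a `-L` argument bound to a single address of the PC. The address 192.0.2.10, the function names and the sample `ss` listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Sample listings are constructed.

# Classify how a forwarded port is bound. Reads `ss -ltn` output on stdin and
# prints: wildcard (all interfaces), specific (one address), loopback, or none.
forward_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")          # text after the last ":" is the port
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") seen["wildcard"] = 1
            else if (addr == "127.0.0.1" || addr == "[::1]")      seen["loopback"] = 1
            else                                                   seen["specific"] = 1
        }
        END {
            if ("wildcard" in seen)      print "wildcard"
            else if ("specific" in seen) print "specific"
            else if ("loopback" in seen) print "loopback"
            else                         print "none"
        }'
}

# Build a -L argument bound to one address of the PC (the address the Platinum
# system uses in server_list) instead of "*".
forward_arg() {   # $1 = PC address (assumed), $2 = destination host:port
    printf '%s\n' "-L$1:8080:$2"
}

# Constructed listing: gateway started with -L*:8080:212.110.190.11:80
SAMPLE_WILDCARD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    [::]:8080          [::]:*'

# Constructed listing: gateway started with -L192.0.2.10:8080:212.110.190.11:80
SAMPLE_SPECIFIC='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    192.0.2.10:8080    0.0.0.0:*'

printf '%s\n' "$SAMPLE_WILDCARD" | forward_scope 8080    # wildcard
printf '%s\n' "$SAMPLE_SPECIFIC" | forward_scope 8080    # specific
forward_arg 192.0.2.10 212.110.190.11:80
# On the gateway itself: ss -ltn | forward_scope 8080
```

When the forward is bound to one address, the `server_list` entry on the Platinum system must name that same address of the PC.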
