What do I need to get from my IS department to install i.LONs?
BACKGROUND
If you install i.LON™ Internet Servers on an existing IP network you will need to work closely with the Information Systems (IS) department that maintains that network. This document provides a concise list of the things you will need to get from your local IS department, and the information they will need to adjust any intermediary firewalls to allow bi-directional communication with the outside world. This document also covers the configuration requirements for Configuration Servers, LNS 3.0 Servers, and Full and Lightweight Clients.
What you need to request from your IS department
· A static, unique IP address and subnet mask for each of the i.LONs and the configuration server to be connected to the internal IP infrastructure. You will also need a static IP address for all LNS 3.0 machines that either use an Ethernet VNI interface or are to be an LNS Lightweight Client. Additionally, if any machine is to be connected to the outside world, at a minimum you will need a gateway IP address and optionally a host name along with the IP address of an appropriate DNS machine.
· If any machine is to be referred to externally by its fully qualified domain name (www.myilon.echelon.com for example), then you should ask to have the name added to the Internet domain’s zone file. Alternatively, you can use hosts file entries on each machine that needs name resolution, thus avoiding the need to modify the zone file. On a Windows 95/98 machine the hosts file typically lives in the C:\Windows folder (you will first have to rename it from host.sam to hosts before editing it). On a Windows NT or 2000 machine the hosts file typically resides in the C:\Winnt\System32\drivers\etc folder. (See your Microsoft Windows documentation for more information on modifying Windows hosts files.)
· If the LonWorks/IP channel is to include the Internet (or excessive internal propagation delays will be involved) you will need the address of an SNTP server.
· Any bandwidth limitations (QOS) that are imposed on any i.LON to avoid saturation of the internal network or Internet connection. Note: you may also need to adjust the LonWorks/IP channel’s aggregation timer value in addition to QOS restrictions.
Use a table similar to the one below whilst preparing your installation (* = optional information):
Device / IP address / Port Number** / Subnet Mask / Gateway* / Host Name* / Host Name Reg. Req’d / DNS Machine* / SNTP Server* / QOS Limit (kbps)*
Config Server PC / 1629
LNS Server
LNS Full Clients 1-n / 1628
i.LONs 1-n / 1628
LNS LW Clients 1-n / N/A
** The port number should be taken from the configuration server’s database
FIREWALL/ROUTER CONFIGURATION
If any machine is to be visible to the outside world or needs to connect to the outside world, adjustments to the local firewall/router will need to be made. These adjustments are needed not only for LonWorks/IP channels, HTTP access to i.LONs and LNS Lightweight Clients, but also for the supporting protocols such as FTP (to allow web pages to be uploaded to i.LONs) and ping (to allow for testing).
Note that the IP addresses of members within a LonWorks/IP channel must remain static and that the firewall/router must not translate their addresses using network address translation (NAT). The firewall/router should also be configured not to transform external client addresses.
Inspect the tables below to determine how the firewall/router needs to be opened up and request the changes from your IS department. It is advisable to restrict access to specific source/destination IP pairings rather than, for example, opening up global Internet access to internal members of a LonWorks/IP channel. In the tables, a member of a LonWorks/IP channel may be an i.LON, a Configuration Server, or an LNS 3.0 Server or Full Client using an Ethernet VNI connection.
In many corporate infrastructures, systems exist between the firewall and the Internet (the "dirty" side) or off an additional network interface within the firewall in an area called the demilitarized zone (DMZ). Locating devices in the DMZ is the more secure option, as external access is still controlled via the firewall; locating devices on the dirty side avoids any firewall configuration at the expense of security. If an i.LON is to serve web pages to the Internet, remember to set up access permissions using the i.LON Web Server Parameters utility.
Configuration for LonWorks/IP Channels
Condition / Direction / Target IP / Source IP / Protocol / Target Port / Source Port
LonWorks/IP channel with external members / In / All internal members of the channel / All the external members of the channel / UDP / See note 1 below / See note 1 below
LonWorks/IP channel with external members / Out / All the external members of the channel / All internal members of the channel / UDP / See note 1 below / See note 1 below
Internal SNTP server with external clients / In / The internal SNTP server / All the external members of the channel using the SNTP server / SNTP (UDP) / 123 / 1024-65535
External SNTP server with internal clients / Out / The external SNTP server / All the internal members of the channel using the SNTP server / SNTP (UDP) / 123 / 1024-65535
Configuration for i.LON Web Servers
Condition / Direction / Target IP / Source IP / Protocol / Target Port / Source Port
Internal i.LON Web Server with external HTTP clients / In / The internal i.LON / The external HTTP client / HTTP (TCP) / 80 / 1024-65535
Configuration for LNS Lightweight Clients
Condition / Direction / Target IP / Source IP / Protocol / Target Port / Source Port
Internal LNS Server with external LNS lightweight clients / In / The internal LNS server / The external lightweight clients / TCP / 2450 & 2451 (see note 2 below) / 1024-65535 (see note 2 below)
External LNS Server with internal LNS lightweight clients / Out / The external LNS Server / The internal LNS lightweight clients / TCP / 2450 & 2451 (see note 2 below) / 1024-65535 (see note 2 below)
Configuration for i.LON Maintenance
Condition / Direction / Target IP / Source IP / Protocol / Target Port / Source Port
Internal i.LON with external FTP client / In / The internal i.LON / The external FTP client / FTP (TCP) / 20 & 21 / 1024-65535
External i.LON with internal FTP client / Out / The external i.LON / The internal FTP client / FTP (TCP) / 20 & 21 / 1024-65535
Configuration for LonWorks/IP Channel Testing
Condition / Direction / Target IP / Source IP / Protocol / Target Port / Source Port
Ping / In / All internal members of the LonWorks/IP channel / All external members of the LonWorks/IP channel / PING (ICMP echo request & echo reply) / N/A / N/A
Ping / Out / All external members of the LonWorks/IP channel / All internal members of the LonWorks/IP channel / PING (ICMP echo request & echo reply) / N/A / N/A
Traceroute / In / All internal members of the LonWorks/IP channel / All external members of the LonWorks/IP channel / TRACEROUTE (ICMP echo request & echo reply) / N/A / N/A
Traceroute / Out / All external members of the LonWorks/IP channel / All internal members of the LonWorks/IP channel / TRACEROUTE (ICMP echo request & echo reply) / N/A / N/A
Note 1
Traffic in a LonWorks/IP channel is sent between the members defined in the configuration server’s database. If, for example, an i.LON using IP address 10.1.0.10 (i.LONs always use port 1628) initiates communication with an Ethernet VNI interface on a PC at IP address 10.1.0.11 that has been configured to use port 1629, the target IP address would be 10.1.0.11 with a target port of 1629, and the source IP address would be 10.1.0.10 with a source port of 1628. The source port of a LonWorks/IP channel member is always static and is the port defined in the device’s property listing in the Configuration Server’s database.
Note 2
Traffic between an LNS Lightweight Client and an LNS server will always use ports 2540 and 2541 on the server and a pair of adjacent ports on the client, which are dynamically allocated by the client when the client first connects to the server. The client ports will be in the range 1024-65535.
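The pairing rule in Note 1 (every member sends from its own static port to the peer's static port, and only internal/external pairs cross the firewall) is easy to get wrong by hand once a channel has several members. The following Python script is an added example, not part of the original document or of any Echelon tool: it takes a constructed member list modelled on the Configuration Server's database and derives the minimal set of source/destination-restricted UDP rules that the "LonWorks/IP Channels" table calls for, rendered as iptables-style lines (the iptables format is an assumption about the firewall in use).

```python
"""Derive pair-restricted LonWorks/IP channel firewall rules (added example)."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Member:
    name: str
    ip: str
    port: int       # static port from the Configuration Server's database
    internal: bool  # True if the member sits behind the local firewall


@dataclass(frozen=True)
class Rule:
    direction: str  # "In" or "Out" relative to the local firewall
    proto: str
    target_ip: str
    target_port: int
    source_ip: str
    source_port: int


# Constructed sample membership: addresses and ports are illustrative only.
MEMBERS = [
    Member("i.LON A (internal)", "10.1.0.10", 1628, internal=True),
    Member("Config Server PC (internal)", "10.1.0.11", 1629, internal=True),
    Member("i.LON B (remote site)", "192.0.2.20", 1628, internal=False),
]


def channel_rules(members):
    """Per Note 1: a member's source port is its own static port and the
    target port is the peer's static port. Internal-to-internal traffic never
    crosses the firewall, so only internal/external pairs produce rules, and
    each rule names one specific source and one specific target (no 'any')."""
    internal = [m for m in members if m.internal]
    external = [m for m in members if not m.internal]
    rules = []
    for i, e in product(internal, external):
        rules.append(Rule("In", "UDP", i.ip, i.port, e.ip, e.port))
        rules.append(Rule("Out", "UDP", e.ip, e.port, i.ip, i.port))
    return rules


def to_iptables(rule):
    """Render one rule as an iptables FORWARD-chain line (format assumed)."""
    return (f"iptables -A FORWARD -p {rule.proto.lower()} "
            f"-s {rule.source_ip} --sport {rule.source_port} "
            f"-d {rule.target_ip} --dport {rule.target_port} -j ACCEPT")


if __name__ == "__main__":
    for r in channel_rules(MEMBERS):
        print(f"# {r.direction}: {to_iptables(r)}")
```

With the sample list above the script emits four lines: an In and an Out rule for each of the two internal members paired with the single external i.LON.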
VIRTUAL PRIVATE NETWORKS
Often it is easier to use Virtual Private Networks (VPNs) between remote sites that use LonWorks/IP technologies (i.LONs, LNS 3.0 Servers and LNS 3.0 Full Clients using Ethernet Interfaces, or LNS Lightweight Clients). There are many commercial hardware and software VPN products available (most firewall packages have VPN support built in), which simplify remote connectivity between i.LON sites by eliminating complex firewall configurations. Once a tunnel is set up between two points on the Internet, it is as if they were connected locally, without any intermediate filtering taking place. A further advantage of using VPNs in conjunction with LonWorks/IP channels is that internal non-routable IP addresses can be used (provided suitable IP subnet configurations are adopted), whereas normally they would have to be translated using NAT before reaching the Internet.
The following diagram illustrates the use of VPNs in conjunction with LonWorks/IP technologies.
There are many sources of VPN products; a list of manufacturers can be found at http://www.corecom.com/external/vpn/vpntable.html