Firewall Rules
An Igloo media server can be entirely self-contained, though in most cases internet access will be required for system updates, content downloads, web services, etc. There may also be requirements for the media server to communicate with clients on a corporate network, e.g. for NDI streaming. The following table describes ports for common services that are used by an Igloo Media server, as well as the scope.
Explanation of Scopes:
Igloo Network - Network containing the Igloo related hardware i.e. media server, projectors, etc. This can be a separate VLAN, or mixed with a pre-existing network.
Outside - Corporate network or network providing internet access to the Igloo system. Can be behind NAT if only web and software updates are required. For sending OSC messages and / or NDI streams to the Igloo from this network, firewall rules must be in place to allow traffic through.
Inbound / Outbound - Inbound is assumed to be traffic directed at clients on the Igloo network, whereas Outbound is traffic leaving this network. This can be controlled by your gateway firewall, or intermediary security device. Windows Firewall settings on the media server itself should also match where required.
Port | Scope | Description |
---|---|---|
TCP 4352 Inbound TCP & UDP 3620 Inbound | Igloo Network | Projector communications and control. |
UDP 9000-9020, 10000 Inbound | Igloo Network, Outside (Optional) | OSC Protocol. |
TCP 49152 - 65535 Inbound | Igloo Network, Outside (Optional) | NDI Streaming. |
TCP 8086 | Igloo Network | Peruse-a-rue application. |
TCP 3000 | Igloo Network | Matterport application. |
TCP 3001 | Igloo Network | GeoCV application. |
TCP 10000 | Igloo Network | Igloo Controller Service. |
TCP & UDP 53, 80, 443 Outbound | Outside | DNS, web connectivity and Windows updates. |
TCP 80, 443, 8200 Outbound | Outside | GoToMyPC Remote access. |
TCP & UDP 5938 Outbound | Outside | TeamViewer Remote access. |
UDP 162, 319-320, 2203, 4321, 14336-14600, 4440, 4444, 4455, 5353, 8700-8706, 8800, 8751, 16000-65536 Inbound | Igloo Network | Required if using Dante Audio and Controller. Allows audio routing, clocking, control, monitoring, and related services. See Dante Audio section below for a detailed description of these ports. |
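Added example (not Igloo's own configuration): Windows Firewall rules on the media server for the inbound rows of the table above, each limited to the source scope the table gives it. The subnet, group name and rule names are assumed placeholders; the application ports (TCP 8086, 3000, 3001, 10000) have no direction in the table and are treated here as inbound; the Dante row is left out.

```powershell
# Assumed values (not from the page): adjust to your own addressing plan.
$IglooNet      = '192.168.50.0/24'    # hypothetical Igloo Network / VLAN subnet
$OscNdiSources = @($IglooNet)         # add an Outside subnet only if OSC/NDI must cross the gateway
$Group         = 'Igloo Media Server' # hypothetical group name, used for review and cleanup

# Inbound rows of the port table: name, protocol, local ports, permitted sources.
$Inbound = @(
    @{ Name = 'Projector control';  Proto = 'TCP'; Ports = @('4352', '3620');       From = $IglooNet }
    @{ Name = 'Projector control';  Proto = 'UDP'; Ports = @('3620');               From = $IglooNet }
    @{ Name = 'OSC';                Proto = 'UDP'; Ports = @('9000-9020', '10000'); From = $OscNdiSources }
    @{ Name = 'NDI streaming';      Proto = 'TCP'; Ports = @('49152-65535');        From = $OscNdiSources }
    # Direction is not stated in the table for the next four rows (assumed inbound).
    @{ Name = 'Peruse-a-rue';       Proto = 'TCP'; Ports = @('8086');               From = $IglooNet }
    @{ Name = 'Matterport';         Proto = 'TCP'; Ports = @('3000');               From = $IglooNet }
    @{ Name = 'GeoCV';              Proto = 'TCP'; Ports = @('3001');               From = $IglooNet }
    @{ Name = 'Controller Service'; Proto = 'TCP'; Ports = @('10000');              From = $IglooNet }
)

foreach ($r in $Inbound) {
    # One allow rule per row; -RemoteAddress limits who may reach the port.
    New-NetFirewallRule -DisplayName "Igloo - $($r.Name) ($($r.Proto))" -Group $Group `
        -Direction Inbound -Action Allow -Protocol $r.Proto `
        -LocalPort $r.Ports -RemoteAddress $r.From | Out-Null
}

# Review the result: each rule with its ports and the sources it accepts.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $p = $_ | Get-NetFirewallPortFilter
    $a = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule  = $_.DisplayName
        Proto = $p.Protocol
        Ports = $p.LocalPort -join ','
        From  = $a.RemoteAddress -join ','
    }
} | Format-Table -AutoSize
```

Run from an elevated PowerShell session. `Remove-NetFirewallRule -Group 'Igloo Media Server'` removes the whole set if the scopes need to be redefined.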
Internet Connectivity
As shown in the above table, ports for web connectivity are optional but preferred for Windows Updates, remote support, and general usability. Windows Updates should generally be allowed and installed for security fixes, though a day should be set aside for larger cumulative and feature updates that may require post-install testing.
Other devices may not require internet connectivity; no device in the Igloo system strictly needs it. This is largely up to your own requirements in terms of accessibility and security.
Protocol Specific Considerations
An Igloo system may depend on much more than basic web traffic, so it is important to take into consideration the type of traffic that will be in common use and how it will impact your network. A simple playback system will not generate much traffic outside of Windows Updates and downloading new content; in this regard the server will behave similarly to a typical client. When content streaming is a requirement, there are some bandwidth and latency requirements to keep in mind, and a network administrator should be involved to make sure there are no adverse effects on your corporate network.
NDI
NDI is a fairly efficient protocol for streaming high quality video content over a network. This is bandwidth intensive by nature, however; a single NDI stream of a 1080i video source will take up around 100Mbps, and requires a latency of around 14ms to avoid frame dropping. It is important to consider how many NDI streams you may have active at a time, and how they are going to traverse your network. It is generally best practice to have clients that need to send NDI streams to the Igloo media server on the local Igloo network, as this reduces the round-trip-time, and also reduces traffic flow across your corporate network.
RTMP
RTMP is a less efficient, though much more easily configurable alternative to NDI streams. Video and audio bitrates can be set independently to match network requirements, and there is control over the codec used to transmit this data. Latency and bandwidth are still important to consider, so the same considerations should be made as in the case of using NDI streams, i.e. how the traffic will traverse your network, how many streams may be active at one time, what the expected latency will be, etc.
Dante Audio
A Dante Audio system is network based, and can sit entirely on the Igloo Network unless external audio sources are required. Bandwidth for an audio stream is typically 6Mbps depending on number of channels and sample size. Dante Audio packets can make use of QoS settings; the published guide to these is shown below:
Priority | Usage | DSCP Label | Hex | Decimal | Binary |
---|---|---|---|---|---|
High | Time critical PTP events | CS7 | 0x38 | 56 | 111000 |
Medium | Audio, PTP | EF | 0x2E | 46 | 101110 |
Low | (reserved) | CS1 | 0x08 | 8 | 001000 |
None | Other traffic | BestEffort | 0x00 | 0 | 000000 |
Ports for unicast and multicast Dante audio are included in the port requirements above. A more detailed description of these requirements is as follows:
Ports | Multicast Address | Description |
---|---|---|
4321 | | Dante Audio. |
5004 | | AES67 Audio. |
14336-14600 | N/A | Unicast Dante Audio. |
5353 | 224.0.0.251 | mDNS and DNS-SD discovery for Dante devices. |
9875 | 239.255.255.255 | AES67 discovery for Dante devices. |
319-320 | 224.0.1.129 - 224.0.1.132 | Precision Time Protocol (PTP). |
9998 | 239.254.3.3 | PTP Logging. |
8700-8708 | 224.0.0.230 - 224.0.0.233 | Monitoring traffic. |
Support
Remote Access
TeamViewer
TeamViewer is Igloo’s remote support method. We install TeamViewer as a service, which grants easy access to our support team. This is not configured to require a password from our support team unless specifically requested. The following ports are required for TeamViewer access:
TCP/UDP 5938 Outbound (Primary)
TCP 443 Outbound (Failover 1)
TCP 80 Outbound (Failover 2)
Igloo can also provide support through TeamViewer when it is set to LAN-only mode, provided Igloo support has access to a VPN or relevant firewall connection.
LogMeIn GoToMyPC
GoToMyPC is not the preferred method of remote support, though it can be used if required. We have no quick access system as with TeamViewer, so response times may be affected. The following network ports will be required for external support to connect to the system:
TCP 80 Outbound
TCP 443 Outbound
TCP 8200 Outbound
Windows RDP
Windows Remote Desktop Connection is a tool that can allow Igloo staff to install software updates; however, it doesn’t grant the ability to remotely assist users, as Windows RDP creates a new session, unlike other comparable tools. Using this should be avoided where possible.
Raising a Support Request
Any and all queries should be sent to myadvocate@igloovision.com where a ticket will be raised and one of our support team will be assigned to your case. Tickets can also be raised via the web at myadvocate.igloovision.com.