ii • Crestron e-Control® Reference Guide – DOC. 6052
Crestron e-Control® Software
Crestron e-Control®
Introduction
Crestron e-Control® is a broad-based technology that integrates Crestron audio/visual
control into Ethernet/IP networks. Ethernet technology has been used since the mid
1970s and is the most widely accepted standard throughout the world. By using
Ethernet in your control applications, you are following the common trend in
technology today. In addition, you gain the ability to harness the speed and flexibility
of the Internet to access, analyze, and diagnose control system functions.
Crestron e-Control offers many benefits, including:
• Worldwide acceptance of Ethernet products and use of standard networking
protocols.
• Ability to use low-cost Ethernet switches and other affordable Ethernet
physical media.
• Connections that are simple to wire, and easy to debug and maintain.
• Support for both 10 and 100Mbps products and half and full-duplex
transmission.
• Support for static and dynamic IP addressing.
• Control systems with built-in Web server capability, allowing devices to be
controlled using a standard Web browser.
• Analysis, control, and diagnostics available at any time or place.
This document is your reference guide to e-Control. The first half reviews the basic
networking principles needed to set up and maintain an e-Control network. This
includes an explanation of common networking terminology as well as cabling
specifications and concepts such as static and dynamic IP addressing, subnet masks,
and port numbers. The second half deals with specific e-Control applications,
including hardware setup and configuration, software programming, and system-to-system communication.
This electronic document will continue to be updated as Crestron adds new features
and capabilities to e-Control, so be sure to check back for the latest information.
NOTE: This section reviews basic Ethernet and IP networking principles that form
the foundation for e-Control. Even if you are familiar with these terms or have prior
networking experience, the material contained here will help you better understand
how Crestron implements e-Control. You can also refer to “Appendix A: Glossary”
on page 46 for a list of networking terms and acronyms used throughout this guide.
A network is any collection of independent computers, printers, and peripheral
devices that are connected by cables. A network incorporating e-Control will also
typically include connected Crestron control systems, network control modules, and
touchpanels that control AV, lighting, and other equipment. Information travels over
the cables, allowing users on the network to communicate, exchange data, and
control equipment. Each device that is connected to the network is called a node.
Networks can have tens, thousands, or even millions of nodes.
Local Area Networks (LANs) are usually confined to a geographic area, such as a
single building or a college campus. LANs can be small, linking as few as two or
three computers, but often can link hundreds of computers used by thousands of
people. Wide Area Networks (WANs) such as the Internet combine multiple LANs that
are geographically separate.
[Figure: devices joined by Network Cable to a Switch or Hub]
The development of standard networking protocols and media has resulted in
worldwide proliferation of LANs throughout business and educational organizations.
The most popular LAN technology in use today, and the standard that is the basis for
e-Control, is Ethernet, which consists of computers and devices cabled together
according to specific rules defined by the Institute for Electrical and Electronic
Engineers (IEEE).
Ethernet networks are categorized by how fast they can transfer data. Speed is
expressed in megabits per second (Mbps) and even gigabits per second (Gbps). One
"bit" is equal to 1/8th of a character, letter, or number. Standard Ethernet operates
at 10Mbps, which is fast enough for most networking tasks. Crestron’s X-Series
control systems and CEN devices operate at 10Mbps. Fast Ethernet, by contrast,
operates 10 times faster at 100Mbps, making it ideal for video, multimedia, and other
speed-intensive applications. Crestron’s 2-Series control systems and TPS Ethernetenabled touchpanels can operate at 10Mbps or 100Mbps. Fast Ethernet and Standard
Ethernet are not readily compatible; making the two speeds communicate on the
same network requires special equipment such as a switch.
Some network devices, including Crestron 2-Series control systems and TPS
Ethernet-enabled touchpanels, can determine the speed of data transfer and
automatically adjust to that speed. This is called auto-sensing. Any device that has
been labeled “10/100” or “auto-sensing” should be able to work with any standard
Ethernet network devices, regardless of speed, provided that the proper cabling is
used.
Full duplex and half duplex are terms that refer to how data is transferred over a
network. Duplex means "two-way", and describes the sending and receiving of data.
If a device is full duplex, it means that the device sends and receives data
simultaneously. If it is a half duplex device, it alternates between sending and
receiving. Thus, a 100Mbps full duplex device (such as a Crestron 2-Series control
system or TPS Ethernet touchpanel) is actually operating at 200Mbps. A 10Mbps half
duplex device (such as a Crestron X-Series control system or CEN device), alternates
between sending at 10Mbps and then receiving at 10Mbps.
Network Cards
To communicate over Ethernet a device must have an Ethernet network card or
adapter installed. Ethernet network cards (often called Network Interface Cards, or
NICs) are installed inside a device, while network adapters are external. Some
Crestron control systems, such as the MP2E, come with an Ethernet network card
already built in, whereas others like the PRO2 require separate purchase of a
C2ENET card (shown in the figure). TPS touchpanels connect to the Ethernet network
via a Crestron TPS-ENET or a TPS-ENETL card.
Ethernet networking also requires at least one hub or switch to act as the central point
of the network. This is because you can’t string multiple devices on an Ethernet
network directly into one another. They must connect at a central point. (However, a
crossover cable can be used when connecting only two devices together.)
Cables, Hubs, and Switches
Special cabling is required to build an Ethernet network. One end of an RJ-45 cable
plugs directly into the device’s Ethernet network card or adapter, and the other end
plugs into a switch, hub, or similar device, connecting that device to the other
networked devices.
RJ-45 connectors look like standard telephone line connectors, except that they have
a set of eight wires instead of four, which makes the clip wider and thicker than a
telephone connector. The socket into which the RJ-45 fits can be found on practically
all Ethernet devices, including Crestron control systems, TPS touchpanels and CEN
devices.
The most popular type of Ethernet cabling, and the type that Crestron recommends for
use in e-Control, is twisted-pair, which looks like an ordinary telephone cable,
except that it has eight wires inside instead of four.
Twisted-pair cabling is available in different grades or categories. About 85% of the
networks in the U.S. use standard unshielded twisted-pair (UTP) Category 5 cable
because it offers a performance advantage over lower grades, and because it supports
both Ethernet and Fast Ethernet networks. Crestron recommends using UTP Cat 5
cabling for use in e-Control.
The most common type of network cable is a straight-through cable, which, as its
name indicates, allows data to travel along a straight path through the cable to its
destination. A straight-through cable is used to connect a computer, control system,
or touchpanel to a hub or switch. This is because the send and receive connections on
the hub or switch are the reverse of those on the device’s network card or adapter.
Thus, data goes "straight" from a send connection on the device to a receive
connection on the hub or switch.
In contrast, crossover cables are useful for connecting any two network devices
whose send and receive connections are the same. For example, many cable modems
require a crossover cable to connect to a router. Here the cable "crosses" connections,
allowing send connections to be directed to receive connections, and vice versa.
You should always know the type of cable a connection requires.
When UTP Cat 5 cabling is used, straight-through cabling is inserted between each
network device and the hub or switch. If you have five devices, you'll need five
cables.
Each cable cannot exceed 328 feet in length. When viewed from above, a 10BaseT
network forms a star configuration. That is, the cables from all of the devices
converge at a common point. As shown in the figure, three computers are connected
with 10BaseT cabling and a hub.
A 10BaseT hub is simply a box with a row of 10BaseT jacks. Most hubs have five,
eight, 12, or 16 jacks, but some may have more. Most hubs also have an uplink port,
which is a special port that allows the hub to be connected to other hubs. Uplink
ports are the reverse of the other regular ports on the hub or switch. This is useful
for "daisy-chaining" network connection devices so you can add ports.
To connect two 5-port switches together, for instance, you could connect one end of a
straight-through cable to the uplink port on the back of the first switch, and connect
the other end of the cable to any available regular port on the second switch. This
would effectively add four more ports to the network.
A hub differs from a switch in that hubs use shared bandwidth, meaning that they
must share their speed across the total number of ports on the device. As an example,
a 10Mbps 5-port hub shares its 10Mbps speed across the five ports. Thus, if five
devices are connected to five ports, each port can only transfer data at a rate of
2Mbps, because 10 divided by 5 equals 2. A 100Mbps 10-port hub with 10 devices
connected to it shares the 100Mbps across the 10 ports, for a speed of 10Mbps per
port. In addition, the duplex type of the device contributes to the total throughput of
the device.
Switches, on the other hand, use dedicated bandwidth. Each port on a switch is
given the full speed of the switch. Therefore, a 100Mbps 5-port switch with five
devices attached would transfer data at 100Mbps over every port — an obvious
advantage over a hub. Switches are usually more expensive than hubs, but the
performance is better. Duplex is a factor in total performance as well.
10/100 Ethernet Cabling Distances

Connection                                                      Speed     Maximum distance
Hub to Hub (without a switch)                                   10Mbps    100 meters/328 feet
Hub to Hub (without a switch)                                   100Mbps   10 meters/32.8 feet
Hub to Switch                                                   100Mbps   100 meters/328 feet
PC to Hub/Switch                                                100Mbps   100 meters/328 feet
Crestron Control System to Hub/Switch (2-Series and X-Series)   10Mbps    100 meters/328 feet
Crestron Control System to Hub/Switch (2-Series only)           100Mbps   100 meters/328 feet
Crestron touchpanel to Hub/Switch (TPS-ENET only)               10Mbps    100 meters/328 feet
Crestron touchpanel to Hub/Switch (TPS-ENET only)               100Mbps   100 meters/328 feet
Crestron CEN device to Hub/Switch                               10Mbps    100 meters/328 feet
Internet security is an important consideration in networking, since any networked
device with access to the Internet is, to some degree, at risk for unauthorized access.
Fortunately, protecting a network is both inexpensive and easy. The most simple and
flexible way to build an Internet firewall (network shield from unauthorized access)
is to install a piece of hardware into the network that already has firewall software
built into it. The most commonly used firewall device is an Internet router.
[Figure: Internet - Modem - Router (WAN side / LAN side) - Switch]
An Internet router is installed between an Internet connection and the rest of the
network. It protects the network by making individual computers, control systems,
and other Ethernet devices “invisible” to the outside world. The only externally
recognized device is the router itself. Put another way, a router is a network device
with two sides: one side is made up of the private LAN of PCs, control systems,
touchpanels, etc. which this reference guide sometimes calls the “internal LAN.” The
other, public side is the Internet, or the WAN. We will see that in some applications
the “public” side can also be a corporate or residential LAN, with the “internal” side
being a sub-network within that LAN.
The router’s firewall (NAT, or Network Address Translator) protects the internal
LAN by inspecting the data coming in from the WAN port before delivery to the
final destination on the LAN port. The router inspects Internet port services like the
Web server, FTP server, or other Internet applications, and, if allowed, it will forward
the data to the appropriate PC or control system on the LAN side.
In this way, an Internet router accomplishes two separate but related tasks. First, it
protects the network from unwanted access and/or unneeded information. Second, it
routes information to the intended destination.
Crestron NAT
Crestron manufactures an Ethernet network card for its 2-Series control systems
called the C2ENET-2 card, which provides two RJ-45 Ethernet ports (labeled LAN A
and LAN B). The card works with an internal NAT on the 2-Series processor that
enables programmers to create a sub-network within a larger corporate or residential
LAN. Here the card’s LAN A port is the public side that is visible to the larger
network, while the LAN B port connects to the private, internal LAN of e-Control
devices.
The Ethernet standard supports numerous communication protocols that determine
how data is transferred from one network node to another. Different protocols work
together at different levels, or layers, as outlined by the OSI reference model, to
enable communication on a network. The OSI reference model separates node-to-node communications into seven layers, each building upon the standards contained
in the levels below it. The lowest of the seven layers deals solely with hardware
links; the highest deals with software interactions at the application-program level.
(The OSI model is explained more in detail in “Appendix B: The OSI Reference
Model” on page 55.)
TCP/IP is the suite (or stack) of networking protocols that make up the Internet and
most LANs. The TCP/IP name is taken from two of the core protocols in the suite, IP
(Internet Protocol) and TCP (Transport Control Protocol). Another core protocol in
the suite is UDP (User Datagram Protocol).
Crestron equipment communicates over Ethernet using a proprietary protocol called
CIP (Crestron over Internet Protocol), which is an implementation of UDP. Crestron
also provides hardware and software gateways that convert data received over TCP
into CIP, and vice-versa.
Both UDP and TCP are transport-layer (layer 3) protocols that run over IP networks.
UDP has several characteristics that make it convenient and useful for e-Control.
First, UDP is connectionless, meaning that Crestron equipment can transfer data over
Ethernet without prior advertising or need to negotiate a connection. UDP has
minimal overhead; each datagram on the network is composed of just a small header
and the control data. In addition, UDP allows data to be broadcast to multiple
devices. UDP thus provides simple, fast, and efficient transfer of data.
In contrast, TCP is a connection-oriented protocol. Before data transfer can take
place, a connection must first be established; after data transfer, the connection must
be torn down. TCP incurs much more overhead than UDP because it provides
extensive error checking and flow control. This makes TCP a more reliable, yet
slower transmission.
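The connectionless-versus-connection-oriented distinction above is easy to see on a loopback interface. The following is an added example written for this guide, not Crestron code, and it does not implement CIP (whose datagram format is proprietary); it only contrasts plain UDP and TCP sockets from the Python standard library. Ports are chosen by the operating system (bind to port 0), and the payloads are constructed sample data.

```python
"""Connectionless UDP versus connection-oriented TCP on 127.0.0.1.

Added example (standard library only). Shows that a UDP datagram is sent
without any prior connection and even when no one is listening, while a
TCP transfer needs connect()/accept() first and fails visibly when the
port is closed.
"""
import socket
import threading


def udp_exchange(payload: bytes = b"constructed control datagram") -> bytes:
    """Send one datagram with no handshake; the receiver simply reads it."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))            # port 0: let the OS pick a free port
    server.settimeout(2)
    port = server.getsockname()[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        client.sendto(payload, ("127.0.0.1", port))   # no connect(), no negotiation
        data, _peer = server.recvfrom(65535)
        return data
    finally:
        client.close()
        server.close()


def udp_send_to_closed_port() -> bool:
    """sendto() succeeds even with no listener: UDP gives no delivery guarantee."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()                            # nothing is listening on `port` now
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        client.sendto(b"x", ("127.0.0.1", port))
        return True                          # the sender is not told anything went wrong
    finally:
        client.close()


def tcp_exchange(payload: bytes = b"constructed stream data") -> bytes:
    """Handshake (connect/accept), bulk transfer, then teardown (close)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]
    received = bytearray()

    def serve():
        conn, _peer = server.accept()        # completes the three-way handshake
        with conn:
            while chunk := conn.recv(4096):  # read until the client closes its side
                received.extend(chunk)

    t = threading.Thread(target=serve)
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall(payload)              # TCP orders and retransmits as needed
    t.join(timeout=5)                        # client close() ends the server loop
    server.close()
    return bytes(received)


def tcp_connect_to_closed_port() -> bool:
    """connect() to a port with no listener is refused: connection setup is
    visible to the sender, unlike a lost UDP datagram."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    try:
        socket.create_connection(("127.0.0.1", port), timeout=2).close()
        return False
    except ConnectionRefusedError:
        return True


if __name__ == "__main__":
    print("UDP received:", udp_exchange())
    print("UDP send to closed port succeeded:", udp_send_to_closed_port())
    print("TCP received:", tcp_exchange())
    print("TCP connect to closed port refused:", tcp_connect_to_closed_port())
```

The practical consequence for e-Control monitoring is the fourth function: a TCP client learns immediately that a port is closed, whereas a UDP sender (or a CIP device built on UDP) gets no such signal and must rely on its own timeouts.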
IP Addressing
Both UDP and TCP use the same addressing scheme; that is, they use IP addresses
to identify devices (hosts) connected via Ethernet to other hosts. Every host on an IP
network must have a unique IP address to identify its “location,” or address, on the
network. This applies to both the WAN and LAN connections.
The IP address is a 32-bit binary number that is expressed in “dotted quad” format,
consisting of the decimal values of its four octets (bytes) separated by periods. For
example, the IP address 192.168.123.132 is the decimal equivalent of the binary
number 11000000.10101000.01111011.10000100.
The decimal numbers separated by periods are the octets converted from binary to
decimal notation.
The first part of an IP address identifies the network; the last part identifies the host,
or node. If you take the example 192.168.123.132 and divide it into these two parts
you get 192.168.123.0 as the network address; and 0.0.0.132 as the host address.
Internet addresses are allocated by the InterNIC, the organization that administers the
Internet. These public IP addresses are divided into classes, the most common being
A, B, and C. The class of a network depends on its size.
You can identify the class of an IP address by looking at its first octet, as follows:
• Class A addresses are for large networks with many devices. These networks
have 0-127 as their first octet. The address 10.52.36.11 is a Class A address.
Its first octet is 10, which is between 1 and 126, inclusive.
Class A networks can have up to 16,777,214 hosts.
• Class B addresses are for medium-sized networks. These networks have 128-
191 as their first octet. The address 145.16.52.63 is a Class B address. Its first
octet is 145, which is between 128 and 191, inclusive.
Class B networks can have up to 65,534 hosts.
• Class C addresses are for small networks. These networks have 192-223 as
their first octet. The address 198.145.123.132 is a Class C address. Its first
octet is 198, which is between 192 and 223, inclusive.
Class C networks can have up to 254 hosts.
IP Subnet Masking
Applying a subnet mask to an IP address allows an Internet router to identify the
“network” and “node” parts of the address. The 1s in the mask represent the network
bits, and the 0s in the mask represent the node bits. Performing a bitwise logical
AND operation between the IP address and the subnet mask results in the network
address. For example:
This result may seem familiar because Class A, B and C addresses have a self-encoded or default subnet mask built in:
Class A - 255.0.0.0 11111111.00000000.00000000.00000000
Class B - 255.255.0.0 11111111.11111111.00000000.00000000
Class C - 255.255.255.0 11111111.11111111.11111111.00000000
Private Subnets
Three specific ranges of IP network addresses have been set aside for internal use,
meaning that they are not routable on the Internet. These addresses are considered
unregistered. No company or agency can claim ownership of unregistered addresses
or use them on public computers. Routers are designed to discard (instead of
forward) unregistered addresses.
• Range 1: Class A - 10.0.0.0 through 10.255.255.255
• Range 2: Class B - 172.16.0.0 through 172.31.255.255
• Range 3: Class C - 192.168.0.0 through 192.168.255.255
You are not required to use any particular range when you set up an internal network.
However, Crestron recommends using the private network addresses for e-Control
equipment on an internal LAN, because they greatly reduce the chance of an IP
address conflict.
Another reserved IP address is 127.0.0.1, or localhost. This special address is also
referred to as a loopback address and represents the same computer or device on
which a TCP/IP message originates. Data going to 127.0.0.1 does not actually go out
to the Internet.
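The addressing rules from the last few sections (dotted-quad to binary, classful first-octet ranges, bitwise AND with the subnet mask, and the private and loopback ranges) are summarized in the following added example. It is not Crestron code; it uses only the Python standard library, and the addresses it is run on are the guide's own examples (192.168.123.132, 10.52.36.11, 145.16.52.63, 198.145.123.132).

```python
"""IPv4 addressing helpers: binary view, classful class, mask AND, scope.

Added example (standard library only). The host counts it computes match
the figures quoted for Class A, B and C networks.
"""
import ipaddress
from typing import Optional, Tuple


def to_binary(addr: str) -> str:
    """'192.168.123.132' -> '11000000.10101000.01111011.10000100'."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {addr}")
    return ".".join(f"{o:08b}" for o in octets)


def address_class(addr: str) -> str:
    """Classful category from the first octet: A 0-127, B 128-191, C 192-223."""
    first = int(addr.split(".")[0])
    if first <= 127:
        return "A"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    return "other"   # classes D and E (multicast, reserved) are outside this guide


DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def split_address(addr: str, mask: Optional[str] = None) -> Tuple[str, str]:
    """Return (network part, host part) by ANDing the address with the mask.

    With no mask given, the classful default is used, which is why
    192.168.123.132 splits into 192.168.123.0 and 0.0.0.132.
    """
    if mask is None:
        mask = DEFAULT_MASK[address_class(addr)]
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    network = ipaddress.IPv4Address(a & m)                  # 1 bits keep network bits
    host = ipaddress.IPv4Address(a & (~m & 0xFFFFFFFF))     # 0 bits keep host bits
    return str(network), str(host)


def max_hosts(mask: str) -> int:
    """Usable hosts: 2^(host bits) minus the network and broadcast addresses."""
    m = int(ipaddress.IPv4Address(mask))
    host_bits = 32 - bin(m).count("1")
    return 2 ** host_bits - 2


# The three non-routable ranges listed above, plus the loopback network.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),        # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),     # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),    # 192.168.0.0 - 192.168.255.255
]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def classify_scope(addr: str) -> str:
    """'loopback', 'private' or 'public'; useful when auditing what a router
    should refuse to forward."""
    ip = ipaddress.IPv4Address(addr)
    if ip in LOOPBACK:
        return "loopback"
    if any(ip in net for net in PRIVATE_RANGES):
        return "private"
    return "public"


if __name__ == "__main__":
    for a in ["192.168.123.132", "10.52.36.11", "145.16.52.63", "198.145.123.132"]:
        cls = address_class(a)
        net, host = split_address(a)
        print(f"{a:16} {to_binary(a)}  class {cls}  mask {DEFAULT_MASK[cls]}  "
              f"network {net}  host {host}  {classify_scope(a)}  "
              f"max hosts {max_hosts(DEFAULT_MASK[cls])}")
```

Passing an explicit mask to split_address shows the general case the guide alludes to: a mask such as 255.255.255.128 moves one bit from the host part to the network part, so the same address lands in a different, smaller subnet.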
Default Gateway
A default gateway is a router that links a subnet, or internal LAN, to outside
networks. When a device attempts to communicate with another device on the same
internal LAN, the data is simply transferred on the local subnet. However, if the
destination is a remote device, then the data has to be forwarded to the default
gateway. It is then the responsibility of the router to forward the data to the correct
subnet.
In cases where data will not be routed outside the internal LAN, the default gateway
address can be set to 0.0.0.0. Otherwise, you would specify the internal LAN address
of the router.
Static and Dynamic IP Addressing
Static and dynamic IP addressing are two different methods of assigning an IP
address to a device.
A static IP address is a fixed IP address that you assign manually to a computer or
network device. It remains valid until it is disabled; static IP addressing thus ensures
that a device will always have the same IP address until it is changed to a different
value.
Crestron’s X-Series control systems and CEN devices require static IP addressing for
use in e-Control.
In contrast, a dynamic IP address is automatically assigned to a device on the
network. These IP addresses are called “dynamic” because they are only temporarily
assigned, or leased, to the device. After a certain time they expire and may change.
When a device connects to the network (or the Internet) and its dynamic IP address
has expired, the DHCP (Dynamic Host Configuration Protocol) server will assign it a
new dynamic IP address.
The purpose of DHCP is to let network administrators centrally manage and
automate the assignment of IP addresses in an organization’s network. DHCP greatly
reduces the work necessary to administer a large IP network. Without DHCP, the
administrator has to manually configure the IP address each time a computer is added
to the network or moves to a different location.
DHCP provides integration with a DNS (Domain Name System) service. This system
allows hosts to have both domain name addresses (such as ftp.crestron.com) and IP
addresses (such as 65.206.113.4). The domain name address is easier for people to
remember and is automatically translated into the numerical IP address.
The domain name address (also called the Fully-Qualified Domain Name, or FQDN)
identifies the owner of that address in a hierarchical format: server.organization.type.
For example, ftp.crestron.com identifies the FTP server at Crestron, with “.com”
signifying a commercial organization.
A DNS server, also called a name server, maintains a database containing the host
computers and their corresponding IP addresses. Presented with the domain name
address ftp.crestron.com, for example, the DNS server would return the IP address
65.206.113.4.
Another name-resolution service is WINS (Windows Internet Naming Service).
WINS is used in conjunction with DNS and DHCP in a Windows NT 4.0 Server
environment.
Crestron’s 2-Series control systems and TPS touchpanels support DHCP in a
Windows 2000 Server or Windows NT 4.0 Server environment.
Obtaining IP Information
If you are setting up a residential LAN, you must obtain the IP address and other IP
configuration information for the WAN side of the router from the ISP. You would
then use the router’s network configuration screens to define the range of static IP
addresses available on the LAN side.
If you are installing e-Control in a corporate LAN, the network administrator must
provide you with static IP addresses if you are configuring X-Series and CEN
equipment. In addition to the static IP address of each device, the network
administrator will give you the subnet mask and default gateway address of the
network.
For 2-Series control systems and TPS touchpanels, you can configure the equipment
to accept dynamic IP addresses from the Windows DHCP Server.
If you are using the NAT on the C2ENET-2 card, you can configure the LAN A side
for static or dynamic IP addressing. Then you can assign static IP addresses for
devices on the LAN B side, using the range of private IP addresses.
Port Numbers
Any server machine makes its services available to the Internet using numbered
ports, one for each service. For example, if a server machine is running a Web server
and an FTP server, the Web server would typically be available on port 80, and the
FTP server would be available on port 21. Clients connect to a service at a specific IP
address and on a specific port number. There are 65,535 port numbers available for
use with TCP, and the same number is available for UDP.
The port numbers are divided into three ranges: the Well Known Ports, the
Registered Ports, and the Dynamic and/or Private Ports.
• The Well Known Ports are those from 0 through 1023.
• The Registered Ports are those from 1024 through 49151—Crestron has four
registered ports for CIP and TCP communication.
• The Dynamic and/or Private Ports are those from 49152 through 65535.
Some examples of well-known port numbers are FTP (port 21), Telnet (port 23),
E-mail (SMTP, or Simple Mail Transfer Protocol, port 25) and WWW (port 80).
If the server machine accepts connections on a port from the outside world, and if a
firewall is not protecting the port, you can connect to the port from anywhere on the
Internet and use the service.
Note that nothing forces a Web server, for example, to be on port 80. If you were to
set up your own Web server, you could put it on port 49153 or any other unused port.
Then if the server were located at http://www.e-control.com, someone on the
Internet could connect to that server by typing http://www.e-control.com:49153. The
":49153" explicitly specifies the port number, and would have to be included for
someone to reach the server. When no port is specified, the browser simply assumes
that the server is using the well-known port 80.
Port Mapping
If a firewall or NAT is protecting a port, an Internet client can still access a server
machine on the internal LAN if the router or NAT is configured for port mapping.
Port mapping is a mechanism that makes specific services available to the WAN
without exposing other areas of the internal LAN.
Here you assign an “external” port number to whichever service you want to make
available to the outside world; the external port is mapped to the real port number on
the internal LAN. This allows anyone on the outside to connect to the server, if they
know the IP address or domain name address of the router and the external port
number of the server.
For example, if you were to set up a Web server on the internal LAN, you could
assign it an external port number 918, and map it to internal port 80. Any Internet
client that wants to connect to that server would then need to know the IP address of
the router, and the external port number. If the router were located at IP address
195.164.35.7, the client would enter http://195.164.35.7:918, as shown below.
[Figure: Browser (http://195.164.35.7:918) -> WAN (195.164.35.7) -> Router -> LAN (192.168.1.1) -> Hub -> Server (192.168.1.8)]

Router Port Mapping Settings
External Port   IP Address    Protocol   Internal Port
918             192.168.1.8   TCP        80
Most routers allow between 10 and 16 ports to be opened using port mapping; the
Crestron NAT that is built into the 2-Series processor allows up to 16.
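The following added example models the port-number and port-mapping behaviour described in the two sections above: a browser URL without a port defaults to the well-known port, the router forwards only external ports that appear in its mapping table, and everything else is dropped. It is not any router's or Crestron's firmware; the values come from the guide's figure (WAN address 195.164.35.7, external port 918 mapped to 192.168.1.8 port 80) and the 16-entry limit is the one stated for the Crestron NAT. The exposed_services helper is a hypothetical audit function, included because every mapping is a deliberate opening in the firewall and should be reviewable.

```python
"""Router port-mapping resolution with an exposure audit.

Added example (standard library only). PortMapper holds the mapping
table; route_request answers where an Internet client's request ends up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Well-known ports named in the guide; used when a URL omits the port.
WELL_KNOWN = {"http": 80, "ftp": 21, "telnet": 23}


@dataclass(frozen=True)
class Mapping:
    external_port: int
    internal_ip: str
    protocol: str         # "TCP" or "UDP"
    internal_port: int


class PortMapper:
    MAX_MAPPINGS = 16     # limit stated for the 2-Series NAT; other routers differ

    def __init__(self, wan_ip: str):
        self.wan_ip = wan_ip
        self._table: Dict[Tuple[str, int], Mapping] = {}

    def add(self, m: Mapping) -> None:
        """Add one mapping, rejecting duplicates, bad ports and a full table."""
        key = (m.protocol.upper(), m.external_port)
        if key in self._table:
            raise ValueError(f"external {key[0]} port {m.external_port} already mapped")
        if len(self._table) >= self.MAX_MAPPINGS:
            raise ValueError("mapping table full")
        if not (1 <= m.external_port <= 65535 and 1 <= m.internal_port <= 65535):
            raise ValueError("port out of range")
        self._table[key] = m

    def resolve(self, protocol: str, external_port: int) -> Optional[Tuple[str, int]]:
        """(internal_ip, internal_port) for a mapped port; None means dropped."""
        m = self._table.get((protocol.upper(), external_port))
        return (m.internal_ip, m.internal_port) if m else None

    def exposed_services(self) -> List[Tuple[str, int, str, int]]:
        """Hypothetical audit view: every LAN service reachable from the WAN."""
        return sorted((p, e, m.internal_ip, m.internal_port)
                      for (p, e), m in self._table.items())


def parse_client_url(url: str) -> Tuple[str, int]:
    """Host and port from a browser URL; no port means the well-known one."""
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError(f"no host in {url!r}")
    if parts.port is not None:
        return parts.hostname, parts.port
    if parts.scheme not in WELL_KNOWN:
        raise ValueError(f"no default port for scheme {parts.scheme!r}")
    return parts.hostname, WELL_KNOWN[parts.scheme]


def route_request(router: PortMapper, url: str,
                  protocol: str = "TCP") -> Optional[Tuple[str, int]]:
    """Where a client's request lands after NAT, or None if the router drops it."""
    host, port = parse_client_url(url)
    if host != router.wan_ip:
        return None                      # not addressed to this router's WAN side
    return router.resolve(protocol, port)


if __name__ == "__main__":
    router = PortMapper("195.164.35.7")
    router.add(Mapping(918, "192.168.1.8", "TCP", 80))   # the guide's example
    print(route_request(router, "http://195.164.35.7:918"))   # ('192.168.1.8', 80)
    print(route_request(router, "http://195.164.35.7"))       # None: port 80 not mapped
    print(router.exposed_services())
```

Note that the unmapped request to port 80 is dropped even though a Web server is running on the LAN: the external port, not the internal one, is what the WAN sees.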
Crestron 2-Series control systems are the first in the AV industry to provide built-in
support for SSL, Secure Sockets Layer, the de facto standard for protecting Web-based communication between clients and servers. SSL is a protocol that provides a
secure channel for communication between two machines. The secure channel is
transparent, which means that it passes the data through, unchanged. The data is
encrypted between the client and the server, but the data that one end writes is
exactly what the other end reads. The SSL protocol uses TCP as the medium of
transport.
SSL ensures that the connection between a Web browser and Web server is secure by
providing authentication and encryption. Authentication confirms that servers, and
sometimes clients, are who they say they are. Encryption creates a secure “tunnel”
between the two, which prevents unauthorized access to the system.
The secure tunnel that SSL creates is an encrypted connection that ensures that all
information sent between the client and server remains private. SSL also provides a
mechanism for detecting if someone has altered the data in transit. If at any point
SSL detects that a connection is not secure, it will terminate the connection and the
client and server will have to establish a new, secure connection.
SSL uses both public-key and symmetric key encryption techniques. Public keys are
a component of public-key cryptographic systems. The sender of a message uses a
public key to encrypt data; the recipient of the message can only decrypt the data
with the corresponding private key. Public keys are known to everybody, while
private keys are secret and only known to the recipient of the message. Since only the
server has access to its private key, only the server can decrypt the information. This
is how the information remains confidential and tamper-proof while in transit across
the network.
An SSL transaction consists of two distinct parts: the key exchange, and the bulk data
transfer. The SSL Handshake Protocol handles key exchange and the SSL Record
Protocol handles the bulk data transfer.
The key exchange (SSL handshake protocol) begins with an exchange of messages
called the SSL handshake. During the handshake, the server authenticates itself to the
client using public-key encryption techniques. Then the client and the server create a
set of symmetric keys that they use during that session to encrypt and decrypt data
and to detect if someone has tampered with the data. Symmetric key encryption is
much faster than public-key encryption, while public-key encryption provides strong
authentication techniques.
Once the key exchange is complete, the client and the server use this session key to
encrypt all communication between them. They do this encryption with a cipher, or
symmetric key encryption algorithm, such as RC4 or DES. This is the function of the
SSL Record Protocol. There are two types of ciphers, symmetric and asymmetric.
Symmetric ciphers require the same key for encryption and decryption, whereas with
asymmetric ciphers, data can be encrypted using a public key, but decrypted using a
private key.
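The two-phase structure just described (an asymmetric key exchange that agrees session keys, then a symmetric record layer that encrypts and checks each record) is worked through in the following added example. It is not Crestron's or OpenSSL's code and does not produce SSL's wire format. The key exchange is Diffie-Hellman (listed in the cipher table that follows) over a constructed demonstration modulus, the Mersenne prime 2^127 - 1, which is far too small for real use; the symmetric cipher is a SHA-256 counter-mode keystream standing in for RC4 or DES; and the tamper check is an HMAC. Server authentication by certificate is deliberately left out, which is exactly why a bare exchange like this one is only safe once the certificate step described later is added.

```python
"""Key exchange, then symmetric bulk transfer with tamper detection.

Added example (standard library only). Party models one end of the
session; seal/open_record model the record layer. A modified record is
rejected before decryption, mirroring SSL's "terminate and reconnect".
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # demo modulus (Mersenne prime); NOT a real DH group
G = 3                # demo generator


class Party:
    def __init__(self, name: str):
        self.name = name
        self._x = secrets.randbelow(P - 2) + 1   # private exponent, never sent
        self.public = pow(G, self._x, P)         # sent in the clear in the handshake
        self.enc_key = None
        self.mac_key = None

    def derive_session_keys(self, peer_public: int) -> None:
        """Shared secret g^(xy) mod p, hashed into separate encryption and MAC keys."""
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid peer public value")
        shared = pow(peer_public, self._x, P)
        secret = shared.to_bytes(16, "big")      # P < 2^128, so 16 bytes suffice
        self.enc_key = hashlib.sha256(b"enc" + secret).digest()
        self.mac_key = hashlib.sha256(b"mac" + secret).digest()


def _keystream(key: bytes, seq: int, n: int) -> bytes:
    """Counter-mode keystream: SHA-256(key || record sequence || block index)."""
    out = b""
    block = 0
    while len(out) < n:
        out += hashlib.sha256(key + seq.to_bytes(8, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]


def seal(party: Party, seq: int, plaintext: bytes) -> bytes:
    """Record-layer send: ciphertext || HMAC-SHA256(seq || ciphertext)."""
    ks = _keystream(party.enc_key, seq, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(party.mac_key, seq.to_bytes(8, "big") + ct, "sha256").digest()
    return ct + tag


def open_record(party: Party, seq: int, record: bytes) -> bytes:
    """Record-layer receive: verify the MAC first; a bad tag ends the session."""
    ct, tag = record[:-32], record[-32:]
    expect = hmac.new(party.mac_key, seq.to_bytes(8, "big") + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("record altered in transit; connection must be torn down")
    ks = _keystream(party.enc_key, seq, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def handshake():
    """Both sides exchange public values and arrive at identical session keys."""
    client, server = Party("client"), Party("server")
    client.derive_session_keys(server.public)
    server.derive_session_keys(client.public)
    return client, server


def run_session(message: bytes = b"constructed control data") -> bytes:
    client, server = handshake()
    return open_record(server, 0, seal(client, 0, message))


def tampering_detected(message: bytes = b"constructed control data") -> bool:
    """Flip one ciphertext bit in transit and confirm the receiver rejects it."""
    client, server = handshake()
    record = bytearray(seal(client, 0, message))
    record[0] ^= 0x01
    try:
        open_record(server, 0, bytes(record))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_session())             # b'constructed control data'
    print(tampering_detected())      # True
```

The sequence number folded into both the keystream and the MAC is what stops a valid record from being replayed or reordered; a record sealed as number 0 will not open as number 1.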
SSL supports a variety of ciphers that it uses for authentication, transmission of
certificates, and establishing session keys. SSL-enabled devices can be configured to
support different sets of ciphers, called cipher suites.
Crestron’s implementation of SSL is based on OpenSSL (www.openssl.org), version
0.9.6a. The encryption algorithms and the key lengths supported in the 2-Series
processor are as follows:
Name   Type         Session key lengths (bits)
DES    Symmetric    56
3DES   Symmetric    168
RC2    Symmetric    128
RC4    Symmetric    128
DH     Asymmetric   512
RSA    Asymmetric   512
SSL-enabled clients and servers confirm each other’s identities using digital
certificates. Digital certificates are issued by trusted third-party enterprises called
Certificate Authorities, or CAs. From the certificate, the sender can verify the
recipient's claimed identity and recover their public key. By validating digital
certificates, both parties can ensure that an imposter has not intercepted a
transmission and provided a false public key for which they have the correct private
key.
A CA-signed certificate provides several important capabilities for a Web server:
• Browsers will automatically recognize the certificate and allow a secure
connection to be made, without prompting the user. (If a browser encounters
a certificate whose authorizing CA is not in its list of trusted CAs, the
browser will prompt the user to accept or decline the connection.)
• When a CA issues a signed certificate, they are guaranteeing the identity of
the organization that is providing the Web pages to the browser.
Alternatively, self-signed certificates can be generated for secure Web servers, but
self-signed certificates do not provide the same functionality as CA-signed
certificates. Browsers will not automatically recognize a self-signed certificate; and a
self-signed certificate does not provide any guarantee concerning the identity of the
organization that is providing the server.
In addition, handshaking is much faster in the case of CA-signed certificates because
the process of creating private/public keys is CPU intensive. With self-signed
certificates, these keys are created at every instance of a handshake, whereas with
CA-signed certificates the keys are already loaded. A CA-signed certificate thus
provides many important capabilities for a secure server.
There are various Certificate Authorities, notable among them being Thawte and
Verisign. For a fee, a CA investigates the organization hosting the server and issues a
certificate vouching for the identity of the server. The procedure for
obtaining/enrolling for a CA-signed certificate varies with each CA and is described
on their Web sites. However, all CAs require a CSR, or Certificate Signing Request.
The CSR can be copied and pasted to the online enrollment form or sent via e-mail to
the CA, along with any other pertinent information the CA requires. The CA then
issues the certificate, usually via e-mail. The Crestron Viewport provides all the
certificate management tools necessary to generate a CSR and upload the certificate
to the 2-series processor.
The CA-signed certificate is an ASCII “base64” encoded text (*.CER) file, which the
2-Series processor converts to a binary file called \\SYS\srv_cert.der. As a part of the
CSR process, a private key is also created as \\SYS\srv_key.der. It is extremely
important to back up the private key, as it is unique to each CSR. If the private key is
lost the certificate is useless and it would be necessary to begin the enrollment
process all over again.
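The *.CER file described above is PEM-armoured base64 around DER bytes, and the most common upload failures are a corrupt base64 body or a truncated DER blob. The following is an added example, not Crestron code, of how an administrator can validate a CA-issued *.CER file before uploading it and record its fingerprint for later comparison against what the processor serves. The sample certificate body is a constructed DER SEQUENCE, not a real X.509 certificate, so the example runs offline; the function names are this example's own.

```python
import base64
import hashlib
import re

# Constructed sample: a syntactically valid DER SEQUENCE wrapping two INTEGERs.
# It is NOT a real X.509 certificate; it stands in for the body of a *.CER file.
_SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])
SAMPLE_CER = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(_SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def check_der_sequence(der: bytes) -> int:
    """Verify the blob is exactly one DER SEQUENCE (tag 0x30) and return its length.

    X.509 certificates are SEQUENCEs; a length mismatch means the file was
    truncated or has trailing junk, either of which the processor cannot load.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("DER does not start with a SEQUENCE tag")
    first = der[1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form length: 0x8N, then N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed DER length")
        length = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
    if hdr + length != len(der):
        raise ValueError(
            f"DER length mismatch: header says {length}, body has {len(der) - hdr}"
        )
    return hdr + length


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour, decode the base64 body and check the DER framing."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("not a PEM-armoured CERTIFICATE block")
    body = "".join(m.group(1).split())    # tolerate CRLF and wrapped lines
    der = base64.b64decode(body, validate=True)  # raises ValueError on bad input
    check_der_sequence(der)
    return der


def is_valid_cer(pem_text: str) -> bool:
    """True if the *.CER text would convert cleanly to srv_cert.der."""
    try:
        pem_to_der(pem_text)
        return True
    except ValueError:
        return False


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated hex digest of the DER bytes, as browsers display it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_CER)
    print("DER bytes:", der.hex())
    print("SHA-256 fingerprint:", fingerprint(der))
```

Keep the fingerprint with the backup of srv_key.der: after the upload, the certificate presented on port 443 should carry the same fingerprint, which is a quick way to detect that the wrong file was loaded.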
Here is a description of an SSL transaction:
1. The browser sends a request for an SSL session to the Web server.
2. The Web server sends the browser its digital certificate. The certificate
contains information about the server, including the server’s public key.
3. The browser verifies that the certificate is valid and that a trusted CA issued
it.
4. The browser generates a “master secret” that is encrypted using the server’s
public key and sent to the Web server.
5. The Web server decrypts the master secret using the server’s private key.
6. Now that both the browser and the Web server have the same master secret,
they use this master secret to create keys for the encryption and MAC
(message authentication code) algorithms used in the bulk-data process of
SSL. Since both participants used the same master key, they now have the
same encryption and MAC keys.
7. The browser and Web server use the SSL encryption and authentication
algorithms to create an encrypted tunnel. Through this encrypted tunnel, they
can pass data securely through the network.
Though the authentication and encryption process may seem involved, the user
generally does not even know it is taking place. However, the user will be able to tell
when the secure tunnel has been established since most SSL-enabled Web browsers
will display a small closed lock at the bottom (or top) of their screen when the
connection is secure. Users can also identify secure Web sites by looking at the Web
site address; a secure Web site’s address will begin with https:// rather than the usual
http://. The Web server listens for a secure connection on the well-known port 443.
This section describes how to configure X-Series and 2-Series equipment for
integration into a LAN.
Windows DHCP/DNS Server Configuration
Crestron’s 2-Series control systems (minimum CUZ 3.041) and TPS touchpanels
support DHCP in the following environments:
• Windows 2000 Server with DHCP Server and DNS Server (Dynamic DNS
enabled)
• Windows NT 4.0 Server with DHCP Server and WINS Server
In the configuration requirements below, a scope defines the range of IP addresses
for the network. Typically a scope defines a single physical subnet on the network.
Scopes provide the primary way for the DHCP server to manage distribution and
assignment of IP addresses and any related configuration parameters to clients on the
network.
Scope options are client configuration parameters applied specifically to all clients
that obtain a lease within a particular scope. Some commonly used options include IP
addresses for default gateways (routers), WINS servers, and DNS servers.
The network administrator should configure the Windows Server as follows:
Configuration 1: DHCP + Dynamic DNS (Windows 2000 only)
The network administrator should configure the DHCP scope to include the
following scope options:
• 003 - Router
• 006 - DNS Servers
• 015 - Domain Name
The DHCP scope should also have the following options enabled:
• Always dynamically update all nodes
• Enable updating of nodes that don’t support dynamic DNS
The DNS Server should have the following option enabled:
• Enable WINS Resolution (Windows NT 4.0)
• Enable WINS Forward Lookup (Windows 2000)
Configuration 2: DHCP + DNS + WINS (Windows NT 4.0 and Windows 2000)
The network administrator should configure the DHCP scope to include the
following scope options:
The DNS Server should have the following option enabled:
• Handle Dynamic Updates (Windows 2000 only)
Control Systems
Before setting the control system’s IP information for the first time, use the Crestron
Viewport to establish a serial connection to the unit, as follows:
1. Use a DB9 straight-through serial cable to connect a COM port on the PC to
the COMPUTER port on the control system.
2. Start the Crestron Viewport and click Communication Settings on the
Setup menu. Select RS-232 as the connection type. Then set the PC to match
the communication settings of the control system:
• Port = COM 1. Select the PC COM port (COM 1 - COM 8).
• Baud rate = 115200 for 2-Series processors; 57600 for X-Series.
• Parity = None.
• Number of data bits = 8.
• Number of stop bits = 1.
• Hardware handshaking (RTS/CTS) enabled.
• Software handshaking (XON/XOFF) not enabled.
When communication is established, the title bar at the top of the Viewport
screen will display the serial settings, i.e., “COM1 115200 N81 RTS/CTS”.
You can also click Establish Communication on the Diagnostics menu to
verify communication.
X-Series Control Systems
1. CNXENET and CNXENET+ cards: Click Set Control System IP
Information on the Functions menu.
2. Enter the static IP address of the control system. In the following example,
the control system is assigned the private IP address 192.168.1.4. The
example also shows the default subnet mask for that address class (Class C),
3. Enter the default router address. In residential applications, this is the internal
LAN address of the router, not the WAN IP address that is visible to the
outside. In the example above, the default router address is 192.168.1.1,
which is the default address used by router manufacturers such as Linksys. If
data will not be routed to outside subnets, you can set the default router
address to 0.0.0.0.
4. When you are satisfied with the IP settings click OK to reboot the control
system.
2-Series Control Systems
C2ENET-1 and C2ENET-2 cards: The C2ENET cards provide two configuration
options: one for LAN A and the other for LAN B. With the C2ENET-1 card, values
should only be entered for LAN A.
For static IP addressing, enter the IP information just as described for the CNXENET and CNXENET+ cards.
1. Enter the static IP address of the control system.
2. Enter the subnet mask.
3. Enter the default router address (if data will not be routed to outside subnets,
this value can be set to 0.0.0.0).
In the following example, the control system will be set to the IP address
192.168.1.4. The subnet mask is the default for that address class (Class C),
255.255.255.0, and the default router address will be set to 0.0.0.0.
4. Static IP values can be set for the LAN B side of the C2ENET-2 card the
same way. Simply select LAN B from the Ethernet Adapter list.
As described previously, the C2ENET-2 card allows you to create a subnetwork within a larger corporate or residential LAN. Here LAN A is the
public side that is visible to users on the larger network, while LAN B is the
internal LAN of e-Control devices. In this way, a network administrator
would need to provide one static IP address, for the public (LAN A) side.
Alternatively, the LAN A side can be configured for dynamic IP addressing.
When assigning an IP address for LAN B, it is recommended that you choose
from the private IP address classes described earlier.
The network addresses of LAN A and LAN B cannot be the same. For
example, if the same subnet mask is applied to both IP addresses and the
resulting network address is 192.168.1.0, then an error message will be
generated.
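The LAN A / LAN B rule above can be checked before touching the card. The following is an added example, not part of the Crestron tools, that applies each subnet mask to its address and reports the same-network conflict the card rejects. It goes a little further than the page: it also flags overlapping (not just identical) networks, warns when LAN B is outside the private address ranges recommended earlier, and checks that a non-zero default router actually lies on LAN A. The function names are this example's own.

```python
import ipaddress

# RFC 1918 private ranges, the "private IP address classes" referred to above.
PRIVATE_RANGES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def network_address(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Apply a dotted subnet mask to a host address and return the network,
    e.g. 192.168.1.4 / 255.255.255.0 -> 192.168.1.0/24."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def check_lan_config(lan_a_ip: str, lan_a_mask: str,
                     lan_b_ip: str, lan_b_mask: str,
                     default_router: str = "0.0.0.0") -> list:
    """Return a list of problems with proposed C2ENET-2 settings.
    An empty list means the configuration would be accepted."""
    problems = []
    net_a = network_address(lan_a_ip, lan_a_mask)
    net_b = network_address(lan_b_ip, lan_b_mask)

    # The error the card itself raises: both sides resolve to one network.
    if net_a == net_b:
        problems.append(
            f"LAN A and LAN B resolve to the same network address {net_a.network_address}"
        )
    # Generalisation: any overlap makes routing between the sides ambiguous.
    elif net_a.overlaps(net_b):
        problems.append(f"LAN A ({net_a}) and LAN B ({net_b}) overlap")

    # LAN B is the internal side, so it should use a private range.
    if not any(net_b.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(f"LAN B {net_b} is not in a private address range")

    # 0.0.0.0 means "no routing to outside subnets"; anything else must be on LAN A.
    router = ipaddress.ip_address(default_router)
    if router != ipaddress.ip_address("0.0.0.0") and router not in net_a:
        problems.append(f"default router {router} is not on LAN A ({net_a})")

    return problems


if __name__ == "__main__":
    # The conflicting case from the text: both sides come out as 192.168.1.0.
    for p in check_lan_config("192.168.1.4", "255.255.255.0",
                              "192.168.1.10", "255.255.255.0"):
        print("error:", p)
```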
For dynamic IP addressing:
1. Select the DHCP check box to enable DHCP with Windows 2000 Server; for
Windows NT 4.0 Server, select both the DHCP and the WINS check boxes.
(The IP address and IP mask fields will be ignored if either check box is
selected.)
2. Enter the hostname of the control system in the Hostname field. The
hostname identifies the machine on the network and is automatically
translated into the numerical IP address. The hostname can consist of up to
64 characters. Valid characters are 0 – 9, A – Z (not case-sensitive), and the
dash (hyphen character). No other characters are valid. The hostname cannot
begin with a dash or number.
3. The IP address of the default router is provided by the DHCP server and thus
the Default Router field should be left blank.
4. If applicable, enter the domain in the Domain field. This is only necessary if
you are configuring DHCP on an Ethernet connection to a control system
that currently has a static address. The domain name will be used to
reconnect to the control system after it reboots. With a serial connection, the
domain does not need to be entered.
Note that the domain supplied by the DHCP server will overwrite the domain
that is indicated in this field.
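The hostname rules in step 2 are easy to get wrong by hand, and a rejected hostname on a DHCP-only unit can leave it unreachable by name after a reboot. The following is an added example, not Crestron code, that checks a proposed hostname against exactly those rules (up to 64 characters; letters, digits and dash only; not case-sensitive; must not begin with a dash or a digit). The function names are this example's own.

```python
HOSTNAME_MAX = 64


def validate_hostname(name: str) -> list:
    """Return a list of rule violations for a 2-Series control system hostname.
    An empty list means the name is acceptable."""
    problems = []
    if not name:
        return ["hostname is empty"]
    if len(name) > HOSTNAME_MAX:
        problems.append(f"hostname is {len(name)} characters; maximum is {HOSTNAME_MAX}")
    if name[0] == "-":
        problems.append("hostname cannot begin with a dash")
    elif name[0].isdigit():
        problems.append("hostname cannot begin with a number")
    # Only ASCII letters, ASCII digits and the dash are valid. str.isalnum()
    # alone would accept non-ASCII letters, so the isascii() check matters.
    bad = sorted({c for c in name if not (c.isascii() and (c.isalnum() or c == "-"))})
    if bad:
        problems.append("invalid characters: " + ", ".join(repr(c) for c in bad))
    return problems


def is_valid_hostname(name: str) -> bool:
    return not validate_hostname(name)


def normalize_hostname(name: str) -> str:
    """Hostnames are not case-sensitive; fold to lower case so that the name
    stored on the unit matches what DNS/WINS will return."""
    if not is_valid_hostname(name):
        raise ValueError("; ".join(validate_hostname(name)))
    return name.lower()


if __name__ == "__main__":
    for candidate in ("Pro2-Lobby", "2series", "-ctrl", "rack_1", "a" * 65):
        print(f"{candidate[:20]!r:24} -> {validate_hostname(candidate) or 'OK'}")
```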
Advanced Settings (optional):
1. Click the Advanced button to set optional parameters. You can enter the IP
address of the primary DNS server in the DNS Server 1 field; enter the IP
address of the secondary DNS Server in field 2.
If the DHCP server provides the address for the DNS server, it is not
necessary to enter these values. Here the DNS server addresses will
automatically be filled in.
2. You have the option to change the CIP and CTP port numbers in rare cases
where a network conflict may exist with ports 41794 and 41795.
The Web port can be changed for security reasons if no firewall or router is