  #1  
Old May 30th, 2017, 03:09 PM
lifespeed
Seer
 
Join Date: May 2017
Location: San Jose, CA
Posts: 74
remote access to HSTouch server, static external IP

I am new to Homeseer, just ordered the Z-net to get started with two Z-wave devices, Yale YRD240 lock and an Aeon smartswitch 6.

I wonder about access with the Android app. I have always provided a static URL to my home network using a dynamic DNS service. Does this replace the function of a MyHS login and account? Will I be able to connect HStouch android app to the server on my home network simply by entering the URL and port in Android, and configuring the router and windows firewall appropriately?

I'm trying to figure out the necessity and function of a MyHS account. If Homeseer is truly self-contained, I'm not sure why MyHS does.
Reply With Quote
  #2  
Old May 30th, 2017, 03:11 PM
rmasonjr
OverSeer
 
Join Date: May 2001
Location: Brookhaven, MS USA
Posts: 6,526
You can use a static URL and then port-forward to your HS3 machine. That will work just fine.
myhs is handy for managing multiple HS instances or if you're not network savvy. It is a bit slower than direct access and you are relying on many moving pieces that sometimes can go down.
__________________

HS3Pro Running on a Raspberry Pi2 (Raspbian)
64 Z-Wave Nodes, 162 Events, 293 Devices
UPB modules via OMNI plugin/panel
Plugins: Z-Wave, BLRF, OMNI, HSTouch, weatherXML, EasyTrigger
HSTouch Clients: 3 Android, 1 Joggler
Reply With Quote
  #3  
Old May 30th, 2017, 03:15 PM
lifespeed
Seer
 
Join Date: May 2017
Location: San Jose, CA
Posts: 74
Quote:
Originally Posted by rmasonjr View Post
You can use a static URL and then port-forward to your HS3 machine. That will work just fine.
myhs is handy for managing multiple HS instances or if you're not network savvy. It is a bit slower than direct access and you are relying on many moving pieces that sometimes can go down.
Thanks, that is great. The cloud may have uses, but as far as I can tell Homeseer is supposed to be able to operate self-contained, and I would be happy to keep it that way.

Do you happen to know if HS3pro runs as a windows service, i.e., no user is required to be logged in for the software to function?
Reply With Quote
  #4  
Old May 30th, 2017, 03:18 PM
rmasonjr
OverSeer
 
Join Date: May 2001
Location: Brookhaven, MS USA
Posts: 6,526
Quote:
Originally Posted by lifespeed View Post
Thanks, that is great. The cloud may have uses, but as far as I can tell Homeseer is supposed to be able to operate self-contained, and I would be happy to keep it that way.

Do you happen to know if HS3pro runs as a windows service, i.e., no user is required to be logged in for the software to function?
Windows Service - Unfortunately, no. You will need a 3rd-party solution to run it as a service, or running it via Task Scheduler might work. There are a number of threads on the boards on that subject.
Reply With Quote
  #5  
Old May 30th, 2017, 06:26 PM
Kerat
Seer Master
 
Join Date: May 2016
Location: Colorado USA
Posts: 749
remote access to HSTouch server, static external IP

Quote:
Originally Posted by lifespeed View Post
I am new to Homeseer, just ordered the Z-net to get started with two Z-wave devices, Yale YRD240 lock and an Aeon smartswitch 6.

I wonder about access with the Android app. I have always provided a static URL to my home network using a dynamic DNS service. Does this replace the function of a MyHS login and account? Will I be able to connect HStouch android app to the server on my home network simply by entering the URL and port in Android, and configuring the router and windows firewall appropriately?

I'm trying to figure out the necessity and function of a MyHS account. If Homeseer is truly self-contained, I'm not sure why MyHS does.


Do note that myhs also provides a level of security by encrypting traffic both between your HS instance and the myhs servers and between the myhs servers and your endpoint. I don't think HS3 natively does SSL/TLS encryption. That said, when you make your HS3 instance accessible to the public Internet your authentication is not encrypted and there is a chance that this could be accessible in clear text.

There are some plugins that do require connectivity to your system via myhs.

There was a vulnerability in HS3 versions less than 3.0.0.313 (or 312, I don't remember), wherein users could bypass authentication and control your system. This would pose a threat to installs where the HS3 management interface was allowed public access.

Lastly, a brute force attack is the first method used to gain unauthorized access to systems.

(HS3 can do this)
The easiest mitigation methods against this would be to block public IP addresses after 5 bad password attempts,
(HS3 can do this)

force strong password policies, and lock out user accounts after 5 bad password attempts in say 10 minutes. HS3 does not have any of this functionality built in.

Here I am in the process of locking down access to all my internal websites/network services. I want to minimize my open ports and port forwarding to as few as absolutely necessary. My mantra is, does this really need to be accessible to the public Internet, and if so, how do I lock it down. Currently, I am down to 2 ports open on my firewall. I am currently using a reverse proxy (HAproxy package on pfsense) and remote access via VPN (openvpn package for PFsense) only.

HAproxy acts as a front end and manages access for all the sites I make accessible to the public Internet. It is a hell of a tool. I have it set up to SSL encrypt all the websites I want accessible to the public Internet. Later I will also configure it to only grant access to client endpoints that have the appropriate client certificate.

The VPN is then used when I need remote access to something on my local LAN but do not want it to be accessible to the public Internet.



Sent from my iPhone using Tapatalk

Last edited by Kerat; June 8th, 2017 at 10:49 PM.
Reply With Quote
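The lockout policy described in post #5 (block a public IP after 5 bad password attempts, lock an account after 5 failures within 10 minutes), as an added example that is not part of the thread and is not HomeSeer code. The log layout, the user names and the 192.168.1.0/24 LAN range are assumptions, and the external addresses are documentation ranges.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                              # "5 bad password attempts"
WINDOW = timedelta(minutes=10)                # "in say 10 minutes"
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet

# Constructed sample in an invented "date time result user ip" layout;
# HS3's real log format is not shown in the thread.
SAMPLE_LOG = """\
2017-06-08 22:00:05 LOGIN_FAIL admin 203.0.113.7
2017-06-08 22:00:09 LOGIN_FAIL admin 203.0.113.7
2017-06-08 22:00:14 LOGIN_FAIL admin 203.0.113.7
2017-06-08 22:00:20 LOGIN_FAIL admin 203.0.113.7
2017-06-08 22:00:31 LOGIN_FAIL admin 203.0.113.7
2017-06-08 22:01:00 LOGIN_OK guest 192.168.1.20
2017-06-08 22:05:00 LOGIN_FAIL guest 198.51.100.9
2017-06-08 22:08:00 LOGIN_FAIL guest 198.51.100.9
2017-06-08 22:11:00 LOGIN_FAIL guest 198.51.100.9
2017-06-08 22:14:00 LOGIN_FAIL guest 198.51.100.9
2017-06-08 22:26:00 LOGIN_FAIL guest 198.51.100.9
2017-06-08 22:30:00 LOGIN_FAIL kiosk 192.168.1.30
2017-06-08 22:30:10 LOGIN_FAIL kiosk 192.168.1.30
2017-06-08 22:30:20 LOGIN_FAIL kiosk 192.168.1.30
2017-06-08 22:30:30 LOGIN_FAIL kiosk 192.168.1.30
2017-06-08 22:30:40 LOGIN_FAIL kiosk 192.168.1.30
"""

def evaluate(log_text):
    """Replay a log and return (blocked_ips, locked_users)."""
    recent = defaultdict(deque)   # ("ip"|"user", value) -> recent failure times
    blocked, locked = set(), set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "LOGIN_FAIL":
            continue              # skip successes and malformed lines
        date, clock, _, user, ip = parts
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        for kind, value in (("ip", ip), ("user", user)):
            q = recent[(kind, value)]
            q.append(ts)
            while ts - q[0] > WINDOW:   # forget failures older than the window
                q.popleft()
            if len(q) < MAX_FAILURES:
                continue
            if kind == "user":
                locked.add(user)        # account lockout
            elif ipaddress.ip_address(ip) not in LAN:
                blocked.add(ip)         # firewall block, public sources only
    return blocked, locked

if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG))
```

In the sample, 198.51.100.9 is never blocked because its fifth failure arrives more than ten minutes after the first four, which is the gap the strong-password requirement in the same post is meant to cover.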
  #6  
Old June 8th, 2017, 10:26 PM
lifespeed
Seer
 
Join Date: May 2017
Location: San Jose, CA
Posts: 74
Interesting info, thanks. So if I were to point the HS3Touch app directly to my home network and open the port (which port? noob here) the traffic would not be encrypted?
Reply With Quote
  #7  
Old June 8th, 2017, 10:56 PM
Kerat
Seer Master
 
Join Date: May 2016
Location: Colorado USA
Posts: 749
Quote:
Originally Posted by lifespeed View Post
Interesting info, thanks. So if I were to point the HS3Touch app directly to my home network and open the port (which port? noob here) the traffic would not be encrypted?

I am not sure that HStouch gives that much control. I think it forces access through myhs.
You can choose any port you want. Generally port 80 is non-encrypted and port 443 is reserved for encrypted traffic. Here I forward port 443 to my HAProxy then determine which sub site based on the subdomain HTTPS request.

Yes, without something that handles SSL encryption it would not be encrypted.


Sent from my iPhone using Tapatalk
Reply With Quote
  #8  
Old June 8th, 2017, 11:20 PM
lifespeed
Seer
 
Join Date: May 2017
Location: San Jose, CA
Posts: 74
What about external SSL web access? Do I need to create a server.pfx certificate in order for the browser to trust HS3 web page accessed from outside my network? I can access it currently on port 80, but enabling SSL access in HS3 network settings and forwarding the port through the router didn't work, browser complained about an insecure connection.
Reply With Quote
  #9  
Old June 9th, 2017, 02:06 AM
logbuilder
Seer Master
 
Join Date: Nov 2016
Location: Pacific North West
Posts: 684
HSTouch does not require myhs. I have an app I created that I can access remotely via a DDNS address that resolves to my HS3 server. There is a port forwarded on the router for this.
Reply With Quote
  #10  
Old June 9th, 2017, 02:12 AM
lifespeed
Seer
 
Join Date: May 2017
Location: San Jose, CA
Posts: 74
Quote:
Originally Posted by logbuilder View Post
HSTouch does not require myhs. I have an app I created that I can access remotely via a DDNS address that resolves to my HS3 server. There is a port forwarded on the router for this.
A port? There are 65535 of them. Please be specific.
Reply With Quote
  #11  
Old June 9th, 2017, 04:15 AM
zwolfpack
Seer Master
 
Join Date: Sep 2015
Location: Orange County, California, USA
Posts: 999
Quote:
Originally Posted by lifespeed View Post
A port? There are 65535 of them. Please be specific.
..
Attached Images
 
Reply With Quote
  #12  
Old June 9th, 2017, 05:50 AM
Pete
OverSeer
 
Join Date: Jan 2001
Location: House
Posts: 15,445
Personally here have always utilized my no ip dynamic DNS provider. In general the more I added to my home network the more difficult it became to manage the open ports on the firewall.

Note this was for more than HSTouch. Rather than keep playing with the firewall I went to using VPN.

In the middle 2000's I had a few Windows servers and traveled out of country sometimes for a few days and sometimes for a week or two.

I would get bored sometimes at night and would play with my Homeseer servers (had two then and today) such that I would just utilize SSH (Putty) and port forward via an encrypted SSH tunnel. (note this was in the EU, UK, South America and the pacific rim) This provided me with RDP access to my windows servers, web access to any browsers et al.

Today have helped a few Homeseer users via SSH and tunnels within SSH and it works fine. (and works fine without configuring a VPN server).

Basically you just open up one encrypted SSH tunnel (open one port) on the firewall and use it for whatever services/ports you want access to.

Last away mini trip here took one of my Wintel HSTouch tabletop tablets, configured it with VPN access and left it on the nightstand in the Hotel we were staying at and it worked just fine 24/7 for some 3-4 days.

So in a recap you can utilize myhs dot com (opening ports), your own dynamic DNS service (opening ports), SSH tunneling (free), HAProxy (as mentioned by Kerat), Teamviewer and or VPN (free). BTW your Windows 10 desktop has many cloud dependencies built in these days; that is the way it is.

Much of the above involves some basics relating to your OS, networking, routers, firewalls, VPN et al.

Not to overwhelm here but I would start baby step fashion (just open a port and use MyHomeseer dot com) and get familiar with Homeseer and Homeseer touch.

As you familiarize yourself with Homeseer start to entertain different methodologies of remote accessing your home network.

Here too have moved away from the typical SOHO or ISP provided combo router to an a la carte setup at home using my own ISP modem (X2), firewall (PFSense), managed Gb switches, autonomous wireless access points, et al. (over 10 years ago now).
__________________
- Pete

Automator

HS3 Pro & Lite Edition Beta 3.0.0.4449

HS3 Wintel Touch | Ubuntu 16.04 64 bit | Oracle Windows Virtual Box ==> for Wintel only SAPI and HS3 plugins | Speech - Microsoft SAPI - Neospeech - Amazon Echo | Hardware | Haswell Intel iSeries 3 - 16Gb | Pine64 - 2Gb computers | Openpeak Intel Atom SoC tabletop touchscreens (15 HS tabletop tablets) | Touchscreens - Windows embedded POE connected |Light switches - X10,UPB, ZWave and Zigbee | Firewall - PFSense - 2 WAN plus 4 LAN interfaces | Network - Gb managed switches / POE WAP(s) | CCTV - Zoneminder IPHD cams - variety | Audio - Russound - AB8SS | Security - Leviton HAI Omni Pro 2 | Weather - Davis Vantage Vue - MeteoStick - WeeWx | 1-Wire - AAG, Midon and HB | OWFS - Mosquitto - Node Red - Python - RPi Stretch - OpenWRT

Last edited by Pete; June 9th, 2017 at 07:52 AM.
Reply With Quote
  #13  
Old June 9th, 2017, 12:11 PM
lifespeed
Seer
 
Join Date: May 2017
Location: San Jose, CA
Posts: 74
Quote:
Originally Posted by zwolfpack View Post
..
Thanks for showing me where to look, didn't notice that before.
Reply With Quote
  #14  
Old June 9th, 2017, 12:26 PM
lifespeed
Seer
 
Join Date: May 2017
Location: San Jose, CA
Posts: 74
Quote:
Originally Posted by Pete View Post
So in a recap you can utilize myhs dot com (opening ports), your own dynamic DNS service (opening ports), SSH tunneling (free), HAProxy (as mentioned by Kerat), Teamviewer and or VPN (free). BTW your Windows 10 desktop has many cloud dependencies built in these days; that is the way it is.
Thanks for the comprehensive overview. I am actually somewhat familiar with my home network, having set up dynamic DNS to support FTP server, VPN, Emby server and other home network functions. Opening a port in the router is not a big deal.

VPN has its strengths, but sometimes it seems like overkill when you just want to do something quick from an Android phone. And it is an addition of an extra "layer", which usually works. But simpler is sometimes more reliable, so cutting out VPN or myhs could be a reasonable thing to do for simplification.
Reply With Quote
  #15  
Old June 9th, 2017, 06:51 PM
lifespeed
Seer
 
Join Date: May 2017
Location: San Jose, CA
Posts: 74
troubleshooting remote access

I can connect to HS3touch server using myhs, but I cannot connect directly using my external URL. Port 10200 TCP + UDP has been forwarded to the windows 10 PC in the router, and HS3Touch server applied the firewall rules when I enabled it.

Also, my Yale YRD240 lock, although displayed in HS3Touch Android app, does not respond to lock/unlock commands. It works fine when I connect using the web interface to HS3, whether connecting internally or externally, using HTTP on port 80.
Reply With Quote
  #16  
Old June 9th, 2017, 07:40 PM
logbuilder
Seer Master
 
Join Date: Nov 2016
Location: Pacific North West
Posts: 684
In your HSTouch application, you need to go into settings and set up one of the connections for remote direct access. You need to know the static IP address or a dynamic DNS address. Enter the port that you will be using which has previously been forwarded in the router. Then use that connection to remotely access HSTouch. Does this sound like what you have done?

I don't have any controlled locks. Maybe someone else can confirm whether they can be remotely controlled via HSTouch app.
Reply With Quote
  #17  
Old June 9th, 2017, 07:55 PM
lifespeed
Seer
 
Join Date: May 2017
Location: San Jose, CA
Posts: 74
Quote:
Originally Posted by logbuilder View Post
In your HSTouch application, you need to go into settings and set up one of the connections for remote direct access. You need to know the static IP address or a dynamic DNS address. Enter the port that you will be using which has previously been forwarded in the router. Then use that connection to remotely access HSTouch. Does this sound like what you have done?

I don't have any controlled locks. Maybe someone else can confirm whether they can be remotely controlled via HSTouch app.
Yes, that is what I did. I tried leaving the port entry blank, as well as entering 10200, which is supposed to be the default anyway. It won't direct connect.
Reply With Quote
  #18  
Old June 9th, 2017, 08:13 PM
zwolfpack
Seer Master
 
Join Date: Sep 2015
Location: Orange County, California, USA
Posts: 999
Does it work when you connect within the LAN?
For one of the Server 1-4, set the address to the local LAN address (i.e. 192.168.1.xyz) and port to 10200.
Reply With Quote
  #19  
Old June 9th, 2017, 08:14 PM
logbuilder
Seer Master
 
Join Date: Nov 2016
Location: Pacific North West
Posts: 684
I hesitate to mention this since I assume it is something unique to my setup, but it did work for me.

I could never get 10200 to forward to 10200 in my router. The router configured it just fine but it would not work. FWIW, it is a tplink router and exede internet. I ended up configuring it to accept incoming connections on port 8090 and forwarding them to port 10200. That worked. I've not taken the time to try and understand why. I've wondered if exede has some limitation.
Reply With Quote
  #20  
Old June 9th, 2017, 08:40 PM
Kerat
Seer Master
 
Join Date: May 2016
Location: Colorado USA
Posts: 749
remote access to HSTouch server, static external IP

This makes me wonder if I could create another third level domain CNAME that points to my house, source another SSL cert from Let's Encrypt, and set up HAProxy to trigger handling by SNI HTTPS request to the new subdomain to deliver the new SSL and reverse proxy to my HS3 server on port 10200 on my internal server. This would allow me to not have to open another port, encrypt the traffic, and remove my last dependency for myhs.


Sent from my iPhone using Tapatalk
Reply With Quote
All times are GMT -4.