Network Services

In addition to providing an IPv4 networking stack, Lantronix gateways also include support for a number of networking protocols and services that deliver a complete network communications offload engine in network co-processor mode. The production-ready services work together in wireless microcontroller mode to minimize required application development.

You can configure, start, and stop the clients and servers using the available management interfaces.

CLI Server

The CLI Server allows you to access the command mode remotely over the network using Telnet. By default, the CLI Server is disabled and remote access to the command line is not available. To connect using Telnet, the CLI server must be enabled in the configuration.

Important

Permissions configured in HTTP Server do not apply to CLI Server. CLI and CLI Server access is available to all users if enabled.

To configure the CLI Server:

In Web Manager, go to CLI Server > Configuration.

For CLI, see Config CLI Server Level.

For XML, see configgroup CLI Server.

CLI Server Configuration Settings

The following table describes the Web Manager CLI Server configuration settings.

Links to the equivalent settings for the CLI and XML reference are listed below.

For CLI, see Config CLI Server Level.

For XML, see configgroup CLI Server.

| CLI Server Settings | Description |
|---|---|
| Inactivity Timeout | The amount of time CLI server will maintain the connection without activity. Enter 0 for none. Units can be minutes and/or hours. |
| Mode | Enables or disables the CLI server. |
| Interface | The interface used for the CLI server. This can be any, or eth0. |
| Port | The CLI server will listen on this port for connections. |

DHCP Client

The DHCP client obtains an IP address and other networking parameters when attempting to make a connection on the eth0 interface. Configure the DHCP client for the interface by accessing the network interface configuration group.

By default, the interface is configured for DHCP mode rather than static IP mode.

In Web Manager, go to Network and select eth0 > Interface > Configuration.

For the CLI, see Config Interface level.

For XML, see configgroup interface.

DNS Client

The DNS client resolves DNS domain names to IP addresses and caches the mappings.

It communicates with the DNS server addresses configured statically or obtained via DHCP within the eth0 interface.

You can configure the Primary DNS and Secondary DNS to define the DNS servers that will be used when performing a domain name lookup.

In Web Manager, go to Network > eth0.

For the CLI, go to Config Interface level.

For XML, go to configgroup interface.

HTTP(S) Server

The HTTP server is used to store, process, and deliver web pages to the Web UI client using HTTP. It also serves resources such as HTML pages, JavaScript files, and images to web-browser-based applications or network applications that use the HTTP protocol for communication.

The HTTP server can be configured with TLS to provide secure HTTP communication.

HTTP Server Configuration

You can configure the following HTTP Server settings:

  • Set the operation mode. The HTTP server can be enabled, disabled, or triggered by the CPM role. For details on configurable pins, see CPM.
  • Specify the TLS credential to be used. For details on TLS credentials, see TLS Credentials.
  • Set the authentication timeout value if Digest Authentication is in use.

To configure the HTTP server:

In Web Manager, go to HTTP Server > Configuration.

In CLI, see Config HTTP Server Level.

In XML, see configgroup http server.

HTTP Server Configuration Settings

The following table describes the Web Manager HTTP Server configuration settings.

Links to the equivalent settings for the CLI and XML reference are listed below.

In CLI, see Config HTTP Server Level.

In XML, see configgroup http server.

Changes to HTTP Server take effect after reboot.

| HTTP Settings | Description |
|---|---|
| Mode | Enables or disables the HTTP server. Choices are Enabled, Disabled, and Triggered. With Triggered, the HTTP Server waits for the CPM Role to become active, then stays up indefinitely. |
| Port | HTTP server port number. Default is 80. Clearing the field will restore the default. Enter 0 for none. |
| Secure Port | Secure port number. Enter 0 for none. The default Secure Port (TLS) can be overridden. |
| Secure Credential | TLS server credential. It may contain up to 30 characters. The secure credential specifies the name of the TLS Server Credential to be used for the secure connection. |
| Authentication Timeout | The Authentication Timeout value is applied only if Digest authentication is being used. |
| Inactivity Timeout | The amount of time the HTTP server will hold power on after completing a request. This setting only applies if HTTP Server is enabled in Power settings. |
| Access-Control-Allow-Origin | Access-Control-Allow-Origin is a newer security mechanism supported by some browsers. This feature is also referred to as CORS. When blank (by default), CORS is disabled. Set a name of up to 50 characters to enable CORS. Use "*" for wildcard, but beware this exposes the device to Cross-Site Request Forgery (CSRF). |

HTTP Server Security

HTTP Server security provides role-based access control enabling you to assign authentication directives to specific URIs, config groups (for setting configuration), and status groups (for performing actions that appear in the status menu). In addition to controlling access to config groups, status groups, and built-in URIs (such as "/tlog" or "/upgrade"), you can also control access to URIs that you create, such as a "/welcome" URI.

To assign access control to specific URIs, config groups, and status groups, you specify the authentication type (what type of passphrase is required) and the user level (Admin, Tech, User, or None). The access control is hierarchical; Admin can access URIs, config groups, and status groups assigned to Admin or below, while Tech can access URIs, config groups, and status groups assigned to Tech or User level, and User can only access URIs, config groups, and status groups granted to User level. Additionally, the Tech user level can only see URIs, config groups, and status groups associated with their assigned Zone(s). See User Management for more details on zones.

The permission settings of a URI are passed on to the child folders of that URI, unless you set a different permission directive for a child folder. In that case, the child folder's directive overrides the parent folder's access control setting.

When setting permissions for config groups and status groups, a partial group name can be used to apply that permission to all groups that match that partial name. For example, a permission for "Tunnel" would apply to "Tunnel Accept," "Tunnel Line," "Tunnel Connect," "Tunnel Disconnect," and "Tunnel Packing."

Built-in URIs

The following URIs are built in to the server:

| URI | Description |
|---|---|
| /action/status | Action Web API |
| /ajax | Web Manager helper |
| /export/config | Config export Web API |
| /export/status | Status export Web API |
| /import/config | Config import Web API |
| /wm/firmware_upgrade | Web Manager upgrade firmware |
| /wm/fs/copy | Web Manager copy file |
| /wm/fs/mkdir | Web Manager make directory |
| /wm/fs/rename | Web Manager rename file |
| /wm/fs/rm | Web Manager remove file |
| /wm/fs/rmdir | Web Manager remove directory |
| /wm/fs/upload | Web Manager upload file |
| /fs | File System Web API |
| /logout | Digest Authentication |
| /mux_http | Mux HTTP Listener |
| /tlog | Trouble log |
| /upgrade | Firmware Upgrade Web API |
| /wm/pkcs12_upload | Web Manager PKCS12 upload |

Example configuration:

To allow administrators full access and restrict users to only being able to configure line settings, set the configuration as follows:

  • Config 1 Group: Line
  • Config 1 User: User

Default permissions:

By default, only Admin level has permission. Permission needs to be given to users in the Tech or User levels. Before firmware version 3.5, all users had permission by default. If you had non-administrator users on firmware versions lower than 3.5, you can achieve backward compatibility by adding the following:

  • Config 1 Group: *
  • Config 1 User Level: User
  • Status 1 Group: *
  • Status 1 User Level: User

Important

Permissions set here apply to the HTTP Server, including Web API and Web Manager. Permissions do not apply to CLI or CLI Server (Telnet CLI). Full access to CLI (and CLI Server if it's enabled) is given to all users.
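
The access-control rules described in this section (hierarchical user levels, URI inheritance with child overrides, partial group names, and the Admin-only default) can be modeled as follows. This is an added example, not Lantronix firmware code; the whole-segment and longest-match behavior, the case-insensitive group comparison, and the sample rules are assumptions, and zones are not modeled.

```python
# Added illustration: a model of the access-control rules described above.
# Not Lantronix firmware code; matching details are assumptions.
LEVELS = {"None": 0, "User": 1, "Tech": 2, "Admin": 3}
DEFAULT_LEVEL = "Admin"  # page: by default, only Admin level has permission


def uri_level(rules, uri):
    """Level a URI is assigned to. A rule covers its URI and all child
    folders; the longest (most specific) matching rule overrides parents."""
    best_len, level = -1, DEFAULT_LEVEL
    for prefix, lvl in rules.items():
        p = prefix.rstrip("/")
        # Assumption: match on whole path segments, so /welcome != /welcomeX
        if (uri == p or uri.startswith(p + "/")) and len(p) > best_len:
            best_len, level = len(p), lvl
    return level


def group_level(rules, group):
    """Level a config or status group is assigned to. A partial name covers
    every group starting with it; "*" covers all groups.
    Assumptions: case-insensitive prefix match, longest rule wins."""
    best_len, level = -1, DEFAULT_LEVEL
    for name, lvl in rules.items():
        n = "" if name == "*" else name.lower()
        if group.lower().startswith(n) and len(n) > best_len:
            best_len, level = len(n), lvl
    return level


def allowed(user_level, assigned_level):
    """Hierarchy: a user reaches anything assigned to their level or below."""
    return LEVELS[user_level] >= LEVELS[assigned_level]


# Constructed sample rules (hypothetical, not from a real device).
URI_RULES = {"/welcome": "User", "/welcome/admin": "Admin", "/tlog": "Tech"}
CONFIG_RULES = {"Line": "User", "Tunnel": "Tech"}
COMPAT_RULES = {"*": "User"}  # the pre-3.5 compatibility setting

if __name__ == "__main__":
    for uri in ("/welcome/index.html", "/welcome/admin/keys.html", "/upgrade"):
        print(uri, "->", uri_level(URI_RULES, uri))
    for grp in ("Line", "Tunnel Accept", "HTTP Server Security"):
        print(grp, "->", group_level(CONFIG_RULES, grp),
              "| with '*':", group_level(COMPAT_RULES, grp))
```

In this model the "*" rule resolves every config group, including HTTP Server Security, to User level, so review which groups non-administrators should reach before applying the backward-compatibility setting.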

HTTP Server Security Configuration

To configure HTTP server security from Web Manager:

  1. Go to HTTP Server > Security.
  2. Click Edit next to Access Control, Config, or Status.
  3. Enter a URI (starting with /), a config group, or a status group.
  4. Configure the authentication type and user level.
  5. If you have not created a Tech level user or User level user, do so now. See User Management for details.
  6. If necessary, create the URI and add an html file to the file system. See File System. If you configured access control on a built-in URI, you can skip this step.
  7. Test the authorization level.

For CLI, see Config HTTP Server Security Level.

For XML, see configgroup HTTP Server Security.

Microsoft Azure Integration

Microsoft Azure Integration is not included in the default firmware. For information on how to use this feature, see the Optional Features chapter of the XPort EDGE SDK User Guide.

Network Discovery

Network discovery allows applications on the network to discover the Lantronix gateway. An application such as DeviceInstaller issues discovery queries according to the Lantronix Discovery Protocol operating on UDP port 30718 (0x77FE).

To allow applications to discover the device, you enable the Discovery Query Port parameter for the network interface. Discovery is enabled by default.

To prevent applications from discovering the device, you disable the Query Port parameter for the network interface.

In Web Manager, go to Discovery > eth0. Enable or disable the query port state.

For the CLI, see Config Discovery level.

For XML, see configgroup Discovery.

SMTP Client

The Simple Mail Transfer Protocol (SMTP) client is used to configure an email message to be sent using an external SMTP server.

The SMTP client is available only through the CLI. To configure an email message, see Status SMTP level.

Example usage follows:

Send <ssl server hostname>
<username>
<password>
<from mail address>
<first recipient mail address>
[optional second recipient mail address]
[...] <-- Empty line ends recipient list
<subject>
<first line of body>
[optional second line of body]
[...] <-- Empty line ends body

SNMP

SNMP is not included in the default firmware. To use SNMP, use the SDK to create a project including the snmp module. See the Optional Features chapter of the XPort EDGE SDK User Guide for more information.

SNTP Client

The Simple Network Time Protocol (SNTP) client synchronizes with the Network Time Protocol (NTP) server. NTP is an Internet protocol used to synchronize computer clocks to a single time reference.

You can configure the Clock settings to update according to NTP or to update manually. For information on how to set the clock, see Clock.

You can also view and set the SNTP client configuration. See NTP.

TCP Client

The TCP client initiates a Tunnel connection with a TCP server that is listening on a designated port for a request.

TCP connections can use AES or TLS to encrypt the data stream. To configure the connection using either of these encryption types, you will need to supply an AES credential or TLS credential.

To configure TCP connections, see TruPort Serial.

TCP Server

The TCP server accepts Tunnel connection requests initiated by a TCP client.

TCP connections can use AES or TLS to encrypt the data stream. To configure the connection using either of these encryption types, you will need to supply an AES credential or TLS credential.

To configure TCP connections, see TruPort Serial.

TCP KeepAlive

A TCP KeepAlive packet is transmitted every 45 seconds. If a response is missed, retries happen every 5 seconds. After 3 failures, the TCP connection is closed.

TLS Client

TLS can be configured for TCP tunnel connections or Socket (Mux).

TLS can be configured with HTTP to provide a secure HTTP server. For details on setting up TLS with HTTP, see HTTPS Server.

To configure TLS, you create a TLS credential that contains the security details such as the certificate, private key, and trusted authority, as needed.

The TLS protocol version must be one of the following combinations:

  • TLS 1.0
  • TLS 1.1
  • TLS 1.2
  • TLS 1.1, TLS 1.2
  • TLS 1.0, TLS 1.1, TLS 1.2

To set up a TLS client for a tunnel or Mux connection, specify the TLS credential as part of the connection settings.

See TruPort Serial or TruPort Socket for details on how to set up these connections.

TLS Server

TLS can be configured for TCP tunnel connections or Socket (Mux).

To configure TLS, you create a TLS credential that contains the security details such as the certificate, private key, and trusted authority, as needed.

The TLS protocol version must be one of the following combinations:

  • TLS 1.0
  • TLS 1.1
  • TLS 1.2
  • TLS 1.1, TLS 1.2
  • TLS 1.0, TLS 1.1, TLS 1.2

To set up a TLS server for a TruPort Serial (tunnel) or TruPort Socket (Mux) connection, specify the TLS credential as part of the connection settings.

See TruPort Serial or TruPort Socket for details on how to set up these connections.

UDP Client and Server

User Datagram Protocol (UDP) can be used to provide an alternative transport-layer protocol for Tunnel connections.

You can configure Tunnel to use the UDP protocol. The reception setting can be "restricted" or "unrestricted." When it is set to "restricted," UDP packets will only be accepted from the address and port designated by the Host Address and Port. The remote address and port of the first received packet are taken as designated until the socket is closed. When it is set to "unrestricted," UDP packets from any IP address will be accepted as long as they are directed to the local Port.

To configure UDP, see TruPort Serial.