
Thread: VPN Routers

  1. #81
    Join Date
    Jun 2019
    Location
    Chicago
    Posts
    42
    Post Likes
    Quote Originally Posted by klrogers View Post
    Still not seeing this product as a replacement for a good vpn setup, yes it might be a solution to provide building operators with a uniform GUI to multiple BACnet IP and Modbus based systems but not the "fix" for remote access for integrators. The recurring costs will also drive more people to a true vpn solution that offers one-time cost solution, by the Tosibox does not have any recurring cost unless you move to the central lock server.
    If your post is directed to me, then let me ask you a few questions before I give you my view on this.

    1) How much time does a tech spend to set up a VPN to a working state per site? i.e. cost of labor per site.
    2) What is the material and license cost for the software? i.e. PCs required on premise and licences if you are buying the VPN solution
    3) What does this cost become when you have 10 customers, each with 10 sites?

  2. #82
    Join Date
    Jan 2008
    Location
    In the work truck
    Posts
    3,275
    Post Likes
    Thread Starter
    Hey ProductManagerR. I'm curious of your background. Are you in sales for this solution or a BMS tech that works in the field on this stuff every day?
    Gotta have the right tool for the job!

    Where is all the stuff MADE IN THE USA?

    "Thats what we do Troy. Incredible, Invisible, Imbelivable things. We are an Unseen, Unknown, Unvincible fraternity of craftsman.."

  3. #83
    Join Date
    Jun 2019
    Location
    Chicago
    Posts
    42
    Post Likes
    Quote Originally Posted by Pascone10 View Post
    Hey ProductManagerR. I'm curious of your background. Are you in sales for this solution or a BMS tech that works in the field on this stuff every day?
    I have a computer science degree, I'm not in sales and came up through the ranks of engineering into managing development of new products. I work in product management, responsible for developing and bringing new products to the market. Having said this, I'm fairly new to the HVACR industry (about 2 years) my background is about 20 years in tech world so it's been fun learning about this industry and the market challenges.

    My philosophy is that we can build products but if it doesn't solve a problem then it's a dud, so besides talking to my customers I come to this forum to learn and understand problems and solutions that challenge the techs and users.

  4. #84
    Join Date
    Sep 2007
    Location
    Kenilworth NJ
    Posts
    7,928
    Post Likes
    Quote Originally Posted by ProductManagerR View Post
    1) its own Cloud application UI (frontend) via a browser UI using https (443)
    2) Existing system web application via a browser UI using https (443)
    These end points need to be on Port 80 or 443. Port 443/HTTPS is the HTTP protocol over TLS/SSL. Port 80/HTTP is the World Wide Web. Anything else (non-standard ports) it will not support as this becomes a security risk.
    Often, disparate applications use different ports to deliver different applications. I am not clear how the device can deliver its stuff and my stuff on the same port. I suppose there has to be a switch on the X300 to make the change... is that right?
    Pretty much everyone here understands port 80 and 443....
    So it seems as though there is no configurability on these ports? If that is the case I do not see how this is useful. If I went to the trouble of making a UI, the customer can get it through your device just the same as without. Except now I have extremely limited ability to do any programming changes, as I am also limited to using that same web UI since the port that gets me into the programming side is closed. That web UI is not typically where the magic happens in Niagara systems (for example). Delta would love it, maybe. Schneider needs at least 2 more ports. Niagara needs 4911 and 5011 at least, others for Distech, and what about getting a time sync to my JACE on port 25?
    It seems like the benefit is that there are no settings to screw up when delivering a web UI securely to a customer ONLY. The downside is that a VPN scans as a VPN on the interwebs... this device will likely have its own signature to tell everyone he is a BAS specific device, losing the anonymization benefit of an off the shelf VPN. Also, it cannot deliver the access needed to get ANY programming done for a Niagara or Schneider system. It will probably be fine for Delta and JCI. They deliver programming tools on 80 and 443.
    Last edited by numbawunfela; 04-15-2020 at 10:32 AM.
    Hmmmm....smells like numbatwo to me.

  5. #85
    Join Date
    Sep 2007
    Location
    Kenilworth NJ
    Posts
    7,928
    Post Likes
    Quote Originally Posted by ProductManagerR View Post
    I'm not in sales
    I work in product management, responsible for developing and bringing new products to the market.
    Having said this, I'm fairly new to the HVACR industry (about 2 years) my background is about 20 years in tech world so it's been fun learning about this industry and the market challenges.
    So you don't sell it, instead you make it and give it to the sales guys...
    You will find the crowd here very.... candid. If something is cool we will say so. If you try to spin something that is clearly not cool you will be skinned alive mercilessly.... and then we will like your post on kitten videos a week later. If you take your not cool thing and make it cool we will gladly pat you on the back.
    There are a few other reps for manufacturers here. You may benefit from seeing how they interact (as you are at about 20 posts so far). S2sam comes to mind, and Betterduck. One has a better time interacting than the other, one is more cordial and easy to get along with than the other. There are probably other reps I am not thinking of. The only thing better than learning from your mistakes is learning from the mistakes of others...
    MaxBurn has a VERY extensive thread on securing a site with a VPN. I think it is on the pro side... You may gain insights on what we are looking for from there.
    Hmmmm....smells like numbatwo to me.

  6. #86
    Join Date
    Jun 2019
    Location
    Chicago
    Posts
    42
    Post Likes
    Quote Originally Posted by numbawunfela View Post
    Often, disparate applications use different ports to deliver different applications. I am not clear how the device can deliver its stuff and my stuff on the same port. I suppose there has to be a switch on the X300 to make the change... is that right?
    Pretty much everyone here understands port 80 and 443....
    So it seems as though there is no configurability on these ports? If that is the case I do not see how this is useful. If I went to the trouble of making a UI, the customer can get it through your device just the same as without. Except now I have extremely limited ability to do any programming changes, as I am also limited to using that same web UI since the port that gets me into the programming side is closed. That web UI is not typically where the magic happens in Niagara systems (for example). Delta would love it, maybe. Schneider needs at least 2 more ports. Niagara needs 4911 and 5011 at least, others for Distech, and what about getting a time sync to my JACE on port 25?
    It seems like the benefit is that there are no settings to screw up when delivering a web UI securely to a customer ONLY. The downside is that a VPN scans as a VPN on the interwebs... this device will likely have its own signature to tell everyone he is a BAS specific device, losing the anonymization benefit of an off the shelf VPN. Also, it cannot deliver the access needed to get ANY programming done for a Niagara or Schneider system. It will probably be fine for Delta and JCI. They deliver programming tools on 80 and 443.

    Yes the benefit is that there are no settings to screw up when delivering a web UI securely and for now no configurability on ports, it's just a security issue.
    Is there a list I can get of the different ports for different vendors needed and what it supports, e.g. Niagara needs 4911 and 5011?

  7. #87
    Join Date
    May 2009
    Location
    SC
    Posts
    4,049
    Post Likes
    What it sounds like he is wanting to do is pass through fox/foxs etc connections through like a VPN connection would but I don't get the impression that's what your solution is aimed at.

    There is no perfect list of port numbers either, they are all configurable and even if we looked at BACnet UDP 47808 it is sometimes useful to shunt misbehaving vendors to another port to separate them from the rest of the system.

  8. #88
    Join Date
    Jun 2019
    Location
    Chicago
    Posts
    42
    Post Likes
    Quote Originally Posted by MaxBurn View Post
    What it sounds like he is wanting to do is pass through fox/foxs etc connections through like a VPN connection would but I don't get the impression that's what your solution is aimed at.

    There is no perfect list of port numbers either, they are all configurable and even if we looked at BACnet UDP 47808 it is sometimes useful to shunt misbehaving vendors to another port to separate them from the rest of the system.
    So I understand fox/foxs is proprietary to Niagara, so this will not work. What will work is https and hopefully http in the near future. Regarding ports - BACnet has a range of ports and we support it via range.

  9. #89
    Join Date
    May 2009
    Location
    SC
    Posts
    4,049
    Post Likes
    Quote Originally Posted by ProductManagerR View Post
    Regarding ports - BACnet has a range of ports and we support it via range.
    But you don't pass it through to the end user right? I'm thinking the BACnet handling pretty much ends at your gateway on site. Goes up to the cloud as some other API.

  10. #90
    Join Date
    Jun 2019
    Location
    Chicago
    Posts
    42
    Post Likes
    Quote Originally Posted by MaxBurn View Post
    But you don't pass it through to the end user right? I'm thinking the BACnet handling pretty much ends at your gateway on site. Goes up to the cloud as some other API.
    You are correct, BACnet handling pretty much ends at the gateway.

  11. #91
    Join Date
    Jun 2019
    Location
    Chicago
    Posts
    42
    Post Likes
    Quote Originally Posted by numbawunfela View Post
    So you don't sell it, instead you make it and give it to the sales guys...
    You will find the crowd here very.... candid. If something is cool we will say so. If you try to spin something that is clearly not cool you will be skinned alive mercilessly.... and then we will like your post on kitten videos a week later. If you take your not cool thing and make it cool we will gladly pat you on the back.
    There are a few other reps for manufacturers here. You may benefit from seeing how they interact (as you are at about 20 posts so far). S2sam comes to mind, and Betterduck. One has a better time interacting than the other, one is more cordial and easy to get along with than the other. There are probably other reps I am not thinking of. The only thing better than learning from your mistakes is learning from the mistakes of others...
    MaxBurn has a VERY extensive thread on securing a site with a VPN. I think it is on the pro side... You may gain insights on what we are looking for from there.
    I hear you and spinning stuff is not my style, plus knowing my customers one thing I can tell is that most will smell spinning from a mile away. Like I said, I like to build products that solve a problem in the market, if I am successful it will sell. Also, thanks for the feedback on the reps, I'll take a look at it.

  12. #92
    Join Date
    Sep 2007
    Location
    Kenilworth NJ
    Posts
    7,928
    Post Likes
    Quote Originally Posted by ProductManagerR View Post
    Also, thanks for the feedback on the reps, I'll take a look at it.
    You can search for posts by author. Works better when you are logged into the site.
    Hmmmm....smells like numbatwo to me.

  13. #93
    Join Date
    Jun 2019
    Location
    Chicago
    Posts
    42
    Post Likes
    Quote Originally Posted by numbawunfela View Post
    So you don't sell it, instead you make it and give it to the sales guys...
    You will find the crowd here very.... candid. If something is cool we will say so. If you try to spin something that is clearly not cool you will be skinned alive mercilessly.... and then we will like your post on kitten videos a week later. If you take your not cool thing and make it cool we will gladly pat you on the back.
    There are a few other reps for manufacturers here. You may benefit from seeing how they interact (as you are at about 20 posts so far). S2sam comes to mind, and Betterduck. One has a better time interacting than the other, one is more cordial and easy to get along with than the other. There are probably other reps I am not thinking of. The only thing better than learning from your mistakes is learning from the mistakes of others...
    MaxBurn has a VERY extensive thread on securing a site with a VPN. I think it is on the pro side... You may gain insights on what we are looking for from there.
    Thanks for the info, I'll take a look.

  14. #94
    Join Date
    Sep 2002
    Location
    Hampton Roads, Virginia
    Posts
    2,062
    Post Likes
    Quote Originally Posted by ProductManagerR View Post
    If your post is directed to me, then let me ask you a few questions before I give you my view on this.

    1) How much time does a tech spend to set up a VPN to a working state per site? i.e. cost of labor per site.
    2) What is the material and license cost for the software? i.e. PCs required on premise and licences if you are buying the VPN solution
    3) What does this cost become when you have 10 customers, each with 10 sites?

    I can only speak for what I am familiar with, that being Tosibox,

    1) How much time does a tech spend to set up a VPN to a working state per site? i.e. cost of labor per site.
    Minutes
    2) What is the material and license cost for the software? i.e. PCs required on premise and licences if you are buying the VPN solution
    One time moderate purchase cost, no licensing, no PC needed on site.
    3) What does this cost become when you have 10 customers, each with 10 sites?
    Each site would cost the same.

    Is Tosibox perfect? No, of course not. Higher initial cost than Maxburn's solution and reliance on Tosibox to provide the connection server are the two main objections to it, but it can provide full access to all the devices and ports on the BAS subnet, plus access can be restricted if desired, all without any deep IT knowledge.

    Controls is a lifestyle not a job

  15. #95
    Join Date
    May 2009
    Location
    SC
    Posts
    4,049
    Post Likes
    Outages all over the internet today, hope everyone's stuff is still up.

    https://www.reddit.com/r/networking/...utage_chicago/

    https://www.reddit.com/r/sysadmin/co...ternet_outage/

    Digital Ocean too. I'm seeing problems in NYC1

    https://twitter.com/DOStatus/status/1252641163690950656

    https://twitter.com/DOStatus/status/1252674722677944320

    https://status.digitalocean.com/#

    Our Engineering team is aware of further disruption impacting our NYC1 region, due to the disruption from a major internet backbone provider. Users may have experienced outages with networking for services in our NYC1 region, including Droplets and Managed Database Clusters. Our Engineering team has applied a fix to route around the disruption, and at this time, services in our NYC1 region should be starting to operate normally. We are continuing to monitor the situation closely, and we will share more information as it becomes available.
    I did an additional piece for the VPN article. This was also troubleshooting some ALC problems we have but there is discussion on the construction and testing of the VPN tunnel and why I did it that way. https://blog.jalbert.me/why-did-i-do-that/

  16. #96
    Join Date
    Sep 2007
    Location
    Kenilworth NJ
    Posts
    7,928
    Post Likes
    Look at you, having a blog. Wish I was cool like that....
    Hmmmm....smells like numbatwo to me.

  17. #97
    Join Date
    Jan 2008
    Location
    In the work truck
    Posts
    3,275
    Post Likes
    Thread Starter
    Better Duck. Can you shoot me an email? I have some questions on Loytec. Email is in my profile. Thanks!

  18. #98
    Join Date
    Jun 2019
    Location
    Chicago
    Posts
    42
    Post Likes
    Sorry I have been busy, but I did want to provide a response.

    The biggest difference between Tosibox and Building Operator is that Building Operator is an end-to-end cloud solution. This means Cloud Computing & Storage + secure connectivity + gateway that talks building protocols, versus Tosibox, which is for secure connectivity via a gateway (lock) and key (usb) solution.

    From Cloud Computing & Storage perspective it means

    Cloud application for monitoring and control/commanding
    Multi-Site-Management via one simplified front end
    Aggregates data from different BACnet/Modbus systems (additional connectors planned) into one central place
    Data Storage up to 3 years
    Stored data allows Trend Analysis.
    Building block for FDD/Analytics and API use cases.
    btw - come early next year remote access to on premise web applications won't be restricted to 443/80.

  19. #99
    Join Date
    Jun 2019
    Location
    Chicago
    Posts
    42
    Post Likes
    Quote Originally Posted by MaxBurn View Post
    What it sounds like he is wanting to do is pass through fox/foxs etc connections through like a VPN connection would but I don't get the impression that's what your solution is aimed at.

    There is no perfect list of port numbers either, they are all configurable and even if we looked at BACnet UDP 47808 it is sometimes useful to shunt misbehaving vendors to another port to separate them from the rest of the system.
    MaxBurn, I took this back to the engineers and I'm happy to say we have a solution with configurable port numbers now.

  20. #100
    Join Date
    Jan 2003
    Location
    USA
    Posts
    9,437
    Post Likes
    Peplink just added OpenVPN support to all their routers in v8 firmware.
    Propagating the formula. http://www.noagendashow.com/
