Accessing myServer from the Internet

myServer is used on a daily basis within the home or business it is controlling. When you are outside of the home, it can be very handy to be able to interact with your systems. Providing secure access to the home should be done in a deliberate way so as not to allow unauthorized use or monitoring of the system.

Instructions

To extend monitoring and control of your myServer home or business to the Internet with reasonable security, follow the instructions below.

  1. Ensure your myServer installation is up to date and working well.

  2. If you have an Internet Service Provider (ISP) static IP address, skip to step 4. If not, create a NoIP.com or DynDNS.com account and set up a domain name that you like and that is available from those services.

  3. Open myServer's Options / Network configuration window. Check the box indicating that you are using the NoIP or DynDNS domain service. Type your account's username and access password. Type your provided DNS name in the "myServer DNS Name" box. Close this window and restart myServer to activate your changes. myServer will reboot, and shortly you should see it update your IP address in the Event Log. Your router should support "Port Reflection", so that when you use your domain name in a URL from your local network, the router connects you directly to the myServer PC and not out to the Internet. If your router does not do this by default, consider a new router or research how to configure it on your existing router (some don't support this function; most new routers do). pfSense-based routers (freeware, highly capable router software) support "port reflection" within their settings.

  4. Configure your myServer for some other port than Port 80 (80 is constantly being looked for by hackers), like Port 6245 or 82. Do this in the myServer Options / Network configuration window. Restart myServer for your changes to take effect.  myServer supports port 6245 for the External network and port 80 for the Internal network by default.

  5. You will need to Port Forward your Internet router to forward the port "6245" traffic (whatever you set up myServer on) to the myServer PC.

  6. You will also need to forward Ports: 6246 (web images), and 8181 (websockets connection).

  7. An additional layer of protection is available in myServer: a login page that is turned off by default. To enable it, go to myServer's User Accounts page. Add an account by clicking the "+" button. Type the username on the new row, and a password you will remember. The "Enable Local Security" field forces the user to log in even when they are on the Intranet (local network) that myServer is on. In normal mode it is deselected, so when you are home, on your local network, you don't have to log in. This same page is used to change the password. The Authorization field sets the time after which the user will have to log in again.
    How is this determined? When the client makes a call to the server the server looks at the IP address of the client and compares it to the IP address of the server. If they are on the same subnet then the client is assumed local and won't get the login screen. Otherwise the client is assumed to be outside the home and then will get the login screen.
  8. Yet another layer of security can be added if myServer is behind a Virtual Private Network (VPN) setup that is typically created on the Internet facing router. Setting this up isn't myServer specific, so outside of the scope of this document.
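
The local-or-remote decision described in step 7, as an added example (not myServer's own code); the /24 netmask, the function names and the sample addresses are assumptions. It also shows that the outcome depends only on the source address the server sees, so a port forward that rewrites the source to the router's LAN address makes every client look local.

```python
import ipaddress

# Constructed values: the page's example address for the myServer PC and an
# assumed /24 netmask (the page does not say which mask the server uses).
SERVER_IP = "192.168.125.2"
NETMASK = "255.255.255.0"


def is_local_client(client_ip, server_ip=SERVER_IP, netmask=NETMASK):
    """Return True when client_ip is on the same subnet as the server."""
    try:
        subnet = ipaddress.ip_network(f"{server_ip}/{netmask}", strict=False)
        client = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable address: fail closed, treat as remote
    # Dual-stack listeners may report IPv4 peers as ::ffff:a.b.c.d
    mapped = getattr(client, "ipv4_mapped", None)
    if mapped is not None:
        client = mapped
    return client in subnet  # False when the IP versions differ


def login_required(client_ip, enforce_local_security):
    """Step 7's rule: local clients skip the login page unless local
    security is enforced; every other client must log in."""
    return enforce_local_security or not is_local_client(client_ip)


# Constructed source addresses, as the server would see them.
SAMPLES = [
    ("192.168.125.40", "tablet on the home LAN"),
    ("::ffff:192.168.125.40", "same tablet via a dual-stack socket"),
    ("203.0.113.7", "Internet client, source address preserved"),
    ("192.168.125.1", "router LAN address (forward that rewrites the source)"),
    ("not-an-ip", "malformed value"),
]

if __name__ == "__main__":
    for enforce in (False, True):
        print(f"local security enforced: {enforce}")
        for ip, note in SAMPLES:
            verdict = "login" if login_required(ip, enforce) else "no login"
            print(f"  {ip:<24} {verdict:<9} {note}")
```

If connections from the Internet arrive with the router's own LAN address as their source, turn the local security option on so the login page is shown to every client.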

Tips

It's a good idea not to create your Intranet (local network) using "typical" IP settings. Most networks are 192.168.0.XXX or 192.168.1.XXX. A good idea is to configure the network with settings like 192.168.125.XXX or other. Don't forget that all of your routers, port forwarding and other network settings are contingent on this strategy, so decide on this early in your network configuration.

It's also a good idea to have a firewall running on your Internet facing router and / or on your myServer PC. The myServer installer will open the appropriate ports in the Windows firewall during its installation. Since it is highly recommended not to use the myServer PC as a normal desktop computer, firewall protection is then optional. The myServer PC should be a dedicated automation server. If you can't get two PCs to communicate with each other (like a Remote PC), the first thing to do is temporarily disable the firewall to isolate where the communication is being blocked. Once understood, modify the firewall settings as appropriate to allow the wanted connection.

Ensure your myServer PC Operating System is updated regularly. Don't use XP as it is no longer supported by Microsoft (and Allonis).

Another good idea is to use a myServer webpage keyboard to activate / deactivate your security system. Don't "hard code" your security system authentication into myServer.

Use unique usernames and passwords for all web services configured in myServer, like Pandora, Netflix, Amazon, Google, etc.

Here is the "chain" of networking that is recommended:
Internet web client > VPN client > Your Home's Domain URL (administered by NoIP.com) > your ISP's IP address for your home > Your home's VPN Server (on router) > Your home's firewall (on a router) > Port forward to myServer PC (on router) > myServer on a non-typical Intranet IP address (like 192.168.125.002) > myServer user name validation > myServer's web pages > myServer Apps and Content

Configuring myServer Login authentication:

myServer supports three general modes of access:

  • open access - you can access any myServer webpages from the Internet or Intranet (your local network).  Not generally recommended for security reasons.
  • Intranet easy access - you must login when accessing via Internet, but Intranet access does not require login.  Most homes are configured this way.
  • Secure access - you must login from both Intranet and Internet.  Most businesses are configured this way unless the WiFi network supports separate Guest (patrons) and Secure (employees) connections.

 Access Mode | Network Setting | myServer Setting | HTML custom.js
 ------------|-----------------|------------------|---------------
 Intranet Only, Login required | Configure router so myServer cannot be accessed via Internet | select "Enforce Local Security" |
 Intranet Only, Login not required | Configure router so myServer cannot be accessed via Internet | deselect "Enforce Local Security" |
 Internet or Intranet, Login via both | myServer connected to Internet, ports are forwarded | select "Enforce Local Security" | var ENABLE_SECURITY=1;
 Internet Login only | myServer connected to Internet | deselect "Enforce Local Security" | var ENABLE_SECURITY=1;
 No login required via both | myServer connected to Internet | deselect "Enforce Local Security" | var ENABLE_SECURITY=0;

 

How to configure:

  • For Network Settings, see the networking tips at the top of this article
  • For myServer Settings, open myServer and click on Tools / User Accounts.  You will see the Enforce Local Security box.  You can also set the number of hours after which logged-in users need to log in again.
  • HTML custom.js:  The easiest way is to open myDesigner and open the scripts folder for the HTML user interface you want to use.  Double click on the custom.js file.  Make your modifications to ENABLE_SECURITY= and then save the file.