We have a new customer that installed SSL certificates on their recording servers (see below). They are running Expert 2022R2. Our existing protocol integration is certified and deployed and is able to get images from the cameras using the Image API on port 7563. In this case we are able to connect to the management server to get the IDs, but when we go to open the socket to the recording server as we normally do, we get the following error:
ConnectionResetError: [WinError 10054] An existing connection was forcibly closed by the remote host.
This is a generic error indicating there is something rejecting the socket connection.
Any suggestions or debugging tips are much appreciated!
Thank you for your reply and for the reference. I notice that the link you provided refers to C# function definitions. Is there a way to do this for Protocol integrations? Below are some questions that would be helpful to know if we implement this ourselves.
Is the encryption you are referring to here anything beyond SSL? i.e., If the user provides us with the certificate can we communicate over port 7563 in the exact same way we would if there was no SSL encryption present? Can you confirm if it’s actually SSL, TLS, the version, the cipher, and any other information we may need to implement this?
The connection is a “standard” SSL/TLS connection and hopefully the TcpVideoViewer protocol sample below will work as a reference. The sample checks the recording server URI scheme and if it’s “HTTPS”, then the already established NetworkStream is used to instantiate an SslStream instance.
A couple of notes for you, in case it’s possible to make this experience a little easier on us. We almost lost a customer because of this…
In the configuration API there is no indication that the hostname is accessed via HTTPS. Second, SSL/TLS has many versions. We found the one that happened to work for this server but I do not know if this will hold for other ones.
As you are probably familiar, this is what we see. It would be nice if we could determine the security & protocol version from this response too.
Glad to hear it’s working for you and you didn’t lose that customer!
For a protocol integration I’m pretty sure you should be able to discover whether the ImageServer API transport layer is encrypted ahead of time based on the URI. You mention configuration API but that JSON object looks more like an incomplete RecorderInfo object from the ServerCommandService “GetConfiguration” method which returns a RecorderInfo object like the one below for me. Here, I can use the WebServerUri to determine whether to assume an encrypted connection. In this case it’s unencrypted as the scheme is “http”.
With regard to the TLS protocol to use, this is something we delegate to the OS and I’ve rarely had an issue except when all protocols except TLS 1.2 have been disabled on the OS and the SSL/TLS library I’m using doesn’t automatically include TLS 1.2 as an allowed protocol version. Like a web client, you wouldn’t usually know which protocol to use ahead of time when connecting to the web server - you would connect and negotiate a common protocol version, and usually there’s a way for you to specify a collection of protocol versions to use in your stream prior to authenticating. For good security it might be a good idea to limit it to TLS 1.2 and maybe TLS 1.1 by default, but I think you can offer all protocols for negotiation so that the client/server choose the highest common protocol version.
It’s unrelated to Milestone but I have a PowerShell sample function for testing a web URI and on line 97 I take a list of protocol enums and “OR” them together before authenticating with the remote web server. I wrote it for testing HTTP web server certificates but since it doesn’t attempt to send any HTTP requests it looks like it works well against a recording server as well.
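The scheme check and version negotiation described in the replies above, sketched in Python for a protocol integration. This is an added example, not code from the thread or from Milestone; the function names, the sample host names, the fallback to port 7563 when the URI carries no port, and the TLS 1.2 floor are assumptions made for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_IMAGE_PORT = 7563  # Image API port named in the thread; used only if the URI has none


def transport_for(web_server_uri):
    """Return (host, port, use_tls) derived from a recorder's WebServerUri."""
    parts = urlsplit(web_server_uri)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unexpected WebServerUri: {web_server_uri!r}")
    return parts.hostname, parts.port or DEFAULT_IMAGE_PORT, scheme == "https"


def client_context(ca_file=None):
    """TLS client context: verify the recorder's certificate, negotiate the version."""
    # ca_file is the customer-supplied CA/certificate in PEM form (hypothetical path);
    # with None the system trust store is used.
    ctx = ssl.create_default_context(cafile=ca_file)
    # Only a floor is set (assumed policy); the handshake picks the highest common version.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def open_recorder_socket(web_server_uri, ca_file=None, timeout=10.0):
    """Open the recorder socket, wrapping it in TLS only when the scheme is https.

    Returns (sock, tls_info); tls_info is None for plain TCP, otherwise
    (negotiated_version, cipher_name), e.g. for logging per recorder.
    """
    host, port, use_tls = transport_for(web_server_uri)
    raw = socket.create_connection((host, port), timeout=timeout)
    if not use_tls:
        return raw, None
    try:
        tls = client_context(ca_file).wrap_socket(raw, server_hostname=host)
    except (ssl.SSLError, OSError):
        raw.close()  # handshake or certificate failure: do not leak the TCP socket
        raise
    return tls, (tls.version(), tls.cipher()[0])


if __name__ == "__main__":
    # Constructed sample URIs, not taken from a real system.
    for uri in ("https://recorder01.example.local:7563/", "http://10.0.0.5/"):
        print(uri, "->", transport_for(uri))
```

The returned socket is then used for the Image API exchange exactly as the plain socket was; a certificate that does not match the host name in the URI raises `ssl.SSLCertVerificationError` at the handshake.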
Thank you for sharing that screenshot of using the PS-Tools. A few questions:
On what computer do we need to install our agent in order for us to be able to run PS tools? Does it need to be installed on the computer running the Milestone Management Server or can this run from any computer?
Are PS-Tools available 100% of the time or starting some version? Or does the user need to install anything additional?
The MilestonePSTools module only needs to be installed on the system you want to run PowerShell commands from and does not need to be present on the management server unless you want to use a MilestonePSTools cmdlet from that machine.
I haven’t tested the module on versions older than 2019 in a long time but in theory it can work as far back as 2014 when the configuration API was introduced. But certain commands will not work on older versions where the server did not support that functionality. For example, failover groups/recorders were apparently not available in the configuration API until 2021 R2. I attempt to throw meaningful errors when the VMS version is too old for a given command but I know there are a number of commands that need these assertions added, and eventually I’ll automate placing a note in the cmdlet docs when the source for the cmdlet contains a minimum version assertion to make it easier to know ahead of time.