IP CCTV camera installation for remote monitoring can be a tricky business. We understand that CCTV System Integrators are paid to install CCTV systems, not negotiate between corporate departments, so we’ve got a few tips for anyone who is frustrated by corporate networks which block outbound traffic from IP cameras.
Enterprise networks vary in how they deal with security. Many enterprise clients restrict access to the internet entirely to protect their network. Corporate and enterprise networks are often heavily guarded, with firewalls and IT security experts to navigate. And so they should be – cyber security is the biggest threat to any business, and corporate IT departments are busy and often under-staffed. Gartner says that 80% of organisations struggle to find security professionals.
However, your job is to professionally install cutting edge CCTV systems to protect a business’s physical perimeter, while their IT department protect their corporate network perimeter.
You might have found yourself in this situation: you’ve got a new site to install IP CCTV cameras, and the IT company are willing to allow you to use their internet access for remote monitoring and maintenance. They will permit selected corporate users to connect to your video recorder (NVR). Happy days.
In a perfect world it would be nice to allow all traffic in and out from your NVR, but for most enterprise networks this is rarely possible due to their restrictive firewall policies.
When will they open it? Will they ever? And even when an IT department are forthcoming with assistance, it can still take days or weeks to achieve.
We cover two use case scenarios here relating to corporate/enterprise networks:
The IT company are willing to allow you to use their internet access, for remote monitoring and maintenance.
You install the NVR and i-spi in the VLAN or DMZ (IT word for untrusted zone) that they provide. Configure your cameras and NVR as normal.
Typically they will provide you with a single connection to their network plus IP subnet details (shown in red).
This connection is shown in red as it is usually locked down to block everything. They don’t want your NVR or cameras being able to contact (hack) their servers.
They will permit selected corporate users to connect to your NVR. Shown in green here. If this is all you need then you don’t need an i-spi.
However, your problem is that the external monitoring ARC can’t connect to the NVR. Or you can’t connect from your office to fix things. The client just sees it as not working.
Roadblock. You could request that the IT department set up port forward rules and allow out NTP and SMTP packets from your NVR.
Two things can happen here:
- The IT department are terrible at understanding their own routing and firewall setup and can’t get it right.
- They will – after days or weeks – but if you need any changes it can take more days (or weeks). Also access to features like Dahua Virtual Host is not possible.
Spoiler alert – this always ends up meaning more site visits.
How to solve this frequently occurring problem – the i-spi by Netcelero
The i-spi allows you to request a simple non-threatening level of access, but to still provide yourself with the flexibility you need for the client and any future work you may need to perform remotely.
Make a simple request to the IT team: allow the i-spi to connect out. No port forward rules are needed, only permission for its traffic to go out to the internet. They will normally agree to this; however, if they wish to be really strict, there are a handful of destination subnets and ports that you can provide with a quick look up in our customer portal.
This is the ‘somebody on the client side either can’t or won’t do their part’ scenario. This happens way too often and always leads to massive time wasting while sitting around.
The solution is to just add any type of 4G/5G router with any working SIM card. Correct, this will work with any SIM and router that can provide internet access.
How is this different from a static IP SIM card?
Well, the corporate user can still access the NVR via the CORPORATE network, so this does not use up your 4G data bundle. Plus, as you can use any SIM you want, you can always just use this as a temporary solution until ‘you know who, does you know what!’
Hopefully this blog provides some helpful information. As a company our objective is to simplify secure connectivity for our customers and to make their lives easier.
If you would like to speak to one of our engineers about challenges you are facing, please do get in touch today and we’ll be happy to try and troubleshoot for you.