
Remote Monitoring of NVRs in corporate or enterprise networks

IP CCTV camera installation for remote monitoring can be a tricky business. We understand that CCTV System Integrators are paid to install CCTV systems, not negotiate between corporate departments, so we’ve got a few tips for anyone who is frustrated by corporate networks which block outbound traffic from IP cameras.

Enterprise networks vary in how they deal with security. Many enterprise clients restrict access to the internet entirely to protect their network. Corporate and enterprise networks are often heavily guarded, with firewalls and IT security experts to navigate. And so they should be – cyber security is the biggest threat to any business, and corporate IT departments are busy and often under-staffed. Gartner says that 80% of organisations struggle to find security professionals.

However, your job is to professionally install cutting edge CCTV systems to protect a business’s physical perimeter, while their IT department protect their corporate network perimeter.

You might have found yourself in this situation: you’ve got a new site to install IP CCTV cameras, and the IT company are willing to allow you to use their internet access for remote monitoring and maintenance. They will permit selected corporate users to connect to your video recorder (NVR). Happy days.

In a perfect world it would be nice to allow all traffic in and out from your NVR, but for most enterprise networks this is rarely possible due to their restrictive firewall policies.

When will they open it? Will they ever? And even when an IT department are forthcoming with assistance, it can still take days or weeks to achieve.

We cover two use case scenarios here relating to corporate/enterprise networks:

Scenario A

The IT company are willing to allow you to use their internet access, for remote monitoring and maintenance.

You install the NVR and i-spi in the VLAN or DMZ (IT word for untrusted zone) that they provide. Configure your cameras and NVR as normal.

Typically they will provide you with a single connection to their network plus IP subnet details (shown in red).

Corporate Network

This connection is shown in red as it is usually locked down to block everything. They don’t want your NVR or cameras being able to contact (hack) their servers.

They will permit selected corporate users to connect to your NVR. Shown in green here. If this is all you need then you don’t need an i-spi.

However, your problem is that the external monitoring ARC can’t connect to the NVR. Or you can’t connect from your office to fix things. The client just sees it as not working.

Roadblock. You could request that the IT department set up port forward rules and allow out NTP and SMTP packets from your NVR.

Two things can happen here:

  1. The IT department are terrible at understanding their own routing and firewall setup and can’t get it right.
  2. They will – after days or weeks – but if you need any changes it can take more days (or weeks). Also access to features like Dahua Virtual Host is not possible.

Spoiler alert – this always ends up meaning more site visits.

How to solve this frequently occurring problem – the i-spi by Netcelero

The i-spi allows you to request a simple non-threatening level of access, but to still provide yourself with the flexibility you need for the client and any future work you may need to perform remotely.

Make a simple request to the IT team: allow the i-spi to connect out. No port forward rules are needed, only permission for its traffic to go out to the internet. They will normally agree to this; however, if they wish to be really strict, there are a handful of destination subnets and ports that you can provide with a quick look up in our customer portal.


- Now the ARC can connect to the NVR via the i-spi
- The NVR can send out SMTP alerts via the i-spi
- The corporate user can still connect locally
- You can change port forwards as you require on our customer portal
- Remotely from your laptop or smart device you can access on-site equipment or features like Dahua Virtual Host, via the end-to-end VPN.
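
For an IT team taking the "really strict" option in Scenario A, the sketch below models the resulting firewall policy for the CCTV VLAN and checks sample flows against it. It is an added example, not Netcelero's code or configuration; every address, subnet and port in it is a constructed placeholder, and the real i-spi destinations come from the customer portal.

```python
# Added illustration: first-match evaluation of a default-deny policy for the
# CCTV VLAN in Scenario A. All addresses, subnets and ports are constructed
# placeholders; the real i-spi destinations come from the vendor's portal.
from ipaddress import ip_address, ip_network

NVR = ip_network("10.50.0.10/32")              # hypothetical NVR address
ISPI = ip_network("10.50.0.2/32")              # hypothetical i-spi address
CORP_VIEWERS = ip_network("10.20.30.0/28")     # hypothetical permitted corporate users
VENDOR_NETS = [ip_network("192.0.2.0/24")]     # placeholder for portal-listed subnets
VENDOR_PORTS = {("udp", 1194), ("tcp", 443)}   # placeholder ports, not the real ones
ANY = ip_network("0.0.0.0/0")

# Each rule: (name, action, source net, destination net, services or None for any)
RULES = [
    ("viewers-to-nvr", "allow", CORP_VIEWERS, NVR, {("tcp", 443), ("tcp", 554)}),
    *[("ispi-egress", "allow", ISPI, net, VENDOR_PORTS) for net in VENDOR_NETS],
    ("default-deny", "deny", ANY, ANY, None),  # no port forwards, no other egress
]

def decide(src, dst, proto, port, rules=RULES):
    """Return (action, rule name) of the first rule that matches the flow."""
    s, d = ip_address(src), ip_address(dst)
    for name, action, src_net, dst_net, services in rules:
        if s in src_net and d in dst_net and (services is None or (proto, port) in services):
            return action, name
    return "deny", "implicit"

def audit(flows, rules=RULES):
    """Map each labelled flow to the action the policy takes on it."""
    return {label: decide(*flow, rules=rules)[0] for label, flow in flows.items()}

# Constructed sample flows: (source, destination, protocol, destination port)
FLOWS = {
    "corporate viewer -> NVR": ("10.20.30.5", "10.50.0.10", "tcp", 443),
    "i-spi -> listed vendor subnet": ("10.50.0.2", "192.0.2.17", "udp", 1194),
    "i-spi -> unlisted host": ("10.50.0.2", "198.51.100.9", "tcp", 443),
    "NVR -> corporate file server": ("10.50.0.10", "10.20.0.8", "tcp", 445),
    "NVR -> internet directly": ("10.50.0.10", "198.51.100.9", "tcp", 25),
    "internet -> NVR (port forward)": ("203.0.113.44", "10.50.0.10", "tcp", 554),
}

if __name__ == "__main__":
    for label, verdict in audit(FLOWS).items():
        print(f"{verdict:5}  {label}")
```

Only the corporate viewers and the i-spi's outbound connection to the listed subnets are allowed; the NVR itself has no path to corporate servers or the internet, and nothing inbound from the internet reaches the VLAN.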

Scenario B

This is the ‘somebody on the client side either can’t or won’t do their part’ scenario. This happens way too often and always leads to massive time wasting while sitting around.

The solution is to just add any type of 4G/5G router with any working SIM card. Correct, this will work with any SIM and router that can provide internet access.


The i-spi connects back to Netcelero via the 4G connection, rather than the corporate network.

The ARC and you now have secure remote access to the NVR and onsite equipment and features.


How is this different from a static IP SIM card?

Well, the corporate user can still access the NVR via the CORPORATE network, so not using up your 4G data bundle. Plus, as you can use any SIM you want, you can always just use this as a temporary solution until ‘you know who, does you know what!’
 
Hopefully this blog provides some helpful information. As a company our objective is to simplify secure connectivity for our customers and to make their lives easier.
If you would like to speak to one of our engineers about challenges you are facing, please do get in touch today and we’ll be happy to try and troubleshoot for you.
 