Signiant Support

New Media Shuttle Feature - Storage Server Version 2.0.0 (No Inbound)


Use this FAQ to learn more about the new Media Shuttle feature: Storage Server Version 2.0.0 (No Inbound).

What is the no inbound release?
Who is this release targeted for?
How do I know if this release applies to me?
How do I obtain this release?
When a v2.0.0 upgrade occurs, is PubNub used automatically? If so, and that doesn’t work, is there fallback to the original inbound connections?
How can I confirm that my server is running version 2.0.0?
What is the most important change with this release?
Are there any other functional or technical enhancements in version 2.0.0 of the Media Shuttle storage server? If so, what are they?
My automatic proxy is not being automatically detected. How can I manually set my automatic proxy information?
Are authenticated proxies supported?
Are both HTTP and HTTPS proxies supported?
I have Media Shuttle with Managers and Agents. Can I upgrade to a version that doesn’t require inbound connectivity?
How does the portal status checking work?
How does the storage server receive the commands required to manage share portal related tasks?
How is security maintained for encryption and authorization? What steps has Signiant taken to ensure that unauthorized users can’t create commands for storage servers?
How often does the storage server communicate outbound?
How does the storage server respond to command requests?
What ports are needed and what are the endpoints that the storage server needs to talk to?
What inbound firewall rules can I turn off?
What is the processing order and mechanics used for proxying outbound traffic?
What is the no inbound release?
This release is an upgrade of the Media Shuttle storage server (v2.0.0), eliminating the inbound connection (TCP 443). This inbound connection was needed to support Share portal browsing operations. This release also contains security fixes and enables the storage server to use a web proxy for outbound HTTPS communication.

Who is this release targeted for?
This release is for IT security and IT networking personnel.

How do I know if this release applies to me?
If you create portals using manage.mediashuttle.com then this release applies to you.

How do I obtain this release?
This release (v2.0.0 of the storage server) is automatically downloaded by your storage server when it checks for updates. If you have installed a storage server at a release earlier than v2.0.0, it follows the update process that is already implemented: it checks for an update at a regular interval or on storage server restart, and downloads the update to the updates folder if one exists. If you don’t already have an installed storage server, use the regular mechanism to obtain the storage server software (i.e., log in to manage.mediashuttle.com and download it from the Storage tab). The upgrade occurs on a service restart.

When a v2.0.0 upgrade occurs, is PubNub used automatically? If so, and that doesn’t work, is there fallback to the original inbound connections?
When a storage server is upgraded to v2.0.0, it automatically subscribes to and listens to a PubNub channel. It won’t fall back to the original inbound connections. However, the storage server monitors the subscription channel to ensure it remains subscribed.

How can I confirm that my server is running version 2.0.0?
To verify your storage server version, in manage.mediashuttle.com, click Storage, highlight the storage server and click the options button.



What is the most important change with this release?
Media Shuttle storage servers no longer need to allow inbound TCP 443 in order to support share portal browsing. Once your storage server is running version 2.0.0, you can remove inbound 443 as a firewall rule.

Are there any other functional or technical enhancements in version 2.0.0 of the Media Shuttle storage server? If so, what are they?
Yes. Outbound service communication from the storage server now automatically detects a web proxy and uses that proxy. In addition, Tomcat has been upgraded to a more secure version. Issues around timeouts (that required service restarts) have also been addressed.

My automatic proxy is not being automatically detected. How can I manually set my automatic proxy information?
To manually set your automatic proxy information, do the following:
  1. Edit your server’s Tomcat configuration (e.g. C:\Program Files\Signiant Media Shuttle\bin\tomcat\webapps\ROOT\WEB-INF\config.properties).
  2. Add the following line: PROXY_AUTOMATIC_CONFIGURATION_SCRIPT=
  3. Enter your proxy configuration file URL. Now the line will look similar to: PROXY_AUTOMATIC_CONFIGURATION_SCRIPT=http://wpad.x3mk.local/wpad.dat
  4. Restart your Tomcat services.

Are authenticated proxies supported?
No, they are not supported.

Are both HTTP and HTTPS proxies supported?
Yes, both are supported.

I have Media Shuttle with Managers and Agents. Can I upgrade to a version that doesn’t require inbound connectivity?
No, only cloud-managed Media Shuttle storage servers support this.

How does the portal status checking work?
The Ops admin portal status for cloud-managed storage servers is determined using storage server heartbeat data in the cloud. Storage servers send a heartbeat to the cloud every five minutes. If three intervals are missed (15 minutes), the portal status is updated to red. If the portal status is red, and the storage server sends a heartbeat to the cloud, the portal status is updated to green.

Technical Details

How does the storage server receive the commands required to manage share portal related tasks?
This communication is handled through the PubNub messaging service over a secured channel: each command is issued on a PubNub messaging channel dedicated to the storage server.

How is security maintained for encryption and authorization? What steps has Signiant taken to ensure that unauthorized users can’t create commands for storage servers?
The PubNub channels are encrypted using a cipher key, ensuring that the information sent via PubNub is secured in transit and cannot be read by PubNub. Furthermore, the PubNub channel is secured with authorization tokens that expire after five minutes. All messages to a storage server are also signed with a JSON Web Token (JWT) containing information to validate the request issuer.

How often does the storage server communicate outbound?
The storage server is always communicating outbound since it is connected to the subscribe channel. Two other commands periodically run on the outbound channel: checking for storage server updates and sending portal storage maintenance checks (asking the cloud what should be removed from storage when maintenance runs).

How does the storage server respond to command requests?
The storage server communicates outbound to signal a running state to cloud-managed Media Shuttle, and in response to valid commands sent to the storage server such as browsing files.

What ports are needed and what are the endpoints that the storage server needs to talk to?
The storage server registers locally on TCP port 8080, and requires connectivity to PubNub endpoints dynamically generated to receive and respond to commands. The base PubNub format is: https://pubsub.pubnub.com
If you are configuring outbound rules, you need to allow outbound to *.pubnub.com. These endpoints are dynamic.

What inbound firewall rules can I turn off?
Port 443 for inbound TCP traffic can now be turned off. The Tomcat service no longer listens for inbound requests on this port.

What is the processing order and mechanics used for proxying outbound traffic?
The processing order is:
  1. User-configured setting
  2. DHCP
  3. DNS
The mechanics are:
  1. Examine config.properties for the Automatic Configuration Script PAC URL.
  2. If the URL is not configured and the server is configured to use DHCP, the storage server tries to detect the proxy through the DHCP entry. If the server is not configured to use DHCP, it tries to find the proxy through WPAD (DNS).
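
The processing order above, modelled as an added example (not Signiant's code) that reports which source would supply the PAC URL for a given server. The function names and inputs are hypothetical; DHCP is represented by the PAC URL a DHCP lease would deliver (standard WPAD uses option 252), and falling through to DNS when DHCP returns no entry is an assumption the page does not spell out.

```python
PAC_KEY = "PROXY_AUTOMATIC_CONFIGURATION_SCRIPT"

def read_properties(text: str) -> dict:
    """Minimal .properties reader: key=value or key:value, '#' and '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=:":  # the first separator ends the key
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props

def pac_source(config_text, uses_dhcp, dhcp_pac_url, dns_domain):
    """Return (tier, pac_url) following the order: config, DHCP, DNS."""
    # 1. User-configured setting; an empty value counts as "not configured".
    configured = read_properties(config_text).get(PAC_KEY, "")
    if configured:
        return ("config", configured)
    # 2. DHCP, only when the server uses DHCP and the lease carries a PAC URL.
    if uses_dhcp and dhcp_pac_url:
        return ("dhcp", dhcp_pac_url)
    # 3. WPAD over DNS: the conventional wpad.<domain>/wpad.dat location.
    if dns_domain:
        return ("dns", f"http://wpad.{dns_domain}/wpad.dat")
    return ("none", None)

# Constructed config.properties contents; OTHER_SETTING is a made-up key.
PINNED = "# constructed sample\nOTHER_SETTING=1\n" + PAC_KEY + "=http://wpad.x3mk.local/wpad.dat\n"
UNSET = "OTHER_SETTING=1\n" + PAC_KEY + "=\n"
```

Running `pac_source` against a copy of a server's config.properties shows whether the PAC URL is pinned locally or left to network discovery.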