Resetting reverse tunnels

Last updated: 2024-04-19

If the identity certificate of the Federation™ host or remote site is modified while the reverse tunnel is disconnected, you must reset the tunnel by generating and applying a new keyfile.

What you should know

For security reasons, a reverse tunnel keyfile can only be used once. The tunnel keyfile is needed only to establish the first connection from the remote site to the host.
Note: A tunnel reset is not required if the Federation host certificate is replaced while the tunnel is connected. The new host certificate is propagated to the remote system automatically.

Procedure

  1. Generate a new keyfile on the Federation host:
    1. In Genetec Configuration desktop, sign in to the Federation host system.
    2. Open the System task and click Roles > Reverse Tunnel Server > Properties.
    3. Select the site with the broken tunnel and click Force re-enrollment of this site.
    4. Click OK > Apply.
      The status of the site reverts to Not registered.
    5. Get the keyfile by doing one of the following:
    • If your workstation can access the remote site, click Copy keyfile to clipboard.
    • If your workstation cannot access the remote site, click Save keyfile to disk, and specify the file location.

      A file named <SiteName>.keyfile is saved to the folder that you select.

  2. Apply the new keyfile to the remote site:
    1. In Config Tool, sign in to the remote system.
    2. Open the System task and click Roles > Reverse Tunnel > Properties.
    3. (Optional) Select an Encryption option.
      Important: By default, connections to a Security Center SaaS Federation host require encryption.
      • Encrypt: Encrypt video in transit from the remote site to the Federation host.
      • Prefer encryption: Encrypt video in transit if both the remote site and the Federation host support TLS. Use this option if you are not certain of the capabilities of the Federation host.
      • Do not encrypt: Do not encrypt video in transit. Only use this option if the video is encrypted through other methods.
    4. (Optional) Turn on the Create agents on role servers option.
      By default, the servers hosting the Directory, Media Router, and Redirector roles all require outbound internet access for reverse tunneling.
      When this option is enabled, only the servers listed under Resources need outbound internet access for reverse tunneling.

    5. Enter the keyfile by doing one of the following:
    • If the keyfile was copied to the clipboard, paste it into the Tunnel keyfile field.
    • Click Select file, browse for the keyfile, and click Open.
      (Screenshot: System task in Config Tool showing the Reverse Tunnel Properties tab when a tunnel reset is required.)
  3. Click Apply.
    The Connection status changes to Connected.

After you finish

Sign in to the Federation host and confirm that the status of the remote site is Online.