    AMM Management Tunnel for ALEOS Devices

    In normal operation, an ALEOS device only communicates data to the AirLink Manager server via individual transactions. This approach has benefits from a data usage perspective, but it also has limitations, in that all communication must be initiated by the device. The Management Tunnel provides a persistent encrypted connection (SSL VPN tunnel) from the device to the server, and some communication is routed through that VPN.

    A side benefit of using the Management Tunnel is that a user logged into the AirLink Manager server can log in remotely to an individual device via ACEmanager without enabling remote access (the connection arrives at the device as a local connection from the LAN side), and this works even if the device has a private cellular (or other WAN) address. This is beneficial because enabling WAN access is generally considered poor security practice, while private-address cellular connections are generally cheaper, safer, and easier to acquire in the current cellular environment.

    For AMM 2.17.5+, if the management tunnel is up, a software upgrade is routed through the management tunnel. If the tunnel is not available, the software upgrade occurs over port 80.

    Additional Information:

    • ALEOS Device Limitations and AMM Server Requirements for Management Tunnel

      • ALEOS devices must be running ALEOS 4.15 or higher with AAF application support and have the AMMER application (minimum 1.0.3.005) installed. This feature is not supported on systems for which the minimum required ALEOS version is not available.
      • The ALEOS devices must use the default port 9443 for local (LAN) HTTPS access (MSCIID=1172) for the Remote Access ACEmanager feature to work. Enabling ACEmanager remote access is not required.
      • The AMM server must be version 2.17.5 or higher and have a valid TLS/SSL certificate to support the management tunnel feature (the AAF application is not distributed with earlier server images).

    • Configuration Steps for AMM Management Tunnel

      For ALEOS 4.15+, the AMM Management Tunnel can be set up as follows:

      1. On the ACEmanager server, navigate to Services.
      2. Expand the MSCI section.
      3. Set AMM Management Tunnel to Enable.
      4. Set the AMM Management Tunnel Port. By default, this is port 1190. A standard AMM installation is configured to accept ports 1190-1193, to support load balancing across multiple tunnels for large fleets.
      5. Click Apply to apply the changes, then reboot the device to activate the management tunnel.

      Once the management tunnel is active, you can access ACEmanager from the AMM gateway tree: select the gateway in the Gateway Tree and open its Gateway Details.

    • Tunnel IP Addresses and Management Tunnel Ports

      The AMM server is configured with four possible ports for the AMM management tunnel, but ALEOS (as of 4.11) does not contain any configuration elements or logic for selecting ports for load-balancing purposes; the port must be assigned per device.

      MSCIID 10034 is used to configure the ports (1190-1193) and the AMM has a limit of 2047 VPN connections per port. If a very large fleet is being added or the fleet is being added to a multi-tenant server, consider allocating the AMM Management Tunnels across all four available ports. This can be accomplished via the AMM’s Admin > Gateways spreadsheet upload feature, once devices are communicating with the server.

      The following table provides the private tunnel IP addresses associated with each AMM management tunnel port. These can be changed on the AMM server if these addresses are in conflict with addresses already used within the customer network. Contact Semtech Technical Support if the addressing needs to be modified.

      Port   Starting IP   Ending IP      Network
      1190   10.4.32.1     10.4.63.254    10.4.32.0/19
      1191   10.4.96.1     10.4.127.254   10.4.96.0/19
      1192   10.4.160.1    10.4.191.254   10.4.160.0/19
      1193   10.4.224.1    10.4.255.254   10.4.224.0/19

    • Displaying the Connection Status for an AMM Management Tunnel

      ALEOS does not currently have any UI indication of whether a management tunnel is connected, but a threshold can be added to the AMM dashboard to display the management tunnel address, which is only present while the tunnel is up. The server stat is ManagementTunnel-IPAddress.
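      The following is an added example, not Semtech or AirLink code, that models the port-to-network table above and the ManagementTunnel-IPAddress stat described here. It shows how a fleet administrator can verify that each port's /19 yields the listed address range, interpret the stat (absent means down; present means up, and the address should sit in the network of the port the device was configured with), check a customer LAN range for overlap with the tunnel networks before asking for them to be changed, and spread a fleet across the four ports without exceeding the 2047-connection limit on any one of them. The device IDs and customer ranges are constructed sample input; the round-robin assignment is this example's own policy for the Admin > Gateways spreadsheet, not an AMM feature.

```python
"""Added example (not Semtech/AirLink code): AMM management-tunnel
port/subnet checks based on the table and stat described in the article."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Port -> private tunnel network, exactly as listed in the article's table.
TUNNEL_NETWORKS: Dict[int, ipaddress.IPv4Network] = {
    1190: ipaddress.ip_network("10.4.32.0/19"),
    1191: ipaddress.ip_network("10.4.96.0/19"),
    1192: ipaddress.ip_network("10.4.160.0/19"),
    1193: ipaddress.ip_network("10.4.224.0/19"),
}
MAX_CONNECTIONS_PER_PORT = 2047   # AMM limit per port, from the article
DEFAULT_PORT = 1190               # ALEOS default for MSCIID 10034


def host_range(port: int) -> Tuple[str, str]:
    """First and last usable host address of a port's tunnel network.

    The network and broadcast addresses are excluded, which is why a /19
    starting at 10.4.32.0 yields 10.4.32.1 .. 10.4.63.254 as in the table.
    """
    net = TUNNEL_NETWORKS[port]
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def tunnel_status(stat_value: Optional[str],
                  configured_port: int = DEFAULT_PORT) -> str:
    """Interpret the ManagementTunnel-IPAddress server stat for one device.

    The stat is absent (None or empty) while the tunnel is down.  When it is
    present, the address should fall inside the network that belongs to the
    port the device was configured to use; anything else is worth a look.
    """
    if not stat_value:
        return "down"
    addr = ipaddress.ip_address(stat_value)
    if addr in TUNNEL_NETWORKS[configured_port]:
        return "up"
    for port, net in TUNNEL_NETWORKS.items():
        if addr in net:
            # Tunnel is up, but on a different port than the fleet sheet says.
            return f"up-on-port-{port}"
    return "unexpected-address"


def conflicts_with_tunnel(customer_net: str) -> List[int]:
    """Return the tunnel ports whose network overlaps a customer range.

    A non-empty result means the tunnel addressing must be changed on the
    AMM server (via Semtech Technical Support) before rolling out.
    """
    cn = ipaddress.ip_network(customer_net, strict=False)
    return [p for p, net in TUNNEL_NETWORKS.items() if cn.overlaps(net)]


def assign_ports(device_ids: List[str]) -> Dict[str, int]:
    """Round-robin a fleet across the four ports (hypothetical policy).

    Round-robin keeps every port within ceil(n/4) devices, so the per-port
    limit is respected whenever the total fits the four-port capacity.
    """
    ports = sorted(TUNNEL_NETWORKS)
    if len(device_ids) > MAX_CONNECTIONS_PER_PORT * len(ports):
        raise ValueError("fleet exceeds total management-tunnel capacity")
    return {dev: ports[i % len(ports)] for i, dev in enumerate(device_ids)}


if __name__ == "__main__":
    for port in sorted(TUNNEL_NETWORKS):
        print(port, *host_range(port), TUNNEL_NETWORKS[port])
    # Constructed sample stat values and a constructed customer LAN range.
    print(tunnel_status(None))                     # down
    print(tunnel_status("10.4.40.7", 1190))        # up
    print(tunnel_status("10.4.170.2", 1190))       # up-on-port-1192
    print(conflicts_with_tunnel("10.4.0.0/16"))    # all four ports collide
    print(assign_ports([f"dev-{i}" for i in range(6)]))
```

The status check is the piece to wire into a dashboard threshold: treat "down" and "unexpected-address" as alerts, and "up-on-port-N" as a configuration drift between the device's MSCIID 10034 value and the fleet spreadsheet.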

    • Ensuring the Correct Time on the Device

      As with any VPN, the time on the router must be accurate for the VPN connection to be established. Typically, the router gets the time from the cellular network and from GPS. If you are working on a bench without cellular or GPS coverage, ensure that NTP is enabled and that the configured NTP servers are reachable.

    • For a list of related ports and protocols for this functionality, see: ALEOS TCP/UDP Port Summary.