WINK Firewall & Network Configuration Guide

Technical Manual for Network Access Control
WINK Forge Transcoder & Media Router Deployments

Version 1.0 | April 2022
WINK Streaming | wink.co

1. Introduction
2. Deployment Scenarios
3. Hardware Appliance Firewall Requirements
4. Virtual Machine Firewall Requirements
5. Camera Access Scenarios
6. Complete Port Reference Tables
7. Network Architecture Examples
8. Multi-Agency Camera Sharing
9. General Security Best Practices
10. Troubleshooting Network Connectivity

1. Introduction

This guide provides comprehensive firewall and network configuration requirements for WINK Forge Transcoder and Media Router deployments. Whether you're deploying on-premise hardware appliances or virtual machines, this document covers all network access scenarios including:

Internal Camera Access: Accessing IP cameras within your LAN
Remote Camera Access: Accessing cameras from outside your network
Media Distribution: Hosting video streams via HLS, RTSP, RTMP, SRT, and other protocols
Administrative Access: Secure management interfaces
High Availability: VRRP and clustering configurations

Key Concepts

Inbound Traffic: Connections coming INTO the WINK appliance/VM
Outbound Traffic: Connections going OUT FROM the WINK appliance/VM
Bidirectional: Traffic flows in both directions (typically requires both inbound and outbound rules)

2. Deployment Scenarios

Scenario A: On-Site Hardware Appliance

Use Case: Physical WINK Forge or Media Router appliance installed in your data center or equipment room.

Network Requirements:

Static IP address (recommended)
Access to internal camera network
Internet access for licensing and updates (optional but recommended)
Direct connection to viewing clients or through firewall DMZ

Scenario B: Virtual Machine (VM)

Use Case: WINK Forge or Media Router deployed on VMware, Hyper-V, Proxmox, KVM, or cloud infrastructure (AWS, Azure, GCP).

Network Requirements:

VM network adapter configured for bridged or NAT mode
Static IP or DHCP reservation
Port forwarding if behind NAT
Sufficient bandwidth allocation (1Gbps+ recommended)

See also: Virtual Appliance Hardware Requirements for complete VM specifications.

Scenario C: Cloud-Hosted Public Distribution

Use Case: Hosting streams for public access via HLS/DASH on port 443.

Network Requirements:

Public IP address or load balancer
SSL/TLS certificate for HTTPS
Content Delivery Network (CDN) integration (optional)
DDoS protection (recommended)

Scenario D: Hybrid (Internal + Remote Access)

Use Case: Cameras on internal LAN, streams distributed both locally and remotely.

Network Requirements:

Split-horizon DNS or secure tunnel access
Firewall NAT/PAT rules for remote access
Internal and external network zones properly segmented

3. Hardware Appliance Firewall Requirements

3.1 WINK Forge Transcoder - Required Ports

Port(s)	Protocol	Direction	Purpose	Notes
443	TCP	Inbound	HTTPS Web Interface & API	Primary management interface
444	TCP	Inbound	HTTPS Admin Interface	Secondary admin port
554	TCP	Inbound + Outbound	RTSP Camera Input	For connecting to IP cameras
554	UDP	Inbound + Outbound	RTSP UDP Transport	Used when TCP transport unavailable
8554	TCP	Inbound + Outbound	Alternative RTSP Port	Secondary RTSP port for compatibility
5000-5999	UDP	Inbound + Outbound	RTP/RTCP Media Streams	Dynamic ports for RTSP media
1935	TCP	Inbound + Outbound	RTMP Streaming	Ingest and delivery
8000-8016	TCP	Inbound	Genetec Security Center Integration	VMS integration ports (16 channels)
8100-8116	TCP	Inbound	Genetec Security Center Integration	Additional VMS ports (16 channels)
8200-8216	TCP	Inbound	Genetec Omnicast Integration	Legacy VMS integration (16 channels)
8080-8090	TCP	Inbound	HTTP Stream Output	Alternative HTTP ports for media
9000	UDP	Inbound + Outbound	SRT (Secure Reliable Transport)	Configurable, 9000 is default
123	UDP	Outbound	NTP Time Synchronization	Critical for licensing and SSL

Genetec Security Center Integration

When integrating WINK Forge with Genetec Security Center or Omnicast VMS:

Ports 8000-8016: Primary Security Center integration (up to 16 simultaneous streams)
Ports 8100-8116: Secondary Security Center integration pool
Ports 8200-8216: Omnicast (legacy) integration compatibility
Each port represents one available stream/channel to the VMS
Configure these in Forge: Integrations → Genetec Settings

Related Guide: See the WINK-Genetec Interface Manual for complete integration setup.

3.2 WINK Media Router - Required Ports

Port(s)	Protocol	Direction	Purpose	Notes
80	TCP	Inbound + Outbound	HTTP Media Distribution	HLS, DASH, JPEG preview access
443	TCP	Inbound + Outbound	HTTPS Media Distribution	Secure HLS, DASH delivery
88	TCP	Inbound	HTTP Admin Interface	Deprecated - migrate to port 444
444	TCP	Inbound + Outbound	HTTPS Admin Interface & API	Primary management + API access
1935	TCP	Inbound + Outbound	RTMP Publishing & Playback	Ingest from Forge, deliver to clients
554	TCP	Inbound + Outbound	RTSP Distribution	RTSP re-streaming
554	UDP	Inbound + Outbound	RTSP UDP Transport	Alternative to TCP transport
8554	TCP	Inbound + Outbound	Alternative RTSP Port	Secondary RTSP port for compatibility
1024-32000	UDP	Inbound + Outbound	RTSP RTP/RTCP Dynamic Ports	Wide range for RTP sessions
8889	TCP	Inbound + Outbound	WebRTC (WHIP/WHEP)	Ultra-low latency streaming
123	UDP	Outbound	NTP Client	Time synchronization
25	TCP	Outbound	SMTP	Email notifications (configurable)

3.3 Optional Ports (Both Systems)

Port(s)	Protocol	Direction	Purpose	When Required
161	UDP	Inbound	SNMP Monitoring	If using SNMP-based monitoring
123	UDP	Inbound	NTP Server	If device acts as NTP source
5353	UDP	Inbound + Outbound	ZeroConf/mDNS Discovery	Auto-discovery on LAN
8080	TCP	Inbound	HTTP Media Alt Port	Alternative HTTP media port

Minimal Firewall Configuration

If you need to minimize open ports, this is the bare minimum required configuration:

WINK Forge (Minimal):

Inbound:  TCP 443 (HTTPS Web), TCP 444 (HTTPS Admin)
Outbound: TCP 554 (RTSP to cameras), UDP 5000-5999 (RTP), UDP 123 (NTP)

WINK Forge (with Genetec Integration):

Inbound:  TCP 443, 444 (HTTPS Admin), TCP 8000-8016 (Genetec)
Outbound: TCP 554 (RTSP to cameras), UDP 5000-5999 (RTP), UDP 123 (NTP)

WINK Media Router (Minimal for HLS-only distribution):

Inbound:  TCP 443 (HTTPS Media), TCP 444 (HTTPS Admin), TCP 1935 (RTMP from Forge)
Outbound: UDP 123 (NTP)

4. Virtual Machine Firewall Requirements

4.1 MAC Address Assignment - CRITICAL

IMPORTANT: All WINK Streaming hardware appliances and virtual machines are assigned MAC addresses from WINK Streaming's IETF PEN (Private Enterprise Number) allocation.

MAC Address Pool: 8c:1f:64:37:xx:xx

Critical Requirements:

✅ MAC addresses are pre-assigned by WINK Streaming and embedded in the system
✅ MAC addresses are tied to licensing and cannot be changed
✅ MAC addresses cannot be intermixed between systems
✅ Cloning VMs will cause licensing conflicts - contact WINK support before cloning
✅ If MAC address changes (hardware replacement, VM migration), license reactivation is required

Licensing Impact:

System GUID is derived from the MAC address
Changing MAC address will invalidate the license
VM snapshots that change MAC addresses will cause licensing failures
High-availability configurations requiring duplicate GUIDs need special licensing arrangements

Virtual Machine Configuration

When deploying WINK virtual machines, the MAC address configuration in your hypervisor software is critical:

Option 1 - Automatic (Recommended): Set network adapter MAC address to "Automatic" or "Auto" to accept the preconfigured appliance MAC address
Option 2 - Manual: Explicitly set the MAC address to the WINK-assigned address (8c:1f:64:37:xx:xx) provided with your VM

Important: If you manually assign a different MAC address or allow the hypervisor to generate a random MAC, the system will fail to license properly.

Troubleshooting MAC-Related Issues:

To verify the MAC address on your WINK system:

Log into the web interface (HTTPS port 443 or 444)
Navigate to System → Network Settings
Verify the MAC address begins with 8c:1f:64:37
If the MAC address doesn't match this prefix, contact WINK support immediately

4.2 Hypervisor-Level Network Configuration

VMware ESXi / vSphere

- Network Adapter Type: VMXNET3 (recommended) or E1000E
- Port Group: Standard or Distributed vSwitch
- MAC Address Setting: Set to "Automatic" OR manually enter WINK-assigned MAC (8c:1f:64:37:xx:xx)
- Security: Promiscuous Mode OFF, MAC Changes REJECT, Forged Transmits REJECT
- IMPORTANT: Do not select "Manual" with a different MAC address

Hyper-V

- Network Adapter: Synthetic (Generation 2) or Legacy (Generation 1)
- Virtual Switch: External for production traffic
- MAC Address Setting: Set to "Dynamic" (auto-accept) OR "Static" with WINK-assigned MAC (8c:1f:64:37:xx:xx)
- MAC Spoofing: Disabled
- IMPORTANT: If using Static, enter the exact WINK-provided MAC address

KVM/Proxmox

- Network Model: VirtIO (best performance) or E1000
- Bridge: vmbr0 or custom bridge to physical NIC
- MAC Address Setting: Leave blank/auto OR manually enter WINK-assigned MAC (8c:1f:64:37:xx:xx)
- Firewall: Can be enabled at Proxmox level or within VM
- IMPORTANT: In Proxmox, edit VM → Hardware → Network Device → MAC Address field

Cloud Providers (AWS/Azure/GCP)

AWS: Security Groups (stateful firewall), ENI configured with WINK MAC or auto-assigned
Azure: Network Security Groups (NSGs), NIC with WINK MAC address configured
GCP: VPC Firewall Rules, ensure MAC address matches WINK assignment (8c:1f:64:37:xx:xx)

Note: Cloud providers may handle MAC addresses differently. Consult WINK support for
cloud-specific deployment guidance to ensure proper MAC address configuration.

Additional Reading: For complete virtual machine specifications including CPU, RAM, and storage requirements, see the Virtual Appliance Hardware Requirements Guide.

4.3 VM Guest Firewall Configuration

If the WINK VM has a guest-level firewall (iptables, firewalld, ufw), ensure the same port rules from Section 3 are applied. Most WINK deployments have firewall disabled at the guest level, relying on hypervisor or network-level firewalls instead.

Important Notes

Avoid double-NAT scenarios. If the VM is behind NAT, ensure port forwarding is configured correctly at the hypervisor or router level.
Ensure MAC address (8c:1f:64:37:xx:xx) is preserved during VM operations
VM cloning or migration that changes MAC address will cause licensing failures

5. Camera Access Scenarios

5.1 Accessing Cameras Internal to the LAN

Scenario: WINK Forge/Media Router and IP cameras are on the same internal network (e.g., 192.168.1.0/24 or 10.0.0.0/8).

Component	Configuration	Firewall Rule
WINK Forge	Must be able to reach camera IPs directly	Outbound TCP/UDP 554 to camera subnet
IP Cameras	RTSP must be enabled, username/password set	Inbound TCP/UDP 554 from WINK Forge IP
Internal Firewall	If segmented networks, allow WINK → Camera traffic	Allow TCP/UDP 554, UDP 5000-5999
RTP Media	Dynamic UDP ports for video/audio data	Outbound UDP 5000-5999 from WINK to cameras

Firewall Configuration Requirements

Your network firewall must allow the following traffic:

WINK Forge → Cameras: TCP/UDP port 554 (RTSP)
WINK Forge → Cameras: UDP ports 5000-5999 (RTP media)

Configure these rules on your router, enterprise firewall (Cisco ASA, Palo Alto, Fortinet), or cloud security groups.

Related Guide: For optimal camera placement and mounting angles, see the Camera Mounting & Analytics Guide.

[IP Cameras] [WINK Forge] [WINK Media Router] [Internal Clients] 192.168.100.x -> 192.168.1.50 -> 192.168.1.51 -> 192.168.1.0/24 (RTSP 554) (Transcode) (Distribute HLS) (View Port 443)

5.2 Accessing Cameras Remotely from Outside the LAN

Scenario: WINK Forge is on your LAN, but cameras are at a remote site accessible via the internet or secure tunnel.

Option A: Secure Tunnel (Recommended)

Establish site-to-site encrypted tunnel between locations
Cameras appear on local subnet through secure connection
No direct port forwarding needed
Best security practice

Option B: Port Forwarding (Not Recommended for Cameras)

Forward ports 554, 5000-5999 from router to camera IPs
High security risk (exposes cameras to internet)
Only use with strong passwords and IP whitelisting

Option C: WINK Forge Remote Access

Host WINK Forge in DMZ or with public IP
WINK Forge connects to cameras via secure tunnel or private network
Expose only Media Router port 443 (HTTPS/HLS) to public
Most secure for public distribution

Required Firewall Rules (Secure Tunnel Scenario):

Network Gateway Firewall:
- Allow encrypted tunnel traffic between sites
- Allow RTSP traffic through tunnel (TCP/UDP 554)

WINK Forge Firewall:
- Allow outbound to tunnel gateway
- Allow outbound RTSP to remote camera subnet via tunnel

5.3 Hosting Media via WINK Media Router

Scenario: Distributing transcoded video to internal and external viewers via HLS, RTSP, RTMP, SRT, etc.

5.3.1 HLS/DASH over HTTPS (Port 443) - Recommended

Use Case: Widest compatibility, works in browsers, mobile apps, smart TVs.

Firewall Configuration:

Media Router Firewall:
- ALLOW Inbound TCP 443 from ANY (or specific IP ranges)
- ALLOW Outbound TCP 443 for API callbacks (if used)

Example URL Format:

https://mediarouter.example.com/live/HLS/WMR1-GUID_camera1.m3u8

Client Requirements: Modern web browser, HLS-compatible player (VideoJS, JW Player, native HTML5).

Performance Considerations

HLS has 5-30 second latency (configurable)
Best for scalability (can serve thousands of viewers)
Works through most corporate firewalls
CDN-friendly (Cloudflare, Akamai, AWS CloudFront)

5.3.2 RTSP Streaming (Port 554)

Use Case: VMS integration (Milestone, Genetec, ExacqVision), professional monitoring clients.

Firewall Configuration:

Media Router Firewall:
- ALLOW Inbound TCP 554 from specific VMS server IPs
- ALLOW Inbound UDP 554 if UDP transport is used
- ALLOW Inbound UDP 1024-32000 for RTP media streams

Example URL Format:

rtsp://mediarouter.example.com:554/live/WMR1-GUID_camera1

Performance Considerations

Low latency (< 1 second typical)
Requires open firewall ports (harder through NAT)
Limited scalability (100-500 concurrent viewers typical)

5.3.3 RTMP Streaming (Port 1935)

Use Case: Legacy flash players, OBS Studio ingest, social media restreaming.

Firewall Configuration:

Media Router Firewall:
- ALLOW Inbound TCP 1935 from client IP ranges
- ALLOW Outbound TCP 1935 to upstream services (YouTube, Facebook)

Example URL Format:

rtmp://mediarouter.example.com/live/WMR1-GUID_camera1

5.3.4 SRT Streaming (Port 9000 UDP)

Use Case: Low-latency internet streaming with error correction, contribution feeds.

Firewall Configuration:

Media Router Firewall:
- ALLOW Inbound UDP 9000 (or custom port) from specific source IPs
- ALLOW Outbound UDP 9000 for caller mode connections

Example URL Format:

srt://mediarouter.example.com:9000?streamid=camera1&passphrase=secret123

Performance Considerations

Very low latency (sub-second possible)
Excellent on unreliable networks (ARQ error recovery)
Encryption built-in (AES-128/256)
UDP-based (NAT traversal challenges)

Related Guide: For detailed protocol comparisons and use case recommendations, see Protocol Selection for Long-Distance Streaming.

5.3.5 WebRTC Streaming (Port 8889 TCP)

Use Case: Ultra-low latency browser-based viewing, interactive applications.

Firewall Configuration:

Media Router Firewall:
- ALLOW Inbound TCP 8889 for WHIP/WHEP signaling
- ALLOW Inbound UDP 1024-65535 for ICE/STUN/TURN (ephemeral ports)
- Configure STUN/TURN servers for NAT traversal

Example URL Format:

http://mediarouter.example.com:8889/streamname/whep

Performance Considerations

Lowest latency (<500ms glass-to-glass)
Complex NAT traversal (requires STUN/TURN)
Limited scalability without SFU (100-200 viewers typical)
Best for interactive use cases

6. Complete Port Reference Tables

6.1 WINK Forge Transcoder - Complete Port Matrix

Port	Protocol	Direction	Purpose	Priority	Default State
80	TCP	Inbound	HTTP Redirect	Optional	Enabled (redirects to 443)
123	UDP	Outbound	NTP Client	Required	Enabled
443	TCP	Inbound	HTTPS Web/API	Required	Enabled
444	TCP	Inbound	HTTPS Admin	Required	Enabled
554	TCP	In/Out	RTSP Camera Input	Required	Enabled
554	UDP	In/Out	RTSP UDP Transport	Optional	Enabled
1935	TCP	In/Out	RTMP	Optional	Enabled if configured
5000-5999	UDP	In/Out	RTP/RTCP	Required	Enabled
8000-8016	TCP	Inbound	Genetec Security Center	Optional	Enabled if configured
8080-8090	TCP	Inbound	HTTP Streams	Optional	Enabled if configured
8100-8116	TCP	Inbound	Genetec Security Center	Optional	Enabled if configured
8200-8216	TCP	Inbound	Genetec Omnicast	Optional	Enabled if configured
8554	TCP	In/Out	Alternative RTSP	Optional	Enabled if configured
9000	UDP	In/Out	SRT	Optional	Enabled if configured

6.2 WINK Media Router - Complete Port Matrix

Port	Protocol	Direction	Purpose	Priority	Default State
25	TCP	Outbound	SMTP Email	Optional	Enabled if configured
80	TCP	In/Out	HTTP Media	Required	Enabled
88	TCP	Inbound	HTTP Admin (Legacy)	Deprecated	Enabled (will be removed)
123	UDP	Inbound	NTP Server	Optional	Disabled
123	UDP	Outbound	NTP Client	Required	Enabled
161	UDP	Inbound	SNMP	Optional	Disabled
443	TCP	In/Out	HTTPS Media	Required	Enabled
444	TCP	In/Out	HTTPS Admin/API	Required	Enabled
554	TCP	In/Out	RTSP	Required	Enabled
554	UDP	In/Out	RTSP UDP	Optional	Enabled
1024-32000	UDP	In/Out	RTSP RTP/RTCP	Required	Enabled
1935	TCP	In/Out	RTMP	Required	Enabled
5353	UDP	In/Out	ZeroConf	Optional	Disabled
8080	TCP	Inbound	HTTP Media Alt	Optional	Disabled
8554	TCP	In/Out	Alternative RTSP	Optional	Enabled if configured
8889	TCP	In/Out	WebRTC WHIP/WHEP	Optional	Enabled if configured

7. Network Architecture Examples

7.1 Basic Single-Site Deployment

[INTERNET] | [Router/Firewall] | (Port forwarding: 443 → 192.168.1.51) | ---------------------------------------- | | | [IP Cameras] [WINK Forge] [WINK Media Router] 192.168.1.10-20 192.168.1.50 192.168.1.51 | | | +----RTSP:554--------+ | | | +---RTMP:1935-----+ | +---HLS:443---> [Viewers]

Firewall Rules

# Allow Forge to access cameras
Rule 1: ALLOW 192.168.1.50 → 192.168.1.10-20 TCP/UDP 554
Rule 2: ALLOW 192.168.1.50 → 192.168.1.10-20 UDP 5000-5999

# Allow Forge to publish to Media Router
Rule 3: ALLOW 192.168.1.50 → 192.168.1.51 TCP 1935

# Allow public access to Media Router HLS
Rule 4: ALLOW ANY → 192.168.1.51 TCP 443 (port forward from WAN)

# Allow both systems to sync time
Rule 5: ALLOW 192.168.1.50,51 → ANY UDP 123

8. Multi-Agency Camera Sharing

8.1 Camera Sharing Use Cases

Many government agencies and transportation departments use WINK systems to share live camera feeds with partner organizations:

DOT/511 Systems

State DOT sharing traffic cameras with city/county agencies and media outlets

Emergency Response

Police/Fire sharing surveillance feeds during incidents

Public Transparency

Citizen-facing portals for public camera access

Cross-Jurisdictional

County sharing with adjacent counties or state agencies

Key Principle

Partner agencies never receive direct camera access. All distribution flows through WINK Media Router acting as a secure proxy layer.

8.2 Network Architecture for Camera Sharing

Layer 1: Camera Network (Private) | | RTSP 554, RTP 5000-5999 v Layer 2: WINK Forge Transcoder (192.168.1.50) | | RTMP 1935 v Layer 3: WINK Media Router Proxy (192.168.1.51 / DMZ) | | HLS/HTTPS 443 (Internet-facing) v Layer 4: Partner Networks / Public Internet | +----> State Agency A (OTP Auth) +----> Local TV Station B (IP Whitelist) +----> City Agency C (OTP Auth) +----> Public 511 Portal (Anonymous/Rate Limited)

Firewall Rules for Multi-Agency Sharing

Zone	Source	Destination	Port	Protocol	Purpose
Internal	Forge (192.168.1.50)	Cameras (192.168.100.x)	554	TCP/UDP	RTSP camera input
Internal	Forge	Cameras	5000-5999	UDP	RTP media streams
Internal	Forge	Media Router (192.168.1.51)	1935	TCP	RTMP publishing
DMZ	ANY (Internet)	Media Router	443	TCP	HTTPS/HLS distribution
DMZ	Media Router	Internet	123	UDP	NTP time sync
Management	Admin IPs	Forge/Router	444	TCP	Admin interface

8.3 Partner Authentication Methods

Option A: OTP (One-Time Password) - Recommended

Best for: Dynamic IP addresses, web-based viewing, temporary access

How it works:

Partner requests OTP token via API: POST /otp/api/ action=create&duration=60
Media Router returns token: 24814928371014572819
Partner appends to stream URL: https://router.agency.gov/hls/camera1.m3u8?token=24814928371014572819
Token expires after specified duration (default 10 minutes)
Partner requests new token before expiration

Firewall Requirements:

Partners only need outbound HTTPS (443) - works through most corporate firewalls
No IP whitelisting required
No special network configuration needed

Advantages:

Works from any network location
Automatic expiration (no forgotten credentials)
Complete audit trail (who accessed what, when)
No certificate management complexity

Option B: IP Whitelisting

Best for: Fixed infrastructure (VMS systems, control rooms), internal partners

How it works:

Partner provides static IP addresses or CIDR ranges
Media Router ACL configured: Playback ACL: 203.0.113.0/24, 198.51.100.50/32
Partner accesses streams directly: rtsp://router.agency.gov/live/camera1

Firewall Requirements:

Media Router ACL Configuration:
Application: live
Publish ACL: 192.168.1.50/32  (only WINK Forge can publish)
Playback ACL: 203.0.113.0/24, 198.51.100.50/32  (partner IP ranges)
HTTP ACL: 0.0.0.0/0  (public HLS access with OTP)

Advantages:

No token management needed
Lower latency (RTSP direct access)
Better for VMS integration

Disadvantages:

Requires static IPs
Less flexible for remote workers
Harder to audit individual users

8.4 Bandwidth Management for Multiple Partners

Challenge

50 cameras × 3 Mbps each × 5 partners = 750 Mbps potential load

Solutions:

1. Per-Partner Bandwidth Limits

Enforce concurrent connection limits per organization
Example: Agency A gets 10 concurrent streams max
Prevents one partner from consuming all resources

2. Protocol Selection by Use Case

VMS Integration: RTSP (low latency, <10 viewers)
Web Portals: HLS (high scalability, unlimited viewers)
Public 511: HLS + CDN (millions of viewers possible)
Media Outlets: RTMP (legacy compatibility)

3. CDN for Public Distribution

Direct distribution: 100-500 concurrent viewers per Media Router
CDN distribution: Unlimited viewers (Cloudflare, AWS CloudFront)
Only HLS/DASH traffic should use CDN (not RTSP/RTMP)

4. Network Bonding

Use 2+ network interfaces in LACP mode (802.3ad)
Increases throughput from 1Gbps to 2Gbps+
See Media Router manual for bonding configuration

8.5 Security Best Practices for Camera Sharing

DO:

✅ Use Media Router as proxy layer (partners never access cameras directly)
✅ Use OTP for dynamic/remote partners
✅ Use IP whitelisting for fixed infrastructure partners
✅ Enforce bandwidth limits per partner organization
✅ Monitor access logs for unusual patterns
✅ Keep firmware updated on all systems
✅ Use HTTPS (443) for public distribution
✅ Implement rate limiting on public portals

DON'T:

❌ Give partners direct RTSP access to cameras
❌ Provide direct network access to camera infrastructure
❌ Allow partners to redistribute without permission
❌ Use default credentials (admin/admin)
❌ Expose admin ports (444, 22, 88) to internet
❌ Allow anonymous RTMP publishing
❌ Deploy CloudFlare/WAF in front of RTSP/RTMP streams
❌ Change or spoof MAC addresses on WINK systems

9. General Security Best Practices

9.1 Network Segmentation Recommendations

For optimal security, consider isolating your camera network from corporate networks. WINK Streaming does not prescribe specific network topologies - your network architecture is your responsibility. However, typical best practices include:

Example Network Segmentation (for reference only)

Management Network: Admin access to WINK systems
Camera Network: IP cameras and related infrastructure
Video Infrastructure: WINK Forge/Router systems
Corporate Network: General business systems

Typical Firewall Policy Considerations:

Allow WINK systems to reach cameras (RTSP, RTP)
Allow authorized management access to WINK admin interfaces
Restrict direct camera access from corporate networks
Allow corporate users to view streams via Media Router (port 443)

9.2 Access Control Lists (ACLs)

Configure ACLs on Media Router applications:

# Restrict publishing to WINK Forge only
Publish ACL: 192.168.1.50/32

# Restrict playback to internal network
Playback ACL: 192.168.0.0/16

# Public HLS access (no ACL restriction, rely on OTP)
HTTP ACL: 0.0.0.0/0 (with OTP authentication)

9.3 Authentication & Encryption

Always use:

HTTPS for web interfaces (443/444)
Digest authentication for RTSP cameras (not Basic)
SRT with passphrase encryption
One-Time Passwords (OTP) for public HLS access
Strong passwords (16+ characters, mixed case, symbols)

Never:

Expose admin ports (88, 444, 22) to public internet
Use default credentials (admin/admin)
Allow anonymous RTMP publishing
Run HTTP on port 80 for public access (use 443)

9.4 DDoS Protection

For public-facing deployments:

Use a reverse proxy (nginx, HAProxy) in front of Media Router
Enable rate limiting (e.g., 10 connections/second per IP)
Use CDN with DDoS protection (Cloudflare, Akamai)
Implement geo-blocking if appropriate
Monitor for abnormal traffic patterns

9.5 Regular Security Audits

Monthly Checklist

Review firewall logs for unauthorized access attempts
Update WINK firmware to latest version
Rotate admin passwords
Review user accounts and remove unused ones
Check SSL certificate expiration dates
Verify NTP time synchronization
Test failover systems (VRRP, bonding)
Review bandwidth usage for anomalies
Confirm MAC addresses are unchanged (8c:1f:64:37:xx:xx)

10. Troubleshooting Network Connectivity

10.1 Can't Access Cameras from WINK Forge

Symptoms

Forge shows "Camera Offline" or "Connection Timeout"

Troubleshooting Steps:

1. Verify Network Connectivity

Use the built-in network diagnostic tools in WINK Forge web interface:

Log into Forge web interface (HTTPS port 443 or 444)
Navigate to Tools → Network Diagnostics
Use the Ping Tool to test connectivity to camera IP (e.g., 192.168.1.10)
Use the Port Check Tool to verify RTSP port 554 is reachable
Use the Traceroute Tool to identify network path issues

2. Check Firewall Rules

Verify your network firewall configuration:

Ensure TCP/UDP port 554 is allowed from Forge IP to camera subnet
Ensure UDP ports 5000-5999 are allowed (RTP/RTCP)
Check router/firewall logs for blocked connections
Temporarily disable firewall to isolate issue (if safe to do so)

3. Verify Camera Configuration

Ensure RTSP is enabled on camera
Check username/password are correct in Forge camera settings
Try accessing camera RTSP URL from VLC on a workstation to verify camera is working
Verify camera firmware is up to date

4. Check MTU Settings

If cameras are on wireless or tunneled connections, MTU mismatch can cause issues
In Forge web interface, go to System → Network Settings
Try reducing MTU to 1400 if experiencing packet fragmentation

5. Review Forge Logs

In Forge web interface, navigate to System → Logs
Filter for camera connection errors
Look for "Connection refused", "Timeout", or "Authentication failed"

10.2 Viewers Can't Access HLS Streams

Symptoms

"Video failed to load" or infinite buffering in browser

Troubleshooting Steps:

1. Test Direct Access

From the viewer's computer:

Try accessing the stream URL directly in a web browser
Use an online port checker tool to verify port 443 is open (e.g., canyouseeme.org)
Check if you can access the Media Router admin interface (https://mediarouter.example.com:444)

2. Check Media Router Status

In the Media Router web interface:

Navigate to Applications → Live Streams
Verify the stream shows as "Running" status
Check System → Logs → Access Logs for connection attempts
Review System → Network Status to verify port 443 is active

3. Verify Stream is Active

Log into Media Router web interface
Check if stream shows as "Running"
Verify Forge is successfully publishing to Router

4. Check NAT/Port Forwarding

If behind NAT, verify port 443 is forwarded to Media Router
Check router logs for dropped connections
Ensure external IP hasn't changed (use DDNS if dynamic)

5. Browser Developer Tools

Open browser console (F12)
Look for CORS errors, 404 errors, or SSL certificate warnings
Check Network tab for failed requests

Summary

This comprehensive guide covers firewall and network configuration for all WINK Forge and Media Router deployment scenarios. Key takeaways:

Essential Configuration

✅ Always open these ports for basic operation: TCP 443/444 (HTTPS admin and media), TCP/UDP 554 (RTSP), UDP 123 (NTP)
✅ Use HTTPS (port 443) for public distribution - widest compatibility
✅ Segment camera network from corporate network for security
✅ Use secure tunnels for remote camera access instead of port forwarding
✅ Enable OTP authentication for public HLS streams
✅ Monitor bandwidth and CPU usage to prevent performance issues
✅ Keep firmware up to date and change default credentials
✅ Preserve MAC addresses (8c:1f:64:37:xx:xx) - critical for licensing

Additional Support

For additional support, contact:

Email: support@wink.co
Phone: +1-312-281-5433
Documentation: https://wink.co/resources

WINK Firewall & Network Configuration Guide

Table of Contents

1. Introduction

Related Documentation

Key Concepts

2. Deployment Scenarios

Scenario A: On-Site Hardware Appliance

Scenario B: Virtual Machine (VM)

Scenario C: Cloud-Hosted Public Distribution

Scenario D: Hybrid (Internal + Remote Access)

3. Hardware Appliance Firewall Requirements

3.1 WINK Forge Transcoder - Required Ports

Genetec Security Center Integration

3.2 WINK Media Router - Required Ports

3.3 Optional Ports (Both Systems)

Minimal Firewall Configuration

4. Virtual Machine Firewall Requirements

4.1 MAC Address Assignment - CRITICAL

Virtual Machine Configuration

4.2 Hypervisor-Level Network Configuration

VMware ESXi / vSphere

Hyper-V

KVM/Proxmox

Cloud Providers (AWS/Azure/GCP)

4.3 VM Guest Firewall Configuration

Important Notes

5. Camera Access Scenarios

5.1 Accessing Cameras Internal to the LAN

Firewall Configuration Requirements

5.2 Accessing Cameras Remotely from Outside the LAN

Option A: Secure Tunnel (Recommended)

Option B: Port Forwarding (Not Recommended for Cameras)

Option C: WINK Forge Remote Access

5.3 Hosting Media via WINK Media Router

5.3.1 HLS/DASH over HTTPS (Port 443) - Recommended

Performance Considerations

5.3.2 RTSP Streaming (Port 554)

Performance Considerations

5.3.3 RTMP Streaming (Port 1935)

5.3.4 SRT Streaming (Port 9000 UDP)

Performance Considerations

5.3.5 WebRTC Streaming (Port 8889 TCP)

Performance Considerations

6. Complete Port Reference Tables

6.1 WINK Forge Transcoder - Complete Port Matrix

6.2 WINK Media Router - Complete Port Matrix

7. Network Architecture Examples

7.1 Basic Single-Site Deployment

Firewall Rules

8. Multi-Agency Camera Sharing

8.1 Camera Sharing Use Cases

DOT/511 Systems

Emergency Response

Public Transparency

Cross-Jurisdictional

Key Principle

8.2 Network Architecture for Camera Sharing

Firewall Rules for Multi-Agency Sharing

Related Documentation

8.3 Partner Authentication Methods

Option A: OTP (One-Time Password) - Recommended

Best for: Dynamic IP addresses, web-based viewing, temporary access

Option B: IP Whitelisting

Best for: Fixed infrastructure (VMS systems, control rooms), internal partners

8.4 Bandwidth Management for Multiple Partners

Challenge

8.5 Security Best Practices for Camera Sharing

DO:

DON'T:

9. General Security Best Practices

9.1 Network Segmentation Recommendations

Example Network Segmentation (for reference only)

9.2 Access Control Lists (ACLs)

9.3 Authentication & Encryption

Always use:

Never:

9.4 DDoS Protection

9.5 Regular Security Audits

Monthly Checklist

10. Troubleshooting Network Connectivity