Online Connectivity & Security Considerations
| Сайт: | QSC | 
| Курс: | General Q-SYS Topics | 
| Книга: | Online Connectivity & Security Considerations | 
| Напечатано:: | Gast | 
| Дата: | Saturday, 25 October 2025, 07:22 | 
Описание
Video Transcript
00:07
         Today we’re going to talk a little bit about network security options that you have on your Q-SYS system.
    00:12
         Q-SYS Designer Software version 8.0 or higher
    00:15
         uses a powerful web-based browser tool that allows for simplified Core management, known as CORE-MAN.
    00:23
         CORE-MAN! Who has the ability to adjust your network services with a single click!
    00:30
         Ah, I’m sorry, the complete name is Core-Manager,
    00:36
         but it does give you superhero-level powers.
    00:39
         Core Manager allows for a lot of granularity in your network security options -
    00:44
         especially when you give your Core access to QSC’s Cloud services via the Internet.
    00:49
         Now let’s start by setting up our Core for safe and secure connectivity
    00:53
         to QSC services like Q-SYS Reflect Enterprise Manager.
    00:57
         First, let's open up any web browser and enter your Core’s IP address into the address bar.
    01:05
         You can find your device’s IP address from its front panel,
    01:08
         or—if you’re already connected—from the top bar in the software.
    01:12
         You can use this IP address to access the Core Manager,
    01:15
         but before you do that … let’s talk briefly about connection protocols.
    01:20
         HTTP, or HyperText Transfer Protocol,
    01:23
         is the method by which information is formatted and transmitted on the web.
    01:27
         Now HTTPS is the same protocol, but it’s encrypted –
    01:32
         the S actually stands for Hope.
    01:36
         No, the S stands for Secure, obviously.
    01:39
         The two different protocols connect using two different ports –
    01:42
         HTTP uses port 80, where HTTPS uses port 443 – more on that later.
    01:48
         We recommend that you always use the HTTPS protocols when connecting to QSC devices using a browser.
    01:55
         However, there are a couple of things you should be aware of. Such as this:
    02:01
         Wow. That’s concerning.
    02:03
         Except, actually, it’s not; because I’m connecting to a device that I own as part of my infrastructure,
    02:10
         on the same local network as my computer– in this case, my Core processor.
    02:14
         I know this web page is accurate and encrypted.
    02:17
         In fact, it’s more secure than using HTTP
    02:21
         which, ironically, does not prompt these standard web browser warning messages.
    02:25
         So, it’s ok to bypass this warning and open the connection.
    02:30
         By the way, if you ever see this warning whiile trying to connect to a public website like your bank,
    02:36
         or … maybe that website with superhero fan-fiction, you probably (definitely) shouldn’t bypass that warning.
    02:46
         If you look at the address bar of the browser, however,
    02:48
         you’ll notice that the connection is flagged as Not Secure – but this is not entirely accurate.
    02:55
         The Core is using what’s referred to as a self-signed security certificate—
    02:59
         which may sound like something about as trustworthy as a dentistry license printed from home—
    03:06
         but because the connection made is using the HTTPS designation,
    03:11
         it is, in fact, still encrypted and more secure than a non-encrypted HTTP connection.
    03:18
         You can connect to a Core using standard HTTP and avoid these browser warning messages,
    03:23
         but you need to understand that those sessions are unencrypted, so inherently less secure.
    03:30
         As a result, you really should get into the habit of using this secure,
    03:34
         HTTPS method when connecting to your Core via a browser.
    03:39
         Now, let's look at Core Manager
    03:41
         We can see the status of my Core: including the Model, Firmware Version, the running design, etc.
    03:48
         Today, we’re going to focus on three main tabs: Users, Network Services, and Network Settings.
    03:55
         Let’s take a look at Users first.
    03:57
         It’s a good idea to protect your Core with a Username and Password.
    04:02
         Let’s “Enable Access Control”
    04:04
         to create different Users and permission levels defining who can edit or access the Core.
    04:10
         Let’s create our first User.
    04:12
         The first User created will always be an Administrator level user,
    04:16
         but you can name the user anything you like.
    04:20
         So rather than “Admin”, I'm going to name mine after someone who should have all the power …
    04:26
         ... and our lawyers are telling me I need to use the full name of … SUPERMANAGER.
    04:32
         And of course, we need a password:
    04:35
         … double check it,
    04:37
         There.
    04:38
         Now that we’re all set up, you’re ready to log into our Core, using our newly-created credentials.
    04:44
         Once we’re in,
    04:45
         we’re going to head over to the Users tab and set up another user by pressing the New User button.
    04:52
         Once again we can create a username and password,
    04:56
         but you’ll also notice that we can now assign the user a role.
    05:01
         There are three roles available – Viewer, Technician, and Administrator.
    05:06
         Our first user was automatically an Administrator.
    05:09
         An Administrator has full, unfettered access,
    05:12
         including the ability to add, edit and delete User accounts, and even disable Access Control entirely.
    05:19
         A Technician has full read/write access, with the exception of User accounts, which are read-only.
    05:26
         I’ll create a Technician role for a user who needs to make changes,
    05:30
         but doesn’t have as much power as our Admin role.
    05:34
         The final role is a Viewer.
    05:36
         A Viewer is essentially a read-only user that can view all of the settings except passwords and PINs,
    05:43
         but cannot edit anything.
    05:45
         The only action that the Viewer can perform is to reboot the Core from Core Manager.
    05:50
         So let’s make a Viewer user for somebody who is basically only good for watching:
    05:56
         Yes.
    05:58
         So, that’s Access Control—and it’s something that you should really use every time you deploy a Core.
    06:03
         Note that Users with the Administrator Role can edit other User’s passwords,
    06:08
         but if you forget the password for all Users with the Administrator Role, there is no real way to recover it –
    06:15
         so make sure you store it somewhere secure;
    06:17
         Remember, with great power comes great….
    06:20
         Oh, I'm sorry, I’m told that’s from a different universe.
    06:24
         Alright, let’s move on and talk about networking and IT security.
    06:29
         For that, we’ll navigate to the Network Settings page.
    06:32
         You’ll see that on the Core 110f we have three sections: LAN A, LAN B and DNS.
    06:40
         LAN A and LAN B represent the network interface ports of the same names on my Core.
    06:45
         The DNS addresses and gateway settings populate automatically from a DHCP server
    06:51
         somewhere on the corporate network,
    06:53
         or are provided by the network administrators.
    06:56
         Without a valid gateway and DNS address,
    06:59
         you’d be unable to connect to a web address using a Fully Qualified Domain Name, or FQDN.
    07:06
         In order to use certain Cloud services like Software Feature License activation,
    07:11
         or Q-SYS Reflect Enterprise Manager,
    07:14
         your Core will need to be able to connect to QSC’s secure servers via the Internet –
    07:19
         however, in most deployments, AV equipment tends to be on a dedicated,
    07:23
         and often not web-connected, subnet.
    07:27
         That’s where the LAN B comes in.
    07:29
         Most installers use LAN A for a dedicated AV subnet,
    07:32
         and LAN B for the main corporate network or some other network that provides secure web connectivity,
    07:38
         so you can take full advantage of those QSC web services.
    07:41
         ‘But wait!’ I hear you cry ‘Isn’t that going to make our friends in IT a little nervous?'
    07:46
         Don’t worry citizen, we’ve got that covered, and we’ll talk about how to manage this later.
    07:52
         As you can see, my LAN A connection has a statically-assigned IP address and net mask,
    07:57
         and does not have a gateway assigned.
    08:00
         This is because it is a dedicated subnet, with no requirement for a Gateway.
    08:05
         My LAN B connection, however, in addition to an IP address and net mask, also has a Gateway address.
    08:12
         This is the pathway for the Internet.
    08:14
         Another interesting thing to note
    08:16
         is that all communication between the Core and QSC’s Cloud services
    08:21
         are initiated by the Core as a secure, outbound connection on Port 443—
    08:26
         which, you may remember, is what HTTPS uses.
    08:31
         What this means is that, in most cases,
    08:34
         no additional network or firewall configuration is needed
    08:38
         to allow for full communication between the Core and QSC’s Cloud services.
    08:42
         So, now that the Core can connect both to our dedicated AV subnet and QSC’s Cloud services via the Internet,
    08:49
         let’s talk about managing the services running on those network ports.
    08:54
         For that, we’re going to look at the Network Services tab.
    08:58
         Here, in the Summary tab,
    09:00
         we can see the two network interfaces on my Core: LAN A and LAN B -
    09:05
         and, for each interface, there are a number of network protocols listed.
    09:09
         Each service displays the relevant TCP or UDP Ports it uses defined in the Protocol Detail field –
    09:16
         you can see port 80 for HTTP and port 443 for HTTPS, for example -
    09:22
         and all of which are currently enabled on both network interfaces.
    09:27
         If I click over here on the plus symbol for any protocol, I can see which services require this protocol.
    09:33
         Q-SYS Discovery Protocol, for instance, is required for Device Discovery,
    09:37
         Audio Enabled Peripherals and Control Peripherals, and communicating with TSC-3 touchpanels.
    09:43
         Long story, but those use a slightly different protocol than our other touchpanels.
    09:47
         If you click on the same plus symbol for the Q-SYS Control Binary protocol,
    09:51
         you’ll see a different set of services appear.
    09:54
         If we look over here on the right,
    09:56
         we can see that we have individual check marks
    09:59
         for each of the protocols and services in our expanded view.
    10:02
         Let’s go into the Management tab, and change a few of these settings.
    10:06
         As you can see,
    10:06
         we’re looking at the same information
    10:08
         but from the perspective of the Services rather than their underlying Protocols.
    10:13
         By clicking on the Edit button here, I can turn these services on or off individually for each LAN port.
    10:21
         Let’s say I have some Q-SYS Cameras deployed in my Design.
    10:25
         Obviously, those cameras need to communicate with the Core,
    10:27
         so we’re going to leave that particular service enabled on LAN A,
    10:31
         but the Core doesn’t need to be able to discover Q-SYS Cameras on the Corporate Network,
    10:35
         so let’s turn that service off on LAN B.
    10:40
         Now, I simply hit Save, my Core updates, and I’m taken back to my Summary tab –
    10:46
         where I can see that WSD, which uses port 3702, is disabled on LAN B.
    10:54
         If I click the plus symbol, my expanded view tells me that, yes, this protocol is used for Q-SYS Cameras,
    11:01
         and that it’s enabled on LAN A and disabled on LAN B.
    11:05
         That means the Core is no longer advertising,
    11:09
         or making available any ports or services related to the Q-SYS cameras on LAN B.
    11:14
         Note that some Protocols are used by multiple Services, look at Q-SYS Control Binary as an example.
    11:21
         In these cases, that Protocol (TCP:1700) will remain active
    11:26
         until all of those Services have been disabled using the Management tab.
    11:31
         Now, in most cases, you’ll want to leave all of the services for your AV LAN (typically LAN A) enabled
    11:37
         unless there are items that you know are not required,
    11:41
         but feel free to check with the IT Department to confirm that this is ok.
    11:44
         How many services you leave enabled on LAN B will really depend on the requirements of your project,
    11:50
         and the network security policies for the corporate network in question.
    11:54
         In many scenarios, where you simply want to use LAN B for secure communication with QSC’s Cloud services,
    12:01
         you would disable all Services leaving only secure, HTTPS enabled on LAN B.
    12:07
         Note that some services, like VoIP or SNMP,
    12:10
         are managed using their own pages outside of the Network Services Manager
    12:14
         so you'll want to consult those pages as well when locking down your Q-SYS Core for secure deployments.
    12:20
         So, now you’re equipped to manage secure access to your Core,
    12:24
         connect that Core to QSC’s secure web services,
    12:27
         and manage communications on all of your Core LAN ports.
    12:31
         Thanks for watching.