Product User Manual

CA Proxy Solution

SW Version 3.18

Changing the way operators deliver TV

9 February 2015

Change log
Date

Revision

Who

What

1.9.12

1.0

PMJ

Initial revision

1.10.13

1.1

PMJ

CA proxy system revised and improved. Improved client status

and management on server side. Improved redundancy
scheme in clients. To be supported in software 3.xx

SW Version 3.18

9 February 2015

Page 2 of 20

Table of Contents
1

INTRODUCTION ......................................................................................................................... 4

THE CA PROXY SOLUTION .................................................................................................... 5

2.1 RECOVERY WINDOW ..................................................................................................................... 6
2.1.1 Recovery window vs client redundancy switching ................................................................. 7

SYSTEM SECURITY AND VPN SETUP .................................................................................. 8

3.1 FIREWALL SETTINGS .................................................................................................................... 8
3.1.1 CA proxy server firewall ....................................................................................................... 8
3.1.2 CA proxy Client firewall ........................................................................................................ 8
3.2 CONFIGURING THE OPENVPN SYSTEM ......................................................................................... 8
3.2.1 Proxy server VPN configuration overview ............................................................................ 8
3.2.2 Proxy client VPN configuration overview ............................................................................. 8
3.3 VPN CERTIFICATE FILES CREATION............................................................................................. 9

CONFIGURING PROXY SERVER ......................................................................................... 10

4.1 INSTALLING THE VPN CERTIFICATES ......................................................................................... 10
4.2 CA PROXY SERVER IP ADDRESSES .............................................................................................. 10
4.3 DEFINING THE CLIENT LIST ......................................................................................................... 12
4.3.1 Client connection attributes................................................................................................. 12
4.3.2 Edit multiple client attributes .............................................................................................. 13
4.4 DEFINING THE ECMS (ACCESS CRITERIAS) .............................................................................. 13
4.5 DEFINING THE RECOVERY WINDOW ............................................................................................ 13

CONFIGURING THE PROXY CLIENT................................................................................. 15

5.1 INSTALLING THE CLIENT VPN CERTIFICATES ............................................................................. 15
5.2 CA PROXY CLIENT IP ADDRESSES ............................................................................................... 15
5.3 ESTABLISH CONNECTION TO THE CA PROXY SERVER ................................................................. 15
5.4 DEFINING A REDUNDANT CA PROXY SERVER ............................................................................. 16
5.4.1 Disable alarm triggers ........................................................................................................ 17
5.5 DEFINING ECMS ....................................................................................................................... 17

SYSTEM MONITORING .......................................................................................................... 19

6.1
6.2

CLIENT MONITORING ................................................................................................................. 19

ECM MONITORING..................................................................................................................... 20

SW Version 3.18

9 February 2015

Page 3 of 20

1 Introduction
This users manual is intended as a supplement to the general users manual. It describes the
ca proxy solution only.
This manual is divided into two sections. The first aims to explain the solution that has been
developed, while the second section explains how to configure the system using the WEB
interface.
The customer system today is multiple Cable networks being fed through a satellite
distribution channel. All Conditional access is handled centrally and all encryption/scrambling
is handled on the main head-end.
Now, the operator wants to expand the offering to the cable customers, but there is no more
capacity over the satellite link. The solution is to turnaround services from other satellite
distributors locally at the remote head-ends. This can be done in a traditional fashion, but
there will be a requirement for encryption of these added services into those cable networks.
This manual will describe a system that can distribute a Simulcrypt interface in a proxy
fashion from a centralized head-end to multiple remote located head-ends. The solution has
taken into account the security requirements with regard to media of distribution

SW Version 3.18

9 February 2015

Page 4 of 20

2 The CA Proxy solution

The CA Proxy solution provides a system for an efficient distribution of CW/ECM pairs to
multiple clients over a secure communication link.
The CA proxy Conditional Access solution will appear as shown in the figure below.

Main headend

CAS

SCS
Proxy

Internet
Figure 1 CA proxy Architecture

CW/ECM

CW/ECM

SCS Slave/
Scrambler

SCS Slave/
Scrambler

Regional network 1

Regional network n

The solution based on three major components

o

SCS_Master : This card does the communication to the CA system.

This card will generate the CW and collect the ECM from the CA system. In essence
this is similar to a standard scrambler card. It has some additional features regarding
communication to the CA proxy Server card.

CA_PROXY server: This card will request CW/ECM pair from the SCS_Master card,
for each individual SCG_ID (Access Criteria). These pairs will then be transferred to
the connected clients.

CA_PROXY_client. The scrambler card running in the regional head ends. This card

requests CW/ECM pairs from the CA proxy server.

SW Version 3.18

9 February 2015

Page 5 of 20

The flow of the CW and ECMs are shown below.

CAS
CW_Prov (1, 5)
ECM(1,5)
ECM_Req(1)
SCS
MMI
Master

CW +
ECM(1, 5)

CA
proxy
server

Central Headend

CW_Prov (1, 12)

<- VPN Tunnel

CW +
ECM(1,5)

MMI

DVBS
In

SCS

IP
Out

Regional Headend

Note: Although the clients initially will use their local CP number scheme the CA proxy server
will push down the CP numbering scheme from the Master SCS. So in the end all clients will
be synchronized to the same crypto period. In the above the client initially requests an ecm
for CP=12, the returned value is CP=5.

2.1 Recovery window

If the network for some reason fails, the reconnection of the channel is done in the same
principle manner as the Simulcrypt by the fact that SCS Slave tries to re-establish the
channel. If connection with the Proxy is lost, the ingested channels will be scrambled with the
last successfully received CW/ECM pair until a new valid pair is received.
A valid pair is in this context defined as the next crypto-period. If the Crypto-period
changeover is not sequential then the receiver will not be able to do a seamless CP change.
So in order to survive a connection failure the system must ensure that the next CW/ECM
pair that is received after a re-connection is for the Next CP. This is implemented by buffering
the CW/ECM pairs associated with a client if a client transfer fails. The recovery window
defines the connection downtime interval that will not cause picture artifacts upon client
reconnection.
The re-synchronization of clients is achieved by lowering the Crypto-period for the overall
system (to Max CP as defined in GUI) while the client who has re-connected runs on the
original CP duration.

SW Version 3.18

9 February 2015

Page 6 of 20

2.1.1 Recovery window vs client redundancy switching

The CA proxy solution has two independent systems to tackle problems between the CA
proxy server and the client.
1. CA proxy server redundancy switching (Implemented on the CA proxy Client)
2. Recovery Window (implemented on the CA proxy server)
In order for the total system to work optimally it is vital that the switch delay is tuned
according to the recovery window. If a 2 hour Recovery Window is defined on the server,
then the switch delay on the client should be set to the same delay. If the switching
happens much earlier the Recovery Window functionality is obsolete.

SW Version 3.18

9 February 2015

Page 7 of 20

3 System security and VPN setup

The communication between the CA proxy server and CA proxy client is done through a VPN
tunnel. The VPN server runs on the CA_PROXY_server card, and the VPN clients run on the
CA_PROXY_client. The VPN system is based on OpenVPN (http://openvpn.net/), the server
is configured such that duplicated client certificates are not allowed.
Both the CA Proxy server and the CA proxy client is firewalled using Iptables.

3.1 Firewall Settings

3.1.1 CA proxy server firewall
The CA proxy server runs a firewall that allows external connection on port 1194 only. When
a connection is established the system opens the required ports within the VPN tunnel. Ports
not used by the simulcrypt communication are closed.

3.1.2 CA proxy Client firewall

The client firewall does not allow any connections outside the VPN tunnel.
Within the tunnel tcp port 22 (SSH) is open such that it is possible to access the remote
clients via the openVPN tunnel.

3.2 Configuring the OpenVPN system

3.2.1 Proxy server VPN configuration overview
This is an overview only, details are found in the following paragraphs.
o

In the GUI, define the IP address and the corresponding net mask for the VPN tunnel.
This causes the system to generate a VPN configuration file on the CA_PROXY_server
card with the IP address and subnet defined.

Generate and install the VPN certificate files.

o

The generation of the certificate files must handled externally from the
AppearTV environment.

Define each client to be allowed access. This access list will add an extra layer of
security, where the serial number of the CA_PROXY_client cards is the identifier.

The VPN server must be accessed on port 1194.

3.2.2 Proxy client VPN configuration overview

This is an overview only, details are found in the following paragraphs.
o
o

In the GUI define the Ethernet address of the CA_PROXY_server card.

Install the client certificate (in the archive format explained below)

The client shall now be ready. In the case of a redundant CA_PROXY_server unit you will
need to define a redundant two CA_PROXY server IP addresses. Note that in a redundant
configuration the CA_PROXY_client will not open a tunnel to the backup CA_Proxy_server
until a redundancy switch is performed..

SW Version 3.18

9 February 2015

Page 8 of 20

3.3 VPN Certificate Files Creation

In order for the VPN connection can be established both the CA Proxy Server and the clients
must be configured with the correct certificate files.
The keys and certificates shall be created by the user using openvpn.
Follow these instructions to create files correctly.
http://openvpn.net/index.php/open-source/documentation/howto.html#pki
necessary files.

to

create

the

For server(s):
o
o
o
o

ca.crt,
server.key,
server.crt,
dhXXXX.pem

For clientX:
o
o
o

ca.crt,
clientX.key,
clientX.crt

Follow the instructions on

http://openvpn.net/index.php/open-source/documentation/howto.html#security
to create the necessary ta.key file.
When the above files has been created they need to be packed into tar-ball files for
installation into the CA proxy server and clients.
Create a tar-ball for the server(s) containing (ca.crt, server.key, server.crt, dhXXXX.pem,
ta.key)
Create a tar-ball for clientX containing (ca.crt, clientX.key, clientX.crt, ta.key)
NOTE: It is mandatory to follow these naming conventions (where XXX is selectable by the
user):
o

Master certificate authority: "ca.crt"

Shared secret tls-auth key: "ta.key"

Diffie Hellman parameters: "XXX.pem"

Server/client certificate:

Server/client key:

SW Version 3.18

XXX.crt"
"XXX.key"

9 February 2015

Page 9 of 20

4 Configuring Proxy server

4.1 Installing the VPN certificates
How to generate the VPN certificates please refer to previous sections in this document.
To install the certificates, press install certificate on the admin page:
o

Admin->ca_proxy_server->install certificate , or for the client

Admin->ca_proxy_client->install certificate

The figure in the next paragraph shows this page.

The system will then prompt the user to browse for the file to install. Choose the appropriate
tar-ball generated earlier, and press Install.

Upon completion the system will list the files that successfully where installed.
NOTE: If the required files are not present this will generate an alarm indicating which files
are not installed.
NOTE: If more than one proxy server is defined for a client, make sure that those servers
have the same certificates installed.

4.2 CA proxy server IP addresses

The CA proxy server card defines two sets of IP addresses, the IP address of the control port
and the VPN network.
To set the network addresses got to the Admin setup page for the CA Proxy server card.

SW Version 3.18

9 February 2015

Page 10 of 20

Figure 2: IP address configuration of CA proxy server.

External Proxy Access

(Control Port)

This is the control port of the CA proxy card, to which all the
remote clients should do a VPN connection.

IP address

The ip address of the control port

Gateway Address

The GW address of the control port.

Subnet mask

The subnet mask of the control port.

VPN Tunnel settings

This defines the virtual network address space for the VPN tunnel.

VPN server Address

This is the address to which the VPN clients will connect. Note
that this address will not be visible to the user in the client
configuration. The client configuration will configure the External
Proxy Address only. This network address will be resolved locally
by the remote clients via information available in the VPN
environment.
This address is resolved from the VPN IP Network Address and
the Max number of clients.

VPN Network mask

This mask is resolved from the VPN IP Network Address and the
Max number of clients

VPN IP Network Address

This network address of the VPN network. The value accepted for
this address also depends on the number of clients parameter.

Max number of clients

Defines the number of clients that the VPN network shall be able
to handle. The larger number the wider the network mask will be.

NOTE: Do not use network 192.168.0.x mask 255.255.255.0. This is a reserved network for
internal usage.

SW Version 3.18

9 February 2015

Page 11 of 20

4.3 Defining the client list

In order for clients to be allowed connection to a proxy server card the client must be added
to the client access list. This access list identifies a client via the serial number of the clients
scrambler card
Go to Conditional Access->SCS Proxy Server->Clients

Figure 3 Adding clients

4.3.1 Client connection attributes

From the client connection view it is possible to change the connection attributes of a
client.
To edit a clients attributes, click the edit on the client row.

Client Attribute
Name

Client connection name

Serial Number

The serial number of the scrambler card in the proxy client.

Connection

Allow/Deny Allow is the default value. Set the connection

state to Deny to temporally block a user. This can be done to
force the client to switch to the other CA proxy server (if that
is installed)

Recovery Window

Include/Exclude Default: Include

Include - This client is part of the recovery window logic.

SW Version 3.18

9 February 2015

Page 12 of 20

Exclude- The client is excluded from the RW logic, and hence

will not affect the CryptoPeriod of the system upon
communication failures..

4.3.2 Edit multiple client attributes

When multiple clients are selected a new edit icon will appear on the top row

Click the edit icon (the pencil) and the multiple client edit dialog appears.

The edit action will be applied to all selected clients.

4.4 Defining the ECMS (Access criterias)

The CA proxy server also hosts a scs card which shall communicate with the CA system.
To do this go to
o

Conditional Access->SCS ->ECMG

(define the location of the CA system)

Conditional Access->SCS ->ECM

(define the ecms.)

The ECMs is the ink between an access criteria and the SCG_ID. For further details on how to
configure the scs card please refer to the standard users manual.
Note: When the clients are configured later they do not relate to an access criteria, but to
the scg_id only.

4.5 Defining the recovery window

The recovery window is the maximum time a client can be disconnected without causing the
client to do a seamless re-connect.
A long recovery-window essentially accepts long crypto periods when client disconnects
happens. Please refer to the description section above for details.

SW Version 3.18

9 February 2015

Page 13 of 20

To set the recovery window go to

o

Conditional Access->scs proxy server

Figure 4 Recover window settings

Recovery window
Slot

The slot of the CA proxy server card.

Clients

Number of connected clients.

Minimum CP

The minimum crypto period. Normally this is dictated by the

CA system. Now the proxy server takes that function.

Maximum CP

How long crypto period shall the system allow when remote
clients are failing to communicate.

Client recovery window

A function of the Max crypto period.

SW Version 3.18

9 February 2015

Page 14 of 20

5 Configuring the Proxy client

The ca proxy clients are essentially scramblers which receive the ECMs and CWs from the CA
proxy servers. This manual does not describe how to configure services and start scrambling,
but it describes all the operations required to get the CA proxy server communication to
work. For details on how to configure services please refer to the standard users manual.

5.1 Installing the client VPN certificates

How to generate the VPN certificates please refer to previous sections in this document.
For instruction details please refer to the Proxy server VPN certificate installation guide.
NOTE: If more than one proxy server is defined for a client, make sure that those servers
have the same certificates installed.
NOTE: If the client is configured with a redundant CA proxy server, then only the active
connection will be open at the time.

5.2 CA proxy client IP addresses

The ca proxy client card communicates to the ca proxy server via the control port of the
SCS/scrambler card. The IP address of the control port is configured on the admin page of
the caproxy-client card. Please refer to the general users manual for details.
NOTE: Do not use the following networks addresses for the control port.
o

The network defined for the VPN network at the CA proxy server

The internal subnet of the client card: 192.168.0.x mask 255.255.255.0

5.3 Establish connection to the CA proxy server

The ca proxy client supports connection to one ca proxy server, with an option to define a
redundant proxy server.
To add a ca proxy server go to
o

Conditional Access->scs -> Connection

Figure 5 Add proxy server connection

SW Version 3.18

9 February 2015

Page 15 of 20

CA proxy connection
CA proxy External Access IP

This is the IP address where the VPN server can be reached.

This could be the public IP address of a firewall. This firewall
must then redirect port 1194 to the ca proxy server unit. If
the CA proxy server card is connected to a public address
then this ip address shall be the IP address of the control port
of the CA proxy scrambler card.

CAS ID

CA system id. This is used locally for generation of the CA

descriptor in the PMT.

Sub ID

Simulcrypt sub id. (typical value = 1)

State

Connection state to the server. Note that before a successful

connection can e established the server must define the serial
number of this scrambler card as a valid client in its client list.

Note: The VPN certificates must be installed to establish connection to the server.

5.4 Defining a redundant CA proxy server

As for standard ECMG connections it is possible to define a redundant CA proxy server. Note
however that if a client connection to the main ca proxy server is in a failure state it is not
possible to know if this is due to a connection problem or if it is due to a problem with the CA
proxy server on the central head end. Given the recovery window will survive long
connection failures it should be considered how to use this feature. Disabling all alarm
triggers for the CA redundancy module could be an alternative.
If the client attempt to connect to the redundant proxy then the recovery window is broken.
To define a redundant ca proxy server go to
o

Redundancy->CA

Figure 6 Defining the redundant CA proxy server

Redundant CA proxy
IP

The IP address of the redundant ca proxy server. Use the CA

proxy External Access IP of the proxy server.

Port

N/A, 1194 will be used.

SW Version 3.18

9 February 2015

Page 16 of 20

Channel

N/A for proxy systems, set to 1

CAS Sub id

N/A for proxy systems, set to 1

5.4.1 Disable alarm triggers

As discussed above, due to the Recovery window feature, it should be considered to set
redundancy switching into manual mode. This can be achieved by disabling all the
redundancy triggers.
When a trigger is disabled it means it is not sent to the redundancy module, hence an
automatic switch will not occur.
To disable the trigger, go to
o

Redundancy->Triggers , then disable alarms associated with the CA Redundancy

module. Currently one alarm only, the No Connection alarm

Figure 7 Redundancy Triggers

5.5 Defining ECMS

As for standard scramblers this ca proxy client must define its ECMs.
To add ecms go to
o

Conditional Access->SCS -> ECM

SW Version 3.18

9 February 2015

Page 17 of 20

Figure 8 Defining client ECMs

Define ECMs
Stream id

Simulcrypt stream ID. Stream alarms will be linked to this

value.

Name

Name for the ECM

ECM Generator

The ca proxy server now represents the ECMG.

SCG_ID

The SCG id must match an ID defined on the CA proxy server.

This is essentially the link to the access criteria.

Private data

Optional parameter: Private data that can be added to the CA

descriptor in the PMT.

Preferred ECM PID.

All services which use this ECM for the scrambling will try to
use the preferred ECM PID value if possible. It may clash with
other pids in the service, and then it will be remapped to
another value. See description of the component type
mapping feature on the output service configuration for more
options on how to control the output pid-line-up. This is
described in the standard users manual

SW Version 3.18

9 February 2015

Page 18 of 20

6 System monitoring
6.1 Client Monitoring
The client monitoring aims at giving the operator as much info about a connected client.

Client info

Description

Name

The name of the client as defined during configuration.

Serial Number

The serial number of the client scrambler card.

Software Version

Software version running on the remote clients scrambler

card, reported by the client.

Redundancy Mode

The currently active redundancy mode configured in the client,

as reported by the client.

Connects

Number of times the client has connected.

Connection State

Open/ Closed
The state of the communication link.

CP State

Crypto period State (MIN/MAX). This is dictated by the

Recovery Window state.

Recovery Time

MIN: All ECMs are running fine.

MAX: One or more ECMs are buffered on the server for
recovery.
The recovery time is time it will take until a client is in sync,
given the connection is open. If everything is OK then this
value = 0 seconds. I.e. the client is in synch.

SW Version 3.18

"0s" Everything OK
"1h 23m 33s" Within Recovery Window (RW), offset
is as indicated.
Outside RW" the client is outside the RW.
"No subscriptions" the client has not subscribed to
any ECMs
"Excluded" the client is excluded from the RW logic.
9 February 2015

Page 19 of 20

Subscribed ECMs

Click the link to get details state overview of all ECMs used by
this client.

6.2 ECM Monitoring

The ECM monitoring provides an overview of the state of each ECM in the system with respect to crypto period and client
associations.

This view is best understood by understanding the recovery window explained elsewhere in this document. However each ECM
has an allocated recovery buffer that can be used to cache CW/ECM pairs that can be re-transmitted to clients that has
temporarily lost connection.
The ECM Usage window lists all ECMs and the state for it. Normally the recovery buffer is empty, if not one or more clients are
not in sync. To see which clients this applies to click the Subscribed clients list.

Client info

Description

SCG ID

The scrambling control group id.

Name

A name for the ECM, defined when creating the ECM.

Client count

The number of clients that has subscribed to this ECM.

CP State

Crypto period State (MIN/MAX). This is dictated by the

Recovery Window state.
MIN: The ECM is updated correctly. I.e. all connected
clients using this ECM is doing fine.
MAX: One or more client that has subscribed to this
ECM has trouble.
See client monitoring description above

Recovery Time
Subscribed clients

SW Version 3.18

The link will list all clients that has subscribed to this particular
ecm.

9 February 2015

Page 20 of 20