Auto-Provisioning Mediatrix Units with Configuration Scripts

This configuration describes how to use the Mediatrix unit's functionality that allows it to fetch the firmware and configuration files automatically from a provisioning server by using FTP, TFTP, HTTP or HTTPS.

Note: Mediatrix units can also be provisioned with the Virtuo Element Management System (EMS). For more details on using the Virtuo EMS, refer to the Virtuo documentation published on the Media5 documentation portal at https://documentation.media5corp.com/.

Overview of the Server Configuration

Preparing Windows Server IIS

Before you begin
If using Windows, ensure that the HTTP Server functionality is activated and that the configuration files and binaries are located under the Web Server root directory (default location: C:\Inetpub\wwwroot).
Context
Media5 recommends that the administrator creates a subdirectory for the firmware and another subdirectory for the configuration files under the Web Server root directory.
Steps
  1. Create a subdirectory for the firmware under the Web Server root directory.
  2. Create a subdirectory for the configuration files under the Web Server root directory.
Result



Preparing the PumpKIN TFTP Server

Before you begin
If you are using the PumpKIN TFTP server, ensure that it allows the proper permissions. Make sure that the options are selected as shown in the figure below.
Context
Media5 recommends that the administrator creates a subdirectory for the firmware and another subdirectory for the configuration files under TFTP root.
Steps
  1. Create a subdirectory for the firmware under C:\PumpKIN\
  2. Create a subdirectory for configuration files under C:\PumpKIN\
Result



Configuration Scripts

Configuration scripts are files containing textual commands that are sent from the ACS over the network to a Mediatrix unit.

Configuration scripts support all configuration parameters and can be created for a group of units or for a specific unit of the Network.

The automated importation of configuration scripts can be performed with the use of a Customer Profile or using a DHCP server indicating the location of the file server with options 66 or 67. The automated importation to a unit is what is referred to as zero-touch, as the unit is automatically updated with the latest configuration without manual intervention.

When the configuration scripts are received, the unit executes each command line in sequence. Script commands can assign values to configuration parameters, or execute configuration commands. Scripts are written by the system administrator and can be used to accomplish various tasks, such as automating recurrent configuration tasks or batch-applying configuration settings to multiple devices. They can also be scheduled to be executed when the Mediatrix unit restarts.

They can, for example, update the value of parameters, initiate a firmware upgrade, service restart, or unit reboot. The scripts can be imported by the unit in different situations:
  • When the unit is restarted
  • According to a pre-determined schedule
  • Initiated by a DHCP server indicating where the script files are located using options 66 and 67
Scripts can be sent using the following protocols:
  • FTP
  • TFTP
  • HTTP
  • HTTPS

The configuration script download feature allows updating the Mediatrix unit configuration by transferring a configuration script from a remote server or from the local file system. The Mediatrix unit is the session initiator, which allows NAT traversal. You can also configure the Mediatrix unit to automatically update its configuration or you can generate a configuration script from the running configuration of the Mediatrix unit.


Configuring the FTP Server

Before you begin
If you are not familiar with the procedure on how to set the FTP root path, please refer to your FTP server's documentation.
Context

Perform this procedure if you plan to use the FTP transport protocol.

Steps
  1. Set an FTP service on the assigned server.
  2. Make sure the FTP server can be reached by the Mediatrix unit.
    Note: If the file server is located behind a firewall, make sure that TCP port 21 is open.

Configuring the TFTP Server

Before you begin
If you are not familiar with the procedure on how to set the TFTP root path, please refer to your TFTP server's documentation.
Context
Perform this procedure if you plan to use the TFTP transport protocol.
Steps
  1. Set a TFTP service on the assigned server.
  2. Make sure the TFTP server can be reached by the Mediatrix unit.
    Note: If the file server is located behind a firewall, make sure the UDP port 69 is open.

Configuring the HTTP Server

Before you begin
If you are not familiar with the procedure on how to set the HTTP root path, refer to your HTTP server's documentation.
Context
Perform this procedure if you plan to use the HTTP transport protocol.
Steps
  1. Set an HTTP service on the assigned server.
  2. Make sure the HTTP server can be reached by the Mediatrix unit.
    Note: If the file server is located behind a firewall, make sure the TCP port 80 is open.

Configuring the HTTPS Server

Before you begin
If you are not familiar with the procedure on how to set the HTTPS root path, please refer to your HTTPS documentation.

Make sure the unit is set to the proper date (refer to Configuring the Mediatrix Unit to Use an SNTP Server).

Context
Perform this procedure if you plan to use the HTTPS transport protocol.
Steps
  1. Set an HTTPS service on the assigned server.
  2. Make sure the HTTPS server can be reached by the Mediatrix unit.
    Note: If the file server is located behind a firewall, make sure the TCP port 443 is open.
  3. Make sure that in the Management/Certificates tab, in the Certificate Import Through Web Browser table, there is a certificate that authenticates the HTTPS server selected in the Path field, and that Other is selected in the Type field.
  4. Set the configuration parameters.

Parameters

Although the services can be configured in great part in the web browser, some aspects of the configuration can only be completed with the MIB parameters by:
  • using a MIB browser, such as the Mediatrix Unit Manager Network (UMN);
  • using the CLI;
  • creating a configuration script containing the configuration parameters.

Exporting a Configuration Script Using a File Server

Before you begin
Depending on the type of transport protocol used, one of the following procedures must be completed:
Steps
  1. Go to Management/Configuration Scripts/Export.
  2. In the Export Script table, from the Content selection list, choose if you wish to export only what is different from the factory configuration script or the complete configuration.
  3. From the Service Name selection list, choose if you wish to export the configuration script of a specific service or of all services.
  4. In the Send To URL field, enter the protocol://[user[:password]@]hostname[:port]/[path/]filename where to export the configuration file.
    Note: This must be consistent with the file server you have configured. The file name may be replaced by a macro. For more details, refer to the Unit Macros section. As a best practice, add the *.cfg extension to the file name.
    Note: Remember, if you have several units with several configurations and plan to reuse the configuration on another unit, the name must be explicit. Indicate the date of your script, the interfaces used, the device model, etc.
  5. If you wish to use encryption for transfer operations, enter an encryption key in the Privacy Key field.
    Note: Media5 Corporation strongly recommends using encryption to protect certificates and passwords.
  6. Make sure the file server is started.
  7. Click Export and Download.
Result
The configuration script will be exported to the specified file server.


Encryption

Securing Configuration Scripts

Media5 provides an encryption tool (MxCryptFile) to secure the configuration scripts on the server.

There are two encryption algorithms available:

  • AES-256 GCM (recommended, available since DGW 47.0)
  • Blowfish ECB (legacy).

Once the file is encrypted, the transfer of the information over the network is secure. The encryption key must be configured on the Mediatrix units in order to decipher the information. The unit automatically detects the encryption algorithm from the file.

Ensure that the Mediatrix unit is configured with the correct Privacy key in order to decipher the information. Without the proper key, the parameters in the encrypted script would not be applied to the Mediatrix unit.

In any case, the same key is used to decrypt both the generic and specific configuration scripts. When a key is defined, unencrypted configuration scripts are not allowed to be executed.


Securing the configuration scripts using AES-256 GCM

Before you begin
Note: You may need to install Python and the cryptography module for Python:
  • For macOS, python3 is already pre-installed on recent macOS versions.
  • For Linux, some distributions already pre-install python3. Otherwise, use the appropriate package manager to install python3 and pip3.
  • For Windows, use an installation package from https://www.python.org/downloads/windows/ or install from the Windows Store on a clean install of Windows 10. Make sure to add the application to PATH to facilitate usage.
Once Python is installed, use the pip package manager to install the cryptography module. Execute the following in a command prompt/terminal: pip3 install cryptography
Context

To secure the configuration scripts using AES-256, the python script MxCryptFileAes.py is available. The key is a password of variable-length ASCII characters. For optimal security, it is recommended to use a password of at least 42 characters. The maximum length is 256 characters.

This is an example of the python script:

Usage: 
  MxCryptFileAes.py -in <input file> -out <output file> -k <key> [-enc|-dec]    
   where:
     -in <input file>
      Specifies the file to read from
     -out <output file>
      Specifies the file to write to
     -k <key>
      The key in variable size.
     -enc
      Perform encryption (default).
     -dec
      Perform decryption.
The following are some examples of MxCryptFileAes.py commands:
  • MxCryptFileAes.py -in mediatrix.cfg -out mediatrix_encrypted.cfg.bin -k MyPassword -enc
  • MxCryptFileAes.py -in mediatrix_encrypted.cfg.bin -out mediatrix.cfg -k MyPassword -dec
Note: This Python script also supports decrypting backup image files.

Securing the configuration scripts using Blowfish

Context

To secure the configuration scripts using Blowfish, the perl and exe scripts (MxCryptFile.pl and MxCryptFile.exe) are available. The key is encoded in hexadecimal notation, meaning only characters in the range 0-9 and A-F can be used. The maximum key length is 64 hex characters, which gives a binary key of 256 bits. It is the maximum key size accepted by the MxCryptFile external tool. For example, a 32-bit key could look like: A36CB299.

This is an example of the tool running on Windows:

MxCryptFile version 1.0.3.5
Copyright(c) 2009 Media5 Corporation
 Usage:
  MxCryptFile -h  Display online help
   or
  MxCryptFile -in <input file name>
              -out <output file name>
              -k <key string>
                [-s]
                [-enc|-dec]
            where:
              <input file name>: name of the file to read
              <output file name>: name of the file to write
              <key string>: key string (allowed characters are 0-9, a-f, A-F)
              -s: run in silent mode (no display)
              -enc: encrypt (default)
              -dec: decrypt
The following are some examples of MxCryptFile.exe commands:
  • MxCryptFile.exe -in Mediatrix_4102_unencrypted.cfg -out Mediatrix4102.cfg.bin -k 12345678
  • MxCryptFile.exe -in 0090F8XXXXXX_unencrypted.cfg -out 0090F8XXXXXX.cfg.bin -k 89bb6758ac895f56
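
The key limits stated in the AES-256 GCM and Blowfish sections above, turned into a generator and checker for privacy keys. This is an added example, not Media5 code; the function names are hypothetical, and restricting the AES password to letters and digits is an assumption made so the key needs no shell quoting.

```python
import secrets
import string

# Limits taken from the text above.
AES_RECOMMENDED_MIN = 42   # recommended minimum password length (MxCryptFileAes.py)
AES_MAX = 256              # maximum password length
BLOWFISH_MAX_HEX = 64      # maximum hex characters (MxCryptFile), i.e. 256 bits

# Assumption: letters and digits only, so the key can be passed to -k unquoted.
ALPHABET = string.ascii_letters + string.digits
HEX_DIGITS = set(string.hexdigits)


def new_aes_password(length=AES_RECOMMENDED_MIN):
    """Random ASCII password for the AES-256 GCM tool, drawn from a CSPRNG."""
    if not AES_RECOMMENDED_MIN <= length <= AES_MAX:
        raise ValueError("length must be between 42 and 256 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def new_blowfish_key(hex_chars=BLOWFISH_MAX_HEX):
    """Random hexadecimal key for the Blowfish tool (4 bits per character)."""
    if hex_chars % 2 or not 2 <= hex_chars <= BLOWFISH_MAX_HEX:
        raise ValueError("hex_chars must be even and at most 64")
    return secrets.token_hex(hex_chars // 2).upper()


def check_key(kind, key):
    """Return findings for a privacy key; an empty list means it fits the limits."""
    findings = []
    if kind == "aes":
        if not key.isascii():
            findings.append("contains non-ASCII characters")
        if len(key) > AES_MAX:
            findings.append(f"{len(key)} characters, above the maximum of {AES_MAX}")
        elif len(key) < AES_RECOMMENDED_MIN:
            findings.append(
                f"{len(key)} characters, below the recommended minimum of "
                f"{AES_RECOMMENDED_MIN}"
            )
    elif kind == "blowfish":
        if not key or any(c not in HEX_DIGITS for c in key):
            findings.append("allowed characters are 0-9, a-f, A-F")
        if len(key) > BLOWFISH_MAX_HEX:
            findings.append(f"{len(key)} hex characters, above the maximum of 64")
        elif len(key) * 4 < 256:
            findings.append(f"only {len(key) * 4} bits, shorter than the 256-bit maximum")
    else:
        raise ValueError("kind must be 'aes' or 'blowfish'")
    return findings


if __name__ == "__main__":
    # The keys used in the command examples above, followed by generated ones.
    for kind, key in [("aes", "MyPassword"), ("blowfish", "12345678"),
                      ("aes", new_aes_password()), ("blowfish", new_blowfish_key())]:
        print(kind, key, check_key(kind, key) or "ok")
```
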

Preparation of the Configuration Files and Firmware

Executing Configuration Scripts from a File Server Periodically

Before you begin
Depending on the type of transport protocol used, one of the following procedures must be completed:

Mediatrix units do not all include a real-time clock allowing them to maintain accurate time when they are shut down. You must have an SNTP time server that is accessible and properly configured or the automatic configuration update feature may not work properly. Refer to Configuring the Mediatrix Unit to Use an SNTP Server.

Steps
  1. Go to Management/Configuration Scripts/Execute.
  2. In the Execute Scripts table, in the Generic File Name and/or Specific File Name field, indicate the name of the files you wish to import.
    Note: The file name is case sensitive, and may be replaced by a macro. For more details, refer to the Unit Macros section. Make sure to add the *.cfg file extension.
  3. From the Transfer Protocol selection list, select the type of protocol you wish to use to transfer your script.
    Note: This must be consistent with the file server you have configured.
  4. In the Host Name field, enter the file server IP address or FQDN.
  5. In the Location field, enter the path relative to the root of the file server where the script is saved.
  6. If your server requires authentication, enter your username and password.
  7. If the files are encrypted, provide the privacy key in the Privacy Parameters section.
    Note: The privacy key must match the privacy key used to encrypt the file.
  8. Make sure the file server is started.
  9. In the Automatic Script Execution section, from the Execute Periodically selection list, choose Enable.
  10. Complete the Time Unit, Period and Time Range fields according to your needs.
    Note: The time range (hh[:mm[:ss]] or hh[:mm[:ss]] - hh[:mm[:ss]]) is based on the Static Time Zone field, under the Network > Host page.
  11. As a best practice, enable the Allow Repeated Execution field.
  12. Click Apply.
Result
The configuration script will be imported from the file server at the specified time or at a random time within the specified interval and thereafter at the period defined by the Period field. Any change to the script will be applied to the running configuration. The unit configuration is only updated if at least one parameter value defined in the imported configuration scripts is different from the actual unit configuration. Keep in mind that if you import a generic and a specific file, the commands of the specific file will override the commands of the generic file.


Executing Configuration Scripts from the Unit File Management System Periodically

Before you begin

You must have an SNTP time server that is accessible and properly configured or the automatic configuration update feature may not work properly. Refer to Configuring the Mediatrix Unit to Use an SNTP Server.

A configuration script must have been imported to the unit's file management system. Refer to Importing a Configuration Script to the Unit File Management System.
Steps
  1. Go to Management/Configuration Scripts/Execute.
  2. In the Execute Scripts table, in the Generic File Name and/or Specific File Name field, indicate the name of the files you wish to import or use the Suggestion selection list.
    Note: The file name is case sensitive, and may be replaced by a macro. For more details, refer to the Unit Macros section. Make sure to add the *.cfg file extension.
  3. From the Transfer Protocol selection list, select File.
  4. If the files are encrypted, provide the privacy key in the Privacy Key field.
    Note: The privacy key must match the privacy key used to encrypt the files.
  5. In the Automatic Script Execution section, from the Execute Periodically selection list, choose Enable.
  6. Complete the Time Unit, Period and Time Range fields according to your needs.
    Note: The time range (hh[:mm[:ss]] or hh[:mm[:ss]] - hh[:mm[:ss]]) is based on the Static Time Zone field, under the Network > Host page.
  7. As a best practice, enable the Allow Repeated Execution field.
  8. Click Apply.
Result
The configuration script will be imported from the system's file management system at the specified time or at a random time within the specified interval and thereafter at the period defined by the Period field. Any change to the script will be applied to the running configuration. The unit configuration is only updated if at least one parameter value defined in the imported configuration scripts is different from the actual unit configuration. Keep in mind that if you import a generic and specific file, the commands of the specific file will override the commands of the generic file.


Executing Configuration Scripts from a File Server Each Time the Unit is Started

Before you begin
Depending on the type of transport protocol used, one of the following procedures must be completed:
Steps
  1. Go to Management/Configuration Scripts/Execute.
  2. From the Execute Scripts table, in the Generic File Name and/or Specific File Name field, indicate the name of the files you wish to import.
    Note: The file name is case sensitive, and may be replaced by a macro. For more details, refer to the Unit Macros section. Make sure to add the *.cfg file extension.
  3. From the Transfer Protocol selection list, select the type of protocol you wish to use to transfer your script.
    Note: This must be consistent with the file server you have configured.
  4. In the Host Name field, enter the file server IP address or FQDN.
  5. In the Location field, enter the path relative to the root of the file server where the script is saved.
  6. If your server requires authentication, enter your username and password.
  7. If the files are encrypted, provide the privacy key in the Privacy Parameters section.
    Note: The privacy key must match the privacy key used to encrypt the files.
  8. Make sure the file server is started.
  9. In the Automatic Script Execution section, from the Execute on Startup selection list, choose Enable.
  10. As a best practice, enable the Allow Repeated Execution field.
  11. Click Apply.
Result
When the unit is restarted, the configuration script will be imported from the file server, and any changes to the script will be applied to the running configuration. Keep in mind that if you import a generic and a specific file, the commands of the specific file will override the commands of the generic file.


Executing Configuration Scripts from the Unit File Management System Each Time the Unit is Started

Before you begin
A configuration script must have been imported to the unit's file management system. Refer to Importing a Configuration Script to the Unit File Management System.
Steps
  1. Go to Management/Configuration Scripts/Execute.
  2. From the Execute Scripts table, in the Generic File Name and/or Specific File Name field, indicate the name of the files you wish to import or use the Suggestion selection list.
    Note: The file name is case sensitive, and may be replaced by a macro. For more details, refer to the Unit Macros section. Make sure to add the *.cfg file extension.
  3. From the Transfer Protocol selection list, select File.
  4. If the files are encrypted, provide the privacy key in the Privacy Parameters section.
  5. In the Automatic Script Execution section, from the Execute on Startup selection list, choose Enable.
  6. As a best practice, enable the Allow Repeated Execution field.
  7. Click Apply.
Result
When the unit is restarted, the configuration script will be imported from the system's file management system, and any changes to the script will be applied to the running configuration. Keep in mind that if you import a generic and specific file, the commands of the specific file will override the commands of the generic file.


Configuring the Mediatrix Unit to Use an SNTP Server

Before you begin
Make sure there is an SNTP server available.
Context
Steps
  1. Go to Network/Host.
  2. In the SNTP Configuration table, from the Configuration Source selection list, select the connection type from which you wish to obtain the SNTP parameters.
    Note: Complete Step 3 only if you are using static SNTP server(s), otherwise go to Step 4.
  3. Provide an IP address or domain name and port numbers for each SNTP server you are using.
  4. If necessary, change the displayed default value of the Synchronisation Period.
  5. If necessary, change the displayed default value of the Synchronisation Period on Error.
  6. Click Apply.
Result
The SNTP host name and port will be displayed in the Host Status table under Network/Status.


Configuration of the Mediatrix Unit

Importing a Configuration Script Using a File Server

Before you begin
Depending on the type of transport protocol used, one of the following procedures must be completed:
Steps
  1. Go to Management/Configuration Scripts/Execute.
  2. In the Execute Scripts table, in the Generic File Name and/or Specific File Name field, indicate the name of the files you wish to import.
    Note: The file name is case sensitive and may be replaced by a macro. For more details on macros, refer to the Unit Macros section. Make sure to add the *.cfg file extension.
  3. From the Transfer Protocol selection list, select the type of protocol you wish to use to transfer your configuration script.
    Note: This must be consistent with the file server you have configured.
  4. In the Host Name field, enter the file server IP address or FQDN.
  5. In the Location field, enter the path relative to the root of the file server where the configuration script is saved.
  6. If your server requires authentication, enter your username and password.
  7. If the files are encrypted, provide the privacy key in the Privacy Key field.
    Note: The privacy key must match the privacy key used to encrypt the file.
  8. Make sure the file server is started.
  9. Depending on your use case, set the Allow Repeated Execution field to Enable or Disable. This parameter defines whether or not the Mediatrix unit will execute a script when it is the same as the last executed script.
  10. Click Apply & Execute.
Result
The configuration script will be imported from the file server, and any changes to the script will be applied to the running configuration. Keep in mind that if you import a generic and a specific file, the commands of the specific file will override the commands of the generic file.


Importing a Configuration Script to the Unit File Management System

Before you begin
This option is not available on the Mediatrix 4102S running a firmware version more recent than DGW 2.0.26.451.
Steps
  1. Go to Management/File.
  2. If you are not using HTTPS, click Activate unsecure file importation from the Web browser located at the top of the page.
  3. In the Import File Through Web Browser table, from the Path selection list, select Conf/.
  4. Browse to the location of the configuration file.
  5. Click Import.
    Note: A factory reset will remove the file from the Internal file.
Result
The imported configuration file will appear in the Internal files table, under Management/File.


Configuring the DHCP to Trigger Configuration Script Execution

The Mediatrix unit can be configured to automatically import new configuration scripts upon receiving options 66 (tftp-server) or 67 (bootfile), or vendor-specific option 43 using sub-options 66 and 67 in a DHCPv4 answer. A DHCP answer includes both Bound and Renew.

Before you begin
Depending on the type of transport protocol used, one of the following procedures must be completed:

Mediatrix units do not all include a real-time clock allowing them to maintain accurate time when they are shut down. If you are using HTTPS, you must have an SNTP server that is accessible and properly configured or the automatic configuration update feature may not work properly. Refer to Configuring the Mediatrix Unit to Use an SNTP Server.

Context

For more details on DHCPv4 Auto-Provisioning, refer to DHCPv4 Auto-Provisioning.

Steps
  1. Go to Management/Configuration Scripts/Execute.
  2. In the Automatic Script Execution section, from the Allow DHCP to Trigger Scripts Execution selection list, choose Enable.
  3. Click Apply.
Result

The instructions sent from the DHCP server can be in different formats and will be understood by the Mediatrix unit according to what was chosen for the ScriptsDhcpOptionsFormat MIB parameter (not accessible via Web page). Possible values with their respective formats are:

  • Fully Qualified: Script=[protocol]://[username]:[password]@[server]/[path]/[file]
  • Url: [protocol]://[username]:[password]@[server]/[path]/[file]
  • ServerHost: Allows one DHCP option to specify the IP address or FQDN of a file server. Uses the path and file name specified in the ScriptLocation and ScriptGenericFileName parameters, and the transfer protocol, username and password specified in the ScriptTransferProtocol, ScriptTransferUsername and ScriptTransferPassword parameters.
  • AutoDetect (default value): A value beginning with "Script=" is considered as "FullyQualified". A value beginning with "[protocol]://" is considered as a URL. A value that looks like an IPv4/IPv6 address or domain name is considered as a "ServerHost".

When the unit starts, it will receive the location of the config script from the DHCP response, as per the format defined by the ScriptsDhcpOptionsFormat parameter. The unit will then import and execute the configuration scripts from the specified location. Any changes to the script will be applied to the running configuration. The unit configuration is only updated if at least one parameter value defined in the imported configuration scripts is different from the actual unit configuration.
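
The AutoDetect rules listed above can be applied to the values configured in a DHCP scope to review what a unit would be told to fetch. The following is an added example, not Media5 code and not the unit's own parser: the function names, the host-name pattern and the sample values are assumptions, and the findings only report what is visible in the option value itself.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Transfer protocols the page lists for configuration scripts.
SCRIPT_PROTOCOLS = {"ftp", "tftp", "http", "https"}
URL_PREFIX = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
# Assumption: "looks like a domain name" is approximated with RFC 1123 labels.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"^(?=.{{1,253}}$)(?:{LABEL}\.)*{LABEL}$")


def detect_format(value):
    """Classify one option 66/67 value using the AutoDetect rules from the page."""
    v = value.strip()
    if v.startswith("Script="):
        return "FullyQualified"
    if URL_PREFIX.match(v):
        return "Url"
    try:
        ipaddress.ip_address(v.strip("[]"))
        return "ServerHost"
    except ValueError:
        pass
    if HOSTNAME.match(v):
        return "ServerHost"
    return "Unrecognized"


def audit_option(value):
    """Return (format, findings) for one DHCP option value."""
    fmt = detect_format(value)
    if fmt == "Unrecognized":
        return fmt, ["value matches none of the documented formats"]
    if fmt == "ServerHost":
        # Protocol, path and credentials come from the unit's own parameters.
        return fmt, ["transfer protocol and credentials come from the "
                     "ScriptTransfer* parameters on the unit; review them there"]
    url = value.strip()
    if fmt == "FullyQualified":
        url = url[len("Script="):]
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    findings = []
    if scheme not in SCRIPT_PROTOCOLS:
        findings.append(f"protocol '{scheme}' is not FTP, TFTP, HTTP or HTTPS")
    elif scheme != "https":
        findings.append(f"{scheme} transfer is not encrypted; the script itself "
                        "should be encrypted with a privacy key")
    if parts.password:
        findings.append("password is carried in the DHCP option in clear text")
    return fmt, findings


# Constructed sample values (hypothetical hosts and credentials).
SAMPLE_OPTIONS = [
    "Script=https://prov.example.net/cfg/generic.cfg",
    "ftp://prov:Secret1@192.0.2.10/cfg/%mac%.cfg",
    "tftp://192.0.2.10/cfg/%mac%.cfg",
    "prov.example.net",
    "not a host",
]

if __name__ == "__main__":
    for value in SAMPLE_OPTIONS:
        fmt, findings = audit_option(value)
        print(f"{fmt:15} {value}")
        for finding in findings:
            print(f"    - {finding}")
```
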




DHCPv4 Auto-Provisioning

The Mediatrix unit can be configured to automatically download new configuration scripts upon receiving options 66 (tftp-server) or 67 (bootfile), or vendor-specific option 43 using sub-options 66 and 67 in a DHCPv4 answer.

A DHCP server answer includes both Bound and Renew. The contents of option 66, 67 or 43 define which script to download. The unit's configuration is not used to download the script. This allows the unit, for instance, to download a script from a server after a factory reset and to reconfigure itself without a specific profile. If the imported configuration script is identical to the last executed script, it will not be run again. The script retry mechanism is not enabled for the DHCPv4 triggered scripts. If options 66, 67 and 43 are received, all scripts are executed independently. The script defined by the tftp-server (option 66) option is executed first. If you are using HTTPS to transfer scripts, you must have an SNTP time server that is accessible and properly configured.


Unit Macros

Macro            Description
%mac%            the MAC address of the unit
%version%        the MFP version of the unit (firmware version)
%product%        the Product name of the unit
%productseries%  the Product series name of the unit

Online Help

If you are not familiar with the meaning of the fields and buttons, click Show Help, located at the upper right corner of the Web page. When activated, the fields and buttons that offer online help will change to green and if you hover over them, the description will be displayed.


Copyright Notice

Copyright © 2023 Media5 Corporation.