Using The Motorola Tunnel Service MSP

Using the Motorola Tunnel Service with
MSP
Using the Motorola Tunnel Service with MSP
72E-134766-05
Revision B
April 2012
© 2012 by Motorola Solutions, Inc. All rights reserved.
No part of this publication may be reproduced or used in any form, or by any electrical or
mechanical means, without permission in writing from Motorola Solutions. This includes
electronic or mechanical means, such as photocopying, recording, or information storage and
retrieval systems. The material in this manual is subject to change without notice.
While every reasonable precaution has been taken in the preparation of this document, neither
Symbol Technologies, Inc., nor Motorola Solutions, Inc., assumes responsibility for errors or
omissions, or for damages resulting from the use of the information contained herein.
The software is provided strictly on an “as is” basis. All software, including firmware, furnished to
the user is on a licensed basis. Motorola Solutions grants to the user a non-transferable and non-
exclusive license to use each software or firmware program delivered hereunder (licensed
program). Except as noted below, such license may not be assigned, sublicensed, or otherwise
transferred by the user without prior written consent of Motorola Solutions. No right to copy a
licensed program in whole or in part is granted, except as permitted under copyright law. The
user shall not modify, merge, or incorporate any form or portion of a licensed program with other
program material, create a derivative work from a licensed program, or use a licensed program in
a network without written permission from Motorola Solutions. The user agrees to maintain
Motorola Solution’s copyright notice on the licensed programs delivered hereunder, and to
include the same on any authorized copies it makes, in whole or in part. The user agrees not to
decompile, disassemble, decode, or reverse engineer any licensed program delivered to the user
or any portion thereof.
Motorola Solutions reserves the right to make changes to any software or product to improve
reliability, function, or design.
Motorola Solutions does not assume any product liability arising out of, or in connection with, the
application or use of any product, circuit, or application described herein.
No license is granted, either expressly or by implication, estoppel, or otherwise under any

Motorola Solutions, Inc., intellectual property rights. An implied license only exists for equipment,
circuits, and subsystems contained in Motorola Solutions products.
Motorola Solutions and the Stylized M Logo and Symbol and the Symbol logo are registered in
the US Patent & Trademark Office. All other product or service names are the property of their
respective owners.
Motorola Solutions, Inc
One Motorola Plaza
Holtsville, New York 11742-1300
http:/motorolasolutions.com/
Table of Contents
About This Guide ................................................................................................ 1

MSP Documentation ........................................................................................................................ 1
Help ................................................................................................................................................. 1
Service Information .......................................................................................................................... 1
Chapter 1 – Introduction .................................................................................... 3

Overview .......................................................................................................................................... 3
What is the Motorola Tunnel Service?............................................................................................. 3
Acquiring the Motorola Tunnel Service ........................................................................................... 4
Obtaining the Add-On Kit........................................................................................................................ 4
Add-On Kit Contents .............................................................................................................................. 4
Add-On Kit Installation ............................................................................................................................ 5
Licensing the Motorola Tunnel Service ........................................................................................... 5
Chapter 2 – Key Concepts of Tunnel Service Operation ................................. 7

Overview .......................................................................................................................................... 7
Tunnel Service Patrons ................................................................................................................... 7
Device Contactability ....................................................................................................................... 7
Directly Contactable ............................................................................................................................... 7
Indirectly Contactable ............................................................................................................................. 8
Tunnel Agent Modes of Operation................................................................................................... 9
Inbound Mode ........................................................................................................................................ 9
Tunnel Service Patron Inbound Port Information ...................................................................................12
Outbound Mode .....................................................................................................................................13
Tunnel Service Patron Outbound Port Information ................................................................................17
Tunnel Agent Device Attributes ..................................................................................................... 18
Chapter 3 – Security Considerations .............................................................. 19

Overview ........................................................................................................................................ 19
Motorola Tunnel Service Contactability ......................................................................................... 19
Tunnel Service Ports ..................................................................................................................... 20
vi -- Using the Motorola Tunnel Service with MSP
Tunnel Agent Ports ........................................................................................................................ 21

Connection Security ...................................................................................................................... 22
General Network Node Attacks .............................................................................................................22
Motorola Tunnel Service-Specific Attacks .............................................................................................22
General Port Attacks ...............................................................................................................22
Service-Based Attacks ............................................................................................................22
End-to-End Security ................................................................................................................23
Chapter 4 – Control Modules ........................................................................... 25

Required Control Modules ............................................................................................................. 25
TunnelAgent ..........................................................................................................................................25
Purpose ...................................................................................................................................25
Installation ...............................................................................................................................25
Configuration ...........................................................................................................................25
Description ...................................................................................................................25
Connection Type:.........................................................................................................26
Tunnel Agent Listening Port: .......................................................................................26
Workstation to Tunnel Service IP:................................................................................26
Workstation to Tunnel Service Port: ............................................................................26
Device to Tunnel Service IP: .......................................................................................26
Device to Tunnel Service Port: ....................................................................................26
Number of Retries:.......................................................................................................27
Connection Loss Retry Frequency:..............................................................................27
Retry Frequency: .........................................................................................................27
Heartbeat Interval: .......................................................................................................27
Log Level: ....................................................................................................................27
Display Tray Icon?: ................................................................................................................................28
Operation ................................................................................................................................28
Device Attributes .....................................................................................................................28
Related Control Modules ............................................................................................................... 30
GetAdapters ..........................................................................................................................................30
Chapter 5 – Installation and Configuration ..................................................... 31

Overview ........................................................................................................................................ 31
Motorola Tunnel Service Target Hardware ................................................................................... 31
Motorola Tunnel Service Pre-requisites ........................................................................................ 31
Motorola Tunnel Service Deployment ........................................................................................... 32
Motorola Tunnel Service Configuration ......................................................................................... 33
TunnelService.Configuration Settings Object ........................................................................................33
Description ..............................................................................................................................33
Workstation to Tunnel Service Port: ........................................................................................33
Device to Tunnel Service Port: ................................................................................................34
Log Level: ...............................................................................................................................34
Configuration Wizard .............................................................................................................................35
Tunnel Service Workstation Port .............................................................................................35
Tunnel Service Device Port .....................................................................................................36
Log Level ................................................................................................................................36
Chapter 6 – Using the Motorola Tunnel Service............................................. 37

Overview ........................................................................................................................................ 37
Usage Transparency ..................................................................................................................... 37
NAT Traversal................................................................................................................................ 37
NAT Traversal Operation.......................................................................................................................38
One-to-One NAT IP Address Mapping ....................................................................................38
One-to-Many NAT IP Address Mapping ..................................................................................38
Simplifying NAT Variations ....................................................................................................................39
Table of Contents -- vii
Configuring MSP NAT Traversal for Tunnel Service .............................................................................39

System Deployment ...................................................................................................................... 40
Tunnel Service Status Monitoring .................................................................................................. 40
Status Monitoring Using MSP ................................................................................................................40
Status Monitoring Using Standalone Status Viewer ..............................................................................41
Best Practices ................................................................................................................................ 43
viii -- Using the Motorola Tunnel Service with MSP
About This Guide
MSP Documentation
This document provides information on using Motorola Tunnel Service. The library of available
MSP documentation is extensive and widely available to MSP customers. Customers may obtain
the latest version of all documents from:
http://support.symbol.com/support/product/softwaredownloads.do.
Help
On-line Help is available in both the MSP Console UI and the MSP Administration Program. Roll-
over help is included for many fields in the MSP Console UI. In the MSP Administration Program,
press F1 from any page to open page-specific Help (in some configurations you may have to
press F1 twice).
For page-specific Help in the MSP Console UI, click Help in the upper-right corner and click Help
in the dropdown (see below).
In the MSP Console UI, you also can click Help and Document Library to access PDF files of all
the standard MSP manuals. When you import an MSP Add-On that comes with a manual, the
manual will appear in the Document Library list after import.
Service Information
If you have a problem with your software, contact Motorola Enterprise Mobility support for your
region. Contact information is available at: http://www.symbol.com/contactsupport.
When contacting Enterprise Mobility support, please have the following information available:
2 -- Using the Motorola Tunnel Service with MSP
Serial number of the software

Model number or product name
Software type and version number
Software license information
Motorola responds to calls by email, telephone or fax within the time limits set forth in support
agreements.
If you purchased your Enterprise Mobility business product from a Motorola business partner,
contact that business partner for support.
Chapter 1 – Introduction
Overview
The Motorola Tunnel Service provides a mechanism to enhance the contactability of devices from
Workstation PCs. One or more instances of the Motorola Tunnel Service can be installed, at
appropriate locations within an Enterprise.
The Motorola Tunnel Service is intended to be used in conjunction with its Tunnel Agent Patrons,
such as the Motorola Remote Control Solution and the Motorola Real-Time Management
Solution. The Motorola Tunnel Service is deployed and configured independently of its patrons.
Both patrons will work without the Motorola Tunnel Service, to support Directly Contactable
devices, and will detect and use the Motorola Tunnel Service, when it is deployed and
appropriately configured, to support Indirectly Contactable devices.
What is the Motorola Tunnel Service?

The Motorola Tunnel Service is software that runs on one or more Windows PCs within an
Enterprise and facilitates the establishment of communication sessions between Workstation PCs
and devices. Each instance of the Motorola Tunnel Service must installed on a Windows PC that
resides within the Enterprise at a location that is reachable by Workstation PCs and that is
Directly Managed by MSP via the Windows PC Client, which is a variety of the MSP Client
Software.
Note:
For more information on the Windows PC Client, see the MSP Client Software Guide.
One or more instances of the Motorola Tunnel Service are typically deployed in cases where
devices are not Directly Contactable from Workstation PCs. An instance of the Motorola Tunnel
Service is generally required when contactability of devices must be enhanced in order to
support Remote Control or Remote UI sessions to them or to support various MSP Real-Time
Management functions.
When the contactability of a given device will be enhanced using an instance of the Motorola
Tunnel Service, an additional device resident software component, called the Motorola Tunnel
Agent, must be deployed and configured on that device. The Motorola Tunnel Agent is the
device counterpart of the Motorola Tunnel Service and handles interactions with the Tunnel
Motorola Service on behalf of the device and applications that benefit from enhanced
contactability.
Deploying one or more instances of the Motorola Tunnel Service can make devices Indirectly
Contactable by allowing Workstation PCs to contact a given device indirectly, via a Tunnel
Service and Tunnel Agent pair. The Tunnel Service can forward traffic from a Workstation PC to
the Tunnel Agent on a device either via a connection established by the Tunnel Service to the
Tunnel Agent (Inbound Mode) or over a connection established and maintained by Tunnel Agent
to the Tunnel Service (Outbound Mode). The deployment of one or more instances of the
Motorola Tunnel Service can thus enhance contactability and help overcome problems
experienced due to the organization and security characteristics of an Enterprise network.
Acquiring the Motorola Tunnel Service

Obtaining the Add-On Kit
The Motorola Tunnel Service components are provided via Add-On Kits that are available for
download from the following link:
http://support.symbol.com/support/product/softwaredownloads.do
Updated versions of the Add-On Kits containing updated components may also periodically be
available for download from the same link.
Add-On Kit Contents

The Add-On-Kit will be a .ZIP File with a name of the form:
Motorola_TunnelService_<os, if applicable>_<core version>_<zip version>_<date>.ZIP
where:
<os> is WM5 for Windows Mobile 5.0 or higher,
WM2003 for Windows Mobile 2003 only,
or CE for Windows CE
or PC for Managed Windows PC
<core version> This is the version of the primary component of the Add-On.
<zip version> This is a version number that is used to indicate that something
has changed in the Add-On other than the primary component.
This needs to be reset when the Core Version changes.
<date> indicates the release date of the Add-On Kit .ZIP File
(represented in YYYYDDMM format).
Each Add-On Kit .ZIP File contains the following contents:
The Definition Document for Tunnel Agent settings, TunnelAgent.Configuration.setting.xml.
The definition document for Tunnel Service settings, TunnelService.Configuration.setting.xml

Chapter 1 – Introduction -- 5
TunnelAgent.apf or PC_TunnelAgent.apf , which includes the component necessary for

installing the Tunnel agent on the Windows handheld device or Managed Windows PC
respectively
TunnelService_Prerequisites.apf, which includes the component necessary for installing the

Tunnel Service Pre-requisites
TunnelService_Setup.apf, which includes the component necessary for installing the Tunnel
Service
Add-On Kit Installation

Important:
If more than one Add-On Kit for the same solution is installed, then certain common files will likely
appear in all .ZIP Files. Since Updates to parallel Add-On Kits may be released on independent
schedules, it is very important that the latest copy of these common files be used.
This can be accomplished by installing Add-On Kits in oldest to newest order since the last Add-
On Kit installed will determine the version of the common files that will be used. This ordering
can be determined by looking at the date that is part of the Add-On Kit .ZIP File name.
For Users with direct access to Windows Console on the MSP Server, an Add-On Kit .ZIP Files
can be installed using the MSP Administration Program. See Add-On Kit Installation in
Administering MSP.
Licensing the Motorola Tunnel Service

Each instance of the Motorola Tunnel Service must be installed onto a Windows PC that is
Directly Managed by MSP via the Windows PC version of the MSP Client Software. This
managed Windows PC requires MSP to allocate a Provision or Control license. A Provision
Edition License is required if a Data Collection Solution is not deployed to the Windows PC. A
Control Edition License is required if a Data Collection Solution is deployed to the Windows PC.
The Motorola Tunnel Service is implemented as Proxy Plug-In to the MSP Client Software on the
Windows PC. As a result, once the Motorola Tunnel Service is installed onto a Windows PC, that
an additional managed device, with a Device Class of “TunnelServiceProxy”, is discovered.
Since the instance of the Motorola Tunnel Service is treated as a managed device, it also
requires MSP to allocate a license. The Motorola Tunnel Service always requires a Control
Edition License.
Important:
Because the Motorola Tunnel Service requires a Control Edition License, the Motorola Tunnel
Service can only be used with MSP Control Edition.
For more information on Proxies, see Understanding MSP – Understanding Device Classes and
Proxies.
Chapter 2 – Key Concepts of Tunnel
Service Operation
Overview
This chapter introduces some key concepts that are important to grasp in order to understand
and effectively utilize one or more instances of the Motorola Tunnel Service to enhance the
contactability of devices managed by MSP. The solutions which makes use of Tunnel Service to
resolve the connectivity issues are referred as Tunnel Service Patrons
Tunnel Service Patrons

The current Tunnel Service Patrons are the Motorola Remote Control Solution (MRCS) and the
Motorola Real-Time Management Solution (RTM).
They work in conjunction with the Motorola Tunnel Agent to leverage the enhanced contactability
offered by the Motorola Tunnel Service. MRCS and/or RTM can be used alone for a device that
is Directly Contactable. But when a device is Not Directly Contactable, it must be made Indirectly
Contactable for such applets to be used. That means deploying an instance of the Motorola
Tunnel Service, deploying the Motorola Tunnel Agent to the device, and suitably configuring the
Tunnel Agent to work with that instance of the Motorola Tunnel Service.
Device Contactability
In order to use a Tunnel Service Patron (i.e., the Motorola Remote Control Solution and Real-
Time Management) when there is no direct contact to a device, the Tunnel Service has to serve
as a bridge for exchanging information between a device from a Workstation PC.
Directly Contactable
A device is Directly Contactable (Figure 1) if a connection from a Workstation PC can be directly
established to the device via the IP Address reported to MSP by the device. If a given device is
Directly Contactable from a Workstation PC, then an instance of the Motorola Tunnel Service is
generally not required. For consistency, if an instance of the Motorola Tunnel Service is required
to support other devices, it can also be used, even for devices that would otherwise not require it.
Figure 1 – Direct – Workstation to Device

As shown above, the Direct connection is implemented via the following steps:
1. Browser requests MSP server to serve the Tunnel Service Patron applet (MRCS or
RTM) on clicking on the appropriate link in the device details or device status page
2. The Applet is served up from the MSP Server to the Web Browser running on the
Workstation PC along with the device IP Address and Port number in which Tunnel
Agent patron is listening
3. The MSP Console User requests for a control function. If a connection is not already
established or the previous connection has been lost, then a new connection to the
device function is established.
4. Response will be delivered to the applet and appropriate rendering will be done
Indirectly Contactable
If a device is not Directly Contactable from a Workstation PC, then an instance of the Motorola
Tunnel Service would generally be required to make the device Indirectly Contactable. Whenever
the Motorola Tunnel Service will be used to enhance the contactability of a given device, the
Tunnel Agent must be deployed and configured on that device either in Inbound mode (Tunnel
Service contacts the device) or outbound mode (Device contacts the Tunnel Service) as
explained below
Important:
The Tunnel Agent is a mandatory component on any device that will be used with an instance of
the Motorola Tunnel Service.
Chapter 2 – Key Concepts of Tunnel Service Operation -- 9
Tunnel Agent Modes of Operation

The Motorola Tunnel Service and Motorola Tunnel Agent collectively support two modes of
operation: Inbound Mode and Outbound mode. While the Tunnel Agent on any one device can
operate in only one mode at a time, a single instance of the Motorola Tunnel Service can support
multiple devices configured for different modes.
Inbound Mode
In Inbound Mode, an instance of the Motorola Tunnel Service acts as a bridge between
Workstation PCs and the Tunnel Agents in one or more devices. A Workstation PC connects to a
specific instance of the Motorola Tunnel Service which then bridges the connection to a specific
device over a new connection it establishes on-demand to the Motorola Tunnel Agent in that
device.
A key advantage of Inbound Mode is the fact that the Motorola Tunnel Agent in the device listens
for incoming connections from an instance of the Motorola Tunnel Service. This means that the
device does not need to establish and maintain a connection to that instance, as would be
required in Outbound Mode. The instance of the Motorola Tunnel Service establishes a
connection to the Motorola Tunnel Agent in a device only in response to a connection request
from a Workstation PC and hence a connection to the device only exists when it is actually
needed. This can reduce network traffic and improve battery life by avoiding the need to keep a
session continuously open.
A key disadvantage of Inbound Mode is the requirement that devices be directly contactable from
the instance of the Motorola Tunnel Service. This can severely constrain the locations where that
instance of the Motorola Tunnel Service can be installed and hence may limit its viability as a
solution. If the instance cannot be deployed such that it can contact the devices, then Inbound
Mode cannot be effectively used.
An instance of the Motorola Tunnel Service operating in Inbound Mode can be viewed as
providing similar functionality to that which can be achieved through NAT Traversal. For
example, in the case of an Enterprise NAT, the Enterprise NAT could be re-configured to enable
Port Address Translation (PAT) and then MSP could be configured to contact selected ports that
would then be mapped to specific devices. Using an instance of the Motorola Tunnel Service in
Inbound Mode may offer a simpler solution that is easier to implement and use. By locating an
instance of the Motorola Tunnel Service on the private side of a NAT, only a single port would
need to be opened through the NAT to allow Workstation PCs to contact that instance. All
devices could then be contacted by Workstation PCs via a single port that allows access to that
instance.
Inbound Mode is not always a viable solution, however. In the case of a Service Provider NAT,
Inbound Mode generally will not solve the inherent contactability problem since an instance of the
Motorola Tunnel Service likely could not be located inside the Service Provider NAT. If an
instance cannot be located such that it can contact devices, then it cannot use Inbound Mode to
help Workstation PCs contact those devices. To solve the contactability problems engendered by
a Service Provider NAT, the use of Outbound Mode would generally be required.
When using Inbound Mode, the Motorola Tunnel Agent in the device listens for incoming
connections from an instance of the Motorola Tunnel Service and then routes those incoming
connections to the appropriate Tunnel Service Patron on the device. This works similarly to the
way it would work if the connections had come directly from the Workstation PC. The difference
is that the actual connections from the Workstation PC to the device are indirect, bridged through
connections to the device initiated by the instance of the Motorola Tunnel Service.
To use Inbound Mode, the Motorola Tunnel Agent must be deployed to the device and must be
configured to listen for contact from a specific instance of the Motorola Tunnel Service. The
Tunnel Agent on any one device can only be configured to listen for contact from a single
instance of the Motorola Tunnel Service at any one time. If that instance becomes unavailable,
the device will no longer be Indirectly Contactable until the instance becomes available again or
the Motorola Tunnel Agent is re-configured to listen for contact from a different instance of the
Motorola Tunnel Service.
When the Motorola Tunnel Agent is configured to listen for contact from an instance of the
Motorola Tunnel Service, it reports that information to MSP as Device Attributes. Any
Workstation PC that wishes to establish a session to a device whose Motorola Tunnel Agent is
configured to use Inbound Mode must do so via that instance of the Motorola Tunnel Service.
To use Inbound Mode, the Motorola Tunnel Agent running on a device must be configured by
applying a TunnelAgent.Configuration Settings Object. This Settings Object must specify a
Connection Type of “Workstation PC contacts Tunnel Service which contacts device”
(Inbound Mode). The Settings Object must also specify the IP Address and Port at which the
instance of the Motorola Tunnel Service will be contacted by the Workstation PC and the Port at
which the instance of the Motorola Tunnel Service will contact the device.
Important:
The configuration applied to the Motorola Tunnel Agent running on a device must properly specify
the information about the instance of the Motorola Tunnel Service that will be used and must be
compatible with the configuration applied to that instance of the Motorola Tunnel Service.
When the Motorola Tunnel Agent running on a device processes the TunnelAgent.Configuration
Settings Object, it will configure itself to listen for incoming connections from the proper instance
of the Motorola Tunnel Service. It will also arrange to report to MSP the IP Address and Port at
which the Workstation PC should contact that instance of the Motorola Tunnel Service.
When an Applet running on a Workstation PC initiates a connection to a device, the Applet will
connect to the proper instance of the Motorola Tunnel Service using the IP Address and Port sent
to MSP by the Motorola Tunnel Agent running on that device. The Applet will also be provided
with the IP Address of the device and the Port on which the Motorola Tunnel Agent running on
the device is listening, which will passed on to the instance of the Motorola Tunnel Service to use
when establishing an on-demand connection. The Applet will also pass information about the
target Tunnel Agent Patron (the device counterpart of the Applet) that it wishes to contact.
The instance of the Motorola Tunnel Service will then establish an on-demand connection
(tunnel) to the Motorola Tunnel Agent on the appropriate device, using the IP Address and Port
that was provided by the Workstation PC, and bridges the connection from the Workstation PC to
the Motorola Tunnel Agent running on the device, over that connection (tunnel). If the Tunnel
Service is on the same side of a NAT or Firewall as the device, then it would generally have no
problem establishing the required on-demand connection to the device.
When the instance of the Motorola Tunnel Service bridges the traffic to the Motorola Tunnel
Agent running on the device, the Tunnel Agent will direct that traffic to the appropriate Tunnel
Service Patron as determined by the information passes by the Workstation PC to the instance of
the Motorola Tunnel Service and then passed on to the Tunnel Agent.
Once a bridged connection is successfully established, the Applet on the Workstation PC Control
Module on the device will communicate over that connection. If the connection is lost, the Applet
will reestablish the connection seamlessly, in coordination with the Tunnel Service and Tunnel
Agent, without any additional involvement of the MSP Server.
The actual exchange of data between the Applet and the Control Module is end-to-end and will
occur based on how the Control Module is configured. This may include authentication and/or
encryption, if selected. The instance of the Motorola Tunnel Service and the Motorola Tunnel
Agent are not active participants in the end-to-end communications - they merely provide a
connection bridge across which the end-to-end communications can occur. All authentication
and encryption, if selected, is between the Applet and the Control Module, and is simply “passed
through” by the Tunnel Service and Tunnel Agent.
If a Workstation PC running a Tunnel Service Patron applet (i.e., MRCS, RTM) cannot be in direct
contact with a managed device and the Tunnel Service and the device are on the same side of
the NAT or the Firewall, Tunnel Service can be used in Inbound Mode. Figure 2 represents
Tunnel Service being employed in Inbound Mode.
Figure 2 – Indirect – Workstation PC to Tunnel Service to Device – Inbound Mode
As shown above, the Indirect connection inbound mode is implemented via the following steps:
Workstation PC along with the Tunnel Service IP, Port, Device IP, Tunnel Agent Port
and the target Tunnel Service patron.
established with the Tunnel Service or the previous connection has been lost, then a
new connection to the Tunnel Service is established. On receiving request from
workstation PC, tunnel service will establish a tunnel with device using the
connection information passed by the workstation
4. Response will be delivered to the applet and appropriate rendering will be done in the
applet
Tunnel Service Patron Inbound Port Information

The following table discusses specific port information for the existing Tunnel Service Patrons.
Tunnel Service Patron Port Information
The MRCS Applet running on the Workstation PC establishes an

indirect connection to the device by establishing a direct
connection to TCP Port 7778 on the Tunnel Service. The Tunnel
Service then establishes an on-demand connection to the device
using the IP Address reported by the device to MSP and bridges
the connection from the Workstation PC to the device over the
connection established from the Tunnel Service to the device.
Since the Tunnel Service is on the same side of the NAT or
Firewall as the device, it has no problem contacting the device.
If a NAT or Firewall were present, it would need to be configured
to permit connections from the Workstation PC to the Tunnel
Service on port 7778, but would not need to be configured to
Motorola Remote Control permit connections from the Workstation PC to devices on port
Solution 7776 (Tunnel Agent Port). This configuration is likely simpler and
more practical than would be required to traverse a NAT without a
Tunnel Service, but it nonetheless may not be consistent with
Enterprise security policies.
Note:
Default port for Tunnel Service from Workstation PC is 7778 (Old

port is 7775)
Default port for Tunnel Agent is 7776
Default port for MRCS is 7775

The Applet running on the Workstation PC establishes an indirect

connection to the device by establishing a direct connection to TCP
Port 7778 on the Tunnel Service. The Tunnel Service then
establishes an on-demand connection (shown as a tunnel) to the
device using the IP Address reported by the device to MSP and
bridges the connection from the Workstation PC to the device over
the connection established from the Tunnel Service to the device.
Since the Tunnel Service is on the same side of the NAT or
Firewall as the device, it has no problem contacting the device.
If a NAT or Firewall were present, it would need to be configured to
permit connections from the Workstation PC to the Tunnel Service
on port 7778, but would not need to be configured to permit
Motorola Real Time connections from the Workstation PC to devices on port 7776
Management Solution (Tunnel Agent Port). This configuration is likely simpler and more
practical than would be required to traverse a NAT without a
Tunnel Service, but it nonetheless may not be consistent with
Enterprise security policies.
Note:

port is 7775)
Default port for Tunnel Agent is 7776
Default port for RTM is 7777
Outbound Mode
In Outbound mode, the Motorola Tunnel Agent in the device is responsible for establishing and
maintaining a connection to a specifically configured instance of the Motorola Tunnel Service. As
connectivity is lost and regained, the Motorola Tunnel Agent will automatically and invisibly re-
establish the connection to the instance as needed. On establishing the connection Tunnel Agent
registers the device UUID with the Tunnel Service. A Workstation PC connects to a device by
connecting to that instance of the Motorola Tunnel Service, which then informs the device to
establish a new session over the existing connection established and maintained to that instance
by the Motorola Tunnel Agent. On receiving request from Tunnel Service the new data
connection will be established from device to Tunnel Service so that Tunnel Service will maintain
a tunnel between Workstation PC and device over this new connection. Further traffic from the
Applet running on the Workstation PC is then bridged to target Tunnel Service Patron running on
the device, over the connection (tunnel) established between the Tunnel Service and the Tunnel
Agent
A key advantage of Outbound Mode is the fact that an instance of the Motorola Tunnel Service
does not need to be located such that it can contact devices. Instead, the instance must be
located such it can be contacted both by devices and by Workstation PCs. This is often more
readily achievable than the requirements for Inbound Mode.
A key disadvantage of Outbound Mode is the requirement for the Motorola Tunnel Agent in each
device to establish and continuously maintain a connection to its configured instance of the
Motorola Tunnel Service. This can impact battery life and add a small, but measurable additional
load on the network. This is often an acceptable price to pay to enable contactability when it
would otherwise not be possible.
Using Outbound Mode can solve problems that would otherwise be impractical to solve. For
example, in the case of a Service Provider NAT, it is often the case that devices can contact the
internet but cannot be contacted from the internet. By locating an instance of the Motorola
Tunnel Service such that it is contactable from the internet, devices can be made Indirectly
Contactable. Workstation PCs would contact that instance of the Motorola Tunnel Service and,
via that instance, would be able to contact devices, via their resident Motorola Tunnel Agents.
To use Outbound Mode, the Motorola Tunnel Agent running on a device must be configured by
applying a TunnelAgent.Configuration Settings Object. This Settings Object must specify a
Connection Type of “Workstation PC contacts Tunnel Service which is contacted by device”
(Outbound Mode). The Settings Object must also specify the IP Address and Port at which the
instance of the Motorola Tunnel Service will be contacted by the device and the IP Address and
Port at which the instance of the Motorola Tunnel Service will be contacted by the Workstation
PC.
Important:
The configuration applied to the Motorola Tunnel Agent running on a device must properly specify
the information about the instance of the Motorola Tunnel Service that will be used and must be
compatible with the configuration applied to that instance of the Motorola Tunnel Service.
When the Motorola Tunnel Agent running on a device processes the TunnelAgent.Configuration
Settings Object, it will configure itself to contact the instance of the Motorola Tunnel Service at the
appropriate IP Address and Port. It will also arrange to report to MSP the IP Address and Port at
which the Workstation PC should contact that instance of the Motorola Tunnel Service.
When a Tunnel Service Patron applet (i.e., MRCS, RTM) running on a Workstation PC initiates a
connection to a device, the Applet will connect to the proper instance of the Motorola Tunnel
Service using the IP Address and Port sent to MSP by the Motorola Tunnel running on that
device. The Applet will also be provided with the UUID of the device, which will be passed on to
the instance of the Motorola Tunnel Service to identify the device to be contacted. The Applet will
also pass information on the target Tunnel Agent Patron (the device counterpart of the Applet)
that it wishes to contact.
The instance of the Motorola Tunnel Service will then check to see if a device of the requested
UUID has already established a connection (tunnel) to that instance of the Motorola Tunnel
Service. If not, then the connection from the Workstation PC will be immediately refused. If a
device with the requested UUID already established a connection (tunnel) to that instance of the
Motorola Tunnel Service, then the Tunnel Service bridges the connection from the Workstation
PC to the Motorola Tunnel Agent running on the device, by informing the device to make a new
connection to establish the over that connection (tunnel).
Once a bridged connection is successfully established, the Applet on the Workstation PC Control
Module on the device will communicate over that connection. If the connection is lost, the Applet
will reestablish the connection seamlessly, in coordination with the Tunnel Service.
As discussed above, in Outbound Mode a connection (tunnel) is established and maintained by
the Motorola Tunnel Agent running on the device to an instance of the Motorola Tunnel Service,
even when no application session is in progress. The instance of the Tunnel Service keeps a list
of devices, by UUID, that have registered and that continue to maintain such connections.
It is part of the nature of many devices, especially mobile devices, that connectivity may come
and go and/or that devices may suspend and resume, reboot, etc. As a result, the connection
(tunnel) established between the Motorola Tunnel Agent on a device and an instance of the
Motorola Tunnel Service may occasionally be lost. When the connection from a device to a
Tunnel Service is lost, it may stay disconnected for a significant period of time.
Maintaining a connection with a device requires a continuing use of resources on the instance of
the Motorola Tunnel Service. If many connections are lost, a significant amount of Tunnel
Service resources could be dedicated to keeping track of “stale” sessions. This could limit the
scalability and performance of Tunnel Service. The Tunnel Service is therefore designed to
detect a time-out and un-register devices that have not been heard from for a while.
To prevent unnecessary time-outs, a “heartbeat” is maintained between the Motorola Tunnel
Agent running on a device and the instance of the Motorola Tunnel Service. The “heartbeat”
consists of a message that is periodically sent from the Tunnel Service to the Tunnel Agent. The
Tunnel Service uses the “heartbeat” to reset its timer and keep the connection active. The
“heartbeat” also allows the Tunnel Agent to better detect losses of connectivity. When
connectivity is lost and becomes available again, the Tunnel Agent on the device automatically
re-establishes a connection to its Tunnel Service.
Note:
The “heartbeat” between the device and the Tunnel Service in Outbound Mode represents
additional network traffic that can also lead to a reduction in battery life. This is an unavoidable
consequence of using Outbound Mode which must be weighed against the benefits of enhanced
contactability. When no Tunnel Service is used or when in Inbound Mode is used, a “heartbeat”
is not required. As a result, Outbound Mode should only be used when the contactability benefits
it offers are important enough to justify the additional network traffic and impact on battery life.
The actual exchange of data between the Applet and the Control Module is end-to-end and will
occur based on how the Control Module is configured. This may include authentication and/or
encryption, if selected. The instance of the Motorola Tunnel Service and the Motorola Tunnel
Agent are not active participants in the end-to-end communications - they merely provide a
connection bridge across which the end-to-end communications can occur. All authentication
and encryption, if selected, is between the Applet and the Control Module, and is simply “passed
through” by the Tunnel Service and Tunnel Agent.
If a Workstation PC running a Tunnel Service Patron applet (i.e., MRCS, RTM) cannot be in direct
contact with a managed device and the Tunnel Service and the device are on different sides of
the NAT or the Firewall, Tunnel Service can be used in Outbound Mode. Figure 3 represents
Tunnel Service being employed in Outbound Mode.
Figure 3 – Indirect – Workstation PC to Tunnel Service to Device – Outbound Mode
As shown above, the Indirect connection outbound mode is implemented via the following steps:
1. During startup Tunnel Agent registers the device UUID with the Tunnel Service
2. Tunnel Service acknowledges the registration and maintains the map
3. Tunnel Service maintains the connection with Tunnel Agent by sending heartbeat
request to the tunnel agent
Workstation PC along with the Tunnel Service IP, Port, Device UUID and the target
Tunnel Service patron.
established with the Tunnel Service or the previous connection has been lost, then a
new connection to the Tunnel Service is established.
7. On receiving request from workstation PC, tunnel service will inform the Tunnel agent
to initiates a data connection to establish a tunnel with device
8. Tunnel Agent will establish a new data connection to the Tunnel Service and
establishes a tunnel between Tunnel Service and Tunnel Agent
9. Tunnel Service forwards the request from Workstation PC to the Tunnel Agent over
newly established data connection (tunnel)
10. Response from device will be traversed back to the requested applet over the tunnel
Tunnel Service Patron Outbound Port Information

The following table discusses specific port information for the existing Tunnel Service Patrons.
The MRCS applet running on the Workstation PC establishes an

connection to TCP Port 7778 on the Tunnel Service. The device
has previously established a connection (shown as a tunnel) to
the Tunnel Service on port 7779. The Tunnel Service then
informs the device over the existing connection to make a new
connection to the Tunnel Service. On receiving the new data
connection from device the Tunnel Service bridges the connection
from the Workstation PC to the device and maintains a tunnel
to permit connections from the device to the Tunnel Service on
port 7779. Support for outgoing connections is often the default
configuration for such NATs and Firewalls. But even if this were
Motorola Remote Control not the default configuration, changing the configuration would
Solution likely be reasonably simple and would quite often be consistent
with Enterprise security policies.
Note:

port is 7775)
Default port for Tunnel Service from device is 7779 (Old port is
7776)
Default port for MRCS is 7775

The RTM applet running on the Workstation PC establishes an

connection to TCP Port 7778 on the Tunnel Service. The device
has previously established a connection (shown as a tunnel) to
the Tunnel Service on port 7779. The Tunnel Service then
informs the device over the existing connection to make a new
connection to the Tunnel Service. On receiving the new data
connection from device the Tunnel Service bridges the connection
from the Workstation PC to the device and maintains a tunnel
to permit connections from the device to the Tunnel Service on
port 7779. Support for outgoing connections is often the default
configuration for such NATs and Firewalls. But even if this were
Motorola Real Time not the default configuration, changing the configuration would
Management Solution likely be reasonably simple and would quite often be consistent
with Enterprise security policies.
Note:

port is 7775)
Default port for Tunnel Service from device is 7779 (Old port is
7776)
Default port for RTM is 7777
Tunnel Agent Device Attributes

As discussed earlier, when the Tunnel Agent is configured by applying a Settings Object, it
reports to MSP the Connection Type that will be used by a Workstation PC to contact the Control
Module and the information that will be needed to establish that Connection Type. This is
accomplished via the values of Device Attributes set by the Control Module in the Device Registry
and then reported to MSP by the MSP Agent.
Chapter 3 – Security Considerations
Overview
This chapter discusses some security considerations that should be taken into account when
deploying one or more instances of the Motorola Tunnel Service into an Enterprise network.
Motorola Tunnel Service Contactability

Each instance of the Motorola Tunnel Service continuously listens for incoming socket
connections from Workstation PCs. It is therefore imperative that each instance be located such
that it will be contactable from all Workstation PCs that will need to contact devices via that
instance.
Notes:
Connections are never established directly from the MSP Server to an instance of the Motorola
Tunnel Service. The MSP Console UI merely facilitates the establishment of connections from a
Workstation PC to a Tunnel Service.
Both the MSP Server and appropriate instances of the Motorola Tunnel Service must be
contactable from the Workstation PC, but instances of the Motorola Tunnel Service do not need
to be contactable from the MSP Server.
In Inbound Mode, an instance of the Motorola Tunnel Service contacts the Motorola Tunnel
Agents running on devices on behalf of Workstation PCs. If Inbound Mode is used, then it is
imperative that a given instance of the Motorola Tunnel Service be located where it will be able to
reach devices that it will need to contact.
In Outbound mode, an instance of the Motorola Tunnel Service continuously listens for incoming
socket connections from Motorola Tunnel Agents running on devices. If Outbound Mode is used,
then it is imperative that a given instance of the Motorola Tunnel Service be located where it can
be reached by all devices that will need to contact it.
Note:
If a single instance of the Motorola Tunnel Service is supporting a mixture of devices in Inbound
and Outbound Modes, it may be necessary for that instance to be able to contact some devices
(to support Inbound Mode) and to be contactable by some devices (to support Outbound Mode).
Tunnel Service Ports

Each instance of the Motorola Tunnel Service must be contacted by Workstation PCs and may
need to contact or be contacted by Tunnel Agents running on devices. Depending on the
organization and configuration of the Enterprise network, this may require some configuration of
NATs, Firewalls, etc. to enable connections to be established on the requisite network ports.
Table 1 below shows the various ports that are used by the Motorola Tunnel Service.
Table 1 – Tunnel Service Ports
Interface Description/Purpose Old New Can

Name Default Default Change?
Port Port
Tunnel Service Used to connect to the Tunnel TCP 7775 TCP 7778 Yes
Workstation Port Service from Workstation PCs.
Tunnel Service Used to connect to the Tunnel TCP 7776 TCP 7779 Yes
Device Port Service from devices.
Chapter 3 – Security Considerations -- 21
Important:
Prior to version 2.2 of the Tunnel Service, the default ports used by the Tunnel Service were in
conflict with the default ports used by the Motorola Remote Control Solution. This prevented the
Tunnel Service, the Tunnel Agent, and the Motorola Remote Control Solution from all being used
on the same Managed Windows PC unless some ports were suitably reconfigured.
Beginning with version 2.2 of the Tunnel Service, the default ports have been changed to coexist
with the default ports used by the Tunnel Agent and the Motorola Remote Control Solution. This
allows the Tunnel Service, the Tunnel Agent, and the Motorola Remote Control Solution to all be
used on the same Managed Windows PC without the need to reconfigure the ports.
Because of this change, care must be taken when installing new instances of the new Tunnel
Service onto new Managed Windows PCs or updating existing Managed Windows PCs to use the
new Tunnel Service. If any instances of the Tunnel Service were previously deployed that used
the old default ports, and if the Tunnel Agent on any devices was configured to access those
instances of the Tunnel Service via those default ports, then some changes will likely need to be
made when the new Tunnel Service is deployed.
To remain compatible with existing devices, one approach would be to ensure that all instances
of the Tunnel Service are configured to use the old default ports. This would need to be done
explicitly since both new and updated instances would use the new default ports in the absence
of explicit reconfiguration. An alternate approach would be to reconfigure the Tunnel Agent on
devices to use the new default ports to connect to new and updated instances of the Tunnel
Service.
If the new default ports are used, reconfiguration of Firewalls and/or NATs may be required to
allow traffic on these new ports to be properly routed.
Tunnel Agent Ports

An instance of the Motorola Tunnel Service may need to contact the Tunnel Agent in one or more
devices (i.e. when Inbound mode is used). Depending on the organization and configuration of
the Enterprise network, this may require some configuration of NATs, Firewalls, etc. to enable
connections to be established on the requisite network ports. Table 2 below shows the various
ports that are used by an instance of the Motorola Tunnel Service to contact the Motorola Tunnel
Agent.
Table 2 – Motorola Tunnel Agent Ports
Interface Description/Purpose Default Can

Name Port Change?
Tunnel Agent Used by the Tunnel Service to connect TCP Yes

Listening Port to the Tunnel Agent in the inbound 7776
mode.
Notes:
If the Tunnel Agent Listening Port for an instance of the Motorola Tunnel Service is changed from
the default, then the configuration of the Motorola Tunnel Agent must generally be
correspondingly changed on devices that will be contacted by that instance of the Tunnel Service,
in order to ensure successful operation.
Connection Security
It is important to understand that the Motorola Tunnel Service is designed as a solution to
enhance contactability of devices by Workstations PCs and is not designed as a solution to
increase the security of those connections. In fact, in some cases the introduction of one or more
Tunnel Services could actually have a negative impact on overall network security.
Any new entity introduced into an Enterprise represents a potential new attack surface and hence
introduces the possibility of new vulnerabilities. And, by increasing the contactability of devices,
the vulnerability of devices to contact by unauthorized entities may potentially be increased. The
following subsections present some specific security issues that may be worthy of consideration
and describe mitigations where applicable.
General Network Node Attacks

The introduction of the Windows PC on which an instance of the Motorola Tunnel Service
software is installed could introduce vulnerabilities not directly related to the Motorola Tunnel
Service software itself. Like any other node introduced into an Enterprise, an assessment should
be made of the potential vulnerabilities of that node and suitable mitigations should be deployed
where appropriate. For example, all relevant and available Operating System security patches
should be deployed to harden the Windows PC against malicious attacks. Further, any network
ports that may be open for incoming traffic on the Windows should be closed if they are not
needed. Such “hardening” of network nodes is always good practice and would generally be part
of any standard Enterprise security policy.
Motorola Tunnel Service-Specific Attacks

Since an instance of the Motorola Tunnel Service is designed to act as a bridge between
Workstation PCs and devices, it is designed to accept connections from those Workstation PCs
and devices. This means that ports must be opened to permit incoming connections from the
network. As such, every instance of the Motorola Tunnel Service may be exposed to attack by
malicious entities attempting to exploit these exposed network ports. For example, if an instance
of the Motorola Tunnel Service is exposed to the internet, to allow it to be accessed by devices
over a Wide Area Network, then that instance may be subject to attacks from malicious entities
anywhere on the internet.
General Port Attacks

Since the Motorola Tunnel Service requires two ports (by default TCP Port 7778 and TCP Port
7779) to be opened, these ports are subject to general port attacks. A malicious entity could
repeatedly send traffic on these ports without making any attempt to conform to the interfaces
supported by the services listening on these ports. As such, a malicious entity could cause the
Motorola Tunnel Service software to expend resources simply receiving and rejecting traffic on
these ports. This is generally unavoidable and is part of the risk involved in exposing any
interface on any network.
Service-Based Attacks
Attacks that attempt to conform to the interface supported by a service listening on a network port
can have more serious consequences. This is because, if successful, they can result in the
allocation of resources by the server and hence could cause an overload condition and prevent
the service from fulfilling its intended goal. Such an attack is generally referred to as a Denial of
Service Attack.
There are only two services that are exposed to access from the network by an instance of the
Motorola Tunnel Service. The first is the ability of a device to contact that instance and register
Chapter 3 – Security Considerations -- 23
its UUID. The second is the ability for a Workstation PC to contact a device via that instance,
either over a previously registered connection from the Motorola Tunnel Agent in the device or
over a connection established on-demand to the Motorola Tunnel Agent in the device.
The Motorola Tunnel Service protects itself from Denial of Service attacks on both services
through the use of a mandatory built-in challenge/response mechanism. Whenever a
Workstation PC or Motorola Tunnel Agent attempts to connect to a service of an instance of the
Motorola Tunnel Service, the instance issues a challenge that includes a piece of data randomly
selected by that instance. The Workstation PC or device must respond to the challenge by
sending back the same random data, encrypted using a shared 128 bit AES encryption key. The
Applet on the Workstation PC, the Control Module on the device, and the Motorola Tunnel
Service all have the requisite shared encryption key hard-coded.
This challenge/response mechanism effectively means that an entity cannot conform to the
service interfaces of the Motorola Tunnel Service unless it has access to the proper shared
encryption key. And the use of a challenge/response mechanism with random data-based
encrypted using a 128 bit AES encryption key means that it is computationally impractical to
derive the encryption key from simply snooping on connections occurring over the network. This
provides a high degree of protection to the Motorola Tunnel Service against Service-Based
Denial of Service Attacks.
End-to-End Security
As stated earlier, the Motorola Tunnel Service itself is not designed as a solution to increase the
security of connections between Workstation PCs and devices. No protection against
unauthorized connections from Workstation PCs to devices is implemented within the Motorola
Tunnel Service. Likewise, no protection of the privacy or integrity of the data exchanged between
Workstation PCs and devices is implemented within the Motorola Tunnel Service.
Nonetheless, authorization, privacy, and security are of significant concern and are addressed as
part of the solutions that can interoperate with the Motorola Tunnel Service. But security is not
addressed specifically by the Motorola Tunnel Service. Instead, optional end-to-end security
features are implemented between Workstation PCs and devices as part of other solutions.
These end-to-end security features can be used whether or not the Motorola Tunnel Service is
being used as part of the overall system solution.
The Motorola Tunnel Service is completely unaware of and does not participate in any end-to-end
security mechanisms implemented between Workstation PCs and devices. The Motorola Tunnel
Service merely provides for enhanced contactability of devices by Workstation PCs. The
Motorola Tunnel Service does not monitor or participate in the communications performed over
connections it helps establish. The end-to-end security mechanisms used between Workstation
PC and devices are opaque to the Motorola Tunnel Service and all data is merely passed along,
unmodified and unexamined by the Motorola Tunnel Service.
Chapter 4 – Control Modules
Required Control Modules

TunnelAgent
Purpose
The TunnelAgent Control Module is used to deploy the Motorola Tunnel Agent to a device to
facilitate contactability from Workstation PCs to devices, on behalf of Tunnel Agent Patrons, such
as the Motorola Remote Control Solution and the Motorola Remote Management Solution. In
order for a device to be used with an instance of the Motorola Tunnel Service, the TunnelAgent
Control Module must be deployed to the device.
Installation
In order for a device to be used with an instance of the Motorola Tunnel Service, the Tunnel
Agent must be deployed using MSP via a Package that adds the Motorola Tunnel Agent to the
device. Use the appropriate TunnelAgent Package depending on the Target device.
Configuration
When it is initially deployed, the TunnelAgent Control Module is turned off. This ensures that
existing contactability is not affected simply by the installation of this Control Module. Once it is
installed, the TunnelAgent Control Module can be configured to turn it on by setting the desired
Contact Mode by applying a TunnelAgent.Configuration Settings Object.
Settings Objects of the Settings Class TunnelAgent.Configuration are used to configure the
Motorola Tunnel Agent on a device. The following Settings can be used to configure the
operation of the Motorola Tunnel Agent.
Description
This Setting specifies an optional overall description which can be used to enter comments or
other information about this Settings Object.
Connection Type:
This Setting specifies that how the Workstation PC can contact the device.
The following values are possible:
Turn off Tunnel Service

This indicates that the Motorola Tunnel Agent is deactivated. In this mode, Workstation PCs
must contact devices directly.
Deactivating the Motorola Tunnel Agent allows it to be installed without immediately affecting
device operation and allows it to be deactivated without requiring it to be uninstalled. , All
patrons of the Motorola Tunnel Agent will behave identically when the Motorola Tunnel Agent
is installed but deactivated as they do when it is not installed at all. This is the default value.
Workstation PC contacts Tunnel Service which contacts device

This indicates that the Motorola Tunnel Agent is activated in Inbound Mode. In this mode,
Workstation PCs must contact the device indirectly via the proper instance of the Motorola
Tunnel Service.
Workstation PC contacts Tunnel Service which is contacted by device

This indicates that the Motorola Tunnel Agent is activated in Outbound Mode. In this mode,
Workstation PCs must contact the device indirectly via the proper instance of the Motorola
Tunnel Service.
Tunnel Agent Listening Port:

This Setting specifies the Port on which the Motorola Tunnel Agent should listen for incoming
connections from an instance of the Motorola Tunnel Service. This setting is applicable only when
the Motorola Tunnel Agent is activated in Inbound Mode.
Default Value: 7776
Workstation to Tunnel Service IP:

This Setting specifies the IP Address or Network Name that will be used by Workstation PCs to
contact the instance of the Motorola Tunnel Service. This setting is applicable only when the
Motorola Tunnel Agent is activated in either Inbound Mode or Outbound Mode.
Workstation to Tunnel Service Port:

This Setting specifies the Port that will be used by Workstation PCs to contact the instance of the
Motorola Tunnel Service. This setting is applicable only when the Motorola Tunnel Agent is
activated in either Inbound Mode or Outbound Mode.
Default Value: 7778
Device to Tunnel Service IP:

This Setting specifies the IP Address or Network Name that will be used by the Motorola Tunnel
Agent on the device to contact the instance of the Motorola Tunnel Service. This setting is
applicable only when the Motorola Tunnel Agent is activated in Outbound Mode.
Device to Tunnel Service Port:

This Setting specifies the Port that will be used by the Motorola Tunnel Agent on the device to
contact the instance of the Motorola Tunnel Service. This setting is applicable only when the
Motorola Tunnel Agent is activated in Outbound Mode.
Chapter 4 – Control Modules -- 27
Default Value: 7779
Number of Retries:
This Setting specifies how many times the Motorola Tunnel Agent running on the device will
attempt to connect to the instance of the Motorola Tunnel Service before considering it as an
unrecoverable failure. This Setting is applicable only when the Motorola Tunnel Agent is
activated in Outbound Mode.
Default Value: 4096
Possible values: 1-65535
Notes:
If the specified number of retries is exhausted, the Motorola Tunnel Agent will cease trying to
connect to the instance of the Motorola Tunnel Service until the Motorola Tunnel Agent is
restarted or re-configured.
Connection Loss Retry Frequency:

This Setting specifies the time interval in seconds to check for the network connectivity available.
If the device network is not configured Motorola Tunnel Agent will continuously checks for the
connectivity before making an attempt to connect to the Tunnel Service. There is no limit for
number of attempts made for this check
Default Value: 30 seconds
Possible values: 1-120 seconds
Retry Frequency:
This Setting specifies the time interval in seconds to check for the connection attempt to the
Tunnel Service. If the Tunnel Service is not reachable then it will attempt until number of retries
exhaust
Heartbeat Interval:
This Setting specifies the time interval in seconds between heart beat messages sent by the
instance of the Motorola Tunnel Service to the Motorola Tunnel Agent running on the device to
keep the connection alive. If the Motorola Tunnel Agent does not receive a heart beat request
within this time period, then it will automatically re-establish the connection. This Setting is
applicable only when the Motorola Tunnel Agent is activated in Outbound Mode.
Log Level:
This Setting specifies the level of logging generated by the Motorola Tunnel Agent.
Default Value: INFO
ERROR
This is the lowest level you can set for this setting. Only Error logs will be logged in the log file
WARN
Error and Warning logs will be logged in the log file
INFO
Error, Warning and Information logs will be logged in the log file
DEBUG
This is highest level of logging available. All the logs will be logged in the log file
Display Tray Icon?:

This Setting specifies whether the Tray Icon should be displayed in the System Tray of the device
UI when the Tunnel Agent is running. The Tray Icon can be used to visually determine if the
Tunnel Agent Control Module is running, which can often be a good indicator of whether
connectivity is through Tunnel Agent
True
This indicates that the Tray Icon should be displayed in the System Tray. If many Tray Icons
are displayed, the device may respond in a variety of ways, including truncating the list of
icons, allowing the list to be scrolled, etc.
Prompt the Device User for permission

This indicates that the Tray Icon should not be displayed in the System Tray. This may be
desirable if the System Tray is already full or if the System Tray is not generally visible to
Device Users (e.g. because it is hidden by a custom application).
Default Value: True
Operation
See Chapter 6 – Using the Motorola Tunnel Service for information on the operation of this
Control Module.
Device Attributes
The TunnelAgent Control Module will add or replace entries into the device Registry to set
various Device Attributes to reflect the use of an instance of the Motorola Tunnel Service. Table 3
below details the Device Attributes that can be reported by the TunnelAgent Control Module.
Chapter 4 – Control Modules -- 29
Table 3 – Device Attributes
Attribute Name Explanation
UserAttribute.TunnelService.ConnectionType
This Device Attribute is reported as having a
value of “0” when the Tunnel Agent is turned off
so that direct connection from Workstation PC to
device is allowed.
value of “1” when the Tunnel Agent is configured
for “Workstation PC contacts Tunnel Service
which contacts device” (i.e. Indirect Contact,
Inbound Mode).
value of “2” when the Tunnel Agent is configured
for “Workstation PC contacts Tunnel Service
which is contacted by device” (i.e. Indirect
Contact, Outbound Mode).
UserAttribute.TunnelService.TunnelAgentPort This Device Attribute is reported only if the

Device Attribute
“UserAttribute.TunnelService.ConnectionType” is
reported as having a value of “1”.
This Device Attribute reports the Port on which
the Tunnel Agent is listening and at which it
should be contacted by a Tunnel Service when
the Tunnel Agent is configured for “Workstation
PC contacts Tunnel Service which contacts
device” (i.e. Indirect Contact, Inbound Mode).
UserAttribute.TunnelService.TunnelIpAddr This Device Attribute is reported only if the

Device Attribute
reported as having a value of “1” or “2”.
This Device Attribute reports the IP address or
Network Name at which the Workstation PC
should contact the Tunnel Service.
UserAttribute.TunnelService.TunnelPort This Device Attribute is reported only if the

Device Attribute
reported as having a value of “1” or “2”.
This Device Attribute reports the TCP Port at
which the Workstation PC should contact the
Tunnel Service.
Related Control Modules

GetAdapters
As described in Understanding MSP – Understanding Control Modules, the GetAdapters Control
Module acquires and delivers information about all networks adapters that are active and
connected in a device and what it considers to be the “best” adapter to be used to contact the
device.
The TunnelAgent Control Module does not duplicate the functionality of the GetAdapters Control
Module. In particular, since the GetAdapters Control Module already reports the IP Address via
which the device can be contacted, the TunnelAgent Control Module leverages this information
for use in Indirect Contact Inbound Mode.
Chapter 5 – Installation and
Configuration
Overview
This chapter discusses the installation and configuration of instances of the Tunnel Service.
Motorola Tunnel Service Target Hardware

An instance of the Motorola Tunnel Service software should be installed on one or more Windows
PCs within an Enterprise when the need for enhanced contactability of devices is required.
Instances of the Motorola Tunnel Service software could be installed on any dedicated or shared
Windows PC or Windows Virtual Machine that is running a supported Windows Operating
System.
Motorola Tunnel Service Pre-requisites

Important:
Because each instance of the Motorola Tunnel Service requires a Control Edition License, the
Motorola Tunnel Service can only be used with MSP Control Edition.
Instances of the Motorola Tunnel Service must always be installed using MSP onto a Windows
PC that is already being Directly Managed by MSP via the Windows PC Client.
Note:
For information on the Windows PC Client and how to get a Windows PC to be Directly Managed
by MSP, refer to the MSP Client Software Guide.
In addition to the Windows PC Client, the Motorola Tunnel Service requires that the following pre-
requisites be present on the Windows PC before the Motorola Tunnel Service can be successfully
installed onto that Windows PC:
Java Runtime Environment

The MSP recommended Java Runtime can be installed via the TunnelService_Prerequisite
Package.
Motorola Tunnel Service Prerequisites can be manually installed onto a Windows PC or can be
deployed to a Windows PC using MSP via a Package that adds all the necessary pre-requisites
onto a Windows PC. Once a given Windows PC has been discovered by MSP and is shown as
having a Device Class of “Windows PC”, the Tunnel Service Pre-requisites Package can be
installed onto that Windows PC by deploying the Package “TunnelService_Prerequisites.apf” to
that Windows PC.
Note:
Installing the Motorola Tunnel Service Pre-requisites Package will install all the Motorola Tunnel
Service Pre-requisites, but uninstalling the Motorola Tunnel Service Pre-requisites Package will
not remove those pre-requisites. In particular, uninstalling the Motorola Tunnel Service Pre-
requisites Package will not prevent the Motorola Tunnel Service, if it has been installed, from
continuing to operate.
If the previous version of Java is already installed on the machine and is being used by any of the
process then installation of pre-requisite will fail. This is because during java upgrade instead of
doing the silent installation it throws up the error message on the server saying Java is being
used by one of the process. Always make sure no program is using the Java before installing the
pre-requisite
During the un-installation of Tunnel Service make sure that Tunnel Service Status viewer and
Tunnel Service Configuration Wizard is closed. This is important because these two components
are part of Tunnel Service package and will be removed during the un-installation process. If
these file being used then Tunnel Service un-installation will fail.
Motorola Tunnel Service Deployment

An instance of the Motorola Tunnel Service is deployed using MSP via a Package that adds
Tunnel Service support into the Windows PC Client running on a Windows PC. Once a given
Windows PC has been discovered by MSP and is shown as having a Device Class of “Windows
PC”, the Tunnel Service can be installed onto that Windows PC by deploying the Package
“TunnelService_Setup.apf” to that Windows PC. If any of the Motorola Tunnel Service Pre-
requisites are not met on that Windows PC, then the installation of that Package will fail.
Once the Motorola Tunnel Service Package is successfully installed on the Windows PC, the
instance of the Motorola Tunnel Service on that Windows PC will get discovered by MSP and will
be shown as having a Device Class of “TunnelServiceProxy”. This will be an indication that the
instance of the Motorola Tunnel Service on that Windows PC is active and ready to be
configured.
Chapter 5 – Installation and Configuration -- 33
Motorola Tunnel Service Configuration

Each instance of the Motorola Tunnel Service is initially configured with defaults that may allow it
to be used right away. In some cases, however, the default configuration may not be suitable
and re-configuration may be required. An instance of the Motorola Tunnel Service software can
be configured in any of the following ways:
TunnelService.Configuration Settings Object

Once an instance of the Motorola Tunnel Service is installed on a Windows PC and discovered
as a managed device, then it is ready to be configured. One or more instances of the Motorola
Tunnel Service can be configured by creating and deploying a Settings Object of Settings Class
TunnelService.Configuration.
Important:
TunnelService.Configuration Settings Objects can only be deployed to managed devices of

Device Class “TunnelServiceProxy”. If a TunnelService.Configuration Settings Object is
deployed to any other Device Class, such as to a Windows PC, then it will fail. This is true even
though the managed device of Device Class “TunnelServiceProxy” is running on the Windows
PC.
If multiple instances of the Motorola Tunnel Service are installed on multiple Windows PCs, they
could all be configured using a single TunnelService.Configuration Settings Object. Whether this
is appropriate to do would depend on whether the desired configuration is the same for all
instances. Sending the same Settings Object to multiple instances could easily be accomplished
by using a Provisioning Policy with an Applicability Rule that includes a test for the Device Class
“TunnelServiceProxy”,
The following Settings can be used to configure the operation of an instance of the Motorola
Tunnel Service.
Description
This Setting specifies an optional overall description which can be used to enter comments or
other information about this Settings Object.
Workstation to Tunnel Service Port:

This Setting specifies the Port that should be used by Workstation PCs to contact the instance of
This Setting is applicable for Indirect Contact Inbound Mode (i.e. when Connection Type is set to
“Workstation PC contacts Tunnel Service which contacts device”) or Indirect Contact Outbound
Mode (i.e. when Connection Type is set to “Workstation PC contacts Tunnel Service which is
contacted by device”).
Default Value: 7778
Note:
If the default port is changed for an instance of the Motorola Tunnel Service, then a
corresponding change will need to be made to the configuration of the Motorola Tunnel Agent for
all devices that will be used with that instance of the Motorola Tunnel Service.
Device to Tunnel Service Port:

This Setting specifies the Port that should be used by the Motorola Tunnel Agent running on
devices to contact the instance of the Motorola Tunnel Service when Outbound Mode is used.
This Setting is applicable only for Indirect Contact Outbound Mode (i.e. when Connection Type is
set to “Workstation PC contacts Tunnel Service which is contacted by device”).
Default Value: 7779
Note:
all devices that will be used in Outbound Mode with that instance of the Motorola Tunnel Service.
Log Level:
This Setting specifies the level of logging to be generated by the instance of the Motorola Tunnel
Service.
SEVERE
This is the lowest level of logging available. Only the occurrence of Errors will be logged.
WARNING
The occurrence of Errors and Warnings will be logged.
INFO
The occurrence of Errors, Warnings, and Informational Messages will be logged.
DEBUG
This is the highest level of logging available. The occurrence of Errors, Warnings,
Informational Messages, and Debug Messages will be logged.
Note:
The higher the level of logging configured, the larger and faster the Log file can grow in the
Tunnel Service. Logging should be configured as low as appropriate under normal
circumstances. If problems are encountered, then logging may be increased until the problem is
found, but should be lowered again when no longer needed. There will be a maximum of 3 log
files created with 10MB size. After this first file will be deleted
Chapter 5 – Installation and Configuration -- 35
Default Value: INFO
Configuration Wizard
Once an instance of the Motorola Tunnel Service has been installed on a Windows PC, that
single instance can be re-configured using the Motorola Tunnel Service Configuration Wizard.
This is not recommended way for changing the configuration
Note:
If multiple instances of the Motorola Tunnel Service need to be identically configured, then a
using a TunnelService.Configuration Settings Object, as described in the prior section, would
likely be a more efficient approach.
The Motorola Tunnel Service Configuration Wizard can be launched using the Tunnel Service
Configuration shortcut that can be found in the Start Menu of the Windows PC at Programs >
Motorola MSP > Tunnel Service Configuration.
Important:
Running the Motorola Tunnel Service Configuration Wizard requires access to the Windows
Console of the Windows PC on which the Motorola Tunnel Service has been installed. This
would generally require physical access to that Windows PC or the ability to remotely login to the
Windows Console of that Windows PC (e.g. using the Microsoft Remote Desktop Protocol or
some similar mechanism).
Figure 4 below shows the Motorola Tunnel Service Configuration Wizard Dialog that will be
displayed when the Motorola Tunnel Service Configuration Wizard is launched using the shortcut.
Figure 4 – Tunnel Service Configuration Wizard Dialog
Note:
If the Tunnel Service is installed on Windows Vista and above user must login as Administrator to
make any changes to the configuration using Wizard.
Changes made to the configuration of an instance of the Motorola Tunnel Service while it is
running may not take effect until the instance is restarted or the Windows PC is rebooted.
Tunnel Service Workstation Port

This option specifies the Port that should be used by Workstation PCs to contact the instance of
Note:
all devices that will be used with that instance of the Motorola Tunnel Service.
Tunnel Service Device Port

This option specifies the Port that should be used by the Motorola Tunnel Agent running on
devices to contact the instance of the Motorola Tunnel Service when Outbound Mode is used.
Note:
all devices that will be used in Outbound Mode with that instance of the Motorola Tunnel Service.
Log Level
The Tunnel Service Log Level can be adjusted, if needed. This might be changed if there is a
need to debug the operation of the Tunnel Service.
Chapter 6 – Using the Motorola Tunnel
Service
Overview
This chapter discusses how to use the Tunnel Service
Usage Transparency
The Tunnel Service is designed to enhance the contactability of devices from Workstation PCs,
when used in conjunction with Tunnel Agent Patrons, such as the Motorola Remote Control
Solution or the Motorola Real-Time Management Solution, while providing a high degree of
Usage Transparency. By this is meant that once the Tunnel Services are appropriately installed
and configured and once devices are appropriately configured, the usage of the Tunnel Agent
Patrons is the same as if no Tunnel Service were used.
In fact, to meet the potentially varying needs of a complex Enterprise network, some devices
might need to be contacted directly (without an intermediary Tunnel Service), some devices might
need to be contacted via a Tunnel Service using Inbound Mode, and some devices might need to
be contacted via a Tunnel Service using Outbound Mode. Once such a system is properly
deployed, an MSP Console UI User can use the Tunnel Agent Patrons without needing to worry
how devices will be contacted.
NAT Traversal
For Indirect Contact Modes to be used, Workstation PCs must be able to directly contact
instances of the Motorola Tunnel Service. If an instance of the Motorola Tunnel Service is inside
the inner network of a NAT and Workstation PCs are in the outer network, then it may be the
case that the instance of the Motorola Tunnel Service will not be directly contactable from some
or all Workstation PCs. When such a situation exists, NAT Traversal may be used or the
instance of the Motorola Tunnel Service will need to be relocated.
It may seem somewhat strange to set up a network in this way, since one key reason for using an
instance of the Motorola Tunnel Service is to avoid the need for NAT Traversal. But in fact, this
can be a very reasonable approach.
Configuring NAT Traversal for a large number of devices can be quite complicated since it must
take into account the mappings required to reach each and every device. If an instance of the
Motorola Tunnel Service is placed with the devices in the inner network, then NAT Traversal need
only be configured to reach the instance of the Motorola Tunnel Service and the instance of the
Motorola Tunnel Service will handle reaching the devices. In addition, traffic to the instance of
the Motorola Tunnel Service may be the only traffic for which NAT Traversal must be configured.
This can make the configuration of the NAT Router much simpler since there is only one IP
Address and one port to be dealt with.
NAT Traversal Operation

The most automatic way for a node in an inner network to learn the IP Address of a node in an
inner network is to have the node in the inner network send it to the node in the outer network. .
But this does not help much for NAT Traversal since a node in the inner network generally does
not know its public IP Address, and hence cannot tell a node in the outer network about it. While
traffic from the node in the inner network may be identified as coming from its public IP Address,
the public IP Address generally cannot be included as data sent by the node.
The key task in NAT Traversal is determining the proper IP Address and possibly Port Number (if
NAPT is used) required to contact nodes in the inner network from nodes in the outer network.
This requires understanding and leveraging knowledge about configuration of the NAT Router.
There are two primary NAT IP Address Mapping modes: One-to-One NAT IP Address Mapping
and One-to-Many NAT IP Address Mapping. These modes have different requirements for
successfully accomplishing NAT Traversal.
One-to-One NAT IP Address Mapping

When One-to-One NAT IP Address Mapping is used, the NAT Traversal must somehow
determine the proper public IP Address to use to contact the desired node in the inner network
from a node in the outer network. This process can be relatively simple since there is a unique
public IP Address for each node.
NAT Traversal must be accomplished by maintaining a table mapping private IP Addresses to
public IP Addresses. Since a node in an inner network can know its private IP Address, it can
report that. A node in the outer network can then use that private IP Address to look up the
proper public IP Address required to reach that node.
As mentioned earlier, implementing NAT Traversal for instances of the Motorola Tunnel Service
can often be significantly less work than implementing NAT Traversal for devices. This is
because there are generally far fewer instances of the Motorola Tunnel Service than there are
devices, since a single instance of the Motorola Tunnel Service generally services many devices.
One-to-Many NAT IP Address Mapping

When One-to-Many NAT IP Address Mapping is used, the NAT Traversal must somehow
determine both the proper public IP Address and Port Number to use to contact the desired node
in the inner network from a node in the outer network. This process is more complicated since
the same public IP Address is used for multiple devices and must be paired with a Port Number.
NAT Traversal must be accomplished by maintaining a table mapping private IP Addresses to
pairs of public IP Addresses and Port Numbers. Since a node in an inner network can know its
private IP Address, it can report that. A node in the outer network can then use that private IP
Address to look up the proper pair of public IP Address and Port Number required to reach that
node.
Chapter 6 – Using the Motorola Tunnel Service -- 39
As mentioned earlier, implementing NAT Traversal for instances of the Motorola Tunnel Service
can often be significantly less work than implementing NAT Traversal for devices. This is
because there are generally far fewer instances of the Motorola Tunnel Service than there are
devices, since a single instance of the Motorola Tunnel Service generally services many devices.
Simplifying NAT Variations

NAT Traversal can be very complicated in the general case, especially if there are many NAT
Routers and their configurations vary. Having several different models or vendors of NAT
Routers could also significantly complicate the successful configuration of NAT Traversal.
If all NAT Routers are of the same vendor and model and if all NAT Routers are configured
similarly, then the effort to configure MSP for NAT Traversal can be made much more practical.
This is sometimes referred to as a “cookie cutter” approach because all inner networks look alike
and are served by NAT Routers that behave consistently.
Configuring MSP NAT Traversal for Tunnel

Service
When necessary, NAT Traversal may be used to enable the use of Indirect Contact Modes
between Workstation PCs in an outer network and devices in an inner network when the instance
of the Motorola Tunnel Service to be used is also inside the same inner network. This can be
configured as described below.
When the MotoRemoteControl or MotoRemoteUI Control Module is configured to use Indirect
Contact Mode, the IP Address and Port Number of an instance of the Motorola Tunnel Service
must also be configured. The Control Module then notifies the MSP Server of this information
using the Device Attributes “UserAttribute.TunnelService.TunnelIpAddr” and
”UserAttribute.TunnelService.TunnelPort”. The MSP Server uses this information to connect
Workstation PCs to the instance of the Motorola Tunnel Service and thence to devices. Since the
instance of the Motorola Tunnel Service is in the inner network, and Workstation PCs are in the
outer network, the Control Module must report the public IP Address of the instance of the
Motorola Tunnel Service to the MSP Server.
In this type of configuration, Indirect Contact Inbound Mode should generally be used. In this
mode, the instance of the Motorola Tunnel Service will contact the devices, at the request of
Workstation PCs, rather than the devices contacting the instance of the Motorola Tunnel Service.
Devices can thus safely be configured with the public IP Address of the instance of the Motorola
Tunnel Service since they will send it to the MSP Server but will not use it to contact the instance
of the Motorola Tunnel Service themselves.
If Indirect Contact Outbound Mode were used instead, then the devices would need to contact the
instance of the Motorola Tunnel Service using the public IP Address. This might work, if the NAT
Router were capable of detecting and routing such references properly efficiently. But not all
NAT Routers can perform such routing and many cannot perform it inefficiently. And there should
be no reason to use Indirect Contact Outbound Mode in this type of configuration. Since the
instance of the Motorola Tunnel Service and devices are in the same inner network, Indirect
Contact Inbound Mode should work fine. And Indirect Contact Inbound Mode will improve battery
life and reduce network traffic.
System Deployment
To deploy an MSP system that leverages the Tunnel Service to support any application which
requires the contactability need, the following Tunnel Service-specific steps should be followed:
1. Identify all devices where contactability will need to be enhanced through the use of a
Tunnel Service.
2. Identify the Tunnel Service Connection Type that will be used for each identified device.
3. Identify all Servers within the Enterprise network on which Tunnel Service software is
required to enhance the contactability of the identified devices.
4. Identify any changes to the default Tunnel Service ports that will be required for each
identified Server to comply with Enterprise security policies.
5. Install the Tunnel Service software on each identified Server and configure any identified
changes to default Tunnel Service ports using the TunnelService.Configuration setting
6. Identify the groups of devices that will be contacted via the same Tunnel Service using
the same Connection Type.
7. Create a TunnelAgent.Configuration Settings Object that specifies the Tunnel Service,
Connection Type, and other device and Tunnel Service-specific information, for each
identified group of devices.
8. Provision the Tunnel Agent Package to all devices to be used with the Tunnel Service
Solution.
9. Provision the appropriate TunnelAgent.Configuration Settings Object to the devices in
each identified group of devices.
Once the above steps have been completed, any Tunnel Agent Patron can leverage the
contactability through the Tunnel Service.
Tunnel Service Status Monitoring

The status of an instance of the Motorola Tunnel Service can be monitored using the MSP
Console UI or using a standalone status viewer application running on the Windows PC on which
that instance of the Motorola Tunnel Service is installed. These methods are described in the
following sub-sections.
Status Monitoring Using MSP

In every Tunnel Service Plug-In check-in interval, Plug-In queries the Tunnel Service to display
the following information
Device Status Attribute Description
Device ID UUID of the device
IP address IP address of the device

Device Status Attribute Description
Status Displays the Tunnel Service status

Possible Values:
Running – Tunnel Service is in running state
Stopped – Tunnel Service is stopped
Not Installed – Tunnel Service Plug-In is not
installed
Number of Devices Total number of devices using Tunnel Service
Number of Registered outbound devices Total number of devices registered to Tunnel

Service
Number of Active outbound sessions Total number of active outbound sessions
Number of Active inbound sessions Total number of active inbound sessions
Status Monitoring Using Standalone Status

Viewer
Using this feature administrator can monitor the Tunnel Service connections. This is installed as
part of the Tunnel Service installer
To launch the Tunnel Service status viewer, use the Tunnel Service Status Viewer shortcut that
was installed into the Start Menu when the Tunnel Service software was installed. This shortcut
can be found at: Programs > Motorola MSP > Tunnel Service Status Viewer. Figure 5 shows the
Status Viewer Window
Figure 5 - Status Viewer Window
The following table shows the details that will be displayed in the Status Viewer Window:
Field Description
Device ID UUID of the device
IP address IP address of the device

Field Description
Status Status of the connection

Possible Values:
Registered – Device is registered to Tunnel
Service but there is no active session
(Outbound mode only)
Active – Device has an active remote control
or Request Checkin session running
(Outbound mode only)
Inbound – If the Remote control or Request
Checkin session is established using the
inbound mode
Active Connections The number of active sessions for a device
The user can export the list to the file in the csv format.
Note:
This standalone status viewer can be used to monitor any one single instance of Tunnel Service.
The recommended method is to use the MSP Device status page to monitor the status attributes
Best Practices
The following Best Practices can be followed to help improve the overall success when using a
Tunnel Service with the Motorola Remote Control Solution.
Deploy the minimum number Tunnel Services required to achieve the desired enhancement
of device contactability.
Choose the Connection Type to be used for each device carefully:

○ Use a Connection Type of “Workstation PC contacts device” (Direct Contact, without a
Tunnel Service) whenever practical.
○ Use a Connection Type of “Workstation PC contacts Tunnel Service which contacts
device” (Indirect Contact, Inbound Mode), if possible, when Direct Contact is not
practical.
○ Use a Connection Type of “Workstation PC contacts Tunnel Service which is contacted
by device” (Indirect Contact, Outbound Mode) only when no other Connection Type is
practical.
Ensure that a TunnelAgent.Configuration Settings Object is deployed to all devices to specify

the Connection Type to be used for each device.
Do not change the default Tunnel Service ports on a Tunnel Service unless it is required to
conform to Enterprise security policies.
○ If the ports are changed, ensure that a TunnelAgent.Configuration Settings Object is

deployed to all affected devices to configure the changed ports.
End application is responsible for any end-to-end encryption. Tunnel Service only act as a
pass through. Enable end-to-end encryption only when it is necessary to ensure the privacy
and integrity of data, such as when connections will occur over an insecure network segment
(e.g. over the internet).
Motorola Solutions, Inc.
One Motorola Plaza
Holtsville, New York 11742, USA
1-800-927-9626
http://www.motorolasolutions.com
© Motorola Solutions, Inc. 2012
72E-134766-05

Using The Motorola Tunnel Service MSP

Uploaded by

Copyright:

Available Formats

Using The Motorola Tunnel Service MSP

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Using The Motorola Tunnel Service MSP

Uploaded by

Copyright:

Available Formats

Using the Motorola Tunnel Service with

No license is granted, either expressly or by implication, estoppel, or otherwise under any

About This Guide ................................................................................................ 1

Chapter 1 – Introduction .................................................................................... 3

Chapter 2 – Key Concepts of Tunnel Service Operation ................................. 7

Chapter 3 – Security Considerations .............................................................. 19

Tunnel Agent Ports ........................................................................................................................ 21

Chapter 4 – Control Modules ........................................................................... 25

Chapter 5 – Installation and Configuration ..................................................... 31

Chapter 6 – Using the Motorola Tunnel Service............................................. 37

Configuring MSP NAT Traversal for Tunnel Service .............................................................................39

Serial number of the software

What is the Motorola Tunnel Service?

Acquiring the Motorola Tunnel Service

Add-On Kit Contents

Each Add-On Kit .ZIP File contains the following contents:

The Definition Document for Tunnel Agent settings, TunnelAgent.Configuration.setting.xml.

The definition document for Tunnel Service settings, TunnelService.Configuration.setting.xml

TunnelAgent.apf or PC_TunnelAgent.apf , which includes the component necessary for

TunnelService_Prerequisites.apf, which includes the component necessary for installing the

Add-On Kit Installation

Licensing the Motorola Tunnel Service

Tunnel Service Patrons

Figure 1 – Direct – Workstation to Device

Tunnel Agent Modes of Operation

Figure 2 – Indirect – Workstation PC to Tunnel Service to Device – Inbound Mode

Tunnel Service Patron Inbound Port Information

Tunnel Service Patron Port Information

The MRCS Applet running on the Workstation PC establishes an

Default port for Tunnel Service from Workstation PC is 7778 (Old

Default port for Tunnel Agent is 7776

Default port for MRCS is 7775

Tunnel Service Patron Port Information

The Applet running on the Workstation PC establishes an indirect

Default port for Tunnel Service from Workstation PC is 7778 (Old

Default port for Tunnel Agent is 7776

Default port for RTM is 7777

Figure 3 – Indirect – Workstation PC to Tunnel Service to Device – Outbound Mode

Tunnel Service Patron Outbound Port Information

Tunnel Service Patron Port Information

The MRCS applet running on the Workstation PC establishes an

Default port for Tunnel Service from Workstation PC is 7778 (Old

Default port for MRCS is 7775

Tunnel Service Patron Port Information

The RTM applet running on the Workstation PC establishes an

Default port for Tunnel Service from Workstation PC is 7778 (Old

Default port for RTM is 7777

Tunnel Agent Device Attributes

Motorola Tunnel Service Contactability

Tunnel Service Ports

Interface Description/Purpose Old New Can

Tunnel Agent Ports

Interface Description/Purpose Default Can

Tunnel Agent Used by the Tunnel Service to connect TCP Yes

General Network Node Attacks

Motorola Tunnel Service-Specific Attacks

General Port Attacks

Required Control Modules

Turn off Tunnel Service