OpSpace

Security Document

R591482_12
August 2021
Barco OpSpace Security Document

R591482, Current Version


Title: OpSpace Security Document
ID No.: R591482
Revision: 12
Date: August 2021

This manual refers to OpSpace 1.9.4 software release.

Trademarks
Brand and product names mentioned in this manual may be trademarks, registered trademarks, or copyrights of their respective holders. All brand and product names mentioned in this manual serve as comments or examples and are not to be understood as advertising for the products or their manufacturers.

Copyright © 2021 by Barco


All rights reserved. No part of this document may be copied, reproduced, or translated. It shall not otherwise be recorded, transmitted, or stored in a retrieval system without the prior written consent of Barco.

OpSpace Security Document - R591482


www.barco.com
Barco OpSpace Security Document

Document history
Date Author Reason for Changes
27-Jun-2016 HEKR DRAFT version
20-Dec-2016 HEKR Release OpSpace 1.0
22-Dec-2016 HEKR Add Barco P/N R591482
30-Mar-2017 EREB Release OpSpace 1.1
18-May-2018 EREB Release OpSpace 1.3
05-Feb-2019 HEKR Release OpSpace 1.4
13-Aug-2019 GRIM Release OpSpace 1.5
17-Sep-2019 HEKR Release OpSpace 1.5 (section 13.2)
27-Jan-2020 PHIHE Release OpSpace 1.7
05-May-2020 PHIHE Release OpSpace 1.8
27-Jul-2020 PHIHE Release OpSpace 1.9
15-Oct-2020 PHIHE Release OpSpace 1.9.1
17-Dec-2020 PHIHE Release OpSpace 1.9.2
14-Apr-2021 PHIHE Release OpSpace 1.9.3

Review history
Date Reviewer Review performed and feedback received
14-Dec-2016 KLK, THKA, EREB, GRIM
20-Dec-2016 ELVMU
19-Jun-2018 ERIBE
06-Feb-2019 HOLLE ELVMU
13-Aug-2019 ELVMU
15-Aug-2019 HOLLE
27-Jan-2020 HEKR
06-May-2020 HEKR
28-July-2020 HEKR
15-Oct-2020 HEKR
19-Apr-2021 HEKR


Contents
1 General Information ... 6
2 Description ... 7
3 Scope ... 8
4 Architecture ... 9
4.1 Deployment View ... 9
4.2 Component View ... 9
4.3 Overview of APIs ... 10
4.4 Configuration Flow ... 10
4.4.1 EDP Control Service ... 10
4.4.2 Auto Discovery and Registration of Barco Devices ... 11
4.4.3 Configuring OpSpace ... 11
5 Components ... 12
5.1 OpSpace Device Agent ... 12
5.2 OpSpace Virtual Environment ... 12
5.3 OpSpace System Manager ... 12
5.4 OpSpace Application Service ... 13
5.5 OpSpace Workstation ... 13
5.6 OpSpace Client Appliance ... 13
5.6.1 Keyboard/Mouse ... 13
5.6.2 Audio ... 13
5.7 Session Gateway Service ... 14
5.8 Media Service ... 14
5.9 Barco Encoders ... 15
5.9.1 NGS-D200 ... 15
5.9.2 NGS-D220 ... 15
5.9.3 NGS-D320 ... 15
5.10 Deployment & Upgrade Server ... 15
5.11 Barco Device Discovery Tool ... 15
5.12 OpSpace Logout Tool ... 15
6 Communication ... 16
6.1 Well-Known Service Listening Ports ... 16
6.2 Ephemeral Ports ... 25
7 Identity & Access Management ... 27
7.1 User Access Rights Management ... 27
7.1.1 System Admin User Management ... 27
7.1.2 Operator Group Management ... 27
7.1.3 Component Description ... 28
7.2 Barco Service Access Password ... 31
7.3 Device Password ... 31
7.4 Barco Encoders ... 31


8 Logging ... 32
8.1 Audit logging ... 32
8.2 System log ... 32
9 High Availability / Redundancy ... 34
9.1 Network Interface Bonding ... 34
9.2 Redundant Setup ... 34
9.3 OpSpace Client Appliance ... 34
9.4 OpSpace Server Cluster ... 34
9.4.1 EDP Control Service ... 35
9.4.2 OpSpace Application Service ... 35
9.4.3 Session Gateway Service ... 35
9.4.4 General Network Failure Behavior ... 35
9.5 Media Service ... 35
10 Health Monitoring ... 36
10.1 System Status ... 36
10.2 SNMP ... 36
10.3 Monit ... 36
11 Backup & Restore ... 37
11.1 System Maintenance ... 37
11.2 Replacement ... 37
12 Patch Management ... 38
12.1 Deployment & Upgrade Server ... 38
13 Public key infrastructure ... 39
13.1 Step-by-step guide OpSpace ... 39
13.2 Certificate formats ... 41
13.2.1 PEM format ... 41
13.2.2 DER format ... 41
13.2.3 PKCS#7 or P7B format ... 41
13.2.4 PKCS#12 or PFX format ... 42
13.3 Certificate key matching ... 42
14 Threat Analysis & Mitigation ... 43
14.1 Default Passwords ... 43
14.2 Device Password ... 43
14.3 Threats During System Administration ... 43
14.4 Threats During Initial System Setup ... 43
14.4.1 DNS Spoofing ... 43
14.5 Threats during operation ... 44
14.5.1 Malware/Viruses ... 44
15 Contact ... 45


1 General Information
Manufacturer Barco N.V.

System OpSpace

Release 1.9.4

This document describes the security objectives and controls implemented in the Barco OpSpace (Operator Workspace) product.
The main intent is to provide customers running an Information Security Management System (ISMS) for their installation with the necessary information about security controls. The OpSpace product is designed to contain the basic security features required in various environments. Based on this information, customers can align the detailed requirements from their ISMS with the security features of the OpSpace product.


2 Description
OpSpace provides operators with a single, personalized, concurrent view on applications, remote desktops and video streams, all freely combined onto a single high-resolution unified display surface spanning multiple displays on their desk.
OpSpace is a hardware-independent, networked visualization and collaboration software suite providing unparalleled flexibility and scalability through the use of industry-standard networks, application servers and software decoding technologies for video, from standard and high definition to 4K resolution, as well as screen-scraped and virtualized computer desktops or applications, from a single workplace up to a large number of interconnected workstations. The software supports full redundancy from the network level up to fully redundant servers and workstations.
The distributed architecture of this solution enables sources, including remote applications or video content, to be captured once, in any location, and distributed and displayed as many times as required in any location.

For detailed information, consult the section What is OpSpace? in the OpSpace
Setup & Configuration Manual (R591480).


3 Scope
The security concept describes the security measures implemented in the product regarding the
- confidentiality
- integrity
- availability
of the system and the data at rest or in transit.
This implies a user management that provides for:
- authentication
- authorization
- accountability.
The foundation of a security concept is a declaration of the assets to protect. This mainly depends on the specific security requirements of a customer's installation. The OpSpace product has been developed with the objective of achieving high availability of the system and preserving the confidentiality and integrity of the data processed. The implemented measures are documented herein so the customer can align them with their specific requirements.
Confidentiality is addressed by:
- controlling access to video sources per user permissions
- limiting access to configuration data per user permissions
- logging access to data by user and operation
Integrity of configuration data is achieved by verifying component configurations regularly.
The security of the network infrastructure connecting the system's components with each other and with the outside is not in the scope of the security concept.
The video and audio data transported as multicast/unicast streams over the network is not covered either.
Availability of the system is addressed by:
- redundant network connection and setup
- fast and easy replacement of failing components
- backup/restore of system configuration data
- patch management to keep the system up to date with security fixes
Accountability is addressed by:
- sending audit logging to a remote Syslog service.


4 Architecture
4.1 Deployment View
The OpSpace system features several components that can be fully distributed across an IP network. It can also be configured for more complex environments where multiple networks are used for either security or performance reasons.
The OpSpace components are categorized into server and workstation (client) components.
Interconnection of all relevant server room (yellow) and control room (blue) components:

The physical server components are designed as standard rack-mountable chassis and have sophisticated redundancy features.
The server software is independent of specific hardware. It is available for virtual environments and can also be configured for full redundancy.
Source adapter components include both hardware and software encoders as well as VDI protocols. In addition, OpSpace is capable of connecting directly to IP camera streams of all major camera brands and codecs, such as Axis, Bosch, or Pelco.
OpSpace uses Ethernet networking technology as the backbone for distributing real-time content.

4.2 Component View


The picture below gives a detailed view of the complete OpSpace solution:
- The OpSpace Virtual Environment, OpSpace Client Appliance, Media Service and Barco Encoders are deployed on dedicated hardware appliances.
- Server appliances (EDP Control Service, OpSpace Application Service, etc.) are deployed as OVAs and hosted in a virtualized environment.
- The EDP Control Service and OpSpace Application Service support high availability.
- The Session Gateway Service and Media Service support a redundant setup.


4.3 Overview of APIs


The communication between the OpSpace components is realized via internal APIs. See chapter 6
Communication.
SNMP v3 is used for Health Monitoring. See chapter 10 Health Monitoring.

4.4 Configuration Flow


OpSpace is set up in the browser-based System Manager GUI of the EDP Control Service, which permits detecting and configuring all the components of the system through one simple interface.

4.4.1 EDP Control Service


The EDP Control Service needs to be configured first.

In the Initial Setup, you will be guided through a series of settings to configure
your OpSpace system.
For detailed information, consult the section Initial Setup in the OpSpace Setup
and Configuration Manual (R591480).

The Timezone Setting affects the time added into the logfiles and audit logging
events.

You can change the admin password (and edit your initial settings) on the
OpSpace Configuration page. Select the button System Configuration on the
System Manager homepage, navigate to SysAdmin User Mgmt, and edit the user
admin.


4.4.2 Auto Discovery and Registration of Barco Devices


If you enabled the Auto Discovery and Registration of Barco Devices, the devices and components in your system will be auto-discovered and can register with the EDP Control Service.

4.4.3 Configuring OpSpace


On the OpSpace System Manager home page, select the button System Configuration. Subsequently,
you will be guided through the entire process of configuring your specific system.

For detailed information, consult the section Configuring OpSpace in the OpSpace Setup and Configuration Manual (R591480).


5 Components
5.1 OpSpace Device Agent
Barco provides a generic device agent as part of the BaseOS to handle device detection and configuration within the EDP Control Service.
OpSpace devices (virtual & hardware appliances) self-register with the EDP Control Service for device management.

The Barco BaseOS is a tailored Debian-based Linux system intended to run on Barco PC appliances.

5.2 OpSpace Virtual Environment


The system kit contains a USB stick as boot medium for the installation of the virtual environment on a
DELL R340 server.
Included in the delivery volume is a USB stick containing a system image that is prepopulated with four
.ova files (open virtual appliances/applications).
These files are the main system EDP Control Service, OpSpace Application Service, Deployment &
Upgrade Server and the Session Gateway Service.

For detailed information, consult the section Installing OpSpace Software in the
OpSpace Setup and Configuration Manual (R591480).

Management of the Virtual Machines:


- Start the Barco Device Discovery Tool
- Select VirtualHost and the device, and click on the http:// link displayed to connect to the Virtual Host
- Log in using admin (user name) and b4rc0,BCD (default password)

5.3 OpSpace System Manager


The OpSpace System Manager is the browser-based graphic user interface of the EDP Control Service
which serves to configure, customize and maintain the network, devices and workplaces in the OpSpace
system. The user interface is intuitive and largely self-explanatory due to the detailed tooltips available.

For detailed information, consult the section OpSpace System Manager in the
OpSpace Setup and Configuration Manual (R591480).


5.4 OpSpace Application Service


The OpSpace Application Service hosts the business logic, manages all subsystems and the communication with and on behalf of the thin client workstations.
- Operators use the full-screen browser(s) on their OpSpace workstation to access the client-side JavaScript application.
- The OpSpace application allows the operator to view and interact with the different types of sources in the OpSpace system.

5.5 OpSpace Workstation


The OpSpace workstation is the physical representation of the operator workspace solution (OpSpace).
A workstation consists of several OpSpace client appliances each connected to one or several displays.

5.6 OpSpace Client Appliance


The OpSpace client is a PC-based appliance connected to one or several displays.
We distinguish between master and slave appliances. Depending on the size of an OpSpace workstation, there will always be one master and zero, one or several slave appliances.
A master appliance has keyboard/mouse and optionally loudspeakers or a headphone actively connected.
Each display connected to an appliance is driven by one browser engine performing the rendering of the content visible on that display.
Rendering of graphics and video/data sources is done in HTML5 and supported by plugins to allow displaying of different streaming sources for each type of content.
Synchronizing session-specific content between browsers within a workstation requires communication between the different browsers.

5.6.1 Keyboard/Mouse
Keyboard and mouse are routed transparently via network across several PC-based appliances in an
OpSpace workstation.
Keyboard and mouse are connected to the master appliance, but HID information reaches all machines
configured within a master-slave setup.

5.6.2 Audio
Audio sources are routed via network from the OpSpace client appliances (OpSpace audio client) where
the audio is decoded to the OpSpace audio master appliance (OpSpace audio server) which has a
speaker or headphone connected.


5.7 Session Gateway Service


The Session Gateway Service is a gateway for RDP & VNC sources and converts standard RDP/VNC into RDP/VNC-over-WebSocket, allowing one single RDP/VNC session to be displayed several times at different locations and controlled from different ends.
Since the OpSpace workstation consists of different appliances and different browser instances, the Session Gateway Service is a way to use RDP/VNC in an easy way within OpSpace.

5.8 Media Service


The Media Service is a streaming platform used as a gateway for multicast sources in OpSpace.


5.9 Barco Encoders


5.9.1 NGS-D200
The NGS-D200 is a networked V2D (Video-to-Data codec) encoder and decoder, both for DVI content,
with or without audio and integrated keyboard and mouse control.

5.9.2 NGS-D220
The NGS-D220 is a networked H.264 encoder and decoder, both for DVI and DisplayPort content, with
or without audio and integrated keyboard and mouse control.

5.9.3 NGS-D320
The NGS-D320 is an evolution of the NGS-D220 with the same networked H.264 encoder and decoder, but additional features like HDMI input/output and more. Furthermore, the NGS-D320 is also a networked V2D (Video-to-Data codec) encoder and decoder, both for DVI content, with or without audio and integrated keyboard and mouse control.

5.10 Deployment & Upgrade Server


The system management tools provide a central Deployment & Upgrade Server which can update all
Barco devices from a central point at the click of a button.

5.11 Barco Device Discovery Tool


The Barco Device Discovery Tool can be used to discover the OpSpace components based on Zero-Conf announcements from a Windows® computer connected to the network for setup or maintenance.

5.12 OpSpace Logout Tool


The Barco OpSpace Logout Tool allows you to remotely log out workplaces. This can be helpful if a
source is locked by an operator who is not available.


6 Communication
List of Open TCP/UDP ports by service & device

6.1 Well-Known Service Listening Ports


Columns: Service | Protocol | Port | Transport | Used by | Client-/Server-AuthN | Encryption | Devices | Remark
The Devices column lists the marks for the device columns OVE, SMS, OAS, OCA, SGS, EMS, DUS, D200, D220 and D320 (in that order in the source table). The marks x, O, F* and L* are reproduced as given in the source; the per-column position of individual marks was not preserved in this text version. * and ** refer to the Remark column.

FTP | ftp | 21 | TCP | Not in use | | | x | ** can be firewalled on network level
SSH | ssh | 22 | TCP | setup computer | pw/public SSH key | SSH | x x x x x x x x x x |
SMTP | smtp | 25 | TCP | Linux OS | | | F* F* F* F* F* | * port is blocked by firewall
DNS | dns | 53 | TCP, UDP | not in use | | | x | ** can be firewalled on network level
DHCP-client | dhcp | 68 | UDP | DHCP server | - | - | x x x x x x x x x x |
WebUI | http | 80 | TCP | setup computer | pw/- | - | x* x* x* x* x* x* x* x* x* x* | * redirect to :443
EDP agent | http | 81 | TCP | EDP Control Service | | | x x x x x |
NTP | ntp | 123 | UDP | NTP client | - | - | x x x x x x x x x x |
SNMP v2/v3 | SNMP | 161 | UDP | 3rd party health monitoring | shared secret | DES | x x x x x x O x | enabled by default on BaseOS devices
LDAP Server | ldap | 389 | TCP | not in use | | | F* | * port is blocked by firewall
WebUI | https | 443* | TCP | setup computer | pw/cert | TLS | x x x x x x x x |
OpSpace Application | https | 443* | TCP | OpSpace client | pw/cert | TLS | x |
REST-API | https/REST | 443* | TCP | EDP Control Service | pw/cert | TLS | x x x |
Device Agent | XMPP | 443* | TCP | EDP Control Service | ?/cert | TLS | x x x x x x x x | for device registration & configuration
Rsyslog | syslog | 514 | UDP | setup computer | - | - | x x |
Streaming Server | rtsp | 554 | TCP, UDP | BaseOS | - | - | x x x x x x x x |
LDAP Server | ldaps | 636 | TCP | OpSpace Application Service | pw/cert | TLS | x |
Linux HA | heartbeat | 694 | UDP | HA cluster | | | x |
XMPP-Client | XMPP | 1554 | TCP | EDP Control Service | | | F* | * port is blocked by firewall
corosync | corosync | 2120 | UDP | HA cluster | | | x x |
corosync | corosync | 2140 | UDP | HA cluster | | | x |
corosync | corosync | 2150 | UDP | HA cluster | | | x |
monit | monit | 2812 | TCP | EDP Control Service | | | x x x x x |
RDP Screenscraping | rdp | 3389 | TCP | OpSpace client | | | x |
VNC | VNC | 5000:5010 | TCP | setup computer | pw/- | - | O | to access the console of Vbox Guest
jack-audio | http-rest | 5017 | TCP | audio | | | |
jack-audio | Mixer-osc | 5018 | UDP | audio | | | |
rest-rdp-helper | http-rest | 5020 | TCP | | | | |
xmpp-client | XMPP | 5222 | TCP | EDP Control Service | | | x |
xmpp | XMPP | 5223 | TCP | not in use | | | x | ** can be firewalled on network level
xmpp | XMPP | 5229 | TCP | not in use | | | x | ** can be firewalled on network level
xmpp | XMPP | 5269 | TCP | EDP Control Service | | | x |
xmpp | XMPP | 5275 | TCP | not in use | | | x | ** can be firewalled on network level
Avahi-daemon | zero-conf | 5353 | UDP | EDP Control Service; setup computer w/ Discovery Tool | - | - | x x x x x x x x x x (1) | DNS-based service discovery
Chrome browser | Zero-conf | 5353 | UDP | Pepper plugin | | | x |
HA replication | freeciv | 5555 | TCP | EDP Control Service Redundancy | | | x |
rest2ldap | http | 5837 | TCP | EDP Control Service | | | F* | * port is blocked by firewall; access only via local proxy from https:443
OpSpace device agent | http-rest | 5838 | TCP | EDP Control Service | | | F* F* F* F* | * port is blocked by firewall; access only via local proxy from https:443
Health Monitor Web UI | | 5845 | TCP | | | | |
OpSpace server api | http-rest | 5895 | TCP | OpSpace client | | | F* | * port is blocked by firewall; access only via local proxy from https:443
OpSpace server | | 5896 | TCP | | | | |
OpSpace client Proxy | | 5897 | TCP | | | | |
VNC screenscraping | vnc | 5900 | TCP | OpSpace client | | | x |
Falcon VNC2HID | Vnc | 5900 | TCP | OpSpace client | pw/- | - | x x x |
Gstreamer | | 5917 | TCP | OpSpace client audio | | | L* | * port is blocked by firewall; access only via local proxy from https://127.0.0.1:443
non-mixer | | 5918 | UDP | OpSpace client audio | | | x |
rest-rdp-helper | http-rest | 5920 | TCP | OpSpace client | | | x |
xorg | xorg | 6000 | TCP | not in use | | | F* | * port is blocked by firewall
Stream Control | rtsp | 6970-7170 | UDP | OpSpace client | - | - | x |
APP Server Push | ZMQ | 7000 | TCP | OpSpace client | - | - | x x |
APP Server Push | ZMQ | 7001 | TCP | OpSpace client | - | | x x x |
Stream Control | Rtsp | 7070-7071 | TCP / UDP | | | | |
Openfire | | 7070 | TCP | not in use | | | x | ** can be firewalled on network level
Xmpp | | 7443 | TCP | not in use | | | x | ** can be firewalled on network level

(1) will be enabled for NGS-D320 in Managed Mode only!

xmpp file ** can be firewalled on


interwise 7778 TCP not in use x
transfer network level

8000: x x x x
GStreamer UDP Streaming server - - x
8999

GStreamer x
8005 UDP Streaming server x x x x
blockwatcher

used for firmware ** could be firewalled on


device control https 8080 TCP x
upgrade network level

device control https 8443 TCP TLS x

P 21

OpSpace Security Document - R591482


www.barco.com
Barco OpSpace Security Document Communication

D D D
Client-/ O S O O S E D
Trans Encryp 2 2 3
Service Protocol Port used by Server- V M A C G M U Remark
port tion 0 2 2
AuthN E S S A S S S
0 0 0

** can be firewalled on
device control http 8880 TCP not in use x
network level

P 22

OpSpace Security Document - R591482


www.barco.com
Barco OpSpace Security Document Communication

D D D
Client-/ O S O O S E D
Trans Encryp 2 2 3
Service Protocol Port used by Server- V M A C G M U Remark
port tion 0 2 2
AuthN E S S A S S S
0 0 0

not in use
GStreamer / (Session An- ** can be firewalled on
SAP 9875 UDP x x x x x
SAP nouncement Pro- network level
tocol)

Stream Con- ** can be firewalled on


rtsp 10001 TCP NGS-D200 - - x
trol network level

Stream Con- 10002 ** can be firewalled on


rtsp TCP NGS-D200 - - x
trol network level

* port is blocked by fire-


wall
x
EDP Control Ser- pw / F F F F F access only via local proxy
Device Agent XMPP 10007 TCP TLS *
vice cert * * * * * from https:443
*
** can be firewalled on
network level

* port is blocked by fire-


wall
x
1008 EDP Control Ser- F F F F F access only via local proxy
Device Agent http TCP *
0 vice * * * * * from https:443
*
** can be firewalled on
network level

EDP Control Ser- ** can be firewalled on


exist db 10085 TCP x
vice network level

EDP Control Ser- ** can be firewalled on


osgi jetty http 10087 TCP x
vice network level

P 23

OpSpace Security Document - R591482


www.barco.com
Barco OpSpace Security Document Communication

D D D
Client-/ O S O O S E D
Trans Encryp 2 2 3
Service Protocol Port used by Server- V M A C G M U Remark
port tion 0 2 2
AuthN E S S A S S S
0 0 0

1008 EDP Control Ser- ** can be firewalled on


NodeJS http TCP x
9 vice network level

1009 EDP Control Ser- ** can be firewalled on


openfire TCP x
0 vice network level

EDP Control Ser- ** can be firewalled on


openfire 10091 TCP x
vice network level

EDP Control Ser- ** can be firewalled on


openfire 10092 TCP x
vice network level

* port is blocked by fire-


F wall
vboxwebsrv http 18083 TCP Setup computer
* access only via local proxy
from https:443

18999
-
Jack Audio netjack2 UDP OpSpace client - - x
1900
0

2480
Synergy Synergy TCP OpSpace client - - x
0

Mon- OpSpace Applica-


pw or
goDB tion Service
MongoDB 27017 TCP shared TLS x x
Wire Pro- EDP Control Ser-
ssh-key
tocol vice

P 24

OpSpace Security Document - R591482


www.barco.com
Barco OpSpace Security Document Communication

6.2 Ephemeral Ports


Ephemeral ports in the range 32768 to 65535 are assigned dynamically by the operating system (e.g. the Linux kernel on BaseOS) on Barco devices: either for the client end of a client-server connection to a well-known port on a server, or on the server end to continue a communication with a client that initially connected to one of the server's well-known listening ports.
These allocations are temporary and only valid for the duration of the communication session. Since the ports are assigned per request they are also called dynamic ports.
The table below lists the services known to use dynamic ports in OpSpace. The port numbers are examples only and change between communication sessions.

| Service | Port (example) | Transport | Components |
|---|---|---|---|
| corosync | 38571 | UDP | x |
| xmpp client | 39377 | UDP | x x |
| device agent | 39692 | UDP | x x x x x |
| avahi-daemon | 44577 | UDP | x x x x x |
| barco-jack-restful-controller | 57732 | UDP | x |
| snmpd | 60957 | UDP | x x x x x x x |

* A lighttpd instance runs as a reverse proxy on port 443 on all devices and forwards https/REST requests, depending on the URL, to the services that listen on localhost only.
** All TCP ports (0 to 65535) and the UDP ports 0 to 1023 are blocked by default by the firewall.
F* - service listening, but the port is blocked by the firewall
L* - service listening on localhost only, and the port is blocked by the firewall
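The footnotes above describe two different protections: F* services listen on all interfaces and depend on the host firewall, L* services are additionally bound to localhost. The script below, added here as an example and not part of the OpSpace tooling, turns that into a check that can be run on a device: it reads the output of ss -Hltun and compares it with a subset of the port table. INVENTORY is a hand-picked subset of the rows above with an exposure class per port (which rows apply to a given device type is an assumption; adjust it per component), and SAMPLE_SS is constructed ss output, not captured from a real device.

```python
"""Compare a BaseOS host's listening sockets with the documented port inventory.
Added example, not Barco code: INVENTORY is a hand-picked subset of the port
table and SAMPLE_SS is constructed `ss -Hltun` output."""
from dataclasses import dataclass

# Exposure classes taken from the table footnotes:
#   "open"  port reachable from the network (firewall exception, e.g. the proxy on 443)
#   "F*"    service listens on all interfaces, the firewall blocks the port
#   "L*"    service listens on localhost only and the firewall blocks the port
INVENTORY = {
    ("tcp", 443):  ("lighttpd proxy / WebUI / REST-API", "open"),
    ("tcp", 2812): ("monit", "open"),
    ("udp", 5353): ("avahi-daemon", "open"),
    ("tcp", 5838): ("OpSpace device agent", "F*"),
    ("tcp", 5917): ("OpSpace client audio (GStreamer)", "L*"),
}

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample: an undocumented listener on 2222, the L* audio port bound
# to all interfaces, an F* port that relies on the firewall, and monit missing.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:5838       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:5917       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:2222       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      128             [::]:443           [::]:*
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    proto: str
    port: int
    detail: str


def parse_ss(output):
    """Yield (proto, bind_address, port) per line of `ss -Hltun` output
    (columns: Netid State Recv-Q Send-Q Local Peer)."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        addr = addr.strip("[]")          # "[::]:443" -> "::"
        if addr in ("", "*"):
            addr = "0.0.0.0"
        yield proto, addr, int(port)


def audit(ss_output, inventory=INVENTORY):
    """Return the findings for one host, sorted by protocol and port."""
    findings, seen = [], set()
    for proto, addr, port in parse_ss(ss_output):
        key = (proto, port)
        seen.add(key)
        if key not in inventory:
            findings.append(Finding("high", proto, port, f"undocumented listener on {addr}"))
            continue
        service, exposure = inventory[key]
        if exposure == "L*" and addr not in LOOPBACK:
            findings.append(Finding("high", proto, port,
                                    f"{service} must bind loopback only, bound to {addr}"))
        elif exposure == "F*" and addr not in LOOPBACK:
            findings.append(Finding("medium", proto, port,
                                    f"{service} reachable on {addr}; protection relies on the firewall rule"))
    for (proto, port), (service, _) in inventory.items():
        if (proto, port) not in seen:
            findings.append(Finding("low", proto, port, f"{service} documented but not listening"))
    return sorted(findings, key=lambda f: (f.proto, f.port))


if __name__ == "__main__":
    for f in audit(SAMPLE_SS):
        print(f"{f.severity:6} {f.proto}/{f.port:<5} {f.detail}")
```

Run ss -Hltun on the device and pass the output to audit(). A high finding is an undocumented listener or an L* service reachable from the network; a medium finding is an F* service whose protection depends entirely on the host firewall, which should be confirmed with the firewall tooling of the device since ss cannot see it; a low finding is a documented service that is not running.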

• OVE: OpSpace Virtual Environment
• SMS: EDP Control Service
• OAS: OpSpace Application Service
• OCA: OpSpace client appliance
• SGS: Session Gateway Service
• EMS: Media Service
• DUS: Deployment & Upgrade Server
• D200: NGS-D200
• D220: NGS-D220
• D320: NGS-D320


7 Identity & Access Management


7.1 User Access Rights Management
7.1.1 System Admin User Management
All System Manager accounts have full access to its functions; access to the EDP Control Service is managed separately and locally.
At installation of the service a default account (admin) is created. This default account can be personalized (full name and/or password changed) but cannot be deleted.
Further accounts can be freely added, edited or deleted; the currently logged-in account cannot be deleted.
The password policy requires 8 to 14 characters, including at least one uppercase letter, one lowercase letter, one digit and one special character; spaces and the characters < ; & > / " \ ' @ ° : € are not allowed.
All accounts provide full access to the functions of the GUI.

The credentials will not be valid for OpSpace workplaces.

You can edit users, i.e. change the full username (not the login name) and the password.
Deleting users will cause an alert message which must be acknowledged.

7.1.2 Operator Group Management


The authorization concept for OpSpace is based on predefined roles with a fixed set of permissions.
Users and groups are managed in a central user management system and will be assigned to roles, per-
missions and sources.
The access control is limited to the permissions of the current role, but the admin can exclude permis-
sions when assigning the role to a user group.


7.1.3 Component Description

LDAP Account Manager (LAM)


The OpSpace system has its own LDAP server which can be used to manage OpSpace specific users and
groups.
The LDAP Account Manager (LAM) is the administration GUI of the built-in OpSpace User Management,
where you can add and manage the users and user groups for your system.
The user groups created in the OpSpace User Management are subsequently edited and assigned their
OpSpace roles, i.e. their access rights to certain media groups (cf. section Media Groups), in the
OpSpace System Manager, enabling them to log into an OpSpace workplace with the access rights and
privileges assigned to their role.
Members of user groups that have no OpSpace role assigned cannot log into an OpSpace workplace.
Consequently, proceed by adding the required user groups for your topology and then edit and assign
their roles.

For detailed information, consult the section Operator Group Management in the
OpSpace Setup and Configuration Manual (R591480).

User
Represents one single user.
The default user is opsadmin.

Group
Represents a set of users.
The default groups are opsusers & opsadministrators.

OpSpace Application

Sources & Media Groups


Sources are managed by the EDP Control Service where a source is represented as a port.
The purpose of a Media Group is to combine sources into larger groups. A source can only belong to
one Media Group each. You can then conveniently assign access rights not to the individual sources but
to the existing Media Groups.


Exclusive Sources
The administrator can configure a source as exclusive in the System Manager which means that this
source can only be used by one operator at a time.

Permission
Permissions in OpSpace are grouped in roles; a specific role has a fixed set of permissions.
The access control is limited to the permissions of the current role, but the admin can exclude permis-
sions when assigning the role to a user group.

| Type | Permission |
|---|---|
| System Permissions | Create Ports |
| System Permissions | Delete Ports |
| Console Permission | Restart System |
| Console Permission | Shutdown System |

Role
OpSpace provides built-in roles that group the permissions needed for the different levels of access in the
system.
A higher role includes the permissions of the lower one:
• Admin
• Supervisor
• Operator
• API
Each role has a predefined set of permissions which can be fully granted or reduced to customize the
permissions as needed.

| Role | Permissions |
|---|---|
| All roles | Deny or grant access rights (view or control) to the available source Media Groups to any of the roles. |
| Administrator | Deny or grant access rights (view or control) to the available source Media Groups and give or deny system permissions and console permissions (granted by default). |
| Supervisor | Deny or grant access rights (view or control) to the available source Media Groups and give or deny console permissions (granted by default). |
| Operator | Deny or grant access rights (view or control) to the available source Media Groups. |
| API | Deny or grant access rights (view or control) to the available source Media Groups and give or deny console permissions (granted by default). |


EDP & LAM password policies

• EDP: requires at least one uppercase letter, one lowercase letter, one digit and one special character, and must be 8 to 14 characters long; no spaces and none of < ; & > / " \ ' @ ° : €
• LAM (settings of the built-in LDAP Account Manager):

    # Password: minimum password length
    passwordMinLength: 8

    # Password: minimum uppercase characters
    passwordMinUpper: 1

    # Password: minimum lowercase characters
    passwordMinLower: 1

    # Password: minimum numeric characters
    passwordMinNumeric: 1

    # Password: minimum symbolic characters
    passwordMinSymbol: 1

    # Password: minimum character classes (0-4)
    passwordMinClasses: 1

    # Password: checked rules
    checkedRulesCount: -1

    # Password: must not contain part of user name
    passwordMustNotContain3Chars: false

    # Password: must not contain user name
    passwordMustNotContainUser: false
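The two policies are not the same: EDP caps the length at 14 characters and rejects a list of characters, LAM has no upper bound and counts any symbol. The validator below, added here as an example and not Barco code, transcribes both rule sets (from 7.1.1 and the LAM settings above) so a candidate password can be checked against each before it is set; the reading of checkedRulesCount -1 as "every rule must pass" is an assumption, and the sample passwords in the usage block are made up.

```python
"""Validate a candidate password against the EDP and the LAM policy.
Added example, not Barco code; the rule sets are transcribed from this page."""

# EDP: 8 to 14 characters, at least one uppercase, lowercase, digit and special
# character; no spaces and none of the listed characters.
EDP_FORBIDDEN = frozenset([" ", "<", ";", "&", ">", "/", '"', "\\", "'", "@", "°", ":", "€"])


def check_edp_password(pw):
    """Return the list of violated EDP rules; an empty list means the password is accepted."""
    problems = []
    if not 8 <= len(pw) <= 14:
        problems.append("length must be 8 to 14 characters")
    if not any(c.isupper() for c in pw):
        problems.append("at least one uppercase letter required")
    if not any(c.islower() for c in pw):
        problems.append("at least one lowercase letter required")
    if not any(c.isdigit() for c in pw):
        problems.append("at least one digit required")
    # a special character is anything that is neither letter nor digit and not forbidden
    if not any(not c.isalnum() and c not in EDP_FORBIDDEN for c in pw):
        problems.append("at least one special character required")
    bad = sorted(set(pw) & EDP_FORBIDDEN)
    if bad:
        problems.append("forbidden characters used: " + " ".join(repr(c) for c in bad))
    return problems


# LAM: the values of the configuration block above.
LAM_POLICY = {
    "passwordMinLength": 8,
    "passwordMinUpper": 1,
    "passwordMinLower": 1,
    "passwordMinNumeric": 1,
    "passwordMinSymbol": 1,
    "passwordMinClasses": 1,
    "checkedRulesCount": -1,            # assumption: -1 means every rule must be satisfied
    "passwordMustNotContain3Chars": False,
    "passwordMustNotContainUser": False,
}


def check_lam_password(pw, username, policy=LAM_POLICY):
    """Return the list of violated LAM rules for `username`; empty list means accepted."""
    counts = {
        "Upper": sum(c.isupper() for c in pw),
        "Lower": sum(c.islower() for c in pw),
        "Numeric": sum(c.isdigit() for c in pw),
        "Symbol": sum(not c.isalnum() and not c.isspace() for c in pw),
    }
    problems = []
    if len(pw) < policy["passwordMinLength"]:
        problems.append(f"minimum length is {policy['passwordMinLength']}")
    for name, count in counts.items():
        minimum = policy[f"passwordMin{name}"]
        if count < minimum:
            problems.append(f"at least {minimum} {name.lower()} character(s) required")
    classes = sum(1 for count in counts.values() if count > 0)
    if classes < policy["passwordMinClasses"]:
        problems.append(f"at least {policy['passwordMinClasses']} character classes required")
    lowered, user = pw.lower(), username.lower()
    if policy["passwordMustNotContainUser"] and user and user in lowered:
        problems.append("must not contain the user name")
    if policy["passwordMustNotContain3Chars"] and any(
            user[i:i + 3] in lowered for i in range(len(user) - 2)):
        problems.append("must not contain 3 consecutive characters of the user name")
    return problems


def compare_policies(pw, username="opsadmin"):
    """Show where the two policies diverge for one candidate password."""
    return {"edp": check_edp_password(pw), "lam": check_lam_password(pw, username)}


if __name__ == "__main__":
    for candidate in ("Abcdef1!", "Abcdef1@", "Abcdefgh1!xyz456"):   # made-up samples
        print(candidate, compare_policies(candidate))
```

A 16-character passphrase is accepted by LAM and rejected by EDP, and a password containing @ passes LAM but fails EDP twice (forbidden character, and no remaining special character); keep that in mind when the same person administers both System Manager and the LDAP users.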


7.2 Barco Service Access Password


During initial setup you enter a Barco Service Access Password, which eliminates the need to assign a password to every single device when you configure the devices in System Manager.
This password allows Barco Service to access the devices via SSH (unless a user-defined device password is configured) in case a problem on the device needs to be debugged.
This applies to both Single Setups and Cluster Setups. If the Barco Service Access Password option is selected for clustered devices, all devices in the cluster will have the same password.

7.3 Device Password


In the System Manager a device password is set which replaces the given Barco Service Access Password on the OpSpace device.
This password is then used for all internal communication with the OpSpace device and with the EDP Control Service. It is recommended to set a device password before external maintenance is performed, to avoid the security issues caused by sharing the Barco Service Access Password.

This password will also be used for the local default user accounts (admin, barco)
which can e.g. login via SSH.

The password provided in the Group Information of the Cluster settings is used as
common device password on all servers within the cluster which will also be used for
the communication within the server cluster.
A shared SSH key is used for the communication between the MongoDB services in a
redundant OpSpace Application Service.

7.4 Barco Encoders


Barco Encoders use token-based authentication. The Authtoken is refreshed at every reboot of the en-
coder and included in the URLs provided by the EDP Control Service to the OpSpace workplace.


8 Logging
8.1 Audit logging
The audit log contains all information necessary to follow a user's interaction with the system. It contains more sensitive information than the other system logs, so access to it should be restricted.
Hence audit logging in OpSpace is disabled by default and, once enabled, only forwards the audit events to an external syslog server; they are never stored inside the OpSpace system.

For more information refer to the chapter Audit logging in the OpSpace Setup & Configuration Manual
(R591480).

8.2 System log


Logging can be configured from the System Manager. The server cluster page allows managing the ap-
pliances.

If not yet visible, unhide the toolbar (toggle) with the respective appliance selected,
and choose the desired action.

Set Log
• Specify the log level, i.e. select the desired log level from a drop-down list (e.g. FATAL, ERROR, WARN,
INFO, DEBUG, TRACE)

The Time Zone setting affects the time added into the log files.

Get Log
A compressed log file (.tar format, e.g. ops-app-srv_1463138594921_logs.tar.gz,
ops-appsrv_1463138693178_logs.tar.gz) is prepared for the device selected, and a Save As dialog is dis-
played to select the desired destination folder.

For detailed information on how to backup the logfiles, consult the section
Monitor/Maintain System | System Maintenance in the OpSpace Setup and
Configuration Manual (R591480).


Log level
Default Log level: INFO

| Level | Description |
|---|---|
| FATAL | The system was not able to recover from the error. |
| ERROR | Records that something went wrong, i.e. some sort of failure occurred, and either the system was not able to recover from the error, or it recovered at the expense of losing some information or failing to honor a request. Error level logs are always included in the log files. |
| WARN | Records that something in the system was not as expected. It is not an error, i.e. it does not prevent correct operation of the system or any part of it, but it is still an indicator that something is wrong which the operator should be aware of and may wish to investigate. Warn level logs are always included in the log files. |
| INFO | Info messages are intended to show what is going on in the system at a broad-brush level. The info level includes info, error and warn messages in the log files. |
| DEBUG | Debug messages are intended to help isolate a problem in a running system by showing the code that is executed and the context information used during that execution. The debug level includes debug, info, error and warn messages in the log files. |
| TRACE | Use this level for very detailed logic or helper logic. The trace level includes trace, debug, info, error and warn messages in the log files. |


9 High Availability / Redundancy


9.1 Network Interface Bonding
With exception of the Media Services all OpSpace devices support Layer 2 network interface bonding by
default. No extra configuration is needed to enable this functionality.
OpSpace currently only supports switched networks and no routed networks.
For technical details, please have a look at Chapters 11.1 High Availability in a Single Switch Topology and
11.2 High Availability in a Multiple Switch Topology in the Linux Kernel documentation (https://www.ker-
nel.org/doc/Documentation/networking/bonding.txt).

9.2 Redundant Setup


The redundancy concept is different for client and server, but also for the different server types.
Client redundancy is achieved by providing spare workplaces; servers are organized in clusters of two or
three units for higher availability.

All cluster members send pings to the default gateway in their network to ensure
network connectivity and cluster functionality.
If this ping is blocked, the cluster cannot be established.

9.3 OpSpace Client Appliance


To provide redundancy on the client side, one or several additional OpSpace workplaces will be de-
ployed, which will be configured in the same way as the other OpSpace workplaces within an installation.
This means there are simply more workplaces available than required (e.g. N+1 redundancy).
Since all relevant information is stored on the server and all appliances are considered thin clients (zero
install), a user can just log into a spare workplace in case a defect would appear on their workplace.

9.4 OpSpace Server Cluster


All services in OpSpace can be organized in separate clusters for enhanced system availability. An exem-
plary redundant setup is shown in the picture below.

For detailed information, consult the section Manage Server Cluster in the OpSpace
Setup and Configuration Manual (R591480).


9.4.1 EDP Control Service


To set up two redundant servers, you will configure one of the servers as primary server and the other
one as secondary server. The primary server will initially be the master in the system.

9.4.2 OpSpace Application Service


OpSpace server redundancy is built on top of the MongoDB cluster. Therefore, a redundant setup re-
quires exactly three OpSpace Application Services.
OpSpace clients will connect to the current master in the OpSpace server cluster via a shared virtual IP.

9.4.3 Session Gateway Service


The Session Gateway Service redundancy is built on a virtual IP. The cluster contains 3 to N virtual ma-
chines.
In the event of a defect on one device the sources provided by this Session Gateway Service (RDP &
VNC) will be interrupted and reloaded to use the capacity of the remaining devices.

9.4.4 General Network Failure Behavior


The redundant setup has one master and 1 to N slaves, where server-1 is the current master and server-2
is one of the slaves.

Case 1 – Cut network from server-1


1. Failover: server-2 will become master
2. All clients will reconnect to server-2
3. Replug network of server-1
4. Server-1 will join the cluster as a slave

Case 2 – Cut network from server-2


1. No impact on the current master server-1
2. Replug network of server-2
3. Server-2 will become slave again

Case 3 – Full network cut


1. The entire system loses connection
2. Replug network
3. Server-1 will reconnect as the master
4. Server-2 will become again a slave
5. All clients will re-connect to server-1
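The three cases above follow from a majority rule: a member stays master only while it can reach a majority of the configured cluster members. The model below, added here as an example and not Barco code, replays the cases and also shows why 9.4.2 needs exactly three OpSpace Application Services: with two members, losing one leaves no majority and therefore no master. The election rule (majority of configured members, lowest name wins a tie) is an assumption taken from how a MongoDB replica set behaves; the real tie-break of the OpSpace cluster is not documented on this page.

```python
"""Majority-based failover model for the network failure cases above.
Added example, not Barco code; the election rule is an assumption modelled
on a MongoDB replica set, on which the OAS redundancy is built."""


class Cluster:
    def __init__(self, members, master):
        self.members = sorted(members)                     # configured cluster members
        self.master = master                               # current master, or None
        self.link_up = {m: True for m in self.members}     # network cable state per member

    def reachable_from(self, node):
        """Members that `node` can talk to: itself, plus every member whose link is up
        while its own link is up."""
        if not self.link_up[node]:
            return {node}
        return {m for m in self.members if self.link_up[m]}

    def has_majority(self, node):
        return 2 * len(self.reachable_from(node)) > len(self.members)

    def elect(self):
        """Re-evaluate mastership after a topology change; returns the master or None."""
        if self.master is not None and self.has_majority(self.master):
            return self.master                             # a master that still sees a majority keeps its role
        candidates = [m for m in self.members if self.has_majority(m)]
        self.master = candidates[0] if candidates else None   # assumed tie-break: lowest name
        return self.master

    def cut(self, node):
        """Unplug the network of `node` and run the election."""
        self.link_up[node] = False
        return self.elect()

    def replug(self, node):
        self.link_up[node] = True
        return self.elect()


def run_cases(members=("server-1", "server-2", "server-3")):
    """Replay Case 1 to 3 and the two-member variant; returns the master after each step."""
    trace = {}
    c = Cluster(members, "server-1")
    trace["case1_cut_server1"] = c.cut("server-1")          # failover: server-2 becomes master
    trace["case1_replug_server1"] = c.replug("server-1")    # server-1 rejoins as slave
    c = Cluster(members, "server-1")
    trace["case2_cut_server2"] = c.cut("server-2")          # master unaffected
    trace["case2_replug_server2"] = c.replug("server-2")
    c = Cluster(members, "server-1")
    for m in members:
        c.cut(m)
    trace["case3_full_cut"] = c.master                      # nobody holds a majority
    for m in members:
        c.replug(m)
    trace["case3_replug"] = c.master                        # server-1 is master again
    two = Cluster(members[:2], "server-1")
    trace["two_members_cut_server2"] = two.cut("server-2")  # 1 of 2 is no majority: no master
    return trace


if __name__ == "__main__":
    for step, master in run_cases().items():
        print(f"{step}: master = {master}")
```

The same rule explains why the gateway ping in 9.2 matters: a member whose link is cut only sees itself, so it can never claim mastership on its own.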

9.5 Media Service


The Media Service uses a virtual IP address for load balancing between several devices. To provide N+1
redundancy for the Media Service, one additional device will be deployed. This means there is simply
more capacity available than needed for the desired load.
In the event of a defect on one device the video streams provided by this Media Service will be inter-
rupted and reloaded to use the capacity of the remaining devices.


10 Health Monitoring
10.1 System Status
This part of the user interface serves to verify the system status, obtain log files, device, health and net-
work information.
The dialog shows all appliances together with their status, device type, alarm description, software ver-
sion, location, and media group.
Moreover, this page enables to replace broken devices.

For detailed information, consult the section Monitor/Maintain System in the OpSpace
Setup and Configuration Manual (R591480).

10.2 SNMP
SNMPv3 is enabled on all BaseOS devices by default for the Barco Health Monitoring Service.
On the Barco encoders (NGS-D200/-D220/-D320) you can enable SNMP manually.

10.3 Monit
Each BaseOS system runs a monit daemon which checks the system's parameters.
If a critical threshold is exceeded or a service is no longer running, monit will recognize this and report to
the EDP Control Service.


11 Backup & Restore


11.1 System Maintenance
The System Maintenance GUI shows the EDP Control Service(s) and OpSpace Application Service(s)
available in your system.
This dialog serves to back up the servers (including log files) in one click, and to restore the servers from
an existing backup. The backup for OpSpace Application Service(s) includes the business data, users, and
local user management as well as log files. The backup for EDP Control Service(s) includes the configu-
ration, Media Service(s), and Session Gateway Service(s) as well as log files.

For detailed information, consult the section Configuring OpSpace in the OpSpace
Setup and Configuration Manual (R591480).

11.2 Replacement
If your hardware or virtual machine needs to be replaced because it is broken (or after an upgrade), you
can use the Replace function to configure your replacement hardware or virtual machine.

For detailed information, consult the section Monitor/Maintain System in the OpSpace
Setup and Configuration Manual (R591480).


12 Patch Management
12.1 Deployment & Upgrade Server
The System Manager tools provide a central Deployment & Upgrade Server which can update all Barco
devices from a central position at the click of a button.

For detailed information, consult the section Monitor/Maintain System| Version


Management in the OpSpace Setup and Configuration Manual (R591480).


13 Public key infrastructure


Per default the OpSpace system uses self-signed TLS certificates for the HTTPS webpages (e.g. System
Manager).
On Barco BaseOS devices the certificate is stored in following files:
| File | Purpose | Default |
|---|---|---|
| barco.web-server-ca.crt | Root certificate of the signing CA | copy of the self-signed certificate |
| barco.web-server.crt | Self-signed certificate, or chain from the certificate up to the root CA | self-signed certificate based on the private key & signing request |
| barco.web-server.csr | Certificate signing request | signing request based on the private key, hostname, FQDN and IP address |
| barco.web-server.key | Certificate private key | created on installation of the device |

The certificates need to be provided in PEM format.


For more information on certificate formats, please refer to 13.2 Certificate formats.

Those files are created on first boot and bound to the device (hostname, IPv4 address) itself. Hence, they
are not part of any backup/restore operation.
Since self-signed TLS certificates cause issues/warnings e.g. in current web browsers a customer might
want to exchange the existing certificates with certificates signed by his own Public Key Infrastructure
(PKI) or an external PKI.
Exchanging the certificate therefore means that on replacement or reinstallation of a device, the certifi-
cate must be replaced again.

13.1 Step-by-step guide OpSpace

Files can be uploaded or downloaded via SCP using the credentials of the barco account.
• username: barco
• password: <device-password>

To access the certificate files in /etc/ssl/barco, elevation with sudo is required.

Permission and owner:
The files in /etc/ssl/barco need to be owned by the user 'root' and the group 'barco-ssl'.
This is set automatically for new installations of, or upgrades to, OpSpace 1.9.1.
It can be fixed during a manual replacement of the certificate files via the following commands:
    sudo chown root:barco-ssl /etc/ssl/barco/barco.web-server*
    sudo chmod 640 /etc/ssl/barco/barco.web-server*

• Re-create the self-signed certificate in one of the following three ways:
  o Based on the existing key & CSR:
        sudo /usr/sbin/barco.sslcert
  o With a new key & CSR:
        sudo /usr/sbin/barco.sslcert --force
  o Adding additional SubjectAlternativeNames (e.g. the cluster IP):
        sudo /usr/sbin/barco.sslcert --subjectAltName="DNS:ecs-vlan75-VIP,IP:172.20.75.21"

  Always check the file permissions and reload the webserver:
        ls -l /etc/ssl/barco/
        sudo systemctl reload nginx

• Get the CSR from the device and sign it in your PKI:
  o sudo cp /etc/ssl/barco/barco.web-server.csr ~/
  o sudo chown $(whoami):$(whoami) ~/barco.web-server.csr
  o Copy barco.web-server.csr from the home directory with SCP and sign it within the PKI.
  o Convert the files into PEM format if needed (see 13.2).
  o Check that the uploaded certificate matches the existing key on the system (see 13.3).
  o Concatenate the individual certificate files (root CA, issuing CA, web-server certificate) into one chain file if needed (see 13.2.1).

• Copy the root certificate and the full certificate chain with SCP back to the home directory on the device and install them:
  o Certificate chain from the signed certificate up to the root CA (see 13.2.1):
        sudo cp ~/certificate-chain.crt /etc/ssl/barco/barco.web-server.crt
  o Root CA certificate:
        sudo cp ~/root-ca-certificate.pem /etc/ssl/barco/barco.web-server-ca.crt
• Set the permissions of the SSL certificate files:
  o sudo chown root:barco-ssl /etc/ssl/barco/barco.web-server*
  o sudo chmod 640 /etc/ssl/barco/barco.web-server*
• Reload the nginx web server configuration:
  o sudo systemctl reload nginx

All files are located in /etc/ssl/barco.

The root certificate of the certificate authority needs to be imported into the truststore
of the Windows host or browser from where you will access the site via HTTPS:
• Right click - Install certificate
• Store Location: Local Machine
• Place all certificates in the following store: 'Trusted Root Certification Authorities'


13.2 Certificate formats


The certificates need to be provided in PEM format (Base64 encoded ASCII) containing
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
statements.
Certificates provided in a format other than PEM need to be converted to PEM format before they can be used!
Use the commands below to do this.

13.2.1 PEM format


The PEM format is the most common format that certificate authorities issue certificates in. PEM certifi-
cates usually have extensions such as .pem, .crt, .cer, and .key. They are Base64 encoded ASCII files and
contain -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- statements. Server certificates,
intermediate certificates, and private keys can all be put into the PEM format.

Concatenate Certificates into one certificate chain file

Depending on the PKI the chain can contain several levels of intermediate CA
certificates

• Server certificate:
  cat server-certificate.pem > ~/certificate-chain.crt
• Issuing CA certificate:
  cat issuing-ca-certificate.pem >> ~/certificate-chain.crt
• Intermediate CA certificate:
  cat intermediate-ca-certificate.pem >> ~/certificate-chain.crt
• Root CA certificate:
  cat root-ca-certificate.pem >> ~/certificate-chain.crt

13.2.2 DER format


The DER format is simply a binary form of a certificate instead of the ASCII PEM format. It sometimes has
a file extension of .der but it often has a file extension of .cer so the only way to tell the difference be-
tween a DER .cer file and a PEM .cer file is to open it in an editor and look for the BEGIN/END state-
ments.

Convert DER to PEM


• openssl x509 -inform der -in certificatename.der -out certificatename.pem

13.2.3 PKCS#7 or P7B format


The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c.
A P7B file only contains certificates and chain certificates (intermediate CAs), not the private key. The
most common platforms that support P7B files are Microsoft Windows and Java Tomcat.


Convert PKCS#7 to PEM


• openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.pem

13.2.4 PKCS#12 or PFX format


The PKCS#12 or PFX format is a binary format for storing the server certificate, intermediate certificates,
and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX
files are typically used on Windows machines to import and export certificates and private keys.

Convert PKCS#12 to PEM

• openssl pkcs12 -in certificatename.pfx -out certificatename.pem

This command writes the certificates and the private key into one PEM file and, unless -nodes is given, asks for a pass phrase to encrypt the key. Split the output into the certificate chain and the key before copying anything into /etc/ssl/barco, and confirm with 13.3 which certificate belongs to the key.

13.3 Certificate key matching


When you are dealing with different certificates it can be easy to lose track of which certificate goes with
which private key or which CSR was used to generate which certificate.
To check whether a private key matches a certificate or whether a certificate matches a certificate signing
request (CSR) we need to compare a hash of the public key from the private key, the certificate, or the
CSR to tell whether they match or not.
You can check whether a certificate matches a private key, or a CSR matches a certificate by using the
OpenSSL commands below:

openssl x509 always reads the first certificate in the file, hence the chain in barco.web-server.crt
needs to start with the webserver certificate!

• sudo openssl pkey -in /etc/ssl/barco/barco.web-server.key -pubout -outform pem | sha256sum
• sudo openssl x509 -in /etc/ssl/barco/barco.web-server.crt -pubkey -noout -outform pem | sha256sum
• sudo openssl req -in /etc/ssl/barco/barco.web-server.csr -pubkey -noout -outform pem | sha256sum
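As an added example (not code from the Barco document or the OpSpace product), the script below builds a throwaway CA and server certificate, packs them into a PKCS#12 file and converts it back to PEM as in section 13.2.4, then applies the section 13.3 public-key comparison to the private key, the CSR, the certificate and the objects recovered from the PKCS#12 file. It also shows the chain-order pitfall from the warning above: a chain file that starts with the CA certificate fails the check even though the server key is correct. It assumes openssl and awk on PATH; every file name, subject and the pass phrase are invented for the example, and openssl dgst -sha256 is used in place of sha256sum so the script does not depend on coreutils.

```shell
#!/bin/sh
# Added example, not Barco tooling: PKCS#12 round trip (13.2.4) plus the
# public-key matching check of 13.3, including the chain-order pitfall.
# Assumptions: openssl(1) and awk on PATH; all names below are invented and
# everything is created in a temporary directory that is removed on exit.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Print the public key (PEM SubjectPublicKeyInfo) held in a private key, a
# CSR or a certificate. x509 and req only look at the FIRST matching PEM
# block in the file, which is why chain order matters.
print_pubkey() {  # usage: print_pubkey key|req|x509 FILE
  case "$1" in
    key)  openssl pkey -in "$2" -pubout -outform pem ;;
    req)  openssl req  -in "$2" -pubkey -noout ;;
    x509) openssl x509 -in "$2" -pubkey -noout ;;
    *)    echo "print_pubkey: unknown type '$1'" >&2; return 2 ;;
  esac
}

# SHA-256 of the PEM public key; the same idea as "| sha256sum" in 13.3.
pubkey_hash() { print_pubkey "$1" "$2" | openssl dgst -sha256 | awk '{print $NF}'; }

# Exit status 0 when both objects carry the same public key.
same_pubkey() {  # usage: same_pubkey TYPE1 FILE1 TYPE2 FILE2
  [ "$(pubkey_hash "$1" "$2")" = "$(pubkey_hash "$3" "$4")" ]
}

report() {  # usage: report LABEL TYPE1 FILE1 TYPE2 FILE2
  if same_pubkey "$2" "$3" "$4" "$5"; then echo "$1: match"; else echo "$1: MISMATCH"; fi
}

# --- Constructed test PKI: one private CA, one CA-signed server cert -------
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -x509 -new -key ca.key -subj "/CN=Example Lab CA" -days 2 -out ca.crt
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -key server.key -subj "/CN=barcosc.lab.example" -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 1 -out server.crt 2>/dev/null
# An unrelated key, to show the check really rejects a wrong key.
openssl genrsa -out other.key 2048 2>/dev/null

# --- 13.2.4: key + chain into PKCS#12, then back to PEM --------------------
openssl pkcs12 -export -inkey server.key -in server.crt -certfile ca.crt \
  -passout pass:changeit -out server.pfx
# Full conversion as in the document (-nodes: do not re-encrypt the key,
# needed only so this runs non-interactively).
openssl pkcs12 -in server.pfx -passin pass:changeit -nodes -out bundle.pem 2>/dev/null
# Key and server certificate split out of the container for the checks.
openssl pkcs12 -in server.pfx -passin pass:changeit -nocerts -nodes -out bundle.key 2>/dev/null
openssl pkcs12 -in server.pfx -passin pass:changeit -clcerts -nokeys -out bundle.crt 2>/dev/null

# --- Chain files in both orders; only server-first passes the 13.3 check ---
cat ca.crt server.crt > chain-ca-first.crt
cat server.crt ca.crt > chain-server-first.crt

# --- 13.3: compare public-key hashes --------------------------------------
report "key vs cert"                   key server.key  x509 server.crt
report "csr vs cert"                   req server.csr  x509 server.crt
report "wrong key vs cert"             key other.key   x509 server.crt
report "key vs chain (CA first)"       key server.key  x509 chain-ca-first.crt
report "key vs chain (server first)"   key server.key  x509 chain-server-first.crt
report "pfx key vs pfx cert"           key bundle.key  x509 bundle.crt
report "pfx key vs original key"       key bundle.key  key  server.key
```

The only lines that print MISMATCH are the unrelated key and the chain with the CA certificate first; re-ordering the chain so the server certificate comes first fixes the second one, which is the exact situation the warning above describes for barco.web-server.crt.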


14 Threat Analysis & Mitigation


14.1 Default Passwords
The system is installed with default passwords for the different admin accounts which need to be
changed during setup:

Component       Scope                   Type                       User Name       Default Password    Where to Change
All devices     Device Administration   local user account         admin           b4rc0,BCD           System Manager: Manage Virtual Environment
                                                                   barco           <device password>
System Manager  System Administration   system management account  admin           b4rc0,BCD           System Manager
OpSpace         OpSpace Administration  LDAP account               ldap opsadmin   b4rc0,BCD           OpSpace Manager / OpSpace User Management
All devices     SNMP                    SNMP authentication        barco           B4rc0,BCD           SNMP configuration on device

The root account is disabled by default on all devices, but the admin account is a member of the sudo
group, so it can be used to execute commands with full root privileges.

14.2 Device Password


After installation the devices register with the EDP Control Service using an initial device password which
is stored in /etc/edpagent/LoginRequest.xml.
In the System Manager the admin sets a Barco Service Access Password, which replaces all default
passwords on the OpSpace device so that no factory-default password remains in use.
This password is also used for the local default user accounts (admin, barco), which can, for example, log
in via SSH.
If a specific device password is set for an individual OpSpace device, it takes precedence over the Barco
Service Access Password for that device.

14.3 Threats During System Administration


• Reboot the wrong system from System Manager (e.g. VM Server instead of OpSpace Application
Service)

14.4 Threats During Initial System Setup


14.4.1 DNS Spoofing
The Device Agent uses zeroconf or DNS to find a system with the DNS name barcosc.<domain given by
DHCP> or barco-sc.<domain given by DHCP> to register initially with the EDP Control Service.
Because the name is discovered rather than configured, an attacker who controls DNS or DHCP on the
network can launch a man-in-the-middle (MITM) attack by installing a rogue system under the same DNS
name, which might trick the new device into registering with that system instead of the EDP Control
Service.
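One check a practitioner can run against this threat, added here as an example and not part of the Barco document or product: scan the site resolver's query log for answers to the two discovery names and report any answer that is not the address of the real EDP Control Service. The log format (one "time client name answer" record per line), the DHCP domain ops.example, the service address 10.20.30.5 and the sample records are all constructed for the example; adapt the awk field positions to the real resolver's log.

```shell
#!/bin/sh
# Added example, not Barco tooling: detect a rogue answer for the discovery
# names barcosc.<domain> / barco-sc.<domain> in a resolver query log.
# Assumed: the DHCP-supplied domain and the legitimate EDP Control Service
# address below, and a log line layout of "<time> <client> <name> <answer>".
set -eu

SITE_DOMAIN="ops.example"        # assumed DHCP domain for this site
EDP_CONTROL_IP="10.20.30.5"      # assumed address of the real EDP Control Service

# Reads log lines on stdin; prints every record whose queried name is one of
# the two discovery names for SITE_DOMAIN but whose answer is not the
# expected address. Names are compared case-insensitively, as DNS does.
flag_rogue_resolutions() {  # usage: flag_rogue_resolutions < logfile
  awk -v dom="$SITE_DOMAIN" -v good="$EDP_CONTROL_IP" '
    BEGIN { n1 = "barcosc." dom; n2 = "barco-sc." dom }
    { name = tolower($3) }
    (name == n1 || name == n2) && $4 != good { print "ROGUE " $0 }
  '
}

# Constructed sample log, not captured from a real system. Records 3 and 4
# show a rogue host at 10.20.31.200 answering for both discovery names;
# record 5 is a different DHCP domain and must not be flagged.
SAMPLE_LOG='2021-08-02T08:00:01 10.20.31.7 barcosc.ops.example 10.20.30.5
2021-08-02T08:00:02 10.20.31.8 www.example.net 93.184.216.34
2021-08-02T08:00:03 10.20.31.9 BARCO-SC.ops.example 10.20.31.200
2021-08-02T08:00:04 10.20.31.9 barcosc.ops.example 10.20.31.200
2021-08-02T08:00:05 10.20.31.7 barcosc.other.example 10.20.30.5'

# Number of flagged records in the sample log.
count_rogue() { printf '%s\n' "$SAMPLE_LOG" | flag_rogue_resolutions | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_LOG" | flag_rogue_resolutions
```

Run it against the real log instead of SAMPLE_LOG (flag_rogue_resolutions < /var/log/your-resolver.log) from a scheduled job during device roll-out, when new devices perform the initial registration; a hit means a device may have registered with a host other than the EDP Control Service and should be re-registered after the rogue host is removed.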


14.5 Threats during operation


14.5.1 Malware/Viruses
The OpSpace System is designed to view applications, remote desktops and video streams only without
the possibility to directly process user data like uploaded files, web downloads, emails etc.
The Operator has no access to the operating system and filesystem of the OpSpace Client Appliance,
hence there is no need to run a malware/virus scanner on those devices.
Uploading of System Backups is limited to Administrators and Authorized Service Engineers, who can scan
the files on their local PC as part of the maintenance activity, so there is no need to maintain a full
malware scanner as part of the OpSpace system.

Barco OpSpace Security Document Contact

15 Contact
Visit Barco at www.barco.com

For Professional Support visit


http://www.barco.com/support

For Sales or other Contact information visit


http://www.barco.com/contact/regional-offices

Barco N.V.
Beneluxpark 21 – 8500 Kortrijk (Belgium)

Registered Office:
Barco N.V.
Pres. Kennedypark 35 – 8500 Kortrijk (Belgium)
RPR Kortrijk - BE0473191041
