How to Provide Secure Remote Access to IoT Edge Devices via Web, SSH and Remote Desktop

Remote access for IoT devices through NAT and Firewalls

Secure remote access to IoT edge devices is one of the fundamental building blocks of the Internet of Things. End users want to access and manage their devices via a web or mobile app, service partners need access to devices installed at remote locations, and product support teams need to be able to log in to devices installed at customer sites.

Web-based user interfaces are standard in IoT edge devices and connected embedded systems, used for configuration, control and monitoring of devices from PCs, smart phones or tablets. Modern web-based user interfaces are powerful, visually attractive and easy to use. Since their only requirement is an HTTP(S) connection between the web browser and the web server running on the device, they are well suited for remote access scenarios.

However, for this to work, the web browser on the client PC or mobile device must be able to create a network connection to the IoT device’s web server. This is only possible if the IoT device is located in the same network as the device running the web browser, if the networks containing the client and server are linked, or if the IoT device can be directly reached over the internet.

Unfortunately, this is rarely the case in practice. IoT edge devices in the field are often connected to private networks behind NAT routers or firewalls. This is especially true for industrial IoT devices, which are typically located behind a NAT router. Also, devices connected to a mobile 4G/LTE network in most cases do not have public IP addresses and thus are not directly reachable. This means that while these devices can open connections to servers on the internet, it is not possible to access the device’s web server from the outside, unless additional measures are taken.

Port forwarding and Virtual Private Networks (VPN) are widely known and established technologies for enabling internet-based remote access to computers and network devices behind NAT routers or firewalls. However, as detailed in the comparison table in this white paper, both technologies have severe drawbacks related to security and complexity, especially when used with IoT edge devices. For this reason, Applied Informatics has created a new technology that is an alternative to port forwarding and VPN.

Web-Based Remote Access to IoT Edge Devices with REMOTE

REMOTE enables easy and secure remote access to the web server and to other TCP-based services such as secure shell (SSH) or remote desktop (VNC, RDP) of an IoT device, even if the device is located in a private or mobile network behind a NAT router or firewall. How this technology works is explained in the following sections.

Application Scenarios

REMOTE is built to solve a range of common IoT problems including remote access to:

  • IoT gateways, edge computing devices, data loggers and metering and monitoring devices, e.g. renewable energy, environmental monitoring, traffic, transportation and infrastructure
  • Remote access to mobile devices for data acquisition, tracking, fleet management, etc.
  • Remote support, maintenance and servicing of consumer electronics, home/building automation, HVAC devices, industrial equipment, etc.
  • Remote access to IP network cameras and DVRs
  • Remote access to security and access control systems.

How REMOTE Works

REMOTE is based on standard internet technologies, specifically HTTPS and WebSockets. The IoT device runs a program called WebTunnelAgent that opens and maintains a TLS-protected, always-on WebSocket connection to the REMOTE server running in the cloud. Once the connection between the device and the REMOTE server has been established, the REMOTE server uses this connection to send (“tunnel”) HTTP requests and other TCP-based network traffic to the device. Note the direction: the device initiates the connection outbound, so no inbound port on the device or its NAT router is ever opened.

[Figure: Desktop view of the device manager]

Where do these HTTP requests come from? The REMOTE server also contains a web server, which accepts requests from clients (web browsers). These requests are then simply forwarded to the device, using the device’s tunnel connection. Setting up the initial tunnel connection between the device and the REMOTE server is almost always possible as long as the device can access the Internet. Since the tunnel connection opened by the device uses standard HTTPS and WebSocket protocols, it is very firewall-friendly and even works through an intermediate HTTP proxy server.

Identifying and Addressing Devices

In a typical usage scenario, more than one device will be connected to a REMOTE server. In fact, tens of thousands of devices could be connected to a single server. Therefore, when the REMOTE server receives an HTTP request from a client, it needs to find out to which device the request must be forwarded. This is done via the host name in the URL sent from the client to the REMOTE server, which the browser transmits in the Host header of the HTTP request. The mechanism relies on a wildcard DNS record that resolves every host name under the REMOTE server’s domain to the REMOTE server. The REMOTE server can then use the Host header together with an internal table to associate the request with a device (and its tunnel connection). Because the Host header is supplied by the client, the server must validate it strictly before doing the lookup and must refuse to forward anything it cannot map to a known device.
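As an added illustration (this is not code from Applied Informatics or from the REMOTE product), the following Python shows the Host-header lookup described above together with the input checks a server in this position needs, since the Host header is attacker-controlled. The base domain remote.example, the device ids and the tunnel table are constructed for the example.

```python
import re
from typing import Optional

# Assumption for the example: a wildcard DNS record *.remote.example points at the REMOTE server.
BASE_DOMAIN = "remote.example"

# A single DNS label: letters, digits, hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed routing table: device id -> tunnel handle (a string stands in for the
# device's WebSocket connection object here).
TUNNELS = {
    "f3a9c2d1": "tunnel#1",
    "dev-007": "tunnel#2",
}


def device_id_from_host(host_header: Optional[str], base_domain: str = BASE_DOMAIN) -> Optional[str]:
    """Return the device id encoded as the first label of the Host header,
    or None if the header is absent, malformed, or not exactly one label
    below the base domain."""
    if not host_header:
        return None
    host = host_header.strip().lower().rstrip(".")   # case-insensitive, ignore trailing dot
    if host.startswith("["):                         # IPv6 literal: never a valid device name
        return None
    host = host.split(":", 1)[0]                     # drop an optional :port
    suffix = "." + base_domain
    if not host.endswith(suffix):                    # e.g. "x.remote.example.evil.test" fails here
        return None
    label = host[: -len(suffix)]
    if not _LABEL.fullmatch(label):                  # rejects "", "a.b" (nested labels), junk
        return None
    return label


def route(host_header: Optional[str], tunnels=TUNNELS) -> Optional[str]:
    """Map an incoming request to the tunnel of its device.
    None means: do not forward; answer 400/404 instead."""
    device_id = device_id_from_host(host_header)
    if device_id is None:
        return None
    return tunnels.get(device_id)   # unknown-but-well-formed id -> None as well


if __name__ == "__main__":
    for h in ["F3A9C2D1.remote.example:443", "dev-007.remote.example.evil.test",
              "a.f3a9c2d1.remote.example", "unknown.remote.example", None]:
        print(repr(h), "->", route(h))
```

The important property is that every decision is made from the validated label only: a host name that merely contains the base domain somewhere, a nested label, or an unknown id all end up with no tunnel, so the forwarding code never has to handle a request whose target is ambiguous.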

Running the REMOTE Server

There are multiple options for running the REMOTE server. It can be deployed on an internet-facing server in a private datacenter (on-premises), or it can run on a virtual private server (VPS) provided by a cloud service provider such as Amazon (EC2), Microsoft Azure or DigitalOcean. Running the REMOTE server can also be outsourced to a dedicated service provider. Multiple REMOTE servers can run in a load-balancing setup, making it possible to handle hundreds of thousands or even millions of connected IoT devices.

Security and Privacy Guaranteed

The REMOTE server forwards HTTP requests and TCP connections but does not store any data passed through it. The only exception is the optional caching of images and style sheets in order to improve performance over low-bandwidth network connections. Because nothing else is persisted, the server does not add a data-retention risk, and this holds whether it runs in the cloud or in a private data center. One point a practitioner should keep in mind: to read the Host header and route a request, the REMOTE server terminates the client’s TLS connection, so it handles forwarded traffic in plaintext between the two TLS legs. It is therefore a trusted component and must be hardened and operated accordingly, regardless of where it is hosted.

Both the connection between the device and the REMOTE server and the connection between the client (web browser) and the REMOTE server are encrypted and authenticated with current TLS. Because the device only makes outbound connections, it needs no open inbound ports at all: it cannot be found by Internet port scans, its services cannot be attacked directly from the Internet, and it is not exposed to denial-of-service attacks against publicly reachable ports. The REMOTE server is the only Internet-facing component, which is where protective measures against such attacks should be concentrated.

Additional Security and Privacy Features of REMOTE

  • requests to the device can only be sent through the REMOTE server,
  • the REMOTE server requires proper authentication of the user before forwarding requests to the device,
  • devices must authenticate themselves to the REMOTE server when setting up the tunnel connection,
  • device authentication is done through a shared secret or a certificate.
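As an added example (not REMOTE’s actual wire protocol, and not code from Applied Informatics), the following Python shows one sound way to authenticate a device against the server with a shared secret when the tunnel is set up, without ever transmitting the secret itself: the server issues a random nonce, the device answers with an HMAC over a domain-separated message, and the server verifies in constant time, rejects replays, and rejects stale challenges. The device id, the secret, the message format and the 30-second challenge lifetime are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed device registry: device id -> 32-byte shared secret provisioned per device
# (generate with secrets.token_bytes(32) when the device is enrolled).
DEVICE_SECRETS: Dict[str, bytes] = {
    "f3a9c2d1": bytes.fromhex(
        "7f1c2b3a4d5e6f70819293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8"),
}

# Fixed context string so an HMAC produced for tunnel authentication cannot be
# replayed as a valid MAC in some other protocol that happens to use the same secret.
CONTEXT = b"remote-tunnel-auth-v1\x00"


def device_response(secret: bytes, device_id: str, nonce: bytes) -> bytes:
    """Device side (what a WebTunnelAgent-like client would compute)."""
    msg = CONTEXT + device_id.encode("utf-8") + b"\x00" + nonce
    return hmac.new(secret, msg, hashlib.sha256).digest()


class TunnelAuthServer:
    """Server side: issues one-time challenges and verifies device responses."""

    def __init__(self, secrets_by_id: Dict[str, bytes],
                 now: Callable[[], float] = time.time, max_age: float = 30.0):
        self._secrets = secrets_by_id
        self._now = now              # injectable clock, so expiry can be tested
        self._max_age = max_age
        self._pending: Dict[str, Tuple[bytes, float]] = {}   # device id -> (nonce, issued_at)

    def challenge(self, device_id: str) -> bytes:
        """Issue a fresh 128-bit nonce. Unknown ids get one too, so the
        challenge step does not reveal which device ids exist."""
        self._expire_pending()
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = (nonce, self._now())
        return nonce

    def verify(self, device_id: str, nonce: bytes, response: bytes) -> bool:
        """Accept the tunnel only if the response matches the outstanding
        challenge for this device. The challenge is consumed either way."""
        pending = self._pending.pop(device_id, None)   # one-time: prevents replay
        secret = self._secrets.get(device_id)
        if pending is None or secret is None:
            return False
        issued_nonce, issued_at = pending
        if not hmac.compare_digest(issued_nonce, nonce):
            return False
        if self._now() - issued_at > self._max_age:    # stale challenge
            return False
        expected = device_response(secret, device_id, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare

    def _expire_pending(self) -> None:
        cutoff = self._now() - self._max_age
        for dev, (_, issued_at) in list(self._pending.items()):
            if issued_at < cutoff:
                del self._pending[dev]


def demo_exchange(device_id: str = "f3a9c2d1") -> bool:
    """Run the full exchange for the constructed device and return the verdict."""
    server = TunnelAuthServer(DEVICE_SECRETS)
    nonce = server.challenge(device_id)                         # server -> device
    resp = device_response(DEVICE_SECRETS[device_id], device_id, nonce)  # device -> server
    return server.verify(device_id, nonce, resp)


if __name__ == "__main__":
    print("authenticated:", demo_exchange())
```

With certificate-based device authentication the same role is played by client certificates on the TLS connection itself (mutual TLS), and the server maps the certificate’s identity to the device entry instead of looking up a shared secret.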
Comparison: REMOTE, Port Forwarding and VPN

REMOTE

Advantages:
  • based on the proven and proxy/firewall-friendly WebSocket protocol
  • can be used without changes to the existing network infrastructure
  • supports secure, encrypted (TLS) and authenticated connections
  • secure forwarding of most TCP-based protocols, not just HTTP, including SSH for remote shell and VNC/RDP for remote desktop access
  • the REMOTE server can be operated in the cloud
  • high scalability, up to tens of thousands of devices per REMOTE server instance (multiple servers can be clustered to increase capacity up to millions of devices)
  • integrated user management and detailed role- and permission-based access control

Disadvantages:
  • the REMOTE device agent software must be integrated into the device, or a gateway device must be used to integrate legacy devices
  • some TCP-based protocols cannot be forwarded (e.g., FTP, which negotiates additional data connections on dynamic ports)
  • cannot be used with UDP-based protocols

Port Forwarding

Advantages:
  • simple and widely supported by NAT routers
  • allows access to any TCP- or UDP-based network service provided by the device

Disadvantages:
  • NAT router configuration for port forwarding can be complex, especially if multiple devices must be accessible (every device needs a unique public port number)
  • a Dynamic DNS service is needed if the NAT router does not have a static public IP address
  • public IPv4 addresses are becoming scarce
  • the device is directly exposed to the Internet, with a very high risk of denial-of-service and other kinds of attacks

Virtual Private Network (VPN)

Advantages:
  • the device is directly integrated into a remote network using a secure tunnel through the Internet
  • secure, encrypted connection
  • proven, standardized and widely available technology

Disadvantages:
  • VPNs may be blocked by the network provider or legally restricted
  • the necessary network and VPN server infrastructure is difficult to set up and maintain, especially if many devices must be integrated
  • all clients must have access to the VPN in order to access the devices; therefore not suitable for end-user access
  • additional measures must be taken to isolate devices in the VPN from one another and to prevent users from accessing devices they should not have access to

User Accounts, Roles and Permissions

The REMOTE server supports user account management features and role- and permission-based access control, making it easy to specify which users may access and manage which devices.

Works for Web, SSH and Remote Desktop

REMOTE is not just for accessing web pages. Virtually every TCP-based protocol can also be used over a REMOTE tunnel connection, including web services based on REST, JSON-RPC or SOAP technologies, or secure shell (SSH) and remote desktop (VNC, RDP) protocols. REMOTE even includes a web-based VNC client. This makes it a suitable foundation for automated device management applications and remote support/maintenance portals.

Easy Integration and Customization

The software necessary for integrating REMOTE into a device, as well as the REMOTE server is provided by Applied Informatics. For devices where the necessary modification of the firmware is not possible or feasible, a low-cost gateway device can be used to connect the device to the REMOTE server. The gateway is located in the same local area network as the device, and forwards requests from the REMOTE server to the device’s web server. It’s also possible to install the gateway software on a mobile internet router. The REMOTE server can be integrated with other applications via its REST API. The default web user interface of the REMOTE server can be customized to match customer-specific needs and visual style.

The REMOTE server optionally supports LDAP for user authentication.

Secure Remote Access Made Easy

REMOTE is a secure alternative to technologies like NAT port forwarding and virtual private networks for enabling easy and secure remote access to IoT devices via web, shell or remote desktop. The technology can be used without touching the existing network infrastructure and is suitable for use by end users, service partners or internal support teams. The necessary REMOTE server can be operated in “the cloud”, and devices can be easily integrated, either by updating their firmware or by using a special gateway device or 4G/LTE router. REMOTE can be used for free with up to five devices. For more information as well as tips for getting started, please visit the website at

Get Started with a Free Account

REMOTE can be used for free with up to five devices.

Get started with a free account today.
