Key Master Networking FAQs

FAQs

Why is it required for a customer to enable firewall rules for the cabinet?

If the cabinet is connected to the customer network and sits behind a firewall, the cabinet will not be able to communicate with Smartrak servers to perform its routine operations unless that specific network traffic is allowed by the firewall.

As shown in the following image, outbound communication to various systems is essential for the smooth working of the cabinet. If the traffic is interrupted by a firewall, the corresponding functionality will not work properly.

cabinet_sync.png

We are concerned about the network security when we enable the firewall rules. Is it secure?

All communication starts from the cabinet and is outbound. The cabinet’s terminal and ports are closed.

Even the facility for Smartrak staff to remotely access the cabinet for troubleshooting customer issues starts with a request from the cabinet. Refer to the answer to "How does Smartrak staff access the cabinet to perform maintenance when there are issues?" below for further details on remote maintenance.

Sessions opened by the cabinet to our servers are short-lived and use random ports, and each request is outbound from the cabinet, making it a secure option.

How does Smartrak staff access the cabinet to perform maintenance when there are issues?

The cabinet, as part of its heartbeat, communicates with sync.keymaster.net.au. If a Smartrak staff member has requested access to the cabinet, the cabinet learns of it from the response to the heartbeat. When such a request is received, the cabinet creates an SSH tunnel to KMUtil, a Smartrak server (hosted in Azure) secured behind a firewall. Smartrak staff access the cabinet using this tunnel. Once the maintenance is over, the tunnel is closed.

02_KMTunnel_Workflow-20250828-213738.png

What happens if we don’t enable the firewall rules and provide the network permissions?

The cabinet will not be able to open a session for the staff to perform maintenance. Smartrak will not be able to resolve any reported issues without the rules in place.

03_KMTunnel_NoRules-20250828-221429.png

We don't block any outbound network traffic. Do we need to take any action?

If there is no firewall rule that blocks outbound traffic to the specified IP addresses and URLs, no action is required from your end.

Are there any inbound connections or firewall rules required?

All communication is outbound from the cabinet. No inbound firewall rules are required.

Should we be adding firewall rules for whitelisting IP addresses or Fully Qualified Domain Name?

We recommend whitelisting fully qualified domain names as the servers may be replaced with new ones as they age and the IP address is likely to change.

What does the outbound connection to sync.keymaster.net.au do?

Key cabinets communicate with sync.keymaster.net.au to announce that they are online and healthy. Smartrak monitors the health of the cabinets, and if this heartbeat is missing, the cabinet is considered offline. A daily backup of the cabinet database is uploaded to Smartrak’s secure server using this connection.

What does the outbound connection to PoolCar Server and PoolCar URL do?

The cabinets sync bookings and perform check out and check in of bookings using these URLs. If these are not allowed, cabinets will not be able to download, check out or check in bookings from PoolCar.

What does the outbound connection to kmutil.keymaster.net.au (For KM3) and gpssyd1.keymaster.net.au (For KM2) do?

When there is an issue with the cabinet, Smartrak staff may need to access it remotely for troubleshooting. These servers make that possible. If communication to these servers is not allowed, Smartrak staff will not be able to troubleshoot issues in the cabinet.

The following diagram illustrates what happens if the firewall does not allow this outbound connection.

02_KMTunnel_Workflow copy.png

Why do we need to have an outbound firewall rule for http://github.com?

Smartrak deploys the firmware of the KeyCabinet to a private repository in GitHub. When an attempt is made to update the firmware of a cabinet, the latest firmware is pulled from GitHub and necessary changes are applied.

We have already provided SSH access to domains - kmutil.keymaster.net.au, gpssyd1.keymaster.net.au and github.com as fully qualified domain name (FQDN). Will it pick up the IP address change automatically?

Yes, the change will be picked up automatically. The Key Master cabinet does not use IP addresses internally. It uses the FQDN for outbound communication, and the IP address is resolved automatically.

To set the firewall rules, what would be the source IP?

The source IP address would be the IP address of your cabinet. Unfortunately, we do not have the visibility to provide this information. Your IT team would be able to provide it. If you have enabled DHCP in the cabinet, the cabinet IP would change, and you will need to allow access to all IP addresses in your network. If you are using dedicated IP addresses for cabinets, please provide access to only those IPs.

How do we identify if the cabinet is a KM2 or KM3?

Please check your cabinet Serial Number. If it is 000165 or below, it is a KM2 cabinet. Cabinets with serial numbers 000166 and above are KM3 cabinets.
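
The following added example is not Smartrak's code. It audits firewall flow records for one cabinet against the destinations named in this FAQ, choosing the tunnel host from the serial-number rule above. The log line format, the cabinet IP 10.20.0.15 and the sample records are constructed; PoolCar hostnames are not listed on this page and must be supplied by the operator.

```python
# Added example: audit a cabinet's firewall flow records against this FAQ.
# Assumed (constructed) log line format: "<direction> <action> <src> <dst>"
# where direction is out|in, action is allow|deny, and dst is the FQDN the
# firewall logged for an outbound flow (or the cabinet IP for an inbound one).

COMMON = {"sync.keymaster.net.au", "github.com"}
TUNNEL = {"KM2": "gpssyd1.keymaster.net.au", "KM3": "kmutil.keymaster.net.au"}


def model_for_serial(serial):
    """Serial 000165 or below is KM2; 000166 and above is KM3 (per the FAQ)."""
    return "KM2" if int(serial) <= 165 else "KM3"


def allowed_hosts(serial, poolcar_hosts=()):
    """FQDNs this cabinet is expected to reach; PoolCar hosts are operator-supplied."""
    extra = {h.lower().rstrip(".") for h in poolcar_hosts}
    return COMMON | {TUNNEL[model_for_serial(serial)]} | extra


def audit(lines, cabinet_ip, serial, poolcar_hosts=()):
    """Return (line_number, finding, detail) tuples for one cabinet."""
    allowed = allowed_hosts(serial, poolcar_hosts)
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) != 4:
            findings.append((n, "unparsed", line))
            continue
        direction, action, src, dst = parts
        host = dst.lower().rstrip(".")  # normalise case and trailing dot
        if direction == "in" and dst == cabinet_ip:
            # The FAQ states that no inbound connections are required.
            findings.append((n, "unexpected-inbound", src))
        elif direction == "out" and src == cabinet_ip:
            if host in allowed and action == "deny":
                findings.append((n, "required-blocked", host))
            elif host not in allowed and action == "allow":
                findings.append((n, "unexpected-destination", host))
    return findings


SAMPLE = [  # constructed records for a KM3 cabinet at 10.20.0.15
    "out allow 10.20.0.15 sync.keymaster.net.au",
    "out deny 10.20.0.15 KMUTIL.keymaster.net.au.",
    "out allow 10.20.0.15 updates.example.org",
    "in allow 10.20.0.99 10.20.0.15",
    "out allow 10.20.0.15 github.com",
]
```

A "required-blocked" finding points to a missing egress rule that would stop the matching function from working; the other two findings are traffic this FAQ does not account for and are worth reviewing.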

Our cabinet’s time is out of sync. What could be the possible reasons? How do we fix this?

The possible reason is that the cabinet is not configured to update the time from an internet NTP server. Please raise a service desk ticket. If you have a preference for an NTP server, please let us know.

Who would be the best person to talk to if I have additional technical questions?

For any additional technical queries, please raise a service desk ticket and the corresponding technical team will respond to it. Ensure that you loop in your CSM.