HikVision Mobile App problems

[ZachO]

Hi All,

I have a HikVision NVR/DVR and all works well with the HikVision Apple App. However, I recently locked down the company router and enforced the firewall. This immediately shutdown the mobile app.

I opened ports 554, 10554, 8000, 8200, 80, 443 and still no luck. Says "bad connection" after loading the cameras to 90%.

After playing with it for 8 hours, I noticed if I open ports 50,000-65,000 all works fine. However, according to everything I read, I should only need ports 554 and 8000. Why is the mobile ap using these odd ports? Is this bad camera setups?

Thanks,
Zach

 

[StewartM]

Might be useful: Hikvision Network Ports
Perhaps Hikvision's assigned ephemeral port range?

 

[ZachO]

So this is unresolved. HIK support got back to me after 3 weeks and said. "Sorry for delay. No ports need to be opened for Hik-Vision app". Well, not with my setup. The only way my 12 cameras work is if I open ports 40,000 - 65,000. It seems every time I connect they get a new port number in that range. Its really crazy. Most cameras are 50,000+ but two stay in the 40,000 range.

 

[StewartM]

Interested to hear others input on this - my take:
Hikvision uses (to large degree) AWS to facilitate their Hikconnect service. Noted there are a few exceptions like the Russian servers.

Hikvision's response to your query seemed somewhat curt but I'm not sure they would have provided the clarification you needed regardless. My understanding, under correction, is you typically don't need any assigned ports open for their service to work. However, AWS uses ephemeral ports (automatically and randomly assigned) for temporary IP connections that should be available to facilitate the connection. These ports can range from 1025 to 65k odd depending on the OS. Perhaps the two cameras you mention that stay to the 40k range are using the Ezviz or earlier incarnations of platform access.

 

[ZachO]

HI Stewart,

That is fascinating to learn. That matches what I have found - ports are different every time I login to the iOS app. It seems, contrary to this forum, documentation and HIK customer service, that the iOS apps streams directly from the camera, and not from the DVR itself, hence these ports must remain open. Their is no configuration in the DVR to set IP ports for cameras.

I am not a big fan of this. Not much I can do now it seems. Leaving 30K ports open on my firewall is not preferred

Thanks!

 

[StewartM]

You could mitigate the security risk using custom rules or use a VLAN to separate the NVR.