Network Services
Use the Network Services page to manage the Q-SYS Core's ability to communicate with devices through its network interfaces, as well as configure SNMP access. System administrators can:
- Disable unused network services on a per-network adapter level (LAN A, LAN B, AUX LAN, etc.). Disabling unused network services can increase the security of the Q-SYS system and help to satisfy customer-specific security requirements.
- Easily see a summary of all currently-enabled network services and protocols, per network adapter, on the Q-SYS Core.
CAUTION: By default, all network services are enabled on the Q-SYS Core. QSC recommends disabling unneeded network services.
Summary
The Summary tab provides a read-only listing of all active network protocols on the Q-SYS Core and the network adapters on which they are enabled.
For any active network protocol, click + to see a list of the network services using that particular protocol.
Management
The Management tab provides a list of high-level network services on the Q-SYS Core. A check mark indicates if a network service is active for a particular LAN adapter.
- Click Edit to enable or disable (select or deselect) a network service for a LAN adapter, and then click Save.
Note: Some network services can only be toggled on or off for all LAN adapters at once.
- Click + to expand a high-level network service to see a list of protocols used by that service.
- Expand the Network Protocols drop-down menu to see a summary of protocol usage on the Q-SYS Core. The number in the green circle indicates how many network services are using that protocol across all LAN adapters.
Tip: In the Network Protocols drop-down menu, click a protocol name to filter the High-Level Network Services list to show only those services that use the selected protocol. To turn the filter off, click the protocol name again.
SNMP
SNMP allows you to manage and/or monitor devices on the Q-LAN network for conditions that may need attention. With a third-party Management Information Base (MIB) browser, you can poll any Q-SYS Core, which returns its status as well as the status of any Q-SYS peripheral devices included in the running design. Additionally, third-party devices monitored via Enterprise Manager-enabled plugins or the Monitoring Proxy component also report their statuses via the Core using SNMP.
Depending on the MIB browser you select, you can access the Q-SYS information using SNMP v2c and/or SNMP v3.
Note: The parameters you specify in Network Services > SNMP must be the same values you specify in the MIB browser.
Click Edit to modify SNMP access parameters.
Version 2C
- Access: Select whether SNMP v2c access is Disabled, Read Only, or Read/Write.
- Community: Specify the v2c community text string.
Version 3
- Access: Select whether SNMP v3 access is Disabled, Read Only, or Read/Write.
- User: The SNMP v3 username string.
- Security Level: Select from:
  - No Authorization – Only a username is required.
  - Authorization No Privacy – Requires a password, and allows selection of an Auth Protocol.
  - Authorization and Privacy – Adds another layer of security using a Privacy Password and Encryption.
- Password: The password for authorization, which is encrypted and masked. The password must be a minimum of 8 characters.
- Auth Protocol: The protocol for encrypting the signature attached to the SNMP message, either MD5 or SHA.
- Privacy Password: This password is used with the 'Authorization and Privacy' security level, which encrypts the entire SNMP message. The password is encrypted and masked, and must be a minimum of 8 characters.
- Encryption: Select an encryption type, either DES or AES.
Load the Q-SYS MIB into a MIB browser to access the Q-SYS SNMP objects by name. You can put the MIB anywhere as long as the MIB browser has access to the location.
You can obtain the MIB file from:
- The Q-SYS Designer installation directory: C:\Program Files\QSC\Q-SYS Designer\SNMP
- The QSC website (https://www.qsc.com) – search for "MIB".
- NET-SNMP-MIB
- NET-SNMP-FRAMEWORK-MIB
- NET-SNMP-EXTEND-MIB
- SNMPv2-MIB
- SNMP-MPD-MIB
- SNMP-USER-BASED-SM-MIB
- SNMP-VIEW-BASED-ACM-MIB
- UCD-SNMP-MIB
- UCD-DLMOD-MIB
Each device in the Q-SYS design's Inventory has an entry with the following objects:
- invDeviceName (Read Only) – the name of the Inventory device
- invDeviceType (Read Only) – the type of Inventory device (Core, Peripheral, Page Station, Amplifier, etc.)
- invDeviceModel (Read Only) – the specific model of the Inventory device
- invDeviceLocation (Read Only) – the Location of the Inventory device
- invDeviceStatus (Read Only) – the Status string
- invDeviceStatusValue (Read Only) – the Status value. (See Status Reference for possible values.)
Each Snapshot Bank has an entry with the following objects:
- ssSnapshotName (Read Only) – the Name of the Snapshot Bank.
- ssSsTotalSnapshots (Read Only) – the total available snapshots in the Snapshot Bank.
- ssActiveSnapshot (Read/Write) – Sets the active Snapshot.
- ssRampTimeSec (Read/Write) – Sets the time it takes for the controls to reach the saved position or value (in seconds).
Note: For all other Q-SYS SNMP objects, see the MIB file.
Use Cases and Recommendations
By default, HTTP is enabled on the Q-SYS Core for simple communication with multiple products and services. If your deployment requires disabling port 80 for security reasons, then you must disable all of the following Network Services on the LAN adapter you intend to secure (LAN A, LAN B, AUX LAN, etc.):
- Q-SYS Designer Communications - Legacy: Allows for communication between the Core and Q-SYS Designer software v7.1 or earlier. Q-SYS Cores running v7.2 firmware or higher have HTTPS (port 443) enabled by default as a secure alternative to this service. Therefore, it is no longer required unless you intend to downgrade the Core's firmware to v7.1 or lower.
- Q-SYS TSC-3: Allows for communication between the Core and TSC-3 touch screen devices.
- Q-SYS Control Peripherals: Allows for communication between the Q-SYS Core and other TSC touch screen devices.
- Q-SYS UCI Viewers - Windows and iOS: Allows for communication between the Core and any UCI Viewer application, including the iOS App and Windows UCI Viewer application.
In situations where multiple Cores are connected to the corporate network for control and monitoring only, Q-SYS Audio Enabled Peripherals should be disabled on LAN B. This will stop the Core from behaving as a PTP boundary clock and will solve problems related to Cores attempting to PTP sync over a potentially non-real-time-capable network infrastructure.
Running older designs with the 'PTPv2 Disable LAN B' design property enabled
The Q-SYS Audio Enabled Peripherals network service includes the PTPv2 protocol. In Q-SYS Designer versions prior to 7.1, this protocol could be disabled for LAN B in the Design Properties. If you attempt to save a design to the Core with this property enabled, you will be prompted to disable Q-SYS Audio Enabled Peripherals for LAN B in the Network Services manager if this network service is currently enabled on LAN B.
Note: Alternatively, you can choose to clear the PTPv2 Disable design property and run your design without configuring Network Services. Doing so is not recommended unless you explicitly require the design to allow PTPv2 traffic on both LAN A and LAN B – for example, for redundant networking, or third party devices configured for LAN A and LAN B connections.
If LAN B (or AUX) is connected to the corporate network, you may want to disable Q-SYS Device Discovery, Q-SYS Audio Enabled Peripherals, and Q-SYS Control Peripherals for LAN B / AUX to "lock down" Q-SYS devices from the corporate network. However, to still allow UCI viewers (Windows and iOS) to communicate with the Core from the corporate network, you could enable Q-SYS UCI Viewers for LAN B / AUX exclusively.
Note: If device discovery is disabled, Hard Links must be used to locate the Q-SYS Core on the network.
If you have a Core and touchscreen and are only using the built-in audio on the Core, you could disable Q-SYS Audio Enabled Peripherals for all network adapters but keep Q-SYS Control Peripherals enabled.
If your design does not use any TSC-3 touchscreens, you could disable the Q-SYS TSC-3 network service, which disables the FTP protocol on the Core.
If your system does not require control from a third-party control system, consider disabling the Q-SYS External Control Protocol (ASCII and JSONRPC) on all network interface ports.
If your design does not use Network Redundancy, you could disable LAN B / AUX for all network services.
If your design uses Core Redundancy:
- Ensure that all network services for both the Primary Core and Backup Core are configured the same.
Notes
- Some protocols are used by multiple network services – for example, Q-SYS Discovery Protocol. A protocol remains active on the Core until all network services using it are disabled for a particular LAN adapter.
- The Q-SYS Designer Communications - Secure network service uses self-signed, encrypted HTTPS communications between the Core and Q-SYS Designer, so it is active on all network ports at all times.
- To avoid issues, ensure that design-specific settings (such as Core Redundancy) are compatible with the Core's Network Services configuration.
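The port 80 use case and the note on shared protocols both follow one rule: a protocol stays active on an adapter until every service using it is disabled there. The following added example (not QSC code) audits a planned configuration against that rule; the service-to-protocol links are only those stated on this page, and the data layout, sample configuration and policy are constructed for illustration.

```python
# Service-to-protocol links stated on this page; the dict layout is constructed
# for this example and is not a Q-SYS export format.
SERVICE_PROTOCOLS = {
    "Q-SYS Designer Communications - Legacy": {"HTTP"},
    "Q-SYS TSC-3": {"HTTP", "FTP"},
    "Q-SYS Control Peripherals": {"HTTP"},
    "Q-SYS UCI Viewers - Windows and iOS": {"HTTP"},
    "Q-SYS Audio Enabled Peripherals": {"PTPv2"},
}
# Per the Notes, this service is active on every adapter and cannot be disabled.
ALWAYS_ON = {"Q-SYS Designer Communications - Secure": {"HTTPS"}}


def active_protocols(enabled):
    """Return {adapter: {protocol: [services keeping it active]}}."""
    result = {}
    for adapter, services in enabled.items():
        holders = {}
        for service in sorted(set(services) | set(ALWAYS_ON)):
            protocols = SERVICE_PROTOCOLS.get(service) or ALWAYS_ON.get(service, ())
            for protocol in sorted(protocols):
                holders.setdefault(protocol, []).append(service)
        result[adapter] = holders
    return result


def audit(enabled, forbidden):
    """List (adapter, protocol, services) for each forbidden protocol still active."""
    active = active_protocols(enabled)
    findings = []
    for adapter in sorted(forbidden):
        for protocol in sorted(forbidden[adapter]):
            services = active.get(adapter, {}).get(protocol)
            if services:
                findings.append((adapter, protocol, services))
    return findings


# Constructed sample: LAN A at defaults; LAN B locked down except UCI Viewers.
SAMPLE_ENABLED = {
    "LAN A": set(SERVICE_PROTOCOLS),
    "LAN B": {"Q-SYS UCI Viewers - Windows and iOS"},
}
# Constructed policy: the corporate-facing adapter must not expose these.
SAMPLE_POLICY = {"LAN B": {"HTTP", "FTP", "PTPv2"}}

if __name__ == "__main__":
    for adapter, protocol, services in audit(SAMPLE_ENABLED, SAMPLE_POLICY):
        print(f"{adapter}: {protocol} still active, disable: {', '.join(services)}")
```

With the sample data, the audit reports that keeping Q-SYS UCI Viewers enabled on LAN B for corporate-network access leaves HTTP active on that adapter, so the two recommendations cannot both be applied to the same adapter.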