LVS/MPS Security Information
The Loadscan Load Volume Scanner (LVS) and Mine Payload Scanner (MPS) offer various forms of connectivity on the local network and internet which can be configured to meet your needs. This document discusses each of these, and their security implications.
The LVS and MPS are not designed to act as edge devices, and do not have any services designed to accept direct inbound connections from the internet. Loadscan offers an optional cloud service called MyScanner. If LVS/MPS devices are configured to make use of MyScanner services, all communication is initiated on the LVS/MPS side, and fully under your control via a system account on each device.
We strongly recommend these devices be kept behind a firewall and that you only enable the features you require. If cloud features are enabled, cloud communication from your network will be outbound traffic using the HTTPS protocol on TCP port 443 and outbound on the AMQP protocol on TCP port 5672.
LVS/MPS Local Network Functionality
Remote-control from the local network
LVS and MPS devices can be remote-controlled on the local network via a PC with a Virtual Network Computing (VNC) client on TCP port 5900. This feature can be enabled or disabled in the settings screen, and the password used to authenticate can be set. At the time of writing, it is not possible to change the TCP port used by VNC. Loadscan Overview reporting software includes a built-in VNC client for this purpose.
When VNC is disabled, port 5900 will be closed and the related LVS/MPS service stopped.
Note that the “Allow remote-control” setting under the MyScanner section of the LVS/MPS settings only affects remote control from the MyScanner cloud service, and does not have any effect on VNC functionality on the local network.
Loadsync SQL on the local network
Loadsync SQL is an LVS/MPS feature that pushes measurements, as they occur, to a SQL database server within your local network. We support various types of database servers including Microsoft SQL Server, Oracle, PostgreSQL and MySQL. We may be able to configure Loadsync SQL to support other SQL databases on request.
Loadsync SQL is a custom function that is disabled by default and can only be activated by Loadscan. Once activated it can be enabled/disabled in the LVS/MPS settings.
The specific ports and communication protocols used here will depend on the database in use, and how it has been configured. The typical default ports for common databases are as follows:
Database | Default port |
---|---|
Microsoft SQL Server | TCP 1433 |
Oracle | TCP 1521 |
PostgreSQL | TCP 5432 |
MySQL | TCP 3306 |
Loadsync SQL does support the use of non-default ports, but does not support dynamic ports in Microsoft SQL Server. The port used must be fixed and dedicated for connections to the specific database instance.
Loadsync API via local network
Loadsync API is a simple JSON API which enables systems within your private network to request measurement data directly from the LVS/MPS in a form suitable for integration with other systems within your organisation.
On the LVS/MPS, Loadsync API is a custom function that is disabled by default and can only be activated by Loadscan. Once activated it can be enabled/disabled in the LVS/MPS custom settings.
When enabled, it may be accessible via HTTP on port 80, HTTPS on port 443, or both. This depends on the user-configurable LVS/MPS security settings. You can upload your own HTTPS certificate and key pair using a USB drive.
In order to use this API, enable incoming connections on TCP port 443 (the recommended port). Users must set a password which acts as the Loadsync API token in the custom settings. If full HTTPS certificate validation is required, you will need to import a valid SSL certificate and key as well.
LVS/MPS Cloud Functionality – MyScanner
MyScanner is a cloud service offered by Loadscan that lets customers view and export their measurement data as well as control their LVS and MPS units remotely. MyScanner requires an active subscription for use, and the functionality has to be enabled on the LVS/MPS.
Transfer of measurement data to MyScanner
You can enable the transfer of measurement data from your LVS/MPS to MyScanner by enabling it in the scanner’s settings.
This is required if you wish to use any of the following MyScanner cloud features:
- Viewing your measurement data in MyScanner.
- Reading your measurement data in JSON format from our MyScanner API cloud service.
- Synchronising truck reference scans and load detail lists between multiple LVS/MPS units.
- Viewing 3D load profiles of measurement records.
When enabled, every measurement will be uploaded to MyScanner over an encrypted AMQP connection on port 5672.
Remote-control via MyScanner
Remote-control of your LVS or MPS is available from MyScanner if it is enabled in the LVS/MPS settings. Note that this does not use VNC, and the LVS/MPS setting that enables/disables VNC does not impact MyScanner remote-control.
When MyScanner remote-control is enabled, a service on the LVS/MPS will open an encrypted tunnel with MyScanner over TCP port 443. This connection is kept alive. When a user attempts to initiate a remote connection from MyScanner back to the LVS/MPS, this tunnel is used for communication. If the tunnel is not available, MyScanner cannot communicate with the LVS or MPS.
When MyScanner remote-control is disabled, the service maintaining the encrypted tunnel with MyScanner is stopped.
Multi-scanner synchronisation via MyScanner
MyScanner can be used as a central hub for LVS/MPS units to synchronise and back up their database of reference scans and/or load detail selection lists between scanners. This is typically used on large sites with multiple LVS/MPS units operating, where the database and lists need to be shared between all LVS/MPS units on the site.
Multi-scanner synchronisation via MyScanner must be enabled in the LVS/MPS settings. Database and list synchronisation can be enabled independently.
When synchronisation via MyScanner is enabled on an LVS or MPS, the scanner will open a connection to MyScanner and synchronise its reference scans and/or load detail lists with the central store in MyScanner. This communication takes place over an encrypted HTTPS connection on TCP port 443.
Loadtrak
The optional Loadtrak system includes in-cab consoles that are installed in the trucks, and a dedicated Wi-Fi unit added to the LVS/MPS for communication with the consoles. These provide remote data entry and reporting capabilities to the LVS/MPS. Loadtrak consoles connect to a dedicated Wi-Fi unit in the LVS/MPS scan head when in range. The Wi-Fi unit is only installed on scanners intended to use the Loadtrak system.
In order to use Loadtrak, it needs to be activated in the LVS/MPS custom settings. Once activated it can be enabled/disabled as required.
Loadtrak communicates with the LVS/MPS using HTTP. Since there is no DNS or internet connection available to Loadtrak devices, full certificate validation is not feasible. These connections are still encrypted by WPA2 with AES encryption.
Wired Connectivity
The LVS and MPS provide an ethernet port for customer use. The TCP/IP settings for this port can be controlled from the LVS/MPS user interface.
A cellular router or Wi-Fi router may optionally be provided by Loadscan to provide internet connectivity on remote sites. These will connect to the ethernet port.
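The connectivity described in this document can be turned into a check on firewall or flow logs. The following is an added example, not Loadscan code: it takes the set of enabled features and flags any TCP connection initiation that those features do not explain. The feature labels, the audit function and all addresses are assumptions made for illustration; the ports and directions are the ones stated above.

```python
from ipaddress import ip_address, ip_network

# Feature labels are hypothetical; directions and ports are the ones stated above.
INBOUND = {"vnc": 5900, "loadsync_api_https": 443, "loadsync_api_http": 80}
CLOUD_OUT = {"myscanner_upload": 5672, "myscanner_remote": 443, "myscanner_sync": 443}

def audit(scanner, lan, enabled, flows, sql_port=None):
    """Return (flow, reason) for each flow the enabled feature set does not explain.

    flows: iterable of (src_ip, dst_ip, dst_tcp_port) connection initiations.
    sql_port: fixed port of the LAN database if Loadsync SQL is enabled, else None.
    """
    lan = ip_network(lan)
    in_ok = {p for f, p in INBOUND.items() if f in enabled}
    out_ok = {p for f, p in CLOUD_OUT.items() if f in enabled}
    findings = []
    for flow in flows:
        src, dst, port = flow
        if dst == scanner:                    # a host connecting to the scanner
            if ip_address(src) not in lan:
                findings.append((flow, "inbound from outside the local network"))
            elif port not in in_ok:
                findings.append((flow, "inbound to a service that should be disabled"))
        elif src == scanner:                  # the scanner connecting out
            if ip_address(dst) in lan:
                if port != sql_port:
                    findings.append((flow, "unexpected outbound to a LAN host"))
            elif port not in out_ok:
                findings.append((flow, "unexpected outbound to the internet"))
    return findings

# Constructed sample data (private and documentation address ranges, not real hosts).
SCANNER, LAN = "192.168.10.50", "192.168.10.0/24"
ENABLED = {"vnc", "myscanner_upload"}
SAMPLE_FLOWS = [
    ("192.168.10.20", SCANNER, 5900),   # VNC from a LAN PC: expected
    (SCANNER, "203.0.113.10", 5672),    # AMQP upload to the cloud: expected
    (SCANNER, "192.168.10.5", 5432),    # Loadsync SQL to PostgreSQL: expected
    ("198.51.100.7", SCANNER, 5900),    # VNC from outside the LAN
    ("192.168.10.21", SCANNER, 80),     # Loadsync API over HTTP, not enabled
    (SCANNER, "203.0.113.10", 443),     # port 443, but no feature using it is enabled
]

if __name__ == "__main__":
    for flow, reason in audit(SCANNER, LAN, ENABLED, SAMPLE_FLOWS, sql_port=5432):
        print(flow, "->", reason)
```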