Remote Access

Once you have your cameras added and working with Blue Iris, you may want to access
them remotely via PC, browser, smart phone, smart TV, etc. Blue Iris includes a local web
server which offers a range of services. No 3rd party web sites or services are otherwise
required, although some may be leveraged for various functionality.

THE WEB SERVER
The built-in web server “listens” for incoming connections on a specific port. A port is a bit
like a “channel” where each network address (IP address) may have several simultaneous
“open” or accessible services. Each port may in turn be used for multiple simultaneous
conversations.

The default port used by HTTP (normal browser and web server traffic) is 80. In order to
avoid conflict with other HTTP servers potentially installed on the PC, Blue Iris uses a
default of port 81 (although the image shown here has had this changed to 8081). Because
the default HTTP port is 80, you will not normally see this port number added to addresses
in your web browser. When using any other port, you will add the port number following a
colon to the address, such as 192.168.0.19:81 instead of 192.168.0.19 (port 80 assumed).
The files served up by the web server are stored in a folder “www” in the Blue Iris
installation folder, and from a client (browser or phone app) will appear to be the “root,”
which is to say the base of the accessible file structure. The files served will be part of the
new “UI3” browser interface (described below) rather than the legacy pages. You should
not have to change any of these values for normal operation.
It’s possible that your system has multiple LAN IP addresses (local numbers such as
192.168.0.19)—one for each interface such as Ethernet, WiFi, Bluetooth. By default, Blue
Iris listens to the same port number on all interfaces. You can force the software to use one
interface only by selecting the Listen/bind to selected LAN IP only checkbox. You should
use this only if advised or you are an expert, as the LAN IP address and/or available
interfaces can change, rendering the web server inoperative.
If your PC is connected to the Internet, it will have a WAN (wide-area network) address as
well. This is potentially the address that may be used from outside of your home or office to
gain access to your Blue Iris web server and cameras. In most cases, this address is subject
to change by your ISP (Internet Service Provider, generally the cable or satellite company)—
these are called dynamic IP addresses and this behavior is generally not a concern for our
purposes. A dynamic address may appear to change daily or never at all. It is NOT
necessary for Blue Iris to know the WAN address in order to operate the web server, but as
this address is used for remote access, the software makes it available for your information
and convenient retrieval in a number of ways.
The software can continuously check for a newly assigned WAN address. The new address
can be “published” to the Blue Iris server so that it may be retrieved by the client apps using
an option on the About page in Settings. The new address may also be published to the
Messages page in Status, possibly with “error” status so that it can be pushed to you using
the Status Alerts in Messages.
The use of SSL (secure sockets layer) for HTTPS (secure HTTP) is possible via an added
software layer. Software such as the recommended (and free) Stunnel operates a second
web server (a second port) on your PC to listen for HTTPS connections. Stunnel decodes
these conversations and sends them to the Blue Iris HTTP server. This will be further
discussed in topics below.
As the web server is automatically installed and running, it should in most cases become
immediately available if you open a browser on the PC and use the address:
http://127.0.0.1:81

This is a special IP address that always refers to the local PC you are using. The :81 refers to
the default Blue Iris port number on the PC. You may also use the PC’s LAN IP address, for
example (yours will be different):
http://192.168.0.19:8081
Due to security software and other default protective measures, just because a web service is
running on the Blue Iris PC does not mean it will be immediately visible to anyone else on
the LAN (your local-area network, generally equating to your home or office), let alone from
the outside (the Internet or WAN, wide-area network).

NETWORKING AND ROUTER CONFIGURATION
There are two ways to configure remote access. The first is most direct, but involves
“opening a port” on your router to allow remote traffic to connect through to your PC on a
specific port (channel). This may be a simple task, or it may be extremely challenging,
depending on your network topology (hardware and connections) and networking
experience. If your attempts fail, or if your ISP simply disallows these types of connections
on any port (some satellite services notoriously), your recourse is to use a secure tunnel.
A secure tunnel is what something like a Nest thermostat or Rachio sprinkler system uses
to provide you access to your home devices without configuring any of your router or other
network hardware—the local devices and your remote clients (phone apps) “meet up” at a
designated website (typically operated by the device manufacturer). If it becomes necessary
to use a secure tunnel instead of opening a port through your router, the NGROK service is
recommended (https://ngrok.com). This is a free service and requires minimal
configuration on the local PC.
Please understand that as there are so many variables both hardware and software, router
configuration for remote access is strictly not a Blue Iris support issue, however we do all
that we can to assist, beginning with the Remote Access Wizard.

REMOTE ACCESS WIZARD
The Remote Access Wizard covers many topics which must be addressed for remote access
regardless of the type of connection you will be making. It is accessed either from the main
menu or from a button on the Web server page in Settings.
Introduction

Firewall and antivirus
The first step is to ensure there is no local firewall or antivirus software restricting access to
the Blue Iris server port. If you do not see a green check mark, use the Create/update rule
button. When you first launched Blue Iris, you would have been queried by the operating
system on whether to allow Blue Iris access through the firewall. If you did not say Yes at
that time, you may repair that now.

Note that this addresses the Windows firewall only. You may have additional firewall and
security software installed on the PC which may also need to be adjusted to “trust” Blue Iris
to use the Internet. It’s also possible to have a hardware firewall appliance, a separate device
or built-in to the router. These may require configuration through their respective browser
interfaces.
Internet access
This next step basically tests access through the firewall to verify outbound connectivity. If
you do not see a green check mark here, you must return to the previous step and address
all installed firewall software on the PC to make exemptions for Blue Iris.

Web server
This step verifies that the Blue Iris service is actually running (listening) on the specified
port. If all steps are successful to this point, you should have local access to your Blue Iris
server from any other PC on the LAN (same home or office network). If you are unable to
access the Blue Iris server locally, the PCs or devices may be on separate LAN segments and
it may be necessary to move/connect the Blue Iris PC to a more central or root segment
(closer to the modem via switch instead of through possibly multiple routers). If you are
unfamiliar with these topics, you may need to contact a networking support service.

If you are running Stunnel for HTTPS, that uses a second port, and that is tested here as
well.
Router
This step ensures that you are able to access the configuration on your router. If you are
using a secure tunnel with NGROK or otherwise, this step and the next may not be relevant
or required.

Your router’s LAN IP address is identified and displayed, and you may use the Open button
to bring it up in a browser. If you are unaware of your router’s login information or it was
installed on your behalf, you may need to contact the installer or the router’s manufacturer
for this information.
Port forwarding
The act of opening the port for remote access is called “port forwarding” in most router
setup pages, but may only be found on Advanced pages in the interface. Port forwarding
works by assigning a public/remote port number to a service (the Blue Iris web server). The
router then forwards all inbound traffic on this port to your Blue Iris PC. Technically the PC
port number may be set differently from the remote port number, but to keep things straight
these two are generally set to the same number. The protocol selection should be TCP or
“both.”

UPnP is a technology which attempts to complete this step for you. It is not always going to
be effective, as it may be turned off as a feature in your router for security. Also, although
Blue Iris requests the rule to be permanent, this is often not honored and the router resets
(removes) the port forwarding rule and it must be completed over and over perhaps daily or
weekly.
Multiple routers
If your Blue Iris PC is not connected directly to the modem via a simple switch (hub), there
may be multiple routers to configure, and these require configuration in series. That is, the
router that “sees” the Internet must be configured to send traffic to the next router in
sequence, which finally connects to the Blue Iris PC. For example:
Internet —> Router 1 —> Router 2 —> Blue Iris PC
66.22.11.11 —> 192.168.0.1 —> 192.168.0.2 —> 192.168.1.6
(and 192.168.1.1)
Router 1 may have a LAN address of 192.168.0.1. Router 2 is a “client” of router 1, and
may have a LAN address of 192.168.0.2 for example. In this example, port forwarding is
completed on router 1 to send port 81 traffic to 192.168.0.2. The Blue Iris PC is a client on
router 2 with a LAN address of (for example) 192.168.1.6. Router 2 would be configured to
forward traffic on port 81 to 192.168.1.6.
This is sometimes called multiple NAT (network address translation), because each router
uses a different address set (notice the .1. instead of .0. in the addresses that each router
handles).
Remote access test
Finally, a test is performed to determine if your router/s have been properly configured:

The website canyouseeme.org offers similar functionality.
Client app login
This page details what you need to use with the client apps for iOS and Android. All
previous steps (or NGROK configuration) must first be completed.

If an admin account has not been created on the Users page in Settings, the software can
automatically create one for you here.
Dynamic IP
If your remote WAN address is often changed by your ISP, you may lose access to your
system until you determine the new address. By using your license key, you can have the
client apps “look up” the addresses for you if they were registered with Blue Iris on the
About page in Settings. Also or instead, you may use a third party service to manage this.


One popular service is no-ip.com, but others exist such as DynDNS.com. Also, if you are
using NGROK, this may be included as well. These services allow you to use a name such as
myserver.no-ip.com instead of a number. The way these services work is to install a small
client software on your PC which sends your current WAN IP address to their website.
Using your name remotely, the website “looks up” your current WAN address.

USERS AND CONNECTIONS
Potential users of your Blue Iris server are managed on the Users page in Settings.

The local_console user is automatically created and is used only locally when you open the
software. There are ways to log in locally using another account to limit access, discussed in
the Administration chapter.

The Anonymous user is automatically created if you allow access without authentication (a
login) on either a LAN or WAN connection. This is covered in the Advanced topic below.
Add or edit an existing user:

ID
A user should have a specified password in order to be used remotely.
Access
A remote user with Administrator access may make configuration changes to your system
and delete video clips—please enable this with caution. Remote management allows a
user to connect using another Blue Iris installation to remotely control this one. Only one
user at a time may be connected in this way, and when connected it will not be possible to
use the local console (it will be closed if currently open, but the software service will
continue to run in the background).
The LAN only option attempts to discriminate between local and remote users. Note that
if using Stunnel for HTTPS, all connections may appear to be local, as Stunnel accepts the
connections and then forwards these to Blue Iris.
The PTZ/control option allows the user to move the camera or to make other camera
control changes such as brightness, IR lights, DIO output settings, etc.
The Audio Listen/Talk option may be disabled to prevent the user from listening to the
audio from the camera or sending audio to the camera using a microphone.
The Limit to camera groups setting prevents users from accessing restricted cameras.
Camera groups are set on their General pages in Camera Settings. Each camera may be a
member of multiple groups for this purpose. A camera group is deleted only when all
cameras are removed from that group. Remote users have access only to recorded video
which was recorded from an accessible camera.
Unselect the View recorded clips option to prevent access to any recorded video at all. You
may also restrict the user to video associated with enabled cameras only.
Scheduled access
If enabled, the Schedule interface may be used to select the times during which the user may
connect. Only the Inactive (clear) and Profile 1 (green) drawing is significant here. The
user will be granted login only when the schedule shows active (green).
Other time restrictions
You may restrict the user to a specific number of minutes for each authenticated session,
along with a specification of the number of minutes they must wait between successive
connections. A per-day (24 hour calendar day) restriction is also possible.
A per-stream time limitation is available as well. This will automatically break a continuous
streaming connection after a specified number of minutes. The user will need to re-initiate
a camera video stream when the timer expires. This exists to prevent a user from initiating
a stream and then “walking away” from the PC while this is open.
Bandwidth limitations
You may restrict a user to a specific streaming profile which may be of lower quality.
Streaming profiles are configured on the Advanced page from the Web server page in
Settings.
Another possibility is to limit the number of FPS (frames per second) the user may receive
from a video stream.
Notifications
You may select that a user receive push notification only when specific profiles are active.
Note that in addition to this setting, the user’s device must also be enabled for push
notifications on the Mobile Devices page in Settings.
By default, the software tracks the number of new alerts for each user, for each camera. This
results in counters placed near camera icons on the client app. The alert counters are
typically only reset when the user clicks on the associated camera for live streaming or plays
a new clip recorded from the camera. This behavior may be disabled here.
With an option on the Status Alerts page from the Messages page in Status, notifications
may be sent when users log in remotely. However, you may wish to suppress this behavior for
specific users, and that may be done here with a checkbox.
Actions
You may select any number of actions to perform upon user login or logout. Please see the
chapter on Alerts and Actions for more information on configuring these actions.
Connections
Active connections are shown on the Connections page in Status.

Each connection shows an address, a hostname (the remote name, if it may be determined),
the authenticated user, the bit rate (in kbps), the frame rate (fps), total number of frames
served, the current “object” (typically a camera or clip) being streamed, and the duration of
the session. The total number of times this connection entry has been re-used (possibly due
to multiple logins over time) is shown in the # column, along with the total session time
for this and all previous connections.
Note that a connection does not become a login until the connection has been authenticated
(logged on with a valid user and password).
Previous connections from temporarily banned addresses are shown in red. Connection
banning is managed on the Advanced page from the Web server page in Settings.
One or more connections may be cleared by highlighting them and using the Clear button.
An active login will be logged out and disconnected.

BROWSER INTERFACE
The powerful UI3 browser interface may be used in place of a client phone app or remote
management connection.

This client works best with a modern HTML5 browser such as Chrome. This interface was
designed and built by a third party however—so separate help and support may be available
via the “three dot” menu button at the top/right of the window.
You may choose to use the legacy Blue Iris server pages by unchecking the option on the
Web server page in Settings.

MOBILE DEVICE ACCESS
Apps are available for both the iOS and Android device platforms which offer extended
features such as geofencing and push notifications. Prior to using these apps, remote access
must first be configured and working (see previous topics in this chapter). When you add a
Blue Iris server to the app, you must complete a login page:

You may use part of your license key to “look up” your server addresses instead of entering
them manually. If your WAN address changes frequently, you may wish to use the option to
look up the address each time that you use the app. Using the option to look up the
addresses requires use of the Blue Iris website and you must have registered your addresses
with the website by using the checkbox on the About page in Settings. Use of the license
key here to register and look up your addresses is optional.
The app will attempt both the LAN and WAN addresses to make a connection, with
preference for the LAN address (used when you are at home or in the office). While
connected using the WAN address, the app occasionally attempts to revert to the LAN
address if possible.
Mobile device management
Following a connection from the client app, the mobile device will be added to the Mobile
Devices page in Settings:

Here, you may view the type of device, its name, and whether it’s currently inside or outside
of the fence if using geofencing. You may also select whether or not the device participates in
push notifications and give it a description. For more device settings, highlight a device and
use the Edit button or double-click the device in the table:

Here you may set the description and device tags. Multiple tags may be separated by
semicolons. When configuring a push notification action, you may select to send the
notification only to devices with a matching tag.
Some Android devices on older OS or on certain networks may require the use of the legacy
GCM push notification format instead of the newer FCM format, and that may be selected
here.
Geofencing
Geofencing provides a way for the Blue Iris to take action based on the position of your
mobile devices, generally whether they are inside or outside of your home or office.
A geofence is primarily a phone OS function and is set on the phone app in the app’s settings
page. The geofence is set as a circular perimeter around a specific location. That location
may be specified as either the phone’s current location or the Blue Iris server location. Your
phone’s location is obvious, and may be used when the phone is inside the house near your
Blue Iris PC. The Blue Iris server location is only known or accurate if you set this location on
the About page in Settings on the PC software. The location is specified as latitude and
longitude coordinates. Following a change to this location, you must re-login to the phone
app in order to download the coordinates to the app prior to setting the fence.
In response to a change in a device location, either moving into or out of the set geofence,
you may perform any number of actions as defined by an action set (see that chapter). You
may choose to perform these actions only when all other devices are also inside or outside of
the fence.
There are a number of moving parts when using geofencing, and many of them are device
specific. The device’s location must be accurate via GPS and the phone OS must “wake” the
app in order to notify the server. Often, battery or power-saving features on the device
will limit geofence effectiveness. Further, the app must be able to use the WAN address to
connect to your Blue Iris server to adjust the status on the Mobile Devices page in Settings.
Options exist in the client apps for notification upon both successful and unsuccessful
attempts to notify the Blue Iris server of the change in geofence status.


REMOTE MANAGEMENT
Remote management allows you to use one Blue Iris installation to connect to potentially
dozens of others and to administer and access features on those remote installations as
though you were at those locations.
A list of remote systems is maintained on the Remote page in Status.

This list provides an overview of the status of each connected system including details such
as CPU, RAM, up-time, software version, license, and clips storage details.
It’s possible to connect to and disconnect from each system from this interface without making
that system the active system in the local UI. While connected you may also right-click the
server to force a download of the current Blue Iris software update. The update will proceed
on the remote system and it will be automatically reconnected here when the remote system
is restarted.
Add or edit (double-click) a system on the list to set additional preferences:

The system’s name is set on each system’s About page in Settings.

Connection
You may specify two addresses for the system. These may be LAN and WAN for example if
you access it both locally and remotely. When making the connection and logging in, the
software attempts the primary address first, and then rotates between the two if a
connection cannot be immediately established.
For each URL, you may specify and edit the video encoding properties to be used. These are
the same streaming profiles used by the browser and phone apps, editable on the Advanced
page from the Web server page in settings, placed here for your convenience.
For each remote system managed, that system must be running as a service, and you must
use a user account which has been granted the remote management privilege on the Users page
in Settings on that remote system.
Options
You may choose to connect to each system automatically when you start Blue Iris. Note
however that when connected via remote management, it is not possible to use the console
at the remote system location—the console and remote management are mutually exclusive.
You may choose to automatically disconnect from the remote system when it is no longer
the active system. The active system is the one selected with the control at the top of the
main window UI.
You may choose the amount of local storage to devote to clips and other files downloaded
from the remote system. For security or otherwise, upon disconnection, you may also
choose to delete these files as well as all temporary files associated with the remote system.
When a remote system is connected and selected as the active system, the software will play
sounds and popup notifications from the remote system. If you would like to receive these
while connected even when it’s not the active system, select the option here to do so. This
allows you to receive these types of alerts from any combination or all managed systems
simultaneously.
Operation
When the software is connected to the local cameras the remote management selection box
shows Local:

When you select a remote system, this will show a green icon upon successful connection:

If your local system runs as a service, all local cameras and functions will continue to
operate in the background. Note that it should be possible to also add the local system as a
remote connection in order to continue monitoring its status along with the others if this is
required.
It’s possible to manage and to perform virtually all software functionality via the remote
management connection with few exceptions, and those exceptions will likely be mitigated
as this version of the software matures.
SSL AND HTTPS
Blue Iris authentication (login) is by default encrypted and secure already—no passwords
are sent in “plaintext.” Video however is only encoded and not encrypted by default. For an
added layer of security, you can add an SSL layer to the web server. For this we recommend
the Stunnel software (https://www.stunnel.org).
Stunnel runs a 2nd web server on your PC that listens for HTTPS requests (secure HTTP).
These are then forwarded to your Blue Iris server as configured above. The default HTTPS
port is 443, but you may use another (but not the same number as your Blue Iris server).
Once installed, you may edit the Stunnel configuration file, by default in a folder C:\Program
Files (x86)\stunnel\config called stunnel.conf. Locate the [https] section in this file:
; TLS front-end to a web server
[https]
accept = 443
connect = 81
cert = stunnel.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
;TIMEOUTclose = 0
Edit the “connect” line to connect to your Blue Iris server port number, by default 81.
The lines beginning with ; are comments and have no effect.
For remote access exclusively using HTTPS, you may route (port forward) port 443
exclusively instead of port 81. If you are using an HTTPS port number other than the
default 443, be sure to change this in all places (.conf file “accept” line, router port
forwarding as described earlier, as well as the Web server page in Settings).
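A consistency check for the [https] section described above, as an added example (not part of Blue Iris or Stunnel): the small parser is written here, the sample configurations are constructed, and the checks are the rules this section states (the accept port must differ from the Blue Iris port, connect must point at the Blue Iris port on this PC, and a certificate must be named).

```python
"""Consistency check for the stunnel.conf [https] section discussed above.

Added example, not part of Blue Iris or Stunnel. The parser is a minimal one
written here; the sample configurations are constructed. The rules checked
are those the section states: `accept` is the HTTPS port and must differ
from the Blue Iris port, `connect` must point at the Blue Iris port, and a
certificate must be named.
"""
from typing import Dict, List


def parse_stunnel_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse ';' comments, [section] headers and 'key = value' lines.
    Options before the first header are stored under the '' (global) key."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key.lower()] = value
    return sections


def _port_of(value: str) -> int:
    """'443' or 'host:443' -> 443 (stunnel accepts both forms)."""
    return int(value.rsplit(":", 1)[-1])


def check_https_section(text: str, blue_iris_port: int = 81) -> List[str]:
    """Return the problems found; an empty list means the section is consistent."""
    https = parse_stunnel_conf(text).get("https")
    if https is None:
        return ["no [https] section found"]
    problems: List[str] = []
    accept, connect, cert = https.get("accept"), https.get("connect"), https.get("cert")
    if accept is None:
        problems.append("missing 'accept' line (the HTTPS port Stunnel listens on)")
    elif _port_of(accept) == blue_iris_port:
        problems.append(f"'accept' uses port {blue_iris_port}, which is the Blue Iris "
                        "HTTP port; Stunnel and Blue Iris would conflict")
    if connect is None:
        problems.append("missing 'connect' line (where decrypted traffic is forwarded)")
    else:
        if _port_of(connect) != blue_iris_port:
            problems.append(f"'connect' forwards to port {_port_of(connect)}, but Blue Iris "
                            f"listens on {blue_iris_port}")
        # A bare port means localhost; anything else sends decrypted HTTP off this PC.
        host = connect.rsplit(":", 1)[0] if ":" in connect else "localhost"
        if host not in ("localhost", "127.0.0.1"):
            problems.append(f"'connect' sends decrypted HTTP to {host}, not to this PC")
    if not cert:
        problems.append("missing 'cert' line; Stunnel needs a certificate to serve HTTPS")
    return problems


# Constructed sample: 'connect' was left at the HTTPS port instead of the Blue Iris port.
MISCONFIGURED = """
[https]
accept = 443
connect = 443
cert = stunnel.pem
"""

# Corrected: the same section with 'connect' pointing at the Blue Iris port 81.
CORRECTED = """
; TLS front-end to a web server
[https]
accept = 443
connect = 81
cert = stunnel.pem
"""

if __name__ == "__main__":
    for name, conf in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(name, check_https_section(conf, blue_iris_port=81) or "OK")
```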

MORE ON SECURITY
When using Blue Iris and its web server, it is then no longer necessary to open individual
cameras for access from the Internet. Network IP cameras themselves have varying levels of
security and in general should not be trusted in this way. This is a major feature of this
software—a single point of network contact to your cameras without reliance on camera
security or cloud security.
The Blue Iris access model is called on-premises. Your video and authentication are not reliant
on outside cloud services. Because your video is stored locally, concerns of unauthorized
access are limited to physical access to your PC or credentials.
When anonymous access is permitted, you will see a user Anonymous added automatically to
the Users page in Settings. If you disable or limit this account, anonymous access will be
denied. In order to prevent anonymous access, retain the default setting Require from All
connections as discussed in the next topic.
The user local_console is automatically created whenever you connect via the console (the PC
running Blue Iris). It is not possible to use this account remotely so that it cannot pose a
security threat.

OTHER ADVANCED WEB SERVER TOPICS
You may leave these settings at default for a typical installation.

Authentication
Authentication just means the requirement of a user and password to login. Without
authentication, anyone can connect anonymously. You may choose to require authentication
only from remote WAN users.
Note however that if you are using Stunnel, all connections may appear to be coming locally
from the LAN as Stunnel is actually receiving the remote connections and forwarding these
to Blue Iris.
By default, authentication is made using secure (encrypted) methods with a separate login
page. For some applications you may require “basic” authentication, where the browser
prompts for a login; for this you may disable the secure login page. Although less secure,
basic authentication is more flexible, allowing user names and passwords to also be used in
the URL such as:
http://192.168.0.19:81?user=admin&pw=admin
Limit IP addresses
This provides a basic firewall function. The list may contain multiple entries separated by
semicolons. The first character defines the function:
+ allow this address
- deny this address
^ allow this address with admin privileges (use caution here)
An address is an IP address with 4 numbers separated by periods. As a wildcard, an asterisk
(*) may be substituted for any one or more of these numbers. Depending on the first address’s
allow/deny character, all IP addresses are by default allowed or denied. That is, if you begin
with +192.168.1.*, then all other IP addresses are considered denied unless otherwise allowed.
The opposite applies if you begin with a denied address (all other addresses will be considered
allowed unless specifically denied).
If an address is denied access on this list it is considered permanently banned. There is
actually a second temporary “denied” list maintained by the software that is not visible here.
If you choose to auto-ban an address after a specific number of failed login attempts, that
address will be added to one of these lists. If you select the option to release the ban after a
number of minutes, the banned IP address is added to this internal temporary list instead of
the one visible and editable here.
Temporarily banned IP addresses may be identified with red text on the Connections page in
Status.
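The list semantics and the two ban lists described in this topic, modelled as an added example (not Blue Iris's own code): entries split on semicolons, a leading +, - or ^, * as a per-octet wildcard, the first entry's function setting the default for unlisted addresses, and auto-ban placing an address either on the visible list or on the hidden temporary list. Precedence among several matching entries is not documented here, so the model assumes the last matching entry wins; the sample list and addresses are constructed.

```python
"""Model of the Limit IP addresses list and the auto-ban lists described above.

Added example, not Blue Iris's own code. It follows the documented rules:
entries separated by semicolons, each starting with + (allow), - (deny) or
^ (allow with admin), * as a wildcard for any octet, and the first entry's
function setting the default for unlisted addresses. Precedence among several
matching entries is not documented, so this model assumes the last match wins.
"""
import time
from typing import Callable, Dict, List, Optional, Tuple

ALLOW, DENY, ADMIN = "+", "-", "^"


def parse_limit_list(spec: str) -> List[Tuple[str, str]]:
    """Split '+a.b.c.d;-e.f.g.*' into (function, pattern) pairs, validating each."""
    entries = []
    for raw in spec.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        func, pattern = raw[0], raw[1:].strip()
        if func not in (ALLOW, DENY, ADMIN):
            raise ValueError(f"entry must start with +, - or ^: {raw!r}")
        octets = pattern.split(".")
        if len(octets) != 4 or not all(
            o == "*" or (o.isdigit() and int(o) <= 255) for o in octets
        ):
            raise ValueError(f"not an IPv4 address or wildcard pattern: {pattern!r}")
        entries.append((func, pattern))
    return entries


def pattern_matches(pattern: str, address: str) -> bool:
    """'192.168.1.*' matches 192.168.1.0 through 192.168.1.255; '*' fits any octet."""
    return all(p == "*" or p == a for p, a in zip(pattern.split("."), address.split(".")))


def evaluate(spec: str, address: str) -> Tuple[bool, bool]:
    """Return (allowed, admin) for `address` under the visible list `spec`."""
    entries = parse_limit_list(spec)
    if not entries:
        return True, False  # assumption: an empty list imposes no IP restriction
    # Default is the opposite of the first entry: a list beginning with an
    # allow denies everything else; one beginning with a deny allows the rest.
    allowed, admin = entries[0][0] == DENY, False
    for func, pattern in entries:
        if pattern_matches(pattern, address):  # assumption: last match wins
            allowed = func in (ALLOW, ADMIN)
            admin = func == ADMIN
    return allowed, admin


class AccessControl:
    """Visible limit list plus the auto-ban behaviour: after `max_failures`
    failed logins an address is appended to the visible list as a permanent
    '-' entry, or, when `release_minutes` is set, placed on the internal
    temporary list that the Settings page does not show."""

    def __init__(self, spec: str, max_failures: int = 3,
                 release_minutes: Optional[int] = None,
                 now: Callable[[], float] = time.time) -> None:
        self.spec = spec
        self.max_failures = max_failures
        self.release_minutes = release_minutes
        self.now = now  # injectable clock so the ban expiry can be tested
        self.failures: Dict[str, int] = {}
        self.temporary: Dict[str, float] = {}  # address -> release time (epoch seconds)

    def check(self, address: str) -> Tuple[bool, bool]:
        """Evaluate both lists; an expired temporary ban is released on first use."""
        release = self.temporary.get(address)
        if release is not None:
            if self.now() < release:
                return False, False
            del self.temporary[address]
        return evaluate(self.spec, address)

    def failed_login(self, address: str) -> None:
        """Count a failed login and ban the address once the threshold is reached."""
        self.failures[address] = self.failures.get(address, 0) + 1
        if self.failures[address] < self.max_failures:
            return
        del self.failures[address]
        if self.release_minutes is None:
            entry = f"{DENY}{address}"
            self.spec = f"{self.spec};{entry}" if self.spec else entry
        else:
            self.temporary[address] = self.now() + self.release_minutes * 60


if __name__ == "__main__":
    # Constructed sample: the LAN is allowed, one workstation gets admin, all else denied.
    acl = AccessControl("+192.168.1.*;^192.168.1.10", max_failures=3, release_minutes=15)
    for addr in ("192.168.1.10", "192.168.1.77", "10.0.0.5"):
        print(addr, acl.check(addr))
```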
More authentication options
You may limit the number of simultaneous users connected to the Blue Iris web server. All
connected users share your system resources, so it may become necessary to limit these
connections to maintain system stability.
By default only authenticated connections (logins) are logged to the Messages page in Status. If
you’d like to see each ping of your server, select the option to log all connections. A
connection is not the same as a login. No video or other information is served to a
connection unless it is authenticated.
The options for X-Forwarded-For and Strict-Transport-Security headers were added for users
in enterprise environments requiring specific HTTP security features. You may read about
them here:
https://en.wikipedia.org/wiki/X-Forwarded-For
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
Content
Video is compressed as it is sent to a remote client. You have control over the way the video
is compressed in order to balance quality against bandwidth:

The important settings here are Quality and Rate control. If you use rate control (by
default), the software attempts to keep a steady bit rate, which is ideal for streaming video.
However, the downside of this is that the occasional larger (key) frames will be more
compressed, potentially causing a “pulse” of pixelation each 5 seconds or so. When you
remove bit rate limiting however, the bandwidth is variable and may not be suitable for a
low-bandwidth connection—some larger (key) frames may require more time for
transmission, causing pulses in the timing instead of the quality.
The spacing of these larger frames is controlled by the frame type layout. For streaming
video, it’s generally OK to space these longer, perhaps each 300 frames.
Iframes are HTML elements where essentially one page is displayed within another page.
Certain security requirements specify that this not be allowed.
HttpOnly may be added to cookies generated by Blue Iris and this may be a required setting
for some PCI compliant networks. You may read about their function here:
https://www.owasp.org/index.php/HttpOnly
“deflate” compression may be applied to images, HTML, and other data supplied by the Blue
Iris server, greatly reducing transferred bandwidth at the expense of a negligible amount of
CPU time. You may read about this technology here:
https://en.wikipedia.org/wiki/DEFLATE
The Allow directory listing option should be disabled for all but very specialized cases.
This will allow a remote user to see and directly download all files in managed folders such
as /clips/ and /www/.
The option to send a Rich push (3D) notification image actually refers to how push
notifications are sent by an action set (see that chapter). Instead of text, a camera image
may be sent as well. Further, with iOS (not Android at the time of this writing), it’s possible
to send a short 10-image GIF movie instead of the JPEG.