How does Haivision Helper Work?
Once installed, Haivision Helper works invisibly. It is configured to start automatically whenever a user logs in to their computer. Running continuously in the background, Haivision Helper does two things: (1) it launches some other Haivision application (e.g. multicast agent, low-latency agent, or InStream player) in response to a user’s request, and (2) it communicates with a secure server to see if authorized updates are available, and applies updates to itself as needed.
A Haivision Media Platform or Furnace web page communicates with Haivision Helper via JavaScript. But JavaScript, by design, runs in a sandbox in which it can only perform web-related actions, not general-purpose programming tasks like creating files or controlling third-party applications. Moreover, JavaScript is constrained by the "same origin policy": scripts from one web site do not have access to information on another site. How, then, does Haivision Helper communicate with the HMP/Furnace web page?
Haivision Helper has an internal API server which listens for commands on only the local device's loopback interface. A widely accepted mechanism called "Cross-Origin Resource Sharing" allows JavaScript code (from the HMP/Furnace web pages) running in the local browser to communicate with the locally installed Helper over secure HTTPS. This channel is used to provide Haivision Helper with a limited set of specific information (e.g. browser and OS type/version, server IP address). In a separate step, Haivision Helper uses this information to fetch and launch the proper Haivision application (e.g. multicast agent, low-latency agent, or InStream player) from an authorized HMP/Furnace server.
Since the JavaScript code in the browser needs to know how to reach Haivision Helper's internal API server, it is directed to use the client PC's local loopback IP address, which is always 127.0.0.1:<port number>. Because a port number is never guaranteed — some other local service, like a printer driver, may be using the loopback interface as well — when Haivision Helper first starts, it searches for and binds to the first free port in the 17210–17219 range. The JavaScript code searches for the locally installed Haivision Helper using the same range.
Haivision Helper is designed to communicate securely with the browser using the HTTPS protocol. To facilitate this secure communication, Haivision has a valid SSL/TLS certificate included in the application. SSL/TLS certificates require domain names (a certificate cannot be based on an IP address — this is a well-known security model). Haivision Helper uses the Distinguished Name "*.apps-local.haivision.com". This is what is referred to as a wildcard domain.
The wildcard domain name enables Haivision Helper to communicate with the browser using more than one hostname if needed, such as when a lot of data is being exchanged. The browser randomly generates the first part of the host name when it makes a call.
Note
- For Haivision Helper to work properly in a given network environment, the associated DNS servers must always resolve *.apps-local.haivision.com to 127.0.0.1 on the local user’s machine.
- HMP includes a Static Helper URL setting, which disables the wildcard domain. See Haivision Media Platform Integration for more details.
To see this secure communication between Haivision Helper and the browser in action, enter the following in a web browser:
https://<some-random-string>.apps-local.haivision.com:17210
You will see the Helper control panel and its valid HTTPS connection. Click on the lock icon beside the URL to get more details. An example from the Chrome browser is shown below:
In closed networks with no connectivity to external DNS resolution, an entry for the wildcard must be manually created in the internal DNS. This can be done at the network level (recommended) or directly on each client machine (via entry into the local hosts file). In either case, this entry must resolve to 127.0.0.1.
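One way to check the DNS and port behaviour described above from a client machine. This is an added example, not Haivision's code. It resolves random labels under the wildcard, flags any answer other than exactly 127.0.0.1, and lists loopback listeners in the Helper port range. The function names are hypothetical; the domain, address and port range are taken from this page.

```python
import secrets
import socket

HELPER_DOMAIN = "apps-local.haivision.com"  # wildcard domain named on this page
HELPER_PORTS = range(17210, 17220)          # 17210-17219, as stated on this page
LOOPBACK = "127.0.0.1"


def system_resolver(hostname):
    """Return the set of IPv4 addresses the OS resolver gives for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_wildcard(resolve=system_resolver, samples=3):
    """Resolve random labels under the wildcard; return (host, problem) pairs."""
    problems = []
    for _ in range(samples):
        host = f"{secrets.token_hex(6)}.{HELPER_DOMAIN}"
        addrs = resolve(host)
        if not addrs:
            problems.append((host, "no answer"))
        elif addrs != {LOOPBACK}:
            # Any other address would point the browser at a different host.
            problems.append((host, "non-loopback answer: " + ", ".join(sorted(addrs))))
    return problems


def tcp_open(port, timeout=0.5):
    """True if something accepts TCP connections on 127.0.0.1:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((LOOPBACK, port)) == 0


def listening_ports(is_open=tcp_open):
    """Ports in the Helper range with a loopback listener (not proof it is Helper)."""
    return [p for p in HELPER_PORTS if is_open(p)]


if __name__ == "__main__":
    for host, why in check_wildcard():
        print(f"FAIL {host}: {why}")
    print("loopback listeners in Helper range:", listening_ports())
```

An empty result from `check_wildcard()` means every sampled name resolved to 127.0.0.1 only; a listener found in the range still has to be confirmed as Helper, for example by opening the control panel URL shown earlier.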