Version 1.3
About the Swank Streaming Server
Swank Streaming Server makes it easy to view copyrighted Hollywood movies and TV shows directly on your users' personal devices. Video content is accessed directly via a custom web portal, on demand.
Our solution is compatible with multiple browsers, devices, and operating systems. It works with any Apple Mac or Windows-based PC, iOS or Android (3.x and higher) device; tablet or smartphone. All movie content is protected by Digital Rights Management (DRM) technologies. There are no limits to the number of devices that can connect and there are no limits to the number of playbacks. Video stream quality is network friendly, adjusting on the fly to avoid playback disruption, using adaptive bitrate streaming.
Document Purpose
This document is designed to supply an overview of the Swank Streaming Server solution and all technical requirements for installation and operation of the service in your network.
Swank Streaming Server Technical Overview
Network Requirements
*Domain names listed in this document should be resolved by a public DNS server
Service | Description | Ports | IP Address / URL |
Product Update Service | Provides Product Updates, O/S patching and Security | tcp:80,443 | wsus.swankmp.com |
Content Administrative Services | Content Update and Playback License Services | tcp:80,443 | pr.swankmp.net fairplay.swankmp.net marlinproxy.swankmp.net |
Content Delivery Service | Content updates from Swank Motion Pictures (SMP) to On-site Streaming Server via Aspera FASP protocol. | tcp/ssh:33001 udp:33001 | cdntransfer.swank.com |
SMP Digital Support | Remote Management Services and Technical Support. | tcp:443 | secure.logmein.com |
Usage Tracking | Streaming server usage metrics collection endpoint | tcp:80,443 | usagetracking.swankmp.net s3usagetracking.swankmp.net |
Permalink Service | This is needed for permalink administration | tcp:80, 443 | s3api.swankmp.net |
On-Site Devices – Network Requirements for Content Playback
Service | Description | Ports | IP Address / URL |
VOD Site | Access to Web Site Streaming the content to the device (movies and Poster art). | tcp:80,443 | IP Address of VOD Site Server (URL determined prior to installation) ex: https://movies.housing.edu |
License Services | Playback (DRM) license services | tcp:443 | pr.swankmp.net |
HTTPS/SSL Requirement
An SSL certificate must be present on the server and the https:// protocol must be used for streaming DRM content. The server is by default bound with our *.swankmp.net certificate. You can simply use a subdomain of *.swankmp.net, redirect from a custom URL, or we can accommodate your SSL cert for your custom URL.
Option 1: (Easiest and recommended for all API integrations) If you are using our API, users are not directly accessing content via a browser, or you are not concerned with the URL formatting, you can simply use a subdomain of *.swankmp.net
- You would simply add a local DNS record that resolves the subdomain of *.swankmp.net to the local IP address of the Swank Streaming Server, e.g.: https://movies-school-edu.swankmp.net resolves to [local IP address]
Option 2: Redirect a custom URL to a subdomain utilizing the existing *.swankmp.net certificate:
- You can advertise a custom URL and have the URL redirect to the swankmp.net page. **Your originating link must be HTTP in order to avoid SSL errors in Chrome**
- Example: advertise http://movies.school.edu --> redirects to https://movies-school-edu.swankmp.net
- To implement this, Swank will need to know what URL you will be advertising and will set up the redirect for you. Swank also manages all certificate updates and renewals.
Option 3: Utilize a URL or wildcard certificate specific to your location:
- You will need to provide an individual URL Certificate (movies.school.edu) or a wildcard certificate (*.school.edu) to Swank. Swank will then require a remote session to the server to install and bind the certificate.
Installation and Implementation Options
Server Location
The Swank Streaming Server can be located in your datacenter or MDF closet. At a minimum, the server should be physically secured and have a 1 Gigabit (Gbps) Ethernet connection to your network.
Server Management
The Swank Streaming Server is deployed as a managed appliance and is owned and operated by Swank Motion Pictures, as stated in your contract. All hardware and software services within the appliance are supported exclusively by SMP Digital Support.
Hardware
Swank Streaming Servers are deployed on various models of high-end equipment. Each server is equipped with a power supply and internal storage for movie content. Upon termination of your contract, the hardware will be reclaimed by Swank Motion Pictures.
Security and Patch Management
The Swank Streaming Server has been secured to protect content and system settings. Attempting to change the system or access hardware components in any way without the explicit consent of Swank Motion Pictures is strictly prohibited. If you suspect or witness any tampering with or breach of system security please contact your sales representative immediately.
Server security patches are managed and tested by Swank Motion Pictures when received from Microsoft. Upon test completion, patches are pushed from the Swank Motion Pictures Windows Update Server to the streaming server four weeks after Patch Tuesday. The streaming servers are configured to download and install the patches at 4 AM the following Thursday morning.
Network Firewall Rules – Swank Streaming Server
Below is a summary of the network communication that is required to support the Swank Streaming Server behind a firewall on your network. We recommend configuring a firewall with the full IP ranges of the Streaming Services to account for service migrations within our datacenters.
Source IP | Destination | Destination Port(s) | Transport | Protocol | Application |
<Streaming Server IP> | 12.38.100.0/24 68.188.119.0/24 | 80,443 | TCP | http, https | Product Update Services - Content Delivery Services |
<Streaming Server IP> | 12.38.100.0/24 68.188.119.0/24 | 33001 | TCP | ssh | Content Delivery Services - Session Management |
<Streaming Server IP> | 12.38.100.0/24 68.188.119.0/24 | 33001 | UDP | fasp | Content Delivery Services - Aspera FASP Protocol |
<Streaming Server IP> | | 443 | TCP | https | SMP Remote Support |
<Streaming Server IP> | usagetracking.swankmp.net 20.221.242.164 | 80, 443 | TCP | http, https | Streaming server usage metrics collection endpoint |
<Streaming Server IP> | s3api.swankmp.net 20.221.242.164 | 80,443 | TCP | http, https | Permalink service |
<Client IPs> <Streaming Server IP> | wvlsmod.swankmp.net 12.38.100.99 20.221.242.164 fairplay.swankmp.net 12.38.100.77 pr.swankmp.net marlinproxy.swankmp.net | 443 | TCP | https | DRM Services |
Application Layer Firewall considerations
For customers that are deploying the Swank Streaming Server behind an application layer firewall, note that authentication for the Content Delivery Services uses ssh over port 33001. If this traffic is not permitted, content updates will not process.
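The firewall rules table above can double as an egress baseline for the appliance. The following is an added example, not Swank's code: it encodes each table row and reports flows from the streaming server that match none of them. The flow-record format, the server address 10.20.0.5 and the sample lines are constructed, and hostname matching assumes your flow source records the resolved name.

```python
import ipaddress

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

SMP = nets("12.38.100.0/24", "68.188.119.0/24")
# One tuple per table row: (transport, ports, dest networks, dest hostnames, application)
RULES = [
    ("tcp", {80, 443}, SMP, set(), "Product Update / Content Delivery"),
    ("tcp", {33001}, SMP, set(), "Content Delivery session management (ssh)"),
    ("udp", {33001}, SMP, set(), "Content Delivery (Aspera FASP)"),
    # No destination in the firewall table; hostname from the Network Requirements table.
    ("tcp", {443}, [], {"secure.logmein.com"}, "SMP Remote Support"),
    ("tcp", {80, 443}, nets("20.221.242.164/32"),
     {"usagetracking.swankmp.net", "s3api.swankmp.net"}, "Usage tracking / Permalink"),
    ("tcp", {443}, nets("12.38.100.99/32", "12.38.100.77/32", "20.221.242.164/32"),
     {"wvlsmod.swankmp.net", "fairplay.swankmp.net", "pr.swankmp.net",
      "marlinproxy.swankmp.net"}, "DRM Services"),
]

def classify(transport, dst_ip, dport, host=None):
    """Return the application of the first table row a flow matches, else None."""
    ip = ipaddress.ip_address(dst_ip)
    for proto, ports, networks, hosts, app in RULES:
        if transport.lower() != proto or int(dport) not in ports:
            continue
        if any(ip in n for n in networks) or (host and host.lower() in hosts):
            return app
    return None

def unexpected_egress(log_lines, server_ip):
    """Return flows sourced from the appliance that match no row of the table."""
    flagged = []
    for line in log_lines:
        src, dst, transport, dport, host = line.split()
        if src == server_ip and classify(
                transport, dst, dport, None if host == "-" else host) is None:
            flagged.append(line)
    return flagged

# Constructed flow records: src dst transport dport resolved-host-or-dash
SAMPLE = [
    "10.20.0.5 12.38.100.41 tcp 443 -",
    "10.20.0.5 68.188.119.9 udp 33001 -",
    "10.20.0.5 203.0.113.50 tcp 443 secure.logmein.com",
    "10.20.0.5 12.38.100.41 tcp 22 -",
    "10.20.0.5 198.51.100.7 tcp 443 -",
    "10.20.0.9 198.51.100.7 tcp 443 -",
]
```

The traffic-shaper table further down this page lists TCP 22 and UDP 33001-33200 toward the same ranges; this example encodes only the firewall table, so such flows are reported for review.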
Bandwidth Expectations
The Swank Streaming Server maintains a 1 Gbps network interface for content delivery to your network. Our testing suggests that the actual limit is closer to 600 Megabit (Mbps) of streaming content to the network, regardless of the number of concurrent users connected to the server.
The Swank Streaming Server media players use Adaptive Bitrate Streaming (ABS) and automatically adjust to network conditions and playback performance of connected devices. For more information on ABS visit: https://www.cloudflare.com/learning/video/what-is-adaptive-bitrate-streaming/
Note: the SMP Digital Support Team is available to review your wireless configuration upon request.
Network Traffic Shapers and Quality of Service
The SMP Content Delivery service traffic uses a secure, high-speed protocol for the transfer of all streaming content to the Swank Streaming Server. This protocol can be flagged by some Traffic Shapers as Peer-To-Peer and result in lowered bandwidth and priority at your site. We recommend consulting with your IT Networking Team to ensure that movie downloads are treated as normal traffic.
The traffic pattern to monitor for this condition would be:
Source IP | Destination IP(s) | Destination Port(s) | Transport | Protocol |
<Streaming Server> | 12.38.100.0/24 68.188.119.0/24 | 22, 33001 | TCP | ssh |
<Streaming Server> | 12.38.100.0/24 68.188.119.0/24 | 33001-33200 | UDP | fasp |
Swank MP Public IP Addresses:
The public IP addresses for our offices are 12.156.206.58 and 68.188.119.126. For initial setup and troubleshooting, temporary access to your resources may be required from Swank Motion Pictures.
IP Restrictions
In order to restrict access to authorized users only, the server will need to be configured to block all IP addresses except the ones you provide as authorized. An example of allowable ranges of client IPs would be 192.168.0.0/16. Note: Multiple ranges can be supported for more complex networks. To set up IP Restrictions for your site, log into the Administrator site (SiteURL/admin) and click on the IP Restrictions tab.
There are four types of IP Allowances that can be configured:
Single IP
Use this option to allow one machine's IP address to access the site.
IP Range
Use this option to allow access to a range of IPs using the lowest and highest address.
CIDR Range
Use this option to allow access to a range of IP addresses using a CIDR Range value.
Subnet Mask
Use this option to allow access to a range of IP addresses using a Subnet Mask.
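The four allowance types above all reduce to sets of networks, which makes a planned list easy to check before it is entered in the admin site. The following is an added example, not the appliance's code: the (type, value) tuple layout, the function names and the sample entries are hypothetical, and the review for entries outside RFC 1918 space assumes a site that uses private addressing like the 192.168.0.0/16 example.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def to_networks(kind, value):
    """Normalise one allowance entry to a list of networks; reject malformed input."""
    if kind == "single":
        return [ipaddress.ip_network(str(ipaddress.ip_address(value)))]
    if kind == "range":
        low, high = (ipaddress.ip_address(v.strip()) for v in value.split("-"))
        # A range that is not CIDR-aligned expands to several networks.
        return list(ipaddress.summarize_address_range(low, high))
    if kind == "cidr":
        return [ipaddress.ip_network(value, strict=True)]
    if kind == "mask":
        addr, mask = value.split()
        # strict=True raises ValueError when host bits are set under the mask.
        return [ipaddress.ip_network(f"{addr}/{mask}", strict=True)]
    raise ValueError(f"unknown allowance type: {kind}")

def is_allowed(client_ip, allowances):
    """Default deny: a client is admitted only if some allowance covers it."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for k, v in allowances for net in to_networks(k, v))

def outside_private_space(allowances):
    """Entries that admit addresses beyond RFC 1918 space and deserve a second look."""
    return [(k, v) for k, v in allowances
            if not all(any(n.subnet_of(p) for p in RFC1918)
                       for n in to_networks(k, v))]

# Constructed allowance list (hypothetical layout, not the appliance's format).
ALLOWANCES = [
    ("single", "192.168.10.25"),
    ("range", "192.168.20.10-192.168.20.40"),
    ("cidr", "10.4.0.0/22"),
    ("mask", "172.16.8.0 255.255.252.0"),
    ("cidr", "192.0.0.0/8"),  # typo for 192.168.0.0/16: admits public addresses
]
```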
Customer Monitoring
Basic monitoring of the appliance can be achieved through ping and http monitors (port 80). CPU, Memory and other performance metrics are managed and monitored by SMP Digital Support.
Remote Management
The SMP Digital Support team uses LogMeIn (LMI) for remote management of the Swank Streaming Server. This service provides a secure session for remote management, installation assistance and ongoing support.
LMI Security Whitepaper can be located here:
LMI HIPAA compliance information can be located here:
LogMeIn sessions
Each Swank Streaming Server maintains a constant SSL-secured connection with one of the LogMeIn gateway servers in a secure datacenter. This link is initiated by the host agent on the Swank Streaming Server and firewalls treat it as an outgoing connection, like secure web-browsing traffic.
Remote Management sessions are established through the SMP Digital Support portal. SMP support representatives are required to authenticate to this portal prior to accessing your server. SMP support can monitor the status of each server as well as exchange data through the host agent via the secure gateway. The traffic between the client session and the host agent is encrypted over SSL. The client session with a host agent will also need to authenticate itself to the host prior to any data exchange or remote session. Once the host has verified the client's identity and authorized the client to access the computer, the actual remote access session begins.
LogMeIn Data Encryption
The SSL/TLS standard defines a wide range of cipher suites, such as RC4 and 3DES, and some implementations offer more advanced suites that include AES as well. RC4 operates on 128-bit keys; 3DES uses 168-bit keys. AES can utilize 128- or 256-bit keys. The client and the host agree on the strongest cipher possible. The client sends the host a list of ciphers it can use and the host chooses the one it prefers from this list.
The SSL/TLS standard does not define how the host should choose the final cipher. In LogMeIn, the host simply selects the strongest available cipher suite that the client has offered.
This method allows both the client and the host to decline the use of specific data-encryption algorithms without needing to update both components. A more detailed overview of LogMeIn security is available upon request.
Common IT FAQ
Q: Does Swank Streaming Server comply with all common data center management standards?
A: Data center management is a complex process and we appreciate the benefits of standardization and security in managing their environments. However, some elements of the Swank Streaming Server deviate from data center standards. These are, unfortunately, necessary due to the requirements placed on us by the sensitivity of the content loaded on the server.
Q: Customer Logins - User IDs and Passwords for the Swank Streaming Servers?
A: We provide a limited access login to you for self-installs and initial network configuration.
Q: Can we join the Swank Streaming Server to our Domain?
A: The Swank Streaming Server is designed to be a standalone server and has been configured to optimize performance and stability. Therefore, it cannot be joined to a Domain. Joining the server to a Domain would impact our ability to manage the appliance.
Q: Can we add additional management software (Antivirus, Monitoring and Backup Agents)?
A: The Swank Streaming Server is a managed appliance and does not support customer supplied software. Monitoring and Antivirus components have been included as a part of our managed service.
Q: Can a VPN connection be substituted for LogMeIn?
A: LogMeIn is the preferred method for remote management that we support. It provides our support team with the best opportunity to service our deployments. However, if you feel you need to substitute a VPN connection for LogMeIn, please contact SMP Digital Support to discuss this option.
Q: Can Swank Streaming Server be virtualized?
A: Yes. The Swank Streaming Server has options for virtualization.
Q: What are the encoding specifications for loading custom content?
A: Video H.264, H264, MP4
Audio AAC
Acceptable profiles: Baseline, Main
Max Video Bit Rate 3Mbps
Max Audio Bit Rate 1Mbps
Q: What are the specifications for a site branding logo?
A: 300x100 pixels JPEG/PNG
Swank Motion Pictures Contact Information
Please submit any questions to:
Swank Digital Support
Comments
IP address has changed for the following endpoint:
usagetracking.swankmp.net (20.221.242.164)
I removed all references to pr.swankmp.com since that infrastructure is now obsolete. Traffic to that domain is automatically routed to pr.swankmp.net.