ECP returning 403 Forbidden from AWS requests

Question

We have a set of Roku devices in a LAB which we connected to our VPN and AWS.In AWS we are running a CI tool which we want to use with the devices, and the devices are correctly responding to the CI host calls:&nbsp;tmp-shel:~# nc -vz 100.101.250.39 8085
Connection to 100.101.250.39 8085 port [tcp/*] succeeded!
tmp-shel:~# nc -vz 100.101.250.39 8060
Connection to 100.101.250.39 8060 port [tcp/*] succeeded!
tmp-shel:~# nc -vz 100.101.250.39 80
Connection to 100.101.250.39 80 port [tcp/http] succeeded!
tmp-shel:~# telnet 100.101.250.39 8085
Connected to 100.101.250.39&nbsp;However, when we attempt any request to the ECP, we receive 403, i.e:&nbsp;tmp-shel:~# curl -vo /dev/null -s -w "%{http_code}
" http://100.101.250.39:8060/query/device-info
*   Trying 100.101.250.39:8060...
* Connected to 100.101.250.39 (100.101.250.39) port 8060 (#0)
&gt; GET /query/device-info HTTP/1.1
&gt; Host: 100.101.250.39:8060
&gt; User-Agent: curl/8.0.1
&gt; Accept: */*
&gt; 
&lt; HTTP/1.1 403 Forbidden
&lt; Server: Roku/12.0.0 UPnP/1.0 Roku/12.0.0
&lt; Content-Length: 0
&lt; 
* Connection #0 to host 100.101.250.39 left intact
403

tmp-shel:~# curl http://100.101.250.39:8060/keypress/Home -X POST -d '' --verbose 
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 100.101.250.39:8060...
* Connected to 100.101.250.39 (100.101.250.39) port 8060 (#0)
&gt; POST /keypress/Home HTTP/1.1
&gt; Host: 100.101.250.39:8060
&gt; User-Agent: curl/8.0.1
&gt; Accept: */*
&gt; Content-Length: 0
&gt; Content-Type: application/x-www-form-urlencoded
&gt; 
&lt; HTTP/1.1 403 Forbidden
&lt; Server: Roku/12.0.0 UPnP/1.0 Roku/12.0.0
&lt; Content-Length: 0
&lt; 
* Connection #0 to host 100.101.250.39 left intact&nbsp;&nbsp;The same actions work with no issue from our VPN:&nbsp;➜  ~ curl http://100.101.250.39:8060/keypress/Home -X POST -d '' --verbose
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 100.101.250.39:8060...
* Connected to 100.101.250.39 (100.101.250.39) port 8060 (#0)
&gt; POST /keypress/Home HTTP/1.1
&gt; Host: 100.101.250.39:8060
&gt; User-Agent: curl/7.87.0
&gt; Accept: */*
&gt; Content-Length: 0
&gt; Content-Type: application/x-www-form-urlencoded
&gt; 
* Mark bundle as not supporting multiuse
&lt; HTTP/1.1 202 Accepted
&lt; Server: Roku/12.0.0 UPnP/1.0 Roku/12.0.0
&lt; Content-Length: 0
&lt; 
* Connection #0 to host 100.101.250.39 left intact
➜  ~ curl -vo /dev/null -s -w "%{http_code}
" http://100.101.250.39:8060/query/device-info
*   Trying 100.101.250.39:8060...
* Connected to 100.101.250.39 (100.101.250.39) port 8060 (#0)
&gt; GET /query/device-info HTTP/1.1
&gt; Host: 100.101.250.39:8060
&gt; User-Agent: curl/7.87.0
&gt; Accept: */*
&gt; 
* Mark bundle as not supporting multiuse
&lt; HTTP/1.1 200 OK
&lt; Server: Roku/12.0.0 UPnP/1.0 Roku/12.0.0
&lt; Content-Length: 3297
&lt; Cache-Control: no-cache
&lt; Content-Type: text/xml; charset="utf-8"
&lt; 
{ [1348 bytes data]
* Connection #0 to host 100.101.250.39 left intact
200&nbsp;&nbsp;Per the similar post for 403 forbidden, this is usually fixed by using the device IP, but I am already doing it that way.I have generated a tcpdump, and it shows the request made it to the Roku device, and then it rejected it.Any insight would be appreciated.&nbsp;

RokuBen · Answer

On the device, go to Settings / System / Advanced system settings / Control by mobile apps.&nbsp; The default setting only allows ECP request from the private IP network addresses.&nbsp; If you set this to permissive, it will also allow requests across the device's subnet, which might work with AWS depending on how it's connected to your network.&nbsp; You might need some sort of local ECP proxy service running on your network to forward the requests from your AWS servers.

jessgofi · Answer

Thanks for your response.- We enabled permissive in the devices and opened our firewalls for debugging, but the 403's keep coming. - We do see the TCP handshakes happening every time, but only when the http call to ECP is sent, it is rejected.-&nbsp;We attempted the port 8085 but nothing is displayed at the time we send the requests.We understand this could be because of the ECP security features rejecting those requests, but at the moment it is a black box why ECP decides to rejects them.Do you happen to know if there is some documentation about those security features and maybe a way to further debug from the devices? &nbsp;Thank you

RokuBen · Answer

This is an intentional security feature to keep Roku devices from being controlled from the Internet. Since AWS's IPs are outside the subnet your devices are on, they get rejected by the server.

The only way to have this work is if you setup a proxy on your local network to which AWS can connect that would then forward the requests to the devices.

Forum Discussion

ECP returning 403 Forbidden from AWS requests

3 Replies

Recent Discussions

Developing a personal/private media player

DoRecovery API

Anyone experiencing trouble adding new products?

Consumable Product?

Bif file creator