This is why devices needing this ability have NAT settings so the user doesn't have to set up port forwarding. Specifically the receiver should recognize that it's on a NAT connection and set up NAT keep alive. (IMO, it ought to be the default mode) NAT keep alive will cause the router to acknowledge incoming requests from Dish simply by sending a few bytes to Dish on a periodic basis. VoIP is a big user of this technique. Based on what I've seen on my router, Dish Receivers do periodically send very small amounts of data through the router which I assume is for this purpose. It's obscure but I bet this is what Dish does, or they would be having many many more complaints about it.
I highlighted the key sentence and two very important words ... "from dish"
When you are at work .. you aren't Dish (unless by chance you work for them).
How would the firewall at your office allow you to connect to your Sling Device? Your firewall at work allows outbound access, and allows inbound response .... it must match the inbound "response" with the source and destination that it logged for your *outbound* request.
Your firewall at home, is pinging DISH for that keep alive ... so your firewall at home is expecting *dish* to respond *not* your office firewall.
What you're thinking of is the scheme that things like "Go To My PC" use (gotomypc<.>com) .... your pc runs the agent app ... it pings ("alerts" GTMPC, not the literal "ping" command) GoToMyPC that you're there ... and can be connected to. You at your office meanwhile, go to the GoToMyPC website ... you log in, it redirects you to another sub-server that will host the connection, gotomypc *responds* to a previous packet (i.e., that 5 mins or 15 mins ago keep alive your pc sent out) saying OK, connection is "here" ... and you and your pc RELAY through GoToMyPC.
http://tinyurl.com/gtmpc-how
that is a link to a Google Doc copy of the GoToMyPC whitepaper ... physically numbered page two, the last two bullet points
- Broker: The broker is a matchmaker that listens for requests and maps them to registered computers.
- Communication Server: The communication server is an intermediate system that relays
If DISH did this... yes.. would work just fine 99% of the time ... however two things.. first it means *EVERY* sling adapter user would get relayed through them for *EVERY* sling session ... and second.. your sling ability everywhere including in house, would be limited to your upload speed. (in house I get near HD quality and run 8 to 10 megs ... my Comcast Cable connection is 6/1 ... if I had to relay through dish, the max quality I would have is 1meg! not the 8 to 10 I get now by connecting directly)
The first reason why dish would not want to do this.. is the length of time a user would be connected .... 30 mins for a half hour show ... 1 hour for an hour long show ... several hours for a movie etc..
Next the bandwidth cost ... an OC3 is about 155 megs of data ... if you attached 100 users that would be a stream of roughly 1.5 megs per user .... an OC3 costs about 10000 a month ... which would be $100 per user per month serviced.
Instead .... *most* of the connections are direct rather than relay .. so you at your office.. you connect directly to the sling in your house... the Administrivia goes between you and dish, and your sling and dish ... at its most, for a few seconds, there would be maybe 20k of data for the initial setup of the sling connection (authentication, endpoint mapping, etc) and then the amount of administrivia data drops to 200 bytes...
@200bytes ... 1-OC3 could support 775,000 administration channels.. even if it's 2k of administrivia once the link is established; that would still mean servicing 77,500 users ... which equates to 12.9 cents per user per month ... either would be a real cost incentive for them to go this route..
to the best of my knowledge ... where an un-managed firewall is concerned ... there is no way to map end points different from the original source/destination headers.
On Dish's side ... prior to DishOnline ... nowhere was this more clear than Dish Remote Access ... you log in with dish ... you get directed to a specific server dish16.sling.com ... dish36.sling.com ... etc.. and your subsequent connections are with that server...
so at GO time ... you authenticated to Dish Network .. dish looked up a server that can service you (metrics for numbers of users, last connection time, etc..) and sent that server advance notice and a copy of the token you'll be connecting with.
Meanwhile .. the firewall in front of those servers *allows* unsolicited traffic in to port 80 & port 443 (plus others) ... your SlingPlayer sends the request to *your* Sling Adapter with the token ... it sends that token to dish, gets redirected to the correct server, the correct server listens on 80/443 ... but replies with a port redirection for your administrivia ... the port redirection hits the sling, it then connects to the new port and administration is up, you're OK wherever you are.. etc..
And ... there could even be a script that runs pushing updates to the firewall in front of the dish/sling servers.. when you authenticated to Dish ... they got your IP .. they could flag that IP with the firewall as allowed for unsolicited attempts to other dish servers for the next 5 mins ... etc.. (way more complex than *that* needs to be but it's possible)
Even if you manually typed in dish.sling.com .. you would get redirected to a specific server to service you via web ... an allowed port ... the administrivia would still be to different ports, and would still have to be an "allowed" condition. (didn't see you on port 80 first? firewall blocks you from attaching to dish's servers on other ports, etc)
And .... dish *does* do similar to Netflix, GoToMyPC etc.. when it comes to the DishOnline content that is *not* on your Sling ... hence why D.O. can still work without your receiver working and without your receiver "On Line".
The key is what the firewalls are trained for .. your office firewall is not concerned with allowing sling services ... your home firewall isn't either.. until you set up port forwarding or it's done for you through UPnP.
All you need to do is google UPnP Xbox Live ... and you'll see this isn't just a problem for Dish ... any time you have high data use ... no one wants to pay to be the relay broker and relay communications server ... hence why GoToMyPC has a minimum monthly cost .... also know that GoToMyPC is using a compressed datastream, and the agent/client can send positional information, it doesn't have to re-draw the screen for your mouse, it just tracks where your mouse is on a static picture of your remote desktop...data magnitude far less than SD, much less HD, video.
(sorry post is long ... not a simple subject)
Edit: the token and hand off may not be exactly as I've suggested ... but it's basically in some way similar ... you don't have to authenticate to find a sling receiver, but to actually start getting the stream, there is a server that must authenticate you .. either by token, user/pass, etc. exactly what stage each is consulted, etc.. is a minor point ...
the key is still that the data for your connection is from endpoint to endpoint and *not* relayed through Dish, only the administrivia goes to dish while you are streaming.
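
An added illustration, not part of the original post, of the matching behaviour discussed in this thread: a toy home router that admits an inbound packet only if it matches the exact remote address and port of a recent outbound flow, or a port-forward rule. It assumes that filtering model; the addresses, ports and the 120-second timeout are constructed values.

```python
from dataclasses import dataclass, field

# Constructed sample endpoints (documentation address ranges); not from the post.
DISH = ("203.0.113.10", 443)       # server the receiver sends keep-alives to
OFFICE = ("198.51.100.7", 50000)   # viewer behind an office firewall
RECEIVER = "192.168.1.50"          # receiver/Sling on the home LAN
KEEPALIVE_PORT = 40000             # public port the router picked for the flow
FORWARDED_PORT = 50100             # hypothetical port opened manually or via UPnP


@dataclass
class HomeRouter:
    """Toy unmanaged NAT firewall with address-and-port-restricted filtering."""
    timeout: int = 120                            # assumed idle timeout, seconds
    flows: dict = field(default_factory=dict)     # (pub_port, rip, rport) -> (host, expiry)
    forwards: dict = field(default_factory=dict)  # pub_port -> LAN host

    def outbound(self, now, lan_host, pub_port, remote_ip, remote_port):
        # Every outbound packet creates or refreshes the state for that exact peer.
        self.flows[(pub_port, remote_ip, remote_port)] = (lan_host, now + self.timeout)

    def inbound(self, now, remote_ip, remote_port, pub_port):
        # Returns the LAN host the packet is delivered to, or None if dropped.
        entry = self.flows.get((pub_port, remote_ip, remote_port))
        if entry and entry[1] > now:
            return entry[0]
        return self.forwards.get(pub_port)


def scenario():
    router, seen = HomeRouter(), {}
    router.outbound(0, RECEIVER, KEEPALIVE_PORT, *DISH)            # keep-alive at t=0
    seen["dish_reply"] = router.inbound(30, *DISH, KEEPALIVE_PORT)
    seen["office_unsolicited"] = router.inbound(30, *OFFICE, KEEPALIVE_PORT)
    seen["dish_after_timeout"] = router.inbound(500, *DISH, KEEPALIVE_PORT)
    router.forwards[FORWARDED_PORT] = RECEIVER                     # port forward added
    seen["office_forwarded"] = router.inbound(500, *OFFICE, FORWARDED_PORT)
    return seen


if __name__ == "__main__":
    for name, delivered_to in scenario().items():
        print(f"{name:20} -> {delivered_to or 'DROPPED'}")
```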