TConnolly

Accessing a PLC in Europe via company intranet.

4 posts in this topic

One of our European subsidiaries has a number of SLC5/05s. Each SLC 5/05 is connected to an RSView32 station using a single cross-over cable. They are not networked together and the RSView32 computers are not on the network. HOWEVER, if I put the RSVIEW computers on the network at the European plant, I would be able to see that computer on the network from our main offices here in SLC UT USA. Each of the computers has two ethernet ports. It would be a really big help if I could access the PLCs from here (even though I do like travelling across the pond). The personnel at the Euro-plant do not have any PLC skills and they have minimal IT skills. So here is my thought - I install a managed switch over there and network all the controllers and RSView stations together using one of the two NICs in each computer. The other NICs are attached to the network and configured for DHCP. Then I put RSLinx Gateway on one computer. If I can see that computer (with Gateway) on the network then shouldn't I be able to browse through it onto the controller network? What about security - anyone else anywhere in the corporation can also see that computer? I've never used Gateway and I know very little about it. Is there a better way?

There is no inherent security in the RS-Linx model regardless of what you add to it. In fact, there's no inherent advantage of adding RS-Linx Gateway in the scenario as you defined it. You could just as easily talk directly to the SLC's. Where RS-Linx Gateway is useful is for instance if you wanted to communicate via a PC and the existing Ethernet connections or if the SLC 5/05's were on DH+ or DH-485 since that would be a true "gateway" or "bridge" application. This would be the case if for instance you plugged the second NIC into a switch. I don't know exactly what you have for IP address space but you'd probably be looking to add some sort of router at the other end as well. The Gateway machine would need a static IP address (not DHCP) so that you could set up permanent routes to it in RS-Linx at your end and not have to go finding it all the time. Plus, it is almost 100% guaranteed that it will end up in a different broadcast domain so it won't auto-populate either. In this condition, you'd have "security by obscurity"...then the least expensive route for some sort of security is to password the SLC 5/05's. I don't know if you get the full security model in a PLC-5 where you can designate certain data tables as wide open (so that RS-View can get into them) or if you are stuck with just a master password which won't work for your scenario (that's the security model in Micrologix which I'm more familiar with). If not, and you still want this form of protection, your only choice is RSAssetSecurity or whatever Rockwell is calling it these days. This is an application that runs alongside all copies of RS-Logix 500, RS-Linx, RS-View, etc. It interfaces to those programs and provides fine grained security control over everything. The only real downside as I see it is that Rockwell thinks all the end users are defense contractors and pharmaceuticals so they charge accordingly.
The better security would be to run a firewall and/or a router so that the IP addresses are a bit more obscured and you can lock down all ports and machines except the RS-Linx one. Many of the off-the-shelf routers these days have firewall capabilities for this built in. The ultimate security is to place another PC in the DMZ of the firewall that either contains your RS-Logix 500 application (access it via Dameware, VNC, etc.,) or better yet, running some form of VPN software so that you can just tunnel into the remote network and talk to everything more or less "directly". I've used the "direct" route many times before. It works great as long as the network connection is very stable. But, the VNC/Dameware route works REGARDLESS of the network stability since if the network connection drops out for some reason, the remote PC is still running Logix 500 at the other end. No harm, no foul. You just have to get used to the inherent slowness of screen scraping. Considering that there is a possibility some day of someone not replacing a battery in one of the PLC's, there are a couple choices to fix that. Either put the memory cards in and use them, or else get a serial/Ethernet server (I like the ones from Digi) and plug all the Channel 0 ports into the serial server, leaving the baud rates of the PLC's at the default (2400 bps? Or is it faster on a SLC 5/05?). That way if the PLC goes blank, you can still access it via the serial server ports even though normally you'd go through the Ethernet port. In terms of running remotely, I've found that the most stable way to do this is with VNC or preferably Dameware MRC. Put your Logix 500 software and a license on the remote PC and run it from there. It is a bit clunky but if the network connection drops, you won't end up in some strange pseudo-error state between the PLC and Logix 500 that is difficult to work with such as not being able to save a copy of your work if you made Online edits.

Edited by paulengr

I would look at installing a router doing NAT with the port for VPN being the only thing open. Set up a VPN server on one of the RSview PCs. Make a VPN connection from your PC to the RSview PC which will allow you to use RSlinx gateway to give you full access. This is about as secure as you can make it while still giving you full network access to those PCs and PLCs.

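The lock-down described in the two replies above (only the VPN port open on the plant-side router, controllers reachable only through the tunnel) can be checked against a rule set before it is deployed. The following is an added example, not code from any poster in this thread; every address, the VPN port (UDP 1194) and the SLC 5/05 programming port (TCP 2222) are assumptions chosen for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing and ports; none of these values come from the thread.
ROUTER = "172.16.5.1"        # plant-side NAT router, intranet-facing address
CORP_HOST = "172.16.9.40"    # any other machine on the corporate intranet
VPN_CLIENT = "10.99.0.2"     # address handed to the remote engineer's tunnel
PLC = "192.168.50.11"        # one SLC 5/05 on the isolated controller network
VPN = ("udp", 1194)          # assumed VPN listener port
SLC = ("tcp", 2222)          # assumed SLC 5/05 programming port
VNC = ("tcp", 5900)          # default VNC port

def decide(rules, src, dst, proto, port):
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if (ip_address(src) in ip_network(r["src"])
                and ip_address(dst) in ip_network(r["dst"])
                and r["proto"] in (proto, "any") and r["port"] in (port, "any")):
            return r["action"]
    return "drop"

# Intended policy: the VPN port is the only thing reachable from the intranet,
# and the controllers are reachable only from inside the tunnel.
EXPECTED = [
    ("intranet -> router VPN port", CORP_HOST, ROUTER, *VPN, "accept"),
    ("intranet -> router VNC", CORP_HOST, ROUTER, *VNC, "drop"),
    ("intranet -> PLC", CORP_HOST, PLC, *SLC, "drop"),
    ("tunnel -> PLC", VPN_CLIENT, PLC, *SLC, "accept"),
]

def audit(rules):
    """Return the names of the probes whose outcome differs from EXPECTED."""
    return [name for name, src, dst, proto, port, want in EXPECTED
            if decide(rules, src, dst, proto, port) != want]

FLAT = [  # RSView PC simply routed onto the intranet: everything is reachable
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any", "port": "any",
     "action": "accept"},
]
VPN_ONLY = [  # NAT router with only the VPN port open
    {"src": "0.0.0.0/0", "dst": "172.16.5.1/32", "proto": "udp", "port": 1194,
     "action": "accept"},
    {"src": "10.99.0.0/28", "dst": "192.168.50.0/24", "proto": "tcp", "port": 2222,
     "action": "accept"},
]

if __name__ == "__main__":
    print("flat:", audit(FLAT))          # lists the two exposures
    print("vpn-only:", audit(VPN_ONLY))  # empty list: policy matches intent
```
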
Here is a sketch of the basic system architecture. Once they get the network cables run, I will be able to browse right to the RSView computers over our intranet, but I'm not sure how to get through the computer onto the PLC network. IOW, I think I need the computer to work like a router. The idea is to be able to make some software changes remotely as well as provide diagnostic assistance. The process is still evolving and every time there is an update someone here gets on a plane. The Logix500 active X is embedded in one of the RSview screens and a download button has been added to the screen so they can download the software if a battery goes dead or we send an updated .RSS file, but there isn't a way to monitor the performance remotely so we have not used that option since their one knowledgeable tech left the company. The battery status bit is also monitored by RSView and tied into an alarm so that shouldn't be an issue as long as they pay attention to it.

Edited by Alaric
