Case study: Access through reverse proxy?

I’m looking at how our customers are currently configured and I’m interested in sticking a handful of gateways behind a reverse proxy so the customer can access the SCADA system directly from our support site sans VPN access.

Has anyone attempted putting their gateway behind a reverse proxy? Did performance suffer? Anything simpler I might be overlooking?

I’ve never tried using Ignition behind a reverse proxy. Typically a port forward from your router to your Ignition gateway in a DMZ would be sufficient. I suspect that you may be able to gain marginal security benefits from that approach. I can’t think of any performance benefits (caching, load balancing, etc.) that would come with a reverse proxy.

What is the motivation behind this? Are you using SSL? My guess is that your Ignition gateway may necessarily be on the same network segment as sensitive nodes (either control or business). Even then, port forwarding with a firewall in between may be approximately equivalent. A lot depends on your architecture and requirements.

As an aside (the guys will probably kill me for mentioning this given the current roadmap), a specialized Ignition reverse proxy could make sense, particularly for a hosted version. I would imagine it as an Ignition gateway with only 1 specialized module installed, no direct database or OPC connectivity for security purposes. Reverse proxies are a preferred method for deploying Java/Tomcat web apps. The hardened, specific app would run in your DMZ and act as a reverse proxy between clients over the Internet and one or more Ignition gateways that are placed on more vulnerable segments of your network. It could do some pretty cool content caching and load balancing if it was specially written to be aware of the gateways, especially if you were accessing sites across slower WAN links. It could also support more methods of integrated authentication - think Kerberos/LDAP pass-through and common authentication between gateways. It could also potentially work well with many hosted gateways, either on separate ports or as a sort of aggregator.

That said, I doubt the demand exists. My guess is that 99% of the users can achieve accessible and secure implementations using the existing Gateway and standard IT technologies. Cool thought, though.

We want to create a secured zone for accessing Ignition via our CRM solution. We give the customer a dashboard of their sites already, but it becomes a hassle building out rules in the network for the gateways. A reverse proxy would be a really simple solution towards moving to a single point of entry to the secured area the Ignition gateways reside in. As you indicated, however, the performance gains would be minimal, and this is more about shoehorning Ignition into the same area as the CRM portal.
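For reference, here is what the single point of entry described in this thread could look like as a DMZ reverse proxy configuration. This is an added example, not configuration from the thread or from Inductive Automation; the hostname, certificate paths, internal gateway address, gateway port and portal address range are all assumed placeholders.

```nginx
# Added example: nginx in the DMZ terminates TLS and is the only path to the
# internal Ignition gateway. All names/addresses below are assumed placeholders.
upstream ignition_gateway {
    # Assumed internal gateway address; 8088 is assumed to be the gateway's HTTP port.
    server 10.0.10.20:8088;
}

server {
    listen 443 ssl;
    server_name support.example.com;   # assumed support-site hostname

    ssl_certificate     /etc/nginx/certs/support.example.com.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/certs/support.example.com.key;  # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Only the CRM portal / support site network may reach the gateway through here.
    allow 203.0.113.0/24;   # assumed portal address range
    deny  all;

    location / {
        proxy_pass http://ignition_gateway;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Pass WebSocket upgrades through, if the gateway's web interface uses them.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# Send plain HTTP to the TLS listener so nothing reaches the gateway unencrypted.
server {
    listen 80;
    server_name support.example.com;
    return 301 https://$host$request_uri;
}
```

With this in place the firewall only needs one rule (the proxy to the gateway) instead of a rule per customer, which is the network-rule hassle described above.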

Are you integrating Ignition applets on your dashboard? Do you want customers to be able to web launch apps from the Internet?