Controlling access to specific projects

Hello guys,

I have a question that I am sure you have a simple answer to. I have a gateway set up with about 5 projects on it. This gateway is connected to two separate networks, each having radically different subnets. The first network is my production network where the plant floor PCs connect to and the second is the corporate LAN. Of the 5 projects I have on the IA machine, I want only one specific project to be viewable from either network since this particular project is a read-only application with non-sensitive information on it. For the other 4 restricted projects, what I have in mind is to have some sort of global script that checks to see if it is being launched from the plant network by checking the first octet of the IP address and if it is not a specific number then reject access to any further pages of the project and notify the user that they are forbidden access to the project. This script would only reside in the 4 projects that I do not want to be accessed outside the production network, which has an IP address starting with 170. The 5th view-only project would be unrestricted. Could you give me an example of what that script would look like and give me any pointers on what else I may need to know?

Thanks

Hi,

First off, I’m not sure you can run a FactoryPMI server with either 2 NICs or 2 IP addresses - the network page on the gateway configuration seems to only allow one IP address to be configured.

If this is possible, the best approach I have come up with for testing the IP address of a client is to put the following code into the Global Event Scripts Startup script:

    # Global Event Scripts > Startup: choose the first window from the client's IP
    myIP = fpmi.net.getIpAddress()
    if myIP[:3] == "170":
        fpmi.nav.openWindow("Normal startup")
    else:
        fpmi.nav.openWindow("Warning")

If the IP of the client PC starts with 170, the “Normal startup” window will be displayed; if it doesn’t, the “Warning” window will be displayed - this window can display a message telling the user that they can’t run the system from that PC, with maybe an auto-shutdown within a time period.

This isn’t the neatest solution, as a user will still potentially have to download the system and log in before discovering they cannot run the system from the PC they are on. There is no way as far as I know to limit the list of systems displayed on the portal page by IP address of the client.

As an aside, an IP address starting with 170 is not in one of the 3 private address ranges, which is unusual on a private LAN - are these public IP addresses?

Al
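
A stricter form of the prefix test in the script above, added here as an illustration and not part of the original thread: it parses the address into octets, matches it against a subnet list, and fails closed on anything malformed (a slice test such as `myIP[:3] == "170"` also accepts strings like `1700.1.1.1`). The names `ALLOWED_SUBNETS`, `in_subnet`, `is_plant_client` and `startup_window`, and the `170.0.0.0/8` range, are assumptions; only `fpmi.net.getIpAddress()` and `fpmi.nav.openWindow()` come from the post.

```python
# Added example (not from the thread). Pure Python, no external modules,
# so the same functions can be pasted into a Jython-based script module.

# Assumption: the plant network is everything under 170.x.x.x, as in the thread.
ALLOWED_SUBNETS = ["170.0.0.0/8"]


def _to_int(ip):
    """Parse a strict dotted-quad IPv4 string; return None if malformed."""
    parts = ip.strip().split(".") if ip else []
    if len(parts) != 4:
        return None
    value = 0
    for part in parts:
        # ASCII digits only, 1-3 characters, value 0-255
        if not (1 <= len(part) <= 3) or not all(c in "0123456789" for c in part):
            return None
        if int(part) > 255:
            return None
        value = (value << 8) | int(part)
    return value


def in_subnet(ip, cidr):
    """True if ip lies inside cidr (e.g. '170.20.0.0/16'); False on bad input."""
    base, bits = cidr.split("/")
    addr, net, bits = _to_int(ip), _to_int(base), int(bits)
    if addr is None or net is None or not 0 <= bits <= 32:
        return False
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return (addr & mask) == (net & mask)


def is_plant_client(ip, subnets=ALLOWED_SUBNETS):
    """Fail closed: only a well-formed address inside an allowed subnet passes."""
    for cidr in subnets:
        if in_subnet(ip, cidr):
            return True
    return False


def startup_window(ip):
    """Window names are the ones used in the post above."""
    return "Normal startup" if is_plant_client(ip) else "Warning"

# In the startup script this would be called as:
#   fpmi.nav.openWindow(startup_window(fpmi.net.getIpAddress()))
```

The check still runs in the client after download and login, as the post notes, so it decides which window opens rather than who can reach the gateway.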

Al's script looks good to me. Don't forget to un-set any windows as "startup windows" since your IP restriction startup script will be in charge of this now.

You sure can without any problems as long as you're not using clustering.

First off, thank you very much for the reply Al. We are running dual NICs. It is incredibly easy to do that with IA software these days. With earlier versions of PMI it was a bit cumbersome. This is the third one we set up this way so far. You can easily hit the gateway from either subnet.

You asked about the 170 subnet we have in use right now for the plant network. We do not know why the OEMs and other integrators started there but we normally go with the typical 192 IP scheme on plant networks and ride on whatever the corp networks use internally which seems to be 10. from what we see. We just went along with what was there already to simplify things.

Thanks for the code example. That is what I was looking for and I think it should work just fine for what I am doing.

Carl, thanks for confirming that script.

Have a good weekend guys!