Ignition access thru the internet

What needs to be done to access the Ignition HMI from anywhere in the world, aside from having a VPN? Do we need to have a public IP address to do this?

If you could, please provide a sample network diagram so that our IT can have an idea. Thanks in advance.

1 Like

Please see the following topics for advice

2 Likes

It's possible to use the PubNub cloud-based real-time streaming network to connect remote devices to the Ignition server over a secure Internet connection with a guaranteed latency of 250ms for a packet size of 250kb, anywhere in the world, using our RMS module. However, the HMI will not be Ignition but our mSCADA module, which works on HTML5 and SVG in a standard browser and has simpler features than Ignition.

1 Like

Hi @PRAMANJ why can’t we use Ignition HMI?

This is another scenario which needs the use of the internet.

We need data from an external web server (e.g. WESM Web Server) via the internet. The WESM Web Server will provide an API which we can use to extract the data from them, and the data will be received by the Ignition Gateway using an Access database which is installed on the same server where the Ignition Gateway is also installed. This means we need to have internet enabled.

My questions are,

  1. Is this setup secure? From an external server to the Access database, then to the Ignition Gateway. What setup is recommended?

  2. Do I still need a VPN for that?

  3. Do I need to open port 8088 (http) for that? Or do I need a public IP?

Please enlighten me. Thank you

Because an Ignition client can communicate only with an Ignition server over the http protocol. It would be possible, though, to connect two Ignition servers over the internet with our RMS module; then you can use many Ignition clients at the remote Ignition server, which could as well be an edge gateway. But that would involve the cost of an Ignition edge gateway at the remote end, hence I suggested our mSCADA module.

  1. Data can be received in the Ignition server tags database from the WESM server using our RMS module over secure PubNub services through the APIs provided by the WESM server.

  2. No, you don't need a VPN for that.

  3. No, you don't need to open the 8088 port for that.

It is important to know what sort of data you need to get from the WESM server and at what scan rate. What is the data structure? Can you explain the use case scenario?

Hi @PRAMANJ, what is the difference between Sepasoft Web Services Module and your RMS module?

What are PubNub services?

I don't know about Sepasoft's Web Services module, but our RMS is for sending and receiving a set of Ignition tags as a JSON object between your application and the Ignition server using the PubNub streaming network (see www.pubnub.com), which allows integrating any two or more applications with each other across a secure internet connection using their SDKs, available in 70+ languages! The RMS module uses these APIs in Jython on the Ignition server side and JS or Java on the application side. It can also support Ignition on both sides using Jython.

How secure is this "secure internet connection"? Could you explain this? Do you have a network diagram? Is this more secure than using a VPN?

It allows https connections and encryption using your supplied security key. Their web site explains the configuration; please see the developers section. Also see the tutorials section on their website. PubNub is basically a cloud server which allows messaging between an arbitrary number of clients and provides optional secure storage of all or selected messages on their servers for historization purposes. They also allow processing of messages on the server, using their BLOCKs feature, before forwarding to clients. So it's a serverless platform for integrating applications across the internet, wherein we don't have to have our own server for storage and computation; it's all provided by PubNub, and we just pay per use. Their pricing is based on the number of messages and storage used per month, is quite cheap, and guarantees an SLA and a maximum latency of 250 ms between any two points across the globe. This is ideal for utility companies which are geographically spread across a vast area!

I guess it will be at least as secure as a VPN, as that's a concern for all in the modern world and they are bound by an SLA! I think cost, ease of implementation and response would be the key advantages of PubNub over a VPN.

Hi Michael,

In case you haven’t figured it out, Pramanj is a PubNub evangelist, which is a complementary technology, not an enabler for the remote HMI operation you wish to support.

The posts linked by @Matrix_Engineering cover your options for remote HMIs. The key is you need a network route from your clients to the Ignition gateway, supporting either http and/or https. Ignition v8 can run over just an https connection, both for Vision and for Perspective. Prior to v8, you can run Ignition Vision clients over http or http+https. A public IP would be required if no VPN, but you can place a load balancer or reverse proxy at that IP address instead of Ignition itself (highly recommended).

As for Web APIs, you have multiple choices.

  1. Accessing external APIs from Ignition can be scripted using Java services in any version of Ignition (no add-on module required). Later versions of Ignition provide helpers to make this easier. Such access does not need a VPN or public IP, as long as the Ignition server can reach the internet.

  2. Offering Web APIs in Ignition for access from external systems is the primary purpose of the WebDev module. Its resources are exposed in the same environment as used by clients and designers, so the same network route and port requirements will apply. The WebDev module is sufficiently free-form that it can be used to expose complete Web User Interfaces. Prior to v8, this was the only way to support HTML5 clients. (Completely on your own…)

  3. The SepaSoft Web Services module provides an alternative way to configure, use, and expose web APIs that follow industry standards. It supports both access to external APIs, and providing APIs to external users. As above, the latter will require a network route to your Ignition Gateway.

Hope this helps.

3 Likes
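The reverse-proxy arrangement recommended in the post above, sketched as an nginx configuration. This is an added example, not part of the original thread; the hostname, internal gateway address and certificate paths are placeholders, port 8088 is the gateway HTTP port mentioned in the thread, and the WebSocket headers assume the clients use WebSockets.

```nginx
# Added example: TLS-terminating reverse proxy in front of an Ignition gateway.
# Goes inside the http { } context (for example a file under conf.d/).
# hmi.example.com, 10.0.10.5 and the certificate paths are placeholders.

# Lets WebSocket upgrade requests pass through the proxy (assumption: clients use them).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Plain HTTP on the public address only redirects to HTTPS.
server {
    listen 80;
    server_name hmi.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name hmi.example.com;

    ssl_certificate     /etc/nginx/tls/hmi.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/hmi.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # The gateway stays on the internal network; only the proxy holds the public IP.
        proxy_pass http://10.0.10.5:8088;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        proxy_read_timeout 300s;
    }
}
```

With this layout the perimeter firewall only needs to allow inbound 443 to the proxy; port 8088 on the gateway is reachable from the proxy alone and is never published on the public IP.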

Hi pturmel! My question here is: if we expose the Ignition server to the internet in order to access another external web server, how secure will this be, since the Ignition Server is already exposed to the public? What can we do to make it secure?

Perhaps you can use an intermediate proxy server between the Ignition server and the internet. Without internet connectivity, how do you expect Ignition to connect to remote locations, except for a VPN connection?

Perhaps MQTT can connect Ignition servers and Ignition edge devices through their broker on a private network, not the public internet? I don't know how it works; perhaps they can enlighten us on it?

1 Like

I had just stumbled upon PubNub a few years ago and found it an interesting technology. I just thought perhaps it could be used for Ignition as well, for remote monitoring and remote connection between Ignition and other systems. As system integrators it's our job to find new solutions to diverse automation problems, leveraging new developments in tools and technologies which may make sense for some problems and situations!

For item #1 in my list, accesses to external web services from Ignition, there is no need to expose Ignition to the internet. Just allow it to make outbound connections to the internet.

In all of the above, where external systems/clients are connecting to Ignition, you need https or a VPN. You also need appropriate password policies and controls. Ignition is like any other web server.

1 Like

Indeed. PubNub is interesting. It's just utterly non-applicable to the OP's question.

1 Like

Our setup will be like this,

Data (from external web server) --> Data (to Microsoft Access Database) --> Data (to Ignition Server)

That means data is going inbound to the Ignition Server. Not outbound.

My question here is how are we going to make this kind of setup secure?

Your external server isn’t talking to Ignition. It’s talking to Access. (Why in the world would you do that?) Then Ignition is talking to Access. It matters where everything is located. I don’t know that your setup can be made secure.

Seriously, don’t use Access. Ideally, have the external web server talk directly to Ignition using one of the Web services API approaches above (#2 or #3).

I have no idea. This is our contractor's idea. He said it is easier to code and extract data from another web server using MS Access.