Ignition go ONLINE

Hi All,

Currently I want to learn how to make an Ignition HMI accessible through the Internet instead of the intranet. I have been searching around the forum but found no confirmed source about it. Are there any documents, manuals or simple samples that can guide me in setting up the Ignition gateway so I can access it remotely from a different network through the Internet? Thank you very much.

To connect remotely via the internet you can do this in a couple ways. You can use a VPN connection, RDP session, or you can configure port forwarding and expose Ignition to the internet.

As Greg says, this is a networking setup issue, not an Ignition issue.

Do take security into account when considering this of course. Allowing forward facing connections to your Ignition box means you’ll want to check and recheck your security.

Make sure you’re using nice strong passwords, get rid of default accounts or disable them, and do some form of threat analysis on the machine often. The firewall should most likely be provided by a dedicated device. You’ll want to forward only the minimum number of ports if going that route. VPN is less of a risk, but still better safe than sorry.

This is where Linux really scores. SSH is far easier to set up properly than a VPN.

Dravik really hit the nail on the head about security. All excellent points that you should be taking into consideration when putting your HMI on the internet.

Thank you for all the advice. Actually I wanted to try it personally so that I can be prepared when projects need the HMI to be put online and accessed from anywhere with Internet access. Security is the highest priority once anything goes public. Thank you, Dravik, for raising the security concern.

I am facing some issues along these lines.

I have configured the gateway page to minimize its footprint/visibility.

Are there any plans at all to implement a failed login “lockout” mechanism at the project and gateway levels?

Right now, if I wanted to, I could brute force script login attempts to the gateway “configure” section and I can’t see where those login failures are logged or that there is any lockout mechanism either by IP or something else that would slow down a brute force attack.

I do have an alarm set up on projects where I have a tag set to query the audit events table looking for events where the action is login and the status code <> 0 and send out an alarm every time that count increments, but that only affects projects themselves and not the gateway.

The solution of VPN or other methods gets messy with cross-platform devices (iOS/Android/Windows) accessing screens from out in the field.

It is a good idea to have the sign-on do some sort of protection against brute-force attacks. I’ve put it on the feature request list, but no promises as to when we’ll get to it.

Great idea! A reasonable approach would be to force a wait for a given user account after a certain number of failed logon attempts in some time period. Alternatively, you could make the brief wait longer each time a user account tries and fails to log in.
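The wait-after-repeated-failures approach described in the post above, as an added example that is not part of the original thread and is not Ignition's implementation: failures are counted per account in a sliding time window, and the wait doubles with each repeated lockout. The class name, thresholds and sample rows are assumptions constructed for illustration; status code 0 is taken to mean a successful login, matching the audit-table check mentioned earlier in the thread.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Per-account lockout: a wait after N failures in a window, doubling on repeat."""

    def __init__(self, max_failures=5, window=300, base_wait=30, max_wait=3600):
        self.max_failures, self.window = max_failures, window
        self.base_wait, self.max_wait = base_wait, max_wait
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.lockouts = defaultdict(int)     # account -> lockouts so far (drives backoff)
        self.locked_until = {}               # account -> time at which the wait ends

    def wait_remaining(self, account, now):
        """Seconds the account must still wait before an attempt is evaluated."""
        return max(0, self.locked_until.get(account, 0) - now)

    def record(self, account, status_code, now):
        """Feed one login result; returns 'ok', 'failed', 'locked' or 'rejected'."""
        if self.wait_remaining(account, now) > 0:
            return "rejected"                # refused without checking the password
        if status_code == 0:                 # success clears the account's history
            self.failures.pop(account, None)
            self.lockouts.pop(account, None)
            return "ok"
        recent = self.failures[account]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                 # drop failures older than the window
        if len(recent) < self.max_failures:
            return "failed"
        self.lockouts[account] += 1          # each new lockout doubles the wait, capped
        wait = min(self.base_wait * 2 ** (self.lockouts[account] - 1), self.max_wait)
        self.locked_until[account] = now + wait
        recent.clear()
        return "locked"

def replay(events, **kwargs):
    """Run (timestamp, account, status_code) rows through a fresh throttle."""
    throttle = LoginThrottle(**kwargs)
    return [throttle.record(acct, code, ts) for ts, acct, code in events], throttle

# Constructed sample rows: (seconds, account, status code; non-zero = failed login)
SAMPLE = [(0, "admin", 1), (2, "admin", 1), (4, "admin", 1),     # third failure locks
          (10, "admin", 0),                                      # right password, still waiting
          (40, "admin", 1), (41, "admin", 1), (42, "admin", 1),  # second lockout, doubled wait
          (43, "operator", 0)]                                   # other accounts unaffected

if __name__ == "__main__":
    print(replay(SAMPLE, max_failures=3, window=60, base_wait=30)[0])
```

Keying on the account alone lets anyone who knows a username keep that account locked; passing a tuple such as `(account, source_ip)` as the key gives the by-IP variant raised earlier in the thread.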

This feature has been added for version 7.6.3.