IT guys help on ports

Just briefly.

For test purposes I access Ignition by “myiP:8088”

Some sites we work on provide internet access but block us getting to our projects, so I assume they are blocking port 8088 outgoing?

How can I get around this? Can I set up a domain name and then have that point to “myiP:8088”, or would the site still stop 8088 being used?

The port number will change once I install SSL but the theory will remain the same.

It's most likely their IT not allowing port forwarding outside of whatever network Ignition is hosted on. There really isn't going to be a workaround without going with their IT department. The goal is to try and keep access to equipment to a minimum and in many cases keep their data from being public. Unless you can convince them to put in some sort of bridge computer that you can access remotely. I've heard good things about eWON, but haven't used them myself.

It's unfortunate, but it is for valid security reasons. If we do remote support for customers, it's usually via a Skype or WebEx session.


There are lots of ways, but if you’re working around a client’s IT restrictions you’re going to want to work with their IT (though I have “found” my way out of a remote mine site’s very restricted network on one occasion to access my corporate VPN so I could help them). Some (most in our case) clients are happy to have TeamViewer host on their systems for remote support. Others want to initiate the TeamViewer session from their end. Still others ask us to use a particular remote control tool of their choosing. We’ve also had some who set up an account on a server we could access that in turn had access to the equipment we support. And some give us a VPN account to access.

I have just about every solution under the sun with my customers. Some like the eWon products. Many run their own VPN or Remote Access solutions (rather fancy and expensive big-name tech) to which they give me credentials. I run my own OpenVPN kit in the cloud for customers who have more constrained IT budgets.

FWIW, eWon’s Talk2M network product is a customized version of OpenVPN.

Thanks guys,

I’m not sure if I explained correctly. Ignition is set up on our servers in Texas and I can remotely access it etc.; it’s in our offices.

I have set it up almost like an ERP system where we can complete time sheets, receive MQTT data etc., complete shift reports.

We have projects all over the world and our site managers have access to the Ignition project on their laptop to complete the timesheets and reports etc. from whatever location in the world they may be.

For example, last week I was in Norway and using my LTE hotspot I was able to access my project using the externalip:8088. But using the client-supplied internet I was not able to access my project.

I’m no IT expert but I’m guessing the site was blocking me getting out on port 8088, whereas my LTE hotspot didn’t. This will turn the entire project on its head if our site supervisors can’t access the projects on our Texas server from client sites.

My thinking was having a domain name like www.myproject.com that will then point to our ip:8088. Or change the Ignition port to a different port that’s not normally blocked, or some kind of reverse proxy system. Most client sites block VPN access also. If they are blocking port 8088 outgoing I could ask they open it, but I would much rather engineer a solution on my end.

Does the Ignition server always need the port number to launch the project from the NCL?

The only other solution that I have heard about involves a spare PC with a separate cellular access modem. If the customer IT department is not O.K. with this, they would simply power it down (and probably not in a nice way). So when you think about the VPN solutions mentioned by others, you need to realize that: They may or may not already have a TeamViewer™ set up, as this can be home or commercial and in different versions. They may allow access one day and get a new I.T. leader the next. Pointing to a piece of hardware in a PLC cabinet as the reason why it can be updated or not makes the person doing the pointing look better to others (social considerations of hard devices). YMMV, as in your mileage may vary. I am actually pretty new to the IGN side of this stuff.

This is horrifyingly insecure. A firing offense for whoever set it up this way in any of the public companies I work with.

Aside from that, yes, many companies (the smart ones) block non-standard outbound ports to limit the paths malware can use to exfiltrate data.

You need to use a proper domain name, turn on SSL, and configure your server in Texas to operate on the standard HTTP and HTTPS ports.

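The two posts above rest on a hypothesis (the client site drops outbound 8088 while 80 and 443 pass) that is cheap to confirm before re-engineering anything. The following is an added example, not code from this thread or from Ignition: a small egress probe that attempts a TCP connect to each candidate port on the gateway host and classifies the outcome. A connection that times out, rather than being refused, is the usual signature of an egress firewall silently dropping a non-standard port. The hostname `gateway.example.com` in the usage is a placeholder for the gateway's real public name.

```python
"""Egress port probe: which outbound TCP ports does this network let through?

Added example for the thread above; not part of Ignition or the original post.
"""
import socket
import sys
from typing import Dict, Iterable

# Ports worth checking from a client site: the standard web ports plus the
# gateway ports discussed in the thread (8088 HTTP, 8443 as the poster's HTTPS port).
DEFAULT_PORTS = (80, 443, 8088, 8443)


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Try one TCP connect and classify what happened.

    "open"     - handshake completed: the path is allowed and something listens
    "refused"  - an RST came back: the far end, or a firewall configured to reject
    "filtered" - nothing came back before the timeout: the classic silent drop
                 of an egress filter
    "error"    - DNS failure or other socket error (not a verdict on the port)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):  # socket.timeout is TimeoutError on 3.10+
        return "filtered"
    except OSError:
        return "error"


def probe_ports(host: str, ports: Iterable[int] = DEFAULT_PORTS,
                timeout: float = 3.0) -> Dict[int, str]:
    """Probe every port in `ports` and map port -> status string."""
    return {port: probe_port(host, port, timeout) for port in ports}


def blocked_ports(results: Dict[int, str]) -> list:
    """Ports whose probe timed out: the ones an egress filter is most likely dropping."""
    return sorted(p for p, status in results.items() if status == "filtered")


def local_sanity_check() -> Dict[str, str]:
    """Verify the classifier itself before blaming the network.

    Opens a loopback listener (should classify as "open") and picks a loopback
    port that nothing listens on (should classify as "refused"). Runs offline.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # kernel picks a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # port is free again and nothing listens on it

    try:
        return {
            "open": probe_port("127.0.0.1", open_port, timeout=2.0),
            "refused": probe_port("127.0.0.1", closed_port, timeout=2.0),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    # Usage: python egress_probe.py gateway.example.com   (placeholder hostname)
    target = sys.argv[1] if len(sys.argv) > 1 else "gateway.example.com"
    results = probe_ports(target)
    for port, status in sorted(results.items()):
        print(f"{target}:{port:<5} {status}")
    dropped = blocked_ports(results)
    if dropped:
        print(f"likely egress-filtered: {dropped}")
```

Run it once on the client's network and once on the LTE hotspot and compare: the poster's symptom would show 8088 as "filtered" on site and "open" on the hotspot. Two caveats a practitioner should keep in mind: some sites force web traffic through an HTTP proxy, so a raw TCP probe on 443 can disagree with what a browser actually experiences; and moving a gateway to 443 changes only reachability, not exposure. The protection comes from TLS with a real certificate, strong gateway authentication, and keeping anything that talks to machinery off that path.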

Phil,

Apologies for horrifying you :see_no_evil:. The “Ignition server” in question is an old PC sat by itself on its own T-Mobile LTE modem that I’m using for testing. Not the company's actual servers. This is for testing before we move it over to the main server.

Once we set up a domain name and SSL etc., the projects will be able to be accessed from anywhere even if the local site blocks 8088?

And reconfigure Ignition to use the standard ports instead of 8088 and 8443. Then yes.

This is better, yes, but only if this test server can't talk to your machinery.... If it can, it is still horrifying.


There are no machines or PLCs etc. on this server, just random test data in a DB we are using to simulate project analytics etc. In fact our whole project will not have any local machines/PLCs connected to the server. All data will be fed via MQTT from remote locations.

Stupid question: what are the standard ports to use rather than 8088 and 8443?

Standard web ports are HTTP on 80 and HTTPS on 443.

I’m thinking that you may have to adjust the T-Mobile modem settings a bit as well to enable these ports out. I’m not sure what the default configuration is for those.


Just wanted to add that switching the ports to 80 and 443 and setting up the domain fixed the issues.

The supervisors on the projects overseas can now access the projects on the client-supplied internet.
