Opto22 Integration Module
Avadine is excited to partner with Opto22 and release Opto22 Integration, an advanced module that provides the ability to remotely configure and integrate with Opto22 groov products directly from Ignition, from Port Redirect configuration to the full suite of groov APIs.
Why?
Because we wanted to configure temporary Port Redirect rules from Ignition to remotely allow developers to access unsecured PLCs that are being protected by Opto22 groov EPIC. And, why while we were at it, why not expose ALL of the Opto22 groov API's as system functions in Ignition so that numerous groov devices can be managed and orchestrated centrally from Ignition.
Wait. What are you talking about?
One of the best ways to secure legacy PLCs, controllers, and other devices is to block all incoming traffic and obscure the device from the network. With Opto22's groov products, you can do just that! By putting an Opto22 EPIC (or RIO, in the near future) physically in front of legacy unprotected devices, they can be protected from bad actors. With Opto22 groov EPIC's dual NIC design and built-in firewall, the legacy PLCs can be connected to eth1 in a LAN/trusted network configuration, with the EPIC's eth0 connected publicly to an untrusted network. Because eth0 and eth1 are separated by a firewall, the legacy PLC is obscured from the outside world.
But how how do trusted/SCADA systems connect to the legacy device if it's being blocked by the Opto22 firewall? I'm glad you asked!
Port Redirect
Port redirection, also known as port forwarding, allows remote computers or mobile devices on one network segment to connect to a specific computer or service within a private LAN through a specific port. Usually, it pokes a “pinhole” in your firewall that packets of information can pass through. This kind of port forwarding is unsecure and not recommended, especially when the remote computer is on a public LAN like the Internet.
However, using port redirects over a VPN is secure and provides a conduit between the two network segments that can be very useful. For example, if you anticipate having to update a PLC’s program on a private network from your PC at remote site, you can place a groov EPIC on the PLC’s network and use a VPN and port redirect to establish a conduit, securely accessing your PLC to make the change.
That sounds awesome! But what does it have to do with Ignition?
True... you can configure these Port Redirect rules directly in Opto22 groovManage. The rules configured directly in groovManage are persistent, allowing specific traffic over specific ports to traverse the internal firewall separating the 2 network interfaces on the EPIC until changed or deleted.
But what if you want to dynamically add new Port Redirect rules from a central location, like some kind of application that can monitor and control devices... something like... IGNITION!?! And what if the Port Redirect rules that were issued from Ignition could be configured with an interval so they would automatically turn off after the time expired? And what if you could monitor and orchestrate configuration changes to all of your Opto22 groov devices centrally from Ignition?
With the Opto22 Integration module, now you can!
Use Case: A legacy/unsecurable PLC is protected by an Opto22 EPIC and, therefore, not able to be remotely connected from engineering workstations for development or logic changes. An admin logs into Ignition Perspective application and temporarily creates a Port Redirect rule for an engineering laptop's IP address to connect to the legacy PLC over a specific Allen-Bradley TCP Port, and configures the rule to only stay open for 1 hour. After 1 hour expires, the rule disables and the engineer is no longer able to access the legacy PLC.
Woah! But, even groov REST API calls are available as well?
You heard right. All of the Opto22 groovManage REST API calls are available in this module as system.opto22.* functions. Documentation to Opto22's swagger can be found HERE.
Module Information
Effective Date: 2025-05-08
Author: Avadine
Audience: System Integrators and Developers
Application: Ignition by Inductive Automation (v8.1+)
Module: Opto22 Integration Module (Download Here!)
1. Prerequisites
- Ignition Gateway version 8.1 or later
- Access to the Ignition Gateway Web Interface
- Opto22 Integration Module
.modlfile - API Key from a groov EPIC device with API access
- IP address or hostname of the target groov EPIC device
2. Installation Procedure
- Log in to the Ignition Gateway Web Interface.
- Navigate to the Config tab.
- Under the System category, click on Modules.
- Select Install or Upgrade a Module.
- Upload the
.modlfile from your local system. - Accept the self-signed certificate and End User License Agreement (EULA).
3. Basic Module Configuration
- On the Config tab, navigate to Opto 22 Groov → General.
- Enable the API Configuration toggle.
- Enter the Hostname or IP address of the groov EPIC device (e.g.,
10.10.10.100ortest.groov.epic). - Enter the API Key associated with an API-enabled user on the EPIC device.
4. VPN Configuration (Optional)
- On the Config tab, navigate to Opto 22 Groov → Network.
- Configure the VPN settings:
- Toggle the VPN on or off.
- Modify advanced timeout and network settings as required.
5. Port Redirect Rules - Directly from the Gateway Homepage!
- Navigate to Opto 22 Groov → Port Redirect Rules under the Config tab.
- Use the table to:
- Modify existing rules, or
- Create new Port Redirect Rules by selecting "Create new Port Redirect Rule".
- Configure the required parameters for the new rule.
- To defer syncing the rule to the EPIC device:
- Disable the rule during creation.
- The rule will remain configured and can be activated later by enabling it.
Additional Info
Download the Opto22 Integration module HERE (in case you missed the download above)
More documentation coming soon!
Check out our website for more information about services offered!
More Ignition Exchange resources and modules are coming soon!
Third-party module showcase pending approval!
