Prevent Tag Access In 5069-L306ER from Ignition OPC UA Browsing

I know this is not directly related to Ignition, but I wanted to reach out and see if anyone else has looked into/implemented locking down tags in a 5069 CompactLogix PLC from OPC UA access.

I'm currently working on a new project where a local Ignition server will be polling remote sites for critical alarms and statuses. This server will act as an alarm notification server tied in with a VOIP service to provide voice notifications. I would like to use the Logix driver to browse the tags at each site. The communications will be via cellular and will have an IPsec tunnel for each site back to a firewall at the main office.

My concern is if the server is accessed by an outside source that they cannot randomly OPC browse tags from these PLCs and start writing erroneous values to the PLCs. I've looked into the OPC UA Access settings of the tags in Studio 5000 and I have always had them set to none, but have still been able to browse them from Ignition.

I cannot set the external access of all of my tags to read only as I have some tags that are written to by Ignition and other OITs at each site.

Has anyone implemented what I have described above in regards to locking down tags in the PLC from OPC access?

Just to clear things up a little - if you are using the Logix driver to access the tags in the controller, you're not using OPC UA to access them, you're using EtherNet/IP.

[Ignition OPC UA client] --> [Ignition OPC UA Server | Logix Driver] --> [Logix PLC]

so if you're looking at settings related to OPC UA in Studio 5000, you're looking for the wrong thing.

Why would your Ignition server be accessible by any old outside source? Why wouldn't you lock it down and put security on the tags, etc...? Do you need to give third parties access to the OPC UA server?

First, I would recommend putting Edge at each site and using MQTT Engine on your central server to push the data from the edge to the central server. You wouldn't have any external access with that solution and it wouldn't burn up your data plan either.

If you do stick with polling from a central Ignition server, the only people that can browse and write tags that aren't part of your application are developers (anyone that has access to the designer or the web config interface).

Unless you're using the new OPC-UA features in v36 or v37 firmware, the External Access column is for the Logix driver, and the new OPC-UA access is only for if you actually set up and configure it in the firmware of the PLC (which is very limited, but would be more bandwidth efficient than direct polling if you're only reading a few tags).
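One way to act on that distinction, as an added example that is not from this thread: a script that audits which controller-scoped tags a Studio 5000 L5X export leaves writable through External Access (the setting the Logix driver honours), so each Read/Write tag can be checked against the list of tags Ignition and the OITs are actually meant to write. The L5X layout, tag names and the allowlist are constructed for the example, and a tag with no ExternalAccess attribute is assumed to carry the Studio 5000 default of Read/Write.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of a Studio 5000 L5X export (assumption:
# controller-scoped tags sit under Controller/Tags/Tag and carry an
# ExternalAccess attribute of "Read/Write", "Read Only" or "None").
SAMPLE_L5X = """<?xml version="1.0" encoding="UTF-8"?>
<RSLogix5000Content SchemaRevision="1.0" TargetType="Controller">
  <Controller Name="Site01" ProcessorType="5069-L306ER">
    <Tags>
      <Tag Name="Ack_Alarm" TagType="Base" DataType="BOOL" ExternalAccess="Read/Write"/>
      <Tag Name="Pump1_Run" TagType="Base" DataType="BOOL" ExternalAccess="Read Only"/>
      <Tag Name="Tank_Level" TagType="Base" DataType="REAL" ExternalAccess="Read Only"/>
      <Tag Name="Tuning_Gain" TagType="Base" DataType="REAL" ExternalAccess="Read/Write"/>
      <Tag Name="Debug_Word" TagType="Base" DataType="DINT" ExternalAccess="None"/>
      <Tag Name="Legacy_Flag" TagType="Base" DataType="BOOL"/>
    </Tags>
  </Controller>
</RSLogix5000Content>
"""


def external_access_report(l5x_text):
    """Group controller-scoped tag names by their External Access setting.

    A tag with no ExternalAccess attribute is counted as "Read/Write"
    (assumed Studio 5000 default) so it is not silently left out of review.
    """
    root = ET.fromstring(l5x_text)
    report = defaultdict(list)
    for tag in root.iterfind("./Controller/Tags/Tag"):
        access = tag.get("ExternalAccess", "Read/Write")
        report[access].append(tag.get("Name"))
    return {access: sorted(names) for access, names in report.items()}


def writable_outside_allowlist(l5x_text, allowlist):
    """Return Read/Write tags that are not on the list of tags Ignition and
    the OITs are expected to write. Each one returned is a candidate for
    "Read Only" or "None" in Studio 5000 before the next download."""
    report = external_access_report(l5x_text)
    return sorted(set(report.get("Read/Write", [])) - set(allowlist))


if __name__ == "__main__":
    # Constructed allowlist: only the alarm acknowledge is meant to be written.
    print(external_access_report(SAMPLE_L5X))
    print(writable_outside_allowlist(SAMPLE_L5X, {"Ack_Alarm"}))
```

Run it against a real export (File > Save As > L5X in Studio 5000) and the second list is the set of tags to discuss with whoever owns the site program.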