Problems with setting up Gateway Network

Hi there,

Creating my very first Ignition project and I’m having difficulty setting up the Gateway Network. It seems like such a simple straightforward process and I’m wondering if Windows Firewall is getting in the way.

My main Gateway has all my licensing (history & perspective modules) and my remote gateway is just a bare-bones base license. The PCs are running Windows 10 and were shipped to me from the end user with cached login information from their plant network, which has local admin privileges.

Installation went fine, creating tags on the main PC is fine and I can connect to my PLC and read tags just fine. I can ping each PC from the other.

I go to my remote gateway and create an outgoing connection (although I’ve tried this both ways) and it tries to connect but will come back shortly saying “faulted”. When I check the logs it just says to verify the host and port settings. I’ve tried changing the General Settings under Gateway Network to Unrestricted just to see if I could establish a connection, with no change.

I’m wondering if Windows Firewall is hosing me up. When I go look into the firewall settings it tells me the firewall settings are managed by my group policy (and therefore I cannot shut it off altogether to test). By default all incoming connections are blocked, which I think means blocked unless there’s an incoming rule for it.

I tried creating two incoming rules: one is a program rule that points to IgnitionGateway.exe and is open for all traffic, all ports, etc., and one rule that is just for port 8060 no matter who’s asking, but neither of these rules makes any difference. I’m not strong on group policy or Windows Firewall beyond what I’ve tried.

Can anyone suggest any next steps or troubleshooting or insight to any of this?

Any help would be much appreciated!

The flow for setting this up (and what you’ll see) should be like below:

  1. Two gateways, main and remote. Setup Outgoing Connection in remote to point to main at port 8060.
  2. Firewall on main needs to allow incoming connections on port 8060.
  3. You’ll first see the certificate from remote appear in the Incoming Connections tab of Gateway Network configuration on main. If you’re not getting this, check logs on remote. Verify that the hostname that you’re using resolves to the main machine. If you’re getting Connection timed out from remote, that is a typical behavior of main dropping incoming packets due to firewall configuration. If everything is working, go ahead and approve that certificate.
  4. Next, you’ll see a new connection from remote in that same Incoming Connections tab of the Gateway Network configuration on main. This is where you’d approve the connection itself.

Hope this helps; definitely sounds like the firewall could be the issue here.

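The server side of step 2 above, as an added example that is not part of the original reply: it creates the inbound 8060/tcp allow rule on main for all three profiles, reads the rule back with its port filter so you can see exactly what was written, and then checks that the gateway is actually listening on that port. The rule display name and the port number are assumptions (8060 is the Gateway Network default discussed in the thread). Run it in an elevated PowerShell on the main gateway host.

```powershell
# Added example, not from the original thread. Run elevated on the "main" gateway host.
# Assumes the Gateway Network port is the default 8060/tcp; the rule name is arbitrary.
$port = 8060
$ruleName = "Ignition Gateway Network ($port/tcp inbound)"   # hypothetical name

# 1. Allow inbound 8060/tcp for every profile. A rule scoped only to Domain does
#    nothing when the NIC is currently classified as Private or Public.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $port -Action Allow -Profile Domain,Private,Public | Out-Null
}

# 2. Read the rule back together with its port filter to confirm what was stored.
$rule   = Get-NetFirewallRule -DisplayName $ruleName
$filter = $rule | Get-NetFirewallPortFilter
"{0}: enabled={1} action={2} profiles={3} port={4}/{5}" -f `
    $rule.DisplayName, $rule.Enabled, $rule.Action, $rule.Profile, $filter.LocalPort, $filter.Protocol

# 3. Confirm something is listening. If nothing listens, the remote sees "connection
#    refused" rather than a timeout, and the firewall is not the thing to chase.
$listener = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
if ($listener) {
    $proc = Get-Process -Id ($listener | Select-Object -First 1).OwningProcess
    "Port $port is listening (process $($proc.ProcessName), PID $($proc.Id))"
} else {
    "Nothing is listening on $port; check the Gateway Network settings and the gateway service first"
}
```

If the rule reads back correctly here but the remote still times out, the rule is being written but not enforced, which is the Group Policy situation discussed further down the thread.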

Thank you for this. It seems so straightforward I’m baffled why I’m having trouble. Where I am is at #3 - I don’t get the certificate appearing on the incoming connections tab. I am using the IP address in place of a hostname so it should find it just fine. I’ll try to post a pic of the exact error from the remote:

[screenshot of the error shown on the remote gateway]

Yes, that sure sings of firewall blockage. Did you check that the incoming rule that you created on 192.168.1.168 (main in my example) for port 8060/tcp applied to all profiles (Public, Private, Domain)? I’m wondering if there are other GP rules getting in your way here.

Yes, the incoming rule applies to all, but I don’t think the policy is allowing the rule to be used, because when I look at the list of active rules the ones I created don’t show up there. Guess I’ll have to go back to the end user and see about modifying the group policy. Thanks for the help.
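A way to confirm the diagnosis in the post above (locally created rules not appearing among the active rules), as an added example that is not part of the original thread: it shows the per-profile settings that Group Policy controls, which profile the NIC is currently in, and compares the rules stored locally with the rules that are actually in force. The port number is an assumption (8060 again); the `Get-PortRules` helper is defined here for the example.

```powershell
# Added example, not from the original thread. Run elevated on the host whose
# firewall is managed by Group Policy. $port is an assumption (Gateway Network default).
$port = 8060

# 1. Per-profile settings. When the GPO sets AllowLocalFirewallRules to False for a
#    profile, rules created locally (GUI or New-NetFirewallRule) are ignored there,
#    which is exactly "my rules do not show in the active rules".
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, AllowLocalFirewallRules |
    Format-Table -AutoSize

# 2. Which profile is the NIC in right now? A rule for the wrong profile never applies.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory | Format-Table -AutoSize

# 3. Inbound rules that mention the port, first as stored locally (PersistentStore) and
#    then as actually enforced (ActiveStore). Present in the first, absent from the
#    second means policy is dropping it. (Exact port match only; ranges are not expanded.)
function Get-PortRules([string]$Store) {
    Get-NetFirewallRule -PolicyStore $Store -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$port" } |
        Select-Object DisplayName, Action, Profile, PolicyStoreSource
}
"--- local (PersistentStore) inbound rules for $port/tcp ---"
Get-PortRules PersistentStore | Format-Table -AutoSize
"--- effective (ActiveStore) inbound rules for $port/tcp ---"
Get-PortRules ActiveStore | Format-Table -AutoSize

# 4. Rules delivered by Group Policy (RSOP). This is the set the end user's AD admin
#    has to extend with an allow rule for the gateway port.
"--- inbound rules from Group Policy (RSOP) ---"
Get-NetFirewallRule -PolicyStore RSOP -Direction Inbound -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Action, Profile | Format-Table -AutoSize
```

If `AllowLocalFirewallRules` shows `False` for the active profile, no amount of local rule creation will help; the allow rule has to come from the GPO itself (the "apply local firewall rules" merge setting is what that flag reflects).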

If you’re able to reach the gateway webpage of main via 8088 (from remote), you could try disabling SSL on the Gateway Network configuration and direct the outgoing connection on remote to use main at port 8088 and no SSL. That might allow you to get your development going in the meantime, knowing that you’ll just want to adjust that config for production.

Just tried that and I cannot reach the gateway webpage either. I’m thinking this means they’ve got this locked down TIGHT. I think this also means trying to connect to main for any Perspective clients won’t work either. I wonder how many ports I’ll have to have their policy adjust for?

I'd shoot for 8088/tcp, 8043/tcp, and 8060/tcp...

Awesome. What’s 8043 for?

It is used if you enable TLS on the gateway (it is independent from the TLS on Gateway Network connections via 8060). If you’re going to set up firewall rules, you might as well include this port as well so you have the option of setting that up [to replace standard HTTP via 8088 with HTTPS via 8043].

Thank you very much for all the help!
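The remote-side check for the three ports listed above (8088, 8043, 8060), as an added example that is not part of the original thread. Plain `Test-NetConnection` only reports success or failure; this version uses a raw TCP connect with a timeout so that a silent drop (the firewall symptom described earlier) is reported separately from an active refusal (host reachable, nothing listening or TLS not enabled), and then tries the 8088 web page that the interim no-SSL workaround depends on. `$mainHost` is a placeholder for the main gateway's address; `Test-TcpPort` is defined here for the example.

```powershell
# Added example, not from the original thread. Run on the remote gateway host.
# $mainHost is a placeholder; replace it with the main gateway's IP or hostname.
$mainHost = "192.168.1.168"
$ports = @{
    8088 = "gateway web, HTTP"
    8043 = "gateway web, HTTPS (only if TLS is enabled on the gateway)"
    8060 = "Gateway Network"
}

# TCP connect with a timeout, so a dropped SYN (firewall) and an RST (nothing
# listening) are reported as different outcomes.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return "TIMEOUT   (no reply at all: typical of a firewall dropping the packets)"
        }
        $client.EndConnect($async)   # throws if the target actively refused
        return "OPEN"
    } catch {
        $msg = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } else { $_.Exception.Message }
        return "REFUSED   (host answered, nothing accepted the connection: $msg)"
    } finally {
        $client.Close()
    }
}

foreach ($p in ($ports.Keys | Sort-Object)) {
    "{0}:{1,-5} {2,-55} {3}" -f $mainHost, $p, $ports[$p], (Test-TcpPort -Target $mainHost -Port $p)
}

# If 8088 is open, the gateway page should answer; that is the precondition for the
# temporary non-SSL Gateway Network connection over 8088 suggested earlier in the thread.
try {
    $r = Invoke-WebRequest -Uri "http://${mainHost}:8088/" -UseBasicParsing -TimeoutSec 5 -ErrorAction Stop
    "HTTP on 8088: status $($r.StatusCode)"
} catch {
    "HTTP on 8088: $($_.Exception.Message)"
}
```

A TIMEOUT on all three ports while the host still answers ping is the pattern to take back to the end user's Group Policy admin: ICMP is allowed, the TCP ports are not. A REFUSED on 8043 alone is expected until TLS is enabled on the gateway.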