Creating my very first Ignition project and I’m having difficulty setting up the Gateway Network. It seems like such a simple straightforward process and I’m wondering if Windows Firewall is getting in the way.
My main Gateway has all my licensing (history & perspective modules) and my remote gateway is just a bare bones base license. The PCs are running Windows 10 and were shipped to me from the end user with cached login information from their plant network which has local admin privileges.
Installation went fine, creating tags on the main PC is fine and I can connect to my PLC and read tags just fine. I can ping each PC from the other.
I go to my remote gateway and create an outgoing connection (although I’ve tried this both ways) and it tries to connect but will come back shortly saying “faulted”. When I check the logs it just says to verify the host and port settings. I’ve tried changing the General Settings under Gateway Network to Unrestricted just to see if I could establish a connection, with no change.
I’m wondering if Windows Firewall is hosing me up. When I go look into the firewall settings it tells me the firewall settings are managed by my group policy (and therefore I cannot shut it off altogether to test). By default all incoming connections are blocked which I think means blocked unless there’s an incoming rule for it.
I tried creating two incoming rules: one a program rule that points to IgnitionGateway.exe and is open for all traffic, all ports etc., and one rule that is just for port 8060 no matter who’s asking, but neither of these rules makes any difference. I’m not strong on group policy or Windows Firewall beyond what I’ve tried.
Can anyone suggest any next steps or troubleshooting or insight to any of this?
Any help would be much appreciated!
The flow for setting this up (and what you’ll see) should be like below:
- Two gateways, remote. Setup Outgoing Connection in remote to point to main at port
- Firewall on main needs to allow incoming connections on port
- You’ll first see the certificate from remote appear in the Incoming Connections tab of Gateway Network configuration on main. If you’re not getting this, check logs on remote. Verify that the hostname that you’re using resolves to the main machine. If you’re getting Connection timed out from remote, that is a typical behavior of main dropping incoming packets due to firewall configuration. If everything is working, go ahead and approve that certificate.
- Next, you’ll see a new connection from remote in that same Incoming Connections tab of the Gateway Network configuration on main. This is where you’d approve the connection itself.
Hope this helps. Definitely sounds like firewall could be the issue here.
Thank you for this. It seems so straightforward that I’m baffled why I’m having trouble. Where I am is at #3: I don’t get the certificate appearing on the Incoming Connections tab. I am using the IP address in place of a hostname, so it should find it just fine. I’ll try to post a pic of the exact error from the remote:
Yes, that sure sings of firewall blockage. Did you check that the incoming rule that you created (on main in my example) for port 8060/tcp applied to all profiles (Public, Private, Domain)? I’m wondering if there are other GP rules getting in your way here.
Yes, the incoming rule applies to all, but I don’t think the policy is allowing the rule to be used, because when I look at the list of active rules the ones I created don’t show there. Guess I’ll have to go back to the end user and see about modifying the group policy. Thanks for the help.
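The checks discussed above (TCP reachability of main on 8060/8088/8043, which firewall profiles are active, and whether a locally created rule is actually in the enforced rule set or being overridden by Group Policy) can be scripted. This is an added example, not code from anyone in the thread; the main gateway address is a placeholder and the port list is taken from the ports mentioned here.

```powershell
# Added example. Section 1 runs on the REMOTE gateway PC, sections 2-3 on MAIN.
# Placeholder: replace with the main gateway's IP or hostname.
$MainHost    = 'MAIN_GATEWAY_IP_OR_HOSTNAME'
$Ports       = @(8060, 8088, 8043)   # GAN, HTTP, HTTPS ports named in the thread
$PortStrings = $Ports | ForEach-Object { "$_" }

# --- 1. On REMOTE: does a TCP handshake actually reach MAIN on each port? ---
# Ping succeeding while TCP fails is the "connection timed out" pattern that
# points at MAIN's firewall dropping the inbound packets.
foreach ($p in $Ports) {
    $r = Test-NetConnection -ComputerName $MainHost -Port $p -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED/CLOSED' }
    '{0}:{1} -> {2} (ping={3})' -f $MainHost, $p, $state, $r.PingSucceeded
}

# --- 2. On MAIN: which profiles are on, what is the default inbound action,
# and does the (possibly GPO-managed) profile merge local rules at all?
# If AllowLocalFirewallRules is False for the active profile, rules created
# locally are ignored by design, which matches "my rules are not in the active list".
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, AllowLocalFirewallRules

# --- 3. On MAIN: enforced inbound rules that open any of the ports above.
# ActiveStore is the merged, effective policy (local + Group Policy);
# PolicyStoreSourceType tells you whether each rule comes from Local or GroupPolicy.
Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        ($pf.Protocol -in @('TCP', 'Any')) -and
        (@($pf.LocalPort) | Where-Object { $_ -eq 'Any' -or $_ -in $PortStrings })
    } |
    Select-Object DisplayName, Profile, Action, PolicyStoreSourceType, PolicyStoreSource
```

If section 3 lists no Allow rule for 8060/tcp on the profile that section 2 shows as active, the rule exists only in the local persistent store and the policy change has to come from the GPO side.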
If you’re able to reach the gateway webpage of main via 8088 (from remote), you could try disabling SSL on the Gateway Network configuration and direct the outgoing connection on remote to use main at port 8088 and no SSL. That might allow you to get your development going in the meantime, knowing that you’ll just want to adjust that config for production.
Just tried that and I cannot reach the gateway webpage either. I’m thinking this means they got this locked down TIGHT. I think this also means trying to connect to main for any Perspective clients won’t work either. I wonder how many ports I’ll have to have their policy adjust for?
I’d shoot for
Awesome. What’s 8043 for?
It is used if you enable TLS on the gateway (it is independent from the TLS on Gateway Network connections via 8060). If you’re going to set up fw rules, might as well include this port as well so you have the option of setting that up [to replace standard http via 8088 with https via
Thank you very much for all the help!