VNC Connection from Perspective page

Ignition
1

Hi,

I’m on a project looking to consolidate all of the different operations into one portal: an Ignition Perspective page. One of the absolute requirements is they need to VNC to site computer running specialized software. Anyone know of where to start for building out an embedded VNC client?

I dont think this option exists for perspective, I’m thinking of hosting a react page that handles this function, that they can reach with a link in the Perspective app. Of course any perspective authentication functionality would be lost, but they’ve already authenticated to the network with a VPN connection, and should therefore have access anyway.

1 Like
2

A couple candidates jumped right out of duckduckgo:

and

https://guacamole.apache.org/

The latter uses the Apache Software License, which is compatible with building an Ignition module, fwiw.

3

Thanks. I was able to get guacamole up and running and connect to my vnc hosts. Putting my apache server’s address in a iframe component worked pretty nicely.

Now I’m just trying to figure it out so that the Ignition application acts as a kind of proxy for accessing that server. It would be nice if that guacamole web page was only accessible from within an authenticated perspective session. Anyone have any thoughts of where to start?

4

The VNC Repeater function may be what you’re looking for. Just as a guess, you’ll need to install guacamole on the Ignition server and route from there.
https://guacamole.apache.org/doc/gug/configuring-guacamole.html

OT: Now I’ll have to set up guacamole and play with it. I blame Phil for this. :wink:

2 Likes
5

Hrm, not sure that’s what i’m looking for.

I’ve got guacamole up and running on my ignition server, and can access it on the local network either in my browser or in an iframe.

What I want to do is only expose my Ignition application to the user, so the user connects to it, and then the application has a page that displays the guacamole web page. But as I understand it, iframe’s dont work as a proxy, they just link the user directly to the url.

6

Were you ever able to come up with a Guacamole configuration that does what you mention here.

“What I want to do is only expose my Ignition application to the user, so the user connects to it, and then the application has a page that displays the guacamole web page.”

I am looking to do the same thing. But just as you eluded, I want the Ignition server to connect to the VNC device and present it in the Perspective view. I can’t provide network access between the user and the VNC device, that would be the role of the Perspective/Ignition server.

7

in the end we decided users should use vpn to connect to our main network where Ignition and Guacamole was hosted. To see the remote computer we had a button that opened in a new tab the guacamole connection. by default they will have to sign in with separate guacamole credentials, but its possible to set it up for SSO. VPN users couldnt reach the remote computer normally, but the guacacmole server had a special route to the remote computer.

8

Thanks for the response. We have been looking at a number of ways to skin this one while keeping appropriate secure access for the user. Your comments added a few details that we can mix with previous ideas. Thanks again.

9

Thanks for all the information! I was able to use noVNC with the Web Dev module (mounted the Embedded files to the Gateway, then linked to it with an inline frame) and websockify as a proxy.

This appears to work well when connecting to computers, but I am having issues using it to connect to PanelView terminals, which use TightVNC internally for their server. Only a few lines of the picture are displayed (same when using noVNC’s online version).

image
image832×548 3.82 KB

If left on and the screen keeps change (i.e. someone else working with it), more lines get added.

image
image819×524 3.95 KB

Here is what is read by the noVNC and thrown to the Console in the Ignition Designer:
14:52:54.680 [Browser Thread: 57167] INFO Perspective.Designer.Workspace - Server ProtocolVersion: 003.008
14:52:54.772 [Browser Thread: 57167] INFO Perspective.Designer.Workspace - Screen: 640x480, bpp: 16, depth: 16, bigEndian: 0, trueColor: 1, redMax: 31, greenMax: 63, blueMax: 31, redShift: 11, greenShift: 5, blueShift: 0

The encoding is also “raw”, not “tight” like TightVNC’s name would imply.

I’ve scoured the support forums for Rockwell Automation, Inductive Automation, and noVNC, but I have not found a working solution. Has anyone found a better HTML5 browser to use (couldn’t get Guacamole to work), or found the magic settings/adjustments in the javascript files noVNC gives to make this work correctly? Or, is there a different approach I should be using (i.e. having buttons that open up a VNC client to the desired server)?

Thanks!

10

Hi mate,

Thanks for sharing the information.

I am in the same situation as you for connection to panelview VNC.
Have you found a solution to it?

11

We use Guacamole in Docker.

You can even find some image with everything preinstalled in one docker.

Then integrate the guacamole webpage inside perspective.

1 Like
12

I have a project going trying to implement VNC to control HMI panels trough Ignition.
Got the idea from the forums here to use Guacamole from Apache.

After a lot of trial and error installing Guacamole on docker desktop (never used docker before), i finally got it up and running as a trial on my own computer. Worked great, I just integrated guacamole with an inline frame in perspective. Log into guacamole and VNC connection is displayed in the view.

Then I installed it on the Ignition server that is running SSL, I realized that the browser will not let you view http content on a https website…

Does anyone have an idea on how to best solve this?

From a searching around I found that the best way of solving this problem was using Nginx Proxy Manager in docker as an reverse proxy to redirect and add encryption.
After following the tutorial below, step by step, using my guacamole ip, I cant get it to work.
Nginx short tutorial

Iv also been thinking that the best way would be to implement it into the ignition webserver, and have it locked away behind the ignition IDP, but I’m not even sure if this is possible.

I’m not an IT guy so I guess the main problem is between the chair and keyboard as usual… :sweat_smile:
I could just link to the site with a button, but that’s not ideal.

Here is my notes for installing guac in docker on a windows server, if anyone is struggling like I did.
Most guides online, install guacamole on docker from linux, so I couldn’t find any clear instructions on how to do it. Using PowerShell is slightly different.

Guacamole install notes

Docker / guacamole notes:

Activate nested virtualization on host machine:
Powershell command:
Note: VM must be turned off.
Set-VMProcessor -ExposeVirtualizationExtensions $true

Check status:
(Get-VMProcessor ).ExposeVirtualizationExtensions

Download images:
docker pull guacamole/guacamole
docker pull guacamole/guacd
docker pull mysql/mysql-server

Change powershell folder:
cd .\DockerFiles\

Generate a one-time password for MySQL root. View the generated password in the logs:
docker run --name guac-mysql -e MYSQL_RANDOM_ROOT_PASSWORD=yes -e MYSQL_ONETIME_PASSWORD=yes -d mysql/mysql-server

docker logs guac-mysql
[Entrypoint] GENERATED ROOT PASSWORD: MyLongOneTimePassword

Rename and move initdb.sql into the MySQL container.
docker cp initdb.sql guac-mysql:/guac_db.sql

Open a bash shell within the MySQL Docker container.
docker exec -it guac-mysql bash

Within the bash shell prompt for the container, log in to mysql as the root user:
mysql -u root -p

TYPE! the password generated: MyLongOneTimePassword

While in the mysql prompt, change the root password, create a database, and create a new user for that database. When running the below commands, replace any instance of password with a secure password string for the mysql root user and the new user for your database, respectively.

ALTER USER ‘root’@‘localhost’ IDENTIFIED BY ‘MyRootPassword’;
CREATE DATABASE guacamole_db;
CREATE USER ‘MyUserName’@‘%’ IDENTIFIED BY ‘MyUserPassword’;
GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO ‘MyUserName’@‘%’;
FLUSH PRIVILEGES;

Exit mysql bash shell:
quit

///DOES NOT WORK
While in the bash shell, create tables from the initialization script for the new database.
cat guac_db.sql | mysql -u root -p guacamole_db
///DOES NOT WORK — Possibly due to UTF16/UTF8 problems in powershell.

WORKAROUND (FINNALY)
Open a new powershell thats not in the container:

cat ‘.\DockerFiles\initdb.sql’ | docker exec -i guac-mysql mysql -u root -pMyRootPassword guacamole_db
/// if & is used in your password, type “&” instead

Test:
If you’d like, you can verify that the tables were successfully created by logging back into the mysql prompt and viewing the tables in the database:

mysql -u MyUserName -p
USE guacamole_db;
SHOW TABLES;

quit

Back to powershell:
Start guacd in Docker:

docker run --name name_guacd -d guacamole/guacd

Start guacamole in Docker, making sure to link the containers so Guacamole can verify credentials stored in the MySQL database. Replace the value for MyUserPassword with the password you configured for the MySQL database user MyUserName.

docker run --name name_guacamole --link name_guacd:guacd --link guac-mysql:mysql -e MYSQL_DATABASE=guacamole_db -e MYSQL_USER=MyUserName -e MYSQL_PASSWORD=MyUserPassword -d -p 8089:8080 guacamole/guacamole

To verify that all the docker containers are running properly, run the following command.
docker ps -a

Your guacamole is now available on localhost:8089/guacamole
Open port on all firewalls to make it accessible from the internet.

2 Likes
13

Did you ever get this to work? We're looking at options for remote access to PanelViews from perspective. It might be a no-go for us if we can't connect to panelviews via novnc.

14

A no-go for Ignition? Or for Perspective? Because a Vision client can launch any external VNC viewer you like.

15

Perspective. I see that cwells above was having issues with PanelView screens. He was able to connect using noVNC but he can't see anything.

16

Did you try Guacamole ? Docker
We use that with siemens panel view and rockwell panelview without any issues

2 Likes
17

Guacamole should work as @Arnaud_Declerck mentioned. Your URL for Guacamole inside Vision or Perspective will follow this format (once you create your connections and users inside Guacamole):

http://192.168.10.40:8080/#/client/MQBjAHBvc3RncmVzcWw/?username=guacadmin&password=guacadmin

Just substitute your base URL, username, and password. One key thing is that if you're using SSL (HTTPS) on Perspective, you'll also need to make sure Guacamole is using HTTPS as well, otherwise the connection won't work.

1 Like
18

I did use Guacamole with Rancher Desktop on a Windows Machine for the VNC connection (Rancher Desktop instead of Docker, since it is open-source).

I got this to work for one client, but for another one, their version of Windows did not support it (requires support of Windows Subsystem for Linux - 2 (WSL-2)), so we used Viewpoint on the PanelView instead. Viewpoint works fine (separate client from local, but only supports one client), though earlier versions of PanelViews will not support it, since they use Microsoft SilverLight (which is not supported by browsers anymore).

For both cases (Guacamole or Viewpoint), I used a "Navigation" link on the "OnActionPerformed" event of a button set to the URL of the PanelView's ViewPoint link and to "Open in new tab", and set the "Tab/Window Links" option in the Perspective Workstation to "System Browser". This opened up a new instance of the client web browser with that particular program opened up. I was having issues with using an InlineFrame component with this, so I decided to go with this method instead.

19

The main "gotcha" with Viewpoint is that you can't see alarm banners if I recall correctly (unless that was an older version). It works OK but we had some clients with PanelViews that would show alarm banners for the alarms and they would never show up leading to the operators not realizing they were getting alarms because they weren't popping up. Not sure if there's other issues as we switched to VNC after that.

1 Like