
IXON TR001 - Remote Access Advanced Training v0.1

IXON, Netherlands: IXON Cloud is the all-in-one platform that makes remote access and IIoT easy and accessible for everyone. Developed by engineers, for engineers.

TR001 - Remote Access Advanced

IXON Training
Agenda
■ Introduction
■ Remote Access fundamentals
■ Configuration options for the edge devices
■ How to organise your fleet?
■ Default permissions and access rights set-up
■ How to convince your customer
■ Security recommendations
■ Troubleshooting
Introduction

■ Trainers
■ Participants

“What do you want to achieve?”


Wi-Fi

■ SSID: IXON Guest


■ Password: ixoncloud
Schedule

■ Breaks & Lunch


■ Please feel free to interrupt and ask questions
Remote Access fundamentals
Step 1: Setting up your company account
The IXON Cloud is split into four different apps:
■ IXON Cloud Portal
■ IXON Cloud Admin
■ IXON Cloud Fleet Manager
■ IXON Cloud Studio
Configuration options

The following things can be configured in your company account


■ Branding
■ User Management
■ Pages
○ Cards
○ Main pages
■ Custom fields
■ Filtering
Step 2: How to get a router online?

4 configuration options
1. Via USB-file
2. Via The IXrouter’s Local Web Interface
a. Some unique features
3. Using the Router API (advanced)
Only available after the initial configuration:
4. Changing settings in the IXON Cloud Fleet Manager
Networking basics
IP-addresses: unique address
Subnet: determines network part and host part
Port: “communication door” in a host
Protocol: “language” to speak (HTTP for web browser)
DNS: human readable name to IP-address
DHCP: automatic IP-addresses in a network
VPN: tunnel over internet from one IP-address to another IP-address
Firewall: Guarded gateway of a company network
General router settings
Automatic initial configuration
Basic router settings
■ Network settings
○ WiFi Hotspot
○ Failover
■ Reboot
■ Recovery mode
Additional functionalities:
■ Services
○ LAN Access Management
■ Data sources
The Local Web Interface
Settings in the Local Web Interface
■ Current network configuration
○ Actual status
○ Signal strength
■ Change network configuration
○ Additional settings
■ Diagnostic tools
○ Network utilities
Step 3: Connect to your machine
■ VPN is configured automatically
■ VNC / HTTP services can be added for quick access
Exercise remote access
Create an HTTP connection to your HMI
■ IP address: 192.168.140.10
■ Port: 8080
■ Default landing page: /webvisu.htm
■ Access category HTTP

Hint:
1. In which app can you configure the router?
2. Search for “HTTP service” on support.ixon.cloud
Configuration options for the edge devices
Fleet Manager
How to organise your fleet?
Naming & Custom fields
Groups

A group is a selection of devices and users. You can divide groups into different group types.
Default permissions and access rights set-up
Roles

A role is a selection of permissions. There are admin and device permissions, and you can add access categories.
Access Categories

An access category is a selection of pages and services.

Access categories for Remote Access Cloud:
■ VPN
■ VNC
■ HTTP

Access categories for Service Lifecycle Cloud:
■ Alarms and Notifications
■ Data dashboards external
■ Data dashboards internal
Set up user management for a device

Fleet Manager > [select device]


■ Add groups
■ Select access categories
■ The default option
Invite users
Portal > Users
1. Select role
2. Select invitation language (optional)
3. Write a message (optional)
4. Select group or device (optional)
5. Temporary access (optional)
6. Send invite
What comes next?
Set up 2 factor authentication
Account > My profile
■ Login and Security
■ Choose authenticator
■ Backup Codes
■ Enforce 2FA company wide
Exercise User Management

1. Create 3 groups for each group type


2. Create 2 access categories
a. VPN
b. HTTP
3. Apply these new user rights to each role and device.
4. Configure the settings in the IXrouter
5. Configure the settings for a user
Exercise troubleshooting

■ No access to VPN and connect buttons


How to convince your customer
On-premise

Cloud
■ Safer by default
■ Easy deployment
■ Worry-free
■ Scalable
■ Lower latency
■ Easier access
On-premise
1. Complete control
2. Single-tenant
3. Safer by default

Cloud
1. Quick deployment
2. Worry-free IT
3. Scalability
4. Lower latency
5. Access anywhere
Setting up a server is easy

Maintaining a server is hard


The security framework

■ ISO 27001 certified Information Security Management System (ISMS)
■ IT Security Breach protocol
■ Centralized logging system
■ Automated anomaly detection system
■ Vulnerability audits by an external party
■ Audit trail system
■ Multi-factor authentication
■ Audited by our white-label partners
■ Audited by Chubb Cyber-risk Insurance
■ 24/7 real-time monitoring
■ Redundant servers at various locations for lower latency
Keeping your servers up-to-date

■ Access management
■ Patching
■ Penetration testing
■ Server scaling
■ Server redundancy
■ Server hardening
■ Vulnerability auditing
■ Monitoring
■ Log analysis
■ Firewall configuration
■ Clean-up
Communication to the customer

■ Start early in the process when selling the machine


■ Talk to the right people (not the operator)
■ Bring it up yourself
Tools

■ Intake form
■ Security Commitment Declaration (link)
■ Security White Paper (link)
■ ISO certifications:
○ ISO 9001
○ ISO 27001
○ ISO 27017
○ ISO 27701
○ IEC 62443 (-4-1 and -4-2)
Security recommendations
A word from our Security Officer

■ Passwords should be
○ At least 12 characters, preferably 16+
○ Unique
○ Combined with 2FA (enable and enforce it)
■ Accounts should not be shared
■ Sanitize your access tokens regularly
■ Review the audit trail regularly
■ Permissions should be given based on the principle of least privilege, but without creating a single point of failure
○ Give people no more access than needed, but make sure you retain access if someone is unavailable
○ Train people on proper conduct before you give them permissions to change something
■ Local firewall configuration
○ Only open the ports (outgoing) needed for communication to the IXON Cloud
○ Whitelist only the IXON Cloud servers (whitelist.ixon.cloud)

■ IXrouters
○ Restrict physical access to the router
○ Do not change the default firewall settings if not necessary
○ Update router firmware whenever possible (especially for security improvements)
○ Change the IXrouter web UI password to something strong and unique
■ IXagents are a valid way to connect to the IXON Cloud, but they lack a firewall, and this has security consequences

■ Subscribe to status.ixon.cloud
■ Keep an eye out for our security advisories
Troubleshooting
Explaining terms

■ Configuration connection
■ VPN connection
■ What is LAN/WAN
■ TCP and UDP
■ Broadcast address
■ TAP-Adapter
Unable to connect your IXrouter to the platform

● Causes:
○ Firewall issues:
■ Outgoing port 443 not open;
■ MQTT is working, but VPN is blocked (stealth mode).
○ Configuration issues
■ Configuration file not correct: IXrouter.conf
■ Configuration not correct (LAN/WAN conflict);
■ Using Wi-Fi or cellular: signal strength or signal settings.
● Tools:
○ IXrouter LEDs
○ IXrouter’s local web interface
○ Connection details (e.g. firewall)
Unable to establish a VPN connection

● Most common causes:


○ Firewall issues:
■ National firewall (stealth mode);
■ Computer/company firewall (check with phone hotspot).
○ Other VPN connection active and using TAP adapter;
○ Antivirus program (temporarily turn off and check again).
● Tools:
○ Error codes: 113/213/313, 710, 741, 743/744, 746.
Unable to connect over VNC/HTTP

1. Can you ping the PLC or HMI?
2. Does it work when you’re using VPN?
a. HTTP: set up a VPN connection, open a new tab and enter the IP address of the PLC;
b. VNC: set up a VPN connection, open a VNC client (like RealVNC) and enter the IP address of the PLC.

Troubleshoot VNC/HTTP
Unable to connect to the PLC

1. Is the VPN connection active?
○ Click on [Connect].
2. Can I ping the PLC’s IP address? Can I ping the LAN side of the IXrouter?
○ Unable to ping PLC but able to ping LAN side? Check whether PLC and IXrouter IP address are in the same range.
○ Are there any IP conflicts?
3. Am I connecting using a broadcast or a specific IP address?
○ Some programs, like TIA Portal, allow you to connect to both a specific IP address and broadcast to see which devices are connected.
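
The range, conflict and broadcast checks from steps 2 and 3, as an added example that is not part of the IXON training material. The router LAN address 192.168.140.1/24, the device names and the "plc" and "drive" addresses are constructed assumptions; 192.168.140.10 is the HMI address from the remote access exercise.

```python
import ipaddress
from collections import Counter

def check_lan(router_lan, devices, target):
    """Return a list of findings for the LAN behind a router.

    router_lan: router LAN address with prefix length, e.g. "192.168.140.1/24"
    devices:    {name: ip} of the machines behind the router
    target:     the address typed into the engineering tool
    """
    iface = ipaddress.ip_interface(router_lan)
    net = iface.network
    addrs = {name: ipaddress.ip_address(ip) for name, ip in devices.items()}
    # Count every address in use, the router's own LAN address included.
    in_use = Counter([iface.ip, *addrs.values()])
    findings = []
    for name, addr in addrs.items():
        if addr not in net:
            findings.append(f"{name}: {addr} is outside the router LAN range {net}")
        elif addr in (net.network_address, net.broadcast_address):
            findings.append(f"{name}: {addr} is a reserved address in {net}")
        if in_use[addr] > 1:
            findings.append(f"{name}: {addr} conflicts with another host")
    dest = ipaddress.ip_address(target)
    if dest in (net.broadcast_address, ipaddress.ip_address("255.255.255.255")):
        findings.append(f"target {dest} is a broadcast address, not a specific host")
    elif dest not in net:
        findings.append(f"target {dest} is outside the router LAN range {net}")
    return findings

# Constructed sample data (assumed values, see the note above the block).
ROUTER_LAN = "192.168.140.1/24"
DEVICES = {
    "hmi": "192.168.140.10",    # HMI address from the exercise
    "plc": "192.168.141.20",    # wrong third octet: not in the router's range
    "drive": "192.168.140.1",   # same address as the router's LAN side
}

if __name__ == "__main__":
    for line in check_lan(ROUTER_LAN, DEVICES, "192.168.140.255"):
        print(line)
```

An empty list means none of these three causes applies, so the next thing to check is the VPN connection itself.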

Connect to your machine


Resource center - Need help?
Need help? button on portal.ixon.cloud (no ad-blocker and only for platform administrators)
Here you can find all websites:
■ status.ixon.cloud
■ support.ixon.cloud
■ developer.ixon.cloud
Or contact support: [email protected]
Support website
Generating a log file for IXON Support

What if the IXrouter still won’t come online?


1. (If applicable) Wait for the problem to occur
2. Important: leave the IXrouter on
3. Insert an empty USB flash drive into the IXrouter
4. Important: wait 2 minutes
5. Remove the USB flash drive from the IXrouter
6. Send the file called "log" to [email protected] and describe the issue that the customer is experiencing
Is the USB flash drive still empty? Check if it's formatted as FAT/FAT32 or try using a different USB flash drive.
Any more questions?
Thank you!
