What is the best practice? My users want to access PI Vision from outside of the corporate network on their mobile devices. Where should I put PI Vision? Would it be safe to make it a public-facing server?
We've been able to do it with corporate managed mobile devices and a VMware mobile browser that has a connection to white-listed sites to access internal web pages, but that's all the details I'm allowed to know as a mortal staring upon the Mt Olympus where the security and telecom gods live.
You can expose your PI Vision server to the internet while still using Windows Integrated Security.
If you are running PI Vision 2016R2+, you can take advantage of claims-based authentication as long as your Active Directory Identity Provider (IdP) supports either OpenID Connect or WS-Federation (i.e. ADFS).
I would suggest reviewing the following resources. They are written for PI Web API, but a similar process is possible for PI Vision. If you do wish to implement it, just let me know and I can provide some more information or contact our Tech Support team who can provide you with the details.
PI Web API - Configure Claims to Windows Token Service
Claims-based authentication in PI Web API 2017
Definitely doable. PI Vision in the internet zone, PI Web API in the DMZ and the servers inside should provide the appropriate zoning. Of course, you should include things like server hardening best practices.