7 Replies Latest reply on Jul 26, 2013 1:38 PM by IPCOSRumaila

    Redirect PI-access through Port-forwarding

    IPCOSRumaila

      Hi,

      We have the problem that our PI Server lives behind a firewall, outside the network. We access the data on the PI Server through PI AF, which is inside the network. Unfortunately it is not enough to enable access to port 5450 from the PI AF server to the PI Server in the firewall. All PI AF clients collect the information about the PI Point (tag and server) from the PI AF server and then connect directly to the PI Server on port 5450. Unfortunately it is not possible to open port 5450 for traffic from all possible clients to the PI Server. One solution would be to configure the PI Points on the AF server to point to a machine inside the network and then forward all traffic on port 5450 on that machine to the PI Server, port 5450. Could such a solution work?

      I tried it, but I keep on getting the response

      --------------------
      Error
      --------------------
      [-10727] PINET: RPC is Non-Existent.
      --------------------
      OK
      --------------------

      Any advice on this topic is much appreciated!

      Regards,

      Henk

        • Re: Redirect PI-access through Port-forwarding

          Install a PI Server inside of your network and set up bi-directional PI to PI interfaces between the internal and external PI Servers (or span a PI Collective across the firewall). Port 5450 need only be open between your PI to PI interface node and the external PI Server.

          Re-address your AF Attributes to the internal PI Server/internal collective member.

          Use PI Cloud Connect (depends on your data requirements for clients).

          Why are the users and the PI Server separated by a firewall that you can't open up 5450 through to your client IP range?

            • Re: Redirect PI-access through Port-forwarding

              It's important to note the AF Server is a meta data store (dictionary) of PI Points, it doesn't actually make the data requests to the PI Server. The PI Point DR is executed on each client...which I think you've come to realise.
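Since the PI Point data reference is resolved on each client, the set of PI Servers your clients will open port 5450 to is exactly the set of server names in the AF attributes' config strings. The script below is an added example (not code from the thread or from OSIsoft) that audits a list of PI Point config strings for the servers they reach and re-addresses them to an internal server, as Rhys suggests. It assumes the config-string form `\\PIServer\TagName` with optional `;Key=Value` options; the element paths, tag names and server names are constructed for the example.

```python
r"""
Added example (not from the original thread): audit the PI Point data
references of AF attributes to find which PI Servers each client will
contact on port 5450, and re-address them to an internal PI Server.

Assumptions (not stated on the page):
  - PI Point DR config strings have the form \\PIServer\TagName,
    optionally followed by ;Key=Value options (e.g. ;ReadOnly=True).
  - The attribute list below is constructed sample data.
"""
import re
from collections import defaultdict

# Constructed sample: (element path, attribute name, PI Point config string)
SAMPLE_ATTRIBUTES = [
    ("Field\\Well-01", "Pressure", r"\\PI-EXTERNAL\W01.PT.101"),
    ("Field\\Well-01", "Temperature", r"\\PI-EXTERNAL\W01.TT.102;ReadOnly=True"),
    ("Field\\Well-02", "Pressure", r"\\pi-external\W02.PT.101"),
    ("Plant\\Boiler", "Steam", r"\\PI-PLANT\B1.FT.200"),
]

# \\server\tag followed by optional ;options (server may not contain \ or ;)
_CONFIG_RE = re.compile(r"^\\\\(?P<server>[^\\;]+)\\(?P<tag>[^;]+)(?P<opts>;.*)?$")


def parse_config(config):
    """Split a PI Point config string into (server, tag, options)."""
    m = _CONFIG_RE.match(config)
    if not m:
        raise ValueError(f"not a PI Point config string: {config!r}")
    return m.group("server"), m.group("tag"), m.group("opts") or ""


def servers_reached(attributes):
    """Map each PI Server name (upper-cased, since names are case-insensitive)
    to the attributes pointing at it. Every server listed here is one the
    clients will connect to directly on port 5450."""
    by_server = defaultdict(list)
    for element, attr, config in attributes:
        server, _, _ = parse_config(config)
        by_server[server.upper()].append(f"{element}|{attr}")
    return dict(by_server)


def readdress(config, old_server, new_server):
    """Point a config string at new_server, keeping tag and options intact.
    Strings that reference a different server are returned unchanged."""
    server, tag, opts = parse_config(config)
    if server.upper() != old_server.upper():
        return config
    return f"\\\\{new_server}\\{tag}{opts}"


def readdress_all(attributes, old_server, new_server):
    """Apply readdress() to every attribute, returning a new list."""
    return [(e, a, readdress(c, old_server, new_server)) for e, a, c in attributes]


if __name__ == "__main__":
    for server, attrs in servers_reached(SAMPLE_ATTRIBUTES).items():
        print(f"{server}: {len(attrs)} attribute(s); clients need 5450 to this host")
    for e, a, c in readdress_all(SAMPLE_ATTRIBUTES, "PI-EXTERNAL", "PI-INTERNAL"):
        print(e, a, c)
```

In practice you would feed this the config strings exported from the AF database (for example via PI Builder) rather than the constructed list, and compare the server set it reports against the hosts your firewall actually permits on 5450.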

              • Re: Redirect PI-access through Port-forwarding
                IPCOSRumaila

                Hi Rhys,

                Thanks for your answer(s). It confirms the ideas I had on how things work. It crossed my mind to set up a PI Server inside the client network that connects to the external PI Server, but that sounds like a heavy solution. In case port forwarding could solve the problem, that would be much simpler?

                Still not clear whether that could work.

                Regards,

                Henk

                  • Re: Redirect PI-access through Port-forwarding

                    Hello Denis,

                    The communication from a client to a PI Server through the PI SDK requires port 5450. Please also see Technical Support KB 2820OSI8 - Which firewall ports should be opened for a PI Server?

                    Rhys raised 2 important questions that you haven't answered yet.

                    1. Why is the PI Server placed behind the firewall?
                    2. Why is opening port 5450 not an option?

                    I can only guess that your PI Server is placed within the control network and that access from the office to the control network is strongly restricted by your company's IT policy. My suggestion is to place the PI Server in the office network beside the AF Server. If there are concerns preventing you from doing so, please let's discuss those.

                      • Re: Redirect PI-access through Port-forwarding
                        IPCOSRumaila

                        Hi Gregor,

                        Thanks for pointing us to the unanswered questions ;-). We are implementing a solution for a client, so we see the network layout a bit as "given"; not that we cannot discuss it. I guess the fact that the PI Server and the users of the PI Server are separated by the firewall is related to the way the PI Server is filled with data (data comes from wireless sensors outside of the network). We may bring up the idea of putting the PI Server inside the network, but this will probably cause ports to be opened to the receiving side, which may be even worse.

                        By default IT would like to open up port 5450 only to a limited number of (servers), but opening the port for clients as well would be our preferred solution. In case this is rejected, we have to find another solution.

                        Regards,

                        Henk

                          • Re: Redirect PI-access through Port-forwarding
                            mhamel

                            @Henk: The PI Server does not support port forwarding. With the constraints you have, not a lot of options are available to you. You need to "limit" who or what can traverse the firewall, so I think the best way is using a PI to PI interface and another PI Server on the corporate network side.

                            Otherwise, you would need to make some changes to the "given" network. Most companies utilize a DMZ to put the PI Server behind two firewalls, one to protect the process control network and the other to separate it from the corporate network. In this case, you could opt for opening port 5450 from the corporate side. This could look like the figure below.

                            [Figure: 3010.sc1.png]

                            I hope this helps!
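The two-firewall layout above is only as good as the rule sets on both firewalls, so it is worth writing down the flows the design is supposed to allow and deny and checking them before the change request goes to IT. The following is an added example, not code from the thread or from OSIsoft: a small first-match policy model with the corporate, DMZ and process control zones, a PI Server in the DMZ, a PI to PI interface node in the DMZ, and the control-network PI Server. The addresses, host names and rule set are constructed for this example; only port 5450 comes from the thread.

```python
r"""
Added example (not from the original thread): a first-match firewall
policy model for the DMZ layout discussed above, with a checker for the
invariants that layout is meant to guarantee:
  - corporate clients and the AF server reach the DMZ PI Server on 5450,
  - only the PI to PI interface node crosses into the control network,
    and only to the control PI Server on 5450,
  - nothing in the corporate zone reaches the control network directly,
  - other ports from corporate into the DMZ stay closed.

Assumptions (not stated on the page): the zone ranges, host names,
addresses and rule set below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ZONES = {  # constructed address plan
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("10.30.0.0/24"),
}
HOSTS = {  # constructed host names
    "af-corp": "10.10.0.20",      # PI AF server in the corporate zone
    "client-corp": "10.10.5.77",  # a PI client in the corporate zone
    "pi-dmz": "10.20.0.5",        # PI Server placed in the DMZ
    "pitopi-dmz": "10.20.0.6",    # PI to PI interface node in the DMZ
    "pi-control": "10.30.0.5",    # PI Server in the process control network
}


@dataclass(frozen=True)
class Rule:
    src: str                # a host name from HOSTS or a zone name from ZONES
    dst: str
    dport: Optional[int]    # None means any TCP port
    action: str             # "allow" or "deny"


def zone_of(addr):
    """Return the zone name containing addr, or raise if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    raise ValueError(f"{addr} is in no known zone")


def _matches(selector, addr):
    """A selector matches either one exact host or every host in a zone."""
    if selector in HOSTS:
        return HOSTS[selector] == addr
    return zone_of(addr) == selector


POLICY = [
    # Corporate-side firewall: 5450 to the DMZ PI Server only.
    Rule("corporate", "pi-dmz", 5450, "allow"),
    # Control-side firewall: only the PI to PI node, only to the control PI, only 5450.
    Rule("pitopi-dmz", "pi-control", 5450, "allow"),
    # Explicit default denies between zones.
    Rule("corporate", "dmz", None, "deny"),
    Rule("corporate", "control", None, "deny"),
    Rule("dmz", "control", None, "deny"),
]


def evaluate(src_addr, dst_addr, dport, policy=POLICY):
    """First matching rule wins; traffic inside one zone is not firewalled;
    cross-zone traffic with no matching rule is denied."""
    if zone_of(src_addr) == zone_of(dst_addr):
        return "allow"
    for r in policy:
        if _matches(r.src, src_addr) and _matches(r.dst, dst_addr) and r.dport in (None, dport):
            return r.action
    return "deny"


def check_layout(policy=POLICY):
    """Evaluate every invariant of the DMZ design; all values should be True."""
    h = HOSTS
    return {
        "client_reaches_dmz_pi": evaluate(h["client-corp"], h["pi-dmz"], 5450, policy) == "allow",
        "af_reaches_dmz_pi": evaluate(h["af-corp"], h["pi-dmz"], 5450, policy) == "allow",
        "client_blocked_from_control": evaluate(h["client-corp"], h["pi-control"], 5450, policy) == "deny",
        "pitopi_reaches_control": evaluate(h["pitopi-dmz"], h["pi-control"], 5450, policy) == "allow",
        "dmz_pi_blocked_from_control": evaluate(h["pi-dmz"], h["pi-control"], 5450, policy) == "deny",
        "other_ports_blocked": evaluate(h["client-corp"], h["pi-dmz"], 445, policy) == "deny",
    }


if __name__ == "__main__":
    for name, ok in check_layout().items():
        print(f"{'PASS' if name and ok else 'FAIL'}  {name}")
```

Drop a rule from `POLICY` or widen the PI to PI rule to the whole DMZ zone and `check_layout()` reports which invariant breaks; that is the same question IT will ask when reviewing the firewall change, so it helps to have the answer in writing.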