
TR001 - Remote Access Advanced

IXON Training
Agenda
■ Introduction
■ Remote Access fundamentals
■ Configuration options for the edge devices
■ How to organise your fleet?
■ Default permissions and access rights set-up
■ How to convince your customer
■ Security recommendations
■ Troubleshooting

Introduction

■ Trainers
■ Participants

“What do you want to achieve?”

Wi-Fi
■ SSID: IXON Guest
■ Password: ixoncloud

Schedule
■ Breaks & Lunch
■ Please feel free to interrupt and ask questions
Remote Access fundamentals
Step 1: Setting up your company account
The IXON Cloud is split into four different apps:
■ IXON Cloud Portal
■ IXON Cloud Admin
■ IXON Cloud Fleet Manager
■ IXON Cloud Studio
Configuration options

The following things can be configured in your company account:
■ Branding
■ User Management
■ Pages
○ Cards
○ Main pages
■ Custom fields
■ Filtering
Step 2: How to get a router online?

4 configuration options
1. Via USB file
2. Via the IXrouter’s Local Web Interface
a. Some unique features
3. Using the Router API (advanced)
Only available after the initial configuration:
4. Changing settings in the IXON Cloud Fleet Manager
Networking basics
IP-address: unique address of a host
Subnet: determines the network part and the host part of an address
Port: “communication door” in a host
Protocol: “language” to speak (HTTP for a web browser)
DNS: human-readable name to IP-address
DHCP: automatic IP-addresses in a network
VPN: tunnel over the internet from one IP-address to another IP-address
Firewall: guarded gateway of a company network
General router settings
Automatic initial configuration
Basic router settings
■ Network settings
○ WiFi Hotspot
○ Failover
■ Reboot
■ Recovery mode
Additional functionalities:
■ Services
○ LAN Access Management
■ Data sources
The Local Web Interface
Settings in the Local Web Interface
■ Current network configuration
○ Actual status
○ Signal strength
■ Change network configuration
○ Additional settings
■ Diagnostic tools
○ Network utilities
Step 3: Connect to your machine
■ VPN is configured automatically
■ VNC / HTTP services can be added for quick access

Exercise remote access
Create an HTTP connection to your HMI
■ IP address: 192.168.140.10
■ Port: 8080
■ Default landing page: /webvisu.htm
■ Access category: HTTP

Hint:
1. In which app can you configure the router?
2. Search for “HTTP service” on support.ixon.cloud
Configuration options for the edge devices
Fleet Manager
How to organise your fleet?
Naming & Custom fields
Groups

A group is a selection of devices and users. You can divide groups
into different group types.

Default permissions and access rights set-up
Roles

A role is a selection of permissions. There are admin and device
permissions, and you can add access categories.
Access Categories

An access category is a selection of pages and services.

Access categories for Service

Access categories for Remote Access Cloud:
■ VPN
■ VNC
■ HTTP

Access categories for Lifecycle Cloud:
■ Alarms and Notifications
■ Data dashboards external
■ Data dashboards internal

Set up user management for a device

Fleet Manager > [select device]
■ Add groups
■ Select access categories
■ The default option
Invite users
Portal > Users
1. Select role
2. Select invitation language (optional)
3. Write a message (optional)
4. Select group or device (optional)
5. Temporary access (optional)
6. Send invite
What comes next?
Set up 2 factor authentication
Account > My profile
■ Login and Security
■ Choose authenticator
■ Backup Codes
■ Enforce 2FA company wide
Exercise User Management

1. Create 3 groups for each group type
2. Create 2 access categories
a. VPN
b. HTTP
3. Apply these new user rights to each role and device.
4. Configure the settings in the IXrouter
5. Configure the settings for a user

Exercise troubleshooting

■ No access to VPN and connect buttons

How to convince your customer
On-premise

Cloud
■ Safer by default
■ Easy deployment
■ Worry-free
■ Scalable
■ Lower latency
■ Easier access

On-premise
1. Complete control
2. Single-tenant
3. Safer by default

Cloud
1. Quick deployment
2. Worry-free IT
3. Scalability
4. Lower latency
5. Access anywhere

Setting up a server is easy
Maintaining a server is hard


The security framework

■ ISO 27001 certified Information Security Management System (ISMS)
■ IT Security Breach protocol
■ Centralized logging system
■ Automated anomaly detection system
■ Vulnerability audits by an external party
■ Audit trail system
■ Multi-factor authentication
■ Audited by our white-label partners
■ Audited by Chubb Cyber-risk Insurance
■ 24/7 real-time monitoring
■ Redundant servers at various locations for lower latency

Keeping your servers up-to-date

■ Access management
■ Penetration testing
■ Server redundancy
■ Server hardening
■ Patching
■ Server scaling
■ Vulnerability auditing
■ Firewall configuration
■ Monitoring
■ Log analysis
■ Clean-up
Communication to the customer

■ Start early in the process when selling the machine
■ Talk to the right people (not the operator)
■ Bring it up yourself
Tools

■ Intake form
■ Security Commitment Declaration (link)
■ Security White Paper (link)
■ ISO certifications:
○ ISO 9001
○ ISO 27001
○ ISO 27017
○ ISO 27701
○ IEC 62443 (-4-1 and -4-2)
Security recommendations
A word from our Security Officer

■ Passwords should
○ be at least 12 characters long, preferably 16+
○ be unique
○ be combined with 2FA (enforce it)
■ Accounts should not be shared
■ Sanitize your access tokens regularly
■ Review the audit trail regularly
A word from our Security Officer

■ Permissions should be given based on the principle of least privilege, but
without creating a single point of failure
○ Give people no more access than needed, but make sure you retain access if
someone is unavailable
○ Train people on proper conduct before you give them permissions to change
something

A word from our Security Officer

■ Local firewall configuration
○ Only open the ports (outgoing) needed for communication to the IXON Cloud
○ Whitelist only the IXON Cloud servers (whitelist.ixon.cloud)
■ IXrouters
○ Restrict physical access to the router
○ Do not change the default firewall settings if not necessary
○ Update router firmware whenever possible (especially for security improvements)
○ Change the IXrouter web UI password to something strong and unique

A word from our Security Officer

■ IXagents are valid to connect to the IXON Cloud, but they lack a firewall,
and this has security consequences
A word from our Security Officer

■ Subscribe to status.ixon.cloud
■ Keep an eye out for our security advisories
Troubleshooting
Explaining terms

■ Configuration connection
■ VPN connection
■ What is LAN/WAN
■ TCP and UDP
■ Broadcast address
■ TAP-Adapter
Unable to connect your IXrouter to the platform

● Causes:
○ Firewall issues:
■ Outgoing port 443 not open;
■ MQTT is working, but VPN is blocked (stealth mode).
○ Configuration issues:
■ Configuration file not correct: IXrouter.conf;
■ Configuration not correct (LAN/WAN conflict);
■ Using Wi-Fi or cellular: signal strength or signal settings.
● Tools:
○ IXrouter LEDs
○ IXrouter’s local web interface
○ Connection details (e.g. firewall)

Unable to establish a VPN connection

● Most common causes:
○ Firewall issues:
■ National firewall (stealth mode);
■ Computer/company firewall (check with a phone hotspot).
○ Other VPN connection active and using the TAP adapter;
○ Antivirus program (temporarily turn off and check again).
● Tools:
○ Error codes: 113/213/313, 710, 741, 743/744, 746.
Unable to connect over VNC/HTTP

1. Can you ping the PLC or HMI?
2. Does it work when you’re using VPN?
a. HTTP: set up a VPN connection, open a new tab and enter the IP address of
the PLC;
b. VNC: set up a VPN connection, open a VNC client (like RealVNC) and enter the
IP address of the PLC.

Troubleshoot VNC/HTTP
Unable to connect to the PLC

1. Is the VPN connection active?
○ Click on [Connect].
2. Can I ping the PLC’s IP address? Can I ping the LAN side of the IXrouter?
○ Unable to ping the PLC but able to ping the LAN side? Check whether the PLC and
IXrouter IP addresses are in the same range.
○ Are there any IP conflicts?
3. Am I connecting using a broadcast or a specific IP address?
○ Some programs, like TIA Portal, allow you to connect to both a specific IP
address and a broadcast to see which devices are connected.
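Step 2 above asks two concrete questions that are easy to get wrong by eye: is the PLC in the same IP range as the IXrouter's LAN side, and does any other device on that LAN already use the PLC's address? The following Python snippet is an added example written for this training page, not IXON code or part of the IXrouter; it uses the standard `ipaddress` module to answer both questions for a constructed LAN inventory. The router LAN address, netmask and device names are assumptions chosen to match the exercise's 192.168.140.x range.

```python
import ipaddress
from collections import Counter, defaultdict

def same_subnet(plc_ip, router_lan_ip, netmask):
    """True when the PLC address falls inside the IXrouter LAN subnet.

    strict=False lets us pass the router's host address instead of the
    network address; ip_network() derives the network from it.
    """
    lan = ipaddress.ip_network(f"{router_lan_ip}/{netmask}", strict=False)
    return ipaddress.ip_address(plc_ip) in lan

def find_ip_conflicts(hosts):
    """hosts maps device name -> IP string.

    Returns {ip: [names...]} for every IP claimed by more than one device,
    which is exactly the 'IP conflict' case the troubleshooting step asks about.
    """
    users = defaultdict(list)
    for name, ip in hosts.items():
        users[str(ipaddress.ip_address(ip))].append(name)
    return {ip: sorted(names) for ip, names in users.items() if len(names) > 1}

def diagnose(plc_name, hosts, router_lan_ip, netmask):
    """Run both checks and return a list of human-readable findings.

    An empty list means the PLC is in range and no address is duplicated;
    the VNC/HTTP problem then lies elsewhere (firewall, service config, ...).
    """
    findings = []
    lan = ipaddress.ip_network(f"{router_lan_ip}/{netmask}", strict=False)
    plc_ip = hosts[plc_name]
    if not same_subnet(plc_ip, router_lan_ip, netmask):
        findings.append(
            f"{plc_name} ({plc_ip}) is outside the IXrouter LAN {lan}; "
            f"fix the PLC address or the router LAN settings")
    for ip, names in sorted(find_ip_conflicts(hosts).items()):
        findings.append(f"IP conflict on {ip}: used by {', '.join(names)}")
    return findings

# Constructed inventory (assumption): IXrouter LAN side plus the devices
# behind it. The HMI deliberately reuses the PLC address to show a conflict.
ROUTER_LAN_IP = "192.168.140.1"
NETMASK = "255.255.255.0"
LAN_HOSTS = {
    "PLC": "192.168.140.10",
    "HMI": "192.168.140.10",   # conflict with the PLC
    "Printer": "192.168.140.20",
}
# A second, mis-addressed PLC that is in a different /24 than the router.
MISADDRESSED_HOSTS = {"PLC": "192.168.141.10"}

if __name__ == "__main__":
    for finding in diagnose("PLC", LAN_HOSTS, ROUTER_LAN_IP, NETMASK):
        print("-", finding)
    for finding in diagnose("PLC", MISADDRESSED_HOSTS, ROUTER_LAN_IP, NETMASK):
        print("-", finding)
```

Because `same_subnet` takes the netmask as a separate argument, the same check works for routers configured with a /16 or /25 LAN; a PLC that looks "close" (192.168.141.10 next to 192.168.140.1) is still flagged when the mask is /24, which is the typical cause of "can ping the router, cannot ping the PLC".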

Connect to your machine

Resource center - Need help?
Need help? button on portal.ixon.cloud
(no ad-blocker, and only for platform administrators)
Here you can find all websites:
■ status.ixon.cloud
■ support.ixon.cloud
■ developer.ixon.cloud
Or contact support: support@ixon.cloud
Support website
Generating a log file for IXON Support

What if the IXrouter still won’t come online?

1. (If applicable) Wait for the problem to occur
2. Important: leave the IXrouter on
3. Insert an empty USB flash drive into the IXrouter
4. Important: wait 2 minutes
5. Remove the USB flash drive from the IXrouter
6. Send the file called "log" to support@ixon.cloud and describe the issue
that the customer is experiencing
Is the USB flash drive still empty? Check if it's formatted as FAT/FAT32, or try
using a different USB flash drive.
Any more questions?
Thank you!