Home / Resources / How To: Use FactoryPMI Gateway On 2 Closed Networks

How To: Use FactoryPMI Gateway On 2 Closed Networks

This article explains how to set up a FactoryPMI Gateway that needs to be accessible from 2 separate private networks on different adapters.

Many industrial controls systems have been set up as 2 separate networks; the corporate subnet has local server and Internet access, while the controls subnet houses the PLCs and HMI systems. SCADA applications, especially as you get into reporting, MES, and ERP, often need to access both sides. These setups typically have computers with 2 network cards, one attached to each network. This is called a multihomed host. This article describes how to configure FactoryPMI on a multihomed computer.

We don't recommend this type of setup, especially since they were often configured without care. In critical production facilities it's not uncommon to see IP addresses like 1.2.3.4 (random routable addresses) or subnet masks that show that the engineer had no idea what they do. That was fine when industrial sites were isolated. Now that Internet access is becoming universal, this kind of practice borders somewhere between sloppy and unprofessional. Additionally, SCADA security is a hot and important area of Homeland Security.

Background

The FactoryPMI Gateway needs to be able to tell runtime clients its single address to communicate over. This is important for clustering and reconnection, even if there is only one Gateway. The address is set as the HTTP Address in the Network section of the Gateway Configuration page. If set to autodetect, the Gateway will choose one IP address, and runtime clients will only work if they can contact the Gateway via that address - in most cases one network will work and the other will not! If autodetect is unchecked it can be set to an IP address (for example 192.168.0.55), a hostname or NetBIOS name (sn25p), or a fully registered domain name (fpmi.inductiveautomation.com).



Determining the Gateway address and problem

On a working FactoryPMI client menu go to help->About FactoryPMI. This is most simply done on the FactoryPMI Gateway machine. You will see the FPMI Gateway location. This is the address that the FactoryPMI Gateway gives clients for communication. If a client can not connect to the Gateway over this address it won't be able to run a project.



You should always be able to pull up the Gateway Configuration web page - the Gateway (web server) listens over all IP addresses and interfaces. The common problem that you may see is that launching the client on one network works and the other fails. On the failed network it will load as if everything were fine, but then give you an error message right before logging in. Possible errors that you may see are Error Loading Plugins or Error downloading project data.



Getting FactoryPMI working on both networks

Getting both networks running is as simple as telling both networks a name or address that they each recognize. The easiest way to accomplish this is to simply use a the computers hostname or NetBIOS name. Name resolution can work in a number of ways. The easiest way to determine if it will work is by opening a DOS prompt and the client and pinging the Gateway by that address. If you get a response, you're good on that network. Repeat for both networks.



In most cases this will resolve seemingly magically by broadcast. If client and Gateway use the same WINS server, this should always work. If you have control of your own DNS servers you can add an "A" record, but Dynamic DNS might resolve it automatically. In the worst case you can always add manual hostname to IP address mappings in the HOSTS or LMHOSTS file of the local client.

Success! You should now be able to run your FactoryPMI clients from either network!

Naive 2 network setup usually = bad idea

The "separate networks" concept for security is a good idea. You should consider putting a computer on both networks to be the same (or worse) than putting a router in between the networks as far as security is concerned. It can be done securely or insecurely, but should not be plugged in carelessly. This type of setup isn't the best solution, but it's cheap and easy, and therefore common. Here are a few reasons that this type of setup should eventually become a relic of times passed:
  • A properly configured router (can be a PC) can isolate both subnets, routing traffic for certain designated nodes, identified by MAC address. This provides a single, configurable, secure, point. Each node needs only one Ethernet adapter and IP address. A layer 3 switch is ideal for this application.
  • Even home Ethernet switches provide enough bandwidth so that one side will not bog down the other. QOS (quality of service) and other performance options exist. If the PLC side truly needs realtime or deterministic performance, or the corporate network is huge, you'll probably be using other equipment and have a knowledgeable IT staff.
  • It's now standard to use non-routable IP addresses and NAT behind a firewall for the corporate network. Companies no longer provide real (Internet accessible) addresses for each computer. In most cases this a sufficient starting point with respect to security, for the controls network. If it's not, you should be using an IT department instead of a tacky workaround. Your efforts are better spent password protecting the PLCs and securing the firewall.
The point to take away is that a closed (controls) network is about as secure as you can get. It no longer remains closed when you bridge it to another network. Don't kid yourself into thinking that the networks are still isolated when you have that one computer with 2 ethernet cards plugged into each. As you add computers to both networks or make your SCADA system more distributed, which is the trend for corporate access, the security of this 2 networks concept disappears. If you need security, standard IT technology has this problem figured out. There is nothing inherently "bad" about a multihomed system - it's something that you should strive to learn more about if you wish to implement one. Industrial software users and systems integrators alike should become proficient with IT basics.

Summary

We learned that FactoryPMI can be easily set up to work in a multihomed setup. We considered that networking technologies exist to properly segment and secure our traffic. Here's how we setup a FactoryPMI Gateway to work with multiple networks:
  • Verified that name resolution works on both networks
  • In the Network section of the Gateway Configuration page, set a hostname as the http address
published: 04/30/14