Remote Internet Access to Omron HMI

We need to extablish remote access to an Omron (NS-10) HMI, which is on a remote Hydro-Electric site.

The site has a broadband (ADSL) connection, with a static IP address, and the HMI is connected using ethernet to a Westermo DR-250 router, to link it to the internet.

Now if I'm onsite and my computer is plugged into the router, I can using Internet Explorer, type in the HMI's local LAN address to access the HMI, and view the HMI's screens.

Question is: How do I set the Westermo router up, so that if some types in the static ip address on their internet browser, somewhere in the world, they are directed through to the HMI's screens?

Hi Marc
I don't know this router, but can you set it up for Port Forwarding?

The default port will be 80 for the NS web server (I think this can be changed)

You can 'forward' port 80 to the local IP (192.168.1.xxx)

I've done this with 'domestic' routers, so sure the Westermo will be able to do it.

Pp

Be careful with Port Forwarding. Because of the way it works you are opening a hole in your security, anybody who tries to get onto your network on that port will find themselves at the login screen for the HMI, you do have passwords set for the HMI, yes? You may say that with 65000 ports to choose from the attacker would have to be very lucky, but Port Scanners make finding that one hole a lot quicker than you might think.

A more secure but complicated method is to use VPN, I was researching the DR-250 the other day and have memories that the manual has a lot of info on VPN.

Another issue is that a lot of ADSL providers are applying Firewalls to the ADSL line and you may find that the Port you have chosen for Port Forwarding or the Ports used for VPN are blocked, you have to login to the ADSL account and change the Firewall settings.

Bryan

Use a VPN - the easiest would be to replace the router with a cheap "VPN router".

Unfortunately, replacing the router with a 'cheaper' VPN router, is not really an option, as this is a new site, and it would be extremely embrassing to replace it.

Especially with the history of this project, as the HMI was not the original first choice; the first HMI was a J-mobile E-Top one, but that had to be scrapped when it was discovered that software was more buggy than Microsoft on a bad day.

Besides, as I understand it with VPN connection, I would need VPN software on my remote computer to access it.
Our intention is that the site can be accessed by a simple browser (e.g. Internet Explorer, or the like), so that other customers can view the site, to encourage sales.

The HMI does have log-in password, and the configuration screens have an additional passcode, so assuming that there isn't some kind of ADSL firewall, the Port Forwarding sounds like the best solution.

Now I need to find out how to set that up.

Well then you could add a "VPN Concentrator/endpoint" to your network. You can set up a permanent "site to site/LAN to LAN" tunnel that securely passes traffic between your network segments, over the Internet, as if they were local.

Oh yeah, port forwarding over The Net to an HMI application for remote access would fall in the "poor security practice" category, even with a strong password. Simplest possible case an attacker could easily launch a denial of service attack. You're not at nearly the same risk if the system can only be used for view only and is not remotely configurable.

If you just need users located on site to enable remote support then disable it afterward, port forwarding is probably acceptable.