Remote internet connection to HMI (on the same network as the gateway.)

AutomationTechBrian

I have a customer who has a very large plastic extruder. I put a Stride Industrial VPN on the machine's LAN so I can remotely access the SLC 5/05 and all the temperature and pressure controllers from home. When I replaced the HMI, I chose a re-branded Red Lion 15" (Eurotherm "Penguin") with two ethernet ports... one connected to the machine's network, and the other to the office's network (which is connected to the gateway). We set it up so the plant manager could remotely access the HMI screen from his office computer, mainly so he could monitor the temperatures from his desk.

As we were talking, he asked me if there was a way he could access his machine's HMI from home so he could start it up late Sunday night and have it ready for production when the day shift came in Monday morning. I would also like to be able to see his HMI screens for remote troubleshooting. I assume some kind of VPN would probably be appropriate for this as well, but I get lost in the details of what service would be the best for this. The current Stride VPN is connecting the PLC's network to the gateway on this office network, but I don't see how I could use that VPN for this second network. It doesn't seem right to use another Stride VPN for a network that is directly connected to the internet gateway... the connection doesn't make sense. I don't mind researching choices, but I need some direction on what I should be considering. I remember someone telling me about a VPN that is not attached to a service (like **** or Stride). They use something like USB dongles for each remote connection to the VPN router. I don't remember what it was called, but even if I could, I don't know if this is the best solution. For those with experience, what should I consider for this "front-end of the HMI" remote connection on the office network?
 
Team Viewer has a VPN built in. I know it has been used with Omron PLCs and HMIs for programming and for viewing as well. Hope this helps.
 
Brian, there is a way to set this up for free.
There is a free VPN software called "SoftEther" developed by Tsukuba University in Japan.
On your customer's computer hosting the HMI you need to install the SoftEther VPN server, and there is a Windows VPN server version with a VPN server configuration tool with GUI, in addition to the CLI which I think is too difficult. Then you need to install the VPN client component on the PC that you run from home, as well as the customer. When you set up the VPN server with the configuration tool it will guide you through the process. The interesting thing about SoftEther is that it creates an account in Microsoft's Azure's free service that maintains the public IP address for the VPN server. Then you configure the users for the VPN server. When you configure the VPN client, the address for the VPN server is an Azure address. The PC hosting the VPN server, which is connected to the company LAN, when the VPN client attempts to establish a connection, will request an IP address to the DHCP server of the company for the VPN client, and if all the passwords and logins are correct, the VPN server will assign the company's LAN's IP address to your computer or the customer's computer at home.
Tried to make myself clear but I may have not due to my English-as-a-second-language. The SoftEther English documentation is decent. I hope this can be helpful.

https://www.softether.org/
 
Alfredo: That is really cool... Thanks for sharing that! It'll be interesting to explore when I have a little time.

BobB: Wow... how did I not think of Teamviewer? I have it installed on my host PC, as well as half of my VMs. For this particular customer, that's perfect!
 
Very interesting.
I can imagine myself using SoftEther as an alternative to TeamViewer VPN.
It shall be interesting to hear from someone using it in real life to connect to PLCs and HMIs.
 
I have done a little over 100 installs of SoftEther for VPN and other networking purposes.

I like to use Intel NUCs like Hades or Skull Canyon for the client hardware and configure the hardware based on the project needs.
 
The Red Lion CR3000 and the Graphite series both have web servers, so all you need is a connection to the HMI and you can access the built-in web server once it's set up, which will give you view and/or control of the HMI.

Just set the customer up as a new user in the Stride and in the HMI with his own credentials and he will be using the same VPN route as you do to connect.
 
I obviously need to do more discovery with using the HMI... but here's my understanding:

Let's get specific...

Ethernet Port 1: Machine LAN = 192.168.1.001 This is the VPN's target network, so I have access to this network through my Stride account. The PLC, all the Eurotherm temperature controllers and pressure controllers all communicate to the HMI on this LAN.

Ethernet Port 2: Office LAN = 192.168.2.001 The gateway is on this LAN. I have the HMI web server on this port, and the plant manager monitors the machine through his browser on this office laptop. I do not have access to this LAN, unless there is something I don't yet understand about the HMI's capabilities. Since I don't have access to this LAN, I'm assuming I don't have access to the static IP on this network that has the web page HMI clone. Again, if there is some kind of bridge between Port 1 and Port 2 on the HMI, I don't know about it. This re-branded Red Lion HMI is operating on the equivalent of Crimson 2. (They call it GUIcon 2.0)

So right now, I'm thinking that the Teamviewer is something the plant manager would like, since he would just create a link between his office laptop and his home laptop. And on the rare occasion that I'd need to have access to the web page HMI clone, I could get the Teamviewer connection details from him and connect... just like I do when I'm helping my mom figure out why her computer isn't working right. I've set up some trending pages on the HMI for the analog values, and they're often helpful in diagnosing issues. Everything else I can just connect to the PLC to watch the behavior.

Softether has some serious possibilities for the future. I'm just trying to get this up and running in the next week or two, without interfering with the other projects currently happening.
 
If this is any help this was the method used with an Omron system. May be some clues there.
 
Well, you were given slightly incorrect advice about TeamViewer and SoftEther.

Those are PC-based applications that would only help you if you had a PC-based HMI or SCADA application, but you have an HMI application with dedicated hardware, that being the Red Lion HMI panel, and it will only run Crimson HMI applications and will not install or run any 3rd-party PC-based applications like TeamViewer or SoftEther.

If you had something like FT View ME HMI software with a runtime license running on a Windows-based panel PC or similar, then you could also install 3rd-party applications like TeamViewer or SoftEther on that same Windows-based panel PC, and sometimes a Linux-based PC if the 3rd-party applications support Linux or other operating systems.
 
Not sure if there is a way to bond both Ethernet interfaces to the web server or not.

I would think there would be, because this is a common thing in many similar applications. It may be a good question to pose to Red Lion support. If they don't have that feature, it would not be hard to add, as I am sure the hardware is capable.

The people at Red Lion like to hear new ideas and are good about implementing new features.

Me personally, from what you described, I would have it all on the same network and have anyone that needed access connect through the Stride from the outside and give internal access with a VLAN and inter-VLAN routing. Should be a very simple change from what you have set up now.
 
I'm not installing it on the HMI. I'm connecting to the laptop that is connected to the HMI. This part I'm not uncertain about. I can do the demo right now on a laptop connected to an Automation Direct EA9. I have the laptop connected to the EA9 over an Ethernet connection. I can bring up the HMI on my Chrome browser, start TeamViewer, and drive downtown and connect to my laptop over TeamViewer and control the HMI.

All my customer is looking at doing is turning on the machine so all the heating zones are at the setpoint and the machine is ready for production when they arrive in the morning. This involves hitting the reset on the master control relay and turning on the chiller. Then, a quick scan of the zones before going back to bed.

That's why I think the Teamviewer solution seems perfect.
 
Yes, if installing to a laptop on-site, then yes, that should serve you well.
 
Since you need to access a Windows laptop you could use RealVNC which supports encryption.

The best option for me in this case is just to use Chrome Remote Desktop since he will be accessing his personal work laptop. It's easy to set up, no port forwarding is needed, and it is very reliable. This is what I use to access my work computer from home.
 
If you can access the PLCs through the internet via the Stridelinx router, and I assume the HMI (one Ethernet port) is on that same network, all you should have to do is add the manager as a user on that router and add a service to access the HMI's built-in web server. I have 6 of them set up this way for water system operators to be able to view their (and only their) HMIs from their phones or laptops. And I can update the HMI or PLC code connected to that router remotely as well.

I am remotely updating an HMI running Crimson 3.1 right now, and it is a little slow since it includes a firmware update, but when it is done, I will grab a screenshot of how I have the service set up.

Attachments: strideservice.png, strideservice 2.png
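The per-user service arrangement described in the post above, modelled as an added example that is not part of the thread and is not Stride router configuration: a default-deny check of which remote user can reach which device, plus an audit that flags a view-only user whose service covers more than one host and one port. The host addresses, ports, user names and service tuple format are all assumptions made up for the illustration.

```python
import ipaddress

# Constructed inventory on the thread's 192.168.1.x machine LAN (addresses and ports assumed).
HMI_WEB = ("192.168.1.10", 80)      # HMI built-in web server
PLC = ("192.168.1.20", 44818)       # controller programming port

# Hypothetical per-user services: (user, network, port or None for any port).
SERVICES = [
    ("integrator", "192.168.1.0/24", None),   # whole machine LAN for PLC/HMI programming
    ("manager", "192.168.1.10/32", 80),       # HMI web server only
]

def allowed(user, host, port, services=SERVICES):
    """Default deny: a flow is permitted only if one of the user's services covers it."""
    addr = ipaddress.ip_address(host)
    for svc_user, network, svc_port in services:
        if svc_user != user:
            continue
        if addr in ipaddress.ip_network(network) and svc_port in (None, port):
            return True
    return False

def over_broad(services, view_only_users):
    """Return services that give a view-only user more than one host and one port."""
    findings = []
    for user, network, port in services:
        if user not in view_only_users:
            continue
        net = ipaddress.ip_network(network)
        if net.num_addresses > 1 or port is None:
            findings.append((user, network, port))
    return findings

if __name__ == "__main__":
    for user in ("integrator", "manager"):
        for name, (host, port) in (("HMI web", HMI_WEB), ("PLC", PLC)):
            print(f"{user:10} -> {name:7} {host}:{port} allowed={allowed(user, host, port)}")
    # Misconfigured variant: the manager is also given the whole machine LAN.
    bad = SERVICES + [("manager", "192.168.1.0/24", None)]
    print("over-broad:", over_broad(bad, {"manager"}))
```

Running the audit against an export of the real service list, in whatever format the router provides, is the useful check after each new user is added.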
 