Remote setup

[dalporto]

Hi all.

First thank to Phil for the update, looks great so far!

This is the situation. I'm mostly working from home since the pandemic when I'm not on site (site accounts for maybe 10-15% of my time) or doing FAT with customers (5%). "After" the pandemic, they shut down a tunnel that I was driving through every day, leading to a 2h30-3h30 commute each day. My boss accepted that I stayed in remote since he does not want to lose me.

So I got a lot of PLC stock here at home, mostly our own lab testing devices. Last week I took home a whole new project Rockwell PLC rig and I started to stress a little bit with my daughters around it. I was driving home and I was thinking that this one backplane was worth 4-5 times my car, and this stock would be mostly uninsured in my car or at home.

This afternoon my boss called me saying pretty much the same thing, coming from higher management. This could mess up the project big time if something happens to any of that stuff. I agree, but this is really convenient to have it all here right next to me, but I don't want any trouble.

So I'm gonna bring it back to the office, and I'm looking for the best way to build an efficient setup. Basically, I need to access a Rockwell PLC / Logix Designer and an InTouch installation. Right now I have one VM for each, and only one license for WW.

4-5 years ago I remember we set up something on a server (I still have the server) using a free VMware product that we could use coast to coast (we were working with a Vancouver team, I'm in Montreal). We installed VM's within the server and we had like 10 different accounts to log into it with Remote Desktop through a NO-IP VPN. Anyone has any idea what I'm talking about? I don't have contact with these people anymore.

I still have access to that router in the office (I hope), so I could take my NO-IP account back if needed. I also can re-host my VM licenses and activate them on a new installation (server or another PC) if needed.

Basically, I need to have access to Studio 5000 and InTouch remotely, with the L82 and a couple more devices available on that network, with 2-3 screens. I don't want to create a tunnel where I could poll the PLC from home, I just need to be able to take control, and I'm not sure I want to use Team Viewer to do so.

So, people that do remote work, what would you do?

 

[DaDaDadeo]

I've posted several times related to this topic over the years because I am still amazed with the technology that is available. Every day I must be able to provide remote support for equipment in the field and for FAT support.

In my company, I am the only person who has Studio 5000 and yet I live 1000 miles from the factory. Plus, our equipment is installed around the world. The challenge will always be "how can anyone on the remote end help me connect without requiring expensive and/or invasive hardware/software installations on their end?"

On my computer, I use VM Virtual box to run a very small operating system (TinyCore Linux) for the pipeline connection.

Best of all, what makes all this possible, is that the end user only requires Java to be installed on their Windows computer, access to the internet, and an Ethernet connection. The internet access can be a facility WIFI (even guest) or a hotspot through a cell phone. Another benefit is that I don't need to have a VPN and gateway configuration.

 

[Ken Moore]

I do not know the details, but VMWare was the software. We had many remote employees, we could all remote into a server and all of us work on a project. It was not free, and required some expertise, plus a server class machine. So..what you want is possible.

 

[dalporto]

I just fired up the old server, it was VMWare ESXi 6.7, which was free pre-pandemic (and of course I lost the post-it with the stupidly complicated root password on it). Not sure if it only changed name (VMware vSphere Hypervisor (ESXi) 8.0U2 now) or if it's a whole different experience.

I'm looking for the prices right now, I hate that kind of web sites.

 

[dalporto]

Just had a flash to look in my old project notebooks.

Bingo!

Now it's a fair fight.

 

[Ken Roach]

VMWare's Linux-based bare-metal ESXi hypervisor is a wonderful tool, especially for the free and low-spec versions. Quite a lot of people in the IT business got into preferring VMWare because ESXi was free and it let them build up high-performance, high-featured virtual machine servers.

Unfortunately the free version of ESXi was a recent victim of the Broadcom acquisition of VMWare, along with their simple perpetual licensing for small installations. You could install ESXi right now from an old version you previously downloaded, but you can no longer get a free activation code.

I have a PLC test bench in my office that works the way you describe. There's an old PC running OpenWRT as a firewall and router between my office and the Company network. ZeroTier lets me get to the router itself from the Internet with secure tunnels (even without using my Company VPN). I have some of my computers set up for wake-on-LAN so I can log into the firewall and hit it with a WOL packet to start it up. Every kilowatt-hour matters !

The test bench itself is a tiny wheeled 19" rackmount server rack with panels of PLC and HMI and VFD and other goodies attached to it, powered by a small UPS and wired into a battle-scarred surplus 24-port switch.

And the ESXi server sits under my desk. The guest operating systems (some Linux, some Windows Server, some Windows 7/10 Professional) can be spun up one at a time as I need them. I have some for Siemens stuff, some for Rockwell. We activate the Windows licenses with our enterprise agreement with Microsoft that also lets us build and rebuild our laptops and desktops.

I run ZeroTier on each of the guest VMs on my server, and cheerily connect to them via Windows Remote Desktop.

The trickiest part for me is that the ESXi hypervisor itself has to be accessed from the vSphere client, or a Web browser, or an instance of VMWare Workstation. That's easy when I'm sitting in the office, on the private side of my router. I don't have a true "VPN", but rather am set up with ZeroTier to get access to the computers that run it (and ESXi doesn't, not on its own).

So I have another backdoor: an old Intel NUC that I installed CloudReady (basically Chrome OS for general purpose PC's instead of Chromebooks) installed in the room. It runs Chrome Remote Desktop, so I can log into it from anywhere and use it as my "local browser" for anything that needs a Web browser *inside* the lab.

 

[Ken Roach]

Writing that all out... there are definitely simpler ways to do this than I have. If you've got an IT department that will help you set up an honest-to-goodness VPN connection where the endpoint is in your lab, you won't need all the hacked-together stuff I do to get tunnels into the lab.

 

[dalporto]

VMWare's Linux-based bare-metal ESXi hypervisor is a wonderful tool, especially for the free and low-spec versions. Quite a lot of people in the IT business got into preferring VMWare because ESXi was free and it let them build up high-performance, high-featured virtual machine servers.

Unfortunately the free version of ESXi was a recent victim of the Broadcom acquisition of VMWare, along with their simple perpetual licensing for small installations. You could install ESXi right now from an old version you previously downloaded, but you can no longer get a free activation code.

Thank you for that message, I was wondering if I was E.T. here.

Fortunately, I found the old management console password, and the activation is still there even thought is version 6.7. So far I don't have any compatibility issues when rolling back a VM from VM17 to V ESXi6.7 and uploading it to the server.

My biggest challenge will be untangling the many network connections settings in that thing, I wasn't the one who did it that one time and it looks a bit complicated for what this is supposed to do.

For the VPN I'm pretty sure this is still the same router at the office, so the setting should still be there, I'll just need to renew my No-IP account. This is a "residential" router we use to go around the company business network because, you know, IT.

And like last time, I'll put a laptop there too with Teams Viewer so I can access the console if needed.

I hope this will work.

 

[dalporto]

If you've got an IT department that will help you

I've never had the chance to have that.

I use my "office laptop" only for one thing; AutoCAD Electrical, because I can't do otherwise since the Vault is on the company servers. Otherwise I use my "field laptop". They updated company laptops to AutoCAD 2024 over the Christmas holidays and nothing was working anymore. So, I had a call with IT because I can't do anything on my own with that laptop, they even locked Ctrl+Alt+Del and Ethernet Adapter IP address with a password, in addition to all software installation except the mostly useless ones that can only be installed from an approved list and that has about nothing to do with my line of work.

So, he figured out the first AutoCAD problem quickly enough. Then, he and one of its colleague spent one hour trying to figure out the 2 other problems, without any luck.

Meanwhile, I was punching 1 hour in IT waste of time (really, we have a time code for that, not written like that of course, more like software unavailability) and Googling the problems I was having with AutoCAD while watching them fight against it, like trying the same thing over and over, like insane peoples.

After one hour they gave up and ramp it to another level, saying that someone else will call me soon, saying it was working well enough for now and I could use it (they couldn't fix the file association between CAD and .DWG so I now have to go around the whole thing to be able to open a DWG, which is a huge waste of time when looking for THE drawing with a stupid number you're looking for). I don't remember what was the other one. They hung up, leaving regedit open (yeah!!!).

So I tried the first result on Google for both of my problems and it fixed it. So my guess is that the next IT level would be Google / ask Chat GPT. It was litteraly the first Google result for each problem. I sent him screenshots from Firefox with the solutions over Teams. He said thanks and that was the end of it. I received the "closed ticket" notification one minute later.

And this is one of the reasons why I won't ask our IT department to help me set up a VPN.

Sorry, I just wanted to tell someone that story, I kept it to myself since then. I didn't want to cause trouble to these guys, but eh. Maybe I expect too much too.

They wanted to take control of our residential router at some point, I said hell no! This is ours!!