Special requirements from customer

fl.chen
(@fl-chenarcinfo-com)
Posts: 170
Reputable Member
Topic starter
 

Hello network experts,

I have drawn a network architecture according to the customer’s requirement. The customer wants the PcVue Station installed in his office to get all data from the other PcVue stations installed in the End-user’s Control Room via the Internet.

As we know, this can be satisfied for one-way communication (one socket connection), e.g. Modbus IP or IEC104. But as far as I know, there are two socket connections between PcVue Server and Client. I don't know what will happen when one socket connection is broken.

thanks

Mark

 
Posted : 18/05/2016 3:39 pm
(@admin_doc72)
Posts: 493
Member Admin
 

Is it possible to configure a VPN? That will be easier.

 
Posted : 18/05/2016 5:44 pm
f.cubattoli
(@f-cubattoliarcinfo-com)
Posts: 167
Reputable Member
 

Hello!

Your main problem is that you don't have a public fixed IP, but you can easily deal with it using a service like www.dyndns.org. In practice, you have to open an account with that service and then install a small piece of software on the remote PcVue machine (the Server one, in your case). As soon as the external IP changes, this software will detect it and update the DNS record.
So your remote machines, with dynamic IPs, will be reachable using an address like mydistantpcvue.dyndns.org instead of a numerical IPv4 address that is subject to change.
That solution implies two things:

  1. The external IP address can be dynamic, but must be PUBLIC (sometimes it is not: for example, 3G or 4G connections by mobile phones are under NAT for IPv4, so your mobile phone is as if it were in the private LAN of your telco provider).
    You can easily verify this by checking whether the external WAN address shown in the router is the same as the one you see from www.monip.fr
  2. The customer must open the port in the router (usually TCP 1981) to redirect the external TCP port 1981 to the IP address of the local PcVue station. This feature is called NAT or Virtual Server.

Up to here it's magic and fast but... you can expose your customer to a security risk because actually the Winnet protocol in PcVue is not encrypted and not authenticated.

So the best is to do what Nicolas already told you: a VPN.
But... nothing is magic, since many VPN systems require a STATIC IP on BOTH endpoints..!!
So the easiest solution I know can be OPENVPN - an Open Source project.

You can install an OpenVPN client - as a service - on the distant PcVue Stations.
When Windows starts on the distant PcVue server station, this machine (with a dynamic IP address) will call the VPN Server, located on the PcVue client side, instead of being called.

On the PcVue client side, an OpenVPN Server (I suggest pfsense, www.pfsense.org, which is able to export ready-to-use configurations for Clients) will receive this call and connect the various endpoints.

In this case you should not have any problem regarding NAT, Virtual Server, Private IP and so on and - first of all - you should not have any security risk because everything is encrypted and authenticated.

When the OpenVPN tunnel is established, any PcVue station will have a particular static IP address in a private LAN subnet like 192.168.250.x dedicated to the VPN, and you can configure your PcVue Client Station to reach any machine using that addressing space.

Unfortunately it is not simple if you have never done that, but I hope to have at least clarified your view...
Let me know if it is not clear,

Good luck!

 
Posted : 18/05/2016 8:27 pm
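
The OpenVPN layout described in the post above, sketched as an added configuration example (not part of the original thread and not taken from PcVue, OpenVPN or pfSense documentation). The subnet 192.168.250.0/24 follows the post; the host name `vpn.example.com`, the station name `pcvue-site-a`, the address `.11` and all file names are placeholders.

```conf
# ---- server.conf: OpenVPN server on the PcVue client (office) side ----
port 1194
proto udp
dev tun
topology subnet
# VPN-only subnet from the post; the server itself takes 192.168.250.1
server 192.168.250.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# HMAC on the control channel; direction 0 on the server, 1 on clients
tls-auth ta.key 0
# One file per station certificate in ccd/; stations without one are refused
client-config-dir ccd
ccd-exclusive
keepalive 10 120
persist-key
persist-tun
verb 3

# ---- ccd/pcvue-site-a: file name equals the station certificate's CN ----
# Pins this station to a fixed tunnel address for the PcVue client to use
ifconfig-push 192.168.250.11 255.255.255.0

# ---- client.ovpn: remote PcVue server station (dynamic IP, behind NAT) ----
client
dev tun
proto udp
# Placeholder name of the office-side server; the station dials out to it
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert pcvue-site-a.crt
key pcvue-site-a.key
tls-auth ta.key 1
# Refuse to connect to a peer whose certificate is not a server certificate
remote-cert-tls server
verb 3
```

With this layout only the office side needs a reachable address (fixed or dynamic DNS) and one inbound port; the remote sites need no forwarding of TCP 1981, so the Winnet traffic travels only inside the tunnel.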
n.kunzer
(@n-kunzerarcinfo-com)
Posts: 1236
Member Moderator
 

And why not use RDS on each PcVue station?
For me it is the most suitable solution...

Nico

 
Posted : 19/05/2016 6:55 am
fl.chen
(@fl-chenarcinfo-com)
Posts: 170
Reputable Member
Topic starter
 

Yes, VPN can be a backup solution.

BRs,
Mark

 
Posted : 19/05/2016 1:56 pm
fl.chen
(@fl-chenarcinfo-com)
Posts: 170
Reputable Member
Topic starter
 

Hi Filippo,

Thanks for your more detailed reply.

If I understood well, you listed three solutions:

  • Dynamic DNS
  • VPN
  • OPENVPN

My question is: what do you mean by "many VPN systems require a STATIC IP on BOTH endpoints"? Why BOTH?

Second question: do you know how much OPENVPN costs?

thanks

BRs,
Mark

 
Posted : 19/05/2016 2:21 pm
fl.chen
(@fl-chenarcinfo-com)
Posts: 170
Reputable Member
Topic starter
 

Hi Nico,

Each PcVue Server station works as a data producer. So how to use RDS?

BRs,
Mark

 
Posted : 19/05/2016 2:27 pm
f.cubattoli
(@f-cubattoliarcinfo-com)
Posts: 167
Reputable Member
 

Hello Mark!

I confirm these 3 possibilities:

  1. Using Dynamic DNS with no VPN tunnelling, but exposing yourself to a security risk
  2. Using any kind of VPN with hardware devices (firewalls) in the middle (1 box for each site)
  3. Using OpenVPN, because I'm sure it can also work if the clients (in your case the PcVue server station) are behind NAT and have a dynamic IP address. OpenVPN also allows you to do everything in software without using any hardware box, since both the OpenVPN server and clients can run on Windows

To answer the other 2 questions:

  1. In some cases (depending on the vendor) some VPN systems use the IP address of BOTH endpoints as an element of identification, for example in some IPSEC LAN-to-LAN implementations. It's not mandatory (they can also use a static identifier or a certificate), but you must check it when you select the firewall vendor.
  2. OpenVPN is free! https://openvpn.net//open-source.html

🙂

Hope it helps!

 
Posted : 19/05/2016 9:26 pm
n.kunzer
(@n-kunzerarcinfo-com)
Posts: 1236
Member Moderator
 

Mark,

Each Station is a RDS server. The system integrator connects using Remote Desktop Connection (RDC) and acts as a PcVue Client.

The constraint is: On each Server Station you must have Windows 2012 R2 with the RDS license

Nico

 
Posted : 20/05/2016 8:29 am
ED
(@e-duvalarcinfo-com)
Posts: 138
Estimable Member
 

Hi All
The drawback of Nico's solution for the customer is that you must add a client to the site's existing dongle for each End-user control room.
That is good for you but might be prohibitive for the customer 😉

From my point of view, Filippo's solution (OpenVPN) seems to be the most cost-effective solution.

Manu

 
Posted : 20/05/2016 11:03 am