Remote Maintenance Service
The Brightlayer Remote Maintenance service enables user to set up and securely manage remote maintenance groups. The service allows to establish and control VPN connections between Gateway devices and Users.
Overview
Gateway (GW)device - A GW device is a physical device located in the application and connected to the local network within the machine / application. The GW device is the interface of the application to external services (Cloud; Remote Maintenance)
User device - A User device is a computer that has an OpenVPN Client installed on it. Uploading the configuration files for the Remote Maintenance Service provided by Brightlayer enables the user of the User device to connect to a gateway device.
Connection - A Connection descibes the status of the communication between a GW device and a User device (connecting, connected, disconnected).
Note: At a time, one GW device can only be connect to one User device.
One RM Service consists of a group of GW devices, User Devices and their connections.
Users could have access to several RM services. So user can see the Gateway devices, User devices and Connections associated with a RM Service by selecting it in dropdown.
The following sections will walk you through all functionalities of the Remote Maintenance service. For your convenience find an overview on the content of this document below.
| Section | Content |
|---|---|
| Accessing the Remote Maintenance service | Activate single sign on feature |
| Managing gateway devices | Add GW devices to RM service, Special settings for Gateway devices |
| Managing user devices | Add user device, OpenVPN Client for remote maintenance and connect to a GW device, Configuration Files for the OpenVPN Client, delete the User Device |
| Managing connections | Connection status of Gateway device, User Device and Connections |
Accessing the Remote Maintenance service
When a Remote Maintenance service has been added to a subscription and users have been given access rights to it. Each user needs to activate the single sign on feature for this service:
When clicking on “Remote Maintenance” in the main drawer for the first time users would only see the “activation” icon in the main window.
Clicking on this icon will bring the user to an OpenVPN registration page where he has to simply click on Single Sign On (SSO) button.
Upon successful authorization, the user is enrolled in the RM Service, and upon refreshing the portal main window page, they get access to the Remote Maintenance Page.
When the RM service is created, it contains at least one Connection by default.
One connection in the Brightlayer RM service is an end-to-end connection between a GW device and a User device. The Subscription Admin can add additional connections to the RM service (currently limited to three (3) connections).
Managing gateway devices
Adding GW devices to RM services
There are two (2) different options of adding a GW device to a remote maintenance service:
The subscriber has signed a Dashboard service
In this case it is recommended to create the GW device from an existing device in the Dashboard service.
If the device has not yet been created in the dashboard service it is recommended to create the device using the Device Configuration.
Afterwards dashboard device can be chosen from a list of existing devices in the Remote Maintenance service.
The subscriber has not signed a Dashboard service
In this case a new device would be created.
Important: Usually devices can be synchronized between the Dashboard services and the RM services. If devices are created only within the RM service (e.g. because the subscription has not yet signed a Dashboard service) there are restrictions that have to be considered:
If a Dashboard group (start) service is signed, the devices can be moved into this Dashboard group service by an Eaton administrator.
If a Dashboard tenant (Flex or Flexplus) service is signed it is not possible to synchronise the devices with an existing RM service! If devices should be synchronized all devices of the RM services have to be deleted and the gateway hardware has to be reconfigured.
Special settings for Gateway devices
Tick box: Allow embedded IP:
When Allow Embedded IP is active for a gateway then devices in the gateway’s local network can accessed from the User via the remote maintenance connection. To access such a device, the IP address of the device needs to be known. The URL that needs to be entered into the browser to access the device is the following:
IP Address of the device in the network (e.g. 192.168.20.2)
GW device name (e.g. mygateway)
Domain name: “rm.machinery-monitoring.com”
URL to access the device
Example: “192-168-20-2.mygateway.rm.machinery-monitoring.com”
Tick box: Allow Gateway Device to establish TCP/UDP connection to User Device
The Allow Gateway Device to establish TCP/UDP connection to User Device option controls if a device in the Gateway’s local network can establish a payload connection to a User Device. Payload connection here means any TCP/UDP connection within the already established VPN tunnel. i.e. this option has no influence on the VPN tunnel direction and/or who can establish the tunnel.
If the Allow Gateway Device to establish TCP/UDP connection to User Device option is not activated then a connection can be established
from User Device to Gateway Device and Device in the Gateway Device’s local network
but not from a Device within the Gateway Device’s local network
The firewall on the VPN server will recognize that a connection is initialized and will block it.
If the Allow Gateway Device to establish TCP/UDP connection to User Device option is activated then a connection can be established
from User Device to a Gateway Device
from Gateway Device and from Device within Gateway Device’s local network to User Device
Security Note
It should be noted that for security reasons the option Allow Gateway Device to establish TCP/UDP connection to User Device should only be added when really required for the communications intended.
FTP Connection
Active FTP communication require the Allow Gateway Device to establish TCP/UDP connection to User Device to be set for a successfull communication. Passive FTP communication will not work regardless of whether this option is used, due to the way how Passive FTP protocol establishes the data connection.
Gateway service restriction
For all new Gateway device that are added it is possible to restrict the access to certain Eaton tools that may be installed within the application.
The option Allow all services is selected per default
The specific Custom settings are only accessible when Custom is selected.
When clicking on info icon the following information is displayed
When Allow all services is selected no services will be prevented. For security reasons selecting only required protocols and ports for intended operations is highly advisable.
When using an active FTP communication to download a Galileo project to devices, it is required that also the option Allow Gateway Device to establish TCP/UDP connections to User Device is activated, otherwise communication is not possible.
When Galileo is selected the User device has access to the Galileo Design tool
to connect to a panel in the gateway’s local network using active FTP communication
to start/stop Galileo Runtime system execution
When XSOFT-CODESYS-3 is selected the User device is capable:
to connect to CODESYS runtime on a panel in the gateway’s local network
to download a new project
to debug project
When easySoft is selected User device is capable:
to connect to an easy device in the gateway’s local network
to download a new project
to see device state
Gateway Configuration
Network Topology 
GW configuration can be done in 2 ways:
1. Import Configuration on Gateway
Download: nubisnet_config.cup
Upload .cup file on Nubisnet portal:
Password for .cup file is Nubisnet12!@
Update MQTT message:
a. Open NubisNet web configuration tool and enter credentials
b. Navigate to Settings section, select Settings tab → PLC → Messages
c. In the Receive messages section, click on Edit button and fill out the form with following values to create the MQTT (Un)Connect message.
Name Value Comment Active <TRUE> Keep it as is. Channel - Topic s/ds Kepp it as is. Channel - Text 511,<DEVICE_NAME>,"{"id":"<DEVICE_ID>","etn_openvpn":{"connect":{"value":%vpn_connect%}}}" With <DEVICE_NAME> the name of the device in the device name field on device configuration page.
With <DEVICE_ID> the ID of the device in the device id on device configuration page.To update MQTT connection setting see Configure Mqtt Messages Client.
To update OpenVpn connection settings see Configure OpenVPN Client.
2. Manual configuration
Configure OpenVPN Client (Un)Connect Signal Processing
Create OpenVPN Connection State Variable
This section creates PLC boolean variables. The following table describes the variables
| Name | Description |
|---|---|
| vpn_connect | This variable stores the current connection state which the OpenVPN client should have. A value of 1 means the OpenVPN client should connect to the server, a value of 0 means the OpenVPN client should disconnect from sever. |
| vpn_running | This variable is 1 when the OpenVPN client is running, 0 otherwise. |
| vpn_connected | This variable is 1 when the OpenVPN client is connected to the server, 0 otherwise. |
Create the variable by applying following steps
Open NubisNet web configuration tool and enter credentials
Navigate to Settings section → select Settings tab → PLC → Variables
Click on Add button and enter value in following table
Name Value Comment Name vpn_connect Data type Boolean Maximum string length <empty> Portal path Take preset value Retentive <FALSE> Repeat the last step also for the vpn_running and vpn_connected variables
Click on OK to create the variable.
Click on OK to store the updated variable settings.
Create Receive MQTT Messages
Open NubisNet web configuration tool and enter credentials
Navigate to Settings section, select Settings tab → PLC → Messages
In Send messages section, click on Add button and fill out form with following values to create the Confirm Command Received message
Name Value Active <TRUE> Channel - Topic s/us Channel - Text 501,c8y_Command In Send messages section, click on Add button and fill out form with following values to create the Confirm Command Successful message
Name Value Active <TRUE> Channel - Topic s/us Channel - Text 503,c8y_Command In Receive messages section, click on Add button and fill out form with following values to create the MQTT (Un)Connect message
Name Value Comment Active <TRUE> Channel - Topic s/ds Channel - Text 511,<DEVICE_NAME>,"{"id":"<DEVICE_ID>","etn_openvpn":{"connect":{"value":%vpn_connect%}}}" With <DEVICE_NAME> the name of the device in the Dashboard Tenant.
With <DEVICE_ID> the ID of the device in the Dashboard Tenant.Use the information from setting up the Dashboard tenant device section to configure broker with correct endpoint and device credentials.
Click on OK
Setup PLC Program
Open NubisNet web configuration tool and enter credentials
Navigate to PLC Editor
Create the following logic diagram
In above diagram Recv Msg 9 is the MQTT (Un)Connect message. Send Msg 2 and Send Msg 3 are the Confirm Command Received and Confirm Command Successful messages, respectively. The index of all three messages has to be adapted to the correct message index as defined in the MQTT messages list.
The upper part of the diagram takes care to acknowledge and returning successful processing of the receiving the MQTT (Un)Connect message from dashboard tenant.
Configure IP forwarding:
- Open NubisNet web configuration tool and enter credentials.
- Navigate to Settings section → select Settings tab → Network → Network
| Name | Value | Comment |
|---|---|---|
| Enable IP forwarding: | True | To access network below the GW. IP forwarding should be enabled. |
Configure OpenVPN Client
Open NubisNet web configuration tool and enter credentials.
Navigate to Settings section → select Settings tab → Network → OpenVPN
Fill the given settings fields according to following table
Name Value Comment Connect at start-up <FALSE> Allow connection to be controlled via com.tom PORTAL <FALSE> OpenVPN configuration file Copy the remaining ovpn configuration file content into this field from previous section. I.e. copy the ovpn configuration without any certificates and keys in it. Authority’s certificate file (ca.crt) Upload the ca.crt file created in last section Certificate file (cert.crt) Upload the cert.crt file created in last section Private key file (cert.key) Upload the cert.key file created in last section User and password file (userpass.txt) <NOT USED> Diffie-Hellman file (dh.pem) <NOT USED> TLS pre-shared key file (tlsauth.key) Upload the tlsauth.key file created in last section Click on OK
Configure Mqtt Messages Client
Open NubisNet web configuration tool and enter credentials
Navigate to Settings section → select Settings tab → Network → OpenVPN
Fill the given settings fields according to following table
Name Value Comment Enabled TRUE MQTT version: 3.1.1 or 3.1 UseTLS: TRUE Host Copy MQTT Broker from device config page. Port 8883 Client ID Copy Device Name from device config page. User name: Copy User Name from device config page. Password: Copy Password from device config page.Please note: You will be able to see password only once when you create device. Click on OK
Managing user devices
All subscribers have the ability to create a user device within the RM service. However, each user can only have one user device created in any of the RM services they have access to. Additionally, a single user device in the RM service can establish a connection to only one GW (Gateway) device within the same RM service.
In the User Device tab the list of existing user devices in the respective RM service is shown. Four activities are possible in this tab:
Add User Device button. Clicking on that button will open the Add User Device page.
On this page a name has to be assigned to the User Device. Afterwards a user can be selected from the drop down User Name. This drop down would show the e-mail address of all users that have access to the service.
After these fields have been filled in, the User Device can be added by clicking the Add button.
Download OpenVPN Client button. Clicking on this button will start a download of the OpenVPN Client application to the download folder of the computer. To utilize the remote maintenance feature and establish a remote connection to a GW device, you must install the client application.
In the context menu (3 dots) of each User Device the Configuration Files for the OpenVPN Client can be downloaded. After Download the Configuration files have to be uploaded to the OpenVPN Client that is installed on the computer of the User Device.
In the context menu (3 dots) there is also an option to delete the User Device
Managing connections
In all 3 tabs (Gateway device, User Device, Connections) the connection status is indicated behind each device or connection:
Icon striked out cloud: Not connected. The device is currently not connected and may not be available.
Icon green cloud: End-to-end connection is established. Both devices are connected to the server.
Best Network Practices
Best practices to manage VPN
Access Control: Implement strict access controls to restrict VPN access to authorized users or devices. Utilize robust authentication methods such as username-password pairs, digital certificates, or two-factor authentication (2FA) to ensure only legitimate users can establish VPN connections. This helps prevent unauthorized access to your network.
Check regularly whether all users still have a legitimate interest in using the VPN network or whether, for example due to a change in the user’s tasks, an access right is no longer necessary or should be excluded. Consistently delete users with expired access rights.
Access control is the first line of defense against unauthorized access to your network. By enforcing strong authentication, you ensure that only trusted individuals or devices can connect to your network through the VPN.Firewall Rules: Configure firewall rules on the VPN server to control incoming and outgoing traffic. Explicitly define what traffic is allowed and what should be blocked. Follow the principle of least privilege, allowing only the minimum necessary access to resources.
Firewall rules act as a gatekeeper for your network, preventing unwanted traffic from entering and protecting sensitive resources. Properly configured firewall rules are essential to secure your network and VPN.Network Segmentation: Isolate the VPN network from other networks as much as possible. Avoid connecting the gateway machine’s network to other networks without appropriate network devices, such as firewalls, routers, or switches, to ensure proper isolation and security.
Network segmentation helps contain potential threats within specific segments of your network, reducing the risk of lateral movement by attackers. Connecting networks without proper isolation can expose your entire network to vulnerabilities.Encryption: Implement strong encryption for data transmitted over the VPN connection. OpenVPN typically uses SSL/TLS for encryption. Configure encryption settings to use strong ciphers and key exchange methods to safeguard data privacy and prevent eavesdropping.
Encryption ensures that data traveling over the VPN tunnel remains confidential and secure. It protects sensitive information from interception and unauthorized access.Logging and Monitoring: Set up logging and monitoring tools to track VPN traffic and server activities. Regularly review logs to detect and respond to any suspicious or anomalous behavior. Monitoring helps in identifying security incidents promptly.
Logging and monitoring are crucial for identifying security breaches, troubleshooting issues, and maintaining the overall security of your VPN infrastructure. They provide visibility into network activities.User Training: Educate users on secure VPN usage practices. Instruct them on how to choose strong passwords, recognize phishing attempts, and follow company policies for remote access. User awareness is an essential part of network security.
Users can inadvertently introduce security risks if they are not aware of best practices. Training helps users become security-conscious and reduce the likelihood of security incidents caused by human error.Incident Response Plan: Establish an incident response plan that outlines steps to take in the event of a security incident or breach related to the VPN. Define roles and responsibilities for incident management.
Having a well-defined incident response plan ensures that your organization can respond effectively to security incidents, minimizing potential damage and downtime.