Client and server connectivity
Remote devices operate as clients of the Server Infrastructure: they communicate through outbound connections, as allowed by firewall settings, and the Server Infrastructure receives the corresponding inbound connections from remote devices.
NOTE:
See System architecture for further information on this subject.
Access Server
The access server supports the connection and authentication.
When the Runtime connects to the Access Server for the first time, it obtains a signed identity file that contains the device UID as assigned in the domain.
NOTE:
Once a router is registered to an organization, it cannot be registered to another organization until it gets deregistered first by an admin user. This is made possible by linking the actual device identity to the hardware UID.
Relay Server
A Relay Server provides data transaction during a remote access session among the FactoryTalk® Remote Access™ Manager, Tools and Runtime. Relay Servers allow both the FactoryTalk® Remote Access™ Manager and Runtime to stay safe behind their firewalls.
To select the best Relay Server for a remote access session, both FactoryTalk® Remote Access™ Manager and Runtime perform a connection test to all Relay Servers and assess the network performance of each of them. The test results provided by both FactoryTalk® Remote Access™ Manager and Runtime are then combined and compared to select the best performing Relay Server.
The sections below describe some necessary protocol settings.
TCP protocol
To enable the communication service between the Internet protocol and the FactoryTalk® Remote Access™ Manager, at least one of the following TCP ports of the remote services shall be set to open on the main servers of the Server Infrastructure. The ports listed below are set as default and can be accessed and viewed through the computer settings.
- 80
- 443
- 5935
Furthermore, both the Runtime and the router need to resolve the Infrastructure servers' IP address through a dedicated domain name resolution server (DNS). To enable this process, the following ports shall be set to open:
- TCP 53
- UDP 53
The connection from clients to the Access Server uses TLS 1.2 with certificate
authentication. Clients can use the default TCP 443 outgoing port or can be configured to
use port 80 or 5935 (TLS is still in use), depending on which solution is best to comply
with local IT policies. Clients automatically test available outgoing ports, but they can be
configured to operate with a fixed port.
NOTE:
Access Servers are redundant and fault tolerant.
NOTE:
FactoryTalk® Remote Access™ Tools and Runtime need to be able to connect to the following addresses:
Access server:
- accessserver.cloud.rockwellautomation.com
Relay servers:
- ubiquityrs1.asem.it (Germany)
- ubiquityrs2.asem.it (Italy)
- ubiquityrs3.asem.it (USA - West Coast)
- ubiquityrs4.asem.it (USA - East Coast)
- ubiquityrs5.asem.it (Singapore)
- ubiquityrs6.asem.it (Hong Kong)
- ubiquityrs7.asem.it (Brazil)
- ubiquityrs8.asem.it (USA - South Central)
- ubiquityrs9.asem.it (USA - North Central)
- ubiquityrs10.asem.it (Central India)
- ubiquityrs11.asem.it (Central Australia)
- ubiquityrs12.asem.it (Italy)
Platform server:
- ftra-webapi.cloud.rockwellautomation.com
While a VPN connection is being established, the FactoryTalk® Remote Access™ Tools and Runtime perform a check to determine the duration it takes for data to reach each Relay Server. This information assists the Access Server in selecting the most optimal Relay Server to be utilized, regardless of the geographical location of the device.
Remote devices and the router then search for any open port to establish a server connection and consequently an end-to-end connection.
These settings allow you to locate each device by its own IP address within the network through the FactoryTalk® Remote Access™ Tools.
NOTE:
See FactoryTalk Remote Access Manager Tools for further information on this
subject.
SSL/TLS protocol
All of the connections available in the FactoryTalk® Remote Access™ Manager are made through an SSL/TLS protocol, regardless of the port used for each connection. This protocol allows for a safe and private data transaction between the server and Runtime.
NOTE:
Access Servers use an SSL server certificate signed by a Certification Authority (CA) to authenticate content transferred through web servers.
SNTP protocol
The UDP 123 port shall be set to open, to allow the clock synchronization through the SNTP protocol.
Keep-alive feature
The data exchanged for the keep-alive feature between Runtime and the server infrastructure and between FactoryTalk® Remote Access™ Manager and the server infrastructure is approximately 1 KB per minute.
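The port and host requirements listed on this page, expressed as an egress-rule audit for a site firewall. This is an added example, not Rockwell Automation code: the rule dictionary format and the sample rules are constructed, and applying the 80/443/5935 ports to every listed host is an assumption.

```python
# Added example: audit a site's egress rules against this page's requirements.
# The rule format (name/direction/proto/ports/dest) is an assumption.
ACCESS_PORTS = {80, 443, 5935}   # TCP; the page requires at least one open
INFRA_PORTS = {"DNS/TCP": ("tcp", 53), "DNS/UDP": ("udp", 53),
               "SNTP": ("udp", 123)}
HOSTS = {"accessserver.cloud.rockwellautomation.com",
         "ftra-webapi.cloud.rockwellautomation.com",
         *(f"ubiquityrs{i}.asem.it" for i in range(1, 13))}

def covers(rule, proto, port, dest=None):
    """True if an outbound rule permits proto/port (and dest, when given)."""
    return (rule["direction"] == "out" and rule["proto"] == proto
            and port in rule["ports"]
            and (dest is None or rule["dest"] in ("any", dest)))

def audit(rules):
    """Return a sorted list of findings for a list of allow rules."""
    findings = []
    for host in HOSTS:
        if not any(covers(r, "tcp", p, host)
                   for r in rules for p in ACCESS_PORTS):
            findings.append(f"MISSING no TCP 80/443/5935 path to {host}")
    for label, (proto, port) in INFRA_PORTS.items():
        if not any(covers(r, proto, port) for r in rules):
            findings.append(f"MISSING {label} port {port}")
    for r in rules:
        if r["direction"] == "in":
            # Clients only dial out, so the product needs no inbound rule.
            findings.append(f"UNNEEDED inbound rule '{r['name']}'")
        elif (r["proto"] == "tcp" and ACCESS_PORTS & set(r["ports"])
              and r["dest"] not in HOSTS):
            # Least-privilege suggestion (not a requirement from the page).
            findings.append(f"BROAD rule '{r['name']}' dest={r['dest']}")
    return sorted(findings)

# Constructed sample rule set for a plant firewall (not real configuration).
SAMPLE = [
    {"name": "ftra-access", "direction": "out", "proto": "tcp",
     "ports": [443], "dest": "accessserver.cloud.rockwellautomation.com"},
    {"name": "web-any", "direction": "out", "proto": "tcp",
     "ports": [80], "dest": "any"},
    {"name": "dns", "direction": "out", "proto": "udp", "ports": [53],
     "dest": "10.0.0.53"},
    {"name": "legacy-vnc", "direction": "in", "proto": "tcp",
     "ports": [5900], "dest": "any"},
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Removing the broad `web-any` rule from the sample makes the audit report every relay and platform host as unreachable, which is the case where sessions fail even though the Access Server login succeeds.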