Client and server connectivity
Client and server connectivity

Client and server connectivity

FactoryTalk® Remote Access
 securely connects local with remote devices through the Internet.
Remote devices operate as clients towards the Server Infrastructure. In fact, they communicate through outbound connections, as allowed by firewall settings. In return, the Server Infrastructure receives inbound connections from remote devices.
NOTE: See System architecture for further information on this subject.

Access Server

The access server supports the
FactoryTalk® Remote Access
 Manager
 connection and authentication.
When the Runtime connects to the Access Server for the first time, it obtains a signed identity file that contains the device UID as assigned in the
FactoryTalk® Remote Access
 Manager
 domain.
NOTE: Once a router is registered to an organization, it cannot be registered to another organization until it gets deregistered first by an admin user. This is made possible by linking the actual device identity to the hardware UID.

Relay Server

A Relay Server provides data transaction during a remote access session among the
FactoryTalk® Remote Access
 Manager
, Tools and Runtime. Relay Servers allow both the
FactoryTalk® Remote Access
 Manager
 and Runtime to stay safe behind their firewalls.
FactoryTalk® Remote Access
 Manager
 and Runtime automatically choose the Relay Server to use from a pool of available servers list provided by the Access Server.
To select the best Relay Server for a remote access session, both
FactoryTalk® Remote Access
 Manager
 and Runtime perform a connection test to all Relay Servers and assess the network performances of each of them. The test results provided by both
FactoryTalk® Remote Access
 Manager
 and Runtime are then combined and compared to select the best performing Relay Server.
The sections below describe some necessary protocol settings.

TCP protocol

To enable the communication service between the Internet protocol and the
FactoryTalk® Remote Access
 Manager
, at least one of the following TCP ports of the remote services shall be set to open on the main servers of the Server Infrastructure. The ports listed below are set as default and can be accessed and viewed through the computer settings.
  • 80
  • 443
  • 5935
Furthermore, both the Runtime and router need to resolve the Infrastructure servers IP address through a dedicated domain name resolution server (DNS). To enable this process, the following ports shall be set to open:
  • TCP 53
  • UDP 53
The connection from clients to the Access Server uses TLS 1.2 with certificate authentication. Clients can use the default TCP 443 outgoing port or can be configured to use port 80 or 5935 (TLS is still in use), depending on which solution is best to comply with local IT policies. Clients automatically test available outgoing ports, but they can be configured to operate with a fixed port.
NOTE: Access Servers are redundant and fault tolerant.
NOTE:
FactoryTalk® Remote Access
 Tools and Runtime need to be able to connect to the following addresses:
Access server:
  • accessserver.cloud.rockwellautomation.com
Relay servers:
  • ubiquityrs1.asem.it (Germany)
  • ubiquityrs2.asem.it (Italy)
  • ubiquityrs3.asem.it (USA - West Coast)
  • ubiquityrs4.asem.it (USA - East Coast)
  • ubiquityrs5.asem.it (Singapore)
  • ubiquityrs6.asem.it (Hong Kong)
  • ubiquityrs7.asem.it (Brazil)
  • ubiquityrs8.asem.it (USA - South Central)
  • ubiquityrs9.asem.it (USA - North Central)
  • ubiquityrs10.asem.it (Central India)
  • ubiquityrs11.asem.it (Central Australia)
  • ubiquityrs12.asem.it (Italy)
Platform server:
  • ftra-webapi.cloud.rockwellautomation.com
While a VPN connection is being established, the
FactoryTalk® Remote Access
 Tools and Runtime perform a check to determine the duration it takes for data to reach each Relay Server. This information assists the Access Server in selecting the most optimal Relay Server to be utilized, regardless of the geographical location of the device.
Remote devices and the router then search for any open port to establish a server connection and consequently an end-to-end connection.
These settings allow you to locate each device by its own IP address within the network through the
FactoryTalk® Remote Access
 Tools.
NOTE: See FactoryTalk Remote Access Manager Tools for further information on this subject.

SSL/TLS protocol

All of the connections available in the
FactoryTalk® Remote Access
 Manager
 are made through an SSL/TLS protocol, regardless of the port used for each connection. This protocol allows for a safe and private data transaction between the server and Runtime.
NOTE: Access Servers use an SSL server certificate signed by a Certification Authority (CA) to authenticate content transferred through web servers.

SNTP protocol

The UDP 123 port shall be set to
open
, to allow the clock synchronization through the SNTP protocol.

Keep-alive feature

The data exchanged for the keep-alive feature between Runtime and the server infrastructure and between
FactoryTalk® Remote Access
 Manager
 and the server infrastructure is approximately 1 KB per minute.
Provide Feedback
Have questions or feedback about this documentation? Please submit your feedback here.
Normal