Security Architecture Whitepaper

FactoryTalk Remote Access - Help

Important user information

FactoryTalk® Remote Access™ Release Notes

Getting Started

Introduction

Abbreviations and acronyms

System architecture

System items interaction

Connection between FactoryTalk Remote Access Manager and remote devices

Client and server connectivity

Proxy

Security Architecture Whitepaper

Network and protocol design

Transport security

Remote Access Tools Security

Authentication

Operation Audit

Authorization

Cyberattacks Countermeasures

Data center

Software Updates

Data Breach Policy

Best Practices

System components

FactoryTalk Remote Access

FactoryTalk Remote Access Manager Tools

Stratix 4300 Remote Access Router

Router factory settings and identification

Protection against domain change

OptixPanel Graphic Terminals

Embedded Edge Compute Module

OptixEdge

ASEM 6300 iPC

ASEM 6300B Box PC

ASEM 6300P Panel PC

ASEM 6300PA On-Machine Industrial PC

Runtime (for third party devices)

FactoryTalk Remote Access Manager

FactoryTalk Remote Access Manager overview and related entities

Organizations, domains and domain subfolders

Access protection

Menu Tree

Explorer

Geolocation

Audit

Settings

Tools

Log

FactoryTalk Remote Access Manager Tools

Interactive Access

(Interactive Access) Remote desktop

(Interactive Access) Processes

(Interactive Access) Explorer

(Interactive Access) Connection

(Interactive Access) Information

(Interactive Access) Log

Device Setup

Connection Settings

Start FactoryTalk Remote Access

Create your MyRockwellAutomation account

Log in to FactoryTalk Hub

Create an organization and a domain

Invite users to an organization

Organization activities

Manage domains and related entities

Domain roles and domain groups

Domain user permissions

Create a domain subfolder

Groups creation

Device registration to domain

Device move and removal

Runtime registration

Invite users to a device

View and manage invited users and related permissions

Domain roles and domain groups

Subdevices

Add a subdevice

Add a service

Custom service application example

Launch a service

Subdevices management

Approve remote access

Request Assistance

Firewall settings

Routing rules

Entitlements

Features comparison

Basic entitlement on ASEM 6300 iPC

Software components setup and installation

FactoryTalk Remote Access Manager Tools installation

Language setup

Runtime configuration

Windows Runtime installation and configuration

Ubuntu 22 Runtime installation and configuration

Ubuntu 22 keys reference table

Runtime command lines

FactoryTalk Remote Access entitlement activation

Local connection

Internet Sharing

Runtime service in a Docker container

Runtime features supported in Container

Step-by-step setup guide

Requirements

Install Docker and Docker Compose

Unpack components from the installation folder

Upload Docker images

Configure features supported in the container

Enable the Remote Desktop Protocol (RDP)

Enable a VPN connection

Validate configuration

Run Docker Runtime

Runtime container exposed ports

Updates

Runtime and firmware update

Over the air update for Windows Runtime

Over the air update for firmware

FactoryTalk Remote Access Manager Tools update

Ubuntu 22 Runtime update

Quick reference guide

FactoryTalk Remote Access Manager Best Practices

How to create an organization or domain

How to activate a entitlement

How to establish a remote desktop connection

How to establish a VPN connection with a remote device

How to establish a VPN connection

How to set permissions rights

How to view operations log

How to implement any network safety settings

Which ports and public IPs shall I allow through my company firewall?

Runtime connection lost

Enable FactoryTalk Remote Access for FactoryTalk Design Studio

Security Architecture Whitepaper

This document provides a description of the network architecture and security design of

Rockwell Automation’s

FactoryTalk® Remote Access™

solution.

This document is aimed to network administrators, security auditors and decision makers to provide a complete description of the security management and design to evaluate if

FactoryTalk® Remote Access™

is compliant to their security standards and their use case scenarios.

Design Consideration

The core task of

FactoryTalk® Remote Access™

is to connect securely to a client to remote devices through the Internet (considered an insecure network). Thus, security is paramount on all design and implementation decisions, more than any other usability aspects.

Components Architecture
FactoryTalk® Remote Access™ Runtime	The software service that runs on remote devices to allow remote access to the device itself from Frontend clients. The Runtime is available for open systems such as Windows computers and for closed systems, such as Rockwell Automation’s industrial routers. The same security considerations apply in each case.
Access Servers	Access Servers are a distributed, redundant set of servers that enables device connection and provides a location for clients to connect to devices.
FactoryTalk® Remote Access™ Domain	The domain is a logical container that stores all the resources of a customer account: users, groups, and devices, and their configurations, folders, authorization rules and logs.
Web Frontend	The interactive web client allows users to log in into their FactoryTalk® Remote Access™ organization and connects to remote devices that run the FactoryTalk® Remote Access™ Runtime. Administrative users can also use the Web Frontend to manage the security rules and the configuration of devices. Advanced functions like VPN are achieved by using applets (Tools) that can be started directly from the web browser. In this document, the web frontend is generically referenced as a Frontend client.
Relay Servers	These servers in are in multiple regions and act as a public relay endpoint between Control Center and Runtime. They are not directly exposed and reachable through the Internet.
FactoryTalk® Remote Access™ Web API	This API exposes the API needed by the Web Frontend and the Tools Applets to work and provides for other auxiliary facilities such as software updates.

System architecture

Network and protocol design

Transport security

Remote Access Tools Security

Operation Audit

Cyberattacks Countermeasures

Software Updates

Data Breach Policy

Provide Feedback

Have questions or feedback about this documentation? Please submit your feedback here.

Normal