Security Architecture Whitepaper

This document provides a description of the network architecture and security design of Rockwell Automation’s FactoryTalk® Remote Access™ solution.
This document is intended for network administrators, security auditors and decision makers. It provides a complete description of the security management and design so that they can evaluate whether FactoryTalk® Remote Access™ complies with their security standards and fits their use case scenarios.

Design Consideration

The core task of FactoryTalk Remote Access is to securely connect a client to remote devices through the Internet (considered an insecure network). Security is therefore paramount in all design and implementation decisions and takes priority over usability aspects.
Components Architecture
FactoryTalk Remote Access Runtime
The software service that runs on remote devices to allow remote access to the device itself from Frontend clients.
The Runtime is available for open systems such as Windows computers and for closed systems, such as Rockwell Automation’s industrial routers. The same security considerations apply in each case.
Access Servers
Access Servers are a distributed, redundant set of servers that enable device connection and provide a location for clients to connect to devices.
FactoryTalk Remote Access Domain
The domain is a logical container that stores all the resources of a customer account: users, groups, and devices, and their configurations, folders, authorization rules and logs.
Web Frontend
The interactive web client allows users to log in to their FactoryTalk Remote Access organization and connect to remote devices that run the FactoryTalk Remote Access Runtime. Administrative users can also use the Web Frontend to manage the security rules and the configuration of devices.
Advanced functions like VPN are achieved by using applets (Tools) that can be started directly from the web browser.
In this document, the web frontend is generically referenced as a Frontend client.
Relay Servers
These servers are in multiple regions and act as a public relay endpoint between Control Center and Runtime. They are not directly exposed and reachable through the Internet.
FactoryTalk Remote Access Web API
This API exposes the interfaces that the Web Frontend and the Tools applets need to work, and provides other auxiliary facilities such as software updates.