Question

IEM with a main network and an isolated network.

0

I have just started working with Industrial Edge Manager in a testing capacity. We have multiple Industrial Edge devices with which we are working and need to keep them off of corporate networks. This is very common with the types of testing that we perform but can be problematic. So, our IEM has 2 network adapters defined. The primary NIC is connected to a firewalled corporate network which has full access to the Industrial Edge Hub. The IEM shows online and all is well from that standpoint. The second NIC is connected to a routed test network that is kept isolated from corporate networks. There is no routing between these networks. This is where the physical IEDs are connected and in this case uses the subnet 192.168.15.0/24. After creating an edge device in the IEM, I created an onboarding file and downloaded that to one of our IEDs using it’s webpage. The file was accepted and the IED changed its IP address; however, the IEM shows the device as waiting for onboarding. We’re kind of a fringe case here but I wondered if anyone else has dealt with this scenario before and if so, are there any caveats or gotchas to consider.

asked 2023-07-18

John Baker

4 answers

Marco Spoel · Answer 1 · 2023-07-19

Hi John,

Could it be that the IEM has a default route to the primary NIC and the application is expecting the IED behind that, so the data never reached the 192.168.15.0/24 network? I would use a sniffer to see what goes wrong. Also, it could be a DNS problem, that the EID is resolved outside of the 192.168.15.0/24 network.

Use the etc/hosts file to hard point the EID to the IP of the IED hostname.

I hope this will give you a hint on where to look.

Go Make It

John Baker · Answer 2 · 2023-07-19

To clarify and add some detail, our IEM has 2 NICs and the networks are not connected.

A firewall network
A test subnet.

The IEM Maintenance webpage can be opened and logged on to from either subnet. GOOD

Regardless of which network web address is being used to access the IEM Management page, when I click the Edge Management icon, I am taken to the test subnet address https://192.168.15.41:9443/pp/app/home

Clicking the Sign In icon flashes momentarily and never gives a logon window. Encrypted packets are being sent to the test subnet IP address of the IEM. I suspect that the responses are going out to the firewall network but I cannot monitor that easily.

The Proxy settings are set to not use the proxy with 192.168.0.0/16 as well as 192.168.15.0/24 which is pretty standard.

A workaround.

If I go instead to https://<Firewall IP>:9443/pp/app/home I do get a logon window and am able to access all functions.

So, when I create a provisioning file for an IED and edit it, I see the firewall address of the IEM. If I change it to the Test Subnet IP address of the IEM, it provisions fine and is able to be used as intended with the IEDs.

I have found issues in the past when dealing with our isolated networks on other systems.

Where can I find the root password for the console of the IEM? Or how to access network related files?

John Baker · Answer 3 · 2023-07-25

That is a very poor design consideration for customers that require isolation of networks. In our case testing.

John Baker · Answer 4 · 2023-07-25

That is a very poor design consideration for customers that require isolation of networks. In our case testing.