Relay server clarification and guidance.

Good day. I've been working with the hub, IEM and a handful of IEDs these last couple of weeks. Currently the IEM and our IEDs are all on the same firewalled subnet of a corporate network. Communication between the IEM and IEDs works fine.

For our IED and application testing, I will be moving the IEDs into our isolated test network, which consists of a few dozen routed segments that provide various TCP/IP services to equipment that we test. Connection between our test network and the corporate firewalled segment is strongly controlled, i.e. assets do not have access outside of the test network.

In the "Setting up the IEM" documentation, the configuring of a relay server on the IEM is described. For us, the "Relay Server" appears to be the solution for dealing with the type of isolation that we have between our networks, i.e. very limited connectivity between the subnet containing the IEM and our separate network which will contain our IEDs.

From the documentation: "Adding a relay server – When your Edge Devices are placed in your plant network that is separated for example by NAT Gateway from the control plane network in which the IEM is running, the Edge Devices in the plant network establish the connection to the relay server. This relay server allows you to access the Edge Devices from the control plane network."

Where I am looking for some guidance is the connection method that is used to connect between the subnet with the IEM and the separate network. Port forwarding? Router? Bridge?

Is there documentation that discusses this type of network configuration?

Any advice is appreciated.
asked
3 answers

Hi John,

I can't tell from experience; I only worked with the 204o. But if I read the manual: https://cache.industry.siemens.com/dl/files/387/109795387/att_1059471/v1/iem_getting_started_enUS_en-US.pdf, it looks to me that the IEM is reaching out to the Insight Hub, facilitating the remote access connection for debugging on edge devices. Section 4.9 on page 88 (onward) describes this. In that case, you don't need to add PAT or NAT on the firewall to facilitate connections from outside to inside, as the IEM is communicating from inside to out, allowing remote access to be initiated from the inside.

Go Make It

answered

Hi John and Marco,

The relay server creates a tunnel, which needs to be enabled for a defined time, between the IEM and a specific IED. So it can be used to control and configure your separated IEDs via the IEM. It is not meant to be a permanent route/tunnel.

Online Documentation can be found here: Adding a relay server - Industrial Edge Documentation (siemens.cloud)
Network security and segmentation - Industrial Edge Documentation (siemens.cloud)

Side note: this documentation website (What is Industrial Edge - Industrial Edge Documentation (siemens.cloud)) also contains a nice search feature ;)

answered

Many thanks for responding.

Our IEM is running on a corporate firewalled network and has no issues contacting the IE hub. This is all performed on networks maintained by corporate. For now, our IEDs reside on the firewalled network.

Our IEDs will eventually be running on a separate test network that is almost completely isolated from the production firewalled network (we do have some gateway systems dual-homed to both networks). This isolated test network has multiple private subnets with routing capabilities and most TCP/IP services needed for testing purposes. Directing our IEDs to their default gateway will not end up with IEM access. Therein lies the rub.

answered