Intro

Remote connectivity is one of the major features of Visual Designer and of our new operator interface hardware platforms running that software. The ability to monitor, troubleshoot, edit and administer Eaton XV, XP, and epro PS systems remotely over a plant network or over the Internet can save customers time and money through reduced support and maintenance, and can improve overall machine effectiveness by reducing downtime and improving quality. This paper describes the various hardware platforms and how each addresses remote access and management.

While remote connectivity is usually thought of as the ability to view and take action from a user's PC, an equally important aspect is the ability of the machine to reach out and programmatically contact key individuals when a problem is developing, prior to serious downtime or quality issues. Visual Designer can easily be configured on these OI platforms to monitor process and quality problems, and even system health, and send out email or text message alerts to local or remote personnel to prevent problems from occurring.

XV Family

There are five ways to monitor and administer the XV unit remotely over the Internet. These can be demonstrated locally by connecting a PC to the XV with a crossover cable or through a hub/switch/router. Replicating this over the Internet depends on the user setting up secure remote access through their corporate or local firewall.

There are four processes that start automatically on the XV unit from the Autoexec.bat file and support the five remote connections. The first is the remote desktop server (CERemoteSvr.exe), the second is the FTP server (FtpSvr.exe), the third is the web server (HttpdStart.exe) and the fourth is the Visual Designer remote agent (CEServer.exe). A fifth process, VNC Gateway, is remarked out in the Autoexec.bat file of the XV unit, but the file can be edited to launch this service as well.
This allows VNC client connections, available on devices such as the iPhone, iPad, Android and Blackberry (non-Windows) devices, to connect to the remote desktop server of the XV unit over a WiFi network.

1. The Remote (desktop) Client can be downloaded from Eaton's website under OI Documentation/Software Downloads at: http://www.eaton.com/electrical/usa/ProductsandServices/AutomationandControl/OperatorInterface/XVXP/index.htm
   This file can be copied to a PC and run without going through an install process. It is a true remote desktop client (like VNC or UltraVNC on a standard PC) allowing full remote control of the unit. It connects to the remote desktop server running on the XV unit. Only one remote desktop connection can be supported at the same time.

2. The user can connect using a thin client interface to the web server running on the XV by opening Internet Explorer and browsing to the XV's IP address followed by a forward slash and the name of the startup page. For example, if the XV's IP address is 192.168.1.20 and the startup page was named Main, then the URL to open would be: http://192.168.1.20/main.html
   No special software needs to be installed prior to connecting to the unit, but the first time the user connects they will be asked to accept a download of an ActiveX control that installs automatically and allows Internet Explorer to display the application pages. The XV unit is licensed from the factory for one web client session, meaning only one web client can be connected at one time. Field upgrades can be purchased that will allow up to 8 simultaneous web client connections.

3. The user can connect to the FTP server by opening Windows Explorer on their PC and typing in ftp://ipaddress where ipaddress is the IP address of the XV unit. This can be used to copy and paste files to and from the XV unit. Multiple simultaneous FTP connections are possible.

4. Visual Designer development software can connect to the XV remote agent for:
   a. Uploading the project
   b. Downloading or updating the project and/or runtime software
   c. Downloading or updating the runtime software
   d. Updating the runtime license to add tags or thin client connections.
   This is done by clicking on the Connect icon in the Remote Management group of the Home tab of the ribbon, then typing in the IP address of the unit and clicking the Connect button. The developer can then pick the desired function from the four tabs in the Remote Management window.

5. The user can connect using an SMA (Studio Mobile Access) thin client interface from a smart phone, Blackberry, PDA, iPhone/iPad, or other smart Wi-Fi or Internet enabled device. Studio SMA uses Collaboration Data Objects (CDO) and Active Server Pages (ASP) to build the Web application pages for mobile browsers. The mobile browser does not need to support Java, Flash, or any other advanced features because the pages are built entirely on the server side and then sent to the browser as simple HTML. To connect through the SMA interface the user must open a browser on the mobile device and use the following link: http://ipaddress/sma/logon.asp

In some cases the user may want to limit remote access to the XV unit. All that is needed is to upload the XV's autoexec.bat file using the FTP connection, remark out the commands that start the various remote servers automatically, then copy the file back and perform a reboot. It is recommended to at least leave the Visual Designer remote agent started automatically, to facilitate stopping the Visual Designer project to gain access to the operating system, from which the other servers can be manually started. Another way to do this would be to place an Exit function in the project with the proper security setting to allow OS access for maintenance.

XP and epro PS Families

There are also five ways to monitor and administer the XP or epro PS units remotely over the Internet. On these platforms the IIS and FTP services are included in the OS build and automatically started to support web client and SMA connections through Internet Explorer and FTP connections through Windows Explorer, much like the XV units. One difference is that the FTP site for the XV is the entire internal flash and external SD flash drive, whereas the default FTP site for the XP is D:\Cfg and on the epro D:\.
Also, the FTP directories both have the virtual name of Cfg, so that in Windows Explorer the user types ftp://ipaddress/cfg where ipaddress is the IP address of the XP or epro PS unit. On both units the user can add FTP virtual sites to gain remote file access to other folders through Control Panel > Admin Tools > Internet Information Services.

The Visual Designer remote agent is automatically started on both XV and epro PS through a shortcut in the All Programs/Startup folder. The developer can then connect to the units from the Visual Designer editor to upload/download/update the project. However, unlike the XV units, the runtime software cannot be updated from the editor/remote agent connection, nor can the Visual Designer license be updated. To update the runtime software version the user must follow the installation process from the unit, much like they would do on a standard PC. Upgrading the runtime license is also accomplished locally using the Register utility from Start > All Programs > Eaton > Visual Designer Vx.y > Register. This will allow the user to update the tag count or increase the number of simultaneous thin client connections. On the XP and epro the user can have a maximum of 256 simultaneous thin client connections.

To provide a remote desktop feature on these units it is recommended that a third-party server called UltraVNC be installed. This is an open source, free download from the Internet that has been fully tested on the XP and epro PS. It can be downloaded from www.ultravnc.com and then installed on the XP or epro unit. During the installation the user will be able to create a unique password to prevent unwanted access. On the remote PC all that needs to be installed is the UltraVNC client component. Then from the PC the user can launch the UltraVNC client, provide the IP address of the unit they wish to connect to, and supply the password assigned to the remote unit.
Some of the advanced features of UltraVNC include the ability to launch Task Manager, get to the Windows Start menu, start a chat session with the remote user, and manage file transfers from and to the remote unit, negating the need to use the FTP service.

Application Security and Internet / Firewall Security Considerations

The security system in Visual Designer is fully implemented for web thin client connections. The application developer can prevent remote changes to process settings and control for all web thin client connections, or rely on the user/password security settings to dictate control access as well as access to specific pages or screens.

For all remote connections such as Web Thin Client, FTP, remote desktop, and remote editing, network security needs to be considered when setting up Internet and firewall connectivity. Proper setup of network security is up to personnel familiar with the setup of the network hardware to allow or prevent access to specific activities through routers and firewalls. While specific Internet hardware settings and the user interface to configure them will be somewhat different from vendor to vendor, the network configurator will need to know what Ethernet ports are used by each of the remote connections. For instance, the Visual Designer web server utilizes ports 80 (HTML) and 1234 (TCP/IP) for its functionality, and the remote agent that allows the Visual Designer editor to remotely edit an XP or XV unit uses port 4322.
A complete list of potential port usage is shown below:

Port #   Program
20       FTP Server (Data)
21       FTP Server (Command)
25       SMTP Server
80       Microsoft IIS Server for HTTP packets
110      POP3
118      Microsoft SQL Server Services
161      SNMP
162      SNMP Trap
389      LDAP
443      Microsoft IIS Server for HTTPS packets (SSL)
502      Modbus TCP/IP protocol
663      LDAP over SSL
1028     FTP Client (Command)
1029     FTP Client (Data)
1234     Project TCP/IP Server
1443     Microsoft SQL Server
1444     Microsoft SQL Server default port (Monitor)
1521     Oracle
1526     Oracle
2030     Oracle
3001     A-B Ethernet TCP/IP Protocol (default)
3306     MySQL (can be configured to use 3306-3309)
3872     Oracle Management Remote Agent
3997     Studio ADO Gateway
4322     Remote Agent (CEServer)
5900     RealVNC/UltraVNC
5432     PostgreSQL
47808    BACNet UDP Protocol (default)
51738    Remote Desktop Server (XV-102/152)
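The following is an added example, not part of Eaton's document: a check a network administrator could run over a router's port-forward table, using the default ports from the list above. It reports which remote-access paths are reachable from outside, which are only half forwarded, and which forwards to the panel serve no remote-access path. The rule tuples, the panel address and all function and variable names are constructed for illustration.

```python
# Added example: audit a router's port-forward table against the remote-access
# ports listed in this paper. All rule data below is constructed sample input.

# Remote-access path -> panel ports it needs (default ports from the paper).
ACCESS_PATHS = {
    "web thin client": {80, 1234},   # web server + project TCP/IP data server
    "FTP": {21},                     # FTP server (command)
    "remote agent (CEServer)": {4322},
    "UltraVNC": {5900},
    "XV remote desktop server": {51738},
}

def audit_forwards(rules, panel_ip, intended):
    """rules: iterable of (name, external_port, internal_ip, internal_port).
    intended: set of ACCESS_PATHS names the site has decided to expose.
    Returns a dict with 'exposed', 'incomplete', 'unintended' and 'unknown'."""
    forwarded = {in_port for _, _, ip, in_port in rules if ip == panel_ip}
    report = {"exposed": [], "incomplete": [], "unintended": [], "unknown": []}
    claimed = set()
    for path, ports in ACCESS_PATHS.items():
        hit = ports & forwarded
        if not hit:
            continue
        claimed |= hit
        if hit != ports:
            # e.g. port 80 forwarded without 1234: only half the path is open
            report["incomplete"].append((path, sorted(ports - hit)))
        elif path in intended:
            report["exposed"].append(path)
        if path not in intended:
            report["unintended"].append(path)
    # Forwards to the panel that match no remote-access path (e.g. 502 Modbus)
    report["unknown"] = sorted(forwarded - claimed)
    return report

# Constructed sample: forwards configured on a router in front of one panel.
SAMPLE_RULES = [
    ("OI-panel-web", 80, "192.168.1.7", 80),
    ("OI-panel-ftp", 21, "192.168.1.7", 21),
    ("OI-panel-vnc", 5900, "192.168.1.7", 5900),
    ("OI-panel-modbus", 502, "192.168.1.7", 502),
    ("other-host", 8080, "192.168.1.50", 80),
]

if __name__ == "__main__":
    result = audit_forwards(SAMPLE_RULES, "192.168.1.7",
                            intended={"web thin client", "FTP"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

If the web server or data server port has been changed from its default on the panel, ACCESS_PATHS must be edited to match before the audit is meaningful.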
Technical Data AP04803010E

There is a wealth of information available on the Internet for setting up firewalls and routers, and there are many IT professionals who can assist in these efforts to ensure network security. The following section provides some insight into the various ways of setting this up.

Thin Client Web Viewing using a Public IP Address

This section describes the steps and issues to address to successfully implement thin client web viewing with Visual Designer and XV, XP and epro PS touch panels using a public IP address. Only some key points are covered.

Thin client web viewing has been verified using Microsoft Internet Explorer V8 on Windows XP and Windows 7. It will not work with the 64-bit version of Internet Explorer 9; however, when IE9 is installed on a Windows 7 64-bit machine, it automatically installs both the 32-bit and 64-bit versions, and the shortcut created during the install points to the 32-bit version, which works. Thin client web viewing is also not supported with non-Microsoft browsers such as Mozilla Firefox and Google Chrome.

The Internet router must be set up to port forward the following ports:

   Port 80 (default HTML port)
   Port 1234 (default TCP/IP port)

Port forwarding is typically configured from the Firewall section (sometimes called applications and gaming) of popular routers such as the Cisco seen in Figure 1. The ports must be forwarded to the local IP address of your Eaton OI panel, for example 192.168.1.7. The name property in the Custom Service Table shown in Figure 1 (in other routers this may be called the Application field) can be any name you wish to use, but it is highly recommended that it reference the unit being forwarded to when the internal network has more than one OI unit to connect to remotely. Be sure to check that the port forwarding has been enabled, and save your settings.
[Figure 1] [Figure 2] [Figure 3]

In Figure 2, where Access Rules are configured, you pick the IP address to forward to for each service configured in Figure 1. This rule becomes part of the selected policy, shown in Figure 3, by adding a rule and saving it. Note that each router will be configured somewhat differently, but the same general terms and operations are supported by all modern routers.

Default port:

Multiple reasons may necessitate changing the default port of both the web server (default 80) and the data server (1234) that the thin client uses within an application. These reasons may include but are not limited to:

   Port 80 is blocked by some Internet service providers
   Corporate policy requires specified port addresses for web servers
   Multiple web serving Visual Designer applications need remote access and are on the same network

Changing the default Webserver Port on XV

To change the port in the boot sequence on XV units, the following is required:

Download the zip file: http://custom.microinnovation.com/431/XVWebServerChangePort.zip

Unzip, and edit the file changeport.reg. In changeport.reg the default HTTPD port is set to 8080 (bytes 3 and 4 on the command line, in hex numbers (1F90)):

   "SockAddr"=hex(3):02,00,1f,90,00,00,00,00,00,00,00,00,00,00,00,00

To change to 8081, for example, change the file to reference the number 8081 in hex (1F91H):

   "SockAddr"=hex(3):02,00,1f,91,00,00,00,00,00,00,00,00,00,00,00,00

These files should be placed in the proper boot location in either \InternalStorage\ or \StorageCard\ depending on application setup.
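The following is an added example, not part of Eaton's changeport.reg package: it decodes and rewrites the SockAddr line shown above so the port can be checked before the file is copied to the unit. It assumes the 16 bytes follow the usual IPv4 socket-address layout, with the address family in bytes 1 and 2 (02,00) and the port in bytes 3 and 4, high byte first, as the 1F90 example shows; the function names are hypothetical.

```python
# Added example: decode and rewrite the SockAddr value from changeport.reg.
import re

# Accepts the value name with or without surrounding quotes.
_LINE = re.compile(r'^\s*"?SockAddr"?\s*=\s*hex\(3\):\s*([0-9a-fA-F,\s]+)$')

def parse_sockaddr(line):
    """Return (family, port, ipv4) from a SockAddr=hex(3):... line."""
    m = _LINE.match(line)
    if not m:
        raise ValueError("not a SockAddr hex(3) line")
    raw = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
    if len(raw) != 16:
        raise ValueError(f"expected 16 bytes, got {len(raw)}")
    family = int.from_bytes(raw[0:2], "little")  # 02,00 -> 2 (assumed AF_INET)
    port = int.from_bytes(raw[2:4], "big")       # 1f,90 -> 8080, high byte first
    ipv4 = ".".join(str(b) for b in raw[4:8])    # 0.0.0.0 = all interfaces
    return family, port, ipv4

def set_port(line, new_port):
    """Return the line with bytes 3 and 4 replaced by new_port."""
    if not 1 <= new_port <= 65535:
        raise ValueError("port must be 1..65535")
    family, _, _ = parse_sockaddr(line)          # also validates the input line
    if family != 2:
        raise ValueError("unexpected address family")
    prefix, data = line.split(":", 1)
    parts = [p.strip() for p in data.split(",")]
    parts[2:4] = [f"{new_port >> 8:02x}", f"{new_port & 0xFF:02x}"]
    return prefix + ":" + ",".join(parts)

# The 8080 value from this paper (value name quoted, standard .reg syntax).
ORIGINAL = '"SockAddr"=hex(3):02,00,1f,90,00,00,00,00,00,00,00,00,00,00,00,00'

if __name__ == "__main__":
    print(parse_sockaddr(ORIGINAL))
    print(set_port(ORIGINAL, 8081))
```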
Changing the default Webserver Port on XP and epro PS

Open Administrative Tools from the Control Panel and open Internet Information Services:

[Figure 4]

Click on the plus signs to find the Default Web Site and right-click on it to open properties.

[Figure 5]

Change the TCP Port to the designated port address (in this example 8080), then click Apply, then OK, and complete a protect mode save.

Note: If you set the port to something other than 80, you will need to add :8080 to the IP address URL when using Internet Explorer to view the unit as a thin client. E.g. http://x.x.x.x:8080/startup.html

Changing the default Data Server Port on all Visual Designer Projects

Just like the web server, it may also be necessary to change the data server (TCP/IP) port of the application. This can be done for all Visual Designer products with the Project Settings, Communication properties. The default port setting is 1234.

[Figure 6]

IMPORTANT! The Secondary Data Server IP address must be set to the public IP address of your web server.

To configure the secondary data server, click on the Thin Client icon in the Web group of the Project tab:

Next, click the Advanced button:
In the Advanced dialog enter the Secondary Data Server IP Address. This is the public IP address for your web server.

No entries required in WINS tab:

Once you have configured the Thin Client setting in Visual Designer, you must re-publish all your HTML screen files and download them to the panel.

Note: Internet sites such as whatismyip.com or ipmonkey.com will identify your public IP address.

Note: The IP address of your gateway (router) needs to be set in the IP tab and DNS tab of your XV, XP or epro PS panel's Network properties. Examples below show the setup for an XV panel (XP and epro units configuration is the same as a normal Windows XP PC):

Open the target unit's Control Panel, then click on the Network icon and set the Gateway setting to the router's local IP address. Use the left/right arrow buttons to increment/decrement the value in the selected field.

To view the Visual Designer project screens remotely using the web thin client, first launch MS Internet Explorer. Enter the public IP address followed by the startup screen name, for example: http://54.33.45.11/startup.html. If this is the first time you have attempted thin client viewing, you will be prompted to install an ActiveX control. This will take a minute or so. After the ActiveX control is installed, you will be able to view the project screens in your web browser.
FTP and Remote Desktop Access using a Public IP Address

The key points for setting up FTP (File Transfer Protocol) and Remote Desktop access using a public IP address are similar to those for thin client viewing. The Internet router must be set up to port forward the following ports for such access:

   Port 21 (for FTP access)
   Port 4322 for Remote Agent (CE Server)
   Port 5900 for UltraVNC (XP-702)
   Port 51738 for Remote Server (XV-102/152 remote desktop agent)

To view the Visual Designer project folders remotely using FTP on an XV unit, first launch Windows Explorer. Enter the public IP address, for example: ftp://54.33.45.11. You will now be able to view, copy, and paste to the folders on your XV panel drives from your PC.

On an XP or epro PS unit you will have to make sure the Windows Firewall is turned off in the Control Panel of the unit, then add the virtual site Cfg to the end of the address in Windows Explorer on the remote PC. For example: ftp://54.33.45.22/cfg

Alternatively, on an XP or epro PS machine, third-party software such as UltraVNC server can be installed, which offers file transfer utilities that do not require you to turn off the Windows Firewall on the unit. UltraVNC, however, uses a different port (5900 by default), which would also need to be opened in the router's firewall/port forwarding settings.

Eaton Corporation
Electrical Sector
1111 Superior Ave.
Cleveland, OH 44114
United States
877-ETN-CARE (877-386-2273)
Eaton.com

© 2011 Eaton Corporation
All Rights Reserved
Printed in USA
Publication No. AP04803010E / TN
August 2011

Eaton and Visual Designer are registered trademarks of Eaton Corporation. All other trademarks are property of their respective owners.