Domat Proxy server

Why Domat Proxy?

Domat Proxy is a service that enables access to a PLC in a LAN network without the need to establish access to the network via a public IP address. If we want to connect to the PLC, which is in the role of (SSCP) server, from the outside - via the Internet and the public address of the router that connects the internal network to the Internet, a rule must be set in the router for forwarding data to the internal address in the network - the address PLC. Network administrators usually try to avoid these settings because an open port on a public IP address is a security risk: it can become a target for attack.

The ideal solution is to use a VPN: set up a separate technological network, deploy a VPN router on the PLC side and thus connect the PLC and the client through a secure environment. But this is not always possible or economical. Then the Domat Proxy service can come in handy, which mediates the connection between the PLC and SSCP client (e.g. Domat IDE or SCADA), without the need to set rules for incoming packets on the router.

How does it all work?

The prerequisite is that the PLC is installed in a network from which access to the Internet is possible. Furthermore, the network gateway (Default Gateway) and the DNS server address must be set in the PLC. The gateway is necessary for the PLC to send data to the Internet, the DNS server must be available for successful translation of the domain name (here plcproxy.domat.cz) to the IP address.

The technical support department (support@domat.cz) will generate a so-called Proxy ID free of charge upon request. This is the code with which the PLC reports to the proxy server and thus opens the communication channel. After uploading the configuration, the PLC connects itself with the assigned Proxy ID to the proxy server operated by Domat and is ready to receive data from the proxy server. We can see a successful connection in the System Status in the PLC (Connected).

Clients then do not access the PLC directly (where the router will not let them in), but to this proxy server with the same Proxy ID as set in the PLC. The client can be Domat IDE, SCADA, or any other client program (OPC server, Domat Visual, etc.). The connection can be set as secure (TLS), see the IDE help - in this case, it is necessary to use the https:// protocol in the proxy server address, or tcps:// and other TCP ports.

What are the expenses?

Proxy ID allocation and the service itself are free. Domat Proxy facilitates remote management and commissioning - all that is needed is for the PLC to have access to the Internet. Using Domat Proxy is more secure than redirecting traffic from a public IP address, port mapping, etc., because from the point of view of the customer's network, it is an outgoing http(s) connection, which is usually allowed without problems. Via Domat Proxy, values can be read and written, but also the program can be played, the PLC can be restarted and the PLC configuration can be downloaded or uploaded, so it is a full-fledged programming approach. However, this is a non-guaranteed service, so read the licence agreement carefully.

Anything else important?

Detailed settings on the side of the PLC and client programs can be found in the Domat IDE help. In the case of SCADA, the proxy connection and possibly its security is set in the definition data point of the connection in RcWare Vision. Attention, the secure connection directly in RcWare Vision is not functional, so it cannot be tested here; in SCADA, however, even the secure connection works correctly. Domat Visual does not yet support connection security.

Even though the PLC is not directly exposed to the Internet, it is advisable to observe basic security measures, in particular not to use the default password to access the PLC and to use only the necessary level for connection (for example, SCADA does not have to connect as admin, but as user, as it will not perform programming or configuration work). The overall security concept should be designed in cooperation with the facility operator. Domat Proxy can help with commissioning and servicing, especially in the early phase of the project and right after its completion, when we temporarily install an LTE modem at an event where permanent remote access is not expected. In this case, Domat Proxy significantly simplifies connectivity settings - it is not necessary to order a public IP address or set up an APN from the provider.

In case of questions, do not hesitate to contact Domat technical support.