Possible uses of agents and gateways
Simple network
As shown above, the octoplant server is located in an isolated network (DMZ) and therefore cannot directly access the controllers in the OT network, which sits behind NAT.
In order to back up the two devices, an agent must be used in the OT network. The communication between the octoplant server and the agent must still be allowed in the firewall, but the agent has two network ports, which enables direct communication with both devices.
Alternatively, the PLC can be reached via port forwarding on the "industrial router". However, this option is not always available and requires detailed knowledge of the devices.
Distributed network
The network is divided into different zones. This allows several UserClients to connect to the octoplant server via a CSC gateway. The gateway is the only component that needs to pass through the firewall, and it ensures that only octoplant communication is allowed through.
This setup is advantageous if the network contains several firewalls and the (re-)configuration of each firewall would be a complicated task. One octoplant server can thus be used to connect to multiple company sites. For security reasons, all communication over untrusted networks (e.g. the Internet) should be carried over a VPN.
Agent connection via gateway
In this network scenario, the OT network contains a dedicated subnet (10.1.0.0/24). Only two devices need to be reachable for backups.
As there are two "industrial routers" that provide NAT, an agent can be deployed in the last NAT network (i.e. the subnet behind the most intermediate hops, seen from the octoplant server). There are two ways to establish a connection to the agent:
- Using a gateway: the first router ("Industrial router 1") must be configured so that it forwards incoming connections to the gateway. The gateway itself automatically forwards all requests to the agent. No configuration is required on the second router.
- Configuring the second router to forward connections: as before, the first router ("Industrial router 1") must be configured to forward incoming connections, but this time to the second router. The second router ("Industrial router 2") must then be configured so that it forwards the incoming connection to the agent.
In both cases, the agent can reach all devices in the two subnets 10.1.0.0/24 and 10.0.0.0/24. (The second router already performs NAT routing and forwards all requests to the 10.0.0.0/24 network.)
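The second option (forwarding through both routers) expressed as nftables rules, added here as an illustration and not taken from the octoplant documentation or any router vendor. It assumes both industrial routers run nftables with interfaces named "wan" and "lan"; the addresses of the octoplant server, the router 2 WAN side and the agent, as well as the agent port, are constructed placeholders. The rules restrict the forwarded port to the octoplant server's address so the NAT hole is not open to the whole DMZ.

```nftables
# Constructed addresses for this example; replace with the real ones.
define octoplant_server = 192.0.2.10   # octoplant server in the DMZ
define router2_wan      = 10.1.0.1     # Industrial router 2, side facing router 1
define agent            = 10.0.0.50    # agent host in the 10.0.0.0/24 subnet
define agent_port       = 49152        # placeholder, use the agent's real listening port

# ---- Industrial router 1 (load this table on router 1 only) ----
table ip router1 {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # Forward the incoming connection to router 2, but only from the octoplant server.
        iifname "wan" ip saddr $octoplant_server tcp dport $agent_port dnat to $router2_wan
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Accept only the translated flow; everything else from the DMZ is dropped.
        iifname "wan" oifname "lan" ip saddr $octoplant_server ip daddr $router2_wan \
            tcp dport $agent_port ct status dnat accept
    }
}

# ---- Industrial router 2 (load this table on router 2 only) ----
table ip router2 {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # Second hop: forward the connection that router 1 passed on to the agent.
        iifname "wan" ip saddr $octoplant_server tcp dport $agent_port dnat to $agent
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "wan" oifname "lan" ip saddr $octoplant_server ip daddr $agent \
            tcp dport $agent_port ct status dnat accept
        # Let the agent reach the devices in 10.1.0.0/24 through this router.
        iifname "lan" oifname "wan" ip saddr $agent accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        # Router 2 already performs NAT, so the agent's requests into 10.1.0.0/24 are masqueraded.
        oifname "wan" ip saddr 10.0.0.0/24 masquerade
    }
}
```

Each table is loaded on its own router with `nft -f`; the `policy drop` forward chains mean that anything not explicitly listed, including other DMZ hosts probing the forwarded port, is discarded.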
Two locations and multiple subnets
To connect several locations with only one octoplant server, a VPN connection can be established as before.
The routers of the OT network must be configured to forward the agent's connection. If several OT networks exist, it may be useful to install a gateway. This way, only the gateway needs to be accessible from the octoplant server (remote location) and the connection is automatically forwarded between the OT networks. The gateway can also be configured so that it connects directly to the VPN network and thus relieves the firewall devices.