FactoryTalk Remote Access Manager Best Practices

FactoryTalk Remote Access - Help

Important user information

FactoryTalk® Remote Access™ Release Notes

Getting Started

Introduction

Abbreviations and acronyms

System architecture

System items interaction

Connection between FactoryTalk Remote Access Manager and remote devices

Client and server connectivity

Proxy

Security Architecture Whitepaper

Network and protocol design

Transport security

Remote Access Tools Security

Authentication

Operation Audit

Authorization

Cyberattacks Countermeasures

Data center

Software Updates

Data Breach Policy

Best Practices

System components

FactoryTalk Remote Access

FactoryTalk Remote Access Manager Tools

Stratix 4300 Remote Access Router

Router factory settings and identification

Protection against domain change

OptixPanel Graphic Terminals

Embedded Edge Compute Module

OptixEdge

ASEM 6300 iPC

ASEM 6300B Box PC

ASEM 6300P Panel PC

ASEM 6300PA On-Machine Industrial PC

Runtime (for third party devices)

FactoryTalk Remote Access Manager

FactoryTalk Remote Access Manager overview and related entities

Organizations, domains and domain subfolders

Access protection

Menu Tree

Explorer

Geolocation

Audit

Settings

Tools

Log

FactoryTalk Remote Access Manager Tools

Interactive Access

(Interactive Access) Remote desktop

(Interactive Access) Processes

(Interactive Access) Explorer

(Interactive Access) Connection

(Interactive Access) Information

(Interactive Access) Log

Device Setup

Connection Settings

Start FactoryTalk Remote Access

Create your MyRockwellAutomation account

Log in to FactoryTalk Hub

Create an organization and a domain

Invite users to an organization

Organization activities

Manage domains and related entities

Domain roles and domain groups

Domain user permissions

Create a domain subfolder

Groups creation

Device registration to domain

Device move and removal

Runtime registration

Invite users to a device

View and manage invited users and related permissions

Domain roles and domain groups

Subdevices

Add a subdevice

Add a service

Custom service application example

Launch a service

Subdevices management

Approve remote access

Request Assistance

Firewall settings

Routing rules

Entitlements

Features comparison

Basic entitlement on ASEM 6300 iPC

Software components setup and installation

FactoryTalk Remote Access Manager Tools installation

Language setup

Runtime configuration

Windows Runtime installation and configuration

Ubuntu 22 Runtime installation and configuration

Ubuntu 22 keys reference table

Runtime command lines

FactoryTalk Remote Access entitlement activation

Local connection

Internet Sharing

Runtime service in a Docker container

Runtime features supported in Container

Step-by-step setup guide

Requirements

Install Docker and Docker Compose

Unpack components from the installation folder

Upload Docker images

Configure features supported in the container

Enable the Remote Desktop Protocol (RDP)

Enable a VPN connection

Validate configuration

Run Docker Runtime

Runtime container exposed ports

Updates

Runtime and firmware update

Over the air update for Windows Runtime

Over the air update for firmware

FactoryTalk Remote Access Manager Tools update

Ubuntu 22 Runtime update

Quick reference guide

FactoryTalk Remote Access Manager Best Practices

How to create an organization or domain

How to activate a entitlement

How to establish a remote desktop connection

How to establish a VPN connection with a remote device

How to establish a VPN connection

How to set permissions rights

How to view operations log

How to implement any network safety settings

Which ports and public IPs shall I allow through my company firewall?

Runtime connection lost

Enable FactoryTalk Remote Access for FactoryTalk Design Studio

FactoryTalk® Remote Access™
Manager Best Practices

Use the following tips for proper usage of

FactoryTalk® Remote Access™

.

• In the case of software installations on Windows devices, configure a firewall in the network (best if a hardware firewall) so that all connections from the Internet to the device are blocked. Only one outgoing port should be used by

FactoryTalk® Remote Access™

(TCP port 443, 80 or 5935) and kept open from the device to the Internet.

• Windows devices should only run controlled and safe software.

• Update the

FactoryTalk® Remote Access™

software in case security improvements are released.

• Given a given proper, static and controlled industrial environment, an antivirus software can be avoided.

• A strong administrator password change per IEC 62443-3-3 is enforced to register a Router to an organization. Keep the administrator password safe and do not share it with unauthorized personnel.

•

FactoryTalk® Remote Access™

routers can be connected to the Internet through their WAN port.

FactoryTalk® Remote Access™

routers do not enable any service through that port and will only need an outgoing connection through to the configured outgoing port (TCP port 443, 80 or 5935). They do not expose any surface to known attacks from the outside. The latest version of the firmware stack against new kinds of attacks is periodically tested. However, for best security, an additional specialized hardware firewall provides the best protection from the outside.

Quick reference guide

Provide Feedback

Have questions or feedback about this documentation? Please submit your feedback here.