Network and protocol design

The architecture can be divided in two parts, one supporting client connection and authentication, and one supporting the Frontend to Runtime connection.

Access Server and Web API

The authentication to the FactoryTalk Remote Access Domain is done by the Web API for the Web Frontend and Tools and by the Access Server for the Runtime. The FactoryTalk Remote Access Domain information is stored in a database that is behind the Web API and Access Server.
All clients are assumed to be configured behind a firewall that only allows outgoing connections. The connection from clients to the Access Server uses TLS 1.2 with certificate authentication.
Clients can use the default TCP 443 outgoing port or they can be configured to use either port 80 or port 5935 (TLS is still used), depending on which is best to comply with local IT policies. Clients automatically test available outgoing ports, but they can be configured for a fixed port.
Access Servers are redundant and fault tolerant. They are reachable by a couple of exposed endpoints and clients should be able to reach both for best service availability.
The Web API is a REST (Representational State Transfer) API that offers authentication/authorization and administration functions to frontends, such as administering folders, devices, users, and groups, or getting software update download URLs. HTTPS is used for connecting to such services.

FactoryTalk Remote Access Web API

It exposes the API needed by the Web Frontend and the Tools Applets to work as well as other auxiliary facilities such as software updates.

Relay Servers

When there is a remote access session between a Web Frontend, a Tools Applet and a Runtime, a Relay Server is used for data forwarding. Relay Servers allow both Frontends and Runtime to stay safe behind their firewalls as no incoming ports on their side must be open.
Frontend and Runtime automatically choose the relay server to use from a pool of available servers, a list provided dynamically by the Access Server.
In order to select the best Relay Server for a certain remote access session, both Frontend and Runtime perform a connection test to all relay servers and measure their respective network performance. The Frontend and Runtime results are then combined in order to select the best relay. This automatic behavior can be disabled, and clients can be configured to use a fixed relay server.
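As an added illustration of the selection step described above (this is example code, not the product's own implementation), the routine below takes both sides' probe results, combines them and applies the fixed-relay override. The page does not say how the two result sets are combined, so the rule used here (sum of both round-trip times, considering only relays that both sides could reach) is an assumption.

```python
"""Relay Server selection (illustrative, not FactoryTalk Remote Access code)."""
from typing import Dict, Optional

# relay name -> measured round-trip time in ms; None means the probe failed.
Measurements = Dict[str, Optional[float]]


def combine_results(frontend: Measurements, runtime: Measurements) -> Dict[str, float]:
    """Merge the Frontend's and Runtime's probes into one score per relay.

    A relay is a candidate only if BOTH sides reached it: a relay that is fast
    for the Runtime but unreachable for the Frontend cannot carry the session.
    Score = frontend RTT + runtime RTT (assumed rule; lower is better).
    """
    scores: Dict[str, float] = {}
    for relay in frontend.keys() & runtime.keys():
        f_rtt, r_rtt = frontend[relay], runtime[relay]
        if f_rtt is None or r_rtt is None:
            continue
        scores[relay] = f_rtt + r_rtt
    return scores


def select_relay(frontend: Measurements, runtime: Measurements,
                 fixed_relay: Optional[str] = None) -> Optional[str]:
    """Pick the relay for a session, or None if no usable relay exists.

    fixed_relay models the option that disables automatic selection. As an
    assumed sanity check it is honoured only if it appears in the relay list
    handed out by the Access Server (i.e. in either side's probe table).
    """
    if fixed_relay is not None:
        known = fixed_relay in frontend or fixed_relay in runtime
        return fixed_relay if known else None
    scores = combine_results(frontend, runtime)
    if not scores:
        return None  # nothing reachable from both sides: cannot relay
    # Tie-break on name so the choice is deterministic.
    return min(scores, key=lambda relay: (scores[relay], relay))


# Constructed sample probe results (not real servers).
FRONTEND_PROBES: Measurements = {"relay-a": 30.0, "relay-b": 45.0, "relay-c": None}
RUNTIME_PROBES: Measurements = {"relay-a": 120.0, "relay-b": 50.0, "relay-c": 10.0}

if __name__ == "__main__":
    print(select_relay(FRONTEND_PROBES, RUNTIME_PROBES))             # relay-b
    print(select_relay(FRONTEND_PROBES, RUNTIME_PROBES, "relay-a"))  # relay-a
```

Note that relay-c, the fastest from the Runtime's side, is never chosen because the Frontend could not reach it.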