Domain view#

The Domain view can be customized according to the requirements of each FactoryTalk Remote Access user. This is especially useful if you want to create different access rules for different users.

Tip

Permissions can be assigned to folders as well as to individual devices. Devices in each folder inherit the permissions set for the folder. Assigning permissions (either deny or allow) to a single device overrides the inherited permissions.

From the Domain View you can:

  • Search for a resource

  • Create a folder

  • Add a device

  • Create a firewall policy

  • Import a firewall policy

  • Associate a firewall policy

  • Create a group

  • Configure permissions

To search for a resource#

From the Domain view you can search the entire domain.

  1. Enter the search criteria into the Search box at the top of the view and then press Enter. The resources that match the search criteria are listed in the table.

  2. Click the x next to the Search box to clear the search criteria and return the grid to displaying all resources.

To create a folder#

  1. Sign in to the FactoryTalk Remote Access organization with an administrator account.

  2. In the Explorer go to the Domain view.

  3. Select an item in the tree view, either the root or an existing folder.

  4. Select Add resource, then choose Create folder.

You can create as many folders and sub-folders as you want.

To rename a folder#

  1. Select the folder and then select Edit.

  2. In Edit folder, in the Folder name box, type the new name of the folder.

To add a device#

  1. Click the plus sign (+) next to the top-level or subordinate folder and then select Add device.

  2. Select Add device locally to discover routers on the local network.

  3. When prompted for device credentials, enter the password to the router.

  4. In the list of routers displayed, select the router you want to add to the domain.

  5. In the Initial name box, type a name for the router and then click Register.

Once the device has been registered to the domain, you can start a remote assistance session using the VPN link from the main window of the FactoryTalk Remote Access web app. After you click the VPN link, an image for the VPN will blink in your PC’s toolbar at the bottom of your screen. Click that icon to open the connection screen for your device.

Tip

If necessary, the address of the proxy server can be set in the VPN Settings tool.

Firewall policies#

A firewall policy that has been defined or imported can be associated with a folder or with a single device. The Firewall section of the Domain view is used to associate a firewall policy with a specific user account or group name and determine whether different types of communications are allowed or denied.

By default, domains are set to allow communication through the domain, and Ethernet communication is permitted without requiring verification against the firewall policy. When all communication is allowed by default, you control access through the firewall by building policies that establish which packets must be blocked; these policies use the Deny action. Alternatively, you can set the default action, at the domain root level, to Deny, which restricts all Ethernet communication through the domain. To control access in that case, configure policies with the Allow action to establish which packets are permitted through the domain.

By default, firewall policies applied to a folder are inherited by the devices within the folder. This behavior can be changed by clearing the Inherit firewall policies checkbox in the Firewall section. The Inherit firewall policies setting is available at the root level of the domain and at each folder level. If you need to prevent firewall policies from being inherited, choose the level directly above the elements that need to use a different firewall policy.

Tip

When you select any device or folder from the Domain view, the firewall section displays a summary of all the policies applied, both explicit and inherited.

To create a firewall policy#

  1. Click the folder where you want to define the policy and then click Create firewall policy.

  2. Type the name of the policy in the space provided. Confirm the name is correct, then click OK to create the policy.

  3. Click the policy name to display the policy configuration panel where you can define the rules of the firewall policy.

  4. Click Add to configure a rule in the policy definition. The parameters for the rule definition are:

    • MAC address

    • Ethernet Type

    Note

    • FactoryTalk Remote Access VPN supports the virtualization of the data link layer and the integrated firewall supports the definition of networking connection rules.

    • The Ethernet type lists the Ethernet communication protocols.

  5. After you select the Ethernet type, the appropriate configurable properties are displayed. For example, after selecting IP, the configurable properties displayed are IP address, IP protocol, and IP ports. As you configure the firewall rule, different configurable properties are displayed to step you through creating a complete firewall rule. Selecting different Ethernet types provides different configurable properties as appropriate.

  6. Once completed, the rule is shown in the list.

When a policy is evaluated, rules are evaluated in sequential order. The first rule that matches the Ethernet packet in transit makes the policy applicable.

To import a firewall policy#

  1. Click the folder where you want to define the policy and then click Import firewall policy. A list of available policies is displayed.

  2. Select the firewall policy you want to import from the list and then click OK. The policy is imported into the domain.

The firewall policy is displayed in the Domain view at the same level as the folder that was selected when you imported the policy.

To associate a firewall policy#

  1. Click the folder or device in the Domain view and then expand the Firewall section.

  2. Click Add to open the Associate firewall policy dialog box.

  3. In Select firewall policy click the arrow to select a firewall policy you have created or imported.

  4. In User account/Group select whether the policy only applies to a certain user or group. If so, select the User account or Group Name from the list provided. The policy will be applied at the next sign on of the affected user accounts.

  5. In Default Action choose the action to be taken when the evaluated packet matches with the rules of the firewall policy.

    • Select Allow to permit the packet transmission

    • Select Deny to reject the packet transmission
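The evaluation order described in this section (rules checked in sequence, the first matching rule makes the policy applicable, the associated action is then taken, and the domain root default applies otherwise), as an added Python model that is not FactoryTalk Remote Access code. The field names, matching on destination address and port, treating an empty field as "any", checking associations in listed order, and the sample group names and packets are all assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:  # constructed fields, not the product's schema
    ether_type: str
    dst_ip: Optional[str] = None
    ip_protocol: Optional[str] = None
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class Rule:  # None means "any" (assumption)
    ether_type: str
    ip_net: Optional[str] = None
    ip_protocol: Optional[str] = None
    ports: Optional[range] = None

    def matches(self, p: Packet) -> bool:
        if p.ether_type != self.ether_type:
            return False
        if self.ip_net and (p.dst_ip is None or ip_address(p.dst_ip) not in ip_network(self.ip_net)):
            return False
        if self.ip_protocol and p.ip_protocol != self.ip_protocol:
            return False
        return self.ports is None or p.dst_port in self.ports

@dataclass(frozen=True)
class Association:  # one associated policy on a folder or device
    rules: tuple                     # ordered rules of the policy
    action: str                      # "Allow" or "Deny"
    principal: Optional[str] = None  # user account or group; None = everyone

def decide(packet, user_principals, associations, domain_default):
    """Return "Allow" or "Deny" for a packet under this simplified model."""
    for assoc in associations:
        if assoc.principal and assoc.principal not in user_principals:
            continue  # policy is scoped to a different user or group
        # Rules are checked in order; the first match makes the policy apply.
        if any(rule.matches(packet) for rule in assoc.rules):
            return assoc.action
    return domain_default  # no policy applied: the domain root default wins

# Constructed sample policies and packets.
PLC_ONLY = (Rule("IP", "192.168.10.0/24", "TCP", range(44818, 44819)),)
SSH_RULE = (Rule("IP", None, "TCP", range(22, 23)),)
plc = Packet("IP", "192.168.10.20", "TCP", 44818)
ssh = Packet("IP", "192.168.10.20", "TCP", 22)
arp = Packet("ARP")
```

With the root default set to Allow and only `SSH_RULE` associated as Deny, the `arp` and `plc` packets still pass because nothing names them; with the root default set to Deny and `PLC_ONLY` associated as Allow for one group, everything else is blocked.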

Groups#

Groups are collections of user accounts. They are useful to better organize user account permissions. Groups can be created for the domain and for subdomains.

A user account can be a member of one or more groups.

To create a group#

You must sign in to FactoryTalk Remote Access with an administrator account to create a group.

  1. Select the folder under which you want to organize the group then click the Add resource (+) sign.

    Tip

    The Create group command is also available when you right-click a folder.

  2. In the Create group window, enter the Group name and then click OK to create the group.

To add user accounts to a group#

  1. In the Domain view select the group.

  2. On the side pane, next to User Accounts, click the Add (+) icon to open the Add user accounts window.

  3. Click the Add icon (+) next to the user account to add it to the group.

Tip

To quickly find a user account in the list, type part of the user account name in the search box to reduce the number of user accounts listed.

Permissions#

FactoryTalk Remote Access allows you to define permissions for devices and folders. Devices, groups, and user accounts assigned to a folder inherit the permissions defined by that folder. You can also assign permissions directly to devices.

Rules assigned to sub-folders and individual devices take precedence over rules in the folder that contains them.

To configure permissions#

Permissions are configured from the Domain view.

  1. Select the folder or device for which you want to configure permissions.

  2. In the side panel, expand Permissions to see the currently configured permissions.

  3. Click the Add (+) icon next to Permissions to give a user account or group permission to the folder or device.

  4. Click the Remove icon next to a user or group listed under Permissions to remove that user's or group's permissions to the folder or device.

For more information, see Managing permissions.