The domain represents the company account hosted by the FactoryTalk Remote Access Cloud Infrastructure. A domain consists of a group of devices, users, groups, firewall rules, and permissions. All remote devices in a domain are organized in folders in a tree structure. User permissions to the remote devices can then be assigned. Information about the usage of the remote access service is collected in the audit and log files associated with the domain.

FactoryTalk Remote Access uses multi-factor authentication to help secure access to resources. Before you start working with your domain, you must set up your authentication method.

Set up multi-factor authentication

When you first sign in to FactoryTalk Remote Access, you will receive a message that multi-factor authentication must be configured and activated before use. After you click the Activation link, a QR code is displayed that can be scanned with any application that supports the Google Authenticator standard. Use the following links from your device to download an authenticator app:

If your device cannot scan the QR code, click the Can’t read? link to view the security code, which you can enter in your authentication app as an alternative to scanning the QR code.

After the first sign-in, subsequent sign-ins will ask for your authenticator code. This code is updated every 3 minutes. Open the authenticator app on your device and type in the current code that is assigned to your account.

Create a domain

To start using FactoryTalk Remote Access you must create a domain to access and use the services. Your domain must have a unique name.

This is an operation that is only done once.


To create and use the domain you must have a working internet connection on the PC and your organization must have the FactoryTalk Remote Access entitlement.

To create a domain

  1. Sign in to FactoryTalk Hub.

  2. Select the FactoryTalk Remote Access service tile.

  3. You will be asked to authenticate yourself using your authenticator code.

  4. In Create domain, provide a name for the domain. The domain name is required and must be unique.


    Domain names cannot be changed after they are created.

  5. Click Create Domain. Once the domain is successfully created, a confirmation message appears.


Each newly created domain is immediately usable.

The first time the domain is accessed, sign in using an administrator user account. For more information, see Access Management.

Domain membership

Entities that can be part of a FactoryTalk Remote Access domain are:

  • User accounts

    User accounts are the individual users that sign in to FactoryTalk Hub, use the FactoryTalk Remote Access domain, and access remote machines. Each user is authenticated before entering the domain of the organization. Users must have been invited to join the FactoryTalk Remote Access domain to access the service. See Add user accounts.

  • Groups

    A group is used to efficiently assign permissions to multiple user accounts. You create the groups according to the types of user accounts in your organization. Common categories for groups are roles and regions. FactoryTalk Remote Access provides the Admin, Contributor, and Owner groups by default in each domain.


    A user account can belong to multiple groups.

  • Remote Device

    A remote device is the Stratix 4300 Remote Access router.

  • Folders

    A folder is a container of objects, such as devices, firewall policies, and groups. Like folders and documents on your computer, you can organize objects in different folders. Folders can be added as needed.


    Once an object is placed in a folder, it can be moved to another folder, but it cannot be in multiple folders simultaneously.

  • Permissions

    Permissions are rules applied to user accounts that allow or deny them access to folders and devices.

  • Firewall policies

    Firewall policies are rules applied to VPN packets that control whether certain protocols, ports, and IP addresses are allowed or denied access to devices. Firewall policies must first be imported or defined. They are then applied either to a folder, which applies the policy to all devices in the folder, or directly to a single device. The firewall policies applied are defined according to the user account, so different user accounts can be assigned different policies.

Domain connectivity

The basic requirement for FactoryTalk Remote Access to function is a working internet connection.

FactoryTalk Remote Access uses outgoing connections, which are allowed by most firewall systems.

FactoryTalk Remote Access acts as a “client” of the FactoryTalk Remote Access Cloud Infrastructure, which accepts incoming connections.

FactoryTalk Remote Access must have at least one of the following TCP ports open to connect to the FactoryTalk Remote Access Cloud Infrastructure:

  • 80

  • 443

  • 5935

After a scan of the available ports, the first open port is used to connect clients to the FactoryTalk Remote Access servers. After that, an end-to-end connection between the remote device and FactoryTalk Remote Access is established.


All FactoryTalk Remote Access connections, regardless of the port used, are made using the secure SSL/TLS protocol to help ensure safer information exchange over the internet. The use of the SSL/TLS protocol allows FactoryTalk Remote Access to verify the identity of the FactoryTalk Remote Access Server and then to protect the confidentiality of the information exchanged with the server and the remote device.
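
A pre-deployment check for the outbound port requirement above, as an added example that is not Rockwell Automation code: it probes the three listed TCP ports from the PC and reports the first one that accepts a connection, distinguishing a silent drop from an active refusal. The host name is a placeholder to replace with your service endpoint, probing in the listed order is an assumption, and only TCP reachability is tested, not the TLS session.

```python
import socket
import sys

# Ports listed on this page; probing them in this order is an assumption.
REQUIRED_PORTS = (80, 443, 5935)


def probe_port(host, port, timeout=3.0):
    """Try one outbound TCP connection; return (is_open, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "open"
    except socket.timeout:
        # No answer at all usually means an egress firewall drops the packets.
        return False, "timeout (likely dropped by an egress firewall)"
    except ConnectionRefusedError:
        # An explicit reset: the path works but the port is rejected or closed.
        return False, "refused (rejected by a firewall or nothing listening)"
    except OSError as exc:
        # DNS failure, no route, and similar local network problems.
        return False, f"error: {exc}"


def scan_outbound(host, ports=REQUIRED_PORTS, timeout=3.0):
    """Probe every port; return (first_open_port_or_None, {port: reason})."""
    results = {}
    first_open = None
    for port in ports:
        is_open, reason = probe_port(host, port, timeout)
        results[port] = reason
        if is_open and first_open is None:
            first_open = port
    return first_open, results


if __name__ == "__main__":
    # Placeholder host name (hypothetical); pass your real endpoint as argv[1].
    host = sys.argv[1] if len(sys.argv) > 1 else "remote-access.example.invalid"
    first, results = scan_outbound(host)
    for port, reason in results.items():
        print(f"{host}:{port} -> {reason}")
    if first is None:
        print("No required port is reachable; open at least one outbound.")
        sys.exit(1)
    print(f"First open port: {first}")
```
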

Next, configure the Stratix 4300 Remote Access Router. See Stratix 4300 Remote Access Router Configuration.