C-more Remote HMI with Agilicus Zero Trust


The C-more HMI Panel by Automation Direct is a user-friendly, touch-screen interface designed for controlling and monitoring industrial automation systems. By combining Agilicus AnyX with the existing remote access capabilities, C-more HMIs are secured with Zero-Trust access to enhance efficiency and flexibility in a wide range of applications, from manufacturing to process automation.

Using one C-more Remote HMI application as a launcher for all HMIs

The C-more Remote HMI Windows software is a lightweight, functional executable that allows users to remotely access and control C-more HMI panels from a Windows PC. Typically downloaded directly from the HMI panel itself, this executable is customized for each remote HMI, with the panel’s IP address and port information embedded in the filename. This ensures a quick and direct connection to the specific HMI upon launch, simplifying remote monitoring and control.

The HMI web server is usually pre-configured with a set of IP addresses assigned to its built-in Ethernet adapter for both local and remote connections at the site where it is deployed. This configuration assumes inbound firewall traversal through port-forwarding and requires the operator to know the network topology in order to provision the Remote HMI software properly. These IP addresses are often referred to in the product documentation as %IP1% and %IP2%.

The Remote HMI downloadable application from the panel is named after the %IPx% address fields configured.

For example, if the C-More configuration for %IP2% is IP address 172.17.10.2, the downloaded executable filename would be “RemoteHMI_IP=[172.17.10.2_11102].exe”

This approach streamlines deployment and execution of the viewer application. However, when an operator requires multiple panel views, a separate executable file is required for each panel's remote IP address. This can result in many duplicate copies of the same Remote HMI viewer app, each with a different filename. This approach also assumes either VPN or port-forwarding capability on the remote network. It also limits the simultaneous use of Remote HMI clients when the remote C-more panels have duplicate or overlapping IP address space across multiple sites: the operator must either control the remote VPN connectivity carefully to ensure the correct site is being routed, or map different TCP ports in the firewall/router port-forwarding configurations.

Configuring AnyX Launcher and simplifying deployment

The use of the Agilicus AnyX application launcher vastly simplifies the deployment of the C-more Remote HMI application while enhancing security:

  • Single Remote HMI Windows executable installation to accommodate all remote panels across all sites
  • Individual launcher shortcut for each panel labeled by name
  • No VPN, No Firewall and Port-Forwarding Configuration
  • Enhanced Security with Identity-based authentication and Multi-Factor Authentication
  • Specific Resource exposure without network access

In this guide we will:

  • Create and configure a Network Resource for the HMI Panel IP address
  • Create an Application Launcher for the Remote HMI client executable
  • Associate the Network Resource with a Dummy IP to the Application Launcher
  • Grant permission to user or group to use the Launcher
  • Deploy the C-more executable on the local workstation

Creating Network Resources

We will create a Network Resource in the Agilicus AnyX Administration interface for each panel we wish to view.

We create a network resource named after the HMI panel network information. In this configuration, we will make use of the AnyX “Override IP” in order to simplify the use of the C-more application. The “Override IP” enables the connector to rewrite the destination IP address. This means that, regardless of the IP address the C-more HMI client attempts to connect to, the connector will steer the traffic to the “Override IP” address. This approach unlocks the ability to use a ‘Dummy IP’ address in both the C-more HMI client and the Network Resource, and then rewrite it to the intended destination. The advantage of this feature, as we’ll describe below, is that a single executable file of the C-more HMI client can be used, and the Agilicus AnyX connector will correctly steer the traffic to the intended panel.

First, we configure the Network Resource by selecting the appropriate Connector through which the C-more HMI panel can be reached on the LAN.

We then create the addressable resource by assigning it a meaningful name. Here, as an example, we wish to reach panel #44.

In the next step, we introduce the ‘Dummy IP’ address, as well as the ‘Override IP’ address of the actual panel. In this example, we pick the ‘Dummy IP’ address of 123.123.123.123, and we intend to reach the HMI panel on the local LAN at the IP address 172.17.10.2 (note: this should match the %IP1% address defined in the C-more panel configuration). We will use the default TCP port 11102.

Configuring the Application Launcher

In order to create the appropriate launcher, we will define the path of the C-more HMI client software locally on the workstation to be used, and associate the Network Resource specific to this launcher icon. This will create a desktop launch icon with the Launcher Name, and use a single executable for all subsequent launchers created for each panel.

Create launcher name and executable path:

Here we choose to name the launcher after the Panel and Plant location example we’ve used in this write up. This will be the name associated with the Launcher icon on the desktop.

For the command path, we specify the path to the executable file for the C-more Remote HMI. A previously downloaded client file can be used. We specifically rename the file to contain the previously defined ‘Dummy IP’ address and the TCP port used. You can rename an existing file, as long as you preserve the syntax [x.x.x.x_Port].exe.

We then associate the launcher with the Network Resource previously configured for the desired HMI panel.

We then enable the launcher DNS and Interception feature.

A final review of the launcher parameters can then be applied.

Installing the C-more Remote HMI client

In order for the launcher to execute properly, the application path and filename must match the one configured in the Agilicus AnyX configuration, and a Resource Permission must be assigned to the Identity or Group the user belongs to.

In this case, we specified a command path of: C:\cmore\RemoteHMI_IP=[123.123.123.123_11102].exe

The location of the executable can vary based on deployment requirements, and the use of local expansion variables such as %appdata% can also be employed. Ensure that the executable filename contains the ‘Dummy IP’ address as it is used by the C-more client software itself as a configuration parameter at startup.
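One way to script this deployment step in PowerShell, as an added example that is not Agilicus or AutomationDirect code. The source download location is an assumed placeholder; the target folder, ‘Dummy IP’ and port are the values used in this write-up.

```powershell
# Added example: stage the C-more client under the 'Dummy IP' filename.
# $Source is a hypothetical download location; the other defaults are the
# values used in this write-up.
param(
    [string]$Source    = "$env:USERPROFILE\Downloads\RemoteHMI_IP=[172.17.10.2_11102].exe",
    [string]$TargetDir = 'C:\cmore',
    [string]$DummyIp   = '123.123.123.123',
    [int]$Port         = 11102
)
$ErrorActionPreference = 'Stop'

# The client reads its destination from the filename, so the syntax must be exact.
$NamePattern = '^RemoteHMI_IP=\[(?<ip>\d{1,3}(\.\d{1,3}){3})_(?<port>\d{1,5})\]\.exe$'

function Test-RemoteHmiName {
    param([string]$Name)
    if (-not ($Name -match $NamePattern)) { return $false }
    $portNum  = [int]$Matches['port']
    $octetsOk = -not ($Matches['ip'].Split('.') | Where-Object { [int]$_ -gt 255 })
    return ($octetsOk -and $portNum -ge 1 -and $portNum -le 65535)
}

$targetName = 'RemoteHMI_IP=[{0}_{1}].exe' -f $DummyIp, $Port
$target     = [System.IO.Path]::Combine($TargetDir, $targetName)

if (-not (Test-RemoteHmiName ([System.IO.Path]::GetFileName($Source)))) {
    throw "Source is not a Remote HMI client filename: $Source"
}
if (-not (Test-RemoteHmiName $targetName)) {
    throw "Dummy IP or port is not valid: $targetName"
}

# '[' and ']' are wildcard characters for -Path, so every cmdlet call below
# uses -LiteralPath; the copy itself goes through .NET, which never globs.
if (-not (Test-Path -LiteralPath $Source -PathType Leaf)) { throw "Not found: $Source" }
New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null
[System.IO.File]::Copy($Source, $target, $true)

# Confirm the staged copy is byte-identical to the downloaded client.
$srcHash = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
$dstHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) { throw "Staged copy differs from source" }

# This string must match the launcher's command path in AnyX exactly.
"Launcher command path: $target"
```

The square brackets in the filename are the reason for `-LiteralPath`: with the default `-Path` parameter, PowerShell interprets them as a wildcard character class and a check such as `Test-Path` can report the file as missing even though it exists.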

Launching the C-more Remote HMI client

After a resource refresh is done on the user workstation, the launcher will appear with the proper application icon as well as label, in this case: Plant-A_Panel-44.

When executing the launcher, the C-More Remote HMI client will establish a connection to the desired panel defined in the ‘Override IP’ in the Agilicus AnyX configuration and %IP1% in the C-more Remote Access configuration, in this example, 172.17.10.2.

These steps can be repeated to generate a launcher icon for each panel in the system, across all sites covered by the Agilicus AnyX connectors. The same single executable with the ‘Dummy IP’ address is used, and each instance will connect to the intended remote panel defined
