Sample: Schneider Electric Control Expert

Overview

Schneider Electric’s Control Expert software interoperates with the Agilicus Launcher to provide seamless, authenticated, secure remote PLC operation and configuration.

The only communication mode currently supported is TCP/IP (not USB or serial).

The example below was tested with EcoStruxure Control Expert V15.0 on Windows 10.

The Control Expert software can be run inside a VM if desired.

Theory of Operation and Data Flow

A PLC is located at a remote site. The site has no inbound access and no VPN available. It may be behind a cellular or satellite modem, or it may have a restrictive firewall.

An Agilicus Connector is installed at this location such that the connector can reach the PLC on TCP port 502 (Modbus). The Connector must also be able to reach out to the Agilicus AnyX infrastructure on port 443.

On the user’s desktop, the Agilicus Launcher is installed. When the user selects the ‘Control Expert’ icon from their desktop start menu, or selects the icon from the Agilicus Profile, the network activity of the Control Expert software is transparently intercepted and tunneled to the PLC.

Authentication (and multi-factor authentication) is performed via a browser which may appear if the user is not signed in.

Unlike a VPN-style connection:

  • no PLCs (nor any other network resources) other than the granted one can be accessed
  • no need to change local IP addressing in case of overlap
  • multiple sites and PLCs can be used simultaneously
  • no reverse-path network traffic is allowed
  • no inbound connectivity to the remote site is required

The PLC Modbus traffic is tunneled over HTTPS, over WebSocket, end-to-end encrypted from the User’s PC to the Agilicus Connector in the remote site.

Configuration and Setup

There are 4 basic steps:

  1. Create a Network Resource for the PLC
  2. Create a Launcher
  3. Set user permissions
  4. Install Launcher on Desktop

Create Network Resource (PLC)

We will create a ‘network resource’; this acts as the endpoint of the PLC. It has a name (example-plc below) and the IP/port of the actual PLC (as reachable by the connector on site). Later, in the Control Expert software, we will refer to this IP (even though it is not locally reachable).

Create Launcher

Now we will create a Launcher resource. This models the executable on the user’s PC, taking the executable path and the network resources to encapsulate as arguments. If you have PLCs on multiple sites with multiple connectors, associate them all here.

NOTE: there is an interoperability issue between the Control Expert ‘RatSrv.exe’ and the instructions above. In some cases the Agilicus Interceptor does not see the RatSrv.exe startup. The workaround is simple:

1. Create a file ‘schneider-control.cmd’ with the following contents:

    rem Stop any RatSrv.exe that started before the Agilicus Interceptor was active
    taskkill /im RatSrv.exe
    rem Restart it so the Interceptor observes its startup
    start "" "C:\Program Files (x86)\Common Files\Schneider Electric Shared\RAT\RatSrv.exe"
    rem Now launch Control Expert itself
    "C:\Program Files (x86)\Schneider Electric\Control Expert 15.0\ControlExpert.exe"

2. In the Create Launcher step above, instead of “C:\Program Files (x86)\Schneider Electric\Control Expert 15.0\ControlExpert.exe”, use the full path to the ‘schneider-control.cmd’ file you have created.
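The same workaround as a PowerShell script that verifies each step rather than assuming it succeeded; this is an added example, not Agilicus or Schneider Electric code, and the two executable paths are assumed to be the ones given on this page.

```powershell
# Added example: robust form of the schneider-control.cmd workaround.
# Assumed install paths (those quoted on this page); adjust for your version.
$RatSrv        = 'C:\Program Files (x86)\Common Files\Schneider Electric Shared\RAT\RatSrv.exe'
$ControlExpert = 'C:\Program Files (x86)\Schneider Electric\Control Expert 15.0\ControlExpert.exe'

foreach ($exe in @($RatSrv, $ControlExpert)) {
    if (-not (Test-Path -LiteralPath $exe)) { throw "Not found: $exe" }
}

# 1. Stop any RatSrv.exe that started before the Launcher's interceptor was active,
#    and confirm it is really gone before continuing.
$old = Get-Process -Name 'RatSrv' -ErrorAction SilentlyContinue
if ($old) {
    $old | Stop-Process -Force
    $old | Wait-Process -Timeout 15 -ErrorAction SilentlyContinue
    if (Get-Process -Name 'RatSrv' -ErrorAction SilentlyContinue) {
        throw 'RatSrv.exe did not exit; aborting so Control Expert is not started unintercepted'
    }
}

# 2. Start RatSrv.exe now, so the interceptor observes its startup and can tunnel it.
$rat = Start-Process -FilePath $RatSrv -PassThru
Start-Sleep -Seconds 2
if ($rat.HasExited) { throw "RatSrv.exe exited immediately (exit code $($rat.ExitCode))" }

# 3. Launch Control Expert and block until it closes, as the .cmd version does.
Start-Process -FilePath $ControlExpert -Wait
```

The Launcher still needs an executable path, so point it at a small .cmd wrapper that runs `powershell.exe -File` on this script.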

Assign Permissions

In the screenshots above under ‘Create Launcher’, we assigned initial permissions. (Note: we recommend using groups to assign permissions since it simplifies configuration. For example, create a group called PLC-Admins, assign the users to it once, and then assign the PLC access permissions to the group. For more information, see “Using Groups for Assigning Role-Based Permissions”.)

Install Launcher

On the PC with Control Expert installed, we will install the Agilicus Launcher. Refer to “Agilicus Launcher: Browser Desktop Integration”. This is done from a browser on that PC opened to https://profile.YOURDOMAIN.

Once the launcher is installed on this machine, we will see a ‘demo-plc’ icon on the start menu (and also in the profile web interface if the browser extension is installed).

At this stage, the user can open Control Expert, either via the profile web interface or the desktop start menu. It will automatically be able to connect to the IP address of the PLC given above in the Network Resource (even though that IP is not reachable from this machine).
