Remote Access

Industrial Edge devices can be controlled through a remote connection, including a connection created from outside their defined security perimeter.

If you click on Enable remote access, a remote connection is established from the Industrial Edge device to the Industrial Edge Management system. A success message confirms that the remote connection setup process has started. You can monitor the job status in the job overview window.

Once the remote connection is established successfully, you can start the remote session by clicking on Remote connect. This opens a new browser tab and displays the login page for the Industrial Edge device. The default time for remote access is 2 hours.

You can enable remote access for many devices, but you can connect remotely to only one device at a time in the same browser. To access two devices at the same time, use another browser or incognito mode. If you connect remotely to one device while another session is open, a warning is displayed.

You can disable remote access at any time by clicking on Disable remote access. A confirmation dialog appears to prevent accidental disabling.

With remote access enabled, if a K8s IEM becomes inaccessible, it can take up to 7 minutes to connect through remote access once IEM is connected to the IE Device. With remote access enabled, if a non-K8s IEM becomes inaccessible, it can take up to 15 minutes to connect through remote access once IEM is connected to the IE Device.

NOTICE

To ensure data integrity and authenticity in line with the Cyber Resilience Act (CRA) and the NIS2 Directive, IEM proactively terminates active remote connections if it detects an IP address change or a device reboot. This measure is important because an IP change can indicate an unauthorized network alteration or a potential Man-in-the-Middle (MITM) attack. A device reboot resets the operational state of the device. Re-establishing a connection therefore requires a complete re-verification of both the device identity and its current secure operational state. This minimizes the attack surface and supports robust session management.
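The termination rule in the notice above, sketched as an added example (not Siemens code and not the IEM implementation): a session is bound to the IP address and boot state verified at connection time, and it ends when either changes or the 2-hour default window lapses. The `boot_id` field, the function names and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Default remote access time stated on this page.
DEFAULT_ACCESS_WINDOW = timedelta(hours=2)


@dataclass
class RemoteSession:
    device_id: str
    bound_ip: str        # device IP observed when the session was verified
    bound_boot_id: str   # hypothetical per-boot identifier reported by the device
    started: datetime
    active: bool = True
    end_reason: Optional[str] = None


def establish(device_id: str, ip: str, boot_id: str, now: datetime) -> RemoteSession:
    """Bind a new session to the state that was verified at connection time."""
    return RemoteSession(device_id, ip, boot_id, now)


def check_heartbeat(session: RemoteSession, ip: str, boot_id: str,
                    now: datetime) -> Optional[str]:
    """Return None if the session may continue, else terminate it and return why."""
    if not session.active:
        return session.end_reason      # a terminated session never resumes
    if now - session.started >= DEFAULT_ACCESS_WINDOW:
        reason = "access window expired"
    elif boot_id != session.bound_boot_id:
        reason = "device rebooted"     # operational state was reset
    elif ip != session.bound_ip:
        reason = "ip address changed"  # possible network alteration or MITM
    else:
        return None
    session.active = False
    session.end_reason = reason
    return reason


if __name__ == "__main__":
    # Constructed sample: documentation-range IPs and made-up boot identifiers.
    t0 = datetime(2024, 1, 1, 8, 0)
    s = establish("ied-01", "192.0.2.10", "boot-a", t0)
    print(check_heartbeat(s, "192.0.2.10", "boot-a", t0 + timedelta(minutes=30)))
    print(check_heartbeat(s, "192.0.2.99", "boot-a", t0 + timedelta(minutes=31)))
```

Once a session is terminated, the only way back is a fresh `establish` call, which stands in for the complete re-verification the notice requires.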

Next-generation firewalls (NGFWs)

Remote access to Industrial Edge Devices is established through a WebSocket connection with an overlay SSH channel. This enables secure communication and remote management of devices. Next-generation firewalls (NGFWs) can detect and inspect this traffic and may block it based on protocol identification and security policies. If you use an NGFW, ensure that a TCP profile is used for this traffic to allow direct tunneling. If an SSL profile is applied, ensure that SSH traffic is explicitly allowed within the profile. Ensure that WebSocket traffic is permitted to avoid disconnection issues. Review firewall logs to verify whether the traffic is being blocked. Adjust the settings accordingly to prevent interference with remote access functionality.