OEM needs access to the PLC from outside the plant, and the end-user IT guys have a "standard practice" for allowing remote equipment into their network - to do port forwarding on their external ip address.

This seems like a bad idea - leaving the machine connected directly to the internet. Is it possible for the IT to forward that port only from connections from the OEM's home office static IP? And ignore connection requests to that port from everywhere else?

Also, on a side note, they are wanting the OEM to change the static IP of the PLC and HMI to match their internal subnet 10.9.8.xxx with a subnet mask of 255.255.255.0. Is this even necessary? The PLC and HMI are already set to static IPs of 192.168.3.xxx, shouldn't their IT guys be able to setup the forwarding to those addresses as long as their not in use inside their network?

(I am aware of remote VPN solutions like Ewon, but for the sake of this post lets assume that's not feasible)

 

Investigate Route1.com... MobiKEY - remote access made easy... secure... their IT peeps will like it... you won't get to the PLC directly - which is good.. because you DO NOT want or need the PLC connected on an open port for any reason.. asking for trouble. Written columns on remote access.. see controldesign.com

Cheers from: Jeremy Pollard, CET The Caring Canuckian!
Crisis, necessity, change