Remote Services: Basic Login Connections¶
Within this section we define Device-specific Protocol Applications needed for assigning Remote Login tunneling to Devices. Next, we outline how to install a RS Service Endpoint for terminating network-to-network tunnels on a user's PC. Then we register Devices as Service Devices and install a RS Device Endpoint on them for terminating network-to-network tunnels on these Devices. In a next step, we assign predefined Protocol Applications for Remote Login to Devices located in primary Device Networks. We then launch such a Remote Login and activate permissions so that remote access cannot be established without the responsible Site Owner's consent. Finally, we outline related operational requirements.
Note
- The setup and configuration of this documentation's reference tenant, its users, Sites and Devices can be found in chapter Sample Setup Used in Documentation.
- The product structure and the protocol routing capabilities of the individual optional capability packages are described in chapter Product Structure and Procurement.
Please observe the chapter on requirements for transmitting IP-based Remote Login protocols with Remote Services outlined at the end of this section.
Example: Create Protocol Application for Remote Login via VNC¶
Administrators create Protocol Applications and add these templates to a tenant-wide catalog. Other users may then pull pre-defined Protocol Applications from this catalog and assign one or many of them to a target Device located in a Device Network. In RS V2, select the blue box icon in the top left corner to open the Protocol Application menu with the Protocol Hub.
The RS Protocol Hub allows for creation and assignment of Protocol Applications. All Protocol Applications are tagged according to the functional RS use case they might belong to. Select the VNC template.
We assign the new Protocol Application with the name VNC login Europe and use a default port, which is meant for connecting to European devices via VNC-based remote login. Press "Save".
Afterwards, the new Protocol Application is listed in the catalog of pre-defined Protocol Applications. It may be assigned to Devices in a subsequent step.
Example: User Downloads Service Endpoint onto PC in Service Network¶
RS provides a Service Endpoint for download. It must be installed on the "Access Device" (e.g. a PC) located in a Service Network. By doing so, you enable encrypted protocol routing between your "Access Device" and RS hosted on Siemens cloud, so that RS can forward such encrypted traffic to Device Networks.
For instance, if a technician named User Europe wants to perform remote service or maintenance on a Device located in another network, then he or she has to install such a Service Endpoint on their PC.
Download of Service Endpoint (formerly known as Operator Client) is done by users with the role of Remote User after pressing the blue home button in the top left corner of RS UI V.2. The right side of the screen shows a box named "Service Endpoint" - please press the "Download" button.
Now please specify the target operating system (Windows® or Linux®) on which the Service Endpoint will be deployed by first selecting the associated tile. Then you may select the respective OS version by means of the displayed radio buttons.
Download of Service Endpoints is subject to export control and regulation (ECC). Please tick the associated check box and read and accept the displayed terms & conditions before the download of the related ZIP archive will proceed.
Please expand the ZIP containing the Service Endpoint after download. Then the related files become visible in the underlying system's Operating System. The Service Endpoint's executable is called "RS-client".
Example: Onboard a Device to RS as a Service Device¶
Open the Device Tree via the blue hexagon in the top left corner of RS V.2 and navigate to a Site - here: Munich. Then select "Create Device" in the top right corner.
Fill in the required fields such as Device name, whether it is located in a primary or secondary network and so forth. When done, press "Save".
By doing so, your Device becomes a Service Device, and it shows up in the Device Tree. You may edit or even delete it via the buttons in the top right corner. In a next step, please assign a Protocol Application to your Device.
Example: Download Device Endpoint onto Device in Device Network¶
RS provides a Device Endpoint for download. It must be installed by administrative users on a Device in the primary network of a remote Device Network. That enables encrypted protocol routing between that Device and RS, so that RS can forward such encrypted traffic to further Service Networks.
Note
Configuration of Device Endpoints as gateways into secondary Device Networks is outlined in section Advanced connections.
This download functionality is available both in RS UI V1 and V2. This example uses V2. Please select an already registered Device from your device tree to display the Device's information page. Then press the download button in the top right corner.
Now please specify the target operating system (Windows® or Linux®) on which the Device Endpoint will be deployed by first selecting the associated tile. Then you may select the respective OS version by means of the displayed radio buttons.
Download of Device Endpoints is subject to export control and regulation (ECC). Please tick the associated check box and read and accept the displayed terms & conditions before the download of the related ZIP archive will proceed.
Please expand the ZIP containing the Device Endpoint after download. Then the related files become visible in the underlying device's Operating System. The Service Endpoint's executable is called "RS-client".
Note
For further information on the Device Endpoint as a Container or as an app for Industrial Edge Devices (IED), please refer to chapter Appendix for Experts.
Example: Assign Protocol Application for VNC to a Device¶
Connecting to a Device in a Service Network demands specification of the IP-based protocol that shall be used for doing so. In this example we assume that a user with site admin rights and named Owner Munich pulls a VNC Protocol Application from the catalog of administrator-defined Protocol Applications and then assigns it to an already registered target Device named IPC m01.
In the beginning, the Device does not have any Protocol Application associated with it. Please use the button "Assign Protocol Application" for doing so.
Next, the catalog of available Protocol Applications will be displayed. Use the blue button next to VNC login Europe to assign this protocol to the device.
The Device has now been assigned the VNC protocol.
The VNC login Europe is now listed in the Device properties. It may be connected via the blue "chain" button next to it.
Example: Launch Service Endpoint and Establish VNC to a Device¶
Now a remote maintenance expert named User Europe and thus having the RS role of Remote User wants to connect from his/her PC, which must already run a Service Endpoint, to device IPC m01 using the previously assigned Protocol Application registered as VNC login Europe.
In the beginning, the connection is available and marked in orange. Select the blue "chain" button to trigger launching an end-to-end connection between the RS endpoints in the Service Network and the Device Network respectively.
Please provide the connection details regarding the remote host.
The VNC server on the target device will prompt you for credentials.
Once these are provided the VNC remote screen pops up.
Example: Activate Permission Mechanism for Protocol Applications¶
For remote access there are two key use cases:
- trusted environment, where users may launch or terminate connections to Devices anytime,
- managed environment, where users may launch or terminate connections only with the consent of the Site Owner responsible for the targeted Device.
RS allows Protocol Applications to be configured such that the responsible Site Owner must grant a remote user's access request before that user may establish a connection. This permission mechanism is activated by ticking the box Permission Required, as indicated here for SSH to PC.
The catalog of Protocol Applications indicates that the permission mechanism is activated for SSH to PC.
When a RS user with the role Remote User tries to connect to the associated target Device HMI i01 via SSH to PC, he or she has to click the question mark icon, which replaces the connection icon known from other Protocol Applications. After doing so, a reason for the connection request should be provided before pressing "Request Permission".
The Device information page indicates a pending connection request.
The Remote User may check the status of connection requests via the blue question mark icon in the top left corner.
There are different categories with pending, granted and completed requests. If needed, pending requests may be deleted by means of the trash icon.
In this situation the responsible Site Owner of the Site to which the Device HMI i01 belongs must also be connected to RS. He/she also uses the blue question mark icon in the top left corner of RS V.2 to open the permission request view.
The Site Owner's view of pending requests displays the one issued by our sample Remote User a few steps above. The Site Owner may approve or reject the connection request with the blue and red buttons to the right.
For either decision a comment should be entered.
In a next step the Remote User may now establish the approved connection SSH to PC.
Eventually, the SSH to PC connection becomes established.
If needed, the Site Owner may terminate granted connections anytime by entering the view of granted requests and pressing the red termination button to the right. A reason for doing so should be entered to inform the connected Remote User accordingly.
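The request/approve/terminate workflow described in this example can be summarised as a small state model. The following Python code is an added illustration and is not Siemens code or the RS API: the class and method names, the request ids and the sample users, Devices and ports are constructed for this example. It shows the check that matters from a security standpoint: a Protocol Application with Permission Required ticked cannot be launched unless a request for exactly that user, Device and Protocol Application has been granted by the Site Owner responsible for that Device, and a termination by the Site Owner immediately revokes that right.

```python
"""Model of the RS permission-required workflow for Protocol Applications.

Added illustration, not Siemens code: all names and ids are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from itertools import count


class State(Enum):
    PENDING = "pending"
    GRANTED = "granted"
    REJECTED = "rejected"
    TERMINATED = "terminated"


@dataclass(frozen=True)
class ProtocolApplication:
    name: str                   # e.g. "SSH to PC"
    port: int                   # constructed sample port
    permission_required: bool   # the "Permission Required" tick box


@dataclass
class ConnectionRequest:
    request_id: int
    remote_user: str
    device: str
    app: ProtocolApplication
    reason: str                 # entered by the Remote User
    state: State = State.PENDING
    comment: str = ""           # Site Owner's decision or termination note


class PermissionBroker:
    """Enforces that managed-environment connections need Site Owner consent."""

    def __init__(self, site_owner_of_device: dict[str, str]):
        self._owner_of = site_owner_of_device      # Device name -> Site Owner
        self._requests: dict[int, ConnectionRequest] = {}
        self._ids = count(1)

    def request_permission(self, user: str, device: str,
                           app: ProtocolApplication, reason: str) -> ConnectionRequest:
        """Remote User presses "Request Permission" (question mark icon)."""
        if not app.permission_required:
            raise ValueError(f"{app.name} does not use the permission mechanism")
        if not reason.strip():
            raise ValueError("a reason for the connection request is required")
        req = ConnectionRequest(next(self._ids), user, device, app, reason)
        self._requests[req.request_id] = req
        return req

    def pending_for(self, owner: str) -> list[ConnectionRequest]:
        """The Site Owner's view of pending requests for his/her Devices."""
        return [r for r in self._requests.values()
                if r.state is State.PENDING and self._owner_of[r.device] == owner]

    def decide(self, request_id: int, owner: str, approve: bool,
               comment: str) -> ConnectionRequest:
        """Site Owner approves (blue) or rejects (red); a comment is required."""
        req = self._requests[request_id]
        self._check_owner(req, owner)
        if req.state is not State.PENDING:
            raise ValueError(f"request {request_id} is {req.state.value}, not pending")
        if not comment.strip():
            raise ValueError("a comment is required for either decision")
        req.state = State.GRANTED if approve else State.REJECTED
        req.comment = comment
        return req

    def may_connect(self, user: str, device: str, app: ProtocolApplication) -> bool:
        """True if the Remote User may launch this Protocol Application now."""
        if not app.permission_required:
            return True   # trusted environment: connect anytime
        # managed environment: only with a currently granted request that
        # matches this user, this Device and this Protocol Application
        return any(r.state is State.GRANTED and r.remote_user == user
                   and r.device == device and r.app == app
                   for r in self._requests.values())

    def terminate(self, request_id: int, owner: str, reason: str) -> ConnectionRequest:
        """Site Owner terminates a granted connection (red termination button)."""
        req = self._requests[request_id]
        self._check_owner(req, owner)
        if req.state is not State.GRANTED:
            raise ValueError("only granted connections can be terminated")
        if not reason.strip():
            raise ValueError("a termination reason is required")
        req.state = State.TERMINATED
        req.comment = reason
        return req

    def _check_owner(self, req: ConnectionRequest, owner: str) -> None:
        if self._owner_of[req.device] != owner:
            raise PermissionError(f"{owner} is not the Site Owner for {req.device}")
```

The two environments from the list above map onto one flag: a Protocol Application without Permission Required (the VNC login Europe case) passes `may_connect` unconditionally, whereas SSH to PC with the box ticked passes only while a matching request is in the granted state. Rejected and terminated requests keep their comment so that the Remote User can be informed of the reason.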
Requirements for Transmitting IP-based Remote Login Protocols with Remote Services¶
Summary:
- The operating system of a service technician's PC must provide clients for the used outgoing Remote Login protocols (e.g. RDP, VNC), whilst Engineering Tools used remotely on the technician's PC are assumed to have built-in clients for their dedicated engineering protocols.
- The operating system of Devices in Device Networks must provide servers for the incoming Remote Login protocols (e.g. RDP, VNC, SSH) or for the incoming Remote Engineering protocols.
- Native Remote Desktop Protocol (RDP) can only be launched from Windows® based service personnel PCs supporting this Remote Login protocol.