PI system architecture - network design and security

We have a network design where a redundant PI OPC interface is on the DCS network (level 2) and the PI server is on the level 3 network (see picture).

We would like to use Windows integrated security for users using PI datalink. These users are on the business network. To accomplish this, our IT department has suggested to move the PI server to the business network (level 4). Is it recommended to do this? Is it secure to direct PI data directly from the DCS network (level 2) to the PI server on the business network (level 4)?

  • Hi Matthias,

    If the users are in the same domain as the PI server, then integrated security should work when a firewall is enabled between level 4 (users) and level 3 (PI servers), i.e. communication over port 5450 through the firewall.

    If the PI Server is in a different domain from the users, then you will have a problem with Windows integrated security. You can also take advantage of Windows Credential Manager if you don't want to key in the password, but the downside is that you need to maintain the password, and if you have more users it will be a tedious task.


    PI Server works whether it is in Level 3 or Level 4, but looking at your architecture, it looks like a design decision was made to secure the PI server from the business network. I would also request you to check if there are any use cases that have driven this type of deployment, e.g. write-back functionality or output from PI to the DCS system, etc.

  • Hi Lal Babu,

    Thanks for your answer! Indeed level 3 and level 4 have their own domains. I have asked our IT department about using the Windows credential manager but they don't think this is a good solution (I am not sure why). We would only have 10 users by the way.

    The reason the PI server is currently on level 3 is because maintenance by a 3rd party is easier. This level is maintained by the production department. The maintenance by the 3rd party is always done on site.

    If we move the PI server to level 4 we will become more dependent on IT, I guess, but that may not be a show-stopper.

    We also write back from PI to the DCS system, indeed.

  • If you have write-back functionality to the DCS, then moving to Level 4 might not be a good idea. As there are limited users (10), I recommend taking advantage of Windows Credential Manager, which is a less time-consuming task.

    PI Data Archive using Windows Credential Manager

    I'm sharing a reference KB article which will help your IT department with the approach.

    Note: The encryption used by Credential Manager is a proven solution and secure.
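As an added example (not from the KB article or the PI product itself; the hostname PISRV01 and account L3DOMAIN\piuser are placeholders), the two checks the replies above describe, run from a level 4 workstation in PowerShell: is TCP 5450 open through the firewall to the level 3 PI Data Archive, and does a Credential Manager entry for that server exist.

```powershell
# Added example: verify port 5450 reachability and the Credential Manager entry
# for a PI Data Archive in another domain. Names below are placeholders.
$PIServer  = 'PISRV01'           # placeholder: PI Data Archive hostname on level 3
$L3Account = 'L3DOMAIN\piuser'   # placeholder: level 3 domain account mapped to a PI identity in PI SMT

# 1. Firewall check: PI Data Archive listens on TCP 5450, which the level 4 -> level 3
#    firewall must allow for PI DataLink to connect.
$tcp = Test-NetConnection -ComputerName $PIServer -Port 5450
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP 5450 to $PIServer is blocked; request a firewall rule from level 4 to level 3."
    exit 1
}

# 2. Credential Manager check: cmdkey /list:<target> prints 'Target:' lines for stored
#    entries and '* NONE *' when there is none.
$stored = cmdkey /list:$PIServer
if ($stored -match 'Target:') {
    Write-Host "A stored credential for $PIServer already exists; Windows authentication will use it."
} else {
    # /pass with no value prompts for the password interactively, so it never
    # lands on the command line or in shell history.
    cmdkey /add:$PIServer /user:$L3Account /pass
}
```

The stored entry is per Windows user profile, so each of the 10 DataLink users runs this once on their own workstation and repeats it whenever the level 3 password changes.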

  • Thanks, very useful, and easy to understand article!

    Currently, our PI server is still in a workgroup (we are upgrading our systems and the PI server will be part of a domain). Up to now I always used 'PI user authentication' to connect PI DataLink (on a level 4 computer) to the PI Data Archive (on level 3) using a PI user. But I just tried using Windows Authentication and it works even without using the Credential Manager. I was able to log in using a Windows local account which is on the PI server. This account is mapped to a PI identity in PI SMT.

    Is Windows Credential Manager only required if the PI server is in a domain? What credentials need to be typed in, in the 'Connect to PI Data Archive' dialog box, in that case? The level 3 domain credentials?