Is OMI Web 2023R2 still configurable behind a reverse proxy? Nothing found in documentation

Hello,

Is it possible to configure OMI Web 2023 R2 behind a reverse proxy as it was with OMI Web 2023?

What is the new procedure if possible?

Thanks and regards,

Mathieu

  • At this time, that is not something that we have investigated or worked on. Our first priority was to get the OMI web server released on the new technology. Next up, we will start to close the parity gaps in order of priority. This will probably be something that we look at as part of that effort. Can you explain the use case a little (paying particular attention to security)?

  • Ok thanks Ernst. That's clear.

    The goal would be to provide OMI Web outside the production network by passing through a reverse proxy (as it is possible with InTouch and as it was with OMI Web 2023).

  • I need a little more than that, I am sorry :)
    I am after the "Why". Do you intend to have end users do control from the internet? Or from the Business Network? Or is it just a visualisation? Who is the target audience? Operators on mobile devices? Or managers on browsers etc. How would a real end-user want to use this capability?

  • Hi
    I have an example from our existing customer. They have separate IT and OT networks with their respective Active Directories. In between the IT and OT networks is a DMZ network hosting a reverse proxy. Through this reverse proxy, end users from the IT network access OT resources (Historian Client Web, InTouch Access Anywhere, InTouch Web Server...), while OT users access IT resources (CMMS, GIS, custom web apps, PI Vision...) which are incorporated into InTouch OMI. In this particular instance, end users on the business side need only visualisation, both for managers using desktop browsers, and operators on mobile devices as they only have access to the IT network from their devices. These operators have the task of visiting remote assets and comparing sensor readings visible in OMI with separate analog device readings and noting the difference in a custom IT system resembling Mobile Operator.

  • Thank you very much Nenad! This is indeed the use case that we find interesting too and we are already investigating how to do this in the best, most secure way possible. This is definitely a use case that I would want to support in the future, having end-users be able to access OMI web clients from the IT network across a DMZ.

    It is different from exposing OMI directly to the Internet, however. I am still not convinced that OMI web client on an on premises web server should ever be exposed to the broad internet for SCADA applications...