Our client builds machines with an Ewon Flexy inside for remote access for maintenance. As such, end-users are not allowed access to the Talk2M account and therefore the VPN, as that would allow them access to all the machines our client has in the field.
However, our clients' clients are all requesting more and more data from the machines to improve their production process. Downloading this data from the machine by hand quickly becomes a tiring process and therefore we'd like to implement a more automated solution.
The situation now is as follows:
We have an industrial PC in the machine network running an OPC UA server and an FTP server. A generic PC is connected to the WAN side of the Ewon through the internal company network.
The setup that has our client's preference is one where we allow traffic through the proxy to the FTP and/or OPC UA server from only a single IP address inside the company network, AKA a whitelist. I am aware that this is vulnerable to IP spoofing, but as there should be additional defenses between the company network and the internet this probably is a reduced risk.
Is there any way to set this up? Or are there any other ways to achieve this?
Is it maybe possible to split access to a single machine vpn off so the clients’ client can only access that specific vpn or multiple in case he owns multiple?
In the latter it is very important the clients' client has no chance of gaining access to a different Ewon, as they are competing businesses and one of them gaining access to the other's machines would be very bad.
My personal preference is to open the ports for both servers through the proxy and secure them by means of login and password and/or trusted certificates. However, the client finds it too expensive or too much of a hassle to set this up.
I would really love to hear some opinions or pointers on this subject!
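To make the trade-off in the post concrete, here is an added example (not Ewon, Talk2M or the poster's code) of the access decision a proxy in front of the FTP/OPC UA endpoints would need to make. It models both options side by side: the source-IP whitelist on its own, and the whitelist combined with a per-tenant credential so that one customer can never be routed to another customer's machine. Every machine name, owner, address, port and secret is constructed for the example; a real deployment would bind tenants to client certificates rather than the SHA-256 shared-secret stand-in used here.

```python
"""Access-policy check for per-machine FTP / OPC UA endpoints behind a proxy.

Added example, not Ewon/Talk2M configuration. All identifiers below are constructed.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

FTP_PORT = 21
OPCUA_PORT = 4840


@dataclass
class Machine:
    name: str
    owner: str              # the tenant (client's client) who may reach this machine
    allowed_sources: list   # ipaddress networks permitted to connect
    services: set           # ports the proxy exposes for this machine


@dataclass
class Policy:
    machines: dict          # machine name -> Machine
    credentials: dict       # owner -> sha256(shared secret); constructed stand-in for certs


def build_policy():
    """Two machines owned by two competing tenants (constructed sample data)."""
    return Policy(
        machines={
            "press-01": Machine("press-01", "acme",
                                [ipaddress.ip_network("10.20.0.5/32")],
                                {FTP_PORT, OPCUA_PORT}),
            "press-02": Machine("press-02", "globex",
                                [ipaddress.ip_network("10.30.0.7/32")],
                                {OPCUA_PORT}),
        },
        credentials={
            "acme": hashlib.sha256(b"acme-secret").digest(),
            "globex": hashlib.sha256(b"globex-secret").digest(),
        },
    )


def _credential_ok(policy, owner, secret):
    """Constant-time comparison of the presented secret against the stored digest."""
    expected = policy.credentials.get(owner)
    if expected is None or secret is None:
        return False
    return hmac.compare_digest(expected, hashlib.sha256(secret.encode()).digest())


def evaluate(policy, src_ip, machine, port, owner=None, secret=None, require_auth=True):
    """Decide whether one connection attempt may be proxied.

    Returns (allowed, reason). With require_auth=False the decision rests on the
    source address alone, i.e. the whitelist-only setup from the post.
    """
    m = policy.machines.get(machine)
    if m is None:
        return False, "unknown machine"
    if port not in m.services:
        return False, "port not exposed for this machine"
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in m.allowed_sources):
        return False, "source address not on whitelist"
    if not require_auth:
        return True, "whitelist only (no proof of identity)"
    # Tenant binding: a valid credential for tenant A must never open tenant B's machine.
    if owner != m.owner:
        return False, "tenant mismatch"
    if not _credential_ok(policy, owner, secret):
        return False, "bad credential"
    return True, "whitelist and credential"


if __name__ == "__main__":
    p = build_policy()
    print(evaluate(p, "10.20.0.5", "press-01", OPCUA_PORT, "acme", "acme-secret"))
    print(evaluate(p, "10.20.0.5", "press-01", OPCUA_PORT, "globex", "globex-secret"))
    print(evaluate(p, "10.20.0.5", "press-01", FTP_PORT, require_auth=False))
```

The `tenant mismatch` branch is the check that addresses the competing-customers concern: even a correct credential for one tenant, arriving from a whitelisted address, is refused for a machine that tenant does not own, and that denial is the event worth alerting on.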