Manufacturer in Forest Industry Secures Global and Local Access to Sites
Customer
The customer is a manufacturer of fiber products, wood products, molecular bioproducts, and low-emission energy for the forest industry. Their mission is to create value from renewable and recyclable raw materials by synthesizing them with their powerful technology and unrivaled expertise. The customer has 54 sites in 12 countries around the world.
Challenge - Lack of Secure Access to Multiple Sites
The customer lacked a “gatekeeper” solution for facilitating secure and transparent remote access for its trusted automation vendors into its multiple production sites. They were looking for a solution that offered increased granularity and layered security, with the following requirements:
- Support for the following connection protocols: RDP, VNC, SSH, HTTP/HTTPS
- An efficient and reliable approval process for session requests
- Limitations on vendor ability to view other vendor options when requesting access
- Capability for AV-checking files
- PLC access from native client to machine outside of common protocols (e.g. Siemens SIMATIC)
- Capability to allow both internal and external users to access target devices remotely
- Capability for each individual site to manage its own access and approval processes.
Solution - PLC, VNC and network target access
SSH worked very closely with the customer to devise a solution that meets their unique requirements. We helped them understand the required features to achieve their objectives and the potential architecture.
SSH committed to developing features that did not yet exist in the proposed solution: Network Target access (PLC access using the customer's existing VPN infrastructure), plain VNC access, and malware scanning for file uploads and downloads.
Having listened to the customer's objectives, SSH identified the key obstacles and devised features explicitly designed to overcome them and deliver on the wider customer goals. SSH also assisted with the POC deployment.
How does it work?
- PrivX has been deployed in two Azure regions. Region 1 is the master site; Region 2 serves connections closer to its users and targets to avoid latency issues.
- Users connect to the PrivX application via web portal 1, or via web portal 2 when connecting to Region 2.
- PrivX imports users from Azure Active Directory (AD) via the Graph API. Authentication to the PrivX application uses the OpenID Connect protocol, and MFA is enabled in Azure.
- VPN users authenticate against an on-premises AD which is in sync with Entra ID.
- When users connect from the internet, public DNS resolves the PrivX address to the Azure Public Application Gateway. When connecting from within the customer's network, internal DNS resolves the same address to the Azure Internal Application Gateway. Region 2 PrivX is accessed only via a public application gateway.
- Azure Key Vaults are used to store the Application Gateway certificates.
- Behind the application gateways, two Red Hat Enterprise Linux 8 Azure VMs host the PrivX application in each region.
- All PrivX servers are connected to the same Region 1 Azure Database for PostgreSQL. A read replica of the master database is kept in the North Europe region for data recovery or fail-over situations.
- PrivX servers read and write session recordings to mounted SMB Azure File Shares. The connection from the PrivX servers to the Azure Region 1 file share is made via Azure private endpoints. Region 2 PrivX servers read and write recordings on a local Azure File Share.
- PrivX relays remote OT site host connections through PrivX Extenders. Each remote site has two extenders in High-Availability mode, connected back to the Azure PrivX servers via an internal Application Gateway using the same address, except for Region 2, whose extenders connect to the Region 2 PrivX using a local address.
- A PrivX Web Gateway has been installed in Azure Region 1 in the same subnet as the PrivX servers. The web gateway consists of one PrivX Carrier and one PrivX Web Proxy, each a Red Hat Enterprise Linux 8 Azure VM, and provides access to web targets. Another PrivX Web Gateway has been installed in Azure Region 2 for the same purpose in that region.
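The architecture above relies on OpenID Connect for user authentication with MFA enabled at the identity provider. The following is an added example, not PrivX's or SSH's own code, of the checks an OIDC relying party performs on a received ID token before trusting it: signature, issuer, audience, expiry, nonce, and, because MFA enforced at the IdP is only as good as the relying party's verification of it, the `amr` (Authentication Methods References) claim. The issuer URL, audience and shared secret are constructed placeholders, and the token is HS256-signed so the example runs offline; a real Entra ID token is RS256-signed and verified against the tenant's published JWKS.

```python
"""Illustrative OIDC ID-token verification for a relying party that requires MFA.
Added example; not PrivX code. Placeholders and the HS256 shared secret are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://login.example.invalid/tenant-placeholder/v2.0"  # placeholder issuer
AUDIENCE = "privx-client-id-placeholder"                          # placeholder client id
SECRET = b"constructed-shared-secret"                              # constructed, offline only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    # Restore the padding that JWT encoding strips.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build a sample HS256 JWT; stands in for the identity provider in tests."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token: str, expected_nonce: str,
                    now: Optional[float] = None, secret: bytes = SECRET) -> dict:
    """Return the claims if every check passes; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: never accept 'none' or whatever the token claims.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    # MFA enabled at the IdP is only enforced end-to-end if the RP checks for it.
    if "mfa" not in claims.get("amr", []):
        raise ValueError("MFA not performed")
    return claims


def token_is_acceptable(token: str, expected_nonce: str, now: Optional[float] = None) -> bool:
    """Boolean wrapper around verify_id_token for policy decisions and tests."""
    try:
        verify_id_token(token, expected_nonce, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t = make_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user1", "nonce": "n1",
                    "exp": time.time() + 300, "amr": ["pwd", "mfa"]})
    print("accepted" if token_is_acceptable(t, "n1") else "rejected")
```

The nonce check ties the token to the login session that requested it, and the `amr` check turns "MFA is enabled in Azure" into something the application actually verifies per login rather than assumes.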
Benefits
- All access for internal and external users is enabled and secured, with support for the necessary protocols.
- Ability to proxy VPN traffic to PLC machines.
- Rapid, user-friendly, and secure process for requesting and approving sessions.
- The customer's individual sites can independently configure and manage the required users, roles, and end targets.
- Further integrations with current and future ecosystems.
See the solution in action - book a demo!
Experience the functionality of PrivX OT Edition and see the future of secure access control in OT!