Experimental Physics and
Industrial Control System

Andrew Johnson <[email protected]> · Wed, 21 May 2014 17:39:08 -0500

Hi Hovanes,

On 05/21/2014 05:19 PM, Hovanes Egiyan wrote:
> The PVs from these softIOCs need to be accessed from another network in
> our lab that
> happens to be behind a firewall for security reasons. If we can assign
> the TCP address manually then the network administrator only needs to open
> a dozen (or two) predefined port #s between the two different firewalled
> networks, otherwise
> we apparently need to have the whole ephemeral port # range open between
> the networks ,
> which is a possibility too. There was a  similar question back in 2008
> according to
> techtalk, and it seemed that such a thing might get implemented, but I
> do not
> think the EPICS base version we are using has that capability yet.

This sounds like you should look at using a PV Gateway, configured
across the two subnets if your security guys will allow it, but not
necessarily if they'd rather do the hole punch. The gateway should
probably live on a different host where it gets to use the regular 5064
TCP port number, and it forwards the requested PVs to the firewalled
clients. You can configure which PVs are allowed through, and whether
writes are allowed etc.

Here at the APS we run PV gateways to allow all our experimental
beamlines to access selected PVs from the accelerator control system;
each beamline gets its own gateway between their subnet and the central one.

- Andrew
-- 
Advertising may be described as the science of arresting the human
intelligence long enough to get money from it. -- Stephen Leacock

Experimental Physics and Industrial Control System

Experimental Physics and
Industrial Control System