Single-site network application

In this example, a customer has a single site with a LAN, exposed to the Internet through a firewall.
Figure 7. Typical single-site (LAN) architecture

The network is configured for remote connectivity over the Internet. All the stations are behind an Access point TLS VPN gateway, which ensures that systems are not directly exposed to the Internet.

Browser A is a BUI (Browser User Interface) user located across the Internet and Browser B is a BUI user located internally on the LAN. The site has multiple field controllers controlling field devices. These field controllers are remotely controlled by controller A and controller B. Each field controller has a private IP address, so it is not accessible by Browser A, located across the Internet. However, the field controllers are available to Browser B, located on the same LAN.

The Supervisor station is connected through Ethernet hub A and has a public IP address assigned to it in the firewall. It can be reached by both Browser A (the external user) and Browser B (the internal user). In the example, the Supervisor has been engineered to include graphics that show real-time information originating from controller A and controller B. To accomplish this, the Supervisor proxies data in controller A and controller B. In addition, the Supervisor functions as a supervisory station, archiving the other stations’ (controller A and B) data logs, alarms, and so on. This data is available to both Browser A and Browser B.

The network administrator of the site chooses to place the Supervisor outside the enterprise LAN but just behind the firewall. This allows faster access by the external user (Browser A) because the network traffic between the external host and the Supervisor does not come onto the customer’s enterprise LAN (which may be congested).