MindSphere Remote Service (MRS) Getting Started

Introduction 

MindSphere Remote Service (MRS) offers you secure remote access to your and your customers’ on-site Service Assets (e.g. machines) for the following key use cases:

Service on-site Service Assets quickly via Remote Login to perform diagnostic tasks, change or update configurations, or resolve incidents.

Engineer PLCs and controllers via Remote Engineering instead of running your engineering tool locally within the serviced customer's network.

Use File Transfer to retrieve data from an on-site Service Asset for further analysis, or to deliver data or files to remote Service Assets for update, compliance or configuration purposes.

MRS uses tunnel technology that provides an additional level of security for meeting regulatory or market constraints on remote connectivity and data transfer. This also eases your IT security management and supervision by bundling many Service Asset connections into a single tunnel. WebSocket Secure tunnels enable fast setup via downloadable tunnel endpoints, without the need to install additional network hardware.

Please be aware that Remote Service infrastructure may be leveraged for versatile integration with other data or 3rd party tools using the same provided secure tunnels. Detailed use-case-specific information is available upon request. 


Using and Configuring the System

This section gives an overview of how to use and configure MindSphere Remote Service. Furthermore, all relevant terms and definitions are introduced. 



Each MindSphere user working with MindSphere Remote Service must also be registered as a User in the User Management of Remote Service. Every user may have one or more User Roles, which grant the user certain access rights depending on the responsibilities and duties that person must fulfil at a given point in time. Some of these grants apply only to a certain scope and are marked as "partly", while others cannot be configured but only "used", as outlined in the table below.

In Asset System Management the general term Customer Asset (or Asset) is used for any kind of equipment located at the customer side, which will be subjected to being serviced from remote. A Customer Asset might for instance be a machine in a manufacturing line or a part of a power plant.

Customer Assets are managed by means of a tree-shaped Organization Structure. Such a tree allows for grouping Service Assets by Organizations and Sub-Organizations (e.g., geographical or logical areas) and, on the lowest hierarchy level, by customer-specific Sites.

To simplify working with different types of Service Assets at a given site, Service Assets are associated with a customer-defined logical Product type, which allows for instance for distinguishing manufacturing machinery from energy-generating machinery or machinery used for transporting goods on the factory floor.

The combination of User Roles, Asset Tree and Product Type provides for convenient handling of all equipment at a selected location, as outlined in the example below:


Note: If needed, customer-side gateways shall be handled as primary Service Assets. Certain network specifics at the customer or Service Provider side might require involving respective IT departments for initial connectivity setup.


Remote Service-related roles for registered users

  • Tenant Administrator: This person is authorized to administrate Remote Service objects (add, modify, or delete customer Service Assets, user accounts, and so on) or to grant other users the authorization to use Remote Service functions. An administrator is assigned to one tenant and may administrate only that tenant’s objects and grants.

  • Region Tenant Administrator: This role is capable of user management, role management, asset system management, and configuration of Protocol Applications within the assigned Region part of the Organization Tree. A Tenant Administrator assigns the "Region Tenant Administrator" role to a given user and specifies the accessible Region or Sub-Organization. 

  • Site Owner: The Site Owner role is capable of asset system management and assigning protocol application instances to assets. The Site Owner has the privileges for the assigned sites only.

  • Remote User: This is a basic role for performing the everyday tasks of Remote Service and Remote Engineering. This role has access to a set of assets as granted by the administrative roles above.

  • Power User: This is a Remote User who may also use the "On-Demand Device" capability for establishing temporary Remote Service connections. 


Using Remote Service Apps

This section gives an overview of how to use MindSphere apps delivering Remote Service. MindSphere launchpad offers two apps for Remote Service, which provide a task-specific User Experience:

  • MindSphere Remote Service with UI V.1 (MRS V.1) provides all functionality for all user roles and is meant for administrative tasks
    • users may switch between Remote Service roles as needed
    • this allows for frequent switching between offered functionality
  • MindSphere Remote Service with UI V.2 (MRS V.2) offers a subset of MRS V.1 functionality in a workflow-style approach recommended for everyday service use
    • provides everyday functionality relevant for users with the role "Remote User" 
    • adds additional guidance via role-specific workflows

The following chart outlines the functional scope of the dedicated user interfaces of the otherwise identical Remote Service apps. Details of the supported Application Protocols are outlined further below.

Note: If you use MRS UI V.2, then you will also have to leverage MRS V.1 for complementary administrative tasks.

The User Interface of the workflow-driven MRS V.2 is structured as follows:

  • the area on the far left allows for selecting the scope of workflows a user wants to apply. For instance, the "device scope" allows for the configuration of assets and their underlying devices.
  • next to it, there is a tenant-specific tree allowing to navigate between assets and select one of them for further processing. This area can be collapsed if needed.
  • the main area extends from there all the way to the right and provides a workflow-specific area for edit and status purposes.
  • above that, the different stages of a workflow are shown, which also allows for navigating back to earlier stages of the currently used workflow.
  • next to it, a user's currently active user role is displayed, and it may also be changed here via a drop-down menu.
  • a general status bar provides overview statistics on available or connected devices.


Setting Up Remote Service Specifics

MindSphere Remote Service relies on tunnel technology, which requires upfront setup as outlined in the following sections.

MindSphere Remote Service uses a versatile, downloadable, compact Client, which does not require installing additional runtime environments, so that it can be used on constrained hardware. This client is deployed both in the Remote Service Provider's and in the Serviced Customer's network, and it builds on top of secure WebSocket communication tunnel technology. It serves different purposes:

  • Operator Client - This is the entry-point for Remote Service communication tunnels originating within the Service Provider's network. The client is installed on the PC of a service engineer. It enables native Remote Login as well as Remote Engineering and File Transfer. 
  • Device Client - It is installed on a Service Asset residing in the Serviced Customer's network providing the endpoint for Remote Service tunnels. 
  • Gateway - The Device Client can also act as a Gateway providing access to other registered and connected assets, which do not have this client installed. The latter assets become Secondary Assets (asset sec), while those assets hosting this Device Client with no Secondary Assets connected are then referred to as Primary Assets (asset prim). 
  • On-Demand Device - When delivering Remote Services there might be situations that require instant access to equipment or devices which are not registered assets yet, e.g., due to missing service contracts with a to-be-serviced customer. In this case, a client may be installed on-demand and used for Remote Service purposes, assuming that the network and device configuration at the Customer Site permits doing so.

Client-based communication allows for integration with and tunnelling of different kinds of configurable protocols for Remote Service purposes. This is managed by setting up Remote Service Protocol Applications per asset: 

A Protocol Application Type specifies a Remote Service protocol and provides fields for protocol-specific configuration such as port numbers or authentication information. Different Application Types allow for serving different operational needs. 

A Protocol Application Instance of a given Application Type assigns concrete values to the protocol parameters, for instance, username and password needed for authentication at a specific customer network. 
Each Customer Asset has a Protocol Application assigned referring to a selected Protocol Application Instance so that it can be accessed and serviced from remote via a specified protocol. 

In MRS V.2 such assignment is done by using the Asset Tree for navigating to a Service Asset. At the bottom of the related device page there is a button "Create new application".

That will open the Connectivity Hub for assigning Application Protocols to Service Assets:

Remote Login with Operator Client:

  • Remote Login is supported both in native and browser-based (web) versions. Please note that the browser-based version has functional limitations but does not require an Operator Client to be installed.
  • The following Remote Login protocols are available:
    • Remote Desktop Protocol (RDP) – common protocol for login to remote devices, such as Microsoft Windows® based systems.
    • Secure Shell (SSH) – common protocol for services that do not provide a user interface but only console access. For instance, many Linux® servers offer remote access via SSH.
    • Virtual Network Client (VNC) – primarily targets remote login to Unix® or Linux® systems. Unlike RDP, it offers the option to establish parallel sessions to a target device. For instance, this allows a remote operator to collaborate with an engineer who is connected to the same device locally on-site.

Remote Engineering with Operator Client:

  • Dynamic Transparent Tunnel (DTT) – provides a general mechanism for routing other TCP/UDP-based protocols, giving experienced users the flexibility to create their own application types with specialized port and proxy settings.
  • Proxy Unaware (PU) – provides a powerful means for routing connections that were not designed to be routed to remote devices. This could be leveraged for connecting engineering or diagnostic tools running on the operator's computer to devices at a remote site. Please note that tool-specific restrictions such as timeouts might apply.
  • Web Server – allows for connecting to HTTP or HTTPS servers running in a remote network. For instance, some devices such as PLCs offer such servers for further configuration or diagnostic purposes.


MRS V.1: Create Product Structure for Classifying Serviced Assets


Responsible Roles: Tenant Administrator

To create a new product, follow these steps:

  1. Click Structure Management under the Dashboard tab of the Home page. 

  2. Click Product Structure on the Structure Management page.

  3. Select the Product from the product structure tree under which you want to create a new product.
  4. Click Add New.

  5. Complete the fields by entering the Product Name (here: Wind Turbine) and the Annotation.
  6. Click Add to tree.

The Product 'Wind Turbine' is added to the Product Structure and is displayed in the Product structure tree.


MRS V.1: Create Organization Structure for Managing Serviced Assets


Create Region

Responsible Roles: Tenant Administrator

Let us create a Region (for example, a country or a company).

  1. Click Structure Management under the Dashboard tab of the Home page.
  2. Click Organization Structure on the Structure Management page. 
  3. Select the region from the organization structure tree under which you want to create a new region.
  4. Click Add New.

  5. Enter the Organization Name (India) and an Annotation outlining the input and click Add to tree.

The Region 'India' is added to the Organization Structure and displayed in the System tree.


Create Sites

Responsible Roles:

  • Tenant Administrator
  • Region Tenant Administrator

Let us create a Site "Wind power station".

  1. Click System Management under the Dashboard tab of the Home page. 

  2. Click the Region tab on the System Management page.

  3. Select the region (India) from the Organization tree for which you want to create a new site.

  4. Click Add Site in the upper-right corner. 

  5. Enter the site information and click Save.

A new site 'Wind power station' is created and displayed on the System Management page.


Create Service Assets

Responsible Roles:

  • Tenant Administrator
  • Region Tenant Administrator
  • Site Owner

Let us create a Service Asset 'Vortex Generator' under the sample site 'Wind power station'. 

  1. Click System Management under the Dashboard tab of the Home page.
  2. Click the Region tab on the System Management page and select the sample Region India.
  3. Click the remote site 'Wind power station'. 
  4. Click New Device in the upper-right corner of the device table.

  5. Enter the Asset and Location information in the fields. 

  6. Click Add Products in the upper-right corner of the Product field and check the checkbox next to the product Wind Turbine and click Select.  

  7. Click Save.

A new asset 'Vortex Generator' is created under the site Wind power station.


MRS V.1: Managing Users for Remote Service

Responsible Roles:

  • Tenant Administrator
  • Region Tenant Administrator

In order to make use of Remote Service, a user with specific grants is required. Let us create a new user 'John S'.

  1. Click User Management under the Dashboard tab of the Home page.

  2. Click the Users tab on the User Management page and click Add User Account. 

  3. Enter the User information and necessary additional details in the fields and click Save.

A new user 'John S' is created.


MRS V.1: Assign Roles to Users

Responsible Roles:

  • Tenant Administrator
  • Region Tenant Administrator

When a user is created, the new user is assigned the default role 'Remote User'. The user 'John S' was created in the previous section. Now it is necessary to assign the roles required for his service tasks.

  1. Click the Associate Roles tab on the Edit user 'John S' page.

  2. Assign the required roles and click Save. 


MRS V.1: Assign Users with Grants for Scopes of Serviced Assets

Responsible Roles:

  • Tenant Administrator
  • Region Tenant Administrator

John has been assigned Remote User and Tenant Admin roles. In order to access the Organization and Product structures or subsets, John must be assigned some Service Asset-specific grants.

  1. Click the Attribute Based grants tab.

  2. Click Add Organizational Structure in the upper-right corner of the Organizational Structure field.

  3. Check the checkbox next to the site (Wind power station) and click Select.

  4. Click Add Products in the upper-right corner of the Products field. 

  5. Check the checkbox next to the product (Wind Turbine) and click Select.

  6. Click Add Roles in the upper-right corner of the Roles field.

  7. Check the checkbox next to the roles that you want to assign and click Select.

  8. Click Add to Grants and Save.
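As an added illustration, not MRS code, of how the User Role, Organization Tree scope and Product Type attributes combine into a single access decision (the model introduced under "Using and Configuring the System" and exercised by the grant steps above), the following Python sketch evaluates the grant John receives; the second site, the pump asset and the region-wide administrator are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class OrgNode:
    """Node of the Organization Structure: Region, Sub-Organization or Site."""
    name: str
    parent: OrgNode | None = None

    def is_within(self, scope: OrgNode) -> bool:
        """True if this node is `scope` itself or lies anywhere below it."""
        node = self
        while node is not None:
            if node is scope:
                return True
            node = node.parent
        return False

@dataclass
class Asset:
    name: str
    site: OrgNode
    product: str  # logical Product type, e.g. "Wind Turbine"

@dataclass
class Grant:
    """One attribute-based grant: tree scope + Product types + User Roles."""
    scope: OrgNode
    products: frozenset[str]
    roles: frozenset[str]

@dataclass
class User:
    name: str
    grants: list[Grant] = field(default_factory=list)

def may_access(user: User, asset: Asset, role: str) -> bool:
    """Allow only if a single grant covers all three attributes: the requested role,
    the asset's Product type, and the asset's Site inside the grant's scope.
    Everything not explicitly granted is denied (least privilege)."""
    return any(role in g.roles and asset.product in g.products
               and asset.site.is_within(g.scope) for g in user.grants)

# Sample structure using the guide's walkthrough values; the second site, the
# pump and the region-wide administrator are constructed for this example.
india = OrgNode("India")
wind_station = OrgNode("Wind power station", parent=india)
plant = OrgNode("Assembly plant", parent=india)
vortex = Asset("Vortex Generator", wind_station, "Wind Turbine")
pump = Asset("Cooling Pump", wind_station, "Pump")
turbine_2 = Asset("Turbine 2", plant, "Wind Turbine")
john = User("John S", [Grant(wind_station, frozenset({"Wind Turbine"}),
                             frozenset({"Remote User"}))])
region_admin = User("Region admin", [Grant(india, frozenset({"Wind Turbine", "Pump"}),
                                           frozenset({"Region Tenant Administrator"}))])
```

John's grant reaches only Wind Turbine assets at the Wind power station in the Remote User role, while the region-wide grant covers every site below India, which is the scoping the Region Tenant Administrator role is meant to have.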


MRS V.1: Create an on-demand device

Responsible Role: Remote Power User

Once the on-demand device is created, it works like a normal device within the 'On-Demand Organization Tree' and can be managed as a normal device for the duration it is created for. Remote Service supports the following types of on-demand device connection:

  • Primary Asset as target
  • Gateway

To create an on-demand device, follow these steps:

  1. Click “on-demand device package” under the Dashboard tab of the Home page.

  2. The Create On-demand device page is displayed as follows: 

  3. Enter the device details, Days until automatic removal of the Service Asset (expiration of the on-demand device) and click “Save”.

The on-demand Service Asset/device is created and displayed in the Device table.


Getting Started – Tips & Tricks

The following tips & tricks should help you resolve potential setup or communication issues:

  • download of clients: for export control (ECC) reasons the public IP address of a computer initiating a client download must match the country of the user operating it.  
  • please ensure that the proxy settings on Operator PCs or devices hosting a Device Client allow a connection to MindSphere. 
  • for native Remote Login (not using a browser) and all Remote Engineering connections it is necessary to launch the Operator Client before issuing any connection requests to Service Assets via the user interface. Connection Requests also demand targeted Device Clients to be up and running.
  • MRS standard (supporting Remote Engineering): please match the targeted remote web server's protocol (HTTP vs. HTTPS) when using "Web Application".
  • if a client does not connect to MindSphere, starting the client in diagnostic mode via "mrs-client –diagnose" gives first indications of potential network configuration issues. After doing so, please restart the client in regular mode.