Using older AS with Windows XP inside VirtualBox VM + AS online connection via RemotePVI

Hi,

for some reasons, I needed a Windows XP installation to open and use an older Automation Studio project. For debugging reasons, it was also necessary to establish an online connection to the PLC running this project.
But it was an absolute must-have to block Windows XP from accessing the intranet and internet. As I didn’t want to think too much about routing, forwarding, blocking ports / traffic inside firewalls and / or network infrastructure components, for the online connection I decided to use the Remote PVI “gateway mechanism” (TCP client / server communication between Automation Studio and a PVI manager, which is not installed on the same machine as Automation Studio).
Maybe someone else could have similar needs, therefore I share my learnings here.

Disclaimer

The following information must not be understood as a general recommendation or a proven security mechanism. It’s just an example, intended for informational reasons.

Challenge

Use Windows XP in a Virtual Machine (VM) and prevent the risk of malware infection by exposing the network connection of Windows XP to the intranet or internet, but still being able to connect to a PLC via ethernet, and without being a network administrator having extended knowledge of routers, routing, and so on.

Solution approach

Allow the VM guest OS network to communicate just with the VM host OS network, and use RemotePVI for forwarding the Automation Studio Online traffic.

My implementation

  • I installed Oracle VirtualBox on my host machine with Windows 11.
  • Inside Oracle VirtualBox, I installed Windows XP as Guest OS.
  • In the VirtualBox network adapter settings, I chose “Host-Only Adapter”
    • this setting creates a private, isolated network between the host machine and the virtual machine, allowing them to communicate without accessing the internet or external networks.
    • In my setup, the W11 host got the IP address 192.168.56.1, the WXP guest got 192.168.56.101
  • In the W11 host machine firewall, I installed a rule allowing incoming communication from the Host-Only network (“allow local and remote IP range 192.168.56.0/24”)
  • Additionally, in the W11 host I enabled PVI Remote Access (“use TCP/IP communication” in the PVI Manager settings → B&R Online Help)
  • Last, I changed the AS project online settings running inside the WXP Guest OS to a PVI Remote connection, where the PVI Remote IP address is the W11 host’s IP address on the Host-Only network created by VirtualBox ( → B&R Online Help).

Limitations

  • With Remote PVI, only AS online communication is possible! Other TCP/IP traffic is not transported via Remote PVI (for example direct routed access to a SafeLOGIC).
  • Remote PVI server and Remote PVI Client must both have the same family: PVI ↔ PVI, or PVI6 ↔ PVI6 ( → B&R Online Help)

Implementation Screenshot

Please see here a summary screenshot of the settings described above.

BG Alex

2 Likes
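
An added example, not part of the original post: a host-side PowerShell check for the setup described above. It confirms that the XP guest has only host-only adapters and that the host does not forward packets from that network, then creates an inbound rule that is narrower than the /24 rule in the post (guest address and PVI port only). The VM name, the PVI TCP port (a placeholder to be read from the PVI Manager settings), the VBoxManage install path and the rule name are assumptions.

```powershell
# Added example: run in an elevated PowerShell session on the Windows 11 host.
param(
    [Parameter(Mandatory)] [string] $VmName,    # assumption: VirtualBox name of the XP guest
    [Parameter(Mandatory)] [int]    $PviPort,   # placeholder: TCP port shown in the PVI Manager settings
    [string] $HostIp  = '192.168.56.1',         # host-only addresses taken from the post
    [string] $GuestIp = '192.168.56.101',
    # assumption: default VirtualBox install location
    [string] $VBoxManage = "$env:ProgramFiles\Oracle\VirtualBox\VBoxManage.exe"
)

# 1. Every enabled NIC of the guest must be host-only.
#    A NAT or bridged adapter would give XP a path to the intranet or internet.
$info = & $VBoxManage showvminfo $VmName --machinereadable
$nics = $info | Where-Object { $_ -match '^nic\d+="(?!none)' }
$bad  = $nics | Where-Object { $_ -notmatch '="hostonly"$' }
if (-not $nics) { throw "No enabled NIC found on '$VmName'." }
if ($bad)       { throw "Non host-only adapter(s) on '$VmName': $($bad -join ', ')" }

# 2. The host must not route between the host-only network and its other interfaces.
$alias = (Get-NetIPAddress -IPAddress $HostIp).InterfaceAlias
$iface = Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4
if ($iface.Forwarding -eq 'Enabled') { throw "IP forwarding is enabled on '$alias'." }

# 3. Inbound allow rule limited to the guest address and the PVI port,
#    instead of the whole 192.168.56.0/24 range on all ports.
$ruleName = 'PVI Remote from XP guest (host-only)'   # hypothetical rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $PviPort `
        -LocalAddress $HostIp -RemoteAddress $GuestIp | Out-Null
}

# 4. Print the effective scope of the rule for review.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Get-NetFirewallAddressFilter | Select-Object LocalAddress, RemoteAddress
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort
```

Re-running the script after any change to the VM's network settings catches a second adapter that was added later, for example for a file transfer.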

thanks for sharing :slight_smile: