Secure remote web server access (Node-RED)

Secure remote access to edge devices

Many IoT or Operational Technology (OT) industrial application scenarios demand remote access to SCADA systems or other types of web servers running on edge devices. This can be a simple web server that is used to configure the unit or a more complex application like Node-RED that needs remote access to its web user interface. With qbee it is possible to remotely access edge devices across firewalls and NATs. This example shows how.

The first thing to understand is how the application on the embedded IoT device is working:

  • If the application has a web server or some other means of providing information over a port, this tutorial is the right one. The latter is true for some SCADA systems that exchange information over a port, with a desktop application processing and visualizing this information on the user's local machine.
  • If the full desktop needs to be shared TeamViewer-style, we have exactly the same functionality utilizing VNC.

Often this access to the web server port 80 or 443 or to the VNC port 5900 is only possible within the local network because the firewall is configured to block all access attempts from the outside. In many cases this is done on purpose to have an air-gap to the internet in order to protect the system. However, this can be very impractical for effective daily operations if remote access is needed.

With qbee it is possible to close all ports via the firewall of the edge device and still access the web server remotely. qbee can also connect through the firewall or any NAT that comes before the device. This is all done through the built-in secure connection mechanism that qbee features. The integrated VPN requests information over port 443 from the inside, which lets the firewall accept the packets coming back from the specified IP.

Remote access while maintaining a secure air-gap

No matter if:

  • you want to get secure remote access to a device running a web server
  • or if a digitalization initiative has removed a previous air-gap, exposing local devices with web servers in a larger network context

qbee will allow you to close the device firewall and still provide secure remote access. This works on any port, no matter if this is http (80), https (443) or a special port like Node-RED's 1880 or VNC's 5900. The qbee agent can even turn the firewall on or off dynamically if a no-VPN scenario is preferred.

Just install the qbee-agent on your device and bootstrap it to your qbee account. As always, we recommend configuring the qbee firewall to drop all connections for increased security.

Then you can start qbee-connect on your local machine. This application is available for Windows, Linux and macOS. For this example we want to connect to Node-RED on an industrial Systec CTR-700 edge device. All this can also be done with a standard Raspbian image on a Raspberry Pi or with any other embedded Linux device.

Select the device and create a custom port 1880 for Node-RED.

This will securely map the remote port 1880 to a local port. In this case it is port 64388.


By clicking on the copy item this port can be copied. Then simply start a local web browser and point it to localhost:64388 or 127.0.0.1:64388. This will open the remote web page as if you were logged in locally to the machine.
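To confirm that the setup behaves as described (device port dropped by the firewall, Node-RED reachable only through the mapped local port), the following check can be run from a machine that can route to the device. It is an added example, not part of the original tutorial or of qbee's tooling; the device address 192.0.2.10 is a placeholder assumption, while 1880 and 64388 are the ports from this walkthrough.

```python
import socket

def probe(host, port, timeout=3.0):
    """Classify a TCP port: 'open', 'closed' (reset received) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, host or network unreachable
        return "filtered"

def audit(device_ip, remote_port, local_port, timeout=3.0):
    """Return findings; an empty list means the setup behaves as the tutorial intends."""
    findings = []
    direct = probe(device_ip, remote_port, timeout)
    if direct == "open":
        findings.append(f"{device_ip}:{remote_port} accepts direct connections; "
                        "the device firewall is not dropping inbound traffic")
    elif direct == "closed":
        findings.append(f"{device_ip}:{remote_port} answered with a reset; "
                        "a drop policy would stay silent instead")
    # The mapped port lives on the operator's own loopback interface.
    if probe("127.0.0.1", local_port, timeout) != "open":
        findings.append(f"127.0.0.1:{local_port} is not listening; "
                        "the qbee-connect port mapping is not active")
    return findings

if __name__ == "__main__":
    # 192.0.2.10 is a placeholder device address (assumption); 1880 and 64388
    # are the Node-RED port and the mapped local port from this walkthrough.
    results = audit("192.0.2.10", 1880, 64388)
    for line in results or ["OK: no direct answer on 1880, mapped port is listening"]:
        print(line)
```

An empty result only reflects the network position the check was run from, so repeat it from each segment that should not reach the device directly.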


Map any port or service conveniently to your local machine

qbee.io can securely map any port from an edge device to your local machine. Some examples of what can be achieved with this are given here:

  • remote web server on http (port 80) or https (port 443)
  • special application-specific ports such as Node-RED's 1880
  • using port 5900 allows piping a VNC connection through qbee-connect. More information about secure remote VNC connections can be found here
  • using standard ssh port 22 allows the use of all protocols such as scp, sftp, rsync and sshfs as well as many others. Here is another tutorial