Re: Mirror Control Room

["Konrad, Martin via Tech-talk" <tech-talk at aps.anl.gov>]

Hi Elio,
I would suggest to use a VPN tunnel between the facilities with a CA
gateway at each end. Workstations in the "mirror" facility would connect
to their local gateway which in turn would open a connection to the
gateway at the primary facility. The gateway at the primary facility
would find IOCs by broadcasting search requests. It would limit access
to reads for requests coming over the VPN tunnel. Thanks to the fact
that both facilities can use their own broadcast domains as well as the
ability of the gateways to share CA connections between multiple clients
I would expect this to be reasonably efficient. In my experience an
average control-room workstation connects to a few thousand channels
which shouldn't be a big deal even for a control room with many work
stations. Running an off-site archiver however would be a different
story, though, since it might easily keep millions of channels open at
any time. At FRIB the archiver connects to ~7 channels per record.

Depending on your security requirements you might not trust the gateway
enough for a setup like this. If that's the case, you might want to
consider putting an industrial firewall in between (a device that has
been designed for security). You would need to find one that can use a
rule set that lets CA search and read requests pass but blocks/drops
write requests.

I would suggest you try setting this up in a few VMs to get a feeling
for the tools and their performance.

Cheers,

Martin

P.S.: Do you only need to see operator interfaces or do you also need
read access to alarm servers/archivers from your "mirror" control room?

-- 
Martin Konrad
Facility for Rare Isotope Beams
Michigan State University
640 South Shaw Lane
East Lansing, MI 48824-1321, USA
Tel. 517-908-7253
Email: konrad at frib.msu.edu