Using the Tunnel

Details and examples of tunnelling specific protocols and applications

Connecting via the Ardexa Remote Desktop Application

Ardexa Remote offers 2 types of access: a Tunnel access or a VPN access, from the client software. In computing, a "tunnel" is where a remote service or computer, that would otherwise not be accessible, is made available to a local network. A tunnel can be established either via the command line or the Ardexa Remote desktop application. In the figure below, the Ardexa Remote desktop application is being used to make a tunnel connection. In this case it is to a machine at IP address "" and "Port 80" (web - http), which is located on the same network as the Ardexa edge device at the remote plant.

If the IP address is, this refers to the Ardexa edge device.

Once the "START TUNNEL" button is selected, the user can then navigate to the remote machine's Port 80 interface using a browser, as follows:


The Ardexa Tunnel works by connecting to an Ardexa Agent via the API and creating a "tunnel" between your local computer and the remote service. The tunnel is will take a remote port and make it available on your local machine as if the service was running on your local machine. Any requests to the local port and bundled up and sent over to the Ardexa encrypted network, and then the response is delivered back to the local port in the same way. In total, there are five critical pieces of information needed to make the tunnel work:

  • The agent you wish to tunnel through

    • Workgroup ID

    • Device ID

  • Details of the remote service

    • The IP address of the remote device

    • The service (TCP port) for which you need access

  • Where to open the tunnel on your local machine

    • The local port. This local port usually defaults to 2222 by the Ardexa Remote application. If you need something different, then enter it number as required

HTTPS: Be aware that when you use a browser to connect to a device that is on port 443 (https) you must connect using the prefix https, as follows: https://localhost:2222 If you connect as http://localhost:2222, without prefixing the URL with https, then the device might return as "Page Not Found". If this is successful you will then likely be presented with a certificate warning. Click to accept the certificate and continue to connect to the device.

If you select the arrow next to the START TUNNEL button, you will see further options as shown below.

  • Fast mode. This uses a GeoIP to make the connection faster. If you find that you are getting errors in conenction, please turn this off and try again. On the command line this is equivalent to -c reliable

  • View logs. This is to view the connection logs. If there are problems, Ardexa may ask for a copy of these logs.

  • Custom coupler. This is to use a custom connection coupler. Ignore this unless otherwise directed by Ardexa.

Connecting via the Command Line

Ardexa Remote will also allow you to establish a tunnel from the command line. If you wish to do so, then log on the Ardexa cloud, navigate to the the following tab: MENU: > [DEVICES] > (select device) > [TUNNEL]and copy the command via the button COPY TO CLIPBOARD . Paste this command onto your Windows Powershell or Mac or Linux console or terminal window, and execute the command. It will prompt you to login with your userid/password, and 2-factor authentication if it is configured. These steps are then as follows:

  • Open the target Workgroup and browse to Devices

  • Select the target Device and open the TUNNEL tab

  • Enter the details of the Remote Service and the Local Port

    • The IP address of the remote machine you wish to connect to

      • if you want to connect to the Ardexa machine

      • Any IP address accessible from the remote machine. Please use the Discovery tools if you are unsure what's available on the remote network.

    • The port number you want to tunnel to on the remote machine (Remote Port)

      • Please see the Common Service Ports section below for a list of commonly used services and ports

    • The Local Port number that you want the client to listen on

      • if you wish to listen on a port below 1024, you will need Administrator/super user privileges

Open your command prompt and type or paste the ardexa-tunnel command. For example:

ardexa-tunnel 123123123 c5e9f077-7221-41a2-b3ab-93c47497579f 22 2222

You will then be prompted to enter your login details for the Ardexa API. You will need to enter your Email address and Password to proceed, and the 2 factor authentication if this is configured for the workgroup. Once you are authenticated, there will be a short wait while the tunnel is established and then you will see the message "Connected". Your tunnel is now ready to use.

Connecting to Siemens S7 TIA Projects

When a Totally Integrated Automation project is being utilised the following procedure should be followed to connect your Ardexa tunnel:

  1. Open the TIA Project

  2. Open Services and stop the service S7 S7DOS Help Service (this service occupies port 102)

  3. In the Ardexa App, configure the TUNNEL to use Local and Remote port 102

  4. Start the tunnel with powershell (as Administrator)

  5. Restart the S7 S7DOS Help Service

  6. In TIA navigate to Online -> Extended online

    • NB. Extended online does not work with HMI panels. This is a limitation of the panel.

  7. Choose PN/IE_

  8. Double-click in the IP Address field and enter the value:


  9. Connect to the SPS

  10. (do work)

  11. Go Offline must be clicked before closing the TUNNEL

  12. Close TIA

  13. Close TUNNEL

If you need to use multiple concurrent tunnels and are unable to alter the local port (e.g TIA Portal), you can tell the Ardexa Tunnel client to bind to a specific IP address. For example:

ardexa-tunnel $workgroupId $deviceId 102 102 -b
ardexa-tunnel $workgroupId $deviceId 102 102 -b

By binding each tunnel to a specific loopback address, you can connect as many tunnels as you need.

Common Service Ports & Examples

SSH: 22

HTTP: 80

HTTPS: 443

Using a TIA Project

Last updated