
Rockwell Automation PanelView VNC
Rockwell Automation’s Allen-Bradley PanelView Graphic Terminals provide rugged Human Machine Interface (HMI) in an industrial setting. These terminals support VNC for remote access.
Learn how to making VNC remotely available, simply, securely, without port-forwards, VPNs, or complex firewalls using Agilicus AnyX.
Rockwell Automation PanelView VNC Overview
Rockwell Automation PanelView devices offer industrial-hardened Human Machine Interfaces (HMI). These may be used for viewing process status & alarms, or for input/control.
A common requirement is to have remote operations view (or interact) with the HMI. The PanelView devices support VNC, meaning its possible, but the network security of VNC is very poor. Absent a product like Agilicus AnyX, plants often use port-forward, DMZ, VPN access, putting themselves at risk.
In this example using Agilicus AnyX, we will show how to safely, securely, simply use Rockwell Automation PanelView devices from a remote network, assigning permissions to individual users with single-sign-on, optional with multi-factor authentication, without modifying the local firewall config. Agilicus AnyX can perform password stuffing in VNC, meaning there is no need to share the password with the individual operators.
Installation Instructions
Overview
If you have not already, sign up for Agilicus AnyX. In the below instructions, we will refer to _ _MYDOMAIN_ _, this is the domain you chose during the Agilicus AnyX sign up process. If you have navigated to this page from the Agilicus admin console (https://admin.__MYDOMAIN__), this will be filled in automatically.
Once setup, the data flow will be as shown to the right. The user will have either web-based access, or, desktop client access to each HMI. They will sign in with their natural corporate credentials (regardless of whether directly employed by the Plant or being a 3rd-party contractor providing remote operations). The will see the HMI directly, no client software is required, no changes are needed on the firewall.
Concepts
Agilicus Connector: this software installs as a service on some device in your network. It can support multiple operating systems. Each connector can support an arbitrary number of resources (web applications, shares, VNC, RDP, etc.). In general you need one connector per site.
Authentication: attesting you are who you say you are. Agilicus AnyX uses OpenID Connect, and supports zero-config of Microsoft, Google, Yahoo, Linkedin, or, you can configure your own such as Okta.
Identity: who you are. This is external to the Agilicus AnyX system.
Resource: an individually accessible and permissionable endpoint. In this example, VNC
Permission: assigning a role and access rules per person<->resource pair.
1. Install Connector
For details see Agilicus Connector.
In this example, we are assuming you will install the Connector on a machine on the same network as the PanelView HMI. It needs to have access to port 5900 on the HMI.
Select the appropriate tab for your Operating System.
Navigate to the admin console (https://admin.__MYDOMAIN__). Sign in with the credentials you used during sign up. Select resoures/connectors/new, and give the new connector a name (here we are using ‘openwebui’). Select ‘Install Connector’.
In the dialog that comes up, select Linux at the top, and then copy the command line. Paste this into a root shell.
Depending on your Linux distribution, this will install a service with systemd, upstart, init.d, etc. These instructions should also work on embedded devices (e.g. Raspberry pi).
When complete, the dialog should dismiss itself. We can now check the connector status in Resources/Connectors/Overview, and see it will go ‘good’.
If the connector doesn’t come online, check that the service is running and check for any errors in its log. Common errors include:
- NTP / timesync is not setup
- Outbound firewall prevents connections to port 443 (the Connector can support MITM proxies in corporate environments if needed)






(For more details, see Agilicus Connector – Microsoft Windows)
Navigate to the admin console (https://admin.__MYDOMAIN__). Sign in with the credentials you used during sign up. Select resoures/connectors/new, and give the new connector a name (here we are using ‘openwebui’). Select ‘Install Connector’.
In the dialog that comes up, select Windows-CMD at the top, and then copy the command line. Paste this into an Administrator cmd interface (e.g. on start menu, type ‘cmd’, and then select ‘Administrative shell’ on the right).
When complete, the dialog should dismiss itself. We can now check the connector status in Resources/Connectors/Overview, and see it will go ‘good’.
If the connector doesn’t come online, check that the service is running and check for any errors in eventvwr. Common errors include:
- NTP / timesync is not setup
- Outbound firewall prevents connections to port 443 (the Connector can support MITM proxies in corporate environments if needed)







2. Create PanelView VNC Resource
In this example we assume you already have the PanelView device running and VNC enabled on it with either a ‘View Only’ or a ‘Control’ password.
In our sample network, the HMI is called ‘PV800T4T’ and has an IP of 172.16.0.247 (please either use a name and ensure your DNS resolves it, or, disable DHCP on the HMI and use a static IP.
Follow the images below, ‘Resources/Desktops/New’, create a new desktop, give it a name. For the optional component about password stuffing, you can ignore in which case the user must enter a 2nd VNC password each time. Or, you can enter the View Only and/or Control password. If you do this, the end user will not be aware of the password.
Assign permissions to yourself to test.
Once configured, navigate to https://profile.__MYDOMAIN__, you may need to hit refresh, but you should now see an icon for the new VNC. You can open this directly in the browser, or, if you choose, install the desktop integration and click it to open the native client.










3. Add a second user (optional)
We can now add a second user to share. Enter their email address (this must match that given by the Identity Provider, e.g. user@gmail, user@outlook.com, user@google-workspace-domain, user@office365-domain etc.

Now, add permissions to the user. If you have a lot of applications or a lot of users, consider using Groups.
