Requirement Description	Yes	No
Do you know the quantity of IP Devices (including edge devices, switches and routers) within the plant network?
Do you know the IP address ranges of all Ethernet/IP devices you want IntraVUE to visualize and Monitor?
Do know the IP addresses of all Layer 2/3 switches (including the ones in a different Subnet or VLAN)? This will help you confirm the questions below. Right-click on all nodes looking for weblinks to a switch's configuration.
Is SNMP enabled on all Layer 2/3 managed switches? Most Industrial Automation devices communicate through SNMP.
Have you configured SNMP Read-Only Communities on all Layer 2/3 managed switches through which the industrial systems are interconnected? (e.g. 'public') These are not to be confused with SNMP Traps.
Do you know the Gateway Address and scan ranges of all VLANs? This is to verify IntraVUE can ping the edge devices successfully. The 'tracert x.x.x.x' command (replace x.x.x.x with the IP of the any edge device) returns the gateway IP address right before the IP address of the edge device in the command results.
Is HTTP traffic allowed on the plant network?
All Layer2/3 switches are Fully Managed Switches? These are switches that comply with IETF RFC 1493 and IEEE 802.1d standards. Unmanaged switches are not recommended in Industrial Network Environments.
There are no silos where edge devices are hidden behind APs, Gateways, PLCs, or Network Address Translators (NAT) devices? If there are, you will need an IntraVUE Agent to scan these. Search Help for "IntraVUE Agent" for more information.
There are No Unmanaged APs, Firewalls, or Access Control Lists (ACLs) between the IntraVUE™ host and the edge devices? If so these can be configured by the owners of those devices, place IntraVUE™ closer to the edge devices, or use an IntraVUE Agent to scan remotely. Search Help for "IntraVUE Agent" for more information

If you answered 'Yes' to all, That’s Great! You will be able to install IntraVUE and quickly Discover, Map, Monitor, and Diagnose the Health of your Industrial Plant Network successfully.

If you answered 'No' to any, that's still okay. We recommend calling IntraVUE Tech Support to request assistance guidance with those items you think you need help with.

 

Once you have met all of the requirements of the readiness checklist above, the system and configuration requirements are shown below. Because IntraVUE is used in industrial automation environments, the next requirements are meant to make running IntraVUE easy.

 

IntraVUE Scanning Requirements

The IntraVUE™ Server must be able to PING all the devices in the scan range. Open a dos command prompt and type "ping x.x.x.x" replacing x.x.x.x with the ip address of a device in the scan range. If the ping command returns "Reply from ..." without timing out then the device passed this requirement.

If any device is in a different subnet, you should be able to PING them using the TRACERT dos command (e.g. c:\> tracert "192.168.0.1." or similar) which will yield the last hop router leading to the device. The IP address previous to the target device in the output results is the gateway address required as top parent in the next section.

Layer 2/3 switches store the mac addresses of connected devices in the scan ranges and must be configured to respond to SNMP from the IntraVUE host. This requires that an SNMP Read-Only Community be configured on these devices and may require additional permissions such as an entry in an Access Control List (if applicable).

IntraVUE will not be able to map the full topology if SNMP is not enabled and SNMP Read-Only Communities are not configured on all L2/L3 switches in the plant floor. Install IntraVUE and use the switchprobe utility to confirm this requirement before proceeding. See Verifying SNMP on Fully Managed Switches.

When enabling SNMP and SNMP Read-Only Communities on some L2/L3 switches you may be required to perform a reboot to allow changes to take effect.

 

System Requirements for IntraVUE™ 3

Server
Processor	IntraVUE has been designed to work with a low power computer
RAM (available)	2 GB: 250+ nodes, 4 GB: 500+ nodes, 6 GB: 1000+ nodes, 8 GB: 1500+ nodes
Disk space	4 GB: 500+ nodes, 8 GB: 1000+ nodes, 12 GB 1500+ nodes
OS	Workstations OS: Windows 7 32-bit and 64-bit, and Windows 10. Server OS: Windows Server 2008, 2012, and Server 2016. Vista, and Windows 8 (and variants) are not certified nor recommended. When installing on Windows 7 ALWAYS choose a folder outside Program Files to avoid read-only file permission problems. We recommend a folder such as C:\IntraVUE. If you install on a Server based system, you MUST use the Add Programs function of Control Panel's Add/Remove Programs.
Virtualization	Any hypervisor platform that supports the operating systems above and that has a fixed virtual machine ID (VMID) not susceptible to high-availability changes is required.
Java	(will be automatically installed as part of the IntraVUE™ ). User interfaces does not make use of java. JRE 8 32-bit will be installed as part of IntraVUE™ Installation. In 64-bit windows computers, only the 32-bit version of the Java Runtime Environment (JRE) should be installed (i.e. under C:\Program Files(x86)\Java).
Security	Firewalls, and Antivirus software must be disabled/turned off during the installation. You can turn them back on when the installation completes, and have configured firewall rules, and on-demand scanning exclusions to allow IntraVUE™ to scan.
MySQL	(will be automatically installed as part of IntraVUE™ Server Installation) *The C:\MySQL folder must be excluded from being backed up or analyzed by virus checking programs. The programs will lock critical, large files and cause the mysql service to stop if it cannot access certain files for longer than a few seconds. Should this occur, restarting the msyql service always works, but there will be no IntraVUE data collected while mysql is stopped.
Apache Tomcat	(will be installed as part of IntraVUE™ Server Installation)
Client
Web Browser	A browser that supports HTML 5 and JavaScript. Supported browsers include Internet Explorer 11 or later, Firefox (Most recent), Chrome (Most recent).
Mobile
Compatible Phones	Android based (5.0 or newer OS version recommended)

Refer to IntraVUE 3 System Requirements for complete System Requirements

 

The following are the most common physical network configurations where IntraVUE is used or can be used to scan the "local area network" (i.e. all devices that are exclusively inside a plant site without having to go through the WAN or IT networks). It's important to know which one if you type of network so that you can place IntraVUE accordingly.

It's important to scan locally your plant network as many CIsCritical Infrastructure (e.g. SCADA, TCP/IP) are being connected to ITInformation Technology. Corporate group that manages the core network but not necesarily the automation networks. networks using TCP/IP equipment that could create a backdoor of weak points from vulnerable IT systems where APTAdvanced Persistent Threat: a group of hackers that develop hacking tools that uses multiple attack vectors for long undetected periods of time in order to compromise and control a target plant network. These tools can by-pass firewalls, IDS, and even Anti-Virus software. attacks could bring down automation systems.

Simple Network: The simplest network in which all the edge devices and all the switches are in the same subnet (e.g. scan range 192.168.0.1 - 192.168.0.254). To scan this type network you only have to enter the full scan range and proper SNMP communities. If this is your network, you do not have to read the rest of this document. IntraVUE was designed for this type network when the subnet mask is 255.255.255.0 (Class C) and there is not router required. Each 'cloud' represents different 'physical' plant zones, but all devices are pingable from the Top parent which is the IntraVUE host.

Multiple LANs from a single IntraVUE host using a router in between. Another simple network is one in which all the edge devices are in one subnet and all the infrastructure switches are in another subnet. The IntraVUE Server should be in the subnet of the edge devices and should be the top parent of the IntraVUE network. The IntraVUE Server is on the left scanning all the LOCAL edge devices communicate without going thru a router. However, the IntraVUE Server must go through a router in order to get ping and SNMP data from the switches to the remote networks. The router (which knows the macs of the switches) must be in the scan range of the same IntraVUE network and respond to the same SNMP read-only community configured in IntraVUE. See System Config - Scanner Tab.

 

 

Multiple NIC cards and No Router or SNMP: In some cases, plant personnel are not allowed to know the SNMP community of the central router or access switch. In the next figure, a NIC card has been added for each formerly remote LAN to solve this problem. Now those LANs have local addresses on the host computer and communication does NOT go through the router. The MAC addresses of all devices are in the host computer local ARP cache. This configuration is also useful when IT departments isolate private LANs using VLANs or a firewall and SNMP is not allowed to go through. The use of Virtual Machines where the IntraVUE agent can be installed to scan those private LANs or VLANs solves this problem. However, if the number of virtual machines using IntraVUE agents is over whelming or costly to manage, we recommend instead using IntraVUE appliances installed as agents within those private LANs or VLANs. See Using the IntraVUE Scanner Agent and Appliance Configuration for more details.

 

 

Networks using VLANs: is made more complex by configuring the layer 2 switches in the network to have VLANs. This is one of the most common plant floor network architectures. There are 5 VLANs. The layer 2 switches are in the center circle, Switch VLAN. Even though they are connected by layer 2 switches, devices in one VLAN can not communicate with devices in another VLAN without going through the router. For IntraVUE to provide the most diagnostics, each VLAN of edge devices should be a separate IntraVUE network in the System Configuration Scanner Tab. Each one of the 'remote' networks must also include the interface (Gateway IP address) of the router leading to the edge devices (as determined by DOS command TRACERT) as the top parent. In the next figure, the IntraVUe network for VLAN 1 needs to have the local computer as top parent, all the local IP addresses, the router, and the switch IP Addresses. VLANs 2, 3, and 4 each need to have the IP address of the router as top parent, the IP addresses of the VLAN, the router, and switch's IP addresses all in the scan ranges of that IntraVUE network. (The switch's IP addresses will be in all 4 IntraVUE networks.) VLANs are configured in a layer 2 switch by assigning VLAN numbers to ports of the switch. Packets arriving on a port of a switch having a VLAN(s) configured will only be sent to other ports having the same VLANs configured. This limits broadcast traffic to only the ports with the same VLAN number as the originator.

 

Multiple VLANs: using different colored lines for each VLAN. If the destination MAC is on a port in another VLAN, the message will be sent to the gateway and then back to the switch on the port having the same VLAN number as the destination. If a port of a switch is not configured for a VLAN, it acts as if all VLANs are configured for that port. All traffic for a device in a different VLAN (different colored line) must go to the router to be redirected to the switch.

Implementing Rapid Spanning Tree protocol (RSTP) in the switches creates a physical ring of communication where the last switch in a series of connected switches is connected to the first switch, thus forming a ring. The last link is never 'active' unless there is a break between any other switches in the ring. At that time, communication will start a new path and all switches will continue to be able to communicate, but using a different path. Nothing special needs to be done to handle this situation. IntraVUE will discover the new path and redraw the topology to reflect the change in the ring.

 

Hot Standby Redundant protocol: (HSRP) creates a connection between a pair of routers. In this scenario 2 routers are configured so that either one can act for the other in the event the other router fails. The routers 'share' a virtual IP address and a virtual mac address as well as having their own ip and mac. In some cases, one router will respond to the virtual IP/MAC Address, but the other can assume in within milliseconds if necessary. In many cases, each router handles some VLANs. Router A will handle the even VLANs and router B will handle the odd VLANs. Other devices are configured to use the 'virtual' IP address of the routers. Additionally each 'upper level' layer 2 switch is connected to both routers, so that if a router failure happens there is a connection to the other router using the same 'virtual' IP address. Since the routers are connected and the upper switches are connected to each router, an alternate path is created and the mac of the routers can be seen on two possible ports of the 'upper level' switches.

Isolated Networks behind a Gateway, PLC, Private VLANs, Firewalls, NATs

The IntraVUE Appliance

The IntraVUE Appliance is a small-factor headless appliance strategically placed in a network closet at a remote site with the purpose of scanning edge devices in one or multiple cases below:

1. Devices in an isolated network behind a gateway. A switch inside the 'isolated network' behind a gateway using one port of the agent and the other port of the agent is connected to a switch on the 'plant' side (or plant VLAN Access) network.

2. Private VLANs. One is the private VLAN of the 'system' and the other provides access from the 'plant' to the PLC of the 'system'. The IntraVUE Agent has one interface connected to a 'system VLAN' port of the switch and the other agent's Ethernet interface is connected to a 'plant VLAN' port of the same switch.

3. If a NAT, or Firewall Access to the NAT, or Firewall devices is configured to send all packets from an IP address on the plant side to the IP of the IntraVUE agent on the 'system' side of the NAT/Firewall, then the IntraVUE Agent can scan the devices behind the NAT, or Firewall.

 

Using IntraVUE Appliance as an Agent to scan Isolated Networks:

This is the most common use of the IntraVUE appliance where it's simply configured with a static (or dynamic) IP address and allows the IntraVUE host to scan the edge devices on the private or isolated network and add them to the Map View as if they were in the local plant network. The IntraVUE agent does not require additional licensing and it exists in two formats industrial guide (scans unlimited nodes) and low-cost (which is less expensive but it's limited in the number of nodes it can scan).

Using IntraVUE Appliance as an Stand-alone Server to scan the Plant Network:

When there is no physical server or virtual machine available, the small-factor headless appliance can be deployed as an IntraVUE Server. The only differences is that it does require software registration and only one port of the appliance is connected to a switch on the 'plant' side.

See Using the IntraVUE Scanner Agent and Appliance Configuration for more details

 

Installation or Upgrade Instructions of IntraVUE™ full version for Windows Based Systems

Before you install or Upgrade IntraVUE you will need to have an active support contract or active IntraVUE subscription before you can register your Product Key (PK). The IntraVUE Web registration portal will reject your PK if your do not have either requirement. You will need to contact a distributor near you to renew either one.

1. Download the latest Intravue_.x.x.exe installer. See Downloads
2. Right-Click Click Intravue_.x.x.exe and select "Run as Admin"
3. Click "Next" for on the Welcome to the IntraVUE Setup Wizard screen
4. Click "I Agree" to the License Agreement.
5. Select "Install" for Choose Install Location. Default location is set to C:\intravue but you can change.
   1. If you're upgrading, you will receive a notice to make a backup of your current database. Click “OK” to continue with the upgrade.

   2. IntraVUE will make a backup of the appropriate folders and store them automatically in “prevxxxx” folders under C:\intravue when you run an upgrade.

   

   

6. Select “Yes” to use IntraVUE™ with a software license key. If you purchased an IntraVUE USB dongle select "No".

This question is used to determine where IntraVUE should look for licensing information (c:\intravue or from a USB dongle)

7. A Java Setup - Welcome window appears whenever java is not installed in the machine. Click "Install" and let the Java Install run its course.

   Java 32-bit is required to be installed for the IntraVUE™ scanner to run. The UI does not make use of Java 32-bit.

   1. Click “Next” at the “Restore Java security prompt” when asked.

   2. Click “Close” to finish the Java installation

JAVA might prompt you to update. Ignore as IntraVUE™ will install a 32-bit version of Java

8. Close the “Verify Java Version” Internet Browser.

9. Click “Yes” to “Do you want to launch IntraVUE™ Browser”

   

10. Once the browser window launches, if you get IntraVUE™ logo at the top your installation performed successfully.

11. You can Open IntraVUE™ in any compatible browser such as IE 11, Chrome or Firefox. See IntraVUE 3 System Requirements for details.

 

Register or Update IntraVUE™ Product Key

If you are registering or updating an IntraVUE dongle proceed to 'Register IntraVUE when using a dongle' down below.

1. Invoke IntraVUE™ from your desktop or open an internet browser and enter http://127.0.0.1:8765 in the address bar if IntraVUE is installed on the same computer, otherwise change 127.0.0.1 to the IP address or URL of the IntraVUE host. Press Enter.

2. Click > Configure > Login as user "admin" > password "intravue".

3. The Registration link will immediately appear.

4. Copy the KEYCODE number. You'll need this number in the next step.
5. Obtain an IntraVUE registration code from the IntraVUE User Web-Based Registration by clicking "here" next to "To get a registration code" or entering this address into a second tab https://intravuereg.panduit.com/intravue-registration/index.php

6. Within the web registration form, Enter your Email Address, Organization, KEY CODE, PRODUCT KEY and SERVICE CODE (As Provided by Panduit with your purchase). Click "Submit Query".

 

7. Copy the returned “Registration Code” into the Registration Code field in the IntraVUE's "REGISTRATION" page. This activates IntraVUE™ to enable monitoring of Automation Networks.
8. Copy the "Product Key" into the "PRODUCT KEY" field in IntraVUE's "REGISTRATION" page. This activates the IntraVUE product itself.
9. Copy the “Service Contract Code” into the “SERVICE CODE” field in the IntraVUE's REGISTRATION page. This activates the KPI system and other add-on features of IntraVUE™ provided for customers under Support. If target software is not currently under support, the “Service Contract Code” field will remain blank.
10. Click 'Submit Registration'. At the top of the REGISTRATION page should show something “Your registration has been completed successfully”. If it does not call Tech Support.

Your Product Key might be rejected by the web registration system for several reasons. See this knowledge base article for more details: KB4473

Make sure there are not trailing blank spaces as this will prevent the IntraVUE™ User Web-Based Registration from completing your request successfully.