Getting Started — RoltekConnect Cloud

Purpose: Get your first site online and start a Just-in-Time (JIT) vendor session in ~15 minutes.

Who is this for? Plant/OT admins, vendor engineers, system integrators.


Prerequisites

  • RoltekConnect Cloud account (Admin or Maintainer role).
  • A gateway on site: RLTK421 (LTE + RS-485/RS-232) or RLTK451 (LTE + Wi-Fi + dual Ethernet).
  • Internet uplink for the gateway (Ethernet or LTE/APN).
  • Target asset to reach (PLC/HMI/SCADA) with IP addressing decided (e.g., 192.168.10.0/24).
  • Optional: SSO/MFA (Azure AD / SAML / LDAP / SCIM) configured.

Tip: If this is a lab trial, connect the gateway’s LAN to a small test network with a PLC/HMI or a simulator.


What you’ll do (at a glance)

  1. Create your Organization and Site
  2. Register the RLTK421/451 gateway
  3. Define a Scoped Policy (asset + ports/protocol + time)
  4. Invite a Vendor and start a JIT session
  5. Verify connectivity and logs/recording

1) Create Organization & Site

  1. Sign in to RoltekConnect Cloud.
  2. Go to Settings → Organization and set name/logo.
  3. Go to Sites → New Site, give it a name (e.g., “Factory-West”), set site time zone.

Best practice: Use one site per physical location (or per routed domain) for clean scoping and logging.


2) Register a Gateway (RLTK421 / RLTK451)

A. Wire and power

  • Connect the WAN uplink: Ethernet, or insert the micro-SIM and attach the antennas for LTE.
  • Connect LAN to your OT subnet (e.g., the PLC network).
  • Power on and wait ~60–90 s for boot.

B. First access

  • Default LAN IP (factory): 192.168.1.1 (check the device label/quick start).
  • Browse to the gateway UI from the LAN side. Change the admin password first, then set time/NTP and the WAN or LTE/APN settings.
  • Confirm Internet: the UI should show Online.

C. Link to Cloud

  • In Cloud: Gateways → Add Gateway.
  • Enter the Gateway ID/Serial (or scan QR in the UI).
  • The device appears as Online in Cloud within 1–2 minutes.

RLTK421: Use LTE when there’s no plant Internet (great for out-of-band).
RLTK451: Use Wi-Fi for site access point or client (as needed).


3) Add Assets (PLC/HMI) & Create a Scoped Policy

A. Asset definition

  • Go to Assets → Add Asset
  • Example:
    • Name: Line-3 / PLC-120
    • IP: 192.168.10.120
    • Protocol/Port(s): Modbus TCP (502), S7 (102); RDP (3389) or SSH (22) only if the task needs them
    • Site: Factory-West

B. Scoped policy (least-privilege)

  • Policies → New Policy
  • Role: Vendor-OEM (Program)
  • Scope: Line-3 / PLC-120
  • Allowed ports/protocols: e.g., TCP/102 (S7) only
  • Time limit: 2 hours
  • Controls: Session recording ON, clipboard/file transfer OFF (enable only if the work order requires it)
  • Approver: OT-Lead (or Site Admin)

Keep scope tight: one asset per policy and only the ports the task needs. Add a second policy for read-only diagnostics rather than widening the programming policy.
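To make the least-privilege decision concrete, here is an added worked example (not RoltekConnect code) of how a scoped policy like the one above decides whether a requested connection is in scope. The field names mirror the Scoped Policy form; the evaluation order (revocation, time window, asset, then protocol/port, default deny) and the approval timestamp are assumptions for illustration.

```python
"""Scoped-policy evaluation for a JIT vendor session: is this connection in scope?
Added illustration, not RoltekConnect code.  Rules are default-deny: anything
not explicitly listed in the policy is refused."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class ScopedPolicy:
    role: str
    asset_ip: str                                   # exactly one asset per policy
    allowed: FrozenSet[Tuple[str, Optional[int]]]   # {(proto, port)}; ICMP carries no port
    max_duration: timedelta
    recording: bool = True
    file_transfer: bool = False

@dataclass(frozen=True)
class Session:
    policy: ScopedPolicy
    approved_at: datetime
    revoked_at: Optional[datetime] = None           # set by Instant Revoke

    @property
    def expires_at(self) -> datetime:
        return self.approved_at + self.policy.max_duration

def evaluate(session: Session, dst_ip: str, proto: str, port: Optional[int],
             now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks are ordered so the cheapest hard stops come first."""
    p = session.policy
    if session.revoked_at is not None and now >= session.revoked_at:
        return False, "session revoked"
    if now < session.approved_at:
        return False, "window not yet open"
    if now >= session.expires_at:
        return False, "window expired"
    if ip_address(dst_ip) != ip_address(p.asset_ip):
        return False, f"{dst_ip} outside scope (policy covers {p.asset_ip} only)"
    if (proto, port) not in p.allowed:
        return False, f"{proto}/{port} not in allowed set"
    return True, "allowed"

# The policy from the form above: Vendor-OEM, Line-3 / PLC-120, TCP/102 only, 2 hours.
PLC_120 = ScopedPolicy(role="Vendor-OEM (Program)", asset_ip="192.168.10.120",
                       allowed=frozenset({("tcp", 102)}), max_duration=timedelta(hours=2))
T0 = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)   # constructed approval time

def demo():
    """Representative requests against the policy; returns name -> (allowed, reason)."""
    s = Session(PLC_120, T0)
    t = T0 + timedelta(minutes=5)
    return {
        "s7_in_window":  evaluate(s, "192.168.10.120", "tcp", 102, t),
        "modbus_denied": evaluate(s, "192.168.10.120", "tcp", 502, t),   # port not in policy
        "ping_denied":   evaluate(s, "192.168.10.120", "icmp", None, t), # ICMP not in policy
        "other_host":    evaluate(s, "192.168.10.121", "tcp", 102, t),   # neighbouring PLC
        "after_expiry":  evaluate(s, "192.168.10.120", "tcp", 102, T0 + timedelta(hours=2, minutes=1)),
        "after_revoke":  evaluate(Session(PLC_120, T0, revoked_at=T0 + timedelta(minutes=30)),
                                  "192.168.10.120", "tcp", 102, T0 + timedelta(minutes=31)),
    }

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:14} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Note that a policy scoped to TCP/102 denies ICMP as well, so a failed ping during a session is the expected result, not a fault.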


4) Invite a Vendor & Start a JIT Session

A. Invite

  • Users → Invite User → role Vendor.
  • If SSO is enabled, invite their corporate email to enforce MFA/SSO.

B. JIT request

  • Vendor opens RoltekConnect Cloud → Request Access
  • Select Asset (Line-3 / PLC-120) + Time window (e.g., 2h) + Purpose/work-order
  • Approver gets a notification and clicks Approve.

C. Operate

  • Access opens for the approved window.
  • Vendor connects with their native tool (TIA Portal, Studio 5000, GX Works, etc.) over the encrypted tunnel.
  • Clipboard/file transfer obeys policy; session is recorded.

Emergency? Use Instant Revoke to kill the session immediately.


5) Verify It Works

  • Asset reachable: open the PLC tool and connect. Ping 192.168.10.120 only proves anything if the policy allows ICMP; a policy scoped to TCP/102 alone blocks ping, and that is expected.
  • Session logs: Cloud → Sessions → you should see start/stop, user, asset, duration.
  • Recording: Open the session entry to review the capture (if enabled).
  • Auto-close: After 2h the session should expire automatically.
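The checks above (start/stop, user, asset, duration, recording, auto-close) can be run over an exported session list instead of by eye. The following added example, not RoltekConnect code, audits constructed JSON-lines session records of the kind a syslog/JSON SIEM export would deliver; the field names (id, user, asset, start, stop, approver, recording, work_order) are an assumption about the export format.

```python
"""Audit exported session records for the conditions the Verify step looks for:
sessions that overran the approved window, sessions still open past it (auto-close
did not fire), missing approver, recording off, no work-order tag.
Added illustration with constructed data, not RoltekConnect code."""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

APPROVED_WINDOW = timedelta(hours=2)
NOW = datetime(2024, 5, 7, 11, 30, tzinfo=timezone.utc)   # constructed "current time"

# Constructed sample export: one JSON object per line, as a SIEM would receive it.
SAMPLE_EXPORT = """\
{"id":"s-1001","user":"vendor@oem.example","asset":"Line-3 / PLC-120","start":"2024-05-06T09:00:00Z","stop":"2024-05-06T10:40:00Z","approver":"ot-lead@factory.example","recording":true,"work_order":"WO-4471"}
{"id":"s-1002","user":"vendor@oem.example","asset":"Line-3 / PLC-120","start":"2024-05-06T13:00:00Z","stop":"2024-05-06T15:25:00Z","approver":"ot-lead@factory.example","recording":true,"work_order":"WO-4472"}
{"id":"s-1003","user":"contractor@sub.example","asset":"Line-3 / PLC-120","start":"2024-05-07T08:00:00Z","stop":"2024-05-07T08:50:00Z","approver":null,"recording":false,"work_order":""}
{"id":"s-1004","user":"vendor@oem.example","asset":"Line-3 / PLC-120","start":"2024-05-07T09:00:00Z","stop":null,"approver":"ot-lead@factory.example","recording":true,"work_order":"WO-4480"}
"""

def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """ISO-8601 with a trailing Z -> aware datetime; None stays None (session still open)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def audit(export_text: str, now: datetime,
          window: timedelta = APPROVED_WINDOW) -> Dict[str, List[str]]:
    """Return {session_id: [findings]} for every record with at least one problem."""
    findings: Dict[str, List[str]] = {}
    for line in export_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        start, stop = parse_ts(rec["start"]), parse_ts(rec["stop"])
        problems = []
        if stop is None and now - start > window:
            problems.append("still open past approved window")   # auto-close failure
        elif stop is not None and stop - start > window:
            problems.append("ran past approved window")
        if not rec.get("approver"):
            problems.append("no approver recorded")
        if not rec.get("recording"):
            problems.append("recording off")
        if not rec.get("work_order"):
            problems.append("no work-order tag")
        if problems:
            findings[rec["id"]] = problems
    return findings

def run_audit() -> Dict[str, List[str]]:
    return audit(SAMPLE_EXPORT, NOW)

if __name__ == "__main__":
    for sid, problems in run_audit().items():
        print(sid, "->", "; ".join(problems))
```

Session s-1001 (1 h 40 min, approved, recorded, tagged) produces no finding; the other three each show one of the conditions the Verify step is meant to catch.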

Troubleshooting

Gateway shows Offline

  • Check WAN/LTE status (APN, SIM PIN, antenna attached).
  • Ensure IT allows the gateway's outbound tunnel traffic (default tunneling: OpenVPN/IPsec; see Network Requirements).
  • Verify time/NTP: a wrong clock makes certificate validity checks fail, which breaks TLS and the tunnel.

Vendor can’t reach asset

  • Confirm asset IP & route on gateway LAN.
  • Check policy scope (did you allow the correct port/protocol?).
  • PLC/HMI local firewall? Add allow rules.

SSO/MFA issues

  • Confirm the user exists in the IdP group mapped to Vendor role.
  • Time drift can break MFA (time-based one-time codes are only valid for a short window); verify clock sync on the client and the IdP.
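To see why clock drift breaks MFA, here is an added example (not RoltekConnect or IdP code) implementing RFC 6238 TOTP on top of RFC 4226 HOTP and checking codes from a client whose clock is offset from the server's. The 30 s step, 6 digits and a server tolerance of plus or minus one step are the common defaults; the secret and timestamps are constructed for the demo.

```python
"""TOTP (RFC 6238) with clock-drift verification.
Added illustration, not RoltekConnect or IdP code.  Secret and clock values are
constructed; the +/-1-step tolerance is the usual IdP default, an assumption here."""
import base64
import hashlib
import hmac
import struct
from typing import Dict, Optional

STEP = 30       # RFC 6238 default time step, seconds
DIGITS = 6
SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")   # constructed demo secret, not a real key

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with counter = floor(time / STEP)."""
    return hotp(secret, unix_time // STEP)

def verify(secret: bytes, code: str, server_time: int, skew_steps: int = 1) -> Optional[int]:
    """Return the step offset (-skew..+skew) at which `code` matches, or None if rejected.
    A server tolerating +/-1 step accepts a code whose clock is at most one step away."""
    base = server_time // STEP
    for offset in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret, base + offset), code):
            return offset
    return None

def drift_demo(client_offsets=(0, 30, -40, 90)) -> Dict[int, Optional[int]]:
    """Client clock is `offset` seconds off from the server clock; which codes get in?
    Server time 1_700_000_000 falls 20 s into its step, so +30 s is one step ahead,
    -40 s is one step behind, and +90 s is three steps ahead (rejected)."""
    server_time = 1_700_000_000
    return {off: verify(SECRET, totp(SECRET, server_time + off), server_time)
            for off in client_offsets}

if __name__ == "__main__":
    for off, matched in drift_demo().items():
        print(f"client clock {off:+4d}s -> {'accepted at step ' + str(matched) if matched is not None else 'REJECTED'}")
```

A vendor whose laptop or phone is more than about a minute off will generate codes the IdP never matches, which looks like a bad secret or a wrong user mapping until the clocks are compared.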

Recording missing

  • Ensure Recording = ON in policy.
  • Some client tools encrypt their own traffic inside the tunnel. In that case the recording captures the session wrapper and metadata (who, which asset, when, how long), not the application payload; export logs to your SIEM if you need deeper correlation.

Network Requirements (summary)

  • Outbound from gateway to Cloud: allow the gateway's VPN/TLS egress (OpenVPN/IPsec/TLS); the exact ports are listed on the Network Requirements page.
  • LAN side: the gateway must route to the asset subnet(s); avoid overlapping IP ranges between sites.
  • Optional: IP-allowlist your corporate egress addresses so Cloud access is accepted only from your network.

Need specifics for your environment? See /docs/security/network-requirements/.


Best Practices

  • One policy per task type (e.g., Diagnostics vs Programming).
  • Short time windows (1–2h) + Approvals + Recording.
  • Name assets clearly: Line-3 / PLC-120.
  • Tag sessions with work-order numbers for audit.
  • Rotate gateway admin creds; use SSO for Cloud users.

Next Steps

  • Invite your vendor team and run a live test.
  • Build Policy Templates for common tasks (Diagnostics, Update, Commissioning).
  • Set up SIEM export (syslog/JSON) for centralized audit.
  • Add your other sites and assets.
