Description
At NSLS-II, EPICS applications for the accelerator and beamlines reside on dedicated VLANs that are isolated for security and network bandwidth. Because clients must run their applications within their respective networks, this poses a challenge for enabling centralized observability and control for facility staff with various roles. We have created a single portal to access EPICS process variables (PVs) across the facility, using Virtual Desktop Infrastructure (VDI) and a dual Channel Access Gateway (CAGW) architecture on a dedicated “EPICS VDI” network. For each beamline and the accelerator, two dedicated CAGW instances are deployed: one on the “EPICS VDI” network serving client applications, and one on the control system VLAN communicating with IOCs. The controls-side gateway bridges the isolated “Controls” network and the routable “Science” network, enabling inter-gateway communication over beamline-specific ports configured by convention and governed by firewall rules.
EPICS Channel Access security is enforced with PVs read-only by default, while Active Directory group membership determines beamline-specific write privileges. Any EPICS CA-based client tool can run in the VDI environment, including CS-Studio Phoebus, the primary use case, which lets staff view and interact with PVs across the entire facility from a single session. Providing PV access through the VDI portal removes the need to run client software directly in the Controls environment, thereby reducing system exposure and improving architectural separation. CAGW configuration and deployment are automated using Ansible, with templated generation of gateway settings, including network configuration, PV lists, and access control rules. This approach builds on a proven model used for accelerator-beamline communication and has demonstrated stable performance across multiple deployed instances.
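As an added illustration of the read-only-by-default policy described above (not NSLS-II's Ansible templates, which the abstract does not reproduce), the following Python renders the two per-beamline CA Gateway inputs, an EPICS access-security file and a PV list, and checks that no access security group grants WRITE without a user access group restricting it. Beamline, user, host and PV prefix names are constructed placeholders.

```python
# Added example: render CA Gateway access-security (ASG) and pvlist files for
# one beamline. DEFAULT is read-only; writes require membership of a UAG that a
# deployment would populate from the beamline's AD writer group (assumed).
import re


def render_access(beamline, writers, hosts):
    """EPICS Access Security file: DEFAULT = read only, <beamline>_rw = writers."""
    uag, hag = f"{beamline}_writers", f"{beamline}_hosts"
    lines = [
        f"UAG({uag}) {{{', '.join(writers)}}}",
        f"HAG({hag}) {{{', '.join(hosts)}}}",
        "ASG(DEFAULT) {",
        "    RULE(1, READ)",
        "}",
        f"ASG({beamline}_rw) {{",
        f"    UAG({uag})",
        f"    HAG({hag})",
        "    RULE(1, READ)",
        "    RULE(1, WRITE)",
        "}",
    ]
    return "\n".join(lines) + "\n"


def render_pvlist(beamline, prefix):
    """CA Gateway pvlist: expose only this beamline's PVs, bound to its ASG.
    Names not matching any ALLOW pattern are not served by the gateway."""
    return (
        "EVALUATION ORDER DENY, ALLOW\n"
        f"{re.escape(prefix)}.* ALLOW {beamline}_rw 1\n"
    )


def unrestricted_write_asgs(access_text):
    """Names of ASGs that grant WRITE without any UAG; empty for a sound file."""
    bad = set()
    for name, body in re.findall(r"ASG\((\w+)\)\s*\{(.*?)\}", access_text, re.S):
        if "WRITE" in body and "UAG(" not in body:
            bad.add(name)
    return bad


if __name__ == "__main__":
    # Constructed placeholder values, not a real beamline configuration.
    acc = render_access("bl12id", ["alice", "bob"], ["vdi-bl12id-1"])
    print(acc)
    print(render_pvlist("bl12id", "XF:12ID"))
    print("unrestricted write ASGs:", unrestricted_write_asgs(acc))
```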