Secure Remote Access to FlexEdge Using Talk2M

20 Mar 2026

Overview

This article describes how to securely connect to a FlexEdge device using Talk2M, enabling remote access to PLCs, HMIs, and other devices on the local network.

Talk2M uses a routed VPN (Layer 3) architecture, which requires direct IP-based communication.

 

Architecture Overview

 

Example Network:

  • FlexEdge LAN: 192.168.0.0/24
  • FlexEdge: 192.168.0.10
  • PLC: 192.168.0.11

 

 

Prerequisites

Before proceeding, ensure:

  • FlexEdge device with Talk2M capability
  • Active Talk2M account (Lite or Pro)
  • Internet access for both FlexEdge and remote PC
  • eCatcher installed on the remote PC

 

Initial Setup

  1. Ensure Crimson 3.2.1053 or later is installed
  2. Create or log into your Talk2M account
  3. Order part number DAA00AC1LIT2M000 directly from HMS

 

Talk2M Account FlexEdge Setup

  1. Once the order has been processed, the device will show up in eCatcher (see below).
  2. Log into the web GUI of the FlexEdge device and click on the Talk2M integration icon.
  3. Enter the serial number that your FlexEdge was assigned in eCatcher into the Talk2M Serial Number field.
  4. Download the enroll file.
  5. Go to support.hms-networks.com and submit a support request using Ewon as the product brand and Talk2M as the product group. Please include your Talk2M account number as well as the enroll file.
  6. You will receive the Completion File by email in zip format.
  7. Extract it to access the included .crt file.
  8. Navigate to the Talk2M Integration page on the FlexEdge web UI again.
  9. Click on "Upload Completion File" and select the .crt file.
  10. The FlexEdge is now enrolled in Talk2M.
  11. The FlexEdge should show as online in eCatcher, as long as it has an internet connection, but there is one more setting to change. In eCatcher, in the Ewon's Properties, navigate to 'LAN & Firewall' > 'Modify LAN Subnet'. Here you choose which network on the FlexEdge the VPN will connect to.


 

Security Consideration: Network Access and Routing Behavior

When a remote user connects to a FlexEdge device through Talk2M, the VPN connection provides Layer 3 (routed) access to the selected network interface on the FlexEdge.

Important Behavior

By default:

  • The user will have access to the entire subnet behind the FlexEdge interface used for Talk2M

  • This includes all devices reachable within that network

  • Access is not limited to a single device unless explicitly configured

 

Example

If the FlexEdge LAN is configured as:

  • Network: 192.168.0.0/24

A connected user can potentially access:

  • 192.168.0.10 (FlexEdge)

  • 192.168.0.11 (PLC)

  • 192.168.0.12 (HMI)

  • Any other device on that subnet (192.168.0.1 - 192.168.0.254)

 

Access can be restricted using FlexEdge firewall rules (refer to the Crimson 3.2 Software Guide, pg. 60, for firewall setup) as well as the eCatcher firewall rules (https://help.ewon.biz/ecatcher/help/en/ewons-486369.html#devices---firewall-487234).

However, these must be intentionally configured — they are not enforced by default.
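
The following is an added example, not code from HMS or the original article: it evaluates a default-deny allow list against the article's example subnet to show how exposure shrinks from every device to only the listed ones, and flags rules that are too broad. The rule format, function names and TCP port 44818 are assumptions for illustration and do not represent FlexEdge or eCatcher rule syntax.

```python
import ipaddress

# Constructed sample data based on the article's example network.
ROUTED_SUBNET = ipaddress.ip_network("192.168.0.0/24")
INVENTORY = {  # device name -> address (from the article's example)
    "FlexEdge": "192.168.0.10",
    "PLC": "192.168.0.11",
    "HMI": "192.168.0.12",
}
# Hypothetical allow rules: (destination network, TCP port). Default is deny.
# Port 44818 is an assumed PLC service port, chosen for illustration.
ALLOW_RULES = [("192.168.0.11/32", 44818)]


def default_exposure(subnet, inventory):
    """Devices reachable with no firewall rules: everything in the routed subnet."""
    return sorted(n for n, ip in inventory.items()
                  if ipaddress.ip_address(ip) in subnet)


def restricted_exposure(rules, inventory):
    """Map device -> sorted allowed ports under a default-deny allow list."""
    exposed = {}
    for name, ip in inventory.items():
        ports = sorted({port for net, port in rules
                        if ipaddress.ip_address(ip) in ipaddress.ip_network(net)})
        if ports:
            exposed[name] = ports
    return exposed


def review_rules(rules, subnet):
    """Flag rules that are wider than one host or fall outside the routed subnet."""
    findings = []
    for net, port in rules:
        n = ipaddress.ip_network(net)
        if not n.subnet_of(subnet):
            findings.append(f"{net}:{port} is outside {subnet}")
        elif n.num_addresses > 1:
            findings.append(f"{net}:{port} allows {n.num_addresses} addresses")
    return findings


if __name__ == "__main__":
    print("Default:", default_exposure(ROUTED_SUBNET, INVENTORY))
    print("Restricted:", restricted_exposure(ALLOW_RULES, INVENTORY))
    print("Rule findings:", review_rules(ALLOW_RULES, ROUTED_SUBNET))
```
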

 

Best Practice: Network Segmentation

To minimize unintended access and improve security, HMS strongly recommends:

  • Configuring separate WAN and LAN networks on the FlexEdge

  • Avoiding placing field devices directly on externally accessible networks

  • Using the FlexEdge as a boundary between:

    • External (Talk2M/WAN) access

    • Internal (LAN) control networks