Hello everyone,
Our IT department is shutting down all eVPN access due to cybersecurity concerns.
Until now, this was the method we used to connect external CAD designers (for co-design on projects or subcontracting) to our internal Windchill database—either via ProjectLink or directly through PDMLink, depending on the use case.
Is anyone else facing a similar issue? Do you have any suggestions or alternative solutions?
Here’s what we’ve tried so far:
We’re looking for a secure, efficient, and user-friendly way to allow external collaborators to work with our Windchill data. Any ideas or experiences would be greatly appreciated.
Thanks in advance!
Great topic, not sure you will get a solution here but this topic came up at the last user conference. PTC ran a focus group and these concerns you listed were all brought up. See the pinned message at the top of the board (Participate in Supplier Collaboration Research). This slide was shown:
Things seemed to fall apart when we discussed CMMC, Cyber Security, ITAR as being the major stumbling blocks to integrations.
If you are dealing with individual contracts and designers, they can be vetted and treated like regular employees with appropriate access. I am sure your IT has to have some remote workers who connect over VPN. Sometimes that involves them working on laptops you supply and control, so it shifts the problem of interfacing with that laptop to their end, basically eliminating the untrusted-hardware aspect of connecting to your network.
I suspect you are dealing with interfacing with an entity or company where the resources assigned are dynamic (many or changing users from their side). Same problem but you might not be dealing with static users on the other end. Creo+ might be out due to what you said about version compatibility.
A virtual machine could work and I've seen it done. It's a bit like operating like this.
Your suppliers would still need to VPN in and connect to a VDI (graphics session) of a VM operating inside your network or DMZ. You need to make sure your network can support this (latency can be a killer) and that it's optimized for Creo (single-threaded processes). We did see lag when spinning and typing characters, but those were solved so that it was nearly the same as running locally even though the user was in another state. The issue then becomes getting files into and out of that sandbox. In this setup, you want to make sure nothing leaves that is sensitive. So you still need some Dropbox-style portal to ferry data back and forth to the supplier. Ideally, there would be no need for transfer, and anything created or viewed would stay within your systems. That never happens though.
Basically reiterating @avillanueva's response. I am not a cyber security expert, but I don't believe they are saying no VPN. The vast majority of companies use a VPN of some sort: Palo Alto GlobalProtect, Cisco AnyConnect, SonicWall NetExtender, FortiClient VPN, Sophos SSL VPN, WatchGuard VPN, etc. After a quick ChatGPT search, it sounds like eVPN is the security concern. Most companies use IPsec VPN with two-factor authentication or some sort of zero-trust network authentication. Generally this is an IT issue that needs to be resolved by IT.
Windchill is a PLM system that works with network security solutions. It is expected to reside behind the corporate firewall. The corporate firewall may extend to a data center or design partner. Some companies have opted to expose Windchill outside the corporate firewall by setting up a reverse proxy in the corporate DMZ. But that is only as secure as the corporate authentication configuration for Windchill: port 443 through the firewall, LDAPS to encrypt credentials, SSO, MFA, etc.
Business Requirements...
Provide IT/Cyber Security with the business requirement:
Let them come back with a VPN solution that meets their security requirements and is cost effective.
If this is supposed to be an isolated (air-gap) network, then all the contractors must come on site to do the work. If external access is permitted, are Creo clients allowed to work externally or should all Creo sessions be inside the corporate firewall? A few companies have set up CAD workstations in the server room and allow remote users access them via VPN. The benefit is intellectual property stays inside the corporate firewall.
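As an added illustration of the DMZ reverse-proxy setup mentioned above (this is not configuration from the original post, from PTC, or from any poster in this thread), here is a minimal Apache httpd virtual host that terminates TLS in the DMZ and forwards only the Windchill context path to the internal server over 443. The hostnames, certificate paths, the /Windchill context root, the internal backend address and the partner CA file are all assumptions; the client-certificate requirement is an extra control not discussed in the thread, added so that only devices holding a certificate you issued can reach the login page at all. Authentication itself (LDAPS, SSO, MFA) still has to be configured on the Windchill side as the post says.

```apache
# Assumed DMZ reverse proxy for Windchill (illustrative, not vendor-supplied).
# Requires mod_ssl, mod_proxy, mod_proxy_http, mod_headers, mod_authz_core.
<VirtualHost *:443>
    ServerName windchill-ext.example.com          # assumed external name

    # TLS termination in the DMZ: modern protocols only.
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on
    SSLCertificateFile    /etc/ssl/certs/windchill-ext.pem    # assumed path
    SSLCertificateKeyFile /etc/ssl/private/windchill-ext.key  # assumed path

    # Optional extra control (not from the thread): require a client
    # certificate issued by a CA you control, so unmanaged machines without
    # one are refused before they ever see a Windchill login form.
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /etc/ssl/certs/partner-device-ca.pem  # assumed path

    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Content-Type-Options "nosniff"

    # Never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Re-encrypt to the internal server so credentials are never in the clear
    # between DMZ and the protected network.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem  # assumed path

    # Deny everything by default, then expose only the Windchill context root.
    <Location "/">
        Require all denied
    </Location>
    <Location "/Windchill">
        Require all granted
    </Location>

    ProxyPass        /Windchill https://windchill.internal.example.com/Windchill
    ProxyPassReverse /Windchill https://windchill.internal.example.com/Windchill

    ErrorLog  ${APACHE_LOG_DIR}/windchill-ext-error.log
    CustomLog ${APACHE_LOG_DIR}/windchill-ext-access.log combined
</VirtualHost>
```

The deny-by-default Location block matters: a reverse proxy that forwards the whole server exposes every administrative and status URL on the backend, not just the application. Check the effective rules with `apachectl -t` and then confirm from outside the firewall that a request for `/` or `/server-status` returns 403 while `/Windchill/` reaches the login page only with a valid client certificate.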
Their VPN answer is no VPN on a computer not managed by the company (eVPN = external VPN). Therefore we really only have the issue when working with the outside. We could send computer to co-designers, but subcontractor...
We spoke with them, they understand our issue but there is nothing they can do: the risk is too high. They asked us if we couldn't go cloud, and that's it... We are part of IT, the software expert, they rely on us to find the solution...
Having a computer with remote control or a VM, we have the same performance issue... (already tested). @avillanueva how did you solve the lag? Because it's exactly what we experienced.
Where is your server vs the remote users? You want to have latency below 100ms ideally. Any higher and people can perceive it. When we traced our issues, it was network related so we solved the congested network issue. We were only dealing with CT to MA so not too far.
It will be between Europe (Northern Europe) and India or Japan at least...