At NSLS-II, EPICS servers for the accelerator and beamlines reside on dedicated VLANs isolated for security and network bandwidth. Because client applications must run within the respective networks, providing centralized observability and control for staff with various roles is a challenge. We have created a portal to access EPICS process variables (PVs) across the facility, using Virtual Desktop Infrastructure (VDI) and a dual Channel Access Gateway (CAGW) architecture on a dedicated “EPICS VDI” network. For each beamline and the accelerator, two CAGW instances are deployed: one on the “EPICS VDI” network serving client applications, and one on the control system VLAN communicating with IOCs. The controls-side gateway bridges the isolated “Controls” network and the routable “Services” network.
CAGW access security makes PVs read-only by default, with Active Directory group membership granting beamline-specific write access. Any EPICS CA-based client can run in the VDI environment, including CS-Studio Phoebus, the primary tool enabling staff to interact with PVs across the facility from a single session. PV access via VDI removes the need to run client software in the Controls environment, reducing system exposure and improving architectural separation. CAGW deployment is automated by Ansible using templated generation of network settings, PV lists, and access rules. This approach builds on a proven accelerator-beamline communication model and has shown stable performance.
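The access model described above (read-only by default, beamline write access tied to a group), written out here as an added example in the CA Gateway's gateway.access and gateway.pvlist syntax. It is not NSLS-II's own configuration: the ASG, UAG, HAG, user, host and PV-prefix names are placeholders standing in for values that the Ansible templates would render from Active Directory group membership.

```text
# ---- gateway.access (EPICS Access Security syntax, read by the CA Gateway) ----
# Placeholder user list: what a template would render for one beamline's
# (assumed) AD write group.
UAG(xf10id_writers) { alice, bob }
# Placeholder host list: the VDI session hosts from which writes may originate.
HAG(vdi_hosts) { vdi01, vdi02 }

# DEFAULT applies to every PV whose pvlist entry names no ASG:
# readable by anyone the gateway serves, writable by nobody.
ASG(DEFAULT) {
    RULE(1, READ)
}

# Beamline-specific ASG: read for all, write only when the client user is in
# the group AND the request comes from a VDI host (both conditions must hold).
ASG(XF10ID_RW) {
    RULE(1, READ)
    RULE(1, WRITE) {
        UAG(xf10id_writers)
        HAG(vdi_hosts)
    }
}

# ---- gateway.pvlist (which PV names are exposed, and under which ASG) ----
# Assumption: a name matching no ALLOW entry is not served by the gateway.
# Accelerator PVs (placeholder prefix): exposed under DEFAULT, i.e. read-only.
SR:.*          ALLOW
# Beamline PVs (placeholder prefix): exposed under the beamline ASG at level 1.
XF:10ID.*      ALLOW XF10ID_RW 1
```

Because write permission is the conjunction of a UAG and a HAG, the same gateway.access denies a group member's write coming from a host outside the VDI pool, which is the check worth verifying after each templated redeploy.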