There are multiple ways you can setup PI Trust. APM supports the following:
From APM there are two points of connection both of which are read-only
Requirements on any machine to connect to PI Server:
PI SDK Utility will log when connections are successful and when they refused so you can look at that log.
It logs process name and user and IP
eg: At 2:19 I connected in order to browse tags.
At 2:22 I tried to connect to pull a reading and you will notice that the message mentions IvaraServer rather than IvaraClient. This failed because the only trust setup on our system was for domain accounts rather and IvaraServer was configured to run as the Local System account.
At 2:31 I successfully pulled a reading as I added the IP address to the trusts.
Other Notes:
If OnPrem machine is on a DMZ Network, it gets complicated; cannot configure a domain user to run the service. Recommend using IP authentication