Remote Control Concept with SCALANCE S Modules over IPsec-secured VPN Tunnel
SCALANCE S
Application Description, February 2010
Applications & Tools. Answers for industry.
Industry Automation and Drives Technologies Service & Support Portal
This article is taken from the Service Portal of Siemens AG, Industry Automation and Drives Technologies. The following link takes you directly to the download page of this document: http://support.automation.siemens.com/ww/view/en/22056713
For questions about this document please use the following e-mail address: online-support.automation@siemens.com
V10, Entry ID: 22056713
Warranty and Liability

Note: The Application Examples are not binding and do not claim to be complete regarding the configuration, equipping and any eventuality. The application examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These application examples do not relieve you of the responsibility of safely and professionally using, installing, operating and servicing equipment. When using these application examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these application examples at any time without prior notice. If there are any deviations between the recommendations provided in this application example and other Siemens publications, e.g. catalogs, the contents of the other documents have priority.

We do not accept any liability for the information contained in this document. Any claims against us based on whatever legal reason resulting from the use of the examples, information, programs, engineering and performance data etc. described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (Produkthaftungsgesetz), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (wesentliche Vertragspflichten). However, claims arising from a breach of a condition which goes to the root of the contract shall be limited to the foreseeable damage which is intrinsic to the contract, unless caused by intent or gross negligence or based on mandatory liability for injury of life, body or health. The above provisions do not imply a change of the burden of proof to your detriment.

It is not permissible to transfer or copy these application examples or excerpts of them without having prior authorization from Siemens Industry Sector in writing.
Table of Contents
Warranty and Liability ... 4
1 Automation Task ... 6
2 Automation Solution ... 8
2.1 Overview of the automation solution ... 8
2.2 Description of the core functionality ... 9
2.3 Hardware and software components used ... 11
3 Function Mechanisms of this Application ... 12
3.1 Remote servicing program VNC ... 12
3.2 Setting up a secured connection ... 13
3.3 Tunnel overview in the Softnet Security Client ... 16
3.4 Diagnostics Options in the Security Configuration Tool ... 18
4 Installation ... 20
4.1 Installation of the hardware ... 20
4.2 Installing the software ... 22
4.3 Installing the application software ... 22
5 Starting up the Application ... 24
5.1 Reset of the SCALANCE S modules ... 24
5.2 Address allocation ... 24
5.3 Port forwarding in the DSL routers ... 28
5.4 Configuration of the security module ... 28
5.4.1 Inserting modules in the SCT ... 28
5.4.2 Changing over to advanced mode ... 30
5.4.3 Creating firewall and routing rules ... 30
5.4.4 Definition of VPN groups in the SCT ... 33
5.4.5 Inserting the modules in the groups ... 34
5.4.6 Download the modules ... 36
5.5 Activation of the Softnet Security Client ... 38
5.6 Configuration of VNC ... 40
6 Operating the Application ... 42
6.1 Preconditions ... 42
6.2 Operation ... 44
7 Links & Literature ... 45
7.1 Literature ... 45
7.2 Internet Links ... 45
8 History ... 45
1 Automation Task

Introduction
Modern automation technology is based on communication and increasing networking between the individual production islands. In this context, confidentiality, protection and integrity of data transfer are central issues. The topic of remote servicing will also take a higher priority in the future: in terms of workload, time and the corresponding costs it is significantly more efficient than sending service technicians to plants around the world. Remote control helps to cut the high costs of time-consuming travel.
Whether it concerns data exchange and diagnostics from and between production cells, or remote access to the company network: in the world of automation, the growing interaction between industrial communication systems and the IT world via IT mechanisms like e-mail, web servers and wireless LAN also brings with it inherent risks such as hacker attacks, worms and Trojans.

Overview of the automation problem
The figure below provides an overview of the automation task.
Figure 1-1: A service technician and a control center with a database exchange data with remote stations 1, 2 ... n, each with its own controller.
Description of the automation problem
In the field of industrial automation, the security of the networks used in production takes the highest priority. The objective of this application is to maintain data integrity, confidentiality and protection within industrial communication.
The control center is the central point here: firstly, the configuration data for the controllers are saved here, and secondly all connections to the remote stations branch off from here. Via these connections the projects are loaded to the controllers of the remote stations and data is monitored.
Service technicians should be able to connect to the control center with their PGs/PCs via a secured connection in order to gain access to the remote stations. An important requirement is that the secured connection can be set up cost-effectively and without expert IT knowledge.
2 Automation Solution

2.1 Overview of the automation solution

Schematic diagram
The following figure displays the most important components of the solution:
Figure 2-1: Control center (SCALANCE S612 with remote servicing PCs and VNC server), service technician (PG/PC with Softnet Security Client and VNC client) and remote station (SCALANCE S612 with S7-300 station), linked by secured connections.

Description of the automation solution
The security modules SCALANCE S612 and the Softnet Security Client are used to set up the secured connections. The remote station consists of an S7-300 CPU. Remote servicing PCs and a database with the necessary configuration data for the remote station are available in the control center, the center of the plant.
Topics not covered by this application
This document only discusses the new functions and mechanisms. General information on the security components of SIMATIC NET and the basics of Industrial Security are not covered again. Further information is available in the document "Security with SCALANCE S612 modules via IPSec-secured VPN tunnels", available on the same HTML page.

Required knowledge
Since this document only discusses the new functions and mechanisms, basic knowledge of industrial security and of the components used is assumed.

2.2 Description of the core functionality
The core functionality of this application is based on the SIMATIC NET industrial security concept. With this solution, risks that may arise through the consistent use of Ethernet structures and Internet technologies in sensitive areas can be eliminated. This document introduces a more complex remote control concept: routing between the secured connections, using VNC (Virtual Network Computing) for remote control.

Schematic representation of the solution
Figure 2-2: Control center, service technician and remote station; the numbered connections 1 to 4 correspond to the steps in Table 2-1.
Step-by-step representation
The following table illustrates the process of remote control:
Table 2-1
Step | Description
1 | The service technician establishes a secured connection with the control center.
2 | The remote station also establishes a secured connection with the control center.
3 | Remote servicing software on the PG of the technician enables remote control of the remote servicing PC (e.g. operating STEP 7).
4 | Via this remote servicing PC the required configuration data are loaded to the remote station (e.g. loading the hardware configuration into the controller).

Advantages of this solution
Apart from the advantages of the security concept, this solution has two additional advantages:
- All project-relevant files are kept in a central database.
- Wrong configurations/settings are minimized, since all service technicians download the required configuration data from the central database.
Access to the remote station can be limited to particular service technicians. Further remote stations can be integrated into the application without extensive effort.
2.3 Hardware and software components used

Hardware components
The application has been set up with the following components:
Table 2-2
Component | Qty | MLFB / order number | Note
Security module SCALANCE S612 | 2 | 6GK5612-0BA00-2AA3 | V2.3
CPU 315-2DP | 1 | 6ES7315-2AG10-0AB0 | Alternatively, another CPU can also be used.
CP343-1 Advanced | 1 | 6GK7343-1GX21-0XE0 |
Power Supply | 2 | 6ES7307-1BA01-0AA0 |
DSL router with port forwarding | 3 | | Two of them with a fixed public IP address

Standard software components
Table 2-3
Component | Qty | MLFB / order number | Note
STEP 7 V5.4 SP4 | 1 | 6ES7810-4CC08-0YA5 |
Primary Setup Tool | 1 | | The tool for performing address assignments can be downloaded free of charge (entry ID: 19440762).
Security Configuration Tool V02.02.00.01 | 1 | | Delivered with the S612
Softnet Security Client 2008 V2.0 | 1 | 6GK1704-1VW02-0AA0 |
VNC Remote Desktop | 1 | | In this application RealVNC is used.

Example files and projects
The following list contains all files and projects used in this example.
Table 2-4
Component | Note
22056713_RemoteAccess_S612_CODE_v10.zip | This zip file contains the STEP 7 project
22056713_RemoteAccess_S612_DOKU_v10_e.pdf | This document
3 Function Mechanisms of this Application

3.1 Remote servicing program VNC

What is VNC?
VNC (Virtual Network Computing) is remote servicing software based on the client-server principle. The tool displays the screen contents of a remote computer (the server) on the local computer (the client); conversely, the mouse movements and keyboard inputs of the client are transferred to the server. This makes it possible to access and control another computer remotely. VNC implements the Remote Framebuffer (RFB) protocol, a network protocol that works at the level of the bit-oriented graphics buffer (framebuffer). This makes VNC platform-independent.

Principle of operation
For remote access, the client software package must be installed and started on the local computer and the server variant on the remote computer. Using the IP address or the computer name, the client establishes a connection with the server and displays the screen content on its own PC. The screen contents are transferred as bitmaps, where only the changed regions are transferred to the client. Color depths of 8, 16 and 32 bits per pixel are supported.

Exemplary representation
This principle is illustrated by the following graphic:
Figure 3-1: Keyboard input and mouse movements flow from the client to the server; the screen content flows from the server to the client.
3.2 Setting up a secured connection
In this automation solution two different VPN tunnel connections are required:
- VPN tunnel 1 between service technician and control center
- VPN tunnel 2 between control center and remote station
This is realized by using different certificates. In the Security Configuration Tool the following rule applies: all modules which are members of the same VPN group communicate via the same VPN tunnel and can exchange data with each other. Since only two different tunnels are required, two VPN groups are created.

Structure of VPN tunnel 1
As VPN client, the Softnet Security Client must initiate the secured connection with the VPN server (the SCALANCE S612) in the control center.
Figure 3-2: Service technician (Softnet Security Client, active, initiates the connection) -> control center (S612, passive).

Setting up VPN tunnel 2
The secured connection between the two SCALANCE S modules is initiated by one of the S612 modules. SCALANCE S modules may be defined either as VPN clients or as VPN servers, i.e. they can actively establish the connection or wait for a request.
Figure 3-3: Remote station (S612, active, initiates the connection) -> control center (S612, passive).
Overview of the VPN tunnels
After setting up the desired connections, two different VPN tunnels are available:
Figure 3-4: Service technician (Softnet Security Client) <-> control center (S612) <-> remote station (S612).

VPN groups in the SCT
In the Security Configuration Tool the different tunnels are represented by two VPN groups. This screenshot shows the nodes of VPN tunnel 1:
Figure 3-5
This screenshot shows the nodes of VPN tunnel 2:
Figure 3-6

Connection of further remote stations
Further remote stations can easily be integrated into the existing application. For each further remote station a new S612 module is added to the configuration in the Security Configuration Tool. For performance reasons it is advisable to integrate the new module into the already existing VPN group.
3.3 Tunnel overview in the Softnet Security Client
The Softnet Security Client offers an overview of the configured tunnel connections and their status in a separate dialog window. The screenshot below shows this overview:
Figure 3-7
The parameters have the following meaning:
Table 3-1
Parameter | Description
State | The possible status displays are listed in the next table.
Name | Name of the module or station as retrieved from the configuration in the Security Configuration Tool.
IP address | For stations: IP address of the internal node.
SCALANCE S IP Address | IP address of the allocated SCALANCE S module.
Tunnel over.. | If you use more than one network card in your PC, the allocated IP address is shown in this column.

Note: If your PG/PC is equipped with several network adapters, the Softnet Security Client automatically selects one of them for setting up a tunnel. If it cannot find an adapter suitable for your project, it takes any of the available ones. In this case the network adapter settings must be adjusted manually via the context menus for the station and the SCALANCE S modules.
The status display may show the following symbols:
Table 3-2
Icon | Description
[icon] | There is no connection to the module or station.
[icon] | There are further stations which are not displayed. Double-click this symbol to show the other stations.
[icon] | This station has been configured and tested.
[icon] | SCALANCE S module deactivated.
[icon] | SCALANCE S module activated.
3.4 Diagnostics Options in the Security Configuration Tool
The Security Configuration Tool offers an online mode for diagnostics purposes.

Preconditions for online viewing
Before using the Online View, the following must be fulfilled:
- the online mode in the Security Configuration Tool must be activated (View -> Online)
- a network connection to the selected module must be active
- the project which was used for configuring the module must be open

Online functions
The screenshot below shows the Online View dialog window:
Figure 3-8
This window offers the following functions:
Table 3-3
Function | Description
Status | Shows the device status of the SCALANCE S module selected in the project.
Communication Status | Shows the communication status and the internal network nodes of the other SCALANCE S modules belonging to the VPN group.
Date and time | Time and date settings.
Internal Nodes | Display of the internal network nodes of the SCALANCE S module.
System Log | Display of system events listed in a log.
Audit Log | Display of security events listed in a log.
Packet Filter Log | Display of data packets listed in a log, e.g. start and stop of packet logging.
4 Installation

4.1 Installation of the hardware
The figure below shows the hardware setup for this remote control concept. For the hardware components, please refer to chapter 2.3.
Figure 4-1: Control center with remote servicing PCs behind the control center router; PG with Softnet Security Client behind the SOFTNET router; remote station (CPU315-2 DP + CP343-1 Advanced) behind the remote station router.
To set up the hardware, please follow the instructions in the table below:
Table 4-1
1. Attach all modules to be used for the remote station to a mounting rail.
2. Connect the modules via Ethernet as follows:
   In the remote station:
   - CP343-1 Advanced with the internal interface (green) of the S612.
   - Router Remote Station with the external interface (red) of the S612.
   - The PG via its internal network card with the SOFTNET router.
   In the control center:
   - Control center router with the external interface of the S612.
   - Remote servicing PC with the internal interface of the S612.
   Components shown: S612, CPU315-2DP, CP343-1 Advanced, PS307.
Note: The installation instructions for the individual components are to be observed in any case.
4.2 Installing the software
Table 4-2
No. | Location | Action | Comment
1 | Remote servicing PC | Install STEP 7 V5.4 SP4. | Please follow the instructions of the installation program.
2 | Remote servicing PC | Install RealVNC Server. | Please follow the instructions of the installation program.
3 | Remote servicing PC | Install the Primary Setup Tool. | Please follow the instructions of the installation program.
4 | PG | Install the Security Configuration Tool V02.02.00.01. | Please follow the instructions of the installation program.
5 | PG | Install the Softnet Security Client 2008 V2.0. | Please follow the instructions of the installation program.
6 | PG | Install RealVNC Client. | Please follow the instructions of the installation program.

4.3 Installing the application software
Unzip the file 22056713_S7300_MicroSC_CODE_V10.zip. It includes the STEP 7 project RemoteAccess.zip.
Table 4-3
1 | At the remote servicing PC, open the SIMATIC Manager and retrieve the STEP 7 project via File -> Retrieve.
2 | Click Options -> Set PG/PC Interface and set the PC interface to MPI.
3 | Connect the CPU315-2DP and the PG with the MPI cable.
4 | Select the station CPU_LEAN and download it into the CPU.
5 | Select Options -> Set PG/PC Interface and set the PG interface to Ethernet. To do so, select the network card of your PG to be used for this application. Do NOT use TCP/IP (Auto); please take note of the Attention note at the end of this table.

Attention: If TCP/IP (Auto) is used, the system assumes that the PG/PC is located in the same Ethernet network as the controller and that no matching IP configuration is available. In order to access one of the configured controllers, the system then allocates an additional IP address from the destination network (controller network) to the PG/PC network card. These additional IP addresses on the PG/PC network card cause problems when establishing the VPN tunnel.
5 Starting up the Application

5.1 Reset of the SCALANCE S modules
In order to ensure that no other VPN configuration or certificates are stored in the modules, the SCALANCE S modules must be reset to factory settings. This procedure is described in the SCALANCE S manual as listed under \3\ in the Appendix.

5.2 Address allocation

Overview of IP addresses
Table 5-1
Module | IP address
PG | 192.168.2.4
Router SOFTNET | 192.168.2.1
Internal interface of the S612 of the control center | 172.168.2.1
External interface of the S612 of the control center | 192.168.2.2
Remote servicing PC | 172.168.2.2
Control center router | 192.168.2.1
Internal interface of the S612 of the remote station | 140.80.0.1
External interface of the S612 of the remote station | 192.168.2.3
CP343-1 Advanced | 140.80.0.2
Router Remote Station | 192.168.2.1
IP address allocation on the PG
Table 5-2
1 | Open the Internet Protocol (TCP/IP) properties via Start -> Settings -> Network Connection -> Local Connections. Enter the IP address 192.168.2.4 for the PG. The router IP address 192.168.2.1 is used as gateway and DNS server.
2 | Close the dialog box with OK.

IP address allocation on the remote servicing PC
Table 5-3
1 | Open the Internet Protocol (TCP/IP) properties via Start -> Settings -> Network Connection -> Local Connections. Enter 172.168.2.2 as an additional IP address. The internal IP address 172.168.2.1 of the SCALANCE S612 is used as gateway and DNS server.
2 | Close the dialog box with OK.
IP address allocation for the components
During the loading process of the S7 station via MPI, the relevant IP address for the CP343-1 Advanced has already been configured. Only the addresses of the SCALANCE S612 modules still need to be defined.
Table 5-4
1 | Connect the remote servicing PC with the external interface of the S612 of the control center.
2 | On the remote servicing PC, open the Primary Setup Tool via Start -> SIMATIC -> Primary Setup Tool. Click the magnifier icon to browse for the modules connected to the network.
Note: The DCP protocol used by the Primary Setup Tool for node initialization is not enabled by default in the S612 firewall. For this reason, modules that are not connected to the internal network of the S612 will not be displayed.
3 | A new module has been found. Select it.
4 | Click the + sign to expand the module and enter the IP address (192.168.2.2) and the router address (192.168.2.1) under Ind. Ethernet interface. The subnet mask is always set to 255.255.255.0.
5 | Select the MAC address of the SCALANCE S module and click the relevant icon to load the parameters into the SCALANCE device.
6 | Connect the remote servicing PC with the external interface of the S612 of the remote station. Repeat steps 2 to 5. Enter 192.168.2.3 as IP address, 192.168.2.1 as router address and 255.255.255.0 as subnet mask.
7 | Addressing of the SCALANCE modules is now completed.
8 | Connect the remote servicing PC with the internal interface of the S612 of the control center.
Note: For security reasons, the IP address allocation for SCALANCE S modules via the PST can only be performed after a reset to factory settings. The IP address of an already configured SCALANCE S module can be changed in the project using the SCT.

IP address allocation for the routers
The remote servicing concept requires routers. These must be assigned the LAN-side IP address 192.168.2.1 (for all three routers). The relevant procedure is described in the router manual.
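As an added example (not part of the Siemens document), the following Python check validates the address plan of Table 5-1 with the standard library: every default gateway must be on-link and must exist on the same LAN segment, no address may be used twice on one segment, and the two internal networks routed through the tunnels must not overlap. The LAN labels are an assumption; they are needed because the three DSL routers all use 192.168.2.1 on physically separate LANs.

```python
# Added example, not part of the Siemens document: consistency checks on the
# address plan of Table 5-1. The LAN labels are assumptions: they identify
# the physically separate segments on which the three DSL routers all use
# 192.168.2.1, and the two internal networks behind the S612 modules.
import ipaddress
import itertools

PREFIX = 24   # the document uses the subnet mask 255.255.255.0 throughout
INTERNAL_LANS = {"LAN-center", "LAN-remote"}

# (host, IP address, default gateway or None, LAN segment), from Table 5-1
PLAN = [
    ("PG", "192.168.2.4", "192.168.2.1", "LAN-technician"),
    ("Router SOFTNET", "192.168.2.1", None, "LAN-technician"),
    ("S612 control center, external", "192.168.2.2", "192.168.2.1", "LAN-center-wan"),
    ("Control center router", "192.168.2.1", None, "LAN-center-wan"),
    ("S612 control center, internal", "172.168.2.1", None, "LAN-center"),
    ("Remote servicing PC", "172.168.2.2", "172.168.2.1", "LAN-center"),
    ("S612 remote station, external", "192.168.2.3", "192.168.2.1", "LAN-remote-wan"),
    ("Router Remote Station", "192.168.2.1", None, "LAN-remote-wan"),
    ("S612 remote station, internal", "140.80.0.1", None, "LAN-remote"),
    ("CP343-1 Advanced", "140.80.0.2", "140.80.0.1", "LAN-remote"),
]


def check_plan(plan, prefix=PREFIX):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings, seen, lan_nets = [], {}, {}
    hosts = {(lan, ipaddress.ip_address(ip)) for _, ip, _, lan in plan}
    for name, ip, gw, lan in plan:
        iface = ipaddress.ip_interface(f"{ip}/{prefix}")
        # all hosts on one segment must share the same network
        net = lan_nets.setdefault(lan, iface.network)
        if net != iface.network:
            findings.append(f"{name}: {iface.network} differs from {net} on {lan}")
        # no address may be used twice on the same segment
        if (lan, iface.ip) in seen:
            findings.append(f"{name}: {ip} already used by {seen[(lan, iface.ip)]} on {lan}")
        seen[(lan, iface.ip)] = name
        # the gateway must be on-link and must exist on that segment
        if gw is not None:
            gw_ip = ipaddress.ip_address(gw)
            if gw_ip not in iface.network:
                findings.append(f"{name}: gateway {gw} is not on-link in {iface.network}")
            elif (lan, gw_ip) not in hosts:
                findings.append(f"{name}: gateway {gw} has no host on {lan}")
    internal = [(lan, net) for lan, net in lan_nets.items() if lan in INTERNAL_LANS]
    # internal networks are routed through the tunnels, so they must be
    # distinct; ranges outside RFC 1918 private space are flagged as well
    for lan, net in internal:
        if not net.is_private:
            findings.append(f"{lan}: {net} is a public range, not RFC 1918")
    for (lan_a, net_a), (lan_b, net_b) in itertools.combinations(internal, 2):
        if net_a.overlaps(net_b):
            findings.append(f"{lan_a} and {lan_b} overlap: {net_a} / {net_b}")
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN) or ["plan is consistent"]:
        print(finding)
```

For the plan as documented, the only findings are that 172.168.2.0/24 and 140.80.0.0/24 lie outside the RFC 1918 private ranges; a mistyped gateway or two routers on one segment are reported as well.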
5.3 Port forwarding in the DSL routers
The control center router is located on the passive side, i.e. both VPN tunnels are initiated towards it. Therefore it is necessary to forward the following ports:
- UDP port 500 (ISAKMP)
- UDP port 4500 (NAT-T)
Configure the following port forwarding rule in your router:
- Control center router: forwarding of the specified ports to the external IP address of the S612 (192.168.2.2)
No inbound forwarding is needed on the other two routers, since the technician's PG and the remote station only initiate connections. The manual of your router includes a detailed description of the port forwarding process.

5.4 Configuration of the security module

5.4.1 Inserting modules in the SCT
Table 5-5
1 | Select Start -> SIMATIC -> SCALANCE -> Security -> Security Configuration Tool to open the Security Configuration Tool.
2 | Select Project -> New to create a new project. You will be asked to enter a user name and password to protect your project. Fill in the relevant fields and confirm your settings with OK.
3 | The first module will be added automatically to the project.
4 | Click the relevant icon or select Insert -> Module to add two further modules to the project.
5 | Click the Name column and assign a name to each module to distinguish them more easily: Module 1: Service, Module 2: Central, Module 3: Remote.
6 | Click the Type column of module Service and change the type to SOFTNET. Answer the warning prompt with Yes.
7 | This also changes the Type of the remaining nodes. Select S612 V2 for the modules Central and Remote.
8 | Click the IP address ext column and change the IP addresses as follows: Module Central: 192.168.2.2, Module Remote: 192.168.2.3. Enter the MAC addresses, which are printed on the housing of the respective modules, in the MAC address column.
5.4.2 Changing over to advanced mode
Table 5-6
1 | If you require more setting options, the view of the Security Configuration Tool must be expanded. Change over to the Advanced Mode by selecting View -> Advanced Mode.
2 | After having changed over to advanced mode, you cannot return to standard mode any more. Answer the warning prompt with Yes.

5.4.3 Creating firewall and routing rules
Table 5-7
1 | Select the line of module Central and double-click the relevant icon, or right-click and select Properties, to open the Module Properties dialog window.
2 | Select Firewall Settings and the IP Rules tab. Click the Add Rule button to add a new firewall rule.
3 | Select the action Allow and the direction Internal -> Tunnel. With this setting all data packets sent from the internal network into the tunnel are let through. Use Add Rule to add a further firewall rule.
4 | Select the action Allow and the direction Tunnel -> Internal. With this setting all data packets arriving from the tunnel for the internal network are let through.
5 | Change over to the Routing Mode tab.
6 | Activate Routing. Enter 172.168.2.1 as internal module IP address and 255.255.255.0 as subnet mask. Close the dialog box with OK.
7 | Select the third module Remote and double-click the relevant icon, or right-click and select Properties, to open the Module Properties dialog window.
8 | Select Firewall Settings and the IP Rules tab. Click the Add Rule button to add a new firewall rule.
9 | Select the action Allow and the direction Internal -> Tunnel. With this setting all data packets sent from the internal network into the tunnel are let through. Use Add Rule to add a further firewall rule.
10 | Select the action Allow and the direction Tunnel -> Internal. With this setting all data packets arriving from the tunnel for the internal network are let through. Change over to the Routing Mode tab.
11 | Activate Routing. Enter 140.80.0.1 as internal module IP address and 255.255.255.0 as subnet mask. Close the dialog box with OK.
12 | Supplement the IP configuration with the router address: click the Default Router column of each S612 module and enter 192.168.2.1.

5.4.4 Definition of VPN groups in the SCT
Table 5-8
1 | Select VPN groups and click the relevant icon, or select Insert -> Group, to add two new VPN groups to the project.
2 | Select the VPN groups one after the other and rename them via right mouse button -> Rename: VPN Group 1: Service-Central, VPN Group 2: Remote-Central.
3 | Select the VPN groups. The newly created groups are displayed with their new names.
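As an added example (not taken from this Siemens document), the following Python model ties together the VPN group rule of section 3.2 (modules in the same VPN group share a tunnel and can exchange data), the firewall rules of section 5.4.3 and the two groups of section 5.4.4, and reports which flows the configuration permits. The addresses are those of Table 5-1; the per-flow evaluation of the rule directions and the further station "Remote2" are assumptions.

```python
# Added example, not part of the Siemens document: a model of the SCT VPN
# groups (sections 3.2 and 5.4.4) and the S612 firewall rules (section 5.4.3).
# The addresses come from Table 5-1; "Remote2" is a constructed further
# station. Assumption: a rule "A -> B" permits flows initiated from side A
# towards side B, and the Softnet Security Client is the technician's PG
# itself, so it has no internal side of its own to filter.
import ipaddress
from dataclasses import dataclass

INT_TO_TUN = "Internal -> Tunnel"
TUN_TO_INT = "Tunnel -> Internal"
BOTH = frozenset({INT_TO_TUN, TUN_TO_INT})


@dataclass(frozen=True)
class Module:
    name: str
    kind: str                        # "SOFTNET" or "S612 V2"
    hosts: ipaddress.IPv4Network     # nodes reachable on the internal side
    rules: frozenset                 # allowed IP rule directions


def build_modules(central_rules=BOTH):
    """The three modules of section 5.4.1 with the internal networks of Table 5-1."""
    return {
        "Service": Module("Service", "SOFTNET",
                          ipaddress.ip_network("192.168.2.4/32"), BOTH),
        "Central": Module("Central", "S612 V2",
                          ipaddress.ip_network("172.168.2.0/24"),
                          frozenset(central_rules)),
        "Remote": Module("Remote", "S612 V2",
                         ipaddress.ip_network("140.80.0.0/24"), BOTH),
    }


def build_groups():
    """The two VPN groups of section 5.4.4."""
    return {"Service-Central": {"Service", "Central"},
            "Remote-Central": {"Central", "Remote"}}


def add_remote_station(modules, groups, name, network):
    """Section 3.2 advises adding further stations to the existing VPN group."""
    modules[name] = Module(name, "S612 V2", ipaddress.ip_network(network), BOTH)
    groups["Remote-Central"].add(name)


def module_for(modules, ip):
    addr = ipaddress.ip_address(ip)
    for mod in modules.values():
        if addr in mod.hosts:
            return mod
    raise ValueError(f"{ip} is not behind any configured module")


def shared_group(groups, a, b):
    return next((g for g, members in groups.items() if {a, b} <= members), None)


def flow_allowed(modules, groups, src_ip, dst_ip):
    """Return (allowed, reason) for a flow initiated from src_ip to dst_ip."""
    src, dst = module_for(modules, src_ip), module_for(modules, dst_ip)
    if src is dst:
        return True, "same internal network, no tunnel involved"
    group = shared_group(groups, src.name, dst.name)
    if group is None:
        return False, f"{src.name} and {dst.name} share no VPN group"
    if src.kind != "SOFTNET" and INT_TO_TUN not in src.rules:
        return False, f"{src.name} has no '{INT_TO_TUN}' rule"
    if dst.kind != "SOFTNET" and TUN_TO_INT not in dst.rules:
        return False, f"{dst.name} has no '{TUN_TO_INT}' rule"
    return True, f"permitted via VPN group {group}"


if __name__ == "__main__":
    mods, grps = build_modules(), build_groups()
    checks = [
        ("VNC: PG -> remote servicing PC", "192.168.2.4", "172.168.2.2"),
        ("STEP 7: remote servicing PC -> CP343-1", "172.168.2.2", "140.80.0.2"),
        ("direct: PG -> CP343-1", "192.168.2.4", "140.80.0.2"),
    ]
    for label, s, d in checks:
        print(label, flow_allowed(mods, grps, s, d))
    # Central configured with the Internal -> Tunnel direction only
    weak = build_modules(central_rules={INT_TO_TUN})
    print("VNC with one-way rules", flow_allowed(weak, grps, "192.168.2.4", "172.168.2.2"))
    # a further remote station in the same group can also reach the first one
    add_remote_station(mods, grps, "Remote2", "140.81.0.0/24")  # constructed
    print("Remote -> Remote2", flow_allowed(mods, grps, "140.80.0.2", "140.81.0.2"))
```

The model shows why the technician reaches the remote station only via the remote servicing PC, that Central needs both rule directions for the VNC session to get in, and that stations sharing one VPN group can reach each other, which is the trade-off of the performance advice in section 3.2.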
5.4.5 Inserting the modules in the groups
Table 5-9
1 | Select the modules Central and Remote one after the other and move them into the VPN group Remote-Central via drag and drop.
2 | Select the modules Central and Service one after the other and move them into the VPN group Service-Central via drag and drop. Attention: Always start with an S612 module, so as to ensure that the correct operating mode of the VPN group is used.
3 | Select the VPN group Service-Central and check whether the modules Central and Service are located there.
4 | Select the VPN group Remote-Central and check whether the modules Central and Remote are located there.
5 | In All modules, select the second module Central and double-click the relevant icon, or right-click and select Properties, to open the Module Properties dialog window. Go to the VPN tab. The S612 of the control center is passive, i.e. it waits for a VPN connection. For Permission to initiate the connection, select Wait for connection from remote VPN Gateway accordingly. For WAN IP address, enter the fixed, public IP address of the DSL router of the control center. Close the dialog box with OK.
6 | Likewise select the third module Remote and double-click the relevant icon, or right-click and select Properties, to open the Module Properties dialog window. Go to the VPN tab. The S612 of the remote station is active, i.e. it sets up the VPN connection. For Permission to initiate the connection, select Start connection to remote VPN Gateway accordingly. For WAN IP address, enter the fixed, public IP address of the DSL router of the remote station. Close the dialog box with OK.
7 | Acknowledge the warning with OK.
5.4.6 Download the modules
Table 5-10
1 | Connect the PG with the external interface of the S612 of the control center.
2 | In All Modules, select the second module Central. Download the configuration into the module via the respective icon.
3 | Prior to downloading to the module the project must be saved. Acknowledge the warning with OK.
4 | Save the configuration unless already done.
5 | Start downloading the configuration files by pressing the Start button.
6 | In All Modules, select the third module Remote. Download the configuration into the module via the respective icon.
7 | Start downloading the configuration files by pressing the Start button.
8 | In All Modules, select the first module Service. Download the configuration into the module via the respective icon.
9 | The configuration data for the Softnet Security Client is saved in a separate .dat file. Select the storage location and save the file.
10 | An additional password can be assigned for the certificates. Confirm the message with Yes.
11 | Enter a password and acknowledge with OK.
5.5 Activation of the Softnet Security Client
This chapter describes how you can activate the Softnet Security Client.
Table 5-11
1 | Select Start -> SIMATIC -> SCALANCE -> Security -> Softnet Security Client to open the Softnet Security Client.
2 | Click the Load Configuration Data button.
3 | Navigate to the path that contains the configuration file and the certificates for the Softnet Security Client. Click the Open button to load this .dat file.
4 | If a configuration has already been saved in the Softnet Security Client, it is replaced. Click Next.
5 | At this point you will be prompted for the password you defined earlier when transferring the configuration file for the Softnet Security Client from the Security Configuration Tool. Enter your password and click Next.
6 Now select whether the tunnel connections are to be activated for the members specified in the configuration. Click Yes. The tunnel between the SCALANCE S module and the Softnet Security Client is now established.
7 Use the Tunnel overview button to show an overview of the configured tunnel connections and their status.
8 Check whether the network address 192.168.2.4 is displayed in the Tunnel over column. If this is not the case, right-click -> Select Network Device.
9 Select the suitable network card and apply with OK.
5.6 Configuration of VNC
Table 5-12
1 At the remote servicing PC, start the server configuration dialog via Start -> Programs -> RealVNC -> VNC Server 4 (User-Mode) -> Configure User-Mode Settings.
2 In the Authentication tab, press Configure.
3 Enter a password for authentication of the clients at the server. Confirm the input with OK.
4 At the remote servicing PC, start the server via Start -> Programs -> RealVNC -> VNC Server 4 (User-Mode) -> Run VNC Server.
5 At the PG, start the VNC client via Start -> Programs -> RealVNC -> VNC Viewer 4 -> Run VNC Viewer. Under Server, enter the IP address of the remote servicing PC (172.158.2.2). Click OK.
6 Once the connection with the server has been established, you must enter the password for authentication of the client. Confirm with OK.
7 After successful authentication, a new window with the screen of the remote servicing PC opens.
6 Operating the Application
6.1 Preconditions
Before you can test the presented scenarios, the configured VPN tunnel connections to the communication partners must be established.
Softnet Security Client
Once the connections to the communication partners have been established, they are displayed in the Security Client as activated and configured stations (yellow key).
Figure 6-1
Security Configuration Tool
In the online view of the Security Configuration Tool, all established VPN tunnels can be seen in the Communication Status tab.
Figure 6-2
6.2 Operation
S7-CPU download
Table 6-1
1 Start the VNC Server at the remote servicing PC and the VNC Viewer at the PG.
2 After the connection has been established, the screen of the remote servicing PC is displayed on the PG. Open the SIMATIC Manager via VNC.
3 Open the project VPN_S612 and download the project into the CPU via the respective icon.
HTML page of CP343-1 Advanced
Table 6-2
1 Open an Internet browser on the remote servicing PC via VNC.
2 Enter the IP address (140.80.0.2) of the CP343-1 Advanced in the address bar. The internal HTML page of the communications module appears.
8 History
Table 8-1
Version Date Changes
V1.0 16.02.2010 First issue