Andover Continuum Network Security Configuration Guide




2010, Schneider Electric. All Rights Reserved.

No part of this publication may be reproduced, read or stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of Schneider Electric. This document is produced in the United States of America. Product names are trademarks of Schneider Electric. All other trademarks are the property of their respective owners.

Title: Andover Continuum Network Security Configuration Guide
Revision: B
Date: February, 2010
Schneider Electric part number: 30-3001-996
Controller names and version number: NetController II model 9680 version 2.0 and ACX 57x0 first-release firmware
Software application version number: Andover Continuum CyberStation Version 1.8

The information in this document is furnished for informational purposes only, is subject to change without notice, and should not be construed as a commitment by Schneider Electric. Schneider Electric assumes no liability for any errors or inaccuracies that may appear in this document.

Schneider Electric
One High Street
North Andover, MA 01845
Phone: (978) 975-9600
Fax: (978) 975-9782
http://www.schneider-electric.com/buildings

Network Security Configuration Guide 30-3001-996 Revision B February, 2010

About this Manual

What's in this Manual

This manual contains the following content:

Chapter 1, Network Security Configuration Overview, describes the steps required for establishing network security on both the controller and the CyberStation workstations that communicate with the controller.
Chapter 2, Configuring the Controller, presents the procedures to configure network security on the controller.
Chapter 3, Configuring the Workstation, presents the procedures to configure security on the CyberStation workstations that communicate with the controller.
Chapter 4, Activating Network Security for the Controller, presents procedures to activate the network security configuration on both existing and new controllers.

Related Documentation

For additional or related information, refer to these documents. See also the Continuum CyberStation online help.

Document                                                        Document Number
NetController II Installation Instructions                      30-3001-994
NetController II Operation and Technical Reference Guide        30-3001-995
ACX 57xx Series Controller Installation Instructions            TBD
ACX 57xx Controller Operation and Technical Reference Guide     TBD
Andover Continuum CyberStation Configurator's Guide             30-3001-781

Symbols Used

The Notes, Warnings and Cautions used in this manual are listed below.

Note: Contains additional information of interest to the user.

CAUTION or WARNING: Type of hazard. How to avoid hazard. Failure to observe this precaution can result in injury or equipment damage.

Contents

Chapter 1 Security Configuration Overview
    Securing IP Controllers Overview
    Before Getting Started
Chapter 2 Configuring the Controller
    Determining if the Network Security Option is Enabled
    Configuring a Controller for Secure Communication
        Accessing the Network Security Configuration Web Page
        Configuring the Controller for the Preferred Security
            Peer to Peer Security Configuration
            Network Security Options
            Web Server Security Options
        Submit the Changes for Network Security Configuration
Chapter 3 Configuring the Workstation
    Importing the IPSec Security Policy
    Editing the Imported Security Policy
    Assigning the Imported Security Policy
    Exporting the Modified Security Policy
Chapter 4 Activating Network Security for the Controller
    Setting the Network Security Attribute of an Existing Controller
    Creating a New Controller in CyberStation


Chapter 1 Security Configuration Overview

This chapter presents a brief overview of the major steps for establishing network security on a new network controller, such as the NetController II 9680 or the ACX 57x0, and it provides the requirements checklist for hardware, software, communication, and access privileges.

Topics include:
Securing IP Controllers Overview
Before Getting Started

Securing IP Controllers Overview

The communication between the controller and workstation is secured using Internet Protocol Security (IPSec) and the Internet Key Exchange (IKE) protocol. IPSec, a set of extensions to the IP protocol family, protects IP packets either with authentication and integrity only, or with authentication, integrity, and encryption. IKE securely negotiates the properties of the security associations between IPSec-enabled peers, such as Andover Continuum controllers and workstations, once all of the following tasks have been completed.

Configuring network security for the newest generation of Schneider Electric controllers includes the following steps:

Task 1: Determine if network security is enabled for the controller
Task 2: Configure the controller for secure communication
Task 3: Configure network security on the workstation
Task 4: Activate network security for the controller

The following table provides a brief overview of the configuration process and the major tasks defined in this manual.

Task    Configured In                       Description
Task 1  CyberStation software (Chapter 2)   Determines whether or not your site has purchased the network security option for this NetController II 9680 or ACX 57x0 controller.
Task 2  Controller (Chapter 2)              Configures the network security settings inside the controller.
Task 3  Workstation (Chapter 3)             Imports, edits, assigns, and exports the local Schneider Electric network security policy on the workstation.
Task 4  CyberStation software (Chapter 4)   Sets the Network Security attributes for an existing controller or a new controller.

Before Getting Started

Before you start configuring your controllers and workstations, make sure you have the required hardware and software to configure network security successfully.

Table 1 Required Hardware and Software

Workstation Software    Continuum CyberStation v1.8 (and higher); Windows XP SP2, Windows 2000 SP4, Windows Server 2003
Controller Hardware     NetController II 9680; ACX 57x0 series
Access Privileges       Administrative privileges on the workstation to configure the Local Security Policy. Administrative privileges on the controller to log on to the Web configuration pages and configure Network Security Properties.
Network IP Addresses    You must know the static IP address for each workstation. You must have an available static IP address for each controller.

Note: You may need to contact your Network Administrator to get the IP addresses.

Note: Older versions of Andover Continuum controllers do not support network security. However, the new versions of CyberStation and the new controllers, such as the NetController II 9680 and ACX 57x0, can be configured to communicate with controllers that do not support network security.


Chapter 2 Configuring the Controller

This chapter presents the procedures for configuring network security on the controllers.

Topics include:
Determining if the Network Security Option is Enabled
Configuring a Controller for Secure Communication
Configuring a Controller for Secure Communication in FIPS 140-2 Validated Mode

Determining if the Network Security Option is Enabled

To determine if the Network Security option is enabled on the controller, complete this procedure.

Note: On Andover Continuum controllers, Network Security is not enabled by default and must be purchased as a separately sold option from Schneider Electric.

Step 1: From the Continuum Explorer, edit the online controller.
Step 2: Select the Options tab on the Infinity Controller editor and check the value of the Network Security option. If the Network Security option value is Enabled, proceed to Configuring a Controller for Secure Communication. If the Network Security option value says Disabled, continue with the next step.
Step 3: Click the Update OS button and load the appropriate UPD file, which was provided when you purchased the Network Security option from Schneider Electric, to enable the Network Security option for this controller.
Step 4: When you have completed the update, verify that the controller has returned online.
Step 5: Select the Options tab on the Infinity Controller editor and verify that the Network Security option is set to Enabled.

Configuring a Controller for Secure Communication

To configure a controller, complete the steps in the following sections.

Note: If a controller has the Network Security option enabled, you must access and configure the controller using a Web browser.

Accessing the Network Security Configuration Web Page

To access the controller's Web configuration page, log in as an administrative user and navigate to the Network Security Configuration Web page. For instructions on logging in and navigating, see the NetController II Operation and Technical Reference Guide, 30-3001-995, or the ACX 57xx Series Controller Operation and Technical Reference Guide, 30-3001-999.

Configuring the Controller for the Preferred Security

When you are configuring the controller on the Network Security Configuration Web page, you can set the following security options:

Peer to Peer Security Configuration -- These options allow each workstation and controller to communicate with each other and authenticate each other's identity using the same Shared Authorization Secret.
Network Security Options -- These options allow for different levels of network security, including no security (the factory default), a network security policy requiring that all Andover Continuum traffic be authenticated, or a network security policy requiring that all Andover Continuum traffic be authenticated and encrypted.
Web Server Security Options -- This option allows for applying the network security level selected under Network Security Options to the controller's Web server. The network security level will be applied to all of the Web Configuration and Plain English Web pages if this option is turned on.

Peer to Peer Security Configuration

To configure Peer to Peer Security, complete this procedure:

Step 1: In the Enter Code field, enter an Authentication Secret for Key Negotiation. The secret may be any ASCII string up to 32 characters.

Note: The default secret from the factory is itsasecret. The factory default is printed in this guide and is the same on every controller, so replace it with a secret of your own before the controller goes on the production network. You must remember the secret that you enter here for later use. All controllers and CyberStations that need to communicate securely must be configured with the same secret.

Step 2: Re-enter the same secret in the Confirm Code field to confirm your secret.
Step 3: If this controller will be required to communicate with legacy controllers that do not support network security, or with controllers that have network security disabled on the same logical network, select Allow communication with unsecured controllers.
Step 4: If this controller will only communicate with secure peers, select Do not allow communication with unsecured controllers.

Network Security Options

To configure the Network Security Options, complete this procedure:

Step 1: Keeping the default selection, No Network Security, allows this controller to communicate unsecured, without network security.
Step 2: Selecting Authentication Only authenticates packets only. Choosing this option will allow packet snooping of the Schneider Electric Andover Continuum Protocol on the wire. However, packets may not be replayed to the controller, and the controller will disregard any packets that have had their data altered by an intrusive third party.
Step 3: Selecting Authentication and Encryption authenticates and encrypts packets. Choosing this option does not allow snooping of the Schneider Electric Andover Continuum Protocol on the wire, as the data are encrypted. Packets may not be replayed to the controller, and the controller will disregard any packets that have had their data altered by an intrusive third party.

Note: You must remember the option you selected for later use. All controllers and CyberStations that will communicate securely MUST be configured with the same option.

Web Server Security Options

To configure the Web Server Security Options, complete this procedure:

Step 1: Selecting Do not apply Security to Web pages will allow all Web communication to be unsecured and allows sniffing of the http protocol.

Step 2: Selecting Apply Security to Web Pages secures the Web communication with the selected Network Security Option.

Note: If this option is selected, it is recommended that the default Web port be changed from TCP Port 80 to Port 33920. You can make this change on the controller's Controller Network Configuration Web page. Refer to the NetController Operation and Technical Reference Guide, 30-3001-995, and the ACX 57xx Series Controller Operational and Technical Reference Guide, 30-3001-999.

Submit the Changes for Network Security Configuration

To submit changes, follow this procedure.

Step 1: Review all changes.

Note: After submitting changes, informational messages that signify the configuration changes are displayed on the bottom of the page.

Step 2: To commit the changes and restart the controller, navigate to the Commit Changes page and then click Commit Changes/Restart Controller. Changes take effect when the controller restarts.
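The Network Security Options above state what each level guarantees on the wire: Authentication Only leaves the Continuum protocol readable but rejects replayed and altered packets, while Authentication and Encryption also hides the payload, and at either level a peer with a different secret is rejected. The following Python model is added here to show the mechanism behind those guarantees; it is not code from Schneider Electric or the controller firmware. It imitates an IPSec ESP security association at each level and then replays, tampers with, and re-keys a packet to show what the receiver drops. Everything in it is an assumption for the example: HMAC-SHA256 stands in for the integrity algorithm and an HMAC keystream for the cipher (the guide does not name the controller's FIPS 140-2 validated algorithms), the keys are derived straight from the shared secret rather than negotiated by IKE, the class and function names are invented, and the sample command is constructed.

```python
"""Toy model of the guide's two network security levels (added example, not
Schneider Electric code).  HMAC-SHA256 stands in for the integrity algorithm
and an HMAC keystream for the cipher; keys come straight from the shared
secret rather than from IKE; the 32-packet anti-replay window follows
RFC 4303 section 3.4.3."""
import hashlib
import hmac
import struct

AUTH_ONLY = "Authentication Only"
AUTH_AND_ENCRYPT = "Authentication and Encryption"
ICV_LEN = 16   # truncated HMAC-SHA256, as ESP truncates its ICVs
WINDOW = 32    # anti-replay window, in packets


class SecurityAssociation:
    """One peer's state: send sequence number plus receive replay window."""

    def __init__(self, shared_secret: str, level: str, spi: int = 0x1001):
        secret = shared_secret.encode("ascii")
        self.level, self.spi = level, spi
        self.auth_key = hashlib.sha256(b"auth|" + secret).digest()  # stand-in for IKE
        self.enc_key = hashlib.sha256(b"enc|" + secret).digest()
        self.send_seq = 0    # last sequence number sent
        self.recv_top = 0    # highest sequence number accepted
        self.recv_mask = 0   # bitmap of accepted numbers below recv_top

    def _xor_keystream(self, data: bytes, seq: int) -> bytes:
        stream, block = b"", 0
        while len(stream) < len(data):
            stream += hmac.new(self.enc_key, struct.pack(">II", seq, block), hashlib.sha256).digest()
            block += 1
        return bytes(a ^ b for a, b in zip(data, stream))

    def _icv(self, header_and_body: bytes) -> bytes:
        return hmac.new(self.auth_key, header_and_body, hashlib.sha256).digest()[:ICV_LEN]

    def protect(self, payload: bytes) -> bytes:
        """Build SPI | seq | body | ICV for one outbound packet."""
        self.send_seq += 1
        header = struct.pack(">II", self.spi, self.send_seq)
        body = self._xor_keystream(payload, self.send_seq) if self.level == AUTH_AND_ENCRYPT else payload
        return header + body + self._icv(header + body)

    def unprotect(self, packet: bytes) -> bytes:
        """Return the payload, or raise ValueError for a packet that must be dropped."""
        if len(packet) < 8 + ICV_LEN:
            raise ValueError("short packet")
        header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack(">II", header)
        if spi != self.spi:
            raise ValueError("unknown SPI")
        # RFC 4303 order: replay pre-check, then ICV, then window update.
        if not self._replay_ok(seq):
            raise ValueError("replayed or outside the anti-replay window")
        if not hmac.compare_digest(self._icv(header + body), icv):
            raise ValueError("integrity check failed")
        self._replay_update(seq)
        return self._xor_keystream(body, seq) if self.level == AUTH_AND_ENCRYPT else body

    def _replay_ok(self, seq: int) -> bool:
        if seq == 0:
            return False
        if seq > self.recv_top:
            return True
        diff = self.recv_top - seq
        return diff < WINDOW and not (self.recv_mask >> diff) & 1

    def _replay_update(self, seq: int) -> None:
        if seq > self.recv_top:
            shift = seq - self.recv_top
            self.recv_mask = ((self.recv_mask << shift) | 1) & ((1 << WINDOW) - 1)
            self.recv_top = seq
        else:
            self.recv_mask |= 1 << (self.recv_top - seq)


def _rejected(receiver: SecurityAssociation, packet: bytes) -> bool:
    try:
        receiver.unprotect(packet)
        return False
    except ValueError:
        return True


def demonstrate(level: str, secret: str = "itsasecret") -> dict:
    """Send one packet, then try the attacks the guide says each level blocks."""
    workstation = SecurityAssociation(secret, level)
    controller = SecurityAssociation(secret, level)
    payload = b"Set OutsideAirTemp 21.5"   # constructed sample command, not a real Continuum message
    packet = workstation.protect(payload)
    result = {"payload_readable_on_wire": payload in packet,
              "accepted": controller.unprotect(packet) == payload,
              "replay_rejected": _rejected(controller, packet)}
    tampered = bytearray(workstation.protect(payload))
    tampered[8] ^= 0xFF                    # alter the first body byte in transit
    result["tamper_rejected"] = _rejected(controller, bytes(tampered))
    imposter = SecurityAssociation("wrong-secret", level)
    imposter.send_seq = 100                # fresh sequence number, so only the ICV decides
    result["wrong_secret_rejected"] = _rejected(controller, imposter.protect(payload))
    return result
```

Running demonstrate(AUTH_ONLY) reports the payload readable on the wire but every replay, tamper and wrong-secret attempt rejected; demonstrate(AUTH_AND_ENCRYPT) reports the same rejections with the payload no longer visible. The replay window also shows why the guide insists that every peer share one option and one secret: a receiver only accepts what it can check against its own state.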

Configuring a Controller for Secure Communication in FIPS 140-2 Validated Mode

To configure a controller for secure communication in FIPS 140-2 validated mode, complete the steps in the following sections. In order to configure the controller to operate in FIPS 140-2 validated mode, the controller must have the Network Security - FIPS 140-2 validated option enabled.

To verify that the FIPS 140-2 option is enabled:

Step 1: Navigate to the controller's Web configuration page.
Step 2: Log in as an administrator.

Note: For instructions on logging in and navigating, refer to the NetController II Operation and Technical Reference Guide, 30-3001-995, or the ACX 57xx Series Controller Operation and Technical Reference Guide, 30-3001-999.

Step 3: Select Option Settings from the menu. The Network Security option should be listed as Enabled - FIPS 140-2.

Accessing the Network Security Configuration Web Page

When configuring the controller to operate in FIPS 140-2 validated mode, specific steps must be taken for the initial security configuration. In order to complete these steps you must connect directly from your laptop or PC's Ethernet port to the controller's Ethernet port using an RJ-45 cable. The direct connection matters because this first configuration pass is unsecured: the controller is still using the factory default secret, so nothing else should be able to reach it until the secure configuration has been committed. Perform the following steps to start the initial configuration.

Step 1: Be sure to have a copy of the TACEncryptAndAuthenticatePolicy.ipsec file on the laptop or PC that you will be using to configure the controller. This file can be found at: <install drive>:\Program Files\Continuum\Network Security\
Step 2: Set your laptop or PC's IP address to an address in the range 169.254.1.2 to 169.254.1.254.
Step 3: Directly connect an RJ-45 cable between your laptop or PC and the controller's Ethernet port.
Step 4: Access the controller's Web configuration page using a Web browser on your laptop or PC by navigating to the controller's default IP address at http://169.254.1.1
Step 5: Log in as an administrative user and navigate to the Network Security Configuration Web page.

Note: For instructions on logging in and navigating, refer to the NetController II Operation and Technical Reference Guide, 30-3001-995, or the ACX 57xx Series Controller Operation and Technical Reference Guide, 30-3001-999.

Configuring the Controller for the Preferred Security

When configuring the controller on the Network Security Configuration Web page, you can set the following security options:

Peer to Peer Security Configuration - These options allow each workstation and controller to communicate with each other and authenticate each other's identity using the same Shared Authorization Secret.
Network Security Options - These options allow for different levels of network security, including no security (the factory default), a network security policy requiring that all Andover Continuum traffic be authenticated, or a network security policy requiring that all Andover Continuum traffic be authenticated and encrypted.
Web Server Security Options - This option allows for applying the network security level selected under Network Security Options to the controller's Web server. The network security level will be applied to all of the Web Configuration and Plain English Web pages if this option is turned on. Select this option when the controller is being configured to run in FIPS 140-2 validated mode.

Peer to Peer Security Configuration

To configure Peer to Peer Security, complete this procedure:

Step 1: In the Enter Previous Code field, enter an Authentication Secret for Key Negotiation. The secret may be any ASCII string with a minimum length of 8 characters and a maximum of 32 characters.

Note: The default secret from the factory is itsasecret. You must remember the secret that you enter here for later use. All controllers and CyberStations that need to communicate securely must be configured with the same secret.

Note: The first time the controller is configured for Network Security in FIPS 140-2 validated mode, the connection to the controller is unsecured. After configuring the controller for Network Security in FIPS 140-2 validated mode for the first time, you may then go back and change the Authentication Secret from the factory default to a more secure secret of your choice.

Step 2: Re-enter the same secret in the Enter New Code field.
Step 3: Re-enter the same secret in the Confirm New Code field.
Step 4: If this controller will be required to communicate with legacy controllers that do not support network security, or with controllers that have network security disabled on the same logical network, select Allow communication with unsecured controllers.
Step 5: If this controller will only communicate with secure peers, select Do not allow communication with unsecured controllers.

Network Security Options

To configure the Network Security Options, complete this procedure:

Step 1: Keeping the default selection, No Network Security, allows this controller to communicate unsecured, without network security. In this configuration, FIPS 140-2 validated mode will be disabled.
Step 2: Selecting Authentication Only authenticates packets only. Choosing this option will allow packet snooping of the Schneider Electric Andover Continuum Protocol on the wire. However, packets may not be replayed to the controller, and the controller will disregard any packets that have had their data altered by an intrusive third party.
Step 3: Selecting Authentication and Encryption authenticates and encrypts packets. Choosing this option does not allow snooping of the Schneider Electric Andover Continuum Protocol on the wire, as the data are encrypted. Packets may not be replayed to the controller, and the controller will disregard any packets that have had their data altered by an intrusive third party.

Note: You must remember the option you selected for later use. All controllers and CyberStations that will communicate securely MUST be configured with the same option.

Web Server Security Options

To configure the Web Server Security Options, complete this procedure:

Step 1: Selecting Do not apply Security to Web Pages will allow all Web communication to be unsecured and allow sniffing of the http protocol.
Step 2: Selecting Apply Security to Web Pages secures the Web communication with the selected Network Security Option.

Note: This option should be selected when the controller is being configured to run in FIPS 140-2 validated mode. If this option is selected, it is recommended that the default Web port be changed from TCP Port 80 to Port 33920. You can make this change on the controller's Controller Network Configuration Web page. Refer to the NetController Operation and Technical Reference Guide, 30-3001-995, and the ACX 57xx Series Controller Operational and Technical Reference Guide, 30-3001-999.

Submit the Changes for Network Security Configuration

To submit the changes, follow this procedure:

Step 1: Review all changes.

Note: After submitting changes, informational messages that signify the configuration changes are displayed on the bottom of the page.

Step 2: To commit the changes and restart the controller, navigate to the Commit Changes page and then click Commit Changes/Restart Controller. Changes take effect when the controller restarts.
Step 3: Follow the procedure in Chapter 3, Configuring the Workstation, being sure to configure the workstation for Web Security.
Step 4: Once the workstation has been configured for Network Security, access the controller's Web configuration pages again. You will now be accessing the controller's Web pages securely and the controller will be operating in FIPS 140-2 validated mode. Log in to the controller's Web page as an administrative user and navigate to the Network Security Configuration page. Validate that the controller displays that all Encryption Algorithm Known Answer Tests have passed and that the controller is running in FIPS 140-2 validated mode.

Note: Since security is now applied to the Web pages and the default Web port has been changed from 80 to 33920, the following format must be used to access the controller's Web page securely: http://<ip address>:<web port>/ The pages are still served over plain HTTP; the protection comes from the IPSec policy on the workstation and controller, not from TLS.

Step 5: At this time you may securely enter an authorization secret of your choosing. Do this before connecting the controller to your network in Step 6; until the secret is changed, the controller still authenticates peers with the factory default printed in this guide.
Step 6: Now that the controller is operating in FIPS 140-2 validated mode, you may configure the controller to use an IP address that is appropriate for your network. Once the appropriate IP address has been entered, you may disconnect your laptop or PC from the controller and connect the controller to your network.


Chapter 3 Configuring the Workstation

This chapter describes the procedures for configuring a CyberStation workstation's local security policy. The security configuration for each workstation that communicates with a Schneider Electric network controller must match the controller's security configuration.

Topics include:
Importing the IPSec Security Policy
Editing the Imported Security Policy
Assigning the Imported Security Policy
Exporting the Modified Security Policy

Note: These procedures must be performed by a system administrator, and they must be performed on each CyberStation workstation with which the controller will communicate.

Importing the IPSec Security Policy

To import IPSec Security Policies, complete this procedure:

Step 1: From the Windows Control Panel, double click on Administrative Tools.
Step 2: From the Administrative Tools display, double click Local Security Policy.
Step 3: From the Local Security Settings dialog, right click on IP Security Policies on Local Computer.
Step 4: Select All Tasks from the popup menu, then select Import Policies from the submenu.
Step 5: From the Open dialog, navigate to the Network Security Policy folder: <install drive>:\Program Files\Continuum\Network Security. If you installed Continuum to a directory other than the default, the files will reside at: <install path>\Network Security.
Step 6: If you configured the controller for Authentication Only, select the TACAuthenticatePolicy.ipsec file. If you configured the controller for Authentication and Encryption, select the TACEncryptAndAuthenticatePolicy.ipsec file.
Step 7: Click Open to import the policy.
Step 8: Verify that the appropriate policy -- TAC Encrypt and Authenticate or TAC Authenticate -- is now available under Local Security Settings.

Editing the Imported Security Policy

To edit imported security policies, complete this procedure:

Step 1: Double click the name of the imported security policy. The TAC Encrypt and Authenticate Properties dialog appears.

Step 2: If you configured the controller for Web Security, enable the TAC Web Server Filter in the IP Security rules list by checking the check box on the Rules tab. If you did not configure the controller for Web Security, leave the check box unchecked.

Step 3: For each TAC rule in the list, click Edit. For each, the Edit Rule Properties dialog appears.

Step 4: Select the Authentication Methods tab, select the Preshared Key method, and click Edit.

Step 5: In the Edit Authentication Method Properties dialog, enter the same secret here that was entered in the controller.

Step 6: Repeat setting the Authentication Secret for each rule in the list.

Note: The secret entered here is not a hidden field. Access to the Local Security Policy tool is restricted to users with administrative privileges on the machine. In order to protect access to the shared secret, all other users of the machine that will run CyberStation should be restricted to Windows Power Users.

Assigning the Imported Security Policy

To assign imported security policies, complete this procedure:

Step 1: Right click on TAC Encrypt and Authenticate or TAC Authenticate, depending on which Security Policy you imported, and select Assign.

Step 2: The IPSec Security Policy is now enabled, and the workstation can communicate with security-enabled controllers.

Exporting the Modified Security Policy

For installations with multiple CyberStation workstations, the edited security policy may be exported for use on the other CyberStations. This allows the modified policy to be imported on the other CyberStation workstations without having to edit the policy on each one.

Step 1: From the Local Security Settings dialog, right click on IP Security Policies on Local Computer.

Step 2: Select All Tasks from the popup menu, then select Export Policies from the submenu.

Step 3: From the Save As dialog, select an appropriate directory, or create a new directory, to which the modified policy will be exported.

Step 4: Provide an appropriate file name for the modified policy to be exported and click the Save button.

Step 5: Import the exported IPSec policy file to the other CyberStations that are installed, and assign the policy.
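The Chapter 3 procedures (import, assign, verify and export of the IPSec policy) can also be driven from the command line through the netsh ipsec static context, which manages the same IP Security Policies on Local Computer store that the Local Security Policy snap-in edits. The script below is an added example and is not part of this guide or of Schneider Electric's tooling. The default policy folder and file names are the ones the guide gives; the Mode parameter, the export path and the assumption that the script runs from an administrative session are the example's own. The preshared key is deliberately left to the GUI step in Editing the Imported Security Policy, since that is where the guide sets it per rule. The script also lists the local Administrators group, because, as the guide's note states, anyone with administrative rights on the workstation can read the shared secret in the policy editor.

```powershell
# Added example (not from the guide): scripted equivalent of the
# import / assign / verify / export steps using "netsh ipsec static".
# Run from an administrative session on a workstation that provides
# the netsh ipsec static context (Windows XP / Server 2003 and later).
param(
    # Assumption: which controller security mode was configured.
    [ValidateSet("Authenticate", "EncryptAndAuthenticate")]
    [string]$Mode = "EncryptAndAuthenticate",

    # Default install folder from the guide; override if Continuum was
    # installed elsewhere (<install path>\Network Security).
    [string]$PolicyFolder = "C:\Program Files\Continuum\Network Security",

    # Constructed export path; choose any directory the other
    # CyberStations can read from.
    [string]$ExportPath = "C:\Temp\TAC-Modified-Policy.ipsec"
)

# File and policy names as they appear in the guide for each mode.
if ($Mode -eq "Authenticate") {
    $policyFile = "TACAuthenticatePolicy.ipsec"
    $policyName = "TAC Authenticate"
} else {
    $policyFile = "TACEncryptAndAuthenticatePolicy.ipsec"
    $policyName = "TAC Encrypt and Authenticate"
}
$fullPath = Join-Path $PolicyFolder $policyFile

if (-not (Test-Path $fullPath)) {
    throw "Policy file not found: $fullPath (check the install path)"
}

# Importing the IPSec Security Policy (All Tasks > Import Policies).
netsh ipsec static importpolicy "file=$fullPath"

# Assigning the Imported Security Policy (right click > Assign).
# Only one policy can be assigned at a time; assigning this one
# replaces any policy that was previously assigned.
netsh ipsec static set policy "name=$policyName" assign=yes

# Verify: the policy should be listed and shown as assigned.
netsh ipsec static show policy "name=$policyName" level=verbose

# The preshared key is visible to anyone who can open the policy in
# the Local Security Policy tool. Show who holds administrative rights
# so that other CyberStation users can be confirmed as Power Users.
Write-Host "Local administrators on this workstation:"
net localgroup Administrators

# Exporting the Modified Security Policy (All Tasks > Export Policies)
# for import on the other CyberStation workstations.
$exportDir = Split-Path $ExportPath -Parent
if (-not (Test-Path $exportDir)) {
    New-Item -ItemType Directory -Path $exportDir | Out-Null
}
netsh ipsec static exportpolicy "file=$ExportPath"
Write-Host "Policy exported to $ExportPath"
```

Because the exported .ipsec file contains the rules but not a hidden copy of the secret, the preshared key still has to be entered in the policy editor on each workstation after import, exactly as Step 5 of Editing the Imported Security Policy describes; the script only removes the repeated navigation through the snap-in.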


Chapter 4 Activating Network Security for the Controller

When a CyberStation workstation has the local security policy that allows it to communicate securely with the controller's devices, the security attribute of existing controllers can be turned on, or a new controller with the security attribute can be created. This chapter describes the following procedures.

Topics include:
Setting the Network Security Attribute of an Existing Controller
Creating a New Controller in CyberStation

Setting the Network Security Attribute of an Existing Controller

To set the Network Security attribute of an existing controller in CyberStation, complete this procedure:

Step 1: Enter offline editing mode in CyberStation.

Step 2: Bring up the InfinityController editor for that controller.

Step 3: Check the Network Security check box, and click Apply.

Step 4: Enter online editing mode.

Step 5: Verify that the controller is online.

Step 6: Teach the controller.

For more information on configuring controllers in CyberStation and the teach function, please see the Continuum online help and the Andover Continuum CyberStation Configurator's Guide, 30-3001-781.

Creating a New Controller in CyberStation

To create a new controller in CyberStation, complete this procedure:

Step 1: In the Continuum Explorer, create a new InfinityController object.

Step 2: On the General tab, select 9680 from the Controller Type dropdown menu.

Step 3: Enter the appropriate ACCNetID.

Step 4: Check the Network Security checkbox.

Step 5: On the Network tab, enter the appropriate network settings.

Step 6: Click Apply.

Step 7: Verify that the controller is online.

Step 8: Teach the controller.

For more information on configuring controllers in CyberStation and the teach function, please see the Continuum online help and the Andover Continuum CyberStation Configurator's Guide, 30-3001-781.


Network Security Configuration Guide
Document Number 30-0001-996
Revision B