Setting up a secure VPN Connection between the TS Adapter IE Advanced and Windows 7


Configuration Example 09/2014
Setting up a secure VPN Connection between the TS Adapter IE Advanced and Windows 7
TS Adapter IE Advanced
http://support.automation.siemens.com/ww/view/en/99681037

Warranty and liability

Note: The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These application examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these application examples and other Siemens publications, e.g. catalogs, the contents of the other documents have priority.

We do not accept any liability for the information contained in this document. Any claims against us based on whatever legal reason resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (Produkthaftungsgesetz), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (wesentliche Vertragspflichten). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment.

Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of Siemens Industry Sector.

Security information

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates.

For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity.

To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.automation.siemens.com.

Entry ID: 99681037, V1.0, 09/2014

Table of Contents

Warranty and liability ... 2
1 Task and Solution ... 4
1.1 Task ... 4
1.2 Possible solution ... 4
1.3 Characteristics of the solution ... 5
2 Configuration and Project Engineering ... 6
2.1 Setting up the environment ... 6
2.1.1 Required components and IP address overview ... 6
2.1.2 Service PC ... 7
2.1.3 DSL access for the TS Adapter IE Advanced (DSL router2) ... 8
2.1.4 TS Adapter IE Advanced ... 9
2.1.5 Setting up the infrastructure ... 10
2.2 Commissioning remote maintenance ... 11
2.2.1 Preparation ... 11
2.2.2 Initial configuration of the TS Adapter IE Advanced ... 12
2.2.3 Parameterizing remote access ... 16
2.2.4 Final steps ... 22
2.3 Establishing the VPN connection ... 23
3 Testing the Tunnel Function ... 29
4 Appendix: Handling CA Certificates ... 30
4.1 Deleting CA certificates ... 30
4.2 Installing CA certificates ... 31
5 History ... 32

1 Task and Solution

1.1 Task

The task is to establish a secure connection between two networks (e.g., automation networks or individual devices) via the Internet or a company's internal network. The following customer requirements have to be considered:
- Protection against spying and data manipulation.
- Prevention of unauthorized access.
- Easy handling and integration.
- Use of existing addresses and addressing schemes.
- Transparency (or easy use) for users.

1.2 Possible solution

Complete overview
The figure below shows one way of implementing the customer requirements:

[Figure: Service PC (Win 7, VPN client) - Internet modem/router - Internet - Internet router / SCALANCE M874-x with static WAN IP address - TS Adapter IE Advanced (VPN server) - Industrial Ethernet - automation cell with SIMATIC S7 stations; the VPN tunnel runs between the service PC and the TS Adapter IE Advanced]

The connection between the service PC and the automation cell (for example, SIMATIC stations, panels, drives, PCs) is protected by a VPN tunnel. In this example, the service PC and the TS Adapter IE Advanced form the two tunnel endpoints for the secure connection. The TS Adapter IE acts as the VPN server, the PC acts as the VPN client.

Access to the TS Adapter IE (VPN server) from the WAN is predefined by the use of a static WAN IP address. WAN access on the client side is flexible; the IP address of the WAN port is not relevant.

When establishing the VPN tunnel, the roles are defined as follows:

Table 1-1
Component                VPN role
Service PC               Initiator (VPN client); starts the VPN connection
TS Adapter IE Advanced   Responder (VPN server); waits for the VPN connection

TS Adapter IE Advanced
The TS Adapter IE Advanced allows access, through the Internet, to all automation components of a plant - e.g., S7 CPUs - that are connected to Industrial Ethernet. A PG/PC with at least Windows 7 or Windows Server 2008 allows convenient remote maintenance of a plant through the Internet, including enhanced security mechanisms. The TS Adapter IE Advanced provides the following functions:
- SSTP VPN (data encryption and authentication) for remote maintenance.
- IPv4 and IPv6 support on the WAN interface (IPv6 for firmware version 1.1.0 or higher).
- Time-controlled WAN connectivity.
- Packet filter configuration.
- Enabling and disabling routes (VPN tunnel, Internet access).
- Router functionality (port forwarding, NAT, DynDNS (with IPv6)).

1.3 Characteristics of the solution

- High security standard due to VPN, certificates, random numbers generated in hardware and consideration of the strict Siemens Security Guidelines.
- Customized solution for remote maintenance in the automation environment.
- The same range of functions (STEP 7 functions, diagnostics) as on site without having to install additional programs.
- Easy integration into existing networks and protection of devices that do not have their own security functions.
- Generally, enabling or configuring by IT administrators is not necessary.

2 Configuration and Project Engineering

2.1 Setting up the environment

2.1.1 Required components and IP address overview

Software packages
To work with the TS Adapter IE Advanced, you need a PC with a "Windows 7" operating system (or higher) and the "Primary Setup Tool" (PST) software (V4.1 or higher). Install these software packages on a PC/PG.

Note: The Primary Setup Tool is used to set the LAN interface of the TS Adapter IE Advanced. This tool can be downloaded for free from Online Support, Entry ID: 19440762.

Required devices/components
To set up the environment, use the following components:
- A TS Adapter IE Advanced (optional: a DIN rail installed accordingly, including fitting accessories).
- A 24 V power supply with cable connector and terminal block plug.
- DSL access with a dynamic WAN IP address and a DSL router (e.g. SCALANCE M81x-1).
- DSL access with a static WAN IP address and a DSL router (e.g. SCALANCE M81x-1).
- A PC on which "Windows 7" and the "PST" are installed.
- The necessary network cables, TP cables (twisted pair) according to the IE FC RJ45 standard for Industrial Ethernet.

Note: You can also use another Internet access method (e.g., UMTS). The configuration described below explicitly refers only to the components listed in "Required devices/components".

IP addresses
For this example, the IP addresses are assigned as follows:

[Figure: Service PC (Win 7, 192.168.2.89) - DSL router1 (LAN 192.168.2.1, dynamic WAN IP) - Internet - DSL router2 / SCALANCE M874-x (static WAN IP address, LAN 172.16.0.1) - TS Adapter IE Advanced (WAN 172.16.47.1, LAN 172.22.80.2, VPN server) - Industrial Ethernet; the VPN tunnel runs between the service PC and the TS Adapter IE Advanced]

Table 2-1
Component       Port       IP address                         Router        Subnet mask
Service PC      LAN port   192.168.2.89                       192.168.2.1   255.255.255.0
DSL router1     LAN port   192.168.2.1                        -             255.255.255.0
DSL router1     WAN port   Dynamic IP address from provider   -             Assigned by provider
DSL router2     WAN port   Static IP address from provider    -             Assigned by provider
DSL router2     LAN port   172.16.0.1                         -             255.255.0.0
TS Adapter IE   WAN port   172.16.47.1                        172.16.0.1    255.255.0.0
TS Adapter IE   LAN port   172.22.80.2                        -             255.255.255.0

2.1.2 Service PC

Installed software
The following software packages are relevant on the service PC:
- PC with the Windows 7 operating system as the remote end for the VPN connection to the TS Adapter IE Advanced.
- Web browser to parameterize the TS Adapter IE Advanced.
- Primary Setup Tool to set the IP address.

Deleting the CA certificate
If you suspect that a CA certificate is misused, you should generate a new CA certificate for security reasons. Make sure that the new CA certificate replaces the old one on all service PCs involved (delete the old CA certificate and import the new one). For security reasons, you should regularly generate new CA certificates. To delete a CA certificate, please follow the instructions from Chapter 4 (Appendix: Handling CA Certificates).

Installing the CA certificate
The initial configuration of the TS Adapter IE Advanced is done via a local HTTPS connection. As, at this time, a CA certificate for this TS Adapter IE Advanced has not yet been installed on the service PC, a security warning is displayed. You can acknowledge this security warning or install the CA certificate supplied on the CD in the Windows certificate store before first commissioning. To do this, please follow the instructions from Chapter 4 (Appendix: Handling CA Certificates).

Note: To manage CA certificates, you need administrator rights.

Web interface of the TS Adapter IE Advanced
To open the Web interface, you have the following options:
- Open a directly connected Web browser with TIA Portal.
- Open a Web browser via a remote connection with TIA Portal.
- Directly connected standard Web browser.
This example uses the "Directly connected standard Web browser" method.

Note: More information on the options to open the Web interface can be found in the appropriate chapter in the TS Adapter manual at the following link: https://www.automation.siemens.com/mdm/default.aspx?docversionid=65739502731&Language=en-EN&TopicId=65449369483&guiLanguage=en

2.1.3 DSL access for the TS Adapter IE Advanced (DSL router2)

Static IP address for DSL router2
WAN access of the service PC (VPN client) to the TS Adapter IE Advanced (VPN server) is implemented using a fixed public IP address. This IP address must be requested from the provider and then stored in DSL router2.

Port forwarding on DSL router2
Due to the use of a DSL router as an Internet gateway, you have to enable the following port on DSL router2 and forward the data packets to the TS Adapter IE Advanced (VPN server; IP address on the WAN port):
- TCP port 443 (HTTPS)

Note: Some routers allow remote access via an Internet connection (HTTPS port 443). In this case, it is not possible to forward port 443 to the TS Adapter IE Advanced using port forwarding. For remote access to the router, you have to use another port (e.g., port 5443). Port 443 is the default port for VPN connections (SSTP) in Windows - and therefore also for the TS Adapter IE - and cannot be changed.

2.1.4 TS Adapter IE Advanced

Resetting to factory default
To make sure that no old configurations and certificates are stored in the TS Adapter IE Advanced, reset the module to factory default. For the appropriate chapter in the TS Adapter manual, please use the following link: https://www.automation.siemens.com/mdm/default.aspx?docversionid=65739502731&Language=en-EN&TopicId=49826068875&guiLanguage=en

Physical connection between the PC and the TS Adapter IE Advanced
Connect the PC to a LAN port of the TS Adapter IE Advanced.

Assigning the IP address
In the as-supplied state and after resetting the parameters, the TS Adapter IE Advanced has no valid IP address. To be able to work with the module, first set its IP parameters as described in Table 2-1. To do this, use the Primary Setup Tool.

Note: For information on the Primary Setup Tool such as installation, configuration and handling, please refer to the manual - Entry ID: 19440762.

2.1.5 Setting up the infrastructure

Connect all the components involved in this solution.

[Figure: Service PC (Win 7) LAN port - DSL router1 LAN port / WAN port - Internet modem/router - DSL router2 / SCALANCE M874-x (static WAN IP address) WAN port / LAN port - TS Adapter IE Advanced (VPN server) WAN port / LAN port]

Table 2-2
Component       Local port   Partner                                                         Partner port
Service PC      LAN port     DSL router1                                                     LAN port
TS Adapter IE   WAN port     DSL router2                                                     LAN port
TS Adapter IE   LAN port     E.g., an automation network (does not exist in this solution)   -

2.2 Commissioning remote maintenance

2.2.1 Preparation

Components used
This solution uses the following components: TS Adapter IE Advanced and a standard Internet browser.

Physical connection between the PC and the TS Adapter IE Advanced
Connect the service PC to a free LAN port of the TS Adapter IE Advanced and change the network settings on the service PC as follows:
- IP address: 172.22.80.100
- Subnet mask: 255.255.255.0

Opening the Web interface
The TS Adapter IE Advanced is configured on a "directly connected" basis with a standard Internet browser.
1. In the address field of the browser, enter the IP address of the TS Adapter IE Advanced in the following form: https://172.22.80.2:5443. In particular, make sure to specify port 5443, on which the Web interface can be accessed.
2. Enter the user name and password. When you log on for the first time or after setting to factory default, the login data is defined as follows:
   Name: Administrator
   Password: admin
3. Click "Login".
Result: The Web interface of the TS Adapter opens.

2.2.2 Initial configuration of the TS Adapter IE Advanced

When you first log on, a guided tour takes you through all the settings required to commission the TS Adapter IE Advanced. The following section lists and explains the individual steps of the guided tour.

System Clock
Among other things, the system time is used to generate certificates. Set the time as follows:
1. Enter the system time parameters. The time must be entered in UTC format.
2. Apply the settings with "Save settings".

Specific Password Settings
Each password that is newly created or changed in the TS Adapter must follow specific rules. In the Web interface of the TS Adapter IE Advanced, you can define these rules yourself, for example the minimum length and minimum number of password elements.
1. Define the settings for entering the password.
2. Apply the settings with "Save settings".

Changing the administrator password
When you first log on, you are prompted to replace the default password of the default user, "Administrator", with a new password.
1. In the "Password" field, enter a new administrator password and reenter the password to confirm it. When choosing the password, make sure that it complies with the password check rules ("Specific Password Settings").
2. Apply the settings with "Save settings".

CA certificate generation
The last step of the guided tour prompts you to generate a new CA certificate. This overwrites the default CA certificate.
1. In "Common name", add the name to "SIMATIC TeleService Adapter". In the CA certificate, this name is stored as the subject name and issuer information.
2. Use the "Generate CA certificate" button to generate the CA certificate.
Result: The initial configuration of the TS Adapter is complete.

2.2.3 Parameterizing remote access

Preparation
Open the Web interface of the TS Adapter IE Advanced. To do this, please follow the instructions from Chapter 2.2.1 (Preparation). Log on as an administrator and use the new password (see Chapter 2.2.2).

IP parameters - Public Network
Now you define how the TS Adapter IE Advanced can be accessed remotely.
1. In the navigation bar, go to "Parameters" > "Public Network". In "Remote address assignment", select "Free entry".
2. In "Remote address", enter the static WAN IP address of your DSL access point.

3. For the WAN interface, select "Static" in "IP address assignment" and enter the IP address for the WAN interface as listed in Table 2-1. As the DNS server, use the IP address of the DSL router's LAN interface.
4. Apply the settings with "Save settings".

IP parameters - Plant Network
Now you define which IP address is assigned to the service PC when establishing the VPN connection.
1. In the navigation bar, go to "Parameters" > "Plant Network" > "IP parameters". Enter any available IP address that is in the same subnet as the plant network (automation network on the LAN interface of the TS Adapter).
2. Apply the settings with "Save settings".

Connection parameters
Depending on the application, access to the TS Adapter via the WAN interface can be configured differently. Remote maintenance via VPN is desired for this example. To enable it, proceed as follows:
1. In the navigation bar, go to "Information" > "Connections". Change the connection control of the WAN interface to "ONLINE + VPN".
2. Apply the settings with "Save settings".

Creating a user
To enable the service PC to establish a VPN connection to the TS Adapter IE Advanced, a login with a user name and password is required. During the initial configuration, only the "Administrator" user is entered in the TS Adapter. As this user cannot establish a VPN connection, another user has to be entered. To create a new user, proceed as follows:
1. In the navigation bar, go to "Security" > "User Management". Use "Edit" to create another user.
2. In the appropriate text boxes, enter a user name and password. Confirm the password. When choosing the password, make sure that it complies with the password check rules ("Specific Password Settings").

3. Apply the settings with "Save settings".
Result: You have created a new user with the right to establish a VPN connection.

Exporting the CA certificate
To allow the service PC to uniquely identify the TS Adapter IE Advanced as the connection partner, the TS Adapter IE Advanced generates a CA certificate with a unique fingerprint (see Chapter 2.2.2 (Initial configuration of the TS Adapter IE Advanced)). To establish a VPN connection, it is mandatory to store this CA certificate in the Windows certificate store (local computer). To export the certificate, proceed as follows:
1. In the navigation bar, go to "Security" > "Certificates". Use the "Exporting CA certificate" button to export the CA certificate.

2. Save the certificate to your project folder.
3. The CA certificate of the TS Adapter IE Advanced is stored in your project folder.
Result: The parameterization of the TS Adapter for remote maintenance is complete.

2.2.4 Final steps

Service PC
To establish a VPN connection, it is mandatory to store the CA certificate generated by the TS Adapter in the Windows certificate store (local computer). To do this, please follow the instructions from Chapter 4 (Appendix: Handling CA Certificates).

Infrastructure
1. Connect the service PC to the LAN interface of DSL router1.
2. Assign the required network configuration to the network card as shown in Table 2-1.
3. In all devices on the LAN port of the TS Adapter IE Advanced, enter the default gateway (IP address of the LAN port).
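Before dialing in (Chapter 2.3), the port forwarding from Chapter 2.1.3 and the CA certificate exported in Chapter 2.2.3 can be checked from the service PC. The following PowerShell script is an added example and not part of the Siemens application example; it assumes a placeholder static WAN address for DSL router2 and an assumed file name for the exported CA certificate.

```powershell
# Added example (not part of the Siemens application example): before dialing the SSTP
# connection, check that TCP 443 on the static WAN address of DSL router2 is forwarded to
# the TS Adapter IE Advanced and that the certificate presented there was issued by the
# CA certificate exported in 2.2.3. Written for the PowerShell 2.0 that ships with Windows 7.
# Assumptions: $WanAddress is a placeholder, $CaFile is the assumed name of the exported CA.
param(
    [string]$WanAddress = "203.0.113.10",         # placeholder: static WAN IP of DSL router2
    [string]$CaFile     = ".\TS-Adapter-CA.cer"   # assumed file name of the exported CA certificate
)

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaFile)

# 1. Plain TCP connect: fails if port forwarding on DSL router2 is missing or the
#    router itself still owns port 443 (see 2.1.3).
$client = New-Object System.Net.Sockets.TcpClient
$async  = $client.BeginConnect($WanAddress, 443, $null, $null)
if (-not $async.AsyncWaitHandle.WaitOne(5000, $false)) {
    throw "No TCP connection to ${WanAddress}:443 within 5 s - check port forwarding on DSL router2."
}
$client.EndConnect($async)

# 2. TLS handshake only. The callback accepts whatever is presented so that the
#    certificate can be inspected here; nothing is sent over the connection afterwards.
$script:serverCert = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    return $true
}
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($WanAddress)
$ssl.Close()
$client.Close()
$srv = $script:serverCert

# 3. Build the chain with the exported CA as an extra anchor and require that the chain
#    terminates exactly in that CA (thumbprint match), not in some other root.
$chainObj = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainObj.ChainPolicy.ExtraStore.Add($ca) | Out-Null
$chainObj.ChainPolicy.RevocationMode     = "NoCheck"
$chainObj.ChainPolicy.VerificationFlags  = "AllowUnknownCertificateAuthority"
$built = $chainObj.Build($srv)
$root  = $chainObj.ChainElements[$chainObj.ChainElements.Count - 1].Certificate

"Server certificate : {0}" -f $srv.Subject
"Issued by          : {0}" -f $srv.Issuer
"Chain root         : {0}" -f $root.Thumbprint
"Exported CA        : {0}" -f $ca.Thumbprint
if ($built -and ($root.Thumbprint -eq $ca.Thumbprint)) {
    "OK: port 443 reaches the TS Adapter and its certificate chains to the exported CA."
} else {
    "WARNING: the certificate on ${WanAddress}:443 does not chain to the exported CA - do not connect."
}
```

If the TCP connect succeeds but the chain check fails, port 443 is typically answered by the DSL router's own management interface rather than forwarded to the TS Adapter (see the note in Chapter 2.1.3).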

2.3 Establishing the VPN connection

When the TS Adapter IE Advanced has been parameterized for remote maintenance and the infrastructure has been connected as shown in Table 2-2, the service PC (VPN client) can initialize the VPN tunnel to the TS Adapter IE Advanced (VPN server). To establish a remote connection to the TS Adapter IE Advanced, proceed as follows:
1. On the service PC (Windows 7), open Control Panel.
2. In the search bar, enter "network" and select "Set up a connection or network".
3. Select the "Connect to a workplace" option and click "Next".

4. Select "Use my Internet connection (VPN)".
5. In the appropriate text boxes, enter the WAN IP address of DSL router2 (DSL router of the TS Adapter IE Advanced to be contacted) and a name for the connection.

6. Check the "Don't connect now; just set it up so I can connect later" option and click "Next".
7. Enter the user name and the associated password of the newly created user (see page 20) in the appropriate text boxes. Click "Create".

8. Select "Close" to close the dialog.
9. Click the network icon in the SysTray. The new connection is displayed in "Dial-up and VPN". Select the new connection and right-click > "Properties" to open the appropriate dialog.

10. Go to the "Security" tab and select "Secure Socket Tunneling Protocol (SSTP)" as the VPN type. Close the properties with "OK".
11. Once again, click the network icon in the SysTray and select the new connection. Click "Connect" to establish the remote connection to the TS Adapter IE Advanced.

12. Enter the password for the user (see page 20) and select "Connect" to start connection establishment.
Result: The VPN connection to the TS Adapter is being established. Once the VPN connection has been established, the dialog closes. The following status message appears: "Connected".

Note: If a connection cannot be established, try to find the cause. More information and troubleshooting help can be found in the appropriate chapter in the TIA manual at the following link: https://www.automation.siemens.com/mdm/default.aspx?docversionid=63972520715&Language=en-EN&TopicId=58521033355&guiLanguage=en

3 Testing the Tunnel Function

Chapter 2 completes the commissioning of the configuration; the service PC and the TS Adapter IE Advanced have established a VPN tunnel for secure communication. You can test the established tunnel connection using a ping command on an internal node. This is described below. Alternatively, you can also use other methods to test the configuration (for example, by opening the internal Web page when using a PROFINET CPU).
1. On the service PC, select "Start" > "All Programs" > "Accessories" > "Command Prompt" in the start bar.
2. In the command line of the "Command Prompt" window that appears, enter the "ping <IP address of internal node of remote end>" command at the cursor position.
Result: You get a positive response from the internal node.

Note: In Windows, the default settings of the firewall may prevent ping commands from passing. You may have to enable the ICMP services of the "Request" and "Response" type.
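The tunnel test of Chapter 3 as a script, added here and not part of the Siemens application example: it dials the entry created in Chapter 2.3 with rasdial, checks that the service PC received an address from the plant network of Table 2-1 (the address configured in Chapter 2.2.3) and then pings an internal node. The entry name, the VPN user name and the internal node address are assumed placeholders.

```powershell
# Added example (not part of the Siemens application example): Chapter 3 as a script for
# the PowerShell 2.0 of Windows 7. Assumptions: $EntryName is the connection name chosen in
# step 5 of 2.3, $VpnUser the user created in "Security" > "User Management", $InternalNode
# a placeholder for a device on the LAN port of the TS Adapter, $PlantPrefix the plant
# subnet 172.22.80.0/24 from Table 2-1.
param(
    [string]$EntryName    = "TS Adapter VPN",   # assumed name of the dial-up/VPN entry
    [string]$VpnUser      = "service",          # assumed VPN user name
    [string]$InternalNode = "172.22.80.50",     # placeholder: internal node behind the TS Adapter
    [string]$PlantPrefix  = "172.22.80."
)

# 1. Dial the SSTP entry. "*" makes rasdial prompt for the password instead of taking it
#    from the command line (and therefore from the shell history).
& rasdial.exe $EntryName $VpnUser *
if ($LASTEXITCODE -ne 0) {
    throw "rasdial failed with code $LASTEXITCODE - VPN connection not established."
}

# 2. The tunnel end on the PC is an IP-enabled adapter carrying the address the TS Adapter
#    assigned from "Parameters" > "Plant Network" > "IP parameters" (2.2.3).
$vpnIp = $null
$cfgs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = true"
foreach ($cfg in $cfgs) {
    foreach ($ip in @($cfg.IPAddress)) {
        if ($ip -and $ip.StartsWith($PlantPrefix)) { $vpnIp = $ip }
    }
}
if (-not $vpnIp) {
    & rasdial.exe $EntryName /disconnect | Out-Null
    throw "Tunnel is up but no address in ${PlantPrefix}0/24 was assigned - check the 'Plant Network' IP parameters."
}
"Tunnel address on service PC: $vpnIp"

# 3. Ping through the tunnel (Chapter 3). No reply with the tunnel up usually means ICMP
#    echo is blocked by a firewall on the node or on the service PC.
if (Test-Connection -ComputerName $InternalNode -Count 3 -Quiet) {
    "OK: $InternalNode answered through the VPN tunnel."
} else {
    "No reply from $InternalNode - check the ICMP 'Request'/'Response' rules in the Windows firewall."
}
```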

4 Appendix: Handling CA Certificates

4.1 Deleting CA certificates

To delete existing CA certificates, proceed as follows:
1. Log on to the system as an administrator.
2. Use Microsoft Management Console to open Windows Certificate Manager on your PG/PC.
3. To do this, click "Start", enter mmc in the search box and press the ENTER key. The console opens.
4. In the "File" menu, click "Add/Remove Snap-In". The snap-in selection dialog box opens.
5. In the "Snap-In" list, double-click "Certificates" and in the next dialog, select "Computer account".
6. In the next dialog, select the "Local Computer" item and click "Finish" and "OK". The Console Root opens and displays the "Certificates (Local Computer)" folder.
7. Open the displayed "Certificates (Local Computer)" folder and click "Trusted Root Certification Authorities".
8. Open the "Certificates" folder, select the desired CA certificate and select "Delete" in the context menu.
9. Confirm the following prompt with "Yes".
Result: The selected CA certificate is deleted from the list of available certificates.

4.2 Installing CA certificates

To install a CA certificate, proceed as follows:
1. Log on to the system as an administrator.
2. Use Microsoft Management Console to open Windows Certificate Manager on your PG/PC.
3. Click "Start", enter mmc in the search box and press the ENTER key. The console opens.
4. In the "File" menu, click "Add/Remove Snap-In". The snap-in selection dialog box opens.
5. In the "Snap-In" list, double-click "Certificates" and in the next dialog, select "Computer account".
6. In the next dialog, select the "Local Computer" item and click "Finish" and "OK". The Console Root opens and displays the "Certificates (Local Computer)" folder.
7. Open the displayed "Certificates (Local Computer)" folder and click "Trusted Root Certification Authorities".
8. Click the "Certificates" folder and use the context menu to select the "Action" > "All Tasks" > "Import" command.
9. Read the information displayed in the "Certificate Import Wizard" dialog and click "Next".
10. In the following dialog, click "Search", select the desired CA certificate and apply it with "Open".
11. Double-click "Next" and then "Finish" to install the CA certificate.

Result: The selected CA certificate is installed in the specified location in the Windows certificate store.

5 History

Table 5-1
Version   Date      Modifications
V1.0      09/2014   First version
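The CA rotation recommended in Chapter 2.1.2 (delete the old CA certificate, import the new one) carried out in one script instead of the two MMC procedures of Chapter 4; this is an added example and not part of the Siemens application example. It assumes a file name for the exported CA certificate and recognises older TS Adapter CA certificates by the "SIMATIC TeleService Adapter" common name from Chapter 2.2.2; it must run in an elevated PowerShell (administrator rights, as the note in Chapter 2.1.2 requires).

```powershell
# Added example (not part of the Siemens application example): replaces the TS Adapter CA
# certificate in "Certificates (Local Computer)" > "Trusted Root Certification Authorities",
# i.e. Chapter 4.1 (delete) followed by 4.2 (install) in one step, as recommended in 2.1.2
# when a CA certificate is rotated. Written for the PowerShell 2.0 of Windows 7.
# Assumptions: $NewCaFile is the assumed name of the newly exported CA certificate;
# $SubjectHint is the CN prefix the TS Adapter stores in its CA (2.2.2).
param(
    [string]$NewCaFile   = ".\TS-Adapter-CA.cer",
    [string]$SubjectHint = "SIMATIC TeleService Adapter"
)

$x509 = "System.Security.Cryptography.X509Certificates"
$newCa = New-Object "$x509.X509Certificate2"($NewCaFile)

# The exported file must be a self-signed CA; refuse anything else so that a server or user
# certificate is never placed into the trusted root store by mistake.
if ($newCa.Subject -ne $newCa.Issuer) {
    throw "File is not a self-signed CA certificate (subject: $($newCa.Subject))."
}
$isCa = $false
foreach ($ext in $newCa.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
        $isCa = $ext.CertificateAuthority
    }
}
if (-not $isCa) { throw "Basic constraints do not mark this certificate as a CA." }

$storeName = [System.Security.Cryptography.X509Certificates.StoreName]::Root
$storeLoc  = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
$store = New-Object "$x509.X509Store"($storeName, $storeLoc)
$store.Open("ReadWrite")
try {
    # 4.1: remove every older TS Adapter CA, identified by its subject name, except the one
    #      that is about to be (re)installed.
    $old = @($store.Certificates | Where-Object {
        ($_.Subject -like "*$SubjectHint*") -and ($_.Thumbprint -ne $newCa.Thumbprint) })
    foreach ($c in $old) {
        "Removing old CA: {0}  valid until {1}  thumbprint {2}" -f $c.Subject, $c.NotAfter, $c.Thumbprint
        $store.Remove($c)
    }
    # 4.2: install the new CA unless it is already present.
    $present = @($store.Certificates | Where-Object { $_.Thumbprint -eq $newCa.Thumbprint })
    if ($present.Count -eq 0) {
        $store.Add($newCa)
        "Installed new CA: {0}  thumbprint {1}" -f $newCa.Subject, $newCa.Thumbprint
    } else {
        "New CA already installed: thumbprint {0}" -f $newCa.Thumbprint
    }
} finally {
    $store.Close()
}
# Compare the printed thumbprint with the fingerprint of the CA certificate generated on the
# TS Adapter (2.2.2) before this PC is used for VPN connections.
```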