Siemens 
Scalance S623

Summary of Contents for SCALANCE S623

Page 1: ...Siemens Scalance S623 ...

Page 2: ...w Basic Configuration; Standard mode Firewall; Advanced Firewall; Password Management; Advanced Password Management; VPN with Pre-Shared Key; VPN with Certificates; Gateway to Gateway VPN; VPN with User Authentication ...

Page 3: ...Technology Overview. User Authentication: on device, or connection with a RADIUS server. VPN: IPsec end to end ...

Page 4: ...Necessary Software: Siemens Security Configuration Tool, Siemens SOFTNET Security Client, Siemens Automation License Manager. Optional: Siemens Primary Setup Tool ...

Page 5: ...Basic Configuration. In this example we set the IP addresses of all 3 interfaces on the Scalance 623. This demonstrates configuration steps that are reused in every following example ...

Page 6: ...Basic Configuration: 1 Setting up the network; 2 Making IP settings for the PC; 3 Creating a project and security module; 4 Downloading the configuration to the security module ...

Page 7: ...ace of the Scalance to the PC. Scalance interfaces: External network (red marking), unprotected network area; Internal network (green marking), network protected by the Scalance; DMZ port (yellow marking), unprotected or protected network. 1 Setting up the network ...

Page 8: ...Basic Configuration. Open Control Panel (Start > Control Panel). Open Network and Sharing Center. 2 Making IP settings for the PC. PC: IP address 192.168.10.2, subnet mask 255.255.255.0 ...

Page 9: ...on. Select Change adapter settings. Open the Local Area Connection Properties: double-click Local Area Connection, then click Properties. 2 Making IP settings for the PC. PC: IP address 192.168.10.2, subnet mask 255.255.255.0 ...

Page 10: ...perties button. Select Use the following IP. Enter the values from the table in the relevant boxes. Close the dialogs with OK and close Control Panel. 2 Making IP settings for the PC. PC: IP address 192.168.10.2, subnet mask 255.255.255.0 ...

Page 11: ...Configuration. Start the Security Configuration Tool. Select the Project > New menu command. Create a new user; this user is assigned the administrator role. Confirm with OK. 3 Creating a project and security module ...

Page 12: ...sic Configuration. In the Product type, Module and Firmware release areas select the following options: Product type Scalance S; Module S623; Firmware release V4. 3 Creating a project and security module ...

Page 13: ...Basic Configuration. In the Configuration area enter the MAC address. The MAC address is printed on the front of the SCALANCE. 3 Creating a project and security module ...

Page 14: ...rnal IP address 192.168.10.1 and the external subnet mask 255.255.255.0. From the drop-down list select the Routing Mode. Enter the internal IP address 192.168.9.1 and the internal subnet mask 255.255.255.0. Confirm with OK. 3 Creating a project and security module ...

Page 15: ...lect the Edit > Properties menu command, Interfaces tab. Select the Activate Interface check box in the DMZ port X3 area. Enter the IP address 192.168.8.1 and the subnet mask 255.255.255.0 for the DMZ interface. Confirm with OK. 3 Creating a project and security module ...

Page 16: ...elect the Project > Save menu command. Select the security module in the content area. Select the Transfer > To module(s) menu command. Start the download with the Start button. 4 Downloading the configuration to the security module ...

Page 17: ...the Scalance is restarted automatically and the configuration activated. The Scalance is now in productive operation. Configurations can be downloaded via all interfaces. The configured IP addresses can be modified. 4 Downloading the configuration to the security module ...

Page 18: ...Standard mode Firewall. In this example the firewall is configured so that IP traffic can only be initiated by the internal network ...

Page 19: ...etting up the network; 2 Making IP settings for the PCs; 3 Creating a project and security module; 4 Configuring the firewall; 5 Downloading the configuration to the security module; 6 Testing the firewall function (ping test, logging) ...

Page 20: ...actory settings by pressing the Reset button and holding it down for at least 5 seconds. Connect the PC with the Security Configuration Tool (PC1) to the external network interface. Connect PC2 to the internal network interface. 1 Setting up the network ...

Page 21: ...Set the IP addresses of the PCs as in the table above. Standard mode Firewall. 2 Making IP settings for the PCs. PC1: IP address 192.168.10.2, subnet mask 255.255.255.0. PC2: IP address 192.168.10.3, subnet mask 255.255.255.0 ...

Page 22: ...rewall. Create a new project. In the Configuration area enter the MAC address. Enter the external IP address 192.168.10.1 and the external subnet mask 255.255.255.0. Confirm with OK. 3 Creating a project and security module ...

Page 23: ...Edit > Properties menu command. Select the Firewall tab in the displayed dialog. Activate the settings shown in the picture. Result: IP traffic is only initiated from the internal network. Logging is selected to record data traffic. Close with OK. Save the project. 4 Configuring the firewall ...

Page 24: ...Standard mode Firewall. Transfer the configuration to the security module. 5 Downloading the configuration to the security module ...

Page 25: ...Firewall. Open the command prompt on PC2 (Start > All Programs > Accessories > Command Prompt). Enter the ping command from PC2 to PC1: ping 192.168.10.2. All packets reach PC1. 6 Testing the firewall function (ping test, logging) ...

Page 26: ...Standard mode Firewall. Open the command prompt on PC1. Enter the ping command from PC1 to PC2: ping 192.168.10.3. All packets are blocked at the Scalance. 6 Testing the firewall function (ping test, logging) ...

Page 27: ...ndard mode Firewall. In the SCT change to online mode by selecting the menu option View > Online. Select Edit > View Diagnostics. Select the Packet filter log tab. 6 Testing the firewall function (ping test, logging) ...

Page 28: ...Standard mode Firewall. Click the Start reading button. Acknowledge with OK. Log entries are read and displayed here. 6 Testing the firewall function (ping test, logging) ...

Page 29: ...figured to allow IP traffic from PC2 to PC1. The packets are forwarded to the outside with the source IP address translated to the IP address of the security module and a dynamically assigned port number. Only replies to these packets can enter the internal network ...

Page 30: ...ting up the network; 2 Making IP settings for the PCs; 3 Creating a project and security module; 4 Configuring the firewall; 5 Downloading the configuration to the security module; 6 Testing the firewall function (ping test, logging) ...

Page 31: ...eset the Scalance to factory settings by pressing the Reset button and holding it down for at least 5 seconds. Connect the PC with the Security Configuration Tool (PC1) to the external network interface. Connect PC2 to the internal network interface ...

Page 32: ...tings for the PCs. Advanced Firewall. Set the IP addresses of the PCs as in the table above. PC1: IP address 192.168.10.2, subnet mask 255.255.255.0, default gateway 192.168.10.1. PC2: IP address 192.168.9.2, subnet mask 255.255.255.0, default gateway 192.168.9.1 ...

Page 33: ...ate a new project. In the Configuration area enter the MAC address. Enter the external IP address 192.168.10.1 and the external subnet mask 255.255.255.0. Select the Routing mode. Enter the internal IP address 192.168.9.1 and subnet mask 255.255.255.0. Confirm with OK ...

Page 34: ...iguration view to advanced mode with the menu command View > Advanced Mode. Select the module in the content area. Select the Edit > Properties menu command. Go to the NAT/NAPT tab. 4 Configuring the firewall. Advanced Firewall ...

Page 35: ...box. Click the Add button in the NAT input area. Configure the NAT rule with the following parameters: Action Source NAT; From Internal; To External; Source IP address; Source translation 192.168.10.1. Confirm with Apply. 4 Configuring the firewall ...

Page 36: ...nced Firewall. Select the Firewall tab. Expand the firewall rule created by the SCT with the following: Destination IP address 192.168.10.2. Select the Logging check box. Confirm with OK. 4 Configuring the firewall ...

Page 37: ...Advanced Firewall. Transfer the configuration to the security module. 5 Downloading the configuration to the security module ...

Page 38: ...Advanced Firewall. Open the command prompt on PC2. Enter the ping command from PC2 to PC1: ping 192.168.10.2. All packets reach PC1. 6 Testing the firewall function (ping test, logging) ...

Page 39: ...to online mode in the SCT with the View > Online menu command. Select the module in the content area and the menu command Edit > Online diagnostics. Go to the Packet filter log tab. 6 Testing the firewall function (ping test, logging) ...

Page 40: ...Advanced Firewall. Click Start reading. Confirm the dialog with OK. 6 Testing the firewall function (ping test, logging) ...

Page 41: ...User Management. In this example only a specific user is allowed to access PC2 in the internal network from PC1 in the external network. For other users access is blocked ...

Page 42: ...for the PCs; 3 Creating a project and security module; 4 Creating remote access users; 5 Setting and assigning a user-specific IP rule set; 6 Downloading the configuration to the security module; 7 Logging in on the Web page; 8 Testing the firewall function (ping test) ...

Page 43: ...set the Scalance to factory settings by pressing the Reset button and holding it down for at least 5 seconds. Connect the PC with the Security Configuration Tool (PC1) to the external network interface. Connect PC2 to the internal network interface ...

Page 44: ...ttings for the PCs. User Management. Set the IP addresses of the PCs as in the table above. PC1: IP address 192.168.10.2, subnet mask 255.255.255.0, default gateway 192.168.10.1. PC2: IP address 192.168.9.2, subnet mask 255.255.255.0, default gateway 192.168.9.1 ...

Page 45: ...te a new project. In the Configuration area enter the MAC address. Enter the external IP address 192.168.10.1 and the external subnet mask 255.255.255.0. Select the Routing mode. Enter the internal IP address 192.168.9.1 and subnet mask 255.255.255.0. Confirm with OK ...

Page 46: ...User Management. Select the Options > User management menu command. Click the Add button in the User tab. Create a new user with the settings in the figure. Confirm with OK. 4 Creating remote access users ...

Page 47: ...e configuration to advanced mode via View > Advanced Mode. Select the User-specific IP rule sets object in the navigation panel. Select the Add rule set entry in the shortcut menu. 5 Setting and assigning a user-specific IP rule set ...

Page 48: ...ement. Enter a rule in the dialog as shown below. From the Available users and roles list select the Remote user entry and click the Assign button. Confirm with OK. 5 Setting and assigning a user-specific IP rule set ...

Page 49: ...module in the navigation panel and drag it to the newly created user-specific IP rule set. The assignment can be checked by opening the module properties and selecting the Firewall tab. 5 Setting and assigning a user-specific IP rule set ...

Page 50: ...User Management. 5 Setting and assigning a user-specific IP rule set ...

Page 51: ...User Management. Expand rule set shows the user-specific rule in detail. 5 Setting and assigning a user-specific IP rule set ...

Page 52: ...User Management. Transfer the configuration to the security module. 6 Downloading the configuration to the security module ...

Page 53: ...User Management. In the Web browser of PC1 enter the address https://192.168.10.1. 7 Logging in on the Web page ...

Page 54: ...User Management. If the web page does not show the login fields, try changing the language in the upper right corner. 7 Logging in on the Web page ...

Page 55: ...User Management. Enter the user name Remote and the corresponding password and click the Log in button. 7 Logging in on the Web page ...

Page 56: ...User Management. The defined IP rule set is enabled for the Remote user. 7 Logging in on the Web page ...

Page 57: ...User Management. Open the command prompt on PC1. Enter the ping command from PC1 to PC2: ping 192.168.9.2. All packets reach PC2. 8 Testing the firewall function (ping test) ...

Page 58: ...xample a RADIUS server is set up to manage user accounts. Only users that can authenticate to the RADIUS server can access the internal network from the external network. Topology: RADIUS server in the DMZ network; PC1 in the external network; PC2 in the internal network ...

Page 59: ...e PCs; 3 Creating a project and security module; 4 Setting up the RADIUS server; 5 Configuring the firewall; 6 Linking the RADIUS server and security module; 7 Downloading the configuration to the security module; 8 Logging in on the Web page; 9 Testing the firewall function (ping test) ...

Page 60: ...button and holding it down for at least 5 seconds. Connect the PC with the Security Configuration Tool (PC1) to the external network interface. Connect PC2 to the internal network interface. Connect the Linux PC that will be used as RADIUS server to the DMZ interface. 1 Setting up the network ...

Page 61: ...above. The IP address of the Linux PC is preset to the correct value. 2 Making IP settings for the PCs. PC1: IP address 192.168.10.2, subnet mask 255.255.255.0, default gateway 192.168.10.1. PC2: IP address 192.168.9.2, subnet mask 255.255.255.0, default gateway 192.168.9.1. RADIUS: IP address 192.168.8.2, subnet mask 255.255.255.0, default gateway 192.168.8.1 ...

Page 62: ...ess. Enter the external IP address 192.168.10.1 and the external subnet mask 255.255.255.0. Select the Routing mode. Enter the internal IP address 192.168.9.1 and subnet mask 255.255.255.0. Confirm with OK. Advanced User Management. 3 Creating a project and security module ...

Page 63: ...le. Select the security module created and select the Edit > Properties menu command, Interfaces tab. Select the Activate Interface check box in the DMZ port X3 area. Enter the IP address 192.168.8.1 and the subnet mask 255.255.255.0 for the DMZ interface. Confirm with OK ...

Page 64: ...Management. On the Linux PC open the Web browser and go to http://freeradius.org/download.html. Download version 3.0.9 of the RADIUS server. Open the Terminal: open the Dash and type terminal. 4 Setting up the RADIUS server ...

Page 65: ...nced User Management. Go to the Downloads folder: cd Downloads. Unpack the RADIUS server: tar zxvf freeradius-server-3.0.9.tar.gz. Enter the newly created folder: cd freeradius-server-3.0.9. 4 Setting up the RADIUS server ...

Page 66: ...Advanced User Management. Install the server with the following commands: ./configure, make, sudo make install. The password is TBD. 4 Setting up the RADIUS server ...

Page 67: ...next step is to configure the clients of the server. Open the file explorer with gksudo nautilus. Enter the sudo password in the following prompt. Using Nautilus, browse to Computer > /usr/local/etc/raddb. 4 Setting up the RADIUS server ...

Page 68: ...Advanced User Management. Open clients.conf and add a new client as in the image. Save and close the window. Open users and add the following users. Save and close the window. 4 Setting up the RADIUS server ...

Page 69: ...nstalled and configured, run sudo radiusd -X to start the server in debug mode. If this error shows up, check the OpenSSL version with openssl version -a. This command should show the following date: built on Thu Jun 11. 4 Setting up the RADIUS server ...

Page 70: ...the following commands: sudo apt-get update, sudo apt-get upgrade. If OpenSSL is correctly updated, open radiusd.conf and change the allow_vulnerable_openssl parameter to yes. Save and close the window. Try starting the server again with sudo radiusd -X. 4 Setting up the RADIUS server ...

Page 71: ...ed User Management. Enter Advanced mode in the Security Configuration Tool. Use the menu command Options > User Management. Create a new user with the following settings. Confirm with OK. 5 Configuring the firewall ...

Page 72: ...Advanced User Management. Select the User-specific IP rule sets in the navigation window. Select the Add rule set option in the shortcut menu. 5 Configuring the firewall ...

Page 73: ...Advanced User Management. Enter a rule in the dialog as shown below. 5 Configuring the firewall ...

Page 74: ...d User Management. From the Available users and roles list select the radius user entry and click the Assign button, then select the radius role entry and click Assign. Confirm with OK. 5 Configuring the firewall ...

Page 75: ...lect the security module in the navigation panel and drag it to the newly created user-specific IP rule set. The assignment can be checked by opening the module properties and selecting the Firewall tab. 5 Configuring the firewall ...

Page 76: ...Advanced User Management. Select the menu option Options > Configuration of the RADIUS server. Click the Add button in the dialog. 6 Linking the RADIUS server and security module ...

Page 77: ...Management. Define the server with the following values: IP address/FQDN 192.186.8.2; Shared secret SiemensSecret; Repeat shared secret SiemensSecret. Confirm with OK. 6 Linking the RADIUS server and security module ...

Page 78: ...ent. Open the SCALANCE S module properties and go to the RADIUS tab. Check the Enable RADIUS authentication box. Click the Add button; this adds the newly configured RADIUS server. 6 Linking the RADIUS server and security module ...

Page 79: ...Advanced User Management. In the RADIUS settings area check the Allow RADIUS authentication of non-configured users box. Confirm with OK. 6 Linking the RADIUS server and security module ...

Page 80: ...Advanced User Management. Transfer the configuration to the SCALANCE S module. 7 Downloading the configuration to the security module ...

Page 81: ...Advanced User Management. In the Web browser of PC1 enter the address https://192.168.10.1. 8 Logging in on the Web page ...

Page 82: ...Advanced User Management. If the web page does not show the login fields, try changing the language in the upper right corner. 8 Logging in on the Web page ...

Page 83: ...Advanced User Management. Enter the user name radius and the corresponding password and click the Log in button. 8 Logging in on the Web page ...

Page 84: ...Advanced User Management. The defined IP rule set is enabled for the radius user. 8 Logging in on the Web page ...

Page 85: ...Advanced User Management. Now click the Log out button. Enter the user name radius2 and the corresponding password and click the Log in button. 8 Logging in on the Web page ...

Page 86: ...Advanced User Management. The defined IP rule set for the radius role is enabled. Users that are not defined on the module can log in. 8 Logging in on the Web page ...

Page 87: ...Advanced User Management. Open the command prompt on PC1. Enter the ping command from PC1 to PC2: ping 192.168.9.2. All packets reach PC2. 9 Testing the firewall function (ping test) ...

Page 88: ...example a VPN tunnel is configured between a security module and the SOFTNET Security Client. With this configuration IP traffic is possible only over the established VPN tunnel connection between the two authorized partners. Topology: PC3 behind the security module, PC1 in the external network ...

Page 89: ...for the PCs; 3 Creating a project and security module; 4 Configuring a VPN group; 5 Downloading the configuration to the security module and saving the SOFTNET Security Client configuration; 6 Setting up a tunnel with the SOFTNET Security Client; 7 Testing the tunnel function ...

Page 90: ...ton and holding it down for at least 5 seconds. Connect the switch to the external network interface. Connect the PC with the Security Configuration Tool (PC1) and the PC with the SOFTNET Security Client (PC2) to the switch. Connect PC3 to the internal network interface. 1 Setting up the network ...

Page 91: ...ngs for the PCs. Set the IP addresses of the PCs as in the table above. PC1: IP address 192.168.10.2, subnet mask 255.255.255.0, default gateway 192.168.10.1. PC2: IP address 192.168.10.3, subnet mask 255.255.255.0, default gateway 192.168.10.1. PC3: IP address 192.168.9.2, subnet mask 255.255.255.0, default gateway 192.168.9.1 ...

Page 92: ...ress. Enter the external IP address 192.168.10.1 and the external subnet mask 255.255.255.0. Select the Routing mode. Enter the internal IP address 192.168.9.1 and subnet mask 255.255.255.0. Confirm with OK. VPN with Pre-shared Key. 3 Creating a project and security module ...

Page 93: ...d Key. Use the Insert > Module menu command with the following parameters: Product type SOFTNET configuration; Module SOFTNET Security Client; Firmware release V4. Confirm with OK. 3 Creating a project and security module ...

Page 94: ...mmand. In the navigation panel click the All modules entry. Drag the Scalance S module to the VPN group Group1 in the navigation panel. The module is now assigned to the VPN group; the color of the key symbol changes to blue. VPN with Pre-shared Key. 4 Configuring a VPN group ...

Page 95: ...Drag the SOFTNET Security Client module to the VPN group Group1 in the navigation panel. The module is now assigned to the VPN group; the color of the key symbol changes to blue. Activate Advanced Mode. 4 Configuring a VPN group ...

Page 96: ...hared Key. Select the VPN group Group1 in the navigation window and select the menu command Edit > Properties. Select the Preshared key option in the Authentication method area. Confirm with OK. 4 Configuring a VPN group ...

Page 97: ...ed Key. Save the project. Use the menu command Transfer > To all modules. Start the download with the Start button. 5 Downloading the configuration to the security module and saving the SOFTNET Security Client configuration ...

Page 98: ...red Key. Save the configuration file projectname.Module2.dat in your project folder. Confirm the popup with OK. 5 Downloading the configuration to the security module and saving the SOFTNET Security Client configuration ...

Page 99: ...Open the SOFTNET Security Client on PC2. Select Load Configuration and browse to where projectname.Module2.dat has been saved. Open the configuration with the Open button. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 100: ...ith Pre-shared Key. Loading a new configuration will delete any previous configurations. When the dialog above pops up, select deleted and confirm with Next. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 101: ...VPN with Pre-shared Key. The VPN tunnel can now be opened by clicking the Enable button. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 102: ...VPN with Pre-shared Key. Tunnel Overview shows the status of the tunnel. The green circle shows that the tunnel has been established. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 103: ...not get set up, check whether the Windows Firewall has been enabled. Open Control Panel > Windows Firewall. If the firewall is not enabled, click Turn Windows Firewall on or off and enable it. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 104: ...the Logging Console the sequence of executed connection attempts is displayed. The SCALANCE S module and the SOFTNET Security Client have established a communication tunnel. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 105: ...VPN with Pre-shared Key. Open the command prompt on PC2. Enter the ping command from PC2 to PC3: ping 192.168.9.2. All packets reach PC3 through the tunnel. 7 Testing the tunnel function ...

Page 106: ...ared Key. Open the command prompt on PC1. Enter the ping command from PC1 to PC3: ping 192.168.9.2. The packets cannot reach PC3 since there is no tunnel communication between these two devices. 7 Testing the tunnel function ...

Page 107: ...VPN with Certificates. In this example a VPN tunnel is configured between a security module and the SOFTNET Security Client. The endpoints authenticate using certificates. Topology: PC3 behind the security module, PC1 in the external network ...

Page 108: ...for the PCs; 3 Creating a project and security module; 4 Configuring a VPN group; 5 Downloading the configuration to the security module and saving the SOFTNET Security Client configuration; 6 Setting up a tunnel with the SOFTNET Security Client; 7 Testing the tunnel function ...

Page 109: ...ton and holding it down for at least 5 seconds. Connect the switch to the external network interface. Connect the PC with the Security Configuration Tool (PC1) and the PC with the SOFTNET Security Client (PC2) to the switch. Connect PC3 to the internal network interface. 1 Setting up the network ...

Page 110: ...ngs for the PCs. Set the IP addresses of the PCs as in the table above. PC1: IP address 192.168.10.2, subnet mask 255.255.255.0, default gateway 192.168.10.1. PC2: IP address 192.168.10.3, subnet mask 255.255.255.0, default gateway 192.168.10.1. PC3: IP address 192.168.9.2, subnet mask 255.255.255.0, default gateway 192.168.9.1 ...

Page 111: ...dress. Enter the external IP address 192.168.10.1 and the external subnet mask 255.255.255.0. Select the Routing mode. Enter the internal IP address 192.168.9.1 and subnet mask 255.255.255.0. Confirm with OK. VPN with Certificates. 3 Creating a project and security module ...

Page 112: ...ates. Use the Insert > Module menu command with the following parameters: Product type SOFTNET configuration; Module SOFTNET Security Client; Firmware release V4. Confirm with OK. 3 Creating a project and security module ...

Page 113: ...ommand. In the navigation panel click the All modules entry. Drag the Scalance S module to the VPN group Group1 in the navigation panel. The module is now assigned to the VPN group; the color of the key symbol changes to blue. VPN with Certificates. 4 Configuring a VPN group ...

Page 114: ...Drag the SOFTNET Security Client module to the VPN group Group1 in the navigation panel. The module is now assigned to the VPN group; the color of the key symbol changes to blue. Activate Advanced Mode. 4 Configuring a VPN group ...

Page 115: ...tificates. Select the VPN group Group1 in the navigation window and select the menu command Edit > Properties. Select the Certificate option in the Authentication method area. Confirm with OK. 4 Configuring a VPN group ...

Page 116: ...icates. Save the project. Use the menu command Transfer > To all modules. Start the download with the Start button. 5 Downloading the configuration to the security module and saving the SOFTNET Security Client configuration ...

Page 117: ...nfiguration file projectname.Module2.dat in your project folder. Assign a password to the certificate. Confirm the popup with OK. 5 Downloading the configuration to the security module and saving the SOFTNET Security Client configuration ...

Page 118: ...Open the SOFTNET Security Client on PC2. Select Load Configuration and browse to where projectname.Module2.dat has been saved. Open the configuration with the Open button. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 119: ...ith Certificates. Loading a new configuration will delete any previous configurations. When the dialog above pops up, select deleted and confirm with Next. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 120: ...VPN with Certificates. The VPN tunnel can now be opened by clicking the Enable button. Enter the certificate password in the dialog. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 121: ...VPN with Certificates. Tunnel Overview shows the status of the tunnel. The green circle shows that the tunnel has been established. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 122: ...ot get set up, check whether the Windows Firewall has been enabled. Open Control Panel > Windows Firewall. If the firewall is not enabled, click Turn Windows Firewall on or off and enable it. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 123: ...the Logging Console the sequence of executed connection attempts is displayed. The SCALANCE S module and the SOFTNET Security Client have established a communication tunnel. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 124: ...VPN with Certificates. Open the command prompt on PC2. Enter the ping command from PC2 to PC3: ping 192.168.9.2. All packets reach PC3 through the tunnel. 7 Testing the tunnel function ...

Page 125: ...ficates. Open the command prompt on PC2. Enter the ping command from PC2 to PC3: ping 192.168.9.2. The packets cannot reach PC3 since there is no tunnel communication between these two devices. 7 Testing the tunnel function ...

Page 126: ...o Gateway with VPN. In this example a VPN tunnel is set up between two security modules. With this configuration IP traffic is possible only over the established tunnel connections with authorized partners. Topology: PC3 and PC1 ...

Page 127: ...VPN. 1 Setting up the network; 2 Making IP settings for the PCs; 3 Creating a project and security module; 4 Configuring a VPN group; 5 Downloading the configuration to the security module; 6 Testing the tunnel function (ping test) ...

Page 128: ...t the PC with the Security Configuration Tool (PC1) to the switch. Connect both SCALANCE S modules to the switch through their external interface. Connect PC2 and PC3 to the internal interface of a SCALANCE S module. 1 Setting up the network ...

Page 129: ...teway with VPN. Set the IP addresses of the PCs as in the table above. 2 Making IP settings for the PCs. PC1: IP address 192.168.10.2, subnet mask 255.255.0.0. PC2: IP address 192.168.10.3, subnet mask 255.255.0.0. PC3: IP address 192.168.10.4, subnet mask 255.255.0.0 ...

Page 130: ...ct. In the Configuration area enter the MAC address. Enter the external IP address 192.168.10.201 and the external subnet mask 255.255.0.0. Confirm with OK. Gateway to Gateway with VPN. 3 Creating a project and security module ...

Page 131: ...Module. Select the same options as for the previous module but with the following address parameters: MAC address, the MAC address of the module; IP address (ext.) 192.186.10.202; Subnet mask (ext.) 255.255.0.0. Confirm with OK. 3 Creating a project and security module ...

Page 132: ...and. In the navigation panel click the All modules entry. Drag the SCALANCE S module to the VPN group Group1 in the navigation panel. The module is now assigned to the VPN group; the color of the key symbol changes to blue. Gateway to Gateway with VPN. 4 Configuring a VPN group ...

Page 133: ...Gateway with VPN. Drag the second SCALANCE S module to the VPN group Group1 in the navigation panel. The module is now assigned to the VPN group; the color of the key symbol changes to blue. 4 Configuring a VPN group ...

Page 134: ...Gateway to Gateway with VPN. Save the project. Use the menu command Transfer > To all modules. Start the download with the Start button. 5 Downloading the configuration to the security module ...

Page 135: ...Gateway to Gateway with VPN. Open the command prompt on PC2. Enter the ping command from PC2 to PC3: ping 192.168.10.4. All packets reach PC3 through the tunnel. 6 Testing the tunnel function (ping test) ...

Page 136: ...VPN. Open the command prompt on PC1. Enter the ping command from PC1 to PC3: ping 192.168.10.4. The packets cannot reach PC3 since there is no tunnel communication between these two devices. 6 Testing the tunnel function (ping test) ...

Page 137: ... security module using the SOFTNET Security Client The firewall is configured so that the access from PC1 in the external network to PC2 in the internal network is possible for a specific user only who needs to log in at the RADIUS server DMZ RADIUS server PC2 PC1 with SOFTNET Security Client ...

Page 138: ...ting up a tunnel with the SOFTNET Security Client 9 Logging in on the Web page 4 Configuring a RADIUS server 7 Downloading the configuration to the security module and saving the SOFTNET Security Client configuration 10 Testing the firewall function ping test 5 Configuring the firewall 6 Linking the RADIUS server and security module ...

Page 139: ...t button and holding it down for at least 5 seconds Connect the PC with the Security Configuration Tool PC1 to the external network interface Connect PC2 to the internal network interface Connect the Linux PC that will be used as RADIUS server to the DMZ interface 1 Setting up the network ...

Page 140: ...le above The IP address of the Linux PC is preset to the correct value 2 Making IP settings for the PCs PC IP address Subnet mask Default Gateway PC1 192 168 10 2 255 255 255 0 192 168 10 1 PC2 192 168 9 2 255 255 255 0 192 168 9 1 RADIUS 192 168 8 2 255 255 255 0 192 168 8 1 ...

Page 141: ...s Enter the external IP address 192 168 10 1 and the external subnet mask 255 255 255 0 Select the Routing mode Enter the internal IP address 192 168 9 1 and subnet mask 255 255 255 0 Confirm with OK VPN with User Authentication 3 Creating a project and security module ...

Page 142: ...dule Select the security module created and select the Edit Properties menu command Interfaces tab Select the Activate Interface check box in the DMZ port X3 area Enter the IP address 192 168 8 1 and the subnet mask 255 255 255 0 for the DMZ interface Confirm with OK ...

Page 143: ...tication. Use the Insert > Module menu command with the following parameters: o Product type: SOFTNET configuration; o Module: SOFTNET Security Client; o Firmware release: V4. Confirm with OK. 3 Creating a project and security module ...

Page 144: ...VPN with User Authentication. We'll use the previously configured RADIUS server for this example. 4 Configuring a RADIUS server ...

Page 145: ...the Insert > Group menu command. In the navigation panel, click the All modules entry. Drag the SCALANCE S module to the VPN group Group1 in the navigation panel. The module is now assigned to the VPN group; the color of the key symbol changes to blue. 5 Configuring the firewall ...

Page 146: ...on. Drag the SOFTNET Security Client module to the VPN group Group1 in the navigation panel. The module is now assigned to the VPN group; the color of the key symbol changes to blue. Activate Advanced Mode. 5 Configuring the firewall ...

Page 147: ...VPN with User Authentication. Use the menu command Options > User Management. Create a new user with the following settings. Confirm with OK. 5 Configuring the firewall ...

Page 148: ...VPN with User Authentication. Select User-specific IP rule sets in the navigation window. Select the Add rule set option in the shortcut menu. 5 Configuring the firewall ...

Page 149: ...VPN with User Authentication. Enter a rule in the dialog as shown below. 5 Configuring the firewall ...

Page 150: ...User Authentication. From the Available users and roles list, select the radius user entry and click the Assign button, then select the radius role entry and click Assign. Confirm with OK. 5 Configuring the firewall ...

Page 151: ...Select the security module in the navigation panel and drag it to the newly created user-specific IP rule set. The assignment can be checked by opening the module properties and selecting the Firewall tab. 5 Configuring the firewall ...

Page 152: ...VPN with User Authentication. Open the properties of the SCALANCE module and go to the Firewall tab. Add a firewall rule as in the image. Confirm with OK. 5 Configuring the firewall ...

Page 153: ...VPN with User Authentication. Select the menu option Options > Configuration of the RADIUS server. Click the Add button in the dialog. 6 Linking the RADIUS server and security module ...

Page 154: ...thentication. Define the server with the following values: o IP address/FQDN: 192.186.8.2; o Shared secret: SiemensSecret; o Repeat shared secret: SiemensSecret. Confirm with OK. 6 Linking the RADIUS server and security module ...

Page 155: ...ation. Open the SCALANCE S module properties and go to the RADIUS tab. Check the Enable RADIUS authentication box. Click the Add button; this adds the newly configured RADIUS server. 6 Linking the RADIUS server and security module ...

Page 156: ...VPN with User Authentication. In the RADIUS settings area, check the Allow RADIUS authentication of non-configured users box. Confirm with OK. 6 Linking the RADIUS server and security module ...
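The addressing in steps 2, 3 and 6 is typed by hand into several dialogs, and a single wrong octet leaves the module unable to reach the RADIUS server (the PC table on page 140 gives the RADIUS PC as 192.168.8.2, while the server dialog values on page 154 read 192.186.8.2). The following script is an added example, not code from the Siemens manual or the Security Configuration Tool: it takes the page's interface addresses, PC table and RADIUS entry as constants and checks that every host sits in its Scalance interface's subnet, uses that interface as default gateway, and that the RADIUS server entry names a host in the DMZ that is actually the RADIUS PC. The function names and check logic are this example's own.

```python
"""Added example (not from the Siemens manual): cross-check the lab addressing
plan that the preceding steps enter by hand.

The Scalance interface addresses, the PC table and the RADIUS server address
are the values from this page; the function names and check logic are this
example's own and not part of the Security Configuration Tool."""
import ipaddress

# Scalance S623 interfaces as configured in step 3 (values from the page).
SCALANCE_INTERFACES = {
    "external": ipaddress.ip_interface("192.168.10.1/24"),  # X1, red marking
    "internal": ipaddress.ip_interface("192.168.9.1/24"),   # X2, green marking
    "dmz": ipaddress.ip_interface("192.168.8.1/24"),        # X3, yellow marking
}

# Hosts as configured in step 2 (values from the page table).
HOSTS = {
    "PC1": {"ip": "192.168.10.2", "mask": "255.255.255.0", "gw": "192.168.10.1", "zone": "external"},
    "PC2": {"ip": "192.168.9.2", "mask": "255.255.255.0", "gw": "192.168.9.1", "zone": "internal"},
    "RADIUS": {"ip": "192.168.8.2", "mask": "255.255.255.0", "gw": "192.168.8.1", "zone": "dmz"},
}


def check_host(name, host):
    """Return the problems found for one host (an empty list means it is consistent)."""
    problems = []
    iface = ipaddress.ip_interface(f"{host['ip']}/{host['mask']}")
    scalance = SCALANCE_INTERFACES[host["zone"]]
    if iface.network != scalance.network:
        problems.append(f"{name}: {iface} is not in the {host['zone']} subnet {scalance.network}")
    if iface.ip == scalance.ip:
        problems.append(f"{name}: address collides with the Scalance {host['zone']} interface")
    if ipaddress.ip_address(host["gw"]) != scalance.ip:
        problems.append(f"{name}: default gateway {host['gw']} is not the Scalance "
                        f"{host['zone']} address {scalance.ip}")
    return problems


def check_radius_entry(address):
    """Check the RADIUS server address entered on the module in step 6:
    it must be a host inside the DMZ subnet and must be the RADIUS PC itself."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        # The dialog also accepts an FQDN; this offline check can only vet IP literals.
        return [f"RADIUS entry {address!r} is not an IP literal; resolve it and re-check"]
    problems = []
    dmz = SCALANCE_INTERFACES["dmz"]
    if ip not in dmz.network:
        problems.append(f"RADIUS entry {ip} is outside the DMZ subnet {dmz.network}; "
                        "the module would route it out the wrong interface")
    if str(ip) != HOSTS["RADIUS"]["ip"]:
        problems.append(f"RADIUS entry {ip} does not match the RADIUS PC address {HOSTS['RADIUS']['ip']}")
    return problems


def check_plan(radius_entry):
    """Run every check and return the combined list of problems (empty when consistent)."""
    problems = []
    for name, host in HOSTS.items():
        problems += check_host(name, host)
    problems += check_radius_entry(radius_entry)
    return problems


if __name__ == "__main__":
    # Both addresses that appear on the page for the RADIUS server.
    for entry in ("192.168.8.2", "192.186.8.2"):
        print(entry, "->", check_plan(entry) or "plan is consistent")
```

Running it with the page's table value reports a consistent plan; running it with the value from the server dialog reports that the address lies outside the DMZ subnet, which is the symptom to look for when the web login in step 9 never reaches the RADIUS server.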

Page 157: ...ntication. Save the project. Use the menu command Transfer > To all modules. Start the download with the Start button. 7 Downloading the configuration to the security module and saving the SOFTNET Security Client configuration ...

Page 158: ...e configuration file projectname.Module2.dat in your project folder. Assign a password to the certificate. Confirm the popup with OK. 7 Downloading the configuration to the security module and saving the SOFTNET Security Client configuration ...

Page 159: ...ion. Open the SOFTNET Security Client on PC2. Select Load Configuration and browse to where projectname.Module2.dat has been saved. Open the configuration with the Open button. 8 Setting up a tunnel with the SOFTNET Security Client ...

Page 160: ...User Authentication. Loading a new configuration will delete any previous configurations. When the dialog above pops up, select "deleted" and confirm with Next. 8 Setting up a tunnel with the SOFTNET Security Client ...

Page 161: ...VPN with User Authentication. The VPN tunnel can now be opened by clicking the Enable button. Enter the certificate password in the dialog. 8 Setting up a tunnel with the SOFTNET Security Client ...

Page 162: ...VPN with User Authentication. Tunnel Overview shows the status of the tunnel. The green circle shows that the tunnel has been established. 8 Setting up a tunnel with the SOFTNET Security Client ...

Page 163: ...es not get set up, check whether the Windows Firewall has been enabled. Open Control Panel > Windows Firewall. If the firewall is not enabled, click Turn Windows Firewall on or off and enable it. 6 Setting up a tunnel with the SOFTNET Security Client ...

Page 164: ...VPN with User Authentication. In the Web browser of PC1, enter the address https://192.168.10.1. 9 Logging in on the Web page ...

Page 165: ...VPN with User Authentication. If the web page does not show the login fields, try changing the language in the upper right corner. 9 Logging in on the Web page ...

Page 166: ...VPN with User Authentication. Enter the user name radius and the corresponding password and click the Log in button. 9 Logging in on the Web page ...

Page 167: ...VPN with User Authentication. The defined IP rule set is enabled for the radius user. 9 Logging in on the Web page ...

Page 168: ...VPN with User Authentication. Open the command prompt on PC1. Enter the ping command from PC1 to PC2: ping 192.168.9.2. All packets reach PC2 through the tunnel. 10 Testing the firewall function (ping test) ...
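When the radius user logs in on the module's web page (step 9), the module does not check the password itself; it forwards the credentials to the RADIUS server linked in step 6, and the shared secret entered there is what ties the two together. The following is an added example, not code from the Siemens manual or from any RADIUS library: it implements the RFC 2865 User-Password hiding and Response Authenticator for a plain Access-Request/Accept/Reject exchange, so that one can see why a mismatched secret produces a reject rather than an error, and why a reply cannot be accepted unless it was computed with the same secret. The user name and shared secret are the page's values; the password and the Request Authenticator used in the tests are constructed placeholders, and every function name is this example's own.

```python
"""Added example (not from the Siemens manual or a RADIUS library): what the
shared secret from step 6 does on the wire when the radius user logs in and
the module forwards the credentials to the RADIUS server (RFC 2865, PAP).
User name and shared secret are the page's values; the password is a
constructed placeholder, since the page does not state it."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

SHARED_SECRET = b"SiemensSecret"             # value from the page (step 6)
USERS = {b"radius": b"example-password"}     # constructed; user name from the page


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def _parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2:            # malformed attribute; stop rather than loop forever
            break
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier, username, password, secret, request_auth=None):
    """What the NAS (here the Scalance module) sends; request_auth is 16 random bytes."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def serve_access_request(request, users, secret):
    """Server side: recover the password and answer Accept or Reject.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    identifier, request_auth = request[1], request[4:20]
    attrs = _parse_attrs(request[20:])
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = users.get(attrs.get(ATTR_USER_NAME))
    ok = expected is not None and hmac.compare_digest(password, expected)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(response, request, secret):
    """NAS side: only accept replies whose Response Authenticator was computed with
    the shared secret, so a reply from a host without the secret is discarded."""
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def login(username, password, nas_secret, server_secret):
    """Simulate one web-page login; returns (response code, response verified?)."""
    request = build_access_request(7, username, password, nas_secret)
    response = serve_access_request(request, USERS, server_secret)
    return response[0], verify_response(response, request, nas_secret)


if __name__ == "__main__":
    print("matching secrets   :", login(b"radius", b"example-password", SHARED_SECRET, SHARED_SECRET))
    print("wrong password     :", login(b"radius", b"wrong", SHARED_SECRET, SHARED_SECRET))
    print("mismatched secrets :", login(b"radius", b"example-password", b"other", SHARED_SECRET))
```

Two points follow from the code that the dialog in step 6 does not make visible: the password is protected only by MD5 keyed with the shared secret, so the secret should be long and random and the DMZ link between module and RADIUS server should stay physically private; and a module configured with the wrong secret simply receives Access-Reject for every user, which is the first thing to check when the login on page 166 fails although the server's own logs show the user exists.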
