manualshive.com logo in svg

Pilz 311502, Руководство по эксплуатации, Страница: 24 / 51

Поделиться
Скачать
Pilz 311502 Скачать руководство пользователя страница 24

Configuration

Operating Manual PCOM sec br2
1004534-EN-04

| 24

8.3

Managing users

In order to access the device in the protected network via the SecurityBridge, a user must
log in from a client PC via VPN client, using his login data. A user account must be created
for each user in user management on the user interface.

Different access permissions can be defined for users. For this purpose user groups are

created, which are assigned specific, pre-defined 

permissions [

 24]

.

The registration process is described in the chapter entitled 

Log in to client [

 34]

.

See the user interface's online help for details of how to configure the user management.

8.3.1

Permissions

The permissions are used to define which actions a user group is permitted to perform.

The following permissions can be assigned to a user group:

Permission

Description

ID for 
RADIUS

System permissions

Administration

User can perform administrative functions on the Se-
curityBridge. However, he has no access to the pro-
tected system (PNOZmulti, PSS 4000)

1

User management

User may create, change or delete entries in the
user management.

2

PSS 4000 permis-
sions

DeviceAdmin

User may perform all online functions on the 

PSS

4000

 system.

50

PNOZmulti permis-
sions

DeviceAdmin

User may perform all online functions on the

PNOZmulti

 system.

100

ReadOnly

On the 

PNOZmulti

 system, the user may only per-

form online functions that do not influence the status
of the system

101

Operator

User may perform all online functions on the

PNOZmulti

 system, except changes to the project.

102

Network permissions

Modbus TCP

User may access the Modbus/TCP server in the pro-
tected 

PNOZmulti

 system.

150

Generic Device per-
missions

AccessGroup-1

User is allowed to access the Generic Device be-
longing to one of these three groups if he is assigned
to a user group with the same permission.

160

AccessGroup-2

161

AccessGroup-3

162

Содержание 311502

Страница 1: ...PCOM sec br2 Operating Manual 1004534 EN 04...

Страница 2: ...KG Copies may be made for internal purposes Suggestions and comments for improving this documentation will be gratefully received Pilz PIT PMI PNOZ Primo PSEN PSS PVIS SafetyBUS p SafetyEYE SafetyNET...

Страница 3: ...10 3 4 Commissioning 11 3 5 User accounts 11 3 6 Operation 11 3 7 Decommissioning 12 4 Overview 13 4 1 Unit features 13 4 2 Front view 14 5 Function description 15 5 1 Block diagram 16 5 2 VPN tunnel...

Страница 4: ...client 33 9 2 Create new client connection 33 9 3 Log in to client 34 9 4 Authentication procedure 34 10 Firmware update 37 11 Operation 38 11 1 LED indicators 38 11 2 Recovery 39 11 3 Error mode 40...

Страница 5: ...t is particularly important is identified as follows DANGER This warning must be heeded It warns of a hazardous situation that poses an immediate threat of serious injury and death and indicates preve...

Страница 6: ...s if possible Pilz can charge a fee for the data medium and for sending The request for the source code must be received 3 years at the latest after the receipt of the relevant GPL or LPGL Irrespectiv...

Страница 7: ...other environments If installed in other environments measures should be taken to comply with the applicable standards and directives for the respective installation site with regard to in terference...

Страница 8: ...ll be rendered invalid if The product was used contrary to the purpose for which it is intended Damage can be attributed to not having followed the guidelines in the manual Operating personnel are not...

Страница 9: ...y security problems of the SecurityBridge to the following E mail ad dress security pilz de 3 2 Defense in depth Defense in depth is a security design concept Several different security measures to pr...

Страница 10: ...n depth concept provided the product has to be arranged in the network as shown in the figure Network overview The chapter Network data 48 de scribes the network protocols that the product uses to com...

Страница 11: ...Make sure you regularly change the passwords of the user accounts on the system and or ask the users to change their passwords themselves Retain the passwords safely and train the personnel to deal wi...

Страница 12: ...Unless otherwise documented you should ensure that all the files created by the Secur ityBridge can only be used by authorised users 3 7 Decommissioning Make sure that the SecurityBridge is safely dec...

Страница 13: ...face VPN server to build a VPN tunnel for safe transfer of data Forwarding rules for IP connections and fieldbuses Bypass mode temporary deactivation of security functions for diagnostic purposes Setu...

Страница 14: ...XXXXXX XXXXXX XX Firmware XXXX Fig PCOM sec br2 Legend X1 Network Ethernet port for connecting the configuration PC X2 Device Ethernet port for connecting to the protected system X3 24 V 0 V Peripher...

Страница 15: ...mpany network Fig Overview The SecurityBridge is used with in the company network to prevent unauthorised access to downstream devices in a protected network The access from the client PC to the devic...

Страница 16: ...uration PC This enables tap proof manip ulation proof data transfer between the client PC and SecurityBridge Only the VPN client from Pilz is supported Up to 5 client connections can exist simultaneou...

Страница 17: ...there is at least one VPN Client connected If there is a 0 signal at the output then no VPN Client is connected BYPASS Bypass mode is signalled via the digital output If there is a 1 signal at the ou...

Страница 18: ...event of an ambient temperature of over 45 C note that the temperature of the connected USB memory could rise to over 70 C Using the USB memory An inserted USB stick can be formatted and incorporated...

Страница 19: ...g rail in an upright position so that the earthing springs on the device are pressed on to the mounting rail The ambient temperature of the devices in the control cabinet must not exceed the figure st...

Страница 20: ...put must be a max of 30 m The supply of the module and the supply of the SC outputs are galvanically isolated Module supply Polarity protection Overvoltage protection Protect the supply voltage as fol...

Страница 21: ...X1 network port Connection to the unprotected network company network Ethernet interface X2 device port Connection to the protected network Supported Internet protocol IPv4 Supported functions Autoneg...

Страница 22: ...a a standard browser The following web browsers will always be supported Internet Explorer IE from Version 9 Microsoft Edge Mozilla Firefox from Version 23 7 0 Google Chrome from Version 27 Safari fro...

Страница 23: ...e password see Security 9 6 Change network settings To access the SecurityBridge PCOM sec br2 from the company network change the network settings of the SecurityBridge The settings are adapted in the...

Страница 24: ...r RADIUS System permissions Administration User can perform administrative functions on the Se curityBridge However he has no access to the pro tected system PNOZmulti PSS 4000 1 User management User...

Страница 25: ...owing actions can then be delegated List users Create new user Change user data 8 3 3 Create user A user account must be created for each user who wants to access the protected system via VPN client o...

Страница 26: ...d in the Security Bridge for the RADIUS server are accepted INFORMATION Via the RADIUS server a user can either be assigned to a user group or be assigned one or more permissions If you attempt to ass...

Страница 27: ...of 5 OPC servers can be created 4 OPC servers for the product range PSS 4000 and 1 OPC server for the product range PVIS Create Generic Devices Generic Devices are all devices with a network interface...

Страница 28: ...n the protected network A maximum of 25 rules administrative rules and forward ing rules can be defined per device Administrative access rules The system allows the definition of administrative access...

Страница 29: ...secure the configuration 31 Certificate download You can download the CA certificate and server certificate from the user interface to your PC You can import the CA certificate into the browser PC see...

Страница 30: ...n automatically download the certificate The download is secured by a passphrase Further information on the password policy can be found in the Online Help on the SecurityBridge Generate certificates...

Страница 31: ...ed The status is displayed on the user interface and on the device via a configurable LED CAUTION Loss of security when bypass mode is activated The security functions are deactivated in bypass mode M...

Страница 32: ...the configuration is loaded automatic ally When you saved a configuration on the computer the configuration can be restored by uploading the backup file to the user interface If you did not generate...

Страница 33: ...rsion 9 2 Create new client connection To create a connection to SecurityBridge for the first time a new client connection has to be created Proceed as follows 1 Start the VPN client by clicking All p...

Страница 34: ...entials must be created on the user interface of the SecurityBridge a Open the VPN client click Connect select a connection and enter your user name and your password 9 4 Authentication procedure Duri...

Страница 35: ...ind user name in the user management Found No No No No No Ye s Ye s Ye s Ye s Ye s Ye s RADIUS server configured Authentication via RADIUS server Successful Check Setup mode User permitted Check passw...

Страница 36: ...ocedure via the RADIUS server Request to the primary RADIUS server Request to the secondary RADIUS server Authentication successful Check group or permissions from the response Authentication failed V...

Страница 37: ...ce The firmware can only be updated by users with Administration permission The update packet is digitally signed to prevent manipulation An update packet can be downloaded to the device from the down...

Страница 38: ...n Green No error present Red One or more recoverable errors on the Security Bridge for more information see event log Red One or more internal errors on the SecurityBridge for more information see eve...

Страница 39: ...e Meaning No network connection Green Network connection exists 11 2 Recovery If you experience problems with the configuration a failed firmware update or any other situation in which the system is n...

Страница 40: ...r interface opens in Recovery mode This interface is only available in English 7 To restore the system you can choose between the following options Firmware Recovery The firmware is reset and restored...

Страница 41: ...e deleted from the device Proceed as follows Reset the configuration to the factory settings as described in the chapter Recovery 39 Switch off the SecurityBridge If you used an USB memory remove the...

Страница 42: ...er net interfaces at the base unit The project is changed via this connection and transferred to the PNOZmulti This connection is protected The PNOZmulti base unit is in the protec ted network Access...

Страница 43: ...pening contact of the key switch to the input I0 protected connection unprotected connection PAS4000 or PNOZmulti Configurator Key switch PNOZmulti PSS 4000 VPN tunnel Input I0 or 24 VDC SecurityBridg...

Страница 44: ...tablish connection to SecurityBridge 22 2 Create user 25 3 Create device 27 4 Forwarding rules for PSS 4000 27 Here you have to configure the forwarding rule for the communication of both PSS 4000 in...

Страница 45: ...5 5 W Status indicator LED Inputs Number 1 Voltage at inputs 24 V DC Input type in accordance with EN 61131 2 3 Input current at rated voltage 10 mA Semiconductor outputs Number 1 Voltage 24 V Curren...

Страница 46: ...ccordance with the standard EN 61131 2 Overvoltage category II Pollution degree 2 Rated insulation voltage 30 V Protection type In accordance with the standard EN 60529 Housing IP20 Terminals IP20 Mou...

Страница 47: ...r cross section with spring loaded terminals Flexible with without crimp connector 0 2 2 5 mm 24 12 AWG Spring loaded terminals Terminal points per connec tion 2 Stripping length with spring loaded te...

Страница 48: ...ser name and pass word The server is au thenticated via X 509 certificate VPN Web Service HTTP In TCP 4080 Yes Def Active Critical services are only accessible via the VPN tunnel NTP Server NTP In UDP...

Страница 49: ...rc 701 Device name IP address ip The device s MAC address was changed to mac 702 Device name IP address ip Device is not active 1000 The start configuration was reset and the logging events were delet...

Страница 50: ...e Features Order no PCOM sec br2 Module for secure authentication and communication with PNOZmulti 2 and PSS 4000 311 502 16 2 Accessories Connection terminals Product type Features Order no Set4 Spri...

Страница 51: ...XXXX en 0X 2021 01 Printed in Germany Pilz GmbH Co KG 2021 Support Technical support is available from Pilz round the clock Pilz develops environmentally friendly products using ecological materials a...

Отзывы:

Нет отзывов