Siemens SINEMA Remote Connect Скачать руководство пользователя

Страница: 103 / 122

Configuring with Web Based Management

4.9 Security

SINEMA Remote Connect - Server
Operating Instructions, 11/2017, C79000-G8976-C383-04

103

Specify the settings of phase 2 - IKE (KE/key exchange):

Box

Meaning

Protocol

Selection of the protocol
AH: The IP Authentication Header (AH) handles the authentication

and identification of the source.
ESP: The Encapsulation Security Payload (ESP) encrypts the data.

Encryption algorithm:

The selection depends on the phase und the key exchange method

(IKE)

Hash method

Selection of the authentication algorithm:
SHA 1, 256, 384, 512

Key derivation

Select the required Diffie-Hellmann group (DH) from which a key will

be generated.

Lifetime

The lifetime of the authentication. When the time has elapsed, the

VPN endpoints involved must authenticate themselves with each

other again and generate a new key

Click "Finish".

Changing an IPsec profile

Change the corresponding user settings. Then click the "Save" button.

Encryption algorithm

Phase 1

Phase 2

IKEv1

IKEv2

IKEv1

IKEv2

3DES

AES128 CBC

AES192 CBC

AES256 CBC

AES128 CTR

AES192 CTR

AES256 CTR

AES128 CCM 16

AES192 CCM 16

AES256 CCM 16

AES128 GCM 16

AES192 GCM 16

AES256 GCM 16

x: is supported

-: is not supported

Содержание SINEMA Remote Connect

Страница 1: ..._______________ SIMATIC NET Industrial Remote Communication Remote Networks SINEMA Remote Connect Server Operating Instructions 11 2017 C79000 G8976 C383 04 Preface Application and properties 1 Requirements for operation 2 Installation and commissioning 3 Configuring with Web Based Management 4 Upkeep and maintenance 5 Appendix A A Appendix B B ...

Страница 2: ...e operated only by personnel qualified for the specific task in accordance with the relevant documentation in particular its warning notices and safety instructions Qualified personnel are those who based on their training and experience are capable of identifying risks and avoiding potential hazards when working with these products systems Proper use of Siemens products Note the following WARNING...

Страница 3: ...e numbers licenses The following licenses are available for the product Product name Article number Number of configurable participants users and devices SINEMA Remote Connect 6GK1720 1AH01 0BV0 4 SINEMA Remote Connect 64 6GK1722 1JH01 0BV0 64 SINEMA Remote Connect 256 6GK1722 1MH01 0BV0 256 SINEMA Remote Connect 1024 6GK1722 1QH01 0BV0 1024 Also available for enabling connection to the SINEMA Rem...

Страница 4: ...versions are compatible with each other RTU3030C CP1243 1 CP1543 1 Abbreviations acronyms and terminology SINEMA RC In the remainder of the manual the SINEMA Remote Connect software is abbreviated to SINEMA RC SCALANCE M 800 This abbreviation applies to the following devices if the content of the description applies equally to these devices in the relevant context SCALANCE M874 2 SCALANCE M874 3 S...

Страница 5: ...n of SINEMA Remote Connect is shown Current manuals and further information You will find the current manuals and further information on remote networks products on the Internet pages of Siemens Industry Online Support Using the search function Link to Siemens Industry Online Support http support automation siemens com WW view en Enter the entry ID of the relevant manual as the search item via the...

Страница 6: ... visit https www siemens com industrialsecurity Siemens products and solutions undergo continuous development to make them more secure Siemens strongly recommends that product updates are applied as soon as they are available and that the latest product versions are used Use of product versions that are no longer supported and failure to apply the latest updates may increase customers exposure to ...

Страница 7: ...g 23 3 1 Security recommendations 23 3 2 Installing SINEMA RC Server 26 3 3 Initial commissioning of end devices using the WBM 33 4 Configuring with Web Based Management 35 4 1 Opening Web Based Management 35 4 2 Starting the WBM 36 4 2 1 Logon with user name and password 36 4 2 2 Logon with the Smartcard user certificates 37 4 3 Layout of the window 42 4 4 Start page of the Web user interface 45 ...

Страница 8: ...counts 78 4 8 2 Managing roles and rights 80 4 8 3 Create a new user 83 4 8 4 User agreement 86 4 9 Security 87 4 9 1 Managing certificates 87 4 9 1 1 Overview of certificate management 87 4 9 1 2 Certificate overview 89 4 9 1 3 CA certificate 90 4 9 1 4 Server certificate 91 4 9 1 5 Importing the Web server certificate 92 4 9 1 6 Making settings for certificates 94 4 9 1 7 Device certificate 95 4...

Страница 9: ...er Operating Instructions 11 2017 C79000 G8976 C383 04 9 A 2 Using a virtual machine 114 B Appendix B 115 B 1 Enabling the e mail address 115 B 2 Monitoring and time response of wake up SMS messages 116 B 3 Structure of the csv file 116 Index 119 ...

Страница 10: ...Table of contents SINEMA Remote Connect Server 10 Operating Instructions 11 2017 C79000 G8976 C383 04 ...

Страница 11: ...users must log on by entering a user name and password or with a Smartcard Supported products The following products are suitable for connecting to the SINEMA RC Server SCALANCE M 800 SCALANCE S615 SINEMA RC Client SCALANCE S602 SCALANCE S612 SCALANCE S623 SCALANCE S627 2M In the section Connectable nodes Page 19 you will find information about which product versions and SINEMA RC versions are com...

Страница 12: ...ent of roles and rights Assignment of participant groups Configuration of connections Creation of communication relations between the participant groups Commissioning configuration of end devices You can create partial configurations globally for the end devices This includes for example configuration of NAT etc Via the server configuration information can be loaded on the end device Management of...

Страница 13: ...the most important tasks of an administrator This should therefore be planned and configured to meet the specific requirements while taking into account security relevant aspects We strongly advise you to familiarize yourself with the user and roles concept of SINEMA RC Server New or modified settings should always be checked in terms of their intended effect Basics The access rights in SINEMA RC ...

Страница 14: ...tion Managing roles and rights Page 80 This administrator is listed with the user accounts and can neither be edited or deleted The admin user is no longer available Logging on The following options are available Logon with user name and password Logon with the Smartcard Logon with PKI certificate Roles In SINEMA Server there are two predefined roles available with corresponding access rights Stan...

Страница 15: ...via SCALANCE M or the SCALANCE S615 that establish a VPN tunnel to the SINEMA RC Server In the master station the SINEMA RC Client establishes a VPN tunnel to the SINEMA RC Server To establish the VPN tunnel OpenVPN is used The devices must log on to the SINEMA RC server For this a WBM is available The VPN tunnel between the device and the SINEMA RC Server is established only after successful auth...

Страница 16: ...master station follow the steps below 1 Establish the Ethernet connection between the device and the connected configuration PC 2 Establish a connection to the WAN 3 Log the new device on to the SINEMA RC Server 4 Set up the connection to the SINEMA RC Server on the device 5 Put the new device into operation You will find instructions on the procedure in the Getting Started for SINEMA Remote Conne...

Страница 17: ...g disabled RAM 2 GB 4 GB 8 GB Network adapter 1 1 Note SINEMA RC Server supports up to four network adapters 1x Gbps Ethernet Note SINEMA RC Server sup ports up to four network adapters Hard disk 60 GB 60 GB 250 GB SSD Used hardware of the vSphere Server ESXi 5 5 Component PC 847D 6AG4114 2KV83 0XX6 Processor Xeon E3 1268L v3 4C 8T 2 3 3 3 GHz 8 MB cache VT d AMT RAM 32 GB DDR3 SDRAM 4X 8GB Networ...

Страница 18: ...ly for one subnet per device 1024 User device combinations can be freely selected up to the maximum overall quantity structure As the number of subnets is also dependent on the communication relationships permitted among one another for example these must be checked questioned and restricted where necessary If devices do not need to communicate with one another this function should be disabled to ...

Страница 19: ... SINEMA RC client Version 1 0 1 0 SP1 1 0 SP2 1 0 SP3 SINEMA RC version 1 0 1 1 1 2 1 3 SCALANCE M 800 S615 S615 S615 M874 x M876 x S615 M 800 S615 M 800 Version V4 0 V4 1 V4 2 V4 3 SINEMA RC version 1 0 1 1 1 2 1 3 SCALANCE S 600 SC 600 S612 S623 S627 2M SC632 2C SC636 2C SC642 2C SC646 2C Version as of 4 0 1 1 as of 4 0 1 1 as of 4 0 1 1 as of 1 0 SINEMA RC version 1 0 1 1 1 2 1 3 SCALANCE S 600...

Страница 20: ...ports up to 64 participants SINEMA Remote Connect 256 This license supports up to 256 participants SINEMA Remote Connect 1024 This license supports up to 1024 participants License update To expand the license to a higher number of participants you require an update to a new license To be able to make a license update you need to obtain a new license key and enter the corresponding license number i...

Страница 21: ...allowed Length of the device user or group name 1 to 30 characters Length of the role name 1 to 80 characters Length of the password at least 8 characters and maximum 128 characters Note User names and passwords As an important measure to increase security make sure that user names and passwords are as long as possible Passwords must be at least 8 characters long and contain special characters upp...

Страница 22: ...t Server 22 Operating Instructions 11 2017 C79000 G8976 C383 04 2 5 Performance data Maximum number of participant groups Unlimited Maximum number of participants per participant group Unlimited Maximum number of local backup copies 30 Maximum number of log archives 100 ...

Страница 23: ...to the SINEMA RC Server to qualified personnel The SINEMA RC Server has an extensive system of access rights This system allows you to grant or deny access to certain program objects individually and according to need Physical access Restrict physical access to the device to qualified personnel Use the security mechanisms of the operating system Protect SINEMA RC Server from unauthorized access by...

Страница 24: ... section deals with the security keys and certificates you require to establish a connection We recommend that you use certificates with a key length of 4096 bits The product supports RSA 1024 8192 bits key length Available protocols The following list provides you with an overview of all used services of the product Keep this in mind when configuring a firewall The table includes the following co...

Страница 25: ...thentication required yes TCP 5443 Open authentication required yes IPsec ESP n a Open authentication required no IPsec encap sulated UDP 500 Open authentication required no IPsec encap sulated NAPT UDP 4500 Open authentication required no SSH TCP 22 Open when configured authenti cation necessary yes Table 3 2 Services used Protocol Port number Port status NTP UDP 123 Outgoing when configured DNS ...

Страница 26: ... the following No system installed Perform a new installation SINEMA RC Server V1 2 pre installed Perform an update using the DVD for SINEMA RC Server see section System update V1 2 V1 3 SINEMA RC Server V1 0 or V1 1 pre installed First update the version of SINEMA RC Server to V1 2 from the System update Page 59 WBM page and to version 1 3 using the DVD The update must be performed in the correct...

Страница 27: ...lly 2 Switch on the PC or restart the server Installation starts automatically 3 In the following dialog select the entry Install Update SINEMA Remote Connect Server Press Return to confirm the selection If SINEMA RC Server V1 2 is already installed in the following dialog select Install Fresh installation The previous configurations of the SINEMA RC Server are not adopted 4 Follow the further ins...

Страница 28: ...n area and select the menu command Info A SINEMA RC Client with a version V1 0 SP3 cannot connect to a SINEMA RC Server V1 3 Update the SINEMA RC Client Procedure 1 Back up your configuration using SINEMA RC Server V1 2 WBM and export this backup file to your PC or SFTP server You can find more detailed information on this in the sections Backup Restore Page 61 and Server upload Page 60 2 Insert t...

Страница 29: ...nstallation two boot partitions are available One partition also contains your operational V1 2 server version The other partition now contains an operational V1 3 server version with the same server configuration including devices users and certificates Your SINEMA RC Server license has not been automatically transferred to V1 3 The license has to be released in the V1 2 version in order to activ...

Страница 30: ...ntry SINEMA RC 1 2 0 and confirm by pressing the Enter key 8 Log on with your user credentials and select System Licenses Page 57 in the navigation Release the licenses to reactivate them in V1 3 Note If it is not possible to deactivate the license in the WBM for example there is no connection to the license server you need to contact our hotline All further steps for a renewed activation of the l...

Страница 31: ... SINEMA RC Server SINEMA Remote Connect Server Operating Instructions 11 2017 C79000 G8976 C383 04 31 9 Perform a restart from the Energy Management Page 59 WBM page 10 Select SINEMA RC 1 3 0 in the Boot menu and confirm by pressing the Enter key ...

Страница 32: ...formation on this in the section Managing licenses Page 57 Result SINEMA RC Server was licensed for version 1 3 The previous configurations of the server are retained Alongside this updated server version there is a further partition on the PC with the original V1 2 server version as a backup Version 1 2 can continue to be started via the boot menu of the PC if it becomes necessary to undo the upd...

Страница 33: ...d information refer to the section Assigning a node to a group Page 77 When the device is configured the certificate is created automatically For more detailed information refer to the section Overview of certificate management Page 87 2 Configure the device To identify the device to the SINEMA RC Server transfer the certificate to the device and enter the password Enter the IP address of the SINE...

Страница 34: ...Installation and commissioning 3 3 Initial commissioning of end devices using the WBM SINEMA Remote Connect Server 34 Operating Instructions 11 2017 C79000 G8976 C383 04 ...

Страница 35: ...rowser enter https IP address You specify the IP address during installation If you use a port other than 443 as the HTTPS standard port enter the port number along with the IP address A colon must be entered between the IP address and the port number as a delimiter e g https 192 168 234 1 6443 Note You set the port for access to the Web server in the System Network configuration Web server settin...

Страница 36: ...password Page 105 Logging on after installing new 1 After the new installation log on as user name and password admin 2 Click on Log on The WBM page Change password opens 3 Specify the user name and the password for the administrator The new password must be at least 8 characters long and contain special characters upper and lowercase characters as well as numbers refer to the section Permitted ch...

Страница 37: ...curity system The 1st level is possession of the card and the 2nd level is the personal identification number PIN for unlocking the smart card On the smart card there must be the PKI certificate and the private key belonging to it As an alternative the PKI certificate can also be on the hard disk of the SINEMA RC client The private key is then however not protected by the Smartcard but must be pro...

Страница 38: ...rver the user can log on with his or her PKI certificate After successfully logging on a check is made to establish whether the contained PKI certificate of the user is valid Then a check is made as to whether the attributes of the PKI DN filter rules are included in the PKI certificate There are the following types of logon User identification if the PKI DN filter rule applies to a user this user...

Страница 39: ...ur PIN and click on Log on Possibly a user agreement will be displayed see section User agreement If you click the Accept button the start page appears Logon with a user certificate Requirement The PKI CA certificate chain is installed on the SINEMA RC Server see section PKI CA certificate The valid user certificate derived from one of the PKI CA certificates imported into SINEMA RC exists on the ...

Страница 40: ... receives the right and the access to the participant groups assigned to the role In the role you also specify when the temporary user will be deleted see section Managing role and rights You can also delete the temporary user in User accounts Users Roles Locking out Smartcard user certificate To lock out users you have the following options Revocation list PKI DN blacklist Expired user certificat...

Страница 41: ... JohnDoe who is assigned the admin role The role has all access rights For the role Service the following filter rule is defined CN OU Service_Group_Plant_1 O Siemens C DE Only PKI card users obtain access for whom the relevant attribute values exist for OU O and C This restricts access to a certain service group The system creates a temporary user who receives the rights assigned to the Service r...

Страница 42: ...ructions 11 2017 C79000 G8976 C383 04 4 3 Layout of the window View of the Start page When you enter the IP address the start page is displayed after a successful login You cannot configure anything on this page Figure 4 1 Help General layout of the WBM page The following areas are available on every WBM page ...

Страница 43: ... the current page Note If you click Update before the configuration changes have been saved with the Save button your changes will be deleted Navigation area In the navigation area you have various menus available Click the individual menus to display the submenus The submenus contain pages on which information is available to you or with which you can create configurations These pages are always ...

Страница 44: ...ke immediate effect It can however take some time before changes are saved in the configuration Creating entries with Create WBM pages on which you can create new entries have the Create button Click this button to create a new entry Deleting entries with Delete WBM pages on which you can delete entries have the Delete button Click this button to delete the previously selected entries Deleting als...

Страница 45: ...select System Overview Displayed entries The following entries are displayed Box Meaning Software version Version number of the current software License usage activated partici pant of total Number of currently activated participants and how many partici pants can be configured in total Configured users Number of users created in the project Configured devices Number of devices created in the proj...

Страница 46: ...on Changing the language setting 1 Open the drop down list for the language setting at the top right of the start page 2 Select the required language Result The user interface of the SINEMA RC Server is displayed in the selected language regardless of the Web browser being used If the language is not changed immediately use the Update button or the F5 function key ...

Страница 47: ...essages Calling the Web page In the navigation panel select System Logfile and the Logfile messages tab Displayed entries The following entries are displayed Box Meaning Date Time stamp with the date and time Message level The message levels are possible Emergency Alert Critical Error e g when exporting the server certificate fails Warning e g when a CA is deleted Notice e g when a CA is created I...

Страница 48: ...and archived on a weekly basis When you click the Export button a dialog opens for opening or saving the current log file in csv format All the entries are exported even if you have filtered the entries You can save the data locally and for example send it in if requested by support Note Protecting exported log files from unauthorized access Exported log files can contain information relevant for ...

Страница 49: ...ut must keep to the specification RFC 1918 Note So that the SINEMA RC can be reached via the Internet router on the router port forwarding needs to be set up for the following ports For the WBM see Web server settings Page 52 for HTTPS TCP port 443 preset can be changed For the establishment of the OpenVPN tunnel see OpenVPN settings Page 99 the UDP port 1194 preset can be changed the TCP port 544...

Страница 50: ...s are longer than the set MTU they are fragmented Maximum size 1500 bytes Enter a value 1 500 IP address Enter the IP address of the interface The IP address must be unique Network mask Enter the subnet mask of the subnet you are creating Additional settings for the WAN interface Box Meaning Default gateway When operating a VPN over the Internet additional IP addresses are generally required for t...

Страница 51: ...lling the Web page In the navigation panel select System Network configuration and the DNS tab Creating a new DNS server Make the following settings and then click the Save button Box Meaning Hostname Enter the host name under which SINEMA RC can be reached e g sinemarc example org Externally resolvable host name When activated the host name is included in the VPN configuration and in the configur...

Страница 52: ...t is not otherwise being used e g by the TCP port in OpenVPN Ports 0 1023 are standardized well known ports From the registered ports as of 1024 for example no 1024 is reserved If you use another port as the default port 443 the port number along with the IP address must be entered A colon must be entered between the IP address and the port number as a delimiter Example If SINEMA RC can be reached...

Страница 53: ...ime synchronization was performed The follow ing methods are possible not synchronized synchronized Primary NTP server Enter the IP address or host name of the primary NTP server Secondary NTP server Enter the IP address or host name of the primary secondary NTP server 4 6 4 SMS messages and e mails 4 6 4 1 SMS To wake a station the SINEMA RC Server sends an e mail The e mail is sent to an SMS gat...

Страница 54: ...r SMS NO the phone number the device is used automatically Sender num ber Identification that is transferred in the e mail Subject Subject of the e mail CC E mail address of another recipient The recipient receives only an e mail This could for example be a service techni cian who always wants to be informed when a certain device is woken Text MSG The message text of the wake up SMS message is ent...

Страница 55: ...d does not arrive Calling the Web page In the navigation select System SMS E mail Settings Making settings for the SMTP client Make the following settings in the Settings tab Then click the Save button Box Meaning Method of delivery Direct The e mail is forwarded directly to the SMTP server Via relay host The e mail is forwarded via an SMTP relay server to the recip ient Make the additional settin...

Страница 56: ...d unencrypted via TSL Opportunistic The e mail can be transferred encrypted via TSL If the receiving mail server does not support encrypted transfer the e mail is forwarded via an unencrypted connection This setting is used automatically if you have selected Direct as the Trans mission method Binding The e mail is transferred encrypted via TSL If the receiving mail serv er does not support encrypt...

Страница 57: ...umber of currently activated participants and how many participants can be configured in total Status Active The license is activated and is being used Locked The license is invalid or damaged e g if you have changed the hardware equipment Actions You obtain an overview of the license information This is also displayed for users with the right read only Online license Activating the online license...

Страница 58: ...c WibuCmRaC is stored 3 Send an e mail to your Siemens contact with the following File sinemarc WibuCmRaC License number of the license package 4 If the license package is activated you will receive the offline license sinemarc WibuCmRaU by e mail Save the file in your storage directory 5 Click the Select file button 6 Navigate to the storage directory and select the file 7 Confirm your selection ...

Страница 59: ... is downloaded The update file has the format tar gz The user has access to the storage directory System update Procedure 1 In the navigation select System Update and click on the System update tab 2 Click the Select file button 3 Navigate to the storage directory and select the file tar gz 4 Confirm your selection with the Open button 5 Click the Import button Result The system has been updated D...

Страница 60: ... address A colon must be entered between the IP address and the port number as a delimiter e g 192 168 234 1 622 Fingerprint SFTP server Display of the current fingerprint last working connection If the fingerprint changes e g after renewing the fingerprint the func tion is disabled and a warning message to this effect is entered in the log To be able to upload files to the SFTP server again you n...

Страница 61: ... backup copy was created Name of the creator Name of the user who created the backup copy Size File size of the backup copy Comment Comment on the backup copy The text can be entered when creating or importing a backup copy Status Done The backup copy has been created Restore The system settings from the selected backup copy are restored Actions For this action you require the user right Restore t...

Страница 62: ... backup copies are configured With this function you create a new backup copy with the current settings of the system 1 Click the Create new backup copy button 2 In the dialog that follows if required enter a comment on the backup copy 3 Click the Finish button Result The backup copy is created and displayed in the list of backup copies Note Settings that are not taken The following settings are n...

Страница 63: ...Open button 5 Click the Finish button 6 In Actions click on the Restore button to adopt the system configuration of the selected backup copy Result SINEMA RC Server takes the system settings from the selected backup copy and continues working with these settings All settings made up to this point that have not been saved in a backup copy are lost For more detailed information refer to section Upke...

Страница 64: ...ess When this time elapses user is automatically logged off Debug login port Specify the TCP port via which the system of the SINEMA RC Server is accessed You may need to set up PORT forwarding to SINEMA RC on the Internet router Debug login password Enter the password The new password must be at least 8 characters long and contain special characters upper and lowercase characters as well as numbe...

Страница 65: ...n the navigation select Remote connections Device Displaying entries A list of the devices that have already been created is displayed Box Meaning Name of the device Name of the device VPN address The IP address of the device used during communication via VPN The address is automatically as signed by SINEMA RC If communication via VPN is not active none is displayed Remote subnet The IP address of...

Страница 66: ...the device During connection establishment the device authenti cates itself with the SINEMA RC Server using this information Changing device settings The configuration file with the OpenVPN settings for this device is created and can be saved The file can be exported to the end device A password protected PKCS 12 file is created and can be saved The certificate is derived from the last valid CA Th...

Страница 67: ...ating a new device Page 68 Creating using a CSV file The required settings are stored in a csv file With the Import button the file is loaded on the SINEMA RC Server and the devices are created according to the settings refer to Creating several devices Page 72 Filtering entries 1 Select an entry in Search filter 2 Enter a name or part of the name in the search box 3 Click the Apply filter button ...

Страница 68: ...Z 0 9 and _ conn cannot be used as a name Type of connection 1 Permanent The VPN connection exists permanently 2 Digital input The VPN connection is established as soon as a signal is applied to the digital input 3 Wake up SMS An alarm SMS message is sent to the device 4 Digital input Wake up SMS SMS gateway provider Can only be selected with the type of connection Wake up SMS or Digital input Wak...

Страница 69: ... always enabled and cannot be modi fied IPsec Enable or disable the setting Use fixed VPN address When enabled you can assign the device a fixed VPN address Via the VPN connection the device can always be reached at this VPN address This is only possible when the parameter Activate fixed IP address space is enabled The parameter depends on the VPN connection mode OpenVPN Remote connections Address...

Страница 70: ...D Enter the ID of the VPN tunnel partner Necessary when the VPN tunnel partner evaluates the entry Click the Continue button 4 Using the local subnet If the subnet downstream from the device also needs to be exported enable the check box Connected local subnets Enter the following connection parameters as well Box Meaning Local IP address IP address at which the device in the remote subnet can be ...

Страница 71: ...for local hosts Enable the option NAT for local hosts if a specific destination IP address in the remote subnet needs to be reached via the NAT IP address of the device Enter the following parameters as well Box Meaning Virtual subnet IP ad dress Select the subnet matching the NAT IP address of the device Local host The destination IP address to be reached in the remote subnet Click the Add button...

Страница 72: ...the SINEMA Server Creating a device 1 Check the status of the devices The devices can have the following status Symbol Status Description Valid All settings are OK The device can be created without prob lems Warning A device with this name already exists The settings of this device will be overwritten by the settings from the csv file Invalid The device cannot be imported Either there is a conflic...

Страница 73: ...en the device last requested the firmware Status The device is connected to SINEMA RC Server via VPN The device is disabled The device is not connected to SINEMA RC Server via VPN Actions Deactivate device If the device is connected the existing connection is also deac tivated If the device attempts to establish a VPN connection the device is ignored by the SINEMA RC Server Activate the device aga...

Страница 74: ...End address End address of the address space The address space is limited by the start address and the network mask The end address must be within this range Available networks in total Number of available networks determined from the start address and the end address So that the address space is used for the virtual subnet enable the setting Activate the network address space on the Virtual subne...

Страница 75: ...ons via TCP UDP Applies to OpenVPN connections via UDP Location of the fixed IP address space First The fixed IP addresses are from the starting area of the address space The first IP address is reserved for the SINEMA RC Server The first fixed IP address is always the second IP address after the start IP address Last The fixed IP addresses are from the end area of the address space The last fixed...

Страница 76: ...ber of roles assigned to the group Actions In the participant list all the devices and users belonging to the partic ipant group and their status online or offline are displayed Open the overview for changing the settings for the participant groups Open the overview for changing the communication relations Creating individual participant groups 1 Click the Create button 2 In the following dialog e...

Страница 77: ... connections from the source group are permitted 4 Click the Save button Result The communication between the participant groups is specified You have specified whether communication between the members of this group is permitted or forbidden Changing communication relations between the participant groups 1 In the navigation select Remote connections Communication relations 2 Click on the icon Cha...

Страница 78: ...lready been created along with their status is displayed In addition the temporary users are shown that are created when logging on with Smartcard or the PKI certificate Box Meaning User name The name assigned to the user The user name must be unique throughout the system and can be changed Refer to the note in the section Creating a new user Page 83 VPN address The IP address of the device used d...

Страница 79: ...includes changing the contact data assigning new roles and rights and changing the password Display of which participant group the selected user is assigned to The user can be assigned to one or more groups Deactivate user If the user is online the existing VPN connection is also deactivated When the user attempts to log on the message Account is deactivated is displayed Activate the user again Th...

Страница 80: ...ions Certificate management Create new CA certificates and server certificates edit and delete existing certificates Security Certificates Manage firmware updates Load the update file with the new firmware on the device and start the update process System Devices Update Create backup copies Create delete export and import a backup copy System Backup restore Manage address spaces Edit parameters of...

Страница 81: ...Click the Create button 3 Enter a role name 4 Assign rights to the role according to the next table Click the Next button 5 Specify the password policy Field Description Password expires in days Specifies that the password expires after a certain period Never set as default 30 days 90 days 360 days 14 days before expiry the user receives an e mail Require ment An e mail address is configured for t...

Страница 82: ... made at the logon The attributes of the names Distinguished Name acc to the X 509 standard are used as filter criteria This requires that the attributes are included in the PKI certificate of the user For more detailed information refer to the section Logon with the Smartcard PKI certificates Delete temporary user in hours 0 The setting is disabled The temporary user must be deleted manually 1 72...

Страница 83: ...llowing characters are permitted a z A Z 0 9 and _ The following user name is not allowed admin User names admin As default after the installation the predefined user admin is available admin With this user name and the password admin you can log on once after the installation After this you will be prompted to create a new user The admin role is assigned to this user automatically This administra...

Страница 84: ...utes of the names Distinguished Name acc to the X 509 standard are used as filter criteria This requires that the attributes are included in the end entity certificate of the user As placeholder use the character Click the Next button 4 Assignment of rights and roles Assignment of rights via role assignment In the drop down list select the required role and click Add The user receives the rights a...

Страница 85: ...s of the SINEMA RC Server is translated with NAT IP address of the connection Enter the IP address via which the SINEMA RC Server can be reached Port of the connection Enter the port at which the SINEMA RC Server receives the OpenVPN connection IP protocol Specify whether the OpenVPN connection goes via TCP or UDP Actions To delete click on in the actions 6 Creating participant groups Select one o...

Страница 86: ...ogin Every time the user logs on the user agreement is displayed After accepting the user agreement the user can access the WBM of the SINEMA RC Server Message In the editor enter the text for the user agreement In the toolbar there are tools available for formatting the text The symbols provide brief information in the form of a tooltip After making your entry click the Save button Export Exports...

Страница 87: ... can be re newed The server device and user certificates are derived from the currently valid CA certificate The key exchange between the device and the VPN gateway of the partner takes place automatically when establishing the OpenVPN connection No manual exchange of key files is necessary crt CA certificate Page 90 Server certificate Server certificates are required to establish secure communi c...

Страница 88: ...and private key of the local station the signed certificate of the CA and the public key of the CA pem Certificate and or key as Base64 coded ASCII text key Unprotected Base64 coded private key Additional functions In addition in conjunction with certificates the following functions are also available Exporting used certificates Importing certificates Renewal of expired certificates Replacing exis...

Страница 89: ...which the certificate expires Key length bits Specifies the key length being used The value can be set in the menu Security Certificates Settings tab under Pre ferred key length Signature method Specifies which digital signature method with the corresponding signature key hash value was used for the certificate The value can be set in the menu Security Certificates Settings tab under Pre ferred ha...

Страница 90: ...cate name The name of the CA is generated automatically by the system Expiry time Shows how long the CA certificate is valid You can specify the validity date in the Settings tab There you can also set how many days before expiry of the CA certificate it is automatically renewed Status Active The CA certificate is valid Out of service A newer CA certificate was generated or the CA certificate has ...

Страница 91: ... bits Key length that was set in Settings when this certificate was generated Signature method Signature method with corresponding signature key hash value that was set in Set tings when this certificate was generated SHA1 fingerprint Fingerprint with SHA1 as hash algorithm SHA256 fingerprint Fingerprint with SHA256 SH2 as hash algorithm Alternative names IP The IP address of the WAN interface see...

Страница 92: ... require the following files Certificate file Examples of the content of a certificate file crt pem BEGIN CERTIFICATE END CERTIFICATE BEGIN X509 CERTIFICATE END X509 CERTIFICATE Key file The RSA key file that belongs to the certificate file Examples of the content of a certificate file of a key file pem key Encrypted BEGIN ENCRYPTED PRIVATE KEY END ENCRYPTED PRIVATE KEY Unencrypted BEGIN PRIVATE K...

Страница 93: ... Select file button in Select the CA chain file 7 Select the CA certificate file and confirm your selection with the Open button 8 Click the Next button Details of the signed certificate are displayed on the Activate certificate tab You can for example check whether the certificate is still valid Box Meaning Serial number Number to identify the certificate The serial number is automatically increm...

Страница 94: ...e keys for the procedure Preferred hash method Select the hash method for the certificate SHA256 or SHA512 CA certificate renewal days before expiry Specify how many days before it expires the certificate will be automatically renewed As default the CA certificate of the server is valid for 10 years If for example you specify 365 days a new CA certificate will be generated after 9 years The previo...

Страница 95: ... uses the certificate Importing device certificates 1 To import device certificates click the Import button 2 Select the PKCS12 file p12 and confirm your selection with the Open button 3 The files are password protected To load the files on the device enter the password and repeat the input 4 Click the Next button Details of the CA certificate are displayed on the Activate certificate tab You can ...

Страница 96: ...gned in the certificate Issuer Display of the certificate authority that issued the certificate Valid from Date from which the certificate is valid Valid to Date on which the certificate expires Fingerprint Checksum of the certificate ensure the integrity Delete Deletes the PKI CA certificate Importing PKI CA certificates 1 To import PKI CA certificates click the Import button 2 Select the CA cert...

Страница 97: ...er valid are listed in the certificate revocation list If for example employees leave the company their certificates are called back and included in the list Logging on with this certificate is then no longer possible So that the revocation list is used activate the CRL check on the Settings tab On the Revocation list tab you can see an overview of the available revocation lists Box Meaning Issuer...

Страница 98: ...is stored To use this function the attribute must exist in the PKI CA certificate At certain intervals SINEMA RC downloads the file and uses it You specify the interval on the Settings tab Settings of the certificate revocation list Box Meaning Enable CRL checking When enabled the validity of the user certificate is checked based on the certificate revocation list CRL update interval Specify the i...

Страница 99: ...icate management Page 87 The file must be loaded on the participant in the remote network to which the SINEMA RC Server establishes a VPN connection The SINEMA RC Client always fetches this data automatically The S615 either fetches the data automatically or the file must be loaded This depends on the configuration Downloading an OpenVPN file For devices the file is called in the device list refer...

Страница 100: ...g Connection timeout s Specify the maximum time in seconds that the communications partner waits for a re sponse from the server before the connection is considered to be interrupted This setting is automatically transferred to the client when the connection is established Detection of a connection interruption is achieved with keep alive packets see setting Keep alive interval If the client detec...

Страница 101: ...y s Period after which DPD queries are sent These queries test whether or not the remote station is still reachable Timeout after after DPD query s If there is no response to the DPD query the VPN connection to the re mote station is declared to be invalid after this time interval has elapsed Interface The interface is the local endpoint of the VPN connection Via this inter face the VPN connection...

Страница 102: ...le This also includes changing the settings for phase 1 and 2 4 9 2 5 Creating IPsec profiles Requirement for changing the IPsecVPN settings The user has been assigned the right Edit system parameters Creating a new IPsec profile 1 Open the IPsec profile tab 2 Click the Create button 3 Enter a name for the IPsec profile 4 In Key exchange method specify whether IKEv2 or IKEv1 will be used 5 Make th...

Страница 103: ...rithm SHA 1 256 384 512 Key derivation Select the required Diffie Hellmann group DH from which a key will be generated Lifetime The lifetime of the authentication When the time has elapsed the VPN endpoints involved must authenticate themselves with each other again and generate a new key 7 Click Finish Changing an IPsec profile Change the corresponding user settings Then click the Save button Enc...

Страница 104: ...certificate is created Common name The name used is generated automatically by the system Issuer Display of the certificate authority that issued the certificate The system uses the last valid CA certificate Valid from Date from which the certificate is valid Valid to Date on which the certificate expires Key length bits Specifies the key length being used The value can be set in the menu Security...

Страница 105: ...nter the relevant user password The serial number is automatically incremented by one Exporting a user certificate In the Exports tab you can download personal certificates These include Box Meaning PKCS 12 Download a container in the Personal Information Exchange format PFX PEM Download certificate and key as Base64 coded ASCII text OVPN Download OpenVPN configuration for user 4 10 2 Changing the...

Страница 106: ...Configuring with Web Based Management 4 10 My account SINEMA Remote Connect Server 106 Operating Instructions 11 2017 C79000 G8976 C383 04 ...

Страница 107: ... cannot be read into a system with SINEMA RC version V1 3 Configuring settings Requirement The user has been assigned the right Edit system parameters Procedure 1 In the navigation panel System Backup restore select the Settings tab Enter the number of permitted backup copies An entry between 10 and 30 is permitted When the maximum number is reached the oldest backup copy is overwritten 2 If the s...

Страница 108: ...with the system settings of the SINEMA RC Server has been created Restoring the configuration Requirement On the system the SINEMA RC version is installed with which the backup copy was created Importing the backup 1 In the navigation panel System Backup restore select the Settings tab 2 Enter the same coding key with which the backup was created and save the settings 3 Click the Import backup cop...

Страница 109: ...these All settings made up to this point that have not been saved in a backup copy are lost Backup was imported into a different server hardware with a new installation and the same network settings After adoption the system is restarted and the logon page of SINEMA RC Server is opened The backed up certificates are imported Backup was imported into a different server hardware and a new installati...

Страница 110: ...Upkeep and maintenance 5 1 Backing up and restoring the system configuration SINEMA Remote Connect Server 110 Operating Instructions 11 2017 C79000 G8976 C383 04 ...

Страница 111: ...stablish an OpenVPN connection to an iOS device follow the steps below 1 Log on to the SINEMA RC Server with your user data 2 In the navigation select My account User certificate and click on the Exports tab 3 Click on PKCS 12 to load the user certificate on the iOS device in the format PKCS 12 Install the user certificate 4 Click on PEM to load the CA certificate on the iOS device ...

Страница 112: ...ile with an editor and copy the certificate area to the clipboard With SINEMA RC V1 0 this is the 3rd section As of SINEMA RC V 1 1 6 Click on OVPN to download the OpenVPN configuration file username ovpn 7 Open the file and delete the user certificate from the configuration file Remove everything from pkcs12 BEGIN CERTIFICATE to END CERTIFICATE pkcs12 ...

Страница 113: ... configuration file With SINEMA RC V1 0 Insert ca ca Insert the content of the clipboard between ca and ca As of SINEMA RC V 1 1 Insert everything from ca BEGIN CERTIFICATE to END CERTIFICATE ca 9 Save the configuration file 10 Load the OpenVPN configuration file on the iOS device You can also send yourself the file in an e mail 11 Start the OpenVPN app ...

Страница 114: ...ver application on a virtual machine VM create a partition for a 64 bit Ubuntu system SINEMA RC itself is an application that already brings the 64 bit Ubuntu system with it as the operating system and installs it like an operating system When assigning parameters to the virtual machines base the assignment on the hardware requirements for SINEMA Remote Connect See also Requirements Page 17 ...

Страница 115: ...ateway name of your network provider for example 0123412345678 providersms com Note Check with your network provider whether or not it is necessary to send activation and deactivation SMS messages Your network provider will inform you of the texts and short number Table B 1 Activation and deactivation SMS examples E Plus O2 Germany T Mobile Vodafone SMS gateway name smsmail eplus de o2online de t ...

Страница 116: ...device because it does not establish a connection within a short time wait a suitable time between repetitions Check the log entries Messages such as Mail appeared to be SPAM or forged indicate that this is the case If necessary check with your network provider Not executed The wake up job was transferred to SINEMA RC but not executed Check the connections of SINEMA RC Server including the connect...

Страница 117: ...MS Provider Name of the SMS gateway provider Comment Comment Group Participant group The requirement is that the participant group has already been created Local subnet Local LAN IP address Network mask Network mask of the local LAN IP address Network gateway Device is a network gateway If the device is a network gateway enter Yes Virtual subnet Virtual subnet IP address Network mask Network mask ...

Страница 118: ...Appendix B B 3 Structure of the csv file SINEMA Remote Connect Server 118 Operating Instructions 11 2017 C79000 G8976 C383 04 ...

Страница 119: ...s 54 csv file Importing 72 Structure 116 D Definition of terms 4 Device Creating 68 Import csv 72 Update 73 Device certificate 87 Generating 66 DNS 51 91 Download configuration file 90 105 Downloading the configuration file 66 E Entries Creating 44 Deleting 44 Saving 44 Event log Log archives 49 Log messages 47 F Filter Device list 67 User list 79 G Glossary 6 H Hash method 94 Hostname Guidelines ...

Страница 120: ...mitted characters 21 PKI CA certificates 96 Processor 17 Protection concept 11 R RAM 17 Recommended requirements 17 17 Rights 13 Role Administrator 14 VPN user 14 Roles 13 Running a search 44 S Server Uploading files 60 Server certificate 87 91 Renewing 91 Server certificate 87 91 Service Support 6 SHA256 94 SHA512 94 SIMATIC NET glossary 6 SIMATIC NET manual 5 Start page 42 System Restart 59 Shut...

Страница 121: ...ctions 11 2017 C79000 G8976 C383 04 121 V VPN IPsec 101 OpenVPN 99 101 W Wake up SMS Unsuccessful attempts 116 WAN IP address 91 external 50 WBM Buttons 43 Layout of the window 42 WBM changing the language Web user interface 35 Wrong entry user name 37 ...

Страница 122: ...Index SINEMA Remote Connect Server 122 Operating Instructions 11 2017 C79000 G8976 C383 04 ...

Результаты поиска

Содержание SINEMA Remote Connect

Отзывы:

Похожие инструкции для SINEMA Remote Connect

Бренды по названию

Популярные бренды

Siemens SINEMA Remote Connect, Руководство по эксплуатации

Результаты поиска

Содержание SINEMA Remote Connect

Отзывы:

Похожие инструкции для SINEMA Remote Connect

Бренды по названию

Популярные бренды