http://support.automation.siemens.com/WW/view/en/99681624
The Application Examples are not binding and do not claim to be complete
regarding the circuits shown, equipping and any eventuality. The Application
Examples do not represent customer-specific solutions. They are only intended
to provide support for typical applications. You are responsible for ensuring that
the described products are used correctly. These application examples do not
relieve you of the responsibility to use safe practices in application, installation,
operation and maintenance. When using these Application Examples, you
recognize that we cannot be made liable for any damage/claims beyond the
liability clause described. We reserve the right to make changes to these
Application Examples at any time without prior notice.
If there are any deviations between the recommendations provided in these
application examples and other Siemens publications e.g. Catalogs the
contents of the other documents have priority.
We do not accept any liability for the information contained in this document.
Any claims against us based on whatever legal reason resulting from the use of
the examples, information, programs, engineering and performance data etc.,
described in this Application Example shall be excluded. Such an exclusion shall
not apply in the case of mandatory liability, e.g. under the German Product Liability
Act (Produkthaftungsgesetz), in case of intent, gross negligence, or injury of life,
body or health, guarantee for the quality of a product, fraudulent concealment of a
deficiency or breach of a condition which goes to the root of the contract
(wesentliche Vertragspflichten). The damages for a breach of a substantial
contractual obligation are, however, limited to the foreseeable damage, typical for
the type of contract, except in the event of intent or gross negligence or injury to
life, body or health. The above provisions do not imply a change of the burden of
proof to your detriment.
Any form of duplication or distribution of these Application Examples or excerpts
hereof is prohibited without the expressed consent of Siemens Industry Sector.
Security information
Siemens provides products and solutions with industrial security functions that
support the secure operation of plants, solutions, machines, equipment and/or
networks. They are important components in a holistic industrial security
concept. With this in mind, Siemens products and solutions undergo continuous
development. Siemens recommends strongly that you regularly check for
product updates.
For the secure operation of Siemens products and solutions, it is necessary to
take suitable preventive action (e.g. cell protection concept) and integrate each
component into a holistic, state-of-the-art industrial security concept. Third-party
products that may be in use should also be considered. For more information
about industrial security, visit http://www.siemens.com/industrialsecurity.
To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit
http://support.automation.siemens.com.
Security: TSAdapter_TIAV13
Entry ID: 99681624, V1.0, 09/2014
Table of Contents
Warranty and liability ............................................ 2
1 Task .............................................................. 4
  Task .............................................................. 4
  Possible solution ................................................. 4
  Characteristics of the solution ................................... 5
History ............................................................ 30
1.1 Task
The task is to establish a secure connection between two networks (e.g.,
automation networks or individual devices) via the Internet or a company's internal
network.
The following customer requirements have to be considered:
Protection against spying and data manipulation.
Prevention of unauthorized access.
Easy handling and integration.
Use of existing addresses and addressing schemes.
Transparency (or easy use) for users.
1.2 Possible solution
Complete overview
The figure below shows one way of implementing the customer requirements:
[Figure: Service PC with TIA Portal (VPN client) - Modem/Router - Internet - Internet Router SCALANCE M874-x with static WAN IP address - TS Adapter IE Advanced (VPN server) - Industrial Ethernet - SIMATIC S7 stations in the automation cell. The VPN tunnel runs between the service PC and the TS Adapter IE Advanced.]
The connection between the service PC and the automation cell (nodes such as
SIMATIC stations, panels, drives, PCs) is protected by a VPN tunnel.
In this example, TIA Portal (V12 SP1 or higher) and the TS Adapter IE Advanced
form the two tunnel endpoints for the secure connection. The TS Adapter IE acts
as the VPN server, the PC with TIA Portal acts as the VPN client.
Access to the TS Adapter IE (VPN server) from the WAN is predefined by the use
of a static WAN IP address.
WAN access on the client side is flexible; the IP address of the WAN port is not
relevant.
When establishing the VPN tunnel, the roles are defined as follows:
Table 1-1
Component                 VPN role
TS Adapter IE Advanced    VPN server
TS Adapter IE Advanced
The TS Adapter IE Advanced allows access, through the Internet, to all automation
components of a plant - e.g., S7 CPUs - that are connected to Industrial Ethernet.
TIA Portal V12 SP1 or higher running on a PG/PC with at least Windows 7 or
Windows Server 2008 allows convenient remote maintenance of a plant through
the Internet, including enhanced security mechanisms.
Together, the TS Adapter IE Advanced and TIA Portal provide the following functions:
SSTP VPN (data encryption and authentication) for remote maintenance
IPv4 and IPv6 support on the WAN interface (IPv6 for firmware version 1.1.0 or
higher)
Time-controlled WAN connectivity
Packet filter configuration
Enabling and disabling routes (VPN tunnel, Internet access)
Router functionality (port forwarding, NAT, DynDNS (with IPv6))
1.3 VPN, certificates,
2.1
2.1.1 Software packages
To work with the TS Adapter IE Advanced, you need a PC with a "Windows 7"
operating system (or higher) and the "TIA Portal" software (V12 SP1 or higher).
Install this software on a PC/PG.
Required devices/components:
To set up the environment, use the following components:
A TS Adapter IE Advanced (optional: A DIN rail installed accordingly, including
fitting accessories).
A 24V power supply with cable connector and terminal block plug.
DSL access with a dynamic WAN IP address and a DSL router (e.g.
SCALANCE M81x-1).
DSL access with a static WAN IP address and a DSL router (e.g. SCALANCE
M81x-1).
A PC on which "Windows 7" and "TIA Portal" are installed.
The necessary network cables, TP cables (twisted pair) according to the IE FC
RJ45 standard for Industrial Ethernet.
Note
You can also use another Internet access method (e.g., UMTS).
The configuration described below refers explicitly to the components listed in
"Required devices/components".
IP addresses
For this example, the IP addresses are assigned as follows:
[Figure: Service PC with TIA Portal (192.168.2.89) - DSL Router1 (LAN 192.168.2.1, dynamic WAN IP) - Internet - DSL Router2 SCALANCE M874-x (static WAN IP, LAN 172.16.0.1) - TS Adapter IE Advanced, VPN server (WAN 172.16.47.1, LAN 172.22.80.2) - Industrial Ethernet. The VPN tunnel runs between the service PC and the TS Adapter IE Advanced.]
Table 2-1
Component       Port        IP address              Router         Subnet mask
Service PC      LAN port    192.168.2.89            192.168.2.1    255.255.255.0
DSL router1     LAN port    192.168.2.1             -              255.255.255.0
DSL router1     WAN port    Assigned by provider    -              -
DSL router2     WAN port    Assigned by provider    -              -
DSL router2     LAN port    172.16.0.1              -              255.255.0.0
TS Adapter IE   WAN port    172.16.47.1             172.16.0.1     255.255.0.0
TS Adapter IE   LAN port    172.22.80.2             -              255.255.255.0
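A consistency check of the address plan in Table 2-1, written as an added Windows PowerShell example that is not part of the Siemens application example. It verifies that every listed default gateway lies in the subnet of the port that uses it and that the LAN subnets on the service PC side, on DSL router2 and on the plant network are disjoint, which routing through the VPN tunnel requires; the provider-assigned WAN addresses are left out because they are not known in advance.

```powershell
# Added example (not from the Siemens document): checks the address plan of
# Table 2-1 before the devices are parameterized. Runs on Windows 7 PowerShell 2.0.

function ConvertTo-AddressNumber {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                 # network byte order -> little endian
    return [long][BitConverter]::ToUInt32($bytes, 0)
}

function Get-NetworkNumber {
    param([string]$Address, [string]$Mask)
    return (ConvertTo-AddressNumber $Address) -band (ConvertTo-AddressNumber $Mask)
}

# Two networks overlap when one of them contains the other's network address.
function Test-NetworkOverlap {
    param([string]$AddrA, [string]$MaskA, [string]$AddrB, [string]$MaskB)
    $aInB = (Get-NetworkNumber $AddrA $MaskB) -eq (Get-NetworkNumber $AddrB $MaskB)
    $bInA = (Get-NetworkNumber $AddrB $MaskA) -eq (Get-NetworkNumber $AddrA $MaskA)
    return ($aInB -or $bInA)
}

# Rows of Table 2-1 (WAN ports with provider-assigned addresses omitted).
$Plan = @(
    @{ Component = 'Service PC';    Port = 'LAN'; IP = '192.168.2.89'; Gateway = '192.168.2.1'; Mask = '255.255.255.0' },
    @{ Component = 'DSL router1';   Port = 'LAN'; IP = '192.168.2.1';  Gateway = $null;         Mask = '255.255.255.0' },
    @{ Component = 'DSL router2';   Port = 'LAN'; IP = '172.16.0.1';   Gateway = $null;         Mask = '255.255.0.0'   },
    @{ Component = 'TS Adapter IE'; Port = 'WAN'; IP = '172.16.47.1';  Gateway = '172.16.0.1';  Mask = '255.255.0.0'   },
    @{ Component = 'TS Adapter IE'; Port = 'LAN'; IP = '172.22.80.2';  Gateway = $null;         Mask = '255.255.255.0' }
)

function Test-AddressPlan {
    param([object[]]$Rows)
    $problems = @()
    # 1) Every default gateway must be reachable on the port's own subnet.
    foreach ($r in $Rows) {
        if ($r.Gateway -and (Get-NetworkNumber $r.IP $r.Mask) -ne (Get-NetworkNumber $r.Gateway $r.Mask)) {
            $problems += '{0} {1} port: gateway {2} is not in the subnet of {3}/{4}' -f $r.Component, $r.Port, $r.Gateway, $r.IP, $r.Mask
        }
    }
    # 2) Distinct LAN subnets must not overlap, otherwise routes through the tunnel are ambiguous.
    $subnets = @{}
    foreach ($r in ($Rows | Where-Object { $_.Port -eq 'LAN' })) {
        $key = '{0}/{1}' -f (Get-NetworkNumber $r.IP $r.Mask), $r.Mask
        if (-not $subnets.ContainsKey($key)) { $subnets[$key] = @{ IP = $r.IP; Mask = $r.Mask; Who = $r.Component } }
    }
    $keys = @($subnets.Keys)
    for ($i = 0; $i -lt $keys.Count; $i++) {
        for ($j = $i + 1; $j -lt $keys.Count; $j++) {
            $a = $subnets[$keys[$i]]; $b = $subnets[$keys[$j]]
            if (Test-NetworkOverlap $a.IP $a.Mask $b.IP $b.Mask) {
                $problems += 'LAN subnet of {0} overlaps LAN subnet of {1}' -f $a.Who, $b.Who
            }
        }
    }
    return $problems
}

$result = @(Test-AddressPlan -Rows $Plan)
if ($result.Count -eq 0) { 'Address plan of Table 2-1 is consistent' } else { $result }
```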
2.1.2 Service PC
Installed software
The following software packages are relevant on the service PC:
TIA Portal software as the remote end for the VPN connection to the TS
Adapter IE Advanced.
Web browser to parameterize the TS Adapter IE Advanced.
Deleting the CA certificate
If you suspect that a CA certificate is misused, you should generate a new CA
certificate for security reasons. Make sure that the new CA certificate is replaced
for all service PCs involved (delete the old CA certificate and import the new one).
For security reasons, you should regularly generate new CA certificates.
To delete a CA certificate, please follow the instructions from Chapter 5 (Appendix:
Handling CA Certificates).
Installing the CA certificate
The initial configuration of the TS Adapter IE Advanced is done via a local HTTPS
connection. As, at this time, a CA certificate for this TS Adapter IE Advanced has
not yet been installed on the service PC, a security warning is displayed. You can
acknowledge this security warning or install the CA certificate supplied on the CD
in the Windows certificate store before first commissioning. To do this, please
follow the instructions from Chapter 5 (Appendix: Handling CA Certificates).
TIA Portal
Use the TIA Portal V13 engineering software to create a new project.
Web interface of the TS Adapter IE Advanced
To open the Web interface, you have the following options:
Open a directly connected Web browser with TIA Portal.
Open a Web browser via a remote connection with TIA Portal.
Directly connected standard Web browser.
This example uses the "Open a directly connected Web browser with TIA Portal"
method.
Please follow the instructions from Chapter 4 (Appendix: Using TIA Online
Functions).
Note
More information on the options to open the Web interface can be found in the
appropriate chapter in the TS Adapter manual at the following link:
https://www.automation.siemens.com/mdm/default.aspx?DocVersionId=65739502731&Language=en-EN&TopicId=65449369483&guiLanguage=en
2.1.3
Note
Some routers allow remote access via an Internet connection (HTTPS port 443).
In this case, it is not possible to forward port 443 to the TS Adapter IE Advanced
using port forwarding. For remote access to the router, you have to use another
port (e.g., port 5443).
Port 443 is the default port for VPN connections (SSTP) in Windows - and
therefore also for the TS Adapter IE - and cannot be changed.
2.1.4 TS Adapter IE Advanced
2.1.5 Service PC
[Figure: port assignment - Service PC (LAN port) - DSL Router1 (LAN port, WAN port) - Internet - DSL Router2 SCALANCE M874-x with static WAN IP address (WAN port, LAN port) - TS Adapter IE Advanced, VPN server (WAN port, LAN port).]
Table 2-2
Component       Local port    Partner        Partner port
Service PC      LAN port      DSL router1    LAN port
TS Adapter IE   WAN port      DSL router2    LAN port
TS Adapter IE   LAN port      -              -
2.2
2.2.1 Components used
This solution uses the following components: TS Adapter IE Advanced and "TIA
Portal V13 Update 3".
Physical connection between the PC and the TS Adapter IE Advanced
Connect the service PC to a free LAN port of the TS Adapter IE Advanced and
change the network settings on the service PC as follows:
IP address: 172.22.80.100
Subnet mask: 255.255.255.0
Opening the Web interface
Open the Web interface of the TS Adapter IE Advanced via TIA Portal.
To do this, please follow the instructions from Chapter 4 (Appendix: Using TIA
Online Functions).
2.2.2 System Clock
Among other things, the system time is used to generate certificates. Set the time
as follows:
1. Enter the system time parameters. The time must be entered in UTC format.
1. In the "Password" field, enter a new administrator password and reenter the
password to confirm it.
When choosing the password, make sure that it complies with the password
check rules ("Specific Password Settings").
CA certificate generation
The last step of the guided tour prompts you to generate a new CA certificate. This
overwrites the default CA certificate.
2.2.3 Preparation
Open the Web interface of the TS Adapter IE Advanced via TIA Portal.
To do this, please follow the instructions from Chapter 4 (Appendix: Using TIA
Online Functions).
Log on as an administrator and use the new password (see Chapter 2.2.2).
IP parameters - Public Network
Now you define how the TS Adapter IE Advanced can be accessed remotely.
2. In "Remote address", enter the static WAN IP address of your DSL access
point.
3. For the WAN interface, select "Static" in "IP address assignment" and enter the
IP address for the WAN interface as listed in Table 2-1.
As the DNS server, use the IP address of the DSL router's LAN interface.
1. In the navigation bar, go to "Parameters" > "Plant Network" > "IP parameters".
Enter any available IP address that is in the same subnet as the plant network
(automation network on the LAN interface of the TS Adapter).
Connection parameters
Depending on the application, access to the TS Adapter via the WAN interface can
be configured differently. Remote maintenance via VPN is desired for this example.
To enable it, proceed as follows:
Creating a user
To enable the service PC to establish a VPN connection to the TS Adapter IE
Advanced, a login with a user name and password is required.
During the initial configuration, only the "Administrator" user is entered in the TS
Adapter. As this user cannot establish a VPN connection, another user has to be
entered.
To create a new user, proceed as follows:
2. In the appropriate text boxes, enter a user name and password. Confirm the
password.
When choosing the password, make sure that it complies with the password
check rules ("Specific Password Settings").
Result
The parameterization of the TS Adapter for remote maintenance is complete.
2.2.4 Final steps
Service PC
To establish a VPN connection, it is mandatory to store the CA certificate
generated by the TS Adapter in the Windows certificate store (local computer).
To do this, please follow the instructions from Chapter 5 (Appendix: Handling CA
Certificates).
Infrastructure
1. Connect the PC (TIA Portal) to the LAN interface of DSL router1.
2. Assign the required network configuration to the network card as shown in
Table 2-1.
3. In all devices on the LAN port of the TS Adapter IE Advanced, enter the default
gateway (IP address of the LAN port).
2.3
5. In the appropriate text boxes, enter the WAN IP address of DSL router2 (DSL
router of the TS Adapter IE Advanced to be contacted) and the user name and
the associated password of the newly created user (see page 19).
Result
The VPN connection to the TS Adapter is being established. "Status" shows the
progress of the connection establishment process.
Once the VPN connection has been established, the dialog closes. The following
message appears in the status bar of TIA Portal:
"Remote connection is established"
In TIA Portal, the new remote connection appears in the project navigation under
the "TeleService" folder.
This remote connection allows you to open the Web browser of the TS Adapter
from TIA Portal. Log on with the newly created user.
"Information" > "Status" shows the connection status of the remote connection.
Note
If a connection cannot be established, try to find the cause. More information and
troubleshooting help can be found in the appropriate chapter in the TIA manual
at the following link:
https://www.automation.siemens.com/mdm/default.aspx?DocVersionId=63972520715&Language=en-EN&TopicId=58521033355&guiLanguage=en
Result
You get a positive response from the internal node.
Note
In Windows, the default settings of the firewall may prevent ping commands from
passing. You may have to enable the ICMP services of the "Request" and
"Response" type.
4.1 Accessible devices
"Accessible devices" means all devices that are connected to an interface of the
PG/PC and switched on.
To display the accessible devices on a single interface of the PG/PC, proceed as
follows:
1. Open the Project view of TIA Portal and in the project navigation, click the
"Online access" folder.
2. Click the arrow icon to the left of the interface to show all objects located below
the interface.
Note
When a large number of devices are connected, updating may take some time.
The status bar shows the progress of the update process.
4.2 Assigning an IP address
Requirement
To assign an IP address to a device, you have to open the Online and Diagnostics
view of the module using the "Update accessible devices" command (in the project
navigation) (see Chapter 4.1 (Accessible devices)).
Assigning an IP address
To assign an IP address specified by you to the module, proceed as follows:
1. Open the Online and Diagnostics view of the IO device.
2. In the "Functions" folder, select the "Assign IP address" group.
3. Enter the desired IP parameters.
Result:
The IP address is permanently assigned to the Ethernet port of the module. It is
also retained after startup or a power failure.
4.3 TeleService functions
Requirement
To use the TeleService functions, you have to open the Online and Diagnostics
view of the module using the "Update accessible devices" command (in the project
navigation) (see Chapter 4.1 (Accessible devices)).
Opening the Web interface
To parameterize the TS Adapter IE Advanced from TIA Portal, proceed as follows:
1. Open the "TS Adapter IE Advanced" folder in the list of devices.
2. Double-click the "Assign TS Adapter Parameters" command. The assigned
Web interface opens where you can parameterize the TS Adapter.
3. Perform the "logon" for the Web interface.
4. When you log on for the first time or after setting to factory default, the login
data is defined as follows:
Name: Administrator
Password: admin
5.1 Deleting CA certificates
To delete existing CA certificates, proceed as follows.
1. Log on to the system as an administrator.
2. Use Microsoft Management Console to open Windows Certificate Manager
on your PG/PC.
3. To do this, click "Start", enter mmc in the search box and press the ENTER
KEY.
The console opens.
5.2 Installing CA certificates
To install a CA certificate, proceed as follows:
10. Log on to the system as an administrator.
11. Use Microsoft Management Console to open Windows Certificate Manager
on your PG/PC.
12. Click "Start", enter mmc in the search box and press the ENTER KEY.
The console opens.
13. In the "File" menu, click "Add/Remove Snap-In".
The snap-in selection dialog opens.
14. In the "Snap-In" list, double-click "Certificates" and in the next dialog, select
"Computer account".
15. In the next dialog, select the "Local Computer" item and click "Finish" and
"OK".
The Console Root opens and displays the "Certificates (Local Computer)"
folder.
16. Open the displayed "Certificates (Local Computer)" folder and click "Trusted
Root Certification Authorities".
17. Click the "Certificates" folder and use the context menu to select the
"Action" > "All Tasks" > "Import" command.
18. Read the information displayed in the "Certificate Import Wizard" dialog and
click "Next".
19. In the following dialog, click "Search", select the desired CA certificate and
apply it with "Open".
20. Double-click "Next" and then "Finish" to install the CA certificate.
Result
The selected CA certificate is installed in the specified location in the Windows
certificate store.
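The MMC procedures of Chapters 5.1 and 5.2, scripted for Windows PowerShell as an added example that is not part of the Siemens document, together with an age check that supports the advice in Chapter 2.1.2 to renew the CA certificate regularly. The certificate file path and the CA subject name are placeholders to be replaced with the values of your TS Adapter; the script uses the .NET X509Store class rather than the Import-Certificate cmdlet so that it also runs on Windows 7, and must be run from an elevated PowerShell.

```powershell
# Added example (not from the Siemens document): delete, install and check the
# TS Adapter CA certificate in the "Trusted Root Certification Authorities" store
# of the local computer, i.e. the same location as the MMC steps in Chapter 5.

$CaFile    = 'C:\path\to\TSAdapter_CA.cer'    # placeholder: CA certificate exported from the TS Adapter
$CaSubject = 'CN=TS Adapter IE Advanced CA'    # placeholder: subject of the adapter's CA certificate

function Open-RootStore {
    param([string]$Access = 'ReadWrite')
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]$Access)
    return $store
}

# Chapter 5.1: remove the old adapter CA certificate(s) after a new one was generated.
function Remove-TsAdapterCa {
    param([string]$Subject)
    $store = Open-RootStore
    try {
        $old = @($store.Certificates | Where-Object { $_.Subject -eq $Subject })
        foreach ($c in $old) {
            Write-Host ('Removing CA {0}, thumbprint {1}' -f $c.Subject, $c.Thumbprint)
            $store.Remove($c)
        }
        return $old.Count
    } finally { $store.Close() }
}

# Chapter 5.2: import the newly generated CA certificate into Trusted Root (local computer).
function Install-TsAdapterCa {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    # A root CA certificate is self-signed; refuse anything else so that an
    # end-entity or intermediate certificate is never trusted as a root by mistake.
    if ($cert.Subject -ne $cert.Issuer) { throw "Not a self-signed CA certificate: $($cert.Subject)" }
    $store = Open-RootStore
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert
}

# Renewal check: warn when the installed adapter CA is old or close to expiry.
function Test-TsAdapterCaAge {
    param([string]$Subject, [int]$MaxAgeDays = 365, [int]$WarnBeforeExpiryDays = 30)
    $store = Open-RootStore -Access 'ReadOnly'
    try {
        foreach ($c in ($store.Certificates | Where-Object { $_.Subject -eq $Subject })) {
            $age  = (Get-Date) - $c.NotBefore
            $left = $c.NotAfter - (Get-Date)
            if ($age.Days -gt $MaxAgeDays -or $left.Days -lt $WarnBeforeExpiryDays) {
                Write-Warning ('CA {0} is {1} days old and expires in {2} days: generate a new CA on the TS Adapter and distribute it to all service PCs' -f $c.Thumbprint, $age.Days, $left.Days)
            }
        }
    } finally { $store.Close() }
}

# Typical renewal: remove the old CA, import the new one, then verify its validity period.
Remove-TsAdapterCa -Subject $CaSubject | Out-Null
Install-TsAdapterCa -Path $CaFile | Format-List Subject, NotBefore, NotAfter, Thumbprint
Test-TsAdapterCaAge -Subject $CaSubject
```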
6 History
Table 6-1
Version    Date       Modifications
V1.0       09/2014    First version