ConnectionBox
Firmware version: 3.2-r0
ConnectionBox 3.2-r0 User Manual
1. Document History
1. Introduction
The purpose of the ConnectionBox is to provide a secure connection from any local
system via the Siemens common Remote Service Platform (cRSP) to any remote device
(BACnet and Non-BACnet) using the Energy Monitoring platform EMC (new name
Advantage™ Navigator) or cRSP Customer Web Portal. Using the Siemens SSL VPN Client
and Siemens BT BACnet Stack, the ConnectionBox allows local Desigo and 3rd party
controllers to be monitored and configured remotely via BACnet (e.g. XWORKS Plus) over
a secure connection. In parallel it also supports Non-BACnet protocols (e.g. Sinteso
Works) by using the Siemens SSL VPN Gateway functionality.
The ConnectionBox can be configured with either the devices in the same IP segment as
the internet access (1-Port Solution) or with an additional network adapter and the
devices in a separate IP segment (2-Port Solution). Both configurations can be applied for
BACnet as well as Non-BACnet devices by using the Siemens BACnet Stack and / or the
SSL VPN Gateway feature.
[Figure: 1-Port and 2-Port solutions. Labels: Web-Configuration; Engineering Tools (e.g. XWorks plus, FXS 2002); cRSP; SSL-VPN; ConnectionBox with BAC Stack and SSL VPN Gateway; Desigo PX; Sinteso FS20]
2. Mechanical installation
The device is wall and DIN-rail mountable. To mount the ConnectionBox on a DIN-Rail,
two plastic brackets are needed.
In addition to the physical dimensions of the device, additional space is required for the
wiring.
Note: All interface cable connections between the ConnectionBox and other devices
should be established before connecting the power supply.
Reset button
3. Electrical connection
3.1 Power
The ConnectionBox must be powered with an external 12-40 V DC power supply.
NOTE: Once the SSL-VPN client has been registered with cRSP, a registration hash code is
generated that includes information on the USB port that the adapter is connected to.
The USB/IP adapter must not be connected to the other USB Port after registration.
4. Software configuration
4.1 Web Browser overview
The ConnectionBox is configured using a web interface; the layout of the interface is
shown below.
[Figure: web interface layout. Labels: Menu, Current settings, Save settings, Firmware version]
The MAC address is printed on the left side of the device (e.g. 001348018C52).
If there are connection problems, please check your network settings. A workaround is
described in chapter 12.
5.1 Network
The ConnectionBox can be configured with one or two network adapters. Select
“Network” in the main menu to configure the network parameters of the ConnectionBox.
To configure two network adapters, the USB-LAN-Adapter must first be connected to the
ConnectionBox.
BACnet Interface: Enter the IP address and subnet mask of your BACnet network
connected to the internal Ethernet interface. This interface does not require a Default
Gateway.
WAN Interface: The WAN interface supports both static IP and DHCP.
If your network connected to the USB-LAN Adapter uses DHCP, the IP address can be
obtained automatically by the ConnectionBox once connected.
In all other cases, enter the IP address, subnet mask, gateway and DNS server(s). If you
want to configure more than one DNS server, enter the DNS servers' IP addresses as a
comma-separated list.
6. EMC Setup
EMC Setup is only required to back up the configuration of the ConnectionBox to EMC. The
configuration of the EMC connection requires several steps and should be finished with a
connection test.
First, the server URI of the EMC server needs to be set. It consists of a protocol (“http”
or “https”), the hostname or IP address of the server, and the path to the import
script, as shown in the picture below. You can obtain the EMC server's URI from field
support.
You can enable or disable the verification of the EMC server's SSL certificate. It is strongly
recommended to enable the SSL verification. This option is only relevant if a “https”
server URI is used.
After creating a ConnectionBox (device) login in EMC, you must now enter it in the
ConnectionBox. This information ensures that the values are entered under the correct
EMC account (customer).
Configuration Upload provides the opportunity to upload the configuration files to the
EMC server once every hour if there have been any changes to it since the last upload. If
the option is deactivated there will be no uploads. Save the changes once you are done.
In a final step you can choose to finish the setup with a connection test. If you don't test
the connection to the EMC server, the settings are adopted as is. If the connection test
fails, the new settings will be rejected.
If you receive something like a “certificate error”, check the time and date settings of the
ConnectionBox and set them to the current date and UTC time. The communication between
EMC and the ConnectionBox is secured with a process based on certificates that are only
valid for a given period of time. If these certificates are outdated for the ConnectionBox,
the connection process fails.
7. VPN Settings
This menu allows you to configure SSL-VPN client settings. When the menu item is
selected, an error message dialog is displayed if the client has not been registered.
The VPN Settings page allows you to perform the following operations & functions:
Register and Deregister the SSL-VPN Client
View the Status of the SSL-VPN connection
Configure Proxy Server settings
Modify Log and Tunnel mode configurations
NOTE: Once the SSL-VPN client has been registered with cRSP, a registration hash code is
generated that includes information on the USB port that the adapter is connected to.
The USB/IP adapter must not be connected to the other USB Port after registration.
Enter the details of the Host name, Site name and One Time Password.
The correct SSL-VPN Access Server must be selected for the region that you are located in.
The Combo box has the following default servers:
The DMZ servers are separated into three geographical locations. DMZ Fuerth is for
Europe, DMZ Malvern for the Americas and DMZ Singapore for Asia Pacific and Middle
East. The Release DMZ server in Fuerth is for testing purposes. If you are not sure of the
DMZ server that you must register the client to, please contact your local AOC/cRSP
responsible.
It is also possible to type in the Server name and IP address if required.
For most systems once the Host name, Site name and one-time password are entered and
the correct SSL-VPN Server is selected, it is possible to register the client by selecting the
“Register” button.
Additional settings may be required if a Proxy Server is used for internet access.
An info message will be displayed if the system was able to register successfully.
Note that the registration confirmation message will always state that the
system registered successfully to the Fuerth VPN server (displaying the URL or IP) even if the
system is configured for Malvern or Singapore. This is because the registration takes place in
two stages: first to the selected server and then to the Fuerth VPN server. Final
confirmation comes from the Fuerth VPN server.
The “Connectivity Test…” button is also useful to ensure that the ConnectionBox is able to
contact (ping) the selected SSL-VPN Server.
7.2 Status
The status will only be displayed once a VPN connection has been established. Direct
access to the ConnectionBox without using VPN is not monitored.
The status information must be manually updated using the “Refresh” button.
The status information is useful for monitoring the amount of data traffic and whether the
tunnel is active.
Note: These proxy settings must be the same as the Proxy Settings in the
Basic Setup menu (see chapter 5.2).
Tunnel Mode:
The options “Tunnel Mode” and “Tunnel active” cannot be changed by the user. The
parameters “Idle timer”, “Keep alive timer” and “Response timer” can be set to a value in
seconds.
Log configuration:
The “log level” dropdown lets you select which messages should appear in the log files.
Your options are “detailed”, “debug”, “info”, “warning”, “error” and “fatal”.
“Log file size” determines the maximum number of bytes before the log files are rotated.
The parameter “Log file number” determines how many rotated log files should be kept
available.
Modified parameters are updated once the “Save” button is clicked.
Gateway Destination White List: List of all destination IP addresses that are reachable
through the cRSP gateway. All managed systems configured in the cRSP database as
“behind” this gateway should be included in this list.
The cRSP Gateway Status displays all currently existing and previous gateway connections.
9. BACnet Settings
The BACnet settings page provides options to change the BACnet routing configuration of
the BACnet Port (LAN) and WAN Port network interfaces. Each Interface is configured in a
separate tab.
Always “Save” any changes before changing tabs. “Cancel” sets everything back to the last
saved configuration and opens the first tab.
Port ID: This is the number of the port and has to be a unique number.
Network Number: Care must be taken when allocating BACnet Network Numbers to
ensure that they are unique for the BACnet Internetwork.
The BACnet network numbers are critical when a system is configured with a BACnet
router and the connection is made via ConnectionBox. If duplicated network numbers are
present in a system, the BACnet communications and remote engineering will not
function correctly. When configuring the BACnet settings, ensure that the numbers are
[Figure: BACnet network example. Labels: WAN Port, Port 4 / Network 99, BBMD = 1, FDT = 1, UDP = BACA (47818); BACnet/IP, Port 2 / Network 2, BBMD = 1, FDT = 1, UDP = BAC1 (47809); BACnet/LON, Port 1 / Network 1, LON segment: SEG01]
The BACnet router has the LON connection configured for NET01 (network number 1) and
the IP connection configured for NET02 (network number 2). (Note here that Port 3 could
also be configured for Network 2 to be in the same network as the BACnet router IP
network and it is functionally correct and would work.)
If the remote connection is created using the BBS, it is critical that the network number 1
is not used for defining either of the ConnectionBox networks. This would result in BACnet
communication failure.
UDP Port: This is the port used for BACnet routing. The UDP port must match the port
that has been configured for the BACnet devices on the LAN. This is typically 47808
(0xBAC0).
Attached: This box needs to be ticked so the BACnet daemon establishes a connection.
Otherwise the interface will be ignored.
The BBMD/Foreign Device option should typically never be used. If the system requires
BBMD support it is recommended to configure this using XWorks plus Network
Configurator on the PX controllers.
The possible selections for BBMD/Foreign Device are:
None
No BBMD or FD support via ConnectionBox on LAN. This is the recommended
option.
BBMD (BACnet Broadcast Management Device)
This enables the Broadcast Distribution Table and Foreign Device Table options.
BBMD.
Foreign Device
The Foreign Device option can be used to specify an IP and UDP port to allow the
ConnectionBox to register as a foreign device on a BACnet server.
After any modifications the configuration file must be first saved by pressing the “Save”
button and then reloaded by pressing the “Reload” button on the bottom of the section.
General:
After performing any modification to the BACnet configuration on this tab, the Daemon
must be restarted for the modifications to come into effect.
Port ID: This has to be a unique number. It should be different to the number used on the
BACnet port tab.
Network Number: This is the BACnet network number. See description of this setting
above for the BACnet port. It is very important that this network number is unique for the
BACnet Internetwork.
UDP Port: This is the port used for BACnet routing. The UDP port can be freely defined but
the supported range for cRSP connections is 0xBAC0 to 0xBACF (47808 to 47823). This
UDP port must match the configuration defined in cRSP for the connection.
Attached: This box needs to be ticked so the BACnet daemon establishes a connection.
Otherwise the interface will be ignored.
The BBMD/Foreign Device option should typically be configured for BBMD to allow the
support of Foreign Device Table registration.
The possible selections for BBMD/Foreign Device are:
None
No BBMD or FD support via ConnectionBox on LAN. This selection is not
recommended as it will prevent connection remotely to the systems on the LAN.
BBMD (BACnet Broadcast Management Device)
This is the required option.
This enables the Broadcast Distribution Table and Foreign Device Table options.
If the system requires BBMD support it is recommended to configure this using
XWorks plus Network Configurator.
Foreign Device Table support must be enabled and the default Max. FDT Entries is
recommended to be set at 16.
Foreign Device
The Foreign Device option can be used to specify an IP and UDP port to allow the
ConnectionBox to register as a foreign device on a BACnet server.
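The rules this chapter states for the BACnet port and WAN port tabs, collected into a pre-deployment check. This is an added example, not part of the manual or of any Siemens software; the dictionary layout, the `existing` map of site network numbers and all sample values are assumptions made for illustration.

```python
# Added example (not from the manual): pre-deployment check of a planned
# ConnectionBox BACnet configuration against the rules in chapter 9.
# The dict layout and every sample value below are constructed.

CRSP_UDP_PORTS = range(0xBAC0, 0xBACF + 1)  # 47808..47823, WAN side only


def validate_bacnet_plan(lan, wan, existing, uses_bbs=False):
    """Return a list of (rule, message) findings; empty means the plan passes.

    existing maps network numbers already used in the BACnet internetwork to
    a label for the segment that owns them. The LAN tab may reuse a number
    only when it sits on that very segment (lan["segment"]).
    """
    out = []
    if lan["port_id"] == wan["port_id"]:
        out.append(("port-id", "both tabs use Port ID %d" % lan["port_id"]))
    if lan["network"] == wan["network"]:
        out.append(("network", "LAN and WAN share network %d" % lan["network"]))
    if wan["network"] in existing:
        out.append(("network", "WAN network %d already belongs to %s"
                    % (wan["network"], existing[wan["network"]])))
    owner = existing.get(lan["network"])
    if owner is not None and owner != lan["segment"]:
        out.append(("network", "LAN network %d already belongs to %s"
                    % (lan["network"], owner)))
    for name, tab in (("LAN", lan), ("WAN", wan)):
        if uses_bbs and tab["network"] == 1:
            out.append(("bbs", "%s uses network 1 on a BBS connection" % name))
        if not tab["attached"]:
            out.append(("attached", "%s not attached, interface is ignored" % name))
    if lan["udp_port"] != lan["devices_udp_port"]:
        out.append(("udp", "LAN UDP port %d differs from the devices' port %d"
                    % (lan["udp_port"], lan["devices_udp_port"])))
    if wan["udp_port"] not in CRSP_UDP_PORTS:
        out.append(("udp", "WAN UDP port %d is outside 0xBAC0-0xBACF"
                    % wan["udp_port"]))
    if lan["mode"] != "None":
        out.append(("bbmd", "LAN tab: 'None' is the recommended selection"))
    if wan["mode"] != "BBMD":
        out.append(("bbmd", "WAN tab: 'BBMD' is the required selection"))
    return out


# Constructed site: a BACnet router already owns networks 1 (LON) and 2 (IP).
EXISTING = {1: "LON segment", 2: "router IP segment"}
GOOD_LAN = {"port_id": 3, "network": 2, "segment": "router IP segment",
            "udp_port": 0xBAC0, "devices_udp_port": 0xBAC0,
            "attached": True, "mode": "None"}
GOOD_WAN = {"port_id": 4, "network": 99, "udp_port": 0xBACA,
            "attached": True, "mode": "BBMD"}
# Constructed bad plan: clashes with the LAN Port ID, reuses network 1 on a
# BBS connection, and picks a UDP port cRSP does not support.
BAD_WAN = dict(GOOD_WAN, port_id=3, network=1, udp_port=47900)

if __name__ == "__main__":
    for rule, msg in validate_bacnet_plan(GOOD_LAN, BAD_WAN, EXISTING, True):
        print("%-8s %s" % (rule, msg))
```

The LAN tab in the sample reuses network 2 because it sits on the router's IP segment, which the chapter describes as functionally correct; the same number on any other segment is reported.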
10. Administration
10.1 Firmware update
Updating the firmware of the ConnectionBox is a two-step process. First, you need to
upload the firmware, and then you have to apply the update.
To update the firmware of the ConnectionBox, you have to establish a network connection
between your PC and the ConnectionBox. Open the web configuration interface, select
“Administration” and "Firmware" from the main menu and then browse to the firmware
image file on your PC.
Once you press the “Upload firmware”-button, the firmware-image is transmitted to the
ConnectionBox and validated but not yet applied.
To apply the firmware update, choose the firmware file from the drop down menu.
Subsequently, click “Update firmware”. The firmware is then copied to the flash memory.
The firmware update may take several minutes. The progress is indicated on your screen.
DO NOT RESTART OR POWER OFF THE CONNECTIONBOX WHILE A FIRMWARE UPDATE
TAKES PLACE!
A message will show once the update has been successfully copied. You need to reboot
the ConnectionBox now.
Unneeded firmware files should be removed from the dropdown menu. To do so, choose
the firmware file and then press “Remove firmware”.
To back up, restore or reset the configuration of the ConnectionBox, open the web
configuration interface and select “Administration” and "Firmware" from the main menu. You
can back up the configuration to EMC or as a text file to your local computer.
To back up the configuration to EMC you have to create a device login in EMC as described
in chapter "EMC Setup". If a proxy is required, it must be configured in "Basic Setup" ->
"Proxy Settings".
To back up the configuration to your local computer, press the button and select a location
and a file name for the configuration file. Then press the Save button.
To restore a configuration, browse to the configuration file on your PC and press the
"Restore configuration" button. If you want to restore a configuration from EMC, you have
to download the configuration file from EMC to your PC first. Restore is only possible from
your PC.
To change the user credentials select "Administration" and "Login". To change the user
name you have to enter the new user name and the current password. To change the
password you must enter the current password and the new password.
The ConnectionBox accepts only secure passwords: a password has to consist of at least 8
characters, with upper and lower case letters, at least 1 number and 1 special character.
The initial password for a brand new box is NMRwebAccess#1.
11. Diagnostics
11.1 Log files
The ConnectionBox logs important system events in log files. To view the log files,
select “Log Viewer” from the main menu.
You will see a list with the log files. If you click on a log file name, the recent log
messages are shown. You can browse through the log files by clicking the buttons
“older” and “newer” or choose a specific page from the drop down menu. Older
pages have higher numbers. The “Refresh”-button reloads the page currently
viewed.
These log files are intended for advanced diagnostics of the SSL-VPN Client.
The SSL-VPN client creates log files for the SSL-VPN tunnel status, the SSL-VPN
service and SSL-VPN administration of the client.
The cRSP-Gateway creates log files for the Gateway Proxy, the Gateway Service and
Gateway Administration.
For both the SSL-VPN Client and cRSP-Gateway you can modify the Log Level in the
configuration tabs.
12.1 Windows 7
Step 1: Open the Network Connections in the control panel
Step 2: Choose Properties
Step 3: Double click on Internet Protocol Version 4
Step 4: Click on Advanced
Step 5: Activate Default in the WINS register and click OK.
13. Support
For 1st level technical Support with ConnectionBox please contact your local AOC
Support.
The following contact partners are internally available for 2nd level support and
questions from the AOC specialists regarding ConnectionBox:
14. Appendix A
Technical Overview
Technical Details:
Operating voltage: 12 – 40 VDC
Energy consumption: Max. 5 VA
Dimensions (H x W x D): 108.8 x 102.5 x 25.6 mm
Operating temperature: 0-70°C
IP20
Connectivity:
1x Port RS232/RS422/RS485
3x RS232
1x RJ45 Ethernet 10/100 Mbit/s
2x USB 2.0
(one is used for the second Ethernet connection via
USB-LAN adapter)
CPU:
ARM920T Processor with 200MIPS at 180MHz
Memory Management Unit
Operating System:
Embedded Linux Version 2.6.32.27
Memory:
64MB SDRAM
16MB Flash
15. Appendix B
15.1 Application example: SSL-VPN Client and BACstack
with Desigo PX
In this application example the XWorks plus engineering tool connects to a PXC controller via
BACnet. The connection through internet is secured by a VPN tunnel established between the
common remote service platform cRSP and the ConnectionBox. The involved ConnectionBox
components are SSL-VPN Client and BACstack.
[Figure: application example. Labels: cRSP, ConnectionBox, PXC: 192.168.1.162, BAC9]
16. Appendix B
16.1 Application example: SSL-VPN Client and SSL-VPN
Gateway with Sinteso FS20
In this application example the Sinteso Works FXS 2002 engineering tool connection through
internet to a Sinteso FS20 panel is secured by a VPN tunnel established between the common
remote service platform cRSP and the ConnectionBox. The involved ConnectionBox components
are SSL-VPN Client and SSL-VPN Gateway.
[Figure: application example. Labels: Sinteso Works FXS 2002, cRSP, ConnectionBox, Sinteso FC20xx]
17. Appendix C
17.1 ConnectionBox Checklist
1. Customer Information
Please enter the information about the customer and the place of installation. If the place of
installation is the same as the Customer address leave it empty.
Customer
Customer Name
Street & number
Postcode - City
Country
Place of Installation
Customer Name
Street & number
Postcode - City
Country
2. Contact information
Note that there should be a naming convention for the Customer System in your region. The
cRSP Customer System Name must be unique within EMC.
Note: The OTP will be generated by cRSP and sent via secure email. It will then be possible
to register the ConnectionBox SSL-VPN client using the information above.
4. Applications required
By default the following application will be configured for the connection in cRSP. If the
BACnet UDP port used on the WAN connection is not standard (0xBAC0) please specify the
UDP port required.
Application Comment
Ping
Extended Web Application
BACnet