
ConnectionBox
Firmware version: 3.2-r0

- Low cost cRSP connection solution
- Cost savings and increased flexibility during parameterization and test
  phase because no external support from Healthcare (cRSP Helpdesk) is
  required
- Easy parameterization through BACnet rerouting
- Support of additional protocols with the Siemens SSL VPN Gateway
- Can be configured with one or two network adapters (as external or
  internal router)
- Vendor independent remote access to BACnet and Non-BACnet devices

Page 1
ConnectionBox 3.2-r0 User Manual

1. Document History

Version  Date         Description                                                          Author

001      November 12  First Draft                                                          deZem
002      November 12  Updated with FW V1.2                                                 Siemens
003      December 12  Updated with additional information                                  deZem
004      June 13      Updated BACnet                                                       Siemens
005      October 13   Update network interfaces, add Change User Credentials               deZem
006      November 13  Update                                                               Siemens
007      February 14  Adding cRSP Gateway Status                                           deZem
008      February 14  Adding pictures and workaround Siemens Win7 client, Log description  Siemens
0085     June 14      Update with FW V3.2                                                  Siemens


Table of Contents

1. Document History
Table of Contents
1. Introduction
    1.1 Workflow Checklist
    1.2 Commissioning checklist
    1.3 General limitations & precautions
2. Mechanical installation
3. Electrical connection
    3.1 Power
    3.2 IP LAN connector
    3.3 USB connectors / USB IP adapter (optional)
    3.4 DIP switch
    3.5 Reset button
    3.6 Status indication
4. Software configuration
    4.1 Web Browser overview
    4.2 Initial Connection
    4.3 ConnectionBox access security
5. Configuration – Basic Setup
    5.1 Network
        5.1.1 One network adapter
        5.1.2 Two network adapters
    5.2 Proxy Settings
    5.3 Date/Time settings
    5.4 NTP server settings
6. EMC Setup
7. VPN Settings
    7.1 Registration of the Client
    7.2 Status
    7.3 Proxy Server Settings
    7.4 Advanced settings
    7.5 De-registration of the Client
8. cRSP Gateway (SSL VPN Gateway)
9. BACnet Settings
    9.1 BACnet Port Settings
    9.2 WAN Port Settings
10. Administration
    10.1 Firmware update
    10.2 Backup and Restore
    10.3 User credentials
11. Diagnostics
    11.1 Log files
12. Network configuration for Siemens clients
    12.1 Windows 7
13. Support
14. Appendix A
15. Appendix B
    15.1 Application example: SSL-VPN Client and BACstack with Desigo PX
16. Appendix B
    16.1 Application example: SSL-VPN Client and SSL-VPN Gateway with Sinteso FS20
17. Appendix C
    17.1 ConnectionBox Checklist


1. Introduction
The purpose of the ConnectionBox is to provide a secure connection from any local
system via the Siemens common Remote Service Platform (cRSP) to any remote device
(BACnet and Non-BACnet) using the Energy Monitoring platform EMC (new name
Advantage™ Navigator) or cRSP Customer Web Portal. Using the Siemens SSL VPN Client
and Siemens BT BACnet Stack, the ConnectionBox allows for local Desigo and 3rd party
controllers to be monitored and configured remotely via BACnet (e.g. XWORKS Plus) over
a secure connection. In parallel it also supports Non-BACnet protocols (e.g. Sinteso
works) by using the Siemens SSL VPN Gateway functionality.

The ConnectionBox can be configured with either the devices in the same IP segment as
the internet access (1-Port Solution) or with an additional network adapter and the
devices in a separate IP segment (2-Port Solution). Both configurations can be applied for
BACnet as well as Non-BACnet devices by using the Siemens BACnet Stack and / or the
SSL VPN Gateway feature.

[Figure: 2-Port Solution and 1-Port Solution. Labels in both diagrams: Web-Configuration,
Engineering Tools (e.g. XWorks plus, FXS 2002), cRSP, SSL-VPN, BAC Stack, SSL VPN Gateway,
Desigo PX, Sinteso FS20.]

This manual describes how to configure the ConnectionBox.


1.1 Workflow Checklist


The table below highlights the workflow required to set up a ConnectionBox. The details of
each step can be found later in the document. Please follow the menu points from top to
bottom.

Workflow                  Description                                                  Chapter  Complete

Commissioning             Read through this workflow list and the commissioning        17.1
Checklist                 checklist before beginning

Commission Devices        The target devices must be installed, and commissioned.
                          Where possible read and save the values for comparison

Commission                The target network should be installed and tested. Testing
Network                   can be completed with various tools, see the chapter at
                          the end of this document

Install                   - Mount and check connections, check and adjust              2
ConnectionBox               DIP Switches                                               3
                          - Power up the ConnectionBox, check the
                            indication LEDs

Connect cross-over        Connect the ConnectionBox to a PC using a cross-over         3.2
IP cable                  Ethernet Patch Cable

Connect USB-LAN           Connect the USB-LAN adapter to the ConnectionBox.            3.3
adapter (optional)        Note the USB port used! Once the SSL-VPN client is
                          installed it cannot be changed.

Connect to                Point internet browser to the address of the                 4
ConnectionBox             ConnectionBox

Basic Setup               - Configure Network with 1 adapter                           5.1.1
configuration             - Configure Network with 2 adapters                          5.1.2
                          - Configure Proxy settings (optional)                        5.2
                          - Configure Date/ Time                                       5.3
                          - Configure NTP Server                                       5.4

EMC configuration         Configure the ConnectionBox to backup configuration to       6
(optional)                EMC (Advantage™ Navigator)

VPN configuration         - Configuration of the SSL VPN client                        7
                          - Register the SSL-VPN client with cRSP Access
                            Server

cRSP Gateway              - Configuration of the SSL VPN Gateway                       8
Configuration             - Used for remote access to FS20 and other Non-
                            BACnet devices
                          - Runs parallel to the BACnet routing

BACnet                    - Configuration of the BACnet settings                       9
Configuration             - Used for remote control of BACnet networks via
                            XWORKS
                          - Runs parallel to the SSL VPN gateway

Administration            - Configure firmware updates                                 10
                          - Backup and restore configuration
                          - Change user and password settings


1.2 Commissioning checklist


The list below is an overview of the required components needed to commission the
ConnectionBox. It does not include the tools needed to install the hardware.

- 12-40 V DC power supply
- Ethernet Crosslink Cable or network with dynamic TCP/IP addressing (DHCP)
- Ethernet Cables for BACnet connections
- Web browser with JavaScript, HTML 4.01 and CSS 2.1 support
- Supported browser: Internet Explorer 9 (IE8 not supported), Firefox or Chrome
- Pop ups have to be enabled in your browser
- Network configuration settings of the BACnet network
- Internet access for VPN communication
- If there is an Internet Proxy, proxy settings from the customer IT department
- ConnectionBox manual
- USB-LAN-Adapter (optional)

1.3 General limitations & precautions


This device is intended for accessing remote networks through a VPN directly from
EMC/cRSP. No other usage scenarios are permitted. Please note that the specifications in
this document are subject to change. The most recent version is available on our
“SWANWEB”:
https://intranet.sbt.siemens.com/swanlink/default.php?tabcard=4b73a4b5&src=advantage_navigator/integrations/ConnectionBox
or from Siemens BT Headquarters in Zug, CH (see below for contact information).
The terms TCP, TCP/IP, etc. all refer to IP version 4. IP version 6 is not supported.
The ConnectionBox may be used with one or two network interfaces. When only one
network interface is used all network traffic goes through the internal network interface
(RJ45 - IP LAN).
If two network interfaces are used, the ConnectionBox’s internal Ethernet interface
connects to the remote network. An internet connection can only be established through
an additional USB-LAN-adapter which should be purchased with the ConnectionBox.
Currently, the ConnectionBox only supports this adapter.


2. Mechanical installation
The device is wall and DIN-rail mountable. To mount the ConnectionBox on a DIN-Rail,
two plastic brackets are needed.
In addition to the physical dimensions of the device, additional space is required for the
wiring.
Note: All interface cable connections between the ConnectionBox and other devices
should be established before connecting the power supply.

[Figure: ConnectionBox with labelled parts: Power supply, DIP switch, RJ45 - IP LAN,
USB port for USB-LAN adapter, Reset button.]


3. Electrical connection
3.1 Power
The ConnectionBox must be powered with an external 12-40 V DC power supply.

3.2 IP LAN connector


The internal IP LAN connector is used to connect to the local network on which the
BACnet devices are installed. If only one network interface is used the whole
communication takes place through the internal IP LAN connector.

3.3 USB connectors / USB IP adapter (optional)


This is only necessary when working with two network interfaces.
The supported USB IP adapter for the ConnectionBox is a Delock “Adapter USB 2.0 >
Ethernet 10/100” Part number 61147.

This adapter can be connected to either USB connector on the ConnectionBox.

NOTE: Once the SSL-VPN client has been registered with cRSP, a registration hash code is
generated that includes information on the USB port that the adapter is connected to.
The USB/IP adapter must not be connected to the other USB Port after registration.

3.4 DIP switch


All DIP switches must be in the ON position.

3.5 Reset button


If the BACnet Monitor is frozen and you cannot connect to the BACnet Monitor for a
software reset - use the reset button. This is a hardware reset.
NOTE: All unsaved data will be lost


3.6 Status indication


The ConnectionBox has seven LEDs for optical status indication.

Description  Green                                                  Yellow

Power        The power is properly applied.                         -
Ready        The system is in operating mode.                       -
Link/Act     The Ethernet interface is connected to the network.    -
             Flashing: Data is transmitted.
P1-P4        -                                                      -


4. Software configuration
4.1 Web Browser overview
The ConnectionBox is configured using a web interface; the layout of the interface is
shown below.

[Figure: web interface layout with the areas Menu, Current settings, Save settings and
Firmware version.]

4.2 Initial Connection


You can easily configure the ConnectionBox by using the integrated web interface. There
are two options to connect the PC to the ConnectionBox:
1. Using the built in IP LAN connector.
The easiest method is to connect to the ConnectionBox using a Switch or with a
crossed network cable connected to a PC.
The network interface of the ConnectionBox is assigned a link-local address from
the address block 169.254.0.0/16 by default. To connect set the IP address of your
PC to 169.254.0.xxx/255.255.0.0 and connect via a switch or crossed network
cable.
2. Using the USB IP Adapter (optional)
The external USB-LAN-adapter uses DHCP by default and can also be used for
configuration.
The web interface hostname is generated from the ConnectionBox MAC address according
to the pattern: HTTP://nmrxxxxxxxxxxxx (where x represents the hexadecimal characters
of the MAC address), e.g. http://nmr001348018C52. Please note that the ConnectionBox
is only accessible in this way from the sub network.


The MAC address is printed on the left side of the device (e.g. 001348018C52).

If there are connection problems please check your network settings. A workaround is
described in chapter 12.

4.3 ConnectionBox access security


The access to the ConnectionBox web configuration interface is protected by a user
name/password. When you enter the hostname in the internet browser, the
ConnectionBox login page appears. Please enter your user name and password. You can
obtain the default user name and password from Field Support or from the product
manager.


5. Configuration – Basic Setup


Once logged into the ConnectionBox, choose “Basic Setup” from the main menu to
configure the network, proxy, time and NTP server settings.

5.1 Network
The ConnectionBox can be configured with one or two network adapters. Select
“Network” in the main menu to configure the network parameters of the ConnectionBox.
To configure two network adapters, the USB-LAN-Adapter must first be connected to the
ConnectionBox.

5.1.1 One network adapter


The built in IP LAN connector is used for all network traffic.
The single interface supports both static IP and DHCP.
If your network connected to the built in IP LAN connector uses DHCP, the IP address can
be obtained automatically by the ConnectionBox once connected.
In all other cases, enter the IP address, subnet mask, gateway and DNS server(s). If you
want to configure more than one DNS server, enter the DNS servers' IP addresses as a
comma-separated list.


Once the parameters have been entered press “Save”.

5.1.2 Two network adapters


1. The built in IP LAN connector.
The built in IP LAN connector is used for the local network that the BACnet devices
are located on. This is referred to as the BACnet Interface.
2. USB IP Adapter
This connector is used for Internet access. This is referred to as the WAN Interface

BACnet Interface: Enter the IP address and subnet mask of your BACnet network
connected to the internal Ethernet interface. This interface does not require a Default
Gateway.


WAN Interface: The WAN interface supports both static IP and DHCP.
If your network connected to the USB-LAN Adapter uses DHCP, the IP address can be
obtained automatically by the ConnectionBox once connected.
In all other cases, enter the IP address, subnet mask, gateway and DNS server(s). If you
want to configure more than one DNS server, enter the DNS servers' IP addresses as a
comma-separated list.

Once the parameters have been entered press “Save”.

5.2 Proxy Settings


Proxy Settings are only required to back up the configuration of the ConnectionBox to
EMC. To change the proxy server settings, select “Proxy Settings” in the main menu. You
can enable or disable the usage of a proxy server. If you enable the usage of a proxy
server, enter the server's hostname or IP address and the port. If the proxy server needs
authentication, enter the user name and password. HTTP Basic Authentication and Digest
Access Authentication are supported.
Note: When using a proxy server you have to configure the same proxy setting in the
“VPN settings” again (see chapter 7.3).

Once the parameters have been entered press “Save”.

5.3 Date/Time settings


To manually change the date and time settings, select “Date/Time Settings” in the main
menu. Enter the new date and time and press “Save”.
Enabled NTP synchronisation will override any manually configured date or time settings.
Do not expect manual date or time adjustments to work if NTP is enabled.
If the time is set into the future, a browser timeout may occur and you may have to enter
your username and password again.


Once the parameters have been entered press “Save”.

5.4 NTP server settings


NTP stands for “Network Time Protocol”. To change the NTP server settings, select “NTP
Server” in the main menu. You can enable or disable the usage of an NTP server. If you
don't use an NTP server, please set the date and time manually.
If you want to configure more than one NTP server, enter the NTP servers' hostnames or
IP addresses as a comma-separated list.
In case the system time differs significantly from the NTP time, refreshing may cause a
browser timeout, in which case you have to log in again.

Once the parameters have been entered press “Save”.


6. EMC Setup
EMC Setup is only required to back up the configuration of the ConnectionBox to EMC. The
configuration of the EMC connection requires several steps and should be finished with a
connection test.
First, the server URI of the EMC server needs to be set. It consists of a protocol (“http”
or “https”), the hostname or IP address of the server, as well as the path to the import
script, as shown in the picture below. You can obtain the EMC server's URI from field
support.
You can enable or disable the verification of the EMC server's SSL certificate. It is strongly
recommended to enable the SSL verification. This option is only relevant if a “https”
server URI is used.
After creating a ConnectionBox (device) login in EMC, you must now enter it in the
ConnectionBox. This information ensures that the values are entered under the correct
EMC account (customer).

Configuration Upload provides the opportunity to upload the configuration files to the
EMC server once every hour if there have been any changes to it since the last upload. If
the option is deactivated there will be no uploads. Save the changes once you are done.
In a final step you can choose to finish the setup with a connection test. If you don't test
the connection to the EMC server, the settings are adopted as is. If the connection test
fails, the new settings will be rejected.
If you receive something like a “certificate error”, check the time and date settings of the
ConnectionBox and set them to the current date and UTC time. The communication between
EMC and the ConnectionBox is secured with a process based on certificates that are only
valid in a given period of time. If these certificates are outdated for the ConnectionBox, the
connection process fails.


7. VPN Settings
This menu allows you to configure SSL-VPN client settings. When the menu item is
selected, an error message dialog is displayed if the client has not been registered.

The VPN Settings page allows you to perform the following operations & functions:
- Register and Deregister the SSL-VPN Client
- View the Status of the SSL-VPN connection
- Configure Proxy Server settings
- Modify Log and Tunnel mode configurations

7.1 Registration of the Client


To register the SSL-VPN client a ConnectionBox Checklist (Chapter 17.1) must be
completed and sent to the local AOC/cRSP responsible. A One Time Password (OTP) is
required to register the client and will be sent via secure email from the local AOC/cRSP
responsible once the system has been created in cRSP.

NOTE: Once the SSL-VPN client has been registered with cRSP, a registration hash code is
generated that includes information on the USB port that the adapter is connected to.
The USB/IP adapter must not be connected to the other USB Port after registration.


Enter the details of the Host name, Site name and One Time Password.

The correct SSL-VPN Access Server must be selected for the region that you are located in.
The Combo box has the following default servers:

Server DMZ location     Server name                       IP address

DMZ Fuerth (Germany)    crsp-sslvpn-fth-p.siemens.com     194.138.37.194
DMZ Malvern (USA)       crsp-sslvpn-nwke-p.siemens.com    12.46.135.194
DMZ Singapore           crsp-sslvpn-sgp-p.siemens.com     194.138.240.119
Release DMZ Fuerth      crsp-sslvpn-fth-r.siemens.com     194.138.37.193

The DMZ servers are separated into three geographical locations. DMZ Fuerth is for
Europe, DMZ Malvern for the Americas and DMZ Singapore for Asia Pacific and Middle
East. The Release DMZ server in Fuerth is for testing purposes. If you are not sure of the
DMZ server that you must register the client to, please contact your local AOC/cRSP
responsible.
It is also possible to type in the Server name and IP address if required.

For most systems once the Host name, Site name and one-time password are entered and
the correct SSL-VPN Server is selected, it is possible to register the client by selecting the
“Register” button.
Additional settings may be required if a Proxy Server is used for internet access.


An info message will be displayed if the system was able to register successfully.

Note that the Registration confirmation message will always display the message that the
system registered successfully to Fuerth VPN server (displaying the URL or IP) even if the
system is configured for Malvern or Singapore. This is because the registration takes place
in two stages: firstly to the selected server and then finally to the Fuerth VPN server. Final
confirmation comes from Fuerth VPN Server.

The “Connectivity Test…” button is also useful to ensure that the ConnectionBox is able to
contact (ping) the selected SSL-VPN Server.


7.2 Status
The status will only be displayed once a VPN connection has been established. Direct
access to the ConnectionBox without using VPN is not monitored.

The status information must be manually updated using the “Refresh” button.

The Status information is useful for monitoring the data traffic amount and if the tunnel is
active.


7.3 Proxy Server Settings


To change the proxy server settings, select “VPN Settings” in the main menu. You can
enable or disable the usage of a proxy server.

If you enable the usage of a proxy server, please enter:

- The Proxy Server's hostname or IP address and the port.
- If the Proxy Server needs authentication, enter the user name and password.

Currently HTTP Basic Authentication and Digest Access Authentication are supported.
If the Proxy Server requires authentication, it is recommended to use a password that
never expires for this system. This may require requesting this configuration specifically
from the customer IT department.

Note: These proxy settings have to be the same as the Proxy Settings in the
Basic Setup menu (see chapter 5.2).


7.4 Advanced settings


The parameters in the advanced settings section usually do not need to be changed. They
should only be changed by experts and are therefore by default hidden.

Selecting the expand button allows modification of Tunnel Mode configuration
parameters and the Log configuration.

[Figure: button to hide or unhide advanced settings.]

Tunnel Mode:
The options “Tunnel Mode” and “Tunnel active” cannot be changed by the user. The
parameters “Idle timer”, “Keep alive timer” and “Response timer” can be set to a value in
seconds.

Log configuration:
The “log level” dropdown lets you select which messages should appear in the log files.
Your options are “detailed”, “debug”, “info”, “warning”, “error” and “fatal”.
“Log file size” determines the maximum number of bytes before the log files are rotated.
The parameter “Log file number” determines how many rotated log files should be kept
available.


Once any parameters are modified, they are updated once the “Save” button is clicked.

7.5 De-registration of the Client


If the ConnectionBox is no longer being used on a system, it is strongly advisable to
deregister the SSL-VPN client before removing it from the site.

This can be performed by selecting the “Deregister…” button. A message is displayed if
the operation was successful.


8. cRSP Gateway (SSL VPN Gateway)


To configure the SSL VPN Gateway click on “cRSP Gateway” in the menu bar. The current
settings are also shown on this page.
The following configurations are possible.

Once the parameters have been entered press “Save”.

Gateway Active: Switches the gateway on or off.
Gateway UDP Mode: Specifies how datagram (UDP) sockets are used internally.
In “connect” mode, only replies from the destination to which a previous datagram
packet was sent are captured. In “bind” mode, replies from any destination are
captured.
Gateway UDP Timeout [s]: Specifies the time in seconds after which a UDP “connection”
to the target system is closed in order to save resources.
Gateway Listener: Specifies the listener address/port for the gateway.
Attention! Do not specify a port number that may be used by other applications, like 80,
443 and 21. Rather choose exotic ports greater than 5000. The best choice is the default
11080 because it is opened in the cRSP firewall. Port 11801, however, is not allowed as it
is already used internally.
Log Level: The dropdown lets you select which messages should appear in the log files.
Maximum Log File Size: Determines the maximum number of bytes before the log files
are rotated.
Maximum Log File Number: Determines how many rotated log files should be kept
available.
Gateway Source White List: List of all source IP addresses that are permitted to use the
cRSP Gateway’s proxy functionality in order to connect to systems “behind” this gateway.
Normally, this should be the systems in the cRSP DMZs.


Gateway Destination White List: List of all destination IP addresses that are reachable
through the cRSP gateway. All managed systems configured in the cRSP database as
“behind” this gateway should be included in this list.
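The difference between the two Gateway UDP Mode settings described above, shown with ordinary UDP sockets on the loopback interface. This is an added example, not ConnectionBox code: it assumes that “connect” and “bind” correspond to a connected and an unconnected datagram socket, and all function names and payloads are made up for the demonstration.

```python
import socket

LOOPBACK = "127.0.0.1"


def open_udp(timeout=0.3):
    """UDP socket on an ephemeral loopback port with a short receive timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((LOOPBACK, 0))
    s.settimeout(timeout)
    return s


def replies_captured(mode):
    """Send one request from a gateway-side socket to a target system.

    Afterwards both the target and an unrelated third socket send a datagram
    back to the gateway's port. Returns the sorted list of
    (payload, sender) tuples the gateway-side socket actually received.
    """
    if mode not in ("connect", "bind"):
        raise ValueError("mode must be 'connect' or 'bind'")

    gateway, target, other = open_udp(), open_udp(), open_udp()
    try:
        if mode == "connect":
            # Connected socket: the kernel only delivers datagrams whose
            # source address and port equal the connected peer.
            gateway.connect(target.getsockname())
            gateway.send(b"request")
        else:
            # Bound-only socket: anything addressed to the port is delivered.
            gateway.sendto(b"request", target.getsockname())

        # The target answers to the address the request came from.
        _, gateway_addr = target.recvfrom(1024)
        target.sendto(b"reply-from-target", gateway_addr)

        # A system the gateway never talked to sends to the same port.
        other.sendto(b"datagram-from-other-system", gateway_addr)

        captured = []
        while True:
            try:
                payload, sender = gateway.recvfrom(1024)
            except socket.timeout:
                break  # nothing more queued for this socket
            origin = "target" if sender == target.getsockname() else "other"
            captured.append((payload.decode(), origin))
        return sorted(captured)
    finally:
        for s in (gateway, target, other):
            s.close()


if __name__ == "__main__":
    for mode in ("connect", "bind"):
        print(mode, replies_captured(mode))
```

In this model, “connect” mode accepts return traffic only from the system the gateway addressed, while “bind” mode hands every datagram that reaches the port to the application, which then has to decide by itself whether the sender is expected.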

The cRSP Gateway Status displays all currently existing and previous gateway connections.


9. BACnet Settings
The BACnet settings page provides options to change the BACnet routing configuration of
the BACnet Port (LAN) and WAN Port network interfaces. Each Interface is configured in a
separate tab.
Always “Save” any changes before changing tabs. “Cancel” sets everything back to the last
saved configuration and opens the first tab.

9.1 BACnet Port Settings


The BACnet port is a logical interface used to address a specific BACnet network. This
interface is connected to the local LAN that contains the BACnet devices.

Port ID: This is the number of the port and has to be a unique number.
Network Number: Care must be taken when allocating BACnet Network Numbers to
ensure that they are unique for the BACnet Internetwork.
The BACnet network numbers are critical when a system is configured with a BACnet
router and the connection is made via ConnectionBox. If duplicated network numbers are
present in a system, the BACnet communications and remote engineering will not
function correctly. When configuring the BACnet settings, ensure that the numbers are
unique for the system.

The configuration of the network numbers for PX controllers is performed in XWP
Network Configurator. Typically the BACnet/LON network will have Network Number 1
and the BACnet/IP network will have Network Number 2. For larger systems this will be
dependent on the topology.

Example of standard BACnet router configuration with the ConnectionBox:

ConnectionBox – BACnet Settings
  WAN Port:    Port 4 / Network 99, BBMD = 1, FDT = 1, UDP = BACA (47818)
  BACnet Port: Port 3 / Network 98, BBMD = 0, FDT = 0, UDP = BAC1 (47809)

BACnet Router Configuration
  BACnet/IP:   Port 2 / Network 2, BBMD = 1, FDT = 1, UDP = BAC1 (47809)
  BACnet/LON:  Port 1 / Network 1, LON segment: SEG01

The BACnet router has the LON connection configured for NET01 (network number 1) and
the IP connection configured for NET02 (network number 2). (Note here that Port 3 could
also be configured for Network 2 to be in the same network as the BACnet router IP
network and it is functionally correct and would work.)

If the remote connection is created using the BBS, it is critical that the network number 1
is not used for defining either of the ConnectionBox networks. This would result in BACnet
communication failure.

UDP Port: This is the port used for BACnet routing. The UDP port must match the port
that has been configured for the BACnet devices on the LAN. This is typically 47808
(0xBAC0).
Attached: This box needs to be ticked so the BACnet daemon establishes a connection.
Otherwise the interface will be ignored.


The BBMD/Foreign Device option should typically never be used. If the system requires
BBMD support it is recommended to configure this using XWorks plus Network
Configurator on the PX controllers.
The possible selections for BBMD/Foreign Device are:
• None
  No BBMD or FD support via ConnectionBox on LAN. This is the recommended
  option.
• BBMD (BACnet Broadcast Management Device)
  This enables the Broadcast Distribution Table and Foreign Device Table options.
• Foreign Device
  The Foreign Device option can be used to specify an IP and UDP port to allow the
  ConnectionBox to register as a foreign device on a BACnet server.

BACnet Configuration File Upload:

The BACnet Configuration File Upload option is an advanced option that should only be
used by expert engineers. The ConnectionBox is installed with the Siemens BT BACnet
Stack and once the interface is expanded, it is possible to modify all BACnet settings and
parameters on both the LAN and WAN connections.

Modifications to these entries should only be performed in cases where BACnet
communication errors occur. The parameters are not checked for consistency.


After any modifications the configuration file must be first saved by pressing the “Save”
button and then reloaded by pressing the “Reload” button on the bottom of the section.

General:
After performing any modification to the BACnet configuration on this tab, the Daemon
must be restarted for the modifications to come into effect.


9.2 WAN Port Settings


This interface is connected to the USB IP adapter that connects to the internet / customer
network with external access.

Port ID: This has to be a unique number. It should be different to the number used on the
BACnet port tab.
Network Number: This is the BACnet network number. See description of this setting
above for the BACnet port. It is very important that this network number is unique for the
BACnet Internetwork.
UDP Port: This is the port used for BACnet routing. The UDP port can be freely defined but
the supported range for cRSP connections is 0xBAC0 to 0xBACF (47808 to 47823). This
UDP port must match the configuration defined in cRSP for the connection.
Attached: This box needs to be ticked so the BACnet daemon establishes a connection.
Otherwise the interface will be ignored.


The BBMD/Foreign Device option should typically be configured for BBMD to allow the
support of Foreign Device Table registration.
The possible selections for BBMD/Foreign Device are:
• None
  No BBMD or FD support via ConnectionBox on LAN. This selection is not
  recommended as it will prevent connection remotely to the systems on the LAN.
• BBMD (BACnet Broadcast Management Device)
  This is the required option.
  This enables the Broadcast Distribution Table and Foreign Device Table options.
  If the system requires BBMD support it is recommended to configure this using
  XWorks plus Network Configurator.
  Foreign Device Table support must be enabled and the default Max. FDT Entries is
  recommended to be set at 16.
• Foreign Device
  The Foreign Device option can be used to specify an IP and UDP port to allow the
  ConnectionBox to register as a foreign device on a BACnet server.

BACnet Configuration File Upload:


This option is identical to the functions described for the BACnet Interface tab.
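
The rules in sections 9.1 and 9.2 can be checked against a planned configuration before commissioning. The following is an added example, not part of the original manual or of the ConnectionBox software: `Port` and `check_plan` are hypothetical names, the sample values are taken from the router example in section 9.1, and the valid network number range 1..65534 comes from the BACnet standard rather than from this manual.

```python
# Added example, not vendor code; Port and check_plan are hypothetical names.
from dataclasses import dataclass

CRSP_UDP_RANGE = range(0xBAC0, 0xBACF + 1)   # 47808..47823, supported for cRSP
VALID_NETWORKS = range(1, 65535)             # BACnet network numbers 1..65534

@dataclass
class Port:                                  # one settings tab (LAN or WAN)
    port_id: int
    network: int
    udp: int
    bbmd: str = "None"                       # "None", "BBMD" or "Foreign Device"
    fdt: bool = False

def check_plan(lan, wan, device_udp, attached_network, other_networks, via_bbs=False):
    """Return a list of findings; an empty list means the plan passes every rule."""
    out = []
    if lan.port_id == wan.port_id:
        out.append("Port ID: LAN and WAN tabs must use different numbers")
    for name, p in (("LAN", lan), ("WAN", wan)):
        if p.network not in VALID_NETWORKS:
            out.append(f"{name}: network number {p.network} outside 1..65534")
        if via_bbs and p.network == 1:
            out.append(f"{name}: network number 1 must not be used with BBS")
    if lan.network == wan.network:
        out.append("LAN and WAN ports share one network number")
    # The LAN port may reuse the number of the IP network it is attached to.
    if lan.network in other_networks - {attached_network}:
        out.append(f"LAN: network number {lan.network} duplicated in internetwork")
    if wan.network in other_networks:
        out.append(f"WAN: network number {wan.network} duplicated in internetwork")
    if lan.udp != device_udp:
        out.append(f"LAN: UDP 0x{lan.udp:04X} differs from devices 0x{device_udp:04X}")
    if wan.udp not in CRSP_UDP_RANGE:
        out.append(f"WAN: UDP 0x{wan.udp:04X} outside 0xBAC0..0xBACF")
    if wan.bbmd != "BBMD" or not wan.fdt:
        out.append("WAN: BBMD with Foreign Device Table support is required")
    if lan.bbmd != "None":
        out.append("LAN: BBMD/Foreign Device should be None")
    return out

# Values from the manual's router example: the router uses network 1 (LON) and 2 (IP).
ROUTER_NETWORKS = {1, 2}
good = check_plan(Port(3, 98, 0xBAC1), Port(4, 99, 0xBACA, "BBMD", True),
                  device_udp=0xBAC1, attached_network=2, other_networks=ROUTER_NETWORKS)
# Constructed faulty plan: reused network number 1 and an out-of-range WAN UDP port.
bad = check_plan(Port(3, 1, 0xBAC1), Port(4, 99, 0xBAD0, "None"),
                 device_udp=0xBAC1, attached_network=2, other_networks=ROUTER_NETWORKS,
                 via_bbs=True)
```

The plan from section 9.1 yields no findings; the constructed faulty plan yields four.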


10. Administration
10.1 Firmware update
Updating the firmware of the ConnectionBox is a two-step process. First, you need to
upload the firmware, and then you have to apply the update.
To update the firmware of the ConnectionBox, you have to establish a network connection
between your PC and the ConnectionBox. Open the web configuration interface, select
“Administration” and “Firmware” from the main menu and then browse to the firmware
image file on your PC.

[Screenshot callout: Choose the firmware file from the dropdown menu]

Once you press the “Upload firmware” button, the firmware image is transmitted to the
ConnectionBox and validated but not yet applied.
To apply the firmware update, choose the firmware file from the dropdown menu.
Subsequently, click “Update firmware”. The firmware is then copied to the flash memory.
The firmware update may take several minutes. The progress is indicated on your screen.
DO NOT RESTART OR POWER OFF THE CONNECTIONBOX WHILE A FIRMWARE UPDATE
TAKES PLACE!
A message will show once the update has been successfully copied. You need to reboot
the ConnectionBox now.
Unneeded firmware files should be removed from the dropdown menu. To do so, choose
the firmware file and then press “Remove firmware”.


10.2 Backup and Restore

To back up, restore or reset the configuration of the ConnectionBox, open the web
configuration interface and select “Administration” and “Firmware” from the main menu. You
can back up the configuration to EMC or as a text file to your local computer.
To back up the configuration to EMC you have to create a device login in EMC as described
in chapter “EMC Setup”. If a proxy is required, it must be configured in “Basic Setup” ->
“Proxy Settings”.
To back up the configuration to your local computer, press the button and select a location
and a file name for the configuration file. Then press the Save button.
To restore a configuration, browse to the configuration file on your PC and press the
“Restore configuration” button. If you want to restore a configuration from EMC, you have
to download the configuration file from EMC to your PC first. Restore is only possible
from your PC.

10.3 User credentials

To change the user credentials select “Administration” and “Login”. To change the user
name you have to enter the new user name and the current password. To change the
password you must enter the current password and the new password.
The ConnectionBox allows only secure passwords: a password has to consist of at least 8
characters, with upper and lower case letters, at least 1 number and 1 special character.
The initial password for a brand new box is NMRwebAccess#1.

11. Diagnostics
11.1 Log files
The ConnectionBox logs important system events in log files. To view the log files,
select “Log Viewer” from the main menu.
You will see a list with the log files. If you click on a log file name, the recent log
messages are shown. You can browse through the log files by clicking the buttons
“older” and “newer” or choose a specific page from the drop down menu. Older
pages have higher numbers. The “Refresh”-button reloads the page currently
viewed.

These log files are intended for advanced diagnostics of the SSL-VPN Client.
The SSL-VPN client creates log files for the SSL-VPN tunnel status, the SSL-VPN
service and SSL-VPN administration of the client.
The cRSP-Gateway creates log files for the Gateway Proxy, the Gateway Service and
Gateway Administration.

For both the SSL-VPN Client and cRSP-Gateway you can modify the Log Level in the
configuration tabs.


12. Network configuration for Siemens clients


If your Siemens client PC has connection problems with the BACnet
Monitor, you have to activate NetBIOS over TCP/IP.

12.1 Windows 7

Step 1: Open the Network Connections in the control panel.

Step 2: Choose Properties.

Step 3: Double click on Internet Protocol Version 4.

Step 4: Click on Advanced.

Step 5: Activate Default in the WINS register and click OK.

Now the connection to the BACnet Monitor should work.


13. Support
For 1st level technical Support with ConnectionBox please contact your local AOC
Support.
The following contact partners are internally available for 2nd level support and
questions from the AOC specialists regarding ConnectionBox:

Field Support
  Morof, Markus
  Siemens Switzerland Ltd.
  Field Support Head
  IC BT CPS REM MS FS
  Gubelstrasse 22, 6301 Zug
  Switzerland
  Phone: +41 (41) 724-5104
  E-mail: markus.morof@siemens.com

Product Management
  Wirth, Winfried
  Siemens Switzerland Ltd.
  BAU LCM VAS
  IC BT BAU LCM VAS
  Gubelstrasse 22, 6301 Zug
  Switzerland
  Phone: +41 (41) 724-2463
  E-mail: winfried.wirth@siemens.com


14. Appendix A
Technical Overview

Technical Details:
• Operating voltage: 12 – 40 VDC
• Energy consumption: max. 5 VA
• Dimensions (H x W x D): 108.8 x 102.5 x 25.6 mm
• Operating temperature: 0-70°C
• IP20
Connectivity:
• 1x Port RS232/RS422/RS485
• 3x RS232
• 1x RJ45 Ethernet 10/100 Mbit/s
• 2x USB 2.0 (one is used for the second Ethernet connection via USB-LAN adapter)
CPU:
• ARM920T Processor with 200 MIPS at 180 MHz
• Memory Management Unit
Operating System:
• Embedded Linux Version 2.6.32.27
Memory:
• 64MB SDRAM
• 16MB Flash


15. Appendix B
15.1 Application example: SSL-VPN Client and BACstack with Desigo PX

In this application example the XWorks plus engineering tool connects to a PXC controller via
BACnet. The connection through internet is secured by a VPN tunnel established between the
common remote service platform cRSP and the ConnectionBox. The involved ConnectionBox
components are SSL-VPN Client and BACstack.

Example IP addresses and involved components:

[Figure: Web-Configuration and XWorks plus Engineering connect via cRSP to the
ConnectionBox (SSL-VPN, Cimetrics BACstac Routing Edition V6), which connects to the PXC.]

Network Adapter: USB Adapter
  IP: 192.168.220.140
  SM: 255.255.255.0
  DG: 192.168.220.1

Network Adapter: cRSP SSL-VPN (BACstac Port 1)
  IP: 14.252.130.231
  SM: 255.255.255.0
  DG: -
  BBMD = 1, FDT = 1, UDP = BAC0 (47808)

Network Adapter: LAN (BACstac Port 2)
  IP: 192.168.1.163
  SM: 255.255.255.0
  DG: -
  BBMD = 0, FDT = 0, UDP = BAC9 (47817)

PXC: 192.168.1.162 (BAC9)


16. Appendix B
16.1 Application example: SSL-VPN Client and SSL-VPN Gateway with Sinteso FS20

In this application example, the connection of the Sinteso Works FXS 2002 engineering tool
through the internet to a Sinteso FS20 panel is secured by a VPN tunnel established between
the common remote service platform cRSP and the ConnectionBox. The involved ConnectionBox
components are SSL-VPN Client and SSL-VPN Gateway.

Example IP addresses and involved components:

[Figure: Sinteso Works FXS 2002 connects via cRSP to the ConnectionBox (SSL-VPN,
SSL-VPN Gateway (GWW)), which connects to the Sinteso FC20xx.]

Network Adapter: USB Adapter
  IP: 192.168.220.140
  SM: 255.255.255.0
  DG: 192.168.220.1

Network Adapter: cRSP SSL-VPN
  IP: 14.252.130.231
  SM: 255.255.255.0
  DG: -
  SSL-VPN Gateway: Gateway Destination white list

Network Adapter: LAN
  IP: 192.168.1.163
  SM: 255.255.255.0
  DG: -

Sinteso FC20xx


17. Appendix C
17.1 ConnectionBox Checklist

ConnectionBox Checklist V1.0


This checklist must be completed before installing and commissioning the ConnectionBox.
Please complete all fields and send to your country AOC/cRSP responsible. If all the
required information is completed you will then receive a One Time Password to register the
device with cRSP.

1. Customer Information

Please enter the information about the customer and the place of installation. If the place of
installation is the same as the Customer address leave it empty.

Customer:
• Customer Name
• Street & number
• Postcode - City
• Country

Place of Installation:
• Customer Name
• Street & number
• Postcode - City
• Country

Please indicate the type of system on the customer site:
[ ] Building Automation    [ ] Fire / Security

2. Contact information

Siemens Project Responsible:
• Name
• Phone Number
• Email (This email will be used to send the One Time Password once the system has
  been configured in cRSP.)

Customer Local Contact:
• Name
• Phone Number
• Email

3. cRSP SSL-VPN details

Note that there should be a naming convention for the Customer System in your region. The
cRSP Customer System Name must be unique within EMC.

• cRSP Customer Site Name
• cRSP Customer System Name
• One Time Password (OTP)
• Planned date of installation

Note: The OTP will be generated by cRSP and sent via secure email. It will then be possible
to register the ConnectionBox SSL-VPN client using the information above.


4. Applications required

By default the following application will be configured for the connection in cRSP. If the
BACnet UDP port used on the WAN connection is not standard (0xBAC0) please specify the
UDP port required.

Application                 | Comment
Ping                        |
Extended Web Application    |
BACnet                      |

5. Comments & Notes
