Ba Scalance-S 76
SIMATIC NET
SCALANCE S and SOFTNET Security Client
Operating Instructions

Preface
1 Introduction and basics
2 Product properties and commissioning
3 GETTING STARTED
4 Configuring with the Security Configuration Tool
5 Firewall, router and other module properties
6 Secure communication in the VPN over an IPSec tunnel (S612/S613)
A Tips and help on problems
B Notes on the CE Mark
C References
D Dimension drawing
E Document history

07/2011
C79000-G8976-C196-08
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol; notices referring only to property damage have no safety alert symbol. The notices shown below are
graded according to the degree of danger.
DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION
with a safety alert symbol, indicates that minor personal injury can result if proper precautions are not taken.
CAUTION
without a safety alert symbol, indicates that property damage can result if proper precautions are not taken.
NOTICE
indicates that an unintended result or situation can occur if the relevant information is not taken into account.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions.
Qualified personnel are those who, based on their training and experience, are capable of identifying risks and
avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:
WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended
or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be complied with. The information in the relevant documentation must be observed.
Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.
This manual…
...supports you when commissioning the SCALANCE S602 / S612 / S613 security modules
and the SOFTNET Security Client. The variants SCALANCE S602 / S612 / S613 are simply
called SCALANCE S in the rest of the manual.
Audience
This manual is intended for personnel involved in the commissioning of SCALANCE S
Security Modules and the SOFTNET Security Client in a network.
Further documentation
The "SIMATIC NET Industrial Ethernet Twisted Pair and Fiber Optic Networks" manual
contains additional information on other SIMATIC NET products that you can operate along
with the SCALANCE S security module in an Industrial Ethernet network.
You can download this network manual in electronic format from Customer Support at the
following address:
http://support.automation.siemens.com/WW/view/de/1172207
F1 (context help symbol)
This symbol indicates that detailed help texts are available in the context help. You can call
this with the F1 key or using the "Help" button in the relevant dialog.
References /.../
References to other documentation are shown in slashes /.../. Based on these numbers, you
can find the title of the documentation in the references at the end of the manual.
See also
Example 5: Remote access - VPN tunnel example with MD741-1 and SOFTNET Security
Client (Page 86)
Preface 3
1 Introduction and basics 9
1.1 Uses of the SCALANCE S612, S613 and SOFTNET Security Client 9
1.2 Using the SCALANCE S602 12
1.3 Configuration and administration 14
2 Product properties and commissioning 15
2.1 Product Characteristics 15
2.1.1 Hardware characteristics and overview of the functions 15
2.1.2 Components of the product 17
2.1.3 Unpacking and checking 17
2.1.4 Attachment to Ethernet 17
2.1.5 Power supply 18
2.1.6 Signaling contact 19
2.1.7 Reset button - resetting the configuration to factory defaults 20
2.1.8 Displays 21
2.1.9 Technical specifications 23
2.2 Installation 25
2.2.1 Important notes on using the device 26
2.2.2 Installation on a DIN rail 28
2.2.3 Installation on a standard rail 29
2.2.4 Wall mounting 30
2.2.5 Grounding 30
2.3 Commissioning 31
2.3.1 Step 1: Connecting the SCALANCE S module 33
2.3.2 Step 2: Configuring and downloading 33
2.4 C-PLUG (configuration plug) 35
2.5 Transferring firmware 37
3 GETTING STARTED 39
3.1 Example 1: VPN tunnel - IPsec tunnel example with SCALANCE S612 / S613 40
3.1.1 Overview 40
3.1.2 Set up SCALANCE S and the network 41
3.1.3 Make the IP settings for the PCs 42
3.1.4 Create the project and modules 43
3.1.5 Configuring a tunnel connection 45
3.1.6 Download the configuration to the SCALANCE S module 46
3.1.7 Test the tunnel function (ping test) 47
3.2 Example 2: Firewall - Operating a SCALANCE S as a firewall 48
3.2.1 Overview 48
3.2.2 Set up SCALANCE S and the network 50
3.2.3 Make the IP settings for the PCs 51
1.1 Uses of the SCALANCE S612, S613 and SOFTNET Security Client
Figure: Service computer with SOFTNET Security Client in the external network; router (NAT/NAPT) and host computer; VPN via IPsec tunnel to the internal networks behind the SCALANCE S modules (IE/PB Link, ET 200X, HMI)
Security functions
● Firewall
– IP firewall with stateful packet inspection;
– Firewall also for Ethernet "non-IP" frames according to IEEE 802.3
(layer 2 frames; does not apply if router mode is used)
– Bandwidth limitation
All network nodes located in the internal network segment of a SCALANCE S are
protected by its firewall.
● Communication made secure by IPsec tunnels
SCALANCE S612 / S613 devices and SOFTNET Security Clients can be configured to
form groups. IPsec tunnels are created between all SCALANCE S612 / S613 devices and
a SOFTNET Security Client of a group (VPN, Virtual Private Network). All internal nodes
of this SCALANCE S can communicate securely with each other through these tunnels.
● Protocol-independent
Tunneling also includes Ethernet frames according to IEEE 802.3 (layer 2 frames; does
not apply if router mode is used).
Both IP and non-IP frames are transmitted through the IPsec tunnel.
● Router mode
By operating the SCALANCE S as a router, you connect the internal network with the
external network. The internal network connected by SCALANCE S therefore becomes a
separate subnet.
● Protection for devices and network segments
The firewall and VPN protective function can be applied to the operation of single
devices, several devices, or entire network segments.
● No repercussions when included in flat networks (bridge mode)
Internal network nodes can be found without configuration. This means that when a
SCALANCE S612 / S613 is installed in an existing network infrastructure, the end
devices do not need to be reconfigured.
The module attempts to find internal nodes; internal nodes that cannot be found in this
way must nevertheless be configured.
1.2 Using the SCALANCE S602
Figure: External network with router; SCALANCE S602 as firewall / router / NAT/NAPT in front of the internal networks "Operator control & monitoring", "Automation cell" and "Automation cell" (ET 200X, IE/PB Link, HMI)
Security functions
● Firewall
– IP firewall with stateful packet inspection;
– Firewall also for Ethernet "non-IP" frames according to IEEE 802.3
(layer 2 frames; does not apply to S602 if router mode is used);
– Bandwidth limitation
All network nodes located in the internal network segment of a SCALANCE S are
protected by its firewall.
● Router mode
By operating the SCALANCE S as a router, you separate the internal network from the
external network. The internal network connected over SCALANCE S therefore becomes
a separate subnet; SCALANCE S must be addressed explicitly as a router using its IP
address.
● Protection for devices and network segments
The firewall protective function can be applied to the operation of single devices, several
devices, or entire network segments.
● No repercussions when included in flat networks (bridge mode)
This means that when a SCALANCE S602 is installed in an existing network
infrastructure, the settings of end devices do not need to be made again.
Further information
How to configure the device for standard applications is shown in a condensed form in the
Chapter "GETTING STARTED".
For details on configuration and the online functions, refer to the reference section of the
manual.
Note
The specified approvals apply only when the corresponding mark is printed on the product.
Hardware
● Robust housing with degree of protection IP30
● Optional mounting on an S7-300 or DIN 35 mm rail
● Redundant power supply
● Signaling contact
● Extended temperature range (-20 °C to +70 °C SCALANCE S613)
Note
This manual describes all functions. Based on the following table, you can recognize which
descriptions apply to the device you are using.
You should also note the additional information in the titles of the sections.
x Function supported
- Function not supported
Unpacking, checking
1. Make sure that the package is complete.
2. Check all the parts for transport damage.
Possible attachments
SCALANCE S has 2 RJ-45 jacks for attachment to Ethernet.
Note
TP cords or TP-XP cords with a maximum length of 10 m can be connected at the RJ-45 TP
port.
In conjunction with the Industrial Ethernet FastConnect IE FC Standard Cable and IE FC RJ-45 Plug 180, a total cable length of maximum 100 m is possible between two devices.
NOTICE
The Ethernet attachments at port 1 and port 2 are handled differently by the SCALANCE S
and must not be swapped over when connecting to the communication network:
• Port 1 - external network
Upper RJ-45 jack, marked red = unprotected network area;
• Port 2 - internal network
Lower RJ-45 jack, marked green = network protected by SCALANCE S.
If the ports are swapped over, the device loses its protective function.
Autonegotiation
SCALANCE S supports autonegotiation.
Autonegotiation means that the connection and transmission parameters are negotiated
automatically with the addressed network node.
WARNING
The SCALANCE S is designed for operation with safety extra-low voltage. This means that
only safety extra-low voltages (SELV) complying with IEC950/EN60950/ VDE0805 can be
connected to the power supply terminals.
The power supply unit to supply the SCALANCE S must comply with NEC Class 2 (voltage
range 18 - 32 V, current requirement 250 mA).
The device may only be supplied by a power unit that meets the requirements of class 2 for
power supply units of the "National Electrical Code, Table 11 (b)". If the device is connected
to a redundant power supply (two separate power supplies), both must meet these
requirements.
NOTICE
The power supply is connected using a 4-pin plug-in terminal block. The power supply can
be connected redundantly. Both inputs are isolated. There is no distribution of load. When a
redundant power supply is used, the power supply unit with the higher output voltage
supplies the SCALANCE S alone. The power supply is connected over a high resistance
with the enclosure to allow an ungrounded set up.
NOTICE
The signaling contact can be subjected to a maximum load of 100 mA (safety extra-low
voltage (SELV), DC 24 V).
Never connect the SCALANCE S to AC voltage or to DC voltage higher than 32 V DC.
The signaling contact is connected to a 2-pin plug-in terminal block. The signaling contact is
a floating switch with which error/fault states can be signaled by breaking the contact.
The following errors/faults can be signaled by the signaling contact:
● Fault in the power supply
● Internal fault
If a fault occurs or if no power is applied to the SCALANCE S, the signaling contact is
opened. In normal operation, it is closed.
NOTICE
Make sure that only authorized personnel has access to the SCALANCE S.
NOTICE
If a C-PLUG is plugged in when you reset to factory settings, the C-PLUG is erased!
1. If necessary, remove the SCALANCE S module from its mounting to allow access to the
recess.
2. Remove the M32 plug on the rear of the device.
The reset button is in a recess on the rear of the SCALANCE S directly beside the slot
for the C-PLUG. This recess is protected by a screw plug. The button is located in a
narrow hole and is therefore protected from being activated accidentally.
3. Press the reset button and keep it pressed for longer than 5 seconds until the fault LED
flashes yellow-red.
Resetting takes up to 2 minutes. During the reset, the fault LED flashes yellow-red. Make
sure that the power supply is not interrupted during the reset.
On completion of the reset, the device starts up again automatically. The fault LED is
then lit yellow.
4. Close the recess with the M32 plug and mount the device again.
2.1.8 Displays
Figure: Port status LEDs P1 / P2 and TX; fault and power LEDs
Fault LED
Display of the operating state:
Lit red: Module detects an error (signaling contact is open). The following faults are detected:
• Internal error/fault (for example: startup failed)
• Invalid C-PLUG (invalid formatting)
Lit green: Module in productive operation (signaling contact closed).
NOT lit: Module failure; no power supply (signaling contact open).
Lit yellow (constant): Module in startup (signaling contact open). If no IP address exists, the module remains in this status.
Flashes yellow and red alternately: Module resets itself to factory settings (signaling contact open).
Power LED
Lit green: Power supply L1 or L2 is connected.
Not lit: Power supply L1 or L2 not connected or < 14 V (L+)
Lit red: Power supply L1 or L2 failed during operation or < 14 V (L+)
Port status LEDs
LED P1 / P2
Lit green: TP link exists
Flashes / lit yellow: Receiving data at RX
Off: No TP link or no data being received
LED TX
Flashes / lit yellow: Data being sent
Off: No data being sent
Connectors
Attachment of end devices or network components over twisted pair: 2 x RJ-45 jacks with MDI-X pinning, 10/100 Mbps (half/full duplex)
Connector for power supply: 1 x 4-pin plug-in terminal block
Connector for signaling contact: 1 x 2-pin plug-in terminal block
Electrical data
Power supply: 24 V DC (18 through 32 V DC)
● Implemented redundantly
● Safety extra-low voltage (SELV)
Power loss at 24 V DC: 3.84 W
Current consumption at rated voltage: 250 mA maximum
Permitted cable lengths
Connection over Industrial Ethernet FC TP cables:
● 0 - 100 m Industrial Ethernet FC TP standard cable with IE FC RJ-45 plug 180, or
● over Industrial Ethernet FC outlet RJ-45 with 0 - 90 m Industrial Ethernet FC TP standard cable + 10 m TP cord
● 0 - 85 m Industrial Ethernet FC TP marine/trailing cable with IE FC RJ-45 plug 180, or
● 0 - 75 m Industrial Ethernet FC TP marine/trailing cable + 10 m TP cord
Software configuration limits for VPN
Number of IPsec tunnels:
● SCALANCE S612: 64 maximum
● SCALANCE S613: 128 maximum
Software "firewall" configuration limits
Number of firewall rules:
● SCALANCE S602: 256 maximum
● SCALANCE S612: 256 maximum
● SCALANCE S613: 256 maximum
Permitted environmental conditions / EMC
Operating temperature SCALANCE S602: 0 °C through +60 °C
Operating temperature SCALANCE S612: 0 °C through +60 °C
Operating temperature SCALANCE S613: -20 °C through +70 °C
Storage/transport temperature: -40 °C through +80 °C
Relative humidity in operation: 95% (no condensation)
2.2 Installation
Note
The requirements of EN61000-4-5, surge test on power supply lines are met only when a
Blitzductor VT AD 24V type no. 918 402 is used.
Manufacturer:
DEHN+SÖHNE GmbH+Co.KG Hans Dehn Str.1 Postfach 1640 D-92306 Neumarkt,
Germany
WARNING
When used under hazardous conditions (zone 2), the SCALANCE S product must be
installed in an enclosure.
To comply with ATEX 95 (EN 50021), this enclosure must meet the requirements of at least
IP54 in compliance with EN 60529.
WARNING
EXPLOSION HAZARD: DO NOT DISCONNECT EQUIPMENT WHEN A FLAMMABLE OR
COMBUSTIBLE ATMOSPHERE IS PRESENT.
Types of installation
The SCALANCE S can be installed in various ways:
● Installation on a 35 mm DIN rail
● Installation on a SIMATIC S7-300 standard rail
● Wall mounting
Note
When installing and operating the device, keep to the installation instructions and safety-
related notices as described here and in the manual SIMATIC NET Industrial Ethernet
Twisted Pair and Fiber Optic Networks /1/.
NOTICE
We recommend that you provide suitable shade to protect the device from direct
sunlight.
This avoids unwanted warming of the device and prevents premature aging of the
device and cabling.
General notices
WARNING
Safety extra low voltage
The equipment is designed for operation with Safety Extra-Low Voltage (SELV) by a
Limited Power Source (LPS).
This means that only SELV / LPS complying with IEC 60950-1 / EN 60950-1 / VDE 0805-1
must be connected to the power supply terminals. The power supply unit for the equipment
power supply must comply with NEC Class 2, as described by the National Electrical Code®
(ANSI / NFPA 70).
There is an additional requirement if devices are operated with a redundant power supply:
If the equipment is connected to a redundant power supply (two separate power supplies),
both must meet these requirements.
WARNING
Opening the device
DO NOT OPEN WHEN ENERGIZED.
WARNING
Risk of explosion when connecting or disconnecting the device
EXPLOSION HAZARD
DO NOT CONNECT OR DISCONNECT EQUIPMENT WHEN A FLAMMABLE OR
COMBUSTIBLE ATMOSPHERE IS PRESENT.
WARNING
Replacing components
EXPLOSION HAZARD
SUBSTITUTION OF COMPONENTS MAY IMPAIR SUITABILITY FOR CLASS I, DIVISION
2 OR ZONE 2.
WARNING
Restricted area of application
This equipment is suitable for use in Class I, Division 2, Groups A, B, C and D or non-hazardous locations only.
WARNING
Restricted area of application
This equipment is suitable for use in Class I, Zone 2, Group IIC or non-hazardous locations
only.
WARNING
Requirements for the cabinet/enclosure
When used in hazardous environments corresponding to Class I, Division 2 or Class I,
Zone 2, the device must be installed in a cabinet or a suitable enclosure.
To comply with EU Directive 94/9 (ATEX95), this enclosure must meet the requirements of
at least IP54 in compliance with EN 60529.
WARNING
Suitable cables for temperatures in excess of 70 °C
If the cable or conduit entry point exceeds 70 °C or the branching point of conductors
exceeds 80 °C, special precautions must be taken.
If the equipment is operated in an air ambient in excess of 50 °C, only use cables with an
admitted maximum operating temperature of at least 80 °C.
WARNING
Protection against transient voltage surges
Provisions shall be made to prevent the rated voltage from being exceeded by transient
voltage surges of more than 40%. This criterion is fulfilled, if supplies are derived from
SELV (Safety Extra-Low Voltage) only.
WARNING
WARNING - EXPLOSION HAZARD -
DO NOT DISCONNECT WHILE CIRCUIT IS LIVE UNLESS AREA IS KNOWN TO BE
NON-HAZARDOUS.
Installation
Install the SCALANCE S on a 35 mm DIN rail complying with DIN EN 50022.
1. Place the upper catch of the device over the top of the DIN rail and then push in the lower
part of the device against the rail until it clips into place.
2. Install the electrical connecting cables and the terminal block for the signaling contact.
Uninstalling
To remove the SCALANCE S from the DIN rail:
1. First disconnect the TP cables and pull out the terminal blocks for the power supply and
the signaling contact.
2. Use a screwdriver to release the lower rail catch of the device and pull the lower part of
the device away from the rail.
2. Screw the SCALANCE S device to the lower part of the standard rail.
Installation fittings
Use the following fittings, for example when mounting on a concrete wall:
● 4 wall plugs, 6 mm in diameter and 30 mm long
● Screws 3.5 mm in diameter and 40 mm long
Note
The wall mounting must be capable of supporting at least four times the weight of the
device.
2.2.5 Grounding
S7 standard rail
The device is grounded over its rear panel and the neck of the screw.
Wall mounting
The device is grounded by the securing screw in the unpainted hole.
NOTICE
Please note that the SCALANCE S must be grounded over one securing screw with
minimum resistance.
2.3 Commissioning
NOTICE
Before putting the device into operation, make sure that you read the information in the
sections "Product properties" and "Installation" carefully and follow the instructions there,
particularly those in the safety notices.
Principle
To operate the SCALANCE S, you need to download a configuration created with the
Security Configuration Tool. This procedure is described below.
A SCALANCE S configuration includes the IP parameters and the setting for firewall rules
and, if applicable, the setting for IPsec tunnels (S612 / S613) or router mode.
Before putting the device into operation, you can first create the entire configuration offline
and then download it. For the first configuration (device with factory settings), use the MAC
address printed on the device.
Depending on the application, you will download the configuration to one or more modules
during the commissioning phase.
Figure: The offline configuration data of the Security Configuration Tool is downloaded with the menu command Transfer ▶ To Module over a hub/switch to the external ports of the SCALANCE S modules (each with an external and an internal network)
Factory defaults
With the factory defaults (settings as supplied or after resetting to factory defaults), the
SCALANCE S behaves as follows after turning on the power supply:
● IP communication is not possible since the IP settings are missing; the SCALANCE S
itself does not yet have an IP address.
As soon as the SCALANCE S module is assigned a valid IP address by the configuration,
the module is accessible even over routers (IP communication is then possible).
● The device has a fixed, default MAC address; the MAC address is printed on the device
and must be used during configuration.
● The firewall is preconfigured with the following basic firewall rules:
– Unsecured data traffic from internal port to external port and vice versa
(external ↔ internal) is not possible;
The unconfigured status can be recognized when the F LED is lit yellow.
See also
Product Characteristics (Page 15)
Installation (Page 25)
5. In the box for the "MAC Address" in the "Configuration" area, enter the MAC address
printed on the module housing in the specified format.
You will find this address on the front of the SCALANCE S module (see figure).
6. Enter the external IP address and the external subnet mask in the relevant boxes in the
"Configuration" area and confirm the dialog with "OK". Your module will then be included
in the list of configured modules.
7. Select your module and, if necessary, enter the IP address of the default router by
clicking in the "Default Router" column.
Optional: Configure any other properties of the module and module groups if required.
8. Save the project under a suitable name with the following menu command:
Project ▶ Save As...
10. If you click on the "Start" button, you transfer the configuration to the SCALANCE S
module.
Result: The SCALANCE S module is now configured and can communicate at the IP
level. This mode is indicated by the Fault LED being lit green.
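The parameters entered during commissioning (MAC address printed on the housing, external IP address and subnet mask, default router) and the software configuration limits from the technical specifications (64 / 128 IPsec tunnels for S612 / S613, 256 firewall rules per module, tunnels between all S612 / S613 modules and SOFTNET Security Clients of a group) can be checked offline before a project is downloaded. The following Python script is an added example and is not part of this manual or of the Security Configuration Tool; its dict-based data model, the MAC address notation (six hex bytes separated by "-" or ":") and the sample project are constructed for the example.

```python
"""Offline consistency check for a SCALANCE S project before download.

Added example, not part of the Siemens manual or of the Security
Configuration Tool. It applies rules the manual states:
  - per module: the MAC address printed on the housing, the external IP
    address and subnet mask, and optionally the default router;
  - IPsec tunnels exist between all S612/S613 modules and SOFTNET Security
    Clients of a group (S602 offers firewall/router functions only);
  - software configuration limits: 64 tunnels (S612), 128 tunnels (S613),
    256 firewall rules per module.
The dict-based data model and the MAC notation (six hex bytes separated
by '-' or ':') are assumptions made for this example.
"""
import ipaddress
import re

# Limits from the manual's technical specifications (S602: no VPN function).
MAX_TUNNELS = {"S602": 0, "S612": 64, "S613": 128}
MAX_FIREWALL_RULES = 256

# Assumed MAC notation: AA-BB-CC-DD-EE-FF or AA:BB:CC:DD:EE:FF, one separator style.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def tunnel_peers(name, groups):
    """Distinct tunnel partners of module `name` across all groups.

    A partner that shares several groups with the module is counted once
    (assumption: one tunnel per pair of endpoints).
    """
    peers = set()
    for members in groups.values():
        if name in members:
            peers.update(m for m in members if m != name)
    return peers


def validate_module(name, module, groups):
    """Return the list of problems found for one module (empty list = OK)."""
    problems = []
    mtype = module["type"]
    if mtype not in MAX_TUNNELS:
        return [f"unknown module type {mtype!r}"]
    if not MAC_RE.match(module["mac"]):
        problems.append("MAC address is not in the expected format")
    try:
        ext_ip = ipaddress.IPv4Address(module["ext_ip"])
        net = ipaddress.IPv4Network(f"{ext_ip}/{module['ext_mask']}", strict=False)
        if net.prefixlen < 31 and ext_ip in (net.network_address, net.broadcast_address):
            problems.append("external IP is the network or broadcast address")
        router = module.get("default_router")
        if router is not None and ipaddress.IPv4Address(router) not in net:
            problems.append("default router is not in the external subnet")
    except ValueError as exc:
        problems.append(f"invalid external IP settings: {exc}")
    if module["firewall_rules"] > MAX_FIREWALL_RULES:
        problems.append(f"{module['firewall_rules']} firewall rules exceed the limit of {MAX_FIREWALL_RULES}")
    tunnels = len(tunnel_peers(name, groups))
    if tunnels > MAX_TUNNELS[mtype]:
        problems.append(f"{tunnels} IPsec tunnel(s) exceed the {mtype} limit of {MAX_TUNNELS[mtype]}")
    return problems


def check_project(modules, groups):
    """Validate every module and flag MAC / external IP values used twice."""
    report = {name: validate_module(name, m, groups) for name, m in modules.items()}
    seen = {"mac": {}, "ext_ip": {}}
    for name, m in modules.items():
        for key in seen:
            value = m[key].lower()
            if value in seen[key]:
                report[name].append(f"{key} duplicates module {seen[key][value]!r}")
            seen[key].setdefault(value, name)
    return report


# Constructed sample project (MACs taken from the documentation range 00-00-5E-00-53-xx).
SAMPLE_MODULES = {
    "Module1": {"type": "S612", "mac": "00-00-5E-00-53-01", "ext_ip": "192.168.10.1",
                "ext_mask": "255.255.255.0", "default_router": "192.168.10.254",
                "firewall_rules": 12},
    "Module2": {"type": "S613", "mac": "00-00-5E-00-53-02", "ext_ip": "192.168.10.2",
                "ext_mask": "255.255.255.0", "default_router": "10.0.0.1",  # wrong subnet
                "firewall_rules": 300},                                      # over the limit
    "Module3": {"type": "S602", "mac": "00005E005303", "ext_ip": "192.168.10.3",  # bad MAC format
                "ext_mask": "255.255.255.0", "default_router": None,
                "firewall_rules": 40},
}
SAMPLE_GROUPS = {
    "Group1": ["Module1", "Module2", "SoftnetClient1"],
    "Group2": ["Module1", "Module3"],  # an S602 cannot terminate a tunnel
}

if __name__ == "__main__":
    for module_name, problems in check_project(SAMPLE_MODULES, SAMPLE_GROUPS).items():
        print(module_name, "OK" if not problems else "; ".join(problems))
```

Running the script reports Module1 as OK, Module2 with a default router outside its external subnet and too many firewall rules, and Module3 with a malformed MAC address and a tunnel assigned to an S602.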
Area of application
The C-PLUG is an exchangeable medium for storage of the configuration and project
engineering data of the basic device (SCALANCE S). This means that the configuration data
remains available if the basic device is replaced.
How it works
Power is supplied by the end device. The C-PLUG retains all data permanently when the
power is turned off.
NOTICE
Check the operating status
The C-PLUG may only be inserted or removed when the power is off!
Figure 2-7 Inserting the C-PLUG in the device and removing the C-PLUG from the device with a
screwdriver
Function
If an empty C-PLUG (factory settings) is inserted, all configuration data of the SCALANCE S
is saved to it when the device starts up. Changes to the configuration during operation are
also saved on the C-PLUG without any operator intervention being necessary.
A basic device with an inserted C-PLUG automatically uses the configuration data of the C-
PLUG when it starts up. This is, however, only possible when the data was written by a
compatible device type.
This allows fast and simple replacement of the basic device. If a device is replaced, the C-
PLUG is taken from the failed component and inserted in the replacement. After it has
started up, the replacement device has the same device configuration as the failed device.
Note
Consistent project data - adapting the MAC address
After replacing the device with a spare, the project engineering data should be consistent. To
achieve this, you should adapt the MAC address from the project engineering to the MAC
address printed on the replacement device.
If you use the previously configured C-PLUG of the device you are replacing, this is not
absolutely necessary to start up and run the device.
NOTICE
Reset to factory settings
If a C-PLUG is plugged in when you reset to factory settings, the C-PLUG is erased!
NOTICE
Check the operating status
The C-PLUG may only be removed when the power is off!
Diagnostics
Inserting a C-PLUG that does not contain the configuration of a compatible device type,
inadvertently removing the C-PLUG, or general malfunctions of the C-PLUG are indicated by
the diagnostic mechanisms of the end device (fault LED red).
Requirements
To transfer new firmware to a SCALANCE S module, the following conditions must be met:
● You must have administrator permissions for the project;
● SCALANCE S must already have been configured with an IP address.
Note
The IP settings in the examples are freely selected and do not cause any conflicts in the
isolated test network.
In a real network, you would need to adapt these IP settings to avoid possible address
conflicts.
3.1.1 Overview
In this example, the tunnel function is configured in the "standard mode" project engineering
view. SCALANCE S module 1 and SCALANCE S module 2 are the two tunnel endpoints for
the secure tunnel connection in this example.
With this configuration, IP traffic and layer 2 traffic (bridge mode only) is possible only over
the established tunnel connections with authorized partners.
Figure: PC1 in internal network 1 and PC2 in internal network 2, each behind a SCALANCE S module; tunnel between the two modules over the external network; PC3 in the external network
Required devices/components:
Use the following components to set up the network:
● 2 x SCALANCE S modules, (optional: one or two suitably installed standard rails with
fittings);
● 1 x or 2 x 24 V power supplies with cable connections and terminal block plugs (both
modules can also be operated from a common power supply);
● 1 x PC on which the "Security Configuration Tool" is installed;
● 2 x PCs in the internal networks to test the configuration;
● 1 x network hub or switch to set up the network connections with the two SCALANCE S
modules and the PCs/PGs;
● The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45
standard for Industrial Ethernet.
[Figure: overview of steps: Setup SCALANCE S and the network; Make the IP settings for the PCs; Create the project and module; Configure the tunnel function; Download the configuration to the SCALANCE S module; Test the firewall function (ping test)]
Result: After connecting the power, the Fault LED (F) is lit yellow.
WARNING
The SCALANCE S is designed for operation with safety extra-low voltage. This means that
only safety extra-low voltages (SELV) complying with IEC950/EN60950/ VDE0805 can be
connected to the power supply terminals.
The power supply unit to supply the SCALANCE S must comply with NEC Class 2 (voltage
range 18 - 32 V, current requirement approx. 250 mA).
When installing and connecting the SCALANCE S modules, refer to Chapter 2 "Product
characteristics and commissioning".
1. Now establish the physical network connections by plugging the network cable
connectors into the ports being used (RJ-45 jacks):
– Connect PC1 with port 2 of module 1 and PC2 with port 2 of module 2.
– Connect port 1 of module 1 and port 1 of module 2 with the hub/switch.
– Connect PC3 to the hub/switch as well.
2. Now turn on the PCs.
NOTICE
The Ethernet attachments at port 1 and port 2 are handled differently by the SCALANCE
S and must not be swapped over when connecting to the communication network:
• Port 1 - external network
Upper RJ-45 jack, marked red = unprotected network area;
• Port 2 - internal network
Lower RJ-45 jack, marked green = network protected by SCALANCE S;
If the ports are swapped over, the device loses its protective function.
4. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the
following IP address" radio button and enter the values assigned to the PC from the table
"Make the IP setting of the PCs" in the respective fields.
Close the dialogs with "OK" and exit the Control Panel.
6. In the navigation area, click on "All Modules" and then on the row with "Module1" in the
content area.
7. Now click on the "MAC Address" column and enter the MAC address in the specified
format.
You will find this address on the front panel of the SCALANCE S module (see figure).
8. Now click on the "IP Address ext." column and enter the IP address in the specified
format and adapt the subnet mask accordingly.
– For module 1: IP address: 191.0.0.201 subnet mask: 255.255.0.0
– For module 2: IP address: 191.0.0.202 subnet mask: 255.255.0.0
2. Select the SCALANCE S module "Module1" in the content area and drag it to "Group1" in
the navigation area.
The module is now assigned to this group (is a member of the group).
The color of the key symbol of the module icon changes from gray to blue.
3. Select the SCALANCE S module "Module2" in the content area and drag it to the
"Group1" in the navigation area.
The module is now also assigned to this group.
4. Save this project under a suitable name with the following menu command:
Project ▶ Save As...
The configuration of the tunnel connection is now complete.
NOTICE
In Windows, the firewall can be set so that as default the PING commands do not pass
through. If necessary, you will need to enable the ICMP services of the type Request and
Response.
Test phase 1
Now test the function of the tunnel connection established between PC1 and PC2:
1. Open the following menu command from the taskbar Start menu on PC2:
Start ▶ All Programs ▶ Accessories ▶ Command Prompt
2. Enter the ping command from PC1 to PC2 (IP address 191.0.0.2).
In the command line of the "Command Prompt" window, enter the following command:
ping 191.0.0.2
You will then receive the following message (positive reply from PC2).
Result
If the IP packets have reached PC2, the "Ping statistics for 191.0.0.2" display the following:
● Sent = 4
● Received = 4
● Lost = 0 (0% loss)
Since no other communication is permitted, these packets must have been transported
through the VPN tunnel.
Test phase 2
Now repeat the test by sending a ping command from PC3.
1. Open the following menu command from the taskbar Start menu on PC3:
Start ► All Programs ► Accessories ► Command Prompt
2. Send the same ping command (ping 191.0.0.2) in the Command Prompt window of PC3.
You will then receive the following message: (no reply from PC2).
Result
The IP frames from PC3 cannot reach PC2, since neither tunnel communication between
these two devices is configured nor normal IP data traffic permitted.
This is shown in the "Ping statistics" for 191.0.0.2 as follows:
● Sent = 4
● Received = 0
● Lost = 4 (100% loss)
3.2.1 Overview
In this example, the firewall is configured in the "standard mode" project engineering view.
The standard mode includes predefined sets of rules for data traffic.
With this configuration, IP traffic can only be initiated from the internal network; only the
response is permitted from the external network.
[Figure: PC in the external network, SCALANCE S module (External and Internal ports, Firewall), PC in the internal network]
Required devices/components:
Use the following components to set up the network:
● 1 x SCALANCE S module, (additional option: a suitably installed DIN rail with fittings)
● 1 x 24 V power supply with cable connector and terminal block plug
● 1 x PC on which the Security Configuration Tool is installed
● 1 x PC in the internal network to test the configuration
● The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45
standard for Industrial Ethernet
[Figure: overview of steps: Setup SCALANCE S and the network; Make the IP settings for the PCs; Create the project and module; Configure the firewall; Download the configuration to the SCALANCE S module; Test the firewall function (ping test, logging)]
WARNING
The SCALANCE S is designed for operation with safety extra-low voltage. This means that
only safety extra-low voltages (SELV) complying with IEC950/EN60950/ VDE0805 can be
connected to the power supply terminals.
The power supply unit to supply the SCALANCE S must comply with NEC Class 2 (voltage
range 18 - 32 V, current requirement approx. 250 mA).
When installing and connecting the SCALANCE S modules, refer to Chapter 2 "Product
characteristics and commissioning".
3. Now establish the physical network connections by plugging the network cable
connectors into the ports being used (RJ-45 jacks):
– Connect PC2 with port 2 of module 1.
– Connect PC1 with port 1 of module 1.
4. Now turn on the PCs.
NOTICE
The Ethernet attachments at port 1 and port 2 are handled differently by the SCALANCE
S and must not be swapped over when connecting to the communication network:
• Port 1 - external network
Upper RJ-45 jack, marked red = unprotected network area;
• Port 2 - Internal Network
Lower RJ-45 jack, marked green = network protected by SCALANCE S;
If the ports are swapped over, the device loses its protective function.
3. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4
(TCP/IPv4)" check box and click the "Properties" button.
4. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the
following IP address" radio button and enter the values assigned to the PC from the table
"Make the IP setting of the PCs" in the respective fields.
Close the dialogs with "OK" and exit the Control Panel.
6. Enter the external IP address also in the required format (191.0.0.200) and the external
subnet mask (255.255.0.0) and confirm the dialog with "OK". Your module will then be
included in the list of configured modules.
This means that IP traffic can only be initiated from the internal network; only the
response is permitted from the external network.
5. You should also select the Logging options to record data traffic.
6. Close the dialog with "OK".
7. Save this project under a suitable name with the following menu command:
Project ▶ Save As...
NOTICE
In Windows, the firewall can be set so that as default the PING commands do not pass
through. If necessary, you will need to enable the ICMP services of the type Request and
Response.
Test phase 1
Now test the function of the firewall configuration, first with allowed outgoing IP data traffic as
follows:
1. Open the following menu command from the taskbar Start menu on PC2:
Result
If the IP packets have reached PC1, the "Ping statistics for 191.0.0.1" display the following:
● Sent = 4
● Received = 4
● Lost = 0 (0% loss)
Due to the configuration, the ping packets can pass from the internal network to the external
network. The PC in the external network has replied to the ping packets. Due to the "stateful
inspection" function of the firewall, the reply packets arriving from the external network are
automatically passed into the internal network.
Test phase 2
Now test the function of the firewall configuration with blocked outgoing IP data traffic as
follows:
1. Now reopen the firewall dialog as described above.
2. Deselect the "Allow IP traffic from internal to external network" box in the "Firewall
Settings" tab.
Close the dialog with "OK".
Result
The IP packets from PC2 now cannot reach PC1 since the data traffic from the "internal
network" (PC2) to the "external network" (PC1) is not permitted.
This is shown in the "Ping statistics for 191.0.0.1" as follows:
● Sent = 4
● Received = 0
● Lost = 4 (100% loss)
3.3.1 Overview
In this example, you configure the NAT router mode. You configure in the "advanced mode"
configuration view.
With the configuration introduced here, all the packets sent from the internal subnet to the
PC1 node in the external network are allowed to pass the firewall.
The packets are forwarded to the outside with their source IP address translated to the IP
address of the SCALANCE S and with a dynamically assigned port number.
Only the replies to these packets are allowed to pass from the external network.
[Figure: PC in the external network, SCALANCE S module (External and Internal ports, Firewall), PC in the internal network]
Required devices/components:
Use the following components to set up the network:
● 1 x SCALANCE S module, (additional option: a suitably installed DIN rail with fittings);
● 1 x 24 V power supply with cable connector and terminal block plug;
● 1 x PC on which the Security Configuration Tool is installed;
● 1 x PC in the internal network to test the configuration;
● The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45
standard for Industrial Ethernet.
[Figure: overview of steps: Setup SCALANCE S and the network; Make the IP settings for the PCs; Create the project and module; Configure the NAT router mode; Configure the firewall; Download the configuration to the SCALANCE S module; Test the NAT router function (ping test); Log data traffic]
WARNING
The SCALANCE S is designed for operation with safety extra-low voltage. This means that
only safety extra-low voltages (SELV) complying with IEC950/EN60950/ VDE0805 can be
connected to the power supply terminals.
The power supply unit to supply the SCALANCE S must comply with NEC Class 2 (voltage
range 18 - 32 V, current requirement approx. 250 mA).
When installing and connecting the SCALANCE S modules, refer to Chapter 2 "Product
characteristics and commissioning".
3. Now establish the physical network connections by plugging the network cable
connectors into the ports being used (RJ-45 jacks):
– Connect PC2 with port 2 of module 1.
– Connect PC1 with port 1 of module 1.
4. Now turn on the PCs.
NOTICE
The Ethernet attachments at port 1 and port 2 are handled differently by the SCALANCE
S and must not be swapped over when connecting to the communication network:
• Port 1 - External Network
Upper RJ-45 jack, marked red = unprotected network area;
• Port 2 - Internal Network
Lower RJ-45 jack, marked green = network protected by SCALANCE S;
If the ports are swapped over, the device loses its protective function.
As the default gateway, specify the IP addresses that will be assigned to the SCALANCE
S module for the internal and external interface in the subsequent project engineering:
● PC1 uses the external interface.
● PC2 uses the internal interface.
4. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the
following IP address" radio button and enter the values assigned to the PC from the table
"Make the IP setting of the PCs" in the respective fields.
Close the dialogs with "OK" and exit the Control Panel.
6. Enter the external IP address also in the required format (192.168.10.1) and the external
subnet mask (255.255.255.0) and confirm the dialog with "OK". Your module will then be
included in the list of configured modules.
To enable NAT router mode for internal nodes, follow the steps below.
The next step is to configure the required address conversion for NAT mode.
1. Select the options "NAT active" and "Allow Internal > External for all users" in the NAT
group box.
You will see that an entry has been added to the end of the address conversion list in the
"NAT" group box. The "*" entry in the "internal IP address" column now stands for all
nodes in the internal network.
2. Select the following menu command with the right mouse button:
Insert > Firewall rule set
4. Click in the "Log" column in the row for the new rule set. This enables the packet filter
logging option. Packets to which the defined rule is applied are then logged.
You will use this log in the example shown here in the final test of the configuration.
5. Close the dialog with "OK".
2. You can check the assignment by reopening the dialog for setting the module properties
and selecting the "Firewall" tab.
You will see that the global firewall rule was saved there.
3. If you click the "Expand Rulesets" button, you can view the rule set in detail.
This completes offline configuration.
Note on the ping command: As an alternative, you can also use other communication
programs to test the configuration.
NOTICE
In Windows, the firewall can be set so that as default the PING commands do not pass
through. If necessary, you will need to enable the ICMP services of the type Request and
Response.
View ▶ Online
2. Select the module you want to edit and then select the following menu command to open
the online dialog:
Edit ▶ Online Diagnostics...
Select the "Packet Filter Log" tab.
3. Click the "Start Reading" button.
4. Acknowledge the displayed dialog with "OK".
Result: The log entries are read from the SCALANCE S and displayed here.
Result
You will see the following in the log output:
● Output row 1
The IP addresses of the packets from PC2 to PC1 are displayed on the interface to the
external network with the external IP address of the SCALANCE S module
(192.168.10.1). This matches the expected address conversion (note: the additional port
assignment is not shown here).
● Output row 2
The reply packets are displayed with the destination address of the node in the internal
subnet (PC2: 172.10.10.100). You can see that the address conversion had already
taken place before the reply packet passed the firewall.
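The stateful inspection described for the firewall example and the address conversion shown in the two log rows above, as an added Python model that is not part of the manual or of the SCALANCE S firmware. The module's external address 192.168.10.1 and PC2's address 172.10.10.100 are the values of this example; the external address of PC1 (192.168.10.100) and PC2's address in the section 3.2 run (191.0.0.2) are assumed for the demonstration, and the class and function names are this example's own.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    kind: str   # "echo-request" or "echo-reply" (the manual's ping test)
    ident: int  # ICMP echo identifier; for TCP/UDP this role is played by the source port


@dataclass
class ScalanceS:
    """Model of the module's packet filter in the two configurations shown in the manual."""
    external_ip: str
    allow_internal_to_external: bool = True  # "Allow IP traffic from internal to external network"
    nat_active: bool = False                 # "NAT active" in NAT router mode
    log: list = field(default_factory=list)  # packet filter log, one text row per packet
    # (external peer, identifier as seen on the external side) -> (internal host, original identifier)
    _state: dict = field(default_factory=dict)
    _nat_ids: count = field(default_factory=lambda: count(0x4000))  # dynamically assigned identifiers

    def forward(self, pkt: Packet, arriving_on: str) -> Optional[Packet]:
        """Return the packet as it leaves the module, or None if the firewall dropped it."""
        if arriving_on == "internal":   # port 2, marked green
            return self._from_internal(pkt)
        if arriving_on == "external":   # port 1, marked red
            return self._from_external(pkt)
        raise ValueError(f"unknown interface {arriving_on!r}")

    def _from_internal(self, pkt: Packet) -> Optional[Packet]:
        if not self.allow_internal_to_external:
            return self._drop(pkt, "internal > external not permitted")
        if self.nat_active:
            # source address becomes the module's external address, identifier is reassigned
            out = Packet(self.external_ip, pkt.dst, pkt.kind, next(self._nat_ids))
        else:
            out = pkt
        # stateful inspection: remember the connection so that only its reply may come back in
        self._state[(out.dst, out.ident)] = (pkt.src, pkt.ident)
        return self._pass(out)

    def _from_external(self, pkt: Packet) -> Optional[Packet]:
        inner = self._state.get((pkt.src, pkt.ident))
        expected_dst = self.external_ip if self.nat_active else (inner[0] if inner else None)
        if inner is None or pkt.kind != "echo-reply" or pkt.dst != expected_dst:
            return self._drop(pkt, "no matching connection initiated from the internal network")
        if self.nat_active:
            # address conversion takes place before the reply passes the firewall
            pkt = Packet(pkt.src, inner[0], pkt.kind, inner[1])
        return self._pass(pkt)

    def _pass(self, pkt: Packet) -> Packet:
        self.log.append(f"pass {pkt.src} -> {pkt.dst} {pkt.kind} id={pkt.ident}")
        return pkt

    def _drop(self, pkt: Packet, reason: str) -> None:
        self.log.append(f"drop {pkt.src} -> {pkt.dst} {pkt.kind} id={pkt.ident} ({reason})")
        return None


def ping(module: ScalanceS, src: str, dst: str, src_side: str, n: int = 4) -> dict:
    """Simulate the manual's ping test: n echo requests from src (attached to src_side)
    to dst through the module; returns the values of the Windows "Ping statistics" block."""
    received = 0
    other_side = "external" if src_side == "internal" else "internal"
    for _ in range(n):
        out = module.forward(Packet(src, dst, "echo-request", 1), src_side)
        if out is None:
            continue
        # the target replies to whatever source address it saw; the reply crosses the module back
        back = module.forward(Packet(out.dst, out.src, "echo-reply", out.ident), other_side)
        if back is not None and back.dst == src:
            received += 1
    return {"Sent": n, "Received": received, "Lost": n - received}


if __name__ == "__main__":
    # Section 3.3 (NAT router mode): PC2 172.10.10.100 internal, module external 192.168.10.1;
    # the address of PC1 in the external network (192.168.10.100) is constructed for this example.
    nat = ScalanceS("192.168.10.1", nat_active=True)
    print(ping(nat, "172.10.10.100", "192.168.10.100", "internal"))   # Sent 4, Received 4
    print("\n".join(nat.log[:2]))  # output rows 1 and 2 as described for the packet filter log
    print(ping(nat, "192.168.10.100", "172.10.10.100", "external"))   # unsolicited: 100% loss
    # Section 3.2, test phase 2: outgoing traffic deselected in the "Firewall Settings" tab
    blocked = ScalanceS("191.0.0.200", allow_internal_to_external=False)
    print(ping(blocked, "191.0.0.2", "191.0.0.1", "internal"))        # PC2 address constructed
```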
3.4.1 Overview
In this example, the VPN tunnel function is configured in the "standard mode" configuration
view. In this example, a SCALANCE S and the SOFTNET Security Client form the two tunnel
endpoints for the secure tunnel connection via a public network.
With this configuration, IP traffic is possible only over the established VPN tunnel
connections with authorized partners.
[Figure: SCALANCE S module (External and Internal ports) with PC1 in the internal network and PC2 in the external public network]
Note
In the example, a local area network is used as a substitute for an external public WAN to
illustrate the principles of the functionality.
Explanations relating to the use of a WAN are provided where necessary.
Required devices/components:
Use the following components to set up the network:
● 1 x SCALANCE S module, (optional: a suitably installed DIN rail with fittings);
● 1 x 24 V power supply with cable connector and terminal block plug;
● 1 x PC on which the "Security Configuration Tool" and VPN client "SOFTNET Security
Client" are installed;
● 1 x PC in the internal network to test the configuration;
● 1 x PC in the external network to test the configuration;
● 1 x network hub or switch to set up the network connections with the SCALANCE S
module and the PCs;
● The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45
standard for Industrial Ethernet.
[Figure: overview of steps: Setup SCALANCE S and the network; Make the IP settings for the PCs; Create the project and modules; Configure the tunnel function; Load the configuration on the SCALANCE S and save the SOFTNET Security Client configuration; Set up a tunnel with the SOFTNET Security Client; Test the tunnel function]
Result: After connecting the power, the Fault LED (F) is lit yellow.
WARNING
The SCALANCE S is designed for operation with safety extra-low voltage. This means that
only safety extra-low voltages (SELV) complying with IEC950/EN60950/ VDE0805 can be
connected to the power supply terminals.
The power supply unit to supply the SCALANCE S must comply with NEC Class 2 (voltage
range 18 - 32 V, current requirement approx. 250 mA).
When installing and connecting the SCALANCE S modules, refer to Chapter 2 "Product
characteristics and commissioning".
1. Now establish the physical network connections by plugging the network cable
connectors into the ports being used (RJ-45 jacks):
Note
To use a WAN as an external public network, the connections to the hub/switch must be
replaced by the connections to the WAN (Internet access).
NOTICE
The Ethernet attachments at port 1 and port 2 are handled differently by the SCALANCE
S and must not be swapped over when connecting to the communication network:
• Port 1 - "external network"
Upper RJ-45 jack, marked red = unprotected network area;
• Port 2 - "internal network"
Lower RJ-45 jack, marked green = network protected by SCALANCE S;
If the ports are swapped over, the device loses its protective function.
As the default gateway, specify the IP addresses that will be assigned to the SCALANCE
S module for the internal and external interface in the subsequent project engineering:
● PC1 uses the internal interface.
● PC2 and PC3 use the external interface.
Note
To use a WAN as an external public network, the relevant IP settings for the connection
to the WAN (Internet) must be made on PC2 and PC3.
4. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the
following IP address" radio button and enter the values assigned to the PC from the table
"Make the IP setting of the PCs" in the respective fields.
Close the dialogs with "OK" and exit the Control Panel.
8. Now click on the "IP Address ext." column and enter the IP address in the specified
format and adapt the subnet mask accordingly.
For module 1: IP address: 191.0.0.201, subnet mask: 255.255.0.0
Note
To use a WAN as an external public network, enter the static IP address you received
from your provider as the "IP Address ext." via which the SCALANCE S module will then
be accessible in the WAN (Internet).
Before the SCALANCE S module can send packets in the WAN (Internet), you will need
to enter your DSL router as the "Default Router".
If you use a DSL router as Internet gateway, the following ports (at least) must be
forwarded on it:
• Port 500 (ISAKMP)
• Port 4500 (NAT-T)
For configuration downloads (not through an active tunnel), port 443 (HTTPS) must also
be forwarded.
9. Now open the properties menu of "Module1" by right-clicking on the entry and selecting
the "Properties..." menu command.
10. Now activate routing mode as shown below in the "Routing Mode" tab, enter the internal
IP address (192.168.0.201) and the subnet mask (255.255.255.0) of the SCALANCE S
module and confirm with "OK".
11. In the navigation area, click on "All Modules" and then on the row with "Module2" in the
content area.
12. Click in the "Name" column and enter the name "SSC-PC2".
The SOFTNET Security Client does not require any further settings.
Your screen should now resemble the following screenshot.
2. Select the SCALANCE S module "Module1" in the content area and drag it to "Group1" in
the navigation area.
The module is now assigned to this group (is a member of the group).
The color of the key symbol of the module icon changes from gray to blue.
3. Select the SOFTNET Security Client in the content area and drag it to "Group1" in the
navigation area.
The module is now also assigned to this group.
4. Save this project under a suitable name with the following menu command:
Project ► Save As...
The configuration of the tunnel connection is now complete.
3.4.6 Loading the configuration on the SCALANCE S and saving the SOFTNET Security Client configuration
Note
To use a WAN as an external public network, you cannot configure a SCALANCE S module
with the factory settings via the WAN. In this case, configure the SCALANCE S module from
within the internal network.
The configuration has now been commissioned and the SCALANCE S module and the
SOFTNET Security Client have established a communication tunnel over which network
nodes can communicate securely with PC2 from within the internal network.
NOTICE
In Windows, the firewall can be set so that as default the PING commands do not pass
through. If necessary, you will need to enable the ICMP services of the type Request and
Response.
Test phase 1
Now test the function of the tunnel connection established between PC1 and PC2:
1. Open the following menu command from the taskbar Start menu on PC2:
Start ► All Programs ► Accessories ► Command Prompt
2. Enter the ping command from PC2 to PC1 (IP address 192.168.0.1).
In the command line of the "Command Prompt" window, enter the following command:
ping 192.168.0.1
You will then receive the following message (positive reply from PC1).
Result
If the IP packets have reached PC1, the "Ping statistics for 192.168.0.1" display the
following:
● Sent = 4
● Received = 4
● Lost = 0 (0% loss)
Since no other communication is permitted, these packets must have been transported
through the VPN tunnel.
Test phase 2
Now repeat the test by sending a ping command from PC3.
1. Open the following menu command from the taskbar Start menu on PC3:
Start ► All Programs ► Accessories ► Command Prompt
2. Send the same ping command (ping 192.168.0.1) in the Command Prompt window of
PC3.
You will then receive the following message: (no reply from PC1).
Result
The IP frames from PC3 cannot reach PC1, since neither tunnel communication between
these two devices is configured nor normal IP data traffic permitted.
This is shown in the "Ping statistics" for 192.168.0.1 as follows:
● Sent = 4
● Received = 0
● Lost = 4 (100% loss)
3.5.1 Overview
In this example, the VPN tunnel function is configured in the "advanced mode" project
engineering view. An MD741-1 and the SOFTNET Security Client form the two tunnel
endpoints for the secure tunnel connection via a public network.
With this configuration, IP traffic is possible only over the established VPN tunnel connection
with authorized partners.
Note
To configure this example, you need a public, fixed IP address from your provider (mobile
wireless provider) for the SIM card of the MD741-1 that can also be reached from the
Internet.
(As an alternative, it is also possible to work with a DynDNS address for the MD741-1.)
[Figure: MD741-1 with PC in the internal network, tunnel over the WAN (external public network) to a PC behind a DSL router]
Required devices/components:
Use the following components to set up the network:
● 1 x MD741-1 module with SIM card, (optional: a suitably installed DIN rail with fittings);
● 1 x 24 V power supply with cable connector and terminal block plug;
● 1 x PC on which the "Security Configuration Tool" and VPN client "SOFTNET Security
Client" are installed;
● 1 x PC in the internal network of the MD741-1 with a browser for configuring the MD741-1
and testing the configuration;
● 1 x DSL router (connection to the Internet for the PC with the VPN client (ISDN, DSL,
UMTS etc.))
● The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45
standard for Industrial Ethernet.
[Figure: overview of steps: Setting up the MD741-1 and the network; Make the IP settings for the PCs; Create the project and modules; Configure the tunnel function; Saving the configuration of the MD741-1 and the SOFTNET Security Client; Configuring the MD741-1; Set up a tunnel with the SOFTNET Security Client; Test the tunnel function]
Under Default gateway for PC1, specify the IP address that you will assign to the MD741-1
module (for the internal network interface) in the subsequent configuration. For PC2, specify
the IP address of the DSL router (for the internal network interface).
Follow the steps below with PC1 and PC2 to open the network connections on the relevant PC:
1. On the relevant PC, open the Control Panel with the following menu command:
Start ► Control Panel
2. Open the "Network and Sharing Center" icon.
3. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4
(TCP/IPv4)" check box and click the "Properties" button.
4. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the
following IP address" radio button. Now enter the values assigned to the PC from the
table "Make the IP settings for the PCs" in the relevant boxes.
Close the dialogs with "OK" and exit the Control Panel.
3. Enter a user name and a password and confirm your entries to create a new project.
The "Selection of a module or software configuration" dialog opens automatically.
4. Now configure the product type "SOFTNET Configuration (SOFTNET Security Client,
MD74x)", the module "SOFTNET Security Client", the firmware version "V4.0" and assign
the module name "SSC-PC2".
5. Close the dialog with "OK".
6. Create a second module with the following menu command:
Insert ► Module
Now configure the product type "SOFTNET Configuration (SOFTNET Security Client,
MD74x)", the module "MD74x" and assign the module name "MD741-1".
7. Now click on the "IP Address (ext.)" box in the "Configuration" area and enter the IP
address in the specified format. Configure the corresponding external subnet mask as
well.
Note
To configure this example, you need a public, fixed IP address from your provider (mobile
wireless provider) for the SIM card of the MD741-1 that can also be reached from the
Internet. Enter this IP address as the external IP address for your module.
If you work with dynamic addresses for the MD741-1, you require a DynDNS address for
the module. In this case, you do not need to adapt the external IP address at this point.
The IP address entered therefore serves simply as a placeholder.
When configuring the SOFTNET Security Client later, specify a DNS name instead of an
external IP address.
8. Now click on the "IP Address (int.)" box in the "Configuration" area and enter the IP
address in the specified format. (IP address: 192.168.1.1) Configure the corresponding
internal subnet mask as well. (Subnet mask: 255.255.255.0)
9. Now close the dialog with "OK".
You obtain a view similar to that in the following figure.
2. Select the MD741-1 module "MD741-1" in the content area and drag it to "Group1" in the
navigation area.
The module is now assigned to this group (is a member of the group).
The color of the key symbol of the module icon changes from gray to blue, which
indicates that an IPsec connection was configured for the module.
3. Select the SOFTNET Security Client module "SSC-PC2" in the content area and drag it to
"Group1" in the navigation area.
The module is now also assigned to this group.
4. Now change your project to advanced mode with the following menu command:
View ► Advanced Mode
5. Open the group properties of Group1 by selecting the "Properties..." shortcut menu.
6. Change the SA Life for Phase 1 and Phase 2 to 1440 minutes and leave all other settings
at their default values.
NOTICE
A successful tunnel connection between MD741-1 and the SOFTNET Security Client
can only be established if you keep exactly to the parameters listed below.
If you use different parameter settings, it is possible that the two tunnel partners will not
be able to set up a VPN connection between them.
Authentication method: Certificate
Advanced Settings Phase 1:
• IKE Mode: Main
• Phase 1 DH Group: Group2
• Phase 1 Encryption: 3DES-168
• SA Life (minutes): 1440
• Phase 1 Authentication: SHA1
Advanced Settings Phase 2:
• SA Lifetype: Time
• Phase 2 Encryption: 3DES-168
• SA Life (minutes): 1440
• Phase 2 Authentication: SHA1
7. Save this project under a suitable name with the following menu command:
Project ► Save As...
The configuration of the tunnel connection is now complete.
3.5.6 Saving the configuration of the MD741-1 and the SOFTNET Security Client
3. Edit the IKE settings of the Roadwarrior VPN as shown in the following figure and save
your entries.
NOTICE
A successful tunnel connection between MD741-1 and the SOFTNET Security Client
can only be established if you keep exactly to the parameters listed below.
If you use different parameter settings, the two tunnel partners will not be able to set up
a VPN connection between them. You should therefore always keep to the settings in
the exported text file (shown separately below).
Authentication method: X.509 partner certificate
Phase 1 - ISAKMP SA:
• ISAKMP-SA encryption: 3DES-168
• ISAKMP-SA hash: SHA-1
• ISAKMP-SA mode: Main mode
• ISAKMP-SA Lifetime (seconds): 86400
Phase 2 - IPSec SA:
• IPSec SA encryption: 3DES-168
• IPSec SA hash: SHA-1
• IPSec SA lifetime (seconds): 86400
DH/PFS group: DH-2 1024
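A check that the two parameter tables (Security Configuration Tool side with lifetimes in minutes, MD741-1 side with lifetimes in seconds) describe the same IKE proposal, as an added Python example that is not Siemens code. The dictionary keys and function names are this example's own naming, and the 480-minute value used in the demonstration is a constructed mistake.

```python
import re

# Values as listed in the two NOTICE tables of the manual; key names are this example's own.
SCT_GROUP1 = {  # Security Configuration Tool, properties of Group1 in advanced mode
    "authentication": "Certificate",
    "phase1": {"ike_mode": "Main", "dh_group": "Group2", "encryption": "3DES-168",
               "sa_life_minutes": 1440, "authentication": "SHA1"},
    "phase2": {"sa_lifetype": "Time", "encryption": "3DES-168",
               "sa_life_minutes": 1440, "authentication": "SHA1"},
}

MD741_ROADWARRIOR = {  # MD741-1 web interface, IKE settings of the Roadwarrior VPN
    "authentication": "X.509 partner certificate",
    "isakmp_sa": {"encryption": "3DES-168", "hash": "SHA-1", "mode": "Main mode",
                  "lifetime_seconds": 86400},
    "ipsec_sa": {"encryption": "3DES-168", "hash": "SHA-1", "lifetime_seconds": 86400},
    "dh_pfs_group": "DH-2 1024",
}


def _alg(name: str) -> str:
    """Normalise algorithm spellings: '3DES-168' -> '3DES168', 'SHA-1' and 'SHA1' -> 'SHA1'."""
    return re.sub(r"[\s\-]", "", name).upper()


def _group_number(text: str) -> int:
    """'Group2' or 'DH-2 1024' -> 2 (the first integer in the string)."""
    m = re.search(r"\d+", text)
    if m is None:
        raise ValueError(f"no DH group number in {text!r}")
    return int(m.group())


def _auth(text: str) -> str:
    """'Certificate' and 'X.509 partner certificate' both mean certificate authentication."""
    return "CERTIFICATE" if "certificate" in text.lower() else text.upper()


def canon_sct(cfg: dict) -> dict:
    """Canonical proposal from the Security Configuration Tool side (lifetimes in minutes)."""
    p1, p2 = cfg["phase1"], cfg["phase2"]
    return {
        "auth": _auth(cfg["authentication"]),
        "ike_mode": p1["ike_mode"].upper(),
        "dh_group": _group_number(p1["dh_group"]),
        "p1_enc": _alg(p1["encryption"]),
        "p1_hash": _alg(p1["authentication"]),
        "p1_life_s": p1["sa_life_minutes"] * 60,   # 1440 min = 86400 s
        "p2_lifetype": p2["sa_lifetype"].upper(),
        "p2_enc": _alg(p2["encryption"]),
        "p2_hash": _alg(p2["authentication"]),
        "p2_life_s": p2["sa_life_minutes"] * 60,
    }


def canon_md741(cfg: dict) -> dict:
    """Canonical proposal from the MD741-1 side (lifetimes in seconds)."""
    ike, esp = cfg["isakmp_sa"], cfg["ipsec_sa"]
    return {
        "auth": _auth(cfg["authentication"]),
        "ike_mode": ike["mode"].upper().replace(" MODE", ""),
        "dh_group": _group_number(cfg["dh_pfs_group"]),
        "p1_enc": _alg(ike["encryption"]),
        "p1_hash": _alg(ike["hash"]),
        "p1_life_s": ike["lifetime_seconds"],
        "p2_lifetype": "TIME",  # a lifetime given in seconds is a time-based lifetype
        "p2_enc": _alg(esp["encryption"]),
        "p2_hash": _alg(esp["hash"]),
        "p2_life_s": esp["lifetime_seconds"],
    }


def mismatches(a: dict, b: dict) -> list:
    """(key, value on side a, value on side b) for each parameter that differs; [] means compatible."""
    return [(k, a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]


if __name__ == "__main__":
    print(mismatches(canon_sct(SCT_GROUP1), canon_md741(MD741_ROADWARRIOR)))  # []
    # constructed mistake: SA Life for Phase 1 left at 480 minutes instead of 1440
    wrong = {**SCT_GROUP1, "phase1": {**SCT_GROUP1["phase1"], "sa_life_minutes": 480}}
    print(mismatches(canon_sct(wrong), canon_md741(MD741_ROADWARRIOR)))  # [('p1_life_s', 28800, 86400)]
```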
4. To be able to use the diagnostics function of the SOFTNET Security Client for
successfully established VPN tunnels in conjunction with the MD741-1, you need to allow
a ping from the external network of the MD741-1.
To do this, go to the directory:
Security ► Advanced Settings
Set the "External ICMP to the MD741-1" function to the value "Allow Ping" and save your
entry. Note also the following figure.
Note
If you do not enable this function, you will not be able to use the diagnostics function of
the SOFTNET Security Client for successfully established VPN tunnels in conjunction
with the MD741-1. You then do not receive any feedback as to whether the tunnel was
successfully established but can nevertheless communicate securely via the tunnel.
5. To allow you to access the Web interface of the MD741-1 module via the external
interface as well, enable the HTTPS remote access.
This gives you the opportunity of configuring and diagnosing the MD741-1 remotely via
an established tunnel.
To do this, go to the directory:
Access ► HTTPS
Set the "Enable HTTPS remote access" function to the value "Yes" as shown in the
following figure and save your entry.
Note
If you want to access the MD741-1 using a DNS name, make the settings for the
DynDNS server connection in the following directory:
External Network ► Advanced Settings ► DynDNS
1. Change the setting "Log on to DynDNS server" to the value "Yes".
2. Specify your username and the password of your DynDNS account.
3. Enter the full DynDNS address in the "DynDNS hostname" box. Remember to specify
the domain for this address as well. (Example: "mydns.dyndns.org")
The commissioning of the MD741-1 module is now complete. The module and the
SOFTNET Security Client can establish a communication tunnel over which network nodes
can communicate securely with PC2 from within the internal network.
4. Enter the password for the certificate and confirm with "Next".
5. Confirm the "Enable all statically configured nodes?" dialog with "Yes".
6. Click the "Tunnel Overview" button.
Note
If you want to reach the MD741-1 module using a DNS name, set the full DynDNS
address in the "DNS Name" input box in step 3. (Example: "mydns.dyndns.org")
Note
Remember that this function depends on enabling the ping function on the MD741-1 module.
In the Logging Console of the tunnel view of the SOFTNET Security Client, you will see
additional feedback from your system from which you can deduce the following:
● How did the connection attempt go?
● Was the policy created for your communication connection?
The commissioning of the configuration is now complete. The MD741-1 module and the
SOFTNET Security Client have established a communication tunnel over which network
nodes can communicate securely with PC2 from within the internal network.
NOTICE
The Windows firewall may be configured so that ping commands do not pass through by
default. If necessary, you will need to enable the ICMP services of the type Echo Request
and Echo Reply.
Testing
Now test the function of the tunnel connection established between PC1 and PC2:
1. Open the following menu command from the taskbar Start menu on PC2:
Start ► All Programs ► Accessories ► Command Prompt
2. Enter the ping command from PC2 to PC1 (IP address 192.168.1.101).
In the command line of the "Command Prompt" window, enter the following command:
ping 192.168.1.101
You will then receive the following message: (positive reply from PC1).
Result
If the IP packets have reached PC1, the "Ping statistics for 192.168.1.101" display the
following:
● Sent = 4
● Received = 4
● Lost = 0 (0 % loss)
Since no other communication is permitted, these packets must have been transported
through the VPN tunnel.
Further information
How to configure modules and IPsec tunnels is described in detail in the next chapters of this
manual.
You will find detailed information on the dialogs and parameter settings in the online help.
You can call this with the F1 key or using the "Help" button in the relevant dialog.
Scope of performance
You use the Security Configuration Tool for the following tasks:
● Configuration of SCALANCE S
● Configuration of SOFTNET Security Client (S612 / S613 / MD 741-1)
● Creating the configuration data for MD 740-1 / MD 741-1
● Test and diagnostic functions, status displays
Modes
The Security Configuration Tool has two modes:
● Offline - configuration view
In offline mode, you create the configuration data for the SCALANCE S modules and
SOFTNET Security Clients. A connection to a SCALANCE S is required only when you
download the configuration data.
● Online
The online mode is used for testing and diagnostics of a SCALANCE S.
(Figure: Offline: configuration data; Download; Online: diagnostics and test)
4.2 Installation
You install the Security Configuration Tool from the supplied SCALANCE S CD.
Requirements
The prerequisites for installation and operation of the Security Configuration Tool on a
PC/PG are as follows:
● Operating system Windows XP SP2 or SP3 (not Home), Windows 7 (not Home);
● PC/PG with at least 128 Mbytes of RAM and a 1 GHz CPU or faster.
NOTICE
Before you install the Security Configuration Tool, make sure that you read the "README"
file on the CD. This file contains important notes and any late modifications.
● Insert the SCALANCE S CD in your CD-ROM drive; if the Autorun function is active, the
user interface with which you make the installation starts automatically.
or
● Start the "start.exe" application on the supplied SCALANCE S CD.
① The navigation area functions as a project Explorer with the following main folders:
• Global firewall rules
The node contains the configured global firewall rule sets. Other folders:
– IP rule set
– MAC rule set
• All Modules
The node contains the configured SCALANCE S modules or SOFTNET Security Clients of the project.
• All Groups
② Content area:
When you select an object in the navigation area, you will see detailed information on this object in the content
area.
Several parameters can be entered here.
By double clicking on the objects, you open properties dialogs in which you can enter further parameters.
③ Status bar
The status bar displays operating states and current status messages; these include:
• The current user and user type
• The operator view - standard mode/advanced mode
• The mode - online/offline
Menu bar
Below, you will see an overview of the available menu commands and their meaning.
Edit ▶…
  Note: If you have selected an object, some of the functions listed here are also
  available in the popup menu available with the right mouse button.
  Copy                    Copy the selected object.                                   Ctrl+C
  Paste                   Fetch object from the clipboard and paste.                  Ctrl+V
  Delete                  Delete the selected object.                                 Del
  Rename                  Rename the selected object.                                 Ctrl+R
  Properties              Open the properties dialog for the selected object.         F4
  Online Diagnostics…     Access test and diagnostic functions.
                          This menu command is only available in the online view.
Transfer ▶…
  To Module…              Download data to the selected modules.
                          Note: Only consistent project data can be downloaded.
  To All Modules…         Download data to all configured modules.
                          Note: Only consistent project data can be downloaded.
  Configuration Status…   Display the configuration status of the configured modules in a list.
  Firmware Update...      Download new firmware to the selected SCALANCE S.
View ▶…
  Advanced mode           Switch from the standard to the advanced mode.              Ctrl+E
                          Notice: If you switch to the advanced mode for the current
                          project, you can only switch back as long as you have made
                          no modifications. The standard mode is the default.
  Offline                 Is the default.                                             Ctrl+Shift+D
  Online                                                                              Ctrl+D
Options ▶…
  IP Service Definitions…   Open a dialog for service definitions for IP firewall rules.
                            This menu command is only available in the "advanced mode" view.
  MAC Service Definitions…  Open a dialog for service definitions for MAC firewall rules.
                            This menu command is only available in the "advanced mode" view.
  Change Project Password...  Function for changing the user password.
  Network adapter...      Function for selecting the local network adapter over which a
                          connection will be established to a SCALANCE S.
  Log Files…              Displays log files. Log files can be read and logs can be started.
  Symbolic Names...       You can assign symbolic names for IP addresses or MAC addresses.
  Consistency checks      Check the consistency of the entire project. A result list is displayed.
Help ▶…
  Contents ...            Help on the functions and parameters required in the        Ctrl+Shift+F1
                          Security Configuration Tool.
4.4.1 Overview
SCALANCE S project
A project in the Security Configuration Tool includes all the configuration and management
information for one or more SCALANCE S devices, SOFTNET Security Clients and MD74x
devices.
You create a module for each SCALANCE S device, each SOFTNET Security Client and
each MD74x device in the project.
You will find a detailed description of this function in the section "Firewall, routers and other
module properties".
Group assignments for IPsec tunnel (S612 / S613 / SOFTNET Security Client)
These specify which SCALANCE S modules, SOFTNET Security Clients and MD74x
modules can communicate with each other over an IPsec tunnel.
By assigning SCALANCE S modules, SOFTNET Security Clients and MD74x modules to a
group, these modules can establish a communication tunnel over a VPN (virtual private
network).
Only modules in the same group can communicate securely with each other over tunnels
and SCALANCE S modules, SOFTNET Security Clients and MD74x modules can belong to
several groups at the same time.
As default, the Security Configuration Tool then creates a project and automatically opens
the "Selection of a module or software configuration" dialog in which you can configure your
first module.
See also
Firewall, router and other module properties (Page 129)
User authentication
The users of the project must authenticate themselves during access. For each user, you
can specify a password authentication.
NOTICE
If the authentication settings are changed, the configuration must be downloaded to the
SCALANCE S modules again before the settings (for example, new users, password
changes) become active on the modules.
Overview
The Security Configuration Tool distinguishes between:
● Local consistency checks
● Project-wide consistency checks
Refer to the "Consistency check" sections of the dialog descriptions in the manual for
information on the rules that are checked during input in the dialogs.
NOTICE
You can only download configuration data when the entire project is consistent.
Tip:
The use of the project-wide consistency check is especially practical for the symbol table
described here. Based on the list, you can recognize every inconsistency and correct it.
You can start a consistency check for an open project with the following menu command:
Options ▶ Check Consistency
Legend:
1) Note the explanations in the section "Consistency checks".
2) DNS-compliance according to RFC1035 involves the following rules:
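The list of rules is not reproduced on this page. As an added example (not part of this manual and not code from the Security Configuration Tool), the following Python function implements the RFC 1035 "preferred name syntax" rules that such a consistency check has to apply to a module or DNS name and reports every violation rather than only the first one. The sample names used in the test are constructed.

```python
from __future__ import annotations

import re

# RFC 1035, section 2.3.1 ("Preferred name syntax"): a label begins with a
# letter, ends with a letter or digit, and has only letters, digits and
# hyphens in between. Labels are limited to 63 octets and a complete name to
# 255 octets. Comparison is case-insensitive, so both cases are accepted.
_LABEL_RE = re.compile(r"[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
MAX_LABEL_OCTETS = 63
MAX_NAME_OCTETS = 255


def dns_name_problems(name: str) -> list[str]:
    """Return every RFC 1035 rule the name violates (an empty list means compliant).

    A single trailing dot (absolute name) is accepted and ignored. The check is
    deliberately strict: a label that starts with a digit, which RFC 1123 later
    permitted, is rejected here because the manual refers to RFC 1035.
    """
    problems: list[str] = []
    if name.endswith("."):
        name = name[:-1]
    if not name:
        return ["name is empty"]
    if not name.isascii():
        problems.append("name contains non-ASCII characters")
    if len(name.encode("utf-8")) > MAX_NAME_OCTETS:
        problems.append(f"name is longer than {MAX_NAME_OCTETS} octets")
    for label in name.split("."):
        if not label:
            problems.append("empty label (leading or repeated '.')")
            continue
        if len(label.encode("utf-8")) > MAX_LABEL_OCTETS:
            problems.append(f"label '{label[:12]}...' is longer than {MAX_LABEL_OCTETS} octets")
        if not _LABEL_RE.fullmatch(label):
            problems.append(
                f"label '{label}' must start with a letter, end with a letter or "
                "digit, and contain only letters, digits and '-'")
    return problems


def is_dns_compliant(name: str) -> bool:
    """Convenience wrapper for a yes/no consistency check."""
    return not dns_name_problems(name)
```

Reject a name on any reported problem; underscores, which many Windows host names contain, are the violation most often seen in practice.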
Requirements
● Ports
In principle, you can download the configuration data both over device port 1 or device
port 2.
Ideally, you should configure the modules of a group over the common external network
of these modules (device port 1).
If the configuration computer is located in an internal network, you must enable the IP
addresses of the other modules of the group explicitly in the firewall of this SCALANCE S
and configure this module first. (This procedure is only supported when all SCALANCE S
modules have already been assigned an IP address; see "Point to note during initial
configuration".)
NOTICE
Using multiple network adapters during initial configuration
If you operate more than one network adapter in your PC/PG, first select the network
adapter over which you can reach the SCALANCE S module prior to initial configuration.
Use the menu command "Options ▶ Network Adapter…"
● Operating state
Configurations can be downloaded while the SCALANCE S devices are operating. After
downloading, the devices are automatically restarted. Following the download, there may
be a short interruption in communication between the internal and external network.
NOTICE
Point to note during initial configuration
As long as a module has not yet set IP parameters; in other words, prior to the first
configuration, there must be no router or SCALANCE S between the module and the
configuration computer.
NOTICE
Changing the PC port
If you swap a PC from the internal to the external interface of the SCALANCE S, access
from this PC to the SCALANCE S is blocked for approximately 10 minutes (security
function to defend against "ARP cache spoofing").
NOTICE
The project must be consistent
You can only download configuration data when the entire project is consistent. If there
is an inconsistency, a detailed check list is displayed.
Secure transfer
The data is transferred with a secure protocol.
Transferring to a module
You can generate your VPN information for the assignment of parameters to an MD 740-1 /
MD 741-1 using the Security Configuration Tool. Once you have generated files, you can
use them to configure the MD 740-1 / MD 741-1.
The following file types are generated:
● Export file with the configuration data
– File type: ".txt" file in ASCII format
– Contains the exported configuration information for the MD 740 / MD 741 including
information on the additionally generated certificates.
● Module certificate
– File type: ".p12" file
– The file contains the module certificate and the key material.
– Access is password protected.
● Group certificate
– File type: ".cer" file
The configuration files for the MD 740-1 / MD 741-1 can also be used to configure other VPN
client types that are not included in the module selection. Minimum requirement for the use
of these VPN clients is support of IPsec VPNs in tunnel mode.
Note
No configuration files are transferred to the module. Only an ASCII file is generated with
which you can configure the MD 740-1 / MD 741-1. This is, however, only possible when the
module is located in at least one VPN group in which there is also a SCALANCE S module
or a SOFTNET Security Client V3.0 or higher.
2. In the save dialog that then opens, enter the path and file name of the configuration file
and click "Save".
3. You will then be asked whether you want to create your own password for the two
created certificate files.
If you select "No", the name of the configuration is assigned as the password (for
example DHCP_without_Routing_02), not the project password. Because the configuration
name is predictable and the ".p12" file contains the module's key material, this default
offers little protection.
If you select "Yes" (recommended), you enter your password in the next dialog.
Result: The files (and certificates) are stored in the folder you specify.
Note
After the files have been stored, a message reminds you that projects are only upward
compatible: a project saved with, for example, Security Configuration Tool V2.1 cannot be
loaded with Security Configuration Tool V2.
Note
For more information on the configuration of the MD 740-1 / MD 741-1, refer to the
system manual MD 741-1 / MD 740-1.
Note
S612/S613
The firewall settings you can make for the individual modules can also influence
communication handled over the IPSec tunnel connections in the internal network (VPN).
Further information
How to configure IPSec tunnels is described in detail in the next chapter of this manual.
You will find detailed information on the dialogs and parameter settings in the online help.
You can call this with the F1 key or using the "Help" button in the relevant dialog.
NOTICE
Performance features and device types
Note which functions the device type you are using supports.
See also
Online functions - test, diagnostics, and logging (Page 221)
Hardware characteristics and overview of the functions (Page 15)
Meaning
The firewall functionality of SCALANCE S has the task of protecting the internal network
from influences or disturbances from the external network. This means that; depending on
the configuration, only certain previously specified communication relations between network
nodes from the internal network and network nodes from the external network are allowed.
All network nodes located in the internal network segment of a SCALANCE S are protected
by its firewall.
The firewall functionality can be configured for the following protocol levels:
● IP firewall with stateful packet inspection;
● Firewall also for Ethernet "non-IP" frames according to IEEE 802.3; (Layer 2 frames)
● Bandwidth limitation
Firewall rules
Firewall rules filter data traffic in the following directions:
● from the internal to the external network and vice versa;
● from the internal network into an IPsec tunnel and vice versa (S612/S613).
Project engineering
A distinction must be made between the two operating views:
● In standard mode, simple, predefined rules are used.
● In advanced mode, you can define specific rules.
In advanced mode, a further distinction must be made between local firewall rules and
global firewall rules for modules:
– Local firewall rules are always assigned to a module. They are configured in the
properties dialog of the modules.
– Global firewall rules can be assigned to several modules at the same time. This option
simplifies configuration in many situations.
With the aid of service definitions, you can also define firewall rules clearly in a compact
form. You can reference these service definitions both directly in the local firewall rules and
in the global firewall rule sets.
Meaning
By operating the SCALANCE S as a router, you connect the internal network with the
external network. The internal network connected by SCALANCE S therefore becomes a
separate subnet.
You have the following options:
● Routing - can be set in both standard and advanced mode
● NAT/NAPT routing - can be set in advanced mode
Meaning
You can operate SCALANCE S on the internal network as a DHCP server. This allows IP
addresses to be assigned automatically to the devices connected to the internal network.
The IP addresses are assigned either dynamically from an address band you have specified
or you can select a specific IP address for a particular device.
Project engineering
Configuration as a DHCP server is possible in the "advanced mode" view
Creating modules
When you create a new project, the Security Configuration Tool opens the "Selection of a
module or software configuration" dialog in which you can configure your first module.
You can create further modules with the following menu commands:
Insert ▶ Module
As an alternative: Using the context menu with the "All Modules" object selected.
In the next step in this dialog, select your product type, the module and the firmware release.
Address parameters
You can configure some address parameters in the "Selection of a module or software
configuration" dialog when you create a module.
You can also enter the address parameters in the content area by selecting the "All
Modules" object in the navigation area:
The following properties of the modules are displayed in columns:
The currently valid MAC addresses are displayed in the "Status" tab in the online dialog of
the Security Configuration Tool.
See also
Overview of the functions in the online dialog (Page 222)
Note
Routing mode
If you have enabled the routing mode for the SCALANCE S module, MAC rules are
irrelevant.
Dialog
Select the module you want to edit and then select the following menu command to set up
the firewall:
Edit ▶ Properties..., "Firewall" tab
NOTICE
Please remember that the risks increase the more options you enable.
The standard mode includes the following predefined rules for the firewall that you can select
in the "Configuration" input area:
(Figures: the predefined rule options, numbered 1 to 5, shown for the firewall and the IPsec tunnel)
Note
If you switch to the advanced mode for the current project, you can no longer switch back if
you make any modifications.
Note
Routing mode
If you have enabled the routing mode for the SCALANCE S module, MAC rules are
irrelevant (dialogs are disabled).
Application
Global firewall rules are configured outside the module at the project level. Just like the
modules, they are visible in the navigation area of the Security Configuration Tool.
By selecting a configured module and dragging it to the global firewall rule, you assign the
firewall rule to the module. This global firewall rule then appears automatically in the module-
specific list of firewall rules.
You can define firewall rules for the following:
● IP rule sets
● MAC rule sets
The following schematic illustrates the relationship between globally defined rule sets and
locally used rule sets.
(Figure: global rule sets 1 to n at project level; a module's local rule list in which assigned global rule sets appear alongside its local rules)
Result:
The global rule set is used by the selected module as a local rule set.
Parameter
The configuration of an IP rule includes the following parameters:
Example
The packet filter rules shown as examples in the dialog above have the following effects:
(Figure: packet filter rules 1 to 3 at the firewall and the IPsec tunnel, with callouts ① to ⑥ explained below)
① All packet types from internal to external are blocked as default, except for those explicitly allowed.
② All packet types from external to internal are blocked as default, except for those explicitly allowed.
③ IP packet filter rule 1 allows packets with the service definition "Service X1" from internal to external.
④ IP packet filter rule 2 allows packets from external to internal when the following conditions are met:
• IP address of the sender: 196.65.254.2
• IP address of the recipient: 197.54.199.4
• Service definition: "Service X2"
⑤ IP packet filter rule 3 blocks packets with the service definition "Service X2" in the VPN (IPsec tunnel).
⑥ IPsec tunnel communication is allowed as default except for the explicitly blocked packet types.
Dialog / tab
Open the dialog as follows:
● Using the menu command Options ▶ IP/MAC Service Definition...
or
● From the "Firewall/IP Rules" tab with the "IP Service Definitions..." button.
Dialog / tab
Open the dialog as follows:
● With the menu command
Options ▶ IP Service Definition...
or
● From the "Firewall" tab with the "IP Service Definitions.." button .
Note
Routing mode
If you have enabled the routing mode for the SCALANCE S module, MAC rules are
irrelevant (dialogs are disabled).
Dialog / tab
Select the module you want to edit and then select the following menu command to set up
the firewall:
Edit ▶ Properties..., "Firewall", "MAC Rules" tab
5.4.8 MAC packet filter rules
MAC packet filter rules are processed based on the following evaluations:
● Parameters entered in the rule;
● Priority of the rule within the rule set.
NOTICE
In bridge mode: IP rules apply to IP packets, MAC rules apply to layer 2 packets
If a module is in bridge mode, both IP and MAC rules can be defined for the firewall.
Which rule set the firewall applies to a frame is decided by its Ethertype.
IP packets are forwarded or blocked depending on the IP rules and layer 2 packets are
forwarded or blocked depending on the MAC rules.
It is not possible to filter an IP packet using a MAC firewall rule, for example based on a
MAC address.
Examples
You can apply the example of an IP packet filter in Section 5.4.3 analogously to the MAC
packet filter rules.
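To make the default policies, the rule priority and the bridge-mode split concrete, here is an added example (not code from this manual or from the SCALANCE S firmware) that models the packet filter decision in Python. It uses the three IP packet filter rules ① to ⑥ of the example in section 5.4.3 and applies the rule from the notice above: the Ethertype selects the rule set, so an IP packet only ever meets IP rules and a layer 2 frame only MAC rules. The protocol and port behind "Service X1" and "Service X2", the sample MAC addresses, the ARP rule and the treatment of non-IP frames in routing mode are assumptions of this model, not settings taken from the manual.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Sequence

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# Traffic directions the firewall distinguishes (bridge mode, with an IPsec tunnel).
INT_TO_EXT, EXT_TO_INT = "int->ext", "ext->int"
INT_TO_TUNNEL, TUNNEL_TO_INT = "int->tunnel", "tunnel->int"

# Default policy as in the manual's example: internal<->external is blocked unless
# explicitly allowed, tunnel traffic is allowed unless explicitly blocked.
DEFAULT_ACTION = {INT_TO_EXT: "drop", EXT_TO_INT: "drop",
                  INT_TO_TUNNEL: "allow", TUNNEL_TO_INT: "allow"}

# Service definitions. "Service X1"/"Service X2" are the manual's placeholder names;
# the protocol and port behind each is an assumption made for this example.
SERVICES = {"Service X1": ("tcp", 102),   # assumed: ISO-on-TCP (S7 communication)
            "Service X2": ("udp", 161)}   # assumed: SNMP


@dataclass(frozen=True)
class Frame:
    ethertype: int
    src_mac: str
    dst_mac: str
    src_ip: str = ""      # IP fields are only meaningful for ETHERTYPE_IPV4
    dst_ip: str = ""
    proto: str = ""
    dport: int = 0


@dataclass(frozen=True)
class IPRule:
    action: str                    # "allow" or "drop"
    direction: str
    service: Optional[str] = None  # key into SERVICES, None = any service
    src_ip: Optional[str] = None   # None = any address
    dst_ip: Optional[str] = None


@dataclass(frozen=True)
class MACRule:
    action: str
    direction: str
    ethertype: Optional[int] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None


def _ip_match(r: IPRule, f: Frame) -> bool:
    return ((r.service is None or (f.proto, f.dport) == SERVICES[r.service])
            and (r.src_ip is None or r.src_ip == f.src_ip)
            and (r.dst_ip is None or r.dst_ip == f.dst_ip))


def _mac_match(r: MACRule, f: Frame) -> bool:
    return ((r.ethertype is None or r.ethertype == f.ethertype)
            and (r.src_mac is None or r.src_mac.lower() == f.src_mac.lower())
            and (r.dst_mac is None or r.dst_mac.lower() == f.dst_mac.lower()))


def evaluate(frame: Frame, direction: str, ip_rules: Sequence[IPRule],
             mac_rules: Sequence[MACRule], routing_mode: bool = False) -> tuple[str, str]:
    """Return (action, reason) for one frame travelling in `direction`.

    Rules are tried in list order and the first match wins (rule priority). The
    Ethertype selects the rule set: IP packets are only compared with IP rules and
    all other frames only with MAC rules, so an IP packet can never be filtered by
    a MAC address. Stateful acceptance of reply packets is not modelled.
    """
    if frame.ethertype == ETHERTYPE_IPV4:
        for n, r in enumerate(ip_rules, 1):
            if r.direction == direction and _ip_match(r, frame):
                return r.action, f"IP rule {n}"
    elif routing_mode:
        # A router forwards IP only, so non-IP frames never cross the module and
        # MAC rules are irrelevant (modelled here as a drop; an assumption).
        return "drop", "non-IP frame in routing mode"
    else:
        for n, r in enumerate(mac_rules, 1):
            if r.direction == direction and _mac_match(r, frame):
                return r.action, f"MAC rule {n}"
    return DEFAULT_ACTION[direction], "default policy"


# The manual's three IP packet filter rules in priority order (rule 3 entered once per
# tunnel direction), plus one assumed MAC rule letting ARP out of the internal network.
EXAMPLE_IP_RULES = [
    IPRule("allow", INT_TO_EXT, service="Service X1"),
    IPRule("allow", EXT_TO_INT, service="Service X2",
           src_ip="196.65.254.2", dst_ip="197.54.199.4"),
    IPRule("drop", INT_TO_TUNNEL, service="Service X2"),
    IPRule("drop", TUNNEL_TO_INT, service="Service X2"),
]
EXAMPLE_MAC_RULES = [MACRule("allow", INT_TO_EXT, ethertype=ETHERTYPE_ARP)]

MAC_A, MAC_B = "00:1b:1b:00:00:01", "00:1b:1b:00:00:02"   # constructed sample addresses


def x1(src_ip: str, dst_ip: str) -> Frame:     # a "Service X1" packet
    return Frame(ETHERTYPE_IPV4, MAC_A, MAC_B, src_ip, dst_ip, "tcp", 102)


def x2(src_ip: str, dst_ip: str) -> Frame:     # a "Service X2" packet
    return Frame(ETHERTYPE_IPV4, MAC_A, MAC_B, src_ip, dst_ip, "udp", 161)


ARP_REQUEST = Frame(ETHERTYPE_ARP, MAC_A, "ff:ff:ff:ff:ff:ff")


def check(frame: Frame, direction: str, routing_mode: bool = False) -> tuple[str, str]:
    """Evaluate a frame against the example rule sets."""
    return evaluate(frame, direction, EXAMPLE_IP_RULES, EXAMPLE_MAC_RULES, routing_mode)
```

The two default policies are the point to keep in mind when reviewing a configuration: a missing rule between internal and external fails closed, but a missing rule for the tunnel fails open, so anything that must not cross the VPN needs an explicit drop rule like rule 3.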
Dialog
Open the dialog as follows:
● With the following menu command:
Options ▶ MAC Service Definition...
or
● From the "Firewall/MAC Rules" tab with the "MAC Service Definitions..." button .
Dialogs / tabs
Open the dialog as follows:
● With the following menu command:
Options ▶ IP/MAC Service Definition...
or
● From the "Firewall/IP Rules" tab or "Firewall/MAC Rules" tab with the "IP/MAC Service
Definitions..." button.
Meaning
The date and time are kept on the SCALANCE S module to check the validity (time) of a
certificate and for the time stamps of log entries.
Note
Time-of-day synchronization relates solely to the SCALANCE S module and cannot be used
to synchronize devices in the internal network of the SCALANCE S.
NOTICE
If the NTP server cannot be reached by the SCALANCE S over an IPsec tunnel
connection, you must allow the packets from the NTP server explicitly in the firewall
(UDP, Port 123).
Meaning
SSL certificates are used for authentication of the communication between a device and
SCALANCE S in online communication.
5.7.1 Routing
Meaning
If you have enabled routing mode, packets intended for an existing IP address in the subnets
(internal or external) are forwarded. The firewall rules for the direction of transmission also
apply.
For this mode, you configure an internal IP address and an internal subnet mask for
addressing the router in the internal subnet in the dialog shown below.
Operating view
Configuration of this function is identical in standard and advanced mode.
Meaning
By configuring address conversion in the "Routing Mode" dialog, you operate the
SCALANCE S as NAT/NAPT router. With this technique, the addresses of the nodes in the
internal subnet are not known in the external network; the internal nodes are visible in the
external network only under the external IP addresses defined in the address conversion list
(NAT table and NAPT table) and are therefore not directly addressable from outside. Address
conversion hides addresses but does not replace the firewall: the firewall rules are still
applied, and they are compared with the converted addresses.
● NAT: Network Address Translation
● NAPT: Network Address Port Translation
Operating view
This function is available in advanced mode.
To use all the functions and menu commands described in this section, switch over the mode:
View ▶ Advanced Mode
The mode described here includes operation as default router. You should therefore refer to
the information in the section "Routing".
(Figure: the firewall compares its rule with the converted IP address)
Restrictions
The list described here contains a static, specified address conversion for the nodes on the
internal network (subnet).
Overview
The section contains the following examples of configuring the NAT/NAPT router:
● Example 1: NAT address conversion "External → Internal"
● Example 2: NAT address conversion "Internal → External"
● Example 3: NAT address conversion "Bidirectional"
● Example 4: NAPT address conversion
Project engineering
In the following routing configurations, you will find address assignments according to the
NAT and NAPT address conversion:
Description
● Example 1: NAT address conversion "External → Internal"
A node in the external network can send a packet to the node with the internal IP address
192.168.12.3 in the internal subnet by using the external IP address 192.168.10.123 as
destination address.
● Example 2: NAT address conversion "Internal → External"
Packets of an internal node with the internal IP address 192.168.12.3 are forwarded to
the external network with the external IP address 192.168.10.124 as the source address.
In the example, the firewall is set so that packets with the source IP address
192.168.10.124 are allowed from internal to external and that nodes with the IP address
192.168.10.11 can be reached.
● Example 3: NAT address conversion "Bidirectional"
In this example, the address conversion is made both for internal and external incoming
packets as follows:
– A node in the external network can send a packet to the node with the internal IP
address 192.168.12.4 in the internal subnet by using the external IP address
192.168.10.101 as destination address.
– Packets of an internal node with the internal IP address 192.168.12.4 are forwarded
on the external network with the external IP address 192.168.10.101 as the source
address. The firewall is set so that frames with the source IP address 192.168.10.101
are allowed from internal to external.
● Example 4: NAPT address conversion
Addresses are converted according to NAPT so that additional port numbers are also
assigned. The destination IP address and destination port number of all TCP and UDP
packets arriving from the external network are checked.
– A node in the external network can send a packet to the node with IP address
192.168.12.4 and port number 345 in the internal subnet by using the external module
IP address 192.168.10.1 and the external port number 8000 as the destination address.
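The four examples above can be traced through a small model of the NAT and NAPT tables. The following Python is an added example, not code from this manual or from the SCALANCE S: it applies the static address conversion to a packet in each direction, returns nothing when no table entry matches (the internal node is then simply not reachable), and then lets the firewall judge the converted packet, as in example 2 where the rule names the converted source address 192.168.10.124. The module's own external address is taken to be 192.168.10.1, the precedence of the port-specific NAPT entry over the 1:1 NAT entry for reply packets is a choice of this model, and the sample packets are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional, Sequence


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class NatEntry:
    """Static 1:1 address mapping from the NAT table."""
    internal_ip: str
    external_ip: str
    direction: str          # "ext->int", "int->ext" or "bidirectional"


@dataclass(frozen=True)
class NaptEntry:
    """Port mapping from the NAPT table; the external address is the module's own."""
    internal_ip: str
    internal_port: int
    external_port: int
    proto: str = "tcp"


class NatNaptRouter:
    def __init__(self, external_ip: str, nat: Sequence[NatEntry], napt: Sequence[NaptEntry]):
        self.external_ip = external_ip
        self.nat = list(nat)
        self.napt = list(napt)

    def translate_from_external(self, p: Packet) -> Optional[Packet]:
        """Rewrite the destination of a packet arriving on the external interface.

        None means no entry matched: without a conversion entry the internal
        address is not reachable from outside at all.
        """
        for e in self.nat:
            if e.direction in ("ext->int", "bidirectional") and p.dst_ip == e.external_ip:
                return replace(p, dst_ip=e.internal_ip)
        if p.dst_ip == self.external_ip:
            for e in self.napt:
                if e.proto == p.proto and p.dport == e.external_port:
                    return replace(p, dst_ip=e.internal_ip, dport=e.internal_port)
        return None

    def translate_from_internal(self, p: Packet) -> Optional[Packet]:
        """Rewrite the source of a packet leaving towards the external network.

        The port-specific NAPT entry is tried first so that replies from a
        NAPT-published service go out under the module's address and external
        port (a choice made for this model, not documented device behaviour).
        """
        for e in self.napt:
            if e.proto == p.proto and p.src_ip == e.internal_ip and p.sport == e.internal_port:
                return replace(p, src_ip=self.external_ip, sport=e.external_port)
        for e in self.nat:
            if e.direction in ("int->ext", "bidirectional") and p.src_ip == e.internal_ip:
                return replace(p, src_ip=e.external_ip)
        return None


def firewall_allows_int_to_ext(p: Packet, allowed: Sequence[tuple[str, str]]) -> bool:
    """The firewall rule is compared with the converted packet, so a rule for
    internal->external traffic names the external (converted) source address.
    A destination of "*" in the allow list means any destination."""
    return any(p.src_ip == src and dst in ("*", p.dst_ip) for src, dst in allowed)


# The manual's four examples combined in one table.
MODULE_EXTERNAL_IP = "192.168.10.1"   # assumed external address of the module
NAT_TABLE = [
    NatEntry("192.168.12.3", "192.168.10.123", "ext->int"),        # example 1
    NatEntry("192.168.12.3", "192.168.10.124", "int->ext"),        # example 2
    NatEntry("192.168.12.4", "192.168.10.101", "bidirectional"),   # example 3
]
NAPT_TABLE = [NaptEntry("192.168.12.4", 345, 8000, "tcp")]          # example 4
ROUTER = NatNaptRouter(MODULE_EXTERNAL_IP, NAT_TABLE, NAPT_TABLE)

# Firewall rules from examples 2 and 3, written against the converted source addresses.
INT_TO_EXT_ALLOWED = [("192.168.10.124", "192.168.10.11"), ("192.168.10.101", "*")]


def forward_internal_to_external(p: Packet) -> Optional[Packet]:
    """Convert first, then let the firewall decide on the converted packet."""
    t = ROUTER.translate_from_internal(p)
    if t is None or not firewall_allows_int_to_ext(t, INT_TO_EXT_ALLOWED):
        return None
    return t
```

Two things the model makes visible: an internal node with no table entry never appears on the external network in either direction, and a conversion entry by itself permits nothing, because the firewall rule still has to allow the converted packet.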
Overview
The section contains the following examples of configuring the NAT/NAPT router:
● Example 1: Allow external communication for all internal nodes
● Example 2: Also allow frames from external to internal.
Project engineering
In the following routing configurations, you will find address assignments according to the
NAT address conversion:
Description
Overview
You can operate SCALANCE S on the internal network as a DHCP server. This allows IP
addresses to be assigned automatically to the devices connected to the internal network.
The IP addresses are assigned either dynamically from an address band you have specified
or you can select a specific IP address for a particular device.
Prerequisite
You configure the devices in the internal network so that they obtain the IP address from a
DHCP server.
Depending on the mode, SCALANCE S informs the nodes in the subnet of a router IP
address otherwise you must make the router IP address known to the nodes in the subnet.
Variants
You have the following configuration options:
● Static address assignment
Devices with a specific MAC address or client ID are assigned the specified IP
addresses. You specify these addresses by entering the devices in the address list in the
"Static IP addresses" group box.
● Dynamic address assignment
Devices whose MAC address or whose client ID was not specified specifically, are
assigned a random IP address from a specified address range. You set this address
range in the "Dynamic IP addresses" group box.
NOTICE
Dynamic address assignment - reaction after interrupting the power supply
Please note that dynamically assigned IP addresses are not saved if the power supply is
interrupted. On return of the power, you must therefore make sure that the nodes
request an IP address again.
You should therefore only use dynamic address assignment for the following nodes:
• Nodes that are used temporarily in the subnet (such as service devices);
• Nodes that have been assigned an IP address and send this as the "preferred
address" the next time they request an address from the DHCP server (for example
PC stations).
For nodes in permanent operation, use a static address assignment by specifying a
client ID (recommended for S7-CPs because it is simpler to replace modules) or the
MAC address.
• Bridge mode
The range of the free IP address band must be in the network defined by
SCALANCE S.
• Router mode
The range of the free IP address band must be in the internal subnet defined
by SCALANCE S.
Legend:
1) Note the explanations in the section "Consistency checks".
Further information
You will find detailed information on the dialogs and parameter settings in the online help.
You can call this with the F1 key or using the "Help" button in the relevant dialog.
See also
Online functions - test, diagnostics, and logging (Page 221)
(Figure: a service computer with SOFTNET Security Client on the external network reaches a host computer through a VPN over an IPsec tunnel; the internal automation cells with IE/PB Link, HMI and ET 200X are used for internal operator control and monitoring)
SCALANCE S modules can belong to several different groups at the same time in one
project.
NOTICE
If the name of a SCALANCE S module is changed, all the SCALANCE S modules of the
groups to which the changed SCALANCE S module belongs must be reconfigured (menu
command Transfer ▶ To All Modules...).
If the name of a group is changed, all SCALANCE S modules of this group must be
reconfigured (menu command Transfer ▶ To All Modules...).
NOTICE
Layer 2 frames are tunneled only when there is no router between two SCALANCE S
modules.
The following applies in general: Non-IP packets are transferred through a tunnel only when
the devices that send or receive the packets were able to communicate previously; in other
words, without using the SCALANCE S.
Whether or not the network nodes were able to communicate prior to the use of the
SCALANCE S is decided based on the IP networks in which the SCALANCE S devices are
located. If the SCALANCE S modules are located in the same IP subnet, it is assumed that
the end devices in the networks secured by the SCALANCE S were able to communicate
with non-IP packets prior to the use of the SCALANCE S. The non-IP packets are then
tunneled.
Authentication method
The authentication method is specified within a group (within a VPN) and decides the type of
authentication used.
Key-based or certificate-based authentication methods are supported:
● Preshared keys
The preshared key is distributed to all modules in the group. Since every module holds
the same key, compromise of any one module discloses the key of the whole group.
First enter a password in the "Preshared Key" box in the "Group Properties" dialog.
● Certificate
Certificate-based authentication is the default that is also active in standard mode. The
procedure is as follows:
– When a group is generated, a group certificate is generated (group certificate = CA
certificate).
– Each SCALANCE S in the group receives a certificate signed with the key of the group
CA.
All certificates are based on the ITU standard X.509v3 (ITU, International
Telecommunications Union).
The certificates are generated by a certification function in the Security Configuration
Tool.
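The certificate scheme described here (group certificate = CA certificate, each module certificate signed with the group CA key) is what produces the export files listed under "Transferring to a module": the ".p12" module certificate with its key material and the ".cer" group certificate. The following Python, using the `cryptography` package, is an added example and not code from the Security Configuration Tool: it builds a group CA, issues a module certificate signed with the CA key, packs it into a password-protected PKCS#12 file, and checks a ".p12"/".cer" pair the way a VPN client should before trusting it (password opens the container, certificate was issued and signed by the group CA, private key matches the certificate). Key sizes, validity periods, names and passwords are assumptions of this example.

```python
from __future__ import annotations

import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def _name(common_name: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _builder(subject: str, issuer: x509.Name, public_key, days: int, ca: bool):
    # X.509v3 certificate skeleton; BasicConstraints marks CA vs. end-entity.
    now = dt.datetime.now(dt.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject)).issuer_name(issuer)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(minutes=5))
            .not_valid_after(now + dt.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=0 if ca else None),
                           critical=True))


def make_group_ca(group_name: str):
    """Group certificate = CA certificate: self-signed, one per VPN group."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # size assumed
    cert = _builder(group_name, _name(group_name), key.public_key(), 3650, True).sign(
        key, hashes.SHA256())
    return key, cert


def make_module_cert(module_name: str, ca_key, ca_cert: x509.Certificate):
    """Module certificate: its own key pair, signed with the group CA's key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = _builder(module_name, ca_cert.subject, key.public_key(), 730, False).sign(
        ca_key, hashes.SHA256())
    return key, cert


def export_files(module_name: str, key, cert, ca_cert, p12_password: bytes) -> tuple[bytes, bytes]:
    """Produce the two certificate files: module ".p12" (certificate + key,
    password protected) and group ".cer" (the CA certificate, DER encoded)."""
    p12 = pkcs12.serialize_key_and_certificates(
        module_name.encode(), key, cert, [ca_cert],
        serialization.BestAvailableEncryption(p12_password))
    cer = ca_cert.public_bytes(serialization.Encoding.DER)
    return p12, cer


def verify_export(p12_bytes: bytes, p12_password: bytes, cer_bytes: bytes) -> bool:
    """Check a ".p12"/".cer" pair before importing it on a VPN client."""
    try:
        key, cert, _chain = pkcs12.load_key_and_certificates(p12_bytes, p12_password)
    except ValueError:           # wrong password or corrupt container
        return False
    if key is None or cert is None:
        return False
    ca = x509.load_der_x509_certificate(cer_bytes)
    if cert.issuer != ca.subject:
        return False
    try:                         # the module certificate must carry the group CA's signature
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    # the private key in the container must belong to the certificate
    return key.public_key().public_numbers() == cert.public_key().public_numbers()
```

The password check is the weak point when the export is made with "No" in step 3 above: the configuration name then protects the private key, and anyone who knows the project's naming can open the container.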
NOTICE
Restriction in VLAN operation
NO VLAN tagging is transferred within a VPN tunnel set up with SCALANCE S.
Reason: The VLAN tags are lost in unicast packets when they pass through the
SCALANCE S because IPsec is used to transfer the IP packets. Only IP packets (not
Ethernet packets) are transferred through an IPsec tunnel and the VLAN tags are
therefore lost.
As default, broadcast or multicast packets cannot be transferred with IPsec. With
SCALANCE S, IP broadcast packets are "packaged" and transferred just like MAC
packets in UDP including the Ethernet header. With these packets, the VLAN tagging is
therefore retained.
6.2 Groups
Configuring properties
Just as when configuring modules, the two selectable operating views in the Security
Configuration Tool have an effect on configuring groups:
(View ▶ Advanced Mode menu command)
● Standard mode
In standard mode, you retain the defaults set by the system. Even if you are not an IT
expert, you can nevertheless configure IPsec tunnels and operate secure data
communication in your internal networks.
● Advanced mode
The advanced mode provides you with options for setting specific configurations for
tunnel communication.
Note
Setting parameters for MD 740 / MD 741 or other VPN clients
To set the parameter for MD 740 / MD 741 or other VPN clients, you configure VPN
properties for the specific modules in advanced mode.
NOTICE
Module types
You can configure the following module types in groups with the Security Configuration Tool:
● SCALANCE S612
● SCALANCE S613
● SOFTNET Security Client
● MD 74x (stands for MD740-1 or MD741-1)
Group properties
The following properties apply in standard mode:
● All parameters of the IPsec tunnel and the authentication are preset.
You can display the set default values in the properties dialog for the group.
● The learning mode is active for all modules.
Note
If you switch to the advanced mode for the current project, you can no longer switch back,
unless you exit the project without saving and then open it again.
Group properties
The following group properties can be set in the "advanced mode" operating view:
● Authentication method
● IKE settings (dialog area: Advanced Settings Phase 1)
● IPsec settings (dialog area: Advanced Settings Phase 2)
NOTICE
If you do not make or modify any settings, the defaults of standard mode apply.
Table 6-2 IKE protocol parameters (parameter group "Advanced Settings Phase 1" in the dialog)
Table 6-3 IPsec protocol parameters (parameter group "Advanced Settings Phase 2" in the dialog)
Advantage
Existing SCALANCE S modules that have already been commissioned do not need to be
reconfigured and downloaded. There is no effect on or interruption of active communication.
NOTICE
The settings of the parameters for a SOFTNET Security Client configuration must match
the default proposals of the SCALANCE S modules. Since a SOFTNET Security Client is
usually mobile and obtains its IP address dynamically, the SCALANCE S can only allow a
connection using these default proposals.
Please make sure that your Phase 1 settings match one of the three following proposals to
be able to establish a tunnel with a SCALANCE S.
If you use other settings in the Security Configuration Tool, when you try to export the
configuration, the consistency check cuts in and you cannot export your configuration for
the SOFTNET Security Client until you have adapted the settings accordingly.
Note
You can only select the "VPN" tab when the module you are configuring is in a VPN group.
Mode: Start connection to remote VPN gateway (standard)
Meaning: If this option is selected, the module is "active", in other words, it attempts to
establish the connection to the partner.
This option is recommended when you obtain a dynamic IP address from your provider for
the gateway of the SCALANCE S module you are configuring.
The partner is addressed over its configured WAN IP address or its external module IP
address.
Mode: Wait for connection from remote VPN gateway
Meaning: If this option is selected, the module is "passive", in other words, it waits for the
partner to establish the connection.
This option is recommended when you obtain a static IP address from your provider for the
gateway of the module you are configuring. With this setting, only the partner attempts to
establish the connection.
NOTICE
Make sure that you do not set all the modules in a VPN group to "Wait for connection from
remote VPN gateway" otherwise a connection will never be established.
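Both rules above (a SOFTNET Security Client's Phase 1 settings must match one of the module default proposals, and not every module in a group may be set to "Wait for connection") are the kind of consistency check the Security Configuration Tool performs before export. The Go program below is an added example written for this page, not the tool's own code. The three entries in DefaultProposals are constructed placeholders standing in for the three SCALANCE S default proposals of Table 6-2, whose actual values are not reproduced on this page; the algorithm names follow this manual's glossary (AES, DES3, MD5, SHA1, Diffie-Hellman groups).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Phase1Proposal holds the IKE (Phase 1) parameters that both tunnel ends must agree on.
type Phase1Proposal struct {
	Encryption string // e.g. "AES-128", "DES3" (names as in the glossary of this manual)
	Integrity  string // e.g. "SHA1", "MD5"
	DHGroup    int    // Diffie-Hellman group number
}

// ConnMode mirrors the "VPN" tab setting of a SCALANCE S / MD 74x module.
type ConnMode int

const (
	StartConnection   ConnMode = iota // "active": the module attempts to establish the tunnel
	WaitForConnection                 // "passive": the module waits for the partner
)

// Module is one member of a VPN group.
type Module struct {
	Name   string
	Kind   string   // "S612", "S613", "MD74x" or "SSC" (SOFTNET Security Client)
	Mode   ConnMode // ignored for "SSC": the client always initiates toward the modules
	Phase1 Phase1Proposal
}

// DefaultProposals stands in for the SCALANCE S default Phase 1 proposals (Table 6-2).
// The values are constructed placeholders, not Siemens' real defaults.
var DefaultProposals = []Phase1Proposal{
	{"AES-128", "SHA1", 2},
	{"DES3", "SHA1", 2},
	{"DES3", "MD5", 1},
}

func proposalsEqual(a, b Phase1Proposal) bool {
	return strings.EqualFold(a.Encryption, b.Encryption) &&
		strings.EqualFold(a.Integrity, b.Integrity) && a.DHGroup == b.DHGroup
}

// CheckGroup reproduces two consistency checks described in the manual for one VPN group:
//  1. a SOFTNET Security Client's Phase 1 settings must match one of the module defaults,
//     otherwise export of its configuration is refused;
//  2. if the group has several gateway modules, at least one must "Start connection",
//     otherwise the tunnel between them is never established.
// It returns one error per finding; an empty result means the group is consistent.
func CheckGroup(members []Module, allowed []Phase1Proposal) []error {
	var findings []error
	gateways, active := 0, 0
	for _, m := range members {
		if m.Kind == "SSC" {
			ok := false
			for _, p := range allowed {
				if proposalsEqual(m.Phase1, p) {
					ok = true
					break
				}
			}
			if !ok {
				findings = append(findings, fmt.Errorf(
					"%s: Phase 1 %s/%s/DH%d matches none of the default proposals; export would be blocked",
					m.Name, m.Phase1.Encryption, m.Phase1.Integrity, m.Phase1.DHGroup))
			}
			continue
		}
		gateways++
		if m.Mode == StartConnection {
			active++
		}
	}
	if gateways > 1 && active == 0 {
		findings = append(findings, errors.New(
			"every module waits for its partner; no module starts the connection, so no tunnel will be established"))
	}
	return findings
}

func main() {
	// Constructed group: two passive gateways and a client with a non-default proposal.
	group := []Module{
		{Name: "S612-Plant", Kind: "S612", Mode: WaitForConnection, Phase1: DefaultProposals[0]},
		{Name: "S613-Office", Kind: "S613", Mode: WaitForConnection, Phase1: DefaultProposals[0]},
		{Name: "SSC-Laptop", Kind: "SSC", Phase1: Phase1Proposal{"AES-256", "SHA1", 14}},
	}
	for _, f := range CheckGroup(group, DefaultProposals) {
		fmt.Println("consistency check:", f)
	}
}
```

The "all modules wait" finding is only raised when the group contains more than one gateway module: a single SCALANCE S with a SOFTNET Security Client is fine in wait mode, because the client is the side that initiates.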
WAN IP address - IP addresses of the modules and gateways in a VPN over Internet
When operating a VPN with IPsec tunnel over the Internet, additional IP addresses are
generally required for the Internet gateways such as DSL routers. The individual SCALANCE
S modules or MD 740-1 / MD 741-1 modules must know the external IP addresses of the
partner modules in the VPN.
Note
If you use a DSL router as Internet gateway, the following ports (at least) must be opened on
it:
• Port 500 (ISAKMP)
• Port 4500 (NAT-T)
For configuration downloads (via the WAN without active tunnel), port 443 (HTTPS) must
also be open.
To allow this, when you configure the module, you have the option of assigning this external
IP address as a "WAN IP address". When you download the module configuration, the
modules are then informed of these WAN IP addresses of the partner modules.
If no WAN IP address is assigned, the external IP address of the module is used.
The following schematic illustrates the relationship between the IP addresses.
[Figure: relationship between the IP addresses. Labels: External, Internal, WAN, Internet Gateway, LAN, GPRS Internet Gateway, SCALANCE S, MD]
Requirements
The following nodes are detected:
● Network nodes with IP capability
Network nodes with IP capability are found when they send an ICMP response to the
ICMP subnet broadcast.
IP nodes downstream from routers can be found if the routers pass on ICMP broadcasts.
● ISO network nodes
Network nodes without IP capability but that can be addressed over ISO protocols can
also be learnt.
This is only possible if they reply to XID or TEST packets. TEST and XID (Exchange
Identification) are auxiliary protocols for exchanging information on layer 2. By sending
these packets with a broadcast address, these network nodes can be located.
● PROFINET nodes
Using DCP (Discovery and basic Configuration Protocol), it is possible to find PROFINET
nodes.
Network nodes that do not meet these conditions must be configured.
Subnets
Subnets located downstream from internal routers must also be configured.
Note: In the learning mode, all nodes in the internal network are detected. The information
relating to numbers of stations etc. in the VPN relates only to nodes that communicate over
VPN in the internal network.
NOTICE
If more than 64 (with SCALANCE S613) or 32 (with SCALANCE S612) internal nodes are
being operated, the permitted configuration limits are exceeded and an illegal operating
state is generated. Due to the dynamics in the network traffic, this causes internal nodes
that have already been learned to be replaced by new previously unknown internal nodes.
Dialog / tab
You can open the dialog in which you configure the nodes as follows:
● With a module selected, with the menu command
Edit ▶ Properties..., "Nodes" tab.
Here, in the various tabs, enter the required address parameters for all network nodes to be
protected by the selected SCALANCE S module.
Further information
You will also find detailed information on the dialogs and parameter settings in the online
help of the SOFTNET Security Client.
You can call this with the F1 key or using the "Help" button in the relevant dialog.
See also
Secure communication in the VPN over an IPSec tunnel (S612/S613) (Page 177)
[Figure: production control computer, workstation computer, export of the configuration for SOFTNET Security Client via portable media, SOFTNET Security Client, IE/PB Link, OP]
NOTICE
Please note that only IP-based communication between the SOFTNET Security Client and
SCALANCE S is possible over the IPsec tunnel.
Operation
The SOFTNET Security Client PC software has a straightforward user interface for
configuration of the security properties required for communication with devices protected by
SCALANCE S. Following configuration, the SOFTNET Security Client runs in the
background - visible as an icon in the SYSTRAY on your PG/PC.
SCALANCE S and SOFTNET Security Client
202 Operating Instructions, 07/2011, C79000-G8976-C196-08
SOFTNET Security Client (S612/S613)
7.1 Using the SOFTNET Security Client
You can open the online help with the "Help" button or the F1 key.
NOTICE
On a Windows system, the IP security policies are stored separately for specific users. Only
one IP security policy can ever be valid at one time for a user.
If you do not want an existing IP security policy to be overwritten by installing the SOFTNET
Security Client, you should install and use the SOFTNET Security Client under a user
specifically set up for it.
Environment
The SOFTNET Security Client is designed for use with the Windows XP SP2 and SP3 (not
"Home Edition") operating systems and Windows 7 (not "Home Edition").
Response to problems
If problems occur on your PG/PC, SOFTNET Security Client reacts as follows:
● Established security policies are retained when you turn your PG/PC off and on again;
● Messages are displayed if a configuration is not found.
Startup behavior
With a maximum configuration and depending on the system, the SOFTNET Security Client
can require up to 15 minutes to load the security rules. The CPU of the PG/PC is at 100%
usage during this time.
NOTICE
Please refer to the information on the parameters in Section 6.4, subsection "Compatible
settings for SOFTNET Security Client".
Note
If you create several SOFTNET Security Clients within a group, no tunnels are set up
between these clients but only from the relevant client to the SCALANCE S modules!
[Figure: workstation computer, export of the configuration for SOFTNET Security Client via data medium, SOFTNET Security Client]
Procedure
Follow the steps below in the Security Configuration Tool to create the configuration files:
1. First, create a module of the type SOFTNET Security Client in your project.
2. Assign the module to the module groups in which the PC/PG will communicate over
IPsec tunnels.
3. Select the required SOFTNET Security Client with the right mouse button and then select
the following menu command:
Transfer ▶ To Module...
4. In the dialog that appears, select the storage location for the configuration file.
5. If you selected certificate as the authentication method, in the next step you will be prompted
to specify a password for the certificate of the VPN configuration. Here, you have the
option of assigning your own password. If you do not assign a password, the project
name is used as the password.
As usual, the password you enter must be repeated.
This completes export of the configuration files.
6. Apply the files of the type *.dat, *.p12, *.cer on the PC/PG on which you want to operate
the SOFTNET Security Client.
Configurable properties
You can use the following individual services:
● Setting up secure IPsec tunnel communication (VPN) between the PC/PG and all
SCALANCE S modules of a project or individual SCALANCE S modules. The PC/PG can
access the internal nodes over this IPsec tunnel.
● Enable and disable existing secure connections;
● Set up connections when end devices are added later; (only possible when the learning
mode is activated)
● Check a configuration; in other words, which connections are set up or possible.
Button: Load Configuration Data
Meaning: Import the configuration.
You open a file dialog in which you select the configuration file.
After closing the dialog, the configuration is loaded and you are asked to assign a password
for each configuration file.
In the dialog, you are asked whether you want to set up the tunnels for all SCALANCE S
modules immediately. If IP addresses of SCALANCE S modules are entered in the
configuration or if the learning mode is active, the tunnels for all configured or detected
addresses are set up.
This procedure is fast and efficient particularly with small configurations.
As an option, you can set up all tunnels in the "Tunnel overview" dialog.
Note: You can import the configuration files from several projects created in the Security
Configuration Tool one after the other (see also the explanation of the procedure below).
Button: Tunnel Overview
Meaning: Dialog for setting up and editing tunnels.
This is the dialog in which you actually configure the SOFTNET Security Client.
In this dialog, you will find a list of the existing secure tunnels.
You can display and check the IP addresses for the SCALANCE S modules.
If you have more than one network adapter on your PG/PC, the SOFTNET Security Client
automatically selects one via which an attempt is made to set up a tunnel. In some cases,
the SOFTNET Security Client does not find an adapter to suit your node and enters any
one of the adapters. In this case, you will need to adapt the network adapter setting
manually in the context menu of the nodes and SCALANCE S modules in the "Network
Adapters" dialog.
Button: Disable
Meaning: Disable all secure tunnels.
Use case: If you change the configuration of a SCALANCE S612 / S613 module and download
it again, you should disable the tunnel to the SOFTNET Security Client. This speeds up the
reestablishment of the tunnel.
Button: Minimize
Meaning: The user interface of the SOFTNET Security Client is closed.
The icon for the SOFTNET Security Client remains in the Windows taskbar.
Button: Quit
Meaning: Quit configuration; SOFTNET Security Client is closed; all tunnels are deactivated.
Button: Help
Meaning: Open online help.
Button: Info
Meaning: Information on the version of the SOFTNET Security Client.
Details: List of all the files required for the SOFTNET Security Client to function with
feedback as to whether these could be found on the system.
5. Now decide whether or not to enable the tunnel connections for the nodes included in the
configuration (statically configured nodes).
If you do not enable the tunnel connections here, you can do this at any time in the tunnel
dialog described below.
If you have decided to enable the tunnel connections, the tunnel connections between the
SOFTNET Security Client and the SCALANCE S modules are now established.
This can take several seconds.
7. If you now recognize that required nodes or members are not displayed in the table,
follow the steps outlined below:
Open the command prompt and send a PING command to the required node.
As a result of the ping, the SCALANCE S detects the node and passes this information
on to SOFTNET Security Client.
Note:
If the dialog is not open while a node is detected, the dialog is displayed automatically.
Note
Statically configured nodes and subnets
If you configure nodes or subnets statically when using the SCALANCE S612 / S613, you
will also need to download the configuration for a SOFTNET Security Client used in the
VPN.
8. Activate the nodes for which the status display indicates that no tunnel connection has
yet been established.
Once the connection has been established, you can start your application - for example
STEP 7 - and establish a communication connection to one of the nodes.
NOTICE
If you have more than one network adapter on your PG/PC, the SOFTNET Security
Client automatically selects one via which an attempt is made to set up a tunnel. In
some cases, the SOFTNET Security Client does not find an adapter to suit your project
and enters any one of the adapters. In this case, you will need to adapt the network
adapter setting manually using the context menu of the nodes and SCALANCE S
modules.
Symbol Meaning
There is no connection to the module or node.
There are more nodes to be displayed. Double-click on the symbol to display further
nodes.
The node cannot be activated.
Symbol Meaning
Disabled SCALANCE S module.
NOTICE
If several IP addresses are used for a network adapter, you may need to assign the IP
address you want to use in the "Tunnel" dialog for each individual entry.
Logging Console
The Logging Console is in the lower part of the "Tunnel Overview" dialog and supplies
diagnostics information on the connection establishment with the configured SCALANCE S /
MD741-1 modules and internal nodes / subnets.
The times of relevant events can be recorded with a date and time stamp.
The establishment and termination of a security association is shown. The result of a test
ping (reachability test) to the configured nodes is displayed if the result is negative.
You can configure what is displayed in the "Settings" dialog.
"Clear" button
If you click this, you delete the entries from the logging console of the tunnel overview.
Further information
For detailed information on the dialogs and the parameters recorded in diagnostics and
logging, please refer to the online help of the Security Configuration Tool.
You can call this with the F1 key or using the "Help" button in the relevant dialog.
See also
Overview of the functions in the online dialog (Page 222)
Warning if the configuration is not up-to-date or the wrong project has been selected
When you open the online dialog, the program checks whether the current configuration on
the SCALANCE S module matches the configuration of the loaded project. If there are
differences between the two configurations, a warning is displayed. This signals that you
have either not yet updated the configuration or have selected the wrong project.
Overview
You can record events on the SCALANCE S. Depending on the event type, they are stored
in volatile or non-volatile buffers. As an alternative, you can also record on a network server.
Note
Firewall - Syslog server not active in the external network
If the Syslog server is not enabled on the addressed computer, this computer generally
returns ICMP responses "port not reachable". If these reply packets are logged due to the
firewall configuration and sent to the Syslog server, the procedure can become never ending
(storm of events).
Remedies:
• Start the Syslog server;
• Change the firewall rules;
• Take the computer with the disabled Syslog server out of the network;
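The feedback loop in the note (a logged event is sent to the Syslog server, the server answers with ICMP "port unreachable", that reply is logged and sent to the server again) leaves a recognisable pattern in the log: a burst of ICMP type 3, code 3 replies whose source is the Syslog server itself. The Go program below is an added example, not part of the manual or of the SCALANCE S software; it parses a constructed log in a format invented for this example (not the SCALANCE S log format) and flags the storm when the replies exceed a threshold within a time window. The addresses, ports and timestamps are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// SampleLog is constructed for this example and is not the SCALANCE S log format. Each line:
//   <RFC3339 time> <action> <proto> <src> -> <dst> [key=value ...]
// It shows one original event followed by the loop: every forwarded log record (UDP 514) is
// answered by the Syslog server with ICMP port unreachable, which is logged and forwarded again.
func SampleLog() []string {
	t0 := time.Date(2011, 7, 1, 10, 0, 0, 0, time.UTC)
	lines := []string{t0.Format(time.RFC3339) + " DROP TCP 10.0.0.7 -> 192.168.9.1 dport=23"}
	for i := 0; i < 12; i++ {
		ts := t0.Add(time.Duration(i) * 200 * time.Millisecond).Format(time.RFC3339)
		lines = append(lines,
			ts+" ALLOW UDP 192.168.9.1 -> 192.168.9.200 dport=514",      // record sent to Syslog
			ts+" DROP ICMP 192.168.9.200 -> 192.168.9.1 type=3 code=3") // server's reply, logged
	}
	return lines
}

// Event is one parsed log line. ICMPType/ICMPCode are -1 when the line carries none.
type Event struct {
	When               time.Time
	Action, Proto      string
	Src, Dst           string
	ICMPType, ICMPCode int
}

// ParseLine parses the constructed format above; unknown key=value pairs are ignored.
func ParseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) < 6 || f[4] != "->" {
		return Event{}, fmt.Errorf("unparsable line: %q", line)
	}
	when, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{When: when, Action: f[1], Proto: f[2], Src: f[3], Dst: f[5], ICMPType: -1, ICMPCode: -1}
	for _, kv := range f[6:] {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			continue
		}
		n, err := strconv.Atoi(parts[1])
		if err != nil {
			continue
		}
		switch parts[0] {
		case "type":
			ev.ICMPType = n
		case "code":
			ev.ICMPCode = n
		}
	}
	return ev, nil
}

// DetectSyslogLoop counts ICMP "port unreachable" (type 3, code 3) replies whose source is the
// Syslog server. If at least threshold of them fall within window, the firewall is very likely
// logging the server's own rejections back to it: the "storm of events" of the note.
func DetectSyslogLoop(lines []string, syslogServer string, window time.Duration, threshold int) (matches int, storm bool, err error) {
	var recent []time.Time // timestamps of matching replies inside the sliding window
	for _, line := range lines {
		ev, err := ParseLine(line)
		if err != nil {
			return matches, storm, err
		}
		if ev.Proto != "ICMP" || ev.Src != syslogServer || ev.ICMPType != 3 || ev.ICMPCode != 3 {
			continue
		}
		matches++
		recent = append(recent, ev.When)
		for len(recent) > 0 && ev.When.Sub(recent[0]) > window {
			recent = recent[1:]
		}
		if len(recent) >= threshold {
			storm = true
		}
	}
	return matches, storm, nil
}

func main() {
	n, storm, err := DetectSyslogLoop(SampleLog(), "192.168.9.200", 5*time.Second, 10)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d port-unreachable replies from the Syslog server; storm=%v\n", n, storm)
}
```

Once the pattern is confirmed, the remedies listed in the note apply; of the three, changing the firewall rules so that replies from the Syslog server are not themselves logged removes the loop without taking any machine off the network.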
NOTICE
The C-PLUG may only be inserted or removed when the power is off!
Key compromised
If a private key from the configuration data of the SCALANCE S module is compromised, the
key must be changed using the configuration tool of the SCALANCE S module.
EMC directive
89/336/EEC "Electromagnetic Compatibility"
Area of application
The product is designed for use in an industrial environment:
Installation guidelines
The product meets the requirements if you keep to the installation instructions and safety-
related notices as described here and in the manual "SIMATIC NET Industrial Ethernet
Twisted Pair and Fiber Optic Networks" /1/ when installing and operating the device.
Conformity certificates
The EC Declaration of Conformity is available for the responsible authorities according to the
above-mentioned EC Directive at the following address:
Siemens Aktiengesellschaft
Bereich Automatisierungs- und Antriebstechnik
Industrielle Kommunikation (A&D SC IC)
Postfach 4848
D-90327 Nürnberg
/2/
The GPRS/GSM Modem SINAUT MD740-1 system manual is available at:
http://support.automation.siemens.com/WW/view/de/23940893
AAA
AAA is an acronym for a security concept and stands for Authentication, Authorization and
Accounting.
AES
Advanced Encryption Standard
A symmetrical block cipher. It can be selected with SCALANCE S to encrypt data.
ARP
Address Resolution Protocol
A protocol used for address resolution. Its task is to find the corresponding network hardware
address (MAC address) for a given protocol address. An ARP protocol implementation is
often found on hosts on which the Internet protocol family is used. IP forms a virtual network
on the basis of IP addresses. These must be mapped to the given hardware addresses
when the data is transported. To achieve this mapping, the ARP protocol is often used.
Bandwidth
Maximum throughput of a connecting cable (normally specified in bps).
BDC
Backup Domain Controller
The backup domain controllers have a backup copy of the user and logon data that is
updated at regular intervals.
BRI
Basic Rate Interface
Standard network connection to ISDN.
CA
Certification Authority
Certification authority for authentication and encryption and decryption of confidential data
transmitted via the Internet and other networks, for example by issuing and signing digital
certificates.
CA certificate
A certificate authority (CA) is an organization that issues digital certificates. For
communication in computer networks, a digital certificate is the equivalent of an identity card.
A certificate authority issues certificates to network users and attests them.
With SCALANCE S, a CA certificate is generated for each group. The group issues
certificates to the group members and attests them with the group certificate (group
certificate = CA certificate).
CHAP
Challenge Handshake Authentication Protocol
Authentication protocol used within the framework of the Point-to-Point Protocol (PPP). PPP
is located at the data link layer in the Internet protocol family.
Client
A client is a device, or more generally an object, that requests a -> server to provide a
service.
CTRL
The control field (CTRL) contains control information for the LLC protocol. Logical Link
Control (LLC) is the name of a network protocol standardized by the IEEE. It is a protocol
mainly intended for data reliability in the data link layer and therefore belongs to layer 2 of
the OSI model.
DCP
Discovery and basic Configuration Protocol
A protocol that is suitable for obtaining address parameters from PROFINET components.
DES
Data Encryption Standard
A symmetrical encryption algorithm
DES3
Data Encryption Standard
A symmetrical encryption scheme; in other words the same key is used to encode and
decode the data. DES3 means that the algorithm is used three times to increase security.
DHCP
Dynamic Host Configuration Protocol
You can operate SCALANCE S on the internal network as a DHCP server. This allows IP
addresses to be assigned automatically to the devices connected to the internal network.
The IP addresses are assigned either dynamically from an address band you have specified
or you can select a specific IP address for a particular device.
Diffie-Hellman groups
Selectable cryptographic algorithms in the Oakley key determination protocol
DMZ
Demilitarized Zone
Computer network with security controlled access options to the connected servers.
ESP
Encapsulating Security Payload
The ESP protocol provides authenticity, integrity and confidentiality of the transferred data.
With ESP, it is also possible to have only the authenticity of data checked or to have only the
data encrypted. With SCALANCE S, ESP is always used with authentication check and
encryption.
HTTPS
Secure Hypertext Transfer Protocol or HyperText Transfer Protocol Secured Socket Layer
(SSL)
Protocol for transmission of encrypted data. Expansion of HTTP for secure transmission of
confidential data with the aid of SSL.
ICMP
Internet Control Message Protocol
is an auxiliary protocol of the IP protocol family and is based on the IP protocol. It is used to
exchange information and error messages.
Identity protection
The difference between main and aggressive mode is the "identity protection" used in main
mode. The identity is transferred encrypted in main mode but not in aggressive mode.
IKE
Internet Key Exchange
Protocol for automatic key management for IPsec. IKE works in two phases. In the first
phase, the two nodes requiring secure communication identify themselves. Authentication is
achieved either using certificates or using pre shared keys. In the second phase, the keys for
data communication are exchanged and the encryption algorithms selected.
IP subnet ID
Network ID of the subnet: Based on the network ID, the router recognizes whether a target
address is inside or outside the subnet.
IP traffic
Term for communication in computer networks using the IP protocol as the network protocol.
ISAKMP
Internet Security Association and Key Management Protocol
Protocol for establishing Security Associations (SA) and exchange of cryptographic keys on
the Internet.
ISP
Internet Service Provider
Provider of Internet services
L2F
Layer 2 Forwarding
Network protocol (similar to PPTP) that supports various protocols and multiple independent
tunnels.
L2TP
Layer 2 Tunneling Protocol
Network protocol that tunnels frames of protocols of the data link layer (layer 2) of the OSI
model between two networks via the Internet to establish a virtual private network (VPN).
Logging
Events can be recorded. They are recorded in logs (log files). Even during configuration, you
can specify which data will be recorded and whether the recording is activated when the
configuration is loaded.
MAC protocol
Controls access to a transmission medium
MD
Message Digest
Name of a group of cryptographic protocols.
MD5
Message Digest Version 5
A widely used cryptographic hash function. MD5 is used by numerous security applications
to verify the integrity of data. With SCALANCE S, MD5 can be selected to check the integrity
of the data transmitted in a tunnel.
NAPT
Network Address Port Translation
A procedure with which an IP address is replaced on the router by another address and the
port number by another port number.
NAT
Network Address Translation
A routine with which an IP address in a message is replaced on the router by another.
NAT traversal
Is a method with which IPsec data can traverse NAT devices.
NAT/NAPT router
With this technique, you can avoid addresses of nodes in the internal subnet becoming known
in the external network. They are visible in the external network only over the external IP
addresses defined in the translation list.
One-shot buffer
Recording stops when the buffer is full.
OUI
Organizationally Unique Identifier
24-bit number issued by the IEEE Registration Authority to companies. Companies use the
OUI for various hardware products among other things as the first 24 bits of the MAC
address.
PAP
Password Authentication Protocol
Password authentication protocol
PEM
Privacy Enhanced Mail
is a standard for the encryption of e-mails on the Internet
PGP
Pretty Good Privacy
is a program for encryption and for adding a signature to data.
Ping
A test protocol belonging to the IP protocol family. This protocol exists on every MS Windows
computer under the same name as a console application (command prompt level). With
"Ping", you can prompt a reply (sign of life) from an IP network node within a network as long
as you know its IP address. You can find out whether this network node can be reached at
the IP level and therefore check the effectiveness of the configured SCALANCE S
functionality.
PKCS
Public Key Cryptography Standards
are specifications for cryptographic keys developed by RSA Security and others. A certificate
links data of a cryptographic key (or key pair consisting of a public and private key) with data
of the owner and a certification issuer.
PKCS#12 format
The standard specifies a PKCS format suitable for exchange of the public key and an
additional password-protected private key.
PKI
Public Key Infrastructure
In cryptology, this describes a system that allows digital certificates to be issued, distributed
and checked. The certificates issued within a PKI are used for the security of computer-
supported communication.
PoP
Point of Presence
Dial-in node of an Internet provider
PPP
Point-to-Point Protocol
PPTP
Point-to-Point Tunneling Protocol
is a protocol for establishing a Virtual Private Network (VPN). It allows tunneling of PPP
through an IP network.
Preshared keys
Designates a symmetric key method. The key must be known at both ends prior to
communication. This key is also generated automatically when a group is created. However,
you must first enter a password in the "Key" box in the Security Configuration Tool "Group
Properties" dialog from which the key is generated.
PST (tool)
Primary Setup Tool
With the Primary Setup Tool (PST), you can assign an address (for example an IP address)
to SIMATIC NET network components, SIMATIC NET Ethernet CPs and gateways.
PSTN
Public Switched Telephone Network
Public communications system for voice traffic between remote subscribers.
RAS
Remote Access Service
With the Remote Access Service, you have the option of connecting clients via a modem,
ISDN, or X.25 connection to the local area network. Not only different clients are supported
but there is also great flexibility in the selection and possible combinations of the network
protocols used.
RSA
Rivest, Shamir & Adleman Algorithm
is an asymmetrical cryptography system that can be used both for encryption and for digital
signatures. It uses a pair of keys consisting of a private key that is used to decode or sign
data and a public key for encryption and checking signatures. The private key is kept secret
and cannot be calculated from the public key or at least not without considerable effort.
Server
A server is a device, or more generally an object, that can provide certain services; the
service is provided when requested by a -> client.
Services
Services provided by a communication protocol.
SHA1
Secure Hash Algorithm 1
A widely used cryptographic hash function. With SCALANCE S, SHA1 can be selected to
check the integrity of the data transmitted in a tunnel.
SIMATIC NET
Siemens SIMATIC Network and Communication. Product name for networks and network
components from Siemens. (previously SINEC)
SNAP
Subnetwork Access Protocol
Mechanism for multiplexing protocols in networks that use IEEE 802.2 LLC.
SOHO
Small Office, Home Office
SSL certificate
SSL certificates are used for authentication of communication between
PG/PC and SCALANCE S when downloading the configuration and when logging.
SSL connection
The SSL protocol is located between the TCP (OSI layer 4) and the transmission services
(such as HTTP, FTP, IMAP etc.) and is used for a secure transaction. With SSL, the user is
sure that it is connected to the required server (authentication) and that the sensitive data is
transferred over a secure (encrypted) connection.
SSN = DMZ
Secure Server Net = Demilitarized Zone
Syslog
A service on a server (Syslog-Server) that receives system messages and, for example,
records them in log files.
TACACS
Terminal Access Controller Access Control System; the Terminal Access Controller Access
Control System (TACACS) is an AAA protocol. It is used for client-server communication
between AAA servers and a Network Access Server (NAS). TACACS servers provide a
central authentication instance for remote users that want to establish an IP connection to an
NAS.
Tunnel
A tunnel or tunneling means the use of the communications protocol of a network service as
a vehicle for data that does not belong to this service.
VLAN identifier
An Ethernet packet has a VLAN identifier if a field in the Ethernet packet header (EtherType)
has a certain value. In this case, the Ethernet packet header contains information on the
virtual LAN and possibly also a packet priority.
A
AC voltage, 18
Access protection, 14
Address conversion, 164
Address parameters, 133
Administrator privileges, 38
Advanced mode, 108, 231
Approvals, 15
Approvals, see Standards, Approvals, 24
ATEX, 27
Authentication
  User, 118
Authentication method, 180, 185
Autocrossover, 18
Autonegotiation, 18
B
Basic rules for firewall, 32
Broadcast, 180
C
Cable lengths, 23
CD, 17, 109
Certificate, 180
Check Consistency, 174
  Local, 120
  Project wide, 120
Commissioning, 31
Components of the product, 17
Configuration
  Initial, 31
  Loading, 31
Configuring offline, 31
Connectors, 23
C-PLUG, 14, 35
  Empty, 36
  Removing, 37
  Reset, 37
C-PLUG slot, 35
D
Data espionage, 9, 12
Data manipulation, 9
DCP (Primary Setup Tool), 158
Dead peer detection (DPD), 191
Default Router, 134
Default setting, 20
Degree of protection, 15
DHCP
  Symbolic names, 121
DHCP server, 132
  Configuration, 172
DIN rail, 15, 25, 28
Displays, 22
  Fault display, 22
Downloading, 124
E
Electrical data, 23
Encryption, 108, 117
Environmental conditions / EMC, 23
ESP protocol, 140
Ethernet cable
  Crossover, 18
Exchangeable memory medium
  C-PLUG, 14
External nodes, 12, 14
F
Factory defaults, 32
Fault LED (F), 22
Firewall, 11, 13, 136
  Default, 139
Firewall rules, 130
  Predefined rules, 137
  Symbolic names, 121
Firewall for Ethernet non IP frames according to IEEE 802.3, 130
Firewall rule sets
  Global, 114
Firmware update, 37
L
Layer 2 frames, 11, 13
Learning capability, 13
Learning functionality, 11, 193
Learning mode, 194
Life of certificates, 182
Load distribution, 19
Local firewall rules, 130
Local PC clock, 160
Logging
  Event classes, 229
M
M32 screw cover, 35
O
Offline, 108
Online, 108
Order numbers, 24
Overview of the functions
  Device types, 16
P
Port status LEDs, 22
Ports, 125
Possible attachments, 17
Power LEDs (L1, L2), 22
Power supply, 15, 18
Preshared keys, 180
S
S7 standard rail, 31
Safety notices, 26
SCALANCE S CD, 109
SCALANCE S Security Module, 9
Security Configuration Tool, 14, 107
  Menu bar, 111
  Modes, 108
  Operating views, 108
Security settings, 203
Service group, 159
Service groups, 159
SiClock, 158
Signaling contact, 16, 19
SOFTNET Security Client, 9
  Database, 206
  Enable active learning, 216
  Environment, 203
  Load Configuration Data, 209
  Startup behavior, 204
  Uninstalling, 205
Software configuration limits, 23
SSL certificates, 162
Standard applications, 15
Standard mode, 108, 230
Standard rail, 25, 29
Standards, approvals, 24
  ATEX 95, 25
U
User
  Authorized, 108
  Setting up, 118
User management, 113, 118
V
VLAN operation, 180
VLAN tagging, 180
VPN, 11, 177
  Module-specific properties, 190
  SOFTNET Security Client, 201
VPN tunnel, 11, 13
W
Wall mounting, 25, 30
Windows 2000, 109
Windows XP / SP1 or SP2, 109