ConnectionBox Firmware version: 3.2-r0
Low cost cRSP connection solution
Cost savings and increased flexibility during parameterization and test phase because no external support from Healthcare (cRSP Helpdesk) is required
Easy parameterization through BACnet rerouting
Support of additional protocols with the Siemens SSL VPN Gateway
Can be configured with one or two network adapters (as external or internal router)
Vendor independent remote access to BACnet and Non-BACnet devices
ConnectionBox 3.2-r0 User Manual
1. Document History

Version | Date | Description | Author
001 | November 12 | First Draft | deZem
002 | November 12 | Updated with FW V1.2 | Siemens
003 | December 12 | Updated with additional information | deZem
004 | June 13 | Updated BACnet | Siemens
005 | October 13 | Update network interfaces, add Change User Credentials | deZem
006 | November 13 | Update | Siemens
007 | February 14 | Adding cRSP Gateway Status | deZem
008 | February 14 | Adding pictures and workaround Siemens Win7 client, Log description | Siemens
0085 | June 14 | Update with FW V3.2 | Siemens
Table of Contents

1. Document History
Table of Contents
1. Introduction
   1.1 Workflow Checklist
   1.2 Commissioning checklist
   1.3 General limitations & precautions
2. Mechanical installation
3. Electrical connection
   3.1 Power
   3.2 IP LAN connector
   3.3 USB connectors / USB IP adapter (optional)
   3.4 DIP switch
   3.5 Reset button
   3.6 Status indication
4. Software configuration
   4.1 Web Browser overview
   4.2 Initial Connection
   4.3 ConnectionBox access security
5. Configuration – Basic Setup
   5.1 Network
       5.1.1 One network adapter
       5.1.2 Two network adapters
   5.2 Proxy Settings
   5.3 Date/Time settings
   5.4 NTP server settings
6. EMC Setup
7. VPN Settings
   7.1 Registration of the Client
   7.2 Status
   7.3 Proxy Server Settings
   7.4 Advanced settings
   7.5 De-registration of the Client
8. cRSP Gateway (SSL VPN Gateway)
9. BACnet Settings
   9.1 BACnet Port Settings
   9.2 WAN Port Settings
10. Administration
   10.1 Firmware update
   10.2 Backup and Restore
   10.3 User credentials
11. Diagnostics
   11.1 Log files
12. Network configuration for Siemens clients
   12.1 Windows 7
13. Support
14. Appendix A
15. Appendix B
   15.1 Application example: SSL-VPN Client and BACstack with Desigo PX
16. Appendix B
   16.1 Application example: SSL-VPN Client and SSL-VPN Gateway with Sinteso FS20
17. Appendix C
   17.1 ConnectionBox Checklist

1. Introduction
The purpose of the ConnectionBox is to provide a secure connection from any local system via the Siemens common Remote Service Platform (cRSP) to any remote device (BACnet and Non-BACnet) using the Energy Monitoring platform EMC (new name Advantage™ Navigator) or cRSP Customer Web Portal. Using the Siemens SSL VPN Client and Siemens BT BACnet Stack, the ConnectionBox allows local Desigo and 3rd party controllers to be monitored and configured remotely via BACnet (e.g. XWORKS Plus) over a secure connection. In parallel it also supports Non-BACnet protocols (e.g. Sinteso works) by using the Siemens SSL VPN Gateway functionality.
The ConnectionBox can be configured with either the devices in the same IP segment as the internet access (1-Port Solution) or with an additional network adapter and the devices in a separate IP segment (2-Port Solution). Both configurations can be applied for BACnet as well as Non-BACnet devices by using the Siemens BACnet Stack and / or the SSL VPN Gateway feature.
[Figure: 2-Port Solution and 1-Port Solution. Labels in each diagram: Web-Configuration; Engineering Tools e.g. XWorks plus, FXS 2002; cRSP; SSLVPN BAC Stack; SSL VPN Gateway; Desigo PX; Sinteso FS20]
This manual describes how to configure the ConnectionBox.
1.1 Workflow Checklist
The table below highlights the workflow required to set up a ConnectionBox. The details of each step can be found later in the document. Please follow the menu points from top to bottom.
Workflow | Description | Chapter | Complete
Commissioning Checklist | Read through this workflow list and the commissioning checklist before beginning | 17.1 |
Commission Devices | The target devices must be installed and commissioned. Where possible read and save the values for comparison | |
Commission Network | The target network should be installed and tested. Testing can be completed with various tools, see the chapter at the end of this document | |
Install ConnectionBox | Mount and check connections, check and adjust DIP Switches; Power up the ConnectionBox, check the indication LEDs | 2, 3 |
Connect cross-over IP cable | Connect the ConnectionBox to a PC using a cross-over Ethernet Patch Cable | 3.2 |
Connect USB-LAN adapter (optional) | Connect the USB-LAN adapter to the ConnectionBox. Note the USB port used! Once the SSL-VPN client is installed it cannot be changed. | 3.3 |
Connect to ConnectionBox | Point internet browser to the address of the ConnectionBox | 4 |
Basic Setup configuration | Configure Network with 1 adapter; Configure Network with 2 adapters; Configure Proxy settings (optional); Configure Date/Time; Configure NTP Server | 5.1.1, 5.1.2, 5.2, 5.3, 5.4 |
EMC configuration (optional) | Configure the ConnectionBox to back up configuration to EMC (Advantage™ Navigator) | 6 |
VPN configuration | Configuration of the SSL VPN client; Register the SSL-VPN client with cRSP Access Server | 7 |
cRSP Gateway Configuration | Configuration of the SSL VPN Gateway; Used for remote access to FS20 and other Non-BACnet devices; Runs parallel to the BACnet routing | 8 |
BACnet Configuration | Configuration of the BACnet settings; Used for remote control of BACnet networks via XWORKS; Runs parallel to the SSL VPN gateway | 9 |
Administration | Configure firmware updates; Backup and restore configuration; Change user and password settings | 10 |
1.2 Commissioning checklist
The list below is an overview of the required components needed to commission the ConnectionBox. It does not include the tools needed to install the hardware.
12-40 V DC power supply
Ethernet Crosslink Cable or network with dynamic TCP/IP addressing (DHCP)
Ethernet Cables for BACnet connections
Web browser with JavaScript, HTML 4.01 and CSS 2.1 support
Supported browser: Internet Explorer 9 (IE8 not supported), Firefox or Chrome
Pop ups have to be enabled in your browser
Network configuration settings of the BACnet network
Internet access for VPN communication
If there is an Internet Proxy, proxy settings from the customer IT department
ConnectionBox manual
USB-LAN-Adapter (optional)
1.3 General limitations & precautions
This device is intended for accessing remote networks through a VPN directly from EMC/cRSP. No other usage scenarios are permitted.
Please note that the specifications in this document are subject to change. The most recent version is available on our “SWANWEB”: https://intranet.sbt.siemens.com/swanlink/default.php?tabcard=4b73a4b5&src=advantage_navigator/integrations/ConnectionBox or from Siemens BT Headquarters in Zug, CH (see below for contact information).
The terms TCP, TCP/IP, etc. all refer to IP version 4. IP version 6 is not supported.
The ConnectionBox may be used with one or two network interfaces. When only one network interface is used all network traffic goes through the internal network interface (RJ45 - IP LAN). If two network interfaces are used, the ConnectionBox’s internal Ethernet interface connects to the remote network. An internet connection can only be established through an additional USB-LAN-adapter which should be purchased with the ConnectionBox. Currently, the ConnectionBox only supports this adapter.
2. Mechanical installation
The device is wall and DIN-rail mountable. To mount the ConnectionBox on a DIN-Rail, two plastic brackets are needed. In addition to the physical dimensions of the device, additional space is required for the wiring.
Note: All interface cable connections between the ConnectionBox and other devices should be established before connecting the power supply.
[Figure: ConnectionBox connectors. Labels: Power supply; DIP switch; RJ45 - IP LAN; USB port for USB-LAN adapter; Reset button]

3. Electrical connection

3.1 Power
The ConnectionBox must be powered with an external 12-40 V DC power supply.
3.2 IP LAN connector
The internal IP LAN connector is used to connect to the local network on which the BACnet devices are installed. If only one network interface is used the whole communication takes place through the internal IP LAN connector.
3.3 USB connectors / USB IP adapter (optional)
This is only necessary when working with two network interfaces. The supported USB IP adapter for the ConnectionBox is a Delock “Adapter USB 2.0 > Ethernet 10/100” Part number 61147.
This adapter can be connected to either USB connector on the ConnectionBox.
NOTE: Once the SSL-VPN client has been registered with cRSP, a registration hash code is generated that includes information on the USB port that the adapter is connected to. The USB/IP adapter must not be connected to the other USB Port after registration.
3.4 DIP switch
All DIP switches must be in the ON position.
3.5 Reset button
If the BACnet Monitor is frozen and you cannot connect to the BACnet Monitor for a software reset - use the reset button. This is a hardware reset.
NOTE: All unsaved data will be lost
3.6 Status indication
The ConnectionBox has seven LEDs for optical status indication.
Description | Green | Yellow
Power | The power is properly applied. | -
Ready | The system is in operating mode. | -
Link/Act | The Ethernet interface is connected to the network. Flashing: Data is transmitted. | -
P1-P4 | - | -
4. Software configuration

4.1 Web Browser overview
The ConnectionBox is configured using a web interface; the layout of the interface is shown below.
[Figure: web interface layout. Labels: Menu; Current settings; Save settings; Firmware version]

4.2 Initial Connection
You can easily configure the ConnectionBox by using the integrated web interface. There are two options to connect the PC to the ConnectionBox:
1. Using the built-in IP LAN connector. The easiest method is to connect to the ConnectionBox using a Switch or with a crossed network cable connected to a PC. The network interface of the ConnectionBox is assigned a link-local address from the address block 169.254.0.0/16 by default. To connect, set the IP address of your PC to 169.254.0.xxx/255.255.0.0 and connect via a switch or crossed network cable.
2. Using the USB IP Adapter (optional). The external USB-LAN-adapter uses DHCP by default and can also be used for configuration.
The web interface hostname is generated from the ConnectionBox MAC address according to the pattern: HTTP://nmrxxxxxxxxxxxx (where x represents the hexadecimal characters of the MAC address), e.g. http://nmr001348018C52. Please note that the ConnectionBox is only accessible in this way from the sub network.
The MAC address is printed on the left side of the device (e.g. 001348018C52).
If there are connection problems please check your network settings. A workaround is described in chapter 12.
4.3 ConnectionBox access security
The access to the ConnectionBox web configuration interface is protected by a user name/password. When you enter the hostname in the internet browser, the ConnectionBox login page appears. Please enter your user name and password. You can obtain the default user name and password from Field Support or from the product manager.
5. Configuration – Basic Setup
Once logged into the ConnectionBox, choose “Basic Setup” from the main menu to configure the network, proxy, time and NTP server settings.
5.1 Network
The ConnectionBox can be configured with one or two network adapters. Select “Network” in the main menu to configure the network parameters of the ConnectionBox. To configure two network adapters, the USB-LAN-Adapter must first be connected to the ConnectionBox.

5.1.1 One network adapter
The built-in IP LAN connector is used for all network traffic. The single interface supports both static IP and DHCP. If the network connected to the built-in IP LAN connector uses DHCP, the IP address can be obtained automatically by the ConnectionBox once connected. In all other cases, enter the IP address, subnet mask, gateway and DNS server(s). If you want to configure more than one DNS server, enter the DNS servers' IP addresses as a comma-separated list.
Once the parameters have been entered press “Save”.
5.1.2 Two network adapters
1. The built-in IP LAN connector. The built-in IP LAN connector is used for the local network that the BACnet devices are located on. This is referred to as the BACnet Interface.
2. USB IP Adapter. This connector is used for Internet access. This is referred to as the WAN Interface.
BACnet Interface: Enter the IP address and subnet mask of your BACnet network connected to the internal Ethernet interface. This interface does not require a Default Gateway.
WAN Interface: The WAN interface supports both static IP and DHCP. If the network connected to the USB-LAN Adapter uses DHCP, the IP address can be obtained automatically by the ConnectionBox once connected. In all other cases, enter the IP address, subnet mask, gateway and DNS server(s). If you want to configure more than one DNS server, enter the DNS servers' IP addresses as a comma-separated list.
Once the parameters have been entered press “Save”.
5.2 Proxy Settings
Proxy Settings are only required to back up the configuration of the ConnectionBox to EMC. To change the proxy server settings, select “Proxy Settings” in the main menu. You can enable or disable the usage of a proxy server. If you enable the usage of a proxy server, enter the server's hostname or IP address and the port. If the proxy server needs authentication, enter the user name and password. HTTP Basic Authentication and Digest Access Authentication are supported.
Note: When using a proxy server you have to configure the same proxy setting in the “VPN settings” again (see chapter 7.3).
Once the parameters have been entered press “Save”.
5.3 Date/Time settings
To manually change the date and time settings, select “Date/Time Settings” in the main menu. Enter the new date and time and press “Save”. Enabled NTP synchronisation will override any manually configured date or time settings. Do not expect manual date or time adjustments to work if NTP is enabled. If the time is set into the future, a browser timeout may occur and you may have to enter your username and password again.
Once the parameters have been entered press “Save”.
5.4 NTP server settings
NTP stands for “Network Time Protocol”. To change the NTP server settings, select “NTP Server” in the main menu. You can enable or disable the usage of an NTP server. If you don't use an NTP server, please set the date and time manually. If you want to configure more than one NTP server, enter the NTP servers' hostnames or IP addresses as a comma-separated list. If the system time differs significantly from the NTP time, refreshing may cause a browser timeout, in which case you have to log in again.
Once the parameters have been entered press “Save”.
6. EMC Setup
EMC Setup is only required to back up the configuration of the ConnectionBox to EMC. The configuration of the EMC connection requires several steps and should be finished with a connection test.
First, the server URI of the EMC server needs to be set. It consists of a protocol (“http” or “https”), the hostname or IP address of the server, as well as the path to the import script, as shown in the picture below. You can obtain the EMC server's URI from field support.
You can enable or disable the verification of the EMC server's SSL certificate. It is strongly recommended to enable the SSL verification. This option is only relevant if a “https” server URI is used.
After creating a ConnectionBox (device) login in EMC, you must now enter it in the ConnectionBox. This information ensures that the values are entered under the correct EMC account (customer).
Configuration Upload provides the opportunity to upload the configuration files to the EMC server once every hour if there have been any changes to it since the last upload. If the option is deactivated there will be no uploads. Save the changes once you are done.
In a final step you can choose to finish the setup with a connection test. If you don't test the connection to the EMC server, the settings are adopted as is. If the connection test fails, the new settings will be rejected.
If you receive something like a “certificate error”, check the time and date settings of the ConnectionBox and set them to the current date and UTC time. The communication between EMC and the ConnectionBox is secured with a process based on certificates that are only valid in a given period of time. If these certificates are outdated for the ConnectionBox, the connection process fails.
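The following Python sketch is an added example, not part of the ConnectionBox firmware or of this manual's tooling. It triages the “certificate error” case described above by comparing a device clock reading with a certificate's validity window, and it flags an “http” URI or disabled verification. The function names, the sample URI and all sample values are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample values (not taken from a real ConnectionBox or EMC server).
SAMPLE_URI = "https://emc.example.invalid/import-script-path"   # placeholder path
SAMPLE_NOT_BEFORE = "Jun  1 00:00:00 2014 GMT"   # text form used by ssl.getpeercert()
SAMPLE_NOT_AFTER = "Jun  1 00:00:00 2016 GMT"
SAMPLE_RESET_CLOCK = datetime(2000, 1, 1, tzinfo=timezone.utc)  # clock far in the past
SAMPLE_GOOD_CLOCK = datetime(2015, 3, 10, 12, 0, tzinfo=timezone.utc)


def cert_window_status(device_utc, not_before, not_after):
    """Classify a device clock reading against a certificate validity window.

    Returns (status, skew_seconds); skew is how far outside the window the
    clock is, or 0 when the clock lies inside it.
    """
    if device_utc.tzinfo is None:
        raise ValueError("device clock must be given as an aware UTC datetime")
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    now = int(device_utc.timestamp())
    if now < start:
        return "clock-before-validity", start - now
    if now > end:
        return "clock-after-validity", now - end
    return "within-validity", 0


def audit_emc_settings(server_uri, verify_ssl, device_utc, not_before, not_after):
    """Return a list of findings for a hypothetical EMC connection setup."""
    parts = urlsplit(server_uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ["invalid-server-uri"]
    if parts.scheme == "http":
        # The verification option is only relevant for https URIs.
        return ["plaintext-http"]
    findings = []
    if not verify_ssl:
        findings.append("tls-verification-disabled")
    status, skew = cert_window_status(device_utc, not_before, not_after)
    if status != "within-validity":
        findings.append(f"{status}: off by {skew // 86400} days")
    return findings


if __name__ == "__main__":
    for clock in (SAMPLE_RESET_CLOCK, SAMPLE_GOOD_CLOCK):
        print(clock.isoformat(), audit_emc_settings(
            SAMPLE_URI, True, clock, SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER))
```

A “clock-before-validity” result points at the device date and time settings rather than at the server certificate, which is the case the paragraph above tells you to check first.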
7. VPN Settings
This menu allows you to configure SSL-VPN client settings. When the menu item is selected, an error message dialog is displayed if the client has not been registered.
The VPN Settings page allows you to perform the following operations & functions:
Register and Deregister the SSL-VPN Client
View the Status of the SSL-VPN connection
Configure Proxy Server settings
Modify Log and Tunnel mode configurations
7.1 Registration of the Client
To register the SSL-VPN client a ConnectionBox Checklist (Chapter 17.1) must be completed and sent to the local AOC/cRSP responsible. A One Time Password (OTP) is required to register the client and will be sent via secure email from the local AOC/cRSP responsible once the system has been created in cRSP.
NOTE: Once the SSL-VPN client has been registered with cRSP, a registration hash code is generated that includes information on the USB port that the adapter is connected to. The USB/IP adapter must not be connected to the other USB Port after registration.
Enter the details of the Host name, Site name and One Time Password.
The correct SSL-VPN Access Server must be selected for the region that you are located in. The Combo box has the following default servers:
Server DMZ location | Server name | IP address
DMZ Fuerth (Germany) | crsp-sslvpn-fth-p.siemens.com | 194.138.37.194
DMZ Malvern (USA) | crsp-sslvpn-nwke-p.siemens.com | 12.46.135.194
DMZ Singapore | crsp-sslvpn-sgp-p.siemens.com | 194.138.240.119
Release DMZ Fuerth | crsp-sslvpn-fth-r.siemens.com | 194.138.37.193
The DMZ servers are separated into three geographical locations. DMZ Fuerth is for Europe, DMZ Malvern for the Americas and DMZ Singapore for Asia Pacific and Middle East. The Release DMZ server in Fuerth is for testing purposes. If you are not sure of the DMZ server that you must register the client to, please contact your local AOC/cRSP responsible. It is also possible to type in the Server name and IP address if required.
For most systems once the Host name, Site name and one-time password are entered and the correct SSL-VPN Server is selected, it is possible to register the client by selecting the “Register” button. Additional settings may be required if a Proxy Server is used for internet access.
An info message will be displayed if the system was able to register successfully.
Note that the Registration confirmation message will always display the message that the system registered successfully to Fuerth VPN server (displaying the URL or IP) even if the system is configured for Malvern or Singapore. This is because the registration takes place in two stages: firstly to the selected server and then finally to the Fuerth VPN server. Final confirmation comes from Fuerth VPN Server.
The “Connectivity Test…” button is also useful to ensure that the ConnectionBox is able to contact (ping) the selected SSL-VPN Server.
7.2 Status
The status will only be displayed once a VPN connection has been established. Direct access to the ConnectionBox without using VPN is not monitored.
The status information must be manually updated using the “Refresh” button.
The Status information is useful for monitoring the amount of data traffic and whether the tunnel is active.
7.3
Proxy Server Settings
To change the proxy server settings, select “VPN Settings” in the main menu. You can enable or disable the usage of a proxy server.
If you enable the usage of a proxy server, please enter:
The Proxy Server's hostname or IP address and the port.
If the Proxy Server needs authentication, enter the user name and password.
Currently HTTP Basic Authentication and Digest Access Authentication are supported. If the Proxy Server requires authentication, it is recommended to use a password that never expires for this system. This may require requesting this configuration specifically from the customer IT department.
Note: These proxy settings must be the same as the Proxy Settings in the Basic Setup menu (see chapter 5.2).
7.4
Advanced settings
The parameters in the advanced settings section usually do not need to be changed. They should only be changed by experts and are therefore by default hidden.
Selecting the expand button allows modification of Tunnel Mode configuration parameters and the Log configuration. Hide or unhide advanced settings
Tunnel Mode: The options “Tunnel Mode” and “Tunnel active” cannot be changed by the user. The parameters “Idle timer”, “Keep alive timer” and “Response timer” can be set to a value in seconds.
Log configuration: The “log level” dropdown lets you select which messages should appear in the log files. Your options are “detailed”, “debug”, “info”, “warning”, “error” and “fatal”. “Log file size” determines the maximum number of bytes before the log files are rotated. The parameter “Log file number” determines how many rotated log files should be kept available.
Modified parameters take effect once the “Save” button is clicked.
7.5
De-registration of the Client
If the ConnectionBox is no longer being used on a system, it is strongly advisable to deregister the SSL-VPN client before removing it from the site.
This can be performed by selecting the “Deregister…” button. A message is displayed if the operation was successful.
8.
cRSP Gateway (SSL VPN Gateway)
To configure the SSL VPN Gateway click on “cRSP Gateway” in the menu bar. The current settings are also shown on this page. The following configurations are possible.
Once the parameters have been entered press “Save”.
Gateway Active: Switches the gateway on or off.
Gateway UDP Mode: Specifies how datagram (UDP) sockets are used internally. In “connect” mode, only replies from the destination to which a previous datagram packet had been sent are captured. In “bind” mode, replies from any destination are captured.
Gateway UDP Timeout [s]: Specifies the time in seconds after which a UDP “connection” to the target system is closed in order to save resources.
Gateway Listener: Specifies listener address/port for the gateway. Attention! Do not specify a port number that may be used by other applications like 80, 443 and 21. Rather choose exotic ports greater than 5000. The best choice is the default 11080 because it is opened in cRSP firewall. Port 11801 however is not allowed as it is already used internally.
Log Level: The dropdown lets you select which messages should appear in the log files.
Maximum Log File Size: Determines the maximum number of bytes before the log files are rotated.
Maximum Log File Number: Determines how many rotated log files should be kept available.
Gateway Source White List: List of all source IP addresses that are permitted to use the cRSP Gateway’s proxy functionality in order to connect to systems “behind” this gateway. Normally, this should be the systems in the cRSP DMZs.
Gateway Destination White List: List of all destination IP addresses that are reachable through the cRSP gateway. All managed systems configured in the cRSP database as “behind” this gateway should be included in this list.
The cRSP Gateway Status displays all currently existing and previous gateway connections.
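The difference between the two Gateway UDP Mode settings, shown with plain UDP sockets on the loopback interface. This is an added illustration of the socket behaviour, not the ConnectionBox's own code; the function name and payloads are made up for the example.

```python
import socket

def replies_seen(mode):
    """Send one datagram to a target, then let the target and an unrelated
    sender both answer. Return the set of payloads the client receives."""
    target = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    other = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for s in (target, other, client):
            s.bind(("127.0.0.1", 0))      # ephemeral loopback ports
            s.settimeout(0.5)
        if mode == "connect":
            # Connected UDP socket: the kernel delivers only datagrams
            # whose source is the connected peer.
            client.connect(target.getsockname())
            client.send(b"request")
        else:
            # "bind": unconnected socket, any source can deliver to it.
            client.sendto(b"request", target.getsockname())
        _, client_addr = target.recvfrom(64)
        other.sendto(b"from-other", client_addr)    # unsolicited sender
        target.sendto(b"from-target", client_addr)  # the real destination
        seen = set()
        try:
            while True:
                data, _ = client.recvfrom(64)
                seen.add(data)
        except socket.timeout:
            pass                          # nothing more queued
        return seen
    finally:
        for s in (target, other, client):
            s.close()

if __name__ == "__main__":
    for mode in ("connect", "bind"):
        print(mode, sorted(replies_seen(mode)))
```

In “bind” mode the socket itself does no source filtering, so the Gateway Source and Destination White Lists are the only restriction on who can reach systems through the gateway.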
9.
BACnet Settings
The BACnet settings page provides options to change the BACnet routing configuration of the BACnet Port (LAN) and WAN Port network interfaces. Each Interface is configured in a separate tab. Always “Save” any changes before changing tabs. “Cancel” sets everything back to the last saved configuration and opens the first tab.
9.1
BACnet Port Settings
The BACnet port is a logical interface used to address a specific BACnet network. This interface is connected to the local LAN that contains the BACnet devices.
Port ID: This is the number of the port and has to be a unique number.
Network Number: Care must be taken when allocating BACnet Network Numbers to ensure that they are unique for the BACnet Internetwork. The BACnet network numbers are critical when a system is configured with a BACnet router and the connection is made via ConnectionBox. If duplicated network numbers are present in a system, the BACnet communications and remote engineering will not function correctly. When configuring the BACnet settings, ensure that the numbers are unique for the system. The configuration of the network numbers for PX controllers is performed in XWP Network Configurator. Typically the BACnet/LON network will have Network Number 1 and the BACnet/IP network will have Network Number 2. For larger systems this will depend on the topology.
Example of standard BACnet router configuration with the ConnectionBox:
ConnectionBox – BACnet Settings
WAN Port: Port 4 / Network 99, BBMD = 1, FDT = 1, UDP = BACA (47818)
BACnet Port: Port 3 / Network 98, BBMD = 0, FDT = 0, UDP = BAC1 (47809)
BACnet Router Configuration
BACnet/IP: Port 2 / Network 2, BBMD = 1, FDT = 1, UDP = BAC1 (47809)
BACnet/LON: Port 1 / Network 1, LON segment: SEG01
The BACnet router has the LON connection configured for NET01 (network number 1) and the IP connection configured for NET02 (network number 2). (Note here that Port 3 could also be configured for Network 2 to be in the same network as the BACnet router IP network and it is functionally correct and would work.) If the remote connection is created using the BBS, it is critical that the network number 1 is not used for defining either of the ConnectionBox networks. This would result in BACnet communication failure.
UDP Port: This is the port used for BACnet routing. The UDP port must match the port that has been configured for the BACnet devices on the LAN. This is typically 47808 (0xBAC0).
Attached: This box needs to be ticked so the BACnet daemon establishes a connection. Otherwise the interface will be ignored.
The BBMD/Foreign Device option should typically never be used. If the system requires BBMD support it is recommended to configure this using XWorks plus Network Configurator on the PX controllers. The possible selections for BBMD/Foreign Device are:
None: No BBMD or FD support via ConnectionBox on LAN. This is the recommended option.
BBMD (BACnet Broadcast Management Device): This enables the Broadcast Distribution Table and Foreign Device Table options.
Foreign Device: The Foreign Device option can be used to specify an IP and UDP port to allow the ConnectionBox to register as a foreign device on a BACnet server.
BACnet Configuration File Upload: The BACnet Configuration File Upload option is an advanced option that should only be used by expert engineers. The ConnectionBox is installed with the Siemens BT BACnet Stack and once the interface is expanded, it is possible to modify all BACnet settings and parameters on both the LAN and WAN connections.
Modifications to these entries should only be performed in cases where BACnet communication errors occur. The parameters are not checked for consistency.
After any modifications the configuration file must be first saved by pressing the “Save” button and then reloaded by pressing the “Reload” button on the bottom of the section.
General: After performing any modification to the BACnet configuration on this tab, the Daemon must be restarted for the modifications to come into effect.
9.2
WAN Port Settings
This interface is connected to the USB IP adapter that connects to the internet / customer network with external access.
Port ID: This has to be a unique number. It should be different to the number used on the BACnet port tab.
Network Number: This is the BACnet network number. See description of this setting above for the BACnet port. It is very important that this network number is unique for the BACnet Internetwork.
UDP Port: This is the port used for BACnet routing. The UDP port can be freely defined but the supported range for cRSP connections is 0xBAC0 to 0xBACF (47808 to 47823). This UDP port must match the configuration defined in cRSP for the connection.
Attached: This box needs to be ticked so the BACnet daemon establishes a connection. Otherwise the interface will be ignored.
The BBMD/Foreign Device option should typically be configured for BBMD to allow the support of Foreign Device Table registration. The possible selections for BBMD/Foreign Device are:
None: No BBMD or FD support via ConnectionBox on LAN. This selection is not recommended as it will prevent connection remotely to the systems on the LAN.
BBMD (BACnet Broadcast Management Device): This is the required option. This enables the Broadcast Distribution Table and Foreign Device Table options. If the system requires BBMD support it is recommended to configure this using XWorks plus Network Configurator. Foreign Device Table support must be enabled and the default Max. FDT Entries is recommended to be set at 16.
Foreign Device: The Foreign Device option can be used to specify an IP and UDP port to allow the ConnectionBox to register as a foreign device on a BACnet server.
BACnet Configuration File Upload: This option is identical to the functions described for the BACnet Interface tab.
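The rules from sections 9.1 and 9.2 expressed as a pre-commissioning check, run against the manual's standard example and a constructed faulty plan. This is added example code, not part of the ConnectionBox or its tooling; the Port class, its field names and the audit function are assumptions.

```python
from dataclasses import dataclass

CRSP_UDP = range(0xBAC0, 0xBACF + 1)  # 47808..47823, range supported for cRSP

@dataclass
class Port:
    tab: str            # "lan" = BACnet Port tab, "wan" = WAN Port tab
    port_id: int
    network: int
    udp: int
    attached: bool = True
    mode: str = "none"  # "none", "bbmd" or "foreign"
    fdt: bool = False
    max_fdt: int = 0

def audit(ports, router_networks, lan_ip_network, lan_udp, via_bbs=False):
    """Return a list of findings; an empty list means the plan follows the manual."""
    out = []
    ids = [p.port_id for p in ports]
    if len(ids) != len(set(ids)):
        out.append("port IDs must be unique across both tabs")
    used = set(router_networks)
    for p in ports:
        name = f"{p.tab} port {p.port_id}"
        # The LAN port may share the number of the IP network it sits on.
        shares_lan = p.tab == "lan" and p.network == lan_ip_network
        if p.network in used and not shares_lan:
            out.append(f"{name}: network {p.network} is already in use")
        used.add(p.network)
        if via_bbs and p.network == 1:
            out.append(f"{name}: network 1 must not be used with BBS")
        if not p.attached:
            out.append(f"{name}: not attached, interface will be ignored")
        if p.tab == "lan":
            if p.udp != lan_udp:
                out.append(f"{name}: UDP {p.udp} differs from LAN devices ({lan_udp})")
            if p.mode != "none":
                out.append(f"{name}: BBMD/Foreign Device should be None on the LAN")
        else:
            if p.udp not in CRSP_UDP:
                out.append(f"{name}: UDP {p.udp} outside 47808-47823")
            if p.mode != "bbmd" or not p.fdt:
                out.append(f"{name}: BBMD with Foreign Device Table is required")
            elif p.max_fdt != 16:
                out.append(f"{name}: Max. FDT Entries is {p.max_fdt}, 16 is recommended")
    return out

# The manual's standard example: router networks 1 (LON) and 2 (IP, UDP 0xBAC1).
GOOD = [Port("wan", 4, 99, 0xBACA, mode="bbmd", fdt=True, max_fdt=16),
        Port("lan", 3, 98, 0xBAC1)]
# Constructed faulty plan: duplicate port ID, reused network 1, bad WAN port.
BAD = [Port("wan", 3, 1, 47900, attached=False),
       Port("lan", 3, 2, 0xBAC0, mode="bbmd")]

if __name__ == "__main__":
    for label, plan in (("good", GOOD), ("bad", BAD)):
        print(label, audit(plan, {1, 2}, lan_ip_network=2, lan_udp=0xBAC1, via_bbs=True))
```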
10.
Administration
10.1
Firmware update
Updating the firmware of the ConnectionBox is a two-step process. First, you need to upload the firmware, and then you have to apply the update. To update the firmware of the ConnectionBox, you have to establish a network connection between your PC and the ConnectionBox. Open the web configuration interface, select “Administration” and "Firmware" from the main menu and then browse to the firmware image file on your PC.
Choose the firmware file from the dropdown menu
Once you press the “Upload firmware”-button, the firmware-image is transmitted to the ConnectionBox and validated but not yet applied. To apply the firmware update, choose the firmware file from the drop down menu. Subsequently, click “Update firmware”. The firmware is then copied to the flash memory. The firmware update may take several minutes. The progress is indicated on your screen.
DO NOT RESTART OR POWER OFF THE CONNECTIONBOX WHILE A FIRMWARE UPDATE TAKES PLACE! A message will show once the update has been successfully copied. You need to reboot the ConnectionBox now. Unneeded firmware files should be removed from the dropdown menu. To do so, choose the firmware file and then press “Remove firmware”.
10.2
Backup and Restore
To back up, restore or reset the configuration of the ConnectionBox, open the web configuration interface and select “Administration” and "Firmware" from the main menu. You can back up the configuration to EMC or as a text file to your local computer. To back up the configuration to EMC you have to create a device login in EMC as described in chapter "EMC Setup". If a proxy is required, it must be configured in "Basic Setup">"Proxy Settings". To back up the configuration to your local computer, press the button and select a location and a file name for the configuration file. Then press the Save-button. To restore a configuration, browse to the configuration file on your PC and press the "Restore configuration"-button. If you want to restore a configuration from EMC, you have to download the configuration file from EMC to your PC first. Restoring is only possible from your PC.
10.3
User credentials
To change the user credentials select "Administration" and "Login". To change the user name you have to enter the new user name and the current password. To change the password you must enter the current password and the new password. As the ConnectionBox allows only secure passwords, the password has to consist of at least 8 characters, with upper and lower case, at least 1 number and 1 special character. The initial password for a brand new box is NMRwebAccess#1.
11.
Diagnostics
11.1
Log files
The ConnectionBox logs important system events in log files. To view the log files, select “Log Viewer” from the main menu. You will see a list with the log files. If you click on a log file name, the recent log messages are shown. You can browse through the log files by clicking the buttons “older” and “newer” or choose a specific page from the drop down menu. Older pages have higher numbers. The “Refresh”-button reloads the page currently viewed.
These log files are intended for advanced diagnostics of the SSL-VPN Client. The SSL-VPN client creates log files for the SSL-VPN tunnel status, the SSL-VPN service and SSL-VPN administration of the client. The cRSP-Gateway creates log files for the Gateway Proxy, the Gateway Service and Gateway Administration. For both the SSL-VPN Client and cRSP-Gateway you can modify the Log Level in the configuration tabs.
12.
Network configuration for Siemens clients
If your Siemens client PC has connection problems with the BACnet Monitor, you have to activate NetBIOS over TCP/IP.
12.1
Windows 7
Step 1: Open the Network Connections in the control panel
Step 2: Choose Properties
Step 3: Double click on Internet Protocol Version 4
Step 4: Click on Advanced
Step 5: Activate Default in the WINS tab and click OK.
Now the connection to the BACnet Monitor should work.
13.
Support
For 1st level technical support with ConnectionBox please contact your local AOC Support. The following contact partners are internally available for 2nd level support and questions from the AOC specialists regarding ConnectionBox:
Field Support
Morof, Markus
Siemens Switzerland Ltd., Field Support, IC BT CPS REM MS FS
Gubelstrasse 22, 6301 Zug, Switzerland
+41 (41) 724-5104

Product Management
Wirth, Winfried
Siemens Switzerland Ltd., Head BAU LCM VAS, IC BT BAU LCM VAS
Gubelstrasse 22, 6301 Zug, Switzerland
+41 (41) 724-2463
14.
Appendix A
Technical Overview
Technical Details:
Operating voltage: 12 – 40 VDC
Energy consumption: Max. 5 VA
Dimensions (HxWxD): 108.8 x 102.5 x 25.6 mm
Operating Temperature: 0-70°C
IP20
Connectivity:
1x Port RS232/RS422/RS485
3x RS232
1x RJ45 Ethernet 10/100 Mbit/s
2x USB 2.0 (one is used for the second Ethernet connection via USB-LAN adapter)
CPU: ARM920T Processor with 200MIPS at 180MHz, Memory Management Unit
Operating System: Embedded Linux Version 2.6.32.27
Memory: 64MB SDRAM, 16MB Flash
15.
Appendix B
15.1
Application example: SSL-VPN Client and BACstack with Desigo PX
In this application example the XWorks plus engineering tool connects to a PXC controller via BACnet. The connection through internet is secured by a VPN tunnel established between the common remote service platform cRSP and the ConnectionBox. The involved ConnectionBox components are SSL-VPN Client and BACstack. Example IP addresses and involved components:
Components shown in the figure: WebConfiguration, XWorks plus Engineering, cRSP, ConnectionBox
Network Adapter: USB Adapter, IP: 192.168.220.140, SM: 255.255.255.0, DG: 192.168.220.1
Network Adapter: cRSP SSL-VPN, IP: 14.252.130.231, SM: 255.255.255.0, DG: -
Network Adapter: LAN, IP: 192.168.1.163, SM: 255.255.255.0, DG: -
Cimetrics BACstac Routing Edition V6
Port 1: BBMD = 1, FDT = 1, UDP = BAC0 (47808)
Port 2: BBMD = 0, FDT = 0, UDP = BAC9 (47817)
PXC: 192.168.1.162, BAC9
16.
Appendix B
16.1
Application example: SSL-VPN Client and SSL-VPN Gateway with Sinteso FS20
In this application example the Sinteso Works FXS 2002 engineering tool connection through internet to a Sinteso FS20 panel is secured by a VPN tunnel established between the common remote service platform cRSP and the ConnectionBox. The involved ConnectionBox components are SSL-VPN Client and SSL-VPN Gateway. Example IP addresses and involved components:
Components shown in the figure: Sinteso Works FXS 2002, cRSP, ConnectionBox, Sinteso FC20xx
Network Adapter: USB Adapter, IP: 192.168.220.140, SM: 255.255.255.0, DG: 192.168.220.1
Network Adapter: cRSP SSL-VPN, IP: 14.252.130.231, SM: 255.255.255.0, DG: -
Network Adapter: LAN, IP: 192.168.1.163, SM: 255.255.255.0, DG: -
SSL-VPN Gateway: Gateway Destination white list
17.
Appendix C
17.1
ConnectionBox Checklist
ConnectionBox Checklist V1.0
This checklist must be completed before installing and commissioning the ConnectionBox. Please complete all fields and send to your country AOC/cRSP responsible. If all the required information is completed you will then receive a One Time Password to register the device with cRSP.

1. Customer Information
Please enter the information about the customer and the place of installation. If the place of installation is the same as the Customer address leave it empty.
Customer: Customer Name, Street & number, Postcode - City, Country
Place of Installation: Customer Name, Street & number, Postcode - City, Country
Please indicate the type of system on the customer site: Building Automation; Fire / Security

2. Contact information
Siemens Project Responsible: Name, Phone Number, Email
This email will be used to send the One Time Password once the system has been configured in cRSP.
Customer Local Contact: Name, Phone Number, Email

3. cRSP SSL-VPN details
Note that there should be a naming convention for the Customer System in your region. The cRSP Customer System Name must be unique within EMC.
Fields: cRSP Customer Site Name, cRSP Customer System Name, One Time Password (OTP), Planned date of installation
Note: The OTP will be generated by cRSP and sent via secure email. It will then be possible to register the ConnectionBox SSL-VPN client using the information above.