Eurogard ServiceServer User Manual
Eurogard Service-Server: Manual
by Falk Schönfeld <schoenfeld@eurogard.de>
Copyright © 2011-2014 Eurogard GmbH
Table of Contents
1. System description
  Short overview
  Function overview and concept
  Preconditions
2. Installation and operation
  Hardware installation
    Connection and control elements on the rear side of the device
    Connections on the front panel
  Initial contact set-up
  Operating concept
  Installation – quick set up guide
    Preparation of the ServiceServer
    Connection to the Internet
    Time
    Certificates
    Next steps
    OpenVPN
3. Configuration options of the ServiceServer
  Administration area
  Basic settings/LAN
    Host name
    Domain name
    IP-Address of the Server in the LAN network
    Netmask
    DHCP-Server for the LAN
    DHCP area
    HTTPS-Port of the web interface
  Web access/WAN
    WAN-Media
    Configuration of connection
  Time
    Time source
    Time zone
    Device is NTP-Server
    NTP-Update interval
    NTP-Server chart
  dDNS
  Certificates
    Field contents
    Validity in days
    Issue certificates for WAN IP as well
    Issue certificates for LAN IP as well
    Generate Server certificates
    Import root certificate
    Show Server certificate
  OpenVPN
    OpenVPN-Mode
    Logging of client connections in a database
    DHCP range for VPN-clients of the admin network
    Start port
    Enable client-to-client connections
    Limit VPN packet size
    Keeping a log file
    Detail options of the logs
    Maximum size of the logs
    Allow access to the admin network to VPN-Clients
    Time interval for keep-alive-packets in seconds
    VPN restart after how many unsuccessful Pings
    Cryptoalgorithm
  Service networks
    General overview
    Update network status
    Restart all networks
    Add network
    Change service networks
    Delete service networks
  Accounts
    Refresh status
    Add new account
    New user certificate
    Download
    Change password
    Delete account
  Logs
  Firewall
    Port 22 - ssh
    Port 443 - https
    Allow LAN devices access via external interface
    Allow access service network/LAN
4. Messaging
  Email
    Emailing
    Email address
    Server/Port
    Username/Password
    Transport encryption
    Allow certificates of unknown origin
    Email account for receiving
    Test configuration
  Reports
5. Status and diagnosis
  Connections
  DHCP
  OpenVPN
  Logs
  Firewall
  dDNS
  Diagnosis
6. Backup-Maintenance
  Backup
    Restore point
    Upload restore point
    Reset
  Service
    Maintenance access
7. Logging of connection data
  General
  Show logged connection data
  Read out log database
8. Disclaimer
  General
  Safety instructions
  Proper use, installation and assembly
A. Important terms

List of Figures
1.1. Eurogard ServiceServer
1.2. VPN-concept of the remote service products

List of Examples
3.1. Host- and Domain name
3.2. URL for HTTPS in case of different port
7.1. Syntax URL VPN-Log
7.2. Example of valid query
Chapter 1. System description
Short overview
The Eurogard ServiceServer system is a product from the Eurogard remote service family. These products represent a secure, central access to remote, IP-capable terminal devices via Internet, with the focus always on automation and control engineering.
Figure 1.1. Eurogard ServiceServer
The ServiceServer system connects the user PC and the machine, plant or computer network via a secure connection, a so-called “virtual private network”, VPN in short.
During this process, communication between the participants is secured with SSL/TLS, the protocol suite OpenVPN is built on. This provides confidentiality and integrity for all exchanged data, provided the certificates involved are valid and their private keys are kept secret.
The device includes a complete VPN system with certificate and user administration in order to provide the user with an optimally secured programming and monitoring access to the machine network.
The protected web administration area can be accessed via HTTPS or VPN and provides the administrator with all necessary tools for the integration of devices and machine networks and for the administration of programmers and service staff.
Function overview and concept
The key element of the Eurogard remote service solution is the Eurogard ServiceServer, which provides a specially protected dial-in service for network connections.
The connection is established via software which can be installed on any standard PC. Since devices in control and automation engineering do not, as a rule, offer VPN capability or allow software to be installed, the Eurogard ServiceRouter serves as a bridging device.
The controls of the plants to be monitored are connected to the ServiceRouter. Just as with the service technicians’ or programmers’ PCs, the ServiceRouter then establishes a connection to the ServiceServer.
All devices, even though connected via different Internet connections, behave as if they were in a common LAN. The only indication of the spatial separation between the network participants may be the higher latency.
With the help of a ServiceRouter, the ServiceServer sets up a separate, independent VPN for each plant network.
In this context, it is necessary to ensure that the different plant networks each use different IP ranges. The ServiceRouter which integrates the plant network into the VPN can use Ethernet, UMTS, PPPoE (DSL) or WLAN for its Internet connection.
The security architecture provides for two main user groups: administrators and users associated with a plant network. As a basic principle, administrators have access to all networks and administrative functions of the ServiceServer; plant network users can only access the plant network allocated to them.
Figure 1.2. VPN-concept of the remote service products
Eurogard offers a free and efficient OpenVPN client which administers your certificates, logs access times to various plants and securely sets up connections to the routers at the plant via a mouse click.
The Eurogard ServiceServer and router provide a complete solution for the remote access to IP-based automation structures in machines and plants.
Like the ServiceRouter, the ServiceServer has two network sides at its disposal.
• WAN-side
Used to connect the device to the Internet. Here, access to plant networks or to the LAN side is only possible indirectly via VPN.
• LAN-side
This is the primary “working network”. Here, all units and PCs have direct access to all plant networks and their devices.
All data packets that LAN devices send to the Internet through the Server are rewritten by the Server using source NAT (masquerading). As a consequence, only the Server's external IP is visible from outside, even when the device reaches the Internet indirectly through the in-house network on its WAN side. This keeps installation and administration effort down.
For each plant that is to receive remote service, a so-called service network is set up on the ServiceServer. This is shown on the right-hand side of Figure 1.2, “VPN-concept of the remote service products”. So that the admin network can reach every one of these networks at the same time, each of them must be assigned a unique, non-overlapping IP network.
The next step is to create an account for a Eurogard ServiceRouter on the Server. A configuration file is downloaded from the Server into the Router. The Router is parameterised and integrated into the plant network, where it acts as intermediary between the various devices of the plant and the service network of the ServiceServer. All IP terminals of the plant can now be accessed from the LAN network of the Server.
In the process of generating a new VPN access its range of validity needs to be specified. This range may be a specifically selected service network or the entire network, in the case of an administrative account.
In the Server's default configuration, devices in one service network can neither send data to nor receive data from another service network. Devices in a plant network also cannot reach devices in the admin network. Only the admin network is authorised to communicate with terminal devices in the machine networks. This is symbolised on the left-hand side of Figure 1.2, “VPN-concept of the remote service products”. Each of the functions shown can be configured separately. Reachability within a plant network, whether between local devices or between VPN clients, is not affected and is always ensured.
Preconditions
A prerequisite for adequate operation of the Eurogard ServiceServer is a sufficiently dimensioned Internet connection; what is sufficient depends on your specific requirements. Depending on the hardware, the Server handles link speeds of 100 Mbit/s up to 1 Gbit/s.
The Server must have a DNS entry. This is an essential precondition for the overall concept to work “out of the box”, even though operation via a bare IP address is possible. Through this entry the clients are able to ‘find’ and reach the Server.
It often makes sense to assign a static IP to the ServiceServer in order to guarantee round-the-clock reachability of the service networks. Dynamic IPs may cause outages (“blackouts”) of up to 15 minutes while the address changes and the DNS entry is updated.
In those cases where the Eurogard remote service concept may be required to be used with a dynamic Internet IP, our devices support the dynamic DNS services of DynDNS [http://www.dyndns.com].
Since the ServiceServer accepts client requests from the Internet, the relevant ports must be reachable. If a NAT firewall sits in front of the device, this means that port forwarding has to be set up (see the port requirements in the quick set-up guide).
Please note the preconditions regarding the operation of the ServiceRouter which are required for setting up a plant network.
Chapter 2. Installation and operation
Hardware installation
The device is designed for installation in a 19-inch rack and occupies 1 U (1 HE); a mounting depth of 60 cm is adequate.
Connection and control elements on the rear side of the device
On the rear side of the device, the mains power supply, the reset button and an LED signalling errors and specific operating conditions can be found.
Reset button
For a reset, press the reset button for at least 3 seconds, then release to start the reset process. This is shown by fast flashing of the Error LED. After a few seconds, the device restarts twice. After approximately one minute, the device is back in default status.
The reset function is available 15 seconds after power up of the Server, indicated by the one second interval flashing of the Error LED.
Error-LED
The Error-LED indicates errors and operating status messages.
After set up of the device, the Server requires approximately 15 seconds in order to initialise the hardware and the operating system.
Subsequently, the LED starts flashing at one-second intervals and the Server starts applying its configuration.
When this process is terminated, the LED switches off and the Server is in operating mode; should this not be the case, an error has occurred during installation of the stored configuration.
If a reset is triggered or a restore point is loaded, the LED flashes rapidly for a short period of time and the device will restart. After re-initialisation, the Server carries out a new configuration which is also indicated by fast flashing of the LED. Subsequently, the system is restarted again.
Connections on the front panel
Three RJ-45 network connections can be found at the front.
WAN-connector socket
Connect the “WAN” socket to an Internet-connected network or DSL line. All network traffic to and from the Internet passes through this connector.
LAN-connector sockets
The “LAN1” and “LAN2” sockets are bridged internally and have switch functionality. All terminal devices connected to the Server via LAN1/2 can set up a direct connection to all devices in all service networks.
Communication between devices connected via LAN and devices connected via WAN is not supported; WAN-side hosts reach the LAN side only through a VPN connection.
USB-connectors
At present, both USB-connectors are deactivated. When required, functionality may be supplied for customer-specific extensions or future software releases.
Initial contact set-up
The Server should be installed under suitable environmental conditions. Further information can be found in the separate instruction booklet included.
Start the device and wait for approximately 2 minutes to reach the state of operational readiness.
At initial start of the device or after a reset, the following parameters are set:
• WAN → Ethernet and address assignment via DHCP
• LAN → IP: 192.168.155.1 and address allocation via DHCP
• Admin account/password: Eurogard/Eurogard
Change this default password as soon as the first login succeeds (the Accounts menu provides “Change password”): until then, anyone who can reach the web interface can administer the device with a credential printed in this manual.
All interactions with the ServiceServer are carried out via a web interface. In order to access the web interface, the LAN-IP of the Server has to be accessible via your PC. In the simplest case, just connect the LAN interface of the Server and your PC by means of a switch or directly via cross-over patch cable. If not previously carried out, configure your PC for address assignment via DHCP.
Calling up http://192.168.155.1 in your browser shows the web interface of the Server. If an error message is displayed, check the network settings of your computer and, if one is configured, disable the proxy server in your browser.
Operating concept
Since the Eurogard ServiceServer is a network component, the entire interaction with the user is carried out via a web frontend in the browser. Operation using a monitor, keyboard and mouse is not supported.
The user interface has a main menu and, depending on the menu item chosen, a corresponding sub-menu.
The main menu is on the left-hand side of the screen. Move the cursor to one of the menu items to open the corresponding sub-menus.
On the right hand side there is an overview and the option for log-in as administrator on the ServiceServer.
Some of the menu items only display information; others allow settings to be changed. Menu items that allow changes often have a “Save” button in the lower left corner; entered data is only submitted after pressing “Save”. Some tables apply changes directly, so the “Save” button need not be pressed. Additionally, some actions require confirmation in a prompt.
This manual can also be found in the device in browser form. The help link in the submenu bar connects to the relevant chapter of this context-sensitive manual. In this process, the browser opens a new window or a new tab. Where no help pages are displayed after clicking the help link, please check to see if a new tab has appeared in the background or if you have received notification from a popup blocker.
Installation – quick set up guide
This chapter guides you through the configuration. Only the basic operating parameters are set here. For a more detailed and exhaustive explanation of all menu items, see Chapter 3, Configuration options of the ServiceServer.
Call up the web interface of the ServiceServer as described in the section “Initial contact set-up”.
Before proceeding, log on to the Server as Admin. Please click the link “Adminlogin” in the upper right hand corner to do so.
Enter Eurogard both as user name and password. After a successful login the Login link changes to a Logout link stating the name of the current user, in this case “Eurogard”.
You are now logged in as administrator on the Eurogard ServiceServer. Go through the various subsections in sequence.
Preparation of the ServiceServer
Open the main menu item “Server configuration” and the submenu item “Basic settings/LAN”. Settings which should be altered in all cases are the host and domain names. These names reappear in the certificates, which have to be generated in one of the next steps, as well as in the configuration files for the clients.
On the LAN side the Server has been set to the IP 192.168.155.1. If there is any reason to change this, please do so under menu item IP address in LAN network.
Where the LAN-IP has been changed, and after pressing the “Save” button, the Server can be accessed via its new IP. Please adjust the network settings of your PC accordingly.
If your computer is configured for address allocation via DHCP, briefly disconnect the network cable or make the following entry at the command prompt:
ipconfig /renew
Your computer should receive a new IP from the Server and display output similar to this:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\klaus>ipconfig /renew

Windows IP Configuration

No operation can be performed on Local Area Connection 2 while it has its media disconnected.

Ethernet adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.com
   Link-local IPv6 Address . . . . . : fe80::cd46:3019:dbd7:c9f1
   IPv4 Address. . . . . . . . . . . : 192.168.155.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.155.1
Adjust the entry in the address bar of your browser to the newly configured IP of the Server.
Please contact your company’s IT-administrator before assigning a valid host and domain name to the device. In case there is no sufficient infrastructure, for example due to the size of your business, your Internet provider may be able to supply you with the relevant names.
If your company’s Internet connection has a daily changing IP, the free service for dynamic DNS of DynDNS [http://www.dyndns.com] will be your best choice.
Alternatively, please contact our support hotline for assistance in making the most suitable choice.
Connection to the Internet
You can set your preferred access to the Internet under the menu item “Server configuration” → “Network access/WAN”. You can choose between Ethernet via DHCP or static IP, and PPPoE (DSL).
Select your type of access and test it. Go to Status-Logs → Diagnosis. You should be able to ping an Internet host such as google.com. This is a precondition for the following installation steps.
Try restarting if the device is unable to access the Internet in spite of correct settings. This can be done under Backup-Maintenance → Service.
In the default configuration, the UDP ports from 1195 upwards must be reachable from the Internet so that VPN clients can reach the Server. The number of consecutive ports depends on the number of service networks in use; the maximum number of service networks is determined by the Server hardware. If the Server sits behind a NAT firewall, set up port forwarding for this range and/or configure your firewall accordingly.
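As an added worked example, not code from the manual or from Eurogard, the following Python script does the planning that both this paragraph and the system description call for: it checks that the admin/LAN network and every service network use distinct, non-overlapping IP ranges, and it allocates one UDP port per service network counting up from the start port, so that the resulting range can be forwarded on the perimeter firewall. The one-port-per-service-network layout, the start port of 1195 and the sample networks are assumptions derived from the text above, not read from a device.

```python
import ipaddress

# Assumptions taken from the manual's text: VPN clients reach each service
# network on its own UDP port, allocated consecutively from the start port
# (1195 by default). Neither the exact mapping nor the names below were read
# from a device; they are illustration only.
DEFAULT_START_PORT = 1195


def plan_service_networks(admin_net, service_nets, start_port=DEFAULT_START_PORT):
    """Check that the admin/LAN network and all service networks are pairwise
    disjoint and allocate one UDP port per service network.

    admin_net    -- CIDR string of the LAN/admin network, e.g. "192.168.155.0/24"
    service_nets -- list of (name, cidr) pairs in the order they will be created

    Returns a list of (name, ipaddress.IPv4Network, udp_port) tuples.
    Raises ValueError on a malformed CIDR (host bits set) or on the first overlap.
    """
    admin = ipaddress.ip_network(admin_net, strict=True)
    seen = [("admin/LAN", admin)]
    plan = []
    for index, (name, cidr) in enumerate(service_nets):
        net = ipaddress.ip_network(cidr, strict=True)
        for other_name, other in seen:
            if net.overlaps(other):
                raise ValueError(f"{name} ({net}) overlaps {other_name} ({other}); "
                                 "every network needs its own address range")
        seen.append((name, net))
        plan.append((name, net, start_port + index))
    return plan


def forwarded_port_range(plan):
    """Return (first, last) UDP port that a NAT firewall in front of the
    ServiceServer must forward to its WAN address."""
    ports = [port for _, _, port in plan]
    return (min(ports), max(ports))


def format_plan(plan):
    """Human-readable summary, one line per service network plus the
    port-forwarding rule the perimeter firewall needs."""
    lines = [f"{name:<10} {str(net):<18} udp/{port}" for name, net, port in plan]
    first, last = forwarded_port_range(plan)
    lines.append(f"forward udp/{first}-{last} from the Internet to the Server's WAN IP")
    return "\n".join(lines)


# Constructed sample: a LAN on the default 192.168.155.0/24 and three plants.
SAMPLE_ADMIN = "192.168.155.0/24"
SAMPLE_PLANTS = [
    ("plant-a", "10.10.1.0/24"),
    ("plant-b", "10.10.2.0/24"),
    ("plant-c", "10.10.3.0/24"),
]

if __name__ == "__main__":
    print(format_plan(plan_service_networks(SAMPLE_ADMIN, SAMPLE_PLANTS)))
```

Run it with the networks you intend to configure before creating them on the Server; if it raises, resolve the overlap first, since the admin network can only reach every service network at once when their address ranges are disjoint.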
Time
For safe and stable VPN operation between Eurogard ServiceServer and Client-PCs or ServiceRouters, all subscribers require a synchronised time base.
By default, the Server synchronises its clock via the Internet using NTP. The time zone for Germany is pre-set. The Server's current time is shown in the upper right-hand corner, below the Adminlogin link. The time shown is the time at which the page was loaded, not a live clock. If the clock has not been set, the time indicated flashes red.
Certificates
As previously stated, every VPN client requires a certificate. The content of a certificate follows a fixed structure (X.509). In order to keep operation of the Server as simple as possible, most fields are set automatically; only a few remain for you to fill in.
Since a certificate is a kind of digital passport, it should contain “personal” data of its owner. Call up Server configuration → Certificates. Enter the relevant data for your company; the pre-filled text serves as an example. Enter your two-letter country code (ISO 3166-1 alpha-2), for example DE for Germany or AT for Austria. Confirm your settings by pressing the “save” button in the bottom right corner of your screen.
Caution
After the validity period has expired, access to the VPN with the expired certificate is no longer possible. Set up a reminder in good time so that new certificates can be created and distributed before the old ones expire.
Initiate the generation of the ServiceServer's certificates by clicking “generate new server certificates”. Since key generation needs random data, the duration of this process varies. Please be patient as this may take several minutes.
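Added example, not part of the manual or of Eurogard's software: the Caution box above asks for a reminder before certificate expiry, and the Time section explains why all participants need a synchronised clock. The following Python script serves both. It parses the validity window that `openssl x509 -in server.crt -noout -dates` prints for an exported certificate and classifies it against a given clock, reporting not only expiry and approaching expiry but also the “not yet valid” case that an unset or skewed clock produces. The file name server.crt, the 30-day warning threshold and the sample dates are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Date format printed by `openssl x509 -noout -dates`, for example
#   notBefore=Jan  7 09:12:31 2014 GMT
#   notAfter=Jan  6 09:12:31 2015 GMT
# (single-digit days are padded with a space; strptime tolerates that).
_OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_dates(text):
    """Return (not_before, not_after) as aware UTC datetimes from the
    notBefore=/notAfter= lines that `openssl x509 -dates` prints."""
    values = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), _OPENSSL_DATE)
            values[key] = parsed.replace(tzinfo=timezone.utc)
    if set(values) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return values["notBefore"], values["notAfter"]


def check_validity_window(not_before, not_after, now, warn_days=30):
    """Classify a certificate against the clock 'now' (on the ServiceServer
    that clock comes from NTP; on a client PC it is the local clock).

    Returns one of:
      'not-yet-valid'  now is before notBefore: typically an unset or skewed clock
      'expired'        now is at or past notAfter: VPN access is refused
      'expiring-soon'  valid, but fewer than warn_days remain: renew now
      'ok'             valid with at least warn_days remaining
    """
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    if not_after - now < timedelta(days=warn_days):
        return "expiring-soon"
    return "ok"


def classify_openssl_output(text, now_iso, warn_days=30):
    """Convenience wrapper: openssl output plus an ISO 8601 UTC timestamp."""
    not_before, not_after = parse_openssl_dates(text)
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return check_validity_window(not_before, not_after, now, warn_days)


# Constructed sample of what `openssl x509 -in server.crt -noout -dates`
# might print for a certificate issued with a one-year validity.
SAMPLE_DATES = """\
notBefore=Jan  7 09:12:31 2014 GMT
notAfter=Jan  6 09:12:31 2015 GMT
"""

if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(tzinfo=None).isoformat()
    print(classify_openssl_output(SAMPLE_DATES, now))
```

Feeding the script the exported server certificate from a cron job (and the client certificates from the PCs that use them) gives the expiry reminder the Caution box asks for; a “not-yet-valid” result on a freshly generated certificate points at the clock of the machine you ran it on, not at the certificate.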
Next steps
Your ServiceServer is ready for operation. Under the menu items Server configuration → Service networks and Server configuration → Accounts you can now set up a service network and/or a VPN client account.
OpenVPN
Call up the menu item Server configuration → OpenVPN. Set the selection field to “on” and press “save”. When this process is completed, the Server is ready for operation.
Chapter 3. Configuration options of the ServiceServer
This chapter describes the configuration of the Server in detail. To put the Server into an operational state quickly, which is sufficient for most applications, refer to the section “Installation – quick set up guide”.
The structure of this chapter follows the main menu of the Server configuration.