How it Works
Phoenix Contact
Loading...
R
S
T
U
Loading...
Loading...
TC MGUARD RS4000 4G VPN
User Manual
270 pgs5.31 Mb0
Table of contents
Loading...

Phoenix Contact FL MGUARD RS2000 TX/TX VPN, FL MGUARD RS4004 TX/TX VPN, FL MGUARD RS2005 TX VPN, TC MGUARD RS4000 3G VPN, TC MGUARD RS4000 3G User Manual

...
Download
Installing and starting up the mGuard hardware
User manual
User manual
Installing and starting up the mGuard hardware
2018-02-21
Designation:
Revision:
Order No.:
This user manual is valid for the following devices of the mGuard product range: – FL MGUARD RS4000 – FL MGUARD RS2000 – FL MGUARD RS4004 – FL MGUARD RS2005 – TC MGUARD RS4000 3G – TC MGUARD RS2000 3G – TC MGUARD RS4000 4G – TC MGUARD RS2000 4G – FL MGUARD RS2000 TX/TX-B – FL MGUARD RS4000 TX/TX-P – FL MGUARD RS4000 TX/TX VPN-M – FL MGUARD GT/GT –FLMGUARDSMART2 – FL MGUARD PCI(E)4000 –FLMGUARDCENTERPORT – FL MGUARD DELTA TX/TX
UM EN MGUARD DEVICES
05
PHOENIX CONTACT 105656_en_05

Please observe the following notes

User group of this manual

The use of products described in this manual is oriented exclusively to qualified electricians or persons instructed by them, who are familiar with applicable standards and other regula­tions regarding electrical engineering and, in particular, the relevant safety concepts.

Explanation of symbols used and signal words

This is the safety alert symbol. It is used to alert you to potential personal injury hazards. Obey all safety measures that follow this symbol to avoid possible in­jury or death.
There are three different categories of personal injury that are indicated with a signal word.
DANGER This indicates a hazardous situation which, if not avoided, will re-
sult in death or serious injury.
WARNING This indicates a hazardous situation which, if not avoided, could
result in death or serious injury.
CAUTION This indicates a hazardous situation which, if not avoided, could
result in minor or moderate injury.
This symbol together with the signal word NOTE and the accompanying text alert the reader to a situation which may cause damage or malfunction to the device, hardware/software, or surrounding property.
This symbol and the accompanying text provide the reader with additional in­formation or refer to detailed sources of information.

How to contact us

Internet Up-to-date information on Phoenix Contact products and our Terms and Conditions can be
found on the Internet at:
phoenixcontact.com
Make sure you always use the latest documentation. It can be downloaded at:
phoenixcontact.net/products
Subsidiaries If there are any problems that cannot be solved using the documentation, please contact
your Phoenix Contact subsidiary. Subsidiary contact information is available at phoenixcontact.com
Published by PHOENIX CONTACT GmbH & Co. KG
Flachsmarktstraße 8 32825 Blomberg GERMANY
Should you have any suggestions or recommendations for improvement of the contents and layout of our manuals, please send your comments to:
tecdoc@phoenixcontact.com
.
PHOENIX CONTACT
General terms and conditions of use for technical documentation
Phoenix Contact reserves the right to alter, correct, and/or improve the technical documen­tation and the products described in the technical documentation at its own discretion and without giving prior notice, insofar as this is reasonable for the user. The same applies to any technical changes that serve the purpose of technical progress.
The receipt of technical documentation (in particular user documentation) does not consti­tute any further duty on the part of Phoenix Contact to furnish information on modifications to products and/or technical documentation. You are responsible to verify the suitability and intended use of the products in your specific application, in particular with regard to observ­ing the applicable standards and regulations. All information made available in the technical data is supplied without any accompanying guarantee, whether expressly mentioned, im­plied or tacitly assumed.
In general, the provisions of the current standard Terms and Conditions of Phoenix Contact apply exclusively, in particular as concerns any warranty liability.
This manual, including all illustrations contained herein, is copyright protected. Any changes to the contents or the publication of extracts of this document is prohibited.
Phoenix Contact reserves the right to register its own intellectual property rights for the product identifications of Phoenix Contact products that are used here. Registration of such intellectual property rights by third parties is prohibited.
Other product identifications may be afforded legal protection, even where they may not be indicated as such.

FCC Note

The FCC Statement applies to the following devices:
Class A: FL MGUARD RS4000, FL MGUARD RS2000, FL MGUARD RS4004, FL MGUARD RS2005, FL MGUARD SMART2, FL MGUARD PCI4000, FL MGUARD DELTA TX/TX, FL MGUARD GT/GT, FL MGUARD RS2000 TX/TX-B, FL MGUARD RS4000 TX/TX-P, FL MGUARD RS2000 TX/TX VPN-M. Class B: TC MGUARD RS4000 3G, TC MGUARD RS2000 3G, FL MGUARD CENTERPORT.
PHOENIX CONTACT

FCC Statement

This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired opera­tion.

FCC Statement

Class A Class B
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protec­tion against harmful interfer­ence when the equipment is operated in a commercial environment. This equip­ment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interfer­ence in a residential installation. This equipment gener­ates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruc­tions, may cause harmful interference to radio commu­nications. However, there is no guarantee that interfer­ence will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turn­ing the equipment off and on, the user is encouraged to try to correct the interference by one or more of the fol­lowing measures:
Reorient or relocate the receiving antenna. – Increase the separation between the equipment
Connect the equipment into an outlet on a circuit
to cause harmful interfer­ence in which case the user will be required to correct the
Consult the dealer or an experienced radio/TV
interference at his own ex­pense.
Changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority to operate the equipment.
FCC RF radiation Exposure Statement: This equip­ment complies with FCC RF exposure limits set forth for an uncontrolled environment. The antenna(s) used for this transmitter must be installed and operated with a minimum separation distance of 20 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter expect in accor­dance with the FCC multi-transmitter policy.
and receiver.
different from that to which the receiver is connected.
technician for help.
PHOENIX CONTACT
PHOENIX CONTACT

Table of contents

1 FL MGUARD RS4000/RS2000 ................................................................................................11
1.1 Operating elements and LEDs.............................................................................12
1.2 Startup.................................................................................................................14
1.3 Installation of FL MGUARD RS4000/RS2000...................................................... 15
1.4 Preparing the configuration..................................................................................21
1.5 Configuration in Stealth mode .............................................................................22
1.6 Establishing a local configuration connection......................................................25
1.7 Remote configuration .......................................................................................... 27
1.8 Serial interface..................................................................................................... 27
1.9 Restart, recovery procedure, and flashing the firmware.......................................28
1.10 Technical data..................................................................................................... 33
2 FL MGUARD RS4004/RS2005 ................................................................................................35
2.1 Operating elements and LEDs.............................................................................36
2.2 Startup.................................................................................................................38
2.3 Installing the FL MGUARD RS4004/RS2005.......................................................39
2.4 Preparing the configuration..................................................................................44
2.5 Configuration in Router mode..............................................................................44
2.6 Establishing a local configuration connection......................................................45
2.7 Remote configuration .......................................................................................... 47
2.8 Serial interface..................................................................................................... 47
2.9 Restart, recovery procedure, and flashing the firmware.......................................48
2.10 Technical data..................................................................................................... 53
3 TC MGUARD RS4000/RS2000 3G ..........................................................................................55
3.1 Operating elements and LEDs.............................................................................56
3.2 Startup.................................................................................................................58
3.3 Installation of TC MGUARD RS4000/RS2000 3G ...............................................59
3.4 Preparing the configuration..................................................................................66
3.5 Configuration in Router mode..............................................................................66
3.6 Establishing a local configuration connection......................................................67
3.7 Remote configuration .......................................................................................... 69
3.8 Serial interface..................................................................................................... 69
3.9 Restart, recovery procedure, and flashing the firmware.......................................70
3.10 Technical data..................................................................................................... 75
105656_en_05 PHOENIX CONTACT 7
4 TC MGUARD RS4000/RS2000 4G ..........................................................................................77
4.1 Operating elements and LEDs.............................................................................78
4.2 Startup.................................................................................................................80
4.3 Installation of TC MGUARD RS4000/RS2000 4G ...............................................81
4.4 Preparing the configuration..................................................................................88
4.5 Configuration in Router mode..............................................................................88
4.6 Establishing a local configuration connection...................................................... 89
4.7 Remote configuration .......................................................................................... 91
4.8 Serial interface..................................................................................................... 91
4.9 Restart, recovery procedure, and flashing the firmware....................................... 92
4.10 Technical data..................................................................................................... 96
5 FL MGUARD RS2000 TX/TX-B ...............................................................................................99
5.1 Operating elements and LEDs...........................................................................100
5.2 Startup...............................................................................................................101
5.3 Installation of FL MGUARD RS2000 TX/TX-B................................................... 102
5.4 Preparing the configuration................................................................................108
5.5 Serial interface................................................................................................... 110
5.6 Restart, recovery procedure, and flashing the firmware.....................................111
5.7 Technical data................................................................................................... 117
6 FL MGUARD RS4000 TX/TX-P .............................................................................................119
6.1 Operating elements and LEDs...........................................................................120
6.2 Safety notes ......................................................................................................122
6.3 Startup...............................................................................................................123
6.4 Installation of FL MGUARD RS4000 TX/TX-P...................................................124
6.5 Preparing the configuration................................................................................129
6.6 Configuration in Stealth mode ...........................................................................130
6.7 Establishing a local configuration connection....................................................132
6.8 Remote configuration ........................................................................................134
6.9 Serial interface................................................................................................... 134
6.10 Restart, recovery procedure, and flashing the firmware.....................................135
6.11 Technical Data ..................................................................................................140
8 PHOENIX CONTACT 105656_en_05
Table of contents
7 FL MGUARD RS4000 TX/TX VPN-M ....................................................................................143
7.1 Operating elements and LEDs........................................................................... 144
7.2 Startup...............................................................................................................146
7.3 Installation of FL MGUARD RS4000 TX/TX VPN-M ..........................................147
7.4 Preparing the configuration................................................................................152
7.5 Configuration in Stealth mode ...........................................................................153
7.6 Establishing a local configuration connection....................................................156
7.7 Remote configuration ........................................................................................158
7.8 Serial interface................................................................................................... 158
7.9 Restart, recovery procedure, and flashing the firmware.....................................159
7.10 Technical data................................................................................................... 164
8 FL MGUARD GT/GT ..............................................................................................................165
8.1 Operating elements and LEDs........................................................................... 166
8.2 Startup...............................................................................................................170
8.3 Installation of FL MGUARD GT/GT ...................................................................171
8.4 Preparing the configuration................................................................................181
8.5 Establishing a local configuration connection....................................................183
8.6 Remote configuration ........................................................................................185
8.7 Serial interface................................................................................................... 185
8.8 Restart, recovery procedure, and flashing the firmware.....................................186
8.9 Technical data................................................................................................... 192
9 FL MGUARD PCI(E)4000 ......................................................................................................195
9.1 Operating elements and LEDs........................................................................... 196
9.2 Startup...............................................................................................................197
9.3 Installation of FL MGUARD PCI4000 ................................................................ 198
9.4 Preparing the configuration................................................................................199
9.5 Configuration in Stealth mode ...........................................................................200
9.6 Establishing a local configuration connection....................................................205
9.7 Remote configuration ........................................................................................207
9.8 Restart, recovery procedure, and flashing the firmware.....................................208
9.9 Technical data................................................................................................... 212
105656_en_05 PHOENIX CONTACT 9
10 FL MGUARD SMART2 ..........................................................................................................213
10.1 Operating elements and LEDs...........................................................................214
10.2 Startup...............................................................................................................215
10.3 Connecting the FL MGUARD SMART2 ............................................................216
10.4 Preparing the configuration................................................................................217
10.5 Configuration in Stealth mode ...........................................................................218
10.6 Establishing a local configuration connection....................................................221
10.7 Remote configuration ........................................................................................223
10.8 Restart, recovery procedure, and flashing the firmware.....................................224
10.9 Technical data ..................................................................................................228
11 FL MGUARD CENTERPORT ................................................................................................229
11.1 Operating elements and LEDs...........................................................................230
11.2 Startup...............................................................................................................231
11.3 Installing and booting the FL MGUARD CENTERPORT ................................... 232
11.4 Preparing the configuration................................................................................236
11.5 Establishing a local configuration connection....................................................237
11.6 Remote configuration ........................................................................................239
11.7 Serial interface................................................................................................... 239
11.8 Restart, recovery procedure, and flashing the firmware.....................................240
11.9 Technical data................................................................................................... 246
12 FL MGUARD DELTA TX/TX ..................................................................................................247
12.1 Operating elements and LEDs...........................................................................248
12.2 Startup...............................................................................................................249
12.3 Connecting the FL MGUARD DELTA TX/TX .................................................... 250
12.4 Preparing the configuration................................................................................251
12.5 Configuration in Stealth mode ...........................................................................252
12.6 Establishing a local configuration connection....................................................255
12.7 Remote configuration ........................................................................................257
12.8 Serial interface................................................................................................... 257
12.9 Restart, recovery procedure, and flashing the firmware.....................................258
12.10 Technical data................................................................................................... 263
13 Assigning IP addresses and setting up DHCP/TFTP servers .................................................265
13.1 Assigning the IP address using IPAssign.exe....................................................265
13.2 Installing the DHCP and TFTP server................................................................ 268
10 PHOENIX CONTACT 105656_en_05

1 FL MGUARD RS4000/RS2000

Table 1-1 Currently available products

Product designation Phoenix Contact order number

FL MGUARD RS4000 TX/TX 2700634 FL MGUARD RS4000 TX/TX VPN 2200515 FL MGUARD RS2000 TX/TX VPN 2700642
Product description
The FL MGUARD RS4000 is a security router with intelligent firewall and optional IPsec VPN (optionally up to 10 or up to 250 tunnels). It has been designed for use in industry to accommodate strict distributed security and high availability requirements.
The FL MGUARD RS2000 is a version with basic firewall and integrated IPsec VPN (max­imum of two tunnels). Its scope of functions is reduced to the essentials. It is suitable for se­cure remote maintenance applications in industry and enables the quick startup of robust field devices for industrial use, thereby facilitating error-free, independent operation.
Both versions support a replaceable configuration memory in the form of an SD card. (The SD cards are not supplied as standard.) The fanless metal housing is mounted on a DIN rail.
The following connectivity options are available
FL MGUARD RS4000/RS2000
FL MGUARD RS4000: (LAN/WAN) FL MGUARD RS2000: (LAN/WAN)
TX/TX Ethernet/Ethernet TX/TX VPN Ethernet/Ethernet + VPN TX/TX VPN Ethernet/Ethernet + VPN
Figure 1-1 FL MGUARD RS4000/RS2000
105656_en_05 PHOENIX CONTACT 11
FL MGUARD RS4000/RS2000
LEDs, see Table 1-2
For plug-in screw terminal blocks, assignment, refer to Page 16 and Page 20
Configuration
(SD card)
Connections below: RS-232 interface
Reset button

1.1 Operating elements and LEDs

Figure 1-2 Operating elements and LEDs on the FL MGUARD RS4000
Table 1-2 LEDs on the FL MGUARD RS4000 and FL MGUARD RS2000
LED State Meaning P1 Green On Power supply 1 is active P2 Green On Power supply 2 is active (FL MGUARD RS2000: not used) STAT Green Flashing Heartbeat. The device is correctly connected and operating. ERR Red Flashing System error. Restart the device.
Press the Reset button (for 1.5 seconds). – Alternatively, briefly disconnect the device power supply and then connect it
again.
If the error is still present, start the recovery procedure (see Page 29) or contact your dealer.
STAT+ E R R Flashing alter-
nately: green and red
SIG –(Not used) FAULT Red On The signal output changes to the low level due to an error (inverted control logic) (see
MOD Green On Connection via modem established
Boot process. When the device has just been connected to the power supply. After
a few seconds, this LED changes to the heartbeat state.
Page 18 or Page 19). The signal output is inactive during a restart.
12
PHOENIX CONTACT 105656_en_05
FL MGUARD RS4000/RS2000
Table 1-2 LEDs on the FL MGUARD RS4000 and FL MGUARD RS2000 [...]
LED State Meaning INFO Green On Up to firmware version 8.0: the configured VPN connection has been established
As of firmware version 8.1, the configured VPN connections are established or the firewall rule records defined at output O1 are activated
Flashing Up to firmware version 8.0: the configured VPN connection is being established or
aborted
As of firmware version 8.1: the configured VPN connections are being established or aborted or the defined firewall rule records are activated or deactivated.
LAN Green On The LAN/WAN LEDs are located in the LAN/WAN sockets (10/100 and duplex LED) WAN Green On
Ethernet status. Indicates the status of the LAN or WAN port. As soon as the device
is connected to the relevant network, a continuous light indicates that there is a con­nection to the network partner in the LAN or WAN. When data packets are transmit­ted, the LED goes out briefly.
105656_en_05 PHOENIX CONTACT 13
FL MGUARD RS4000/RS2000

1.2 Startup

1.2.1 Safety notes

To ensure correct operation and the safety of the environment and of personnel, the device must be installed, operated, and maintained correctly.
NOTE: Risk of material damage due to incorrect wiring
Only connect the device network ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the device.
General notes regarding usage
NOTE: Select suitable ambient conditions
Ambient temperature:
-20°C ... +60°C
Maximum humidity, non-condensing
5% ... 95%
To avoid overheating, do not expose the device to direct sunlight or other heat sources.
NOTE: Cleaning
Clean the device housing with a soft cloth. Do not use aggressive solvents.

1.2.2 Checking the scope of supply

Before startup, check the scope of supply to ensure nothing is missing.
The scope of supply includes:
–The device – Package slip – Plug-in screw terminal blocks for the power supply connection and inputs/outputs (in-
serted)
14
PHOENIX CONTACT 105656_en_05
FL MGUARD RS4000/RS2000

1.3 Installation of FL MGUARD RS4000/RS2000

1.3.1 Mounting/removal

Mounting The device is ready to operate when it is supplied. The recommended sequence for mount-
ing and connection is as follows:
Mount the FL MGUARD RS4000/RS2000 on a grounded 35 mm DIN rail according to DINEN60715.
Figure 1-3 Mounting the FL MGUARD RS4000/RS2000 on a DIN rail
Attach the top snap-on foot of the FL MGUARD RS4000/RS2000 to the DIN rail and then press the FL MGUARD RS4000/RS2000 down towards the DIN rail until it engag­es with a click.
Removal Remove or disconnect the connections.
To remove the FL MGUARD RS4000/RS2000 from the DIN rail, insert a screwdriver
horizontally in the locking slide under the housing, pull it down – without tilting the screwdriver – and then pull up the FL MGUARD RS4000/RS2000.
105656_en_05 PHOENIX CONTACT 15
FL MGUARD RS4000/RS2000

1.3.2 Connecting to the network

NOTE: Only connect the device network ports to LAN installations. Some telecommuni-
cations connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the device.
Connect the device to the network. To do this, you need a suitable UTP cable (CAT5) which is not included in the scope of supply.
Connect the internal network interface LAN 1 of the device to the corresponding Ether­net network card of the configuration computer or a valid network connection of the in­ternal network (LAN).

1.3.3 Service contacts

NOTE: Do not connect the voltage and ground outputs US (resp. CMD V+) and GND to
an external voltage source.
Please note that only the “Service 1” contacts are used with firmware version up to and including 7.6.x. The “Service 2” contacts shall be made available as of firmware version
8.1.
The plug-in screw terminal blocks of the service contacts may be removed or inserted during operation of the device.
16
PHOENIX CONTACT 105656_en_05
FL MGUARD RS4000/RS2000
FL MGUARD RS4000
FL MGUARD RS2000
US I1/I2 GND O1/O2
Voltage out­put (+)
Supply volt­age
Service 1 + 2
Example Example
1
Maximum of 250 mA at 11 ... 36 V DC
2
11 V ... 36 V when operating correctly; disconnected in the event of a fault
Switching input 11 ... 36 V DC
Ground out­put (-)
Supply volt­age
Short-cir­cuit-proof switching output
The following description of the contacts is also possible:
24V 0V 24V 0V
+24 V 0 V +24 V 0 V See Section 1.3.4 Only for
1
Power
FL MGUARD RS4000
See Section 1.3.4
GND O3 GND O4
Not used Not used Signal out-
put (-)
Signal out-
2
put (+)
Contact
CMD V+ CMD GND ACK
Voltage out­put (+)
Supply volt­age
Service 1 + 2
Example Example
1
Maximum of 250 mA at 11 ... 36 V DC
2
11 V ... 36 V when operating correctly; disconnected in the event of a fault
Switching input 11 ... 36 V DC
Ground out­put (-)
Supply volt­age
Short-cir­cuit-proof switching output
A push button or an on/off switch (e.g., key switch) can be connected between service contacts US and I (resp. CMD V+ and CMD).
The contacts O1/O2 (+) and O4 (+) (resp. ACK and FAULT) are non-floating, continuously short-circuit-proof and supply a maximum of 250 mA.
US1 GND US2 GND
+24 V 0 V +24 V 0 V See Section 1.3.4 Only for
1
Power
FL MGUARD RS4000
See Section 1.3.4
GND AUX GND FAU LT
Not used Not used Signal out-
put (-)
Signal out-
2
put (+)
Contact
105656_en_05 PHOENIX CONTACT 17
FL MGUARD RS4000/RS2000
The switching inputs and switching outputs can be connected with signals from external de­vices, e.g., with signals from PLCs. In this case, ensure the same potential as well as voltage and current specifications are defined.
Depending on the firmware version used, the service contacts can be used for various switching or signaling tasks.
Service contacts as of firmware version 8.1
Input/CMD I1, CMD I2 Via the web interface under “Management, Service I/O”, you can set whether a push button
or an on/off switch has been connected to the inputs. One or more freely selectable VPN connections or firewall rule records can be switched via the corresponding switch. A mixture of VPN connections and firewall rule records is also possible. The web interface displays which VPN connections and which firewall rule records are connected to this input.
The push button or on/off switch is used to establish and release predefined VPN connec­tions or the defined firewall rule records.
Operating a connected push button
Operating a connected on/off switch
Signal contact (signal out­put) O1, O2 resp. ACK
Alarm output O4 resp. FAULT
To switch on the selected VPN connections or firewall rule records, press and hold the
push button for a few seconds and then release the push button.
To switch off the selected VPN connections or firewall rule records, press and hold the push button for a few seconds and then release the push button.
To switch on the selected VPN connections or firewall rule records, set the switch to ON.
To switch off the selected VPN connections or firewall rule records, set the switch to OFF.
Via the web interface under “Management, Service I/O” you can set whether certain VPN connections or firewall rule records are monitored and displayed via the LED Info 1 (out­put/O1 resp. ACK) or LED Info 2 (output/O2 resp. ACK).
If VPN connections are being monitored, an illuminated Info LED indicates that VPN con­nections are established.
The O4 alarm output monitors the function of the FL MGUARD RS4000/RS2000 and there­fore enables remote diagnostics.
The Fault LED lights up red if the signal output changes to the low level due to an error (in­verted control logic).
The O4 alarm output reports the following when “Management, Service I/O, Alarm output” has been activated.
Failure of the redundant supply voltage – Monitoring of the link status of the Ethernet connections – Monitoring of the temperature condition – Monitoring of the redundancy status – Monitoring of the connection state of the internal modem
18
PHOENIX CONTACT 105656_en_05
FL MGUARD RS4000/RS2000
Service contacts up to firmware version 8.0
The push button or on/off switch is used to establish and release a predefined VPN connec­tion.
The output indicates the status of the VPN connection (in the web interface under “IPsec VPN >> Global >> Options”).
Operating a connected push button
To establish the VPN connection, hold down the button for a few seconds until the INFO
LED flashes. Only then release the button. Flashing indicates that the device has received the command to establish the VPN con-
nection and is establishing the VPN connection. As soon as the VPN connection is es­tablished, the INFO LED remains lit continuously.
To release the VPN connection, hold down the button for a few seconds until the signal output flashes or goes out. Only then release the button.
As soon as the INFO LED goes out, the VPN connection is released.
Operating a connected on/off switch
To establish the VPN connection, set the switch to the ON position.
To release the VPN connection, set the switch to the OFF position.
INFO LED If the INFO LED does not light up, this generally indicates that the defined VPN connection
is not present. Either the VPN connection was not established or it has failed due to an error.
If the INFO LED is illuminated, the VPN connection is present.
If the INFO LED is flashing, the VPN connection is being established or released.
Signal contact (signal out­put)
The signal contact monitors the function of the FL MGUARD RS4000/RS2000 and thus en­ables remote diagnostics.
The FAULT LED lights up red if the signal output changes to the low level due to an error (inverted control logic).
The voltage at the signal contact corresponds to the supply voltage applied. The following is reported when monitoring the output voltage:
Failure of at least one of the two supply voltages. – Power supply of the FL MGUARD RS4000/RS2000 below the limit value (supply volt-
age 1 and/or 2 lower than 11 V).
Link status monitoring of the Ethernet connections, if configured. By default upon deliv-
ery, the connection is not monitored. Monitoring can be activated (on the web interface under “Management >> System Settings >> Signal Contact”).
Error during selftest.
During a restart, the signal contact is switched off until the FL MGUARD RS4000/RS2000 has started up completely. This also applies when the signal contact is manually set to “Closed” under “Manual settings” in the software configuration.
105656_en_05 PHOENIX CONTACT 19
FL MGUARD RS4000/RS2000
FL MGUARD RS4000
FL MGUARD RS2000

1.3.4 Connecting the supply voltage

WARNING: The FL MGUARD RS4000/RS2000 is designed for operation with a DC volt-
age of 11 V DC ... 36 V DC/SELV, 1.5 A, maximum. Therefore, only SELV circuits with voltage limitations according to EN 60950-1 may be
connected to the supply connections and the signal contact.
The supply voltage is connected via a plug-in screw terminal block, which is located on the top of the device.
Figure 1-4 Connecting the supply voltage
Instead of the designation 24V/24V the designation US1/US2 is also used.
The FL MGUARD RS4000 has a redundant supply voltage. If you only connect one supply voltage, you will get an error message.
Remove the plug-in screw terminal blocks for the power supply and the service con­tacts.
Do not connect the service contacts to an external voltage source.
Wire the supply voltage lines with the corresponding screw terminal block 24V/24V (re-
sp. US1/US2) of the device. Tighten the screws on the screw terminal blocks with
0.5 ... 0.8 Nm.
Insert the screw terminal blocks into the intended sockets on the top of the device (see Figure 1-4).
Status LED P1 lights up green when the supply voltage has been connected properly. On the FL MGUARD RS4000, the status indicator P2 also lights up if there is a redundant sup­ply voltage connection.
The device boots the firmware. Status STAT LED flashes green. The device is ready for op­eration as soon as the Ethernet socket LEDs light up. Additionally, status LEDs P1/P2 light up green and the status STAT LED flashes green at heartbeat.
Redundant voltage supply (FL MGUARD RS4000)
A redundant supply voltage can be connected. Both inputs are isolated. The load is not dis­tributed. With a redundant supply, the power supply unit with the higher output voltage sup­plies the FL MGUARD RS4000 alone. The supply voltage is electrically isolated from the housing.
If the supply voltage is not redundant, the FL MGUARD RS4000 indicates the failure of the supply voltage via the signal contact. This message can be prevented by feeding the supply voltage via both inputs 24V/24V (resp. US1/US2)) or by installing an appropriate wire jump­er between connections 24V and 24V (resp. US1 and US2).
20
PHOENIX CONTACT 105656_en_05
FL MGUARD RS4000/RS2000

1.4 Preparing the configuration

1.4.1 Connection requirements

–The FL MGUARD RS4000/RS2000 must be connected to at least one active power
supply unit.
For local configuration: The computer that is to be used for configuration must be
connected to the LAN socket on the device.
For remote configuration: The device must be configured so that remote configura-
tion is permitted.
The device must be connected, i.e., the required connections must be working.

1.4.2 Local configuration on startup (EIS)

As of firmware version 7.2, initial startup of mGuard products provided in Stealth mode is considerably easier. From this version onwards, the EIS (Easy Initial Setup) procedure en­ables startup to be performed via preset or user-defined management addresses without actually having to connect to an external network.
The device is configured using a web browser on the computer used for configuration.
NOTE: The web browser used must support SSL encryption (i.e., HTTPS).
According to the default setting, the device can be accessed via the following addresses:
Table 1-3 Preset addresses
Default setting Network mode Management IP #1 Management IP #2
FL MGUARD RS4000 Stealth https://1.1.1.1/ https://192.168.1.1/ FL MGUARD RS2000 Stealth https://1.1.1.1/ https://192.168.1.1/
The device is preset to the “multiple Clients” stealth configuration. You need to configure a management IP address and default gateway if you want to use VPN connections (see Page 25). Alternatively, you can select a different stealth configuration or use another net­work mode.
105656_en_05 PHOENIX CONTACT 21
FL MGUARD RS4000/RS2000

1.5 Configuration in Stealth mode

On initial startup, the device can be accessed via two addresses: – https://192.168.1.1/ (see Page 23) – https://1.1.1.1/ (see Page 23)
Alternatively, an IP address can be assigned via BootP (see “Assigning the IP address via BootP” on page 24).
The device can be accessed via https://192.168.1.1/ if the external network interface is not connected on startup.
Computers can access the device via https://1.1.1.1/ if they are directly or indirectly con­nected to the LAN port of the device. For this purpose, the device with LAN port and WAN port must be integrated in an operational network in which the default gateway can be ac­cessed via the WAN port.
After access via IP address 192.168.1.1 and successful login, IP address
192.168.1.1 is set as a fixed management IP address.
After access via IP address 1.1.1.1 or after IP address assignment via BootP, the
product can no longer be accessed via IP address 192.168.1.1.
22
PHOENIX CONTACT 105656_en_05
FL MGUARD RS4000/RS2000

1.5.1 IP address 192.168.1.1

In Stealth mode, the device can be accessed via the LAN interface via IP address
192.168.1.1 within network 192.168.1.0/24, if one of the following conditions applies. – The device is in the delivery state. – The device was reset to the default settings via the web interface and restarted. – The rescue procedure (flashing of the device) or the recovery procedure has been
performed.
To access the configuration interface, it may be necessary to adapt the network configura­tion of your computer.
Under Windows 7, proceed as follows:
In the Control Panel, open the “Network and Sharing Center”.
Click on “LAN connection”. (The “LAN connection” item is only displayed if a connection
exists from the LAN interface on the computer to a mGuard device in operation or an­other partner).
Click on “Properties”.
Select the menu item “Internet protocol Version 4 (TCP/IPv4)”.
Click on “Properties”.
First select “Use the following IP address” under “Internet Protocol Version 4 Proper-
ties”, then enter the following address, for example:
IP address: 192.168.1.2 Subnet mask: 255.255.255.0 Default gateway: 192.168.1.1
With a configured network interface
Depending on the configuration of the device, it may then be necessary to adapt the net­work interface of the locally connected computer or network accordingly.

1.5.2 IP address https://1.1.1.1/

In order for the device to be addressed via address https://1.1.1.1/, it must be connected to a configured network interface. This is the case if it is connected in an existing network connection and if the default gateway can be accessed via the WAN port of the device at the same time.
In this case, the web browser establishes a connection to the mGuard configuration inter­face after the address https://1.1.1.1/ is entered (see “Establishing a local configuration con­nection” on page 25). Continue from this point.
After access via IP address 1.1.1.1, the product can no longer be accessed via IP address
192.168.1.1
105656_en_05 PHOENIX CONTACT 23
FL MGUARD RS4000/RS2000

1.5.3 Assigning the IP address via BootP

After assigning an IP address via BootP, the product can no longer be accessed via IP ad­dress 192.168.1.1
For IP address assignment, the device uses the BootP protocol. The IP address can also be assigned via BootP. On the Internet, numerous BootP servers are available. You can use any of these programs for address assignment.
Section 13.1 explains IP address assignment using the free Windows software “IP Assignment Tool” (IPAssign.exe).
Notes for BootP
During initial startup, the device transmits BootP requests without interruption until it re­ceives a valid IP address. After receiving a valid IP address, the device no longer sends BootP requests. The product can then no longer be accessed via IP address 192.168.1.1.
After receiving a BootP reply, the device no longer sends BootP requests, not even after it has been restarted. For the device to send BootP requests again, it must either be set to the default settings or one of the procedures (recovery or flash) must be performed.
24
PHOENIX CONTACT 105656_en_05
FL MGUARD RS4000/RS2000

1.6 Establishing a local configuration connection

Web-based administrator interface
The device is configured via a web browser that is executed on the configuration computer.
NOTE: The web browser used must support SSL encryption (i.e., HTTPS).
The device can be accessed via one of the following addresses:
Table 1-4 Preset addresses
Default setting Network
mode
FL MGUARD RS4000 Stealth https://1.1.1.1/ https://192.168.1.1/ FL MGUARD RS2000 Stealth https://1.1.1.1/ https://192.168.1.1/
Proceed as follows:
Start a web browser.
Make sure that the browser, when it is started, does not automatically establish a con-
nection as otherwise the connection establishment to the device may be more difficult.
In Internet Explorer, make the following settings:
In the “Tools” menu, select “Internet Options” and click on the “Connections” tab:
Under “Dial-up and Virtual Private Network settings”, select “Never dial a connection”.
Enter the address of the device completely into the address line of the web browser (re-
fer to Table 1-4).
You access the administrator website of the device.
If the administrator web page of the device cannot be accessed
Management IP #1 Management IP #2
If you have forgotten the configured address
If the administrator web page is not displayed
105656_en_05 PHOENIX CONTACT 25
If the address of the device in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the device must be reset to the default settings specified above for the IP address using the Recovery procedure (see “Performing a recov­ery procedure” on page 29).
If the web browser repeatedly reports that the page cannot be displayed, try the following:
Check whether the default gateway of the connected configuration computer is initial­ized (see “Local configuration on startup (EIS)” on page 21).
Disable any active firewalls.
Make sure that the browser does not use a proxy server.
In Internet Explorer (Version 8), make the following settings: “Tools” menu, “Internet Options”, “Connections” tab.
Click on “Properties” under “LAN settings”. Check that “Use a proxy server for your LAN” (under “Proxy server”) is not activated in the “Local Area Network (LAN) Settings” dialog box.
If other LAN connections are active on the computer, deactivate them until the configu­ration has been completed.
Under the Windows menu “Start, Settings, Control Panel, Network Connections” or “Network and Dial-up Connections”, right-click on the corresponding icon and select “Disable” in the context menu.
FL MGUARD RS4000/RS2000
After successful connection establishment
Once a connection has been established successfully, a security alert may be displayed.
Explanation: As administrative tasks can only be performed using encrypted access, a self-signed certif-
icate is supplied with the device.
Click “Yes to acknowledge the security alert.
The login window is displayed.
Figure 1-5 Login
To log in, enter the preset user name and password (please note these settings are case-sensitive):
User Name: admin Password: mGuard
The device can then be configured via the web interface. For additional information, please refer to the software reference manual.
For security reasons, we recommend you change the default root and administrator pass­words during initial configuration.
26
PHOENIX CONTACT 105656_en_05
FL MGUARD RS4000/RS2000

1.7 Remote configuration

Requirement The device must be configured so that remote configuration is permitted.
The option for remote configuration is disabled by default. Switch on the remote configuration option in the web interface under “Management >> Web
Settings”.
How to proceed To configure the device via its web user interface from a remote computer, establish the
Example If the device can be accessed over the Internet, for example, via address
Configuration The device can then be configured via the web interface. For additional information, please
connection to the device from there. Proceed as follows:
Start the web browser on the remote computer.
Under address, enter the IP address where the device can be accessed externally over
the Internet or WAN, together with the port number (if required).
https://123.45.67.89/ and port number 443 has been specified for remote access, the fol­lowing address must be entered in the web browser of the remote peer: https://123.45.67.89/
If a different port number is used, it should be entered after the IP address, e.g., https://123.45.67.89:442/
refer to the software reference manual.

1.8 Serial interface

Via the serial interface (RS232), a user can access the command line of the device. The fol­lowing parameters must be configured device-specific:
Baud rate: 57600 – Data bits / parity bit / stop bit: 8-N-1 – Hardware handshake RTS/CTS: Off (Default)
105656_en_05 PHOENIX CONTACT 27
FL MGUARD RS4000/RS2000
Reset button
1.9 Restart, recovery procedure, and flashing the firm-
ware
The Reset button is used to set the device to one of the following states: – Performing a restart – Performing a recovery procedure – Flashing the firmware/rescue procedure
Figure 1-6 Reset button

1.9.1 Performing a restart

Objective The device is restarted with the configured settings.
Action Press the Reset button for around 1.5 seconds until the ERR LED lights up.
(Alternatively, disconnect the power supply and then connect it again.)
28
PHOENIX CONTACT 105656_en_05

1.9.2 Performing a recovery procedure

Objective (up to 8.3.x) Up to mGuard firmware version 8.3.x
The network configuration (but not the rest of the configuration) is to be reset to the de-
livery state, as it is no longer possible to access the device. When performing the recovery procedure, the default network settings are established:
Table 1-5 Preset addresses
FL MGUARD RS4000/RS2000
Default setting Network
mode
FL MGUARD RS4000 Stealth https://1.1.1.1/ https://192.168.1.1/ FL MGUARD RS2000 Stealth https://1.1.1.1/ https://192.168.1.1/
The device is reset to Stealth mode with the default setting “multiple Clients”. – The CIFS integrity monitoring function is also disabled because this only works when
the management IP is active.
In addition, MAU management is switched on for Ethernet connections. HTTPS access
is enabled via the local Ethernet connection (LAN).
The settings configured for VPN connections and the firewall are retained, including
passwords.
Possible reasons for performing the recovery procedure:
The device is in Router or PPPoE mode. – The configured IP address of the device differs from the default setting. – The current IP address of the device is not known.
Up-to-date information on the recovery and flashing procedure can be found in the appli­cation note for your mGuard firmware version. You can find application notes under the following Internet address:
phoenixcontact.net/products.
Objective (8.4.0 or later) mGuard firmware version 8.4.0 or later
The complete configuration (and not only the network configuration) is to be reset to the
delivery state, as it is no longer possible to access the device.
The current configuration will be automatically be saved on the device and can be restored after the recovery procedure is finished.
When performing the recovery procedure, the default network settings are established:
Management IP #1 Management IP #2
Table 1-6 Preset addresses
Default setting Network
Management IP #1 Management IP #2
mode
FL MGUARD RS4000 Stealth https://1.1.1.1/ https://192.168.1.1/ FL MGUARD RS2000 Stealth https://1.1.1.1/ https://192.168.1.1/
Activity during the recovery procedure (mGuard firmware version 8.4.0 or later)
Before performing the recovery procedure, the current configuration of the device is stored in a newly generated configuration profile ( "Recovery-DATE"). After the recovery proce­dure has finished, the device starts with the Factory Default settings.
105656_en_05 PHOENIX CONTACT 29
FL MGUARD RS4000/RS2000
The configuration profile named "Recovery DATE" subsequently appears in the list of con­figuration profiles and can be edited and restored with or without changes.
Action Slowly press the Reset button six times.
After approximately 2 seconds, the STAT LED lights up green.
Press the Reset button slowly again six times. If successful, the STAT LED lights up green.
If unsuccessful, the ERR LED lights up red.
If successful, the device restarts after two seconds and switches to Stealth mode. The de­vice can then be reached again under the corresponding addresses.
mGuard firmware version 8.4.0 or later
After the recovery procedure has finished, log in to the web interface of the device.
Open the menu Management >> Configuration Profiles.
Choose the configuration profile, generated during the recovery procedure: „Recov-
ery-DATE“ (e.g. “Recovery-2016.12.01-18:02:50).
Click on the Icon „Edit profile“ to analyze the configuration profile and to restore it with or without changes.
Click on the Icon „Save“ to apply the changes.
30
PHOENIX CONTACT 105656_en_05
FL MGUARD RS4000/RS2000

1.9.3 Flashing the firmware/rescue procedure

Objective The entire mGuard firmware should be reloaded on the device.
All configured settings are deleted. The device is set to the delivery state. – In mGuard firmware version 5.0.0 or later, the licenses installed on the device are re-
tained after flashing the firmware. Therefore, they do not have to be installed again.
Possible reasons The administrator and root password have been lost.
Requirements Requirements for flashing
NOTE: During flashing, the firmware is always loaded from an SD card first. The firmware
is only loaded from a TFTP server if no SD card is found. The following requirements apply when loading the firmware from an SD card: – All necessary firmware files must be located in a common directory on the first parti-
tion of the SD card – This partition must use a VFAT file system (standard type for SD cards). To flash the firmware from a TFTP server, a TFTP server must be installed on the locally
connected computer (see “Installing the DHCP and TFTP server” on page 268).
NOTE: Installing a second DHCP server in a network could affect the configuration of the entire network.
The mGuard firmware has been obtained from your dealer's support team or the
nixcontact.net/products website and has been saved on a compatible SD card.
This SD card has been inserted into the device. – The relevant firmware files are available for download from the download page of
nixcontact.net/products. The files must be located under the following path names or in
the following folders on the SD card:
Firmware/install-ubi.mpc83xx.p7s
Firmware/ubifs.img.mpc83xx.p7s
phoe-
phoe-
105656_en_05 PHOENIX CONTACT 31
FL MGUARD RS4000/RS2000
Action To flash the firmware or to perform the rescue procedure, proceed as follows:
NOTE: Do not interrupt the power supply to the device during any stage of the flashing
procedure. Otherwise, the device could be damaged and may have to be reactivated by the manufacturer.
Hold down the Reset button until the STAT, MOD, and SIG LEDs light up green. Then,
the device is in the recovery state.
Release the Reset button within a second of entering the recovery state.
If the Reset button is not released, the device is restarted.
The device now starts the recovery system: It searches for a DHCP server via the LAN
interface in order to obtain an IP address.
The STAT LED flashes.
The “install.p7s” file is loaded from the TFTP server or SD card. It contains the electron-
ically signed control procedure for the installation process. Only files that are signed are
executed.
The control procedure deletes the current contents of the Flash memory and prepares
for a new firmware installation.
The STAT, MOD, and SIG LEDs form a running light.
The “jffs2.img.p7s” firmware file is downloaded from the TFTP server or SD card and
written to the Flash memory. This file contains the actual mGuard operating system and
is signed electronically. Only files signed by Phoenix Contact are accepted.
This process takes around 3 to 5 minutes. The STAT LED is lit continuously.
The new firmware is extracted and configured. This procedure takes 1 to 3 minutes.
As soon as the procedure is complete, the STAT, MOD, and SIG LEDs flash green simulta­neously.
Restart the device. To do this, briefly press the Reset button.
(Alternatively, disconnect the power supply and then connect it again.)
The device is in the delivery state. You can now configure it again (see “Establishing a local configuration connection” on page 25).
32
PHOENIX CONTACT 105656_en_05
FL MGUARD RS4000/RS2000

1.10 Technical data

Hardware properties FL MGUARD RS4000 FL MGUARD RS2000
Platform Freescale network processor with
Network interfaces 1 LAN port | 1 WAN port
Other interfaces Serial RS-232 | D-SUB 9 connector
Memory 128 MB RAM | 128 MB Flash | SD card
Redundancy options Optional: VPN | router and firewall Not available
Power supply Voltage range 11 ... 36 V DC, redundant Voltage range 11 ... 36 V DC
Power consumption 2.13 W, typical 2.13 W, typical
Humidity range 5% ... 95% (operation, storage), non-con-
Degree of protection IP20 IP20
Temperature range -20°C ... +60°C (operation)
Dimensions (H x W x D) 130 x 45 x 114 mm (up to DIN rail support) 130 x 45 x 114 mm (up to DIN rail support)
Weight 725 g (TX/TX) 725 g (TX/TX)
Weight (incl. packaging) 900 g (TX/TX) 900 g (TX/TX)
330 MHz clocking
Ethernet IEEE 802.3 10/100-BaseTX RJ45 | full duplex | auto MDIX
2 digital inputs and 2 digital outputs
Replaceable configuration memory
densing
-20°C ... +60°C (storage)
Freescale network processor with 330 MHz clocking
1 LAN port | 1 WAN port Ethernet IEEE 802.3 10/100-BaseTX RJ45 | full duplex | auto MDIX
Serial RS-232 | D-SUB 9 connector 2 digital inputs and 2 digital outputs
128 MB RAM | 128 MB Flash | SD card Replaceable configuration memory
5% ... 95% (operation, storage), non-con­densing
-20°C ... +60°C (operation)
-20°C ... +60°C (storage)
Firmware and power values FL MGUARD RS4000 FL MGUARD RS2000
Firmware compatibility For mGuard v7.4.0 or later: Phoenix Contact recommends the use of the latest firm-
Data throughput (Firewall) Router mode, default firewall rules, bidirectional throughput: 120 Mbps, maximum
Virtual Private Network (VPN) IPsec (IETF standard)
Hardware-based encryption DES | 3DES | AES-128/192/256 DES | 3DES | AES-128/192/256
Data throughput encrypted (IPsec VPN) Router mode, default firewall rules, bidirectional throughput: 30 Mbps, maximum
Management support Web GUI (HTTPS) | command line interface (SSH) | SNMP v1/2/3 | central device man-
Diagnostics LEDs (Power 1 + 2, State, Error, Signal,
ware version and patch releases in each case. For the scope of functions, please refer to the relevant firmware data sheet.
Stealth mode, default firewall rules, bidirectional throughput: 50 Mbps, maximum.
IPsec (IETF standard)
Optionally up to 250 VPN tunnels
Stealth mode, default firewall rules, bidirectional throughput: 20 Mbps, maximum
agement software
Fault, Modem, Info) signal contacts | ser­vice contacts | log file | remote syslog
Up to 2 VPN tunnels
LEDs (Power, State, Error, Signal, Fault, Modem, Info) signal contacts | service contacts | log file | remote syslog
Other FL MGUARD RS4000 FL MGUARD RS2000
Conformance CE | FCC | UL 508
ANSI/ISA 12.12 Class I Div. 2
Special features Realtime clock | Trusted Platform Module (TPM) | temperature sensor |
mGuard Remote Services Portal ready
105656_en_05 PHOENIX CONTACT 33
FL MGUARD RS4000/RS2000
34
PHOENIX CONTACT 105656_en_05

2 FL MGUARD RS4004/RS2005

Table 2-1 Currently available products

Product designation Phoenix Contact order number

FL MGUARD RS4004 DTX/TX 2701876 FL MGUARD RS4004 TX/TX VPN 2701877 FL MGUARD RS2005 TX VPN 2701875
Product description
The FL MGUARD RS4004 is suitable for distributed protection of production cells or indi­vidual machines against manipulation.
It features a 4-port managed LAN switch, one WAN port and one DMZ port, and a serial in­terface.
The serial interface can be switched to the WAN interface as redundancy path, for example. A dedicated DMZ port with its own firewall rules enables segmentation and differentiated safety concepts. You can integrate automation devices with serial interfaces into networks, as a COM server is integrated.
For software-independent remote maintenance, the FL MGUARD RS4004 can be used as a VPN router for optionally up to 250 parallel, IPsec-encrypted VPN tunnels.
The FL MGUARD RS2005 is a version with basic firewall and can be used as a VPN client for up to two parallel, IPsec-encrypted VPN tunnels. It is suitable for secure remote mainte­nance applications and enables connection of globally distributed machines and control­lers.
Both versions support a replaceable configuration memory in the form of an SD card. To in­crease safety, VPN connections can be switched on or off via a switch contact or software interface. The fanless metal housing is mounted on a DIN rail.
FL MGUARD RS4004/RS2005
Figure 2-1 FL MGUARD RS2005/FL MGUARD RS4004
105656_en_05 PHOENIX CONTACT 35
FL MGUARD RS4004/RS2005
Plug-in screw terminal blocks, for assignment, refer to page 40 and page 43
Reset button
LEDs, see Table 2-2
DMZ port
WAN port
LAN port (protected)
LAN port (protected)
LAN port (protected)
Slot for optional SD card
LAN port (protected)
RS-232 interface (bottom)

2.1 Operating elements and LEDs

Figure 2-2 Operating elements and LEDs on the FL MGUARD RS4004
Table 2-2 LEDs on the FL MGUARD RS4004 and FL MGUARD RS2005
LED State Meaning P1 Green On Power supply 1 is active P2 Green On Power supply 2 is active (FL MGUARD RS2005: not used) Stat Green Flashing Heartbeat. The device is correctly connected and operating. Err Red Flashing System error. Restart the device.
Stat + Err Flashing alternately:
Mod Green On Connection via modem established Fault Red On The signal output changes to the low level due to an error (inverted control logic).
36
PHOENIX CONTACT 105656_en_05
green and red
Press the reset button shortly (for 1.5 seconds). – Alternatively, briefly disconnect the device power supply and then connect it
again.
If the error is still present, start the recovery procedure (see page 49) or contact your dealer.
Boot process. When the device has been connected to the power supply. After a few seconds, this LED changes to the heartbeat state.
The signal output is inactive during a restart.
FL MGUARD RS4004/RS2005
Table 2-2 LEDs on the FL MGUARD RS4004 and FL MGUARD RS2005 [...]
LED State Meaning Info2 Green On The configured VPN connections are established at output O1 or the firewall re-
cords defined at output O1 are activated.
Flashing The configured VPN connections are being established or aborted at output O1 or
the firewall rule records defined at output O1 are activated or deactivated.
Info1 Green On The configured VPN connections are established at output O2 or the firewall re-
cords defined at output O2 are activated.
Flashing The configured VPN connections are being established or aborted at output O2 or
the firewall rule records defined at output O2 are activated or deactivated.
WAN 1 Green On The LEDs are located in the sockets (10/100 and duplex LED)
1
DMZ1
LAN 1–4/5
2
Green On Green On
Ethernet status. The LEDs indicate the status of the relevant port. As soon as the device is connected to the relevant network, a continuous light indicates that there is a connection to the network partner in the LAN, WAN or DMZ. When data pack­ets are transmitted, the LED goes out briefly.
1
FL MGUARD RS4004 only
2
FL MGUARD RS2005 only
105656_en_05 PHOENIX CONTACT 37
FL MGUARD RS4004/RS2005

2.2 Startup

2.2.1 Safety notes

To ensure correct operation and the safety of the environment and of personnel, the device must be installed, operated, and maintained correctly.
NOTE: Risk of material damage due to incorrect wiring
Only connect the device network ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the device.
For connecting a modem or serial terminal to the RS-232 interface, you will need a null modem cable not exceeding 10 m in length.
NOTE: Risk of damage to equipment due to noise emissions
This is a Class A item of equipment. This equipment can cause radio interference in resi­dential areas; in this case, the operator may be required to implement appropriate mea­sures.
NOTE: Electrostatic discharge
When handling the device, observe the necessary safety precautions against electrostat­ic discharge (ESD) in accordance with EN 61340-5-1 and IEC 61340-5-1.
General notes regarding usage
NOTE: Select suitable ambient conditions
Ambient temperature:
-20°C ... +60°C
Maximum humidity, non-condensing:
5% ... 95%
To avoid overheating, do not expose the device to direct sunlight or other heat sources.
NOTE: Cleaning
Clean the device housing with a soft cloth. Do not use aggressive solvents.

2.2.2 Checking the scope of supply

Before startup, check the scope of supply to ensure nothing is missing.
The scope of supply includes:
–Device – Package slip – Plug-in screw terminal blocks for the power supply connection and inputs/outputs (in-
serted)

2.2.3 mGuard-Firmware

The device must be operated with mGuard firmware version 8.1.5 or higher.
38
PHOENIX CONTACT 105656_en_05
FL MGUARD RS4004/RS2005

2.3 Installing the FL MGUARD RS4004/RS2005

2.3.1 Mounting/removal

NOTE: Device damage
Only mount and remove devices when the power supply is disconnected.
Mounting The device is ready to operate when it is supplied. The recommended sequence for mount-
ing and connection is as follows:
Mount the FL MGUARD RS4004/RS2005 on a grounded 35 mm DIN rail according to
DINEN60715.
Figure 2-3 Mounting the FL MGUARD RS4004/RS2005 on a DIN rail
Attach the top snap-on foot of the FL MGUARD RS4004/RS2005 to the DIN rail and
then press the FL MGUARD RS4004/RS2005 down towards the DIN rail until it engag-
es with a click.
Removal Remove or disconnect the connections.
To remove the FL MGUARD RS4004/RS2005 from the DIN rail, insert a screwdriver
horizontally in the locking slide under the housing, pull it down – without tilting the
screwdriver – and then pull up the FL MGUARD RS4004/RS2005.
105656_en_05 PHOENIX CONTACT 39
FL MGUARD RS4004/RS2005

2.3.2 Connecting to the network

NOTE: Risk of material damage due to incorrect wiring
Only connect the device network ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the device.
Connect the device to the network. To do this, you need a suitable UTP cable (CAT5)
which is not included in the scope of supply.
Connect the internal network interface LAN of the device to the corresponding Ethernet
network card of the configuration computer or a valid network connection of the internal
network (LAN).

2.3.3 Connecting the service contacts

NOTE: Do not connect the voltage and ground outputs US (resp. CMD V+) and GND to
an external voltage source.
The plug-in screw terminal blocks of the service contacts may be removed or inserted during operation of the device.
40
PHOENIX CONTACT 105656_en_05
FL MGUARD RS4004/RS2005
FL MGUARD RS4004
FL MGUARD RS2005
US I1/I2 GND O1/O2
Voltage out­put (+)
Supply volt­age
Service 1 + 2
Example Example
1
Maximum of 250 mA at 11 ... 36 V DC
2
11 V ... 36 V when operating correctly; disconnected in the event of a fault
Switching input 11 ... 36 V DC
Ground out­put (-)
Supply volt­age
Short-cir­cuit-proof switching output
The following description of the contacts is also possible:
24V 0V 24V 0V
+24 V 0 V +24 V 0 V See Section 2.3.4 Only for
1
Power
FL MGUARD RS4000
See Section 2.3.4
GND O3 GND O4
Not used Not used Signal out-
put (-)
Signal out-
2
put (+)
Contact
CMD V+ CMD GND ACK
Voltage out­put (+)
Supply volt­age
Service 1 + 2
Example Example
1
Maximum of 250 mA at 11 ... 36 V DC
2
11 V ... 36 V when operating correctly; disconnected in the event of a fault
Switching input 11 ... 36 V DC
Ground out­put (-)
Supply volt­age
Short-cir­cuit-proof switching output
A push button or an on/off switch (e.g., key switch) can be connected between service contacts US and I (resp. CMD V+ and CMD).
The contacts O1/O2 (+) and O4 (+) (resp. ACK and FAULT) are non-floating, continuously short-circuit-proof and supply a maximum of 250 mA.
US1 GND US2 GND
+24 V 0 V +24 V 0 V See Section 2.3.4 Only for
1
Power
FL MGUARD RS4004
See Section 2.3.4
GND AUX GND FAU LT
Not used Not used Signal out-
put (-)
Signal out-
2
put (+)
Contact
105656_en_05 PHOENIX CONTACT 41
FL MGUARD RS4004/RS2005
The switching inputs and switching outputs can be connected with signals from external de­vices, e.g., with signals from PLCs. In this case, ensure the same potential as well as voltage and current specifications are defined.
Depending on the firmware version used, the service contacts can be used for various switching or signaling tasks.
42
PHOENIX CONTACT 105656_en_05
FL MGUARD RS4004/RS2005
FL MGUARD RS4004
FL MGUARD RS2005

2.3.4 Connecting the supply voltage

WARNING: The FL MGUARD RS4000/RS2000 is designed for operation with a DC volt-
age of 11 V DC ... 36 V DC/SELV, 1.5 A, maximum. Therefore, only SELV circuits with voltage limitations according to EN 60950-1 may be
connected to the supply connections and the signal contact.
The supply voltage is connected via a plug-in screw terminal block, which is located on the top of the device.
Figure 2-4 Connecting the supply voltage
Instead of the designation 24V/24V the designation US1/US2 is also used.
The FL MGUARD RS4004 has a redundant supply voltage. If you only connect one supply voltage, you will get an error message.
Remove the plug-in screw terminal blocks for the power supply and the service con-
tacts.
Do not connect the service contacts to an external voltage source.
Wire the supply voltage lines with the corresponding screw terminal block 24V/24V (re-
sp. US1/US2) of the device. Tighten the screws on the screw terminal blocks with
0.5...0.8Nm.
Insert the screw terminal blocks into the intended sockets on the top of the device (see
Figure 2-4).
Status LED P1 lights up green when the supply voltage has been connected properly. On the FL MGUARD RS4004, the status indicator P2 also lights up if there is a redundant sup­ply voltage connection.
The device boots the firmware. Status STAT LED flashes green. The device is ready for op­eration as soon as the Ethernet socket LEDs light up. Additionally, status LEDs P1/P2 light up green and the status STAT LED flashes green at heartbeat.
Redundant voltage supply (FL MGUARD RS4004)
A redundant supply voltage can be connected. Both inputs are isolated. The load is not dis­tributed. With a redundant supply, the power supply unit with the higher output voltage sup­plies the FL MGUARD RS4004 alone. The supply voltage is electrically isolated from the housing.
If the supply voltage is not redundant, the FL MGUARD RS4004 indicates the failure of the supply voltage via the signal contact. This message can be prevented by feeding the supply voltage via both inputs 24V/24V (resp. US1/US2)) or by installing an appropriate wire jump­er between connections 24V and 24V (resp. US1 and US2).
105656_en_05 PHOENIX CONTACT 43
FL MGUARD RS4004/RS2005

2.4 Preparing the configuration

2.4.1 Connection requirements

–The FL MGUARD RS4004/RS2005 must be connected to at least one active power
supply unit. – For local configuration: The computer that is to be used for configuration must be
connected to the LAN socket on the device. – For remote configuration: The device must be configured so that remote configura-
tion is permitted. – The device must be connected, i.e., the required connections must be working.

2.5 Configuration in Router mode

On initial startup, the device can be accessed via the following address: – https://192.168.1.1

2.5.1 IP address 192.168.1.1

In Router mode, the device can be accessed via the LAN interface via IP address
192.168.1.1 within network 192.168.1.0/24, if one of the following conditions applies. – The device is in the delivery state. – The device was reset to the default settings via the web interface and restarted. – The rescue procedure (flashing of the device) or the recovery procedure has been
performed.
To access the configuration interface, it may be necessary to adapt the network configura­tion of your computer.
Under Windows 7, proceed as follows:
In the Control Panel, open the “Network and Sharing Center”.
Click on “LAN connection”. (The “LAN connection” item is only displayed if a connection
exists from the LAN interface on the computer to a device in operation or another part-
ner).
Click on “Properties”.
Select the menu item “Internet protocol Version 4 (TCP/IPv4)”.
Click on “Properties”.
First select “Use the following IP address” under “Internet Protocol Version 4 Proper-
ties”, then enter the following address, for example:
IP address: 192.168.1.2 Subnet mask: 255.255.255.0 Default gateway: 192.168.1.1
Depending on the configuration of the device, it may then be necessary to adapt the net­work interface of the locally connected computer or network accordingly.
44
PHOENIX CONTACT 105656_en_05
FL MGUARD RS4004/RS2005

2.6 Establishing a local configuration connection

Web-based administrator interface
The device is configured via a web browser that is executed on the configuration computer.
NOTE: The web browser used must support SSL encryption (i.e., HTTPS).
The device can be accessed via the following address:
Table 2-3 Preset address
Default setting Network mode Management IP #1 (IP address of the
internal interface)
FL MGUARD RS2005 Router https://192.168.1.1/ FL MGUARD RS4004 Router https://192.168.1.1/
Proceed as follows:
Start a web browser.
Make sure that the browser, when it is started, does not automatically establish a con-
nection as otherwise the connection establishment to the device may be more difficult.
In Internet Explorer, make the following settings:
In the “Tools” menu, select “Internet Options” and click on the “Connections” tab:
Under “Dial-up and Virtual Private Network settings”, select “Never dial a connection”.
Enter the address of the device completely into the address line of the web browser (re-
fer to Table 2-3).
You access the administrator website of the device.
If you have forgotten the configured address
If the administrator web page is not displayed
If the administrator web page of the device cannot be accessed
If the address of the device in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the device must be reset to the default settings specified above for the IP address using the Recovery procedure (see “Performing a recov­ery procedure” on page 49).
If the web browser repeatedly reports that the page cannot be displayed, try the following:
Disable any active firewalls.
Make sure that the browser does not use a proxy server.
In Internet Explorer (Version 8), make the following settings: “Tools” menu, “Internet
Options”, “Connections” tab.
Click on “Properties” under “LAN settings”.
Check that “Use a proxy server for your LAN” (under “Proxy server”) is not activated in
the “Local Area Network (LAN) Settings” dialog box.
If other LAN connections are active on the computer, deactivate them until the configu-
ration has been completed.
Under the Windows menu “Start, Settings, Control Panel, Network Connections” or
“Network and Dial-up Connections”, right-click on the corresponding icon and select
“Disable” in the context menu.
105656_en_05 PHOENIX CONTACT 45
FL MGUARD RS4004/RS2005
After successful connection establishment
Once a connection has been established successfully, a security alert may be displayed.
Explanation As administrative tasks can only be performed using encrypted access, a self-signed certif-
icate is supplied with the device.
Click “Yes to acknowledge the security alert.
The login window is displayed.
Figure 2-5 Login
To log in, enter the preset user name and password (please note these settings are
case-sensitive):
User Name: admin Password: mGuard
The device can then be configured via the web interface. For additional information, please refer to software reference manual.
For security reasons, we recommend you change the default root and administrator pass­words during initial configuration.
46
PHOENIX CONTACT 105656_en_05
FL MGUARD RS4004/RS2005

2.7 Remote configuration

Requirement The device must be configured so that remote configuration is permitted.
By default upon delivery, the option for remote configuration is disabled.
Switch on the remote configuration option in the web interface under “Management >> Web Settings”.
How to proceed To configure the device via its web user interface from a remote computer, establish the
connection to the device from there.
Proceed as follows:
Start the web browser on the remote computer.
Under address, enter the IP address where the device can be accessed externally over
the Internet or WAN, together with the port number (if required).
Example If the device can be accessed over the Internet, for example, via address
https://123.45.67.89/ and port number 443 has been specified for remote access, the fol­lowing address must be entered in the web browser of the remote peer: https://123.45.67.89/
If a different port number is used, it should be entered after the IP address, e.g., https://123.45.67.89:442/
Configuration The device can then be configured via the web interface. For additional information, please
refer to software reference manual.

2.8 Serial interface

Via the serial interface (RS232), a user can access the command line of the device. The fol­lowing parameters must be configured device-specific:
Baud rate: 57600 – Data bits / parity bit / stop bit: 8-N-1 – Hardware handshake RTS/CTS: Off (default)
105656_en_05 PHOENIX CONTACT 47
FL MGUARD RS4004/RS2005
Reset button
2.9 Restart, recovery procedure, and flashing the firm-
ware
The reset button is used to set the device to one of the following states: – Performing a restart – Performing a recovery procedure – Flashing the firmware/rescue procedure
Figure 2-6 Reset button

2.9.1 Performing a restart

Objective The device is restarted with the configured settings.
Action Press the reset button for around 1.5 seconds until the Err LED lights up.
(Alternatively, disconnect the power supply and then connect it again.)
48
PHOENIX CONTACT 105656_en_05

2.9.2 Performing a recovery procedure

Objective (up to 8.3.x) Up to mGuard firmware version 8.3.x
The network configuration (but not the rest of the configuration) is to be reset to the de-
livery state, as it is no longer possible to access the device.
Use the recovery procedure in case you have forgotten the IP address under which the de­vice can be accessed.
The following network setting is restored:
Table 2-4 Restored network setting
Network mode Management IP #1 (IP address of the internal interface)
Router https://192.168.1.1/
The device is reset to router mode with the fixed IP address. – The CIFS integrity monitoring function is also disabled because this only works when
the management IP is active. – In addition, MAU configuration is activated for the Ethernet connections. HTTPS ac-
cess is enabled via the local Ethernet connection (LAN). – The settings configured for VPN connections and the firewall are retained, including
passwords.
Possible reasons for performing the recovery procedure:
The device is in Router or PPPoE mode. – The IP address of the device has been configured and is not known. – The current IP address of the device is not known.
FL MGUARD RS4004/RS2005
Up-to-date information on the recovery and flashing procedure can be found in the appli­cation note for your firmware version. You can find application notes under the following Internet address:
phoenixcontact.net/products.
Objective (8.4.0 or later) mGuard firmware version 8.4.0 or later
The complete configuration (and not only the network configuration) is to be reset to the
delivery state, as it is no longer possible to access the device.
The current configuration will be automatically be saved on the device and can be restored after the recovery procedure is finished.
When performing the recovery procedure, the default network settings are established:
Table 2-5 Restored network setting
Network mode Management IP #1 (IP address of the internal interface)
Router https://192.168.1.1/
Activity during the recovery procedure (mGuard firmware version 8.4.0 or later)
Before performing the recovery procedure, the current configuration of the device is stored in a newly generated configuration profile ( "Recovery-DATE"). After the recovery proce­dure has finished, the device starts with the Factory Default settings.
The configuration profile named "Recovery DATE" subsequently appears in the list of con­figuration profiles and can be edited and restored with or without changes.
105656_en_05 PHOENIX CONTACT 49
FL MGUARD RS4004/RS2005
Action Slowly press the reset button six times.
After approximately two seconds, the Stat LED lights up green.
When the Stat LED has gone out, slowly press the reset button again six times.
If successful, the Stat LED lights up green.
If unsuccessful, the Err LED lights up red.
If successful, the device restarts after two seconds and switches to Router mode. The de­vice can then be reached again under the corresponding address.
mGuard firmware version 8.4.0 or later
After the recovery procedure has finished, log in to the web interface of the device.
Open the menu Management >> Configuration Profiles.
Choose the configuration profile, generated during the recovery procedure: „Recov-
ery-DATE“ (e.g. “Recovery-2016.12.01-18:02:50).
Click on the Icon „Edit profile“ to analyze the configuration profile and to restore it
with or without changes.
Click on the Icon „Save“ to apply the changes.
50
PHOENIX CONTACT 105656_en_05
FL MGUARD RS4004/RS2005

2.9.3 Flashing the firmware/rescue procedure

Objective The entire firmware of the device should be reloaded on the device.
All configured settings are deleted. The device is set to the delivery state.
Possible reasons The administrator and root password have been lost.
Requirements Requirements for flashing
NOTE: During flashing, the firmware is always loaded from an SD card first. The firmware
is only loaded from a TFTP server if no SD card is found. The following requirements apply when loading the firmware from an SD card: – All necessary firmware files must be located in a common directory on the first parti-
tion of the SD card – This partition must use a VFAT file system (standard type for SD cards) To flash the firmware from a TFTP server, a TFTP server must be installed on the locally
connected computer (see “Installing the DHCP and TFTP server” on page 268).
NOTE: Installing a second DHCP server in a network could affect the configuration of the entire network.
The mGuard firmware has been obtained from your dealer's support team or the
nixcontact.net/products website and has been saved on a compatible SD card.
This SD card has been inserted into the device. – The relevant firmware files are available for download from the download page of
nixcontact.net/products. The files must be located under the following path names in
the following folders on the SD card:
Firmware/install-ubi.mpc83xx.p7s
Firmware/ubifs.img.mpc83xx.p7s
phoe-
phoe-
105656_en_05 PHOENIX CONTACT 51
FL MGUARD RS4004/RS2005
Action To flash the firmware or to perform the rescue procedure, proceed as follows:
NOTE: Do not interrupt the power supply to the device during any stage of the flashing
procedure. Otherwise, the device could be damaged and may have to be reactivated by the manufacturer.
Hold down the reset button until the Stat, Mod, and Sig LEDs light up green. The device
then is in rescue status.
Release the reset button within one second of entering rescue status.
If the reset button is not released, the device is restarted.
The device now starts the rescue system: It first searches for an inserted SD card and
for the relevant firmware there. If the device does not find an SD card, it searches for a
DHCP server via the LAN interface in order to obtain an IP address.
The Stat LED flashes.
The “install.p7s” file is loaded from the TFTP server or SD card. It contains the electron-
ically signed control procedure for the installation process. Only files that are signed are
executed.
The control procedure deletes the current contents of the Flash memory and prepares
for a new firmware installation.
The Stat, Mod, and Sig LEDs form a running light.
The “jffs2.img.p7s” firmware file is downloaded from the TFTP server or SD card and
written to the Flash memory. This file contains the actual operating system and is
signed electronically. Only files signed by the manufacturer are accepted.
This process takes around 3 to 5 minutes. The Stat LED is lit continuously.
The new firmware is extracted and configured. This procedure takes 1 to 3 minutes.
As soon as the procedure is complete, the Stat, Mod, and Sig LEDs flash green simultane­ously.
Restart the device. To do so, press the reset button.
(Alternatively, disconnect the power supply and then connect it again.)
The device is in the delivery state. You can now configure it again (see “Establishing a local configuration connection” on page 45).
52
PHOENIX CONTACT 105656_en_05
FL MGUARD RS4004/RS2005

2.10 Technical data

Hardware properties FL MGUARD RS4004 FL MGUARD RS2005
Platform Freescale network processor Freescale network processor
Network interfaces 4 LAN ports (managed) | 1 DMZ port |
Other interfaces Serial RS-232 | D-SUB 9 connector
Memory 128-Mbyte RAM | 128-Mbyte Flash
Redundancy options Optional: VPN | router and firewall
Power supply Voltage range 11 ... 36 V DC, redundant Voltage range 11 ... 36 V DC
Current consumption Typical < 200 mA (24 V DC) |
Humidity range 5% ... 95% (operation, storage), non-con-
Degree of protection IP20 IP20
Temperature range -20°C ... +60°C (operation)
Dimensions (H x W x D) 130 mm x 45 mm x 114 mm
Weight 749 g (TX/DTX) 749 g (TX)
Weight (incl. packaging) 906 g (TX/DTX) 906 g (TX)
1WAN port Ethernet IEEE 802.3 10/100 Base TX RJ45 | full duplex | auto MDIX
3 digital inputs and 3 digital outputs
SD card Replaceable configuration memory
Maximum < 800 mA (10 V DC)
densing
-20°C ... +70°C (storage)
(up to DIN rail support)
5 LAN ports (unmanaged) Ethernet IEEE 802.3 10/100-BaseTX RJ45 | full duplex | auto MDIX
Serial RS-232 | D-SUB 9 connector 3 digital inputs and 3 digital outputs
128-Mbyte RAM | 128-Mbyte Flash SD card Replaceable configuration memory
Typical < 200 mA (24 V DC) | Maximum < 800 mA (10 V DC)
5% ... 95% (operation, storage), non-con­densing
-20°C ... +60°C (operation)
-20°C ... +70°C (storage)
130 mm x 45 mm x 114 mm (up to DIN rail support)
Firmware and power values FL MGUARD RS4004 FL MGUARD RS2005
Firmware compatibility Firmware 8.1.5: Phoenix Contact recommends the use of the latest firmware version
Data throughput (Firewall) Router mode, default firewall rules, bidirectional throughput: 120 Mbps, maximum
Virtual Private Network (VPN) IPsec (IETF standard)
Hardware-based encryption DES | 3DES | AES-128/192/256 DES | 3DES | AES-128/192/256
Data throughput encrypted (IPsec VPN) Router mode, default firewall rules, bidirectional throughput: 30 Mbps, maximum
Management support Web GUI (HTTPS) | command line interface (SSH) | SNMP v1/2/3 | central device man-
Diagnostics 13 LEDs (Power 1 + 2, State, Error, Signal, Fault, Modem, Info, Signal Status, SIM Sta-
and patch releases in each case. For the scope of functions, please refer to the relevant firmware data sheet.
Stealth mode, default firewall rules, bidirectional throughput: 50 Mbps, maximum When using the DMZ as independent network zone, the maximum possible data
throughput is distributed to the three zones.
IPsec (IETF standard)
Optionally up to 250 VPN tunnels
Stealth mode, default firewall rules, bidirectional throughput: 20 Mbps, maximum When using the DMZ as independent network zone, the maximum possible data
throughput is distributed to the three zones.
agement software
tus) | service I/O | log file | remote Syslog
Up to 2 VPN tunnels
Other FL MGUARD RS4004 FL MGUARD RS2005
Special features Realtime clock | Trusted Platform Module (TPM) | temperature sensor | mGuard Se-
cure Cloud ready
105656_en_05 PHOENIX CONTACT 53
FL MGUARD RS4004/RS2005
54
PHOENIX CONTACT 105656_en_05

3 TC MGUARD RS4000/RS2000 3G

Table 3-1 Currently available products

Product designation Phoenix Contact order number

TC MGUARD RS4000 3G VPN 2903440 TC MGUARD RS2000 3G VPN 2903441
Product description
The TC MGUARD RS4000 3G is suitable for distributed protection of production cells or in­dividual machines against manipulation.
It features a 4-port managed LAN switch and an industrial 3G mobile communication modem for GPRS, UMTS, and CDMA networks with a download speed of up to 14.4 Mbps.
The mobile communication interface can be switched to WAN interface as redundancy path. A dedicated DMZ port with its own firewall rules enables segmentation and differenti­ated safety concepts. The GPS/GLONASS receiver enables time synchronization and loca­tion services. You can integrate automation devices with serial interfaces into networks, as a COM server is integrated.
For software-independent remote maintenance, the TC MGUARD RS4000 3G can be used as a VPN router for up to 10 (optionally up to 250) parallel, IPsec-encrypted VPN tunnels.
The TC MGUARD RS2000 3G is a version with basic firewall and can be used as a VPN client for up to two parallel, IPsec-encrypted VPN tunnels. It is suitable for secure remote maintenance applications at locations without wired networks and enables global connec­tion of distributed machines and controllers.
Both versions support a replaceable configuration memory in the form of an SD card. To in­crease safety, VPN connections can be switched on or off via switch contact, SMS or soft­ware interface. The fanless metal housing is mounted on a DIN rail.
TC MGUARD RS4000/RS2000 3G
Figure 3-1 TC MGUARD RS2000 3G/TC MGUARD RS4000 3G
105656_en_05 PHOENIX CONTACT 55
TC MGUARD RS4000/RS2000 3G
5
4
7
9
8
6
10
11
12
1
2
3
13
14
15
For plug-in screw terminal blocks, assignment, refer to Page 61 and Page 64
Reset button
LEDs, see Table 3-2
WAN port
DMZ port
LAN port (protected)
LAN port (protected)
LAN port (protected)
Slot for optional SD card
LAN port (protected)
LEDs, see Table 3-2
SMA
RS-232 interface
Slot for SIM card 1
Slot for SIM card 2
RSMA
Antenna connection – SMA for mobile commu-
nication (ANT)
–RSMA (GPS)

3.1 Operating elements and LEDs

Figure 3-2 Operating elements and LEDs on the TC MGUARD RS4000 3G
Table 3-2 LEDs on the TC MGUARD RS4000 3G and TC MGUARD RS2000 3G
LED State Meaning P1 Green On Power supply 1 is active P2 Green On Power supply 2 is active (TC MGUARD RS2000 3G: not used) Stat Green Flashing Heartbeat. The device is correctly connected and operating. Err Red Flashing System error. Restart the device.
Stat + Err Flashing alternately:
green and red
Mod Green On Connection via modem established Fault Red On The signal output changes to the low level due to an error (inverted control logic).
56
PHOENIX CONTACT 105656_en_05
Press the Reset button (for 1.5 seconds). – Alternatively, briefly disconnect the device power supply and then connect it
again.
If the error is still present, start the recovery procedure (see Page 71) or contact your dealer.
Boot process. When the device has just been connected to the power supply. After a few seconds, this LED changes to the heartbeat state.
The signal output is inactive during a restart.
TC MGUARD RS4000/RS2000 3G
Table 3-2 LEDs on the TC MGUARD RS4000 3G and TC MGUARD RS2000 3G [...]
LED State Meaning Info2 Green On Up to firmware version 8.0 As of firmware version 8.1
The configured VPN connection has been established at output O1.
The configured VPN connections are established at output O1 or the firewall rule records defined at output O1 are activated.
Flashing The configured VPN connection is
being established or aborted at output O1.
The configured VPN connections are being established or aborted at output O1 or the firewall rule records defined at output O1 are activated or deactivated.
Info1 Green On Up to firmware version 8.0 As of firmware version 8.1
The configured VPN connection has been established at output O2.
The configured VPN connections are established at output O2 or the firewall rule records defined at output O2 are activated.
Flashing The configured VPN connection is
being established or aborted at output O2.
The configured VPN connections are being established or aborted at output O2 or the firewall rule records defined at output O2 are activated or deactivated.
1
WAN 1 DMZ1 Green On LAN 1–4 Green On
Green On The LEDs are located in the sockets (10/100 and duplex LED)
Ethernet status. The LEDs indicate the status of the relevant port. As soon as the device is connected to the relevant network, a continuous light indicates that there is a connection to the network partner in the LAN, WAN or DMZ. When data pack­ets are transmitted, the LED goes out briefly.
Bar graph LED 3 Top Off Off Off Green
LED 2 Middle Off Off Green Green LED 1 Bottom Off Yellow Yellow Yellow Signal strength -113 ... 111 dBm -109 ... 89 dBm -87 ... 67 dBm -65 ... 51 dBm Network reception Very poor to none Sufficient Good Very good
SIM 1 Green On
Flashing
SIM 2 Green On
Flashing
1
only TC MGUARD RS4000 3G
SIM card 1 active
No PIN or incorrect one entered SIM card 2 active
No PIN or incorrect one entered
105656_en_05 PHOENIX CONTACT 57
TC MGUARD RS4000/RS2000 3G

3.2 Startup

3.2.1 Safety notes

To ensure correct operation and the safety of the environment and of personnel, the device must be installed, operated, and maintained correctly.
NOTE: Risk of material damage due to incorrect wiring
Only connect the device network ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the device.
For connecting a modem or serial terminal to the RS-232 interface, you will need a null modem cable not exceeding 10 m in length.
NOTE: Risk of material damage due to emissions
This is a Class A item of equipment. This equipment can cause radio interference in resi­dential areas; in this case, the operator may be required to implement appropriate mea­sures.
NOTE: Electrostatic discharge
When handling the device, observe the necessary safety precautions against electrostat­ic discharge (ESD) according to EN 61340-5-1 and IEC 61340-5-1.
General notes regarding usage
NOTE: Select suitable ambient conditions
Ambient temperature: -40°C ... +60°C – Maximum humidity, non-condensing: 5% ... 95% To avoid overheating, do not expose the device to direct sunlight or other heat sources.
NOTE: Extended run-up time at low temperatures
Low temperatures result in a prolonged run-up time of the device. Operational availability is reached after a maximum of 5 minutes.
NOTE: Cleaning
Clean the device housing with a soft cloth. Do not use aggressive solvents.

3.2.2 Checking the scope of supply

Before startup, check the scope of supply to ensure nothing is missing.
The scope of supply includes:
–The device – Package slip – Plug-in screw terminal blocks for the power supply connection and inputs/outputs (in-
serted)

3.2.3 mGuard-Firmware

The device must be operated with mGuard firmware version 8.0 or higher.
58
PHOENIX CONTACT 105656_en_05
TC MGUARD RS4000/RS2000 3G

3.3 Installation of TC MGUARD RS4000/RS2000 3G

3.3.1 Mounting/removal

NOTE: Device damage
Only mount and remove devices when the power supply is disconnected.
Mounting The device is ready to operate when it is supplied. The recommended sequence for mount-
ing and connection is as follows:
Mount the TC MGUARD RS4000/RS2000 3G on a grounded 35 mm DIN rail according
to DIN EN 60715.
Figure 3-3 Mounting the TC MGUARD RS4000/RS2000 3G on a DIN rail
Attach the top snap-on foot of the TC MGUARD RS4000/RS2000 3G to the DIN rail
and then press the TC MGUARD RS4000/RS2000 3G down towards the DIN rail until
it engages with a click.
Removal Remove or disconnect the connections.
To remove the TC MGUARD RS4000/RS2000 3G from the DIN rail, insert a screw-
driver horizontally in the locking slide under the housing, pull it down – without tilting the
screwdriver – and then pull up the TC MGUARD RS4000/RS2000 3G.
105656_en_05 PHOENIX CONTACT 59
TC MGUARD RS4000/RS2000 3G

3.3.2 Connecting to the network

NOTE: Risk of material damage due to incorrect wiring
Only connect the device network ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the device.
Connect the device to the network. To do this, you need a suitable UTP cable (CAT5)
Connect the internal network interface LAN of the device to the corresponding Ethernet
which is not included in the scope of supply. Use UTP cables with an impedance of
100 Ω.
network card of the configuration computer or a valid network connection of the internal
network (LAN).
60
PHOENIX CONTACT 105656_en_05
TC MGUARD RS4000/RS2000 3G
US I2 GND O2
X2
US I3 GND O3
X3
US I1 GND O1
X1

3.3.3 Connecting service contacts

NOTE: Do not connect the voltage and ground outputs to an external source.
The plug-in screw terminal blocks of the service contacts may be removed or inserted during operation of the device.
The TC MGUARD RS4000/RS2000 3G has three digital inputs and outputs. These are con­figured in the web interface, e.g., the starting and stopping of VPN, sending alarms via SMS etc..
The digital inputs and outputs are connected as follows.
Figure 3-4 Service contacts
Control switch CMD Signal output (digital) ACK
US I1, I2, I3 GND O1, O2, O3
Voltage output (+)
Supply voltage
Switching input 11 ... 36 V DC
Ground output (-)
Supply voltage
Short-circuit-proof switch output, maximum 250 mA at 11 ... 36 V DC
X1 ... X3
Example Example
A push button or an on/off switch (e.g., key switch) can be connected between service contacts US and I.
The service contacts O1–O3 are non-floating, continuously short-circuit-proof and supply a maximum of 250 mA.
The switching inputs and switching outputs can be connected with signals from external de­vices, e.g., with PLC signals. In this case, ensure the same potential as well as voltage and current specifications are defined.
Depending on the firmware version used, the service contacts can be used for various switching or signaling tasks.
105656_en_05 PHOENIX CONTACT 61
TC MGUARD RS4000/RS2000 3G
GPS
ANT

3.3.4 Antennas

To establish a mobile communication connection, a matching antenna must be connected to the devices.
NOTE: Health effects due to RF radiation
A distance of at least 20 cm between persons and the antennas must be maintained during normal operation.
NOTE: Removing operator permissions
Operation of the wireless system is only permitted with accessories supplied by Phoenix Contact. The use of other accessory components may invalidate the operating license.
You can find the approved accessories for this wireless system listed with the product at:
phoenixcontact.net/products.
We recommend combined mobile phone GPS antenna with omnidirectional characteristic, antenna cable with SMA round plug (GSM/UMTS) and R-SMA round plug (TC ANT MOBILE/GPS, 2903590 from Phoenix Contact).
In the case of the TC MGUARD RS2000 3G, the WAN is only available via the mobile net­work, as a WAN interface is not available. The mobile network function is preset. The TC MGUARD RS2000 3G can only be operated in Router mode.
Connecting antennas
Figure 3-5 Antenna connection
Connect a suitable antenna to the antenna connection.
Antenna connection
SMA for mobile communication (ANT)
–RSMA (GPS)
If the bar graph indicates good or very good reception, affix the antenna (see “Bar
graph” on page 57).
62
PHOENIX CONTACT 105656_en_05
TC MGUARD RS4000/RS2000 3G
A
B
D
C

3.3.5 SIM card

To establish a mobile communication connection, the device also requires at least one valid mini SIM card in ID-000 format, via which it assigns and authenticates itself to a mobile net­work.
The TC MGUARD RS4000/RS2000 3G can be equipped with two SIM cards. The SIM card in the SIM 1 slot is the primary SIM card which is normally used to establish the connection. If this connection fails, the device can optionally turn to the second SIM card in slot SIM 2. You can set whether, and under which conditions, the connection to the primary SIM card is restored.
The state of the SIM cards is indicated via two LEDs on the front. The LEDs SIM1 and SIM2 light up green when the SIM card is active. If a PIN has not been entered, the LED flashes green.
Quality of the mobile network connection
The signal strength of the mobile network connection is indicated by three LEDs on the front of the TC MGUARD RS4000/RS2000 3G. The LEDs function as a bar graph (refer to “Bar graph” on page 57).
For stable data transmission, we recommend at least good network reception. If the network reception is only adequate, only SMS messages can be sent and received.
Inserting the SIM card
You will receive a SIM card from the wireless provider on which all data and services for your connection are stored. If you use CDMA networks in the USA (e.g., from Verizon Wireless), you will not receive a SIM card. Change the TC MGUARD RS4000/RS2000 3G to a CDMA provider via the web interface.
Figure 3-6 Insert the SIM card
To insert the SIM card, proceed as follows:
Press the release button.
Remove the SIM card holder.
105656_en_05 PHOENIX CONTACT 63
Insert the SIM card so that the SIM chip remains visible.
Insert the SIM card holder together with the SIM card into the device until this ends flush
with the housing.
TC MGUARD RS4000/RS2000 3G
24V 0V 24V 0V
X4

3.3.6 Connecting the supply voltage

WARNING: The device is designed for operation with a DC voltage of
11 V DC ... 36 V DC/SELV, 800 mA maximum. Therefore, only SELV circuits with voltage limitations according to
IEC 60950/EN 60950/VDE 0805 may be connected to the supply connections and the signal contact.
The supply voltage is connected via a plug-in screw terminal block, which is located on the top of the device.
Figure 3-7 Connecting the supply voltage (TC MGUARD RS4000 3G)
Table 3-3 Supply voltage TC MGUARD RS4000/RS2000 3G
TC MGUARD RS4000 3G TC MGUARD RS2000 3G
The TC MGUARD RS4000 3G has a redundant supply voltage. If you only connect one supply voltage, you will get an error message.
Remove the plug-in screw terminal blocks for the power supply and the service con-
tacts.
Wire the supply voltage lines of the X4 mGuard screw terminal block. Tighten the
screws on the screw terminal blocks with 0.5 ... 0.8 Nm.
Insert the plug-in screw terminal blocks into the intended sockets on the top of the de-
vice.
Status LED P1 lights up green when the supply voltage has been connected properly. On the TC MGUARD RS4000 3G, the status indicator P2 also lights up if there is a redundant supply voltage connection.
The device boots the firmware. The Stat LED flashes green. The device is ready for opera­tion as soon as the Ethernet socket LEDs light up. Additionally, the P1/P2 LEDs light up green and Stat LED flashes green at heartbeat.
Redundant voltage supply (TC MGUARD RS4000 3G)
A redundant supply voltage can be connected. Both inputs are isolated. The load is not dis­tributed. With a redundant supply, the power supply unit with the higher output voltage sup­plies the TC MGUARD RS4000 3G alone. The supply voltage is electrically isolated from the housing.
64
PHOENIX CONTACT 105656_en_05
TC MGUARD RS4000/RS2000 3G
If the supply voltage is not redundant, the TC MGUARD RS4000 3G indicates the failure of the supply voltage via the signal contact. This message can be prevented by feeding the supply voltage via both inputs or by installing an appropriate wire jumper between the con­nections.
105656_en_05 PHOENIX CONTACT 65
TC MGUARD RS4000/RS2000 3G

3.4 Preparing the configuration

3.4.1 Connection requirements

–The TC MGUARD RS4000/RS2000 3G must be connected to at least one active pow-
For local configuration: The computer that is to be used for configuration must be
For remote configuration: The device must be configured so that remote configura-
The device must be connected, i.e., the required connections must be working.

3.5 Configuration in Router mode

On initial startup, the device can be accessed via the following address: – https://192.168.1.1

3.5.1 IP address 192.168.1.1

In Router mode, the device can be accessed via the LAN interface via IP address
192.168.1.1 within network 192.168.1.0/24, if one of the following conditions applies. – The device is in the delivery state. – The device was reset to the default settings via the web interface and restarted. – The rescue procedure (flashing of the device) or the recovery procedure has been
er supply unit.
connected to the LAN socket on the device.
tion is permitted.
performed.
To access the configuration interface, it may be necessary to adapt the network configura­tion of your computer.
Under Windows 7, proceed as follows:
In the Control Panel, open the “Network and Sharing Center”.
Click on “LAN connection”. (The “LAN connection” item is only displayed if a connection
exists from the LAN interface on the computer to a mGuard device in operation or an-
other partner).
Click on “Properties”.
Select the menu item “Internet protocol Version 4 (TCP/IPv4)”.
Click on “Properties”.
First select “Use the following IP address” under “Internet Protocol Version 4 Proper-
ties”, then enter the following address, for example:
IP address: 192.168.1.2 Subnet mask: 255.255.255.0 Default gateway: 192.168.1.1
Depending on the configuration of the device, it may then be necessary to adapt the net­work interface of the locally connected computer or network accordingly.
66
PHOENIX CONTACT 105656_en_05
TC MGUARD RS4000/RS2000 3G

3.6 Establishing a local configuration connection

Web-based administrator interface
The device is configured via a web browser that is executed on the configuration computer.
NOTE: The web browser used must support SSL encryption (i.e., HTTPS).
The device can be accessed via the following address:
Table 3-4 Preset address
Default setting Network mode Management IP #1 (IP
address of the internal interface)
TC MGUARD RS4000 3G Router https://192.168.1.1/ TC MGUARD RS2000 3G Router https://192.168.1.1/
Proceed as follows:
Start a web browser.
Make sure that the browser, when it is started, does not automatically establish a con-
nection as otherwise the connection establishment to the device may be more difficult.
In Internet Explorer, make the following settings:
In the “Tools” menu, select “Internet Options” and click on the “Connections” tab:
Under “Dial-up and Virtual Private Network settings”, select “Never dial a connection”.
Enter the address of the device completely into the address line of the web browser (re-
fer to Table 3-4).
You access the administrator website of the device.
If you have forgotten the configured address
If the administrator web page is not displayed
If the administrator web page of the device cannot be accessed
If the address of the device in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the device must be reset to the default settings specified above for the IP address using the Recovery procedure (see “Performing a recov­ery procedure” on page 71).
If the web browser repeatedly reports that the page cannot be displayed, try the following:
Disable any active firewalls.
Make sure that the browser does not use a proxy server.
In Internet Explorer (Version 8), make the following settings: “Tools” menu, “Internet
Options”, “Connections” tab.
Click on “Properties” under “LAN settings”.
Check that “Use a proxy server for your LAN” (under “Proxy server”) is not activated in
the “Local Area Network (LAN) Settings” dialog box.
If other LAN connections are active on the computer, deactivate them until the configu-
ration has been completed.
Under the Windows menu “Start, Settings, Control Panel, Network Connections” or
“Network and Dial-up Connections”, right-click on the corresponding icon and select
“Disable” in the context menu.
After successful connection establishment
Once a connection has been established successfully, a security alert may be displayed.
105656_en_05 PHOENIX CONTACT 67
TC MGUARD RS4000/RS2000 3G
Explanation: As administrative tasks can only be performed using encrypted access, a self-signed certif-
icate is supplied with the device.
Click “Yes to acknowledge the security alert.
The login window is displayed.
Figure 3-8 Login
To log in, enter the preset user name and password (please note these settings are
case-sensitive):
User Name: admin Password: mGuard
The device can then be configured via the web interface. For additional information, please refer to the software reference manual.
For security reasons, we recommend you change the default root and administrator pass­words during initial configuration.
68
PHOENIX CONTACT 105656_en_05
TC MGUARD RS4000/RS2000 3G

3.7 Remote configuration

Requirement The device must be configured so that remote configuration is permitted.
The option for remote configuration is disabled by default.
Switch on the remote configuration option in the web interface under “Management >> Web Settings”.
How to proceed To configure the device via its web user interface from a remote computer, establish the
connection to the device from there.
Proceed as follows:
Start the web browser on the remote computer.
Under address, enter the IP address where the device can be accessed externally over
the Internet or WAN, together with the port number (if required).
Example If the device can be accessed over the Internet, for example, via address
https://123.45.67.89/ and port number 443 has been specified for remote access, the fol­lowing address must be entered in the web browser of the remote peer: https://123.45.67.89/
If a different port number is used, it should be entered after the IP address, e.g., https://123.45.67.89:442/
Configuration The device can then be configured via the web interface. For additional information, please
refer to the software reference manual.

3.8 Serial interface

Via the serial interface (RS232), a user can access the command line of the device. The fol­lowing parameters must be configured device-specific:
Baud rate: 57600 – Data bits / parity bit / stop bit: 8-N-1 – Hardware handshake RTS/CTS: Off (default)
105656_en_05 PHOENIX CONTACT 69
TC MGUARD RS4000/RS2000 3G
Reset button
3.9 Restart, recovery procedure, and flashing the firm-
The Reset button is used to set the device to one of the following states: – Performing a restart – Performing a recovery procedure – Flashing the firmware/rescue procedure
Figure 3-9 Reset button
ware

3.9.1 Performing a restart

Objective The device is restarted with the configured settings.
Action Press the Reset button for around 1.5 seconds until the Err LED lights up.
(Alternatively, disconnect the power supply and then connect it again.)
70
PHOENIX CONTACT 105656_en_05

3.9.2 Performing a recovery procedure

Objective (up to 8.3.x) Up to mGuard firmware version 8.3.x
The network configuration (but not the rest of the configuration) is to be reset to the de-
livery state, as it is no longer possible to access the device.
When performing the recovery procedure, the default network settings are established:
Table 3-5 Preset address
Network mode Management IP #1 (IP address of the internal interface)
Router https://192.168.1.1/
The device is reset to router mode with the fixed IP address. – The CIFS integrity monitoring function is also disabled because this only works when
the management IP is active. – In addition, MAU management is switched on for Ethernet connections. HTTPS access
is enabled via the local Ethernet connection (LAN). – The settings configured for VPN connections and the firewall are retained, including
passwords.
Possible reasons for performing the recovery procedure:
The device is in Router or PPPoE mode. – The configured IP address of the device differs from the default setting. – The current IP address of the device is not known.
TC MGUARD RS4000/RS2000 3G
Up-to-date information on the recovery and flashing procedure can be found in the appli­cation note for your mGuard firmware version. You can find application notes under the following Internet address:
phoenixcontact.net/products.
Objective (8.4.0 or later) mGuard firmware version 8.4.0 or later
The complete configuration (and not only the network configuration) is to be reset to the
delivery state, as it is no longer possible to access the device.
The current configuration will be automatically be saved on the device and can be restored after the recovery procedure is finished.
When performing the recovery procedure, the default network settings are established:
Table 3-6 Preset address
Network mode Management IP #1 (IP address of the internal interface)
Router https://192.168.1.1/
Activity during the recovery procedure (mGuard firmware version 8.4.0 or later)
Before performing the recovery procedure, the current configuration of the device is stored in a newly generated configuration profile ( "Recovery-DATE"). After the recovery proce­dure has finished, the device starts with the Factory Default settings.
The configuration profile named "Recovery DATE" subsequently appears in the list of con­figuration profiles and can be edited and restored with or without changes.
Action Slowly press the Reset button six times.
After approximately two seconds, the Stat LED lights up green.
105656_en_05 PHOENIX CONTACT 71
TC MGUARD RS4000/RS2000 3G
When the Stat LED has gone out, slowly press the Reset button again six times.
If successful, the device restarts after two seconds and switches to Router mode. The de­vice can then be reached again under the corresponding address.
mGuard firmware version 8.4.0 or later
After the recovery procedure has finished, log in to the web interface of the device.
Open the menu Management >> Configuration Profiles.
Choose the configuration profile, generated during the recovery procedure: „Recov-
Click on the Icon „Edit profile“ to analyze the configuration profile and to restore it
Click on the Icon „Save“ to apply the changes.
If successful, the Stat LED lights up green.
If unsuccessful, the Err LED lights up red.
ery-DATE“ (e.g. “Recovery-2016.12.01-18:02:50).
with or without changes.
72
PHOENIX CONTACT 105656_en_05
TC MGUARD RS4000/RS2000 3G

3.9.3 Flashing the firmware/rescue procedure

Objective The entire mGuard firmware should be reloaded on the device.
All configured settings are deleted. The device is set to the delivery state.
Possible reasons The administrator and root password have been lost.
Requirements Requirements for flashing
NOTE: During flashing, the firmware is always loaded from an SD card first. The firmware
is only loaded from a TFTP server if no SD card is found. The following requirements apply when loading the firmware from an SD card: – All necessary firmware files must be located in a common directory on the first parti-
tion of the SD card – This partition must use a VFAT file system (standard type for SD cards). To flash the firmware from a TFTP server, a TFTP server must be installed on the locally
connected computer (see “Installing the DHCP and TFTP server” on page 268).
NOTE: Installing a second DHCP server in a network could affect the configuration of the entire network.
The mGuard firmware has been obtained from your dealer's support team or the
nixcontact.net/products website and has been saved on a compatible SD card.
This SD card has been inserted into the device. – The relevant firmware files are available for download from the download page of
nixcontact.net/products. The files must be located under the following path names or in
the following folders on the SD card:
Firmware/install-ubi.mpc83xx.p7s
Firmware/ubifs.img.mpc83xx.p7s
phoe-
phoe-
105656_en_05 PHOENIX CONTACT 73
TC MGUARD RS4000/RS2000 3G
Action To flash the firmware or to perform the rescue procedure, proceed as follows:
NOTE: Do not interrupt the power supply to the device during any stage of the flashing
procedure. Otherwise, the device could be damaged and may have to be reactivated by the manufacturer.
Hold down the Reset button until the Stat, Mod, and Sig LEDs light up green. Then, the
device is in the recovery state.
Release the Reset button within a second of entering the recovery state.
If the Reset button is not released, the device is restarted.
The device now starts the rescue system: It searches for a DHCP server via the LAN
interface in order to obtain an IP address. (Exception: if an SD card is inserted into the
device with corresponding firmware, the rescue system is started from there).
The Stat LED flashes.
The “install.p7s” file is loaded from the TFTP server or SD card. It contains the electron-
ically signed control procedure for the installation process. Only files that are signed are
executed.
The control procedure deletes the current contents of the Flash memory and prepares
for a new firmware installation.
The Stat, Mod, and Sig LEDs form a running light.
The “jffs2.img.p7s” firmware file is downloaded from the TFTP server or SD card and
written to the Flash memory. This file contains the actual mGuard operating system and
is signed electronically. Only files signed by Phoenix Contact are accepted.
This process takes around 3 to 5 minutes. The Stat LED is lit continuously.
The new firmware is extracted and configured. This procedure takes 1 to 3 minutes.
As soon as the procedure is complete, the Stat, Mod, and Sig LEDs flash green simultane­ously.
Restart the device. To do so, press the Reset button.
(Alternatively, disconnect the power supply and then connect it again.)
The device is in the delivery state. You can now configure it again (see “Establishing a local configuration connection” on page 67):
74
PHOENIX CONTACT 105656_en_05
TC MGUARD RS4000/RS2000 3G

3.10 Technical data

Hardware properties TC MGUARD RS4000 3G TC MGUARD RS2000 3G
Platform Freescale network processor Freescale network processor
Network interfaces 4 LAN Ports (managed) | 1 DMZ port |
Wireless interface WAN | GSM | GPRS | EDGE | UMTS | CD-
SIM interfaces (1 + 2) 1.8 V | 3 V, redundant 1.8 V | 3 V, redundant
Data rate 14.4 Mbps (HSDPA) 14.4 Mbps (HSDPA)
Other interfaces Serial RS-232 | D-SUB 9 connector
Memory 128 MB RAM | 128 MB Flash | SD card
Redundancy options Optional: VPN | router and firewall
Power supply Voltage range 11 ... 36 V DC, redundant Voltage range 11 ... 36 V DC, redundant
Power consumption typical < 200 mA (24 V DC) |
Humidity range 5% ... 95% (operation, storage), non-con-
Degree of protection IP20 IP20
Temperature range -40°C ... +60°C (operation)
Vibration resistance in acc. with EN 60068-2-6/IEC 60068-2-6 5g, 10-150 Hz, 2.5 h, in XYZ direction 5g, 10-150 Hz, 2.5 h, in XYZ direction
Dimensions (H x W x D) 130 x 45 x 114 mm (up to DIN rail support) 130 x 45 x 114 mm (up to DIN rail support)
Weight 850 g 835 g
1WAN port Ethernet IEEE 802.3 10/100-BaseTX RJ45 | full duplex | auto MDIX
MA2000
3 digital inputs and 3 digital outputs
Replaceable configuration memory
maximum < 800 mA (10 V DC)
densing
-40°C ... +70°C (storage)
4 LAN ports (unmanaged) Ethernet IEEE 802.3 10/100-BaseTX RJ45 | full duplex | auto MDIX
WAN | GSM | GPRS | EDGE | UMTS | CD­MA2000
Serial RS-232 | D-SUB 9 connector 3 digital inputs and 3 digital outputs
128 MB RAM | 128 MB Flash | SD card Replaceable configuration memory
typical < 200 mA (24 V DC) | maximum < 800 mA (10 V DC)
5% ... 95% (operation, storage), non-con­densing
-40°C ... +60°C (operation)
-40°C ... +70°C (storage)
Firmware and power values TC MGUARD RS4000 3G TC MGUARD RS2000 3G
Firmware compatibility For mGuard v8.0 or later: Phoenix Contact recommends the use of the latest firmware
Data throughput (Firewall) Router mode, default firewall rules, bidirectional throughput: 110 Mbps, maximum
Virtual Private Network (VPN) IPsec (IETF standard)
Hardware-based encryption DES | 3DES | AES-128/192/256 DES | 3DES | AES-128/192/256
Data throughput encrypted (IPsec VPN) Router mode, default firewall rules, bidirectional throughput: 30 Mbps, maximum
Data throughput (mobile) Depending on the mobile connection
Management support Web GUI (HTTPS) | command line interface (SSH) | SNMP v1/2/3 | central device man-
Diagnostics 13 LEDs (Power 1 + 2, State, Error, Signal, Fault, Modem, Info, Signal Status, SIM Sta-
105656_en_05 PHOENIX CONTACT 75
version and patch releases in each case. For the scope of functions, please refer to the relevant firmware data sheet.
Stealth mode, default firewall rules, bidirectional throughput: 50 Mbps, maximum When using the DMZ as independent network zone, the maximum possible data
throughput is distributed to the three zones.
IPsec (IETF standard)
Optionally up to 250 VPN tunnels
Stealth mode, default firewall rules, bidirectional throughput: 20 Mbps, maximum When using the DMZ as independent network zone, the maximum possible data
throughput is distributed to the three zones.
5,7 Mbit/s (HSDPA) upload 14,4 Mbit/s (HSDPA) download
agement software
tus) | Service I/O| Log File | Remote Syslog
Up to 2 VPN tunnels
TC MGUARD RS4000/RS2000 3G
Emitted interference in acc. with EN 61000-6-4 TC MGUARD RS4000 3G TC MGUARD RS2000 3G
Radio interference voltage in acc. with EN 55011 EN 55011 class A industrial area of application
Emitted radio interference in acc. with EN 55011 EN 55011 class A industrial area of application
Noise emission Criterion A Criterion B
EN 61000-6-4 Normal operating behavior within the specified limits Criterion B Temporary impairment of operating behavior that is corrected by the device
itself
Other TC MGUARD RS4000 3G TC MGUARD RS2000 3G
Conformance CE | FCC | UL 508 | electrical isolation (VCC//PE) | ANSI / ISA 12.12 Class I Div. 2
Special features GPS / GLONASS receiver | realtime clock | Trusted Platform Module (TPM) | tempera-
ture sensor | mGuard Secure Cloud ready
76
PHOENIX CONTACT 105656_en_05

4 TC MGUARD RS4000/RS2000 4G

Table 4-1 Currently available products

Product designation Phoenix Contact order number

TC MGUARD RS4000 4G VPN 2903586 TC MGUARD RS2000 4G VPN 2903588
Product description
The TC MGUARD RS4000 4G is suitable for distributed protection of production cells or in­dividual machines against manipulation.
It features a 4-port managed LAN switch and an industrial 4G mobile communication modem for GPRS, UMTS, LTE, and CDMA networks with a download speed of up to 150 Mbps.
The mobile communication interface can be switched to WAN interface as redundancy path. A dedicated DMZ port with its own firewall rules enables segmentation and differenti­ated safety concepts. The GPS/GLONASS receiver enables time synchronization and loca­tion services. You can integrate automation devices with serial interfaces into networks, as a COM server is integrated.
For software-independent remote maintenance, the TC MGUARD RS4000 4G can be used as a VPN router for up to 10 (optionally up to 250) parallel, IPsec-encrypted VPN tunnels.
The TC MGUARD RS2000 4G is a version with basic firewall and can be used as a VPN client for up to two parallel, IPsec-encrypted VPN tunnels. It is suitable for secure remote maintenance applications at locations without wired networks and enables global connec­tion of distributed machines and controllers.
Both versions support a replaceable configuration memory in the form of an SD card. To in­crease safety, VPN connections can be switched on or off via switch contact, SMS or soft­ware interface. The fanless metal housing is mounted on a DIN rail.
TC MGUARD RS4000/RS2000 4G
Figure 4-1 TC MGUARD RS2000 4G/TC MGUARD RS4000 4G
105656_en_05 PHOENIX CONTACT 77
TC MGUARD RS4000/RS2000 4G
For plug-in screw terminal blocks, assignment, refer to Page 83 and Page 86
Reset button
LEDs, see Table 4-2
WAN port
DMZ port
LAN port (protected)
LAN port (protected)
LAN port (protected)
Slot for optional SD card
LAN port (protected)
LEDs, see Table 4-2
SMA
RS-232 interface
Slot for SIM card 1
Slot for SIM card 2
RSMA Antenna connection – SMA for mobile communica-
tion (ANT 1/2)
–RSMA (GPS)
SMA

4.1 Operating elements and LEDs

Figure 4-2 Operating elements and LEDs on the TC MGUARD RS4000 4G
Table 4-2 LEDs on the TC MGUARD RS4000 4G and TC MGUARD RS2000 4G
LED State Meaning P1 Green On Power supply 1 is active P2 Green On Power supply 2 is active (TC MGUARD RS2000 4G: not used) Stat Green Flashing Heartbeat. The device is correctly connected and operating. Err Red Flashing System error. Restart the device.
Stat + Err Flashing alternately:
Mod Green On Connection via modem established Fault Red On The signal output changes to the low level due to an error (inverted control logic).
78
PHOENIX CONTACT 105656_en_05
green and red
Press the Reset button (for 1.5 seconds). – Alternatively, briefly disconnect the device power supply and then connect it
again.
If the error is still present, start the recovery procedure (see Page 93) or contact your dealer.
Boot process. When the device has just been connected to the power supply. After a few seconds, this LED changes to the heartbeat state.
The signal output is inactive during a restart.
TC MGUARD RS4000/RS2000 4G
Table 4-2 LEDs on the TC MGUARD RS4000 4G and TC MGUARD RS2000 4G [...]
LED State Meaning Info2 Green On Up to firmware version 8.0 As of firmware version 8.1
The configured VPN connection has been established at output O1.
The configured VPN connections are established at output O1 or the firewall rule records defined at output O1 are activated.
Flashing The configured VPN connection is
being established or aborted at output O1.
The configured VPN connections are being established or aborted at output O1 or the firewall rule records defined at output O1 are activated or deactivated.
Info1 Green On Up to firmware version 8.0 As of firmware version 8.1
The configured VPN connection has been established at output O2.
The configured VPN connections are established at output O2 or the firewall rule records defined at output O2 are activated.
Flashing The configured VPN connection is
being established or aborted at output O2.
The configured VPN connections are being established or aborted at output O2 or the firewall rule records defined at output O2 are activated or deactivated.
1
WAN 1 DMZ1 Green On LAN 1–4 Green On
Green On The LEDs are located in the sockets (10/100 and duplex LED)
Ethernet status. The LEDs indicate the status of the relevant port. As soon as the device is connected to the relevant network, a continuous light indicates that there is a connection to the network partner in the LAN, WAN or DMZ. When data pack­ets are transmitted, the LED goes out briefly.
Bar graph LED 3 Top Off Off Off Green
LED 2 Middle Off Off Green Green LED 1 Bottom Off Yellow Yellow Yellow Signal strength -113 ... 111 dBm -109 ... 89 dBm -87 ... 67 dBm -65 ... 51 dBm Network reception Very poor to none Sufficient Good Very good
SIM 1 Green On
Flashing
SIM 2 Green On
Flashing
1
only TC MGUARD RS4000 4G
SIM card 1 active
No PIN or incorrect one entered SIM card 2 active
No PIN or incorrect one entered
105656_en_05 PHOENIX CONTACT 79
TC MGUARD RS4000/RS2000 4G

4.2 Startup

4.2.1 Safety notes

To ensure correct operation and the safety of the environment and of personnel, the device must be installed, operated, and maintained correctly.
NOTE: Risk of material damage due to incorrect wiring
Only connect the device network ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the device.
For connecting a modem or serial terminal to the RS-232 interface, you will need a null modem cable not exceeding 10 m in length.
NOTE: Risk of material damage due to emissions
This is a Class A item of equipment. This equipment can cause radio interference in resi­dential areas; in this case, the operator may be required to implement appropriate mea­sures.
NOTE: Electrostatic discharge
When handling the device, observe the necessary safety precautions against electrostat­ic discharge (ESD) according to EN 61340-5-1 and IEC 61340-5-1.
General notes regarding usage
NOTE: Select suitable ambient conditions
Ambient temperature:
-40°C ... +60°C
Maximum humidity, non-condensing:
5% ... 95%
To avoid overheating, do not expose the device to direct sunlight or other heat sources.
NOTE: Extended run-up time at low temperatures
Low temperatures result in a prolonged run-up time of the device. Operational availability is reached after a maximum of 5 minutes.
NOTE: Cleaning
Clean the device housing with a soft cloth. Do not use aggressive solvents.

4.2.2 Checking the scope of supply

Before startup, check the scope of supply to ensure nothing is missing.
The scope of supply includes:
–The device – Package slip – Plug-in screw terminal blocks for the power supply connection and inputs/outputs (in-
serted)

4.2.3 mGuard-Firmware

The device must be operated with mGuard firmware version 8.4 or higher.
80
PHOENIX CONTACT 105656_en_05
TC MGUARD RS4000/RS2000 4G

4.3 Installation of TC MGUARD RS4000/RS2000 4G

4.3.1 Mounting/removal

NOTE: Device damage
Only mount and remove devices when the power supply is disconnected.
Mounting The device is ready to operate when it is supplied. The recommended sequence for mount-
ing and connection is as follows:
Mount the TC MGUARD RS4000/RS2000 4G on a grounded 35 mm DIN rail according to DIN EN 60715.
Figure 4-3 Mounting the TC MGUARD RS4000/RS2000 4G on a DIN rail
Attach the top snap-on foot of the TC MGUARD RS4000/RS2000 4G to the DIN rail and then press the TC MGUARD RS4000/RS2000 4G down towards the DIN rail until it engages with a click.
Removal Remove or disconnect the connections.
To remove the TC MGUARD RS4000/RS2000 4G from the DIN rail, insert a screw-
driver horizontally in the locking slide under the housing, pull it down – without tilting the screwdriver – and then pull up the TC MGUARD RS4000/RS2000 4G.
105656_en_05 PHOENIX CONTACT 81
TC MGUARD RS4000/RS2000 4G

4.3.2 Connecting to the network

NOTE: Risk of material damage due to incorrect wiring
Only connect the device network ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the device.
Connect the device to the network. To do this, you need a suitable UTP cable (CAT5)
Connect the internal network interface LAN of the device to the corresponding Ethernet
which is not included in the scope of supply. Use UTP cables with an impedance of 100 Ω.
network card of the configuration computer or a valid network connection of the internal network (LAN).
82
PHOENIX CONTACT 105656_en_05
TC MGUARD RS4000/RS2000 4G
US I2 GND O2
X2
US I3 GND O3
X3
US I1 GND O1
X1

4.3.3 Connecting service contacts

NOTE: Do not connect the voltage and ground outputs to an external source.
The plug-in screw terminal blocks of the service contacts may be removed or inserted during operation of the device.
The TC MGUARD RS4000/RS2000 4G has three digital inputs and outputs. These are con­figured in the web interface, e.g., the starting and stopping of VPN, sending alarms via SMS etc..
The digital inputs and outputs are connected as follows.
Figure 4-4 Service contacts
Control switch CMD Signal output (digital) ACK
US I1, I2, I3 GND O1, O2, O3
Voltage output (+)
Supply voltage
Switching input 11 ... 36 V DC
Ground output (-)
Supply voltage
Short-circuit-proof switch output, maximum 250 mA at 11 ... 36 V DC
X1 ... X3
Example Example
A push button or an on/off switch (e.g., key switch) can be connected between service contacts US and I.
The service contacts O1–O3 are non-floating, continuously short-circuit-proof and supply a maximum of 250 mA.
The switching inputs and switching outputs can be connected with signals from external de­vices, e.g., with PLC signals. In this case, ensure the same potential as well as voltage and current specifications are defined.
Depending on the firmware version used, the service contacts can be used for various switching or signaling tasks.
105656_en_05 PHOENIX CONTACT 83
TC MGUARD RS4000/RS2000 4G

4.3.4 Antennas

To establish a mobile communication connection, matching antennas must be connected to the devices. TC MGUARD RS4000/RS2000 4G have two SMA round plugs for the anten­nas. For optimum LTE reception, always connect two antennas to the devices.
NOTE: Health effects due to RF radiation
A distance of at least 20 cm between persons and the antennas must be maintained during normal operation.
NOTE: Removing operator permissions
Operation of the wireless system is only permitted with accessories supplied by Phoenix Contact. The use of other accessory components may invalidate the operating license.
You can find the approved accessories for this wireless system listed with the product at:
phoenixcontact.net/products.
We recommend the multiband mobile phone antenna with mounting bracket for outdoor in­stallation (TC ANT MOBILE WALL 5M, Article No. 2702273). Also refer to the antenna doc­umentation at phoenixcontact.net/product/2702273
In the case of the TC MGUARD RS2000 4G, the WAN is only available via the mobile net­work, as a WAN interface is not available. The mobile network function is preset. The TC MGUARD RS2000 4G can only be operated in Router mode.
.
Connecting antennas
Figure 4-5 Antenna connection
Connect one or two suitable antennas to the antenna connection. Antenna connection – SMA for mobile communication (ANT1/ANT2“, primary/secondary antenna) –RSMA (GPS)
If the bar graph indicates good or very good reception, affix the antenna (see “Bar graph” on page 79).
84
PHOENIX CONTACT 105656_en_05
TC MGUARD RS4000/RS2000 4G
A
B
D
C

4.3.5 SIM card

To establish a mobile communication connection, the device also requires at least one valid mini SIM card in ID-000 format, via which it assigns and authenticates itself to a mobile net­work.
The TC MGUARD RS4000/RS2000 4G can be equipped with two SIM cards. The SIM card in the SIM 1 slot is the primary SIM card which is normally used to establish the connection. If this connection fails, the device can optionally turn to the second SIM card in slot SIM 2. You can set whether, and under which conditions, the connection to the primary SIM card is restored.
The state of the SIM cards is indicated via two LEDs on the front. The LEDs SIM1 and SIM2 light up green when the SIM card is active. If a PIN has not been entered, the LED flashes green.
Quality of the mobile network connection
The signal strength of the mobile network connection is indicated by three LEDs on the front of the TC MGUARD RS4000/RS2000 4G. The LEDs function as a bar graph (refer to “Bar graph” on page 79).
For stable data transmission, we recommend at least good network reception. If the network reception is only adequate, only SMS messages can be sent and received.
Inserting the SIM card
You will receive a SIM card from the wireless provider on which all data and services for your connection are stored. If you use CDMA networks in the USA (e.g., from Verizon Wireless), you will not receive a SIM card. Change the TC MGUARD RS4000/RS2000 4G to a CDMA provider via the web interface.
Figure 4-6 Insert the SIM card
To insert the SIM card, proceed as follows:
Press the release button.
Remove the SIM card holder.
105656_en_05 PHOENIX CONTACT 85
Insert the SIM card so that the SIM chip remains visible.
Insert the SIM card holder together with the SIM card into the device until this ends flush
with the housing.
TC MGUARD RS4000/RS2000 4G
24V 0V 24V 0V
X4

4.3.6 Connecting the supply voltage

WARNING: The device is designed for operation with a DC voltage of
11 V DC ... 36 V DC/SELV, 800 mA maximum. Therefore, only SELV circuits with voltage limitations according to
IEC 60950/EN 60950/VDE 0805 may be connected to the supply connections and the signal contact.
The supply voltage is connected via a plug-in screw terminal block, which is located on the top of the device.
Figure 4-7 Connecting the supply voltage (TC MGUARD RS4000 4G)
Table 4-3 Supply voltage TC MGUARD RS4000/RS2000 4G
TC MGUARD RS4000 4G TC MGUARD RS2000 4G
The TC MGUARD RS4000 4G has a redundant supply voltage. If you only connect one supply voltage, you will get an error message.
Remove the plug-in screw terminal blocks for the power supply and the service con­tacts.
Wire the supply voltage lines of the X4 mGuard screw terminal block. Tighten the screws on the screw terminal blocks with 0.5 ... 0.8 Nm.
Insert the plug-in screw terminal blocks into the intended sockets on the top of the de­vice.
Status LED P1 lights up green when the supply voltage has been connected properly. On the TC MGUARD RS4000 4G, the status indicator P2 also lights up if there is a redundant supply voltage connection.
The device boots the firmware. The Stat LED flashes green. The device is ready for opera­tion as soon as the Ethernet socket LEDs light up. Additionally, the P1/P2 LEDs light up green and Stat LED flashes green at heartbeat.
Redundant voltage supply (TC MGUARD RS4000 4G)
A redundant supply voltage can be connected. Both inputs are isolated. The load is not dis­tributed. With a redundant supply, the power supply unit with the higher output voltage sup­plies the TC MGUARD RS4000 4G alone. The supply voltage is electrically isolated from the housing.
86
PHOENIX CONTACT 105656_en_05
TC MGUARD RS4000/RS2000 4G
If the supply voltage is not redundant, the TC MGUARD RS4000 4G indicates the failure of the supply voltage via the signal contact. This message can be prevented by feeding the supply voltage via both inputs or by installing an appropriate wire jumper between the con­nections.
105656_en_05 PHOENIX CONTACT 87
TC MGUARD RS4000/RS2000 4G

4.4 Preparing the configuration

4.4.1 Connection requirements

–The TC MGUARD RS4000/RS2000 4G must be connected to at least one active pow-
For local configuration: The computer that is to be used for configuration must be
For remote configuration: The device must be configured so that remote configura-
The device must be connected, i.e., the required connections must be working.

4.5 Configuration in Router mode

On initial startup, the device can be accessed via the following address: – https://192.168.1.1

4.5.1 IP address 192.168.1.1

In Router mode, the device can be accessed via the LAN interface via IP address
192.168.1.1 within network 192.168.1.0/24, if one of the following conditions applies. – The device is in the delivery state. – The device was reset to the default settings via the web interface and restarted. – The rescue procedure (flashing of the device) or the recovery procedure has been
er supply unit.
connected to the LAN socket on the device.
tion is permitted.
performed.
To access the configuration interface, it may be necessary to adapt the network configura­tion of your computer.
Under Windows 7, proceed as follows:
In the Control Panel, open the “Network and Sharing Center”.
Click on “LAN connection”. (The “LAN connection” item is only displayed if a connection
exists from the LAN interface on the computer to a mGuard device in operation or an­other partner).
Click on “Properties”.
Select the menu item “Internet protocol Version 4 (TCP/IPv4)”.
Click on “Properties”.
First select “Use the following IP address” under “Internet Protocol Version 4 Proper-
ties”, then enter the following address, for example:
IP address: 192.168.1.2 Subnet mask: 255.255.255.0 Default gateway: 192.168.1.1
Depending on the configuration of the device, it may then be necessary to adapt the net­work interface of the locally connected computer or network accordingly.
88
PHOENIX CONTACT 105656_en_05
TC MGUARD RS4000/RS2000 4G

4.6 Establishing a local configuration connection

Web-based administrator interface
If you have forgotten the configured address
The device is configured via a web browser that is executed on the configuration computer.
NOTE: The web browser used must support SSL encryption (i.e., HTTPS).
The device can be accessed via the following address:
Table 4-4 Preset address
Network mode Management IP #1 (IP address of the internal interface)
Router https://192.168.1.1/
Proceed as follows:
Start a web browser.
Make sure that the browser, when it is started, does not automatically establish a con-
nection as otherwise the connection establishment to the device may be more difficult.
In Internet Explorer, make the following settings:
In the “Tools” menu, select “Internet Options” and click on the “Connections” tab:
Under “Dial-up and Virtual Private Network settings”, select “Never dial a connection”.
Enter the address of the device completely into the address line of the web browser (re-
fer to Table 4-4).
You access the administrator website of the device.
If the administrator web page of the device cannot be accessed
If the address of the device in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the device must be reset to the default settings specified above for the IP address using the Recovery procedure (see “Performing a recov­ery procedure” on page 93).
If the administrator web page is not displayed
Explanation: As administrative tasks can only be performed using encrypted access, a self-signed certif-
105656_en_05 PHOENIX CONTACT 89
If the web browser repeatedly reports that the page cannot be displayed, try the following:
Disable any active firewalls.
Make sure that the browser does not use a proxy server.
In Internet Explorer (Version 8), make the following settings: “Tools” menu, “Internet Options”, “Connections” tab. Click on “Properties” under “LAN settings”. Check that “Use a proxy server for your LAN” (under “Proxy server”) is not activated in the “Local Area Network (LAN) Settings” dialog box.
If other LAN connections are active on the computer, deactivate them until the configu­ration has been completed.
Under the Windows menu “Start, Settings, Control Panel, Network Connections” or “Network and Dial-up Connections”, right-click on the corresponding icon and select “Disable” in the context menu.
After successful connection establishment
Once a connection has been established successfully, a security alert may be displayed.
icate is supplied with the device.
TC MGUARD RS4000/RS2000 4G
Click “Yes to acknowledge the security alert.
The login window is displayed.
Figure 4-8 Login
To log in, enter the preset user name and password (please note these settings are
User Name: admin Password: mGuard
The device can then be configured via the web interface. For additional information, please refer to the software reference manual.
For security reasons, we recommend you change the default root and administrator pass­words during initial configuration.
case-sensitive):
90
PHOENIX CONTACT 105656_en_05
TC MGUARD RS4000/RS2000 4G

4.7 Remote configuration

Requirement The device must be configured so that remote configuration is permitted.
The option for remote configuration is disabled by default.
Switch on the remote configuration option in the web interface under “Management >> Web Settings”.
How to proceed To configure the device via its web user interface from a remote computer, establish the
connection to the device from there.
Proceed as follows:
Start the web browser on the remote computer.
Under address, enter the IP address where the device can be accessed externally over
the Internet or WAN, together with the port number (if required).
Example If the device can be accessed over the Internet, for example, via address
https://123.45.67.89/ and port number 443 has been specified for remote access, the fol­lowing address must be entered in the web browser of the remote peer: https://123.45.67.89/
If a different port number is used, it should be entered after the IP address, e.g., https://123.45.67.89:442/
Configuration The device can then be configured via the web interface. For additional information, please
refer to the software reference manual.

4.8 Serial interface

Via the serial interface (RS232), a user can access the command line of the device. The fol­lowing parameters must be configured device-specific:
Baud rate: 57600 – Data bits / parity bit / stop bit: 8-N-1 – Hardware handshake RTS/CTS: Off (default)
105656_en_05 PHOENIX CONTACT 91
TC MGUARD RS4000/RS2000 4G
Reset button
4.9 Restart, recovery procedure, and flashing the firm-
The Reset button is used to set the device to one of the following states: – Performing a restart – Performing a recovery procedure – Flashing the firmware/rescue procedure
Figure 4-9 Reset button
ware

4.9.1 Performing a restart

Objective The device is restarted with the configured settings.
Action Press the Reset button for around 1.5 seconds until the Err LED lights up.
(Alternatively, disconnect the power supply and then connect it again.)
92
PHOENIX CONTACT 105656_en_05

4.9.2 Performing a recovery procedure

Objective (8.4.0 or later) mGuard firmware version 8.4.0 or later
The complete configuration (and not only the network configuration) is to be reset to the
delivery state, as it is no longer possible to access the device.
The current configuration will be automatically be saved on the device and can be restored after the recovery procedure is finished.
When performing the recovery procedure, the default network settings are established:
Table 4-5 Preset address
Network mode Management IP #1 (IP address of the internal interface)
Router https://192.168.1.1/
Activity during the recovery procedure (mGuard firmware version 8.4.0 or later)
Before performing the recovery procedure, the current configuration of the device is stored in a newly generated configuration profile ( "Recovery-DATE"). After the recovery proce­dure has finished, the device starts with the Factory Default settings.
The configuration profile named "Recovery DATE" subsequently appears in the list of con­figuration profiles and can be edited and restored with or without changes.
Action Slowly press the Reset button six times.
After approximately two seconds, the Stat LED lights up green.
When the Stat LED has gone out, slowly press the Reset button again six times. If successful, the Stat LED lights up green.
If unsuccessful, the Err LED lights up red.
If successful, the device restarts after two seconds and switches to Router mode. The de­vice can then be reached again under the corresponding address.
TC MGUARD RS4000/RS2000 4G
mGuard firmware version 8.4.0 or later
After the recovery procedure has finished, log in to the web interface of the device.
Open the menu Management >> Configuration Profiles.
Choose the configuration profile, generated during the recovery procedure: „Recov-
ery-DATE“ (e.g. “Recovery-2016.12.01-18:02:50).
Click on the Icon „Edit profile“ to analyze the configuration profile and to restore it with or without changes.
Click on the Icon „Save“ to apply the changes.
105656_en_05 PHOENIX CONTACT 93
TC MGUARD RS4000/RS2000 4G

4.9.3 Flashing the firmware/rescue procedure

Objective The entire mGuard firmware should be reloaded on the device.
All configured settings are deleted. The device is set to the delivery state.
Possible reasons The administrator and root password have been lost.
Requirements Requirements for flashing
NOTE: During flashing, the firmware is always loaded from an SD card first. The firmware
is only loaded from a TFTP server if no SD card is found. The following requirements apply when loading the firmware from an SD card: – All necessary firmware files must be located in a common directory on the first parti-
tion of the SD card – This partition must use a VFAT file system (standard type for SD cards). To flash the firmware from a TFTP server, a TFTP server must be installed on the locally
connected computer (see “Installing the DHCP and TFTP server” on page 268).
NOTE: Installing a second DHCP server in a network could affect the configuration of the entire network.
The mGuard firmware has been obtained from your dealer's support team or the
nixcontact.net/products website and has been saved on a compatible SD card.
This SD card has been inserted into the device. – The relevant firmware files are available for download from the download page of
nixcontact.net/products. The files must be located under the following path names or in
the following folders on the SD card:
Firmware/install-ubi.mpc83xx.p7s
Firmware/ubifs.img.mpc83xx.p7s
phoe-
phoe-
94
PHOENIX CONTACT 105656_en_05
TC MGUARD RS4000/RS2000 4G
Action To flash the firmware or to perform the rescue procedure, proceed as follows:
NOTE: Do not interrupt the power supply to the device during any stage of the flashing
procedure. Otherwise, the device could be damaged and may have to be reactivated by the manufacturer.
Hold down the Reset button until the Stat, Mod, and Sig LEDs light up green. Then, the
device is in the recovery state.
Release the Reset button within a second of entering the recovery state.
If the Reset button is not released, the device is restarted.
The device now starts the rescue system: It searches for a DHCP server via the LAN
interface in order to obtain an IP address. (Exception: if an SD card is inserted into the
device with corresponding firmware, the rescue system is started from there).
The Stat LED flashes.
The “install.p7s” file is loaded from the TFTP server or SD card. It contains the electron-
ically signed control procedure for the installation process. Only files that are signed are
executed.
The control procedure deletes the current contents of the Flash memory and prepares
for a new firmware installation.
The Stat, Mod, and Sig LEDs form a running light.
The “jffs2.img.p7s” firmware file is downloaded from the TFTP server or SD card and
written to the Flash memory. This file contains the actual mGuard operating system and
is signed electronically. Only files signed by Phoenix Contact are accepted.
This process takes around 3 to 5 minutes. The Stat LED is lit continuously.
The new firmware is extracted and configured. This procedure takes 1 to 3 minutes.
As soon as the procedure is complete, the Stat, Mod, and Sig LEDs flash green simultane­ously.
Restart the device. To do so, press the Reset button.
(Alternatively, disconnect the power supply and then connect it again.)
The device is in the delivery state. You can now configure it again (see “Establishing a local configuration connection” on page 89):
105656_en_05 PHOENIX CONTACT 95
TC MGUARD RS4000/RS2000 4G

4.10 Technical data

Hardware properties TC MGUARD RS4000 4G TC MGUARD RS2000 4G
Platform Freescale network processor Freescale network processor
Network interfaces 4 LAN Ports (managed) | 1 DMZ port |
Wireless interface WAN | GSM | GPRS | EDGE | UMTS | CD-
SIM interfaces (1 + 2) 1.8 V | 3 V, redundant 1.8 V | 3 V, redundant
Data rate 14.4 Mbps (HSDPA) 14.4 Mbps (HSDPA)
Other interfaces Serial RS-232 | D-SUB 9 connector
Memory 128 MB RAM | 128 MB Flash | SD card
Redundancy options Optional: VPN | router and firewall
Power supply Voltage range 11 ... 36 V DC, redundant Voltage range 11 ... 36 V DC, redundant
Power consumption typical < 200 mA (24 V DC) |
Humidity range 5% ... 95% (operation, storage), non-con-
Degree of protection IP20 IP20
Temperature range -40°C ... +60°C (operation)
Vibration resistance in acc. with EN 60068-2-6/IEC 60068-2-6 5g, 10-150 Hz, 2.5 h, in XYZ direction 5g, 10-150 Hz, 2.5 h, in XYZ direction
Dimensions (H x W x D) 130 x 45 x 114 mm (up to DIN rail support) 130 x 45 x 114 mm (up to DIN rail support)
Weight 850 g 835 g
1WAN port Ethernet IEEE 802.3 10/100-BaseTX RJ45 | full duplex | auto MDIX
MA2000
3 digital inputs and 3 digital outputs
Replaceable configuration memory
maximum < 800 mA (10 V DC)
densing
-40°C ... +70°C (storage)
4 LAN ports (unmanaged) Ethernet IEEE 802.3 10/100-BaseTX RJ45 | full duplex | auto MDIX
WAN | GSM | GPRS | EDGE | UMTS | CD­MA2000
Serial RS-232 | D-SUB 9 connector 3 digital inputs and 3 digital outputs
128 MB RAM | 128 MB Flash | SD card Replaceable configuration memory
typical < 200 mA (24 V DC) | maximum < 800 mA (10 V DC)
5% ... 95% (operation, storage), non-con­densing
-40°C ... +60°C (operation)
-40°C ... +70°C (storage)
Firmware and power values TC MGUARD RS4000 4G TC MGUARD RS2000 4G
Firmware compatibility For mGuard v8.4.1 or later: Phoenix Contact recommends the use of the latest firm-
Data throughput (Firewall) Router mode, default firewall rules, bidirectional throughput: 110 Mbps, maximum
Virtual Private Network (VPN) IPsec (IETF standard)
Hardware-based encryption DES | 3DES | AES-128/192/256 DES | 3DES | AES-128/192/256
Data throughput encrypted (IPsec VPN) Router mode, default firewall rules, bidirectional throughput: 30 Mbps, maximum
Data throughput (mobile) Depending on the mobile connection
Management support Web GUI (HTTPS) | command line interface (SSH) | SNMP v1/2/3 | central device man-
Diagnostics 13 LEDs (Power 1 + 2, State, Error, Signal, Fault, Modem, Info, Signal Status, SIM Sta-
96
PHOENIX CONTACT 105656_en_05
ware version and patch releases in each case. For the scope of functions, please refer to the relevant firmware data sheet.
Stealth mode, default firewall rules, bidirectional throughput: 50 Mbps, maximum When using the DMZ as independent network zone, the maximum possible data
throughput is distributed to the three zones.
IPsec (IETF standard)
Optionally up to 250 VPN tunnels
Stealth mode, default firewall rules, bidirectional throughput: 20 Mbps, maximum When using the DMZ as independent network zone, the maximum possible data
throughput is distributed to the three zones.
50 Mbit/s (LTE) upload 150 Mbit/s (LTE) download
agement software
tus) | Service I/O| Log File | Remote Syslog
Up to 2 VPN tunnels
TC MGUARD RS4000/RS2000 4G
Emitted interference in acc. with EN 61000-6-4 TC MGUARD RS4000 4G TC MGUARD RS2000 4G
Radio interference voltage in acc. with EN 55011 EN 55011 class A industrial area of application
Emitted radio interference in acc. with EN 55011 EN 55011 class A industrial area of application
Noise emission Criterion A Criterion B
EN 61000-6-4 Normal operating behavior within the specified limits Criterion B Temporary impairment of operating behavior that is corrected by the device
itself
Other TC MGUARD RS4000 4G TC MGUARD RS2000 4G
Conformance CE | electrical isolation (VCC//PE)
Special features GPS / GLONASS receiver | realtime clock | Trusted Platform Module (TPM) | tempera-
ture sensor | mGuard Secure Cloud ready
105656_en_05 PHOENIX CONTACT 97
TC MGUARD RS4000/RS2000 4G
98
PHOENIX CONTACT 105656_en_05

5 FL MGUARD RS2000 TX/TX-B

Table 5-1 Currently available products

Product designation Phoenix Contact order number

FL MGUARD RS2000 TX/TX-B 2702139
Product description
The FL MGUARD RS2000 TX/TX-B is an industrial router which offers static routing, NAT routing, 1:1 NAT routing, and port forwarding functions.
The device supports a replaceable configuration memory in the form of an SD card (an SD card is not supplied as standard). The fanless metal housing is mounted on a DIN rail.
FL MGUARD RS2000 TX/TX-B
Figure 5-1 FL MGUARD RS2000 TX/TX-B
105656_en_05 PHOENIX CONTACT 99
FL MGUARD RS2000 TX/TX-B
LEDs, see Table 5-2
For plug-in screw terminal blocks, assign­ment, refer to Page 103 and Page 107
Configuration
(SD card)
Connections at bottom: 9-pos. serial interface (console)
Reset button

5.1 Operating elements and LEDs

Figure 5-2 Operating elements and LEDs on the FL MGUARD RS2000 TX/TX-B
Table 5-2 LEDs on the FL MGUARD RS2000 TX/TX-B
LED State Meaning P1 Green On Power supply 1 is active P2 Green Off Redundant supply not provided STAT Green Flashing Heartbeat. The device is correctly connected and operating. ERR Red Flashing System error. Restart the device.
Press the Reset button (for 1.5 seconds). – Alternatively, briefly disconnect the device power supply and then connect it
again.
If the error is still present, start the recovery procedure (see Page 112) or contact your dealer.
STAT+ E R R Flashing alter-
nately: green and red
SIG –(Not used) FAULT Red On The signal output is open due to an error at “low” signal (see Page 105). The signal
MOD Green Off (Connection via modem is not provided) INFO Green Off (VPN connection is not provided) LAN Green On The LAN/WAN LEDs are located in the LAN/WAN sockets (10/100 and duplex LED) WAN Green On
Boot process. When the device has just been connected to the power supply. After
a few seconds, this LED changes to the heartbeat state.
output is inactive during a restart.
Ethernet status: Indicates the status of the LAN or WAN port. As soon as the device is connected to the relevant network, a continuous light indicates that there is a con­nection to the network partner in the LAN or WAN. When data packets are transmit­ted, the LED goes out briefly.
100
PHOENIX CONTACT 105656_en_05
Loading...
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use