Rockwell Automation 1756-EN2TSC User Manual

User Manual
EtherNet/IP Secure Communication
Catalog Number 1756-EN2TSC

Important User Information

Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.
If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.
In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.
The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software described in this manual.
Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.
Throughout this manual, when necessary, we use notes to make you aware of safety considerations.
WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.
ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.
IMPORTANT: Identifies information that is critical for successful application and understanding of the product.
Labels may also be on or inside the equipment to provide specific precautions.
SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.
BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.
ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).
Allen-Bradley, Rockwell Software, Rockwell Automation, ControlFLASH, ControlLogix, FactoryTalk View, FLEX, Logix5000, POINT I/O, PowerFlex, RSLinx, RS View, and Studio 5000 are trademarks of Rockwell Automation, Inc.
Trademarks not belonging to Rockwell Automation are property of their respective companies.

Summary of Changes

This manual contains new and updated information. Changes throughout this revision are marked by change bars, as shown to the right of this paragraph.

New and Updated Information

This table contains the changes made to this revision.
Topic: Clearer information on configuring an L2TP connection for a secure tunnel between the 1756-EN2TSC module and a Windows client
Page: Chapter 3
Rockwell Automation Publication ENET-UM003B-EN-P - September 2013 3

Table of Contents

Preface
    Additional Resources 7
Chapter 1: Secure Communication Architecture
    Considerations 10
        Local Chassis Security 11
    Network Access Security 12
        IPsec Association 13
    Performance 14
        Traffic Filtering 14
Chapter 2: Get Started
    Initial Powerup 16
        Default Credentials 18
    Configuration Overview 18
    Assign Network Settings 19
        Change Network Settings via the Module Web Page 19
    Create User Accounts 21
        Edit Access Limits 22
    Generate HTTPS Certificate 23
        Certificates 24
    Backup / Restore 25
Chapter 3: Configure a Secure Connection to a Microsoft Windows Client
        L2TP Connections 28
    Configure a Mobile Client 29
    Configure a Connection to a Microsoft Windows Client 34
        Interface Metric 41
    Open the VPN Connection to the 1756-EN2TSC Module 42
    Communicate to the Module via an RSLinx Driver 43
Chapter 4: Configure Secure Communication Between Two 1756-EN2TSC Modules
    Configure the First (Local) Module 47
    Configure the Second (Remote) Module 48
    Test the Connection 49
    Edit the Security Association 49
Chapter 5: Configure a Secure Connection to a VPN Appliance
    Configure the Module to Connect to a VPN Appliance 53
    Edit the Security Association 54
Chapter 6: Diagnostics
    Diagnostic Web Pages 57
    Secure Tunnel Diagnostics Web Page 58
    Status Indicators 59
        Link (LINK) Status Indicator 59
        Network (NET) Status Indicator 60
        OK Status Indicator 60
Index

Preface

The 1756-EN2TSC is a security-enhanced version of the 1756-EN2T EtherNet/IP communication module. This module is designed for applications that need to limit network access to a control system from within the plant network. This module is not intended to connect any devices in the local 1756 backplane to devices outside of the plant firewall.

Additional Resources

These documents contain additional information concerning related products from Rockwell Automation.
Resource                                                                                        Description
1756 ControlLogix Communication Modules Specifications Technical Data, publication 1756-TD003   Specifications for ControlLogix communication modules
EtherNet/IP Network Configuration User Manual, publication ENET-UM001                           Guidelines for configuring EtherNet/IP network parameters
EtherNet/IP Modules Installation Instructions, publication ENET-IN002                           Guidelines for installing EtherNet/IP modules
Ethernet Design Considerations Reference Manual, publication ENET-RM002                         Guidelines for Ethernet networks
Industrial Automation Wiring and Grounding Guidelines, publication 1770-4.1                     Guidelines for installing a Rockwell Automation industrial system
Product Certifications website, http://www.ab.com                                               Declarations of conformity, certificates, and other certification details
You can view or download publications at http://www.rockwellautomation.com/literature/. To order paper copies of technical documentation, contact your local Allen-Bradley distributor or Rockwell Automation sales representative.

Chapter 1

Secure Communication Architecture

Topic                       Page
Network Access Security       12
Performance                   14

Many control systems currently use 1756-EN2T and 1756-ENBT modules to connect ControlLogix® systems to plant-level systems. A 1756-EN2TSC module offers the same connectivity, as well as additional security options to protect access to resources on the local backplane from the plant network. Use the 1756-EN2TSC module to establish secure tunnels with peer modules, Windows 7 clients, and VPN appliances.

[Figure: Secure communication architecture. Zones shown: Enterprise Zone (Levels 4 and 5); Demilitarized Zone (DMZ); Manufacturing Zone, Site Manufacturing Operations and Control (Level 3); Level 0…2. Tunnels shown: Secure Tunnel Between 1756-EN2TSC Module and Windows 7 Client; Peer-to-Peer Secure Tunnel Between 1756-EN2TSC Modules; Secure Tunnel Between 1756-EN2TSC Module and VPN Appliance; ControlLogix Chassis with 1756-EN2TSC Module.]
The 1756-EN2TSC module provides a level of protection against unauthorized network access, either malicious or accidental, to a ControlLogix controller via an EtherNet/IP connection. The 1756-EN2TSC module uses the IPsec protocol suite to provide a secure communication tunnel.
The 1756-EN2TSC module is intended for use behind an existing firewall/DMZ that protects the plant network from outside access. This module is not intended to be connected directly to the public Internet or to provide a mechanism by which remote access is provided to a network. The module does not provide the ability to expose a private network address range via IPsec; only the module’s IP address is available.

Considerations

Out of the box, the module functions just like a 1756-EN2T module, except that the module does not support the following:
Integrated motion on EtherNet/IP networks
ControlLogix redundancy systems
SIL 2 applications
Email capabilities
EtherNet/IP socket interface
Once security is enabled, modules like POINT I/O™ adapters, FLEX™ I/O adapters, and PowerFlex® drives are not able to establish a secure connection because they do not support secure tunnels.
When security is enabled, the module connects with:
Upper level systems and user workstations with Windows 7 operating systems
Cisco ASA security appliances
Other 1756-EN2TSC modules
The module supports the current versions of common web browsers, such as Internet Explorer (8 and 9). For security reasons, Secure Sockets Layer (SSL) 2.0 is disabled in the module. Browsers must enable support for cryptographic protocols SSL 3.0 or Transport Layer Security (TLS) 1.0.
The 1756-EN2TSC module lets only those devices with proper credentials access the module. This module is intended for use behind an existing firewall/DMZ that protects the plant network from outside access.
To minimize complexity, the module supports the following authentication and encryption methods.
IPsec technology with as many as 8 VPN tunnels (only one of which can be a Cisco ASA connection)
Pre-shared key authentication
AES encryption (128, 192, and 256 bit)

Local Chassis Security

You can use the 1756-EN2TSC module with the following features to prevent unauthorized access to a controller in the local chassis.
The trusted slot feature (in the controller properties) designates slots in the local chassis as trusted. When the trusted slot feature is enabled, the controller denies communication through paths that are not trusted. This requires authentication to the module for anyone to access the controller with programming software.
The serial number lock feature (in the 1756-EN2TSC module properties) in conjunction with the trusted slot features restricts communication through a module in the trusted slot with the specific serial number.
[Figure: ControlLogix chassis with a Logix5575 controller. Access paths shown: DeviceNet Access via 1756-DNB; EtherNet/IP Access via 1756-EN2T; Secure Plant Network Access via 1756-EN2TSC.]
IMPORTANT: The trusted slot and serial number lock features are for applications that have concern with physical access to and tampering with the controller.
IMPORTANT: Use caution with these features and make sure you have the controller project backed up in a secure location. If the module becomes disabled for any reason, you have to download to the controller to recover.

Network Access Security

The 1756-EN2TSC module uses the Internet Protocol Security (IPsec) technology to provide secure communication over the Ethernet network. IPsec is widely deployed and is often used to create Virtual Private Networks (VPNs). IPsec provides the following security features:
Authentication of the communication end points (both client and server)
Data authenticity and integrity (via message integrity checks)
Data confidentiality (via encryption algorithms)
Use of the IPsec protocol suite lets you use the Microsoft Windows VPN client to connect securely to the module. IPsec also lets the module create secure tunnels with other 1756-EN2TSC modules and with off-the-shelf VPN appliances.
The module does not provide access to a private network.
While the module supports secure communication, the module is not intended to be connected directly to the public Internet and provide a VPN function, or be the mechanism by which remote access is provided to a network. The module does not provide the ability to expose a private network address range via IPsec—only the module’s IP address is available.
The module does the following:
Secures access to the controller and I/O modules in the local chassis
Secures bridge access to other networks accessible within the local chassis
As part of establishing the secure tunnel, both endpoints must authenticate with each other and exchange information to ensure secure data transfer. When security is enabled, the module is able to connect only with the following:
Upper level systems and user workstations with Windows 7 operating systems
Cisco ASA security appliances
Other 1756-EN2TSC modules

IPsec Association

Once the IPsec association is established, data between the two endpoints is fully encrypted (except for produced/consumed tags) or optionally sent unencrypted, but with a cryptographic message integrity code.
Capability                        Description
Authentication Method             Pre-shared key (PSK). Configure a secret key on each of the endpoints.
Header Format                     Encapsulating Security Payload (ESP)
Mode                              Tunnel mode (default); Transport mode if the module cannot negotiate tunnel mode (such as with a Microsoft Windows 7 client)
Internet Key Exchange             IKE version 1; IKE version 2
Lifetime(s)                       IKE and IPsec lifetimes are user-configurable
PFS Group                         None
DH Key Group                      Group 2 = modp1024 (default); groups 5, 14, 15, 16, 17, and 18 supported
IKE Encryption Algorithm          AES (128 bit); AES (192 bit); AES (256 bit)
IKE Authentication Algorithm      SHA-1
IPsec Encryption Algorithm        AES (128 bit); AES (192 bit); AES (256 bit); None
IPsec Authentication Algorithm    SHA-1
As long as IPsec traffic is received, the connection is considered alive. Your VPN connection can recover without having to re-authenticate if you lose your connection for a very short period of time (a few seconds). However, if the time since the last received packet is greater than the timeout interval, the connection times out. This interval is common to all IPsec connections and is not configurable. The default keepalive timeout is 30 seconds.
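To check whether a peer's IKE/IPsec proposal (for example, the settings entered on a VPN appliance) can be negotiated with the module, the following Python example compares it against the capability table above. It is an added example, not Rockwell code; the capability set is transcribed from the table, while the proposal keys, value spellings and function names are this example's own conventions.

```python
"""Compatibility check of a peer's IKE/IPsec proposal against the module.

Added example, not Rockwell code. MODULE_CAPABILITIES is transcribed from the
IPsec Association table in this manual; the proposal keys, value spellings and
function names are this example's own conventions (assumptions), not a module API.
"""

# What the module can negotiate, per the IPsec Association table.
# None means "no PFS" / "no ESP encryption (integrity only)".
MODULE_CAPABILITIES = {
    "auth_method":    {"psk"},
    "header":         {"esp"},
    "mode":           {"tunnel", "transport"},
    "ike_version":    {1, 2},
    "dh_group":       {2, 5, 14, 15, 16, 17, 18},
    "pfs_group":      {None},
    "ike_encryption": {"aes128", "aes192", "aes256"},
    "ike_integrity":  {"sha1"},
    "esp_encryption": {"aes128", "aes192", "aes256", None},
    "esp_integrity":  {"sha1"},
}

DEFAULT_DH_GROUP = 2  # Group 2 = modp1024 is the module default


def _as_set(value):
    """A peer may offer one value or a list of alternatives for a parameter."""
    if isinstance(value, (list, tuple, set, frozenset)):
        return set(value)
    return {value}


def check_proposal(proposal: dict) -> dict:
    """Compare a peer proposal with MODULE_CAPABILITIES.

    Returns {"errors": [...], "warnings": [...]}. An empty "errors" list means
    every parameter has at least one alternative the module supports, so the
    tunnel can come up; "warnings" flag choices a reviewer should look at.
    """
    errors, warnings = [], []
    for key, supported in MODULE_CAPABILITIES.items():
        if key not in proposal:
            errors.append(f"{key}: not specified by peer")
            continue
        offered = _as_set(proposal[key])
        if not (offered & supported):
            errors.append(f"{key}: peer offers {sorted(map(str, offered))}, "
                          f"module supports {sorted(map(str, supported))}")
    if not errors:
        # ESP with no encryption is accepted by the module but gives integrity only.
        if _as_set(proposal["esp_encryption"]) == {None}:
            warnings.append("esp_encryption: None gives integrity but no confidentiality")
        # Group 2 (modp1024) is the default; groups 14-18 are also supported.
        common_dh = _as_set(proposal["dh_group"]) & MODULE_CAPABILITIES["dh_group"]
        if common_dh == {DEFAULT_DH_GROUP}:
            warnings.append("dh_group: only the default group 2 (modp1024) in common; "
                            "groups 14-18 are also supported")
    return {"errors": errors, "warnings": warnings}


# Constructed proposals for illustration (not captured from any real peer).
PEER_OK = {
    "auth_method": "psk", "header": "esp", "mode": "tunnel", "ike_version": 2,
    "dh_group": [14, 2], "pfs_group": None,
    "ike_encryption": ["aes256", "aes128"], "ike_integrity": "sha1",
    "esp_encryption": "aes256", "esp_integrity": "sha1",
}
PEER_BAD = {
    "auth_method": "psk", "header": "esp", "mode": "tunnel", "ike_version": 2,
    "dh_group": 19, "pfs_group": 14,                         # ECP group and PFS: unsupported
    "ike_encryption": "aes256", "ike_integrity": "sha256",   # SHA-256: unsupported
    "esp_encryption": "aes256", "esp_integrity": "sha1",
}

if __name__ == "__main__":
    for name, peer in (("PEER_OK", PEER_OK), ("PEER_BAD", PEER_BAD)):
        print(name, check_proposal(peer))
```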

Performance

The basic communication capability of the module is the same as the 1756-EN2T module.
The module supports the same number of TCP and CIP connections as the 1756-EN2T module (256 CIP connections and 128 TCP/IP connections).
The module supports configuration of IPsec associations with as many as 8 IP addresses (devices); only 1 of which can be a Cisco ASA connection.
The module supports CIP Sync communication.

Traffic Filtering

When IPsec is enabled, the module blocks traffic that is not received via a VPN client, another peer with an IPsec connection, or an appliance with an IPsec connection, with these exceptions:
BOOTP/DHCP traffic (to let the module obtain an IP address)
HTTPS traffic (needed to configure the module)
CIP Sync packets (you have the option to disable CIP Sync)
Logix produced/consumed tags (the establishment of the produced/consumed connection occurs via IPsec)
1756 I/O connections in a remote chassis
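The following Python model, added here and not Rockwell firmware logic, applies the filtering rules above to constructed sample traffic and reports which traffic classes still reach the module in the clear. Mapping the manual's traffic classes to well-known ports (BOOTP/DHCP UDP 67/68, HTTPS TCP 443, IEEE 1588 PTP UDP 319/320 for CIP Sync, EtherNet/IP implicit I/O UDP 2222, explicit messaging TCP 44818) is this example's simplification, not a statement from the manual.

```python
"""Model of what a 1756-EN2TSC module accepts once IPsec is enabled.

Added example, not Rockwell firmware logic. The exceptions are the ones listed
in the Traffic Filtering section; the port mapping below is this example's own
simplification (assumption), since the manual names traffic classes, not ports.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str        # "tcp" or "udp"
    dst_port: int
    via_ipsec: bool   # True if delivered inside an established IPsec association


def traffic_class(pkt: Packet) -> str:
    """Name the manual's traffic class for a packet (assumed port mapping)."""
    if pkt.proto == "udp" and pkt.dst_port in (67, 68):
        return "bootp_dhcp"                 # lets the module obtain an IP address
    if pkt.proto == "tcp" and pkt.dst_port == 443:
        return "https"                      # module configuration web pages
    if pkt.proto == "udp" and pkt.dst_port in (319, 320):
        return "cip_sync"                   # IEEE 1588 PTP event/general messages
    if pkt.proto == "udp" and pkt.dst_port == 2222:
        return "implicit_io"                # produced/consumed tags, 1756 remote I/O
    if pkt.dst_port == 44818:
        return "explicit_cip"               # RSLinx, Studio 5000, ControlFLASH, ...
    return "other"


# Traffic classes the module accepts in the clear while IPsec is enabled.
CLEARTEXT_EXCEPTIONS = {"bootp_dhcp", "https", "implicit_io"}


def filter_packet(pkt: Packet, cip_sync_enabled: bool = True) -> tuple:
    """Return ("allow" | "drop", reason) for one packet under the IPsec policy."""
    cls = traffic_class(pkt)
    if pkt.via_ipsec:
        return "allow", f"{cls}: inside an IPsec association"
    if cls in CLEARTEXT_EXCEPTIONS:
        return "allow", f"{cls}: documented exception, accepted in the clear"
    if cls == "cip_sync":
        if cip_sync_enabled:
            return "allow", "cip_sync: documented exception, accepted in the clear"
        return "drop", "cip_sync: disabled in module configuration"
    return "drop", f"{cls}: not inside an IPsec association"


def cleartext_exposure(pkts, cip_sync_enabled: bool = True) -> set:
    """Traffic classes that reached the module without IPsec: the surface a
    perimeter firewall in front of the module still has to control."""
    return {
        traffic_class(p) for p in pkts
        if not p.via_ipsec and filter_packet(p, cip_sync_enabled)[0] == "allow"
    }


# Constructed sample traffic; addresses are documentation-range placeholders.
SAMPLE_TRAFFIC = [
    Packet("192.0.2.10", "tcp", 44818, via_ipsec=False),  # RSLinx outside the tunnel
    Packet("192.0.2.10", "tcp", 44818, via_ipsec=True),   # same client, via VPN
    Packet("192.0.2.20", "tcp", 443, via_ipsec=False),    # module web page
    Packet("192.0.2.30", "udp", 2222, via_ipsec=False),   # produced/consumed data
    Packet("192.0.2.40", "udp", 319, via_ipsec=False),    # CIP Sync
    Packet("192.0.2.50", "tcp", 22, via_ipsec=False),     # unrelated traffic
]

if __name__ == "__main__":
    for pkt in SAMPLE_TRAFFIC:
        print(pkt.src, pkt.proto, pkt.dst_port, *filter_packet(pkt))
    print("reachable in the clear:", sorted(cleartext_exposure(SAMPLE_TRAFFIC)))
```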
If the 1756-EN2TSC module is the trusted slot for a ControlLogix chassis, the following traffic to the controller must go through the 1756-EN2TSC module.
RSLinx® Classic traffic (such as Studio 5000™ and ControlFLASH communication)
RSLinx Enterprise traffic (such as FactoryTalk View® SE and FactoryTalk View ME communication)

Chapter 2

Get Started

Topic                          Page
Initial Powerup                  16
Configuration Overview           18
Assign Network Settings          19
Create User Accounts             21
Generate HTTPS Certificate       23
Backup / Restore                 25

This chapter describes the initial configuration settings required for the module. After setting up the module, see the next chapters for security configuration examples.
For information on installing the module, see EtherNet/IP Network Modules Installation Instructions, publication ENET-IN002.
Add the module to a controller project the same as you add a 1756-EN2T module. All security-related configuration is via the module web pages.
IMPORTANT: When you finish using the web pages, close the web browser. This prevents any user on a shared computer from accessing the web pages.
IMPORTANT: Configure all security parameters via the web server. In the Address field of your web browser, enter the IP address that displays on the front of the module.
[Figure: The module's Home page, shown after you specify the IP address of the web server module in the Address window of your web browser.]

Initial Powerup

The 1756-EN2TSC module has an embedded HTTPS server that it uses to provide secure web communication. An HTTPS server uses a certificate so that the client can verify server authenticity. For web sites connected to the Internet, certificates are normally signed by a trusted certificate authority. Web browsers are then able to verify the authenticity of the web server by virtue of its certificate.
The module comes with a self-signed certificate because the module is not directly connected to the Internet. Self-signed certificates are not signed by a known, trusted authority, so they must be explicitly accepted by the user when connecting via the web browser.
On initial powerup, the module generates a new certificate for the embedded HTTPS server. This can take up to several minutes. During this process, the message ‘SSL certificate generation in progress’ is shown on the module display. Wait until the module is fully booted and ‘OK’ is shown on the display before accessing the module by using a web browser.
1. In the Address field of your web browser, enter the IP address that displays on the front of the module.
When you enter the IP address, you must enter the prefix https:// in the address. If you enter an http:// prefix, the module redirects to the https:// prefix.
2. After the web browser connects to the server, a warning message is shown about the certificate not being signed by a trusted authority.
Accept this message and continue to the web page.
IMPORTANT: In general, do not accept a certificate that is not signed by a trusted authority. In the case of initial powerup, however, the module has a self-signed certificate, so continue to the website even though the message says this option is not recommended.
The self-signed certificate warning continues to display unless you add the certificate to the list of exceptions for the web browser.
3. After accepting the self-signed certificate, enter the user name and password.
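Rather than accepting the self-signed certificate blindly on every visit, record its fingerprint once and compare it on later connections. The Python example below, added here and not Rockwell tooling, does that trust-on-first-use check; the host address, port and pin-file path are illustrative assumptions.

```python
"""Trust-on-first-use pinning of the module's self-signed HTTPS certificate.

Added example, not Rockwell tooling. Instead of clicking through the browser
warning on every visit, record the certificate's SHA-256 fingerprint once,
confirm it out of band (for example against the module's Certificates web page),
and refuse later connections whose certificate differs. Host, port and pin-file
path are illustrative assumptions.
"""
import hashlib
import json
import socket
import ssl
from pathlib import Path


def fetch_module_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server certificate (DER) without chain validation.

    Validation is disabled on purpose: the certificate is self-signed, so the
    pin comparison below is what authenticates the module. The manual lists
    SSL 3.0 / TLS 1.0 for the module, so the client floor is lowered to TLS 1.0
    (OpenSSL 3 builds may additionally need ctx.set_ciphers("DEFAULT@SECLEVEL=0")).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, colon-separated hex as browsers display it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(der: bytes, host: str, pins: dict) -> str:
    """Compare a certificate with the stored pin for host, updating pins in place.

    Returns "pinned" when no pin existed yet (the fingerprint is recorded; verify
    it out of band before relying on it) or "match" when the stored pin agrees.
    Raises ValueError on a mismatch: expected after you regenerate the HTTPS
    certificate on the module, and worth investigating otherwise.
    """
    fp = cert_fingerprint(der)
    if host not in pins:
        pins[host] = fp
        return "pinned"
    if pins[host] != fp:
        raise ValueError(f"{host}: certificate changed, expected {pins[host]}, got {fp}")
    return "match"


def load_pins(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_pins(path: Path, pins: dict) -> None:
    path.write_text(json.dumps(pins, indent=2, sort_keys=True))


if __name__ == "__main__":
    module_host = "192.0.2.1"              # placeholder: the IP shown on the module display
    pin_path = Path("en2tsc_pins.json")   # assumed location of the pin store
    pins = load_pins(pin_path)
    result = check_pin(fetch_module_cert_der(module_host), module_host, pins)
    save_pins(pin_path, pins)
    print(result, pins[module_host])
```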

Default Credentials

Default credentials are case sensitive and are as follows:
User name : Administrator
Password: admin
You are prompted to change the password on the Administrator account. Enter the new password and click Change.
The browser prompts you to authenticate again. Use the Administrator user name and new password.

Configuration Overview

The left pane of the web browser is a navigation tree to configure and maintain the module.
See the next chapters in this manual for different security configurations.

Assign Network Settings

By default, the module is BOOTP enabled.
Do not simply configure the initial address assigned to the module as a static IP address. Contact your network administrator for an appropriate static IP address.
Choose one of the following methods to assign an IP address:
Rotary switches on the module (before you install the module)
Rockwell BOOTP/DHCP utility (available with RSLinx and Studio 5000 software)
RSLinx software
Studio 5000 software
For information on assigning network parameters, see EtherNet/IP Network Configuration User Manual, publication ENET-UM001.

Change Network Settings via the Module Web Page

Choose Administrative Settings > Device Configuration > Network Configuration. An authenticated user can modify network parameters.
In This Field                                 Specify
Ethernet Interface Configuration              The network configuration scheme: Dynamic BOOTP (default); Dynamic DHCP; Static. If you want to specify a static IP address for the module, you must also choose Static for the Ethernet Interface Configuration field.
IP Address                                    IP address for the module.
Subnet Mask                                   Subnet mask for the module.
Default Gateway                               Gateway address for the module.
Primary Server Name, Secondary Server Name    DNS server addresses, if you are using DNS addressing within your Logix program.
Domain Name                                   Domain name for the web server module, if you are using DNS addressing within your Logix program.
Host Name                                     Host name for the module.
Name Resolution (DNS)                         Whether the module uses DNS addressing within your Logix program.
Autonegotiate Status                          How to determine port speed and duplex: Autonegotiate speed and duplex (recommended); Force speed and duplex.
Select Port Speed                             Port speed (10 Mbps or 100 Mbps), if you chose to force speed and duplex.
Select Duplex Mode                            Duplex (full or half), if you chose to force speed and duplex.