Siemens SINEMA Remote Connect, SINEMA Remote Connect 64, SINEMA Remote Connect 256, SINEMA Remote Connect 1024 Operating Instructions Manual

SIMATIC NET
Industrial Remote Communication - Remote Networks
SINEMA Remote Connect - Server
Operating Instructions
11/2017
C79000-G8976-C383-04

Preface
1 Application and properties
2 Requirements for operation
3 Installation and commissioning
4 Configuring with Web Based Management
5 Upkeep and maintenance
A Appendix A
B Appendix B

Siemens AG, Division Process Industries and Drives, Postfach 48 48, 90026 NÜRNBERG, GERMANY
C79000-G8976-C383-04
Copyright © Siemens AG 2014 - 2017. All rights reserved

Legal information

Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are graded according to the degree of danger.
DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION
indicates that minor personal injury can result if proper precautions are not taken.
NOTICE
indicates that property damage can result if proper precautions are not taken.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.

Proper use of Siemens products
Note the following:
WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

12/2017 Subject to change

Preface

Purpose of this documentation
This manual supports you when installing, configuring and operating the application SINEMA RC Server.

Validity of this documentation
This manual is valid for the following software version:
SINEMA Remote Connect as of version V1.3

Article numbers - licenses
The following licenses are available for the product:

Product name                  Article number        Number of configurable participants (users and devices)
SINEMA Remote Connect         6GK1720-1AH01-0BV0    4
SINEMA Remote Connect 64      6GK1722-1JH01-0BV0    +64
SINEMA Remote Connect 256     6GK1722-1MH01-0BV0    +256
SINEMA Remote Connect 1024    6GK1722-1QH01-0BV0    +1024

Also available for enabling connection to the SINEMA Remote Connect server:

Product name                                          Article number
SINEMA Remote Connect Client                          6GK1721-1XG01-0AA0
KEY-PLUG SINEMA RC (SCALANCE M-800, SCALANCE S615)    6GK5908-0PB00

SINEMA Remote Connect - Server Operating Instructions, 11/2017, C79000-G8976-C383-04
Supported products
The following products are suitable for connecting to the SINEMA RC Server:
SCALANCE M-800
SCALANCE S615
SINEMA RC Client
SCALANCE S602, SCALANCE S612, SCALANCE S623, SCALANCE S627-2M
SCALANCE SC632-2C, SCALANCE SC636-2C, SCALANCE SC642-2C, SCALANCE SC646-2C
RTU3030C
CP1243-1
CP1543-1
In the section "Connectable nodes (Page 19)" you will find information about which product versions and SINEMA RC versions are compatible with each other.

Abbreviations/acronyms and terminology
SINEMA RC
In the remainder of the manual, the "SINEMA Remote Connect" software is abbreviated to "SINEMA RC".
SCALANCE M-800
This abbreviation applies to the following devices if the content of the description applies equally to these devices in the relevant context:
– SCALANCE M874-2
– SCALANCE M874-3
– SCALANCE M876-3
– SCALANCE M876-4
– SCALANCE M812
– SCALANCE M816

New in this release
Smartcard authentication (PKI, 2-factor authentication)
Debug login
Variable fallback port - port for automatic renewal of the certificates via the function "Autoenrollment"

Replaced documentation
None
Required experience
To be able to configure and operate the system described in this document, you require experience of the following products, systems and technologies:
SIMATIC NET - Remote Networks
IP-based communication
STEP 7 Basic / Professional
SIMATIC S7

Further documentation
Operating instructions "SINEMA Remote Connect Client"
This manual supports you when installing, configuring and operating the application SINEMA RC Client.
Getting Started "SINEMA Remote Connect"
Based on an example, the configuration of SINEMA Remote Connect is shown.

Current manuals and further information
You will find the current manuals and further information on remote networks products on the Internet pages of Siemens Industry Online Support:
Using the search function:
Link to Siemens Industry Online Support (http://support.automation.siemens.com/WW/view/en)
Enter the entry ID of the relevant manual as the search item.
Via the navigation in the "Remote Networks" area:
Link to the "Remote Networks" area (https://support.industry.siemens.com/cs/ww/en/ps/21778)
Go to the required product group and make the following settings: "Entry list" tab, Entry type "Manuals"
You will find the documentation for the products relevant here on the data storage medium that ships with some products:
Product CD / product DVD
SIMATIC NET Manual Collection
Security information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens' products and solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems, machines and networks. Such systems, machines and components should only be connected to an enterprise network or the internet if and to the extent such a connection is necessary and only when appropriate security measures (e.g. firewalls and/or network segmentation) are in place.
Additionally, Siemens' guidance on appropriate security measures should be taken into account. For additional information on industrial security measures that may be implemented, please visit https://www.siemens.com/industrialsecurity
Siemens' products and solutions undergo continuous development to make them more secure. Siemens strongly recommends that product updates are applied as soon as they are available and that the latest product versions are used. Use of product versions that are no longer supported, and failure to apply the latest updates may increase customers' exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under https://www.siemens.com/industrialsecurity

Training, Service & Support
You will find information on Training, Service & Support in the multi-language document "DC_support_99.pdf" on the data medium supplied with the documentation.

SIMATIC NET glossary
Explanations of many of the specialist terms used in this documentation can be found in the SIMATIC NET glossary.
You will find the SIMATIC NET glossary here:
SIMATIC NET Manual Collection or product DVD
The DVD ships with certain SIMATIC NET products.
On the Internet under the following entry ID:
50305045 (http://support.automation.siemens.com/WW/view/en/50305045)

Trademarks
The following and possibly other names not identified by the registered trademark sign ® are registered trademarks of Siemens AG:
SINEMA, SCALANCE

Table of contents

Preface ..... 3
1 Application and properties ..... 11
1.1 Application ..... 11
1.2 Overview of functions ..... 12
1.3 User concept ..... 13
1.4 Configuration example ..... 15
1.4.1 TeleControl with SINEMA RC ..... 15
2 Requirements for operation ..... 17
2.1 Requirements ..... 17
2.2 Connectable nodes ..... 19
2.3 License information ..... 20
2.4 Permitted characters ..... 21
2.5 Performance data ..... 22
3 Installation and commissioning ..... 23
3.1 Security recommendations ..... 23
3.2 Installing SINEMA RC Server ..... 26
3.3 Initial commissioning of end devices using the WBM ..... 33
4 Configuring with Web Based Management ..... 35
4.1 Opening Web Based Management ..... 35
4.2 Starting the WBM ..... 36
4.2.1 Logon with user name and password ..... 36
4.2.2 Logon with the Smartcard / user certificates ..... 37
4.3 Layout of the window ..... 42
4.4 Start page of the Web user interface ..... 45
4.5 Language selection ..... 46
4.6 System ..... 47
4.6.1 Log ..... 47
4.6.1.1 Log messages ..... 47
4.6.1.2 Log archives ..... 48
4.6.2 Network configuration ..... 49
4.6.2.1 Interfaces ..... 49
4.6.2.2 DNS ..... 51
4.6.2.3 Web server settings ..... 52
4.6.3 Date and time settings ..... 52
4.6.4 SMS messages and e-mails ..... 53
4.6.4.1 SMS ..... 53
4.6.4.2 Settings ..... 55
4.6.5 Managing licenses ..... 57
4.6.6 Update ..... 59
4.6.7 Server upload ..... 60
4.6.8 Backing up & restoring ..... 61
4.6.9 Debug login ..... 64
4.7 Remote connections ..... 65
4.7.1 Managing devices ..... 65
4.7.1.1 Overview of device management ..... 65
4.7.1.2 Create new device ..... 68
4.7.1.3 Creating several new devices ..... 72
4.7.1.4 Updating devices ..... 73
4.7.2 Address spaces ..... 74
4.7.2.1 Network address space ..... 74
4.7.2.2 VPN address spaces ..... 74
4.7.3 Creating node groups ..... 75
4.7.4 Specifying communications relations between node groups ..... 77
4.7.5 Assigning a node to a group ..... 77
4.8 User accounts ..... 78
4.8.1 Overview of the user accounts ..... 78
4.8.2 Managing roles and rights ..... 80
4.8.3 Create a new user ..... 83
4.8.4 User agreement ..... 86
4.9 Security ..... 87
4.9.1 Managing certificates ..... 87
4.9.1.1 Overview of certificate management ..... 87
4.9.1.2 Certificate overview ..... 89
4.9.1.3 CA certificate ..... 90
4.9.1.4 Server certificate ..... 91
4.9.1.5 Importing the Web server certificate ..... 92
4.9.1.6 Making settings for certificates ..... 94
4.9.1.7 Device certificate ..... 95
4.9.1.8 PKI CA certificate ..... 96
4.9.1.9 Locking out Smartcard / user certificate ..... 96
4.9.2 VPN connections ..... 99
4.9.2.1 Making VPN basic settings ..... 99
4.9.2.2 Making OpenVPN settings ..... 99
4.9.2.3 Making the IPsec settings ..... 101
4.9.2.4 IPsec profiles ..... 101
4.9.2.5 Creating IPsec profiles ..... 102
4.10 My account ..... 104
4.10.1 User certificate ..... 104
4.10.2 Changing the current password ..... 105
5 Upkeep and maintenance ..... 107
5.1 Backing up and restoring the system configuration ..... 107
A Appendix A ..... 111
A.1 OpenVPN connection to an iOS device ..... 111
A.2 Using a "virtual machine" ..... 114
B Appendix B ..... 115
B.1 Enabling the e-mail address ..... 115
B.2 Monitoring and time response of wake-up SMS messages ..... 116
B.3 Structure of the csv file ..... 116
Index ..... 119
1 Application and properties

1.1 Application

Use of the SINEMA Remote Connect server
The SINEMA RC Server provides end-to-end connection management of distributed networks via the Internet. This also includes secure remote access to underlying networks for maintenance, control and diagnostics purposes. The communication between SINEMA RC Server and the remote participants is via a VPN tunnel, taking into account the stored access rights. The connection is established encrypted using IPsec or OpenVPN.
The SINEMA RC Server can be configured via the Web Based Management (WBM).
The connection via the Internet/WAN to the WBM uses the HTTPS protocol. To establish a connection to the WBM of the server, users must log on by entering a user name and password or with a Smartcard.

Supported products
The following products are suitable for connecting to the SINEMA RC Server:
SCALANCE M-800
SCALANCE S615
SINEMA RC Client
SCALANCE S602, SCALANCE S612, SCALANCE S623, SCALANCE S627-2M
In the section "Connectable nodes (Page 19)" you will find information about which product versions and SINEMA RC versions are compatible with each other.

Protection concept
To protect the SINEMA RC Server from unauthorized access, system access is protected in several ways:
Authentication
– Access is password protected by entering the user name and password, see section Create a new user (Page 83).
– Access is achieved using a Smartcard with a PIN procedure (Personal Identification Number). To check the identity, a certificate is used.
User rights and roles
The task-dependent access rights are specified using roles and user rights. For more detailed information, refer to the section Managing roles and rights (Page 80).
1.2 Overview of functions

Configuring the SINEMA Remote Connect server
The SINEMA RC Server can be configured via a Web Based Management (WBM).
In the WBM, you can use the following functions:

Configuration of the SINEMA RC Server
Basic settings of the system
– Settings of the system and address parameters
– Language of the WBM
Specifying users, groups and their rights
– Creation of users and devices including password assignment
– Creation and assignment of roles and rights
– Assignment of participant groups
Configuration of connections
– Creation of communication relations between the participant groups

Commissioning/configuration of end devices
You can create partial configurations globally for the end devices. This includes, for example, configuration of NAT etc.
Via the server, configuration information can be loaded on the end device.

Management of the server
Changing settings of the system or participants
Activating / deactivating connections between participants
Display of all connections available online and offline

Connection management
Connection configuration with creation of certificates
Establishment and termination of connections
Sending a wake-up SMS message to a device, for example to establish a secure connection
1.3 User concept

Note
The management of rights is one of the most important tasks of an administrator
This should therefore be planned and configured to meet the specific requirements while taking into account security-relevant aspects. We strongly advise you to familiarize yourself with the user and roles concept of SINEMA RC Server. New or modified settings should always be checked in terms of their intended effect.

Basics
SINEMA RC Server has an extensive system of access rights. This system allows the administrator to grant or deny user access to certain program objects individually and according to need. During configuration, you should take into account the following criteria in the role:
Network security
IT experience of the users
The necessity for certain functions
User friendliness
The access rights in SINEMA RC are specified using the following objects:
Users
Roles
Rights
Participant groups
In principle, the following applies:
Every user can be assigned certain rights.
Every role can be assigned various rights that are transferred automatically to all its members (users, participant groups).
Each user can have several roles and be a member of several participant groups.
Users
So that a created user can create and manage other users, the user must have the user right "Manage users" assigned.

"admin" user
As default, after the installation the predefined user "admin" is available. With this user name you can log on once after the installation. After this you will be prompted to create a new user. The "admin" role is assigned to this user automatically.
This administrator has the right to access all functions and can set up the system. This includes creating users and assigning roles and rights to them. For more detailed information, refer to the section "Managing roles and rights (Page 80)".
This administrator is listed with the user accounts and can neither be edited nor deleted. The "admin" user is no longer available.

Logging on
The following options are available:
Logon with user name and password
Logon with the Smartcard
Logon with PKI certificate

Roles
In SINEMA RC Server, there are two predefined roles available with corresponding access rights.

Standard role    Description
admin            The role has all access rights and does not belong to a participant group.
vpn_user         The role has no access rights and is assigned to the participant group vpn_user_group automatically. The role may only establish VPN connections to the nodes that belong to the participant group.

Participant group
In SINEMA RC Server, there is a predefined participant group available.

Standard participant group    Description
vpn_user_group                The communication between the nodes is not permitted.
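The objects above (users, roles, rights, participant groups and the communication relations between groups) form a small access-control model. The following Python script is an added illustration of how the effective rights and group memberships of a participant resolve under the rules stated in this section, and how a default-deny check between two nodes follows from the communication relations; it is not Siemens code and does not reflect the internal implementation of SINEMA RC Server. Only the right "Manage users", the roles "admin" and "vpn_user" and the group "vpn_user_group" are taken from the manual; every other right, group and participant name is a constructed placeholder.

```python
from dataclasses import dataclass, field

# Constructed set of rights. "Manage users" is named in the manual; the other
# three are placeholders standing in for the remaining user rights.
ALL_RIGHTS = frozenset({"Manage users", "Manage devices", "Manage certificates", "Establish VPN"})


@dataclass(frozen=True)
class Role:
    name: str
    rights: frozenset = frozenset()
    # Participant groups whose membership the role confers automatically.
    groups: frozenset = frozenset()


# The two predefined roles: "admin" holds every right and belongs to no group;
# "vpn_user" holds no rights and is placed in vpn_user_group automatically.
ADMIN = Role("admin", ALL_RIGHTS)
VPN_USER = Role("vpn_user", groups=frozenset({"vpn_user_group"}))


@dataclass
class Participant:
    """A user or a device; both are participants in the manual's sense."""
    name: str
    rights: set = field(default_factory=set)    # rights granted directly
    roles: list = field(default_factory=list)   # a participant may hold several roles
    groups: set = field(default_factory=set)    # direct group memberships


def effective_rights(p: Participant) -> set:
    """Direct rights plus the rights inherited from every assigned role."""
    rights = set(p.rights)
    for role in p.roles:
        rights |= role.rights
    return rights


def effective_groups(p: Participant) -> set:
    """Direct memberships plus the groups a role assigns automatically."""
    groups = set(p.groups)
    for role in p.roles:
        groups |= role.groups
    return groups


def can_manage_users(p: Participant) -> bool:
    """Only a participant holding "Manage users" may create or manage other users."""
    return "Manage users" in effective_rights(p)


class CommunicationRelations:
    """Communication relations between participant groups; anything not listed is denied."""

    def __init__(self):
        # Unordered group pairs. A one-element pair means "nodes within that group".
        self._allowed = set()

    def allow(self, group_a: str, group_b: str) -> None:
        self._allowed.add(frozenset((group_a, group_b)))

    def may_communicate(self, a: Participant, b: Participant) -> bool:
        # Two nodes may talk only if some pair of their groups has an explicit relation.
        # Shared membership in vpn_user_group alone never qualifies: the manual states
        # that communication between the nodes of that group is not permitted.
        for ga in effective_groups(a):
            for gb in effective_groups(b):
                if frozenset((ga, gb)) in self._allowed:
                    return True
        return False


def build_example():
    """Constructed tenant: one administrator, two plant devices and one service technician."""
    admin = Participant("first_admin", roles=[ADMIN])
    plant_1 = Participant("plant_1_m876", roles=[VPN_USER], groups={"plant_a"})
    plant_2 = Participant("plant_2_s615", roles=[VPN_USER], groups={"plant_b"})
    technician = Participant("technician", roles=[VPN_USER], groups={"maintenance"})
    relations = CommunicationRelations()
    relations.allow("maintenance", "plant_a")   # the technician may reach plant A only
    return admin, plant_1, plant_2, technician, relations


if __name__ == "__main__":
    admin, plant_1, plant_2, technician, relations = build_example()
    print("admin may manage users:", can_manage_users(admin))
    print("technician -> plant_1:", relations.may_communicate(technician, plant_1))
    print("technician -> plant_2:", relations.may_communicate(technician, plant_2))
    print("plant_1 -> plant_2:", relations.may_communicate(plant_1, plant_2))
```

The point worth noticing is the default-deny shape of `may_communicate`: the two plant devices share vpn_user_group yet cannot reach each other, and the technician reaches plant A only because an explicit relation between the "maintenance" and "plant_a" groups exists. This mirrors the advice in section 2.1 that communication relations be restricted to what is actually needed, and it is the property an administrator should re-check after every change to roles or group assignments.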
1.4 Configuration example

1.4.1 TeleControl with SINEMA RC
In this configuration, the remote maintenance master station is connected to the Internet/intranet via the SINEMA RC Server. The plants communicate via SCALANCE M or the SCALANCE S615, which establish a VPN tunnel to the SINEMA RC Server. In the master station, the SINEMA RC Client establishes a VPN tunnel to the SINEMA RC Server. To establish the VPN tunnel, OpenVPN is used.
The devices must log on to the SINEMA RC server. For this, a WBM is available. The VPN tunnel between the device and the SINEMA RC Server is established only after successful authentication. Depending on the configured communication relations and the security settings, the SINEMA RC server connects the individual VPN tunnels.

Procedure
To be able to access a plant via a remote maintenance master station, follow the steps below:
1. Establish the Ethernet connection between the device and the connected configuration PC.
2. Establish a connection to the WAN.
3. Log the new device on to the SINEMA RC Server.
4. Set up the connection to the SINEMA RC Server on the device.
5. Put the new device into operation.
You will find instructions on the procedure in the Getting Started for SINEMA Remote Connect.
2 Requirements for operation

2.1 Requirements

Hardware requirements

Component          Minimum requirements      Recommended requirements    Recommended requirements for the maximum quantity structure (see below)
Processor          Dual Core CPU 2.4 GHz     Quad Core CPU 2.66 GHz      Quad Core CPU 3.6 GHz
RAM                2 GB                      4 GB                        8 GB
Network adapter    1                         1                           1
Hard disk          > 60 GB                   > 60 GB                     250 GB SSD

Note: SINEMA RC Server supports up to four network adapters.

Used hardware of the vSphere Server (ESXi 5.5)

Component          PC 847D (6AG4114-2KV83-0XX6)                                                SINEMA RC Server
Processor          Xeon E3-1268L v3 (4C/8T, 2.3 (3.3) GHz, 8 MB cache, VT-d, AMT)              4 threads and hyperthreading disabled
RAM                32 GB DDR3 SDRAM (4x 8 GB)
Network adapter    2x Gbit Ethernet (IE/PN)                                                    1x Gbps Ethernet
Hard disk          RAID5, 2 TB (3x 1 TB HDD SAS, striping with parity), in the removable drive bay, hot swap; and 1 TB HDD SAS as hot spare in the removable drive bay

Maximum configuration limits
Maximum number of devices and users connected simultaneously for one subnet per device: 1024
Maximum overall data transfer for all devices: 800 Mbps
User/device combinations can be freely selected up to the maximum overall quantity structure.
As the number of subnets is also dependent on the communication relationships permitted among one another, for example, these must be checked/questioned and restricted, where necessary. If devices do not need to communicate with one another, this function should be disabled to ensure optimum device behavior.

See also
Using a "virtual machine" (Page 114)
2.2 Connectable nodes
The connection to SINEMA RC can be established via various media such as mobile wireless, DSL or existing private network infrastructures.
For connecting to SINEMA RC, the following SCALANCE products were tested.

SINEMA RC client
Version              1.0    1.0 SP1    1.0 SP2    1.0 SP3
SINEMA RC version
1.0                  ✓      -          -          -
1.1                  -      -
1.2                  -      -          ✓          -
1.3                  -      -          -

SCALANCE M-800 / S615
                     S615   S615 M874-x M876-x    S615 M-800    S615 M-800
Version              V4.0   V4.1                  V4.2          V4.3
SINEMA RC version
1.0                  ✓      -                     -             -
1.1                  ✓      -                     -
1.2                  -      -                     ✓             -
1.3                  -      -                     -

SCALANCE S-600 * / SC-600
                     S612            S623            S627-2M         SC632-2C SC636-2C SC642-2C SC646-2C
Version              as of 4.0.1.1   as of 4.0.1.1   as of 4.0.1.1   as of 1.0
SINEMA RC version
1.0                  -               -               -               -
1.1                  -               -               -               -
1.2                  ✓               ✓               ✓               -
1.3

* SCALANCE S-600 VPN to SINEMA RC: In contrast to SCALANCE M-800, S615 and SC-600, where the configuration is performed with autoenrollment (OpenVPN), the configuration is performed via SCT (IPsec) with export/import functions.
2.3 License information

Licenses

To run the SINEMA RC Server application, you require a license for the product SINEMA RC.

The license SINEMA Remote Connect is already included in the installation of the SINEMA RC Server. With this license you can configure up to 4 participants. The number of participants can be increased with the following licenses:

SINEMA Remote Connect 64: This license adds up to 64 participants.
SINEMA Remote Connect 256: This license adds up to 256 participants.
SINEMA Remote Connect 1024: This license adds up to 1024 participants.

License types 64/256/1024 can be combined; the permitted number of participants is expanded by the sum of the licenses added.

How many connections can actually be established simultaneously depends on the performance of the server platform.

License update

To expand the license to a higher number of participants, you require an update to a new license. To make a license update, obtain a new license key and enter the corresponding license number in the WBM.

The procedure for activating the license in the WBM is described in the section "Managing licenses (Page 57)".
2.4 Permitted characters

When creating or changing names, passwords and hostnames, remember the following rules:

User names, passwords, group name

Permitted characters: The following characters from the ANSI X3.4-1986 character set are permitted:
0123456789
A...Z a...z
!#$%&()*+,-./:;<=>?@[\]_{|}~^

Characters not allowed: " ' `

Length of the device, user or group name: 1 to 30 characters
Length of the role name: 1 to 80 characters
Length of the password: at least 8 characters and maximum 128 characters

Note: User names and passwords
As an important measure to increase security, make sure that user names and passwords are as long as possible. Passwords must be at least 8 characters long and contain special characters, upper and lowercase characters as well as numbers.

Hostname

Permitted characters: The following characters from the ANSI X3.4-1986 character set are permitted:
0123456789
A...Z a...z
-.
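The following Python is an added example and not part of the manual: it encodes the character sets, length limits and the complexity note of this section as a pre-check that can be run over a batch of names and passwords before they are entered in the WBM. Note that the three excluded characters are exactly the quoting characters, and that the space is not in the permitted set either. The function names, the "kind" labels and the sample values are my own; the manual gives no length rule for hostnames, so none is enforced there.

```python
"""Pre-check names, passwords and hostnames against the SINEMA RC rules (section 2.4)."""
import string

# Characters from ANSI X3.4-1986 (ASCII) that the manual permits in device,
# user, group and role names and in passwords.
NAME_SPECIALS = '!#$%&()*+,-./:;<=>?@[\\]_{|}~^'
NAME_CHARS = frozenset(string.digits + string.ascii_letters + NAME_SPECIALS)
FORBIDDEN = frozenset('"\'`')  # the three quote characters the manual excludes
HOST_CHARS = frozenset(string.digits + string.ascii_letters + '-.')

# Length limits (min, max); "kind" is this example's own label for the object type.
LIMITS = {"device": (1, 30), "user": (1, 30), "group": (1, 30), "role": (1, 80)}
PASSWORD_LEN = (8, 128)


def _bad_chars(value, allowed):
    """Characters in value that are not in the allowed set, sorted for stable output."""
    return sorted(set(value) - allowed)


def check_name(value, kind="user"):
    """Return a list of rule violations; an empty list means the name is acceptable."""
    lo, hi = LIMITS[kind]
    problems = []
    if not lo <= len(value) <= hi:
        problems.append(f"{kind} name length {len(value)} outside {lo}..{hi}")
    forbidden = sorted(set(value) & FORBIDDEN)
    if forbidden:
        problems.append("forbidden characters: " + " ".join(forbidden))
    other = [c for c in _bad_chars(value, NAME_CHARS) if c not in FORBIDDEN]
    if other:
        problems.append("characters outside the permitted set: " + " ".join(repr(c) for c in other))
    return problems


def check_password(value):
    """Apply the length rule and the complexity rule from the note."""
    lo, hi = PASSWORD_LEN
    problems = []
    if not lo <= len(value) <= hi:
        problems.append(f"password length {len(value)} outside {lo}..{hi}")
    if set(value) & FORBIDDEN:
        problems.append("forbidden quote character in password")
    if _bad_chars(value, NAME_CHARS):
        problems.append("characters outside the permitted set")
    classes = {
        "lowercase": any(c in string.ascii_lowercase for c in value),
        "uppercase": any(c in string.ascii_uppercase for c in value),
        "digit": any(c in string.digits for c in value),
        "special": any(c in NAME_SPECIALS for c in value),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    return problems


def check_hostname(value):
    """Only the character set is specified for hostnames, so only that is checked."""
    bad = _bad_chars(value, HOST_CHARS)
    if bad:
        return ["characters outside the permitted set: " + " ".join(repr(c) for c in bad)]
    return []


if __name__ == "__main__":
    # Constructed sample inputs, not values from the manual.
    for name in ("op-line1", "o'brien", "a b"):
        print(name, check_name(name) or "ok")
    for pw in ("Tr0ub4dor&3xample", "Tr0ub4dor3xampl", "short"):
        print(pw, check_password(pw) or "ok")
    for host in ("rc-server.plant01", "rc_server"):
        print(host, check_hostname(host) or "ok")
```

Run it as a filter over an export of planned user and device names before bulk creation; a quote character in a name is then caught in the script rather than in the WBM.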
2.5 Performance data

Maximum number of participant groups: Unlimited
Maximum number of participants per participant group: Unlimited
Maximum number of log archives: 100
Maximum number of local backup copies: 30
3 Installation and commissioning

3.1 Security recommendations

Keep to the following security recommendations to prevent unauthorized access to the system.

General

You should make regular checks to make sure that the device meets these recommendations and other internal security guidelines if applicable.

Evaluate your plant as a whole in terms of security. Use a cell protection concept with suitable products (https://www.industry.siemens.com/topics/global/en/industrial-security/network-security/Pages/Default.aspx).

Do not connect the device directly to the Internet. Operate the device within a protected network area.

Keep the software up to date.
– Check regularly for security updates for the product. You will find information on this at (https://support.industry.siemens.com/cs/ww/en/ps/21713/dl).
– Inform yourself regularly about security recommendations published by Siemens ProductCERT (http://www.siemens.com/cert/en/cert-security-advisories.htm).

Physical access

Restrict physical access to the SINEMA RC Server to qualified personnel.

Protect SINEMA RC Server from unauthorized access by installing it in lockable racks / in lockable cabinets / control rooms.

Access to the server

Restrict physical access to the device to qualified personnel. Use the security mechanisms of the operating system.

Security functions of the software

The SINEMA RC Server has an extensive system of access rights. This system allows you to grant or deny access to certain program objects individually and according to need.

The SINEMA RC Server includes an automatic logging function. Check this information regularly for unauthorized access.
Passwords

Define rules for the use of devices and assignment of passwords.
Regularly update the passwords to increase security.
Only use passwords with a high password strength. Avoid weak passwords, for example "password1", "123456789" or similar.
Make sure that all passwords are protected and inaccessible to unauthorized personnel.
Do not use one password for different users and systems.

Keys and certificates

This section deals with the security keys and certificates you require to establish a connection.
We recommend that you use certificates with a key length of 4096 bits.
The product supports RSA key lengths of 1024 to 8192 bits.

Available protocols

The following list provides you with an overview of all services used by the product. Keep this in mind when configuring a firewall.

The table includes the following columns:
Protocol: All protocols that the device supports
Port number: Port number assigned to the protocol
Port status:
– Open, authentication required: The port is always open and cannot be closed. To use it, authentication is necessary.
– Open (when configured), authentication necessary: The port is open if it has been configured. To use it, authentication is necessary.

Table 3-1 Services available

Protocol                              | Port number | Port status                                      | Port changeable
HTTPS                                 | TCP 443     | Open, authentication required                    | yes
HTTPS for certificate auto enrollment | TCP 6220    | Open, authentication required                    | yes
OpenVPN                               | UDP 1194    | Open, authentication required                    | yes
OpenVPN                               | TCP 5443    | Open, authentication required                    | yes
IPsec                                 | ESP (n/a)   | Open, authentication required                    | no
IPsec encapsulated                    | UDP 500     | Open, authentication required                    | no
IPsec encapsulated NAPT               | UDP 4500    | Open, authentication required                    | no
SSH                                   | TCP 22      | Open (when configured), authentication necessary | yes

Table 3-2 Services used

Protocol                   | Port number          | Port status
NTP                        | UDP 123              | Outgoing when configured
DNS                        | TCP 53               | Outgoing when configured
E-mail client              | TCP 25 or other      | Outgoing
HTTPS - CRL retrieval      | TCP according to URL | Outgoing
HTTPS - license activation | TCP 443              | Outgoing (activating the product)
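Because the ports marked "Open, authentication required" cannot be closed on the server itself, the perimeter firewall is the only place to restrict who can reach the WBM on TCP 443 and the VPN ports, and any listener not in Table 3-1 deserves an explanation. As an added example that is not part of the manual, the following Python compares a socket listing in the format produced by `ss -Hlntu` (iproute2: no header, listening sockets, numeric, TCP and UDP) with Table 3-1 and reports undocumented listeners, documented services that are missing, and SSH being open although it was not deliberately configured. ESP is not a TCP/UDP port and so cannot appear in such a listing. The sample listing and the function names are constructed by me; the listing can be collected on the server over SSH where that is configured, or the parser can be adapted to an external port scan.

```python
"""Audit listening sockets of a SINEMA RC Server host against Table 3-1."""
import re

# (transport, port) pairs documented as always open on the server.
ALWAYS_OPEN = {
    ("tcp", 443): "HTTPS (WBM)",
    ("tcp", 6220): "HTTPS certificate auto enrollment",
    ("udp", 1194): "OpenVPN",
    ("tcp", 5443): "OpenVPN",
    ("udp", 500): "IPsec encapsulated",
    ("udp", 4500): "IPsec encapsulated NAPT",
}
# Documented as "Open (when configured)": only legitimate if SSH was enabled on purpose.
WHEN_CONFIGURED = {("tcp", 22): "SSH"}

# `ss -Hlntu` columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port [Process]
_SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+)\s+\S+")

# Constructed sample listing (not captured from a real SINEMA RC Server):
# all documented services plus SSH and an undocumented TCP 8080 listener.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:6220       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:5443       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:1194       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:500        0.0.0.0:*
udp   UNCONN 0      0               [::]:4500          [::]:*
"""


def _port_of(local):
    """'0.0.0.0:443' -> 443, '[::]:22' -> 22, '*:1194' -> 1194."""
    return int(local.rsplit(":", 1)[1])


def parse_ss(output):
    """Return the set of (transport, port) pairs found in an `ss -Hlntu` listing."""
    found = set()
    for line in output.splitlines():
        m = _SS_LINE.match(line.strip())
        if m:
            found.add((m.group(1), _port_of(m.group(2))))
    return found


def audit(output, ssh_configured=False):
    """Compare a socket listing with the documented service table.

    Returns a dict with:
      unexpected            - listeners that appear in neither table row set
      missing               - documented always-open services that are not listening
      ssh_open_unconfigured - TCP 22 is listening although SSH was not configured
    """
    found = parse_ss(output)
    expected = dict(ALWAYS_OPEN)
    if ssh_configured:
        expected.update(WHEN_CONFIGURED)
    unexpected = sorted(found - set(expected) - set(WHEN_CONFIGURED))
    missing = sorted(set(expected) - found)
    ssh_open_unconfigured = (not ssh_configured) and bool(found & set(WHEN_CONFIGURED))
    return {
        "unexpected": unexpected,
        "missing": missing,
        "ssh_open_unconfigured": ssh_open_unconfigured,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_SS, ssh_configured=False)
    for proto, port in result["unexpected"]:
        print(f"undocumented listener: {proto}/{port}")
    for proto, port in result["missing"]:
        print(f"documented service not listening: {proto}/{port} ({ALWAYS_OPEN[(proto, port)]})")
    if result["ssh_open_unconfigured"]:
        print("SSH (tcp/22) is open but was not configured")
```

On the sample the check reports tcp/8080 as undocumented and flags SSH; run with `ssh_configured=True` only for servers on which SSH was enabled deliberately, and treat any "missing" entry as a sign that a service or its port setting was changed.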
3.2 Installing SINEMA RC Server

Note: Keyboard layout during installation
During installation the keyboard layout "English (USA, International)" is set.

Note
To install SINEMA RC V1.3 Server, note the following:
– No system installed: Perform a new installation.
– SINEMA RC Server V1.2 pre-installed: Perform an update using the DVD for SINEMA RC Server, see section "System update V1.2 > V1.3".
– SINEMA RC Server V1.0 or V1.1 pre-installed: First, update the version of SINEMA RC Server to V1.2 from the "System update (Page 59)" WBM page and then to version 1.3 using the DVD. The update must be performed in the correct order: V1.0 > V1.1 > V1.2 > V1.3.

Requirement
– In the startup order, the CD/DVD is set as the first boot medium.
– The hardware requirements are met.
New installation

NOTICE
Re-installation formats the hard disk
The re-installation of the SINEMA RC Server includes its own operating system. If you use a PC on which an operating system already exists, the hard disk will be formatted. This means that existing data is lost. Make sure that all important data on the PC has been backed up.

1. Insert the data medium in the drive.
2. Switch on the PC or restart the server. Installation starts automatically.
3. In the following dialog, select the entry "Install/Update SINEMA Remote Connect Server". Press <Return> to confirm the selection.
   If SINEMA RC Server V1.2 is already installed, in the following dialog select "Install - Fresh installation". The previous configurations of the SINEMA RC Server are not adopted.
4. Follow the further instructions on the screen.
   During the installation, make the following settings for the WAN interface:
   – IP address
   – Network mask
   – Gateway

Result
The SINEMA RC Server V1.3 is installed. Log in with the predefined user "admin".
Before you can configure further settings with the WBM, you will be requested to create a new user and to check the network configuration.
System update V1.2 > V1.3

Check the firmware version of the devices
Before updating the server, ensure that the firmware versions of the connected SCALANCE M-800 / S615 devices are compatible.

Check the SINEMA RC Client version
Before updating the server, check the version of the SINEMA RC Client. Click "?" in the selection area and select the menu command "Info".
A SINEMA RC Client with a version < V1.0 SP3 cannot connect to a SINEMA RC Server >= V1.3. Update the SINEMA RC Client.

Procedure
1. Back up your configuration using the SINEMA RC Server V1.2 WBM and export this backup file to your PC or SFTP server. You can find more detailed information on this in the sections "Backup & Restore (Page 61)" and "Server upload (Page 60)".
2. Insert the V1.3 data medium into the drive.
3. Perform a restart from the "Energy Management (Page 59)" WBM page. Installation starts automatically.
4. Select the "Install/Update SINEMA Remote Connect Server" entry in the following dialog. Confirm the selection with the Enter key.
5. Select the "Update - Update an existing SINEMA Remote Connect" entry in the following dialog.
   The SINEMA RC Server is updated to version 1.3. After this update installation, two boot partitions are available. One partition still contains your operational V1.2 server version. The other partition now contains an operational V1.3 server version with the same server configuration including devices, users and certificates. Your SINEMA RC Server license is not transferred to V1.3 automatically. The license has to be released in the V1.2 version in order to activate it on your new V1.3 server.
6. Remove the V1.3 data medium from the drive and press OK. Restart the server.
7. In the boot menu you can see the partitions of both server versions, V1.2 and V1.3. Select the "SINEMA RC (1.2.0)" entry and confirm by pressing the Enter key.
8. Log on with your user credentials and select "System > Licenses (Page 57)" in the navigation. Release the licenses to reactivate them in V1.3.

Note
If it is not possible to deactivate the license in the WBM (for example, there is no connection to the license server), you need to contact our hotline. All further steps for a renewed activation of the license will then be coordinated with the hotline.