Tsadapter Tiav13 Doku v10 en

Configuration Example 09/2014
Setting up da secure VPN

Connection between the TS
Adapter IE Advanced and TIA
Portal V13
TS Adapter IE Advanced
http://support.automation.siemens.com/WW/view/en/99681624
Warranty and liability
Warranty and liability

Note
The Application Examples are not binding and do not claim to be complete
regarding the circuits shown, equipping and any eventuality. The Application
Examples do not represent customer-specific solutions. They are only intended
to provide support for typical applications. You are responsible for ensuring that
the described products are used correctly. These application examples do not
relieve you of the responsibility to use safe practices in application, installation,
operation and maintenance. When using these Application Examples, you
recognize that we cannot be made liable for any damage/claims beyond the
liability clause described. We reserve the right to make changes to these
Application Examples at any time without prior notice.
If there are any deviations between the recommendations provided in these
application examples and other Siemens publications e.g. Catalogs the
contents of the other documents have priority.
We do not accept any liability for the information contained in this document.
Siemens AG 2014 All rights reserved
Any claims against us based on whatever legal reason resulting from the use of
the examples, information, programs, engineering and performance data etc.,
described in this Application Example shall be excluded. Such an exclusion shall
not apply in the case of mandatory liability, e.g. under the German Product Liability
Act (Produkthaftungsgesetz), in case of intent, gross negligence, or injury of life,
body or health, guarantee for the quality of a product, fraudulent concealment of a
deficiency or breach of a condition which goes to the root of the contract
(wesentliche Vertragspflichten). The damages for a breach of a substantial
contractual obligation are, however, limited to the foreseeable damage, typical for
the type of contract, except in the event of intent or gross negligence or injury to
life, body or health. The above provisions do not imply a change of the burden of
proof to your detriment.
Any form of duplication or distribution of these Application Examples or excerpts
hereof is prohibited without the expressed consent of Siemens Industry Sector.
Security
information
Siemens provides products and solutions with industrial security functions that
support the secure operation of plants, solutions, machines, equipment and/or
networks. They are important components in a holistic industrial security
concept. With this in mind, Siemens products and solutions undergo continuous
development. Siemens recommends strongly that you regularly check for
product updates.
For the secure operation of Siemens products and solutions, it is necessary to
take suitable preventive action (e.g. cell protection concept) and integrate each
component into a holistic, state-of-the-art industrial security concept. Third-party
products that may be in use should also be considered. For more information
about industrial security, visit http://www.siemens.com/industrialsecurity.
To stay informed about product updates as they occur, sign up for a productspecific newsletter. For more information, visit
http://support.automation.siemens.com.
Security: TSAdapter_TIAV13
Entry ID: 99681624, V1.0, 09/2014
Table of Contents
Table of Contents
Warranty and liability................................................................................................... 2
1
Task and Solution .............................................................................................. 4

1.1
1.2
1.3
Configuration and Project Engineering ........................................................... 6

2.1
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.2
2.2.1
2.2.2
2.2.3
2.2.4
2.3
Task ...................................................................................................... 4
Possible solution .................................................................................. 4
Characteristics of the solution .............................................................. 5
Setting up the environment .................................................................. 6

Required components and IP address overview ................................. 6
Service PC ........................................................................................... 7
DSL access for the TS Adapter IE Advanced (DSL router2) ............... 8
TS Adapter IE Advanced ...................................................................... 9
Setting up the infrastructure ................................................................. 9
Commissioning remote maintenance ................................................. 10
Preparation ......................................................................................... 10
Initial configuration of the TS Adapter IE Advanced .......................... 11
Parameterizing remote access ........................................................... 15
Final steps .......................................................................................... 21
Establishing the VPN connection ....................................................... 22
Testing the Tunnel Function .......................................................................... 25
Appendix: Using TIA Online Functions ......................................................... 26

4.1
4.2
4.3
Appendix: Handling CA Certificates .............................................................. 28

5.1
5.2
Accessible devices ............................................................................. 26

Assigning an IP address..................................................................... 26
TeleService functions ......................................................................... 27
Deleting CA certificates ...................................................................... 28

Installing CA certificates ..................................................................... 29
History............................................................................................................... 30
Entry ID: 99681624, V1.0, 09/2014
1 Task and Solution
Task and Solution
1.1
Task
The task is to establish a secure connection between two networks (e.g.,
automation networks or individual devices) via the Internet or a company's internal
network.
The following customer requirements have to be considered:
Protection against spying and data manipulation.
Prevention of unauthorized access.
Easy handling and integration.
Use of existing addresses and addressing schemes.
Transparency (or easy use) for users.
1.2
Possible solution
Complete overview
The figure below shows one way of implementing the customer requirements:
Automatisierungszelle
Automation Cell
Service
Service
PC PC
TIA
Portal
Internet
Internet
Modem/Router
Modem/ Router
Statische
WAN-IP-Adresse
Internet
Router
SCALANCE
TS Adapter
M874-x
IE Advanced
Static
WAN IP Address
VPN Server
VPN-Server
VPN Client
VPN
Tunnel
VPN tunnel
IndustrialEthernet
Ethernet
Industrial
SIMATIC S7
Stationen
Stations
The connection between the service PC and the automation cell (nodes such as
SIMATIC stations, panels, drives, PCs) is protected by a VPN tunnel.
In this example, TIA Portal (V12 SP1 or higher) and the TS Adapter IE Advanced
form the two tunnel endpoints for the secure connection. The TS Adapter IE acts
as the VPN server, the PC with TIA Portal acts as the VPN client.
Access to the TS Adapter IE (VPN server) from the WAN is predefined by the use
of a static WAN IP address.
WAN access on the client side is flexible; the IP address of the WAN port is not
relevant.
When establishing the VPN tunnel, the roles are defined as follows:
Table 1-1
Component
VPN role
TIA Portal (V12 SP1 or higher)
Initiator (VPN client); starts the VPN connection
Responder (VPN server); waits for the VPN connection
Entry ID: 99681624, V1.0, 09/2014
1 Task and Solution
The TS Adapter IE Advanced allows access, through the Internet, to all automation
components of a plant - e.g., S7 CPUs - that are connected to Industrial Ethernet.
TIA Portal V12 SP1 or higher running on a PG/PC with at least Windows 7 or
Windows Server 2008 allows convenient remote maintenance of a plant through
the Internet, including enhanced security mechanisms.
They provide the following functions:
SSTP VPN (data encryption and authentication) for remote maintenance
IPv4 and IPv6 support on the WAN interface (IPv6 for firmware version 1.1.0 or
higher)
Time-controlled WAN connectivity
Packet filter configuration
Enabling and disabling routes (VPN tunnel, Internet access)
Router functionality (port forwarding, NAT, DynDNS (with IPv6))
1.3
Characteristics of the solution
High security standard due to
VPN,
certificates,
random numbers generated in hardware and
consideration of the strict Siemens Security Guidelines.
Customized solution for remote maintenance in the automation environment.

The same range of functions (STEP 7 functions, diagnostics) as on site without
having to install additional programs.
Easy integration into existing networks and protection of devices that do not
have their own security functions.
Enabling or configuring by IT administrators is generally not necessary.
Entry ID: 99681624, V1.0, 09/2014
2 Configuration and Project Engineering
Configuration and Project Engineering
2.1
Setting up the environment
2.1.1
Required components and IP address overview
Software packages
To work with the TS Adapter IE Advanced, you need a PC with a "Windows 7"
operating system (or higher) and the "TIA Portal" software (V12 SP1 or higher).
Install this software on a PC/PG.
Note
This example uses the TIA Portal V13 Update 3 software.
Required devices/components:
To set up the environment, use the following components:
A TS Adapter IE Advanced (optional: A DIN rail installed accordingly, including
fitting accessories).
A 24V power supply with cable connector and terminal block plug.
DSL access with a dynamic WAN IP address and a DSL router (e.g.
SCALANCE M81x-1).
DSL access with a static WAN IP address and a DSL router (e.g. SCALANCE
M81x-1).
A PC on which "Windows 7" and "TIA Portal" are installed.
The necessary network cables, TP cables (twisted pair) according to the IE FC
RJ45 standard for Industrial Ethernet.
Note
You can also use another Internet access method (e.g., UTMS).
The configuration described below refers explicitly to the components listed in
"Required devices/components".
Entry ID: 99681624, V1.0, 09/2014
IP addresses
For this example, the IP addresses are assigned as follows:
Service PC
DSL Router1
Internet
Modem/ Router
TIA
Portal
DSL Router2
SCALANCE
TS Adapter
M874-x
IE Advanced
Statische
WAN-IP-Adresse
VPN tunnel
192.168.2.89
192.168.2.1
Industrial Ethernet
Dynamic
WAN IP
Static
WAN IP
172.16.0.1
172.16.47.1
172.22.80.2
VPN-Server
Table 2-1
Component
Port
IP address
Router
Subnet mask
Service PC
LAN port
192.168.2.89
192.168.2.1
255.255.255.0
DSL router1
LAN port
192.168.2.1
255.255.255.0
DSL router1
WAN port
Dynamic IP address from

provider
Assigned by
provider
DSL router2
WAN port
Static IP address from

provider
Assigned by
provider
DSL router2
LAN port
172.16.0.1
255.255.0.0
TS Adapter IE
WAN port
172.16.47.1
172.16.0.1
255.255.0.0
TS Adapter IE
LAN port
172.22.80.2
255.255.255.0
2.1.2
Service PC
Installed software
The following software packages are relevant on the service PC:
TIA Portal software as the remote end for the VPN connection to the TS
Adapter IE Advanced.
Web browser to parameterize the TS Adapter IE Advanced.
Deleting the CA certificate
If you suspect that a CA certificate is misused, you should generate a new CA
certificate for security reasons. Make sure that the new CA certificate is replaced
for all service PCs involved (delete the old CA certificate and import the new one).
For security reasons, you should regularly generate new CA certificates.
To delete a CA certificate, please follow the instructions from Chapter 5 (Appendix:
Handling CA Certificates).
Installing the CA certificate
The initial configuration of the TS Adapter IE Advanced is done via a local HTTPS
connection. As, at this time, a CA certificate for this TS Adapter IE Advanced has
not yet been installed on the service PC, a security warning is displayed. You can
acknowledge this security warning or install the CA certificate supplied on the CD
in the Windows certificate store before first commissioning. To do this, please
follow the instructions from Chapter 5 (Appendix: Handling CA Certificates).
Entry ID: 99681624, V1.0, 09/2014
Note
To manage CA certificates, you need administrator rights.
TIA Portal
Use the TIA Portal V13 engineering software to create a new project.
Web interface of the TS Adapter IE Advanced
To open the Web interface, you have the following options:
Open a directly connected Web browser with TIA Portal.
Open a Web browser via a remote connection with TIA Portal.
Directly connected standard Web browser.
This example uses the "Open a directly connected Web browser with TIA Portal"
method.
Please follow the instructions from Chapter 4 (Appendix: Using TIA Online
Functions).
Note
2.1.3
More information on the options to open the Web interface can be found in the
appropriate chapter in the TS Adapter manual at the following link:
https://www.automation.siemens.com/mdm/default.aspx?DocVersionId=6573950
2731&Language=en-EN&TopicId=65449369483&guiLanguage=en
DSL access for the TS Adapter IE Advanced (DSL router2)
Static IP address for DSL router2

WAN access of the service PC (VPN client) to the TS Adapter IE Advanced (VPN
server) is implemented using a fixed public IP address. This IP address must be
requested from the provider and then stored in DSL router2.
Port forwarding on DSL router2
Due to the use of a DSL router as an Internet gateway, you have to enable the
following port on DSL router2 and forward the data packets to the TS Adapter IE
Advanced (VPN server; IP address on the WAN port):
TCP port 443 (HTTPS)
Note
Some routers allow remote access via an Internet connection (HTTPS port 443).
In this case, it is not possible to forward port 443 to the TS Adapter IE Advanced
using port forwarding. For remote access to the router, you have to use another
port (e.g., port 5443).
Port 443 is the default port for VPN connections (SSTP) in Windows - and
therefore also for the TS Adapter IE - and cannot be changed.
Entry ID: 99681624, V1.0, 09/2014
2.1.4
Resetting to factory default

To make sure that no old configurations and certificates are stored in the TS
Adapter IE Advanced, reset the module to factory default.
For the appropriate chapter in the TS Adapter manual, please use the following
link:
Physical connection between the PC and the TS Adapter IE Advanced
Connect the PC to a free LAN port of the TS Adapter IE Advanced.
Assigning the IP address
In the as-supplied state and after resetting the parameters, the TS Adapter IE
Advanced has no valid IP address. To be able to work with the module, first set its
IP parameters as described in Table 2-1.
To do this, please follow the instructions from Chapter 4 (Appendix: Using TIA
Online Functions).
2.1.5
Setting up the infrastructure

Connect all the components involved in this solution.
Service PC
Service PC
DSL Router1
Internet
Modem/ Router
TIA
Portal
DSL Router2
SCALANCE
TS Adapter
M874-x
IE Advanced
Statische
WAN-IP-Adresse
LA Port
LAN Port
WAN Port
WAN Port
LAN Port
WAN Port
LAN Port
VPN-Server
Table 2-2
Component
Local port
Partner
Partner port
Service PC
LAN port
DSL router1
LAN port
TS Adapter IE
WAN port
DSL router2
LAN port
TS Adapter IE
LAN port
E.g., an automation network (does not exist in

this solution)
Entry ID: 99681624, V1.0, 09/2014
2.2
2.2.1
Commissioning remote maintenance

Preparation
Components used
This solution uses the following components: TS Adapter IE Advanced and "TIA
Portal V13 Update 3".
Physical connection between the PC and the TS Adapter IE Advanced
Connect the service PC to a free LAN port of the TS Adapter IE Advanced and
change the network settings on the service PC as follows:
IP address: 172.22.80.100
Subnet mask: 255.255.255.0
Opening the Web interface
Open the Web interface of the TS Adapter IE Advanced via TIA Portal.
Online Functions).
Entry ID: 99681624, V1.0, 09/2014
10
2.2.2
Initial configuration of the TS Adapter IE Advanced

When you first log on, a guided tour takes you through all the settings required to
commission the TS Adapter IE Advanced.
The following section lists and explains the individual steps of the guided tour.
System Clock
Among other things, the system time is used to generate certificates. Set the time
as follows:
1. Enter the system time parameters. The time must be entered in UTC format.
2. Apply the settings with "Save settings".
Entry ID: 99681624, V1.0, 09/2014
11
Specific Password Settings

Each password that is newly created or changed in the TS Adapter must follow
specific rules. In the Web interface of the TS Adapter IE Advanced, you can define
these rules yourself, for example the minimum length and minimum number of
password elements.
1. Define the settings for entering the password.
Entry ID: 99681624, V1.0, 09/2014
12
Changing the administrator password

When you first log on, you are prompted to replace the default password of the
default user, "Administrator", with a new password.
1. In the "Password" field, enter a new administrator password and reenter the
password to confirm it.
When choosing the password, make sure that it complies with the password
check rules ("Specific Password Settings").
Entry ID: 99681624, V1.0, 09/2014
13
CA certificate generation
The last step of the guided tour prompts you to generate a new CA certificate. This
overwrites the default CA certificate.
1. In "Common name", add the name to "SIMATIC TeleService Adapter". In the

CA certificate, this name is stored as the subject name and issuer information.
2. Use the "Generate CA certificate" button to generate the CA certificate.

Result
The initial configuration of the TS Adapter is complete.
Entry ID: 99681624, V1.0, 09/2014
14
2.2.3
Parameterizing remote access
Preparation
Open the Web interface of the TS Adapter IE Advanced via TIA Portal.
Online Functions).
Log on as an administrator and use the new password (see Chapter 2.2.2).
IP parameters - Public Network
Now you define how the TS Adapter IE Advanced can be accessed remotely.
1. In the navigation bar, go to "Parameters" > "Public Network". In "Remote

address assignment", select "Free entry".
2. In "Remote address", enter the static WAN IP address of your DSL access
point.
Entry ID: 99681624, V1.0, 09/2014
15
3. For the WAN interface, select "Static" in "IP address assignment" and enter the
IP address for the WAN interface as listed in Table 2-1.
As the DNS server, use the IP address of the DSL router's LAN interface.
Entry ID: 99681624, V1.0, 09/2014
16
IP parameters - Plant Network

Now you define which IP address is assigned to the service PC when establishing
the VPN connection.
1. In the navigation bar, go to "Parameters" > "Plant Network" > "IP parameters".
Enter any available IP address that is in the same subnet as the plant network
(automation network on the LAN interface of the TS Adapter).
Entry ID: 99681624, V1.0, 09/2014
17
Connection parameters
Depending on the application, access to the TS Adapter via the WAN interface can
be configured differently. Remote maintenance via VPN is desired for this example.
To enable it, proceed as follows:
1. In the navigation bar, go to "Information" > "Connections". Change the

connection control of the WAN interface to "ONLINE + VPN".
Entry ID: 99681624, V1.0, 09/2014
18
Creating a user
To enable the service PC to establish a VPN connection to the TS Adapter IE
Advanced, a login with a user name and password is required.
During the initial configuration, only the "Administrator" user is entered in the TS
Adapter. As this user cannot establish a VPN connection, another user has to be
entered.
To create a new user, proceed as follows:
1. In the navigation bar, go to "Security" > "User Management". Use "Edit" to

create a new user.
2. In the appropriate text boxes, enter a user name and password. Confirm the
password.
When choosing the password, make sure that it complies with the password
check rules ("Specific Password Settings").
Entry ID: 99681624, V1.0, 09/2014
19

Result
You have created a new user with the right to establish a VPN connection.
Exporting the CA certificate
To allow the service PC to uniquely identify the TS Adapter IE Advanced as the
connection partner, the TS Adapter IE Advanced generates a CA certificate with a
unique fingerprint
(see Chapter 2.2.2 (Initial configuration of the TS Adapter IE Advanced).
To establish a VPN connection, it is mandatory to store this CA certificate in the
Windows certificate store (local computer).
To export the certificate, proceed as follows:
1. In the navigation bar, go to "Security" > "Certificate". Use the "Exporting CA

certificate" button to export the CA certificate.
Entry ID: 99681624, V1.0, 09/2014
20
2. Save the certificate to your project folder.
3. The CA certificate of the TS Adapter IE Advanced is stored in your project

folder.
Result
The parameterization of the TS Adapter for remote maintenance is complete.
2.2.4
Final steps
Service PC
To establish a VPN connection, it is mandatory to store the CA certificate
generated by the TS Adapter in the Windows certificate store (local computer).
To do this, please follow the instructions from Chapter 5 (Appendix: Handling CA
Certificates).
Infrastructure
1. Connect the PC (TIA Portal) to the LAN interface of DSL router1.
2. Assign the required network configuration to the network card as shown in
Table 2-1.
3. In all devices on the LAN port of the TS Adapter IE Advanced, enter the default
gateway (IP address of the LAN port).
Entry ID: 99681624, V1.0, 09/2014
21
2.3
Establishing the VPN connection

When the TS Adapter IE Advanced has been parameterized for remote
maintenance and the infrastructure has been connected as shown in Table 2-2, the
service PC (VPN client) can initialize the VPN tunnel to the TS Adapter IE
Advanced (VPN server).
To establish a remote connection to the TS Adapter IE Advanced, proceed as
follows:
1. Open the Project view of TIA Portal and in the project navigation, click the
"Online access" folder.
2. Click the "TeleService" folder included in it.
3. Double-click the "Establish/terminate remote connection" item.
4. The "Set up remote connection to the remote system" dialog opens.

In the "Adapter type" drop-down list, select TS Adapter IE and in "Connection
type", select VPN.
Entry ID: 99681624, V1.0, 09/2014
22
5. In the appropriate text boxes, enter the WAN IP address of DSL router2 (DSL
router of the TS Adapter IE Advanced to be contacted) and the user name and
the associated password of the newly created user (see page 19).
6. Click the "Connect" button to establish the desired VPN connection.

This button is only active when you have entered all the parameters necessary
to establish the remote connection.
Entry ID: 99681624, V1.0, 09/2014
23
Result
The VPN connection to the TS Adapter is being established. "Status" shows the
progress of the connection establishment process.
Once the VPN connection has been established, the dialog closes. The following
message appears in the status bar of TIA Portal:
"Remote connection is established"
In TIA Portal, the new remote connection appears in the project navigation under
the "TeleService" folder.
This remote connection allows you to open the Web browser of the TS Adapter
from TIA Portal. Log on with the newly created user.
"Information" > "Status" shows the connection status of the remote connection.
Note
If a connection cannot be established, try to find the cause. More information and
troubleshooting help can be found in the appropriate chapter in the TIA manual
at the following link:
Entry ID: 99681624, V1.0, 09/2014
24
3 Testing the Tunnel Function
Testing the Tunnel Function

Chapter 2 completes the commissioning of the configuration and the service PC
and the TS Adapter IE Advanced have established a VPN tunnel for secure
communication.
You can test the established tunnel connection using a ping command on an
internal node. This is described below.
Alternatively, you can also use other methods to test the configuration (for
example, by opening the internal Web page when using a PROFINET CPU).
1. On the service PC, select
"Start" > "All Programs" > "Accessories" > "Command Prompt" in the start bar.
2. In the command line of the "Command Prompt" window that appears, enter the
"ping <IP address of internal node of remote end>" command at the cursor
position.
Result
You get a positive response from the internal node.
Note
In Windows, the default settings of the firewall may prevent ping commands from
passing. You may have to enable the ICMP services of the "Request" and
"Response" type.
Entry ID: 99681624, V1.0, 09/2014
25
4 Appendix: Using TIA Online Functions
Appendix: Using TIA Online Functions
4.1
Accessible devices
"Accessible devices" means all devices that are connected to an interface of the
PG/PC and switched on.
To display the accessible devices on a single interface of the PG/PC, proceed as
follows:
1. Open the Project view of TIA Portal and in the project navigation, click the
"Online access" folder.
2. Click the arrow icon to the left of the interface to show all objects located below
the interface.
3. Double-click the "Update accessible devices" command below the interface.

Result:
All devices that can be accessed through this interface are displayed in the project
navigation.
Note
When a large number of devices are connected, updating may take some time.
The status bar shows the progress of the update process.
4.2
Assigning an IP address
Requirement
To assign an IP address to a device, you have to open the Online and Diagnostics
view of the module using the "Update accessible devices" command (in the project
navigation) (see Chapter 4.1 (Accessible devices)).
Assigning an IP address
To assign an IP address specified by you to the module, proceed as follows:
1. Open the Online and Diagnostics view of the IO device.
2. In the "Functions" folder, select the
"Assign IP address" group.
3. Enter the desired IP parameters.
Entry ID: 99681624, V1.0, 09/2014
26
4 Appendix: Using TIA Online Functions
4. Click the "Assign IP address" button.
Result:
The IP address is permanently assigned to the Ethernet port of the module. It is
also retained after startup or a power failure.
4.3
TeleService functions
Requirement
To use the TeleService functions, you have to open the Online and Diagnostics
view of the module using the "Update accessible devices" command (in the project
navigation) (see Chapter 4.1 (Accessible devices)).
Opening the Web interface
To parameterize the TS Adapter IE Advanced from TIA Portal, proceed as follows:
1. Open the "TS Adapter IE Advanced" folder in the list of devices.
2. Double-click the "Assign TS Adapter Parameters" command. The assigned
Web interface opens where you can parameterize the TS Adapter.
3. Perform the "logon" for the Web interface.
4. When you log on for the first time or after setting to factory default, the login
data is defined as follows:
Name: Administrator
Password: admin
Entry ID: 99681624, V1.0, 09/2014
27
5 Appendix: Handling CA Certificates
Appendix: Handling CA Certificates
5.1
Deleting CA certificates
To delete existing CA certificates, proceed as follows.
1. Log on to the system as an administrator.
2. Use Microsoft Management Console to open Windows Certificate Manager
on your PG/PC.
3. To do this, click "Start", enter mmc in the search box and press the ENTER
KEY.
The console opens.
4. In the "File" menu, click "Add/Remove Snap-In".

The snap-in selection dialog opens.
5. In the "Snap-In" list, double-click "Certificates" and in the next dialog, select
"Computer account".
6. In the next dialog, select the "Local Computer" item and click "Finish" and
"OK".
The Console Root opens and displays the "Certificates (Local Computer)"
folder.
7. Open the displayed "Certificates (Local Computer)" folder and click "Trusted
Root Certification Authorities".
8. Open the "Certificates" folder, select the desired CA certificate and select
"Delete" in the context menu.
9. Confirm the following prompt with "Yes".
Result
The selected CA certificate is deleted from the list of available certificates.
Entry ID: 99681624, V1.0, 09/2014
28
5 Appendix: Handling CA Certificates
5.2
Installing CA certificates
To install a CA certificate, proceed as follows:
10. Log on to the system as an administrator.
11. Use Microsoft Management Console to open Windows Certificate Manager
on your PG/PC.
12. Click "Start", enter mmc in the search box and press the ENTER KEY.
The console opens.
13. In the "File" menu, click "Add/Remove Snap-In".
The snap-in selection dialog opens.
14. In the "Snap-In" list, double-click "Certificates" and in the next dialog, select
"Computer account".
15. In the next dialog, select the "Local Computer" item and click "Finish" and
"OK".
The Console Root opens and displays the "Certificates (Local Computer)"
folder.
16. Open the displayed "Certificates (Local Computer)" folder and click "Trusted
Root Certification Authorities".
17. Click the "Certificates" folder and use the context menu to select the
"Action" > "All Tasks" > "Import" command.
18. Read the information displayed in the "Certificate Import Wizard" dialog and
click "Next".
19. In the following dialog, click "Search", select the desired CA certificate and
apply it with "Open".
20. Double-click "Next" and then "Finish" to install the CA certificate.
Entry ID: 99681624, V1.0, 09/2014
29
6 History
Result
The selected CA certificate is installed in the specified location in the Windows
certificate store.
History
Table 6-1
Date
V1.0
09/2014
Modifications
First version
Version
Entry ID: 99681624, V1.0, 09/2014
30

Tsadapter Tiav13 Doku v10 en

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Tsadapter Tiav13 Doku v10 en

Hochgeladen von

Copyright:

Verfügbare Formate

Configuration Example 09/2014

Setting up da secure VPN

Warranty and liability

Warranty and liability

Siemens AG 2014 All rights reserved

Task and Solution .............................................................................................. 4

Configuration and Project Engineering ........................................................... 6

Siemens AG 2014 All rights reserved

Setting up the environment .................................................................. 6

Testing the Tunnel Function .......................................................................... 25

Appendix: Using TIA Online Functions ......................................................... 26

Appendix: Handling CA Certificates .............................................................. 28

Accessible devices ............................................................................. 26

Deleting CA certificates ...................................................................... 28

1 Task and Solution

Task and Solution

Siemens AG 2014 All rights reserved

TIA Portal (V12 SP1 or higher)

Initiator (VPN client); starts the VPN connection

Responder (VPN server); waits for the VPN connection

1 Task and Solution

Characteristics of the solution

Siemens AG 2014 All rights reserved

High security standard due to

random numbers generated in hardware and

consideration of the strict Siemens Security Guidelines.

Customized solution for remote maintenance in the automation environment.

2 Configuration and Project Engineering

Configuration and Project Engineering

Setting up the environment

Required components and IP address overview

This example uses the TIA Portal V13 Update 3 software.

2 Configuration and Project Engineering

Siemens AG 2014 All rights reserved

Dynamic IP address from

Static IP address from

2 Configuration and Project Engineering

To manage CA certificates, you need administrator rights.

Siemens AG 2014 All rights reserved

DSL access for the TS Adapter IE Advanced (DSL router2)

Static IP address for DSL router2

2 Configuration and Project Engineering

Resetting to factory default

Siemens AG 2014 All rights reserved

Setting up the infrastructure

E.g., an automation network (does not exist in

2 Configuration and Project Engineering

Commissioning remote maintenance

Siemens AG 2014 All rights reserved

2 Configuration and Project Engineering

Initial configuration of the TS Adapter IE Advanced

Siemens AG 2014 All rights reserved

2. Apply the settings with "Save settings".

2 Configuration and Project Engineering

Specific Password Settings

Siemens AG 2014 All rights reserved

1. Define the settings for entering the password.

2. Apply the settings with "Save settings".

2 Configuration and Project Engineering

Changing the administrator password

Siemens AG 2014 All rights reserved

2. Apply the settings with "Save settings".

2 Configuration and Project Engineering