ConnectionBox
Firmware version: 3.2-r0
Low cost cRSP connection solution
- Cost savings and increased flexibility during parameterization and test phase because no external support from Healthcare (cRSP Helpdesk) is required
- Easy parameterization through BACnet rerouting
- Support of additional protocols with the Siemens SSL VPN Gateway
- Can be configured with one or two network adapters (as external or internal router)
1. Document History
Version | Date | Description | Author
001 | November 12 | First Draft | deZem
002 | November 12 | Updated with FW V1.2 | Siemens
003 | December 12 | Updated with additional information | deZem
004 | June.13 | Updated BACnet | Siemens
005 | October 13 | Update network interfaces, add Change User Credentials | deZem
006 | November 13 | Update | Siemens
007 | February 14 | Adding cRSP Gateway Status | deZem
008 | February 14 | Adding pictures and workaround Siemens Win7 client, Log description | Siemens
Table of Contents
1. Document History
Table of Contents
1. Introduction
  1.1 Workflow Checklist
  1.2 Commissioning checklist
  1.3 General limitations & precautions
2. Mechanical installation
3. Electrical connection
  3.1 Power
  3.2 IP LAN connector
  3.3 USB connectors / USB IP adapter (optional)
  3.4 DIP switch
  3.5 Reset button
  3.6 Status indication
4. Software configuration
  4.1 Web Browser overview
  4.2 Initial Connection
  4.3 ConnectionBox access security
5. Configuration – Basic Setup
  5.1 Network
    5.1.1 One network adapter
    5.1.2 Two network adapters
  5.2 Proxy Settings
  5.3 Date/Time settings
  5.4 NTP server settings
6. EMC Setup
7. VPN Settings
  7.1 Registration of the Client
  7.2 Status
  7.3 Proxy Server Settings
  7.4 Advanced settings
  7.5 De-registration of the Client
8. cRSP Gateway (SSL VPN Gateway)
9. BACnet Settings
  9.1 BACnet Port Settings
  9.2 WAN Port Settings
10. Administration
  10.1 Firmware update
  10.2 Backup and Restore
  10.3 User credentials
11. Diagnostics
  11.1
16. Appendix B
  16.1 Application example: SSL-VPN Client and SSL-VPN Gateway with Sinteso FS20
17. Appendix C
  17.1
1. Introduction
The purpose of the ConnectionBox is to provide a secure connection from any local system via the Siemens common Remote Service Platform (cRSP) to any remote device (BACnet and Non-BACnet) using the Energy Monitoring platform EMC (new name Advantage™ Navigator) or cRSP Customer Web Portal. Using the Siemens SSL VPN Client and Siemens BT BACnet Stack, the ConnectionBox allows for local Desigo and 3rd party controllers to be monitored and configured remotely via BACnet (e.g. XWORKS Plus) over a secure connection. In parallel it also supports Non-BACnet protocols (e.g. Sinteso works) by using the Siemens SSL VPN Gateway functionality.
The ConnectionBox can be configured with either the devices in the same IP segment as the internet access (1-Port Solution) or with an additional network adapter and the devices in a separate IP segment (2-Port Solution). Both configurations can be applied for BACnet as well as Non-BACnet devices by using the Siemens BACnet Stack and / or the SSL VPN Gateway feature.
[Figure: system overview with Engineering Tools (e.g. XWorks plus, FXS 2002), cRSP, SSL-VPN, BAC Stack, Web-Configuration, SSL VPN Gateway, Desigo PX and Sinteso FS20]
1.1 Workflow Checklist
The table below highlights the workflow required to set up a ConnectionBox. The details of each step can be found later in the document. Please follow the menu points from top to bottom.
Workflow | Description | Chapter | Complete
Commissioning Checklist | Read through this workflow list and the commissioning checklist before beginning | 17.1 |
Commission Devices | The target devices must be installed, and commissioned. Where possible read and save the values for comparison | |
Commission Network | The target network should be installed and tested. Testing can be completed with various tools, see the chapter at the end of this document | |
Install ConnectionBox | Mount and check connections, check and adjust DIP Switches; power up the ConnectionBox, check the indication LEDs | 2, 3 |
Connect cross-over IP cable | Connect the ConnectionBox to a PC using a cross-over Ethernet Patch Cable | 3.2 |
Connect USB-LAN adapter (optional) | Connect the USB-LAN adapter to the ConnectionBox. Note the USB port used! Once the SSL-VPN client is installed it cannot be changed. | 3.3 |
Connect to ConnectionBox | Point internet browser to the address of the ConnectionBox | 4 |
Basic Setup configuration | Configure Network with 1 adapter; Configure Network with 2 adapters; Configure Proxy settings (optional); Configure Date/Time; Configure NTP Server | 5.1.1, 5.1.2, 5.2, 5.3, 5.4 |
EMC configuration (optional) | Configure the ConnectionBox to backup configuration to EMC (Advantage™ Navigator) | 6 |
VPN configuration | Configuration of the SSL VPN client; register the SSL-VPN client with cRSP Access Server | 7 |
cRSP Gateway Configuration | Configuration of the SSL VPN Gateway; used for remote access to FS20 and other Non-BACnet devices; runs parallel to the BACnet routing | 8 |
BACnet Configuration | Configuration of the BACnet settings; used for remote control of BACnet networks via XWORKS; runs parallel to the SSL VPN gateway | 9 |
Administration | Configure firmware updates; backup and restore configuration; change user and password settings | |
1.2 Commissioning checklist
The list below is an overview of the required components needed to commission the ConnectionBox. It does not include the tools needed to install the hardware.
12-40 V DC power supply
Ethernet Crosslink Cable or network with dynamic TCP/IP addressing (DHCP)
Ethernet Cables for BACnet connections
Web browser with JavaScript, HTML 4.01 and CSS 2.1 support
Supported browser: Internet Explorer 9 (IE8 not supported), Firefox or Chrome
Pop ups have to be enabled in your browser
Network configuration settings of the BACnet network
Internet access for VPN communication
If there is an Internet Proxy, proxy settings from the customer IT department
ConnectionBox manual
USB-LAN-Adapter (optional)
1.3 General limitations & precautions
This device is intended for accessing remote networks through a VPN directly from EMC/cRSP. No other usage scenarios are permitted. Please note that the specifications in this document are subject to change. The most recent version is available on our “SWANWEB”:
https://intranet.sbt.siemens.com/swanlink/default.php?tabcard=4b73a4b5&src=advantage_navigator/integrations/ConnectionBox
or from Siemens BT Headquarters in Zug, CH (see below for contact information).
The terms TCP, TCP/IP, etc. all refer to IP version 4. IP version 6 is not supported.
The ConnectionBox may be used with one or two network interfaces. When only one network interface is used all network traffic goes through the internal network interface (RJ45 - IP LAN).
If two network interfaces are used, the ConnectionBox’s internal Ethernet interface connects to the remote network. An internet connection can only be established through an additional USB-LAN-adapter which should be purchased with the ConnectionBox. Currently, the ConnectionBox only supports this adapter.
2. Mechanical installation
The device is wall and DIN-rail mountable. To mount the ConnectionBox on a DIN-Rail, two plastic brackets are needed.
In addition to the physical dimensions of the device, additional space is required for the wiring.
Note: All interface cable connections between the ConnectionBox and other devices should be established before connecting the power supply.
[Figure: ConnectionBox connectors showing USB port for USB-LAN adapter, power supply, DIP switch and reset button]
3. Electrical connection
3.1 Power
The ConnectionBox must be powered with an external 12-40 V DC power supply.
3.2 IP LAN connector
The internal IP LAN connector is used to connect to the local network on which the BACnet devices are installed. If only one network interface is used the whole communication takes place through the internal IP LAN connector.
3.3 USB connectors / USB IP adapter (optional)
This is only necessary when working with two network interfaces.
The supported USB IP adapter for the ConnectionBox is a Delock “Adapter USB 2.0 > Ethernet 10/100” Part number 61147.
This adapter can be connected to either USB connector on the ConnectionBox.
NOTE: Once the SSL-VPN client has been registered with cRSP, a registration hash code is generated that includes information on the USB port that the adapter is connected to. The USB/IP adapter must not be connected to the other USB Port after registration.
3.4 DIP switch
All DIP switches must be in the ON position.
3.6 Status indication
The ConnectionBox has seven LEDs for optical status indication.
Description | Green | Yellow
Power | The power is properly applied. | -
Ready | The system is in operating mode. | -
Link/Act | The Ethernet interface is connected to the network. Flashing: Data is transmitted. | -
4. Software configuration
4.1 Web Browser overview
The ConnectionBox is configured using a web interface; the layout of the interface is shown below.
4.2 Initial Connection
You can easily configure the ConnectionBox by using the integrated web interface. There are two options to connect the PC to the ConnectionBox:
1. Using the built in IP LAN connector.
The easiest method is to connect to the ConnectionBox using a Switch or with a crossed network cable connected to a PC.
The network interface of the ConnectionBox is assigned a link-local address from the address block 169.254.0.0/16 by default. To connect set the IP address of your PC to 169.254.0.xxx/255.255.0.0 and connect via a switch or crossed network cable.
2. Using the USB IP Adapter (optional)
The external USB-LAN-adapter uses DHCP by default and can also be used for configuration.
The web interface hostname is generated from the ConnectionBox MAC address according to the pattern: HTTP://nmrxxxxxxxxxxxx (where x represents the hexadecimal characters of the MAC address), e.g. http://nmr001348018C52. Please note that the ConnectionBox is only accessible in this way from the sub network.
[Figure: web interface layout showing firmware version, menu and current settings]
The MAC address is printed on the left side of the device (e.g. 001348018C52).
If there are connection problems please check your network settings. A workaround can be found in chapter 12.
4.3 ConnectionBox access security
The access to the ConnectionBox web configuration interface is protected by a user name/password. When you enter the hostname in the internet browser, the ConnectionBox login page appears. Please enter your user name and password. You can obtain the default user name and password from Field Support or from the product manager.
5. Configuration – Basic Setup
Once logged into the ConnectionBox, choose “Basic Setup” from the main menu to configure the network, proxy, time and NTP server settings.
5.1 Network
The ConnectionBox can be configured with one or two network adapters. Select “Network” in the main menu to configure the network parameters of the ConnectionBox. To configure two network adapters, the USB-LAN-Adapter must first be connected to the ConnectionBox.
5.1.1 One network adapter
The built in IP LAN connector is used for all network traffic. The single interface supports both static IP and DHCP.
If your network connected to the built in IP LAN connector uses DHCP, the IP address can be obtained automatically by the ConnectionBox once connected.
In all other cases, enter the IP address, subnet mask, gateway and DNS server(s). If you want to configure more than one DNS server, enter the DNS servers' IP addresses as a comma-separated list.
Once the parameters have been entered press “Save”.
5.1.2 Two network adapters
1. The built in IP LAN connector.
The built in IP LAN connector is used for the local network that the BACnet devices are located on. This is referred to as the BACnet Interface.
2. USB IP Adapter
This connector is used for Internet access. This is referred to as the WAN Interface.
BACnet Interface: Enter the IP address and subnet mask of your BACnet network connected to the internal Ethernet interface. This interface does not require a Default Gateway.
WAN Interface: The WAN interface supports both static IP and DHCP.
If your network connected to the USB-LAN Adapter uses DHCP, the IP address can be obtained automatically by the ConnectionBox once connected.
In all other cases, enter the IP address, subnet mask, gateway and DNS server(s). If you want to configure more than one DNS server, enter the DNS servers' IP addresses as a comma-separated list.
Once the parameters have been entered press “Save”.
5.2 Proxy Settings
Proxy Settings are only required to back up the configuration of the ConnectionBox to EMC. To change the proxy server settings, select “Proxy Settings” in the main menu. You can enable or disable the usage of a proxy server. If you enable the usage of a proxy server, enter the server's hostname or IP address and the port. If the proxy server needs authentication, enter the user name and password. HTTP Basic Authentication and Digest Access Authentication are supported.
Note: When using a proxy server you have to configure the same proxy setting in the “VPN settings” again (see chapter 7.3).
Once the parameters have been entered press “Save”.
5.3 Date/Time settings
To manually change the date and time settings, select “Date/Time Settings” in the main menu. Enter the new date and time and press “Save”.
Enabled NTP synchronisation will override any manually configured date or time settings. Do not expect manual date or time adjustments to work if NTP is enabled.
Once the parameters have been entered press “Save”.
5.4 NTP server settings
NTP stands for “Network Time Protocol”. To change the NTP server settings, select “NTP Server” in the main menu. You can enable or disable the usage of a NTP server. If you don't use a NTP server, please set the date and time manually.
If you want to configure more than one NTP server, enter the NTP servers' hostnames or IP addresses as a comma-separated list.
In case the system time differs significantly from the NTP time, refreshing may cause a browser timeout, in which case you have to log in again.
6. EMC Setup
EMC Setup is only required to back up the configuration of the ConnectionBox to EMC. The configuration of the EMC connection requires several steps and should be finished with a connection test.
First, the server URI of the EMC server needs to be set. It consists of a protocol (“http” or “https”), the hostname or IP address of the server, as well as the path to the import script, as shown in the picture below. You can obtain the EMC server's URI from field support.
You can enable or disable the verification of the EMC server's SSL certificate. It is strongly recommended to enable the SSL verification. This option is only relevant if a “https” server URI is used.
After creating a ConnectionBox (device) login in EMC, you must now enter it in the ConnectionBox. This information ensures that the values are entered under the correct EMC account (customer).
Configuration Upload provides the opportunity to upload the configuration files to the EMC server once every hour if there have been any changes to it since the last upload. If the option is deactivated there will be no uploads. Save the changes once you are done. In a final step you can choose to finish the setup with a connection test. If you don't test the connection to the EMC server, the settings are adopted as is. If the connection test fails, the new settings will be rejected.
If you receive something like a “certificate error”, check the time and date settings of the ConnectionBox and set them to the current date and UTC time. The communication between EMC and the ConnectionBox is secured with a process based on certificates that are only valid in a given period of time. If these certificates are outdated for the ConnectionBox, the connection process fails.
7. VPN Settings
This menu allows you to configure SSL-VPN client settings. When the menu item is selected, an error message dialog is displayed if the client has not been registered.
The VPN Settings page allows you to perform the following operations & functions:
- Register and Deregister the SSL-VPN Client
- View the Status of the SSL-VPN connection
- Configure Proxy Server settings
- Modify Log and Tunnel mode configurations
7.1 Registration of the Client
To register the SSL-VPN client a ConnectionBox Checklist (Chapter 17.1) must be completed and sent to the local AOC/cRSP responsible. A One Time Password (OTP) is required to register the client and will be sent via secure email from the local AOC/cRSP responsible once the system has been created in cRSP.
NOTE: Once the SSL-VPN client has been registered with cRSP, a registration hash code is generated that includes information on the USB port that the adapter is connected to. The USB/IP adapter must not be connected to the other USB Port after registration.
Enter the details of the Host name, Site name and One Time Password.
The correct SSL-VPN Access Server must be selected for the region that you are located in. The Combo box has the following default servers:
Server DMZ location | Server name | IP address
DMZ Fuerth (Germany) | crsp-sslvpn-fth-p.siemens.com | 194.138.37.194
DMZ Malvern (USA) | crsp-sslvpn-nwke-p.siemens.com | 12.46.135.194
DMZ Singapore | crsp-sslvpn-sgp-p.siemens.com | 194.138.240.119
Release DMZ Fuerth | crsp-sslvpn-fth-r.siemens.com | 194.138.37.193
The DMZ servers are separated into three geographical locations. DMZ Fuerth is for Europe, DMZ Malvern for the Americas and DMZ Singapore for Asia Pacific and Middle East. The Release DMZ server in Fuerth is for testing purposes. If you are not sure of the DMZ server that you must register the client to, please contact your local AOC/cRSP responsible.
It is also possible to type in the Server name and IP address if required.
For most systems once the Host name, Site name and one-time password are entered and the correct SSL-VPN Server is selected, it is possible to register the client by selecting the
An info message will be displayed if the system was able to register successfully.
Note that the Registration confirmation message will always display the message that the system registered successfully to the Fuerth VPN server (displaying the URL or IP) even if the system is configured for Malvern or Singapore. This is because the registration takes place in two stages: firstly to the selected server and then finally to the Fuerth VPN server. Final confirmation comes from the Fuerth VPN Server.
The “Connectivity Test…” button is also useful to ensure that the ConnectionBox is able to contact (ping) the selected SSL-VPN Server.
7.2
Status
The status will only be displayed once a VPN connection has been established. Direct access to the ConnectionBox without using VPN is not monitored.
The status information must be manually updated using the “Refresh” button.
The Status information is useful for monitoring the data traffic amount and if the tunnel is active.
7.3 Proxy Server Settings
To change the proxy server settings, select “VPN Settings” in the main menu. You can enable or disable the usage of a proxy server.
If you enable the usage of a proxy server, please enter:
The Proxy Server's hostname or IP address and the port.
If the Proxy Server needs authentication, enter the user name and password.
Currently HTTP Basic Authentication and Digest Access Authentication are supported. If the Proxy Server requires authentication, it is recommended to use a password that never expires for this system. This may require requesting this configuration specifically from the customer IT department.
Note: These proxy settings have to be the same as the Proxy Settings in the Basic Setup menu (see chapter 5.2).
7.4 Advanced settings
The parameters in the advanced settings section usually do not need to be changed. They should only be changed by experts and are therefore by default hidden.
Selecting the expand button allows modification of Tunnel Mode configuration parameters and the Log configuration.
Tunnel Mode:
The options “Tunnel Mode” and “Tunnel active” cannot be changed by the user. The parameters “Idle timer”, “Keep alive timer” and “Response timer” can be set to a value in seconds.
Log configuration:
[Figure: button to hide or unhide the advanced settings]
Modified parameters are updated once the “Save” button is clicked.
7.5 De-registration of the Client
If the ConnectionBox is no longer being used on a system, it is strongly advisable to deregister the SSL-VPN client before removing it from the site.
This can be performed by selecting the “Deregister…” button. A message is displayed if the operation was successful.
8. cRSP Gateway (SSL VPN Gateway)
To configure the SSL VPN Gateway click on “cRSP Gateway” in the menu bar. The current settings are also shown on this page.
The following configurations are possible.
Once the parameters have been entered press “Save”.
Gateway Active: Switches the gateway on or off
Gateway UDP Mode: Specifies how datagram (UDP) sockets are used internally. In “connect” mode, only replies from a destination to which a datagram packet was previously sent are captured. In “bind” mode, replies from any destination are captured.
Gateway UDP Timeout [s]: Specifies the time in seconds after which a UDP “connection” to the target system is closed in order to save resources.
Gateway Listener: Specifies listener address/port for the gateway.
Attention! Do not specify a port number that may be used by other applications, such as 80, 443 and 21. Instead, choose uncommon ports greater than 5000. The best choice is the default 11080 because it is opened in the cRSP firewall. Port 11801, however, is not allowed as it is already used internally.
Log Level: The dropdown lets you select which messages should appear in the log files.
Maximum Log File Size: determines the maximum number of bytes before the log files are rotated
Maximum Log File Number: determines how many rotated log files should be kept available
Gateway Destination White List: List of all destination IP addresses that are reachable through the cRSP gateway. All managed systems configured in the cRSP database as “behind” this gateway should be included in this list.
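What the two Gateway UDP modes described above mean at socket level, shown on the loopback interface. This is an added example using standard operating system socket behaviour, not the gateway's own code; that the modes correspond to connect() and bind() on a UDP socket is an assumption based on the description, and all names and payloads are constructed.

```python
import socket

LOOPBACK = "127.0.0.1"


def _udp_socket():
    """Create a UDP socket on a free loopback port with a short timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((LOOPBACK, 0))      # port 0: let the OS pick a free port
    sock.settimeout(0.5)
    return sock


def replies_captured(mode):
    """Send one request to `target`, let both `target` and an unrelated
    `other` host answer, and return the payloads the gateway-side socket
    actually receives.

    mode == "connect": the socket is connected to the target, so the kernel
                       drops datagrams from any other source address/port.
    mode == "bind":    the socket is only bound, so any sender that knows
                       the port can deliver a datagram to it.
    """
    gateway, target, other = _udp_socket(), _udp_socket(), _udp_socket()
    try:
        if mode == "connect":
            gateway.connect(target.getsockname())
            gateway.send(b"request")
        elif mode == "bind":
            gateway.sendto(b"request", target.getsockname())
        else:
            raise ValueError(f"unknown mode: {mode!r}")

        # The target learns the gateway's source address from the request.
        _, gateway_addr = target.recvfrom(1024)

        # An unrelated sender and the real target both send a "reply".
        other.sendto(b"from-other", gateway_addr)
        target.sendto(b"from-target", gateway_addr)

        captured = []
        while True:
            try:
                payload, _ = gateway.recvfrom(1024)
            except socket.timeout:
                break             # nothing more arrived within the timeout
            captured.append(payload.decode())
        return sorted(captured)
    finally:
        for sock in (gateway, target, other):
            sock.close()


if __name__ == "__main__":
    for mode in ("connect", "bind"):
        print(mode, replies_captured(mode))
```

In “bind” mode the Gateway Destination White List and the surrounding firewall rules are the only restriction on who can deliver a datagram to the socket, which is worth knowing when choosing the mode.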
9. BACnet Settings
The BACnet settings page provides options to change the BACnet routing configuration of the BACnet Port (LAN) and WAN Port network interfaces. Each Interface is configured in a separate tab.
Always “Save” any changes before changing tabs. “Cancel” sets everything back to the last saved configuration and opens the first tab.
9.1 BACnet Port Settings
The BACnet port is a logical interface used to address a specific BACnet network. This interface is connected to the local LAN that contains the BACnet devices.
unique for the system.
The configuration of the network numbers for PX controllers is performed in XWP Network Configurator. Typically the BACnet/LON network will have Network Number 1 and the BACnet/IP network will have Network Number 2. For larger systems this will be dependent on the topology.
Example of standard BACnet router configuration with the ConnectionBox:
ConnectionBox – BACnet Settings
  WAN Port: Port 4 / Network 99, BBMD = 1, FDT = 1, UDP = BACA (47818)
  BACnet Port: Port 3 / Network 98, BBMD = 0, FDT = 0, UDP = BAC1 (47809)
BACnet Router Configuration
  BACnet/IP: Port 2 / Network 2, BBMD = 1, FDT = 1, UDP = BAC1 (47809)
  BACnet/LON: Port 1 / Network 1, LON segment: SEG01
The BACnet router has the LON connection configured for NET01 (network number 1) and the IP connection configured for NET02 (network number 2). (Note here that Port 3 could also be configured for Network 2 to be in the same network as the BACnet router IP network and it is functionally correct and would work.)
If the remote connection is created using the BBS, it is critical that the network number 1 is not used for defining either of the ConnectionBox networks. This would result in BACnet communication failure.
UDP Port: This is the port used for BACnet routing. The UDP port must match the port that has been configured for the BACnet devices on the LAN. This is typically 47808 (0xBAC0).
Attached: This box needs to be ticked so the BACnet daemon establishes a connection. Otherwise the interface will be ignored.
The BBMD/Foreign Device option should typically never be used. If the system requires BBMD support it is recommended to configure this using XWorks plus Network Configurator on the PX controllers.
The possible selections for BBMD/Foreign Device are:
None
No BBMD or FD support via ConnectionBox on LAN. This is the recommended option.
BBMD (BACnet Broadcast Management Device)
This enables the Broadcast Distribution Table and Foreign Device Table options. BBMD.
Foreign Device
The Foreign Device option can be used to specify an IP and UDP port to allow the ConnectionBox to register as a foreign device on a BACnet server.
BACnet Configuration File Upload:
The BACnet Configuration File Upload option is an advanced option that should only be used by expert engineers. The ConnectionBox is installed with the Siemens BT BACnet Stack and once the interface is expanded, it is possible to modify all BACnet settings and parameters on both the LAN and WAN connections.
Modifications to these entries should only be performed in cases where BACnet communication errors occur. The parameters are not checked for consistency.
After any modifications the configuration file must be first saved by pressing the “Save” button and then reloaded by pressing the “Reload” button on the bottom of the section.
General:
After performing any modification to the BACnet configuration on this tab, the Daemon must be restarted for the modifications to come into effect.
9.2 WAN Port Settings
This interface is connected to the USB IP adapter that connects to the internet / customer network with external access.
Port ID: This has to be a unique number. It should be different to the number used on the BACnet port tab.
Network Number: This is the BACnet network number. See description of this setting above for the BACnet port. It is very important that this network number is unique for the BACnet Internetwork.
UDP Port: This is the port used for BACnet routing. The UDP port can be freely defined but the supported range for cRSP connections is 0xBAC0 to 0xBACF (47808 to 47823). This UDP port must match the configuration defined in cRSP for the connection.
The BBMD/Foreign Device option should typically be configured for BBMD to allow the support of Foreign Device Table registration.
The possible selections for BBMD/Foreign Device are:
None
No BBMD or FD support via ConnectionBox on LAN. This selection is not recommended as it will prevent connection remotely to the systems on the LAN.
BBMD (BACnet Broadcast Management Device)
This is the required option.
This enables the Broadcast Distribution Table and Foreign Device Table options. If the system requires BBMD support it is recommended to configure this using XWorks plus Network Configurator.
Foreign Device Table support must be enabled and the default Max. FDT Entries is recommended to be set at 16.
Foreign Device
The Foreign Device option can be used to specify an IP and UDP port to allow the ConnectionBox to register as a foreign device on a BACnet server.
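The numeric rules stated in chapters 8 and 9 (gateway listener port, white list entries, WAN UDP range, network numbers, BBMD mode) can be checked against a planned configuration before commissioning. The following Python check is an added example, not part of the ConnectionBox firmware or this manual; the plan dictionary layout and all function names are assumptions, and both sample plans are constructed.

```python
import ipaddress

# Limits quoted from the manual. The plan layout (dict keys) is a hypothetical
# format made up for this example; the ConnectionBox has no such file.
WAN_UDP_MIN, WAN_UDP_MAX = 0xBAC0, 0xBACF   # 47808..47823, supported for cRSP
BUSY_PORTS = {21, 80, 443}                  # may be used by other applications
INTERNAL_PORT = 11801                       # already used internally
DEFAULT_LISTENER = 11080                    # opened in the cRSP firewall


def check_gateway(gateway):
    """Return (severity, message) findings for the cRSP Gateway settings."""
    findings = []
    port = gateway["listener_port"]
    if port == INTERNAL_PORT:
        findings.append(("error", "listener port 11801 is used internally"))
    elif port in BUSY_PORTS:
        findings.append(("error", f"listener port {port} may be used by another application"))
    elif port <= 5000:
        findings.append(("warn", f"listener port {port} is not above 5000"))
    elif port != DEFAULT_LISTENER:
        findings.append(("warn", f"listener port {port} is not the default 11080"))
    for entry in gateway["white_list"]:
        try:
            address = ipaddress.ip_address(entry.strip())
        except ValueError:
            findings.append(("error", f"white list entry {entry!r} is not an IP address"))
            continue
        if address.version != 4:   # the manual states IP version 6 is not supported
            findings.append(("error", f"white list entry {entry!r} is IPv6"))
    return findings


def check_bacnet(lan, wan, lan_device_udp, site_networks, via_bbs):
    """Return findings for the BACnet Port (lan) and WAN Port (wan) tabs."""
    findings = []
    if lan["port_id"] == wan["port_id"]:
        findings.append(("error", "Port ID must differ between the two tabs"))
    # The BACnet port may share the router's IP network number; the WAN
    # network number must be unique in the BACnet internetwork.
    if wan["network"] == lan["network"] or wan["network"] in site_networks:
        findings.append(("error", f"WAN network number {wan['network']} is not unique"))
    if via_bbs and 1 in (lan["network"], wan["network"]):
        findings.append(("error", "network number 1 must not be used with BBS"))
    if not WAN_UDP_MIN <= wan["udp"] <= WAN_UDP_MAX:
        findings.append(("error", f"WAN UDP port {wan['udp']} is outside 0xBAC0-0xBACF"))
    if lan["udp"] != lan_device_udp:
        findings.append(("error", f"BACnet port UDP {lan['udp']} does not match LAN devices ({lan_device_udp})"))
    if lan["bbmd_mode"] != "None":
        findings.append(("warn", "BACnet port: BBMD/Foreign Device should be None"))
    if wan["bbmd_mode"] != "BBMD":
        findings.append(("error", "WAN port: BBMD is the required option"))
    elif not wan.get("fdt_enabled"):
        findings.append(("error", "WAN port: Foreign Device Table support must be enabled"))
    if not lan.get("attached"):
        findings.append(("warn", "BACnet port: 'Attached' is not ticked, interface is ignored"))
    return findings


def check_plan(plan):
    """Run all checks on one planned configuration."""
    return check_gateway(plan["gateway"]) + check_bacnet(
        plan["bacnet_port"], plan["wan_port"], plan["lan_device_udp"],
        plan["site_networks"], plan["via_bbs"])


# Constructed plan that mirrors the router example in chapter 9.1.
GOOD_PLAN = {
    "gateway": {"listener_port": 11080, "white_list": ["192.168.10.20"]},
    "bacnet_port": {"port_id": 3, "network": 98, "udp": 0xBAC1,
                    "bbmd_mode": "None", "attached": True},
    "wan_port": {"port_id": 4, "network": 99, "udp": 0xBACA,
                 "bbmd_mode": "BBMD", "fdt_enabled": True},
    "lan_device_udp": 0xBAC1, "site_networks": {1, 2}, "via_bbs": True,
}
# Constructed plan that breaks several of the rules at once.
BAD_PLAN = {
    "gateway": {"listener_port": 11801,
                "white_list": ["192.168.10.20", "fe80::1", "fs20-panel"]},
    "bacnet_port": {"port_id": 3, "network": 1, "udp": 47808,
                    "bbmd_mode": "None", "attached": True},
    "wan_port": {"port_id": 3, "network": 1, "udp": 47900,
                 "bbmd_mode": "None", "fdt_enabled": False},
    "lan_device_udp": 47808, "site_networks": {2}, "via_bbs": True,
}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name)
        for severity, message in check_plan(plan):
            print(f"  {severity}: {message}")
```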
BACnet Configuration File Upload:
10. Administration
10.1 Firmware update
Updating the firmware of the ConnectionBox is a two step process. First, you need to upload the firmware, and then you have to apply the update.
To update the firmware of the ConnectionBox, you have to establish a network connection between your PC and the ConnectionBox. Open the web configuration interface, select “Administration” and "Firmware" from the main menu and then browse to the firmware image file on your PC.
Once you press the “Upload firmware”-button, the firmware-image is transmitted to the ConnectionBox and validated but not yet applied.
To apply the firmware update, choose the firmware file from the drop down menu. Subsequently, click “Update firmware”. The firmware is then copied to the flash memory. The firmware update may take several minutes. The progress is indicated on your screen. DO NOT RESTART OR POWER OFF THE CONNECTIONBOX WHILE A FIRMWARE UPDATE TAKES PLACE!
A message will show once the update has been successfully copied. You need to reboot the ConnectionBox now.
Unneeded firmware files should be removed from the dropdown menu. To do so, choose the firmware file and then press “Remove firmware”.
Choose the firmware file from the dropdown menu
Page34
10.2 B ackup and R estore
To backup, restore or reset the configuration of the ConnectionBox open the web configuration interface, select “Administration” and "Firmware" from the main menu. You can backup the configuration to EMC or as a text file to your local computer.
To backup the configuration to EMC you have to create a device login in EMC as described in chapter "EMC Setup". If a proxy is required, it must be configured in "Basic Setup"->"Proxy Settings".
To backup the configuration to your local computer press the button and select a location and a file name for the configuration file. Then press the Save-button.
To restore a configuration, browse to the configuration file on your pc and press the "Restore configuration"-button. If you want to restore a configuration from EMC, you have to download the configuration file from EMC to your pc first. Restore is only from your pc possible.
10.3 User credentials
To change the user credentials, select "Administration" and "Login". To change the user name, you have to enter the new user name and the current password. To change the password, you must enter the current password and the new password.
The ConnectionBox accepts only secure passwords: a password has to consist of at least 8 characters and contain upper and lower case letters, at least 1 number and 1 special character. The initial password for a brand new box is NMRwebAccess#1.
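The password rule above as a pre-check for newly chosen credentials; this is an added example, not code from the manual or the ConnectionBox firmware. It shows that the documented initial password itself satisfies the complexity rule, so it has to be rejected explicitly. The box names and sample passwords are constructed, and treating "special character" as ASCII punctuation is an assumption.

```python
import hmac
import string

# Initial password for a brand new box, as stated in section 10.3.
FACTORY_DEFAULT = "NMRwebAccess#1"
MIN_LENGTH = 8


def policy_violations(password):
    """Return the rules from section 10.3 that the password does not meet."""
    rules = [
        ("at least 8 characters", len(password) >= MIN_LENGTH),
        ("an upper case letter", any(c.isupper() for c in password)),
        ("a lower case letter", any(c.islower() for c in password)),
        ("a number", any(c.isdigit() for c in password)),
        # Assumption: "special character" means ASCII punctuation.
        ("a special character", any(c in string.punctuation for c in password)),
    ]
    return [name for name, ok in rules if not ok]


def is_factory_default(password):
    # Constant-time comparison against the documented initial password.
    return hmac.compare_digest(password.encode(), FACTORY_DEFAULT.encode())


def audit(candidates):
    """Map each box name to its findings; an empty list means acceptable."""
    report = {}
    for box, password in candidates.items():
        findings = ["missing " + rule for rule in policy_violations(password)]
        if is_factory_default(password):
            findings.append("still the documented initial password")
        report[box] = findings
    return report


# Constructed sample: box names and passwords are invented for this example.
SAMPLE = {
    "box-plant-a": "NMRwebAccess#1",
    "box-plant-b": "summer2014",
    "box-plant-c": "Zug-6301-kettle!",
}

if __name__ == "__main__":
    for box, findings in audit(SAMPLE).items():
        print(box, "OK" if not findings else "; ".join(findings))
```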
11. Diagnostics
11.1 Log files
The ConnectionBox logs important system events in log files. To view the log files, select “Log Viewer” from the main menu.
You will see a list with the log files. If you click on a log file name, the recent log messages are shown. You can browse through the log files by clicking the buttons “older” and “newer” or choose a specific page from the drop down menu. Older pages have higher numbers. The “Refresh”-button reloads the page currently viewed.
These log files are intended for advanced diagnostics of the SSL-VPN Client.
The SSL-VPN client creates log files for the SSL-VPN tunnel status, the SSL-VPN service and SSL-VPN administration of the client.
The cRSP-Gateway creates log files for the Gateway Proxy, the Gateway Service and Gateway Administration.
For both the SSL-VPN Client and cRSP-Gateway you can modify the Log Level in the configuration tabs.
12. Network configuration for Siemens clients
If your Siemens client PC has connection problems with the BACnet Monitor, you have to activate NetBIOS over TCP/IP.
12.1 Windows 7
Step 1:
Open the Network Connections in the control panel
Step 2:
Step 3:
Double click on Internet Protocol Version 4
Step 4:
Step 5:
Activate Default in the WINS register and click OK.
The connection to the BACnet Monitor should now work.
13. Support
For 1st level technical Support with ConnectionBox please contact your local AOC Support.
The following contact partners are internally available for 2nd level support and questions from the AOC specialists regarding ConnectionBox:

Field Support
Morof, Markus
Siemens Switzerland Ltd.
Field Support
IC BT CPS REM MS FS
Gubelstrasse 22, 6301 Zug Switzerland
+41 (41) 724-5104
[email protected]

Product Management
Wirth, Winfried
Siemens Switzerland Ltd.
Head BAU LCM VAS
IC BT BAU LCM VAS
Gubelstrasse 22, 6301 Zug Switzerland
+41 (41) 724-2463
[email protected]
14. Appendix A
Technical Overview
Technical Details:
Operating voltage: 12 – 40 VDC
Energy consumption: Max. 5 VA
Dimensions (HxWxD): 108.8 x 102.5 x 25.6 mm
Operating Temperature: 0-70°C
IP20
Connectivity:
1x Port RS232/RS422/RS485
3x RS232
1x RJ45 Ethernet 10/100 Mbit/s
2x USB 2.0 (one is used for the second Ethernet connection via USB-LAN adapter)
CPU:
ARM920T Processor with 200MIPS at 180MHz
Memory Management Unit
Operating System:
Embedded Linux Version 2.6.32.27
Memory:
64MB SDRAM
16MB Flash
15. Appendix B
15.1 Application example: SSL-VPN Client and BACstack with Desigo PX
In this application example the XWorks plus engineering tool connects to a PXC controller via BACnet. The connection through the internet is secured by a VPN tunnel established between the common remote service platform cRSP and the ConnectionBox. The involved ConnectionBox components are SSL-VPN Client and BACstack.
Example IP addresses and involved components:
Components shown in the diagram: PXC (192.168.1.162, BAC9), XWorks plus Engineering, SSL-VPN, BACstac, cRSP, Web-Configuration, ConnectionBox

Network Adapter: LAN
IP: 192.168.1.163
SM: 255.255.255.0
DG: -

Network Adapter: cRSP SSL-VPN
IP: 14.252.130.231
SM: 255.255.255.0
DG: -

Cimetrics BACstac Routing Edition V6
Port 1: BBMD = 1, FDT = 1, UDP = BAC0 (47808)
Port 2: BBMD = 0, FDT = 0, UDP = BAC9 (47817)

Network Adapter: USB Adapter
IP: 192.168.220.140
SM: 255.255.255.0
DG: 192.168.220.1
16. Appendix B
16.1 Application example: SSL-VPN Client and SSL-VPN Gateway with Sinteso FS20
In this application example the connection of the Sinteso Works FXS 2002 engineering tool through the internet to a Sinteso FS20 panel is secured by a VPN tunnel established between the common remote service platform cRSP and the ConnectionBox. The involved ConnectionBox components are SSL-VPN Client and SSL-VPN Gateway.
Example IP addresses and involved components:
Components shown in the diagram: Sinteso Works FXS 2002, SSL-VPN, cRSP, Sinteso FC20xx, SSL-VPN GWW, ConnectionBox

Network Adapter: LAN
IP: 192.168.1.163
SM: 255.255.255.0
DG: -

Network Adapter: cRSP SSL-VPN
IP: 14.252.130.231
SM: 255.255.255.0
DG: -

SSL-VPN Gateway - Gateway Destination white list

Network Adapter: USB Adapter
IP: 192.168.220.140
SM: 255.255.255.0
DG: 192.168.220.1
17. Appendix C
17.1 ConnectionBox Checklist
ConnectionBox Checklist V1.0
This checklist must be completed before installing and commissioning the ConnectionBox. Please complete all fields and send it to your country AOC/cRSP responsible. Once all the required information is completed, you will receive a One Time Password to register the device with cRSP.
1. Customer Information
Please enter the information about the customer and the place of installation. If the place of installation is the same as the customer address, leave it empty.

Customer
Customer Name
Street & number
Postcode - City
Country

Place of Installation
Customer Name
Street & number
Postcode - City
Country

Please indicate the type of system on the customer site:
Building Automation
Fire / Security

2. Contact information
Siemens Project Responsible
Name
Phone Number
Email
This email will be used to send the One Time Password once the system has been configured in cRSP.

Customer Local Contact
Name
Phone Number
Email

3. cRSP SSL-VPN details
Note that there should be a naming convention for the Customer System in your region. The cRSP Customer System Name must be unique within EMC.
cRSP Customer Site Name
cRSP Customer System Name