
EtherNet/IP Secure Communication User Manual



[Screenshot: Set Up a Connection or Network dialog, with the options Connect to the Internet, Set up a new network, Connect to a workplace, and Set up a dial-up connection]

4. Select No, create a new connection and click Next. You do not see this screen if there are no connections set up yet.

   [Screenshot: Connect to a Workplace dialog, "Do you want to use a connection that you already have?", with the choices "No, create a new connection" and "Yes, I'll choose an existing connection"]

Rockwell Automation Publication ENET-UM003C-EN-P - November 2015

Chapter 3  Configure a Secure Connection to a Microsoft Windows Client

5. Choose Connect using a virtual private network (VPN) connection through the Internet.

   [Screenshot: Connect to a Workplace dialog, "How do you want to connect?", with the options "Use my Internet connection (VPN)" and "Dial directly (connect directly to a phone number without going through the Internet)"]

6. If prompted, choose I'll set up an Internet connection later.

7. Enter the physical IP address of the 1756-EN2TSC module and a name for the connection.

8. Select Don't connect now; just set it up so I can connect later, and click Next.

   [Screenshot: Connect to a Workplace dialog, "Type the Internet address to connect to"]
Follow all regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).

Allen-Bradley, Rockwell Software, Rockwell Automation, ControlFLASH, ControlLogix, FactoryTalk, FLEX, Logix5000, POINT I/O, PowerFlex, RSLinx, RSView, Stratix 5900, and Studio 5000 are trademarks of Rockwell Automation, Inc. Trademarks not belonging to Rockwell Automation are property of their respective companies.

Summary of Changes

This manual contains new and updated information. Changes throughout this revision are marked by change bars in the margin.

New and Updated Information

This table contains the changes made to this revision.

Topic                                                                              Page
Updated all web page interface screens from Series A to Series B module firmware   Throughout
Added references to the Stratix 5900 Security Appliance                            11, 9, 51
Added information about mobile clients                                             15
Updated information about Transport Layer Security (TLS) 1.2                       11
Added new features                                                                 Throughout
Added Security Configuration Parameter Descriptions                                16

Table of Contents

Preface
  Additional Resources

Chapter 1  Secure Communication Architecture
  Considerations
  ...
  Get Started
  Configur
Verify that the RJ45 connector in the Ethernet port is completely inserted and that the other end of the cable is connected to a device in your network.

Flashing green  Activity exists on the port.
Green           A link exists on the port.

Chapter 6  Diagnostics

Network (NET) Status Indicator

Status          Description
Off             One of these conditions exists:
                - The module is not powered. Verify that there is chassis power. Verify that the module is completely inserted into the chassis and backplane. Make sure that the module has been configured.
                - The module is powered but does not have an IP address. Assign an IP address to the module.
Flashing green  The module has an IP address and one of these conditions exists:
                - The module has not established any CIP connections. If connections are configured for this module, check the connection originator for the connection error code.
                - One or more connections have timed out. For example, an HMI or I/O connection has timed out. Re-establish the connection.
Green           The module has established at least one CIP connection and is operating properly. The IP address for the module scrolls across the Module Status display.
Red             The module is in conflict mode: it shares an IP address with another device on the network. The current IP address for the module scrolls across the Module Status display.
[Screenshot: IPsec Configuration list on the first module, showing a Windows Client entry for 10.10.10.2 and a Peer to Peer entry for 10.10.10.1; "Configuration changed, press Apply button to proceed"]

Chapter 4  Configure Secure Communication Between Two 1756-EN2TSC Modules

Configure the Second Remote Module

Follow these steps to configure the second remote module.

1. Choose Administrative Settings > Secure Tunnel Configuration > IPsec Configuration and make sure that Enable IPsec is enabled.

   [Screenshot: IPsec Configuration page of the second module, with Peer to Peer entries for 10.10.10.2 and 10.10.10.1 and the Revert Changes / Apply Changes buttons]

2. To create a secure association, do the following:
   a. Enter the Identifier as a text description of the connection.
   b. Choose Peer to Peer as the Profile.
   c. Enter the IP address of the first (local) module.
   d. Enter the pre-shared key and confirm the pre-shared key.

3. Click Add.

4. Click Apply Changes after entering all configurations.

   [Screenshot: IPsec Configuration list showing Peer to Peer entries for 10.208.50.51, 10.208.50.52, 10.208.50.53, and 10.208.50.54, a Windows Client entry for 10.10.10.2, and the Peer to Peer entry for 10.10.10.1]
[Screenshot: route print output, Interface List: Broadcom NetXtreme 57xx Gigabit Controller, VMware Virtual Ethernet Adapter for VMnet1, VMware Virtual Ethernet Adapter for VMnet8, Software Loopback Interface 1, Microsoft ISATAP Adapters, Teredo Tunneling Pseudo-Interface]

Chapter 3  Configure a Secure Connection to a Microsoft Windows Client

Active Routes:
Network Destination   Netmask           Gateway       Interface      Metric
0.0.0.0               0.0.0.0           10.22.23.1    10.22.23.123   10      <- metric of default gateway
10.76.16.0            255.255.252.0     On-link       10.22.23.123   266
...
127.0.0.0             255.0.0.0         On-link       127.0.0.1      306
127.0.0.1             255.255.255.255   On-link       127.0.0.1      306
127.255.255.255       255.255.255.255   On-link       127.0.0.1      306
192.168.2.0           255.255.255.0     192.168.1.1   192.168.1.2    11      <- interface field metric for client

Open the VPN Connection to the 1756-EN2TSC Module

Once the Windows client and the 1756-EN2TSC module are configured, you must establish the VPN connection.

1. From the Windows notifi
Networks

VPN (IPsec) provides the following security features:
- Authentication of the communication end points (both client and server)
- Data authenticity and integrity via message integrity checks
- Data confidentiality via encryption algorithms

Use of the IPsec protocol suite lets you use the Microsoft Windows VPN client to connect securely to the module. IPsec also lets the module create secure tunnels with other 1756-EN2TSC modules and with off-the-shelf VPN appliances.

IMPORTANT  The module does not provide access to a private network. While the module supports secure communication, it is not intended to be connected directly to the public Internet to provide a VPN function, or to be the mechanism by which remote access is provided to a network. The module does not expose a private network address range via IPsec; only the module's own IP address is reachable through the tunnel.

The module does the following:
- Secures access to the controller and I/O modules in the local chassis
- Secures bridge access to other networks accessible within the local chassis

[Figure: Secure plant network access via a 1756-EN2TSC module in a ControlLogix chassis, with DeviceNet access via a 1756-DNB and EtherNet/IP access via a 1756-EN2T in the same chassis]

Chapter 1  Secure Communication Architecture

As part of establishing the secure tunnel, both endpo
[Screenshot: IPsec Configuration page listing PeerVPN_3 (Peer to Peer, 10.208.50.53), PeerVPN_4 (Peer to Peer, 10.208.50.54), EN2TSC_Client (Windows Client, 10.10.10.2), EN2TSC_Local (Peer to Peer, 10.10.10.1), and EN2TSC_Remote (Peer to Peer, 10.10.10.6), with a new entry being added: Identifier EN2TSC_VPN, Profile VPN Appliance, Remote IP 10.10.10.8, Pre-shared key, Confirm Pre-shared key, and the Add / Add and Edit buttons]

2. To create a secure association, do the following:
   a. Enter the Identifier as a text description of the connection.
   b. Choose VPN Appliance as the Profile.
   c. Enter the IP address of the VPN appliance.
   d. Enter the pre-shared key and confirm the pre-shared key.

   Parameter               Description
   Identifier              Name for the security association, such as VPN_connection
   Profile                 VPN Appliance
   Remote IP               IP address of the VPN appliance
   Pre-shared key          Pre-shared key for the connection
   Confirm Pre-shared key  Same pre-shared key for the connection as entered above

3. Click Add.

Chapter 5  Configure a Secure Connection to a VPN Appliance

4. Click Apply Changes.

   [Screenshot: IPsec Configuration list after applying, with entries for 10.208.50.51, 10.208.50.52, 10.208.50.53, 10.208.50.54, 10.10.10.2, 10.10.10.1, and 10.10.10.6]
[Screenshot: IPsec Configuration list with the 10.10.10.6 entry; "Configuration changed, press Apply button to proceed"]

Chapter 4  Configure Secure Communication Between Two 1756-EN2TSC Modules

Test the Connection

When the security association is added on both sides of the connection, the modules take a few seconds to establish the IPsec tunnel between them. To verify that the connection is established, access Diagnostics > Advanced Diagnostics > Secure Tunnel > IPsec Security Associations.

[Screenshot: IPsec Security Associations diagnostic page listing active SAs between 10.208.50.50 and peers 10.208.50.53 and 10.208.50.54, with a "Seconds Between Refresh (Disable Refresh with 0)" control]

Edit the Security Association

If you want to edit the settings for the association you created, click the Edit button next to the association in the list.

[Screenshot: Edit IPsec SA form]
  SA Identifier:            EN2TSC_Local
  Profile:                  Peer to Peer
  Negotiation mode:         Active
  Exchange version:         IKE v2
  Authentication method:    PSK
  Local device identifier:  IP, 10.208.50.50
  Remote device identifier: IP, 10.10.10.1
  Remote Device IP address: 10.10.10.1
  IKE encryption algorithm: AES 256
  DH MO
   Server IP address             192.168.2.1
   Client IP address pool start  192.168.2.2
   Client IP address pool end    192.168.2.20
   Authentication method         PAP, CHAP

5. If needed, change the range of available client IP addresses. The IP addresses on this screen are the virtual IP address of the L2TP server in the 1756-EN2TSC module and the pool of virtual IP addresses for Windows clients. Once the secure tunnel is established, use the L2TP server IP address to identify the 1756-EN2TSC module. The Windows client uses an IP address from the L2TP pool. Note that PAP sends the PPP password unencrypted at the PPP layer; with L2TP/IPsec that exchange only happens inside the IPsec ESP tunnel, which must already be established, so the password is not exposed on the wire.

6. Click Apply Changes.

Chapter 3  Configure a Secure Connection to a Microsoft Windows Client

Configure a Connection from a Microsoft Windows Client

This section describes the configuration in which the 1756-EN2TSC module is the server and the Microsoft Windows computer is the client.

An IPsec client is required to make a secure connection to the module. Without an active IPsec association, the module drops packets, which appear to the client as message timeouts. The IPsec client comes pre-installed in the Windows 7 operating system.

To configure a Microsoft Windows client, do the following:

1. From the Control Panel, open the Network and Sharing Center.

2. Click Set up a new connection or network.

3. Select Connect to a workplace and click Next.

   [Screenshot: Set Up a Connection or Network dialog, "Choose a connection option"]
VPN client, as you need only one secure tunnel between the 1756-EN2TSC module and the VPN appliance.

Chapter 5  Configure a Secure Connection to a VPN Appliance

Figure 5  Consolidate Multiple VPN Clients Through One Location

[Figure: Enterprise Zone (Levels 4 and 5); Demilitarized Zone (DMZ) containing the VPN appliance; a secure tunnel from the VPN appliance down to the Manufacturing Zone, Site Manufacturing Operations and Control (Level 3); Levels 0-2 with a ControlLogix chassis containing the 1756-EN2TSC module]

An appliance like the Cisco ASA supports multiple methods for authentication, multiple encryption algorithms, and multiple types of VPN technology, such as SSL VPN.

Configure the Module to Connect to a VPN Appliance

Follow these steps to configure the module to connect to a VPN appliance.

1. Choose Administrative Settings > Secure Tunnel Configuration > IPsec Configuration and make sure that Enable IPsec is enabled.

   [Screenshot: IPsec Configuration page with the tabs IPsec Configuration, Mobile Clients, L2TP Configuration, and L2TP Edit Users, listing SA Identifier / Profile / Remote IP: PeerVPN_1, Peer to Peer, 10.208.50.51; PeerVPN_2, Peer to Peer, 10.208.50.52; PeerVPN_3
View SE and FactoryTalk View ME communication.

Chapter 1  Secure Communication Architecture

Security Configuration

You can enable and disable features of the module to enhance security:
- The USB port can be disabled.
- The remote factory reset via a CIP message can be disabled.
- The remote reset via a CIP message can be disabled. When you disable the remote reset, the ControlFLASH update is also disabled.

[Screenshot: Security Configuration page]
  Enable USB Port       Enabled
  Remote Factory Reset  Enabled
  Remote Reset          Enabled   (ControlFLASH update requires Remote Reset Enabled)
  Navigation: Network Configuration, Security Configuration, User Management, Certificate Management, Backup/Restore, Browse Chassis; Apply Changes

Table 2 describes the IKE and IPsec SA parameters that you can configure. The module profile dictates whether some parameters are configurable or not. There are also other parameters that you cannot configure; some of them are displayed (for example, the hash algorithm).

Table 2  IKE and IPsec SA Parameter Descriptions

Parameter      Description
General
SA Identifier  IPsec security association name
Profile        Prof
Chapter 3  Configure a Secure Connection to a Microsoft Windows Client

      C:\> route print

   c. In the Interface metric field, enter a value larger than the metric of the default gateway route in the routing table.

   [Screenshot: Advanced TCP/IP Settings, IP Settings tab. "Use default gateway on remote network": this checkbox only applies when you are connected to a local network and a dial-up network simultaneously; when checked, data that cannot be sent on the local network is forwarded to the dial-up network. Also shown: "Disable class based route addition", "Automatic metric", and the "Interface metric" field]

20. Click OK until you exit the configuration tabs.

Interface Metric

The interface metric specifies an integer cost metric (1...9999) for the route. This metric is used when choosing among multiple routes in the routing table that most closely match the destination address of a packet being forwarded.

- Use the ipconfig command to identify the IP address of the default gateway.
- Use the route print command to identify the metric of the default gateway.

If you do not want all network traffic to go through the VPN tunnel, set the metric of the route through the VPN connection to be larger than the metric of the route through the default gateway. In the example below, the default gateway metric is 10, so the interface metric must be 11 or greater.

[Screenshot: route print output showing the EN2TSC VPN interface]
are disabled in the module. Browsers must enable support for Transport Layer Security (TLS) 1.2.

The 1756-EN2TSC module lets only those devices with proper credentials access the module. This module is intended for use behind an existing firewall/DMZ that helps protect the plant network from outside access.

To minimize complexity, the module supports the following authentication and encryption methods:
- IPsec technology with as many as eight VPN tunnels, only one of which can be to a VPN appliance
- Mobile Client
- Pre-shared key authentication
- AES encryption (128-bit, 192-bit, and 256-bit)

Chapter 1  Secure Communication Architecture

Local Chassis Security

You can use the 1756-EN2TSC module with the following features to prevent unauthorized access to a controller in the local chassis:
- The trusted slot feature in the controller properties designates slots in the local chassis as trusted. When the trusted slot feature is enabled, the controller denies communication through paths that are not trusted. Anyone who wants to access the controller with programming software must therefore authenticate to the module first.

[Screenshot: Controller Properties, Security tab (alongside the Major Faults, Project, and Redundancy tabs): Security Authority "No Protection", "Use only the selected Security Authority for Authentication and Authorization", trusted slot checkboxes 1 through 8, "Communication restricted through c
configuration and overall status of the module
- Network Settings, for the Ethernet configuration parameters of the module
- Ethernet Statistics, for a summary of the status of communication activity on the Ethernet network

For information on these standard diagnostic web pages, see the EtherNet/IP Network Configuration User Manual, publication ENET-UM001.

Chapter 6  Diagnostics

Secure Tunnel Diagnostics

For specific diagnostics regarding secure connections, choose Diagnostics > Advanced Diagnostics > Secure Tunnel.

This Diagnostic Web Page          Displays
IKE Security Associations (SA)    Active IKE security associations
                                  [Screenshot: IKE Security Associations page showing, per SA, the initiator and responder cookies, when the SA was created (for example "created 7666 seconds ago as initiator"), peer address 10.208.50.56, local address 10.208.50.50, and bytes sent/received (1004 / 1124)]
IKE Statistics                    [Screenshot: IKE Statistics page, with a "Seconds Between Refresh (Disable Refresh with 0)" control]
IPsec Security Associations (SA)  [Screenshot: IPsec Security Associations page, listing the SPI, source, destination, and algorithms of each SA]
[Screenshot: Windows "Currently connected to" list showing Internet access and an unidentified network, Dial-up and VPN entries including EN2TSC_VPN_Connection and Rockwell SSL VPN Network Access, a Wireless Network Connection (Network123456, Connected), and "Open Network and Sharing Center"]

15. On the Options tab, do the following:
   a. Check Display progress while connecting.
   b. Check Prompt for name and password, certificate, etc.
   c. Clear Include Windows logon domain.
   d. Accept the defaults for PPP settings.

   [Screenshot: Options tab. Dialing options: Display progress while connecting; Prompt for name and password, certificate, etc.; Include Windows logon domain. Redialing options: Redial attempts; Time between redial attempts; Idle time before hanging up; Idle threshold; Redial if line is dropped. PPP Settings: Enable LCP extensions; Enable software compression; Negotiate multi-link for single-link connections]

Chapter 3  Configure a Secure Connection to a Microsoft Windows Client

16. On the Security tab, do the following:
   a. Choose Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec) as the type of VPN.
   b. Choose Optional encryption (connect ev
edit an existing user, click the Edit icon.

[Screenshot: User Administrator form]

From this form you can change the following:
- Password
- User can change own password
- Group membership
- Status (enabled or disabled)

Chapter 2  Get Started

Bad Login Attempts

The module logs bad login attempts and presents statistics on the main page. After 3 bad login attempts, the ability to log in is disabled for 5 minutes.

Generate HTTPS Certificate

You can generate a new HTTPS certificate if needed. Generating a new HTTPS certificate is optional, as the module automatically generates a certificate when it is turned on for the first time after a factory reset.
- The certificate that is generated at first powerup of the module is not bound to any specific IP address. This can cause the browser to report a certificate error, and you can decide whether to generate a new certificate.
- If you generate a new certificate and then later change the IP address of the module, the current certificate becomes invalid. Generate a new certificate that uses the new IP address; otherwise the browser reports a certificate error.

A newly generated certificate has the advantage that it uses the current IP address of the module. This can limit web browser certificate warnings, even though the browser can still report an erro
predetermined on the L2TP Configuration tab, for all communication to the module, including RSLinx and Studio 5000 connections. The original (physical) IP address of the module is not inside the VPN tunnel and cannot be used.

In the driver configuration, enter the L2TP server IP address (the virtual IP address of the 1756-EN2TSC module) in the Station Mapping dialog box.

[Screenshot: Configure driver AB_ETH-2, Station Mapping: Station 0, Host Name 192.168.1.1; Station 63; Add New / Delete / Cancel / Apply / Help]

Chapter 3  Configure a Secure Connection to a Microsoft Windows Client

If you connect to the 1756-EN2TSC module without knowing the L2TP server IP address, you can find it after the connection is established:

1. Click the network icon at the bottom right of the Windows taskbar.
2. Choose Status.
3. Click the Details tab.

[Screenshot: "Currently connected to" list showing EN2TSC_2 (No network access) and EN2TSC_ASAWIN under Dial-up and VPN, with the Disconnect, Status, and Properties actions and "Open Network and Sharing Center"]

RSLinx software uses the L2TP server IP address to communicate with the 1756-EN2TSC module inside the secure tunnel.

[Screenshot: Network Connection Details listing Device Type, Authentication, Encryption, Compression, PPP multilink framing, Client IPv4 address, Server IPv4 address, NAP State, Network Adapter Used, Orig
   [Screenshot: IPsec Configuration list with the 10.10.10.8 VPN Appliance entry enabled]

TIP  Do not use the IKE v1 configuration for the Stratix 5900 appliance. The IKE v1 connection can be unreliable. Use the IKE v2 connection instead.

Edit the Security Association

If you want to edit the settings for the association you created, click the Edit button next to the association in the list.

[Screenshot: Edit IPsec SA form]
  General
    SA Identifier:            EN2TSC_VPN
    Profile:                  VPN Appliance
    Negotiation mode:         Active
    Exchange version:         IKE v2
  Phase 1
    Authentication method:    PSK
    Local device identifier:  IP
    Remote device identifier: IP, 10.10.10.8
    Remote Device IP address: 10.10.10.8
    Remote Network IP:        0.0.0.0
    Remote Network Netmask:   0.0.0.0
    IKE encryption algorithm: AES 256
    DH MODP group:            At least 2 (1024 bit)
    New Pre-Shared Key / Confirm new Pre-Shared Key
    Key life time limit:      24 hours
  Phase 2
    Encryption algorithm:     AES 256
    Protocol:                 ESP
    Hash algorithm:           SHA1
    PFS key group:            None
    Key life time limit:      8 hours
    Key life data limit:      4608000 Kilobytes (0 to disable)

Set the key life time (10 min...8 hr) and key life data (1000...10000000 KB) values to the same values as on the VPN appliance. If these values differ, there can be issues with rekeying even though the initial connection is successful.

Chapter 5  Configure a Secure Connection to a VPN Applianc
web server by virtue of its certificate. The module uses a self-signed certificate, because its IP address is not known at manufacture time and the certificate therefore cannot be signed by a certificate authority (CA). Self-signed certificates are not signed by a known trusted authority, so you, the user, must explicitly accept them when connecting via the web browser.

Initial Powerup

On initial powerup, the module generates a new certificate for the embedded HTTPS server. The certificate generation process can take up to a minute. During this process, the message "SSL certificate generation in progress" is shown on the module display. Wait until the module is fully booted and OK is shown on the display before accessing the module with a web browser.

1. In the Address field of your web browser, enter the IP address that is displayed on the front of the module.

   IMPORTANT  When you enter the IP address, you must enter the https:// prefix in the address. If you enter an http:// prefix, the module redirects to https://.

   After the web browser connects to the server, a warning message is shown about the certificate not being signed by a trusted authority.

Chapter 2  Get Started

2. Accept this message and continue to the web page.

   IMPORTANT  In general, do not accept a certificate that is not signed by a trusted authority. But in the c
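Before accepting the browser warning, a practitioner wants to know which certificate is being accepted. The following is an added example for this page, not code from the manual or from Rockwell: it opens a TLS 1.2 session to the module from PowerShell, reads the certificate the embedded HTTPS server presents, and refuses to continue unless its thumbprint matches a value recorded out of band (for example on the first connection made from a bench network). The module address 10.10.10.1 and the thumbprint in the usage lines are placeholders; the check that the subject names the module IP assumes a regenerated certificate carries that address in its subject, which the manual implies but does not state.

```powershell
# Added example (not from the Rockwell manual): capture and pin the 1756-EN2TSC HTTPS certificate.
# Assumptions: module reachable at $ModuleIp on port 443; TLS 1.2 is what the module accepts.
function Get-ModuleHttpsCertificate {
    param(
        [Parameter(Mandatory)] [string] $ModuleIp,
        [int] $Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($ModuleIp, $Port)
    try {
        # Accept whatever is presented here: the goal is to capture the certificate, not to trust it yet.
        $captureOnly = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $captureOnly)
        $ssl.AuthenticateAsClient($ModuleIp, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)   # expected for this module
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
            Thumbprint    = $cert.Thumbprint                   # SHA-1, uppercase hex, no separators
            Protocol      = $ssl.SslProtocol
            # Assumption: a certificate regenerated after an IP change names that IP in its subject
            NamesModuleIp = ($cert.Subject -like "*$ModuleIp*")
        }
    }
    finally {
        $client.Dispose()
    }
}

# Compare against a thumbprint recorded out of band; throw rather than silently continuing.
function Test-ModuleCertificatePin {
    param(
        [Parameter(Mandatory)] [string] $ModuleIp,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    $expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
    $info = Get-ModuleHttpsCertificate -ModuleIp $ModuleIp
    if ($info.Thumbprint -ne $expected) {
        throw "Certificate for $ModuleIp has thumbprint $($info.Thumbprint); expected $expected. Do not accept the browser warning."
    }
    if ($info.NotAfter -lt (Get-Date)) {
        throw "Certificate for $ModuleIp expired on $($info.NotAfter); regenerate it on the module."
    }
    $info
}

# Usage (address and thumbprint are placeholders):
#   Get-ModuleHttpsCertificate -ModuleIp 10.10.10.1 | Format-List
#   Test-ModuleCertificatePin -ModuleIp 10.10.10.1 -ExpectedThumbprint 'AB12CD34...'
```

Record the thumbprint again whenever you regenerate the certificate (including after an IP address change, as described above), since the module issues a new key pair and the pinned value stops matching.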
[Screenshot: IPsec Security Associations page listing, per SA, the SPI, source and destination addresses (for example src 10.208.50.50, dst 10.208.50.52), the AH/ESP algorithms, and a count of 12 SAs, with a "Seconds Between Refresh (Disable Refresh with 0)" control]

IPsec Output Flows                [Screenshot: IPsec Output Flows page listing flows by SPI, source, and destination between 10.208.50.50 and its peers 10.208.50.51 through 10.208.50.55]

Chapter 6  Diagnostics

Status Indicators

The 1756-EN2TSC module uses the same status indicators as the 1756-EN2T module:
- Module Status Display
- Link Status Indicator (LINK)
- Network Status Indicator (NET)
- OK Status Indicator (OK)

[Figure: front of the module showing the Module Status Display and the LINK, NET, and OK status indicators]

Link (LINK) Status Indicator

Status  Description
Off     One of these conditions exists:
        - The module is not powered. Verify that there is chassis power. Verify that the module is completely inserted into the chassis and backplane.
        - No link exists on the port.
Traffic Filtering  15

Many control systems currently use 1756-EN2T and 1756-ENBT modules to connect ControlLogix systems to plant-level systems. A 1756-EN2TSC module offers the same connectivity plus additional security options that help protect access to resources on the local backplane from the plant network. Use the 1756-EN2TSC module to establish secure tunnels with peer modules, Windows 7 clients, and VPN appliances.

Chapter 1  Secure Communication Architecture

Figure 1  1756-EN2TSC Module Establishes Secure Tunnels with Peer Modules, Windows 7 Clients, and VPN Appliances

[Figure: Enterprise Zone (Levels 4 and 5); Demilitarized Zone (DMZ), with a secure tunnel between the 1756-EN2TSC module and a VPN appliance; Manufacturing Zone, Site Manufacturing Operations and Control (Level 3), with a secure tunnel between the 1756-EN2TSC module and a Windows 7 client; Levels 0-2, with a peer-to-peer secure tunnel between 1756-EN2TSC modules in ControlLogix chassis]

IMPORTANT  HMIs are not supported by the 1756-EN2TSC/B, because HMIs do not support IPsec.

The 1756-EN2TSC module provides a level of protection against unauthorized network access, either malicious or accidental, to a ControlLogix controller via an EtherNet/IP connection. The 1756-EN2TSC module uses the Internet Protocol Security (IPsec) protocol suite to pr
Tel: (1) 414 382 2000, Fax: (1) 414 382 4444
Europe/Middle East/Africa: Rockwell Automation NV, Pegasus Park, De Kleetlaan 12a, 1831 Diegem, Belgium, Tel: (32) 2 663 0600, Fax: (32) 2 663 0640
Asia Pacific: Rockwell Automation, Level 14, Core F, Cyberport 3, 100 Cyberport Road, Hong Kong, Tel: (852) 2887 4788, Fax: (852) 2508 1846

Publication ENET-UM003C-EN-P - November 2015
Supersedes Publication ENET-UM003B-EN-P - September 2013
Copyright 2015 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.
8.1.100.

The client uses IP address 10.10.10.2 to establish a connection with the 1756-EN2TSC module at IP address 10.10.10.1. The L2TP server on the 1756-EN2TSC module, at IP address 192.168.1.1, establishes a secure connection with the L2TP client at an IP address from the pool 192.168.1.2 through 192.168.1.100.

Once the pool of addresses is configured, that pool is reserved for that specific 1756-EN2TSC module. If you have a second 1756-EN2TSC module in the same controller chassis, you must use a separate subnet, such as 192.168.2.1, even though the pool of the first module is not completely used. This is only true if you want to connect from one Windows client to two or more 1756-EN2TSC modules at the same time. If only one module is connected to a given client at a given time, there is no need for different subnets.

The Microsoft IPsec client uses the classful network addressing architecture:
- The traffic from a Windows client is directed to a specific VPN based on the class of the IP address set in the L2TP configuration.
- Class C addresses: 192.0.0.0...223.255.255.255.
- The range 192.168.0.0...192.168.255.255 is a set of private addresses in this class. Because by default a class C network uses the netmask 255.255.255.0, there are 256 non-overlapping subnets in this range.

Using an IP address from the class C private range to set up a Windows client L2TP connection helps ensure that the VPN connection is less likely to mask any e
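The subnet rules above (server address and client pool inside one class C private /24, and a different /24 for every module that a single client must reach at the same time) are easy to violate once several modules share a chassis. The following added example, written for this page and not taken from the manual or from Rockwell, checks a planned L2TP addressing table against those rules before the values are typed into each module's L2TP Configuration tab. The module names and addresses in it are constructed sample data.

```powershell
# Added example (not from the Rockwell manual): validate the L2TP server/pool plan for a set of
# 1756-EN2TSC modules against the classful routing the Windows client relies on.
function ConvertTo-UInt32Address {
    param([Parameter(Mandatory)] [string] $Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                     # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-L2tpPoolPlan {
    # Each entry: Name, ServerIp, PoolStart, PoolEnd (the four values on the L2TP Configuration tab)
    param([Parameter(Mandatory)] [object[]] $Modules)
    $problems = [System.Collections.Generic.List[string]]::new()
    $seen = @{}                                  # /24 network -> module that already uses it
    $private = ConvertTo-UInt32Address '192.168.0.0'
    foreach ($m in $Modules) {
        $server = ConvertTo-UInt32Address $m.ServerIp
        $start  = ConvertTo-UInt32Address $m.PoolStart
        $end    = ConvertTo-UInt32Address $m.PoolEnd
        $net    = $server -band 0xFFFFFF00       # the class C /24 the client will route into the tunnel

        # Private class C range 192.168.0.0/16, as the manual recommends
        if (($server -band 0xFFFF0000) -ne $private) {
            $problems.Add("$($m.Name): server $($m.ServerIp) is outside 192.168.0.0/16")
        }
        if ($start -gt $end) {
            $problems.Add("$($m.Name): pool start $($m.PoolStart) is after pool end $($m.PoolEnd)")
        }
        # Windows adds a class-based route for the assigned address, so server and pool must share the /24
        if (($start -band 0xFFFFFF00) -ne $net -or ($end -band 0xFFFFFF00) -ne $net) {
            $problems.Add("$($m.Name): pool $($m.PoolStart)-$($m.PoolEnd) leaves the server's /24")
        }
        if ($server -ge $start -and $server -le $end) {
            $problems.Add("$($m.Name): server address $($m.ServerIp) lies inside the client pool")
        }
        # A client that must reach two modules at once needs a distinct /24 per module
        if ($seen.ContainsKey($net)) {
            $problems.Add("$($m.Name): shares the /24 of $($seen[$net]); one client cannot reach both at the same time")
        } else {
            $seen[$net] = $m.Name
        }
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Constructed sample: two modules in one chassis; the second module reuses the first one's subnet.
$plan = @(
    [pscustomobject]@{ Name = 'EN2TSC_slot2'; ServerIp = '192.168.1.1'; PoolStart = '192.168.1.2';   PoolEnd = '192.168.1.100' },
    [pscustomobject]@{ Name = 'EN2TSC_slot3'; ServerIp = '192.168.1.1'; PoolStart = '192.168.1.101'; PoolEnd = '192.168.1.200' }
)
$result = Test-L2tpPoolPlan -Modules $plan
$result.Problems | ForEach-Object { Write-Host $_ }
```

For the constructed sample the first module passes and the second is reported once, for sharing 192.168.1.0/24 with EN2TSC_slot2; moving it to 192.168.2.1 with a pool inside 192.168.2.0/24 clears the report, which is the arrangement the text above prescribes.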
   [Screenshot: IPsec Configuration list with entries for 10.208.50.53, 10.208.50.54, 10.208.50.55, and 10.10.10.2]

6. Verify that IPsec connections are enabled.

Chapter 3  Configure a Secure Connection to a Microsoft Windows Client

Configure Mobile Client

A mobile client does not have a predetermined IP address that is explicitly configured in the module. For example, a personal computer that is configured for DHCP connects to the module. If the IP address of the personal computer changes, no configuration changes are required on the module. If the Windows client is a mobile client, make the following configurations on the module.

Because a mobile client is identified only by the pre-shared key and not by its address, the key entered on this page is shared by every mobile client. Treat it as a group secret: use a long random value, and change it whenever a client computer is retired or lost.

Follow these steps to configure a mobile client:

1. Choose Administrative Settings > Secure Tunnel Configuration > Mobile Clients.

2. Make the following configuration selections:
   a. Check Enable Mobile Clients.
   b. Enter the pre-shared key and confirm the pre-shared key.
   c. Choose an encryption algorithm.

   [Screenshot: Mobile Clients page]
     Enable Mobile Clients
     Windows, Passive, IKE v1, Main mode
     Authentication method:    PSK
     IKE encryption algorithm: AES 256
     DH MODP group:            At least 2 (1024 bit)
     New Pre-Shared Key / Confirm new Pre-Shared Key
     Key life time limit:      (hours)
     Encryption algorithm:     AES 128
     Protocol:                 ESP
  DN (fully qualified domain name)
- User FQDN, in the form user@domain

Remote device IP address  IP address of the other side of the IKE/IPsec connection.
Remote network IP         Base address of the subnet reachable through the VPN appliance tunnel. Only for VPN Appliance.
Remote network netmask    Netmask of the subnet reachable through the VPN appliance tunnel. Only for VPN Appliance.
Encryption algorithm      Encryption algorithm for the IKE exchange:
                          - AES-256 for Windows and Mobile client
                          - AES-128, 192, or 256 otherwise (user selectable)
Pre-shared key            PSK text. Must match the other side's PSK.
DH groups                 MODP groups 2, 5, and 14 are supported. A higher-numbered group offers increased security but requires more time and resources to establish the connection.
                          - At least 2: accepts 2, 5, and 14; initiates the connection with 2
                          - At least 5: accepts 5 and 14; initiates the connection with 5
                          - At least 14: accepts only 14; initiates with 14
                          Note that "At least 2" makes the module propose the 1024-bit group whenever it initiates. Where the peer supports it, select At least 14 so that the 2048-bit group is always used.
Key life time limit       After this time, Phase 1 (IKE) keys are renegotiated. 8 hours by default for Windows and Mobile Client; 24 hours by default otherwise; 10 minutes minimum. We recommend that you use the default values.

Phase 2 (IPsec negotiation)
Encryption algorithm      Encryption algorithm for data inside the IPsec tunnel. NULL or AES-128 for Windows and Mobile client; NULL, AES-128, 192, or 256 otherwise (user selectable). NULL provides integrity protection only and leaves the CIP traffic readable on the wire; choose it only where confidentiality is not required.
Key life time limit       After this time, Phase 2 (IPsec) keys are renegotiated. 8 hours by default for VP
26. [Security Association web page, as shown in the screen capture: ...DP group: At least 2 (1024 bit); New Pre-Shared Key; Confirm new Pre-Shared Key; Key life time limit: 24 hours; Encryption algorithm: AES 256; Protocol: ESP; Hash algorithm: SHA1; PFS key group: None; Key life time limit: 1 hour; Key life data limit (0 to disable): 100000 Kilobytes.]

Chapter 5: Configure a Secure Connection to a VPN Appliance

Topic / Page
- Configure the Module to Connect to a VPN Appliance: 59
- Edit the Security Association: 60

In this scenario, a VPN appliance, such as a firewall, establishes the IPsec association with the 1756-EN2TSC module. Client workstations or other modules then establish IPsec associations with the VPN appliance. The VPN appliance then routes packets between the IPsec associations. The IPsec association between the VPN appliance and the module services multiple remote (from the point of view of the module) devices and networks. You configure the module to know which remote networks are routed via the VPN appliance.

This configuration lets you consolidate multiple VPN clients through one location, the VPN appliance. This consolidation limits the need for multiple secure tunnels to each
27. The pre-shared key must be the same as defined for the mobile client as part of configuring the 1756-EN2TSC module (page 35).

[Advanced Properties dialog, as shown in the screen capture: L2TP; Use preshared key for authentication, Key: rockwell; Use certificate for authentication; Verify the Name and Usage attributes of the server's certificate.]

18. On the Networking tab, check Internet Protocol Version 4 (TCP/IPv4).

[Networking tab, as shown in the screen capture: This connection uses the following items: Internet Protocol Version 6 (TCP/IPv6); Internet Protocol Version 4 (TCP/IPv4); File and Printer Sharing for Microsoft Networks; Client for Microsoft Networks. Description: Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks.]

19. On the Networking tab, click Properties and then click Advanced. By default, all traffic is forwarded through the established VPN tunnel. To have both the VPN tunnel to the 1756-EN2TSC module and preserve access to the local network (such as the Internet or a corporate mail server), do the following:
   a. Clear the Use default gateway on remote network checkbox.
   b. Clear the Automatic metric checkbox.

Configure
28. [Security Association web page, continued: Hash algorithm: SHA1; PFS key group; Key life time limit; Key life data limit (0 to disable); Apply Changes.]

3. Click Apply Changes.

Configure an L2TP Connection

Follow these steps to configure an L2TP connection.

1. Choose Administrative Settings > Secure Tunnel Configuration > L2TP Users.
2. For each user, define a user ID and password. Each L2TP user must authenticate when establishing a tunnel to the module. Configure a user name and password for each L2TP user. Remember the user names and passwords: you enter the same values when you configure the connection from a Windows client (see page 40).
3. Click Add.
4. Choose Administrative Settings > Secure Tunnel Configuration > L2TP Configuration. Make sure that L2TP is enabled.

[L2TP Configuration web page, as shown in the screen capture: IPsec Configuration; Mobile Client; L2TP Configuration; Enable L2TP.]
29. ...N appliance; 1 hour by default otherwise; 10 minutes minimum. We recommend that you use the default values.

Key life data limit: When this amount of data has been transferred inside the IPsec tunnel, Phase 2 (IPsec) keys are renegotiated. Disabled (0) by default for Windows and Mobile Client; 100000 KiB by default for peer-to-peer and Generic Client; 4608000 KiB by default for VPN appliance. We recommend that you use the default values.

Chapter 2: Get Started

Topic / Page
- Initial Powerup: 20
- Configuration Overview: 22
- Assign Network Settings: 23
- Create User Accounts: 25
- Generate HTTPS Certificate: 26
- Backup/Restore: 28

This chapter describes the initial configuration settings that are required for the module. After installing the module, see the next chapters for security configuration examples. For information on how to install the module, see EtherNet/IP Network Modules Installation Instructions, publication ENET-IN002.

Add the module to a controller project the same as you add a 1756-EN2T module. All security-related configuration is via the module web pages.

IMPORTANT: When you finish using the web pages, make sure to use the logout link in the upper right corner of the web page. Clo
30. ...TP 23; browsers 11
C: certificate, generate 26; powerup 20; configure: client via RSLinx driver 49, interface metric 46, Microsoft Windows client 40, mobile client 35, module to module 53, 54, network settings 23, overview 22, powerup 20, security association 55, 60, user account 25, VPN appliance 59, web pages 20; connection: client 37, L2TP 32, 38, Microsoft Windows client 40, mobile 37; credentials 22; default 22
D: default credentials 22; diagnostics: secure tunnel 64, status indicators 65, web pages 63
F: features 11
G: generate certificate 26
H: HTTPS certificate, generate 26
I: interface metric 46; Internet Protocol Security, see IPsec 13; IPsec: capability 13, modes 14
L: L2TP RSLinx driver 49; local chassis security 12; login attempts 26
M: Microsoft Windows client to module scenario 31; mobile client scenario 35; module: backup 28, browsers 11, certificate 26, default credentials 22, diagnostics 63, features 11, performance 15, restore 28, status indicators 65, traffic filtering 15; module to module scenario 51
N: network settings 23
P: password, change 25; performance 15; powerup 20
R: restore 28; rotary switches 23; RSLinx driver 49
S: scenario: Microsoft Windows client to module 31, module to module 51, VPN appliance to module 57; secure communication: architecture 9, scenarios 31, 51, 57; secure tunnel d
31. This interval is common to all IPsec connections and is not configurable. The default keepalive timeout is 30 seconds.

Chapter 1: Secure Communication Architecture

Performance

The communication capability of the module is the same as the 1756-EN2T module. The 1756-EN2TSC supports the following:
- The same number of TCP and CIP connections as the 1756-EN2T module: 256 CIP connections and 128 TCP/IP connections.
- The configuration of IPsec associations with as many as eight IP addresses (devices), only one of which can be a VPN appliance connection.
- Mobile clients.
- CIP Sync communication.

Traffic Filtering

When IPsec is enabled, the module blocks traffic that is not received via a VPN client, another peer with an IPsec connection, or an appliance with an IPsec connection, with these exceptions:
- BOOTP/DHCP traffic, to let the module obtain an IP address.
- HTTPS traffic, to configure the module.
- CIP Sync packets (disable the CIP Sync option).
- Logix produced/consumed tags (the establishment of the produced/consumed connection occurs via IPsec).
- 1756 I/O connections in a remote chassis.

If the 1756-EN2TSC module is the trusted slot for a ControlLogix chassis, the following traffic to the controller must go through the 1756-EN2TSC module:
- RSLinx Classic traffic, such as Studio 5000 and ControlFLASH communication.
- RSLinx Enterprise traffic, such as FactoryTalk
32. User Manual. Allen-Bradley EtherNet/IP Secure Communication. Catalog Number 1756-EN2TSC. Allen-Bradley, Rockwell Software, Rockwell Automation.

Important User Information

Read this document and the documents listed in the additional resources section about installation, configuration and operation of this equipment before you install, configure, operate or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly and maintenance are required to be carried out by suitably trained personnel in accordance with the applicable code of practice.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equ
33. View or RSLinx software. To configure this secure connection, do the following:

1. Configure the 1756-EN2TSC module to support a connection to a mobile client.
2. Configure a connection to the Microsoft Windows client.
3. Open the connection.

L2TP Connections

The 1756-EN2TSC module uses Layer 2 Tunneling Protocol (L2TP) connections for Windows clients. Communication occurs within an L2TP tunnel after the VPN is already running. The server IP address is used to communicate with the module. The client IP address is assigned from the client address pool. All communication that software products generate (such as RSLinx software) to an L2TP server address of a 1756-EN2TSC module is sent via an IPsec connection. This diagram shows how the physical and L2TP IP addresses differ.

Figure 3: Differences Between L2TP IP Address and IP Address of a Physical Interface

[Figure: Personal Computer (L2TP Client) connected to 1756-EN2TSC Module (L2TP Server). L2TP Client 192.168.1.2; L2TP Server 192.168.1.1; PC 10.10.10.2; 1756-EN2TSC 10.10.10.1.]
- Client physical IP address: 10.10.10.2
- 1756-EN2TSC module physical IP address: 10.10.10.1
- L2TP server virtual IP address: 192.168.1.1
- L2TP client pool of virtual IP addresses: starts 192.168.1.2 and ends 192.16
34. ...ase of initial powerup, the module has a self-signed certificate, so continue to the website even though the message says that this option is not recommended. The self-signed certificate warning continues to display unless you add the certificate to the list of exceptions for the web browser.

[Browser certificate warning, as shown in the screen capture: "There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website. Continue to this website (not recommended). More information."]

3. After accepting the self-signed certificate, enter the user ID and password.

Chapter 2: Get Started

Default Credentials

Default credentials are case sensitive and are as follows:
- User name: Administrator
- Password: admin

You are prompted to change the password on the Administrator account. Enter the new password and click Change.
35. ...automation.com/rockwellautomation/support/overview.page, or contact your local Rockwell Automation representative.

New Product Satisfaction Return

Rockwell Automation tests all of its products to help ensure that they are fully operational when shipped from the manufacturing facility. However, if your product is not functioning and needs to be returned, follow these procedures.

United States: Contact your distributor. You must provide a Customer Support case number (call the phone number above to obtain one) to your distributor to complete the return process.

Outside United States: Please contact your local Rockwell Automation representative for the return procedure.

Documentation Feedback

Your comments will help us serve your documentation needs better. If you have any suggestions on how to improve this document, complete this form, publication RA-DU002, available at http://www.rockwellautomation.com/literature.

Rockwell Automation maintains current product environmental information on its website at http://www.rockwellautomation.com/rockwellautomation/about-us/sustainability-ethics/product-environmental-compliance.page.

Rockwell Otomasyon Ticaret A.Ş., Kar Plaza İş Merkezi E Blok Kat:6 34752 İçerenköy, İstanbul, Tel: +90 (216) 5698400. www.rockwellautomation.com

Power, Control and Information Solutions Headquarters. Americas: Rockwell Automation, 1201 South Second Street, Milwaukee, WI 53204-2496 USA, Tel: (1)
36. ...cation area, select the network icon.
2. Right-click the EN2TSC VPN Connection and click Connect.
3. Log on with your 1756-EN2TSC user name and password.

[Connect dialog, as shown in the screen capture: Connect EN2TSC_VPN_Connection; User name: user; Password; Save this user name and password for the following users: Me only / Anyone who uses this computer; Connect, Cancel, Properties, Help.]

It can take 30 seconds or more to connect.

TIP: If you want to delete a VPN connection on the Windows client (for example, it does not work and you want to create a new connection):
1. Choose Control Panel > Network and Sharing Center > Change Adapter Settings.
2. Right-click the connection and choose Delete.

Communicate to the Module Via an RSLinx Driver

If you communicate to the module through an RSLinx driver, you must use an L2TP connection and the Ethernet devices driver. Once the secure tunnel exists to the 1756-EN2TSC module, RSLinx software uses the L2TP server IP addresses to communicate with the controller through the 1756-EN2TSC module.

IMPORTANT: The Microsoft Windows client must use the module IP address specified
37. ...e Communicate to the Module Via an RSLinx Driver

Chapter 4: Configure Secure Communication Between Two 1756-EN2TSC Modules
- Configure the First (Local) Module
- Configure the Second (Remote) Module
- Test the Connection
- Edit the Security Association

Chapter 5: Configure a Secure Connection to a VPN Appliance
- Configure the Module to Connect to a VPN Appliance
- Edit the Security Association

Chapter 6: Diagnostics
- Diagnostic Web Pages: 63
- Secure Tunnel Diagnostics Web Page: 64
- Status Indicators: 65
  - Link (LINK) Status Indicator: 65
  - Network (NET) Status Indicator: 66
  - OK Status Indicator: 66

Index

Preface

The 1756-EN2TSC is a security-enhanced version of the 1756-EN2T EtherNet/IP communication module. This module is designed for applications that limit network access to a control system from within the plant network. This module is not intended to connect any devices in the local 1756 backplane to devices outside of
38. You must specify a value for key life time. If key life data is not used, set the value to 0.

You can specify a subnetwork accessible via the VPN appliance by specifying addresses for Remote Network IP and Remote Network Netmask. Default values of all zeroes direct all VPN network traffic to the VPN appliance. However, other security associations, such as peer-to-peer connections, still work, because narrower address ranges take precedence over the wider range that is specified for the VPN appliance.

For more information about the parameters that you can configure in the Local IPsec Security Association, see Security Configuration on page 16.

IMPORTANT: You must disable the TCP Sequence Randomization feature in the Cisco ASA. The 1756-EN2TSC/B module uses its own TCP sequence randomization, so there is no need to enable an additional one in the Cisco ASA. If this setting is enabled in the ASA, the VPN connection to the Cisco ASA is unreliable.

Chapter 6: Diagnostics

Topic / Page
- Diagnostic Web Pages: 63
- Secure Tunnel Diagnostics Web Page: 64
- Status Indicators: 65

Diagnostic Web Pages

The 1756-EN2TSC module supports the same diagnostic web pages as the 1756-EN2T modules, including these pages:
- Diagnostic Overview, for a summary of the
39. ...e a Secure Connection to a Microsoft Windows Client; Configure Secure Communication

Chapter 1: Secure Communication Architecture (continued)
- Local Chassis Security
- Network Access Security
- Performance
- Traffic Filtering
- Security Configuration

Chapter 2: Get Started
- Initial Powerup
- Default Credentials
- Configuration Overview
- Assign Network Settings
  - Change Network Settings Via the Module Web Page
- Create User Accounts
  - Bad Login Attempts
- Generate HTTPS Certificate
- Backup/Restore

Chapter 3: Configure a Secure Connection to a Microsoft Windows Client
- L2TP Connections
- Create Windows Client Connection By Using a Windows Profile
- Configure Mobile Client
- Configure an L2TP Connection
- Configure a Connection from a Microsoft Windows Client
  - Interface Metric
- Open the VPN Connection to the 1756-EN2TSC Modul
40. ...en if no encryption) as the type of data encryption.

IMPORTANT: Depending on how the modules are configured, encryption can be enabled according to these options:
- If the Windows/Mobile Client SA was configured to use AES128, Optional Encryption and Require encryption work. In this case, IPsec encryption secures the communication.
- If the Windows/Mobile Client SA was configured to use NONE encryption in IPsec, Optional Encryption and No encryption allowed work. In this case, there is no encryption.
- The option Maximum strength encryption does not work.

c. Click Allow these protocols.
d. Check Unencrypted password (PAP). Check Challenge Handshake Authentication Protocol (CHAP). Clear the Microsoft CHAP version 2 (MS-CHAP v2) checkbox.

[EN2TSC VPN Connection Properties, Security tab, as shown in the screen capture: Type of VPN: Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec); Advanced settings; Data encryption: Optional encryption (connect even if no encryption); Authentication: Use Extensible Authentication Protocol (EAP) / Allow these protocols: Unencrypted password (PAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP Version 2 (MS-CHAP v2), Automatically use my Windows logon name and password (and domain, if any).]

17. On the Security tab, click Advanced Settings and enter the pre-shared key.
41. ...he display scrolls: OK <IP_address_of_this_module> Duplicate IP <Mac_address_of_duplicate_node_detected>. For example: OK 10.88.60.196 Duplicate IP 00:00:BC:02:34:B4. Change the IP address of the module.

Flashing green / flashing red: The module is performing its power-up testing.

OK Status Indicator

Status / Description
- Off: The module is not powered. Verify that there is chassis power. Verify that the module is completely inserted into the chassis and backplane. Make sure that the module has been configured.
- Flashing green: The module is not configured. The Module Status display scrolls: BOOTP or DHCP <Mac_address_of_module>. For example: BOOTP 00:0b:db:14:55:35. Configure the module.
- Green: The module is operating correctly. The IP address of the module scrolls across the Module Status display.
- Flashing red: The module detected a recoverable minor fault. Check the module configuration. If necessary, reconfigure the module.
- Red: The module detected an unrecoverable major fault. Cycle power to the module. If the power cycle does not clear the fault, replace the module.
- Flashing red / flashing green: The module is performing its power-up testing.

Index

A: additional resources 7, 19; architecture: Microsoft Windows client to module 31, module to module 51, secure communication 9, VPN appliance to module 57
B: backup 28; BOO
42. ...iagnostics 64; security association 55, 60; self-signed 20; serial number lock 12; status indicators 65
T: test connection 55; traffic filtering 15; trusted slot 12
U: user account 25
V: VPN appliance to module scenario 57
W: web pages: diagnostics 63, network settings 23

Rockwell Automation Support

Rockwell Automation provides technical information on the Web to assist you in using its products. At http://www.rockwellautomation.com/support you can find technical and application notes, sample code, and links to software service packs. You can also visit our Support Center at https://rockwellautomation.custhelp.com/ for software updates, support chats and forums, technical information, FAQs, and to sign up for product notification updates.

In addition, we offer multiple support programs for installation, configuration, and troubleshooting. For more information, contact your local distributor or Rockwell Automation representative, or visit http://www.rockwellautomation.com/services/online-phone.

Installation Assistance

If you experience a problem within the first 24 hours of installation, review the information that is contained in this manual. You can contact Customer Support for initial help in getting your product up and running.

United States or Canada: 1.440.646.3434
Outside United States or Canada: Use the Worldwide Locator at http://www.rockwell
43. ...iles have values that are preconfigured for a specific type of connection. The generic client profile offers full customization.
- Peer-to-peer (two 1756-EN2TSC modules)
- Windows Client
- VPN Appliance (CISCO ASA 5500 series, Stratix 5900)

Negotiation mode: If active, the module tries to initiate the connection. If passive, the module waits for the other side to initiate the connection.
- Passive for Windows and Mobile client.
- Active for peer-to-peer and VPN Appliance.
- Active or passive for Generic Client (user selectable).

Exchange version: Phase 1 (IKE) exchange version. We recommend IKEv2.
- IKEv1 Main mode for Windows and Mobile client.
- IKEv2 for peer-to-peer.
- IKEv1 Main mode, IKEv1 Aggressive mode, or IKEv2 for Generic Client and VPN Appliance (user selectable). IKEv1 Aggressive mode is faster but less secure than Main mode.

Phase 1 (IKE) negotiation

Local device identifier: Identifier of this device. It must match the other side's remote identifier. Except Windows and Mobile client.
- IP address
- FQDN (fully qualified domain name)
- User FQDN in the form user@domain

Table 2: IKE and IPsec SA Parameter Descriptions (continued)

Parameter / Description

Remote device identifier: Identifier of the remote device. It must match the other side's local identifier. Except Windows and Mobile client.
- IP address
- FQ
44. [Windows connection status details, as shown in the screen capture (property / value): ...in address; Destination address; WAN Miniport (L2TP); vpn; CHAP; IPsec: AES 128; (none); Off; 192.168.1.2; 192.168.1.1; Not NAP-capable; 10.192.15.60; 10.192.15.71.]

Chapter 4: Configure Secure Communication Between Two 1756-EN2TSC Modules

Topic / Page
- Configure the First (Local) Module: 53
- Configure the Second (Remote) Module: 54
- Test the Connection: 55
- Edit the Security Association: 55

In this scenario, an IPsec association is established between two 1756-EN2TSC modules (peer-to-peer). In this case, a VPN tunnel services the remote and local IP networks. There is one IP address at either end of the IPsec association.

To create a security association with another module, each module must be configured with the pre-shared key of the other module.

[Figure: Enterprise Zone (Levels 4 and 5); Demilitarized Zone (DMZ); Manufacturing Zone (Site Manufacturing Operations and Control, Level 3); EtherNet/IP; Level 0-2: Remote ControlLogix Chassis with 1756-EN2TSC Module and Local ControlLogix Chassis with 1756-EN2TSC Module.]

IMPORTANT: This peer-to-peer configuration does not maintain the security features of the module if you use produced/con
45. ...ints must authenticate with each other and exchange information to help ensure secure data transfer.

IPsec Association

Once the IPsec association is established, data between the two endpoints is fully encrypted (except for produced/consumed tags), or optionally sent unencrypted but with a cryptographic message integrity code.

Table 1: IPsec Capability Descriptions

Capability / Description
- Authentication Method: Pre-shared key (PSK). Configure a secret key on each of the endpoints.
- Header Format: Encapsulating Security Payload (ESP).
- Encapsulation Mode: Tunnel mode (default); Transport mode (used with Microsoft Windows 7 client).
- Internet Key Exchange: IKE version 1; IKE version 2.
- Negotiation Mode: Passive; Active.
- Lifetime(s): IKE and IPsec lifetimes, user configurable.
- PFS Group: None.
- DH Key Group: MODP groups 2 (1024 bit, default), 5 (1536 bit), 14 (2048 bit).
- IKE Encryption Algorithm: AES 128 bit; AES 192 bit; AES 256 bit.
- IKE Authentication Algorithm: SHA-1.
- IPsec Encryption Algorithm: AES 128 bit; AES 192 bit; AES 256 bit; None.
- IPsec Authentication Algorithm: SHA-1.

As long as IPsec traffic is received, the connection is considered alive. Your VPN connection can recover without having to reauthenticate if you lose your connection for a short time (a few seconds). However, if the time since the last received packet is greater than the timeout interval, the connection times out.
46. ...ipment, or software described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT: Identifies information that is critical for successful application and understanding of the product.

Labels may also be on or inside the equipment to provide specific precautions.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may reach dangerous temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE).
47. [Network Configuration web page, as shown in the screen capture: Home; Diagnostics; Initial Network Configuration; Administrative Settings (Device Configuration, Network Configuration, Security Configuration, Secure Tunnel Configuration, User Management, Certificate Management, Backup/Restore); Browse Chassis. Ethernet Interface Configuration: Static; IP Address: 10.10...; Subnet Mask: 255.255.255.0; Default Gateway; Primary Name Server; Secondary Name Server; Domain Name; Hostname; Name Resolution (DNS): DNS Enabled; Ethernet Link: Autonegotiate Status: Autonegotiate Speed and Duplex; Select Port Speed: 100 Mbps; Select Duplex Mode: Full Duplex; Apply Changes.]

Table 3: Network Configuration Parameter Descriptions

Parameter / Description
- Ethernet Interface Configuration: The network configuration scheme: Dynamic BOOTP (default); Dynamic DHCP; Static.
- IP Address: IP address for the module. If you want to specify a static IP address for the module, you must also choose Static for the Ethernet Interface Configuration field.
- Subnet Mask: Subnet mask for the module.
- Default Gateway: Gateway address for the module.
- Primary Server Name: DNS server addresses, if you are using DNS addressing within your Logix program.
- Seco
48. ...n give you this address. Internet address: 10.10.10.1; Destination name: EN2TSC_VPN_Connection; Use a smart card; Allow other people to use this connection (this option allows anyone with access to this computer to use this connection); Don't connect now, just set it up so I can connect later.]

9. Enter the appropriate user name and password. The user name and password must have already been configured as an L2TP user on the 1756-EN2TSC module. See the L2TP Edit Users tab as part of configuring the 1756-EN2TSC module (page 38).

[Connect to a Workplace dialog, as shown in the screen capture: Type your user name and password. User name: user1; Password; Show characters; Remember this password; Domain (optional).]

10. Check Remember this password.
11. Click Create.
12. Once the connection is created, click Close.

[Connect to a Workplace dialog: The connection is ready to use. Connect now.]

13. Click the network icon in the right bottom corner of the Windows taskbar.
14. Select the created connection, right-click, and choose Properties. Currently
49. ...ndary Server Name.
- Domain Name: Domain name for the web server module, if you are using DNS addressing within your Logix program.
- Host Name: Host name for the module.
- Name Resolution (DNS): Whether the module uses DNS addressing within your Logix program.
- Autonegotiate Status: How to determine port speed and duplex: Autonegotiate speed and duplex (recommended); Force speed and duplex.
- Select Port Speed: Port speed (10 Mbps or 100 Mbps), if you chose to force speed and duplex.
- Select Duplex Mode: Duplex (full or half), if you chose to force speed and duplex.

Create User Accounts

You can define user accounts for the web interface to the module. Every user is authenticated by a user name and a password. These accounts are typically for administrators or others who need access to diagnostic information.
- Assign user accounts with access levels to manage who has access to change configuration or to view module information.
- Define each user as a member of the Users group or the Administrators group. Members of the Administrators group have all access rights to the module.
- You cannot change a user name.

To add or remove a user, access Administrative Settings > User Management > Edit Users.
50. (Screenshot: Restore Configuration Items page, logged in as Administrator.)

Chapter 3 Configure a Secure Connection to a Microsoft Windows Client
Topic / Page:
Create Windows Client Connection By Using a Windows Profile, 35
Configure Mobile Client, 37
Configure an L2TP Connection, 38
Configure a Connection from a Microsoft Windows Client, 40
Open the VPN Connection to the 1756-EN2TSC Module, 47
Communicate to the Module Via an RSLinx Driver, 49
In this scenario, a Microsoft Windows 7 client establishes an IPsec association with the 1756-EN2TSC module.
(Figure 2: Enterprise Zone (Levels 4 and 5); Demilitarized Zone (DMZ); Manufacturing Zone, Site Manufacturing Operations and Control (Level 3): any servers or devices on this level need a Windows 7 VPN client to connect to the chassis with the 1756-EN2TSC module; Levels 0-2: ControlLogix chassis with 1756-EN2TSC module.)
An example of a Windows 7 client is a personal computer running Studio 5000, FactoryTalk
51. ...ontroller ports.
(Screenshot: controller Security properties, Changes To Detect 16#FFFF_FFFF_FFFF_FFFF, Configure Audit Value.)
• The serial number lock feature in the 1756-EN2TSC module properties, together with the trusted slot feature, restricts communication through a module in the trusted slot with the specific serial number.
(Screenshot: 1756-EN2TSC module properties, tabs Connection, RSNetWorx, Module Info, Internet Protocol, Port Configuration, Time Sync, Secure Co...; type 1756-EN2TSC 1756 10/100 Mbps Ethernet Bridge, Twisted-Pair Media; name EN2TSC_module; Private Network 192.168.1.x; IP Address 10.10.10.1; Electronic Keying; Rack Connection: None; Time Sync Connection: None; Lock Serial Number: No.)

Network Access Security
The trusted slot and serial number lock features are for applications that have concern with physical access to and tampering with the controller.
IMPORTANT: Use caution with these features and make sure you have the controller project backed up in a secure location. If the module becomes disabled for any reason, you have to download to the controller to recover.
The 1756-EN2TSC module uses the Internet Protocol Security (IPsec) technology to provide secure communication over the Ethernet network. IPsec is widely deployed and is often used to create Virtual Private
52. ...ovide a secure communication tunnel.
The 1756-EN2TSC module is intended for use behind an existing firewall/DMZ that helps protect the plant network from outside access. This module is not intended to be connected directly to the public Internet or to provide a mechanism by which remote access is provided to a network. The module does not provide the ability to expose a private network address range via IPsec; only the module's IP address is available.

Considerations
Out of the box, the module functions just like a 1756-EN2T module, except that the module does not support the following:
• Integrated motion on EtherNet/IP networks
• ControlLogix redundancy systems
• SIL 2 applications
• Email capabilities
• EtherNet/IP socket interface
Once security is enabled, modules like POINT I/O adapters, FLEX I/O adapters, and PowerFlex drives are not able to establish a secure connection because they do not support secure tunnels. When security is enabled, the module connects with:
• Upper-level systems and user workstations with Windows 7 operating systems
• Stratix 5900 Services Router
• Cisco ASA security appliances
• Other 1756-EN2TSC modules
The module supports the current versions of common web browsers, such as Internet Explorer 8 and 9. For security reasons, Secure Sockets Layer (SSL) 2.0 and 3.0
53. ...r due to a self-signed certificate.
You can specify the validity period of the certificate you generate. The period is set from the current time on the module to a specified end time. Synchronize the real-time clock on the Logix5000 controller with the current time. Generating a short validity period without the clock being synchronized can generate an outdated certificate.
To generate a new certificate, choose Administrative Settings > Certificate Management > Generate HTTPS Certificate.
(Screenshot: Generate HTTPS Certificate page, Self-Signed Certificate Options, Certificate Validity Period (month/year) pull-down, Generate a new certificate button. WARNING: Certificate generation may take up to 1 minute to complete.)
Use the pull-down menu to choose a valid length of time for the certificate to be enabled.

Certificates
On initial powerup, the subject common name (CN) of the self-generated certificate is set to Rockwell Automation.
(Screenshot: Windows certificate viewer, Details tab, with fields Signature algorithm, Signature hash algorithm, Issuer, Valid from, Valid to, Subject...)
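The validity window and CN behaviour described here (validity measured from the module clock, CN "Rockwell Automation" until a certificate is regenerated, afterwards the module IP address) can be verified from a workstation before the web interface is trusted. The following is an added example, not code from this manual or from Rockwell Automation; it assumes the module's HTTPS server listens on port 443 and works on the dict layout that Python's ssl getpeercert() returns.

```python
# Added example, not Rockwell Automation code: check a 1756-EN2TSC module's HTTPS
# certificate against the manual: self-signed, validity window starting at the module
# clock (an unsynchronized clock yields a not-yet-valid or outdated certificate), and
# CN "Rockwell Automation" until regeneration, after which the CN is the module IP.
import socket
import ssl
import time

INITIAL_CN = "Rockwell Automation"  # CN of the factory-generated certificate
REASONS = {  # finding codes returned by check_module_cert()
    "default-cn": "factory-generated certificate still in use; generate a new one",
    "cn-mismatch": "subject CN is neither the default nor the module IP address",
    "not-self-signed": "issuer differs from subject; module certificates are self-signed",
    "not-yet-valid": "notBefore is in the future: module clock was ahead when generated",
    "expired": "notAfter has passed: regenerate after synchronizing the module clock",
}

def _rdn_dict(name):  # flatten the ((('commonName', 'x'),), ...) layout of getpeercert()
    return {key: value for rdn in name for key, value in rdn}

def check_module_cert(cert, module_ip, now=None):
    """Return finding codes for a certificate in ssl.getpeercert() dict form;
    an empty list means self-signed, currently valid, CN equal to module_ip."""
    now = time.time() if now is None else now
    subject = _rdn_dict(cert.get("subject", ()))
    issuer = _rdn_dict(cert.get("issuer", ()))
    findings = []
    cn = subject.get("commonName")
    if cn == INITIAL_CN:
        findings.append("default-cn")
    elif cn != module_ip:
        findings.append("cn-mismatch")
    if subject != issuer:
        findings.append("not-self-signed")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not-yet-valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    return findings

def fetch_module_cert(host, port=443):
    """Fetch the live certificate (assumes HTTPS on port 443). The self-signed PEM is
    used as the only trust anchor because getpeercert() returns {} unless verified."""
    pem = ssl.get_server_certificate((host, port))
    ctx = ssl.create_default_context(cadata=pem)
    ctx.check_hostname = False  # CN is checked by check_module_cert() instead
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

SAMPLE_CERT = {  # constructed sample mirroring the certificate details pictured in the manual
    "subject": ((("commonName", "10.10.10.1"),),),
    "issuer": ((("commonName", "10.10.10.1"),),),
    "notBefore": "Feb 17 00:00:00 1970 GMT",  # module clock was not synchronized
    "notAfter": "Jan 1 00:00:00 2050 GMT",
}

if __name__ == "__main__":
    for code in check_module_cert(SAMPLE_CERT, "10.10.10.1"):
        print(code, "-", REASONS[code])
```

For a live module, replace SAMPLE_CERT with fetch_module_cert("<module IP>") and pass the same IP as module_ip.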
54. ...ration
(Screenshot: IPsec Configuration page listing security associations: Windows Client 10.208.50.191; Windows Client 10.208.50.192; Peer to Peer 10.208.50.51 through 10.208.50.55; Windows Client 10.10.10.2; Revert Changes button.)
2. On the right side of the screen, check Enable to enable IPsec connections.
3. In the Add a Security Association (SA) area, do the following:
a. Enter the Identifier as a text description of the connection.
b. Choose the Windows Client profile.
c. Enter the Remote IP address.
d. Enter the pre-shared key and confirm the pre-shared key. A pre-shared key is similar to a password. Enter a phrase or set of characters. For example, you could enter rockwell as a pre-shared key. Remember the pre-shared key. You enter the same value when you configure the connection from the Windows client (see page 40).
(Screenshot: new entry EN2TSC_Client, Windows Client, 10.10.10.2.)
4. Click Add.
5. Click Apply Changes.
(Screenshot: IPsec Configuration page: L2TP_1 Windows Client 10.208.50.191; L2TP_2 Windows Client 10.208.50.192; PeerVPN_1 Peer to Peer 10.208.50.51; PeerVPN_2 Peer to Peer 10.208.50.52; PeerVPN_3 10.20
55. ...se all browsers to prevent others from potentially accessing the web pages.

Configure all security parameters via the web server. In the Address field of your web browser, enter the IP address that displays on the front of the module.
(Screenshot: web browser with the module IP address entered in the Address field.)
After you log in, the Home page appears.
(Screenshot: module Home page. Device Name 1756-EN2TSC/B; Device Description; Device Location; Ethernet Address (MAC) 00:1D:9C:CB:BF:80; IP Address 10.208.50.50; Product Revision 10.010; Firmware Version Date Aug 18 2015 12:24:20; Serial Number 00BD2F51; Status Run; Uptime 5 days 15h 28m 17s; Bad logins 6; Login lockdowns 1; Reset button. Left pane: Diagnostics, Administrative Settings, Browse Chassis.)
The 1756-EN2TSC module has an embedded HTTPS server that it uses to provide secure web communication. An HTTPS server uses a certificate so that the client can verify server authenticity. For websites connected to the Internet, certificates are normally signed by a trusted certificate authority. Web browsers are then able to verify the authenticity of the
56. ...sumed tags, CIP Sync packets, or multicast communication. Use MSG instructions rather than produced/consumed tags to share data.

Chapter 4 Configure Secure Communication Between Two 1756-EN2TSC Modules

Configure the First Local Module
Follow these steps to configure the first local module.
1. Choose Administrative Settings > Secure Tunnel Configuration > IPsec Configuration and make sure that Enable IPsec is enabled.
(Screenshot: IPsec Configuration page with existing associations 10.208.50.191, 10.208.50.192, 10.208.50.51 through 10.208.50.55, and 10.10.10.2; Apply Changes button; message "configuration changed, press Apply button to proceed".)
2. To create a secure association, do the following:
a. Enter the Identifier as a text description of the connection.
b. Choose Peer to Peer as the Profile.
c. Enter the IP address of the second (remote) module.
d. Enter the pre-shared key and confirm the pre-shared key.
3. Click Add.
4. Click Apply Changes after entering all configurations.
(Screenshot: IPsec Configuration page listing Peer to Peer associations 10.208.50.51 through 10.208.50.55 and a Windows
57. (Screenshot: Windows certificate viewer with Edit Properties and Copy to File buttons.)
When you generate a new certificate, the CN is changed to the IP address of the module, and the new certificate is applied at the next restart of the module.
(Screenshots: Generate HTTPS Certificate page with Certificate Validity Period "Until 2050"; certificate details showing Serial number, Signature algorithm, Signature hash algorithm, Issuer 10.192.78.7 / Rockwell Automation, Valid from Tuesday, February 17, 1970, Valid to 2050.)

Backup/Restore
To back up module configuration, choose Administrative Settings > Backup/Restore > Backup.
(Screenshot: Backup Configuration page. Configuration items: Secure Tunnel Configuration, USB Configuration, Security Configuration, Resets, Control Flash Update, User Management Configuration. Backup Configuration Password (optional), Confirm Password. "To perform a backup, select the appropriate configuration items, then click Backup and save the resulting file to a known location.")
Choose which items to include in the backup configuration:
Parameter / Description:
Secure Tunnel Configuration: Secure tunnel settings: IPsec Configuration, Mobile Clients, L2TP Config
58. ...the plant firewall.
These documents contain additional information concerning related products from Rockwell Automation.
1756 ControlLogix Communication Modules Specifications Technical Data, publication 1756-TD003: Specifications for ControlLogix communication modules.
EtherNet/IP Network Configuration User Manual, publication ENET-UM001: Guidelines for configuring EtherNet/IP network parameters.
EtherNet/IP Modules Installation Instructions, publication ENET-IN002: Guidelines for installing EtherNet/IP modules.
Ethernet Design Considerations Reference Manual, publication ENET-RM002: Guidelines for Ethernet networks.
Industrial Automation Wiring and Grounding Guidelines, publication 1770-4.1: Guidelines for installing a Rockwell Automation industrial system.
Product Certifications website, http://www.ab.com: Declarations of conformity, certificates, and other certification details.
You can view or download publications at http://www.rockwellautomation.com/literature. To order paper copies of technical documentation, contact your local Allen-Bradley distributor or Rockwell Automation sales representative.

Chapter 1 Secure Communication Architecture
Topic / Page:
Local Chassis Security, 12
Network Access Security, 13
IPsec Association, 14
Performance
59. (Screenshot: module web page, logged in as Administrator.)
After you change the Administrator password, the module home page appears.

Configuration Overview
The left pane of the web browser is a navigation tree to configure and maintain the module. Only members of the Administrators group can see all features. See the next chapters in this manual for different security configurations.

Assign Network Settings
By default, the module is BOOTP enabled.
IMPORTANT: Do not simply configure the initial address that is assigned to the module as a static IP address. Contact your network administrator for an appropriate static IP address.
To assign an IP address, choose one of the following methods:
• Rotary switches on the module, before you install the module
• Rockwell Automation BOOTP/DHCP utility, available with RSLinx and Studio 5000 environments
• RSLinx software
• Studio 5000 environments
For information on how to assign network parameters, see EtherNet/IP Network Configuration User Manual, publication ENET-UM001.

Change Network Settings Via the Module Web Page
Choose Administrative Settings > Device Configuration > Network Configuration. An authenticated user can modify network parameters.
(Screenshot: 1756-EN2TSC/B web page, logged in as Administrator.)
60. ...uration, L2TP Users
USB Configuration: USB port enable/disable status.
Security Configuration: Security settings.
Remote Factory Reset; Remote Reset; Control Flash Update.
User Management Configuration: User management settings (users, passwords, groups).
You can also enter a password if you need to protect the backup file.

To restore module configuration, choose Administrative Settings > Backup/Restore > Restore.
IMPORTANT: When you restore a configuration, it overwrites the current configuration settings in the module, including user names and passwords. The restore operation can result in changes that do not allow further web access to the device.
1. Specify the backup file.
(Screenshot: Restore Configuration page, logged in as Administrator.)
2. If the backup file is password protected, enter the password when prompted.
3. When prompted that the restore overwrites the module, click OK.
(Dialog: "Restore will overwrite current configuration, password(s) and will reset the module. Continue?")
TIP: A 1756-EN2TSC series B module can import a series A configuration, but a series A cannot import a series B configuration.
When the restore is complete, the module displays a status message.
(Screenshot: module web page, logged in as Administrator.)
61. ...xisting IP addresses normally used by the host PC.
• Two 1756-EN2TSC modules that are connected to the same Windows client at the same time must be assigned to non-overlapping subnets.
Once the secure tunnel exists, RSLinx software uses the L2TP server IP addresses to communicate with the controllers through the 1756-EN2TSC modules.
(Figure 4: Two 1756-EN2TSC Modules Connected to the Same Windows Client. First 1756-EN2TSC module (10.10.10.1): First L2TP Server 192.168.1.1. Personal Computer (10.10.10.2), L2TP client: First L2TP Client 192.168.1.2, Second L2TP Client 192.168.2.2. Second 1756-EN2TSC module (10.10.10.6): Second L2TP Server 192.168.2.1.)

Create Windows Client Connection By Using a Windows Profile
Follow these steps to create a Windows client connection by using a Windows profile.
1. Log in to the 1756-EN2TSC module and choose Administrative Settings > Secure Tunnel Configuration > IPsec Configuration.
(Screenshot: IPsec Configu
