        UM EN MGUARD DEVICES - Innominate Security Technologies AG
         Contents
1.         Figure 2 1 mGuard rs4000 Switch mGuard rs2000 Switch    Innominate Security Technologies 33    m Guard rs4000 rs2000 Switch    2 1 Operating elements and LEDs    Reset button   LEDs  see Table 2 2  DMZ port   WAN port   LAN port  protected   LAN port  LAN port  LAN port  protected     Plug in screw terminal  blocks  for assignment  refer  to page 39 and page 41    protected            protected        Slot for optional SD card       a interface     bottom     Figure 2 2 Operating elements and LEDs on the mGuard rs4000 Switch    Table 2 2 LEDs on the mGuard rs4000 Switch and mGuard rs2000 Switch    P2    Green  On   Power supply 2 is active  mGuard rs2000 Switch  not used   Stat   Green Flashing Heartbeat  The device is correctly connected and operating     Flashing System error  Restart the device       Press the reset button shortly  for 1 5 seconds          Alternatively  briefly disconnect the device power supply and then connect it  again     If the error is still present  start the recovery procedure  see page 47  or contact  your dealer     Stat   Err Flashing alternately    Boot process  When the device has been connected to the power supply  After a  green and red few seconds  this LED changes to the heartbeat state   Mod    Green  On   Connection via modem established    On The signal output takes low level due to an error  inverted logic   The signal output  is inactive during a restart        34 Innominate Security Technologies 115007_en_02    m Guard rs400
2.         e   Serial V 24   Reset button   gt  Ethernet LAN  ea        USB  2  a  Ethernet WAN       Serial V 24 Mg    V 24 __  _        Ground connection    Figure 13 2 Operating elements and LEDs on the EAGLE mGuard    Table 13 2 LEDs on the EAGLE mGuard    Power supply 1 or 2 is active     STATUS Green The mGuard is ready     The mGuard is starting   ing    FAULT Red  On   The signal contact is open due to an error  see    Signal contact    on page 241      LS DA 1 2 Link present    V 24 Yel    Flash    Data transfer  low ing       238     Innominate Security Technologies 115007_en_02    EAGLE mGuard    13 2 Startup    13 2 1 Safety notes    To ensure correct operation and the safety of the environment and of personnel  the  mGuard must be installed  operated  and maintained correctly     NOTE  Risk of material damage due to incorrect wiring  Only connect the mGuard network ports to LAN installations  Some telecommunications    connections also use RJ45 sockets  these must not be connected to the RJ45 sockets of  the mGuard        General notes regarding usage    NOTE  Select suitable ambient conditions      Ambient temperature   0  C      60  C      Maximum humidity  non condensing   10      95     To avoid overheating  do not expose the mGuard to direct sunlight or other heat sources     Q NOTE  Cleaning  Clean the device housing with a soft cloth  Do not use aggressive solvents     13 2 2 Checking the scope of supply       Before startup  check the scope of supply to ensu
3.        Maximum humidity  non condensing   10      95   To avoid overheating  do not expose the mGuard to direct sunlight or other heat sources     Q NOTE  Cleaning  Clean the device housing with a soft cloth  Do not use aggressive solvents     10 2 2 Checking the scope of supply       Before startup  check the scope of supply to ensure nothing is missing     The scope of supply includes         Package slip       19  mGuard bladebase       AnmGuard blade as the controller       Two power supply units       Two power cables       12 place holders       12 labeling plates M1 to M12       Screws for mounting the mGuard bladebase    115007_en_02 Innominate Security Technologies 183    m Guard blade    10 3 Installation of mGuard blade    mGuard bladebase mGuard blade    Power supply switch P1 and P2            Handling plates       Screws          O    mGuard blade 1 to 12    Control unit  CTRL   Power supply P1 and P2       Power supply connection P1 and P2    Figure 10 3 Installation of mGuard blade    NOTE  Always ensure sufficient air circulation for the BladePack     If several BladePacks are stacked  one or more inches of fan trays must be installed to  discharge the accumulated warm air        Installation of mGuard bladebase        Install the mGuard bladebase in the rack  e g   close to the patch field         Fit the two power supplies and the control unit with the handling plates    P1        P2     and     Ctrl    on the front from left to right         Connect both p
4.       90  during operation  non condensing    10      90  out of service    Degree of protection Front IP20  Temperature range 0  C      50  C  operation    20  C      70  C  storage   Dimensions  H x W x D  88 x 482 x 472 mm  2 HE x 19    x 18 58    Weight 10 kg    Firmware and power values    Firmware compatibility mGuard 7 1 or later  Innominate recommends using the latest patch releases   For the scope of functions  please refer to the relevant firmware data sheet     Data throughput  router   firewall  2000 Mbps bidirectional   2000 Mbps bidirectional   Hardware based encryption DES   3DES   AES 128 192 256   Encrypted VPN throughput 600 Mbps bidirectional    AES 256    Management support Web GUI  HTTPS    command line interface  SSH    SNMP v1 2 3   central  device management software   Diagnostics LEDs  1 x Power  1 x HDD    Boot menu   Log File   Remote Syslog   Other   Conformance CE  developed according to UL requirements    214     Innominate Security Technologies 115007_en_02    mGuard industrial rs    12 m Guard industrial rs    115007_en_02    Table 12 1 Available mGuard industrial rs versions    mGuard industrial rs HW 105000  mGuard industrial rs Analog HW 105010    The mGuard industrial rs can be used as a firewall VPN router via Ethernet or via serial  dial up connections  It is available in three device versions         With integrated modem      With integrated ISDN terminal adapter      Without these devices       The mGuard industrial rs is suitable for 
5.      Connecting the mGuard blade

[Figure 10-4: Connecting the mGuard blade to the network, before and after. Labels: computer, patch field, switch, mGuard blade]

NOTE: If your computer is already connected to a network, patch the mGuard blade between the existing network connection.

Please note that configuration can only be completed from the local computer via the LAN interface and that the firewall of the mGuard blocks all IP data traffic from the WAN to the LAN interface.

Driver installation is not required.

For security reasons, we recommend you change the default root and administrator passwords during initial configuration.

Serial port

NOTE: The serial interface (RJ12 socket) must not be connected directly to telecommunications connections. To connect a serial terminal or a modem, use a serial cable with RJ12 plug. The maximum cable length of the serial cable is 30 m.

The serial port (serial interface) can be used as follows:

To configure the mGuard via the serial interface. There are two options:

- A PC is connected directly to the serial interface of the mGuard (via the serial interface of the PC). The PC user can then use a terminal program to configure the mGuard via the command line.
- Alternatively, a modem may be connected to the serial interface of the mGuard. This modem is connected to the telephone network  fixed line
6.      Klicken Sie auf  Fertig stellen   um den Yorgang abzuschlieBen     Abbrechen              lt  Zuruck       Figure 9 8 Driver installation under Windows XP    1  After inserting the data carrier  select the    Install from a list or specific location  Ad   vanced     option and click    Next       2  Click    Next      Click    Continue Anyway      4  Click    Finish       wo    166     Innominate Security Technologies 115007_en_02    mGuard pci    Under Windows 2000    e After installing the hardware  switch on the computer   e Log on with administrator rights and wait until the following window appears     1 Found New Hardware Wizard a 2 Found New Hardware Wizard i    Welcome to the Found New a e oe           device driver is a software program that enables a hardware device to work with Sy  Hardware Wizard an operating system           This wizard helps you install a device driver for a    This wizard will complete the installation for this device   hardware device     Hg Innominate mGuardPCI    4 device driver is a software program that makes a hardware device work  Windows  needs driver files for your new device  To locate driver files and complete the  installation click Next     What do you want the wizard to do       Search for a suitable driver for my device  recommended        Display a list of the known drivers for this device so that   can choose a specific  driver    To continue  click Next           Cancel   Cancel      4 Found New Hardware Wizard q         
7.     NOTE: The web browser used must support SSL encryption (i.e., HTTPS).

The mGuard can be accessed via one of the following addresses:

Table 9-4 Preset addresses (columns: Default setting, mode, Management IP 1, Management IP 2)
    https://1.1.1.1    https://192.168.1.1

Proceed as follows:

• Start a web browser.
• Make sure that the browser, when it is started, does not automatically establish a connection, as otherwise the connection establishment to the mGuard may be more difficult.
  In Internet Explorer, make the following settings:
  • In the "Tools" menu, select "Internet Options" and click on the "Connections" tab.
  • Under "Dial-up and Virtual Private Network settings", select "Never dial a connection".
• Enter the address of the mGuard completely into the address line of the web browser (refer to Table 9-4).

You access the administrator website of the mGuard.

If the administrator web page of the mGuard cannot be accessed

If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see "Performing a recovery procedure" on page 176).

If the web browser repeatedly reports that the page cannot be displayed, try the following:

• Check whether the default gateway of the connected configuration computer is initialized (see "Lo
8.     Network interfaces    Other interfaces  Drives   Redundancy options  Power supply   Power consumption  Humidity range  Degree of protection    Temperature range    Dimensions  H x W x D     Weight    Firmware and power values    Firmware compatibility    Data throughput  router   firewall   Hardware based encryption  Encrypted VPN throughput  AES 256     Management support    Diagnostics    Other    Conformance    115007_en_02    mGuard delta    Technical data    Intel network processor  with 533 MHz clocking    4 LAN ports  unmanaged switches   1 WAN port  Ethernet IEEE 802 3 10 100 Base TX    RJ45   full duplex   auto MDIX    Serial RS 232  D SUB 9 connector   Depending on the firmware used   External power supply unit 5 V 3 A  DC   110 V     230 V  AC  4 5 W  typical   5      95  during operation  non condensing   IP20    0  C      40  C  operation    20  C      70  C  storage     30 x 239 x 156 mm  1300 g    mGuard v5 0 or later  Innominate recommends firmware version 6 x or 7 x to  be used with the latest patch releases     For the scope of functions  please refer to the relevant firmware data sheet   99 Mbps bidirectional   99 Mbps bidirectional   DES   3DES   AES 128 192 256   70 Mbps bidirectional    Web GUI  HTTPS    command line interface  SSH    SNMP v1 2 3   central  device management software    7 LEDs  Power  Status  WAN  LAN 1     4  I log file   remote syslog    CE   FCC    Innominate Security Technologies 155    mGuard delta    156 Innominate Security Tec
9.     Operating a connected on/off switch

Functional earth ground

The functional earth ground can be used by the operator. This connection is electrically connected to the back of the mGuard industrial rs. The mGuard industrial rs is grounded when it is mounted on a DIN rail with the metal clamp, which connects the back of the device to the DIN rail. The DIN rail must be grounded.

Signal contact

WARNING: Only SELV circuits with voltage limitations according to EN 60950-1 may be connected to the signal contact.

The signal contact monitors the mGuard industrial rs and thus enables remote diagnostics. Interruption of the contact via the floating signal contact (relay contact, closed current circuit) indicates the following:

- Failure of at least one of the two supply voltages.
- Power supply of the mGuard industrial rs below the specified limit value (supply voltage 1 and/or 2 is less than 9 V).
- The faulty link status of at least one port. The link status message for each port can be masked on the mGuard industrial rs via the management software. By default upon delivery, there is no connection monitoring.
- Error during selftest.

During a restart, the signal contact is interrupted until the mGuard has started up completely. This also applies when the signal contact is manually set to "Closed" in the software configuration.

Service contacts

WARNING: The service contacts (_ _ CMD ACK) must not be connected to an ext
10.     [Figure 9-10: Driver installation under Windows 2000 (2). Screenshots: the Windows warning that the software for "Innominate mGuardPCI" does not contain a Microsoft digital signature, asking "Do you want to continue the installation?", and the "Completing the Found New Hardware Wizard" page.]

5. Click "Yes".
6. Click "Finish".

Under Linux

The Linux driver is available in the source code and must be compiled before use.

• First set up and compile the Linux kernel (2.4.25) in the directory /usr/src/linux.
• Extract the drivers from the ZIP to the directory /usr/src/pci-driver.
• Execute the following commands:

    cd /usr/src/pci-driver
    make LINUXDIR=/usr/src/linux
    install -m0644 mguard.o /lib/modules/2.4.25/kernel/drivers/net/
    depmod -a

• The driver can now be loaded with the following command:

    modprobe mguard

9.4 Preparing the configuration

9.4.1 Connection requirements

mGuard pci

For local configuration  The comp
11.     • If other LAN connections are active on the computer, deactivate them until the configuration has been completed.
  Under the Windows menu "Start, Settings, Control Panel, Network Connections" or "Network and Dial-up Connections", right-click on the corresponding icon and select "Disable" in the context menu.

mGuard rs4000/rs2000

After successful connection establishment

Once a connection has been established successfully, a security alert may be displayed.

Explanation: As administrative tasks can only be performed using encrypted access, a self-signed certificate is supplied with the device.

• Click "Yes" to acknowledge the security alert.

The login window is displayed.

[Figure 1-5: Login window "Login to mguard" with User Name and Password fields]

• To log in, enter the preset user name and password (please note these settings are case-sensitive):

    User Name: admin
    Password: mGuard

The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual.

For security reasons, we recommend you change the default root and administrator passwords during initial configuration.

1.7 Remote configuration

Requirement: The mGuard must be configured so that remote configuration is permitted.
12.    Table of contents

   7.5 Establishing a local configuration connection
   7.6 Remote configuration
   7.7 Restart, recovery procedure, and flashing the firmware
   7.8 Performing a restan aeiee a a a E a
   7.9 ESC TAG Uy CAL esmera a tatinetn teresa centises
   FUNG CSU  esns eel rise ein ttae ees dc Casta eet leat oes aA caine S
   8.1 Operating elements and LEDs
   8.2 5  Ke  90     geet nC RNnEnen reenter peace rte tence htt nthe er Rete Renee eee meer ene eet neke Seen et ent nen onee et etre
   8.3 Connecting the mGuard delta
   8.4 Preparing the configuration
   8.5 Establishing a local configuration connection
   8.6 Remote configuration
   8.7 Restart, recovery procedure, and flashing the firmware
   8.8 Technical data
   T MOJ OC eaaa a team sect ence unen Seccen ee taetee
   9.1 Operating elements and LEDs
   9.2 ML E   o cerca EEEE A ees etc as se stee
13.    As the first primary partition, the USB storage medium must have a VFAT file system and must contain the same files in the same folders as stored on the CD. In addition to this, as is the case for a CD, the specified files can be located in the Rescue Config folder.

Effect: The mGuard downloads all necessary files from the connected USB storage medium. With this in mind, while the boot menu is displayed and before applying this selection at the very latest, connect the USB storage medium containing the firmware to the USB interface. (For security reasons, the mGuard centerport does not boot from the USB storage medium.)

Once the rescue procedure is complete, a corresponding message appears on the monitor. Follow any further on-screen instructions.

The mGuard is in the delivery state. You can now configure it again (see "Establishing a local configuration connection" on page 206).

Burning mGuard firmware to CD-ROM

The firmware for the mGuard can be burnt to CD. A zip file is available for download from the download page of www.innominate.com.

The content of this zip archive can be burnt as a data CD. The following files must be located in the following folders under the following path names on the CD:

- Firmware/install.x86_64.p7s
- Firmware/firmware.img.x86_64.p7s

mGuard centerport

In the case of the file install.x86_64.p7s, ensure that the file version that Innominate has declared for use for the rescue
14.    Configuration

mGuard rs4000/rs2000 3G

3.7 Remote configuration

The mGuard must be configured so that remote configuration is permitted. The option for remote configuration is disabled by default.

Switch on the remote configuration option in the web interface under "Management >> Web Settings".

To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there.

Proceed as follows:

• Start the web browser on the remote computer.
• Under address, enter the IP address where the mGuard can be accessed externally over the Internet or WAN, together with the port number (if required).

If the mGuard can be accessed over the Internet, for example, via address https://123.45.67.89 and port number 443 has been specified for remote access, the following address must be entered in the web browser of the remote peer: https://123.45.67.89

If a different port number is used, it should be entered after the IP address, e.g., https://123.45.67.89:442

The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual.

3.8 Restart, recovery procedure, and flashing the firmware

The Reset button is used to set the device to one of the following states:

- Performing a restart
- Performing a recovery procedure
- Flashing t
15.    Figure 10 2 Operating elements and LEDs on the mGuard blade    Table 10 2 mGuard blade    WAN  LAN Red Flashing Boot process  When the computer is started or restarted     Flashing System error  Restart the device   e Press the Reset button  for 1 5 seconds      If the error is still present  start the recovery procedure  see    Performing a re   covery procedure    on page 193  or contact your dealer     WAN  LAN Green On or flash    Ethernet status  Indicates the status of the LAN or WAN interface  As soon as  ing the device is connected  a continuous light indicates that there is a connection  to the network partner     When data packets are transmitted  the LED goes out briefly   Red gree   Various LED   Recovery mode  After pressing the Reset button   n    light codes    See    Restart  recovery procedure  and flashing the firmware    on page 192       182     Innominate Security Technologies 115007_en_02    mGuard blade    10 2 Startup    10 2 1 Safety notes    To ensure correct operation and the safety of the environment and of personnel  the  mGuard must be installed  operated  and maintained correctly     NOTE  Risk of material damage due to incorrect wiring  Only connect the mGuard network ports to LAN installations  Some telecommunications    connections also use RJ45 sockets  these must not be connected to the RJ45 sockets of  the mGuard        General notes regarding usage    NOTE  Select suitable ambient conditions      Ambient temperature    5  C      40  C 
16.    IP Assignment Tool     The program opens and the start screen of the addressing tool appears     The program is mainly in English  However  the program buttons change according to the  country specific settings     The start screen displays the IP address of the PC  This helps when addressing the mGuard  in the subsequent steps   e     Click on    Next        Step 3     IP Address Request Listener       All devices sending a BootP request are listed in the window which opens  These devices  are waiting for a new IP address     Phoenix Contact   IP Assignment Tool    IP Address Request Listener  Please select a MAC Address     The list box below displays all MAC Addresses that we have received BOOTP requests From     MAC Address Last Request Time    00 430 45 04 08 a3 2 14 33 06    If you do not see the Mac address of the device you are looking For  try cycling power to that  device       Show Only Phoenix Contact Devices    Abbrechen    Figure 14 1    IP Address Request Listener    window    In this example  the mGuard has MAC ID 00 A0 45 04 08 A3    e Select the device to which you would like to assign an IP address   e Click on    Next       Step 4     Set IP address       The following information is displayed in the window which opens        P address of the PC    Innominate Security Technologies 255    Assigning IP addresses and setting up DHCP TFTP servers        MAC address of the selected device       P parameters of the selected device    IP address  subnet mask  
17.    NOTE: Do not interrupt the power supply to the device during any stage of the flashing procedure. Otherwise, the device could be damaged and may have to be reactivated by the manufacturer.

• Hold down the reset button until the Stat, Mod, and Sig LEDs light up green. The device then is in rescue status.
• Release the reset button within one second of entering rescue status.

If the reset button is not released, the mGuard is restarted.

The mGuard now starts the rescue system. It first searches for an inserted SD card and for the relevant firmware there. If the mGuard does not find an SD card, it searches for a DHCP server via the LAN interface in order to obtain an IP address.

The Stat LED flashes.

The "install.p7s" file is loaded from the TFTP server or SD card. It contains the electronically signed control procedure for the installation process. Only files that are signed are executed.

The control procedure deletes the current contents of the Flash memory and prepares for a new firmware installation.

The Stat, Mod, and Sig LEDs form a running light.

The "jffs2.img.p7s" firmware file is downloaded from the TFTP server or SD card and written to the Flash memory. This file contains the actual operating system and is signed electronically. Only files signed by the manufacturer are accepted.

This process takes around 3 to 5 minutes. The Stat LED is lit continuously.

The new firmware is extracted and configured. This procedure takes 1 to 3
18.    • If other LAN connections are active on the computer, deactivate them until the configuration has been completed.
  Under the Windows menu "Start, Settings, Control Panel, Network Connections" or "Network and Dial-up Connections", right-click on the corresponding icon and select "Disable" in the context menu.

mGuard delta

After successful connection establishment

Once a connection has been established successfully, a security alert may be displayed.

Explanation: As administrative tasks can only be performed using encrypted access, a self-signed certificate is supplied with the device.

• Click "Yes" to acknowledge the security alert.

The login window is displayed.

[Figure 4-4: Login window "Login to mguard" with User Name and Password fields]

• To log in, enter the preset user name and password (please note these settings are case-sensitive):

    User Name: admin
    Password: mGuard

The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual.

For security reasons, we recommend you change the default root and administrator passwords during initial configuration.

4.7 Remote configuration

Requirement: The mGuard must be configured so that remote configuration is permitted. The option f
19.    full duplex   auto MDIX    Serial RS 232  internal connector  128 MB RAM   128 MB Flash SD card   replaceable configuration memory  Optional  VPN   router    3 3 Vor5V  via PCI  mGuard pci  SD  or PCI Express bus  mGuard pcie  SD     Typical  3 7 W     4 2 W   5      95  during operation and storage  non condensing  Depending on installation type and on the host system  0  C      70  C  operation     20  C      70  C  storage    0  C      60  C  operation     20  C      60  C  storage    950 mm X 18 mm X 130 mm    729g    For mGuard v7 5 0 or later  Innominate recommends the use of the latest  firmware version and patch releases in each case     For the scope of functions  please refer to the relevant firmware data sheet     Router mode  default firewall rules  bidirectional throughput  max  99 Mbps  Stealth mode  default firewall rules  bidirectional throughput  max  50 Mbps  DES   3DES   AES 128 192 256   Router mode  default firewall rules  bidirectional throughput  max  35 Mbps  Stealth mode  default firewall rules  bidirectional throughput  max  25 Mbps    Web GUI  HTTPS    command line interface  SSH    SNMP v1 2 3   central  device management software    LEDs  2 x LAN  2 x WAN in combination  for Ethernet status and speed  1  LED for Power  Error  State  Fault  Info    log file   remote syslog    CE   FCC    Realtime clock   Trusted Platform Module  TPM    temperature sensor    mGuard Remote Services Portal ready    Innominate Security Technologies 107    mGuard pci
20.    procedure. Otherwise, the device could be damaged and may have to be reactivated by the manufacturer.

• Hold down the Reset button until the LEDs light up green. Then, the mGuard is in the recovery state.
• Release the Reset button within a second of entering the recovery state.

If the Reset button is not released, the mGuard is restarted.

The mGuard now starts the recovery system. It searches for a DHCP server via the LAN interface in order to obtain an IP address.

The middle LED flashes.

The "install.p7s" file is loaded from the TFTP server or SD card. It contains the electronically signed control procedure for the installation process. Only files that are signed are executed.

The control procedure deletes the current contents of the Flash memory and prepares for a new firmware installation.

The three green LEDs form a running light.

The "jffs2.img.p7s" firmware file is downloaded from the TFTP server or SD card and written to the Flash memory. This file contains the actual mGuard operating system and is signed electronically. Only files signed by Innominate are accepted.

This process takes around 3 to 5 minutes. The middle LED is lit continuously.

The new firmware is extracted and configured. This procedure takes 1 to 3 minutes.

• As soon as the procedure is complete, all LEDs flash green simultaneously.
• Restart the mGuard. To do this, briefly press the Reset button.
  Alternatively, you can disconnect and insert the USB cable  as 
21.   128 Mbyte RAM   128 Mbyte Flash 128 Mbyte RAM   128 Mbyte Flash  SD card SD card   Replaceable configuration memory Replaceable configuration memory    Optional  VPN   router and firewall     Voltage range 11     36 VDC  redundant Voltage range 11    36 V DC  Typical  lt  200 mA  24 V DC    Typical  lt  200 mA  24 V DC     Maximum  lt  800 mA  10 V DC  Maximum  lt  800 mA  10 V DC     5      95   operation  storage   non con  5     95   operation  storage   non con   densing densing    IP20 IP20   20  C      60  C  operation   20  C      60  C  operation    20  C      70  C  storage   20  C      70  C  storage     130 mm x 45 mm x 114 mm 130 mm x 45 mm x 114 mm   up to DIN rail support   up to DIN rail support     835 g 835 g    m Guard rs4000 Switch m Guard rs2000 Switch  Firmware 8 1 5  Innominate recommends the use of the latest firmware version and  patch releases in each case    For the scope of functions  please refer to the relevant firmware data sheet     Router mode  default firewall rules  bidirectional throughput  99 Mbps  maximum  Stealth mode  default firewall rules  bidirectional throughput  50 Mbps  maximum    When using the DMZ as independent network zone  the maximum possible data  throughput is distributed to the three zones     IPsec  IETF standard   Up to 250 VPN tunnels    DES   3DES   AES 128 192 256    IPsec  IETF standard   Up to 2 VPN tunnels    DES   3DES   AES 128 1 92 256    Router mode  default firewall rules  bidirectional throughput  35 Mbps  
22.   24V OV  24V0V  24 V OV       Jl          Al    top view   top view     3 g  H                 z    Q        W  J J    a 1 4 Connecting the supply OS    Service 2  Service 2              1    ey   CM   4  4    The mGuard rs4000 has a redundant supply voltage  If you only connect one supply volt   age  you will get an error message     e Remove the plug in screw terminal blocks for the power supply and the service con   tacts     e Do not connect the service contacts to an external voltage source   e Wire the supply voltage lines with the corresponding screw terminal block  P1 P2  of  the mGuard  Tighten the screws on the screw terminal blocks with 0 5     0 8 Nm     e     Insert the screw terminal blocks into the intended sockets on the top of the mGuard  see  Figure 1 4      Status LED P1 lights up green when the supply voltage has been connected properly  On  the mGuard rs4000  the status indicator P2 also lights up if there is a redundant supply volt   age connection     The mGuard boots the firmware  Status STAT LED flashes green  The mGuard is ready for  operation as soon as the Ethernet socket LEDs light up  Additionally  status LEDs P1 P2  light up green and the status STAT LED flashes green at heartbeat     Redundant voltage supply  mGuard rs4000     A redundant supply voltage can be connected  Both inputs are isolated  The load is not dis   tributed  With a redundant supply  the power supply unit with the higher output voltage sup   plies the mGuard rs4000 alone  Th
23.   If the web browser repeatedly reports that the page cannot be displayed, try the following:
• Check whether the default gateway of the connected configuration computer is initialized (see "Local configuration on startup (EIS)" on page 95).
• Disable any active firewalls.
• Make sure that the browser does not use a proxy server.
  In Internet Explorer (Version 8), make the following settings: "Tools" menu, "Internet Options", "Connections" tab.
  Click on "Properties" under "LAN settings".
  Check that "Use a proxy server for your LAN" (under "Proxy server") is not activated in the "Local Area Network (LAN) Settings" dialog box.
• If other LAN connections are active on the computer, deactivate them until the configuration has been completed.
  Under the Windows menu "Start, Settings, Control Panel, Network Connections" or "Network and Dial-up Connections", right-click on the corresponding icon and select "Disable" in the context menu.

mGuard pci SD

After successful connection establishment

Once a connection has been established successfully, a security alert may be displayed.

Explanation: As administrative tasks can only be performed using encrypted access, a self-signed certificate is supplied with the device.
• Click "Yes" to acknowledge the security alert.
The login window is displayed.

Login to  mguard    User Name     Password        Fi
24.   6 mGuard smart²/smart

Table 6-1 Available mGuard smart²/mGuard smart versions

mGuard smart VPN BD 101030

The mGuard smart² is the smallest device version. For example, it can be inserted between the computer or local network and an available router, without having to make configuration changes or perform driver installations on the existing system. It is designed for instant use in the office or when traveling.

The mGuard smart² is a further development of the mGuard smart. To aid understanding, mGuard smart² is mostly used for the two device versions in this user manual. The properties described also apply to the mGuard smart. Differences from the mGuard smart are indicated, if applicable.

Figure 6-1 mGuard smart

6.1 Operating elements and LEDs

Reset button: Located in the opening. Can be pressed with a straightened paper clip, for example.

LED1, LED2, LED3

Figure 6-2 Operating elements and LEDs on the mGuard smart

Table 6-2 LEDs on the mGuard smart

Green, on: LAN: connection to the network partner is present
Green, flashing: LAN: data transmission is active
Red/green, flashing: Boot process. When the device has just been connected to the power supply. After a few seconds, this LED changes to the heartbeat state.
Flashing: Heartbeat. The de
25.   Signal contact (signal output)

Service contacts up to firmware version 8.0

The push button or on/off switch is used to establish and release a predefined VPN connection.

The output indicates the status of the VPN connection (in the web interface under "IPsec VPN >> Global >> Options").

• To establish the VPN connection, hold down the button for a few seconds until the INFO LED flashes. Only then release the button.
  Flashing indicates that the mGuard has received the command to establish the VPN connection and is establishing the VPN connection. As soon as the VPN connection is established, the INFO LED remains lit continuously.
• To release the VPN connection, hold down the button for a few seconds until the signal output flashes or goes out. Only then release the button.
  As soon as the INFO LED goes out, the VPN connection is released.

• To establish the VPN connection, set the switch to the ON position.
• To release the VPN connection, set the switch to the OFF position.

If the INFO LED does not light up, this generally indicates that the defined VPN connection is not present. Either the VPN connection was not established or it has failed due to an error.

If the INFO LED is illuminated, the VPN connection is present.
If the INFO LED is flashing, the VPN connection is being established or released.

The signal contact monitors the function of the mGuard rs4000/rs2000 and thus enables remote diagnostics.

The 
26.   be assigned via BootP. On the Internet, numerous BootP servers are available. You can use any of these programs for address assignment.

Section 14.1 explains IP address assignment using the free Windows software "IP Assignment Tool" (IPAssign.exe).

Notes for BootP

During initial startup, the mGuard transmits BootP requests without interruption until it receives a valid IP address. After receiving a valid IP address, the mGuard no longer sends BootP requests. The product can then no longer be accessed via IP address 192.168.1.1.

After receiving a BootP reply, the mGuard no longer sends BootP requests, not even after it has been restarted. For the mGuard to send BootP requests again, it must either be set to the default settings or one of the procedures (recovery or flash) must be performed.

Requirements

The mGuard is connected to a computer using a Microsoft Windows operating system.

Web-based administrator interface
If you have forgotten the configured address
If the administrator web page is not displayed

EAGLE mGuard

13.6 Establishing a local configuration connection

The mGuard is configured via a web browser that is executed on the configuration computer.

NOTE: The web browser used must support SSL encryption (i.e., HTTPS).

The mGuard can be accessed via one of the following addresses:

Table 13-4 Preset addresses

Default setting Manageme
27.   for connecting to the external network (Internet)

Figure 5-2 Operating elements and LEDs on the mGuard pci SD

Table 5-2 LEDs on the mGuard pci SD

WAN 1, LAN 1 (green):
  On: Full duplex
  Off: Half duplex
WAN 2, LAN 2 (yellow):
  On: 10 Mbps
  Flashing: 10 Mbps, data transmission active
WAN 2, LAN 2 (green):
  On: 100 Mbps
  Flashing: 100 Mbps, data transmission active
LAN 1, LAN 2, WAN 1 (various LED light codes): Recovery procedure, flashing
STAT (red/green), flashing: Boot process. When the device has just been connected to the power supply. After a few seconds, this LED changes to the heartbeat state.
  See "Restart, recovery procedure, and flashing the firmware" on page 104.
Flashing: Heartbeat. The mGuard is connected correctly and ready to operate.
Flashing: System error. Restart the device.
  • Press the Reset button (for 1.5 seconds).
  • Alternatively, briefly disconnect the device power supply and then connect it again.
  If the error is still present, start the recovery procedure (see "Performing a recovery procedure" on page 105) or contact your dealer.

mGuard pci SD

5.2 Startup

5.2.1 Safety notes

To ensure correct operation and the safety of the environment and of personnel, the mGuard must be installed, operated, and maintained correctly.

NOTE: Risk of material damage due to incorrect wiring. O
28.   select "Internet Options" and click on the "Connections" tab.
• Under "Dial-up and Virtual Private Network settings", select "Never dial a connection".
• Enter the address of the mGuard completely into the address line of the web browser (refer to Table 12-5).

You access the administrator website of the mGuard.

If the administrator web page of the mGuard cannot be accessed

If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see "Performing a recovery procedure" on page 233).

If the web browser repeatedly reports that the page cannot be displayed, try the following:
• Check whether the default gateway of the connected configuration computer is initialized (see "Local configuration on startup (EIS)" on page 225).
• Disable any active firewalls.
• Make sure that the browser does not use a proxy server.
  In Internet Explorer (Version 8), make the following settings: "Tools" menu, "Internet Options", "Connections" tab.
  Click on "Properties" under "LAN settings".
  Check that "Use a proxy server for your LAN" (under "Proxy server") is not activated in the "Local Area Network (LAN) Settings" dialog box.
• If other LAN connections are active on the computer, deactivate them until the configuration ha
29.  2 mGuard rs4000/rs2000 Switch

Table 2-1 Available mGuard rs4000/rs2000 Switch versions

mGuard rs4000 4TX TX HW 107020
mGuard rs4000 4TX TX VPN BD 702000
mGuard rs2000 5TX TX VPN HW 108020

The mGuard rs4000 Switch is suitable for distributed protection of production cells or individual machines against manipulation.

It features a 4-port managed LAN switch, one WAN port and one DMZ port, and a serial interface.

The serial interface can be switched to the WAN interface as redundancy path, for example. A dedicated DMZ port with its own firewall rules enables segmentation and differentiated safety concepts. You can integrate automation devices with serial interfaces into networks, as a COM server is integrated.

For software-independent remote maintenance, the mGuard rs4000 Switch can be used as a VPN router for up to 250 parallel, IPsec-encrypted VPN tunnels.

The mGuard rs2000 Switch is a version with basic firewall and can be used as a VPN client for up to two parallel, IPsec-encrypted VPN tunnels. It is suitable for secure remote maintenance applications and enables connection of globally distributed machines and controllers.

Both versions support a replaceable configuration memory in the form of an SD card. To increase safety, VPN connections can be switched on or off via a switch contact or software interface. The fanless metal housing is mounted on a DIN rail.
30.  1300408 upper memory
Boot rootfs1
Boot rootfs2
Check the file system(s) of firmware on rootfs1
Check the file system(s) of firmware on rootfs2
start rescue procedure via DHCP BOOTP TFTP
start rescue procedure from CD, DVD, USB stick or SD Card
Use the ↑ and ↓ keys to select which entry is highlighted.
Press enter to boot the selected OS or 'p' to enter a password to unlock the next set of features.

Figure 7-4 mGuard centerport: boot menu

To select and apply one of the boot options, proceed as follows:
1. Select one of the displayed options with the direction keys ↑ or ↓.
2. Then press the Enter button.

Boot options

Boot rootfs1
Start the primary firmware version on the device (A). This is the default setting; it is applied if the user does not intervene during startup.

Boot rootfs2
Not supported by the current firmware version.

Check the file system(s) of firmware on rootfs1
If required, checks and repairs all firmware file systems.
This menu item is only to be used in special cases when the user has the appropriate knowledge or upon instruction from the dealer support team. The mGuard firmware checks and repairs the file systems, if required, even during the normal startup process. The firmware uses its file systems in a highly robust manner when the mass storage device cache is switched off, so that there is not usually any need for repairs.

Check the file system(s) of firmware on rootfs2
Not supported by
31.  255.0
Default gateway: 192.168.1.1

Depending on the configuration of the mGuard, it may then be necessary to adapt the network interface of the locally connected computer or network accordingly.

4.5.2 IP address https://1.1.1.1/

In order for the mGuard to be addressed via address https://1.1.1.1/, it must be connected to a configured network interface. This is the case if it is connected in an existing network connection and if the default gateway can be accessed via the WAN port of the mGuard at the same time.

In this case, the web browser establishes a connection to the mGuard configuration interface after the address https://1.1.1.1/ is entered (see "Establishing a local configuration connection" on page 83). Continue from this point.

After access via IP address 1.1.1.1, the FL MGUARD can no longer be accessed via IP address 192.168.1.1.

mGuard delta

4.5.3 Assigning the IP address via BootP

After assigning an IP address via BootP, the FL MGUARD can no longer be accessed via IP address 192.168.1.1.

For IP address assignment, the mGuard uses the BootP protocol. The IP address can also be assigned via BootP. On the Internet, numerous BootP servers are available. You can use any of these programs for address assignment.

Section 14.1 explains IP address assignment using the free Windows software "IP Assignment Tool" (IPAssign.exe).

Notes for BootP

During initia
32.  [Screenshots: "Found New Hardware Wizard" dialogs "Locate Driver Files" and "Driver Files Search Results" for the hardware device "Innominate mGuardPCI"; optional search locations: Floppy disk drives, Specify a location, Microsoft Windows Update]

Figure 9-9 Driver installation under Windows 2000 (1)

1. Click "Next".
2. Select "Search for a suitable driver for my device (recommended)" and click "Next".
3. Select "Specify a location" and click "Next".
4. Click "Next".

mGuard pci

5 Digital Signature Not Found       The Microsoft digital signature affirms that software has  been tested with Windows and that the software has not  been altered since it was tested 
33.  3 to 5 minutes. The State LED is lit continuously.
The new firmware is extracted and configured. This procedure takes 1 to 3 minutes.
As soon as the procedure is complete, the Modem, State, and LAN LEDs flash green simultaneously.
Restart the mGuard. To do this, briefly press the Reset button.

The mGuard is in the delivery state. You can now configure it again (see "Establishing a local configuration connection" on page 229).

Hardware properties: Platform; Network interfaces; Other interfaces; Drives; Redundancy options; Power supply; Power consumption; Humidity range; Degree of protection; Temperature range; Dimensions (H x W x D); Weight

Firmware and power values: Firmware compatibility; Data throughput (router/firewall); Hardware-based encryption; Encrypted VPN throughput (AES-256); Management support; Diagnostics

Other: Conformance

mGuard industrial rs

Technical data

Intel network processor with 533 MHz clocking
1 LAN port, 1 WAN port; Ethernet IEEE 802.3 10/100 Base TX, RJ45, full duplex, auto MDIX
Serial RS-232, RJ11 socket
Optional analog modem, optional ISDN TA
Depending on the firmware used
24 V DC / 170 mA, SELV, redundant, voltage range 9 V ... 36 V
4.1 W (typical)
10 ... 95 % during operation, non-condensing
IP20
0 °C ... 55 °C (operation)
20 °C ... 70 °C (storage)
100 x 45 x 112 mm
250 g

mGua
34.  BootP requests without interruption until it receives a valid IP address. After receiving a valid IP address, the mGuard no longer sends BootP requests. The product can then no longer be accessed via IP address 192.168.1.1.

After receiving a BootP reply, the mGuard no longer sends BootP requests, not even after it has been restarted. For the mGuard to send BootP requests again, it must either be set to the default settings or one of the procedures (recovery or flash) must be performed.

Requirements

The mGuard is connected to a computer using a Microsoft Windows operating system.

mGuard rs4000/rs2000

Web-based administrator interface
If you have forgotten the configured address
If the administrator web page is not displayed

1.6 Establishing a local configuration connection

The mGuard is configured via a web browser that is executed on the configuration computer.

NOTE: The web browser used must support SSL encryption (i.e., HTTPS).

The mGuard can be accessed via one of the following addresses:

Table 1-4 Preset addresses

Default setting / mode / Management IP 1 / Management IP 2
mGuard rs4000: https://1.1.1.1/, https://192.168.1.1/
mGuard rs2000: https://1.1.1.1/, https://192.168.1.1/

Proceed as follows:
• Start a web browser.
• Make sure that the browser, when it is started, does not automatically establish a connection as otherwise the connection establishment to the mGuard ma
35.  Figure 12-11 Reset button

12.8.1 Performing a restart

Objective: The device is restarted with the configured settings.

Action:
• Press the Reset button for around 1.5 seconds until the middle LED lights up red. (Alternatively, disconnect the power supply and then connect it again.)

mGuard industrial rs

12.8.2 Performing a recovery procedure

Objective: The network configuration (but not the rest of the configuration) is to be reset to the delivery state, as it is no longer possible to access the mGuard.

When performing the recovery procedure, the default settings are established:

Table 12-6 Preset addresses

Default setting / mode / Management IP 1 / Management IP 2
mGuard industrial rs: https://1.1.1.1/, https://192.168.1.1/

- The mGuard is reset to Stealth mode with the default setting "multiple Clients".
- The CIFS integrity monitoring function is also disabled because this only works when the management IP is active.
- In addition, MAU management is switched on for Ethernet connections. HTTPS access is enabled via the local Ethernet connection (LAN).
- The settings configured for VPN connections and the firewall are retained, including passwords.

Possible reasons for performing the recovery procedure:
- The mGuard is in Router or PPPoE mode.
- The configured device address of the mGuard differs from the default setting.
- The curr
36.  Flashing: Heartbeat. The device is correctly connected and operating.
Flashing: System error. Restart the device.
  • Press the Reset button (for 1.5 seconds).
  • Alternatively, briefly disconnect the device power supply and then connect it again.
  If the error is still present, start the recovery procedure (see "Performing a recovery procedure" on page 233) or contact your dealer.
Flashing alternately, green and: Boot process. When the device has just been connected to the power supply. After a few seconds, this LED changes to the heartbeat state.
Ethernet status: Indicates the status of the LAN or WAN port. As soon as the device is connected to the relevant network, a continuous light indicates that there is a connection to the network partner in the LAN or WAN. When data packets are transmitted, the LED goes out briefly.

mGuard industrial rs

12.2 Startup

12.2.1 Safety notes

To ensure correct operation and the safety of the environment and of personnel, the mGuard must be installed, operated, and maintained correctly.

NOTE: Risk of material damage due to incorrect wiring. Only connect the mGuard network ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the mGuard.

General notes regarding usage

NOTE: Select suitable ambient conditions:
- Ambient temperature: 0 °C ... 5
37.  mGuard
Configuration of the mGuard Security Appliances
Hardware Reference Manual

Innominate Security Technologies

User manual
Installing and starting up the mGuard hardware

Designation: UM EN MGUARD DEVICES
Revision: 02
Order No.:
2015-07-24

This user manual is valid for the following devices of the mGuard product range:
- mGuard rs4000/rs2000
  - rs4000 TX TX
  - rs4000 TX TX VPN
  - rs2000 TX TX VPN
- mGuard rs4000/rs2000 Switch
  - rs4000 4TX TX
  - rs4000 4TX TX VPN
  - rs2000 5TX TX VPN
- mGuard rs4000/rs2000 3G
  - rs4000 4TX 3G TX VPN
  - rs2000 4TX 3G VPN
- mGuard smart²/smart
- mGuard pci² SD
- mGuard pcie² SD
- mGuard pci
- mGuard blade
- mGuard delta²
- mGuard delta
- mGuard centerport²
- mGuard centerport
- mGuard industrial rs
- EAGLE mGuard

115007_en_02

Please observe the following notes

Target group of this user manual

The use of products described in this manual is aimed exclusively at qualified electricians or persons instructed by them, who are familiar with applicable national standards and other regulations regarding electrical engineering and, in particular, the relevant safety concepts.

Explanation of symbols used and signal words

This symbol indicates hazards that could lead to personal injury. Obey all safety measures that follow this symbol to avoid possible injury 
38.  If the supply voltage is not redundant, the EAGLE mGuard indicates the failure of the supply voltage. This message can be prevented by feeding the supply voltage via both inputs.

Ground connection

• To ground the EAGLE mGuard, a separate screw connection is available.

Serial port

WARNING: The serial interface (RJ12 socket) must not be connected directly to the telecommunications connections. To connect a serial terminal or a modem, use a serial cable with RJ12 plug. The maximum cable length of the serial cable is 30 m.

The serial port (serial interface) can be used as follows:

To configure the mGuard via the serial interface. There are two options:
- A PC is connected directly to the serial interface of the mGuard (via the serial interface of the PC). The PC user can then use a terminal program to configure the mGuard via the command line.
- Or a modem is connected to the serial interface of the mGuard. This modem is connected to the telephone network (fixed-line or GSM network). The user of a remote PC, which is also connected to the telephone network by a modem, can then establish a PPP (Point-to-Point Protocol) dial-up connection to the mGuard and configure it via a web browser.

To manage data traffic via the serial interface instead of via the WAN interface of the mGuard. In this case, a modem should be connected to the serial interface.

Pin 6: Not used
Pin 5: CTS
Pin 4: TXD
Pin 3: RTS
Pin 2: RXD
Pin 1: GND

Figure 13-4
39.  If you have forgotten the configured address
If the administrator web page is not displayed

mGuard rs4000/rs2000 Switch

2.6 Establishing a local configuration connection

The device is configured via a web browser that is executed on the configuration computer.

NOTE: The web browser used must support SSL encryption (i.e., HTTPS).

The device can be accessed via the following address:

Table 2-3 Preset address

Default setting / Network mode / Management IP 1
mGuard rs2000 Switch: https://192.168.1.1/
mGuard rs4000 Switch: https://192.168.1.1/

Proceed as follows:
• Start a web browser.
• Make sure that the browser, when it is started, does not automatically establish a connection as otherwise the connection establishment to the device may be more difficult.

In Internet Explorer, make the following settings:
• In the "Tools" menu, select "Internet Options" and click on the "Connections" tab.
• Under "Dial-up and Virtual Private Network settings", select "Never dial a connection".
• Enter the address of the device completely into the address line of the web browser (refer to Table 2-3).

You access the administrator website of the device.

If the administrator web page of the device cannot be accessed

If the address of the device in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the device must be reset to the default settings specified ab
40.  Pin assignment of the RJ12 socket (serial port)

EAGLE mGuard

Mounting

The device is ready to operate when it is supplied. The recommended sequence for mounting is as follows:
• Pull out the terminal block from the EAGLE mGuard and wire the supply voltage lines and signal lines.
• Mount the EAGLE mGuard on a grounded 35 mm DIN rail according to EN 60715.

Figure 13-5 EAGLE mGuard: DIN rail mounting

• Attach the top snap-on foot of the EAGLE mGuard to the DIN rail and then press the EAGLE mGuard down towards the DIN rail until it engages with a click.
• Connect the device to the local network or the local computer to be protected (LAN).
• Via the socket for connection to the external network, establish the connection to the external network, e.g., Internet. Connections to the remote device or network are established via this network.
• The front plate of the EAGLE mGuard housing is grounded via the ground connection.

Network connection

NOTE: If your computer is already connected to a network, patch the EAGLE mGuard between the existing network connection.

Please note that configuration can only be completed via the LAN interface and that the firewall of the EAGLE mGuard blocks all IP data traffic from the WAN to the LAN interface.

Driver installation is not required.

For security reasons, we recommend you change the default root and administrator 
41.  Technical data ... 195
11 mGuard centerport ... 197
11.1 Operating elements and LEDs ... 198
11.2 [title illegible] ... 199
11.3 Installing and booting mGuard centerport ... 200
11.4 Preparing the configuration ... 204
11.5 Establishing a local configuration connection ... 206
11.6 Remote configuration ... 208
11.7 Restart, recovery procedure, and flashing the firmware ... 209
11.8 Performing a restart ... 209
Technical data ... 214
12 mGuard industrial rs ... 215
12.1 Operating elements and LEDs ... 216
12.2 Startup ... 217
12.3 Installation of mGuard industrial rs ... 218
12.4 Preparing the configuration ... 225
12.5 Configuration in Stealth mode ... 226
12.6 E
42.  The option for remote configuration is disabled by default.

Switch on the remote configuration option in the web interface under "Management >> Web Settings".

To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there.

Proceed as follows:
• Start the web browser on the remote computer.
• Under address, enter the IP address where the mGuard can be accessed externally over the Internet or WAN, together with the port number (if required).

If the mGuard can be accessed over the Internet, for example, via address https://123.45.67.89/ and port number 443 has been specified for remote access, the following address must be entered in the web browser of the remote peer: https://123.45.67.89/

If a different port number is used, it should be entered after the IP address, e.g., https://123.45.67.89:442/

The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual.

mGuard rs4000/rs2000

1.8 Restart, recovery procedure, and flashing the firmware

The Reset button is used to set the device to one of the following states:
- Performing a restart
- Performing a recovery procedure
- Flashing the firmware/rescue procedure

Figure 1-6 Reset button

1.8.1 Performing a restart

Objective: The device is restarted with the config
43.  as a fixed management IP address.

After access via IP address 1.1.1.1 or after IP address assignment via BootP, the FL MGUARD can no longer be accessed via IP address 192.168.1.1.

mGuard delta

4.5.1 IP address 192.168.1.1

In Stealth mode, the mGuard can be accessed via the LAN interface via IP address 192.168.1.1 within network 192.168.1.0/24, if one of the following conditions applies:
- The mGuard is in the delivery state.
- The mGuard was reset to the default settings via the web interface and restarted.
- The rescue procedure (flashing of the mGuard) or the recovery procedure has been performed.

With a configured network interface

To access the configuration interface, it may be necessary to adapt the network configuration of your computer.

Under Windows 7, proceed as follows:
• In the Control Panel, open the "Network and Sharing Center".
• Click on "LAN connection". (The "LAN connection" item is only displayed if a connection exists from the LAN interface on the computer to a mGuard in operation or another partner.)
• Click on "Properties".
• Select the menu item "Internet protocol Version 4 (TCP/IPv4)".
• Click on "Properties".
• First select "Use the following IP address" under "Internet Protocol Version 4 Properties", then enter the following address, for example:

IP address: 192.168.1.2
Subnet mask: 255.255
44.  button within a second of entering the recovery state.
If the Reset button is not released, the mGuard is restarted.
The mGuard now starts the recovery system: It searches for a DHCP server via the LAN interface in order to obtain an IP address.
The red LAN LED flashes.
The "install.p7s" file is loaded from the TFTP server or SD card. It contains the electronically signed control procedure for the installation process. Only files that are signed are executed.
The control procedure deletes the current contents of the Flash memory and prepares for a new firmware installation.
The green LEDs and the red LAN LED form a running light.
The "jffs2.img.p7s" firmware file is downloaded from the TFTP server or SD card and written to the Flash memory. This file contains the actual mGuard operating system and is signed electronically. Only files signed by Innominate are accepted.
This process takes around 3 to 5 minutes. The green LEDs flash, while the red LAN LED is lit continuously.
The new firmware is extracted and configured. This procedure takes 1 to 3 minutes.
• As soon as the procedure has been completed, the mGuard restarts.

The mGuard is in the delivery state. You can now configure it again (see "Establishing a local configuration connection" on page 189).

Hardware properties: Platform; Network interfaces; Other interfaces; Drives; Redundancy options; Power supply; Power consum
45. connection exists from the LAN interface on the computer to a mGuard in operation or another partner.) Click on "Properties". Select the menu item "Internet protocol Version 4 (TCP/IPv4)". Click on "Properties". First select "Use the following IP address" under "Internet Protocol Version 4 Properties", then enter the following address, for example: IP address: 192.168.1.2, Subnet mask: 255.255.255.0, Default gateway: 192.168.1.1. Depending on the configuration of the mGuard, it may then be necessary to adapt the network interface of the locally connected computer or network accordingly. Margin headings: Web-based administrator interface; If you have forgotten the configured address; If the administrator web page is not displayed. mGuard delta. 8.5 Establishing a local configuration connection. The mGuard is configured via a web browser that is executed on the configuration computer. NOTE: The web browser used must support SSL encryption (i.e., HTTPS). The mGuard can be accessed via one of the following addresses. Table 8-4 Preset addresses (columns: Default setting, Network mode, Management IP #1, Management IP #2): mGuard delta, Router, https://192.168.1.1/. Proceed as follows. Start a web browser. Make sure that the browser, when it is started, does not automatically establish a connection as otherwise the connection establishmen
46. erating mode of the mGuard is referred to as Power over PCI mode. A driver is not installed. 9.3.1 Driver mode. In this mode, a driver for the PCI interface of the mGuard pci (available for Windows XP/2000 and Linux) must be installed later on the computer. In Driver mode, no additional network card is required for the computer. mGuard pci. Stealth mode in Driver mode (default setting): In Driver mode, the LAN Ethernet socket is switched off. The LAN interface of the mGuard is occupied internally by the host computer. Figure 9-3 Driver mode: Stealth mode. In Stealth mode, the mGuard behaves like a normal network card. The IP address that is configured for the network interface of the operating system (LAN port) is also used by the mGuard for its WAN port. This means that the mGuard does not appear as a separate device with its own address for data traffic to and from the computer. In Stealth mode, PPPoE and PPTP cannot be used. Router mode in Driver mode: Figure 9-4 Driver mode: Router mode (figure labels: Operating system, 192.168.1.2, 192.168.1.1, External IP). If the mGuard is in Router mode (or PPPoE or PPTP mode), it essentially creates its own network with the operating system of the computer in which the mGuard is installed.
47. flashing the firmware. Therefore, they do not have to be installed again. Possible reasons: The administrator and root password have been lost. Requirements: NOTE: To flash the firmware, a DHCP and TFTP server or a BootP and TFTP server must be installed on the locally connected computer. Install the DHCP and TFTP server, if necessary (see "Technical data" on page 253). NOTE: Installing a second DHCP server in a network could affect the configuration of the entire network. Action: NOTE: Do not interrupt the power supply to the mGuard during any stage of the flashing procedure. Otherwise, the device could be damaged and may have to be reactivated by the manufacturer. Hold down the Reset button until the 1, 2, and V.24 LEDs light up. Then, the mGuard is in the recovery state. Release the Reset button within a second of entering the recovery state. If the Reset button is not released, the mGuard is restarted. The mGuard now starts the recovery system. It searches for a DHCP server via the LAN interface in order to obtain an IP address. The 1, 2, and V.24 LEDs light up orange. The "install.p7s" file is loaded from the TFTP server or SD card. It contains the electronically signed control procedure for the installation process. Only files that are signed are executed. The control procedure deletes the current contents of the Flash memory and prepares for a new firmware installation. The 1, 2, and V.24 LEDs form a running
48. in screw terminal blocks (assignment: refer to Page 16 and Page 19). Connections below. LEDs (see Table 1-2). Configuration SD card. Figure 1-2 Operating elements and LEDs on the mGuard rs4000. Table 1-2 LEDs on the mGuard rs4000 and mGuard rs2000: Power supply 1 is active. Power supply 2 is active (mGuard rs2000: not used). Heartbeat: The device is correctly connected and operating. System error: Restart the device. Press the Reset button (for 1.5 seconds). Alternatively, briefly disconnect the device power supply and then connect it again. If the error is still present, start the recovery procedure (see Page 28) or contact your dealer. Flashing alternately, green and: Boot process. When the device has just been connected to the power supply. After a few seconds, this LED changes to the heartbeat state. Not used. The signal output takes low level due to an error (inverted logic) (see Page 17 or Page 18). The signal output is inactive during a restart. Connection via modem established. mGuard rs4000/rs2000. Green: On, Flashing. Green: On. Up to firmware version 8.0, the configured VPN connection has been established. As of firmware version 8.1, the configured VPN connections are established or the firewall rule records defined at output O1 are activated. Up to firm
49. inputs/outputs, inserted. 3.2.3 mGuard Firmware: The device must be operated with mGuard Firmware version 8.0 or higher. mGuard rs4000/rs2000 3G. 3.3 Installation of mGuard rs4000/rs2000 3G. 3.3.1 Mounting/removal. NOTE: Device damage. Only mount and remove devices when the power supply is disconnected. The device is ready to operate when it is supplied. The recommended sequence for mounting and connection is as follows. Mounting: Mount the mGuard rs4000/rs2000 3G on a grounded 35 mm DIN rail according to DIN EN 60715. Figure 3-3 Mounting the mGuard rs4000/rs2000 3G on a DIN rail. Attach the top snap-on foot of the mGuard rs4000/rs2000 3G to the DIN rail and then press the mGuard rs4000/rs2000 3G down towards the DIN rail until it engages with a click. Removal: Remove or disconnect the connections. To remove the mGuard rs4000/rs2000 3G from the DIN rail, insert a screwdriver horizontally in the locking slide under the housing, pull it down (without tilting the screwdriver), and then pull up the mGuard rs4000/rs2000 3G. 3.3.2 Connecting to the network. NOTE: Risk of material damage due to incorrect wiring. Only connect the mGuard network ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the
50. into the socket strip. Tighten the card slot plate. Close the computer cover again. Connect the computer power cable again and switch on the computer. 9.3.4 Installing drivers. Driver installation is only required and supported if the mGuard pci is operating in driver mode (see "Driver mode" on page 160). If necessary, follow the steps described in "Installing the hardware" on page 164. You should have the driver files on a data carrier. If not: Download the driver files from the download area at www.innominate.com. Extract the files from the ZIP. Copy the extracted files to a data carrier (e.g., CD-ROM, USB memory stick). mGuard pci. Under Windows XP: After installing the hardware, switch on the computer. Log on with administrator rights and wait until the following window appears. [Screenshot: Windows XP "Found New Hardware Wizard" (German-language dialog) for the "Ethernet Controller" hardware component]
51. is permitted. The mGuard must be connected, i.e., the required connections must be working. 8.4.2 Local configuration on startup (EIS). As of firmware version 7.2, initial startup of mGuard products provided in Stealth mode is considerably easier. From this version onwards, the EIS (Easy Initial Setup) procedure enables startup to be performed via preset or user-defined management addresses without actually having to connect to an external network. The mGuard is configured using a web browser on the computer used for configuration. NOTE: The web browser used must support SSL encryption (i.e., HTTPS). According to the default setting, the mGuard can be accessed via the following addresses. Table 8-3 Preset addresses (columns: Default setting, Network mode, Management IP #1, Management IP #2): mGuard delta, Router, https://192.168.1.1/. mGuard delta. 8.4.3 Configuration in Router mode. By default upon delivery, following a reset to the default settings or after flashing the mGuard, the mGuard can be accessed within network 192.168.1.0/24 via LAN interface 4 to 7 under IP address 192.168.1.1. To access the configuration interface, it may be necessary to adapt the network configuration of your computer. Under Windows 7, proceed as follows. In the Control Panel, open the "Network and Sharing Center". Click on "LAN connection". (The "LAN connection" item is only displayed if a
52. light. The "jffs2.img.p7s" firmware file is downloaded from the TFTP server or SD card and written to the Flash memory. This file contains the actual mGuard operating system and is signed electronically. Only files signed by Innominate are accepted. This process takes around 3 to 5 minutes. The 1, 2, and V.24 LEDs are off; the P1, P2, and STATUS LEDs light up continuously green. The new firmware is extracted and configured. This procedure takes 1 to 3 minutes. As soon as the procedure is complete, the 1, 2, and V.24 LEDs flash green simultaneously. Restart the mGuard. To do this, briefly press the Reset button. The mGuard is in the delivery state. You can now configure it again (see "Establishing a local configuration connection" on page 247). EAGLE mGuard. Technical data. Row labels, Hardware properties: Platform, Network interfaces, Other interfaces, Drives, Redundancy options, Power supply, Power consumption, Humidity range, Degree of protection, Temperature range, Dimensions (H x W x D), Weight. Row labels, Firmware and power values: Firmware compatibility, Data throughput (router/firewall), Hardware-based encryption, Encrypted VPN throughput (AES-256), Management support, Diagnostics. Other: Conformance. Platform: Intel network processor with 533 MHz clocking. Network interfaces: 1 LAN port, 1 WAN port; Ethernet IEEE 802.3 10/100 Base TX; RJ45; full duplex; auto MDIX. Optional 1
53. management IP is active. In addition, MAU management is switched on for Ethernet connections. HTTPS access is enabled via the local Ethernet connection (LAN). The settings configured for VPN connections and the firewall are retained, including passwords. Possible reasons for performing the recovery procedure: The mGuard is in Router or PPPoE mode. The configured device address of the mGuard differs from the default setting. The current IP address of the device is not known. Up-to-date information on the recovery and flashing procedure can be found in the application note for your mGuard firmware version. You can find application notes under the following Internet address: www.innominate.com. Action: Slowly press the Reset button six times. After approximately 2 seconds, the STAT LED lights up green. Press the Reset button slowly again six times. If successful, the STAT LED lights up green. If unsuccessful, the STAT LED lights up red. If successful, the device restarts after two seconds and switches to Stealth mode. The device can then be reached again under the corresponding addresses. mGuard pci SD. 5.8.3 Flashing the firmware/rescue procedure. Objective: The entire firmware of the mGuard should be reloaded on the device. All configured settings are deleted. The mGuard is set to the delivery state. In Version 5.0.0 or later of the mGua
54. may be more difficult. In Internet Explorer, make the following settings. In the "Tools" menu, select "Internet Options" and click on the "Connections" tab. Under "Dial-up and Virtual Private Network settings", select "Never dial a connection". Enter the address of the mGuard completely into the address line of the web browser (refer to Table 4-4). You access the administrator website of the mGuard. If the administrator web page of the mGuard cannot be accessed: If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see "Performing a recovery procedure" on page 87). If the web browser repeatedly reports that the page cannot be displayed, try the following. Check whether the default gateway of the connected configuration computer is initialized (see "Local configuration on startup (EIS)" on page 79). Disable any active firewalls. Make sure that the browser does not use a proxy server. In Internet Explorer (Version 8), make the following settings: "Tools" menu, "Internet Options", "Connections" tab. Click on "Properties" under "LAN settings". Check that "Use a proxy server for your LAN" (under "Proxy server") is not activated in the "Local Area Network (LAN) Settings" dialog box
55. minutes. As soon as the procedure is complete, the Stat, Mod, and Sig LEDs flash green simultaneously. Restart the device. To do so, press the reset button. (Alternatively, disconnect the power supply and then connect it again.) The device is in the delivery state. You can now configure it again (see "Establishing a local configuration connection" on page 43). mGuard rs4000/rs2000 Switch. 2.9 Technical data. Row labels, Hardware properties: Platform, Network interfaces, Other interfaces, Memory, Redundancy options, Power supply, Current consumption, Humidity range, Degree of protection, Temperature range, Dimensions (H x W x D), Weight. Row labels, Firmware and power values: Firmware compatibility, Data throughput (router/firewall), Virtual Private Network (VPN), Hardware-based encryption, Encrypted VPN throughput (AES-256), Management support, Diagnostics. Other: Special features. mGuard rs2000 Switch: Freescale network processor. mGuard rs4000 Switch: Freescale network processor. 4 LAN ports (managed), 1 DMZ port, 5 LAN ports (unmanaged), 1 WAN port. Ethernet IEEE 802.3 10/100 Base TX (both columns); RJ45, full duplex, auto MDIX (both columns). Serial RS-232, D-SUB 9 connector (both columns). 3 digital inputs and 3 digital outputs (both columns)
56. more difficult. In Internet Explorer, make the following settings. In the "Tools" menu, select "Internet Options" and click on the "Connections" tab. Under "Dial-up and Virtual Private Network settings", select "Never dial a connection". Enter the address of the mGuard completely into the address line of the web browser (refer to Table 7-3). You access the administrator website of the mGuard. If the administrator web page of the mGuard cannot be accessed: If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see "Performing a recovery procedure" on page 136). If the web browser repeatedly reports that the page cannot be displayed, try the following. Disable any active firewalls. Make sure that the browser does not use a proxy server. In Internet Explorer (Version 8), make the following settings: "Tools" menu, "Internet Options", "Connections" tab. Click on "Properties" under "LAN settings". Check that "Use a proxy server for your LAN" (under "Proxy server") is not activated in the "Local Area Network (LAN) Settings" dialog box. If other LAN connections are active on the computer, deactivate them until the configuration has been completed. Under the Windows menu "Start, Setti
57. of Microsoft Windows XP. Set the following in the "Internet Protocol (TCP/IP) Properties" of the relevant network interface of the configuration computer: IP address: 192.168.1.10, Subnet mask: 255.255.255.0, Default gateway: 192.168.1.2. Enter the address assigned into the browser: https://192.168.1.1/. Configure the mGuard as described in "Configuring the mGuard pci SD" on page 97. mGuard pci SD. 5.5.3 Starting up mGuard pci SD via BootP. In initial startup mode, the mGuard pci additionally starts a BootP client on the internal network interface (LAN 1). The BootP client is compatible with the "IPAssign" BootP servers from Phoenix Contact as well as "DHCPD" under Linux. This software can either be downloaded free of charge at phoenixcontact.net/products or at www.innominate.com under "Downloads > Software". IP address assignment using IPAssign is described in detail in "Assigning the IP address using IPAssign.exe" on page 255. If a non-configured mGuard pci SD accesses a BootP server after booting, the BootP protocol assigns an IP address, a subnet mask, and optionally a default gateway of the internal network interface to the mGuard pci SD. These parameters are saved in the device, which can then be immediately accessed under these parameters. Enter the address assigned via BootP in the browser, e.g., https://192.168.1.1/. Configure
58. of the same or another computer to be protected or of the network to be protected is connected here. (4) WAN port: Connections to the external network, e.g., Internet, are established via this interface. With the default firewall settings, incoming connections are blocked here. Use a UTP cable (CAT5). How to proceed: Configure the mGuard pci for Driver mode or Power over PCI mode (see "Selection of Driver mode or Power over PCI mode" on page 160). To do this, set the jumper (2) to the relevant position. Figure 9-7 Jumper for Driver mode or Power over PCI mode (jumper positions 1 to 3 shown for each mode). Switch off the computer and any other connected I/O devices. Observe the safety notes for electrostatic discharge. Unplug the power cable. Requirements. mGuard pci. Open the computer cover. Please refer to the description in the computer user manual for this step. Select a free PCI slot (3.3 V or 5 V) for the mGuard pci. Remove the corresponding slot plate by loosening the relevant screw and pulling out the slot plate. Keep the screw for securing the mGuard pci card. Carefully align the pin strip of the mGuard pci card over the socket strip of the PCI slot on the motherboard and then press the card evenly
59. of the mGuard has been previously copied to a USB storage medium (USB stick, USB Flash drive): Firmware/install.x86_64.p7s, Firmware/firmware.img.x86_64.p7s. Effect: The mGuard downloads all necessary files from the connected USB storage medium. (For security reasons, the mGuard centerport does not boot from the USB storage medium.) Once the rescue procedure is complete, a corresponding message appears on the monitor. Follow any further on-screen instructions. mGuard centerport. Start rescue procedure from SD Card. Requirement: The firmware of the mGuard has been previously copied to the SD card: Firmware/install.x86_64.p7s, Firmware/firmware.img.x86_64.p7s. Effect: The mGuard downloads all necessary files from the inserted SD card. With this in mind, while the boot menu is displayed at the latest and before applying this selection, insert the SD card with the stored firmware into the mGuard. (For security reasons, the mGuard centerport does not boot from an SD card.) Once the rescue procedure is complete, a corresponding message appears on the monitor. Follow any further on-screen instructions. The mGuard is in the delivery state. You can now configure it again (see "Establishing a local configuration connection" on page 133). Burning the mGuard firmware to CD/DVD-ROM. The firmware for the mGuard can be burnt to CD/DVD. A zip file is available for download from the download page of w
60. or GSM network). The user of a remote PC, which is also connected to the telephone network by a modem, can then establish a PPP (Point-to-Point Protocol) dial-up connection to the mGuard and configure it via a web browser. To manage data traffic via the serial interface instead of the WAN interface of the mGuard: In this case, a modem should be connected to the serial interface. Figure 10-5 Pin assignment of the RJ12 socket (serial port): Not used: Pin 6; CTS: Pin 5; TXD: Pin 4; RTS: Pin 3; RXD: Pin 2; GND: Pin 1. mGuard blade. 10.4 Preparing the configuration. 10.4.1 Connection requirements. The mGuard blade must be mounted in the mGuard bladebase and at least one of the bladebase device's power supply units must be in operation. For local configuration: The computer used for configuration must be connected to the LAN socket of the mGuard, or the computer must be connected to the mGuard via the network. For remote configuration: The mGuard must be configured so that remote configuration is permitted. The mGuard must be connected, i.e., the required connections must be working. 10.4.2 Local configuration on startup (EIS). As of firmware version 7.2, initial startup of mGuard products provided in Stealth mode is considerably easier. From this version onwards, the EIS (Easy Initial Setup) procedure enables startup to be performed via preset
61. or user-defined management addresses without actually having to connect to an external network. The mGuard is configured using a web browser on the computer used for configuration. NOTE: The web browser used must support SSL encryption (i.e., HTTPS). According to the default setting, the mGuard can be accessed via the following addresses. Table 10-3 Preset addresses (columns: Default setting, Network mode, Management IP #1, Management IP #2): mGuard blade controller, Router, https://192.168.1.1/. The mGuard is preset to the "multiple Clients" stealth configuration. You need to configure a management IP address and default gateway if you want to use VPN connections (see Page 189). Alternatively, you can select a different stealth configuration or use another network mode. mGuard blade. 10.4.3 Configuring the mGuard with the Router mode default setting. By default upon delivery, following a reset to the default setting or after flashing the mGuard, the device can be accessed within network 192.168.1.0/24 via the LAN interface (for mGuard blade: LAN interfaces 4 to 7) under IP address 192.168.1.1. To access the configuration interface, it may be necessary to adapt the network configuration of your computer. Under Windows 7, proceed as follows. In the Control Panel, open the "Network and Sharing Center". Click on "LAN connection". (The "LAN connection" item is only displayed if
62. plug (TC ANT MOBILE GPS, 2903590 from Phoenix Contact). In the case of the mGuard rs2000 3G, the WAN is only available via the mobile network, as a WAN interface is not available. The mobile network function is preset. The mGuard rs2000 3G can only be operated in Router mode. Connecting antennas. Figure 3-5 Antenna connection. Connect a suitable antenna to the antenna connection. Antenna connection: SMA for mobile communication (ANT); RSMA (GPS). If the bar graph indicates good or very good reception, affix the antenna (see "Bar graph" on page 53). mGuard rs4000/rs2000 3G. 3.3.5 SIM card. To establish a mobile communication connection, the mGuard also requires at least one valid mini SIM card in ID-000 format, via which it assigns and authenticates itself to a mobile network. The mGuard rs4000/rs2000 3G can be equipped with two SIM cards. The SIM card in the SIM 1 slot is the primary SIM card, which is normally used to establish the connection. If this connection fails, the device can optionally turn to the second SIM card in slot SIM 2. You can set whether, and under which conditions, the connection to the primary SIM card is restored. The state of the SIM cards is indicated via two LEDs on the front. The LEDs SIM1 and SIM2 light up green when the SIM card is active. If a PIN has not been entered, the LED flashes green. Qu
63. procedure via CD is used. If required, these files can be made available in the Rescue Config folder on the CD. Rescue Config/licence.lic: License file that should be installed in the device during the rescue procedure. Rescue Config/<serial>.lic: As above, only the wildcard <serial> is replaced by the serial number of the device. The same CD can be used for various devices simultaneously. Rescue Config/preconfig.atv: Configuration profile, which should be applied in the firmware during the rescue procedure. The file must be applied by script Rescue Config/preconfig.sh. Rescue Config/<serial>.atv: Same as <serial>.lic. Rescue Config/preconfig.sh: Script file, which is run directly after installation of the new firmware. You can find details in the document "Innominate mGuard Application Note: Rollout Support" under www.innominate.com. mGuard centerport. 11.9 Technical data. Hardware properties. Platform: Multi-core x86 processor architecture. Network interfaces: 1 LAN port, 1 WAN port; Ethernet IEEE 802.3 10/100/1000 Base TX; RJ45; full/half duplex; auto MDIX. Other interfaces: VGA console; 2 x serial RS-232, D-SUB 9 connector; 6 x USB. Drives: 1 HDD, 1 DVD-RW. Redundancy options: Depending on the firmware used. Power supply: 2 x 100 V AC ... 240 V AC, 250 W at 50/60 Hz, redundant. Power consumption: Dependent on the expansion stage. Humidity range: 20
64. telecommunications connections. To connect a serial terminal or a modem, use a serial cable with D-SUB connector. The maximum cable length of the serial cable is 30 m. The serial interface (serial port) can be used as follows. mGuard centerport. To configure the mGuard via the serial interface: There are two options. A PC is connected directly to the serial interface of the mGuard (via the serial interface of the PC). The PC user can then use a terminal program to configure the mGuard via the command line. Or a modem is connected to the serial interface of the mGuard. This modem is connected to the telephone network (fixed-line or GSM network). The user of a remote PC, which is also connected to the telephone network via a modem, can then establish a PPP (Point-to-Point Protocol) dial-up line connection to the mGuard and configure it via a web browser. To manage data traffic via the serial interface instead of via the WAN interface of the mGuard: In this case, a modem should be connected to the serial interface. 7.3.3 Installation in a 19" frame/industrial cabinet. The mains connecting cables of the power supply units are used as mains disconnect points. Sockets that can easily be accessed and that are close to the device must therefore be used for the mains plug. Unplug the mains plug to disconnect the device from the mains. If the device is installed in a control cabinet w
65. the current firmware version. Start rescue procedure via DHCP BootP TFTP. Start rescue procedure from CD / DVD, USB stick or SD Card. "Restart, recovery procedure, and flashing the firmware" on page 136. mGuard centerport. Example. 7.4 Preparing the configuration. 7.4.1 Connection requirements. For the device, the two power supply units must be connected to the power supply source to the mains. (If only one power supply unit is connected, the device can actually be operated, but it will output an acoustic signal.) For local configuration: The computer that is to be used for configuration must be connected to the LAN port on the mGuard. For remote configuration: The mGuard must be configured so that remote configuration is permitted. The mGuard must be connected, i.e., the required connections must be working. 7.4.2 Local configuration on startup (router mode). By default upon delivery, following reset to the default settings or after flashing the mGuard, the mGuard can be accessed within the network 192.168.1.0/24 via the LAN interface under IP address 192.168.1.1. To access the configuration interface, it may be necessary to adapt the network configuration of your computer. Under Windows 7, proceed as follows. In the Control Panel, open the "Network and Sharing Center". Click on "LAN connection". (The "LAN connection" it
66. the device can actually be operated, but it will output an acoustic signal.) For local configuration: The computer that is to be used for configuration must be connected to the LAN socket on the mGuard. For remote configuration: The mGuard must be configured so that remote configuration is permitted. The mGuard must be connected, i.e., the required connections must be working. 11.4.2 Local configuration on startup (EIS). As of firmware version 7.2, initial startup of mGuard products provided in Stealth mode is considerably easier. From this version onwards, the EIS (Easy Initial Setup) procedure enables startup to be performed via preset or user-defined management addresses without actually having to connect to an external network. The mGuard is configured using a web browser on the computer used for configuration. NOTE: The web browser used must support SSL encryption (i.e., HTTPS). According to the default setting, the mGuard can be accessed via the following addresses. Table 11-3 Preset addresses (columns: Default setting, Network mode, Management IP #1, Management IP #2): mGuard centerport, Router, https://192.168.1.1/. mGuard centerport. 11.4.3 Configuration in Router mode. By default upon delivery, following reset to the default settings or after flashing the mGuard, the mGuard can be accessed within the network 192.168.1.0/24 via the LAN interface u
67.  the telecommunications connections. To connect a serial terminal or a modem, use a serial cable with D-SUB plug. The maximum cable length of the serial cable is 30 m.
     The serial port (serial interface) can be used as follows:
     To configure the mGuard via the serial interface. There are two options:
     - A PC is connected directly to the serial interface of the mGuard (via the serial interface of the PC). The PC user can then use a terminal program to configure the mGuard via the command line.
     - Or a modem is connected to the serial interface of the mGuard. This modem is connected to the telephone network (fixed-line or GSM network). The user of a remote PC, which is also connected to the telephone network by a modem, can then establish a PPP (Point-to-Point Protocol) dial-up connection to the mGuard and configure it via a web browser.
     To manage data traffic via the serial interface instead of via the WAN interface of the mGuard. In this case, a modem should be connected to the serial interface.
     11.3.3 Front flap
     The safety lock on the front flap enables the front flap to be securely locked, so that access is refused to the drives, reset button, and ON/OFF switch. Ensure that you keep safe hold of the two keys provided.
     Housing
     The mGuard centerport housing is from Kontron and is referred to as the KISS 2U platform. Visit www.kontron.de for more information on the
68.  up and Virtual Private Network setting", select "Never dial a connection".
     - Enter the address of the mGuard completely into the address line of the web browser (refer to Table 6-4).
     You access the administrator website of the mGuard.
     If the administrator web page of the mGuard cannot be accessed
     If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see "Performing a recovery procedure" on page 121).
     If the web browser repeatedly reports that the page cannot be displayed, try the following:
     - Check whether the default gateway of the connected configuration computer is initialized (see "Local configuration on startup (EIS)" on page 113).
     - Disable any active firewalls.
     - Make sure that the browser does not use a proxy server.
       In Internet Explorer (Version 8), make the following settings: "Tools" menu, "Internet Options", "Connections" tab. Click on "Properties" under "LAN settings". Check that "Use a proxy server for your LAN" (under "Proxy server") is not activated in the "Local Area Network (LAN) Settings" dialog box.
     - If other LAN connections are active on the computer, deactivate them until the configuration has been completed.
       Under the Windows menu "Start, Settings, Control Panel, Network Connec
69.  words during initial configuration.
     13.7 Remote configuration
     Requirement: The mGuard must be configured so that remote configuration is permitted. The option for remote configuration is disabled by default. Switch on the remote configuration option in the web interface under "Management >> Web Settings".
     How to proceed: To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there. Proceed as follows:
     - Start the web browser on the remote computer.
     - Under address, enter the IP address where the mGuard can be accessed externally over the Internet or WAN, together with the port number (if required).
     Example: If the mGuard can be accessed over the Internet, for example, via address https://123.45.67.89/ and port number 443 has been specified for remote access, the following address must be entered in the web browser of the remote peer: https://123.45.67.89/
     If a different port number is used, it should be entered after the IP address, e.g., https://123.45.67.89:442/
     Configuration: The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual.
     13.8 Restart, recovery procedure, and flashing the firmware
     The Reset button is used to set the de
70.  works when the management IP is active.
     - In addition, MAU configuration is activated for the Ethernet connections. HTTPS access is enabled via the local Ethernet connection (LAN).
     - The settings configured for VPN connections and the firewall are retained, including passwords.
     Possible reasons for performing the recovery procedure:
     - The device is in Router or PPPoE mode.
     - The device address has been configured and is not known.
     - The current IP address of the device is not known.
     Up-to-date information on the recovery and flashing procedure can be found in the application note for your firmware version.
     You can find application notes under the following Internet address: www.innominate.com
     Action:
     - Slowly press the reset button six times. After approximately two seconds, the Stat LED lights up green.
     - When the Stat LED has gone out, slowly press the reset button again six times. If successful, the Stat LED lights up green. If unsuccessful, the Err LED lights up red.
     If successful, the device restarts after two seconds and switches to Router mode. The device can then be reached again under the corresponding address.
     2.8.3 Flashing the firmware/rescue procedure
     Objective: The entire firmware of the device should be reloaded on the device.
     - All configured settings are del
71. 0 rs2000 Switch    Table 2 2 LEDs on the mGuard rs4000 Switch and mGuard rs2000 Switch          Green   On The configured VPN connections are established at output O1 or the firewall re   cords defined at output O1 are activated   om   The configured VPN connections are being established or aborted at output O1 or  bien firewall rule records defined at output O1 are activated or deactivated     Green a The configured VPN connections are established at output O2 or the firewall re   e defined at output O2 are activated     the firewall rule records defined at output O2 are activated or deactivated     C a C LEDs are located in the sockets  10 100 and duplex LED     DMZ1    Green _ On  Ethernet status  The LEDs indicate the status of the relevant port  As soon as the  LAN a Ce On device is connected to the relevant network  a continuous light indicates that there  is a connection to the network partner in the LAN  WAN or DMZ  When data pack    ets are transmitted  the LED goes out briefly     Flashing The configured VPN connections are being established or aborted at output O2 or       1 mGuard rs4000 Switch only    2 mGuard rs2000 Switch only    115007_en_02 Innominate Security Technologies 35    m Guard rs4000 rs2000 Switch    2 2 Startup    2 2 1 Safety notes    To ensure correct operation and the safety of the environment and of personnel  the device  must be installed  operated  and maintained correctly     NOTE  Risk of material damage due to incorrect wiring   Only conne
72. 00 Base FX  FO     Serial RS 232  RJ11 socket   USB  Depending on the firmware used    24 V DC   max  300 mA   PELV SELV   redundant    25       25  voltage  range    max  7 2 W at 24 V  10      95  during operation  non condensing  IP20    0  C      60  C  operation    40  C      80  C  storage     131 x 47x 111mm  340 g    mGuard v5 0 or later  Innominate recommends firmware version 6 x or 7 x to  be used with the latest patch releases     For the scope of functions  please refer to the relevant firmware data sheet   99 Mbps bidirectional   99 Mbps bidirectional   DES   3DES   AES 128 192 256   70 Mbps bidirectional    Web GUI  HTTPS    command line interface  SSH    SNMP v1 2 3   central  device management software    LEDs  P1  P2  Status  Fault  LAN  WAN  V 24    signal contact  24 V  1 A     Log File   Remote Syslog    CE   FCC   UL 508   GL
     14 Assigning IP addresses and setting up DHCP/TFTP servers
     14.1 Assigning the IP address using IPAssign.exe
     Step 1: Downloading and executing the program
     - On the Internet, select the link www.innominate.com/downloads.
     - The BootP IP addressing tool from Innominate can be found under "Software & Misc".
     - Double-click on the "IPAssign_mGuard.exe" file.
     - In the window that opens, click on "Run".
     Step 2
73. 1.1
     2.5.1 IP address 192.168.1.1
     In Router mode, the mGuard can be accessed via the LAN interface via IP address 192.168.1.1 within network 192.168.1.0/24, if one of the following conditions applies:
     - The mGuard is in the delivery state.
     - The mGuard was reset to the default settings via the web interface and restarted.
     - The rescue procedure (flashing of the mGuard) or the recovery procedure has been performed.
     To access the configuration interface, it may be necessary to adapt the network configuration of your computer.
     Under Windows 7, proceed as follows:
     - In the Control Panel, open the "Network and Sharing Center".
     - Click on "LAN connection". (The "LAN connection" item is only displayed if a connection exists from the LAN interface on the computer to a mGuard in operation or another partner.)
     - Click on "Properties".
     - Select the menu item "Internet protocol Version 4 (TCP/IPv4)".
     - Click on "Properties".
     - First select "Use the following IP address" under "Internet Protocol Version 4 Properties", then enter the following address, for example:
       IP address: 192.168.1.2
       Subnet mask: 255.255.255.0
       Default gateway: 192.168.1.1
     Depending on the configuration of the mGuard, it may then be necessary to adapt the network interface of the locally connected computer or network accordingly.
     Web-based administrator interface
74. 5 °C
     - Maximum humidity (non-condensing): 10% ... 95%
     To avoid overheating, do not expose the mGuard to direct sunlight or other heat sources.
     NOTE: Cleaning. Clean the device housing with a soft cloth. Do not use aggressive solvents.
     12.2.2 Checking the scope of supply
     Before startup, check the scope of supply to ensure nothing is missing.
     The scope of supply includes:
     - mGuard industrial rs
     - Package slip
     - Terminal block for the power supply connection (inserted)
     - Terminal block for the signal contact, button, and an optional ISDN or telephone connection
     - 2 cover caps for RJ45 sockets
     12.3 Installation of mGuard industrial rs
     WARNING: The housing must not be opened.
     WARNING: The shielding of the connected twisted pair cables is electrically connected to the front plate.
     WARNING: This is a Class A item of equipment. This equipment can cause radio interference in residential areas; in this case, the operator may be required to implement appropriate measures. When installed in residential or office areas, the mGuard industrial rs may only be operated in control cabinets with fire protection properties according to EN 60950-1.
     12.3.1 Mounting/removal
     Mounting: The device is ready to operate when it is supplied. The recommended sequence for mounting and connection is as follows:
     - Pull out the terminal b
75. 6.5.2 IP address https://1.1.1.1/
     In order for the mGuard to be addressed via address https://1.1.1.1/, it must be connected to a configured network interface. This is the case if it is connected in an existing network connection and if the default gateway can be accessed via the WAN port of the mGuard at the same time.
     In this case, the web browser establishes a connection to the mGuard configuration interface after the address https://1.1.1.1/ is entered (see "Establishing a local configuration connection" on page 117). Continue from this point.
     After access via IP address 1.1.1.1, the product can no longer be accessed via IP address 192.168.1.1.
     6.5.3 Assigning the IP address via BootP
     After assigning an IP address via BootP, the product can no longer be accessed via IP address 192.168.1.1.
     For IP address assignment, the mGuard uses the BootP protocol. The IP address can also be assigned via BootP. On the Internet, numerous BootP servers are available. You can use any of these programs for address assignment.
     Section 14.1 explains IP address assignment using the free Windows software "IP Assignment Tool" (IPAssign.exe).
     Notes for BootP
     During initial startup, the mGuard transmits BootP requests without interruption until it receives a valid IP address. After receiving a valid IP address, the mGuard no longer sends BootP requests.
76. 4.1 Operating elements and LEDs
     4.2 Startup
     4.3 Connecting the mGuard delta
     4.4 Preparing the configuration
     4.5 Configuration in Stealth mode
     4.6 Establishing a local configuration connection
     4.7 Remote configuration
     4.8 Restart, recovery procedure, and flashing the firmware
     4.9 Technical data
     5 mGuard pci SD
     5.1 Operating elements and LEDs
     5.2 Startup
     5.3 Installation of mGuard pci SD
     5.4 Preparing the configuration
     5.5 Configuration in Stealth mode
     5.6 Establishing a local configuration connection
77. If the supply voltage is not redundant, the mGuard rs4000 3G indicates the failure of the supply voltage via the signal contact. This message can be prevented by feeding the supply voltage via both inputs or by installing an appropriate wire jumper between the connections.
     3.4 Preparing the configuration
     3.4.1 Connection requirements
     - The mGuard rs4000/rs2000 3G must be connected to at least one active power supply unit.
     - For local configuration: The computer that is to be used for configuration must be connected to the LAN socket on the mGuard.
     - For remote configuration: The mGuard must be configured so that remote configuration is permitted.
     - The mGuard must be connected, i.e., the required connections must be working.
     3.5 Configuration in Router mode
     On initial startup, the mGuard can be accessed via the following address:
     - https://192.168.1.1/
     3.5.1 IP address 192.168.1.1
     In Router mode, the mGuard can be accessed via the LAN interface via IP address 192.168.1.1 within network 192.168.1.0/24, if one of the following conditions applies:
     - The mGuard is in the delivery state.
     - The mGuard was reset to the default settings via the web interface and restarted.
     - The rescue procedure (flashing of the mGuard) or the recovery procedure has been performed.
     To access the configuration inte
78. FAULT LED lights up red if the signal output takes low level due to an error (inverted logic).
     The voltage at the signal contact corresponds to the supply voltage applied. The following is reported when monitoring the output voltage:
     - Failure of at least one of the two supply voltages.
     - Power supply of the mGuard rs4000/rs2000 below the limit value (supply voltage 1 and/or 2 lower than 11 V).
     - Link status monitoring of the Ethernet connections, if configured. By default upon delivery, the connection is not monitored. Monitoring can be activated (on the web interface under "Management >> System Settings >> Signal Contact").
     - Error during selftest.
     During a restart, the signal contact is switched off until the mGuard rs4000/rs2000 has started up completely. This also applies when the signal contact is manually set to "Closed" under "Manual settings" in the software configuration.
     1.3.4 Connecting the supply voltage
     WARNING: The mGuard rs4000/rs2000 is designed for operation with a DC voltage of 11 V DC ... 36 V DC/SELV, 1.5 A, maximum. Therefore, only SELV circuits with voltage limitations according to EN 60950-1 may be connected to the supply connections and the signal contact.
     The supply voltage is connected via a plug-in screw terminal block, which is located on the top of the device.
     mGuard rs4000 P1 P2 mGuard rs2000 P1
79. N) Settings" dialog box.
     - If other LAN connections are active on the computer, deactivate them until the configuration has been completed.
       Under the Windows menu "Start, Settings, Control Panel, Network Connections" or "Network and Dial-up Connections", right-click on the corresponding icon and select "Disable" in the context menu.
     After successful connection establishment
     Once a connection has been established successfully, a security alert may be displayed.
     Explanation: As administrative tasks can only be performed using encrypted access, a self-signed certificate is supplied with the device.
     - Click "Yes" to acknowledge the security alert.
     The login window is displayed.
     Figure 10-6 Login
     - To log in, enter the preset user name and password (please note these settings are case-sensitive):
       User Name: admin
       Password: mGuard
     The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual.
     For security reasons, we recommend you change the default root and administrator passwords during initial configuration.
     10.6 Remote configuration
     Requirement: The mGuard must be configured so that remote confi
80. Operating elements and LEDs    RJ45 socket  WAN 1   for connecting to the ex   ternal network    RJ45 socket  LAN 1   for connecting to the in     SD card slot  configuration  ternal network                memory  Reset button            i  i  I  LEDs LEDs LEDs  Figure 4 2 Operating elements and LEDs on the  Table 4 2 LEDs on the mGuard delta     reds  se  WAN1  Green  On  Full duplex  ee Off Half duplex  WAN 2  Yellow  On  10 Mbps    LAN 2 Flash    10 Mbps  data transmission active  ing    100 Mbps    Flash    100 Mbps  data transmission active  ing     pwr  Green  On  soyo O    STAT Flash    The mGuard is ready to operate   ing    jenn  Rea fon  asem o   FAULT  rea  on  mGvardinthe booing orfashingstate SSS  mo        ess S       76 Innominate Security Technologies 115007_en_02    mGuard delta     4 2 Startup    4 2 1 Safety notes    To ensure correct operation and the safety of the environment and of personnel  the  mGuard must be installed  operated  and maintained correctly     NOTE  Risk of material damage due to incorrect wiring  Only connect the mGuard network ports to LAN installations  Some telecommunications    connections also use RJ45 sockets  these must not be connected to the RJ45 sockets of  the mGuard        General notes regarding usage    NOTE  Select suitable ambient conditions      Ambient temperature   0  C      40  C    Maximum humidity  non condensing     5      95   To avoid overheating  do not expose the mGuard to direct sunlight or other heat  sourc
81. RJ45 sockets of  the mGuard        e Connect the mGuard to the network  To do this  you need a suitable UTP cable  CAT5   which is not included in the scope of supply  Use UTP cables with an impedance of  100 Q    e Connect the internal network interface LAN of the mGuard to the corresponding Ether   net network card of the configuration computer or a valid network connection of the in   ternal network  LAN      56 Innominate Security Technologies 115007_en_02    115007_en_02    Q    l       mGuard rs4000 rs2000 3G    3 3 3 Connecting service contacts    NOTE  Do not connect the voltage and ground outputs to an external source   The plug in screw terminal blocks of the service contacts may be removed or inserted dur   ing operation of the mGuard     The mGuard rs4000 rs2000 3G has three digital inputs and outputs  These are configured  in the web interface  e g   the starting and stopping of VPN  sending alarms via SMS etc      The digital inputs and outputs are connected as follows           al al m    US 13 GND O03          IW     Figure 3 4 Service contacts    a Control switch CMD Signal output  digital  ACK    Voltage output       Switching input Ground output       Short circuit proof  11   36 VDC switch output   maximum 250 mA  at11   36 VDC    Supply voltage    Supply voltage    Example Example  a ae Let    A push button or an on off switch  e g   key switch  can be connected between service  contacts US and I     The service contacts 01 03 are non floating  continuous
82. RS   EDGE  I UMTS    CDMA2000    1 8V13V  redundant   lt  14 4 Mbps  HSDPA     Serial RS 232   D SUB 9 connector  3 digital inputs and 3 digital outputs    128 MB RAM   128 MB Flash   SD card  Replaceable configuration memory  Voltage range 11     36 V DC  redundant    typical  lt  200 mA  24 V DC     maximum  lt  800 mA  10 V DC     5      95   operation  storage   non con   densing    IP20     40  C      60  C  operation    40  C      70  C  storage     130 x 45 x 114 mm  up to DIN rail support   835 g    m Guard rs2000 3G    For mGuard v8 0 or later  Innominate recommends the use of the latest firmware ver     sion and patch releases in each case     For the scope of functions  please refer to the relevant firmware data sheet     Router mode  default firewall rules  bidirectional throughput  99 Mbps  maximum  Stealth mode  default firewall rules  bidirectional throughput  50 Mbps  maximum    When using the DMZ as independent network zone  the maximum possible data  throughput is distributed to the three zones     IPsec  IETF standard   Up to 250 VPN tunnels    DES   3DES   AES 128 192 256    IPsec  IETF standard   Up to 2 VPN tunnels    DES   3DES   AES 128 192 256    Router mode  default firewall rules  bidirectional throughput  35 Mbps  maximum  Stealth mode  default firewall rules  bidirectional throughput  25 Mbps  maximum  When using the DMZ as independent network zone  the maximum possible data  throughput is distributed to the three zones    Depending on the mobile 
83. SD Card. To apply the selection, press the Enter key.
     The options include:
     Start rescue procedure via DHCP/BootP/TFTP
     Effect: The mGuard downloads the necessary files from the TFTP server:
     - install.x86_64.p7s
     - firmware.img.x86_64.p7s
     Start rescue procedure from CD/DVD, USB stick or SD Card
     General requirements:
     1. A CD/DVD drive connected to the USB port or
     2. A USB stick (USB Flash drive) connected to the USB port or
     3. An SD memory card inserted into the SD card drive
     After the rescue procedure has been started by pressing the Enter key, the required data is downloaded from the medium that was connected/inserted to/into the device.
     Start rescue procedure from CD/DVD
     Requirement: The firmware of the mGuard has been previously burnt to CD/DVD (see below under "Burning the mGuard firmware to CD/DVD-ROM" on page 140).
     Effect: The mGuard downloads all necessary files from the inserted CD/DVD.
     With this in mind, while the boot menu is displayed and before applying this selection, insert the CD/DVD with the mGuard firmware into the CD/DVD drive.
     For security reasons, the mGuard centerport does not boot from the CD/DVD.
     Once the rescue procedure is complete, a corresponding message appears on the monitor. Follow any further on-screen instructions.
     Start rescue procedure from USB stick (USB Flash drive)
     Requirement: The firmware
84. SL encryption (i.e., HTTPS).
     According to the default setting, the mGuard can be accessed via the following addresses:
     Table 4-3 Preset addresses (columns: Default setting, mode, Management IP #1, Management IP #2)
     mGuard delta: https://1.1.1.1/, https://192.168.1.1/
     The mGuard is preset to the "multiple Clients" stealth configuration. You need to configure a management IP address and default gateway if you want to use VPN connections (in the web interface under "Network >> Interfaces >> General"). Alternatively, you can select a different stealth configuration or use another network mode.
     4.5 Configuration in Stealth mode
     On initial startup, the mGuard can be accessed via two addresses:
     - https://192.168.1.1/ (see Page 81)
     - https://1.1.1.1/ (see Page 81)
     Alternatively, an IP address can be assigned via BootP (see "Assigning the IP address via BootP" on page 82).
     The mGuard can be accessed via https://192.168.1.1/ if the external network interface is not connected on startup.
     Computers can access the mGuard via https://1.1.1.1/ if they are directly or indirectly connected to the LAN port of the mGuard. For this purpose, the mGuard with LAN port and WAN port must be integrated in an operational network in which the default gateway can be accessed via the WAN port.
     After access via IP address 192.168.1.1 and successful login, IP address 192.168.1.1 is set
85. Server" or "DHCP Server" tab page and click on "Settings" to set the parameters as follows:
     Figure 14-5 Settings (Tftpd32 settings dialog)
     Under Linux
     All current Linux distributions include DHCP and TFTP servers.
     - Install the corresponding packages according to the instructions provided for the relevant distribution.
     - Configure the DHCP server by making the following settings in the /etc/dhcpd.conf file:
         subnet 192.168.134.0 netmask 255.255.255.0 {
           range 192.168.134.100 192.168.134.119;
           optio
86. TBA b2 > mGuard Pin 8 Tx
     Serial port
     WARNING: The serial interface (RJ12 socket) must not be connected directly to the telecommunications connections. To connect a serial terminal or a modem, use a serial cable with RJ12 plug. The maximum cable length of the serial cable is 30 m.
     The serial port (serial interface) can be used as follows:
     To configure the mGuard via the serial interface. There are two options:
     - A PC is connected directly to the serial interface of the mGuard (via the serial interface of the PC). The PC user can then use a terminal program to configure the mGuard via the command line.
     - Or a modem is connected to the serial interface of the mGuard. This modem is connected to the telephone network (fixed-line or GSM network). The user of a remote PC, which is also connected to the telephone network by a modem, can then establish a PPP (Point-to-Point Protocol) dial-up connection to the mGuard and configure it via a web browser.
     To manage data traffic via the serial interface instead of via the WAN interface of the mGuard. In this case, a modem should be connected to the serial interface.
     Figure 12-9 Pin assignment of the RJ12 socket (serial port)
       Pin 6: Not used
       Pin 5: CTS
       Pin 4: TXD
       Pin 3: RTS
       Pin 2: RXD
       Pin 1: GND
     On the mGuard industrial rs with integrated modem or ISDN terminal adapter, data traf
87. The product can then no longer be accessed via IP address 192.168.1.1.
     After receiving a BootP reply, the mGuard no longer sends BootP requests, not even after it has been restarted. For the mGuard to send BootP requests again, it must either be set to the default settings or one of the procedures (recovery or flash) must be performed.
     Requirements
     The mGuard is connected to a computer using a Microsoft Windows operating system.
     6.6 Establishing a local configuration connection
     Web-based administrator interface: The mGuard is configured via a web browser that is executed on the configuration computer.
     NOTE: The web browser used must support SSL encryption (i.e., HTTPS).
     The mGuard can be accessed via one of the following addresses:
     Table 6-4 Preset addresses (columns: Default setting, mode, Management IP #1, Management IP #2)
     Stealth: https://1.1.1.1/, https://192.168.1.1/
     Proceed as follows:
     - Start a web browser.
     - Make sure that the browser, when it is started, does not automatically establish a connection as otherwise the connection establishment to the mGuard may be more difficult.
     In Internet Explorer, make the following settings:
     - In the "Tools" menu, select "Internet Options" and click on the "Connections" tab.
     - Under "Dial
88. VPN tunnels
     mGuard centerport, mGuard centerport 250, mGuard centerport 1000
     Figure 11-1 mGuard centerport
     11.1 Operating elements and LEDs
     Figure 11-2 Operating elements and LEDs on the mGuard centerport front side (labels: Power LED (green), Hard disk activity LED (orange), 19" angled connectors, interlocking lock (front flap))
     Table 11-2 LEDs on the mGuard centerport
     - Green, On: Lights up if the system is switched on.
     - Lights up while hard disk is accessed.
     Figure 11-3 Operating elements for the mGuard centerport with front flap open (labels: CD drive, LEDs (see above), knurled screw for cover guard, ON/OFF button, Reset button (for restart without switching the device off and on again), 2 x USB)
     11.2 Startup
     11.2.1 Safety notes
     To ensure correct operation and the safety of the environment and of personnel, the mGuard must be installed, operated, and maintained correctly.
     NOTE: Risk of material damage due to incorrect wiring. Only connect the mGuard network ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the mGuard.
     General notes regarding usage
     NOTE: Select suitable ambient conditions.
     - Am
89. a connection exists from the LAN interface on the computer to a mGuard in operation or another partner).
• Click on "Properties".
• Select the menu item "Internet protocol Version 4 (TCP/IPv4)".
• Click on "Properties".
• First select "Use the following IP address" under "Internet Protocol Version 4 Properties", then enter the following address, for example:
IP address: 192.168.1.2
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.1

Depending on the configuration of the mGuard, it may then be necessary to adapt the network interface of the locally connected computer or network accordingly.

10.5 Establishing a local configuration connection

Web-based administrator interface: The mGuard is configured via a web browser that is executed on the configuration computer.

NOTE: The web browser used must support SSL encryption (i.e., HTTPS).

The mGuard can be accessed via one of the following addresses:

Table 10-4 Preset addresses (columns: Default setting, mode, Management IP 1, Management IP 2)
mGuard blade controller: Router, https://192.168.1.1/

Proceed as follows:
• Start a web browser.
• Make sure that the browser, when it is started, does not automatically establish a connection, as otherwise the connection esta
90. a valid IP address, the mGuard no longer sends BootP requests. The FL MGUARD can then no longer be accessed via IP address 192.168.1.1.

After receiving a BootP reply, the mGuard no longer sends BootP requests, not even after it has been restarted. For the mGuard to send BootP requests again, it must either be set to the default settings or one of the procedures (recovery or flash) must be performed.

Requirements: The mGuard is connected to a computer using a Microsoft Windows operating system.

12.6 Establishing a local configuration connection

Web-based administrator interface: The mGuard is configured via a web browser that is executed on the configuration computer.

NOTE: The web browser used must support SSL encryption (i.e., HTTPS).

The mGuard can be accessed via one of the following addresses:

Table 12-5 Preset addresses (columns: Default setting, mode, Management IP 1, Management IP 2)
mGuard industrial rs: https://1.1.1.1/, https://192.168.1.1/

Proceed as follows:
• Start a web browser.
• Make sure that the browser, when it is started, does not automatically establish a connection, as otherwise the connection establishment to the mGuard may be more difficult.
In Internet Explorer, make the following settings:
• In the "Tools" menu
91. act corresponds to the supply voltage applied. The following is reported when monitoring the output voltage:
- Failure of at least one of the two supply voltages.
- Power supply of the mGuard rs4000/rs2000 below the limit value (supply voltage 1 and/or 2 lower than 11 V).
- Link status monitoring of the Ethernet connections, if configured. By default upon delivery, the connection is not monitored. Monitoring can be activated on the web interface under "Management >> System Settings >> Signal Contact".
- Error during selftest.

During a restart, the signal contact is switched off until the mGuard rs4000/rs2000 has started up completely. This also applies when the signal contact is manually set to "Closed" under "Manual settings" in the software configuration.

3.3.4 Antennas

To establish a mobile communication connection, a matching antenna must be connected to the devices.

NOTE: Removing operator permissions
Operation of the wireless system is only permitted with accessories supplied by Innominate. The use of other accessory components may invalidate the operating license.

You can find the approved accessories for this wireless system listed with the product at www.innominate.com.

We recommend combined mobile phone/GPS antenna with omnidirectional characteristic, antenna cable with SMA round plug (GSM/UMTS) and R-SMA round
92. age   non con   densing    IP20     20  C      60  C  operation    20  C      60  C  storage     130 x 45 x 114mm  up to DIN rail support   722 g  TX TX     m Guard rs2000    For mGuard v7 4 0 or later  Innominate recommends the use of the latest firmware ver     sion and patch releases in each case     For the scope of functions  please refer to the relevant firmware data sheet     Router mode  default firewall rules  bidirectional throughput  99 Mbps  maximum    Stealth mode  default firewall rules  bidirectional throughput  50 Mbps  maximum     IPsec  IETF standard   Up to 250 VPN tunnels    DES   3DES   AES 128 192 256    IPsec  IETF standard   Up to 2 VPN tunnels    DES   3DES   AES 128 1 92 256    Router mode  default firewall rules  bidirectional throughput  35 Mbps  maximum    Stealth mode  default firewall rules  bidirectional throughput  25 Mbps  maximum  Web GUI  HTTPS    command line interface  SSH    SNMP v1 2 3   central device man     agement software    LEDs  Power 1   2  State  Error  Signal   Fault  Modem  Info  signal contacts   ser   vice contacts   log file   remote syslog    CE I  FCC I UL 508  ANSI ISA 12 12 Class   Div  2    LEDs  Power  State  Error  Signal  Fault   Modem  Info  signal contacts   service  contacts   log file   remote syslog    Realtime clock   Trusted Platform Module  TPM    temperature sensor      mGuard Remote Services Portal ready    Innominate Security Technologies 31    m Guard rs4000 rs2000    32 Innominate Security Technologies
93. ality of the mobile network connection

The signal strength of the mobile network connection is indicated by three LEDs on the front of the mGuard rs4000/rs2000 3G. The LEDs function as a bar graph (refer to "Bar graph" on page 53).

For stable data transmission, we recommend at least good network reception. If the network reception is only adequate, only SMS messages can be sent and received.

Inserting the SIM card

You will receive a SIM card from the wireless provider on which all data and services for your connection are stored. If you use CDMA networks in the USA (e.g., from Verizon Wireless), you will not receive a SIM card. Change the mGuard rs4000/rs2000 3G to a CDMA provider via the web interface.

Figure 3-6 Insert the SIM card

To insert the SIM card, proceed as follows:
• Press the release button.
• Remove the SIM card holder.
• Insert the SIM card so that the SIM chip remains visible.
• Insert the SIM card holder together with the SIM card into the device until this ends flush with the housing.

3.3.6 Connecting the supply voltage

WARNING: The device is designed for operation with a DC voltage of 11 V DC ... 36 V DC SELV, 800 mA maximum.
Therefore, only SELV circuits with voltage limitations according to IEC 60950/EN 60950/VDE 0805 may be connected to the supply connections and the signal contact.

The supply voltage is connected v
94. and TFTP server, if necessary (see "Installing the DHCP and TFTP server" on page 258).

NOTE: Installing a second DHCP server in a network could affect the configuration of the entire network.

Action

NOTE: Do not interrupt the power supply to the mGuard during any stage of the flashing procedure. Otherwise, the device could be damaged and may have to be reactivated by the manufacturer.

• Hold down the Reset button until the State, LAN, and WAN LEDs light up green. Then, the mGuard is in the recovery state.
• Release the Reset button within a second of entering the recovery state.
If the Reset button is not released, the mGuard is restarted.
The mGuard now starts the recovery system: It searches for a DHCP server via the LAN interface in order to obtain an IP address.
The State LED flashes.
The "install.p7s" file is loaded from the TFTP server or SD card. It contains the electronically signed control procedure for the installation process. Only files that are signed are executed.
The control procedure deletes the current contents of the Flash memory and prepares for a new firmware installation.
The Modem, State, and LAN LEDs form a running light.
The "jffs2.img.p7s" firmware file is downloaded from the TFTP server or SD card and written to the Flash memory. This file contains the actual mGuard operating system and is signed electronically. Only files signed by Innominate are accepted.
This process takes around
95. and gateway address
- Any incorrect settings

Figure 14-2 "Set IP Address" window with incorrect settings

• Adjust the IP parameters according to your requirements.
If inconsistencies are no longer detected, a message appears indicating that a valid IP address has been set.
• Click on "Next".

Step 5: "Assign IP address"

The program attempts to transmit the IP parameters set to the mGuard.

Figure 14-3 "Assign IP address" w
96. ards

To flash the firmware from a TFTP server, a TFTP server must be installed on the locally connected computer (see "Installing the DHCP and TFTP server" on page 258).

NOTE: Installing a second DHCP server in a network could affect the configuration of the entire network.

- The mGuard firmware has been obtained from your dealer's support team or the www.innominate.com website and has been saved on a compatible SD card.
- This SD card has been inserted into the mGuard.
- The relevant firmware files are available for download from the download page of www.innominate.com. The files must be located under the following path names or in the following folders on the SD card:
Firmware/install-ubi.mpc83xx.p7s
Firmware/ubifs.img.mpc83xx.p7s

Action: To flash the firmware or to perform the rescue procedure, proceed as follows:

NOTE: Do not interrupt the power supply to the mGuard during any stage of the flashing procedure. Otherwise, the device could be damaged and may have to be reactivated by the manufacturer.

• Hold down the Reset button until the STAT, MOD, and SIG LEDs light up green. Then, the mGuard is in the recovery state.
• Release the Reset button within a second of entering the recovery state.
If the Reset button is not released, the mGuard is restarted.
The mGuard now starts the recovery system: It searches for a DHCP server via the LAN interfa
97. artup

7.2.1 Safety notes

Installation, startup and maintenance of the product may only be performed by qualified specialist personnel who have been authorized for this by the operator. Specialist personnel must have read and understood the instructions in this manual and act accordingly.

NOTE: Risk of material damage due to incorrect wiring
Only connect the mGuard network ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the mGuard.

General notes regarding usage

NOTE: Select suitable ambient conditions
- Ambient temperature: 0 °C ... 45 °C
- Maximum humidity, non-condensing: 20 % ... 90 %
To avoid overheating, do not expose the mGuard to direct sunlight or other heat sources.

NOTE: Risk of material damage caused by cleaning agents
Clean the device housing with a soft cloth. Do not use aggressive solvents.

7.2.2 Checking the scope of supply

Before startup, check the scope of supply to ensure nothing is missing.

The scope of supply includes:
- mGuard centerport
- Package slip
- 2 x AC mains connecting cables
- 19" server rails/telescopic rails (2 x short, 2 x long)
- Screw set
- Installation instructions for 19" frame industrial cabinet (Quickrails installation instructions)

7.3 Installing and booting the mGuard centerport

Back: IPMI port, 4x USB, Ether
98. atch releases     For the scope of functions  please refer to the relevant firmware data sheet     2 000 Mbps bidirectional   2 000 Mbps bidirectional    When using the DMZ as independent network zone  the maximum possible  data throughput is distributed to the three zones     DES   3DES   AES 128 192 256    600 Mbps bidirectional  router mode     When using the DMZ as independent network zone  the maximum possible  data throughput is distributed to the three zones     Web GUI  HTTPS    command line interface  SSH    SNMP v1 2 3    central device management software    Dot matrix display   LEDs   boot menu   log file   remote Syslog    CE  developed according to UL requirements    Innominate Security Technologies 141    mGuard centerport     142 Innominate Security Technologies 115007_en_02    mGuard delta    8 mQGuard delta    115007_en_02    Table 8 1 Available mGuard delta versions    mGuard delta HW 103050    As acompact LAN switch  Ethernet Fast Ethernet   the mGuard delta is designed for the  connection of up to four LAN segments  This device is therefore ideal for use in logically  segmented network environments  where the locally connected computers networks share  the mGuard functions     An additional serial interface enables configuration via a telephone dial up connection ora  terminal  With its robust metal housing  the mGuard delta is suitable for installation in distri   bution compartments as well as for use as a desktop device         LAN SWITCH           Fig
99. ate   Error    LAN   WAN    E    LAN   WAN    E        LAN   WAN    E E    mGuard industrial RS  mGuard industrial RS  mGuard industrial RS    a    LAN WAN    7 SDN Line 7     fi i e Fo  B   Ll CMDACK TXATX  RX  PX  2 CMDACI ING   L  CMDACK    Lower terminal strip     _ gt                                   With ISDN terminal With analog modem WITHOUT modem ISDN  Figure 12 5 mGuard industrial rs  Lower terminal strip    220 Innominate Security Technologies 115007_en_02    mGuard industrial rs            Lower area on front MET  late with terminal   ae  gt   __  1  CMDACK   strip    Functional  earth ground    Signal contact  in   terrupted in the event  of an error     Button or on off switch    Signal LED  20 mA   Service contacts     CMD  ACK     for establishing a predefined VPN connection     Figure 12 6 mGuard industrial rs  Without modem ISDN terminal adapter    Analac    Lower area on front ne nalog  plate with terminal    strip    Signal contact Service con  Telephone line    Functional earth  tacts  as above   analog connection     ground  as above   as above   Figure 12 7 mGuard industrial rs with modem         Lower area on front ISDN Line    plate with terminal  gt   __   CMDACK TX4TX  AX  PX   strip    Signal contact Service contacts    Functional earth   as above     ground  as above   as above   Figure 12 8 mGuard industrial rs with ISDN terminal adapter    115007_en_02 Innominate Security Technologies 221    mGuard industrial rs    Operating a connected  button
100. aved on a compatible SD card.
- This SD card has been inserted into the mGuard.
- The relevant firmware files are available for download from the download page of www.innominate.com. The files must be located under the following path names or in the following folders on the SD card:
Firmware/install-ubi.mpc83xx.p7s
Firmware/ubifs.img.mpc83xx.p7s

Action
• Press and hold down the Reset button on the front plate.
The STAT LED on the front plate briefly lights up orange.
Then the STAT LED and the upper two LEDs of the Ethernet sockets light up green one after the other.
• Release the Reset button during the green light phase.
The flashing procedure is started.

5.9 Technical data

mGuard pci SD, mGuard pcie SD

Hardware properties: Platform; Network interfaces; Other interfaces; Memory; Drives; Redundancy options; Power supply; Power consumption; Humidity range; Degree of protection; Temperature range; Dimensions (H x W x D); Weight
Firmware and power values: Firmware compatibility; Data throughput (router/firewall); Hardware-based encryption; Encrypted VPN throughput (AES-256); Management support; Diagnostics
Other: Conformance; Special features

Without battery (HT version)
With battery
Freescale network processor with 330 MHz clocking
1 LAN port, 1 WAN port; Ethernet IEEE 802.3 10/100 Base TX; RJ45
101. be accessed via the following addresses:

Table 1-3 Preset addresses (columns: Default setting, Network mode, Management IP 1, Management IP 2)
mGuard rs4000: https://1.1.1.1/, https://192.168.1.1/
mGuard rs2000: https://1.1.1.1/, https://192.168.1.1/

The mGuard is preset to the "multiple Clients" stealth configuration. You need to configure a management IP address and default gateway if you want to use VPN connections (see Page 24). Alternatively, you can select a different stealth configuration or use another network mode.

1.5 Configuration in Stealth mode

On initial startup, the mGuard can be accessed via two addresses:
- https://192.168.1.1/ (see Page 22)
- https://1.1.1.1/ (see Page 22)

Alternatively, an IP address can be assigned via BootP (see "Assigning the IP address via BootP" on page 23).

The mGuard can be accessed via https://192.168.1.1/ if the external network interface is not connected on startup.

Computers can access the mGuard via https://1.1.1.1/ if they are directly or indirectly connected to the LAN port of the mGuard. For this purpose, the mGuard with LAN port and WAN port must be integrated in an operational network in which the default gateway can be accessed via the WAN port.

After access via IP address 192.168.1.1 and successful login, IP address 192.168.1.1 is set as a fixed management IP address.

After acce
102. bient temperature   0  C      40  C        Maximum humidity  non condensing   5      95   To avoid overheating  do not expose the mGuard to direct sunlight or other heat sources     Q NOTE  Cleaning  Clean the device housing with a soft cloth  Do not use aggressive solvents     11 2 2 Checking the scope of supply       Before startup  check the scope of supply to ensure nothing is missing     The scope of supply includes          MGuard centerport       Package slip       2xkeys for front flap lock        2xAC mains connecting cables      Rubber feet  self adhesive     115007_en_02 Innominate Security Technologies 199    mGuard centerport    Back    200    11 3 Installing and booting mGuard centerport       Unnamed connections sockets are  not used   Optional  Dedicated interface for state syn   chronization in redundancy operation Ethernet  10 100 1000 Base TX   2 x USB LAN WAN  2 x power supply mains input socket  redun  COM1  2x USB  dant wide range AC power supply unit Serial console mnodem   100   240 V AC voltage source  VGA connection  Figure 11 4 mGuard centerport back  11 3 1 Connecting the device  7  Optional   Install the device in a 19  industrial cabinet   see    The safety lock on the front flap en   ables the front flap to be securely locked  so that access is refused to the drives  reset  button  and ON OFF switch  Ensure that you keep safe hold of the two keys provided   Housing    on page 202   8  Connect the two power supply units to the mains or power supp
103. blishment to the mGuard may be more difficult.
In Internet Explorer, make the following settings:
• In the "Tools" menu, select "Internet Options" and click on the "Connections" tab.
• Under "Dial-up and Virtual Private Network settings", select "Never dial a connection".
• Enter the address of the mGuard completely into the address line of the web browser (refer to Table 10-4).

You access the administrator website of the mGuard.

If the administrator web page of the mGuard cannot be accessed

If you have forgotten the configured address: If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see "Performing a recovery procedure" on page 193).

If the administrator web page is not displayed: If the web browser repeatedly reports that the page cannot be displayed, try the following:
• Check whether the default gateway of the connected configuration computer is initialized (see "Local configuration on startup (EIS)" on page 187).
• Disable any active firewalls.
• Make sure that the browser does not use a proxy server.
In Internet Explorer (Version 8), make the following settings: "Tools" menu, "Internet Options", "Connections" tab.
Click on "Properties" under "LAN settings".
Check that "Use a proxy server for your LAN" (under "Proxy server") is not activated in the "Local Area Network (LA
104. cal configuration on startup (EIS)" on page 169).
• Disable any active firewalls.
• Make sure that the browser does not use a proxy server.
In Internet Explorer (Version 8), make the following settings: "Tools" menu, "Internet Options", "Connections" tab.
Click on "Properties" under "LAN settings".
Check that "Use a proxy server for your LAN" (under "Proxy server") is not activated in the "Local Area Network (LAN) Settings" dialog box.
• If other LAN connections are active on the computer, deactivate them until the configuration has been completed.
Under the Windows menu "Start, Settings, Control Panel, Network Connections" or "Network and Dial-up Connections", right-click on the corresponding icon and select "Disable" in the context menu.

After successful connection establishment

Once a connection has been established successfully, a security alert may be displayed.

Explanation: As administrative tasks can only be performed using encrypted access, a self-signed certificate is supplied with the device.

• Click "Yes" to acknowledge the security alert.
The login window is displayed.

Figure 9-12 Login

• To log in, enter the preset user name and password (please note these settings are case-sensitive):
User Name: admin
Password: mGuard

The mGuard can then be configure
105. can be connected between service contacts CMD V  and CMD    .

The contacts ACK     and FAULT     are non-floating, continuously short-circuit-proof, and supply a maximum of 250 mA.

The switching inputs and switching outputs can be connected with signals from external devices, e.g., with signals from PLCs. In this case, ensure the same potential as well as voltage and current specifications are defined.

Depending on the firmware version used, the service contacts can be used for various switching or signaling tasks.

Service contacts as of firmware version 8.1

Via the web interface under "Management, Service I/O", you can set whether a push button or an on/off switch has been connected to the inputs. One or more freely selectable VPN connections or firewall rule records can be switched via the corresponding switch. A mixture of VPN connections and firewall rule records is also possible. The web interface displays which VPN connections and which firewall rule records are connected to this input.

The push button or on/off switch is used to establish and release predefined VPN connections or the defined firewall rule records.

• To switch on the selected VPN connections or firewall rule
106. Figure 9-6 Power over PCI mode: Router mode

If the mGuard is in Router mode (or PPPoE or PPTP mode), the mGuard and the network card connected to its LAN socket (installed in the same computer or another computer) act as a separate network.

For the IP configuration of the network interface of the operating system for the computer in which the network card is installed, this means that an IP address must be assigned to this network interface that differs from the internal IP address of the mGuard (by default upon delivery this is 192.168.1.1).

A third IP address is used for the interface of the mGuard to the WAN. It is used for connection to an external network (e.g., Internet).

9.3.3 Installing the hardware

NOTE: Electrostatic discharge
Before installation, touch the metal frame of the PC in which the mGuard pci is to be installed, in order to remove electrostatic discharge.
The device contains components that can be damaged or destroyed by electrostatic discharge. When handling the device, observe the necessary safety precautions against electrostatic discharge (ESD) according to EN 61340-5-1 and IEC 61340-5-1.

mGuard pci: structure
(1) Reset button
(2) Jumper for activating/deactivating Driver mode
(3) LAN port
The LAN port is deactivated in Driver mode. In Power over PCI mode, the network card
107. ce .... 37
2.4 Preparing the configuration .... 42
2.5 Configuration in Router mode .... 42
2.6 Establishing a local configuration connection .... 43
2.7 Remote configuration .... 45
2.8 Restart, recovery procedure, and flashing the firmware .... 46
2.9 Technical data .... 50
3 mGuard rs4000/rs2000 3G .... 51
3.1 Operating elements and LEDs .... 52
3.2 Startup .... 54
3.3 Installation of mGuard rs4000/rs2000 3G .... 55
3.4 Preparing the configuration .... 64
3.5 Configuration in Router mode .... 64
3.6 Establishing a local configuration connection .... 65
3.7 Remote configuration .... 67
3.8 Restart, recovery procedure, and flashing the firmware .... 68
3.9 Technical data
108. ce in order to obtain an IP address.
The STAT LED flashes.
The "install.p7s" file is loaded from the TFTP server or SD card. It contains the electronically signed control procedure for the installation process. Only files that are signed are executed.
The control procedure deletes the current contents of the Flash memory and prepares for a new firmware installation.
The STAT, MOD, and SIG LEDs form a running light.
The "jffs2.img.p7s" firmware file is downloaded from the TFTP server or SD card and written to the Flash memory. This file contains the actual mGuard operating system and is signed electronically. Only files signed by Innominate are accepted.
This process takes around 3 to 5 minutes. The STAT LED is lit continuously.
The new firmware is extracted and configured. This procedure takes 1 to 3 minutes.

As soon as the procedure is complete, the STAT, MOD, and SIG LEDs flash green simultaneously.
• Restart the mGuard. To do this, briefly press the Reset button.
(Alternatively, disconnect the power supply and then connect it again.)

The mGuard is in the delivery state. You can now configure it again (see "Establishing a local configuration connection" on page 83).

4.9

Hardware properties: Platform; Network interfaces; Other interfaces; Memory; Redundancy options; Power supply; Power consumption; Humidity range; Degree of protection; Temperature ra
109. ck that "Use a proxy server for your LAN" (under "Proxy server") is not activated in the "Local Area Network (LAN) Settings" dialog box.
• If other LAN connections are active on the computer, deactivate them until the configuration has been completed.
Under the Windows menu "Start, Settings, Control Panel, Network Connections" or "Network and Dial-up Connections", right-click on the corresponding icon and select "Disable" in the context menu.

After successful connection establishment

Once a connection has been established successfully, a security alert may be displayed.

Explanation: As administrative tasks can only be performed using encrypted access, a self-signed certificate is supplied with the device.

• Click "Yes" to acknowledge the security alert.
The login window is displayed.

Figure 3-8 Login

• To log in, enter the preset user name and password (please note these settings are case-sensitive):
User Name: admin
Password: mGuard

The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual.

For security reasons, we recommend you change the default root and administrator passwords during initial configuration.

Requirement    How to proceed    Example
110. connection     lt  14 4 Mbit s  HSDPA  upload   lt  5 7 Mbit s  HSDPA  download    Web GUI  HTTPS    command line interface  SSH    SNMP v1 2 3   central device man   agement software    13 LEDs  Power 1   2  State  Error  Signal  Fault  Modem  Info  Signal Status  SIM Sta   tus    Service I Ol Log File   Remote Syslog    115007_en_02    m Guard rs4000 rs2000 3G    Other mGuard rs4000 3G mGuard rs2000 3G  CE   FCC   UL 508   electrical isolation  VCC  PE    ANSI  ISA 12 12 Class   Div  2    GPS   GLONASS receiver   realtime clock   Trusted Platform Module  TPM    tempera   ture sensor   mGuard Secure Cloud ready    Conformance    Special features    115007_en_02 Innominate Security Technologies 73    m Guard rs4000 rs2000 3G    74 Innominate Security Technologies 115007_en_02    mGuard delta     4 mGuard delta     115007_en_02    Table 4 1 Available mGuard delta  versions    mGuard delta  TX TX HW 103060       mGuard delta  TX TX VPN BD 211010    The mGuard delta  is ideal for use in desktop applications  in distribution compartments   and other environments close to production processes with low requirements for industrial  hardening     Individual devices or network segments can be safely networked and comprehensively pro   tected  The mGuard delta  can be used as a firewall between office and production net   works as well as a Security router for small and medium sized workgroups        Figure 4 1 mGuard delta     Innominate Security Technologies 75    mGuard delta   4 1 
111. ct the device network ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the device.

For connecting a modem or serial terminal to the RS-232 interface, you will need a null modem cable not exceeding 10 m in length.

NOTE: Risk of damage to equipment due to noise emissions
This is a Class A item of equipment. This equipment can cause radio interference in residential areas; in this case, the operator may be required to implement appropriate measures.

NOTE: Electrostatic discharge
When handling the device, observe the necessary safety precautions against electrostatic discharge (ESD) in accordance with EN 61340-5-1 and IEC 61340-5-1.

General notes regarding usage

NOTE: Select suitable ambient conditions
- Ambient temperature     20  C      60  C
- Maximum humidity (non-condensing)    5      95
To avoid overheating, do not expose the device to direct sunlight or other heat sources.

NOTE: Cleaning
Clean the device housing with a soft cloth. Do not use aggressive solvents.

2.2.2 Checking the scope of supply

Before startup, check the scope of supply to ensure nothing is missing.

The scope of supply includes:
- Device
- Package slip
- Plug-in screw terminal blocks for the power supply connection and inputs/outputs (inserted)

2.2.3 mGuard Firmware

The device must be operated with mGuard Firmware version 8.1.5 or hig
112. ct the menu item "Internet protocol Version 4 (TCP/IPv4)".
• Click on "Properties".
• First select "Use the following IP address" under "Internet Protocol Version 4 Properties", then enter the following address, for example:

IP address: 192.168.1.2
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.1

Depending on the configuration of the mGuard, it may then be necessary to adapt the network interface of the locally connected computer or network accordingly.

13.5.2 IP address https://1.1.1.1/

In order for the mGuard to be addressed via address https://1.1.1.1/, it must be connected to a configured network interface. This is the case if it is connected in an existing network connection and if the default gateway can be accessed via the WAN port of the mGuard at the same time.

In this case, the web browser establishes a connection to the mGuard configuration interface after the address https://1.1.1.1/ is entered (see "Establishing a local configuration connection" on page 247). Continue from this point.

After access via IP address 1.1.1.1, the FL MGUARD can no longer be accessed via IP address 192.168.1.1.

13.5.3 Assigning the IP address via BootP

After assigning an IP address via BootP, the FL MGUARD can no longer be accessed via IP address 192.168.1.1.

For IP address assignment, the mGuard uses the BootP protocol. The IP address can also
113. d in the application note for your mGuard firmware version.

Application notes are available in the download area at www.innominate.com.

Action    Objective    Possible reasons    Requirements    Preparation

Requirement: a monitor and a keyboard are connected to the device.
• Press the following keyboard shortcut: <Alt> <SysRq> <a>

On English keyboards the German <S-Abf> corresponds to <SysRq>. However, some keyboards do not feature the <SysRq> key. In this case, use the <Print> key.

After pressing the keyboard shortcut once, the same shortcut must be pressed again within 30 s in order to start the recovery procedure.

Once the recovery procedure has been performed successfully, a corresponding message appears on the monitor.

7.8.2 Flashing the firmware/rescue procedure

The entire firmware of the mGuard should be reloaded on the device.
- All configured settings are deleted. The mGuard is set to the delivery state.
- In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again.

The administrator and root password have been lost.

There are three options for flashing the firmware:
- Via the network (DHCP and TFTP server)
- Via the USB port (USB Flash drive or USB CD/DVD
114. d via the web interface. For additional information, please refer to the software reference manual.

For security reasons, we recommend you change the default root and administrator passwords during initial configuration.

Requirement    How to proceed    Example    Configuration

9.7 Remote configuration

The mGuard must be configured so that remote configuration is permitted.
The option for remote configuration is disabled by default.

Switch on the remote configuration option in the web interface under "Management >> Web Settings".

To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there.

Proceed as follows:
• Start the web browser on the remote computer.
• Under address, enter the IP address where the mGuard can be accessed externally over the Internet or WAN, together with the port number (if required).

If the mGuard can be accessed over the Internet, for example, via address https://123.45.67.89/ and port number 443 has been specified for remote access, the following address must be entered in the web browser of the remote peer: https://123.45.67.89/

If a different port number is used, it should be entered after the IP address, e.g., https://123.45.67.89:442/

The mGuard can then be configured via the web interface. For additional information, please refer to the software referenc
115. device is ready for operation as soon as the Ethernet socket LEDs light up. Additionally, the P1/P2 LEDs light up green and Stat LED flashes green at heartbeat.

Redundant power supply (mGuard rs4000 Switch)

A redundant supply voltage can be connected. Both inputs are isolated. The load is not distributed. With a redundant supply, the power supply unit with the higher output voltage supplies the mGuard rs4000 Switch alone. The supply voltage is electrically isolated from the housing.

If the supply voltage is not redundant, the mGuard rs4000 Switch indicates the failure of one supply voltage via the signal contact. This message can be prevented by feeding the supply voltage via both inputs or by installing an appropriate wire bridge between the connections.

2.4 Preparing the configuration

2.4.1 Connection requirements

- The mGuard rs4000/rs2000 Switch must be connected to at least one active power supply unit.
- For local configuration: The computer that is to be used for configuration must be connected to the LAN socket on the device.
- For remote configuration: The device must be configured so that remote configuration is permitted.
- The device must be connected, i.e., the required connections must be working.

2.5 Configuration in Router mode

On initial startup, the mGuard can be accessed via the following address:

https://192.168.
116. ding on the configuration of the mGuard, it may then be necessary to adapt the network interface of the locally connected computer or network accordingly.

1.5.2 IP address https://1.1.1.1/

In order for the mGuard to be addressed via address https://1.1.1.1/, it must be connected to a configured network interface. This is the case if it is connected in an existing network connection and if the default gateway can be accessed via the WAN port of the mGuard at the same time.

In this case, the web browser establishes a connection to the mGuard configuration interface after the address https://1.1.1.1/ is entered (see "Establishing a local configuration connection" on page 24). Continue from this point.

After access via IP address 1.1.1.1, the product can no longer be accessed via IP address 192.168.1.1.

1.5.3 Assigning the IP address via BootP

After assigning an IP address via BootP, the product can no longer be accessed via IP address 192.168.1.1.

For IP address assignment, the mGuard uses the BootP protocol. The IP address can also be assigned via BootP. On the Internet, numerous BootP servers are available. You can use any of these programs for address assignment.

Section 14.1 explains IP address assignment using the free Windows software "IP Assignment Tool" (IPAssign.exe).

Notes for BootP

During initial startup, the mGuard transmits
117. drive)
- Via the SD memory card

The following requirements apply when loading the firmware from an SD card / a USB Flash memory:
- All necessary firmware files must be located in a common directory on the first partition of the SD card or the USB Flash memory under the following path or in the following folder:

Firmware/install.x86_64.p7s
Firmware/firmware.img.x86_64.p7s

The following requirements apply when loading the firmware from a TFTP server:
- A TFTP server must be installed on the locally connected computer (see "Installing the DHCP and TFTP server" on page 258).
- The relevant firmware files are available for download from the download page of www.innominate.com.
- The mGuard firmware has been obtained from your dealer's support team or the www.innominate.com website and has been saved on the installation medium of your choice or on the local installation computer.
- If your current firmware version is newer than the version by default upon delivery, a license must be obtained for using this update. This applies to major release upgrades, e.g., from Version 6.x.y to Version 7.x.y to Version 8.x.y, etc.
- SD card option: The SD card has been inserted into the device.
- USB port option: A USB Flash memory or a USB CD/DVD drive has been connected to the USB port of the device.
- Network option: DHCP and TFTP servers can be accessed under the same IP address.
118. e Management IP #1

mGuard rs4000 3G    https://192.168.1.1/
mGuard rs2000 3G    https://192.168.1.1/

Proceed as follows:
• Start a web browser.
• Make sure that the browser, when it is started, does not automatically establish a connection as otherwise the connection establishment to the mGuard may be more difficult.

In Internet Explorer, make the following settings:
• In the "Tools" menu, select "Internet Options" and click on the "Connections" tab.
• Under "Dial-up and Virtual Private Network settings", select "Never dial a connection".
• Enter the address of the mGuard completely into the address line of the web browser (refer to Table 3-4).

You access the administrator website of the mGuard.

If the administrator web page of the mGuard cannot be accessed

If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see "Performing a recovery procedure" on page 69).

If the web browser repeatedly reports that the page cannot be displayed, try the following:
• Disable any active firewalls.
• Make sure that the browser does not use a proxy server.

In Internet Explorer (Version 8), make the following settings: "Tools" menu, "Internet Options", "Connections" tab. Click on "Properties" under "LAN settings". Che
119. e local Ethernet connection (LAN).
- The settings configured for VPN connections and the firewall are retained, including passwords.

Possible reasons for performing the recovery procedure:
- The mGuard is in Router or PPPoE mode.
- The configured device address of the mGuard differs from the default setting.
- The current IP address of the device is not known.

Up-to-date information on the recovery and flashing procedure can be found in the application note for your mGuard firmware version.

You can find application notes under the following Internet address: www.innominate.com

• Slowly press the Reset button six times.
After approximately 2 seconds, the LAN LED lights up red.
• Press the Reset button slowly again six times.
If successful, the LAN LED lights up red.
If unsuccessful, the WAN LED lights up red.

If successful, the device restarts after two seconds and switches to Stealth mode. The device can then be reached again under the corresponding addresses.

9.8.3 Flashing the firmware/rescue procedure

The entire firmware of the mGuard should be reloaded on the device.
- All configured settings are deleted. The mGuard is set to the delivery state.
- In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again.

Objective    Possible rea
120. e manual.

9.8 Restart, recovery procedure, and flashing the firmware

The Reset button is used to set the device to one of the following states:
- Performing a restart
- Performing a recovery procedure
- Flashing the firmware/rescue procedure

Figure 9-13 Reset button

9.8.1 Performing a restart

Objective: The device is restarted with the configured settings.

Action:
• Press the Reset button for around 1.5 seconds until both red LEDs light up.

Alternatively, restart the computer that contains the mGuard pci card.

9.8.2 Performing a recovery procedure

Objective    Action

The network configuration (but not the rest of the configuration) is to be reset to the delivery state, as it is no longer possible to access the mGuard.

When performing the recovery procedure, the default settings are established.

Table 9-5 Preset addresses

Default setting    Management IP #1    Management IP #2    mode
https://1.1.1.1/    https://192.168.1.1/

- The mGuard is reset to Stealth mode with the default setting "multiple Clients".
- The CIFS integrity monitoring function is also disabled because this only works when the management IP is active.
- In addition, MAU management is switched on for Ethernet connections. HTTPS access is enabled via th
121. e products in your specific application, in particular with regard to observing the applicable standards and regulations. All information made available in the technical data is supplied without any accompanying guarantee, whether expressly mentioned, implied or tacitly assumed.

In general, the provisions of the current standard Terms and Conditions of Innominate apply exclusively, in particular as concerns any warranty liability.

This user manual, including all illustrations contained herein, is copyright protected. Any changes to the contents or the publication of extracts of this document are prohibited.

Innominate reserves the right to register its own intellectual property rights for the product identifications of Innominate products that are used here. Registration of such intellectual property rights by third parties is prohibited.

Other product identifications may be afforded legal protection, even where they may not be indicated as such.

Innominate Security Technologies

"Innominate" and "mGuard" are registered trade names of Innominate Security Technologies AG. mGuard technology is protected by patents 10138865 and 10305413, granted by the German Patent and Trademark Office. Further patents are pending.

Published by: Innominate Security Technologies AG
Rudower Chaussee 13
12489 Berlin
Germany
Phone: 49 0 30 92 10 28 0
contact@innominate.com
www.innominate.com

24 July 2015 Innominate Security Technol
122. e supply voltage is electrically isolated from the housing.

If the supply voltage is not redundant, the mGuard rs4000 indicates the failure of the supply voltage via the signal contact. This message can be prevented by feeding the supply voltage via both inputs (P1/P2) or by installing an appropriate wire jumper between connections P1 and P2.

1.4 Preparing the configuration

1.4.1 Connection requirements

- The mGuard rs4000/rs2000 must be connected to at least one active power supply unit.
- For local configuration: The computer that is to be used for configuration must be connected to the LAN socket on the mGuard.
- For remote configuration: The mGuard must be configured so that remote configuration is permitted.
- The mGuard must be connected, i.e., the required connections must be working.

1.4.2 Local configuration on startup (EIS)

As of firmware version 7.2, initial startup of mGuard products provided in Stealth mode is considerably easier. From this version onwards, the EIS (Easy Initial Setup) procedure enables startup to be performed via preset or user-defined management addresses without actually having to connect to an external network.

The mGuard is configured using a web browser on the computer used for configuration.

NOTE: The web browser used must support SSL encryption (i.e., HTTPS).

According to the default setting, the mGuard can
123. e the following settings: "Tools" menu, "Internet Options", "Connections" tab. Click on "Properties" under "LAN settings". Check that "Use a proxy server for your LAN" under "Proxy server" is not activated in the "Local Area Network (LAN) Settings" dialog box.
• If other LAN connections are active on the computer, deactivate them until the configuration has been completed.

Under the Windows menu "Start, Settings, Control Panel, Network Connections" or "Network and Dial-up Connections", right-click on the corresponding icon and select "Disable" in the context menu.

After successful connection establishment

Once a connection has been established successfully, a security alert may be displayed.

Explanation: As administrative tasks can only be performed using encrypted access, a self-signed certificate is supplied with the device.

• Click "Yes" to acknowledge the security alert.

The login window is displayed.

Figure 13-6 Login

• To log in, enter the preset user name and password (please note these settings are case-sensitive):

User Name: admin
Password: mGuard

The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual.

For security reasons, we recommend you change the default root and administrator pass
124. ected VPN connections or firewall rule records, press and hold the push button for a few seconds and then release the push button.
• To switch on the selected VPN connections or firewall rule records, set the switch to ON.
• To switch off the selected VPN connections or firewall rule records, set the switch to OFF.

Via the web interface under "Management, Service I/O" you can set whether certain VPN connections or firewall rule records are monitored and displayed via the LED Info 1 (output ACK O1) or LED Info 2 (output ACK O2).

If VPN connections are being monitored, an illuminated Info LED indicates that VPN connections are established.

The O3 alarm output monitors the function of the mGuard rs4000/rs2000 and therefore enables remote diagnostics.

The Fault LED lights up red if the signal output takes low level due to an error (inverted logic).

The O3 alarm output reports the following when "Management, Service I/O, Alarm output" has been activated:
- Failure of the redundant supply voltage
- Monitoring of the link status of the Ethernet connections
- Monitoring of the temperature condition
- Monitoring of the connection state of the internal modem

Service contacts up to firmware version 8.0

The push button or on/off switch is used to establish and release a predefined VPN connection.

The output indicates the status of the VPN connection (in the web interface under "IPsec VPN >> Global >> Op
125. ectional throughput: max. 99 Mbps
Stealth mode, default firewall rules, bidirectional throughput: max. 50 Mbps
DES / 3DES / AES-128/192/256
Router mode, default firewall rules, bidirectional throughput: max. 35 Mbps
Stealth mode, default firewall rules, bidirectional throughput: max. 25 Mbps
Web GUI (HTTPS), command line interface (SSH), SNMP v1/2/3, central device management software
3 LEDs (in combination for boot process, heartbeat, system error, Ethernet status, Recovery mode)
Log File, Remote Syslog
CE, FCC
Realtime clock, Trusted Platform Module (TPM), temperature sensor

Hardware properties, Platform, Network interfaces, Other interfaces, Drives, Redundancy options, Power supply, Power consumption, Temperature range, Humidity range, Degree of protection, Dimensions (H x W x D), Weight, Firmware and power values, Firmware compatibility, Data throughput (router / firewall), Hardware-based encryption, Encrypted VPN throughput (AES-256), Management support, Diagnostics, Other, Conformance

6.9.1 mGuard smart

mGuard smart 266, mGuard smart 533

Intel network processor, either with 533 MHz or 266 MHz clocking
1 LAN port, 1 WAN port; Ethernet IEEE 802.3 10/100 Base TX, RJ45, full duplex, auto MDIX
Depending on the firmware used
Via USB interface (5 V at 500 mA). Optional: external powe
126. ed from the TFTP server or SD card. It contains the electronically signed control procedure for the installation process. Only files that are signed are executed.

The control procedure deletes the current contents of the Flash memory and prepares for a new firmware installation.
The green LEDs and the red LAN LED form a running light.

The "jffs2.img.p7s" firmware file is downloaded from the TFTP server or SD card and written to the Flash memory. This file contains the actual mGuard operating system and is signed electronically. Only files signed by Innominate are accepted.
This process takes around 3 to 5 minutes. The green LEDs flash, while the red LAN LED is lit continuously.

The new firmware is extracted and configured. This procedure takes 1 to 3 minutes.

• As soon as the procedure has been completed, the mGuard restarts.

The mGuard is in the delivery state. You can now configure it again (see "Establishing a local configuration connection" on page 172).

After the restart, the mGuard pci is automatically assigned a management IP address. This address is assigned by a BootP server that can be accessed on the network and was used during flashing.

If the recommended DHCP server is also used for Windows (see page 258), it also operates as the BootP server. This does not apply when using a DHCP server under Linux.

Hardware properties    Platform    Network interfaces    Other i
127. ed to the LAN port of the mGuard. For this purpose, the mGuard with LAN port and WAN port must be integrated in an operational network in which the default gateway can be accessed via the WAN port.

After access via IP address 192.168.1.1 and successful login, IP address 192.168.1.1 is set as a fixed management IP address.

After access via IP address 1.1.1.1 or after IP address assignment via BootP, the FL MGUARD can no longer be accessed via IP address 192.168.1.1.

13.5.1 IP address 192.168.1.1

In Stealth mode, the mGuard can be accessed via the LAN interface via IP address 192.168.1.1 within network 192.168.1.0/24, if one of the following conditions applies:
- The mGuard is in the delivery state.
- The mGuard was reset to the default settings via the web interface and restarted.
- The rescue procedure (flashing of the mGuard) or the recovery procedure has been performed.

With a configured network interface

To access the configuration interface, it may be necessary to adapt the network configuration of your computer.

Under Windows 7, proceed as follows:
• In the Control Panel, open the "Network and Sharing Center".
• Click on "LAN connection". (The "LAN connection" item is only displayed if a connection exists from the LAN interface on the computer to a mGuard in operation or another partner.)
• Click on "Properties".
• Sele
128. ed to the device.
• Press the following keyboard shortcut: <Alt> <SysRq> <a>

On English keyboards the German <S-Abf> corresponds to <SysRq>. However, some keyboards do not feature the <SysRq> key. In this case, use the <Print> key.

Once the recovery procedure is complete, a corresponding message appears on the monitor.

Objective    Possible reasons    Requirements    Action

11.8.2 Flashing the firmware/rescue procedure

The entire firmware of the mGuard should be reloaded on the device.
- All configured settings are deleted. The mGuard is set to the delivery state.
- In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again.

The administrator and root password have been lost.

NOTE: To flash the firmware, a DHCP and TFTP server or a BootP and TFTP server must be installed on the locally connected computer.

Install the DHCP and TFTP server, if necessary (see "Installing the DHCP and TFTP server" on page 258).

NOTE: Installing a second DHCP server in a network could affect the configuration of the entire network.

- A monitor and a keyboard are connected to the device.
- The mGuard firmware has been obtained from the Support team of your dealer or from www.in
129. efault.

Switch on the remote configuration option in the web interface under "Management >> Web Settings".

To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there.

Proceed as follows:
• Start the web browser on the remote computer.
• Under address, enter the IP address where the mGuard can be accessed externally over the Internet or WAN, together with the port number (if required).

If the mGuard can be accessed over the Internet, for example, via address https://123.45.67.89/ and port number 443 has been specified for remote access, the following address must be entered in the web browser of the remote peer: https://123.45.67.89/

If a different port number is used, it should be entered after the IP address, e.g., https://123.45.67.89:442/

The mGuard can then be configured via the web interface. For additional information, please refer to software reference manual.

Objective    Action    Objective

7.7 Restart, recovery procedure, and flashing the firmware

The device must be restarted in order to perform a recovery procedure or to flash the firmware.

7.8 Performing a restart

The device is restarted with the configured settings.

• Press the ON/OFF button of the device already started for approximately 5 s to switch off the device.
Alternatively, disconnect the power supply and then c
130. em is only displayed if a connection exists from the LAN interface on the computer to a mGuard in operation or another partner.
• Click on "Properties".
• Select the "Internet protocol Version 4 (TCP/IPv4)" menu item.
• Click on "Properties".
• First select "Use the following IP address" under "Internet Protocol Version 4 Properties", then enter the following address, for example:

IP address: 192.168.1.2
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.1

Depending on the configuration of the mGuard, it may then be necessary to adapt the network interface of the locally connected computer or network accordingly.

Web-based administrator interface    If you have forgotten the configured address    If the administrator web page is not displayed

7.5 Establishing a local configuration connection

The mGuard is configured via a web browser that is executed on the configuration computer.

NOTE: The web browser used must support SSL encryption (i.e., HTTPS).

The mGuard can be accessed via one of the following addresses:

Table 7-3 Preset addresses

Default setting    Management IP #1    Management IP #2    mode

Proceed as follows:
• Start a HTTP-capable web browser.
• Make sure that the browser, when it is started, does not automatically establish a connection as otherwise the connection establishment to the mGuard may be
131. ent IP address of the device is not known.

Up-to-date information on the recovery and flashing procedure can be found in the application note for your mGuard firmware version.

You can find application notes under the following Internet address: www.innominate.com

Action:
• Slowly press the Reset button six times.
After approximately 2 seconds, the State LED lights up green.
• Press the Reset button slowly again six times.
If successful, the State LED lights up green.
If unsuccessful, the Error LED lights up red.

If successful, the device restarts after two seconds and switches to Stealth mode. The device can then be reached again under the corresponding addresses.

12.8.3 Flashing the firmware/rescue procedure

Objective: The entire firmware of the mGuard should be reloaded on the device.
- All configured settings are deleted. The mGuard is set to the delivery state.
- In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again.
- For the mGuard industrial rs, only firmware version 5.1.0 or later can be installed.

Possible reasons: The administrator and root password have been lost.

Requirements

NOTE: To flash the firmware, a DHCP and TFTP server or a BootP and TFTP server must be installed on the locally connected computer.

Install the DHCP
132. er is used, it should be entered after the IP address, e.g., https://123.45.67.89:442/

The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual.

5.8 Restart, recovery procedure, and flashing the firmware

The Reset button is used to set the device to one of the following states:
- Performing a restart
- Performing a recovery procedure
- Flashing the firmware/rescue procedure

Figure 5-6 Reset button

5.8.1 Performing a restart

Objective: The device is restarted with the configured settings.

Action:
• Press the Reset button until the STAT LED lights up orange.
• Alternatively, restart the computer that contains the mGuard pci card.

5.8.2 Performing a recovery procedure

Objective: The network configuration (but not the rest of the configuration) is to be reset to the delivery state, as it is no longer possible to access the mGuard.

When performing the recovery procedure, the default settings are established.

Table 5-5 Preset addresses

Default setting    Management IP #1    Management IP #2    mode
mGuard pci² SD    https://1.1.1.1/    https://192.168.1.1/

- The mGuard is reset to Stealth mode with the default setting "multiple Clients".
- The CIFS integrity monitoring function is also disabled because this only works when the
133. erference in residential areas; in this case, the operator may be required to implement appropriate measures. mGuard smart²/smart: 6.4 Preparing the configuration. 6.4.1 Connection requirements: The mGuard smart² must be switched on, i.e., it must be connected to a computer (or power supply unit) that is switched on via a USB cable in order for it to be supplied with power. For local configuration: The computer used for configuration must be connected to the LAN port of the mGuard, or must be connected to the mGuard via the local network. For remote configuration: The mGuard must be configured so that remote configuration is permitted. The mGuard must be connected, i.e., the required connections must be working. 6.4.2 Local configuration on startup (EIS). As of firmware version 7.2, initial startup of mGuard products provided in Stealth mode is considerably easier. From this version onwards, the EIS (Easy Initial Setup) procedure enables startup to be performed via preset or user-defined management addresses without actually having to connect to an external network. The mGuard is configured using a web browser on the computer used for configuration. NOTE: The web browser used must support SSL encryption (i.e., HTTPS). According to the default setting, the mGuard can be accessed via the following addresses: Table 6-3: Preset addres
134. ermitted. The option for remote configuration is disabled by default. Switch on the remote configuration option in the web interface under "Management >> Web Settings". To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there. Proceed as follows: • Start the web browser on the remote computer. • Under address, enter the IP address where the mGuard can be accessed externally over the Internet or WAN, together with the port number (if required). If the mGuard can be accessed over the Internet, for example, via address https://123.45.67.89/ and port number 443 has been specified for remote access, the following address must be entered in the web browser of the remote peer: https://123.45.67.89/. If a different port number is used, it should be entered after the IP address, e.g., https://123.45.67.89:442/. The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual. mGuard delta: 8.7 Restart, recovery procedure, and flashing the firmware. The Reset button is used to set the device to one of the following states: performing a restart; performing a recovery procedure; flashing the firmware/rescue procedure. [Figure 8-5: Reset button] 8.7.1 Performing a restart. Objecti
135. ernal voltage source, they should always be connected as described here. A push button or an on/off switch (e.g., key switch) can be connected between service contacts CMD and _l_. A standard LED (up to 3.5 V) or a corresponding optocoupler can be connected between contacts ACK and _l_. The contact is short-circuit-proof and supplies 20 mA maximum. The LED or optocoupler must be connected without preresistor (for wiring, see Figure 12-6 to Figure 12-8). The button or on/off switch is used to establish and release a predefined VPN connection. The LED indicates the status of the VPN connection (in the web interface under "IPsec VPN >> Global >> Options"). • To establish the VPN connection, hold down the button for a few seconds until the signal LED flashes. Only then release the button. Flashing indicates that the mGuard has received the command to establish the VPN connection and is establishing the VPN connection. As soon as the VPN connection is established, the signal LED remains lit continuously. • To release the VPN connection, hold down the button for a few seconds until the signal LED flashes or goes out. Only then release the button. As soon as the signal LED goes out, the VPN connection is released. • To establish the VPN connection, set the switch to the ON position. • To release the VPN connection, set the switch to the OFF position. mGuard industr
136. es. NOTE: Cleaning: Clean the device housing with a soft cloth. Do not use aggressive solvents. 4.2.2 Checking the scope of supply. Before startup, check the scope of supply to ensure nothing is missing. The scope of supply includes: mGuard delta²; package slip; 12 V DC power supply including different country adapters. mGuard delta²: 4.3 Connecting the mGuard delta². NOTE: Notes on mounting and installation: Only connect the RJ45 Ethernet ports of the mGuard to matching network installations. Some telecommunications connections also use RJ45 sockets. You may not connect these to the RJ45 ports of the mGuard. Safe isolation of live circuits is only guaranteed if connected devices fulfill requirements specified by VDE 0106-101 (safe isolation). The supply lines must be isolated or laid separately to live circuits. 4.3.1 Connecting to the network. • Connect the mGuard to the network. To do this, you need a suitable UTP cable (CAT5), which is not included in the scope of supply. • Connect the internal network interface LAN 1 of the mGuard to the corresponding Ethernet network card of the configuration computer or a valid network connection of the internal network (LAN). 4.3.2 Connecting the supply voltage. • Connect the wide range power supply unit of the mGuard to a suitable power supply. Connect the low voltage plug of the power supply unit on the back of the 
137. ... 101; 5.7 Remote configuration 103; 5.8 Restart, recovery procedure, and flashing the firmware 104; 5.9 Technical data 107; 6 mGuard smart²/smart 109; 6.1 Operating elements and LEDs 110; 6.2 Startup 111; 6.3 Connecting the mGuard smart² 112; 6.4 Preparing the configuration 113; 6.5 Configuration in Stealth mode 114; 6.6 Establishing a local configuration connection 117; 6.7 Remote configuration 119; 6.8 Restart, recovery procedure, and flashing the firmware 120; 6.9 Technical data 123; 7 mGuard centerport² 125; 7.1 Operating elements and LEDs 126; 7.2 Startup 127; 7.3 Installing and booting the mGuard centerport² 128; 7.4 Preparing the configuration 132
138. eted. The device is set to the delivery state. The administrator and root password have been lost. Requirements for flashing: NOTE: During flashing, the firmware is always loaded from an SD card first. The firmware is only loaded from a TFTP server if no SD card is found. The following requirements apply when loading the firmware from an SD card: All necessary firmware files must be located in a common directory on the first partition of the SD card. This partition must use a VFAT file system (standard type for SD cards). To flash the firmware from a TFTP server, a TFTP server must be installed on the locally connected computer (see "Installing the DHCP and TFTP server" on page 258). NOTE: Installing a second DHCP server in a network could affect the configuration of the entire network. The mGuard firmware has been obtained from your dealer's support team or the www.innominate.com website and has been saved on a compatible SD card. This SD card has been inserted into the device. The relevant firmware files are available for download from the download page of www.innominate.com. The files must be located under the following path names in the following folders on the SD card: Firmware/install-ubi.mpc83xx.p7s; Firmware/ubifs.img.mpc83xx.p7s. mGuard rs4000/rs2000 Switch. Action: To flash the firmware or to perform the rescue procedure, proceed as follows: 
139. etup) procedure enables startup to be performed via preset or user-defined management addresses without actually having to connect to an external network. The mGuard is configured using a web browser on the computer used for configuration. NOTE: The web browser used must support SSL encryption (i.e., HTTPS). According to the default setting, the mGuard can be accessed via the following addresses: Table 13-3: Preset addresses (EAGLE mGuard): Management IP #1: https://1.1.1.1/; Management IP #2: https://192.168.1.1/. The mGuard is preset to the "multiple Clients" stealth configuration. You need to configure a management IP address and default gateway if you want to use VPN connections (in the web interface under "Network >> Interfaces >> General"). Alternatively, you can select a different stealth configuration or use another network mode. EAGLE mGuard: 13.5 Configuration in Stealth mode. On initial startup, the mGuard can be accessed via two addresses: https://192.168.1.1/ (see page 245); https://1.1.1.1/ (see page 245). Alternatively, an IP address can be assigned via BootP (see "Assigning the IP address via BootP" on page 246). The mGuard can be accessed via https://192.168.1.1/ if the external network interface is not connected on startup. Computers can access the mGuard via https://1.1.1.1/ if they are directly or indirectly connected
140. evice is not known. Up-to-date information on the recovery and flashing procedure can be found in the application note for your mGuard firmware version. You can find application notes under the following Internet address: www.innominate.com. Action: • Slowly press the Reset button six times. After approximately two seconds, the Stat LED lights up green. • When the Stat LED has gone out, slowly press the Reset button again six times. If successful, the Stat LED lights up green. If unsuccessful, the Err LED lights up red. If successful, the device restarts after two seconds and switches to Router mode. The device can then be reached again under the corresponding address. mGuard rs4000/rs2000 3G: 3.8.3 Flashing the firmware/rescue procedure. Objective: The entire firmware of the mGuard should be reloaded on the device. All configured settings are deleted. The mGuard is set to the delivery state. Possible reasons: The administrator and root password have been lost. Requirements: Requirements for flashing: NOTE: During flashing, the firmware is always loaded from an SD card first. The firmware is only loaded from a TFTP server if no SD card is found. The following requirements apply when loading the firmware from an SD card: All necessary firmware files must be located in a common directory on the first partition of the SD card. This partition must use a VFAT file sy
141. f the firmware is carried out by flashing, the license file purchased for the upgrade must also be stored here under the name licence.lic. Make sure that this is the correct license file for the device (under "Management >> Update" on the web interface). [Figure 14-4: Entering the host IP (screenshot of the Tftpd32 window showing the DHCP and TFTP server log)] Assigning IP addresses and setting up DHCP/TFTP servers: • Switch to the "TFTP 
142. fic can be transmitted via the analog line or ISDN line connections instead of via the WAN interface. mGuard industrial rs: 12.4 Preparing the configuration. 12.4.1 Connection requirements: The mGuard industrial rs must be connected to at least one active power supply unit. For local configuration: The computer that is to be used for configuration must be connected to the LAN socket on the mGuard. For remote configuration: The mGuard must be configured so that remote configuration is permitted. The mGuard must be connected, i.e., the required connections must be working. 12.4.2 Local configuration on startup (EIS). As of firmware version 7.2, initial startup of mGuard products provided in Stealth mode is considerably easier. From this version onwards, the EIS (Easy Initial Setup) procedure enables startup to be performed via preset or user-defined management addresses without actually having to connect to an external network. The mGuard is configured using a web browser on the computer used for configuration. NOTE: The web browser used must support SSL encryption (i.e., HTTPS). According to the default setting, the mGuard can be accessed via the following addresses: Table 12-4: Preset addresses (mGuard industrial rs): Management IP #1: https://1.1.1.1/; Management IP #2: https://192.168.1.1/. The mGuard is preset to 
143. following: mounting in a 19" industrial cabinet; mounting of housing feet; removing the 19" angled connector from the device; maintenance and care. 11.3.4 Starting (booting) mGuard centerport. • Press the ON/OFF button. The mGuard centerport boots the firmware and is ready to operate. 11.3.4.1 Boot options - when monitor and keyboard are connected. If a monitor and a keyboard are connected to the device, the following options are available: following switch on; following a restart; after pressing the Reset button. If the boot messages from the BIOS are initially displayed on the monitor, the mGuard centerport boot menu is shown for a few seconds. If the boot menu is displayed for a longer period of time, preferably press one of the direction keys. [Figure 11-5: mGuard centerport boot menu (GNU GRUB version 0.97), with entries to boot the firmware, check the file system(s) of the firmware, and start the rescue procedure via DHCP/BOOTP/TFTP, from CD/DVD, or from USB mass storage] To select and apply one of the boot options, proceed as follows: 1. Select one of the displayed options with the directio
144. ghts up green. If unsuccessful, the Status LED remains unlit. If successful, the device restarts after two seconds and switches to Router mode. The device can then be reached again under the corresponding addresses. mGuard delta: 8.7.3 Flashing the firmware/rescue procedure. Objective: The entire firmware of the mGuard should be reloaded on the device. All configured settings are deleted. The mGuard is set to the delivery state. In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again. Possible reasons: The administrator and root password have been lost. Requirements: NOTE: To flash the firmware, a DHCP and TFTP server or a BootP and TFTP server must be installed on the locally connected computer. Install the DHCP and TFTP server, if necessary (see "Installing the DHCP and TFTP server" on page 258). NOTE: Installing a second DHCP server in a network could affect the configuration of the entire network. NOTE: Do not interrupt the power supply to the mGuard during any stage of the flashing procedure. Otherwise, the device could be damaged and may have to be reactivated by the manufacturer. Action: • Hold down the Reset button until the Status LED slowly becomes dark. Then, the mGuard is in the recovery state. • Release the Reset b
145. gs" dialog box. • If other LAN connections are active on the computer, deactivate them until the configuration has been completed. Under the Windows menu "Start, Settings, Control Panel, Network Connections" or "Network and Dial-up Connections", right-click on the corresponding icon and select "Disable" in the context menu. mGuard delta: After successful connection establishment: Once a connection has been established successfully, a security alert may be displayed. Explanation: As administrative tasks can only be performed using encrypted access, a self-signed certificate is supplied with the device. • Click "Yes" to acknowledge the security alert. The login window is displayed. [Figure 8-4: Login] • To log in, enter the preset user name and password (please note these settings are case-sensitive): User Name: admin; Password: mGuard. The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual. For security reasons, we recommend you change the default root and administrator passwords during initial configuration. mGuard delta: 8.6 Remote configuration. Requirement: The mGuard must be configured so that remote configuration is p
146. guration is permitted. The option for remote configuration is disabled by default. Switch on the remote configuration option in the web interface under "Management >> Web Settings". To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there. Proceed as follows: • Start the web browser on the remote computer. • Under address, enter the IP address where the mGuard can be accessed externally over the Internet or WAN, together with the port number (if required). If the mGuard can be accessed over the Internet, for example, via address https://123.45.67.89/ and port number 443 has been specified for remote access, the following address must be entered in the web browser of the remote peer: https://123.45.67.89/. If a different port number is used, it should be entered after the IP address, e.g., https://123.45.67.89:442/. The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual. mGuard blade: 10.7 Restart, recovery procedure, and flashing the firmware. The Reset button is used to set the device to one of the following states: performing a restart; performing a recovery procedure; flashing the firmware/rescue procedure. [Figure 10-7: Reset button] 10.7.1 Performing a restart. Objective: The device 
147. gure 5-5: Login. • To log in, enter the preset user name and password (please note these settings are case-sensitive): User Name: admin; Password: mGuard. The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual. For security reasons, we recommend you change the default root and administrator passwords during initial configuration. mGuard pci² SD: 5.7 Remote configuration. Requirement: The mGuard must be configured so that remote configuration is permitted. The option for remote configuration is disabled by default. Switch on the remote configuration option in the web interface under "Management >> Web Settings". How to proceed: To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there. Proceed as follows: • Start the web browser on the remote computer. • Under address, enter the IP address where the mGuard can be accessed externally over the Internet or WAN, together with the port number (if required). Example: If the mGuard can be accessed over the Internet, for example, via address https://123.45.67.89/ and port number 443 has been specified for remote access, the following address must be entered in the web browser of the remote peer: https://123.45.67.89/. If a different port numb
148. he firewall rule records defined at output O1 are activated or deactivated. On: up to firmware version 8.0: The configured VPN connection has been established at output O2. As of firmware version 8.1: The configured VPN connections are established at output O2 or the firewall rule records defined at output O2 are activated. Flashing: up to firmware version 8.0: The configured VPN connection is being established or aborted at output O2. As of firmware version 8.1: The configured VPN connections are being established or aborted at output O2 or the firewall rule records defined at output O2 are activated or deactivated. The LEDs are located in the sockets (10/100 and duplex LED). LAN 1-4, Green: Ethernet status. The LEDs indicate the status of the relevant port. As soon as the device is connected to the relevant network, a continuous light indicates that there is a connection to the network partner in the LAN, WAN or DMZ. When data packets are transmitted, the LED goes out briefly. Signal strength, Green: signal strength ranges -113 ... -111 dBm, -109 ... -89 dBm, -87 ... -67 dBm, -65 ... -51 dBm; network reception: very poor to none, sufficient, very good. Green, On: SIM card 1 active. Green, On: SIM card 2 active (only mGuard rs4000 3G). mGuard rs4000/rs2000 3G: 3.2 Startup. 3.2.1 Safety notes. To ensure correct operation and the safety of the environment and of personne
149. he firmware/rescue procedure. [Figure 3-9: Reset button] 3.8.1 Performing a restart. Objective: The device is restarted with the configured settings. Action: • Press the Reset button for around 1.5 seconds until the Err LED lights up. (Alternatively, disconnect the power supply and then connect it again.) mGuard rs4000/rs2000 3G: 3.8.2 Performing a recovery procedure. Objective: The network configuration (but not the rest of the configuration) is to be reset to the delivery state, as it is no longer possible to access the mGuard. When performing the recovery procedure, the default settings are established. Table 3-5: Preset address (Management IP #1): mGuard rs4000 3G: https://192.168.1.1/; mGuard rs2000 3G: https://192.168.1.1/. The mGuard is reset to router mode with the fixed IP address. The CIFS integrity monitoring function is also disabled because this only works when the management IP is active. In addition, MAU management is switched on for Ethernet connections. HTTPS access is enabled via the local Ethernet connection (LAN). The settings configured for VPN connections and the firewall are retained, including passwords. Possible reasons for performing the recovery procedure: The mGuard is in Router or PPPoE mode. The configured device address of the mGuard differs from the default setting. The current IP address of the d
150. her. mGuard rs4000/rs2000 Switch: 2.3 Installing the mGuard rs4000/rs2000 Switch. 2.3.1 Mounting/removal. NOTE: Device damage: Only mount and remove devices when the power supply is disconnected. Mounting: The device is ready to operate when it is supplied. The recommended sequence for mounting and connection is as follows: • Mount the mGuard rs4000/rs2000 Switch on a grounded 35 mm DIN rail according to DIN EN 60715. [Figure 2-3: Mounting the mGuard rs4000/rs2000 Switch on a DIN rail] • Attach the top snap-on foot of the mGuard rs4000/rs2000 Switch to the DIN rail and then press the mGuard rs4000/rs2000 Switch down towards the DIN rail until it engages with a click. Removal: • Remove or disconnect the connections. • To remove the mGuard rs4000/rs2000 Switch from the DIN rail, insert a screwdriver horizontally in the locking slide under the housing, pull it down (without tilting the screwdriver) and then pull up the mGuard rs4000/rs2000 Switch. 2.3.2 Connecting to the network. NOTE: Risk of material damage due to incorrect wiring: Only connect the device network ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the device. • Connect the device to the network. To do this, you need a 
151. here the sockets cannot be accessed, an adequate disconnecting device must be installed during installation (e.g., an approved disconnector). Sufficient air circulation must be ensured. If several mGuard centerport² devices are stacked, one or 19" fan trays must be provided to discharge the accumulated warm air. The control cabinets used must conform to the requirements of fire protection casings and mechanical protection according to EN 60950-1. For information on installing the mGuard centerport², please refer to the "Quickrails installation instructions" provided with the device. 7.3.4 Starting (booting) the mGuard centerport². • Switch on the device by pressing the ON/OFF button. • After switching on the device, the status LED lights up (green). Another LED (orange) lights up each time the non-volatile memory is accessed. • The device boots the firmware and is ready to operate. • The display shows status messages of the mGuard firmware. 7.3.4.1 Boot options - when monitor and keyboard are connected. If a monitor and a keyboard are connected to the device, the following options are available: following switch on; following a restart. The boot messages from the BIOS are initially displayed on the monitor. mGuard centerport²: If the boot menu is to be displayed, press one of the direction keys several times. GNU GRUB version 0.97 637K lower s
152. hes for a DHCP server via the LAN interface in order to obtain an IP address. (Exception: if an SD card is inserted into the device with corresponding firmware, the rescue system is started from there.) The Stat LED flashes. The "install.p7s" file is loaded from the TFTP server or SD card. It contains the electronically signed control procedure for the installation process. Only files that are signed are executed. The control procedure deletes the current contents of the Flash memory and prepares for a new firmware installation. The Stat, Mod, and Sig LEDs form a running light. The "jffs2.img.p7s" firmware file is downloaded from the TFTP server or SD card and written to the Flash memory. This file contains the actual mGuard operating system and is signed electronically. Only files signed by Innominate are accepted. This process takes around 3 to 5 minutes. The Stat LED is lit continuously. The new firmware is extracted and configured. This procedure takes 1 to 3 minutes. As soon as the procedure is complete, the Stat, Mod, and Sig LEDs flash green simultaneously. • Restart the mGuard. To do so, press the Reset button. (Alternatively, disconnect the power supply and then connect it again.) The mGuard is in the delivery state. You can now configure it again (see "Establishing a local configuration connection" on page 65). mGuard rs4000/rs2000 3G: 3.9 Hardware properties Platf
153. mGuard pci: 9 mGuard pci. Table 9-1: Available mGuard pci versions: HW 102050; HW 102020; BD 111020; BD 111010. The mGuard pci is a card which can be inserted into a PCI slot and operated in two modes: In driver mode, the mGuard pci provides the computer in which the card is installed with all mGuard functions, as well as acting as a normal network card. In Power over PCI mode, an existing network card in the computer or another computer network can be connected. [Figure 9-1: mGuard pci] 9.1 Operating elements and LEDs. 9.1.1 mGuard pci. [Figure 9-2: Operating elements and LEDs on the mGuard pci (LAN green, LAN red, WAN green, WAN red)] Table 9-2: LEDs on the mGuard pci (columns: LEDs, State, Meaning). WAN, LAN, Red, Flashing: Boot process. When the computer is started or restarted. Flashing: System error. Restart the device. • Press the Reset button (for 1.5 seconds). • Alternatively, briefly disconnect the device power supply and then connect it again. If the error is still present, start the recovery procedure (see "Performing a recovery procedure" on page 176) or contact your dealer. WAN, LAN, Green, On or flashing: Ethernet status. Indicates the status of the LAN or WAN interface. As soon as the device is connected, a continuous light indicates that there is a connection to the network partner. When data packets a
154. hould be entered after the IP address, e.g., https://123.45.67.89:442/. The device can then be configured via the web interface. For additional information, please refer to the software reference manual. mGuard rs4000/rs2000 Switch: 2.8 Restart, recovery procedure, and flashing the firmware. The reset button is used to set the device to one of the following states: performing a restart; performing a recovery procedure; flashing the firmware/rescue procedure. [Figure 2-6: Reset button] 2.8.1 Performing a restart. Objective: The device is restarted with the configured settings. Action: • Press the reset button for around 1.5 seconds until the Err LED lights up. (Alternatively, disconnect the power supply and then connect it again.) mGuard rs4000/rs2000 Switch: 2.8.2 Performing a recovery procedure. Objective: The network configuration (but not the rest of the configuration) is to be reset to the delivery state, as it is no longer possible to access the device. Use the recovery procedure in case you have forgotten the IP address under which the device can be accessed. The following network setting is restored: Table 2-4: Restored network setting (columns: Network mode, Management IP #1, Management IP #2). The mGuard is reset to router mode with the fixed IP address. The CIFS integrity monitoring function is also disabled because this only works
155. ia a plug in screw terminal block  which is located on the  top of the device           Figure 3 7 Connecting the supply voltage  mGuard rs4000 3G     Table 3 3 Supply voltage mGuard rs4000 rs2000 3G    ov 24v OW       The mGuard rs4000 3G has a redundant supply voltage  If you only connect one supply  voltage  you will get an error message     e Remove the plug in screw terminal blocks for the power supply and the service con   tacts     e Wire the supply voltage lines of the X4 mGuard screw terminal block  Tighten the  screws on the screw terminal blocks with 0 5     0 8 Nm     e     Insert the plug in screw terminal blocks into the intended sockets on the top of the  mGuard     Status LED P1 lights up green when the supply voltage has been connected properly  On  the mGuard rs4000 3G  the status indicator P2 also lights up if there is a redundant supply  voltage connection     The mGuard boots the firmware  The Stat LED flashes green  The mGuard is ready for op   eration as soon as the Ethernet socket LEDs light up  Additionally  the P1 P2 LEDs light up  green and Stat LED flashes green at heartbeat     Redundant voltage supply  mGuard rs4000 3G     A redundant supply voltage can be connected  Both inputs are isolated  The load is not dis   tributed  With a redundant supply  the power supply unit with the higher output voltage sup   plies the mGuard rs4000 3G alone  The supply voltage is electrically isolated from the hous     ing     Innominate Security Technologies 11500
156. ial rs    Signal LED If the signal LED is OFF  this generally indicates that the defined VPN connection is not  present  Either the VPN connection was not established or it has failed due to an error     If the signal LED is illuminated  the VPN connection is present     If the signal LED is flashing  the VPN connection is being established or released     Analog line  for integrated modem     WARNING  The analog connections  TIP  RING  should only be connected to the tele   communications cable provided     The TIP and RING contacts are for connection to the fixed line telephone network  analog  connection      For the contact designations specified on the front plate  the following designations are usu   ally used in Germany     TIP a RING   b    ISDN line  with integrated ISDN terminal adapter     WARNING  The ISDN connections  TX   TX   RX   RX   should only be connected to an  ISDN S0 bus     Contacts TX   TX   RX   and RX  are designed for connection to ISDN and identify the  mGuard industrial rs as a device in the ISDN network  The table below describes the as   signment of the contacts to 8 pos  connections both for plugs and for sockets  for example  RJ45     Table 12 3 Assignment of the contacts to 8 pos  connections    TE  Guard    a o    In the case of direct connection to an ISDN NTBA  the mGuard connections must be estab   lished as follows     NTBA a1        gt  mGuard Pin 9  Rx    NTBA 22        gt  mGuard Pin 7  Tx    NTBA b1        gt  mGuard Pin 10  Rx    N
157. [Screenshots: German-language Windows XP Found New Hardware Wizard dialogs for installing the Innominate mGuardPCI driver, including the warning that the software has not passed Windows Logo testing and the option to continue the installation.]
158. mGuard centerport

Action: To flash the firmware or to perform the rescue procedure, proceed as follows:

NOTE: All configured settings are deleted. The mGuard is set to the delivery state.

In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again.

NOTE: Do not interrupt the power supply to the mGuard during any stage of the flashing procedure. Otherwise, the device could be damaged and may have to be reactivated by the manufacturer.

1. Restart/boot the device.
2. As soon as the device boots, press one of the arrow keys on the keyboard several times until the boot process is interrupted: ↑, ↓, ← or →.
3. The boot menu is displayed:

    GNU GRUB version 0.97 (637K lower / 130040K upper memory)

    Boot rootfs1
    Boot rootfs2
    Check the file system(s) of firmware on rootfs1
    Check the file system(s) of firmware on rootfs2
    Start rescue procedure via DHCP BOOTP TFTP
    Start rescue procedure from CD / DVD, USB stick or SD Card

    Use the ↑ and ↓ keys to select which entry is highlighted.
    Press enter to boot the selected OS or 'p' to enter a
    password to unlock the next set of features.

Figure 7-6 mGuard centerport: boot menu

4. Select one of the options to perform the rescue procedure using the arrow keys ↓ or ↑: Start rescue procedure via DHCP BOOTP TFTP, OR Start rescue procedure from CD / DVD, USB stick or
159. indow

Following successful transmission, the next window opens.

Assigning IP addresses and setting up DHCP/TFTP servers

Step 6: Finishing IP address assignment

The window that opens informs you that address assignment has been successfully completed. It gives an overview of the IP parameters that have been transmitted to the device with the MAC address shown.

To assign IP parameters for additional devices:
- Click on "Back".

To exit IP address assignment:
- Click on "Finish".

If required, the IP parameters set here can be changed on the mGuard web interface under "Network >> Interfaces".

14.2 Installing the DHCP and TFTP server

Installing a second DHCP server in a network could affect the configuration of the entire network.

Under Windows

Install the program provided in the download area at www.innominate.com.
- If the Windows computer is connected to a network, disconnect it from the network.
- Copy the firmware to an empty folder on the Windows computer.
- Start the TFTPD32.EXE program.

The host IP to be specified is: 192.168.10.1. It must also be used as the address for the network card.
- Click on Browse to switch to the folder where the mGuard image files are saved: install.p7s, jffs2.img.p7s
- If a major release upgrade o
160. is a reset key which can be used to perform a restart  The res     cue procedure and therefore the reloading of mGuard firmware is initiated via the boot  menu        Reset button    Figure 11 7 Reset button    11 8 Performing a restart    Objective The device is restarted with the configured settings     Action e Press the Reset button    Alternatively  disconnect the power supply and then connect it again      115007_en_02 Innominate Security Technologies 209    mGuard centerport    Objective    Action    11 8 1 Performing a recovery procedure    The network configuration  but not the rest of the configuration  is to be reset to the delivery  state  as it is no longer possible to access the mGuard     When performing the recovery procedure  the default settings are established     Table 11 5 Preset addresses    Default setting Management IP  1   Management IP  2  mode    The settings configured for VPN connections and the firewall are retained  including pass   words        Possible reasons for performing the recovery procedure        The mGuard is in PPPoE mode        The configured device address of the mGuard differs from the default setting       The current IP address of the device is not known     Up to date information on the recovery and flashing procedure can be found in the appli   cation note for your mGuard firmware version            Application notes are available in the download area at www innominate com      Requirement  a monitor and a keyboard are connect
161. is restarted with the configured settings.

Action:
- Press the Reset button for around 1.5 seconds until both red LEDs light up. (Alternatively, disconnect the power supply and then connect it again.)

mGuard blade

10.7.2 Performing a recovery procedure

Objective: The network configuration (but not the rest of the configuration) is to be reset to the delivery state, as it is no longer possible to access the mGuard.

When performing the recovery procedure, the default settings are established.

Table 10-5 Preset addresses (columns: Default setting, Network mode, Management IP #1, Management IP #2)

mGuard blade controller: Router, https://192.168.1.1/

The settings configured for VPN connections and the firewall are retained, including passwords.

Possible reasons for performing the recovery procedure:
- The mGuard is in PPPoE mode.
- The configured device address of the mGuard differs from the default setting.
- The current IP address of the device is not known.

Up-to-date information on the recovery and flashing procedure can be found in the application note for your mGuard firmware version.

You can find application notes under the following Internet address: www.innominate.com

Action:
- Slowly press the Reset button six times. After approximately 2 seconds, the LAN LED lights up red.
- Press the Reset button slowly again six times. If successful, the LAN LED lights up red. If
162. issing     The scope of supply includes          mMGuard delta       Package slip       One5V DC power supply      Two UTP Ethernet cables    115007_en_02 Innominate Security Technologies 145    mGuard delta  8 3 Connecting the mGuard delta    WARNING  The serial interface  DE 9 plug in connection  must not be connected directly  to the telecommunications connections  To connect a serial terminal or a modem  use a  serial cable with DE 9 connector     The maximum cable length of the serial cable is 30 m     ae  EREE ee o  3 2 1 D    Console 7 6 5 4 C  5  V 34       serial console Ethernet LAN Ethernet WAN Reserved Power supply    Figure 8 3 mGuard delta connections    Connecting the mGuard delta        Connect the power supply  5 V DC  3 A  to the    DC  5V  3A    socket of the  mGuard delta        Connect the local computer or the local network to one of the Ethernet LAN connections   4 to 7  of the mGuard delta using a UTP Ethernet cable  CAT5      146 Innominate Security Technologies 115007_en_02    115007_en_02    mGuard delta    8 4 Preparing the configuration    8 4 1 Connection requirements    mGuard delta        The mGuard delta must be connected to its power supply        For local configuration  The computer used for configuration       Must be connected to the LAN switch  Ethernet socket 4 to 7  of the mGuard       Or must be connected to the mGuard via the local network         For remote configuration  The mGuard must be configured so that remote configura   tion
163. it is only used for the  power supply     The mGuard is in the delivery state  You can now configure it again  see    Establishing a  local configuration connection    on page 117      122 Innominate Security Technologies 115007_en_02    Hardware properties    Platform    Network interfaces    Other interfaces  Drives  Redundancy options    Power supply    Power consumption    Temperature range    Humidity range   Degree of protection  Dimensions  H x W x D   Weight    Firmware and power values    Firmware compatibility    Data throughput  router   firewall     Hardware based encryption    Encrypted VPN throughput  AES 256     Management support    Diagnostics    Other    Conformance    Special features    115007_en_02    mGuard smart  smart    6 9 Technical data    mGuard smart     Freescale network processor  with 330 MHz clocking    1 LAN port  1 WAN port  Ethernet IEEE 802 3 10 100 Base TX    RJ45   full duplex   auto MDIX    Serial via USB connection  Depending on the firmware used    Via USB interface  5 V at 500 mA   Optional  external power supply unit  110 V     230 V     2 5 W  maximum    0  C      40  C  operation    20  C      60  C  storage     20      90  during operation  non condensing  IP30   27x77x115mm   131g    For mGuard v7 2 or later  Innominate recommends the use of the latest firm   ware version and patch releases in each case     For the scope of functions  please refer to the relevant firmware data sheet     Router mode  default firewall rules  bidir
164. ith FCC RF exposure limits set forth for an uncontrolled environment. The antenna(s) used for this transmitter must be installed and operated with a minimum separation distance of 20 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter except in accordance with the FCC multi-transmitter policy.

Table of contents

1 mGuard rs4000/rs2000
  1.1 Operating elements and LEDs
  1.2 Startup
  1.3 Installation of mGuard rs4000/rs2000
  1.4 Preparing the configuration
  1.5 Configuration in Stealth mode
  1.6 Establishing a local configuration connection
  1.7 Remote configuration
  1.8 Restart, recovery procedure, and flashing the firmware
  1.9 Technical data
2 mGuard rs4000/rs2000 Switch
  2.1 Operating elements and LEDs
  2.2 Startup
  2.3 Installing the mGuard rs4000/rs2000 Switch
165. mGuard smart

6.5.1 IP address 192.168.1.1

In Stealth mode, the mGuard can be accessed via the LAN interface via IP address 192.168.1.1 within network 192.168.1.0/24, if one of the following conditions applies:
- The mGuard is in the delivery state.
- The mGuard was reset to the default settings via the web interface and restarted.
- The rescue procedure (flashing of the mGuard) or the recovery procedure has been performed.

With a configured network interface

To access the configuration interface, it may be necessary to adapt the network configuration of your computer.

Under Windows 7, proceed as follows:
- In the Control Panel, open the "Network and Sharing Center".
- Click on "LAN connection". (The "LAN connection" item is only displayed if a connection exists from the LAN interface on the computer to a mGuard in operation or another partner.)
- Click on "Properties".
- Select the menu item "Internet protocol Version 4 (TCP/IPv4)".
- Click on "Properties".
- First select "Use the following IP address" under "Internet Protocol Version 4 Properties", then enter the following address, for example:

  IP address: 192.168.1.2
  Subnet mask: 255.255.255.0
  Default gateway: 192.168.1.1

Depending on the configuration of the mGuard, it may then be necessary to adapt the network interface of the locally connected computer or network accordingly.
166. l  the  mGuard must be installed  operated  and maintained correctly     NOTE  Risk of material damage due to incorrect wiring   Only connect the mGuard network ports to LAN installations  Some telecommunications  connections also use RJ45 sockets  these must not be connected to the RJ45 sockets of  the mGuard     For connecting a modem or serial terminal to the RS 232 interface  you will need a null  modem cable not exceeding 10 m in length     NOTE  Risk of material damage due to emissions    This is a Class A item of equipment  This equipment can cause radio interference in resi   dential areas  in this case  the operator may be required to implement appropriate mea   sures     NOTE  Electrostatic discharge    When handling the device  observe the necessary safety precautions against electrostat   ic discharge  ESD  according to EN 61340 5 1 and IEC 61340 5 1        General notes regarding usage    NOTE  Select suitable ambient conditions      Ambient temperature     40  C      60  C      Maximum humidity  non condensing    5      95     To avoid overheating  do not expose the mGuard to direct sunlight or other heat sources     Q NOTE  Cleaning  Clean the device housing with a soft cloth  Do not use aggressive solvents     3 2 2 Checking the scope of supply       Before startup  check the scope of supply to ensure nothing is missing     The scope of supply includes         The device      Package slip        Plug in screw terminal blocks for the power supply connection and
167. [Screenshot: German-language Windows "Internet Protocol Version 4 (TCP/IPv4)" properties dialog with IP address 192.168.1.2, subnet mask 255.255.255.0 and default gateway 192.168.1.1 entered]

Figure 9-11 Internet Protocol (TCP/IP) Properties

Default gateway

Once you have configured the network interface, you should be able to access the mGuard's configuration interface with a web browser by going to the URL "https://1.1.1.1/".

mGuard pci

If this is not possible, the default gateway of your computer probably cannot be accessed. In this case, your computer should be simulated as follows:

Initializing the default gateway

Determine the currently valid default gateway address.

Under Windows XP, carry out the steps described under "Configuring the network interface" on page 170 to open the "Internet Protocol (TCP/IP) Properties" dialog box.
If no IP address has been specified for the default gateway in this dialog box (e.g., because "Obtain an IP addre
168. l startup, the mGuard transmits BootP requests without interruption until it receives a valid IP address. After receiving a valid IP address, the mGuard no longer sends BootP requests. The FL MGUARD can then no longer be accessed via IP address 192.168.1.1.

After receiving a BootP reply, the mGuard no longer sends BootP requests, not even after it has been restarted. For the mGuard to send BootP requests again, it must either be set to the default settings or one of the procedures (recovery or flash) must be performed.

Requirements

The mGuard is connected to a computer using a Microsoft Windows operating system.

Web-based administrator interface
If you have forgotten the configured address
If the administrator web page is not displayed

mGuard delta

4.6 Establishing a local configuration connection

The mGuard is configured via a web browser that is executed on the configuration computer.

NOTE: The web browser used must support SSL encryption (i.e., HTTPS).

The mGuard can be accessed via one of the following addresses:

Table 4-4 Preset addresses (columns: Default setting, Network mode, Management IP #1, Management IP #2)

mGuard delta: https://1.1.1.1/, https://192.168.1.1/

Proceed as follows:
- Start a web browser.
- Make sure that the browser, when it is started, does not automatically establish a connection as otherwise the connection establishment to the mGuard
169. le 3 2 LEDs on the mGuard rs4000 3G and mGuard rs2000 3G    Green  On   Power supply 1 is active  Power supply 2 is active  mGuard rs2000 3G  not used   Flashing Heartbeat  The device is correctly connected and operating     Flashing System error  Restart the device       Press the Reset button  for 1 5 seconds        Alternatively  briefly disconnect the device power supply and then connect it  again   If the error is still present  start the recovery procedure  see Page 69  or contact  your dealer     Stat   Err Flashing alternately    Boot process  When the device has just been connected to the power supply   green and red After a few seconds  this LED changes to the heartbeat state      On  Connection via modem established    On The signal output takes low level due to an error  inverted logic   The signal output  is inactive during a restart        52 Innominate Security Technologies 115007_en_02    m Guard rs4000 rs2000 3G    Table 3 2 LEDs on the mGuard rs4000 3G and mGuard rs2000 3G          Up to firmware version8 0   to Up to firmware version8 0   version 8 0 As of firmware version 8 1    The configured VPN connection has The configured VPN connections are   been established at output O1  established at output O1 or the firewall  rule records defined at output O1 are  activated     Pena    J l    Flashing The configured VPN connection is The configured VPN connections are   being established or aborted at output   being established or aborted at output   O1  O1 or t
170. les with bend protection on the plugs.

Cover unused sockets with the dust protection caps provided.

Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the mGuard.

LAN port
- Connect the local computer or the local network to the LAN port of the mGuard using a UTP Ethernet cable (CAT5).

mGuard industrial rs

If your computer is already connected to a network, patch the mGuard between the existing network connection.

Please note that configuration can only be completed via the LAN interface and that the firewall of the mGuard industrial rs blocks all IP data traffic from the WAN to the LAN interface.

WAN port
- Use a UTP cable (CAT5).
- Connect the external network via the WAN socket, e.g., WAN, Internet. (Connections to the remote device or network are established via this network.)

Driver installation is not required.

For security reasons, we recommend you change the default root and administrator passwords during initial configuration.

Connection options on the lower terminal block

The mGuard industrial rs is available in three versions, which can be distinguished by the connection options on the lower terminal strip.

[Figure: lower terminal strips of the three versions; LED labels P1/P2, Modem/Fault, State/Error]
171. lock from the bottom of the mGuard industrial rs and wire the sig   nal lines and other connections as required  see    Connection options on the lower ter   minal block    on page 220      e     Tighten the screws on the screw terminal blocks with at least 0 22 Nm   Wait to insert the terminal block base     e Mount the mGuard industrial rs on a grounded 35 mm DIN rail according to  DIN EN 60715   The device conducts the grounding provided by the DIN rail through the left hand con   tact  ground connection  of the lower terminal strip   eee     es  L       Yj  gp  A    Yj  p          f    Figure 12 3 Mounting the mGuard industrial rs on a DIN rail       W       Attach the top snap on foot of the mGuard industrial rs to the DIN rail and then press   the mGuard industrial rs down towards the DIN rail until it engages with a click    Insert the wired terminal block    e Connect the supply voltage at the top of the terminal block  see    Connecting the supply  voltage    on page 219     e Make any necessary network connections at the LAN port or WAN port  see    Connect   ing to the network    on page 219      e Connect the corresponding device at the Serial port as required  see    Serial port    on  page 223      Removal e Remove or disconnect the connections     218    Innominate Security Technologies 115007_en_02    mGuard industrial rs    e To remove the mGuard industrial rs from the DIN rail  insert a screwdriver horizontally  in the locking slide under the housing  pull i
172. lth configuration or use another net   work mode     Innominate Security Technologies 169    mGuard pci    9 5 Configuration in Stealth mode    Installing the PCI card    e Ifthe PCI card has not yet been installed in your computer  first proceed as described  under    Installing the hardware    on page 164     Installing the drivers    e     If you have configured the mGuard for Driver mode  make sure that the drivers are in   stalled as described under    Installing drivers    on page 165     Configuring the network interface    If the mGuard        ls operated in Driver mode and the LAN interface  network interface of the computer   has not yet been configured or        ls operated in Power over PCI mode and the network interface of the computer that  is connected to the LAN interface of the mGuard has not yet been configured   This network interface must be configured before the mGuard can be configured    Under Windows XP  proceed as follows to configure the network interface    e Click on    Start  Control Panel  Network Connections        e     Right click on the LAN adapter icon to open the context menu  In the context menu   click on    Properties        e In the    Properties of local network LAN connections    dialog box  select the    General     tab     e Under    This connection uses the following items     select    Internet Protocol  TCP IP       e Then click on    Properties    to display the following dialog box     a       Eigenschaften von Internetprotokol
173. ly short circuit proof and supply  a maximum of 250 mA     The switching inputs and switching outputs can be connected with signals from external de   vices  e g   with PLC signals  In this case  ensure the same potential as well as voltage and  current specifications are defined     Depending on the firmware version used  the service contacts can be used for various  switching or signaling tasks     Innominate Security Technologies 57    m Guard rs4000 rs2000 3G    Input CMD 11  CMD 12    Operating a connected  push button    Operating a connected  on off switch    Signal contact  signal out   put  ACK O1  O2    Alarm output ACK O3    Operating a connected  push button    Service contacts as of firmware version 8 1    Via the web interface under    Management  Service I O     you can set whether a push button  or an on off switch has been connected to the inputs  One or more freely selectable VPN  connections or firewall rule records can be switched via the corresponding switch  A mixture  of VPN connections and firewall rule records is also possible  The web interface displays  which VPN connections and which firewall rule records are connected to this input     The push button or on off switch is used to establish and release predefined VPN connec   tions or the defined firewall rule records     e To switch on the selected VPN connections or firewall rule records  press and hold the  push button for a few seconds and then release the push button     e To switch off the sel
174. ly source via the two  mains input sockets  100   240 V AC    9  Connect the network connections   see    Connecting network connections    on  page 201   10  Optional   Connect a PC monitor to the VGA port  not supplied as standard    Connect a PC keyboard to one of the USB connections  not supplied as standard    The monitor and keyboard must only be connected      inorder to use one of the boot options upon starting  booting  mGuard centerport    see    Boot options   when monitor and keyboard are connected    on page 202       inorder to perform a rescue procedure or recovery procedure  See    Restart  recov   ery procedure  and flashing the firmware    on page 209  The keyboard and monitor do not need to be connected to start and operate the device   Innominate Security Technologies 115007_en_02    mGuard centerport    11 3 2 Connecting network connections    WARNING  Only connect the mGuard network ports to LAN installations     Some telecommunications connections also use RJ45 sockets  these must not be con   nected to the RJ45 sockets of the mGuard        LAN port   e Connect the local computer or the local network to the LAN port of the mGuard using a  UTP Ethernet cable  CAT5     WAN port    e Use a UTP cable  CAT5    e Connect the external network via the WAN socket  e g   WAN  Internet    Connections to the remote device or network are established via this network      COM1  Serial port    NOTE  The serial interface  D SUB socket  must not be connected directly to
175. mGuard

Figure 4-3 Low voltage plug of the power supply unit

The status LED PWR lights up green when the supply voltage has been connected properly. The mGuard boots the firmware. Status LED STAT flashes green.

The mGuard is ready for operation as soon as the LAN/WAN LEDs of the Ethernet socket light up.

Additionally, the status LED PWR lights up green and the status LED STAT flashes green at heartbeat.

mGuard delta

4.4 Preparing the configuration

4.4.1 Connection requirements

- The mGuard delta must be connected to its power supply.
- For local configuration: The computer that is to be used for configuration must be connected to the LAN socket on the mGuard.
- For remote configuration: The mGuard must be configured so that remote configuration is permitted.
- The mGuard must be connected, i.e., the required connections must be working.

4.4.2 Local configuration on startup (EIS)

As of firmware version 7.2, initial startup of mGuard products provided in Stealth mode is considerably easier. From this version onwards, the EIS (Easy Initial Setup) procedure enables startup to be performed via preset or user-defined management addresses without actually having to connect to an external network.

The mGuard is configured using a web browser on the computer used for configuration.

NOTE: The web browser used must support S
176. mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there.

Proceed as follows:
- Start the web browser on the remote computer.
- Under address, enter the IP address where the mGuard can be accessed externally over the Internet or WAN, together with the port number (if required).

If the mGuard can be accessed over the Internet, for example, via address https://123.45.67.89/ and port number 443 has been specified for remote access, the following address must be entered in the web browser of the remote peer: https://123.45.67.89/

If a different port number is used, it should be entered after the IP address, e.g., https://123.45.67.89:442/

The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual.

mGuard smart

6.8 Restart, recovery procedure, and flashing the firmware

The Reset button is used to set the device to one of the following states:
- Performing a restart
- Performing a recovery procedure
- Flashing the firmware/rescue procedure

Figure 6-5 Reset button (located in the opening; can be pressed with a straightened paper clip, for example)

6.8.1 Performing a restart

Objective: The device is restarted with the configured settings.
Action:
- Press the Reset button for around 1.5 seconds until the middle LED lights up i
177. maximum
Stealth mode, default firewall rules, bidirectional throughput: 25 Mbps, maximum

When using the DMZ as independent network zone, the maximum possible data throughput is distributed to the three zones.

Web GUI (HTTPS) | command line interface (SSH) | SNMP v1/2/3 | central device management software

13 LEDs (Power 1/2, State, Error, Signal, Fault, Modem, Info, Signal Status, SIM Status) | service I/O | log file | remote Syslog

mGuard rs4000 Switch, mGuard rs2000 Switch

Realtime clock | Trusted Platform Module (TPM) | temperature sensor | mGuard Secure Cloud ready

mGuard rs4000/rs2000 3G

3 mGuard rs4000/rs2000 3G

Table 3-1: Available mGuard rs4000/rs2000 3G versions

Available versions | Order No.
mGuard rs4000 4TX/3G/TX VPN | BD 703000
mGuard rs2000 4TX/3G VPN | HW 108030

The mGuard rs4000 3G is suitable for distributed protection of production cells or individual machines against manipulation.

It features a 4-port managed LAN switch and an industrial 3G mobile communication modem for GPRS, UMTS, and CDMA networks with a download speed of up to 14.4 Mbps.

The mobile communication interface can be switched to WAN interface as redundancy path. A dedicated DMZ port with its own firewall rules enables segmentation and differentiated safety concepts. The GPS/GLONASS receiver enables time synchronization and location services. You can integrate automation devices with serial interface
178. mote Syslog

CE | FCC | UL 508
Operating modes with/without driver via PoPCI

mGuard blade

10 mGuard blade

Table 10-1: Available versions

mGuard blade/533 | HW 104050
mGuard blade/266 | HW 104020
mGuard bladebase | HW 104500
mGuard bladepack/533 | HW 104850
mGuard bladepack/266 | HW 104820

The mGuard blade consists of the mGuard bladebase, which can be built into standard 3 U racks (19 inch) without problems and accommodate up to 12 mGuard blades and one mGuard blade controller. This device version is therefore ideal for use in industrial applications, where several server systems can be protected individually and independently of one another.

An additional serial interface enables remote configuration via a telephone dial-up connection or a terminal.

Figure 10-1: mGuard blade

10.1 Operating elements and LEDs

Figure labels: Serial, WAN red, WAN green, LAN red, LAN green, Reset button
179. n find application notes under the following Internet address: www.innominate.com

Action:
- Slowly press the Reset button six times. After approximately 2 seconds, the STAT LED lights up green.
- Slowly press the Reset button again six times. If successful, the STAT LED lights up green. If unsuccessful, the ERR LED lights up red.

If successful, the device restarts after two seconds and switches to Stealth mode. The device can then be reached again under the corresponding addresses.

mGuard delta²

4.8.3 Flashing the firmware/rescue procedure

Objective: The entire firmware of the mGuard should be reloaded on the device.
- All configured settings are deleted. The mGuard is set to the delivery state.
- In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again.

Possible reasons: The administrator and root password have been lost.

Requirements for flashing

NOTE: During flashing, the firmware is always loaded from an SD card first. The firmware is only loaded from a TFTP server if no SD card is found.

The following requirements apply when loading the firmware from an SD card:
- All necessary firmware files must be located in a common directory on the first partition of the SD card.
- This partition must use a VFAT file system (standard type for SD c
180. n keys or Da
2. Then press the Enter button.

mGuard centerport

Boot options

Boot firmware A
Start the primary firmware version on the device (A). The default setting; it is applied if the user does not intervene during startup.

Boot firmware B
Not supported by the current firmware version.

Check the file system(s) of firmware A
If required, checks and repairs all firmware file systems.
This menu item is only to be used in special cases when the user has the appropriate knowledge or upon instruction from the dealer support team. The mGuard firmware checks and repairs the file systems, if required, even during the normal startup process. The firmware uses its file systems in a highly robust manner when the mass storage device cache is switched off, so that there is not usually any need for repairs.

Check the file system(s) of firmware B
Not supported by the current firmware version.

Start rescue procedure via DHCP/BootP/TFTP
Start rescue procedure from CD/DVD
Start rescue procedure from USB mass storage
"Restart, recovery procedure, and flashing the firmware" on page 209

11.4 Preparing the configuration

11.4.1 Connection requirements

- For mGuard centerport, the two power supply units must be connected to the power supply source/to the mains. If only one power supply unit is connected
181. n red.

Alternatively, you can disconnect and insert the USB cable (as it is only used for the power supply).

mGuard smart²/smart

6.8.2 Performing a recovery procedure

Objective: The network configuration (but not the rest of the configuration) is to be reset to the delivery state, as it is no longer possible to access the mGuard.

When performing the recovery procedure, the default settings are established:

Table 6-5: Preset addresses

Default setting (mode) | Management IP 1 | Management IP 2
Stealth | https://1.1.1.1 | https://192.168.1.1

The mGuard is reset to Stealth mode with the default setting "multiple Clients".
- The CIFS integrity monitoring function is also disabled because this only works when the management IP is active.
- In addition, MAU management is switched on for Ethernet connections. HTTPS access is enabled via the local Ethernet connection (LAN).
- The settings configured for VPN connections and the firewall are retained, including passwords.

Possible reasons for performing the recovery procedure:
- The mGuard is in Router or PPPoE mode.
- The configured device address of the mGuard differs from the default setting.
- The current IP address of the device is not known.

Up-to-date information on the recovery and flashing procedure can be found in the application note for your mGuard firmware version.

You can find application notes under
182. n routers 192.168.134.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.134.255;

This example configuration provides 20 IP addresses (.100 to .119). It is assumed that the DHCP server has the address 192.168.134.1 (settings for ISC DHCP 2.0).

The required TFTP server is configured in the following file: /etc/inetd.conf

- In this file, insert the corresponding line or set the necessary parameters for the TFTP service. (Directory for data: /tftpboot)

tftp dgram udp wait root /usr/sbin/in.tftpd -s /tftpboot

The mGuard image files must be saved in the /tftpboot directory: install.p7s, jffs2.img.p7s

- If a major release upgrade of the firmware is carried out by flashing, the license file purchased for the upgrade must also be stored here under the name licence.lic.
  Make sure that this is the correct license file for the device (under "Management >> Update" on the web interface).
- Then restart the inetd process to apply the configuration changes.
- When using a different mechanism, e.g., xinetd, please consult the relevant documentation.

Assigning IP addresses and setting up DHCP/TFTP servers
183. mGuard pci² SD

Configuring the mGuard pci² SD

- Enter the following address into the browser: https://1.1.1.1
  The connection to the mGuard pci² SD is established. (If not, see Section 5.5.2.)

A security message indicating a possible invalid/not trusted certificate is displayed. This message results from the use of an mGuard certificate from Innominate that is not yet known to the browser but necessary for encryption of the communication.

- Acknowledge this message with "Accept this certificate always/temporarily" (Mozilla Firefox), "Continue loading this website" (Internet Explorer), "Continue anyway" (Google Chrome).
- Click "Yes" to acknowledge the security alert.

The login window is displayed.

Figure 5-4: Login

- To log in, enter the preset user name and password (please note these settings are case-sensitive):

User Name: admin
Password: mGuard

To configure the device, make the desired or necessary settings on the individual pages of the mGuard web interface.

For security reasons, we recommend you change the default root and administrator passwords during initial configuration (in the web interface under "Authentication >> Administrative Users").

5.5.2 Starting up the mGuard pci² SD via a temporary management IP address

If the mGuard pci² SD is connected with
184. ndancy options, Power supply, Power consumption, Humidity range, Degree of protection, Temperature range, Dimensions (H x W x D), Weight, Firmware and power values, Firmware compatibility, Data throughput (router | firewall), Virtual Private Network (VPN), Hardware-based encryption, Encrypted VPN throughput (AES-256), Management support, Diagnostics, Other, Conformance, Special features

mGuard rs4000/rs2000

Technical data: mGuard rs4000
- Freescale network processor with 330 MHz clocking
- 1 LAN port | 1 WAN port, Ethernet IEEE 802.3 10/100 BaseTX, RJ45 | full duplex | auto MDIX
- Serial RS-232 | D-SUB 9 connector, 2 digital inputs and 2 digital outputs
- 128 MB RAM | 128 MB Flash | SD card, replaceable configuration memory
- Optional: VPN | router and firewall
- Voltage range 11 ... 36 V DC, redundant
- 2.13 W (typical)
- 5% ... 95% (operation, storage), non-condensing
- IP20
- 20 °C ... 60 °C (operation), 20 °C ... 60 °C (storage)
- 130 x 45 x 114 mm (up to DIN rail support)
- 725 g (TX/TX)

Technical data: mGuard rs2000
- Freescale network processor with 330 MHz clocking
- 1 LAN port | 1 WAN port, Ethernet IEEE 802.3 10/100 BaseTX, RJ45 | full duplex | auto MDIX
- Serial RS-232 | D-SUB 9 connector, 2 digital inputs and 2 digital outputs
- 128 MB RAM | 128 MB Flash | SD card, replaceable configuration memory
- Not available
- Voltage range 11 ... 36 V DC
- 2.13 W (typical)
- 5% ... 95% (operation, stor
185. nder IP address 192.168.1.1.

To access the configuration interface, it may be necessary to adapt the network configuration of your computer.

Under Windows 7, proceed as follows:
- In the Control Panel, open the "Network and Sharing Center".
- Click on "LAN connection". (The "LAN connection" item is only displayed if a connection exists from the LAN interface on the computer to a mGuard in operation or another partner.)
- Click on "Properties".
- Select the menu item "Internet protocol Version 4 (TCP/IPv4)".
- Click on "Properties".
- First select "Use the following IP address" under "Internet Protocol Version 4 Properties", then enter the following address, for example:

IP address: 192.168.1.2
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.1

Depending on the configuration of the mGuard, it may then be necessary to adapt the network interface of the locally connected computer or network accordingly.

mGuard centerport

Web-based administrator interface
If you have forgotten the configured address
If the administrator web page is not displayed

11.5 Establishing a local configuration connection

The mGuard is configured via a web browser that is executed on the configuration computer.

NOTE: The web browser used must support SSL encryption (i.e., HTTPS).

The mGuard can be accessed via one of the following addresses:

Table 11-4: Preset addre
186. nel groups with up to three thousand simultaneously active tunnels, which all belong to the same unique public IP address.

The mGuard centerport² performs secure remote services, such as remote support, remote diagnostics, remote maintenance, and condition monitoring for a large number of machines and systems via the Internet. An encrypted VPN data throughput of 600 Mbps is possible at one interface.

The mGuard centerport² is compatible with all mGuard field devices and the mGuard device manager.

The mGuard centerport² can be provided in three device versions, which determine the number of simultaneously supported active VPN tunnels: mGuard centerport², mGuard centerport² VPN 250, mGuard centerport² VPN 1000. VPN licenses can be installed later, if required.

Figure 7-1: mGuard centerport²

mGuard centerport²

7.1 Operating elements and LEDs

Figure 7-2: Operating elements and LEDs on the mGuard centerport² (front side). Labels: Front LEDs, ON/OFF button, 19" angled connector, SD card slot, USB ports, Display, 19" angled connector

Table 7-2: LEDs on the mGuard centerport²

LED | State | Meaning
Green | On | Lights up if the system is switched on
Orange | On | Lights up while hard disk is accessed

Personnel

7.2 St
187. net (10/100/1000 Base TX): WAN | LAN | SYNC | DMZ ports

Figure 7-3: mGuard centerport² (back). Labels: 2 x power supply/mains input socket (redundant wide range AC power supply unit, 100 - 240 V AC voltage source), Serial interface, VGA port

7.3.1 Connecting the device

1. Optional: Install the device in a 19" frame/industrial cabinet ("Installation in a 19" frame/industrial cabinet" on page 130).
2. Connect the two mains input sockets to the mains or power supply source (100 - 240 V AC) using a mains connecting cable.
3. Connect the network connections (see "Connecting the network connections" on page 129).
4. Optional: Connect a PC monitor to the VGA port (not supplied as standard).
5. Optional: Connect a PC keyboard to one of the USB connections (not supplied as standard).

The keyboard and monitor do not need to be connected to start and operate the device. The monitor and keyboard must only be connected:
- in order to use one of the boot options upon starting (booting) the device (see "Boot options (when monitor and keyboard are connected)" on page 130).
- in order to perform a rescue procedure or recovery procedure. See "Restart, recovery procedure, and flashing the firmware" on page 136.

mGuard centerport²

7.3.2 Connecting the network connections

WARNING: Only connect the mGuard network
188. nge, Dimensions (H x W x D), Weight, Firmware and power values, Firmware compatibility, Data throughput (router | firewall), Virtual Private Network (VPN), Hardware-based encryption, Encrypted VPN throughput (AES-256), Management support, Diagnostics, Other, Conformance, Special features

Technical data
- Freescale network processor with 330 MHz clocking
- 1 LAN port | 1 WAN port, Ethernet IEEE 802.3 10/100 Base TX, RJ45 | full duplex | auto MDIX
- Serial RS-232, D-SUB 9 connector
- 128 MB RAM | 128 MB Flash, SD card, replaceable configuration memory
- Optional: VPN | router
- External power supply unit 12 V / 0.85 A DC | 100 - 240 V / 0.4 A AC
- 2.13 W (typical)
- 5% ... 95% during operation, non-condensing
- IP20
- 0 °C ... 40 °C (operation), 0 °C ... 60 °C (storage)
- 45 x 130 x 114 mm
- 629 g

For mGuard v7.4.0 or later: Innominate recommends the use of the latest firmware version and patch releases in each case.

For the scope of functions, please refer to the relevant firmware data sheet.

Router mode, default firewall rules, bidirectional throughput: max. 99 Mbps
Stealth mode, default firewall rules, bidirectional throughput: max. 50 Mbps

IPsec (IETF standard), VPN models up to 10 tunnels. Optionally up to 250 VPN tunnels.

DES | 3DES | AES-128/192/256

Router mode, default firewall rules, bidirectional throughput: max. 35 Mbps
Stealth mode, default firewall rules, bidirectional throughput: ma
189. nger be accessed via IP address 192.168.1.1.

mGuard industrial rs

12.5.1 IP address 192.168.1.1

In Stealth mode, the mGuard can be accessed via the LAN interface via IP address 192.168.1.1 within network 192.168.1.0/24, if one of the following conditions applies:
- The mGuard is in the delivery state.
- The mGuard was reset to the default settings via the web interface and restarted.
- The rescue procedure (flashing of the mGuard) or the recovery procedure has been performed.

With a configured network interface

To access the configuration interface, it may be necessary to adapt the network configuration of your computer.

Under Windows 7, proceed as follows:
- In the Control Panel, open the "Network and Sharing Center".
- Click on "LAN connection". (The "LAN connection" item is only displayed if a connection exists from the LAN interface on the computer to a mGuard in operation or another partner.)
- Click on "Properties".
- Select the menu item "Internet protocol Version 4 (TCP/IPv4)".
- Click on "Properties".
- First select "Use the following IP address" under "Internet Protocol Version 4 Properties", then enter the following address, for example:

IP address: 192.168.1.2
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.1

Depending on the configuration of the mGuard, it may then be necessary to adapt the netw
190. ngs ("Tools" menu, "Internet Options", "Connections" tab): Click on "Properties" under "LAN settings". Check that "Use a proxy server for your LAN" (under "Proxy server") is not activated in the "Local Area Network (LAN) Settings" dialog box.
- If other LAN connections are active on the computer, deactivate them until the configuration has been completed. Under the Windows menu "Start, Settings, Control Panel, Network Connections" or "Network and Dial-up Connections", right-click on the corresponding icon and select "Disable" in the context menu.

mGuard centerport

After successful connection establishment

Once a connection has been established successfully, a security alert may be displayed.

Explanation: As administrative tasks can only be performed using encrypted access, a self-signed certificate is supplied with the device.

- Click "Yes" to acknowledge the security alert.

The login window is displayed.

Figure 11-6: Login

- To log in, enter the preset user name and password (please note these settings are case-sensitive):

User Name: admin
Password: mGuard

The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual.

For security reasons, we recommend you change the default root and administ
191. ngs, Control Panel, Network Connections" or "Network and Dial-up Connections", right-click on the corresponding icon and select "Disable" in the context menu.

mGuard centerport²

After successful connection establishment

Once a connection has been established successfully, a security alert may be displayed.

Explanation: As administrative tasks can only be performed using encrypted access, a self-signed certificate is supplied with the device.

- Always click "Yes" to acknowledge the security alert.

The login window is displayed.

Figure 7-5: Login

- Enter your user name and password which are specified for this access type.

For access type "Administration", the user name and password are set by default (please note these settings are case-sensitive):

User Name: admin
Password: mGuard

The mGuard can then be configured via the web interface. For additional information, please refer to software reference manual.

For security reasons, we recommend you change the default root and administrator passwords during initial configuration.

Requirement, How to proceed, Example, Configuration

mGuard centerport²

7.6 Remote configuration

The mGuard must be configured so that remote configuration is permitted.
The option for remote configuration is disabled by d
192. nly connect the mGuard network ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the mGuard.

General notes regarding usage

NOTE: Connection notes
- A free PCI slot (3.3 V or 5 V) must be available on your PC when using the mGuard pci² SD.
- Do not bend connecting cables. Only use the network plug for connection to a network.

NOTE: Select suitable ambient conditions.
- Ambient temperature: 0 °C ... 60 °C (mGuard pci² SD with battery), 0 °C ... 70 °C (mGuard pci² SD without battery)
- Maximum humidity, non-condensing: 5% ... 95%

To avoid overheating, do not expose the mGuard to direct sunlight or other heat sources.

NOTE: Cleaning
Clean the device housing with a soft cloth. Do not use aggressive solvents.

5.2.2 Checking the scope of supply

Before startup, check the scope of supply to ensure nothing is missing.

The scope of supply includes:
- mGuard pci² SD
- Package slip

mGuard pci² SD

5.3 Installation of mGuard pci² SD

WARNING: This is a Class A item of equipment. This equipment can cause radio interference in residential areas; in this case, the operator may be required to implement appropriate measures.

WARNING: Safe isolation of live circuits is only guaranteed if connected devices fulfill requirements specified by VDE 0106-101 (safe isolation). The sup
193. mGuard rs4000/rs2000 Switch

2.3.4 Connecting the supply voltage

WARNING: The device is designed for operation with a DC voltage of 11 V DC ... 36 V DC/SELV.
Therefore, only SELV circuits with voltage limitations according to IEC 60950/EN 60950/VDE 0805 may be connected to the supply connections and the signal contact.

The supply voltage is connected via a plug-in screw terminal block, which is located on the top of the device.

Figure 2-4: Connecting the supply voltage (top view; mGuard rs4000 Switch: P1, P2; mGuard rs2000 Switch: P1)

The mGuard rs4000 Switch has a redundant supply voltage. If you only connect one supply voltage, you will get an error message.

- Remove the plug-in screw terminal blocks for the power supply and the service contacts.
- Wire the supply voltage lines with the corresponding screw terminal block (P1/P2) of the mGuard. Tighten the screws on the screw terminal blocks with 0.5 ... 0.8 Nm.
- Insert the plug-in screw terminal blocks into the intended sockets on the top of the device.

The P1 status LED lights up green when the supply voltage has been connected properly. On the mGuard rs4000 Switch, the P2 LED also lights up if there is a redundant supply voltage connection.

The device boots the firmware. The Stat LED flashes green. The
194. nominate.com and has been saved on the configuration computer.
- If your current firmware version is newer than the version by default upon delivery, a license must be obtained for using this update. This applies to major release upgrades, e.g., from Version 4.x.y to Version 5.x.y to Version 6.x.y, etc.
- DHCP and TFTP servers can be accessed under the same IP address.

To flash the firmware or to perform the rescue procedure, proceed as follows:

NOTE: Do not interrupt the power supply to the mGuard during any stage of the flashing procedure. Otherwise, the device could be damaged and may have to be reactivated by the manufacturer.

1. Restarting/booting the mGuard centerport.
2. As soon as the mGuard centerport boot menu appears on the monitor, preferably press one of the following direction keys: 4, < or >.
   The boot menu then continues to be displayed.

Figure 11-8: mGuard centerport boot menu (GNU GRUB version 0.97, 639K lower / 64448K upper memory). Menu entries:
- Boot firmware A
- Boot firmware B
- Check the file system(s) of firmware A
- Check the file system(s) of firmware B
- Start rescue procedure via DHCP/BootP/TFTP
- Start rescue procedure from CD/DVD
- Start rescue procedure from USB mass storage

mGuard cente
195. nt IP 1 | Management IP 2 | mode
EAGLE mGuard | https://1.1.1.1 | https://192.168.1.1

Proceed as follows:
- Start a web browser.
- Make sure that the browser, when it is started, does not automatically establish a connection as otherwise the connection establishment to the mGuard may be more difficult.

In Internet Explorer, make the following settings:
- In the "Tools" menu, select "Internet Options" and click on the "Connections" tab.
- Under "Dial-up and Virtual Private Network settings", select "Never dial a connection".
- Enter the address of the mGuard completely into the address line of the web browser (refer to Table 13-4).

You access the administrator website of the mGuard.

If the administrator web page of the mGuard cannot be accessed

If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see "Performing a recovery procedure" on page 251).

If the web browser repeatedly reports that the page cannot be displayed, try the following:
- Check whether the default gateway of the connected configuration computer is initialized (see "Local configuration on startup (EIS)" on page 243).
- Disable any active firewalls.
- Make sure that the browser does not use a proxy server.
  In Internet Explorer (Version 8), mak
196. nterfaces, Drives, Redundancy options, Power supply, Power consumption, Humidity range, Degree of protection, Temperature range, Dimensions (H x W x D), Weight, Firmware and power values, Firmware compatibility, Data throughput (router | firewall), Hardware-based encryption, Encrypted VPN throughput (AES-256), Management support, Diagnostics, Other, Conformance

mGuard pci

Technical data: mGuard pci/266 | mGuard pci/533
- Intel network processor, optionally with 266 MHz or 533 MHz clocking
- 1 LAN port | 1 WAN port, Ethernet IEEE 802.3 10/100 Base TX, RJ45 | full duplex | auto MDIX
- Serial RS-232, internal connector
- Depending on the firmware used
- 3.3 V or 5 V, via PCI bus
- Typical: 3.7 W ... 4.2 W
- 20% ... 90% during operation, non-condensing
- Depending on installation type
- 0 °C ... 70 °C (operation), 20 °C ... 70 °C (storage)
- Low-profile PCI
- 72 g

mGuard v5.0 or later: Innominate recommends firmware version 6.x or 7.x to be used with the latest patch releases.

For the scope of functions, please refer to the relevant firmware data sheet.

- 99 Mbps bidirectional
- 99 Mbps bidirectional
- DES | 3DES | AES-128/192/256
- 35 Mbps (PCI 256) bidirectional, 70 Mbps (PCI 533) bidirectional
- Web GUI (HTTPS) | command line interface (SSH) | SNMP v1/2/3 | central device management software
- LEDs (2 x LAN, 2 x WAN in combination for boot process, system error, Ethernet status, Recovery mode)
- Log File | Re
197. nts.

6.2.2 Checking the scope of supply

Before startup, check the scope of supply to ensure nothing is missing.

The scope of supply includes:
- mGuard smart
- Package slip

mGuard smart²/smart

6.3 Connecting the mGuard smart

LAN port: Ethernet plug for direct connection to the device or network to be protected (local device or network).

USB plug: For connection to the USB interface of a computer. For the power supply (default settings). The mGuard smart² (not the mGuard smart) can be configured so that a serial console is available via the USB plug.

WAN port: Socket for connection to the external network, e.g., WAN, Internet. (Connections to the remote device or network are established via this network.) Use a UTP cable (CAT5).

Figure 6-3: mGuard smart: Connection in the network (panels: Before, After; a LAN can also be on the left)

If your computer is already connected to a network, insert the mGuard smart between the network interface of the computer (i.e., its network card) and the network.

Driver installation is not required.

For security reasons, we recommend you change the default root and administrator passwords during initial configuration.

WARNING: This is a Class A item of equipment. This equipment can cause radio int
198. mGuard pci

For the IP configuration of the network interface of the operating system, this means that an IP address must be assigned that differs from the internal IP address of the mGuard (by default upon delivery this is 192.168.1.1).

(This relationship is shown in the above diagram by two black spheres.)

A third IP address is used for the interface of the mGuard to the WAN. It is used for connection to an external network (e.g., Internet).

9.3.2 Power over PCI mode

Stealth mode in Power over PCI mode

Figure 9-5: Power over PCI mode: Stealth mode (labels: Network card 192.168.1.1; 1.1.1.1; mGuard pci; External IP 192.168.1.1)

Since the network card functions of the mGuard pci are switched off in Power over PCI mode, no driver software is installed for it.

A previously installed network card is connected to the LAN port of the mGuard pci, which is located in the same computer or in another computer (see "Installing the hardware" on page 164).

In Stealth mode, the IP address configured for the network interface of the operating system (LAN port) is also used by the mGuard for its WAN port. This means that the mGuard does not appear as a separate device with its own address for data traffic to and from the computer.

In Stealth mode, PPPoE and PPTP cannot be used.

Router mode in Power over PCI mode

Network
199. ogies AG    Notes on CE identification    The declarations of conformity are held here in agreement with EU directives for the relevant  authorities     Innominate Security Technologies AG  Rudower Chaussee 13   12489 Berlin   Germany   Tel   49  0 30 92 10 28 0    Innominate Security Technologies    FCC Note  The FCC Statement applies to the following devices     Class A  mGuard rs4000  mGuard rs2000  mGuard rs4000 Switch    mGuard rs2000 Switch  mGuard centerport  mGuard industrial rs  mGuard smart      mGuard smart  mGuard pci  mGuard pci  SD  mGuard delta  mGuard delta     and  EAGLE mGuard  Class B  mGuard rs4000 3G  mGuard rs2000 3G  mGuard centerport     FCC Statement    This device complies with Part 15 of the FCC Rules  Operation is subject to the following  two conditions   1  this device may not cause harmful interference  and  2  this device must  accept any interference received  including interference that may cause undesired opera     tion     This equipment has been  tested and found to comply  with the limits for a Class A  digital device  persuant to  part 15 of the FCC Rules   These limits are designed to  provide reasonable protec   tion against harmful interfer   ence when the equipment is  operated in a commercial  environment  This equip   ment generates  uses  and  can radiate radio frequency  energy and  if not installed  and used in accordance with  the instruction manual  may  cause harmful interference  to radio communications   Operation of this e
200. onnect it again. • Then press the ON/OFF button again shortly to restart the device. 7.8.1 Performing a recovery procedure. The network configuration (but not the rest of the configuration) is to be reset to the delivery state, as it is no longer possible to access the mGuard. Use the recovery procedure in case you have forgotten the IP address under which the device can be accessed. The following network setting is restored: Table 7-4 Restored network setting: Network mode, Management IP 1, Management IP 2. The mGuard is reset to router mode with the fixed IP address. - The CIFS integrity monitoring function is also disabled because this only works when the management IP is active. - In addition, MAU configuration is activated for the Ethernet connections. HTTPS access is enabled via the local Ethernet connection (LAN). - The settings configured for VPN connections and the firewall are retained, including passwords. NOTE: After the recovery procedure has been performed successfully, a previously created configuration profile in the mGuard should be loaded and activated again. Then the network settings must be adapted. Possible reasons for performing the recovery procedure: - The mGuard is in PPPoE mode. - The configured device address of the mGuard differs from the default setting. - The current IP address of the device is not known. Up-to-date information on the recovery and flashing procedure can be foun
201. ope of supply. Before startup, check the scope of supply to ensure nothing is missing. The scope of supply includes: - The device - Package slip - Plug-in screw terminal blocks for the power supply connection and inputs/outputs (inserted). 1.3 Installation of mGuard rs4000/rs2000. 1.3.1 Mounting/removal. Mounting: The device is ready to operate when it is supplied. The recommended sequence for mounting and connection is as follows: • Mount the mGuard rs4000/rs2000 on a grounded 35 mm DIN rail according to DIN EN 60715. [Figure 1-3: Mounting the mGuard rs4000/rs2000 on a DIN rail] • Attach the top snap-on foot of the mGuard rs4000/rs2000 to the DIN rail and then press the mGuard rs4000/rs2000 down towards the DIN rail until it engages with a click. Removal: • Remove or disconnect the connections. • To remove the mGuard rs4000/rs2000 from the DIN rail, insert a screwdriver horizontally in the locking slide under the housing, pull it down (without tilting the screwdriver), and then pull up the mGuard rs4000/rs2000. 1.3.2 Connecting to the network. NOTE: Only connect the mGuard network ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the mGuard. Connect the mGuard to
202. or 24 V DC 25 33 Safety Extra Low Voltage (SELV/PELV, redundant inputs isolated). Max. 5 A. Buffer time min. 10 ms at 24 V DC. Redundant power supply: A redundant supply voltage can be connected. Both inputs are isolated. The load is not distributed. With a redundant supply, the power supply unit with the higher output voltage supplies the EAGLE mGuard alone. The supply voltage is electrically isolated from the housing. Startup: • Start up the EAGLE mGuard with the connection of the supply voltage via the 6-pos. terminal block. • Lock the terminal block with the lateral locking screw. Signal contact. WARNING: Only PELV circuits or optionally SELV circuits with voltage limitations according to EN 60950-1 may be connected to the signal contact. The signal contact monitors the EAGLE mGuard and thus enables remote diagnostics. Interruption of the contact via the floating signal contact (relay contact, closed current circuit) indicates the following: - Failure of at least one of the two supply voltages. - Permanent error in the EAGLE mGuard (internal 3.3 V DC voltage, supply voltage 1 or 2 < 9.6 V, etc.). - A faulty link status of at least one port. The link status message for each port can be masked on the EAGLE mGuard via the management software. By default upon delivery, there is no connection monitoring. - Error during selftest
203. or death. There are three different categories of personal injury that are indicated by a signal word. DANGER: This indicates a hazardous situation which, if not avoided, will result in death or serious injury. WARNING: This indicates a hazardous situation which, if not avoided, could result in death or serious injury. CAUTION: This indicates a hazardous situation which, if not avoided, could result in minor or moderate injury. This symbol together with the signal word NOTE and the accompanying text alert the reader to a situation which may cause damage or malfunction to the device, hardware/software, or surrounding property. This symbol and the accompanying text provide the reader with additional information or refer to detailed sources of information. General terms and conditions of use for technical documentation. Innominate reserves the right to alter, correct, and/or improve the technical documentation and the products described in the technical documentation at its own discretion and without giving prior notice, insofar as this is reasonable for the user. The same applies to any changes that serve the purpose of technical progress. The receipt of technical documentation (in particular user documentation) does not constitute any further duty on the part of Innominate to furnish information on modifications to products and/or technical documentation. You are responsible for verifying the suitability and intended use of th
204. or remote configuration is disabled by default. Switch on the remote configuration option in the web interface under "Management >> Web Settings". To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there. Proceed as follows: • Start the web browser on the remote computer. • Under address, enter the IP address where the mGuard can be accessed externally over the Internet or WAN, together with the port number (if required). If the mGuard can be accessed over the Internet, for example, via address https://123.45.67.89/ and port number 443 has been specified for remote access, the following address must be entered in the web browser of the remote peer: https://123.45.67.89/ If a different port number is used, it should be entered after the IP address, e.g., https://123.45.67.89:442/ The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual. 4.8 Restart, recovery procedure, and flashing the firmware. The Reset button is used to set the device to one of the following states: - Performing a restart - Performing a recovery procedure - Flashing the firmware/rescue procedure. [Figure 4-5: Reset button] 4.8.1 Performing a restart. Objective: The device is restarted with the configured settings. Action: • Press
205. ork interface of the locally connected computer or network accordingly. 12.5.2 IP address https://1.1.1.1/ In order for the mGuard to be addressed via address https://1.1.1.1/, it must be connected to a configured network interface. This is the case if it is connected in an existing network connection and if the default gateway can be accessed via the WAN port of the mGuard at the same time. In this case, the web browser establishes a connection to the mGuard configuration interface after the address https://1.1.1.1 is entered (see "Establishing a local configuration connection" on page 229). Continue from this point. After access via IP address 1.1.1.1, the FL MGUARD can no longer be accessed via IP address 192.168.1.1. 12.5.3 Assigning the IP address via BootP. After assigning an IP address via BootP, the FL MGUARD can no longer be accessed via IP address 192.168.1.1. For IP address assignment, the mGuard uses the BootP protocol. The IP address can also be assigned via BootP. On the Internet, numerous BootP servers are available. You can use any of these programs for address assignment. Section 14.1 explains IP address assignment using the free Windows software "IP Assignment Tool" (IPAssign.exe). Notes for BootP: During initial startup, the mGuard transmits BootP requests without interruption until it receives a valid IP address. After receiving
206. orm    Network interfaces    Wireless interface    SIM interfaces  1   2   Data rate    Other interfaces  Memory    Redundancy options  Power supply    Power consumption    Humidity range    Degree of protection    Temperature range    Dimensions  H x W x D   Weight    Firmware and power values    Firmware compatibility    Data throughput  router   firewall     Virtual Private Network  VPN     Hardware based encryption    Encrypted VPN throughput  AES 256     Data throughput  mobile     Management support    Diagnostics    72 Innominate Security Technologies    Technical data    mGuard rs4000 3G  Freescale network processor    4 LAN Ports  managed    1 DMZ port    1 WAN port    Ethernet IEEE 802 3 10 100 BaseTX  RJ45   full duplex   auto MDIX    WAN I GSM I  GPRS   EDGE  UMTS    CDMA2000    1 8V13V  redundant   lt  14 4 Mbps  HSDPA     Serial RS 232   D SUB 9 connector  3 digital inputs and 3 digital outputs    128 MB RAM   128 MB Flash   SD card  Replaceable configuration memory    Optional  VPN   router and firewall  Voltage range 11     36 V DC  redundant    typical  lt  200 mA  24 V DC     maximum  lt  800 mA  10 V DC     5      95   operation  storage   non con   densing    IP20     40  C      60  C  operation    40  C      70  C  storage     130 x 45 x 114 mm  up to DIN rail support   850g    mGuard rs4000 3G    mGuard rs2000 3G    Freescale network processor    4 LAN ports  unmanaged   Ethernet IEEE 802 3 10 100 BaseTX  RJ45   full duplex   auto MDIX    WAN I GSM I  GP
207. out a functioning external network in initial startup mode, the device cannot be accessed via address https://1.1.1.1/. In this case, the mGuard pci SD is accessible automatically via management IP address 192.168.1.1/24. This applies to the internal (LAN 1) and the external (WAN 1) network interfaces. An address conflict with the external network interface is not possible as long as WAN 1 is not connected to a functioning network. This management IP address is normally non-persistent. However, if the external network interface (WAN 1) is connected after booting the mGuard pci SD, the management IP address remains valid. In this case, an address conflict with an existing address in the external network is possible. Starting up the mGuard pci SD without external network: • Connect the internal network interface (LAN 1) of the mGuard pci SD to the corresponding Ethernet network card of the configuration computer or a valid network connection of the internal network. • Disconnect the external network interface (WAN 1) of the mGuard pci SD from the external network (WAN). • Switch on the system. The STAT LED lights up green when the supply voltage has been connected properly. The mGuard boots the firmware. The STAT LED flashes green. Adapting the configuration computer: In order to access the mGuard pci for configuration, the configuration computer must be adapted to the management IP address of the mGuard pci SD. Example
208. ove for the IP address using the Recovery procedure (see "Performing a recovery procedure" on page 47). If the web browser repeatedly reports that the page cannot be displayed, try the following: • Disable any active firewalls. • Make sure that the browser does not use a proxy server. In Internet Explorer (Version 8), make the following settings: "Tools" menu, "Internet Options", "Connections" tab. Click on "Properties" under "LAN settings". Check that "Use a proxy server for your LAN" (under "Proxy server") is not activated in the "Local Area Network (LAN) Settings" dialog box. • If other LAN connections are active on the computer, deactivate them until the configuration has been completed. Under the Windows menu "Start, Settings, Control Panel, Network Connections" or "Network and Dial-up Connections", right-click on the corresponding icon and select "Disable" in the context menu. After successful connection establishment: Once a connection has been established successfully, a security alert may be displayed. Explanation: As administrative tasks can only be performed using encrypted access, a self-signed certificate is supplied with the device. • Click "Yes" to acknowledge the security alert. The login window is displayed. [Figure 2-5: Login. Fields: User Name, Password] • To login, enter
209. ower supplies on the back of the mGuard bladebase with 100 V or 220/240 V. - Switch on both power supplies. - The LEDs on the front of the power supplies are now green. Installation of mGuard blade: The mGuard bladebase does not have to be switched off when installing or removing an mGuard blade. - Loosen the top and bottom screw on the faceplate or on the mGuard blade to be replaced. - Remove the faceplate or pull out the old mGuard blade. - Insert the new mGuard blade and PCB into the plastic guides and push it completely into the mGuard bladebase. - Secure the mGuard blade by tightening the screws slightly. - Replace the empty handling plate with the suitable number from the mGuard bladebase accessories or replace it with the plate from the old mGuard blade. To do this, pull or push the plate sideways. Control unit (CTRL slot): The CTRL slot is located right next to the two power supplies. An mGuard blade operated in this slot acts as the controller (control unit) for all other mGuard blade devices. During initial installation of an mGuard blade in the "CTRL" slot, the blade is reconfigured as a control unit as follows: - The user interface is reconfigured for operation as a controller. - It switches to Router mode with local IP address 192.168.1.1. - The firewall, CIFS integrity monitoring, and VPN functions are reset and deactivated
210. passwords during initial configuration. Both network interfaces of the EAGLE mGuard are configured for connection on a computer. When connecting to a hub, please note the following: When auto-negotiation is deactivated, the Auto MDIX function is also deactivated. This means that the port of the EAGLE mGuard must either be connected to the uplink port of the hub or connected to the hub using a cross-link cable. Removal: To remove the EAGLE mGuard from the DIN rail, insert a screwdriver horizontally in the locking slide under the housing, pull it down (without tilting the screwdriver), and then pull up the EAGLE mGuard. 13.4 Preparing the configuration. 13.4.1 Connection requirements: - The EAGLE mGuard must be connected to at least one active power supply unit. - For local configuration: The computer used for configuration must be connected to the LAN socket of the mGuard, or the computer must be connected to the mGuard via the network. - For remote configuration: The mGuard must be configured so that remote configuration is permitted. - The mGuard must be connected, i.e., the required connections must be working. 13.4.2 Local configuration on startup (EIS). As of firmware version 7.2, initial startup of mGuard products provided in Stealth mode is considerably easier. From this version onwards, the EIS (Easy Initial S
211. ply lines must be isolated or laid separately to live circuits. 5.3.1 Installing the hardware. NOTE: Electrostatic discharge. Before installation, touch the metal frame of the PC in which the mGuard pci SD is to be installed, in order to remove electrostatic discharge. The device contains components that can be damaged or destroyed by electrostatic discharge. When handling the device, observe the necessary safety precautions against electrostatic discharge (ESD) according to EN 61340-5-1 and IEC 61340-5-1. [Figure 5-3: mGuard pci SD structure. Labels: Extension connection; LEDs; Reset button; SD card; SD card slot (configuration memory); Battery (can be replaced); RJ45 socket (LAN 1) for connecting to the internal network; RJ45 socket (WAN 1) for connecting to the external network/Internet. For both RJ45 sockets: Use a UTP cable (CAT5). The cable is not supplied as standard.] • Install the mGuard pci SD in a free PCI or PCI Express slot. Observe the notes in the documentation for your system. 5.4 Preparing the configuration. 5.4.1 Connection requirements: - For local configuration: The computer used for configuration must meet the following requirements: - The computer must be connected to the mGuard LAN connection or to
212. ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the mGuard. LAN port: • Use a UTP cable (CAT5). • Connect the LAN port of the device to the corresponding Ethernet network card of the local configuration computer or a network connection of the local network (LAN). WAN port: • Use a UTP cable (CAT5). • Connect the WAN port of the device to the external network or the Internet. (Connections to the remote device or network are established via this network.) SYNC port: • Use a UTP cable (CAT5). • Connect the SYNC port of the device to the SYNC port of a second mGuard centerport in order to create a redundancy pair. A redundancy license for the second mGuard centerport must be purchased separately. DMZ port: • Use a UTP cable (CAT5). • Connect the DMZ port of the device to a network connection of the local network (LAN). This network is used for communication according to the firewall rules of the demilitarized zone (DMZ). IPMI port: • Use a UTP cable (CAT5). By default, the IPMI port is deactivated and not documented at this point. The IPMI port functions can be activated in the BIOS setup of the motherboard. Should you have any questions on the documentation, please contact Super Micro Computer, Inc. (http://www.supermicro.com). Serial interface: NOTE: The serial interface (D-SUB socket) must not be connected directly to
213. ption    Humidity range  Degree of protection    Temperature range  Dimensions  H x W x D     Weight    Firmware and power values    Firmware compatibility    Data throughput  router   firewall   Hardware based encryption  Encrypted VPN throughput  AES 256     Management support    Diagnostics    Other    Conformance    115007_en_02    mGuard blade    10 8 Technical data    m Guard blade  266   mGuard blade  533    Intel network processor  either with 533 MHz or 266 MHz clocking    1 LAN port  1 WAN port  Ethernet IEEE 802 3 10 100 Base TX    RJ45   full duplex   auto MDIX    Serial RS 232  RJ11 socket  Depending on the firmware used  Via bladebase  100 V AC     240 V AC at 50 60 Hz    blade  3 W  typical  bladebase  42 W  typical    10      95  during operation  non condensing  IP20     5  C      40  C  operation    20  C      70  C  storage     blade  100 x 26 x 160 mm  bladebase  133 x 483 x 235 mm  3 HU     blade  245 g   bladepack  7 7 kg    mGuard v5 0 or later  Innominate recommends firmware version 6 x or 7 x to  be used with the latest patch releases     For the scope of functions  please refer to the relevant firmware data sheet   99 Mbps bidirectional   99 Mbps bidirectional   DES   3DES   AES 128 192 256   35 Mbps  blade  256  bidirectional   70 Mbps  blade  533  bidirectional    Web GUI  HTTPS    command line interface  SSH    SNMP v1 2 3   central  device management software    LEDs  2 x LAN  2 x WAN in combination for boot process  system error  Ether   net sta
214. quipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense. This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: - Reorient or relocate the receiving antenna. - Increase the separation between the equipment and receiver. - Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. - Consult the dealer or an experienced radio/TV technician for help. Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. FCC RF radiation Exposure Statement: This equipment complies w
215. r supply unit  110 V     230 V     2 5 W  maximum    0  C      40  C  operation    20  C      70  C  storage     20      90  during operation  non condensing  IP30   27x77x115mm   158 g    mGuard v5 0 or later  Innominate recommends firmware version 6 x or 7 x to  be used with the latest patch releases     For the scope of functions  please refer to the relevant firmware data sheet   99 Mbps bidirectional   99 Mbps bidirectional   DES   3DES   AES 128 192 256   35 Mbps  smart 256  bidirectional   70 Mbps  smart 533  bidirectional    Web GUI  HTTPS    command line interface  SSH    SNMP v1 2 3   central  device management software    LEDs  3 LEDs in combination for boot process  heartbeat  system error   Ethernet status  Recovery mode    Log File   Remote Syslog    CE   FCC    115007_en_02    mGuard centerport     7 mGuard centerport     115007_en_02    Table 7 1 Available mGuard centerport  versions    mGuard centerport  HW 106010    mGuard centerport  VPN 250 BD 621000  mGuard centerport  VPN 1000 BD 622000       The mGuard centerport  is a high end firewall and a VPN gateway in 19  format  It is suit   able as a central network infrastructure for remote service solutions  With its Gigabit Ether   net interfaces and corresponding throughput as the router and as the stateful inspection fire   wall  the device can also be used in the backbone in industrial networks     As a gateway  the mGuard centerport    supports the VPN connection to any number of sys   tems in the VPN tun
216. rator passwords during initial configuration. 11.6 Remote configuration. Requirement: The mGuard must be configured so that remote configuration is permitted. The option for remote configuration is disabled by default. Switch on the remote configuration option in the web interface under "Management >> Web Settings". How to proceed: To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there. Proceed as follows: • Start the web browser on the remote computer. • Under address, enter the IP address where the mGuard can be accessed externally over the Internet or WAN, together with the port number (if required). Example: If the mGuard can be accessed over the Internet, for example, via address https://123.45.67.89/ and port number 443 has been specified for remote access, the following address must be entered in the web browser of the remote peer: https://123.45.67.89/ If a different port number is used, it should be entered after the IP address, e.g., https://123.45.67.89:442/ Configuration: The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual. 11.7 Restart, recovery procedure, and flashing the firmware. For mGuard centerport there
217. rd, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again. Possible reasons: The administrator and root password have been lost. Requirements: Requirements for flashing. NOTE: During flashing, the firmware is always loaded from an SD card first. The firmware is only loaded from a TFTP server if no SD card is found. The following requirements apply when loading the firmware from an SD card: - All necessary firmware files must be located in a common directory on the first partition of the SD card. - This partition must use a VFAT file system (standard type for SD cards). To flash the firmware from a TFTP server, a TFTP server must be installed on the locally connected computer (see "Installing the DHCP and TFTP server" on page 258). NOTE: Installing a second DHCP server in a network could affect the configuration of the entire network. During flashing, the firmware is always loaded from an SD card first. The firmware is only loaded from a TFTP server if no SD card is found. The following requirements apply when loading the firmware from an SD card: - All necessary firmware files must be located in a common directory on the first partition of the SD card. - This partition must use a VFAT file system (standard type for SD cards). - The mGuard firmware has been obtained from your dealer's support team or the www.innominate.com website and has been s
218. rd v5 0 or later  Innominate recommends firmware version 6 x or 7 x to  be used with the latest patch releases     For the scope of functions  please refer to the relevant firmware data sheet   99 Mbps bidirectional   99 Mbps bidirectional   DES   3DES   AES 128 192 256   70 Mbps bidirectional    Web GUI  HTTPS    command line interface  SSH    SNMP v1 2 3   central  device management software   optional key switch  VPN     LEDs  P1  P2  Modem  Fault  State  Error  LAN  WAN    signal contact  SELV     service contacts     CMD  ACK    Log File   Remote Syslog    CE   FCC   UL 508    Innominate Security Technologies 235    mGuard industrial rs    236 Innominate Security Technologies 115007_en_02    EAGLE mGuard    13 EAGLE mGuard    115007_en_02    Table 13 1 Available EAGLE mGuard versions    Available versions Order No     EAGLE mGuard HW 201000  EAGLE mGuard VPN BD 301010       The EAGLE mGuard is designed for DIN rail mounting  according to DIN EN 60715  and is  therefore ideal for use in industrial applications     The optional configuration connection and option to establish a phone dial up connection  via the RS 232 interface open up a wealth of applications        Figure 13 1 EAGLE mGuard    Innominate Security Technologies 237    EAGLE mGuard    13 1 Operating elements and LEDs       Innominate  misuard    Power supply 1  P1  FAULT  Power supply 2  P2     _ ae 2      oO  19  7  7 i _  STATUS    Bes  Link status data 1  LAN  p  vad  Link status data 2  WAN  F    STATUS 
219. re nothing is missing. The scope of supply includes: - mGuard pci - Package slip. 9.3 Installation of mGuard pci. WARNING: This is a Class A item of equipment. This equipment can cause radio interference in residential areas; in this case, the operator may be required to implement appropriate measures. WARNING: Conditions of acceptability. The device is designed for installation in a PC in the secondary signal circuit and therefore no tests have been performed. The user must evaluate any tests. The temperature of the PCB must not exceed 105 °C. Selection of Driver mode or Power over PCI mode. There are two operating modes: Driver mode and Power over PCI mode. • Before installing it in your PC, decide which mode will be used to operate the mGuard pci. • The mGuard is set to the desired mode using a jumper. Driver mode: The mGuard pci can be used as a normal network card. This network card then also provides mGuard functions. In this case, the supplied driver must be installed. Power over PCI mode: If the network card functions of the mGuard are not required or should not be used, the mGuard pci can be connected after an existing network card (on the same computer or on another) like an mGuard stand-alone device. In this operating mode, the mGuard pci actually only uses the PCI slot of a computer in order to receive power and as housing. This op
220. re nothing is missing. The scope of supply includes: - EAGLE mGuard - Package slip. 13.3 Installation of EAGLE mGuard. WARNING: The housing must not be opened. WARNING: This is a Class A item of equipment. This equipment can cause radio interference in residential areas; in this case, the operator may be required to implement appropriate measures. When installed in residential or office areas, the EAGLE mGuard may only be operated in control cabinets with fire protection properties according to EN 60950-1. NOTE: The shielding ground of the connected industrial twisted pair cables is electrically connected to the front plate. Connecting the voltage supply and signal contact. Terminal block: The connection of the supply voltage and the signal contact is established via a 6-pos. terminal block. [Figure 13-3: Terminal block base. Labels: Signal contact, 24 V (P1), 24 V (P2)] WARNING: The EAGLE mGuard is designed for SELV operation. Therefore, only PELV circuits or optionally SELV circuits with voltage limitations according to EN 60950-1 may be connected to the supply voltage connections and the signal contact. The EAGLE mGuard can be operated at a DC voltage of 9.6 to 60 V DC, max. 1 A, optionally at an AC voltage of 18 to 30 V AC, max. 1 A. Use the 24 V and 0 V pins to connect the AC voltage. Operating voltage: NEC Class 2 power source 12 V DC
221. re transmitted, the LED goes out briefly.
Red/green: Various LED light codes: Recovery mode. After pressing the Reset button. See "Restart, recovery procedure, and flashing the firmware" on page 175.

On the mGuard pci, the Reset button is on the PCB (see "Installing the hardware" on page 164).

mGuard pci

9.2 Startup

9.2.1 Safety notes

To ensure correct operation and the safety of the environment and of personnel, the mGuard must be installed, operated, and maintained correctly.

NOTE: Risk of material damage due to incorrect wiring
Only connect the mGuard network ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the mGuard.

General notes regarding usage

NOTE: Connection notes
- A free PCI slot (3.3 V or 5 V) must be available on your PC when using the mGuard pci.
- Do not bend connecting cables. Only use the network plug for connection to a network.

NOTE: Select suitable ambient conditions
- Ambient temperature: 0 °C to 70 °C
- Maximum humidity, non-condensing: 20% to 90%
To avoid overheating, do not expose the mGuard to direct sunlight or other heat sources.

NOTE: Cleaning
Clean the device housing with a soft cloth. Do not use aggressive solvents.

9.2.2 Checking the scope of supply

Before startup, check the scope of supply to ensu
222. records  press and hold the  push button for a few seconds and then release the push button     e To switch off the selected VPN connections or firewall rule records  press and hold the  push button for a few seconds and then release the push button     e To switch on the selected VPN connections or firewall rule records  set the switch to  ON     e To switch off the selected VPN connections or firewall rule records  set the switch to  OFF     Via the web interface under    Management  Service I O    you can set whether certain VPN  connections or firewall rule records are monitored and displayed via the LED Info 1  out   put ACK O1  or LED Info 2  output ACK O2      If VPN connections are being monitored  an illuminated Info LED indicates that VPN con   nections are established     The O3 alarm output monitors the function of the mGuard rs4000 rs2000 and therefore en   ables remote diagnostics     The Fault LED lights up red if the signal output takes low level due to an error  inverted  logic     The O3 alarm output reports the following when    Management  Service I O  Alarm output     has been activated        Failure of the redundant supply voltage       Monitoring of the link status of the Ethernet connections       Monitoring of the temperature condition       Monitoring of the connection state of the internal modem    Innominate Security Technologies 17    m Guard rs4000 rs2000    Operating a connected  push button    Operating a connected  on off switch    INFO LED  
223. rface, it may be necessary to adapt the network configuration of your computer.

Under Windows 7, proceed as follows:
• In the Control Panel, open the "Network and Sharing Center".
• Click on "LAN connection". (The "LAN connection" item is only displayed if a connection exists from the LAN interface on the computer to an mGuard in operation or another partner.)
• Click on "Properties".
• Select the menu item "Internet protocol Version 4 (TCP/IPv4)".
• Click on "Properties".
• First select "Use the following IP address" under "Internet Protocol Version 4 Properties", then enter the following address, for example:

IP address: 192.168.1.2
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.1

Depending on the configuration of the mGuard, it may then be necessary to adapt the network interface of the locally connected computer or network accordingly.

mGuard rs4000/rs2000 3G

3.6 Establishing a local configuration connection

Web-based administrator interface
The mGuard is configured via a web browser that is executed on the configuration computer.

NOTE: The web browser used must support SSL encryption (i.e., HTTPS).

The mGuard can be accessed via the following address:

Table 3-4 Preset address
Default setting Network mod
224. rocedure can be found in the application note for your mGuard firmware version.

You can find application notes under the following Internet address: www.innominate.com

Action
• Slowly press the Reset button six times.
  After approximately 2 seconds, the STAT LED lights up green.
• Press the Reset button slowly again six times.
  If successful, the STAT LED lights up green.
  If unsuccessful, the ERR LED lights up red.

If successful, the device restarts after two seconds and switches to Stealth mode. The device can then be reached again under the corresponding addresses.

mGuard rs4000/rs2000

1.8.3 Flashing the firmware/rescue procedure

Objective: The entire firmware of the mGuard should be reloaded on the device.
- All configured settings are deleted. The mGuard is set to the delivery state.
- In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again.

Possible reasons: The administrator and root password have been lost.

Requirements: Requirements for flashing

NOTE: During flashing, the firmware is always loaded from an SD card first. The firmware is only loaded from a TFTP server if no SD card is found.

The following requirements apply when loading the firmware from an SD card:
- All necessary firmware files must be located in a common directory on the fi
225. rport

3. Then select one of the options to perform the rescue procedure with the arrow keys:
   Start rescue procedure via DHCP/BootP+TFTP
   OR
   Start rescue procedure from CD/DVD
   OR
   Start rescue procedure from USB mass storage
   To apply the selection, press the Enter key.

The options include:

Start rescue procedure via DHCP/BootP+TFTP
Effect: The mGuard downloads all necessary files from the TFTP server. The names of the downloaded files correspond to those used from the other models of the mGuard family, with the following exceptions:
- install.p7s -> install.x86_64.p7s
- jffs2.img.p7s -> firmware.img.x86_64.p7s
In the case of the file install.x86_64.p7s, ensure that the file version that Innominate has declared for use for the rescue procedure via TFTP is used.

Start rescue procedure from CD/DVD
Requirement: The firmware of the mGuard has been previously burnt to CD (see below under "Burning mGuard firmware to CD-ROM" on page 212).
Effect: The mGuard downloads all necessary files from the inserted CD.
With this in mind, while the boot menu is displayed and before applying this selection, insert the CD with the mGuard firmware into the CD drive.
For security reasons, the mGuard centerport does not boot from the CD.

Start rescue procedure from USB mass storage
Requirement: The firmware of the mGuard has been previously copied to a USB storage medium (USB stick
226. rs EA ate E EEA E ET TAA 159  9 3 Installation of mGUard pClt sisser iena ins en ea EE 160  9 4 Preparing the configuratlON eretenrt i k 169  9 5 Configuration in Stealth MOdGE            ccccseecceccsseeececeeseeeeeeeceeeeeaeeeeeesaeeeesneeeeeessaess 170  9 6 Establishing a local configuration connection              ssssssssssseesrrrrrresrrrrrressrrrrenee 172  9 7 Remote conig  rati  r ssis25c2c5 cssasteessasuastendscasaceasacagezesbeciaceden diate Cestuntesacadeeresaniense  174  9 8 Restart  recovery procedure  and flashing the firmWware               ccccsesseeeeeeeeeeees 175  9 9 Technical CAVA raveict  det edawtdana tae iteuascineasanieavdantea i a N 179  TO ag IU Es 190 ie  F200    epemmemenere teremertrser acts tee veteran a A ee eee ee ean eee 181  10 1 Operating elements and LEDS             ec ccceceeeeeeeceeeteeeeeeeeaeaaaeeeeessaaaaeeeeeeseaaaees 182  gy Age     g 10   0 fe oemmeeery etme eer a Ue eee ee coer ents se fader ee eee Ne 183  10 3   Installation MGUard Bladene seiscs cence enna e teaeneborieeiys 184  10 4 Preparing the CONFIQUIATION              cc cceee cece cece a eeeeeeeeeeeaeeeeeeeeeaaaaaeeeeeesaeeeeeeeeeaaaeees 187  10 5 Establishing a local configuration CONNECTION             ceceeceeeeneeeeeeeeeeeeeeeeeeeeeeeaeeees 189  10 6   FREIMOLS COMM OUNATION  coe  soci sett ccrtct ccs astecet haste sade bts ecteencns areauniastaxtaceh hese 191  10 7 Restart  recovery procedure  and flashing the firmWware              c cccccsseeeeeeeeeeeees 192  10 8  
227. rs4000  See Section 2 3 4    Not used  Notused   Signal out    Signal out   put        put          A push button or an on off switch  e g   key switch  can be connected between service  contacts CMD V  and CMD     The contacts ACK     and FAULT     are non floating  continuously short circuit proof  and supply a maximum of 250 mA     The switching inputs and switching outputs can be connected with signals from external de   vices  e g   with signals from PLCs  In this case  ensure the same potential as well as voltage  and current specifications are defined     Depending on the firmware version used  the service contacts can be used for various  switching or signaling tasks     115007_en_02    Innominate Security Technologies 39    m Guard rs4000 rs2000 Switch    Input CMD 11  CMD 12    Operating a connected  push button    Operating a connected  on off switch    Signal contact  signal out   put  ACK O1  O2    Alarm output ACK O3    Service contacts as of firmware version 8 1    Via the web interface under    Management  Service I O     you can set whether a push button  or an on off switch has been connected to the inputs  One or more freely selectable VPN  connections or firewall rule records can be switched via the corresponding switch  A mixture  of VPN connections and firewall rule records is also possible  The web interface displays  which VPN connections and which firewall rule records are connected to this input     The push button or on off switch is used to establi
228. rst partition of the SD card.
- This partition must use a VFAT file system (standard type for SD cards).

To flash the firmware from a TFTP server, a TFTP server must be installed on the locally connected computer (see "Installing the DHCP and TFTP server" on page 258).

NOTE: Installing a second DHCP server in a network could affect the configuration of the entire network.

- The mGuard firmware has been obtained from your dealer's support team or the www.innominate.com website and has been saved on a compatible SD card.
- This SD card has been inserted into the mGuard.
- The relevant firmware files are available for download from the download page of www.innominate.com. The files must be located under the following path names or in the following folders on the SD card:
  Firmware/install-ubi.mpc83xx.p7s
  Firmware/ubifs.img.mpc83xx.p7s

mGuard rs4000/rs2000

Action

To flash the firmware or to perform the rescue procedure, proceed as follows:

NOTE: Do not interrupt the power supply to the mGuard during any stage of the flashing procedure. Otherwise, the device could be damaged and may have to be reactivated by the manufacturer.

• Hold down the Reset button until the STAT, MOD, and SIG LEDs light up green. Then, the mGuard is in the recovery state.
• Release the Reset button within a second of entering the recovery state.
  If 
229. s been completed.

Under the Windows menu "Start, Settings, Control Panel, Network Connections" or "Network and Dial-up Connections", right-click on the corresponding icon and select "Disable" in the context menu.

mGuard industrial rs

After successful connection establishment
Once a connection has been established successfully, a security alert may be displayed.

Explanation: As administrative tasks can only be performed using encrypted access, a self-signed certificate is supplied with the device.

• Click "Yes" to acknowledge the security alert.

The login window is displayed.

Figure 12-10 Login

• To log in, enter the preset user name and password (please note these settings are case-sensitive):

User Name: admin
Password: mGuard

The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual.

For security reasons, we recommend you change the default root and administrator passwords during initial configuration.

12.7 Remote configuration

Requirement
The mGuard must be configured so that remote configuration is permitted.
The option for remote configuration is disabled by default.

How to proceed
Switch on the remote configura
230. s into networks, as a COM server is integrated.

For software-independent remote maintenance, the mGuard rs4000 3G can be used as a VPN router for up to 250 parallel, IPsec-encrypted VPN tunnels.

The mGuard rs2000 3G is a version with basic firewall and can be used as a VPN client for up to two parallel, IPsec-encrypted VPN tunnels. It is suitable for secure remote maintenance applications at locations without wired networks and enables global connection of distributed machines and controllers.

Both versions support a replaceable configuration memory in the form of an SD card. To increase safety, VPN connections can be switched on or off via switch contact, SMS or software interface. The fanless metal housing is mounted on a DIN rail.

Figure 3-1 mGuard rs4000 3G/mGuard rs2000 3G

mGuard rs4000/rs2000 3G

3.1 Operating elements and LEDs

Figure 3-2 Operating elements and LEDs on the mGuard rs4000 3G. Labelled elements: Reset button; LEDs (see Table 3-2); WAN port; DMZ port; LAN ports (protected); RS-232 interface; slot for SIM card 1; slot for SIM card 2; slot for optional SD card; plug-in screw terminal blocks (for assignment, refer to page 57 and page 62); antenna sockets: SMA (mobile communication), RSMA (GPS).

Tab
231. secure remote services  remote diagnostics  re   mote configuration   The device is designed for standard DIN rail mounting and is therefore  ideal for use in industrial applications     The VPN tunnels can be initiated using software or hardware switches  A redundant supply  voltage can be connected  9 V DC     36 V DC      8   r  Modem   Fault  State   Error    a  LAN   WAN       Figure 12 1 mGuard industrial rs    Innominate Security Technologies 215    mGuard industrial rs    12 1 Operating elements and LEDs    Supply voltage 1 Supply voltage 2  see Section 12 2              Startup           DDL             Power supply 1  P1     Pi  P2    Power supply 2  P2   Modem _   _ gal    jal RS    State   Error  UZ LAN   WAN Fault  State    Serial Error  LAN WAN  Reset button qj    Located in the opening  Can be ig LAN WAN  pressed with a straightened paper  clip  for example  Service re Terminal block for the signal contact  button     ae ee and optional ISDN or telephone connection     see Section 12 2     Startup        See    Restart  recovery procedure   and flashing the firmware    on  page 232         lt _                Figure 12 2 Operating elements and LEDs on the mGuard industrial rs    Table 12 2 LEDs on the mGuard industrial rs    Power supply 1 is active  Power supply 2 is active  Connection via modem established  On The signal contact is open due to an error  see    Signal contact    on page 222    m  The signal contact is interrupted during a restart    g    Green
232. ses

Default setting / Network mode: Stealth
Management IP #1: https://1.1.1.1/
Management IP #2: https://192.168.1.1/

The mGuard is preset to the "multiple Clients" stealth configuration. You need to configure a management IP address and default gateway if you want to use VPN connections (see page 117). Alternatively, you can select a different stealth configuration or use another network mode.

6.5 Configuration in Stealth mode

On initial startup, the mGuard can be accessed via two addresses:
- https://192.168.1.1/ (see page 115)
- https://1.1.1.1/ (see page 115)

Alternatively, an IP address can be assigned via BootP (see "Assigning the IP address via BootP" on page 116).

The mGuard can be accessed via https://192.168.1.1/ if the external network interface is not connected on startup.

Computers can access the mGuard via https://1.1.1.1/ if they are directly or indirectly connected to the LAN port of the mGuard. For this purpose, the mGuard with LAN port and WAN port must be integrated in an operational network in which the default gateway can be accessed via the WAN port.

- After access via IP address 192.168.1.1 and successful login, IP address 192.168.1.1 is set as a fixed management IP address.
- After access via IP address 1.1.1.1 or after IP address assignment via BootP, the product can no longer be accessed via IP address 192.168.1.1.

114 Innominate Secur
233. sh and release predefined VPN connec   tions or the defined firewall rule records     e To switch on the selected VPN connections or firewall rule records  press and hold the  push button for a few seconds and then release the push button     e To switch off the selected VPN connections or firewall rule records  press and hold the  push button for a few seconds and then release the push button     e To switch on the selected VPN connections or firewall rule records  set the switch to  ON     e To switch off the selected VPN connections or firewall rule records  set the switch to  OFF     Via the web interface under    Management  Service I O    you can set whether certain VPN  connections or firewall rule records are monitored and displayed via the LED Info 1  out   put ACK O1  or LED Info 2  output ACK 02      If VPN connections are being monitored  an illuminated Info LED indicates that VPN con   nections are established     The O3 alarm output monitors the function of the mGuard rs4000 rs2000 and therefore en   ables remote diagnostics     The Fault LED lights up red if the signal output takes low level due to an error  inverted  logic     The O3 alarm output reports the following when    Management  Service I O  Alarm output     has been activated        Failure of the redundant supply voltage       Monitoring of the link status of the Ethernet connections       Monitoring of the temperature condition       Monitoring of the connection state of the internal modem    40 In
234. sons: The administrator and root password have been lost.

Requirements: Requirements for flashing

NOTE: To flash the firmware, a DHCP and TFTP server or a BootP and TFTP server must be installed on the locally connected computer.

• Install the DHCP and TFTP server, if necessary (see "Installing the DHCP and TFTP server" on page 258).

NOTE: Installing a second DHCP server in a network could affect the configuration of the entire network.

• If the mGuard is operated in Power over PCI mode, the DHCP/TFTP server must be connected via the LAN socket of the mGuard.
• If the mGuard is operated in PCI Driver mode, the DHCP/TFTP server must be operated on the computer or operating system that the interface provides for the mGuard.

mGuard pci

Action

NOTE: Do not interrupt the power supply to the mGuard during any stage of the flashing procedure. Otherwise, the device could be damaged and may have to be reactivated by the manufacturer.

• Hold down the Reset button until the green LEDs and the red LAN LED light up. Then, the mGuard is in the recovery state.
• Release the Reset button within a second of entering the recovery state.
  If the Reset button is not released, the mGuard is restarted.
  The mGuard now starts the recovery system. It searches for a DHCP server via the LAN interface in order to obtain an IP address.
  The red LAN LED flashes.
  The "install.p7s" file is load
235. ss automatically" has been activated), then enter the IP address manually.
To do so, first select "Use the following IP address", then enter the following addresses, for example:

IP address: 192.168.1.2
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.1

Do not under any circumstances assign an address such as 1.1.1.2 to the configuration computer.

• In DOS (Start, Programs, Accessories, Command Prompt), enter the following:
  arp -s <IP address of the default gateway> 00-aa-aa-aa-aa-aa
  Example: You have determined or specified the address of the default gateway as 192.168.1.1. The command should then be:
  arp -s 192.168.1.1 00-aa-aa-aa-aa-aa
• To proceed with the configuration, establish the configuration connection (see "Establishing a local configuration connection" on page 172).
• After configuration, reset the default gateway. To do this, either restart the configuration computer or enter the following command in DOS:
  arp -d

Depending on the configuration of the mGuard, it may then be necessary to adapt the network interface of the locally connected computer or network accordingly.

mGuard pci

9.6 Establishing a local configuration connection

Web-based administrator interface
The mGuard is configured via a web browser that is executed on the configuration computer
236. ss via IP address 1.1.1.1 or after IP address assignment via BootP, the product can no longer be accessed via IP address 192.168.1.1.

mGuard rs4000/rs2000

1.5.1 IP address 192.168.1.1

In Stealth mode, the mGuard can be accessed via the LAN interface via IP address 192.168.1.1 within network 192.168.1.0/24, if one of the following conditions applies:
- The mGuard is in the delivery state.
- The mGuard was reset to the default settings via the web interface and restarted.
- The rescue procedure (flashing of the mGuard) or the recovery procedure has been performed.

With a configured network interface
To access the configuration interface, it may be necessary to adapt the network configuration of your computer.

Under Windows 7, proceed as follows:
• In the Control Panel, open the "Network and Sharing Center".
• Click on "LAN connection". (The "LAN connection" item is only displayed if a connection exists from the LAN interface on the computer to an mGuard in operation or another partner.)
• Click on "Properties".
• Select the menu item "Internet protocol Version 4 (TCP/IPv4)".
• Click on "Properties".
• First select "Use the following IP address" under "Internet Protocol Version 4 Properties", then enter the following address, for example:

IP address: 192.168.1.2
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.1

Depen
237. ssccceccesseeeceeeeeecceaeeeeceeeeeenscaaeees 258  10 Innominate Security Technologies 115007_en_02    m Guard rs4000 rs2000    1 mQGuard rs4000 rs2000    115007_en_02    Table 1 1 Available mGuard rs4000 rs2000 versions    mGuard rs4000 TX TX HW 107010    mGuard rs4000 TX TX VPN BD 701000  mGuard rs2000 TX TX VPN HW 108010    The mGuard rs4000 is a security router with intelligent firewall and optional IPsec VPN  10  to 250 tunnels   It has been designed for use in industry to accommodate strict distributed  security and high availability requirements     The mGuard rs2000 is a version with basic firewall and integrated IPsec VPN  maximum  of two tunnels   Its scope of functions is reduced to the essentials  It is suitable for secure  remote maintenance applications in industry and enables the quick startup of robust field  devices for industrial use  thereby facilitating error free  independent operation        Both versions support a replaceable configuration memory in the form of an SD card   The  SD cards are not supplied as standard   The fanless metal housing is mounted on a DIN rail     The following connectivity options are available    mGuard rs4000   LAN WAN  mGuard rs2000   LAN WAN   TX TX Ethernet Ethernet TX TX VPN Ethernet Ethernet   VPN  TX TX VPN Ethernet Ethernet   VPN       Figure 1 1 mGuard rs4000 mGuard rs2000    Innominate Security Technologies 11    m Guard rs4000 rs2000    1 1 Operating elements and LEDs    Reset button     _     amp     fi ff For plug
238. sses    Default setting Management IP  1   Management IP  2  mode       Proceed as follows   e Start a web browser     e Make sure that the browser  when it is started  does not automatically establish a con   nection as otherwise the connection establishment to the mGuard may be more diffi   cult     In Internet Explorer  make the following settings    e Inthe    Tools    menu  select    Internet Options    and click on the    Connections    tab    e Under    Dial up and Virtual Private Network settings     select    Never dial a connection       e Enter the address of the mGuard completely into the address line of the web browser   refer to Table 11 4      You access the administrator website of the mGuard   If the administrator web page of the mGuard cannot be accessed    If the address of the mGuard in Router  PPPoE or PPTP mode has been set to a different   value  and the current address is not known  the mGuard must be reset to the default set   tings specified above for the IP address using the Recovery procedure  see    Performing a  recovery procedure    on page 210      If the web browser repeatedly reports that the page cannot be displayed  try the following    e Check whether the default gateway of the connected configuration computer is initial   ized  see    Local configuration on startup  EIS     on page 204     e Disable any active firewalls    e Make sure that the browser does not use a proxy server   In Internet Explorer  Version 8   make the following setti
239. stablishing a local configuration connection 229
12.7 Remote configuration 231
12.8 Restart, recovery procedure, and flashing the firmware 232
12.9 Technical data 235
13 EAGLE mGuard 237
13.1 Operating elements and LEDs 238
13.2 Startup 239
13.3 Installation of EAGLE mGuard 240
13.4 Preparing the configuration 243
13.5 Configuration in Stealth mode 244
13.6 Establishing a local configuration connection 247
13.7 Remote configuration 249
13.8 Restart, recovery procedure, and flashing the firmware 250
13.9 Technical data 253
14 Assigning IP addresses and setting up DHCP/TFTP servers 255
14.1 Assigning the IP address using IPAssign.exe 255
14.2 Installing the DHCP and TFTP server
240. stem (standard type for SD cards).

To flash the firmware from a TFTP server, a TFTP server must be installed on the locally connected computer (see "Installing the DHCP and TFTP server" on page 258).

NOTE: Installing a second DHCP server in a network could affect the configuration of the entire network.

- The mGuard firmware has been obtained from your dealer's support team or the www.innominate.com website and has been saved on a compatible SD card.
- This SD card has been inserted into the mGuard.
- The relevant firmware files are available for download from the download page of www.innominate.com. The files must be located under the following path names or in the following folders on the SD card:
  Firmware/install-ubi.mpc83xx.p7s
  Firmware/ubifs.img.mpc83xx.p7s

mGuard rs4000/rs2000 3G

Action

To flash the firmware or to perform the rescue procedure, proceed as follows:

NOTE: Do not interrupt the power supply to the mGuard during any stage of the flashing procedure. Otherwise, the device could be damaged and may have to be reactivated by the manufacturer.

• Hold down the Reset button until the Stat, Mod, and Sig LEDs light up green. Then, the mGuard is in the recovery state.
• Release the Reset button within a second of entering the recovery state.
  If the Reset button is not released, the mGuard is restarted.
  The mGuard now starts the rescue system. It searc
241. suitable UTP cable  CAT5   which is not included in the scope of supply   e Connect the internal network interface LAN of the device to the corresponding Ethernet    network card of the configuration computer or a valid network connection of the internal  network  LAN      38 Innominate Security Technologies 115007_en_02    2 3 3     j O    mGuard rs4000 rs2000 Switch    Connecting the service contacts    NOTE  Do not connect the voltage and ground outputs to an external voltage source     The plug in screw terminal blocks of the service contacts may be removed or inserted dur   ing operation of the device     The mGuard rs4000 rs2000 Switch has three digital inputs and outputs  These are config     ured in the web interface  e g   as a control signal for starting and stopping VPN connec   tions     The digital inputs and outputs are connected as follows     CMD    Switching  input 11      36 V DC    CMD V   Voltage out   put        Supply volt   age    N        Q        gt   i  o  ep     1 Maximum of 250 mA at 11     36 VDC    Service 2    Service 1    Ground out     put        Supply volt     age          mGuard rs4000 Switch       top view    Contact      2 sr os  v e   cy    Short cir   cuit proof  switching  output      2 11 V    36 V when operating correctly  disconnected in the event of a fault          P1      GND    See Section 2 3 4    Service 2    Service 1                top view       Contact    FFF          mGuard rs2000 Switch    CARRER  Che    Only for mGuard 
242. t displayed    115007_en_02    mGuard pci  SD    5 6 Establishing a local configuration connection    The mGuard is configured via a web browser that is executed on the configuration com   puter     NOTE  The web browser used must support SSL encryption  i e   HTTPS      The mGuard can be accessed via the following address     Table 5 4 Preset addresses    Default setting Management IP  1   Management IP  2  mode       mGuard pci  SD https   1 1 1 1  https   192 168 1 1     Proceed as follows    e Start a web browser    e Make sure that the browser  when it is started  does not automatically establish a con   nection as otherwise the connection establishment to the mGuard may be more diffi   cult    In Internet Explorer  make the following settings    e Inthe    Tools    menu  select    Internet Options    and click on the    Connections    tab    e Under    Dial up and Virtual Private Network settings     select    Never dial a connection       e Enter the address of the mGuard completely into the address line of the web browser   refer to Table 5 4      You access the administrator website of the mGuard   If the administrator web page of the mGuard cannot be accessed    If the address of the mGuard in Router  PPPoE or PPTP mode has been set to a different   value  and the current address is not known  the mGuard must be reset to the default set   tings specified above for the IP address using the Recovery procedure  see    Performing a  recovery procedure    on page 105    
243. t down, without tilting the screwdriver, and then pull up the mGuard industrial rs.
    12.3.2 Connecting the supply voltage
    WARNING: The mGuard industrial rs is designed for operation with a DC voltage of 9 V DC ... 36 V DC SELV, 0.5 A, maximum. Therefore, only SELV circuits with voltage limitations according to EN 60950-1 may be connected to the supply connections and the signal contact.
    The supply voltage is connected via a terminal block with screw locking, which is located on the top of the device.
    [Figure 12-4: Supply voltage. Terminals P1/P2: 24 V, 0 V, 24 V, 0 V.]
    Supply voltage: NEC Class 2 power source 12 V DC or 24 V DC, 25 33, Safety Extra Low Voltage (SELV/PELV, redundant inputs isolated), 5 A maximum. Buffer time 10 ms, minimum at 24 V DC.
    Redundant power supply
    A redundant supply voltage can be connected. Both inputs are isolated. The load is not distributed. With a redundant supply, the power supply unit with the higher output voltage supplies the mGuard industrial rs alone. The supply voltage is electrically isolated from the housing.
    If the supply voltage is not redundant, the mGuard industrial rs indicates the failure of the supply voltage via the signal contact. This message can be prevented by feeding the supply voltage via both inputs.
    12.3.3 Connecting to the network
    WARNING: Only connect the mGuard network ports to LAN installations.
    When connecting to the network, use cab
244. t to the mGuard may be more difficult.
    In Internet Explorer, make the following settings:
    • In the "Tools" menu, select "Internet Options" and click on the "Connections" tab.
    • Under "Dial-up and Virtual Private Network settings", select "Never dial a connection".
    • Enter the address of the mGuard completely into the address line of the web browser (refer to Table 8-4).
    You access the administrator website of the mGuard.
    If the administrator web page of the mGuard cannot be accessed
    If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see "Performing a recovery procedure" on page 153).
    If the web browser repeatedly reports that the page cannot be displayed, try the following:
    • Check whether the default gateway of the connected configuration computer is initialized (see "Local configuration on startup (EIS)" on page 147).
    • Disable any active firewalls.
    • Make sure that the browser does not use a proxy server.
    In Internet Explorer (Version 8), make the following settings: "Tools" menu, "Internet Options", "Connections" tab. Click on "Properties" under "LAN settings". Check that "Use a proxy server for your LAN" (under "Proxy server") is not activated in the "Local Area Network (LAN) Settin
245. tandard)
    - Start up the device via temporary management IP address
    - Start up device via BootP
    5.5.1 Start up the device in Stealth mode (standard)
    Insert the mGuard pci SD between an existing network connection.
    To connect to the LAN and WAN interfaces, a suitable UTP cable (CAT5) is required. The cables are not supplied as standard.
    • Connect the internal network interface (LAN 1) of the mGuard pci SD to the corresponding Ethernet network card of the configuration computer or a valid network connection of the internal network.
    • Connect the external network interface (WAN 1) of the mGuard pci SD to the external network, e.g., Internet.
    The STAT status LED lights up green when the supply voltage has been connected properly.
    The mGuard boots the firmware. The STAT status LED flashes green during this time.
    The mGuard is ready for operation as soon as the lower Ethernet socket LEDs light up. In addition, the STAT status LED flashes green at heartbeat.
    If the lower LEDs in the Ethernet sockets do not light up, this indicates a missing connection to the internal or external network. If no LED lights up, the supply voltage is missing.
    The mGuard is configured via a web browser that is executed on the locally connected computer.
    NOTE: The web browser used must support SSL encryption (i.e., HTTPS).
    The mGuard is preset and can be accessed via address https://1.1.1.1.
246. tched on for Ethernet connections. HTTPS access is enabled via the local Ethernet connection (LAN).
    - The settings configured for VPN connections and the firewall are retained, including passwords.
    Possible reasons for performing the recovery procedure:
    - The mGuard is in Router or PPPoE mode.
    - The configured device address of the mGuard differs from the default setting.
    - The current IP address of the device is not known.
    Up-to-date information on the recovery and flashing procedure can be found in the application note for your mGuard firmware version.
    You can find application notes under the following Internet address: www.innominate.com
    Action
    • Slowly press the Reset button six times. After approximately 2 seconds, the STATUS LED lights up yellow.
    • Press the Reset button slowly again six times. If successful, the STATUS LED lights up yellow. If unsuccessful, the FAULT LED lights up red.
    If successful, the device restarts after two seconds and switches to Stealth mode. The device can then be reached again under the corresponding addresses.
    EAGLE mGuard
    13.8.3 Flashing the firmware/rescue procedure
    Objective: The entire firmware of the mGuard should be reloaded on the device.
    - All configured settings are deleted. The mGuard is set to the delivery state.
    - In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after
247. the "multiple Clients" stealth configuration. You need to configure a management IP address and default gateway if you want to use VPN connections (in the web interface under "Network >> Interfaces >> General"). Alternatively, you can select a different stealth configuration or use another network mode.
    If inconsistencies are no longer detected, a message appears indicating that a valid IP address has been set.
    • Click on "Next".
    mGuard industrial rs
    12.5 Configuration in Stealth mode
    On initial startup, the mGuard can be accessed via two addresses:
    - https://192.168.1.1 (see page 227)
    - https://1.1.1.1 (see page 227)
    Alternatively, an IP address can be assigned via BootP (see "Assigning the IP address via BootP" on page 228).
    The mGuard can be accessed via https://192.168.1.1 if the external network interface is not connected on startup.
    Computers can access the mGuard via https://1.1.1.1 if they are directly or indirectly connected to the LAN port of the mGuard. For this purpose, the mGuard with LAN port and WAN port must be integrated in an operational network in which the default gateway can be accessed via the WAN port.
    After access via IP address 192.168.1.1 and successful login, IP address 192.168.1.1 is set as a fixed management IP address.
    After access via IP address 1.1.1.1 or after IP address assignment via BootP, the FL MGUARD can no lo
248. the Reset button for around 1.5 seconds until the ERR LED lights up. (Alternatively, disconnect the power supply and then connect it again.)
    mGuard delta
    4.8.2 Performing a recovery procedure
    Objective: The network configuration (but not the rest of the configuration) is to be reset to the delivery state, as it is no longer possible to access the mGuard.
    When performing the recovery procedure, the default settings are established:
    Table 4-5 Preset addresses
    Default setting / mode: mGuard delta; Management IP 1: https://1.1.1.1; Management IP 2: https://192.168.1.1
    - The mGuard is reset to Stealth mode with the default setting "multiple Clients".
    - The CIFS integrity monitoring function is also disabled because this only works when the management IP is active.
    - In addition, MAU management is switched on for Ethernet connections. HTTPS access is enabled via the local Ethernet connection (LAN).
    - The settings configured for VPN connections and the firewall are retained, including passwords.
    Possible reasons for performing the recovery procedure:
    - The mGuard is in Router or PPPoE mode.
    - The configured device address of the mGuard differs from the default setting.
    - The current IP address of the device is not known.
    Up-to-date information on the recovery and flashing procedure can be found in the application note for your mGuard firmware version.
    You ca
249. the Reset button is not released, the mGuard is restarted.
    The mGuard now starts the recovery system: It searches for a DHCP server via the LAN interface in order to obtain an IP address.
    The STAT LED flashes.
    The "install.p7s" file is loaded from the TFTP server or SD card. It contains the electronically signed control procedure for the installation process. Only files that are signed are executed.
    The control procedure deletes the current contents of the Flash memory and prepares for a new firmware installation.
    The STAT, MOD, and SIG LEDs form a running light.
    The "jffs2.img.p7s" firmware file is downloaded from the TFTP server or SD card and written to the Flash memory. This file contains the actual mGuard operating system and is signed electronically. Only files signed by Innominate are accepted.
    This process takes around 3 to 5 minutes. The STAT LED is lit continuously.
    The new firmware is extracted and configured. This procedure takes 1 to 3 minutes.
    As soon as the procedure is complete, the STAT, MOD, and SIG LEDs flash green simultaneously.
    Restart the mGuard. To do this, briefly press the Reset button. (Alternatively, disconnect the power supply and then connect it again.)
    The mGuard is in the delivery state. You can now configure it again (see "Establishing a local configuration connection" on page 24).
    1.9
    Hardware properties: Platform; Network interfaces; Other interfaces; Memory; Redu
250. the following Internet address: www.innominate.com
    Action
    • Slowly press the Reset button six times. After approximately 2 seconds, the middle LED lights up green.
    • Press the Reset button slowly again six times. If successful, the middle LED lights up green. If unsuccessful, the middle LED lights up red.
    If successful, the device restarts after two seconds and switches to Stealth mode. The device can then be reached again under the corresponding addresses.
    mGuard smart  smart
    6.8.3 Flashing the firmware/rescue procedure
    Objective: The entire firmware of the mGuard should be reloaded on the device.
    - All configured settings are deleted. The mGuard is set to the delivery state.
    - In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again.
    Possible reasons: The administrator and root password have been lost.
    Requirements
    NOTE: To flash the firmware, a DHCP and TFTP server or a BootP and TFTP server must be installed on the locally connected computer. Install the DHCP and TFTP server, if necessary (see "Installing the DHCP and TFTP server" on page 258).
    NOTE: Installing a second DHCP server in a network could affect the configuration of the entire network.
    Action
    NOTE: Do not interrupt the power supply to the mGuard during any stage of the flashing
251. the mGuard via the local network.
    - For remote configuration: The mGuard must be configured so that remote configuration is permitted.
    - The mGuard must be connected, i.e., the required connections must be working.
    5.4.2 Local configuration on startup (EIS)
    As of firmware version 7.2, initial startup of mGuard products provided in Stealth mode is considerably easier. From this version onwards, the EIS (Easy Initial Setup) procedure enables startup to be performed via preset or user-defined management addresses without actually having to connect to an external network.
    The mGuard is configured using a web browser on the computer used for configuration.
    NOTE: The web browser used must support SSL encryption (i.e., HTTPS).
    According to the default setting, the mGuard can be accessed via the following addresses:
    Table 5-3 Preset addresses
    Default setting / mode: mGuard pci SD; Management IP 1: https://1.1.1.1; Management IP 2: https://192.168.1.1
    The mGuard is preset to the "multiple Clients" stealth configuration. You need to configure a management IP address and default gateway if you want to use VPN connections (see page 101). Alternatively, you can select a different stealth configuration or use another network mode.
    mGuard pci SD
    5.5 Configuration in Stealth mode
    The mGuard pci SD can be started up in three different ways:
    - Start up the device in Stealth mode (s
252. the mGuard as described in "Configuring the mGuard pci SD" on page 97.
    mGuard pci SD
    5.5.4 Assigning the IP address via BootP
    After assigning an IP address via BootP, the product can no longer be accessed via IP address 192.168.1.1.
    For IP address assignment, the mGuard uses the BootP protocol. The IP address can also be assigned via BootP. On the Internet, numerous BootP servers are available. You can use any of these programs for address assignment.
    Section 14.1 explains IP address assignment using the free Windows software "IP Assignment Tool" (IPAssign.exe).
    Notes for BootP
    During initial startup, the mGuard transmits BootP requests without interruption until it receives a valid IP address. After receiving a valid IP address, the mGuard no longer sends BootP requests. The product can then no longer be accessed via IP address 192.168.1.1.
    After receiving a BootP reply, the mGuard no longer sends BootP requests, not even after it has been restarted. For the mGuard to send BootP requests again, it must either be set to the default settings or one of the procedures (recovery or flash) must be performed.
    Requirements
    The mGuard is connected to a computer using a Microsoft Windows operating system.
    Web-based administrator interface; If you have forgotten the configured address; If the administrator web page is no
253. the network. To do this, you need a suitable UTP cable (CAT5), which is not included in the scope of supply.
    Connect the internal network interface LAN 1 of the mGuard to the corresponding Ethernet network card of the configuration computer or a valid network connection of the internal network (LAN).
    1.3.3 Service contacts
    NOTE: Do not connect the voltage and ground outputs (GND, CMD V) to an external voltage source.
    Please note that only the "Service 1" contacts are used with firmware version up to and including 7.6x. The "Service 2" contacts shall be made available as of firmware version 8.1.
    The plug-in screw terminal blocks of the service contacts may be removed or inserted during operation of the mGuard.
    [Figure: service contacts Service 1 and Service 2 (top view) on the mGuard rs4000 and mGuard rs2000. Labels: P1 (only for mGuard rs4000, see Section 1.3.4); CMD V (voltage output, supply voltage); CMD (switching input, 11 ... 36 V DC); ground output (supply voltage); short-circuit-proof switching output; examples: not used, signal output. Notes: maximum of 250 mA at 11 ... 36 V DC; 11 V ... 36 V when operating correctly, disconnected in the event of a fault.]
    A push button or an on/off switch (e.g., key switch)
254. the preset user name and password (please note these settings are case-sensitive):
    User Name: admin
    Password: mGuard
    The device can then be configured via the web interface. For additional information, please refer to software reference manual.
    For security reasons, we recommend you change the default root and administrator passwords during initial configuration.
    Requirement; How to proceed; Example; Configuration
    mGuard rs4000/rs2000 Switch
    2.7 Remote configuration
    The device must be configured so that remote configuration is permitted. By default upon delivery, the option for remote configuration is disabled.
    Switch on the remote configuration option in the web interface under "Management >> Web Settings".
    To configure the device via its web user interface from a remote computer, establish the connection to the device from there.
    Proceed as follows:
    • Start the web browser on the remote computer.
    • Under address, enter the IP address where the device can be accessed externally over the Internet or WAN, together with the port number (if required).
    If the device can be accessed over the Internet, for example, via address https://123.45.67.89, and port number 443 has been specified for remote access, the following address must be entered in the web browser of the remote peer: https://123.45.67.89
    If a different port number is used, it s
255. tion option in the web interface under "Management >> Web Settings".
    To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there.
    Proceed as follows:
    • Start the web browser on the remote computer.
    • Under address, enter the IP address where the mGuard can be accessed externally over the Internet or WAN, together with the port number (if required).
    If the mGuard can be accessed over the Internet, for example, via address https://123.45.67.89, and port number 443 has been specified for remote access, the following address must be entered in the web browser of the remote peer: https://123.45.67.89
    If a different port number is used, it should be entered after the IP address, e.g., https://123.45.67.89:442
    The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual.
    mGuard industrial rs
    12.8 Restart, recovery procedure, and flashing the firmware
    The Reset button is used to set the device to one of the following states:
    - Performing a restart
    - Performing a recovery procedure
    - Flashing the firmware/rescue procedure
    [Figure: mGuard industrial RS front panel. Labels: Modem, Fault, State, Error, LAN, WAN, Service, Analog. Reset button: located in the opening; can be pressed with a straightened paper clip, for example.]
256. tions
    • To establish the VPN connection, hold down the button for a few seconds until the INFO LED flashes. Only then release the button. Flashing indicates that the mGuard has received the command to establish the VPN connection and is establishing the VPN connection. As soon as the VPN connection is established, the INFO LED remains lit continuously.
    • To release the VPN connection, hold down the button for a few seconds until the signal output flashes or goes out. Only then release the button.
    Operating a connected on/off switch; INFO LED; Signal contact (signal output)
    mGuard rs4000/rs2000 3G
    As soon as the INFO LED goes out, the VPN connection is released.
    • To establish the VPN connection, set the switch to the ON position.
    • To release the VPN connection, set the switch to the OFF position.
    If the INFO LED does not light up, this generally indicates that the defined VPN connection is not present. Either the VPN connection was not established or it has failed due to an error.
    If the INFO LED is illuminated, the VPN connection is present.
    If the INFO LED is flashing, the VPN connection is being established or released.
    The signal contact monitors the function of the mGuard rs4000/rs2000 and thus enables remote diagnostics.
    The FAULT LED lights up red if the signal output takes low level due to an error (inverted logic).
    The voltage at the signal cont
257. tions" or "Network and Dial-up Connections", right-click on the corresponding icon and select "Disable" in the context menu.
    mGuard smart  smart
    After successful connection establishment
    Once a connection has been established successfully, a security alert may be displayed.
    Explanation: As administrative tasks can only be performed using encrypted access, a self-signed certificate is supplied with the device.
    • Click "Yes" to acknowledge the security alert.
    The login window is displayed.
    [Figure 6-4: Login. Login window "Login to mguard" with User Name and Password fields.]
    • To log in, enter the preset user name and password (please note these settings are case-sensitive):
    User Name: admin
    Password: mGuard
    The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual.
    For security reasons, we recommend you change the default root and administrator passwords during initial configuration.
    Requirement; How to proceed; Example; Configuration
    mGuard smart  smart
    6.7 Remote configuration
    The mGuard must be configured so that remote configuration is permitted. The option for remote configuration is disabled by default.
    Switch on the remote configuration option in the web interface under "Management >> Web Settings".
    To configure the
258. tus; Recovery mode; Log File; Remote Syslog; CE; FCC
    mGuard centerport
    11 mGuard centerport
    Table 11-1 Available mGuard centerport versions
    mGuard centerport: HW 106000
    mGuard centerport VPN 250: BD 601000
    mGuard centerport VPN 1000: BD 602000
    The mGuard centerport is a high-end firewall and a VPN gateway in 19" format. It is suitable as a central network infrastructure for remote service solutions. With its Gigabit Ethernet interfaces and corresponding throughput as the router and as the stateful inspection firewall, the device can also be used in the backbone in industrial networks.
    As a gateway, the mGuard centerport supports the VPN connection to any number of systems in the VPN tunnel groups with up to a thousand simultaneous tunnels, which all belong to the same unique public IP address.
    The mGuard centerport performs secure remote services, such as remote support, remote diagnostics, remote maintenance, and condition monitoring for a large number of machines and systems via the Internet. An encrypted VPN data throughput of 600 Mbps is possible to one interface.
    The mGuard centerport is compatible with all mGuard VPN field devices and the mGuard device manager.
    The mGuard centerport can be provided in three device versions, which determine the number of simultaneously supported active
259. unsuccessful, the WAN LED lights up red.
    If successful, the device restarts after two seconds and switches to Router mode. The device can then be reached again under the corresponding addresses.
    mGuard blade
    10.7.3 Flashing the firmware/rescue procedure
    Objective: The entire firmware of the mGuard should be reloaded on the device.
    - All configured settings are deleted. The mGuard is set to the delivery state.
    - In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again.
    Possible reasons: The administrator and root password have been lost.
    Requirements: Requirements for flashing
    NOTE: To flash the firmware, a DHCP and TFTP server or a BootP and TFTP server must be installed on the locally connected computer. Install the DHCP and TFTP server, if necessary (see "Installing the DHCP and TFTP server" on page 258).
    NOTE: Installing a second DHCP server in a network could affect the configuration of the entire network.
    Action
    NOTE: Do not interrupt the power supply to the mGuard during any stage of the flashing procedure. Otherwise, the device could be damaged and may have to be reactivated by the manufacturer.
    • Hold down the Reset button until the green LEDs and the red LAN LED light up. Then, the mGuard is in the recovery state.
    • Release the Reset
260. ure 8-1 mGuard delta
    mGuard delta
    8.1 Operating elements and LEDs
    [Figure 8-2: Operating elements and LEDs on the mGuard delta. Labels: Power, Status, LAN SWITCH, Current, Status, Reserved, Ethernet WAN, Ethernet LAN.]
    [Table 8-2: LEDs on the mGuard delta. Columns: LED, State, Meaning. Surviving entries: the power supply is active; On: the mGuard starts; ... is ready (flash, flash, pause, etc.); Reserved.]
    mGuard delta
    8.2 Startup
    8.2.1 Safety notes
    To ensure correct operation and the safety of the environment and of personnel, the mGuard must be installed, operated, and maintained correctly.
    NOTE: Risk of material damage due to incorrect wiring. Only connect the mGuard network ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the mGuard.
    General notes regarding usage
    NOTE: Select suitable ambient conditions.
    - Ambient temperature: 0 °C ... 40 °C
    - Maximum humidity, non-condensing: 5% ... 95%
    To avoid overheating, do not expose the mGuard to direct sunlight or other heat sources.
    NOTE: Cleaning. Clean the device housing with a soft cloth. Do not use aggressive solvents.
    8.2.2 Checking the scope of supply
    Before startup, check the scope of supply to ensure nothing is m
261. ured settings.
    Action
    • Press the Reset button for around 1.5 seconds until the ERR LED lights up. (Alternatively, disconnect the power supply and then connect it again.)
    mGuard rs4000/rs2000
    1.8.2 Performing a recovery procedure
    Objective: The network configuration (but not the rest of the configuration) is to be reset to the delivery state, as it is no longer possible to access the mGuard.
    When performing the recovery procedure, the default settings are established:
    Table 1-5 Preset addresses
    Default setting / mode: mGuard rs4000; Management IP 1: https://1.1.1.1; Management IP 2: https://192.168.1.1
    Default setting / mode: mGuard rs2000; Management IP 1: https://1.1.1.1; Management IP 2: https://192.168.1.1
    - The mGuard is reset to Stealth mode with the default setting "multiple Clients".
    - The CIFS integrity monitoring function is also disabled because this only works when the management IP is active.
    - In addition, MAU management is switched on for Ethernet connections. HTTPS access is enabled via the local Ethernet connection (LAN).
    - The settings configured for VPN connections and the firewall are retained, including passwords.
    Possible reasons for performing the recovery procedure:
    - The mGuard is in Router or PPPoE mode.
    - The configured device address of the mGuard differs from the default setting.
    - The current IP address of the device is not known.
    Up-to-date information on the recovery and flashing p
262. uter used for configuration must meet the following requirements:
    - mGuard in Driver mode: The mGuard pci driver must be installed on the computer.
    - mGuard in Power-over-PCI mode: The computer must be connected to the LAN connection of the mGuard or to the mGuard via the local network.
    - For remote configuration: The mGuard must be configured so that remote configuration is permitted.
    - The mGuard must be connected, i.e., the required connections must be working.
    9.4.2 Local configuration on startup (EIS)
    As of firmware version 7.2, initial startup of mGuard products provided in Stealth mode is considerably easier. From this version onwards, the EIS (Easy Initial Setup) procedure enables startup to be performed via preset or user-defined management addresses without actually having to connect to an external network.
    The mGuard is configured using a web browser on the computer used for configuration.
    NOTE: The web browser used must support SSL encryption (i.e., HTTPS).
    According to the default setting, the mGuard can be accessed via the following addresses:
    Table 9-3 Preset addresses
    Default setting / mode; Management IP 1: https://1.1.1.1; Management IP 2: https://192.168.1.1
    The mGuard is preset to the "multiple Clients" stealth configuration. You need to configure a management IP address and default gateway if you want to use VPN connections (see page 172). Alternatively, you can select a different stea
263. utton within a second of entering the recovery state. If the Reset button is not released, the mGuard is restarted.
    The mGuard now starts the recovery system: It searches for a DHCP server via the LAN interface in order to obtain an IP address.
    The Status LED flashes.
    The "install.p7s" file is loaded from the TFTP server or SD card. It contains the electronically signed control procedure for the installation process. Only files that are signed are executed.
    The control procedure deletes the current contents of the Flash memory and prepares for a new firmware installation.
    The Status LED flashes faster.
    The "jffs2.img.p7s" firmware file is downloaded from the TFTP server or SD card and written to the Flash memory. This file contains the actual mGuard operating system and is signed electronically. Only files signed by Innominate are accepted.
    This process takes around 3 to 5 minutes. The Status LED is lit continuously.
    The new firmware is extracted and configured. This procedure takes 1 to 3 minutes.
    • As soon as the procedure is complete, the Status LED flashes once a second.
    • Restart the mGuard. To do this, briefly press the Reset button. (Alternatively, disconnect the power supply and then connect it again.)
    The mGuard is in the delivery state. You can now configure it again (see "Establishing a local configuration connection" on page 149).
    8.8
    Hardware properties: Platform
264. ve: The device is restarted with the configured settings.
    Action
    • Press the Reset button for around 1.5 seconds until the Status LED stops flashing. (Alternatively, disconnect the power supply and then connect it again.)
    mGuard delta
    8.7.2 Performing a recovery procedure
    Objective: The network configuration (but not the rest of the configuration) is to be reset to the delivery state, as it is no longer possible to access the mGuard.
    When performing the recovery procedure, the default settings are established:
    Table 8-5 Preset addresses
    Default setting / mode: mGuard delta, Router; Management IP 1 / Management IP 2: https://192.168.1.4
    The settings configured for VPN connections and the firewall are retained, including passwords.
    Possible reasons for performing the recovery procedure:
    - The mGuard is in PPPoE mode.
    - The configured device address of the mGuard differs from the default setting.
    - The current IP address of the device is not known.
    Up-to-date information on the recovery and flashing procedure can be found in the application note for your mGuard firmware version.
    You can find application notes under the following Internet address: www.innominate.com
    Action
    • Slowly press the Reset button six times. After approximately 2 seconds, the Status LED lights up green.
    • Press the Reset button slowly again six times. If successful, the Status LED li
265. vice is correctly connected and operating. Flashing: System error. Restart the device. • Press the Reset button (for 1.5 seconds). • Alternatively, briefly disconnect the device power supply and then connect it again. If the error is still present, start the recovery procedure (see "Performing a recovery procedure" on page 121) or contact your dealer. Green O WAN: connection to the network partner is present. Flashing: WAN: data transmission is active. Various LED light codes: Recovery mode. After pressing the Reset button. See "Restart, recovery procedure, and flashing the firmware" on page 120. mGuard smart  smart 6.2 Startup 6.2.1 Safety notes. To ensure correct operation and the safety of the environment and of personnel, the mGuard must be installed, operated, and maintained correctly. NOTE: Risk of material damage due to incorrect wiring. Only connect the mGuard network ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the mGuard. General notes regarding usage. NOTE: Select suitable ambient conditions. Ambient temperature   0  C      40  C. Maximum humidity  non condensing  20      90. To avoid overheating, do not expose the mGuard to direct sunlight or other heat sources. NOTE: Cleaning. Clean the device housing with a soft cloth. Do not use aggressive solve
266. vice to one of the following states: Performing a restart. Performing a recovery procedure. Flashing the firmware rescue procedure. Figure 13-7 Reset button. 13.8.1 Performing a restart. Objective: The device is restarted with the configured settings. Action • Press the Reset button for around 1.5 seconds until the middle LED lights up in red. (Alternatively, disconnect the power supply and then connect it again.) EAGLE mGuard 13.8.2 Performing a recovery procedure. Objective: The network configuration (but not the rest of the configuration) is to be reset to the delivery state, as it is no longer possible to access the mGuard. When performing the recovery procedure, the default settings are established. Table 13-5 Preset addresses: Default setting Management IP  1   Management IP  2  mode: EAGLE mGuard, https://1.1.1.1, https://192.168.1.1. The mGuard is reset to Stealth mode with the default setting "multiple Clients". The CIFS integrity monitoring function is also disabled because this only works when the management IP is active. In addition, MAU management is swi
267. ware version 8.0, the configured VPN connection is being established or aborted. As of firmware version 8.1, the configured VPN connections are being established or aborted or the defined firewall rule records are activated or deactivated. The LAN/WAN LEDs are located in the LAN/WAN sockets (10/100 and duplex LED). Ethernet status: Indicates the status of the LAN or WAN port. As soon as the device is connected to the relevant network, a continuous light indicates that there is a connection to the network partner in the LAN or WAN. When data packets are transmitted, the LED goes out briefly. mGuard rs4000/rs2000 1.2 Startup 1.2.1 Safety notes. To ensure correct operation and the safety of the environment and of personnel, the mGuard must be installed, operated, and maintained correctly. NOTE: Risk of material damage due to incorrect wiring. Only connect the mGuard network ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the mGuard. General notes regarding usage. NOTE: Select suitable ambient conditions. Ambient temperature    20  C      60  C. Maximum humidity  non condensing  5      95. To avoid overheating, do not expose the mGuard to direct sunlight or other heat sources. NOTE: Cleaning. Clean the device housing with a soft cloth. Do not use aggressive solvents. 1.2.2 Checking the sc
268. ww  innominate com        Burn the content of this zip archive as a data CD DVD  The following files must be located  in the following folders under the following path names on the CD DVD          Firmware install x86_64 p7s         Firmware firmware img x86_64 p7s    140 Innominate Security Technologies 115007_en_02    7 9    Hardware properties  Platform    Network interfaces    Other interfaces    Drives   Redundancy options  Power supply   Power consumption    Humidity range    Degree of protection    Temperature range    Dimensions  H x W x D   Weight    Firmware and power values    Firmware compatibility    Data throughput  router   firewall     Hardware based encryption    Encrypted VPN throughput  AES 256     Management support    Diagnostics    Other    Conformance    115007_en_02    mGuard centerport     Technical data    Multi core x86 processor architecture    1 LAN port  1 WAN port  1 SYNC port  1 DMZ port  Ethernet IEEE 802 3 10 100 1000 Base TX    RJ45   full half duplex   auto MDIX    VGA console   serial RS 232   D SUB 9 connector   6 x USB    1 HDD   1 SD card   Optional VPN license   router and firewall   2x 100 VAC    240 V AC  300 W at 50 60 Hz  redundant  Dependent on the expansion stage    20      90  during operation  non condensing  10      90  out of service    Front IP20   0  C      45  C  operation     20  C      70  C  storage    44 mm x 447 mm x 458 mm  1 HU x 19  x 18 5    9 kg    mGuard v8 1 2 or later   Innominate recommends using the latest p
269. x  25 Mbps. Web GUI (HTTPS), command line interface (SSH), SNMP v1/2/3, central device management software. LEDs (Power, State, Error, Signal, Fault, Info), log file, remote syslog. CE, FCC. Realtime clock, Trusted Platform Module (TPM), temperature sensor. mGuard Remote Services Portal ready. 5 mGuard pci  SD. Table 5-1 Available mGuard pci  SD versions: HW 102061  HW 102071    mGuard pci  SD VPN BD 111040  mGuard pcie  SD VPN BD 111060. The mGuard pci  SD has the design of a PCI-compatible plug-in board. It is available in two versions: mGuard pci  SD for devices or machines with PCI bus; mGuard pcie  SD for devices or machines with PCI Express bus. To aid understanding, mGuard pci  SD is used for the two device versions in this user manual. The mGuard pci  SD is suitable for distributed protection of industrial and panel PCs, individual machines or industrial robots. It has a configuration memory in the form of a replaceable SD card, which can be easily accessed on the front. Figure 5-1 mGuard pci  SD. 5.1 Operating elements and LEDs    Extension connection  LEDs  Reset button  SD card           SD card slot  configuration    Battery  can be replaced   memory     Reset button STAT LED   RJ45 socket  LAN 1  for LAN 1 LED  connecting to the internal LAN 2 LED  EUAN WAN 1 LED  WAN 1 LED    RJ45 socket  WAN 1
270. y be more difficult. In Internet Explorer, make the following settings: • In the "Tools" menu, select "Internet Options" and click on the "Connections" tab. • Under "Dial-up and Virtual Private Network settings", select "Never dial a connection". • Enter the address of the mGuard completely into the address line of the web browser (refer to Table 1-4). You access the administrator website of the mGuard. If the administrator web page of the mGuard cannot be accessed: If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see "Performing a recovery procedure" on page 28). If the web browser repeatedly reports that the page cannot be displayed, try the following: • Check whether the default gateway of the connected configuration computer is initialized (see "Local configuration on startup (EIS)" on page 20). • Disable any active firewalls. • Make sure that the browser does not use a proxy server. In Internet Explorer (Version 8), make the following settings: "Tools" menu, "Internet Options", "Connections" tab. Click on "Properties" under "LAN settings". Check that "Use a proxy server for your LAN" (under "Proxy server") is not activated in the "Local Area Network (LAN) Settings" dialog box.
    