99681624 tsadapter tiav13 doku v10 en

Upload: rafael-david

Post on 07-Jan-2016


DESCRIPTION

TS adapter DOKU

TRANSCRIPT

  • http://support.automation.siemens.com/WW/view/en/99681624

    Configuration Example 09/2014

    Setting up a secure VPN Connection between the TS Adapter IE Advanced and TIA Portal V13

    TS Adapter IE Advanced

  • Warranty and liability

    Security: TSAdapter_TIAV13, Entry ID: 99681624, V1.0, 09/2014

    Siemens AG 2014 All rights reserved

    Note: The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These application examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these application examples and other Siemens publications (e.g. catalogs), the contents of the other documents have priority.

    We do not accept any liability for the information contained in this document.

    Any claims against us based on whatever legal reason resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (Produkthaftungsgesetz), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (wesentliche Vertragspflichten). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment.

    Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of Siemens Industry Sector.

    Security information

    Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates.

    For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity.

    To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.automation.siemens.com.

  • Table of Contents


    Warranty and liability

    1 Task and Solution
        1.1 Task
        1.2 Possible solution
        1.3 Characteristics of the solution

    2 Configuration and Project Engineering
        2.1 Setting up the environment
            2.1.1 Required components and IP address overview
            2.1.2 Service PC
            2.1.3 DSL access for the TS Adapter IE Advanced (DSL router2)
            2.1.4 TS Adapter IE Advanced
            2.1.5 Setting up the infrastructure
        2.2 Commissioning remote maintenance
            2.2.1 Preparation
            2.2.2 Initial configuration of the TS Adapter IE Advanced
            2.2.3 Parameterizing remote access
            2.2.4 Final steps
        2.3 Establishing the VPN connection

    3 Testing the Tunnel Function

    4 Appendix: Using TIA Online Functions
        4.1 Accessible devices
        4.2 Assigning an IP address
        4.3 TeleService functions

    5 Appendix: Handling CA Certificates
        5.1 Deleting CA certificates
        5.2 Installing CA certificates

    6 History

  • 1 Task and Solution


    1.1 Task

    The task is to establish a secure connection between two networks (e.g., automation networks or individual devices) via the Internet or a company's internal network.

    The following customer requirements have to be considered:

    - Protection against spying and data manipulation.
    - Prevention of unauthorized access.
    - Easy handling and integration.
    - Use of existing addresses and addressing schemes.
    - Transparency (or easy use) for users.

    1.2 Possible solution

    Complete overview

    The figure below shows one way of implementing the customer requirements:

    [Figure: complete overview. Labels: Service PC with TIA Portal (VPN client), Internet router, Internet, modem/router with static WAN IP address, TS Adapter IE Advanced (VPN server), automation cell with SIMATIC S7 stations. Legend: VPN tunnel, Industrial Ethernet.]

    The connection between the service PC and the automation cell (nodes such as SIMATIC stations, panels, drives, PCs) is protected by a VPN tunnel.

    In this example, TIA Portal (V12 SP1 or higher) and the TS Adapter IE Advanced form the two tunnel endpoints for the secure connection. The TS Adapter IE acts as the VPN server, the PC with TIA Portal acts as the VPN client.

    Access to the TS Adapter IE (VPN server) from the WAN is predefined by the use of a static WAN IP address.

    WAN access on the client side is flexible; the IP address of the WAN port is not relevant.

    When establishing the VPN tunnel, the roles are defined as follows:

    Table 1-1

    Component                        VPN role
    TIA Portal (V12 SP1 or higher)   Initiator (VPN client); starts the VPN connection
    TS Adapter IE Advanced           Responder (VPN server); waits for the VPN connection


    TS Adapter IE Advanced

    The TS Adapter IE Advanced allows access, through the Internet, to all automation components of a plant - e.g., S7 CPUs - that are connected to Industrial Ethernet. TIA Portal V12 SP1 or higher running on a PG/PC with at least Windows 7 or Windows Server 2008 allows convenient remote maintenance of a plant through the Internet, including enhanced security mechanisms.

    They provide the following functions:

    - SSTP VPN (data encryption and authentication) for remote maintenance
    - IPv4 and IPv6 support on the WAN interface (IPv6 for firmware version 1.1.0 or higher)
    - Time-controlled WAN connectivity
    - Packet filter configuration
    - Enabling and disabling routes (VPN tunnel, Internet access)
    - Router functionality (port forwarding, NAT, DynDNS (with IPv6))

    1.3 Characteristics of the solution

    - High security standard due to VPN, certificates, random numbers generated in hardware and consideration of the strict Siemens Security Guidelines.
    - Customized solution for remote maintenance in the automation environment.
    - The same range of functions (STEP 7 functions, diagnostics) as on site without having to install additional programs.
    - Easy integration into existing networks and protection of devices that do not have their own security functions.
    - Enabling or configuring by IT administrators is generally not necessary.

  • 2 Configuration and Project Engineering


    2.1 Setting up the environment

    2.1.1 Required components and IP address overview

    Software packages

    To work with the TS Adapter IE Advanced, you need a PC with a "Windows 7" operating system (or higher) and the "TIA Portal" software (V12 SP1 or higher). Install this software on a PC/PG.

    Note: This example uses the TIA Portal V13 Update 3 software.

    Required devices/components

    To set up the environment, use the following components:

    - A TS Adapter IE Advanced (optional: a DIN rail installed accordingly, including fitting accessories).
    - A 24V power supply with cable connector and terminal block plug.
    - DSL access with a dynamic WAN IP address and a DSL router (e.g. SCALANCE M81x-1).
    - DSL access with a static WAN IP address and a DSL router (e.g. SCALANCE M81x-1).
    - A PC on which "Windows 7" and "TIA Portal" are installed.
    - The necessary network cables, TP cables (twisted pair) according to the IE FC RJ45 standard for Industrial Ethernet.

    Note: You can also use another Internet access method (e.g., UMTS). The configuration described below refers explicitly to the components listed in "Required devices/components".


    IP addresses

    For this example, the IP addresses are assigned as follows:

    [Figure: IP address overview. Service PC with TIA Portal (192.168.2.89), DSL router1 (LAN 192.168.2.1, dynamic WAN IP), VPN tunnel, DSL router2 (static WAN IP, LAN 172.16.0.1), TS Adapter IE Advanced (WAN 172.16.47.1, LAN 172.22.80.2).]

    Table 2-1

    Component       Port       IP address                          Router        Subnet mask
    Service PC      LAN port   192.168.2.89                        192.168.2.1   255.255.255.0
    DSL router1     LAN port   192.168.2.1                         -             255.255.255.0
    DSL router1     WAN port   Dynamic IP address from provider    -             Assigned by provider
    DSL router2     WAN port   Static IP address from provider     -             Assigned by provider
    DSL router2     LAN port   172.16.0.1                          -             255.255.0.0
    TS Adapter IE   WAN port   172.16.47.1                         172.16.0.1    255.255.0.0
    TS Adapter IE   LAN port   172.22.80.2                         -             255.255.255.0

    2.1.2 Service PC

    Installed software

    The following software packages are relevant on the service PC:

    - TIA Portal software as the remote end for the VPN connection to the TS Adapter IE Advanced.
    - Web browser to parameterize the TS Adapter IE Advanced.

    Deleting the CA certificate

    If you suspect that a CA certificate is misused, you should generate a new CA certificate for security reasons. Make sure that the CA certificate is replaced on all service PCs involved (delete the old CA certificate and import the new one). For security reasons, you should regularly generate new CA certificates. To delete a CA certificate, please follow the instructions from Chapter 5 (Appendix: Handling CA Certificates).

    Installing the CA certificate

    The initial configuration of the TS Adapter IE Advanced is done via a local HTTPS connection. As, at this time, a CA certificate for this TS Adapter IE Advanced has not yet been installed on the service PC, a security warning is displayed. You can acknowledge this security warning or install the CA certificate supplied on the CD in the Windows certificate store before first commissioning. To do this, please follow the instructions from Chapter 5 (Appendix: Handling CA Certificates).


    Note: To manage CA certificates, you need administrator rights.

    TIA Portal

    Use the TIA Portal V13 engineering software to create a new project.

    Web interface of the TS Adapter IE Advanced

    To open the Web interface, you have the following options:

    - Open a directly connected Web browser with TIA Portal.
    - Open a Web browser via a remote connection with TIA Portal.
    - Directly connected standard Web browser.

    This example uses the "Open a directly connected Web browser with TIA Portal" method. Please follow the instructions from Chapter 4 (Appendix: Using TIA Online Functions).

    Note: More information on the options to open the Web interface can be found in the appropriate chapter in the TS Adapter manual at the following link:
    https://www.automation.siemens.com/mdm/default.aspx?DocVersionId=65739502731&Language=en-EN&TopicId=65449369483&guiLanguage=en

    2.1.3 DSL access for the TS Adapter IE Advanced (DSL router2)

    Static IP address for DSL router2

    WAN access of the service PC (VPN client) to the TS Adapter IE Advanced (VPN server) is implemented using a fixed public IP address. This IP address must be requested from the provider and then stored in DSL router2.

    Port forwarding on DSL router2

    Due to the use of a DSL router as an Internet gateway, you have to enable the following port on DSL router2 and forward the data packets to the TS Adapter IE Advanced (VPN server; IP address on the WAN port):

    - TCP port 443 (HTTPS)

    Note: Some routers allow remote access via an Internet connection (HTTPS port 443). In this case, it is not possible to forward port 443 to the TS Adapter IE Advanced using port forwarding. For remote access to the router, you have to use another port (e.g., port 5443).

    Port 443 is the default port for VPN connections (SSTP) in Windows - and therefore also for the TS Adapter IE - and cannot be changed.


    2.1.4 TS Adapter IE Advanced

    Resetting to factory default

    To make sure that no old configurations and certificates are stored in the TS Adapter IE Advanced, reset the module to factory default. For the appropriate chapter in the TS Adapter manual, please use the following link:
    https://www.automation.siemens.com/mdm/default.aspx?DocVersionId=65739502731&Language=en-EN&TopicId=49826068875&guiLanguage=en

    Physical connection between the PC and the TS Adapter IE Advanced

    Connect the PC to a free LAN port of the TS Adapter IE Advanced.

    Assigning the IP address

    In the as-supplied state and after resetting the parameters, the TS Adapter IE Advanced has no valid IP address. To be able to work with the module, first set its IP parameters as described in Table 2-1. To do this, please follow the instructions from Chapter 4 (Appendix: Using TIA Online Functions).

    2.1.5 Setting up the infrastructure

    Connect all the components involved in this solution.

    [Figure: cabling overview. Service PC with TIA Portal (LAN port), DSL router1 (LAN port, WAN port), DSL router2 (WAN port, LAN port), TS Adapter IE Advanced (WAN port, LAN port).]

    Table 2-2

    Component       Local port   Partner                                                          Partner port
    Service PC      LAN port     DSL router1                                                      LAN port
    TS Adapter IE   WAN port     DSL router2                                                      LAN port
    TS Adapter IE   LAN port     E.g., an automation network (does not exist in this solution)


    2.2 Commissioning remote maintenance

    2.2.1 Preparation

    Components used

    This solution uses the following components: TS Adapter IE Advanced and "TIA Portal V13 Update 3".

    Physical connection between the PC and the TS Adapter IE Advanced

    Connect the service PC to a free LAN port of the TS Adapter IE Advanced and change the network settings on the service PC as follows:

    IP address: 172.22.80.100
    Subnet mask: 255.255.255.0

    Opening the Web interface

    Open the Web interface of the TS Adapter IE Advanced via TIA Portal. To do this, please follow the instructions from Chapter 4 (Appendix: Using TIA Online Functions).


    2.2.2 Initial configuration of the TS Adapter IE Advanced

    When you first log on, a guided tour takes you through all the settings required to commission the TS Adapter IE Advanced. The following section lists and explains the individual steps of the guided tour.

    System Clock

    Among other things, the system time is used to generate certificates. Set the time as follows:

    1. Enter the system time parameters. The time must be entered in UTC format.

    2. Apply the settings with "Save settings".


    Specific Password Settings

    Each password that is newly created or changed in the TS Adapter must follow specific rules. In the Web interface of the TS Adapter IE Advanced, you can define these rules yourself, for example the minimum length and minimum number of password elements.

    1. Define the settings for entering the password.

    2. Apply the settings with "Save settings".


    Changing the administrator password

    When you first log on, you are prompted to replace the default password of the default user, "Administrator", with a new password.

    1. In the "Password" field, enter a new administrator password and reenter the password to confirm it. When choosing the password, make sure that it complies with the password check rules ("Specific Password Settings").

    2. Apply the settings with "Save settings".


    CA certificate generation

    The last step of the guided tour prompts you to generate a new CA certificate. This overwrites the default CA certificate.

    1. In "Common name", add the name to "SIMATIC TeleService Adapter". In the CA certificate, this name is stored as the subject name and issuer information.

    2. Use the "Generate CA certificate" button to generate the CA certificate.

    Result

    The initial configuration of the TS Adapter is complete.


    2.2.3 Parameterizing remote access

    Preparation

    Open the Web interface of the TS Adapter IE Advanced via TIA Portal. To do this, please follow the instructions from Chapter 4 (Appendix: Using TIA Online Functions). Log on as an administrator and use the new password (see Chapter 2.2.2).

    IP parameters - Public Network

    Now you define how the TS Adapter IE Advanced can be accessed remotely.

    1. In the navigation bar, go to "Parameters" > "Public Network". In "Remote address assignment", select "Free entry".

    2. In "Remote address", enter the static WAN IP address of your DSL access point.


    3. For the WAN interface, select "Static" in "IP address assignment" and enter the IP address for the WAN interface as listed in Table 2-1. As the DNS server, use the IP address of the DSL router's LAN interface.

    4. Apply the settings with "Save settings".


    IP parameters - Plant Network

    Now you define which IP address is assigned to the service PC when establishing the VPN connection.

    1. In the navigation bar, go to "Parameters" > "Plant Network" > "IP parameters". Enter any available IP address that is in the same subnet as the plant network (automation network on the LAN interface of the TS Adapter).

    2. Apply the settings with "Save settings".


    Connection parameters

    Depending on the application, access to the TS Adapter via the WAN interface can be configured differently. Remote maintenance via VPN is desired for this example.

    To enable it, proceed as follows:

    1. In the navigation bar, go to "Information" > "Connections". Change the connection control of the WAN interface to "ONLINE + VPN".

    2. Apply the settings with "Save settings".


    Creating a user

    To enable the service PC to establish a VPN connection to the TS Adapter IE Advanced, a login with a user name and password is required. During the initial configuration, only the "Administrator" user is entered in the TS Adapter. As this user cannot establish a VPN connection, another user has to be entered.

    To create a new user, proceed as follows:

    1. In the navigation bar, go to "Security" > "User Management". Use "Edit" to create a new user.

    2. In the appropriate text boxes, enter a user name and password. Confirm the password. When choosing the password, make sure that it complies with the password check rules ("Specific Password Settings").


    3. Apply the settings with "Save settings".

    Result

    You have created a new user with the right to establish a VPN connection.

    Exporting the CA certificate

    To allow the service PC to uniquely identify the TS Adapter IE Advanced as the connection partner, the TS Adapter IE Advanced generates a CA certificate with a unique fingerprint (see Chapter 2.2.2, Initial configuration of the TS Adapter IE Advanced). To establish a VPN connection, it is mandatory to store this CA certificate in the Windows certificate store (local computer).

    To export the certificate, proceed as follows:

    1. In the navigation bar, go to "Security" > "Certificate". Use the "Exporting CA certificate" button to export the CA certificate.


    2. Save the certificate to your project folder.

    3. The CA certificate of the TS Adapter IE Advanced is stored in your project folder.

    Result

    The parameterization of the TS Adapter for remote maintenance is complete.

    2.2.4 Final steps

    Service PC

    To establish a VPN connection, it is mandatory to store the CA certificate generated by the TS Adapter in the Windows certificate store (local computer). To do this, please follow the instructions from Chapter 5 (Appendix: Handling CA Certificates).

    Infrastructure

    1. Connect the PC (TIA Portal) to the LAN interface of DSL router1.

    2. Assign the required network configuration to the network card as shown in Table 2-1.

    3. In all devices on the LAN port of the TS Adapter IE Advanced, enter the default gateway (IP address of the LAN port).


    2.3 Establishing the VPN connection

    When the TS Adapter IE Advanced has been parameterized for remote maintenance and the infrastructure has been connected as shown in Table 2-2, the service PC (VPN client) can initialize the VPN tunnel to the TS Adapter IE Advanced (VPN server).

    To establish a remote connection to the TS Adapter IE Advanced, proceed as follows:

    1. Open the Project view of TIA Portal and in the project navigation, click the "Online access" folder.

    2. Click the "TeleService" folder included in it.

    3. Double-click the "Establish/terminate remote connection" item.

    4. The "Set up remote connection to the remote system" dialog opens. In the "Adapter type" drop-down list, select TS Adapter IE and in "Connection type", select VPN.


    5. In the appropriate text boxes, enter the WAN IP address of DSL router2 (DSL router of the TS Adapter IE Advanced to be contacted) and the user name and the associated password of the newly created user (see "Creating a user" in Chapter 2.2.3).

    6. Click the "Connect" button to establish the desired VPN connection. This button is only active when you have entered all the parameters necessary to establish the remote connection.


    Result

    The VPN connection to the TS Adapter is being established. "Status" shows the progress of the connection establishment process. Once the VPN connection has been established, the dialog closes. The following message appears in the status bar of TIA Portal:

    "Remote connection is established"

    In TIA Portal, the new remote connection appears in the project navigation under the "TeleService" folder.

    This remote connection allows you to open the Web browser of the TS Adapter from TIA Portal. Log on with the newly created user. "Information" > "Status" shows the connection status of the remote connection.

    Note: If a connection cannot be established, try to find the cause. More information and troubleshooting help can be found in the appropriate chapter in the TIA manual at the following link:

    https://www.automation.siemens.com/mdm/default.aspx?DocVersionId=63972520715&Language=en-EN&TopicId=58521033355&guiLanguage=en

  • 3 Testing the Tunnel Function


    Chapter 2 completes the commissioning of the configuration, and the service PC and the TS Adapter IE Advanced have established a VPN tunnel for secure communication.

    You can test the established tunnel connection using a ping command on an internal node. This is described below. Alternatively, you can also use other methods to test the configuration (for example, by opening the internal Web page when using a PROFINET CPU).

    1. On the service PC, select "Start" > "All Programs" > "Accessories" > "Command Prompt" in the start bar.

    2. In the command line of the "Command Prompt" window that appears, enter the "ping " command at the cursor position.

    Result

    You get a positive response from the internal node.

    Note: In Windows, the default settings of the firewall may prevent ping commands from passing. You may have to enable the ICMP services of the "Request" and "Response" type.

  • 4 Appendix: Using TIA Online Functions


    4.1 Accessible devices

    "Accessible devices" means all devices that are connected to an interface of the PG/PC and switched on.

    To display the accessible devices on a single interface of the PG/PC, proceed as follows:

    1. Open the Project view of TIA Portal and in the project navigation, click the "Online access" folder.

    2. Click the arrow icon to the left of the interface to show all objects located below the interface.

    3. Double-click the "Update accessible devices" command below the interface.

    Result:

    All devices that can be accessed through this interface are displayed in the project navigation.

    Note: When a large number of devices are connected, updating may take some time. The status bar shows the progress of the update process.

    4.2 Assigning an IP address

    Requirement

    To assign an IP address to a device, you have to open the Online and Diagnostics view of the module using the "Update accessible devices" command (in the project navigation) (see Chapter 4.1 (Accessible devices)).

    Assigning an IP address

    To assign an IP address specified by you to the module, proceed as follows:

    1. Open the Online and Diagnostics view of the IO device.

    2. In the "Functions" folder, select the "Assign IP address" group.

    3. Enter the desired IP parameters.


    4. Click the "Assign IP address" button.

    Result: The IP address is permanently assigned to the Ethernet port of the module. It is also retained after startup or a power failure.

    4.3 TeleService functions

    Requirement

    To use the TeleService functions, you have to open the Online and Diagnostics view of the module using the "Update accessible devices" command (in the project navigation) (see Chapter 4.1 (Accessible devices)).

    Opening the Web interface

    To parameterize the TS Adapter IE Advanced from TIA Portal, proceed as follows:

    1. Open the "TS Adapter IE Advanced" folder in the list of devices.

    2. Double-click the "Assign TS Adapter Parameters" command. The assigned Web interface opens where you can parameterize the TS Adapter.

    3. Perform the "logon" for the Web interface.

    4. When you log on for the first time or after a reset to factory defaults, the login data is defined as follows:
       Name: Administrator
       Password: admin

    5 Appendix: Handling CA Certificates

    5.1 Deleting CA certificates

    To delete existing CA certificates, proceed as follows.

    1. Log on to the system as an administrator.

    2. Use Microsoft Management Console to open Windows Certificate Manager on your PG/PC.

    3. To do this, click "Start", enter mmc in the search box and press the ENTER key. The console opens.

    4. In the "File" menu, click "Add/Remove Snap-In". The snap-in selection dialog opens.

    5. In the "Snap-In" list, double-click "Certificates" and in the next dialog, select "Computer account".

    6. In the next dialog, select the "Local Computer" item and click "Finish" and "OK". The Console Root opens and displays the "Certificates (Local Computer)" folder.

    7. Open the displayed "Certificates (Local Computer)" folder and click "Trusted Root Certification Authorities".

    8. Open the "Certificates" folder, select the desired CA certificate and select "Delete" in the context menu.

    9. Confirm the following prompt with "Yes".

    Result: The selected CA certificate is deleted from the list of available certificates.

    5.2 Installing CA certificates

    To install a CA certificate, proceed as follows:

    1. Log on to the system as an administrator.

    2. Use Microsoft Management Console to open Windows Certificate Manager on your PG/PC.

    3. Click "Start", enter mmc in the search box and press the ENTER key. The console opens.

    4. In the "File" menu, click "Add/Remove Snap-In". The snap-in selection dialog opens.

    5. In the "Snap-In" list, double-click "Certificates" and in the next dialog, select "Computer account".

    6. In the next dialog, select the "Local Computer" item and click "Finish" and "OK". The Console Root opens and displays the "Certificates (Local Computer)" folder.

    7. Open the displayed "Certificates (Local Computer)" folder and click "Trusted Root Certification Authorities".

    8. Click the "Certificates" folder and use the context menu to select the "Action" > "All Tasks" > "Import" command.

    9. Read the information displayed in the "Certificate Import Wizard" dialog and click "Next".

    10. In the following dialog, click "Search", select the desired CA certificate and apply it with "Open".

    11. Double-click "Next" and then "Finish" to install the CA certificate.

    Result: The selected CA certificate is installed in the specified location in the Windows certificate store.
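
    The MMC procedures in 5.1 (deleting) and 5.2 (installing) can also be carried out from an elevated PowerShell session. The following is an added example, not part of the original Siemens document: it checks the certificate file's SHA-256 fingerprint against a value obtained out of band before adding it to the computer's Trusted Root store, and shows a certificate before removing it. The function names, file path and fingerprint values are assumptions and placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted counterpart to the MMC steps in 5.1 and 5.2.
# Assumptions (not from the original document): file path, fingerprint, function names.
$Store = 'Cert:\LocalMachine\Root'   # "Trusted Root Certification Authorities", computer account

function Get-CertSha256 {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { [System.BitConverter]::ToString($sha.ComputeHash($Cert.RawData)) -replace '-', '' }
    finally { $sha.Dispose() }
}

function Install-VerifiedCa {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$ExpectedSha256)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    # A root-store entry should be a CA certificate that is still valid.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not ($bc -and $bc.CertificateAuthority)) {
        Write-Warning "No CA basic constraint on '$($cert.Subject)'"
    }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
    # Compare against a fingerprint obtained out of band, ignoring ':' and spaces.
    $expected = ($ExpectedSha256 -replace '[:\s]', '').ToUpperInvariant()
    $actual   = Get-CertSha256 -Cert $cert
    if ($actual -ne $expected) { throw "Fingerprint mismatch: file has $actual" }
    # Same effect as the Certificate Import Wizard in 5.2; returns the stored certificate.
    Import-Certificate -FilePath $Path -CertStoreLocation $Store
}

function Remove-CaByThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $item = Get-ChildItem -Path $Store | Where-Object Thumbprint -eq $Thumbprint
    if (-not $item) { Write-Warning "No certificate $Thumbprint in $Store"; return }
    # Show what is about to be deleted before asking for confirmation.
    $item | Format-List Subject, Issuer, NotAfter, Thumbprint | Out-Host
    $item | Remove-Item -Confirm   # prompts, like the "Yes" confirmation in 5.1
}

# Usage with placeholder values:
# Install-VerifiedCa -Path 'C:\Temp\ca.cer' -ExpectedSha256 '<fingerprint obtained out of band>'
# Remove-CaByThumbprint -Thumbprint '<thumbprint shown by Install-VerifiedCa>'
```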

    6 History

    Table 6-1

    Version Date Modifications

    V1.0 09/2014 First version
