setting up vpn access for remote diagnostics support · microsoft point-to-point tunneling protocol...


S:\Engineering\Integration - Any\VPN Access\Setup Server for VPN Access to 3G IBC1.doc

3GIBC1 Page 1 9/16/2010

Setting up VPN Access for Remote Diagnostics Support

D. R. Joseph, Inc. supports both dial-up and Internet access for remote support of 3GIBC1 and LF-Sizer control systems. This document describes how to set up the remote site to allow a VPN client to log in and then route to the DRJ equipment. The following diagram shows the overall schematic of the connection.

The first step in the process is to set up the Remote VPN Host to accept a request from a VPN client to access the Remote IBC System. The steps for this process are generally known by IT personnel, but for convenience the basic steps follow and are based on the data found at this web site: http://technet.microsoft.com/en-us/library/cc736357(WS.10).aspx

Summary

Virtual Private Networks (VPNs) allow users working at home, on the road or at a branch office to connect in a secure manner to a remote corporate server using the public Internet. A VPN server or host is a computer that accepts VPN connections from VPN clients. A VPN server or host can be an NT/W2K server or W2K/XP Pro. A VPN client is a computer that initiates a VPN connection to a VPN server or host. A VPN client can be an individual computer running MS Windows NT version 4.0, Windows 2000, 9x. VPN clients can also be any non-Microsoft Point-to-Point Tunneling Protocol (PPTP) client or Layer Two Tunneling Protocol (L2TP) client using IPSec.

Network Design

The following items should be established prior to setting up the VPN and access permissions:

• VPN address: This is the static public IP address that is assigned to the Remote VPN Host. Remote clients will reference this IP address when attempting to establish a VPN connection.

• VPN protocol: PPTP

• VPN username: Decide on a user name for the remote VPN client.

• VPN password: Decide on a password for the remote VPN client.

• IBC static IP address: This is the IP address that matches the sub-net of the Remote Host’s Intranet. This should be a local IP address and NOT a public IP address. It must be static. The current setting in the IBC system is 10.10.226.100 (see steps 1-13 for setting this value).

• IBC gateway IP address: If there is no Intranet gateway, set this to 0.0.0.0, otherwise set to the gateway IP address (see steps 1-13 for setting this value).

• IBC subnet mask: in most cases, this will be a class C subnet of 255.255.255.0 (see steps 1-13 for setting this value).

• Touch Screen IP Address: This value must match the subnet of the IBC system. The current value is 10.10.226.160 (see steps 14-26 for setting this value).

• Ethernet Switch IP Address: This value must also match the subnet of the IBC system. The current value is 10.10.226.253 (see separate document for Ethernet Modem for setting this value).

• Remote Client IP Address: This value must match the IBC system subnet. The current value is 10.10.226.254 (see separate document: Integrating 3GIBC1 Ethernet Modem To Your Company Network for setting this value).
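
The addressing rules in the list above can be checked before anything is entered on the equipment. The following Python sketch is an added example, not part of the original D. R. Joseph document; the function name `check_plan` and its arguments are assumptions made for illustration, and the sample addresses are the current values listed above.

```python
import ipaddress

# RFC 1918 ranges: the IBC address must be local, never a public address.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_plan(mask, ibc, gateway, devices):
    """Return a list of problems found in an addressing plan (empty = OK).

    devices maps a device name to its IP address (touch screen, Ethernet
    switch, remote client). gateway is "0.0.0.0" when there is no gateway.
    Malformed device or gateway addresses raise ValueError.
    """
    try:
        # strict=False derives the subnet from a host address plus mask.
        net = ipaddress.IPv4Network(f"{ibc}/{mask}", strict=False)
    except ValueError as exc:
        return [f"invalid IBC address or subnet mask: {exc}"]

    problems = []
    ibc_ip = ipaddress.IPv4Address(ibc)
    if not any(ibc_ip in r for r in RFC1918):
        problems.append(f"IBC address {ibc} is not a private (RFC 1918) address")

    seen = {ibc_ip: "IBC"}
    hosts = dict(devices)
    if gateway != "0.0.0.0":
        hosts["gateway"] = gateway
    for name, addr in hosts.items():
        ip = ipaddress.IPv4Address(addr)
        if ip not in net:
            problems.append(f"{name} {addr} is outside the IBC subnet {net}")
        if ip in seen:
            problems.append(f"{name} {addr} duplicates the {seen[ip]} address")
        seen.setdefault(ip, name)
    for ip, name in seen.items():
        if ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name} {ip} is the network or broadcast address")
    return problems

# Values below are the "current" settings listed in this document.
PLAN = {"touch screen": "10.10.226.160",
        "Ethernet switch": "10.10.226.253",
        "remote client": "10.10.226.254"}

if __name__ == "__main__":
    result = check_plan("255.255.255.0", "10.10.226.100", "0.0.0.0", PLAN)
    print("\n".join(result) or "plan OK")
```
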

Basic VPN Requirement

On the Remote VPN Host machine, you will need to create a user account that the VPN client will use to log in.

• User Permission. Enable a user to access the VPN. To do this, go to ADD Users and Computers, select or create the user who needs to access the VPN, click Dial-in. Check Allow access on the Remote Access Permission (Dial-in or VPN).

• IP Configuration. The VPN server should have a static IP address and assign the arranged IP addresses to VPN clients. The VPN server must also be configured with DNS and WINS server addresses to assign to the VPN client during the connection.

• Data Encryption. Data carried on the public network should be rendered unreadable to unauthorized clients on the network.

• Protocol Support. TCP/IP is a common protocol used in the public network. The VPN also includes IP, Internetwork Packet Exchange (IPX), NetBEUI and so on.

• Firewall Ports. When you place a VPN server behind your firewall, be sure to enable IP protocol 47 (GRE) and TCP port 1723.

• Interface(s) for VPN server. If your network doesn't have a router or the VPN is also a gateway, your computer must have at least two interfaces, one connecting to the Internet and another connecting to the LAN. If it is behind a router, you just need one NIC.

• One interface for VPN client. The interface can be a dial-in modem, or a dedicated connection to the Internet.

• Security. See the diagram on the following page and let DRJ know what settings you selected:

IBC System Setup

Access Service Menus

Once the VPN access is set up, you will need to configure the IBC system for the static intranet IP address you assigned, along with the subnet and gateway (if any). To do this you will need to access the service menus.

Access Service:

1. From the main screen press the BACK button. The SYSTEM Selection screen will display.

2. Press the SERVICE button and the SERVICE ACCESS screen will display. Note: the SYSTEM SELECTION screen also shows the current IBC software revision, the job# and the valve size.

3. Press the Password button and enter the current service password. The factory default for the service password is 4095.

4. Press the ACCESS button to access the service menus.

5. The SERVICE MENU displays all the available parameter groups. Not all systems have the Cage Controller group shown here.

Configure Ethernet Settings

6. Select the EXPERT MODE button.

7. Enter the Expert Mode Password of 8747 then press the ENT key.

8. This symbol verifies you are in expert mode. If you get a red X then the password was entered incorrectly. Retry steps 6 and 7.

9. Press the COMMUNICATION CONFIGURATION button.

10. Select the ETHERNET CONFIG button. (Note: make a note of what the IP settings are before you change anything.)

11. You must enter the Level 2 security credentials to access the Ethernet settings. The User ID is ISIBC1. The password is 4095.

12. Set the IP address, Subnet and gateway as required. Port must be 502, Addr must be 12, Mstr TO must be 10, Slv TO 250. Press the OK button when you are sure the settings are correct.

13. If you are certain you have the correct settings, press the ACCEPT key.

Write these values down BEFORE pressing the ACCEPT button. You will not be able to get back to these settings if you forget the values.

Touch Screen will Stop Communicating at this point

14. After about 1 minute, you will see the following error message. If you want to see the full message, press the Window Button.

15. This is information only. Press the X button when you are done and then proceed to step 16.

Reconfiguring Touch Screen IP Settings

16. Touch the upper left corner THEN the lower right corner. Do not touch both positions at the same time.

Note: It does not matter which screen you are on.

17. Select the Offline mode button.

18. This is the system password screen. Press the box to enter the password.

19. Enter the password using the popup keypad. The password is 73226213. Press the ENT key when finished.

20. This is the main menu screen. Select the Main Unit button first.

21. You are now on the Main Unit menu. Select the Ethernet button.

Set Touch Screen IP Address and Subnet

22. At this point you must identify the Touch Screen IP address. It must be different from the IBC IP address you set in steps 12 and 13.

The Subnet Mask must match what you entered in step 12. Do not change the Port value. It must remain 8000. Press the Back key when finished with this step.

23. Now select the Peripheral button to tell the touch screen what the new IBC system IP address is.

24. Press in the area shown to select the current Modbus TCP Master driver.

25. You are now at the Peripheral Configuration Menu. Press on the Device button. DO NOT CHANGE ANY VALUES ON THIS SCREEN.

26. Touch the IP Address box and enter the new IP address you entered in step 12 for the IBC System. DO NOT CHANGE THE PORT No. or the UNIT ID! Press the Exit button when finished.

27. If you have completed all the steps, press the Yes button. The touch screen will automatically restart. If you did everything correctly, it will start communicating.

You can repeat the entire process if it is still not working.

Connecting the IBC System

The cable connection to the IBC system should be a CAT5 or CAT5e style cable. Whether a cross-over or straight cable is used depends on if the Remote Host is using a switch or a router. The cable should be a cross-over cable if a switch is used. It should be straight through if a router is used.

How to Build an Ethernet Crossover Cable

The crossover Ethernet cable is used when connecting two Ethernet devices without a router or managed switch between the devices. Use this diagram when building your own Ethernet cables.

• For more details, please visit www.wiringwizard.com, select CAT-5 in the column on the left.

Connect the Ethernet Cable to IBC or LF-Sizer

The Ethernet or LAN port is located near the bottom of the panel. There are four RJ45 connectors across the bottom of the main controller. The LAN port is the left most connector. The LAN cable should be connected to the Sixnet Managed Switch/Ethernet modem provided by D. R. Joseph, Inc.

Verify Link Level is Functioning

If the cable is configured properly, you will see the LINK LED turn on. It will stay on at all times. If the LINK LED is off, then recheck your cable configuration. On the Sixnet Ethernet Modem, only the Yellow LED will come on. This means the connection is a 10 MHz connection. For the company intranet, you will probably see both the green and yellow LEDs come on which indicates a 100 MHz connection.

One important note: If you are connecting a laptop directly to the IBC, you need the cross-over cable. If you use a straight through cable, you will still get the LINK LED. The LINK LED is not an indication of correct cable; it is only an indication that the hardware level is active.

Verify that Remote VPN Host Can Ping IBC

Use the Ping command to make sure you can ping the IBC system from the Remote VPN Host.

Contact DRJ and Provide Connection Details

Send an email to [email protected] with “VPN Connection Details for custname” in the subject. Custname is the name of the customer. Make sure you send the following:

1. Static IP Address of Remote VPN Host

2. User Name

3. Password

4. Static IP Address of IBC System

5. Contact name and phone number in case we have problems connecting.
