Page 5
Basic Configuration In this example we set the IP addresses of all three interfaces on the SCALANCE S623. This demonstrates the configuration steps that are reused in every following example...
Page 6
Basic Configuration 1. Setting up the network 2. Making IP settings for the PC 3. Creating a project and security module 4. Downloading the configuration to the security module...
Page 7
Basic Configuration 1. Setting up the network • Connecting the external interface of the Scalance to the ... • Scalance interfaces (figure legend): external network, red marking = unprotected network area; internal network, green marking = network protected by the Scalance; DMZ port, yellow marking = unprotected or protected network...
Page 8
Basic Configuration 2. Making IP settings for the PC
      IP address     Subnet mask
PC    192.168.10.2   255.255.255.0
• “Start” > “Control Panel” (opens Control Panel) • Open “Network and Sharing Center”...
Page 9
Basic Configuration 2. Making IP settings for the PC
      IP address     Subnet mask
PC    192.168.10.2   255.255.255.0
• Select “Change adapter settings” • Open the Local Area Connection Properties: double-click “Local Area Connection”, then click “Properties”...
Page 10
Basic Configuration 2. Making IP settings for the PC
      IP address     Subnet mask
PC    192.168.10.2   255.255.255.0
• Click the “Properties” button • Select “Use the following IP” • Enter the values from the table in the relevant boxes • Close the dialogs with “OK” and close Control Panel...
Page 11
Basic Configuration 3. Creating a project and security module • Start the Security Configuration Tool • Select the “Project” > “New...” menu command • Create a new user This user is assigned the “administrator” role • Confirm with “OK”...
Page 12
Basic Configuration 3. Creating a project and security module • In the “Product type”, “Module” and “Firmware release” areas, select the following options Product type: Scalance S Module: S623 Firmware release: V4...
Page 13
Basic Configuration 3. Creating a project and security module • In the “Configuration” area, enter the MAC address The MAC address is printed on the front of the SCALANCE...
Page 14
Basic Configuration 3. Creating a project and security module • In the “Configuration” area, enter the external IP address (192.168.10.1) and the external subnet mask (255.255.255.0) • From the drop-down list, select “Routing Mode” • Enter the internal IP address (192.168.9.1) and the internal subnet mask (255.255.255.0)...
Page 15
Basic Configuration 3. Creating a project and security module • Select the security module created and select the “Edit” > “Properties” menu command, “Interfaces” tab • Select the “Activate Interface” check box in the “DMZ port (X3)” area • Enter the IP address (192.168.8.1) and the subnet mask (255.255.255.0) for the DMZ interface...
Page 16
Basic Configuration 4. Downloading the configuration to the security module • Select the “Project” > “Save” menu command • Select the security module in the content area • Select the “Transfer” > “To module(s)…” menu command • Start the download with the “Start” button...
Page 17
Basic Configuration 4. Downloading the configuration to the security module • If the download completed successfully, the Scalance restarts automatically and the configuration is activated • The Scalance is now in productive operation • Configurations can be downloaded via all interfaces (including the unprotected external one)...
Page 18
Standard mode Firewall In this example, the firewall will be configured to allow IP traffic to only be initiated by the internal network...
Page 19
Standard mode Firewall 1. Setting up the network 2. Making IP settings for the PCs 3. Creating a project and security module 4. Configuring the firewall 5. Downloading the configuration to the security module 6. Testing the firewall function (ping test/logging)
Page 20
Standard mode Firewall 1. Setting up the network • Reset the Scalance to factory settings by pressing the Reset button and holding it down for at least 5 seconds • Connect the PC with the Security Configuration Tool (PC1) to the external network interface...
Page 21
Standard mode Firewall 2. Making IP settings for the PCs
      IP address     Subnet mask
PC1   192.168.10.2   255.255.255.0
PC2   192.168.10.3   255.255.255.0
• Set the IP addresses of the PCs as in the table above (in standard mode the module bridges the external and internal interfaces, so both PCs are in the same subnet)...
Page 22
Standard mode Firewall 3. Creating a project and security module • Create a new project • In the “Configuration” area enter the MAC address • Enter the external IP address (192.168.10.1) and the external subnet mask (255.255.255.0) • Confirm with “OK”...
Page 23
Standard mode Firewall 4. Configuring the firewall • Select the security module in the content area • Select the “Edit” > “Properties…” menu command • Select the “Firewall” tab in the displayed dialog • Activate the settings shown in the picture (the standard-mode rule that allows IP traffic from the internal to the external network; the module passes the replies back statefully) Result: IP traffic can only be initiated from the internal network...
Page 24
Standard mode Firewall 5. Downloading the configuration to the security module • Transfer the configuration to the security module...
Page 25
Standard mode Firewall 6. Testing the firewall function (ping test/logging) • Open the command prompt on PC2: “Start” > “All programs” > “Accessories” > “Command Prompt” • Enter the ping command from PC2 to PC1: “ping 192.168.10.2” • All packets reach PC1...
Page 26
Standard mode Firewall 6. Testing the firewall function (ping test/logging) • Open the command prompt on PC1 • Enter the ping command from PC1 to PC2 “ping 192.168.10.3” • All packets are blocked at Scalance...
Page 27
Standard mode Firewall 6. Testing the firewall function (ping test/logging) • In the SCT change to online mode by selecting the menu option “View” > “Online” • Select “Edit” > “View Diagnostics” • Select the “Packet filter log” tab...
Page 28
Standard mode Firewall 6. Testing the firewall function (ping test/logging) • Click the “Start reading” button • Acknowledge with “OK” • Log entries are read and displayed here...
Page 29
Advanced Firewall In this example, the firewall is configured to allow IP traffic from PC2 to PC1. The packets are forwarded to the outside with their source address translated to the IP address of the security module and a dynamically assigned port number (source NAPT). Only replies to these packets can enter the internal network...
Page 30
Advanced Firewall 1. Setting up the network 2. Making IP settings for the PCs 3. Creating a project and security module 4. Configuring the firewall 5. Downloading the configuration to the security module 6. Testing the firewall function (ping test/logging)
Page 31
Advanced Firewall 1. Setting up the network • Reset the Scalance to factory settings by pressing the Reset button and holding it down for at least 5 seconds • Connect the PC with the Security Configuration Tool (PC1) to the external network interface...
Page 32
Advanced Firewall 2. Making IP settings for the PCs
      IP address     Subnet mask     Default gateway
PC1   192.168.10.2   255.255.255.0   192.168.10.1
PC2   192.168.9.2    255.255.255.0   192.168.9.1
• Set the IP addresses of the PCs as in the table above...
Page 33
Advanced Firewall 3. Creating a project and security module • Create a new project • In the “Configuration” area enter the MAC address • Enter the external IP address (192.168.10.1) and the external subnet mask (255.255.255.0) • Select the “Routing mode”...
Page 34
Advanced Firewall 4. Configuring the firewall • Change the configuration view to advanced mode with the menu command “View” > “Advanced Mode” • Select the module in the content area • Select the “Edit” > “Properties…” menu command • Go to the “NAT/NAPT” tab...
Page 35
Advanced Firewall 4. Configuring the firewall • Select the “Activate NAT” checkbox • Click the “Add” button in the “NAT” input area • Configure the NAT rule with the following parameters Action: “Source NAT” From: “Internal” To: “External” Source IP address: “*” Source translation: “192.168.10.1” (the external IP address of the module)...
Page 36
Advanced Firewall 4. Configuring the firewall • Select the “Firewall” tab • Extend the firewall rule that SCT created automatically for the NAT rule with the following: Destination IP address: 192.168.10.2 (so that only PC1 is reachable from the internal network) • Select the “Logging” check box • Confirm with “OK”...
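To make the two firewall behaviours on this page concrete (standard mode on page 18: IP traffic may only be initiated from the internal network and replies are passed back statefully; advanced mode on page 29: outgoing packets are additionally rewritten to the module's external address with a dynamically assigned port, and only matching replies get in), here is a small model of that logic. It is an added illustration written for this page, not SCALANCE firmware or SCT code. The addresses are the lab values from the page; the port pool start, the class and function names and the use of a port field as the ICMP echo identifier are assumptions made for the example.

```python
"""Toy model of a stateful, interface-based packet filter with optional
source NAPT, mirroring the behaviour described on pages 18 and 29."""
from dataclasses import dataclass

EXTERNAL_IP = "192.168.10.1"   # external interface of the module (page value)
NAPT_PORT_BASE = 40000         # assumed start of the dynamic port pool


@dataclass(frozen=True)
class Packet:
    # For ICMP echo, read src_port/dst_port as the echo identifier (assumption).
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SecurityModule:
    def __init__(self, napt=False):
        self.napt = napt
        self.expected_replies = set()  # 4-tuples a packet from outside must match
        self.napt_table = {}           # external port -> (internal ip, internal port)
        self.reverse_napt = {}         # (internal ip, internal port) -> external port
        self.next_port = NAPT_PORT_BASE
        self.log = []                  # what the packet filter log would show

    def forward(self, pkt, ingress):
        """Filter a packet arriving on the 'internal' or 'external' interface.

        Returns the packet as it leaves the module (translated when NAPT is on)
        or None when the module drops it.
        """
        if ingress == "internal":
            out = self._translate_out(pkt) if self.napt else pkt
            # Remember the one reply we are willing to accept for this flow.
            self.expected_replies.add((out.dst_ip, out.dst_port, out.src_ip, out.src_port))
            self.log.append(("PASS", ingress, pkt))
            return out
        if ingress != "external":
            raise ValueError("unknown interface " + ingress)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.expected_replies:
            # Externally initiated traffic has no state entry: blocked and logged.
            self.log.append(("DROP", ingress, pkt))
            return None
        self.log.append(("PASS", ingress, pkt))
        return self._translate_in(pkt) if self.napt else pkt

    def _translate_out(self, pkt):
        """Source NAPT: rewrite to EXTERNAL_IP and a per-flow dynamic port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.reverse_napt:
            self.reverse_napt[key] = self.next_port
            self.napt_table[self.next_port] = key
            self.next_port += 1
        return Packet(EXTERNAL_IP, self.reverse_napt[key], pkt.dst_ip, pkt.dst_port)

    def _translate_in(self, pkt):
        """Undo the translation for a reply that matched the state table."""
        int_ip, int_port = self.napt_table[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)


def standard_mode_demo():
    """Pages 25/26: PC2 (internal) -> PC1 passes and is answered; PC1 -> PC2 is blocked."""
    fw = SecurityModule(napt=False)
    req = fw.forward(Packet("192.168.10.3", 1, "192.168.10.2", 0), "internal")
    rep = fw.forward(Packet("192.168.10.2", 0, "192.168.10.3", 1), "external")
    blocked = fw.forward(Packet("192.168.10.2", 2, "192.168.10.3", 0), "external")
    return req, rep, blocked


def napt_demo():
    """Page 38: PC2 (192.168.9.2) reaches PC1, which only ever sees 192.168.10.1."""
    fw = SecurityModule(napt=True)
    out = fw.forward(Packet("192.168.9.2", 5000, "192.168.10.2", 80), "internal")
    back = fw.forward(Packet(out.dst_ip, out.dst_port, out.src_ip, out.src_port), "external")
    unsolicited = fw.forward(Packet("192.168.10.2", 80, EXTERNAL_IP, out.src_port + 1), "external")
    direct = fw.forward(Packet("192.168.10.2", 80, "192.168.9.2", 5000), "external")
    return out, back, unsolicited, direct


if __name__ == "__main__":
    print("standard mode:", standard_mode_demo())
    print("source NAPT:  ", napt_demo())
```

The point of the model is the state table: nothing arriving on the external interface is forwarded unless an internal host already sent the matching request, and with NAPT the only externally visible address and port are the module's own, so an outside host cannot even name an internal address that the module would accept.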
Page 37
Advanced Firewall 5. Downloading the configuration to the security module • Transfer the configuration to the security module...
Page 38
Advanced Firewall 6. Testing the firewall function (ping test/logging) • Open the command prompt on PC2 • Enter the ping command from PC2 to PC1 “ping 192.168.10.2” • All packets reach PC1...
Page 39
Advanced Firewall 6. Testing the firewall function (ping test/logging) • Change to online mode in the SCT with the “View” > “Online” menu command • Select the module in the content area and the menu command “Edit” > “Online diagnostics”...
Page 40
Advanced Firewall 6. Testing the firewall function (ping test/logging) • Click “Start reading…” • Confirm the dialog with “OK”...
Page 41
User Management In this example, only a specific user is allowed to access PC2 in the internal network from PC1 in the external network. For other users, access is blocked...
Page 42
User Management 1. Setting up the network 2. Making IP settings for the PCs 3. Creating a project and security module 4. Creating remote access users 5. Setting and assigning a user-specific IP rule set 6. Downloading the configuration to the security module 7.
Page 43
User Management 1. Setting up the network • Reset the Scalance to factory settings by pressing the Reset button and holding it down for at least 5 seconds • Connect the PC with the Security Configuration Tool (PC1) to the external network interface...
Page 44
User Management 2. Making IP settings for the PCs
      IP address     Subnet mask     Default gateway
PC1   192.168.10.2   255.255.255.0   192.168.10.1
PC2   192.168.9.2    255.255.255.0   192.168.9.1
• Set the IP addresses of the PCs as in the table above...
Page 45
User Management 3. Creating a project and security module • Create a new project • In the “Configuration” area enter the MAC address • Enter the external IP address (192.168.10.1) and the external subnet mask (255.255.255.0) • Select the “Routing mode”...
Page 46
User Management 4. Creating remote access users • Select the “Options” > “User management…” menu command • Click the “Add…” button in the “User” tab • Create a new user with the settings in the figure • Confirm with “OK”...
Page 47
User Management 5. Setting and assigning a user-specific IP rule set • Change the configuration to advanced mode via “View” > “Advanced Mode” • Select the “User-specific IP rule sets” object in the navigation panel • Select the “Add rule set…” entry in the shortcut menu...
Page 48
User Management 5. Setting and assigning a user-specific IP rule set • Enter a rule in the dialog as shown below • From the “Available users and roles” list, select the “Remote (user)” entry and click the “Assign” button • Confirm with “OK”...
Page 49
User Management 5. Setting and assigning a user-specific IP rule set • Select the security module in the navigation panel and drag it to the newly created user-specific IP rule set • The assignment can be checked by opening the module properties and selecting the “Firewall”...
Page 50
User Management 5. Setting and assigning a user-specific IP rule set...
Page 51
User Management 5. Setting and assigning a user-specific IP rule set • “Expand rule set” shows the user-specific rule in detail...
Page 52
User Management 6. Downloading the configuration to the security module • Transfer the configuration to the security module...
Page 53
User Management 7. Logging in on the Web page • In the Web browser of PC1, enter the address “https://192.168.10.1”...
Page 54
User Management 7. Logging in on the Web page • If the web page does not show the login fields, try changing the language in the upper right corner...
Page 55
User Management 7. Logging in on the Web page • Enter the user name “Remote” and corresponding password and click the “Log in” button...
Page 56
User Management 7. Logging in on the Web page • The defined IP rule set is enabled for the “Remote” user.
Page 57
User Management 8. Testing the firewall function (ping test) • Open the command prompt on PC1 • Enter the ping command from PC1 to PC2 “ping 192.168.9.2” • All packets reach PC2...
Page 58
Advanced User Management (figure: internal network, external network, DMZ network with RADIUS server) In this example, a RADIUS server is set up to manage user accounts. Only users that can authenticate to the RADIUS server can access the internal network from the external network...
Page 59
Advanced User Management 1. Setting up the network 2. Making IP settings for the PCs 3. Creating a project and security module 4. Setting up the RADIUS server 5. Configuring the firewall 6. Linking the RADIUS server and security module 7.
Page 60
Advanced User Management 1. Setting up the network • Reset the Scalance to factory settings by pressing the Reset button and holding it down for at least 5 seconds • Connect the PC with the Security Configuration Tool (PC1) to the external network interface...
Page 61
Advanced User Management 2. Making IP settings for the PCs
         IP address     Subnet mask     Default gateway
PC1      192.168.10.2   255.255.255.0   192.168.10.1
PC2      192.168.9.2    255.255.255.0   192.168.9.1
RADIUS   192.168.8.2    255.255.255.0   192.168.8.1
• Set the IP addresses of the PCs as in the table above • The IP address of the Linux PC is preset to the correct value...
Page 62
Advanced User Management 3. Creating a project and security module • Create a new project • In the “Configuration” area enter the MAC address • Enter the external IP address (192.168.10.1) and the external subnet mask (255.255.255.0) • Select the “Routing mode”...
Page 63
Advanced User Management 3. Creating a project and security module • Select the security module created and select the “Edit” > “Properties” menu command, “Interfaces” tab • Select the “Activate Interface” check box in the “DMZ port (X3)” area • Enter the IP address (192.168.8.1) and the subnet mask (255.255.255.0) for the DMZ interface...
Page 64
Advanced User Management 4. Setting up the RADIUS server • On the Linux PC open the Web browser and go to “http://freeradius.org/download.html” • Download version 3.0.9 of the RADIUS server • Open the Terminal (open the Dash and type “terminal”)...
Page 65
Advanced User Management 4. Setting up the RADIUS server • Go to the “Downloads” folder (“cd Downloads”) • Unpack the RADIUS server (“tar zxvf freeradius-server-3.0.9.tar.gz”) • Enter the newly created folder (“cd freeradius-server-3.0.9”)
Page 66
Advanced User Management 4. Setting up the RADIUS server • Install the server with the following commands “./configure” “make” “sudo make install” The password is...
Page 67
Advanced User Management 4. Setting up the RADIUS server • The next step is to configure the clients of the server • Open the file explorer with “gksudo nautilus” Enter the sudo password in the following prompt • Using Nautilus browse to “Computer” >...
Page 68
Advanced User Management 4. Setting up the RADIUS server • Open “clients.conf” and add a new client as in the image • Save and close the window • Open “users” and add the following users • Save and close the window...
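The two screenshots referred to above are not reproduced here, so the following is an added example of what the clients.conf and users entries for this lab would contain; it is written for this page and is not Siemens' or the FreeRADIUS project's text. It assumes the source build's default install prefix (/usr/local, so the files are under /usr/local/etc/raddb/), the module's DMZ address and the shared secret from the later "Linking the RADIUS server" step, and placeholder passwords, since the page does not give them.

```conf
# ---- /usr/local/etc/raddb/clients.conf: the SCALANCE S module as a RADIUS client ----
# (path assumed from the default source-build prefix; adjust to your install)
client scalance_s623 {
    ipaddr    = 192.168.8.1      # DMZ address of the module; requests arrive from here
    secret    = SiemensSecret    # must match the "Shared secret" entered in the SCT
    shortname = scalance
}

# ---- /usr/local/etc/raddb/users: the accounts used on the later login pages ----
# Passwords are placeholders chosen for this example; set your own.
radius    Cleartext-Password := "lab-password-1"

radius2   Cleartext-Password := "lab-password-2"
# radius2 is not defined on the module itself, so the module has to learn the
# role name ("radius") from the server's reply. Which reply attribute SCALANCE S
# reads it from is not shown on this page (assumption: check the module manual
# and mirror what the page's screenshot showed before relying on it).
```

Before linking the module, check the configuration with "sudo radiusd -XC" and test a local login with "radtest radius lab-password-1 127.0.0.1 0 testing123" (the localhost client with secret testing123 is part of the default clients.conf shipped with the server). Run with "-X" in the lab only: debug mode prints every request in full and is not meant for a server left running in the DMZ.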
Page 69
Advanced User Management 4. Setting up the RADIUS server • With the server installed and configured, run “sudo radiusd -X” to start the server in debug mode • If this error shows up, check the OpenSSL version with “openssl version -a” This command should show the following date: ‘built on: Thu Jun 11’...
Page 70
Advanced User Management 4. Setting up the RADIUS server • If this date is not shown, update the library with the following commands: “sudo apt-get update” “sudo apt-get upgrade” • Once OpenSSL is up to date, open “radiusd.conf” and set the “allow_vulnerable_openssl” parameter (security section) to yes. This parameter only disables the server's refusal to start when the OpenSSL version string matches a release with known critical vulnerabilities; it does not fix anything, so set it only after confirming the installed package is patched...
Page 71
Advanced User Management 5. Configuring the firewall • Enter “Advanced mode” in the Security Configuration Tool • Use the menu command “Options” > “User Management“ • Create a new user with the following settings • Confirm with “OK”...
Page 72
Advanced User Management 5. Configuring the firewall • Select the “User-specific IP rule sets” in the navigation window • Select the “Add rule set…” option in the shortcut menu...
Page 73
Advanced User Management 5. Configuring the firewall • Enter a rule in the dialog as shown below...
Page 74
Advanced User Management 5. Configuring the firewall • From the “Available users and roles” list, select the “radius (user)” entry and click the “Assign” button, then select the “radius (role)” entry and click “Assign” • Confirm with “OK”...
Page 75
Advanced User Management 5. Configuring the firewall • Select the security module in the navigation panel and drag it to the newly created user-specific IP rule set • The assignment can be checked by opening the module properties and selecting the “Firewall” tab...
Page 76
Advanced User Management 6. Linking the RADIUS server and security module • Select the menu option “Options” > “Configuration of the RADIUS server…” • Click the “Add…” button in the dialog...
Page 77
Advanced User Management 6. Linking the RADIUS server and security module • Define the server with the following values IP address/FQDN: 192.168.8.2 Shared secret: SiemensSecret Repeat shared secret: SiemensSecret (the secret must match the client entry on the RADIUS server; outside the lab use a long random value, since it is all that protects the RADIUS exchange on the DMZ link) • Confirm with “OK”...
Page 78
Advanced User Management 6. Linking the RADIUS server and security module • Open the SCALANCE S module properties and go to the “RADIUS” tab • Check the “Enable RADIUS authentication” box • Click the “Add” button This adds the newly configured RADIUS server...
Page 79
Advanced User Management 6. Linking the RADIUS server and security module • In the “RADIUS setting” area, check the “Allow RADIUS authentication of non-configured users” box (with this set, any account the RADIUS server accepts can log in, so the module's access control is only as strict as the server's user database) • Confirm with “OK”...
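What the shared secret entered above actually protects becomes clear from the packet exchange the module performs once it is linked to the server at 192.168.8.2. The following is an added illustration of that exchange (RFC 2865, PAP) in plain Python; it is not Siemens or FreeRADIUS code, and the user name, password and NAS address are lab values or assumptions. It shows that the User-Password attribute is only XOR-masked with MD5(secret || authenticator), so anyone on the DMZ link who knows the secret can read the password back, and that an Access-Accept is only trustworthy if its Response Authenticator verifies under the same secret.

```python
"""RADIUS Access-Request / Access-Accept exchange with PAP, as in RFC 2865."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

SERVER_IP = "192.168.8.2"      # RADIUS server address from the dialog on this page
NAS_IP = "192.168.8.1"         # DMZ address of the module (page value)
SECRET = b"SiemensSecret"      # lab value from the page; use a long random one in production


def mask_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += c
        prev = c
    return out


def unmask_password(cipher, secret, authenticator):
    """The inverse, as the server (or anyone holding the secret) computes it."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(cipher[i:i + 16], block))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type, value):
    """Attribute-value pair: Type, Length (incl. header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_avps(data):
    attrs = {}
    while data:
        attr_type, length = struct.unpack("!BB", data[:2])
        if length < 2:
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[2:length]
        data = data[length:]
    return attrs


def build_access_request(identifier, username, password, secret=SECRET,
                         nas_ip=NAS_IP, authenticator=None):
    """Client (module) side: Code 1, random 16-byte Request Authenticator, AVPs."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = (avp(USER_NAME, username.encode())
             + avp(USER_PASSWORD, mask_password(password.encode(), secret, ra))
             + avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def build_response(code, request, attrs=b"", secret=SECRET):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    identifier, request_auth = request[1], request[4:20]
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def response_is_authentic(response, request, secret=SECRET):
    """Client side: recompute the authenticator before trusting an Access-Accept."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected


if __name__ == "__main__":
    req = build_access_request(7, "radius", "lab-password")
    attrs = parse_avps(req[20:])
    print("server recovers:", attrs[USER_NAME], unmask_password(attrs[USER_PASSWORD], SECRET, req[4:20]))
    print("genuine accept verifies:", response_is_authentic(build_response(ACCESS_ACCEPT, req), req))
    print("forged accept verifies: ", response_is_authentic(build_response(ACCESS_ACCEPT, req, secret=b"wrong"), req))
```

Two practical consequences follow for the setup on this page: the RADIUS traffic stays confined to the DMZ segment between the module and the server, which is the reason the server sits on the DMZ port rather than on the external network, and the secret must be unguessable, because MD5 over a short secret and a captured authenticator is cheap to brute-force and a guessed secret lets an attacker both read passwords and forge Access-Accepts.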
Page 80
Advanced User Management 7. Downloading the configuration to the security module • Transfer the configuration to the SCALANCE S module...
Page 81
Advanced User Management 8. Logging in on the Web page • In the Web browser of PC1, enter the address “https://192.168.10.1”...
Page 82
Advanced User Management 8. Logging in on the Web page • If the web page does not show the login fields, try changing the language in the upper right corner...
Page 83
Advanced User Management 8. Logging in on the Web page • Enter the user name “radius” and corresponding password and click the “Log in” button...
Page 84
Advanced User Management 8. Logging in on the Web page • The defined IP rule set is enabled for the “radius” user.
Page 85
Advanced User Management 8. Logging in on the Web page • Now click the “Log out” button • Enter the user name “radius2” and corresponding password and click the “Log in” button...
Page 86
Advanced User Management 8. Logging in on the Web page • The defined IP rule set for the “radius” role is enabled Users that are not defined on the module can log in...
Page 87
Advanced User Management 9. Testing the firewall function (ping test) • Open the command prompt on PC1 • Enter the ping command from PC1 to PC2 “ping 192.168.9.2” • All packets reach PC2...
Page 88
VPN with Preshared Key In this example, a VPN tunnel is configured between a security module and the SOFTNET Security Client. With this configuration, IP traffic is possible only over the established VPN tunnel connection between the two authorized partners...
Page 89
VPN with Preshared Key 1. Setting up the network 2. Making IP settings for the PCs 3. Creating a project and security module 4. Configuring a VPN group 5. Downloading the configuration to the security module and saving the SOFTNET Security Client configuration 6.
Page 90
VPN with Preshared Key 1. Setting up the network • Reset the Scalance to factory settings by pressing the Reset button and holding it down for at least 5 seconds • Connect the switch to the external network interface • Connect the PC with the Security Configuration Tool (PC1) and the PC with the SOFTNET Security Client (PC2) to the switch...
Page 91
VPN with Preshared Key 2. Making IP settings for the PCs
      IP address     Subnet mask     Default gateway
PC1   192.168.10.2   255.255.255.0   192.168.10.1
PC2   192.168.10.3   255.255.255.0   192.168.10.1
PC3   192.168.9.2    255.255.255.0   192.168.9.1
• Set the IP addresses of the PCs as in the table above...
Page 92
VPN with Preshared Key 3. Creating a project and security module • Create a new project • In the “Configuration” area enter the MAC address • Enter the external IP address (192.168.10.1) and the external subnet mask (255.255.255.0) • Select the “Routing mode”...
Page 93
VPN with Preshared Key 3. Creating a project and security module • Use the “Insert” > “Module” menu command with the following parameters Product type: SOFTNET configuration Module: SOFTNET Security Client Firmware release: V4 • Confirm with “OK”...
Page 94
VPN with Preshared Key 4. Configuring a VPN group • Select “VPN groups” in the navigation • Select the “Insert” > “Group” menu command • In the navigation panel, click the “All modules” entry • Drag the Scalance S Module to the VPN group “Group1” in the navigation panel The module is now assigned to the VPN group The color of the key symbol changes to blue...
Page 95
VPN with Preshared Key 4. Configuring a VPN group • Drag the SOFTNET Security Client module to the VPN group “Group1” in the navigation panel The module is now assigned to the VPN group The color of the key symbol changes to blue...
Page 96
VPN with Preshared Key 4. Configuring a VPN group • Select the VPN group “Group1” in the navigation window and select the menu command “Edit” > “Properties” • Select the “Preshared key” option in the “Authentication method” area • Confirm with “OK”...
Page 97
VPN with Preshared Key 5. Downloading the configuration to the security module and saving the SOFTNET Security Client configuration • Save the project • Use the menu command “Transfer” > “To all modules…” • Start the download with the “Start” button...
Page 98
VPN with Preshared Key 5. Downloading the configuration to the security module and saving the SOFTNET Security Client configuration • Save the configuration file “projectname.Module2.dat” in your project folder • Confirm the popup with “OK”...
Page 99
VPN with Preshared Key 6. Setting up a tunnel with the SOFTNET Security Client • Open the SOFTNET Security Client on PC2 • Select “Load Configuration” and browse to where “projectname.Module2.dat” has been saved • Open the configuration with the “Open” button...
Page 100
VPN with Preshared Key 6. Setting up a tunnel with the SOFTNET Security Client • Loading a new configuration will delete any previous configurations • When the dialog above pops up, select “deleted” and confirm with “Next”...
Page 101
VPN with Preshared Key 6. Setting up a tunnel with the SOFTNET Security Client • The VPN tunnel can now be opened by clicking the “Enable” button...
Page 102
VPN with Preshared Key 6. Setting up a tunnel with the SOFTNET Security Client • “Tunnel Overview” shows the status of the tunnel • The green circle shows that the tunnel has been established...
Page 103
VPN with Preshared Key 6. Setting up a tunnel with the SOFTNET Security Client • If the tunnel is not set up, check whether the Windows Firewall is enabled; the SOFTNET Security Client needs it to be on • Open “Control Panel” > “Windows Firewall” • If the firewall is not enabled, click “Turn Windows Firewall on or off”...
Page 104
VPN with Preshared Key 6. Setting up a tunnel with the SOFTNET Security Client • In the Logging Console, the sequence of executed connection attempts is displayed • The SCALANCE S module and the SOFTNET Security Client have established a communication tunnel...
Page 105
VPN with Preshared Key 7. Test the tunnel function • Open the command prompt on PC2 • Enter the ping command from PC2 to PC3 “ping 192.168.9.2” • All packets reach PC3 through the tunnel...
Page 106
VPN with Preshared Key 7. Test the tunnel function • Open the command prompt on PC1 • Enter the ping command from PC1 to PC3 “ping 192.168.9.2” • The packets cannot reach PC3 since there is no tunnel communication between these two devices...
Page 107
VPN with Certificates In this example, a VPN tunnel is configured between a security module and the SOFTNET Security Client The endpoints authenticate using certificates...
Page 108
VPN with Certificates 1. Setting up the network 2. Making IP settings for the PCs 3. Creating a project and security module 4. Configuring a VPN group 5. Downloading the configuration to the security module and saving the SOFTNET Security Client configuration 6.
Page 109
VPN with Certificates 1. Setting up the network • Reset the Scalance to factory settings by pressing the Reset button and holding it down for at least 5 seconds • Connect the switch to the external network interface • Connect the PC with the Security Configuration Tool (PC1) and the PC with the SOFTNET Security Client (PC2) to the switch...
Page 110
VPN with Certificates 2. Making IP settings for the PCs
      IP address     Subnet mask     Default gateway
PC1   192.168.10.2   255.255.255.0   192.168.10.1
PC2   192.168.10.3   255.255.255.0   192.168.10.1
PC3   192.168.9.2    255.255.255.0   192.168.9.1
• Set the IP addresses of the PCs as in the table above...
Page 111
VPN with Certificates 3. Creating a project and security module • Create a new project • In the “Configuration” area enter the MAC address • Enter the external IP address (192.168.10.1) and the external subnet mask (255.255.255.0) • Select the “Routing mode”...
Page 112
VPN with Certificates 3. Creating a project and security module • Use the “Insert” > “Module” menu command with the following parameters Product type: SOFTNET configuration Module: SOFTNET Security Client Firmware release: V4 • Confirm with “OK”...
Page 113
VPN with Certificates 4. Configuring a VPN group • Select “VPN groups” in the navigation • Select the “Insert” > “Group” menu command • In the navigation panel, click the “All modules” entry • Drag the Scalance S Module to the VPN group “Group1” in the navigation panel The module is now assigned to the VPN group The color of the key symbol changes to blue...
Page 114
VPN with Certificates 4. Configuring a VPN group • Drag the SOFTNET Security Client module to the VPN group “Group1” in the navigation panel The module is now assigned to the VPN group The color of the key symbol changes to blue...
Page 115
VPN with Certificates 4. Configuring a VPN group • Select the VPN group “Group1” in the navigation window and select the menu command “Edit” > “Properties” • Select the “Certificate” option in the “Authentication method” area • Confirm with “OK”...
Page 116
VPN with Certificates 5. Downloading the configuration to the security module and saving the SOFTNET Security Client configuration • Save the project • Use the menu command “Transfer” > “To all modules…” • Start the download with the “Start” button...
Page 117
VPN with Certificates 5. Downloading the configuration to the security module and saving the SOFTNET Security Client configuration • Save the configuration file “projectname.Module2.dat” in your project folder • Assign a password to the certificate • Confirm the popup with “OK”...
Page 118
VPN with Certificates 6. Setting up a tunnel with the SOFTNET Security Client • Open the SOFTNET Security Client on PC2 • Select “Load Configuration” and browse to where “projectname.Module2.dat” has been saved • Open the configuration with the “Open” button...
Page 119
VPN with Certificates 6. Setting up a tunnel with the SOFTNET Security Client • Loading a new configuration will delete any previous configurations • When the dialog above pops up, select “deleted” and confirm with “Next”...
Page 120
VPN with Certificates 6. Setting up a tunnel with the SOFTNET Security Client • The VPN tunnel can now be opened by clicking the “Enable” button • Enter the certificate password in the dialog...
Page 121
VPN with Certificates 6. Setting up a tunnel with the SOFTNET Security Client • “Tunnel Overview” shows the status of the tunnel • The green circle shows that the tunnel has been established...
Page 122
VPN with Certificates 6. Setting up a tunnel with the SOFTNET Security Client • If the tunnel is not set up, check whether the Windows Firewall is enabled; the SOFTNET Security Client needs it to be on • Open “Control Panel” > “Windows Firewall” • If the firewall is not enabled, click “Turn Windows Firewall on or off”...
Page 123
VPN with Certificates 6. Setting up a tunnel with the SOFTNET Security Client • In the Logging Console, the sequence of executed connection attempts is displayed • The SCALANCE S module and the SOFTNET Security Client have established a communication tunnel...
Page 124
VPN with Certificates 7. Test the tunnel function • Open the command prompt on PC2 • Enter the ping command from PC2 to PC3 “ping 192.168.9.2” • All packets reach PC3 through the tunnel...
Page 125
VPN with Certificates 7. Test the tunnel function • Open the command prompt on PC1 • Enter the ping command from PC1 to PC3 “ping 192.168.9.2” • The packets cannot reach PC3 since there is no tunnel between these two devices...
Page 126
Gateway-to-Gateway with VPN In this example, a VPN tunnel is set up between two security modules With this configuration, IP traffic is possible only over the established tunnel connections with authorized partners...
Page 127
Gateway-to-Gateway with VPN 1. Setting up the network 2. Making IP settings for the PCs 3. Creating a project and security module 4. Configuring a VPN group 5. Downloading the configuration to the security module 6. Testing the tunnel function (ping test)
Page 128
Gateway-to-Gateway with VPN 1. Setting up the network • Connect the PC with the Security Configuration Tool (PC1) to the switch • Connect both SCALANCE S modules to the switch through their external interface • Connect PC2 and PC3 each to the internal interface of one of the two SCALANCE S modules...
Page 129
Gateway-to-Gateway with VPN 2. Making IP settings for the PCs
      IP address     Subnet mask
PC1   192.168.10.2   255.255.0.0
PC2   192.168.10.3   255.255.0.0
PC3   192.168.10.4   255.255.0.0
• Set the IP addresses of the PCs as in the table above...
Page 130
Gateway-to-Gateway with VPN 3. Creating a project and security module • Create a new project • In the “Configuration” area enter the MAC address • Enter the external IP address (192.168.10.201) and the external subnet mask (255.255.0.0) • Confirm with “OK”...
Page 131
Gateway-to-Gateway with VPN 3. Creating a project and security module • Select the menu command “Insert” > “Module” • Select the same options as for the previous module but with the following address parameters MAC address: MAC address of the second module IP address (ext): 192.168.10.202 Subnet mask (ext): 255.255.0.0...
Page 132
Gateway-to-Gateway with VPN 4. Configuring a VPN group • Select “VPN groups” in the navigation • Select the “Insert” > “Group” menu command • In the navigation panel, click the “All modules” entry • Drag the SCALANCE S Module to the VPN group “Group1”...
Page 133
Gateway-to-Gateway with VPN 4. Configuring a VPN group • Drag the second SCALANCE S module to the VPN group “Group1” in the navigation panel The module is now assigned to the VPN group The color of the key symbol changes to blue...
Page 134
Gateway-to-Gateway with VPN 5. Downloading the configuration to the security module • Save the project • Use the menu command “Transfer” > “To all modules…” • Start the download with the “Start” button...
Page 135
Gateway-to-Gateway with VPN 6. Testing the tunnel function (ping test) • Open the command prompt on PC2 • Enter the ping command from PC2 to PC3 “ping 192.168.10.4” • All packets reach PC3 through the tunnel...
Page 136
Gateway-to-Gateway with VPN 6. Testing the tunnel function (ping test) • Open the command prompt on PC1 • Enter the ping command from PC1 to PC3 “ping 192.168.10.4” • The packets cannot reach PC3 since there is no tunnel communication between these two devices...
Page 137
VPN with User Authentication (figure: PC1 with SOFTNET Security Client, security module, RADIUS server) In this example, a VPN tunnel is established between a PC and a security module using the SOFTNET Security Client. The firewall is configured so that access from PC1 in the external network to PC2 in the internal network is possible only for a specific user, who must log in at the RADIUS server...
Page 138
VPN with User Authentication 1. Setting up the network 2. Making IP settings for the PCs 3. Creating a project and security module 4. Configuring a RADIUS server 5. Configuring the firewall 6. Linking the RADIUS server and security module 7.
Page 139
VPN with User Authentication 1. Setting up the network • Reset the Scalance to factory settings by pressing the Reset button and holding it down for at least 5 seconds • Connect the PC with the Security Configuration Tool (PC1) to the external network interface •...
Page 140
VPN with User Authentication 2. Making IP settings for the PCs
        IP address     Subnet mask     Default Gateway
PC1     192.168.10.2   255.255.255.0   192.168.10.1
PC2     192.168.9.2    255.255.255.0   192.168.9.1
RADIUS  192.168.8.2    255.255.255.0   192.168.8.1
• Set the IP addresses of the PCs as in the table above •
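As a check on the address plan in this step, the following Python script is an added example (not part of the Siemens training material) that verifies each host's default gateway lies inside the host's own subnet and that the external, internal and DMZ segments do not overlap, which routing mode requires. The host table is transcribed from the slide; the function names are the example's own.

```python
"""Consistency check for the address plan in step 2.

Added example, not part of the Siemens training material. The three rows are
transcribed from the slide's table (PC1, PC2 and the RADIUS server); the
default gateways are the SCALANCE interfaces the slides configure.
"""
import ipaddress

# Host table from the slide: name -> (IP address, subnet mask, default gateway)
HOSTS = {
    "PC1": ("192.168.10.2", "255.255.255.0", "192.168.10.1"),   # external side
    "PC2": ("192.168.9.2", "255.255.255.0", "192.168.9.1"),     # internal side
    "RADIUS": ("192.168.8.2", "255.255.255.0", "192.168.8.1"),  # DMZ port X3
}


def check_host(ip, mask, gateway):
    """Return the problems found for one host entry (an empty list means OK)."""
    problems = []
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    net = iface.network
    gw = ipaddress.IPv4Address(gateway)
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net}")
    elif gw == iface.ip:
        problems.append(f"gateway {gw} equals the host address")
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    return problems


def check_plan(hosts):
    """Check each host and report subnets that overlap.

    In routing mode every SCALANCE interface (external, internal, DMZ) must sit
    in its own subnet; overlapping subnets are reported under the key 'overlap'.
    """
    report = {name: check_host(*entry) for name, entry in hosts.items()}
    nets = {name: ipaddress.IPv4Interface(f"{e[0]}/{e[1]}").network
            for name, e in hosts.items()}
    names = list(nets)
    report["overlap"] = [
        f"{a} ({nets[a]}) overlaps {b} ({nets[b]})"
        for i, a in enumerate(names) for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]
    return report


def plan_is_consistent(hosts):
    """True when no host entry and no subnet pair has a problem."""
    return all(not problems for problems in check_plan(hosts).values())


if __name__ == "__main__":
    for name, problems in check_plan(HOSTS).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

The overlap check is the one worth keeping around: with a 255.255.0.0 mask, as used for the external interfaces in the gateway-to-gateway example, all 192.168.x.y addresses fall into one /16 and the script reports the segments as overlapping, which is fine for a bridged setup but not for the routing mode selected in step 3 here.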
Page 141
VPN with User Authentication 3. Creating a project and security module • Create a new project • In the “Configuration” area enter the MAC address • Enter the external IP address (192.168.10.1) and the external subnet mask (255.255.255.0) • Select the “Routing mode” •...
Page 142
VPN with User Authentication 3. Creating a project and security module • Select the security module created and select the “Edit” > “Properties” menu command, “Interfaces” tab • Select the “Activate Interface” check box in the “DMZ port (X3)” area •...
Page 143
VPN with User Authentication 3. Creating a project and security module • Use the “Insert” > “Module” menu command with the following parameters Product type: SOFTNET configuration Module: SOFTNET Security Client Firmware release: V4 • Confirm with “OK”...
Page 144
VPN with User Authentication 4. Configuring a RADIUS server • We’ll use the previously configured RADIUS server for this example...
Page 145
VPN with User Authentication 5. Configuring the firewall • Select “VPN groups” in the navigation • Select the “Insert” > “Group” menu command • In the navigation panel, click the “All modules” entry • Drag the SCALANCE S Module to the VPN group “Group1”...
Page 146
VPN with User Authentication 5. Configuring the firewall • Drag the SOFTNET Security Client module to the VPN group “Group1” in the navigation panel The module is now assigned to the VPN group The color of the key symbol changes to blue •...
Page 147
VPN with User Authentication 5. Configuring the firewall • Use the menu command “Options” > “User Management“ • Create a new user with the following settings • Confirm with “OK”...
Page 148
VPN with User Authentication 5. Configuring the firewall • Select the “User-specific IP rule sets” in the navigation window • Select the “Add rule set…” option in the shortcut menu...
Page 149
VPN with User Authentication 5. Configuring the firewall • Enter a rule in the dialog as shown below...
Page 150
VPN with User Authentication 5. Configuring the firewall • From the “Available users and roles” list, select the “radius (user)” entry and click the “Assign” button, then select the “radius (role)” entry and click “Assign” • Confirm with “OK”...
Page 151
VPN with User Authentication 5. Configuring the firewall • Select the security module in the navigation panel and drag it to the newly created user-specific IP rule set • The assignment can be checked by opening the module properties and selecting the “Firewall” tab...
Page 152
VPN with User Authentication 5. Configuring the firewall • Open the properties of the SCALANCE module and go to the “Firewall” tab • Add a firewall rule as in the image • Confirm with “OK”...
Page 153
VPN with User Authentication 6. Linking the RADIUS server and security module • Select the menu option “Options” > “Configuration of the RADIUS server…” • Click the “Add…” button in the dialog...
Page 154
VPN with User Authentication 6. Linking the RADIUS server and security module • Define the server with the following values IP address/FQDN: 192.186.8.2 Shared secret: SiemensSecret Repeat shared secret: SiemensSecret • Confirm with “OK”...
Page 155
VPN with User Authentication 6. Linking the RADIUS server and security module • Open the SCALANCE S module properties and go to the “RADIUS” tab • Check the “Enable RADIUS authentication” box • Click the “Add” button This adds the newly configured RADIUS server...
Page 156
VPN with User Authentication 6. Linking the RADIUS server and security module • In the “RADIUS setting” area, check the “Allow RADIUS authentication of non-configured users” box • Confirm with “OK”...
Page 157
VPN with User Authentication 7. Downloading the configuration to the security module and saving the SOFTNET Security Client configuration • Save the project • Use the menu command “Transfer” > “To all modules…” • Start the download with the “Start” button...
Page 158
VPN with User Authentication 7. Downloading the configuration to the security module and saving the SOFTNET Security Client configuration • Save the configuration file “projectname.Module2.dat” in your project folder • Assign a password to the certificate • Confirm the popup with “OK”...
Page 159
VPN with User Authentication 8. Setting up a tunnel with the SOFTNET Security Client • Open the SOFTNET Security Client on PC2 • Select “Load Configuration” and browse to where “projectname.Module2.dat” has been saved • Open the configuration with the “Open” button...
Page 160
VPN with User Authentication 8. Setting up a tunnel with the SOFTNET Security Client • Loading a new configuration will delete any previous configurations • When the dialog above pops up, select “deleted” and confirm with “Next”...
Page 161
VPN with User Authentication 8. Setting up a tunnel with the SOFTNET Security Client • The VPN tunnel can now be opened by clicking the “Enable” button • Enter the certificate password in the dialog...
Page 162
VPN with User Authentication 8. Setting up a tunnel with the SOFTNET Security Client • “Tunnel Overview” shows the status of the tunnel • The green circle shows that the tunnel has been established...
Page 163
VPN with User Authentication 8. Setting up a tunnel with the SOFTNET Security Client • If the tunnel does not get set up, check whether the Windows Firewall has been enabled • Open the “Control Panel” > “Windows Firewall” • If the firewall is not enabled, click “Turn Windows Firewall on or off”...
Page 164
VPN with User Authentication 9. Logging in on the Web page • In the Web browser of PC1, enter the address “https://192.168.10.1”...
Page 165
VPN with User Authentication 9. Logging in on the Web page • If the web page does not show the login fields, try changing the language in the upper right corner...
Page 166
VPN with User Authentication 9. Logging in on the Web page • Enter the user name “radius” and corresponding password and click the “Log in” button...
Page 167
VPN with User Authentication 9. Logging in on the Web page • The defined IP rule set is enabled for the “radius” user.
Page 168
VPN with User Authentication 10. Testing the firewall function (ping test) • Open the command prompt on PC1 • Enter the ping command from PC1 to PC2 “ping 192.168.9.2” • All packets reach PC2 through the tunnel...