Allen-Bradley 1756-EN2TSC User Manual
User Manual
EtherNet/IP Secure Communication
Catalog Number 1756-EN2TSC

Advertisement

Table of Contents
loading

Summary of Contents for Allen-Bradley 1756-EN2TSC

  • Page 1 User Manual EtherNet/IP Secure Communication Catalog Number 1756-EN2TSC...
  • Page 2 Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory requirements for safe work practices and for Personal Protective Equipment (PPE). Allen-Bradley, Rockwell Software, Rockwell Automation, ControlFLASH, ControlLogix, FactoryTalk, FLEX, Logix5000, POINT I/O, PowerFlex, RSLinx, RSView, Stratix 5900, and Studio 5000 are trademarks of Rockwell Automation, Inc.
  • Page 3 Summary of Changes This manual contains new and updated information. Changes throughout this revision are marked by change bars, as shown to the right of this paragraph. New and Updated This table contains the changes made to this revision. Information Topic Page Updated all web page interface screens from Series A to Series B module...
  • Page 4 Summary of Changes Notes: Rockwell Automation Publication ENET-UM003C-EN-P - November 2015...
  • Page 5: Table of Contents

    Interface Metric (46); Open the VPN Connection to the 1756-EN2TSC Module (47); Communicate to the Module Via an RSLinx Driver.
  • Page 6 Table of Contents: Chapter 6 Diagnostics; Diagnostic Web Pages (63); Secure Tunnel Diagnostics Web Page.
  • Page 7: Additional Resources

    Preface The 1756-EN2TSC is a security-enhanced version of the 1756-EN2T EtherNet/IP communication module. This module is designed for applications that limit network access to a control system from within the plant network. This module is not intended to connect any devices in the local 1756 backplane to devices outside of the plant firewall.
  • Page 9 Traffic Filtering Many control systems currently use 1756-EN2T and 1756-ENBT modules to connect ControlLogix® systems to plant-level systems. A 1756-EN2TSC module offers the same connectivity and additional security options that help protect access to resources on the local backplane from the plant network. Use the 1756-EN2TSC module to establish secure tunnels with peer modules, Windows 7 clients, and VPN appliances.
  • Page 10: Chapter 1

    Chapter 1 Secure Communication Architecture. Figure 1 - 1756-EN2TSC Module Establishes Secure Tunnels with Peer Modules, Windows 7 Clients, and VPN Appliances (the figure shows the Enterprise Zone, Levels 4 and 5, a Demilitarized Zone (DMZ), and a secure tunnel between the 1756-EN2TSC module and a VPN appliance).
  • Page 11: Considerations

    ... 3.0 are disabled in the module. Browsers must enable support for Transport Layer Security (TLS) 1.2. The 1756-EN2TSC module lets only those devices with proper credentials access the module. This module is intended for use behind an existing firewall/DMZ that helps protect the plant network from outside access.
  • Page 12: Local Chassis Security

    Chapter 1 Secure Communication Architecture Local Chassis Security You can use the 1756-EN2TSC module with the following features to prevent unauthorized access to a controller in the local chassis. • The trusted slot feature (in the controller properties) designates slots in the local chassis as trusted.
  • Page 13: Network Access Security

    Network Access Security The 1756-EN2TSC module uses the Internet Protocol Security (IPsec) technology to provide secure communication over the Ethernet network. IPsec is widely deployed, and is often used to create Virtual Private Networks (VPN).
  • Page 14: Ipsec Association

    Chapter 1 Secure Communication Architecture As part of establishing the secure tunnel, both endpoints must authenticate with each other and exchange information to help ensure secure data transfer. IPsec Association Once the IPsec association is established, data between the two endpoints is fully encrypted (except for produced/consumed tags) or optionally sent unencrypted, but with a cryptographic message integrity code.
  • Page 15: Performance

    ... IPsec) • 1756 I/O connections in a remote chassis. If the 1756-EN2TSC module is the trusted slot for a ControlLogix® chassis, the following traffic to the controller must go through the 1756-EN2TSC module: • RSLinx® Classic traffic (such as Studio 5000® and ControlFLASH™...
  • Page 16: Security Configuration

    IPsec security association name. Profile: profiles have values that are preconfigured for a specific type of connection; the generic client profile offers full customization. • Peer-to-peer (two 1756-EN2TSC modules) • Windows Client • VPN Appliance (Cisco ASA 5500 series, Stratix 5900™). Negotiation mode: if active, the module tries to initiate the connection.
  • Page 17 Secure Communication Architecture Chapter 1 Table 2 - IKE and IPsec SA Parameter Descriptions (continued). Remote device identifier: identifier of the remote device. It must match the other side's local identifier (except for Windows and mobile clients). • IP address • FQDN (fully qualified domain name) •...
  • Page 19 Chapter 2 Get Started (topics: Initial Powerup; Configuration Overview; Assign Network Settings; Create User Accounts; Generate HTTPS Certificate; Backup / Restore). This chapter describes the initial configuration settings that are required for the module. After installing the module, see the next chapters for security configuration examples.
  • Page 20: Initial Powerup

    After you login, the Home page appears. The 1756-EN2TSC module has an embedded HTTPS server that it uses to provide secure web communication. An HTTPS server uses a certificate so that the client can verify server authenticity. For websites connected to the Internet, certificates are normally signed by a trusted certificate authority.
  • Page 21 Get Started Chapter 2 2. Accept this message and continue to the web page. IMPORTANT: In general, do not accept a certificate that is not signed by a trusted authority. But in the case of initial powerup, the module has a self-signed certificate, so continue to the website even though the message says that this option is not recommended. Record the certificate's fingerprint when you accept it, so that a different certificate on a later visit is noticed rather than accepted again.
  • Page 22: Default Credentials

    Chapter 2 Get Started Default Credentials Default credentials are case-sensitive and are as follows: • User name: Administrator • Password: admin You are prompted to change the password on the Administrator account. Enter the new password and click Change. After you change the Administrator password, the module home page appears. Configuration Overview The left pane of the web browser is a navigation tree to configure and maintain the module.
  • Page 23: Assign Network Settings

    Get Started Chapter 2 Assign Network Settings By default, the module is BOOTP enabled. IMPORTANT: Do not simply configure the initial address that is assigned to the module as a static IP address. Contact your network administrator for an appropriate static IP address.
  • Page 24 Chapter 2 Get Started Table 3 - Network Configuration Parameter Descriptions Parameter Description Ethernet Interface Configuration The network configuration scheme: • Dynamic BOOTP (default) • Dynamic DHCP • Static IP address IP address for the module: If you want to specify a static IP address for the module, you must also choose Static for the Ethernet Interface Configuration field.
  • Page 25: Create User Accounts

    Get Started Chapter 2 Create User Accounts You can define user accounts for the web interface to the module. Every user is authenticated by a user name and a password. These accounts are typically for administrators or others who need access to diagnostic information. •...
  • Page 26: Bad Login Attempts

    Chapter 2 Get Started Bad Login Attempts The module logs bad login attempts and presents statistics on the main page. After 3 bad login attempts, the ability to log in is disabled for 5 minutes. Generate HTTPS Certificate You can generate a new HTTPS certificate if needed. Generating a new HTTPS certificate is optional, as the module automatically generates a certificate when the module is turned on for the first time after a factory reset.
  • Page 27: Certificates

    Get Started Chapter 2 Certificates On initial powerup, the subject common name (CN) of the self-generated certificate is set to Rockwell Automation®. When you generate a new certificate, the CN is changed to the IP address of the module and the new certificate is applied at the next restart of the module. Rockwell Automation Publication ENET-UM003C-EN-P - November 2015...
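    Certificate pinning, as an added example (editor's PowerShell, not code from the Rockwell manual): pages 20, 21 and 27 tell you to accept the self-signed certificate at initial powerup and note that its CN changes from Rockwell Automation to the module IP address after you generate a new one. The script below records the certificate thumbprint once over a TLS 1.2-only handshake (the protocol page 11 requires) and fails loudly if a later connection presents a different certificate. It assumes the embedded HTTPS server listens on port 443, PowerShell 5 or later for the [type]::new() syntax, and a placeholder module address of 10.10.10.1.

```powershell
# Added example, not from the Rockwell manual. Pins the 1756-EN2TSC HTTPS
# certificate by thumbprint so the one-time "accept the self-signed cert"
# step is not repeated blindly on every later visit.

function Get-ModuleTlsCertificate {
    param(
        [Parameter(Mandatory)][string]$ModuleIp,
        [int]$Port = 443   # assumed default port of the module's embedded HTTPS server
    )
    $client = [System.Net.Sockets.TcpClient]::new($ModuleIp, $Port)
    try {
        # Accept whatever the server presents in the callback; the caller
        # decides trust by comparing the thumbprint, not by chain validation
        # (the module's certificate is self-signed, page 21).
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        # TLS 1.2 only: page 11 states SSL is disabled and TLS 1.2 is required.
        $ssl.AuthenticateAsClient($ModuleIp, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject    = $cert.Subject      # CN=Rockwell Automation at first powerup, CN=<module IP> after regeneration (page 27)
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint   # SHA-1 fingerprint, uppercase hex
            NotAfter   = $cert.NotAfter
            Protocol   = $ssl.SslProtocol   # Tls12, otherwise the handshake would have failed
        }
    } finally {
        $client.Dispose()
    }
}

function Test-ModuleCertificatePinned {
    param(
        [Parameter(Mandatory)][string]$ModuleIp,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $seen = Get-ModuleTlsCertificate -ModuleIp $ModuleIp
    if ($seen.Thumbprint -ne $ExpectedThumbprint) {
        # A change is expected only after you regenerate the certificate
        # (page 26) or factory-reset the module; anything else deserves a look.
        throw "Certificate for $ModuleIp changed: expected $ExpectedThumbprint, got $($seen.Thumbprint) ($($seen.Subject))"
    }
    $seen
}

# Usage with a placeholder address: record once at initial powerup, then
# verify before each administrative login.
$first = Get-ModuleTlsCertificate -ModuleIp '10.10.10.1'
$first.Thumbprint | Set-Content -Path .\en2tsc-pin.txt
Test-ModuleCertificatePinned -ModuleIp '10.10.10.1' -ExpectedThumbprint (Get-Content -Path .\en2tsc-pin.txt)
```

    Re-run Get-ModuleTlsCertificate after you generate a new certificate (page 26) and store the new thumbprint; the Subject should then read CN=<module IP address> rather than CN=Rockwell Automation.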
  • Page 28: Backup / Restore

    Chapter 2 Get Started Backup / Restore To back up module configuration, choose Administrative Settings > Backup / Restore > Backup. Choose which items to include in the backup configuration. Parameter Description Secure Tunnel Configuration Secure tunnel settings: • IPsec Configuration •...
  • Page 29 3. When prompted that the restore overwrites the module, click OK. A 1756-EN2TSC series B module can import a series A configuration but a series A cannot import a series B configuration. When the restore is complete, the module displays a status message.
  • Page 31 Configure an L2TP Connection Configure a Connection from a Microsoft Windows Client Open the VPN Connection to the 1756-EN2TSC Module Communicate to the Module Via an RSLinx Driver In this scenario, a Microsoft Windows 7 client establishes an IPsec association with the 1756-EN2TSC module.
  • Page 32: L2Tp Connections

    All communication that software products generate, such as RSLinx® software, to an L2TP server address of a 1756-EN2TSC module is sent via an IPsec connection. This diagram shows how the physical and L2TP IP addresses differ.
  • Page 33 This is only true if you want to connect from one Windows client to two or more 1756-EN2TSC modules at the same time. If only one module is connected with a given client at a given time, there is no need for different subnets.
  • Page 34 Chapter 3 Configure a Secure Connection to a Microsoft Windows Client Figure 4 - Two 1756-EN2TSC Modules Connected to the Same Windows Client (figure residue: first 1756-EN2TSC module with physical address 10.10.10.1 acting as the first L2TP server; personal computer with physical address 10.10.10.2 acting as the first L2TP client; L2TP addresses 192.168.1.1 and 192.168.1.2 at the two ends...)
  • Page 35: Create Windows Client Connection By Using A Windows Profile

    Connection By Using a Windows Profile 1. Log in to the 1756-EN2TSC module and choose Administrative Settings > Secure Tunnel Configuration > IPsec Configuration. 2. On the right side of the screen, check Enable to enable IPsec connections. 3. In the Add a Security Association (SA) area, do the following.
  • Page 36 Chapter 3 Configure a Secure Connection to a Microsoft Windows Client 5. Click Apply Changes. 6. Verify IPsec connections are enabled.
  • Page 37: Configure Mobile Client

    Configure a Secure Connection to a Microsoft Windows Client Chapter 3 Configure Mobile Client A mobile client does not have a predetermined IP address that is explicitly configured in the module. For example, a personal computer that is configured for DHCP connects to the module. If the IP address of the personal computer changes, no configuration changes are required on the module.
  • Page 38: Configure An L2Tp Connection

    Chapter 3 Configure a Secure Connection to a Microsoft Windows Client. Configure an L2TP Connection: follow these steps to configure an L2TP connection. 1. Choose Administrative Settings > Secure Tunnel Configuration > L2TP Users. 2. For each user, define a user ID and password. Each L2TP user must authenticate when establishing a tunnel to the module.
  • Page 39 5. If needed, change the range of available client IP addresses. The IP addresses on this screen are the virtual IP addresses for the L2TP server (in the 1756-EN2TSC module) and the pool of virtual IP addresses (for Windows clients).
  • Page 40: Configure A Connection From A Microsoft Windows Client

    Configure a Connection from a Microsoft Windows Client: this section explains a connection from a Windows client, where the Windows computer is a client and the 1756-EN2TSC module is a server. An IPsec client is required to make a secure connection to the module. Without an active IPsec association, the module drops packets, which appear as message timeouts.
  • Page 41 Internet. 6. If prompted, choose I’ll set up an Internet connection later. 7. Enter the physical IP address of the 1756-EN2TSC module and a name for the connection. 8. Select Don’t connect now; just set it up so I can connect later and click Next.
  • Page 42 9. Enter the appropriate user name and password. The user name and password must have already been configured as an L2TP user on the 1756-EN2TSC module. See the L2TP Edit Users tab as part of configuring the 1756-EN2TSC module (page 38).
  • Page 43 Configure a Secure Connection to a Microsoft Windows Client Chapter 3 14. Select the created connection, right-click, and choose Properties. 15. On the Options tab, do the following. a. Check Display progress while connecting. b. Check Prompt for name and password, certificate, etc. c.
  • Page 44 Chapter 3 Configure a Secure Connection to a Microsoft Windows Client 16. On the Security tab, do the following. a. Choose Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec) as the type of VPN. b. Choose Optional encryption (connect even if no encryption) as the type of data encryption. (This Windows setting governs only the PPP-level MPPE encryption inside the tunnel; with L2TP/IPsec the IPsec security association already encrypts the traffic, which is why Optional is acceptable here.)
  • Page 45 19. On the Networking tab, click Properties and then click Advanced. By default all traffic is forwarded through the established VPN tunnel. To have both the VPN tunnel to the 1756-EN2TSC module and preserve access to the local network (such as Internet or corporate mail server), do the following.
  • Page 46: Interface Metric

    Chapter 3 Configure a Secure Connection to a Microsoft Windows Client c. In the Interface metric field, enter a value larger than the metric of the default gateway route in the routing table. 20. Click OK until you exit the configuration tabs. Interface Metric: the interface metric specifies an integer cost metric (1…9999) for the route.
  • Page 47: Open The Vpn Connection To The 1756-En2Tsc Module

    Once the Windows client and 1756-EN2TSC module are configured, you must establish the VPN connection.
  • Page 48 Chapter 3 Configure a Secure Connection to a Microsoft Windows Client It can take 30 seconds or more to connect. If you want to delete a VPN connection on the Windows client (for example, because it does not work and you want to create a new connection): 1.
  • Page 49: Communicate To The Module Via An Rslinx Driver

    Communicate to the Module Via an RSLinx Driver: if you communicate to the module through an RSLinx® driver, you must use an L2TP connection and the Ethernet devices driver. Once the secure tunnel exists to the 1756-EN2TSC module, RSLinx® software uses the L2TP server IP address to communicate with the controller through the 1756-EN2TSC module.
  • Page 50 Chapter 3 Configure a Secure Connection to a Microsoft Windows Client If you connect to the 1756-EN2TSC module without knowing the L2TP server IP address, you can find that after the connection is established. 1. Click the network icon in the right, bottom of the Windows taskbar.
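    The Windows client procedure of this chapter (pages 38 to 50), as an added example in PowerShell written for this page rather than taken from the Rockwell manual: it creates the L2TP/IPsec connection with the VpnClient cmdlets, opens it with rasdial, raises the tunnel interface metric above the LAN default route as step 19c requires, reports the client's L2TP address, and checks that the L2TP server address answers over the tunnel. It needs Windows 8 or Server 2012 or later (Windows 7, which the manual targets, has no Add-VpnConnection; use the dialog steps there) and an elevated prompt for Set-NetIPInterface. The connection name, addresses, L2TP user, the pre-shared key and MS-CHAPv2 authentication, and the EtherNet/IP TCP port 44818 are assumptions not stated in this extract.

```powershell
# Added example, not from the Rockwell manual. Builds, opens and checks the
# L2TP/IPsec client connection that Chapter 3 configures through the Windows
# dialogs. All names, addresses and credentials below are placeholders.

function New-En2tscVpn {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ModuleIp,   # physical IP of the module (step 7)
        [Parameter(Mandatory)][string]$Psk         # IPsec pre-shared key (assumed authentication method)
    )
    # Step 16: L2TP/IPsec with "Optional encryption". The IPsec SA encrypts the
    # tunnel; EncryptionLevel only governs PPP-level MPPE. MSChapv2 is assumed.
    Add-VpnConnection -Name $Name -ServerAddress $ModuleIp `
        -TunnelType L2tp -L2tpPsk $Psk `
        -AuthenticationMethod MSChapv2 `
        -EncryptionLevel Optional `
        -RememberCredential -Force
}

function Connect-En2tscVpn {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$L2tpUser,      # L2TP user created on the module (page 38)
        [Parameter(Mandatory)][string]$L2tpPassword
    )
    # Open the tunnel; the chapter notes this can take 30 seconds or more.
    rasdial $Name $L2tpUser $L2tpPassword | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "rasdial failed with error $LASTEXITCODE" }

    # Step 19c: give the tunnel interface a metric larger than the effective
    # metric (route metric + interface metric) of the LAN default route, so
    # ordinary traffic keeps using the LAN while routes learned over the
    # tunnel still reach the module.
    $lanDefault = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
        Where-Object InterfaceAlias -ne $Name |
        Sort-Object RouteMetric | Select-Object -First 1
    $lanIf = Get-NetIPInterface -InterfaceIndex $lanDefault.InterfaceIndex -AddressFamily IPv4
    Set-NetIPInterface -InterfaceAlias $Name -AddressFamily IPv4 `
        -InterfaceMetric ($lanDefault.RouteMetric + $lanIf.InterfaceMetric + 10)

    # The client's virtual address comes from the module's L2TP pool (page 39)
    # and differs from the module's physical address (page 32).
    [pscustomobject]@{
        Connection      = $Name
        ClientL2tpIp    = (Get-NetIPAddress -InterfaceAlias $Name -AddressFamily IPv4).IPAddress
        InterfaceMetric = (Get-NetIPInterface -InterfaceAlias $Name -AddressFamily IPv4).InterfaceMetric
    }
}

function Test-En2tscTunnel {
    param([Parameter(Mandatory)][string]$L2tpServerIp)
    # RSLinx's Ethernet devices driver (page 49) talks EtherNet/IP to the L2TP
    # server address; TCP 44818 is the standard CIP port (assumed, not stated
    # in this extract). Without an IPsec SA the module drops the packets, so a
    # failure here shows up as a timeout rather than a refusal.
    (Test-NetConnection -ComputerName $L2tpServerIp -Port 44818 `
        -WarningAction SilentlyContinue).TcpTestSucceeded
}

# Usage (placeholders): create the connection once, then connect and verify.
$psk  = Read-Host 'IPsec pre-shared key configured on the module'
$pass = Read-Host 'Password of the L2TP user'
New-En2tscVpn -Name 'EN2TSC-Line1' -ModuleIp '10.10.10.1' -Psk $psk
Connect-En2tscVpn -Name 'EN2TSC-Line1' -L2tpUser 'rslinx' -L2tpPassword $pass
if (-not (Test-En2tscTunnel -L2tpServerIp '192.168.1.1')) {
    Write-Warning 'No EtherNet/IP reachability over the tunnel; check Diagnostics > Advanced Diagnostics > Secure Tunnel on the module'
}
```

    If the same client must reach two modules at once (page 33), give each module a different L2TP subnet; otherwise the second tunnel's route collides with the first.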
  • Page 51 Configure Secure Communication Between Two 1756-EN2TSC Modules (topics: Test the Connection; Edit the Security Association). In this scenario, an IPsec association is established between two 1756-EN2TSC modules (peer-to-peer). In this case, a VPN tunnel services the remote and local IP networks. There is one IP address at either end of the IPsec association.
  • Page 52: Chapter 4

    Chapter 4 Configure Secure Communication Between Two 1756-EN2TSC Modules. To create a security association with another module, each module must be configured with the pre-shared key of the other module. (Figure residue: Enterprise Zone, Levels 4 and 5; Demilitarized Zone (DMZ).)
  • Page 53: Configure The First (Local) Module

    Configure Secure Communication Between Two 1756-EN2TSC Modules, Chapter 4. Configure the First (Local) Module: follow these steps to configure the first (local) module. 1. Choose Administrative Settings > Secure Tunnel Configuration > IPsec Configuration and make sure that Enable IPsec is enabled.
  • Page 54: Configure The Second (Remote) Module

    Chapter 4 Configure Secure Communication Between Two 1756-EN2TSC Modules. Configure the Second (Remote) Module: follow these steps to configure the second (remote) module. 1. Choose Administrative Settings > Secure Tunnel Configuration > IPsec Configuration and make sure that Enable IPsec is enabled.
  • Page 55: Test The Connection

    Configure Secure Communication Between Two 1756-EN2TSC Modules Chapter 4 Test the Connection When the security association is added on both sides of connection, the modules take a few seconds to establish the IPsec tunnel between the modules. To verify that the connection is established, access Diagnostics > Advanced Diagnostics >...
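    A pre-flight consistency check for the peer-to-peer scenario, as an added example (editor's PowerShell, not code from the Rockwell manual): it compares the security association each module would hold using the Table 2 fields this extract names (page 17: the remote identifier must match the other side's local identifier; page 52: both modules need the same pre-shared key; page 16: only an active negotiation mode initiates the connection) plus the IKE version from page 60. The two sample SA records are constructed here; the field names, the minimum key length and the "both passive" rule are the editor's choices derived from those definitions, not module settings.

```powershell
# Added example, not from the Rockwell manual. Checks that two peer-to-peer
# security associations are mirror images of each other before you wait for
# the Secure Tunnel diagnostics page to explain why no SA came up.

function Test-PeerSaPair {
    param(
        [Parameter(Mandatory)][hashtable]$Local,
        [Parameter(Mandatory)][hashtable]$Remote
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    foreach ($side in @($Local, $Remote)) {
        if ($side.Profile -ne 'Peer-to-peer') {
            $problems.Add("$($side.Name): profile is '$($side.Profile)', expected Peer-to-peer")
        }
    }

    # Page 17: the remote device identifier must match the other side's local
    # identifier, in both type (IP address, FQDN, ...) and value.
    if ($Local.RemoteIdType -ne $Remote.LocalIdType -or $Local.RemoteId -ne $Remote.LocalId) {
        $problems.Add("$($Local.Name) remote identifier '$($Local.RemoteIdType)=$($Local.RemoteId)' does not match $($Remote.Name) local identifier '$($Remote.LocalIdType)=$($Remote.LocalId)'")
    }
    if ($Remote.RemoteIdType -ne $Local.LocalIdType -or $Remote.RemoteId -ne $Local.LocalId) {
        $problems.Add("$($Remote.Name) remote identifier '$($Remote.RemoteIdType)=$($Remote.RemoteId)' does not match $($Local.Name) local identifier '$($Local.LocalIdType)=$($Local.LocalId)'")
    }

    # Page 52: each module carries the other's pre-shared key, so the two
    # strings must be identical (case-sensitive compare).
    if ($Local.PreSharedKey -cne $Remote.PreSharedKey) {
        $problems.Add('pre-shared keys differ')
    }
    # Editor's threshold, not a module rule: a short PSK is the weak point of
    # an IKE PSK exchange, so insist on something long and random.
    if ($Local.PreSharedKey.Length -lt 20) {
        $problems.Add("pre-shared key is only $($Local.PreSharedKey.Length) characters; use 20 or more")
    }

    # Page 60: IKE v2 is the reliable choice with appliances; either way both
    # peers must speak the same version.
    if ($Local.IkeVersion -ne $Remote.IkeVersion) {
        $problems.Add("IKE versions differ ($($Local.IkeVersion) vs $($Remote.IkeVersion))")
    }

    # Page 16: only a peer in active negotiation mode tries to initiate, so
    # two passive peers never build a tunnel.
    if (-not $Local.Active -and -not $Remote.Active) {
        $problems.Add('neither side is active, so no peer will initiate the tunnel')
    }

    return $problems
}

# Constructed sample SAs for two modules; addresses and key are placeholders.
$moduleA = @{
    Name = 'EN2TSC-A'; Profile = 'Peer-to-peer'; Active = $true; IkeVersion = 2
    LocalIdType = 'IP address'; LocalId = '10.10.10.1'
    RemoteIdType = 'IP address'; RemoteId = '10.10.20.1'
    PreSharedKey = 'pl4nt-L1ne1-p2p-Xq7!vR3mT9'
}
$moduleB = @{
    Name = 'EN2TSC-B'; Profile = 'Peer-to-peer'; Active = $false; IkeVersion = 2
    LocalIdType = 'IP address'; LocalId = '10.10.20.1'
    RemoteIdType = 'IP address'; RemoteId = '10.10.10.1'
    PreSharedKey = 'pl4nt-L1ne1-p2p-Xq7!vR3mT9'
}

$issues = Test-PeerSaPair -Local $moduleA -Remote $moduleB
if ($issues.Count -eq 0) { 'SA pair is consistent' } else { $issues }
```

    Swap one RemoteId, change one IkeVersion, or set both Active flags to $false in the sample records to see the corresponding messages; each maps to a symptom you would otherwise only see as a missing entry on the Secure Tunnel diagnostics page.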
  • Page 57 Configure a Secure Connection to a VPN Appliance (topic: Edit the Security Association). In this scenario, a VPN appliance (such as a firewall) establishes the IPsec association with the 1756-EN2TSC module. Client workstations or other modules then establish IPsec associations with the VPN appliance. The VPN appliance then routes packets between the IPsec associations.
  • Page 58: Chapter 5

    (Figure residue: Operations and Control, Level 3; Levels 0…2; ControlLogix Chassis with 1756-EN2TSC Module.) An appliance like the Cisco ASA supports multiple methods for authentication, multiple encryption algorithms, and multiple types of VPN technology (such as SSL VPN).
  • Page 59: Configure The Module To Connect To A Vpn Appliance

    Configure a Secure Connection to a VPN Appliance, Chapter 5. Configure the Module to Connect to a VPN Appliance: follow these steps to configure the module to connect to a VPN appliance. 1. Choose Administrative Settings > Secure Tunnel Configuration > IPsec Configuration and make sure that Enable IPsec is enabled.
  • Page 60: Edit The Security Association

    Chapter 5 Configure a Secure Connection to a VPN Appliance 4. Click Apply Changes. Do not use the IKE v1 configuration for the Stratix 5900 appliance; the IKE v1 connection can be unreliable. Use the IKE v2 connection instead. Edit the Security Association: if you want to edit the settings for the association you created, click the Edit button next to the association in the list.
  • Page 61 IMPORTANT: You must disable the TCP Sequence Randomization feature in the Cisco ASA. The 1756-EN2TSC/B module uses its own TCP sequence randomization, so there is no need to enable an additional one in the Cisco ASA. If this setting is enabled in the ASA, the VPN connection to the Cisco ASA is unreliable. (On the ASA this is the per-class "set connection random-sequence-number disable" setting of the Modular Policy Framework, applied to the traffic class that covers the module.)
  • Page 63: Diagnostic Web Pages

    Chapter 6 Diagnostics (topics: Diagnostic Web Pages; Secure Tunnel Diagnostics Web Page; Status Indicators). Diagnostic Web Pages: the 1756-EN2TSC module supports the same diagnostic web pages as the 1756-EN2T modules, including these pages. • Diagnostic Overview for a summary of the configuration and overall status of the module •...
  • Page 64: Secure Tunnel Diagnostics Web Page

    Chapter 6 Diagnostics. Secure Tunnel Diagnostics Web Page: for specific diagnostics regarding secure connections, choose Diagnostics > Advanced Diagnostics > Secure Tunnel. This diagnostic web page displays: IKE Security Associations (SA), the active IKE security associations; IKE Statistics, statistics of active exchanges and IKE security associations; IPsec Security Associations (SA), the active IPsec security associations; IPsec Output Flows...
  • Page 65: Status Indicators

    Diagnostics Chapter 6 Status Indicators The 1756-EN2TSC module uses the same status indicators as the 1756-EN2T module: • Module Status Display • Link Status Indicator (LINK) • Network Status Indicator (NET) • OK Status Indicator (OK) Module Status Display Link Status...
  • Page 66: Network (Net) Status Indicator

    Chapter 6 Diagnostics Network (NET) Status Indicator Status Description One of these conditions exists: • The module is not powered. – Verify that there is chassis power. – Verify that the module is completely inserted into the chassis and backplane. –...
  • Page 67 Index additional resources 7 HTTPS certificate architecture generate 26 Microsoft Windows client to module 31 module to module 51 secure communication 9 VPN appliance to module 57 interface metric 46 Internet Protocol Security See IPsec 13 IPsec backup 28 capability 13 BOOTP 23 modes 14 browsers 11...
  • Page 68 Index scenario Microsoft Windows client to module 31 module to module 51 VPN appliance to module 57 secure communication architecture 9 scenarios 31 secure tunnel diagnostics 64 security association 55 self-signed 20 serial number lock 12 status indicators 65 test connection 55 traffic filtering 15 trusted slot 12 user account 25...
  • Page 70 Rockwell Automation Support. Rockwell Automation provides technical information on the Web to assist you in using its products. At http://www.rockwellautomation.com/support you can find technical and application notes, sample code, and links to software service packs. You can also visit our Support Center at https://rockwellautomation.custhelp.com/ for software updates, support chats and forums, technical information, FAQs, and to sign up for product notification updates.