Summary of Contents for Allen-Bradley 1756-EN2TSC
User Manual: EtherNet/IP Secure Communication. Catalog Number 1756-EN2TSC...
Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL regulatory requirements for safe work practices and for Personal Protective Equipment (PPE).
Allen-Bradley, Rockwell Software, Rockwell Automation, ControlFLASH, ControlLogix, FactoryTalk, FLEX, Logix5000, POINT I/O, PowerFlex, RSLinx, RSView, Stratix 5900, and Studio 5000 are trademarks of Rockwell Automation, Inc.
Summary of Changes
This manual contains new and updated information. Changes throughout this revision are marked by change bars, as shown to the right of this paragraph.
New and Updated Information: This table contains the changes made to this revision (Topic / Page). Updated all web page interface screens from Series A to Series B module...
Rockwell Automation Publication ENET-UM003C-EN-P - November 2015
Preface The 1756-EN2TSC is a security-enhanced version of the 1756-EN2T EtherNet/IP communication module. This module is designed for applications that limit network access to a control system from within the plant network. This module is not intended to connect any devices in the local 1756 backplane to devices outside of the plant firewall.
Chapter 1 Secure Communication Architecture
Many control systems currently use 1756-EN2T and 1756-ENBT modules to connect ControlLogix® systems to plant-level systems. A 1756-EN2TSC module offers the same connectivity plus additional security options that help protect access to resources on the local backplane from the plant network. Use the 1756-EN2TSC module to establish secure tunnels with peer modules, Windows 7 clients, and VPN appliances.
Figure 1 - 1756-EN2TSC Module Establishes Secure Tunnels with Peer Modules, Windows 7 Clients, and VPN Appliances (zones shown: Enterprise Zone, Levels 4 and 5; Demilitarized Zone (DMZ); secure tunnel between the 1756-EN2TSC module and a VPN appliance)
3.0 are disabled in the module. Browsers must support Transport Layer Security (TLS) 1.2. The 1756-EN2TSC module lets only devices with proper credentials access the module. This module is intended for use behind an existing firewall/DMZ that helps protect the plant network from outside access.
Local Chassis Security
You can use the 1756-EN2TSC module with the following features to prevent unauthorized access to a controller in the local chassis.
• The trusted slot feature (in the controller properties) designates slots in the local chassis as trusted.
Network Access Security
The 1756-EN2TSC module uses Internet Protocol Security (IPsec) to provide secure communication over the Ethernet network. IPsec is widely deployed and is often used to create Virtual Private Networks (VPNs).
As part of establishing the secure tunnel, both endpoints must authenticate each other and exchange the information needed to protect the data transfer.
IPsec Association
Once the IPsec association is established, data between the two endpoints is fully encrypted (except for produced/consumed tags), or optionally sent unencrypted but with a cryptographic message integrity code.
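The distinction above (encrypted ESP, integrity-only traffic, and produced/consumed tags that are not encrypted) is easiest to verify by looking at what actually reaches the plant network. The following is an added example, not code from the Rockwell manual: a minimal IPv4/transport parser that labels packets by the protocol and port numbers these tunnels use. The numbers are standard assignments (ESP = IP protocol 50, AH = 51, IKE on UDP 500 and IKE/ESP-in-UDP on 4500, L2TP on UDP 1701, EtherNet/IP explicit messaging on TCP 44818, CIP implicit I/O on UDP 2222), not values the manual states, and the packets it classifies are constructed by `make_packet()` rather than captured.

```python
"""Classify what is visible on the plant network around a 1756-EN2TSC tunnel.

Added example, not from the Rockwell manual. It parses a constructed IPv4
packet far enough to see the transport protocol and ports, then labels the
packet using standard protocol/port assignments. Sample packets are built by
make_packet(); nothing here is a real capture.
"""
import socket
import struct

TCP, UDP, ESP, AH = 6, 17, 50, 51
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")


def parse_ipv4(pkt: bytes):
    """Return (protocol, src_port, dst_port); ports are None unless TCP/UDP."""
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, _src, _dst = IPV4_HDR.unpack_from(pkt)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if proto in (TCP, UDP):
        sport, dport = struct.unpack_from("!HH", pkt, ihl)   # ports sit first in both headers
        return proto, sport, dport
    return proto, None, None


def classify(pkt: bytes) -> str:
    proto, sport, dport = parse_ipv4(pkt)
    ports = {sport, dport}
    if proto == ESP:
        return "tunnel: ESP, payload protected by the IPsec SA"
    if proto == AH:
        return "tunnel: AH, integrity only, payload readable on the wire"
    if proto == UDP and ports & {500, 4500}:
        return "control: IKE or NAT-T, SA negotiation is expected in the clear"
    if proto == UDP and 1701 in ports:
        return "alert: L2TP outside IPsec, tunnel data is in the clear"
    if proto == UDP and 2222 in ports:
        return "plaintext: CIP implicit I/O (produced/consumed), not encrypted by the module"
    if proto == TCP and 44818 in ports:
        return "review: plaintext EtherNet/IP explicit messaging, confirm it is traffic the module passes outside IPsec"
    return f"other: IP protocol {proto}"


def make_packet(proto, sport=None, dport=None, src="10.10.10.2", dst="10.10.10.1") -> bytes:
    """Build a constructed IPv4 packet with an optional 8-byte TCP/UDP port stub."""
    payload = b"" if sport is None else struct.pack("!HH", sport, dport) + b"\x00" * 4
    hdr = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(payload), 1, 0, 64, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def report(packets) -> list:
    return [classify(p) for p in packets]


if __name__ == "__main__":
    sample = [
        make_packet(ESP),
        make_packet(UDP, 500, 500),
        make_packet(UDP, 1701, 1701),
        make_packet(UDP, 2222, 2222),
        make_packet(TCP, 49152, 44818),
    ]
    for line in report(sample):
        print(line)
```

Run it against frames from a SPAN port on the module's switch instead of the constructed samples; anything labelled `alert` means L2TP is running without its IPsec association, and the `review` case is worth correlating with the traffic types the manual lists as passing outside IPsec.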
IPsec)
• 1756 I/O connections in a remote chassis
If the 1756-EN2TSC module is the trusted slot for a ControlLogix® chassis, the following traffic to the controller must go through the 1756-EN2TSC module.
• RSLinx® Classic traffic (such as Studio 5000® and ControlFLASH™...
IPsec security association name.
Profile: Profiles have values that are preconfigured for a specific type of connection. The generic client profile offers full customization.
• Peer-to-peer (two 1756-EN2TSC modules)
• Windows Client
• VPN Appliance (Cisco ASA 5500 series, Stratix 5900™)
Negotiation mode: If active, the module tries to initiate the connection.
Table 2 - IKE and IPsec SA Parameter Descriptions (continued)
Remote device identifier: Identifier of the remote device. It must match the other side's local identifier (except for Windows and Mobile clients).
• IP address
• FQDN (fully qualified domain name)
•...
Chapter 2 Get Started
Topics: Initial Powerup; Configuration Overview; Assign Network Settings; Create User Accounts; Generate HTTPS Certificate; Backup / Restore.
This chapter describes the initial configuration settings that are required for the module. After installing the module, see the next chapters for security configuration examples.
After you log in, the Home page appears. The 1756-EN2TSC module has an embedded HTTPS server that it uses to provide secure web communication. An HTTPS server uses a certificate so that the client can verify server authenticity. For websites connected to the Internet, certificates are normally signed by a trusted certificate authority.
2. Accept this message and continue to the web page.
IMPORTANT: In general, do not accept a certificate that is not signed by a trusted authority. In the case of initial powerup, however, the module has a self-signed certificate, so continue to the website even though the message says that this option is not recommended. Because the browser cannot verify a self-signed certificate, record its fingerprint from the browser's certificate dialog at this point so that later sessions can be compared against it.
Default Credentials
Default credentials are case-sensitive and are as follows:
• User name: Administrator
• Password: admin
You are prompted to change the password on the Administrator account. Enter the new password and click Change. After you change the Administrator password, the module home page appears.
Configuration Overview
The left pane of the web browser is a navigation tree to configure and maintain the module.
Assign Network Settings
By default, the module is BOOTP enabled.
IMPORTANT: Do not simply configure the initial address that is assigned to the module as a static IP address. Contact your network administrator for an appropriate static IP address.
Table 3 - Network Configuration Parameter Descriptions
• Ethernet Interface Configuration: The network configuration scheme: Dynamic BOOTP (default), Dynamic DHCP, or Static.
• IP address: IP address for the module. If you want to specify a static IP address for the module, you must also choose Static for the Ethernet Interface Configuration field.
Create User Accounts
You can define user accounts for the web interface to the module. Every user is authenticated by a user name and a password. These accounts are typically for administrators or others who need access to diagnostic information.
•...
Bad Login Attempts
The module logs bad login attempts and presents statistics on the main page. After 3 bad login attempts, login is disabled for 5 minutes.
Generate HTTPS Certificate
You can generate a new HTTPS certificate if needed. Generating a new HTTPS certificate is optional, because the module automatically generates a certificate when it is turned on for the first time after a factory reset.
Certificates
On initial powerup, the subject common name (CN) of the self-generated certificate is set to Rockwell Automation®. When you generate a new certificate, the CN is changed to the IP address of the module and the new certificate is applied at the next restart of the module.
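Because the module's certificate is self-signed, the browser warning at initial powerup cannot be resolved by a certificate authority; the practical substitute is to pin the certificate's fingerprint at commissioning and compare every later session against it. The following is an added example, not code from the Rockwell manual or from Rockwell. It assumes the module's HTTPS server answers on TCP 443 (the manual does not state the port) and that the pin store is a JSON file kept with the commissioning records; the store path and the placeholder address 192.0.2.10 are assumptions.

```python
"""Trust-on-first-use pin for the 1756-EN2TSC HTTPS certificate.

Added example, not from the Rockwell manual. Assumes the module's HTTPS
server listens on TCP 443 and that the pin store is a JSON file kept with
the commissioning records. The browser warning the manual tells you to click
through is replaced by a recorded SHA-256 fingerprint that every later
session is compared against.
"""
import hashlib
import json
import ssl
from pathlib import Path


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate, the value a browser's certificate dialog shows as the SHA-256 fingerprint."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host: str, port: int = 443) -> bytes:
    # Deliberately no chain verification: the certificate is self-signed, so the
    # only check available is that it is the one pinned at commissioning.
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_pin(host: str, der: bytes, store: dict) -> str:
    """Return 'new' (first contact, pin recorded in store), 'match' or 'mismatch'.

    On 'mismatch' the store is left unchanged; re-pinning must be a deliberate
    act (delete the entry) after you regenerated the certificate, which changes
    the CN to the module's IP address, or after a factory reset.
    """
    fp = fingerprint(der)
    known = store.get(host)
    if known is None:
        store[host] = fp
        return "new"
    return "match" if known == fp else "mismatch"


def load_store(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def verify_module(host: str, store_path: Path, port: int = 443) -> str:
    """Fetch the live certificate and check it against the pin store on disk."""
    store = load_store(store_path)
    result = check_pin(host, fetch_der(host, port), store)
    if result == "new":
        store_path.write_text(json.dumps(store, indent=2))
    return result


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # placeholder address
    print(host, verify_module(host, Path("en2tsc-pins.json")))   # assumed store file
```

Run `verify_module` once while the module is still on the bench, so the pin is recorded before the module is on the plant network; thereafter a `mismatch` on a module whose certificate you did not regenerate is the signal to stop and investigate rather than click through.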
Backup / Restore
To back up the module configuration, choose Administrative Settings > Backup / Restore > Backup. Choose which items to include in the backup configuration.
Parameter / Description:
• Secure Tunnel Configuration: Secure tunnel settings: IPsec Configuration, ...
3. When prompted that the restore overwrites the module, click OK. A 1756-EN2TSC series B module can import a series A configuration but a series A cannot import a series B configuration. When the restore is complete, the module displays a status message.
Chapter 3 Configure a Secure Connection to a Microsoft Windows Client
Topics: Configure an L2TP Connection; Configure a Connection from a Microsoft Windows Client; Open the VPN Connection to the 1756-EN2TSC Module; Communicate to the Module Via an RSLinx Driver.
In this scenario, a Microsoft Windows 7 client establishes an IPsec association with the 1756-EN2TSC module.
All communication that software products such as RSLinx® software generate to the L2TP server address of a 1756-EN2TSC module is sent via the IPsec connection. This diagram shows how the physical and L2TP IP addresses differ.
This is only true if you want to connect from one Windows client to two or more 1756-EN2TSC modules at the same time. If only one module is connected with a given client at a given time, there is no need for different subnets.
Figure 4 - Two 1756-EN2TSC Modules Connected to the Same Windows Client (figure residue: First 1756-EN2TSC Module; Personal Computer (L2TP Client); First L2TP Server; First L2TP Client; addresses 192.168.1.2, 192.168.1.1, 10.10.10.1, 10.10.10.2...)
Connection By Using a Windows Profile
1. Log in to the 1756-EN2TSC module and choose Administrative Settings > Secure Tunnel Configuration > IPsec Configuration.
2. On the right side of the screen, check Enable to enable IPsec connections.
3. In the Add a Security Association (SA) area, do the following.
5. Click Apply Changes.
6. Verify that IPsec connections are enabled.
Configure Mobile Client
A mobile client does not have a predetermined IP address that is explicitly configured in the module. For example, a personal computer that is configured for DHCP connects to the module. If the IP address of the personal computer changes, no configuration changes are required on the module.
Configure an L2TP Connection
Follow these steps to configure an L2TP connection.
1. Choose Administrative Settings > Secure Tunnel Configuration > L2TP Users.
2. For each user, define a user ID and password. Each L2TP user must authenticate when establishing a tunnel to the module.
5. If needed, change the range of available client IP addresses. The IP addresses on this screen are the virtual IP address of the L2TP server (in the 1756-EN2TSC module) and the pool of virtual IP addresses for Windows clients.
Configure a Connection from a Microsoft Windows Client
This section explains a connection from a Windows client, where the Windows computer is the client and the 1756-EN2TSC module is the server. An IPsec client is required to make a secure connection to the module. Without an active IPsec association, the module drops packets, which appear as message timeouts.
Internet.
6. If prompted, choose I’ll set up an Internet connection later.
7. Enter the physical IP address of the 1756-EN2TSC module and a name for the connection.
8. Select Don’t connect now; just set it up so I can connect later and click Next.
9. Enter the appropriate user name and password. The user name and password must have already been configured as an L2TP user on the 1756-EN2TSC module. See the L2TP Edit Users tab as part of configuring the 1756-EN2TSC module (page 38).
14. Select the created connection, right-click, and choose Properties.
15. On the Options tab, do the following.
a. Check Display progress while connecting.
b. Check Prompt for name and password, certificate, etc.
c.
16. On the Security tab, do the following.
a. Choose Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec) as the type of VPN.
b. Choose Optional encryption (connect even if no encryption) as the type of data encryption. This setting governs only the PPP-level (MPPE) encryption inside the tunnel; the traffic is still protected by the IPsec security association that carries the L2TP session.
19. On the Networking tab, click Properties and then click Advanced. By default, all traffic is forwarded through the established VPN tunnel. To keep the VPN tunnel to the 1756-EN2TSC module and still preserve access to the local network (such as the Internet or a corporate mail server), do the following.
c. In the Interface metric field, enter a value larger than the metric of the default gateway route in the routing table.
20. Click OK until you exit the configuration tabs.
Interface Metric
The interface metric specifies an integer cost metric (1…9999) for the route.
Open the VPN Connection to the 1756-EN2TSC Module
Once the Windows client and 1756-EN2TSC module are configured, you must establish the VPN connection.
It can take 30 seconds or more to connect.
If a VPN connection on the Windows client does not work and you want to create a new one, delete the existing connection as follows.
Communicate to the Module Via an RSLinx Driver
If you communicate to the module through an RSLinx® driver, you must use an L2TP connection and the Ethernet devices driver. Once the secure tunnel exists to the 1756-EN2TSC module, RSLinx® software uses the L2TP server IP address to communicate with the controller through the 1756-EN2TSC module.
If you connect to the 1756-EN2TSC module without knowing the L2TP server IP address, you can find it after the connection is established.
1. Click the network icon at the bottom right of the Windows taskbar.
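Two points above are worth checking from the client before opening RSLinx: that the module silently drops packets outside an active IPsec association (so a failure shows up as a timeout, not a refusal), and that RSLinx must talk to the L2TP server IP address rather than the physical one. The following is an added example, not code from the Rockwell manual or from Rockwell: it sends an EtherNet/IP ListIdentity request to the address you give it and reports either the device's identity or a timeout. It assumes the standard EtherNet/IP encapsulation layout (24-byte header, command 0x0063, TCP port 44818); `make_sample_reply()` is a constructed reply whose vendor, product and name values are placeholders, not the module's real identity.

```python
"""Probe the 1756-EN2TSC L2TP server address with an EtherNet/IP ListIdentity.

Added example, not from the Rockwell manual. Assumes the EtherNet/IP
encapsulation layout (24-byte header, command 0x0063 ListIdentity, TCP 44818)
and, as the manual states, that the module drops packets arriving outside an
active IPsec association, so a timeout against the L2TP server address means
"no tunnel" rather than "no device". make_sample_reply() is constructed;
its identity values are placeholders.
"""
import socket
import struct

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063
LIST_IDENTITY_ITEM = 0x000C
HEADER = struct.Struct("<HHIIQI")  # command, length, session, status, sender context, options


def build_list_identity(context: int = 0x4558414D504C45) -> bytes:
    """ListIdentity is the 24-byte encapsulation header with no payload."""
    return HEADER.pack(CMD_LIST_IDENTITY, 0, 0, 0, context, 0)


def parse_list_identity_reply(data: bytes) -> dict:
    """Decode the header and the first ListIdentity item of a reply."""
    if len(data) < HEADER.size:
        raise ValueError("reply shorter than the encapsulation header")
    cmd, length, _session, status, _context, _options = HEADER.unpack_from(data)
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected command 0x{cmd:04x} or status 0x{status:08x}")
    body = data[HEADER.size:HEADER.size + length]
    if len(body) < 6:
        raise ValueError("reply carries no items")
    count, item_type, item_len = struct.unpack_from("<HHH", body, 0)
    item = body[6:6 + item_len]
    if count < 1 or item_type != LIST_IDENTITY_ITEM or len(item) < 34:
        raise ValueError("no usable ListIdentity item in reply")
    # item: version(2) | socket address, big-endian (16) | vendor(2) type(2) code(2)
    #       rev major(1) minor(1) | status(2) | serial(4) | name (1+n) | state(1)
    _family, port, addr = struct.unpack_from(">HH4s", item, 2)
    vendor, dev_type, product, rev_major, rev_minor, dev_status, serial = \
        struct.unpack_from("<HHHBBHI", item, 18)
    name_len = item[32]
    name = item[33:33 + name_len].decode("ascii", "replace")
    state = item[33 + name_len]
    return {
        "vendor_id": vendor, "device_type": dev_type, "product_code": product,
        "revision": f"{rev_major}.{rev_minor}", "status": dev_status,
        "serial": serial, "product_name": name, "state": state,
        "socket_address": (socket.inet_ntoa(addr), port),
    }


def probe(host: str, port: int = ENIP_PORT, timeout: float = 3.0):
    """Return the decoded identity, or None if nothing answered (no SA, or no device)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_list_identity())
            data = sock.recv(4096)
    except OSError:          # includes socket.timeout and connection refused
        return None
    return parse_list_identity_reply(data)


def make_sample_reply() -> bytes:
    """Constructed reply with placeholder identity values, for offline testing."""
    name = b"constructed device"
    item = struct.pack("<H", 1)                                    # encapsulation version
    item += struct.pack(">HH4s8x", 2, ENIP_PORT, socket.inet_aton("192.168.1.1"))
    item += struct.pack("<HHHBBHI", 1, 0x000C, 0, 1, 0, 0x0030, 0x00C0FFEE)
    item += bytes([len(name)]) + name + bytes([3])                  # name, state
    body = struct.pack("<HHH", 1, LIST_IDENTITY_ITEM, len(item)) + item
    return HEADER.pack(CMD_LIST_IDENTITY, len(body), 0, 0, 0, 0) + body


if __name__ == "__main__":
    import sys
    print("parser check:", parse_list_identity_reply(make_sample_reply())["product_name"])
    if len(sys.argv) > 1:    # pass the L2TP server address found in step 1 above
        print(sys.argv[1], probe(sys.argv[1]) or "no answer: check that the L2TP/IPsec tunnel is up")
```

A `None` from `probe()` against the L2TP server address while the same probe against the physical address also times out is the symptom the manual describes for a missing IPsec association; an answer from the physical address but not the L2TP one points at the VPN connection or its routing instead.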
Chapter 4 Configure Secure Communication Between Two 1756-EN2TSC Modules
Topics: Test the Connection; Edit the Security Association.
In this scenario, an IPsec association is established between two 1756-EN2TSC modules (peer-to-peer). In this case, a VPN tunnel services the remote and local IP networks. There is one IP address at either end of the IPsec association.
To create a security association with another module, each module must be configured with the pre-shared key of the other module.
(Figure residue: Enterprise Zone, Levels 4 and 5; Demilitarized Zone (DMZ).)
Configure the First (Local) Module
Follow these steps to configure the first (local) module.
1. Choose Administrative Settings > Secure Tunnel Configuration > IPsec Configuration and make sure that Enable IPsec is enabled.
Configure the Second (Remote) Module
Follow these steps to configure the second (remote) module.
1. Choose Administrative Settings > Secure Tunnel Configuration > IPsec Configuration and make sure that Enable IPsec is enabled.
Test the Connection
When the security association is added on both sides of the connection, the modules take a few seconds to establish the IPsec tunnel between them. To verify that the connection is established, access Diagnostics > Advanced Diagnostics >...
Chapter 5 Configure a Secure Connection to a VPN Appliance
Topics: Edit the Security Association.
In this scenario, a VPN appliance (such as a firewall) establishes the IPsec association with the 1756-EN2TSC module. Client workstations or other modules then establish IPsec associations with the VPN appliance. The VPN appliance then routes packets between the IPsec associations.
(Figure residue: Operations and Control, Level 3; Level 0…2; ControlLogix Chassis with 1756-EN2TSC Module.)
An appliance like the Cisco ASA supports multiple methods for authentication, multiple encryption algorithms, and multiple types of VPN technology (such as SSL VPN).
Configure the Module to Connect to a VPN Appliance
Follow these steps to configure the module to connect to a VPN appliance.
1. Choose Administrative Settings > Secure Tunnel Configuration > IPsec Configuration and make sure that Enable IPsec is enabled.
4. Click Apply Changes.
Do not use the IKE v1 configuration for the Stratix 5900 appliance. The IKE v1 connection can be unreliable. Use the IKE v2 connection instead.
Edit the Security Association
If you want to edit the settings for the association you created, click the Edit button next to the association in the list.
IMPORTANT: You must disable the TCP Sequence Randomization feature in the Cisco ASA. The 1756-EN2TSC/B module uses its own TCP sequence randomization, so there is no need to enable an additional one in the Cisco ASA. If this setting is enabled in the ASA, the VPN connection to the Cisco ASA is unreliable.
Chapter 6 Diagnostics
Topics: Diagnostic Web Pages; Secure Tunnel Diagnostics Web Page; Status Indicators.
Diagnostic Web Pages
The 1756-EN2TSC module supports the same diagnostic web pages as the 1756-EN2T modules, including these pages.
• Diagnostic Overview for a summary of the configuration and overall status of the module
•...
Secure Tunnel Diagnostics Web Page
For specific diagnostics regarding secure connections, choose Diagnostics > Advanced Diagnostics > Secure Tunnel.
This Diagnostic Web Page / Displays:
• IKE Security Associations (SA): Active IKE security associations
• IKE Statistics: Statistics of active exchanges and IKE security associations
• IPsec Security Associations (SA): Active IPsec security associations
• IPsec Output Flows...
Status Indicators
The 1756-EN2TSC module uses the same status indicators as the 1756-EN2T module:
• Module Status Display
• Link Status Indicator (LINK)
• Network Status Indicator (NET)
• OK Status Indicator (OK)
Module Status Display Link Status...
Network (NET) Status Indicator
Status / Description: One of these conditions exists:
• The module is not powered.
– Verify that there is chassis power.
– Verify that the module is completely inserted into the chassis and backplane.
–...
Rockwell Automation Support
Rockwell Automation provides technical information on the Web to assist you in using its products. At http://www.rockwellautomation.com/support you can find technical and application notes, sample code, and links to software service packs. You can also visit our Support Center at https://rockwellautomation.custhelp.com/ for software updates, support chats and forums, technical information, FAQs, and to sign up for product notification updates.