W&T
www.WuT.de
Manual
Startup and application
Microwall
Valid for the following models:
#55211: Microwall VPN
Firmware 1.30 or higher
#55212: Microwall IO
Firmware 1.10 or higher
Release 1.06 006/2022

Summary of Contents for W&T 55211

  • Page 1 W&T www.WuT.de Manual Startup and application Microwall Valid for the following models: #55211: Microwall VPN Firmware 1.30 or higher #55212: Microwall IO Firmware 1.10 or higher Release 1.06 006/2022...
  • Page 2 W&T © 06/2022 by Wiesemann und Theis GmbH. Microsoft and Windows are registered trademarks of Microsoft Corporation. WireGuard and the WireGuard logo are registered trademarks of Jason A. Donenfeld. Subject to error and alteration: Since we can make mistakes, none of our statements may be used unchecked.
  • Page 3 W&T Introduction The Microwall VPN and Microwall IO are industrial-grade IPv4 routers with two 1000BaseT network connections, an integrated whitelist-based firewall and a WireGuard VPN access. They connect a network island, e.g. one containing automation components, to a higher-level local network. In parallel, secure remote access to the participants of the island network can take place via the WireGuard VPN, with the Microwall acting as client or server.
  • Page 4: Table Of Contents

    W&T Content 1 Legal information and safety (p. 7); 1.1 Legal notices (p. 8); 1.2 Safety notices (p. 10); 2 Hardware, interfaces and displays (p. 13); 2.1 Hardware installation (p. 14); 2.2 Power supply (p. 15); 2.2.1 PoE supply (p. 15); 2.2.2 External power supply (p. 15); 2.3 Network Interfaces ...
  • Page 5 W&T 11.4 Individual certificates (p. 106); 11.5 Emergency access to the Microwall (p. 108); 11.6 Reset to default settings (p. 110); Appendix (p. 111); Technical data and form factor (p. 112); Microwall VPN, #55211 (p. 112); Microwall IO, #55212 (p. 113); Index (p. 114)...
  • Page 7: Legal Information And Safety

    W&T Legal information and safety...
  • Page 8: Legal Notices

    W&T 1.1 Legal notices Warning concept This manual contains notices that must be observed for your personal safety as well as to prevent damage to equipment. The notices are emphasized using a warning sign. Depending on the hazard level, the warning notices are shown in decreasing severity as follows.
  • Page 9 W&T The documentation associated with the respective task must be followed, especially the safety and warning notices contained therein. Qualified personnel are defined as those who are qualified by their training and experience to recognize risks when handling the described products and to avoid possible hazards.
  • Page 10: Safety Notices

    W&T 1.2 Safety notices General notices This manual is intended for the installer of the Microwall described in the manual and must be read and understood before starting work. The devices are to be installed and put into operation only by qualified personnel. Intended use DANGER The Microwall VPN is an industrial-grade IPv4 router with two...
  • Page 11 W&T sources. Please observe the limits with respect to maximum ambient temperature. Ventilation openings must be clear of any obstacles. A distance of 10-15 cm between the Microwall and nearby heat sources must be maintained. Input voltage and output currents must not exceed the rated values in the specification.
  • Page 13: Hardware, Interfaces And Displays

    W&T Hardware, interfaces and displays Hardware installation Power supply Network interfaces Service button Digital IOs (only Microwall IO)...
  • Page 14: Hardware Installation

    W&T Hardware, interfaces and displays 2.1 Hardware installation The Microwall is mechanically designed for mounting on a standard DIN rail. In this case, as well as with alternative mounting methods, the outlined air circulation must be guaranteed. The installation site must be adapted to the security requirements of the respective system environment.
  • Page 15: Power Supply

    W&T Hardware, interfaces and displays 2.2 Power supply The Microwall is powered either via PoE or via an external power supply. Simultaneous connection of both power supplies is not permitted. The current consumption can be taken from the technical data. 2.2.1 PoE supply The Microwall can be supplied via the interface Network 1 (yellow) via PoE according to IEEE 802.3af.
  • Page 16: Network Interfaces

    W&T 2.3 Network Interfaces The Microwall has two network interfaces: Network 1 (yellow) and Network 2 (green). Network 1 (yellow) is used for connection to the higher-level network in which the island network, attached at the Network 2 (green) connection, is to be integrated.
  • Page 17 W&T Hardware, interfaces and displays Galvanic isolation There is an electrical isolation of at least 500 Vrms from the supply voltage. Auto-Negotiation The transmission speed and duplex method are automatically negotiated with the connected device. To avoid problems such as duplex mismatch, we recommend that the connected devices are also operated in auto-negotiation mode.
  • Page 18: System And Error Led

    W&T Hardware, interfaces and displays 2.4 System and Error LED System LED, Service LED 2.4.1 System LED (green) ON: Signals normal operational readiness. Flashing: The Microwall performs a reboot or receives a new firmware. 2.4.2 Service LED (red) The service LED is used to signal the emergency access and factory default reset functions that can be controlled via the service button.
  • Page 19: Service Button

    W&T Hardware, interfaces and displays 2.5 Service button The service button is recessed on the front side of the Microwall to avoid operating errors. It is operated with a suitable, pointed object (e.g. paper clip). The following actions are triggered via the service button: Reset/Restart Pressing the button briefly, between 0.2 and 3.5 s, triggers a restart of the Microwall.
  • Page 20 W&T Hardware, interfaces and displays aborted. The Microwall continues with the standard operation of the current configuration. A reset to the factory setting causes all settings (filter rules, IP parameters, log files, etc.) to be lost. Recommissioning must be carried out as described in the chapter Start-up.
  • Page 21: Start-Up

    W&T Start-up The commissioning of the Microwall can only be done via the interface Network 1 (yellow). In the first step, the IP address required for initial access is assigned. Subsequent browser access leads to the initial web page for configuration of the basic parameters required for operation, including the system password.
  • Page 22: Ip Assignment Via Dhcp

    W&T Start-up 3.1 IP assignment via DHCP In network environments with DHCP support and a dynamic address pool, the Microwall automatically receives the following basic IP parameters via the Network 1 port. • IP address • Subnet mask • Gateway address •...
  • Page 23: Initial Assignment Of Ip Parameters With Wutility

    W&T Start-up 3.2 Initial assignment of IP parameters with WuTility From version 4.52, the Windows tool WuTility supports the inventory and management of the basic network parameters of the Microwall: • IP address • Subnet mask • Gateway address • DNS server. WuTility versions >= 4.52 must be used.
  • Page 24 W&T Start-up inventory list. This search process can be repeated as often as required by pressing the Scan button: Within the inventory list, the desired Microwall can be identified via its MAC address. The default IP address is 190.107.233.110. Select the desired Microwall and then press the IP address button: Enter the desired values for IP address, subnet mask, gateway and DNS server.
  • Page 25 W&T Start-up using standard web-based management. The additional parameters required for initial commissioning are set via an initial web page using a browser. For more information, refer to the chapter Initial Web Page.
  • Page 26: Start-Up Via The Default Ip Address

    W&T Start-up 3.3 Start-up via the default IP address In the delivery state and after a reset to the factory settings, the default IP address of the interface Network 1 is 190.107.233.110. When the interface Network 1 is connected to the network, the initial web page for assigning the system password can be reached via the default IP or the IP address assigned by WuTility.
  • Page 27: Initial Web Page

    W&T Start-up 3.4 Initial web page After the IP assignment, only the initial web page is available during the initial commissioning. Here, the password of the Microwall required for all further configuration accesses must be assigned. At the same time, the basic IP parameters of both network interfaces and the operating mode can be set.
  • Page 28 W&T Start-up Login password (mandatory) Assign the password for all configuration/control accesses of the Microwall. We recommend passwords with a minimum length of 15 characters, consisting of upper and lower case letters, numbers and special characters. The maximum length of the password is 51 characters. Operation without a password is not possible.
  • Page 29 W&T Start-up There is no default or master password. A lost password can only be reset to the factory settings via the emergency access that can be activated by means of the service button or a reset. Network 1 (yellow) Specify whether the connection works with a static IP address or whether the IP parameters are obtained via DHCP.
  • Page 30 W&T Start-up before the Upload button is pressed. After the file has been successfully checked, its content is accepted and the Microwall operates with the new parameters after an automatic restart. Backup files also contain the new IP address of the Microwall.
  • Page 31: Web Based Management

    W&T Web based management The configuration of the Microwall is only possible encrypted via HTTPS. The WBM (Web based management) works session-oriented. Changes made on the respective pages are immediately saved and validated by pressing the Save button. Navigation within WBM...
  • Page 32: Start And Navigation Concept Of The Wbm

    W&T Web based management 4.1 Start and navigation concept of the WBM To access the WBM of the Microwall, you need an up-to-date Internet browser. Session cookies, JavaScript and WebSockets must be supported or activated. The configuration is only possible encrypted via HTTPS. The standard port 443 is preconfigured ex works.
  • Page 33: Login/Logout

    W&T Web based management 4.2 Login/Logout The start page of the Microwall only offers the possibility to enter the password for login and to switch the interface language via the flag symbol. 4.2.1 Login Enter the password and press the Log in button. After successful login the extended navigation tree with all configuration options is available.
  • Page 34: Help And Description Texts

    W&T Web based management 4.3 Help and description texts If the individual configuration items are not self-explanatory, the assigned info symbols contain the necessary descriptions, explanations and notes. For detailed information on the operating modes, release rules and VPN setup, refer to the chapter Operating Modes and Rule Configuration in this manual.
  • Page 35: Dhcp Server & Discover Assistant

    W&T DHCP server & Discover assistant DHCP server for Network 2 Static and dynamic leases Controlled commissioning of new or third-party devices Identification of unwanted connections...
  • Page 36: Dhcp Server

    W&T DHCP server and Discover assistant 5.1 DHCP server The Microwall can work as a DHCP server in Network 2. The DHCP server is activated and configured in the menu branch Basic settings -> DHCP server. Dynamic leases in case of service Exclusively for service applications, e.g.
  • Page 37 W&T DHCP server and Discover assistant Network 1, it must also be noted that a corresponding firewall rule is required. Current DHCP leases Listing of all devices provided with a lease by the Microwall.
  • Page 38: Discover Assistant

    W&T DHCP server and Discover assistant 5.2 Discover assistant The Discover assistant allows the controlled commissioning of new devices in Network 2 (green). Outgoing connection attempts of selected hosts are recorded and displayed together with the previously resolved host name. However, the connections remain blocked until a corresponding release rule is generated for the desired communication by mouse click.
  • Page 39: Operating Modes And Rule Configuration

    W&T Operating modes and rule configuration Mode NAT router Mode Standard router Mode Standard router with static NAT Rule configuration and labels IP inventories...
  • Page 40: Mode Nat Router

    W&T Operation modes and rule configuration 6.1 Mode NAT router In NAT router mode, the Microwall connects the island network at the Network 2 port (green) to the higher-level network at the Network 1 port (yellow) via a single fixed IP address of the higher-level network. The operating mode is comparable to many standard DSL routers, which connect the home network to the Internet using only one public IP address.
  • Page 41 W&T Operation modes and rule configuration Activate the NAT router operating mode via the menu tree under Firewall settings -> Operating mode and define the handling of ICMP echo requests/replies (ping) to the local interfaces and the forwarding of other ICMP datagrams. The Save button activates the NAT Router mode and the corresponding rule set is loaded.
  • Page 42: Mode Standard Router

    W&T Operation modes and rule configuration 6.2 Mode Standard router In standard router mode, the Microwall separates the island network at the Network 2 port (green) from the corporate intranet at the Network 1 port (yellow). The island network becomes an official subnet of the intranet-side infrastructure. On the intranet side, the path to the island network must be made known to the participating hosts, usually as a static route.
  • Page 43 W&T Operation modes and rule configuration Activate the Standard router operating mode via the menu tree under Firewall settings -> Operating mode and define the handling of ICMP echo requests/replies (ping) to the local interfaces and the forwarding of other ICMP datagrams. The Save button activates the Standard Router mode and the corresponding rule set is loaded.
  • Page 44: Mode Standard Router With Static Nat

    W&T Operation modes and rule configuration 6.3 Mode Standard router with static NAT The Standard Router mode offers the option of a fixed 1:1 assignment of IP addresses from the corporate intranet at the Network 1 (yellow) port to IP addresses from the island network.
  • Page 45 W&T Operation modes and rule configuration Activate the Standard router operating mode via the menu tree under Firewall settings -> Operating mode and define the handling of ICMP echo requests/replies (ping) to the local interfaces and the forwarding of other ICMP datagrams. The Plus button at the top right of the Static NAT table opens the dialog for creating new mappings.
  • Page 46: Ip Inventories

    W&T Operation modes and rule configuration 6.4 IP inventories In the menu branch Firewall Settings -> IP Address Inventory, the Microwall provides a separate address inventory for each network. The destination/source address(es) of a firewall rule are always selected from these address inventories when the rule is created.
  • Page 47: Scan Of Network 2

    W&T Operation modes and rule configuration 6.4.1 Scan of Network 2 Using the magnifying glass in the area of Network 2, it is possible to search the island network for participants. Stations newly found during a scan can then be automatically added to the inventory list of Network 2.
  • Page 48: Creating Firewall Rules

    W&T Operation modes and rule configuration 6.5 Creating firewall rules Firewall rules for the current mode are created on the page Firewall settings -> Firewall rules. The overview contains information about the existing rules with the possibility to activate and deactivate them using the respective slide switch. The Plus button at the upper right edge of the table opens the dialog for creating new rules.
  • Page 49 W&T Operation modes and rule configuration Name Freely assignable name of the rule. Description Optional additional description of the rule. Label For a more clearly arranged display or display filtering in the rule overview, one or more labels can be assigned to the rule.
  • Page 50 W&T Operation modes and rule configuration • single IP address IP address in dot notation (e.g. 10.20.0.4) • Comma-separated IP address list List of IP addresses in dot notation (e.g. 10.10.10.1, 20.20.20.2) • IP range Continuous IP range in the form "from-to" (e.g. 10.10.10.1 - 10.10.10.20) •...
  • Page 51: Using Hostnames As The Target Of A Rule

    W&T Operation modes and rule configuration be activated. The Microwall will automatically accept an incoming reply datagram within a timeout. Actions Activate rule activates the rule immediately after pressing the Save button. If the option is not set, the rule is created but not applied when you click Save.
  • Page 52: Examples Firewall Rules

    W&T Operation modes and rule configuration 6.6 Examples Firewall rules 6.6.1 Mode Standard router, Network 2 to Network 1 Island host 10.110.0.10/16 at the Network 2 port is to access the Intranet Web Server 10.20.0.4/16, TCP/80 at the Network 1 port via browser. The respective local IP addresses of the Microwall are 10.110.0.1 and 10.20.0.55.
  • Page 53 W&T Operation modes and rule configuration The rule dialog to be filled out for this example:
  • Page 54: Mode Nat-Router, Network 1 To Network 2

    W&T Operation modes and rule configuration 6.6.2 Mode NAT-Router, Network 1 to Network 2 Intranet host 10.20.0.4/16 should access the island web server 10.110.0.10/16, TCP/80 via browser. The Microwall itself is integrated into the networks with the IPs 10.110.0.1 and 10.20.0.55. The intranet IP of the Microwall is used as the destination address in the browser; the Microwall then replaces it with the island IP 10.110.0.10.
  • Page 55 W&T Operation modes and rule configuration The rule dialog to be filled out for this example: Further rule examples for many standard applications can be found on our website at https://www.wut.de/rule-examples.
  • Page 57: Wireguard Vpn Server

    W&T WireGuard VPN server Configuration of the Microwall as VPN server with permitted clients Creating firewall rules for the VPN server mode...
  • Page 58: Overview Wireguard Vpn Server

    W&T WireGuard VPN server 7.1 Overview WireGuard VPN Server WireGuard is a VPN architecture whose focus is on high security requirements through modern cryptography as well as simple configuration at high speed. Details as well as current information on the concept, function and development status of this open source project can be found under the following link.
  • Page 59: Configuring The Vpn Environment

    W&T WireGuard VPN server 7.2 Configuring the VPN environment On the page VPN settings -> VPN environment the basic settings of the VPN server and the activation of the VPN clients are made. Activate VPN The check box activates the VPN server with the set parameters on Network 1 (yellow) of the Microwall VPN.
  • Page 60 W&T WireGuard VPN server ranges of Network 1 and Network 2. A conflict with the IP range(s) on the VPN client side must also be prevented. VPN server settings -> UDP listen port Defines the UDP listen port on which the VPN server accepts connections from VPN clients.
  • Page 61: Vpn Client Inventory

    W&T WireGuard VPN server 7.3 VPN client inventory The page allows the creation, deletion and administration of VPN clients. The VPN Client Inventory page is only used to manage the VPN clients. Activation for actual VPN connections is done on the page VPN Environment. 7.3.1 New VPN clients - Standard configuration The button at the upper right edge of the table starts the...
  • Page 62 W&T WireGuard VPN server The standard configuration assumes that the VPN configuration of the client is created manually and that a key pair has already been generated there. Virtual IP address of the VPN client The virtual IP address entered here must be in the same subnet as the VPN server.
  • Page 63: New Vpn Clients - Advanced Configuration

    W&T WireGuard VPN server Site-to-site IP range If the VPN client is to be used for a site-to-site connection to another Microwall, the Net-ID of the client island must be specified here. Client configuration -> Pre-shared Key (PSK) The PSK additionally encrypts the VPN communication. The PSK must be identical on the VPN client and the VPN server.
  • Page 64 W&T WireGuard VPN server Private key and Button Generate Keys The Generate Keys button generates a key pair for use in the VPN client. The public key required for the subsequent authentication of the client is automatically stored by the Microwall VPN.
  • Page 65: Vpn Rules

    W&T WireGuard VPN server 7.4 VPN rules The participants and services in the island network with which an active VPN client may communicate must be explicitly permitted by corresponding VPN rules. Such firewall rules for the VPN are created on the page VPN settings -> VPN rules. In addition to an overview of the existing rules, new rules can be created and defined using the button Name...
  • Page 66 W&T WireGuard VPN server host or address range is automatically transferred to the IP inventory for Network 2 with the name entered under Name. Permissible entries and formats of addresses and address ranges: • Keyword for any IP address • single IP address IP address in dot notation (e.g.
  • Page 67 W&T WireGuard VPN server The TCP option FTP must be activated when the rule for FTP connections is formulated. Parallel TCP connections negotiated during an FTP session are then automatically allowed and blocked. UDP is a connectionless protocol which, however, often works on a request-reply principle (e.g.
  • Page 68: Step By Step: Vpn Access For A Mobile Device

    W&T WireGuard VPN server 7.5 Step by step: VPN access for a mobile device There is a machine in the island network whose internal web interface is to be accessed via the Internet from an Android mobile device. The example assumes that the Microwall is already set up as a NAT router between the intranet at Network 1 (yellow) and the network island at Network 2 (green).
  • Page 69 W&T WireGuard VPN server 2. Setting up the VPN server environment Switch to the page VPN settings -> VPN environment: Activate the VPN server. Create a key pair for the VPN server. The public part of the key (public key) is displayed. 10.3.3.1/24 Defines the IP address of the VPN server and the Net-ID for the virtual VPN network. The range is largely freely selectable,...
  • Page 70 W&T WireGuard VPN server 10.3.3.5 The IP address of the VPN client from the virtual VPN network range. Android Service 1 Freely selectable name of the VPN client. The VPN client should have access to the configuration interface of the Microwall VPN and should be activated immediately after creation.
  • Page 71 W&T WireGuard VPN server This way should only be chosen if it can be guaranteed that the configuration file can be transmitted safely to the client. The Generate Keys button creates a key pair for the VPN client. The private key is saved by the Microwall VPN exclusively for the duration of this creation dialog and then deleted.
  • Page 72 W&T WireGuard VPN server Please also note the NAT rule of the perimeter firewall of the intranet described in the Preparations section. 10.3.3.1/32,10.10.0.0/16 IP addresses and IP ranges in CIDR notation, which occur and should be accepted within the VPN connection. If the desired communication partner is located directly in the island network, it is usually not necessary to change the specifications.
  • Page 73 W&T WireGuard VPN server VPN access Android Service 1 Freely selectable name of the VPN rule 10.3.3.5 | Android Service 1 Selection of the VPN client from the VPN inventory as source of the TCP connection to be released. The source port of the TCP connection is arbitrary.
  • Page 74 W&T WireGuard VPN server 5. Testing the VPN connection On the Android device, open the WireGuard app and activate the VPN tunnel you created earlier. In the Android status bar a key symbol should now signal the VPN connection. Start a browser and enter the IP address of the island host in the address line: http(s)://10.10.0.10...
  • Page 75: Wireguard Vpn Client

    W&T WireGuard VPN client Configuration of the Microwall as VPN client...
  • Page 76: Overview Wireguard Vpn-Client

    W&T WireGuard VPN client 8.1 Overview WireGuard VPN-Client WireGuard is a VPN architecture whose focus is not only on high security requirements through modern cryptography but also on simple configuration at high speed. Details as well as current information on concept, function and development status of this open source project can be found under the following link.
  • Page 77: Vpn Client

    W&T WireGuard VPN client 8.2 VPN client The VPN Client menu branch contains the basic settings of the VPN Client mode. Enable client The checkbox activates the VPN connection to the WireGuard VPN server with the specified parameters. If the VPN tunnel is activated, the line below the checkbox contains the current status and the amount of transferred data.
  • Page 78 W&T WireGuard VPN client Client settings -> New Key The button New Key generates a new key pair for the client mode of the Microwall. The displayed public key is required for the configuration of the VPN server and must be communicated to it.
  • Page 79 W&T WireGuard VPN client Client settings -> Pre-shared Key (PSK) The PSK additionally encrypts the VPN communication. The PSK must be identical on the VPN client and the VPN server. Like the public/private key, the syntax of the PSK is WireGuard-specific and cannot be freely selected.
  • Page 81: Wireguard-Vpn Box-To-Box

    W&T WireGuard VPN Box-to-Box VPN tunnels between island networks Configuring the server Microwall Configuring the client Microwall...
  • Page 82: Overview Wireguard Vpn Box-To-Box

    W&T WireGuard VPN Box-to-Box 9.1 Overview WireGuard VPN Box-to-Box In the Box-to-Box operating mode, a WireGuard tunnel is established between two Microwalls, through which the island networks communicate in an encrypted and authenticated manner. In Box-to-Box VPN, one Microwall operates as a VPN server to which other Microwalls configured as VPN clients connect.
  • Page 83 W&T WireGuard VPN Box-to-Box 1. Basic settings & key exchange VPN server In a browser, open the website of the Microwall working as a VPN server and log in. Navigate to the page VPN server -> VPN environment. Make the following settings and copy the displayed public key to paste it into the configuration of the VPN client later: Save the changes by clicking 2. ...
  • Page 85 W&T WireGuard VPN Box-to-Box Download the configuration file via the corresponding button and save it. This file contains the private key of the client as well as the preshared key, if used, and must be kept confidential. Click on Add to return to the inventory overview. Save the changes by clicking 3. ...
  • Page 86 W&T WireGuard VPN Box-to-Box Save the changes by clicking The configuration of the VPN client is now complete. The VPN tunnel is now established and both sent and received data are displayed in the status after a few seconds. Switch to the web page with the configuration session of the VPN server and navigate to the page 4. ...
  • Page 87 W&T WireGuard VPN Box-to-Box Basic settings -> Network Under Static Routes click on and make the following settings: VPN server: VPN client: In the VPN server and VPN client, save the changes by clicking 5. Creating the whitelist rule in the VPN server All communication connections between the two island networks must be explicitly permitted in the VPN firewall in the form of a corresponding rule.
  • Page 88 W&T WireGuard VPN Box-to-Box In the VPN server, navigate to the page VPN server -> VPN rules. Click on in the rules overview and make the following settings: This rule allows an incoming TCP connection from 192.168.20.100 via the VPN to the machine 192.168.10.100 connected in the island network of the VPN server, on port TCP/443.
  • Page 89 W&T 10 Digital inputs and outputs (only Microwall IO) Wiring of the inputs/outputs Functions of the digital inputs Functions of the digital outputs The following chapter is exclusively valid for the Microwall IO and its digital inputs and outputs.
  • Page 90: Digital Inputs And Outputs (Only Microwall Io)

    W&T Digital Inputs and outputs 10.1 Digital inputs The Microwall IO has 2 screw-terminal-accessible digital inputs with the following electrical properties: • Permissible input voltage -30 VDC to +30 VDC • Switching threshold 8 V +/-1.5 V • Current draw (current ON approx. 2.2 mA) The current status of the inputs is indicated by two associated LEDs.
  • Page 91 W&T Digital inputs and outputs The following actions are available: • Activation/deactivation of the VPN tunnel as client or server • Activation/deactivation of the network interface • Activation/deactivation of firewall rules with specific labels
  • Page 92: Digital Outputs

    W&T Digital Inputs and outputs 10.2 Digital outputs The Microwall IO has 2 screw-terminal-accessible digital outputs with the following electrical properties: • Separate output voltage 6-30 VDC • max. current 500 mA/output, short-circuit protected The current status of the outputs is indicated by two associated LEDs.
  • Page 93: 11 Security & Maintenance

    W&T 11 Security & Maintenance Security and operating notes Firmware updates Individual certificates Emergency access via service button Reset to factory defaults...
  • Page 94: Security Notes

    W&T Security & Maintenance 11.1 Security notes The following sections contain information and recommendations relevant from an IT security perspective for commissioning, configuring, operating and maintaining the Microwall. 11.1.1 Function and typical use The Microwall is a strictly whitelist-based small firewall designed as an IPv4 router with two Ethernet ports and an integrated WireGuard VPN access, which can be used either as a client (outgoing) or as a server (incoming).
  • Page 95: Installation Location

    W&T Security & Maintenance - Choice of a secure password in terms of length and composition - Deactivation of unneeded services or limitation of their availability to the required network interface - Firewall rules formulated as narrowly as possible (e.g., avoidance of Any/Any rules) - Installation of an individual device certificate within a PKI environment...
  • Page 96: Operation And Configuration

    W&T Security & Maintenance password and the basic network parameters are configured. Only after this step is access to the management interface of the Microwall VPN protected by the password. IP assignment During initial commissioning, ensure that there is no unauthorized access to the Microwall until the password has been assigned on the initial web page.
  • Page 97 Deactivation of services not required: The Microwall supports the following incoming and outgoing services (columns: Port no. / Service / Password? / Configurable, can be deactivated? / Default). Incoming: 443 (TCP), HTTPS management, yes/yes, default: activated/Network1; 8513 (UDP), Inventory WuTility, no/yes, default: activated/Network1...
  • Page 98 Configuration and activation/deactivation of outgoing services are done in the menu tree under Settings -> Network. For each service it can be determined on which port it is available. For web-based management, the TCP port used can also be changed.
  • Page 99: Service, Maintenance And Decommissioning

    11.1.6 Service, maintenance and decommissioning: Despite high quality standards, electronics can fail at any time, e.g. due to external events. Depending on the availability requirements of the respective application, we recommend taking appropriate precautions. - Backup / storage of the device configuration - If necessary, provision of a replacement device - Documentation of the procedure for device replacement. During decommissioning, all confidential information stored...
  • Page 100: Up-/Download Configuration Data

    11.2 Up-/Download Configuration data: On the web page Maintenance there is a possibility to back up the current configuration of the Microwall or to restore a previously downloaded backup file. Configuration or backup files contain operational parameters (firewall/VPN rules, VPN keys, inventory lists, etc.) as well as data relevant for administrative access to the Microwall (IP parameters, system password, certificate, etc.).
  • Page 101 ...or a previously programmed Microwall are no longer connected to the network before uploading.
  • Page 102: Firmware Updates

    11.3 Firmware updates: W&T publishes firmware updates for the Microwall in order to eliminate functional errors, possibly discovered vulnerabilities or also to extend functions. The upload to the device is carried out either with the help of the WuTility management tool or via the Microwall's web-based management.
  • Page 103: Firmware Update With Wutility

    On the Microwall web data sheet, follow the Firmware link and start the download of the desired version. Before uploading to the Microwall, the actual firmware file must be unpacked from the zip archive. 11.3.2 Firmware update with WuTility: For the firmware update with WuTility, it must be installed on a Windows PC.
  • Page 104: Firmware Update Via Web-Based Management

    To transfer the new firmware to the Microwall, select the desired Microwall in the WuTility inventory list and click on the Firmware button. In the following dialog select the firmware file (*.uhd) to be transferred and click on the Next button. After the successful transfer, the Microwall decrypts the firmware file, checks the signature and writes the firmware to its internal flash.
  • Page 105 The Upload File button starts the selection dialog for the firmware file. Select here the previously downloaded and unzipped firmware file (*.uhd). After the upload, the Install Update button starts the actual installation of the new firmware.
  • Page 106: Individual Certificates

    11.4 Individual certificates: For security reasons, access to the web-based management of the Microwall is only possible in encrypted form using the HTTPS protocol. The Microwall's self-signed certificate, which is pre-installed ex works, generates corresponding security warnings for current browsers.
  • Page 107 Installing a self-signed certificate: By clicking on Install under Self-Signed Certificate, the previously generated signing request can be provided with a self-signature. Browsers will display a corresponding security warning when the web pages are accessed. Externally signed certificate: The generated signing request can be downloaded from the Microwall using the Download button for external signature.
  • Page 108: Emergency Access To The Microwall

    11.5 Emergency access to the Microwall: In case of a forgotten password or if web-based management has been deactivated for security reasons, emergency access can be activated via the recessed mounted service button on the front panel. Service button, Start emergency access: Press the button with a suitable pointed object (e.g.
  • Page 109 We recommend passwords with a minimum length of 15 characters, consisting of upper and lower case letters, numbers and special characters. The maximum length of the password is 51 characters. Activating standard Web-Based Management: Under Management, define on which connection and under which port the web management of the Microwall should subsequently be accessible.
  • Page 110: Reset To Default Settings

    11.6 Reset to default settings: A reset to the factory settings of the Microwall can be performed using the recessed mounted service button on the front panel. Service button: Press the service button with a suitable pointed object (e.g. paper clip) and keep it pressed for at least 20 s.
  • Page 111: Appendix

    W&T Appendix: Technical data and form factor
  • Page 112: Technical Data And Form Factor

    Microwall VPN, #55211. Power supply: Power-over-Ethernet 37-57 V DC from PSE; external power supply, screw terminal, DC 24-48 V (+/-10%). Current consumption: Power-over-Ethernet PoE Class 2 (3.84 W - 6.49 W); ext. supply typ. 150 mA @ 24 V DC, max.
  • Page 113: Microwall Io, #55212

    Microwall IO, #55212. Power supply: Power-over-Ethernet 37-57 V DC from PSE; external power supply, screw terminal, DC 24-48 V (+/-10%). Current consumption: Power-over-Ethernet PoE Class 2 (3.84 W - 6.49 W); ext. supply typ. 150 mA @ 24 V DC, max. 200 mA @ 24 V DC. Galvanic isolation: network interfaces min. 500 V. LAN port Network 1...
  • Page 114: Index

    W&T Index (excerpt, entry: page): certificates 106; Certificate Signing Request; Configuration backup 29; default IP address 26; DHCP 22; DHCP server 36; Digital inputs 82, 90; Digital outputs 92; navigation concept 32; Network Interfaces 16; PoE 15; Power supply 15; Preshared Key 63, 79; PSK 63, 79; Reset 19; Security 93...

This manual is also suitable for:

55212