IT and OT environment. In addition, various OT modules in RS485-based bus systems, such as Modbus RTU, can be accessed from an IT Ethernet LAN via an IGW/936A. This allows access rights to be managed down to the individual Modbus data point.
Introduction Checklist Compare the content of your IGW/936A package with the checklist below. If any item is missing or appears to be damaged, please contact SSV. OT/IT Network Gateway IGW/936A Required Equipment To configure the IGW/936A a computer with the following features is required: •...
• The device should be installed only by qualified personnel. • Discharge any static electricity from your body before working on the device, e.g. by touching a metal radiator, to avoid damage. • Stay grounded while working with the device to avoid damage through electrostatic discharge. IGW/936A // System Reference...
SSV Debian Buster Linux Administration SSV/WebUI plus firmware Security TCP/IP protocol stack with IPv4 and IPv6 support and various security protocols Firewall with netfilter + iptables, setup via SSV/WebUI Displays / Control Elements LEDs 1x Power 1x Status 1x System status (programmable)
10/100 Mbps LAN, RX- Reserved Reserved Table 4: Pinout Ethernet interface LAN2 USB 2.0 Host Port Pin Name Function VCC5 5 VDC Power Output DATA- USB Host - DATA+ USB Host + Ground Table 5: Pinout USB host port
COM3 Serial Port: RXD (RS232), RX/TX+ (RS485) Signal Ground Table 6: Pinout screw terminals LED Functions Description Flash Power No Power Power On Reserved Always Off System Not ready Booting Ready Connecting Ready Table 7: LED functions
Cable Connections To commission the IGW/936A, only a LAN connection to a PC and the 24 VDC supply voltage are required. Ethernet Link Connect the LAN2 interface of the IGW/936A to a PC with an Ethernet LAN cable.
Power Supply The IGW/936A needs a supply voltage of 12 .. 24 VDC to work. Connect the cables of the provided plug-in power supply to the screw terminals of the IGW/936A as shown in fig. 4. Figure 4: Connecting the power supply...
The SSV/WebUI is the web-based user interface of SSV gateways. It enables configuration of interfaces, protocols, services and so on. To open the login page of the SSV/WebUI, enter the factory-default IP address and port number of LAN2 of the IGW/936A manually in a web browser: 192.168.1.126:7777...
SSV/WebUI Status Figure 7: Status page Figure 7 shows an example system status page with the addresses of all IP interfaces plus additional information about DNS servers and the default gateway.
Identify device through front LED Clicking on [Flash] causes one of the gateway's front panel LEDs to flash for approx. 5 seconds. This allows a specific gateway to be visually identified. 6.2.2 System > System Management Figure 9: System management
Reboot system Clicking on [Reboot] causes the gateway's operating system to shut down. This is followed by a reboot. The SSV/WebUI session must then be restarted. This action may cause the loss of unsaved settings. Configuration download The configuration settings of the gateway can be downloaded and saved as a file to the PC.
Time and date configuration The internal gateway real-time clock can be synchronized automatically via an external time server (in a LAN or on the Internet) or manually. 6.2.5 System > COM Ports (Serial Ports) Figure 12: Serial port settings
TCP side can be operated in client or server mode. 6.2.6 System > Watchdog Figure 13: Watchdog settings The gateway has various watchdog timers (or counters) intended to ensure the most trouble-free 24/7 operation possible. There are individual configuration options available for these watchdogs.
Maximum time that may elapse without reaching the number of bytes per minute specified by the threshold (see Traffic threshold). Otherwise a WAN interface hardware restart is triggered after the set time has elapsed. This function is only useful for gateways with an internal mobile modem.
Download log file Download and save the log file to the PC. Download service startup graph Download and save to the PC a graph in SVG format with an overview of the start-up of individual system services.
WAN interface by ping test must be selected. In addition, the action to be performed in the event of an error in the ping test can be defined (see WAN fallback interface).
Enable UPnP discovery (UPnP = Universal Plug and Play) is a special case. If this function is enabled, the gateway can be found on a local network by a UPnP-capable device without knowing the IP address of the LAN1 interface.
IPv6 address setting options for the LAN1 interface. Similar to the IPv4 address assignment, automatic address assignment via DHCP or manual address entry of IPv6 addresses are possible. Expert configurations Various "expert settings" are available. Changes should only be made by appropriately trained personnel.
User uploaded script allows a file with complete firewall and NAT rules to be uploaded from the PC to the gateway. Forwarding with IP-Masquerading and NAT Switch the NAT-based routing between the gateway and the WAN (Wide Area Network) on and off.
IMPORTANT! The gateway has both a Telnet and an FTP server for compatibility with older SSV products. Both protocols are now considered insecure because they are based on unencrypted data transmission. For this reason, these protocols should be disabled when the gateway is used in practice! General service configuration Enable or disable access to the gateway via Telnet or FTP.
Alternatively, you can always contact our support. OpenVPN certificates and keys Certificates and keys for a VPN client connection are managed here so that a connection to the respective OpenVPN server can be established.
Change DynDNS username and password Change the password for a specific username. Notification to webserver after IP address changes Enable/disable a notification service in case the IP address of the gateway has changed on the Internet.
SNMP manages the communication between the monitored modules and the management system. SNMP configuration Enable/Disable SNMP. Selection of the SNMP version and other parameters.
Furthermore, the current RSA key fingerprint is displayed. Change password for user "root" SSH access to the gateway is always performed with administrator rights (user "root"). The password for this user can be changed here.
Services > SSV/WebUI Figure 25: SSV/WebUI settings The SSV/WebUI of the gateway supports two different user classes: 1. an administrator (admin) with all rights and 2. a user (user) with restricted rights, who is also only presented with an adjustable selective view of the SSV/WebUI.
Furthermore, for an HTTP-to-HTTPS proxy, the Encryption (i.e. the SSL or TLS function) must be explicitly enabled. Otherwise, the result is an HTTP-to-HTTP proxy (i.e., a port redirection for external web access). SSL certificate A certificate is required for the HTTP-to-HTTPS proxy. This certificate can be created here.
Create a new FTP proxy connection. This requires the following entries: 1. The TCP port number for the Listen on port (LoP). 2. The IP address and the port number for the Relay to system (RtS) part.
UDP socket (Relay to system, RtS), which can be located on the same gateway or on an external system with a static IP address.
Create a new UDP proxy socket connection. This requires the following entries: 1. The UDP port number for the LoP. 2. The IP address and the port number for the RtS. Logout Logout from the SSV/WebUI session.
Both interfaces are only logically connected via the IGW/936A Linux operating system. To establish a connection via the IGW/936A between the two networks, either the proxy server system plus the internal firewall must be configured accordingly or a suitable Firewall and NAT rules script must be loaded.
Figure 33: Data flow between LAN1 and LAN2 with firewall enabled and proxy server off Firewall and proxy = On At least one proxy server in the IGW/936A firmware is configured. From the direction of the IT network (LAN1), the proxy server can then be reached via the respectively selected listen-on port (LoP).
Figure 35 shows a configuration example with the TCP proxy server functions. A TCP client in the IT network LAN1 can access the TCP port 80 of a server in the OT network LAN2 via the IGW/936A. Further access possibilities from the IT to the OT network are not provided with this configuration.
In addition, a TCP proxy is started with LoP = 80 (Listen-on port) and the RtS = 192.168.1.123:80 (Relay-to system, e.g. the IP address and destination port number of the TCP server in the OT network).
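The following check is an added example, not part of the SSV manual: run from a PC in the IT network, it compares the TCP ports the gateway actually accepts with the ports the configuration intends, so that a still-enabled Telnet or FTP server or an unplanned proxy listener shows up as a finding. The gateway address passed on the command line, the standard ports 21/22/23 and all function names are assumptions; port 7777 and LoP 80 are taken from the manual.

```python
import socket

# Ports probed on the gateway's IT-side address.
# 21/22/23 are the standard FTP/SSH/Telnet ports (assumed unchanged);
# 7777 is the SSV/WebUI port and 80 the LoP from the manual's example.
PROBE_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet",
               80: "TCP proxy LoP", 7777: "SSV/WebUI"}

def tcp_port_open(host, port, timeout=2.0):
    """True if host accepts a TCP connection on port within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False

def audit_exposure(host, allowed, probe=PROBE_PORTS, timeout=2.0):
    """Compare reachable ports with the set the configuration intends.

    Returns (unexpected, missing): ports that are open but not allowed,
    and ports that are allowed but not reachable.
    """
    ports = set(probe) | set(allowed)
    open_ports = {p for p in ports if tcp_port_open(host, p, timeout)}
    unexpected = sorted(open_ports - set(allowed))
    missing = sorted(set(allowed) - open_ports)
    return unexpected, missing

def report(host, allowed, probe=PROBE_PORTS, timeout=2.0):
    """Human-readable findings, one line per deviation."""
    unexpected, missing = audit_exposure(host, allowed, probe, timeout)
    lines = [f"UNEXPECTED open: {p} ({probe.get(p, '?')})" for p in unexpected]
    lines += [f"MISSING (not reachable): {p} ({probe.get(p, '?')})" for p in missing]
    return lines or ["exposure matches configuration"]

if __name__ == "__main__":
    import sys
    # Usage: python3 audit.py <gateway address>; here only LoP 80 is intended.
    if len(sys.argv) > 1:
        print("\n".join(report(sys.argv[1], allowed={80})))
```

Whether the SSV/WebUI and SSH ports belong in the allowed set depends on from which network the gateway is administered; pass the set that matches the intended configuration.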
Creating a VPN Connection The IGW/936A can be used as a VPN (Virtual Private Network) gateway to enable secure access from a remote computer. For this purpose, the IGW/936A uses the open source software from OpenVPN. To set up your own VPN infrastructure you need the OpenVPN server and client software, which can be obtained here: https://openvpn.net.
VPN server compromises all deployed secrets. Figure 37: Example of a VPN configuration file To import the VPN client configuration into the IGW/936A, log into the SSV/WebUI, choose Services > OpenVPN and follow these steps: Click the checkbox Enable service and the radio button expert in the line Configuration mode.
When the IGW/936A as well as the PC are connected with the OpenVPN server, you can access the SSV/WebUI via VPN. To do this, enter the VPN IP address of the IGW/936A with the port number 7777 in your browser. For example: 10.126.0.10:7777...
Added chapter 7 and 8 The contents of this document are subject to change without prior notice. SSV does not assume any liability and does not guarantee that the presented information is accurate or complete. The information in this document is provided 'as is' without warranty of any kind.