Page 1
Configuration of the mGuard Security Appliances Hardware Reference Manual Innominate Security Technologies...
Page 2
Installing and starting up the mGuard hardware 2015-07-24 Designation: UM EN MGUARD DEVICES Revision: Order No.: — This user manual is valid for the following devices of the mGuard product range: – mGuard rs4000/rs2000 – mGuard smart²/smart – rs4000 TX/TX – mGuard pci² SD –...
Page 3
The receipt of technical documentation (in particular user documentation) does not constitute any further duty on the part of Innominate to furnish information on modifications to products and/or technical documentation. You are responsible for verifying the suitability and intended use of the products in your specific application, in particular with regard to observing the applicable standards and regulations.
Page 4
“Innominate” and “mGuard” are registered trade names of Innominate Security Technologies AG. mGuard technology is protected by patents 10138865 and 10305413, granted by the German Patent and Trademark Office. Further patents are pending. Published by Innominate Security Technologies AG...
Restart, recovery procedure, and flashing the firmware ..... 27
Technical data ..... 31
mGuard rs4000/rs2000 Switch ..... 33
Operating elements and LEDs ..... 34
Startup ..... 36
Installing the mGuard rs4000/rs2000 Switch ..... 37
Preparing the configuration ..... 42
Configuration in Router mode ..... 42
Establishing a local configuration connection ..... 43
Remote configuration ..... 45
Restart, recovery procedure, and flashing the firmware ..... 46...
Page 8
Technical data ..... 90
mGuard pci² SD ..... 91
Operating elements and LEDs ..... 92
Startup ..... 93
Installation of mGuard pci² SD ..... 94
Preparing the configuration ..... 95
Configuration in Stealth mode ..... 96
Establishing a local configuration connection ..... 101
Remote configuration ..... 103
Restart, recovery procedure, and flashing the firmware ..... 104
Technical data ..... 107...
Page 9
10.8 Technical data ..... 195
11 mGuard centerport ..... 197
11.1 Operating elements and LEDs ..... 198
11.2 Startup ..... 199
11.3 Installing and booting mGuard centerport ..... 200
11.4 Preparing the configuration ..... 204
11.5 Establishing a local configuration connection ..... 206
11.6 Remote configuration ..... 208
11.7 Restart, recovery procedure, and flashing the firmware ..... 209
11.8...
Page 10
12.9 Technical data ..... 235
13 EAGLE mGuard ..... 237
13.1 Operating elements and LEDs ..... 238
13.2 Startup ..... 239
13.3 Installation of EAGLE mGuard ..... 240
13.4 Preparing the configuration ..... 243
13.5 Configuration in Stealth mode ..... 244
13.6 Establishing a local configuration connection ..... 247
13.7 Remote configuration ..... 249
13.8...
TX/TX VPN HW-108010 The mGuard rs4000 is a security router with intelligent firewall and optional IPsec VPN (10 to 250 tunnels). It has been designed for use in industry to accommodate strict distributed security and high availability requirements.
LEDs on the mGuard rs4000 and mGuard rs2000 State Meaning Green On Power supply 1 is active Green On Power supply 2 is active (mGuard rs2000: not used) STAT Green Flashing Heartbeat. The device is correctly connected and operating. Flashing System error. Restart the device.
Page 13
Table 1-2 LEDs on the mGuard rs4000 and mGuard rs2000 [...] State Meaning INFO Green On Up to firmware version 8.0: the configured VPN connection has been established As of firmware version 8.1, the configured VPN connections are established or the...
-20°C ... +60°C – Maximum humidity, non-condensing 5% ... 95% To avoid overheating, do not expose the mGuard to direct sunlight or other heat sources. NOTE: Cleaning Clean the device housing with a soft cloth. Do not use aggressive solvents. 1.2.2 Checking the scope of supply Before startup, check the scope of supply to ensure nothing is missing.
Mounting the mGuard rs4000/rs2000 on a DIN rail • Attach the top snap-on foot of the mGuard rs4000/rs2000 to the DIN rail and then press the mGuard rs4000/rs2000 down towards the DIN rail until it engages with a click. Removal •...
Page 16
RJ45 sockets; these must not be connected to the RJ45 sockets of the mGuard. • Connect the mGuard to the network. To do this, you need a suitable UTP cable (CAT5) which is not included in the scope of supply. •...
Page 17
Alarm output ACK O3 The O3 alarm output monitors the function of the mGuard rs4000/rs2000 and therefore enables remote diagnostics. The Fault LED lights up red if the signal output takes low level due to an error (inverted logic).
Page 18
If the INFO LED is illuminated, the VPN connection is present. If the INFO LED is flashing, the VPN connection is being established or released. Signal contact (signal output) The signal contact monitors the function of the mGuard rs4000/rs2000 and thus enables remote diagnostics.
Page 19
Figure 1-4). Status LED P1 lights up green when the supply voltage has been connected properly. On the mGuard rs4000, the status indicator P2 also lights up if there is a redundant supply voltage connection. The mGuard boots the firmware. Status STAT LED flashes green. The mGuard is ready for operation as soon as the Ethernet socket LEDs light up.
1.4.2 Local configuration on startup (EIS) As of firmware version 7.2, initial startup of mGuard products provided in Stealth mode is considerably easier. From this version onwards, the EIS (Easy Initial Setup) procedure enables startup to be performed via preset or user-defined management addresses without actually having to connect to an external network.
Computers can access the mGuard via https://1.1.1.1/ if they are directly or indirectly connected to the LAN port of the mGuard. For this purpose, the mGuard with LAN port and WAN port must be integrated in an operational network in which the default gateway can be accessed via the WAN port.
Page 22
This is the case if it is connected in an existing network connection and if the default gateway can be accessed via the WAN port of the mGuard at the same time. In this case, the web browser establishes a connection to the mGuard configuration interface after the address https://1.1.1.1/ is entered (see “Establishing a local configuration con-...
Page 23
After receiving a BootP reply, the mGuard no longer sends BootP requests, not even after it has been restarted. For the mGuard to send BootP requests again, it must either be set to the default settings or one of the procedures (recovery or flash) must be performed.
If the administrator web page of the mGuard cannot be accessed. If you have forgotten the configured address: If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see “Performing a...
Page 25
Password: mGuard The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual. For security reasons, we recommend you change the default root and administrator passwords during initial configuration.
Switch on the remote configuration option in the web interface under “Management >> Web Settings”. How to proceed To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there. Proceed as follows: •...
Restart, recovery procedure, and flashing the firmware The Reset button is used to set the device to one of the following states: – Performing a restart – Performing a recovery procedure – Flashing the firmware/rescue procedure Reset button...
Page 28
Stealth https://1.1.1.1/ https://192.168.1.1/ The mGuard is reset to Stealth mode with the default setting “multiple Clients”. – The CIFS integrity monitoring function is also disabled because this only works when the management IP is active. – In addition, MAU management is switched on for Ethernet connections. HTTPS access is enabled via the local Ethernet connection (LAN).
Page 29
All configured settings are deleted. The mGuard is set to the delivery state. – In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again.
Page 30
To flash the firmware or to perform the rescue procedure, proceed as follows: NOTE: Do not interrupt the power supply to the mGuard during any stage of the flashing procedure. Otherwise, the device could be damaged and may have to be reactivated by the manufacturer.
Firmware compatibility For mGuard v7.4.0 or later: Innominate recommends the use of the latest firmware version and patch releases in each case. For the scope of functions, please refer to the relevant firmware data sheet.
VPN router for up to 250 parallel, IPsec-encrypted VPN tunnels. The mGuard rs2000 Switch is a version with basic firewall and can be used as a VPN client for up to two parallel, IPsec-encrypted VPN tunnels. It is suitable for secure remote maintenance applications and enables connection of globally distributed machines and controllers.
Slot for optional SD card RS-232 interface (bottom) Figure 2-2 Operating elements and LEDs on the mGuard rs4000 Switch Table 2-2 LEDs on the mGuard rs4000 Switch and mGuard rs2000 Switch State Meaning Green Power supply 1 is active Green...
Page 35
Switch Table 2-2 LEDs on the mGuard rs4000 Switch and mGuard rs2000 Switch [...] State Meaning Info2 Green The configured VPN connections are established at output O1 or the firewall records defined at output O1 are activated.
The scope of supply includes: – Device – Package slip – Plug-in screw terminal blocks for the power supply connection and inputs/outputs (inserted) 2.2.3 mGuard-Firmware The device must be operated with mGuard-Firmware version 8.1.5 or higher. Innominate Security Technologies I15007_en_02...
Mounting the mGuard rs4000/rs2000 Switch on a DIN rail • Attach the top snap-on foot of the mGuard rs4000/rs2000 Switch to the DIN rail and then press the mGuard rs4000/rs2000 Switch down towards the DIN rail until it engages with a click.
Page 38
Switch 2.3.2 Connecting to the network NOTE: Risk of material damage due to incorrect wiring Only connect the device network ports to LAN installations. Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the device.
Page 39
The plug-in screw terminal blocks of the service contacts may be removed or inserted during operation of the device. The mGuard rs4000/rs2000 Switch has three digital inputs and outputs. These are configured in the web interface, e.g., as a control signal for starting and stopping VPN connections.
Page 40
Alarm output ACK O3 The O3 alarm output monitors the function of the mGuard rs4000/rs2000 and therefore enables remote diagnostics. The Fault LED lights up red if the signal output takes low level due to an error (inverted logic).
Page 41
The P1 status LED lights up green when the supply voltage has been connected properly. On the mGuard rs4000 Switch, the P2 LED also lights up if there is a redundant supply voltage connection. The device boots the firmware. The Stat LED flashes green. The device is ready for operation as soon as the Ethernet socket LEDs light up.
In the Control Panel, open the “Network and Sharing Center”. • Click on “LAN connection”. (The “LAN connection” item is only displayed if a connection exists from the LAN interface on the computer to a mGuard in operation or another partner). •...
Switch Establishing a local configuration connection Web-based administrator interface The device is configured via a web browser that is executed on the configuration computer. NOTE: The web browser used must support SSL encryption (i.e., HTTPS). The device can be accessed via the following address:...
Page 44
Switch After successful connection establishment Once a connection has been established successfully, a security alert may be displayed. Explanation As administrative tasks can only be performed using encrypted access, a self-signed certificate is supplied with the device.
Switch Remote configuration Requirement The device must be configured so that remote configuration is permitted. By default upon delivery, the option for remote configuration is disabled. Switch on the remote configuration option in the web interface under “Management >> Web Settings”.
Switch Restart, recovery procedure, and flashing the firmware The reset button is used to set the device to one of the following states: – Performing a restart – Performing a recovery procedure – Flashing the firmware/rescue procedure...
Page 47
Management IP #1 Management IP #2 Router https://192.168.1.1/ The mGuard is reset to router mode with the fixed IP address. – The CIFS integrity monitoring function is also disabled because this only works when the management IP is active. –...
Page 48
NOTE: Installing a second DHCP server in a network could affect the configuration of the entire network. – The mGuard firmware has been obtained from your dealer's support team or the www.innominate.com website and has been saved on a compatible SD card.
Page 49
The mGuard now starts the rescue system: It first searches for an inserted SD card and for the relevant firmware there. If the mGuard does not find an SD card, it searches for a DHCP server via the LAN interface in order to obtain an IP address.
VPN router for up to 250 parallel, IPsec-encrypted VPN tunnels. The mGuard rs2000 3G is a version with basic firewall and can be used as a VPN client for up to two parallel, IPsec-encrypted VPN tunnels. It is suitable for secure remote maintenance applications at locations without wired networks and enables global connection of distributed machines and controllers.
– RSMA (GPS) Figure 3-2 Operating elements and LEDs on the mGuard rs4000 3G Table 3-2 LEDs on the mGuard rs4000 3G and mGuard rs2000 3G State Meaning Green Power supply 1 is active Green Power supply 2 is active (mGuard rs2000 3G: not used)
Page 53
3G Table 3-2 LEDs on the mGuard rs4000 3G and mGuard rs2000 3G [...] State Meaning Info2 Green Up to firmware version 8.0 As of firmware version 8.1 The configured VPN connection has The configured VPN connections are been established at output O1.
-40°C ... +60°C – Maximum humidity, non-condensing: 5% ... 95% To avoid overheating, do not expose the mGuard to direct sunlight or other heat sources. NOTE: Cleaning Clean the device housing with a soft cloth. Do not use aggressive solvents. 3.2.2 Checking the scope of supply Before startup, check the scope of supply to ensure nothing is missing.
Mounting the mGuard rs4000/rs2000 3G on a DIN rail • Attach the top snap-on foot of the mGuard rs4000/rs2000 3G to the DIN rail and then press the mGuard rs4000/rs2000 3G down towards the DIN rail until it engages with a click.
Page 56
RJ45 sockets; these must not be connected to the RJ45 sockets of the mGuard. • Connect the mGuard to the network. To do this, you need a suitable UTP cable (CAT5) which is not included in the scope of supply. Use UTP cables with an impedance of 100 Ω.
Page 57
The plug-in screw terminal blocks of the service contacts may be removed or inserted during operation of the mGuard. The mGuard rs4000/rs2000 3G has three digital inputs and outputs. These are configured in the web interface, e.g., the starting and stopping of VPN, sending alarms via SMS etc.
Page 58
Alarm output ACK O3 The O3 alarm output monitors the function of the mGuard rs4000/rs2000 and therefore enables remote diagnostics. The Fault LED lights up red if the signal output takes low level due to an error (inverted logic).
Page 59
If the INFO LED is illuminated, the VPN connection is present. If the INFO LED is flashing, the VPN connection is being established or released. Signal contact (signal output) The signal contact monitors the function of the mGuard rs4000/rs2000 and thus enables remote diagnostics.
Page 60
SMA round plug (GSM/UMTS) and R-SMA round plug (TC ANT MOBILE/GPS, 2903590 from Phoenix Contact). In the case of the mGuard rs2000 3G, the WAN is only available via the mobile network, as a WAN interface is not available. The mobile network function is preset. The mGuard rs2000 3G can only be operated in Router mode.
Page 61
Quality of the mobile network connection The signal strength of the mobile network connection is indicated by three LEDs on the front of the mGuard rs4000/rs2000 3G. The LEDs function as a bar graph (refer to “Bar graph” on page 53).
Page 62
Status LED P1 lights up green when the supply voltage has been connected properly. On the mGuard rs4000 3G, the status indicator P2 also lights up if there is a redundant supply voltage connection. The mGuard boots the firmware. The Stat LED flashes green. The mGuard is ready for operation as soon as the Ethernet socket LEDs light up.
Page 63
3G If the supply voltage is not redundant, the mGuard rs4000 3G indicates the failure of the supply voltage via the signal contact. This message can be prevented by feeding the supply voltage via both inputs or by installing an appropriate wire jumper between the connections.
In the Control Panel, open the “Network and Sharing Center”. • Click on “LAN connection”. (The “LAN connection” item is only displayed if a connection exists from the LAN interface on the computer to a mGuard in operation or another partner). •...
If the administrator web page of the mGuard cannot be accessed. If you have forgotten the configured address: If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see “Performing a...
Page 66
Password: mGuard The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual. For security reasons, we recommend you change the default root and administrator passwords during initial configuration.
Switch on the remote configuration option in the web interface under “Management >> Web Settings”. How to proceed To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there. Proceed as follows: •...
3G Restart, recovery procedure, and flashing the firmware The Reset button is used to set the device to one of the following states: – Performing a restart – Performing a recovery procedure – Flashing the firmware/rescue procedure...
Page 69
Router https://192.168.1.1/ mGuard rs2000 3G Router https://192.168.1.1/ The mGuard is reset to router mode with the fixed IP address. – The CIFS integrity monitoring function is also disabled because this only works when the management IP is active. – In addition, MAU management is switched on for Ethernet connections. HTTPS access is enabled via the local Ethernet connection (LAN).
Page 70
Flashing the firmware/rescue procedure Objective The entire firmware of the mGuard should be reloaded on the device. – All configured settings are deleted. The mGuard is set to the delivery state. Possible reasons The administrator and root password have been lost. Requirements Requirements for flashing NOTE: During flashing, the firmware is always loaded from an SD card first.
Page 71
To flash the firmware or to perform the rescue procedure, proceed as follows: NOTE: Do not interrupt the power supply to the mGuard during any stage of the flashing procedure. Otherwise, the device could be damaged and may have to be reactivated by the manufacturer.
3G mGuard rs2000 3G Firmware compatibility For mGuard v8.0 or later: Innominate recommends the use of the latest firmware version and patch releases in each case. For the scope of functions, please refer to the relevant firmware data sheet.
Page 73
CE | FCC | UL 508 | electrical isolation (VCC//PE) | ANSI / ISA 12.12 Class I Div. 2 Special features GPS / GLONASS receiver | realtime clock | Trusted Platform Module (TPM) | temperature sensor | mGuard Secure Cloud ready
Individual devices or network segments can be safely networked and comprehensively protected. The mGuard delta² can be used as a firewall between office and production networks as well as a security router for small and medium-sized workgroups.
LAN 2 Green 100 Mbps Flashing 100 Mbps, data transmission active Green Supply voltage OK STAT Green Flashing The mGuard is ready to operate. System error FAULT mGuard in the booting or flashing state INFO Not used
0°C ... +40°C – Maximum humidity, non-condensing: 5% ... 95% To avoid overheating, do not expose the mGuard to direct sunlight or other heat sources. NOTE: Cleaning Clean the device housing with a soft cloth. Do not use aggressive solvents.
4.3.1 Connecting to the network • Connect the mGuard to the network. To do this, you need a suitable UTP cable (CAT5) which is not included in the scope of supply. • Connect the internal network interface LAN 1 of the mGuard to the corresponding Ethernet network card of the configuration computer or a valid network connection of the internal network (LAN).
4.4.2 Local configuration on startup (EIS) As of firmware version 7.2, initial startup of mGuard products provided in Stealth mode is considerably easier. From this version onwards, the EIS (Easy Initial Setup) procedure enables startup to be performed via preset or user-defined management addresses without actually having to connect to an external network.
Computers can access the mGuard via https://1.1.1.1/ if they are directly or indirectly connected to the LAN port of the mGuard. For this purpose, the mGuard with LAN port and WAN port must be integrated in an operational network in which the default gateway can be accessed via the WAN port.
Page 81
This is the case if it is connected in an existing network connection and if the default gateway can be accessed via the WAN port of the mGuard at the same time. In this case, the web browser establishes a connection to the mGuard configuration interface after the address https://1.1.1.1/ is entered (see “Establishing a local configuration con-...
Page 82
After receiving a BootP reply, the mGuard no longer sends BootP requests, not even after it has been restarted. For the mGuard to send BootP requests again, it must either be set to the default settings or one of the procedures (recovery or flash) must be performed.
If the administrator web page of the mGuard cannot be accessed. If you have forgotten the configured address: If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see “Performing a...
Page 84
Password: mGuard The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual. For security reasons, we recommend you change the default root and administrator passwords during initial configuration.
Switch on the remote configuration option in the web interface under “Management >> Web Settings”. How to proceed To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there. Proceed as follows: •...
Restart, recovery procedure, and flashing the firmware The Reset button is used to set the device to one of the following states: – Performing a restart – Performing a recovery procedure – Flashing the firmware/rescue procedure Reset button...
Page 87
Stealth https://1.1.1.1/ https://192.168.1.1/ The mGuard is reset to Stealth mode with the default setting “multiple Clients”. – The CIFS integrity monitoring function is also disabled because this only works when the management IP is active. – In addition, MAU management is switched on for Ethernet connections. HTTPS access is enabled via the local Ethernet connection (LAN).
Page 88
All configured settings are deleted. The mGuard is set to the delivery state. – In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again.
Page 89
To flash the firmware or to perform the rescue procedure, proceed as follows: NOTE: Do not interrupt the power supply to the mGuard during any stage of the flashing procedure. Otherwise, the device could be damaged and may have to be reactivated by the manufacturer.
629 g Firmware and power values Firmware compatibility For mGuard v7.4.0 or later: Innominate recommends the use of the latest firmware version and patch releases in each case. For the scope of functions, please refer to the relevant firmware data sheet.
SD VPN BD-111040 mGuard pcie² SD VPN BD-111060 The mGuard pci² SD has the design of a PCI-compatible plug-in board. It is available in two versions: – mGuard pci² SD for devices or machines with PCI bus –...
Boot process. When the device has just been connected to the power supply. After a few seconds, this LED changes to the heartbeat state. Green Flashing Heartbeat. The mGuard is connected correctly and ready to operate. Flashing System error. Restart the device. •...
0°C ... +70°C (mGuard pci² SD without battery) – Maximum humidity, non-condensing: 5% ... 95% To avoid overheating, do not expose the mGuard to direct sunlight or other heat sources. NOTE: Cleaning Clean the device housing with a soft cloth. Do not use aggressive solvents. 5.2.2 Checking the scope of supply Before startup, check the scope of supply to ensure nothing is missing.
Installing the hardware NOTE: Electrostatic discharge Before installation, touch the metal frame of the PC in which the mGuard pci² SD is to be installed, in order to remove electrostatic discharge. The device contains components that can be damaged or destroyed by electrostatic discharge.
5.4.2 Local configuration on startup (EIS) As of firmware version 7.2, initial startup of mGuard products provided in Stealth mode is considerably easier. From this version onwards, the EIS (Easy Initial Setup) procedure enables startup to be performed via preset or user-defined management addresses without actually having to connect to an external network.
The mGuard boots the firmware. The STAT status LED flashes green during this time. The mGuard is ready for operation as soon as the lower Ethernet socket LEDs light up. In addition, the STAT status LED flashes green at heartbeat.
Page 97
The connection to the mGuard pci² SD is established. (If not, see Section 5.5.2). A security message indicating a possible invalid/not trusted certificate is displayed. This message results from the use of an mGuard certificate from Innominate that is not yet known to the browser but necessary for encryption of the communication.
Page 98
Starting up the mGuard pci² SD via a temporary management IP address If the mGuard pci² SD is connected without a functioning external network in initial startup mode, the device cannot be accessed via address https://1.1.1.1/. In this case, the mGuard pci² SD is accessible automatically via management IP address 192.168.1.1/24.
Page 99
5.5.3 Starting up mGuard pci² SD via BootP In initial startup mode, the mGuard pci² additionally starts a BootP client on the internal network interface (LAN 1). The BootP client is compatible with the “IPAssign” BootP servers from Phoenix Contact as well as “DHCPD” under Linux.
Page 100
After receiving a BootP reply, the mGuard no longer sends BootP requests, not even after it has been restarted. For the mGuard to send BootP requests again, it must either be set to the default settings or one of the procedures (recovery or flash) must be performed.
If the administrator web page of the mGuard cannot be accessed. If you have forgotten the configured address: If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see “Performing a...
Page 102
Password: mGuard The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual. For security reasons, we recommend you change the default root and administrator passwords during initial configuration.
Switch on the remote configuration option in the web interface under “Management >> Web Settings”. How to proceed To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there. Proceed as follows: •...
Performing a restart Objective The device is restarted with the configured settings. Action • Press the Reset button until the STAT LED lights up orange. • Alternatively, restart the computer that contains the mGuard pci card.
Page 105
SD Stealth https://1.1.1.1/ https://192.168.1.1/ The mGuard is reset to Stealth mode with the default setting “multiple Clients”. – The CIFS integrity monitoring function is also disabled because this only works when the management IP is active. –...
Page 106
All configured settings are deleted. The mGuard is set to the delivery state. – In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again.
Redundancy options Optional: VPN | router Power supply 3.3 V or 5 V via PCI (mGuard pci² SD) or PCI Express bus (mGuard pcie² SD) Power consumption Typical, 3.7 W ... 4.2 W Humidity range 5% ... 95% during operation and storage, non-condensing...
The mGuard smart² is a further development of the mGuard smart. To aid understanding, mGuard smart² is mostly used for the two device versions in this user manual. The properties described also apply to the mGuard smart. Differences from the mGuard smart are indicated, if applicable.
Can be pressed with a straightened paper clip, LED 1 LED 2 LED 3 for example.) Figure 6-2 Operating elements and LEDs on the mGuard smart² Table 6-2 LEDs on the mGuard smart² State Meaning Green LAN: connection to the network partner is present...
0°C ... +40°C – Maximum humidity, non-condensing 20% ... 90% To avoid overheating, do not expose the mGuard to direct sunlight or other heat sources. NOTE: Cleaning Clean the device housing with a soft cloth. Do not use aggressive solvents. 6.2.2 Checking the scope of supply Before startup, check the scope of supply to ensure nothing is missing.
Figure 6-3 mGuard smart²: Connection in the network If your computer is already connected to a network, insert the mGuard smart² between the network interface of the computer (i.e., its network card) and the network. Driver installation is not required.
6.4.1 Connection requirements – The mGuard smart² must be switched on, i.e., it must be connected to a computer (or power supply unit) that is switched on via a USB cable in order for it to be supplied with power.
Computers can access the mGuard via https://1.1.1.1/ if they are directly or indirectly connected to the LAN port of the mGuard. For this purpose, the mGuard with LAN port and WAN port must be integrated in an operational network in which the default gateway can be accessed via the WAN port.
Page 115
This is the case if it is connected in an existing network connection and if the default gateway can be accessed via the WAN port of the mGuard at the same time. In this case, the web browser establishes a connection to the mGuard configuration interface after the address https://1.1.1.1/ is entered (see “Establishing a local configuration con-...
Page 116
After receiving a BootP reply, the mGuard no longer sends BootP requests, not even after it has been restarted. For the mGuard to send BootP requests again, it must either be set to the default settings or one of the procedures (recovery or flash) must be performed.
If the administrator web page of the mGuard cannot be accessed
If you have forgotten the configured address
If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see “Performing a...
Page 118
Password: mGuard
The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual. For security reasons, we recommend you change the default root and administrator passwords during initial configuration.
Switch on the remote configuration option in the web interface under “Management >> Web Settings”.
How to proceed
To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there. Proceed as follows:
•...
Restart, recovery procedure, and flashing the firmware
The Reset button is used to set the device to one of the following states:
– Performing a restart
– Performing a recovery procedure
– Flashing the firmware/rescue procedure
Reset button (Located in the opening.
Page 121
Stealth https://1.1.1.1/ https://192.168.1.1/
The mGuard is reset to Stealth mode with the default setting “multiple Clients”.
– The CIFS integrity monitoring function is also disabled because this only works when the management IP is active.
– In addition, MAU management is switched on for Ethernet connections. HTTPS access is enabled via the local Ethernet connection (LAN).
Page 122
Otherwise, the device could be damaged and may have to be reactivated by the manufacturer.
• Hold down the Reset button until the LEDs light up green. Then, the mGuard is in the recovery state.
• Release the Reset button within a second of entering the recovery state.
Firmware and power values
Firmware compatibility: For mGuard v7.2 or later: Innominate recommends the use of the latest firmware version and patch releases in each case. For the scope of functions, please refer to the relevant firmware data sheet.
Page 124
158 g
Firmware and power values
Firmware compatibility: mGuard v5.0 or later: Innominate recommends firmware version 6.x or 7.x to be used with the latest patch releases. For the scope of functions, please refer to the relevant firmware data sheet.
VPN 1000 BD-622000
The mGuard centerport² is a high-end firewall and a VPN gateway in 19" format. It is suitable as a central network infrastructure for remote service solutions. With its Gigabit Ethernet interfaces and corresponding throughput as the router and as the stateful inspection firewall, the device can also be used in the backbone in industrial networks.
USB ports Display SD card slot 19" angled connector 19" angled connector
Figure 7-2 Operating elements and LEDs on the mGuard centerport² front side
Table 7-2 LEDs on the mGuard centerport²
State Meaning
Green Lights up if the system is switched on...
Maximum humidity, non-condensing: 20% ... 90%
To avoid overheating, do not expose the mGuard to direct sunlight or other heat sources.
NOTE: Risk of material damage caused by cleaning agents
Clean the device housing with a soft cloth. Do not use aggressive solvents.
Installing and booting the mGuard centerport²
Back: IPMI port, 4 x USB, Ethernet (10/100/1000 Base-TX) (WAN | LAN | SYNC | DMZ ports), 2 x power supply/mains input socket, redundant wide-range AC power supply unit, Serial interface, VGA port...
Page 129
Use a UTP cable (CAT5).
• Connect the SYNC port of the device to the SYNC port of a second mGuard centerport² in order to create a redundancy pair. A redundancy license for the second mGuard centerport² must be purchased separately.
Page 130
To configure the mGuard via the serial interface. There are two options:
– A PC is connected directly to the serial interface of the mGuard (via the serial interface of the PC). The PC user can then use a terminal program to configure the mGuard via the command line.
–...
Page 131
This menu item is only to be used in special cases when the user has the appropriate knowledge or upon instruction from the dealer support team. The mGuard firmware checks and repairs the file systems, if required, even during the normal startup process.
In the Control Panel, open the “Network and Sharing Center”.
• Click on “LAN connection”. (The “LAN connection” item is only displayed if a connection exists from the LAN interface on the computer to a mGuard in operation or another partner).
•...
If the administrator web page of the mGuard cannot be accessed
If you have forgotten the configured address
If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see “Performing a...
Page 134
UserName: admin
Password: mGuard
The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual. For security reasons, we recommend you change the default root and administrator passwords during initial configuration.
Switch on the remote configuration option in the web interface under “Management >> Web Settings”.
How to proceed
To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there. Proceed as follows:
•...
The settings configured for VPN connections and the firewall are retained, including passwords.
NOTE: After the recovery procedure has been performed successfully, a previously created configuration profile in the mGuard should be loaded and activated again. Then the network settings must be adapted.
Possible reasons for performing the recovery procedure:
–...
Page 137
All configured settings are deleted. The mGuard is set to the delivery state.
– In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again.
Page 138
NOTE: All configured settings are deleted. The mGuard is set to the delivery state. In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again.
Page 139
Once the rescue procedure is complete, a corresponding message appears on the monitor. Follow any further on-screen instructions.
Start rescue procedure from USB stick (USB Flash drive)
Requirement: The firmware of the mGuard has been previously copied to a USB storage medium (USB stick, USB Flash drive).
/Firmware/install.x86_64.p7s
/Firmware/firmware.img.x86_64.p7s...
Page 140
133): Burning the mGuard firmware to CD/DVD-ROM
The firmware for the mGuard can be burnt to CD/DVD. A zip file is available for download from the download page of www.innominate.com. Burn the content of this zip archive as a data CD/DVD. The following files must be located in the following folders/under the following path names on the CD/DVD:
–...
Firmware and power values
Firmware compatibility: mGuard v8.1.2 or later; Innominate recommends using the latest patch releases. For the scope of functions, please refer to the relevant firmware data sheet.
Data throughput (router | firewall): 2,000 Mbps bidirectional | 2,000 Mbps bidirectional
When using the DMZ as independent network zone, the maximum possible data throughput is distributed to the three zones.
An additional serial interface enables configuration via a telephone dial-up connection or a terminal. With its robust metal housing, the mGuard delta is suitable for installation in distribution compartments as well as for use as a desktop device.
Operating elements and LEDs
Current Status Reserved Ethernet WAN Ethernet LAN
Figure 8-2 Operating elements and LEDs on the mGuard delta
Table 8-2 LEDs on the mGuard delta
State Meaning
Power The power supply is active.
Status The mGuard starts.
0°C ... +40°C
– Maximum humidity, non-condensing: 5% ... 95%
To avoid overheating, do not expose the mGuard to direct sunlight or other heat sources.
NOTE: Cleaning
Clean the device housing with a soft cloth. Do not use aggressive solvents.
Connect the power supply (5 V DC, 3 A) to the “DC +5V, 3A” socket of the mGuard delta.
– Connect the local computer or the local network to one of the Ethernet LAN connections (4 to 7) of the mGuard delta using a UTP Ethernet cable (CAT5).
The mGuard delta must be connected to its power supply.
– For local configuration: The computer used for configuration:
  – Must be connected to the LAN switch (Ethernet socket 4 to 7) of the mGuard,
  – Or must be connected to the mGuard via the local network.
–...
Page 148
In the Control Panel, open the “Network and Sharing Center”.
• Click on “LAN connection”. (The “LAN connection” item is only displayed if a connection exists from the LAN interface on the computer to a mGuard in operation or another partner).
•...
If the administrator web page of the mGuard cannot be accessed
If you have forgotten the configured address
If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see “Performing a...
Page 150
Password: mGuard
The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual. For security reasons, we recommend you change the default root and administrator passwords during initial configuration.
Switch on the remote configuration option in the web interface under “Management >> Web Settings”.
How to proceed
To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there. Proceed as follows:
•...
Restart, recovery procedure, and flashing the firmware
The Reset button is used to set the device to one of the following states:
– Performing a restart
– Performing a recovery procedure
– Flashing the firmware/rescue procedure
Reset button...
Page 153
– The mGuard is in PPPoE mode.
– The configured device address of the mGuard differs from the default setting.
– The current IP address of the device is not known.
Up-to-date information on the recovery and flashing procedure can be found in the application note for your mGuard firmware version.
Page 154
All configured settings are deleted. The mGuard is set to the delivery state.
– In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again.
1300 g
Firmware and power values
Firmware compatibility: mGuard v5.0 or later: Innominate recommends firmware version 6.x or 7.x to be used with the latest patch releases. For the scope of functions, please refer to the relevant firmware data sheet.
BD-111020 mGuard pci / 266 VPN BD-111010
The mGuard pci is a card which can be inserted into a PCI slot and operated in two modes.
– In driver mode, the mGuard pci provides the computer in which the card is installed with all mGuard functions, as well as acting as a normal network card.
Recovery mode. After pressing the Reset button*. light codes See “Restart, recovery procedure, and flashing the firmware” on page 175 Green
* On the mGuard pci, the Reset button is on the PCB (see “Installing the hardware” on page 164).
0°C ... +70°C
– Maximum humidity, non-condensing: 20% ... 90%
To avoid overheating, do not expose the mGuard to direct sunlight or other heat sources.
NOTE: Cleaning
Clean the device housing with a soft cloth. Do not use aggressive solvents.
9.2.2 Checking the scope of supply
Before startup, check the scope of supply to ensure nothing is missing.
The mGuard is set to the desired mode using a jumper.
Driver mode
The mGuard pci can be used as a normal network card. This network card then also provides mGuard functions. In this case, the supplied driver must be installed.
Page 161
The IP address that is configured for the network interface of the operating system (LAN port) is also used by the mGuard for its WAN port. This means that the mGuard does not appear as a separate device with its own address for data traffic to and from the computer.
Page 162
192.168.1.1). (This relationship is shown in the above diagram by two black spheres.) A third IP address is used for the interface of the mGuard to the WAN. It is used for connection to an external network (e.g., Internet).
Page 163
IP address of the mGuard (by default upon delivery this is 192.168.1.1). A third IP address is used for the interface of the mGuard to the WAN. It is used for connection to an external network (e.g., Internet).
Page 164
Installing the hardware
NOTE: Electrostatic discharge
Before installation, touch the metal frame of the PC in which the mGuard pci is to be installed, in order to remove electrostatic discharge. The device contains components that can be damaged or destroyed by electrostatic discharge.
Page 165
Keep the screw for securing the mGuard pci card.
• Carefully align the pin strip of the mGuard pci card over the socket strip of the PCI slot on the motherboard and then press the card evenly into the socket strip.
Page 166
Under Windows XP
• After installing the hardware, switch on the computer.
• Log on with administrator rights and wait until the following window appears:
Figure 9-8 Driver installation under Windows XP
After inserting the data carrier, select the “Install from a list or specific location (Advanced)”...
Page 167
Under Windows 2000
• After installing the hardware, switch on the computer.
• Log on with administrator rights and wait until the following window appears:
Figure 9-9 Driver installation under Windows 2000 (1)
Click “Next”. Select “Search for a suitable driver for my device (recommended)” and click “Next”.
Page 168
Extract the drivers from the ZIP to the directory /usr/src/pci-driver
– Execute the following commands:
    cd /usr/src/pci-driver
    make LINUXDIR=/usr/src/linux
    install -m0644 mguard.o /lib/modules/2.4.25/kernel/drivers/net/
    depmod -a
– The driver can now be loaded with the following command:
    modprobe mguard
9.4.2 Local configuration on startup (EIS)
As of firmware version 7.2, initial startup of mGuard products provided in Stealth mode is considerably easier. From this version onwards, the EIS (Easy Initial Setup) procedure enables startup to be performed via preset or user-defined management addresses without actually having to connect to an external network.
“Installing the hardware” on page 164.
Installing the drivers
• If you have configured the mGuard for Driver mode, make sure that the drivers are installed as described under “Installing drivers” on page 165.
Configuring the network interface
If the mGuard –...
Page 171
After configuration, reset the default gateway. To do this, either restart the configuration computer or enter the following command in DOS:
    arp -d
Depending on the configuration of the mGuard, it may then be necessary to adapt the network interface of the locally connected computer or network accordingly.
If the administrator web page of the mGuard cannot be accessed
If you have forgotten the configured address
If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see “Performing a...
Page 173
Password: mGuard
The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual. For security reasons, we recommend you change the default root and administrator passwords during initial configuration.
Switch on the remote configuration option in the web interface under “Management >> Web Settings”.
How to proceed
To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there. Proceed as follows:
•...
Performing a restart
Objective: The device is restarted with the configured settings.
Action:
• Press the Reset button for around 1.5 seconds until both red LEDs light up. Alternatively, restart the computer that contains the mGuard pci card.
Page 176
Stealth https://1.1.1.1/ https://192.168.1.1/
The mGuard is reset to Stealth mode with the default setting “multiple Clients”.
– The CIFS integrity monitoring function is also disabled because this only works when the management IP is active.
– In addition, MAU management is switched on for Ethernet connections. HTTPS access is enabled via the local Ethernet connection (LAN).
Page 177
All configured settings are deleted. The mGuard is set to the delivery state.
– In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again.
Page 178
Action
NOTE: Do not interrupt the power supply to the mGuard during any stage of the flashing procedure. Otherwise, the device could be damaged and may have to be reactivated by the manufacturer.
• Hold down the Reset button until the green LEDs and the red LAN LED light up. Then, the mGuard is in the recovery state.
72 g
Firmware and power values
Firmware compatibility: mGuard v5.0 or later: Innominate recommends firmware version 6.x or 7.x to be used with the latest patch releases. For the scope of functions, please refer to the relevant firmware data sheet.
/ 266 HW-104820
The mGuard blade consists of the mGuard bladebase, which can be built into standard 3-U racks (19 inch) without problems and accommodate up to 12 mGuard blades and one mGuard blade controller. This device version is therefore ideal for use in industrial applications, where several server systems can be protected individually and independently of one another.
Operating elements and LEDs
Serial WAN red WAN green LAN red LAN green Reset button
Figure 10-2 Operating elements and LEDs on the mGuard blade
Table 10-2 mGuard blade
State Meaning
WAN, LAN Flashing Boot process. When the computer is started or restarted.
+5°C ... +40°C
– Maximum humidity, non-condensing: 10% ... 95%
To avoid overheating, do not expose the mGuard to direct sunlight or other heat sources.
NOTE: Cleaning
Clean the device housing with a soft cloth. Do not use aggressive solvents.
10.2.2 Checking the scope of supply
Before startup, check the scope of supply to ensure nothing is missing.
The mGuard bladebase does not have to be switched off when installing or removing an mGuard blade.
– Loosen the top and bottom screw on the faceplate or on the mGuard blade to be replaced.
– Remove the faceplate or pull out the old mGuard blade.
Page 185
Please note that configuration can only be completed from the local computer via the LAN interface and that the firewall of the mGuard blocks all IP data traffic from the WAN to the LAN interface.
Page 186
To configure the mGuard via the serial interface. There are two options:
– A PC is connected directly to the serial interface of the mGuard (via the serial interface of the PC). The PC user can then use a terminal program to configure the mGuard via the command line.
–...
Preparing the configuration
10.4.1 Connection requirements
– The mGuard blade must be mounted in the mGuard bladebase and at least one of the bladebase device's power supply units must be in operation.
– For local configuration: The computer used for configuration:
–...
Page 188
In the Control Panel, open the “Network and Sharing Center”.
• Click on “LAN connection”. (The “LAN connection” item is only displayed if a connection exists from the LAN interface on the computer to a mGuard in operation or another partner).
•...
If the administrator web page of the mGuard cannot be accessed
If you have forgotten the configured address
If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see “Performing a...
Page 190
Password: mGuard
The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual. For security reasons, we recommend you change the default root and administrator passwords during initial configuration.
Switch on the remote configuration option in the web interface under “Management >> Web Settings”.
How to proceed
To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there. Proceed as follows:
•...
10.7 Restart, recovery procedure, and flashing the firmware
The Reset button is used to set the device to one of the following states:
– Performing a restart
– Performing a recovery procedure
– Flashing the firmware/rescue procedure...
Page 193
– The mGuard is in PPPoE mode.
– The configured device address of the mGuard differs from the default setting.
– The current IP address of the device is not known.
Up-to-date information on the recovery and flashing procedure can be found in the application note for your mGuard firmware version.
Page 194
All configured settings are deleted. The mGuard is set to the delivery state.
– In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again.
245 g | bladepack: 7.7 kg
Firmware and power values
Firmware compatibility: mGuard v5.0 or later: Innominate recommends firmware version 6.x or 7.x to be used with the latest patch releases. For the scope of functions, please refer to the relevant firmware data sheet.
VPN-1000 BD-602000
The mGuard centerport is a high-end firewall and a VPN gateway in 19" format. It is suitable as a central network infrastructure for remote service solutions. With its Gigabit Ethernet interfaces and corresponding throughput as the router and as the stateful inspection firewall, the device can also be used in the backbone in industrial networks.
Power LED (green) Hard disk activity LED (orange) Interlocking lock, front flap 19" angled connector 19" angled connector
Figure 11-2 Operating elements and LEDs on the mGuard centerport front side
Table 11-2 LEDs on the mGuard centerport
State Meaning
Green...
0°C ... +40°C
– Maximum humidity, non-condensing: 5% ... 95%
To avoid overheating, do not expose the mGuard to direct sunlight or other heat sources.
NOTE: Cleaning
Clean the device housing with a soft cloth. Do not use aggressive solvents.
11.2.2 Checking the scope of supply
Before startup, check the scope of supply to ensure nothing is missing.
Connect a PC keyboard to one of the USB connections (not supplied as standard). The monitor and keyboard must only be connected – in order to use one of the boot options upon starting (booting) mGuard centerport - see “Boot options - when monitor and keyboard are connected” on page 202, –...
Page 201
Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the mGuard.
LAN port
• Connect the local computer or the local network to the LAN port of the mGuard using a UTP Ethernet cable (CAT5).
WAN port
•...
Page 202
ON/OFF switch. Ensure that you keep safe hold of the two keys provided.
Housing
The mGuard centerport housing is from Kontron and is referred to as the KISS 2U platform. Visit www.kontron.de for more information on the following:
–...
Page 203
This menu item is only to be used in special cases when the user has the appropriate knowledge or upon instruction from the dealer support team. The mGuard firmware checks and repairs the file systems, if required, even during the normal startup process.
11.4.2 Local configuration on startup (EIS)
As of firmware version 7.2, initial startup of mGuard products provided in Stealth mode is considerably easier. From this version onwards, the EIS (Easy Initial Setup) procedure enables startup to be performed via preset or user-defined management addresses without actually having to connect to an external network.
Page 205
In the Control Panel, open the “Network and Sharing Center”.
• Click on “LAN connection”. (The “LAN connection” item is only displayed if a connection exists from the LAN interface on the computer to a mGuard in operation or another partner).
•...
If the administrator web page of the mGuard cannot be accessed
If you have forgotten the configured address
If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see “Performing a...
Page 207
Password: mGuard
The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual. For security reasons, we recommend you change the default root and administrator passwords during initial configuration.
Switch on the remote configuration option in the web interface under “Management >> Web Settings”.
How to proceed
To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there. Proceed as follows:
•...
Restart, recovery procedure, and flashing the firmware
For mGuard centerport, there is a reset key which can be used to perform a restart. The rescue procedure and therefore the reloading of mGuard firmware is initiated via the boot menu.
Page 210
– The mGuard is in PPPoE mode.
– The configured device address of the mGuard differs from the default setting.
– The current IP address of the device is not known.
Up-to-date information on the recovery and flashing procedure can be found in the application note for your mGuard firmware version.
Page 211
All configured settings are deleted. The mGuard is set to the delivery state.
– In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again.
Page 212
206): Burning mGuard firmware to CD-ROM
The firmware for the mGuard can be burnt to CD. A zip file is available for download from the download page of www.innominate.com. The content of this zip archive can be burnt as a data CD. The following files must be located in the following folders/under the following path names on the CD:
–...
Page 213
– Firmware/firmware.img.x86_64.p7s
In the case of the file install.x86_64.p7s, ensure that the file version that Innominate has declared for use for the rescue procedure via CD is used. If required, these files can be made available in the Rescue Config folder on the CD:
Rescue Config/licence.lic...
10 kg
Firmware and power values
Firmware compatibility: mGuard 7.1 or later: Innominate recommends using the latest patch releases. For the scope of functions, please refer to the relevant firmware data sheet.
Data throughput (router | firewall): 2000 Mbps bidirectional | 2000 Mbps bidirectional...
VPN Analog BD-501010 mGuard industrial rs VPN ISDN BD-501020
The mGuard industrial rs can be used as a firewall/VPN router via Ethernet or via serial dial-up connections. It is available in three device versions:
– With integrated modem
–...
ISDN or telephone connection (see Section 12.2, “Startup”)
See “Restart, recovery procedure, and flashing the firmware” on page 232.
Figure 12-2 Operating elements and LEDs on the mGuard industrial rs
Table 12-2 LEDs on the mGuard industrial rs
State Meaning
Green...
0°C ... +55°C
– Maximum humidity, non-condensing: 10% ... 95%
To avoid overheating, do not expose the mGuard to direct sunlight or other heat sources.
NOTE: Cleaning
Clean the device housing with a soft cloth. Do not use aggressive solvents.
12.2.2 Checking the scope of supply
Before startup, check the scope of supply to ensure nothing is missing.
• Pull out the terminal block from the bottom of the mGuard industrial rs and wire the signal lines and other connections as required (see “Connection options on the lower terminal block” on page 220).
Page 219
Some telecommunications connections also use RJ45 sockets; these must not be connected to the RJ45 sockets of the mGuard.
LAN port
• Connect the local computer or the local network to the LAN port of the mGuard using a UTP Ethernet cable (CAT5).
Page 220
Please note that configuration can only be completed via the LAN interface and that the firewall of the mGuard industrial rs blocks all IP data traffic from the WAN to the LAN interface.
WAN port
•...
Page 221
Button or on/off switch Signal LED (20 mA) Service contacts: , CMD, ACK (for establishing a predefined VPN connection)
Figure 12-6 mGuard industrial rs: Without modem/ISDN terminal adapter
Lower area on front plate with terminal strip
Telephone line Signal contact...
Page 222
The functional earth ground can be used by the operator. This connection is electrically connected to the back of the mGuard industrial rs. The mGuard industrial rs is grounded when it is mounted on a DIN rail with the metal clamp, which connects the back of the device to the DIN rail.
Page 223
Contacts TX+, TX-, RX+, and RX- are designed for connection to ISDN and identify the mGuard industrial rs as a device in the ISDN network. The table below describes the assignment of the contacts to 8-pos. connections both for plugs and for sockets, for example...
Page 224
– A PC is connected directly to the serial interface of the mGuard (via the serial interface of the PC). The PC user can then use a terminal program to configure the mGuard via the command line.
–...
12.4.1 Connection requirements
– The mGuard industrial rs must be connected to at least one active power supply unit.
– For local configuration: The computer that is to be used for configuration must be connected to the LAN socket on the mGuard.
Computers can access the mGuard via https://1.1.1.1/ if they are directly or indirectly connected to the LAN port of the mGuard. For this purpose, the mGuard with LAN port and WAN port must be integrated in an operational network in which the default gateway can be accessed via the WAN port.
Page 227
This is the case if it is connected in an existing network connection and if the default gateway can be accessed via the WAN port of the mGuard at the same time. In this case, the web browser establishes a connection to the mGuard configuration interface after the address https://1.1.1.1/ is entered (see “Establishing a local configuration con-...
Page 228
After receiving a BootP reply, the mGuard no longer sends BootP requests, not even after it has been restarted. For the mGuard to send BootP requests again, it must either be set to the default settings or one of the procedures (recovery or flash) must be performed.
If the administrator web page of the mGuard cannot be accessed
If you have forgotten the configured address
If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see “Performing a...
Page 230
Password: mGuard
The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual. For security reasons, we recommend you change the default root and administrator passwords during initial configuration.
Switch on the remote configuration option in the web interface under “Management >> Web Settings”.
How to proceed
To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there. Proceed as follows:
•...
12.8 Restart, recovery procedure, and flashing the firmware
The Reset button is used to set the device to one of the following states:
– Performing a restart
– Performing a recovery procedure
– Flashing the firmware/rescue procedure
Reset button: Located in the opening.
Page 233
Stealth https://1.1.1.1/ https://192.168.1.1/ The mGuard is reset to Stealth mode with the default setting “multiple Clients”. – The CIFS integrity monitoring function is also disabled because this only works when the management IP is active. –...
Page 234
All configured settings are deleted. The mGuard is set to the delivery state.
– In Version 5.0.0 or later of the mGuard, the licenses installed on the mGuard are retained after flashing the firmware. Therefore, they do not have to be installed again.
Page 235
250 g Firmware and power values Firmware compatibility mGuard v5.0 or later: Innominate recommends firmware version 6.x or 7.x to be used with the latest patch releases; For the scope of functions, please refer to the relevant firmware data sheet.
HW-201000 EAGLE mGuard VPN BD-301010 The EAGLE mGuard is designed for DIN rail mounting (according to DIN EN 60715) and is therefore ideal for use in industrial applications. The optional configuration connection and option to establish a phone dial-up connection via the RS-232 interface open up a wealth of applications.
Figure 13-2 Operating elements and LEDs on the EAGLE mGuard (callouts: Link status/data 2 (WAN), Ethernet LAN, Reset button, Ethernet WAN, Serial V.24, Ground connection)
Table 13-2 LEDs on the EAGLE mGuard
State Meaning
P1, P2 Green On Power supply 1 or 2 is active.
0°C ... +60°C
– Maximum humidity, non-condensing: 10% ... 95%
To avoid overheating, do not expose the mGuard to direct sunlight or other heat sources.
NOTE: Cleaning
Clean the device housing with a soft cloth. Do not use aggressive solvents.
13.2.2 Checking the scope of supply
Before startup, check the scope of supply to ensure nothing is missing.
The EAGLE mGuard can be operated at a DC voltage of 9.6 ... 60 V DC, max. 1 A, or optionally at an AC voltage of 18 ... 30 V AC, max. 1 A. Use the +24 V and 0 V pins to connect the AC voltage.
Page 241
To configure the mGuard via the serial interface. There are two options: – A PC is connected directly to the serial interface of the mGuard (via the serial interface of the PC). The PC user can then use a terminal program to configure the mGuard via the command line. –...
Page 242
Figure 13-5 EAGLE mGuard: DIN rail mounting
• Attach the top snap-on foot of the EAGLE mGuard to the DIN rail and then press the EAGLE mGuard down towards the DIN rail until it engages with a click.
• Connect the device to the local network or the local computer to be protected (LAN).
13.4.2 Local configuration on startup (EIS)
As of firmware version 7.2, initial startup of mGuard products provided in Stealth mode is considerably easier. From this version onwards, the EIS (Easy Initial Setup) procedure enables startup to be performed via preset or user-defined management addresses without actually having to connect to an external network.
Computers can access the mGuard via https://1.1.1.1/ if they are directly or indirectly connected to the LAN port of the mGuard. For this purpose, the mGuard with LAN port and WAN port must be integrated in an operational network in which the default gateway can be accessed via the WAN port.
Page 245
This is the case if it is connected in an existing network connection and if the default gateway can be accessed via the WAN port of the mGuard at the same time. In this case, the web browser establishes a connection to the mGuard configuration interface after the address https://1.1.1.1/ is entered (see “Establishing a local configuration con-...
Page 246
After receiving a BootP reply, the mGuard no longer sends BootP requests, not even after it has been restarted. For the mGuard to send BootP requests again, it must either be set to the default settings or one of the procedures (recovery or flash) must be performed.
If the administrator web page of the mGuard cannot be accessed
If you have forgotten the configured address: If the address of the mGuard in Router, PPPoE or PPTP mode has been set to a different value, and the current address is not known, the mGuard must be reset to the default settings specified above for the IP address using the Recovery procedure (see “Performing a...
Page 248
Password: mGuard
The mGuard can then be configured via the web interface. For additional information, please refer to the software reference manual. For security reasons, we recommend you change the default root and administrator passwords during initial configuration.
Switch on the remote configuration option in the web interface under “Management >> Web Settings”.
How to proceed
To configure the mGuard via its web user interface from a remote computer, establish the connection to the mGuard from there. Proceed as follows:
•...
13.8 Restart, recovery procedure, and flashing the firmware
The Reset button is used to set the device to one of the following states:
– Performing a restart
– Performing a recovery procedure
– Flashing the firmware/rescue procedure...
Page 251
Stealth https://1.1.1.1/ https://192.168.1.1/
The mGuard is reset to Stealth mode with the default setting “multiple Clients”.
– The CIFS integrity monitoring function is also disabled because this only works when the management IP is active.
– In addition, MAU management is switched on for Ethernet connections. HTTPS access is enabled via the local Ethernet connection (LAN).
Page 252
Otherwise, the device could be damaged and may have to be reactivated by the manufacturer.
• Hold down the Reset button until the 1, 2, and V.24 LEDs light up. Then, the mGuard is in the recovery state.
•...
340 g Firmware and power values Firmware compatibility mGuard v5.0 or later: Innominate recommends firmware version 6.x or 7.x to be used with the latest patch releases; For the scope of functions, please refer to the relevant firmware data sheet.
The program opens and the start screen of the addressing tool appears. The program is mainly in English. However, the program buttons change according to the country-specific settings. The start screen displays the IP address of the PC. This helps when addressing the mGuard in the subsequent steps. •...
Page 256
• Click on “Next”.
Step 5: “Assign IP address”
The program attempts to transmit the IP parameters set to the mGuard.
Figure 14-3 “Assign IP address” window
Following successful transmission, the next window opens.
Page 257
To assign IP parameters for additional devices:
• Click on “Back”.
To exit IP address assignment:
• Click on “Finish”.
If required, the IP parameters set here can be changed on the mGuard web interface under “Network >> Interfaces”.
I15007_en_02 Innominate Security Technologies
The host IP to be specified is: 192.168.10.1. It must also be used as the address for the network card.
• Click on Browse to switch to the folder where the mGuard image files are saved: install.p7s, jffs2.img.p7s
•...
Page 259
In this file, insert the corresponding line or set the necessary parameters for the TFTP service. (Directory for data: /tftpboot)
    tftp dgram udp wait root /usr/sbin/in.tftpd -s /tftpboot/
The mGuard image files must be saved in the /tftpboot directory: install.p7s, jffs2.img.p7s
•...
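A pre-flash check for the TFTP host set up above, as an added example that is not part of the manual: it confirms that the inetd configuration has an active tftp line confined to the data directory with -s, that both image files are present and readable, and lists anything else the unauthenticated TFTP service would also hand out. The function names and the convention of passing the inetd configuration path as an argument are assumptions.

```shell
# Added example: pre-flash check for the Linux TFTP host described above.
# Assumed (not from the manual): function names and argument layout.

# check_inetd_tftp CONF DIR
# Succeeds only if CONF has an active (uncommented) tftp/udp service line
# that passes "-s DIR", which confines in.tftpd to DIR.
check_inetd_tftp() {
    conf=$1; dir=${2%/}
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    awk -v dir="$dir" '
        /^[ \t]*#/ { next }                       # service is commented out
        $1 == "tftp" && $2 == "dgram" && $3 == "udp" {
            for (i = 6; i < NF; i++) {
                d = $(i + 1); sub(/\/$/, "", d)   # ignore a trailing slash
                if ($i == "-s" && d == dir) found = 1
            }
        }
        END { exit !found }
    ' "$conf" || { echo "no active tftp line with -s $dir in $conf"; return 1; }
}

# check_images DIR
# Succeeds only if both image files named in the manual are present,
# non-empty and world-readable (in.tftpd normally refuses other files).
check_images() {
    dir=${1%/}; rc=0
    for f in install.p7s jffs2.img.p7s; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f"; rc=1
        elif [ -z "$(find "$dir/$f" -perm -004 2>/dev/null)" ]; then
            echo "not world-readable: $dir/$f"; rc=1
        fi
    done
    return $rc
}

# list_extra_files DIR
# Prints anything in DIR besides the two images. TFTP has no authentication,
# so every file left here can be fetched by any host that reaches the server.
list_extra_files() {
    dir=${1%/}
    for p in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$p" ] || continue
        case ${p##*/} in
            install.p7s|jffs2.img.p7s) ;;
            *) echo "${p##*/}" ;;
        esac
    done
}
```

Run the three functions against the real inetd configuration file and /tftpboot before starting the flash procedure, and stop or disable the tftp service again once flashing is finished.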
Page 260
Assigning IP addresses and setting up DHCP/TFTP servers