Remote Networks Overview DOKU V4 1 en
Legal information
Use of application examples
Application examples illustrate the solution of automation tasks through an interaction of several components in
the form of text, graphics and/or software modules. The application examples are a free service by Siemens AG
and/or a subsidiary of Siemens AG ("Siemens"). They are non-binding and make no claim to completeness or
functionality regarding configuration and equipment. The application examples merely offer help with typical
tasks; they do not constitute customer-specific solutions. You yourself are responsible for the proper and safe
operation of the products in accordance with applicable regulations and must also check the function of the
respective application example and customize it for your system.
Siemens grants you the non-exclusive, non-sublicensable and non-transferable right to have the application
examples used by technically trained personnel. Any change to the application examples is your responsibility.
Sharing the application examples with third parties or copying the application examples or excerpts thereof is
permitted only in combination with your own products. The application examples are not required to undergo the
customary tests and quality inspections of a chargeable product; they may have functional and performance
defects as well as errors. It is your responsibility to use them in such a manner that any malfunctions that may
occur do not result in property damage or injury to persons.
Disclaimer of liability
Siemens shall not assume any liability, for any legal reason whatsoever, including, without limitation, liability for
the usability, availability, completeness and freedom from defects of the application examples as well as for
related information, configuration and performance data and any damage caused thereby. This shall not apply in
cases of mandatory liability, for example under the German Product Liability Act, or in cases of intent, gross
negligence, or culpable loss of life, bodily injury or damage to health, non-compliance with a guarantee,
fraudulent non-disclosure of a defect, or culpable breach of material contractual obligations. Claims for damages
arising from a breach of material contractual obligations shall however be limited to the foreseeable damage
typical of the type of agreement, unless liability arises from intent or gross negligence or is based on loss of life,
bodily injury or damage to health. The foregoing provisions do not imply any change in the burden of proof to
your detriment. You shall indemnify Siemens against existing or future claims of third parties in this connection
except where Siemens is mandatorily liable.
© Siemens AG 2022 All rights reserved
By using the application examples you acknowledge that Siemens cannot be held liable for any damage beyond
the liability provisions described.
Other information
Siemens reserves the right to make changes to the application examples at any time without notice. In case of
discrepancies between the suggestions in the application examples and other Siemens publications such as
catalogs, the content of the other documentation shall have precedence.
The Siemens terms of use (https://support.industry.siemens.com) shall also apply.
Security information
Siemens provides products and solutions with Industrial Security functions that support the secure operation of
plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement –
and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’ products and
solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems, machines and networks.
Such systems, machines and components should only be connected to an enterprise network or the Internet if
and to the extent such a connection is necessary and only when appropriate security measures (e.g. firewalls
and/or network segmentation) are in place.
For additional information on industrial security measures that may be implemented, please visit
https://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more secure. Siemens strongly
recommends that product updates are applied as soon as they are available and that the latest product versions
are used. Use of product versions that are no longer supported, and failure to apply the latest updates may
increase customer’s exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed at:
https://www.siemens.com/industrialsecurity.
Remote Access
Article ID: 26662448, V4.1, 10/2022 2
Table of contents
Legal information
1 Comments on this document
1.1 Motivation and objective
1.2 Features and benefits
1.3 Document structure
2 Introduction to Remote Access
2.1 Remote Access & industrial security
2.2 Security Integrated product portfolio
2.2.1 SINEMA Remote Connect
2.2.2 SCALANCE S industrial security appliances
2.2.3 SCALANCE M industrial routers
2.2.4 Security communications processors
2.2.5 RTU
2.2.6 LOGO!
3 Point-to-point solutions
3.1 VPN tunnel between SCALANCE SC devices
3.2 OpenVPN tunnel between SCALANCE SC devices on Layer 2
3.3 VPN tunnel between SCALANCE SC (VPN server) and MS Windows 10 (VPN client)
3.4 VPN tunnel between CP 1x43-1 (VPN server) and CP 1x43-1
3.5 VPN tunnel between CP 1543SP-1 (VPN server) and SCALANCE S615
3.6 VPN tunnel between LOGO! (VPN server) and a PC
4 SINEMA RC remote maintenance platform
4.1 Simple solutions
4.1.1 VPN tunnel between SCALANCE SC and SINEMA RC client via the SINEMA RC server
4.1.2 VPN tunnel between a mobile end device (iOS) and SCALANCE SC via the SINEMA RC server
4.1.3 VPN tunnel between a mobile end device (Android) and SCALANCE SC via the SINEMA RC server
4.2 Advanced solutions
4.2.1 VPN tunnel between two identical plant components with S615 and SINEMA RC client via the SINEMA RC server by using the NAT function
4.2.2 JumpHost application with SINEMA RC server
4.2.3 Dedicated remote access with SINEMA Remote Connect
4.2.4 Setting up a secure VPN connection to a PROFIBUS / MPI system with Two-Factor-Authentication
5 Appendix
5.1 Service and support
5.2 Industry Mall
5.3 Links and literature
5.4 Change documentation
1 Comments on this document
1.1 Motivation and objective
Objective
The Security Integrated portfolio comprises many products that can be combined
with one another. This results in many possible configurations.
This document will help you to find an optimal solution for secure VPN-based
communication.
1.2 Features and benefits
Features
This document has the following features:
• Easy-to-read and compact structure
• Summarized contents and overview diagram of individual configurations
• No details are described; details are given in the specific configurations.
Benefits
This document offers the reader the following benefits:
• Support in design and project engineering
• Quick access to information about possible configurations
• Concise and compact overview of features
• Reference to the specific configurations
1.3 Document structure
SIMATIC-independent
The VPN solutions with the SCALANCE modules or SINEMA Remote Connect are
SIMATIC-independent, meaning that the application behind the VPN tunnel does
not need to be a SIMATIC application. As such, access to other applications is
possible.
SIMATIC-based
The VPN solutions with the communications processors (short: CP) are SIMATIC-based because a SIMATIC CPU
is required to operate the CP. However, with these configurations it is also possible to access "non-SIMATIC"
plant components via the CP.
2 Introduction to Remote Access
2.1 Remote Access & industrial security
Remote access
Remote access over a network connection gives an authorized person access to a
computer or network to maintain the functional integrity of machines and plants
even from a great geographic distance.
Maintenance of functional integrity is performed primarily by exchanging data for
the purpose of troubleshooting, diagnostics, servicing, repair and optimization.
Various technical solutions have become established to provide secure and
reliable access to machines.
VPN
A VPN refers to a private network that uses a public network (e.g. the internet) as a
transit network to transmit data to a private destination network. The private
networks and the transit network do not need to be compatible with one another for
this to happen.
While VPNs use the addressing mechanisms of the transit network to work, they
use their own network packets to separate the transport of private data packets
from the others. This fact allows the private networks to appear as a contiguous
logical (virtual) network.
VPN routers are required to set up a VPN.
Various protocols are available for setting up a VPN, e.g. IPsec or OpenVPN.
Note: More information about the Siemens security concept can be found in chapter 5.3.
2.2 Security Integrated product portfolio
Example
The following diagram shows a remote access scenario with SINEMA Remote
Connect:
Figure 2-1
2.2.3 SCALANCE M industrial routers
The SCALANCE M portfolio comprises cellular radio routers and routers for wired
communication. They allow for secure remote access to facilities with the
integrated firewall and VPN security functions to protect against unauthorized
access and guard data transmission.
All versions enable configuration over Web Based Management (WBM), command
line interface (CLI), Simple Network Management Protocol (SNMP), SINEC NMS
network management as well as TIA Portal.
Wireless link
The SCALANCE M-87x routers are suitable for mobile radio networks. With these
routers, it is possible to link both fixed-location stations as well as mobile nodes to
a central monitoring and control system – with GSM (2G), UMTS (3G) or LTE (4G).
Wired link
The wired routers from the SCALANCE M product family, SCALANCE M804PB,
SCALANCE M826 and SCALANCE M81x support secure, cost-effective linking of
remote machines and facilities – with SHDSL, ADSL or PROFIBUS/MPI.
Family portrait
2.2.5 RTU
The RTU is intended for monitoring and controlling small outlying stations without a
connection to a power supply network.
In telecontrol networks or cloud systems, the RTU is used to connect the outlying
stations to the master station or cloud via mobile wireless or via the LAN interface
of the RTU and an optional external router.
Figure 2-5
2.2.6 LOGO!
3 Point-to-point solutions
3.1 VPN tunnel between SCALANCE SC devices
Overview
Figure 3-1: VPN server (internet router with static WAN IP address) and VPN client connected by a VPN tunnel; SIMATIC S7 stations on Industrial Ethernet behind the VPN server.
Requirements
• Static public IP address for the internet router of the VPN server
• Internet router with port forwarding feature (VPN server-side)
• Standard internet modem, router or UMTS router, e.g. SCALANCE M-800 (VPN client-side)
3.2 OpenVPN tunnel between SCALANCE SC devices on Layer 2
Requirements
The SCALANCE SC64x 2C establishes a Layer 2 VPN connection to a remote network via OpenVPN. The function is implemented from firmware V2.1.1.
3.3 VPN tunnel between SCALANCE SC (VPN server) and MS Windows 10 (VPN client)
Overview
Figure 3-3: Service PC with Windows 10 (VPN client) behind an internet modem/router; internet router with static WAN IP address in front of the SCALANCE SC (VPN server); VPN tunnel between client and server; automation cell with SIMATIC S7 stations on Industrial Ethernet behind the SCALANCE SC.
Requirements
• Static public IP address for the internet router of the VPN server
• Internet router with port forwarding feature (VPN server-side)
• Standard internet modem, router or UMTS router, e.g. SCALANCE M873 (VPN client-side)
3.4 VPN tunnel between CP 1x43-1 (VPN server) and CP 1x43-1
Requirements
• Static public IP address for the internet router of the VPN server.
• Internet router with port forwarding feature (VPN server-side).
• Standard internet modem, router or UMTS router, e.g. SCALANCE M873 (VPN client-side)
3.5 VPN tunnel between CP 1543SP-1 (VPN server) and SCALANCE S615
Overview
Figure 3-5: Service PC behind a SCALANCE S615 and an internet modem/router; internet router with static WAN IP in front of the ET 200SP CPU with CP 1543SP-1 (VPN server).
Requirements
• Static public IP address for the internet router of the VPN server.
• Internet router with port forwarding feature (VPN server-side).
• Standard internet modem, router or UMTS router, e.g. SCALANCE M873 (VPN client-side)
3.6 VPN tunnel between LOGO! (VPN server) and a PC
Requirements
• Static public IP address for the SIM card of the VPN server.
• Standard internet modem, router or UMTS router, e.g. SCALANCE M873 (VPN client-side)
4 SINEMA RC remote maintenance platform
4.1 Simple solutions
4.1.1 VPN tunnel between SCALANCE SC and SINEMA RC client via the SINEMA RC server
Overview
Figure 4-1: SINEMA RC server behind an internet router with static WAN IP address (VPN server); VPN client 1 and the service technician each connect over the WAN through their own internet router.
Requirements
• Static public IP address for the internet router of the VPN server.
• Internet router with port forwarding feature (VPN server-side).
• Standard internet modem, router or UMTS router, e.g. SCALANCE M873 (VPN client-side)
4.1.2 VPN tunnel between a mobile end device (iOS) and SCALANCE SC via the SINEMA RC server
Overview
Figure 4-2: VPN server behind an internet router with static WAN IP address; VPN client 1 and the service technician connect over the WAN through an internet router.
Requirements
• Static public IP address for the internet router of the VPN server.
• Internet router with port forwarding feature (VPN server-side).
• Standard internet modem, router or UMTS router, e.g. SCALANCE M873 (VPN client-side)
• Tablet with "OpenVPN client" app and iOS operating system (VPN client-side).
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/109479578
4.1.3 VPN tunnel between a mobile end device (Android) and SCALANCE SC via the SINEMA RC server
Overview
Figure 4-3: VPN server behind an internet router with static WAN IP address; VPN client 1 and the service technician connect over the WAN through an internet router.
Requirements
• Static public IP address for the internet router of the VPN server.
• Internet router with port forwarding feature (VPN server-side).
• Default APN of the mobile network operator (VPN client-side).
• Smartphone with "OpenVPN client" app and Android operating system (VPN client-side).
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/109479641
4.2 Advanced solutions
4.2.1 VPN tunnel between two identical plant components with S615 and SINEMA RC client via the SINEMA RC server by using the NAT function
Overview
Figure 4-4: Service VPN client and plant cell 1 with S615 (VPN client) connect over the WAN to the central SINEMA Remote Connect server; VPN tunnels to the Industrial Ethernet of each cell.
Requirements
• Static public IP address and port forwarding feature for the internet router of the VPN server.
• Identical IP address range in the plant elements
Link to the configuration description: http://support.automation.siemens.com/WW/view/en/109744972
4.2.2 JumpHost application with SINEMA RC server
Overview
Figure 4-5: Service technician (VPN client) connects over the WAN to the data center / DMZ; VPN client in the company network; VPN tunnel to the plant Industrial Ethernet.
Requirements
• Static public IP address and port forwarding feature for the internet router of the VPN server.
• DMZ with SINEMA Remote Connect server and JumpHost virtual desktop
4.2.3 Dedicated remote access with SINEMA Remote Connect
Overview
Figure 4-6: User (SINEMA RC client) connects over the WAN to the SINEMA RC server; CPU_A and CPU_B behind a SCALANCE SC-600.
Requirements
• Static public IP address and port forwarding feature for the internet router of the VPN server
• SINEMA Remote Connect V2.0 or higher
4.2.4 Setting up a secure VPN connection to a PROFIBUS / MPI system with Two-Factor-Authentication
Overview
Figure 4-7: VPN communication tunnel via Cloud Connector; TIA Portal online connection through the VPN to the SIMATIC S7-300 station.
Requirements
• SCALANCE M804PB on the station side
• SINEMA Remote Connect V2.0 or higher
5 Appendix
5.1 Service and support
Industry Online Support
Do you have any questions or need assistance?
Siemens Industry Online Support offers round the clock access to our entire service and support
know-how and portfolio.
The Industry Online Support is the central address for information about our products, solutions
and services.
Product information, manuals, downloads, FAQs, application examples and videos – all
information is accessible with just a few mouse clicks:
support.industry.siemens.com
Technical Support
The Technical Support of Siemens Industry provides you fast and competent support regarding
all technical queries with numerous tailor-made offers, ranging from basic support to individual support contracts.
Please send queries to Technical Support via Web form:
siemens.com/SupportRequest
Service offer
Our range of services includes the following:
• Plant data services
• Spare parts services
• Repair services
• On-site and maintenance services
• Retrofitting and modernization services
• Service programs and contracts
You can find detailed information on our range of services in the service catalog web page:
support.industry.siemens.com/cs/sc
5.2 Industry Mall
The Siemens Industry Mall is the platform on which the entire Siemens Industry product portfolio
is accessible. From the selection of products to the order and the delivery tracking, the Industry
Mall enables the complete purchasing processing – directly and independently of time and
location:
mall.industry.siemens.com