Overview document:
Secure remote access with VPN

Siemens Industry Online Support
Industrial security
https://support.industry.siemens.com/cs/ww/en/view/26662448
Legal information
Use of application examples
Application examples illustrate the solution of automation tasks through an interaction of several components in
the form of text, graphics and/or software modules. The application examples are a free service by Siemens AG
and/or a subsidiary of Siemens AG ("Siemens"). They are non-binding and make no claim to completeness or
functionality regarding configuration and equipment. The application examples merely offer help with typical
tasks; they do not constitute customer-specific solutions. You yourself are responsible for the proper and safe
operation of the products in accordance with applicable regulations and must also check the function of the
respective application example and customize it for your system.
Siemens grants you the non-exclusive, non-sublicensable and non-transferable right to have the application
examples used by technically trained personnel. Any change to the application examples is your responsibility.
Sharing the application examples with third parties or copying the application examples or excerpts thereof is
permitted only in combination with your own products. The application examples are not required to undergo the
customary tests and quality inspections of a chargeable product; they may have functional and performance
defects as well as errors. It is your responsibility to use them in such a manner that any malfunctions that may
occur do not result in property damage or injury to persons.

Disclaimer of liability
Siemens shall not assume any liability, for any legal reason whatsoever, including, without limitation, liability for
the usability, availability, completeness and freedom from defects of the application examples as well as for
related information, configuration and performance data and any damage caused thereby. This shall not apply in
cases of mandatory liability, for example under the German Product Liability Act, or in cases of intent, gross
negligence, or culpable loss of life, bodily injury or damage to health, non-compliance with a guarantee,
fraudulent non-disclosure of a defect, or culpable breach of material contractual obligations. Claims for damages
arising from a breach of material contractual obligations shall however be limited to the foreseeable damage
typical of the type of agreement, unless liability arises from intent or gross negligence or is based on loss of life,
bodily injury or damage to health. The foregoing provisions do not imply any change in the burden of proof to
your detriment. You shall indemnify Siemens against existing or future claims of third parties in this connection
except where Siemens is mandatorily liable.
By using the application examples you acknowledge that Siemens cannot be held liable for any damage beyond
the liability provisions described.

© Siemens AG 2022 All rights reserved

Other information
Siemens reserves the right to make changes to the application examples at any time without notice. In case of
discrepancies between the suggestions in the application examples and other Siemens publications such as
catalogs, the content of the other documentation shall have precedence.
The Siemens terms of use (https://support.industry.siemens.com) shall also apply.

Security information
Siemens provides products and solutions with Industrial Security functions that support the secure operation of
plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement –
and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’ products and
solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems, machines and networks.
Such systems, machines and components should only be connected to an enterprise network or the Internet if
and to the extent such a connection is necessary and only when appropriate security measures (e.g. firewalls
and/or network segmentation) are in place.
For additional information on industrial security measures that may be implemented, please visit
https://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more secure. Siemens strongly
recommends that product updates are applied as soon as they are available and that the latest product versions
are used. Use of product versions that are no longer supported, and failure to apply the latest updates may
increase customer’s exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed at:
https://www.siemens.com/industrialsecurity.

Remote Access
Article ID: 26662448, V4.1, 10/2022
Table of contents
Legal information
1 Comments on this document
1.1 Motivation and objective
1.2 Features and benefits
1.3 Document structure
2 Introduction to Remote Access
2.1 Remote Access & industrial security
2.2 Security Integrated product portfolio
2.2.1 SINEMA Remote Connect
2.2.2 SCALANCE S industrial security appliances
2.2.3 SCALANCE M industrial routers
2.2.4 Security communications processors
2.2.5 RTU
2.2.6 LOGO!
3 Point-to-point solutions
3.1 VPN tunnel between SCALANCE SC devices
3.2 OpenVPN tunnel between SCALANCE SC devices on Layer 2
3.3 VPN tunnel between SCALANCE SC (VPN server) and MS Windows 10 (VPN client)
3.4 VPN tunnel between CP 1x43-1 (VPN server) and CP 1x43-1
3.5 VPN tunnel between CP 1543SP-1 (VPN server) and SCALANCE S615
3.6 VPN tunnel between LOGO! (VPN server) and a PC
4 SINEMA RC remote maintenance platform
4.1 Simple solutions
4.1.1 VPN tunnel between SCALANCE SC and SINEMA RC client via the SINEMA RC server
4.1.2 VPN tunnel between a mobile end device (iOS) and SCALANCE SC via the SINEMA RC server
4.1.3 VPN tunnel between a mobile end device (Android) and SCALANCE SC via the SINEMA RC server
4.2 Advanced solutions
4.2.1 VPN tunnel between two identical plant components with S615 and SINEMA RC client via the SINEMA RC server by using the NAT function
4.2.2 JumpHost application with SINEMA RC server
4.2.3 Dedicated remote access with SINEMA Remote Connect
4.2.4 Setting up a secure VPN connection to a PROFIBUS / MPI system with Two-Factor-Authentication
5 Appendix
5.1 Service and support
5.2 Industry Mall
5.3 Links and literature
5.4 Change documentation

1 Comments on this document


1.1 Motivation and objective
Motivation
To implement secure communication, there are countless different options, each
suited to a different application. All options are based on the Security Integrated
product portfolio.
The following questions therefore arise for the user in search of an optimal solution:
• What solutions exist in the first place?
• How do the solutions differ?

Objective
The Security Integrated portfolio comprises many products that can be combined
with one another. This results in many possible configurations.

This document will help you to find an optimal solution for secure VPN-based
communication.

1.2 Features and benefits


Features
This document has the following features:
• Easy-to-read and compact structure
• Summarized contents and overview diagram of individual configurations
• No details are described; details are given in the specific configurations.

Benefits
This document offers the reader the following benefits:
• Support in design and project engineering
• Quick access to information about possible configurations
• Concise and compact overview of features
• Reference to the specific configurations

1.3 Document structure


The Security Integrated portfolio from Siemens comprises many products that can
be combined with one another. This results in many possible configurations.

This document contains a selection of the possible constellations.


Each configuration is broken down as follows:
• Representation in an overview diagram
• List of requirements
• Link to the detailed configuration description

SIMATIC-independent
The VPN solutions with the SCALANCE modules or SINEMA Remote Connect are
SIMATIC-independent, meaning that the application behind the VPN tunnel does
not need to be a SIMATIC application. As such, access to other applications is
possible.

SIMATIC-based
The VPN solutions with the communications processors (short: CP) are SIMATIC-based
because a SIMATIC CPU is required to operate the CP. However, with
these configurations it is also possible to access "non-SIMATIC" plant components
via the CP.

2 Introduction to Remote Access


2.1 Remote Access & industrial security
Remote networks
Remote networks are public or private communication infrastructures for covering
wide areas or long distances, for example mobile radio or landline telephone
networks. Remote networks make it possible to spread out automation cells
geographically.
The geographic distribution of automation cells increases the need for remote
access in a remote network.

Remote access
Remote access over a network connection gives an authorized person access to a
computer or network to maintain the functional integrity of machines and plants
even from a great geographic distance.
Maintenance of functional integrity is performed primarily by exchanging data for
the purpose of troubleshooting, diagnostics, servicing, repair and optimization.
Various technical solutions have become established to provide secure and
reliable access to machines.

Integration into the industrial security concept


The connection to the remote system is made over a public network (e.g. the
internet), making protection against data manipulation and espionage
especially important. Virtual private networks (VPNs) are employed for this
purpose.
A connection here therefore means a virtual private network connection, inside
which the actual remote maintenance can be carried out using other protocols.

VPN
A VPN refers to a private network that uses a public network (e.g. the internet) as a
transit network to transmit data to a private destination network. The private
networks and the transit network do not need to be compatible with one another for
this to happen.
While VPNs use the addressing mechanisms of the transit network to work, they
use their own network packets to separate the transport of private data packets
from the others. This fact allows the private networks to appear as a contiguous
logical (virtual) network.
VPN routers are required to set up a VPN.
Various protocols are available for setting up a VPN, e.g. IPsec or OpenVPN.

VPN client and VPN server


The nodes in a secure data communication link over VPN assume different roles:
• VPN server
• VPN client
The tunnel endpoint that actively starts the VPN connection setup is called the VPN
client.
The counterparty that waits for the VPN client is called the VPN server.

Note More information about the Siemens security concept can be found in
chapter 5.3.

2.2 Security Integrated product portfolio


By combining various security mechanisms such as firewall and VPN, security
modules protect single devices or whole automation cells against:
• Data espionage
• Data manipulation
• Unauthorized access

2.2.1 SINEMA Remote Connect

The SINEMA Remote Connect server application is a management platform for
remote networks that centrally manages secure OpenVPN tunnel connections. This
way, widely distributed plants or machines can be maintained conveniently and
safely via remote access – even if the machines are integrated within third-party
networks like in the facilities of machine manufacturers' end customers, for
example.
The connection to SINEMA Remote Connect can be established using cellular
phone networks, DSL, or existing private network infrastructure.
SINEMA Remote Connect comprises the following components:
• SINEMA Remote Connect (VPN server)
• SINEMA Remote Connect clients (VPN client)

SINEMA Remote Connect Server


SINEMA Remote Connect Server is a server application; it forms the basis for
remote access to distant machines and plants via VPN.
It coordinates secure connection setup between users, widely distributed systems
and machines.

SINEMA Remote Connect client


SINEMA Remote Connect clients are offered in either a hardware-based or
software-based form.
Possible end devices that can be used as a VPN client for SINEMA Remote
Connect are:
– SCALANCE S industrial security appliances
– SCALANCE M industrial routers
– SIMATIC TeleControl - RTU30x0C/RTU30x1C
– Security communications processors
– SINEMA Remote Connect Client software
– LOGO! CMR20x0
The SINEMA RC Client software is available on the software side. It is an
OpenVPN client software application for optimal connection of programming
devices, PCs and notebooks to SINEMA Remote Connect Server.
The SINEMA Remote Connect clients have an autoconfiguration interface for easy
configuration of a connection to SINEMA Remote Connect.

Example
The following diagram shows a remote access scenario with SINEMA Remote
Connect:
Figure 2-1

2.2.2 SCALANCE S industrial security appliances

The SCALANCE S industrial security appliances are a component of network
security and support the industrial security concept of "defense in depth".
They offer protection of devices and networks in discrete manufacturing and in the
process industry, and protect industrial communication with mechanisms such as
stateful inspection firewalls and virtual private networks (VPN).
The devices are suitable for industry-related applications and, depending on the
requirement, are available with different port configurations (2 to 6 ports) and range
of functions (firewall or firewall + VPN). All variants support configuration via WBM,
CLI, SNMP, SINEC NMS network management and TIA Portal.

The following Figure shows a group of the industrial security appliances:


Figure 2-2

2.2.3 SCALANCE M industrial routers

The SCALANCE M portfolio comprises cellular radio routers and routers for wired
communication. They allow for secure remote access to facilities with the
integrated firewall and VPN security functions to protect against unauthorized
access and guard data transmission.
All versions enable configuration over Web Based Management (WBM), command
line interface (CLI), Simple Network Management Protocol (SNMP), SINEC NMS
network management as well as TIA Portal.

Wireless link
The SCALANCE M-87x routers are suitable for mobile radio networks. With these
routers, it is possible to link both fixed-location stations as well as mobile nodes to
a central monitoring and control system – with GSM (2G), UMTS (3G) or LTE (4G).

Wired link
The wired routers from the SCALANCE M product family, SCALANCE M804PB,
SCALANCE M826 and SCALANCE M81x support secure, cost-effective linking of
remote machines and facilities – with SHDSL, ADSL or PROFIBUS/MPI.

Family portrait
The following Figure shows the SCALANCE M product family:


Figure 2-3


2.2.4 Security communications processors

Security communications processors protect controllers using integrated firewalls
(control of data flow) and VPN for protection against data manipulation and
espionage.
Security communications processors are configured in TIA Portal.
• Communications processors for the SIMATIC S7-1200 for secure connection
of the SIMATIC Basic Controller to Industrial Ethernet networks or remote
networks.
• Communications processors for the SIMATIC S7-1500 for secure connection
of the SIMATIC Advanced Controller to Industrial Ethernet networks.
• Communications processors for ET 200SP Distributed Controllers for adding
an Industrial Ethernet interface to the SIMATIC ET 200SP Distributed
Controller for secure network connections.

The Figure below shows a SIMATIC S7-1500 with the CP 1543-1 as an example:
Figure 2-4

2.2.5 RTU

The RTU is intended for monitoring and controlling small outlying stations without a
connection to a power supply network.
In telecontrol networks or cloud systems, the RTU is used to connect the outlying
stations to the master station or cloud via mobile wireless or via the LAN interface
of the RTU and an optional external router.
Figure 2-5

2.2.6 LOGO!

LOGO! is an intelligent logic module ideally suited for implementing simple
automation tasks in industry and building management systems. With the use of
expansion modules, LOGO! can control even the most complex plants without any
problems.
The LOGO! CMR, in combination with the LOGO! 8 Basic Modules (BM), enables you
to monitor and control distributed plants and systems via SMS. You can access the
web interface of the LOGO! CMR and LOGO! BM remotely via a secure cellular
connection. You can use remote access to start the LOGO! BM program even from
off-site, for example.
Figure 2-6

3 Point-to-point solutions
3.1 VPN tunnel between SCALANCE SC devices
Overview
Figure 3-1
[Diagram labels: Service PC, automation cell, SCALANCE SC (two devices), internet router, internet modem/router, static WAN IP address, VPN server, VPN client, VPN tunnel, Industrial Ethernet, SIMATIC S7 stations]

Requirements
• Static public IP address for the internet router of the VPN server
• Internet router with port forwarding feature (VPN server-side)
• Standard internet modem, router or UMTS router, e.g. SCALANCE M-800 (VPN client-side)

Note The SCALANCE SC can be replaced with a SCALANCE S615 or a SCALANCE M.

Link to the configuration description:


http://support.automation.siemens.com/WW/view/en/99681360

3.2 OpenVPN tunnel between SCALANCE SC devices on Layer 2


Overview
Figure 3-2

Requirements
The SCALANCE SC64x 2C establishes a Layer 2 VPN connection to a remote network via OpenVPN. The function is available as of
firmware V2.1.1.

Link to the configuration description:


https://support.industry.siemens.com/cs/af/en/view/109792357

3.3 VPN tunnel between SCALANCE SC (VPN server) and MS Windows 10 (VPN client)
Overview
Figure 3-3
[Diagram labels: Service PC with Windows 10, automation cell, SCALANCE SC, internet modem/router, internet router, static WAN IP address, VPN server, VPN client, VPN tunnel, Industrial Ethernet, SIMATIC S7 stations]

Requirements
• Static public IP address for the internet router of the VPN server
• Internet router with port forwarding feature (VPN server-side)
• Standard internet modem, router or UMTS router, e.g. SCALANCE M873 (VPN client-side)

Note The SCALANCE SC can be replaced with a SCALANCE S615 or a SCALANCE M.

Link to the configuration description:


http://support.automation.siemens.com/WW/view/en/109481101

3.4 VPN tunnel between CP 1x43-1 (VPN server) and CP 1x43-1


Overview
Figure 3-4
[Diagram labels: Automation cell A, Automation cell B, SIMATIC S7-1200 or S7-1500 with CP 1x43-1 (in each cell), internet router, internet modem/router, static WAN IP address, VPN server, VPN client, VPN tunnel, Industrial Ethernet]

Requirements
• Static public IP address for the internet router of the VPN server.
• Internet router with port forwarding feature (VPN server-side).
• Standard internet modem, router or UMTS router, e.g. SCALANCE M873 (VPN client-side)

Link to the configuration description:


https://support.industry.siemens.com/cs/ww/en/view/109737287

3.5 VPN tunnel between CP 1543SP-1 (VPN server) and SCALANCE S615
Overview
Figure 3-5
[Diagram labels: Service PC, SCALANCE S615, ET 200SP CPU with CP 1543SP-1, internet modem/router, internet router, static WAN IP address, VPN server, VPN client, VPN tunnel, Industrial Ethernet]

Requirements
• Static public IP address for the internet router of the VPN server.
• Internet router with port forwarding feature (VPN server-side).
• Standard internet modem, router or UMTS router, e.g. SCALANCE M873 (VPN client-side)

Link to the configuration description:


https://support.industry.siemens.com/cs/ww/en/view/109759758

3.6 VPN tunnel between LOGO! (VPN server) and a PC


Overview
Figure 3-6
[Diagram labels: Service PC, LOGO! CMR with LOGO! BM, internet router, WAN, VPN client, VPN server, VPN tunnel, Industrial Ethernet]

Requirements
• Static public IP address for the SIM card of the VPN server.
• Standard internet modem, router or UMTS router, e.g. SCALANCE M873 (VPN client-side)

Link to the configuration description:


http://support.automation.siemens.com/WW/view/en/109747067

4 SINEMA RC remote maintenance platform


4.1 Simple solutions
4.1.1 VPN tunnel between SCALANCE SC and SINEMA RC client via the SINEMA RC server

Overview
Figure 4-1
[Diagram labels: Central, SINEMA Remote Connect Server, automation cell, SC646-2C, service technician, internet routers, WAN, static WAN IP address, VPN server, VPN client 1, VPN client 2, VPN tunnel, Industrial Ethernet]

Requirements
• Static public IP address for the internet router of the VPN server.
• Internet router with port forwarding feature (VPN server-side).
• Standard internet modem, router or UMTS router, e.g. SCALANCE M873 (VPN client-side)

Link to the configuration description:


http://support.automation.siemens.com/WW/view/en/109479599

4.1.2 VPN tunnel between a mobile end device (iOS) and SCALANCE SC via the SINEMA RC server

Overview
Figure 4-2
[Diagram labels: Central, SINEMA Remote Connect Server, automation cell, SC646-2C, service technician, internet routers, WAN, static WAN IP address, VPN server, VPN client 1, VPN client 2, VPN tunnel, Industrial Ethernet]

Requirements
• Static public IP address for the internet router of the VPN server.
• Internet router with port forwarding feature (VPN server-side).
• Standard internet modem, router or UMTS router, e.g. SCALANCE M873 (VPN client-side)
• Tablet with "OpenVPN client" app and iOS operating system (VPN client-side).
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/109479578

4.1.3 VPN tunnel between a mobile end device (Android) and SCALANCE SC via the SINEMA RC server

Overview
Figure 4-3
[Diagram labels: Central, SINEMA Remote Connect Server, automation cell, SC646-2C, service technician, internet routers, WAN, static WAN IP address, VPN server, VPN client 1, VPN client 2, VPN tunnel, Industrial Ethernet]

Requirements
• Static public IP address for the internet router of the VPN server.
• Internet router with port forwarding feature (VPN server-side).
• Default APN of the mobile network operator (VPN client-side).
• Smartphone with "OpenVPN client" app and Android operating system (VPN client-side).
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/109479641

4.2 Advanced solutions


4.2.1 VPN tunnel between two identical plant components with S615 and SINEMA RC client via the SINEMA RC server by using the NAT function

Overview
Figure 4-4
[Diagram labels: Service, Central, SINEMA Remote Connect Server, WAN, Cell 1, Cell 2, S615 (in each cell), VPN server, VPN client (three), VPN tunnel, Industrial Ethernet]

Requirements
• Static public IP address and port forwarding feature for the internet router of the VPN server.
• Identical IP address range in the plant elements
Link to the configuration description: http://support.automation.siemens.com/WW/view/en/109744972

4.2.2 JumpHost application with SINEMA RC server

Overview
Figure 4-5
[Diagram labels: Service technician, WAN, Data Center / DMZ, SINEMA RC Server, JumpHost Virtual Desktop, System network, S615, Company network, VPN server, VPN client (three), VPN tunnel, Industrial Ethernet]

Requirements
• Static public IP address and port forwarding feature for the internet router of the VPN server.
• DMZ with SINEMA Remote Connect server and JumpHost virtual desktop

Link to the configuration description:


http://support.automation.siemens.com/WW/view/en/109746841

4.2.3 Dedicated remote access with SINEMA Remote Connect

Overview
Figure 4-6
[Diagram labels: User (SINEMA RC client), WAN, SINEMA RC Server, SCALANCE SC-600, CPU_A, CPU_B]

Requirements
• Static public IP address and port forwarding feature for the internet router of the VPN server
• SINEMA Remote Connect V2.0 or higher

Link to the configuration description:


https://support.industry.siemens.com/cs/ww/en/view/109765714

4.2.4 Setting up a secure VPN connection to a PROFIBUS / MPI system with Two-Factor-Authentication

Overview
Figure 4-7
[Diagram labels: Service center, SINEMA RC server, Service technician, TIA Portal Cloud Connector (client), SINEMA RC client, TIA Portal/STEP 7, VPN, communication tunnel via TIA Portal Cloud Connector, online connection to SIMATIC S7-300, Station, TIA Portal Cloud Connector (server), SINEMA RC device, access point to SIMATIC S7-300]

Requirements
• SCALANCE M804PB on the station side
• SINEMA Remote Connect V2.0 or higher

Link to the configuration description:


https://support.industry.siemens.com/cs/ww/en/view/109767355

5 Appendix
5.1 Service and support
Industry Online Support
Do you have any questions or need assistance?
Siemens Industry Online Support offers round the clock access to our entire service and support
know-how and portfolio.
The Industry Online Support is the central address for information about our products, solutions
and services.
Product information, manuals, downloads, FAQs, application examples and videos – all
information is accessible with just a few mouse clicks:
support.industry.siemens.com

Technical Support
The Technical Support of Siemens Industry provides you fast and competent support regarding
all technical queries with numerous tailor-made offers
– ranging from basic support to individual support contracts.
Please send queries to Technical Support via Web form:
siemens.com/SupportRequest

SITRAIN – Digital Industry Academy


We support you with our globally available training courses for industry with practical
experience, innovative learning methods and a concept that’s tailored to the customer’s specific
needs.
For more information on our offered trainings and courses, as well as their locations and dates,
refer to our web page:
siemens.com/sitrain

Service offer
Our range of services includes the following:
• Plant data services
• Spare parts services
• Repair services
• On-site and maintenance services
• Retrofitting and modernization services
• Service programs and contracts
You can find detailed information on our range of services in the service catalog web page:
support.industry.siemens.com/cs/sc

Industry Online Support app


You will receive optimum support wherever you are with the "Siemens Industry Online Support"
app. The app is available for iOS and Android:
support.industry.siemens.com/cs/ww/en/sc/2067

5.2 Industry Mall

The Siemens Industry Mall is the platform on which the entire Siemens Industry product portfolio
is accessible. From the selection of products to the order and the delivery tracking, the Industry
Mall enables the complete purchasing process – directly and independently of time and
location:
mall.industry.siemens.com

5.3 Links and literature


Table 5-1
No. Topic
\1\ Siemens Industry Online Support
https://support.industry.siemens.com
\2\ Link to the article page of the application example
https://support.industry.siemens.com/cs/ww/en/view/26662448
\3\ "Industrial Security" topic page
https://support.industry.siemens.com/cs/ww/en/view/92651441

5.4 Change documentation


Table 5-2
Version Date Change
V1.0 08/2014 First edition
V1.1 09/2015 Integration of SINEMA Remote Connect as new VPN server
V2.0 11/2015 New clustering (combined the SCALANCE M cluster and
integrated SCALANCE S615)
Deleted chapters for dynamic IP access
V2.1 03/2017 New configuration example (chapter 5.6)
V3.0 05/2018 Updated modules and clustering
V4.0 05/2022 Updated chapter 2, restructured content
V4.1 06/2022 Updated chapter 4
V4.1 10/22 Insert chapter 3.2
