
SSL-VPN Remote Access Guide

6 Feb 2013
IT Global Manufacturing & Labor

Version 1.4

Remote Access for Engineering Support Overview


- Allows GM Engineers and machine vendors to support plant floor devices remotely, which can provide near-immediate access and reduce or eliminate travel and the associated expenses.
- The Remote Access solution is intended to provide access to plant floor devices for remote configuration and support.
- For Safety and Security purposes, access will only be provided on an as-needed basis by the site and will be disabled when not in use.
- No vendor should be allowed into your plant without a GM escort; that applies to electronic access also.
- Like the logs maintained at Security, it is recommended that sites maintain logs of all Remote Access: who, what, when, why at a minimum.
- It will be the sole responsibility of the GM Engineer to ensure devices are secure for remote access, i.e. if required, machines are powered off, locked out, etc.


Remote Access Roles Required


- Administrator (ME Controls Engineer): Ensure that plant floor devices are safely accessed by actively managing remote access connectivity (User IDs and passwords).
- User: An offsite GM Engineer or a Vendor responsible to support a device or technology.
- Site Network Support: Responsible for the operational support related to the hardware that is installed to provide this functionality.
- Plant IT Manager: Responsible for service availability and approval of administrator accounts.


Site Standard Configuration


Administrator Setup
- Each GM Engineer approved as an Administrator will have a unique ACS Admin ID.
- 1 admin per shift is GM's desired state.

Admin ID Request Form
- IT Manager must authorize all requests for Admin IDs.
- This form must be submitted via Service Center to the TACACS Team for creation of IDs.

User Setup
- 3 Remote Access User IDs have been created for each site.
- User accounts are reusable and generic.
- ID(s): plant code-ssl1, plant code-ssl2 and plant code-ssl3

User Profiles (defines access to plant floor devices)
- 3 Access Control Lists (ACL) have been created and associated with the user IDs (user 1 uses acl 1, user 2 uses acl 2, etc.).
- ACLs are to be customized for the devices needing to be accessed by a particular vendor.


Administrator Duties
User Setup
- Select a reusable User Login.

User Profiles (create access to resources)
- Configure the ACL for the IP Addresses requiring access.

Inform User of Access Provided
- Send an email to the user informing them how to use the tool and what the temporary User Login and Password is.
- They will also need to be informed of the IP Addresses that they have access to.
- A template email is provided to assist.

Maintain Contact with User of Access Provided
- Ensure that the environment being accessed remains in a safe state so others will not be injured.


Site Administrator Quick Reference Guide

NOTE: Your ACL should already be selected here


User Access (GM Engineer and Vendor)


For remote access, the end-user will require internet access and must complete the following steps:
- Request access from Site Administrator.
  - Site Administrator will provide the URL, Login ID, and Password.
- Enter the provided URL into an internet web browser.
  - User must select the URL whether they are inside or outside the GM network.
  - If logging in from another GM facility, you must first log in to the Cut Through Proxy.
- Log in with access credentials (first-time users will be required to install the VPN client software when prompted).
- Once connected, the user will be able to access the IP Addresses that have been configured for them in the ACL.
- Test the connection with command prompt and Ping.
- Open the necessary programming software and connect to the IP Address of the device.

The connection will disconnect after the time or connection limit has been reached or when closed by the user (4 hours max connection time).


GM Engineer and Vendor access


Frequently Asked Questions


Users connecting from inside GM
- Need to utilize the Cut-Thru-Proxy.
- GM Employees should request Cut-Thru-Proxy access.

Why does my connection always terminate at midnight?


Security requirements specify that the user account must be set to disable at the end of each day by setting "Disable when date exceeds" to today's date. The ACS server is set to GMT-5. Be aware of this when configuring your vendor's access if your plant is not in this timezone. You may need to set it to the next day but NEVER beyond that.
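
The timezone rule above, worked through as an added example (not part of the original guide): it converts a planned session end at the plant into the ACS server's GMT-5 calendar date and refuses anything past the next day. The function name, the sample UTC offsets and the assumption that the server compares the entered date against its own calendar date are illustrative.

```python
from datetime import date, datetime, timedelta, timezone

# Per the FAQ, the ACS server clock is fixed at GMT-5.
ACS_TZ = timezone(timedelta(hours=-5))


def disable_date(session_end: datetime, now: datetime) -> date:
    """Return the date to enter in "Disable when date exceeds".

    Both arguments are timezone-aware datetimes in the plant's local zone.
    Assumption: the server compares the entered date with its own GMT-5
    calendar date, so the account stays usable until server midnight at the
    end of the returned date.
    """
    if session_end.tzinfo is None or now.tzinfo is None:
        raise ValueError("datetimes must carry the plant's UTC offset")
    if session_end <= now:
        raise ValueError("session must end in the future")

    server_today = now.astimezone(ACS_TZ).date()
    needed = session_end.astimezone(ACS_TZ).date()

    # The guide allows today or the next day, never later.
    if needed > server_today + timedelta(days=1):
        raise ValueError("session ends beyond the next server day; "
                         "configure the account closer to the session")
    return needed


# Constructed sample plants (UTC offsets are illustrative, not from the guide).
WEST = timezone(timedelta(hours=-8))
EAST = timezone(timedelta(hours=+1))

if __name__ == "__main__":
    # 18:00 at a GMT-8 plant is already 21:00 on the server; a session
    # ending 22:00 local crosses server midnight, so the next day is needed.
    print(disable_date(datetime(2013, 2, 6, 22, 0, tzinfo=WEST),
                       datetime(2013, 2, 6, 18, 0, tzinfo=WEST)))
    # A morning session at a GMT+1 plant ends well before server midnight.
    print(disable_date(datetime(2013, 2, 6, 13, 0, tzinfo=EAST),
                       datetime(2013, 2, 6, 9, 0, tzinfo=EAST)))
```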

Can the Administrator provide access for more than 4 hours?


No, User access cannot be modified from the GM Standards of 4 hours per day or 3
login sessions per day. Reaching either quota will disable the ID for the remainder of
the day.

Can each vendor have their own login or ACL?


No, the tool provides each site 3 generic logins and 3 ACLs.
Any additional logins or ACLs are deemed a security risk and will be removed.


Where to go for help

Remote user should contact GM site administrator with any connection issues.

The GM site Administrator should review the Failed Attempts report. Most times it will
clearly define what issue the user encountered that prevented access. This is found
inside the ACS Application, Reports and Activities, Failed Attempts, Active.csv.

If unresolved, the Administrator should visit their local network support for assistance
in troubleshooting.

If unresolved, the local network support may assist in opening a Service Center ticket
with the TACACS team.

If access is required in support of an open incident, the Incident Management Process should be followed in order to get immediate assistance. Contact your local RC3.
