Siemens MD741-1 EGPRS/GSM Router User Manual 3173AD021 09 SIE EN

FCC document ID: 941598
Document type: User Manual (Adobe Acrobat PDF)
Short-term confidential: No
Permanent confidential: No
Supersede: No
File size: 139.96 kB
Date submitted: 2008-05-15
Date available: 2008-05-15
Creation date: 2008-05-06 13:21:37
Producing software: Acrobat Distiller 7.0 (Windows)
Document last modified: 2008-05-14 12:54:06
Document title: Microsoft Word - 3173AD021_09_SIE_EN.doc
Document creator: PScript5.dll Version 5.2.2
Document author: PAU

SIMATIC NET
EGPRS/GPRS-Router SINAUT MD741-1
System manual
C79000-G8976-C212
Release 4/2008

Preface, Contents
Applications and functions
Setup
Configuration
Local interface
External interface
Security functions
Remote access
Status, log and diagnosis
Additional functions
10 Technical Data
11 Applied Standards and Approvals
Glossary
Safety Guidelines
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.
Danger: indicates that death or severe personal injury will result if proper precautions are not taken.
Warning: indicates that death or severe personal injury may result if proper precautions are not taken.
Caution (with a safety alert symbol): indicates that minor personal injury can result if proper precautions are not taken.
Caution (without a safety alert symbol): indicates that property damage can result if proper precautions are not taken.
Notice: indicates that an unintended result or situation can occur if the corresponding information is not taken into account.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The device/system may only be set up and used in conjunction with this documentation. Commissioning and
operation of a device/system may only be performed by qualified personnel. Within the context of the safety notes
in this documentation qualified persons are defined as persons who are authorized to commission, ground and
label devices, systems and circuits in accordance with established safety practices and standards.
Prescribed Usage
Note the following:
Warning
This device may only be used for the applications described in the catalog or the technical description and only in
connection with devices or components from other manufacturers which have been approved or recommended by
Siemens. Correct, reliable operation of the product requires proper transport, storage, positioning and assembly
as well as careful operation and maintenance.
Trademarks
All names identified by ® are registered trademarks of the Siemens AG. The remaining trademarks in this
publication may be trademarks whose use by third parties for their own purposes could violate the rights of the
owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.
Siemens AG
Automation and Drives
Postfach 48 48
90437 NÜRNBERG
GERMANY
Order No.: C79000-G8976-C212
Release 04/2008
Copyright © Siemens AG 2008
Technical data subject to change
SINAUT MD741-1
C79000- G8976-C212
General
The product MD741-1 complies with European standard EN60950, 05.2003, Safety
of Information Technology Equipment.
Read the installation instructions carefully before using the device.
Keep the device away from children, especially small children.
The device must not be installed or operated outdoors or at damp locations.
Do not operate the device if the connecting leads or the device itself are damaged.
External power supply
Use only an external power supply which also complies with EN60950. The output
voltage of the external power supply must not exceed 30V DC. The output of the
external power supply must be short-circuit proof.
Warning
The power supply unit to supply the SINAUT MD741-1 must comply with the
requirements for a Limited Power Source according to IEC/EN 60950-1
The power supply unit to supply the SINAUT MD741-1 must comply with NEC Class 2
circuits as outlined in the National Electrical Code ® (ANSI/NFPA 70) only.
Please pay regard to section 2.6 of the system manual, as well as the installation
and utilisation regulations of the respective manufacturers of the power supply, the
battery or the accumulator.
SIM card
To install the SIM card the device must be opened. Before opening the device,
disconnect it from the supply voltage. Static charges can damage the device when
it is open. Discharge the electric static of your body before opening the device. To
do so, touch an earthed surface, e.g. the metal casing of the switch cabinet. Please
pay regard to section 2.6 of this system manual.
Handling cables
Never pull a cable connector out of a socket by its cable, but pull on the connector
itself. Cable connectors with screw fasteners (D-Sub) must always be screwed on
tightly. Do not lay the cable over sharp corners and edges without edge protection.
If necessary, provide sufficient strain relief for the cables.
For safety reasons, make sure that the bending radius of the cables is observed.
Failure to observe the bending radius of the antenna cable results in the
deterioration of the system's transmission and reception properties. The minimum
bending radius must not fall below 5 times the cable diameter for static installation
and 15 times the cable diameter for dynamic installation.
Radio device
Warning
Never use the device in places where the operation of radio devices is prohibited. The
device contains a radio transmitter which could in certain circumstances impair the
functionality of electronic medical devices such as hearing aids or pacemakers. You
can obtain advice from your physician or the manufacturer of such devices. To prevent
data carriers from being demagnetised, do not keep disks, credit cards or other
magnetic data carriers near the device.
Installing antennas
Warning
The emission limits as recommended by the German Commission on Radiological
Protection (13/14 September 2001; www.ssk.de) must be observed.
Installing an external antenna
Caution
When installing an antenna outdoors it is essential that the antenna is fitted correctly
by a qualified person.
When the antenna is installed outdoors it must be earthed for lightning protection. The
outdoor antenna's shield must be reliably connected to protective earth.
The installation shall be done according to the national installation codes.
For the US this is the National Electric Code NFPA 70, article 810.
For Germany, observe the current version of the Lightning Protection Standard VDE
0185 (DIN EN 62305) Sections 1 to 4 for buildings with lightning protection, or the
standard VDE 0855 (DIN EN 60728-11) in case there is no lightning protection.
This work must be carried out by qualified personnel only.
Requirements for compliance to Safety, Telecom, EMC and other standards
Caution
Observe the regulations listed in chapter 12 before putting the SINAUT MD741-1 into
operation.
Operating costs
Caution: GPRS costs
Note that data packets exchanged for setting up connections, reconnecting, connect
attempts (e.g. Server switched off, wrong destination address, etc.) as well as keeping
the connection alive are also subject to charge.
Firmware with Open Source GPL/LGPL
The firmware of the SINAUT MD741-1 includes open source software under the terms
of the GPL/LGPL. According to section 3b of the GPL and section 6b of the LGPL we
provide you with the source code. Please write to
s_opsource@gmx.net
s_opsource@gmx.de
Please enter 'Open Source MD741' as the subject of your e-mail so that we can filter
your e-mail more easily.
Firmware with OpenBSD
The firmware of SINAUT MD741-1 contains sections from the OpenBSD software.
The use of OpenBSD software is subject to the following copyright notice:
Copyright (c) 1982, 1986, 1990, 1991, 1993
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the University of California, Berkeley and its contributors.
4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Preface
Purpose of this documentation
This documentation will support you on your way to successful application of
GSM/GPRS modem SINAUT MD741-1. It will introduce you to the topic in
clear and straightforward steps and provide you with an overview of the
hardware of the SINAUT MD741-1 GSM/GPRS modem. This documentation
will help you during installation and commissioning of SINAUT GSM/GPRS
modem and explains the diagnostics and service options available.
Validity of the documentation
This manual relates to the following product versions:
• GPRS/GSM modem MD741-1 hardware release 2.x
SIMATIC Technical Support
You can contact Technical Support for all A&D products:
• Phone: +49 (0) 180 5050 222
• Fax: +49 (0) 180 5050 223
You will find further information on our Technical Support on the Web at
http://www.siemens.com/automation/service
Service & Support on the Internet
In addition to our documentation services, you can also make use of all our
knowledge on the Internet:
http://www.siemens.com/automation/service&support
Here, you will find:
• Up-to-date product information (Updates), FAQs (Frequently Asked Questions), Downloads, Tips and Tricks.
• The Newsletter keeps you constantly up to date with the latest information on the products you use.
• The Knowledge Manager will find the documents you need.
• In the Forum, users and specialists exchange information and experience.
• You can find your local contact for Industry Automation in our contacts database.
• You will find information on local service, repairs, spares and much more under the rubric "Service".
You will find the latest version of this documentation under the entry ID
22550242.
Do you still have questions relating to the use of the products described in
the manual? If so, then please talk to your local Siemens contact.
You will find the addresses in the following sources:
• On the Internet at: http://www.siemens.com/automation/partner
• On the Internet at http://www.siemens.com/simatic-net specifically for SIMATIC NET products
• In the catalog CA 01
• In the catalog IK PI specifically for SIMATIC NET products
Statements, certificates and other useful information about SINAUT MD741-1 are available at:
• http://support.automation.siemens.com/WW/view/de/22811843
SIMATIC training center
To familiarize you with the systems and products, we offer a range of
courses. Please contact your regional training center or the central training
center in
D-90327 Nuernberg.
Phone: +49 (911) 895-3200
http://www.sitrain.com
SIMATIC NET training center
For courses specifically on products from SIMATIC NET, please contact:
SIEMENS AG
Siemens AG, A&D Informations- und Trainings-Center
Dynamostr. 4
D-68165 Mannheim
Phone: +49 (621) 4 56-23 77
Fax: +49 (621) 4 56-32 68
Contents
1 Applications and functions .... 11
2 Setup .... 15
2.1 Step by step .... 15
2.2 Preconditions for operation .... 16
2.3 Device front .... 17
2.4 Service button (SET) .... 17
2.5 Operating state indicators .... 18
2.6 Connections .... 19
2.7 Inserting the SIM card .... 21
2.8 Top rail mounting .... 22
3 Configuration .... 23
3.1 TCP/IP configuration of the network adapter in Windows XP .... 24
3.2 Establishing a configuration connection .... 25
3.3 Start page of the Web user interface .... 28
3.4 Language selection .... 31
3.5 Configuration procedure .... 32
3.6 Configuration Profiles .... 33
3.7 Changing the password .... 34
3.8 Reboot .... 35
3.9 Load factory settings .... 37
4 Local interface .... 39
4.1 IP addresses of the local interface .... 39
4.2 DHCP server to local network .... 41
4.3 DNS to local network .... 43
4.4 Local hostname .... 45
4.5 System Time/NTP .... 46
4.6 Additional Internal Routes .... 48
5 External interface .... 49
5.1 Access parameters to EGPRS/GPRS .... 49
5.2 EGPRS/GPRS Connection Monitoring .... 51
5.3 Hostname via DynDNS .... 53
6 Security functions .... 57
6.1 Packet Filter .... 57
6.2 Port Forwarding .... 62
6.3 Advanced security functions .... 64
6.4 Firewall Log .... 66
7 VPN connection .... 67
7.1 VPN Roadwarrior Mode .... 69
7.2 VPN IPsec Standard Mode .... 76
7.3 Loading VPN certificates .... 85
7.4 Firewall rules for VPN tunnel .... 87
7.5 Advanced settings for VPN connections .... 88
7.6 Status of the VPN connections .... 90
8 Remote access .... 91
8.1 HTTPS remote access .... 91
8.2 SSH remote access .... 93
8.3 Remote access via dial-in connection .... 95
9 Status, log and diagnosis .... 99
9.1 System status display .... 99
9.2 Log .... 103
9.3 Remote logging .... 105
9.4 Snapshot .... 107
9.5 Hardware information .... 109
9.6 Software information .... 110
10 Additional functions .... 111
10.1 Alarm SMS .... 111
10.2 Software Update .... 112
11 Technical Data .... 115
12 Applied Standards and Approvals .... 119
12.1 Equipment .... 119
12.2 EU Declaration of Conformance .... 119
12.3 Compliance to FM, UL and CSA .... 121
12.4 Compliance to FCC .... 122
Glossary .... 125
1 Applications and functions
The SINAUT MD741-1 provides a wireless connection to the Internet or to a private
network. The SINAUT MD741-1 can provide this connection in any location where
a GSM network (Global System for Mobile Communication = mobile phone
network) is available which provides the services EGPRS (Enhanced General
Packet Radio Service = EDGE) or GPRS (General Packet Radio Service). A
precondition for this is a SIM card of a GSM network operator with the appropriate
services activated.
The SINAUT MD741-1 thus links a locally connected application or entire networks
to the Internet via wireless IP connections. It is also possible to connect directly to
an intranet, to which in turn the external remote stations are connected.
The SINAUT MD741-1 can establish a VPN (Virtual Private Network) between a
locally connected application / a network and an external network, and can protect
this connection against access by third parties through the use of IPsec (Internet
Protocol Security).
In order to perform these tasks in the scenarios described, the device combines the
following functions:
• EDGE modem for flexible data communication via EGPRS or GPRS
• Firewall for protection against unauthorized access. The dynamic packet filter examines data packets based on their source and destination addresses (stateful inspection firewall) and blocks undesirable data traffic (anti-spoofing)
• The SINAUT MD741-1 can establish via the wireless IP connections a VPN (Virtual Private Network) between the locally connected application or network and an external network and can protect this connection by IPsec (Internet Protocol Security) against unwanted access by third parties.
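The bullet above names a dynamic (stateful) packet filter and anti-spoofing without showing how the two decisions combine. The following Python model is an added example written for this page, not Siemens code and not the MD741-1's actual rule set: it accepts flows opened from the local network, admits only their replies from the wireless side, and drops packets whose source address cannot legitimately arrive on the interface they came in on. The 192.168.1.0/24 local network, the interface names and the packets are constructed assumptions.

```python
"""Toy model of a stateful packet filter with anti-spoofing, as named in the
MD741-1 manual. Added example, not Siemens code; interfaces, addresses and
packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Assumption: the router's local network, matching the 192.168.1.x range
# chapter 3 prescribes for the Admin PC.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    iface: str   # "local" (X2) or "external" (the EGPRS/GPRS side)
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """Accept flows opened from the local network, admit only their replies
    from outside, and drop packets whose source address does not belong on
    the interface they arrived at."""

    def __init__(self):
        # Connection table keyed by (proto, local ip, local port, remote ip, remote port).
        self.flows = set()

    def handle(self, pkt):
        """Return (accepted, reason) for one packet."""
        src = ipaddress.ip_address(pkt.src)
        # Anti-spoofing: local addresses must not arrive from the wireless side,
        # and only local addresses may arrive on X2.
        if pkt.iface == "external" and src in LOCAL_NET:
            return False, "spoofed local source on external interface"
        if pkt.iface == "local" and src not in LOCAL_NET:
            return False, "non-local source on local interface"
        if pkt.iface == "local":
            # Outbound: remember the flow so the matching reply can be accepted.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True, "new outbound flow recorded"
        # Inbound: pass only if it answers a recorded flow (addresses/ports swapped).
        reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_key in self.flows:
            return True, "reply to established flow"
        return False, "unsolicited inbound packet"


def run_demo():
    """Feed constructed packets through one filter instance; returns the verdicts."""
    fw = StatefulFilter()
    packets = [
        Packet("local", "192.168.1.10", "203.0.113.5", 40000, 443),     # PLC opens HTTPS outbound
        Packet("external", "203.0.113.5", "192.168.1.10", 443, 40000),  # the server's reply
        Packet("external", "198.51.100.7", "192.168.1.10", 5555, 22),   # unsolicited inbound
        Packet("external", "192.168.1.20", "192.168.1.10", 5555, 22),   # forged local source
        Packet("local", "10.9.9.9", "203.0.113.5", 40001, 80),          # wrong source on X2
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    for accepted, reason in run_demo():
        print("ACCEPT" if accepted else "DROP  ", reason)
```

The order of the checks matters: the anti-spoofing tests run before the connection table is consulted, so a forged local source address can never create or match a flow entry.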
Application examples of the SINAUT MD741-1
Figure 1-1: Connection between CPU and Central Station (elements shown: S7-300 CPU with TIM and MD741-1, (E-)GPRS, APN, INTERNET, VPN tunnel, DSL modem / VPN router, Central Station with ST7cc)
Figure 1-2: Connection between two CPUs (elements shown: two CPUs each with TIM and MD741-1, (E-)GPRS, APN, INTERNET, VPN tunnels, DSL modem / VPN router, TIM, logical connection between the CPUs)
Configuration
The device can be configured via a Web user interface that can simply be
displayed using a Web browser. It can be accessed by means of the following:
• the local interface
• EGPRS/GPRS
• CSD (Circuit Switched Data = dial-in data connection) of the GSM
Figure 1-3: Configuration (a PC with Web browser reaches the MD741-1 via the local interface, via (E-)GPRS, or via a GSM-CSD connection)
Firewall functions
The SINAUT MD741-1 provides the following firewall functions in order to protect
the local network and itself from external attacks:
● Stateful inspection firewall
● Anti-spoofing
● Port forwarding
● NAT
Additional functions
The SINAUT MD741-1 provides the following additional functions:
● DNS cache
● DHCP server
● NTP
● Remote logging
● In Port
● Web user interface for configuration
● Sending alarm SMS
● SSH console for configuration
● DynDNS client
● Dial-in data connection for maintenance and remote configuration
2 Setup
2.1 Step by step
Set up the SINAUT MD741-1 in the following steps (the chapter in brackets describes the step):
1. First familiarise yourself with the preconditions for operation of the SINAUT MD741-1. (Chapter 2.2)
2. Read the safety instructions and other instructions at the beginning of this document very carefully, and be sure to follow them.
3. Familiarise yourself with the control elements, connections and operating state indicators of the SINAUT MD741-1. (Chapters 2.4 to 2.6)
4. Connect a PC with a Web browser (Admin PC) to the local interface (X2) of the SINAUT MD741-1.
5. Using the Web user interface of the SINAUT MD741-1, enter the PIN (Personal Identification Number) of the SIM card. (Chapter 5.1)
6. Disconnect the SINAUT MD741-1 from the power supply. (Chapter 2.6)
7. Insert the SIM card in the device. (Chapter 2.7)
8. Connect the antenna. (Chapter 2.6)
9. Connect the SINAUT MD741-1 to the power supply. (Chapter 2.6)
10. Set the SINAUT MD741-1 up in accordance with your requirements. (Chapters 3 to 10)
11. Connect your local application. (Chapter 2.6)
2.2 Preconditions for operation
In order to operate the SINAUT MD741-1, the following information must be on
hand and the following preconditions must be fulfilled:
Antenna
An antenna, adapted to the frequency bands of the GSM network operator you
have chosen: 850 MHz, 900 MHz, 1800 MHz or 1900 MHz. Use only antennas
from the accessories for the SINAUT MD741-1.
See Chapter 2.6.
Power supply
A power supply with a voltage between 12 VDC and 30 VDC that can provide
sufficient current.
See Chapter 2.6.
SIM card
A SIM card from the chosen GSM network operator.
PIN
The PIN for the SIM card.
EGPRS / GPRS activation
The SIM card must be activated by your GSM network operator for the services
EGPRS or GPRS.
The EGPRS / GPRS access data must be known:
● Access Point Name (APN)
● User name
● Password
CSD 9600 bit/s activation
The SIM card must be activated by your GSM network operator for the CSD
service if you wish to use remote configuration via a dial-in data connection, see
Chapter 8.3.
2.3 Device front
Here are definitions of terms frequently used in this manual:
Figure 2-1: Device front
A – Connection terminals for the power supply
B – Set button
C – Antenna jack type SMA
D – Operating state indicators S, Q, C
E – X1 (Service; USB), without function
F – Connection terminals for the gate inputs and outputs
G – 10/100 Base-T RJ45 jack for connecting the local network
H – Operating state indicators Power, LAN, VPN
2.4 Operating elements
Service button (SET)
On the front side of the SINAUT MD741-1 there is a small hole (see B) which is
marked SET and has a button behind it. Use a pointed object, e.g. a straightened-out
paperclip, to press this button.
● If you press the button for longer than 5 seconds, the SINAUT MD741-1 reboots and loads the factory settings.
2.5 Operating state indicators
The SINAUT MD741-1 has 7 indicator lamps (LEDs) to indicate the operating state.
The 3 indicator lamps on the left-hand side of the device indicate the state of the
EGPRS wireless modem:

LED S (Status)
  Flashing slowly: PIN transfer
  Flashing quickly: PIN error / SIM error
  ON: PIN transfer successful
  OFF: Not logged into GSM network
LED Q (Quality)
  Flashing briefly: Poor signal strength (CSQ < 6)
  Flashing slowly: Medium signal strength (CSQ = 6..10)
  ON, with brief interruptions: Good signal strength (CSQ = 11-18)
  ON: Very good signal strength (CSQ > 18)
LED C (Connect)
  OFF: No connection
  Flashing quickly: Service call via CSD active
  ON with brief interruptions: GPRS connection active
  ON: EGPRS connection active
LEDs S, Q, C together
  Light up in sequence quickly: Booting
  Light up in sequence slowly: Update
  Flashing quickly in unison: Error

The 3 indicator lamps on the right-hand side of the device indicate the state of
additional device functions:

LED DC5V
  ON: Device switched on, operating voltage present
  OFF: Device switched off, operating voltage not present
LED LINK
  ON: Ethernet connection established to the local application / the local network
  OFF: No Ethernet connection to the local application / the local network
  ON with brief interruptions: Data transfer via the Ethernet connection
LED VPN
  ON: VPN connection active
  OFF: VPN connection not active
2.6 Connections
X2 (10/100 Base-T)
The local network is connected to the local applications at the 10/100 Base-T
connection, e.g. a programmable controller, a machine with an Ethernet interface
for remote monitoring, or a notebook or desktop PC.
To set up the SINAUT MD741-1, connect the Admin PC with Web browser here.
The interface supports autonegotiation. It thus detects automatically whether a
transmission speed of 10 Mbit/s or 100 Mbit/s is used on the Ethernet.
A connecting cable with a RJ45 plug must be used. It can be a cross-over cable or
a patch cable.
X1 (USB; Service)
In the SINAUT MD741-1 this interface has no function and is reserved for later
applications. Do not connect any devices here. Doing so could interfere with the
SINAUT MD741-1's operation.
SMA antenna jack
The SINAUT MD741-1 has an antenna jack of the type SMA for connecting the
antenna.
The antenna that is used should have an impedance of about 50 ohms. It must be
matched for GSM 900MHz and DCS 1800MHz or GSM 850 MHz and PCS 1900
MHz, depending on which frequency bands your GSM network operator uses. In
Europe and China GSM 900MHz and DCS 1800MHz are used, in the USA GSM
850 MHz and PCS 1900 MHz are used. Obtain this information from your network
operator.
The match (VSWR) of the antenna must be 1:2.5 or better.
Caution:
Use only antennas from the accessories line for the SINAUT MD741-1. Other
antennas could interfere with product characteristics or even lead to defects.
When installing the antenna, a sufficiently good signal quality must be ensured
(CSQ > 11). Use the indicator lamps of the SINAUT MD741-1 which show the
signal quality. Make sure that there are no large metal objects (e.g. reinforced
concrete) close to the antenna.
Observe the installation and user instructions for the antenna being used.
Warning:
When the antenna is installed outdoors it must be earthed for lightning protection.
The outdoor antenna's shield must be reliably connected to protective earth. The
installation shall be done according to the national installation codes (for the US this
is the National Electric Code NFPA 70, article 810).
This work must be carried out by qualified personnel only.
Screw terminals for the power supply (24V / 0V)
Figure 2-2: Screw terminals of the power supply
The SINAUT MD741-1 operates with direct current from 12 to 30 V DC, nominally
24 V DC. This power supply is connected at the screw terminals on the left-hand
side of the device.
Connect the positive supply voltage to one or both screw terminals marked 24V
and the negative supply voltage to one or both screw terminals marked 0V.
The rated current consumption is about 510mA at 12V and 230mA at 30V.
Warning:
The power supply unit of the SINAUT MD741-1 is not galvanically isolated. Observe
the safety instructions at the beginning of this manual.
Field wiring instruction
Use copper wires only.
Solid wire: 0.5...3 mm² (AWG 20...18)
Stranded wire: 0.5...2.5 mm²
Torque of screw clamps: 0.6...0.8 Nm
2.7 Inserting the SIM card
Caution:
Before inserting the SIM card, enter the PIN of the SIM card in the SINAUT
MD741-1 via the Web user interface. See Chapter 5.1.
Figure 2-3
Inserting the SIM card
1. After you have entered the PIN of the SIM card, disconnect the SINAUT
MD741-1 completely from the power supply.
2. The drawer for the SIM card is located on the back of the device. Right next to
the drawer for the SIM card in the housing aperture there is a small yellow
button. Press on this button with a pointed object, for example a pencil.
When the button is pressed the SIM card drawer comes out of the housing.
3. Place the SIM card in the drawer so that its gold-plated contacts remain visible.
4. Then push the drawer with the SIM card completely into the housing.
Caution:
Do not under any circumstances insert or remove the SIM card during operation.
Doing so could damage the SIM card and the SINAUT MD741-1.
2.8 Top rail mounting
The SINAUT MD741-1 is suitable for top-hat rail mounting on DIN EN 50022 rails.
A corresponding bracket can be found at the rear of the device.
Figure 2-4 Top rail mounting
Configuration
Configuration of the router and firewall functions is carried out locally or remotely
via the Web-based administration interface of the SINAUT MD741-1.
Remote configuration
Remote configuration via HTTPS or CSD access is only possible if the SINAUT
MD741-1 is configured for remote access. In this case proceed exactly as
described in Chapter 8.
Configuration via the local interface
The preconditions for configuration via the local interface are:
● The computer (Admin PC) that you use to carry out configuration must be either connected directly to the Ethernet jack of the SINAUT MD741-1 via a network cable or it must have direct access to the SINAUT MD741-1 via the local network.
● The network adapter of the computer (Admin PC) that you use to carry out configuration must have the following TCP/IP configuration:
IP address: 192.168.1.2
Subnet mask: 255.255.255.0
Instead of the IP address 192.168.1.2 you can also use other IP addresses from the range 192.168.1.x.
● If you also wish to use the Admin PC to access the external network via the SINAUT MD741-1, the following additional settings are necessary:
Standard gateway: 192.168.1.1
Preferred DNS server: Address of the domain name server
3.1 TCP/IP configuration of the network adapter in Windows XP
Configure the LAN connection
Click on Start, Connect To ..., Show All Connections…
Then click on LAN Connection. In the dialog box Properties of LAN Connection,
click on the General tab and select there the entry Internet Protocol (TCP/IP). Open
Properties by clicking on the corresponding button.
The window Properties of Internet Protocol (TCP/IP) appears (see illustration
below).
Note:
The path leading to the dialog box Properties of LAN Connection depends on your
Windows settings. If you are not able to find this dialog box, search in the Windows
Help function for LAN Connection or Properties of Internet Protocol (TCP/IP).
Figure 3-1 Properties of Windows Internet Protocol
Enter the following values in order to get to the Web user interface of the SINAUT
MD741-1:
IP address: 192.168.1.2
Subnet mask: 255.255.255.0
In addition, enter the following values if you want to use the Admin PC to access
the external network via the SINAUT MD741-1:
Standard gateway: 192.168.1.1
Preferred DNS server: 192.168.1.1
Preferred DNS server
If you call up addresses via a domain name (e.g. www.neuhaus.de), then you must
refer to a domain name server (DNS) to find out what IP address is behind the
name. You can define the following as the domain name server:
● The DNS address of the network operator, or
● The local IP address of the SINAUT MD741-1, as long as it is configured for resolving host names into IP addresses (see Chapter 4.3; Factory setting).
To define the domain name server in the TCP/IP configuration of your network
adapter, proceed as described above.
3.2 Establishing a configuration connection
Setting up a Web browser
Proceed as follows:
1. Launch a Web browser.
(e.g. MS Internet Explorer Version 7 or later or Mozilla Firefox Version 2 or
later; the Web browser must support SSL (i.e. HTTPS).)
2. Make sure that the browser does not automatically dial a connection when it is
launched.
In MS Internet Explorer, make this setting as follows: Menu Tools, Internet
Options..., tab Connections: Under Dial-up and VPN Settings, make sure that
Never dial a connection is activated.
Calling up the start page of the SINAUT MD741-1
3. In the address line of the browser, enter the address of the SINAUT MD741-1
in full. In the factory settings this is:
https://192.168.1.1
Result: A security message appears. In Internet Explorer 7, for example, this
one:
Figure 3-2 Confirming the security message
4. Acknowledge the corresponding safety message with "Continue loading this
page …"
Note
Because the device can only be administered via encrypted access, it is delivered
with a self-signed certificate. For certificates with signatures that the
operating system does not know, a security message is generated. You can
display the certificate.
It must be clear from the certificate that it was issued for SIEMENS AG. The Web
user interface is addressed via an IP address and not by name, which is why
the name specified in the security certificate does not match the address entered
in the browser.
Entering the user name and password
5. You will be asked to enter the user name and the password:
Figure 3-3 Enter user name and password
The factory setting is:
User name: admin
Password: sinaut
Note
You should change the password in any event. The factory setting is general
knowledge and does not provide sufficient protection. Chapter 3.7 contains a
description of how to change the password.
The start page is displayed
After the user name and password are entered, the start page of the SINAUT
MD741-1 appears in the Web browser with an overview of the operating state, see
Chapter 3.3.
The start page is not displayed
If after several tries the browser still reports that the page cannot be displayed, try
the following:
● Check the hardware connection. On a Windows computer, go to the DOS prompt (Menu Start, Programs, Accessories, Command Prompt) and enter the following command:
ping 192.168.1.1
If a return receipt message for the 4 packets that were sent out does not
appear within the specified time period, check the cable, the connections and
the network card.
● Make sure that the browser does not use a proxy server. In MS Internet Explorer (Version 7.0), make this setting as follows: Menu Tools, Internet Options..., tab Connections: Under LAN Settings, click on the Settings... button, then in the dialog box Settings for local network (LAN), make sure that under Proxy Server the entry Use proxy server for LAN is not activated.
● If other LAN connections are active on the computer, deactivate them for the duration of the configuration process. Under the Windows menu Start, Connect To ..., Show All Connections…, under LAN or High-Speed Internet right-click on the connection concerned and select Deactivate in the pop-up menu.
● Enter the address of the SINAUT MD741-1 with a slash:
https://192.168.1.1/
3.3 Start page of the Web user interface
After the Web user interface of the SINAUT MD741-1 is called up and the user
name and password are entered, an overview of the current operating state of the
SINAUT MD741-1 appears.
Figure 3-4 Overview
Note
Use the Refresh function of the Web browser to update the displayed values.
Current system time
Shows the current system time of the SINAUT MD741-1 in the format:
Year – Month – Day, Hours – Minutes
Connection
Shows if a wireless connection exists, and which one:
● EDGE connection (IP connection via EGPRS)
● GPRS connection (IP connection via GPRS)
● CSD connection (service connection via CSD)
External hostname
Shows the hostname (e.g. md741.mydns.org) of the SINAUT MD741-1, if a
DynDNS service is being used.
Signal (CSQ level)
Indicates the strength of the GSM signal as a CSQ value.
● CSQ < 6: Poor signal strength
● CSQ = 6..10: Medium signal strength
● CSQ = 11..18: Good field strength
● CSQ > 18: Very good field strength
● CSQ = 99: No connection to the GSM network
Assigned IP address
Shows the IP address at which the SINAUT MD741-1 can be reached in EGPRS or
GPRS. This IP address is assigned to the SINAUT MD741-1 by EGPRS or GPRS.
Note
It may occur that an EDGE (EGPRS) or GPRS connection and an assigned IP
address are both shown, but the connection quality is still not good enough to
transmit data. For this reason we recommend using the active connection
monitoring (see Chapter 5.2).
Remote HTTPS
Shows whether remote access to the Web user interface of the SINAUT MD741-1
via EGPRS, GPRS or CSD is permitted (see Chapter 8.1).
● White check mark at green dot: Access is allowed.
● White cross at red dot: Access is not allowed.
Remote SSH
Shows whether remote access to the SSH console of the SINAUT MD741-1 via
EGPRS, GPRS or CSD is permitted (see Chapter 8.2).
● White check mark at green dot: Access is allowed.
● White cross at red dot: Access is not allowed.
CSD Dial-In
Shows whether remote CSD service calls are allowed (see Chapter 8.3).
● White check mark at green dot: Access is allowed.
● White cross at red dot: Access is not allowed.
3.4 Language selection
The Web user interface of the SINAUT MD741-1 supports English and German
language.
Figure 3-5 Language selection
Automatic
The SINAUT MD741-1 selects the language of the Web user interface according to
the language setting of the Web browser used:
● German, if the Web browser uses the German language,
● English, in all other cases.
Deutsch
The SINAUT MD741-1 uses the German language, irrespective of the Web
browser setting.
English
The SINAUT MD741-1 uses the English language, irrespective of the Web browser
setting.
Click GO and refresh your Web browser to change the language.
3.5 Configuration procedure
The procedure for configuration is as follows:
Carrying out configuration
1. Use the menu to call up the desired settings area.
2. Make the desired entries on the page concerned or use Reset to delete the current entry which has not been saved.
3. Use Save to confirm the entries so that they are accepted by the device.
Figure 3-6 Configuration
Note
Depending on how you configure the SINAUT MD741-1, you may then have to
adapt the network interface of the locally connected computer or network
accordingly.
When entering IP addresses, always enter the IP address component numbers
without leading zeros, e.g.: 192.168.0.8.
Invalid entries
The SINAUT MD741-1 checks your entries. Obvious errors are detected during
saving and the input box in question is marked.
Figure 3-7 Indication of invalid entries
3.6 Configuration Profiles
The settings of the SINAUT MD741-1 can be saved in configuration profiles (files)
and re-loaded at any time.
Figure 3-8 Maintenance > Configurations Profiles
Upload Profile
Loads to the SINAUT MD741-1 a configuration profile that was created before and
saved on the Admin PC. Files with configuration profiles have the file extension
*.epr.
Browse can be used to search the Admin PC for configuration profiles,
Submit loads the configuration profile to the SINAUT MD741-1.
It will then be shown in the table of saved configuration profiles.
Create profile
Saves the current settings of the SINAUT MD741-1 in a configuration profile.
First enter a name for the profile in the input box. Create saves the settings in a
profile with this name and then displays it in the table of saved configuration
profiles.
Saved Configuration Profiles
The table of saved configuration profiles shows all of the profiles that are saved in
the SINAUT MD741-1.
Download
Loads the profile to the Admin PC.
Activate
The SINAUT MD741-1 accepts the settings from the selected configuration profile
and continues to work using them.
Delete
The configuration profile is deleted.
The profile Default configuration contains the factory settings, and cannot be
deleted.
3.7 Changing the password
Access to the SINAUT MD741-1 is protected by an access password. This access
password protects access both via the
● local interface to the Web user interface, and
● local interface to the SSH console,
and also access via
● EGPRS or GPRS by https to the Web user interface, and
● EGPRS or GPRS to the SSH console.
Figure 3-9 Access > Password
Access password (factory setting)
The factory setting for the SINAUT MD741-1 is:
● Password: sinaut
● User name: admin (cannot be changed)
Note
Change the password immediately after initial start-up. The factory setting is
general knowledge and does not provide sufficient protection.
Note
The user name for the SSH access is different from the user name for the Web interface.
User name: root (cannot be changed)
The password for the SSH access is the same as for the Web interface.
New access password (with confirmation)
To change the password, enter the new password you have selected in New
access password and confirm the entry in Retype new access password.
Reset can be used to discard any entries that have not yet been saved. Save
accepts the new password.
3.8 Reboot
Although the SINAUT MD741-1 is designed for continuous operation, in such a
complex system faults may occur, often triggered by external influences. A reboot
can rectify these faults.
The reboot resets the functions of the SINAUT MD741-1. Current settings
according to the configuration profile do not change. The SINAUT MD741-1
continues to work using these settings after the reboot.
Figure 3-10 Maintenance > Reboot
Enable daily reboot
The reboot is carried out automatically once a day if you switch the function on with
Yes.
Specify the Time of the daily reboot. The reboot will be carried out at the specified
system time. Existing connections will be interrupted.
Factory setting
Enable daily reboot: No
Time of the daily reboot: 01:00
3.9 Load factory settings
The factory settings of the SINAUT MD741-1 can be restored by the following
means:
Figure 3-11 Maintenance > Factory Reset
Reset to factory settings
A click on the push button Reset loads the factory settings, resets the passwords
and deletes the stored certificates, the configuration profiles and the archived log
files.
Service button (SET)
The load of the factory settings can also be activated by pushing the service button
(see chapter 2.4).
Default configuration
If only the factory settings are to be loaded, without deleting the certificates,
configuration profiles and the archived log files, simply activate the Default
configuration profile as described in chapter 3.6.
4 Local interface
The local interface is the interface of the SINAUT MD741-1 for connecting the local
network. The interface is labeled X2 on the device. This is an Ethernet interface
with a data rate of 10Mbit/s or 100Mbit/s.
The local network is the network connected to the local interface of the SINAUT
MD741-1. The local network contains at least one local application.
Local applications are network components in the local network, for example a
programmable controller, a machine with an Ethernet interface for remote
monitoring, or a notebook or desktop PC or the Admin PC.
Configure the local interface and the related functions according to your
requirements and the advice in this chapter.
4.1 IP addresses of the local interface
This is where the IP addresses and the netmasks at which the SINAUT MD741-1
can be reached by local applications are set.
Figure 4-1 Local Network > Basic Settings > Local IPs
The factory settings for the SINAUT MD741-1 are as follows:
IP: 192.168.1.1
Netmask: 255.255.255.0
These factory-set IP addresses and netmasks can be changed freely, but should
follow the applicable recommendations (RFC 1918).
Figure 4-2 Local IP and netmask
You can define additional addresses at which the SINAUT MD741-1 can be
reached by local applications. This is useful, for example, when the local network is
subdivided into subnetworks. Then multiple local applications from different
subnetworks can reach the SINAUT MD741-1 under various addresses.
New
Adds additional IP addresses and netmasks, which you can then modify in turn.
Delete
Removes the respective IP address and netmask. The first entry cannot be
deleted.
4.2 DHCP server to local network
The SINAUT MD741-1 contains a DHCP server (DHCP = Dynamic Host
Configuration Protocol). If the DHCP server is switched on, it automatically assigns
IP addresses, netmasks, the gateway and the DNS server to the applications that
are connected to the local interface of the SINAUT MD741-1. This is only
possible if the setting for obtaining the IP address and the configuration parameters
automatically via DHCP is activated on the local applications.
Figure 4-3 DHCP function on local interface
Figure 4-4 Local Network > Basic Settings > Local IPs
Start DHCP server
Start DHCP server – Yes switches on the DHCP server of the SINAUT MD741-1;
No switches it off.
Local netmask
Here enter the local netmask that should be assigned to the local applications.
Default gateway
Here enter the default gateway that should be assigned to the local applications.
DNS server
Here enter the DNS server that should be assigned to the local applications.
Enable dynamic IP address pool
With Yes the IP addresses that the DHCP server of the SINAUT MD741-1 assigns
are drawn from a dynamic address pool.
With No the IP addresses must be assigned to the MAC addresses of the local
application under Static Leases.
DHCP range start
Specifies the first address of the dynamic address pool.
DHCP range end
Specifies the last address of the dynamic address pool.
Static Leases
In Static Leases of the IP addresses you can assign corresponding IP addresses to
the MAC addresses of local applications.
If a local application requests assignment of an IP address via DHCP, the
application communicates its MAC address with the DHCP query. If an IP address
is statically assigned to this MAC address the SINAUT MD741-1 assigns the
corresponding IP address to the application.
MAC address of the client – MAC address of the querying local application
IP address of the client – assigned IP address
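The assignment logic described in this section (Static Leases take precedence, the dynamic pool is used only when enabled), written as an added Python example; it is not the device's own code, and the class name, the static-lease MAC address and the address 192.168.1.50 are constructed for the example.

```python
# Added example (not the MD741-1's own code): DHCP address assignment as the
# manual describes it. Static leases (MAC -> IP) take precedence; the dynamic
# pool is consulted only when "Enable dynamic IP address pool" is Yes.
# Class and field names are this example's own, not the device's.
import ipaddress
from typing import Dict, Optional


class LocalDhcpServer:
    def __init__(self, start_server: bool, netmask: str, gateway: str,
                 dns: str, pool_enabled: bool, range_start: str,
                 range_end: str, static_leases: Dict[str, str]) -> None:
        self.start_server = start_server
        self.netmask, self.gateway, self.dns = netmask, gateway, dns
        self.pool_enabled = pool_enabled
        first = int(ipaddress.IPv4Address(range_start))
        last = int(ipaddress.IPv4Address(range_end))
        if last < first:
            raise ValueError("DHCP range end precedes DHCP range start")
        self.pool = [str(ipaddress.IPv4Address(n)) for n in range(first, last + 1)]
        # Normalise MACs so "00:1A:2B" and "00:1a:2b" mean the same client.
        self.static = {mac.lower(): ip for mac, ip in static_leases.items()}
        self.leases: Dict[str, str] = {}   # MAC -> IP currently handed out

    def request(self, mac: str) -> Optional[Dict[str, str]]:
        """Answer one DHCP request. Returns the parameters handed to the
        client, or None when the server is off or has no address to give."""
        if not self.start_server:
            return None
        mac = mac.lower()
        if mac in self.leases:                 # repeat request: same address
            ip = self.leases[mac]
        elif mac in self.static:               # Static Leases win over the pool
            ip = self.static[mac]
        elif self.pool_enabled:
            taken = set(self.leases.values()) | set(self.static.values())
            free = [a for a in self.pool if a not in taken]
            if not free:                       # pool exhausted: no offer
                return None
            ip = free[0]
        else:                                  # pool off and MAC unknown
            return None
        self.leases[mac] = ip
        return {"ip": ip, "netmask": self.netmask,
                "gateway": self.gateway, "dns": self.dns}


def factory_server(pool_enabled: bool,
                   static_leases: Dict[str, str]) -> LocalDhcpServer:
    """Server with the manual's factory values (netmask, gateway, DNS and
    range), except that the DHCP server is switched on so that it answers."""
    return LocalDhcpServer(True, "255.255.255.0", "192.168.1.1", "192.168.1.1",
                           pool_enabled, "192.168.1.100", "192.168.1.199",
                           static_leases)


if __name__ == "__main__":
    # Constructed MAC addresses; 192.168.1.50 is a constructed static lease.
    srv = factory_server(False, {"00:11:22:33:44:55": "192.168.1.50"})
    print(srv.request("00:11:22:33:44:55"))   # static lease is answered
    print(srv.request("66:77:88:99:aa:bb"))   # None: pool disabled, MAC unknown
```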
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
Start DHCP server: No
Local netmask: 255.255.255.0
Default gateway: 192.168.1.1
DNS server: 192.168.1.1
Enable dynamic IP address pool: No
DHCP range start: 192.168.1.100
DHCP range end: 192.168.1.199
4.3 DNS to local network
The SINAUT MD741-1 provides a domain name server (DNS) to the local network.
If you enter the IP address of the SINAUT MD741-1 in your local application as the
domain name server (DNS), then the SINAUT MD741-1 answers the DNS queries
from its cache. If it does not know the corresponding IP address for a domain
address, then the SINAUT MD741-1 forwards the query to an external domain name
server (DNS).
Figure 4-5 DNS function on local interface
The time period for which the SINAUT MD741-1 holds a domain address in the
cache depends on the host being addressed. In addition to the IP address, a DNS
query to an external domain name server also supplies the life span of this
information.
The external domain name server (DNS) used can be a server of the network
operator, a server on the Internet, or a server in a private external network.
Figure 4-6 Local Network > Basic Settings > DNS
Selected nameserver
Select which domain name server (DNS) the SINAUT MD741-1 should query.
Provider Defined
When a connection is established to EGPRS or GPRS the network operator
automatically communicates one or more DNS addresses. These are then used.
Root Nameserver
Queries are directed to the root nameservers on the Internet whose IP addresses
are stored in the SINAUT MD741-1. Select this setting only if the alternative
settings do not work.
User Defined
As the user you select your preferred DNS. The DNS can be on the Internet, or it
can be a private DNS in your network.
User defined nameserver
If you have selected the option User Defined then enter the IP address of the
selected DNS as the Server IP Address.
New can be used to add additional DNS servers.
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
Selected nameserver: Provider Defined
User defined nameserver (for new entry): 0.0.0.0
4.4 Local hostname
The SINAUT MD741-1 can also be addressed from the local network using a host
name. To do this, define a host name, e.g. MD741.
Figure 4-7 Local Network > Basic Settings > DNS
The SINAUT MD741-1 can then be called up, for example from a Web browser as
MD741.
Note
The security concept of the SINAUT MD741-1 requires the creation of an outgoing
firewall rule for each local application that is to use this hostname function. See
Chapter 6.1.
If you do not use DHCP (see Chapter 4.2), then identical search paths have to be
entered manually in the SINAUT MD741-1 and in the local applications. If you do
use DHCP, the local applications receive the search path entered in the SINAUT
MD741-1 via DHCP.
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
Searchpath: example.local
Hostname: md741
4.5 System Time/NTP
This is where you set the system time for the SINAUT MD741-1. This system time
is:
● used as a time stamp for all log entries, and
● serves as a time basis for all time-controlled functions.
Select the year, month, day, hour and minute.
Figure 4-8 System > System Time/NTP
Activate NTP synchronization
The SINAUT MD741-1 can also obtain the system time from a time server via NTP
(= Network Time Protocol). There are a number of time servers on the Internet that
can be used to obtain the current time very precisely via NTP.
Local timezone / region
The NTP time servers communicate UTC (= Universal Time Coordinated). To
specify the time zone, select a city near the location where the SINAUT
MD741-1 will be operating. The time in this time zone will then be used as the
system time.
NTP server
Click on New to add an NTP server, and enter the IP address of such an NTP
server, or use the NTP server preset at the factory. You can specify multiple NTP
servers at the same time.
It is not possible to enter the NTP address as a hostname (e.g. timeserver.org).
Poll interval
The time synchronization is carried out cyclically. The interval at which
synchronization is performed is determined by the SINAUT MD741-1 automatically.
A new synchronization will be carried out at least once every 36 hours. The poll
interval defines the minimum period that the SINAUT MD741-1 waits until the next
synchronization.
Note
Synchronization of the system time via NTP creates additional data traffic on the
EGPRS or GPRS interfaces. This may result in additional costs, depending on your
user agreement with the GSM network operator.
Serve system time to local network
The SINAUT MD741-1 can serve itself as an NTP time server for the applications
that are connected to its local network interface. To activate this function select
Yes.
The NTP time server in the SINAUT MD741-1 can be reached via the local IP
address set for the SINAUT MD741-1, see Chapter 4.1.
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
Local timezone: UTC
Activate NTP synchronization: No
NTP server: 192.53.103.108
Poll interval: 1.1 hours
Serve system time to local network: No
4.6 Additional Internal Routes
If the local network is subdivided into subnetworks, you can define additional
routes.
See also the Glossary.
To define an additional route to a subnetwork, click on New.
Specify the following:
● the IP address of the subnetwork (network), and also
● the IP address of the gateway via which the subnet is connected.
You can define any desired number of internal routes.
To delete an internal route, click on Delete.
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
Additional Internal Routes
Default for new routes: No
Network: 192.168.2.0/24
Gateway: 192.168.0.254
5 External interface
The external interface of the SINAUT MD741-1 connects the SINAUT MD741-1 to
the external network. EGPRS, GPRS or GSM are used for the communication at
this interface.
External networks are the Internet or a private intranet.
External remote stations are network components in an external network, e.g. Web
servers on the Internet, routers on an intranet, a central company server, an Admin
PC, and much more.
Configure the external interface and the related functions according to your
requirements and the advice in this chapter.
5.1 Access parameters to EGPRS/GPRS
The SINAUT MD741-1 uses EGPRS or GPRS for communication with the external
network. For access to the services EGPRS and GPRS and to the underlying GSM
wireless network, access parameters are necessary, which you will receive from
your GSM network operator.
Figure 5-1 Access parameters to EGPRS/GPRS
The PIN protects the SIM card against unauthorised use. The user name and
password protect the access to EGPRS and GPRS and the APN (Access Point
Name) defines the transition from EGPRS or GPRS to additional connected IP
networks, for example a public APN to the Internet or a private APN to a virtual
private network (VPN).
Figure 5-2 External Network > EDGE/GPRS
PIN
Enter the PIN for your SIM card here. You will receive the PIN from your network
operator.
The SINAUT MD741-1 also works with SIM cards that have no PIN; in this case
enter NONE. In this case the input box is left empty.
Note
If no entry is made, the input box for the PIN is shown with a red outline after
saving.
User name
Enter the user name for EGPRS and GPRS here. Some GSM/GPRS network
operators do not use access control with user names and/or passwords. In this
case enter guest in the corresponding box.
Password
Enter the password for EGPRS and GPRS here. Some GSM/GPRS network
operators do not use access control with user names and/or passwords. In this
case enter guest in the corresponding box.
APN
Enter the name of the transition from EGPRS and GPRS to other networks here.
You can find the APN in your GSM/GPRS network operator's documentation, on
your operator's Website, or ask your operator's hotline.
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
PIN: NONE
User name: guest
Password: guest
APN: NONE
5.2 EGPRS/GPRS Connection Monitoring
With the function Connection Check the SINAUT MD741-1 checks its connection to
EGPRS or GPRS and to the connected external networks, such as the Internet or
an intranet. To do this, the SINAUT MD741-1 sends ping packets (ICMPs) to up to
four remote stations (target hosts) at regular intervals. This takes place
independently of the user data connections. If after such a ping the SINAUT
MD741-1 receives a response from at least one of the remote stations addressed,
then the SINAUT MD741-1 is still connected with the EGPRS or GPRS and ready
for operation.
Some network operators interrupt connections when they are inactive. This is
likewise prevented by the Connection Check function.
Figure 5-3 Connection Monitoring
Warning
Sending ping packets (ICMPs) increases the amount of data sent and received via
EGPRS or GPRS. This can lead to increased costs.
Figure 5-4 External Network > Connection Check
Enable connection check
Yes activates the function.
Ping Targets – Hostname
Select up to four remote stations that the SINAUT MD741-1 can ping. The remote
stations must be available continuously and must answer pings.
Note
Make sure that the selected remote stations will not be disturbed.
Connection check interval (minutes)
Specifies the interval at which the connection check ping packets are sent by the
SINAUT MD741-1. This is specified in minutes.
Allowable number of failures
Specifies how many times it is allowed for all ping packets of an interval not to
receive an answer, i.e. for none of four pinged remote stations to answer, before
the specified action is carried out.
Activity on faulty connection
Renew Connection
The SINAUT MD741-1 re-establishes the connection to EGPRS or GPRS if the
ping packets sent were not answered.
Reboot MD741
The SINAUT MD741-1 carries out a reboot if the ping packets sent were not
answered.
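The Connection Check decision logic described above (ping up to four targets per interval, count an interval as failed only when none answers, act once more intervals than allowed have failed), as an added Python example that is not the device's own code. The ping function is injected so it runs offline, the interval timer is left out (one call is one interval), and the reading of "allowable number of failures" as the number of tolerated intervals before the action is this example's assumption.

```python
# Added example (not the MD741-1's own code): the Connection Check decision
# logic. Parameters mirror the manual (up to four ping targets, an allowable
# number of failures, the action Renew Connection or Reboot MD741). The ping
# function is injected so that the example runs offline; the interval timer is
# left out and one run_interval() call stands for one check interval.
from typing import Callable, Dict, List, Optional, Sequence

RENEW_CONNECTION = "Renew Connection"
REBOOT = "Reboot MD741"


class ConnectionCheck:
    def __init__(self, targets: Sequence[str], allowable_failures: int,
                 action: str, ping: Callable[[str], bool]) -> None:
        if not 1 <= len(targets) <= 4:
            raise ValueError("select between one and four ping targets")
        if action not in (RENEW_CONNECTION, REBOOT):
            raise ValueError("unknown activity on faulty connection")
        self.targets = list(targets)
        self.allowable_failures = allowable_failures
        self.action = action
        self.ping = ping
        self.consecutive_failures = 0   # intervals in a row with no answer at all

    def run_interval(self) -> Optional[str]:
        """Ping every target once. An interval counts as failed only when none
        of the targets answers. Returns the action to carry out once more
        failures than allowed have accumulated, otherwise None."""
        answers = [self.ping(host) for host in self.targets]   # ping all targets
        if any(answers):
            self.consecutive_failures = 0   # one reply is enough: link is up
            return None
        self.consecutive_failures += 1
        # Assumption of this example: "allowable number of failures" = 3 means
        # three unanswered intervals are tolerated and the fourth triggers the action.
        if self.consecutive_failures > self.allowable_failures:
            self.consecutive_failures = 0   # start counting afresh after the action
            return self.action
        return None


def simulate(intervals: List[Dict[str, bool]], allowable_failures: int = 3,
             action: str = RENEW_CONNECTION) -> List[Optional[str]]:
    """Replay constructed per-interval ping outcomes ({host: answered}) and
    return the action decided in each interval (None when nothing happens)."""
    current: Dict[str, bool] = {}
    check = ConnectionCheck(list(intervals[0]), allowable_failures, action,
                            lambda host: current[host])
    decisions: List[Optional[str]] = []
    for outcome in intervals:
        current = outcome          # the lambda reads the rebound variable
        decisions.append(check.run_interval())
    return decisions


if __name__ == "__main__":
    # Constructed outcomes for two targets with the factory value of 3 failures.
    up, down = {"a": True, "b": True}, {"a": False, "b": False}
    print(simulate([up, {"a": False, "b": True}, down, down, down, down, up]))
```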
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
Enable connection check: No (switched off)
Hostname:
Connection check interval: 5 (minutes)
Allowable number of failures: 3 (failed attempts)
Activity on faulty connection: Renew Connection
5.3 Hostname via DynDNS
Dynamic domain name servers (DynDNS) make it possible for applications to be
accessible on the Internet under a hostname (e.g. myHost.org), even if these
applications do not have a fixed IP address and the hostname is not registered. If
you log the SINAUT MD741-1 on to a DynDNS service, you can also reach the
SINAUT MD741-1 from the external network under a hostname, e.g.
mySINAUT.dyndns.org.
For more information on DynDNS see the Glossary.
Figure 5-5 DynDNS Function
Figure 5-6 External Network > DynDNS
Log this SINAUT MD741-1 on to a DynDNS server
Select Yes if you want to use a DynDNS service.
DynDNS provider
The SINAUT MD741-1 is compatible with dyndns.org.
DynDNS username / password
Enter here the username and the password that authorise you to use the DynDNS
service. Your DynDNS provider will give you this information.
DynDNS hostname
Here enter the hostname that you have agreed with your DynDNS provider for the
SINAUT MD741-1, e.g. myMD741.dyndns.org.
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
Log the MD741-1 on to DynDNS server: No (switched off)
DynDNS username: guest
DynDNS password: guest
DynDNS hostname: myname.dyndns.org
Security functions
6.1 Packet Filter
The SINAUT MD741-1 contains a stateful inspection firewall.
A stateful inspection firewall is a packet filtering method. Packet filters only let IP
packets through if this has been permitted beforehand by firewall rules. The
following is defined in the firewall rules:
● which protocol (TCP, UDP, ICMP) can go through,
● the permitted source of the IP packets (From IP / From port),
● the permitted destination of the IP packets (To IP / To port).
It is likewise defined here what will be done with IP packets that are not allowed
through (discard, reject).
For a simple packet filter it is always necessary to create two firewall rules for a
connection:
● one rule for the query direction from the source to the destination, and
● a second rule for the query direction from the destination to the source.
It is different for a SINAUT MD741-1 with a stateful inspection firewall. Here a
firewall rule is only created for the query direction from the source to the
destination. The firewall rule for the response direction from the destination to the
source results from analysis of the data previously sent. The firewall rule for the
responses is closed again after the responses are received or after a short time
period has elapsed. Thus responses can only go through if there was a previous
query. This means that the response rule cannot be used for unauthorised access.
What is more, special procedures make it possible for UDP and ICMP data to also
go through, even though these data were not requested before.
Figure 6-1
Security > Packet Filter
Firewall Rules (Incoming)
The Firewall Rules (Incoming) are used to define how to handle IP packets that are
received from external networks (e.g. the Internet) via EGPRS or GPRS. The
source is the sender of this IP packet. The destination is the local applications on
the SINAUT MD741-1.
In the factory setting, no incoming firewall rule is set initially, i.e. no IP packets can
go through.
New
Adds an additional firewall rule that you can then fill out.
Delete
Removes firewall rules that have been created.
Protocol
Select the protocol for which this rule will be valid. The following selections are
available: TCP, UDP, ICMP. If you select All, the rule is valid for all three protocols.
From IP
Enter the IP address of the external remote station that is allowed to send IP
packets to the local network. Do this by specifying the IP address or an IP range for
the remote station. 0.0.0.0/0 means all addresses.
To specify a range, use the CIDR notation - see the Glossary.
From port
Enter the port from which the external remote station is allowed to send IP packets.
(only evaluated for the protocols TCP and UDP)
To IP
Enter the IP address in the local network to which IP packets may be sent. Do this
by specifying the IP address or an IP range of the application in the local network.
0.0.0.0/0 means all addresses.
To specify a range, use the CIDR notation - see the Glossary.
To port
Enter the port to which the external remote station is allowed to send IP packets.
Action
Select how incoming IP packets are to be handled:
Accept – The data packets can go through.
Reject – The data packets are rejected, and the sender receives a corresponding
message.
Drop – The data packets are discarded without any feedback to the sender.
Firewall Rules (Outgoing)
The Firewall Rules (Outgoing) are used to define how to handle IP packets that are
received from the local network. The source is an application in the local network.
The destination is an external remote station, e.g. on the Internet or in a private
network.
In the factory setting, no outgoing firewall rule is set initially, i.e. no IP packets can
go through.
New
Adds an additional firewall rule that you can then fill out.
Protocol
Select the protocol for which this rule will be valid. The following selections are
available: TCP, UDP, ICMP. If you select All, the rule is valid for all three protocols.
From IP
Enter the IP address of the local application that is allowed to send IP packets to
the external network. Do this by specifying the IP address or an IP range for the
local application. 0.0.0.0/0 means all addresses.
To specify a range, use the CIDR notation - see the Glossary.
From port
Enter the port from which the local network is allowed to send IP packets. Do this
by specifying the port number.
(only evaluated for the protocols TCP and UDP)
To IP
Enter the IP address in the external network to which IP packets may be sent. Do
this by specifying the IP address or an IP range of the application in the network.
0.0.0.0/0 means all addresses.
To specify a range, use the CIDR notation - see the Glossary.
To port
Enter the port to which the external remote station is allowed to send IP packets.
Do this by specifying the port number.
(only evaluated for the protocols TCP and UDP)
Action
Select how outgoing IP packets are to be handled:
Accept – The data packets can go through.
Reject – The data packets are rejected, and the sender receives a corresponding
message.
Drop – The data packets are discarded without any feedback to the sender.
Firewall Rules Incoming / Outgoing
Log
For each individual firewall rule you can define whether the event should be
● logged when the rule takes effect - set Log to Yes
● or not - set Log to No (factory setting)
The log is kept in the firewall log, see Chapter 6.4.
Log Unknown Connection Attempts
This logs all connection attempts that are not covered by the defined rules.
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
Incoming firewall
Firewall Rules (Incoming): - (Everything blocked)
Protocol: All
From IP: 0.0.0.0/0
From port: Any
To IP: 0.0.0.0/0
To port: Any
Action: Accept
Log: No (switched off)
Log Unknown Connection Attempts: No (switched off)
Outgoing firewall
Firewall Rules (Outgoing): - (Everything blocked)
Protocol: All
From IP: 0.0.0.0/0
From port: Any
To IP: 0.0.0.0/0
To port: Any
Action: Accept
Log: No (switched off)
Log Unknown Connection Attempts: No (switched off)
6.2 Port Forwarding
If a rule has been created for port forwarding, then data packets received at a
defined IP port of the SINAUT MD741-1 from the external network will be
forwarded. The incoming data packets are then forwarded to a specified IP address
and port number in the local network. The port forwarding can be configured for
TCP or UDP.
In port forwarding the following occurs: The header of incoming data packets from
the external network that are addressed to the external IP address of the SINAUT
MD741-1 and to a specific port are adapted so that they are forwarded to the
internal network to a specific computer and to a specific port of that computer.
This means that the IP address and port number in the header of incoming data
packets are modified.
This process is also called Destination NAT or Port Forwarding.
Note
In order for incoming data packets to be forwarded to the defined IP address in the
local network, a corresponding incoming firewall rule must be set up for this IP
address in the packet filter. See Chapter 6.1.
Figure 6-2
Security > Port Forwarding
New
Adds a new forwarding rule that you can then fill out.
Delete
Removes forwarding rules that have been created.
Protocol
Specify here the protocol (TCP or UDP) to which the rule should refer.
Destination port
Specify here the port number (e.g. 80) at which the data packets which are to be
forwarded arrive from the external network.
Forward to IP
Specify here the IP address in the local network to which the incoming data
packets should be forwarded.
Forward to port
Specify here the port number (e.g.) for the IP address in the local network to which
the incoming data packets should be forwarded.
Log
For each port forwarding rule you can define whether the event should be
● logged when the rule takes effect - set Log to Yes
● or not - set Log to No (factory setting)
The log is kept in the firewall log, see Chapter 6.4.
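As an added example (not Siemens code and not part of this manual), the following Python model shows how the incoming packet filter of Chapter 6.1 and the port forwarding of Chapter 6.2 interact: a forwarding rule rewrites the destination first, the incoming rules are then checked against the rewritten destination, and replies are only let through after a query went out. The class names, addresses, packets and the rule set are constructed for illustration.

```python
"""Added example, not Siemens code: a model of the MD741-1 incoming packet filter
(Chapter 6.1) and the port-forwarding step (Chapter 6.2); rule fields and reply
handling follow the manual, class names, addresses and packets are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str                  # "TCP", "UDP" or "ICMP"
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]

@dataclass
class Rule:
    # defaults are the factory values of a new rule: match everything, Accept
    protocol: str = "All"
    from_ip: str = "0.0.0.0/0"
    from_port: str = "Any"
    to_ip: str = "0.0.0.0/0"
    to_port: str = "Any"
    action: str = "Accept"      # "Accept", "Reject" or "Drop"
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "All" and self.protocol != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.from_ip, strict=False):
            return False
        if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.to_ip, strict=False):
            return False
        if pkt.proto in ("TCP", "UDP"):     # ports are only evaluated for TCP and UDP
            if self.from_port != "Any" and int(self.from_port) != pkt.src_port:
                return False
            if self.to_port != "Any" and int(self.to_port) != pkt.dst_port:
                return False
        return True

@dataclass
class Forward:
    protocol: str               # "TCP" or "UDP"
    dest_port: int              # port at which the packets arrive from outside
    to_ip: str
    to_port: int

@dataclass
class StatefulFirewall:
    incoming: List[Rule] = field(default_factory=list)
    forwards: List[Forward] = field(default_factory=list)
    log_unknown: bool = False
    log: List[str] = field(default_factory=list)
    # queries sent from the local network; their replies need no incoming rule
    state: set = field(default_factory=set)

    def _dnat(self, pkt: Packet) -> Packet:
        # Destination NAT: rewrite the destination of a forwarded port
        for fw in self.forwards:
            if fw.protocol == pkt.proto and fw.dest_port == pkt.dst_port:
                return Packet(pkt.proto, pkt.src_ip, pkt.src_port, fw.to_ip, fw.to_port)
        return pkt

    def outbound(self, pkt: Packet) -> None:
        # a query leaving the local network (assumed to pass the outgoing rules)
        self.state.add((pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))

    def inbound(self, pkt: Packet) -> str:
        if (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self.state:
            return "Accept"     # reply to a previous query
        pkt = self._dnat(pkt)   # port forwarding happens before the filter
        for rule in self.incoming:
            if rule.matches(pkt):
                if rule.log:
                    self.log.append(f"{rule.action} {pkt}")
                return rule.action
        if self.log_unknown:
            self.log.append(f"unknown connection attempt {pkt}")
        return "Drop"           # no matching rule: nothing goes through

def demo() -> dict:
    ext_ip = "198.51.100.1"     # constructed external address of the MD741-1
    fw = StatefulFirewall(log_unknown=True)
    fw.forwards.append(Forward("TCP", 80, "192.168.1.10", 80))
    web = Packet("TCP", "203.0.113.5", 40000, ext_ip, 80)
    out = {}
    # the forwarding rule alone is not enough: the filter still has no rule
    out["forward_without_rule"] = fw.inbound(web)
    fw.incoming.append(Rule(protocol="TCP", from_ip="203.0.113.0/24",
                            to_ip="192.168.1.10", to_port="80", log=True))
    out["forward_with_rule"] = fw.inbound(web)
    out["wrong_source"] = fw.inbound(Packet("TCP", "192.0.2.7", 40000, ext_ip, 80))
    # reply direction: open only after the local side has sent a query
    reply = Packet("UDP", "203.0.113.53", 53, "192.168.1.20", 5353)
    out["unsolicited_reply"] = fw.inbound(reply)
    fw.outbound(Packet("UDP", "192.168.1.20", 5353, "203.0.113.53", 53))
    out["reply_after_query"] = fw.inbound(reply)
    out["log"] = list(fw.log)
    return out
```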
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
Forwarding Rules
Protocol: All
Destination port: 80
Forward to IP: 127.0.0.1
Forward to port: 80
Log: No (switched off)
6.3 Advanced security functions
The advanced security functions serve to protect the SINAUT MD741-1 and the
local applications against attacks. For protective purposes it is assumed that only a
certain number of connections or received PING packets are permissible and
desirable in normal operation, and that a sudden burst represents an attack.
Figure 6-3
Security > Advanced Settings
Maximum number …
The entries
● Maximum number of parallel connections
● Maximum number of new incoming TCP connections per second
● Maximum number of new outgoing TCP connections per second
● Maximum number of new incoming ping packets per second
● Maximum number of new outgoing ping packets per second
set the upper limits. The settings (see illustration) have been selected so that they
will in practice never be reached in normal use. In the event of an attack, however,
they can be reached very easily, which means that the limitations constitute
additional protection. If your operating environment contains special requirements,
then you can change the values accordingly.
External ICMP to the SINAUT MD741-1
You can use this option to affect the response when ICMP packets are received
that are sent from the external network in the direction of the SINAUT MD741-1.
You have the following options:
● Drop: All ICMP packets to the SINAUT MD741-1 are discarded.
● Allow Ping: Only ping packets (ICMP type 8) to the SINAUT MD741-1 are accepted.
● Accept: All types of ICMP packets to the SINAUT MD741-1 are accepted.
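As an added example (not Siemens code and not part of this manual), the Python model below applies the limits of this chapter to a constructed burst of connection attempts and to single ICMP packets. The factory values 4096, 25 and 75 and the three ICMP options are those of the manual; the per-second counting, the small parallel cap of 30 and the burst itself are constructed.

```python
"""Added example, not Siemens code: a model of the limits in Chapter 6.3. The
factory values 4096 / 25 / 75 and the three ICMP options are from the manual;
per-second counting, the small parallel cap and the burst are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Tuple

@dataclass
class Limits:
    max_parallel: int = 4096
    max_new_in_tcp_per_s: int = 25
    max_new_out_tcp_per_s: int = 75
    external_icmp: str = "Drop"         # "Drop", "Allow Ping" or "Accept"

@dataclass
class ConnectionGuard:
    limits: Limits = field(default_factory=Limits)
    open_connections: int = 0
    # new connections counted per (direction, whole second)
    new_per_second: Dict[Tuple[str, int], int] = field(default_factory=lambda: defaultdict(int))

    def new_tcp(self, direction: str, t: float) -> bool:
        """Admit (True) or refuse (False) a new TCP connection at time t in seconds."""
        if self.open_connections >= self.limits.max_parallel:
            return False
        cap = (self.limits.max_new_in_tcp_per_s if direction == "in"
               else self.limits.max_new_out_tcp_per_s)
        key = (direction, int(t))
        if self.new_per_second[key] >= cap:
            return False                # burst above the limit: refused
        self.new_per_second[key] += 1
        self.open_connections += 1
        return True

    def close(self) -> None:
        self.open_connections = max(0, self.open_connections - 1)

    def external_icmp(self, icmp_type: int) -> bool:
        """Apply the 'External ICMP to the MD741-1' option to one ICMP packet."""
        policy = self.limits.external_icmp
        if policy == "Accept":
            return True
        if policy == "Allow Ping":
            return icmp_type == 8       # only echo requests (ping)
        return False                    # Drop

def demo() -> dict:
    out = {}
    guard = ConnectionGuard()           # factory limits
    # a burst of 100 new connections within one second in each direction
    out["in_per_s"] = sum(guard.new_tcp("in", 10 + i / 100) for i in range(100))
    out["out_per_s"] = sum(guard.new_tcp("out", 10 + i / 100) for i in range(100))
    # parallel limit: constructed cap of 30 so that it is reached quickly
    small = ConnectionGuard(Limits(max_parallel=30))
    first = sum(small.new_tcp("in", 20 + i / 100) for i in range(100))
    second = sum(small.new_tcp("in", 21 + i / 100) for i in range(100))
    out["parallel"] = (first, second)
    out["icmp"] = {}
    for policy in ("Drop", "Allow Ping", "Accept"):
        g = ConnectionGuard(Limits(external_icmp=policy))
        out["icmp"][policy] = (g.external_icmp(8), g.external_icmp(0))   # request, reply
    return out
```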
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
Maximum number of parallel connections: 4096
Maximum number of new incoming TCP connections per second: 25
Maximum number of new outgoing TCP connections per second: 75
Maximum number of new incoming ping packets per second:
Maximum number of new outgoing ping packets per second:
External ICMP to the MD741-1: Drop
6.4 Firewall Log
The application of individual firewall rules is recorded in the firewall log. To do this,
the LOG function must be activated for the various firewall functions.
Figure 6-4
Security > Firewall Log
Caution
The firewall log is lost in the event of a reboot.
7 VPN connection
The SINAUT MD741-1 can connect the local network to a friendly remote network via a VPN
tunnel. The IP data packets that are exchanged between the two networks are encrypted, and
are protected against unauthorised tampering by the VPN tunnel. This means that even
unprotected public networks like the Internet can be used to transfer data without endangering
the confidentiality or integrity of the data.
Figure 7-1
IPsec VPN > Connections
For the SINAUT MD741-1 to establish a VPN tunnel, the remote network must
have a VPN gateway as the remote station for the SINAUT MD741-1.
Figure 7-2 IPsec VPN - Connections (figure: local network with the MD741-1, local applications and an Admin PC; VPN tunnel via (E-)GPRS, the APN and the Internet to the VPN gateway of the remote network with its Admin PC; external remote stations on the Internet)
For the VPN tunnel, the SINAUT MD741-1 uses the IPsec method in tunnel mode.
In this method the IP data packets to be transmitted are completely encrypted and
provided with a new header before they are sent to the remote station's VPN
gateway. There the data packets are received, decrypted, and used to reconstruct
the original data packets. These are then forwarded to their destination in the
remote network.
Differences between the two VPN connection modes:
● In VPN Roadwarrior Mode the SINAUT MD741-1 VPN can accept connections from remote stations with an unknown address. These can be, for example, remote stations in mobile use that obtain their IP address dynamically. The VPN connection must be established by the remote station. Only one VPN connection is possible in Roadwarrior Mode. VPN connections in Standard Mode can be used at the same time.
● In VPN Standard Mode the address (IP address or hostname) of the remote station's VPN gateway must be known for the VPN connection to be established. The VPN connection can be established either by the SINAUT MD741-1 or by the remote station's VPN gateway as desired.
Establishment of the VPN connection is subdivided into two phases: First in Phase
1 (ISAKMP = Internet Security Association and Key Management Protocol) the
Security Association (SA) for the key exchange between the SINAUT MD741-1 and
the VPN gateway of the remote station is established.
After that in Phase 2 (IPsec = Internet Protocol Security) the Security Association
(SA) for the actual IPsec connection between the SINAUT MD741-1 and the
remote station's VPN gateway is established.
Requirements for the remote network's VPN gateway
In order to successfully establish an IPsec connection, the VPN remote station
must support IPsec with the following configuration:
● Authentication via X.509 certificates, CA certificates or pre-shared key (PSK)
● ESP
● Diffie-Hellman group 1, 2 or 5
● 3DES or AES encryption
● MD5 or SHA-1 hash algorithms
● Tunnel Mode
● Quick Mode
● Main Mode
● SA Lifetime (1 second to 24 hours)
If the remote station is a computer running under Windows 2000, then the
Microsoft Windows 2000 High Encryption Pack or at least Service Pack 2 must
also be installed.
If the remote station is on the other side of a NAT router, then the remote station
must support NAT-T. Or else the NAT router must know the IPsec protocol
(IPsec/VPN passthrough).
7.1 VPN Roadwarrior Mode
The Roadwarrior Mode makes it possible for the SINAUT MD741-1 VPN to accept
a VPN connection initiated by a remote station with an unknown IP address. The
remote station must authenticate itself properly; in this VPN connection there is no
identification of the remote station based on the IP address or the hostname of the
remote station.
Figure 7-3
IPsec VPN > Connections
Set the SINAUT MD741-1 up in accordance with what has been agreed with the
system administrator of the remote station.
Roadwarrior Mode Edit Settings
Figure 7-4
IPsec VPN > Connection Settings
Function
Set the SINAUT MD741-1 up in accordance with what has been agreed with the
system administrator of the remote station.
Authentication method
Select the authentication method in accordance with what you have agreed with
the system administrator of the remote station.
The SINAUT MD741-1 supports three methods:
● X.509 certificate
● CA certificate
● Pre-shared key
X.509 certificate, CA certificate
In the authentication methods X.509 certificate and CA certificate, the keys used
for authentication have first been signed by a Certification Authority (CA). This
method is considered especially secure. A CA can be a service provider, but also,
for example, the system administrator for your project, provided that he has the
necessary software tools.
The CA creates a certificate file (PKCS12) with the file extension *.p12 for each of
the two remote stations. This certificate file contains the public and private keys of
the station itself, the signed certificate from the CA, and the public key of the CA.
For the authentication method X.509 there is additionally a key file (*.pem, *.cer or
*.crt) for each of the two remote stations with the public key of the station itself.
X.509 certificate
The public keys (files with extension *.pem, *.cer or *.crt) are exchanged manually
between the SINAUT MD741-1 and the remote station's VPN gateway, for example
on a CD-ROM or via e-mail. To load the certificate, proceed as described in
Chapter 7.3.
CA certificate
The public keys are exchanged between the SINAUT MD741-1 and the remote
station's VPN gateway via the data connection when the VPN connection is
established. Manual exchange of the key files is not necessary.
Pre-shared secret key (PSK)
This method is primarily supported by older IPsec implementations. Here
authentication is performed with a character string agreed on beforehand. In order
to obtain high security, the character string should consist of about 30 randomly
selected lower-case and upper-case letters and numerals.
Remote certificate
If you have selected X.509 certificate as the authentication method, then a list of
the remote certificates that you have already loaded into the SINAUT MD741-1 is
displayed here. Select the certificate for the VPN connection.
Remote ID, Local ID
The Local ID and the Remote ID are used by IPsec to identify the remote stations
uniquely when establishing the VPN connection. The own Local ID constitutes the
Remote ID of the remote station and vice versa.
For authentication with X.509 certificate or CA certificate:
● If you keep the factory setting NONE, then the Distinguished Names from the own certificate and from the certificate communicated by the remote station are automatically used as the Local ID and Remote ID.
● If you manually change the entry for the Local ID or the Remote ID, then the corresponding entries must be adapted at the remote station. The manual entry for Local or Remote ID must be made in the ASN.1 format, e.g. "C=XY/O=XY Org/CN=xy.org.org"
For authentication with pre-shared secret key (PSK):
● In Roadwarrior Mode the Remote ID must be entered manually. The Remote ID must have the format of a hostname (e.g. RemoteStation.de) or the format of an e-mail address (remote@station.de), and must be the same as the Local ID of the remote station.
● The Local ID can be left on NONE. In this case the IP address is used as the Local ID. If you enter a Local ID, then it must have the format of a hostname (e.g. RemoteStation.de) or the format of an e-mail address (remote@station.de), and must be the same as the Local ID of the remote station.
Roadwarrior Mode Edit IKE
Here you can define the properties of the VPN connection according to your
requirements and what you have agreed with the system administrator of the
remote station.
Figure 7-5
IPsec VPN > Edit IKE
ISAKMP-SA encryption, IPsec-SA encryption
Agree with the administrator of the remote station which encryption method will be
used for the ISAKMP-SA and the IPsec-SA. The SINAUT MD741-1 supports the
following methods:
● 3DES-168
● AES-128
● AES-192
● AES-256
3DES-168 is a commonly used method and is therefore set as the default.
The method can be defined differently for ISAKMP-SA and IPsec-SA.
Note:
The more bits in the encryption algorithm - indicated by the appended number - the
more secure it is. The method AES-256 is therefore considered the most secure.
However, the longer the key, the more time the encryption process takes and the
more computing power is required.
ISAKMP-SA hash, IPsec-SA hash
Agree with the administrator of the remote station which method will be used for
computing checksums/hashes during the ISAKMP phase and the IPsec phase. The
following selections are available:
● MD5 or SHA-1 (automatic detection)
● MD5
● SHA-1
The method can be defined differently for ISAKMP-SA and IPsec-SA.
ISAKMP-SA mode
Agree with the administrator of the remote station which method will be used for
negotiating the ISAKMP-SA. The following selections are available:
● Main mode
● Aggressive mode
Note:
When the authentication method Pre-Shared Key is used, Aggressive mode must
be set in Roadwarrior mode.
ISAKMP-SA lifetime, IPsec-SA lifetime
The keys for an IPsec connection are renewed at certain intervals in order to
increase the effort required to attack an IPsec connection.
Specify the lifetime (in seconds) of the keys agreed on for the ISAKMP-SA and
IPsec-SA.
The lifetime can be defined differently for ISAKMP-SA and IPsec-SA.
NAT-T
There may be a NAT router between the SINAUT MD741-1 and the VPN gateway
of the remote network. Not all NAT routers allow IPsec data packets to go through.
It may therefore be necessary to encapsulate the IPsec data packets in UDP
packets so that they can go through the NAT router.
On:
If the SINAUT MD741-1 detects a NAT router that does not let the IPsec data
packets through, then UDP encapsulation is started automatically.
Force:
During negotiation of the connection parameters for the VPN connection,
encapsulated transmission of the data packets during the connection is insisted
upon.
Off:
The NAT-T function is switched off.
Enable dead peer detection
If the remote station supports the dead peer detection (DPD) protocol, then the
partner in question can detect whether the IPsec connection is still valid or not,
meaning that it may have to be re-established. Without DPD, depending on the
configuration it may be necessary to wait until the SA lifetime elapses or the
connection has to be re-initiated manually. To check whether the IPsec connection
is still valid, the dead peer detection sends DPD requests to the remote station
itself. If there is no answer, then after the permitted number of failed attempts the
IPsec connection is considered to be interrupted.
Yes
Dead peer detection is switched on. Independently of the transmission of user
data, the SINAUT MD741-1 detects if the connection is lost, in which case it waits
for the connection to be re-established by the remote stations.
No
Dead peer detection is switched off.
DPD - delay (seconds)
Time period in seconds after which DPD requests will be sent. These requests test
whether the remote station is still available.
DPD - timeout (seconds)
Time period in seconds after which the connection to the remote station will be
declared dead if no response has been made to the DPD requests.
DPD - maximum failures
Number of failed attempts permitted before the IPsec connection is considered to
be interrupted.
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
Name: Any
Enabled: No (switched off)
Authentication method: CA certificate
Remote ID: NONE
Local ID: NONE
Remote certificate:
ISAKMP-SA encryption: 3DES-168
IPsec-SA encryption: 3DES-168
ISAKMP-SA hash: MD5
IPsec-SA hash: MD5
ISAKMP-SA mode: Main
ISAKMP-SA lifetime (seconds): 86400
IPsec-SA lifetime (seconds): 86400
NAT-T: On
Enable dead peer detection: Yes
DPD - delay (seconds): 150
DPD - timeout (seconds): 60
DPD - maximum failures:
7.2 VPN IPsec Standard Mode
The VPN connections already created are shown. You can enable (Enabled = Yes)
or disable (Enabled = No) each individual connection. You can use New to add
additional VPN connections, Edit Settings and Advanced Settings to set them up,
and Delete to remove a connection.
Figure 7-6
IPsec VPN > Connections
VPN Standard Mode - Edit Settings
Figure 7-7
IPsec VPN > Connection Settings
Connection name
Give the new connection a connection name here.
Remote host
Specify the address of the remote station here, either as a hostname (e.g.
myaddress.com) or as an IP address.
Figure 7-8 Address of the remote host (figure: as in Figure 7-2, with the address of the remote network shown at the VPN gateway of the remote network)
X.509 certificate, CA certificate
In the authentication methods X.509 certificate and CA certificate, the keys used
for authentication have first been signed by a Certification Authority (CA). This
method is considered especially secure. A CA can be a service provider, but also,
for example, the system administrator for your project, provided that he has the
necessary software tools. The CA creates a certificate file (PKCS12) with the file
extension *.p12 for each of the two remote stations. This certificate file contains the
public and private keys of the station itself, the signed certificate from the CA, and
the public key of the CA. For the authentication method X.509 there is additionally
a key file (*.pem, *.cer or *.crt) for each of the two remote stations with the public
key of the station itself.
X.509 certificate
The public keys (files with extension *.pem, *.cer or *.crt) are exchanged manually
between the SINAUT MD741-1 and the remote station's VPN gateway, for example
on a CD-ROM or via e-mail. To load the certificate, proceed as described in
Chapter 7.3.
CA certificate
The public keys are exchanged between the SINAUT MD741-1 and the remote
station's VPN gateway via the data connection when the VPN connection is
established. Manual exchange of the key files is not necessary.
Pre-shared secret key (PSK)
This method is primarily supported by older IPsec implementations. Here
authentication is performed with a character string agreed on beforehand. In order
to obtain high security, the character string should consist of about 30 randomly
selected lower-case and upper-case letters and numerals.
Remote ID, Local ID
The Local ID and the Remote ID are used by IPsec to identify the remote stations
uniquely when establishing the VPN connection.
For authentication with X.509 certificate or CA certificate:
● If you keep the factory setting NONE, then the Distinguished Names from the own certificate and from the certificate communicated by the remote station are automatically applied and used as the Local ID and Remote ID.
● If you manually change the entry for the Local ID or the Remote ID, then the corresponding entries must be adapted at the remote station. The own Local ID must be the same as the Remote ID of the remote station and vice versa. The entries for Local or Remote IDs must be made in the ASN.1 format, e.g. "C=XY/O=XY Org/CN=xy.org.org"
For authentication with pre-shared secret key (PSK):
● If you keep the factory setting NONE, then the own IP address is automatically used as the Local ID, and the IP address of the remote station is used as the Remote ID.
● If you manually change the entry for the Local ID or for the Remote ID, then the entries must have the format of a hostname (e.g. RemoteStation.de) or the format of an e-mail address (remote@station.de). The own Local ID must be the same as the Remote ID of the remote station and vice versa.
Note:
If with pre-shared secret key (PSK) the IP address is not used as the Remote ID,
then the Aggressive Mode has to be set as the ISAKMP-SA mode.
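As an added example (not Siemens code and not part of this manual), the following Python checker collects the Local ID / Remote ID and ISAKMP-SA mode rules stated for Roadwarrior Mode (Chapter 7.1) and Standard Mode (Chapter 7.2), together with the PSK length recommendation and the SA lifetime range, and applies them to constructed connection settings. The dataclass, the patterns and the sample values are constructed; the rules themselves are those of the manual.

```python
"""Added example, not Siemens code: a checker for the Local ID / Remote ID and
ISAKMP-SA mode rules of Chapters 7.1 and 7.2. The constraints are the ones the
manual states; the dataclass, the patterns and the sample values are constructed."""
import re
from dataclasses import dataclass
from typing import List

HOSTNAME = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")           # e.g. RemoteStation.de
EMAIL = re.compile(r"^[^@\s/]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")      # e.g. remote@station.de
ASN1_DN = re.compile(r"^[A-Za-z]+=[^/]+(/[A-Za-z]+=[^/]+)*$")          # e.g. C=XY/O=XY Org/CN=xy.org.org
CERT_METHODS = ("X.509 certificate", "CA certificate")

@dataclass
class VpnConnection:
    mode: str                   # "Roadwarrior" or "Standard"
    auth: str                   # "X.509 certificate", "CA certificate" or "Pre-shared key"
    local_id: str = "NONE"
    remote_id: str = "NONE"
    isakmp_mode: str = "Main"   # "Main" or "Aggressive"
    psk: str = ""
    isakmp_lifetime: int = 86400
    ipsec_lifetime: int = 86400

def validate(c: VpnConnection) -> List[str]:
    """Return the list of violated rules from Chapters 7.1 and 7.2 (empty = ok)."""
    errors = []
    ids = (("Local ID", c.local_id), ("Remote ID", c.remote_id))
    if c.auth in CERT_METHODS:
        # NONE takes the Distinguished Names from the certificates; manual entries are ASN.1
        for name, value in ids:
            if value != "NONE" and not ASN1_DN.match(value):
                errors.append(f"{name} must be in ASN.1 format, e.g. C=XY/O=XY Org/CN=xy.org.org")
    elif c.auth == "Pre-shared key":
        for name, value in ids:
            if value != "NONE" and not (HOSTNAME.match(value) or EMAIL.match(value)):
                errors.append(f"{name} must be a hostname or an e-mail address")
        if c.mode == "Roadwarrior":
            if c.remote_id == "NONE":
                errors.append("Roadwarrior with PSK: the Remote ID must be entered manually")
            if c.isakmp_mode != "Aggressive":
                errors.append("Roadwarrior with PSK: ISAKMP-SA mode must be Aggressive")
        elif c.remote_id != "NONE" and c.isakmp_mode != "Aggressive":
            # NONE means the IP address is used; any other Remote ID needs Aggressive mode
            errors.append("Standard mode with PSK and a Remote ID: ISAKMP-SA mode must be Aggressive")
        if len(c.psk) < 30 or not c.psk.isalnum():
            errors.append("PSK should be about 30 randomly selected letters and numerals")
    else:
        errors.append(f"unknown authentication method {c.auth!r}")
    for name, life in (("ISAKMP-SA", c.isakmp_lifetime), ("IPsec-SA", c.ipsec_lifetime)):
        if not 1 <= life <= 86400:
            errors.append(f"{name} lifetime must be between 1 second and 24 hours")
    return errors

def ids_match(own: VpnConnection, peer: VpnConnection) -> bool:
    """The own Local ID is the peer's Remote ID and vice versa."""
    return own.local_id == peer.remote_id and own.remote_id == peer.local_id

def demo() -> dict:
    psk = "Q7wZ2pL9aK4mX1cV8bN3rT6yU0eH5s"      # constructed 30-character example
    out = {}
    out["rw_psk_main"] = validate(VpnConnection("Roadwarrior", "Pre-shared key",
                                                remote_id="RemoteStation.de", psk=psk))
    out["rw_psk_ok"] = validate(VpnConnection("Roadwarrior", "Pre-shared key",
                                              remote_id="RemoteStation.de", isakmp_mode="Aggressive", psk=psk))
    out["std_psk_hostname_main"] = validate(VpnConnection("Standard", "Pre-shared key",
                                                          remote_id="remote@station.de", psk=psk))
    out["std_psk_weak_key"] = validate(VpnConnection("Standard", "Pre-shared key", psk="secret"))
    out["cert_bad_dn"] = validate(VpnConnection("Standard", "CA certificate", local_id="just a name"))
    out["cert_ok"] = validate(VpnConnection("Standard", "CA certificate", local_id="C=XY/O=XY Org/CN=xy.org.org"))
    local = VpnConnection("Standard", "Pre-shared key", local_id="local@station.de",
                          remote_id="RemoteStation.de", isakmp_mode="Aggressive", psk=psk)
    remote = VpnConnection("Standard", "Pre-shared key", local_id="RemoteStation.de",
                           remote_id="local@station.de", isakmp_mode="Aggressive", psk=psk)
    out["pair_match"] = ids_match(local, remote)
    return out
```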
Scalance S ID
If you have loaded a Scalance S certificate, by clicking the Scalance S button, you
can load the Remote ID from the certificate.
Wait for remote connection
Yes
The SINAUT MD741-1 waits for the VPN gateway of the remote network to initiate
establishment of the VPN connection.
No
The SINAUT MD741-1 initiates establishment of the connection.
Remote net address
Here enter the IP address (e.g. 123.123.123.123) of the remote network. The
remote network can also be only a single computer.
Figure 7-9 Remote net address (figure: as in Figure 7-2, with the address of the local network and the address of the remote network shown on their respective sides of the VPN tunnel)
Remote subnet mask
Here enter the subnet mask (e.g. 255.255.255.0) of the remote network. The
remote network can also be only a single computer.
Local net address
Here enter the IP address (e.g. 123.123.123.123) of the local network. The local
network can also be only a single computer.
Local subnet mask
Here enter the subnet mask (e.g. 255.255.255.0) of the local network. The local
network can also be only a single computer.
Firewall rules for VPN tunnel
See Chapter 7.4
VPN Standard Mode - Edit IKE
Here you can define the properties of the VPN connection according to your
requirements and what you have agreed with the system administrator of the
remote station.
Figure 7-10
IPsec > IKE Settings
ISAKMP-SA encryption, IPsec-SA encryption
Agree with the administrator of the remote station which encryption method will be
used for the ISAKMP-SA and the IPsec-SA. The SINAUT MD741-1 supports the
following methods:
● 3DES-168
● AES-128
● AES-192
● AES-256
3DES-168 is a commonly used method and is therefore set as the default. The
method can be defined differently for ISAKMP-SA and IPsec-SA.
Note:
The more bits in the encryption algorithm - indicated by the appended number - the
more secure it is. The method AES-256 is therefore considered the most secure.
However, the longer the key, the more time the encryption process takes and the
more computing power is required.
ISAKMP-SA hash, IPsec-SA hash
Agree with the administrator of the remote station which method will be used for
computing checksums/hashes during the ISAKMP phase and the IPsec phase. The
following selections are available:
● MD5 or SHA-1 (automatic detection)
● MD5
● SHA-1
The method can be defined differently for ISAKMP-SA and IPsec-SA.
ISAKMP-SA mode
Agree with the administrator of the remote station which method will be used for
negotiating the ISAKMP-SA. The following selections are available:
● Main mode
● Aggressive mode
DH/PFS group
Agree with the administrator of the remote station the DH group for the key
exchange.
ISAKMP-SA lifetime, IPsec-SA lifetime
The keys for an IPsec connection are renewed at certain intervals in order to
increase the effort required to attack an IPsec connection.
Specify the lifetime (in seconds) of the keys agreed on for the ISAKMP-SA and
IPsec-SA.
The lifetime can be defined differently for ISAKMP-SA and IPsec-SA.
NAT-T
There may be a NAT router between the SINAUT MD741-1 and the VPN gateway
of the remote network. Not all NAT routers allow IPsec data packets to go through.
It may therefore be necessary to encapsulate the IPsec data packets in UDP
packets so that they can go through the NAT router.
On:
If the SINAUT MD741-1 detects a NAT router that does not let the IPsec data
packets through, then UDP encapsulation is started automatically.
Force:
During negotiation of the connection parameters for the VPN connection,
encapsulated transmission of the data packets during the connection is insisted
upon.
Off:
The NAT-T function is switched off.
Enable dead peer detection
If the remote station supports the dead peer detection (DPD) protocol, then the
partner in question can detect whether the IPsec connection is still valid or not,
meaning that it may have to be re-established. Without DPD, depending on the
configuration it may be necessary to wait until the SA lifetime elapses or the
connection has to be re-initiated manually. To check whether the IPsec connection
is still valid, the dead peer detection sends DPD requests to the remote station
itself. If there is no answer, then after the permitted number of failed attempts the
IPsec connection is considered to be interrupted.
Yes
Dead peer detection is switched on. Attempts are made to re-establish the IPsec
connection if it has been declared dead, independently of the transmission of user
data.
No
Dead peer detection is switched off.
DPD - delay (seconds)
Time period in seconds after which DPD requests will be sent. These requests test
whether the remote station is still available.
DPD - timeout (seconds)
Time period in seconds after which the connection to the remote station will be
declared dead if no response has been made to the DPD requests.
DPD – maximum failures
Number of failed attempts permitted before the IPsec connection is considered to
be interrupted.
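The following Python script, added here as an example and not taken from the device or from Siemens, simulates the DPD timing described above with the factory values DPD delay 150 s and DPD timeout 60 s. Its model (a request is sent `delay` seconds after the last traffic or reply, an unanswered request counts as one failure after `timeout` seconds and is followed immediately by the next request, a reply resets the counter) and the value 3 for DPD - maximum failures are assumptions of the example; the manual leaves the factory value for the maximum failures blank. It shows that with these values a dead peer is noticed within delay + max_failures * timeout = 330 s, whereas without DPD the device may only notice when the SA lifetime (86400 s in the factory setting) elapses.

```python
"""Dead peer detection timing, simulated. Added example, not device code."""


def dpd_dead_at(peer_silent_from, delay, timeout, max_failures, last_activity=0.0):
    """Simulate DPD against a peer that answers every request sent before
    `peer_silent_from` and none sent after it. Returns the simulated time at
    which the device declares the IPsec connection dead.

    Model (assumption of this example): a request goes out `delay` seconds after
    the last activity; an unanswered request counts as one failure once `timeout`
    seconds have passed and the next request is sent at that moment; a reply
    resets the failure counter and counts as activity."""
    if max_failures < 1:
        raise ValueError("max_failures must be at least 1")
    next_send = last_activity + delay
    failures = 0
    while True:
        if next_send < peer_silent_from:
            # Answered: the reply is activity, so the next probe waits `delay` again.
            failures = 0
            next_send += delay
            continue
        failures += 1                  # no reply within `timeout`
        if failures >= max_failures:
            return next_send + timeout
        next_send += timeout           # retransmit as soon as the previous probe times out


def worst_case_detection(delay, timeout, max_failures):
    """Upper bound on how long a dead peer stays unnoticed: the peer may fall
    silent right after answering, so a full `delay` passes before the first
    probe, then every probe takes `timeout` seconds to fail."""
    return delay + max_failures * timeout


if __name__ == "__main__":
    # Factory values delay=150, timeout=60; max_failures=3 assumed (blank on the page).
    print("peer silent from t=1000 s, declared dead at t=%.0f s"
          % dpd_dead_at(1000, 150, 60, 3))
    print("worst case %d s; without DPD up to the SA lifetime of 86400 s"
          % worst_case_detection(150, 60, 3))
```

Shortening the delay or the timeout lowers the detection time at the cost of more probe traffic over the EGPRS/GPRS link, which is billed by volume; the worst case bound above is the number to size against.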
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
Name                              NewConnection
Enabled                           No (switched off)
Authentication method             CA certificate
Remote ID                         NONE
Local ID                          NONE
Remote certificate
Wait for remote connection        No
Remote net address                192.168.2.1
Remote subnet mask                255.255.255.0
Local net address                 192.168.1.1
Local subnet mask                 255.255.255.0
ISAKMP-SA encryption              3DES-168
IPsec-SA encryption               3DES-168
ISAKMP-SA hash                    MD5
IPsec-SA hash                     MD5
DH/PFS group                      DH-2 1024
ISAKMP-SA mode                    Main
ISAKMP-SA lifetime (seconds)      86400
IPsec-SA lifetime (seconds)       86400
NAT-T                             On
Enable dead peer detection        Yes
DPD - delay (seconds)             150
DPD - timeout (seconds)           60
DPD - maximum failures
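The factory defaults above (3DES-168, MD5, DH group 2 with 1024 bits, identical ISAKMP-SA and IPsec-SA lifetimes) are what a connection gets if nothing is changed. The Python script below, an added example that is not part of the manual, checks such a settings table against a hardening policy. The factory values are the ones listed; the policy thresholds and the option names used for the hardened variant (AES-256, SHA-256, DH-14 2048) are assumptions of the example, because which cipher, hash and DH group names the device actually offers has to be read from its Connection Settings page.

```python
"""Policy check for the IPsec connection settings listed above. Added example;
thresholds and hardened option names are this example's own assumptions."""

# Factory settings as listed on the page.
FACTORY = {
    "ISAKMP-SA encryption": "3DES-168",
    "IPsec-SA encryption": "3DES-168",
    "ISAKMP-SA hash": "MD5",
    "IPsec-SA hash": "MD5",
    "DH/PFS group": "DH-2 1024",
    "ISAKMP-SA mode": "Main",
    "ISAKMP-SA lifetime (seconds)": 86400,
    "IPsec-SA lifetime (seconds)": 86400,
    "Enable dead peer detection": "Yes",
}

# Policy assumed by this example (current general guidance, not the manual's).
WEAK_CIPHERS = {"DES", "3DES-168"}   # 64-bit block ciphers; 3DES is deprecated by NIST
WEAK_HASHES = {"MD5"}                # collision-broken; SHA-2 preferred for IKE integrity
MIN_DH_BITS = 2048                   # 1024-bit MODP is below current minimum recommendations


def dh_bits(group):
    """'DH-2 1024' -> 1024, parsing the 'DH-<n> <bits>' form used in the table."""
    return int(group.split()[-1])


def audit(settings):
    """Return one finding per setting that violates the policy; [] means compliant."""
    findings = []
    for key in ("ISAKMP-SA encryption", "IPsec-SA encryption"):
        if settings[key] in WEAK_CIPHERS:
            findings.append(f"{key} = {settings[key]}: weak cipher, prefer AES")
    for key in ("ISAKMP-SA hash", "IPsec-SA hash"):
        if settings[key] in WEAK_HASHES:
            findings.append(f"{key} = {settings[key]}: weak hash, prefer SHA-2")
    if dh_bits(settings["DH/PFS group"]) < MIN_DH_BITS:
        findings.append(f"DH/PFS group = {settings['DH/PFS group']}: below {MIN_DH_BITS} bits")
    if settings["ISAKMP-SA mode"] != "Main":
        findings.append("ISAKMP-SA mode: use Main mode; Aggressive mode sends the identity "
                        "in clear and exposes a PSK-derived hash to offline guessing")
    if settings["IPsec-SA lifetime (seconds)"] >= settings["ISAKMP-SA lifetime (seconds)"]:
        findings.append("IPsec-SA lifetime should be shorter than the ISAKMP-SA lifetime "
                        "so that data keys rotate at least as often as the IKE SA")
    if settings["Enable dead peer detection"] != "Yes":
        findings.append("Dead peer detection off: a dead tunnel is only noticed at SA expiry")
    return findings


# Hardened variant; the option names are assumed, check what the device offers.
HARDENED = dict(FACTORY, **{
    "ISAKMP-SA encryption": "AES-256",
    "IPsec-SA encryption": "AES-256",
    "ISAKMP-SA hash": "SHA-256",
    "IPsec-SA hash": "SHA-256",
    "DH/PFS group": "DH-14 2048",
    "IPsec-SA lifetime (seconds)": 3600,
})

if __name__ == "__main__":
    for finding in audit(FACTORY):
        print("factory:", finding)
    print("hardened findings:", audit(HARDENED))
```

Both ends of the tunnel must offer the same proposal, so the hardened values only help when the remote VPN gateway accepts them; otherwise Phase 1 fails within the Phase 1 timeout and the log in Chapter 9.2 shows the interrupted connection.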
7.3
Loading VPN certificates
Loading and administering certificates and keys.
Figure 7-11
IPsec > Certificates
Upload remote certificate
Load the files (*.pem, *.cer or *.crt) containing the certificates, i.e. the public keys, of the remote stations into the SINAUT MD741-1 here. To do this, the files must be saved on the Admin PC. A remote certificate is only required for the authentication method with X.509 certificate.
Upload PKCS12 file (.p12)
Here load the certificate file (PKCS12 file) with the file extension .p12 into the
SINAUT MD741-1. To do this, the certificate file must be saved on the Admin PC.
Caution
If there is already a certificate file in the device, then it must be deleted before
loading a new file.
Password
The certificate file (PKCS12 file) is password-protected. Here enter the password
that you received with the certificate file.
Remote certificates (*.pem, *.cer, *.crt)
A list of all loaded remote certificates is shown here. You can use Delete to remove a remote certificate that is no longer needed.
Device certificates (.p12)
The name and status of the loaded certificate file (PKCS12 file) is shown here. A
white check mark on a green dot indicates that the corresponding component of
the certificate file is present, a white cross on a red dot indicates that the
corresponding component is missing or that the wrong password was entered.
7.4
Firewall rules for VPN tunnel
The user interface for setting up the firewall rules for VPN tunnels can be found
under IPsec VPN > Connections:
Figure 7-12
IPsec > Connection Settings
IPsec VPN – Edit Firewall Rules
Figure 7-13
IPsec > Edit Firewall Rules
Function
The IPsec VPN connection is regarded as fundamentally secure. Data traffic over this connection is therefore not restricted by default: anything that reaches the tunnel from the remote network is passed to the local network. It is possible, however, to create firewall rules for the VPN connection.
To set up firewall rules for the VPN connection, proceed in the same way as for setting up the packet filter function of the general firewall (see Chapter 6.1). However, the rules defined here apply only to the specific VPN connection.
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
Firewall rules for VPN tunnel      No limitations
7.5
Advanced settings for VPN connections
Setting special timeouts and intervals for VPN connections.
Figure 7-14
IPsec > Advanced Settings
NAT-T keepalive interval (seconds)
If NAT-T is enabled (cf. Chapter 7.2), then keepalive data packets will be sent
periodically by the SINAUT MD741-1 through the VPN connection. The purpose of
this is to prevent a NAT router between the SINAUT MD741-1 and the remote
station from interrupting the connection during idle periods without data traffic.
Here you can change the interval between the keepalive data packets.
Phase 1 timeout (seconds)
The Phase 1 timeout determines how long the SINAUT MD741-1 waits for
completion of an authentication process of the ISAKMP-SA. If the set timeout is
exceeded, the authentication will be aborted and restarted.
Here you change the timeout.
Phase 2 timeout (seconds)
The Phase 2 timeout determines how long the SINAUT MD741-1 waits for
completion of an authentication process of the IPsec-SA. If the set timeout is
exceeded, the authentication will be aborted and restarted.
Here you change the timeout.
DynDNS tracking
If the VPN gateway of the remote station uses a DynDNS service to obtain its IP address and Dead Peer Detection is not used, the SINAUT MD741-1 should periodically check whether the remote VPN gateway is still reachable. The DynDNS tracking function does this. Yes activates the function, No deactivates it.
DynDNS tracking interval (minutes)
Configure here the interval at which the SINAUT MD741-1 checks whether the remote station is still reachable.
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
NAT-T keepalive interval (seconds)     60
Phase 1 timeout (seconds)              15
Phase 2 timeout (seconds)              10
DynDNS tracking                        Yes
DynDNS tracking interval (minutes)
7.6
Status of the VPN connections
Indicates the status of the enabled VPN connections and the option for loading a
protocol file to the Admin PC.
Figure 7-15
IPsec > Status
Enabled VPN Connections
A white check mark on a green dot indicates that the specific Security Association (SA) has been successfully established. A white cross on a red dot indicates that the Security Association does not exist.
Download VPN protocol
This function can be used to download the VPN protocol (log) file to the Admin PC.
8
Remote access
8.1
HTTPS remote access
The HTTPS remote access (= HyperText Transfer Protocol Secure) allows secure
access to the Web user interface of the SINAUT MD741-1 from an external
network via EGPRS, GPRS or CSD.
Configuration of the SINAUT MD741-1 via the HTTPS remote access then takes
place exactly like configuration via a Web browser via the local interface (see
chapter 3).
Figure 8-1
Access > HTTPS remote access
Enable HTTPS remote access
Yes
Access to the Web user interface of the SINAUT MD741-1 from the external
network via HTTPS is allowed.
No
Access via HTTPS is not allowed.
HTTPS remote access port
Default: 443 (factory setting)
You can define a different port. However, if you have defined a different port, then
the external remote station conducting the remote access must specify the port
number after the IP address when specifying the address.
Example:
If this SINAUT MD741-1 can be accessed via the Internet using the address
192.144.112.5, and if port number 442 has been defined for the remote access,
then the following must be specified in the Web browser at the external remote
station:
https://192.144.112.5:442
Firewall rules for HTTPS remote access
New
Adds a new firewall rule for HTTPS remote access that you can then fill out.
Delete
Removes a firewall rule for HTTPS remote access that has been created.
From IP (External)
Specify here the address(es) of the computer(s) for which remote access is
allowed. You have the following options:
IP address or address range: 0.0.0.0/0 means all addresses. To specify a range,
use the CIDR notation - see the Glossary.
Action
Define how access to the specified HTTPS port will be handled:
Accept means that the data packets can go through.
Reject means that the data packets are rejected, and the sender receives a
message about the rejection.
Drop means that the data packets are not allowed through. They are discarded
without the sender receiving any information about where they went.
Log
For each individual firewall rule you can define whether the event should be logged when the rule takes effect - set Log to Yes, or not - set Log to No (factory setting).
The log is kept in the firewall log, see Chapter 6.4.
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
Enable HTTPS remote access        No (switched off)
HTTPS remote access port          443
Default for new rules:
From IP (External)                0.0.0.0/0
Action                            Accept
Log                               No (switched off)
8.2
SSH remote access
The SSH remote access (= Secure Shell) allows secure access to the file system
of the SINAUT MD741-1 from an external network via EGPRS, GPRS or CSD.
To do this, a connection must be established using an SSH-capable program from
the external remote station to the SINAUT MD741-1.
Use the SSH remote access only if you are familiar with the LINUX file system.
In the factory setting this option is deactivated.
Figure 8-2
Access >SSH remote access
Warning
Via SSH remote access it is possible to derange the configuration of the device in
such a way that it will have to be sent in for servicing. In this case contact your
dealer or distributor.
Enable SSH remote access
Yes
Access to the file system of the SINAUT MD741-1 from the external network via
SSH is allowed.
No
Access via SSH is not allowed.
SSH remote access port
Default: 22 (factory setting)
You can define a different port. However, if you have defined a different port, then
the external remote station conducting the remote access must specify the port
number defined here in its SSH client.
Example:
If this SINAUT MD741-1 can be accessed from the external network using the
address 192.144.112.5, and if port 22222 has been defined for the remote access,
then this port number must be specified in the SSH client (e.g. PUTTY) at the
external remote station:
ssh -p 22222 192.144.112.5
Firewall rules for SSH remote access
New
Adds a new firewall rule for SSH remote access that you can then fill out.
Delete
Removes a firewall rule for SSH remote access that has been created.
From IP (External)
Specify here the address(es) of the computer(s) for which remote access is
allowed. You have the following options:
IP address or address range: 0.0.0.0/0 means all addresses. To specify a range,
use the CIDR notation - see the Glossary.
Action
Define how access to the specified SSH port will be handled:
Accept means that the data packets can go through.
Reject means that the data packets are rejected, and the sender receives a
message about the rejection.
Drop means that the data packets are not allowed through. They are discarded
without the sender receiving any information about where they went.
Log
For each individual firewall rule you can define whether the event should be logged
when the rule takes effect - set Log to Yes, or not - set Log to No (factory setting).
The log is kept in the firewall log, see Chapter 6.4.
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
Enable SSH remote access          No (switched off)
SSH remote access port            22
Default for new rules:
From IP (External)                0.0.0.0/0
Action                            Accept
Log                               No (switched off)
8.3
Remote access via dial-in connection
The CSD dial-in access makes it possible to access the Web user interface of the
SINAUT MD741-1 via a dial-in data connection (CSD = Circuit Switched Data). To
do this, call the SINAUT MD741-1 at the data call number using an analogue
modem, or at the voice or data call number of its SIM card using a GSM modem.
The SINAUT MD741-1 accepts the call if:
●
the call number of the telephone connection that you call from is saved in the
list of permitted numbers in SINAUT MD741-1, and
●
the call number is transmitted by the telephone network (CLIP function)
Dialling must be performed by a PPP client, for example via a Windows dial-up
connection. In Windows, use the New Connection Wizard, and under Connect to
the network at my workplace set up a Dial-up connection.
Figure 8-3
Access > CSD Dial-In
Enable CSD dial-in
Yes
Access to the Web user interface of the SINAUT MD741-1 from a dial-in data
connection is allowed.
No
Access via dial-in data connection is not allowed.
PPP username / password
Select a username and a password that must be used by a PPP client (e.g. a
Windows dial-up connection) to log on to the SINAUT MD741-1. The same
username and the same password must be entered in the PPP client.
Approved Call Numbers
Specify the call number of the telephone connection from which the dial-in data
connection is established. The telephone connection must support Calling Line
Identification Presentation (CLIP), and this function must be activated.
The call number entered in the SINAUT MD741-1 must be exactly the same as the
call number reported, and may also have to include the country code and prefix,
e.g. +494012345678.
If multiple call numbers of a private branch exchange are to have access
authorisation, you can use the "*" symbol as a wildcard, e.g. +49401234*. Then all
call numbers that begin with +49401234 will be accepted.
Note
Firewall rules entered for HTTPS and SSH access also apply for CSD access. The
source IP address ("From IP") for CSD access is defined as 10.99.99.2.
New
Adds a new approved call number for CSD remote access that you can then fill out.
Delete
Removes an approved call number for CSD remote access.
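The two access controls of this chapter, the From IP firewall rules of the HTTPS and SSH remote access (Chapters 8.1 and 8.2) and the approved call numbers of the CSD dial-in with its fixed source address 10.99.99.2, are modelled in the following Python script. It is an added example and not the device's own code. The rule fields (From IP in CIDR notation, Action Accept/Reject/Drop, Log), the CSD source address and the "*" wildcard are taken from the manual; first-match evaluation, dropping when no rule matches, and the sample rule sets are assumptions of the example. It shows why the factory default of 0.0.0.0/0 Accept for new rules should be replaced, and that a restricted rule set must still accept 10.99.99.2 or CSD dial-in is locked out.

```python
"""Remote-access rule evaluation for HTTPS/SSH and CSD dial-in. Added example,
not device code; first-match semantics and the rule sets are assumptions."""
import ipaddress
from dataclasses import dataclass

CSD_SOURCE = "10.99.99.2"   # source address the device assigns to a CSD dial-in session


@dataclass(frozen=True)
class Rule:
    from_ip: str          # "From IP (External)"; 0.0.0.0/0 means every address
    action: str           # "Accept", "Reject" or "Drop"
    log: bool = False     # "Log" column


def evaluate(rules, source, service="HTTPS", firewall_log=None):
    """Return the action of the first rule whose network contains `source`;
    Drop when no rule matches (assumption). Hits of rules with Log=Yes are
    appended to `firewall_log`."""
    src = ipaddress.ip_address(source)
    for rule in rules:
        if src in ipaddress.ip_network(rule.from_ip, strict=False):
            if rule.log and firewall_log is not None:
                firewall_log.append(f"{service} from {src}: {rule.action}")
            return rule.action
    return "Drop"


def clip_allowed(reported_number, approved_numbers):
    """Approved Call Numbers check: exact match, or prefix match when the
    entry ends in '*' (e.g. '+49401234*')."""
    for entry in approved_numbers:
        if entry.endswith("*") and reported_number.startswith(entry[:-1]):
            return True
        if reported_number == entry:
            return True
    return False


def csd_access(reported_number, approved_numbers, rules, service="HTTPS", firewall_log=None):
    """CSD dial-in passes two gates: the CLIP allow-list, then the HTTPS or SSH
    firewall rules evaluated for the fixed CSD source address."""
    if not clip_allowed(reported_number, approved_numbers):
        return "call refused"
    return evaluate(rules, CSD_SOURCE, service, firewall_log)


# Factory default for a new rule: every external address is accepted.
FACTORY_RULES = [Rule("0.0.0.0/0", "Accept")]

# Restricted set (constructed): an admin network from the documentation range
# and the CSD source are accepted, everything else is dropped and logged.
RESTRICTED_RULES = [
    Rule("203.0.113.0/24", "Accept", log=True),
    Rule(CSD_SOURCE + "/32", "Accept"),
    Rule("0.0.0.0/0", "Drop", log=True),
]

if __name__ == "__main__":
    hits = []
    print(evaluate(FACTORY_RULES, "198.51.100.7"))                 # Accept
    print(evaluate(RESTRICTED_RULES, "198.51.100.7", "SSH", hits))  # Drop
    print(csd_access("+494012349999", ["+49401234*"], RESTRICTED_RULES))
    print(hits)
```

A rule set without the 10.99.99.2 entry passes the CLIP gate and then drops the dial-in session at the firewall, which looks like a PPP or browser failure at the caller; the firewall log (Chapter 6.4) is where that shows up when Log is set to Yes on the final Drop rule.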
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
Enable CSD dial-in                No (switched off)
PPP username                      service
PPP password                      service
Approved Call Numbers
9
Status, log and diagnosis
9.1
System status display
The System Status page gives an overview of the current operating status of the
SINAUT MD741-1.
Figure 9-1
System > Status
Note
Use the Refresh function of the Web browser to update the displayed values.
Current system time
Shows the current system time of the SINAUT MD741-1 in the format:
Year – Month – Day, Hours – Minutes
Connection
Shows if a wireless connection exists, and which one:
●
EDGE connection (IP connection via EGPRS)
●
GPRS connection (IP connection via GPRS)
●
CSD connection (service connection via CSD)
Note
It may occur that an EDGE (EGPRS) or GPRS connection and an assigned IP
address are both shown, but the connection quality is still not good enough to
transmit data. For this reason we recommend using the active connection
monitoring (see Chapter 5.2).
Connected since
Shows how long the current connection to EGPRS or GPRS has existed.
Used APN
Shows the APN (= Access Point Name) of the EGPRS or GPRS that is being used.
External hostname
Shows the hostname (e.g. md741-1.mydns.org) of the SINAUT MD741-1, if a
DynDNS service is being used.
DynDNS
Shows if a DynDNS service is activated.
●
White check mark at green dot: DynDNS service activated.
●
White cross at red dot: DynDNS service not activated
Assigned IP address
Shows the IP address at which the SINAUT MD741-1 can be reached in EGPRS or
GPRS. This IP address is assigned to the SINAUT MD741-1 by the EGPRS or
GPRS service.
Signal (CSQ level)
Indicates the strength of the GSM signal as a CSQ value.
●  CSQ < 6:      Poor signal strength
●  CSQ = 6..10:  Medium signal strength
●  CSQ = 11..18: Good field strength
●  CSQ > 18:     Very good field strength
●  CSQ = 99:     No connection to the GSM network
IMSI
Shows the subscriber identity that is saved on the SIM card being used.
The IMSI (= International Mobile Subscriber Identity) is used by the GSM network
operator to determine the authorisations and agreed services for the SIM card.
IMEI
Shows the serial number of the SINAUT MD741-1 as a GSM wireless device. The
IMEI (= International Mobile Equipment Identity) is assigned uniquely worldwide.
Bytes sent / Bytes received
Shows the number of bytes that have been sent or received during the existing
connection to GPRS. The counter is reset when a new connection is established.
Note
These figures serve only as a general indication of the data volume, and can differ
significantly from the GSM network operator's accounting.
Bytes sent / Bytes received since initial operation
Shows the number of bytes that have been sent via GPRS or received since the
last time the factory settings were loaded. The counter is reset when the factory
settings are loaded.
Remote HTTPS
Shows whether remote access to the Web user interface of the SINAUT MD741-1
via EGPRS or GPRS is permitted.
●
White check mark at green dot: Access is allowed.
●
White cross at red dot: Access is not allowed.
Remote SSH
Shows whether remote access to the SSH console of the SINAUT MD741-1 via
EGPRS or GPRS is permitted.
●
White check mark at green dot: Access is allowed.
●
White cross at red dot: Access is not allowed.
CSD Dial-In
Shows whether remote CSD service calls are allowed.
●
White check mark at green dot: CSD service calls are possible.
●
White cross at red dot: CSD service calls are not possible.
Number of active firewall rules
Shows how many firewall rules are active.
Current system version
Shows the version number of the SINAUT MD741-1's software.
9.2
Log
Figure 9-2
System > Log
Logfile
Important events in the operation of the SINAUT MD741-1 are saved in the log.
●
Reboot
●
Changes to the configuration
●
Establishing of connections
●
Interruption of connections
●
Signal strength
●
and operating messages
The log is saved to the log archive of the SINAUT MD741-1 when a file size of
1 MByte is reached, but after 24 hours at the latest.
Download current logfile
Download - the current log is loaded to the Admin PC. You can select the directory
to save the file to, and can view the file there.
Download archived logfiles
Download - the archived log files are loaded to the Admin PC. You can select the
directory to save the files to, and can view the files there.
Example:
Entries in log
Column A:
Time stamp
Column B:
Product number
Column C:
Signal quality (CSQ value)
Column D:
GSM login status
STAT = --- = Function not activated yet
STAT = 1 = Logged in to home network
STAT = 2 = Not logged in; searching for network
STAT = 3 = Login rejected
STAT = 5 = Logged in to third-party network (roaming)
Column E:
Indication of the network operator identification with the 3-digit country code (MCC)
and the 2-3-digit network operator code (MNC).
Example: 26201 (262 = country code / 01 = network operator code)
Column F:
Coded operating status (for Hotline)
Column G:
Category of the log report (for Hotline)
Column H:
Internal source of the log report (for Hotline)
Column I:
Internal report number (for Hotline)
Column J:
Log report in plain text
Columns K-P:
Additional information on the plain text report, such as:
●
Cell ID (identification number of the active GSM cell)
●
Software version
●
TXS, RXS (IP packets transmitted in the current connection)
●
TX, RX (IP packets transmitted since the last factory settings reboot)
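The column layout above is enough to parse the downloaded log and to watch for the states that matter operationally: a rejected login (STAT = 3), roaming on a third-party network (STAT = 5), a device searching for a network (STAT = 2), and a poor or absent signal using the CSQ bands from Chapter 9.1. The Python script below does this; it is an added example, not the device's own code. It assumes one entry per line with semicolon-separated fields in the column order listed (the manual names the columns but not the separator, so `sep` is a parameter), and the sample lines are constructed for the example.

```python
"""Parser and checks for the log line layout described above (columns A to J,
then the K-P extras). Added example; separator and sample lines are assumptions."""
import re
from dataclasses import dataclass

# Column D values, from the GSM login status table.
STAT_TEXT = {
    "---": "function not activated yet",
    "1": "logged in to home network",
    "2": "not logged in; searching for network",
    "3": "login rejected",
    "5": "logged in to third-party network (roaming)",
}


def csq_quality(csq):
    """Map a CSQ value to the bands listed under 'Signal (CSQ level)' in 9.1."""
    if csq == 99:
        return "no GSM network"
    if csq < 6:
        return "poor"
    if csq <= 10:
        return "medium"
    if csq <= 18:
        return "good"
    return "very good"


def split_plmn(field):
    """'26201' -> ('262', '01'): a 3-digit MCC followed by a 2- or 3-digit MNC."""
    if not re.fullmatch(r"\d{5,6}", field):
        raise ValueError(f"bad MCC/MNC field: {field!r}")
    return field[:3], field[3:]


@dataclass
class LogEntry:
    timestamp: str     # column A
    product: str       # column B
    csq: int           # column C
    stat: str          # column D
    mcc: str           # column E, first three digits
    mnc: str           # column E, remaining digits
    status_code: str   # column F (coded operating status)
    category: str      # column G
    source: str        # column H
    report_no: str     # column I
    text: str          # column J
    extras: list       # columns K-P


def parse_line(line, sep=";"):
    """Split one log line into a LogEntry; raises on a malformed line."""
    fields = [f.strip() for f in line.rstrip("\n").split(sep)]
    if len(fields) < 10:
        raise ValueError(f"expected at least 10 columns, got {len(fields)}")
    mcc, mnc = split_plmn(fields[4])
    return LogEntry(fields[0], fields[1], int(fields[2]), fields[3], mcc, mnc,
                    fields[5], fields[6], fields[7], fields[8], fields[9], fields[10:])


def check_entry(entry):
    """Conditions worth an alert, derived from the STAT and CSQ tables."""
    alerts = []
    if entry.stat == "3":
        alerts.append("login rejected")
    elif entry.stat == "2":
        alerts.append("searching for network")
    elif entry.stat == "5":
        alerts.append(f"roaming on MCC {entry.mcc} MNC {entry.mnc}")
    quality = csq_quality(entry.csq)
    if quality in ("poor", "no GSM network"):
        alerts.append(f"signal {quality} (CSQ {entry.csq})")
    return alerts


def scan(lines):
    """Return (timestamp, alerts) for every line that raises at least one alert."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        alerts = check_entry(entry)
        if alerts:
            hits.append((entry.timestamp, alerts))
    return hits


# Constructed sample lines in the assumed layout (not real device output).
SAMPLE = [
    "2008-05-14 12:54;MD741-1;17;1;26201;00;SYS;gsm;1001;GPRS connection established;CID=1A2B;V1.027",
    "2008-05-14 13:10;MD741-1;4;5;20801;00;SYS;gsm;1001;GPRS connection established;CID=3C4D;V1.027",
    "2008-05-14 13:20;MD741-1;99;3;26201;01;SYS;gsm;1002;Login rejected",
]

if __name__ == "__main__":
    for timestamp, alerts in scan(SAMPLE):
        print(timestamp, "; ".join(alerts))
```

Roaming (STAT = 5) deserves an alert on its own because a device that was provisioned for one operator suddenly attaching to another changes both the data cost and the network path; the MCC/MNC pair tells you which network it is on.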
9.3
Remote logging
The SINAUT MD741-1 can transfer the system log once per day via FTP (= File
Transfer Protocol) to an FTP server.
The current system log and the system log files in the archive are transferred. After
a successful transfer the transferred logs are deleted in the SINAUT MD741-1.
If the transfer fails, the SINAUT MD741-1 tries again to transfer the data after
24 hours.
Note
FTP transmits the username, the password and the log contents without encryption.
Figure 9-3
Maintenance > Remote Logging
Enable remote logging (FTP upload)
Yes activates the function.
Time
Time of day at which the daily transfer is started.
FTP Server
Specifies the address of the FTP server to which the log files are to be transferred.
The address can be specified as a hostname (e.g. ftp.server.de) or as an IP
address.
Username
Specifies the username for logging in to the FTP server.
Password
Specifies the password for logging in to the FTP server.
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
Enable remote logging (FTP upload)    No (switched off)
Time                                  00:00
FTP Server                            NONE
Username                              guest
Password                              guest
9.4
Snapshot
This function is used for support purposes.
The service snapshot downloads important log files and current device settings that
could be important for fault diagnosis and saves them in a file.
If you contact our Hotline in the event of a problem with the SINAUT MD741-1, in
many cases they will ask you for the snapshot file.
Note
This file contains the access parameters for EGPRS and GPRS and the addresses
of the remote station. It does not contain the username and password for access to
the SINAUT MD741-1.
Figure 9-4
Maintenance > Snapshot
Download service snapshot
Click on download. You can select the location on the Admin PC where the
snapshot file will be saved.
The filename of the snapshot file has the following structure:
<name>_Snapshot_<YYYYMMDDhhmm>.tgz,
e.g.: md741_Snapshot_200711252237.tgz
Advanced diagnosis
Only activate the Advanced diagnosis if asked to do so by our Hotline. In operation
with advanced diagnosis, information is written to the diagnosis logs much more
often, and some additional information is saved. This is useful for systematic
troubleshooting.
Note
When advanced diagnosis is active, the frequent write access to the non-volatile
memory of the SINAUT MD741-1 can lead to a reduction of its service life.
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
Advanced diagnosis                    Off
9.5
Hardware information
Shows important information for hardware identification. This information is often
needed in the event of queries to our Hotline.
Figure 9-5
Maintenance > Hardware info
9.6
Software information
Shows important information for software identification. This information is often
needed in the event of queries to our Hotline.
Planned updates are additionally shown. See also Chapter 10.2.
Figure 9-6
Maintenance > Software info
10
Additional functions
10.1
Alarm SMS
The SINAUT MD741-1 can transmit short alarm messages via the SMS
(= Short Message Service) of the GSM network. Two events can trigger
transmission of an alarm message via SMS:
●
Event 1: No GPRS connection
A separate call number for sending the alarm message to can be specified for each
of these two events. The text of the alarm message can also be freely defined. The
following characters are available: A-Z a-z 0123456789,!?
Figure 10-1
Maintenance > Alarm SMS
Alarm SMS Event 1: No GPRS Connection In Port
The GPRS connection is not established despite multiple attempts. The SINAUT
MD741-1 then transmits an alarm message.
SMS service center call number
So that the SMS function will function reliably, enter the call number of the service
center here. Without an entry in this location the default SMS service center of your
network operator will be used.
Settings
Enable
With Yes the alarm message is sent when the event occurs, with No it is not.
Call number
Here enter the call number of the end device to which the alarm message is to be
sent via SMS. The end device must support SMS reception via GSM or fixed
network.
Text
Here enter the text that should be sent as an alarm message.
Factory setting
The factory settings for the SINAUT MD741-1 are as follows:
SMS service center call number
Alarm SMS Event 1: No GPRS            No (switched off)
Call number
Text
10.2
Software Update
The Update function can be used to load new operating software to the SINAUT
MD741-1 and activate this software.
In an immediate update the new software will be unzipped. This process can take
several minutes. After that the actual update process begins, which is indicated by
the LEDs lighting up in sequence.
The settings of the SINAUT MD741-1 will be accepted insofar as the settings still
have the same effect in the new software version as they did before the update.
Figure 10-2
Maintenance > Update
Define the update time
No
Immediate update - The new operating software is activated immediately after you
load the software and click on Submit.
Yes
Time-controlled update - The new operating software is activated at the defined
update time. The software must have been loaded already.
Define the update time
If you want to have the update carried out with time control, specify the time when
the new operating software is to be activated.
Specify the Year – Month – Day – Hour – Minute.
Select update file
Use Browse to select the file, which includes the new operating software, for
example:
MD741_v1.024-v1.027.tgz
Load the firmware to the device with Open.
Submit
With Submit the operating software is either activated immediately or the operating
software is activated at the specified time.
11
Technical Data
Interfaces
  Application interface     10/100 Base-T (RJ45 plug)
                            Ethernet IEEE802
                            10/100 Mbit/s
  Service interface         USB-A (reserved for later applications)
  EDGE / GPRS               EDGE Multislot class 12 / EDGE Multislot class 12
Security functions          Stateful inspection firewall
                            Anti-spoofing
                            Port forwarding
Additional functions        DNS cache, DHCP server, NTP, remote logging,
                            connection monitoring, alarm-SMS
Management                  Web-based administration user interface, ssh console
Wireless connection
  GSM Module                EGPRS (EDGE) / Quad band
  EDGE (EGPRS)              Multislot Class 12
                            Mobile Station Class B
                            Modulation and Coding Scheme MCS 1 - 9
  GPRS                      Multislot Class 12
                            Full PBCCH support
                            Mobile Station Class B
                            Coding Scheme 1 - 4
  Coding schemes            CS-1, CS-2, CS-3, CS-4
  EDGE / GPRS               During the data transmission via EGPRS or GPRS the
                            device automatically selects from the following classes:
                            from EGPRS Multislot Class 12 (4 Tx slots)
                              to EGPRS Multislot Class 10 (2 Tx slots),
                            from EGPRS Multislot Class 10 (2 Tx slots)
                              to EGPRS Multislot Class 8 (1 Tx),
                            from GPRS Multislot Class 12 (4 Tx slots)
                              to GPRS Multislot Class 8 (1 Tx),
                            from GPRS Multislot Class 10 (2 Tx slots)
                              to GPRS Multislot Class 8 (1 Tx)
  CSD / MTC                 V.110, RLP, non-transparent
                            2.4, 4.8, 9.6, 14.4 kbps
  SMS (TX)                  Point to point, MO (outgoing)
  Max. transmitting power   Class 4 (+33 dBm ±2 dB) for EGSM850
  (acc. to output 99, V5)   Class 4 (+33 dBm ±2 dB) for EGSM900
                            Class 1 (+30 dBm ±2 dB) for GSM1800
                            Class 1 (+30 dBm ±2 dB) for GSM1900
                            Class E2 (+27 dBm ±3 dB) for GSM 850 8-PSK
                            Class E2 (+27 dBm ±3 dB) for GSM 900 8-PSK
                            Class E2 (+26 dBm +3/-4 dB) for GSM 1800 8-PSK
                            Class E2 (+26 dBm +3/-4 dB) for GSM 1900 8-PSK
  Antenna connection        Nominal impedance: 50 ohms, jack: SMA
Ambient conditions
  Temperature range         Operation: -20 °C to +60 °C
                            Storage: -40 °C to +70 °C
  Air humidity              0-95 %, non-condensing
Housing
  Design                    Top-hat rail housing
  Material                  Plastic
  Protection class          IP20
  Dimensions                114 mm x 45 mm x 99 mm
  Weight                    approx. 280 g
DE
  CE                        Yes
  GSM/EGPRS module          Conforms to GCF, PTCRB
  Environment               The device complies with the European Directives
                            RoHS and WEEE.
Power supply
  Input voltage             12 - 30 V DC (24 V DC nominal)
  Input current             510 - 230 mA DC
  Power input               4.4 W typical at 12 V
                            4.0 W typical at 24 V
                            4.5 W typical at 30 V
  Current consumption       See table below.
Input current characteristic
[Figure: input current IBurst in mA over time in ms, one curve at 12 V and one at 24 V, 4.62 ms burst repeat rate]
Current consumption (3)

Operating mode   Input voltage   Connected,          Continuous data       Continuous data          Burst
                 [V]             no data transfer    transfer with low     transfer with medium     [mA]
                                 [mA]                signal quality (1)    signal quality (2)
                                                     [mA]                  [mA]
GSM-CSD          12              174                 315                   263                      1000
                 24               97                 168                   137                       450
                 30               82                 137                   116                       360
EGPRS / GPRS     12              174                 365                   282                      1260
                 24               97                 182                   147                       550
                 30               82                 150                   121                       420

(1) Measured at GSM900 Power Level 5 (33 dBm transmitting power)
(2) Measured at GSM900 Power Level 10 (23 dBm transmitting power)
(3) USB port not used
12
Applied Standards and Approvals
12.1
Equipment
Product name
SINAUT MD741-1
Manufacturer
Siemens Aktiengesellschaft, Industry Automation
Intended purpose
(E-)GPRS-VPN-Router for industrial application
12.2
EU Declaration of Conformance
Marking
Applied European directives
When used within the intended purpose, the equipment is compliant to the
requirements of the following European directives:
●
Directive 1999/5/EC (R&TTE) of the European Parliament and of the Council of
9 March 1999 on radio equipment and telecommunications terminal equipment
and the mutual recognition of their conformity,
●
Directive 2006/95/EC (LVD) of the European Parliament and of the Council of
12 December 2006 on the harmonization of the laws of Member States relating
to electrical equipment designed for use within certain voltage limits,
●
Directive 2004/108/EC (EMC) of the European Parliament and of the Council of
15 December 2004 on the approximation of the laws of the Member States
relating to electromagnetic compatibility and repealing Directive 89/336/EEC
●
Directive 94/9/EC (ATEX) of the European Parliament and the Council of 23
March 1994 on the approximation of the laws of the Member States concerning
equipment and protective systems intended for use in potentially explosive
atmospheres.
Directive 1999/5/EC (R&TTE)
Applied standards
●
EN301 511: v.9.0.2
●
3GPP TS 51.010-1: v. 5.10.0
Classification
Telecommunication equipment, Radio equipment, Device class 1
Directive 2006/95/EC (LVD)
Applied standards
●
EN 60950:2006
Directive 2004/108/EC (EMC)
Applied standards
●
EN55022: 2006 Limit A
●
EN55024:1998 + A1 : 2001 + A2 : 2003
●
EN61000-6-2: 2001
Warning
The SINAUT MD741-1 is a Class A device. This device can cause radio
interference in residential areas; in this case the user may be required to take
appropriate measures.
Directive 94/9/EC (ATEX) – Approval pending – applied for approval
Additional marking
II 3 G EEx nA T4A Ta=-20°C-60°C
FM xx ATEX xxxx X
Applied standards
●
EN50021 (Type of protection “n”)
Classification
Group II, Category 3, Gas Atmosphere, Non-sparking equipment, 135 °C maximum
surface temperature, Ambient temperature range: -20 °C … +60 °C
12.3
Compliance to FM, UL and CSA
FM certification – Approval pending – applied for approval
Marking
FM
APPROVED
CLI, DIV2, GP. A,B,C,D T4 Ta=-20°C-60°C
CLI, Zone 2 IIC, T4 Ta=-20°C-60°C
Applied standards
●
Factory Mutual Approval Standard Class Number 3611
Classification
Class I, Division 2, Group A, B, C, D, 135 °C maximum surface temperature,
Ambient temperature range: -20 °C … +60 °C
Class I, Zone 2, Group IIC, 135 °C maximum surface temperature, Ambient
temperature range: -20 °C … +65 °C
UL/CSA Certification
Marking
Applied standards
• UL 60950, 1st edition
• CSA C22.2 No.60950
12.4 Compliance to FCC
Approval pending – applied for approval
Marking
SINAUT MD741-1
FCC ID: LYHMD741-1
contains MC75 FCC ID: QIPMC75
Applied standards
● FCC Part 15
● FCC Part 15.19
● FCC Part 15.21
Mandatory user information
FCC Part 15
This equipment has been tested and found to comply with the limits for a Class A
digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to
provide reasonable protection against harmful interference in a residential
installation. This equipment generates, uses and can radiate radio frequency
energy and, if not installed and used in accordance with the instructions, may
cause harmful interference to radio communications. However, there is no
guarantee that interference will not occur in a particular installation. If this
equipment does cause harmful interference to radio or television reception, which
can be determined by turning the equipment off and on, the user is encouraged to
try to correct the interference by one or more of the following measures:
● Reorient or relocate the receiving antenna.
● Increase the separation between the equipment and receiver.
● Connect the equipment into an outlet on a circuit different from that to which
  the receiver is connected.
● Consult the dealer / installer or an experienced radio/TV technician for help.
FCC Part 15.19
This device complies with Part 15 of the FCC Rules. Operation is subject to the
following two conditions:
1. this device may not cause harmful interference, and
2. this device must accept any interference received, including interference
that may cause undesired operation.
FCC Part 15.21
Modifications not expressly approved by this company could void the user's
authority to operate the equipment.
Installation by qualified personnel only
You may only use the SINAUT MD741-1 with an antenna of the SINAUT MD741-1
accessory program.
The installation of the SINAUT MD741-1 and the antenna as well as servicing is to
be performed by qualified technical personnel only. When servicing the antenna, or
working at distances closer than those listed below, ensure the transmitter has
been disabled.
RF Exposure mobile
Caution
Typically, the antenna connected to the transmitter is an omni-directional antenna with
0dB gain. Using this antenna the total composite power in PCS mode is smaller than 1
watt ERP.
The internal / external antennas used for this mobile transmitter must provide a
separation distance of at least 20 cm from all persons and must not be co-located
or operating in conjunction with any other antenna or transmitter.
Contains FCC ID: QIPMC75
This device contains GSM, GPRS Class 12 and EGPRS Class 10 functions in the
900 and 1800 MHz bands which are not operational in U.S. Territories.
This device is to be used only for mobile and fixed applications. The antenna(s)
used for this transmitter must be installed to provide a separation distance of at
least 20cm from all persons and must not be co-located or operating in conjunction
with any other antenna or transmitter.
Users and installers must be provided with antenna installation instructions and
transmitter operating conditions for satisfying RF exposure compliance. Antennas
used for this OEM module must not exceed 4.4dBi gain (GSM 1900) and 2.9dBi
(GSM 850) for mobile and fixed operating configurations. This device is approved
as a module to be installed in other devices.
Glossary
AES
Advanced Encryption Standard. The NIST (National Institute of
Standards and Technology) has been developing the AES encryption
standard jointly with industrial companies for years. This →
symmetrical encryption is designed to replace the previous DES
standard. The AES standard specifies three different key sizes with
128, 192 and 256 bits.
In 1997, the NIST launched the AES initiative and announced its
conditions for the algorithm. Of the encryption algorithms proposed,
the NIST short-listed five; the algorithms MARS, RC6, Rijndael,
Serpent and Twofish. In October 2000, the encryption algorithm
chosen was Rijndael.
APN (Access Point Name)
Trans-network connections, e.g. from a GPRS network to the Internet,
are created in the GPRS network via so-called APNs.
[Figure: a local application behind the MD741-1 reaches, via (E-)GPRS, either
the public INTERNET through a public APN or a private INTRANET through a
private APN.]
An end device that wants to establish a connection via the GPRS
network specifies an APN to indicate which network it wants to be
connected to: the Internet or a private company network that is
connected via a dedicated line.
The APN designates the transfer point to the other network. It is
communicated to the user by the network operator.
Additional Internal Routes
The following sketch shows how the IP addresses could be distributed
in a local network with subnetworks, what network addresses result
from this, and what the specification for an additional internal route
could look like.
[Figure: The MD741-1 has an external address assigned by the provider (e.g.
80.81.192.37) and the internal address 192.168.11.1. Via a switch it is attached
to Network A (network address 192.168.11.0/24, netmask 255.255.255.0, hosts
A1-A5). A router with external IP 192.168.11.2 and internal IP 192.168.15.254
(netmask 255.255.255.0) leads to Network B (192.168.15.0/24, hosts B1-B4); a
second router with external IP 192.168.15.1 and internal IP 192.168.27.254
(netmask 255.255.255.0) leads to Network C (192.168.27.0/24, hosts C1-C4).
Networks B and C are entered on the MD741-1 as additional internal routes.]
Network A is connected to the SINAUT MD741-1 and via it to a remote
network. Additional internal routes show the path to additional
networks (networks B, C), which are connected to each other via
gateways (routers). In the example shown, the SINAUT MD741-1 reaches
networks B and C via the gateway 192.168.11.2, which lies in its own
network 192.168.11.0/24.
Network A
  Computer   IP address     Network mask
  A1         192.168.11.3   255.255.255.0
  A2         192.168.11.4   255.255.255.0
  A3         192.168.11.5   255.255.255.0
  A4         192.168.11.6   255.255.255.0
  A5         192.168.11.7   255.255.255.0
Network B
  Computer   IP address     Network mask
  B1         192.168.15.3   255.255.255.0
  B2         192.168.15.4   255.255.255.0
  B3         192.168.15.5   255.255.255.0
  B4         192.168.15.6   255.255.255.0
Network C
  Computer   IP address     Network mask
  C1         192.168.27.3   255.255.255.0
  C2         192.168.27.4   255.255.255.0
  C3         192.168.27.5   255.255.255.0
  C4         192.168.27.6   255.255.255.0
Additional internal routes:
  Network: 192.168.15.0/24   Gateway: 192.168.11.2
  Network: 192.168.27.0/24   Gateway: 192.168.11.2
Asymmetrical encryption
In asymmetrical encryption, data are encrypted with one key and
decrypted with a second key. Both keys are suitable for encryption and
decryption. One of the keys is kept secret by its owner (Private Key),
the other is issued to the public (Public Key), i.e. possible
communication partners.
A message encrypted with a Public Key can only be decrypted and
read by the recipient who has the corresponding Private Key. A
message encrypted with the Private Key can be decrypted by any
recipient who has the corresponding Public Key. Encryption with the
Private Key shows that the message actually originates from the owner
of the corresponding Public Key. We therefore speak of a digital
signature.
Asymmetrical encryption methods such as RSA are, however, slow
and vulnerable to certain attacks, which is why they are often
combined with a symmetrical method (→ symmetrical encryption). On
the other hand, concepts are also possible which avoid the complex
administration of symmetrical keys.
CIDR
Classless Inter-Domain Routing
IP netmasks and CIDR are notations for grouping a number of IP
addresses into an address space. Thus a range of contiguous
addresses is treated as a network.
The CIDR method reduces, for example, the routing tables stored in
routers by means of a suffix appended to the IP address (the prefix
length). This suffix can be used to designate a network together with
its subnetworks. This method is described in RFC 1518.
In order to specify a range of IP addresses to the SINAUT MD741-1, or
when configuring the firewall, it may be necessary to specify the
address space in the CIDR notation. The following table shows the IP
netmask on the left-hand side, and to the far right the corresponding
CIDR notation.
IP netmask        binary                                  CIDR
255.255.255.255   11111111 11111111 11111111 11111111     32
255.255.255.254   11111111 11111111 11111111 11111110     31
255.255.255.252   11111111 11111111 11111111 11111100     30
255.255.255.248   11111111 11111111 11111111 11111000     29
255.255.255.240   11111111 11111111 11111111 11110000     28
255.255.255.224   11111111 11111111 11111111 11100000     27
255.255.255.192   11111111 11111111 11111111 11000000     26
255.255.255.128   11111111 11111111 11111111 10000000     25
255.255.255.0     11111111 11111111 11111111 00000000     24
255.255.254.0     11111111 11111111 11111110 00000000     23
255.255.252.0     11111111 11111111 11111100 00000000     22
255.255.248.0     11111111 11111111 11111000 00000000     21
255.255.240.0     11111111 11111111 11110000 00000000     20
255.255.224.0     11111111 11111111 11100000 00000000     19
255.255.192.0     11111111 11111111 11000000 00000000     18
255.255.128.0     11111111 11111111 10000000 00000000     17
255.255.0.0       11111111 11111111 00000000 00000000     16
255.254.0.0       11111111 11111110 00000000 00000000     15
255.252.0.0       11111111 11111100 00000000 00000000     14
255.248.0.0       11111111 11111000 00000000 00000000     13
255.240.0.0       11111111 11110000 00000000 00000000     12
255.224.0.0       11111111 11100000 00000000 00000000     11
255.192.0.0       11111111 11000000 00000000 00000000     10
255.128.0.0       11111111 10000000 00000000 00000000      9
255.0.0.0         11111111 00000000 00000000 00000000      8
254.0.0.0         11111110 00000000 00000000 00000000      7
252.0.0.0         11111100 00000000 00000000 00000000      6
248.0.0.0         11111000 00000000 00000000 00000000      5
240.0.0.0         11110000 00000000 00000000 00000000      4
224.0.0.0         11100000 00000000 00000000 00000000      3
192.0.0.0         11000000 00000000 00000000 00000000      2
128.0.0.0         10000000 00000000 00000000 00000000      1
0.0.0.0           00000000 00000000 00000000 00000000      0
Example: 192.168.1.0 / 255.255.255.0 corresponds to CIDR: 192.168.1.0/24
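The netmask-to-CIDR conversion in the table above and the "additional internal routes" of the earlier glossary entry, as an added example that is not part of the manual: it converts between dotted netmasks and prefix lengths (rejecting masks CIDR cannot express) and resolves a destination against the MD741-1's route table from the sketch by longest-prefix match. The route table, the `None` gateway convention for the directly attached network and the function names are assumptions of the example.

```python
"""Netmask <-> CIDR conversion and route lookup for the glossary's example network.

Added example; standard library only. Addresses are those of the glossary
sketch (networks A/B/C behind the MD741-1, gateway 192.168.11.2)."""
import ipaddress
from typing import List, Optional, Tuple


def netmask_to_prefix(mask: str) -> int:
    """Count the leading one bits of a dotted netmask (255.255.255.0 -> 24).

    A CIDR prefix can only express contiguous masks, so 255.0.255.0 is rejected.
    """
    value = int(ipaddress.IPv4Address(mask))
    prefix = bin(value).count("1")
    # A valid mask is exactly `prefix` ones followed by (32 - prefix) zeros.
    if value != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return prefix


def prefix_to_netmask(prefix: int) -> str:
    """Inverse of netmask_to_prefix (24 -> 255.255.255.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF))


def to_cidr(network: str, mask: str) -> str:
    """'192.168.1.0' + '255.255.255.0' -> '192.168.1.0/24' (the glossary's example)."""
    return f"{network}/{netmask_to_prefix(mask)}"


# Route table of the MD741-1 as drawn in the glossary: the directly attached
# network A plus the two additional internal routes for networks B and C.
# A gateway of None means "directly connected" (a convention of this example).
Route = Tuple[str, Optional[str]]
ROUTES: List[Route] = [
    ("192.168.11.0/24", None),            # network A on the local interface
    ("192.168.15.0/24", "192.168.11.2"),  # network B via the router in A
    ("192.168.27.0/24", "192.168.11.2"),  # network C via the same gateway
]


def lookup_route(dst: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Longest-prefix match: the most specific network containing dst wins.

    Returns (network, gateway) or None when no route covers the address.
    """
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    best_len = -1
    for net, gw in routes:
        n = ipaddress.IPv4Network(net)
        if addr in n and n.prefixlen > best_len:
            best, best_len = (net, gw), n.prefixlen
    return best


if __name__ == "__main__":
    print(to_cidr("192.168.1.0", "255.255.255.0"))   # 192.168.1.0/24
    print(lookup_route("192.168.27.5"))               # ('192.168.27.0/24', '192.168.11.2')
```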
Client / Server
In a client/server environment, a server is a program or computer that
receives queries from a client program or client computer and answers
them.
In data communication, a computer that establishes a connection to a
server (or host) is also referred to as a client. That means that the
client is the computer that is calling and the server (or host) is the one
being called.
CSD 9600
CSD (9600) stands for Circuit Switched Data or dial-in data
connection. Here a connection is created between two users (end
points of the connection), similar to a telephone call over a public
telephone network. User 1 dials the telephone number of user 2. The
network signals to user 2 that there is a call, user 2 accepts the call
and the network establishes the connection until one of the users
terminates the connection again.
In a GSM network this service is called CSD, and allows data
transmission at 9600 bit/s or 14400 bit/s, with transmission being either
secured or unsecured. Possible connections are GSM modem to GSM
modem, analog modem to GSM and ISDN modem to GSM modem.
CSQ / RSSI
The CSQ value is a value defined in the GSM standard for indicating
the signal quality. CSQ values correspond to the received field
strength RSSI (= Received Signal Strength Indication):
CSQ        RSSI
< 6        < -101 dBm
6 - 10     -101 … -93 dBm
11 – 18    -91 dBm … -77 dBm
> 18       > -75 dBm
99         Not logged in
Datagram
In the transmission protocol TCP/IP, data are sent in the form of data
packets, the so-called IP datagrams. An IP datagram has the following
structure:
1. IP Header
2. TCP/UDP Header
3. Data (Payload)
The IP Header contains:
• the IP address of the sender (source IP address)
• the IP address of the recipient (destination IP address)
• the protocol number of the protocol of the next higher protocol
  layer (according to the OSI layer model)
• the IP Header Checksum for checking the integrity of the header
  upon receipt.
TCP/UDP Header contains the following information:
• the port of the sender (source port)
• the port of the recipient (destination port)
• a checksum for the TCP Header and a few items of information
  from the IP Header (source and destination IP addresses, etc.)
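The three-part structure just described, as an added example that is not from the manual: a constructed IPv4/UDP datagram is split into IP header, UDP header and payload, and the IP header checksum is verified on receipt. The builder `build_udp_datagram`, the sample addresses and the `Datagram` record are assumptions of the example; the header layout and the one's-complement checksum are those of IPv4 (RFC 791 / RFC 1071).

```python
"""Parse an IPv4 datagram into IP header, TCP/UDP header and payload and
verify the IP header checksum. Added example; the sample packet is constructed."""
import struct
from dataclasses import dataclass


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Datagram:
    src: str
    dst: str
    protocol: int          # 6 = TCP, 17 = UDP, as carried in the IP header
    checksum_ok: bool
    src_port: int
    dst_port: int
    payload: bytes


def _dotted(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_datagram(pkt: bytes) -> Datagram:
    """Split pkt into IP header, TCP/UDP header and payload, as in the glossary."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4              # header length in bytes, 20 without options
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    header = pkt[:ihl]
    # The IP header checksum covers the header only; an intact header sums to zero.
    checksum_ok = ones_complement_sum(header) == 0
    total_len = struct.unpack("!H", header[2:4])[0]
    proto = header[9]                      # protocol number of the next layer
    src, dst = _dotted(header[12:16]), _dotted(header[16:20])
    body = pkt[ihl:total_len]
    if proto == 17 and len(body) >= 8:     # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", body[:4])
        payload = body[8:]
    elif proto == 6 and len(body) >= 20:   # TCP: header length from the data offset
        sport, dport = struct.unpack("!HH", body[:4])
        payload = body[(body[12] >> 4) * 4:]
    else:
        raise ValueError(f"unsupported or truncated transport header (protocol {proto})")
    return Datagram(src, dst, proto, checksum_ok, sport, dport, payload)


def build_udp_datagram(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/UDP packet (helper for this example; no IP options)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload   # UDP checksum 0 = none
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    # version/IHL, TOS, total length, id, flags/fragment, TTL, protocol, checksum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return hdr + udp


# Constructed sample: host A1 of the glossary sketch sends a DNS query (port 53)
# to the MD741-1's internal address.
SAMPLE = build_udp_datagram("192.168.11.3", "192.168.11.1", 40000, 53, b"query")

if __name__ == "__main__":
    print(parse_datagram(SAMPLE))
```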
DES/3DES
The symmetrical encryption algorithm (Æ symmetrical encryption)
DES, originally developed by IBM and checked by the NSA, was
determined in 1977 by the American National Bureau of Standards, the
predecessor of today's National Institute of Standards and Technology
(NIST), as the standard for American government institutions.
As this was the first standardized encryption algorithm of all, it quickly
established itself in industry and hence outside the USA.
DES works with a key length of 56 bits, which is no longer considered
secure due to the increase in computing power since 1977.
3DES is a variant of DES. It works with 3-times larger keys, i.e. 168
bits long. It is still considered secure today and is, among other things,
also part of the IPsec standard.
DHCP
The Dynamic Host Configuration Protocol (DHCP) performs automatic
dynamic assignment of IP addresses and other parameters in a
network. The Dynamic Host Configuration Protocol uses UDP. It was
defined in RFC 2131 and was assigned the UDP ports 67 and 68.
DHCP uses the client – server method, in which the client is assigned
the IP addresses by the server.
DNS
Addressing in IP networks is always by means of IP addresses. It is
generally preferable, however, to specify the addressing in the form of
a domain address (i.e. in the form www.abc.xyz.de). If the addressing
is by means of the domain address, then the sender first sends the
domain address to a domain name server (DNS) and gets back the
associated IP address. Only then does the sender address its data to
this IP address.
DynDNS provider
Also Dynamic DNS provider. Every computer that is connected to the
Internet has an IP address (IP = Internet Protocol). An IP address
consists of up to 4 three-digit numbers, with dots separating each of
the numbers. If the computer is online via the telephone line via
modem, ISDN or ADSL, then the Internet service provider dynamically
assigns it an IP address, i.e. the address changes from session to
session. Even if the computer is online for more than 24 hours without
interruption (e.g. in the case of a flat rate), the IP address is changed
periodically.
For a local computer to be accessible via the Internet, its address must
be known to the external remote station. This is necessary for it to
establish a connection to the local computer. This is not possible,
however, if the address of the local computer constantly changes. It is
possible, however, if the user of the local computer has an account
with a DynamicDNS provider (DNS = Domain Name Server).
Then he can specify there a hostname under which the computer can
be accessed in the future, e.g.: www.xyz.abc.de. Moreover, the
DynamicDNS provider makes available a small program that has to be
installed and executed on the computer concerned. In each Internet
session of the local computer this tool reports to the DynamicDNS
provider which IP address the computer has at the moment. Its domain
name server registers the current hostname - IP address assignment
and reports this to other domain name servers in the Internet.
If now an external computer wants to establish a connection with a
local computer which is registered with the DynamicDNS provider, the
external computer uses the hostname of the local computer as the
address. In this way a connection is established with the responsible
DNS (Domain Name Server) in order to look up there the IP address
which is currently assigned to this hostname. The IP address is
transmitted back to the external computer, and then used by it as the
destination address. This now leads precisely to the desired local
computer.
As a rule, all Internet addresses are based on this method: First a
connection is established to a DNS in order to determine the IP
addresses assigned to this hostname. Once that has been done, the
IP address that was "looked up" is used to establish the connection to
the desired remote station, which can be any Web site.
EDGE
EDGE (= Enhanced Data Rates for GSM Evolution) refers to a method
in which the available data rates in GSM mobile phone networks are
increased by introducing an additional modulation process. With
EDGE, GPRS is expanded to become EGPRS (Enhanced GPRS), and
HSCSD is expanded to become ECSD.
EGPRS
EGPRS stands for "Enhanced General Packet Radio Service", which
describes a packet-oriented data service based on GPRS, which is
accelerated by means of EDGE technology.
GPRS
GPRS is the abbreviation for "General Packet Radio Service", a data
transmission system of GSM2+ mobile phone systems. GPRS systems
use the base stations of GSM networks as their wireless equipment,
and their own infrastructure for coupling to other IP networks, such as
the Internet. Data communication is packet-oriented; the Internet
Protocol (IP) is used. GPRS provides data rates of up to 115.2 KBit/s.
GSM
GSM (= Global System for Mobile Communication) is a standard that is
used worldwide for digital mobile phone networks. In addition to the
voice service for telephone calls, GSM supports various data services,
such as fax, SMS, CSD and GPRS. Depending on the legal
requirements in the various countries, the frequency bands 900 MHz,
1800 MHz or 850 MHz and 1900 MHz are used.
HTTPS
HTTPS (=HyperText Transfer Protocol Secure) is a variant of the
familiar HTTP, which is used by any Web browser for navigation and
data exchange in the Internet.
In HTTPS the original protocol is supplemented with an additional
component for data protection. While in HTTP data are transmitted
unprotected in plain text, in HTTPS data are transmitted only after an
exchange of digital certificates, and in encrypted form.
IP address
Every host or router on the Internet / an intranet has a unique IP
address (IP = Internet Protocol). The IP address is 32 bits (= 4 bytes)
long, and is written as 4 numbers (each in the range from 0 to 255),
which are separated from each other by dots.
An IP address has 2 parts: the network address and the host address.
All hosts of a network have the same network address, but different
host addresses. Depending on the size of the network in question - a
distinction is made between networks of Class A, B and C - the two
address components may be of different sizes:
           1st byte      2nd byte      3rd byte      4th byte
Class A    Netw. addr.   Host addr.    Host addr.    Host addr.
Class B    Netw. addr.   Netw. addr.   Host addr.    Host addr.
Class C    Netw. addr.   Netw. addr.   Netw. addr.   Host addr.
It can be seen from the first byte of the IP address whether the IP
address designates a network of Class A, B or C. The following
definitions apply:
           Value of the 1st byte   Bytes for the network address   Bytes for the host address
Class A    1-126                   1                               3
Class B    128-191                 2                               2
Class C    192-223                 3                               1
If you do the arithmetic, you can see that there can be a maximum of
126 Class A networks worldwide, and each of these networks can
comprise a maximum of 256 x 256 x 256 hosts (3 bytes of address
space). There can be 64 x 256 Class B networks, each of which can
contain up to 65,536 hosts (2 bytes of address space: 256 x 256).
There can be 32 x 256 x 256 Class C networks, each of which can
contain up to 256 hosts (1 byte of address space).
IP packet
See Datagram
IPsec
IP security (IPsec) is a standard that makes it possible to ensure the
authenticity of the sender, the confidentiality and the integrity of the
data in IP datagrams by means of encryption. The components of
IPsec are the Authentication Header (AH), the Encapsulating Security
Payload (ESP), the Security Association (SA), the Security Parameter
Index (SPI) and the Internet Key Exchange (IKE).
When communication starts the computers involved clarify the method
used and its implications, e.g. Transport Mode or Tunnel Mode.
In Transport Mode an IPsec header is inserted into each IP datagram
between the IP header and the TCP or UDP header. As the IP header
is not changed this mode is suitable only for a host-to-host connection.
In Tunnel Mode an IPsec header and a new IP header are inserted in
front of the entire IP datagram. This means that the original datagram
is contained, encrypted as a whole, in the payload of the new
datagram.
The Tunnel Mode is used in the VPN: the devices at the tunnel ends
perform the encryption and decryption of the datagrams, while the
datagrams themselves remain completely protected as they pass
through the tunnel, i.e. during transmission via a public network.
NAT (Network Address Translation)
In Network Address Translation (NAT) - often also referred to as IP
Masquerading - an entire network is "hidden" behind a single device,
the NAT router. This device is usually a router. The internal computers
in the local network remain hidden with their IP addresses when they
communicate to the outside via the NAT router. For the external
communication partners only the NAT router with its own IP address
appears.
However, in order for internal computers to be able to communicate
direct with external computers (on the Internet) the NAT router must
change the IP datagrams passing from internal computers to the
outside and from the outside to an internal computer.
If an IP datagram is sent from the internal network to the outside the
NAT router changes the datagram's IP and TCP headers. It replaces
the source IP address and the source port with its own official IP
address and its own, previously unused port. To this end it creates a
table showing the correlation between the original values and the new
ones.
When receiving a reply datagram the NAT router recognises by means
of the destination port specified that the datagram is actually intended
for an internal computer. Using the table the NAT box exchanges the
destination IP address and the destination port and forwards the
datagram to the internal network.
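A small simulation of the translation table described above, as an added example that is not code from the manual: outbound packets get the router's official address and a previously unused port, and a reply is mapped back only if it arrives at that port from the host the internal computer contacted (stricter than the port-only check in the text, and the reason unsolicited packets to a used port are dropped). The `Packet` record, port allocation policy and all addresses are constructed for the example; 80.81.192.37 is the provider-assigned address from the glossary sketch.

```python
"""NAT / IP masquerading translation table, as in the glossary entry.
Added example; addresses and port policy are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Flow = Tuple[str, int, str, int]   # (internal ip, internal port, remote ip, remote port)


class NatRouter:
    """Hides an internal network behind one official (external) IP address."""

    def __init__(self, external_ip: str, first_port: int = 40000):
        self.external_ip = external_ip
        self._next_port = first_port
        # translation table: external port -> original flow
        self.table: Dict[int, Flow] = {}
        # reverse index so one internal flow keeps the same external port
        self._port_of: Dict[Flow, int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Internal -> external: replace source IP/port and remember the mapping."""
        flow: Flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._port_of.get(flow)
        if port is None:
            port = self._next_port           # its own, previously unused port
            self._next_port += 1
            self._port_of[flow] = port
            self.table[port] = flow
        return Packet(self.external_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """External -> internal: the destination port selects the table entry.

        Returns the rewritten packet, or None (drop) when no internal computer
        asked for this traffic or the sender is not the contacted remote host.
        """
        if pkt.dst_ip != self.external_ip:
            return None
        flow = self.table.get(pkt.dst_port)
        if flow is None:
            return None
        int_ip, int_port, remote_ip, remote_port = flow
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                      # reply from an unexpected host
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)


if __name__ == "__main__":
    nat = NatRouter("80.81.192.37")
    print(nat.outbound(Packet("192.168.11.3", 51000, "203.0.113.10", 80)))
    print(nat.inbound(Packet("203.0.113.10", 80, "80.81.192.37", 40000)))
```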
Network mask / Subnet mask
A company network with access to the Internet is normally officially
assigned only a single IP address, e.g. 134.76.0.0. In this example
address it can be seen from the 1st byte that this company network is
a Class B network, i.e. the last 2 bytes can be used freely for host
addressing. Arithmetically that represents an address space of 65,536
possible hosts (256 x 256).
Such a huge network is not very practical. It is necessary here to form
subnetworks. This is done using a subnet mask. Like an IP address,
this is a field 4 bytes long. The value 255 is assigned to each of the
bytes that represent the network address. The main purpose of this is
to "hide" a part of the host address range in order to use it for the
addressing of subnetworks. For example, in a Class B network (2
bytes for the network address, 2 bytes for the host address), by means
of the subnet mask 255.255.255.0 it is possible to take the 3rd byte,
which was actually intended for host addressing, and use it now for
subnet addressing. Arithmetically that means that 256 subnets with
256 hosts each could be created.
Port number
The Port Number field is a 2-byte field in UDP and TCP headers. The
assignment of port numbers serves to identify various data flows that
are processed simultaneously by UDP/TCP. The entire data exchange
between UDP/TCP and the application processes takes place via
these port numbers. The assignment of port numbers to application
processes is performed dynamically and randomly. Fixed port numbers
are assigned for certain frequently-used application processes. These
are called Assigned Numbers.
PPPoE
Acronym for Point-to-Point Protocol over Ethernet. It is based on the
standards PPP and Ethernet. PPPoE is a specification for connecting
users to the Internet via Ethernet using a jointly used broadband
medium such as DSL, Wireless LAN or cable modem.
PPTP
Acronym for Point-to-Point Tunneling Protocol. This protocol was
developed by Microsoft, U.S. Robotics and others in order to transmit
data securely between two VPN nodes (→ VPN) over a public network.
Private Key, Public key; Certification (X.509)
In asymmetrical encryption algorithms 2 keys are used: a Private Key
and a Public Key. The public key serves to encrypt data and the
private key to decrypt them.
The public key is provided by the future recipient of the data to those
who will send the data to him in encrypted form. The private key is
possessed only by the recipient and serves to decrypt the received
data.
Certification:
So that the user of the public key (for encryption) can be certain that
the public key conveyed to him really does come from the entity that is
to receive the data to be sent, certification can be used: the verification
of the authenticity of the public key and the consequent link between
the identity of the sender and his key is performed by a Certification
Authority or CA. This is done according to the rules of the CA, for
example by the sender being required to appear in person. Following
successful inspection the CA signs the sender's public key with its
(digital) signature. A certificate is created.
An X.509 certificate makes a connection between an identity in the
form of an 'X.500 Distinguished Name' (DN) and a public key. This
connection is authenticated by the digital signature of an X.509
Certification Authority (CA). The signature - an encryption with the
signature key - can be checked with the private key issued by the CA
to the certificate holder.
Protocol, Transfer
protocol
Devices that communicate with each other must use the same rules.
They have to "speak the same language". Such rules and standards
are called protocols or transfer protocols. Frequently used protocols
include IP, TCP, PPP, HTTP and SMTP. TCP/IP is the umbrella term
for all protocols that are based on IP.
Service provider
Supplier, company or institution that gives users access to the Internet
or to an online service.
Spoofing, AntiSpoofing
In Internet terminology, spoofing means to specify a forged address.
The forged Internet address is used to pose as an authorised user.
Anti-spoofing means mechanisms to reveal or prevent spoofing.
SSH
SSH (Secure Shell) is a protocol that enables secure, encrypted data
exchange between computers. Secure SHell is used for remote access
to the input console of Linux-based machines.
Stateful inspection firewall
A stateful inspection firewall is a packet filtering method. Packet filters
only let IP packets through if this has been defined previously using
firewall rules. The following is defined in the firewall rules:
• which protocol (TCP, UDP, ICMP) can go through,
• the permitted source of the IP packets (From IP / From port)
• the permitted destination of the IP packets (To IP / To port)
It is likewise defined here what will be done with IP packets that are
not allowed through (discard, reject).
For a simple packet filter it is always necessary to create two firewall
rules for a connection:
• One rule for the query direction from the source to the destination,
  and
• a second rule for the query direction from the destination to the
  source.
It is different with a stateful inspection firewall. Here a firewall rule is
only created for the query direction from the source to the destination.
The firewall rule for the response direction from the destination to the
source results from analysis of the data previously sent. The firewall
rule for the responses is closed again after the responses are received
or after a short time period has elapsed. Thus responses can only go
through if there was a previous query. This means that the response
rule cannot be used for unauthorised access. What is more, special
procedures make it possible for UDP and ICMP data to also go
through, even though these data were not requested before.
Symmetrical encryption
With symmetrical encryption the data are encrypted and decrypted
using the same key. Examples of symmetrical encryption algorithms
are DES and AES. These are fast, but require complex administration
as the number of users increases.
TCP/IP (Transmission Control Protocol/Internet Protocol)
Network protocol that is used to connect two computers on the
Internet.
IP is the basic protocol.
UDP builds on IP, and sends individual packets. These can arrive at
the recipient in a different sequence from the one they were sent in, or
they can even get lost.
TCP serves to secure the connection, and ensures, for example, that
the data packets are forwarded to the application in the right
sequence.
UDP and TCP provide, in addition to the IP addresses, port numbers
between 1 and 65535, which can be used to distinguish the various
services.
A number of additional protocols are based on UDP and TCP, such as
HTTP (Hyper Text Transfer Protocol), HTTPS (Secure Hyper Text
Transfer Protocol), SMTP (Simple Mail Transfer Protocol), POP3 (Post
Office Protocol, Version 3), DNS (Domain Name Service).
ICMP builds on IP, and contains control messages.
SMTP is an e-mail protocol based on TCP.
IKE is an IPsec protocol based on UDP.
ESP is an IPsec protocol based on IP.
On a Windows PC, WINSOCK.DLL (or WSOCK32.DLL) handles both
of these protocols.
(→ Datagram)
UDP
See TCP/IP
VPN (Virtual Private Network)
A Virtual Private Network (VPN) connects several separate private
networks (subnets) via a public network, e.g. the Internet, to form a
shared network. Confidentiality and authenticity are ensured by using
cryptographic protocols. A VPN therefore provides an inexpensive
alternative to dedicated lines when it comes to setting up a
supraregional corporate network.
X.509
A kind of "seal" which proves the authenticity of a Public Key (→
asymmetrical encryption) and appendant data.
So that the user of the public key for encryption can be certain that the
public key conveyed to him really does come from its issuer and hence
from the entity that is to receive the data to be sent, certification can be
used. This verification of the authenticity of the public key and the
consequent link between the identity of the issuer and his key is
performed by a Certification Authority or CA. This is done according to
the rules of the CA, for example by the issuer of the public key being
required to appear in person. Following successful inspection the CA
signs the public key with its (digital) signature. A certificate is created.
An X.509(v3) certificate therefore contains a public key, information
about the key owner (given as Distinguished Name (DN)), permitted
designated uses, etc. and the signature of the CA.
The signature is created as follows: from the bit sequence of the public
key, the data on its owner and other data, the CA creates an individual
bit sequence which can be up to 160 bits long, the HASH value. This is
encrypted by the CA using its private key and added to the certificate.
Encryption with the CA's private key is proof of authenticity, i.e. the
encrypted HASH character sequence is the digital signature of the CA.
Should the data of the certificate be changed without authorization, the
HASH value is no longer correct and the certificate then becomes
worthless.
The HASH value is also known as the fingerprint. As it is encrypted
with the private key of the CA, anyone in possession of the
corresponding public key can decrypt the bit sequence and thus check
the authenticity of the fingerprint or signature in question.
Involving certification authorities means that not every key owner
needs to know the other one, but only the certification authority used.
The additional key information also simplifies the administrability of the
key.
X.509 certificates are employed, e.g. in e-mail encryption, using
S/MIME or IPsec.
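The hash-then-sign procedure described above, as an added example that is not from the manual: a constructed certificate body (owner DN, placeholder public key, permitted uses) is reduced to a 160-bit SHA-1 fingerprint as the text says, the fingerprint is signed with the CA's private key, and verification with the CA's public key fails as soon as the owner data is altered. The CA key is textbook RSA without padding on two small Mersenne primes, chosen only so the block runs stand-alone; that key, the JSON canonical form and the field names are assumptions of the example, not a real X.509 encoding.

```python
"""How a CA signs certificate data and how anyone with the CA public key
checks it. Added example; toy RSA, not for real use."""
import hashlib
import json
from typing import Any, Dict, Tuple

# Constructed CA key pair. p = 2^89 - 1 and q = 2^107 - 1 are Mersenne primes,
# so n is about 196 bits and a 160-bit SHA-1 fingerprint fits in one RSA block.
_P = (1 << 89) - 1
_Q = (1 << 107) - 1
CA_N = _P * _Q
CA_E = 65537
CA_D = pow(CA_E, -1, (_P - 1) * (_Q - 1))    # CA private exponent (Python >= 3.8)
CA_PUBLIC: Tuple[int, int] = (CA_N, CA_E)


def fingerprint(tbs: Dict[str, Any]) -> int:
    """160-bit HASH value over the to-be-signed data (owner DN, public key, uses).

    The data is serialised canonically so signer and verifier hash the same bytes.
    """
    canonical = json.dumps(tbs, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha1(canonical).digest(), "big")


def ca_sign(tbs: Dict[str, Any]) -> Dict[str, Any]:
    """The CA 'encrypts' the fingerprint with its private key and adds it to the certificate."""
    signature = pow(fingerprint(tbs), CA_D, CA_N)
    return {"tbs": tbs, "signature": signature}


def verify(cert: Dict[str, Any], ca_public: Tuple[int, int] = CA_PUBLIC) -> bool:
    """Decrypt the signature with the CA public key and compare with a fresh fingerprint."""
    n, e = ca_public
    return pow(cert["signature"], e, n) == fingerprint(cert["tbs"])


# Constructed certificate body; the subject public key is a placeholder string.
TBS: Dict[str, Any] = {
    "subject": "CN=md741-1.example, O=Example Plant, C=DE",    # X.500 Distinguished Name
    "public_key": "PLACEHOLDER-SUBJECT-PUBLIC-KEY",
    "key_usage": ["digitalSignature", "keyEncipherment"],
}
CERT = ca_sign(TBS)


def altered_copy(cert: Dict[str, Any]) -> Dict[str, Any]:
    """Change the owner after signing: the fingerprint no longer matches the signature."""
    tbs = dict(cert["tbs"])
    tbs["subject"] = "CN=other.example, O=Example Plant, C=DE"
    return {"tbs": tbs, "signature": cert["signature"]}


if __name__ == "__main__":
    print(verify(CERT))                 # True
    print(verify(altered_copy(CERT)))   # False
```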