MindSphere Remote Services: Advanced Connections¶

This section outlines how to access Devices located in secondary Device Networks. This comprises their onboarding and the setup of involved gateways.

Note: The setup and configuration of this documentation's reference tenant, its users, Sites and Devices can be found in chapter Sample setup used in documentation.

Note: The product structure and the protocol routing capabilities of the individual optional capability packages are described in chapter Product structure and procurement.

Note: Please observe the chapter on system requirements for using IPsec technology, in case you want to use IPsec-capable routers as gateways in primary Device Networks.

Example: Administrator creates Protocol Application for RDP into secondary Device Network¶

A Protocol Application is a template for assigning a particular access protocol to a particular devices. We start with creating an RDP Protocol Application, which will be used for Devices in secondary Device Networks. Please click "Create New Protocol Application".

Now you see the MRS Protocol Hub, which displays the protocols you may use. Please note, that the protocols are tagged with the MRS Option package they belong to. Click "Remote Desktop Protocol".

Now we name the Protocol Application as RDP login Asia and specify aspects such as the default user name (here: userasia), that will be used for the RDP login itself. Click "Save".

The newly created Protocol Appliation RDP login Asia is now available and awaits assignment to Devices.

Example: Administrator configures Device Endpoint as gateway into secondary Device Network¶

In order to connect to Devices in secondary Device Networks we now configure a Device Endpoint on a Device in a primary Device Network as a gateway.

Note: Please ensure, that the secondary network can be reached by configuring your network setup accordingly.

Select the blue hexagon in the top left corner to open the organizational device tree. Then navigate to Device PC i01. Then edit this device via and configure its Device Type as Gateway. Complete this action by pressing "Save".

The device page of PC i01 does not show any Assigned Devices in its bottom right dashboard. Press "Create New Device" to launch the menu for creating Devices in secondary Device Networks.

In the following menu we create a Device named HMI i01 and set its Device Type to Secondary Target. Please provide additional information such as the device's IP address. When done, press "Save".

The device page of PC i01 now displays HMI i01 as an assigned device residing in a secondary Device Network.

We now assign a Protocol Application to HMI i01 so that one may connect to it. Press "Assign Protocol Application".

In this example we selected RDp, so that it shows up on the right hand side of the menu. Press "Save" to complete the action.

The chosen protocol RDP was successfully assigned to Device HMI i01 and is ready for use.

Example: User establishes RDP to HMI in secondary Device Network¶

We assume that User Europe is a remote technician, who now wants to connect HMI i01 via an RDP session to perform some maintenance tasks. In the beginning, there is no connection established. Press the blue "chain" button to launch the connection.

The RDP launcher pops up - press "Connect".

Then provide the credentials associated with the RDP user name configured in an earlier step.

Accept the connection request.

The RDP windows opens now providing the trigged access.

Example: Site Owner disconnects all Devices at a Site¶

Users with the role of Site Owner have a special responsibility for all the Devices within their site. Thus, they may disconnect an entire site including all its devices from MRS by using a special Lock Connectivity button function. This is available in MRS UI V1 under tile "System Management" and then selecting the site to be disconnected from the device tree on the left.

Example: Administrator onboards IPsec router in primary Device Network¶

Instead of using a downloadable Device Endpoint as gateway on a PC-type or Industrial Edge-type Device, it is also possible to use a hardware router instead. This example outlines, how to onboard such a hardware IPsec router to a primary Device Network, so that Devices located in site-internal secondary Device Networks may be reached via the router's public interface.

In this section we use MRS V2 for setting up the router. Please select our exemplary target site Munich from the device menu, which is available under the blue hexagon in the top left corner of the screen. Then we choose "Create Device" at the top right corner of the screen.

The device creation screen pops up. Please enter all required information such as router name Router m01, etc. Then press "Save".

The newly created router Router m01 is now available in the MRS device manager. Press "Add Configuration" for switching to the configuration of the router's public interface.

Now please enter the configuration of the router's public communication interfaces such as the pre-shared key and IP-address. Next, we assign an internal network to the router by clicking "Add Remote Network".

Please provide the required internal network address and network mask before pressing "Save".

The router is now connected to both a public plus an internal secondary network and ready for onboarding devices to the secondary network, as will be outlined in the next example.

Note: Please observe the additional IPsec settings and router configuration hints given further down in this chapter. Using IPsec routers should also be considered for the network and firewall settings described in section Appendix for Experts.

Example: Administrator onboards devices in secondary Device Network to IPsec router¶

Open the device information page of our examplary Router m01 and press "Create New Device" on the bottom right side to register devices connected to the router.
Select our exemplary Router m01 in the MRS device tree and press "Create New Device" on the bottom right side to register a device, which is physically connected to the site-internal interface of the router.

Please provide all information for this new device named IPC m02. Please note, that the selected Router m01 is already displayed as the pre-assigned gateway. Press "Save" when done.

The router's information page now displays the previously created device IPC m02 in the list of assigned devices on the right.

You may select device IPC m02 from the device tree, and its device information page should now display it as "connected". Press "Assign Protocol Application" to assign a pre-configured protocol to this device.

Here we assigned the previously created protocol application VNC login Europe to IPC m02.

Note: Instead of onboarding endpoint-less devices in secondary networks to IPsec routers, is also possible to onboard Devices running a Device Endpoint. That allows for performing UI-based file transfer to or from this particular device. However, endpoints on such devices must not be configured as gateways.

System Requirements for using IPsec technology in MRS¶

This section outlines overarching requirements, which have to be fulfilled in order to use IPsec technology in MRS. Based on these, the succeeding section describes how to setup IPsec devices.

Network Settings on Devices connected to an IPsec router¶

• Service Asset proxy settings: 192.168.20.30:3128c
  
• Additional configuration via MindSphere Asset Manager for a MindSphere Agent residing on same device (Service Asset)
  
• Assign above proxy settings to asset's HTTP proxy and port, set its proxy authentication type to 'basic'
  
• Set the DNS entry to the same IP address as the HTTP proxy IP (without any port information)
  

Settings for connecting IPSec routers to MindSphere MRS¶

• MindSphere public IPsec endpoint for MRS: 54.93.65.172
  
• The IPSec router connected to MindSphere must be configured as gateway for the Service Assets connected to this router. MindSphere IPSec endpoint exposes a CIDR range 192.168.20.0/24 to the connected routers.
  
• MindSphere uses an internal DNS endpoint for receiving notifications on changed IP addresses of connected IPSec routers. Thus, routers must use the following URL for sending notifications on their changed IP addresses:
  
• https://dyndns.eu1.vpnrts.mindsphere.io/<HOSTNAME>?passKey= <PASSKEY>&userName=<USERNAME>&ipAddress=<IPADDRESS>
  
• still supported, but subject to upcoming End-of-Life: https://dedi7nihr5ump.cloudfront.net/<HOSTNAME>?passKey= <PASSKEY>&userName=<USERNAME>&ipAddress=<IPADDRESS>
  
• The parameters needed for the internal DNS endpoint are:
  
• <HOSTNAME> host name of connected IPSec router; for instance, "myipsecrouter" from "myipsecrouter.mydomain.org" where "mydomain.org" is set in ITS application
  
• <USERNAME> specified in ITS application for authentication of the administrative user, who may update the IP addresses of connected IPSec routers
  
• <PASSKEY> password associated with <USERNAME>
  
• <IPADDRESS> changed IP address of connected IPSec router
  
• MindSphere IPSec endpoint supports the following Diffie-Hellman (DH) groups for Internet Key Exchange (ISAKMP) for IPSec phase 1:
  
• Encryption: AES-128, Hash: SHA-256, Key Exchange Security: DH-group-14
  
• Encryption: AES-128, Hash: SHA-256, Key Exchange Security: DH-group-15
  
• Encryption: AES-128, Hash: SHA-256, Key Exchange Security: DH-group-16
  
• Encryption: AES-128, Hash: SHA-256, Key Exchange Security: DH-group-20
  
• Encryption: AES-128, Hash: SHA-256, Key Exchange Security: DH-group-21
  
• Encryption: AES-128, Hash: SHA-256, Key Exchange Security: DH-group-24
  
• Encryption: AES-192, Hash: SHA-256, Key Exchange Security: DH-group-14
  
• Encryption: AES-192, Hash: SHA-256, Key Exchange Security: DH-group-15
  
• Encryption: AES-192, Hash: SHA-256, Key Exchange Security: DH-group-16
  
• Encryption: AES-192, Hash: SHA-256, Key Exchange Security: DH-group-20
  
• Encryption: AES-192, Hash: SHA-256, Key Exchange Security: DH-group-21
  
• Encryption: AES-192, Hash: SHA-256, Key Exchange Security: DH-group-24
  
• Encryption: AES-256, Hash: SHA-256, Key Exchange Security: DH-group-14
  
• Encryption: AES-256, Hash: SHA-256, Key Exchange Security: DH-group-15
  
• Encryption: AES-256, Hash: SHA-256, Key Exchange Security: DH-group-16
  
• Encryption: AES-256, Hash: SHA-256, Key Exchange Security: DH-group-20
  
• Encryption: AES-256, Hash: SHA-256, Key Exchange Security: DH-group-21
  
• Encryption: AES-256, Hash: SHA-256, Key Exchange Security: DH-group-24
  
• Encryption: AES-192, Hash: SHA-384, Key Exchange Security: DH-group-14
  
• Encryption: AES-192, Hash: SHA-384, Key Exchange Security: DH-group-15
  
• Encryption: AES-192, Hash: SHA-384, Key Exchange Security: DH-group-16
  
• Encryption: AES-192, Hash: SHA-384, Key Exchange Security: DH-group-20
  
• Encryption: AES-192, Hash: SHA-384, Key Exchange Security: DH-group-21
  
• Encryption: AES-192, Hash: SHA-384, Key Exchange Security: DH-group-24
  
• Encryption: AES-256, Hash: SHA-512, Key Exchange Security: DH-group-14
  
• Encryption: AES-256, Hash: SHA-512, Key Exchange Security: DH-group-15
  
• Encryption: AES-256, Hash: SHA-512, Key Exchange Security: DH-group-16
  
• Encryption: AES-256, Hash: SHA-512, Key Exchange Security: DH-group-20
  
• Encryption: AES-256, Hash: SHA-512, Key Exchange Security: DH-group-21
  
• Encryption: AES-256, Hash: SHA-512, Key Exchange Security: DH-group-24
  

Configuring an IPsec router as gateway into secondary Device Network¶

This section provides additional information for IT personnel on how to configure the individual network parameters of an IPsec Router within a Device Network.

For IPsec connections the following ports should be opened to allow for IPsec traffic: | Port | Protocol | | --- | --- | | 500 | UDP | | 4500 | UDP | | all | 50 (ESP Encapsulating Security Payload) | | all | 51 (AH, Authentication Header) |

Such router configuration comprises the following steps, which are outlined in the following:
1. DDNS configuration
2. ISAKMP policy configuration
3. Transform-set configuration
4. Crypto Map configuration and application to interface
5. Configure a route to MRS backend on Mindsphere
6. Define an access-list to allow internal traffic

Note: The IP address of the public IPsec endpoint used by MRS can be obtained from release notes.

Example: DDNS Configuration¶

This section is applicable if the public IP of an IPsec router in a primary Device Network is dynamic. For instance, your router might not have an own IP address space but rely on an Internet Service Provider (ISP), who may assign dynamic IP addresses to your router.

ip DDNS update method LabDynDNS 
HTTP
add https://{DDNS server access}/{Dynamic Domain Name}?passKey={Dynamic DNS Password}&userName={Dynamic Domain Name}&ipAddress=
interval maximum 0 0 3 0
!
interface GigabitEthernet1
ip ddns update LabDynDNS

Example: ISAKMP Policy Configuration¶

!
crypto isakmp policy 1
encr aes 256
hash sha256
authentication pre-share
group 15
crypto isakmp key {………………} address {3……….30}
crypto isakmp keepalive 30 5 periodic
!

Example: Transform-Set Configuration¶

!
crypto ipsec transform-set EA6EHS esp-aes 256 esp-sha256-hmac
mode tunnel
!

Example: Configuring the Crypto Map and Applying the Crypto Map to Your Interface¶

!
crypto map CmapTu01 1 ipsec-isakmp
set peer {IP address}
set transform-set EA6EHS
set pfs group15
match address aclTu01
!
!
interface GigabitEthernet1
crypto map CmapTu01

Example: Defining a Route for Traffic from Device Network to MRS¶

ip route 192.168.20.0 255.255.255.0 
!

Example: Defining Firewall Access-List to Allow Traffic to MRS¶

ip access-list extended aclTu01
permit ip 10.10.10.0 0.0.0.127 192.168.20.0 0.0.0.255
!

Additional information
- "10.10.10.0 0.0.0.127" is an example for your internal Device Network's address range in which the devices connected to the router reside
- "192.168.20.0 0.0.0.255" is the static MRS-internal network setup, which must be connected via IPsec to the Device Network side in order to use MRS

Hints for configuring a Siemens SCALANCE Router¶

This section gives hints for configuring a Siemens SCALANCE Router for IPsec connections to a Device Network via SCALANCE Web Management.

1. menu System → cRSP/SRS: WAN_IP is a keyword, which the router replaces with the current external IP address of the device to the destination server
   
2. menu Security → IPsec VPN → tab Connections: enter a connection name and configure it with
   
3. Keying Protocol: IKEv1
   
   • Remote End: Select value from above step 5
     
   • Local Subnet: {target network}
     
4. menu Security → IPsec VPN → tab Authentication: enter the following values in the respective fields:
   
   • Remote Address: {public IPsec endpoint of MRS}
     
   • Remote Subnet: {192.168.20.0/24}
     
   • Authentication: PSK
     
   • Remote ID: {public IPsec endpoint of MRS}
     
   • PSK: {freely generated} [must match value of pre-shared secret in Remote Services app]
     
   • PSK Confirmation: repeat PSK value
     
5. Switch to tab Phase 1: Uncheck Default Ciphers checkbox. Enter the following values:
   
   • Encryption: select the same value as in the Remote Services app
     
   • Authentication: select the same value as in the Remote Services app
     
   • Key Derivation: select the same value as in the Remote Services app
     
   • Lifetime (in seconds): 86400
     
6. Switch to tab Phase 2: Uncheck Default Ciphers checkbox. Enter the following values in the respective fields:
   
   • Encryption: select the same value as in the Remote Services app
     
   • Authentication: select the same value as in the Remote Services app
     
   • Key Derivation: select the same value as in the Remote Services app
     
   • Lifetime: 60
     
   • Check Auto Firewall Rules checkbox.
     
7. Switch to tab Connections tab: select "wait" from Operation dropdown.
   

Any questions left?

Ask the community

Except where otherwise noted, content on this site is licensed under the MindSphere Development License Agreement.