Product Names are trademarks of Schneider Electric. All other trademarks are the
property of their respective owners.
Revision: B
Controller names and version number: NetController II model 9680 version 2.0 and ACX
57x0 first-release firmware.
The information in this document is furnished for informational purposes only, is subject
to change without notice, and should not be construed as a commitment by Schneider
Electric. Schneider Electric assumes no liability for any errors or inaccuracies that may
appear in this document.
Schneider Electric
One High Street
North Andover, MA 01845
Phone: (978) 975-9600
Fax: (978) 975-9782
http://www.schneider-electric.com/buildings
Network Security Configuration Guide
30-3001-996
Revision B
February, 2010
About this Manual
Related Documentation
For additional or related information, refer to these documents.
Document                                                       Document Number
NetController II Installation Instructions                     30-3001-994
NetController II Operation and Technical Reference Guide       30-3001-995
ACX 57xx Series Controller Installation Instructions           TBD
ACX 57xx Controller Operation and Technical Reference Guide    TBD
Andover Continuum CyberStation Configurator’s Guide            30-3001-781
Symbols Used
The Notes, Warnings and Cautions used in this manual are listed
below.
CAUTION or WARNING
Type of hazard
How to avoid hazard.
Failure to observe this precaution can result in injury or equipment
damage.
6 Schneider Electric
Contents
Chapter 1
Security Configuration Overview
Topics include:
Note: You may need to contact your Network Administrator to get the
IP addresses.
Chapter 2
Configuring the Controller
Topics include:
Step 2: Select the Options tab on the Infinity Controller editor and
check the value of the Network Security option.
If the Network Security option value is “Enabled,” proceed to:
Configuring a Controller for Secure Communication. If the
Network Security option value says “Disabled,” continue with
the next step.
Step 3: Click the Update OS button, and load the appropriate UPD
file, which was provided when you purchased the Network
Security option from Schneider Electric, to enable the Network
Security option for this controller.
Step 4: When you have completed the update, verify that the
controller has returned online.
Step 5: Select the Options tab on the Infinity Controller editor and
verify that the Network Security option is set to “Enabled.”
Note: The default secret from the factory is “itsasecret”. You must
remember the secret that you enter here for later use. All
controllers and CyberStations that need to communicate
securely must be configured with the same secret.
Step 2: You must re-enter the same secret in the Confirm Code field
to confirm your secret.
Note: You must remember the option you selected for later use. All
controllers and CyberStations that will communicate securely
MUST be configured with the same option.
Step 1: Selecting Do not apply Security to Web pages leaves all
Web communication unsecured, which allows the HTTP traffic to
be sniffed.
Step 3: Select “Option Settings” from the menu. The Network Security
option should be listed as “Enabled - FIPS 140-2”
pages if this option is turned on. Select this option when the
controller is being configured to run in FIPS 140-2 validated mode.
Peer to Peer Security Configuration
Note: The default secret from the factory is “itsasecret”. You must
remember the secret that you enter here for later use. All
controllers and CyberStations that need to communicate
securely must be configured with the same secret.
Note: The first time the controller is configured for Network Security
in FIPS 140-2 validated mode, the connection to the controller is
unsecured. After configuring the controller for Network Security
in FIPS 140-2 validated mode for the first time, you may then go
back and change the Authentication Secret from the factory
default to a more secure secret of your choice.
Step 2: You must re-enter the same secret in the Enter New Code
field.
Step 3: You must re-enter the same secret in the Confirm New Code
field.
Note: You must remember the option you selected for later use. All
controllers and CyberStations that will communicate securely
MUST be configured with the same option.
Note: Since security is now applied to the Web pages and the default
Web port changed from 80 to 33920, the following format must
be used to access the controller’s Web page securely:
http://<ip address>:<web port>/
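One way to check a commissioning worksheet against the notes above (same secret everywhere, same Web security option everywhere, factory default replaced) and to derive the Web URL in the format just shown. This is an added example, not Schneider Electric tooling; the record fields, the audit key, the sample devices, the use of port 80 when Web security is off, and the rule that the most common value is the intended one are all assumptions.

```python
import hashlib
import hmac
from collections import Counter

FACTORY_DEFAULT_SECRET = "itsasecret"  # factory default quoted in the guide
SECURED_WEB_PORT = 33920               # default Web port once Web security is applied

def fingerprint(secret: str, site_key: bytes) -> str:
    """Keyed digest, so the worksheet never stores the shared secret itself."""
    return hmac.new(site_key, secret.encode("utf-8"), hashlib.sha256).hexdigest()

def audit(devices, site_key):
    """Return {device name: [findings]} for a list of device records."""
    default_fp = fingerprint(FACTORY_DEFAULT_SECRET, site_key)
    # Assumption: the most common value is the intended site-wide setting.
    common_fp = Counter(d["secret_fp"] for d in devices).most_common(1)[0][0]
    common_web = Counter(d["web_security"] for d in devices).most_common(1)[0][0]
    findings = {}
    for d in devices:
        issues = []
        if hmac.compare_digest(d["secret_fp"], default_fp):
            issues.append("factory-default secret still in use")
        if d["secret_fp"] != common_fp:
            issues.append("secret differs from the rest of the site")
        if d["web_security"] != common_web:
            issues.append("Web security option differs from the rest of the site")
        if issues:
            findings[d["name"]] = issues
    return findings

def web_url(device):
    """URL format from the guide; port 80 is assumed when Web security is off."""
    port = device.get("web_port", SECURED_WEB_PORT) if device["web_security"] else 80
    return f"http://{device['ip']}:{port}/"

# Constructed sample worksheet (documentation-range addresses, made-up names).
SITE_KEY = b"constructed-audit-key"
SITE_SECRET_FP = fingerprint("constructed-site-secret", SITE_KEY)
DEVICES = [
    {"name": "NC2-lobby", "ip": "192.0.2.10", "secret_fp": SITE_SECRET_FP, "web_security": True},
    {"name": "ACX-dock", "ip": "192.0.2.11", "secret_fp": fingerprint("itsasecret", SITE_KEY), "web_security": True},
    {"name": "CyberStation-1", "ip": "192.0.2.20", "secret_fp": SITE_SECRET_FP, "web_security": False},
    {"name": "NC2-roof", "ip": "192.0.2.12", "secret_fp": SITE_SECRET_FP, "web_security": True},
]

if __name__ == "__main__":
    for name, issues in audit(DEVICES, SITE_KEY).items():
        print(name, "->", "; ".join(issues))
```
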
Chapter 3
Configuring the Workstation
Topics include:
Step 4: Select All Tasks from the popup menu, then select Import
Policies from the submenu.
Step 1: Double click the name of the imported security policy. The
TAC Encrypt and Authenticate Properties dialog
appears.
Step 2: If you configured the controller for Web Security, enable the
TAC Web Server Filter in the IP Security rules list by
checking the check box on the Rules tab. If you did not
configure the controller for Web Security, leave the check box
unchecked.
Step 3: For each TAC rule in the list, click Edit. For each, the Edit
Rule Properties dialog appears.
Step 6: Repeat setting the Authentication Secret for each rule in the
list.
Note: The secret entered here is not a hidden field. Access to the Local
Security Policy tool is restricted to users with administrative
privileges on the machine. In order to protect access to the
shared secret, all other users of the machine that will run
CyberStation should be restricted to Windows “Power Users.”
Step 2: IPSec Security Policy is now enabled, and the workstation can
communicate with security-enabled controllers.
Step 2: Select All Tasks from the popup menu, then select Export
Policies from the submenu.
Chapter 4
Activating Network Security for the Controller
Topics include:
Step 3: Check the Network Security check box, and click Apply.
Step 2: On the General tab, select 9680 from the Controller Type
dropdown menu.
Network Security Configuration Guide
Document Number 30-0001-996
Revision B