Siemens Step7 remote connection via VPN

syphax

I have a client site with a network of S7-400 PLCs on a LAN (CP 443's) about 400 km from my office. My client's IT people have set up a Citrix VPN connection so that I can securely connect onto the remote LAN from my office and 'ping' selected PCs at the remote site. They get to control what 'targets' I have access to and what ports I can access - i.e. all the normal security stuff.

Step-7 seems to want to behave as though it is connected locally to the remote network, which of course doesn't work via the VPN tunnel. When I try to work through Siemens support they keep referring me to either Teleservice or the Scalance Switches.

Surely there has to be a way to make a secure VPN work without any additional hardware? I could install another copy of Step-7 on a networked PC and then use RDP via the VPN to remotely control that PC but that seems like a whole lot of unnecessary work and expense.

Can anyone confirm what is happening and offer a solution?

Thanks,

Syphax
 
Hi

The best way (security + price) to reach an S7 PLC directly over VPN is to use Scalance switches. The other way is to use a PC connected to the PLC and remote control. For the second option you must also buy a PC and install Step 7 + license (price around 2000 Euro with PC). I think this is more expensive than just buying one Scalance S612 (price around 1200 Euro).

regards
 
Hi

You can insert a "fake" CP card in your project; that way you can assign an address within the local IP range. Then you have to use this CP card when you want to go online from the office.



You also have to NAT port 102 in the routers.
 
I'm not quite sure I understand exactly what you are able to ping. Are these PCs engineering stations or are they simply PCs which are also connected to the same network as the PLCs? I had a similar case a couple of years back and there I got a VPN connection to the engineering station and when I dialed in from home, it was as if I was sitting in front of the ES (well not quite, the ES was set up for 1600 x 1280 on a 21" monitor and I was running 1280 x 1050 on my laptop, but apart from that ... ;) ).

That certainly worked well and must be the easiest way to do it. Depending on how much remote work you're going to be doing, it might be worth adding a dedicated (minimum configuration) ES connected directly (and only) to the PLCs.
 
Thanks for the reply.

The PCs are on the same subnet as the PLCs and are running third-party SCADA software (iFix) exchanging data with the PLCs. I could install Step-7 on one of these machines and then connect via VPN as you suggest. The disadvantage with that is that it requires very good coordination with operations staff who otherwise use both these PC workstations. Not to mention having to transfer Step-7 licences.
 
Hi

It is not correct (safety of the process) to have remote control of an operator PC. I was thinking of a new PC, separate from the operators, for example in your office in the plant. But yes, you can use an operator's PC for the VPN. When the operator has a problem and can't solve it, you take control and you'll be "master".

regards
 
Not to mention having to transfer Step-7 licences.
I agree that the coordination could be a problem.

Depending on how much and what sort of work you have to do, the licence might be less of a problem. Once a licence has been installed one time and then removed to another PC, you can still work on with Step7 (from V5.3, I believe) and you only have to put up with a nag screen every ten minutes + every time you open a new program (editor, HW-Config, etc.) or when you save a block you've been working on. Depending on what you have to do, you can usually live with it.
Not really suitable for full scale development, though, I must admit.
 
¿IPSec?

Hi!

Can you ping the S7-400's CP? i.e. ping 192.168.1.3
If the VPN is IPSec you shouldn't have any problem. I've connected to several S7 and TP using IPSec routing via Siemens and non-Siemens firewalls.

Best regards,
Kelkoon

P.S. When I say connecting to S7, I mean connecting using STEP 7. Remember to configure the CPs with their address, mask and ROUTER ADDRESS (so they can answer you).
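
The return-path point in the post above (the CP needs a router address before it can answer a routed VPN client) and the port 102 requirement mentioned earlier in the thread can be checked with a short script. This is an added example, not code from any poster: the netmask, router address and VPN client address are constructed sample values, and `return_path` and `port_open` are hypothetical helper names; only 192.168.1.3 and port 102 come from the thread.

```python
import ipaddress
import socket

S7_PORT = 102  # ISO-on-TCP, the port the thread says must be passed through


def return_path(cp_ip, cp_mask, cp_router, client_ip):
    """Classify how a CP with this IP configuration can answer client_ip."""
    cp_net = ipaddress.ip_network(f"{cp_ip}/{cp_mask}", strict=False)
    if ipaddress.ip_address(client_ip) in cp_net:
        return "on-link"      # same subnet: the CP replies directly
    if not cp_router:
        return "no-route"     # routed client, but the CP has no router set
    if ipaddress.ip_address(cp_router) not in cp_net:
        return "bad-router"   # router address lies outside the CP's own subnet
    return "via-router"       # reply leaves via the router, which must know the VPN range


def port_open(host, port=S7_PORT, timeout=3.0):
    """True if a TCP connection completes. A successful ping does not prove this."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample values (assumptions, apart from the CP address).
CP_IP, CP_MASK = "192.168.1.3", "255.255.255.0"
VPN_CLIENT = "10.8.0.25"

if __name__ == "__main__":
    for router in ("", "192.168.2.1", "192.168.1.1"):
        result = return_path(CP_IP, CP_MASK, router, VPN_CLIENT)
        print(f"router={router or '(none)'}: {result}")
    # Run the live check only from the engineering PC against your own site:
    # print(port_open(CP_IP))
```

A result other than `on-link` or `via-router` means the CP cannot answer the VPN client, whatever the tunnel and firewall allow.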
 