
SIMATIC
PCS 7 Process Control System
Support and Remote Dialup
Commissioning Manual
11/2016
A5E39249952-AA

Security information 1
Preface 2
Support and Remote Dialup 3
Dialup 4
Practical information 5
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol; notices referring only to property damage have no safety alert symbol. The notices shown below are
graded according to the degree of danger.

DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION
indicates that minor personal injury can result if proper precautions are not taken.

NOTICE
indicates that property damage can result if proper precautions are not taken.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will be
used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property
damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified
personnel are those who, based on their training and experience, are capable of identifying risks and avoiding
potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:

WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended or
approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software described.
Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in
this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

Siemens AG
Division Process Industries and Drives
Postfach 48 48
90026 NÜRNBERG
GERMANY

A5E39249952-AA
02/2017 Subject to change
Copyright © Siemens AG 2016.
All rights reserved
Table of contents

1 Security information......................................................................................................................................5
2 Preface.........................................................................................................................................................7
2.1 Structure and organization of the document............................................................................7
2.2 Special Notes...........................................................................................................................7
3 Support and Remote Dialup.........................................................................................................................9
3.1 Definitions................................................................................................................................9
3.2 Concept..................................................................................................................................10
4 Dialup.........................................................................................................................................................13
4.1 Local dialup............................................................................................................................13
4.2 Remote dialup........................................................................................................................14
4.2.1 Network medium....................................................................................................................14
4.2.2 Support device.......................................................................................................................15
4.2.3 Control System Network Access............................................................................................15
4.3 Choice of technology..............................................................................................................15
5 Practical information...................................................................................................................................21
5.1 General information................................................................................................................21
5.2 Siemens Remote Service (SRS)............................................................................................21

Support and Remote Dialup


Commissioning Manual, 11/2016, A5E39249952-AA 3
Security information 1
Siemens provides products and solutions with industrial security functions that support the
secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is
necessary to implement and continuously maintain a holistic, state-of-the-art industrial
security concept. Siemens products and solutions only form one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems, machines and
networks. Systems, machines and components should only be connected to the enterprise
network or the internet if and to the extent necessary, and with appropriate security measures
(e.g. use of firewalls and network segmentation) in place.
Additionally, Siemens guidance on appropriate security measures should be taken into
account. For more information about industrial security, please visit:
http://www.siemens.com/industrialsecurity
Siemens products and solutions undergo continuous development to make them more secure.
Siemens strongly recommends applying product updates as soon as they are available and always
using the latest product versions. Use of product versions that are no longer supported, and
failure to apply the latest updates, may increase customers' exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS
Feed under:
http://www.siemens.com/industrialsecurity

Preface 2
2.1 Structure and organization of the document
The Security Concept PCS 7 & WinCC has several parts:
- The basic document provides a central overview and path through Security Concept
PCS 7 & WinCC. This document describes the basic principles and security strategies of the
security concept in systematized form. All additional detail documents assume the reader has
read the basic document.
- The detail documents (this is one such detail document) explain the individual principles,
solutions and configuration recommended there in detailed form, and each focuses on a
particular detailed issue. The detail documents are supplemented, updated and published
independently of one another to ensure that they are always up-to-date.
- PCS 7 Compendium F: Compendium F describes in detail how the solutions can be
implemented in the PCS 7 environment. You can find this documentation on the Internet
at: https://support.industry.siemens.com/tf/ww/en/posts/69921/

2.2 Special Notes

Objective of the Security Concept PCS 7 & WinCC


The main priority of automation is to maintain control over production and process. Measures
intended to prevent the spread of a security threat must not impair this aim.
The security concept PCS 7 & WinCC is intended to provide support in creating a plant in
which only authenticated users can perform authorized (permitted) operations using operating
options assigned to them for authenticated devices. These operations should only be
performed via defined and planned access routes to ensure safe production or coordination
of a job without danger to humans, the environment, product, goods to be coordinated and the
business of the enterprise.
Security Concept PCS 7 & WinCC, therefore, recommends the use of the latest available
security mechanisms. To achieve the highest possible level of security, scaled, system-specific
configurations should never contradict the basic principles of this security concept.
Security Concept PCS 7 & WinCC is intended to facilitate the cooperation between network
administrators of company networks (IT administrators) and automation networks (automation
engineers) to exploit the advantages provided by the networking of process control technology
and the data processing of other production levels, without increasing security risks at either
end.

Required Knowledge
This documentation is aimed at anyone who is involved in configuring, commissioning and
operating automated systems based on SIMATIC. It is assumed that readers have appropriate
management knowledge of office IT.

Validity
Security Concept PCS 7 & WinCC incrementally replaces the following previous documents
and recommendations: "Security Concept PCS 7" and "Security Concept WinCC", and is valid
as of WinCC V6.2 and PCS 7 V7.0.

Support and Remote Dialup 3
This detailed report focuses exclusively on remote maintenance, remote support and remote
administration of a system. A description of remote control of a system is not included in this
detailed report. However, information on remote control is provided in the detailed report
Management of Communication within and between Security Cells.

3.1 Definitions

Virtual Private Network (VPN)


An extension of a private network which encompasses encapsulated, encrypted and
authenticated connections over shared or public networks. Private networks can establish
remote access and routing connections over the Internet using VPN connections.

Point-to-Point Tunneling Protocol (PPTP)


A network technology that supports multi-protocol VPNs (Virtual Private Networks). This
provides remote users with secure access to internal company networks over the Internet or
other networks by connecting via an Internet Service Provider (ISP) or by establishing a direct
connection over the Internet. PPTP encapsulates IP (Internet Protocol) data, IPX (Internetwork
Packet Exchange) data and NetBEUI (NetBIOS Extended User Interface) data in IP packets.
Such encapsulation is also referred to as tunneling. This means that users can remotely run
applications that are dependent on specific network protocols.

Layer 2 Tunneling Protocol (L2TP)


An industry-standard Internet tunneling protocol that provides encapsulation to send PPP
(Point-to-Point Protocol) frames for packet-oriented media. On IP networks, L2TP traffic is
transmitted in the form of UDP (User Datagram Protocol) messages. On Microsoft operating
systems, L2TP is used in conjunction with IPsec (Internet Protocol Security) as the VPN (Virtual
Private Network) technology to provide VPN connections via RAS (Remote Access) or router-
to-router. L2TP is described in RFC 2661.

Source: Microsoft

3.2 Concept

Description of the concept


Owing to the increase in networking and as systems are connected to company networks and
the Internet and distances increase between support employees and systems (e.g. onshore
support employee; system requiring support is located on a ship), support and remote dialup
is growing in significance.
However, support and remote dialup is associated with additional dangers. On the one hand,
exceptions for support and remote dial-up have to be defined for the access point firewalls,
which creates additional points of attack. On the other hand, support staff may thereby
inadvertently introduce malicious software (malware) to the plant, including viruses, Trojans,
etc.
To minimize this risk, it is recommended to implement a "defense in depth" strategy for support
and remote dial-up, just like the overall security concept for PCS 7 & WinCC. This means that
there is no direct dialup to the endpoint for maintenance, but dialup is achieved with a
combination of multiple technologies and security mechanisms over a central access point to
ensure the highest possible security for the entire system.
The VPN server described in the following is part of the back-end firewall and is therefore the
responsibility of the system administrator. It is published to the WAN (intranet/office network)
via the front-end firewall. The external VPN solution preferred by Siemens for PCS 7 systems,
the Siemens Remote Service (SRS), may be used as an alternative to an internal VPN solution.
The Siemens Remote Service is based on the platform technology "Common Remote Service
Platform (cRSP)" (for more details, see section Practical information (Page 21)).
This configuration ensures that the front-end firewall has absolutely no routing information for the
Process Control Network (PCN) or information on the network structure in the Manufacturing
Control System (MCS) level. Hence, even if the front-end firewall is bypassed by an attacker, there
is no access to the system. A Microsoft Internet Security and Acceleration Server
(MS ISA Server) is shown as the firewall in the following diagrams. Its successor, the Microsoft
Threat Management Gateway (MS TMG) introduced in 2010, or the Automation Firewall 2
offered by Siemens can also be used. Further information on the configuration of an
ISA Server/TMG as a firewall is provided in the detailed report Managing the MS ISA Server/
MS TMG as an Access Point.

Demo System
The following figure shows an example system with front-end and back-end firewall as well as
all devices described in the section AUTOHOTSPOT, for example, the support / dial-up
stations of support staff.

Labels recovered from the figure (networks and devices in order of appearance, top to bottom):
Enterprise Control Network; Firewall; WAN / Intranet; Domain Controller; Support Station; Historian; SIMATIC IT Server; SIMATIC IT SQL Server; Web Client; Router (ISDN); Virus Scan Server
Manufacturing Operations Network; Firewall; Perimeter Network; ISA Server; Support Station; Front Firewall; Domain Controller; Terminal Server; WSUS Server; Router (ISDN); Firewall; ISA Server; Back Firewall; Domain Controller
Process Control Network (SCALANCE X based redundant ring); WinCC Client; OS Client; WinCC Server; WinCC Server; OS Server; OS Server; Engineering Station; Maintenance Server
Control System Network (SCALANCE X based redundant ring); S7 controllers (H, standard and FH variants; model numbers lost in extraction)

Figure 3-1 Demo system with front and back firewall

Dialup 4
In principle, there are two different dialup options:
- local dialup, when the support employee is on site
- remote dialup over the intranet/office network, Internet or telephone network

4.1 Local dialup

Support station belonging to the system


The support station is a stationary support PC that is either physically located on the system
as an ES in the Process Control Network (PCN), and is therefore part of the system, or physically
located as a remote ES in a perimeter network / Manufacturing Operations Network (MON) of
the Manufacturing Execution Systems (MES), and is therefore a trusted, remote system PC. In
both cases, security is ensured by correctly implementing the Security Concept PCS 7 &
WinCC basic document. As project files and backup copies are changed frequently on
engineering stations, in contrast to process control computers, external data media (USB sticks,
CDs etc.) must also be scanned for viruses and malware before being inserted into engineering
stations.

Mobile Support PC / PG (Support Laptop)


If the support employee brings his/her own support PC on site, he/she should only be allowed
to connect to the network at access points provided specifically for this purpose, so-called support ports.
This can be done, for example, with modern devices from the SCALANCE X 300 and 400
ranges. Individual ports can be configured so that a connected computer can only participate
in network communication if it presents a valid certificate for the connection, which the
SCALANCE device verifies against a RADIUS server that in turn grants access. This ensures
that only support employees who have been issued an applicable certificate can participate
in network communication.
The support employee then creates a VPN connection to the back firewall. As the support
employee is on site and system personnel are supervising constantly, a PPTP dialup with a
standard support user account is sufficient. In this case, a user account is queried (in
conjunction with the MS Remote Access Server (RAS)) via a user authentication server (e.g.
the MS Internet Authentication Server (IAS) / RADIUS server), and this account can be used by all
support employees for dialup on site. Each time a support job is completed, the system
administrator must change the password for the standard support user. Using the quarantine
functionality of MS ISA Server / MS TMG on the back-end firewall, the support PC is then
checked to ensure that the virus scanner is up to date, the local firewall is activated, etc.
Depending on the desired security requirements, the content and type of the verification can
be defined by the operator. Only after the check has completed successfully can the
support employee access the system PCN or a specific engineering station. When access to
the Control System Network (CSN) is required as well, quarantine scripts should be written
so that the additional network cards of an engineering station that connect to the CSN (for
example, CP 1623) are deactivated at the beginning and only reactivated after successful
verification.

4.2 Remote dialup

4.2.1 Network medium

Direct connection between devices


Direct connections are initialized between two devices, e.g. two ISDN routers or two Siemens
Teleservice devices. A Point-to-Point connection over which data can be exchanged is always
established between the two devices. It is usually possible to configure the devices so that
they only allow or accept connections to or from defined call numbers or devices. In addition,
they can frequently be set up so that the dialup has to be manually confirmed before the
connection is established. It is therefore possible to ensure that the connection is in fact
established by the support employee via a telephone conversation. For the above reasons,
use of a PPTP-VPN connection is sufficient in this scenario.

Internet
If dialup is via the Internet, maximum possible security must be guaranteed, as in principle
every user on the Internet can attempt to establish a dialup connection to the VPN server. The
VPN server is part of the back firewall and therefore the responsibility of the system
administrator and is published over the front firewall to the WAN (Internet/intranet/office
network). In this scenario, the front firewall accepts VPN connections by proxy and then
forwards them to the back firewall. This configuration ensures that the front firewall has
absolutely no routing information for the PCN or information on the network structure within
the MCS level.
A unique user with a strong password must be created for each support employee so that access
remains traceable. Users should only be enabled temporarily and following consultation by
telephone. A particularly secure tunnel protocol, such as L2TP-IPsec VPN, must be used for
communication to guarantee the integrity and confidentiality of the data via a high level of
security and encryption depth.
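The two organizational rules above, one personal account per support employee and enablement only for an agreed, telephone-confirmed window, are only useful if someone checks the VPN server's logon records against them. The following script is an added example and not part of the Siemens manual or of any Siemens product: it reads constructed VPN logon lines in an assumed "timestamp key=value ..." format (not the log format of MS ISA Server, MS TMG or RAS) and reports every successful logon that falls outside an approved window or that used a weaker tunnel protocol than the Internet scenario requires. The approval list, user names and addresses are constructed for the example.

```python
"""Audit remote support dial-ups against approved support windows.

Added example (not part of the Siemens manual).  Log format, field names
and the approval list are assumptions for this example only.
"""
from dataclasses import dataclass
from datetime import datetime
import re


@dataclass(frozen=True)
class SupportWindow:
    user: str
    start: datetime
    end: datetime
    approved_by: str  # operator who confirmed the request by telephone


# Constructed approvals: the administrator enables each personal account only
# for the agreed window and records who confirmed it by phone.
APPROVED_WINDOWS = [
    SupportWindow("support.mueller", datetime(2016, 11, 3, 8, 0),
                  datetime(2016, 11, 3, 12, 0), "shift-lead"),
    SupportWindow("support.schmidt", datetime(2016, 11, 3, 14, 0),
                  datetime(2016, 11, 3, 16, 0), "shift-lead"),
]

# Constructed VPN logon records in the assumed "timestamp key=value ..." form.
SAMPLE_LOG = """\
2016-11-03 08:05:12 user=support.mueller proto=L2TP/IPsec result=success src=203.0.113.10
2016-11-03 11:40:01 user=support.mueller proto=L2TP/IPsec result=success src=203.0.113.10
2016-11-03 13:15:44 user=support.schmidt proto=L2TP/IPsec result=success src=198.51.100.7
2016-11-03 14:02:09 user=support.schmidt proto=PPTP result=success src=198.51.100.7
2016-11-03 15:30:00 user=support.guest result=success proto=L2TP/IPsec src=192.0.2.55
2016-11-03 22:47:31 user=support.mueller proto=L2TP/IPsec result=failure src=203.0.113.10
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def parse_line(line):
    """Split one record into a dict of fields plus a parsed 'ts'; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group(2).split():
        if "=" not in token:
            return None  # malformed token: treat the whole line as unparseable
        key, value = token.split("=", 1)
        fields[key] = value
    fields["ts"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return fields


def find_window(user, ts, windows=APPROVED_WINDOWS):
    """Return the approval window covering this user at this time, or None."""
    for w in windows:
        if w.user == user and w.start <= ts <= w.end:
            return w
    return None


def audit(log_text, windows=APPROVED_WINDOWS, required_proto="L2TP/IPsec"):
    """Return (timestamp, user, reason) for every successful logon that
    either has no approved window or used a weaker tunnel than required."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec.get("result") != "success":
            continue  # only successful logons grant access; failures are out of scope here
        user, ts = rec.get("user", "<missing>"), rec["ts"]
        if find_window(user, ts, windows) is None:
            findings.append((ts, user, "logon outside any approved support window"))
        proto = rec.get("proto")
        if proto != required_proto:
            findings.append((ts, user, f"protocol {proto} weaker than required {required_proto}"))
    return findings


if __name__ == "__main__":
    for ts, user, reason in audit(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user}: {reason}")
```

Run against the constructed log, the script flags the logon by support.schmidt before the agreed window, the PPTP logon inside it, and the logon by support.guest, for whom no window was approved; the failed logon at 22:47 is skipped because it granted no access. The check is deliberately strict about missing data: a record without a protocol field is reported rather than silently accepted.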

4.2.2 Support device

Defined Support PC
If the support employee is an internal company employee who has to access the system
regularly or, for example, the software manufacturer who has a maintenance contract with the
system operator, it is recommended that a system support PC is made available to the support
service provider for the support employee. The system operator installs this support PC as per
the internal company security policies, configures it for support dialup (IPsec, certificates,
user), installs the required programs and deploys the PC to the support service provider. After
successful VPN dial-up (either through the Internet or a direct connection), the support PC is
in a quarantine network and is checked by the quarantine functionality of the MS ISA server /
MS TMG (back firewall). A simple check is sufficient to determine that the settings have not
been changed and that they still conform to internal company security policies. After checking
has completed successfully, the support PC is granted access to the PCN and can provide
support on the PCN. Organizational measures (e.g. contractual conditions) must be
implemented to ensure that the support employee is informed that the support PC may only
be used for this defined task.

Any PC
If the support employee works with his/her own PC, i.e. a device that is completely unknown
to the system operator and which the system operator cannot configure, greater security
requirements must be applied to access. After successful VPN dial-up (either via the Internet
or a direct connection) the PC is in a quarantine network and is checked by the quarantine
functionality of MS ISA server / MS TMG (back firewall). A detailed test should be performed,
including a complete virus scan, installation of any missing security updates, activation of the
local firewall, etc. Once the PC has passed this test, remote access is granted to it either by
an engineering station located directly in the plant or one installed in the perimeter network for
this purpose.
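The two device classes above differ in how deep the quarantine check on the back firewall has to go: a defined support PC only needs a simple conformance check against the configuration the operator installed, whereas an unknown PC needs the detailed test (virus scan, missing security updates, local firewall) and is then confined to a remote session on an engineering station. The following code is an added example and not part of the Siemens manual, MS ISA Server or MS TMG: it models both check profiles over constructed posture reports whose field names, baseline identifier and signature-age threshold are assumptions for the example.

```python
"""Quarantine check profiles for support PCs.

Added example (not part of the Siemens manual).  Report fields, the
baseline identifier and the signature-age limit are assumptions.
"""
from datetime import date, timedelta

# Constructed posture reports as a support PC's quarantine agent might send them.
DEFINED_PC_REPORT = {
    "host": "SUPPORT-PC-01", "av_signature_date": "2016-11-02",
    "firewall_enabled": True, "missing_security_updates": 0,
    "full_scan_clean": None,  # not required for the simple check
    "config_baseline_hash": "baseline-2016-10",
}
ANY_PC_REPORT = {
    "host": "CONTRACTOR-LAPTOP", "av_signature_date": "2016-10-20",
    "firewall_enabled": False, "missing_security_updates": 3,
    "full_scan_clean": True, "config_baseline_hash": None,
}

EXPECTED_BASELINE = "baseline-2016-10"   # configuration state the operator installed (assumed)
MAX_SIGNATURE_AGE = timedelta(days=3)    # assumed operator policy
REFERENCE_DATE = date(2016, 11, 3)       # constructed "today" for the sample reports


def signature_is_current(report, today):
    """True only if the virus signature date is present, valid and recent."""
    raw = report.get("av_signature_date")
    if not raw:
        return False  # missing data counts as failed, never as passed
    try:
        sig_date = date.fromisoformat(raw)
    except ValueError:
        return False
    return today - sig_date <= MAX_SIGNATURE_AGE


def simple_check(report, today):
    """Defined support PC: settings still match the operator's baseline."""
    failures = []
    if report.get("config_baseline_hash") != EXPECTED_BASELINE:
        failures.append("configuration differs from operator baseline")
    if not signature_is_current(report, today):
        failures.append("virus signatures outdated")
    if not report.get("firewall_enabled"):
        failures.append("local firewall disabled")
    return failures


def detailed_check(report, today):
    """Any PC: full virus scan, no missing security updates, firewall on."""
    failures = []
    if not signature_is_current(report, today):
        failures.append("virus signatures outdated")
    if report.get("full_scan_clean") is not True:
        failures.append("complete virus scan not performed or not clean")
    if report.get("missing_security_updates") != 0:
        failures.append("security updates missing")
    if not report.get("firewall_enabled"):
        failures.append("local firewall disabled")
    return failures


def quarantine_decision(report, device_class, today):
    """Return ("granted", target) or ("denied", [reasons]).

    The target mirrors the concept: a defined PC may reach the PCN, an
    unknown PC only reaches an engineering station through a remote session."""
    if device_class == "defined":
        failures, target = simple_check(report, today), "PCN"
    elif device_class == "any":
        failures, target = detailed_check(report, today), "engineering station (remote session only)"
    else:
        raise ValueError(f"unknown device class {device_class!r}")
    return ("denied", failures) if failures else ("granted", target)


if __name__ == "__main__":
    print(quarantine_decision(DEFINED_PC_REPORT, "defined", REFERENCE_DATE))
    print(quarantine_decision(ANY_PC_REPORT, "any", REFERENCE_DATE))
```

With the constructed reports, the defined support PC passes the simple check and is granted the PCN, while the contractor laptop is denied on three counts (stale signatures, missing updates, firewall off). An empty report fails every item of the detailed check, which is the intended behaviour: a client that cannot prove its posture is treated as non-conforming rather than given the benefit of the doubt.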

4.2.3 Control System Network Access


Support access to the CSN may only be provided via a remote connection to an engineering
station that is connected to the CSN.
Either Remote Desktop or NetMeeting (in future, Windows Live Meeting) should be used for
the reasons mentioned above.

4.3 Choice of technology


The following decision trees are designed to help choose remote dialup technology to suit
requirements and the situation.

Support and Remote Dialup


Commissioning Manual, 11/2016, A5E39249952-AA 15
Dialup
4.3 Choice of technology

Support access to the Process Control Network

PCS 7 / WinCC support, Process Control Network only (decision tree; text recovered from the figure):
- Direct connection between devices, defined support PC belonging to the system operator: VPN dialup via PPTP with quarantine check. Access to the system via local ES installation.
- Direct connection between devices, any (non-specific) PC: VPN dialup via PPTP with comprehensive quarantine check. Access to an ES in the perimeter network or on the system via Remote Desktop or NetMeeting, without connection to the system bus.
- Internet, defined support PC belonging to the system operator: VPN dialup via L2TP with comprehensive quarantine check. Access to the system via local ES installation.
- Internet, any (non-specific) PC: VPN dialup via L2TP with comprehensive quarantine check. Access to an ES in the perimeter network or on the system via Remote Desktop or NetMeeting, without connection to the system bus.

Figure 4-1 Support access to the Process Control Network

Support access to the entire system

PCS 7 / WinCC support, complete including Control Network (decision tree; text recovered from the figure):
- Direct connection between devices, defined support PC belonging to the system operator: VPN dialup via PPTP with quarantine check. Access to an ES on the system via Remote Desktop or NetMeeting with connection to the system bus.
- Direct connection between devices, any (non-specific) PC: Not permitted.
- Internet, defined support PC belonging to the system operator: VPN dialup via L2TP with comprehensive quarantine check. Access to an ES on the system via Remote Desktop or NetMeeting with connection to the system bus.
- Internet, any (non-specific) PC: Not permitted.

Figure 4-2 Support access to the entire system

Non-administrative remote access to third-party programs

Non-administrative access to non-SIMATIC programs (decision tree; text recovered from the figure):
- Direct connection between devices, defined support PC belonging to the system operator: VPN dialup via PPTP with quarantine check. Access to programs via perimeter network terminal server or remote tools.
- Direct connection between devices, any (non-specific) PC: VPN dialup via PPTP with comprehensive quarantine check. Access to programs via perimeter network terminal server or remote clients.
- Internet, defined support PC belonging to the system operator: VPN dialup via L2TP with quarantine check. Access to programs via perimeter network terminal server or remote tools.
- Internet, any (non-specific) PC: VPN dialup via L2TP with comprehensive quarantine check. Access to programs via perimeter network terminal server or remote clients.

Figure 4-3 Non-administrative remote access to third-party programs

Administrative remote access to system programs

Administrative access to system programs (decision tree; text recovered from the figure):
- Direct connection between devices, defined support PC belonging to the system operator: VPN dialup via PPTP with comprehensive quarantine check. Access to the program via special remote tools (remote MMC).
- Direct connection between devices, any (non-specific) PC: Not permitted.
- Internet, defined support PC belonging to the system operator: VPN dialup via L2TP with comprehensive quarantine check. Access to the program via special remote tools (remote MMC).
- Internet, any (non-specific) PC: Not permitted.

Figure 4-4 Administrative remote access to system programs

Administrative remote access to the entire system

Administrative access to the entire system (decision tree; text recovered from the figure):
- Direct connection between devices, defined support PC belonging to the system operator: VPN dialup via PPTP with comprehensive quarantine check. Remote Desktop to the computer.
- Direct connection between devices, any (non-specific) PC: Not permitted.
- Internet, defined support PC belonging to the system operator: VPN dialup via L2TP with comprehensive quarantine check. Remote Desktop to the computer.
- Internet, any (non-specific) PC: Not permitted.

Figure 4-5 Administrative remote access to the entire system

Practical information 5
5.1 General information
If remote administration and support tools are used, it must be ensured that the programs are
activated in the local firewall of the computer to be serviced.

NetMeeting
Information on NetMeeting is available here:
http://support.microsoft.com/kb/878451/en

Remote support
The help wizard account (installed during a remote support session) is the primary account
used to set up a remote support session. This account is created automatically when you
initiate a remote support session and has limited access to the computer. The help wizard
account is managed by the service session manager for Remote Desktop help and is
automatically deleted if remote support is no longer required/has been completed.
You can find additional information on remote support here: http://go.microsoft.com/fwlink/?LinkId=38569

Remote Desktop Protocol


Please also refer to the section "Remote Service and Remote Operation" in the PCS 7 Readme
(online).

VNC
Please also refer to the section "Remote Service and Remote Operation" in the PCS 7 Readme
(online).

5.2 Siemens Remote Service (SRS)


SRS can be used as an alternative to an internal VPN solution or a direct connection between
devices. SRS can be used for all the scenarios described in the previous chapters that require
use of any (non-specific) support PC.
SRS is an external, central VPN solution. Only an SRS router is installed on the system, which
functions in the same way as an ISDN router in the aforementioned scenarios, or the existing
infrastructure is used to create a site-to-site coupling with the Siemens DMZ. A secure channel
between the dialup support PC and the SRS router is created on the system via a central
server center (DMZ). The advantage for the customer is that he/she relinquishes responsibility
for administration, maintenance and service, i.e. securing the channel, the type of encryption,
checking the dialup support PC and defining which users are permitted to dial up fall under
the responsibility of the SRS provider and are contractually agreed between the customer and
the SRS provider.
Furthermore, SRS also decides which tools may be used for plant support and, since all tools
are provided via the terminal server in the SRS server center, it ensures the timeliness and
reliability of these tools.
All tools recommended by PCS 7 & WinCC for remote access are supported by SRS.
For further information about cRSP, contact your sales partners and visit
https://support.industry.siemens.com/cs/ww/en/sc/2281.
The SRS solution is described in detail in a separate manual.
