Schneider Electric ConneXium Industrial Ethernet Firewall Installation Manual

ConneXium
TCSEFEC Industrial Firewall
Installation Manual
S1B64656 - 02/2012
Contents
About this Manual
Key
Safety instructions
1 Device description
1.1 General device description
1.2 Device versions
1.3 Description of the device variants
1.3.1 Device variants with 2 TX ports
1.3.2 Device variants with 1 TX port and 1 FX port
1.3.3 Device variants with 1 FX port and 1 TX port
2 Assembly and start-up
2.1 Safety instructions
2.2 Installing the device
2.2.1 Overview of installation
2.2.2 Unpacking and checking
2.2.3 Terminal block for supply voltage and signal contact
2.2.4 Connecting the terminal block, start-up procedure
2.2.5 Installing the device on the DIN rail, grounding
2.2.6 Connecting the data lines
2.2.7 Connection to the network
2.3 Display elements
2.4 Controls
2.5 Basic set-up
2.6 Configuration
2.6.1 Firewall and VPN functions
2.6.2 Operating modes
2.6.3 Start configuration
2.7 Maintenance
2.8 Disassembly
3 Technical data
About this Manual
Validity Note
The data and illustrations found in this book are not binding. We reserve the
right to modify our products in line with our policy of continuous product
development. The information in this document is subject to change without
notice and should not be construed as a commitment by Schneider Electric.
Product Related Information
Schneider Electric assumes no responsibility for any errors that may appear
in this document. If you have any suggestions for improvements or
amendments or have found errors in this publication, please notify us.
No part of this document may be reproduced in any form or by any means,
electronic or mechanical, including photocopying, without express written
permission of Schneider Electric.
All pertinent state, regional, and local safety regulations must be observed
when installing and using this product. For reasons of safety and to ensure
compliance with documented system data, only the manufacturer should
perform repairs to components.
When devices are used for applications with technical safety requirements,
please follow the relevant instructions.
Failure to use Schneider Electric software or approved software with our
hardware products may result in improper operating results.
Failure to observe this product related warning can result in injury or
equipment damage.
User Comments
We welcome your comments about this document. You can reach us by
e-mail at [email protected]
Related Documents
Title                                                                           Reference Number
ConneXium TCSEFEC Industrial Firewall Configuration User Manual                 S1B64663
ConneXium TCSEFEC Industrial Firewall Command Line Interface Reference Manual   S1B64695
ConneXium TCSEFEC Industrial Firewall Web-based Interface Reference Manual      S1B64648
ConneXium TCSEFEC Industrial Firewall Installation User Manual                  S1B64656
The “Configuration” user manual contains the information you need to start
operating the Industrial Firewall TCSEFEC. It takes you step by step from the
first startup operation through to the basic settings for operation in your
environment.
The “Command Line Interface” Reference Manual contains detailed
information on using the Command Line Interface to operate the individual
functions of the device.
The “Web-based Interface” reference manual contains detailed information
on using the Web interface to operate the individual functions of the device.
The “Installation” user manual contains a device description, safety
instructions, a description of the display, and the other information that you
need to install the device.
Key
The symbols used in this manual have the following meanings:
 Listing
 Work step
 Subheading
Safety instructions
 Important Information
Notice: Read these instructions carefully, and look at the equipment to
become familiar with the device before trying to install, operate, or
maintain it. The following special messages may appear throughout this
documentation or on the equipment to warn of potential hazards or to call
attention to information that clarifies or simplifies a procedure.
The addition of this symbol to a Danger or Warning safety label
indicates that an electrical hazard exists, which will result in
personal injury if the instructions are not followed.
This is the safety alert symbol. It is used to alert you to potential
personal injury hazards. Obey all safety messages that follow
this symbol to avoid possible injury or death.
DANGER
DANGER indicates an imminently hazardous situation which, if not
avoided, will result in death or serious injury.
WARNING
WARNING indicates a potentially hazardous situation which, if not avoided,
can result in death or serious injury.
CAUTION
CAUTION indicates a potentially hazardous situation which, if not avoided,
can result in minor or moderate injury.
PLEASE NOTE: Electrical equipment should be installed, operated,
serviced, and maintained only by qualified personnel.
No responsibility is assumed by Schneider Electric for any consequences
arising out of the use of this material.
© 2012 Schneider Electric. All Rights Reserved.
 Usage
The device may only be employed for the purposes described in the
catalog, technical description, and manuals.
 Password security note
This device is a security product. For your own security, change the
password during the first startup procedure.
 Supply voltage
For safety reasons the devices have been designed to operate at low
voltages. Thus, they may only be connected to the supply voltage
connections and to the signal contact with SELV circuits with the voltage
restrictions in accordance with IEC/EN 60950-1.
The supply voltage is electrically isolated from the housing.
 Relevant for North America:
The device may only be connected to a supply voltage of class 2 that
fulfills the requirements of the National Electrical Code, Table 11(b). If
the voltage is being supplied redundantly (two different voltage
sources), the combined supply voltages must fulfill the requirements of
the National Electrical Code, Table 11(b).
 Relevant for North America: For use in Class 2 circuits.
Only use copper wire/conductors of class 1, 140/167 °F (60/75 °C) or
167 °F (75 °C).
 Shielding ground
The shielding ground of the connectable twisted pair lines is connected
to the front panel as a conductor.
 Housing
DANGER
HAZARD OF ELECTRIC SHOCK
Never insert sharp objects (small screwdrivers, wires, etc.) into the inside of
the product.
Failure to follow these instructions will result in death, serious injury,
or equipment damage.
CAUTION
EQUIPMENT OVERHEATING
When installing the device, make sure any ventilation slots remain free.
Maintain a clearance of at least 10 cm (3.94 in).
Failure to follow these instructions can result in injury or equipment
damage.
Only technicians authorized by the manufacturer are permitted to open
the housing.
The lower panel of the device is grounded by means of the DIN rail and
optionally by means of the separate ground screw.
 Make sure that the electrical installation meets local or nationally
applicable safety regulations.
 The device must be installed in the vertical position (see fig. 6).
 If installed in a living area or office environment, the device must be
operated exclusively in switch cabinets with fire protection
characteristics according to EN 60950-1.
 Environment
The device may only be operated at the specified surrounding air
temperature (temperature of the surrounding air at a distance of up to 5
cm (1.97 in) from the device) and relative air humidity specified in the
technical data.
 Install the device in a location where the climatic threshold values
specified in the technical data will be observed.
 Use the device only in an environment within the pollution degree
specified in the technical data.
 General safety instructions
Electricity is used to operate this equipment. Comply with every detail of
the safety requirements specified in the operating instructions regarding
the voltages to apply (see page 6).
 Only appropriately qualified personnel should work on this device or in
its vicinity. These personnel must be thoroughly familiar with the
hazard messages and maintenance procedures in accordance with
this operating manual.
 The proper and safe operation of this device depends on proper
handling during transport, proper storage and assembly, and
conscientious operation and maintenance procedures.
 Never start operation with damaged components.
 Only use the devices in accordance with this manual. In particular,
observe the hazard messages and safety-related information.
 Any work that may be required on the electrical installation may only
be carried out by personnel trained for this purpose.
Note: LED or LASER components in compliance with IEC 60825-1
(2007):
CLASS 1 LASER PRODUCT
CLASS 1 LED PRODUCT
Light is emitted from the optical connections or from the ends of the
connected optical fibers that are connected to the optical connections.
LIGHT EMITTING DIODE CLASS 2 M, wave length 650 nm, power
<2 mW in accordance with DIN EN 60825-1:2003-10.
LIGHT EMITTING DIODE CLASS 1 - CLASS 1 LED PRODUCT
WARNING
EYE DAMAGE DUE TO LASER LIGHT
Do not look into the beam or view the beam directly with optical instruments
(magnifying glasses, microscope) at a distance of less than 100 mm
(3.94 in).
Failure to follow these instructions can result in death, serious injury,
or equipment damage.
 National and international safety regulations
 Make sure that the electrical installation meets local or nationally
applicable safety regulations.
 CE marking
The devices comply with the regulations contained in the following
European directive(s):
2004/108/EC
Directive of the European Parliament and the council for standardizing
the regulations of member states with regard to electromagnetic
compatibility.
In accordance with the above-named EU directive(s), the EU conformity
declaration will be at the disposal of the relevant authorities at the
following address:
Schneider Electric
35 rue Joseph Monier
CS30323
92506 Rueil-Malmaison-France
The product can be used in the industrial sector.
 Interference immunity: EN 61000-6-2:2005
 Emitted interference: EN 55022:2010
 FCC note:
This device complies with part 15 of FCC rules. Operation is subject to the
following two conditions: (1) This device may not cause harmful
interference; (2) this device must accept any interference received,
including interference that may cause undesired operation.
Appropriate testing has established that this device fulfills the
requirements of a class A digital device in line with part 15 of the FCC
regulations.
These requirements are designed to provide sufficient protection against
interference when the device is being used in a business environment.
The device creates and uses high frequencies and can radiate same, and
if it is not installed and used in accordance with this operating manual, it
can cause radio transmission interference. The use of this device in a
living area can also cause interference, and in this case the user is
obliged to cover the costs of removing the interference.
1 Device description
1.1 General device description
The industrial Firewall/VPN system
 TCSEFEC23F3F20
 TCSEFEC23FCF20
 TCSEFEC2CF3F20
subsequently referred to as TCSEFEC, helps provide for the authentication,
security and confidentiality of communication within production networks,
and also beyond company boundaries.
The TCSEFEC has the following interfaces:
 depending on the type, up to two 10/100 Mbit/s twisted pair (TP/TX) ports
(RJ45 socket) and/or
 depending on the type, up to one 100 Mbit/s FX port (multimode) with
DSC connection and
 additionally a V.24 input for external management or a modem connection
and
 a USB interface.
The TCSEFEC supports the following network modes:
 Transparent Mode
 Router Mode
 PPPoE Mode
The Industrial Firewall is used everywhere that security-sensitive network
cells require a connection from the internal network into an external network.
The Industrial Firewall is the link between the internal network and the
external network from which unauthorized accesses are to be expected. In
its function as a link, the Industrial Firewall helps protect the internal network
from undesired data traffic along the connection to the external network.
Typical uses are:
 Helping protect individual production cells in a flat company network
 Helping protect individual production cells in a routed company network
 Coupling identical production cells to a company network
 Connecting a production cell with the office network via a public network
 Helping provide protected service access
 Separation of machine common parts
Figure 1: Overview of interfaces, display and operating elements on the TCSEFEC
1 - 6-pin terminal block, pluggable
2 - LED display elements
3 - Reset button
4 - IP address field
5 - Port 1: Depending on device model,
TX (RJ45 connector) and/or FX (DSC connector)
6 - USB connection
7 - Port 2: Depending on device model,
TX (RJ45 connector) and/or FX (DSC connector)
8 - MAC address field
9 - V.24 interface: external management and modem
10 - Grounding screw
The devices are designed for the special requirements of industrial
automation. They meet the relevant industry standards, provide high
operational reliability, even under extreme conditions, and also long-term
reliability and flexibility. The devices operate without fans and have a
redundant voltage supply. The devices are quickly mounted by snapping
them onto a DIN rail, which also automatically contacts the function ground.
The devices provide you with the following features:
 Firewall (FW)
 Virtual Private Network (VPN) functions
 ARP Limiter
 Redundancy support
 TCSEAM0100 adapter support
 Management: HTTPS, SNMPv1, SNMPv2, SNMPv3, SSH, V.24
 Redundant power supply
 Temperature range: +32 °F to +140 °F (0 °C to +60 °C), without fan
 Housing: mountable on DIN rail, IP20
1.2 Device versions
Part Number      Part Number          Description
2 Port Version   TCSEFEC23F3F20       2 10/100 TX Managed
                 TCSEFEC23FCF20       1 10/100 TX Managed, 1 100 FX-MM Managed
                 TCSEFEC2CF3F20       1 100 FX-MM Managed, 1 10/100 TX Managed
Accessories      TCSEAM0100-Adapter   Memory Back-up Adapter
                 490NTRJ11-Cable      Terminal cable
1.3 Description of the device variants
These devices can be managed. They have the following properties:
 Voltage range: 12 to 48 V DC or 24 V AC
 Temperature range: +32 °F to +140 °F (0 °C to +60 °C)
The device conforms to the specifications of standard
 ISO/IEC 8802-3u 100BASE-TX
 ISO/IEC 8802-3 100BASE-FX
The device contains the function units, such as: Firewall/VPN function,
Management function, voltage connection, management connection (V.24),
operation element (reset button).
 Interfaces
Device           Port 1 (internal)   Port 2 (external)
                 TX     MM           TX     MM
TCSEFEC23F3F20   X      -            X      -
TCSEFEC23FCF20   X      -            -      X
TCSEFEC2CF3F20   -      X            X      -
Table 1: Interfaces of the TCSEFEC types
TX = Twisted pair 100BASE-TX
MM = F/O multimode 100BASE-FX
1.3.1 Device variants with 2 TX ports
Figure 2: Interfaces of the TCSEFEC23F3F20
1 - Port 1 (internal port): 100BASE-TX, RJ45 connector,
Autonegotiation, autopolarity, autocrossing
2 - Port 2 (external port): 100BASE-TX, RJ45 connector,
Autonegotiation, autopolarity, autocrossing
1.3.2 Device variants with 1 TX port and 1 FX port
Figure 3: Interfaces of the TCSEFEC23FCF20
1 - Port 1 (internal port): 100BASE-TX, RJ45 connector,
Autonegotiation, autopolarity, autocrossing
2 - Port 2 (external port): 100BASE-FX, DSC connector,
Multimode
1.3.3 Device variants with 1 FX port and 1 TX port
Figure 4: Interfaces of the TCSEFEC2CF3F20
1 - Port 1 (internal port): 100BASE-FX, DSC connector, Multimode
2 - Port 2 (external port): 100BASE-TX, RJ45 connector,
Autonegotiation, autopolarity, autocrossing
2 Assembly and start-up
2.1 Safety instructions
 Staff qualification requirements
Only appropriately qualified staff should work on or near this equipment.
Such staff must be thoroughly acquainted with all the hazard messages
and maintenance measures contained in these operating instructions.
The proper and safe operation of this equipment assumes proper
transport, appropriate storage and assembly, and careful operation and
maintenance.
Qualified staff are persons familiar with setting up, assembling,
installation, starting up, and operating this product, and who have
appropriate qualifications to cover their activities, such as:
 knowledge of how to switch circuits and equipment/systems on and
off, ground them, and identify them in accordance with current safety
standards
 training or instruction in accordance with current safety standards of
using and maintaining appropriate safety equipment
 first aid training
 Recycling note
After usage, this product must be disposed of properly as electronic
waste, in accordance with the current disposal regulations of your county,
state and country.
2.2 Installing the device
Before installing and starting up the device, note the safety instructions (see
page 5 onwards).
2.2.1 Overview of installation
Two or more devices configured with the same IP address can cause
unpredictable operation of your network.
WARNING
UNINTENDED EQUIPMENT OPERATION
Establish and maintain a process for assigning unique IP addresses to all
devices on the network.
Failure to follow these instructions can result in death, serious injury,
or equipment damage.
The devices have been developed for practical application in a harsh
industrial environment.
On delivery, the device is ready for operation.
The following steps should be performed to install and configure a
ConneXium Industrial Firewall product:
 Unpacking and checking
 Connect the terminal block for voltage supply and signal
contact and connect the supply voltage
 Install the terminal block, start-up procedure
 Install the device on the DIN rail, grounding
 Connect the data lines
2.2.2 Unpacking and checking
 Check that the contents of the package are complete (see page 31
“Scope of delivery”).
 Check the individual parts for transport damage.
2.2.3 Terminal block for supply voltage and signal contact
The supply voltage and the signal contact are connected via a 6-pin terminal
block with a snap lock.
 Supply voltage
DANGER
HAZARD OF ELECTRIC SHOCK OR BURN
When the module is operated with direct plug-in power units, use only:
– SELV supply units that comply with IEC 60950/EN 60950 and
– (in USA and Canada) Class 2 power units that comply with applicable
national or regional electrical codes
Connect the ground wire to the PE terminal (where applicable) before you
establish any further connections. When you remove connections,
disconnect the ground wire last.
Failure to follow these instructions will result in death, serious injury,
or equipment damage.
Redundant power supplies can be used. Both inputs are uncoupled.
There is no distributed load. With redundant supply, the power supply unit
supplies the device only with the higher output voltage. The supply
voltage is electrically isolated from the housing.
You can choose between DC or AC voltage when connecting the supply
voltage (fig. 5).
Note: With non-redundant supply of the main voltage, the device reports
a loss of power. You can avert this message by applying the supply
voltage via both inputs, or by changing the configuration in the
Management.
Figure 5: Pin assignment of the 6-pin terminal block
 Signal contacts
 The signal contact (“FAULT”, for pin assignment see fig. 5) is used for
the remote monitoring of the device to enable remote diagnostics. You
can specify the type of function monitoring in the Management.
 You can also use the Management to set the signal contact manually
and thus control external devices.
A break in contact is used to report the following conditions via the
potential-free signal contact (relay contact, closed circuit):
 The detected inoperability of at least one of the two voltage supplies
(voltage supply 1 or 2 is below the threshold value).
 A continuous detected error in the device (internal supply voltage).
 The detected error of the link status of at least one port. The report of
the link status can be masked by the Management for each port. In the
default state, link status monitoring is deactivated.
 The temperature of the device is outside the range specified in the
threshold values.
 The removal of the TCSEAM0100 adapter.
A break in contact is used to report the following via the potential-free
signal contact (relay contact, closed circuit):
 a continuous detected error in the device (internal supply voltage)
2.2.4 Connecting the terminal block, start-up procedure
 Pull the terminal block off the device and connect the voltage supply lines
and the signal lines.
 Startup procedure
 Mount the terminal block for the voltage supply and signal contact on
the front of the device by snapping the lock into place.
Connecting the voltage supply via the terminal block starts the operation
of the device.
2.2.5 Installing the device on the DIN rail, grounding
 Mount the device on a 35 mm DIN rail in accordance with DIN EN 60175.
 Attach the upper snap-in guide of the device into the DIN rail and press it
down against the DIN rail until it snaps into place.
Note: The shielding ground of the industrial connectable twisted pair lines is
connected to the lower panel as a conductor.
Figure 6: Mounting on the DIN rail
 Grounding
The lower panel of the device housing is grounded by means of the DIN
rail and optionally by means of the separate ground screw. (see fig. 1).
2.2.6 Connecting the data lines
 10/100 Mbit/s twisted pair connection
These connections are RJ45 sockets.
10/100 Mbit/s TP ports enable the connection of terminal devices or
independent network segments according to the IEEE 802.3 10BASE-T/
100BASE-TX standard.
These ports support:
 Autonegotiation
 Autopolarity
 Autocrossing (if autonegotiation is activated)
 100 Mbit/s half-duplex mode, 100 Mbit/s full duplex mode
 10 Mbit/s half-duplex mode, 10 Mbit/s full duplex mode
State on delivery: autonegotiation activated.
The socket housing is electrically connected to the bottom panel.
Pin       Function
1+2       One line pair: receiver path
3+6       One line pair: sender path
4,5,7,8   Not used
Table 2: Pin assignment of a TP/TX interface in MDI-X mode, RJ45 socket
 100 Mbit/s F/O connection
These connections are DSC connectors.
100 MBit/s F/O ports enable the connection of terminal devices or
independent network segments in compliance with the IEEE 802.3
100BASE-FX standard.
These ports support:
 Full or half duplex mode
State on delivery: full duplex FDX
Note: LED or LASER components in compliance with IEC 60825-1
(2007):
CLASS 1 LASER PRODUCT
CLASS 1 LED PRODUCT
Light is emitted from the optical connections or from the ends of the
connected optical fibers that are connected to the optical connections.
LIGHT EMITTING DIODE CLASS 2 M, wave length 650 nm, power
<2 mW in accordance with DIN EN 60825-1:2003-10.
LIGHT EMITTING DIODE CLASS 1 - CLASS 1 LED PRODUCT
WARNING
EYE DAMAGE DUE TO LASER LIGHT
Do not look into the beam or view the beam directly with optical instruments
(magnifying glasses, microscope) at a distance of less than 100 mm
(3.94 in).
Failure to follow these instructions can result in death, serious injury,
or equipment damage.
2.2.7 Connection to the network
 Connect the device via the INTERNAL port to the internal network or the
local computer that you want to help protect.
 Connect the device via the EXTERNAL port to the external network, e.g.
the Internet. This network is used to set up the connections to the external
device or external network.
2.3 Display elements
After the operating voltage is applied, the software starts and initializes itself.
Afterwards, the device performs a self-test. During these actions, the
STATUS LED flashes. The process takes around 40 seconds.
 Device state
These LEDs provide information about conditions which affect the
operation of the whole device.
PWR1 - Power 1 (green LED)
  Glowing green: Supply voltage 1 is present
  Not glowing: Supply voltage 1 is too low
PWR2 - Power 2 (green LED)
  Glowing green: Supply voltage 2 is present
  Not glowing: Supply voltage 2 is too low
FAULT - detected error, signal contact (red LED) (a)
  Glowing red: The signal contact is open, i.e. it is reporting a detected error.
  Not glowing: The signal contact is closed, i.e. it is not reporting a detected error.
  (a) If the manual adjustment is active on the “FAULT” signal contact, then the detected error
  display is independent of the setting of the signal contact.
STATUS (green/yellow LED)
  Flashing green: Initialization phase of the device.
  Glowing green: Device is ready for operation.
  Slowly flashing yellow: The device is in Router Redundancy Backup Mode.
  Glowing yellow: The device is operating in the Router Redundancy Master
  Mode and there is no communication with the backup device.
  Flashing alternately green and yellow (1 change per second): The VPN status
  indication is switched on and at least 1 VPN connection is active. The flashing
  of the STATUS LED as an indication of EAM loading or EAM saving operations
  takes precedence over the flashing as an indication of VPN connections.
STATUS and V.24 - saving processes of the Memory Backup Adapter (EAM)
  Flashing alternately: Detected error during saving process.
  LEDs flash synchronously, two times a second: Loading configuration from the EAM.
  LEDs flash synchronously, once a second: Saving the configuration in the EAM.
 Port state
These LEDs display port-related information.
LNK/ACT, V.24 - data, link status (green/yellow LEDs)
  Not glowing: No valid connection.
  Glowing green: Valid connection.
  Flashing green (3 times a period): Port is switched off.
  Flashing yellow: Data reception.
2.4 Controls
The TCSEFEC has a Reset button (see fig. 1).
 Reset button R (restart)
The reset button is used to restart the device.
 To perform the restart, press the reset button for longer than 1.5
seconds until the STATUS LED goes dark and the FAULT LED lights
up red.
Note: The system monitor is used to flash the software. You will find a
more detailed description of how to perform this action in the
“Configuration” user manual of the TCSEFEC.
2.5 Basic set-up
Enter the IP parameters when you install the device for the first time. The
device provides multiple options for configuring IP addresses:
 Entry via V.24 connection
 Entry via the Ethernet Switch Configurator protocol via the application
Ethernet Switch Configurator
 Memory Backup Adapter
 Web Interface
Further information on the basic settings of the device can be found in the
“Configuration” user manual.
 Default settings
 IP address: DHCP default setting off
 Management password:
user, password: public (read only)
admin, password: private (read and write)
 V.24 data rate: 9,600 Baud
 Ethernet ports: link status is not evaluated (signal contact)
 Optical 100 Mbit/s ports: 100 Mbit/s full duplex
Other ports: autonegotiation
 USB interface
The USB socket has an interface for the local connection of a Memory
Backup Adapter TCSEAM0100 or another approved USB storage device.
It is used for saving and loading the configuration and for updating the
software.
Contact number   Signal name
1                VCC
2                - Data
3                + Data
4                Ground
 V.24 interface (external management)
A serial interface is provided on the RJ11 socket (V.24 interface) for the
local connection of an external management station (VT100 terminal or
PC with corresponding terminal emulation). This enables you to set up a
connection to the Command Line Interface (CLI) and to the system
monitor.
VT 100 terminal settings
Speed       9,600 Baud
Data        8 bit
Stopbit     1 bit
Handshake   off
Parity      none
The socket housing is electrically connected to the housing of the device.
Figure 7: Pin assignment of the V.24 interface and the DB9 connector
(RJ11 pins 1 to 6: CTS, n.c., TX, GND, RX, RTS; DB9 pins shown: 2, 3, 5)
Note: You will find the order number for the terminal cable, which is
ordered separately, in the Technical Data chapter (see page 29,
“Technical data”).
2.6 Configuration
2.6.1 Firewall and VPN functions
 Firewall functions
The TCSEFEC supports the following firewall functions:
 Stateful Inspection Firewall
 Transparent Firewall
 Configurable Firewall rules:
 Incoming/outgoing data traffic
 Modem access
 External Management access
 IP Masquerading, 1-to-1 NAT, Port Forwarding
 IP Spoofing Protection
 VPN functions
The TCSEFEC supports the following Virtual Private Network (VPN)
functions:
 Multipoint VPN: Router Mode
 VPN protocols: IPsec
 Encryption algorithms:
 DES-56
 3DES-168
 AES-128, AES-192, AES-256
 Authentication:
 Pre-shared key (PSK)
 X.509v3 certificates
 Hashing algorithms: MD5, SHA-1
 NAT-T support
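The VPN options listed above differ widely in strength, so a planned tunnel configuration is worth checking before it is entered on the device. The following Python script is an added example, not part of the manual or of any Schneider Electric software: it checks planned IPsec profiles against the listed options, reports anything the list does not contain, and flags the weaker listed choices. The INI layout, the profile names and the severity remarks are assumptions made for the example.

```python
import configparser

# Options the manual lists for the TCSEFEC. The severity and remark attached
# to each one are general cryptographic guidance added for this example, not
# statements from the manual. None means "no finding".
LISTED = {
    "encryption": {
        "DES-56": ("high", "56-bit key can be brute-forced"),
        "3DES-168": ("medium", "legacy 64-bit block cipher, prefer AES"),
        "AES-128": None,
        "AES-192": None,
        "AES-256": None,
    },
    "hash": {
        "MD5": ("high", "deprecated, prefer SHA-1 (the stronger hash listed)"),
        "SHA-1": None,
    },
    "auth": {
        "PSK": ("low", "shared secret: use a long random key, unique per tunnel"),
        "X.509v3": None,
    },
}

# Constructed sample profiles (hypothetical INI layout, not device syntax).
SAMPLE_PROFILES = """
[cell1-to-office]
encryption = AES-256
hash = SHA-1
auth = X.509v3

[legacy-plc-link]
encryption = DES-56
hash = md5
auth = PSK

[service-access]
encryption = aes128
hash = SHA-256
auth = PSK
"""


def _canon(name):
    """Compare option names case-insensitively, ignoring '-', '.', '_' and spaces."""
    return "".join(ch for ch in name.upper() if ch.isalnum())


def audit_profiles(text):
    """Return (profile, field, severity, message) tuples for every finding."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    findings = []
    for profile in parser.sections():
        for field, options in LISTED.items():
            raw = parser[profile].get(field)
            if raw is None:
                findings.append((profile, field, "high", "setting is missing"))
                continue
            listed = next((o for o in options if _canon(o) == _canon(raw)), None)
            if listed is None:
                # Planned value cannot be configured according to the list above.
                findings.append(
                    (profile, field, "high", f"{raw} is not an option the manual lists")
                )
            elif options[listed] is not None:
                severity, remark = options[listed]
                findings.append((profile, field, severity, f"{listed}: {remark}"))
    return findings


if __name__ == "__main__":
    for finding in audit_profiles(SAMPLE_PROFILES):
        print("%-16s %-11s %-7s %s" % finding)
```
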
2.6.2 Operating modes
This device helps protect the internal network from the influences of the
external network. These influences can include unauthorized access
attempts, as well as interfering network events such as overloads.
 State on delivery
On delivery, the device works in the Transparent Mode. In this mode, no
network settings (e.g., for subnetworks) are required for operation.
The firewall has been preconfigured so that IP data traffic from the
internal network is possible; however, traffic from the external network to
the internal network is not possible. Thus, even the state on delivery helps
protect against unauthorized access from the external network.
 Transparent Mode
The Transparent Mode is a transparent bridge mode. In this mode, the
device works as a 2-port bridge, whereby only IP and ARP frames
corresponding to the firewall rules are transmitted.
In the state on delivery, you can access the device via address
192.168.1.1/24 without configuring the IP address.
 Router Mode
In Router Mode, the device works as a 2-port router. You will find a
detailed description of the IP configuration in the “Configuration” user
manual of the TCSEFEC.
Note: In the Router and Transparent modes, the V.24 interface of the
TCSEFEC provides an additional network access option to the internal
network, via PPP. In this case, communication is possible with
the TCSEFEC itself or with the devices in the internal network (according
to the firewall rules for the modem connection).
■ PPPoE Mode
In PPPoE Mode, the TCSEFEC works as in Router Mode, with the
difference that the PPPoE protocol is used at the external port. This
enables Internet connections via a DSL modem, for example.
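The state-on-delivery policy described above for Transparent Mode can be modelled as a small stateful bridge. This is an added illustration, not Schneider Electric code or the device's implementation: the class and function names and the sample addresses are constructed, and it assumes that ARP is bridged in both directions and that replies to flows opened from the internal port are let through.

```python
from dataclasses import dataclass

ETH_IPV4, ETH_ARP, ETH_LLDP = 0x0800, 0x0806, 0x88CC
INTERNAL, EXTERNAL = "internal", "external"

@dataclass(frozen=True)
class Frame:
    ethertype: int
    src: str = ""
    sport: int = 0
    dst: str = ""
    dport: int = 0
    proto: str = "tcp"

class DeliveryStateBridge:
    """Toy model of the Transparent Mode policy in the state on delivery."""

    def __init__(self):
        self.flows = set()  # flows opened from the internal port

    def forward(self, frame, ingress):
        if frame.ethertype == ETH_ARP:
            return True  # assumption: ARP is bridged in both directions
        if frame.ethertype != ETH_IPV4:
            return False  # frames that are neither IP nor ARP are not bridged
        if ingress == INTERNAL:
            # Internal hosts may open flows; remember them for reply matching.
            self.flows.add((frame.proto, frame.src, frame.sport, frame.dst, frame.dport))
            return True
        # External frames pass only as the exact reverse of a recorded flow.
        return (frame.proto, frame.dst, frame.dport, frame.src, frame.sport) in self.flows

def run_sample():
    """Replay constructed frames and return the forwarding decisions."""
    plc, hmi = "192.168.1.10", "192.168.1.50"  # constructed addresses
    fw = DeliveryStateBridge()
    frames = [
        (Frame(ETH_ARP), EXTERNAL),                         # address resolution
        (Frame(ETH_IPV4, plc, 40000, hmi, 443), INTERNAL),  # internal opens a flow
        (Frame(ETH_IPV4, hmi, 443, plc, 40000), EXTERNAL),  # matching reply
        (Frame(ETH_IPV4, hmi, 443, plc, 40001), EXTERNAL),  # wrong port, no state
        (Frame(ETH_IPV4, hmi, 51000, plc, 502), EXTERNAL),  # unsolicited inbound
        (Frame(ETH_LLDP), INTERNAL),                        # neither IP nor ARP
    ]
    return [fw.forward(f, side) for f, side in frames]

if __name__ == "__main__":
    print(run_sample())
```

Only the ARP frame, the internally opened flow and its exact reply are forwarded; every other constructed frame is dropped.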
2.6.3 Start configuration
To access the TCSEFEC, proceed as follows (device in state on delivery):
• Install the required Java plug-in on your computer.
  You will find information about the plug-in and its installation in the
  Configuration user manual.
• Start an HTTPS-capable Web browser on the computer connected to the
  internal port (e.g. Mozilla Firefox from version 1.5 on, or Microsoft Internet
  Explorer from version 6 on) in order to configure the TCSEFEC.
• Connect the external port to your network.
• Enter the following address in the Web browser:
  https://192.168.1.1/
  Result: The HTTPS connection to the TCSEFEC is set up. A security
  message is displayed.
• Confirm the security message with “Yes”.
• To log in, enter:
  – Login: admin
  – Password: private
  (case-sensitive!)
  Result: The Administrator website of the TCSEFEC is displayed.
• Configure the device in accordance with the Configuration user manual.
Alternatively, you can perform the IP configuration for the Transparent Mode
using the Ethernet Switch Configurator protocol. You will find the Ethernet
Switch Configurator software on the CD-ROM included in the delivery.
Note: If the configuration connection to the TCSEFEC cannot be set up, you
will find detailed information in the “Configuration User Manual - Industrial
Firewall TCSEFEC”.
Figure 8: Configuration before the installation of the TCSEFEC
Figure 9: Configuration after the installation of the TCSEFEC
2.7 Maintenance
Depending on the degree of pollution in the operating environment, check at
regular intervals that the ventilation slots in the device are not obstructed.
Operate this device according to the specifications (see “Technical data”).
2.8 Disassembly
■ Removing the device from the DIN rail
• To remove the device from the DIN rail, insert the screwdriver
  horizontally under the chassis in the locking slide, pull this down –
  without tilting the screwdriver – and lift the device upwards.
Figure 10: Removing the device from the DIN rail
3 Technical data
■ General technical data
Dimensions W×H×D
  TCSEFEC...: 2.36 in. × 5.71 in. × 4.92 in. (60 mm × 145 mm × 125 mm)
Weight
  TCSEFEC...: 21.16 oz - 22.22 oz (depending on variant) (600 g - 630 g)
Power supply
  Redundant power supply
  Safety extra-low voltage (SELV), redundant inputs disconnected.
  Relevant for North America: NEC Class 2 power source max. 5A.
Operating voltage
  Rated voltage range DC: 12 to 48 V DC
  Max. voltage range DC: min. 9.6 to max. 60 V DC
  Rated voltage range AC: 24 V AC
  Max. voltage range AC: min. 18 to max. 30 V AC
Overload current protection at input
  Non-replaceable fuse
Insulation voltage between operating voltage connections and housing
  800 V DC
  Protective elements limit the insulation voltage to 90 V DC (1mA)
“FAULT” signal contact
  Switching current: max. 1 A, SELV
  Switching voltage: max. 60 V DC or max. 30 V AC, SELV
  Relevant for North America: NEC Class 2
Environment
  Storage temperature (ambient air): −40 °F ... +158 °F (−40 °C ... +70 °C)
  Humidity: 10% ... 95% (non-condensing)
  Air pressure: Up to 2000 m (795 hPa), higher altitudes on request
Operating temperature
  Surrounding air: +32 °F ... +140 °F (0 °C ... +60 °C)
Protection classes
  Laser protection: Class 1 according to EN 60825-1 (2007)
  Protection class: IP 20
Mounting
  35 mm DIN rail (DIN EN 60175)
Pollution degree
  2
■ EMC and immunity
EMC interference immunity
  EN 61000-4-2  Electrostatic discharge
    Contact discharge: 4 kV
    Air discharge: 8 kV
  EN 61000-4-3  Electromagnetic field
    80 - 2,700 MHz: 10 V/m
  EN 61000-4-4  Fast transients (burst)
    Power line: 2 kV
    Data line: 1 kV
  EN 61000-4-5  Voltage surges
    Power line, line/line: 0.5 kV
    Power line, line/earth: 1 kV
    Data line: 1 kV
  EN 61000-4-6  Line-conducted interference voltages
    150 kHz - 80 MHz: 10 V
  EN 61000-4-9  Impulse-shaped magnetic fields: -
EMC emitted interference
  EN 55022: Class A
  FCC 47 CFR Part 15: Class A
  Germanischer Lloyd: Classification and Construction Guidelines VI-7-3 Part 1
Stability
  Vibration
    IEC 60068-2-6 Test FC test level according to IEC 61131-2
    Germanischer Lloyd Guidelines for the Performance of Type Tests Part 1
    IEC 870-2-2 table 3 normal, requirements according to EN61850-3
    EN 61373, Category 1, Class A (broadband noise), requirements according to EN 50155
  Shock
    IEC 60068-2-27 Test Ea test level according to IEC 61131-2
    IEC 870-2-2 table 3 normal, requirements according to EN61850-3
    EN 61373, Category 1, Class A, requirements according to EN 50155
Yes
Yes
-
Yes
-
Yes
-
■ Network range
TP port
  Length of a twisted pair segment: max. 100 m
Table 3: TP port 10BASE-T / 100BASE-TX
Ports  Wavelength  Fiber        System attenuation  Extent (a)  Fiber attenuation  BLP/dispersion
MM     1300 nm     50/125 µm    0-8 dB              0-5 km      1.0 dB/km          800 MHz*km
MM     1300 nm     62.5/125 µm  0-11 dB             0-4 km      1.0 dB/km          500 MHz*km
Table 4: LWL port 100BASE-FX
a. including 3 dB system reserve when compliance with the fiber data is observed
MM = Multimode
■ Power consumption/power output
Device variant      Power consumption  Power output     Power consumption  Power output
                    at 24 V DC         at 24 V DC       at 24 V AC         at 24 V AC
...TX/TX            6.9 W              23.5 Btu (IT)/h  7.2 W              24.6 Btu (IT)/h
...TX/MM, ...MM/TX  8.1 W              27.6 Btu (IT)/h  8.1 W              27.6 Btu (IT)/h
■ Interfaces
TCSEFEC ...
  V.24 port: external management, modem
  Terminal block, 6-pin: signal contact, max. 1 A, 24 V, and voltage supply
  USB interface: TCSEAM0100-Adapter
Additionally 2 type-dependent ports each
  Up to two 10/100 Mbit/s twisted pair (TP/TX) ports with RJ45
  sockets and/or one 100 Mbit/s FX port (multimode) with DSC connection
■ Scope of delivery
• TCSEFEC device
• Terminal block, 6-pin (connection: power supply, signal contact)
• CD-ROM with installation manual
■ Order numbers/product description
2 Port Version
  Part Number         Description
  TCSEFEC23F3F20      2 10/100 TX Managed
  TCSEFEC23FCF20      1 10/100 TX Managed, 1 100 FX-MM Managed
  TCSEFEC2CF3F20      1 100 FX-MM Managed, 1 10/100 TX Managed
Accessories
  Part Number         Description
  TCSEAM0100-Adapter  Memory Back-up Adapter
  490NTRJ11-Cable     Terminal cable
■ Underlying norms and standards
Name
EN 61000-6-2:2005                    Generic norm – immunity in industrial environments
EN 55022:2010                        IT equipment – radio interference characteristics
EN 60950-1:2006 + A11:2009 + A1:2010 Safety for the installation of IT equipment
EN 61131-2:2008                      Programmable logic controllers
EN 50121-4:2000                      Railway applications - EMC - emitted interference and
                                     interference immunity for signal and telecommunication systems
FCC 47 CFR Part 15:2009              Code of Federal Regulations
German Lloyd                         Classification and Construction Guidelines VI-7-3 Part 1 Ed.2003
cUL 508:1998                         Safety for Industrial Control Equipment
EN 60079-15                          Electrical equipment for explosive gas atmospheres – part 15:
                                     Construction, testing and marking of protection type "n" electrical
                                     apparatus.
EN 50155                             Declaration (Railways)
IEC/EN 61850-3                       Communications networks and systems in stations
IEEE 1613                            Standard Environment and Testing Requirements for
                                     Communication Networking Devices in Electric Power
                                     Substations
Table 5: List of norms and standards
IEEE 802.1AB                         Topology Discovery (LLDP)
IEEE 802.3-2002                      Ethernet
IEEE 802.3ac                         VLAN Tagging
Table 6: List of IEEE norms
The device has a certification based on a specific standard only if the
certification indicator appears on the housing.