W&T 55211, Manual

Page 1: ...Manual Startup and application Microwall Valid for the following models 55211 Microwall VPN Firmware 1 30 or higher 55212 Microwall IO Firmware 1 10 or higher Release 1 06 006 2022 W T w w w Wu T d e ...

Page 2: ...as possible Only carry out work on or with W T products if you are de scribed here and have read and understood the instructions completely Unauthorized action can cause dangers We are not liable for the consequences of arbitrary action In case of doubt please ask us or your dealer again This device contains software components that are licensed under one or more open source licenses For more info...

Page 3: ... a higher level local network Parallel to this secure remote access to the participants of the island network can take place via the Wireguard VPN as a client or server Suitable filter rules at TCP IP level protect all networks from unauthorized undesired and harmful communication The Microwall IO has 2 digital inputs and 2 digital outputs which allow the control of router firewall functions and t...

Page 4: ...p via the default IP address 26 3 4 Initial web page 27 4 Web based management 31 4 1 Start and navigation concept of the WBM 32 4 2 Login Logout 33 4 3 Help and description texts 34 5 DHCP server Discover assistant 35 5 1 DHCP server 36 5 2 Discover assistant 38 6 Operating modes and rule configuration 39 6 1 Mode NAT router 40 6 2 Mode Standard router 42 6 3 Mode Standard router with static NAT ...

Page 5: ...e digital inputs 90 10 2 Digital outputs 92 10 2 1 Wiring of the digital outputs 92 11 Security Maintenance 93 11 1 Security notes 94 11 1 1 Function and typical use 94 11 1 2 Requirements for integrators and operators 94 11 1 3 Installation location 95 11 1 4 Commissioning 95 11 1 5 Operation and configuration 96 11 1 6 Service maintenance and decommissioning 99 11 2 Up Download Configuration dat...

Page 6: ...W T ...

Page 7: ...7 W T Subject to error and alteration 1 Legal information and safety ...

Page 8: ...re injury if no appropriate preventive actions are taken 1CAUTION Indicates a hazard that can result in slight injury if no appropriate preventive actions are taken 1NOTE Indicates a hazard which can result in equipment damage if no appropriate preventive actions are taken If more than one hazard level pertains the highest level of warning is always used If the warning sign is used in a warning no...

Page 9: ...uipment may not be disposed of with normal waste but rather must be brought to a proper electrical scrap processing facility The complete declarations of conformity for the devices de scribed in the instructions can be found on the respective In ternet data sheet page on the W T homepage at http www wut de Symbols on the product Symbol Explanation CE mark The product conforms to the requirements o...

Page 10: ...nd network can be provided via the WireGuard VPN Suitable filter rules on TCP IP level protect all networks from unauthorized undesi red and harmful communication The Microwall IO has 2 digital inputs and 2 digital outputs which allow the control of router firewall functions and the evaluation of messages in automation environments Any other use or modification of the described devices is not inte...

Page 11: ...screws are tightly fastened Fully tighten screws on unused terminals The power supply used for the Microwall VPN must absolutely ensure safe isolation of the low voltage side from the supply mains according to EN62368 1 and must have LPS designation EMV 1NOTE Only shielded network cables may be used for connecting the Microwall to the network In this case the Microwall meet the noise immunity limi...

Page 12: ...12 W T ...

Page 13: ...13 W T Subject to error and alteration 2 Hardware interfaces and displays Hardware installation Power supply Network interfaces Service button Digital IOs only Microwall IO ...

Page 14: ... with alternative mounting methods the outlined air circulation must be gua ranteed A i r c i r c u l a t i o n iThe installation site must be adapted to the security requi rements of the respective system environment Physical access to the Microwall enables a potential attacker to take the device out of operation or to replace the password via the service button ...

Page 15: ...W 2 2 2 External power supply As an alternative to the PoE supply the Microwall can be sup plied externally via the pluggable screw terminal located on the underside of the housing The DC voltage used must be within the following range and the polarity must be observed DC voltage 24V 10 48V 10 1WARNING Only a floating power supply unit may be used for the ex ternal supply of the Microwall Its refe...

Page 16: ...the Network 2 green connection Commissioning with the factory settings and a possible sup ply via PoE is only possible via Network 1 yellow 2 3 1 Gigabit Ethernet Features Both Gigabit Ethernet connections have the following features RJ45 jack shielded Connections to the network infrastructure are via shielded patch cables with a maximum length of 100m Autocrossing Auto MDI X The transmit receive ...

Page 17: ...end that the connected devices are also operated in auto negotiation mode 2 3 2 Link state The link status is indicated by LEDs integrated in the RJ45 sockets Pin 1 2 3 4 5 6 7 8 Richtung Out Out In In IN In In In Funktion Tx Tx Rx Vcc positive Vcc positive Rx Vcc negative Vcc negative 8 7 6 5 4 3 2 1 Speed Activity FD HD Speed Activity green orange Green 1000MBit s Link Green flashing 1000MBit s ...

Page 18: ...nd 10s The emergency access of the Microwall is activated Further information on emergency access can be found in the chapter on emergency access iThe emergency access opens a non password protected HTTPS access TCP port 446 with the possibility to over write the current password Therefore only start the emer gency access in an appropriately secure environment e g direct connection to a configurat...

Page 19: ...on both network connections via TCP port 446 Pressing the button again briefly performs a reset and ends the emergency access Further information on emergency access can be found in the chapter emergency access iThe emergency access opens a non password protected HTTPS access TCP port 446 with the possibility to over write the current password Therefore only start the emer gency access in an appro...

Page 20: ...icrowall continues with the standard operation of the current configuration iA reset to the factory setting causes all settings filter ru les IP parameters log files etc to be lost Recommissio ning must be carried out as described in the chapter Start up ...

Page 21: ...ress required for initial access is assi gned Subsequent browser access leads to the initial web page for configu ration of the basic parameters required for operation including the system password IP assignment via DHCP Setting the IP address with the WuTility management tool Changing the IP parameters via Web Based Management Initial access via browser ...

Page 22: ...Network 1 is connected to the network the initial web page for assigning the system password is accessible via the default IP or the IP address assigned via WuTility or DHCP Make sure that no unauthorized access to the Microwall occurs until the password is assigned on the in itial web page e g by commissioning with a direct connection to the respective PC iFor operational use of the Microwall we ...

Page 23: ...ntil the password is assigned on the initial web page e g by commissioning with a direct connection to the respective PC To assign the IP address the PC and the Interface Network 1 of the Microwall must be located in the same physical net work Installing WuTility The download link for the Windows installation package of the latest version of WuTility can be found on our website https www wut de wu...

Page 24: ... IP address is 190 107 233 110 Select the desired Microwall and then press the IP address button Enter the desired values for IP address subnet mask gateway and DNS server When you click Next the network parameters are saved by the Microwall The IP assignment with WuTility can be repeated until the Microwall has received a system password via the initial web page Afterwards the IP parameters can o...

Page 25: ...o error and alteration using standard web based management The additional parameters required for initial commissioning are set via an initial web page using a browser For more in formation refer to the chapter Initial Web Page ...

Page 26: ... direct connection to the respective PC iThe commissioning of several Microwalls via their default IP can only take place one after the other Only after one Microwall has received a new IP address may the next Micro wall be connected to the network On the computer side the following requirement must be met The network connection of the computer used must have an IP address in the range 190 107 233...

Page 27: ...dress assigned by WuTility Make sure that no unauthorized access to the Microwall occurs until the password is assigned on the initial web page e g by commissioning with a direct connection to the respective PC If the IP address was assigned using the WuTility tool select the desired Microwall and click on the Browser button If access is to take place via the default IP address of the Microwall st...

Page 28: ...guration control accesses of the Microwall We recommend passwords with a minimum length of 15 characters consisting of upper and lower case letters numbers and special characters The maximum length of the password is 51 characters Operation without a pass word is not possible ...

Page 29: ...the microwall For more informati on refer to the chapter Standard Router Mode Network 2 green Assign the IP parameters for the connection Network 2 green The Net IDs of Network 1 and Network 2 must be different If there are additional routers in Network 2 in remote net works these can be configured later in the network settings of the Web based management using static routes Operation mode mandato...

Page 30: ... with the new parameters after an automatic restart iBackup files also contain the new IP address of the Micro wall To avoid an IP conflict make sure that the original or a previously programmed Microwall is no longer connected to the network before uploading For details on configuration backups see the chapter Up Downloading Configuration Backups ...

Page 31: ...nagement The configuration of the Microwall is only possible encrypted via HTTPS The WBM Web based management works session oriented Changes made on the respective pages are immediately saved and validated by pressing the Save button Navigation within WBM ...

Page 32: ...he IP address of the Microwall VPN and if necessary the port number to be used https IP address Port no 4 1 1 Navigation concept of the Microwall The WBM of the Microwall works session oriented via a password protected login Operation without password is not possible After login any changes made are immediately applied by clicking the Save button on the respective page If a restart of the Microwal...

Page 33: ...1 Login Enter the password and press the Log in button After suc cessful login the extended navigation tree with all configurati on options is available iTo protect against brute force attacks password entry is protected with an escalating timeout After each incorrect password entry the password can only be re entered after a timeout that doubles with each attempt 4 2 2 Logout To end a configurati...

Page 34: ...onfiguration items are not self explanatory the assigned info symbols contain the necessary descriptions explanations and notes For detailed information on the operating modes release ru les and VPN setup refer to the chapter Operating Modes and Rule Configuration in this manual ...

Page 35: ...ubject to error and alteration 5 DHCP server Discover assistant DHCP server for Network 2 Static and dynamic leases Controlled commissioning of new or third party devices Identification of unwanted connections ...

Page 36: ...ave been previously assigned a diffe rent address For this reason static leases must be created for DHCP clients that are used in release rules during operation Static leases To support static DHCP leases the Microwall provides on 3 lists DHCP lease requests All requests received by the Microwall on network 2 for which no static lease has yet been assigned are listed here The button starts the dia...

Page 37: ...rver and Discover assistant Subject to error and alteration Network 1 it must also be noted that a corresponding firewall rule is required Current DHCP leases Listing of all devices provided with a lease by Microwall ...

Page 38: ...lled commissioning of new devices in Network 2 green Outgoing connection attempts of selected hosts are recorded and displayed to gether with the previously resolved host name However the connections remain blocked until a corresponding release rule is generated for the desired communication by mouse click ...

Page 39: ...39 W T Subject to error and alteration 6 Operating modes and rule configuration Mode NAT router Mode Standard router Mode Standard router with static NAT Rule configuration and labels IP inventories ...

Page 40: ...ate network by the local IP address of the Microwall and are therefore not visible in the intranet at any time The island IP range can be selected completely freely in NAT mode Even several islands with identical IP ranges can be connected to the company intranet simultaneously in this way An interven tion in its routing concept is not necessary Network 1 Intranet 10 20 0 0 16 Network 2 Island 192...

Page 41: ... ICMP echo requests replies ping to the local in terfaces and the forwarding of other ICMP datagrams The Save button activates the NAT Router mode and the cor responding rule set is loaded To allow communication between nodes from the intranet and the island network after enabling the NAT router mode expli cit allow rules must be configured in the following submenu There are no factory default rul...

Page 42: ... the participating hosts usually as a static route If the island network is a marginal network without connecti on to further networks the local IP address of the Mircowall is configured as default gateway on the island hosts If further routers to other networks exist in the island network then these paths must be made known to all island hosts as a static route Network 1 Intranet 10 20 0 0 16 10 ...

Page 43: ...CMP echo requests replies ping to the local in terfaces and the forwarding of other ICMP datagrams The Save button activates the Standard Router mode and the corresponding rule set is loaded To allow communication between nodes from the intranet and the island network after enabling the Standard router mode explicit allow rules must be configured in the following sub menu There are no factory defa...

Page 44: ... to the desired hosts in the island The secondary IP addresses do not provide access to Microwall services WBM Update Ping etc With the help of static NAT island hosts appear on the intra net as if they were members of the local network Suitable firewall rules must be configured for communication with the island hosts No modification of the intranet side routing con cept is required Network 1 Intr...

Page 45: ...le opens the dialog for creating new mappings In the following dialog determine which IP address of the intranet Network 1 yellow should be assigned to the desired IP address in the island net work Network 2 green The Save button activates the Standard Router mode with the associated table for the Static NAT and loads the associated rule set To allow communication between nodes from the intranet a...

Page 46: ...lways done from these address inventories Inventory entries can consist of individual IP addresses as well as areas or lists The following entries are permitted any Keyword for any IP address single IP address IP address in dot notation e g 10 20 0 4 Comma separated IP address list List of IP addresses in dot notation e g 10 10 10 1 20 20 20 2 IP range Continuous IP range in the form from to e g 1...

Page 47: ...or and alteration 6 4 1 Scan of Network 2 Using the magnifying glass in the area of Network 2 it is possible to search the island network for participants Newly found stations found during a scan can then be automatically added to the inventory list of Network 2 ...

Page 48: ...irewall rules The overview contains information about the existing rules with the possibility to activate and deactivate them using the respective slide switch The Plus button at the upper right edge of the table opens the dialog for creating new rules iRule examples for many standard applications can be found on our website at https www wut de rule examples ...

Page 49: ... of the destination source IP addresses and destination source port numbers used for the rule Which network the source or destination is on is determined dy namically by the selected direction of the rule Depending on the current operating mode either only individual ad dresses and or ports can be configured or entire ranges and lists can be configured Details can be found in the respective help t...

Page 50: ...ntries Permissible entries and formats of port numbers and port number ranges any Keyword for any port number Single port number e g 8000 Comma separated port number list e g 80 443 8000 Port number range e g 100 1000 Different input forms cannot be combined This means for example 8000 10 1000 is an invalid inpu Protocol Specifies whether the rule applies to TCP or UDP The TCP option FTP must be a...

Page 51: ...the data traffic defined by the rule 6 5 1 Using hostnames as the target of a rule In rules that enable connections in the direction of Network 1 the destination can also be specified in the form of a host name e g www wut de The prerequisite for this is that the initiating participants in Network 2 use the IP address of the microwall there as the DNS server iIf the microwall works as a DNS proxy ...

Page 52: ...are 10 110 0 1 and 10 20 0 55 For view fil tering in the rule overview the rule is marked with the label Normal mode Network 1 Intranet Net ID 10 20 0 0 16 Standard Gateway 10 20 0 1 10 20 0 55 Network 2 Island Net ID 10 110 0 0 16 Standard Gateway 10 110 0 1 10 110 0 1 Web server IP 10 20 0 4 16 Gateway 10 20 0 1 Static route 10 110 0 0 16 via 10 20 0 55 Host x IP 10 110 0 10 16 Gateway 10 110 0 ...

Page 53: ...53 W T Operation modes and rule configuration Subject to error and alteration The rule dialog to be filled out for this example ...

Page 54: ...t IP of the Microwall is used as the destination address in the browser where it is usually replaced by the island IP 10 110 0 10 Network 1 Intranet Net ID 10 20 0 0 16 Standard Gateway 10 20 0 1 10 20 0 55 Network 2 Island Net ID 10 110 0 0 16 Standard Gateway 10 110 0 1h 10 110 0 1 Web server IP 10 110 10 16 Gateway 10 110 0 1 Host n IP 10 20 0 4 16 Gateway 10 20 0 1 Browser Dest IP 10 20 0 55 A...

Page 55: ... and rule configuration Subject to error and alteration The rule dialog to be filled out for this example iFurther control examples for many standard applications can be found on our website at https www wut de rule examples ...

Page 56: ...56 W T Operation modes and rule configuration ...

Page 57: ...57 W T Subject to error and alteration 7 Wireguard VPN server Configuration of the microwall as VPN server with permitted clients Creating firewall rules for the VPN server mode ...

Page 58: ...ough an encrypted UDP channel between the VPN client and VPN server in a virtual IP subnet Encryption and mutual authentication are carried out asymmetrically using key pairs with public and private parts public key private key The public keys of a VPN server and client must be mutually known WireGuard Server mode The microwall provides a WIreGuard server on the LAN side on which registered VPN cl...

Page 59: ... known to every VPN client and can be copied here from the text field e g into a file The button New Key generates a new key pair private key and public key for the VPN server iWithin an existing VPN environment the public key of a newly generated key pair must be rolled out to all VPN clients Communication via the old key pair is no longer pos sible VPN server settings Virtual IP subnet The virtu...

Page 60: ...router or a perimeter firewall upstream of the server this port number with the IP address of Network 2 must be enabled via a firewall or NAT rule Activated Clients This section contains all VPN Clients created in the VPN Client inventory The checkbox activates the respective client and allows the connection to the VPN server For connections to participants in the island network corresponding appr...

Page 61: ...ion and administration of VPN clients iThe VPN Client Inventory page is only used to manage the VPN clients Activation for actual VPN connections is done on the page VPN Environment 7 3 1 New VPN clients Standard configuration The button at the upper right edge of the table starts the dialog for creating new VPN clients ...

Page 62: ...eady been generated there Virtual IP address of the VPN client The virtual IP address entered here must be in the same sub net of the VPN server It must not collide with the address of other VPN clients Name Description Freely selectable name s mandatory and description of the VPN client Public key Public key of the key pair generated on the VPN client ...

Page 63: ...ting this option allows the VPN client to access the con figuration pages of the Microwall Option Enable VPN client If this option is activated the created VPN client is immedia tely activated by clicking the Add button For access to parti cipants of the island network corresponding rules must be created under VPN rules 7 3 2 New VPN clients Advanced configuration Enabling the Advanced configurati...

Page 64: ...rmat URL IP address UDP listen port The default is the IP address of Network 1 and the UDP list port configured in the VPN environment Allowed IPs A comma separated list of IP addresses in CIDR notation from which incoming traffic is allowed for this peer and to which outgoing traffic is forwarded for this peer The default is the virtual IP range of the VPN and the IP range of the island network t...

Page 65: ...ge can be used to create additional labels Direction Clicking on the direction arrow sets the direction for the rule from the point of view of the tunneled connection For TCP the direction is determined by the connection setup For UDP it is determined by the initial UDP datagram VPN client Network 1 yellow Network 2 green Configuration of the communication connections permit ted within the VPN tun...

Page 66: ...o e g 10 10 10 1 10 10 10 20 IP range CIDR notation CIDR listed IP range e g 10 10 0 0 16 Different input forms and concatenation of IP ranges within one input field are not possible This means that 10 20 0 4 10 20 0 10 10 20 0 20 or 10 20 0 0 16 10 10 0 0 16 are invalid entries Permissible entries and formats of port numbers and port number ranges any Keyword for any port number Single port numbe...

Page 67: ...in reverse direction must be activated The Microwall will automatically accept an incoming reply datagram within a timeout Actions Activate rule activates the rule immediately after pressing the Save button If the option is not set the rule is created but not applied when you click Save Data traffic according to the rule is not possible The rule can be activated later in the rule overview Create l...

Page 68: ...l possibly a DSL router responsible for connecting the intranet to the Internet or other higher level network This must forward incoming UDP packets from the Internet side with the destination port 10001 to the intra net side IP address of the Microwall VPN Dynamic IP addresses If the Internet connection of the intra net only has dynamic IP addresses of the provider on the WAN side the service of ...

Page 69: ...d 10 3 3 1 24 Defines the IP address of the VPN server and Net ID for the virtual VPN network The range is largely freely selectable but must not collide with any of the other ranges involved 10001 The UDP list port on which the VPN server accepts inco ming client connections saves and activates the changes 3 Creating the VPN Client in the inventory Switch to the page VPN Settings VPN Inventory an...

Page 70: ...ctable name of the VPN client The VPN client should have access to the configuration interface of the Microwall VPN and should be activated im mediately after creation Therefore activate both options The Microwall should generate the entire configuration file for the VPN client To do this activate the Advanced configuration check box ...

Page 71: ...eates a key pair for the VPN client The private key is saved by the Microwall VPN exclu sively for the duration of this creation dialog and then deleted 92 200 200 100 10001 End point under which the VPN server can be reached In this example this is the WAN side official IP address of the DSL router that connects the intranet to the Internet Colon separated the UDP list port of the VPN server must...

Page 72: ...PN client generates Keep Alive packets to maintain the UDP tunnel in the participa ting routers Finally the button Show QR Code generates the QR Code with the content of the VPN Client configuration Start the WireGuard app on the mobile device and select the Import from QR Code option If the QR Code was read successful ly assign a name for the new VPN connection Add closes the configuration dialog...

Page 73: ...destination host in the island network as the destination of the TCP connection to be released 80 443 The destination port of the TCP connection The Web ser vice on the target system is addressed via TCP ports 80 or 443 The protocol of the connection is TCP Connections ac cording to the settings should be accepted and documen ted in the log file of the Microwall VPN The formulated rule should be a...

Page 74: ...nel you created earlier In the Android status bar a key symbol should now signal the VPN connection Start a browser and enter the IP address of the island host in the address line http s 10 10 0 10 To access the configuration pages of the Microwall VPN use the virtual IP address of the VPN server as destination https 10 3 3 1 ...

Page 75: ...75 W T Subject to error and alteration 8 Wireguard VPN client Configuration of the microwall as VPN client ...

Page 76: ...yption and mutual authentication are carried out asymmetrically using key pairs with public and private parts public key private key The public keys of a VPN server and client must be mutually known WireGuard client mode As an alternative to server mode the Microwall can also be operated as a WireGuard client on the Network 1 port It esta blishes the VPN tunnel to a WireGuard VPN server iThe Micro...

Page 77: ...le client The checkbox activates the VPN connection to the WireGuard VPN server with the specified parameters If the VPN tunnel is activated the line below the checkbox contains the current status and the amount of transferred data Due to the connectionless UDP protocol used by Wire Guard the update of the tunnel status can be delayed up to about 3 minutes ...

Page 78: ...under which the WireGuard VPN server can be reached Usually you will receive the port number from the operator of the VPN server and must enter it here Client settings r VPN server public key Public key of the WireGuard VPN server You will receive it from the operator of the VPN server and must enter it here Client settings r Allowed IPs List of IP addresses or address ranges CIDR notation that ar...

Page 79: ...ion allows access to the web based ma nagement of the Microwall through the tunnel connection Import configuratiomn The entire configuration of the VPN client including the pri vate key can also be generated externally in a config file and loaded into the microwall VPN Configuration template A configuration template can be downloaded which can be used to configure the VPN client externally Configu...

Page 80: ...80 W T WireGuard VPN client ...

Page 81: ...81 W T Subject to error and alteration 9 Wireguard VPN Box to Box VPN tunnels between island networks Configuring the server Microwall Configuring the client Microwall ...

Page 82: ...crowall VPN client Island 2 192 168 20 0 24 10 20 0 20 192 168 20 100 192 168 20 1 192 168 10 1 Requirements The microwalls are preconfigured with the addresses shown in the sketch and can be reached via browser from the intra net The local microwall is set as the gateway in the network participants of the island networks iIn this example the configuration file for the VPN client is created on the...

Page 83: ... the following settings and copy the displayed public key to paste it into the configuration of the VPN client later Save the changes by clicking 2 Basic settings key exchange VPN client In a browser open the website of the Microwall working as a VPN client and log in Navigate to the page VPN client To add a new VPN client click on and make the following settings To generate the keys click the cor...

Page 84: ...84 W T WireGuard VPN Box to Box ...

Page 85: ...l Click on Add to return to the inventory overview Save the changes by clicking 3 Basic settings VPN client In a browser open the website of the Microwall working as a VPN client and log in Navigate to the page VPN client Under Import configuration click the Upload button and send the configuration file generated on the VPN server to the VPN client All input fields will be filled in automatically ...

Page 86: ... are displayed in the status after a few seconds Switch to the web page with the configuration session of the VPN server and navigate to the page 4 Configuration of the static routes The island network of the respective opposite side must be made known to both the VPN server and the VPN client in the form of a static route In the VPN server and VPN client navigate to the pages ...

Page 87: ... on and make the following set tings VPN server VPN client In the VPN server and VPN client save the changes by clicking 5 Creating the whitelist rule in the VPN server All communication connections between the two island net works must be explicitly permitted in the VPN firewall in the form of a corresponding rule ...

Page 88: ... on in the rules overview and make the following settings This rule allows an incoming TCP connection from 192 168 20 100 to the machine 192 168 10 100 connected in the island network on port TCP 443 at the VPN server via the VPN Click on Add and in the rule overview on to save and ac tivate the rule ...

Page 89: ...10 Digital inputs and outputs only Microwall IO Wiring of the inputs outputs Functions of the digital inputs Functions of the digital outputs The following chapter is exclusively valid for the Microwall IO and its digital inputs and outputs ...

Page 90: ...wing and must be assigned with active outputs which must supply at least 2 2mA current Example Connection of active PLC output Outputs Inputs Vdd GND 0 1 1 0 SPS Output SPS GND Example Connection of potential free output switch Outputs Inputs Vdd GND 0 1 1 0 Auxiliary voltage max 30VDC Passive output 10 1 2 Available actions of the digital inputs The assignment of the actions to be executed in the...

Page 91: ...ject to error and alteration The following actions are available Activation deactivation of the VPN tunnel as client or server Activation deactivation of the network interface Activation deactivation of firewall rules with specific labels ...

Page 92: ...parate supply voltage and switch th rough the voltage applied to the Vdd terminal in the ON sta tus Example wiring output Outputs Inputs Vdd GND 0 1 1 0 Supply voltage outputs 6 30VDC 10 2 2 Available actions of the digital outputs The assignment of which internal event of the Microwall switches which output is made in the WBM menu branch I O events Events can switch an output on off or toggle it ...

Page 93: ...93 W T Subject to error and alteration 11 Security Maintenance Security and operating notes Firmware updates Individual certificates Emergency access via service button Reset to factory defaults ...

Page 94: ...dditional rou ters and perimeter firewalls From the perspective of a defen se in depth strategy the microwall is therefore always deplo yed behind at least one perimeter firewall and outside a DMZ For the purpose of remote maintenance the Microwall has a WireGuard VPN endpoint on the intranet side Network 1 yel low As a client or server this enables encrypted authentica ted remote access to subscr...

Page 95: ... of this manual 11 1 3 Installation location The installation location of the Microwall must ensure that no unauthorized physical access can occur e g suitably secured room network cabinet etc Physical access to the Microwall involves the following risks for example Decommissioning of the device removal of network cable power supply and loss of all connections to the participants of the island net...

Page 96: ...t of the Microwall We recommend using a secure password with a length of at least 15 characters consisting of upper and lower case letters digits and special characters Registration for security related information Devices can be registered with W T via the inventory tool In the event of security relevant updates and or information we will notify you immediately by email In addition to the perso n...

Page 97: ... 5555 TCP Firmw update WuTility Default activated Net work 1 yes no yes 446 TCP HTTPS emergency access Default deactivated Manual activation via service button no no yes 161 UDP SNMP Default deactivated Activatio via Web Ma nagement read only yes SNMPv3 yes yes ICMP Echo request Default deactivated no yes Outgoing 123 UDP NTP timeserver Default deactivated no yes 53 UDP DNS client Default deactiva...

Page 98: ...etween the two network ports or for a VPN client When formulating rules we recommend formulating them as narrowly as possible according to the need to know principle For example using a unicast address provides grea ter security than an IP range Confidentiality of Private Keys Asymmetric encryption with the associated public private key pairs are used in the Microwall for the TLS protocol for web ...

Page 99: ...ective application we recommend taking appropriate precautions Backup storage of the device configuration If necessary provision of a replacement device Documentation of the procedure for device replacement During decommissioning all confidential information stored in the Microwall IP ranges sharing rules VPN accesses etc should be reset to the factory settings to protect them This can be done eit...

Page 100: ...download of all current configuration parameters of the Microwall If the file is to receive an individual backup password this must be ente red in the Backup password field before the download iThe upload of a password provided backup file is only pos sible with knowledge of this password Therefore save the password in a suitable form separately from the backup file Upload configuration Uploading ...

Page 101: ...101 W T Security Maintenance Subject to error and alteration or a previously programmed Microwall are no longer connec ted to the network before uploading ...

Page 102: ...s reason firmware updates are always associated with a restart of the Microwall and thus also an interruption of the operational mode Individual configura tion data IP parameters firewall rules etc are not affected by a firmware update and remain intact 11 3 1 Where is the latest firmware available The latest firmware including the available update tools and a revision list is published on our web...

Page 103: ...e firmware update with WuTility it must be installed on a Windows PC Its IP settings must allow communication with the Microwall and its current IP parameters A prerequisite for firmware updates with WuTility is the acti vated update service to TCP 5555 in the Microwall With the factory settings the update with WuTility is only possible via the interface Network 1 iThe network communication during...

Page 104: ...rypts the firmware file checks the signature and writes the firmware to its internal flash Finally a restart is performed automatically and the Microwall is rea dy for operation again 11 3 3 Firmware Update via Web Based Management In network environments that do not permit the use of WuTi lity or in which the update service in the Microwall has been deactivated for security reasons the firmware u...

Page 105: ...d alteration The Upload File button starts the selection dialog for the firm ware file Select here the previously downloaded and unzip ped firmware file uhd After the upload the Install Update button starts the actual installation of the new firmware ...

Page 106: ...ficate Signing Request with asso ciated private key in the Microwall Download the CSR and external signature to a certificate by a trusted certificate authority Upload and installation of the certificate into the Microwall Navigate in the menu tree to the page Basic settings Cer tificate In addition to information on the currently installed certificate all functions for handling individual certifi...

Page 107: ...d button for external signature The download is in PEM format After the signature by a trustworthy certification authority CA the certificate and any certificate chain that may be re quired can be loaded into the Microwall using the correspon ding upload buttons All files must be in PEM format After a formal check the certificate is integrated into the sys tem by clicking on Install under External...

Page 108: ...is activated The router firewall function is completely retained in this state iThe emergency access activates a non password protected web page on the Microwall with the possibility to overwrite the current password You should therefore take appropriate measures against unauthorized access in advance Calling and function of the emergency access Emergency access is provided by browser with HTTPS v...

Page 109: ...ction and under which port the web management of the Microwall should sub sequently be accessible Terminating the emergency access Changes are applied with a click on Apply and the Microwall restarts the affected services Afterwards access to the pass word protected standard web interface is possible via the previously configured TCP port A click on Cancel discards any changes made and the Micro w...

Page 110: ...shing slowly and after approx 10s it starts flashing fast After a total of approx 20s the device is reset to the factory settings If the service button is released while the service LED is flashing quickly within a time window of 10 20s the factory default reset is aborted and the Microwall continues with standard operation according to the current configuration The reset is completed as soon as t...

Page 111: ...111 W T Subject to error and alteration Appendix Technical data and form factor ...

Page 112: ... DC max 200mA 24V DC Galvanic isolation Network interfaces min 500V LAN Port Network 1 10 100 1000BaseT RJ45 au tosensing autocrossing PoE LAN Port Network 2 10 100 1000BaseT RJ45 autosensing autocrossing Permissible ambient temperature Storage Operation non cascaded 40 85 C 0 50 C Permissible rel humidity 0 95 non condensing Dimensions 105 x 75 x 22mm Weight ca 120g Front view 55211 Bottom side 5...

Page 113: ...ensing autocrossing PoE LAN Port Network 2 10 100 1000BaseT RJ45 autosensing autocrossing Digital inputs 2 x on screw terminal input voltage 30VDC switch threshiold 8V 1 5V inout current min 2 2mA Digital outputs 2 x on screw terminal 6 30VDC 500mA output Permissible ambient temperature Storage Operation non cascaded 40 85 C 0 50 C Permissible rel humidity 0 95 non condensing Dimensions 105 x 75 x...

Page 114: ...tor 112 H Hardware installation 14 hostnames 51 I Initial web page 27 IP inventories 46 K Konfigurationsdateien 100 L Link state 17 Login 33 Logout 33 N NAT router 40 navigation concept 32 Network Interfaces 16 P PoE 15 Power supply 15 Preshared Key 63 79 PSK 63 79 R Reset 19 S Security 93 service button 108 Standard router 42 static NAT 44 System and Error LED 18 V VPN clients 60 VPN rules 65 W W...