What should you watch out for with a remote access to a SIMATIC S7 with STEP 7 via the Internet?
Description:
Remote access is made to an automation system (e.g. SIMATIC S7) via the Internet. In this case, only one controller can be reached by the remote access via port forwarding. Access to other controllers in the automation cell is via PG routing.


Fig. 01

PG functions are used with STEP 7 to access an automation system (e.g. SIMATIC S7) in the local network from the external network. Access is made via a gateway that uses the NAT (Network Address Translation) and NAPT (Network Address Port Translation) services. 


Fig. 02

In the above-mentioned examples, the PG functions permit the following with STEP 7:

  • Downloading of the configuration and user program to the CPU
  • Monitoring of blocks and tags

The PG functions, S7 communication etc. use Port 102 (TCP).
Information on which protocol uses which TCP port is available in Entry ID: 8970169.

In the above-mentioned applications, you set the port forwarding in the DSL modem/router on the plant side and in the gateway so that traffic arriving on Port 102 from the external network is forwarded to Port 102 of the IP address of the SIMATIC S7. The IP address of the SIMATIC S7 is in the local network.

Example of port forwarding:

| Example | External IP address | External port | Internal IP address | Internal port | Application |
|---|---|---|---|---|---|
| Remote access via Internet using port forwarding | 217.91.8.166 | 102 | 172.168.2.10 | 102 | STEP 7 |
| Access via NAT/NAPT | 192.168.2.1 | 102 | 172.168.2.10 | 102 | STEP 7 |

For the following applications, attention must be paid to the fixed external IP address of the standard DSL modem/router on the plant side and the external IP address of the gateway:

  • Monitor blocks,
    so that it is possible to monitor blocks on the SIMATIC S7 CPU online via STEP 7.
  • Download interface,
    so that it is possible to download the configuration via STEP 7.

Monitor blocks
You must make the following change in the hardware configuration of the SIMATIC S7 to enable monitoring of blocks on the SIMATIC S7 CPU online via STEP 7.

In the hardware configuration of the SIMATIC S7, you replace the IP address of the interface that enables access to the Internet (e.g. IE CP or integrated PN interface of the CPU) with the external IP address of the DSL modem/router on the plant side.

The changed hardware configuration is used only for monitoring the blocks and must not be downloaded to the CPU. The changed IP address is stored in the project and therefore changes the system data in the project. A download would change the settings of the CPs or the CPU and thus render further online monitoring impossible.

A download of the system data or the hardware configuration with changed IP address prevents further online monitoring via port forwarding.

Download interface
No changes are made in the project when you set the download interface in STEP 7. The original IP address is retained in the project. Only the IP address of the download target is replaced by the external IP address of the DSL modem/router on the plant side.

Thus, it is also possible to download the system data and hardware configuration without the online connection being cut after the download. However, no block monitoring is possible here.


Fig. 03

Note:
With the remote access options mentioned above, the local network is not protected against unauthorized access. We therefore recommend that you use a VPN (Virtual Private Network) for remote access via the Internet. Via VPN, you can use the PG functions with STEP 7:

  • without changing the IP address of the Industrial Ethernet interface in the hardware configuration to monitor the blocks and
  • without changing the IP address of the download interfaces to download the hardware configuration or user program into the CPU.
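
An audit of forwarding rules for the exposure this note describes, as an added example that is not part of the original entry. It parses a constructed rule export (the first two rows are the port forwarding table above; the sources column, the third row and the finding names are assumptions) and flags rules that open TCP 102 to any source, as well as internal targets outside the RFC 1918 ranges, which applies to the example address 172.168.2.10.

```python
import ipaddress

S7_PORT = 102  # TCP port the entry gives for PG functions and S7 communication
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed rule export: name;ext_ip;ext_port;int_ip;int_port;allowed sources
# Rows 1-2 are the entry's table; row 3 and the sources column are
# assumptions made for this example (empty sources = any source).
SAMPLE_RULES = """\
port-forwarding;217.91.8.166;102;172.168.2.10;102;
nat-napt;192.168.2.1;102;172.168.2.10;102;
restricted-src;217.91.8.166;102;172.16.2.10;102;198.51.100.7/32
"""

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, ext_ip, ext_port, int_ip, int_port, src = line.split(";")
        sources = [ipaddress.ip_network(s.strip())
                   for s in src.split(",") if s.strip()]
        rules.append({"name": name,
                      "ext_ip": ipaddress.ip_address(ext_ip),
                      "int_ip": ipaddress.ip_address(int_ip),
                      "ext_port": int(ext_port), "int_port": int(int_port),
                      "sources": sources})
    return rules

def audit(rule):
    """Return finding codes for one forwarding rule."""
    findings = []
    if rule["int_port"] != S7_PORT:
        return findings  # only rules that reach the S7 port are checked here
    any_source = (not rule["sources"]
                  or any(n.prefixlen == 0 for n in rule["sources"]))
    if any_source:
        # A globally routable external address makes the CPU reachable
        # from the Internet without any restriction on who connects.
        findings.append("S7_OPEN_FROM_INTERNET" if rule["ext_ip"].is_global
                        else "S7_OPEN_FROM_ADJACENT_NET")
    if not any(rule["int_ip"] in net for net in RFC1918):
        findings.append("INTERNAL_ADDR_NOT_RFC1918")
    return findings

def audit_all(text):
    return {r["name"]: audit(r) for r in parse_rules(text)}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_RULES).items():
        print(name, findings or ["no finding"])
```

A rule with no finding has only passed these two checks; the entry's recommendation for remote access via the Internet remains a VPN.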

Instructions for configuring a VPN with SCALANCE S6x and SOFTNET Security Client are available in the following entries:

A description of the various WAN access methods for remote access to automation systems (e.g. SIMATIC S7) is available in Entry ID: 26662448.

 Entry ID:38571711   Date:2009-12-14 