What should you watch out for with a remote access to a SIMATIC S7 with STEP 7 via the Internet?
Remote access is made to an automation system (e.g. SIMATIC S7) via the Internet. With port forwarding, only one controller can be reached directly by the remote access; the other controllers in the automation cell are reached from that controller via PG routing.
PG functions are used with STEP 7 to access an automation system (e.g. SIMATIC S7) in the local network from the external network. Access is made via a gateway that uses the NAT (Network Address Translation) and NAPT (Network Address Port Translation) services.
In the above-mentioned examples, the PG functions permit the following with STEP 7:
- Downloading of the configuration and user program to the CPU
- Monitoring of blocks and tags
The PG functions, S7 communication etc. use Port 102 (TCP).
Information on which protocol uses which TCP port is available in Entry ID: 8970169.
In the above-mentioned applications, you set the port forwarding in the DSL modem/router on the plant side and in the gateway so that packets arriving at Port 102 from the external network are forwarded to Port 102 of the IP address of the SIMATIC S7. The IP address of the SIMATIC S7 is in the local network.
Example of port forwarding:

| Application | Access via | IP address of the SIMATIC S7 (local network) | Port | External IP address of the DSL modem/router | Port | Remote station |
|---|---|---|---|---|---|---|
| Remote access via Internet using port forwarding | NAT/NAPT | 192.168.2.1 | 102 | 22.214.171.124 | 102 | STEP 7 |
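The following script is an added example and not part of this entry or of any Siemens software. It shows what the forwarding rule in the table actually exposes: PG functions and S7 communication run over ISO-on-TCP (RFC 1006 TPKT framing with an ISO 8073 COTP class 0 connection), so a COTP Connection Request sent to the external address and Port 102 is answered with a Connection Confirm whenever the forwarding works and the CPU accepts the connection. The TSAP values (PG connection type, rack 0 / slot 2), the TPDU size parameter and the sample replies are assumptions or constructed data, not captures from a real controller; adjust the called TSAP to the slot of your CPU.

```python
"""Probe what a forwarded TCP port 102 exposes (added example, not Siemens code).

Sends an ISO-on-TCP (RFC 1006 TPKT + ISO 8073 COTP class 0) Connection
Request and classifies the reply. A Connection Confirm means the PG
interface of the CPU is reachable from wherever this runs.
"""
import socket
import struct

TPKT_VERSION = 3
COTP_CR = 0xE0  # Connection Request
COTP_CC = 0xD0  # Connection Confirm
COTP_DR = 0x80  # Disconnect Request (e.g. called TSAP refused)

PG_SRC_TSAP = b"\x01\x00"   # calling TSAP of a PG (assumption)
CPU_DST_TSAP = b"\x01\x02"  # connection type PG (0x01), rack 0 / slot 2 (assumption: adjust slot)


def build_cotp_cr(src_tsap=PG_SRC_TSAP, dst_tsap=CPU_DST_TSAP, src_ref=1, tpdu_size=0x0A):
    """Return a TPKT-framed COTP CR TPDU (class 0; 0x0A = 1024-byte max TPDU)."""
    params = (
        bytes([0xC0, 1, tpdu_size])                 # TPDU size parameter
        + bytes([0xC1, len(src_tsap)]) + src_tsap   # calling (source) TSAP
        + bytes([0xC2, len(dst_tsap)]) + dst_tsap   # called (destination) TSAP
    )
    # fixed part: code, DST-REF (always 0 in a CR), SRC-REF, class/options (class 0)
    fixed = struct.pack(">BHHB", COTP_CR, 0, src_ref, 0)
    cotp = bytes([len(fixed) + len(params)]) + fixed + params  # LI counts all bytes after itself
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(cotp)) + cotp


def parse_cotp_reply(data):
    """Validate the TPKT frame and classify the COTP TPDU it carries."""
    if len(data) < 6:
        raise ValueError("reply too short for TPKT + COTP header")
    version, _reserved, tpkt_len = struct.unpack(">BBH", data[:4])
    if version != TPKT_VERSION:
        raise ValueError("not TPKT: version byte %d" % version)
    if tpkt_len != len(data):
        raise ValueError("TPKT length %d does not match %d bytes received" % (tpkt_len, len(data)))
    li, code = data[4], data[5] & 0xF0  # low nibble of CR/CC is the credit field
    names = {COTP_CC: "CC", COTP_DR: "DR", COTP_CR: "CR"}
    result = {"type": names.get(code, "other"), "dst_ref": None, "src_ref": None}
    if li >= 5 and len(data) >= 10:
        result["dst_ref"], result["src_ref"] = struct.unpack(">HH", data[6:10])
    return result


def recv_tpkt(sock):
    """Read exactly one TPKT message; its total length is in the 4-byte header."""
    buf = b""
    while len(buf) < 4:
        chunk = sock.recv(4 - len(buf))
        if not chunk:
            raise ValueError("connection closed before TPKT header")
        buf += chunk
    total = struct.unpack(">H", buf[2:4])[0]
    while len(buf) < total:
        chunk = sock.recv(total - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_s7(host, port=102, dst_tsap=CPU_DST_TSAP, timeout=3.0):
    """Connect, send the CR and report whether an S7 PG endpoint answered.

    Run against the external address of the DSL modem/router to test the
    forwarding rule; run against 192.168.2.1 from inside to test the CPU itself.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_cotp_cr(dst_tsap=dst_tsap))
        reply = recv_tpkt(sock)
    result = parse_cotp_reply(reply)
    result["pg_interface_reachable"] = result["type"] == "CC"
    return result


# Constructed replies for offline use (not real captures): a CC that echoes our
# parameters with DST-REF = our SRC-REF (1), and a DR that refuses the connection.
SAMPLE_CC = bytes.fromhex("03000016 11d00001000200 c0010a c1020100 c2020102")
SAMPLE_DR = bytes.fromhex("0300000b 06800001000000")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_s7(sys.argv[1]))          # e.g. the router's external address
    else:
        print(parse_cotp_reply(SAMPLE_CC), parse_cotp_reply(SAMPLE_DR))
```

If the probe run from outside the plant network returns a Connection Confirm, every station that can reach the external address has the same access to the PG interface that STEP 7 has through this forwarding rule.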
For the following STEP 7 functions, the fixed external IP address of the standard DSL modem/router on the plant side and the external IP address of the gateway must be taken into account:
- Monitor blocks, so that blocks on the SIMATIC S7 CPU can be monitored online via STEP 7.
- Download interface, so that the configuration can be downloaded via STEP 7.
To monitor blocks on the SIMATIC S7 CPU online via STEP 7, you must make the following change in the hardware configuration of the SIMATIC S7.
In the hardware configuration of the SIMATIC S7, you replace the IP address of the interface that enables access to the Internet (e.g. IE CP or integrated PN interface of the CPU) with the external IP address of the DSL modem/router on the plant side.
The changed hardware configuration serves only for monitoring the blocks and must not be downloaded to the CPU. The changed IP address is stored in the project, so the system data of the project are changed as well. Downloading this system data or hardware configuration would set the IP address of the CP or the CPU to the external address, the controller would no longer be reachable via port forwarding, and further online monitoring would be impossible.
When you set the download interface in STEP 7, nothing is changed in the project: the original IP address is retained, and only the IP address of the download target is replaced by the external IP address of the DSL modem/router on the plant side.
In this way you can download the system data and hardware configuration without the online connection being cut after the download. Block monitoring, however, is not possible via the download interface.
With the remote access options described above, the local network is not protected against unauthorized access: any station that can reach Port 102 on the external address can use the same PG functions (download, monitoring) as STEP 7. We therefore recommend that you use a VPN (Virtual Private Network) for remote access via the Internet. Via VPN, you can use the PG functions with STEP 7:
- without changing the IP address of the Industrial Ethernet interface in the hardware configuration to monitor the blocks and
- without changing the IP address of the download interfaces to download the hardware configuration or user program into the CPU.
Instructions for configuring a VPN with SCALANCE S6x and SOFTNET Security Client are available in the following entries:
A description of the various WAN access methods for remote access to automation systems (e.g. SIMATIC S7) is available in Entry ID: 26662448.