Siemens Industry Online Support
Siemens AG
Entry type: Product note Entry ID: 83130181, Entry date: 11/18/2013

Sales Release and Restricted Delivery Release for SCALANCE S627-2M

  • Entry
  • Associated product(s)
The SCALANCE S627-2M security module is herewith released for ordering and for restricted delivery release ex-stock Germany.   SCALANCE S627-2M is released with the following restriction: ...

The SCALANCE S627-2M security module is herewith released for ordering and for restricted delivery release ex-stock Germany.

SCALANCE S627-2M is released with the following restriction:

The following approval is not yet available: UL - expected for Jan. 2014.

SCALANCE S627-2M is a further model of the SCALANCE S family with 10/100/1000 Mbit/s Industrial Ethernet ports; it features 2 media module slots for the connection of SCALANCE S to fiber-optic and Gigabit networks.

SCALANCE S627-2M provides the complete scope of functions of the previous versions and additionally offers the following functions:

  • Support of PROFINET basic services
  • Two additional slots for 2-port media modules for direct integration into ring or line structures
  • Direct connection to FO networks with FO media modules
  • Protection of redundant rings (MRP, HRP)
  • Secure, redundant connection of lower level networks with standby coupling (firewall/router redundancy)


1. Product Description


Scalance S is a security module that provides protection for equipment, automation cells and network segments of Ethernet networks. This allows production networks to be effectively protected against external and internal threats, such as unauthorized access or unnecessary communication load. Moreover, communication can be secured with encryption against data espionage and manipulation, e.g. for remote access via insecure networks such as Internet or WAN.


SCALANCE S627-2M provides the same functionality and features as the previous SCALANCE S models:

  • VPN (Virtual Private Network): For secure authentication (identification) of the network participants, as well as for data encryption and data integrity checking. Secure encryption is required to protect data traffic against espionage and manipulation. This makes the data traffic on the network unintelligible to eavesdroppers. The security module establishes an IPSec VPN tunnel to other VPN-capable devices in this case.
  • Stateful Inspection Firewall: Filters data packets and blocks or enables communication links according to the filter list. Both incoming and outgoing communication can be filtered. IP and MAC addresses, as well as communication protocols (ports) are filtered. The firewall can be used as alternative or in addition to VPN. Stateful inspection means that communication can also be filtered depending on its state. This means, for example, that response message frames for communication initiated from the internal network may be allowed to pass, whereas communication of the same type initiated externally is blocked.
  • Logging (Syslog): In order to monitor access and detect attempted attacks, all access or rejected access attempts are stored in a log file that can be read by the configuration tool. It is also possible to automatically send log data to a Syslog server.
  • NAT/NAPT (Network Address and Port Translation): It is possible to use private IP addresses in the internal network. Public IP addresses can therefore be saved (NAPT) and automation cells identical to the same private IP addresses can be established (NAT). Support of NAT in conjunction with IPSec.
  • Symbolic names for IP addresses: Simplifies configuration and the readability of the firewall rules.
  • Globale Firewall rules: Easy and fast commissioning, whereby firewall rules which are to be applied to several Scalance S devices can be grouped into global firewall rules.
  • Robust, industrial-grade design,  tailored to the needs of the industrial environment.
  • User-specific firewall rules and user authentication using login and password: Users can log on to a SCALANCE S and, after identification, be assigned with specific firewall rules which restrict their access to certain devices and, if necessary, communication protocols that can be used. For example, access by various equipment manufacturers to their respective machines can be restricted. Additional security can be gained with user-specific firewall rules that permit VPN traffic only, therefore requiring the user to also establish a VPN connection.
  • SNMP (V1 + V3): Simple Network Management Protocol for standard network diagnostics and transmission of network analysis information to the network management system. SNMP V3 also offers tap-proof transmission and increased security compared to SNMP V1.
  • PPPoE: Point-to-point protocol over Ethernet for automatically obtaining IP addresses from the provider, making separate configuration of a DSL router unnecessary.
  • DynamicDNS: Dynamic Domain Name Service for using dynamic IP addresses even for server operation of SCALANCE S for remote maintenance via Internet Provider
  • "Yellow" separate third port, e.g. to build a DMZ or as service access 
  • Support of Radius authentication
  • Support of Android VPN-Client
  • Firewall & Router redundancy.


The following functions are additionally available with SCALANCE S627-2M:

  • Two freely configurable module slots (one module for expansion with 2 "red" ports, 1 module for expansion with 2 "green" ports) for direct integration in ring or line structures
  • Support of PROFINET basic services
  • Direct connection to FO networks with FO media modules
  • Protection of redundant rings (MRP, HRP)
  • Secure, redundant connection of lower level networks with standby coupling (firewall/router redundancy)

The modules are configured with the Security Configuration Tool (SCT), which is included in the product package and which is also included in Step7 V5.5 SP2 HF1 and higher.


SCALANCE S627-2M has all the advantages of the SCALANCE design:

  • Robust metal housing for space-saving cabinet mounting on standard rail, S7-300 mounting rail or wall mounting
  • Rugged, industry-compatible subscriber connections with PROFINET-compatible RJ45 plug-in connectors that provide an additional strain and bending relief with latching on the housing
  • Redundant power infeed
  • Fault signal contact
  • Diagnostics on the device using LEDs (power, link status, data traffic)
  • C-PLUG (Configuration Plug) can be inserted as a removable medium, allowing a fast module replacement in case of failure, without a programming device
  • 2 Media module slots (compatible with SCALANCE X300)

SCALANCE S627-2M: 3 RJ-45 ports (red/green/yellow) + 2 module slots (red/green)

      The devices to be protected are connected to the ports marked green, and the ports marked red are the interface to the external network. The yellow DMZ port is used as connection for remote access via Internet or can be used as local connection for laptops or another network. The yellow port is secured against the red and the green ports by means of a firewall and can also terminate VPN connections like the red ports.
The green ports and the red ports are switched within their respective groups.

2. Ordering Data


Product Name

Order Number





3. Application

SCALANCE S is used for access control to automation equipment and to protect data transmission in industrial environments. The security here is completely independent of the protocol, meaning that all IP-based (Layer 3) and MAC-based (Layer 2) communication can be protected. Lower-level networks are thereby secured in accordance with the cell protection concept. Secure data communication between automation systems and protection against espionage and manipulation is ensured by encrypting the data. SCALANCE S is designed for use in cabinets. The SCALANCE S627-2M in addition offers the possibility to securely couple a MRP/HRP ring on the green port with a MRP/HRP ring on the red port. It is furthermore now possible to connect and synchronize two devices for redundancy purposes (firewall, router, NAT) via the yellow port.

Customer benefits:

  • Access protection for any device in Ethernet networks.
  • Secure connection of a lower level network ring to the higher level network
  • Secure redundant connection of rings
  • Secure remote access via Internet (e.g. with a DSL modem) can be implemented
  • Integration into network management systems via SNMP (V1 + V3) is possible, thereby enabling integrated network diagnostics
  • Bridge-Mode or Double-NAT enables easy integration into existing networks; no terminal needs to be reconfigured and no new IP subnets must be introduced.
  • Use of private IP addresses in the internal network possible through NAT or NAPT (Network Address and Port Translation) functionality
  • Enables the use of fiber-optic technology
  • For use in industrial environments with robust, industry-compatible design

4. Technical Data



Connection of terminal devices or network components via twisted pair 

10/100/1000 Mbit/s (half / full duplex)



3x RJ-45 jacks with MDI-X assignment

2x media module slots for 2-port media modules resp.

Voltage supply

1x 4-pole plug-in terminal block

Signaling contact

1x 2-pole plug-in terminal block

Electrical Data

Supply voltage

24V DC (19.2 to 28.8 V)

•  redundant infeed

•  safety extra-low voltage (SELV)

Typical power consumption at 24V DC, 1000 Mbit/s

12.0 W w/o media modules / max. 2.5 W additional per media module

Max. current consumption at rated voltage

0.7 A

Permitted ambient conditions for SCALANCE S627-2M

Operating temp. (with mounting position):


Horizontal mounting rail (normal position):

-40 °C to +60 °C

All other positions (e.g. vertical mounting rail):

-40 °C to +50 °C

Storage / transport temperature:

-40 °C to +80 °C

Max. relative humidity during operation

95 % (non-condensing)

Please note: Some media modules can result in a reduction of the max. operating temp. (see data in user manual)!

Mechanical Design


Mounting options

• DIN rail 35 mm
• S7-300 mounting rail
• wall mounting

Dimensions (W x H x D) in mm

120 x 125 x 124

Weight in g



Radio interference level

EN 61000-6-4: 2007 

Noise immunity

EN 61000-6-2: 2005


IP 20



UL 60950 / CSA C22.2 No. 60950-00
UL 508 / CSA C22.2 No. 142

c-Ul-us for Hazardous Locations

UL 1604 Div. 2 or UL 2279 Zone 2


FM 3611


AS/NZS 2064


EN 61000-6-4, EN 61000-6-2

ATEX Zone 2 

EN 60079-15

MTBF (40 °C)

38.13 a



Security functions of SCALANCE S627-2M

  • Stateful Inspection Firewall

+ Globale firewall rules

+ User-specific firewall rules

  • Redundancy for firewall, router and NAT
  • Max. no. of IPSec-VPN connections:    128



Security information
In order to protect technical infrastructures, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art IT security concept. Siemens’ products and solutions constitute one element of such a concept. For more information about cyber security, please visit