Using a VPN with I/A Series Niagara G3 Systems


Product_Support
2018-09-11 08:25 AM

Last Updated: RandyDavis 2023-09-06 10:26 AM

Issue

Using a VPN with I/A Series Niagara Systems

Product Line

TAC IA Series

Environment

I/A Series Systems

Cause

A VPN's purpose is to provide a secure and reliable private connection between computer networks over an existing public network, typically the Internet.

Resolution

What is a VPN?

"Virtual Private Network" or VPN is a mechanism to extend a private network across a public network such as the Internet. A VPN creates a point-to-point connection or "tunnel" across the Internet between two computers. The tunnel encrypts the data between VPN endpoints, preventing data from being deciphered without the required encryption keys.

Why use a VPN?

A VPN provides an additional layer of security to your Niagara system without compromising your ability to access Niagara. It can help protect your Niagara system from Internet-based attacks by requiring an additional layer of authentication to access Niagara resources, and it can prevent automated Internet port scan tools from detecting the Niagara system.

How can I set up a VPN?

The following document describes how to use an Internet Security Gateway to provide VPN access to your ENC/JACE. Click on the link to download "Using a VPN with Niagara Systems" for more details.

In addition, the document describes setting up a VPN using a ZyWALL gateway. The ZyWALL USG-20 unified security gateway (from ZyXEL) is a cost-effective device that you can add to an existing installation to provide VPN server capability.

IMPORTANT NOTE: The information in this document is based on the assumption that the only IP devices on the network are Niagara devices. If Niagara devices share a network with other devices (such as a corporate LAN), DO NOT follow the approach described in the following pages. Instead, work with the customer’s IT department to determine the best method to protect both the Niagara and corporate systems while providing required access to the Niagara systems.

In any scenario, if the VPN is installed or configured improperly, you can expose devices to the public Internet. If you are unsure about how to best configure and test your configuration, please consult an IT expert.


Frequently Asked Questions

I already use SSL, do I still need to use a VPN?
The use of a VPN is still recommended as an additional layer of security. Attacks can come from both inside and outside of your network.

Once I set up a VPN, do I still need to use SSL?
Yes. The VPN only provides encryption between the VPN endpoints – the VPN client and server. Traffic from the VPN endpoint to and from the Niagara Station is not encrypted unless SSL is used.

I’m running AX 3.6 or earlier without SSL support – should I still install a VPN?
Yes. The VPN still helps protect against Internet-based attacks on your system.

Do I still need a firewall?
Yes. You should set up firewall rules to restrict Internet access to the VPN server port only. You should also consider setting up rules with the VPN server to restrict VPN access to only the required IP addresses and ports. For example, there may be non-Niagara devices on the LAN, but the VPN should be configured to only allow access to the Niagara systems. Additionally, you should only allow access to required Niagara services.
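The firewall policy in this answer can be checked mechanically before a gateway goes live. The following is an added example, not part of the original article or the vendor's tooling: the rule format, the IPsec ports (UDP 500/4500), the station addresses and the choice of Foxs (4911) and HTTPS (443) as the only required services are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed site policy (constructed values, not taken from the article).
VPN_SERVER_PORTS = {("udp", 500), ("udp", 4500)}   # IPsec IKE and NAT-T
NIAGARA_HOSTS = {ipaddress.ip_address(a) for a in ("192.168.1.140", "192.168.1.141")}
NIAGARA_SERVICES = {("tcp", 4911), ("tcp", 443)}    # Foxs and HTTPS only

@dataclass(frozen=True)
class Rule:
    src_zone: str          # "WAN" (Internet) or "VPN" (authenticated tunnel users)
    dst: str               # "gateway" (the VPN server itself) or a CIDR on the LAN
    proto: str
    port: int
    action: str = "allow"

def only_niagara(cidr):
    """True when every address in the CIDR is a known Niagara station."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses <= len(NIAGARA_HOSTS) and all(a in NIAGARA_HOSTS for a in net)

def audit(rules):
    """Return (finding, rule) pairs for allow rules that break the policy."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        svc = (r.proto, r.port)
        if r.src_zone == "WAN":
            # Internet traffic may reach the VPN server port and nothing else.
            if r.dst != "gateway" or svc not in VPN_SERVER_PORTS:
                findings.append(("wan-exposed", r))
        elif r.src_zone == "VPN":
            # Tunnel users may reach Niagara stations only, on required services only.
            if r.dst == "gateway" or not only_niagara(r.dst):
                findings.append(("vpn-dest-too-wide", r))
            elif svc not in NIAGARA_SERVICES:
                findings.append(("vpn-service-not-required", r))
    return findings

# Constructed sample rule set: three compliant rules and three violations.
SAMPLE_RULES = [
    Rule("WAN", "gateway", "udp", 500),
    Rule("WAN", "gateway", "udp", 4500),
    Rule("WAN", "192.168.1.140/32", "tcp", 1911),   # Fox forwarded straight to the Internet
    Rule("VPN", "192.168.1.140/32", "tcp", 4911),
    Rule("VPN", "192.168.1.0/24", "tcp", 443),      # whole LAN, not just Niagara stations
    Rule("VPN", "192.168.1.141/32", "tcp", 3389),   # service Niagara does not need
]

if __name__ == "__main__":
    for finding, rule in audit(SAMPLE_RULES):
        print(finding, rule)
```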

Will a VPN affect LAN access to ENC/JACEs?
No. LAN access to the Niagara devices remains the same as always. The VPN only affects the ability to reach Niagara devices from external networks such as the Internet.

If I use a VPN, will Niagara HTTP, Fox, and Platform tunneling work?
Tunneling works normally over a VPN. You will need to update IP address assignments.

What is the impact of VPN on Niagara Networking?
Niagara Networking between systems on the LAN still functions the same whether or not there is a VPN installed.

When I connect to a VPN, do I lose all other network connectivity?
While your VPN client is connected to the remote VPN network, your Workbench (client) PC will have a new "Default Gateway" to allow you to make connections to stations on the VPN network. Typically, this happens without your knowledge and is mostly transparent. The change is undone after disconnecting from the VPN, and re-done when you reconnect.

However, while you are connected to the VPN network, if your Workbench (client) PC tries to connect to sites on the public Internet or on any other network through any router, you will find that you cannot reach those sites.

If you must be able to reach those sites while connected to the VPN network, you will need to add static routes (temporary or permanent) to your Workbench PC’s TCP/IP configuration. The setting of those routes is beyond the scope of this document because they are specific to your PC’s network, your VPN network, and any other networks you try to reach.

It is possible (but unlikely) that you cannot resolve these routing issues. This may happen if one or more of these networks have overlapping addresses. Consult with a TCP/IP expert if necessary.

Likewise, if you use L2TP, PPPoE, PPTP, or PPP for any part of your underlying network connection, the VPN client will probably conflict with it. Specifically, Windows only allows one connection of these four protocol types to be active at any given time.
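The routing behaviour described in this answer (new default gateway, static routes, overlapping addresses) can be modelled with a longest-prefix-match lookup. This is an added example, not part of the original article: the network addresses, the simplified routing table and the function names are assumptions for illustration.

```python
import ipaddress
from itertools import combinations

def vpn_table(local_lan, remote_lan, static_routes=()):
    """Simplified routing table of the Workbench PC while the VPN client is connected."""
    n = ipaddress.ip_network
    table = [
        (n("0.0.0.0/0"), "vpn"),        # new default gateway installed by the VPN client
        (n(remote_lan), "vpn"),         # Niagara network behind the VPN gateway
        (n(local_lan), "on-link"),      # the PC's own LAN
    ]
    table += [(n(net), via) for net, via in static_routes]
    return table

def lookup(table, dest):
    """Longest-prefix match: next hop of the most specific route covering dest."""
    dest = ipaddress.ip_address(dest)
    matches = [(net, via) for net, via in table if dest in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def find_overlaps(networks):
    """Return name pairs whose address ranges overlap; static routes cannot separate these."""
    parsed = {name: ipaddress.ip_network(cidr) for name, cidr in networks.items()}
    return [(a, b) for a, b in combinations(parsed, 2) if parsed[a].overlaps(parsed[b])]

if __name__ == "__main__":
    # Constructed addresses: PC on 10.0.0.0/24, Niagara site on 192.168.1.0/24,
    # another office network on 172.16.0.0/16 behind the local router 10.0.0.1.
    table = vpn_table("10.0.0.0/24", "192.168.1.0/24")
    print(lookup(table, "172.16.5.10"))   # sent into the tunnel, so unreachable
    table = vpn_table("10.0.0.0/24", "192.168.1.0/24", [("172.16.0.0/16", "10.0.0.1")])
    print(lookup(table, "172.16.5.10"))   # static route sends it to the local router
    print(find_overlaps({"local": "192.168.1.0/24", "remote": "192.168.1.0/24"}))
```

When `find_overlaps` reports the local and remote networks as a pair, a station address on the remote site is indistinguishable from a local address, which is the case the article describes as possibly unresolvable.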

What is the impact on Single Sign On?
You will need to define the SSO Domain and the hosts of the SSO Domain in your Workbench PC’s "hosts" file or default DNS server. The DNS server of the VPN will not be able to provide name services without changing your Workbench PC’s TCP/IP configuration.

I use Dynamic DNS, can I still use a dynamic DNS provider with VPN?
Yes. You will need to register the IP address of the VPN gateway and firewall with the DDNS provider.

What is the impact of VPN on my system performance?
Impact on performance should be minimal. It does take a little longer to set up the connection.
