Issue
Using a VPN with I/A Series Niagara Systems
Product Line
TAC IA Series
Environment
I/A Series Systems
Cause
A VPN's purpose is to provide a secure and reliable private connection between computer networks over an existing public network, typically the Internet.
Resolution
What is a VPN?
"Virtual Private Network" or VPN is a mechanism to extend a private network across a public network such as the Internet. A VPN creates a point-to-point connection or "tunnel" across the Internet between two computers. The tunnel encrypts the data between VPN endpoints, preventing data from being deciphered without the required encryption keys.
Why use a VPN?
A VPN provides an additional layer of security for your Niagara system without compromising your ability to access Niagara. A VPN can help protect your Niagara system from Internet-based attacks by requiring an additional layer of authentication before Niagara resources can be reached, and it can prevent automated Internet port-scanning tools from detecting the Niagara system.
How can I set up a VPN?
The document Using a VPN with Niagara Systems, available for download, describes how to use an Internet Security Gateway to provide VPN access to your ENC/JACE.
In addition, the document describes setting up a VPN using a ZyWALL gateway. The ZyWALL USG-20 unified security gateway (from ZyXEL) is a cost-effective device that you can add to an existing installation to provide VPN server capability.
IMPORTANT NOTE: The information in this document is based on the assumption that the only IP devices on the network are Niagara devices. If Niagara devices share a network with other devices (such as a corporate LAN), DO NOT follow the approach described in the following pages. Instead, work with the customer’s IT department to determine the best method to protect both the Niagara and corporate systems while providing required access to the Niagara systems.
In any scenario, if the VPN is installed or configured improperly, you can expose devices to the public Internet. If you are unsure about how to best configure and test your configuration, please consult an IT expert.
Frequently Asked Questions
I already use SSL, do I still need to use a VPN?
The use of a VPN is still recommended as an additional layer of security. Attacks can come from both inside and outside of your network.
Once I set up a VPN, do I still need to use SSL?
Yes. The VPN only provides encryption between the VPN endpoints – the VPN client and server. Traffic from the VPN endpoint to and from the Niagara Station is not encrypted unless SSL is used.
I’m running AX 3.6 or earlier without SSL support – should I still install a VPN?
Yes. The VPN still helps protect against Internet-based attacks on your system.
Do I still need a firewall?
Yes. You should set up firewall rules to restrict Internet access to the VPN server port only. You should also consider setting up rules with the VPN server to restrict VPN access to only the required IP addresses and ports. For example, there may be non-Niagara devices on the LAN, but the VPN should be configured to only allow access to the Niagara systems. Additionally, you should only allow access to required Niagara services.
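The two rule sets recommended above, an Internet-facing filter that admits only the VPN listener and a VPN-side filter that admits clients only to Niagara hosts and services, can be modelled as a small first-match packet policy. This is an added illustration, not the article's or ZyXEL's configuration syntax; the addresses are constructed, and the port numbers (500/4500 UDP for an IPsec listener, 1911/4911 TCP for Fox/Foxs, 443 TCP for HTTPS) are assumptions to be checked against your own installation.

```python
"""Model of the firewall policy the article recommends (added example).

Assumptions, not taken from the article:
  - the VPN gateway terminates IPsec, so the Internet-facing listener is
    UDP 500 (IKE) and UDP 4500 (NAT-T);
  - Niagara services needed by remote users are Fox 1911/tcp,
    Foxs 4911/tcp and HTTPS 443/tcp;
  - all addresses below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str                      # "internet" or "vpn"
    dst_net: ipaddress.IPv4Network
    proto: str                         # "tcp" or "udp"
    ports: frozenset
    action: str                        # "accept" or "drop"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_ip: str
    proto: str
    dst_port: int


def rule(src_zone, dst_net, proto, ports, action="accept"):
    return Rule(src_zone, ipaddress.ip_network(dst_net), proto,
                frozenset(ports), action)


VPN_SERVER = "203.0.113.10"      # constructed public address of the gateway
NIAGARA_HOSTS = "10.20.0.0/24"   # constructed LAN range holding the ENC/JACEs
OTHER_DEVICES = "10.20.1.0/24"   # constructed range of non-Niagara LAN devices

# First matching rule wins; anything unmatched falls through to DEFAULT_ACTION.
POLICY = [
    # Firewall: the Internet may reach only the VPN listener on the gateway.
    rule("internet", f"{VPN_SERVER}/32", "udp", {500, 4500}),
    # VPN server: clients may reach only Niagara services on Niagara hosts.
    # OTHER_DEVICES is deliberately absent, so it stays unreachable.
    rule("vpn", NIAGARA_HOSTS, "tcp", {1911, 4911, 443}),
]
DEFAULT_ACTION = "drop"


def evaluate(policy, pkt):
    """Return the action the policy takes for one packet."""
    ip = ipaddress.ip_address(pkt.dst_ip)
    for r in policy:
        if (r.src_zone == pkt.src_zone and ip in r.dst_net
                and r.proto == pkt.proto and pkt.dst_port in r.ports):
            return r.action
    return DEFAULT_ACTION


def reachable_from(policy, zone):
    """Everything a zone can reach: the surface a port scan from that zone
    would see. Useful for confirming that only the VPN port is exposed."""
    return {(str(r.dst_net), r.proto, p)
            for r in policy if r.src_zone == zone and r.action == "accept"
            for p in r.ports}


if __name__ == "__main__":
    for pkt in (Packet("internet", VPN_SERVER, "udp", 4500),
                Packet("internet", VPN_SERVER, "tcp", 1911),
                Packet("vpn", "10.20.0.5", "tcp", 1911),
                Packet("vpn", "10.20.1.7", "tcp", 443)):
        print(pkt, "->", evaluate(POLICY, pkt))
    print("exposed to the Internet:", sorted(reachable_from(POLICY, "internet")))
```

The point of `reachable_from` is the check a practitioner wants after configuring the gateway: the Internet-facing surface should contain nothing but the VPN listener, and the VPN-side surface should list only Niagara hosts and services.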
Will a VPN affect LAN access to ENC/JACEs?
No. LAN access to the Niagara devices remains the same as always. VPN only affects the ability to reach Niagara devices from external networks such as the Internet.
If I use a VPN, will Niagara HTTP, Fox, and Platform tunneling work?
Tunneling works normally over a VPN. You will need to update the IP address assignments so that they match the addresses used on the VPN network.
What is the impact of VPN on Niagara Networking?
Niagara Networking between systems on the LAN still functions the same whether or not there is a VPN installed.
When I connect to a VPN, do I lose all other network connectivity?
While your VPN client is connected to the remote VPN network, your Workbench (client) PC will have a new "Default Gateway" to allow you to make connections to stations on the VPN network. Typically, this happens without your knowledge and is mostly transparent. The change is undone after disconnecting from the VPN, and re-done when you reconnect.
However, while you are connected to the VPN network, if your Workbench (client) PC tries to connect to sites on the public Internet or on any other network through any router, you will find that you cannot reach those sites.
If you must be able to reach those sites while connected to the VPN network, you will need to add static routes (temporary or permanent) to your Workbench PC’s TCP/IP configuration. The setting of those routes is beyond the scope of this document because they are specific to your PC’s network, your VPN network, and any other networks you try to reach.
It is possible (but unlikely) that you cannot resolve these routing issues. This may happen if one or more of these networks have overlapping addresses. Consult with a TCP/IP expert if necessary.
Likewise, if you use L2TP, PPPoE, PPTP, or PPP for any part of your underlying network connection, the VPN client will probably conflict with it. Specifically, Windows only allows one connection of these four protocol types to be active at any given time.
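The routing behaviour described in this answer (a new default gateway appearing while the VPN is up, Internet sites becoming unreachable, static routes restoring them, and overlapping address ranges that cannot be fixed by routing) can be traced through with a small longest-prefix-match model. This is an added example, not part of the original article; the LAN (192.168.1.0/24), the VPN virtual adapter (10.8.0.0/24) and the remote Niagara network (10.20.0.0/16) are constructed sample values.

```python
"""Routing-table model of a Workbench PC before and after a VPN connects
(added illustration, not part of the original article).

Assumptions, not taken from the article:
  - LAN 192.168.1.0/24 with gateway 192.168.1.1 on interface "Ethernet";
  - the VPN client creates a virtual adapter on 10.8.0.0/24 with gateway
    10.8.0.1 and pushes a route for the remote Niagara network 10.20.0.0/16
    plus a new default route with a better (lower) metric;
  - 203.0.113.0/24 stands in for an Internet site the user still needs.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


def make_route(net, gateway, interface, metric=10):
    return Route(ipaddress.ip_network(net), gateway, interface, metric)


# The PC's table before the VPN client connects.
LAN_ROUTES = [
    make_route("0.0.0.0/0", "192.168.1.1", "Ethernet"),
    make_route("192.168.1.0/24", "0.0.0.0", "Ethernet"),   # directly attached
]


def connect_vpn(routes):
    """Table after a typical VPN client connects: the tunnel adapter, the
    remote Niagara network, and the new default gateway the article mentions."""
    return routes + [
        make_route("10.8.0.0/24", "0.0.0.0", "VPN"),
        make_route("10.20.0.0/16", "10.8.0.1", "VPN"),
        make_route("0.0.0.0/0", "10.8.0.1", "VPN", metric=1),
    ]


def select_route(routes, dst):
    """Longest-prefix match; ties are broken by the lowest metric."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop_interface(routes, dst):
    r = select_route(routes, dst)
    return r.interface if r else None


def add_static_route(routes, net, gateway, interface):
    """The temporary or permanent static route the article suggests for
    sites that must stay reachable while the VPN is up."""
    return routes + [make_route(net, gateway, interface, metric=5)]


def networks_overlap(local_net, remote_net):
    """True when the two ranges overlap: the case the article says routing
    may not be able to resolve, because a more specific route cannot
    separate two networks that share the same prefix."""
    return ipaddress.ip_network(local_net).overlaps(ipaddress.ip_network(remote_net))


if __name__ == "__main__":
    vpn = connect_vpn(LAN_ROUTES)
    print("Internet site before VPN:", next_hop_interface(LAN_ROUTES, "203.0.113.5"))
    print("Internet site during VPN:", next_hop_interface(vpn, "203.0.113.5"))
    fixed = add_static_route(vpn, "203.0.113.0/24", "192.168.1.1", "Ethernet")
    print("Internet site with static route:", next_hop_interface(fixed, "203.0.113.5"))
    print("LAN and remote overlap:", networks_overlap("192.168.1.0/24", "192.168.1.0/24"))
```

The model shows why Internet sites disappear (the VPN's default route wins on metric, and the VPN server does not forward them), why a static route for the site's prefix restores them (a /24 beats the /0 default regardless of metric), and why overlapping networks are a different problem: no prefix length distinguishes two identical ranges, which is the case where the article advises consulting a TCP/IP expert.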
What is the impact on Single Sign On?
You will need to define the SSO Domain and the hosts of the SSO Domain in your Workbench PC’s "hosts" file or default DNS server. The DNS server of the VPN will not be able to provide name services without changing your Workbench PC’s TCP/IP configuration.
I use Dynamic DNS, can I still use a dynamic DNS provider with VPN?
Yes. You will need to register the IP address of the VPN gateway and firewall with the DDNS provider.
What is the impact of VPN on my system performance?
Impact on performance should be minimal. It does take a little longer to set up the connection.