Power Monitoring and Energy Automation NAM
This forum is created for the exchange of information and open dialogue regarding electrical power monitoring and energy automation products and services. Participants will have access to downloadable material as well as chat opportunities with subject matter experts.
Posted: 2022-02-05 10:04 AM
Can ION Setup be configured to take into consideration Port Forwarding rules on routers?
Scenario:
A Wireless Router with WAN IP of 10.10.10.10 and LAN IP of 192.168.1 is connected to two ION 8650 meters via ethernet.
Both meters are configured via ION Setup with IP addresses of 192.168.1.101 and 192.168.1.102, respectively.
ION number 1 is set to listen for SSH/SFTP traffic on port 22.
ION number 2 is set to listen for SSH/SFTP traffic on port 22.
When connecting remotely to the meter via SSH/SFTP, a WAN IP address of 10.10.10.10 is used.
The router, by default, listens for SSH/SFTP traffic on port 22 and a port forwarding rule must be used to forward the traffic to the meters.
The Port Forwarding Rules look like this for SSH/SFTP:
ION-1 --- 10.10.10.10:2201 ---> 192.168.3.101:22
ION-2 --- 10.10.10.10:2202 ---> 192.168.3.102:22
It appears that ION Setup utilizes the value read from the meter configuration and uses that value when attempting a connection to the meter certificate server. Currently, there is no way to update ION Setup to use a different port after the connection is made and a third party application must be used to remotely manage SSL certificates in the meters.
Maybe a new Protocol Tab under Device Properties in Network Viewer mode that sets the ports to be used for that particular meter could be implemented?
Posted: 2022-02-06 02:17 PM
Hi Bill,
Have you tried changing the IP Port on the meter? If you set SSH/SFTP to listen to IP Port 2201 on the meter, ION Setup will detect the change. Set the Meter IP Port to match the IP Port setup in your port forwarding rules.
What I can't confirm is if ION Setup uses the IP address used to connect, or if it's reading the IP Address for the communication module when it tries to setup the SFTP connection.
The IP port setup can be viewed in the Ethernet connection modules under Setup Registers. Depending on how your GUI is set up, these values are present. We can also work with you to adjust the files so that it shows up in the setup assistant.
Posted: 2022-02-07 08:30 AM
The issue is that our Port Forwarding rules are not set up like that. In order to support that, I would need unique configurations at every site that has more than one meter, not to mention the need to update the rules on 7000+ routers to make this work. The SSH/SFTP is really the only protocol that has this issue and it is because IONSetup isn't aware of the Port Forward rules.
Maybe a new Wizard could be added under Tools-->Diagnostics-->Tools for Certificate Management that would allow for the connection with a custom port number?
Posted: 2022-02-09 09:36 AM
I'll best try and describe the issues here and possible future solutions. Presently the latest ION Setup is designed as a convenience to read how to transfer various files (web/IO upgrade, CID, COMTRADE, etc.) and in those instances where FTP/SFTP are utilized, it would communicate to the device and determine what IP Port the device is using. This allows when the device is set to a different port # than the expected standard port and will allow software to learn that port # directly from the device and connect using that port.
Ex. You can remap the SFTP port # the device uses to say port 44 instead of 22 for SSH and ION Setup would then open port 44 for SSH use.
However, this does NOT help in the instances I think you are speaking of when an intermediate device (router) is used to port forward to another port # which is located behind say a firewall.
Ex. ION Setup PC <=> Port X => Router <=> Port Y <=> Meter.
So to try and address this we need to tackle 2 issues.
In the instance where only the PC <=> Router requires a specific port # to be used, we could add a new default SFTP (or FTP) registry entry to allow users to specify which port # to use.
Ex. SFTPPortNumber = 44
That would allow where a router is being used to port forward. However, I would likely have to put in some restrictions on its use so that the device could not be set to a different port # other than either the default port or the identical port #. In the above example, the device SFTP port # would have to be either the default 22 or set to 44. The reason being that at some point, ION Setup would have to use the assigned port # given to the meter where there is no port forwarding.
Another drawback with the above solution would be that all sites for that ION Setup would have to use the identical port # (i.e. all of your N routers in your system would have to be using the same port forwarding port #).
The only other means to do this would be to allow individually assigning each device a specific SFTP/FTP port # to be used from the software side.
Alternatively a user could use any SFTP/FTP software to do the transfers themselves although it isn't as convenient and in some cases like upgrade there is no feedback via those client software.
If everyone thinks the above is an acceptable solution, I'll try and implement something in an upcoming update.
By the way, we've also implemented a custom solution for the exact same issue for the ION Port but have done so for each device. In the network viewer, you will now be able to specify the protocol type when specifying a custom port number (ex. if say you have port forwarding on port 5500 => 7700, you will be able to specify whether that 5500 is ION or the upcoming TLS if supported by the firmware).
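The port-selection logic Robert describes (learn the SFTP port from the device, optionally override it with a single SFTPPortNumber registry value, and require the device's own port to be either the default or the override), run against Bill's two-meter scenario from the first post, as an added Python example. This is not ION Setup's code; the Meter record, the function names, and the assumption that SFTPPortNumber is a value stored directly under the quoted registry key are mine. The model reproduces the mismatch Bill reported and the "all routers must forward the same port" limitation Robert points out.

```python
"""Model of how ION Setup chooses the SFTP port, per this thread.

Added example, not ION Setup's own code. The Meter record, the function
names and the reading of SFTPPortNumber as a value under the quoted key
are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_SFTP_PORT = 22

# Registry location quoted in the thread (HKLM hive). The value name is
# assumed to sit directly under this key.
REG_KEY = r"SOFTWARE\WOW6432Node\Schneider Electric\ION Setup\3.2"
REG_VALUE = "SFTPPortNumber"


@dataclass
class Meter:
    name: str
    lan_ip: str
    device_port: int                      # SFTP port programmed in the meter
    forwarded_port: Optional[int] = None  # router WAN port forwarding to it, if any


def read_registry_override() -> Optional[int]:
    """Return SFTPPortNumber from the registry on Windows, else None.

    Uses only winreg.OpenKey / winreg.QueryValueEx; on non-Windows hosts
    the import fails and the function reports no override.
    """
    try:
        import winreg  # Windows-only standard library module
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, REG_VALUE)
            return int(value)  # works for both REG_DWORD and REG_SZ
    except (OSError, ValueError):
        return None


def resolve_sftp_port(meter: Meter, registry_port: Optional[int]) -> int:
    """Port the software dials: the override when present, else the port
    learned from the device (the behaviour that breaks behind a router)."""
    if registry_port is not None:
        return registry_port
    return meter.device_port


def check_configuration(meter: Meter, registry_port: Optional[int]) -> List[str]:
    """List the inconsistencies for one meter; empty means it should work."""
    problems = []
    dialled = resolve_sftp_port(meter, registry_port)

    # Behind a port-forwarding router the software must dial the router's
    # WAN port, not whatever the meter reports about itself.
    if meter.forwarded_port is not None and dialled != meter.forwarded_port:
        problems.append(
            f"{meter.name}: ION Setup would dial port {dialled}, but the router "
            f"only forwards {meter.forwarded_port} to {meter.lan_ip}")

    # Robert's stated restriction when an override is in use: the meter's own
    # port must be the default or identical to the override. The thread does
    # not spell out any further direct-link behaviour, so nothing else is modelled.
    if registry_port is not None and meter.device_port not in (DEFAULT_SFTP_PORT, registry_port):
        problems.append(
            f"{meter.name}: device port {meter.device_port} must be "
            f"{DEFAULT_SFTP_PORT} or match the override {registry_port}")
    return problems


def audit_site(meters: List[Meter], registry_port: Optional[int]) -> List[str]:
    """Flatten the checks for every meter at a site."""
    return [p for m in meters for p in check_configuration(m, registry_port)]


if __name__ == "__main__":
    # Bill's scenario: one router, WAN port 2201/2202 forwarded to two meters on 22.
    site = [Meter("ION-1", "192.168.1.101", 22, 2201),
            Meter("ION-2", "192.168.1.102", 22, 2202)]
    print("No override:", audit_site(site, None))        # both meters flagged
    print("Override 2201:", audit_site(site, 2201))     # only ION-2 flagged
    print("Registry on this host:", read_registry_override())
```

A single override can only satisfy one forwarded port per install, which is exactly the constraint Bill hits with 7000+ routers; the audit function makes that visible before a field technician starts an upgrade that would silently connect to the wrong meter or time out.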
Posted: 2022-02-18 04:34 AM
@Robert_Lee Thanks for the detailed reply. Currently, our only solution is to utilize a third party sftp/ftp file transfer utility or directly connect to the ethernet port.
With the myriad of possible network configurations, it would probably be best for the end user to manage this from the router side and have a numerical equivalent port to port forwarding rule to support the sftp/ftp data connections.
I would like to point out, that at some point, TLS certificate management at an Enterprise level will become an issue and there is currently no way, that I am aware of, to manage this via PME or other Schneider supported applications. Is there any ongoing conversation about supporting TLS certificate management at an Enterprise level?
Posted: 2022-02-22 10:48 AM
Hi Bill,
I've gone ahead and made the preliminary changes to the next update of ION Setup which should be released next week so you should be able to try it out then.
After installation, if you use RegEdit with an admin level account, you should see a new registry key located in:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Schneider Electric\ION Setup\3.2
SFTPPortNumber
default value should be 22
You should be able to modify it to the common port number that your routers use and I would recommend that you leave the meter's programmed one at 22 (or if you have to modify it, switch it to match the one used by the router). Any other number will likely make ION Setup connect to the wrong port number.
If this becomes an issue down the road, we'd likely have to make a change to the UI someplace to allow individual port designation which will likely get very messy.
As for the enterprise handling of certificates, Schneider is indeed looking at how that can be easily managed at the corporate level and it is very unlikely ION Setup will be doing this.
It is more likely that this will become a future enhancement to EcoStruxure Cybersecurity Admin Expert (CAE) Security Administration Tool. That team is aware of our need for an enterprise wide solution for certificate management and are looking into how to best handle that for metering products.
https://www.se.com/ww/en/product-range/63515-ecostruxure-cybersecurity-admin-expert/
Posted: 2022-03-07 04:52 AM
Downloading the latest .exe now. Appreciate the fast response and the information on the EcoStruxure Cybersecurity Admin Expert. It looks very promising from an enterprise security management perspective.