ETIC SIG Series User manual
DOC_DEV_SIG_ User guide_A
SIG
VPN Server - Router - Firewall
_________________
USER GUIDE
_________________
DOC_DEV_SIG_ User guide_A Page 3
DECLARATION OF CONFORMITY
The manufacturer, ETIC Telecom –13 chemin du vieux chêne –38240 Meylan –France, Hereby declares
under sole responsibility that the listed devices conform to
-the Radio Equipment Directive (RED) 2014/53/UE,
-the Restriction of the use of certain Hazardous Substances (RoHS) Directive 2011/65/UE.
Type of device: VPN Server
Models:
SIG-E-400, SIG-A-400, SIG-EC-400
The harmonized standards to which these devices comply are:
Standard
Title
EN 61000-6-2 2006
Immunity:
EN61000-4-2 Electrostatic Discharge
EN61000-4-3 RF Radiated Immunity
EN61000-4-4 EFT/Burst Immunity
EN61000-4-5 Surge Immunity
EN61000-4-6 RF Conducted Immunity
EN61000-4-8 Power Frequency Magnetic Field Immunity
EN 61000-6-4 2007
A1/2011
Emission:
EN55022 Radiated and conducted emission
EN 301 489-1 V1.9.2
EN 301 489-3 V1.6.1
EN 301 489-7 V1.3.1
EN 301 489-17 V2.2.1
EN 301 489-24 V1.5.1
Radio - EMC
EN 301 511 V9.0.2
EN 301 908-1 V6.2.1
EN 301 908-2 V6.2.1
EN 300 328 V1.9.1
EN 301893 V1.8.1
Radio - Spectrum
EN 60950-1/A2 2014
EN 62311 2008
Safety and Health
Date : 18th October 2017
Philippe Duchesne
Technical Director
TABLE OF CONTENTS
DOC_DEV_SIG_ User guide_A Page 5
OVERVIEW.....................................................................................................................................7
1Purpose of this manual .................................................................................................................................... 7
2Products Identification ..................................................................................................................................... 7
3Specifications.................................................................................................................................................... 8
4Product overview ............................................................................................................................................11
4.1 Applications ......................................................................................................................................... 11
4.2 Main functions..................................................................................................................................... 12
INSTALLATION ...........................................................................................................................15
1Description ...................................................................................................................................................... 15
1.1 Dimensions .......................................................................................................................................... 15
1.2 Front panel ........................................................................................................................................... 15
1.3 Rear panel ............................................................................................................................................ 16
1.4 Connectors........................................................................................................................................... 16
1.5 Push-buttons........................................................................................................................................ 17
1.6 LED indicators......................................................................................................................................18
2Safety instructions.......................................................................................................................................... 19
3Cooling............................................................................................................................................................. 19
4Earthing ........................................................................................................................................................... 19
5Connecting to the ADSL line........................................................................................................................... 20
6Connecting the to the cellular network.......................................................................................................... 21
6.1 Pre-installation checks........................................................................................................................ 21
6.2 Antenna ................................................................................................................................................ 21
6.3 Coaxial cable........................................................................................................................................21
6.4 Cellular service subscription............................................................................................................... 22
6.5 Installing or removing the SIM card.................................................................................................... 22
6.6 Controlling the conformance of the connection................................................................................ 23
PREPARING THE SETUP............................................................................................................25
1Connecting a PC for configuration ................................................................................................................ 25
1.1 Overview............................................................................................................................................... 25
1.2 First configuration ............................................................................................................................... 26
1.3 Changing the configuration later ........................................................................................................ 26
2Access to the administration server through the WAN interface ................................................................ 27
3Working with HTTPS.......................................................................................................................................27
4Temporary return to the factory settings ...................................................................................................... 28
5Restoring the factory settings........................................................................................................................ 28
6Protecting the access to the administration server...................................................................................... 29
7Configuration steps ........................................................................................................................................ 29
OVERVIEW
DOC_DEV_SIG_ User guide_A Page 7
OVERVIEW
1Purpose of this manual
The present user guide describes the features and the installation of the SIG hardware version which is an
Industrial VPN Server. The commissioning of the virtual VPN server version is described in another document.
In the rest of the document the term "SIG" is used to designate the product.
2Products Identification
This family of Industrial VPN Server consists of these models:
SIG-E-400, SIG-A-400, SIG-EC-100
The main features are summarized below:
Models
SIG-
E-400
A-400
EC-400
WAN Ethernet
•
•
WAN ADSL
•
WAN Cellular
(-HG, -HW : 3G+, -LE : 4G)
•
LAN Ethernet 10-100 Mb/s
4
4
4
USB
•
•
•
Link redundancy
•
Power supply VAC
110-230
110-230
110-230
2 SIM card reader
•
OVERVIEW
Page 8 DOC_DEV_SIG_ User guide_A
3Specifications
General characteristics
Dimensions
With feet: 50 X 220 X 220 mm (h, l, p)
Without foot: 44 X 220 X 220 mm (h, l, p)
Weight
Max 0.65 kg
Casing
Metallic
IP20 –IEC60529
Temperature
Non-operating: -40°/ + 85°C
Operating: -20°/ + 60°C (fanless)
Humidity
10 to 95 % relative (non-condensing)
Power supply
110 to 230 VAC
Consumption
SIG-E : 2W
SIG-A, SIG-C et SIG-EC : 5W
EMC
Immunity EN61000-6-2:
EN61000-4-2 : ESD : 4 kV contact –8kV air
EN61000-4-3 : RF - radiated: 10V/m < 2 GHz
EN61000-4-4 : Burst
EN61000-4-5 : Surge : 4KV line / earth
EN61000-4-6 : RF - conducted
EN61000-4-8 : Magnetic fields
Emission EN61000-6-4:
EN 55022: RF - conducted and radiate
Electrical safety
EN 60950-1
Hazardous substances
2011/65/UE (RoHS)
REACH
OVERVIEW
DOC_DEV_SIG_ User guide_A Page 9
WAN network
Ethernet
RJ45
Auto : 10/100 full & half duplex MDI/MDI-X
ADSL
ADSL2+ and RE-ADSL
ITU G992.5 (ADSL2+ and Reach Extended ADSL)
Max data rate : UL : 1 Mbps, DL : 24 Mbps
PPPoE : PPP over Ethernet
PPPoA : PPP over ATM
EoA : Ethernet over ATM RFC2684 Bridged
IPoA : Routed IP over ATM, RFC2684 Routed
4G/3G+
-LE : 4G LTE Europe
LTE bands: B1, B2, B3, B4, B5, B7, B8, B20
UMTS bands: B1, B2, B5, B8
GSM bands: 850/900/1800/1900
-CH : 4G LTE China
LTE bands: B1, B3, B8, B38, B39, B40, B41
UMTS bands: B1, B5, B8, B9
GSM bands: 900/1800
-HG : 3G+ HSPA worldwide (except. North America)
UMTS bands: B1, B2, B5, B8
GSM bands: 850/900/1800/1900
-HW : 3G+ HSPA worldwide
UMTS bands: B1, B2, B4, B5, B6, B8, B19
GSM bands: 850/900/1800/1900
Max data rate 4G: UL @ 50 Mbps and DL @ 100Mbps
Max data rate 3G+: UL @ 5,7 Mbps and DL @ 21 Mbps
Max data rate 2G: UL @ 237 Kbps and DL @ 237 Kbps
Antenna connector female SMA
LAN network
Ethernet
RJ45 : 4 ports
Auto : 10/100 full & half duplex MDI/MDI-X
Routing / @IP /
IP Routing
Routing tables
Static routes
RIP or OSPF
Address translation (DNAT, SNAT, NAT 1:1)
IP@ assignment
WAN interface: DHCP client or fixed IP
LAN interface: DHCP server
DNS
WAN interface: compatible with DYNDNS, No-IP or ETIC DNS
LAN interface: relay & server
Redundancy
VRRP RFC 3768 protocol
Multi WAN for backup on some SIG models
OVERVIEW
Page 10 DOC_DEV_SIG_ User guide_A
Security
VPN tunnel
OpenVPN (TLS/SSL), IPSEC, L2TP/IPSEC, PPTP
Shared key or X509 certificate
Encryption 3DES & AES 128-192-256
Authentication: MD5 & SHA-1
Up to 100 VPN tunnels
(mix OpenVPN IPSEC allowed)
Firewall
Stafeful packet inspection (SPI: 50 rules)
IP@ and ports filtering
Remote access
Up to 25 remote users
RAS access: Login & Password and Certificate (optional)
Customizable LAN machine network access rights
Log
Timestamped
Events: connection, restart, alarms
Divers
SNMP
Supported MIBs:
RFC1213-MIB (MIB-2)
ADSL-LINE-MIB
SNMP traps
Configuration
Web server
Management
Save and restore configurations
Reset product to return to factory configuration
OVERVIEW
DOC_DEV_SIG_ User guide_A Page 11
4Product overview
The SIG is both a VPN server, a router, a firewall and a remote access server for industrial applications.
It is designed to connect industrial machines on an intranet or the Internet with a high level of security.
It provides depending on model:
•SIG-E : A WAN Ethernet interface
•SIG-A : An ADSL modem
•SIG-EC : A WAN Ethernet interface and a 3G/4G cellular modem
4.1 Applications
High security remote control system up to 100
sites
The SIG connects up to 100 sites using VPNs
with a high level of security.
.
High availability
The SIG manages backup links. Fr example, a
remote site equipped with an ADSL router with
3G backup. In case of failure of the ADSL line,
the VPN will be restored by the cellular
network.
In addition, 2 SIG can work in redundancy
mode. In case of failure of the first one, the
second SIG will take over autoùmatically.
Remote access server for remote operation
A remote user can connect to any device in the
system using a PC, tablet or a smartphone.
His access rights may be limited according to
his identity.
Traffic filtering (Firewall)
OVERVIEW
Page 12 DOC_DEV_SIG_ User guide_A
4.2 Main functions
IPSec VPN and OpenVPN VPN for safety
VPN connection guarantees a high level of performance and security:
Transparency: The VPN interconnects the two networks so that any machine in one network can
communicate with a machine on the other network.
Authentication: The router that establishes the VPN is authenticated by the one that accepts it and any
other connection is rejected.
Confidentiality: Data traffic via the VPN is encrypted.
The SIG allows the simultaneous establishment of IPSec and OpenVPN tunnels (100 in total).
Although the SIG is designed to perform the VPNs concentrator function (also known as VPN server), it can
either behave as a server or as a VPN client.
The SIG provides 4 independant OpenVPN servers. Each of these OpenVPN servers can be set differently to
meet the technical requirements (key refresh period, type of encryption ...).
The IPSec setting can be different for each VPN.
These different characteristics make it possible to accept OpenVPNs or IPSec VPNs originating from routers
of different manufacturers and also to take into account backup paths in order to build high availability remote
control systems.
Remote access server for PCs, tablets and smartphones
The SIG can also behave like a remote access server.
If he is registered in the user list, a remote user can access to particular devices of a machine network
depending on his identity.
The new HTTPS portal make possible to access easily and safely to HMIs or PLCS web servers using a tablet,
a PC or a smartphone.
IP router
The SIG provides powerful, flexible and comprehensive solutions to route IP packets from one network to other
networks :
Static routes, to reach nested networks,
Network address translation d‘adresse (NAT, DNAT, port forwarding),
Routing protocol (RIP),
Domain name management DNS et DynDNS.
Firewall
The firewall protects against the sophisticated attacks coming from the Internet.
It is also able to filter IP frames between the WAN interface or any VPN interface on one hand, and the LAN
interface on the other hand.
OVERVIEW
DOC_DEV_SIG_ User guide_A Page 13
VRRP redundancy
VRRP makes possible to use two routers shaping a redundant solution.
Automatic backup of a private VPN network over the cellular network
The SIG-EC provides a WAN Ethernet interface and a cellular interface. It is designed for critical industrial
remote SCADA systems.
In normal situation the data are transmitted via the main interface (usually the WAN Ethernet).
In case of a failure the data are transmitted via the backup interface (usually the cellular one).
SNMP
The SIG is an SNMP agent; it complies with the MIB2 standard and transmits an SNMP trap when configurable
events occur.
DNS
DNS makes it possible to assign Internet names to devices or organizations independently of their public IP
address.
The SIG behaves like a DNS server for the devices connected to the LAN.
DHCP server
On the LAN interface, the SIG can behave like a DHCP server.
Configuration
The SIG is configured using an HTML browser (HTTP or HTTPS).
EticFinder
The ETICFinder software can easily detect all ETIC branded products connected to an Ethernet network to
display their MAC address and their IP address.
INSTALLATION
DOC_DEV_SIG_ User guide_A Page 15
INSTALLATION
1Description
1.1 Dimensions
1.2 Front panel
SIG-E-400
SIG-EC-400
SIG-A-400
USB
Ethernet
WAN
Ethernet LAN
Push button B1
Ethernet LAN
USB
Ethernet
WAN
Cellular
SIM
cards
Push button B1
Ethernet LAN
USB
ADSL
Push button B1
220 mm
44 mm
6 mm
220 mm
INSTALLATION
Page 16 DOC_DEV_SIG_ User guide_A
1.3 Rear panel
1.4 Connectors
Ethernet RJ45 connector
Position
Signal
Function
RJ45
1
Tx +
Emission polarity +
2
Tx -
Emission polarity -
3
Rx +
Reception polarity +
4
N.C
-
5
N.C
-
6
Rx -
Reception polarity -
7
N.C.
-
8
N.C.
-
SIG-EC-400
Antenna connectors
Antenna
Network
Type
Observation
CEL
Cellular
SMA female
3G et 4G
AUX
Cellular
SMA female
To improve the 4G transmission data rate, 2 antennas can be
connected.
SIG-A-400
ADSL RJ45 connector
Position
Signal
Function
RJ45
1
N.C.
-
2
N.C.
-
3
N.C.
-
4
TIP
ADSL line
5
RING
ADSL line
6
N.C.
-
7
N.C.
-
8
N.C.
-
Power connector 110–230 V
AC
Push button B2
INSTALLATION
DOC_DEV_SIG_ User guide_A Page 17
1.5 Push-buttons
Front panel push-button B1
Pressing the PB
LED
Function
10 seconds
5 flashes
The hotline of ETICTELECOM is authorized to connect remotely
to the router administration server within 1 hour delay.
Rear panel push-button B2
Pressing the PB
LED
Function
During operation
Flashing red
Temporary return to the factory configuration.
(IP address 192.168.0.128)
The current configuration is not lost.
During power-up
Flashing red
Return to the factory configuration.
The current configuration is deleted except if it has been saved
into a file.
INSTALLATION
Page 18 DOC_DEV_SIG_ User guide_A
1.6 LED indicators
LED indicators
Depending on models
Function
LED
Description
Operation
Off Power off
Steady green The unit is ready
Slow blinking green The unit is busy
Steady red Startup (30s) –Hardware or software failure or SIM card missing
or memory flash drive missing
Fast blinking red Firmware download in progress
Application
alarm
Reserved
ADSL
connection
DSL
Off ADSL interface disabled
Flashing 4 s ADSL signal not detected / Line not connected
Slow blinking 2 s Connection in progress 1st step (adsl)
Fast blinking 0,5 s Connection in progress 2nd step (password and @ IP)
Steady green Connected / Brief flashing when traffic on link
ADSL
signal quality
Off No signal measured
1 flash Not sufficient signal
2 flashes Sufficient signal
3 flashes Strong signal
Cellular
connection
CEL
Off SIM card missing - wrong PIN code –Cellular interface disable
Flashing every 4 s Interface enable - not connected
Blinking slowly - 2 s Connection in progress (first step)
Blinking fast - 0,5 s Connection in progress (password and IP@)
Steady green Connected / Brief flashing when traffic on link
Cellular
signal quality
Off No signal measured
1 flash Not sufficient signal
2 flashes Sufficient signal
3 flashes Strong signal
VPN
connexion
VPN
Off No VPN connection in progress
Blinking slowly - 2 s Connection in progress
Steady green At least one VPN is established
Ethernet
WAN
Left LED
Off Not connected or interface disable
Green Connected / Brief flashing when traffic on link
Ethernet LAN
x 4
Left LED
Off Not connected or interface disable
Green Connected / Brief flashing when traffic on link
INSTALLATION
DOC_DEV_SIG_ User guide_A Page 19
2Safety instructions
The product shall be installed in a fire electrical resistant cabinet by a qualified operator.
The product shall be connected only to equipment that complies with the IEC60950-1 or IEC62368-1 standards
and that meets the following classifications:
•IEC60950-1 : Limited power circuits and SELV type –§2.2 and 2.5
•IEC62368-1 : ES1 & PS2
To avoid any risk of burns, it is strongly recommended to wear gloves to handle the product in
operation when the ambient temperature exceeds 30 °C.
Cellular models:
•The antenna should be installed and operated with minimum distance of 20 cm between the radiator
and your body.
•The antenna must not be co-located or operating in conjunction with any other antenna or transmitter.
3Cooling
The product is designed to be mounted into a server cabinet.
To avoid obstructing the airflow around the unit, the spacing must be at least 25 mm above and below, and 10
mm left and right.
4Earthing
For safety and EMC reasons, the product must be connected to the protective earth of the installation by its
power cord.
INSTALLATION
Page 20 DOC_DEV_SIG_ User guide_A
5Connecting to the ADSL line
Line length / signal level :
The SIG-A can be connected to an analogue line telephone line or an unbundled loop when the attenuation of
the reception signal is better than 63 dB
When the reception level is close to the limit, disconnections may occur.
In that situation, we recommend to ask to the ISP to setup the line with the RE-ADSL modulation which is suited
for long line and weak signal.
ADSL filter :
If the line must be used for analogue voice transmission simultaneously with ADSL transmission, it is
necessary to connect an ADSL filter.
Surge arrester :
The ADSL board of the SIG-A is protected very carefully against over voltage coming from the line.
However, when the line is exposed to lightning, we recommend to connect a surge arrester between the line
and the SIG.
IP address :
The IP address assigned by the ISP to the ADSL interface of the SIG can be a fixed or a dynamic public IP
address.
If it is dynamic, it changes frequently; for instance at each ADSL connection.
It is why, the router which owns a dynamic IP address can only initiate the communication (initiate a VPN for
instance) towards a router owning a fixed IP address.
Reciprocally, a router owning a dynamic IP address cannot easily receive a connection except a Dynamic DNS
service is used.
Filter
Surge arrester
PSTN
Router
This manual suits for next models
3
Table of contents
Other ETIC Server manuals
