Rockwell Automation Stratix 4300 User manual

Stratix 4300 Remote Access Routers
Catalog Number 1783-RA2TGB, 1783-RA5TGB
User Manual
Original Instructions

Rockwell Automation Publication 1783-UM014A-EN-P - October 2021
Important User Information
Read this document and the documents listed in the additional resources section about installation, configuration, and
operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize
themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.
Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to
be carried out by suitably trained personnel in accordance with applicable code of practice.
If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be
impaired.
In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use
or application of this equipment.
The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and
requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for
actual use based on the examples and diagrams.
No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software
described in this manual.
Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is
prohibited.
Throughout this manual, when necessary, we use notes to make you aware of safety considerations.
Labels may also be on or inside the equipment to provide specific precautions.
WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which
may lead to personal injury or death, property damage, or economic loss.
ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property
damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.
IMPORTANT: Identifies information that is critical for successful application and understanding of the product.
SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous
voltage may be present.
BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may
reach dangerous temperatures.
ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential
Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory
requirements for safe work practices and for Personal Protective Equipment (PPE).

Table of Contents
Preface
  About This Publication
  Additional Resources
Chapter 1
  Remote Access Solution Overview
    Before You Begin
    Best Practices
  Remote Access Routers
    1783-RA2TGB
    1783-RA5TGB
  Multi-factor Authentication
  Typical Remote Access Architectures
    Secure Remote Connectivity - Use Case: Cell/Area Zone SRA
    Secure Remote Connectivity - Use Case: Modem Direct/Isolated Machine
Chapter 2
  Connect Via Ethernet
  Add an IP Address
  Associate the Router with a Domain
  Protect Against Unwanted Domain Change
  Remove and Move Devices
  Firewall Policies
    Create a Firewall Policy
  Update the System
  Factory Reset
  Router Restart
Appendix A
  Status Indicators
    Status Indicators Descriptions
  Export Logs
  Audit Logs
Index

Preface
About This Publication
This manual describes how to use Stratix® 4300 Remote Access Routers.
Make sure that you are familiar with use of an EtherNet/IP network.
Product compatibility information and release notes are available online
within the Product Compatibility and Download Center.
Additional Resources
These documents contain additional information concerning related products
from Rockwell Automation.
You can view or download publications at rok.auto/literature.
Resource | Description
Cloud Connectivity to a Converged Plantwide Ethernet Architecture Design Guide, publication ENET-TD017 | Converged Plantwide Ethernet (CPwE) is a collection of architected, tested, and validated designs. The testing and validation follow the Cisco® Validated Design (CVD) and Cisco Reference Design (CRD) methodologies.
Converged Plantwide Ethernet (CPwE) Design and Implementation Guide, publication ENET-TD001 | The Implementation Guide represents a collaborative development effort from Cisco Systems and Rockwell Automation®. It is built on, and adds to, design guidelines from the Cisco Ethernet-to-the-Factory (EttF) solution and the Rockwell Automation Integrated Architecture®.
Deploying Industrial Firewalls within a Converged Plantwide Ethernet Architecture Design and Implementation Guide, publication ENET-TD002 | The Deploying Industrial Firewalls within a Converged Plantwide Ethernet Architecture Design and Implementation Guide (DIG) outlines several use cases for designing, deploying and managing industrial firewalls throughout a plant-wide Industrial Automation and Control System (IACS) network infrastructure.
EtherNet/IP Network Devices User Manual, publication ENET-UM006 | Describes how to configure and use EtherNet/IP™ devices to communicate on the EtherNet/IP network.
Ethernet Reference Manual, publication ENET-RM002 | Describes basic Ethernet concepts, infrastructure components, and infrastructure features.
FactoryTalk Remote Access Help website, rok.auto/help | Describes how to use and troubleshoot FactoryTalk® Remote Access.
Industrial Automation Wiring and Grounding Guidelines, publication 1770-4.1 | Provides general guidelines for installing a Rockwell Automation industrial system.
Industrial Components Preventive Maintenance, Enclosures, and Contact Ratings Specifications, publication IC-TD002 | Provides a quick reference tool for Allen-Bradley® industrial automation controls and assemblies.
Product Certifications website, rok.auto/certifications | Provides declarations of conformity, certificates, and other certification details.
Safety Guidelines for the Application, Installation, and Maintenance of Solid-state Control, publication SGI-1.1 | Designed to harmonize with NEMA Standards Publication No. ICS 1.1-1987 and provides general guidelines for the application, installation, and maintenance of solid-state control in the form of individual devices or packaged assemblies incorporating solid-state components.
Stratix 4300 Remote Access Routers Installation Instructions, publication 1783-IN020 | Describes how to install a Stratix 4300 Remote Access Router.
Stratix Ethernet Device Specifications Technical Data, publication 1783-TD002 | Describes the technical specifications of Stratix Devices.
System Security Design Guidelines Reference Manual, publication SECURE-RM001 | Provides guidance on how to conduct security assessments, implement Rockwell Automation products in a secure system, harden the control system, manage user access, and dispose of equipment.

Chapter 1
Remote Access Architecture
The Stratix® 4300 remote access router lets manufacturers and OEMs apply the
appropriate skills and resources independent of their physical location, so
that customers can continue to maintain their operations with remote access
via VPN. The solution helps reduce costs, add value to customer operations,
and encourage collaboration between OEMs and customers.
The Stratix 4300 router:
• Is a full gigabit router
• Supports configuration via FactoryTalk® Remote Access software
• Uses VPN connections that are optimized for industrial communications
with reduced latency
FactoryTalk Remote Access software:
• Manages user and group configurations to segment network access and
permissions
• Provides log and audit trails for activities for established connections
Topics in this chapter:
Remote Access Solution Overview
Remote Access Routers
Multi-factor Authentication
Typical Remote Access Architectures

Remote Access Solution Overview
Before You Begin
Remote Access for Industrial Equipment enables connectivity to remote
machines by leveraging optimized VPN technologies. The remote access
solution includes hardware and software.
There are three key components for remote access.
1. The Stratix 4300 Remote Access Router enables access to remote
equipment through a VPN connection.
2. Server infrastructure is a distributed cloud-based server infrastructure
that facilitates the connections.
3. FactoryTalk Remote Access is a web-based client that is used to maintain
and initiate remote connections.
Together, these products enable secure access to industrial machines, skids,
and assets.
The Stratix 4300 must be registered to FactoryTalk Remote Access before a
connection can be initiated.
[Figure: remote access solution diagram. Labels: Remote Equipment, Stratix 4300, VPN Tunnel, Cloud Server Infrastructure, FactoryTalk Remote Access.]

Best Practices
• FactoryTalk Remote Access Administrator enforces two-factor
authentication.
• The FactoryTalk Remote Access software must be up to date in case
security improvements are released.
• Configure strong, complex user passwords.
• Stratix 4300 routers must be connected to the internet through their WAN
port. Stratix 4300 routers do not enable any service through that port and
only need an outgoing connection to the configured outgoing port
(TCP port 443, 80, or 5935). An additional firewall can provide more
protection.
• Undertake a formal threat and risk assessment in relation to remote
access.
• Use the provided role-based access control.
• Use the provided physical controls to enable or disable remote access.
• Monitor security incidents and logs proactively to provide timely
incident response and accurate forensics.
• Conduct regular reviews and assessments of the secure remote access
solution and technologies to maintain compliance with policies and
procedures.
• Apply defense in depth practices for the secure remote access solution,
including practices to secure the remote computer.
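One way to check the WAN-port practice above against an upstream firewall's connection log, as an added example that is not part of the manual or of any Rockwell Automation tool. The log format, IP addresses, and function names are constructed for illustration; whether the router also needs DNS or NTP through the firewall is a site assumption passed in by the caller.

```python
import re

# Outbound destinations the manual lists for the router's WAN side.
ALLOWED_EGRESS = frozenset({("tcp", 443), ("tcp", 80), ("tcp", 5935)})

# Constructed log format: one line per NEW connection seen by the
# upstream firewall. Not a real product's format.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) NEW src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>[a-z]+) dport=(?P<dport>\d+)$"
)

# Constructed sample; 192.0.2.10 stands in for the router's WAN address.
SAMPLE_FLOWS = """\
2021-10-05T08:00:01Z NEW src=192.0.2.10 dst=203.0.113.5 proto=tcp dport=443
2021-10-05T08:00:09Z NEW src=192.0.2.10 dst=203.0.113.5 proto=tcp dport=5935
2021-10-05T08:02:14Z NEW src=198.51.100.77 dst=192.0.2.10 proto=tcp dport=22
2021-10-05T08:03:40Z NEW src=192.0.2.10 dst=198.51.100.9 proto=tcp dport=8443
2021-10-05T08:03:41Z NEW src=192.0.2.10 dst=198.51.100.53 proto=udp dport=53
2021-10-05T08:04:00Z NEW src=192.0.2.20 dst=203.0.113.5 proto=tcp dport=443
"""


def audit_flows(log_text, router_wan_ip, allowed=ALLOWED_EGRESS):
    """Return (line_number, kind, detail) for flows that break the rule.

    kind is "inbound"  : something opened a connection to the WAN address,
                         which should never succeed because the router
                         offers no service there;
            "egress"   : the router opened a connection to a protocol/port
                         outside the allowed set;
            "unparsed" : the line did not match the expected format and
                         must be reviewed by hand rather than ignored.
    """
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if m is None:
            findings.append((lineno, "unparsed", line))
            continue
        proto, dport = m["proto"], int(m["dport"])
        if m["dst"] == router_wan_ip:
            findings.append((lineno, "inbound", f"{m['src']} -> {proto}/{dport}"))
        elif m["src"] == router_wan_ip and (proto, dport) not in allowed:
            findings.append((lineno, "egress", f"{m['dst']} {proto}/{dport}"))
    return findings


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS, "192.0.2.10"):
        print(finding)
```

Passing a narrower `allowed` set (only the one outgoing port the router is configured for) turns the same check into a test of the tightest firewall rule the practice permits.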

Remote Access Routers
1783-RA2TGB
Figure 1 - 1783-RA2TGB
Table 1 - 1783-RA2TGB Router Front View
1 | Restart Status Indicator
2 | Server/USB Status Indicator
3 | COM RX Status Indicator
4 | USB 2.0
5 | WAN
6 | LAN
7 | COM
8 | Power Status Indicator
9 | Remote Connect Status Indicator
10 | COM TX Status Indicator

1783-RA5TGB
Figure 2 - 1783-RA5TGB
Table 2 - 1783-RA5TGB Router Front View
1 | Restart Status Indicator
2 | Server/USB Status Indicator
3 | COM RX Status Indicator
4 | USB 2.0
5 | WAN
6 | LAN1, LAN2, LAN3, LAN4
7 | COM
8 | Power Status Indicator
9 | Remote Connect Status Indicator
10 | COM TX Status Indicator

Figure 3 - Router Top View
Table 3 - Router Top View
1 | Power Connector
2 | Digital Input/Output Connector
3 | Factory Reset Button
4 | Restart Button
WARNING: When you press the Factory Reset button while power is on,
an electric arc can occur, which could cause an explosion in hazardous
location installations.
Table 4 - Router Top View Definitions
Digital input/output:
IN0 | This input works as a Connection mode input, also referred to as the selector key input. By default, the status of this input is ignored. When the router is configured to handle the input, it can be controlled from outside the connection to the server. The input can be driven by a mechanical selector, by a key selector, or by a PLC output.
IN1 | This input controls the device restart from outside. The operation corresponds to the restart button. Once the command is received, feedback is returned by the status indicator.
OUT0 | The output is active when the router is connected to its associated Domain. The simple connection to the server does not activate the output. The Stratix 4300 is required to be successfully authenticated to the Domain.
OUT1 | The output is active when at least one user is remotely connected to the Router.
Factory Reset | A factory reset reverts the router to factory settings. The system software is reset to original versions including the operating system. To execute the reset, turn off the device. Press and hold down the restart button for at least 10 seconds. To reach the button, use a small tool, such as a paper clip. The status indicator blinks from red to green multiple times when the reset process has started. Wait for the process to be completed and restart the system.
Restart | Forces the device to restart. This command verifies a complete initialization of all internal electronics and software. The restart status indicator turns on.

Multi-factor Authentication
Multi-factor authentication is a secure way to protect access to your account,
available through FactoryTalk Remote Access.
Multi-factor authentication is enabled when you first sign in to FactoryTalk
Remote Access. You receive a message that multi-factor authentication must
be configured and activated before use.
1. To display a QR code for configuration, click the activation link.
The QR code can be scanned with any application that supports the Google
Authenticator standard.
2. Use one of the following links from your device to download an
authenticator app:
• Authy
• Google Authenticator
• Duo
• Microsoft Authenticator
If your device cannot scan the QR code, click the link “Cant Read?” to view the
security code to be used with your authentication application as an alternative
to scanning the QR code.
After the first login, each following login asks for your authenticator code. This
code is updated every 3 minutes.
3. Open the authenticator application on your device and type in the
current code that is assigned to your account.
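How an authenticator app turns the enrolled security code into the login code, as an added example that is not from the manual or from FactoryTalk Remote Access: the time-based one-time password algorithm (RFC 6238) with the 3-minute step stated above. HMAC-SHA-1, six digits, the otpauth:// URI layout, and the one-step verification window are assumptions, and the secret is the public RFC test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed enrollment URI in the key-URI layout that authenticator apps
# read from a QR code. The secret is the public RFC 4226/6238 test key.
TEST_SECRET = b"12345678901234567890"
SAMPLE_URI = (
    "otpauth://totp/ExampleDomain:operator?secret="
    + base64.b32encode(TEST_SECRET).decode()
    + "&issuer=ExampleDomain&period=180&digits=6"
)


def parse_otpauth(uri):
    """Return (secret_bytes, period_seconds, digits) from an otpauth URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    query = parse_qs(parts.query)
    b32 = query["secret"][0].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # apps usually strip base32 padding
    period = int(query.get("period", ["30"])[0])  # RFC 6238 default step
    digits = int(query.get("digits", ["6"])[0])
    return base64.b32decode(b32), period, digits


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA-1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, period=180, digits=6):
    """RFC 6238: the counter is the number of whole periods since the epoch."""
    return hotp(secret, int(unix_time) // period, digits)


def verify(secret, code, unix_time, period=180, digits=6, skew_steps=1):
    """Accept the current step and skew_steps either side (clock drift)."""
    step = int(unix_time) // period
    for candidate in range(max(0, step - skew_steps), step + skew_steps + 1):
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True
    return False


def validity_seconds(period, skew_steps):
    """Total length of the window in which a verifier accepts one code."""
    return period * (2 * skew_steps + 1)


if __name__ == "__main__":
    secret, period, digits = parse_otpauth(SAMPLE_URI)
    print(totp(secret, 59, period, digits))
    print(validity_seconds(period, 1))
```

The security code shown by the “Cant Read?” link plays the role of `secret` here: anyone who holds it can compute every future code, so it needs the same protection as the password.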

Typical Remote Access Architectures
The following examples are common remote access architecture diagrams.
Secure Remote Connectivity - Use Case: Cell/Area Zone SRA
This architecture highlights the use of the Stratix 4300 for remote
access and, if needed, for NAT/Routing for the cell/area
zone. Without NAT or Routing there are no North or South data flows through
the Stratix 4300. East or West data flow (for example, from the HMI to the
Safety Controller) within the cell/area zone occurs in the embedded switch of
the Stratix 4300.
[Figure: architecture diagram. Labels: Internet; Enterprise Zone Levels 4…5; Industrial Demilitarized Zone (IDMZ); Industrial Zone Levels 0…3 (Plant-wide Network); Core Switches; Distribution Switch Stack; HMI; Safety Controller; Servo Drive; Safety I/O; EtherNet/IP.]

The following architecture highlights the use of the Stratix 4300 for
remote access and for NAT/Routing. The Stratix 4300 provides
remote access to each individual cell/area zone. If there is a need for
peer-to-peer or machine-to-machine communication, the Stratix 4300 NAT or
Routing features can be configured to allow successful communication.
[Figure: architecture diagram with two cell/area zones and M2M Connectivity between them. Labels: Internet; Enterprise Zone Levels 4…5; Industrial Demilitarized Zone (IDMZ); Industrial Zone Levels 0…3 (Plant-wide Network); Core Switches; Distribution Switch Stack; WAN; LAN; HMI; HMI Runtime; Safety Controller; Servo Drive; Robot Drive; Safety I/O; EtherNet/IP.]

The following architecture highlights the use of the Stratix 4300 for
remote access. The switch optionally provides some NAT/Routing
services for the Cell/Area Zone for LAN to WAN communication. Without NAT
or Routing there are no North/South data flows. Most other data flows in the
cell occur at the industrial Ethernet switch.
[Figure: architecture diagram. Labels: Internet; Enterprise Zone; Industrial Demilitarized Zone (IDMZ); Industrial Zone Levels 0…3 (Plant-wide Network); Core Switches; Distribution Switch Stack; WAN; LAN; HMI; Safety Controller; Servo Drive; Robot Drive; Safety I/O; EtherNet/IP.]

The following architecture highlights the use of the Stratix 4300 for
remote access. An industrial Ethernet switch (IES) is positioned in the cell
for any other North/South and East/West traffic. The IES switching
infrastructure also provides routing and switching services to all devices
including the Stratix 4300. The VLAN required for Internet access or WAN must
be extended into the cell/area zone IES so that the Stratix 4300 has Internet
access for remote access.
[Figure: architecture diagram. Labels: Internet; Enterprise Zone; Industrial Demilitarized Zone (IDMZ); Industrial Zone Levels 0…3 (Plant-wide Network); Core Switches; Distribution Switch Stack; WAN; LAN; HMI; Safety Controller; Robot Drive; Safety I/O; EtherNet/IP.]

The following architecture highlights the use of the Stratix 4300 for
remote access. An IES is positioned in the cell for any other North/
South and East/West traffic. The IES switching infrastructure also provides
routing and switching services to all devices. In this case, the IES is not
providing routing to the Stratix 4300 WAN connection.
The WAN is connected directly to distribution to ease routing requirements.
Any cloud or remote access related traffic from the Stratix 4300 goes directly to
the distribution switch. Generally, the distribution switch is the central router
for the industrial architecture before the Core routes traffic. No VLAN or
routing would extend to the Cell/Area Zone in this architecture unless it is
required by the industrial application.
[Figure: architecture diagram. Labels: Internet; Enterprise Zone; Industrial Demilitarized Zone (IDMZ); Industrial Zone Levels 0…3 (Plant-wide Network); Core Switches; Distribution Switch Stack; WAN; LAN; HMI; Safety Controller; Robot Drive; Safety I/O; EtherNet/IP.]

Secure Remote Connectivity - Use Case: Modem Direct/Isolated Machine
The following architecture highlights a remote isolated cell. For the Internet
connection in this architecture, an Internet modem like those provided by
most Internet service providers is used.
[Figure: isolated machine architecture diagram. Labels: Internet; Modem; WAN; LAN; Stratix 4300; Isolated Machines; Controller; Drive; HMI.]
