Introduction

Control Expert provides security services for the CPU. Enable and disable these services on the Security tab in Control Expert.

Accessing the Security Tab

View the Security configuration options:

1. Open your Control Expert project.

2. Double-click the Ethernet ports on the CPU in the local rack (or right-click the Ethernet ports and select Open Submodule).

3. Select the Security tab in the RIO DIO Communicator Head window to enable/disable Ethernet services.

Available Ethernet Services

You can enable/disable these Ethernet services:

  • Enforce Security and Unlock Security: Refer to the description, below, for details.

  • FTP: Enable or disable (default) firmware upgrade, SD memory card data remote access, data storage remote access, and device configuration management using the FDR service.
    NOTE: Local data storage remains operational, but remote access to data storage is disabled.

  • TFTP: Enable or disable (default) the ability to read RIO drop configuration and device configuration management using the FDR service.
    NOTE: Enable this service to use eX80 Ethernet adapter modules.

  • HTTPS: Enable or disable (default) the web access service.

  • DHCP / BOOTP: Enable or disable (default) the automatic assignment of IP addressing settings. For DHCP, also enable/disable automatic assignment of subnet mask, gateway IP address, and DNS server names.

  • SNMP: Enable or disable (default) the protocol used to monitor the device.

  • EIP: Enable or disable (default) access to the EtherNet/IP server.

  • Access Control: Enable (default) or disable Ethernet access to the multiple servers in the CPU from unauthorized network devices.

Authorized addresses (1)

  • Subnet: Yes / No

  • IP Address: 0.0.0.0 ... 223.255.255.255

  • Subnet mask: 224.0.0.0 ... 255.255.255.252

  • FTP: Select this to grant access to the FTP server in the CPU.

  • TFTP: Select this to grant access to the TFTP server in the CPU.

  • HTTPS: Select this to grant access to the HTTP secured server in the CPU.

  • Port 502: Select this to grant access to port 502 (typically used for Modbus messaging) of the CPU.

  • EIP: Select this to grant access to the EtherNet/IP server in the CPU.

  • SNMP: Select this to grant access to the SNMP agent resident in the CPU.

(1) Set Access Control to Enabled to modify this field.

NOTE: Refer to the ETH_PORT_CTRL topic for information regarding using this function block to control the FTP, TFTP, HTTP, and DHCP/BOOTP protocols.

Enable/Disable Ethernet Services

You can enable/disable Ethernet services on the Security tab as follows:

  • Enable/disable FTP, TFTP, HTTP, EIP, SNMP, and DHCP/BOOTP for all IP addresses. (You can use this feature offline only. The configuration screen is grayed in online mode.)

    – or –

  • Enable/disable FTP, TFTP, HTTP, Port 502, EIP, and SNMP for each authorized IP address. (You can use this feature online.)

Set the Security tab parameters before you download the application to the CPU. The default settings (maximum security level) reduce the communication capacities and port access.

NOTE: Schneider Electric recommends disabling services that are not being used.

Enforce Security and Unlock Security Fields

  • When you click Enforce Security (the Security tab default setting):

    FTP, TFTP, HTTP, EIP, SNMP, and DHCP/BOOTP are disabled and Access Control is enabled.

  • When you click Unlock Security:

    FTP, TFTP, HTTP, EIP, SNMP, and DHCP/BOOTP are enabled, and Access Control is disabled.

NOTE: You can set each field individually once the global setting is applied.

Using Access Control for Authorized Addresses

Use the Access Control area to restrict device access to the CPU in its role as a server. After you enable access control in the Security dialog, you can add the IP addresses of the devices that you want to communicate with the CPU to the list of Authorized Addresses:

  • By default, the IP address of the CPU’s embedded Ethernet I/O scanner service with Subnet set to Yes allows any device in the subnet to communicate with the CPU through EtherNet/IP or Modbus TCP.

  • Add the IP address of any client device that may send a request to the CPU’s Ethernet I/O scanner service, which, in this case, acts as a Modbus TCP or EtherNet/IP server.

  • Add the IP address of your maintenance PC to communicate with the PAC through the CPU’s Ethernet I/O scanner service via Control Expert to configure and diagnose your application.

NOTE: The subnet in the IP Address column can be the subnet itself or any IP address inside the subnet. If you select Yes for a subnet that does not have a subnet mask, a pop-up window states that the screen cannot be validated because of a detected error.

You can enter a maximum of 127 authorized IP addresses or subnets.

Adding Devices to the Authorized Addresses List

To add devices to the Authorized Addresses list:

1. Set Access Control to Enabled.

2. In the IP Address column of the Authorized Addresses list, enter an IP address.

3. Enter the address of the device to access the CPU’s Ethernet I/O scanner service with either of these methods:

     • Add a single IP address: Enter the IP address of the device and select No in the Subnet column.

     • Add a subnet: Enter a subnet address in the IP Address column. Select Yes in the Subnet column. Enter a subnet mask in the Subnet Mask column.

   NOTE:
     • The subnet in the IP Address column can be the subnet itself or any IP address in the subnet. If you enter a subnet without a subnet mask, an on-screen message states that the screen cannot be validated.

     • A red exclamation point (!) indicates a detected error in the entry. You can save the configuration only after the detected error is addressed.

4. Select one or more of the following methods of access you are granting the device or subnet: FTP, TFTP, HTTP, Port 502, EIP, SNMP.

5. Repeat steps 2 - 4 for each additional device or subnet to which you want to grant access to the CPU’s Ethernet I/O scanner service.

   NOTE: You can enter up to 127 authorized IP addresses or subnets.

6. Click Apply.
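
A model of the Authorized Addresses rules described above, as an added example that is not Schneider Electric's code or the CPU's own filtering logic: it checks a planned list against the limits this page states (127 rows, the IP address and subnet mask ranges, a mask required when Subnet is Yes) and reports whether a given source would be granted a service. The dictionary layout, function names and sample addresses are assumptions made for the illustration.

```python
import ipaddress

def as_int(addr):
    return int(ipaddress.IPv4Address(addr))

# Limits as stated on this page for the Authorized Addresses list.
MAX_ENTRIES = 127
IP_MAX = as_int("223.255.255.255")
MASK_MIN, MASK_MAX = as_int("224.0.0.0"), as_int("255.255.255.252")
SERVICES = {"FTP", "TFTP", "HTTP", "Port 502", "EIP", "SNMP"}


def validate(entries):
    """Return the problems found in a planned Authorized Addresses list."""
    problems = []
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} rows exceed the limit of {MAX_ENTRIES}")
    for i, e in enumerate(entries, 1):
        if as_int(e["ip"]) > IP_MAX:
            problems.append(f"row {i}: IP address {e['ip']} is out of range")
        if e["subnet"] and not e.get("mask"):
            problems.append(f"row {i}: Subnet is Yes but no subnet mask is set")
        elif e["subnet"] and not MASK_MIN <= as_int(e["mask"]) <= MASK_MAX:
            problems.append(f"row {i}: subnet mask {e['mask']} is out of range")
        if set(e["services"]) - SERVICES:
            problems.append(f"row {i}: unknown service in {e['services']}")
    return problems


def is_authorized(entries, source_ip, service):
    """True if a row of a validated list grants `service` to `source_ip`."""
    src = as_int(source_ip)
    for e in entries:
        if service not in e["services"]:
            continue
        # A subnet row may hold any address inside the subnet, so both sides
        # are masked before comparing; a single-address row must match exactly.
        mask = as_int(e["mask"]) if e["subnet"] else 0xFFFFFFFF
        if (src & mask) == (as_int(e["ip"]) & mask):
            return True
    return False


# Constructed sample plan; the addresses are illustrative, not from the page.
PLAN = [
    {"ip": "192.168.10.37", "subnet": True, "mask": "255.255.255.0",
     "services": ["Port 502", "EIP"]},
    {"ip": "192.168.20.5", "subnet": False, "services": ["Port 502", "FTP"]},
]
```

Running validate() on a plan before entering it, then is_authorized() for the maintenance PC and for an address that should be refused, shows whether a row with Subnet set to Yes grants more than intended.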

Removing Devices from the Authorized Addresses List

To remove devices from the Authorized Addresses list:

1. In the Authorized Addresses list, select the IP address of the device to delete.

2. Press the Delete button.

3. Click Apply.