Secure TCP/IP Connection
For UMG 508, UMG 509-PRO, UMG 511, UMG 512-PRO, UMG 604-PRO and UMG 605-PRO
General
Copyright
This functional description is subject to the legal provisions of copyright protection and may not be photocopied, reprinted, reproduced or otherwise duplicated or republished in whole or in part by mechanical or electronic means without the legally binding, written consent of Janitza electronics GmbH, Vor dem Polstück 6, 35633 Lahnau, Germany.
Trademarks
All trademarks and the rights arising from them are the property of the respective owners of these rights.
Disclaimer
Janitza electronics GmbH assumes no responsibility for errors or defects within this functional description and assumes no obligation to keep the contents of this functional description up to date.
Comments on the manual
Your comments are welcome. If anything in this manual seems unclear, please let us know and send us an email at: info@janitza.com
Secure TCP/IP Connection
Communication with the measuring devices of the UMG series is usually via Ethernet. The measuring devices provide different protocols with the respective connection ports for this purpose. Software applications such as the GridVis® communicate with the measuring devices via the FTP, Modbus or HTTP protocol. Network security in the company network plays an increasingly important role here.
This guide is intended to support you in securely integrating the measuring devices into the network, thus effectively protecting the measuring devices from unauthorized access.
Key changes for firmware > 4.057:
- Improvement of the challenge calculation
- After three incorrect logins, the IP (of the client) is blocked for 900 seconds
- GridVis® settings revised
- HTML password: can be set, 8 digits
- HTML configuration completely lockable
If the measuring device is used in the GridVis®, several connection protocols are available. A standard protocol is the FTP protocol - i.e. the GridVis® reads files from the measuring device via FTP port 21 with the respective data ports 1024 to 1027. In the "TCP/IP" setting, the connection is made unsecured via FTP. A secured connection can be established using the "TCP secured" connection type.
Description of screenshot: A dialog box titled "Verbindung konfigurieren (UMG512)" showing options for connection type (TCP/IP, TCP gesichert, HTTP, HTTP gesichert, Modbus RTU, Ethernet-Gateway, EasyGateway) and host settings.
Change Password
A user and password are required for the secure connection. By default, the user is admin and the password is Janitza. For a secure connection, the password for administrator access (admin) can be changed in the configuration menu.
1. Step: Configure Connection
To configure the connection:
- Open the "Configure connection" dialog. This can be done by highlighting the device in the projects window and selecting "Configure connection" from the context menu, or by double-clicking the device to open its overview window and selecting the "Configure connection" button.
- Select the connection type "TCP secured".
- Set the host address of the device.
- Fill in the username and password. Factory settings: Username: admin, Password: Janitza.
- Set the "Encrypted" menu item. This activates AES-256 encryption of the data.
Description of screenshots: One shows the project window with a device selected, and the other shows the "Verbindung konfigurieren (UMG512)" dialog with "TCP gesichert" selected, host, username, password, and encryption options.
2. Step: Change Administrator Password
To change the administrator password:
- Open the configuration window.
- Select the "Passwords" button in the configuration window.
- Change the administrator password if desired.
- Save the changes by transferring the data to the device using the "Transfer" button.
Important Note on Passwords:
⚠️ DO NOT FORGET THE PASSWORD UNDER ANY CIRCUMSTANCES. THERE IS NO MASTER PASSWORD. IF THE PASSWORD IS FORGOTTEN, THE DEVICE MUST BE SENT TO THE FACTORY!
The admin password can be a maximum of 30 characters long and can consist of numbers, letters, and special characters (ASCII code 32 to 126, excluding ", \, ^, `, |). The password field must not be left blank. Space (ASCII code 32) is allowed only within the password, not as the first or last character.
Note: When using a GridVis® version > 9.0.20 with special characters, you will be prompted to change the password according to these rules. The description "Change password" with its password rules also applies to the connection type "HTTP secured".
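The following is an added example, not Janitza or GridVis® code: a small checker that applies the administrator password rules stated above (at most 30 characters, printable ASCII 32 to 126 without ", \, ^, `, |, not blank, no leading or trailing space) and additionally flags the factory default "Janitza" so that it does not survive a deployment. The function name and the wording of the messages are the example's own.

```python
"""Added example, not Janitza code: check a candidate administrator password
against the rules this document states for the "TCP secured" and
"HTTP secured" connection types."""

ADMIN_MAX_LEN = 30
FACTORY_DEFAULT = "Janitza"   # default admin password named in the document
# Printable ASCII 32..126, minus the five characters the document excludes.
EXCLUDED = set('"\\^`|')
ALLOWED = {chr(c) for c in range(32, 127)} - EXCLUDED


def check_admin_password(pw: str) -> list:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    if pw == "":
        return ["password must not be blank"]
    problems = []
    if pw == FACTORY_DEFAULT:
        problems.append("still the factory default password")
    if len(pw) > ADMIN_MAX_LEN:
        problems.append("longer than %d characters" % ADMIN_MAX_LEN)
    # Anything outside printable ASCII (e.g. umlauts) or in the excluded set.
    bad = sorted({ch for ch in pw if ch not in ALLOWED})
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(ch) for ch in bad))
    if pw[0] == " " or pw[-1] == " ":
        problems.append("space is only allowed inside the password, not first or last")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ["", "Janitza", " leading-space", 'has"quote', "Meter room 12 ok!"]:
        print(repr(candidate), "->", check_admin_password(candidate) or "OK")
```

Run the check before typing a new password into the "Passwords" tab: because there is no master password, a value the device rejects or that cannot be reproduced later costs a trip to the factory.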
Description of screenshots: One shows the project window and configuration options, including "Passwörter". The other shows the "Konfiguration [UMG512]" dialog with the "Passwörter" tab selected, showing fields for username, password, and user password for programming mode.
Firewall Settings
The measurement devices have an integrated firewall that allows you to block ports you don't need.
1. Step: Configure Connection
To configure the connection for firewall settings:
- Open the "Configure connection" dialog. This can be done by highlighting the device in the projects window and selecting "Configure connection" from the context menu, or by double-clicking the device to open its overview window and selecting the "Configure connection" button.
- Select the connection type "TCP secured".
- Log in as administrator.
Description of screenshot: A "Verbindung konfigurieren (UMG512)" dialog box showing "TCP gesichert" selected, host, username, password, and encryption options.
2. Step: Configure Firewall
To configure the firewall:
- Open the configuration window.
- Select the "Firewall" button in the configuration window.
Description of screenshot: The "Konfiguration [UMG512]" dialog with the "Firewall" tab selected, showing a checkbox to enable the firewall and a list of protocols with checkboxes for activation.
Firewall Operation:
The firewall is switched on via the "Firewall" button. As of release X.XXX, this is the default setting. Protocols that you do not need can be deactivated here. When the firewall is switched on, the device only allows requests on the protocols activated in each case.
Default Protocols and Ports:
| Protocol | Port |
|---|---|
| FTP | Port 21, data port 1024 to 1027 |
| HTTP | Port 80 |
| SNMP | Port 161 |
| Modbus RTU | Port 8000 |
| Debug | Port 1239 (for service purposes) |
| Modbus TCP/IP | Port 502 |
| BACnet | Port 47808 |
| DHCP | UDP port 67 and 68 |
| NTP | Port 123 |
| Name server (DNS) | Port 53 |
Note: For rudimentary communication with the GridVis® and via the homepage, the settings shown in the configuration dialog suffice. Please choose the closed ports carefully! Depending on the selected connection protocol, it may only be possible to communicate via HTTP, for example.
Save the changes with the transfer of the data to the device ("Transfer" button).
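The following is an added example, not Janitza or GridVis® code. It turns the default port table above into a firewall plan: given the protocols a site actually needs, it lists what stays enabled, what to deactivate, and warns about Modbus TCP/IP when an IT policy permits only secured protocols (the guidance given later in this document). A second function checks, after the "Transfer", that the TCP ports that should be closed no longer accept a connection; it probes only the FTP, HTTP and Modbus TCP/IP ports, whose TCP transport follows from their standards, and skips the rest. Function names, the `secured_only` flag and the sample protocol list are the example's own.

```python
"""Added example, not Janitza code: plan the device firewall from the
default protocol/port table in this document and verify closed TCP ports."""
import socket

# Default protocol -> listening ports, taken from the table in the document.
DEFAULT_PORTS = {
    "FTP": [21, 1024, 1025, 1026, 1027],
    "HTTP": [80],
    "SNMP": [161],
    "Modbus RTU": [8000],
    "Debug": [1239],
    "Modbus TCP/IP": [502],
    "BACnet": [47808],
    "DHCP": [67, 68],
    "NTP": [123],
    "Name server": [53],
}
# Ports known to be TCP from their protocol standards; only these are probed.
TCP_PORTS = {21, 80, 502, 1024, 1025, 1026, 1027}


def plan_firewall(needed, secured_only=False):
    """Return (enabled, disabled, warnings) for the protocols the site needs.

    secured_only models an IT policy that allows only secured protocols:
    Modbus TCP/IP (port 502) cannot be secured and is removed from the plan.
    """
    unknown = sorted(set(needed) - DEFAULT_PORTS.keys())
    if unknown:
        raise ValueError("unknown protocol(s): " + ", ".join(unknown))
    enabled = set(needed)
    warnings = []
    if secured_only and "Modbus TCP/IP" in enabled:
        enabled.discard("Modbus TCP/IP")
        warnings.append("Modbus TCP/IP (502) disabled: it cannot be secured")
    if not enabled & {"FTP", "HTTP"}:
        warnings.append("neither FTP nor HTTP enabled: GridVis needs TCP secured or HTTP secured")
    if "Debug" in enabled:
        warnings.append("Debug port 1239 is meant for service purposes only")
    disabled = sorted(DEFAULT_PORTS.keys() - enabled)
    return sorted(enabled), disabled, warnings


def ports_to_close(disabled):
    """All port numbers belonging to the disabled protocols, sorted."""
    return sorted(p for proto in disabled for p in DEFAULT_PORTS[proto])


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_closed(host, disabled, timeout=2.0):
    """After "Transfer": return the disabled TCP ports that still accept connections."""
    return [p for p in ports_to_close(disabled)
            if p in TCP_PORTS and tcp_port_open(host, p, timeout)]


if __name__ == "__main__":
    # Constructed scenario: GridVis over TCP secured (FTP), NTP for time, IT wants secured-only.
    enabled, disabled, warnings = plan_firewall(["FTP", "Modbus TCP/IP", "NTP"], secured_only=True)
    print("enable :", enabled)
    print("disable:", disabled, "->", ports_to_close(disabled))
    for w in warnings:
        print("warning:", w)
    # verify_closed("<device-ip>", disabled) would then probe the real device.
```

The verification step only covers TCP; the UDP services (DHCP, and the others the document lists without a transport) have to be confirmed from the device's configuration dialog rather than with a connect test.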
Display Password
The device configuration via the device keys can also be protected. This means that configuration is only possible after entering a password. The password can be set on the device itself or via the GridVis® in the configuration window.
Password Rules:
⚠️ The display password must be a maximum of 5 digits long and only contain numbers.
Procedure:
To set the display password:
- Open the configuration window. This can be done by highlighting the device in the projects window and selecting "Configuration" from the context menu, or by double-clicking the device to open its overview window and selecting the "Configuration" button.
- Select the "Passwords" button in the configuration window.
- If desired, change the option "User password for the programming mode on the device".
- Save the changes with the transfer of the data to the device ("Transfer" button).
The configuration on the device can then only be changed by entering a password.
Description of screenshot: A "Konfiguration [UMG512]" dialog with the "Passwörter" tab selected, showing fields for user password and display password. Another image shows a device display with input fields for password.
Homepage Password
The homepage can also be protected from unauthorized access. The following options are available:
- Do not lock homepage: The homepage is accessible without login; configurations can be made without logging in.
- Lock homepage: After a login, the homepage and the configuration for the user's IP will be unlocked for 3 minutes. With each access, the time is reset to 3 minutes again.
- Lock configuration separately: The homepage is accessible without login; configurations can only be made by logging in.
- Lock homepage and configuration separately: After a login, the homepage is unlocked for the user's IP for 3 minutes. With each access, the time is reset to 3 minutes again. Configurations can only be made by logging in.
Note: Only the variables that are in the init.jas or have "Admin" authorization are considered as configuration.
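The following is an added example, not Janitza firmware code: a small model of the two time-based rules this document describes, so that an operator can reason about how they interact. From the firmware change list above, three incorrect logins block the client IP for 900 seconds; from the "Lock homepage" options, a successful login unlocks the homepage for that IP for 3 minutes and every access resets the timer. Timestamps are plain seconds so the model runs offline. Two details the document does not state are the example's own assumptions: the failure counter is reset when a block starts, and a blocked IP is refused even with the correct password for the whole block period.

```python
"""Added example, not Janitza firmware code: model of the per-IP login block
(3 failures -> 900 s) and the 3-minute homepage unlock window."""

BLOCK_AFTER_FAILURES = 3
BLOCK_SECONDS = 900
UNLOCK_SECONDS = 3 * 60


class HomepageAccessPolicy:
    """Per-client-IP state for the lock rules described in the document."""

    def __init__(self):
        self.failures = {}        # ip -> consecutive failed logins
        self.blocked_until = {}   # ip -> time (s) the block ends
        self.unlocked_until = {}  # ip -> time (s) the unlock window ends

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def login(self, ip, password_ok, now):
        """Return "blocked", "unlocked" or "failed" for a login attempt."""
        if self.is_blocked(ip, now):
            return "blocked"          # assumption: rejected regardless of password
        if password_ok:
            self.failures.pop(ip, None)
            self.unlocked_until[ip] = now + UNLOCK_SECONDS
            return "unlocked"
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count >= BLOCK_AFTER_FAILURES:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            self.failures.pop(ip, None)   # assumption: counter reset on block
            return "blocked"
        return "failed"

    def access(self, ip, now):
        """Homepage request: allowed only inside the unlock window, which it extends."""
        if self.unlocked_until.get(ip, 0) > now:
            self.unlocked_until[ip] = now + UNLOCK_SECONDS
            return True
        return False


if __name__ == "__main__":
    # Constructed timeline for one client IP (sample address, not a real device).
    policy = HomepageAccessPolicy()
    for t, ok in [(0, False), (1, False), (2, False), (100, True), (902, True)]:
        print("t=%4d login ok=%-5s -> %s" % (t, ok, policy.login("192.0.2.10", ok, t)))
    print("t=1000 access ->", policy.access("192.0.2.10", 1000))
    print("t=1300 access ->", policy.access("192.0.2.10", 1300))
```

The model makes two consequences of the rules visible: a correct password submitted during the 900-second block is still refused, and the block is per client IP, so other hosts (and a GridVis® connection from another address) are unaffected.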
Password Rules:
⚠️ The homepage password must be a maximum of 8 digits long and only contain numbers.
Description of screenshot: A "Konfiguration [UMG512]" dialog with the "Passwörter" tab selected, showing a field for "Password for HTML access".
After activation, a login window appears after opening the device homepage.
Description of screenshot: A "Janitza - Homepage login" dialog with fields for Username and Password.
Modbus TCP/IP Communication Security
It is not possible to secure the Modbus TCP/IP communication (port 502). The Modbus standard does not provide for any protection. Integrated encryption would no longer conform to the Modbus standard, and interoperability with other devices would no longer be guaranteed. For this reason, no password can be assigned for Modbus communication.
If IT specifies that only secured protocols may be used, the Modbus TCP/IP port must be deactivated in the device firewall. The device administrator password must be changed and communication must take place via "TCP secured" (FTP) or "HTTP secured".
Modbus RS485 Communication Security
Protection of the Modbus RS485 communication is not possible. The Modbus standard does not provide for any protection. Integrated encryption would no longer conform to the Modbus standard, and interoperability with other devices would no longer be guaranteed. This also concerns the Modbus master functionality, that is, no encryption can be activated for devices at the RS-485 interface.
If IT specifies that only secured protocols may be used, the Modbus TCP/IP port must be deactivated in the device firewall. The device administrator password must be changed and communication must take place via "TCP secured" (FTP) or "HTTP secured". However, devices at the RS485 interface can then no longer be read out!
The alternative in this case is to dispense with the Modbus master functionality and to exclusively use Ethernet devices such as the UMG 604 / 605 / 508 / 509 / 511 or UMG 512.
"UMG 96RM-E" Communication Security
The UMG 96RM-E does not offer a secured protocol. Communication with this device is exclusively via Modbus TCP/IP. It is not possible to secure the Modbus TCP/IP communication (port 502). The Modbus standard does not provide for any protection. That is, if encryption were integrated, it would no longer conform to the Modbus standard, and interoperability with other devices would no longer be guaranteed. For this reason, no password can be assigned for Modbus communication.