EN
Connectivity options
F.A.Q
Carel local supervisors communication with RED optimise
Product: RED optimise
Document version: 1.0
Document date: 30/05/2024
Technical requirements and guidelines
For any issue contact [email protected] or visit www.carel.com
Version 1.0.0 - 30/05/2024
1
INTRODUCTION
The purpose of this document is to provide the configuration parameters needed to permit the
correct communication between the local supervisors and the RED optimise cloud environment
offered by Carel (red-opti-carel.digital-service.com).
2 Connectivity Options RED optimise
Index
1. Web access for end users ............................................................................................... 2
2. Internet connection option .............................................................................................. 2
2.1 Access from Internet for local supervisors ............................................................................................. 4
2.2 ACL (Access Control List) firewall rules for Internet connectivity ....................................................... 4
3. VPN connection option .................................................................................................... 5
3.1 Access from VPN (without cross-VPN DNS) for local supervisors ....................................................... 5
3.2 Access from VPN (with cross-VPN DNS) for local supervisors ............................................................ 5
3.3 ACL (Access Control List) firewall rules for VPN connectivity ............................................................. 5
3.4 VPN configuration ...................................................................................................................................... 6
4. OpenVPN client embedded on Boss Family .................................................................. 7
4.1 OpenVPN configuration up to version 1.7.0 ............................................................................................ 7
4.2 OpenVPN configuration starting from Service Pack 1.8.0 ................................................................... 10
1. Web access for end users
The URL used by the user to reach the website is https://red-opti-carel.digital-service.com
2. Internet connection option
2.1. Access from Internet for local supervisors
The parameters to set on local supervisors to communicate with RED optimise in case of
access from the Internet are defined as follows:
- pCOWeb – not supported
- PlantWatchPRO – address: s1.remotepro.io
- PlantVisorPRO – address: 34.249.149.242
- boss (until version 1.1.1) – address: 34.249.149.242
- boss (from version 1.2.0) – address: s1.remotepro.io
NOTE: In this scenario a valid DNS server is needed in order to correctly resolve the FQDN (Fully
Qualified Domain Name) mentioned above.
2.2. ACL (Access Control List) firewall rules for Internet connectivity
In order to guarantee the communication between RED optimise and the supervisor devices
connected via Internet, the network needs to permit traffic for the following IP addresses and
ports:

34.249.149.242 (Load Balancer)
  Traffic FROM local supervisors TO RED optimise: Boss family TCP 443, 8443; PlantWatchPRO TCP 2008;
  PlantVisorPRO TCP 443, 8443
  Traffic FROM RED optimise TO local supervisors: stateful related traffic

34.249.247.225 (RED optimise clusters)
  Traffic FROM local supervisors TO RED optimise: Boss family TCP 443, 8443; PlantWatchPRO TCP 80, 1981;
  PlantVisorPRO TCP 443
  Traffic FROM RED optimise TO local supervisors: stateful related traffic; other traffic could be
  needed for debugging (e.g. SSH, Telnet, VNC, etc.)
TIP: In order to simplify the ACL firewall rule configuration, it can be set to accept any
connection from and to both the IP addresses reported above.
3. VPN connection option
3.1. Access from VPN (without cross-VPN DNS) for local supervisors
The parameters to set on local supervisors to communicate with RED optimise in case of
access from VPN without cross-VPN DNS support are defined as follows:
- pCOWeb – address: 10.160.0.3
- PlantWatchPRO – address: 10.160.0.3
- PlantVisorPRO – address: 10.160.0.3
- Boss Family – address: 10.160.0.3
3.2. Access from VPN (with cross-VPN DNS) for local supervisors
The parameters to set on local supervisors to communicate with RED optimise in case of
access from VPN with cross-VPN DNS support are defined as follows:
- pCOWeb – address: s1.remotepro.io
- PlantWatchPRO – address: s1.remotepro.io
- PlantVisorPRO – address: 10.160.0.3
- Boss (until version 1.1.1) – address: 10.160.0.3
- Boss (from version 1.1.1) – address: s1.remotepro.io
3.3. ACL (Access Control List) firewall rules for VPN connectivity
In order to guarantee the communication between the RED optimise cloud and the supervisor
devices connected via VPN, the network needs to permit traffic for the following IP
addresses and ports.

10.160.0.3/32 (Load Balancer VIP)
  Traffic FROM local supervisors TO RED optimise: Boss family TCP 443, 8443; PlantWatchPRO TCP 2008;
  pCOWeb TCP 21, 10000-15000 (Passive-FTP connections); PlantVisorPRO TCP 443, 8443
  Traffic FROM RED optimise TO local supervisors: stateful related traffic

10.160.0.0/24 (RED optimise clusters)
  Traffic FROM local supervisors TO RED optimise: Boss family TCP 443, 8443; PlantWatchPRO TCP 80, 1981;
  pCOWeb TCP 80, 20, 21 (Active-FTP connections); PlantVisorPRO TCP 443, 8443
  Traffic FROM RED optimise TO local supervisors: stateful related traffic; other traffic could be
  needed for debugging (e.g. SSH, Telnet, VNC, etc.)
TIP: In order to simplify the ACL firewall rule configuration, it can be set to accept any connection
from and to both the IP addresses reported above.
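The two ACL tables above (sections 2.2 and 3.3) can be checked mechanically instead of opening the firewall to "any connection". The following is an added example, not Carel's code: it transcribes the "FROM local supervisors TO RED optimise" column into rule data and audits a few constructed flows, showing which ones a minimal rule set would block; the device names and sample flows are assumptions.

```python
"""Evaluate supervisor-to-cloud TCP flows against the RED optimise ACL tables.

Added example, not Carel's code: RULES transcribes the "FROM local supervisors
TO RED optimise" column of sections 2.2 and 3.3; the sample flows are constructed.
"""
import ipaddress
# (destination network, supervisor type, allowed destination TCP port ranges)
RULES = {
    "internet": [
        ("34.249.149.242/32", "Boss", [(443, 443), (8443, 8443)]),
        ("34.249.149.242/32", "PlantWatchPRO", [(2008, 2008)]),
        ("34.249.149.242/32", "PlantVisorPRO", [(443, 443), (8443, 8443)]),
        ("34.249.247.225/32", "Boss", [(443, 443), (8443, 8443)]),
        ("34.249.247.225/32", "PlantWatchPRO", [(80, 80), (1981, 1981)]),
        ("34.249.247.225/32", "PlantVisorPRO", [(443, 443)]),
    ],
    "vpn": [
        ("10.160.0.3/32", "Boss", [(443, 443), (8443, 8443)]),
        ("10.160.0.3/32", "PlantWatchPRO", [(2008, 2008)]),
        ("10.160.0.3/32", "pCOWeb", [(21, 21), (10000, 15000)]),  # passive FTP
        ("10.160.0.3/32", "PlantVisorPRO", [(443, 443), (8443, 8443)]),
        ("10.160.0.0/24", "Boss", [(443, 443), (8443, 8443)]),
        ("10.160.0.0/24", "PlantWatchPRO", [(80, 80), (1981, 1981)]),
        ("10.160.0.0/24", "pCOWeb", [(80, 80), (20, 20), (21, 21)]),
        ("10.160.0.0/24", "PlantVisorPRO", [(443, 443), (8443, 8443)]),
    ],
}

def is_allowed(option, device, dst_ip, dst_port):
    """True if a supervisor of this type may open TCP dst_ip:dst_port."""
    addr = ipaddress.ip_address(dst_ip)
    for net, dev, ranges in RULES[option]:
        # Any matching permit wins, so the VIP 10.160.0.3 also inherits the /24 ports.
        if dev == device and addr in ipaddress.ip_network(net):
            if any(lo <= dst_port <= hi for lo, hi in ranges):
                return True
    return False

def audit(option, flows):
    """Return the (device, dst_ip, dst_port) flows a minimal ACL would block."""
    return [f for f in flows if not is_allowed(option, *f)]

# Constructed flows as a firewall log might record them: (device, dst, dport).
SAMPLE_FLOWS = [
    ("pCOWeb", "10.160.0.3", 12345),        # passive-FTP data channel: allowed
    ("Boss", "10.160.0.17", 8443),          # cluster node inside the /24: allowed
    ("PlantWatchPRO", "10.160.0.3", 2008),  # allowed
    ("pCOWeb", "10.160.0.3", 22),           # SSH is not in the table: blocked
    ("Boss", "10.160.1.5", 443),            # outside 10.160.0.0/24: blocked
]
```

Running audit("vpn", SAMPLE_FLOWS) returns only the last two flows, the ones a rule set limited to the table would drop.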
3.4. VPN configuration
If the connection with RED optimise is performed via VPN, the following configuration details
must be respected.
Suggested values are underlined.

VPN Type                     IPSEC (site to site)
IKE TYPE                     IKEv1 or IKEv2; Main Mode (not aggressive mode)
NAT TRAVERSAL                ENABLED (mandatory) – but a static public IP is mandatory
IKE Phase1 Ciphers           We can accept all modern secure ciphers, but for security,
                             performance and supportability, the following rules apply:
                             Encryption Algorithm: AES only
                             AES Modes: CBC, GCM
                             AES Bits: 128, 192, 256
                             Integrity Algorithms: SHA256, SHA384, SHA512
IKE Phase1 Diffie-Hellman    Group 5, 14, 15, 16, 21
IKE Phase1 Lifetime          28800 seconds (other values can be agreed upon)
ESP Phase2 Ciphers           Same as IKE Phase1
ESP Phase2 Diffie-Hellman    Group 5, 14, 15, 16, 21
ESP Phase2 Lifetime          3600 seconds (other values can be agreed upon)
Dead Peer Detection          Optional, to be evaluated during initial setup. We also suggest
                             that you provide a static private IP address that can be probed
                             (via ICMP ping) to verify VPN tunnel health periodically
Phase 2 Subnet               10.160.0.0/24 – cannot be changed
Phase 2 Subnet (your side)   In case of overlapping subnets, a subnet NAT will be attempted on
                             our side, but support cannot be guaranteed.
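Before the tunnel is requested, the customer-side proposal can be validated against the table above. The following is an added example, not Carel's code: it encodes the table as a checker that distinguishes hard requirements (AES only, SHA-2 integrity, the listed DH groups, Main Mode for IKEv1, the fixed 10.160.0.0/24 subnet) from lifetimes that may be agreed upon; the dictionary layout, field names and sample proposals are assumptions.

```python
"""Check IKE/ESP settings against the RED optimise VPN table (section 3.4).

Added example, not Carel's code: the dictionary layout and field names are
assumptions chosen to mirror the table; the sample proposals are constructed.
"""
DH_GROUPS, AES_BITS = {5, 14, 15, 16, 21}, {128, 192, 256}
AES_MODES, INTEGRITY = {"cbc", "gcm"}, {"sha256", "sha384", "sha512"}
CAREL_SUBNET = "10.160.0.0/24"

def check_phase(name, p, default_lifetime):
    """Findings for one phase (IKE phase 1 or ESP phase 2) as a list of strings."""
    out = []
    if p.get("encryption") != "aes":
        out.append(f"{name}: encryption must be AES only")
    if p.get("mode") not in AES_MODES or p.get("bits") not in AES_BITS:
        out.append(f"{name}: AES must be CBC or GCM with 128/192/256-bit keys")
    # GCM is an AEAD mode, so no separate integrity algorithm is required there.
    if p.get("mode") != "gcm" and p.get("integrity") not in INTEGRITY:
        out.append(f"{name}: integrity must be SHA256, SHA384 or SHA512")
    if p.get("dh_group") not in DH_GROUPS:
        out.append(f"{name}: DH group must be one of {sorted(DH_GROUPS)}")
    if p.get("lifetime") != default_lifetime:  # permitted, but must be agreed
        out.append(f"{name}: lifetime differs from {default_lifetime}s, agree it with Carel")
    return out

def check_vpn(cfg):
    """Findings for a site-to-site configuration; an empty list means compliant."""
    out = []
    # Aggressive mode exists only in IKEv1; the table requires Main Mode there.
    if cfg.get("ike_version") == 1 and cfg.get("ikev1_mode") != "main":
        out.append("IKEv1 must use Main Mode, not aggressive mode")
    if not cfg.get("nat_traversal") or not cfg.get("static_public_ip"):
        out.append("NAT traversal and a static public IP are both mandatory")
    if cfg.get("remote_subnet") != CAREL_SUBNET:
        out.append(f"Phase 2 remote subnet must be {CAREL_SUBNET} (cannot be changed)")
    out += check_phase("IKE phase 1", cfg["ike"], 28800)
    out += check_phase("ESP phase 2", cfg["esp"], 3600)
    return out

# Constructed samples: a compliant IKEv2 proposal and a legacy IKEv1 one.
GOOD = {"ike_version": 2, "nat_traversal": True, "static_public_ip": True,
        "remote_subnet": CAREL_SUBNET,
        "ike": {"encryption": "aes", "mode": "gcm", "bits": 256, "dh_group": 14, "lifetime": 28800},
        "esp": {"encryption": "aes", "mode": "cbc", "bits": 128, "integrity": "sha256",
                "dh_group": 14, "lifetime": 3600}}
LEGACY = {"ike_version": 1, "ikev1_mode": "aggressive", "nat_traversal": True,
          "static_public_ip": False, "remote_subnet": CAREL_SUBNET,
          "ike": {"encryption": "3des", "mode": "cbc", "bits": 168, "integrity": "sha1",
                  "dh_group": 2, "lifetime": 28800},
          "esp": dict(GOOD["esp"])}
```

check_vpn(GOOD) returns an empty list, while check_vpn(LEGACY) reports six findings (aggressive mode, missing static IP, 3DES, a non-AES key size, SHA1 and DH group 2).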
4. OpenVPN client embedded on boss family (VPN Client)
4.1. OpenVPN client configuration up to version 1.7.0
In order to integrate boss family devices with the RED optimise Cloud, it is possible to use the
“OpenVPN client” feature.
The requirements for the correct functioning of OpenVPN are listed below:
· A boss family supervisor with version 1.5.0 or higher must be present;
· Enable DHCP on both the router and boss;
· Outbound traffic on UDP port 1194 (the OpenVPN port) must be permitted;
· In order to safely assign a static IP address to a supervisor connected to a network with a
DHCP server, it is mandatory to perform an IP reservation to avoid address conflicts;
· Verify that boss is able to reach the Internet and that a correct DNS server is set up (e.g. from
"Terminal", available to the Integrator user, you can ping a common website such as
www.google.com);
· Always check that the date and time indicated on the supervisor are correct.
The procedure to follow is described here:
a) Connect the supervisor to a 4G router/LAN connection already configured to reach the Internet.
b) Send the .REQ file to
[email protected] after generating it following the procedure below:
· access the System Administration section of boss as administrator or higher user
· click on Security services
· press the gear symbol corresponding to the “VPN client” item
· download the *.REQ file; we suggest resetting the file before downloading it
c) Import the .P7MB64 file received from
[email protected] following the steps of the image below;
leave UDP (strongly suggested) and click on the “Save” button.
d) Press the “Play” button on the VPN Client;
after a few seconds the VPN Client icon should become green.
e) Configure boss on RED optimise, using as IP the composed string:
boss-<uuid>.prod.rmpro.openvpn
where <uuid> is the filename (without the extension) of the .P7MB64 file
Example:
filename: b45d8f60-f17b-11e9-a73c-000babc76dc7.P7MB64
uuid: b45d8f60-f17b-11e9-a73c-000babc76dc7
composed string to use in RED optimise as supervisor IP address:
boss-b45d8f60-f17b-11e9-a73c-000babc76dc7.prod.rmpro.openvpn
h) Configure boss to call RED optimise on IP address 198.19.255.3 from
Configuration > I/O Configuration > RemotePRO tab, and then restart the Engine.
4.2. OpenVPN configuration starting from Service Pack 1.8.0
The requirements indicated in chapter 4.1 remain valid and mandatory.
Starting from release 1.8.0 of the Boss family supervisory service pack, the procedure for activating
the VPN Client service has slightly changed.
The user must follow the steps below:
a) Access the System Administration section of boss as administrator or higher user
b) Go to Settings -> VPN Client Config -> Add RemotePRO VPN
c) Download the REQ file; we suggest resetting the file before downloading it (Reset Request
button)
d) Import the P7MB64 certificate file received back from
[email protected] following the
steps of the image below;
leave UDP (strongly suggested) and click on the “Save” button.
e) Press the “Play” button on the VPN Client from “Security services”:
after a few seconds the VPN Client icon should become green.
f) Configure boss on RED optimise, using as IP the composed string:
boss-<uuid>.prod.rmpro.openvpn
where <uuid> is the filename (without the extension) of the .P7MB64 file
Example:
filename: b45d8f60-f17b-11e9-a73c-000babc76dc7.P7MB64
uuid: b45d8f60-f17b-11e9-a73c-000babc76dc7
composed string to use in RED optimise as supervisor IP address:
boss-b45d8f60-f17b-11e9-a73c-000babc76dc7.prod.rmpro.openvpn
g) Configure boss to call RED optimise on IP address 198.19.255.3 from
I/O Configuration -> RemotePRO and then restart the engine.
x. RELEASE NOTES
Software version - date | Manual version - date | Release
CAREL INDUSTRIES - Headquarters
Via dell’Industria, 11 - 35020 Brugine - Padova (Italy)
Tel. (+39) 049.9716611 - Fax (+39) 049.9716600
e-mail:
[email protected] - www.carel.com