SIEMENS Energy cRSP Checklist v7.0

cRSP Checklist for Energy

After completing this network checklist please send it by email to crsp-helpdesk.energy@siemens.com and in addition to BU Responsible.

1. Order and Contact Information


Purchase Order Number:*
cRSP Site Name:*
1.1 Customer
IfA number - https://cmd.siemens.com
Company / Customer name:* ENGIE BRASIL ENERGIA
Site:* PAMPA SUL
Street:*
Restricted / Copyright © Siemens Healthcare GmbH, 2018. All rights reserved.

Postcode - City:* -
Country:*
1.2 cRSP Customer Site Administrator
Name:*
Phone Number:*
Email:*
1.3 cRSP Customer Site Owner
Name:*
Phone Number:*
Email:*
(This email address is used to keep you notified about the connection process.)
1.4 On-Site engineer
Name:*
Phone Number:*
Email:*
1.5 Customer Firewall and Network Contact
Name:*
Phone Number:*
Email:*

Remarks

Place, Date Signature / Name


Note: The Orderer / Site Owner is responsible for the compliance with the Siemens guidelines and policies.

Legal notice: The collected data is processed and stored according to the German Data Protection Act (BDSG). The
sender of this checklist is responsible to ensure that collection and storage of data is in line with the country of origin's
legislation.

*Mandatory fields

cRSP Energy v7.0 10/2016 Page 1/9



2. Ordered cRSP Connection


2.1 New cRSP connection
via Siemens Owned Access (SOA) router with dedicated WAN access: please fill out sections 4 and 7
via Siemens Owned Access (SOA) router behind customer router (see Appendix B): please fill out sections 5 and 7
via Customer Owned Access (COA) router/firewall: please fill out sections 6 and 7
via Internet Based Connectivity (SSL VPN): please fill out section 7
via Intranet Access Server: please fill out section 7
2.2 Adding systems to existing cRSP site
to existing SOA or COA cRSP site: please fill out sections 3 and 7

3. Existing SOA Router or Customer Owned Access


Please fill out at least one of the following options:
cRSP Site Name PAMPA SUL
cRSP Communication Interface or Router Name
Continue with section 7

4. Siemens Owned Access (SOA)


Router is already installed or will be installed on . .20 (MM.DD.YYYY)
4.1 LAN - IP configuration parameters for the network interface connected to I&C* LAN or DMZ
IP Address (LAN Interface)
Netmask
IP Gateway (only needed if target systems are not in the
same network)
4.2 Internet (Broadband DSL, 3G, 4G / LTE)
Static WAN IP of the dedicated internet connection
(provided by ISP - Internet Service Provider)
Dynamic WAN IP - Please enter Router Serial Number
Continue with section 7

*I&C = Instrumentation and Controls


5. SOA router behind customer router (see Appendix B)


Router is already installed or will be installed on . .20 (MM.DD.YYYY)
5.1 LAN - IP configuration parameters for the network interface connected to I&C* LAN or DMZ
IP Address (LAN Interface)
Netmask
IP Gateway (only needed if target systems are not in the
same network)
5.2 WAN interface
Static WAN IP address of the customer internet endpoint
(provided by ISP - Internet Service Provider)
IP Address (WAN interface) of the SOA router on the
customer LAN

Default Gateway of the WAN interface of the SOA router
Continue with section 7

*I&C = Instrumentation and Controls

6. Customer Owned Access (COA)


cRSP Site Name PAMPA SUL
Static WAN interface IP address / Endpoint IP address: 200.9.2.254
Encryption domain (not bigger than class C). If this is not possible, the encryption domain will be treated as host based.
172.22.0.0 / 27
Session Key Setup / IPSec Phase 1 (at lifetime 24 hours)
IKE Protocol v1 IKE Protocol v2
Authentication SHA-256 Encryption AES-CBC-256
Key-Exchange operation security DH-group-14 (2048 bit)
Tunnel Transformation / IPSec Phase 2 (at lifetime 1 hour)
AH-Authentication SHA-256 ESP-Authentication SHA-256 ESP-Encryption AES-256
PfS DH-group-14 (2048 bit)
Preshared Secret #@fLJ2Fu6NL_4wsJ
Please note: if a preshared secret is indicated above, the checklist must be transferred securely (e.g. encrypted email or SecuFex). Otherwise the secret must be negotiated via telephone.
Continue with section 7

7. Serviced Systems***
Hostname | Product Type | System Type* | Operating System | IP Address | Netmask | Gateway(s)** | Router-HW Port | Application*

* Optional fields
** Mandatory if cRSP Router and System are in a different subnet
*** In case of SPPA-T3000, please refer to the details in appendix A7.

Please check whether all fields are filled out and correct.

APPENDIX A
In case of any doubts filling out the cRSP Configuration Management checklist, please read the
corresponding section in this Appendix carefully.
If you still have questions after having read the appendix, please feel free to contact the cRSP
Helpdesk:
Hotline: +49 (9131) 611-2895
crsp-helpdesk.energy@siemens.com
Service time: Mon – Sun 00.00 - 24.00

1. Order and Contact Information:


Purchase Order Number:

The cRSP Solution Package must be ordered via SAP. We require this SAP order number to
proceed with the configuration process. You can get this number from the person who placed
the order in SAP.
1.1 Customer:
Please state here the company or customer name and the location of the cRSP connection.
1.2 cRSP Customer Site Administrator:
This contact is the administrative person for that site. This contact grants you the rights to access the
site/system and/or gives you access to the cRSP platform. This person will be contacted by the cRSP
helpdesk in cases where there are further questions regarding the connection or a SIEMENS service
technician is required on site to offer assistance. This person grants access for users to the site via the
standard grant request procedure.
1.3 cRSP Customer Site Owner
This contact is the SIEMENS representative who takes responsibility for the cRSP connection. This
person will be contacted by the cRSP helpdesk in cases where there are further questions regarding the
connection or a SIEMENS service technician is required on site to offer assistance. This person will be
informed about any status change of this connection until it is successfully completed and also grants
access for users to the site via the standard grant request procedure.
1.4 On-Site engineer
This person is the on-site expert (customer, engineering office, Siemens engineer, etc.) who will install,
connect and preconfigure a SOA router according to the provided hardware installation guide, or
configure/adapt network settings on the serviced system.
1.5 Customer Firewall and Network Contact
This contact is the person who takes responsibility for the customer’s IT network. This person will be
contacted to establish a cRSP connection using customer owned access equipment. Furthermore, this
person will be contacted (either from the cRSP helpdesk employee or via the Siemens contact) when
there are further questions or tasks to perform regarding the network infrastructure between the cRSP
access router and the serviced systems (e.g. additional routers or firewalls).

2. Ordered cRSP Connection:


Please choose one of the options below, depending on your ordered solution.
2.1 New cRSP connection
via SOA (Siemens Owned Access) router
SIEMENS owned access uses equipment which is delivered and installed by the Siemens contact (1.3).
To use SOA, the customer has to supply an ADSL/SDSL/Cable modem or an Ethernet line which meets
the following requirements:
1. The IP address must be assigned either by a static assignment which can be directly configured into
the device, DHCP or PPPoE/PPPoA.
2. The IP address assigned must be public internet routable. (No private address range like 192.168.x.x,
10.x.x.x, 172.16.x.x, 169.254.x.x is allowed).
3. The IP address assigned may be either static or dynamically assigned. If the address is dynamically
assigned, please ensure that the router ordered is capable of handling dynamic DNS.
4. The line should be capable of handling at least 4MBit/768kBit in downstream/upstream. Due to the fact
that the data volume depends on the number/type of systems and services used we strongly recommend
using a volume independent plan.
If you are unsure about the line the customer has ordered or should order please confirm with the
cRSP Helpdesk. Please read Appendix B about routing and where to place the router in the customer’s
network.
via SOA router behind customer router
This means that the SOA router is located behind a customer router/firewall and has no Internet
reachable IP address assigned.
Please see Appendix B. Also please ensure that all necessary ports and protocol forwarding listed there
are correctly configured by the customer IT administration.
via COA (Customer Owned Access) router/firewall
Customer owned access is used if the customer wants to establish the connection to the cRSP via
existing IT infrastructure which is managed by the customer or by external consultants. In this case we need to
know which technology the customer wants to use. Please check if 1.4 is correctly filled out to ensure we
can reach the person who will be managing the equipment on the customer site. Please note that even
though we can offer help for a large number of IT equipment, the final responsibility for configuring the
customer owned equipment is on the customer’s side.
In case of COA the customer network contact will be contacted directly after receiving the checklist by a
cRSP helpdesk specialist. If you wish to specify a special time frame for that contact, please note it in the
remark section on the first page of the checklist. The customer has to offer a standard compliant IPSEC
endpoint (this may be a VPN concentrator, a firewall or a router with IPSEC feature) where a tunnel-mode
(network to network) IPSEC connection can be established.
For the supported encryption and tunnel parameters, please refer to section 6.
via Internet Based Connectivity (SSL VPN)
SSL VPN communication port is 443; VPN endpoints are as follows:

Europe / Africa
Primary 194.138.37.194
Fallback 12.46.135.194

America / Canada
Primary 12.46.135.194
Fallback 194.138.37.194

Asia / Pacific
Primary 194.138.240.119
Fallback 194.138.37.194

via Intranet Access Server


Connecting Siemens Intranet systems to cRSP
- Host addresses must be reachable via Siemens Intranet
- Department specific firewall or router must be opened for traffic from and to cRSP IAS Server
(responsibility at customer)

2.2 Adding systems to existing cRSP site


to existing SOA or COA cRSP site
Choose this option if you want to connect systems to already existing cRSP sites which are connected via
SOA or COA router.

3. Existing SOA Router or Customer Owned Access


If there is already an existing cRSP connection, please state at least one of the properties.

7. Serviced Systems

Please fill in all systems which shall be reachable over the cRSP platform:

Hostname
This is the name of the system under which it is found in the cRSP. This is not required to be unique.

Product
This is the product that system belongs to (e.g. T2000, T3000, WIN TS).
System Type
This is the system type which describes the system (e.g. GT11RSB for PGP or u01es1 for PGL). This is
not a mandatory section, but if it is provided, in most cases it is not necessary to also specify the service
application(s).

Operating System
To find out which protocols / applications are needed to service this system, it may be necessary to
know which operating system (e.g. Microsoft Windows Server 2003, Linux, Solaris etc.) is installed on the
device. This only applies to product types which may occur with different operating systems in the field.

IP Address
The IP address at which the system can be reached from the cRSP platform. In the case of COA this
may differ from the IP address seen in the system itself (e.g. if the customer is using NAT (network
address translation) somewhere inside the network). If you are in doubt, please ask the Local Network
Contact. This field is mandatory.

Netmask
The netmask describes the size of the local IP network and is configured in the serviced system. This field
is mandatory.

Routerport / Gateway
If the cRSP router exists in another subnet, the system needs the next hop (router) to reach the cRSP
platform. Completing this section is recommended, even if we only need this information for
troubleshooting purposes. Please enter the relevant router information of the system towards the cRSP,
either the gateway (should the system not be connected directly) or the specific port used on the Cisco.

Application
We need to be informed which application should be enabled to perform service for
the system.

Please enter the name of the application from the list below.

The following applications are currently supported by the cRSP platform:

http
ftp
Citrix Terminal Server
BACnet
FS Remote Control
Scp
MS Terminal Server
NetOP
Netmeeting
pcAnywhere
OSM
Tarantella
Timbuktu
VNC
X11
HP Unicenter SysMgmt
CA SysMgmt
UUCP
telnet
netbios
http
Stratus CallHome / ping
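
A pre-submission check of the address rules this checklist states (public WAN IP for SOA, encryption domain not bigger than class C for COA, gateway mandatory when cRSP router and system are in different subnets), as an added example that is not part of the Siemens checklist. The dictionary layout, field names and sample values are assumptions, and the check that the gateway lies inside the system's subnet is an extra sanity check not stated on the form.

```python
import ipaddress

def wan_ip_problem(addr):
    """SOA requirement 2: the WAN address must be public internet routable."""
    ip = ipaddress.ip_address(addr)
    # is_global is False for RFC 1918, link-local (169.254/16) and other reserved ranges
    return None if ip.is_global else f"WAN IP {ip} is not publicly routable"

def encryption_domain_problem(cidr):
    """Section 6: the COA encryption domain must not be bigger than class C (/24)."""
    try:
        net = ipaddress.ip_network(cidr.replace(" ", ""), strict=True)
    except ValueError as exc:
        return f"encryption domain {cidr!r} is not a valid network: {exc}"
    if net.prefixlen < 24:
        return f"encryption domain {net} is bigger than class C"
    return None

def system_problems(row, router_lan_ip):
    """Section 7: IP and netmask are mandatory; gateway is mandatory across subnets."""
    name = row.get("hostname", "?")
    if not row.get("ip") or not row.get("netmask"):
        return [f"{name}: IP address and netmask are mandatory"]
    subnet = ipaddress.ip_network(f"{row['ip']}/{row['netmask']}", strict=False)
    if ipaddress.ip_address(router_lan_ip) in subnet:
        return []  # router is on-link, no next hop needed
    gateway = row.get("gateway")
    if not gateway:
        return [f"{name}: router {router_lan_ip} is outside {subnet}, gateway is mandatory"]
    # Added sanity check (assumption): the next hop must itself be on-link
    if ipaddress.ip_address(gateway) not in subnet:
        return [f"{name}: gateway {gateway} is not inside {subnet}"]
    return []

def validate(form):
    """Return a list of human-readable problems; an empty list means the form passes."""
    problems = [wan_ip_problem(form["wan_ip"])] if form.get("wan_ip") else []
    problems += [encryption_domain_problem(c) for c in form.get("encryption_domains", [])]
    for row in form.get("systems", []):
        problems += system_problems(row, form["router_lan_ip"])
    return [p for p in problems if p]

# Constructed sample form with hypothetical field names (not data from the page)
SAMPLE = {
    "wan_ip": "192.168.1.10", "router_lan_ip": "172.22.0.1",
    "encryption_domains": ["172.22.0.0 / 27", "10.20.0.0/16"],
    "systems": [
        {"hostname": "ts01", "ip": "172.22.0.10", "netmask": "255.255.255.224"},
        {"hostname": "hmi02", "ip": "172.22.1.20", "netmask": "255.255.255.0"},
        {"hostname": "hist03", "ip": "172.22.1.21", "netmask": "255.255.255.0",
         "gateway": "172.22.1.1"}]}
```
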

Note for T3000:


According to the T3000 security requirements, direct access from cRSP to the Application
Server(s) is prohibited. Remote access to the Application Servers must happen via a
Terminal Server (TS). Two options are possible:

1. If a dedicated T3000 TS exists, please enter the Terminal Server's data into the
“Serviced Systems List”.
Application: Remote Desktop Protocol RDP

2. If NO dedicated T3000 TS exists, a Thin Client (e.g. the Swap out Server) shall be
configured as "Remote Client" (with RDP enabled). Please enter the Remote Client's data
into the “Serviced Systems List”.
Application: Remote Desktop Protocol RDP

Special Requirement for STRATUS Application Servers


The feature "Call Home" must be configured on all Stratus Application Servers. As a
consequence, Call Home requires an outgoing connection (Stratus Server -> cRSP)

If a Stratus Server is on site, the server's data must be entered into the "Serviced Systems
List" with Application Type "CallHome/ping" and System Type "Hidden".

APPENDIX B
1. cRSP VPN-Endpoints
EUROPE / AFRICA
VPN ENDPOINT cRSP Network
Primary 194.138.39.1 194.138.39.0/27
Fallback 12.46.135.193 129.73.116.64/27

AMERICAS / CANADA
VPN ENDPOINT cRSP Network
Primary 12.46.135.193 129.73.116.64/27
Fallback 194.138.39.1 194.138.39.0/27

ASIA / PACIFIC
VPN ENDPOINT cRSP Network
Primary 194.138.240.3 194.138.243.160/27
Fallback 194.138.39.1 194.138.39.0/27

2. Siemens Router (SOA) behind customer router/firewall


If you are performing a SOA connection and the Siemens router is behind a customer firewall or border router, please
forward the following ports to the Siemens router WAN interface, see below:

Please forward and open the following ports bidirectionally on your router/firewall:


IKE: Source 194.138.39.1, 12.46.135.193, 194.138.240.3; Destination Siemens router; Protocol UDP; Port-Nr. 500
IKE NAT Traversal: Source 194.138.39.1, 12.46.135.193, 194.138.240.3; Destination Siemens router; Protocol UDP; Port-Nr. 4500
ESP: Source 194.138.39.1, 12.46.135.193, 194.138.240.3; Destination Siemens router; Protocol IP; Port-Nr. 50

Port Forwarding from Internet to Siemens router:


SSH (Administration): Source 213.146.112.253, 213.146.112.254; Destination Siemens router; Protocol TCP; Port-Nr. 22

Allow from Siemens router to Internet:

HTTPS: Source Siemens router; Destination 194.138.39.3, 12.46.135.196, 194.138.240.114, 185.181.24.2, 206.208.5.2, 213.146.112.253, 213.146.112.254; Protocol TCP; Port-Nr. 443

*I&C = Instrumentation and Controls

