
Application Note 3ADR010650


APPLICATION NOTE

SECURE REMOTE ACCESS VIA SECOMEA GATEWAY
REMOTE ACCESS
Contents
1 Introduction
1.1 Scope of the document
1.2 Compatibility
1.3 Components
1.4 Roles referred to in this Guide

2 Remote Connections
2.1 What is VPN
2.2 What is DynDNS
2.3 Conclusion
2.4 What is the benefit of using Secomea
2.5 Remote Access benefits

3 GateManager Introduction
3.1 GateManager Setup
3.1.1 Logging on to the GateManager
3.1.2 Adding a LinkManager user to Domain

4 LinkManager Setup
4.1 Setting up LinkManager on your computer

5 SiteManager Setup
5.1 Using Appliance Launcher to setup a SiteManager
5.2 SiteManager Connection
5.2.1 Connection to the SiteManager GUI
5.3 AC500 V2 on SiteManager
5.3.1 Setting up the SiteManager to run with AC500 V2
5.4 AC500 V3 on SiteManager
5.4.1 Setting up the SiteManager to run with AC500 V3
5.5 CP600 HMI on SiteManager
5.5.1 Setting up the SiteManager to run with CP600 Panel
5.5.2 BSP V1.3.x
5.5.3 BSP V1.0.x

6 Appliance agent connections
6.1 Connecting to the ABB appliances on the Site Manager
2 3ADR010650, 2, en_US

1 Introduction

1.1 Scope of the document


This document describes how to establish a secure connection to an ABB AC500 PLC or
CP600 panel using a Secomea gateway.

The Gateway provides monitoring and control functions of field devices via internet access or
cellular network from a central site or control center. The devices offer industrial quality
connectivity for TCP/IP based protocols.

1.2 Compatibility
The procedures described in this application note have been used with the engineering
system versions below. They should also work with other versions; nevertheless, some small
adaptations may be necessary for future versions.

• AC500 V2, V3 PLC and CP600 HMIs

• Automation Builder in any version; we recommend using the latest version

• Internet access or SIM card to access the internet

1.3 Components
The three main components used in this document are explained here:

SiteManager™

• On site in the factory (hardware)

LinkManager™

• Internet or Windows based client for the technician or end user (for desktops
and mobile devices)

GateManager™

• M2M server that connects the SiteManager and the LinkManager (cloud-based or
standalone)

1.4 Roles referred to in this Guide


LinkManager User

This role is held by the PLC programmer or service engineer:

• Connect remotely to equipment for servicing/programming the equipment.

SiteManager Installer

This role covers the following tasks:

• Physically install SiteManagers (often done by the service engineer or the customer)

• Configure network settings (primarily GateManager access)

2 Remote Connections

2.1 What is VPN


A VPN is a “Virtual Private Network”. This means that there is no separate physical
connection; instead, an existing communication network is used as the transport medium. So,
it is like connecting directly to the other company network via a network cable, but without
doing this physically. Nowadays a VPN connection is normally encrypted, and you can only
connect to a network for which the necessary connection information is known.

In short, you connect to an end device (firewall, router) in the network and then work in the
target network as if you were connected locally.

2.2 What is DynDNS


DynDNS or “Dynamic Domain Name System” is a method with which DNS entries in domains
can be updated dynamically. This is particularly advantageous if the connection destination
does not have a fixed IP address and you do not always want to search for the new IP in order
to connect.

This could be the case if you want to log in to a router without a fixed IP address.

You can configure such a DynDNS address for the terminal server and then log in to the
server from anywhere using this address.

2.3 Conclusion
Advantages of VPN:

• Secure connection through encryption

• Can be configured for a permanent connection

Disadvantages of VPN:

• An additional client is required

Advantages of DynDNS:

• No additional software required

Disadvantages of DynDNS:

• Unencrypted access.

• Open to the outside world. Anyone who knows the URL can access it.

If you want a secure connection, you should definitely use VPN to work on the terminal server
from outside. It is much safer to work with this method thanks to the encryption of the data
transfer and the general access protection.

However, if you do not want an extra client, or if security is not so important because
it is a sealed-off system and no sensitive data is used there anyway, you can also use DynDNS.

Using a secure connection is strongly recommended. A proven solution that has already
been qualified with AC500 and CP600 devices is to use the 3rd party Secomea gateway.


2.4 What is the benefit of using Secomea


Secomea allows remote access to PLCs and connected equipment such as robots and HMIs. This
enables configuration, programming and diagnostics with the standard PC-based configuration
tool from anywhere, just as if you were there on site. Once a customer grants permission,
after ensuring hardware and software related security conditions are met, ABB or partner
service personnel can access and supervise connected equipment remotely. This ultimately
leads to increased efficiency and fast troubleshooting.

2.5 Remote Access benefits


Remote Access helps reduce commissioning and warranty costs. It ensures quick access to
the site to react to unplanned tasks. You will be able to obtain instant detailed information on
cell performance, process quality and health. Benefits include:
• Remote Access and Remote Monitoring on the same secure platform
• Remote solution to perfect troubleshooting
• Reduction of service incidents
• Faster issue resolution
• Improved Technical Support efficiency
• Access to all benefits of the Automation Builder platform
• Increased flexibility with common support platform

Functionalities                     Automation Builder   PLC   HMI
Connection to a controller          X                    X     X
Modifying or loading of a project   X                    X     X
Viewing Event Logs                  X                    X     X
Backup and restore                  X                    X     X
Reboot the controller               X                    X     X
File Transfer                       X                    X     X
Debug program                       X                    X     X
View and configure input/output     X                    X     X

Cyber Security
• Security certified ref. IEC 62443 / NIST / BSI
• Strong end-to-end encryption
• Two-factor and three-factor authentication
• Event test logs
• Role-based account management
• Standard measures to mitigate the risk of vulnerabilities due to incorrect configuration
or human inattention

3 GateManager Introduction
The GateManager is your central drag’n’drop tool for seamless user and device management,
providing secure access to PLCs, HMIs and other equipment remotely. It operates as a secure
termination point for LinkManager Clients and SiteManager Gateways. All encrypted traffic
between LinkManager Clients and industrial devices controlled by the SiteManagers is
handled by the GateManager.

With the GateManager IoT server, you administer accounts and individualized access, manage
devices, configure alarms, send invitations to users and much more.

The GateManager Server hosted by Secomea is designed to deliver the convenience of fast
and easy web access, while avoiding internal server setups. When you choose the
GateManager cloud server, you receive an isolated private domain on the GateManager
server, and you are ready to go.


3.1 GateManager Setup


3.1.1 Logging on to the GateManager

The Secomea GateManager is a web-based utility that can be accessed through any browser.
You will need the following to access your GateManager Portal.

Login information:

• .gmc license file and a password

All this information is sent to you in an e-mail by the local administrator.

The steps below describe how to log in with the credentials and how to use the
portal to set up your Secomea-based solution.

In the e-mail you will receive all the following information:

1. The .gmc security file; you will need to save this to a folder on your computer
2. The password attached to the .gmc file
3. The link to the specific GateManager server
4. The GateManager address in IP address format [used in the setup of SiteManager(s)]
5. The GateManager domain token [used in the setup of SiteManager(s)]

Source: http://www.gate-manager.it/app_notes/GateManager_5_Server_STEP2_v2.pdf

Please note:
• The e-mail that you receive from the global domain administrator is only for the
intended administrator(s) of this domain
• All the information in this mail will enable you to set up and administrate the domain

Logging into the GateManager is a three-step process:

Step 1

Save the .gmc logon encryption file to a directory on your computer

1. Click on the ”˅” to open the options menu for the attached file
2. Click on ”Save As”
3. Select the folder you want to save the logon encryption file to
4. Click on ”Save” to save the .gmc file to the selected folder

Step 2

Copy the assigned password and click on the link to the GateManager domain

1. Highlight and copy the password that you have been assigned in the mail
2. Click on the link to the GateManager Service to open it up in the default browser
3. Please remember to bookmark this page in your default browser

Step 3

Logging in to the GateManager

1. Your default browser will open up a GateManager login screen
2. Select ”Certificate”
3. Click on ”Choose File” and select the file from the saved location
4. Paste in the previously copied password in the ”Password” field
5. Click ”Login”
6. Create a new password for your GateManager account
7. Click ”Continue”


3.1.2 Adding a LinkManager user to Domain


The LinkManager user is a way to gain access to all the resources within the GateManager
domain. This user will be able to log in to all of the SiteManagers on the domain. The
GateManager administrator must set up and send the LinkManager login details to the users
that are needed on the domain.
You will need to be logged on as GateManager administrator to be able to create or edit
LinkManager / SiteManager users / utilities.
Current domain setup is shown below

Creating a new LinkManager user is a two-step process

Step 1

Creation of a new account

1. Right-click on the top of the domain (here ”ABB Test Domain”)
2. Select ”Create Account”

Step 2

Setting up account details and sending an e-mail to the LinkManager User

1. Fill in the LinkManager account name and select ”LinkManager User” in the drop-down
menu
2. Fill in the account user details
3. Select the method of signing in and set, if needed, a fixed time limit on the account
4. Fill in the contact details of the person to whom you want to send the e-mail containing
the security certificate and login details
5. To send the e-mail and activate the account, click ”Save”


4 LinkManager Setup

4.1 Setting up LinkManager on your computer


The LinkManager user is a way to gain access to all of the resources within the GateManager
domain. This user will be able to log in to all of the SiteManagers on the domain. The
GateManager domain administrator will send you an e-mail containing all the login
information and certificates. This section explains how to set up the LinkManager and
how to access the domain data providers.
This can be done in 3 steps:

Step 1

Downloading and installing the latest version of LinkManager from Secomea

1. Open your default browser and go to:
   https://ftp.secomea.com/pub/download-linkmanager.html
2. Select the version of LinkManager that you need (32/64 bit) and download it
3. Right-click and run it as administrator
4. LinkManager will now run as a plug-in in your default browser

Step 2

Setting up the LinkManager connection in your browser

1. Open the e-mail you have received from the GateManager administrator containing
the LinkManager .lmc security certificate.
2. Save the .lmc file to a folder on your computer
3. Copy the password from the mail using the ”CTRL-C” command
4. Click on the link in the e-mail to the LinkManager account to open it in your default
browser

Step 3

Logging in to your LinkManager account

1. After opening the link you will see the login screen to the GateManager domain
2. Click on ”Choose File” to be able to select the .lmc file that you have just saved to
your computer
3. Click on the ”Password” field and then right-click and paste in the password to the
LinkManager
4. Click on ”Login” to log in to the GateManager domain
5. You should now be logged into the LinkManager account on the GateManager domain


Please note:
• There are no attached SiteManager applications in this example.

5 SiteManager Setup

5.1 Using Appliance Launcher to setup a SiteManager


The SiteManager is a transparent access gateway that will permit both access to and from
the application(s) attached to the device ports on the unit. This supports network, USB and
serial traffic, since there are all these types of ports on the SiteManager hardware.
In this section we will set up a SiteManager to run on our GateManager domain. To do
this we will go through 3 steps.

Step 1

Downloading and installing the latest version of Secomea Appliance Launcher

1. Open your default browser and go to:
   https://kb.secomea.com/helpdesk/KB/View/25067532-downloads-appliance-launcher
2. Install it on your computer
3. Connect your SiteManager to a 24VDC power supply and then connect your computer
to one of the SiteManager device ports.
4. Connect the ”Uplink1” port to the internet either through your router / firewall or
directly

Step 2

Installing and running the Secomea Appliance Launcher

1. Download the application
2. Right-click and then run the Appliance Launcher as an administrator
3. Click ”Search” to bring up the list of appliances
4. Select the SiteManager you want to set up
5. Click ”Next >” to proceed to the next step of the setup


Step 3.1

Setup the SiteManager—LAN/DEV1 Port Parameters

1. Type in the IP address and subnet that you need to communicate with your hardware
2. Click ”Next >” to proceed to the next step

Step 3.2

Setup the SiteManager—WAN/UPLINK Parameters

1. Type in the configuration needed to connect through your firewall or with your
Internet Service Provider (ISP)
2. Click ”Next >” to proceed to the next step

Step 3.3

Setup the SiteManager—WAN2/UPLINK2 Parameters (only if needed to run this)

1. Setup the secondary ISP settings in these parameters either on WAN2 or as a 3/4/5G
provider
2. Click ”Next >” to proceed to the next step

Step 3.4

Setup the SiteManager—GateManager Connection

1. Type in the GateManager IP address and the Domain Token; these are provided in the
mail with the login information (see section describing the LinkManager setup)
2. Now type in the appliance name, this will be visible when
3. Click ”Next >” to proceed to the next / final step
4. Click ”Save/Reboot” and then finish the setup and exit the Appliance Launcher


The SiteManager is a transparent access gateway that will permit both access to and from
the application(s) attached to the device ports on the unit. This supports network, USB and
serial traffic, since there are all these types of ports on the SiteManager hardware.
In this section we will set up a SiteManager to run on our GateManager domain. To do
this we will go through 3 steps.

Step 1

Connect the device to the WAN / Internet

1. Connect the ”Uplink1” port to the internet either through your router / firewall or
directly

Step 2

Creation of the SiteManager configuration as GateManager administrator

1. Log in to the GateManager and click the root folder of the domain that you want
the SiteManager to be part of.

2. On the right-hand side, click the USB icon next to the “Domain token:” field.

3. GateManager will open the window seen below – fill out the “Appliance Name:” field – you
can also fill out the other fields if you already know what they are going to be.

4. Click the “Create” button and save the file, then copy it to the root of your
USB stick.


5. Power on the SiteManager and wait for “POWER” to show a permanent green light
and “STATUS” to show a permanent red light or to blink red 2 times.
6. Insert the USB stick into one of the USB slots and wait for the “STATUS” LED to start
blinking red 2 times.
7. When both “POWER” and “STATUS” show a green light, your SiteManager is ready
to be used
8. It will show up in GateManager with the Appliance Name you gave it and a green
checkmark

5.2 SiteManager Connection


5.2.1 Connection to the SiteManager GUI
The SiteManager is a transparent access gateway that will permit both access to and from
the application(s) attached to the device ports on the unit. This supports network, USB and
serial traffic, since there are all these types of ports on the SiteManager hardware.
This section describes how to set up the devices attached to the SiteManager
through the connection and the Graphical User Interface (GUI).

Step 1

Connect to the device through your LinkManager application

1. Open the bookmark that you have created for your logon to the Secomea utilities
2. Click on the LinkManager utility
3. Select the correct certificate, type in the password for the certificate
4. Click on ”Login” to log in to the LinkManager account
5. Select the appliance that you need to add appliances to
6. Click on the ”SiteManager GUI” to open and log in to the SiteManager GUI

When you log in to the SiteManager GUI you are able to set up the appliance agents for the
hardware that you wish to connect to. With the correct setup you are able to access all the
features that you want in the connected appliance.

Step 2

How to add an appliance agent on your SiteManager

1. Click on ”GateManager” to access the setup of appliance agents


2. Click on ”Agents” to access the setup of appliance agents
3. Click on ”New” to add an appliance agent to the SiteManager
4. You are now ready to continue with the setup of the appliance agent that you need

5.3 AC500 V2 on SiteManager
5.3.1 Setting up the SiteManager to run with AC500 V2
Now that you have added the appliance agent, we have to set it up as an AC500 V2 PLC. This
will be done by completing the following steps:

Step 3a

How to set up an AC500 V2 PLC on your SiteManager

1. Click on ”Device Name” field and fill out a unique name on the SiteManager
2. Click on the left drop-down menu ”Device Type” and select ”ABB”
3. Click on the right drop-down menu ”Device Type” and select ”PLC”
4. Click on the edit icon to access the parameters menu of the appliance agent

We have set up the basic parameters of the appliance agent; we now need to set up the
advanced settings. These define how we connect and what we are able to access through the
connection.


Step 3b

How to set up an AC500 V2 PLC on your SiteManager

1. Click on and type in the device IP address in the ”Device Address” field
2. Fill in the ports needed for access to the specific TCP ports in the ”Extra TCP ports”
3. Click on ”Ping” to test the connection IP address
4. Click on ”Save” to save the configuration of the connection
5. Finally click on ”Back” to get back to the appliance agent overview.

You can now log out of the SiteManager and utilize the connection as described in the final
section.

Please note:
• The IP address typed in is the standard IP address of the AC500 platform
• The ports typed in are the ports needed to connect and fully utilize the features
of the connection

5.4 AC500 V3 on SiteManager
5.4.1 Setting up the SiteManager to run with AC500 V3
Now that you have added the appliance agent, we have to set it up as an AC500 V3 PLC. This
will be done by completing the following steps:

Step 4a

How to set up an AC500 V3 PLC on your SiteManager

1. Click on ”Device Name” field and fill out a unique name on the SiteManager
2. Click on the left drop-down menu ”Device Type” and select ”ABB”
3. Click on the right drop-down menu ”Device Type” and select ”PLC”
4. Click on the edit icon to access the parameters menu of the appliance agent

We have set up the basic parameters of the appliance agent; we now need to set up the
advanced settings. These define how we connect and what we are able to access through the
connection.


Step 4b

How to set up an AC500 V3 PLC on your SiteManager

1. Click on and type in the device IP address in the ”Device Address” field
2. Fill in the ports needed for access to the specific TCP ports in the ”Extra TCP ports”
3. Click on ”Ping” to test the connection IP address
4. Click on ”Save” to save the configuration of the connection
5. Finally click on ”Back” to get back to the appliance agent overview.

You can now log out of the SiteManager and utilize the connection as described in the final
section.

Please note:
• The IP address typed in is the standard IP address of the AC500 platform
• The ports typed in are the ports needed to connect and fully utilize the features
of the connection

5.5 CP600 HMI on SiteManager
5.5.1 Setting up the SiteManager to run with CP600 Panel
Now that you have added the appliance agent, we have to set it up as a CP600 HMI Panel.
This will be done by completing the following steps.

5.5.2 BSP V1.3.x


Step 5a

How to set up a CP600 Panel on your SiteManager

1. Click on ”Device Name” field and fill out a unique name on the SiteManager
2. Click on the left drop-down menu ”Device Type” and select ”ABB”
3. Click on the right drop-down menu ”Device Type” and select ”CP600 HMI”
4. Click on the edit icon to access the parameters menu of the appliance agent

We have set up the basic parameters of the appliance agent; we now need to set up the
advanced settings. These define how we connect and what we are able to access through the
connection.

Step 5b

How to set up an AC500 V3 PLC on your SiteManager

1. Click on and type in the device name in the ”Device Name” field
2. Click on and type in the device IP address in the ”Device Address” field
3. Fill in the ports needed for access to the specific TCP ports in the ”Extra TCP ports”
4. Click on ”Ping” to test the connection IP address
5. Click on ”Save” to save the configuration of the connection
6. Finally click on ”Back” to get back to the appliance agent overview

You can now log out of the SiteManager and utilize the connection as described in the final
section.

Note

• The IP address typed in is the IP address of the panel connected
• The ports typed in are the ports needed to connect and fully utilize
the features of the connection

5.5.3 BSP V1.0.x
Step 5a

How to set up a CP600 Panel on your SiteManager

1. Click on ”Device Name” field and fill out a unique name on the SiteManager
2. Click on the left drop-down menu ”Device Type” and select ”Exor”
3. Click on the right drop-down menu ”Device Type” and select ”Ethernet HMI”
4. Click on the edit icon to access the parameters menu of the appliance agent

We have set up the basic parameters of the appliance agent; we now need to set up the
advanced settings. These define how we connect and what we are able to access through the
connection.

Step 5b

How to set up an AC500 V3 PLC on your SiteManager

1. Click on and type in the device IP address in the ”Device Address” field
2. Fill in the ports needed for access to the specific TCP ports in the ”Extra TCP ports”
3. Click on ”Ping” to test the connection IP address
4. Click on ”Save” to save the configuration of the connection
5. Finally click on ”Back” to get back to the appliance agent overview


You can now log out of the SiteManager and utilize the connection as described in the final
section.

Note

• The IP address typed in is the IP address of the panel connected
• The ports typed in are the ports needed to connect and fully utilize
the features of the connection
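
A pre-entry check for the ”Device Address” and ”Extra TCP ports” values used in steps 3b, 4b and 5b, compared against the DEV1 IP and subnet from Step 3.1. This is an added Python example, not part of the ABB or Secomea material. It assumes the port field is a comma-separated list of single ports; `check_agent`, `parse_ports`, `MAX_PORTS` and all addresses and port numbers are constructed for illustration.

```python
import ipaddress

# Constructed review threshold (not a Secomea limit): a long port list is
# worth a second look before it is saved on the agent.
MAX_PORTS = 8


def parse_ports(extra_tcp_ports):
    """Split the port field into (ports, findings).

    Assumption: the field holds single TCP ports separated by commas.
    """
    ports, findings = [], []
    for token in extra_tcp_ports.split(","):
        token = token.strip()
        if not token:
            continue
        if not (token.isascii() and token.isdigit()) or not 1 <= int(token) <= 65535:
            findings.append(f"invalid TCP port: {token!r}")
        elif int(token) in ports:
            findings.append(f"duplicate TCP port: {token}")
        else:
            ports.append(int(token))
    return ports, findings


def check_agent(dev1_ip, dev1_netmask, device_address, extra_tcp_ports):
    """Return a list of findings; an empty list means nothing to correct."""
    try:
        dev1 = ipaddress.ip_interface(f"{dev1_ip}/{dev1_netmask}")
    except ValueError as exc:
        return [f"DEV1 setting is invalid: {exc}"]
    try:
        device = ipaddress.ip_address(device_address.strip())
    except ValueError:
        return [f"Device Address is not an IP address: {device_address!r}"]

    findings = []
    net = dev1.network
    if device not in net:
        # The agent would point at a host the DEV1 port cannot reach directly.
        findings.append(f"Device Address {device} is outside DEV1 network {net}")
    elif device == dev1.ip:
        findings.append("Device Address is the SiteManager's own DEV1 address")
    elif net.num_addresses > 2 and device in (net.network_address, net.broadcast_address):
        findings.append(f"Device Address {device} is not a host address in {net}")

    ports, port_findings = parse_ports(extra_tcp_ports)
    findings.extend(port_findings)
    if len(ports) > MAX_PORTS:
        findings.append(f"{len(ports)} extra ports listed; confirm each one is needed")
    return findings


if __name__ == "__main__":
    # Constructed values: placeholders, not the AC500/CP600 defaults or ports.
    samples = [
        ("10.0.0.20", "1000, 2000"),
        ("10.0.1.20", "1000"),
        ("10.0.0.20", "1000, 1000, 70000, abc"),
    ]
    for address, ports in samples:
        result = check_agent("10.0.0.1", "255.255.255.0", address, ports)
        print(address, "|", ports, "->", result or "ok")
```

The ”Ping” button in the agent setup only confirms that the address answers; a check like this catches a typo that lands on a different, reachable host or a port list that grew beyond what the connection needs.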

6 Appliance agent connections

6.1 Connecting to the ABB appliances on the Site Manager

In this step we will connect to the appliances connected to the SiteManager. We can either
connect to all the applications or to a specific one.

Step 6a

Connecting to all the appliances on your SiteManager

1. Click to select the SiteManager


2. Click on ”Connect All” to connect to all of the appliances connected to the
SiteManager


Step 6b

Connecting to a single appliance on your SiteManager

1. Click to open the SiteManager


2. Click to select the appliance that you want to connect to
3. Click on ”Connect” to connect to the appliance selected


ABB AG
Eppelheimer Straße 82
69123 Heidelberg, Germany
Phone: +49 62 21 701 1444
Fax: +49 62 21 701 1382
E-Mail: plc.support@de.abb.com
www.abb.com/plc

We reserve the right to make technical changes or modify the contents of this document
without prior notice. With regard to purchase orders, the agreed particulars shall prevail.
ABB AG does not accept any responsibility whatsoever for potential errors or possible lack
of information in this document.

We reserve all rights in this document and in the subject matter and illustrations
contained therein. Any reproduction, disclosure to third parties or utilization of its
contents – in whole or in parts – is forbidden without prior written consent of ABB AG.

Copyright© 2023 ABB. All rights reserved
