BAS-SVX069F-EN
23
Customer Remote Access Configuration
Trane Connect Remote Access is the preferred method for secure remote access to a Tracer BAS
for both Trane employees and customers. Alternatively, when access to additional devices on the
BAS network is needed (i.e. non-Trane gateway device), the Digi WR21 can be utilized as a VPN
endpoint. If only Trane personnel require access, TraneConnect should be used, and this section
can be skipped.
If the Digi WR21 is being placed downstream of another router or firewall and NAT is being used
(the WR21 does not have a public IP assigned on LAN 0), then the upstream router will need to
permit/forward the following ports: UDP/1701, UDP/4500, and UDP/500.
NNoottee:: If the customer is using Windows 7, and the WR21 does not have a public IP address, the
customer must apply a registry fix. Navigate to the Trane Technologies IT Security
Sharepoint site. Locate the link to the NAT Registry fix. Click to open and then double-click
on the file labeled NNAATT--TT RReeggiissttrryy ffiixx..rreegg to apply the settings to the registry. Click Yes in
the registry editor warning box to apply the new settings. When complete, restart the PC.
Tunnel Negotiation
If the Digi WR21 is behind a NAT Firewall (the Digi does NOT have a public IP address) then
tunnel negotiation settings must be updated. If the WR21 has been supplied with a public IP
address, the following procedure can be skipped.
1. On the WR21 configuration page, click on NNeettwwoorrkk in the left hand menu.
2. In the right-side window, navigate to VViirrttuuaall PPrriivvaattee NNeettwwoorrkkiinngg ((VVPPNN))>>IIPPsseecc>>IIPPsseecc
TTuunnnneellss>>IIPPsseecc 00 TTrraanneeVVPPNN>>TTuunnnneell NNeeggoottiiaattiioonn.
3. Select the check box next to NNeeggoottiiaattee aa ddiiffffeerreenntt IIPP aaddddrreessss aanndd MMaasskk
4. In the box next to IIPP AAddddrreessss, enter the public facing IP address of the internet-connected
edge router.
5. In the box next to MMaasskk, enter 255.255.255.255.
6. Click AAppppllyy when complete.
Figure 18. Digi WR21 VPN setup
PPP Connection Configuration
If the configuration for ETH 1 (network attached to LAN 1 of the Digi WR21) has been changed
from the default of 192.168.209.0, the PPP interfaces assigned to VPN access must also be
updated. If the default network of 192.168.209.0 has been retained, the following procedure can
be skipped.
1. Click on the NNeettwwoorrkk link in the left hand menu.
2. In the right-hand window, navigate to IInntteerrffaacceess>>AAddvvaanncceedd>>PPPPPP 55 –– LL22TTPP00
3. In bbooxx AA (see figure below), enter the IP address used to configure EETTHH 11 earlier in the
document.
To Next Page
Loading...
