InGateway Series

User's manual

(Applicable to IG500, IG900 series products)

Version V1.0, June 2024

www.inhand.com

The software described in this manual is according to the license agreement, can only be used in accordance with the terms of the agreement.

Copyright Notice

© 2024 InHand Networks All rights reserved.

Trademarks

The InHand logo is a registered trademark of InHand Networks.

All other trademarks or registered trademarks in this manual belong to their respective manufacturers.

Disclaimer

The company reserves the right to change this manual, and the products are subject to subsequent changes without prior notice.We shall not be responsible for any direct, indirect, intentional or unintentional damage or hidden trouble caused by improper installation or use.

1 Introduction

The InGateway series is an edge computing gateway for the industrial IoT sector from InHand. This series of products has rich interfaces and global cellular access capability. It supports users to use Python secondary development, and can be built-in InHand DeviceSupervisor™ Agent service, which supports hundreds of data collection protocols, and easily achieves device data collection, processing and cloud, and also supports InHand DeviceLive cloud management, helping enterprises to accelerate the process of digitisation.

The product models to which this manual applies are listed below:

2 Description of equipment configuration

2.1 Access to the gateway

Connect to the IG using the following default IP address (address information is also available from the device panel)

            Select "Use the following IP address", enter the IP address (default is any value from 192.168.2.2 to 192.168.2.254), subnet mask (default is 255.255.255.0), default gateway (default is 192.168.2.1), and DNS server address, click <OK>.

1. Step 2: Open a browser, access the IP address of Interface 2 of the IG and enter the login username and password. 
   

1. Step 3: After successful login, you can see the overview page as shown below.
   

2.2 Overview

This page provides an overview of the gateway's system status, system performance, system storage, network connectivity, network flow, and other information. This page allows you to get a quick overview of the device basics.

1. Network Connection Status: Show the network connection situation of IG and the network configuration
   
1. External Network: To configure the routing of data forwarding to an external network, click Static Routing page
   
2. Interface Network: To configure the interface, click the "Set UP" button after the interface to jump to the Ethernet page.
   

1. Performance & Storage: Shows the device's current CPU, memory, Flash, MicroSD, USB usage
   

1. System Information: Click the "Edit" Botton to modify IG's Name
   

2.3 Network

2.3.1 Network Interface

2.3.1.1 Cellular

This page shows the current cellular status and configuration information of the gateway. You can configure the cellular network parameters by using the "Enable Cellular" button.

The cellular network parameters are described below:

1. Enable Cellular: Enable/Disable Cellular function
   

1. Profile: Profile for configuring the APN, username, password and authentication method when used for dialing with a decicated network card. If it is not a dedicated network card, you usually do not need to modify the configuration here. Up to 10 records can be added to the Profile.
   

1. Enable Dual SIM: Enable Dual SIM function. In order to improve the reliability of the network, dual SIM card single dialling is supported. 2 SIM cards need to be inserted on the device, which is disabled by default.
   

1. Network Type: Auto, 2G, 3G, 4G, 5G and other networks can be selected. ((Note: different devices support different types of networks, you can check the corresponding product specifications)) Users can select a specific network mode according to the equipment used and the SIM card applicable, or use the automatic mode, the device can register itself to the network mode applicable to the current network conditions.
   

1. Profile: dialling policy selection, corresponding to the dialling parameter set configuration index item, if it is not a dedicated Network card, just select the default.
   

1. Roaming: Tick Enable Roaming, you can dial-up normally in roaming status, when cancelling the roaming option, the roaming SIM card can't dial-up; when using local card, ticking Roaming and cancelling Roaming won't affect the dial-up of the SIM card.
   

1. PIN code: PIN code is the personal identification number of the SIM card. If PIN code is enabled, the device will fail to dial up when no PIN code or wrong PIN code is set; and the device can dial up normally when normal PIN code is set.

1. Static IP: Whether to use static IP when dialling, you can manually specify the IP address of the device. The device gets the configured static IP every time it dials.
   

1. Redial Interval: the amount of time the device waits to redial each time it drops.
   

1. ICMP Probe: Cellular networks sometimes have the problem of dialling up successfully and obtaining an IP address, but not being able to access the Internet, which is usually resolved by redialling. ICMP Probe can be used to detect whether the network is working properly, and if the network is abnormal, a redial will be triggered to solve the problem of the network not being able to access the Internet. This feature is turned off by default and is recommended to be enabled when deploying a cellular network.
   

1. ICMP Probe Server: the remote IP address or domain name to be probed (to enable two ICMP probe servers at the same time, it is recommended that you enter both IP addresses or domain names at the same time). The device supports two ICMP probe servers: the primary server and the backup server. When two servers are configured, the first server is detected first, and the second server is detected only when the first server reaches the maximum number of retries. When both servers fail to detect, the device will redial and perform the next round of ICMP detection.
   

1. ICMP Probe Interval: the time interval between ICMP probe messages sent by the device.
   

1. ICMP Probe Timeout: If no ICMP response packet is received within the set ICMP Probe Timeout, it is considered that the ICMP Probe has timed out.
   

1. ICMP Probe Maximum Retries: Sets the maximum number of retries when an ICMP probe fails (the number will be redialled after the maximum number is reached).
   

1. ICMP Strict Detection: When ICMP Strict Detection is turned off, if there is traffic on the dial-up interface, ICMP probes are not sent to save traffic; when ICMP Strict Detection is turned on, ICMP probe messages are sent regardless of whether there is traffic on the dial-up interface.

1. SMS: SMS function is used to set cellular parameters, query cellular status, configure io output and reboot the system.
   

Details of the SMS configuration are given below:

1、SMS set cellular dialling parameters 

SMS format:

The cellular dialling parameters are configured as described below:

1. cellular: means set cellular service related parameters, the cellular keyword should be located at the beginning of the SMS content; the content after cellular is the cellular configuration item.
   

1. slot: flag to set which card's dialling parameter, the available values are: sim1 , sim2 ;
   

1. Mandatory parameter apn: Configure apn information;
   

1. Non-required parameter username: Configure the user name;
   

1. Non-required parameter password: Configure the password;
   

1. Non-required parameter auth: authentication method; settable values are: none , auto , pap , chap; strictly case-sensitive;
   

1. Non-required parameter network: configure the network system; the available values are: 2g , 3g , 4g , auto; strictly case-sensitive;
   

1. Non-required parameter dialnumber: dialling number; non-required parameter 
   

Caveats:

1. At least 1 non-required parameter is required; the order of the parameters is not required, except for cellular, which must be at the beginning of the SMS content; each parameter is separated by a space; 
   

1. Parameter names and some parameter values are strictly case sensitive;
   

1. If there is an unrecognised configuration item in the SMS content, for example icmp_interval=10, the configuration will fail; 
   

1. SMS content cannot exceed 140 characters in length; 
   

1. Since the default parameter set is not allowed to be modified, when sim1/sim2 selects the default parameter set, the configuration of dialling parameters via SMS will fail 
   

2、SMS to restart the system

SMS format:

Reboot System Parameter Description:

1. system: indicates the execution of system-related settings; the position of the system keyword needs to be at the beginning of the SMS content; 
   

1. command: the command to be executed, can take the value: reboot; required parameters 

3、SMS query dialling information

SMS format:

Query Dialling Information Parameter Description:

1. status: indicates the execution of the status query; the position of the status keyword needs to be at the beginning of the SMS content; 
   

1. object: indicates which service's status should be queried, value: cellular; mandatory parameter 

After sending the enquiry SMS, you will receive an SMS with the following content: 

The response content parameters are described below:

1. cellular_status: Status of the cellular 
   

1. signal: signal quality of the cellular; can take values: none , poor , moderate , good , great 
   

1. network: network standard; values: 2g , 3g , 4g , unknown 
   

1. hostname: hostname of the device 
   

1. ip: ip address of the dial-up interface 
   

1. uptime: startup time of the device, in s 

4、SMS device digital output DO

SMS format:

DO Setup Parameter Description:

1. io: means to set the parameters related to io service, the position of the io keyword needs to be at the beginning of the SMS content 
   

1. do0~do3: configure the output of do0~do3, you can configure more than one do, there is no order requirement between the configuration items, for example, you can configure this way: io do0=1 do1=1 do3=0 do2=0; you can also configure only one do, for example, io do0=1; at least you need to configure 1 do; the value of do can only be 0 or 1 

5、Changes in DI for SMS reception 

To use this feature, you need to configure the mobile phone number to receive SMS on the io page and add the mobile phone number to the whitelist on the dialling page.

The user's mobile phone number receives an SMS with the following content after the value of di changes: 

Note: Currently, only the basic models IG502-FF53 and IG502-FQ58 support the SMS function, e.g. IG502-FQ58-W-G, IG502-FF53-IO-W-G. Please refer to the Ordering Information section in the datasheet for the specific models.

1. Advanced Settings
   

2.3.1.2 Ethernet

The "Ethernet" page shows the configuration and status information of the Ethernet interface of the device, and you can configure the Ethernet interface parameters or view the detailed status information on this page. The steps to configure the Ethernet interface are as follows:

1. Select "Network > Network Interface > Ethernet/LAN/WAN" to enter the Ethernet interface configuration interface (different models of IG series devices are equipped with different types and numbers of interfaces, but the configuration method is the same).
2. Select the network type of the interface.
3. Select or enter each parameter in turn
4. Click "Submit".

Take the IG902 as an example, the IG902 has two Gigabit Ethernet ports, the specific configuration and description are as follows

Configure dynamic address acquisition for the interface (network type selected as DHCP) as shown below:

1. Network Type
1. Dynamic address (DHCP): Configure the interface as a DHCP client, using DHCP to obtain IP address and subnet mask and other information
   

1. Description: descriptive information of the Ethernet interface, identifying the role.

Configure the interface with a static IP (network type is selected as static IP) as shown below:

1. Network Type (Static IP by default)
1. Static IP: Manually configure the IP address and subnet mask for the Ethernet interface.
   

1. Primary IP Address: IP address of the Ethernet interface, customisable.
   

1. Netmask: Subnet mask of the Ethernet interface.
   

1. MTU: Maximum Transmission Unit, in bytes, default value is 1500.

If the interface type is WAN port, you can also set the gateway and DNS:

1. Gateway: IP address of the device gateway
   

1. DNS: IP address for DNS can be specified manually
   

1. Speed/Duplex：
   

1. Track L2 State: when it is turned on, the state of the port without physical connection is Down, and when it is physically connected, it is UP; when it is turned off, the port displays UP when it is physically connected or not.
   

1. Shutdown: Disables the interface
   

1. Description: descriptive information of the Ethernet interface, identifying the role.
   

1. Secondary IP Settings: In addition to the master IP, users can also assign secondary IP addresses, up to a maximum of 10.

2.3.1.3 WLAN

The "WLAN" page shows the IG's WLAN configuration and status information, where you can configure WLAN parameters or view detailed status information.

Note: Not all models of IG series support WLAN function, please refer to the official website Resource Centre for specific support, and go to the corresponding product list to check the "Ordering Guide" section in the product specification.

Configure the WLAN as the access point as shown below:

The parameters when configuring the WLAN as an access point are described below:

1. Enable Wi-Fi: Enables or disables the WLAN service. Enabling WLAN service allows you to configure the basic parameters of the wireless network and security authentication options, enabling wireless access to the Internet.
   

1. Station Role: Select the WLAN mode of operation, here select the AP
2. AP:
   

Configure the WLAN as a client as shown below:

The parameters when configuring the WLAN as a client are described below:

1. Enable Wi-Fi: Enables or disables the WLAN service. Enabling WLAN service allows you to configure the basic parameters of the wireless network and security authentication options, enabling wireless access to the Internet.
   

1. Station Role: Select the WLAN operating mode, here select Client
   

1. Client Mode:
   

2.3.1.4 Loopback interface

A loopback interface is a logical, virtual interface on the device. After you create and configure a loopback interface, its address can be pinged or telnetted, which can be used to test network connectivity. You can configure or view the loopback interface parameters on the Loopback Interface page.

1. IP address: IP address of the loopback interface
   

1. Subnet Mask: Subnet mask of the loopback interface IP address

NOTE: A maximum of 10 slave IP addresses can be configured.

2.3.2 Network services

2.3.2.1 DHCP services

DHCP uses a client/server communication model, in which the client requests an address from the server, and the server returns the IP address assigned to the client and related information (such as the lease period) to enable dynamic configuration of IP addresses and other information. You can set and view the configuration of the DHCP server on the DHCP Server page.

Start the dhcp server function on the interface to assign addresses to the downstream devices on that interface

1. The DHCP server parameters are described below:
   

1. Windows Name Server (WINS): IP address of the WINS server.
   

1. Static IP Setting: If some scenarios require fixed IP addresses for some terminals, you can use the Static IP Setting function to bind the MAC of the terminal with the IP in the address pool, and the bound terminal will be assigned a fixed address every time it connects to the network, as shown in the following figure:

2.3.2.2 DNS services

The Domain Name System (DNS) is a distributed database for TCP/IP applications that provides translation between domain names and IP addresses. With the DNS, users can use easy-to-remember, meaningful domain names for certain applications, and DNS servers in the network will resolve the domain names to the correct IP addresses. You can set up and view the domain name servers and DNS relay service in the "DNS Service" page.

Configure DNS servers to support up to two domain name servers, as shown in the following figure:

Configure the DNS relay service, as shown in the following figure:

Note: Enable the DNS relay service and do not disable the DNS relay service when DHCP server is enabled.

2.3.2.3 GNSS

GNSS stands for Global Navigation Satellite System. Common GNSS systems include GPS (Global Positioning System) of the United States, GLONASS (GLONASS) of Russia, and BeiDou (BDS) of China. On the "GNSS" page, you can view the status of GNSS and configure GNSS.

Remarks:

Not all models of IG series support GNSS function, for details, please refer to the website Resource Centre, and enter the corresponding product list to check the "Ordering Guide" section in the product specification.

GNSS configuration

GNSS configuration page parameter descriptions:

1. Enable GNSS: Enable/disable GNSS function
   

1. GNSS Type: select the appropriate satellite navigation system in the drop-down box
   

GNSS IP Forwarding

The GNSS IP forwarding parameters are described below:

1. Enable: enable/disable GNSS IP forwarding
   

1. Type: GNSS IP Forwarding Type
   

1. Server 
   

GNSS Serial Forwarding

The GNSS Serial Forwarding parameters are described below:

1. Enable: Enable/disable GNSS serial port forwarding
   

1. Serial port type: consistent with the counterpart (RS232/RS485)
   

1. Baud rate: consistent with counterpart
   

1. Data bits: consistent with counterpart
   

1. Check digit: consistent with the counterpart
   

1. Stop bit: consistent with the counterpart
   

1. Software flow control: enable/disable software flow control
   

1. Include RMC: Whether to send RMC data for GNSS data
   

1. Include GSA: Whether to send GSA data for GNSS data
   

1. Include GGA: whether to send GGA data for GNSS data
   

1. Include GSV: whether to send GSV data for GNSS data or not

2.3.2.4 Host List

You can view information about the hosts connected to IG on the Host List screen.

2.3.3 Routing

2.3.3.1 Routing status

Select "Network > Routing > Routing Status" to enter the "Routing Status" interface. You can view the detailed information of routes in this screen, as shown in the following figure:

2.3.3.2 Static Routing

You can manually set up a static route on the Static Routing page. After you set up a static route, messages to the specified destination will be forwarded in accordance with the path you specify.

Configure static routes as shown below:

The static route parameters are described below:

1. Destination network: the destination IP address/network segment to be reached
   

1. Subnet Mask: the subnet mask of the destination address to be reached
   

1. Interface: the outgoing interface through which the data reaches the destination network
   

1. Gateway: the gateway corresponding to the IP of the device's outgoing interface
   

1. Distance: overhead to the target network, smaller values are preferred
   

1. Track identification: index or ID of the Track (for Track configuration see: 3.3.2 Track module)

2.3.4 Firewalls

2.3.4.1 Access control lists

An ACL is an access control list that filters network interface data by configuring a series of matching rules to allow or disallow the passage of specified data streams (e.g., restricted source IP addresses, account numbers, etc.). You can set the filtering policy for network interface data in the "Access Control List" page.

Configure the standard access control policy, as shown in the following figure:

1. The standard access control policy parameters are described below:
   

Configure the extended access control policy as shown in the following figure:

1. The Extended Access Control Policy parameters are described below:
   

1. The access control list parameters are described below:
   

2.3.4.2 Network address translation

Network Address Translation (NAT) enables multiple hosts on a LAN to access the public network through one or more public IP addresses, i.e., using a small number of public IP addresses to represent a large number of private IP addresses, thus saving IP addresses on the public network. You can view and set the NAT rules in the Network Address Translation page.

As shown in the following configuration, configure the IG lower device to access the upper device through WAN:

The network address translation rule parameters are described below:

1. Action
   

1. Source Network (supported when the action is SNAT and DNAT):
   

In this example, the WAN port is the converted outgoing interface, so set the type of WAN to "Outside" interface.

1. Translation Type
   

1. Match Conditions:
   

1. Translated Address
   

2.3.5 VPN

Layer 2 Tunneling Protocol L2TP is a type of Virtual Private Dial-up Network VPDN tunneling protocol that extends the application of Point-to-Point Protocol PPP and is an important VPN technology for remote dial-up users to access the corporate headquarters network.

Note: Detailed configuration of IPSEC, GRE, OPENVPN can be found in the catalogue " Advanced Functions > VPN".

2.3.5.1 L2TP

2.3.5.1.1 L2TP client

1. L2TP Class
   

1. Pseudowire Class
   

1. L2TPv2 Tunnel
   

1. L2TPv3 Tunnel
   

1. L2TPv3 session
   

2.3.5.1.2 L2TP Service

The L2TP server parameters are described below:

1. Enable L2TP Server: Enables or disables the L2TP server
   

1. Username: the access account of the L2TP server
   

1. Password: Access password for the L2TP server
   

1. Authentication Type: selectable Auto, PAP, CHAP
   

1. Local IP Address: virtual address of the L2TP server interface
   

1. Address Client Start IP: start address of the L2TP server address pool
   

1. Address Client End IP Address: end address of the L2TP server address pool
   

1. Link Detection Interval(s): the time interval for sending connection detection messages after L2TP is successfully established. Legitimate value: 0-32767, unit: sec.
   

1. Max Retries for Link Detection: after L2TP connection detection fails, L2TP re-establishes the connection when the maximum number of failures is reached. Legal value: 0-100
   

1. Enable MPPE: Enable/disable MPPE data encryption scheme
   

1. Enable Tunnel Authentication
   

1. Expert Options (Expert Only): parameters for debugging L2TP
   

2.4 Edge computing

2.4.1 Python Edge Computing

The "Python Edge Computing" page shows information about the IG's Python secondary development environment and the app configuration and running status on the device. You can develop your customised Python App with the secondary development environment information on this page, and you can also configure and view the App status on this page.

The Python environment configuration steps are as follows:

1. Select "Edge Computing > Python Edge Computing" to enter the "Python Edge Computing" interface;
2. Enable the Python Engine;
3. Install/upgrade the Python SDK;
4. Just enable debug mode. See Python Development Quickstart how to do secondary Python development.

App configuration steps are as follows:

1. APP install, uninstall, start, stop
2. APP configuration import, export
3. APP Log View

App configuration features are described below:

1. APP Status
   

1. App List
   

2.4.2 Docker Management

IG supports hosted docker images, you can publish your docker images to IG to quickly deploy and run your self-developed applications.The steps to configure the Docker environment are as follows:

1. Install the Docker SDK;
2. Enable the Docker Manager;
3. Go to the Docker management page (portianer) to configure images and containers.

Note: Only IG902 and IG974 support Docker function.

Enable the Docker Manager as shown below:

The parameters of the Docker management page are described below:

1. Enable Docker Manager: Enable/Disable Docker Manager
   

1. Docker Version: install or upgrade Docker version
   

1. Enable Portainer Manager: Enable/Disable Portainer Manager
   

1. User Name: the username used to log in to portianer
   

1. Password: the password used to log in to portianer
   

1. Registry Mirrors: Configure the addresses of docker image repositories, up to 4

2.4.3 Cloud Edge Computing

The gateway supports both Azure IoT Edge and AWS IoT Greengrass edge computing components. They can be configured on the Edge Computing -> Cloud Edge Computing page. Note: Only the IG902 supports the Cloud Edge Computing function.

2.4.3.1 Azure IOT Edge

The configuration steps are as follows:

1. Manual Configuration: When Manual is selected for the source, only a device connection string needs to be configured. 
   

1. DPS: When the source selects DPS, you need to configure the global terminal node, region ID, method, and import the certificate file.
   

1. If there are still end nodes under the gateway that need to connect to the gateway, you can click Enable Certificates and import the relevant certificate files. 
   

2.4.3.1 AWS IoT Greengrass

The configuration steps are as follows:

1. Install/Upgrade SDK: Click the Upgrade button to install AWS IoT Greengrass version V1.
2. Supports importing root CAs, device certificates, device keys and configuration files, as well as exporting configuration files and log files.

2.4.4 IO module

An I/O module (Input/Output Module) is a device or component used to implement input and output functions. It can input signals from external devices into the control system or output signals from the control system to external devices, thus realising the interaction between the system and the external environment.

Configure the IOs on the Edge Computing -> IO Module page. the gateway supports 4 input IOs and 4 output IOs. 

Note: Support models IG502/IG504/IG532/IG902

Input IOs: 4 input IOs can be configured as "Digital Input" or "Counter".

Output IOs: 4 output IOs can be configured as "Digital Output", "Continuous Pulse Output" and "Fixed total Pulse Output".

Supports reading and writing IO data via Modbus TCP protocol when Modbus TCP slave function is enabled.  

1. Enable: Enable Modbus TCP slave function
   

1. External Access: when disabled, only internal requests will be allowed, and the IP address of Modbus slave can only be 127.0.0.1 when internal access is configured. when enabled, external access will be allowed, and the external access is configured as the IP address of the corresponding Ethernet interface.
   

1. Port: port information of the slave
   

1. Slave Address: unique identification of the slave device
   

1. Byte order: default ABCD byte order
   

1. Maximum TCP Connections: Maximum number of TCP connections, range: 1-32

You can view Modbus coil status information and holding register information in the Modbus Mapping Table page.

2.4.5 Telegraf 

Configure Telegraf functionality on the Edge Computing -> Telegraf page. Support for installing Telegraf sdk, importing and exporting configuration files and exporting log files 

Note: Only IG502 supports this function. 

2.5 Systems management

2.5.1 System Time

In order for the IG to work better with other devices, the system time needs to be configured accurately. The configuration method and steps are as follows:

1. Method 1: Configure the system time using the time zone
   

1. Method 2: Configure the system time using the PC's local time
   

1. Method 3: Configure the system time using the manual time setting method
   

1. Method 4: Configure the system time using the SNTP client
   

The SNTP client parameters are described below:

1. Enable SNTP Client: enable/disable SNTP clients.
   

1. Update interval: Synchronise the device time to the server according to the update interval after enabling the SNTP client.
   

1. SNTP Servers List
   

The IG can also be used as an NTP server to synchronise time for other devices as follows:

1. Select "System Management > System Time" to enter the "System Time" interface.
2. Tick "Enable NTP server".
3. Configure each parameter in turn
4. Click "Submit" to apply the configuration.

The NTP server parameters are described below:

1. Enable NTP Server: enable/disable NTP server
   

1. Preferred NTP Server: NTP adopts a layered synchronisation method, generally the n+1th level is synchronised with the nth level clock source.NTP supports a maximum of 16 levels of synchronisation, i.e. 0-15 levels. NTP supports up to 16 levels of synchronisation, i.e., 0-15 levels, and cannot synchronise with more than 16 levels.
   

1. Source Interface: The interface on which the gateway sends NTP messages. The source interface and source address cannot be used at the same time.
   

1. Source address: the source address carried by the gateway for SNTP messages. Source interface and source address cannot be used at the same time.
   

1. NTP Servers List
   

2.5.2 System logs

You can select "System > Log" to enter the "Log" page. This page contains a lot of information about the network and IG, including operational status, configuration changes, and so on.

In the "Configure" page, you can set the gateway to interface with the remote logging server, after the setup is completed, the gateway will upload all system logs to the remote logging server, which requires the cooperation of the remote logging software on the host computer (e.g., Kiwi Syslog Daemon).

1. Send to remote log server: Enable/disable device docking to remote log server
   

1. Server Address: the address of the remote logging server
   

1. Port Number: port number of the remote logging server
   

When logs are stored locally, you can set the size of the log file and the level of log output:

1. History Log File Size: The amount of space the host is allocated to store logs.
   

1. Historical log file severity level: Sorts the logs in the device by "Emergency > Alarm > Serious > Error > Warning > Notice > Information > Debug". If the log level is set to "Notice" and above, the log file will output "Notice" and logs with higher priority than "Notice".
   

2.5.3 Configuration Management

Select "System > Configuration Management" to enter the "Configuration Management" interface. You can backup the configuration parameters, import the corresponding parameter configurations, and restore the IG to the factory settings in this screen.

1. configuration management
   

1. Configuration Files Operations
   

2.5.4 InHand Cloud

The device cloud platform developed by InHand supports monitoring IG status, remote maintenance of field devices, remote batch issuance of IG configurations and batch upgrade of IGs, helping users manage IGs and field devices conveniently and efficiently. At present, IGs support interfacing with InHand cloud platforms: InHand Connect Service, InHand Device Manager, InHand iSCADA Cloud, and InHand Device Live Manager.

Configure the IG to connect to the InHand Connect Service (InConnect) platform as shown below:

Connecting to the InHand Connect Service platform parameters are described below:

1. Enable: Enables/Disables device connection to the InConnect platform
   

1. Server Address: Select the server address you want to connect to from the drop-down box, or select "Custom" to customise the server address.
   

1. Register Account: the name of the account already registered on the cloud platform
   

1. Advanced Settings
   

Configure the IG to connect to the InHand Device Manager (DM) platform as shown below:

Connecting to the InHand Device Manager platform parameters are described below:

1. Enable: Enable/disable device connection to the DM platform
   

1. Server Address: Select the server address you want to connect to from the drop-down box, or select "Custom" to customise the server address.
   

1. Register Account: the name of the account already registered on the cloud platform
   

1. Advanced Settings
   

Configure the IG to connect to the InHand iSCADA Cloud platform as shown below:

Connecting to the InHand iSCADA Cloud platform parameters are described below:

1. Enable: Enable/Disable device connection to the platform
   

1. Server Address: Select the server address you want to connect to from the drop-down box, or select "Custom" to customise the server address.
   

1. Heartbeat Interval: heartbeat interval with the cloud platform, legal value 30-1200, unit: second

Configure the IG to connect to the InHand Device Live Manager (DeviceLive) platform as shown below:

Connecting to the InHand Device Live Manager platform parameters are described below:

1. Enable: Enable/Disable device connection to the platform
   

1. Server Address: Select the server address you want to connect to from the drop-down box
   

1. Heartbeat Interval: heartbeat interval with the cloud platform, legal value 30-1200, unit: second

2.5.5 Firmware upgrades

You can upgrade the firmware version of IG to support new features or to get a better experience on the "Firmware Upgrade" page. The steps to upgrade the firmware version are as follows:

1. Select "System > Firmware Upgrade" to enter the "Firmware Upgrade" interface.
2. Click "Select File" to select the IG firmware file.
3. Click "Start Upgrading" and "Confirm" to start the upgrade.
4. Wait for the upgrade to be successful, after the upgrade is successful, click the "Rebot" button to restart the IG to complete the upgrade.

2.5.6 Access Tools

To manage and configure the IG, you can configure how to manage and access the IG in the "Access Tools" screen. The configuration steps are as follows:

1. Configuring HTTPS

The HTTPS parameters are described below:

1. Listening IP Address: Any, 127.0.0.1 and other IP addresses can be selected. Any is the default choice, that is, the device listens to HTTPS requests from any address.
   

1. Port: HTTPS access port number, default port 443 is used
   

1. web Login Timeout: the timeout time for logging in web page, default is 300s, when the web idle time exceeds 300s, it will exit the web login; you can also manually change the timeout time for web login, legal value is 100-3600, unit: second.
   

1. Remote Control: Enabled for remote access to IG via HTTPS
   

1. Source Network: the legal source address for accessing the WEB page of the device; if not set, it means any address can be connected to the IG via HTTPS.

1. Configuring TELNET

The TELNET parameters are described below:

1. Listening IP Address: Any, 127.0.0.1 and other IP addresses can be selected. Any is the default choice, that is, the device listens to TELNET requests from any address. 
2. Port: TELNET access port number, default is port 23
3. Remote Control: Enabled to access the IG remotely via TELNET.
4. Source Network: Legal source address for accessing the device; if not set it means any address can be connected to the IG via TELNET.

1. Configuring SSH
   

The SSH parameters are described below:

1. Listening IP Address: Any, 127.0.0.1 and other IP addresses can be selected. Any is the default choice, i.e., the device listens to SSH requests from any address. 
   

1. Port: SSH access port number, port 22 is used by default.
   

1. Timeout: SSH timeout time, legal value 0-120; if SSH does not connect successfully within the timeout time, it is regarded as the connection failure.
   

1. Private Key Mode: SSH connections typically use asymmetric encryption algorithms for secure communication, involving both public and private keys. A common key mode is RSA mode.
   

1. Private Key Length: The key length of the RSA algorithm can be chosen according to requirements. Generally speaking, the longer the key length, the higher the security, but the computational resources required to generate and process the key will also increase. You can choose 512/1024/2048/4096, the default length is 1024.
   

1. Remote Control: when turned on, you can access the IG remotely via SSH.
   

1. Source Network: Legal source address for accessing the device; if not set it means any address can be connected to the IG via SSH.

1. Configuring Developer Mode
   

The developer mode parameters are described below:

1. User name: the user name for developer mode login, fixed to pyuser 
   

1. SSH Port: The port number for developer mode login, default is 222.
   

1. Enable Fixed Password: when enabled, you can manually set a fixed password to log in to the device, otherwise the password is a random password generated by the device

2.5.7 User management

You can add a new user or manage the user's account password and access rights in the "User Management" page to achieve multi-user access and management of IG.

2.5.8 Restart

In the "Reboot" page, you can reboot the device every day or immediately. As shown in the figure below, if you enable "Regularly Daily Reboot", the device will be rebooted at "00:00" every day, and this function is disabled by default.

2.5.9 Network Tools

Select "System > Network Tools" to enter the "Networks Tools" page. You can diagnose IG network problems on this page. You can enter some extended options in Expert Options, e.g. -s 100 for sending 100-byte packets in Expert Options Configuration in Ping tool.

Use the Ping tool to detect whether the network is reachable, as shown below:

Use the route probing tool to determine the path through which IP datagrams access the destination, as shown in the following figure:

Use the network packet capture tool to capture the data transmitted on the specified interface, as shown in the following figure:

2.5.10 Third party software statements

Select "System> 3rd Party Notification" to enter the Third Party Software Notification page. You can view the third-party software notification of IG software here.

2.6 Navigation bar operation

2.6.1 Return to home page

You can click on the InGateway logo in the upper left corner of any web interface of the gateway to quickly jump to the "Overview" page.

2.6.2 Logout

You can click on your username in the top right corner to log out.

2.6.3 Switching languages

You can click "Language" in the upper right corner to switch the language display of the WEB interface, the gateway supports both Simplified Chinese and English.

3 Advanced Functions

3.1 Management

3.1.1 Systems

Here, you can view the system status and network status; in the system status section, you can view the name, model, serial number, MAC address, version information, device time, device startup time, performance, storage and other information, you can also click on the Synchronise Time button to set the system time; in the network status section, click on the interface of the "Settings" to enter the configuration page of the corresponding interface. Click "Settings" after the interface in the Network Status section to enter the configuration page of the corresponding interface.

3.1.2 AAA

3.1.2.1 Radius

The RADIUS protocol uses a client/server (C/S) mode of operation. the RADIUS protocol entity consists of three parts: the user side, the RADIUS client (NAS), and the RADIUS server. The authentication process is shown in the following figure:

The authentication steps are as follows:

1. When a user accesses the network, the user initiates a connection request and sends a username and password to the RADIUS client.

2. The RADIUS client sends an authentication request message containing user name and password information to the RADIUS server. (NAS and RADIUS server use a pre-shared key, and the user password is encrypted and hidden by MD5 encryption algorithm using this shared key, which increases the security of the password.)

3. The RADIUS server checks the legitimacy of the user's identity:

(1) If the user's identity is legitimate, the RADIUS server returns an authentication acceptance message to the RADIUS client, allowing the user to proceed to the next action. Since the RADIUS protocol merges the processes of authentication and authorisation, the authentication acceptance message also contains the user's authorisation information.

(2) If the user's identity is not legitimate, the RADIUS server returns an authentication denial message to the RADIUS client, denying the user access to the access network.

4. The RADIUS client informs the user whether the authentication is successful.

The Radius authentication configuration is shown below:

The Radius parameter is described below:

1. Server: address of Radius server (domain name/IP), supports up to 10 entries
   

1. Port: service port number of the Radius server
   

1. Key: Authentication key to be verified when establishing a connection with a Radius server. Only if the authentication key is the same, you can establish a connection with the Radius server.
   

1. Source interface: the source interface of Radius

3.1.2.2 Tacacs+

Tacacs+ (Terminal Access Controller Access Control System) is a security protocol with enhanced functionality based on the Tacacs protocol, which is similar in function to the RADIUS protocol. The protocol is similar to the RADIUS protocol, using a client/server model to achieve communication between the NAS and the TACACS+ server. TACACS+ holds independent authentication (Authentication), authorisation (Authorization) and billing (Accounting) functions. 

The Tacacs+ authentication configuration is shown below:

The Tacacs+ parameters are described below:

1. Server: Address (domain/IP) of the Tacacs+ server, up to 10 entries supported
   

1. Port: Service port number of the Tacacs+ server
   

1. Key: Authentication key to be verified when establishing a connection with the Tacacs+ server. Only if the authentication key is the same can a connection be established with the Tacacs+ server.

3.1.2.3 LDAP

Lightweight Directory Access Protocol LDAP is a directory access protocol based on TCP/IP, mainly used to store infrequent data, such as email addresses, contact lists, etc. LDAP defines a variety of operations, and user authentication and authorisation can be achieved through binding and query operations. LDAP is based on Client/Server structure, the directory information is stored on the server, and does not support billing.LADP authentication process is shown in the following figure:

LADP certification is described below:

1、When the user needs to access the LDAP server, the user enters the user name and password and initiates an authentication request to the device

2. The device obtains the user name and password of the user and sends an administrator binding request message to the LDAP server with the administrator DN and administrator password as parameters to obtain query privileges.

3. When the LDAP server receives the administrator binding request message, it verifies whether the administrator DN and administrator password are correct. If the administrator DN and administrator password are correct, the binding is successful and the LDAP server sends an administrator binding response message to the device.

4. When the device receives the binding response message, it constructs a filter condition with the parameter of the user name entered by the user and sends a user DN query request message to the LDAP server. For example, the filter condition is CN=User2.

5. After the LDAP server receives the user DN query request message, it looks up the user DN according to the query starting point, query range, and filter conditions in the message. If the query is successful, it sends a successful query response message to the device. The queried user DN can be one or more.

6. The device sends a user binding request message to the LDAP server based on the user DN obtained from the query and the password entered by the user as parameters.

7. After the LDAP server receives the user binding request message, it checks whether the password entered by the user is correct.

(1) If the password entered by the user is correct, a binding response message of successful binding is sent to the device.

(2) If the password entered by the user is incorrect, a binding failure response message is sent to the device. The device takes the next user DN queried as a parameter and continues to send binding requests to the LDAP server until one DN binds successfully. If all user DNs fail to bind, the device notifies the user of the authentication failure.

8、After successful authentication, the device notifies the user of successful login.

The LADP authentication configuration is shown below:

The LDAP parameters are described below:

1. Name: User-defined server list name
   

1. Server: server address (domain name/IP), supports up to 10 entries
   

1. Port: Same as server port
   

1. Base DN: Top of the LDAP directory tree
   

1. Username: the username to access the server
   

1. Password: Password to access the server
   

1. Security: 3 options for encryption: None, SSL and StartTLS.
   

1. Verify the opposite end: Tap to turn on
   

3.1.2.4 AAA authentication

The following authentication methods are supported:

1. No authentication (none): the user is trusted so much that it is not checked for legitimacy; this is not normally used.
   

1. Local authentication (local): user information is configured on the network access server. The advantages of local authentication is fast, can reduce costs for the operation, the disadvantage is that the amount of information stored by the equipment hardware conditions.
   

1. Remote Authentication (ldap): Configure user information on the authentication server. Supports remote authentication via Radius protocol, Tacacs+ protocol and LDAP.
   

1. No authorisation (none): no authorisation processing for the user.
   

1. Local authorisation (local): authorisation is based on the relevant attributes configured by the network access server for the local user account.
   

1. Tacacs+ Authorisation: Authorisation of users by the Tacacs+ server.
   

1. Authorisation after successful Radius authentication: Authentication and authorisation are bound together and cannot be authorised using Radius alone.
   

1. LDAP authorisation

NOTE: Authentication 1 and Authorisation 1 should be set up consistently; Authentication 2 and Authorisation 2 should be set up consistently; Authentication 3 and Authorisation 3 should be set up consistently.

3.2 Services

3.2.1 Dynamic domain names

Dynamic domain name is a service that bundles dynamically assigned IP addresses with fixed domain names. In networks, in many cases the IP address that users are given when they access the Internet changes dynamically. To access specific network services or devices through a domain name, a dynamic domain name service is required.

The dynamic domain name parameters are described below:

DDNS Method List：

1. Method name: name of the custom dynamic domain update method
   

1. Service type: The service type is mainly decided by the dynamic domain name service provider, and different dynamic domain name service providers set different service types and functional features. Users will pick from these service types according to their actual situation and needs when choosing and using them.
   

1. Username: the user name applied on the dynamic domain name server
   

1. Password: the password configured in the dynamic domain name server
   

1. Hostname: Domain name applied for on a dynamic domain name server
   

1. Period minutes (in minutes): the time interval between synchronisation of domain names and IPs by dynamic DNS servers

Note: Up to 4 dynamic domain name update methods can be configured

Specify A Method To Interface

1. Interface: Interface required for dynamic domain name resolution
   

1. Method: Select the dynamic domain name update method configured above

3.2.2 Flow control

Flow control is the process of managing and limiting network flow to ensure network stability, performance, and rational allocation of resources.IG can set limits for daily/monthly flow, and after the flow exceeds the set threshold, it can be set to only Reporting/Stop Forward/Shutdown Interface to remind users or disable the flow.

The configuration of flow control is shown below:

3.3 Link Backup

In order to maintain the stability of the network, in the network environment composed of devices, usually use some backup connections to improve the robustness and stability of the network, where the backup connection is also known as the backup link or redundant link.

3.3.1 SLA

InHand SLA Fundamentals: 1. Object tracking: the reachability of a specified object is tracked.2. SLA probe: the object tracking feature can be used to issue different types of probes to an object using the InHand SLA.3. using the static routing and tracking options.SLA Configuration Steps The SLA configuration steps are as follows:

1. Define one or more SLA operations (probes).
2. Define one or more Track objects to track the status of SLA operations.
3. Define the measures associated with the tracked object.

The SLA parameters are described below:

1. Index: Index or ID of the SLA, user-defined or automatically generated up to 10 SLAs can be added
   

1. Type: type of probe, default is icmp-echo, by simply sending an ICMP-ECHO (Type8) packet to the target host, if the ICMP-ECHO-Reply (ICMPtype0) packet is received, it means that the host is alive
   

1. Destination Address: IP address to be probed
   

1. Data size: user-defined size of probe packets
   

1. Interval (s): the device sends ICMP probes at a regular interval according to the set probe interval.
   

1. Timeout (ms): If the device does not receive a packet within the configured timeout period after sending an ICMP probe, the probe is considered to have failed and the next probe is performed.
   

1. Consecutive: i.e., how many times the detection fails for link failure. When the configured number of times of detection is reached, the SLA detection is considered to have failed, and then the SLA state is DOWN.
   

1. Life: default is forever (i.e., it will take effect forever after configuration), and cannot be changed by the user.
   

1. Start-time: default is now (effective immediately after configuration) 

3.3.2 Track module

The purpose of Track is to realise the linkage function, which consists of three parts: the application module, the Track module and the monitoring module.  the Track module is located between the application module and the monitoring module, and its main function is to shield the differences between the different monitoring modules and provide a uniform interface for the application module.

The Track module parameters are described below:

Track Object:

1. Index: Index or ID of the Track, user-defined or auto-generated, up to 10 can be created.
   

1. Type: sla or interface selectable
   

1. SLA ID/VRRP ID: index or ID of the defined SLA, not available when interface is selected as type
   

1. Interface: not available when sla is selected as type
   

1. Negative delay(s): when the interface or sla state is DOWN, how long it takes for the track to display the abnormality. 0 means display immediately, unit: second.
   

1. Normal state delay: When a fault is recovered, switchover can be delayed instead of immediate according to the set time (0 for immediate switchover)

Track Action:

1. Index: Index or ID of the Track, user-defined or auto-generated, up to 10 can be created.
   

1. Control Service: default is ipsec, i.e. this Track is used to detect the status of IPSec connection establishment.
   

1. Action:
   

3.3.3 Interface Backup

Interface backup refers to the formation of a master-backup relationship between specified interfaces of the same device. When an interface fails or the bandwidth is insufficient and the service transmission cannot be carried out normally, the flow can be quickly switched to the backup interface, which will take over the service transmission or share the network flow, thus improving the reliability of the communication of data devices.

The interface backup parameters are described below:

1. Primary interface: the interface in use
   

1. Backup interface: interface waiting to be switched over
   

1. Startup delay: Set how long to wait for the startup trace detection policy to take effect
   

1. Up delay: when the main interface switches from detection failure to detection success, the switchover can be delayed according to the set time (0 for immediate switchover) instead of immediate switchover
   

1. Down delay: when the main interface switches from detecting success to detecting failure, it can delay the switchover according to the set time (0 represents immediate switchover) instead of immediate switchover
   

1. Track ID: the index or ID of the Track that has been defined by the tracking probe.
   

3.4 VPN

VPN is a "virtual" private communications network built on top of a public network (such as the Internet). By "virtual", we mean that it does not have independent physical links and infrastructure like traditional private networks, but rather, through network technology, it establishes a logically isolated and dedicated communication channel on the public network to achieve functions and security similar to those of private networks.

By means of tunneling technology, encryption technology, etc., it makes users feel like they are communicating in an independent and secure private network when using a VPN, but in reality the data is transmitted on top of the public network and is only logically dedicated and private.

3.4.1 IPsec

IPsec is a set of open network security protocols developed by IETF, which performs authentication and encryption operations on packets at the IP layer to ensure the integrity and security of communication data. It reduces the risk of data leakage and eavesdropping, and guarantees the security of user business data transmission.

3.4.1.1 IPsec Configuration

The IPsec configuration parameters are described below:

1. IKEv1 Policy
   

1. IKEv2 Policy
   

1. IPsec policy
   

1. IPsec Tunnel Configuration

1. Destination Address: set the IP address or domain name of the counterpart IKE peer (configured as 0.0.0.0 when IG is server)
   

1. Map Interface: set the interface to which IPSec policy is applied
   

1. IKE Version: Set the version number of IKE protocol, IKEv1 and IKEv2 are supported.
   

1. IKEv1 Policy: the policy identifier defined in the IKEv1 policy list.
   

1. IKEv2 policy: the policy identifier defined in the IKEv2 policy list.
   

1. IPsec Policy: Policy identifiers that have been defined in the IPsec Policies list.
   

1. Authentication Type: two authentication methods are available, shared key and digital certificate.
   

1. Negotiation Mode: Sets the negotiation mode of IKEv1.
   

1. Local Subnet: the source network in the stream of interest as defined by IPESC
   

1. Remote Subnet: the destination network in the stream of interest as defined by IPESC

1. IKE Advance(Phase 1)
1. Local ID: Sets the identity type of the local device in IKE negotiation
   

1. Remote ID: Sets the identity type of the counterpart device in IKE negotiation
   

1. IKE Keeplive: Sets whether to enable the Peer Survival Detection DPD feature
   

1. Perfect Forward Stratification (PFS): PFS is a security feature that means that the cracking of one key does not affect the security of the other keys because there is no derivation between these keys. the IPSec phase 2 key is derived from the phase 1 key, and when the phase 1 IKE key is stolen, it is possible for an attacker to gather enough information to derive a key for the phase 2 IPSec SA. The PFS secures the phase 2 keys by performing an additional DH exchange.
   

1. IPsec SA lifetime: sets the lifecycle of the IPSec SA. the IPSec negotiation establishes the SA with the smaller of the lifecycle set at the local end or the lifecycle at the peer end.
   

1. IPsec SA Idle Idletime: When no data is transmitted within the configured idle time after IPsec is successfully established, the IPSec SA expires. before the IPSec SA is about to expire, IPSec negotiates to establish a new SA so that the new SA is ready before the old one expires.

1. Tunnel Start Mode: Setting the IPsec Enablement Method
   

1. Fail times to Restart Interface: when the number of tunnel connection failures reaches the set value, restart the physical interface on which the tunnel was established; the default is 0, i.e., the interface is not restarted even after a failure, legal value: 1-12 times
   

1. Fail times to Rebot: when the number of tunnel connection failures reaches the set value, restart the current device; the default is 0, i.e., the device is not restarted even after the failure, legal value: 1-32 times
   

1. Local/Remote Send Cert Mode: you can choose to send certificate on request, always send certificate, do not send certificate
   

1. ICMP Detect
   

3.4.1.2 IPsec Extern Setting

The IPSec extension parameters are described below:

1. Basic Parameters
   

1. IKE Advance(Phase 1)
   

1. IPsec Advanced Options (Phase 2)
   

Description:

1. The security of encryption algorithms in descending order is: AES, 3DES, DES, high security encryption algorithm implementation mechanism is complex, but slow computing speed. For general security requirements, DES algorithm can meet the needs
   

1. When the IG is used as an IPsec server, please configure the address of the counterpart as 0.0.0.0, which is generally used in scenarios where one end has a public network address and the other end has an unfixed dial-up address.
   

1. IPsec extensions are typically used in conjunction with GRE to build DMVP or GRE over IPsec networks.

3.4.2 GRE

Generic Routing Encapsulation (GRE) defines a protocol that encapsulates any other network layer protocol over any other network layer protocol.GRE can be used as a Layer 3 tunneling protocol for VPNs, providing a transparent transmission channel for VPN data. Simply put, GRE is a tunneling technology that provides a pathway on which encapsulated data messages can be transmitted, and encapsulates and decapsulates the data messages at both ends of the tunnel.

The GRE parameters are described below:

1. Enable: Enables or disables the GRE function
   

1. Index: Sets the GRE tunnel name, in the range of 1-100.
   

1. Network Type: Select the GRE network type
   

1. Local Virtual IP: Set the local virtual IP address
   

1. Peer Virtual IP: set the counterparty virtual IP address, if subnet type, this item is the local subnet mask
   

1. Source Type: Select the source address type and set the IP address or interface name of the corresponding type.
   

1. Local IP: Configure the source address of the GRE tunnel
   

1. Peer IP: configures the destination address of the GRE tunnel
   

1. Key: Set the authentication key of the tunnel, the configuration should be the same at both ends.
   

1. MTU: Sets the maximum transmission unit of the GRE tunnel, in bytes
   

1. NHRP Enable: Next Hop Resolution Protocol, which is used by a source station connected to a Non-Broadcast Multi-Access (NBMA)-style subnetwork to determine the interconnecting Internet layer address and the NBMA subnet address of the NBMA next hop between arriving destination stations.
   

1. IPsec Profile: disabled, used in conjunction with IPsec extensions
   

1. Description: Descriptive information about the GRE tunnel

Description:

1. NHRP is only used in DMVP networks, and generally GRE does not need to enable NHRP.
   

1. GRE is generally used in cases where both addresses are fixed public networks.

3.4.3 OpenVPN

In OpenVPN, if a user accesses a remote virtual address (belonging to the address series assigned to the virtual NIC, different from the real address), the operating system will send data packets (TUN mode) or data frames (TAP mode) to the virtual NIC through the routing mechanism, and the service programme receives the data and processes them accordingly, and sends them out from the extranet through SOCKET, the remote The service programme receives the data from the extranet via SOCKET and processes it accordingly, then sends it to the virtual NIC, which can be received by the application software, completing a unidirectional transmission process, and vice versa.

3.4.3.1 OpenVPN Client

The OpenVPN client parameters are described below:

1. Enable: Enables or disables OpenVPN client
   

1. Index: Sets the tunnel ID
   

1. OpenVPN Server: Set the IP address or domain name of the OpenVPN server.
   

1. Port: the port number used when establishing OpenVPN 
   

1. Protocol Type: selectable udp, tcp
   

1. Authentication Type: Select the authentication class and configure the parameters of the corresponding authentication type.
   

1. Description: customise the content of the tunnel description

1. Show Advanced Options
   

3.4.3.2 OpenVPN server

The OpenVPN server parameters are described below:

1. Enable: Enables or disables the OpenVPN server.
   

1. Config Mode: Manual config, Import Config File can be selected
   

1. Manual Configuration
   

1. User Password: the user/password configured by the server when using the user password authentication type
   

1. Local Subnet: the route from OpenVPN server to client, usually fill in the subnet where the client actually communicates.
   

1. Client Subnet: static route pushed to the client by the OpenVPN server

3.4.4 Certificate Management

Scep (Simple Certificate Enrollment Protocol) is a communication protocol for device certificate management developed by cisco and Verisign. It utilises a combination of existing PKCS#7 and PKCS#10 protocol technologies and enjoys extensive support for client and CA implementations.

Certificate Management:

The certificate management parameters are described below:

1. Enable SCEP(Simple Certificate Enrollment Protocol): Enable or disable Certificate Request Protocol
   

1. Forced to re-enroll: Forced reapplication means not detecting the current certificate status and restarting the certificate application service every time.
   

1. Status: the current state of the device applying for a certificate, divided into initialize Enrolling, Re-Enrolling, Complete four states
   

1. Protect Key: the certificate protection key set when applying for certificates, plays a role in digital certificate encryption, when importing and exporting certificates configured to protect the key and the key when applying for certificates can be used in the same way
   

1. Protect Key Confirm: verify the certificate protection key.
   

1. Strict CA: Set the CA identifier trusted by the device, when applying for certificates through a trusted entity certification authority to complete the registration and issuance of entity certificates, so it is necessary to specify a trusted CA identifier will be bound to the device and the CA, the device certificate application, acquisition, revocation and query are implemented through the CA
   

1. Server URL: URL address of the certificate server, the URL of the enrolment server must be specified before the certificate application, and then the entity can make the certificate application to this server through SCEP. For example: http://100.17.145.158:8080/certsrv/mscep/mscep.dll
   

1. Common Name: Specify the name of the certificate to be applied for, i.e., the certificate common name.
   

1. FQDN: Set the certificate's FQDN (Fully Qualified Domain Name) FQDN is a unique identifier for an entity on a network, consisting of a hostname and domain name that can be resolved to an IP address. For example, www is a host name and whatever.com is a domain name, then www.whatever.com is an FQDN.
   

1. Unit 1: Name of the unit to which the configuration certificate belongs 1
   

1. Unit 2: Name of the unit to which the configuration certificate belongs 2
   

1. Domain: Qualified domain name to configure the certificate
   

1. Serial Number: Configure the serial number of the requested certificate
   

1. Challenge: set the challenge password for certificate application, the challenge code is the password to be used when revoking the certificate (optional)
   

1. Challenge Confirm: Verify the authentication password, same as the above configuration.
   

1. Unstructured address: Sets the IP address used for the certificate
   

1. RSA Key Length: legal value: 128-2048, unit: bit
   

1. Poll Interval: the time interval for the device to query the current certificate status to the certificate server, legal value: 30-3600, unit: second
   

1. Poll Timeout: Set the maximum time for the device to query the certificate status, when the timeout time is reached, it is considered that this certificate application fails. Legal value: 30-86400, unit: second
   

1. Revocation: enable or disable certificate revocation
   

1. Certificates: import relevant certificates

Note: When using certificates, ensure that the device time is synchronised with the actual time

ROOT CA:

Import the pre-registered ROOT CA certificate

3.5 Industrial interfaces

3.5.1 DTU

3.5.1.1 Serial port settings

Set the parameters of the IG serial port according to the serial port parameters of the terminal device connected to the IG to achieve normal communication between the IG and the terminal device.

The serial port setting parameters are described below:

1. Serial Type: The type and number of serial ports of different series of IG are not the same, so choose according to the actual situation. 
   

1. Baudrate: This is a parameter that measures the rate at which symbols are transmitted. It indicates the number of symbols transmitted per second
   

1. Data Bits: parameter to set the actual data bits in the communication
   

1. Parity: the error checking method in serial communication, generally parity or no parity in two ways
   

1. Stop Bit: Used to indicate the last bit of a single packet. Typical values are 1, 1.5, and 2 bits.
   

1. Software Flow Control: Flow control for serial communications provides a mechanism for blocking communication when it is not possible for some reason. Flow control allows the data receiving device to notify the data sending device when it is unable to receive data, causing it to stop sending.
   

1. Description: custom description
   

Attention:

1. The serial port parameters of the IG and the serial port parameters of the connected terminal device must be set the same way.
   

1. DTU function and GNSS serial port forwarding function cannot be enabled at the same time.

3.5.1.2 DTU1

The DTU 1 parameters are described below:

1. Enable: Tap Enable
   

1. DTU Protocol: Transparent transmission, TCP server, RFC2217 mode, IEC101 to 104, Modbus bridge, DC protocol can be selected.
   

1. Transmit Protocol: TCP and UDP optional
   

1. Connection Type: long and short connections available
   

1. Keepalive Interval: the time interval between TCP client and TCP server to send TCP heartbeat messages periodically after the connection is established, which is used to detect the connectivity between the client and the server.
   

1. Keepalive Retry: When the TCP heartbeat timeout, the device re-sends the TCP heartbeat and reestablishes the TCP connection after reaching the set heartbeat retry times.
   

1. Serial Buffer Frame: the size of serial port buffer set when sending and receiving data, default 4K.
   

1. Packet Size: the size of a frame of data set when the serial port sends data. It starts to send when the set value is reached. Legal value: 1-1024, unit: byte
   

1. Force Transmit Timer: when the serial port sends data, when the sending interval is greater than the set sub-frame interval, the device will automatically send the sub-frame, legal value: 10-65535, unit: milliseconds
   

1. Min Reconnect Interval: user-defined minimum reconnect interval. When the device starts to connect, if it does not connect successfully, it will reconnect according to this minimum reconnection interval. Until the user-defined maximum reconnection interval is reached. Legal value: 15-60, unit: sec.
   

1. Max Reconnect Interval: User-defined maximum reconnect interval. After the device starts to connect and the connection time reaches the maximum reconnection interval, it will connect once every this interval (i.e. user-defined maximum reconnection interval). Legitimate value: 60-3600 in seconds.
   

1. Multi-server policy: optional concurrency, polling
   

1. Source Interface: general users do not have to choose
   

1. Local IP Address: the IP address of the device interface when IP is selected for the source interface. Generally, users do not need to configure it, and it can be empty.
   

1. DTU ID: customised, DTU identification automatically sent to the server after successfully connecting to the server. It can also not be configured, keep empty state
   

1. Enable Debug: Tap on to print DTU related logs when it is turned on
   

1. Enable Report ID: Tap Enable
   

1. Destination IP Address
   

Description: Up to 10 destination IP addresses can be set.

3.5.1.3 DTU2

Same as DTU1.