Restricted

Document no.: 0102-5558 V03

2022-02-02

Vestas Client VPN

VestasOnline® Mk5 Network

Vestas Wind Systems A/S · Hedeager 42 · 8200 Aarhus N · Denmark · www.vestas.com

Classification: Restricted
VESTAS PROPRIETARY NOTICE: This document contains valuable confidential information of Vestas Wind Systems A/S. It is protected by copyright law as an unpublished work. Vestas reserves all patent, copyright, trade secret, and
other proprietary rights to it. The information in this document may not be used, reproduced, or disclosed except if and to the extent rights are expressly granted by Vestas in writing and subject to applicable conditions. Vestas
disclaims all warranties except as expressly granted by written agreement and is not responsible for unauthorized uses, for which it may pursue legal remedies against responsible parties.
Document no.: 0102-5558 V03 Vestas Client VPN Date: 2022-02-02
Document owner: Communication Infrastructure Restricted
Type: T05 - Marketing Data Page 2 of 8

Table of contents

1 Scope ....................................................................................................................................... 3
2 Introduction ............................................................................................................................. 3
3 Vestas Client VPN ................................................................................................................... 4
3.1 User Credentials ....................................................................................................................... 5
3.2 Vestas Client VPN Setup .......................................................................................................... 5
3.2.1 Installing PlantVPN ................................................................................................................... 5
3.2.2 Setup PlantVPN ........................................................................................................................ 5
3.3 Using PlantVPN ........................................................................................................................ 7
4 Abbreviations .......................................................................................................................... 8

Vestas Wind Systems A/S · Hedeager 42 · 8200 Aarhus N · Denmark · www.vestas.com

Classification: Restricted
Document no.: 0102-5558 V03 Vestas Client VPN Date: 2022-02-02
Document owner: Communication Infrastructure Restricted
Type: T05 - Marketing Data Page 3 of 8

1 Scope
The scope of this document is to describe the Vestas Client VPN solution for
connection to the wind power plant in a controlled and secured manor.

2 Introduction
The wind power plant network is isolated from the outside by a plant perimeter
router. This separates the internal network from the outside in a secure way.
The Vestas Client VPN solution can be used to get access to the plant services
from outside the wind power plant network.
 Vestas Client VPN
- Used for interim access from a single remote Windows computer
- A VPN client application is used on the connecting computer

The Vestas Client VPN can be used to access certain services in the wind power
plant, including:
 VOB client application
 Industrial protocols, such as OPC, OPC UA, Modbus, DNP3, IEC 101/104,
etc., as applicable
 Subscription DB
 Other externally accessible services and options, as applicable

Vestas Wind Systems A/S · Hedeager 42 · 8200 Aarhus N · Denmark · www.vestas.com

Classification: Restricted
Document no.: 0102-5558 V03 Vestas Client VPN Date: 2022-02-02
Document owner: Communication Infrastructure Restricted
Type: T05 - Marketing Data Page 4 of 8

3 Vestas Client VPN

The Vestas Client VPN solution is a secure VPN connection directly from a
customer or external partners PC to the wind power plant. The VPN functionality
is limited to only one plant connection at a time.
When connecting to a plant, a method named “Split Tunnelling” is used. The
advantage of “Split Tunnelling” is that only traffic for the plant will use the Vestas
Client VPN solution while all other traffic for office services or internet do not.
Be aware that only one VPN connection can be active at a given time e.g.
connecting to the corporate office and a Plant at the same time.
The Vestas Client VPN solution requires a client to be installed on the customer
or external partners windows computer. This client consists of a frontend and an
engine:
 Frontend - Vestas PlantVPN
 Engine - Cisco AnyConnect VPN client

Requirements for running the PlantVPN solution are:

 Microsoft Windows PC running Windows 7 (64bit) or higher
 Disk space requirement: 100MB
 Memory requirement: 1GB
 Cisco AnyConnect 4.7 or higher①
 .NET framework version 4.6.2 or higher②
 Local user elevated privileges allowed to install the PlantVPN client (e.g.
Admin right)
 Internet connection with the following ports open in the Firewall:
- TCP and UDP 53 (DNS)
- UDP 500 (IKE/ISAKMP)
- UDP 4500 (IPSec Nat T)
 Valid plant user credentials (unique per user)

① Cisco AnyConnect is included in the PlantVPN installation.

② .NET framework is included in the PlantVPN installation.

Vestas Wind Systems A/S · Hedeager 42 · 8200 Aarhus N · Denmark · www.vestas.com

Classification: Restricted
Document no.: 0102-5558 V03 Vestas Client VPN Date: 2022-02-02
Document owner: Communication Infrastructure Restricted
Type: T05 - Marketing Data Page 5 of 8

3.1 User Credentials

All users that require access to the plant using the PlantVPN solution must have
personal user credentials. Vestas will contact the user for collecting the required
information to setup the user account.

Required information needed for creation of the user.

 First name
 Last name
 Email address
 Mobile phone no.
 Plants to access (could be one or more plants)

When created, the specific user will be informed by mail. The mail will contain the
needed user credentials and a link to download the PlantVPN installer and the
installation guide (this guide).

3.2 Vestas Client VPN Setup

3.2.1 Installing PlantVPN

After downloading the PlantVPN application, start the installation.

NOTE The Installer needs elevated user credentials so make sure you have valid user
credentials when installing the PlantVPN application.

The installer will guide you through the steps needed.

If you do not have Cisco AnyConnect client and .Net frame already, this will be
installed as part of the PlantVPN installation.
After installation of PlantVPN, run the application to setup access to all the wind
power plants listed in the information mail.

3.2.2 Setup PlantVPN

Start the PlantVPN application by selecting the icon on the desktop or by pushing
the [Windows] key on the keyboard followed by typing “PlantVPN” and [Enter].

Vestas Wind Systems A/S · Hedeager 42 · 8200 Aarhus N · Denmark · www.vestas.com

Classification: Restricted
Document no.: 0102-5558 V03 Vestas Client VPN Date: 2022-02-02
Document owner: Communication Infrastructure Restricted
Type: T05 - Marketing Data Page 6 of 8

Figure 3-1: PlantVPN Figure 3-2: Plant Manager

First time PlantVPN starts up, configure the plant(s) to where access is required.
Select the cogwheel next to plant field to go to the Plant Manager and update the
plant(s), see Figure 3-1 and Figure 3-2. Here you can add plants and give it a
friendly plant name. This list will be presents in the Plant field as a drop down.
 Left field – input the Vestas provided SP no. (site unique identifier)
– You can find the Vestas provided SP no. in the PlantServicePortal under
menu “My Powerplants”, see Figure 3-3
 Right field – input the plant name to your liking
Save the changes.

Figure 3-3: Menu from PlantServicePortal, where you can find the Vestas
provided SP no.

This is only needed the first time running PlantVPN (or if changes are needed on
the plant(s).
Thereafter the PlantVPN application is ready to be used.

Vestas Wind Systems A/S · Hedeager 42 · 8200 Aarhus N · Denmark · www.vestas.com

Classification: Restricted
Document no.: 0102-5558 V03 Vestas Client VPN Date: 2022-02-02
Document owner: Communication Infrastructure Restricted
Type: T05 - Marketing Data Page 7 of 8

3.3 Using PlantVPN

Start the PlantVPN application by selecting the icon on the desktop or by pushing
the [Windows] key on the keyboard followed by typing “PlantVPN” and [Enter].

Fill out the dialog fields, see Figure 3-1:

Plant: Select the plant you need to connect to in the dropdown menu (or manual
add the Vestas unique SP no.)
Username: Use your plant username (your email address)
Password: Use your plant password (as created in section 3.1)

NOTE Make sure the Cisco AnyConnect clients is not running in the background. If so,
right click on the AnyConnect icon in the notification area and select Quit.
Thereafter start PlantVPN again.

When the VPN connection has been initiated, the PlantVPN application will
display “Connected to plant”. You will now be able to access plant services from
the PC. When work is finished click the “Disconnect” button.
To access the VOB server, the default IP is 10.56.128.220③ . The VOB server
can be accessed from the VOB client or other relevant applications.

NOTE PlantVPN is not able to run in a multiuser setup e.g. on a Windows terminal
server because of security limitations.

If you need support for the PlantVPN application, reach out to your local
responsible Vestas Customer Care contact.

③ If customer requires an alternative IP, the IP can be changed.

Vestas Wind Systems A/S · Hedeager 42 · 8200 Aarhus N · Denmark · www.vestas.com

Classification: Restricted
Document no.: 0102-5558 V03 Vestas Client VPN Date: 2022-02-02
Document owner: Communication Infrastructure Restricted
Type: T05 - Marketing Data Page 8 of 8

4 Abbreviations

Abbreviation Explanation
Credentials Username and Password
DNS Dynamic Name Server
IKE Internet Key Exchange
IP Internet Protocol
IPSec Internet Protocol Security
NAT Network Address Translation
Plant Consists of WTG´s, and SCADA equipment
SCADA Supervisory Control and Data Acquisition
TCP Transmission Control Protocol
UDP User Datagram Protocol
VOB VestasOnline® Business
VPN Virtual Private Network
WTG Wind Turbine Generator
Table 4-1: Abbreviations

Vestas Wind Systems A/S · Hedeager 42 · 8200 Aarhus N · Denmark · www.vestas.com

Classification: Restricted