
SP-C-WEB Security Expert - Network Administrator - Reference Guide

The SP-C-WEB System Networking Administrator Guide provides essential information on the SP-C-WEB system, which is a web-based solution for programming, monitoring, and controlling security systems. It outlines networking parameters, installation practices, and security best practices, emphasizing the importance of proper port configurations for effective system management. The document also details the necessary networking protocols and security measures to ensure safe operation within secure networks.

Uploaded by

joseph torres

SP-C-WEB

System Networking
Administrator Guide
SP-C-WEB
February 2022
Legal Information
The Schneider Electric brand and any registered trademarks of Schneider Electric Industries
SAS referred to in this manual are the sole property of Schneider Electric SA and its
subsidiaries. They may not be used for any purpose without the owner's permission, given in
writing. This manual and its content are protected, within the meaning of the French intellectual
property code (Code de la propriété intellectuelle français, referred to hereafter as "the Code"),
under the laws of copyright covering texts, drawings and models, as well as by trademark law.
You agree not to reproduce, other than for your own personal, noncommercial use as defined
in the Code, all or part of this manual on any medium whatsoever without Schneider Electric's
permission, given in writing. You also agree not to establish any hypertext links to this manual
or its content. Schneider Electric does not grant any right or license for the personal and
noncommercial use of the manual or its content, except for a non-exclusive license to consult it
on an "as is" basis, at your own risk. All other rights are reserved.
Electrical equipment should be installed, operated, serviced and maintained only by qualified
personnel. No responsibility is assumed by Schneider Electric for any consequences arising
out of the use of this material.
As standards, specifications and designs change from time to time, please ask for confirmation
of the information given in this publication.
Trademarks and registered trademarks are the property of their respective owners.
SP-C-WEB System Networking

Contents
SP-C-WEB System
    Introduction
    Document Information
    Software Application Version
SP-C-WEB Networking Parameters
    Introduction
    System Architecture
Installing SP-C-WEB on Secure Networks
    General Security Best Practices
IP Networking Ports
    Web Server Ports
    Port Forwarding
    Module IP Network
    Mobile App
    IP Monitoring
    Ideal Port Configuration
        SP-C-WEB Controller
        IP Modules
        Mobile App
        IP Monitoring


SP-C-WEB System
Introduction
SP-C-WEB is a flexible web-based system that allows you to program, monitor and control a
site from any smartphone, tablet or computer with a fixed or mobile network connection. It
combines access control, alarm intrusion, and automation and control, all into one unified
package.

Document Information
This document outlines the operation of the various networking and communication protocols
used by the SP-C-WEB system.
It is recommended that at a minimum the ports specified in this document are opened to the
device to allow upgrade and effective management of the access control system.

Software Application Version


This document is independent of the software application version that is operating and is
based on the default configuration of the SP-C-WEB system.


SP-C-WEB Networking Parameters


Introduction
The SP-C-WEB modular hardware design allows you to scale your system as your
requirements change. Start with the controller or choose one of the cost-effective starter kits,
then add optional accessories as and when you need them. The controller is backwards
compatible with all Security Expert expander modules and accessories, meaning you can
move to SP-C-WEB without having to replace your existing hardware.

System Architecture
The following image shows the general structure of an SP-C-WEB system. This is a very basic
setup and is not intended to cover every permutation possible. This should be used as a
reference when opening ports and configuring routers to allow communications to operate
correctly.


Installing SP-C-WEB on Secure Networks


SP-C-WEB features end-to-end encryption of communications, as shown in the diagram
below. Communications with the controller's web server should be protected by a firewall on
the local area network.
[Diagram: end-to-end encryption of SP-C-WEB communications.
Components shown: Card, Card Reader, Reader Expander (RS485), Controller, Web Server,
Firewall/NAT, Web Browser, Mobile App, Mobile App Server, Private VLAN.
Link labels shown: Card Data; Credential Blob; Bluetooth Credential Blob; AES256 with
Pre-shared Encryption Key; AES128 with Generated Key; AES256 with Generated Key;
Proprietary Encryption over RS485; HTTPS; HTTPS (TLS 1.2).]

General Security Best Practices


We strongly recommend the following industry cybersecurity best practices.
• Locate control and safety system networks and remote devices behind firewalls and
  isolate them from the business network.
• Put physical controls in place so no unauthorized person can access the ICS and safety
  controllers, peripheral equipment, or the ICS and safety networks.
• Place all controllers inside locked cabinets, secure from unauthorized access.
• Never connect programming software to any network other than the network for the
  devices it is intended for.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB
  drives, etc. before use in the terminals or any node connected to these networks.
• Never allow laptops that have connected to any network other than the intended network
  to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems, and ensure that
  they are not accessible from the internet.
• When remote access is required, use secure methods, such as Virtual Private Networks
  (VPNs). Be aware that VPNs may have vulnerabilities and should be updated to the most
  current version available. Also, recognize that VPNs are only as secure as the connected
  devices.
• Connection to the controller web pages uses a self-signed HTTPS certificate by default.
  While this is acceptable for system setup and commissioning, this should be replaced with
  a certificate signed by a third-party certificate authority once the site is commissioned and
  operational.
• As with any embedded controller with limited resources, the SP-C-WEB controller may be
  susceptible to a Denial of Service (DoS) attack. As this cannot be solved in the controller
  itself, external mitigation through network isolation or detection and rate limiting at the
  network hardware must be employed.
• Special care and attention must be given when assigning roles and permissions to access
  the SP-C-WEB device. Make sure that roles and permissions are set up to give the
  minimum required privileges for the actions the operator must perform in the system. For
  all roles, enable the options to prevent passwords and PINs from being exposed in clear
  text.


IP Networking Ports
For the system to function correctly, certain ports must be opened so that the controller's
web server can communicate with a web browser and additional hardware can communicate
with the controller.

Web Server Ports


The controller has an onboard web server that sends the web pages to a browser on any
internet-capable device through an HTTP connection using the standard web ports for HTTP
and HTTPS.

From IP       Port    To IP    Port    Protocol
Controller    80      PC       80      TCP (HTTP)
Controller    443     PC       443     TCP (HTTPS)

Port Forwarding
Port forwarding can be enabled to access a controller over the internet. Network Address
Translation (NAT) must be set up on the router to use this functionality.

The port forwarding number can be different for each situation, but as an example we will use
port 10000.

From IP          Port     To IP            Port     Protocol
Remote Client    10000    Router           443      TCP
Router           443      Remote Client    10000    TCP

Module IP Network
The SP-C-WEB system features a number of modules that communicate using their onboard
network connection. Module communications will always be sent to and from the ports listed
below. Periodic broadcasts to the broadcast address allow time and module synchronization to
be sent. A broadcast must be allowed to traverse to all modules on the controller for the correct
operation of the IP-based units.

From IP       Port    To IP         Port    Protocol
Controller    9450    Modules       9450    UDP
Modules       9450    Controller    9450    UDP

Mobile App
The Security Expert Mobile App communicates with the SP-C-WEB controller via the internet
on the standard web port (port 80/443), or to a different port number translated through a
router.

For port forwarding/translating setup consult your IT advisor.

From IP       Port    To IP         Port    Protocol
Mobile App    Any     Controller    80      TCP (HTTP)
Mobile App    Any     Controller    443     TCP (HTTPS)

IP Monitoring
IP alarm monitoring has been developed to achieve the same result as Contact ID alarm
monitoring (to transmit an alarm message to a central monitoring station), but does so via a
network connection across the internet. It is up to the installation company and monitoring
station to agree on suitable ports.

Ideal Port Configuration


The ideal port configuration for a system is detailed below and allows for system maintenance
and firmware updates across any connected modules. If any of the listed IP modules are not
used on a system they may be omitted from port setups.

SP-C-WEB Controller

Direction    From/To IP         Port    Protocol
In/Out       Server IP          443     TCP (with HTTPS)
In/Out       Local Module IP    9450    TCP/UDP

IP Modules

Direction    From/To IP         Port    Protocol
In/Out       Local Module IP    9450    UDP

Mobile App

Direction    From/To IP         Port    Protocol
Inbound      Local Module IP    443     TCP (with HTTPS)

IP Monitoring

Direction    From/To IP         Port    Protocol
Outbound     Local Module IP    Any     TCP/UDP
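
Added example (not part of the Schneider Electric guide): a Python check that compares connection records from a firewall or flow log against the ideal port tables above and reports anything outside them, including port 9450 traffic that leaves the module network. The controller address, module VLAN, monitoring-station endpoint and all sample flows are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed site values (assumptions, not taken from the guide).
CONTROLLER = ipaddress.ip_address("10.20.0.10")
MODULE_VLAN = ipaddress.ip_network("10.20.0.0/24")  # controller + IP modules
MONITORING = ("203.0.113.50", 9000, "tcp")          # port agreed with the station
LIMITED_BCAST = ipaddress.ip_address("255.255.255.255")

Flow = namedtuple("Flow", "src sport dst dport proto")  # one connection, initiator first

def check(flow):
    """Return None if the flow matches the ideal port tables, else a reason."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    proto = flow.proto.lower()
    if 9450 in (flow.sport, flow.dport):
        # Module traffic and its broadcasts must stay inside the VLAN.
        if src not in MODULE_VLAN or not (dst in MODULE_VLAN or dst == LIMITED_BCAST):
            return "port 9450 crossing the module VLAN boundary"
        udp_ok = proto == "udp" and flow.sport == flow.dport == 9450
        tcp_ok = proto == "tcp" and CONTROLLER in (src, dst)
        return None if udp_ok or tcp_ok else "unexpected port/protocol combination on 9450"
    if dst == CONTROLLER:
        if proto == "tcp" and flow.dport == 443:
            return None  # browser or mobile app, directly or via a NAT port forward
        if proto == "tcp" and flow.dport == 80:
            return "plain HTTP to controller (ideal table lists 443 only)"
        return "unlisted inbound port on controller"
    if src == CONTROLLER:
        if (flow.dst, flow.dport, proto) == MONITORING:
            return None
        return "unlisted outbound connection from controller"
    return "flow not covered by the port tables"

def audit(flows):
    """Return (flow, reason) for every flow outside the allowlist."""
    return [(f, r) for f in flows if (r := check(f)) is not None]

FLOWS = [  # constructed sample records
    Flow("192.0.2.44", 51512, "10.20.0.10", 443, "tcp"),
    Flow("10.20.0.21", 9450, "10.20.0.10", 9450, "udp"),
    Flow("10.20.0.10", 9450, "10.20.0.255", 9450, "udp"),
    Flow("192.0.2.44", 40000, "10.20.0.10", 80, "tcp"),
    Flow("198.51.100.7", 9450, "10.20.0.10", 9450, "udp"),
    Flow("10.20.0.10", 50000, "203.0.113.50", 9000, "tcp"),
    Flow("10.20.0.10", 50001, "198.51.100.9", 8443, "tcp"),
]
for flow, reason in audit(FLOWS):
    print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

Records are read as seen on the controller side of the router, so a port-forwarded connection (for example external port 10000) appears with destination port 443.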

Schneider Electric
www.schneider-electric.com
© 2022 Schneider Electric. All rights reserved.