A switch connects ethernet devices with addresses in the same 'subnet'. A router can connect different subnets together.


In this illustration, LAN 1 and LAN 2 are individual switched networks on the 'dot 1' and 'dot 2' subnets respectively. For communications to cross this IP subnet boundary, a router is required.

Most industrial networks are solely 'switched' networks. That is, all the active network elements are 'Layer 2' devices, or switches, and this means typically that there is a single IP address range used. Routing is introduced when networks get large, and there is the need to contain network traffic to specific 'subnets' within the network. By this means, network functions can be segregated with controlled interconnection, and network problems (such as broadcast storms) are contained to each subnet. This segregation function can also be achieved through the use of VLANs, which are a common function in managed switches.

To fully address this question requires reference to the 7 layer OSI model.
A switch operates only at the 'Datalink' level, or 'Layer 2', which involves identifying a path through a network based on the hardware MAC address. A router operates at the 'Network' or Layer 3 level, which involves reference to the IP address with which most people are familiar. While a router can receive a message and forward it based purely on its IP address, a switch can not do this, and must resolve the MAC address relating to a destination address through use of protocols such as the Address Resolution Protocol (or ARP).

Unless a network is large or needing to accommodate a large number of disparate systems, a managed switch is the standard network device.

Like to know more?

Call us on 1300 DAANET (1300 322 638), or send an enquiry now.
Please note that Daanet only supplies to Australian & NZ customers.

An ethernet hub has two limitations. Firstly, it operates only in half-duplex, which restricts traffic flow, and has the effect of limiting the overall network traffic capacity to much less than the nominal data rate of any individual port. Secondly, a hub does nothing more than to distribute or 'broadcast' every received data frame at a port to every other port, irrespective of the address. In fact, the hub doesn't even look at the data frame's address. This too has the effect of diminishing the performance of the network, by loading ports with unnecessary traffic.

An ethernet switch however overcomes these obstacles firstly by allowing operation in full-duplex. More importantly however, a switch seeks to correctly distribute data frames to the correct destination port, which it does through use of the matching destination MAC addresses with entries it has built up in the 'learned address table' (LAT). The LAT is populated with data every time data is received at a port, with the switch noting for example, Host A is on port 1, Host B is on port 3 etc. When a message is received with Host A as the destination, the switch knows where to send the data. If it has no entry for Host A, in this case it must 'broadcast' it, i.e., send it to every port.

Most applications now benefit from switches in place of hubs. The lingering benefits of hubs are as a diagnostic tool to provide a retransmission of network data for network sniffing, and for specific deterministic networks like Ethernet Powerlink.

For more information, refer to related FAQs:

Should I replace my ethernet Hubs with Switches?

Like to know more?

Call us on 1300 DAANET (1300 322 638), or send an enquiry now.
Please note that Daanet only supplies to Australian & NZ customers.

No. It is not recommended.
Given the high-speed response requirements of the fast-recovery ring, the variable latency of the wireless link can result in the ring manager mistaking a delayed response as a fault. This can lead to unwanted toggling of the redundancy state.

If it is desired to have a wireless link for redundancy, use of the slower to respond Rapid Spanning Tree Protocol is more reliable.

Like to know more?

Call us on 1300 DAANET (1300 322 638), or send an enquiry now.
Please note that Daanet only supplies to Australian & NZ customers.


While the switching and network management functions (IGMP, QoS, RMON, SNMP etc) are largely similar across all applications for Ethernet networks, the industrial environment provides many challenges and points of difference that mean 'oils ain't oils' when it comes to selecting network switchgear when achieving high production uptime is essential. Simply put, devices for 'industrial ethernet' need to provide tolerance to extremes (and rapid changes ) of temperature, vibration, shock and EMI. Domestic and Commercial grade equipment is not subject to these environments, and is hence not designed nor built for them.

There are numerous other differences, with Industrial Ethernet products featuring:

  • Rail mounting to suit switchboards (though Rack mount models are also available)
  • Low voltage DC supplies - typically 24Vdc, but often with quite wide ranges.
  • Redundant power supplies
  • Relay fault contacts
  • Fanless design to boost reliability
  • GUI for ease of use
  • High recovery speed redundancy protocols such as Hirschmann's proprietary HiPER-Ring™ and the standardised MRP

 Like to know more?

Call us on 1300 DAANET (1300 322 638), or send an enquiry now.
Please note that Daanet only supplies to Australian & NZ customers.


A router is used to pass data between different networks.

You may recall that in an IP address, the netmask identifies the 'network' part of the address. So in an address like with a netmask of, the netmask defines the 'network' address to be the first three bytes, that is, If two addresses have different network parts of their addresses, they are in different networks, and require a router to communicate.

As another example, a device with address is in a different network to, as the network part of these addresses is different. For messages to move from one network to another, hosts send these message to the default gateway, which is the entrance to the next network. These concepts are illustrated in this diagram, which features a switch (square icon) connected to a router (round).


There are many benefits of segregating networks:

  • Faults such as broadcast storms are constrained to the network in which they occur; routers do not propagate broadcast traffic.
  • Similarly, multicast traffic is not re-transmitted unless specifically enabled with a multicast routing protocol like PIM-DM for example.
  • Through the use of access control lists, (ACL), routers can be configured to control the data routed from one network to another. This is used to limit access to resources (such as a printer), and also provides a degree of security.


Hardware firewalls often provide routing capability, Industrial Ethernet Firewall Router - Hirschmann EAGLE20as does the Hirschmann EAGLE20 shown (but not the EAGLE Tofino).

Many industrial networks are small enough to not require segregation via a router, and what defines 'small enough' is hard to define. Natural boundaries however for routers tend to be along production cell lines and your tolerance for cross contamination of problems; if cell 1 network failed, could you tolerate it taking cell 2 with it? A simple routed interface using the EAGLE20 would create the cell boundaries necessary to avoid network fault contagion.

If you think a router or firewall may be of benefit to your network, or you would just like a review of your network design or topology, send an enquiry and we will arrange a service engineer to discuss the available services.

 Like to know more?

Call us on 1300 DAANET (1300 322 638), or send an enquiry now.
Please note that Daanet only supplies to Australian & NZ customers.


Yes, much of the Hirschmann range is available with the appropriate Germanischer Lloyd (GL) shipbuilding approval, and hence suited to marine applications. Some of the entry level products, such as the Unmanaged SPIDER for example are not available in this form.

Mach4000 48G Throttle 1.jpg

This is NOT a standard feature Ethernet switch with GL marine approvals - Hirschmannhowever - the GL approval must be specified for quotation, and ordered with the correct 'H' code in the 'Approvals' field in the part number.
Such applications may also need a conformal coating - this is available with the 'E' or 'F' code in the Temperature Range field, this is also known as the EEC - Extended Environmental Conditions version.

Like to know more?

Call us on 1300 DAANET (1300 322 638), or send an enquiry now.
Please note that Daanet only supplies to Australian & NZ customers.



This is the number 1 FAQ in the area of industrial networking.
While an 'unmanaged' switch provides no means of user configuration, a 'managed' switch provides a number of configurable parameters. These settings allow the network's behaviour to be managed, and may include provision for redundancy, network segregation, priortisation, network management or alarming.

The Hirschmann SPIDERs shown here (left) are examples of unmanaged switches. These are typically located in field cabinets as end points in networks, where there is the requirement to add devices to a network simply, and perhaps provide a local access point to the network.
Despite being considered 'entry-level' devices, even unmanaged switches feature auto-crossing, auto-negotiation and auto-polarity to simplify installation and choice of cable. Being industrial products, they are designed for DIN rail mounting, with 24Vdc power supply.

Managed switches typically include functions such as:


  • Redundancy
  • VLAN
  • IGMP Query / Snooping
  • Quality of Service - enables prioritisation for different classes of traffic
  • Power over Ethernet (PoE)
  • Advanced Diagnostic functions such as traps, port mirroring, duplicate addresses detection and and even cable testing.

For mission-critical applications, managed switches are now more common than unmanaged due to the ability to build fault-tolerant network topologies with fault reporting as well as accommodate the variety of network traffic types - video, voice, I/O and motion as well as standard peer to peer messaging.

Like to know more?

Call us on 1300 DAANET (1300 322 638), or send an enquiry now.
Please note that Daanet only supplies to Australian & NZ customers.


Let's start with an ethernet hub. You can think of a hub as a half-duplex double adapter for an ethernet network - it simply provides more connection ports. A hub however is 'dumb' - it simply distributes everything it receives at one a port to every other port (called flooding) whether the destination is at that port or not. A copy of the message ends up at the destination, but duplicate copies are sent to all other hosts as well, reducing overall network performance.

An ethernet switch is more advanced, and has the following differences to a hub:


  1. Switch ports generally operate in Full-Duplex (though can be set for half-duplex).
  2. When a switch receives an ethernet frame, it wants to distribute it only to the port where the destination host is connected. It achieves this by referring to its 'Learned Address Table' (LAT), a list of entries that matches the network host MAC addresses to the switch's ports.The LAT is also called the Forwarding DataBase (FDB).
  3. This LAT is populated by monitoring network traffic, and most commonly 'ARP' request messages issued by network hosts, and the replies they receive. In doing so, the switch 'learns' what devices are connected to each of its ports.
  4. Switches can be of the 'managed' type in which case the provide a number of inbuilt functions can be configured to manage how the network behaves.

When an ethernet frame is received by a switch and it has no record of where to send it, it will have to 'flood' it to all ports (except the port on which it was received) to ensure delivery. The reply through a single port is then likely to reveal the location of the intended recipient. 

To ensure that changes in network topology can be accommodated, (such as when you remove your computer from one port and connect it to a different port), the LAT has an aging timer for each address - typically just 30 seconds for a managed switch and 5 minutes for an unmanaged switch. Once an address has been unused for the period of the aging timer, the address is classified as unused. When the same period elapses again without use, the entry is deleted from the LAT.

For diagnostic purposes, some switches can have this learning function disabled, making the switch behave like a hub so that network traffic may be monitored by a 'packet sniffer'.

If this has been of interest, Daanet run hands-on industrial ethernet training courses for electricians, technicians and engineers.

Like to know more?

Call us on 1300 DAANET (1300 322 638), or send an enquiry now.
Please note that Daanet only supplies to Australian & NZ customers.


When a PLC is programmed, or an HMI data tag is configured, they are typically done using the Layer 3 IP address, such as A switched ethernet network however doesn't recognise IP addresses, it only understands Layer 2 addresses, or MAC Addresses. These are the unique 6 byte (00:8B:63:0A:42:44 for example) Media Access Control numbers that every piece of equipment is issued with by the manufacturer.

When a Layer 3 IP Packet is presented to Layer 2 on its way to the physical network, the MAC address relating to the target IP address must be identified, and inserted as the destination MAC address. The Address Resolution Protocol (ARP) is used by a network host to resolve an IP address to a MAC address, allowing the Ethernet frame to be correctly addressed and sent on the wire. There could be a number of such targets in the network, so the network host populates an ARP table, matching MAC and IP addresses for future use.

When the Layer 2 switch receives a data frame and reads the MAC address, it refers to its Learned Address Table to know which port to direct the data frame to.

Like to know more?

Call us on 1300 DAANET (1300 322 638), or send an enquiry now.
Please note that Daanet only supplies to Australian & NZ customers.


The MICE MB-2T 2 slot base expansion module may beHirschmann MICE MB-2T Base Expansion Module attached to the following switch models:


  • MS20-16
  • MS30-16
  • MS4128

It can not be used on a 2 slot (8 port base) such as an MS20-08.


Like to know more?

Call us on 1300 DAANET (1300 322 638), or send an enquiry now.
Please note that Daanet only supplies to Australian & NZ customers.



The answer is 'probably', but let's see why first.

Hubs were overtaken by switches as the default for network inter-connection around 10 years ago. This is because hubs have a number of limitations that make them unsuitable for modern networks:

  • 10Mbps data rate.
  • As they operate only at half-duplex, they create large collision domains, meaning only one host on the whole hubbed network can transmit at one time. All other hosts must wait.
  • This combination of rate and half-duplex means actual data rates are significantly less than the nominal 10Mbps - maybe as low as 2 Mbps.
  • Hubs retransmit everything they receive to all other ports, creating additional network traffic and host port activity and processing.

As networks have grown, hubs have become significant bottlenecks. What can you do about this?

For many networks, replacing each hub with an industrial ethernet unmanaged switch will transform the network's behaviour:

  • No more collisions - with full duplex each host can receive and transmit simultaneously.
  • No data rate limitation - with full 100Mbps or even Gigabit data rate simultaneously at every port, data frames are delivered virtually instantly. (Ensure your chosen switch has a 'non-blocking architecture', making sure that high loads on one port do not affect other ports. All Hirschmann switches provide this level of performance).
  • Advanced unmanaged switches can offer functions like power supply redundancy and port based fault alarming to further increase network reliability and diagnostics. (Of course mission critical networks should consider a managed switch for enhanced diagnostics and network control).

How do you tell if your network is 'ill'? Look at the statistics on network ethernet cards for errors - fragments, CRC errors, late collisions, retries. Consider the ratio of total errors to delivered frames and assess whether the network is likely to be performing to your requirements for reliability and timeliness.

Daanet can assist with these diagnoses, and also recommend an unmanaged or managed switch starting at just a few hundred dollars to significantly improve your network's performance.

For further information, call 1300 DAANET (1300 322 638)


Like to know more?

Call us on 1300 DAANET (1300 322 638), or send an enquiry now.
Please note that Daanet only supplies to Australian & NZ customers.


Unmanaged switches do not recognise redundancy protocols like HiPER-Ring or RSTP. In a ring fail-over scenario for example, when the ring manager issues a 'flush address table ' command, this is not acted upon by the unmanaged switch, leading to delays in effecting a full changeover for all data paths.

The Hirschmann RSB entry-level range of managed switches can be a good choice for applications where a more economical switch is required. RSB supports all HiPER-Ring functions except for acting as a Ring Manager.

Like to know more?

Call us on 1300 DAANET (1300 322 638), or send an enquiry now.
Please note that Daanet only supplies to Australian & NZ customers.


The following procedures may be used to determine IP addresses of networked devices that are connected to your LAN.

1. If you have a web access to a managed switch or router on the network, this can be used to identify all connected devices. The switch/router displays Static and Dynamic client lists with hostname, IP address and MAC address of the connected devices.

2. You may also try pinging your network from a computer connected to the network, and lookup an arp table. On your computer, click [Start] -> [Run...] and type "cmd" and [Enter]. Type "ipconfig" to find your network address. The network address is found by performing a logical AND operation on your IP address and the subnet mask. For example, if you IP is and subnet mask is, then the network address is Ping your network's broadcast address, i.e. "ping". After that, perform "arp -a" to determine all the computing devices connected to the network.

3. You may also use "netstat -r" command to find an IP address of all network routes. However, if your printer has problem communicating with other network devices, you may not be able to find IP address of the printer using "netstat" command.


 Like to know more?

Call us on 1300 DAANET (1300 322 638), or send an enquiry now.
Please note that Daanet only supplies to Australian & NZ customers.


These numbers refer to the ratio of the fibre optical core diameter to the cladding outer diameter in microns with the smaller number being the core value and the larger number being the cladding value.

Typical multimode cable types are 50/125µm and 62.5/125µm. Singlemode cables have a smaller core, with 9/125µm the most common.

Like to know more?

Call us on 1300 DAANET (1300 322 638), or send an enquiry now.
Please note that Daanet only supplies to Australian & NZ customers.


Mach4000 48G Throttle 1.jpg

The MACH3000 has been replaced by the MACH4000 and is no longer available for purchase.

The MACH3000, like the MACH4000 was a modular switch/router with high port density. In fact, the MACH3005 could provide up to 160 Fast Ethernet ports and 40 Gigabit ports, compared to a maximum 48 ports total in the MACH4000. The main differences that the MACH4000 offers are:

  • 10 Gigabit Ports (up to 4)
  • Modular Power supply offering greater redundancy and installation choices
  • All media modules offer 8 ports
  • Rapid Spanning Tree Protocol replaces STP
  • Latest Redundant Ring Protocols
  • PoE

The MACH4000 sits at the top of the Industrial Ethernet food chain, feast on its power today!

If you need Layer 3 / routing without the port density provided by the MACH4000, there are two alternatives.

  1. The PowerMICE (Model MS4128 with L3E or L3P firmware) is a rail mounted modular solution
  2. The MACH1000 (Model MACH1040with L3E or L3P firmware) is a rack mount solution.

Like to know more?

Call us on 1300 DAANET (1300 322 638), or send an enquiry now.
Please note that Daanet only supplies to Australian & NZ customers.



Multimode fibre has a relatively large light carrying channel, usually 50 or 62.5 microns in diameter. It is commonly used for short distance transmissions with LED based optical fibre equipment, and has limitations in regards to bandwidth capacity and distance.

The typical distance limitation of a 100Mbps 50/125µm multimode (MM) fibre is 5km.This reduces to 550m for Gigabit.

Singlemode fibre has a smaller light carrying channel of 8 to 10 microns in diameter. It is used for large bandwidth transmissions over longer distance, and uses laser diode based optical fibre transmission equipment.

Standard 9/125µm multimode (SM) fibre can provide a distance of 25km at 100Mbps. Again, this reduces for Gigabit. Using readily available industrial equipment, distances up to 120km are possible. Longer distances would generally require more specialised ($) equipment.

Like to know more?

Call us on 1300 DAANET (1300 322 638), or send an enquiry now.
Please note that Daanet only supplies to Australian & NZ customers.




Web access to a Hirschmann managed switch requires the PC to have the Java Runtime Environment (JRE) installed. This is common now for a range of functions, and a copy may be found on the installation CD provided with the switch. Alternatively, the current version is available for download from java.com, where you can also verify whether the version you have installed is the latest version.

Some early model switches may experience problems with some combinations of browser and JRE, though in terms of access to some functions rather than preventing login altogether. In this event, it is best to flash the switch to a later firmware release, or Version 5 at least.

Like to know more?

Call us on 1300 DAANET (1300 322 638), or send an enquiry now.
Please note that Daanet only supplies to Australian & NZ customers.


Almost. The SiteManagers without built-in 3G modem can use an external GPRS / 3G / 4G / USB adapter. The SiteManager includes a large number of drivers for different adapters.

Yes, all models can use a USB HUB to connect more USB devices. Please note that curren models of the SiteManager (1029,1039, 3229, 3239, 3429 and 3429) supports the USB 1.1 standard. For best result, please use a USB HUB with USB 2.0 or below, and with external power.

No, just like the Serial port, you can only connect from one LinkManager at a time.

No, when using identical USB devices, you will only be able to connect to the first one detected by the USB Root HUB. This will be changed in future FirmWare versions.

No, other than potentially using up the last physical USB connector (depending on you SiteManager model), it has no impact.

When using a USB Memory Stick to change the SiteManager configuration, you just connect the USB stick when the SiteManager is in operation - it will then reboot automatically to apply the changes.

Please note that you can not connect the memory stick when the SiteManager is turned off, and then turn it on to apply the configuration. It must have been running for a couple of minutes, before the configuration changes will be applied.

There are 3 different scenarios, depending on where it is moved to:

A. To a different GateManager.
If you need to move a SiteManager to another GateManager (new owners, company mergers, etc.), you just use either the Appliance Launcher or the SiteManager Web GUI to change the GateManager address to the new GateManager and the Domain Token to the new location. Then reboot the device.


B. To the same GateManager in your own domain scope.
If you need to move a SiteManager to a place in the domain structure within your own scope, simply drag and drop it with your mouse.

The Domain Token in the SiteManager is just a one time only configuration, and will NOT change when you move the SiteManager to another domain. You can, of course, change it for sake of documentation.


C. To the same GateManager outside your domain scope.
If you need to move the SiteManager to a Domain in the Domain structure that you don't have access to, you need to know the Domain Token of the destination domain. Typically this is due to company mergers, so contact the buyer, and get them to log into the GateManager and click his root domain and then click the "Copy to clipboard" icon just to the right of "Domain Token". 

Then retrieve a copy of the Domain Token and enter it into the SiteManager, through either the Appliance Launcher or the Web GUI.

When entering the Domain Token, insert a "=" sign before the token - this will tell the SiteManager to move to the new location. The Appliance Launcher will reboot the SiteManager, and move it. If using the Web GUI, please select either "Reconnect" at the bottom of the GateManager Settings guide or reboot the device (ig. "=CustomerA.SiteB.Machines").

The SiteManager does support connecting to PPI or MPI natively, but needs either a RS232-to-PPI/MPI adapter, a USB-to-MPI/PPI or an Ethernet-to-PPI/MPI.

Refer to the Siemens connection guide found here for more info link here Secomea offer such adapters (SE PPI100 part number 26871 and SE MPI100 part number 26864). 

When connected you just configure the SiteManager agent with device type Siemens/Serial.

Koyo PLCs typically have two serial ports. You may experience problems with the Default port.

Successful tests have been made with a SiteManager connected to the Koyo COM port 2 configured to DirectNet (the Direct Soft5 program auto negotiates to 38400, 8, odd, 1).

The first thing to check is if the email was triggered at all. In the GateManager console, go to the appliance for which the alert is attached, and check the Alert log. Also check that the email address is correct. 

If this is true, there is a propability that the email has been caught in a spam filter. The alert email has an xml file attached that will make some spam filters to block the mail.

If the alert has been accepted by the spam filter in the past, but suddenly gets blocked, it could be because the alert is triggered often, and the spam filter may subsequently block it as "repeated spam" after a while.

The best resolution is to enter the spam filter setup and white list all emails from the GateManager

It is possible to install the SiteManager Soft PC as a Windows Service. This is the procedure:

  1. Log on as administrator and install the SiteManager Soft PC (SM PC)
  1. When the SM PC is rightfully installed - install the SM PC as server by the following command: - "%ProgramFiles%\Secomea\SiteManager PC\SiteManagerPC.exe" -install 

this will install the SM PC as service in the background.

You can still log on as user level, but the TrayIcon will not be available. It does not help trying to start the TrayIcon manually. (By "TrayIcon" is referred to the Secomea "ON" icon which in reality represents the SiteManagerPC.exe program)

If you need to browse the admin WEB interface of the SM PC from the local PC you can use the url: > (Username = admin // PW = admin (if not changed) ) 

Command for uninstalling SM PC as service: > SiteManagerPC.exe -remove

The serial port in principle supports any type of RS232 Serial attached equipment, including full flow control and with support for autodetection according to RFC2217.

Additionally the SiteManager also has a number of "Vendor Specifik Agents" that automatically sets up the serial settings according to the PLC type. This currently include the following type:

  • - Siemens (S5, S200, S300) *
  • - Rockwell / Allen-Bradley
  • - Omron
  • - Mitsubishi
  • - B&R
  • - Beckhoff
  • - Panasonic
  • - Koyo
  • - GE IP
  • - Danfoss (AK-SC255)

* Note that the Siemens S200 and S300 require a RS232-to-PPI/MPI adapter, or alternatively you can use a USB-to-PPI/MPI adapter inserted in the SiteManager USB port, or alternatively use a Ethernet-to-PPI/MPI adapter

It may be the 3G modem presents it self to Windows as a PPP interface. This is seen in some regions for Vodafone subscriptions. In this scenario LinkManager will have problems resolving the GateManager IP from the DNS name inside the certificate. You should solve it by issuing a LinkManager certificate that uses the GateManager IP address instead of the DNS name. You can verify the IP address by simply pinging the dns name (e.g. "ping gm04.secomea.com"), which will resolve the GateManager IP address. 

Alternatively you can create a static IP entry inside the LinkManager configuration menu for the DNS name as follows: Click the Advanced menu to enter the menu. Select System ->  Dev1 -> DNS -> Static . Add a Static Host Entry with the GateManager DNS name as Hostname (e.g. gm04.secomea.com) and the GateManager IP address as IP address (e.g.

Note: this has been observed on LinkManager version v6041_11017. A solution to this scenario may become available in a future LinkManager release. 

It is correct that with version 4.4 (11122) the SiteManager signals remote connections from LinkManager by activating the OUTPUT1 port (setting it to "ON" state). The purpose of this change is to be able to warn (e.g. by turning on a warning light) any local operators and service technicians that remote access/maintenance is in progress, and operators should be extra careful when operating or servicing the equipment. 

This feature has been implemented as result of new regulations for "Safety of packaging machines" that are currently in discussion forum, and are expected to be formalized as part of an update to the EN415 standard  (Will presumably be EN415-10).

Note that when a LinkManager is not connected, it is still possible to force the setting "ON" from the SiteManager web gui. This will enable a service technician to turn on the warning light without having to connect a LinkManager. For safety reasons it is not possible to force the setting OFF from the SiteManager Web gui if a LinkManager is connected.

  • Service Technicians
  • Commissioning Engineers
  • Maintenance Electricians
  • Travelling technicians (who wish to reduce their travel!)
  • Anybody requiring remote and direct access to PLCs, HMIs and other network connected devices, and without the need to do so through a site PC. The Secomea solution allows direct access to the unit as though you were connected directly to the network.

As part of the security function, each individual network 'Device' to which the remote user connects is nominated in the GateManager configuration. For example, there may be an Allen-Bradley ControlLogix, B&R X20 PLC, a Siemens S7-1200 PLC and a Schneider Magelis HMI. Each of these require a Device Agent to be allocated. The Device Agent conducts the security filtering that drops all data that is not correctly directed to these nominated devices. The number of available Device Agents is shown on the differences between the models below. Note that the lower models come with 2 Device Agents, upgradeable to 5, while the larger models come with 5 Device Agents upgradeable to 100. In this way, you only pay for the M2M capacity you need. Upgrades are conducted remotely via the GateManager, there is no need to go to site to reconfigure the SiteManager.

  • The solution is literally plug and play, everything is configured prior to delivery. Changes? Easily done remotely.
  • Secomea provides access directly to network hosts - PLC, HMIs, Drives etc as though you were directly connected. Access is granted on a granular 'per device' basis for the highest security.
  • No local PC with development licences is required, (though this approach remains an option)
  • The unique GateManager™ cloud service connects users and devices from across the world, taking care of all IP address and DNS issues.
  • No need for a costly Static 3G IP addresses - save $ hundreds each year.
  • Security is assured by AES/SSL encryption, as well as by the GateManager configuration - you nominate the authorised user and device combinations.
  • Inbuilt filtering ensures that only authorised protocols can be used. If a connection is configured to a particular model and type of PLC, traffic not suiting that type of device is rejected.
  • Remote access ports includes RJ45 ethernet, USB and DB9 serially connected remote devices.

SiteManagers can operate as carrier of alarms, email alerts etc. between devices and central logging servers over the internet.

Secomea SiteManagers are firewall friendly communications,- uses standard web protocols, and only inside-out.

The SiteManager itself and its monitored devices are all centrally managed and accessible from the GateManager server.

There is no requirement for a public or fixed IP address. SiteManager is by default DHCP enabled. No need to re-configure the PLC with gateway address etc.

The IP Code, International Protection Marking, IEC standard 60529, sometimes interpreted as Ingress Protection Marking, classifies and rates the degree of protection provided against intrusion (body parts such as hands and fingers), dust, accidental contact, and water by mechanical casings and electrical enclosures. It is published by the International Electrotechnical Commission (IEC)

Source: https://en.wikipedia.org/wiki/IP_Code (11/11/2015)

Positive opening contacts are physically separated by a shearing force to break any contact weld when the actuator is acted upon. This also often performs a contact self-cleaning function. These contacts are also referred to as 'direct acting' contacts. Proper fuse or protection rating is required to help avoid contact weld in the first place.

Standard IEC 947-5-1 describes the requirements for positive opening contacts. positive%20opening%20symbol.pngConforming products are often identified with the arrow symbol.


The combination of three components working together - SiteManager, GateManager and LinkManager mean the heavy lifting is in the design, not the configuration.


If you already have internet access from the plant LAN, the Secomea SiteManager will use the existing openings through the firewall for web traffic (TCP Port 80).

If you don't have internet access and it can't be provided (and this is common), we recommend the 3G modem SiteManager (models 1039 or 3239) which uses the 3G mobile network for access. Should there be concerns about this breaching corporate communications policies, the defence in depth security of the Secomea Solution (AES Encryption and Authentication by certificate) generally satisfy the concerns of informed policy makers.

If they can not be persuaded, and internet access will not be provided to the plant lan for fears of misue, we can advise alternatives that have been found to be acceptable to management. Call to discuss.

It remains that in the vast majority of instances, the IT department does not need to get involved.

Three things make Secomea easy to use.

  1. The design of the system is specifically constructed for ease of use.
  2. The system is pre-configured by Daanet to suit your application
  3. Secomea means SEcure COmmunication Made EAsy - this is what they do!

 Let me elaborate.

Typical VPN based systems have a huge number of settings - IP Addresses, Gateways, DynDNS, Protocols, Encryption and Authentication settings. The number of permutations is daunting, and configuration becomes a trial and error nightmare. The Secomea solution eliminates all the guesswork by having components that are designed to find each other, and work together:

  1. The Cloud-based GateManager contains the look-up table of users from your company who are authorised to connect to the SiteManagers at your chosen sites.
  2. Power-up a pre-configured SiteManager and it tries a number of paths to the internet until it finds one, then it lets the GateManager know it is online. Connect your plant LAN.
  3. Install and run the PC-based LinkManager (or the new smartphone / tablet based LinkManager Mobile) and select the plant device you want to connect to.

It really is that simple!

In the current FirmWare release, RDM 5.8 - 14514, you can not have any interfaces in the same IP range.

This means that UPLINK 1(2) and DEV 1(2/3/4) must ALL be in different IP ranges (or bridged), regardless of how they are connected (cabled or not).

If you have all your remote devices on the corporate network, just make agents for them as you would if they were on the Device side, and leave the DEVICE side without any cable (do NOT attach it to the corporate network or the same switch).

Then configure your DEVICE port(s) with an IP address that are unknown to the corporate network and networks where your LinkManager is placed, ig. -
This way you can easily connect to your devices as if they were on the DEV interface, there is no difference in the LinkManager interface.

Please note that you are not able to use the LinkManager "Connect All" functionality on the UPLINK interfaces, as this is not in accordance with our security standards.

To be able to access the Internet from the DEVICE network, you need to create a Custom > SCADA agent. In the Parameter Details of the agent, type in the IP address of the device, which needs access to the Internet. Check the "Enable UPLINK Source Translation" box, and make sure the IP address of the DEV port is set as default gateway on the device.

Bridgeway Configuration Tool automatically scans the COM ports to locate the device. We have experienced that in some cases, the tool is not capable to scan the LinkManager virtual COM port.

The solution is to disable the physical COM ports on the computer. You go in to the Device Manager, and right-click on the COM ports, and disable them. Next, reboot the PC and Bridgeway Configuration Tool should be able to scan the LinkManager virtual COM ports.

Microsoft Blue Screen Of Death (BSOD)

Observations on the Internet show that Intel Microsoft virtualization does not like to share the service between different systems like Virtual PC and Virtual Box at the same time - The result is a BSOD.

Eg see link at the end of this FAQ.

What is generating BSOD on Win7 with Virtual PC:

If Virtualization is enabled in the PC's BIOS a BSOD will occure if you are running Virtual PC guest systems while you start the LinkManager on the Host system (LinkManager includes a component that uses VBox)

How to awoid BSOD with Virtual PC guests:
Disabling the VT-x in the BIOS will solve the problem.

With Vt-x enabled what else can be done:
If the Virtualization is enabled in the BIOS and running Windows7(32b/64b) you can without any problem run LinkManager inside the Virtual PC guest OS just like you can run LM inside a vmware Player guest OS. Note that LinkManager can only run inside a vmware guest OS if you are running Win7 and VT-x is enabled. With Virtual PC you can always run LinkManager inside the guest OS (VT-x enabled or not).

You might be able to run a vmware guest OS and have the LinkManager running on the host PC while VT-x is enabled. We have not seen a BSOD but it might happen.

Windows XP: 
You can always run LM on the host or inside a Virtual PC. With VMWare you can only run LinkManager on the Host PC, it will not start inside a VMWare guest OS.

Windows 2008 or a HyperV server:
Windows 2008 will behave like Windows 7.

> Windows 7 (32bit/64bit), VT-x enabled in BIOS
> Virtual PC guest is running and you start LinkManager on the Host OS.

What is working  with Virtual PC (no BSOD)
> Windows 7(32b/64b), VT-x DISABLED in BIOS
> Virtual PC is running any Guest PC and you can with out problems start LinkManager in the Host PC.

What is working with Virtual PC(no BSOD)
> Windows 7(32b/64b), VT-x ENABLED in BIOS
> LinkManager is running inside the Virtual PC Guest PC.


Also read this post on the Microsoft forum: 



Spencer Shi-MSFT Microsoft - wrote July, 2012: 

Quote: "First, please make sure that VPC is the only virtualization software on the same machine. This is because we do not support a scenario which involves running VPC and another virtualization software on the same machine including Hyper-V. The first client VM running gets the handle to VMM (e.g. the CPU registers) and when you try to run more than one VM solution on a given host, it will cause the system crash.

Then if this is not the scenario you are experiencing, please send me the dump file via SkyDrive or other 3rd party tool for analysis. "end-Quote

If you cannot find your device in the list of vendor agents, you should always first try the Generic / Serial agent. This agent will attempt to detect and negotiate serial settings with the device based on RFC2217. This agent should work in 98% of cases.

Refer to the "Serial agent setup and trouble-shooting guide" found in the setup aid section.

Yes, but only models with built-in UMTS modem (xx39) running firmware 5.1 (13025) or later, and only if the SIM card supports SMS messaging. 

For further information see the SiteManager xx39 SMS alert system application note.

This is solved in a later SiteManager firmware. Please update to latest version.

This is solved in a later SiteManager firmware. Please update to latest version.