Edition 06/2023

Configuration Manual

SIMATIC NET
Device Management

RUGGEDCOM CROSSBOW v5.4 Server

https://www.siemens.com/ruggedcom
 Preface

Introduction 1
RUGGEDCOM CROSSBOW
Installation and Upgrade 2
SIMATIC NET
Setup and Configuration 3
Device Management
RUGGEDCOM CROSSBOW v5.4 Managing Logs 4
Server
Troubleshooting 5
Configuration Manual

06/2023
C79000-G8976-1574-01
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety
alert symbol, notices referring only to property damage have no safety alert symbol. These notices shown
below are graded according to the degree of danger.

DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION
indicates that minor personal injury can result if proper precautions are not taken.

NOTICE
indicates that property damage can result if proper precautions are not taken.

If more than one degree of danger is present, the warning notice representing the highest degree of danger
will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning
relating to property damage.
Qualified personnel
The product/system described in this documentation may be operated only by personnel qualified for the
specific task in accordance with the relevant documentation, in particular its warning notices and safety
instructions. Qualified personnel are those who, based on their training and experience, are capable of
identifying risks and avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:

WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant
technical documentation. If products and components from other manufacturers are used, these must be
recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning,
operation and maintenance are required to ensure that the products operate safely and without any
problems. The permissible ambient conditions must be complied with. The information in the relevant
documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of Siemens Canada Ltd.. The remaining trademarks in this
publication may be trademarks whose use by third parties for their own purposes could violate the rights of
the owner.
Disclaimer of liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.

Digital Industries C79000-G8976-1574-01 Copyright © Siemens Canada Ltd. 2023

Process Automation © 06/2023 Subject to change All rights reserved
300 Applewood Crescent
Concord, Ontario, L4K 4E5
Canada
Table of contents

Preface .......................................................................................................................................... vii

Security information .............................................................................................................. vii
Firmware/software support model ........................................................................................ viii
Supplementary Documentation ............................................................................................. viii
Accessing documentation ..................................................................................................... viii
Registered trademarks .......................................................................................................... viii
Warranty ................................................................................................................................ ix
Training .................................................................................................................................. ix
Customer support ................................................................................................................... ix
Contacting Siemens ................................................................................................................. x
1 Introduction ........................................................................................................................... 1
1.1 Features and Benefits ............................................................................................ 1
1.2 Security Recommendations ................................................................................... 3
1.3 System Requirements ............................................................................................ 6
1.3.1 Software Requirements ......................................................................................... 6
1.3.2 Hardware Requirements ........................................................................................ 7
1.3.3 Network Configuration Requirements .................................................................... 9
1.4 RUGGEDCOM CROSSBOW Architecture and Operation .......................................... 11
1.5 RUGGEDCOM CROSSBOW Servers ........................................................................ 12
1.5.1 The RUGGEDCOM CROSSBOW Secure Access Manager - Primary (SAM-P) .............. 12
1.5.2 The RUGGEDCOM CROSSBOW Secure Access Manager - Local (SAM-L) .................. 13
1.5.3 The RUGGEDCOM CROSSBOW Station Access Controller (SAC) .............................. 14
1.5.4 CROSSBOW Server Support .................................................................................. 14
1.6 RUGGEDCOM CROSSBOW Tools ........................................................................... 15
2 RUGGEDCOM CROSSBOW Installation and Upgrade ........................................................... 17
2.1 Configuring/Upgrading the RUGGEDCOM CROSSBOW Database ............................ 17
2.1.1 Creating and Configuring a RUGGEDCOM CROSSBOW Database ........................... 17
2.1.2 Executing SQL Scripts .......................................................................................... 23
2.1.3 Upgrading the RUGGEDCOM CROSSBOW Database .............................................. 24
2.1.4 Upgrading the RUGGEDCOM CROSSBOW SAM-L Database .................................... 27
2.2 Installing/Upgrading RUGGEDCOM CROSSBOW Server and Services ....................... 27
2.2.1 Installing RUGGEDCOM CROSSBOW Server and Services ....................................... 28
2.2.2 Configuring the RUGGEDCOM CROSSBOW Server Log On Settings ........................ 30
2.2.3 Connecting to the RUGGEDCOM CROSSBOW Database ......................................... 33
2.2.4 Upgrading RUGGEDCOM CROSSBOW Server and Services ..................................... 35
2.3 Installing/Upgrading CAMs ................................................................................... 37
2.4 Installing/Upgrading the Station Access Controller (SAC) ...................................... 38
2.4.1 Installing/Upgrading the SAC on RUGGEDCOM ROX II Devices ............................... 38

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 iii
Table of contents

2.4.2 Installing/Upgrading RUGGEDCOM CROSSBOW SAC on a Windows-Based workstations

............................................................................................................................ 39
2.5 Installing/Upgrading a RUGGEDCOM CROSSBOW SAM-L ....................................... 39
2.5.1 Installing/Upgrading a RUGGEDCOM CROSSBOW SAM-L Using the Wizard ............. 42
2.5.2 Installing/Upgrading a RUGGEDCOM CROSSBOW SAM-L from the Windows Command
Line ..................................................................................................................... 42
2.5.3 Managing RUGGEDCOM CROSSBOW SAM-L Remote Installations .......................... 45
2.5.3.1 Preparing All SAM-Ls for a Remote Upgrade ......................................................... 45
2.5.3.2 Mass Deploying RUGGEDCOM CROSSBOW SAM-L Upgrades .................................. 46
2.6 Determining the Current Software Version .......................................................... 47
3 Setup and Configuration ..................................................................................................... 49
3.1 Basic Setup ......................................................................................................... 49
3.2 Launching RUGGEDCOM CROSSBOW Tools .......................................................... 50
3.3 Starting/Stopping RUGGEDCOM CROSSBOW Server Services ................................. 50
3.4 Securing Passwords ............................................................................................. 52
3.4.1 Encrypting/Decrypting the CROSSBOW Database .................................................. 52
3.4.1.1 Encrypting/Decrypting the Database Using a Certificate ........................................ 53
3.4.1.2 Changing/Updating the Encryption Certificate ...................................................... 56
3.4.1.3 Encrypting/Decrypting the Database Using a Password ......................................... 59
3.4.1.4 Changing/Updating the Encryption Password ....................................................... 62
3.4.1.5 Encrypting/Decrypting the Database in a Server Cluster ........................................ 65
3.4.2 Showing/Hiding Passwords for Devices/Gateways ................................................. 65
3.5 Managing Server Connections ............................................................................. 68
3.5.1 Configuring Server Host Connection .................................................................... 68
3.5.2 Enabling/Disabling TLS 1.2 Connections for RUGGEDCOM CROSSBOW Server ........ 70
3.6 Managing Parent Servers ..................................................................................... 72
3.6.1 Adding/Configuring a Parent Server ..................................................................... 72
3.6.2 Deleting a Parent Server ...................................................................................... 73
3.7 Managing Licenses .............................................................................................. 74
3.7.1 Installing a License File ....................................................................................... 75
3.7.2 Viewing License Limits ........................................................................................ 76
3.8 Managing Files and Firmware .............................................................................. 77
3.8.1 Decompressing CID Files ..................................................................................... 78
3.8.2 Adding Firmware for Gauntlet Gateways ............................................................. 80
3.9 Managing Users, Groups and Authentication ....................................................... 81
3.9.1 Configuring the Maximum Number of Login Attempts ......................................... 82
3.9.2 Configuring an Administrator User Group ............................................................ 83
3.9.3 Importing Users and User Groups from Active Directory ....................................... 85
3.9.4 Enabling/Disabling User Labels ............................................................................ 90
3.9.5 Enabling/Disabling Service Permissions ................................................................ 91
3.9.6 Managing User Authentication ............................................................................ 93
3.9.6.1 Choosing an Authentication Method ................................................................... 94
3.9.6.2 Configuring User Authentication ......................................................................... 95
3.9.6.3 Adding/Configuring a RADIUS Server ................................................................... 99

iv RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Table of contents

3.9.6.4 Deleting a RADIUS Server .................................................................................. 101

3.10 Managing E-Mails and Notifications ................................................................... 103
3.10.1 Configuring an E-Mail Server ............................................................................. 103
3.10.2 Enabling/Disabling E-Mail Logs .......................................................................... 106
3.11 Managing the RUGGEDCOM CROSSBOW Database ............................................. 107
3.11.1 Determining the Current Database Version ........................................................ 107
3.11.2 Determining the Current Database Type ............................................................ 108
3.11.3 Determining the Connection Status ................................................................... 109
3.11.4 Managing Database Growth .............................................................................. 110
3.12 Sharing Device Information With an External Database ...................................... 113
3.12.1 External Database Requirements ....................................................................... 114
3.12.2 Migrating from an Existing External Database .................................................... 116
3.12.3 Configuring the RUGGEDCOM CROSSBOW External Database Integration Service .. 117
3.12.4 Configuring the RUGGEDCOM CROSSBOW Asset Discovery Management Agent ... 120
3.12.5 Using the External Database to Add Devices/Gateways ....................................... 123
3.12.6 Importing Devices/Gateways Using the Nozomi Service ...................................... 124
3.13 Managing the RUGGEDCOM CROSSBOW File Export Service ............................... 125
3.13.1 Understanding the RUGGEDCOM CROSSBOW File Export Service ........................ 126
3.13.2 Configuring the RUGGEDCOM CROSSBOW File Export Service ............................. 128
3.14 Managing Modems ........................................................................................... 133
3.14.1 Caching Modem Connections ............................................................................ 133
3.14.2 Managing a Modem Pool .................................................................................. 135
3.14.2.1 Adding/Configuring a Modem ............................................................................ 135
3.14.2.2 Deleting a Modem ............................................................................................ 138
3.15 Managing a Server Cluster ................................................................................ 139
3.15.1 Adding/Configuring a Server .............................................................................. 140
3.15.2 Switching Between Servers/Clusters ................................................................... 142
3.15.3 Deleting a Server ............................................................................................... 142
3.16 Managing Certificates ........................................................................................ 143
3.16.1 Selecting/Installing the RUGGEDCOM CROSSBOW Server Certificate .................... 144
3.16.2 Selecting a Trusted CA for the RUGGEDCOM CROSSBOW Server .......................... 147
3.16.3 Selecting a Trusted CA for a RUGGEDCOM CROSSBOW SAC/SAM-L ...................... 149
3.17 Managing Cipher Suites .................................................................................... 151
3.17.1 Understanding Cipher Suites ............................................................................. 151
3.17.2 Selecting a TLS Cipher Suite .............................................................................. 153
3.17.3 Selecting an SSH Cipher Suite ........................................................................... 155
3.18 Customizing RUGGEDCOM CROSSBOW .............................................................. 156
3.18.1 Managing Custom Fields ................................................................................... 156
3.18.1.1 Configuring a Custom Field via RUGGEDCOM CROSSBOW Server ........................ 156
3.18.1.2 Deleting a Custom Field via RUGGEDCOM CROSSBOW Server ............................. 159
3.18.2 Managing Custom Labels .................................................................................. 160
3.18.2.1 Adding a Custom Label ..................................................................................... 160
3.18.2.2 Deleting a Custom Label ................................................................................... 162
3.18.3 Configuring a Restricted-Use Banner .................................................................. 163
3.18.4 Customizing Alerts ............................................................................................ 165

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 v
Table of contents

3.18.5 Enabling/Disabling Blocked Command Popup Messages ..................................... 167

3.19 Configuring Global Advanced Parameters .......................................................... 169
3.20 Configuring the Maximum Number of Scheduled Processes ............................... 171
3.21 Configuring the COM Pool ................................................................................. 172
3.22 Configuring the Local Tunnel Endpoint .............................................................. 174
4 Managing Logs .................................................................................................................. 177
4.1 Configuring the CrossBow Event Log Distribution Service ................................... 177
4.2 Configuring the Windows Event Log .................................................................. 178
4.3 Retrieving Log Messages from Devices/Gateways ............................................... 179
4.4 Managing Audit Logs ........................................................................................ 180
4.4.1 Configuring a Default Audit Level ...................................................................... 180
4.5 Managing System Logs ..................................................................................... 182
4.5.1 Configuring Syslog Targets ................................................................................ 182
4.5.2 Adding/Configuring a Distribution Rule .............................................................. 183
4.5.3 Deleting a Distribution Rule ............................................................................... 187
5 Troubleshooting ................................................................................................................ 189
5.1 RUGGEDCOM CROSSBOW Server ........................................................................ 189
5.2 Logging Messages ............................................................................................. 190
5.2.1 Logging Messages Using RUGGEDCOM CROSSBOW Logger ................................. 191
5.2.2 Configuring the RUGGEDCOM CROSSBOW Background Logger Service ................ 193
5.2.3 Controlling Sensitive Information in Logs ........................................................... 194

vi RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
Preface

This Configuration Manual describes RUGGEDCOM CROSSBOW v5.4, Siemens's

secure access management solution for accessing Intelligent Electronic Devices
(IEDs). It contains instructions and guidelines on how to manage the primary server
(SAM-P), optional local server(s) (SAM-L), and companion tools such as the Station
Access Controller (SAC) and Background Logger.
This manual is intended for use by network technical support personnel who are
familiar with the operation of networks. It is also recommended for use by network
and system planners, system programmers, and line technicians.

Note
Along with the server and companion tools, RUGGEDCOM CROSSBOW consists of
a Client application and an Asset Discovery and Management Agent (ADM). For
more information about managing the Client and ADM, refer to the "RUGGEDCOM
CROSSBOW Client Configuration Manual".

Security information
Siemens provides products and solutions with industrial security functions that
support the secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it
is necessary to implement – and continuously maintain – a holistic, state-of-the-art
industrial security concept. Siemens’ products and solutions constitute one element
of such a concept.
Customers are responsible for preventing unauthorized access to their plants,
systems, machines and networks. Such systems, machines and components should
only be connected to an enterprise network or the internet if and to the extent
such a connection is necessary and only when appropriate security measures (e.g.
firewalls and/or network segmentation) are in place.
For additional information on industrial security measures that may be implemented,
please visit https://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them
more secure. Siemens strongly recommends that product updates are applied as
soon as they are available and that the latest product versions are used. Use of
product versions that are no longer supported, and failure to apply the latest updates
may increase customer’s exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security
RSS Feed under https://www.siemens.com/cert.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 vii
Preface
Firmware/software support model

Firmware/software support model

Siemens only monitors the latest firmware version for security vulnerabilities.
Therefore, bug and security fixes are provided only for the latest released firmware
version.

Supplementary Documentation
Other documents that may be of interest include:
• "RUGGEDCOM CROSSBOW v5.4 Client Configuration Manual". Contains
information about managing the RUGGEDCOM CROSSBOW Client and Asset
Discovery and Management Agent (ADM).
• "RUGGEDCOM CROSSBOW v5.4 Companion Reference Manual". Contains
information specific to device types and products that support RUGGEDCOM
CROSSBOW.
• "RUGGEDCOM CROSSBOW v5.4 Scripting Reference Manual"
• "RUGGEDCOM CROSSBOW v5.4 Device Type Definition Tool (DTDT) for
CROSSBOW Configuration Manual"
• "RUGGEDCOM CROSSBOW v5.4 Executables and Ports". Contains a list of
executable files and ports, and their default state.
• "Application Description: Deploying RUGGEDCOM CROSSBOW as an Intermediate
Remote Access Solution"
• "FAQ – How to Troubleshoot Connection Issues"

Accessing documentation
The latest user documentation for RUGGEDCOM CROSSBOW v5.4 is available upon
request. To request or inquire about a user document, contact Siemens Customer
Support.

Registered trademarks
The following and possibly other names not identified by the registered trademark
sign ® are registered trademarks of Siemens Canada Ltd.:
• RUGGEDCOM
• ROS
• RCDP
• Discovery Protocol
Other designations in this manual might be trademarks whose use by third parties
for their own purposes would infringe the rights of the owner.

viii RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Preface
Warranty

Warranty
Refer to the License Agreement for the applicable warranty terms and conditions, if
any.
For warranty details, visit https://www.siemens.com or contact a Siemens customer
service representative.

Training
Siemens offers a wide range of educational services ranging from in-house training
of standard courses on networking, Ethernet switches and routers, to on-site
customized courses tailored to the customer's needs, experience and application.
Siemens' Educational Services team thrives on providing our customers with the
essential practical skills to make sure users have the right knowledge and expertise
to understand the various technologies associated with critical communications
network infrastructure technologies.
Siemens' unique mix of IT/Telecommunications expertise combined with domain
knowledge in the utility, transportation and industrial markets, allows Siemens to
provide training specific to the customer's application.
For more information about training services and course availability, visit https://
www.siemens.com or contact a Siemens Sales representative.

Customer support
Customer support is available 24 hours, 7 days a week for all Siemens customers.
For technical support or general information, contact Siemens Customer Support
through any of the following methods:
Online
Visit http://www.siemens.com/automation/support-request to submit a Support Request
(SR) or check on the status of an existing SR.

Telephone
Call a local hotline center to submit a Support Request (SR). To locate a local hotline center,
visit https://w3.siemens.com/aspa_app/?lang=en.

Mobile app
Install the Industry Online Support app by Siemens AG on any Android, Apple iOS or
Windows mobile device and be able to:
• Access Siemens' extensive library of support documentation, including FAQs and
manuals
• Submit SRs or check on the status of an existing SR
• Contact a local Siemens representative from Sales, Technical Support, Training, etc.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 ix
Preface
Contacting Siemens

• Ask questions or share knowledge with fellow Siemens customers and the support
community

Contacting Siemens
Address Siemens Canada Ltd.
Digital Industries
Process Automation
300 Applewood Crescent
Concord, Ontario
Canada, L4K 5C7
Telephone Toll-free: 1 888 264 0006
Tel: +1 905 856 5288
Fax: +1 905 856 1995
E-Mail [email protected]
Web https://www.siemens.com

x RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
Introduction
1
RUGGEDCOM CROSSBOW is a proven secure access management solution designed
to provide substation operators access to their Intelligent Electronic Devices (IEDs)
and achieve NERC (North American Electric Reliability Corporation) CIP (Critical
Infrastructure Protection) compliance. The RUGGEDCOM CROSSBOW solution
focuses on delivering productivity gains for administrators and users while achieving
full NERC compliance in managing, securing and reporting on remote access.
The combination of a RUGGEDCOM CROSSBOW Secure Access Manager (SAM)
server and RUGGEDCOM CROSSBOW Station Access Controllers (SACs) for local
substation access provide an integrated and comprehensive solution, with a
seamless configuration environment.
Siemens' RUGGEDCOM CROSSBOW application addresses the need for utilities to
interactively access remote field IEDs for maintenance, configuration and data
retrieval. RUGGEDCOM CROSSBOW allows a native IED application to remotely
communicate with its associated IEDs, as if the user were directly connected to
the IED with a serial cable or network connection. User access is governed by the
appropriate authentication model (e.g. RSA SecurID) and all user activity is logged
and reported per the NERC CIP specification.

1.1 Features and Benefits

The following describes the many features and benefits offered by RUGGEDCOM
CROSSBOW:

Primary Features
• Global password management of all applicable relays and gateway devices
• Configuration and firmware management of applicable relays and gateway
devices
• Integrated file management provides controlled access, version control, and
history for all file types
• Support for third-party security event management systems
• Blocking of specified IED commands improves security and reduces errors
• Automated, scheduled retrieval of important IED event files
• Preservation of investment in legacy gateway devices and communication
infrastructure
• Individual user accounts and privileges

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 1
Introduction
1.1 Features and Benefits

• Audit log of activity

• WAN or Dial-up access
• Administration interface allows management of thousands of IEDs and hundreds
of users
• Integration with Active Directory, RSA SecurID and other enterprise
authentication solutions
• Complete set of one click NERC CIP compliance reports
• Comprehensive management of Siemens RUGGEDCOM routers and switches

Automation
• Support for IED polling applications (e.g. SEL-5040)
• Scheduling of special operations (e.g. log retrieval, report generation, password
changes)
• IED File Retrieval (e.g. event records)
• Configuration management of relays and gateways
• Firmware management of applicable devices
• Password management of many device types

Security
• Individual user accounts and permissions
• Two-factor authentication, using RSA SecurID (optional)
• Audit log of all IED accesses and security events
• Support for Active Directory domains
• Blocking and logging of specified IED commands
• Optional encryption between server and substation
• Support for scheduled polling by applications
• Optional Station Access Controller (SAC) and Secure Access Manager - Local
(SAM-L) extends offering to the substation

Supports a Wide Range of Remote Gateways and Servers

• RUGGEDCOM routers and switches
• SEL-PRTU/2020/2030/2032
• RUGGEDCOM ELAN substation communications server
• Novatech Orion
• Cooper SMP
• Telephone port switches

2 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Introduction
1.2 Security Recommendations

• Industrial Defender Gauntlet Gateway

• Other routers and terminal servers, WAN or modem access to field
• Integrated modem pool management

Ease of Administration
• Structured view of IEDs (region/substation/gateway)
• Support for groups of IEDs and users
• Transparent integration with Active Directory
• Database redundancy, including Hot Standby availability

1.2 Security Recommendations

To prevent unauthorized access to RUGGEDCOM CROSSBOW, note the following
security recommendations:

Authentication
• Make sure database encryption is enabled. For added security, Siemens
recommends using certificate-based encryption. If certificate-based encryption
is used, make sure the encryption certificate is different than the one used for
the RUGGEDCOM CROSSBOW server. If password-based encryption is used, make
sure to use registry protection.
For more information about encrypting passwords, refer to "Encrypting/
Decrypting the CROSSBOW Database" (Page 52).
For more information about registry protection, refer to "Enabling/Disabling
Service Permissions" (Page 91).
• Replace the default passwords for all user accounts and processes (where
applicable) before RUGGEDCOM CROSSBOW is deployed.
• Use strong passwords. Avoid weak passwords such as password1, 123456789,
abcdefgh, etc.
• Make sure passwords are protected and not shared with unauthorized personnel.
• Passwords should not be re-used across different user names and systems, or
after they expire.
• Record passwords in a safe, secure, off-line location for future retrieval should
they be misplaced. This includes the Device Password reports that can be
generated by RUGGEDCOM CROSSBOW.
• Restrict access to the RUGGEDCOM CROSSBOW server and database to only
trusted personnel.
• Do not save credentials in RUGGEDCOM CROSSBOW-adjacent applications (e.g.
Microsoft SQL Server Management Studio).

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 3
Introduction
1.2 Security Recommendations

Physical/Remote Access
• Restrict physical access to the RUGGEDCOM CROSSBOW server to only trusted
personnel. A person with malicious intent in possession of removable media
(e.g. USB, external hard drive, etc.) could extract critical information, such as
certificates, keys, etc., or reprogram the server.
• Make sure operators are trained to use RUGGEDCOM CROSSBOW and have the
required set of permissions to perform their duties.
• Do not expose the RUGGEDCOM CROSSBOW server – specifically, ports 21000,
21005 and 21008 – to the Internet. For more information about network
configuration, refer to "Network Configuration Requirements" (Page 9).
• Make sure unwanted commands are not issued to devices via RUGGEDCOM
CROSSBOW. While RUGGEDCOM CROSSBOW is designed to block commands
(as specified by the administrators), a determined user may still be able to
circumvent security surrounding a specific command. It is recommended
(and the responsibility of the user) to review the event logs regularly for any
such activity. If necessary, RUGGEDCOM CROSSBOW can also be configured to
generate audit logs for device connections, which detail all transactions between
users and devices.
• Generated reports may contain sensitive information, such as IP addresses and
credentials. The user generating these reports is responsible for the proper
storage and distribution of this material.
• Dependent on the company's Public Key Infrastructure (PKI), use Transport Layer
Security (TLS) 1.3 connections and make sure all TLS/SSL certificates are signed
using a Secure Hash Algorithm. TLS 1.3 is enabled by default in RUGGEDCOM
CROSSBOW v5.4.

Communication
• All communications with the RUGGEDCOM CROSSBOW server, client
workstations, and IEDs should be contained within the security perimeter.
• Make sure IP address allocations are managed by authenticated and privileged
users only, and that all IP addresses within the network are unique.
• Establish VPN connections with RUGGEDCOM routers and switches whenever
possible.
• Make sure connections between the SAM-P/SAM-L and the RUGGEDCOM
CROSSBOW database are encrypted.
• If the RUGGEDCOM CROSSBOW Client is to be deployed in a multi-user
environment, only platforms that guarantee the separation of resources (such
as serial and network ports) between simultaneously-connected users should be
used. Applications such as Citrix XenDesktop are recommended for this purpose.
Other applications that share resources between users, such as Windows Remote
Desktop and Citrix XenApp, are not recommended.

4 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Introduction
1.2 Security Recommendations

Hardware/Software
• Make sure the latest versions of all RUGGEDCOM CROSSBOW utilities are installed
on the RUGGEDCOM CROSSBOW server and individual client workstations,
including all security-related patches. For the latest information on security
patches for Siemens products, visit the ProductCERT Security Advisories website
[http://www.industry.siemens.com/topics/global/en/industrial-security/news-
alerts/Pages/alerts.aspx] or the ProductCERT Security Advisories website [https://
new.siemens.com/global/en/products/services/cert.html#SecurityPublications].
Updates to Siemens Product Security Advisories can be obtained by subscribing
to the RSS feed on the Siemens ProductCERT Security Advisories website, or by
following @ProductCert on Twitter.
• Make sure installed RUGGEDCOM CROSSBOW components contain an MD5 that
matches the MD5 specified in the document "RUGGEDCOM CROSSBOW v5.4
Executables and Ports".
• Only enable the services that will be used by RUGGEDCOM CROSSBOW utilities,
including physical ports. Unused physical ports could potentially be used to gain
access to the network behind the device.
• Use redundant RUGGEDCOM CROSSBOW setups whenever possible to increase
availability of all services and to backup the configuration.
• Make sure robust Server Class hardware is used when installing RUGGEDCOM
CROSSBOW on custom hardware not provided by Siemens.
• Make sure systems on which RUGGEDCOM CROSSBOW is installed are protected
from malware by using virus scanners, applying the latest Windows updates and
other industry best practices as appropriate.
• Make sure all centralized security components that interact with RUGGEDCOM
CROSSBOW (e.g. servers for Active Directory/RADIUS/RSA, external logging
servers, mail servers, etc.) are continuously secured and maintained according to
industry best practices.

Policy
• Periodically audit all workstations that access the RUGGEDCOM CROSSBOW
Server to make sure they comply with these recommendations and/or any
internal security policies.
• Make sure to follow the security recommendations outlined in this Configuration
Manual and configure the environment according to defense in depth best
practices.
• Review the user documentation for other Siemens products used in coordination
with RUGGEDCOM CROSSBOW for further security recommendations.

Decommissioning
• When RUGGEDCOM CROSSBOW is no longer in use, delete the RUGGEDCOM
CROSSBOW database and uninstall all instances of Server and Client applications,
including any related tools such as SAM-Ls, ADMs, etc.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 5
Introduction
1.3 System Requirements

For more information about related tools, refer to the "RUGGEDCOM CROSSBOW
Client Configuration Manual".

1.3 System Requirements

This section details the requirements for client workstations, servers, utilities and
field devices.

Note
Responsiveness of the RUGGEDCOM CROSSBOW Client and Servers (SAM-P, SAM-
L, and SAC) can vary depending on a number of factors, including the capacity of
the host hardware, the capacity of the network infrastructure, the number of active
automated activities, the number of connected users, and the size of the overall
system.
Consider employing industry best practices, such as limiting the number of
connected users and scheduling automated activities during off hours, to optimize
Client responsiveness and overall system performance.

1.3.1 Software Requirements

Servers and client workstations must meet the following minimum software
requirements:
• Microsoft .NET Framework v4.6.2
Microsoft .NET Framework must be installed on the RUGGEDCOM CROSSBOW
Server to support the RUGGEDCOM CROSSBOW Client application.
• Microsoft SQL Server
One of the following versions of Microsoft SQL Server is required for the
RUGGEDCOM CROSSBOW database:
• Microsoft SQL Server 2016/2016 Express
• Microsoft SQL Server 2017/2017 Express
• Microsoft SQL Server 2019/2019 Express
The database can reside on the RUGGEDCOM CROSSBOW server or a separate
server/workstation.

NOTICE
Users are responsible for managing the SQL Server instance in which the
RUGGEDCOM CROSSBOW database resides, including but not limited to its
security, user access, managed transaction logs, and disk space.

6 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Introduction
1.3.2 Hardware Requirements

Note
The SQL Server associated with the RUGGEDCOM CROSSBOW SAC must be
installed on the same workstation as the SAC to allow pushing the SAC database.

Note
Make sure the TCP/IP protocol is enabled if using the ADM.

• OLE DB (latest version)

This updates the OLE DB driver provided by Microsoft, which facilitates
connections between RUGGEDCOM CROSSBOW and SQL Server.
• Microsoft Visual C++ 2015-2022 Redistributable
One of the following versions of Microsoft VCRedist Libraries, as applicable, is
required to run RUGGEDCOM CROSSBOW:
• For 32-bit systems: vc_redist.x86.exe
• For 64-bit systems: vc_redist.x64.exe
• Microsoft Excel or Equivalent
Microsoft Excel or an equivalent program is required to generate and edit
spreadsheets used by the RUGGEDCOM CROSSBOW Bulk Importer. The Bulk
Importer requires all input to be in xlsx (*.xxls) format.
• PDF Viewer
A PDF viewer (e.g. Adobe Acrobat Reader or equivalent) is required to access the
RUGGEDCOM CROSSBOW Help functionality.
• Command Line File Compare Utility
To support the Configuration Management CAM, a file compare utility that
can be run from a command line (e.g. Beyond Compare or equivalent) is
recommended. This utility should be selected and ideally pre-installed before
RUGGEDCOM CROSSBOW is deployed.
For assistance in selecting a suitable file compare utility, contact Siemens
Customer Support.

1.3.2 Hardware Requirements

When the hardware requirements are met, RUGGEDCOM CROSSBOW can support up
to 25,000 devices.
Servers and client workstations must meet the following minimum hardware
requirements:
• RUGGEDCOM CROSSBOW Server (SAM-P)
Siemens recommends that a dedicated server be provided for RUGGEDCOM
CROSSBOW. Other closely related applications – such as Microsoft SQL Server –
may be hosted by this server as well, but unrelated applications should not.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 7
Introduction
1.3.2 Hardware Requirements

The following details the minimum hardware requirements for a RUGGEDCOM

CROSSBOW server:
Component Specification
CPU x86 Compatible, 12-core, 2.40 GHz or faster
RAM 16 GB or more
Disk 1 TB
Operating System Windows Server 2016 (64-bit)
Windows Server 2019 (64-bit)

RUGGEDCOM CROSSBOW server software can also be deployed on a Virtual

Machine, provided it has available resources in-line with the requirements for a
physical server.

Note
If deploying redundant RUGGEDCOM CROSSBOW servers on Virtual Machines,
make sure:
• The Virtual Machines are installed on different physical hardware
• A high-availability solution appropriate to the Virtual Machine deployment
environment is implemented

• Client/Windows SAC/SAM-L
Workstations running RUGGEDCOM CROSSBOW Client, Windows SAC or SAM-L
should meet the following minimum requirements:
Component Specification
CPU x86 Compatible, 6-core, 2.40 GHz or faster
RAM 8 GB or more
Disk 500 GB
Operating System Windows 8
Windows 10
Windows Server 2016
Windows Server 2019

Note
A preconfigured SAM-L is available on a RUGGEDCOM RX1500PN LM
APE1808SAM-L module, designed for RUGGEDCOM RX1500-series routers.
For more information about this module, refer to the "RUGGEDCOM APE1808
Configuration Manual [https://support.industry.siemens.com/cs/us/en/
view/109769739]" .
For technical specifications, refer to the "RUGGEDCOM Modules Reference Guide
[https://support.industry.siemens.com/cs/ww/en/view/109747072]" for the
RX1500-series routers.

8 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Introduction
1.3.3 Network Configuration Requirements

• Authentication Server
RUGGEDCOM CROSSBOW requires a separate authentication server for the
strong authentication of users and user groups. The following server types are
supported:
• RSA SecurID Server (RSA Authentication Manager)
• RADIUS
• Active Directory
• Network Connections
The RUGGEDCOM CROSSBOW Server requires at least one network connection.
If desired, a second network connection can be supported. In this case, typically
one Network Interface Controller (NIC) will connect to the internal Local Area
Network (LAN), and the second NIC will connect to field communication devices.
• Serial Connections and Modems
Requirements for serial connections and modems are dependent on the specific
field communication requirements of the facility.

1.3.3 Network Configuration Requirements

Network(s) on which the RUGGEDCOM CROSSBOW Server(s) is installed must meet
the following minimum requirements:
System Requirement
User Workstations Running An open TCP port from the client's workstation to the RUGGEDCOM
RUGGEDCOM CROSSBOW Client CROSSBOW Server.
This connection uses TLS between the client and server.

Note
For information about how to change the server port, refer to
"Configuring Server Host Connection" (Page 68).

Authentication Server RSA SecurID Server

RSA proprietary. For more information about network configuration
requirements, refer the documentation for the RSA SecurID server.

RADIUS Server
An open UDP port from the RUGGEDCOM CROSSBOW Server to
the RADIUS server. Use port 1812 (default) or any other port as
necessary. For more information, refer to the documentation for
the RADIUS server.

Active Directory Server

Open LDAP ports 389 and/or 636.
RUGGEDCOM CROSSBOW Station An open TCP port from the client's workstation to the RUGGEDCOM
Access Controller CROSSBOW SAC. Use port 21000 (default). For more information
about configuring the server port, refer to "Configuring Server Host
Connection" (Page 68).
One TCP port from the RUGGEDCOM CROSSBOW Server(s) to
RUGGEDCOM CROSSBOW Station Access Controller (SAC) for
mutual authentication. Use port 21005 (default). If the server port

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 9
Introduction
1.3.3 Network Configuration Requirements

System Requirement
has been changed, add 5 to the server port number. For example, if
the server port is 18000, the port for the SAC is 18005.
This connection uses TLS between the client and server.
RUGGEDCOM CROSSBOW Secure An open TCP port from the client's workstation to the RUGGEDCOM
Access Manager - Local CROSSBOW Secure Access Manager - Local (SAM-L). Use port 21000
(default). For more information about configuring the server port,
refer to "Configuring Server Host Connection" (Page 68).
One TCP port from the RUGGEDCOM CROSSBOW Server to
RUGGEDCOM CROSSBOW SAM-L for database synchronization. Use
port 21005 (default). If the server port has been changed, add 5 to
the server port number. For example, if the server port is 18000,
the port for the SAM-L is 18005. This connection uses TLS between
the client and server.
One TCP port from the RUGGEDCOM CROSSBOW Client to
RUGGEDCOM CROSSBOW Secure Access Manager - Local (SAM-L)
for the transfer of large types of data (RUGGEDCOM CROSSBOW
Network Proxy interface). Use port 21008 (default). If the server
port has been changed, add 8 to the server port number. For
example, if the server port is 18000, the port for the SAM-L is
18008. This connection uses TLS between the client and server.
RUGGEDCOM CROSSBOW Secure An open TCP port from the client's workstation to the RUGGEDCOM
Access Manager - Primary CROSSBOW Secure Access Manager - Primary (SAM-P). Use port
21000 (default). For more information about configuring the server
port,refer to "Configuring Server Host Connection" (Page 68).
One TCP port from the RUGGEDCOM CROSSBOW SAM-L and SAC to
RUGGEDCOM CROSSBOW SAM-P for database synchronization. Use
port 21005 (default). If the server port has been changed, add 5 to
the server port number. For example, if the server port is 18000,
the port for the SAM-P is 18005. This connection uses TLS between
the client and server.
One TCP port from the RUGGEDCOM CROSSBOW Client to
RUGGEDCOM CROSSBOW Secure Access Manager - Primary (SAM-
P) for the transfer of large types of data (RUGGEDCOM CROSSBOW
Network Proxy interface). Use port 21008 (default). If the server
port has been changed, add 8 to the server port number. For
example, if the server port is 18000, the port for the SAM-L is
18008. This connection uses TLS between the client and server.
E-Mail One TCP port from the RUGGEDCOM CROSSBOW Server to the SMTP
server. Use port 25 (default).
Field Devices Dependent on the specifics of each facility. The RUGGEDCOM
CROSSBOW Server requires access (network or modem) to every
gateway in every substation.
VPN Connections For VPN connections from RUGGEDCOM CROSSBOW to facilities,
the following ports will need to be open (in both the inbound
and outbound directions) in any firewall devices between the
RUGGEDCOM CROSSBOW server and the RUGGEDCOM gateway in
that facility:
• UDP 500
• Protocol 50
• Protocol 51
• UDP 4500 (if there is NAT traversal)

10 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Introduction
1.4 RUGGEDCOM CROSSBOW Architecture and Operation

1.4 RUGGEDCOM CROSSBOW Architecture and Operation

RUGGEDCOM CROSSBOW is part of the Siemens family of communication products. It
allows users to launch a device maintenance application from a workstation located
in a control center or at a facility (i.e. substation) and communicate with devices or
gateways remotely as if the user were directly connected to the end-device. Once
connected, a user can maintain, configure, and/or retrieve information from the end-
device.
RUGGEDCOM CROSSBOW client-server architecture allows users to easily and
securely manage remote connectivity to an entire set of field devices.

Figure 1.1 RUGGEDCOM CROSSBOW Architecture

The RUGGEDCOM CROSSBOW system consists of a primary server (SAM-P) and a

number of clients. The clients are typically the user’s desktop or laptop computers.
The SAM-P contains the system database, based on Microsoft SQL Server, and
manages all connections from the clients to the remote IEDs. The SAM-P supports a
high availability cluster configuration for increased reliability. Active Directory, RSA,
and Radius servers are supported for Role-Based Access Control (RBAC) and secure
user management.
The alternative Application Virtualization Server architecture also allows for the
central management of all native IED applications via a virtual desktop, such as Citrix
XenDesktop®, eliminating the need for client software on the user’s desktop.
The optional RUGGEDCOM CROSSBOW Station Access Controller (SAC) and local
server (SAM-L) are used remotely at substations to manage local IED access, while
maintaining stringent security methodologies in line with NERC CIP compliance and
industry best practices.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 11
Introduction
1.5 RUGGEDCOM CROSSBOW Servers

1.5 RUGGEDCOM CROSSBOW Servers

RUGGEDCOM CROSSBOW uses three types of servers, each with specific levels of
support:
• RUGGEDCOM CROSSBOW Secure Access Manager - Primary (SAM-P)
• RUGGEDCOM CROSSBOW Secure Access Manager - Local (SAM-L)
• RUGGEDCOM CROSSBOW Station Access Controller (SAC)
This section describes the server types and the support offered by each.

1.5.1 The RUGGEDCOM CROSSBOW Secure Access Manager - Primary (SAM-P)

The RUGGEDCOM CROSSBOW Secure Access Manager (SAM-P) is the heart of
RUGGEDCOM CROSSBOW system. It is responsible for the following:
• User Authentication
The SAM-P authenticates all users requesting access to remote devices by either
verifying their user name and password (basic security), or using a strong
authentication mechanism, such as Active Directory, RSA SecurID, RADIUS, or a
combination of RSA SecurID and Active Directory (strong security).
For more information about configuring user authentication, refer to "Managing
User Authentication" (Page 93).
• Connection to Remote Devices
When a device is selected for connection, the SAM-P establishes a
communication path, either directly or through one or more remote gateways to
the device.

Note
The configuration of the SAM-P determines the accessibility of each remote
device, based on the user’s group assignment. If a user is not a member of a user
group that is allowed access to a certain device, that device is not visible to the
user.

After a connection to the end-device is established, the user's RUGGEDCOM

CROSSBOW Client application launches the specified application to open an
interface with the device (e.g. SSH, Telnet, HTTPS, etc.). Depending on the
type of application and end-device, communication can take place either
using a virtual serial port (for serial devices or, in some cases, for Telnet/SSH
connections) or a network proxy endpoint (for network devices) provided by the
RUGGEDCOM CROSSBOW Client to the application.
For more information about connecting to devices, refer to the "RUGGEDCOM
CROSSBOW Client Configuration Manual".
• Database Maintenance
The RUGGEDCOM CROSSBOW database contains a variety of information,
including device and user information, activity logs, scripts, files, queries, etc.

12 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Introduction
1.5.2 The RUGGEDCOM CROSSBOW Secure Access Manager - Local (SAM-L)

The database may contain confidential information, and the performance of

database backups is the responsibility of the database administrators.
For more information about managing the RUGGEDCOM CROSSBOW database,
refer to "Managing the RUGGEDCOM CROSSBOW Database" (Page 107).
• Scheduling
Functionality available for the various device types (e.g. password changes, file
retrieval, etc.) is performed by one or more special operations (automated tasks).
These operations are scheduled and executed depending on the priorities of the
individual operations and availability of device connections.
For more information about scheduling operations, refer to "Configuring the
Maximum Number of Scheduled Processes" (Page 171).

1.5.2 The RUGGEDCOM CROSSBOW Secure Access Manager - Local (SAM-L)

The RUGGEDCOM CROSSBOW Secure Access Manager - Local (SAM-L) is a
functionally-limited version of the SAM-P, and is intended to be deployed on
machines in facility locations. Its purpose is both to allow local connectivity, as
well as to perform special operations on behalf of the SAM-P on the devices in that
facility.
The SAM-L is installed on a device physically located within the facility, and acts as a
local version of the RUGGEDCOM CROSSBOW Server. It can be run from a Windows
PC or a RUGGEDCOM RX1500-series router that has a RUGGEDCOM RX1500PN LM
APE1808SAM-L module installed.
The SAM-L is responsible for the following:
• User Authentication
As with the SAM-P, the SAM-L authenticates all users by either verifying their
user name and password (basic security), or by using a strong authentication
mechanism, such as Active Directory, RSA SecurID, RADIUS, or a combination of
RSA SecurID and Active Directory (strong security). The SAM-L also uses fallback
authentication in cases where the strong authentication source is not available.
For more information about configuring user authentication, refer to "Managing
User Authentication" (Page 93).
• Connection to Remote Devices
As with the SAM-P, the SAM-L establishes a communication path, either directly
or through one or more remote gateways to the device. Users connected to the
SAM-L cannot change the configuration of any of the devices in RUGGEDCOM
CROSSBOW.
For more information about connecting to devices, refer to the "RUGGEDCOM
CROSSBOW Client Configuration Manual".
• Scheduling
Functionality available for the various device types is performed by one or more
special operations (automated tasks). These operations are scheduled and
executed depending on the priorities of the individual operations and availability
of device connections.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 13
Introduction
1.5.3 The RUGGEDCOM CROSSBOW Station Access Controller (SAC)

Since these operations are performed on behalf of the SAM-P, they cannot be
scheduled by users connected to the SAM-L. Instead, they must be scheduled by
users connected to the SAM-P.
Any activities that will be executed on the SAM-L will appear with the state
Delegated on the SAM-P.
For more information about scheduling operations, refer to "Configuring the
Maximum Number of Scheduled Processes" (Page 171).

1.5.3 The RUGGEDCOM CROSSBOW Station Access Controller (SAC)

When it is not possible or practical to access a facility’s devices via the network
connection to the RUGGEDCOM CROSSBOW Server, use the RUGGEDCOM CROSSBOW
Station Access Controller (SAC).
The SAC is installed on a device physically located within the facility, and acts as
a local version of the RUGGEDCOM CROSSBOW Server. During normal operation,
communications occur as usual between the remote RUGGEDCOM CROSSBOW Server
(the enterprise server) and the devices within the facility.
However, if network connectivity is lost, or if the network speed makes it impractical
for an on-site operator to use the enterprise server connection, a user can launch
RUGGEDCOM CROSSBOW Client from within the facility, connect to the SAC,
and restore access to all of the facility's devices using their usual RUGGEDCOM
CROSSBOW interface.
Operations initiated via the SAC are logged and can be uploaded to the enterprise
server database after the network connection is restored. The SAC appears as a
device in the Device View in the main RUGGEDCOM CROSSBOW database.

1.5.4 CROSSBOW Server Support

The following table details the level of support provided by each server type:

Note
For more information about available authentication methods, refer to "Managing
User Authentication" (Page 93).

SAM-P SAM-L SAC

Platform Windows Windows Windows, ROXII
Authentication Strong Strong, with Strong only via SAM-P, with fallback
fallback options options
Client Features All Configurations are Configurations are read-only
read-only
Can make device Can make device connections
connections
Can view
automation form

14 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Introduction
1.6 RUGGEDCOM CROSSBOW Tools

SAM-P SAM-L SAC

Can view files
Can view alerts
Server Features All Device Device connections
connections
Special operations

1.6 RUGGEDCOM CROSSBOW Tools

A series of applications are used by various user levels to configure RUGGEDCOM
CROSSBOW and access devices/gateways:
Tool Description
RUGGEDCOM CROSSBOW Client RUGGEDCOM CROSSBOW Client is the primary interface for
accessing devices (based on user privileges), launching connection
sessions, and accessing device-related tasks and reports. It redirects
all communications to/from the device maintenance application
through either a network proxy or a virtual serial port (VPort)
depending on the nature of the maintenance application, and then
forwards communications through the RUGGEDCOM CROSSBOW
Server to a remote device using one of a variety of communications
mechanisms.

Note
A Virtual Port, or VPort, is an internal software component that
behaves like an actual hardware serial port. A Virtual Port is named
using the same convention as a real serial port, such as COM3. The
port number is configurable.

The RUGGEDCOM CROSSBOW Client is used by all users of

RUGGEDCOM CROSSBOW system. It can be installed on a physical
workstation or provided via a virtual desktop, such as Citrix
XenDesktop®.
For more information about the CROSSBOW Client, refer to the
"RUGGEDCOM CROSSBOW Client Configuration Manual".
RUGGEDCOM CROSSBOW ADM The RUGGEDCOM CROSSBOW Asset Discovery and Management
Agent (ADM) is a security feature used to discover and monitor the
activity of network connected devices. This information is collected
and reported to the Secure Access Manager (SAM). Operators
using CROSSBOW are then made aware of any devices added to
the operational environment within minutes of activation, via an
alert on both the Device View and in the event logging system.
Purposefully deployed devices can be identified and vetted for
inclusion, whereas rogue devices can be quickly identified and
isolated.
The ADM appears as a device in the Device View in the main
RUGGEDCOM CROSSBOW database. It is designed to be deployed
on the network where devices are to be discovered and monitored.
Hardware options include either a RUGGEDCOM RX1500 APE
module equipped with ADM, or an RUGGEDCOM RX1400 with
a Virtual Processing Engine (VPE) equipped with ADM. For more
information about obtaining ADM software for these products,
contact Siemens Customer Support.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 15
Introduction
1.6 RUGGEDCOM CROSSBOW Tools

Tool Description
The ADM must be reachable from the RUGGEDCOM CROSSBOW
External Database Integration Service (EDIS).
For more information about managing an ADM, refer to the
"RUGGEDCOM CROSSBOW Client Configuration Manual".
RUGGEDCOM CROSSBOW SAM-P RUGGEDCOM CROSSBOW SAM-P is the principal interface for
configuring the Secure Access Manager - Primary (SAM-P). This tool
must be installed on the RUGGEDCOM CROSSBOW server.
RUGGEDCOM CROSSBOW SAM-L RUGGEDCOM CROSSBOW SAM-L is the primary interface for
configuring a Secure Access Manager - Local (SAM-L). This tool
should be installed on a workstation at a substation facility.
RUGGEDCOM CROSSBOW SAC RUGGEDCOM CROSSBOW SAC is the primary interface for
configuring a Station Access Controller (SAC). This tool should
be installed at a substation facility, either on a workstation or a
RUGGEDCOM ROXII device.
RUGGEDCOM CROSSBOW Bulk RUGGEDCOM CROSSBOW Bulk Importer is used to import and
Importer export information to/from the RUGGEDCOM CROSSBOW database.
For more information about using the Bulk Importer, refer to the
"RUGGEDCOM CROSSBOW Client Configuration Manual".
RUGGEDCOM CROSSBOW DTDT RUGGEDCOM CROSSBOW DTDT, or Device Type Definition Tool, is
used to create and import custom device types.
For more information about the DTDT, refer to the "RUGGEDCOM
CROSSBOW v5.4 Device Type Definition Tool (DTDT) for CROSSBOW
Configuration Manual".
RUGGEDCOM CROSSBOW RUGGEDCOM CROSSBOW Background Logger can optionally be
Background Logger run in the background of the RUGGEDCOM CROSSBOW server. It
captures internal log messages to assist in debugging and analyzing
field issues.

16 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
RUGGEDCOM CROSSBOW Installation and Upgrade
2
This chapter describes how to install and upgrade the RUGGEDCOM CROSSBOW
database(s), server(s) and services, companion tools (i.e. CAMs, SAC, SAM-L,
Background Logger), and how to determine the current software version.

NOTICE
RUGGEDCOM CROSSBOW works with various third-party applications. Make sure
to consult the documentation for these applications for any requirements needed
to work with RUGGEDCOM CROSSBOW. Additionally, make sure to keep these
applications up-to-date, as outdated software can impact performance and security.

NOTICE
Make sure the installation materials provided by Siemens are digitally signed with
the Siemens AG certificate and contain MD5s that match those in the RUGGEDCOM
CROSSBOW v5.4 Release Notes.

2.1 Configuring/Upgrading the RUGGEDCOM CROSSBOW Database

This section describes how to configure and upgrade the RUGGEDCOM CROSSBOW
database.

2.1.1 Creating and Configuring a RUGGEDCOM CROSSBOW Database

This procedure describes how to create and configure a RUGGEDCOM CROSSBOW
SQL database for a SAM-P, SAM-L or Windows SAC.
To create and configure a RUGGEDCOM CROSSBOW SQL database, do the following:

Note
Unique databases must be created for the SAM-P, SAM-L and SAC.

Note
If mirror databases are implemented for redundancy, the following procedure must
be performed for all databases.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 17
RUGGEDCOM CROSSBOW Installation and Upgrade
2.1.1 Creating and Configuring a RUGGEDCOM CROSSBOW Database

NOTICE
If an error is encountered at any point in this procedure, contact Siemens Customer
Support for assistance.

Note
This procedure describes the basic steps for configuring a database in Microsoft's SQL
Server Management Studio. For more information about specific steps or topics, refer
to the "Microsoft Developer Network" website (https://msdn.microsoft.com/en-us/
library/bb545450).

1. On the RUGGEDCOM CROSSBOW server, extract the contents of SQLScripts.zip

to RUGGEDCOM CROSSBOW install directory (e.g. C:\ProgramFiles\RuggedCom
\CrossBow).
2. On a Microsoft SQL server, launch SQL Server Management Studio and connect
to the SQL server as a System Administrator (SA) or administrator.
3. Execute the following scripts in order:

Note
If the name of the RUGGEDCOM CROSSBOW database defined in SQL Server
Management Studio is anything other than CrossBow, change the database
name in each script before they are run.
To change the database name, type the following:
:setvar DatabaseName {name}

Where:
• {name} is the name of the database

Note
If the server installation type defined in SQL Server Management Studio is
anything other than SAM-P, change the server installation in each script, where
applicable, before they are run.
To change the server installation, type the following:
:setvar ServerInstallType {name}

Where:
• {name} is the name of the server installation. Options are SAM-P, SAM-L and
SAC.

SQL Script Description

Crossbow_db_create.sql This script creates the database schema (e.g. tables, triggers,
etc.).
Crossbow_db_{version}_ This script creates stored procedures, functions, etc.
functions.sql

18 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 RUGGEDCOM CROSSBOW Installation and Upgrade
2.1.1 Creating and Configuring a RUGGEDCOM CROSSBOW Database

SQL Script Description

Crossbow_db_initial_data.sql This script creates an initial set of required data within the
RUGGEDCOM CROSSBOW database, including an initial
administrative user and stock device type definitions.

Note
This script includes customizable parameters that can be
configured before the script is executed. Under Please edit
these statements to correspond to your desired initial
values, edit the following, or retain the default values:

SELECT @InitialAdministrator = '{ Admin }'

SELECT @InitialAdministratorPassword = '{ Ad
min }'
SELECT @InitialAdministratorDescription = '{ De
scription text }'

These parameters define the name of the administrator,

the administrator's password, and a description of the
administrator.
For increased security, Siemens recommends changing
the default values. Make sure to use strong authentication
credentials. For more information, refer to "Security
Recommendations" (Page 3).
The Initial Administrator configured by this script is not
the same as the database owner (dbo) selected in step
7 (Page 21). The Initial Administrator manages RUGGEDCOM
CROSSBOW itself via the RUGGEDCOM CROSSBOW client
application. It must be configured here to log into RUGGEDCOM
CROSSBOW later using RUGGEDCOM CROSSBOW.

NOTICE
Security hazard – risk of unauthorized access and/or
exploitation
If user authentication (via RSA SecurID, RADIUS, and/or
Active Directory) will be implemented immediately after
installation, the Initial Administrator must correspond to an
account defined in the authentication system. Logging in to
RUGGEDCOM CROSSBOW as the initial administrator will not be
possible otherwise.

Crossbow_db_scripts.sql This script creates a table in the database referencing the Visual
Basic and Perl scripts required for the various device types
supported by RUGGEDCOM CROSSBOW.
Crossbow_db_client_queries.sql This script creates a table in the database defining the queries
RUGGEDCOM CROSSBOW is permitted to run. This includes the
query text, parameters, permissions, etc.

For information about how to execute scripts, refer to "Executing SQL

Scripts" (Page 23).
4. In Object Explorer, expand the SQL server, and then expand the Databases
folder.
5. Right-Click the newly created RUGGEDCOM CROSSBOW database and select
Properties. The Database Properties window appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 19
RUGGEDCOM CROSSBOW Installation and Upgrade
2.1.1 Creating and Configuring a RUGGEDCOM CROSSBOW Database

Figure 2.1 Database Properties Screen (Typical)

6. Select the Files page from the navigation window.

20 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 RUGGEDCOM CROSSBOW Installation and Upgrade
2.1.1 Creating and Configuring a RUGGEDCOM CROSSBOW Database

Figure 2.2 Files Screen (Typical)

NOTICE
Security – risk of unauthorized access and/or exploitation
A database owner, or dbo, can perform a variety of administrative and
maintenance tasks, such as updating fields, changing stored procedures,
deleting tables, etc. Only RUGGEDCOM CROSSBOW administrators should be
granted ownership over the RUGGEDCOM CROSSBOW database.

Note
A database owner is not required for a single-server system with a local SQL
server instance.

7. Click …. The Select Database Owner dialog box appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 21
RUGGEDCOM CROSSBOW Installation and Upgrade
2.1.1 Creating and Configuring a RUGGEDCOM CROSSBOW Database

Figure 2.3 Select Database Owner Dialog Box (Typical)

8. Select a user to be the RUGGEDCOM CROSSBOW database owner in the SQL

server. This grants the RUGGEDCOM CROSSBOW server full access to the
RUGGEDCOM CROSSBOW database.
If the desired account is unavailable, or if a domain account is preferred, add
a Windows domain user account for authenticating against the database. This
account must be added to the database as an authorized user.
9. Click OK.
10. [Optional] Further configure the database (such as the recovery model) as
required based on the chosen database back up strategy. For more information,
contact the local Database Administrator (if available) or visit the "Microsoft
Developer Network" website (https://msdn.microsoft.com/en-us/library/
bb545450).
11. Click OK.
12. In Object Explorer, expand the Security folder, followed by Logins.
13. Right-click the desired Windows domain account, and then click Properties. The
Login Properties dialog box appears.

22 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 RUGGEDCOM CROSSBOW Installation and Upgrade
2.1.2 Executing SQL Scripts

Figure 2.4 Login Properties Dialog Box (Typical)

14. Under Default database, select the RUGGEDCOM CROSSBOW database, then
click OK.

2.1.2 Executing SQL Scripts

To execute a script in Microsoft's SQL Server Management Studio, do the following:
1. On a Microsoft SQL server, launch SQL Server Management Studio and connect
to the SQL server as a System Administrator (SA) or administrator.
2. On the SQL Editor toolbar, select the CROSSBOW database from the list.
3. On the File menu, point to Open, then click File.
4. Navigate to RUGGEDCOM CROSSBOW install directory (e.g. C:\ProgramFiles
\RuggedCom\CrossBow) and select the SQL script. The script appears in the SQL
query window.

Note
SQLCMD scripting mode can be enabled by default. For more information, refer
to the SQL Server Management Studio documentation.

5. Enable SQLCMD scripting mode.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 23
RUGGEDCOM CROSSBOW Installation and Upgrade
2.1.3 Upgrading the RUGGEDCOM CROSSBOW Database

Note
If the name of the RUGGEDCOM CROSSBOW database defined in SQL Server
Management Studio is anything other than CrossBow, change the database
name in each script before they are run.

6. On the SQL Editor toolbar, click Execute to run the script. A confirmation
message appears in the status bar once the script has completed. If the script
does not complete successfully, contact Siemens Customer Support.

2.1.3 Upgrading the RUGGEDCOM CROSSBOW Database

To upgrade the RUGGEDCOM CROSSBOW database to a newer version, do the
following:

Note
This procedure describes some tasks related to Microsoft's SQL Server Management
Studio. For more information about specific steps or topics, refer to the "Microsoft
Developer Network" website (https://msdn.microsoft.com/en-us/library/bb545450).

1. Contact Siemens Customer Support and obtain the necessary files to upgrade
the RUGGEDCOM CROSSBOW database.

NOTICE
To avoid the potential loss of important data, make sure a backup of the current
database is available before upgrading.

2. Make sure all users have logged out of RUGGEDCOM CROSSBOW.

3. Make sure any in-progress special operations and CAMs have completed.
4. Stop all services on the RUGGEDCOM CROSSBOW Server. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
5. Backup the current database via SQL Server Management Studio.

Note
Modified scripts may not function following a database upgrade. It is
recommended that all modified scripts be reverted back to their original baseline
state so they can be updated to work with the new database version. For
information about retaining custom functionality, contact Siemens Customer
Support.

6. Restart the RUGGEDCOM CROSSBOW server, and revert all scripts back to their
baseline state. For more information, refer to the "RUGGEDCOM CROSSBOW
Client Configuration Manual".

24 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 RUGGEDCOM CROSSBOW Installation and Upgrade
2.1.3 Upgrading the RUGGEDCOM CROSSBOW Database

7. Stop all services on the RUGGEDCOM CROSSBOW Server. For more

information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
8. Determine the current database version. For more information, refer to
"Determining the Current Database Version" (Page 107).
9. On the RUGGEDCOM CROSSBOW Server, extract the contents of the
SQLScripts.zip to RUGGEDCOM CROSSBOW install directory (e.g. C:
\ProgramFiles\RuggedCom\CrossBow).

Note
An available obsolescence script checks the RUGGEDCOM CROSSBOW database
for the presence of older device types. It is recommended to run this script and
provide the results to Siemens to ensure active device types are supported.

10. [Optional] Execute the script Crossbow_db_obsolecence_check.sql.

11. Execute the following scripts per the sequence example:

Note
If the name of the RUGGEDCOM CROSSBOW database defined in SQL Server
Management Studio is anything other than CrossBow, change the database
name in each script before they are run.

SQL Script Description

Crossbow_db_{current}_{new}_migrate.sql This script (referred to as a migration script)
upgrades the SQL database to the next
version. To help determine which script is
applicable to the current database version,
each migration script is named as follows:

Crossbow_db_{current}_{new}_mi
grate.sql

Where:
• current is the version number for the
current SQL database
• new is the version number of the SQL
database after the update
For example, if upgrading from database
version 4.13 to 4.14, use the migration script
titled Crossbow_db_413_414_migrate.sql.
If the current database is more than one
version away from the target version, make
sure to run the appropriate migration scripts
in sequence. For example, if upgrading
from database version 4.13 to 4.20, run
Crossbow_db_413_414_migrate.sql,
Crossbow_db_414_functions.sql,
Crossbow_db_414_420_migrate.sql, and
then Crossbow_db_420_functions.sql.
Refer to the sequence example for the
recommended series of steps.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 25
RUGGEDCOM CROSSBOW Installation and Upgrade
2.1.3 Upgrading the RUGGEDCOM CROSSBOW Database

SQL Script Description

Crossbow_db_{new}_functions.sql This script upgrades database functions to
their latest version.

Crossbow_db_{new}_functions.sql

Where:
• new is the version number of the SQL
database functions after the update
Crossbow_db_scripts.sql This script updates the table in the database
that references the Visual Basic and Perl scripts
required for the various device types supported
by RUGGEDCOM CROSSBOW.
Crossbow_db_client_queries.sql This script updates the table in the database
that defines the queries RUGGEDCOM
CROSSBOW is permitted to run. This includes
the query text, parameters, permissions, etc.
When this script is run, all previously existing
records in the associated tables are overwritten
with new values.

Sequence Example
The migrate and functions scripts must be run for each version in sequence, followed
by the scripts and client queries functions.
For example, to migrate from RUGGEDCOM CROSSBOW v4.4.1 to RUGGEDCOM
CROSSBOW v4.6, do the following:
1. Run the migrate script and functions script for each version.
a. Run CrossBow_db_441_450_migrate.sql.
b. Run CrossBow_db_450_functions.sql.
c. Run CrossBow_db_450_460_migrate.sql.
d. Run CrossBow_db_460_functions.sql.
2. Run the remaining scripts at the final target version.
a. Run CrossBow_db_scripts.sql.
b. Run CrossBow_db_client_queries.sql.
For information about how to execute scripts, refer to "Executing SQL
Scripts" (Page 23).

26 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 RUGGEDCOM CROSSBOW Installation and Upgrade
2.1.4 Upgrading the RUGGEDCOM CROSSBOW SAM-L Database

2.1.4 Upgrading the RUGGEDCOM CROSSBOW SAM-L Database

To upgrade the RUGGEDCOM CROSSBOW SAM-L database to a newer version, do the
following:

Note
Modified scripts may not function following a database upgrade. It is recommended
that all modified scripts be reverted back to their original baseline state so they can
be updated to work with the new database version. For information about retaining
custom functionality, contact Siemens Customer Support.

Note
This procedure describes some tasks related to Microsoft's SQL Server Management
Studio. For more information about specific steps or topics, refer to the "Microsoft
Developer Network" website (https://msdn.microsoft.com/en-us/library/bb545450).

1. Contact Siemens Customer Support and obtain the necessary files to upgrade
the RUGGEDCOM CROSSBOW database.
2. Make sure all users have logged out of the SAM-L.
3. Make sure any in-progress operations have completed.
4. Initiate synchronization with th SAM-P. For more information, refer to the
"RUGGEDCOM CROSSBOW Client Configuration Manual".
5. Stop all services on the RUGGEDCOM CROSSBOW Server. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
6. Delete the existing SAM-L database.
7. Create a new SAM-L database. For more information, refer to "Creating and
Configuring a RUGGEDCOM CROSSBOW Database" (Page 17).

2.2 Installing/Upgrading RUGGEDCOM CROSSBOW Server and

Services
This section describes how to install and upgrade the RUGGEDCOM CROSSBOW
Server tool and related services.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 27
RUGGEDCOM CROSSBOW Installation and Upgrade
2.2.1 Installing RUGGEDCOM CROSSBOW Server and Services

2.2.1 Installing RUGGEDCOM CROSSBOW Server and Services

To install the RUGGEDCOM CROSSBOW Server tool and related services, do the
following:

Note
Except in the case of a single-server system with a local SQL server instance, the
following procedure must be performed by a database owner, or dbo.

Note
RUGGEDCOM CROSSBOW Server cannot be installed alongside RUGGEDCOM
CROSSBOW SAC or RUGGEDCOM CROSSBOW SAM-L.

1. Contact Siemens Customer Support and obtain a compressed Zip file containing
the latest RUGGEDCOM CROSSBOW Server installer for RUGGEDCOM CROSSBOW
v5.4.
2. Open the compressed Zip file and double-click Server Strong Setup.msi.
The CrossBow Server with Strong Authentication Setup installation wizard
appears.
3. Follow the on-screen instructions to install RUGGEDCOM CROSSBOW Server.

Note
Windows by default grants all services the right to use the log in settings of the
local system account.

Note
Do not install DIGSI 4 or DIGSI 5 on the RUGGEDCOM CROSSBOW Server when
a SIPROTEC 4 Server is also installed. DIGSI is incompatible with SIPROTEC 4
servers.

Note
SIPROTEC 4 serial devices require the installation of the DIGSI 4 server to work
with RUGGEDCOM CROSSBOW. Complete step 4 (Page 28) if you are using
SIPROTEC 4 serial devices.
The DIGSI Server is a large file. To maximize system performance, it is
recommended to only install this file if SIPROTEC 4 Serial devices are in use.

4. [Optional] Open the compressed Zip file and double-click

CrossBow_DIGSI_4_Server_v1.msi for use with SIROTEC 4 serial devices. Follow
the instructions to install the file.
5. Review and acknowledge the server configuration:

Note
Failure to acknowledge the server connection will result in an error message
indicating the last saved server version is incorrect.

28 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 RUGGEDCOM CROSSBOW Installation and Upgrade
2.2.1 Installing RUGGEDCOM CROSSBOW Server and Services

a. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM

CROSSBOW Server.
b. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped.
For more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW
Server Services" (Page 50).
c. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.

Figure 2.5 CrossBow Server Configuration Dialog Box

d. Review all parameters.

e. Click OK.
6. [Optional] If the CrossBow Server Management Service should use the
credentials of a specific user instead of the local system account, configure the

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 29
RUGGEDCOM CROSSBOW Installation and Upgrade
2.2.2 Configuring the RUGGEDCOM CROSSBOW Server Log On Settings

log on settings for the service. For more information, refer to "Configuring the
RUGGEDCOM CROSSBOW Server Log On Settings" (Page 30).
7. Configure the RUGGEDCOM CROSSBOW database. For more information, refer to
"Configuring/Upgrading the RUGGEDCOM CROSSBOW Database" (Page 17).
8. Configure the server host connection. For more information, refer to
"Configuring Server Host Connection" (Page 68).
9. Install the license file. For more information, refer to "Installing a License
File" (Page 75).
10. Select a trusted Certificate Authority for the server. For more information, refer
to "Selecting a Trusted CA for the RUGGEDCOM CROSSBOW Server" (Page 147).
11. Select a certificate. For more information, refer to "Selecting/Installing the
RUGGEDCOM CROSSBOW Server Certificate" (Page 144).
12. Install any CAM licenses that have been purchased. For more information, refer
to "Installing/Upgrading CAMs" (Page 37).
13. [Optional] Encrypt passwords for users, devices and gateways in the
RUGGEDCOM CROSSBOW database. For more information, refer to "Encrypting/
Decrypting the CROSSBOW Database" (Page 52).

2.2.2 Configuring the RUGGEDCOM CROSSBOW Server Log On Settings

Following the successful installation of RUGGEDCOM CROSSBOW Server, consider
configuring the log on settings for the CrossBow Server Management Service. This
allows the server to log in as (and therefore act as) the selected user, as opposed to
using the local system account.

Note
Windows by default grants all services the right to use the log in settings of the local
system account. If a different account is being configured (e.g. domain account),
make sure this account is configured for all RUGGEDCOM CROSSBOW services.

To configure the log on settings, do the following:

Note
Images and steps may differ depending on the version of Windows being used. For
assistance, contact Siemens Customer Support.

1. Click Start, type Administrative Tools in the search box, then click Enter.
The Administrative Tools window appears.

30 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 RUGGEDCOM CROSSBOW Installation and Upgrade
2.2.2 Configuring the RUGGEDCOM CROSSBOW Server Log On Settings

Figure 2.6 Administrative Tools Window

2. Double-click Services. The Services window appears.

Figure 2.7 Services Window

3. Right-click CrossBow Server Management Service, and then click Properties.

The CrossBow Server Management Service Properties (Local Computer)
dialog box appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 31
RUGGEDCOM CROSSBOW Installation and Upgrade
2.2.2 Configuring the RUGGEDCOM CROSSBOW Server Log On Settings

1 3

6 7 8

1 Account Options
2 This Account Box
3 Browse Button
4 Password Box
5 Confirm Password Box
6 OK Button
7 Cancel Button
8 Apply Button
Figure 2.8 CrossBow Server Management Service Properties (Local Computer) Dialog Box

4. Select the Log On tab.

5. To allow the service to login as the local system account, select Local System
account. Or, to make the service login as a specific user, select This account.
If Local System account is selected, proceed to step 8 (Page 32).

Note
If a different user account is being configured (e.g. domain account), make sure
this account is also configured for all RUGGEDCOM CROSSBOW services.

6. In the This account box, type the name of the user account or click Browse and
select one of the available user accounts.
7. In the Password and Confirm password boxes, type the password for the user
account.
8. Click OK.

32 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 RUGGEDCOM CROSSBOW Installation and Upgrade
2.2.3 Connecting to the RUGGEDCOM CROSSBOW Database

2.2.3 Connecting to the RUGGEDCOM CROSSBOW Database

To establish a connection between the RUGGEDCOM CROSSBOW Server and the
RUGGEDCOM CROSSBOW database, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Database, click Configure. The CrossBow Database
Configuration dialog box appears.

1 2 3

7 5

8 6

10

11

12

13

14

15

1 SQL Server Box

2 Test Button
3 OK Button
4 Cancel Button
5 SQL Mirror Server Box
6 Database Name Box
7 Use Windows Authentication Option
8 Use Database Authentication Option
9 SQL User Box
10 SQL Password Box
11 Connection Status Box
12 Current Version Box
13 Latest Version Box
14 Expected Type Box
15 Detected Type Box
Figure 2.9 CrossBow Database Configuration

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 33
RUGGEDCOM CROSSBOW Installation and Upgrade
2.2.3 Connecting to the RUGGEDCOM CROSSBOW Database

4. In the SQL Server box, type the name of the SQL server (case sensitive).
• To connect to the default instance of SQL server on a given workstation,
type the name of the workstation (e.g. CROSSBOW)
• To connect to a specific named instance of SQL server on a given
workstation, type the name of the workstation and instance (e.g.
CROSSBOW\SQLEXPRESS).
• To connect to the SQL server using a specific port, type the name of the
workstation, followed by the port number (i.e. CROSSBOW,1444). The
default TCP port number for the SQL server is 1433.

Note
SQL Server Express does not support database mirroring.

5. [Optional] In the SQL Mirror Server box, type the name (case-sensitive) of the
mirror SQL server.
• To connect to the default instance of SQL Server on a given workstation,
type the name of the workstation
• To connect to a specific instance of SQL Server on a given workstation, type
the name of the workstation and instance (i.e. workstation\instance)
6. In the Database Name box, type the name of the database as defined in SQL
Server Management Studio.

Note
To minimize the possibility of stored database credentials being accessed by
unauthorized personnel, Siemens recommends using Windows authentication.

7. Select either Use Windows Authentication or Use Database Authentication.

8. If Use Database Authentication is selected, in the SQL User box, type the name
of the user account to use to log into the SQL server.
9. If Use Database Authentication is selected, in the SQL Password box, type the
password for the user account used to log into the SQL server.
10. Click Test. The status of the connection is displayed in the Connection Status
box.
11. If the test is successful, click OK to save changes.
12. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

34 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 RUGGEDCOM CROSSBOW Installation and Upgrade
2.2.4 Upgrading RUGGEDCOM CROSSBOW Server and Services

2.2.4 Upgrading RUGGEDCOM CROSSBOW Server and Services

To upgrade the RUGGEDCOM CROSSBOW Server tool and related services, do the
following:

Note
Except in the case of a single-server system with a local SQL server instance, the
following procedure must be performed by a database owner, or dbo.

NOTICE
Compatible versions of RUGGEDCOM CROSSBOW Client and RUGGEDCOM
CROSSBOW Server must be used together. When RUGGEDCOM CROSSBOW Server
is upgraded, all end users accessing that server must also upgrade RUGGEDCOM
CROSSBOW Client on their workstations to continue connecting through that server.
For this reason, the corresponding version of RUGGEDCOM CROSSBOW Client
should be made available to all end users before RUGGEDCOM CROSSBOW Server
is upgraded. A staged upgrade approach is recommended, such as installing and
testing the upgrade on a less-used secondary server before installing on a more
heavily-used server.

1. Contact Siemens Customer Support and obtain a compressed Zip file containing
the latest RUGGEDCOM CROSSBOW Server installer for RUGGEDCOM CROSSBOW
v5.4.
2. Open the compressed Zip file and double-click Server Strong Setup.msi.
The CrossBow Server with Strong Authentication Setup installation wizard
appears.
3. Follow the on-screen instructions to upgrade the RUGGEDCOM CROSSBOW
Server application.
4. Review and acknowledge the server configuration:

Note
Failure to acknowledge the server connection will result in an error message
indicating the last saved server version is incorrect.

a. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM

CROSSBOW Server.
b. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped.
For more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW
Server Services" (Page 50).
c. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 35
RUGGEDCOM CROSSBOW Installation and Upgrade
2.2.4 Upgrading RUGGEDCOM CROSSBOW Server and Services

Figure 2.10 CrossBow Server Configuration Dialog Box

d. Review all parameters.

e. Click OK.
5. To verify the upgrade is successful, review the server configuration and
click OK. For more information refer to "Determining the Current Software
Version" (Page 47).

Note
A new license file is not required when the RUGGEDCOM CROSSBOW Server tool
and related services are upgraded. The existing license file may be re-used.

36 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 RUGGEDCOM CROSSBOW Installation and Upgrade
2.3 Installing/Upgrading CAMs

Note
step 6 (Page 37) is not required if the installation path has not changed since
the last upgrade.

6. If the installation path has changed since the last upgrade, re-install the license
file. For more information refer to "Installing a License File" (Page 75).
7. Re-configure the server log on settings. For more information refer to
"Configuring the RUGGEDCOM CROSSBOW Server Log On Settings" (Page 30).
8. Re-configure the user authentication settings. For more information refer to
"Configuring User Authentication" (Page 95).

2.3 Installing/Upgrading CAMs

CROSSBOW Application Modules (or CAMs) are separately licensed plug-ins that
can be purchased to add advanced functionality to RUGGEDCOM CROSSBOW. For a
description of the CAMs currently available, refer to the "RUGGEDCOM CROSSBOW
Client Configuration Manual".

Note
CAMs are licensed separately from RUGGEDCOM CROSSBOW itself. Each CAM has its
own separate license file and can be licensed for a specified number of end-devices,
users, etc. which may be different from the general the RUGGEDCOM CROSSBOW
server license. CAMs can only be run with an appropriate license in place on the
server.

To install or upgrade a CAM, do the following:

1. Stop all services running on the RUGGEDCOM CROSSBOW server. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
2. Make sure the license file (*.ccl) for the desired CAM is saved in RUGGEDCOM
CROSSBOW install directory (e.g. C:\Program Files\RuggedCom\CrossBow). If
the file is not present or if a new license has been purchased, add the file.
3. [Optional] Remove any *.cxb files from RUGGEDCOM CROSSBOW upgrades
folder (e.g. C:\Program Files\RuggedCom\CrossBow\Upgrades).
4. Restart the necessary services on the RUGGEDCOM CROSSBOW server. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
5. Enable the CAM. For more information, refer to the "RUGGEDCOM CROSSBOW
Client Configuration Manual".

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 37
RUGGEDCOM CROSSBOW Installation and Upgrade
2.4 Installing/Upgrading the Station Access Controller (SAC)

2.4 Installing/Upgrading the Station Access Controller (SAC)

This section describes how to install and upgrade the Station Access Controller (SAC)
on a RUGGEDCOM ROX II device or on a Windows-based workstation.

2.4.1 Installing/Upgrading the SAC on RUGGEDCOM ROX II Devices

The Station Access Controller (SAC) can be installed as an application on select
RUGGEDCOM devices running the RUGGEDCOM ROX II operating system.

Note
The SAC application is supported on RUGGEDCOM RX1400/RX1500/RX1501/RX1510/
RX1511/RX1512/RX5000/MX5000/MX5000RE devices. Review the software release
notes for full support details.

Before installing the SAC on any of the supported RUGGEDCOM ROX II devices, a
repository containing the SAC application must first be created on the RUGGEDCOM
ROX II upgrade server.
To create the repository, do the following:
1. Contact Siemens Customer Support and obtain a compressed Zip file containing
the RUGGEDCOM CROSSBOW SAC application for RUGGEDCOM ROX II devices.
2. On the RUGGEDCOM ROX II upgrade server, navigate to either C:\Apache
\Apache2\htdocs\ (for a Windows-based server running Apache HTTPS Server) or
/var/www/ (for a Linux-based server).
3. Create a folder titled crossbow and a subfolder titled dists (e.g. crossbow\dists).
4. Unzip the SAC application package from the compressed Zip file, navigate
to rs2\dists\, and copy the crossbow-{version}-rr{version}-powerpc folder
(e.g. crossbow-v5.4-rr2.6.0-powerpc) to the dists folder created in step
3 (Page 38).
5. Log in to the RUGGEDCOM ROX II device and install and configure the
RUGGEDCOM CROSSBOW application. For more information, refer to the
"RUGGEDCOM ROX II Configuration Manual" associated with the device.
For instructions about how to install/upgrade the SAC on one of the supported
RUGGEDCOM ROX II devices, refer to the "RUGGEDCOM ROX II Configuration Manual"
associated with the device.

38 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 RUGGEDCOM CROSSBOW Installation and Upgrade
2.4.2 Installing/Upgrading RUGGEDCOM CROSSBOW SAC on a Windows-Based workstations

2.4.2 Installing/Upgrading RUGGEDCOM CROSSBOW SAC on a Windows-Based

workstations
To install or upgrade RUGGEDCOM CROSSBOW SAC on a Windows-based
workstation, do the following:

Note
The SAC cannot be installed alongside RUGGEDCOM CROSSBOW SAM-P or
RUGGEDCOM CROSSBOW SAM-L.

Note
Make sure the SQL Server/SQL Server Express associated with the RUGGEDCOM
CROSSBOW SAC is installed on the same workstation as the SAC to allow pushing the
SAC database.
A SAC database push from the SAM-P is required before connecting to the SAC.

Note
The RUGGEDCOM CROSSBOW SQL database must be configured prior to installing
the SAC. For more information, refer to "Creating and Configuring a RUGGEDCOM
CROSSBOW Database" (Page 17).

1. Contact Siemens Customer Support and obtain a compressed Zip file containing
the RUGGEDCOM CROSSBOW SAC installer for RUGGEDCOM CROSSBOW v5.4.
2. Open the compressed Zip file and double-click CrossBow Windows Station
Access Controller {version}.msi. The CrossBow Station Access Controller
Setup installation wizard appears.
3. Follow the on-screen instructions to install/upgrade the SAC application.
4. After RUGGEDCOM CROSSBOW SAC is successfully installed, configure the
server host connection. For more information, refer to "Configuring Server Host
Connection" (Page 68).
5. Select the certificate. For more information, refer to "Selecting/Installing the
RUGGEDCOM CROSSBOW Server Certificate" (Page 144).
6. Select the trusted Certificate Authority (CA). For more information, refer to
"Selecting a Trusted CA for a RUGGEDCOM CROSSBOW SAC/SAM-L" (Page 149).

2.5 Installing/Upgrading a RUGGEDCOM CROSSBOW SAM-L

A SAM-L can be installed or upgraded using one of the following methods:
• Local Installation/Upgrade using the installation wizard
• Local Installation/Upgrade from the Windows command line
• Remote Upgrade via the SAM-P from the Windows command line

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 39
RUGGEDCOM CROSSBOW Installation and Upgrade
2.5 Installing/Upgrading a RUGGEDCOM CROSSBOW SAM-L

Note
A preconfigured SAM-L is available on a RUGGEDCOM RX1500PN LM APE1808SAM-L
module, designed for RUGGEDCOM RX1500-series routers.
The following sections do not apply to the APE1808SAM-L.
For more information about this module, refer to the "RUGGEDCOM APE1808
Configuration Manual [https://support.industry.siemens.com/cs/us/en/
view/109769739]" .
For technical specifications, refer to the "RUGGEDCOM Modules Reference Guide
[https://support.industry.siemens.com/cs/ww/en/view/109747072]" for the RX1500-
series routers.

Note
If any errors are encountered during an installation or upgrade, review the log file
and if necessary provide it to Siemens Customer Support.

Note
The SAM-L cannot be installed alongside a RUGGEDCOM CROSSBOW SAM-P or
RUGGEDCOM CROSSBOW SAC.

Note
Do not install DIGSI 4 or DIGSI 5 on the SAM-L when a SIPROTEC 4 Server is also
installed. DIGSI is incompatible with SIPROTEC 4 servers.

Local Installation
To install a RUGGEDCOM CROSSBOW SAM-L locally on a Windows-based workstation,
do the following:

Note
The SAM-L cannot be installed alongside a RUGGEDCOM CROSSBOW SAM-P or
RUGGEDCOM CROSSBOW SAC.

1. Contact Siemens Customer Support and obtain a compressed Zip file containing
the RUGGEDCOM CROSSBOW SAM-L installer for RUGGEDCOM CROSSBOW v5.4.
2. Install the RUGGEDCOM CROSSBOW SAM-L.
To install the SAM-L using the wizard, refer to "Installing/Upgrading a
RUGGEDCOM CROSSBOW SAM-L Using the Wizard" (Page 42).
To install the SAM-L from the command line, refer to "Installing/Upgrading
a RUGGEDCOM CROSSBOW SAM-L from the Windows Command
Line" (Page 42).
To mass install SAM-Ls remotely, refer to "Managing RUGGEDCOM CROSSBOW
SAM-L Remote Installations" (Page 45).

40 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 RUGGEDCOM CROSSBOW Installation and Upgrade
2.5 Installing/Upgrading a RUGGEDCOM CROSSBOW SAM-L

Note
The SQL database is installed along with the SAM-L as part of the SAM-L
installation. If desired, it can be installed separately.

3. Make sure an SQL database for the SAM-L has been created/upgraded.
To install the database, refer to "Creating and Configuring a RUGGEDCOM
CROSSBOW Database" (Page 17).
To upgrade an existing database, refer to "Upgrading the RUGGEDCOM
CROSSBOW SAM-L Database" (Page 27).
4. After the RUGGEDCOM CROSSBOW SAM-L is successfully installed, configure the
server host connection. For more information, refer to "Configuring Server Host
Connection" (Page 68).
5. Configure the parent server. For more information, refer to "Adding/Configuring
a Parent Server" (Page 72).
6. Select the certificate. For more information, refer to "Selecting/Installing the
RUGGEDCOM CROSSBOW Server Certificate" (Page 144).
7. Select the trusted Certificate Authority (CA). For more information, refer to
"Selecting a Trusted CA for a RUGGEDCOM CROSSBOW SAC/SAM-L" (Page 149).

Local Upgrade
To upgrade a RUGGEDCOM CROSSBOW SAM-L locally on a Windows-based
workstation, do the following:
1. Contact Siemens Customer Support and obtain a compressed Zip file containing
the RUGGEDCOM CROSSBOW SAM-L installer for RUGGEDCOM CROSSBOW v5.4.
2. Upgrade the RUGGEDCOM CROSSBOW SAM-L.
To upgrade the SAM-L using the installation wizard, refer to "Installing/
Upgrading a RUGGEDCOM CROSSBOW SAM-L Using the Wizard" (Page 42).
To upgrade the SAM-L from the command line, refer to "Installing/
Upgrading a RUGGEDCOM CROSSBOW SAM-L from the Windows Command
Line" (Page 42).
3. Upgrade the SAM-L database. For more information, refer to "Upgrading the
RUGGEDCOM CROSSBOW SAM-L Database" (Page 27).

Remote Upgrade
To upgrade RUGGEDCOM CROSSBOW SAM-Ls remotely via the SAM-P from the
command line, do the following:
1. Contact Siemens Customer Support and obtain a compressed Zip file containing
the RUGGEDCOM CROSSBOW SAM-L installer for RUGGEDCOM CROSSBOW v5.4.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 41
RUGGEDCOM CROSSBOW Installation and Upgrade
2.5.1 Installing/Upgrading a RUGGEDCOM CROSSBOW SAM-L Using the Wizard

2. Upgrade the RUGGEDCOM CROSSBOW SAM-L. For more information, refer to

"Installing/Upgrading a RUGGEDCOM CROSSBOW SAM-L from the Windows
Command Line" (Page 42).
3. Upgrade the SAM-L database. For more information, refer to "Upgrading the
RUGGEDCOM CROSSBOW SAM-L Database" (Page 27).

2.5.1 Installing/Upgrading a RUGGEDCOM CROSSBOW SAM-L Using the Wizard

To install or upgrade a RUGGEDCOM CROSSBOW SAM-L on a Windows-based
workstation using the installation wizard, do the following:

Note
For all related steps necessary to install a SAM-L, including server configuration,
certificates and licensing, refer to "Installing/Upgrading a RUGGEDCOM CROSSBOW
SAM-L" (Page 39).

1. Open the compressed Zip file containing the RUGGEDCOM CROSSBOW SAM-L
installer for RUGGEDCOM CROSSBOW v5.4.
2. Double-click CrossBow Windows Secure Access Manager - Local
{version}.msi. The CrossBow Windows Secure Access Manager - Local
installation wizard appears.
3. Follow the on-screen instructions to install/upgrade the SAM-L application.
4. Make sure an SQL database for the SAM-L has been created/upgraded.
To install the database, refer to "Creating and Configuring a RUGGEDCOM
CROSSBOW Database" (Page 17).
To upgrade an existing database, refer to "Upgrading the RUGGEDCOM
CROSSBOW SAM-L Database" (Page 27).

2.5.2 Installing/Upgrading a RUGGEDCOM CROSSBOW SAM-L from the Windows

Command Line
A SAM-L can be installed or upgraded locally from the command line using Windows
Installer. Windows Installer uses the Msiexec.exe process to install MSI packages.
For more information about using Windows Installer and Msiexec, visit https://
www.microsoft.com.
To install or upgrade a RUGGEDCOM CROSSBOW SAM-L on a Windows-based
workstation from the command line, do the following:

Note
For all related steps necessary to install a SAM-L, including server configuration,
certificates and licensing, refer to "Installing/Upgrading a RUGGEDCOM CROSSBOW
SAM-L" (Page 39).

42 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 RUGGEDCOM CROSSBOW Installation and Upgrade
2.5.2 Installing/Upgrading a RUGGEDCOM CROSSBOW SAM-L from the Windows Command Line

Note
The SQL scripts required to install/upgrade the database are included in the
RUGGEDCOM CROSSBOW SAM-L installer for RUGGEDCOM CROSSBOW v5.4.

1. Access the SAM-L workstation where the installation/upgrade will be applied.

2. Close RUGGEDCOM CROSSBOW Server.
3. Open a command line.
4. Open the compressed Zip file containing the RUGGEDCOM CROSSBOW SAM-L
installer for RUGGEDCOM CROSSBOW v5.4.
5. Install the file CrossBow Windows Secure Access Manager - Local
{version}.msi to the SAM-L using the following basic command:
msiexec.exe/i { {filename.msi} } /L*V { {log filename} }

Apply parameters as needed per the table and use cases below.

Common Parameters
Any parameters supported by Msiexec can be used in this procedure.
The following table lists some commonly used parameters:

Note
The custom parameters SAML_DBSERVER, SAML_DBUSER, SAML_DBPASSWORD and
SAML_DBNAME must be either all used together, or not used at all, per the described
use cases.

Parameter Description
AUTO Indicates that the installer will attempt to recreate the SAM-L database
automatically. This parameter is used with either all or none of the other four
custom parameters SAML_DBSERVER, SAML_DBUSER, SAML_DBPASSWORD and
SAML_DBNAME.
SAML_DBSERVER The name of the target SQL Server on which to create the database.
SAML_DBUSER The name of the user with permissions to perform CREATE and DROP functions on
databases.
SAML_DBPASSWORDThe password associated with SAML_DBUSER.
SAML_DBNAME The name of the database to be created and used with the RUGGEDCOM
CROSSBOW SAM-L Server.
/forcerestart Always restart option. Ensures the RUGGEDCOM CROSSBOW SAM-L Server starts
following the installation.
/quiet Quiet mode (no user interaction). This parameter is optional.
/L Enable logging. This parameter is optional.

Use Cases
The following upgrade scenarios are supported:

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 43
RUGGEDCOM CROSSBOW Installation and Upgrade
2.5.2 Installing/Upgrading a RUGGEDCOM CROSSBOW SAM-L from the Windows Command Line

New Installation Using Parameters:

A user wants to install the RUGGEDCOM CROSSBOW Server when no existing
RUGGEDCOM CROSSBOW Server exists on the machine, using parameters. The
provided credentials SAML_DBUSER and SAML_DBPASSWORD are used to create the
database named SAML_DBNAME on the SQL Server SAML_DBSERVER.

Upgrade Using Parameters:

A user wants to upgrade the existing software from the command line providing
parameters for the installation. The current version of the RUGGEDCOM CROSSBOW
Server software is uninstalled and replaced with the new version. The previous
database name configured in the registry is dropped and the SAML_DBNAME
database name is also dropped. The SAML_DBNAME is created and all install SQL files
are applied.

Command:
msiexec.exe/i CrossBow_Windows_Secure_Access_Manager_Lo
cal.msi AUTO="1" SAML_DBSERVER="{ {server name} }" SAML_D
BUSER="{ {user name} }" SAML_DBPASSWORD="{ {password} }" SAM
L_DBNAME="{ {database name} }" /quiet /L*V { {log filename} }

Example:
msiexec.exe/i CrossBow_Windows_Secure_Access_Manager_Local.m
si AUTO="1" SAML_DBSERVER="CROSSBOWSAM-L-1" SAML_DBUSER="sa"
SAML_DBPASSWORD="12345" SAML_DBNAME="CrossBowix" /quiet /L*V
cxb_package.log

New Installation or Upgrade Using No Parameters

A user wants to run the installation from the command line and manually drop the
database and apply new scripts.
Command:
msiexec.exe/i CrossBow_Windows_Secure_Access_Manager_Local.m
si /L*V { {log filename} }

Upgrade Installation Using Only Parameter AUTO

A user wants to upgrade the existing software from the command line without
providing any parameters, except AUTO. The user's Windows credentials are used to
access the SQL server and run the installation SQL files. The previously configured
database server name and database name in the registry are used for the installation.

Note
Appropriate credentials must be present in the SQL Server. The user must be the
database owner.

44 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 RUGGEDCOM CROSSBOW Installation and Upgrade
2.5.3 Managing RUGGEDCOM CROSSBOW SAM-L Remote Installations

Command:
msiexec.exe/i CrossBow_Windows_Secure_Access_Manager_Local.m
si AUTO="1" /quiet /L*V { {log filename} }

2.5.3 Managing RUGGEDCOM CROSSBOW SAM-L Remote Installations

SAM-Ls can be mass-upgraded or mass-installed remotely from their associated SAM-
P using a third-party program.
This section describes how to prepare and upgrade SAM-Ls remotely.

2.5.3.1 Preparing All SAM-Ls for a Remote Upgrade

RUGGEDCOM CROSSBOW allows a user to prepare all SAM-Ls in a SAM-P's network to
receive software updates.

Note
For instructions on preparing an individual SAM-L to receive a software update, refer
to the "RUGGEDCOM CROSSBOW Client Configuration Manual".

Preparing for an update puts each SAM-L in recovery mode, where users are
prevented from connecting to the SAM-L and any pending automated device
connections are prevented from starting. Automated device connections already in
progress will be permitted to complete. All data is pushed back to the SAM-P.

Note
This preparation feature is designed to work only with systems at RUGGEDCOM
CROSSBOW v5.0 or higher.

To prepare all SAM-Ls to be upgraded, do the following:

1. In RUGGEDCOM CROSSBOW Client, disconnect all users from the RUGGEDCOM
CROSSBOW server. For more information, refer to the "RUGGEDCOM CROSSBOW
Client Configuration Manual".
2. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
3. On the toolbar, click Update, then SAM-Ls. The System Update form appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 45
RUGGEDCOM CROSSBOW Installation and Upgrade
2.5.3 Managing RUGGEDCOM CROSSBOW SAM-L Remote Installations

1 SAM-L's Ready for Software Update Status

Figure 2.11 System Update Form

The form displays the update status of all SAM-L's in the SAM-P's network.
Once all SAM-Ls are prepared and all SAM-P users are offline, the SAM-L's Ready
for Software Update status will display Yes. Otherwise, No will be shown.

2.5.3.2 Mass Deploying RUGGEDCOM CROSSBOW SAM-L Upgrades

SAM-Ls can be mass-upgraded from their associated SAM-P in local and/or remote
locations using a third-party program such as Microsoft PsExec.
For more information about using Microsoft PsExec, refer to visit https://
www.microsoft.com.

NOTICE
Siemens does not endorse a specific third party application. Other applications
may be used to perform this procedure. Contact your IT department to determine
the appropriate method for your organization and to make sure no security
vulnerabilities are exposed in your system.

To mass deploy RUGGEDCOM CROSSBOW SAM-L upgrades using PsExec, do the

following:
1. Access the SAM-P.
2. Close RUGGEDCOM CROSSBOW Server on each SAM-L to be upgraded.
3. Make sure the file CrossBow Windows Secure Access Manager - Local
{version}.msi is copied to each SAM-L.
4. Prepare the target SAM-Ls for the upgrade. For more information, refer to
"Preparing All SAM-Ls for a Remote Upgrade" (Page 45).

46 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 RUGGEDCOM CROSSBOW Installation and Upgrade
2.6 Determining the Current Software Version

5. Open a command line.

6. Run the following command:
PsExec64.exe \\{SAM-L server name} -u "Domain\User" -p "{password}" msiex
ec.exe /i "{path to msi file}\CrossBow_Windows_Secure_Access_Manager_ Local.m
si" AUTO="1" SAML_DBSERVER="{SQL server name}" SAML_DBUSER="{database user
name}" SAML_DBPASSWORD="{database password}" SAML_DBNAME="{database name}" /
quiet /L*V "{log path}\{log filename}"

Once the process has completed, the following output will be dispalyed:
msiexec.exe exited on {SAM-L database name} with error code 0.

2.6 Determining the Current Software Version

To determine the version of any RUGGEDCOM CROSSBOW tool installed (e.g.
RUGGEDCOM CROSSBOW Client, RUGGEDCOM CROSSBOW Server, etc.), do the
following:
1. Launch the desired application.
2. On the toolbar, click Help, then click About {tool}. A dialog box appears listing
the software version.

Figure 2.12 About Dialog Box

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 47
RUGGEDCOM CROSSBOW Installation and Upgrade
2.6 Determining the Current Software Version

48 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
Setup and Configuration
3
This chapter describes how to setup and configure RUGGEDCOM CROSSBOW's
various tools to work with one another and the network of devices and gateways
they will manage.

3.1 Basic Setup

The following procedures describe the basic steps for configuring RUGGEDCOM
CROSSBOW following a successful installation of the database and all required
tools (i.e. RUGGEDCOM CROSSBOW Server, RUGGEDCOM CROSSBOW Client, and/or
RUGGEDCOM CROSSBOW SAC).

Note
For information about setting up the RUGGEDCOM CROSSBOW Client(s), refer to the
"RUGGEDCOM CROSSBOW Client Configuration Manual".

• RUGGEDCOM CROSSBOW Server

To configure a new RUGGEDCOM CROSSBOW server and database, do the
following:
1. Configure how clients and devices connect with the CROSSBOW Server, and
how the server handles inactive clients and devices. For more information,
refer to "Configuring Server Host Connection" (Page 68).
2. Install a license file for the server. For more information, refer to "Installing a
License File" (Page 75).
3. Configure the administrator user group. For more information, refer to the
"RUGGEDCOM CROSSBOW Client Configuration Manual".
4. Add the server to a new or existing server cluster. For more information,
refer to "Managing a Server Cluster" (Page 139).
5. Configure the connection between the server and database. For more
information, refer to "Connecting to the RUGGEDCOM CROSSBOW
Database" (Page 33).
6. Configure how user credentials are authenticated. Basic authentication
mode is recommended for an initial setup. The Strong authentication mode
can also be implemented in the future. For more information, refer to
"Configuring User Authentication" (Page 95).
• RUGGEDCOM CROSSBOW SAC (If Applicable)
To configure a Station Access Controller (SAC), do the following:

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 49
Setup and Configuration
3.2 Launching RUGGEDCOM CROSSBOW Tools

1. Add and configure a SAC. For more information, refer to the "RUGGEDCOM
CROSSBOW Client Configuration Manual".
2. Configure a trusted Certificate Authority for the SAC. For more information,
refer to "Selecting a Trusted CA for a RUGGEDCOM CROSSBOW SAC/SAM-
L" (Page 149).
• RUGGEDCOM CROSSBOW SAM-L (If Applicable)
To configure a Secure Access Manager - Local (SAM-L), do the following:
1. Add and configure a SAM-L. For more information, refer tothe "RUGGEDCOM
CROSSBOW Client Configuration Manual".
2. Configure a trusted Certificate Authority for the SAM-L. For more
information, refer to "Selecting a Trusted CA for a RUGGEDCOM CROSSBOW
SAC/SAM-L" (Page 149).

3.2 Launching RUGGEDCOM CROSSBOW Tools

To launch RUGGEDCOM CROSSBOW tools (such as RUGGEDCOM CROSSBOW Server,
RUGGEDCOM CROSSBOW SAC, etc.), do the following:

Note
Images and steps may differ depending on the version of Windows being used. For
assistance, contact Siemens Customer Support.

Note
In the case of RUGGEDCOM CROSSBOW SAC, the following procedure describes how
to open the Windows application. For information about the RUGGEDCOM ROX II
based SAC, refer to the appropriate "RUGGEDCOM ROX II Configuration Manual".

1. Launch the tool by clicking Start, select All Programs, select RuggedCom,
select the folder for the tool, then select the tool itself.
2. If Windows' User Account Control (UAC) is enabled, a dialog box may appear
requesting authorization to open the application. Click Yes.

3.3 Starting/Stopping RUGGEDCOM CROSSBOW Server Services

To start or stop services run by the RUGGEDCOM CROSSBOW Server, do the
following:

Note
A service must be stopped before it can be configured.

50 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.3 Starting/Stopping RUGGEDCOM CROSSBOW Server Services

Note
If active user and device connections exist when attempting to stop RUGGEDCOM
CROSSBOW Server Services, a confirmation dialog will appear listing the active
connections. Select Yes to proceed, or No to abort.

Note
Stopping the RUGGEDCOM CROSSBOW Main Server service via RUGGEDCOM
CROSSBOW Server automatically disconnects all clients.

1. Launch the desired application (i.e. RUGGEDCOM CROSSBOW Server or

RUGGEDCOM CROSSBOW SAC).

2 3

1 Services
2 Start Button
3 Stop Button
Figure 3.1 RUGGEDCOM CROSSBOW Server Window

2. For the desired service, including the RUGGEDCOM CROSSBOW Server itself, click
either Start or Stop.
Icons for each service indicate the service's current status.
Icon Status
Stopped

Start Pending

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 51
Setup and Configuration
3.4 Securing Passwords

Icon Status
Running

3.4 Securing Passwords

RUGGEDCOM CROSSBOW supports password-based and certificate-based encryption
of passwords for users, devices and gateways in the RUGGEDCOM CROSSBOW
database.
This section describes how to protect passwords for devices/gateways and
RUGGEDCOM CROSSBOW users.

3.4.1 Encrypting/Decrypting the CROSSBOW Database

This section describes how to encrypt or decrypt passwords and other data for users,
devices and gateways in the RUGGEDCOM CROSSBOW database.

NOTICE
Whenever the encryption settings are changed (i.e. by applying/removing
encryption), RUGGEDCOM CROSSBOW deletes any existing log files, encrypted
reports and bulk import sheets in the database. Make sure to retrieve any desired
files via the client before changing these encryption settings. For more information
about retrieving logs from devices/gateways, refer to the "RUGGEDCOM CROSSBOW
Client Configuration Manual".

NOTICE
For added security, RUGGEDCOM CROSSBOW cross-references the server software
version with the database software version. To configure encryption or decryption,
the version numbers must match. For example, decrypting a database prior to
migration must take place before installing the new version of the RUGGEDCOM
CROSSBOW server.

52 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.4.1 Encrypting/Decrypting the CROSSBOW Database

3.4.1.1 Encrypting/Decrypting the Database Using a Certificate

To use certificate-based encryption to encrypt or decrypt the areas of the
RUGGEDCOM CROSSBOW database that store passwords for users, devices and
gateways, do the following:

NOTICE
Security hazard – risk of unauthorized access and/or exploitation
Make sure to safely record the encryption certificate and make sure it is only
available to trusted personnel.

Note
Certificates are managed in the Windows store. Users are responsible for uploading
certificates to the store. For more information about installing certificates, refer to
"Selecting/Installing the RUGGEDCOM CROSSBOW Server Certificate" (Page 144).

Note
The encryption process may take several minutes to complete, depending on the size
of the RUGGEDCOM CROSSBOW database.

1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM

CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Database tab. The Database screen appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 53
Setup and Configuration
3.4.1 Encrypting/Decrypting the CROSSBOW Database

1 Configure Button
2 OK Button
3 Cancel Button
Figure 3.5 Database Screen

5. Under Encryption Settings, click Configure. The Encryption Configuration

dialog box appears.

54 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.4.1 Encrypting/Decrypting the CROSSBOW Database

1 4

2
5

8
12
9

11 10

1 By Certificate Button
2 Enable Encryption Check Box
3 OK Button
4 Cancel Button
5 Store Type Box
6 Store Name Box
7 Subject Box
8 Thumbprint Box
9 Browse Button
10 Validation Certificate Range Boxes
11 Force Decrypt Box
12 Expiry Warning Lead Time
Figure 3.6 Encryption Configuration Dialog Box

6. Under Encryption Type, select By Certificate.

7. To disable encryption, clear the Enable Encryption check box and proceed to
step 9 (Page 56).
8. To enable encryption, do the following:
a. Select Enable Encryption.
b. Click Browse. The Certificate Selection dialog box appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 55
Setup and Configuration
3.4.1 Encrypting/Decrypting the CROSSBOW Database

1 3

1 Certificate List
2 OK Button
3 Cancel Button
4 Import Button
Figure 3.7 Certificate Selection Dialog Box

c. Select the desired certificate and click OK.

d. In the Validation Certificate Range boxes, add the active start and end
dates for the certificate.
e. Select the desired certificate Expiry Warning Lead Time and click OK.
RUGGEDCOM CROSSBOW will send out notifications about upcoming
certificate expiry based on the validation certificate range and expiry lead
time. When a certificate has expired, a notification will appear and the
server will be prevented from starting until an updated certificate has been
added.
For more information about updating certificates, refer to "Changing/
Updating the Encryption Certificate" (Page 56).
9. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.4.1.2 Changing/Updating the Encryption Certificate

The following procedure describes how to change or update the encryption
certificate. Changing the encryption certificate changes the certificate in both the
RUGGEDCOM CROSSBOW database and server, while updating the certificate only
changes the certificate in the RUGGEDCOM CROSSBOW server.
If the encryption certificate is changed for the RUGGEDCOM CROSSBOW and a
server cluster is in use, each server in the cluster must be updated to use the new
certificate.

56 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.4.1 Encrypting/Decrypting the CROSSBOW Database

To change or update the encyryption certificate, do the following:

1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Database tab. The Database screen appears.

1 Configure Button
2 OK Button
3 Cancel Button
Figure 3.8 Database Screen

5. Under Encryption Settings, click Configure. The Encryption Configuration

dialog box appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 57
Setup and Configuration
3.4.1 Encrypting/Decrypting the CROSSBOW Database

1 4

2
5

8
12
9

11 10

1 By Certificate Button
2 Enable Encryption Check Box
3 OK Button
4 Cancel Button
5 Store Type Box
6 Store Name Box
7 Subject Box
8 Thumbprint Box
9 Browse Button
10 Validation Certificate Range Boxes
11 Force Decrypt Box
12 Expiry Warning Lead Time
Figure 3.9 Encryption Configuration Dialog Box

6. Under Encryption Type, select By Certificate.

7. Click Browse. The Certificate Selection dialog box appears.

1 3

1 Certificate List
2 OK Button

58 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.4.1 Encrypting/Decrypting the CROSSBOW Database

3 Cancel Button
4 Import Button
Figure 3.10 Certificate Selection Dialog Box

8. Select the desired certificate and click OK.

9. Select the desired certificate Expiry Warning Lead Time and click OK.
10. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

Note
The encryption certificate is stored on the server used to originally encrypt user,
device and gateway passwords in the RUGGEDCOM CROSSBOW database. If
server clusters are implemented, the certificate must be configured on all other
servers that access the same database.

11. If the server is part of a server cluster, repeat this procedure for each server in
the cluster.

3.4.1.3 Encrypting/Decrypting the Database Using a Password

To use password-based encryption to encrypt the areas of the RUGGEDCOM
CROSSBOW database that store passwords for users, devices and gateways, do the
following:

NOTICE
Security hazard – risk of unauthorized access and/or exploitation
Make sure to safely record the encryption password and make sure it is only
available to trusted personnel.

Note
The encryption process may take several minutes to complete, depending on the size
of the RUGGEDCOM CROSSBOW database.

1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM

CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Database tab. The Database screen appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 59
Setup and Configuration
3.4.1 Encrypting/Decrypting the CROSSBOW Database

1 Configure Button
2 OK Button
3 Cancel Button
Figure 3.11 Database Screen

5. Under Encryption Settings, click Configure. The Encryption Configuration

dialog box appears.

60 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.4.1 Encrypting/Decrypting the CROSSBOW Database

5
1 6

1 By Password Button
2 Enable Encryption Check Box
3 Encryption Password Box
4 Confirm Password Box
5 OK Button
6 Cancel Button
Figure 3.12 Encryption Configuration Dialog Box

6. Under Encryption Type, select By Password.

7. To disable encryption, clear the Enable Encryption check box and proceed to
step 9 (Page 61).
8. To enable encryption, do the following:
a. Select Enable Encryption.
b. In Encryption Password and Confirm Password, type the encryption
password. The password must be at least eight characters in length.
c. Click OK. If the database was successfully encrypted, a confirmation dialog
box appears.
d. Click Yes. The status on the Options tab under Encryption Settings reads:
Enabled, password verified

e. Click OK to close the dialog box.

9. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 61
Setup and Configuration
3.4.1 Encrypting/Decrypting the CROSSBOW Database

3.4.1.4 Changing/Updating the Encryption Password

The following procedure describes how to change or update the encryption
password. Changing the encryption password changes the password in both the
RUGGEDCOM CROSSBOW database and server, while updating the password only
changes the password in the RUGGEDCOM CROSSBOW server.
If the encryption password is changed for the RUGGEDCOM CROSSBOW and a server
cluster is in use, each server in the cluster must be updated to use the new password.
To change or update the encyryption password, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Database tab. The Database screen appears.

62 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.4.1 Encrypting/Decrypting the CROSSBOW Database

1 Configure Button
2 OK Button
3 Cancel Button
Figure 3.13 Database Screen

5. Under Encryption Settings, click Configure. The Encryption Configuration

dialog box appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 63
Setup and Configuration
3.4.1 Encrypting/Decrypting the CROSSBOW Database

5
1 6

1 By Password Button
2 Enable Encryption Check Box
3 Encryption Password Box
4 Confirm Password Box
5 OK Button
6 Cancel Button
Figure 3.14 Encryption Configuration Dialog Box

6. Under Encryption Type, select By Password.

7. In Encryption Password and Confirm Password, type either a new encryption
password or the password already set for the RUGGEDCOM CROSSBOW
database. The password must be at least eight characters in length.
8. Click OK. A confirmation dialog box appears.
9. Click Yes if changing the password, or No if only updating the password for the
RUGGEDCOM CROSSBOW server.
10. Click OK to close the dialog box.
11. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

Note
The encryption password is stored on the server originally used to encrypt user,
device and gateway passwords in the RUGGEDCOM CROSSBOW database. If
server clusters are implemented, the password must be configured on all other
servers that access the same database.

12. If the server is part of a server cluster, repeat step 1 (Page 62) to step
11 (Page 64) to for each server in the cluster.

64 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.4.2 Showing/Hiding Passwords for Devices/Gateways

3.4.1.5 Encrypting/Decrypting the Database in a Server Cluster

The encryption password or certificate is stored on the server used to originally
encrypt user, device and gateway passwords in the RUGGEDCOM CROSSBOW
database. If server clusters are implemented, the password or certificate must be
configured on all other servers that access the same database. This allows those
servers to access and decrypt any encrypted data, and to encrypt any new data.
To encrypt or decrypt the RUGGEDCOM CROSSBOW database when multiple servers
are being used, do the following:
1. Access the RUGGEDCOM CROSSBOW main server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure all RUGGEDCOM CROSSBOW services on all SAMs in the cluster
are stopped. For more information, refer to "Starting/Stopping RUGGEDCOM
CROSSBOW Server Services" (Page 50).
3. On the main server, encrypt or decrypt the database using either password or
certificate encryption.
For more information about encrypting the database using a certificate, refer to
"Encrypting/Decrypting the Database Using a Certificate" (Page 53).
For more information about encrypting the database using a password, refer to
"Encrypting/Decrypting the Database Using a Password" (Page 59).
4. Once the database is in the appropriate state (encrypted or decrypted), start the
main server.
5. If no errors are detected, update the rest of the SAMs in the cluster to use the
same encryption password or certificate.

3.4.2 Showing/Hiding Passwords for Devices/Gateways

User names and passwords for devices/gateways are displayed on the Connection
screen under the device/gateway's configuration, which is only accessible by
administrators and sub-administrators who have the necessary privileges. By default,
passwords are displayed in cleartext. RUGGEDCOM CROSSBOW, however, can be
configure to display them as a series of asterisks (****) to prevent unauthorized
access to a device/gateway.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 65
Setup and Configuration
3.4.2 Showing/Hiding Passwords for Devices/Gateways

Figure 3.15 Connection Screen – Passwords Hidden (Example)

Figure 3.16 Connection Screen – Passwords Shown (Example)

Note
Passwords are still visible to administrators/sub-administrators during password
checkouts and in the device password reports.

To show or hide passwords for devices/gateways, do the following:

1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

66 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.4.2 Showing/Hiding Passwords for Devices/Gateways

3. Under CrossBow Main Server, click Configure. The CrossBow Server

Configuration dialog box appears.
4. Click the Options tab. The Options screen appears.

1 OK Button
2 Cancel Button
3 Show Connected User's Name Check Box
4 Show Device Passwords to Admin Check Box
5 Disable Sending Checked Out Password Email Check Box
6 Show Popup Message When Command Blocked Check Box
Figure 3.17 Options Screen

5. Under Client Options, select or clear Show Device Passwords to Admin.

6. Click OK to save changes.
7. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 67
Setup and Configuration
3.5 Managing Server Connections

3.5 Managing Server Connections

This section describes how to configure the connection between the RUGGEDCOM
CROSSBOW server and individual client workstations.

3.5.1 Configuring Server Host Connection

To configure how clients and devices connect with the RUGGEDCOM CROSSBOW
server, and how the server handles inactive clients and devices, do the following:

Note
For information about enabling/disabling Transport Layer Security (TLS) 1.2
connections, refer to "Enabling/Disabling TLS 1.2 Connections for RUGGEDCOM
CROSSBOW Server" (Page 70).

1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM

CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.

68 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.5.1 Configuring Server Host Connection

3
5
4

7
6
7

1 OK Button
2 Cancel Button
3 Server Port Box
4 Use TLS 1.2 instead of TLS 1.3 Connections Check Box
5 Client Connection Timeout Box
6 Device Session Timeout Box
7 Disable Check Box
Figure 3.18 CrossBow Server Configuration Dialog Box

Note
If a firewall exists between RUGGEDCOM CROSSBOW clients and the
RUGGEDCOM CROSSBOW Server, make sure the server port number is not
blocked.

4. On the Primary Configuration tab, under Connection Configuration, the TCP

port number to be used by the RUGGEDCOM CROSSBOW Client application to
connect to the RUGGEDCOM CROSSBOW Server in the Server Port box. The
default port number is 21000, but can be changed as needed.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 69
Setup and Configuration
3.5.2 Enabling/Disabling TLS 1.2 Connections for RUGGEDCOM CROSSBOW Server

5. In the Client Connection Timeout box, type or select the maximum amount of
time (in minutes) for the server to wait before disconnecting an inactive client.
To disable this feature, select Disable.
6. In the Device Session Timeout box, type or select the maximum amount of
time (in minutes) for the server to wait before disconnecting an inactive remote
device. To disable this feature, select Disable.
7. Click OK to save changes.
8. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.5.2 Enabling/Disabling TLS 1.2 Connections for RUGGEDCOM CROSSBOW Server

Transport Layer Security (TLS) 1.3 connections between RUGGEDCOM CROSSBOW
clients and servers are enabled by default, requiring all TLS/SSL certificates be signed
using a Secure Hash Algorithm.
To enable TLS 1.2 connections in RUGGEDCOM CROSSBOW Server, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.

70 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.5.2 Enabling/Disabling TLS 1.2 Connections for RUGGEDCOM CROSSBOW Server

3
5
4

7
6
7

1 OK Button
2 Cancel Button
3 Server Port Box
4 Use TLS 1.2 instead of TLS 1.3 Connections Check Box
5 Client Connection Timeout Box
6 Device Session Timeout Box
7 Disable Check Box
Figure 3.19 CrossBow Server Configuration Dialog Box

4. Select Use TLS 1.2 instead of TLS 1.3 Connections to allow TLS v1.2
connections, or clear the check box to use TLS v1.3 connections.
5. Click OK to save changes.
6. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
7. If the server is part of a server cluster, repeat step 1 (Page 70) to step
6 (Page 71) for the remaining servers in the cluster.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 71
Setup and Configuration
3.6 Managing Parent Servers

3.6 Managing Parent Servers

This section describes how to configure and manage parent servers for a Station
Access Controller (SAC) or Secure Access Manager (SAM-L).

3.6.1 Adding/Configuring a Parent Server

To add a new parent server or configure an existing server, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.

3 5

1 OK Button
2 Cancel Button
3 Parent Servers
4 Add Server Button

72 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.6.2 Deleting a Parent Server

5 Delete Server Button

Figure 3.20 CrossBow Server Configuration Dialog Box

4. Either modify the values for an existing parent server, or click Add Server to add
a new row and then provide the host address and host port for the new parent
server.
5. Click OK to save changes.
6. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.6.2 Deleting a Parent Server

To delete a parent server, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 73
Setup and Configuration
3.7 Managing Licenses

3 5

1 OK Button
2 Cancel Button
3 Parent Servers
4 Add Server Button
5 Delete Server Button
Figure 3.21 CrossBow Server Configuration Dialog Box

4. Select the desired parent server and then click Delete Server.
5. Click OK to save changes.
6. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.7 Managing Licenses

This section describes how to manage licenses in RUGGEDCOM CROSSBOW.

74 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.7.1 Installing a License File

3.7.1 Installing a License File

A license file contains information about licenses specific to the RUGGEDCOM
CROSSBOW installation. This file is required to determine if the current RUGGEDCOM
CROSSBOW installation is within the limits of the license restrictions.

Note
For information about how to view which licenses are enabled and make
sure no license restrictions have been exceeded, refer to "Viewing License
Limits" (Page 76).

The install a license file, do the following:

1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.

4
1

1 License File Box

2 OK Button

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 75
Setup and Configuration
3.7.2 Viewing License Limits

3 Cancel Button
4 Install Button
Figure 3.22 CrossBow Server Configuration Dialog Box

4. On the Primary Configuration tab, under License Configuration, either type

the name of the license file (including the system path) or click Install and select
the desired file.
5. Click OK to save changes.
6. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.7.2 Viewing License Limits

To view a report on the number of remaining licenses available, do the following:
1. Access the RUGGEDCOM CROSSBOW client workstation, launch RUGGEDCOM
CROSSBOW Client, and login as a user with the necessary administrative
privileges.
2. On the toolbar, click Reports and then click License Limits. The CrossBow
License Information dialog box appears.

76 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.8 Managing Files and Firmware

Figure 3.23 CrossBow License Information Dialog Box

The first section indicates the total number of licenses available and the number of
licenses in use. The color of the icon next to each category indicates the status of the
licenses:
Icon Color Description
Green The number of installed licenses is less than 90% of the license limit.
Yellow The number of installed licenses is greater than or equal to 90% of the license
limit.
Red The number of installed licenses has reached 100% of the license limit. Additional
or upgraded licenses must be purchased.

The second section is a read-only list of license features currently enabled or disabled
in RUGGEDCOM CROSSBOW.

3.8 Managing Files and Firmware

This section describes how to manage CID files and firmware in RUGGEDCOM
CROSSBOW.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 77
Setup and Configuration
3.8.1 Decompressing CID Files

3.8.1 Decompressing CID Files

Files with the .cid extension (i.e. configuration files) on SEL devices are compressed
by default. When RUGGEDCOM CROSSBOW retrieves these files, they remain
compressed.
This optional configuration item allows users to install the proprietary SEL
CompressorHead application on either the RUGGEDCOM CROSSBOW server or
the RUGGEDCOM CROSSBOW SAM-L server as applicable, so that the files are
automatically decompressed during the file retrieval process.
To allow RUGGEDCOM CROSSBOW to decompress CID files on retrieval, do the
following:

Note
This procedure applies only to SEL devices.

Note
This procedure details configuration of the RUGGEDCOM CROSSBOW main server.
For the RUGGEDCOM CROSSBOW SAM-L, follow the same procedure. The SEL
CompressorHead application must be installed on each SAM-L in a facility to have
files decompressed during file retrieval.

1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM

CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Options tab. The Options screen appears.

78 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.8.1 Decompressing CID Files

1 OK Button
2 Cancel Button
3 Application File Path Box
4 Browse Button
Figure 3.24 Options Screen

Note
If the Application File Path box is blank, the CompressorHead application will
be inactive. RUGGEDCOM CROSSBOW will retrieve the files but they will remain
compressed.

5. Under SEL CompressorHead Configuration, in the Application File Path box ,

click Browse to select the destination folder on the RUGGEDCOM CROSSBOW
server to install the application.
6. Click OK to save changes.
7. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 79
Setup and Configuration
3.8.2 Adding Firmware for Gauntlet Gateways

3.8.2 Adding Firmware for Gauntlet Gateways

Firmware for devices/gateways must first be added to RUGGEDCOM CROSSBOW
before it is distributed.
To add firmware to RUGGEDCOM CROSSBOW for a Gauntlet gateway, do the
following:

Note
Firmware for Gauntlet gateways is stored on the RUGGEDCOM CROSSBOW server, as
opposed to within the RUGGEDCOM CROSSBOW database.

Note
Each updated firmware file for Gauntlet gateways replaces the last. Multiple versions
are not retained by RUGGEDCOM CROSSBOW.

1. Make sure the firmware file is accessible from the RUGGEDCOM CROSSBOW
server.
2. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
3. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
4. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
5. Click the Options tab. The Options screen appears.

80 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.9 Managing Users, Groups and Authentication

4
3

1 OK Button
2 Cancel Button
3 Firmware File Box
4 Install Button
Figure 3.25 Options Screen

6. Under Gauntlet Bow Configuration, do one of the following:

• Type the full path and file name for the firmware file
• Click Install, find and select the file, then click OK
7. Click OK. The firmware is added to the RUGGEDCOM CROSSBOW server.

3.9 Managing Users, Groups and Authentication

Users and user groups can be created and managed directly within RUGGEDCOM
CROSSBOW, or imported from an Active Directory server.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 81
Setup and Configuration
3.9.1 Configuring the Maximum Number of Login Attempts

Note
If Active Directory is in use, some interface controls in RUGGEDCOM CROSSBOW
Client for managing users and user groups are disabled.

RUGGEDCOM CROSSBOW supports three different types of users:

• Administrators
Administrators are users who belong to the administrator user group, as defined
in the RUGGEDCOM CROSSBOW Server configuration. Administrators can
configure the system, set up connections between devices and maintenance
applications, create users and user groups, assign user rights, and access all areas
of RUGGEDCOM CROSSBOW Client.
• Sub-Administrators
Sub-Administrators, if granted permission by an Administrator, can add, edit,
and delete facilities, gateways, and devices. They can also run device-specific
reports, and add/edit applications. Multiple user groups can be assigned sub-
administrator rights, each with different permissions.
• Users
Users can log into the system and access those devices made available to them
by the Administrator or by a Sub-Administrator with appropriate access.
All users belong to a user group, which defines their level of control over
RUGGEDCOM CROSSBOW, specific device groups, reports, etc.
Users can be assigned to more than one user group, with the highest level of
permissions assigned to one group superseding all others.
RUGGEDCOM CROSSBOW also supports user authentication via RSA SecurID, Active
directory or RADIUS.

3.9.1 Configuring the Maximum Number of Login Attempts

To prevent unauthorized users from launching RUGGEDCOM CROSSBOW Client using
brute force, a maximum number of login attempts can be configured. If the user
repeatedly fails to login and exceeds this limit, the user's profile is automatically
locked. Only an administrator or sub-administrator can reactive the profile.

Note
For information about how to reactivate a user's profile, refer to the "RUGGEDCOM
CROSSBOW Client Configuration Manual".

Note
This setting is only applicable when Basic authentication is in use. If using Active
Directory or RSA SecurID, the lockout policy for the respective authentication method
overrides this setting.

82 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.9.2 Configuring an Administrator User Group

To configure the maximum number of login attempts, do the following:

1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Click the Options tab. The Options screen appears.

1 OK Button
2 Cancel Button
3 Max Login Attempts Box
Figure 3.26 Options Screen

3. Under Max Login Attempts, type the number of login attempters permitted.
4. Click OK to save changes.

3.9.2 Configuring an Administrator User Group

One user group must be granted full administrative access to RUGGEDCOM
CROSSBOW. While some user groups can be granted sub-administrator privileges for
specific device groups, reports, etc., members of the administrative group have full
rights over all aspects of RUGGEDCOM CROSSBOW.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 83
Setup and Configuration
3.9.2 Configuring an Administrator User Group

RUGGEDCOM CROSSBOW by default defines a single user group named Admin,

which includes a single user also named Admin. Any other user group, however, can
be made an administrator user group.

Note
The administrator user group must have at least one member.

To make a user group the administrator user group, do the following:

1. If using a user group other than Admin, make sure the user group has first been
configured via RUGGEDCOM CROSSBOW Client. For more information, refer to
the "RUGGEDCOM CROSSBOW Client Configuration Manual".
2. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
3. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
4. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.

1 OK Button
2 Cancel Button

84 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.9.3 Importing Users and User Groups from Active Directory

3 Group Name Box

Figure 3.27 CrossBow Server Configuration Dialog Box

5. Under Administrator User Group Configuration, in the Group Name box, type
the name of the administrator user group (e.g. Admin).
6. Click OK to save changes.
7. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.9.3 Importing Users and User Groups from Active Directory

Rather than create users and user groups within RUGGEDCOM CROSSBOW, users and
user groups can be imported from an Active Directory server.
To import users and user groups defined within Active Directory into the
RUGGEDCOM CROSSBOW database, do the following:

Note
If the number of allowable licenses for all users (Active Directory and CxB) is reached,
RUGGEDCOM CROSSBOW will prioritize the Active Directory users that are being
imported first, over the CxB manually-entered users. Only Active Directory users
that belong to at least one user group will be imported and a licensed used. To view
license limitations, refer to "Viewing License Limits" (Page 76).

Note
If users and user groups have been imported from Active Directory, Yes appears
under Use AD Group. Otherwise, the value is No.

Note
Users and user groups are updated in RUGGEDCOM CROSSBOW at a user-configured
polling interval. Any changes made in the Active Directory server will not be reflected
until the next poll.
For example, if RUGGEDCOM CROSSBOW is using AD authentication, and changes are
made to the username attribute in AD, RUGGEDCOM CROSSBOW will be required to
to complete its next poll before the user can log in. This is because the username is
checked both in AD and the RUGGEDCOM CROSSBOW database.
All connections to the Active Directory server are logged in the Event Log file. For
information about the Event Log file, refer to "Configuring the CrossBow Event Log
Distribution Service" (Page 177).

NOTICE
When users and user groups are imported from Active Directory, use strong
authentication options – such as RADIUS, RSA or Active Directory itself – to

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 85
Setup and Configuration
3.9.3 Importing Users and User Groups from Active Directory

authenticate users. If only basic authentication is used, new users will not be
automatically assigned a basic authentication password. The administrator will be
prompted to provide one, and one must be assigned before the user can log into
RUGGEDCOM CROSSBOW.

1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM

CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Options tab. The Options screen appears.

4
3

1 OK Button
2 Cancel Button
3 Use AD Groups Box
4 Configure Button
Figure 3.28 Options Screen

86 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.9.3 Importing Users and User Groups from Active Directory

5. Under Active Directory Group Configuration, click Configure. The Active

Directory Groups dialog box appears.

1 3

10

11
14
12
15 13

1 Retrieve CrossBow Groups from Active Directory Check Box

2 OK Button
3 Cancel Button
4 Polling Interval (min) Box
5 Base Distinguished Name Box
6 Groups Filter Box
7 Group Name Attribute Box
8 Username Attribute Box
9 Full Name Attribute Box
10 Description Attribute Box
11 Email Attribute Box
12 Primary Phone Attribute Box
13 Secondary Phone Attribute Box
14 Allow non-AD Users and User Groups Check Box
15 Use Strong Authentication for non-AD Users Check Box
Figure 3.29 Active Directory Groups Dialog Box

6. Select Retrieve CrossBow Groups from Active Directory.

7. [Optional] Configure the Polling Interval. The default is 60 minutes.
8. [Optional] Select Allow non-AD Users and User Groups.
When selected, the local users and user groups in the database will be
preserved. RUGGEDCOM CROSSBOW will allow both AD authentication for AD
users and basic authentication for non-AD users.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 87
Setup and Configuration
3.9.3 Importing Users and User Groups from Active Directory

When deselected, all existing users and user groups will be overwritten with
the active users and user groups from the Active Directory server when the next
Active Directory polling attempt is made.
9. [Optional] Select Use Strong Authentication for non-AD Users.
When selected, RUGGEDCOM CROSSBOW will apply the selected strong
authentication method to non-AD users.
When deselected, the existing authentication method will be preserved for non-
AD users.

Note
For more information about available authentication methods, refer to
"Managing User Authentication" (Page 93).

10. Configure the following parameters:

Note
Make sure to use appropriate syntax (i.e. use of symbols, case sensitivity, etc.) as
defined by your LDAP controller in your configuration string.

Parameter Description

Base Distinguished The location of the Active Directory domain controller from
Name which all user and group information will be retrieved.

NOTICE
Security hazard – risk of unauthorized access and/or ex
ploitation
Appropriate certificates must be installed on both the Active
Directory and RUGGEDCOM CROSSBOW servers before any
TLS/SSL connection is established. Although authentication
information will not be transmitted in the clear over the
connection, sensitive user and user group information may still
be exposed.

Note
If redundant AD severs are being used, specify only the domain,
rather than a specific domain controller. For example, use
LDAP://domain not LDAP://machine.domain.

If the Active Directory server is configured to support SSL, add

:636 to the end of the distinguished name. For example:

LDAP://abx.example.lan:636

Groups Filter The query to be used to retrieve user and user group
information from Active Directory. For example:

(&(objectClass=group)(name=CxB*))

88 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.9.3 Importing Users and User Groups from Active Directory

Parameter Description
At minimum, the query must contain (objectClass=group)
to import user groups from Active Directory. Individual users
can be imported using (objectClass=user).
Use a filter to select only the users and user groups to be
imported. To simplify filtering, use a consistent naming
convention for all users and user groups in Active Directory.
For instance, in the previous example, only user groups whose
names begin with CxB will be imported.

Group Name Attribute Synopsis: name

Imports user group names from name attribute in Active

Directory. Type name.

Username Attribute Synopsis: sAMAccountName

Imports user names from sAMAccountName attribute in

Active Directory. Type sAMAccountName. This will become the
username of users in RUGGEDCOM CROSSBOW.

11. [Optional] Configure the following parameters as required:

NOTICE
Configuration hazard – risk of communication failure
Do not use Active Directory attributes that have an array value. Only attributes
with string values are permitted. If an array-type attribute is used, such as
memberOf, Active Directory will abort the import operation and close the
connection.

Note
If any of the following parameters are left blank, the associated property will
be configurable via RUGGEDCOM CROSSBOW for each user profile. Otherwise,
values are imported from Active Directory.

Parameter Description

Full Name Attribute The attribute in Active Directory that specifies the full name of a
user (e.g. displayName).

Description Attribute The attribute in Active Directory that specifies the description of
a user (e.g. description).

Email Attribute The attribute in Active Directory that specifies the e-mail
address for a user (e.g. mail).

Primary Phone At The attribute in Active Directory that specifies the primary
tribute phone number for a user (e.g. telephoneNumber, mobile,
pager, etc.).

Secondary Phone At The attribute in Active Directory that specifies the primary
tribute secondary number for a user (e.g. otherTelephone,
otherMobile, otherPager, etc.).

12. Click OK. The dialog box closes.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 89
Setup and Configuration
3.9.4 Enabling/Disabling User Labels

13. Click OK to save changes.

14. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.9.4 Enabling/Disabling User Labels

User labels identify users connected to a remote device by making their name visible
to other RUGGEDCOM CROSSBOW users in RUGGEDCOM CROSSBOW Client.
To enable/disable user labels, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Options tab. The Options screen appears.

90 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.9.5 Enabling/Disabling Service Permissions

1 OK Button
2 Cancel Button
3 Show Connected User's Name Check Box
4 Show Device Passwords to Admin Check Box
5 Disable Sending Checked Out Password Email Check Box
6 Show Popup Message When Command Blocked Check Box
Figure 3.30 Options Screen

5. Under Client Options, select or clear Show Connected User's Name.

6. Under Client Options, select or clear Show Device Passwords to Admin.
7. Under Client Options, select or clear Disable Sending Checked Out Password
Email.
8. Click OK to save changes.
9. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.9.5 Enabling/Disabling Service Permissions

By default, all users logged in to a SAM-P machine have permission to read the
RUGGEDCOM CROSSBOW server registry. In some cases, an administrator may want
to restrict this access only to specified users or groups.
To enable/disable service permissions, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Primary Configuration tab. The Primary Configuration screen
appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 91
Setup and Configuration
3.9.5 Enabling/Disabling Service Permissions

1 OK Button
2 Cancel Button
3 Service Permission Check Box
4 Service Start Name Box
Figure 3.31 Primary Configuration Screen

5. Under Service Configuration, select or clear the Service Permission check box.

Note
Any access permissions granted outside of RUGGEDCOM CROSSBOW will not be
impacted.

• Clear (default): Any user logged in to the SAM-P machine can access the
server registry.
• Selected – Only a specified user or group can access the server registry.
If clearing the check box, proceed to step 7 (Page 93).
6. When selected, the Service Start Name box appears. Do the following:

92 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.9.6 Managing User Authentication

Note
The user name configured in Windows must match the name entered in the
Service Start Name box. If there is a mismatch, the RUGGEDCOM CROSSBOW
services will be unable to run.

a. Enter the name of the user or group previously configured in Windows

to use the RUGGEDCOM CROSSBOW server. For more information
about configuring the RUGGEDCOM CROSSBOW server in Windows,
refer to "Configuring the RUGGEDCOM CROSSBOW Server Log On
Settings" (Page 30).
b. Configure the following services to run as the selected user or group:
• RUGGEDCOM CROSSBOW Server Management Service
• RUGGEDCOM CROSSBOW Background Logger Service
• RUGGEDCOM CROSSBOW Event Log Distribution Management Service
• RUGGEDCOM CROSSBOW Syslog Receiver Management Service
• RUGGEDCOM CROSSBOW External Database Integration Management
Service
• RUGGEDCOM CROSSBOW File Export Management Service
For more information about configuring services in Windows,
refer to "Configuring the RUGGEDCOM CROSSBOW Server Log On
Settings" (Page 30).
7. Click OK to save changes.
8. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.9.6 Managing User Authentication

User authentication is required to prevent unauthorized access to RUGGEDCOM
CROSSBOW and devices in the field. As such, RUGGEDCOM CROSSBOW supports
multiple levels of authentication, depending on the server connection.
This section describes the different authentication methods and possible primary and
secondary combinations for each server.

NOTICE
Active Directory, RSA and RADIUS servers are configured outside of RUGGEDCOM
CROSSBOW. Use industry best practices when configuring AD, RSA and RADIUS
servers.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 93
Setup and Configuration
3.9.6 Managing User Authentication

3.9.6.1 Choosing an Authentication Method

RUGGEDCOM CROSSBOW servers support primary and secondary authentication
methods. Generally, the primary authentication method determines how a user is
normally expected to authenticate to a server, while the secondary authentication
method (if configured) is an alternative method that may be available when either
primary authentication fails or is manually configured by the user.
Available methods vary depending on the server being used and the selected primary
authentication method.

Authentication Methods
• Basic Authentication
Basic authentication requires all users to log into RUGGEDCOM CROSSBOW using
a password that conforms to rules defined by the administrator. This password
may be subject to renewal at intervals chosen by the administrator.
Basic passwords are configured in the SAM-P and pushed to the SAC/SAM-L.
• Strong Authentication
Strong authentication requires all users to be authenticated by an external
service. That service can be an RSA/ACE, Active Directory, RADIUS, or RSA and
Active Directory server.
• Proxy
Authentication is performed via proxy to the SAM-P. If the SAM-P cannot be
reached then the fallback option becomes active, where a user can authenticate
with either their basic password or the SAM-L's global password. The basic
passwords are configured in the SAM-P and pushed to the SAM-L.
• Windows
Authenticate with the User's Windows password on that particular server.
• Global
For SAM-L, authenticate with the individual SAM-L global password. For the SAC,
authenticate with the individual SAC global password.
• Basic with Global
Users can authenticate with either their basic password or the SAM-L's global
password.
• AD
Authentication is performed locally using Active Directory.
• RSA
Authentication is performed locally via RSA.
• RSA and AD
Authentication is performed locally via RSA and AD.
• RADIUS
Authentication is performed locally via RADIUS.

94 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.9.6 Managing User Authentication

Primary/Secondary Authentication Support

The following table shows the supported Primary/Secondary authentication
combinations for each server:
SAM-P SAM-L Windows SAC ROX SAC
Primary Secondary Primary Secondary Primary Secondary Primary Secondary
Basic Windows, Basic None, Global, Proxy Windows, Proxy Basic/Global
None Windows Basic, None,
Global, Basic/
Global
Strong Basic, None Proxy Windows,
Basic, None,
Global,
Basic/Global
Strong Windows,
Basic, None,
Global,
Basic/Global

3.9.6.2 Configuring User Authentication

To configure authentication for RUGGEDCOM CROSSBOW users, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Authentication tab. The Authentication screen appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 95
Setup and Configuration
3.9.6 Managing User Authentication

3 1

4 2

6 7

9 8

10
13
11

12

14

15

16

17

1 OK Button
2 Cancel Button
3 Primary Options
4 Secondary Options
5 Manual Secondary Options
6 Disconnect on Failure Options
7 NAS IP Address Box
8 NAS Identifier Box
9 Password Encryption Options
10 Add RAD Svr Button
11 Edit RAD Svr Button
12 Delete RAD Svr Button
13 Available RADIUS Servers
14 Password Rule Settings
15 Allowed Characters Check Boxes
16 Symbol Characters Box
17 Required Characters Check Boxes
Figure 3.32 Authentication Screen (SAM-P)

5. Under Authentication Method, select one of the available authentication

methods:

96 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.9.6 Managing User Authentication

Note
Available authentication methods depend on the server connection being
used. For more information about available authentication methods, refer to
"Choosing an Authentication Method" (Page 94).

Parameter Description

Primary The primary method used to authenticate to the server.

Secondary The secondary method used to authenticate to the server when

manually configured or in case the primary method fails. This
parameter is optional.

Manual Secondary The method used to manually switch to the secondary

authentication method. Options include:
• None – Option unavailable per the selected primary
method.
• Available After Primary Authentication Failure – Option
to manually switch to the secondary authentication method
after primary authentication fails at least once.
• Always Available – Option to manually switch to the
secondary authentication method at any time, regardless if
primary authentication fails.

Disconnect on Failure The method used to determine if and when to disconnect

following authentication failure. Options include:
• Do Not Disconnect – When selected, the user is not
disconnected following an authentication failure, but is
prompted to try again. There is no limit on the number of
times authentication can be attempted.
• Disconnect for Secondary Authentication Only –
This option is available only when there is a secondary
authentication method configured on the server.
When selected, the user is disconnected after three
failed secondary authentication attempts on the same
connection. Failed primary authentication attempts will not
disconnect the user.
• Disconnect for Primary and Secondary Authentication –
When selected, the user is disconnected after three failed
primary or secondary authentication attempts on the same
connection.

Note
An RSA/ACE server must be present and configured for RSA SecurID strong two-
factor authentication.

Note
If RSA and AD is selected, the user is required to authenticate themselves twice
during the login, first via RSA and then via AD. Each of these login phases will go
through the usual full sequence of prompts. Both login phases must succeed in
order to gain access to RUGGEDCOM CROSSBOW.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 97
Setup and Configuration
3.9.6 Managing User Authentication

Note
Parameters under RADIUS Configuration are only available when RADIUS is
selected.

6. If RADIUS is selected, under RADIUS Configuration, configure the following

parameters:
Parameter Description

NAS IP Address The IP address of the RUGGEDCOM CROSSBOW Server.

NAS Identifier The NAS identifier attribute. This attribute (typically the Fully
Qualified Domain Name) is used in the Access-Request process
to identify the computer that constructed the Access-Request
packet.

Password Encryption Synopsis: [ MS CHAP v2 | PAP ]

Default: PAP

The level of password encryption to use.

7. If RADIUS is selected, add and configure RADIUS servers. For more information,
refer to "Adding/Configuring a RADIUS Server" (Page 99).

Note
Passwords are used for user access to the system if the CrossBow Server is
set for basic authentication. When strong authentication is selected, these
passwords still exist and may be used in SAC fallback authentication. Fallback
authentication occurs when a user logs in locally to a Station Access Controller
at a facility and the SAC is unable to connect to a parent SAM-P to proxy the
user login. In this case, the SAC will authenticate the user based on their basic
authentication password.
Even if strong authentication is selected, and there are no SACs in the system,
these settings should be reviewed and configured appropriately.

Note
When the rules for password characters are changed, they are not retroactively
applied to previously configured basic authentication passwords. New rules are
only applied to new passwords.
However, when the rules for password expiries and warnings are changed, they
are applied immediately to existing passwords.

8. Under CrossBow Basic Authentication/SAC Fallback Password Rules,

configure the following:
• The maximum number of days from when a password is generated until
the password expires. The range is 0 to 1000, where 0 indicates passwords
should never expire.

98 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.9.6 Managing User Authentication

A value of 0 is recommended when strong authentication is selected and

there are no SAC installations in the system. This prevents users from having
to update passwords that are never used.
• The number of days to wait before warning users to change their passwords.
The minimum value is 0, which indicates warnings should never be issued.
The maximum value is 1000, but must not exceed the maximum number of
days before the password expires. For example, if passwords expire after 90
days, the system cannot generate warnings for more than 90 days.
• The minimum number of characters allowed in a user password. The range
is 1 to 40, but it cannot exceed the maximum number of characters.
• The maximum number of characters allowed in a user password. The range
is 1 to 40, but it cannot be less than the minimum number of characters.

Note
The following characters are not permitted in passwords and will be ignored if
defined in the password rules:
• single quote (')
• semi-colon (;)
• pipe (|)

9. Under Allowed Characters, set the rules for characters allowed in user
passwords.
10. Under Required Characters, set the rules for characters that must be used in all
user passwords.
11. Click OK to save changes.
12. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.9.6.3 Adding/Configuring a RADIUS Server

To add a RADIUS server or configure an existing server for user authentication, do the
following:

Note
A maximum of 10 RADIUS servers can be configured.

1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM

CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 99
Setup and Configuration
3.9.6 Managing User Authentication

3. Under CrossBow Main Server, click Configure. The CrossBow Server

Configuration dialog box appears.
4. Click the Authentication tab. The Authentication screen appears.

Note
Available authentication methods depend on the server connection being
used. For more information about available authentication methods, refer to
"Managing User Authentication" (Page 93).

2
3
5

4 6

7 9

10

11

12

13

14

1 OK Button
2 Cancel Button
3 Authentication Method Options
4 Password Encryption Options
5 NAS IP Address Box
6 NAS Identifier Box
7 Available RADIUS Servers
8 Add RAD Svr Button
9 Edit RAD Svr Button
10 Delete RAD Svr Button
11 Password Rule Settings
12 Allowed Characters Check Boxes
13 Symbol Characters Box

100 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.9.6 Managing User Authentication

14 Required Characters Check Boxes

Figure 3.33 Authentication Screen (SAM-P)

5. Under RADIUS Configuration, either select an existing RADIUS server and click
Edit RAD Svr, or click Add RAD Svr. The RADIUS Server Configuration dialog
box appears.

1
4

5
2

1 RADIUS Server IP Address Box

2 RADIUS Server Auth. Port Box
3 Shared Secret Box
4 OK Button
5 Cancel Button
Figure 3.34 RADIUS Server Configuration Dialog Box

6. Configure the following parameters as required:

Parameter Description

RADIUS Server IP Ad The IP address for the RADIUS server.

dress

RADIUS Server Auth. The port to be used for authentication requests.

Port

Shared Secret The secret to be used by RUGGEDCOM CROSSBOW when

communicating with the RADIUS server.

7. Click OK. The dialog box closes.

8. Click OK to save changes.
9. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.9.6.4 Deleting a RADIUS Server

To delete a RADIUS server, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 101
Setup and Configuration
3.9.6 Managing User Authentication

3. Under CrossBow Main Server, click Configure. The CrossBow Server

Configuration dialog box appears.
4. Click the Authentication tab. The Authentication screen appears.

Note
Available authentication methods depend on the server connection being
used. For more information about available authentication methods, refer to
"Managing User Authentication" (Page 93).

2
3
5

4 6

7 9

10

11

12

13

14

1 OK Button
2 Cancel Button
3 Authentication Method Options
4 Password Encryption Options
5 NAS IP Address Box
6 NAS Identifier Box
7 Available RADIUS Servers
8 Add RAD Svr Button
9 Edit RAD Svr Button
10 Delete RAD Svr Button
11 Password Rule Settings
12 Allowed Characters Check Boxes
13 Symbol Characters Box

102 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.10 Managing E-Mails and Notifications

14 Required Characters Check Boxes

Figure 3.35 Authentication Screen (SAM-P)

5. Under RADIUS Configuration, select the desired RADIUS server and then click
Delete.
6. Click OK to save changes.
7. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.10 Managing E-Mails and Notifications

RUGGEDCOM CROSSBOW can be configured to automatically e-mail a user, user
group, or a specific e-mail address when specific events occur during operation.

3.10.1 Configuring an E-Mail Server

RUGGEDCOM CROSSBOW requires an outgoing Simple Mail Transfer Protocol (SMTP)
server to be able to send e-mails to users.
To configure an SMTP server, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the E-Mail tab. The E-Mail screen appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 103
Setup and Configuration
3.10.1 Configuring an E-Mail Server

3
5
4

6
9 11
7

8
12
10

13

1 OK Button
2 Cancel Button
3 Sender Email Address Box
4 Address Box
5 Port Box
6 Username Box
7 Password Box
8 Authentication Method List
9 SSL Connection Check Box
10 Max Attachment Size (MB) Box
11 Enter the Email Address Box
12 Test Button
13 Communication Log
Figure 3.36 E-Mail Screen

5. [Optional] Under Server Profile Notification Sender Email, configure the

Sender Email Address parameter with the desired sender email address.
If left blank, the address of the last user to modify the E-mail notification profile
will be used as the sender.
For more information about managing E-mail notification profiles, refer to the
"RUGGEDCOM CROSSBOW Client Configuration Manual".

104 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.10.1 Configuring an E-Mail Server

Note
The E-mail sender behavior is different when configuring reports.
For more information about configuring E-mail recipients when generating a
report, refer to the "RUGGEDCOM CROSSBOW Client Configuration Manual".

6. Under Email Server Configuration, configure the following parameters:

Parameter Description

Address The IP address or host name of the outgoing SMTP server.

Port The port number used to connect to the outgoing SMTP server.

Username The user name required to log into the outgoing SMTP server.

Password The password required to log into the outgoing SMTP server.

Authentication Method The authentication method used by the outgoing SMTP server.

SSL Connection Default: Disabled

When enabled (selected), RUGGEDCOM CROSSBOW uses Secure

Sockets Layer (SSL) to connect to the outgoing SMTP server.

Max Attachment Size Synopsis: An integer between 1 and 100

(MB)
The maximum file size in megabytes of an Email attachment
that RUGGEDCOM CROSSBOW will send to a user.

For example:
Address: smtp.gmail.com
Port: 25
Username: ruggedsol
Password: {password}
Authentication Method: Username/Password
SSL Connection: enabled
Max Attachment Size (MB): 5

7. Test the connection to the SMTP server by typing an e-mail address in the
Enter the Email Address box, and then click Test. If the test was successful, a
confirmation message appears and an e-mail is sent to the recipient. Click OK to
close the dialog box and continue.
Otherwise, if an Exception Message dialog box appears, the connection was
unsuccessful. Review the message(s) and modify the settings as required.

Note
Some email servers support security standards which can block email
notifications from RUGGEDCOM CROSSBOW. Refer to the email server
documentation for details about allowing less secure apps and/or resetting
CAPTCHA authentication. Once configured, repeat the test to ensure a successful
connection.

8. Click OK to save changes.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 105
Setup and Configuration
3.10.2 Enabling/Disabling E-Mail Logs

9. Start the RUGGEDCOM CROSSBOW Main Server service. For more

information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.10.2 Enabling/Disabling E-Mail Logs

The CrossBow Event Log Distribution Service can be configured to e-mail users, user
groups or specific e-mail addresses when certain events are recorded. The event
must match the criteria specified by an administrator, such as when a user's account
is locked after too many failed login attempts.
This service is highly useful for maintaining security and troubleshooting
RUGGEDCOM CROSSBOW.
To enable or disable the logging of outgoing e-mails for a SAM-P, do the following:
1. Launch RUGGEDCOM CROSSBOW Server.
2. Under CrossBow Event Log Distribution Service, click Configure. The
CrossBow Log Distribution Service Configuration dialog box appears.
3. Click the Email Notifications tab. The Email Notifications screen appears.

1 3

1 Enable Email Target Check Box

2 OK Button
3 Cancel Button
Figure 3.37 Email Notifications Screen

4. Select Enable Email Target to enable logging, or clear the check box to disable
logging.
5. Click OK to save changes.

106 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.11 Managing the RUGGEDCOM CROSSBOW Database

3.11 Managing the RUGGEDCOM CROSSBOW Database

The RUGGEDCOM CROSSBOW database contains a variety of information, including
device and user information, activity logs, scripts, files, queries, etc.
The database has a storage capacity of 10GB. More space may be required,
depending on the size of data being stored (i.e. attachments, faults, etc.). For
information about upgrading the RUGGEDCOM CROSSBOW database, refer to
"Upgrading the RUGGEDCOM CROSSBOW Database" (Page 24).

3.11.1 Determining the Current Database Version

To determine the current version of the RUGGEDCOM CROSSBOW database, do the
following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Database, click Configure. The CrossBow Database
Configuration dialog box appears.

1 Test Button
2 OK Button
3 Cancel Button
4 Current Version Box

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 107
Setup and Configuration
3.11.2 Determining the Current Database Type

5 Latest Version Box

Figure 3.38 CrossBow Database Configuration Dialog Box

4. Click Test. Under Database Version, the current database version is displayed in
the Current Version box.
5. Click OK.

NOTICE
If the database version is different from the version displayed in the Latest Version
box, the server will not start. Consider upgrading the RUGGEDCOM CROSSBOW
database. For more information, refer to "Upgrading the RUGGEDCOM CROSSBOW
Database" (Page 24).

3.11.2 Determining the Current Database Type

The detected database type must match the expected database type, i.e. SAM-P,
SAM-L or SAC. The expected database type is determined by the server to which the
user is connected.
To determine the current RUGGEDCOM CROSSBOW database type, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Database, click Configure. The CrossBow Database
Configuration dialog box appears.

108 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.11.3 Determining the Connection Status

1 Test Button
2 OK Button
3 Cancel Button
4 Expected Type Box
5 Detected Type Box
Figure 3.39 CrossBow Database Configuration Dialog Box

4. Click Test. Under Database Type, the current database type is displayed in the
Detected Type box.
5. Click OK.

NOTICE
If the detected database type is different from the type displayed in the Expected
Type box, the server will not start. To connect to a different RUGGEDCOM
CROSSBOW database, refer to "Connecting to the RUGGEDCOM CROSSBOW
Database" (Page 33).

3.11.3 Determining the Connection Status

To determine the status of the connection to the RUGGEDCOM CROSSBOW database,
do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 109
Setup and Configuration
3.11.4 Managing Database Growth

2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Database, click Configure. The CrossBow Database
Configuration dialog box appears.

1 Test Button
2 OK Button
3 Cancel Button
4 Connection Status Box
Figure 3.40 CrossBow Database Configuration Dialog Box

4. Click Test. Under Connection Information, the connection status is displayed in

the Connection Status box.
5. Click OK.

3.11.4 Managing Database Growth

RUGGEDCOM CROSSBOW allows users to manage database growth by removing
records that are beyond a specified age.
To manage the RUGGEDCOM CROSSBOW database growth, do the following:

Note
It is recommended to back up the RUGGEDCOM CROSSBOW database prior to
enabling this feature.

110 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.11.4 Managing Database Growth

Note
There may be a performance impact the first time the RUGGEDCOM CROSSBOW
server is started after this feature is enabled, as the server will be removing all of
the now-expired data. This will be a one-time impact. Once the initial processing is
complete, the on-going clean-up effort will not impact normal system performance.

1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM

CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Database tab. The Database screen appears.

10 7

11 8

12 9

1 OK Button
2 Cancel Button
3 Clear Older Records (Alerts/Events/Audits) List
4 Clear Older Files (Fault/Config/Firmware/Bulk/Report) List
5 Clear Older SOE Records List
6 Clear Older Password History Records List
7 Clear OlderScheduler Entries Records List
8 Configuration File Max Versions List
9 Enable Daily Clean Up Start Time Check Box
10 Daily Clean Up Start Time (hh:mm) Box
11 Perform Clean Up at System Start (optional) Box
12 Schedule Activity Repeat Limit (5-100) Box
Figure 3.41 Database Screen

5. Under Database Growth Management, configure the following parameters:

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 111
Setup and Configuration
3.11.4 Managing Database Growth

Parameter Description

Clear Older Records Synopsis: 1 to 5 or { None }

(Alerts/Events/Audits)
Default: None

The time frame in years to clear alerts, events and audits. When
configured, records older than the specified time frame days
are cleared. Selecting None disables the service.

Clear Older Synopsis: 1 to 5 or { None }

Files (Fault/Con
Default: None
fig/Firmware/Bulk/Re
port) The time frame in years to clear Fault, Config, Firmware, Bulk,
and Report files. When configured, records older than the
specified time frame days are cleared. Selecting None disables
the service.

Clear Older SOE Synopsis: 1 to 5 or { None }

Records List
Default: None

The time frame in years to clear SOE records. When configured,

records older than the specified time frame days are cleared.
Selecting None disables the service.

Clear Older Password Synopsis: 1 to 5 or { None }

History Records List
Default: None

The time frame in years to clear history records. When

configured, records older than the specified time frame days
are cleared. Selecting None disables the service.

Clear OlderScheduler Synopsis: An integer between 1 and 26

Entries Records List
The time frame in weeks to clear OlderScheduler Entries
records. When configured, records older than the specified time
frame days are cleared.

Configuration File Max Synopsis: 2 to 20 or { None }

Versions List
Default: None

The maximum number of non-approved configuration files

allowed to be stored. Selecting None disables the service.

Enable Daily Clean Up Synopsis: [ True | False ]

Start Time
Default: False

Enables/disables scheduled daily maintenance activities.

When disabled, daily maintenance tasks are performed 60
seconds after startup, and then every 24 hours thereafter.
When enabled, daily maintenance tasks are performed as
configured.

Daily Clean Up Start Default: 00:00

Time (hh:mm)
The time of day in hrs:minutes to start the daily maintenance.

112 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.12 Sharing Device Information With an External Database

Parameter Description

Perform Clean Up at Synopsis: [ True | False ]

System Start (option
Default: False
al)
When selected, RUGGEDCOM CROSSBOW performs the daily
maintenance at system start, and the subsequent daily clean up
is performed at the configured time.

Schedule Activity Re Synopsis: 5 to 100 or { None }

peat Limit (5-100)
Default: 25

The maximum number of execution occurrences stored for

each scheduled activity.

6. Click OK to save changes.

7. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.12 Sharing Device Information With an External Database

Using the CrossBow External Database Integration Service, RUGGEDCOM CROSSBOW
can share device/gateway information with a secondary, external SQL database.
During operation, RUGGEDCOM CROSSBOW polls the external database at user-
specified intervals for new devices and gateways. If the external database lists a
device/gateway that does not already exist in the main RUGGEDCOM CROSSBOW
database, RUGGEDCOM CROSSBOW adds it automatically.
Additionally, systems and users external to RUGGEDCOM CROSSBOW can trigger
CAMs targeted by Region, Facility, or Custom Field, or individually by adding records
manually using SQL queries.
RUGGEDCOM CROSSBOW also maintains a list of device and gateway passwords
in the external database. If one or more passwords have changed in the main
RUGGEDCOM CROSSBOW database between polling cycles, RUGGEDCOM CROSSBOW
replaces the associated table in the external database with the updated information.

NOTICE
Security hazard – risk of unauthorized access and/or exploitation
Passwords copied to an external database are stored as cleartext, even if the main
RUGGEDCOM CROSSBOW database is encrypted. Make sure access to the external
database is only granted to trusted personnel.

Note
The CrossBow External Database Integration Service is separately licensed from
RUGGEDCOM CROSSBOW. Contact Siemens Sales for more information about adding
this feature.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 113
Setup and Configuration
3.12.1 External Database Requirements

3.12.1 External Database Requirements

RUGGEDCOM CROSSBOW allows some information to be shared with an external
database. After its creation, the RUGGEDCOM CROSSBOW external database will
contain the following tables and parameters:

Note
For compatibility, the external database is created automatically using the
Crossbow_Ext_DB_Int_Svc_db_create.sql SQL script.
When upgrading from an earlier version of RUGGEDCOM CROSSBOW with an
external database installed, the existing external database can be migrated to the
new external database. For more information, refer to "Migrating from an Existing
External Database" (Page 116).
For information about how to run this script, refer to "Executing SQL
Scripts" (Page 23).

Required Table Purpose Parameters

AgentHeartBeat This table is associated with the Timestamp
ADM(s). When ADM agents are
configured and operational, they
update a heart beat table in the EDIS
to show their continued existence. If
they fail to report within the configured
number of minutes an alert will be
raised to indicate that the ADM is
offline.
CAMTriggerRecords This table allows systems and users CreatedTime
external to RUGGEDCOM CROSSBOW TargetType
to trigger CAMs by Region, Facility,
or Custom Field by adding records TargetValue
manually via SQL query. TriggerConfigCompareCAM
TriggerDataCAM
TriggerFirmwareVersionCAM
TriggerConnectivityCAM
TriggerTimeCompareCAM
CustomFields This table contains custom field data as Custom fields as defined in
defined in the CustomFields table of the RUGGEDCOM CROSSBOW
the RUGGEDCOM CROSSBOW database. database.
The data is synced during each EDIS
polling interval.
For more information about custom
fields, refer to "Managing Custom
Fields" (Page 156).
Regions This table contains regions data as Regions as defined in the
defined in the Regions table of the RUGGEDCOM CROSSBOW
RUGGEDCOM CROSSBOW database. The database.
data is synced during each EDIS polling
interval.
DevicesForCrossBow Use this table to define the network- RecordId
based devices/gateways that are to DeviceId
be imported into the RUGGEDCOM

114 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.12.1 External Database Requirements

Required Table Purpose Parameters

CROSSBOW database. Each time IPAddress
RUGGEDCOM CROSSBOW polls the ParentDeviceID
External Database Integration Service
(EDIS) database, it will import any new FacilityName
or modified device/gateways listed in DeviceName
this table and change their status to
added or updated. DeviceTypeName
DeviceGroupNames
Note
TriggerConfigCompareCAM
If the RUGGEDCOM CROSSBOW External
TriggerConnectivityCAM
Database Integration Service is unable
to add a device/gateway to the main TriggerDataCAM
RUGGEDCOM CROSSBOW database – TriggerFirmwareVersionCAM
perhaps because of a violation of data
validation rule – an error message is TriggerTimeCompareCAM
added to the Result parameter in the BesCyberSystemName
form of:
Status
Error: {message} Description
Review the error message and correct ParentGatewayPort
the table entry as needed. NetworkPorts
MACAddress
Note
FirstDetectionTime
For better system performance,
consider using the CAMTriggerRecords LastDetectionTime
tables with a defined scope (e.g. IPTrafficType
region) when triggering CAMs for large
ADMAgentId
batches of data.
Result
SerialNumber
Custom1
Custom2
Custom3
Custom4
Custom5
Custom6
Custom7
Custom8
Custom9
Custom10
PhoneNumber
PopupText
Critical
DeviceEssential
DialUpAccessible
UsesRoutableProtocol
ExtendedRoutable
ProxyPort
Network

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 115
Setup and Configuration
3.12.2 Migrating from an Existing External Database

Required Table Purpose Parameters

PreSharedKey
DeviceFilesExportEnabled
SpecialParameters
DevicesFromCrossBow This table is managed by the DeviceID
RUGGEDCOM CROSSBOW External IPAddress
Database Integration Service. It details
the current devices/gateways and ParentDeviceID
their settings in the RUGGEDCOM FacilityName
CROSSBOW database at the time of the
last polling interval. DeviceName
DeviceTypeName
Status
Description
ParentGatewayPort
MACAddress
DeviceCredentialsFrom This table is managed by the DeviceId
CrossBow RUGGEDCOM CROSSBOW External LoginDisplayName
Database Integration Service. It lists the
passwords configured for each device/ LoginReferenceName
gateway at the time of the last polling UserName
interval.
SupportsUserName
Password
SupportsPassword
DevicePasswordsForCrossBow This table is managed by the FacilityName
RUGGEDCOM CROSSBOW External DeviceName
Database Integration Service. It lists the
passwords configured for each facility/ LoginDisplayName
device at the time of the last polling UserName
interval.
Password
Result
ActivityLogFromCrossBow This table is managed by the RecordId
RUGGEDCOM CROSSBOW External Timestamp
Database Integration Service. It stores
notable messages (e.g. sync start, sync Message
end, errors, etc.).
DbVersion This table defines the schema version DatabaseVersion
of the database. An error will occur
if the schema version defined does
not match the value expected by the
RUGGEDCOM CROSSBOW External
Database Integration Service.

3.12.2 Migrating from an Existing External Database

When upgrading from an earlier version of RUGGEDCOM CROSSBOW to v5.4, an
existing external database can be migrated to the new database.

116 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.12.3 Configuring the RUGGEDCOM CROSSBOW External Database Integration Service

To migrate the existing external database to a newer version, do the following:

1. Stop all services on the RUGGEDCOM CROSSBOW Server. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
2. Make sure the database is decrypted. For more information, refer to "Encrypting/
Decrypting the CROSSBOW Database" (Page 52).
3. On the RUGGEDCOM CROSSBOW Server, extract the contents of the
SQLScripts.zip to RUGGEDCOM CROSSBOW install directory (e.g. C:
\ProgramFiles\RuggedCom\CrossBow).

Note
An available obsolescence script checks the RUGGEDCOM CROSSBOW database
for the presence of older device types. It is recommended to run this script and
provide the results to Siemens to ensure active device types are supported.

4. [Optional] Execute the script Crossbow_db_obsolecence_check.sql.

5. Execute the following script:
SQL Script Description
Crossbow_Ext_db_{current}_{new}_migrate.sql This script (referred to as a migration script)
upgrades the external database to the next
version. To help determine which script is
applicable to the current database version,
each migration script is named as follows:

Crossbow_Ext_db_{curren
t}_{new}_migrate.sql

Where:
• current is the version number for the
current external database
• new is the version number of the
external database after the update

Note
For information about how to execute scripts, refer to "Executing SQL
Scripts" (Page 23).

3.12.3 Configuring the RUGGEDCOM CROSSBOW External Database Integration

Service
To configure the RUGGEDCOM CROSSBOW External Database Integration Service, do
the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 117
Setup and Configuration
3.12.3 Configuring the RUGGEDCOM CROSSBOW External Database Integration Service

2. Make sure the RUGGEDCOM CROSSBOW External Database Integration Service

is stopped. For more information, refer to "Starting/Stopping RUGGEDCOM
CROSSBOW Server Services" (Page 50).
3. Under CrossBow External Database Integration Service, click Configure. The
CrossBow External Database Integration Service Configuration dialog box
appears.

1 18

19
2 3

4
5

6
7

9
10

11 12

13

14
15

17
16

1 Run Every Box

2 Enable External Device Key Check Box
3 Export Device Information Box
4 External Key Box
5 Enable Device Approved Firmware Version Import Check Box
6 Firmware Override Box
7 Enable Device data sync from CrossBow Box
8 Database Name Box
9 SQL Server Box
10 Use Windows Authentication Option
11 Use Database Authentication Option
12 SQL User Name Box
13 SQL Password Box
14 Test EDI Service Credentials Button
15 Test Result Box

118 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.12.3 Configuring the RUGGEDCOM CROSSBOW External Database Integration Service

16 Database Version Box

17 Required Version Box
18 OK Button
19 Cancel Button
Figure 3.42 CrossBow External Database Integration Service Configuration Dialog Box

4. Under General Settings, in the Run Every box, type or select the polling
interval. The value is in hours. A value of zero (0) disables the service.
5. [Optional] Click the Enable External Device Key check box to allow the use of
external keys. Select the defined custom field that will hold the external device
key.
6. [Optional] Click the Enable Device Approved Firmware Version Import check
box to allow the EDIS to import the approved firmware version for the device.
Select the firmware version from the drop down menu.
7. [Optional] Click the Enable Device data sync from CrossBow check box to
push data from the RUGGEDCOM CROSSBOW database to pre-populate tables
in the EDIS database. This makes it easier for third parties to use the EDIS to
trigger CAM operations on specific devices or groups of devices using the
DevicedForCrossBow and CAMTriggerRecords tables. Enabling this feature will
keep the RUGGEDCOM CROSSBOW and EDIS databases in sync over time.

NOTICE
Before enabling device data syncing, make sure to review your device
configurations. Data synced from RUGGEDCOM CROSSBOW to the
DevicesForCrossBow table will include any missing configurations, such as
child devices without parent gateway ports, or devices without all of their
interfaces assigned to device groups. In these cases an error will be generated
during record processing.

For more information, refer to "External Database Requirements" (Page 114).

8. In the Database Name box, type the name of the external database as defined
in SQL Server Management Studio.
9. Under External Database Integration Service Credentials, in the SQL Server
box, type the name of the SQL server (case sensitive).
• To connect to the default instance of SQL server on a given workstation,
type the name of the workstation (e.g. CROSSBOW)
• To connect to a specific named instance of SQL server on a given
workstation, type the name of the workstation and instance (e.g.
CROSSBOW\SQLEXPRESS).
• To connect to the SQL server using a specific port, type the name of the
workstation, followed by the port number (i.e. CROSSBOW,1444).
10. Select either Use Windows Authentication or Use Database Authentication.
EDIS credentials are used by the EDIS service on the server machine only, and
are used to import devices and then output all devices and device credentials in
the system. This account needs full access permissions to the EDIS database in

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 119
Setup and Configuration
3.12.4 Configuring the RUGGEDCOM CROSSBOW Asset Discovery Management Agent

order to read and write to all tables, including the table storing the output of the
device credentials.
ADM credentials are used by any of the remote ADM Agent devices in the
field. These credentials are used to read/write to the DevicesFor CrossBow and
AgentHeartBeat tables only. Access to all other tables in the database should be
removed.

NOTICE
For added security, make sure the credentials used by the ADM to log into
the EDIS database are different from the credentials used by the EDIS on the
RUGGEDCOM CROSSBOW server.
For information about sharing device information, refer to "Sharing Device
Information With an External Database" (Page 113).
For information about configuring ADM credentials, refer to the "RUGGEDCOM
CROSSBOW Client Configuration Manual".

11. If Use Database Authentication is selected, in the SQL User box, type the name
of the user account to use to log into the SQL server.
12. If Use Database Authentication is selected, in the SQL Password box, type the
password for the user account used to log into the SQL server.
13. Click Test EDI Service Credentials. The status of the connection is displayed in
the Connection Status box.
14. If the test is successful, click OK to save changes.
15. Start the RUGGEDCOM CROSSBOW External Database Integration Service. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.12.4 Configuring the RUGGEDCOM CROSSBOW Asset Discovery Management

Agent
To configure the RUGGEDCOM CROSSBOW ADM, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW External Database Integration Service
is stopped. For more information, refer to "Starting/Stopping RUGGEDCOM
CROSSBOW Server Services" (Page 50).
3. Under CrossBow External Database Integration Service, click Configure. The
CrossBow External Database Integration Service Configuration dialog box
appears.

120 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.12.4 Configuring the RUGGEDCOM CROSSBOW Asset Discovery Management Agent

1 13

14
2

3
4

10
11
12

1 Run Every Box

2 Enable External Device Key Check Box
3 External Key Box
4 Enable Device Approved Firmware Version Import Check Box
5 Database Name Box
6 SQL Server Box
7 SQL User Name Box
8 SQL Password Box
9 Remote Access Port Options
10 Test ADM Agent Credentials Button
11 Test Result Box
12 OK Button
13 Cancel Button
Figure 3.43 CrossBow External Database Integration Service Configuration Dialog Box

4. Under General Settings, in the Run Every box, type or select the polling
interval. The value is in hours. A value of zero (0) disables the service.
5. In the Database Name box, type the name of the external database as defined
in SQL Server Management Studio.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 121
Setup and Configuration
3.12.4 Configuring the RUGGEDCOM CROSSBOW Asset Discovery Management Agent

NOTICE
Parameters configured under Asset Discovery & Management Credentials
are required for the ADM to work properly. These parameters are pushed to the
ADM agent and will be used by that agent to access the database.

6. Under Asset Discovery & Management Credentials, in the SQL Server box,
type the name of the SQL server (case sensitive).

Note
When a host name is specified, a Domain Name Server (DNS) or host entry must
be present for the ADM. Otherwise, an IP address must be provided.

• To connect to the default instance of SQL server on a given workstation,

type the name of the workstation (e.g. CROSSBOW).
• To connect to a specific named instance of SQL server on a given
workstation, type the name of the workstation and instance (e.g.
CROSSBOW\SQLEXPRESS).

NOTICE
For added security, make sure the credentials used by the ADM to log into
the EDIS database are different from the credentials used by the EDIS on the
RUGGEDCOM CROSSBOW server. The ADM should be limited to only have
access to the DevicesForCrossbow table.
For information about sharing device information, refer to "Sharing Device
Information With an External Database" (Page 113).
For information about configuring the EDIS, refer to "Configuring the
RUGGEDCOM CROSSBOW External Database Integration Service" (Page 117).

7. In the SQL User Name box, type the SQL user name.
8. In the SQL Password box, type the SQL password.
9. In the Remote Access Port option field, use the arrows to select the remote
access port.
10. Click Test ADM Agent Credentials. The status of the connection is displayed in
the Test Result box.
11. If the test is successful, click OK to save changes.
12. Start the RUGGEDCOM CROSSBOW External Database Integration Service. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

122 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.12.5 Using the External Database to Add Devices/Gateways

3.12.5 Using the External Database to Add Devices/Gateways

To add devices/gateways to the main RUGGEDCOM CROSSBOW database via an
external database, create a new entry in the DevicesForCrossBow table and define
the following parameters:
Parameter Description

DeviceId Synopsis: An integer

The ID for the device/gateway. Zero (0) represents a new device/

gateway. A non-zero value represents a device/gateway that has
updated information.

IPAddress Synopsis: A string between 0 and 32 characters long

The IP address of the device/gateway.

ParendDeviceId Synopsis: An integer

Must be 0 (i.e. no parent), or a valid Deviceid in the same facility.

FacilityName Synopsis: A string between 1 and 40 characters long

The name of the parent facility. The name must match a facility
already defined in the RUGGEDCOM CROSSBOW database.

DeviceName Synopsis: A string between 1 and 60 characters long

The name of the device/gateway. The name must not match a

device/gateway that already exists under the same facility in the
RUGGEDCOM CROSSBOW database.

Note
Device names containing unsupported characters will not be added
to RUGGEDCOM CROSSBOW.
The following characters, including a blank space, are supported:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
0123456789_!@#&+$^[]-.`~%*()=\{}:""<>?/
ŠŒŽšœžŸÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝ
Þßàáâãäåæçèéêëìíîïðñòóôõöøùúûüýþÿ

DeviceTypeName Synopsis: A string between 1 and 40 characters long

The name of the associated device type. The name must match
a device type already defined in the RUGGEDCOM CROSSBOW
database.

Status Synopsis: [ In Service | Out Of Service | Discovered ]

The status of the device/gateway.

Description Synopsis: A string between 0 and 256 characters long

The description of the device/gateway.

ParentGatewayPort Synopsis: A string between 0 and 40 characters long

Must match a port name on the parent device if the ParentDeviceId

is non-zero.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 123
Setup and Configuration
3.12.6 Importing Devices/Gateways Using the Nozomi Service

Parameter Description

MACAddress Synopsis: A string between 0 and 32 characters long

The MAC address of the device/gateway.

FirstDetectionTime Synopsis: Timestamp

The time the device was first detected on the network (optional,
may be blank). This parameter does not apply to serial devices.

LastDetectionTime Synopsis: Timestamp

The most recent time the device was detected on the network
(optional, may be blank). This parameter does not apply to serial
devices.

IPTrafficType Synopsis: A string between 0 and 250 characters long

The customer-desired networking details. These will be blindly

imported into RUGGEDCOM CROSSBOW. This parameter does not
apply to serial devices.

If the device/gateway does not already exist in the main RUGGEDCOM CROSSBOW
database, RUGGEDCOM CROSSBOW adds it automatically during the next polling
interval. The value of the Result parameter for the device/gateway in the external
database is also changed to either Added or Updated.

Note
If the RUGGEDCOM CROSSBOW External Database Integration Service is unable to
add a device/gateway to the main RUGGEDCOM CROSSBOW database – perhaps
because it exists already in the main database – an error message is added to the
Result parameter in the form of:
Error: {message}

Review the error message and correct the table entry as needed.

3.12.6 Importing Devices/Gateways Using the Nozomi Service

The Nozomi service is used to automatically discover and add new devices to the
RUGGEDCOM CROSSBOW database.
During operation, RUGGEDCOM CROSSBOW polls any Nozomi Guardians in the
network for assets according to the GuardianTimerDelay advanced parameter,
which specifies the polling interval. If the external database lists a device/gateway
that does not already exist in the main RUGGEDCOM CROSSBOW database, it is
automatically added.

NOTICE
A separate license is required for the Nozomi service. For information about
obtaining a license, contact Siemens Customer Support.

124 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.13 Managing the RUGGEDCOM CROSSBOW File Export Service

NOTICE
The External Database Integration Service (EDIS) must be licensed and running in
order for assets from the Guardian to be imported into RUGGEDCOM CROSSBOW.
For more information about the EDIS, refer to "Sharing Device Information With an
External Database" (Page 113).

The sequence is as follows:

• The Nozomi service runs on the SAM-P at an interval defined in the the
GuardianTimerDelay advanced parameter.
For more information about available advanced parameters, refer to the
"RUGGEDCOM CROSSBOW Client Configuration Manual".
For more information about configuring advanced parameters, refer to
"Configuring Global Advanced Parameters" (Page 169).
• The Nozomi service polls each Guardian in sequence to return a list of assets.
The service retrieves each asset's name, IP address, MAC Address, VLAN, serial
number, firmware version, product name, vendor, and type.

NOTICE
The unique device identifier is the MAC address. If an asset has either multiple
MAC addresses or no MAC address, the Nozomi service will ignore the asset and
it will not be added to the EDIS database.

NOTICE
When a server cluster is in use, each server processes the Guardians
independently of each other to avoid duplication and minimize the load on each
server.

• Assets matching the filter defined from device special parameters are added to
the EDIS database.
For more information about configuring Nozomi Guardians, refer to the
"RUGGEDCOM CROSSBOW Client Configuration Manual"
• When the EDIS service runs, the new assets are added to RUGGEDCOM
CROSSBOW as Generic IED - Network device types.
The device properties can then be updated in RUGGEDCOM CROSSBOW as
needed.

3.13 Managing the RUGGEDCOM CROSSBOW File Export Service

The RUGGEDCOM CROSSBOW file export service can be configured to transmit files
retrieved by the Configuration Compare CAM and Data CAM to a target FTP or SFTP
server.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 125
Setup and Configuration
3.13.1 Understanding the RUGGEDCOM CROSSBOW File Export Service

The RUGGEDCOM CROSSBOW file export service requires a license to function.

For information about acquiring a license, contact your Siemens Regional Sales
Representative.

3.13.1 Understanding the RUGGEDCOM CROSSBOW File Export Service

The RUGGEDCOM CROSSBOW file export service can be configured to transmit files
retrieved by the Configuration Compare CAM and Data CAM to a target FTP or SFTP
server. Users can configure the polling interval (how often the service checks for new
files), batch size (to limit the number of files being transferred) and target location of
the transmitted files.
A set of configurable and static parameters is available to specify the file naming
structure, target directory and subdirectories, if desired.

File Export Parameters

Note
COMTRADE components (i.e. .cfg, .dat, .hdr extensions) are extracted from ZIP files
and exported individually. ZIP files not containing COMTRADE files are exported
intact.

The following parameters are used to configure the exported file name and to define
the directory structure:
Parameter Description
regionname The name of the immediate parent region of the device, as listed in
the RUGGEDCOM CROSSBOW database
facilityname The name of the facility, as listed in the RUGGEDCOM CROSSBOW
database
devicename The name of the device, as listed in the Device Properties dialog
box
date The date the file was retrieved from the IED by the CAM operation,
in format yyyyMMdd (e.g. 20190820).
For oscillography files containing a .cfg or .dat extension, this
reperesents the event timestamp from within the COMTRADE
file when the Use COMTRADE Event Time check box is selected.
For more information, refer to "Configuring the RUGGEDCOM
CROSSBOW File Export Service" (Page 128).
time The time the file was retrieved from the IED by the CAM operation,
in format HHmmssffffff (e.g. 152543984000).
For oscillography files containing a .cfg or .dat extension, this
reperesents the event timestamp from within the COMTRADE
file when the Use COMTRADE Event Time check box is selected.
For more information, refer to "Configuring the RUGGEDCOM
CROSSBOW File Export Service" (Page 128).
customfieldname The value of the specified custom field for the specified device (e.g.
<Voltage>, <Busbar>, etc.). Multiple comma-separated entries are
permitted.

126 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.13.1 Understanding the RUGGEDCOM CROSSBOW File Export Service

Parameter Description
filename The name of the file as stored in the RUGGEDCOM CROSSBOW
database
version The version number of the file as stored in the RUGGEDCOM
CROSSBOW database
devicedescription The description of the device as listed in the Device Properties
dialog box

File Directory Structure

RUGGEDCOM CROSSBOW transfers the files to the directory specified in the
CrossBow File Export Service Configuration dialog box.

Note
If the file directories do not exist on the target server, the directories are created
using the specified settings.

The root directory is as specified in the CrossBow File Export Service Configuration
dialog box, with any <parameters> replaced with corresponding values from the
database.
For example, if the following is specified for the Customer1 directory:
\Customer1\<facilityname>\<voltage>\<devicename>

A sample output would be:

\Customer1\Substation1\240V\SEL-2020_Serial_123

Files are categorized inside the directory based on their type. For example, a settings
file would be placed in:
\Customer1\Substation1\240V\SEL-2020_Serial_123\Settings

If a file is of an unknown type (i.e. does not map to settings, events, oscillography or
faults), then it is placed in the main directory.
For more information about configuring the directory structure, refer to "Configuring
the RUGGEDCOM CROSSBOW File Export Service" (Page 128).

File Naming Structure

The file name is as specified in the CrossBow File Export Service Configuration
dialog box, with any <parameters> replaced with corresponding values from the
database.

Note
The date and time are generated based on when RUGGEDCOM CROSSBOW retrieves
the file from the IED.

For example, if the following file name is specified:

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 127
Setup and Configuration
3.13.2 Configuring the RUGGEDCOM CROSSBOW File Export Service

<date>_<time>--<voltage>,<devicename>+<version>

A sample output would be:

20180412_132219123456--240v,SEL-2020_Serial_123+15.cfg

File extensions are not configurable, as they match the extension of the file in the
database.
If the generated file name already exists in the target directory, a counter is
appended to the filename (before the extension) to make the file name unique. For
example, if a file already exists, the following files might be created:
• 20180412_132219123456--240v,SEL-2020_Serial_123+15.cfg_1
• 20180412_132219123456--240v,SEL-2020_Serial_123+15.cfg_2
• 20180412_132219123456--240v,SEL-2020_Serial_123+15.cfg_3
• 20180412_132219123456--240v,SEL-2020_Serial_123+15.cfg_4
For more information about configuring the file name, refer to "Configuring the
RUGGEDCOM CROSSBOW File Export Service" (Page 128).

3.13.2 Configuring the RUGGEDCOM CROSSBOW File Export Service

To configure the RUGGEDCOM CROSSBOW File Export Service, do the following:

Note
If multiple File Export Service instances are running in a server cluster, make sure to
restart each instance following any configuration changes to a single instance.

Note
For information about enabling or disabling the file export service for a specific
device or gateway, refer to the "RUGGEDCOM CROSSBOW Client Configuration
Manual".

1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM

CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW File Export Service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow File Export Service, click Configure. The CrossBow File
Export Service Configuration dialog box appears.

128 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.13.2 Configuring the RUGGEDCOM CROSSBOW File Export Service

2
3
4
5
6
7
8
9
11
13
10 15
11

12 16
17
14
18
19
20

21
22
23
24
25
26
27
28

1 Polling Interval (sec) Options

2 OK Button
3 Cancel Button
4 Batch Size Options
5 Exported File Name Format Box
6 Events File Types Box
7 Reports File Types Box
8 Oscillography File Types Box
9 Settings File Types Box
10 Use COMTRADE Event Check Box
11 Use COMTRADE Event Time Options
12 Use Custom Date Format Check Box
13 Use Custom Date Format Box
14 Use Custom Time Format Check Box
15 Use Custom Time Format Box
16 Root Directory Box
17 Settings Sub-Directory Box
18 Events Sub-Directory Box
19 Oscillography Sub-Directory Box
20 Reports Sub-Directory Box
21 File Transfer Protocol Options

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 129
Setup and Configuration
3.13.2 Configuring the RUGGEDCOM CROSSBOW File Export Service

22 SSH Algorithm Setting Button

23 Remote Host IP Address Box
24 Port Number Box
25 Username Box
26 Password Box
27 SSH Fingerprint Handling Options
28 SSH Fingerprint Value Box
Figure 3.44 CrossBow File Export Service Configuration Dialog Box

4. Under General Settings, in the Polling Interval (sec) options box, type or select
the polling interval. The value is in seconds. A value of zero (0) disables the
service.
5. In the Batch Size options box, type or select the desired number of files to be
transferred per polling interval.
6. In the Exported File Name Format box, type the desired file name format.
For more information about allowable parameters, refer to "File Export
Parameters" (Page 126).
7. Under Directory Structure, in the Root Directory box, type the desired root
directory name (i.e. the full path to the target directory). For more information
about allowable parameters, refer to "File Export Parameters" (Page 126).
8. In the Settings Sub-Directory box, type the desired sub-directory name for
delivery of settings files.
9. In the Events Sub-Directory box, type the desired sub-directory name for
delivery of events files.
10. In the Oscillography Sub-Directory box, type the desired sub-directory name
for delivery of oscillography files.
11. In the Reports Sub-Directory box, type the desired sub-directory name for
delivery of report files.
12. [Optional] Map file types to sub-directories as desired. Files will be saved to the
specified folder based on the file extension entered. Any unidentified file types
will be saved to the root directory.

Note
Files containing a .cfg extension are automatically mapped to the applicable
sub-directory: Event file types are mapped to the Oscillography sub-directory,
configuration type files are mapped to the Settings directory, and all other types
are mapped to the root directory.

Note
A file extension can only be mapped to one sub-directory.

• In the Events File Types box, type the desired file extension(s) to map files
to the Events sub-directory configured in step 9 (Page 130).
• In the Reports File Types box, type the desired file extension(s) to map files
to the Reports sub-directory configured in step 11 (Page 130).

130 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.13.2 Configuring the RUGGEDCOM CROSSBOW File Export Service

• In the Oscillography File Types box, type the desired file extension(s)
to map files to the Oscillography sub-directory configured in step
10 (Page 130).
• In the Settings File Types box, type the desired file extension(s) to map files
to the Settings sub-directory configured in step 8 (Page 130).

Note
The COMTRADE Event Timestamp will only be applied when the COMTRADE files
are packaged as a ZIP file.

13. [Optional] Select the Use COMTRADE Event Time check box, and select either
Trigger Point (default) or First Data Value as the timestamp to be used. If the
check box is not selected, or if the COMTRADE file is not a ZIP file, the timestamp
of the file within RUGGEDCOM CROSSBOW will be used.
14. [Optional] Select the Use Custom Date Format check box, and configure the
desired data format. Refer to your Microsoft documentation for supported
custom date and time format strings.

Note
The following characters are not supported:
• single quote (')
• double quote (")
• forward slash (/)
• backslash (\)
• question mark (?)
• pipe (|)
• asterisk (*)

If the check box is not selected, the default date format yyyyMMdd (case
sensitive) will be used.

Note
Changes to the custom date format will also be applied to the time file export
parameter. For more information about the time parameter, refer to "File Export
Parameters" (Page 126).

15. [Optional] Select the Use Custom Time Format check box, and configure the
desired data format. Refer to your Microsoft documentation for supported
custom date and time format strings.

Note
The following characters are not supported:
• single quote (')

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 131
Setup and Configuration
3.13.2 Configuring the RUGGEDCOM CROSSBOW File Export Service

• double quote (")

• forward slash (/)
• backslash (\)
• question mark (?)
• pipe (|)
• asterisk (*)

If the check box is not selected, the default time format HHmmssffffff (case
sensitive) will be used.

Note
Changes to the custom time format will also be applied to the time file export
parameter. For more information about the time parameter, refer to "File Export
Parameters" (Page 126).

16. Under Connection Settings, in the File Transfer Protocol box, select either File
Transfer Protocol (FTP) or Secure File Transfer Protocol (SFTP).
17. [Optional] Under SSH Algorithms, click SSH Algorithm Setting to select the
SSH algorithms to be used for SFTP file transfers. The SSHAlgorithmSelection
dialog box appears.

1 Available SSH Algorithms

2 OK Button
3 Cancel Button
Figure 3.45 SSH Algorithm Selection Dialog Box

132 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.14 Managing Modems

NOTICE
The values in the list are assigned a security grade from 0 to 5. Siemens
recommends using grade 3 and above security grades. Listed values with a
security grade lower than 3 are to support older devices.
For a description of the available SSH Algorithm types, refer to the available
advanced parameters listed in the "RUGGEDCOM CROSSBOW Client
Configuration Manual".

Select SSH algorithms as appropriate, then click OK.

18. In the Remote Host IP Address box, type the IP address of the desired remote
host or Fully Qualified Domain Name (FQDN).
19. In the Port Number box, type the desired port number on the device to be used
to transfer data.
20. In the Username box, type the user name to be used when initiating file
transfers. This user must have the necessary permissions to add files to the
remote file server.
21. In the Password box, type the password associated with the chosen user name
to be used when initiating file transfers.

Note
SSH Fingerprint Handling is only available when SFTP is selected as a File
Transfer Protocol.

22. Under SSH Fingerprint Handling, select either Store new device fingerprint
on next SSH connection to add a new fingerprint to the database at the next
connection, or Verify device fingerprint against stored fingerprint to check
the stored fingerprint matches the target device fingerprint. The current stored
fingerprint value is displayed in the SSH Fingerprint Value box.
23. Click OK to save changes.

3.14 Managing Modems

This section describes how to configure and manage modems via RUGGEDCOM
CROSSBOW Server.

3.14.1 Caching Modem Connections

After a modem-connected device is disconnected, the RUGGEDCOM CROSSBOW
server caches its dial-up connection in anticipation of another connection through
the same modem. This caching removes the need to re-dial the modem.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 133
Setup and Configuration
3.14.1 Caching Modem Connections

To cache modem connections, do the following:

1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Options tab. The Options screen appears.

1 OK Button
2 Cancel Button
3 Modem Caching Timeout Box
Figure 3.46 Options Screen

5. Under Modem Caching Configuration, configure the following parameter:

134 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.14.2 Managing a Modem Pool

Parameter Description

Modem Caching Timeout Default: 0

The maximum time (in milliseconds) before the modem

connection is dropped.

6. Click OK to save changes.

7. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.14.2 Managing a Modem Pool

Individual modems can be added to a modem pool for use by RUGGEDCOM
CROSSBOW.

3.14.2.1 Adding/Configuring a Modem

To add a modem or configure an existing modem in the modem pool, do the
following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Options tab. The Options screen appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 135
Setup and Configuration
3.14.2 Managing a Modem Pool

3 5

1 OK Button
2 Cancel Button
3 Available Modem Pools
4 Add Modem Button
5 Edit Modem Button
6 Delete Modem Button
Figure 3.47 Options Screen

5. Under Modem Pool Configuration, either select an existing modem and click
Edit Modem, or click Add Modem. The Modem Configuration dialog box
appears.

136 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.14.2 Managing a Modem Pool

1 5

6
2
7
3
8

4 9

10

1 Modem Port List

2 Port Speed List
3 Data Bits List
4 Flow Control List
5 OK Button
6 Cancel Button
7 Parity List
8 Stop Bits List
9 ATZ Reset Before Init Options
10 Modem Initialization String Box
Figure 3.48 Modem Configuration Dialog Box

6. Configure the following parameters as required:

Parameter Description

Modem Port Synopsis: COM{1-255}

Default: COM1

The serial port to connect use.

Note
This parameter is only configurable when adding a modem.

Port Speed Synopsis: [ 75 | 150 | 300 | 600 | 1200 | 2400 | 4800 | 7200 |
9600 | 19200 | 38400 | 57600 | 115200 ]
Default: 9600

Parity Synopsis: [ None | Even | Odd ]

Default: None

The parity checking scheme. Options include:

• None – No parity bit is transmitted.
• Even – An extra parity bit is transmitted along with each
byte, and arranged so the total number of one bits is even.
• Odd – An extra parity bit is transmitted along with each
byte, and arranged so the total number of one bits is odd.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 137
Setup and Configuration
3.14.2 Managing a Modem Pool

Parameter Description

Data Bits Synopsis: [ 7 | 8 ]

Default: 8

The number of data bits transmitted in each byte sent or

received

Stop Bits Synopsis: [ 1 | 2 ]

Default: 1

The number of stop bits used.

Flow Control Synopsis: [ None | RTS/CTS ]

Default: None

The flow control checking scheme. Options include:

• None – No flow control is done. Data may be lost if either
side attempts to send packets faster than the serial line
permits.
• RTS/CTS – Flow control is done using the RTS and CTS wires
on the serial line.

ATZ Reset Before Init Synopsis: [ Yes | No ]

Default: Yes

When set to Yes, an ATZ reset command is sent to the modem

first before any other commands, and the modem is reset to its
factory default settings.

Modem Initialization The AT command to send to the modem.

String

7. Click OK. The dialog box closes.

8. Click OK to save changes.
9. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.14.2.2 Deleting a Modem

To delete a modem from the modem pool, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Options tab. The Options screen appears.

138 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.15 Managing a Server Cluster

3 5

1 OK Button
2 Cancel Button
3 Available Modem Pools
4 Add Modem Button
5 Edit Modem Button
6 Delete Modem Button
Figure 3.49 Options Screen

5. Under Modem Pool Configuration, select the desired modem and then click
Delete Modem.
6. Click OK to save changes.
7. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.15 Managing a Server Cluster

A server cluster is a named set of RUGGEDCOM CROSSBOW servers linked to a single
RUGGEDCOM CROSSBOW database, used to implement server redundancy.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 139
Setup and Configuration
3.15.1 Adding/Configuring a Server

When RUGGEDCOM CROSSBOW servers are configured in a High-Availability (HA)

cluster, their online status is monitored by the other servers in the cluster. If a server
becomes unresponsive or goes offline, an alert is raised and an event log is recorded.
When the server comes back online the alert is automatically cleared.
The amount of time a server is considered offline is configurable via the
ServerTimeoutOffline advanced parameter.
For more information about available advanced parameters, refer to the
"RUGGEDCOM CROSSBOW Client Configuration Manual".

3.15.1 Adding/Configuring a Server

To add a server to a server cluster or configure an existing server, do the following:

Note
When a client connects to a server cluster, RUGGEDCOM CROSSBOW Client attempts
to connect to each server in the order in which they are listed until a connection is
established.

1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM

CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.

140 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.15.1 Adding/Configuring a Server

4 6

1 OK Button
2 Cancel Button
3 Cluster Name Box
4 Available Servers
5 Add Server Button
6 Delete Server Button
Figure 3.50 CrossBow Server Configuration Dialog Box

Note
The name of the cluster appears on the client-side Most Recently Used list.

4. On the Primary Configuration tab, under Server Cluster Configuration, type or

modify the name of the server cluster in the Cluster Name box.
5. Either click Add Server to add a new row to the table or select an existing entry.
6. Configure the following table entries:
Parameter Description

Host Address The IPv4 address or host name of the server.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 141
Setup and Configuration
3.15.2 Switching Between Servers/Clusters

Parameter Description

Host Port The host port used to connect to the server.

7. Click OK.
8. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

Note
It is recommended the server cluster configuration be identical for each server
in the cluster, including addresses and ports. However, the order of the server
cluster can be different for each server if needed, as the list is refreshed each
time a user successfully logs into a server.
For example, if Server B is to act as a fallback server when Server A is down,
define Server A first in the cluster on each server.

9. Configure the other servers within the cluster.

3.15.2 Switching Between Servers/Clusters

To switch between servers and server clusters from within RUGGEDCOM CROSSBOW
Client, do the following:
1. In RUGGEDCOM CROSSBOW Client, disconnect from the RUGGEDCOM
CROSSBOW server. For more information, refer to the "RUGGEDCOM CROSSBOW
Client Configuration Manual".
2. On the toolbar, click File, point to Servers/Cluster Name, and then click the
desired server/cluster. RUGGEDCOM CROSSBOW starts to connect to the selected
server/cluster.

3.15.3 Deleting a Server

To delete a server from a server cluster, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.

142 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.16 Managing Certificates

4 6

1 OK Button
2 Cancel Button
3 Cluster Name Box
4 Available Servers
5 Add Server Button
6 Delete Server Button
Figure 3.51 CrossBow Server Configuration Dialog Box

4. On the Primary Configuration tab, under Server Cluster Configuration, select

a server and click Delete Server.
5. Click OK. The dialog box closes.
6. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.16 Managing Certificates

Communication between the RUGGEDCOM CROSSBOW server and client
workstations is protected by the use of Transport Layer Security (TLS). As such, a

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 143
Setup and Configuration
3.16.1 Selecting/Installing the RUGGEDCOM CROSSBOW Server Certificate

digital Certificate Authority (CA) certificate and identity certificate must be installed
via RUGGEDCOM CROSSBOW Server on the RUGGEDCOM CROSSBOW server to
support TLS/SSL connections.

NOTICE
It is recommended that a utility have an established Public Key Infrastructure (PKI),
including its own internal Certificate Authority (CA) from which certificates can be
issued. This certificate must include the matching private key.

The RUGGEDCOM CROSSBOW Secure Access Manager (SAM) uses TLS / SSL (X.509)
CA certificates to:
• Create a TLS/SSL tunnel between the client and the server (SAC or SAM)
• Mutually authenticate with the RUGGEDCOM CROSSBOW Station Access
Controller (SAC) or Secure Access Manager - Local (SAM-L).

NOTICE
TLS 1.3 connections between RUGGEDCOM CROSSBOW clients and servers are
enabled by default, requiring all TLS/SSL certificates be signed using a Secure Hash
Algorithm.

NOTICE
Some gateways/servers (e.g. Cooper Power Systems) require installing an additional
proprietary root CA to allow special operations in RUGGEDCOM CROSSBOW. Refer to
the manufacturer's instructions for details.

This section describes how to manage certificates on the RUGGEDCOM CROSSBOW

server(s).

3.16.1 Selecting/Installing the RUGGEDCOM CROSSBOW Server Certificate

To select and possibly install a new certificate for the RUGGEDCOM CROSSBOW
server, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.

144 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.16.1 Selecting/Installing the RUGGEDCOM CROSSBOW Server Certificate

6
5

1 OK Button
2 Cancel Button
3 Certificate Store Type List
4 Certificate Store Name Box
5 Certificate Subject Box
6 Browse Button
Figure 3.52 CrossBow Server Configuration Dialog Box

4. On the Primary Configuration tab, under Server Certificate Configuration,

click Browse. The Select Server Certificate dialog box appears.

2
1
3

1 Certificate List
2 Import Button
3 OK Button

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 145
Setup and Configuration
3.16.1 Selecting/Installing the RUGGEDCOM CROSSBOW Server Certificate

4 Cancel Button
Figure 3.53 CrossBow Server Configuration Dialog Box

5. If the desired certificate is already installed on the RUGGEDCOM CROSSBOW

server, proceed to step 12 (Page 147).
Otherwise, click Import. A confirmation dialog box appears.
6. Click Yes. A confirmation dialog box appears, as well as the Microsoft
Management Console snap-in.

Figure 3.54 Microsoft Management Console

The left pane shows two pre-loaded certificate stores: local computer and
current user.
7. Expand Certificates (Local Computer).

NOTICE
CA certificates must be added to the Trusted Root Certification Authorities
folder. All other certificates signed by the CA certificate must be placed in the
Personal folder.

8. Right-click either Personal or Trusted Root Certification Authorities, point to

All Tasks, then click Import. The Certificate Import Wizard appears.
9. Follow the on-screen instructions to import the certificate.

NOTICE
During the import process, make sure to select the Mark this key as
exportable option. This is required for TLS connections between the client and
server. If this option is not selected, connections between the client and server
cannot be made.

10. Close the Microsoft Management Console snap-in.

11. Once the certificate is imported, Click OK. The dialog box closes

146 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.16.2 Selecting a Trusted CA for the RUGGEDCOM CROSSBOW Server

12. On the Select Server Certificate dialog box, select the certificate from the list
and then click OK. The certificate name appears in the Certificate Subject box.
13. Click OK to save changes.
14. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.16.2 Selecting a Trusted CA for the RUGGEDCOM CROSSBOW Server

To validate connections, one or more mutually trusted Certificate Authorities (CAs)
must be selected for the RUGGEDCOM CROSSBOW server, as well as each client
workstation, Station Access Controller (SAC) or Secure Access Manager - Local (SAM-
L) that connects to the server.

Note
For information about trusted CAs for client workstations, refer to the "RUGGEDCOM
CROSSBOW Client Configuration Manual".

To select a trusted Certificate Authority (CA) for the RUGGEDCOM CROSSBOW server,
do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 147
Setup and Configuration
3.16.2 Selecting a Trusted CA for the RUGGEDCOM CROSSBOW Server

1 OK Button
2 Cancel Button
3 Choose Trusted Certificate Authorities Button
Figure 3.55 CrossBow Server Configuration Dialog Box

4. Click Choose Trusted Certificate Authorities. A dialog box appears.

148 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.16.3 Selecting a Trusted CA for a RUGGEDCOM CROSSBOW SAC/SAM-L

1 Available Certificate Authorities

2 Show Intermediate Certificate Authorities Button
3 OK Button
4 Cancel Button
Figure 3.56 Dialog Box

5. [Optional] Select or clear Show Intermediate Certificate Authorities to hide/

display intermediate certificate authorities.
6. Select one or more CAs from the list.
7. Click OK to save changes.
8. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.16.3 Selecting a Trusted CA for a RUGGEDCOM CROSSBOW SAC/SAM-L

To select a trusted Certificate Authority (CA) for a RUGGEDCOM CROSSBOW Station
Access Controller (SAC) or SAM-L, do the following:
1. Launch RUGGEDCOM CROSSBOW SAC or SAM-L.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 149
Setup and Configuration
3.16.3 Selecting a Trusted CA for a RUGGEDCOM CROSSBOW SAC/SAM-L

1 OK Button
2 Cancel Button
3 Choose Trusted Certificate Authorities Button
Figure 3.57 CrossBow Server Configuration Dialog Box

4. Click Choose Trusted Certificate Authorities. A dialog box appears.

150 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.17 Managing Cipher Suites

1 Available Certificate Authorities

2 Show Intermediate Certificate Authorities Check Box
3 OK Button
4 Cancel Button
5 Import Button
Figure 3.58 Dialog Box

5. [Optional] Select or clear Show Intermediate Certificate Authorities to hide/

display intermediate certificate authorities.
6. Select one or more CAs from the list, or click Import to import a certificate from
the Microsoft Management Console snap-in.
7. Click OK to save changes.
8. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.17 Managing Cipher Suites

This section describes how to manage cipher suites in the RUGGEDCOM CROSSBOW
server.

3.17.1 Understanding Cipher Suites

A cipher suite is a set of algorithms (ciphers) used to secure network connections
through the Transport Layer Security (TLS) and Secure Shell (SSH) protocols. Each
suite contains multiple ciphers that work together to provide different cryptographic
functions, such as authentication and key generation.
TLS cipher suites are used during connections between the RUGGEDCOM CROSSBOW
client and server, and between the servers themselves (e.g. between the SAM-P and
a SAM-L). SSH cipher suites are used during device connections.
When establishing a secure connection, the two communicating sides perform a
handshake, where verification messages are exchanged and the ciphers to be used
are established. If a mismatch between ciphers is detected, the handshake fails and a
message is logged showing the reason of failure.
Each cipher suite is assigned a security strength grade by Siemens. For users,
determining the required security strength depends on the application use case
based on a threat and risk analysis. Ideally, grade 5 security should be the target.
For a list of supported TLS and SSH cipher suites, along with their security grade and
default status, refer to the "RUGGEDCOM CROSSBOW Client Configuration Manual".

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 151
Setup and Configuration
3.17.1 Understanding Cipher Suites

Cipher Strength Ratings

The following table outlines each security grade and its criteria as determined by
Siemens. Problems in the criteria description relate to known potential vulnerabilities
in the application of the cipher suite, such as the use of outdated algorithms or
modes of encryption used in combination with TLS protocols.
For increased security, Siemens recommends using grade 5 ciphers wherever
possible.
Security Grade Criteria for Algorithms
5 No known problems with the algorithm suite or its application;
cipher suite provides Perfect Forward Secrecy (PFS)
4 No known problems with the algorithm suite or its application;
cipher suite does not provide Perfect Forward Secrecy (PFS)
3 At least one known problematic aspect for the cipher suite;
application not recommended
2 Two known problematic aspects known for the cipher suite;
application not recommended
1 Cipher suite application requires specific consideration and may be
used with certain boundary conditions
0 Cipher suite regarded as broken and should no longer be used

TLS Cipher/Certificate Compatibility

To negotiate a secure connection, the client and server must establish a successful
SSL/TLS handshake, where both parties validate each other and communicate
through a secure SSL/TLS tunnel.
For the SSL/TLS handshake to succeed, the cipher selected on the server must be
compatible with the certificate configured on the client. If the cipher and certificate
are incompatible, the handshake fails and an error message is generated.
The following table outlines the certificates supported by each cipher suite, along
with their corresponding TLS protocol.
TLS Cipher Suite Supported TLS Protocol
Certificate(s)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECC 1.2
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

152 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.17.2 Selecting a TLS Cipher Suite

TLS Cipher Suite Supported TLS Protocol

Certificate(s)
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 DSS/DSA 1.2
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 RSA 1.2
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 RSA or ECC 1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_AES_256_GCM_SHA384 1.3
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256

3.17.2 Selecting a TLS Cipher Suite

To select a TLS cipher suite, do the following:

NOTICE
For the server to start, at least one cipher suite must be selected for the enabled
TLS level (1.3 or 1.2) in the RUGGEDCOM CROSSBOW client. For example, if TLS
1.2 connections are enable in the client, at least one TLS 1.2 supported cipher suite
must be selected.
For information about enabling/disabling TLS 1.2 connections in the client, refer to
the "RUGGEDCOM CROSSBOW Client Configuration Manual".

NOTICE
Cipher suite selection is only available on the SAM-P.

NOTICE
For increased security, Siemens recommends using grade 5 ciphers wherever
possible.
While no ciphers below grade 4 were available at the time of release, new
vulnerabilities may be discovered over time, causing cipher grades to change. As
such, security grades will be updated with each release.
While grades 3 and lower may at some time be available for selection, they are
considered weak and should not be used unless necessary. If a security grade lower
than 4 is selected, a notification appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 153
Setup and Configuration
3.17.2 Selecting a TLS Cipher Suite

1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM

CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.

1 OK Button
2 Cancel Button
3 TLSCiperSuites Setting Button
Figure 3.59 CrossBow Server Configuration Dialog Box

4. Click TLSCiperSuites Setting. A dialog box appears.

154 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.17.3 Selecting an SSH Cipher Suite

4 5 6 7

1 Available TLS Cipher Suites

2 OK Button
3 Cancel Button
4 Select Button
5 Security Grade Column
6 Support TLS 1.2 Column
7 Support TLS 1.3 Column
Figure 3.60 Dialog Box

5. Select one or more suites from the list using the Select button.
6. Click OK to save changes.
7. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.17.3 Selecting an SSH Cipher Suite

SSH cipher suites are configurable for devices/gateways and device types via their
advanced properties in the RUGGEDCOM CROSSBOW client.
For more information about configuring devices/gateways and device types, refer to
the "RUGGEDCOM CROSSBOW Client Configuration Manual".

NOTICE
For increased security, Siemens recommends using grade 5 ciphers wherever
possible.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 155
Setup and Configuration
3.18 Customizing RUGGEDCOM CROSSBOW

While grades 3 and lower ciphers may be available for selection, they are considered
weak and should not be used unless necessary to connect to an older device. If a
security grade lower than 4 is selected, a notification appears.

3.18 Customizing RUGGEDCOM CROSSBOW

This section describes how to customize RUGGEDCOM CROSSBOW.

3.18.1 Managing Custom Fields

RUGGEDCOM CROSSBOW supports up to 10 custom fields, each with any number of
values. The fields are defined in the RUGGEDCOM CROSSBOW database, configured
via RUGGEDCOM CROSSBOW Server, and then customized for select devices/
gateways via RUGGEDCOM CROSSBOW Client.

Note
For information about how to apply a custom field to a device/gateway, refer to the
"RUGGEDCOM CROSSBOW Client Configuration Manual".

3.18.1.1 Configuring a Custom Field via RUGGEDCOM CROSSBOW Server

To configure a custom field via RUGGEDCOM CROSSBOW Server, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Custom tab. The Custom screen appears.

156 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.18.1 Managing Custom Fields

4
1 5

1 Available Custom Fields

2 OK Button
3 Cancel Button
4 Edit Button
5 Define Button
Figure 3.61 Custom Screen

5. Click Edit or Define next to the desired custom field. A dialog box appears.
Under Type, choose either Text or List.

1 5

6
2
7
3

1 Field Name Box

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 157
Setup and Configuration
3.18.1 Managing Custom Fields

2 Type Options
3 Default Box
4 Required Check Box
5 OK Button
6 Cancel Button
7 Remove Button
Figure 3.62 Dialog Box (Text Option)

1 6

7
2
8
3

4 9

1 Field Name Box

2 Type Box
3 Default Box
4 Required Check Box
5 Sort the List of Values Check Box
6 OK Button
7 Cancel Button
8 Remove Button
9 List Values Box
Figure 3.63 Dialog Box (List Option)

6. Configure the following parameters:

Parameter Description

Field Name The name of the custom field.

Type The desired format criteria. When List is selected, a comma

separated list of distinct values appears. When Text is selected,
a free-form text box appears.

List Values A comma separated list of distinct values. Appears when List is
selected.

Sort the List of Val When selected, the values are displayed in alphabetical order by
ues RUGGEDCOM CROSSBOW Client .

Default The default value.

Required When selected, the custom field must be configured for each
device managed by RUGGEDCOM CROSSBOW.

7. Click OK to save changes.

158 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.18.1 Managing Custom Fields

8. Start the RUGGEDCOM CROSSBOW Main Server service. For more

information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.18.1.2 Deleting a Custom Field via RUGGEDCOM CROSSBOW Server

To delete a custom field via RUGGEDCOM CROSSBOW Server, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Custom tab. The Custom screen appears.

4
1 5

1 Available Custom Fields

2 OK Button
3 Cancel Button
4 Edit Button

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 159
Setup and Configuration
3.18.2 Managing Custom Labels

5 Define Button
Figure 3.64 Custom Screen

5. Click Edit next to the desired custom field. A dialog box appears.

1 6

7
2
8
3

4 9

1 Field Name Box

2 Type Box
3 Default Box
4 Required Check Box
5 Sort the List of Values Check Box
6 OK Button
7 Cancel Button
8 Remove Button
9 List Values Box
Figure 3.65 Dialog Box (List Option)

6. Click Remove.
7. Click OK to save changes.
8. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.18.2 Managing Custom Labels

Custom labels can be defined for files associated with devices. These labels are visible
via the Data for Device dialog box under the Files tab. For information about how
to view files associated with a device, refer to the "RUGGEDCOM CROSSBOW Client
Configuration Manual".

3.18.2.1 Adding a Custom Label

To add a new custom label, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.

160 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.18.2 Managing Custom Labels

2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Options tab. The Options screen appears.

3
5
4
6

1 OK Button
2 Cancel Button
3 Enable Custom Labels Check Box
4 Available Custom Labels
5 Add Label Button
6 Delete Label Button
Figure 3.66 Options Screen

5. Select the Enable Custom Labels check box.

6. Click Add Label. The Custom Label dialog box appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 161
Setup and Configuration
3.18.2 Managing Custom Labels

1
4

5
2

1 Enumeration List
2 Custom Label Name
3 Custom Label Value
4 OK Button
5 Cancel Button
Figure 3.67 Custom Label Screen

7. Configure the following parameters:

Parameter Description

Enumeration Name Synopsis: FileVersionLabel

The name of the target enumeration.

Custom Label Name The name of the custom label that appears in the RUGGEDCOM
CROSSBOW Client.

Custom Label Value The value of the custom label.

8. Click OK. The dialog box closes.

9. Click OK to save changes.
10. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.18.2.2 Deleting a Custom Label

To delete a custom label, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Options tab. The Options screen appears.

162 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.18.3 Configuring a Restricted-Use Banner

3
5
4
6

1 OK Button
2 Cancel Button
3 Enable Custom Labels Check Box
4 Available Custom Labels
5 Add Label Button
6 Delete Label Button
Figure 3.68 Options Screen

5. Select the desired custom label and then click Delete.

6. Click OK to save changes.
7. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.18.3 Configuring a Restricted-Use Banner

A restricted-user banner is required for compliance with North American Electric
Reliability Corporation (NERC) Critical Information Protection (CIP) standards. When
configured, RUGGEDCOM CROSSBOW client displays the banner to users when

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 163
Setup and Configuration
3.18.3 Configuring a Restricted-Use Banner

connecting to the RUGGEDCOM CROSSBOW Server. Both the banner text and logo
can be customized by installing the appropriate files.

Note
The combined file size of the custom text and logo must not exceed 65000 bytes.
Otherwise, the banner may not display or display incorrectly.

Figure 3.69 Restricted Use Banner (Example)

To customize the restricted-use banner, do the following:

1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Options tab. The Options dialog box appears.

164 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.18.4 Customizing Alerts

1 2

1 Install Button
2 Clear Button
3 OK Button
4 Cancel Button
Figure 3.70 Options Dialog Box

5. For either a custom text file or a custom logo file, click the associated Install
button. A dialog box appears.
6. Navigate to and select the desired file.
7. Click OK to save changes.
8. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.18.4 Customizing Alerts

Each alert generated by RUGGEDCOM CROSSBOW in the RUGGEDCOM CROSSBOW
Client user interface is color-coded to distinguish it from others. Alerts appear in the
Field Layout tab, as most are device-specific.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 165
Setup and Configuration
3.18.4 Customizing Alerts

To customize the text and background colors for an alert, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Alerts tab. The Alerts screen appears.

3 2

4 5 6

1 OK Button
2 Cancel Button
3 Restore Defaults Button
4 Text Setting Button
5 Background Setting Button
6 Example
Figure 3.71 Alerts Screen

166 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.18.5 Enabling/Disabling Blocked Command Popup Messages

Note
Color settings for each alert are demonstrated under Example.

5. Click the Text Setting button next to the desired alert. The Color dialog box
appears.

1 Basic Colors
2 Custom Colors
3 Define Custom Colors Button
4 OK Button
5 Cancel Button
Figure 3.72 Color Dialog Box

6. Select or define a color, then click OK.

7. Click the Background Setting button next to the desired alert. The Color dialog
box appears.
8. Select or define a color, then click OK.
9. Click OK to save changes.
10. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.18.5 Enabling/Disabling Blocked Command Popup Messages

RUGGEDCOM CROSSBOW allows administrators to block specific commands to
reduce errors and add security. By default, a popup message appears notifying users
when a blocked command is being attempted. These popups can be enabled or
disabled.
To enable/disable blocked command pop up messages, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 167
Setup and Configuration
3.18.5 Enabling/Disabling Blocked Command Popup Messages

2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Options tab. The Options screen appears.

1 OK Button
2 Cancel Button
3 Show Connected User's Name Check Box
4 Show Device Passwords to Admin Check Box
5 Disable Sending Checked Out Password Email Check Box
6 Show Popup Message When Command Blocked Check Box
Figure 3.73 Options Screen

5. Under Client Options, select or clear Show Popup Message When Command
Blocked.
6. Click OK to save changes.
7. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

168 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.19 Configuring Global Advanced Parameters

3.19 Configuring Global Advanced Parameters

Global advanced parameters are system-level configuration parameters,
i.e. non-device specific. They are used to enable or disable features (e.g.
MaintenanceModeAllowed, DatabaseCapacityCheck, etc.), or perform system-level
configuration such as inactivity timeouts or the duration of time to keep reports.
To configure global advanced parameters, do the following:

Note
For more information about advanced parameters, refer to the "RUGGEDCOM
CROSSBOW Client Configuration Manual".

1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM

CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Options tab. The Options screen appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 169
Setup and Configuration
3.19 Configuring Global Advanced Parameters

1 OK Button
2 Cancel Button
3 Configure Button
Figure 3.74 Options Screen

5. Under Global Advanced Parameters, click Configure. The Global Advanced

Parameters form appears.

1 Available Global Advanced Parameters

2 OK Button
3 Cancel Button
Figure 3.75 Global Advanced Parameters Form (Example)

Any global advanced parameters, if available, appear in the form.

6. Double-click a parameter. The Configuration Item Edit Form screen appears.

4
2

1 Parameter Name Box

2 Description Box
3 OK Button
4 Cancel Button
5 Parameter Value
Figure 3.76 Configuration Item Edit Form

7. Change the parameter value as desired. If the chosen value falls outside of the
permitted range, a message will appear indicating the permitted range.

170 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.20 Configuring the Maximum Number of Scheduled Processes

If the parameter value contains a check box, select the box for True, deselect for
False.
8. Click OK to close the dialog box.
9. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.20 Configuring the Maximum Number of Scheduled Processes

Note
Siemens recommends increasing the number of scheduled processes incrementally
to monitor the overall impact to your system and optimize performance.

To configure the number of scheduled processes that can run simultaneously, do the
following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 171
Setup and Configuration
3.21 Configuring the COM Pool

1 OK Button
2 Cancel Button
3 Number of Scheduler Processes Box
Figure 3.77 CrossBow Server Configuration Dialog Box

4. Under Scheduler Configuration, in the Number of Scheduler Processes box,

type or select the number of scheduler processes that can run simultaneously.
The maximum number of scheduler processes is 20.
5. Click OK to save changes.
6. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.21 Configuring the COM Pool

The COM Pool is a range of serial ports for use with certain serial devices.
The available serial ports are used sequentially, so that a single failed serial port
will not cause all connections to fail. When the connection is complete, the port is
released and made available for future connections.

172 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.21 Configuring the COM Pool

For more information about configuring virtual serial ports, refer to the
"RUGGEDCOM CROSSBOW Client Configuration Manual"
To configure the range of COM pool ports, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.

3 4

1 OK Button
2 Cancel Button
3 Minimum Port Number Options
4 Maximum Port Number Options
Figure 3.78 CrossBow Server Configuration Dialog Box

4. Under Com Pool Configuration, select the Minimum and Maximum port
number values to specify the range of serial ports.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 173
Setup and Configuration
3.22 Configuring the Local Tunnel Endpoint

5. Click OK to save changes.

6. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

3.22 Configuring the Local Tunnel Endpoint

In some cases, a firewall policy may cause the RUGGEDCOM CROSSBOW Server to
randomly select a Network Interface Card (NIC) to construct the VPN when more than
one NIC is present.
RUGGEDCOM CROSSBOW allows users to specify a local tunnel endpoint for device
connections in cases where the server has more than one IP address or NIC.
If this parameter is not configured, RUGGEDCOM CROSSBOW will use the first value it
finds.
To configure the Local Tunnel Endpoint, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.

174 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Setup and Configuration
3.22 Configuring the Local Tunnel Endpoint

1 OK Button
2 Cancel Button
3 Server IP Box
Figure 3.79 CrossBow Server Configuration Dialog Box

4. Under VPN Local Tunnel EndPoint, enter the desired Server IP address.
5. Click OK to save changes.
6. Start the RUGGEDCOM CROSSBOW Main Server service. For more
information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 175
Setup and Configuration
3.22 Configuring the Local Tunnel Endpoint

176 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
Managing Logs
4
This section describes how to configure, view and manage audit logs, Windows event
logs, and system logs.

4.1 Configuring the CrossBow Event Log Distribution Service

The CrossBow Event Log Distribution Service distributes event information gathered
by RUGGEDCOM CROSSBOW to other external event tracking systems. This service
checks for events on a user-defined schedule, and sends the events to a specified
target. Supported targets for this service include the Windows Event Log, Syslog and
E-mail.
To configure the CrossBow Event Log Distribution Service for a SAM-P, do the
following:
1. Launch RUGGEDCOM CROSSBOW Server.
2. Under CrossBow Event Log Distribution Service, click Configure. The
CrossBow Log Distribution Service Configuration dialog box appears.

1 OK Button
2 Cancel Button
3 Seconds Between Every Check for Events List
4 Event Logs Sent to External Targets Every Poll Cycle List
Figure 4.1 CrossBow Log Distribution Service Configuration Screen

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 177
Managing Logs
4.2 Configuring the Windows Event Log

3. Configure the following parameters as required:

Parameter Description

Seconds Between Every Synopsis: An integer between 1 and 90

Check for Events
Default: 5

The time (in seconds) to wait before checking for events.

Event Logs Sent to Ex Synopsis: An integer between 5 and 1000

ternal Targets Every
Default: 25
Poll Cycle
The number of event logs to send to external targets per polling
cycle.

4. [Optional] Configure the Windows Event Log. For more information, refer to
"Configuring the Windows Event Log" (Page 178).
5. [Optional] Configure system logging. For more information, refer to
"Configuring Syslog Targets" (Page 182).
6. [Optional] Configure e-mail logs. For more information, refer to "Enabling/
Disabling E-Mail Logs" (Page 106).
7. Click OK. The dialog box closes.
8. Click OK to save changes.
9. [Optional] Enable the CrossBow Syslog Receiver to make system log (syslog)
messages from devices/gateways available in the RUGGEDCOM CROSSBOW
database for distribution. For more information, refer to "Retrieving Log
Messages from Devices/Gateways" (Page 179).

4.2 Configuring the Windows Event Log

To configure the Windows event log for a SAM-P, do the following:
1. Launch RUGGEDCOM CROSSBOW Server.
2. Under CrossBow Event Log Distribution Service, click Configure. The
CrossBow Log Distribution Service Configuration dialog box appears.
3. Click the Windows Event Log tab. The Windows Event Log screen appears.

178 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Managing Logs
4.3 Retrieving Log Messages from Devices/Gateways

1
3 2

1 OK Button
2 Cancel Button
3 Enable Windows Target Check Box
4 Data Prefix Box
5 Data Delimiter Box
6 Maximum Log Size Box
Figure 4.2 Windows Event Log Screen

4. Configure the following parameters:

Parameter Description

Enable Windows Target When selected, enables the generation of Windows event logs.

Data Prefix An optional text string prefixed to all event information. Third-
party monitoring systems can use this string to filter event
information in the log.

Data Delimiter A character to be used as a delimiter in the log export.

Maximum Log Size The maximum size of the log file in megabytes (MB). Once the
log file reaches its maximum size, older events are overwritten
by new events.

5. Click OK to save changes.

4.3 Retrieving Log Messages from Devices/Gateways

When enabled, the CrossBow Syslog Receiver Service retrieves system log (syslog)
messages from devices/gateways that forward messages to the same Syslog server
used by RUGGEDCOM CROSSBOW. The messages are then added to the RUGGEDCOM
CROSSBOW database.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 179
Managing Logs
4.4 Managing Audit Logs

Note
The IP address of the device/gateway must match the address defined in
RUGGEDCOM CROSSBOW.

Note
If multiple devices/gateways use the same IP address, only log messages from the
first device RUGGEDCOM CROSSBOW finds in its database are added to the Windows
Event Log.

To incorporate log messages generated by devices/gateways into the Windows Event

Log, do the following:
1. Configure the device/gateway to transmit all system log (syslog) messages to
the same Syslog server used by RUGGEDCOM CROSSBOW. For information about
configuring RUGGEDCOM CROSSBOW to forward system log messages to an
external syslog server, refer to "Configuring Syslog Targets" (Page 182).
2. Make sure the CrossBow Syslog Receiver Service is enabled on the RUGGEDCOM
CROSSBOW server. For more information, refer to "Starting/Stopping
RUGGEDCOM CROSSBOW Server Services" (Page 50).
3. [Optional] Launch RUGGEDCOM CROSSBOW Logger. For more information, refer
to the "RUGGEDCOM CROSSBOW Client Configuration Manual".
4. [Optional] Perform an action on the device/gateway that generates a system log
message. The message is displayed in RUGGEDCOM CROSSBOW Logger.

4.4 Managing Audit Logs

Audit logs detail the activities of users when they are connected to remote devices.
The audit logs are stored in the RUGGEDCOM CROSSBOW database, and can be
retrieved by administrators or users who have permissions to generate reports.

Note
For information about viewing, searching and deleting audit log files, and changing
audit log settings for individual devices and gateways, refer to the "RUGGEDCOM
CROSSBOW Client Configuration Manual".

4.4.1 Configuring a Default Audit Level

While an individual audit level can be configured for each device/gateway interface, a
default audit level can be configured for all devices/gateways.

180 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Managing Logs
4.4.1 Configuring a Default Audit Level

Note
The audit level configured for a device/gateway overrides the default setting. For
more information about configuring the audit level for a specific device/gateway,
refer to the "RUGGEDCOM CROSSBOW Client Configuration Manual".

To configure a default audit level, do the following:

1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Options tab. The Options screen appears.

1 OK Button
2 Cancel Button
3 Default Audit Level List
Figure 4.3 Options Screen

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 181
Managing Logs
4.5 Managing System Logs

5. Under Session Auditing Configuration, select the default audit level. Options
include:
• None – No audit log is generated.
• Transmit Only – Logs all messages from RUGGEDCOM CROSSBOW Client to
the device.

Note
The Transmit and Receive option may result in large audit log entries in the
RUGGEDCOM CROSSBOW database. Select this option only when required.

• Transmit and Receive – Logs all messages to and from the RUGGEDCOM
CROSSBOW Client to the device.
6. Click OK to save changes.
7. Start the RUGGEDCOM CROSSBOW Main Server service. For more information,
refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server Services" (Page 50).

4.5 Managing System Logs

This section describes how to configure, view and manage system logs (syslog).

4.5.1 Configuring Syslog Targets

To configure system logs (or syslog) for a SAM-P, do the following:
1. Launch RUGGEDCOM CROSSBOW Server.
2. Under CrossBow Event Log Distribution Service, click Configure. The
CrossBow Log Distribution Service Configuration dialog box appears.
3. Click the Syslog tab. The Syslog dialog box appears.

182 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Managing Logs
4.5.2 Adding/Configuring a Distribution Rule

1 3 5

1 Syslog Address Box

2 Syslog Port Box
3 Enable Syslog Target Check Box
4 OK Button
5 Cancel Button
6 Timestamp Options
Figure 4.4 Syslog Dialog Box

4. Under General Configuration, configure the following parameters:

Parameter Description

Enable Syslog Target When selected, enables the generation of system logs.

Syslog Address The IP address or host name of the target Syslog server to which
RUGGEDCOM CROSSBOW will forward syslog messages.

Syslog Port The UDP port on the Syslog server to which RUGGEDCOM
CROSSBOW will forward syslog messages.

Timestamp The timestamp, either local time or GMT, which RUGGEDCOM

CROSSBOW uses to time-tag syslog messages.

5. Define one or more distribution rules to control which events are included in the
system log. For more information, refer to "Adding/Configuring a Distribution
Rule" (Page 183).
6. Click OK to save changes.

4.5.2 Adding/Configuring a Distribution Rule

Distribution rules define pattern matches for log messages that appear in the
RUGGEDCOM CROSSBOW Windows event log.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 183
Managing Logs
4.5.2 Adding/Configuring a Distribution Rule

To add a new distribution rule or configure an existing rule, do the following:

Note
RUGGEDCOM CROSSBOW includes a default distribution rule to handle any events
that did not match the user-defined distribution rules. The only configurable option
for this default rule is to specify whether events are included or excluded from the
system log.

1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM

CROSSBOW Server.
2. Under CrossBow Event Log Distribution Service, click Configure. The
CrossBow Log Distribution Service Configuration dialog box appears.
3. Click the Syslog tab. The Syslog dialog box appears.

1 Distribution Rules
2 Add Button
3 Edit Button
4 Delete Button
5 Move Up Button
6 Move Down Button
Figure 4.5 Syslog Dialog Box

4. Under Distribution Rule Configuration, either click Add or select an existing

distribution rule and click Edit. The Syslog Distribution Rule Configuration
dialog box appears.

184 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Managing Logs
4.5.2 Adding/Configuring a Distribution Rule

4
1
5
2

1 Database Field List

2 Distribution Action Options
3 OK Button
4 Cancel Button
5 Value To Match List
6 Facility List
7 Level List
Figure 4.6 Syslog Distribution Rule Configuration Dialog Box

5. Under CrossBow Source Event, configure the following parameters:

Parameter Description

Database Field Synopsis: [ EventType | EventText ]

Default: EventType

Determines if the target event will be matched based on its

associated event type (EventType) or a specific string in the
event message (EventText).

Value To Match Synopsis: [ Device Session (1) | Security (2) | Password Change
(3) | Configuration Change (4) | System Status (5) | Teltone
Operation (6) | Teltone Log Port Access (7) | Teltone Log Basic
Program (8) | Teltone Log Secure Program (9) | Teltone Log Aux
Relay (10) | Generic Special Operations (11) | External Syslog
(12) | Device Activity (13) | File Access (14) | Alert (15) ] or A
string

The event type associated with the target event or a string that
appears in the event message. Any events belonging to the
specified event type or containing the specified string will be
processed according to the distribution action (e.g. Include
Event or Exclude Event) chosen for the rule.

6. Under Distribution Action, select Include Event to include the event in the
system log, or click Exclude Event to exclude the event.
If Exclude Event is selected, proceed to step 8 (Page 186).

Note
The Facility and Level parameters are unavailable when Exclude Event is
selected.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 185
Managing Logs
4.5.2 Adding/Configuring a Distribution Rule

7. Under Syslog Destination Event, configure the following parameters:

Parameter Description

Facility Synopsis: [ Kernel (0) | User (1) | Mail (2) | Daemons (3) | Auth
(4) | Syslog (5) | Printer (6) | News (7) | UUCP (8) | Cron (9) |
Auth/Priv (10) | FTP (11) | NTP (12) | Log Audit (13) | Log Alert
(14) | Clock Daemon (15) | Local0 (16) | Local1 (17) | Local2
(18) | Local3 (19) | Local4 (20) | Local5 (21) | Local6 (22) |
Local7 (23) ]
Default: Local0 (16)

The syslog facility. This parameter generally indicates from

which part of the system the event originated. Each facility is
assigned a number that is used along with the specified severity
level to determine the event's overall priority.

Level Synopsis: [ Emergency (0) | Alert (1) | Critical (2) | Warning (3) |
Notice (4) | Information (5) | Debug (6) ]
Default: Information (5)

The event's severity level. The value is used along with the
specified facility to determine the event's overall priority.
Options include:
• Emergency – the device/gateway is unusable
• Alert – the device/gateway should be corrected
immediately
• Critical – the device/gateway is in a critical state
• Warning – the device/gateway may fail if not addressed
• Notice – the event is unusual, but associated with any
errors
• Information – the event is normal, no action is required
• Debug – the event is for debugging purposes

8. Click OK.

Note
Distribution rules are run against an event until a match is found. Make sure
distribution rules are defined in the desired order in which they are to be
applied.

Note
The default distribution rule will always be the last in the list to make sure any
events not captured by the distribution rule are excluded from the system log,
unless the default distribution rule is configured to include events.

9. [Optional] Select the distribution rule and click either Move Up or Move Down
to change the order in which rules are tested.

186 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Managing Logs
4.5.3 Deleting a Distribution Rule

4.5.3 Deleting a Distribution Rule

To delete a distribution rule, do the following:

Note
RUGGEDCOM CROSSBOW includes a default distribution rule to handle any events
that did not match the user-defined distribution rules. The only configurable option
for this default rule is to specify whether events are included or excluded from the
system log.

1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM

CROSSBOW Server.
2. Under CrossBow Event Log Distribution Service, click Configure. The
CrossBow Log Distribution Service Configuration dialog box appears.
3. Click the Syslog tab. The Syslog dialog box appears.

1 Distribution Rules
2 Add Button
3 Edit Button
4 Delete Button
5 Move Up Button
6 Move Down Button
Figure 4.7 Syslog Dialog Box

4. Under Distribution Rule Configuration, select the desired distribution rule and
then click Delete.
5. Click OK to save changes.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 187
Managing Logs
4.5.3 Deleting a Distribution Rule

188 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
Troubleshooting
5
This chapter describes troubleshooting techniques and some common issues that
may be encountered when using RUGGEDCOM CROSSBOW.

5.1 RUGGEDCOM CROSSBOW Server

The following details potential problems related to the RUGGEDCOM CROSSBOW
Server and how to troubleshoot them:
Problem Potential Cause Suggestion
The RUGGEDCOM If the following Make sure a TLS/SSL certificate has been selected
CROSSBOW starts and message appears on for the RUGGEDCOM CROSSBOW server. If a
then stops immediately the Messages tab, certificate has not been selected, the Certificate
following an upgrade the connection to Subject parameter in the CrossBow Server
the RUGGEDCOM Configuration dialog box (on the Primary
CROSSBOW server's Configuration tab) will be blank.
certificate subject For more information about selecting and (if
may have been lost: necessary) adding a TLS/SSL certificate for
:WinMain():338: the RUGGEDCOM CROSSBOW server, refer to
Error activat "Selecting/Installing the RUGGEDCOM CROSSBOW
ing SSL server: Server Certificate" (Page 144).
A valid cer
tificate is re
quired before
the server can
be activated.

The current version Backup and upgrade the RUGGEDCOM CROSSBOW

of the RUGGEDCOM database to the latest version. For more
CROSSBOW database information, refer to "Upgrading the RUGGEDCOM
does not match the CROSSBOW Database" (Page 24).
required version Once the RUGGEDCOM CROSSBOW database
has been upgraded, make sure the current
version matches the version required by
RUGGEDCOM CROSSBOW. For more information,
refer to "Determining the Current Database
Version" (Page 107).
Unable to connect An invalid IP address Make sure the correct IP address and port number
to the RUGGEDCOM and/or port number are configured for the server.
CROSSBOW server. may be assigned to • For information about configuring a server
Connection times out. the RUGGEDCOM cluster, refer to "Adding/Configuring a
CROSSBOW server host. Server" (Page 140).
• For information about configuring a parent
server for a SAC, refer to "Adding/Configuring
a Parent Server" (Page 72).
Receiving the The password provided Provide the password used originally to encrypt
following error does not match the database.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 189
Troubleshooting
5.2 Logging Messages

Problem Potential Cause Suggestion

when attempting to the password used
enable encryption originally to encrypt the
for the RUGGEDCOM database.
CROSSBOW database:

Enabled, pass
word incorrect

Receiving the
following error when
attempting to decrypt
the RUGGEDCOM
CROSSBOW database:

Unable to de
crypt the data
base. Please
contact Cross
Bow support for
assistance.

Receiving the RUGGEDCOM Make sure the database connection settings

following error when CROSSBOW Client is are correct. For more information, refer to
attempting to enable unable to connect with "Connecting to the RUGGEDCOM CROSSBOW
encryption: the database. Database" (Page 33).

unknown, data
base inaccessi
ble

Receiving the An unexpected error Contact Siemens Customer Support for assistance.
following error when has occurred.
attempting to enable
encryption:

unknown, con
tact support

5.2 Logging Messages

RUGGEDCOM CROSSBOW includes tools for logging events as they occur:
RUGGEDCOM CROSSBOW Logger and RUGGEDCOM CROSSBOW Background Logger.
Both tools detail interactions between RUGGEDCOM CROSSBOW clients and the
RUGGEDCOM CROSSBOW server where the logger is installed, and offer various tools
for displaying and exporting logs.

Note
RUGGEDCOM CROSSBOW Logger is automatically installed alongside both
RUGGEDCOM CROSSBOW server and RUGGEDCOM CROSSBOW client.
RUGGEDCOM CROSSBOW Background Logger is automatically installed alongside the
RUGGEDCOM CROSSBOW server.
For more information about installing RUGGEDCOM CROSSBOW, refer to
"RUGGEDCOM CROSSBOW Installation and Upgrade" (Page 17).

190 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Troubleshooting
5.2.1 Logging Messages Using RUGGEDCOM CROSSBOW Logger

Note
To capture all interactions between RUGGEDCOM CROSSBOW clients and the
RUGGEDCOM CROSSBOW server(s), a logger must be present on the machine hosting
each component.

5.2.1 Logging Messages Using RUGGEDCOM CROSSBOW Logger

RUGGEDCOM CROSSBOW Logger displays all log messages as they occur in real-
time from the moment the tool is launched. The Logger can display up to 300,000
characters at a time. Once the number of characters exceeds 300,000 characters,
older log messages are removed.

2 3 4 5 6 7 8 9 10 11

1 Messages
2 Input Filter Check Box
3 Input Filter Box
4 Invert Check Box
5 Font Button
6 Set Level Button
7 Open Button
8 Save Button
9 Disable/Enable Button
10 Clear Button
11 Close Button
Figure 5.1 CROSSBOW Logger Dialog Box

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 191
Troubleshooting
5.2.1 Logging Messages Using RUGGEDCOM CROSSBOW Logger

Launching Logger
Launch RUGGEDCOM CROSSBOW Logger by either:
• Double-clicking the RUGGEDCOM CROSSBOW Logger shortcut icon on the
desktop
• Clicking Start, selecting All Programs, selecting RuggedCom, selecting
CrossBow Logger, then selecting CrossBow Logger

Filtering Messages
The log can be filtered to show or hide messages that match or contain a specific
string. Simply select Input Filter and then type the string. Only messages that match
or contain that string will display going forward.
To exclude messages that match or contain the specified string, select Invert.

Note
Filtering only applies when it is enabled. It does not apply to previous log messages.

Customizing the Display Font

Customize the display font by clicking Font. A dialog box appears listing the various
options.

Setting the Log Level

The Set Level function instructs specific RUGGEDCOM CROSSBOW services to use a
specific log level. By default, this is set to level 5 (debug) for all services and should
not be changed unless requested by Siemens Customer Support.

Opening the Log In a Text Editor

To open the current list of messages in a text editor, click Open. The current list is
opened in the application associated with text files.

Saving the Log

To save the log locally for future analysis or retention, click Save and then select the
location and file name for the log file.

Enabling/Disabling Logger
To disable any further logging of messages without closing RUGGEDCOM CROSSBOW
Logger, click Disable. To re-enable logging, click Enable.

192 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Troubleshooting
5.2.2 Configuring the RUGGEDCOM CROSSBOW Background Logger Service

Clearing the Log

To clear the message log, click Clear.

Closing Logger
To close RUGGEDCOM CROSSBOW Logger, click Close.

5.2.2 Configuring the RUGGEDCOM CROSSBOW Background Logger Service

RUGGEDCOM CROSSBOW Background Logger allows users to collect log messages in
the background until a specified number of log files (of a specific size each) are filled
with data. The Background Logger can write a maximum of 25 files per server, each
up to 250 MB in size.
Once configured on a server, logs are accessible via the RUGGEDCOM CROSSBOW
Client. For more information about logging, exporting and opening log files, refer to
the "RUGGEDCOM CROSSBOW Client Configuration Manual".

Note
RUGGEDCOM CROSSBOW Background Logger does not automatically stop writing log
messages. If the log files are full, RUGGEDCOM CROSSBOW Background Logger will
automatically delete the first file and start a new one until the user stops the process.

To configure the RUGGEDCOM CROSSBOW Background Logger Service, do the

following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Under CrossBow Background Logger Service, click Configure. The
Background Logger Form appears.

1 Number of Files Options Box

2 OK Button
3 Cancel Button
4 Max Size of Files (MB) Options Box
Figure 5.2 Background Logger Form

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 193
Troubleshooting
5.2.3 Controlling Sensitive Information in Logs

3. In the Number of Files options box, type or select the desired number of files to
be generated.
4. In the Max Size of Files (MB) options box, select the maximum size (in
megabytes) permitted for each file.
5. Click OK to save changes.

5.2.3 Controlling Sensitive Information in Logs

System administrators can control whether or not certain sensitive information
appears in the RUGGEDCOM CROSSBOW Logger and RUGGEDCOM CROSSBOW
Background Logger logs.
Sensitive information includes the following:
• Passwords: Device, user or other similar passwords
• IP addresses: Device, RUGGEDCOM CROSSBOW server, or other IP addresses
• Phone numbers: Device or gateway phone numbers (for dial-up devices)
• Raw transmitted or received device data: Raw data transmitted to or received
from an end device. Note that raw data is also used for audit logs, so preventing
this data also prevents audit logs from being stored (overriding any Session
Auditing Configuration).
• Database query errors: Database queries and the exception messages associated
with them logged upon database errors
• Command lines: Command lines generated when launching RUGGEDCOM
CROSSBOW component executables, in particular those messages containing
command line parameters.
To control which information will appear in logs, do the following:
1. Access the RUGGEDCOM CROSSBOW server and launch RUGGEDCOM
CROSSBOW Server.
2. Make sure the RUGGEDCOM CROSSBOW Main Server service is stopped. For
more information, refer to "Starting/Stopping RUGGEDCOM CROSSBOW Server
Services" (Page 50).
3. Under CrossBow Main Server, click Configure. The CrossBow Server
Configuration dialog box appears.
4. Click the Logging tab. The Logging screen appears.

194 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
 Troubleshooting
5.2.3 Controlling Sensitive Information in Logs

1 OK Button
2 Cancel Button
3 Allow All Check Box
4 Allow Passwords Check Box
5 Allow IP Addresses Check Box
6 Allow Phone Numbers Check Box
7 Allow Raw Transmitted or Received Device Data Check Box
8 Allow Database Query Errors Check Box
9 Allow Command Lines Check Box
Figure 5.3 Logging Screen (SAM-P)

5. Click the check box of the chosen category or categories, or click Allow All to
select all categories.
6. Click OK to save changes.

RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01 195
Troubleshooting
5.2.3 Controlling Sensitive Information in Logs

196 RUGGEDCOM CROSSBOW v5.4 Server

Configuration Manual, 06/2023, C79000-G8976-1574-01
For more information

Siemens RUGGEDCOM
https://www.siemens.com/ruggedcom

Industry Online Support (service and support)

https://support.industry.siemens.com

Industry Mall
https://mall.industry.siemens.com

Siemens Canada Ltd.

Digital Industries
Process Automation
300 Applewood Crescent
Concord, Ontario, L4K 4E5
Canada

© 2023 Siemens Canada Ltd.

Subject to change