universal douglas WLC-4150 Lighting Control Unit User Manual
- October 27, 2023
- universal douglas
WLC-4150 Lighting Control Unit
LCU Cybersec
Considerations for Customers
The Dialog Network Lighting Control system is a digitally addressable lighting control system that runs on its own proprietary protocol for day-to-day lighting controls operation and communications. For remote override and configuration changes via a computer, there may be a desire to connect the system to a facility network or LAN.
The Dialog Networked Lighting Control system is designed to run without requiring a connection to the internet or building LAN. However, certain features may require such connections:
- Remote access
- View and Control of outputs
- Add/Edit Groups and Presets
- Schedule Changes
- Daylighting Adjustments
- BACnet IP Integration
- Remote Support and Diagnostics downloads
- CheckLight™
- Cloud Access
- Energy Management
- OpenADR
Basic Security Considerations
Physical Security
In all cases, Lighting Control Units (LCU) such as the WLC-4150, Global Webservers (GWS), and any network switches connecting them should have a layer of physical security protecting them. They should be in locked cabinets inside access-controlled electrical/telecom closets.
Digital Security: Firewalls
The Lighting Control Ethernet Network (LCEN) and GWS ‘internet’ port must be protected by a firewall. The LCU and GWS must never be connected directly to the internet.
When connecting the LCEN to a corporate LAN, a Layer 7 firewall is required. This firewall is available as a feature of many managed routers, or as a separate appliance placed between the LCEN and the corporate LAN. Care should be taken to expose only the ports needed for the day-to-day operation of the lighting control system. See Table 1 and Table 2 for more details on each individual TCP/UDP port.
Typical Network Security Configurations
There are 5 basic configurations:
- Single WLC-4150 to a corporate LAN
- CheckLight™ – Cloud Connection
- Global Web Server to LAN, with a lighting controls sub-network
- Global Web Server to LAN, with a lighting controls VLAN
- Global Web Server to LAN, with BACnet IP connectivity
*BACnet functionality can be paired with any of these, but requires special considerations. See WLC-4150 BACnet Connection instructions for more details.
Single WLC-4150 to a corporate LAN
The LCU should not be exposed directly to the corporate LAN; a firewall is required. Care should be taken to expose only the necessary ports. See Table
- CheckLight™ Cloud Managed LCUs
This configuration is suitable for CheckLight™ energy monitoring, OpenADR and BMS Integration through the cloud API. A GWS is not used, and the LCEN must not be connected to any other devices.
The LTE modem performs IP filtering which allows connections with the CheckLight™ cloud only.
[Diagram legend: Lighting Control Ethernet Network, Corporate LAN, BACnet Network, Internet Connection or Public LAN]
Note:
- CAT5e or higher wiring is required for all Ethernet connections.
- Ethernet switches may be provided by others.
- LCUs only support static IPv4 address assignments.
- LCUs and GWS (“internet”) must be on the same subnet. The GWS ‘internet’ port can be on a different subnet.
- Typical only. See project information for system specific diagrams.
Global Web Server to LAN, with isolated lighting control network
The GWS has 2 ports, one for the LCEN, and one for the Corporate LAN.
Communication on the LCEN is not secure and must be isolated from the
corporate LAN.
The GWS ‘internet’ port does not provide an encrypted web interface and must
not be connected to an untrusted network directly. It must be protected by a
Layer 7 firewall.
Global Web Server to LAN, with a lighting controls VLAN
The GWS has 2 ports, one for the LCEN, and one for the Corporate LAN (labelled
‘internet’). Communication on the LCEN is not encrypted and must be isolated
from the corporate LAN. If it is not possible to run dedicated cabling for the
LCEN, this can be accomplished by using a VLAN enabled switch.
The GWS ‘internet’ port does not provide an encrypted web interface and must
not be connected to an untrusted network directly. It must be protected by a
Layer 7 firewall.
Global Web Server to LAN, with BACnet IP connectivity
The LCU has 2 Ethernet ports, but they are internally connected with a
built-in layer 2 switch to allow a daisy-chained topology.
The BACnet IP protocol does not have any security or encryption. To separate a
BACnet network from the LCEN, a small layer 3 router is installed for each
LCU. The routers perform address translation and filtering so that the LCUs
can effectively be on two subnets at once. BACnet traffic is separated out
from the LCEN, improving security.
Note:
- CAT5e or higher wiring is required for all Ethernet connections.
- Ethernet switches may be provided by others.
- LCUs only support static IPv4 address assignments.
- LCUs and GWS (LCEN) PHY must be on the same subnet. The GWS ‘internet’ port can be on a different subnet.
- Typical only. See project information for system specific diagrams.
WLC-4150 Lighting Control Unit (LCU) Networking Specifics
- The WLC-4150 LCU does not support DHCP.
- BACnet communication is switched off by default for security reasons.
Table 1: WLC-4150 LCU TCP/UDP Ports
Protocol (TCP/UDP)| Encrypted?| Inbound Port| Description
---|---|---|---
TCP| no| 80| LCU web interface and CheckLight™ power monitoring data uploaded from LCU
TCP| TLS 1.1| 443| LCU web interface encrypted and CheckLight™ Connection.
TCP| no| 5000| GWS communication to the LCU
TCP| no| 5655| Debug
TCP| no| 7070| LCU remote update
UDP| no| 137| NetBIOS name service
The WLC-4150 must be protected by a Layer 7 firewall to achieve a secured
connection to a corporate LAN.
Global Webserver (GWS) Network Specifics
The GWS is based on Windows Server 2016, but must remain static in its
configuration to ensure product stability. Windows Update, Firewalls, and Auto
Back-ups must remain disabled. As this poses a security risk, the GWS must be
isolated from the corporate LAN using a Layer 7 firewall.
There are 2 Ethernet ports on the GWS:
- Lighting Control Ethernet Network (LCEN)
- “Internet” (Not to be connected directly to an unsecured network)
Table 2: Global Webserver TCP/UDP Ports
Protocol (TCP/UDP)| Encrypted?| Inbound port (LCEN)| Inbound port (“Internet”)| Description
---|---|---|---|---
TCP| no| 80| 80| GWS web interface
TCP| no| 6000| | LCU communication to GWS
TCP| no| 13000| | Main traffic between LCU and GWS
The GWS must be protected by a Layer 7 firewall to achieve a secured connection to a corporate LAN.
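The two port tables can be used to review the allow rules on the firewall that sits between the corporate LAN and the lighting equipment. The following is an added example, not part of the manual or of any Universal Douglas software: it flags allow rules for ports the tables do not list, ports the site has not marked as necessary, cleartext services, and the TLS 1.1 listener. The `Rule` format, the finding names and the sample rule set are assumptions constructed for illustration.

```python
from typing import NamedTuple

# Inbound ports transcribed from Table 1 (LCU) and Table 2 (GWS "Internet" port).
# Value is the "Encrypted?" column: None for "no", otherwise the protocol listed.
DOCUMENTED = {
    "LCU": {
        ("tcp", 80): None,        # web interface, CheckLight data upload
        ("tcp", 443): "TLS 1.1",  # encrypted web interface, CheckLight connection
        ("tcp", 5000): None,      # GWS communication to the LCU
        ("tcp", 5655): None,      # debug
        ("tcp", 7070): None,      # LCU remote update
        ("udp", 137): None,       # NetBIOS name service
    },
    "GWS": {("tcp", 80): None},   # GWS web interface
}

class Rule(NamedTuple):
    """One allow rule on the firewall in front of a device (assumed format)."""
    device: str
    proto: str
    port: int

def audit(rules, required):
    """Return sorted (rule, finding) pairs for allow rules that need review.

    `required` is the site's own set of Rules it has decided are necessary;
    the manual leaves that choice to the customer.
    """
    findings = []
    for rule in rules:
        table = DOCUMENTED.get(rule.device, {})
        key = (rule.proto, rule.port)
        if key not in table:
            findings.append((rule, "undocumented-port"))
            continue
        if rule not in required:
            findings.append((rule, "not-required"))
        if table[key] is None:
            findings.append((rule, "cleartext"))
        elif table[key] == "TLS 1.1":
            # TLS 1.1 was deprecated by RFC 8996; treat it as legacy crypto.
            findings.append((rule, "legacy-tls"))
    return sorted(findings)

# Constructed sample: allow rules as exported from a hypothetical firewall.
SAMPLE_RULES = [Rule("LCU", "tcp", 443), Rule("LCU", "tcp", 5655),
                Rule("GWS", "tcp", 80), Rule("GWS", "tcp", 3389)]
SAMPLE_REQUIRED = {Rule("LCU", "tcp", 443), Rule("GWS", "tcp", 80)}
```

A `cleartext` or `legacy-tls` finding on a required rule is not a rule to delete; it marks traffic that depends entirely on the firewall and network isolation for protection.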
This product is designed to be connected to and to communicate information and
data via a network interface. It is Customer’s sole responsibility to provide
and continuously ensure a secure connection between the product and Customer
network or any other network (as the case may be). Customer shall establish
and maintain any appropriate measures (such as but not limited to the
installation of firewalls, application of authentication measures, encryption
of data, installation of antivirus programs, etc) to protect the product, the
network, its system and the interface against any kind of security breaches,
unauthorized access, interference, intrusion, leakage and/or theft of data or
information. Douglas Lighting Controls and its affiliates are not liable for
damages and/or losses related to such security breaches, any unauthorized
access, interference, intrusion, leakage and/or theft of data or information.