User Manual
Network Security Controls
Intended Operational Environments
A6V11646120_enUS_c_41
Client/Server
Each Desigo CC installation has only one server, but it can have multiple clients
running on different computers. You can work with Desigo CC in a configuration where a
Desigo CC server communicates with multiple Desigo CC clients installed on separate
computers. This allows multiple operators to manage and supervise the same site.
The communication between the client and the server must be set up using SMC.
First, you must set up the server and then the client station. The communication
should be secured using certificates (this might be simplified on dedicated and
protected networks, such as within a control room).
By default, the template project is created for a stand-alone configuration (with the
indication that no communication is possible). To set up a secured/unsecured
client/server system, you must edit the project.
Server Station
A dedicated workstation with the following features:
● Desigo CC server
● Own administration
● Microsoft SQL Server installed/remote customer Microsoft SQL Server
● Own network segment
● IPv4/IPv6
● IT firewalls must allow communication between server and client
Client Station
A dedicated workstation with the following features:
● Desigo CC client/FEP
● Own administration
● IPv4/IPv6
● Internal firewalls
Security
● Secure client/server deployments require medium configuration setup.
Certificate Usage
This scenario explains setting up a secured client/server communication using
certificates from the Windows store.
For a client/server deployment, the following restrictions apply with respect to
certificates:
● The root certificate validates the certificates used for communication. Therefore, it
must be the same for all host certificates and it must be installed on the server and
on all clients.
● The root and communication (host) certificates must be different and have
different subject names.
● The communication certificates should be specific. Therefore, it is recommended
to use different host certificates for client and server.
● The communication certificates are used by the Desigo CC client/FEP. Therefore,
the logged on user of the client/FEP operating system requires access to the
private key of the host certificate stored in the Windows Certificate store.
The owner of the Desigo CC system is responsible for distributing authorized
certificates and keys. This is often done by the IT infrastructure, particularly if
commercial certificates are used instead of self-signed ones.
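The certificate restrictions listed above can be checked on each station before the project is switched to secured communication. The following PowerShell script is an added example, not part of the Desigo CC product or its documentation; the store paths (`Cert:\LocalMachine\My`, `Cert:\LocalMachine\Root`) are assumptions about where the certificates were installed, and the thumbprint is a placeholder to replace.

```powershell
# Added example, not vendor code. Run as the OS user that starts the client/FEP.
# Assumed: the store paths below. The thumbprint is a placeholder to replace.
param(
    [string]$HostThumbprint = '<HOST-CERT-THUMBPRINT>',
    [string]$HostStore      = 'Cert:\LocalMachine\My',
    [string]$RootStore      = 'Cert:\LocalMachine\Root'
)

$hostCert = Get-ChildItem -Path $HostStore |
    Where-Object { $_.Thumbprint -eq $HostThumbprint } | Select-Object -First 1
if (-not $hostCert) { throw "No certificate $HostThumbprint in $HostStore" }

# Build the chain without revocation lookups (the network may be isolated).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainValid = $chain.Build($hostCert)
# The last chain element is the root. For a self-signed host certificate it is
# the host certificate itself, which violates the "must be different" rule.
$rootCert = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

$rootInstalled = [bool](Get-ChildItem -Path $RootStore |
    Where-Object { $_.Thumbprint -eq $rootCert.Thumbprint })

# Opening the key handle fails if the current user has no read access to it.
$keyReadable = $false
if ($hostCert.HasPrivateKey) {
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($hostCert)
        if ($null -eq $key) {
            $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($hostCert)
        }
        $keyReadable = ($null -ne $key)
    } catch { $keyReadable = $false }
}

[pscustomobject]@{
    HostSubject          = $hostCert.Subject
    RootSubject          = $rootCert.Subject
    RootThumbprint       = $rootCert.Thumbprint  # must match on server and all clients
    ChainValid           = $chainValid
    RootInstalled        = $rootInstalled
    RootDistinctFromHost = ($rootCert.Thumbprint -ne $hostCert.Thumbprint) -and
                           ($rootCert.Subject -ne $hostCert.Subject)
    PrivateKeyReadable   = $keyReadable
}
```

Run it on the server and on every client station and compare the `RootThumbprint` values; any `False` in the boolean fields points to one of the restrictions not being met on that station.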