User Manual
Network Security Controls
Intended Operational Environments
2
54 | 88
A6V11646120_enUS_c_41
Server and a Remote Web Server (IIS) in a DMZ Network
A DMZ (demilitarized zone) refers to an area of a network, usually between two
firewalls, where users from the Internet are permitted limited access over a defined set
of network ports and to predefined servers or hosts. A DMZ is used as a boundary
between the Internet and your company's internal network. The network DMZ is the
only place on a corporate network where Internet users and internal users are allowed
at the same time.
In a DMZ setup, the web server (IIS) and the Desigo CC server are hosted on
separate machines that are on different networks, separated by firewalls.
In such a scenario, commercial SSL certificates are typically used for the website on
IIS. For verifying the signature of the web client/Windows App client, either the same
certificate or a separate commercial or self-signed certificate may be used. Note that
the same certificate can only be reused if the private key used to secure the website is
exportable.
The following section describes a typical deployment scenario for setting up a Desigo
CC system with a remote web server (IIS) in a DMZ scenario.
Server Station
A single dedicated workstation with the following features:
● Desigo CC server is installed.
● Microsoft SQL Server is installed on the Desigo CC server.
● The server project folder is shared.
● The required certificates are imported into the Windows Certificate store:
– The root certificate is imported into the Trusted Root Certification Authorities
store.
– The host certificate is imported into the Personal store.
● The host certificate used must have a private key; no private key is needed for a
root certificate.
Remote Web Server (IIS) Station in a DMZ
This section describes how to configure the web server to use the same certificate for
both the web site and the web application.
● A dedicated workstation serving as web server for hosting the website/application.
To simplify the website configuration, it is recommended that you install the
Desigo CC client or FEP software on this machine.
● The web application user on the remote web server has access rights on the
shared project folder on the server.
● The required certificates are imported into the Windows Certificate store:
– The root certificate of the host certificate provided for CCom port security is
imported into the Trusted Root Certification Authorities store.
– The communication between the web server and the web/Windows App clients
is always secured. Therefore, creating the website and the web application
certificates is mandatory. Desigo CC supports using either the same or
different certificates for the website and the web application.
– The certificate and its private key must be imported into the Windows
certificate store (in the Local Machine\Personal store; its root certificate must
be imported into the Local Machine\Trusted Root Certification Authorities
(TRCA) store). The private key must be marked to be exportable.
– If different commercial certificates are used for creating the website and web
application, then both must be present in the Trusted Root Certification
Authorities store and the Personal store of the Windows Certificate store.
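As an added illustration that is not part of this manual, the following PowerShell check verifies on the web server station the certificate store requirements listed above: the host certificate is in the Local Machine\Personal store with a private key, that key is marked exportable, and the certificate's root is present in the Local Machine\Trusted Root Certification Authorities store. The function name and the thumbprint value are assumptions; replace the thumbprint with the one of your own certificate.

```powershell
# Added example, not Desigo CC product code. Run in an elevated PowerShell on
# the web server (IIS) station. The function name is hypothetical.
function Test-WebServerCertificate {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    # 1. The host certificate must be in the Local Machine\Personal (My) store.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\Personal." }

    # 2. It must carry a private key (a root certificate does not need one).
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }

    # 3. The private key must be exportable if the same certificate is reused for
    #    the website and the web application. CNG and legacy CSP keys expose this
    #    flag differently, so both cases are handled.
    $exportable = $false
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $policy = $rsa.Key.ExportPolicy
        $exportable = ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $exportable = $rsa.CspKeyContainerInfo.Exportable
    }
    if (-not $exportable) { Write-Warning "Private key of $Thumbprint is not marked exportable." }

    # 4. Build the chain and confirm its root is in LocalMachine\Trusted Root
    #    Certification Authorities (TRCA). Revocation is skipped here because a
    #    DMZ host may have no outbound access to CRL/OCSP endpoints.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation }) -join '; '
        throw "Certificate chain could not be built: $status"
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $inTrca = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    if (-not $inTrca) { throw "Root '$($root.Subject)' is not in LocalMachine\TRCA." }

    [pscustomobject]@{
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey
        KeyExportable = $exportable
        RootSubject   = $root.Subject
        RootInTrca    = $true
    }
}

# Placeholder thumbprint; replace with the thumbprint of your website certificate.
Test-WebServerCertificate -Thumbprint 'REPLACE_WITH_YOUR_CERT_THUMBPRINT'
```

If separate commercial certificates are used for the website and the web application, run the check once per thumbprint, since both must satisfy the same store requirements.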