User Manual

3 Network Security Controls
Siemens Application Note
Smart Infrastructure
3.2.4 Client/Server with Internet Access
Intended Use Case
Choose this configuration when multiple Installed Clients, connected via a
dedicated or shared LAN, are required and web connectivity is also required to
allow remote access via a Desigo CC Web Client or to provide remote connectivity
to an external application via Web Services.
The Management System Server, history database service, Web Server and the
first Installed Client are deployed on the same hardware platform, which can be
physical or virtual.
Field networks are connected directly to the Management System Server.
FEP can be used to better balance the communication load or to better adapt to
the distribution of the field systems. A typical case for FEP usage would be a
system with multiple remote sites and one central control location.
Installed and remote Windows App Clients are connected via the system LAN to
the server.
The size of the field system and the number of clients that can be supported by this
configuration depend on the server hardware configuration.
For systems with Internet access, additional support for networks and IT security
is available:
- Support of Windows domains and Active Directory
- Support of network policies
- Firewall/DMZ support
For systems with key components in the Internet, additional network and IT
security measures need to be implemented to run Desigo CC properly:
- Only Web and Windows App Clients are hosted outside the customer network
- Communication between all key components is required to be secured by
  standard IT security mechanisms like virtual private network (VPN) and/or
  certificates
- Communication to components in the Internet must be secured by customer or
  trust center provided certificates and separated from the customer network
  by professional hardware firewalls/DMZ
- Logon to Desigo CC in the Internet is allowed only with users of the customer
  Active Directory
- Field systems must be separated from Internet access
Figure 14: Client/Server with Internet Access.
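The requirements listed above for systems with key components in the Internet can be checked against an inventory of network flows. The following Python example is added here and is not part of the Siemens application note; the zone names, component labels, `Flow` fields and finding identifiers are assumptions made for illustration, and the sample flows are constructed.

```python
from dataclasses import dataclass

# Zone names and component labels are assumptions for this example.
INTERNET, DMZ, LAN, FIELD = "internet", "dmz", "lan", "field"
INTERNET_ALLOWED = {"web_client", "windows_app_client"}
TRUSTED_ISSUERS = {"customer", "trust_center"}

@dataclass(frozen=True)
class Flow:
    src: str          # component label at the source
    src_zone: str
    dst: str          # component label at the destination
    dst_zone: str
    cert_issuer: str  # "customer", "trust_center", "self_signed" or "" (none)
    auth: str         # "customer_ad", "local" or "" (no user logon)

def audit(flows):
    """Return (flow index, finding) pairs for flows that cross the Internet boundary."""
    findings = []
    for i, f in enumerate(flows):
        if (f.src_zone == INTERNET) == (f.dst_zone == INTERNET):
            continue  # flow does not cross the Internet boundary
        outside, inside_zone = ((f.src, f.dst_zone) if f.src_zone == INTERNET
                                else (f.dst, f.src_zone))
        if inside_zone == FIELD:           # field systems separated from Internet
            findings.append((i, "FIELD_EXPOSED"))
            continue
        if outside not in INTERNET_ALLOWED:  # only Web/Windows App Clients outside
            findings.append((i, "NON_CLIENT_OUTSIDE"))
        elif f.auth != "customer_ad":        # logon only with customer AD users
            findings.append((i, "NON_AD_LOGON"))
        if inside_zone != DMZ:               # must be separated by firewall/DMZ
            findings.append((i, "NO_DMZ"))
        if f.cert_issuer not in TRUSTED_ISSUERS:  # customer or trust center cert
            findings.append((i, "UNTRUSTED_CERT"))
    return findings

# Constructed sample inventory (not taken from any real installation).
SAMPLE_FLOWS = [
    Flow("web_client", INTERNET, "web_server", DMZ, "customer", "customer_ad"),
    Flow("windows_app_client", INTERNET, "server", LAN, "trust_center", "customer_ad"),
    Flow("web_client", INTERNET, "web_server", DMZ, "self_signed", "local"),
    Flow("field_controller", FIELD, "cloud_service", INTERNET, "", ""),
    Flow("fep", INTERNET, "server", DMZ, "customer", ""),
    Flow("installed_client", LAN, "server", LAN, "", "customer_ad"),
]

if __name__ == "__main__":
    for index, finding in audit(SAMPLE_FLOWS):
        print(index, finding)
```

The audit only looks at direct flows between zones; traffic that is relayed through the DMZ by design (Internet to Web Server to Management System Server) is therefore not flagged.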