User Manual
Network Security Controls
Siemens
Application Note
Smart Infrastructure
[Figure: network diagram of firewall-separated zones. Zones shown: WWW; Customer IT (Homeoffice, Branchoffice, Server Backbone, Local Office, DMZ); DCC (Control Room, Server Backbone, Subsystem n, Subsystem m, FS20, System One, Sipass, Desigo PX, SPC). Components shown: DCC Server, DCC FEP, DCC WSI, DCC Client, WinCC OA, HTML5, IIS, MS SQL, Tomcat, BIRT, VMS, Cameras, Domain, Network M., Fileserver.]
Figure 15: Intranet-Extranet
Server and a Remote Web Server (IIS) in a DMZ Network
A DMZ (demilitarized zone) refers to an area of a network, usually between two
firewalls, where users from the Internet are permitted limited access over a defined
set of network ports and to pre-defined servers or hosts. A DMZ is used as a
boundary between the Internet and your company's internal network. The network
DMZ is the only place on a corporate network where Internet users and internal
users are allowed at the same time.
In a DMZ setup, the web server (IIS) and the Desigo CC server are hosted on
separate machines that are on different networks, separated by firewalls.
In such a scenario, commercial SSL certificates are typically used for the web site
on IIS. For verifying the signature of the web client/Windows App client, the same
certificate or a separate commercial or self-signed certificate may be used.
However, you can use the same certificate if the private key used to secure the
web site is exportable.
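One way to check the exportability condition above on the IIS host before planning certificate reuse. This is an added example, not part of the Siemens application note; the function name Get-PrivateKeyExportability is hypothetical, the store path Cert:\LocalMachine\My is an assumption about where the web site certificate is installed, and only RSA keys are inspected.

```powershell
# Added example (not from the application note).
# Lists certificates that have a private key and reports whether that key
# is marked exportable. Run from an elevated session on the IIS host.
function Get-PrivateKeyExportability {
    param(
        # Assumption: the web site certificate is in the machine's Personal store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
    $cngExport = [System.Security.Cryptography.CngExportPolicies]

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            $cert       = $_
            $provider   = 'Unknown'
            $exportable = $null   # stays $null when it cannot be determined

            try {
                $key = $ext::GetRSAPrivateKey($cert)
                if ($null -eq $key) {
                    # Non-RSA key (for example ECDSA): not inspected here.
                    $provider = 'Non-RSA'
                }
                elseif ($key -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: exportability is a flag in the key's export policy.
                    $provider   = 'CNG'
                    $policy     = $key.Key.ExportPolicy
                    $exportable = $policy.HasFlag($cngExport::AllowExport) -or
                                  $policy.HasFlag($cngExport::AllowPlaintextExport)
                }
                elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CSP key: exportability is a container property.
                    $provider   = 'CSP'
                    $exportable = $key.CspKeyContainerInfo.Exportable
                }
            }
            catch {
                # Typical causes: missing permissions or a hardware-backed key.
                $provider = "Inaccessible: $($_.Exception.Message)"
            }

            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Provider   = $provider
                Exportable = $exportable
            }
        }
}

Get-PrivateKeyExportability | Format-Table -AutoSize
```

A certificate that reports Exportable as False cannot be exported together with its private key from this host, so a separate certificate would be needed for the other role.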
The following section describes a typical deployment scenario for setting up a
Desigo CC system with a remote web server (IIS) in a DMZ scenario.