User Manual
3 Network Security Controls
Siemens Application Note
Smart Infrastructure
3.2.5 Large, Distributed Client/Server with Internet Access
Intended Use Case
This is the configuration choice for cases where system size or specific customer
requirements call for deploying key Desigo CC components on different
hardware platforms, which can be physical or virtual.
Communication between the key components must be secured by
standard IT security mechanisms such as certificates. Communication to components
on the Internet must be secured by certificates provided by the customer or a trust center
and protected by professional hardware firewalls/DMZ.
Field networks are connected to the Management System Server, and an FEP can be
used where appropriate.
The size of the field system and the number of clients that this configuration can
support depend on the server hardware configuration.
For systems with Internet access, additional support for networks and IT security is
available:
• Support of Windows domains and Active Directory
• Support of network policies
• Firewall/DMZ support
For systems with key components on the Internet, additional network and IT security
measures need to be implemented to run Desigo CC properly:
• Only Web and Windows App Clients are hosted outside the customer network
• Communication between all key components must be secured by standard IT security mechanisms such as VPN and/or certificates
• Communication to components on the Internet must be secured by certificates provided by the customer or a trust center and separated from the customer network by professional hardware firewalls/DMZ
• Logon to Desigo CC over the Internet is permitted only for users in the customer’s Active Directory
• Field systems must be separated from Internet access
Figure 17: Large, Distributed Client/Server with Internet Access.
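The measures listed above can be checked against a deployment inventory before go-live. The following is an added example, not part of the Siemens application note: the zone names, component types, dictionary keys and the sample inventory are assumptions made for illustration and do not correspond to Desigo CC settings.

```python
# Assumed names: zones, component types and dict keys are illustrative, not Desigo CC settings.
INTERNET, CUSTOMER, FIELD = "internet", "customer", "field"
ALLOWED_OUTSIDE = {"web_client", "windows_app_client"}
TRUSTED_ISSUERS = {"customer_ca", "trust_center"}

def audit(components, flows, users):
    """Return the list of rule violations found in the inventory."""
    zone = {c["name"]: c["zone"] for c in components}
    out = []
    for c in components:
        # Only Web and Windows App Clients may sit outside the customer network.
        if c["zone"] == INTERNET and c["type"] not in ALLOWED_OUTSIDE:
            out.append(f"{c['name']}: {c['type']} hosted on the Internet")
    for f in flows:
        zones, label = {zone[f["src"]], zone[f["dst"]]}, f"{f['src']}->{f['dst']}"
        if FIELD in zones:
            # Field systems must be separated from Internet access.
            if INTERNET in zones:
                out.append(f"{label}: field system reachable from the Internet")
            continue  # field links are not key-component links
        # Links between key components need VPN and/or certificates.
        if not (f.get("vpn") or f.get("cert_issuer")):
            out.append(f"{label}: no VPN or certificate")
        if INTERNET in zones:
            # Internet links: customer or trust center certificate, behind firewall/DMZ.
            if f.get("cert_issuer") not in TRUSTED_ISSUERS:
                out.append(f"{label}: certificate not from customer or trust center")
            if not f.get("via_dmz"):
                out.append(f"{label}: bypasses firewall/DMZ")
    for u in users:
        # Internet logon only for users in the customer's Active Directory.
        if u["internet_logon"] and u["source"] != "active_directory":
            out.append(f"{u['name']}: Internet logon without Active Directory")
    return out

# Constructed sample inventory (not from the application note).
COMPONENTS = [
    {"name": "server", "type": "management_server", "zone": CUSTOMER},
    {"name": "web1", "type": "web_client", "zone": INTERNET},
    {"name": "fep1", "type": "fep", "zone": INTERNET},
    {"name": "plc1", "type": "field_device", "zone": FIELD}]
FLOWS = [
    {"src": "web1", "dst": "server", "cert_issuer": "trust_center", "via_dmz": True},
    {"src": "fep1", "dst": "server", "cert_issuer": "self_signed", "via_dmz": False},
    {"src": "web1", "dst": "plc1"},
    {"src": "server", "dst": "plc1"}]
USERS = [{"name": "alice", "source": "active_directory", "internet_logon": True},
         {"name": "bob", "source": "local", "internet_logon": True}]
if __name__ == "__main__": print(*audit(COMPONENTS, FLOWS, USERS), sep="\n")
```

Run against an exported asset list and firewall rule set, each finding maps back to one bullet in the list above.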