User Manual
Network Security Controls
Intended Operational Environments
2
A6V11646120_enUS_b_40
● IPv4
● No IT firewalls (to other network segments or to the Internet)
Security
● Simple setup
● Effort for security configuration is medium
● A stand-alone system with a local web server must be protected against attacks
from other machines in the network. Follow the configuration guidelines to limit
outside communication by firewall settings, virus scanner, and so forth to secure
the system.
Certificate Usage on a Stand-alone System with a Local Web Server
This section describes how to configure the web server using the same certificate for
both the website and the web application.
● No certificate is required for the communication between the Desigo CC server
and the installed client or FEP since there is no FEP and no remote installed client
in this deployment.
● The communication between the Desigo CC server and the local web server (IIS)
can be left unsecured (without certificates), since they are both installed on the
same machine.
● The communication between the web server and web/Windows App clients shall
always be secured. Hence, the certificates used when creating the website and
the web application are mandatory. Desigo CC supports the use of either the
same or different certificates for the website and the web application. Usage of
TLS 1.2 is suggested whenever possible.
● The certificate and its private key must be imported into the Windows certificate
store, in the Local machine\Personal store. Its root certificate must be imported
into the Local machine\Trusted Root Certification Authorities (TRCA) store. The
private key must be marked as exportable.
NOTICE
Validity of Self-Signed Certificates
Self-signed certificates allow local deployments without the overhead of obtaining
commercial certificates. When using self-signed certificates, the owner of the Desigo
CC system is responsible for maintaining their validity status, and for manually
adding them to and removing them from the list of trusted certificates.
Self-signed certificates must only be used in accordance with local IT regulations
(several CIO organizations do not allow them, and network scans will identify them).
Importing the commercial certificates follows the same procedures.
You must ensure the compliant installation of the trusted material on the involved
machines, for example, on all installed clients. In some organizations, this must be
done by the IT department.
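The store requirements listed above and the validity maintenance described in the notice can be checked with a short script. The following PowerShell is an added example, not part of the Desigo CC documentation or tooling; the function name, the thumbprint parameter and the 30-day warning window are assumptions. It handles RSA keys only and must be run from an elevated session so the private key can be opened.

```powershell
# Added example: audit one certificate against the store requirements above.
# $Thumbprint is a placeholder; pass the thumbprint of your own certificate.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [int] $WarnDays = 30   # assumed warning window, not a value from the manual
)

function Test-WebServerCertificate {   # hypothetical helper name
    param([string] $Thumbprint, [int] $WarnDays)

    # Requirement: certificate lives in Local machine\Personal.
    $path = "Cert:\LocalMachine\My\$Thumbprint"
    if (-not (Test-Path $path)) {
        throw "Certificate $Thumbprint is not in Local machine\Personal."
    }
    $cert = Get-Item $path

    # Requirement: private key present and marked exportable.
    # CNG keys expose ExportPolicy; legacy CSP keys expose Exportable.
    $exportable = $false
    if ($cert.HasPrivateKey) {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($key -is [System.Security.Cryptography.RSACng]) {
            $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
            $exportable = $key.Key.ExportPolicy.HasFlag($allow)
        } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $exportable = $key.CspKeyContainerInfo.Exportable
        }
    }

    # Requirement: the root of the chain is in Trusted Root Certification Authorities.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # no online revocation lookup
    $null = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootTrusted = ($root.Subject -eq $root.Issuer) -and
                   (Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)")

    [pscustomobject]@{
        Subject       = $cert.Subject
        SelfSigned    = $cert.Subject -eq $cert.Issuer
        HasPrivateKey = $cert.HasPrivateKey
        KeyExportable = $exportable
        RootInTRCA    = $rootTrusted
        NotAfter      = $cert.NotAfter
        ExpiresSoon   = $cert.NotAfter -lt (Get-Date).AddDays($WarnDays)
    }
}

Test-WebServerCertificate -Thumbprint $Thumbprint -WarnDays $WarnDays
```

Running the same check on each installed client, where only the RootInTRCA result applies, confirms that the trusted material has been distributed.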