User Manual

ManualsBrandsSiemens ManualsBuilding automationDesigo CC MP 5.0 BACnet Server, BACnet Protocol Implementation Conformance Statement (PICS), Basic Documentation

Network Security Controls

Intended Operational Environments

A6V11646120_enUS_b_40

47 | 85

Server Station

A single dedicated workstation with the following features:

● Desigo CC server is installed.

● Microsoft SQL Server is installed on the Desigo CC server.

● The server project folder is shared.

● The required certificates (SMC-created or commercial) are imported into the

Windows Certificate store:

– The root certificate is imported into the Trusted Root Certification Authorities

store.

– The host certificate and its private key are imported into the Personal store.

● The host certificate used must have a private key; no private key is needed for a

root certificate.

Remote Web Server (IIS) Station

This chapter describes how to configure the web server to use the same certificate for

both the website and the web application.

● The web client and Windows App client options require installing an optional web

server (IIS) component. When the web server (IIS) is installed on a separate

computer it is known as the remote web server (IIS).

● A remote web server (IIS) hosts websites and web applications. To simplify the

website configuration using SMC, it is recommended that you also install the

Desigo CC client (or FEP) component on this machine.

● The web application user on this remote web server has access rights on the

shared project folder on the server.

● The required certificates (SMC-created or commercial) are imported into the

Windows Certificate store:

– The root certificate of the host certificate provided for CCom port security is

imported into the Trusted Root Certification Authorities store.

– The communication between the web server and the web/Windows App clients

is always secured. Hence, the website and the web application creation

certificates are mandatory. Desigo CC supports using either the same or

different certificates for the website and the web application.

● When a commercial certificate is used for creating a website and web application,

then ensure the following:

– The commercial self-signed certificate must be imported into the Trusted Root

Certification Authorities and Personal stores of the Local machine store.

– The commercial host certificate, along with its private key, must be imported

into the Personal store and its root certificate must be imported into the

Trusted Root Certification Authorities store of the Local machine store.

● You can also configure a remote web server (IIS) as an installed client/FEP. This

will allow you to perform the client/server deployment scenario. For more

information, see the client/server deployment scenarios in the following section.

Security

● Secure server/remote web server (IIS) deployments require medium security

configuration setup.

● The component in the DMZ are exposed to the internet, therefore it is important to

keep them up to date to the latest security patches.