Use Secure Web Ports with a Trusted SSL Certificate
Your Geo SCADA Expert system can be accessed via the Internet or a company intranet. To provide this functionality, Geo SCADA Expert uses web ports for both the legacy Geo SCADA Expert web server (for Original WebX) and for the IIS web server (for Virtual ViewX). The latter configuration is managed using the Windows IIS settings tool. Please consult Windows help for assistance in setting up IIS securely.
There are two sets of web ports:
- Non-secure web ports—These ports allow an Original WebX client to access Geo SCADA Expert via the standard http protocol.
The standard http protocol is not encrypted. The communications traffic between the client and server can be seen by anybody who has physical access to the network and appropriate network monitoring tools.
- Secure web ports—These ports allow an Original WebX client to access Geo SCADA Expert via the secure https protocol.
The standard https protocol is encrypted. If somebody is monitoring the network, they will be unable to see the content of the traffic between the client and server.
When a web browser accesses a web server via the secure sockets protocol (https), the web browser will request the server's SSL certificate. The web browser uses the information in the certificate to:
- check that the web browser is communicating with the correct web server
- establish a secure encrypted connection to that web server.
If an administrative user has not already configured an SSL certificate in the web server, Geo SCADA Expert will automatically create a top-level non-trusted SSL certificate for that web server.
If the default, server-generated non-trusted SSL certificate is used, the Original WebX client will display warning messages when users access the system. The exact warning message depends on the browser, but typically might be "There is a problem with this website’s security certificate". Some users may find these warning messages distracting, although they do not affect their ability to interact with your Geo SCADA Expert system.
If a trusted SSL certificate is used, the Original WebX client is able to verify that it is connecting to the expected server, and so there are no warning messages shown when an Original WebX client accesses the secure web server ports.
We recommend that you purchase trusted SSL certificates for your web servers as this will mean that users do not receive distracting warning messages. We also recommend you review your security options and establish appropriate security for your web server.
Recommended security:
- Purchase and install a web server certificate
- Clear the "Allow logon and database writes over non-secure HTTP" setting
- Use a proxy server or proxy firewall for communications with Original WebX clients.
- Set limits on the number of HTTP/2 settings parameters to help prevent malicious tuning of Windows to throttle HTTP/2 options. For more information, see the following:
Increased security:
- Purchase and install a web server certificate
- Clear the "Allow logon and database writes over non-secure HTTP" setting
- Disable HTTP port(s)
- Use a proxy server or proxy firewall for communications with Original WebX clients.
- Set limits on the number of HTTP/2 settings parameters to help prevent malicious tuning of Windows to throttle HTTP/2 options. For more information, see the following:
We recommend that you do not:
- Use the default server-generated non-trusted web server certificate
- Select the "Allow logon and database writes over non-secure HTTP" setting.
For more information, see Setting Up Security for Virtual ViewX and Original WebX Clients.
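A client-side check of the network-visible items above, as an added example that is not part of the Geo SCADA Expert documentation: it performs the same chain and hostname verification a browser does against the secure web port and tests whether the non-secure port still accepts connections. The host name and both port numbers are supplied on the command line (none are taken from this page), and the function names are hypothetical.

```python
import socket
import ssl
import sys

def probe_https(host, port, timeout=5.0):
    """Handshake as a browser would: verify chain and hostname against this machine's trust store."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("trusted", tls.getpeercert().get("notAfter", ""))
    except ssl.SSLCertVerificationError as exc:
        # Server-generated or self-signed certificate, unknown CA, expiry or name mismatch.
        return ("untrusted", exc.verify_message)
    except OSError as exc:  # refused, timed out, or the port does not speak TLS
        return ("unreachable", str(exc))

def port_open(host, port, timeout=5.0):
    """True if something accepts TCP connections on the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def assess(https_result, http_open):
    """Map probe results onto the 'Recommended' and 'Increased' security lists."""
    status, detail = https_result
    findings = []
    if status == "untrusted":
        findings.append("HTTPS certificate not trusted by this client: " + detail)
    elif status == "unreachable":
        findings.append("Secure web port not reachable: " + detail)
    if http_open:
        findings.append("Non-secure HTTP port is open (disable it for increased security)")
    # The "Allow logon and database writes over non-secure HTTP" setting and the
    # proxy are not visible from the network; check them in the server configuration.
    if status != "trusted":
        level = "below recommended"
    elif http_open:
        level = "recommended"
    else:
        level = "increased"
    return level, findings

if __name__ == "__main__":
    # Usage (placeholders): python check_web_ports.py <host> <https_port> <http_port>
    host, https_port, http_port = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    level, findings = assess(probe_https(host, https_port), port_open(host, http_port))
    print("Network-visible level:", level)
    for finding in findings:
        print(" -", finding)
```

Run it from a machine that has the same trusted root certificates as the Original WebX clients, since trust is decided by the client's certificate store.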