Define the HTTPS Support for Original WebX Clients

ATTENTION: This section and associated topics apply to the Original WebX client only.

This topic relates to the HTTPS Support properties that are deprecated and provided as a fallback. The HTTPS Support properties will be removed in a future version of this product.

For improved security, instead of using the settings that are configured in the HTTPS Support section, Original WebX clients are now expected to connect to an IIS reverse proxy which connects to the Listen Port (see Define the Listen Port Settings for Original WebX Clients).

Although we do not recommend it, you can configure the Original WebX server to communicate with a Geo SCADA Expert server using an HTTPS port (rather than via a proxy). To do this:

  1. Display the Server Configuration Tool and log on if required.
  2. Expand the System Configuration branch of the tree-structure.
  3. Select the WebX entry.
  4. Use the fields in the deprecated HTTPS Support section to define the required settings:

    1. Select the Enable check box for the Original WebX clients to communicate using an HTTPS port, rather than via a proxy.

      (If you clear the Enable check box (the default on new installations), the fields in the rest of this section are grayed out and unavailable for use and you can ignore the rest of this topic. Use the Listen Port and Proxy sections, rather than this deprecated HTTPS Support section, to specify the settings that are required for the Original WebX Server. For more information, see the topics that are listed in the gray footer section at the bottom of this topic. Select the relevant entry to display the topic that you require.)

    2. Use the HTTPS Port field to specify the Web server's HTTPS Port. An HTTPS Port will provide secure access—the data in the traffic between the Geo SCADA Expert server and the Original WebX client is encrypted and is not susceptible to unauthorized access.

      The default port number on new installations is 0.

      Specify the number of an available port (typically, the high port numbers are available).

      There is no standard alternative port address—we recommend that you refer to the Internet Engineering Task Force website at http://www.IETF.org/rfc and search for RFC 1700 for details about which port numbers are available.

      To provide secure access, Geo SCADA Expert generates a top-level non-trusted SSL certificate. This type of certificate causes a warning message to be displayed, which can be distracting to some users. You can stop the warning message from appearing by using a trusted SSL certificate (see Define the Certificate Settings for Original WebX Clients).

      When the HTTPS Port is enabled, it always returns this port value to be used by the Web Server. If this port is using a self-signed certificate, the Web Server will not display any ActiveX content, for example Mimics.

    3. Use the next two fields to specify the encryption settings that exist on your system. The settings indicate the level of encryption that is used by Original WebX clients when connected to the Geo SCADA Expert Server. The primary reason for managing the level and type of encryption is to mitigate the POODLE (Padding Oracle On Downgraded Legacy Encryption) exploit, which takes advantage of clients using SSL 3.0 encryption.

      Older clients and servers may not support the newer TLS 1.0 encryption. In isolated installations, the use of the weaker SSL 3.0 encryption may be acceptable.

      • Minimum Supported Protocol—Use this combo box to select the minimum supported protocol that you want to implement for client connections:
        • SSL 3.0 (the weakest)
        • TLS 1.0
        • TLS 1.1 (the strongest)

        If a client does not support the required level of encryption protocol, the server can downgrade the protocol to allow the client to establish a connection, provided that Support TLS_FALLBACK_SCSV...is not selected.

      • Support TLS_FALLBACK_SCSV to help defend against downgrade attacks—Select this check box to stop connections being downgraded if the minimum required protocol is not supported by a client. This will cause some clients not to be able to connect to the server if the encryption level of the client does not match the server settings.
    4. Define the Certificate Settings for Original WebX Clients.
    5. Define whether the Self-Signed Certificate Warning is Shown in Original WebX.
  5. Apply the changes to the server.

Further Information

Check whether the specified port is being used by another service or application: see Information in the Geo SCADA Expert Guide to the Server Status Tool.


Geo SCADA Expert 2022