Use Secure Web Ports with a Trusted SSL Certificate
Your Geo SCADA Expert system can be accessed via the Internet or a company intranet. To provide this functionality, Geo SCADA Expert uses web ports for both the Geo SCADA Expert web server (for Original WebX and other clients that use this web API) and for the Virtual ViewX web server. Both are accessed via local reverse proxies. The configuration of each is managed using the Windows IIS Manager tool, although the Geo SCADA Expert web server requires additional configuration within the Geo SCADA Expert Server Configuration tool to match the IIS settings. This topic focuses on the web port configuration that relates to the Geo SCADA Expert web server (for Original WebX and other clients that use this web API). Please consult Windows help for assistance in setting up IIS securely.
There are two sets of web ports:
- Non-secure web ports—These ports allow Original WebX and other clients to access Geo SCADA Expert via the standard HTTP protocol.
The standard HTTP protocol is not encrypted. The communications traffic between the client and server can be seen by anybody who has physical access to the network and appropriate network monitoring tools.
- Secure web ports—These ports allow Original WebX and other clients to access Geo SCADA Expert via the secure HTTPS protocol.
The standard HTTPS protocol is encrypted. If somebody is monitoring the network, they will be unable to see the content of the traffic between the client and server.
When a web browser accesses a web server via HTTPS (HTTP over SSL/TLS), the web server presents its SSL certificate during the connection handshake. The web browser uses the information in the certificate to:
- check that the web browser is communicating with the correct web server
- establish a secure encrypted connection to that web server.
If the deprecated HTTPS port within Geo SCADA Expert is used instead of the recommended IIS reverse proxy, then an SSL certificate has to be configured in the Geo SCADA Expert web server. In this case, if an administrative user has not already configured an SSL certificate in the web server, Geo SCADA Expert will automatically create a top-level non-trusted SSL certificate for that web server.
If a non-trusted SSL certificate (such as the server-generated one mentioned previously, or a self-signed certificate configured in IIS) is used, the Original WebX or other client will display warning messages when users access the system. The exact warning message depends on the browser, but typically might be 'There is a problem with this website’s security certificate'. Some users may find these warning messages distracting, although they do not affect their ability to interact with your Geo SCADA Expert system.
If a trusted SSL certificate is used, the client is able to verify that it is connecting to the expected server, and so there are no warning messages shown when a client accesses the secure web server ports.
We recommend that you obtain trusted SSL certificates for your web servers as this will mean that users do not receive distracting warning messages.
Alternatively, you can either:
- Obtain a publicly signed certificate from a zero-cost provider.
- Create a self-signed certificate.
For more information, see the Geo SCADA Expert Knowledge Base.
We also recommend you review your security options and establish appropriate security for your web server.
Recommended security:
- Obtain and install a web server certificate
- Clear the 'Allow logon and database writes over non-secure HTTP' setting
- Select the 'Allow local connections only' setting for the Listen port
- Use the IIS reverse proxy to perform TLS termination for the clients (such as Original WebX clients) that use this web API to access the Geo SCADA Expert server
- Use a proxy server or proxy firewall for communications with the clients (such as Original WebX clients) that use this web API to access the Geo SCADA Expert server
- Set limits on the number of HTTP/2 settings parameters to help prevent malicious tuning of Windows to throttle HTTP/2 options. For more information, see the following:
Increased security:
- Obtain and install a web server certificate
- Clear the 'Allow logon and database writes over non-secure HTTP' setting
- Disable the HTTP port within the IIS reverse proxy
- Select the 'Allow local connections only' setting for the Listen port
- Use the IIS reverse proxy to perform TLS termination for the clients (such as Original WebX clients) that use this web API to access the Geo SCADA Expert server
- Use a proxy server or proxy firewall for communications with the clients (such as Original WebX clients) that use this web API to access the Geo SCADA Expert server
- Set limits on the number of HTTP/2 settings parameters to help prevent malicious tuning of Windows to throttle HTTP/2 options. For more information, see the following:
We recommend that you do not:
- Clear the 'Allow local connections only' setting for the Listen port
- Enable the deprecated HTTPS port within the 'HTTPS Support' section for the Geo SCADA Expert web server
- Use the default server generated non-trusted web server certificate
- Select the 'Allow logon and database writes over non-secure HTTP' setting.
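The certificate verification described earlier and several of the settings listed above can be checked after configuration from a workstation on the LAN. The following PowerShell script is an added example and is not part of the Geo SCADA Expert documentation or product. It assumes placeholder values for the reverse proxy host name, the server's LAN address, the web server Listen port and the IIS site name; it connects to the proxy the way a browser would and lets the Windows trust store decide whether the certificate is trusted, tries the Listen port from a non-loopback address to confirm 'Allow local connections only' is in effect, and lists any plain HTTP bindings left on the IIS site.

```powershell
# Added example check script; not part of the Geo SCADA Expert documentation or product.
# All host names, addresses, the Listen port and the IIS site name are placeholders/assumptions.
param(
    [string]$ProxyHost        = 'scada.example.com',  # placeholder: public name of the IIS reverse proxy
    [int]   $ProxyPort        = 443,
    [string]$ServerLanAddress = '192.0.2.10',         # placeholder: non-loopback address of the Geo SCADA Expert server
    [int]   $ListenPort       = 80,                   # assumption: the web server Listen port behind the proxy
    [string]$IisSiteName      = 'Default Web Site'    # assumption: IIS site hosting the reverse proxy
)

function Test-TrustedCertificate {
    # Connect as a browser would and let the Windows trust store validate the chain.
    # AuthenticateAsClient throws AuthenticationException when the certificate is
    # untrusted (self-signed or server-generated), which is what users see as a warning.
    param([string]$HostName, [int]$Port)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            [pscustomobject]@{
                Trusted    = $true
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                NotAfter   = $cert.NotAfter
                Protocol   = $ssl.SslProtocol
            }
        } catch [System.Security.Authentication.AuthenticationException] {
            [pscustomobject]@{ Trusted = $false; Reason = $_.Exception.Message }
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }
}

function Test-ListenPortLocalOnly {
    # With 'Allow local connections only' set, a TCP connect to the server's LAN address
    # on the Listen port should be refused (or dropped by a firewall, which times out).
    # A successful connect means the Listen port is exposed beyond the local machine.
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 2000)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $task = $client.ConnectAsync($Address, $Port)
        $finished = $task.Wait($TimeoutMs)
        $accepts = $finished -and $client.Connected
    } catch {
        $accepts = $false   # connection refused or reset
    } finally { $client.Dispose() }
    [pscustomobject]@{ Address = $Address; Port = $Port; AcceptsRemote = $accepts; LocalOnly = -not $accepts }
}

function Get-PlainHttpBindings {
    # 'Increased security' disables the HTTP port on the reverse proxy: any http binding
    # still present on the site is reported here. Requires the IIS WebAdministration module.
    param([string]$SiteName)
    Import-Module WebAdministration -ErrorAction Stop
    Get-WebBinding -Name $SiteName -Protocol http | Select-Object protocol, bindingInformation
}

$certResult = Test-TrustedCertificate -HostName $ProxyHost -Port $ProxyPort
$certResult | Format-List
if (-not $certResult.Trusted) {
    Write-Warning "Clients will show certificate warnings: $($certResult.Reason)"
} elseif ($certResult.SelfSigned) {
    Write-Warning 'Certificate is self-signed; it is trusted only on machines that have imported it.'
}

$listen = Test-ListenPortLocalOnly -Address $ServerLanAddress -Port $ListenPort
if ($listen.AcceptsRemote) {
    Write-Warning "Listen port $ListenPort accepts non-local connections; select 'Allow local connections only'."
}

$http = Get-PlainHttpBindings -SiteName $IisSiteName
if ($http) {
    Write-Warning "Plain HTTP bindings remain on '$IisSiteName':"
    $http | Format-Table -AutoSize
}
```

Run the first two checks from a machine other than the Geo SCADA Expert server, since a connection from the server itself is a local connection and would pass the Listen port check regardless of the setting. The binding check must run on the IIS host (or a host with the IIS management tools installed), and a self-signed certificate that you have deliberately imported into the trust store will report as trusted but self-signed, so that case is flagged separately.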
For more information, see Configuring Security and Connection Settings for Original WebX Clients.