How do I Encrypt Communications from a Webserver?

brian@applied.co.uk
Posts: 11
Joined: Thu Nov 19, 2015 4:35 pm

How do I Encrypt Communications from a Webserver?

Post by brian@applied.co.uk »

We have a setup on a customer's site with a main WinCC OA server in a secure network (dedicated subnet) with a second PC acting as a WebServer. All users connect to the system via the WebServer.

There is a firewall between MainServer and WebServer that permits access to the MainServer only from the WebServer. Users do not have direct access to MainServer.

All this is working fine, but the customer has asked if communications between WebServer and MainServer can be encrypted.

As I understand the setup of the system at the moment, communications between users and the WebServer are encrypted, but communications between WebServer and MainServer are not.

Users connect to the Webserver with the Desktop UI.

The Webserver runs a ReportingServer (they have BIRT reporting) and a control manager to provide web connectivity for the users (via the supplied webclient_http.ctl script). The config.webclient file on the WebServer has the following entries:

[general]
data = "MainServer"
event = "MainServer"
mxProxy = "MainServer WebServer cert"

The Webserver allows only https access on port 443. Port 80 is used by the ReportingServer. This is implemented with the following entries in the main config file of WebServer:

[general]
data = "MainServer"
event = "MainServer"

[proxy]
server = "MainServer:4897"
server = "MainServer:4998"

[reporting]
httpPort = 80
httpAuth = 0
NofThreads = 25

[webClient]
httpPort = 0
httpsPort = 443

Have I understood correctly: encrypted communications between users and WebServer; unencrypted communications between WebServer and MainServer?

I thought that to establish encrypted communications between WebServer and MainServer all that would be required would be to replicate the mxProxy entry that is in config.webclient in the config file too, i.e. the [general] section of the main config file on WebServer would become

[general]
data = "MainServer"
event = "MainServer"
mxProxy = "MainServer WebServer cert"

But when I do this, ReportingServer and the ControlManager on Webserver do not connect to MainServer. The log viewer reports:

WCCOAreporting(0), 2020.09.29 16:35:28.593, SYS, INFO, 101, Connection to (SYS: 0 Data -num 0 CONN: 1) @ MainServer:4897 failed, new attempt in 20 secs

The system is using default certificates, and is using v3.16 P019 of WinCC OA. Operating system is Windows Server 2016. The PMon on both systems are started as Windows services.

Multiplexing Proxy is running only on MainServer. There is one relevant config entry on that system: mxProxy = "none"

How do I establish encrypted communications between WebServer and MainServer?

gschijndel
Posts: 373
Joined: Tue Jan 15, 2019 3:12 pm

Re: How do I Encrypt Communications from a Webserver?

Post by gschijndel »

brian@applied.co.uk wrote: Tue Sep 29, 2020 6:13 pm
As I understand the setup of the system at the moment, communications between users and the Multiplexing Proxy are encrypted, but communications between Multiplexing Proxy and MainServer are not.

The Multiplexing Proxy is not able to connect to another Multiplexing Proxy.

By placing a reverse proxy server in the DMZ the complete communication between the DesktopUIs and the WinCC OA servers in the secured zone can be encrypted. The white paper 'WinCC OA secured by Apache' provides more information on this, which can be found in the downloads section.
An alternative would be to run the ULC UX UIs in the DMZ with the multiplexing proxy in the secured zone.
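Whether a given hop is encrypted can be checked from a packet capture rather than inferred from the config. The following is an added example, not part of the thread or of WinCC OA: it classifies the first payload bytes of a TCP connection by looking for a TLS record header. It assumes the encrypted hops use TLS; the sample bytes and hop labels are constructed from the ports named in the question.

```python
import struct

RECORD_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data
MAX_RECORD_LEN = 2**14 + 2048    # largest ciphertext record allowed by TLS 1.2


def classify(payload: bytes) -> str:
    """Classify the first bytes a client sends on a new TCP connection."""
    if len(payload) < 5:
        return "not-tls"  # too short to hold a TLS record header
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    # The record-layer version field is 3.0 .. 3.4 for SSL 3.0 through TLS 1.3.
    if ctype not in RECORD_TYPES or major != 3 or minor > 4:
        return "not-tls"
    if not 0 < length <= MAX_RECORD_LEN:
        return "not-tls"
    # A fresh TLS connection starts with a handshake record carrying ClientHello (type 1).
    if ctype == 22 and len(payload) > 5 and payload[5] == 1:
        return "tls-client-hello"
    return "tls-record"


# Constructed samples (not captured from a real system):
# a truncated ClientHello record, and a plain HTTP request line.
CLIENT_HELLO = bytes.fromhex("1603010200010001fc0303")
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: WebServer\r\n\r\n"

SAMPLES = {
    "user -> WebServer:443": CLIENT_HELLO,
    "client -> WebServer:80": HTTP_REQUEST,
}


def audit(samples: dict) -> dict:
    """Map each hop label to its classification."""
    return {hop: classify(data) for hop, data in samples.items()}


if __name__ == "__main__":
    for hop, verdict in audit(SAMPLES).items():
        print(f"{hop}: {verdict}")
```

To use it on a real capture, feed `classify` the first client-to-server payload of each connection on the WebServer-to-MainServer link. A `not-tls` verdict there means that hop is not wrapped in TLS.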
