How do I Encrypt Communications from a Webserver?
Posted: Tue Sep 29, 2020 6:13 pm
We have a setup on a customer's site with a main WinCC OA server in a secure network (dedicated subnet) with a second PC acting as a WebServer. All users connect to the system via the WebServer.
There is a firewall between MainServer and WebServer that permits access to the MainServer only from the WebServer. Users do not have direct access to MainServer.
All this is working fine, but the customer has asked if communications between WebServer and MainServer can be encrypted.
As I understand the setup of the system at the moment, communications between users and the WebServer are encrypted, but communications between WebServer and MainServer are not.
Users connect to the Webserver with the Desktop UI.
The Webserver runs a ReportingServer (they have BIRT reporting) and a control manager to provide web connectivity for the users (via the supplied webclient_http.ctl script). The config.webclient file on the WebServer has the following entries:
[general]
data = "MainServer"
event = "MainServer"
mxProxy = "MainServer WebServer cert"
The Webserver allows only https access on port 443. Port 80 is used by the ReportingServer. This is implemented with the following entries in the main config file of WebServer:
[general]
data = "MainServer"
event = "MainServer"
[proxy]
server = "MainServer:4897"
server = "MainServer:4998"
[reporting]
httpPort = 80
httpAuth = 0
NofThreads = 25
[webClient]
httpPort = 0
httpsPort = 443
Have I understood correctly: encrypted communications between users and WebServer; unencrypted communications between WebServer and MainServer?
I thought that to establish encrypted communications between WebServer and MainServer all that would be required would be to replicate the mxProxy entry that is in config.webclient in the config file too, i.e. the [general] section of the main config file on WebServer would become
[general]
data = "MainServer"
event = "MainServer"
mxProxy = "MainServer WebServer cert"
But when I do this, ReportingServer and the ControlManager on Webserver do not connect to MainServer. The log viewer reports:
WCCOAreporting(0), 2020.09.29 16:35:28.593, SYS, INFO, 101, Connection to (SYS: 0 Data -num 0 CONN: 1) @ MainServer:4897 failed, new attempt in 20 secs
The system is using default certificates, and is using v3.16 P019 of WinCC OA. Operating system is Windows Server 2016. PMon on both systems is started as a Windows service.
Multiplexing Proxy is running only on MainServer. There is one relevant config entry on that system: mxProxy = "none"
How do I establish encrypted communications between WebServer and MainServer?
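A config review for the setup described in the post, as an added example that is not part of the original post and not WinCC OA code: it parses the WebServer config (keeping the repeated `server` keys) and lists the entries that decide whether a path is encrypted. The function names are hypothetical, and reading `mxProxy` as "target host, proxy host, security mode" is an assumption taken from how the entries on the page are written.

```python
import re

# Constructed input: WebServer main config from the post, with the mxProxy line the poster tried.
WEBSERVER_CONFIG = """
[general]
data = "MainServer"
event = "MainServer"
mxProxy = "MainServer WebServer cert"
[proxy]
server = "MainServer:4897"
server = "MainServer:4998"
[reporting]
httpPort = 80
httpAuth = 0
[webClient]
httpPort = 0
httpsPort = 443
"""

def parse_config(text):
    """Return (section, key, value) tuples; repeated keys such as 'server' are kept."""
    entries, section = [], None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            entries.append((section, key.strip(), value.strip().strip('"')))
    return entries

def audit(text, proxy_hosts):
    """List settings to review. Assumes mxProxy = "<target> <proxy host> <mode>" or "none";
    proxy_hosts is the set of hosts where a proxy is known to run."""
    findings = []
    for section, key, value in parse_config(text):
        if key == "mxProxy":
            parts = value.split() or [""]
            if parts[-1] == "none":
                findings.append(f"[{section}] mxProxy: no proxy/encryption ({value})")
            elif len(parts) == 3 and parts[1].split(":")[0] not in proxy_hosts:
                findings.append(f"[{section}] mxProxy: no proxy runs on {parts[1]}")
        elif key == "httpPort" and value != "0":
            findings.append(f"[{section}] plain HTTP listener on port {value}")
        elif key == "httpAuth" and value == "0":
            findings.append(f"[{section}] httpAuth = 0")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEBSERVER_CONFIG, proxy_hosts={"MainServer"})))
```

The `proxy_hosts` set reflects the post's statement that the Multiplexing Proxy runs only on MainServer.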