Secure the Industrial Graphics Web Client

A System Management Server (SMS) allows an Industrial Graphics Web Client to be used securely with the HTTPS protocol. You will need to connect an Industrial Graphics Server to an SMS to secure client access.

As an administrator, there are two configuration options available for user authentication and security. The option you chose will depend on whether or not you need to expose the Industrial Graphic Server to clients that exist outside your SCADA system network.

If this is the case, you need to use a Secure Gateway installed in a demilitarized zone (DMZ) to intercept requests from clients. This will use a reverse proxy server to protect the identity of the Industrial Graphics Server from external computers connecting via the Internet.

Securing clients within your plant network

To secure Industrial Graphics Web Clients that operate within your SCADA system network, use Configurator to set up the following:

• Authentication - Connect the Industrial Graphics Server to an SMS.

  See Use Configurator to Set Up an Industrial Graphics Server.

• Security Roles - Add the required users to one of the Industrial Graphics security roles on the Industrial Graphics Server.

  See Configure User Access for an Industrial Graphics Web Client.

Once this configuration is complete, the SMS can authenticate a Web Client user and provide an HTTPS connection to the Industrial Graphics Server.

Securing clients via a Secure Gateway server

To secure Industrial Graphics Web Clients that exist beyond your SCADA system network, use Configurator to set up the following:

• Authentication - Connect the Industrial Graphics Server to an SMS.

  For instructions, see Configure an Industrial Graphics Server using a Secure Gateway.

• Secure Gateway - Provide the Fully Qualified Domain Name of the reverse proxy server in Configurator's Secure Gateway field.

  For detailed configuration instructions, see Configure an Industrial Graphics Server using a Secure Gateway.

• Security Roles - Add the required users to one of the Industrial Graphics security roles on the Industrial Graphics Server.

  See Configure User Access for an Industrial Graphics Web Client.

Once this configuration is complete, the SMS can authenticate a Web Client user and provide an HTTPS connection to the Industrial Graphics Server via the Secure Gateway server.

If the Web Client page loads at runtime without a valid security token, the following will occur.

• The Web Client will redirect to a login page.

• The credentials entered by the user will be checked against the Active Directory.

• If the credentials are valid, then Active Directory will provide a security token and return it to the Web Client.

• The Web Client will then grant access to user with the token.

If a security token already exists, then the user will be granted access.

See Also

Log On to the Industrial Graphics Web Client