Configure an Industrial Graphics Server using a Secure Gateway
Last updated: Jul 13, 2023
This topic provides the instructions required to set up an Industrial Graphics Server that needs to communicate with web clients located outside your SCADA system network. It explains how to secure the server with a Secure Gateway using a reverse proxy server.
The examples in this document are based on the following system architecture:

- computer1 is the computer name of the System Management Server.
- computer2 is the computer name of the Industrial Graphics Server.
- computer3 is the computer name of the Secure Gateway.
Confirm the Industrial Graphics Server is working
Before you configure the Secure Gateway, you need to confirm that the Industrial Graphics Server is set up correctly.
To do this, enter the following address into a browser on a computer within the plant network.
https://computer2/aig
If the Industrial Graphics Web Client does not display, see the section on securing clients within your plant network in the topic Secure the Industrial Graphics Web Client.
Set up the Secure Gateway
The first step is to set up computer3, the Secure Gateway installed in a demilitarized zone (DMZ). This requires the installation of a reverse proxy server to protect the identity of the Industrial Graphics Server from external computers connecting via the Internet.
For this, you will need a valid SSL certificate (.key and .pem files) issued by an authorized entity. This certificate will be used later to set up the System Management Server.
Note: Self-signed certificates are not recommended for production environments.
Set up the System Management Server
Make the following changes on the System Management Server (computer1).
- Add the SSL certificate from the Secure Gateway (computer3).
  You need to import the certificate to the Trusted Root.
- Open the appsettings.json file for editing.
  This file is part of the Platform Common Services installation on the System Management Server. It is located here:
  C:\Program Files (x86)\AVEVA\Platform Common Services\Management Server
- Add the "PublicOrigin" property to the AppSetting section of the file in the format specified below. Use a fully-qualified domain name (FQDN) to identify the Secure Gateway computer.
  "PublicOrigin": "https://computer3.mydmzdomain.com"
  Specify the port number if it is not 443.
  "PublicOrigin": "https://computer3.mydmzdomain.com:<portNumber>"
- Reconfigure the System Management Server.
  Go to the System Management Server page in Configurator and confirm that "This machine is the System Management Server" is selected.
  Click the Configure button.
  The changes you have made to the PublicOrigin property will be evident in the Configuration Messages panel. For example, the System Management Server will now be identified by the FQDN of the Secure Gateway computer.
- You will need to enter the login details for a domain user to connect to the Secure Gateway computer.
If the configuration process is not successful, try the following:
- Ping the Secure Gateway computer before you attempt to configure the System Management Server.
- Confirm that the Secure Gateway SSL certificate has been added correctly.
Set up the Industrial Graphics Server
Note: Before you commence, you should confirm that your Plant SCADA project includes the "BUILTIN\Administrators" role. Check the Roles view in Plant SCADA Studio's Security activity.
Make the following changes on the Industrial Graphics Server (computer2).
- Add the SSL certificate from the Secure Gateway.
  You need to import the certificate to the Trusted Root.
- Open the appsettings.json file for editing.
  This file is part of the Platform Common Services installation on the Industrial Graphics Server. It is located here:
  C:\Program Files (x86)\AVEVA\Platform Common Services\Management Server
- Add the "PublicOrigin" property to the AppSetting section of the file in the format specified below. Use a fully-qualified domain name (FQDN) to identify the Secure Gateway computer.
  "PublicOrigin": "https://computer3.mydmzdomain.com"
  Specify the port number if it is not 443.
  "PublicOrigin": "https://computer3.mydmzdomain.com:<portNumber>"
- Open Configurator on the Industrial Graphics Server.
- Go to the System Management Server page and confirm that "Connect to an existing System Management Server" is selected.
- Enter the FQDN for the Secure Gateway computer (for example, computer3.mydmzdomain.com).
- Click the Configure button.
  The changes you have made to the PublicOrigin property should be evident in the Configuration Messages panel.
- In Configurator, go to the Authentication Settings page.
  Note: The changes to the PublicOrigin setting on the System Management Server will be reflected on the Authentication Settings page. While the FQDN of the Secure Gateway computer is displayed in the System Management Server field, the SMS will continue to operate on the computer on which it was originally configured.
- Enter the FQDN for the Secure Gateway computer in the Secure Gateway field.
- Click the Configure button.
When these steps are complete, you can log in to the Industrial Graphics Web Client via the Secure Gateway computer using the following address:
https://computer3/aig
If you attempt to log in from a computer within the plant network, you can access the Industrial Graphics Server directly using the following address:
https://computer2/aig
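
The troubleshooting checks above (PublicOrigin format, certificate in the Trusted Root, reachability of the Secure Gateway) can be scripted on computer1 and computer2 before clicking Configure. This is an added example, not AVEVA code; it assumes "AppSetting" is a top-level object in appsettings.json, and the function names are hypothetical.

```powershell
# Added example (not AVEVA code). Assumption: "AppSetting" is a top-level
# object in appsettings.json. Function names are hypothetical.
function Test-PublicOrigin {
    param([Parameter(Mandatory)][string]$JsonText)
    $issues = New-Object System.Collections.Generic.List[string]
    $origin = ($JsonText | ConvertFrom-Json).AppSetting.PublicOrigin
    $uri = $null
    if (-not $origin) {
        $issues.Add('PublicOrigin is missing from the AppSetting section')
    } elseif (-not [Uri]::TryCreate($origin, [UriKind]::Absolute, [ref]$uri)) {
        $issues.Add("PublicOrigin is not an absolute URL: $origin")
    } else {
        if ($uri.Scheme -ne 'https') { $issues.Add('scheme must be https') }
        if ($uri.HostNameType -ne 'Dns' -or $uri.Host -notlike '*.*') {
            $issues.Add('host must be the FQDN of the Secure Gateway, not a short name or IP address')
        }
        if ($uri.PathAndQuery -ne '/') { $issues.Add('value must not carry a path or query') }
    }
    [pscustomobject]@{ Origin = $origin; Uri = $uri; Issues = $issues.ToArray() }
}

function Get-GatewayRootCert {
    param([Parameter(Mandatory)][string]$HostName)
    # Exact-name match only; a wildcard certificate is not matched by this filter.
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.DnsNameList.Unicode -contains $HostName -and $_.NotAfter -gt (Get-Date) }
}

# Constructed sample in the page's format; it deliberately uses a short host name.
$sample = '{ "AppSetting": { "PublicOrigin": "https://computer3" } }'
(Test-PublicOrigin -JsonText $sample).Issues

# On computer1 or computer2: check the real file, the trust store and reachability.
$dir  = 'C:\Program Files (x86)\AVEVA\Platform Common Services\Management Server'
$file = Join-Path $dir 'appsettings.json'
if (Test-Path $file) {
    $r = Test-PublicOrigin -JsonText (Get-Content $file -Raw)
    $r.Issues | ForEach-Object { Write-Warning $_ }
    if ($r.Uri) {
        if (-not (Get-GatewayRootCert -HostName $r.Uri.Host)) {
            Write-Warning "No unexpired certificate for $($r.Uri.Host) in LocalMachine\Root"
        }
        $tcp = Test-NetConnection -ComputerName $r.Uri.Host -Port $r.Uri.Port -WarningAction SilentlyContinue
        if (-not $tcp.TcpTestSucceeded) { Write-Warning "Cannot reach $($r.Uri.Host):$($r.Uri.Port)" }
    }
}
```

Run it in an elevated Windows PowerShell session on each server; no warnings means the PublicOrigin value, the imported certificate and the network path to the Secure Gateway are consistent with the steps above.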