[Imported] Centralized IIS WebX

>>Message imported from previous forum - Category:ClearSCADA Software<<
User: florian, originally posted: 2018-10-25 19:32:19 Id:282
This is a re-posting from the obsoleted (October 2018) "Schneider Electric Telemetry & SCADA" forum.

-------------------------------

**_du5tin:_**
**_We did some testing today with the centralized WebX in CS2017R2. It is pretty nifty._**

**_A few things people might want to know:_**

**_- This IIS app requires that remote servers have proper public trusted TLS certificates installed for HTTPS to work between IIS and the remote server. To get everything working in my test setup I had to DISABLE HTTPS (even though its all internal network) and use only HTTP between IIS and the remote server._**

**_- The new WebX client site ran poorly on my mid-level client hardware (Core i5, Intel graphics, a typical client workstation setup). The fading GUI elements seemed to be the worst offenders. Not sure how it will scale yet in a corporate VDI or streaming app environment. Could be my browser, I did the testing in IE11._**

**_- Alarms from all servers appear in the alarm banners. You will likely want to get locked down if you put this into production._**

**_- It does pass thru original WebX graphics and data from older versions of ClearSCADA. CS2017R1 worked. CS2015R2 did not (might be my client setup though). Going to contact tech support and see._**

**_- No user mangement tools available on the IIS side yet. So still no way to know which user is connected to a session and no way to boot them to free a license if someone left their IE tab open and logged out for the weekend (you have no idea how often this happens! Ignition's unlimited clients looks **bleep** good right now...). Luckily licenses don't count if you're using IIS (see release notes, this is a temporary measure while this functionality is refined)._**

**_- Installation was decently easy. The WebX configuration tool where you configure the remote server links felt familiar (it is similar to the ViewX Configure Connections application)._**

**_- Configured servers are listed in a drop down above the username and password on the logon screen. Users can select the server to log onto._**

----------------------

trentonite:
Surprised nobody has responded to this yet. Thanks for your feedback on this. I did a good bit of testing on this myself and am still apprehensive about it all.

I too was shocked about the certificate stuff and needing to disable HTTPS. I found that if you list out A/B/C in the nodes that each one of them has to have HTTPS disabled as well due to the same certificate issue.

I hadn't noticed the alarms from all servers showing up yet but I'll take a stab at it and report back. One thing I noticed back on 2015 that has carried over to 2017R2 is that the performance of the new WebX interface is really bad if there are a large number of alarms.

Overall I think it's a step in the right direction, but one issue I see is that licenses still need to be distributed between all servers for some level of WebX redundancy for the clients. Upon installing I had expected to be able to allocate some licenses to the machine the IIS piece was installed on but that wasn't the case. In an environment with 3 servers and a max of 20 concurrent web users, you'd still need to get 20 licenses on all 3 servers to ensure full redundant connections for the client.

Additionally for the client, another worthwhile test would be to have node A and B licensed and see if the new web interface will connect a new client to node B if all licenses on A are used up.

------------

AWoodland:

Originally posted by: du5tin

- This IIS app requires that remote servers have proper public trusted TLS certificates installed for HTTPS to work between IIS and the remote server. To get everything working in my test setup I had to DISABLE HTTPS (even though its all internal network) and use only HTTP between IIS and the remote server.

I'm yet to try it but I believe if you install the self-signed certificate into the certificate store on server at the IIS end this allows it work. Not great nor very secure, it would still be much better to use a organisation/system wide self-managed CA root cert (or a proper cert).

---------------

**_du5tin:_**
**_I tried installing the certificate on the IIS end and I could not get it to work for me. However, it was the first time I tried installing a cert. on a windows box so i could have missed something._**

**_One of the other things I thought to try was an internal certificate authority on the network and issue certs internally for those boxes, but thats a bit outside my normal area of expertise!_**

----------------------------

**_du5tin:_**
**_I got some more information from SE on this. Apparently the 'self-signed' certificate issue is a limitation of the Microsoft IIS server. Solution is to use a public certificate or an internal certificate authority._**

**_Now I can go back to doing some more testing._**