[Imported] Secure WebX Clients and Make 'new' WebX Default

>>Message imported from previous forum - Category:Scripts and Tips<<
User: mchartrand, originally posted: 2018-10-25 18:11:26 Id:265
This is a re-posting from the obsoleted (October 2018) "Schneider Electric Telemetry & SCADA" forum.

_______

**_du5tin:
I had setup a new development server and I was attempting to get 'new' WebX to come up as the default on the HTTPS port and ran in to some problems. Mimics would not display properly and queries would fail out. I was getting an Mimic cannot be displayed - Error 500 from 'new' WebX.
So I got some tips from tech support. If you have a 'non-standard' web client setup then you might have to change some settings in IIS to get it to work. Instructions on my blog (because screenshots on this forum are a PITA!).
[https://du5tin.com/2017/06/28/secure-clearscada-webx/](https://du5tin.com/2017/06/28/secure-clearsca... "https://du5tin.com/2017/06/28/secure-clearscada-webx/")
I turned off all the HTTP ports in the server configuration and in IIS. Then I set IIS to port 443 and ClearSCADA's HTTPS port to 453 (swapping the typical installation defaults).
Once that is done 'new' WebX doesn't know how or where to talk to 'original' WebX for mimic graphics and the like. You need to open up IIS, click onto ClearSCADA-WebX and then double-click on Application Settings in the middle panel.
In the IIS WebX application settings you need to update the URLs that link to ClearSCADA to reflect the changes you have made. After that you should be good to go. At least I was. _**

__________________

AWoodland:
Great article Dustin, some suggestions to take it to the next level:

- IIS by default supports weak protocols and ciphers (unlike the old WebX which ClearSCADA had control over), where your clients support it need to block the weak protocols (e.g. SSL3 and earlier) and ciphers (lots)
- Tools such as https://www.ssllabs.com/ssltest/analyze.html and https://securityheaders.io/ (if Internet facing) can help you identify the weaknesses
- If not Internet facing there are some offline tools like sslyze that can do similar, just not anywhere near as pretty and easy to interpret!
- Even if you do use the offline tool, those websites have plenty of information on how to configure IIS to be more secure, for example ssllabs reference https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12 which has a Powershell script you can run that modifies a load of security settings to help harden the IIS

And as always, make sure you keep IIS and the rest of Windows patched with suitable security software. Ideally whitelisting on the server and some deep packet inspection on the web traffic would be nice (more so if Internet facing) but as a minimum properly managed AV.
One thing I have wanted to try just not had time yet is to configure a 'proxy IIS', i.e. have the real WebX in some secure enviroment and then have a more exposed IIS, perhaps Internet facing, using something like URL Rewrite to proxy the traffic. That has a few advantages like if the more vulnerable IIS gets infected easier to just re-install and re-config than a server with the full ClearSCADA. Your example with switching ports becomes easier, the proxy IIS can just rewrite to the port of your choose, will also help with cut-over maybe?
Food for thought really, now they use IIS the possibilities are massive.
Also remember that the old WebX is still used for scripting, as of CS2017R1 for anyone reading this in the future, so you can't get rid of it. If you change the ports then all you need do is restart ViewX (also also ensure any host or network firewalls accept the new ports, that catches people out too)