Virtual ViewX Setup

📖 Home  Back  

Virtual ViewX Setup and Security Information

Virtual ViewX is part-OT and part-IT technology. Setup can be demanding particularly if the Windows server on which it is installed has been modified for some policies or settings specific to an end user environment. The guides below should help with security and troubleshooting.

 

Virtual ViewX Security

Virtual ViewX is configured by a combination of settings in the Virtual ViewX area and Internet Information Server (IIS). The following items are recommended:

 

Disable Legacy TLS within the IIS Web Server

You should disable older insecure TLS features within Virtual ViewX and the Geo SCADA Expert RP (Reverse Proxy). Find these web sites within the IIS Manager. For each one select Bindings near the top of the right-hand pane. Select the https binding and then select Edit.... Finally select the option Disable Legacy TLS.

 

Enable HSTS Within the IIS Web Server

HTTP Strict Transport Security (HSTS) is a widely supported standard that helps protect website visitors by ensuring that their browser always connects using an HTTPS connection. The certificate used to encrypt the session must be valid and trusted by the client.

The HSTS options can be found by navigating to the Geo SCADA reverse proxy website in IIS Manager and then clicking the HSTS link at the bottom of the right-hand pane. This will show a configuration dialog for enabling HSTS.

Customize the Virtual ViewX Web Headers

The web headers published to Virtual ViewX are used to control browser behavior, for example the ability to embed Virtual ViewX within other web pages. The headers are configurable within the file C:\Program Files\Schneider Electric\VirtualViewX\web-headers.json

 

To configure alternative options we recommend that you copy this file to C:\ProgramData\Thinfinity\VirtualUI\web-headers.json and make your changes. This will ensure that your customizations are not overwritten after a Virtual ViewX upgrade.

 

We recommend that the following lines are added/changed. Edit this line for "frame ancestors".

 

 

 

"frame-ancestors": "none",

 

 

 

And add this line under the item "X-XSS-Protection".

 

 

 

"X-Frame-Options": "deny",

 

 

 

Disable Autocomplete for the Login form

We recommend you disable automatic form completion for the login password. You can do this by changing an attribute in the login.html file. The file is located at C:\Program Files\Schneider Electric\VirtualViewX\web

Change:

 

 

 

<input type="password" name="password" id="password" value="" placeholder="Password" autofocus required autocomplete="password" />

 

 

 

To:

 

 

 

<input type="password" name="password" id="password" value="" placeholder="Password" autofocus required autocomplete="off" />

 

 

 

Make cookies secure through IIS Rewrite

When using Virtual ViewX on Windows Server, the HTTP web site on port 6580 (default) is made more secure using IIS on port 85 (default) and the Rewrite module. However, the HTTP port issues standard cookies but it is more secure if the Rewrite module changes these to secure cookies. Do this by editing the web.config file in the folder: C:\Program Files\Schneider Electric\ClearSCADA\RootHost

 

Insert these lines after </rules> and before </rewrite> (those lines included here).

 

 

            </rules>
            <outboundRules>
                <rule name="Ensure secure Cookies" preCondition="Missing secure cookie">
                    <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
                    <action type="Rewrite" value="{R:0}; secure" />
                </rule>
                <preConditions>
                    <preCondition name="Missing secure cookie">
                        <!-- Don't remove the first line here -->
                        <add input="{RESPONSE_Set_Cookie}" pattern="." />
                        <add input="{RESPONSE_Set_Cookie}" pattern="; secure" negate="true" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>

 

 

 

What should I check if Virtual ViewX does not work?

The Geo SCADA Installation Guide, plus the Release Notes for Geo SCADA 2019 provide guides for setup, particularly when upgrading systems. It has advice to help you upgrade to Virtual ViewX.

 

We also provide the troubleshooting document attached to this article below:

Geo SCADA Virtual ViewX Troubleshooting Guide-xx.pdf

This document helps you with:

• Setup
• How it Works
• Logging
• Users and Security
• Tips

If you need some help with getting Virtual ViewX working - and there are sometimes problems because Virtual ViewX is at the intersection of OT and IT, please read the above guide.

 

Latest changes: 17 Dec 2024. Version 1i . Extended the ini section for logging.

 

Notes on using INI files to log Virtual ViewX activity

Please use the latest set of INI files to specify log files. This is in the attachment below.

a) Delete existing logs in c:\Logs\*, or create folder if it does not exist.

b) Copy in just 3 files:

• VirtualUISdk.ini and 
• Thinfinity.VirtualUI.ini and
• Thinfinity.VirtualUI.Server.ini to Program Files\Schneider Electric\VirtualViewX\bin32

c) Copy in ALL ini files to Program Files\Schneider Electric\VirtualViewX\bin64

d) Restart the ThinfinityVUISvcMgr service

e) Reproduce the issue

f) Delete only the INI files you added and then restart the ThinfinityVUISvcMgr service

This will reduce the chance that the logs are too large, and reduce the affect on performance and disk space by the logging.

It may be appropriate to enable browser traffic logging using the client browser's 'More Tools | Developer Tools' menu. Click the 'Network' menu, then toolbar item 'Clear Network Log' before the test, then click the toolbar item 'Export HAR...' when the test has completed.

 

Virtual ViewX and Single Sign-On

Geo SCADA uses the AVEVA Systems Management Server software and its AVEVA Identity Management features to provide Single Sign-on for ViewX (from Geo SCADA Expert 2023) and Single Sign-on for Virtual ViewX (from Geo SCADA Expert 2023, Update March 2024, further updates in November 2024).

The attached document Geo SCADA VVX and SSO Setup Guide Vxx.pdf is a worked example sequence of setup screens which may help you when setting it up.