Setting up the Web Client

Scenario: You want to set up and work with the Web client on the Desigo CC Server with local web server (IIS) or on the remote web server (IIS) hosted on the Desigo CC Client/FEP.

For working with the local Web Client on the local web server (IIS) you can leave the web communication as Local.

For working with the remote Web Client, it is recommended to secure the communication between the Desigo CC Server and the remote web server (IIS).

In this workflow, Windows store based certificates are used to secure the communication between the Desigo CC Server and the remote web server (IIS).

It is recommended to secure the communication with the self-signed certificate. Alternatively, you can also use the host certificate.

For working with the Web Client, follow the Cybersecurity Guidelines.

NOTICE

Validity of Self-Signed Certificates

Self-signed certificates allow local deployments without the overhead of obtaining commercial certificates. When using self-signed certificates, the owner of the Desigo CC system is responsible for maintaining their validity status, and for manually adding them to and removing them from the list of trusted certificates.

Self-signed certificates must only be used in accordance with local IT regulations (several CIO organizations do not allow them, and network scans will identify them). Importing the commercial certificates follows the same procedures.

You must ensure the compliant installation of the trusted material on the involved machines, for example, on all Installed Clients. In some organizations, this must be done by the IT organization.

 

Reference: For background information, see the reference section.

 

Workflow diagram:

 

Prerequisites:

  • On the Server station:
  • On the remote web server (IIS) hosted on Client/FEP station:
    • The user that you are about to configure as a web application user is
      - a member of the IIS_IUSRS group and
      - added in the list of allowed users in the Project Shares expander of the linked Server project.
      - (Only applicable when the project that you are about to link to the web application is in distribution with other projects) added in the list of allowed users in the Project Shares expander of all the systems (projects) in the distribution with the system (project) linked to the web application.
    • The root certificate (.cer file) of the CCom host certificate of the linked Server project, is imported in the Trusted Root Certification Authorities (TRCA) store of the Local machine certificates store.
    • You have stopped the Default IIS Website using SMC.
    • (Applicable only for third-party websites/web applications) You have reviewed the tips for working with the third-party websites and web applications.
    • The website/web application certificate:
      - (recommended) Use the default set self-signed certificate or the self-signed certificate created at the time of website/web application creation.
      - The self-signed certificate is imported in the Personal, as well as the Trusted Root Certification Authorities store of Local machine certificates in the Windows Certificate store.
      - If a host certificate is used as a website/web application certificate, the host (.pfx) along with its exportable Private key and its root (.cer file) are imported in the appropriate Windows Certificate store. Otherwise, a chain validity message displays.
      - The host certificate is issued for the host name provided in the Host name field during website creation. Otherwise, you may encounter a Network Error (dns_unresolved_hostname).
      - If a multi-host certificate is used as a website/web application certificate, then the Subject Alternative Name (SAN) property must contain all its possible host names (see Add Entries in the V3.txt File for Creating a Multihost Certificate).
    • To run the Web client or Windows App client on IPv6 network enabled systems, see Configure the Web Server to Run on the Dual-Stack (IPv4 and IPv6) Network.

 

Steps:

1 – Enable Web Client
  1. Navigate to the path [installationdrive:]\[installationfolder]\GMSMainProject\bin.
  1. Right-click and edit the StartSmc.bat file in a text editor such as Notepad, or Notepad++.
  1. Append /EnableXbap switch at the end.
    For example, start Siemens.Gms.ApplicationFramework.exe /M:GMS /L:SMC.ldl /EnableXbap.
  1. Save the file.
  • You have enabled the Web Client by adding the /EnableXbap switch.

 

2 – Modify the Server Project Parameters

For launching the Web Client on the remote web server (IIS), it is recommended to set the Server Communication as Stand-alone and the Web Server Communication as Secured in the Communication Security expander in SMC. For a Server with a local web server (IIS), you can, however, leave the Server Communication as Stand-alone and the Web Server Communication as Local.

You also must share the Server project with the website/web application user using the Project Shares expander.

  • The Server project that you want to link to the web application is available under Projects after creation/restore and is Stopped.
  1. In the SMC tree, select Projects > [project].
  1. Click Edit.
  • Some fields of the Server Project Information and Communication Security expanders are enabled.
  1. In the Communication Security expander, do not modify the default (Stand-alone) Communication mode.
  1. In the Communication Security expander, provide the Web Server Communication details as follows:
  • For working with local web server (IIS): Change the default Communication mode (Disabled) by selecting Local from the drop-down list. This enables the communication between the CCom port and web server (IIS), without certificates.
  • For working with remote web server (IIS): (recommended) Change the default Communication mode as Secured from the drop-down list. This enables a secured communication between the CCom port and web server (IIS).
  • Configure a unique CCom port number, if required, by changing the default.
  • (Applicable only for Web Server Communication as Secured) Verify the default set host certificate for CCom port. For more information, see tips.
  1. Using the Project Shares expander, you need to share the Server project with the website/web application (IIS) user as follows:
  • Select the Share Project check box to share project folder of the current project.
  • If required, type in the Base share name to change the default, which is the Project name.
  • Click Add to add the website/web application user to the list of Group or user names using the Select User or Group dialog box.
  1. Click Save Project.
  • If you have changed the Communication Security settings, including the Web Communication mode, CCom port, or CCom host certificate, a message displays indicating that you must align the web applications on the Client/FEP linked with this modified Server Project.

 

5 – Browse a Website or Web Application URL

You can launch a Web Client by browsing the web application link on the local web server (IIS) or on the remote web server (IIS) hosted on a Client/FEP or on remote computer other than web server (IIS). For this you must install the website/web application certificates in the appropriate Windows certificate store.

You can launch the Web Client by browsing the website or web application URL using only Internet Explorer 11 onwards.

NOTE:
Microsoft recommends upgrading and staying up-to-date on the latest Internet Explorer browser version. Only the most current version of Internet Explorer available for a supported operating system will receive technical support and security updates.

The following procedure provides the steps for launching the Web Client for the very first time by installing the website certificates. The steps may vary; for example, the Certificate Error: Navigation Blocked page may not display, if the website/web application certificate is already installed.

  1. You have reviewed the tips before launching the website or web application URL.
  1. In the SMC tree, select the website or web application.
    NOTE: Clicking the website/web application URL in the SMC results in opening the Desigo CC web page in your default browser. It is recommended to launch the Web Client using Windows browser Internet Explorer 11 onwards.
  1. Click Copy URL to copy the HTTPS URL of a website/web application.
  1. Launch the Windows Internet Explorer browser (Internet Explorer 11 onwards).
  1. In the address bar, paste the copied URL.
  • The Certificate Error: Navigation Blocked page displays. This error occurs if the self-signed or host certificate is not already available in the Windows Certificate stores. Usually this error does not occur for the commercial certificates.
  1. Install the website certificate.
  1. Close the IE 11 browser.
  1. Re-launch the web application HTTPS URL.
  • The error message Certificate Error: Navigation Blocked disappears and the Desigo CC web page with thumbnails for web and Windows App clients displays.
    NOTE: The thumbnail for Web Client displays only if you have created the web application using the Enable XBAP option.
  1. Install the web application certificate for verifying the signature when downloading the application in the appropriate Windows certificate store.
  1. From the Desigo CC web page, launch a Web Client by clicking the Web Client thumbnail and follow the onscreen prompts (in the section on Starting and Exiting the System, see Launch a Web Client).

 

6 – Install the Website Certificate
  • You have created a website or web application using SMC and the URLs (HTTPS) are available.
  • You have not installed the certificate used in the website.
  1. Browse the website or web application HTTPS URL in the Windows Internet Explorer 11 browser.
  • The Certificate Error: Navigation Blocked page displays due to an untrusted certificate.
  1. Click Continue to this website (not recommended).
  • In the Desigo CC web page address bar, a Certificate Error security report displays.
  1. Click Certificate Error to open a menu that contains a View certificates hyperlink.
  1. Click View Certificates.
  1. In the Certificate dialog box that displays, click Install Certificate.
    NOTE: The same website/web application certificate (host/self-signed) that was provided during website/web application creation, displays and you can proceed with installing it in the TRCA store. However, in order for the host certificate to work with the Web Client, you must import the root of the host certificate that you used while creating website in the TRCA store.
  1. Depending on the type of certificate used, proceed with importing the certificate as follows:
  • If the certificate you used while creating a website is a self-signed certificate, then you must install it in the Trusted Root Certification Authorities store.
  • If the certificate you used while creating a website is a host certificate, then you must install the root certificate of the host in the Trusted Root Certification Authorities store.

NOTE:
If the Certificate Error: Navigation Blocked page displays, even after installing the website certificate, then verify that the Subject Alternative Name (SAN) property for the selected certificate contains the host name specified while creating the website.
For example, if the website Host name field contains the full computer name, ABCXY022PC.dom01.company.net, then the certificate provided in the Certificate issued to field must contain the full computer name ABCXY022PC.dom01.company.net as one of its names in the SAN property.
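
The SAN check described in the note above can be run from PowerShell against the exported website certificate. This is an added example, not part of the vendor documentation; the function name and the file path C:\Temp\website.cer are hypothetical, and the parsing assumes an English-language Windows installation.

```powershell
# Added example (not vendor code). Function name and file path are placeholders.
function Test-WebsiteCertificateHostName {
    param(
        [Parameter(Mandatory)] [string] $CerPath,
        [Parameter(Mandatory)] [string] $HostName
    )
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        (Resolve-Path $CerPath).Path)

    # Subject Alternative Name is X.509 extension OID 2.5.29.17.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    # Assumption: English-language Windows, where Format() labels entries "DNS Name=".
    $dnsNames = @()
    if ($san) {
        $dnsNames = @($san.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
        })
    }

    # Exact match is case-insensitive; a wildcard entry covers one left-most label only.
    $matched = $dnsNames | Where-Object {
        if ($_.StartsWith('*.')) {
            ($HostName -like $_) -and ($HostName.Split('.').Count -eq $_.Split('.').Count)
        } else { $_ -ieq $HostName }
    }

    $now = Get-Date
    [pscustomobject]@{
        Subject        = $cert.Subject
        SanDnsNames    = $dnsNames
        HostInSan      = [bool]$matched
        WithinValidity = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        NotAfter       = $cert.NotAfter
    }
}

# Host name taken from the example in the note above.
Test-WebsiteCertificateHostName -CerPath 'C:\Temp\website.cer' `
    -HostName 'ABCXY022PC.dom01.company.net' | Format-List
```

HostInSan = False for the host name entered in the website Host name field corresponds to the situation in which the Certificate Error page keeps displaying after installation.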

 

7 – Install the Web Application Certificate

The certificate you select while creating the web application is the same certificate that you must install in the certificate stores Current User > Trusted Root Certification Authorities and Current User > Trusted Publisher before launching the Web Client. You can do this using the following procedure.

  • You have created a web application using SMC and the HTTPS URLs display.
  • The Desigo CC web page is open in the Windows Internet Explorer browser, and the Desigo CC tab contents are displayed.
  1. Do one of the following:
  • In the Desigo CC web page, click the Click Here link on the Desigo CC page for a web application.
  • In the Desigo CC web page, click the Support tab, and then select the Web Client Application Certificate link.
  1. In the File download – Security Warning dialog box, click Open.
  1. In the Certificate dialog box, click Install Certificate.
  1. Depending on the type of certificate used, proceed with importing the certificate by doing one of the following:
  • If you used a self-signed certificate while creating a web application, then you must install it in the Trusted Root Certification Authorities and Trusted Publisher Windows Certificate store.
  • If you used a host certificate while creating a Web Application, then you must install it in the Trusted Publisher Windows Certificate store. You must also install the root certificate of the host in the Trusted Root Certification Authorities store.
    NOTE: If host certificates created with SMC are used for signing the Web Application and the Internet browser is configured to check the publisher's certificate revocation, the Security Warning message may display, even after installing the certificate. In this case, you can either add the website to the Trusted Sites zone to resolve the issue or ignore the warning and click Run (for Web Client).
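
After completing step 7, the store placement and the resulting trust chain can be verified from PowerShell in the session of the user who will launch the Web Client. This is an added example, not part of the vendor documentation; the function name and the file path C:\Temp\webapp.cer are hypothetical.

```powershell
# Added example (not vendor code). Function name and file path are placeholders.
function Test-WebAppCertificateTrust {
    param(
        [Parameter(Mandatory)] [string] $CerPath,
        [switch] $CheckRevocation   # behave like a browser that checks publisher revocation
    )
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        (Resolve-Path $CerPath).Path)
    $selfSigned = $cert.Subject -eq $cert.Issuer

    # The certificate itself belongs in Trusted Publisher; a self-signed one
    # must also be in Trusted Root Certification Authorities.
    $stores = @('Cert:\CurrentUser\TrustedPublisher')
    if ($selfSigned) { $stores += 'Cert:\CurrentUser\Root' }
    $presence = foreach ($s in $stores) {
        [pscustomobject]@{ Store = $s; Present = Test-Path "$s\$($cert.Thumbprint)" }
    }

    # Build the chain in the current-user context. For a host certificate the
    # build reports UntrustedRoot until its root certificate is in the Root store.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        SelfSigned  = $selfSigned
        NotAfter    = $cert.NotAfter
        Stores      = $presence
        ChainValid  = $chainOk
        ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    }
}

Test-WebAppCertificateTrust -CerPath 'C:\Temp\webapp.cer' | Format-List
```

Running it again with -CheckRevocation shows whether the chain fails only on revocation status, which is the case the NOTE above describes for host certificates created with SMC.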

 

8 – Launch a Web Client

Do this procedure to start Desigo CC as a browser-based application (Web Client).

  1. You have installed the security certificate on the computer where you are working with Web Client.
  1. Launch Microsoft Internet Explorer 11 onwards.
  1. In the address bar of the browser, paste the web application URL.
  • The Desigo CC page opens in the browser, and the Desigo CC tab contents display.
  1. In the Desigo CC tab, click the Web Client thumbnail for launching the Web Client.
  • The logon dialog box displays in the browser.
  1. Enter your username and password.
  1. Select the domain.
  1. Click Logon.