Requesting a server certificate - Metasys - LIT-12011279 - General System Information - Metasys System - 10.1
Network and IT Guidance Technical Bulletin
Product: Building Automation Systems > Metasys System
Document type: Technical Bulletin
Document number: LIT-12011279
Version: 10.1
Revision date: 2019-12-20
Procedure
1. In Control Panel, select and double-click Internet Information Services (IIS) Manager. The IIS main screen appears.
2. Under the IIS section in the middle pane, double-click Server Certificates. The Server Certificates panel appears.
3. On the Actions pane, click Create Certificate Request. The Distinguished Name Properties screen appears.
4. Fill out all the fields in the form. For Common name, specify the full computer name, which you can determine from . The full name may also include a domain name (for example, MAIN-ADX.mycorp.com). Click Next. The Cryptographic Service Provider Properties screen appears.
5. Select an appropriate service provider and bit length. Click Next. The File Name screen appears.
6. Click the Browse (...) button to select a location in which to save the certificate request file. The Specify Save as File Name window appears.
7. Type in a file name and click Open. The File Name window appears with the file name specified.
8. Click Finish. The certificate request file with a .txt extension is created in the selected folder. For example, the certificate request file for a server called MAIN-ADX would be MAIN-ADX.txt.
9. Send the certificate request file to the IT department or CA to obtain your trusted certificate. When you receive the file, go to Completing a server certificate request to import the certificate into the server.
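As an added example that is not part of this bulletin, the same request can be produced from an elevated PowerShell prompt with certreq.exe instead of the IIS Manager wizard. It derives the Common name from the computer's full DNS name as step 4 requires, adds that name as a Subject Alternative Name (which current browsers require for hostname matching), and checks the request before it is sent to the CA. The organization fields, the 2048-bit RSA/SHA-256 choice, and saving the request in the current folder are assumptions.

```powershell
# Added example: create an IIS-compatible server certificate request with certreq.exe.
# Assumptions: run as Administrator; 2048-bit RSA with SHA-256; files written to the current folder.

# Full computer name including the domain suffix (for example MAIN-ADX.mycorp.com).
$fqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$shortName = $env:COMPUTERNAME
$outDir    = (Get-Location).Path
$infPath   = Join-Path $outDir "$shortName.inf"
$reqPath   = Join-Path $outDir "$shortName.txt"   # same .txt naming as the IIS wizard

# certreq policy file. KeyUsage 0xA0 = digitalSignature + keyEncipherment.
# The O/L/S/C values below are placeholders; replace them with your organization's details.
$inf = @"
[NewRequest]
Subject = "CN=$fqdn, O=Example Org, L=City, S=State, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
MachineKeySet = TRUE
Exportable = FALSE
KeyUsage = 0xA0
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
_continue_ = "dns=$shortName&"
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the private key in the machine store and write the PEM-encoded request.
& certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Verify before sending to the CA: the Subject CN must be the full computer name.
$dump = & certutil.exe -dump $reqPath
$subjectOk = $dump | Select-String -SimpleMatch "CN=$fqdn" -Quiet
if (-not $subjectOk) { throw "Request subject does not contain CN=$fqdn" }

Write-Host "Certificate request written to $reqPath for $fqdn"
```

The private key never leaves the machine store; only the .txt request is sent to the CA, and the certificate that comes back is imported with the Completing a server certificate request procedure.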