Trust relationships - Metasys - LIT-12011279 - General System Information - Metasys System - 13.0
Network and IT Guidance Technical Bulletin
Product: Building Automation Systems > Metasys System
Document type: Technical Bulletin
Document number: LIT-12011279
Version: 13.0
Revision date: 2023-09-29
Product status: Active
Trust relationships

Trust relationships and privileges are dictated by the customer's IT department and are a fundamental part of a security policy. Active Directory service implementation on the Metasys system does not dictate the trusts that are established. While Active Directory services provide multiple domain support, the customer infrastructure determines whether this function is used.