Server and a Remote Web Server (IIS) in a DMZ Network

A DMZ (demilitarized zone) refers to an area of a network, usually between two firewalls, where users from the Internet are permitted limited access over a defined set of network ports and to pre-defined servers or hosts. A DMZ is used as a boundary between the Internet and your company's internal network. The network DMZ is the only place on a corporate network where Internet users and internal users are allowed at the same time.

In a DMZ setup, the web server (IIS) and the Desigo CC server are hosted on separate machines that are on different networks, separated by firewalls.

In such a scenario, commercial SSL certificates are typically used for the web site on IIS. For verifying the signature of the Windows App client, either the same certificate or a separate commercial or self-signed certificate may be used. The same certificate can be used for both purposes only if the private key used to secure the web site is exportable.

The following section describes a typical deployment scenario for setting up a Desigo CC system with a remote web server (IIS) in a DMZ scenario.

Server Station

A single dedicated workstation with the following features:

  • Desigo CC server is installed.
  • Microsoft SQL is installed on the Desigo CC server.
  • The server project folder is shared.
  • The required certificates are imported in the Windows Certificate store:
    • The root certificate is imported in the Trusted Root Certification Authorities store.
    • The host certificate is imported in the Personal store.
  • The host certificate used must have a private key; no private key is needed for a root certificate.

Remote Web Server (IIS) Station in a DMZ

  • A dedicated workstation serving as the web server for hosting the web site/application. To simplify the web site configuration, it is recommended that you install the Desigo CC client or FEP software on this machine.
  • The web application user on the remote web server has access rights on the shared project folder on the server.
  • The required certificates are imported in the Windows Certificate store:
    • The root certificate of the host certificate provided for CCom port security is imported in the Trusted Root Certification Authorities store.
    • The communication between the web server and the Windows App clients is always secured. Therefore, creating the web site and the web application certificates is mandatory. Desigo CC supports using either the same or different certificates for the web site and the web application. This section describes how to configure the web server to use the same certificate for both the web site and the web application.
    • The certificate and its private key must be imported into the Windows certificate store (in the Local Machine\Personal store; its root certificate must be imported in the Local Machine\Trusted Root Certification Authorities (TRCA) store). The private key must be marked to be exportable.
    • If different commercial certificates are used for creating the web site and web application, then both must be present in the Trusted Root Certification Authorities store and the Personal store of the Windows Certificate store.
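The certificate prerequisites listed for both stations (host certificate with a private key in Local Machine\Personal, its root in Local Machine\Trusted Root Certification Authorities, and, on the IIS station, an exportable private key) can be verified before configuring the web site. The following PowerShell pre-flight check is an added example, not part of the Desigo CC documentation; the thumbprint parameter is an assumed placeholder that you replace with your host certificate's thumbprint.

```powershell
# Added example: verify the certificate prerequisites on a Desigo CC server or
# remote web server (IIS) station. Run in an elevated PowerShell session.
param(
    [Parameter(Mandatory)] [string]$Thumbprint,   # placeholder: host certificate thumbprint
    [switch]$RequireExportableKey                  # set this on the remote web server (IIS) station
)

# 1. The host certificate must be in Local Machine\Personal and carry a private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in Local Machine\Personal." }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }

# 2. The chain must build, and its root must sit in Local Machine\Trusted Root
#    Certification Authorities (a root that is only in the user store is not enough).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline structural check only
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Chain for $Thumbprint does not build: $status"
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$rootInStore = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if (-not $rootInStore) {
    throw "Root '$($root.Subject)' is not in Local Machine\Trusted Root Certification Authorities."
}

# 3. Using one certificate for both the web site and the web application requires an
#    exportable private key. Exporting to an in-memory PFX fails when the key was
#    imported without 'Mark this key as exportable'; nothing is written to disk.
if ($RequireExportableKey) {
    try {
        $null = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'probe')
    } catch {
        throw "Private key of $Thumbprint is not exportable; re-import the PFX with the key marked exportable."
    }
}

Write-Output "Certificate $Thumbprint satisfies the store, private-key and chain prerequisites."
```

Run it without `-RequireExportableKey` on the Desigo CC server station and with the switch on the remote web server (IIS) station.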

Security

  • Secure server/remote web server (IIS) deployments require a high-security configuration.

Deployment Diagram

Remote Web Server in a DMZ Scenario