Client
Planning and Installation Guide for Version 1.94
2012, Schneider Electric All Rights Reserved No part of this publication may be reproduced, read or stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of Schneider Electric. This document is produced in the United States of America. Andover Plain EnglishTM is a trademark of Schneider Electric. Andover InfinetTM is a trademark of Schneider Electric. All other trademarks are the property of their respective owners. Title: Andover Continuum web.Client Planning and Installation Guide web.Client Version 1.94 Schneider Electric part number: 30-3001-835 The information in this document is furnished for informational purposes only, is subject to change without notice, and should not be construed as a commitment by Schneider Electric. Schneider Electric assumes no liability for any errors or inaccuracies that may appear in this document. On October 1st, 2009, TAC became the Buildings Business of its parent company Schneider Electric. This document reflects the visual identity of Schneider Electric. However, there remain references to TAC as a corporate brand throughout the Andover Continuum software. In those instances, the documentation text still refers to TAC only to portray the user interface accurately. As the software is updated, these documentation references will be changed to reflect appropriate brand and software changes. All brand names, trademarks and registered marks are the property of their respective owners. Schneider Electric One High Street North Andover, MA 01845 (978) 975-9600 Fax: (978) 975-9782 http://www.schneider-electric.com/buildings
Contents
Chapter 1: Introduction to web.Client
Chapter 2: System and Pre-Installation Requirements
- Windows 7
- SSL Considerations for the IIS PC
- Changing the Default TCP Web Port Number for the IIS PC
- Disabling WinSock Proxy Client on Standalone System
- Ensuring a Domain Membership Is Selected
- Avoiding Invalid Characters in a Server Name
- Disabling Windows Automatic Updates and Windows Firewall
- Windows 7 and User Account Control Data Redirection
Chapter 3: Installing and Configuring web.Client on the IIS PC
- Overview
- Installing web.Client on the IIS PC
- Creating and Initializing the Database on a Standalone IIS PC
- Adding web.Client to an Existing Standalone Database
- Initializing the Database on a LAN IIS PC
- web.Client Video System Upgrades
- Routing Alarms to the IIS PC on a LAN System
- Configuring Access Permissions for web.Client Users
- Configuring Your Video Servers
- Configuring Graphics Folders for web.Client: Windows XP and Windows Server 2003
- Specifying a Local Folder as a Web Address for Windows XP and Windows Server 2003
- Specifying a Network Folder as a Web Address for Windows XP and Windows Server 2003
- Verifying Anonymous Access to Virtual Folders
- Configuring Graphics Folders for web.Client: Windows Server 2008 and Windows 7
- Setting Up an Application for Graphics on Windows Server 2008 and Windows 7
- Specifying a Local Folder as a Web Address for Windows Server 2008 and Windows 7
- Specifying a Network Folder as a Web Address for Windows Server 2008 and Windows 7
- Giving Everyone Access to Graphics Files on Windows Server 2008 and Windows 7
- Establishing Pinpoint Folders
- Configuring DCOM Default Security Settings
- Configuring Default Launch and Access Permissions
- Disabling HTTP Keep-Alives
- Resetting Timeout and Live Events Via web.config File
- Inactivity Timeout
- Live EventView
- Establishing SSL Support for Confidential Information
- Using SSL Online Documentation
- Changing IE Security Internet Options to Accommodate SSL
- Enabling SSL for web.Client
- Setting Up SSL for web.Client Pinpoint
- Changing the Default TCP Port Number
Chapter 4: Testing and Installing web.Client on a Client PC
Chapter 5: Using web.Client to Set Up Your Organization
- How Is the Company Physically Divided?
- Who Are the Users?
- What Are the Security Levels?
- Setting Up web.Client in CyberStation
- Scenario 2: A Global Company
- What Are the Company Personnel Groups?
- Where Are the Company Facilities Located?
- Who Are the Users?
- What Are the Security Levels?
- Setting Up web.Client in CyberStation
Appendix A: web.Client Security and Troubleshooting Tips
Appendix B: web.Client Applications that Are Installed
Appendix C: Guidelines for Upgrading to Version 1.94
Appendix D: SQL Express Installation Error Messages
Revision History
This manual documents web.Client, Version 1.94.
Revision History

| Document Revision | Software Version | Date |
|---|---|---|
| 1.94 | 1.94 | June 2012 |
| 1.93 | 1.93 | March 2011 |
| 1.92 | 1.92 | December, 2010 |
| 1.91 | 1.91 | February, 2010 |
| 1.9 | 1.9 | August, 2008 |
| 1.82 | 1.82 | January, 2008 |
| 1.81 | 1.81 | June, 2007 |
| 1.8 | 1.8 | December, 2006 |
| 1.74 | 1.74 | August, 2006 |
| 1.73 | 1.73 | January, 2006 |
| 1.71 | 1.71 | May, 2005 |
| 1.7 | 1.7 | December, 2004 |
| 1.62 | 1.62 | March, 2004 |
| 1.6 | 1.6 | August, 2003 |
| 1.52 | 1.52 | December, 2002 |
| 1.5 | 1.5 | October, 2002 |
Related Documentation
For additional or related information, refer to these documents.
Related Documents

| Document | Document Number |
|---|---|
| Andover Continuum CyberStation Installation Guide | 30-3001-720 |
| CyberStation Access Control Essentials Guide | 30-3001-405 |
| CyberStation HVAC Essentials Guide | 30-3001-1000 |
| web.Client online help (Version 1.94) | |
Symbols Used
The Notes, Cautions, Warnings, and Hazards in this manual are defined as follows.
Note: Notes contain additional information of interest to the user.
Chapter 1
Introduction to web.Client
- web.Client Overview
- web.Client User Documentation
- A Typical System before web.Client
- A Typical System Implementing web.Client
- Differences between web.Client and CyberStation
Overview
This manual provides you, the system administrator, with general information for planning, installing, and configuring your Andover Continuum web.Client system, version 1.94.
CAUTION This manual is for system administrators.
To use the installation and setup procedures in this manual you must be a system administrator with experience in setting up a web server. You must also have experience using Microsoft system software and understand that there are graphical user-interface differences between the different Windows platforms. For detailed information about Microsoft software, please see your Microsoft Windows online help and visit www.microsoft.com and other Microsoft web sites.
Failure to observe this precaution can result in incorrect system configuration.
Note: The procedures in this manual presume you and your users are installing or upgrading to web.Client version 1.94. You must meet the software and hardware requirements compatible with version 1.94. Refer to Chapter 2, System and Pre-Installation Requirements.
web.Client Overview
web.Client is an application that provides you with web-enabled access everywhere, all the time. By using a standard browser, your authorized personnel can access the Continuum facility management system in real time across your site's local area network (LAN) or across your wide-area network (WAN). web.Client is either added to a LAN Andover Continuum CyberStation system or installed with a standalone CyberStation on a single PC.
With the basic web.Client Personnel Manager option, your users can:
- Create, search for, edit, and delete personnel records
- Change employee access privileges
- View a person's access events
- View and generate reports of all access events, including area access events, access events by persons, and distribution-event transactions via the Access Distribution View
- Edit and view schedules and calendars.
- Change a password.
With the advanced web.Client Pro option, your users have all the features of the basic web.Client Personnel Manager option as well as the following additional features:
- Create, run, and view graphical reports (class object Report), including bar charts, pie charts, trend charts, text reports, and so on.
- List and view graphics and groups
- View live system alarms and live events
- View live video, as well as search for and view recorded video, via the class object, VideoLayout.
- Search for web.Client objects by exploring a folder tree hierarchy or a network/device tree hierarchy, or by using a text search engine
- Edit and view Loops and TrendLogs.
For complete information about any of these features, please see the web.Client online help.
A Continuum system without web.Client consists of a database server and high powered, dedicated workstations. Also note that all administration must be performed at one of the dedicated workstations. The following illustration shows what the administration of the typical system would entail. In this security example, a single administrator is responsible for assigning all security privileges for engineering and manufacturing personnel.
- A database server
- Dedicated workstations for configuration
- A dedicated web.Client application server
- PCs running Internet Explorer 8.0 connecting web.Client
Note: You will be installing either a web.Client for a LAN system or a standalone with web.Client. A LAN system has two servers: a database server and a web.Client application server. In a standalone system, the database and web.Client application reside on one server. Chapter 2, System and Pre-Installation Requirements, provides detailed requirements for both systems.
You can delegate security tasks to authorized personnel who then assign security privileges for their departments (in this case, engineering and manufacturing personnel). You use the dedicated workstation, and the authorized personnel use web.Client on their own computers. In the administration of a web.Client system, for example, you would be responsible for assigning privileges to engineering and manufacturing designees, who in turn are responsible for assigning all security privileges for engineering and manufacturing personnel. Similarly, you could grant access rights to:
- An employee to adjust the temperature after viewing current conditions
- A coordinator to schedule a conference room and activate the lighting
- A technician to take control of an air handler during service
- A manager to search video for an incident
- A facilities manager to graphically monitor and adjust building conditions and monitor alarms
Delete
X X Events within schedules only
Create
X Events within schedules only X
Reports Areas Groups Loops Graphics Alarms Events Distribution Events Points and objects
X X X X X X X X X
X X X X
X
1
1. Video can be modified, but not saved. For example, you can change cameras, show/hide time, change focus, zoom, but you will lose these changes if the page is refreshed or you open another editor.
Chapter 2
System and Pre-Installation Requirements
- web.Client Setup Configurations
- Hardware and Software Requirements for LAN System
- Hardware and Software Requirements for a Standalone System
- Pre-Installation Microsoft Tasks
- web.Client local area network (LAN) system
- A standalone single user system with web.Client
LAN system: The web.Client LAN system comprises a Continuum/SQL database server and an Internet Information Services (IIS) server dedicated to running the web.Client application. On a LAN system, the IIS server can be a Windows XP Professional workstation, Windows Server 2003, Windows Server 2008, or Windows 7 machine. Each supports a different number of user connections, however. See the table below for more details.
Standalone system: The standalone single user system with web.Client comprises one PC on which the Continuum/SQL Express database, IIS, and the web.Client application all reside. A standalone system PC may also run Windows XP Professional workstation, Windows Server 2003, or Windows 7.
The following table lists the maximum number of web.Client version 1.94 users per server, as well as the maximum number of CyberStations and IIS servers, for each type of setup:
Maximum Number of web.Client 1.94 Users Per Server
Maximum Number of web.Client Users Per Server When IIS Is Installed on Windows Server 2003 25
1
When IIS is installed on Windows 7 Number of CyberStations 2 2 Unlimited 1 Number of IIS Servers Unlimited 1
2 2
1. A total of three machines (web.Client browser PCs plus CyberStations) is the maximum number allowed on a standalone system. This means the following combinations are valid: Two web.Client connections and one CyberStation, one web.Client connection and two CyberStations, or three CyberStations (if there are no web.Client connections).
If your system has no more than 25 users, select one server as the web.Client IIS server. This IIS server should be dedicated to running the web.Client application. For a larger LAN system (at least for any system having more than 25 users) your site must have more than one IIS server.
Depending on your particular LAN installation, the IIS server can be:
- Windows XP Professional workstation (maximum of two users)
- Windows Server 2003 (maximum of 25 users per IIS server)
- Windows Server 2008 (maximum of 25 users per IIS server)
- Windows 7 (maximum of two users per IIS server)
The IIS server must be on a network that can connect to the Continuum/SQL database server. The browser PCs must be on a network that can connect to the IIS server. web.Client version 1.94 will upgrade any previous version on the IIS server. web.Client 1.94 includes CyberStation 1.94, and installing it upgrades the IIS machine to 1.94. Workstations not at version 1.94 must be upgraded before installing web.Client.
See also:
- Chapter 3, Installing and Configuring web.Client on the IIS PC
- Appendix C, Guidelines for Upgrading to Version 1.94
- Andover Continuum CyberStation Installation Guide, 30-3001-720
The following table shows the hardware and software requirements for the IIS server and the client browser on LAN systems.
Hardware Requirements for IIS Server for LAN Systems

| Minimum | Recommended |
|---|---|
| Intel Core™ 2, Duo, 1.66 GHz or better¹ ² | Quad core¹ 2 GHz or better |
| 2 Gb RAM or higher² plus 5 Mb per connection | 4 Gb RAM plus 5 Mb per connection |
| 15 Gb free space (NTFS Partition) | 30 Gb free space (NTFS Partition) |
| CD ROM drive | CD ROM drive |
| Video resolution: 1024 x 768 pixels | Video resolution: 1024 x 768 pixels |
| Parallel or USB port | Parallel or USB port |

1. Memory and processor speed - Performance is directly related to processor speed and RAM. Increasing hard drive size allows for growth of applications (graphics, programs, and so on). Faster processor speeds and more RAM available to the program will increase performance.
2. Use Recommended requirement for systems with integrated video.
Note: Every connection to the IIS server by a browser PC accessing web.Client uses 5 MB of RAM on the IIS server. (For example, two browser PCs connected to the IIS server accessing web.Client use 10 MB of RAM on the IIS server. For this configuration, Schneider Electric recommends a minimum of 512 MB plus 10 MB (used by the two PCs) or a minimum of 522 MB of RAM on the IIS Server.)
The following table shows the video-specific hardware requirements for the IIS server on LAN systems.
Video-Specific Requirements

| Minimum | Recommended |
|---|---|
| 100 Mbps network port | 1 Gb network port |
| Graphics card with DirectX 9.x or later with 256 Mb of dedicated RAM | DirectX 10 graphics device with WDDM 1.0 or higher driver with 512 Mb of dedicated RAM |
Note: Andover Continuum uses stream 2 to display video through video interfaces. Per standard Pelco Endura video configuration, you should configure stream 2. When doing so, be sure to set a lower resolution and smaller frame rate. Otherwise, the performance of your PC may be negatively affected. Be aware that Andover Continuum only supports H.264 and MPEG4 video formats.
The following software is recommended for LAN systems.
Software for LAN Systems
Tested & Supported Software for LAN Systems¹
Server
- Microsoft Windows XP Professional workstation (SP3)
- OR: Microsoft Windows Server 2003 (SP2)
- OR: Microsoft Windows Server 2003 R2 (SP2)
- OR: Microsoft Windows Server 2008 using SQL 2008²
- OR: Microsoft Windows Server 2008 R2 32-bit or 64-bit modes using SQL Server 2008²
- OR: Microsoft Windows 7 Professional
- OR: Microsoft Windows 7 Ultimate
Browser
- For Windows 7: Internet Explorer 8.0
- Note: Be aware that web.Client only supports the 32-bit version of Internet Explorer.
Internet
- IIS: Microsoft Windows XP: IIS 5.0
- Microsoft Windows Server 2003: IIS 6.0
- Microsoft Windows 7: IIS 7.0
When you are prompted to select an authentication mode, select Mixed Mode. For more information, please see the Andover Continuum CyberStation Installation Guide, 30-3001-720.
TCP/IP
Microsoft .NET Framework version 2.0 AND: Microsoft .NET Framework version 3.5 (SP1)
Windows Installer 3.1
1. Internet Explorer, IIS, and TCP/IP are included with the Microsoft operating systems. Upgrades and service packs are available free of charge from Microsoft's web site, www.microsoft.com.
2. No CyberStation or web.Client software installed.
The following table shows the Browser PCs that are recommended for LAN systems.
Browser PCs for Users on a LAN System
Tested & Supported Browser PCs for Users on a LAN System
Hardware
The video feature requires network access to a digital video recorder. This may require you to open port 18772 or establish a Virtual Private Network (VPN) connection if there is a firewall.
Software
The client browser PC on a LAN system can be running one of the following:
- Windows XP Professional (SP3)
- Windows Server 2003 (SP2) or Windows Server 2003 R2 (SP2)
- Windows 7 Professional or Windows 7 Ultimate
For Windows XP and Windows Server 2003: Internet Explorer 8.0
For Windows 7: Internet Explorer 8.0
Verify IE defaults are enabled for: Cookies and JavaScript
web.Client version 1.94 will upgrade any previous version on the IIS server. web.Client 1.94 includes CyberStation 1.94, and installing it upgrades the IIS machine to 1.94. Workstations other than the IIS server that are not at version 1.94 must be upgraded before installing web.Client. (Refer to the Andover Continuum CyberStation Installation Guide, 30-3001-720, for upgrade procedures.)
See also:
- Chapter 3, Installing and Configuring web.Client on the IIS PC
- Appendix C, Guidelines for Upgrading to Version 1.94
- Andover Continuum CyberStation Installation Guide, 30-3001-720
The following table lists hardware and software requirements for the IIS workstation and the client browser on standalone systems.
Hardware Requirements for Standalone Systems

| Minimum | Recommended |
|---|---|
| Intel Core™ 2, Duo, 1.66 GHz or better¹ ² | Quad core¹ 2 GHz or better |
| 2 Gb RAM or higher² | 4 Gb RAM |
| 15 Gb free space | 30 Gb free space |
| CD ROM drive | CD ROM drive |
| Video resolution: 1024 x 768 pixels | Video resolution: 1024 x 768 pixels |
| Parallel or USB port | Parallel or USB port |

1. Memory and processor speed - Performance is directly related to processor speed and RAM. Increasing hard drive size allows for growth of applications (graphics, programs, and so on). Faster processor speeds and more RAM available to the program will increase performance.
2. Use Recommended requirement for systems with integrated video.
Note: Every connection to the IIS server by a browser PC accessing web.Client uses 5 MB of RAM on the IIS server. For example, two browser PCs connected to the IIS server accessing web.Client use 10 MB of RAM on the IIS server. In this configuration, Schneider Electric recommends a minimum of 512 MB plus 10 MB (used by the two PCs) or a minimum of 522 MB of RAM on the IIS Server.
The following table shows the video-specific hardware requirements for the IIS workstation on a standalone system.
Video-Specific Requirements

| Minimum | Recommended |
|---|---|
| 100 Mbps network port | 1 Gb network port |
| Graphics card with DirectX 9.x or later with 256 Mb of dedicated RAM | DirectX 10 graphics device with WDDM 1.0 or higher driver with 512 Mb of dedicated RAM |
Note: Andover Continuum uses stream 2 to display video through video interfaces. Per standard Pelco Endura video configuration, you should configure stream 2. When doing so, be sure to set a lower resolution and smaller frame rate. Otherwise, the performance on your PC may be negatively affected. Be aware that Andover Continuum only supports H.264 and MPEG4 video formats.
The following table shows the software that is recommended for standalone systems.
Software for Standalone Systems
Tested & Supported Software for Standalone Systems
Server
- Microsoft Windows XP Professional workstation (SP3)
- OR: Microsoft Windows Server 2003 (SP2)
- OR: Microsoft Windows Server 2003 R2 (SP2)
- OR: Microsoft Windows Server 2008 using SQL 2008¹
- OR: Microsoft Windows Server 2008 R2 32-bit or 64-bit modes using SQL Server 2008¹
- OR: Microsoft Windows 7 Professional
- OR: Microsoft Windows 7 Ultimate
Browser
- For Windows XP, or Windows Server 2003: Internet Explorer 8.0
- For Windows 7: Internet Explorer 8.0
- Note: Be aware that web.Client only supports the 32-bit version of Internet Explorer.
Internet
- IIS: Microsoft Windows XP: IIS 5.0
- Microsoft Windows Server 2003: IIS 6.0
- Microsoft Windows 7: IIS 7.0
CyberStation
Andover Continuum CyberStation Version 1.94
automatically upgraded to SQL Express, if SQL Express is not already installed. (See also Chapter 3, Installing and Configuring web.Client on the IIS PC, Appendix C, Guidelines for Upgrading to Version 1.94, and the Microsoft web site).
Network protocol
TCP/IP
Note: Internet Explorer, IIS, and TCP/IP are included with the Microsoft operating systems. Upgrades and service packs are available free of charge from their web site, www.microsoft.com.
Other
Microsoft .NET Framework version 2.0 AND: Microsoft .NET Framework version 3.5 (SP1)
Windows Installer 3.1
The following table shows the browser PCs that are recommended for standalone systems.
Browser PCs for Users on a Standalone System
Tested & Supported Browser PCs for Users on a Standalone System
Hardware
The video feature requires network access to a digital video recorder. This may require you to open port 18772 or establish a Virtual Private Network (VPN) connection if there is a firewall.
Software
The client browser PC on a standalone system can be running one of the following:
- Windows XP Professional (SP3)
- Windows Server 2003 (SP2) or Windows Server 2003 R2 (SP2)
- Windows 7 Professional or Windows 7 Ultimate
For Windows 7: Internet Explorer 8.0
Verify IE defaults are enabled for Cookies and JavaScript
To avoid this problem, be sure that IIS has been installed on the server before Microsoft .NET Framework 2.0 is installed. If Microsoft Windows already comes with .NET Framework 2.0, or you have downloaded .NET Framework 2.0 separately during a Windows upgrade before IIS is installed, run the following command:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -i
The LAN web.Client application server and standalone CyberStation/ web.Client workstation are generically called IIS PC in this manual for both systems.
1.
2.
3. In the Add Roles Wizard, Before You Begin page, click Next.
4. In the Select Server Roles page, check the Application Server checkbox to install .Net Framework 3 as a prerequisite.
5.
6.
7.
8. In the Select Server Roles page, check the following checkboxes: Web Server (IIS) Support, HTTP Activation, and Message Queuing Activation.
An Add role services/features required dialog displays for each of your role service selections.
9. Click the Add Required Role Services or Add Required Features button to install additional features for Web Server (IIS) Support, HTTP Activation, and Message Queuing Activation.
12. In the Select Role Services page, check the IIS 6 Management Compatibility checkbox.
13. Click Next.
14. In the Confirm Installation Selections page, click Install to
An Installation Progress page displays with information on the roles, role services, or features being installed.
For Windows XP and Windows Server 2003, install IIS on the designated web.Client application server (LAN systems) or the standalone CyberStation/web.Client workstation (standalone system). The LAN web.Client application server and standalone CyberStation/web.Client workstation are generically called IIS PC in this manual for both systems.
For Windows XP: Follow this procedure to install IIS 5.0:
1. From the Control Panel, open Add/Remove Programs. The Add/Remove Programs dialog appears.
2. Select Add/Remove Windows Components. The Windows Components Wizard (Windows Components) screen appears.
3. Check the Internet Information Services (IIS) checkbox, and click Next to install.
4. After the Wizard completes the component-configuration process, which may take several minutes, click Finish.
For Windows Server 2003: Follow this procedure to install IIS 6.0:
1. From the Control Panel, open Add/Remove Programs. The Add/Remove Programs dialog appears.
2. Select Add/Remove Windows Components. The Windows Components Wizard (Windows Components screen) appears.
3. Check the Application Server checkbox.
4. Select and highlight Application Server, and click the Details button. The Application Server dialog appears.
5. Check the following checkboxes: ASP.NET, Application Server Console, Enable network COM+ access, and Internet Information Services (IIS).
6. In the Application Server dialog, select and highlight Internet Information Services (IIS) and click the Details button. The Internet Information Services (IIS) dialog appears.
7. Check the following checkboxes: Common Files, Internet Information Services Manager, and World Wide Web Service.
8. In the Internet Information Services (IIS) dialog, select and highlight World Wide Web Service, and click the Details button. The World Wide Web Service dialog appears.
9. Check the following checkboxes: Active Server Pages, Internet Data Connector, Server Side Includes, WebDAV Publishing, and World Wide Web Service.
10. Click the OK button back through all three dialogs.
11. Click Next in the Wizard's Configuring Components screen. A progress bar appears on this screen during the configuration process, which may take several minutes. Please wait.
12. After the Wizard completes the component-configuration process, click Finish.
1. From the Control Panel, double click and open Administrative Tools. The Administrative Tools dialog appears.
2. Double click and open Internet Information Services (IIS) Manager. The Internet Information Services (IIS) Manager dialog appears.
3. In the tree, right click on the machine name, and select Properties from the popup menu. The Properties dialog appears.
4. Click the MIME Types button. The MIME Types dialog appears.
5. Click the NEW button. The MIME Type dialog appears.
6. In the Extension field, enter .pin and in the MIME type field, enter pinfiles/plain.
7. Click OK and repeat steps 5 and 6, but in the Extension field, enter .emf and in the MIME type field, enter image/emf.
8. Click OK three times back through the dialogs.
9. Restart your machine, follow the other pre-installation tasks, and follow the installation procedures in Installing and Configuring web.Client on the IIS PC and Testing and Installing web.Client on a Client PC.
1. From the Control Panel, open Programs and Features.
2. Under Tasks on the left, click Turn Windows features on or off.
3. In the Windows Features (Turn Windows features on or off) dialog, in the tree, expand Internet Information Services.
4. Under Internet Information Services, expand Web Management Tools, then expand IIS 6 Management Compatibility.
5. Check only the following checkboxes: IIS 6 Management Console, IIS Metabase and IIS 6 configuration compatibility, and IIS Management Console. Other checkboxes must be cleared.
6. Under Internet Information Services, expand World Wide Web Services, then expand Application Development Features, Common Http Features, Health and Diagnostics, Performance Features, and Security.
7. Check only the following checkboxes: .NET Extensibility, ASP.NET, ISAPI Extensions, ISAPI Filters, Default Document, Directory Browsing, HTTP Errors, Static Content, HTTP Logging, Request Monitor, Static Content Compression, Request Filtering, and Windows Authentication. Other checkboxes must be cleared.
8. Click OK.
Restart your machine, follow the other pre-installation tasks, and follow the installation procedures in Installing and Configuring web.Client on the IIS PC and Testing and Installing web.Client on a Client PC.
1. Open IIS Manager.
2. Expand the computer name in the left-hand pane and click on Application Pools in the system tree view.
3.
4. In the Application Pool Defaults dialog box, select Identity under Process Model.
5. When the selection control appears in the second column, click this button.
6. In the Application Pool Identity dialog box, select Network Service in the dropdown menu under Built-in account.
7. Click OK.
8. Then, click OK once more in the Application Pool Defaults dialog box.
Open IIS Manager. Expand the computer name in the left-hand pane and click on Application Pools in the system tree view.
In the Advanced Settings dialog box, change the Enable 32-bit Applications option to True.
1. Access Internet Information Services (IIS) Manager.
2. In the Connections tree, select the machine name.
3. In the content pane, under IIS, double click MIME Types. The Add MIME Type dialog appears.
4. Under Actions, click Add.
5. In the File name extension field, enter .pin.
6. In the MIME type field, enter pinfiles/plain.
7. Click OK and repeat Steps 4, 5, and 6, but in the File name extension field, enter .emf and in the MIME type field, enter image/emf.
8. Click OK.
9. Restart your machine, follow the other pre-installation tasks, and follow the installation procedures in Installing and Configuring web.Client on the IIS PC and Testing and Installing web.Client on a Client PC.
Changing the Default TCP Web Port Number for the IIS PC
Normally, the IIS PC defaults to Internet TCP port 80. Some Internet access providers do not use port 80. You can change this port number from 80 to another port number. This can be done before or after web.Client installation. For more information, please see Changing the Default TCP Port Number in Chapter 3.
From the Windows Control Panel, double click WSP Client. The Microsoft WinSock Proxy Client dialog appears. Remove the check from the Enable WinSock Proxy Client checkbox, and click OK.
1. In the Control Panel, click System and Security and then Windows Firewall.
2. Disable all three Windows firewalls: Domain, Public, and Private.
3. Select Administrative Tools and then double-click Services.
4. Double-click Windows Firewall.
5. Click Stop to disable Windows Firewall.
6. Also, in Services, locate and double-click Software Protection.
7. Click Stop to disable Software Protection.
8. In Services, locate and double-click Windows Defender.
10. In Control Panel, click System and Security and then Action
11. Disable the anti-virus software. For more information, see the anti-
as administrator.
By design, Andover Continuum writes files to the Program Files\Continuum directory. This includes Pinfiles (.pin) for graphics, Menu files (.mnu) for the Continuum shell, XML (.xml) for the Personnel Manager custom buttons, and text files (.txt) for CommandLine macros. For example, if User Account Control is enabled when creating a graphic, Andover Continuum attempts to create the .pin file in the Program Files\Continuum\NewGraphicsFiles folder. If the user does not have permissions to write to that folder, the write operation is redirected instead to the following location:
Users\<Username>\AppData\Local\VirtualStore\Program Files\Continuum\NewGraphicsFiles
Later, if another Windows user logs on to the workstation, that user will be unable to access the Pinpoint graphic.
CAUTION: If you are an Andover Continuum administrator, you can resolve this issue either by turning off User Account Control or by granting read/write permissions on the Program Files\Continuum or Program Files (x86)\Continuum folder to all of your Standard users.
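One way to find files that User Account Control has already redirected, as an added example that is not part of the guide or of Continuum: the script walks each profile's VirtualStore for the Continuum file types named above. The function names and the C:\Users profile root are assumptions.

```python
import os

# Sub-path of a user profile where UAC data redirection stores writes that
# were aimed at Program Files (taken from the path shown in the guide).
VIRTUALSTORE = os.path.join("AppData", "Local", "VirtualStore")

# Both install locations named in the guide's caution.
CONTINUUM_DIRS = (
    os.path.join("Program Files", "Continuum"),
    os.path.join("Program Files (x86)", "Continuum"),
)

# File types the guide says Continuum writes under Program Files\Continuum.
EXTENSIONS = (".pin", ".mnu", ".xml", ".txt")


def find_redirected_files(users_root):
    """Return (username, intended_path, actual_path) for each redirected file.

    intended_path is relative to the system drive (where Continuum tried to
    write); actual_path is the per-user copy that other users cannot see.
    """
    found = []
    for username in sorted(os.listdir(users_root)):
        store = os.path.join(users_root, username, VIRTUALSTORE)
        for continuum_dir in CONTINUUM_DIRS:
            # os.walk yields nothing when the directory does not exist.
            for dirpath, dirs, files in os.walk(os.path.join(store, continuum_dir)):
                dirs.sort()  # deterministic traversal order
                for name in sorted(files):
                    if name.lower().endswith(EXTENSIONS):
                        actual = os.path.join(dirpath, name)
                        intended = os.path.relpath(actual, store)
                        found.append((username, intended, actual))
    return found


def stranded_by_user(found):
    """Group the intended paths by the user whose VirtualStore holds them."""
    grouped = {}
    for username, intended, _actual in found:
        grouped.setdefault(username, []).append(intended)
    return grouped


if __name__ == "__main__":
    # Assumption: profiles live under C:\Users, as in the guide's example path.
    for user, intended, actual in find_redirected_files(r"C:\Users"):
        print("%s: %s is stored at %s" % (user, intended, actual))
```

Run it from an elevated prompt so that every profile is readable; each reported file has to be copied back to its intended folder before other users can open it.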
Chapter 3
Installing and Configuring web.Client on the IIS PC
- Overview
- Installing web.Client on the IIS PC
- web.Client Video System Upgrades
- Configuring Your Video Servers
- Configuring Graphics Folders for web.Client: Windows XP and Windows Server 2003
- Configuring Graphics Folders for web.Client: Windows Server 2008 and Windows 7
- Establishing Pinpoint Folders
- Configuring DCOM Default Security Settings
- Disabling HTTP Keep-Alives
- Resetting Timeout and Live Events Via web.config File
- Establishing SSL Support for Confidential Information
- Changing the Default TCP Port Number
Overview
This chapter provides instructions for installing and configuring web.Client version 1.94 on the IIS PC, defined as follows:
- The IIS PC on a LAN system is the IIS server with Windows Server 2003, Windows Server 2008, Windows XP Professional workstation, or Windows 7.
- The IIS PC on a standalone system with web.Client is the single machine (Windows XP Professional workstation, Windows Server 2003, or Windows 7) on which both IIS and Continuum database reside.
The procedures in this chapter are for a first-time installation. If you are upgrading to web.Client version 1.94, refer to Appendix C, Guidelines for Upgrading to Version 1.94, which presents some guidelines for this upgrade. See also the Andover Continuum CyberStation Installation Guide, 30-3001-720.
1. Insert the web.Client CD. The Install web.Client screen displays. Click Install web.Client to begin.
2. If you do not have the Microsoft VS 2008 C++ Redistributable installed, an InstallShield Wizard appears and indicates that this application is required before the CyberStation installation begins. Click Install. Continuum then checks to ensure that Microsoft .NET Framework 3.5 is also installed. If not, the following message displays:
Follow these instructions, discontinue this CyberStation installation, and install the .NET Framework 3.5 from the Continuum release CD. Once these requirements are installed, return to this installation and when the initial Install web.Client screen displays once more, click Install web.Client.
Note: If you do not have the correct Microsoft service pack installed, you will receive a warning message, asking you to install the correct software. See Chapter 2 for software requirements.
3. If your key is not enabled for web.Client, you will receive a warning message. You may continue with the installation or cancel.
4. The License Information dialog appears. Read and accept the license agreement, and click Next to continue.
5. The RegisterUser dialog appears. Enter your User Name and Company Name.
Later, after web.Client is installed, you can right-click on the Continuum icon in your tool tray and select About to display the About Continuum dialog, which lists the information from the RegisterUser dialog.
6. An Alias Information screen appears explaining what happens next in the installation. After reading this screen, click Yes to continue.
The Enter Text screen asks you to provide the web.Client Virtual Directory Alias. Keep the default alias (WebClient) or provide your own alias. Click Next to continue.
7. The Create Web Server Virtual Directory screen asks you to select the physical path for your virtual Web Server directory. Select the default directory, or supply your own directory. Click Next to continue.
Once the progress bar disappears, the Create IIS Application window appears and informs you that the IIS application is being created.
Then, you are asked if you would like to read the latest web.Client release notes. Click Yes or No. Finally, you are asked if you would like to run the Database Initialization program now. Click Yes or No.
web.Client is now installed on the IIS PC. Depending on your system, follow one of the next three procedures, covered in the following subsections:
- Creating and Initializing the Database on a Standalone IIS PC
- Adding web.Client to an Existing Standalone Database
- Initializing the Database on a LAN IIS PC
Failure to observe this precaution will result in the loss of your work.
From the Start menu, select Programs > Continuum > Database Initialization. Select Stand Alone from the Continuum Database Initialization dialog.
Note that Microsoft SQL Server is shown in the DBMS Name field dropdown menu.
4. Ensure that Continuum (default setting) appears in the Data Source Name field.
5. Ensure that (Workstation Name)\SQLEXPRESS appears in the Server Name field. For example, QUALPC217 is the workstation name used in the previous dialog.
6. Leave the Database Name at its default, ContinuumDB.
7. Enter your login ID, Andover97, in the User Login ID field.
8. Enter your user password in the User Password field.
Note: If you are upgrading to Version 1.94, and you accepted the pre-1.94 default password, Pyramid97, you must enter Pyramid97 here. If you are installing web.Client for the first time, use a password of your choice.
9. Re-enter your password (Pyramid97 if you are upgrading to 1.94 from the previous version default) in the Confirm Password field.
path, then you must leave SQL Express at its default path when it is installed. If you browse a different path for DB File Location, then you must browse SQL Express to the same file path when it is installed.
11. Leave the Database Size at its default setting.
12. Enter a system administrator password of your choice into the Sa Password field. This password must meet Microsoft SQL Server rules for the composition of a password:
- The password must be at least eight characters long.
- The password must not contain all or part of the user's account name (three or more alphanumeric characters).
- The password must not contain the following characters: comma (,), period (.), hyphen (-), underscore (_), or number sign (#).
- The password must contain characters from three of the following four categories:
  - Uppercase letters (A...Z)
  - Lowercase letters (a...z)
  - Digits 0...9
  - Non-alphanumeric characters, such as exclamation (!) and dollar ($)
13. In the Windows User Name field, enter your Microsoft Windows system user name here. This is necessary with SQL Express. You must have administrative access in order to run the automated scripts that are part of the database initialization process.
14. Enter your Microsoft Windows system password and confirm that
15. Check the checkboxes as follows:
Note: Be sure the Create Default List Views, Create System List Views, Create System Alarm Enrollments, and Enhanced Alarm Logging boxes are checked. If you leave them unchecked, CyberStation does not import the necessary dump files. The dump files generate all of the default views, so the listviews and alarms are not created. In addition, faster alarm logging is not activated. The dump file import happens as soon as the workstation is started for the first time after installation and the appropriate files are placed in folders. For more information on Listviews, alarms, and alarm logging, please see the Continuum CyberStation online help.
a. Create Default List Views - Check this box to import and create listviews (from the ASCII dump file, DefaultListViews.dmp) for all CyberStation object classes.
b. Create System List Views - Check this box to import and create listviews (from the ASCII dump file, List.dmp) for system information other than object class defaults (for example, all events).
c. Create System Alarm Enrollments - Check this box to import configured system AlarmEnrollment objects (from the ASCII dump file, SystemAlarms.dmp). These define the basic conditions under which CyberStation points go into alarm.
d. Create/Update Graphical Report Settings - Check this box to import graphical report templates. CyberStation supplies many Report templates that include bar-chart templates, pie-chart templates, and trend templates, giving Reports a certain default look and feel. If you do not check this box, then these report templates will not be available. For more information on Reports, see the Continuum CyberStation online help.
e. Enhanced Alarm Logging - Check this box to activate an enhanced method that automatically speeds up the process of logging alarms with workstations. Without enhanced alarm logging, configuration of workstation recipients in EventNotification objects becomes more cumbersome.
Note: If the Enhanced Alarm Logging checkbox is not checked, the Enhanced Alarm Delivery checkbox becomes unselectable.
f. Enhanced Alarm Delivery - This checkbox is intended for a system with multiple workstations. Check this box only if you intend to add more workstations to the system. If more workstations will not be added, then leave it unchecked.
Note: This setting has no effect on BACnet alarms, which can be guaranteed through the configuration of BACnet alarm notifications.
Checking this checkbox guarantees the delivery of alarms to all recipient workstations regardless of their status at the time of the alarm generation. This selection activates special background applications and processes (already installed) that establish an ongoing connection between workstations and the database server, where new alarms are written. Enhanced alarm delivery guarantees alarm delivery even when connections are lost. The alarms are delivered when the connection is restored. Enhanced alarm delivery provides a suite of diagnostic and troubleshooting tools that allow you, for example, to monitor the status of alarm messages and background alarm delivery processes as well as ping a particular workstation to deliver an alarm message that, for some reason, could not be delivered. For instructions on how to activate these diagnostic tools, please contact product support services.
g. Extended Logging Backwards Compatibility - If you want to use pre-Version 1.7 old extended logging, in addition to new extended logging, be sure this checkbox is checked.
Note: Before version 1.7, you created Plain English programs for extended logs. These programs facilitated extended log tables in the database, one table per controller. In version 1.7 or higher, you must check the Extended Logging Backwards Compatibility box to retain the older method for creating extended logs, while also enabling new extended logging functionality.
For more information about extended logs, please see the Continuum CyberStation online help.
16. Click the Continue button.
For first time installations, you should see this dialog. If, in the very unlikely event, you do not see this dialog, it means SQL Express is already on your computer for some other reason. If it is not installed, proceed to the next step. If it is already installed be sure it has been configured with the correct settings, as defined in the CyberStation Installation Guide, 30-3001-720.
17. Select the Install SQL now radio button and click OK. SQL
During SQL Express installation, the software checks your computer for certain problems that could complicate SQL installation and/or the creation or update of the Continuum database. There are several different scenarios. For example, third-party software may generate license-agreement issues. For a detailed description of these issues, how CyberStation resolves them, and a list of error messages, please see Appendix D, SQL Express Installation Error Messages. If there are no problems, the Select Folder dialog appears.
18. Accept the default path, or use the browse button to select a
Note: Be sure that the drive you have selected has a minimum of 2 GB of free space available.
takes approximately 1 to 5 minutes. Next, the Microsoft SQL Server 2005 Setup progress window appears. This also can take several minutes. After the installation has completed, the reboot dialog appears, which may take up to 60 seconds. Do not proceed until this dialogue appears. Click OK and reboot your computer.
Note: Reboot happens immediately. You do not have the choice of doing this later.
20. After rebooting, a screen telling you that SQL script is running
Double click the SQL Server Service Manager icon in the system tool tray.
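The Sa Password composition rules from step 12 above, as an added Python check that is not part of the guide or of Continuum. Reading "part of the user's account name" as any delimiter-separated piece of three or more alphanumeric characters is an assumption, as are the function names and the sample values in the comments.

```python
import re
import string

MIN_LENGTH = 8
# Characters the guide says must not appear in the Sa password.
FORBIDDEN_CHARS = set(",.-_#")


def name_tokens(account_name):
    """Alphanumeric pieces of the account name that are 3+ characters long.

    Assumption: "part of the account name" means one of these pieces;
    shorter pieces (for example the two-letter name "sa") are ignored.
    """
    pieces = re.split(r"[^A-Za-z0-9]+", account_name)
    return [p.lower() for p in pieces if len(p) >= 3]


def category_count(password):
    """Count how many of the four character categories the password uses."""
    return sum([
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(not c.isalnum() for c in password),
    ])


def check_sa_password(password, account_name):
    """Return the list of rules the password breaks; empty means it passes."""
    problems = []

    # Rule 1: at least eight characters.
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)

    # Rule 2: no part of the account name (case-insensitive).
    lowered = password.lower()
    for token in name_tokens(account_name):
        if token in lowered:
            problems.append("contains part of the account name: " + token)

    # Rule 3: none of the characters , . - _ #
    bad = sorted(set(password) & FORBIDDEN_CHARS)
    if bad:
        problems.append("contains forbidden character(s): " + " ".join(bad))

    # Rule 4: three of the four categories. The forbidden characters are
    # themselves non-alphanumeric, so that category has to be met with
    # characters such as ! or $.
    used = category_count(password)
    if used < 3:
        problems.append("uses %d of the 4 character categories; 3 are required" % used)

    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    for candidate in ("Winter!Sun42", "short1A", "Good_Pass#1", "alllowercase"):
        print(candidate, "->", check_sa_password(candidate, "sa") or "OK")
```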
Be sure you have performed the procedure, Installing web.Client on the IIS PC. After the server reboots, the Continuum Database Initialization window appears.
Select the Update Existing Database radio button. Click the Continue button. Upon completion, you receive this message:
Database successfully updated
Click Close.
After the server reboots, the Continuum Database Initialization window appears. Select Workstation. Once the database is set up on your web server, the main Workstation Configuration dialog, shown on the next page, appears.
Select the Workstation tab to set the workstation parameters. Set the Workstation Name, Folder Name, Device Node ID and Network ID for the workstation. See the Andover Continuum CyberStation Installation Guide, 30-3001-720, for further details.
provides important guidelines for entering information in the Workstation Configuration dialog. Refer to that manual.
3. Select the Database tab, shown on the next page.
4. Fill in the fields as shown below if you are adding a new server to a LAN system. If this is a server upgrade, they will be populated automatically. The Server Name field should be set to the name of your Continuum database server.
5. Click OK to activate the workstation, then click Close on the Continuum Database Initialization window to complete the database initialization.
6. Run web.Client on this machine. This will create the final objects in the Continuum database for this workstation.
Click Yes to learn all servers and cameras now, or No to learn them later in CyberStation's Video Administrator. It is recommended that you learn video servers and cameras now since it is more efficient to learn them all at once rather than learning them individually later.
Note: Should you choose not to learn servers and cameras now, you will need to learn them later in Video Administrator. For more information on learning cameras, see the Video Administrator Settings tab in the CyberStation online help.
If you click Yes, the Learn All Video Servers - Status dialog, shown on the next page, displays. It shows a count of the servers and cameras as they are learned.
2. Click Close to stop the learn process at any time. The video servers and cameras will then be in a partially-learned state, with only those servers and cameras that have been learned to that point displaying in the Learn All Video Servers - Status dialog.
message during the learn process. Should this occur, ensure that your system is stable and then perform a single Learn Cameras operation for that server. For more information, see the Video Server Editor - General Tab in the CyberStation online help.
1. For every EventNotification object, add the IIS PC's workstation to the list of alarm recipients to be notified. To do so, open the EventNotification editor and select the Delivery tab.
2. In the Delivery tab, click the Add Recipient button. The Recipients Configuration dialog, shown on the next page, appears.
3. Use the Recipient field's browse button and the browse dialog to search for and select the workstation that is on the IIS PC.
4. Configure these settings appropriately for your system. There are several ways to configure recipients, according to your needs. Refer to the Continuum CyberStation online help for information on the configuration of event notifications.
Note: For additional enhanced alarm delivery, ensure that the Enhanced Alarm Delivery checkbox is checked via the Database Initialization dialog. For detailed information on the checkboxes in the Database Initialization dialog, please see the Andover Continuum CyberStation Installation Guide, 30-3001-720.
1. From the system tray in the lower right corner of your screen, right-click on the Continuum icon, and select Security from the popup menu to open the Security editor.
2. Select the Actions tab of the Security editor.
3. Scroll down to the bottom of the folder tree structure.
4. Expand the web.Client folder. A list of all web.Client permissions, or actions, appears.
5. For each user group, edit each web.Client action to grant or deny permission to access the web.Client feature. To grant access, click to display a key, as shown above. To deny access, leave the lock, or if unlocked, click to display a lock.
For complete Continuum security configuration procedures, see the Andover Continuum CyberStation Access Control Essentials Guide, 313001-405, or the Continuum CyberStation online help.
For more information on configuring a video server (and the VideoServer object) please see VideoServer in the Continuum CyberStation online help. For more information on configuring video layouts, please see Video in the web.Client online help.
Configuring Graphics Folders for web.Client: Windows XP and Windows Server 2003
If you have Windows XP or Windows Server 2003, perform the following procedures. If you have Windows 7, see Configuring Graphics Folders for web.Client: Windows Server 2008 and Windows 7. Your users must access web.Client Pinpoint graphics file folders as URL web-address locations on the Internet. This section presents the following procedures:
- Specifying a Local Folder as a Web Address for Windows XP and Windows Server 2003
- Specifying a Network Folder as a Web Address for Windows XP and Windows Server 2003
- Verifying Anonymous Access to Virtual Folders
Note: If you are using SSL (and an SSL Certificate) to facilitate exchanges of encrypted, confidential information, then you must also set up web.Client Pinpoint to be compatible with SSL. For instructions, please see Setting Up SSL for web.Client Pinpoint later in this chapter.
Note: web.Client does not support multiple network interface cards (NICs).
Specifying a Local Folder as a Web Address for Windows XP and Windows Server 2003
Use the following procedure to specify local folders as web addresses:
1. Using your Windows Explorer, search for and select the folder that you wish to access as a URL web address. For example, suppose the folder name is NewGraphicsFiles.
2. Right click on the folder. The Properties dialog appears (in this example, entitled NewGraphicsFiles Properties).
3. Select the Web Sharing tab on the Properties dialog.
4. Click the Share this folder radio button. The Edit Alias dialog appears.
5. Check the Read, Write and Directory browsing checkboxes in the Access permissions section, and be sure the Scripts radio button is selected in the Application permissions section. Click OK. This graphics folder can now be accessed via the web address:
http://ServerName/NewGraphicsFiles
where ServerName is the IIS PC.
6. Normally, Internet port numbers default to port 80. Some Internet access providers use a port other than port 80. If you have such a provider, then Pinpoint graphics files may not be accessible. As a workaround, you can specify a port number other than 80 (the default) directly in the URL:
http://ServerName:PortNumber/NewGraphicsFiles
where ServerName is the IIS PC and where PortNumber is an integer representing the number of the desired port. If the server is registered in an Internet domain, the format would be:
http://ServerName.com:PortNumber/NewGraphicsFiles
Note: You can also permanently change the default TCP port number. See Changing the Default TCP Port Number later in this chapter.
Specifying a Network Folder as a Web Address for Windows XP and Windows Server 2003
Perform the following procedure to specify remote network graphics folders as URL web addresses that can be accessed via web.Client on the Internet:
1. Using your Windows Start menu, select Settings, then Control Panel.
2. From the Control Panel, select Administrative Tools. The Administrative Tools dialog appears.
3. From the Administrative Tools dialog, select Internet Services Manager (or Internet Information Services in Windows XP). The Internet Information Services dialog appears.
4. From the explorer tree, expand your server name directory, exposing the default subdirectories.
5. Right click on the Default Web Site subdirectory.
6. From the popup menu, select New, then Virtual Directory. The Virtual Directory Creation Wizard appears.
7. Click the Next button to continue. The Virtual Directory Alias screen appears.
8. In the Alias field, enter an alias name that you want to use to gain access to this virtual web directory. For example, you could enter NewGraphicsFiles.
9. Click the Next button to continue. The Web Site Content Directory screen appears.
10. In the Directory field, enter (or use the Browse button to search for) the network server/drive and path containing the graphics files.
11. Click the Next button to continue.
12. Enter a user name and password to gain access to the network resource.
13. Click Next, and enter the password again to confirm.
If you have a Windows Server 2003 machine - On Windows Server 2003, you must uncheck the checkbox, Always use the authenticated user's credentials when validating access to the network directory. Removing the check from this box makes the user and password fields selectable.
14. Click the OK button. The Access Permissions screen appears.
15. Check the Read, Write, Browse, and Run Scripts checkboxes.
16. Click Next.
17. Click Finish.
18. Using the example alias name, NewGraphicsFiles, established in step 8, the graphics files can now be accessed via the web address:
http://ServerName/NewGraphicsFiles
where ServerName is the IIS PC. If the server is registered in an Internet domain, the URL would be:
http://www.ServerName.com/NewGraphicsFiles
Normally, Internet port numbers default to port 80. Some Internet access providers use a port other than port 80. If you have such a provider, then Pinpoint graphics files may not be accessible. As a workaround, you can specify a port number other than 80 (the default) directly in the URL. (See Step 6 in the previous section for details.)
Note: You can also permanently change the default TCP port number. See Changing the Default TCP Port Number later in this chapter.
1. From the Control Panel, double click and open Administrative Tools. The Administrative Tools dialog appears.
2. Double click and open Internet Services Manager. The Internet Information Services (IIS) Manager dialog appears.
3. In the tree, expand your machine name, expand Web Sites, and expand Default Web Sites.
4. Right click on NewGraphicsFiles, and from the popup, select Properties. The NewGraphicsFiles Properties dialog appears.
5. Select the Directory Security tab, and under Authentication and access control, click the Edit button. The Authentication Methods dialog appears.
6. Check the Enable anonymous access checkbox.
7. Click OK.
Configuring Graphics Folders for web.Client: Windows Server 2008 and Windows 7
If you have Windows Server 2008 and Windows 7, perform the following procedures. If you have Windows XP or Windows Server 2003, see Configuring Graphics Folders for web.Client: Windows XP and Windows Server 2003. Your users must access web.Client Pinpoint graphics file folders as URL web-address locations on the Internet. This section presents the following procedures:
- Setting Up an Application for Graphics on Windows Server 2008 and Windows 7, including:
  - Specifying a Local Folder as a Web Address for Windows Server 2008 and Windows 7
  - Specifying a Network Folder as a Web Address for Windows Server 2008 and Windows 7
- Giving Everyone Access to Graphics Files on Windows Server 2008 and Windows 7
1. Access the Internet Information Services (IIS) Manager.
2. Under Connections, under computer name, expand Sites.
3. Expand Default Web Site.
4. Right click over Default Web Site, and select Add Virtual Directory from the popup menu.
5. In the Add Virtual Directory dialog, enter NewGraphicsFiles in the Alias field.
6. In the Physical path field, specify the following:
C:\Program Files\Continuum\NewGraphicsFiles
7. Click OK.
8. Share the graphics folder with everyone and provide full-control access. For more information, see Giving Everyone Access to Graphics Files on Windows Server 2008 and Windows 7.
9. Under Default Web Site, select the newly created NewGraphicsFiles folder and open Directory Browsing.
Specifying a Local Folder as a Web Address for Windows Server 2008 and Windows 7
Use the following procedure to specify local folders as web addresses:
1. Using your Windows Explorer, search for and select the folder that you wish to access as a URL web address. For example, suppose the folder name is NewGraphicsFiles.
2. Right click on the folder. The Properties dialog appears (in this example, entitled NewGraphicsFiles Properties).
3. Select the Sharing tab on the Properties dialog.
4. Click Advanced Sharing. The Advanced Sharing dialog appears.
5. Click Permissions.
6. When the Permission for NewGraphicsFiles dialog appears, click Add.
7. In the Select Users, Computers, Service Accounts or Groups dialog, select Users, Groups, or Built-in security principals in the object type selection field.
8. Click Locations, find your computer, and ensure that it appears in the From this location field.
9. Click Advanced and then Find Now.
10. In the Search results list, double click Everyone and click OK.
11. Check the Full Control checkbox to add full control for everyone as shown.
12. Click OK. This graphics folder can now be accessed via the web address:
http://ServerName/NewGraphicsFiles
where ServerName is the IIS PC. Normally, Internet port numbers default to port 80. Some Internet access providers use a port other than port 80. If you have such a provider, then Pinpoint graphics files may not be accessible. As a workaround, you can specify a port number other than 80 (the default) directly in the URL:
http://ServerName:PortNumber/NewGraphicsFiles
where ServerName is the IIS PC and where PortNumber is an integer representing the number of the desired port. If the server is registered in an Internet domain, the format would be:
http://ServerName.com:PortNumber/NewGraphicsFiles
Note: You can also permanently change the default TCP port number. See Changing the Default TCP Port Number later in this chapter.
application.
Under Connections > Default Web Site, right-click on the NewGraphicsFiles folder. Select Manage Application and then Advanced Settings. Check the path:
Graphics (pin files) - c:\program files\Continuum\NewGraphicsFiles
Image - c:\program files\Continuum\NewGraphicsFiles\ImageLibrary
Background - c:\program files\Continuum\NewGraphicsFiles\Backgrounds
Note: Since these are the defaults, no typing is needed if you are using the IIS PC to store your .pin files.
Launch Internet Explorer. Browse to the following sample web location as a test: http://ser8web/NewGraphicsFiles Files under this web location display.
Specifying a Network Folder as a Web Address for Windows Server 2008 and Windows 7
Start this procedure by referring to Specifying a Local Folder as a Web Address for Windows XP and Windows Server 2003. Then, continue by following these steps to specify remote network graphics folders as URL web addresses:
1. Configure the following Remote Share settings (in this example, a new application called NewGraphicsFiles2).
Map a drive to the share. Add the mapped path to the Options in Continuum Graphics.
2. Launch Internet Explorer.
3. Browse to the following sample web location as a test: http://ser8web/NewGraphicsFiles2 Files under this web location display.
Giving Everyone Access to Graphics Files on Windows Server 2008 and Windows 7
Follow this procedure to give everyone full-control access to the graphics files folder on Windows Server 2008 and Windows 7.
1.
95
2. 3. 4. 5.
In the Connections tree, expand the computer name, then Web Sites, then Default Web Site. Right click over NewGraphicsFiles. (See also Setting Up an Application for Graphics on Windows Server 2008 and Windows 7.) From the popup menu, click Edit Permissions (Windows 7). In the NewGraphicsFiles Properties dialog, select the Security tab, and click the Advanced button.
6.
In the Advanced Security Settings for NewGraphicsFiles dialog, select the Permissions tab, and click Edit.
7. 8.
When the Permissions tab reappears, click Add. In the Select User or Group dialog, specify the location for the object (Everyone). Make sure the computer name appears beneath From this location, and click Find Now. In the Search results list, double click Everyone. tab, check the Full Control checkbox).
9.
11. Click OK.
12. Launch Microsoft Notepad as user Administrator. (That is, when you open this program, right click on its menu selection, and from the popup menu, select Run as administrator.)
13. Access and open the ApplicationHost.config file located in: C:\Windows\System32\inetsrv\config\
14. Change this line:
<section name="requestFiltering" overrideModeDefault="Deny" />
to:
<section name="requestFiltering" overrideModeDefault="Allow" />
15. Access and open the Web.config file located in: C:\Program files\Continuum\DNWACServerFactory\.
16. Using Notepad as user Administrator, edit the present Web.config
Note: Be sure to edit the machine name to your PC name (in this example, WORKSTATION1).
Note: Due to page size limitations, the line starting with <wellknown mode= and ending with .soap /> is shown on 3 different lines here. Be aware that this text needs to be on a single line in your Web.config file.
17. Launch Internet Explorer.
18. From the Tools menu, select Internet Options.
19. In the Internet Options dialog, select the Connections tab and
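Step 14 edits a server-wide file: with overrideModeDefault set to Allow, site-level and application-level Web.config files may override the requestFiltering section. The following check is an added example, not part of the original guide: it compares a saved copy of ApplicationHost.config with the edited one and reports any section whose override mode changed other than the intended one. Both XML samples are constructed and cut down for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, cut-down <configSections> in the layout of ApplicationHost.config.
TEMPLATE = """<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="defaultDocument" overrideModeDefault="Allow" />
      <sectionGroup name="security">
        <section name="access" overrideModeDefault="Deny" />
        <sectionGroup name="authentication">
          <section name="anonymousAuthentication" overrideModeDefault="Deny" />
        </sectionGroup>
        <section name="ipSecurity" overrideModeDefault="Deny" />
        <section name="requestFiltering" overrideModeDefault="{mode}" />
      </sectionGroup>
    </sectionGroup>
  </configSections>
</configuration>"""
BEFORE = TEMPLATE.format(mode="Deny")    # saved copy taken before step 14
AFTER = TEMPLATE.format(mode="Allow")    # file as it should look after step 14

# The one change the procedure asks for: (section path, new mode).
INTENDED = {("system.webServer/security/requestFiltering", "Allow")}


def section_modes(apphost_xml):
    """Map each declared section's full path to its overrideModeDefault value."""
    modes = {}

    def walk(node, prefix):
        for child in node:
            name = child.get("name", "")
            path = prefix + "/" + name if prefix else name
            if child.tag == "sectionGroup":
                walk(child, path)
            elif child.tag == "section":
                # A section without the attribute is reported as "(unset)".
                modes[path] = child.get("overrideModeDefault", "(unset)")

    sections = ET.fromstring(apphost_xml).find("configSections")
    if sections is not None:
        walk(sections, "")
    return modes


def changed_sections(before_xml, after_xml):
    """Return {path: (old, new)} for every section whose mode differs."""
    old, new = section_modes(before_xml), section_modes(after_xml)
    return {
        path: (old.get(path), new.get(path))
        for path in sorted(set(old) | set(new))
        if old.get(path) != new.get(path)
    }


def unintended_changes(before_xml, after_xml, intended=INTENDED):
    """List changes that the procedure did not ask for."""
    return [
        "%s: %s -> %s" % (path, old, new)
        for path, (old, new) in changed_sections(before_xml, after_xml).items()
        if (path, new) not in intended
    ]


def delegated_security_sections(apphost_xml):
    """Security sections that lower-level Web.config files may override."""
    prefix = "system.webServer/security/"
    return sorted(
        path for path, mode in section_modes(apphost_xml).items()
        if path.startswith(prefix) and mode != "Deny"
    )


if __name__ == "__main__":
    print("changed:", changed_sections(BEFORE, AFTER))
    print("unintended:", unintended_changes(BEFORE, AFTER))
    print("delegated security sections:", delegated_security_sections(AFTER))
```

To use it on a real server, read the saved copy and the edited file into two strings and pass them in place of BEFORE and AFTER.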
Log on to Continuum and start Pinpoint. (See the Continuum CyberStation online help for details.) From the Pinpoint application window, select the View dropdown menu, then Options. The Options dialog appears. On the Web Locations tab, enter the appropriate paths to the following shared folders. If the image folder and background folder are under NewGraphicsFiles (the sample folder you just specified as a web address) then, in the Web Locations tab of the Pinpoint Options dialog, the new paths would be:
http://ServerName/NewGraphicsFiles/imagelibrary and http://ServerName/NewGraphicsFiles/backgrounds
NewGraphics (Pin) Files - This is the location (specified as a URL web address) from which Pinpoint panel (.PIN) files are accessed. In a multi-user setup this could be a shared location across the workstations.
ImageLibrary - This is the image file location (specified as a URL web address) that contains ready-made images that you can use to make graphic panels in Pinpoint. This is usually set up and copied by the installation program.
Backgrounds - This is the image folder location (specified as a URL web address) that contains background files that serve as backgrounds for the panels. These files are specified per graphic in the Configuration editor of the CyberStation Pinpoint graphics application.
Note: Ensure that you have given accessible sharing privileges to the above three folders so that all client machines can view the graphics.
To ensure the paths you entered are correct, click the Check button.
If the path is incorrect, the symbol appears next to the incorrect path. If the three paths are correct, click OK and close Pinpoint.
CAUTION Manually changing an IP address
If you use a specific IP address in the Graphics (Pin Files) field, instead of ServerName, and then manually change the IP address (in the IP Address field of the Default Web Site Properties dialog, accessed via the Control Panel's Administrative Tools - Internet Services Manager - Default Web Site properties) the Graphics URL no longer works. You must go back and change the path in the Graphics (Pin Files) field in the Options dialog to match what was changed in the IP Address field, or enter a server name. To map the local host to this new IP address, you must also edit, and place this new entry into the LMHOSTS.SAM file located in: C:\WINNT\system32\drivers\...
Failure to observe this precaution can result in failure to access web.Client Pinpoint graphics files.
4. Log out of Continuum.
5. Stop and then restart your IIS server, or reboot the machine.
6. Lock your computer.
After installing web.Client, the default security permissions for both access and launch might not be set. You must verify that the Distributed COM (DCOM) default security is configured properly. This involves editing the default access permissions and default launch permissions.
1. From the Windows Start menu, select Run, and run the DCOM configuration utility. (In the Run dialog, enter dcomcnfg, and click OK.) The Component Services dialog appears.
2. In the explorer tree, expand Component Services, expand the Computers folder, expand My Computer, and expand DCOM Config.
3. Right-click over AccDataServices, and select Properties from the popup menu. The AccDataServices Properties dialog appears.
4. Select the Security tab, and in the Launch and Activation Permissions section, select the Customize radio button.
5. Click the Edit button. The Launch Permission dialog appears, displaying a Group or user names window and a Permission for... window.
6. Click the Add button. The Select Users, Computers, or Groups dialog appears.
7. Click the Locations button, and from the Locations dialog, select the IIS PC (computer) name. It usually appears at the top of the list. Click OK. You can also specify an object type via the Object Types button.
8. From the Select Users, Computers, or Groups dialog, click the Advanced button. A blank window appears at the bottom of the dialog.
9. Click the Find Now button. The window at the bottom of the dialog becomes populated with the names and locations of users and groups.
For Windows Server 2003, IIS 6.0, and Windows Server 2008, and Windows 7, IIS 7.0, highlight and add these accounts:
11. Click OK, and OK again to close the Select Users, Computers, or Groups dialog.
12. On the Launch Permissions dialog, in the Permissions for... window, check the Local Launch and Local Activation checkboxes for each user/group.
13. Click OK.
14. From the Security tab of the ACCDataServices Properties dialog, in the Access Permissions section, select the Customize radio button, then click the Edit button. The Access Permission dialog appears, displaying a Group or user names window and a Permission for ... window.
15. Repeat steps 6 through 12 for Access Permissions this time (instead of Launch and Activation Permissions). But in step 12, be sure to select the Local Access checkbox.
16. Repeat steps 3 through 14 for AccXMLAuto,
Note: After installing web.Client, check that the default document on the web.Client virtual directory is set. (See Tip 5 - Enabling the Default Document in Appendix A.)
1. From the Control Panel, access Administrative Tools.
2. From the Administrative Tools dialog, select Internet Information Services Manager (IIS) Manager. The Internet Information (IIS) Services Manager dialog appears.
3. In the explorer tree, expand the IIS PC name directory, and expand the Web Sites folder.
4. Right click on the Default Web Site folder, and from the popup menu select Properties. The Default Web Site Properties dialog appears.
5. In the Web Site tab, remove the check from the HTTP KeepAlives Enabled checkbox, and click OK.
The timeout is the number of minutes that a web.Client session remains active during non-use (inactivity) before the session ends, requiring the user to log on again. The maxEventViewRows is also set in the web.config file. It defines the maximum number of live events that are listed in the EventViews window. For more information about session timeout and EventViews, see the web.Client online help.
Inactivity Timeout
The timeout default is 20 minutes, but it can be reset to a different time period by editing the web.config file:
Live EventView
The maxEventViewRows default value is 1000, but you may want to edit the web.config file to reset it to a smaller number to save time while the event view list rebuilds:
For example:
• VeriSign web-site instructions for generating a Certificate Signing Request (CSR) for a Microsoft IIS 6.0 Server, in preparation for installation.
• VeriSign web-site instructions for installing a Certificate on a Microsoft IIS 6.0 Server.
• VeriSign web-site instructions for moving a Certificate from one server to another.
• VeriSign web-site instructions for backing up a Certificate.
You generate a CSR and install a Certificate through Microsoft's administrative tool, Internet Information Services, and the IIS Web Server Certificate Wizard. For complete instructions for using SSL on Microsoft platforms, please see Microsoft's extensive online IIS documentation on secure communications and certificates:
1. From your Control Panel, open Administrative Tools.
2. From the Administrative Tools dialog, open Internet Information Services.
3. In the navigation tree in the Internet Information Services dialog, expand your local PC name and the Web Sites folder.
4. Right click over Default Web Site, and select Properties.
5. On the Default Web Site Properties dialog, select the Directory Security tab.
6. Click the Help button. From the IIS Documentation window, select Secure communications. For very extensive, detailed information, click Certificates.
This Microsoft IIS documentation provides information on:
• An overview of certificates
• Setting up SSL on your server
• Using the security task wizards
• Obtaining a server certificate
• Using Certificate trust lists. (Trust lists are managed via Internet Explorer's Internet Options dialog. From IE's Tools dropdown menu, select Internet Options. Select the Content tab. Certificate management options appear in the Certificates section.)
• Obtaining a client Certificate
• Enabling client certificates
• Mapping client Certificates to user accounts.
Note: When applying for and creating your certificate, please use the fully qualified domain name of the IIS server, particularly if you plan to connect the web server to the Internet with a public IP address. For example, use the following: (FQDN) System name.schneider-electric.com (public). If you plan to connect the web server internally with a private IP address, you need only use a NetBIOS name. For example, use the following: (netBios) System name (private).
The URL of the site name must comprise the same server name and domain name to which your client machine browsers connect: https://ServerName.DomainName.com
For example:
https://yourpc.schneider-electric.com/webclient (public IP address)
https://yourpc/webclient (private IP address)
Otherwise, if these do not match, errors will result and SSL won't work. To test the URL, ping it from your machine and ensure there is a reply.
Note: In order to use SSL encryption from the client machine, a web.Client user must access web.Client with the prefix: https:// instead of http:// For more information, see Chapter 4.
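The name-matching requirement in the certificate note above can be checked before the certificate is requested. This Python sketch is an added example, not part of the original guide: it takes the URLs that client browsers will use and reports which ones a certificate issued for a given name would satisfy. The port-qualified URL and the wildcard case are constructed additions that go beyond the two URLs in the guide.

```python
from urllib.parse import urlsplit

# The two URLs from the guide plus one constructed URL with a port and mixed case.
CLIENT_URLS = [
    "https://yourpc.schneider-electric.com/webclient",
    "https://yourpc/webclient",
    "https://YourPC.schneider-electric.com:8443/webclient",
]


def url_host(url):
    """Host part of a URL, lower-cased, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def name_matches(cert_name, host):
    """True if a certificate name covers the host the browser connects to.

    Comparison is case-insensitive. A wildcard is accepted only as the whole
    left-most label and covers exactly one label.
    """
    cert_name = cert_name.rstrip(".").lower()
    host = host.rstrip(".").lower()
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                 # ".example.com"
        if host.endswith(suffix):
            left = host[: -len(suffix)]
            return left != "" and "." not in left
    return False


def check_urls(cert_names, urls):
    """Map each URL to True/False: does any certificate name cover its host?"""
    return {
        url: any(name_matches(name, url_host(url)) for name in cert_names)
        for url in urls
    }


def names_to_request(urls):
    """Distinct host names the certificate must cover for all URLs to work."""
    return sorted({url_host(url) for url in urls})


if __name__ == "__main__":
    # Certificate issued for the FQDN only: the NetBIOS-style URL fails.
    for url, ok in check_urls(["yourpc.schneider-electric.com"], CLIENT_URLS).items():
        print("match   " if ok else "MISMATCH", url)
    print("names needed:", names_to_request(CLIENT_URLS))
```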
To launch Microsoft's Web Server Certificate Wizard, click the Server Certificate button under Secure communications on the Directory Security tab of the Default Web Site Properties dialog.
Install an SSL Certificate. See Establishing SSL Support for Confidential Information. In Internet Explorer, select Internet Options from the Tools dropdown menu. On the Internet Options dialog, select the Security tab. In the Security level for this zone section, click the Custom Level button. On the Security Settings dialog, scroll down to Miscellaneous. Under Display mixed content, select the Enable radio button. Under Access data sources across domains, select the Enable radio button. Click OK in the Security Settings dialog and again in the Internet Options dialog.
As an alternative, on each client machine you can add the web.Client URL address to Trusted sites. On the Internet Options dialog:
1. Select the Security tab, and click Trusted sites.
2. On the Trusted sites dialog, enter the web address in the Add this Web site to the zone field.
3. Click OK.
1. Install an SSL Certificate. See Establishing SSL Support for Confidential Information.
2. From the Control Panel, open Administrative Tools.
3. From the Administrative Tools dialog, select Internet Information Services.
4. From the navigation tree in the Internet Information Services dialog, expand your local computer name, expand Web Sites, and expand Default Web Site.
5. Locate and right-click over WebClient. Select Properties.
6. On the WebClient Properties dialog, select the Directory Security tab.
7. In the Secure communications section, click the Edit button.
8. On the Secure Communications dialog, check the Require secure channel (SSL) checkbox, and make sure the Ignore client certificates radio button is selected.
9. Click OK.
1. Set up your Pinpoint graphics folders. See Configuring Graphics Folders for web.Client: Windows XP and Windows Server 2003 and Configuring Graphics Folders for web.Client: Windows Server 2008 and Windows 7 earlier in this chapter.
2. Install an SSL Certificate. See Establishing SSL Support for Confidential Information.
3. From the Control Panel, open Administrative Tools.
4. From the Administrative Tools dialog, select Internet Information Services.
5. From the navigation tree in the Internet Information Services dialog, expand your local computer name, expand Web Sites, and expand Default Web Site.
6. Locate and right-click over DNWACServerFactory. Select Properties from the popup menu.
7. On the DNWACServerFactory Properties dialog, select the Directory Security tab.
8. Under Secure communications, click the Edit button.
9. On the Secure Communications dialog, check the Require secure channel (SSL) checkbox, and make sure the Ignore client certificates radio button is selected.
10. Click OK.
11. On the same DNWACServerFactory Properties dialog, select
Change the value of the ServerName to the fully qualified domain name of the IIS server. Make sure the SSL port value remains 443, which is the default. Note: If you are using SSL with Pinpoint graphics, the SSL port must be 443.
17. Restart your computer.
18. After restarting your computer, test the Certificate and its
19. A Security Alert appears. Click Yes to the question, Do you want
If this page does not appear, it means it is not valid, or the Certificate has expired. At this point, SSL is ready for use with web.Client Pinpoint.
1. From the Control Panel, open Administrative Tools.
2. From the Administrative Tools dialog, open Internet Information Services.
3. From the navigation tree in the Internet Information Services dialog, expand the local computer name, and expand Web Sites.
4. Right click over Default Web Sites, then select Properties.
5. On the Default Web Site Properties dialog, select the Web Site tab.
6. Under Web Site Identification, in the TCP Port field, change 80 to a number compatible with your Internet access provider. (Consult your provider.)
7. Click OK.
If you do not permanently change the TCP Port number, you can override the default, 80, by entering the desired port number directly into a URL web address. For example, if you want to connect to web.Client:
https://ServerName.com:PortNumber/webClient
Note: The s in the https:// URL is used when an authorized SSL Certificate is installed on the IIS PC.
8.
Chapter 4
Testing and Installing web.Client on a Client PC
• Overview
• Testing Access to and Installing web.Client on a Client PC
• Before Getting Started
• Launching Internet Explorer in Windows 7
• Installing the web.Client Utilities Control
• Installing Microsoft .NET Framework 2.0
• Installing web.Client Pinpoint
• Installing the Video Layout Control and .NET Framework 3.5
• Setting Browser Zone Permissions for .NET Framework
• Server Proxy Applications
• Logging Out of web.Client
Overview
When your web.Client users log on to web.Client via their client-machine browsers for the first time, it is likely that several applications will be installed (automatically or via user prompts).
Note: The procedures in this chapter presume you and your users are installing or upgrading to web.Client version 1.94 and have Internet Explorer version 8.0, and meet the other software and hardware requirements presented in Chapter 2, System and Pre-Installation Requirements.
• web.Client Utilities Control
• Microsoft .NET Framework 2.0
• web.Client Pinpoint (only if users have access permission to graphics)
• Schneider Electric Video Layout Control (only if users have access permission to video) and Microsoft .NET Framework 3.0, which the video requires for its operation.
This chapter shows you how to test browser access to web.Client by logging on and installing web.Client on a user-client workstation.
Find a workstation suitable for testing client-browser access to web.Client. Be sure this workstation has versions of the operating system that your user clients would typically have. Be sure the workstation meets the system requirements given in Chapter 2, System and Pre-Installation Requirements. Restart this workstation and other client PCs before logging onto web.Client for the first time.
• web.Client Utilities Control must be installed before a user can log on to web.Client for the first time. (See Installing the web.Client Utilities Control.)
• .NET Framework 2.0 must be installed before a user can bring up the web.Client Home screen in a browser for the first time. (See Installing Microsoft .NET Framework 2.0.)
• web.Client Pinpoint must be installed before a user can open a graphic for the first time. (See Installing web.Client Pinpoint.)
• The Schneider Electric Video Layout Control (and .NET Framework 3.0, which is required for the Video Layout Control) must be installed before a user can open a video layout for the first time. (See Installing the Video Layout Control and .NET Framework 3.5.)
Note: All web.Client users must have a password to log in. web.Client users are created in CyberStation. web.Client features must be unlocked at another CyberStation for the test user, so that the user can log on to web.Client and perform all the necessary feature tests.
1.
Right click the Internet Explorer icon in your tool tray, and select Run as administrator. Via Program Files in your Start menu, right click the Internet Explorer menu selection, and select Run as administrator.
Note: Your users need only perform this step once in order to install ActiveX components and web.Client Pinpoint. Once they do so, they can run web.Client as that user (it is profile dependent) without being asked to specify the administrator account or run IE as administrator.
2. From the Internet Explorer Tools menu, select Internet Options.
3. In the Internet Options dialog, select the Connections tab, and click LAN Settings.
4. In the Local Area Network (LAN) Settings dialog, make sure the Automatically detect settings checkbox is cleared.
5. Click OK.
where MachineName is the name of the computer where you installed web.Client and Continuum. See Chapter 3, Installing and Configuring web.Client on the IIS PC. You must enter https:// if you have installed an authorized SSL Certificate on the IIS PC. If this is not an SSL server, then you would enter http://. Version 1.74 (and higher) fully supports SSL, which accommodates client-server exchanges of confidential information. (See Establishing SSL Support for Confidential Information in Chapter 3.) The VirtualDirectoryAlias was entered in the Enter Text screen of the installation procedure. Enter the name you supplied. If you did not change the default name, enter WebClient. For example:
https://SiteServer1/WebClient
A Security Warning dialog appears, prompting you to install the web.Client Utilities Control.
Note: If the IIS server does not have Internet connectivity, it may take between 30 and 90 seconds for this installation prompt to appear.
Note: The web.Client Log On screen, shown on the next page, appears in the background, beneath this Security Warning dialog, but you cannot enter your user name and password until the web.Client Utilities Control is installed.
3.
Click the Yes button (or the Install button on Windows XP) on the Utilities Control Security Warning dialog to begin the installation. Installation of the Utilities Control happens automatically, in a few seconds. If you are upgrading from Version 1.73 to 1.94, go to the next step. If you are upgrading from Version 1.74 or 1.94, go to Step 4.
4.
If you are upgrading from Version 1.73 to 1.94, a dialog appears, asking you to close and restart Internet Explorer. Do so now. After you restart Internet Explorer, enter the same URL you entered in Step 1. On the web.Client Log On screen, enter your user name and password.
5.
1. At the Welcome to Microsoft .NET Framework 2.0 Setup window, click Next. The End-User License Agreement window appears.
2. Check the I accept the terms of the License Agreement checkbox, and click Install. A Setup progress-bar, followed by the Installing components window, appears while the installation is configured and components are installed. This may take several minutes. Please wait.
3. When .NET Framework 2.0 is installed successfully, the Setup Complete window appears. Click Finish.
Microsoft .NET Framework allows the system to accept configurations that include firewalls.
Select Graphics from the navigation filter dropdown menu. In the navigation pane, explore and search for a list of graphic paths, and click the name of the graphic file you want. A Security Warning dialog appears, prompting you to install the file, msxml4.cab. Click the Yes button (or the Install button on Windows XP) to install the file. Another Security Warning dialog appears, asking if you want to install and run the WebClient Pinpoint graphics package. Click Yes to launch the Install Shield Wizard for WebClient Pinpoint and begin the installation. Click Next.
3.
4.
5. 6.
A License Agreement window appears. Click Yes to accept the terms of the license agreement. At this time, web.Client Pinpoint files are installed. The Setup Status window appears, displaying the progress of the installation. When installation is complete, the InstallShield Wizard appears. Click Finish to complete the installation process.
If your IIS PC Uses IIS 6.0 and Windows Server 2003, Windows Server 2008, or Windows 7
If your IIS PC uses IIS 6.0 and Windows Server 2003, Windows Server 2008, or Windows 7, be aware that IIS resources are recycled after a long period of time (29 hours) by default. This means that your web.Client Pinpoint windows, including web.Client itself, are disconnected after this long period of time expires. Please take this into account if your users need Pinpoint running continuously for more than a day. If you need to run Pinpoint continuously for more than 29 hours, you may lengthen that time via the Windows Internet Information Services (IIS) Manager. For a procedure on how to do this, please see the section, Tip 8 - Changing IIS / Windows Server 2003 Resource Recycle Time, in Appendix A, web.Client Security and Troubleshooting Tips.
Note: The video feature requires network access to a digital video recorder. This may require you to open port 18772 or establish a Virtual Private Network (VPN) connection if there is a firewall.
At least 72 MB of disk space are needed for the Video Layout Control, which comprises the file, WebClientVideo.cab, and .NET Framework 3.5. (See also Appendix B, web.Client Applications that Are Installed.) To install the Video Layout Control and .NET Framework 3.5, perform the following procedure:
1. 2.
From the navigation filter dropdown menu, select Video. Explore and search for a list of video paths, and click the name of the VideoLayout object you want. A message appears, prompting you to install the file, WebClientVideo.cab, as the first step in Video Layout Control installation.
3.
Click Install. If you do not already have Microsoft .NET Framework 3.5 installed on your computer, the InstallShield Wizard appears, asking you to install it now. (If you are not asked to install .NET Framework 3.5, go to Step 5.)
4.
Click Install. Installation of .NET Framework 3.5 begins. A progress bar appears in the InstallShield Wizard window. Installation takes several minutes. Please wait.
5.
When installation of .NET Framework 3.5 completes, the Welcome to InstallShield Wizard for Schneider Electric Video Layout Control window appears. Click Next. The Ready to Install the Program window appears. Click Install.
6.
7.
The Installing Schneider Electric Video Layout Control window appears with a progress bar. Please wait. When installation completes, click Next. The InstallShield Wizard Completed window appears. Click Finish. Your video layout object appears.
8.
Download and install the Microsoft .NET Framework Software Development Kit (SDK) 2.0, available from Microsoft, and set zone permissions. Run the Microsoft Code Access Security Policy tool, Caspol.exe
1. From the Windows Control Panel, open Administrative Tools. The Administrative Tools dialog appears.
2. In the Administrative Tools dialog, double click Microsoft .NET Framework 2.0 Configuration. The .NET Configuration 2.0 dialog appears.
3. In the tree, expand Runtime Security Policy, Machine, Code Groups, All_Code, until all code groups are listed.
4. Depending on which zone is running, right click on Trusted_Zone or Internet_Zone and select Properties from the popup menu. The Trusted_Zone Properties dialog (or Internet_Zone Properties dialog, respectively) appears.
5. Click the Permission Set tab, and from the Permission set dropdown menu, select FullTrust.
6. Click OK or Apply
You can also change the default permission set or create a new permission set that has the following specific permissions.
• Security - Enable Assembly execution
• User Interface - Grant assemblies unrestricted access to user interface elements.
• Web Access - Grant assemblies unrestricted access to user interface elements.
To add full trust to the Internet zone in .NET Framework 2.0, execute the following:
caspol.exe -m -addgroup Internet_Zone -zone InterNet FullTrust -name FullTrust
To add full trust to the Trusted zone in .NET Framework 2.0, execute the following:
caspol.exe -m -addgroup Trusted_Zone -zone Trusted FullTrust -name FullTrust
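The two commands above add a FullTrust child code group under the Internet and Trusted zones at machine level, so it is worth recording exactly which zones end up with FullTrust. This Python script is an added example, not part of the original guide: it parses a listing of machine-level code groups and reports every zone other than MyComputer that has a FullTrust group. The sample listing is constructed and assumed to follow the layout printed by caspol.exe -m -listgroups.

```python
import re

# Constructed sample, assumed layout of "caspol.exe -m -listgroups" output after
# both commands from this section have run (1.3.2 and 1.5.2 are the additions).
SAMPLE_LISTING = """\
Level = Machine

Code Groups:

1.  All code: Nothing
   1.1.  Zone - MyComputer: FullTrust
   1.2.  Zone - Intranet: LocalIntranet
      1.2.1.  All code: Same site Web
   1.3.  Zone - Internet: Internet
      1.3.1.  All code: Same site Web
      1.3.2.  Zone - Internet: FullTrust
   1.4.  Zone - Untrusted: Nothing
   1.5.  Zone - Trusted: Internet
      1.5.1.  All code: Same site Web
      1.5.2.  Zone - Trusted: FullTrust
Success
"""

# "<label>.  <membership condition>: <permission set>"
GROUP_LINE = re.compile(r"^\s*(\d+(?:\.\d+)*)\.\s+(.+?):\s+(.+?)\s*$")


def parse_groups(listing):
    """Return one dict per code-group line; header and status lines are skipped."""
    groups = []
    for line in listing.splitlines():
        match = GROUP_LINE.match(line)
        if match:
            label, condition, permission_set = match.groups()
            groups.append({
                "label": label,
                "condition": condition,
                "permission_set": permission_set,
            })
    return groups


def full_trust_zones(listing, local_zone="MyComputer"):
    """Return (label, zone) for each non-local zone group granting FullTrust.

    Code that matches several groups at one policy level receives the union of
    their permission sets, so a single FullTrust child group is enough to give
    the whole zone FullTrust.
    """
    findings = []
    for group in parse_groups(listing):
        kind, _, value = group["condition"].partition(" - ")
        if (kind == "Zone" and value != local_zone
                and group["permission_set"] == "FullTrust"):
            findings.append((group["label"], value))
    return findings


if __name__ == "__main__":
    for label, zone in full_trust_zones(SAMPLE_LISTING):
        print("FullTrust granted to zone %s by code group %s" % (zone, label))
```

The label reported for each finding identifies the code group if it later has to be removed, for example with caspol's -remgroup option.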
ACWebServerProxy, installed with web.Client, displays a window, shown below, that logs all users who are logged on to web.Client. It runs automatically on the server after the first user logs on the web site. It must not be manually closed.
ACWPPServerProxy is used exclusively for web.Client Pinpoint. Like the ACWebServer Proxy, it runs automatically on the server and must not be manually closed. Schneider Electric XML Automation server
If anyone manually closes the ACWebServerProxy window, all users are disconnected from the application.
If the session is closed without logging out, the client license will not be available for a different user until after the timeout period has expired.
Chapter 5
Using web.Client to Set Up Your Organization
• Overview
• web.Client Security Basics
• Scenario 1: A Single-Building Company
• Scenario 2: A Global Company
Overview
Having installed and tested web.Client version 1.94 on an Internet browser, you are now ready to use this powerful, web-based facility management tool. For example, web.Client can distribute personnel records, view and edit schedules and points, integrate video, display live events, provide convenient access to reports for managers, monitor BACnet loops, and download TrendLog records. (For complete information, please see the web.Client online help.) It is very important to plan for web.Client carefully. If you can start planning for web.Client before the initial configuration of the facility management system, implementation will be much easier.
• Is the security installation contained within one building or are there multiple facilities managed by one system?
• Where are the facilities located?
• Who are the security delegates that will administer the personnel records?
• What personnel records do the security delegates have authority to administer?
• What are the areas of which the security delegates have control?
• Can personnel records be placed in logical groups?
Based on the answers to the above questions, you will have to decide:
• What Folder and Device Level (FDL) security should be used for these folders?
• What group level security should the security delegates have to limit their ability to view only certain object classes or perform only certain tasks?
• What object level security should be set up to limit the security delegate to specific groups of objects?
This chapter details two scenarios in which the above questions were answered and decisions were made on how to set up the Continuum system. Use these examples to aid in planning for your scenario.
groups, and can only be used to deny a permission granted by security groups. Security levels cannot be used to grant permissions denied by security groups. They may be applied to individual objects (for example, an area called Engineering) or to a folder with many objects. When a security level is applied to a folder, all the contents of the folder, including subfolders, are limited to that security level's restrictions. Since only one security level can be applied to an individual object or folder, a security level must be defined to include all the restrictions that will be applied. For example, the following security levels may be required:
• Admin only
• Admin and Engineering Managers
• Admin, Engineering Managers, and Sales Managers
Folders: Folders are used in the Continuum system to partition, or logically group objects in the database. For example, a folder may contain all the areas in building 52. Folders make Continuum security much easier to implement. Instead of individually applying security levels to every object, a security level can be applied to the folder once to set the appropriate security permissions.
Users: Users created with the Continuum system are assigned to one or more security groups. Since a user may be a member of more than one security group, security groups may be set up to focus on a small set of permissions. Setting up security groups with a modular approach makes assignment of security groups to users much easier. If a user is assigned to more than one security group with conflicting permissions, the unlocked permissions take precedence and the user will be granted the permission.
Object-Level Security: is accomplished by using an object class called SecurityLevel. This class contains security permissions; these permissions are part of the SecurityLevel object and may be (and usually are) different than the default permissions.
SecurityLevel: Objects are used to create security permissions for groups of objects (such as Building52 Areas or Administration Objects). These permissions can then be attached to the appropriate objects.
Folder and Device Level Security (FDL): provides the user with the ability to apply a security level to a collection of child objects by placing them in a folder (the parent) so that they inherit the parent's security level. When you configure security using FDL, consider the following:
• Roles - Categories to which users can be assigned (for example, Administration, Guard, Maintenance, and so on)
• Partitions - Divisions of the site into physical areas (for example, Building A, Building B, and so on)
• Group names - The combination of roles and partitions (for example, BldgAAdmin, BldgAGuard, BldgAMaint, and so on)
The number of groups is a product of the number of roles multiplied by the number of partitions: Number of Groups = (Number of Roles) x (Number of Partitions) For example, a site with three roles and two partitions would have six groups.
Note: CyberStation supports up to 1024 groups. If the number of groups (number of roles multiplied by the number of partitions) exceeds 1024, then the number of roles and/or number of partitions needs to be decreased.
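The rules above (group permissions combine so that an unlocked permission wins, a security level can only take permissions away, and folder contents inherit the folder's level) can be tried out on a planned layout before it is configured. The following Python model is an added example, not Continuum's implementation: the permission names, the sample folders and the assumption that an object's own security level takes priority over an inherited one are illustrative only.

```python
from dataclasses import dataclass
from typing import Optional

GROUP_LIMIT = 1024  # maximum number of groups stated in the note above


def group_names(partitions, roles):
    """Build one group name per partition/role pair and enforce the limit."""
    names = [partition + role for partition in partitions for role in roles]
    if len(names) > GROUP_LIMIT:
        raise ValueError("%d groups exceed the limit of %d" % (len(names), GROUP_LIMIT))
    return names


@dataclass
class Item:
    """A folder or object; 'level' names the security level attached to it."""
    name: str
    parent: Optional["Item"] = None
    level: Optional[str] = None


def governing_level(item):
    """Own level if set (assumption), otherwise the nearest ancestor's level."""
    while item is not None:
        if item.level:
            return item.level
        item = item.parent
    return None


def allowed(user_groups, permission, item, group_perms, levels):
    """True if any of the user's groups keeps the permission on this item."""
    level = governing_level(item)
    for group in user_groups:
        if permission not in group_perms.get(group, set()):
            continue  # never granted by this group; a level cannot add it
        if level is None or permission in levels[level].get(group, set()):
            return True  # one unlocked group is enough
    return False


# Constructed sample data, using group and level names from this chapter.
GROUP_PERMS = {"Admin": {"view", "edit"}, "Eng": {"view"}, "Sales": {"view"}}
LEVELS = {
    "AdminOnly": {"Admin": {"view", "edit"}},
    "AdminAndEng": {"Admin": {"view", "edit"}, "Eng": {"view", "edit"}},
}
ROOT = Item("Root")
ENG_AREAS = Item("EngineeringAreas", ROOT, level="AdminAndEng")
ENG_LAB = Item("Engineering lab", ENG_AREAS)
ADMIN_AREAS = Item("AdministrativeAreas", ROOT, level="AdminOnly")
HR_DEPT = Item("Human Resources department", ADMIN_AREAS)
LOBBY = Item("Main lobby", ROOT)

if __name__ == "__main__":
    print(group_names(["BldgA", "BldgB"], ["Admin", "Guard", "Maint"]))
    for groups, perm, item in [(["Eng"], "view", ENG_LAB), (["Eng"], "edit", ENG_LAB),
                               (["Sales"], "view", ENG_LAB), (["Sales", "Eng"], "view", ENG_LAB)]:
        print(groups, perm, item.name, allowed(groups, perm, item, GROUP_PERMS, LEVELS))
```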
How Is the Company Physically Divided? Who Are the Users? What Are the Security Levels? Setting Up web.Client in CyberStation
Main lobby East stairwell West stairwell Fitness room Human Resources department Administrative offices Engineering lab
- Common areas: Main lobby, fitness room, east stairwell, west stairwell
- Administrative areas: Human Resources department, administrative offices
- Engineering areas: Engineering lab, engineering conference room
- Sales areas: Sales offices
Since this setup requires that each delegate have different sets of permissions, it requires four security groups (one for each user / delegate). These groups will be: Admin, Eng, Sales, and IT (where the HRDel serves as the Admin delegate). Also, since only one security level can be applied per folder or object, it is recommended that you create separate security levels for each folder. This will make it easier to organize permissions specifically for the contents of the folder.
Users
- HrDel
- EngDel
- SalesDel
- ITDel
- What Are the Company Personnel Groups?
- Where Are the Company Facilities Located?
- Who Are the Users?
- What Are the Security Levels?
- Setting Up web.Client in CyberStation
- Andover personnel
- England personnel
- France personnel
- Germany personnel
- Hong Kong personnel
- Mexico personnel
EnglandAdmin
FranceAdmin
GermanyAdmin
HongKongAdmin
MexicoAdmin
Since this setup requires that each delegate have different sets of permissions, this scenario requires eight administrative groups (one for each user / delegate). These groups will be: Andover Administrator, England Administrator, France Administrator, Germany Administrator, Hong Kong Administrator, Mexico Administrator, Global Personnel Administrator, and Global Viewer. Also, since only one security level can be applied per folder or object, it is recommended to create separate security levels for each folder. This will make it easier to organize permissions specifically for the contents of the folder.
1. All Security Levels will also be unlocked for the Global Viewer with the exception that the keys (in the security settings) will be locked for the change, edit, create, and delete functions.
Personnel Folders

- AndoverPersonnel
- EnglandPersonnel
- FrancePersonnel
- GermanyPersonnel
- HongKongPersonnel
- MexicoPersonnel
- GlobalPersonnel

Area Folders

- AndoverAreas
- EnglandAreas
- GermanyAreas
- HongKongAreas
- MexicoAreas

Security Levels

- AndoverAreaSL
- EnglandAreaSL
- FranceAreaSL
- GermanyAreaSL
- HongKongAreaSL
- MexicoAreaSL
- AndoverPersonnelSL
- EnglandPersonnelSL
- FrancePersonnelSL
- GermanyPersonnelSL
- HongKongPersonnelSL
- MexicoPersonnelSL
- GlobalPersonnelSL

Users

- AndoverAdmin
- EnglandAdmin
- FranceAdmin
- GermanyAdmin
- HongKongAdmin
- MexicoAdmin
- GlobalPersonnel Admin
- Global Viewer
Appendix A
web.Client Security and Troubleshooting Tips
- Tip 1 - Ensuring Full System Access for at Least One User
- Tip 2 - Placing PIM Files in a Single Folder
- Tip 3 - Applying Security to non-web.Client Folders
- Tip 4 - Verifying DCOM Is Enabled
- Tip 5 - Enabling the Default Document
- Tip 6 - Understanding Security Ramifications for IIS Applications
- Tip 7 - Be Sure that IIS Is Installed before .NET Framework
- Tip 8 - Changing IIS / Windows Server 2003 Resource Recycle Time
- Tip 9 - Fixing a Web Location Access SOAP Error
Tips
This appendix provides some tips for keeping your web.Client system secure and for troubleshooting some common problems that may arise.
CAUTION Microsoft system experience required.
To perform the Microsoft-related procedures, you must have administrative experience using Microsoft system software and understand that there are differences in the graphical user interfaces between different Windows platforms. User-interface illustrations are not provided. Please see your Microsoft Windows online help and visit www.microsoft.com and other Microsoft web sites.
Be sure at least one user is assigned to both the first and your highest-numbered security groups. This ensures that at least one user will have full access to the system in case of an inadvertently locked action.
Create a security level at a CyberStation workstation and call it NonWebClient. Unlock permissions only for CyberStation workstation users. Keep the columns reserved for web.Client security groups locked. Apply this new security level to all folders without personnel, areas, or numerics (used by schedules).
1. From the Windows Start menu, select Run. The Run dialog appears.
2. Enter dcomcnfg. The Component Services dialog appears.
3. In the explorer tree, expand Component Services, and right click on My Computer. The My Computer Properties dialog appears.
4. Select the Default Properties tab.
5. Verify that the Enable Distributed COM on this computer checkbox is checked.
1. From the Start menu, select Settings > Control Panel.
2. From the Control Panel, select Administrative Tools. The Administrative Tools dialog appears.
3. From the Administrative Tools window, click Internet Services Manager (or Internet Information Services on Windows XP and Server 2003). The Internet Services Manager dialog appears.
4. In the left-hand explorer tree pane of the Internet Information Services dialog, expand the directories beneath the computer icon that is the name of the computer on which you are working.
5. Expand the directory name, Default Web Site. (On Windows XP and Windows Server 2003, expand Web Sites, then Default Web Sites.)

Note: There is a virtual directory under the default web site that is used for web.Client, and by default it is called WebClient. During the installation of web.Client, this directory name can be changed.

6. The WebClient Properties dialog appears.

Note: If you are unsure which directory it is, click them, one at a time, to list the

7. Select the Documents tab.
8. Ensure that the Enable Default Document checkbox is checked.
9. Click OK to close the WebClient Properties dialog and the Internet Information Services dialog.
For more information on launching OLE servers from ISAPI applications, refer to the Microsoft article on Security Ramifications for IIS Applications. This article can be found at:

http://www.microsoft.com/windows2000/en/server/iis/htm/asp/eadg4n77.htm?id=231
Refer to Chapter 2, System and Pre-Installation Requirements, and Chapter 3, Installing and Configuring web.Client on the IIS PC.
1. From the Windows Control Panel, double click and open Administrative Tools. The Administrative Tools dialog appears.
2. Double click and open Internet Information Services (IIS) Manager. The Internet Information Services (IIS) Manager dialog appears.
3. In the navigational directory, expand your local computer directory.
4. Expand the Application Pools directory.
5. Right click on DefaultAppPool, and from the popup menu, select Properties. The DefaultAppPool Properties dialog appears.
6. Select the Recycling tab.
7. Next to the Recycle worker processes (in minutes) checkbox, which should be checked, notice the field displaying the default number of minutes - 1740 minutes. This is equivalent to 29 hours.
8. To lengthen this time, use the field's up-arrow button to add minutes. (Use the down arrow to subtract minutes.)
9. Click OK.

Your resources are now automatically disconnected when this new time expires.
2. Using Wordpad as user Administrator, add the following lines to the present Web.config file:
Appendix B
web.Client Applications that Are Installed
This appendix lists the applications that web.Client installs on the client PCs and the file size of each application.
Installed Applications
The following table lists the applications that web.Client installs on the client PCs and the file size of each application.

Applications that web.Client Installs on the Client PCs

Installed Application: web.Client Utilities Control
Description: This 60 KB application configures some internal settings that are invisible to administrators and users. Required before user logs on.

Installed Application: Microsoft .NET Framework 2.0
Description: web.Client operates in a Microsoft .NET Framework 2.0 environment. The user installs .NET Framework 2.0 on the client machine when web.Client is launched for the first time. Be sure you have at least 22 MB of free disk space for .NET Framework 2.0. For more information, refer to Installing Microsoft .NET Framework 2.0.

Installed Application: Schneider Electric Video Layout Control and Microsoft .NET Framework 3.5
Description: When a user brings up a video layout in web.Client for the first time, he/she is prompted to install the Video Layout Control. As part of that installation, the user may also be prompted to install .NET Framework 3.5, which the Video Layout Control requires. The Video Layout Control and .NET Framework 3.5 make up the file WebClientVideo.cab. Be sure you have at least 72 MB of free disk space. For more information, refer to Installing the Video Layout Control and .NET Framework 3.5.

Installed Application: Adobe scalable vector graphics (SVG) viewer for graphical reports
Description: This 5 MB application allows the client to view web.Client Reports. (See the web.Client online help.)

Installed Application: web.Client Pinpoint (wPinpoint)
Description: This 4 MB application allows the client to view Pinpoint graphics through web.Client.

Installed Application: web.Client Video Control
Description: This 2 MB application allows the client to view and play back live and recorded video images through web.Client.
Appendix C
Guidelines for Upgrading to Version 1.94
Upgrade Guidelines
This appendix presents guidelines for upgrading web.Client to version 1.94. A quick procedure is provided below, but please refer back to the procedures and requirements in Chapter 2, Chapter 3, and Chapter 4. Refer also to the Andover Continuum CyberStation Installation Guide, 30-3001-720. As with any upgrade, it is good practice to ensure, before you begin, that you have a known good backup of the database.
Note: web.Client version 1.94 supports Microsoft Windows Server 2003, in addition to Windows XP Professional Workstation.
1. Upgrade your hardware security key to version 1.94.
   Depending upon the version of CyberStation you are running, you may need to update your hardware security key to version 1.94. If your CyberStation software is a pre-1.9 version (such as v1.6 or v1.81), you will have to upgrade your key to support v1.94. If you are running version 1.9 or higher, however, you will not need to update your security key; your key is already enabled to support version 1.94.

2. Perform pre-installation tasks, and ensure your system meets the minimum software and hardware requirements. (See Chapter 2, System and Pre-Installation Requirements.)

3. Reboot your PC before inserting the version 1.9 CD, and start the web.Client Install program. Perform the installation over the previous version's application. Reboot your PC, when prompted. Also refer to the procedure in Chapter 3: Installing web.Client on the IIS PC.

4. After the installation procedure is complete, and you have rebooted your machine, the database initialization procedure begins. When the Database Initialization dialog appears, select the Update Existing Database radio button to update the database.

   Note: If you do not have the database engine, SQL Express, already installed, or if you have an older version of the database engine, then SQL Express is installed for you automatically during the database initialization process.

   Refer to the procedures in Chapter 3: Initializing the Database on a LAN IIS PC and Creating and Initializing the Database on a Standalone IIS PC. See also Appendix D, SQL Express Installation Error Messages.

5.
   - Configuring Access Permissions for web.Client Users
   - Configuring Your Video Servers
   - Configuring Graphics Folders for web.Client: Windows XP and Windows Server 2003
   - Configuring Graphics Folders for web.Client: Windows Server 2008 and Windows 7
   - Configuring DCOM Default Security Settings
   - Disabling HTTP Keep-Alives
   - Establishing SSL Support for Confidential Information
   - Enabling SSL for web.Client

6. After installation is complete, and your users are ready to log onto web.Client on their client-PC browsers, follow the procedures, as needed, in Chapter 4, Testing and Installing web.Client on a Client PC. Be sure your users reboot their browser PCs before logging on to the upgraded IIS PC.
Note: During the web.Client installation, if a client machine does not already have Microsoft .NET Framework 2.0 installed, a user must install it as he/she logs on to web.Client for the first time. web.Client operates in a .NET Framework environment. When a user is logged onto web.Client and tries to bring up a video layout for the first time, he/she may be prompted to install .NET Framework 3.0 on the client machine, if it is not already installed. The web.Client Video Control requires the client machine to have .NET Framework 3.0, just as web.Client overall requires .NET Framework 2.0. For more information see Installing the Video Layout Control and .NET Framework 3.5 in Chapter 4.

.NET Framework installation typically takes several minutes. If your machine has a 9600 baud-rate modem, the process is longer. Please be patient.
Appendix D
SQL Express Installation Error Messages
Overview
This appendix provides a list of error messages that may appear if certain problems occur during the installation of the database engine, SQL Express. (SQL Express is installed or upgraded automatically on a standalone system during the Continuum database initialization process.) During SQL Express installation, one of three things is detected on your computer:
- There is no SQL Express at all. In this case, SQL Express is installed automatically.
- MSDE 2000 is already installed as the database engine. In this case, SQL Express is installed over MSDE 2000.
However, your computer is also checked for certain rare problems that could complicate SQL Express installation and/or the creation or update of the Continuum database. For example, a third-party software vendor may already be using the existing database engine. This creates license-agreement conflicts and possible performance problems. To satisfy the software license agreement, Continuum CyberStation must own the database engine. In this case, it may be necessary to create another instance of SQL Express for Continuum CyberStation and/or notify the software vendor. Using another example, the database may be configured incorrectly. In this case, it may be necessary to re-create the Continuum database during database initialization. In a few cases, it may be necessary to contact your Technical Support representative. There are many variations of these special cases. If a problem arises, you will receive an SQL Express installation error message that states the problem and provides instructions for correcting it.
We have detected an existing incorrectly configured version of SQL Express, which cannot be upgraded. Installation has been halted. Please uninstall this version manually, and rerun Continuum Database Initialization. To uninstall, go to the Windows Control Panel, open Add/Remove Programs, select "SQL Server 2005", and uninstall.
We have detected an incorrectly configured existing version of SQL Express, which Continuum is already using. Another instance of SQL Express will be installed now, and the existing Continuum database will be attached to it automatically.
We have detected an incorrectly configured existing version of SQL Express, which another software vendor is already using. According to the Microsoft license agreement, Continuum cannot use this version of SQL Express. We will now install another instance of SQL Express for Continuum. After the SQL Express instance is installed, a reboot of your computer is required. Please note the new server name, "ServerName\ContinuumSE". Each client workstation will need to have the server name adjusted accordingly to include "\ContinuumSE". For example, a server formerly named "MyServer" is now "MyServer\ContinuumSE". Please use this new SQL Express instance for Continuum only. This satisfies the conditions of the Microsoft license agreement.
We have detected that an existing version of SQL Express is already installed on your computer. However, another software vendor, in addition to Continuum, is already using this existing version. The upgrade will continue, but we recommend you notify the software vendor that it is using an SQL Express instance belonging to Continuum and suggest that the vendor create its own instance of SQL Express to avoid configuration incompatibilities, performance problems, and license-agreement conflicts.
We have detected that your Continuum database is configured incorrectly. To correct the problem, please call your Technical Support representative after the database update for further instructions.
Andover Continuum web.Client Planning and Installation Guide Document Number 30-3001-835 Version 1.94