Setting up the Windows App Client
Scenario
You want to set up and work with the Windows App client on the Desigo CC Server with local web server (IIS) or on the remote web server (IIS) hosted on the Desigo CC Client/FEP.
For working with the local Windows App client on the local web server (IIS), you can leave the web communication as Local.
For working with the remote Windows App Client, it is recommended to secure the communication between the Desigo CC Server and the remote web server (IIS).
In this workflow, Windows store based certificates are used to secure the communication between the Desigo CC Server and the remote web server (IIS).
If you are upgrading from Desigo CC V4.x (and not using a code-signing certificate in V4.x) to V5.0, you are not able to work with the Windows App Client after the upgrade. This is because, starting with Desigo CC V5.0, SMC verifies code signing for website/web application certificates. The certificate must have the code-signing feature to protect your systems from security threats and remote attacks.
For the purpose of code signing, you can use either SMC-created certificates or procure certificates from a trusted Certificate Authority (CA). The certificate can be a host certificate with a private key or a self-signed certificate. However, it is recommended to secure the communication with the self-signed certificate.
Validity of Self-Signed Certificates
Self-signed certificates allow local deployments without the overhead of obtaining commercial certificates. When using self-signed certificates, the owner of the Desigo CC system is responsible for maintaining their validity status, and for manually adding them to and removing them from the list of trusted certificates.
Self-signed certificates must only be used in accordance with local IT regulations (several CIO organizations do not allow them, and network scans will identify them). Importing the commercial certificates follows the same procedures.
You must ensure the compliant installation of the trusted material on the involved machines, for example, on all Installed Clients. In some organizations, this must be done by the IT organization.
For background information, see the reference section.
Prerequisites
- On the Server station:
- (Only applicable for Server with local web server (IIS)): IIS is installed and configured according to the OS installed (see Install IIS in Complete the Installation Planning Requirements).
- You have verified the existing Application Request Routing (ARR) installation.
- (Optional) A dedicated IIS User is created and assigned to the IIS_IUSRS Group.
- A project is created and the history database is linked to it.
- (Only applicable for Server with remote web server (IIS)): To set the Web Server Communication = Secured over CCom port.
- The Windows store based root and host certificates (used for securing CCom port) are imported in the appropriate certificate store and set as default.
- The root certificate (.cer file) of the CCom host certificate is available in the Trusted Root Certification Authorities (TRCA) store of the Local machine certificates store.
- The CCom host certificate's subject name must match the server name configured in the Client/FEP project.
- If a multi-host certificate is used as a CCom host certificate, then the Subject Alternative Name (SAN) property must contain all its possible host names.
- On the remote web server (IIS) hosted on Client/FEP station:
- The user that you are about to configure as a web application user is
- a member of the IIS_IUSRS group and
- added with Allow log on locally as service rights and
- added in the list of allowed users in the Project Shares expander of the linked Server project.
- (Only applicable when the project that you are about to link to the web application is in distribution with other projects) added in the list of allowed users in the Project Shares expander of all the systems (projects) in the distribution with system (project) linked to the web application.
- The root certificate (.cer file) of the CCom host certificate of the linked Server project is imported in the Trusted Root Certification Authorities (TRCA) store of the Local machine certificates store.
- You have stopped the Default IIS Website using SMC.
- (Only applicable for the third-party websites/web applications) You have reviewed the tips for working with the third-party websites and web applications.
- The website/web application certificate:
- (recommended) Use the default set self-signed certificate or the self-signed certificate created at the time of website/web application creation.
- The self-signed certificate is imported in the Personal, as well as the Trusted Root Certification Authorities store of Local machine certificates in the Windows Certificate store.
- If a host certificate is used as a website/web application certificate, the host (.pfx) along with its exportable Private key and its root (.cer file) are imported in the appropriate Windows Certificate store. Otherwise, a chain validity message displays.
- A host certificate is issued for the host name provided in the Host name field during website creation. Otherwise, you may encounter a Network Error (dns_unresolved_hostname).
- If a multi-host certificate is used as a website/web application certificate, then the Subject Alternative Name (SAN) property must contain all its possible host names (see Add Entries in the V3.txt File for Creating a Multihost Certificate).
- To run the Windows App client on IPv6 network enabled systems, see Configure the Web Server to Run on the Dual-Stack (IPv4 and IPv6) Network.
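The website/web application certificate prerequisites listed above can be pre-checked on the web server before the website is created. The following PowerShell is an added example, not part of the Desigo CC documentation or tooling: the thumbprint and host names are placeholders, it only reads the Local machine certificate stores, and it looks for an explicit Code Signing usage on the certificate (how SMC itself performs its verification is not described on this page).

```powershell
# Added example: read-only pre-check of a website/web application certificate.
# $Thumbprint and $HostNames are placeholders; pass your own values.
param(
    [string]$Thumbprint  = '<THUMBPRINT-OF-WEBSITE-CERTIFICATE>',
    [string[]]$HostNames = @('<host-name-entered-during-website-creation>')
)

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing

# The certificate must be in the Personal store of the Local machine.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My." }

# Explicit Code Signing usage (a certificate with no EKU extension reports False here).
$ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

# DNS names on the certificate; exact, case-insensitive match, wildcards not expanded.
$dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$missing  = @($HostNames | Where-Object { $dnsNames -notcontains $_ })

# Build the chain offline and look for its last element in Trusted Root (TRCA).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($cert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$rootTrusted = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint }).Count -gt 0

# One summary object per run; nothing is imported, changed or removed.
[pscustomobject]@{
    Subject          = $cert.Subject
    SelfSigned       = ($cert.Subject -eq $cert.Issuer)
    HasPrivateKey    = $cert.HasPrivateKey
    HasCodeSigning   = ($ekuOids -contains $codeSigningOid)
    MissingHostNames = ($missing -join ', ')
    ChainBuilds      = $chainOk
    RootInTRCA       = $rootTrusted
    ChainStatus      = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    ExpiresOn        = $cert.NotAfter
}
```

For a certificate that meets the prerequisites, HasCodeSigning, ChainBuilds and RootInTRCA are True and MissingHostNames is empty; ExpiresOn helps with the validity tracking that self-signed certificates require.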
Overview