1.6.3            Secure Your Clients

Most of the above discussions involve securing your WebAccess SCADA system from outside users.  There may also be issues asked by IT departments regarding the security of the "Client" computers that View the data from WebAccess.

Use "Trusted Sites" or Local Intranet if using Client Plug-in

The WebAccess Client Plug-in is an ActiveX control (an OCX) providing full-animation graphics. The OCX is called by an Active Server Page (ASP) downloaded from the Project Node (Web Server).  The Client Plug-in can be installed from CD-ROM or by downloading its setup file from the Project Node. The Client Plug-in reads real-time data from the SCADA node.  Graphic files are "cached" locally on the Client.  The WebAccess Plug-in only reads and writes to its subdirectories (typically C:\WebAccess\Client) created during software installation.  The OCX cannot read or write data files outside of the WebAccess Directories. The files cached on the Client come from the SCADA node(s) or Project Node(s) that the Client connects.   By limiting the SCADA nodes and Project Nodes the Client can connect, you can limit users from caching un-authorized content.

To Secure a Client with the WebAccess Plug-in

1.      Add your Project Node and SCADA node(s) addresses to the "Trusted Sites" or "Local Intranet" of Internet Explorer Security settings on all your Clients.

2.      Make the Security Setting for "Trusted Sites" or "Local Intranet" MEDIUM in Internet Explorer Security settings on all your clients.  This will allow the OCX to run. This will allow the WebAccess Client to connect to your Project and SCADA nodes.

3.      Make the Security Setting for "Internet" HIGH.  This will prevent the WebAccess Client from connecting to "other" WebAccess systems.

Thin Client

Another alternative is to use the Thin Client interface.  This is the most secure method to secure your clients.  The Thin Client interface requires no software be installed on the clients (you don't need the ActiveX control).  The Graphic files are cached as GIF(s) and JPEG(s), and then displayed through a few ASP pages.  (GIFs are used for graphics displays with less than 256 colors; JPEGs are used for displays using more than 256 colors). The Thin Client uses Static Graphic Snapshots, no animation.  The Thin Client also maintains a connection with the Project Node (Web Server) only; using the Thin Client with many users will require Windows 2000 Server,  Server 2003, Vista Business or Vista Ultimate with a large connection license.  Windows 2000 and XP Professional are limited to only 10 simultaneous connections, which may be inadequate for a Thin Client only interface to many users.

The Thin Client supports Restricted Users, General Users and Power Users.

Only Administrator or Power User can install Client Plug-in

A bane to ordinary surfers, IT departments can control which Client computers have the WebAccess Client Plug-in installed.  The Client Plug-in is an OCX. Microsoft Windows 2003, 2000, XP and Vista require Administrator or Power User privileges to install the Plug-in.  All Win 98/ME users can install the plug-in. (Note - Windows 98/ME are not officially supported by WebAccess).