Network And IT Guidance Technical Bulletin


Network and IT Guidance Technical Bulletin
Building Technologies & 2-07
Release 11.0


Contents

Document introduction
Summary of changes
Related documentation
Network and IT considerations
Computer hardware configuration requirements
Metasys device IP address assignment (DHCP or manual)
Metasys device hostname resolution (DNS or hosts file)
DNS implementation considerations
DHCP implementation considerations
Microsoft Active Directory service overview
Support for Active Directory service (including single sign-on capability)
Support for Active Directory Federation Services (including two-factor authentication capability)
Implementation considerations
Metasys Server and SCT considerations
Child device considerations
Information obtained from Active Directory services
Enabling exact or alternate UPN authentication for a Metasys Server
Enabling exact or alternate UPN authentication for SCT
Service account
User account rules
User creation and permissions
User management in Metasys UI
Syslog overview
Metasys system use of Syslog packet format
Web site caching
Microsoft Message Queuing (MSMQ) technology
Recovery
Introduction
Message queue troubleshooting
RabbitMQ technology
Recovery
Introduction
Message queue troubleshooting
Metasys system and virtual environments
Monitoring and managing (SNMP)
Time management (Simple Network Time Protocol [SNTP])
Email (SMTP)
Encrypted email
Communication to pagers, email, printer, SNMP, or Syslog destination
Remote access to the Metasys system
Metasys system architecture
Protocols, ports, and connectivity for the Metasys system
Protocols and ports tables
Connectivity and protocol diagrams
ZigBee channels
Spanning trees
Field bus considerations
Pre-boot Execution Environment (PXE)
Network reliability requirement
Metasys system security considerations
General security recommendations
Metasys access security
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
Metasys for Validated Environments (MVE)
Metasys server considerations
ADX-specific features
ADX split configuration
Metasys Network with an ADX
ADSADX log folder
Windows Internet Explorer web browser
Anti-spyware considerations
Backup considerations for the Metasys Server
Supported operating system, SQL Server software, and IIS versions
Supported network engine models and releases with security attributes
IIS anonymous access considerations (Metasys Server and SCT)
General information
Enabling and disabling anonymous access on the default web site
Databases
Microsoft SQL database considerations
Historical data storage
Data backup/restore
Site Management Portal UI
Metasys Advanced Reporting System UI
Java software and private JREs
Web browser recommendations
Launcher download options and proxy settings
Pop-up ad blockers
Sleep power option on Windows OS computers
Disabling User Account Control
Metasys dial-up networking
Metasys Application Programming Interface (API)
Network Interface Cards (NICs)
Appendix: Network and IT terminology
Active Directory Service
Active Directory Federation Services
Active Directory Service Domain/Domain Controller
Active Directory Service Schema
Demilitarized Zone (DMZ)
Domain Name System (DNS)
Dynamic Host Configuration Protocol (DHCP)
Firewall
Forest
Integrated Windows Authentication
Kerberos
Lightweight Directory Access Protocol (LDAP)
Microsoft Message Queuing (MSMQ)
Network Address Translation (NAT)
NT LAN Manager (NTLM)
Organizational Units (OU)
Point-to-Point Protocol (PPP)
RabbitMQ
Ransomware
Security Identification (SID)
Service Account in Active Directory Service
Simple Mail Transfer Protocol (SMTP)
Simple Network Management Protocol (SNMP)
Simple Network Time Protocol (SNTP)
Syslog
Transmission Control Protocol (TCP)
Transport Layer Security (TLS) and Secure Sockets Layer (SSL)
User Account in Active Directory Service
User Datagram Protocol (UDP)
Virtual Private Network (VPN)
Appendix: Microsoft Windows operating system and SQL Server software license requirements
Windows operating system license requirements
License requirements for servers and SQL Server
Purchasing and designating CALs
Licensing modes and CAL examples
ADS/ADS-Lite and non-server based OAS requirements
Microsoft SQL Server licensing requirements
Appendix: SNMP agent protocol implementation
Overview
Limitations
Metasys SNMP MIB files
Enterprise ID number
SNMP traps
Trap format
Configuring trap filtering
Agent restart trap
Alarm raised trap
Alarm clear trap
Alarm synchronization
Trap cases
SNMP Get requests
Trap examples
Appendix: Windows Server OS considerations
Administrator rights
Services
Internet Explorer enhanced security configuration
Software supported on Windows Server platforms
Configuring computer as Application server for use as ADX
Appendix: Windows Desktop OS considerations
Administrator rights
Services
Internet Explorer web browser settings
Software supported
Windows features not supported by Metasys software
Windows scheduled features
Appendix: Active Directory service
Overview
Infrastructure questions
Primary requirements
Metasys server computer
SCT computer
Client computer
Additional requirements
Appendix: Windows firewall
Configuring the Windows firewall
Closing ports
Appendix: Certificate management and security
Requesting a server certificate
Completing a server certificate request
Binding the secure certificate
Importing root and intermediate certificates
Verifying the server certificate chain
Setting the Site Security Level to Encrypted and Trusted
Changing Advanced Security Enabled to False
Removing or rebinding the secure certificate
Removing the self-signed certificates in the certificate store
Renewing an existing certificate
Requesting certificates from a third party certificate authority
Certificate management troubleshooting
Appendix: Installing antivirus software
Installing and configuring Symantec Endpoint Protection software
Installing and configuring McAfee VirusScan Enterprise software
Appendix: VPN with a Cisco Meraki MX security appliance configuration
Configuring a VPN tunnel with a Cisco Meraki MX security appliance
Configuring the modem/router into bridge mode
Product warranty
Software terms
Patents
Contact information


Document introduction

This document is intended for Building Automation System (BAS) and IT professionals. In addition to this document, the Metasys IP Networks for BACnet/IP Controllers Technical Bulletin (LIT-12012458) provides valuable guidance on the various IP networks that are available for deploying the Metasys system into a facility. Also, for updated security and product support information from Johnson Controls, refer to the following sites:

- Cyber Solutions website
- Metasys Software Security and Support Statement on the Security advisories website

Important: Engage appropriate network security professionals to ensure that the computer hosting the Site Director is a secure host for Internet access. Johnson Controls supports connecting Metasys to the Internet through a VPN only. All other methods are not secure and leave the customer vulnerable to unauthorized access. Network security is an important issue. The IT organization must approve configurations that expose networks to the Internet. Be sure to fully read and understand IT Compliance documentation for your site. Use care when performing steps on Metasys system components because restarts may be required that conflict with compliance requirements. For example, upgrading a Metasys Server requires the computer to be offline for a period of time. Similarly, installing new software on the Metasys Server, or installing some Windows operating system updates, may require a computer restart.

In this document, Metasys Server refers in general terms to the following products (unless otherwise noted):

- Application and Data Server (ADS)
- Extended Application and Data Server (ADX)
- ADS-Lite
- Open Application Server (OAS)
- Open Data Server (ODS)

In this document, network engine refers in general terms to the following engine models (unless otherwise noted):

- SNE series of Network Engines: SNE1050x, SNE1100x, SNE110Lx, and SNE2200x (where x is either 0 or 1)
- SNC series of Network Controllers: SNC1612x and SNC2515x (where x is either 0 or 1)
- Network Automation Engine (NAE): NAE85 and NAE55
- LonWorks Control Server (LCS): LCS85
- Network Automation Engine (NAE): NAE35 and NAE45
- Network Control Engine (NCE): NCE25
  Note: The NCE, NAE35 and NAE45 are supported to Release 9.x only.
- Network Integration Engine (NIE): NIE55 and NIE85
  Note: NIEx9 engines are no longer available as these integrations are now standard with NAEs and SNxs at Release 10.1.

Note: Some products in this document are available only to specific markets.

In this document, IP controllers (IP) refers in general terms to the following controllers:

- M4-CGE09090-0
- M4-CGE04060-0
- M4-CVE03050-0P
- MS-FAC4911-0
- MS-VMA1930-0

Summary of changes

The following information is new or revised:

- Removed RADIUS user account information because RADIUS servers are no longer supported at Metasys Release 11.0.
- Removed Windows 7 content because Windows 7 is no longer a supported operating system at Metasys Release 11.0. Also updated the versions of Windows 10 and Windows 8.1 that are supported.
- Removed information about BasicSysAgent (Basic Access) account as it is no longer supported from Release 11.0 and later. All users with Basic Access are converted to Standard Access users when you upgrade the archive with System Configuration Tool (SCT) Release 14.x.
- Added an Inbound/Outbound column to the Protocols and ports tables section.
- Updated the Advanced security enabled sections.
- Added a section on RabbitMQ technology.
- Added Renewing an existing certificate and Requesting certificates from a third party certificate authority to the Appendix: Certificate management and security section.
- Added Support for Active Directory Federation Services (including two-factor authentication capability), Creating an ADFS application group for Metasys, Configuring ADFS with the Metasys UI, Enabling Single Sign On with the Keep Me Signed In feature for ADFS Accounts, and Enabling ADFS Two Factor Authentication (2FA) to the Microsoft Active Directory service overview section.
- Added Active Directory Federation Services and RabbitMQ to the Appendix: Network and IT terminology section.
- Removed ODS from Table 3 in th

SNC Commissioning Guide (LIT-12013295) NIEx9 Commissioning Guide (LIT-12011922) Commissioning a network engine for secure communication LCS85 Installation and Upgrade Instructions (LIT-12011623) Commissioning a secure NAE55 (NAE-S) with embedded encryption technology (available to Johnson Controls employees only) NAE-S Commissioning Guide .
