Installing and Commissioning Metasys® Web Access Technical...

Technical BulletinIssue Date March 4, 2003

© 2003 Johnson Controls, Inc. www.johnsoncontrols.comCode No. LIT-1201162 Software Release 5.1

Installing and CommissioningMetasys® Web Access

Installing and Commissioning Metasys Web Access (MWA)............3

Introduction......................................................................................................... 3

Key Concepts...................................................................................................... 4

MWA ................................................................................................................................. 4Microsoft Terminal Services.............................................................................................. 4Microsoft Windows License Requirements ....................................................................... 5Hardware and Software Requirements ............................................................................. 6Installation Order............................................................................................................... 6Commissioning MWA........................................................................................................ 8Authentication Options ...................................................................................................... 9Metasys Person-Machine Interface (PMI) on the MWA Computer ................................. 10Metasys PMI on a Separate Computer ........................................................................... 10Special MWA Configuration for Tenant Use ................................................................... 12Automatic Log On to Windows Operating System (OS).................................................. 13M-Web Migration............................................................................................................. 13

Detailed Procedures......................................................................................... 14

Configuring Windows 2000 Server/Advanced Server for MWA ...................................... 14Installing MWA ................................................................................................................ 16Configuring the Automatic Log Off Feature..................................................................... 21Setting Up Remote Users ............................................................................................... 24Changing the Authentication Option ............................................................................... 28Changing the Picture on the MWA Logon Page ............................................................. 29Generating the Object List .............................................................................................. 30Configuring N1 Schedule ................................................................................................ 33Restricting Remote User Access to an Application......................................................... 34Enabling Automatic Log On to Windows OS................................................................... 34Migrating Existing M-Web Release 2.0 or Later Installations to MWA............................ 35

Installing and Commissioning Metasys Web Access Technical Bulletin2

Internet Access to MWA.................................................................................................. 36

Troubleshooting ............................................................................................... 39

Possible Installation Problem .......................................................................................... 39Using the M-Password Autologin Feature with MWA...................................................... 40

Installing and Commissioning Metasys Web Access Technical Bulletin 3

Installing and CommissioningMetasys Web Access (MWA)

IntroductionMetasys® Web Access (MWA) allows any authorized buildingoperator to control all day-to-day activities of the Building AutomationSystem (BAS) from anywhere using intranet or Internetcommunication infrastructure and Microsoft® Internet Explorer Webbrowser.

This document describes how to:

• configure Windows® 2000 Server/Advanced Server for MWA

• install MWA

• configure the automatic log off feature

• set up remote users

• change the authentication option

• change the picture on the MWA logon page

• generate the object list

• configure N1 Schedule

• restrict remote user access to an application

• enable automatic log on to Windows OS

• migrate existing M-Web Release 2.0 or later installations to MWA

This document also describes Internet access to MWA andtroubleshooting procedures.


Key ConceptsMWA

MWA provides Web access to M-Series component features from aWindows 2000 Server/Windows 2000 Advanced Server computer tomultiple remote users via Microsoft Internet Explorer Web browser.When you access the MWA computer remotely through a Webbrowser, MWA uses the same user interface presentation as anM5 Workstation and uses the screen manager to organize the screenspace layout.

By using Microsoft Terminal Services, each user connected to theMWA computer essentially acts as a separate M5 Workstation and canuse the M-Series applications to access data on integrated N1 andN30 networks.

Microsoft Terminal ServicesTerminal Services is a technology available with MicrosoftWindows 2000 Server and Microsoft Windows 2000 Advanced Serverthat allows remote users to create a Windows 2000 client sessionthrough Microsoft Internet Explorer Web browser. The Windows 2000client session allows the user to access the applications and resourcesof the MWA/Windows 2000 Terminal Services computer.Microsoft Terminal Services requires that you download an ActiveX®control. The ActiveX control is available from theMicrosoft Corporation. Navigate tohttp://www.microsoft.com/windows2000/downloads/recommended/TSAC/default.aspDownload and install the most recent version of the Remote DesktopWeb Connection ActiveX control into the TSWeb directory (default)before you install MWA.Depending on the MWA product option installed, Terminal Servicescan host up to 10 MWA client sessions. When a remote user isconnecting for the first time, the MWA computer automaticallyverifies that the remote computer has the correct Remote Desktop WebConnection ActiveX control. If not found, the remote user’s computerautomatically downloads the ActiveX control from the MWAcomputer.On the client computer, the control is called Microsoft RDPClient Control (redist) and exists in the following directory:C:\[Windows Directory]\Downloaded Program Files\


Note: The Netscape Navigator® browser does not support theActiveX control plug-in used with Microsoft Terminal Services.MWA client sessions are not available through Netscape NavigatorWeb browser.

Microsoft Windows License RequirementsThere are two types of licenses needed: the Windows 2000 ServerClient Access License (CAL) and the Windows 2000 TerminalServices Client Access License (TS CAL).

The MWA computer must have “Per Server” Windows 2000 ServerCALs for the number of concurrently connected users. CALs areloaded with the Windows 2000 server OS. The number of CALscontrols the number of users allowed to connect concurrently. Remoteusers can connect from any device, but only up to the number ofWindows 2000 Server standard CALs. For example, assume that youhave installed the Windows 2000 Server Operating System (OS) with5 Windows 2000 Server CALs but you have 12 users that may need toaccess the MWA. All 12 users can access the MWA server, but only5 can connect concurrently.

Note: If the MWA computer was not properly configured forPer Server configuration during Windows 2000 OS installation, youcan change it using Windows Licensing (Start > Programs >Administrative Tools > Licensing).

In addition to the standard CALs for the Windows 2000 Server OS,each client device (computer) that connects to the MWA server isrequired to have a TS CAL. TS CALs are loaded onto the Windows2000 Server Terminal Services machine (MWA server). When a newdevice connects to this server, one of these TS CALs is issued.

Accounting for issued TS CALs differs with the operating system ofthe connecting device:

• Every device with a Windows 98 OS, Windows NT® OS, orWindows XP Home Edition OS uses one of the allocatedTS CALs.

• Devices with a Windows 2000 Professional OS or WindowsXP Professional OS do not get counted as using a TS CAL.

Terminal Services License ServerThe appropriate number of CAL and TS CAL licenses for thecustomer’s site must be purchased from the Microsoft Corporation.Once you have purchased the Terminal Server License from theMicrosoft Corporation, refer to Microsoft Knowledge Base Articlenumber 237811 to activate the Terminal Services License Server andInstall CALs over the Internet.


Note: There are four ways to Activate the Terminal ServicesLicense Server. Please refer to the Microsoft Knowledge Base or to theMicrosoft Windows Server OS documentation for other methods.

Hardware and Software RequirementsFor hardware and software requirements, please seeMetasys Installation and Platform Requirements Technical Bulletin(LIT-12012).

Installation OrderDepending upon whether an N1 network or an N30 network needs tobe integrated, the order in which you install the software componentsmay be slightly different. Figure 1 shows the order in which you installthe software components on a Windows 2000 Server/Advanced Servercomputer.

Note: Do not install M3 or M5 Workstation software separately onthe hardware platform that runs MWA software. M3 and M5Workstation software do not support the Windows 2000Server/Advanced Server operating system. Make sure that you have aseparate M3 Workstation connected to the N30 network, or a separateM5 Workstation connected to the N1 or N30 network for performingany network configuration activities.


Install Metasys PMI (2)

Install Internet Information Server (IIS)

Install Microsoft Terminal Services

Download Remote Desktop WebConnection ActiveX Control from Microsoft

Web site (1)

Install Microsoft Terminal ServicesLicensing

Install Metasys Web Access

Windows 2000Server/Advanced Server

with Per Server Windows CALconfiguration

Activate Terminal Services Licenses (3)

MWA-install

BACnetTM Network

N1 Network

(1) Refer to Microsoft Terminal Services in this document.

(2) If Metasys PMI is installed on a separate computer, do not installMetasys PMI on the MWA computer.

(3) Refer to Microsoft Windows License Requirements in thisdocument.

Figure 1: Metasys Web Access Installation ProcedureFor any application installed (except MWA) after Microsoft TerminalServices, you must start the installations from the Windows OSStart menu at Settings > Control Panel > Add/Remove programs.


Commissioning MWAOnce MWA is installed on the computer, complete the activities listedin Table 1 before a remote user logs on.

Table 1: Commissioning MWAActivity Description Refer ToConfigure the Automatic LogOff Feature

Allows MWA to automaticallyterminate connections if the userdoes not log off correctly.

Configuring the Automatic Log OffFeature in this document

Set Up Remote Users Create all remote users and setuser permissions.

Setting Up Remote Users in thisdocument

Authorize MWA Software Use M-Authorize to authorize allM-Series software on thecomputer.

Using M-Authorize Technical Bulletin(LIT-6424400)

Set Up M-Password Create M-Password profiles for allMWA users.Open and Save the M-Passworddatabase file to the local drive.Limit M-Password configuration toone administrator(recommendation).

M-Password Technical Bulletin(LIT-1153150) and M-PasswordApplication Actions Technical Bulletin(LIT-1153175)

Configure Trend Collectors Configure N1 Trend Collector andM-Collector.

M5 Workstation User’s Guide andUsing M-Collector Technical Bulletin(LIT-1153700)

Configure OLE for ProcessControl (OPC) Servers

Configure BACnet OPC DataAccess Server, BACnet OPC Alarmand Event Server, N1 OPC DataAccess Server, and the N1 OPCAlarm and Event Server.

Using M-Alarm with theBACnet OPC AE Server(LIT-11537540), Appendix A: N1OPC Data Access Server TechnicalBulletin (LIT-643300), and UsingM-Alarm with the N1 OPC AE Server(LIT-11537535)

Generate the Object List Use the N1 OPC DA Configuratorto generate the Metasys N1 objectlist.

Generating the Object List in thisdocument

Configure M-Alarm Logger Use the Logger Configurator toconfigure the M-Alarm Logger.

Configuring the Logger(LIT-11537525) chapter of theM-Alarm User’s Guide

Configure N1 Schedule Use the N1 Schedule Configuratorto configure N1 Schedule.

Configuring N1 Schedule in thisdocument

Configure Metasys OperatorWorkstation (OWS)

Create and compile Data DefinitionLanguages (DDLs) and downloadthem to the N1 network.

Operator Workstation TechnicalBulletin (LIT-636013)

Configure M-Graphics Configure M-Graphics on the MWAcomputer.

M-Graphics User’s Manual

Configure M-Trend Configure M-Trend on the MWAcomputer.

M-Trend User’s Manual

Change Default MWA Page Change the picture on the MWAlogon page (optional).

Changing the Picture on the MWALogon Page in this document

Restrict Remote UserAccess to Applications

Restrict remote user access to theMetasys Historical DataVisualization (MHDV) Configuratorand any other applications installedafter MWA software.

Restricting Remote User Access toan Application in this document


Authentication OptionsMWA provides remote users with two types of Windows 2000 OSauthentication: with and without Windows 2000 User Authentication.The authentication type you select applies to all users.

Connection with Windows 2000 User Authentication(Recommended, Default with MWA Installation)A remote user connecting to MWA needs to log on to aWindows 2000 Server. This connection type sets up individual remoteuser names for each remote user accessing MWA. Use M-Password asan additional level of security to control access to M-Seriescomponents.

Connection without Windows 2000 User AuthenticationA remote user with preexisting authentication (for example,Novell® NetWare Services) does not need to log on to Windows 2000Server/Advanced Server when connecting to the MWA computer. Thisconnection type sets up a single user name and all remote users usethat name to log on to MWA. Use M-Password as an additional levelof security to control access to M-Series components.

M-Password supports auto logon to M-Password from theWindows 2000 Server/Advanced Server logon. Refer to Auto Logon toSecurity Server from Windows NT Logon in the M-PasswordTechnical Bulletin (LIT-1153150).

Note: Auto Logon to security server requires a Windows 2000domain controller User ID. The MWA server cannot be used as aWindows 2000 domain controller. The MWA server should be a partof another domain to get Auto Logon implemented.

To use the auto logon feature with the Metasys Operator Workstation(OWS), refer to Appendix C: Metasys OWS AutoLogin (LIT-1153894).


Metasys Person-Machine Interface (PMI) on the MWA ComputerMetasys PMI is not available for MWA remote users and is onlyavailable for MWA local users if it is installed on the same computeras MWA. Windows 2000 Server/Advanced Server with TerminalServices installed only allows a user to run one instance of a 16-bitapplication, and thus Metasys PMI is limited to the local user.

Metasys PMI requires a user to be logged on to the Windows OS forproper data exchange with MWA. If Metasys PMI software and MWAreside on the same computer, a Windows OS local user must be loggedon to the MWA computer to provide Metasys N1 network data toremote MWA users. To avoid keeping a local Windows OS userlogged on to the MWA computer, MWA can be set up to communicatewith a separate computer on the network that is running MetasysOWS.

Note: To get data from the N1 Trend Collector to the Point Historytab of M-Explorer, you must set the Enable Point History and SavePoint History flags in PMI software.

Metasys PMI on a Separate ComputerA user must be logged on to the Windows OS where the MetasysOWS is installed for MWA to get data from the Metasys N1 network.If Metasys PMI and MWA reside on the same computer, a WindowsOS local user must be logged on to the MWA computer to provideMetasys N1 network data to remote MWA users. To avoid keeping alocal Windows OS user logged on to the MWA computer, MWA canbe set up to communicate with a separate computer on the network thatis running Metasys OWS.

To communicate with the Metasys OWS on a separate computer, usethe network address of the Metasys OWS to reconfigure the followingapplications:

• N1 OPC Data Access Server (DAS)

• N1 OPC Alarm and Event (AE) server

• N1 Schedule

The Metasys OWS must be running the application called Metahost.Metahost.exe should be configured to run on startup when the MetasysOWS starts on a separate computer.

With this configuration, Metasys PMI is unavailable to the local MWAuser since Metasys PMI is not operating on the same computer asMWA. The Metasys OWS computer’s Internet Protocol (IP) addressmust be used to configure the OPC servers for the N1 network.


For trend collection with Metasys PMI on a separate computer, theN1 Trend Collector runs on the same computer as Metasys PMI.

Note: To get data from the N1 Trend Collector to the Point Historytab of M-Explorer, you must set the Enable Point History and SavePoint History flags in PMI software.

Use the MWA Installation CD-ROM to install N1 Trend Collector onthis computer. From Windows Add/Remove Programs, choose AddNew Programs and navigate to M5 > M5 Workstation > setup.exe onthe MWA CD-ROM. Perform a custom M5 installation and select thefollowing components:

• Johnson Controls® Access Historian

• Johnson Controls M-Authorize

• Johnson Controls M-Password

• Johnson Controls N1 Trend Collector Release

Refer to the M5 Workstation Installation Technical Bulletin(LIT-1153300) for details.

Note: You do not need to activate temporary authorization for thiscomputer with M-Authorize. If the temporary authorization is alreadyactivated, you can ignore it until it expires or remove the temporarylicense using M-Authorize.

When N1 Trend Collector is running on the separate computer withMetasys PMI, you need to configure N1 Trend Collector to write thedatabase file (Trenddb.mdb) to the MWA computer.

On the MWA computer, create a folder to share (for example,AccessHistorianData) and set the folder file sharing properties to allowthe MWA Terminal Server Group access to the folder.

On the computer running Metasys PMI, map the folder (in this case,AccessHistorianData) as a network drive. Use the Data Sources OpenDatabase Connectivity (ODBC) administrative tool to select the drive(mapped folder) and set the database file (Trenddb.mdb) as an AccessHistorian Data Source.

N1 Trend Collector now writes to the folder on the MWA computer.

Note: This N1 Trend Collector configuration on a firewall requiresPort 445 to be open. Consult with the customer’s InformationTechnology (IT) staff before configuring N1 Trend Collector on aMetasys PMI computer.


Special MWA Configuration for Tenant UseYou can also configure MWA for an occupant/tenant user applicationthat allows an occupant to control his or her own environment. Thisspecial configuration allows the user to access one single M-Graphicsdisplay that shows his or her personal environment.

To configure MWA for this tenant user application (only if MWAsoftware is installed on the same computer as PMI software), followthese guidelines:

1. Remove the M5 startup shortcut from the all-users startup menu onthe MWA server computer.

2. On the MWA server computer, create one local user account andactivate auto logon for this user so that the computer starts upautomatically after a reboot.

Note: This user must have Power User or Administrator privileges.

3. Insert an M5 shortcut into the Start menu for the local auto loginuser created in Step 2. This step allows the MWA server to startautomatically in the local session.

Note: You do not have to insert an M5 shortcut for all tenant users.This only needs to be done for the auto logon user created inStep 2. The reason for creating this local user is to make sure that PMIsoftware starts automatically after a reboot and provides data to theOPC DA Server, at the time when M-Graphics starts the OPC DAServer.

4. Create all of the terminal MWA users.

5. Place a shortcut in the Start menu of all the terminal server userswhich points to the graphic for that particular user (for example,C:\Documents and Settings\All Users\ApplicationData\Johnson Controls\M-Data\M-Graphics\room101.gdf).

Note: To ensure that M-Graphics starts automatically in runtimemode, either select Start in Runtime Mode from the applicationpreferences of M-Graphics, or configure the shortcut so that it startsthe application in runtime mode (for example,

“C:\Program Files\Johnson Controls\M-Graphics\gwx32.exe"- runtime "C:\Documents and Settings\All Users\ApplicationData\Johnson-Controls\M-Data\M-Graphics\room101.gdf")

6. Limit each users access to the Windows desktop using theWindows policy editor.


Note: If a large number of users is going to access the server(expected in a tenant application), it is also a good idea to limit theconnection time of each terminal server user to 3 to 5 minutes. Otherusers cannot access the server if multiple users have not logged offafter accessing the server.

Automatic Log On to Windows Operating System (OS)When MWA and Metasys PMI software reside on the same computer,you can configure a user to log on to the Windows 2000Server/Advanced Server OS automatically by editing the registrydatabase. With this configuration, Windows OS starts and does notprompt you for the password. This configuration allows the server toreboot without anyone being present (for example, after a powerfailure during the night) and is important in situations where trend datais critical.

Refer to Enabling Automatic Log On to Windows OS in this document.

IMPORTANT: The Automatic Log On feature may pose a security risk. If youset a computer for automatic log on, anyone who can physically obtainaccess to the computer can gain access to all of the computer contents,including any network or networks to which it is connected. In addition, whenautomatic log on is enabled, the password is stored in the registry in plaintext. The specific registry key that stores this value is remotely readable bythe Authenticated Users group. This setting is only recommended for caseswhere the computer is physically secured and steps have been taken toensure that unauthorized users cannot remotely access the registry.

M-Web MigrationMWA provides a functional replacement for M-Web. MWA may beable to reuse existing graphics (.gdf) and trend (.htv) files. TheM-Graphics animation limitations imposed by M-Web are removed byMWA. You can now enhance the existing M-Web based M-Graphicsfiles to use the full functionality of M-Graphics.

With MWA:

• M-Explorer provides navigation and object level summary similarto the M-Web summary features. M-Web customized summaryfeature is not supported by MWA.

• M-Password replaces the M-Web password feature.

• Screen manager replaces M-Web graphics links.

Migrating existing M-Web installations to MWA is a manual processthat you do before you install MWA. Refer to the procedure MigratingExisting M-Web Release 2.0 or Later Installations to MWA in thisdocument.


Detailed ProceduresConfiguring Windows 2000 Server/Advanced Server for MWA

To configure Windows 2000 Server/Advanced Server for MWA:

Information Technology (IT) RequirementsBefore installing Windows 2000 OS, get the information listed inTable 2 from your IT department.

Table 2: IT RequirementsRequirement DescriptionStatic Internet Provider (IP) Address*Subnet Mask*Default Gateway*

The network location of the computeryou are setting up

Domain or Workgroup Name* The name of the workgroup or domainwhere you are installing the newcomputer

Place Server on Domain Only the Network Administrator can adda server to a domain (domain usersonly).

* Required during Windows 2000 Server/Advanced Server installation

Set Up WindowsInstall Windows 2000 Server or Windows 2000 Advanced Server withthe components listed in Table 3.

During Windows 2000 Server/Advanced Server installation, set thelicensing mode to Per Server and set the minimum number ofWindows Client Access Licenses equal to the number of MWA remoteusers.

For an example of a typical installation procedure, refer toAppendix A: Metasys Web Access (MWA) Server InstallationGuidelines (LIT-1201590).


Table 3: Windows 2000 Server/Advanced Server ComponentsComponent DescriptionMWA Must Have:

NTFS File System Allows MWA to control user access todirectories, applications, and individualfiles.MWA installation requires that the C: drivehas NTFS.

Service Pack 2 Provides bug fixes and security updatesfor the OS. Available from MicrosoftCorporation.

Application Server* Set at the Terminal Services Setup screenduring the installation. Allows multipleconnections to Windows 2000 TerminalServices.

Networking Services* Installs Networking Services.IIS* Installs IIS.Terminal Services* Installs Windows 2000 Terminal Services

technology.Terminal Services Licensing* Installs the Windows 2000 Terminal

Services Licensing program.MWA Cannot Have

Certificate Services* Does not allow necessary ApplicationServer mode.

Cluster Services* Does not allow more than three remoteconnections to Terminal Services.

* Indicates the components can be added or changed after Windows 2000Server/Advanced Server installation.

IMPORTANT: The Microsoft Corporation has issued two security patches,MS02-46 and MS02-47, that affect MWA. MWA users should download andinstall these two patches.

MWA users should download and install the MS02-46 and MS02-47Microsoft Security patch immediately from the following addresses:

• http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-046.asp

• http://www.microsoft.com/technet/treeview1/default.asp?url=/technet/security/bulletin/MS02-047.asp


Table 4: Terminal Services SetupOption DescriptionApplication Server Do not select the default remote

Administration setting.Permissions Compatible withTerminal Server 4.0 Users

Select Permissions Compatible withTerminal Server 4.0 Users instead ofPermissions compatible with Windows2000 Users, recommended.

Your domain or workgroup Keep the default location.

Installing MWANotes: Install Internet Information Server (IIS) and MicrosoftWindows 2000 Terminal Server software before installing MWA.

Download and install the most recent version of the Remote DesktopWeb Connection ActiveX control from the Microsoft Web site beforeyou install MWA(http://www.microsoft.com/windows2000/downloads/recommended/TSAC/default.asp).

To install MWA:

1. Insert the MWA CD-ROM.

Note: If autorun is disabled, browse to MWA_Setup.exe anddouble-click it. The Welcome dialog box appears.

The install verifies that M-Series software components are installed.The install then launches the M5 Workstation installation includedwith MWA. Refer to M5 Workstation Installation Technical Bulletin(LIT-1153300) for details. Table 5 lists the M5 Install types andcomponents required for MWA.

Continue to Step 2 when the M5 installation is complete.

Table 5: M5 Install TypesInstall Type Available ComponentsTypical (recommended) No manual selectionsCustom N1 Network M5 Master, screen manager, M-Authorize,

M-Password, Metasys PMI, N1 OPC DA and Alarmand Event (AE) servers

Custom N30 Network M5 Master, screen manager, M-Authorize,M-Password, BN OPC DA and AE servers

IMPORTANT: Do not install M5 Workstation software directly from theMWA CD. The MWA installation sequence installs the necessary M-Seriessoftware. If, for any reason, you install M5 Workstation on the MWA Servercomputer after the MWA software, re-install MWA after the M5 Workstationinstallation for MWA to configure the system correctly.

2. Click Next. The Software License Agreement dialog box appears.


3. Click Yes to accept the terms of the License Agreement. TheChoose Destination Location dialog box appears (Figure 2).

Figure 2: Choose Destination Location Dialog Box4. Verify that the destination is in C:\Inetpub\wwwroot and click

Next. The Configure Virtual Directory dialog box appears(Figure 3).


Figure 3: Configure Virtual Directory Dialog Box5. Specify the name of the virtual directory in the Directory Name

field (for example, type MWA) and click Next. The Select DomainUser dialog box appears (Figure 4).

Note: The virtual directory is the name that remote users use toconnect to the MWA.


Figure 4: Select Domain User Dialog Box6. Enter an existing Username, Password, and Confirm Password.

If the user you entered already exists, the Start Copying Filesdialog box appears (Figure 6).

If you enter a name that does not exist, the Create User Accountdialog box appears (Figure 5) to create the administrator youentered. Click Yes. The Start Copying Files dialog box appears(Figure 6).

Note: Windows 2000 Server policies introduced by your ITdepartment may not allow you to create the user here. If not, the MWAinstallation displays an error code for your IT department to see thepolicy that is not allowing MWA to create the user. Work with your ITdepartment to resolve policy issues.

Figure 5: Create User Account Dialog Box


Figure 6: Start Copying Files Dialog Box7. Confirm the current settings and click Next to begin installation or

click Back to change any of the selected settings. When theinstallation finishes, the Terminal Services Client dialog boxappears and asks if you want to read the Release Notes.

8. Click Yes or No. The Setup Complete dialog box appears and asksif you want to restart the computer.


Figure 7: Setup Complete Dialog Box9. Select Yes, I want to restart my computer now and click Finish.

Configuring the Automatic Log Off FeatureNote: If a remote user does not log off correctly (for example, ifthe user closes their Web browser before logging off), the session staysactive on the MWA computer. The automatic log off feature ends thesession if the user does not log off correctly.

To configure the automatic log off feature:

1. On the task bar, click the Start button and select Programs >Administrative Tools > Terminal Services Configuration. TheTerminal Services Configuration explorer window appears(Figure 8).


Figure 8: Terminal Services Configuration Explorer Window2. Select Connections in the left pane.

3. Double-click RDP-Tcp in the right pane. The RDP-Tcp Propertiesdialog box appears.

4. Click the Sessions tab (Figure 9).


Figure 9: RDP-Tcp Properties Dialog Box – Sessions Tab5. Select the first Override user settings and set options according to

Table 6.

Table 6: Session Dialog Box OptionsField DescriptionEnd a Disconnected Session Terminates a session if the user closes the

Web browser.Active Session Limit Sets a time limit that a user can stay

connected and terminates the session afterthat time.

Idle Session Limit Terminates a session if the user is inactivefor a certain amount of time.

6. Select the second Override user settings and select End session.

7. Click OK.


Setting Up Remote UsersNotes: Repeat Creating a New User and Setting User PermissionsSections for each MWA remote user.

The MWA computer cannot be used as a domain controller.

Creating a New UserTo create a new user:

1. On the Windows Start menu, click Programs > AdministrativeTools > Computer Management. The Computer Managementexplorer window appears (Figure 10).

Figure 10: Computer Management Explorer Window2. Click Local Users and Groups in the left pane of the Computer

Management explorer window.

3. Double-click Users in the right pane.

4. Click Action > New User . . . The New User dialog box appears(Figure 11).


Figure 11: New User Dialog Box5. Fill in the fields with the new user information and password

settings.

6. Click Create. The dialog box resets for another new user.

7. Click Close or return to Step 5.

Setting User PermissionsTo set user permissions:

1. In the right pane of the Computer Management dialog box(Figure 10), select a user.

2. Right-click on the User and select Properties from the pop-upmenu. The User Properties dialog box appears with the user namein the upper left hand corner (Figure 12).


Figure 12: User Properties Dialog Box3. On the Member Of tab, click Add . . . The Select Groups dialog

box appears (Figure 13).


Figure 13: Select Groups Dialog Box4. Select MWA Terminal Server Group and click Add.

5. Select Power Users and click Add.

6. Click OK.


Changing the Authentication OptionTo change the authentication option:

1. On the task bar, click the Start button and select Programs >Administrative Tools > Terminal Services Configuration. TheTerminal Services Connection explorer window appears.

2. Select Connections in the left pane.

3. Double-click RDP-Tcp in the right pane. The RDP-Tcp Propertiesdialog box appears.

4. Click the Logon Settings tab (Figure 14).

Figure 14: RDP-Tcp Properties – Logon Settings Tab5. Set RDP-Tcp options depending on your connection type

according to Table 7.


Table 7: Connection Type SettingsConnection Type SettingWith Windows 2000User Authentication*

Select Use client-provided logon information.Select Always Prompt for Password.

Without Windows 2000User Authentication

Select Always use the following logon information:Complete the User name and Domain fields.**Select Always prompt for password.

* Default and recommended** Every user must log on using this name.

6. Click OK.

7. Close the Terminal Services Connection explorer window.

Changing the Picture on the MWA Logon PageTo change the picture on the MWA logon page:

1. Create a 4 in. x 4 in. picture.

2. Save the picture with the name customer.jpg

3. Move the file to the MWA virtual directory (for examplec:\Inetpub\wwwroot\MWA).

The picture file appears on the MWA logon page (Figure 15).

Figure 15: Location of customer.jpg Picture


Generating the Object ListNote: Before you can use the N1 OPC Configurator to generate theobject list, the Global and NC DDL files must already exist. MWAuses the files from the configured Metasys PMI software. Before youcan use these DDL files, you must compile them first without errors.

To generate the object list:

1. Close all programs, including the M5 screen manager.

2. On the Start menu, select Programs > Johnson Controls >N1 OPC DA Server > N1 OPC DA Configurator. The N1 OPCConfigurator program appears (Figure 16).

Figure 16: N1 OPC Configurator Program3. On the Tools menu, select Generate Object list. The Generate

Object List dialog box appears (Figure 17).


Figure 17: Generate Object List Dialog Box4. Click Browse. The Open dialog box appears (Figure 18).

Note: If MWA accesses Metasys PMI on a remote machine, youneed to copy all the DDL files to MWA local drive to generate objectlist.


Figure 18: Open Dialog Box5. Navigate to and select the Global DDL file and click Open. The

path appears in the Select DDL File field (Figure 19).

Figure 19: Generate Object List Dialog Box Showing Global DDL File


6. Click Add. The path appears in the Global File Name section.

7. In the NC File Name section, click Browse. The Open dialog boxappears.

8. Navigate to and select the NC DDL file(s) and click Open.

Note: Select all NC DDL files associated with the global DDL file.

9. Click Add and the file names appear in the NC File Name section.

10. Click OK. If a database already exists, the N1OPCConfiguratordialog box appears (Figure 20). If not, skip Step 11 and theN1OPCConfigurator program appears.

Figure 20: N1OPCConfigurator Dialog BoxNote: When configuring multiple networks, click No for the firstnetwork to start a new object list. For all subsequent networks, clickYes to add all of the networks together into the same object list. TheN1 OPC Configurator program appears.

Configuring N1 ScheduleTo configure N1 Schedule:

Note: The N1 Schedule OCX provides access to N1 Schedulesresiding in NCMs.

1. On the Windows Start menu, click Programs > Johnson Controls >N1 Schedule > N1 Schedule Configurator. The N1 ScheduleConfigurator appears (Figure 21).

Figure 21: N1 Schedule Configurator2. Complete the IP Address and Timeout fields.


3. Click OK.

Restricting Remote User Access to an ApplicationNote: Use this procedure to limit remote user access to anyapplication installed on the MWA computer after the MWA softwareis installed (for example, MHDV configurator).

To restrict remote user access to an application:

1. Use Windows Explorer and browse to the executable file (.exe) ofthe application.

2. Right-click and select Properties from the pop-up menu.

3. On the Security tab, remove MWA Terminal Server Group,Terminal Server User, and Users groups from the list of allowedgroups.

4. Click OK.

Enabling Automatic Log On to Windows OSIMPORTANT: The registry contains system configuration information. Useextreme caution when using the registry editor.

IMPORTANT: This setting is only recommended for cases where thecomputer is physically secured, and steps have been taken to ensure thatunauthorized users cannot remotely access the registry.

To enable automatic log on to Windows OS:

1. Start Regedt32.exe, and then locate the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon

2. Using your account name and password, double-click theDefaultUserName entry, type your user name, and then click OK.

3. Double-click the DefaultPassword entry, type your password, andthen click OK.

Note: If the DefaultPassword value does not exist, perform thefollowing steps:

a. On the Edit menu, click Add Value.

b. In the Value Name box, type DefaultPassword, and selectREG_SZ for the Data Type.


c. Type your password in the String box. Save your changes.

d. Also, if no DefaultPassword string is specified, Windows OSautomatically changes the value of the AutoAdminLogon keyfrom 1 (true) to 0 (false), which disables the AutoAdminLogonfeature.

4. On the Edit menu, click Add Value, enter AutoAdminLogon inthe Value Name box, and select REG_SZ for the Data Type.

5. Type 1 in the String box. Save your changes.

6. Quit Regedt32.

7. Click Start, click Shutdown, and then click OK to turn off yourcomputer. When you restart the computer, it logs on to theWindows OS automatically.

Note: To bypass the AutoAdminLogon process and to log on as adifferent user, hold down the SHIFT key after you log off or afterWindows OS restarts.

Migrating Existing M-Web Release 2.0 or Later Installations to MWATo migrate existing M-Web Release 2.0 or later installations to MWA:

1. Copy the files and folders listed in Table 8 onto a network drive ora CD-ROM.

Table 8: M-Web Files and DirectoriesFiles or Folders Default Location ContentsM-Graphics Folder C:\Documents and Settings\All Users\

Application Data\Johnson Controls\M-DataCopy all .gdf files.Copy any saved/editedfiles in subfolders. Do notinclude subfolders - MWAinstalls the latest samplefiles. Any customercreated subfolders shouldbe copied.

M-Trend Folder C:\Documents and Settings\All Users\Application Data\Johnson Controls\M-Data

Copy all .htv files.Copy any saved/editedfiles in subfolders. Do notinclude subfolders - MWAinstalls the latest samplefiles. Any customercreated subfolders shouldbe copied.

Access Historian Database C:\Documents and Settings\All Users\Application Data\Johnson Controls\M-Data\Access Historian\Active Database

Copy all .mdb files.

M-Web Sample GraphicsFolder

C:\Documents and Settings\All Users\Application Data\Johnson Controls\M-Data

Copy any saved/edited.gdf files.

Continued on next page. . .


Files or Folders (Cont.) Default Location ContentsN1 OPC DA Server C:\Documents and Settings\All Users\

Application Data\Johnson Controls\M-DataC:\program files\Johnson Controls\N1OPC (M-Web Release 2.0)

N1 OPC DA Server folder

gdf files All customer createdM-Graphics files in otherlocations

htv files All customer createdM-Trend files in otherlocations

M-Web Folder* C:\Inetpub\wwwroot\M-Webx.x M-Web database files* Copy for your reference. Do not restore to the MWA computer.

2. Install MWA.

3. Restore the files and folders onto the computer runningWindows 2000 Server/Advanced Server with MWA.

4. Navigate through all M-Graphics displays to confirm that theywork correctly.

Note: Refer to the M-Graphics User’s Manual.

5. Verify that archived trend is properly restored on the MWAcomputer.

• If M-Web used AspenTech® InfoPlus.21® Historian,reconfigure M-Trend to connect to Access Historian.

Notes: Refer to Appendix A: Adding Database Connections(LIT-6450070).

M-Trend in MWA does not retrieve existing data fromAspenTech InfoPlus.21 Historian.

• If M-Web used Access Historian, open the M-Trend databasefiles (.htv) to confirm that M-Trend is retrieving data.

Internet Access to MWANetwork security issues make connecting to MWA over the Internet aspecial concern. This section is used to convey possible security risksto the IT department. This section only applies to situations whereremote users are connecting to the MWA computer from somewhereon the Internet.

There are two recommended approaches to connect to MWA from theInternet: use a Virtual Private Network (VPN) or use a firewall.


! CAUTION: Risk of Equipment Damage or Data Loss.Network Security is an important issue. Configurations that expose thecustomer networks to the Internet need to be approved by your customer’sIT department.

Internet Access to MWA using a VPNThe simplest method of connecting to MWA from the Internet is to usea VPN (Figure 22). If a VPN already exists, the risks and securityconcerns have already been established.

The system would act as though the remote users were on the companyintranet.

mwa-vpn

MWA Remote User 1

MWA Remote User 10

VPN Router

MWA Computer

VPN Tunnel

Internet

MWA Remote User 2 intranet

BAS Network

Figure 22: MWA Internet Communication via VPN

Internet Access to MWA using a FirewallYou can connect to MWA from the Internet using a firewall(Figure 23). A firewall is a combination of hardware and software thatprovides a security system to prevent unauthorized access from theInternet to the intranet. Demilitarized Zone (DMZ) is a term referringto the portion of a network located between the Internet and theintranet. It is a buffered area that is usually protected by one or morefirewalls.

Because a local user cannot stay logged on, M-Trend is not availablewith this configuration.


Internet

MWA-firewall

MWA Computer

MWA Remote User 1

MWA Remote User 2

Firewall

MetasysOWS

Inbound Port 24688from MWA server to OWS

Inbound ports 80 and 3389from Internet and Local Area

Network (LAN) to MWA

MWA Remote User 10

DMZ

N1 Network

Figure 23: MWA Internet Communication via FirewallNetwork Security RisksMWA communicates with the Metasys OWS using Port 24688,leaving your network exposed to the Internet on this port.

Mitigating FactorsConsider the following:

• Use firewalls to isolate MWA from the intranet. Close inboundPorts 3389 and 445 to the intranet.

• Set up two firewalls to semi-separate the Metasys OWS from theintranet. A semi-separate Metasys OWS provides another set of logfiles and controls traffic better.

• Set up an Intrusion Detection System (IDS) to monitor the serversand detect changes to the system.

• Restrict the IP addresses that can access the MWA system.

• Use strong encryption for the terminal session when connecting tothe MWA server.

• Do not use the administrative ID (or any ID with administrativerights) to access the system from the Internet.


TroubleshootingPossible Installation Problem

ProblemNew installation of MWA software installs incorrect OPC ServerSubscription information.

SymptomAfter performing a new install of an M5 Workstation, or MWAsoftware, and running the Alarm Logger Configurator, click the EditSubscription button. If Iconics servers are shown rather thanJohnson Controls servers (Figure 24), then the wrong OPC ServerSubscription information has been installed.

Figure 24: Subscription Properties Showing Iconics Servers

SolutionThe default logger configuration file (awxlog32.mdb) needs to bereplaced.


To replace the Default Logger Configuration file:

Note: The following operation needs to be performed in both theEmpty Database folder and the Active Database folder. Both foldersare in the c:\Documents and Settings\All Users\ApplicationData\Johnson Controls\M-Data\M-Alarm\ folder.

1. Open Windows Explorer.

2. Navigate to and open the Empty Database folder in theC:\Documents and Settings\All Users\Application Data\JohnsonControls\M-Data\M-Alarm\ folder.

3. Right-click the awxlog32.mdb file and select Rename.

4. Rename the file oldawxlog32.mdb.

5. Press the Enter key.

6. Right-click the n1aegeneventlog.mdb file and select Rename.

7. Rename the file awxlog32.mdb.

8. Press the Enter key.

9. While still in the c:\Documents and Settings\All Users\ApplicationData\Johnson Controls\M-Data\M-Alarm\ folder, navigate to andopen the Active Database folder.

10. Repeat Steps 3 through 8.

11. Restart the MWA software.

Using the M-Password Autologin Feature with MWAProblemThe MWA Autologin feature for M-Password requires the login UserID from a Windows NT/Windows 2000 Domain Controller. WhenWindows 2000 Server/Advance Server OS is converted to a domaincontroller, it removes the Power User group from ComputerManagement/Local Users and Groups to increase the security of thedomain controller. However, since the MWA application requires theremote user to have Power User group privileges, this issue impactsthe MWA system security design and the use of the M-PasswordAutologin feature for MWA.

SolutionThe power users group only exists on computers in a workgroup andM-Password Autologin only works using a domain controller. Use thefollowing solution to restore the M-Password Autologin featurecapability for MWA:


Add the MWA-based Windows 2000 Server to another domaincontroller. This action allows the MWA-based Windows 2000 Serverto log on to another domain controller and keep the Power User groupprivileges available on the local machine for MWA components.

When defining MWA remote users on the domain controller, add thelocal Power Users group and MWA Terminal Server Group to theDomain Users group.

Note: This solution may introduce Domain Name System (DNS)and machine name resolution error messages. Contact IT support ofthe site for assistance or if you are unfamiliar with domain controllers.

Controls Group507 E. Michigan StreetP.O. Box 423 www.johnsoncontrols.comMilwaukee, WI 53201 Published in U.S.A.

Installing and Commissioning Metasys® Web Access Technical...

Documents

Transcript of Installing and Commissioning Metasys® Web Access Technical...