enteliWEB v4.0 Deployment Planning Guide
Edition 1.2
Introduction
About This Document
Delta Controls has written this Deployment Planning Guide to provide guidance on planning a deployment of enteliWEB version 4.0.
It encompasses these topics: recommended server hardware, sizing and software based on reference networks, TCP and UDP ports, services, installation guidelines, support and troubleshooting.
This document provides references to Delta Controls knowledgebase articles (KBAs) where a Delta partner can find additional information on a topic.
For information about enteliWEB features, see the product documentation.
Building Automation System Site Sizing
This document uses the terms small, medium, large and WAN (Wide Area Network) to describe the size of typical building automation systems (BAS) managed by enteliWEB.
The key factors for sizing a BAS are as follows.
- The number of BACnet networks that enteliWEB connects to
- The number of I/O points that enteliWEB manages
- The number of simultaneous client users during peak usage times
Table 1 defines the site size terms using the key factors for sizing.
Site Size | Number of BACnet Networks | Number of I/O Points | Peak Simultaneous Users |
---|---|---|---|
Small | 1 | up to 500 | 3 |
Medium | 1 | 501 – 2,500 | 5 |
Large | 2 or more | 2,501 – 10,000 | more than 5 |
WAN | 10 or more, or 1 WAN | more than 10,000 | more than 10 |
Determining Site Size
Site size is determined by the most important factor in Table 1 for the site you are sizing.
For example, consider the following scenarios.
Site Size | Description |
---|---|
Small | one BACnet network with 12 BACnet devices; 3 peak simultaneous users |
Medium | one BACnet network with fewer than 500 I/O points. Every staff member uses enteliWEB, although not simultaneously, and there are multiple public kiosks to display enteliVIZ-based dashboards. enteliVIZ graphics are embedded on the corporate website |
Medium | one BACnet network in a commercial building with fewer than 2,500 I/O points and 1 facility manager user |
Large | several BACnet networks, each located in a separate medium-site building |
WAN | a WAN connecting 5 locations with more than 60,000 I/O points in total across the 5 sites. |
Hardware and Software Requirements
Minimum Server Hardware and Software Requirements
Each enteliWEB server installation requires a single dedicated physical server or a virtual machine.
Table 2 lists the minimum hardware and software specifications for an enteliWEB server with a small site.
While enteliWEB 4.0 can be installed on a server with these minimum specifications, its performance and capacity are limited to small sites. For medium, large and WAN-sized sites, you should use a server with the specifications indicated in Recommended Server Hardware and Software Requirements.
Minimum Server Hardware | |
---|---|
CPU | Intel/AMD multi-core CPU at 2GHz |
Memory (RAM) | 4 GB |
Hard drive space | Use a suitable combination of HDDs to achieve the hard drive space required, as follows: |
|
|
Network adapter | 100 Mbps. Link aggregation is not supported due to limitations inherent in the BACnet protocol. See Delta Controls KBA2234 for details. |
Minimum Server Software | |
---|---|
Operating system | One of the following:
|
Recommended Server Hardware and Software Requirements
Table 3 lists the recommended hardware and software specifications for an enteliWEB server for medium, large and WAN-sized sites.
Recommended Server Hardware | |
---|---|
CPU | Medium site: 4-core CPU or 2 dual-core CPUs. Large or WAN site: 8 logical processors, for example, a 4-core CPU with Hyper-Threading technology or dual 4-core CPUs |
Memory (RAM) | Medium site: 8 GB. Large or WAN site: 16 GB |
Hard drive space | Use a suitable combination of HDDs to achieve the disk space required, which is as follows: |
|
|
Network adapter | Delta recommends 1 Gbps for better performance. 100 Mbps can be used if desired. See Internet Bandwidth Requirements for BACnet traffic. Link aggregation is not supported due to limitations inherent in the BACnet protocol. See Delta Controls KBA2234 for details. |
Recommended Server Software | |
---|---|
Operating system | One of the following:
|
Recommended Virtual Machine Requirements
Table 4 lists the recommended specifications for a virtual machine (VM) that hosts enteliWEB software.
Note: VM performance is influenced by the load generated by other VMs on the same host system, so these VM sizing recommendations are based on a system that is not under heavy load by other VMs.
Recommended Virtual Machine Parameters | |
---|---|
Virtual CPU | Small site: 2 vCPUs. Medium site: 4 vCPUs. Large or WAN site: 8 vCPUs |
Memory (RAM) | 8 – 16 GB |
Hard drive space | Use a suitable combination of HDDs to achieve the disk space required, which is as follows: |
|
|
Network adapter | Delta recommends 1 Gbps for better performance. 100 Mbps can be used if desired. See Internet Bandwidth Requirements for BACnet traffic. Link aggregation is not supported due to limitations inherent in the BACnet protocol. See Delta Controls KBA2234 for details. |
Installation Guidelines
Services
For proper operation, enteliWEB requires the following services to be running.
Service | Description |
---|---|
Delta BACnet Server | Provides BACnet network and application layer services |
Delta enteliWEB Connection Service | Connects enteliWEB and BACnet Server, processes background tasks and transmits notifications between the two applications |
Delta License Server | License server for Delta Control applications |
Delta Monitor | Monitors the Delta BACnet Server and connected BACnet clients |
Delta MySQL Service | Database engine for enteliWEB |
World Wide Web Service | Internet Information Services – Microsoft's web server that is built into Windows |
TCP and UDP Ports on enteliWEB Server
For proper operation, the enteliWEB server requires the following ports to be open.
Port | Type | Direction | Usage |
---|---|---|---|
80 | TCP | internal | enteliWEB Connection Service sends requests to IIS |
4321 | TCP | internal | Report generation via BIRT |
49250 | TCP | internal | enteliWEB Connection Service and IIS connect to MySQL |
80 or 443 | TCP | incoming | Client browser access to enteliWEB server; http or https respectively |
25, 465, 587 | TCP | outgoing | enteliWEB connection to SMTP Server. For details, see Email. |
80 | TCP | outgoing | License activation and call home server: http://activation.deltacontrols.com, http://www.dglux.com/license/index.php |
389 | TCP and UDP | outgoing | LDAP server connection. For details, see LDAP Support. |
443 | TCP | outgoing | enteliWEB connection to CopperCube API |
443 | TCP | outgoing | Kaizen Cloud service when Kaizen Viewer is installed: https://kaizen.coppertreeanalytics.com |
1433 | TCP and UDP | outgoing | enteliWEB connection to Historian that uses SQL Server |
3306 | TCP and UDP | outgoing | enteliWEB connection to Historian that uses MySQL |
47808 (default) | UDP | both | BACnet/IP connection to a remote site via BBMD. The outgoing or destination port is 47808*. The incoming or source port is an ephemeral port number obtained from the server's operating system. *Port 47808 is the default port number for Delta BBMDs; however, it can be changed to other adjacent port numbers. See KBA2110 for details. |
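The ports marked internal (4321 and 49250) are used only between components on the server itself, so they should not be reachable from the network. The following PowerShell audit is an added example, not Delta Controls code: it compares listening TCP sockets and enabled inbound Windows Firewall allow rules against the table. The function names and verdict strings are assumptions, and it assumes the firewall's default inbound action is Block.

```powershell
# Added example, not Delta Controls code. Port numbers and directions come from
# the table above; function names and verdict strings are assumptions.
$PortPolicy = @(
    [pscustomobject]@{ Port = 80;    Direction = 'incoming'; Usage = 'Browser access (http)' }
    [pscustomobject]@{ Port = 443;   Direction = 'incoming'; Usage = 'Browser access (https)' }
    [pscustomobject]@{ Port = 4321;  Direction = 'internal'; Usage = 'Report generation via BIRT' }
    [pscustomobject]@{ Port = 49250; Direction = 'internal'; Usage = 'MySQL' }
)

# True when a firewall LocalPort value ('Any', '443', '49152-65535') covers $Port.
function Test-PortSpec {
    param([string[]]$Spec, [int]$Port)
    foreach ($s in $Spec) {
        if ($s -eq 'Any' -or $s -eq "$Port") { return $true }
        if ($s -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

# Display names of enabled inbound Allow rules that admit TCP traffic to $Port.
function Get-InboundAllowRule {
    param([int]$Port)
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        $filter.Protocol -in 'TCP', '6', 'Any' -and (Test-PortSpec -Spec $filter.LocalPort -Port $Port)
    } | Select-Object -ExpandProperty DisplayName
}

function Test-EnteliwebPort {
    foreach ($p in $PortPolicy) {
        $listen = @(Get-NetTCPConnection -State Listen -LocalPort $p.Port -ErrorAction SilentlyContinue)
        # A socket bound only to 127.0.0.1 or ::1 cannot be reached from the network.
        $exposed = @($listen | Where-Object {
            -not [System.Net.IPAddress]::IsLoopback([System.Net.IPAddress]::Parse($_.LocalAddress)) })
        $rules = @(Get-InboundAllowRule -Port $p.Port)

        if ($listen.Count -eq 0) {
            $verdict = 'NOT LISTENING'
        } elseif ($p.Direction -eq 'internal' -and $exposed.Count -gt 0 -and $rules.Count -gt 0) {
            $verdict = 'REVIEW: non-loopback listener with inbound allow rule'
        } elseif ($p.Direction -eq 'incoming' -and $rules.Count -eq 0) {
            $verdict = 'BLOCKED: no inbound allow rule'
        } else {
            $verdict = 'OK'
        }
        [pscustomobject]@{ Port = $p.Port; Direction = $p.Direction; Usage = $p.Usage; Verdict = $verdict
                           ListeningOn = ($listen.LocalAddress -join ', '); AllowRules = ($rules -join '; ') }
    }
}

Test-EnteliwebPort | Format-Table -AutoSize -Wrap
```

A REVIEW verdict on 4321 or 49250 means an inbound rule (often a broad "Any" port rule) covers a port the table lists as internal; narrow or remove that rule rather than rebinding the service.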
Security Features
Usernames and Passwords
enteliWEB allows you to manage usernames and passwords via an organization's LDAP server or locally via enteliWEB administration on the enteliWEB server.
When usernames and passwords are administered locally on the enteliWEB server, the following constraints apply.
Username
- Username must be 3 characters or longer.
- The space character is not allowed.
- Username is case-insensitive.
Password Strength Policy
enteliWEB allows an administrator to configure the password strength policy that users must adhere to when they create or change their enteliWEB passwords. The following are the password strength policy variables:
- Minimum password length; lowest settable minimum length is 3 characters.
- Maximum password length; highest settable maximum length is 32 characters.
- Password must contain one or more alphabetic characters, in either upper case or lower case, and one or more numeric characters.
- Password must contain one or more alphabetic characters in upper case and one or more alphabetic characters in lower case.
- Password must contain one or more characters that are not a number and are not an alphabetic character.
LDAP Support
enteliWEB uses LDAP to load a list of users and to authenticate users by their passwords in the LDAP server. enteliWEB does not add data to the directory information. An enteliWEB administrator defines whether or not a user account is linked to the LDAP server.
enteliWEB supports Simple and Digest authentication and it supports Active Directory and OpenLDAP services.
To configure a connection to an LDAP server, the following information about the server is required.
- Hostname or IP address of LDAP server
- Network port to connect to LDAP server; default port number is 389.
- Authentication type: Simple or Digest
- LDAP bind account information: distinguished name (DN) and bind password
- Base DN
- User attribute
- Realm name, for Digest authentication
For detailed information and an FAQ about configuring LDAP connection on enteliWEB, see Delta KBA2015.
User Lockout
The user account lockout feature prevents attackers from retrying user name/password combinations indefinitely and thereby possibly gaining access to enteliWEB. An unsuccessful login is one in which a correct user name is used with a wrong password.
A user is locked out after a configurable number of unsuccessful login attempts within a configurable time period.
A locked out user is not permitted to log in for a configurable time period or until an administrative user unlocks the user's account. The default lockout time period is 60 minutes.
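The lockout rule above can be modelled as a sliding window per account. The following PowerShell sketch is an added example, not enteliWEB's implementation: the threshold (5 failures in 10 minutes), the event fields (Time, User, Result) and the Result values are assumptions, and the sample events are constructed. Only the 60-minute lock period is the documented default.

```powershell
# Added example: a model of the lockout rule, not enteliWEB's implementation.
# Threshold, window and sample events are constructed; 60 minutes is the
# documented default lock period.
function Get-LockoutTimeline {
    param(
        [Parameter(Mandatory)] [object[]]$Events,   # Time, User, Result
        [int]$MaxFailures = 5,
        [timespan]$Window = '00:10:00',
        [timespan]$LockPeriod = '01:00:00'
    )
    $failures    = @{}   # user -> failure times still inside the window
    $lockedUntil = @{}   # user -> time at which the lock expires

    foreach ($e in ($Events | Sort-Object Time)) {
        $user = $e.User.ToLowerInvariant()          # usernames are case-insensitive
        if ($lockedUntil.ContainsKey($user) -and $e.Time -lt $lockedUntil[$user]) {
            # Locked: the login is refused even when the password is correct.
            [pscustomobject]@{ Time = $e.Time; User = $user; Outcome = 'rejected while locked' }
            continue
        }
        # Only "correct user name, wrong password" counts as an unsuccessful login.
        if ($e.Result -ne 'BadPassword') { continue }

        $cutoff = $e.Time - $Window
        $recent = @($failures[$user] | Where-Object { $_ -gt $cutoff }) + $e.Time
        $failures[$user] = $recent
        if ($recent.Count -ge $MaxFailures) {
            $lockedUntil[$user] = $e.Time + $LockPeriod
            $failures.Remove($user)
            [pscustomobject]@{ Time = $e.Time; User = $user
                               Outcome = "locked until $($lockedUntil[$user].ToString('HH:mm'))" }
        }
    }
}

# Constructed events: six wrong passwords for one account, a correct password
# during the lock, guesses against a name that does not exist, and a correct
# password after the lock has expired.
$t0 = [datetime]'2016-06-07 09:00:00'
$sample = @(
    0..5 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddMinutes($_); User = 'JSmith'; Result = 'BadPassword' } }
    [pscustomobject]@{ Time = $t0.AddMinutes(30); User = 'jsmith'; Result = 'Success' }
    0..9 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds($_); User = 'nosuchuser'; Result = 'UnknownUser' } }
    [pscustomobject]@{ Time = $t0.AddMinutes(70); User = 'jsmith'; Result = 'Success' }
)
Get-LockoutTimeline -Events $sample | Format-Table -AutoSize
```

Because attempts against unknown user names do not count under the stated definition, they never appear in the timeline; watch for them in the enteliWEB Log instead.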
Encryption
enteliWEB encrypts all passwords wherever they occur in its internal storage using a DIARMF/DIACAP approved algorithm.
Auditing
The enteliWEB Log contains records of all the events that occur in all the functional areas of enteliWEB since it was installed, except for records pertaining to device online/offline status changes which are deleted automatically from the Log after 365 days.
For example, the following events are recorded in the Log:
- Alarm and event notifications from devices
- Alerts
- Device status changes
- User actions including logins and attempted logins
- enteliWEB services
Each log record includes the value that was present before the event and the value after the event. For example, for user actions, the log record shows what the user changed, thus providing an audit trail of all user actions.
Each log record includes a time stamp that indicates when the event occurred.
Log records can't be deleted from the Log and they can't be altered.
Cross-Site Request Forgery
enteliWEB services are implemented to protect against penetration by Cross-Site Request Forgery (CSRF) attacks.
Licensing Requirements
An enteliWEB license must be activated before enteliWEB will run. The activation server at Delta Controls provides license activation services. A license can be activated either over the Internet or by email. An activated license is node-locked to the hardware of a physical server or to the VM's hardware configuration.
A VM must have Internet access to allow enteliWEB's license server to contact the Delta Controls activation server periodically at least once every 30 days.
When enteliWEB is installed on a VM, it is recommended that the enteliWEB license include the Offline Virtual Machine add-on to avoid the possibility of network/firewall changes causing enteliWEB to report a license issue and to stop running.
For complete details about licensing an enteliWEB server, see the Delta Controls document: Software License Manager User Guide.
Email
enteliWEB can be configured to send alarm and alert notifications via email to enteliWEB users. enteliWEB does not receive email.
To send emails, enteliWEB needs to be configured with information that allows it to reach an SMTP server. The following configuration information for the SMTP server must be available.
- Address of the SMTP server in fully qualified domain name (FQDN) format, for example mail.mycompany.com; or the IP address of the SMTP server.
- Port number to connect to the SMTP server. The enteliWEB default is 25 when a secure connection is not selected. When SSL is selected, the default port is 465. When TLS is selected, the default port is 587.
- User name and password, when required by the mail server for authentication.
enteliWEB supports the AUTH LOGIN SMTP Authentication method.
Internet Bandwidth Requirements for BACnet Traffic
An exact bandwidth requirement for BACnet traffic is difficult to calculate because it is dependent on site-specific variables such as the number of BACnet devices on the remote site's network and the amount of data exchange between devices. The calculation described in the following paragraph concludes that bandwidth of 10 Mbps per remote site is adequate.
The enteliWEB server uses the Internet to connect to a remote site via a BBMD at the site. If this BBMD is a Delta Controls eBMGR, then the connection is as fast as it can be, since eBMGR is the fastest device that Delta manufactures. The eBMGR can route up to about 1500 BACnet packets per second. BACnet packets are typically no larger than 480 bytes, so the bandwidth at the eBMGR is 720,000 bytes per second. This is about the maximum bandwidth that a 10 Mb Ethernet cable can handle.
Unlike Web traffic, BACnet traffic is symmetric in that the upload traffic is generally equal to download traffic. So for a site's Internet connection, upload bandwidth is probably the most concerning number.
For further information, see Delta KBA2119.
Securing enteliWEB with SSL
An enteliWEB server can be configured to use SSL, which binds by default to port 443. For a detailed procedure, see Delta KBA2037.
Client Browsers and Browser Settings
enteliWEB 4.0 supports the following browsers.
- Chrome 20+
- Edge
- Firefox 20+
- Internet Explorer 9+
- Safari 4+ on Apple device only
enteliWEB requires the following browser settings.
- JavaScript enabled
- Popups: optional, affects Help pages
- Flash: enabled for enteliVIZ graphics
- Cookies enabled
- SVG: SVG support is required when using SVG site graphics. All supported browsers include native support for SVG graphics.
IIS Roles and Features
enteliWEB requires the following roles and features to be enabled.
- IIS-WebServerRole
- WAS-WindowsActivationService
- WAS-ProcessModel
- WAS-NetTxEnvironment
- WAS-ConfigurationAPI
- IIS-ISAPIExtensions
- IIS-ISAPIFilter
- IIS-CGI
For details, see Delta KBA2108.
IIS Anonymous Authentication
enteliWEB provides username/password authentication to identify a user and group-based authorization to control the user's access to enteliWEB's resources. IIS Anonymous Authentication must be enabled to allow the proper operation of enteliWEB's authentication and authorization mechanism.
Vulnerability Testing
Delta tests for a range of vulnerabilities and configuration issues that may be introduced by installing enteliWEB.
Delta uses the Nessus Professional and the OWASP Zed Attack Proxy tools for these tests.
Support and Troubleshooting
Delta Support Protocol
An end user who requires technical support receives support from the Delta partner who installed enteliWEB. The Delta partner is the first line of support to resolve an issue.
Delta Controls provides technical support to its partners. A Delta partner can escalate an issue to Delta Technical Services.
If an end user or Delta partner is not satisfied with a problem resolution, he or she can escalate the problem to the Delta Controls Technical Services manager. The Technical Services manager deals directly with the product development team who help to resolve the issue.
Troubleshooting Utility
To assist Delta Technical Services when you need help with a serious enteliWEB server problem, you can supply them with the information that is generated by the sysinfo utility. The sysinfo utility performs a basic system health check and generates a file that contains a wealth of system information about the internals of your enteliWEB server. To run the utility, navigate to C:\Program Files (x86)\Delta Controls\enteliWEB\website\support and run sysinfo.bat. The generated zip file will speed up further technical support.
Packet Identification
In some projects, you may need to be able to identify Ethernet packets that originate from a Delta BACnet device. Delta KBA1171 describes how to identify these packets.
Feature Requests
Delta Controls welcomes suggestions for features and improvements from both the end users and Delta partners.
An end user can suggest a new feature or improvement by contacting the Delta partner who installed enteliWEB.
A Delta partner can communicate a feature and improvement suggestion to the product manager by sending a message to featurerequests@deltacontrols.com.
Document Revision History
Document Edition | Date Published | Author | Change Description |
---|---|---|---|
1.0 | December 2015 | J. Halliday | Created for enteliWEB 4.0 |
1.1 | January 2016 | J. Halliday | Updated CPU recommendation in Table 3; updated Virtual CPU recommendation in Table 4 |
1.2 | June 7, 2016 | J. Halliday | Added section IIS Anonymous Authentication. |