Network and IT Guidance for the BAS Professional Technical Bulletin

Network and IT Guidance for the BAS Professional TechnicalBulletinCode No. LIT-12011279Software Release 6.1Issued June 17, 2013Supersedes May 15 2013Refer to the QuickLIT website for the most up-to-date version of this document.Document Introduction.............................................................................................................4Concepts.....................................................................................................................................4Key Terms............................................................................................................................................4Active Directory Service........................................................................................................................4Active Directory Service Domain/Domain Controller............................................................................4Active Directory Service Schema..........................................................................................................4Demilitarized Zone (DMZ).....................................................................................................................4Domain Name System (DNS)...............................................................................................................4Dynamic Host Configuration Protocol (DHCP).....................................................................................4Firewall..................................................................................................................................................5Forest....................................................................................................................................................5Integrated Windows Authentication......................................................................................................5Kerberos................................................................................................................................................5Lightweight Directory Access Protocol (LDAP).....................................................................................5Microsoft Message Queuing (MSMQ)...................................................................................................5Network Address Translation (NAT)......................................................................................................5NT LAN Manager (NTLM) ....................................................................................................................5Organizational Units (OU).....................................................................................................................5Point-to-Point Protocol (PPP)...............................................................................................................6Service Account in Active Directory Service.........................................................................................6Security Identification (SID)..................................................................................................................6Simple Mail Transfer Protocol (SMTP)..................................................................................................6Simple Network Management Protocol (SNMP)...................................................................................6Simple Network Time Protocol (SNTP).................................................................................................6Transmission Control Protocol (TCP)...................................................................................................6User Account in Active Directory Service.............................................................................................6User Datagram Protocol (UDP)............................................................................................................6Virtual Private Network (VPN)...............................................................................................................7Related Documentation.............................................................................................................7Network and IT Considerations................................................................................................7Computer Hardware Configuration Requirements..........................................................................7Metasys Device IP Address Assignment (DHCP or Manual)..........................................................8Metasys Device Hostname Resolution (DNS or Hosts File).........................................................10DNS Implementation Considerations..............................................................................................10DHCP Implementation Considerations...........................................................................................10Microsoft Active Directory® Service Overview..............................................................................11Support for Active Directory Service (Including Single Sign-On Capability).......................................12Implementation Considerations..........................................................................................................12ADS/ADX/SCT Considerations...........................................................................................................13Child Device Considerations...............................................................................................................13Information Obtained from Active Directory Services.........................................................................14Service Account..................................................................................................................................14MSEA-SSO User Group.....................................................................................................................15Network and IT Guidance for the BAS Professional Technical Bulletin1

Disabling User Account Control..........................................................................................................55Metasys Dial-up Networking............................................................................................................55Data Sharing with Published Web Services...................................................................................56Network Interface Cards (NICs).......................................................................................................56Appendix: Microsoft® Windows® Operating System and SQL Server Software LicenseRequirements...........................................................................................................................57Windows Operating System License Requirements............................................................57Operating System CALs...................................................................................................................57Purchasing and Designating CALs.................................................................................................58Licensing Modes and CAL Examples.............................................................................................59SQL Server 2008 Licensing Requirements............................................................................59SQL Server 2012 Licensing Requirements............................................................................60ADS Requirements..................................................................................................................61Appendix: SNMP Agent Protocol Implementation................................................................62Overview............................................................................................................................................62Limitations.........................................................................................................................................62Metasys SNMP MIB Files..................................................................................................................62Enterprise ID Number.......................................................................................................................62SNMP Traps.......................................................................................................................................62Trap Format........................................................................................................................................62Configuring Trap Filtering....................................................................................................................63Agent Restart Trap..............................................................................................................................63Alarm Raised Trap..............................................................................................................................63Alarm Clear Trap.................................................................................................................................63Alarm Synchronization........................................................................................................................63Trap Cases..........................................................................................................................................63SNMP Get Requests...........................................................................................................................64Appendix: Active Directory Service.......................................................................................79Overview............................................................................................................................................79Infrastructure Questions..................................................................................................................79Primary Requirements......................................................................................................................80ADS/ADX Computer...........................................................................................................................80SCT Computer....................................................................................................................................80Client Computer..................................................................................................................................80Additional Requirements.................................................................................................................81Appendix: Windows Server OS Considerations...................................................................82Administrator Rights........................................................................................................................82Services.............................................................................................................................................82Internet Explorer Enhanced Security Configuration.....................................................................82Software Supported on Windows Server Platforms......................................................................83Configuring the Computer as an Application Server for Use as an ADX....................................83Appendix: Windows Desktop OS Considerations................................................................84Folder Structure................................................................................................................................84Administrator Rights........................................................................................................................84Services.............................................................................................................................................85Internet Explorer Web Browser Settings........................................................................................85Software Supported..........................................................................................................................85Windows Features Not Supported by Metasys Software..............................................................85Windows Scheduled Features.........................................................................................................86Technical Bulletin3

Document IntroductionThis document contains important information about connecting a Metasys® system to your network. From an ITperspective, a Metasys system device is simply a node on the network. But, the Metasys system uses communicationprotocols, security methods, and other technologies that you should consider.This document is intended for the Building Automation System (BAS) professional and contains everything in theNetwork and IT Considerations for the IT Professional Technical Bulletin (LIT-1201578) as well as supplementaldefinitions and concepts to help you interact with a network technologist.Important: Engage appropriate network security professionals to ensure the computer hosting the Site Director isa secure host for Internet access. Network security is an important issue. Typically, the IT organizationmust approve configurations that expose networks to the Internet. Be sure to fully read and understandIT Compliance documentation for your site. Use care when performing steps on Metasys systemcomponents as restarts may be required that conflict with compliance requirements. For example,upgrading an ADS/ADX requires the computer be offline for a period of time. Similarly, installing newsoftware on the ADS/ADX may require a computer restart.Note: In this document, engine refers to all models of Network Automation Engine (NAE) 35, NAE45, NAE55,Network Integration Engine (NIE) 55, Network Control Engine (NCE) 25, NxE85, and LONWORKS® ControlServer (LCS) 85, unless noted otherwise.Note: Application and Data Server (ADS) refers to all ADS products unless noted otherwise.Note: Some products in this document are available only to specific markets.ConceptsKey TermsNetwork-related key terms are defined as follows.Active Directory ServiceA network operating technology that enables IT administrators to manage enterprise-wide information from a centralrepository. This information includes data center policy compliance and identity management (user logon accounts),which are used for both Microsoft® Windows® authentication (logon to the Windows operating system) as well asnetwork resource authentication (logon to enterprise-wide secured applications, such as e-mail).Active Directory Service Domain/Domain ControllerA collection of Domain Controllers that can be thought of as a security boundary for network resources. A DomainController provides the Active Directory service to network users and computers; stores directory data; and managesuser and domain interactions including the logon process, authentication, and directory searches.Active Directory Service SchemaThe formal definition of all object and attribute data that can be stored in the directory; for example, user is an objecttype with attribute data of name, first name, last name, e-mail, and so on. The schema is made up of object classesand attributes. The base (or default) schema contains a rich set of object classes and attributes to meet the needsof most organizations, and is modeled after the ISO X.500 standard for services.Demilitarized Zone (DMZ)A portion of the network located between the Internet and the intranet. It is a buffered area that is usually protectedby two or more firewalls.Domain Name System (DNS)The method by which host domain names are translated into IP addresses. A domain name is a meaningful andeasy-to-remember handle for an Internet address. domain name system (DNS) is the Internet standard for naminghost devices and mapping host names to IP addresses.Dynamic Host Configuration Protocol (DHCP)A communications protocol that lets network administrators centrally manage and automate the assignment of IPaddresses in an organization’s network.Network and IT Guidance for the BAS Professional Technical Bulletin4

Dynamic Host Configuration Protocol (DHCP) lets a network administrator supervise and distribute IP addressesfrom a central point and automatically sends a new IP address when a device is plugged into a different location onthe network. DHCP can also assign dial-up users an IP address automatically when they connect to the network.Some DHCP servers can support fixed addresses for devices that need a static IP address.The engine, ADS, Extended Application and Data Server (ADX), TEC20 Coordinator, and Many-to-One WirelessRoom Temperature Sensing Receiver (WRS-RTN) can obtain their IP addresses and other network informationusing DHCP. Each Metasys device that can connect to the Ethernet network needs a unique IP address. WithoutDHCP, the IP address must be entered manually for each device; and, if the devices are moved to another subneton the network, you must enter a new IP address. The Metasys system supports both dynamic and static IP addressassignments.FirewallA firewall combines hardware and software to provide a security system that prevents unauthorized access fromthe Internet to the intranet. When engines have access to the Internet, firewalls typically are installed to preventoutsiders from accessing private data resources and to control which outside resources its own users can access.ForestOne or more domains that share a common schema and global catalog. Forests are normally organized hierarchically.The hierarchy is determined by the IT organization.Integrated Windows AuthenticationAn authentication method for directory security on a web server. Integrated Windows authentication uses acryptographic exchange with the user’s Internet Explorer® web browser to confirm the identity of the user and thusauthenticate the user to access the web server resource (such as a web service or a file).KerberosA network authentication protocol designed to provide strong authentication for client/server applications by usingsecret-key cryptography. Kerberos is the primary security protocol for authentication within an Active Directoryservice domain.Lightweight Directory Access Protocol (LDAP)A standard communication protocol for directories located on networks. Lightweight Directory Access Protocol(LDAP) defines how a directory client can access a directory server and how the client can perform directory operationsand share directory data.Microsoft Message Queuing (MSMQ)A technology that supports reliable, persistent storage of messages that require processing when the recipient deviceis temporarily offline or busy. Refer to http://www.microsoft.com for information on Microsoft Message Queuing(MSMQ).Network Address Translation (NAT)A protocol that enables a local area network to use one set of IP addresses for internal traffic and registered IPaddresses for external traffic.NT LAN Manager (NTLM)A network authentication protocol developed by Microsoft Corporation. NT LAN Manager (NTLM) is the secondaryprotocol for authentication within an Active Directory service domain. If a domain client or domain server cannot useKerberos authentication, then NTLM authentication is used.Organizational Units (OU)A container within Active Directory service that should be used to reflect the details of the organization’s businessstructure or to delegate administrative control over smaller groups of users, groups, and resources. An organizationalunit (OU) inherits security policies from the parent domain and parent OU unless it is specifically disabled.Network and IT Guidance for the BAS Professional Technical Bulletin5

Point-to-Point Protocol (PPP)A protocol for communication between two computers using a serial interface, typically a computer connected byphone line to a server. For example, your Internet service provider may provide you with a Point-to-Point Protocol(PPP) connection so that the provider’s server can respond to your requests, pass them on to the Internet, andforward your requested Internet responses back to you. PPP uses IP (and is designed to handle others). It issometimes considered a member of the TCP/IP suite of protocols. Relative to the Open Systems Interconnection(OSI) reference model, PPP provides layer 2 (data-link layer) service. Essentially, it packages your computer TCP/IPpackets and forwards them to the server where they can be placed on the Internet.Service Account in Active Directory ServiceA login account assigned to an application to enable the application to perform privileged actions within ActiveDirectory service; the Metasys system requires one or more Service Accounts to be assigned to allow the systemto perform directory queries and request Active Directory service authentication. Only one Service Account is allowedper domain.Security Identification (SID)An alphanumeric character string that uniquely identifies Active Directory service users and groups within ActiveDirectory service. Unlike a user name or group name, which may be renamed, the Security Identification (SID)remains constant throughout the life of the user account or group.Simple Mail Transfer Protocol (SMTP)A protocol for sending e-mail messages between servers. Most e-mail systems that send mail over the Internet useSimple Mail Transfer Protocol (SMTP) to send messages from one server to another. The messages can then beretrieved with an e-mail client using either Post Office Protocol (POP) or Internet Message Access Protocol (IMAP).Simple Network Management Protocol (SNMP)The primary protocol governing IP network management and the monitoring of IP network devices and their functions.It is not necessarily limited to TCP/IP networks.Simple Network Time Protocol (SNTP)A simplified version of Network Time Protocol (NTP). These protocols allow one computer to ask another computerwhat time it is across a TCP/IP network, then set its own clock accordingly. A number of public Simple Network TimeProtocol (SNTP) time servers keep track of time with a very high degree of accuracy that can be used to ensure theSite Director is synched to real time. You can find lists of public SNTP time servers by performing a search on theInternet.Transmission Control Protocol (TCP)A set of rules (protocol) used along with IP to send data in the form of message units between computers over theInternet and on other networks commonly referred to as intranets or extranets. Whereas IP takes care of handlingthe actual delivery of the data, Transmission Control Protocol (TCP) keeps track of the individual units of data (calledpackets) into which a message is divided for efficient routing through the Internet.User Account in Active Directory ServiceA login account assigned to a user that is created, stored, and maintained only within Active Directory service; thisUser Account provides access to Active Directory service Network Resources. It may also provide access to theMetasys system when added and privileged using the Metasys Security Administrator System.User Datagram Protocol (UDP)A communications protocol that offers a limited amount of service when messages are exchanged between computersin a network that uses IP. User Datagram Protocol (UDP) is an alternative to TCP. Like TCP, UDP uses the InternetProtocol to actually get a data unit (called a datagram) from one computer to another. Unlike TCP, UDP does notdivide a message into packets (datagrams) and reassemble it at the other end. Specifically, UDP does not providesequencing of the packets that the data arrives in; therefore, the application program that uses UDP must ensurethat the entire message has arrived and is in the right order.Network and IT Guidance for the BAS Professional Technical Bulletin6

Virtual Private Network (VPN)A private data network that uses the public telecommunication infrastructure and the Internet, maintaining privacythrough the use of tunneling protocol and security procedures (encrypting data before sending it through the publicnetwork and decrypting it at the receiving end).Related DocumentationTable 1: Related InformationFor Information OnSee DocumentLIT NumberThe Metasys SystemMetasys System Extended ArchitectureOverview Technical BulletinLIT-1201527Access Settings and Users/Roles in theSystemSecurity Administrator System TechnicalBulletinLIT-1201528Security Database Backup/RestoreTime, Date, Time Zone, and TimeSynchronizationMetasys system HelpNAE Commissioning GuideADS/ADX Commissioning GuideLCS85 Commissioning GuideLIT-1201793 1LIT-1201519LIT-1201645LIT-12011568Interaction between an N1 Network andthe NIEN1 Migration with the NIE TechnicalBulletinLIT-1201535BACnet® Network and a MetasysNetwork InteractionSNMP for Network MonitoringBACnet Controller Integration withNAE/NCE Technical BulletinMetasys system HelpLIT-1201531LIT-1201793 11 This LIT number represents a print-friendly version of the Help.Network and IT ConsiderationsComputer Hardware Configuration RequirementsComputer minimum hardware configurations are based upon experience and testing for both client and serverplatforms and are published in the literature for each component of the Metasys system. Follow these requirements.Computers running Metasys software must perform simultaneous tasks that require both hardware and networkresources, and optional or advanced features require a large amount of memory for proper performance. Examplesof the optional features of the Metasys system include advanced navigation and support for complex graphics,operation with the maximum number of concurrent users, complex and extended queries with the Metasys ExportUtility, support for large network integrations, extensive use of trending, and large numbers of concurrent openwindows.It is important to note that operating systems and computing capabilities change rapidly. A computer that is adequatefor today’s applications may be inadequate in a year if additional system features and functions are required.Configuration requirements may be upgraded on a regular basis to reflect these changes.Refer to the Metasys System Configuration Guide (LIT-12011832) for specific computer requirements.Network and IT Guidance for the BAS Professional Technical Bulletin7

Metasys Device IP Address Assignment (DHCP or Manual)See Table 2 for IP address assignment rules in the Metasys system.Table 2: IP Address AssignmentsDevice Dynamic AddressingStatic AddressingCommentsNAE/NCESupportedRecommended when theNAE/NCE is the Site Director 1• The NAE/NCE is a supervisorycontroller/engine.• NAE85s are installed on server-classcomputers, but all other models arestand-alone devices on the IP network.• The NAE45-Lite cannot be the SiteDirector. It must reside under anADS-Lite Site Director.NIENot SupportedRequired• A DHCP server can be configured toassign a particular IP address to aparticular MAC address; therefore, DHCPcan be used to assign a static IP addressto a device.• The NIE is a supervisorycontroller/engine.• NIE85s are installed on server-classcomputers, but the NIE55s and NIE59sare stand-alone devices on the IPnetwork.LCSSupportedRecommended when the LCS85is the Site Director 1• The NAE/NCE is a supervisorycontroller/engine.• LCS85s are installed on server-classcomputers.• DHCP is supported as long as the sameaddress is assigned to the LCS85 aftera restart or shut down for an extendedperiod of time. If a new address isassigned, you must reconfigure theLONWORKS software driver and updatesettings for the LCS85 designated as theconfiguration server.ADS/ADXSupportedRecommended when theADS/ADX is the Site Director 1The ADS is loaded on a desktop-classcomputer and the ADX is installed on aserver-class computer.Network and IT Guidance for the BAS Professional Technical Bulletin8

Table 2: IP Address AssignmentsDevice Dynamic AddressingStatic AddressingCommentsTEC20-3C-2Supported for primary portonlyRecommended for primary port;required for secondary port• Enable DHCP only if your network hasone or more DHCP servers. Otherwise,the TEC20-3C-2 Coordinator maybecome unreachable over the network.• Only the primary Ethernet connection PRI(NET1, LAN1) can be enabled to useDHCP. The secondary Ethernetconnection SEC (NET2, LAN2) can onlyuse static IP addressing.• A new TEC20-3C-2 Coordinator isfactory-configured with an IP address of192.168.1.12n and a submask of255.255.255.0, where n equals the lastnumber in the TEC20-3C-2 Coordinatorserial number. When commissioning thedevice with the TEC WirelessConfiguration Tool, do not assign yourcomputer with the same IP address asthe TEC20-3C-2 Coordinator’sfactory-assigned IP address.WRS-RTNSupportedRecommended if communicationissues arise• If your network uses network addresstranslation (NAT) to communicate acrossthe Internet, the NATs must provide staticinternal and external IP addresses. If youare using DHCP to assign addresses todevices that communicate acrossnetworks that use NATs, your DHCPserver should be configured to alwaysallocate the exact same IP address asthe Metasys system devices' MACaddresses. This configuration makesthese devices behave as if they havestatic IP addresses, although they haveDHCP addresses. This behaviorsometimes is called DynamicallyAssigned, Statically Allocated addressingfrom a DHCP server.• The data transmission over Ethernetbetween a WRS-RTN and an engineconsumes very little bandwidth (less than1.5% of the usable bandwidth on a 10Mbps Ethernet network, based onmaximum device loading). Refer to theWRS Series Many-to-One WirelessRoom Temperature Sensing SystemTechnical Bulletin (LIT-12011095) fordetails.1 The Site Director is the device designated to maintain the site information by holding the Site object, which contains informationabout the logical organization of data about your facility, user password administrative information, and overall master timeand date. This function resides in an engine, or an ADS/ADX on large installations. Although an engine can be a Site Director,if the site has an ADS/ADX, then an ADS/ADX must be the Site Director. The Site Director provides a uniform point of entryand supports functions such as user logon, user administration, time synchronization, and traffic management.Network and IT Guidance for the BAS Professional Technical Bulletin9

Metasys Device Hostname Resolution (DNS or Hosts File)If DHCP servers are available on the network and DHCP is enabled on the Metasys system devices, a DHCP servercan automatically assign the addresses of the DNS servers to some devices. Alternatively, the DNS server addressesmay be manually assigned. See Table 2 for specifics for each device.If the network does not support DNS, then the hosts file or registry entries of the Site Director must be updated withthe host name/IP address pairs for all engines/servers on the Metasys site, and each child device (non-Site Directorengine/server) must be updated with the host name/IP address pair of the Site Director (and any other Ethernet-baseddevice with which it communicates).Either DNS or local host file updates are necessary for successful communication between a Site Director and alldevices on the Metasys site.We recommend using DNS scavenging to ensure old host records are cleaned up properly. The recommendedscavenging interval is the same interval as the DHCP lease time.For information on configuring DHCP and DNS on an engine, refer to the NAE Commissioning Guide (LIT-1201519)or LCS85 Commissioning Guide (LIT-12011568). For information on configuring DHCP and DNS for an ADS/ADX,refer to Microsoft® Windows operating system literature. Also refer to the TEC Series Wireless Thermostat ControllerSystem Technical Bulletin (LIT-12011414) and WRS Series Many-to-One Wireless Room Temperature SensingSystem Technical Bulletin (LIT-12011095) for DHCP and DNS information on those respective devices.DNS Implementation ConsiderationsThe DNS infrastructure must be configured to do the following:• The Metasys server and/or Metasys engine and Metasys DHCP supported devices (TEC20-3C-2 Coordinators,WRS-RTN Many-to-One Receivers) must be defined in the same DNS domain.• The Metasys server and/or Metasys engine and Metasys DHCP supported devices (TEC20-3C-2 Coordinators,WRS-RTN Many-to-One Receivers) require DNS servers defined to resolve hosts in the domain they are in.• If the DNS server and the Metasys server and/or Metasys engine are in different networks (VLANs), routing mustbe available between networks.DHCP Implementation ConsiderationsFor Metasys devices to function properly in a DHCP implementation, the DHCP servers must support dynamic DNS.The DHCP infrastructure must be configured to do the following:• The DHCP server must create an A record in the defined DNS domain upon handing a lease to a Metasys device.Optionally, you can configure the DHCP server to update the PTR (pointer) record of the Metasys DHCP supporteddevice in the reverse zone DNS domain.• The domain for DNS updates must be included in the DHCP server configuration. The Metasys DHCP supporteddevice does not specify the domain.• The Metasys server and/or Metasys engine and the Metasys DHCP supported devices (TEC20-3C-2 Coordinatorsand WRS-RTN Many-to-One Receivers) all must be in the same DNS domain.• We recommend that the Metasys server and/or Metasys engine and the Metasys DHCP supported devices(TEC20-3C-2 Coordinators and WRS-RTN Many-to-One Receivers) be in a separate VLAN from all other devicesat the Metasys site.• If the DNS server, Metasys server, Metasys engine, and/or Metasys DHCP supported devices (TEC20-3C-2Coordinators and WRS-RTN Many-to-One Receivers) are in different networks (VLANs), ensure that routing isavailable between networks and that a proper router is passed in the DHCP lease.• If the DHCP server is not in the same VLAN as the Metasys devices, enable DHCP forwarding to the properDHCP server on the VLANs on which the Metasys devices are located.Metasys devices require that you configure the DHCP options in Table 3 in the DHCP server in addition to the IPaddress and subnet mask.Network and IT Guidance for the BAS Professional Technical Bulletin10

Support for Active Directory Service (Including Single Sign-On Capability)Table 4 is a summary of which Metasys system application UIs support Active Directory logons and the SSO capability.If the application supports Active Directory logons, then the Metasys system can be configured to use your existingIT Active Directory Service infrastructure for authentication purposes. If the application supports SSO, then you canlog on to multiple, secured applications without reentering the same user name and password.Table 4: Products That Support Active Directory Logons and SSOApplicationActive Directory Logons SupportedSSO SupportedADS Site Management Portal UIADX Site Management Portal UISCTMetasys Advanced Reporting SystemReady Access PortalEngine 4YesYesYes 1NoYes (Computer) No (Handheld)NoYesYesYesNo 2No 3No1 If you are using the SCT Manager to switch between SCT versions, do not use the Active Directory service. SCT versionsmanaged this way do not support the integration of the Metasys system with the Active Directory service.2 If you are using Metasys Advanced Reporting System UI on an ADX, you still can use the SSO capability to log on to the ADXSite Management Portal UI. For example, if you have an ADX with the Metasys Advanced Reporting System, you can useSSO to log on to the ADX Site Management Portal UI but you must enter your Metasys system user name and password pairto log on to the reporting system.3 If you are using Ready Access Portal UI on an ADS/ADX, you still can use the SSO capability to log on to the ADS/ADX SiteManagement Portal UI. For example, if you have an ADX with the Ready Access Portal software installed on it, you can useSSO to log on to the ADX Site Management Portal UI but you must enter your Metasys system user name and password pairto log on to the Ready Access Portal UI.4 The engine Site Management Portal UI does not support authentication with Active Directory service. If you have an ADS/ADXSite Director, however, you can log on to the ADS/ADX Site Management Portal UI using SSO and access system informationfor the entire site, including details on the engine.For more details on Active Directory and SSO interaction with Metasys system security, refer to the SecurityAdministrator System Technical Bulletin (LIT-1201528).Implementation ConsiderationsThe Active Directory service feature as implemented on the Metasys system uses the existing Active Directoryservice infrastructure at the customer site. The following are important considerations:• Active Directory service users in Windows Server® 2012, Windows Server 2008 R2 with SP1, or Windows Server2008 SP2 domains and read-only domains are supported.• Use of a Windows Server 2012, Windows Server 2008 R2 SP1, or Windows Server 2008 SP2 read-only domaincontroller is determined by the IT department that is responsible for setting up accounts for authentication againstthe domain controller. SSO and Active Directory service logins function with the Windows Server 2012, WindowsServer 2008 R2 SP1, or Windows Server 2008 SP2 read-only domain controller whether the primary read-onlydomain controller is online, offline, or not accessible (as long as the Active Directory service user credentials arecached in the read-only controller). If a trust relationship exists between the read-only domain controller andanother domain, the Active Directory service login functions properly as long as the trusted domain is accessible.In this case, Kerberos manages the forwarding to the correct domain. SSO does not work for an Active Directoryservice user in a trusted domain of a read-only domain controller because SSO uses NTLM and the messageis not forwarded.• The default Active Directory services schema is supported. For details, see Information Obtained from ActiveDirectory Services.• NTLMv2 is required to accomplish strict SSO login-free access to the Metasys system using IIS WindowsIntegrated Authentication. All other authentication is performed using Kerberos, which includes the Active Directoryservice user name, password, and domain selection at the Metasys system login screen and authentication toActive Directory services for LDAP queries.Network and IT Guidance for the BAS Professional Technical Bulletin12

• The Metasys system does not store or manage the passwords of Active Directory service users. Active Directoryservice users who are given access to the Metasys system (identified by SID) are not created or managed bythe Metasys system. The system maintains authorization permissions to the Metasys system only.• Active Directory service credentials provided at the Metasys system login screen are strongly encrypted beforebeing sent over the network from the Site Management Portal UI to the ADS/ADX and SCT. Preceding the login,a Rivest, Shamir, and Adelman (RSA) exchange of an RC2 key occurs. For details, see Network MessageSecurity.• To ensure that Metasys system SSO works properly, the security policy Network Security: LAN Managerauthentication level must be configured to compatible settings on the ADS/ADX and SCT computer, any SiteManagement Portal UI client machines, and the Active Directory service domain controller.• The Active Directory service structure may comprise one or more forests consisting of one or more domains.The Metasys system does not require any particular Active Directory service structure. Users from any domainmay be given access privileges to the Metasys system, as long as appropriate trust relationships and privilegesexist within Active Directory services.• The ADS/ADX and SCT computer should be placed in an Active Directory service that is not affected by GroupPolicies (such as those typically applied to a desktop), which download software to the machine that may adverselyaffect Metasys system device operation.• A service account in Active Directory service consisting of an Active Directory user name, password, and domainis required. For details, see Service Account.• Trust relationships and privileges are dictated by the customer IT department and are a fundamental part of asecurity policy. Active Directory service implementation on the Metasys system does not dictate the trusts thatare established. While Active Directory services provide multiple domain support, the customer infrastructuredetermines whether this function is used.ADS/ADX/SCT ConsiderationsThe ADS/ADX or SCT computer that is handling user authentication and authorization must adhere to the followingrequirements to use the Active Directory services feature as implemented on the Metasys system:• ADS/ADX and SCT software must be at Release 4.1 or later.• ADS/ADX and SCT computer must be joined to an Active Directory service domain. This is necessary for SSOlogin-free access to the Metasys system using Windows Integrated Authentication. If the ADS/ADX and SCTare not joined to an Active Directory service domain, the Active Directory service user cannot use the login-freeaccess to the Metasys Site Management Portal UI, but the Active Directory service user may still specify theirActive Directory service user name, password, and domain at the login screen.• ADS/ADX and SCT computer must be configured to use Windows Integrated Authentication through IIS. WindowsIntegrated Authentication is configured by the Metasys installation program and is necessary for SSO login-freeaccess to the Metasys system.• ADS/ADX and SCT computer must be configured to allow Metasys system privileged Active Directory serviceusers access to the device from the network and read/execute access to the Metasys Single Sign-On web service.This is accomplished through the MSEA-SSO Windows user group that was created when the ADS/ADX or SCTsoftware was installed. For details, see MSEA-SSO User Group.• The hard disk on the ADS/ADX or SCT computer must be formatted for the NTFS, not the File Allocation Table(FAT) system.• ADS/ADX and SCT computer must not be running other third-party applications that compete with the Metasyssystem for computer resources.Child Device ConsiderationsChild devices such as engines do not use the Active Directory service; however, if the user logs on to a Site Directorwith Active Directory service credentials, they may navigate to child devices, including engines. The child devices:• can be any combination of platforms illustrated in Figure 6• do not need to be at the same release as the Site Director• do not need to join an Active Directory service domainNetwork and IT Guidance for the BAS Professional Technical Bulletin13

Information Obtained from Active Directory ServicesThe Active Directory service used by the Metasys system reads a set of information from the Active Directory servicedatabase and populates/updates the user’s Properties based on those values. The following information is read,with the actual Active Directory service attribute names in parentheses:• User name (samAccountName, userPrincipalName, CanonicalName)• Description (Description)• Full Name (displayName)• Email (mail)• Phone Number (telephoneNumber)• Account Disabled (UserAccountControl)In addition, the Security Identifier (ObjectSID) is obtained from the Active Directory service database and usedinternally to uniquely identify the Metasys user.Service AccountThe Active Directory services, as implemented on the Metasys system, require a service account in Active Directoryservice consisting of a user name, password, and domain. The feature uses this service account when executingLDAP queries of Active Directory service. The Active Directory service feature allows the use of one Service Accountto access all domains, or one Service Account per domain.The service account in Active Directory service must have directory read privileges. These privileges may be opento the entire directory or limited to only those organizational units and domains that contain Metasys privileged ActiveDirectory service users and groups. For some Active Directory service configurations, the IT department may dictatethat one service account is created per domain.The service account user name, password, and domain are defined by the customer IT department. This user shouldbe created with a non-expiring password. If the IT department requires the modification of the Service Accountpassword on a periodic basis, a Metasys system work process must be defined to update the password in theSecurity Administrator System at the time it is changed in Active Directory service. If the Service Account passwordin the Metasys system does not match the Service Account password in Active Directory service, Metasys systemaccess by Active Directory service users is denied.Service Account RulesWhen specifying a service account with the Metasys Security Administrator System, keep these important rules inmind:• For each service account, use the user principal name (UPN) format for the user name. Provide the fully qualifieddomain name where the domain specifier is at the domain level. For example, usemetasys.service@my.corp.com instead of metasys.service@corp.com, even though the latter is a valid formof the user name.• A blank password for a service account is prohibited.• The ability to specify more than one service account is available. You only need to specify more than one serviceaccount if an Active Directory service trust does not exist between the domain in which the service account iscreated and all other domains where Metasys users reside. In this case, specify one service account per domainwhere the Metasys users reside.• The service account user does not need to be part of the MSEA-SSO user group.• The Service Account should be configured with a non-expiring password; however, if the password is set toexpire, you need to reset it in the Metasys Security Administrator System each time you reset it on the ActiveDirectory service domain.Network and IT Guidance for the BAS Professional Technical Bulletin14

Service Account PermissionsThe Metasys system requires that the service account in Active Directory service allow a minimal set of permissions.This section lists these permissions, but does not dictate how they should be applied; the customer IT departmentdetermines this at the time of creation. The required permissions include the following:• Read access to the domain object of each domain that contains Active Directory service users who are Metasyssystem users.• Read access to each organizational unit that contains Active Directory service users who are also Metasyssystem users.• Read access to the attributes of each User Object in Active Directory service that relates to Metasys systemusers or read access to only the following individual attributes on those user objects (if full read access is notallowed):- ObjectSID- samAccountName- displayName- Description- mail- userPrincipalName- telephoneNumber- UserAccountControl- CanonicalNameIn addition, a non-expiring Service Account password is required. See Service Account Rules. Also, the ServiceAccount must be able to access all domains with Metasys system users to perform LDAP queries. For example,accounts cannot be denied access to the domain controller in the domain security policy.MSEA-SSO User GroupWhen the ADS/ADX or SCT is installed, a new user group called MSEA-SSO is created under the set of user groupson the computer. To allow the Active Directory service user SSO login-free access to the Metasys ADS/ADX or SCTsoftware, each Active Directory service user must be added to this user group. Alternatively, the IT professional cancreate an Active Directory service group intended solely for Metasys system users and place each Active Directoryservice user, who has permission to use the Metasys system, under that group. In this case, adding this ActiveDirectory service group to the MSEA-SSO user group provides access to all Metasys users defined under that ActiveDirectory service group.Note: The Active Directory service user you add to the MSEA-SSO group on the ADS/ADX or SCT computer mustbe defined on the same Active Directory service domain as the ADS/ADX or SCT computer, or on a trusteddomain.When the ADS/ADX and SCT software is present on the same computer, both applications share the same MSEA-SSOuser group. If the ADS/ADX and SCT software is installed on separate computers, the set of Active Directory serviceusers must be added separately to the MSEA-SSO group of both computers.Note: If the ADS/ADX or SCT computer is not in an Active Directory service domain, SSO login-free access is notavailable. Do not add any users to the MSEA-SSO group.Network and IT Guidance for the BAS Professional Technical Bulletin15

The MSEA-SSO group has the following permissions on the ADS/ADX and SCT computer:• User Rights Assignment: Access this computer from the network:- In Windows 8, Windows 7, Windows Server 2012, or Windows Server 2008 R2 with SP1, select ControlPanel > System and Security > Administrative Tools > Local Security Policy > Local Policies- In Windows XP®, select Control Panel > Administrative Tools > Local Security Policy > Local Policies- In Windows Server 2008 SP2, select Control Panel > System and Maintenance > Administrative Tools >Local Security Policy > Local Policies• Read and execute access on the following web service file and directory:{IIS Drive and Directory}\wwwroot\MetasysIII\WS\Security\ActiveDirectory\ SingleSignOnService\ValidateSingleSignOnADUser.asmxUser Account RulesThe following rules apply to Active Directory service users who are added with the Metasys Security AdministratorSystem:• The UPN format is used for the user name, in which the fully qualified domain name is provided. For example,myUser@my.corp.com is specified instead of myUser@corp.com, even though the latter is a valid form ofthe user name. The fully qualified user name appears on the main Metasys Site Management Portal UI screento identify the currently logged in user. It also appears as the user name on Metasys reports and logs.• Each specified user must exist and be enabled in Active Directory service. Properties of the user (for example,phone number and e-mail address) are read when the user is added to the Metasys system. These items aredisplayed by the Metasys Site Management Portal UI under User Properties. For details, see Information Obtainedfrom Active Directory Services.• If the user name for an Active Directory service user changes, you do not need to change the user’s name inthe MSEA-SSO group or specify the new name with the Metasys System Administrative tool. The update of thenew user name occurs within the Security Administrator System when you left-click the Active Directory serviceuser account.• If an Active Directory service user is deleted from the Active Directory service database, delete that user fromthe Metasys system as well. If, for any reason, an Active Directory service user with the same user name is lateradded to the Active Directory service database but you did not delete this user from the Metasys system, thenew user cannot be added to Metasys until the original user is deleted.• If an Active Directory service user is disabled in the Active Directory service database, the Metasys AccessSuspended property check box under the user’s Properties window is selected. Once the service user for ActiveDirectory directory is re-enabled, a Metasys Administrator must manually click to clear the Metasys AccessSuspended property check box before the user can log on again.• The Metasys system follows the text case format dictated by Active Directory services. In other words, if youadd a user called MYUSER@my.corp.com, and the Active Directory service format uses all lowercase characters,the user name adjusts to myuser@my.corp.com when added.• At least one defined Service Account must have the privilege to read the user’s Active Directory service attributes.User Creation and PermissioningIn many organizations, different people need to be involved in the process of defining and maintaining Active Directoryservice users for the Metasys system.IT and Active Directory service Administrators create, delete, and update accounts in Active Directory service,including the provision of a Service Account for use by the Metasys system. They manage Active Directory serviceuser account passwords, password policies, and account policies.Metasys Administrators add existing Active Directory service users to the Metasys system, and assign Metasyssystem privileges using the Security Administrator System. They may also manage the users assigned to theMSEA-SSO user group on the ADS/ADX or SCT computer.Network and IT Guidance for the BAS Professional Technical Bulletin16

Once you add an Active Directory service user to Metasys, the user is assigned privileges in the same manner asa local Metasys user. In fact, a user’s local Metasys account can be disabled or deleted once their Active Directoryservice user account is established, unless there is an important reason for a user to have two accounts. An auditrecord is created whenever an Active Directory service user is added to or removed from the Metasys system.Web Site CachingIf you cache web pages to reduce bandwidth, you may experience problems with Metasys system graphics andschedules. These features still function normally, but the UI may appear distorted or dimmed. We recommend youdo not use web page caching.Microsoft Message Queuing (MSMQ) TechnologyIntroductionAs implemented in the Metasys system, MSMQ supports trending and Site Management Portal UI navigation treefeatures. The Site Director queue receives trend data and navigation tree changes from other system devices. Whenthe Site Director is busy, the messages remain in the queue until the Site Director is available to process them.Using MSMQ allows the system to avoid bottlenecks by separating the actions of receiving and processing data.MSMQ must be installed on all computers where ADS, ADX, and Ready Access Portal software is installed. Onceinstalled, do not stop or disable MSMQ. If MSMQ is stopped or disabled, the Site Director does not receive/processmessages. Lost trending data may be irrecoverable. The queue fills at a rate determined by your site configurationand system use; for example, trend frequency or number of additions, changes, or deletions made to the navigationtree.Note: Each Site Director and Ready Access Portal computer contain all the navigation information for an entire sitein a cache known as the Navigation Tree Cache. This cache allows the Site Management Portal UI to displayquickly without repeated requests to system devices. Updates received through the MSMQ queue keep theNavigation Tree Cache information current.An alarm is generated in the Metasys system when any trend or alarm sample remains in the MSMQ for more than10 minutes. This alarm usually indicates a problem with the Microsoft SQL Server or that a remote forwardingdestination is offline. See Figure 1 for an example of the Metasys alarm.Figure 1: MSMQ AlarmRecoveryWe recommend that you set MSMQ to restart after first, second, and subsequent failures.To set recovery action:1. In Control Panel, select Administrative Tools.2. Double-click Services.3. Right-click Message Queuing and select Properties. The Message Queuing Properties dialog box appears.Network and IT Guidance for the BAS Professional Technical Bulletin17

4. On the Recovery Tab (in the First failure, Second failure, and Subsequent failures drop-down lists boxes) selectRestart the Service.5. Click OK.Queue TroubleshootingUnder normal operation, Metasys message queues are empty or near zero. If there is a problem with trend forwarding,the messages remain in the backlog queue and queue size increases. If this occurs, and the queues become full,permanent data loss can result.Note: This procedure requires that you have Windows Administrator access on your computer. Perform thisprocedure on all ADSs/ADXs on your site. If you have a split ADX, perform this procedure on the DatabaseServer computer.To see the size of your MSMQ queue:1. Using Windows Explorer, right-click My Computer and select Manage. Depending on your operating system, theComputer Management tor Server Management screen appears.2. Do the following depending on your operating system:• On Windows 8, Windows 7, or Windows Server 2008 R2 SP1, in the tree in the left pane, browse to Servicesand Applications > Message Queueing > Private Queues.• On Windows XP, in the tree in the left pane, browse to Services and Applications > Message Queuing >Private Queues.• On Windows Server 2008 SP2, browse to Features > Message Queuing > Private Queues.3. If the Number of Messages column for the Metasys queues (particularly metasys_trendbacklog) contains anumber that is growing or not zero, you may have an issue with trend forwarding that requires further investigation.You may need to resize the window if this column is not visible.Metasys System and Virtual EnvironmentsJohnson Controls recognizes the benefits and popularity of running software applications in virtual environmentsusing software such as VMWare® and Microsoft Hyper-V Server 2008 R2. Virtual environments allow multiple,independent instances of an operating system to function on a single computer hardware platform. Many ITorganizations have embraced the economic benefits of deploying applications in virtual environments. AlthoughJohnson Controls does not formally support virtual environments, the Metasys system functions under certain virtualenvironments and requires that you consider the following important factors:• Supported Operating Systems: Run only supported operating systems in your virtual environment. For a listof supported operating systems, refer to the technical literature for the product you are installing.• Operating System Installation: You must install the operating system software and apply the appropriateservice packs following the procedures in the ADS, ADX, and SCT Installation and Upgrade Wizard(LIT-12011521).Note: Ensure the correct manufacturer drivers are installed and do not use generic Windows drivers, especiallyfor Bluetooth®, wireless, USB 2.0, USB 3.0, network cards, and disk drives. To obtain the correct drivers,please visit your computer manufacturer's web site.• SQL Server Software Installation: You must install the SQL Server software and apply the appropriate servicepacks following the procedures in the ADS, ADX, and SCT Installation and Upgrade Wizard (LIT-12011521).• Other Metasys Applications: You must follow the procedures in Johnson Controls® technical literature for anyother Metasys software application that is installed on a computer with a virtual environment.• SQL Server Software Performance: Understand that the performance of SQL Server software may degradewhen deployed in a virtual environment. Also, other applications that compete with the Metasys system for SQLServer resources may affect performance.• Help from IT: Engage the expertise of your IT department and network technologists when setting up the virtualenvironment.Network and IT Guidance for the BAS Professional Technical Bulletin18

• Reliability: Realize that Metasys system reliability in a virtual environment with other applications is difficult toassess when the applications share the same hardware. Be aware of other applications that run in the samevirtual environment as the Metasys system.• Dedicated Network Card: To ensure reliable communication between the Site Director and supervisory controllers,use a dedicated network interface card (NIC) whose MAC address does not change. Do not use managed orload sharing NICs.• Available Memory and Hard Disk Space: Make sure that the virtual environment has allocated enough memoryand hard disk space. Do not attempt to run a system with the bare minimums. Both the virtual environment andthe Metasys software need a certain amount of memory and disk space; typically, 4 GB for the host operatingsystem and 4 GB for the operating system that Metasys is using. For general hardware requirements, refer tothe Application and Data Server (ADS/ADX) Product Bulletin (LIT-1201525).Note: Dynamic memory mode for virtual servers is not supported. ADX must be installed in a static-memoryenvironment or SQL Server may not function correctly.• Hard Disk Configuration: Make sure that the hard disk space is fully allocated, and do not configure the virtualenvironment to allow for disk drive expansion.• Other Applications: Make sure that no other applications are adversely affecting the computer that is runningthe virtual environment. Metasys system performance degrades very quickly if other applications are contendingfor host operating system resources.• Dedicated Processor: Dedicate the virtual environment to a single processor. Do not share the processor withother virtual environments.• Reduced Cost Benefit: Do not allow reduced hardware and software costs be the sole reason for deploying avirtual environment.If you deploy Metasys applications in a virtual environment, Johnson Controls supports any Metasys product issue,but issues that are identified with the virtual environment are not supported. For Metasys product support, contactyour local authorized Johnson Controls provider.Monitoring and Managing (SNMP)SNMP provides IP standard SNMP functionality in the Metasys system, enabling network administrators to manageMetasys network performance, find and resolve issues related to the Metasys network, and plan for future growthof the Metasys system. SNMP uses standard SNMP Versions 1, 2C, and 3 (which excludes SNMP encryption andauthentication support). The Metasys system allows delivery of unsecured SNMP traps for Metasys alarm eventsvia a Network Management System (NMS).A custom Metasys system specific management information base (MIB) is available and allows the NMS to monitorMetasys point objects, display attributes, and control sequence objects. The MIB also defines explicit traps andassociated attributes that align with Metasys alarm messages, making data correlation (parsing/sorting) at the NMSstraightforward. Traps from the Metasys system are not encrypted.The NMS operator can perform Gets and Get Nexts (SNMP Walks) against engines via an NMS. Gets allow you toview object data but do not allow you to write to objects. To use Gets, you must query the specific engine (NAE55,for example) on which the object appears. Site Directors do not forward Get requests to other devices on the siteand you cannot perform Gets on ADSs/ADXs. Metasys system objects are specified as a string index in a table, sothe NMS must have the capability to specify an index as a string or the NMS operator must encode the Object IDusing the decimal equivalents.The Johnson Controls® MIB is included on the product media. SNMP is offered on all supervisory devices (engineand ADS/ADX).For information on configuring SNMP traps, turning off SNMP or Gets capability, and other alarm information, referto the Alarm and Event Management section of the Metasys system Help (LIT-1201793). For information aboutSNMP implementation in the Metasys system, see Appendix: SNMP Agent Protocol Implementation.Time Management (Simple Network Time Protocol [SNTP])There are three methods for network time synchronization available in the Metasys system, including MicrosoftWindows SNTP time synchronization, Multicast, and BACnet time synchronization.Network and IT Guidance for the BAS Professional Technical Bulletin19

You can use the Multicast and Microsoft Windows methods when an SNTP master time server is available. If theSite Director has no access to SNTP time servers, you can use the BACnet synchronization method.Note: The Multicast time synchronization is preferred over the Windows time synchronization.Typically in the Metasys system, only the Site Director synchronizes its time with an SNTP time server. The otherdevices on the Metasys network synchronize with the Site Director. As a secondary method of time synchronization,configure the Metasys system to have all devices synchronize time with the Site Director as an SNTP Time Server.If critical changes occur to time zones or time change protocols, Johnson Controls issues patches to update theMetasys system. For more details on time management, refer to the Time Zone, Date, and Time ManagementAppendix found in the NAE Commissioning Guide (LIT-1201519), LCS85 Commissioning Guide (LIT-12011568),and the ADS/ADX Commissioning Guide (LIT-1201645).E-mail (SMTP)All e-mail capable devices in the Metasys system use only to communicate with the mail server. The Metasys systemcan be configured to use SMTP for notification of system events and alarms.For information about using e-mail as a notification method for alarms, refer to the NAE Commissioning Guide(LIT-1201519) or LCS85 Commissioning Guide (LIT-12011568).Note: If Symantec® Enterprise Protection Version 12 is installed on an ADS/ADX client machine with the POP3/SMTPScanner option selected, the SMTP functions and e-mail alerts for the ADS/ADX software are disabled withoutnotification. Do not select the POP3/SMTP Scanner option during Symantec Enterprise Protection installationin order to use the SMTP and e-mail alert features in the ADX application.Encrypted EmailMetasys software features an email encryption capability that encrypts your user name and password as they areentered into the SMP UI. This feature allows embedded and server machines to send email to email servers overa secure channel (secure socket layer [SSL]). The entire email payload is encrypted, and allows Metasys softwareto communicate to email servers that require SSL connections.Email encryption can be configured with no authentication required, SMTP authentication, and POP-Before-SMTPauthentication.Communication to Pager, E-mail, Printer, or SNMP DestinationThe Metasys system guarantees delivery of events from engines to an ADS/ADX, but this delivery guarantee doesnot extend to the Destination Delivery Agent (DDA) destinations: pagers, e-mail accounts, printers, or SNMPdestinations.See the following:• Pagers: (Telocator Alphanumeric Protocol) - Delivery guaranteed to the service provider. The service providerdelivers to the final pager account as time permits.• E-mail: (Simple Mail Transfer Protocol) - Delivery to the service provider is guaranteed. The service providerdelivers to the final e-mail account as time permits. The delivery may not be made for a number of reasons,including recipient mail server spam rules, or the service provider’s inability to communicate to the recipient mailserver.• Printers: Information sent to a printer may not be delivered in a timely manner for a number of reasons, includingprinter offline or out-of-paper conditions.• SNMP: This delivery system uses User Datagram Protocol (UDP), which does not guarantee delivery.Given the non-deterministic status of delivery, we recommended that physical fail-over measures be implementedas the primary safety control for critical activities.Location of a Site Director in a Demilitarized Zone (DMZ) or on the InternetImportant: Do not place the Site Director and any Metasys components in the DMZ or on the Internet. If offsiteaccess is necessary, use a VPN. Access to any component of Metasys should be strictly controlled.Network and IT Guidance for the BAS Professional Technical Bulletin20

The Site Director provides access to all the devices on the site using only one public IP address (the address of theSite Director). Only the Site Director requires access through the firewall to the Internet. All other devices on the siteare exposed through the Site Director. See Figure 2 for an example of a DMZ.Communication between a Metasys client computer on the Internet (web browser in Figure 2) and the Site Directorwithin a DMZ uses HTTP only. Metasys software requires that only TCP Port 80 be opened at the firewall.If you are using NAT to communicate between a browser and the Metasys site over the Internet, all Metasys systemdevices exposed to the Internet (normally only the Site Director) must have static internal and external IP addresses.Dynamic NAT is not a supported Metasys system configuration. If you are using DHCP to assign addresses todevices that communicate across networks that use NAT, your DHCP server should be configured to always allocatethe same IP address to each Metasys system device. This is done in the DHCP server by assigning IP addressesto the MAC addresses of the Metasys system devices. This configuration makes these devices behave as if theyhave static IP addresses, although they have DHCP addresses. This behavior sometimes is called DynamicallyAssigned, Statically allocated addresses from a DHCP server.Note: Supervisory devices in a Metasys system site (the Site Director and its child devices) cannot be separatedby NATs. All devices on a site must be addressable via local IP addresses; however, if a site is forwardinghistorical data (such as alarms, events, and trends) to an ADS/ADX repository that is not part of the site,NATs can be used if the ADS/ADX repository is assigned static internal and external IP addresses.If the Active Directory service is implemented for Metasys system use, all involved devices (ADS/ADX, SCT computer,and Site Management Portal UI clients) must be directly addressable on the LAN. The client cannot make a directconnection to the Site Director over the Internet. For example, if the user is connected remotely to the Site Director,a VPN or extranet connection must be used. This is a restriction of the Active Directory service and is not unique tothe Metasys system implementation of the service. The existing customer infrastructure determines VPN and extranetconnectivity; the Metasys system implementation of the Active Directory service does not require a particularconnectivity method.At Release 6.0 or later, Remote Desktop for engines is only available through the NxE Information and ConfigurationTool (NCT). If you intend to apply upgrades or patches over the Internet instead of locally at the site, you must openadditional ports to the Internet.Figure 2: Site Director in a DMZ ExampleNetwork and IT Guidance for the BAS Professional Technical Bulletin21

Because the Remote Desktop port (TCP port 3389) is susceptible to network attacks, IT does not readily open theport. Opening this port is not recommended because it goes against IT security best practice. Be prepared to explainto the IT department why contacting the devices via this open port is the best option.Remote Access to the Metasys System Using a VPNThe simplest method of remotely accessing the Metasys system is to use an existing VPN infrastructure. If an existingVPN infrastructure is present on the site already, the risks and security concerns have been established andaddressed. Using a VPN, the Metasys system features are the same as if remote users are on the company intranet.Note: Johnson Controls does not supply VPN infrastructure.Note: The Metasys system does not support Secure Socket Layer (SSL) VPN.Figure 3: Metasys System Internet Communication via VPNMetasys System ArchitectureFigure 4 shows one example of the many ways you can design the Metasys system architecture.Note: Restrictions apply to the engines supported with an ADS-Lite Site Director. Refer to the Metasys SystemExtended Architecture Overview Technical Bulletin (LIT-1201527).Network and IT Guidance for the BAS Professional Technical Bulletin22

Figure 4: Metasys System ArchitectureProtocols, Ports, and Connectivity for the Metasys SystemProtocols and Ports TablesNote: Bluetooth technology is used by the Metasys system only as an option to commission a select number ofdevices. Bluetooth technology is not used for system communication in any way after initial commissioning.Table 5 and Table 6 describe the various IP protocols and how they relate to the Metasys system. See Connectivityand Protocol Diagrams for information on how protocols are used in various network layouts.Table 5: Ethernet Protocols and PortsProtocolUses Port 1 NumberMetasys DeviceDescriptionDHCPUDP6768EngineADS/ADXComputer (WebBrowser)Active Directory ClientAssigns and keeps track of dynamicIP addresses and other networkconfiguration parameters.Alternate Method: Use static IPaddresses.Trivial File TransferProtocol (TFTP)UDP69EngineDownloads new images to NAEs.DNSUDP53EngineADS/ADXTranslates domain names into IPaddresses.Computer (WebBrowser)Active Directory ClientNetwork and IT Guidance for the BAS Professional Technical Bulletin23

Table 5: Ethernet Protocols and PortsProtocolUses Port 1 NumberMetasys DeviceDescriptionHTTPTCP80EngineADS/ADXComputer (WebBrowser)Provides communication betweenpeer controllers, computers, and otherInternet systems using Simple ObjectAccess Protocol (SOAP) over HTTP.The ADS/ADX requires that only Port80 be open to receive communicationfrom client devices.Note:TCP Port Forwarding issupported on Port 80 only.Post Office Protocol 3(POP3)UDP and TCP110995Computer (WebBrowser)Usually, POP receives and holdse-mail for downloading from yourInternet server. POP3 is allowed in theMetasys system only forauthentication from a Simple NetworkManagement Protocol (SNMP) server.Note:Firewall rules are notnecessary to allow access inmost cases because thisserver should be behind thefirewall.SMTPUDP25EngineE-mails alarms.ADS/ADXN30SNMPUDP161465EngineADS/ADXProvides network monitoring andmaintenance.M-Series WorkstationEthernet IPSNMP TrapUDP162EngineADS/ADXM-Series Workstation(M-Alarm messages)Typically notifies IT departmentpersonnel of alarms that are of interestto them such as data centerenvironmental conditions. The sitemust use a network managementsystem capable of receiving SNMPTraps.Alternate Method: Use pager ore-mail destinations for remote alarmnotification instead of SNMP.Simple Network TimeProtocol (SNTP)UDPTCP12380EngineADS/ADXComputer (WebBrowser)Used to synchronize computer clocksover a network between a server andits clients. SNTP is not required for allsystems.Metasys System Client(Client not on anyDomain)Network and IT Guidance for the BAS Professional Technical Bulletin24

Table 5: Ethernet Protocols and PortsProtocolUses Port 1 NumberMetasys DeviceDescriptionN1 ProtocolUDP11001 2NIENCMProvides N1 message transmission(proprietary packet encoded in UDP).If you are connecting to multiple N1networks, the port is unique for eachN1 network. Network Control Module(NCM) automatically configurethemselves to use Port 11001. Startnumbering other networks in theMultinetwork configuration with 11003and continue sequentially. Do not usea UDP Port Address (UDPPA) of11002. The value 11002 is used bythe Metasys Ethernet Router andshould be avoided even if MetasysEthernet Routers are not in thesystem. The recommendedaddressing for five N1s is 11001,11003, 11004, 11005, 11006.BACnet/IP ProtocolUDP47808NAE/NCEN30TEC20-3c-2Refer to the BACnet ControllerIntegration with NAE/NCE TechnicalBulletin (LIT-1201531). If you areconnecting to multiple BACnetnetworks, the port is unique for eachBACnet network. The default portnumber is 47808. Choose additionalUDP ports that do not conflict with aport that is in use.Microsoft SQL ServerDatabaseTCP1433ADXMetasys ADX SplitDatabase Server(Member of Domain X)Used between the web/applicationserver and Database servercomputers when the ADX is splitacross two devices.Remote DesktopProtocol (RDP)TCP3389NAE55/NIEUsed to log on to the operating systemof a device from a remote computer.KerberosTCPUDP88Metasys System Client(Member of anyDomain)Metasys SCT (Memberof Domain X)Metasys ADS/ADX(Member of Domain X)Metasys ADX SplitWeb/Application Server(Member of Domain X)Kerberos is authentication protocolused by the Metasys system for ActiveDirectory service authentication at theMetasys system logon screen, andService Account authentication priorto LDAP queries.Kerberos is a standard networkauthentication protocol designed toprovide strong authentication forclient/server applications by usingsecret-key cryptography. Kerberos isthe primary security protocol forauthentication within an ActiveDirectory service Domain. Kerberosauthentication relies on clientfunctionality built into the Windowsoperating systems supported byMetasys software.Network and IT Guidance for the BAS Professional Technical Bulletin25

Table 5: Ethernet Protocols and PortsProtocolUses Port 1 NumberMetasys DeviceDescriptionNT LAN ManagerVersion 2 (NTLMv2)TCP445Metasys System Client(Member of anyDomain)NTLMv2 is the protocol used duringMetasys system SSO (login free)authentication.Metasys SCT (Memberof Domain X)Metasys ADS/ADX(Member of Domain X)Metasys ADX SplitWeb/Application Server(Member of Domain X)NTLMv2 is a network authenticationprotocol developed by Microsoft andthe secondary security protocol forauthentication within an ActiveDirectory service domain. If a domainclient or domain server cannot useKerberos authentication, then NTLMauthentication is used.Secure Sockets Layer(SSL)TCP443Metasys AdvancedReporting ADXReady Access PortalRequired if you use SSL with yourreporting ADX. See Implementing SSLSecurity for the Metasys AdvancedReporting System.LDAPTCP389Metasys System Client(Member of anyDomain) 3LDAP is used by the Metasys systemto access user objects and attributeswithin Active Directory service.Metasys SCT (Memberof Domain X)Metasys ADS/ADX(Member of Domain X)Metasys ADX SplitWeb/Application Server(Member of Domain X)LDAP is a standard communicationprotocol for directories located onTCP/IP networks. LDAP defines howa directory client can access adirectory server and how the client canperform directory operations andshare directory data.NTPTCP123Metasys System Client(Member of anyDomain)Metasys SCT (Memberof Domain X)Metasys ADS/ADX(Member of Domain X)Time synchronization across anetwork between Windows 8,Windows 7, or Windows XP clientcomputers and Windows Server 2012,Windows Server 2008 R2 SP1, orWindows Server 2008 SP2 servercomputers.Metasys ADX SplitWeb/Application Server(Member of Domain X)Remote Procedure Call(RPC)TCP1351025Metasys System Client(Member of anyDomain)Metasys SCT (Memberof Domain X)Metasys ADS/ADX(Member of Domain X)Metasys ADX SplitWeb/Application Server(Member of Domain X)Used by IIS on the ADS/ADX/SCTduring the process of authenticationduring SSO (Windows IntegratedAuthentication). If SSO is disabled inthe Metasys system, this port andprotocol are not used by Metasys;however, if the ADS/ADX/SCT and/orMetasys client is a member of anActive Directory service domain, thisport and protocol are used for ActiveDirectory service functionality.1 Generally recorded by the Internet Assigned Numbers Authority (IANA).2 This port number is registered to Johnson Controls, Inc.3 LDAP is used by the Metasys system client only if an Windows Active Directory service search tool is used (for example,Start -> Search -> For People).Network and IT Guidance for the BAS Professional Technical Bulletin26

Table 6: Wireless Ports and ProtocolsProtocolUsesWirelessProtocolPort 1NumberMetasys DeviceDescriptionWirelessMany-to-OneSensing 2UDP802.15.44050 3WRS-RTNRecommended UDP port numberused for wireless supervisorintegration.Wireless ZigBeeUDP802.15.447808TEC20-3CCoordinatorRecommended UDP port numberused for wireless supervisorintegration.HTTPTCP802.11b/802.11g80Computer (WebBrowser)TCP Port Forwarding is supportedon Port 80 only.1 Generally recorded by the IANA.2 Proprietary protocol.3 If this port is in use, it can be reconfigured to another port.Connectivity and Protocol DiagramsFigure 5 through Figure 11 are example diagrams of the various types of connectivity and protocols for the Metasyssystem. Not all protocols are used in all Metasys system configurations.The configuration and network topology of the specific Metasys system installation must be considered when openingfirewall ports for communication. For example, considering Figure 5 and Table 5, if the ADS is not acting as a timeserver, then the SNTP protocol between 3 and 2 is not used. Similarly, if Metasys system alarms and events arenot being monitored by IT tools, then the SNMP Trap protocol between 2 and 4, and 3 and 4 is not used.Note: Restrictions apply to the engines supported with an ADS-Lite Site Director. Refer to the Metasys SystemExtended Architecture Overview Technical Bulletin (LIT-1201527) to discover which engines are supportedfor systems using the ADS-Lite as Site Director.Figure 5 is an example of the connectivity and protocols for a Metasys system using multiple engines and an ADS.Network and IT Guidance for the BAS Professional Technical Bulletin27

Figure 5: Metasys System with Multiple Engines and an ADSNote: Figure 5 does not show the interaction between the NCM and NIE using the N1 protocol. See Figure 8.Figure 6 is an example of the connectivity and additional protocols used in a Metasys system that uses ActiveDirectory service. Table 7 describes the protocols used in Figure 6, and Figure 5 and Table 5 describe the baseprotocols used by the Metasys system.Network and IT Guidance for the BAS Professional Technical Bulletin28

Figure 6: Metasys System with Active Directory ServiceNote: Figure 6 does not show the interaction between the NCM and NIE using the N1 protocol. See Figure 8.Table 7: Metasys System with Active Directory ServiceInteraction between Callouts Protocol113, 4, 5, 6, 78, 9, 10No new protocols. See Figure 5 and Table 5. 1NTLMv2 3 existing protocols already defined forMetasys system; no new protocols. See Figure5 and Table 5. 1Communication DirectionUnidirectional 2Unidirectional 21 4,5 12, 13, 14, 15 Kerberos or NTLMv2 3 , DNS, LDAP, NTP, RPC Unidirectional 223, 4, 5, 6, 7 No new protocols. See Figure 5 and Table 5. 1 Unidirectional 2Network and IT Guidance for the BAS Professional Technical Bulletin29

Table 7: Metasys System with Active Directory ServiceInteraction between Callouts ProtocolCommunication Direction28, 9, 10No new protocols. See Figure 5 and Table 5. 1Unidirectional 28, 9, 10 4,6,7,812, 13, 14, 15Kerberos or NTLMv2 3 , LDAP, NTP, RPCUnidirectional 21 Metasys system client in Figure 6 is equivalent to web browser in Figure 5.2 In Unidirectional communication, only the originating device initiates requests (assuming synchronous response is allowed tothe request).3 NLTMv2 is the default and preferred version of the NTLM protocol.4 DNS, NTP, Kerberos, NTLM, LDAP, and RPC are protocols required as a result of the device becoming a member of an ActiveDirectory service domain. These are standard Active Directory service protocols.5 The LDAP protocol may be used between the Metasys system client and domain controller when the client is using ActiveDirectory service tools provided by the operating system and the particular domain controller is responding to the LDAP query.6 The Kerberos protocol is used between a Metasys Site Director and/or SCT and the Active Directory service domain controllerwhen the Site Director is authenticating against the Active Directory service domain. For domain authentication, any domaincontroller within the domain may respond.7 The LDAP protocol is used between a Metasys Site Director and/or SCT and Active Directory service domain controller whenthe Site Director is querying the directory for object information.8 RPC is used by IIS on the ADS/ADX/SCT during the process of authentication during SSO (Windows Integrated Authentication).If SSO is disabled in the Metasys system, this port and protocol are not used by Metasys; however, if the ADS/ADX/SCT and/orMetasys system client is a member of an Active Directory service domain, this port and protocol are used for Active Directoryservice functionality.Figure 7 is an example of the connectivity and protocols for a Metasys system using the M3 Workstation and N30controllers. See Figure 5 with Table 5, and Figure 6 with Table 7, for the full set of protocols used by the engine,ADS/ADX, and Site Management Portal UI.Figure 7: Metasys System with N30 Controllers Using BACnet ProtocolSee Table 8 for details on the callout numbers in Figure 7.Table 8: Metasys System with N30 Controllers Using BACnet ProtocolInteraction between CalloutsProtocolCommunication Direction12BACnet 1Bidirectional 213BACnet 1Bidirectional 2Network and IT Guidance for the BAS Professional Technical Bulletin30

Table 8: Metasys System with N30 Controllers Using BACnet ProtocolInteraction between CalloutsProtocolCommunication Direction14BACnet 1Bidirectional 215POP3, SMTP, SNMP, SNMP TrapUnidirectional 123BACnet 1Bidirectional 234BACnet 1Bidirectional 222BACnetBidirectional25DHCPUnidirectional1 When using BACnet protocol with N30s, you must specify UDP Port 47808 as being used. For multiple BACnet networks, usea different port number for each network.2 In Bidirectional communications, both devices initiate requests.3 In Unidirectional communication, only the originating device initiates requests (assuming synchronous response is allowed tothe request).Figure 8 is an example of the connectivity and protocols used in a Metasys system using the operator workstation(OWS) or M5 Workstation and NCMs. See Figure 5 with Table 5, and Figure 6 with Table 7, for the full set of protocolsused by the engine, ADS/ADX, and Site Management Portal UI.Figure 8: Metasys System with NCMsSee Table 9 for information on the number callouts in Figure 8.Table 9: Metasys System with NCMsInteraction between CalloutsProtocolCommunication Direction12N1 1Bidirectional 213SNMP, SNMP TrapUnidirectional 1Network and IT Guidance for the BAS Professional Technical Bulletin31

Table 9: Metasys System with NCMsInteraction between CalloutsProtocolCommunication Direction22N1Bidirectional24 4N1Bidirectional1 When using UDP protocol with NCMs, you must specify Port 11001 as being used. For multiple N1 networks, you must use adifferent port number for each network.2 In Bidirectional communications, both devices initiate requests.3 In Unidirectional communication, only the originating device initiates requests (assuming synchronous response is allowed tothe request).4 You can configure multiple N1 networks on the NIE. Refer to the N1 Migration with NIE Technical Bulletin (LIT-1201535) fordetails.Figure 9 is an example of the connectivity and protocols used in a Metasys network using the Many-to-One WirelessRoom Temperature Sensing Application.Figure 9: Metasys System with Many-to-One Wireless Room Temperature Sensing ApplicationSee Table 10 for information on the number callouts in Figure 9.Table 10: Metasys System with Many-to-One Wireless Room Temperature Sensing ApplicationInteraction between CalloutsProtocolCommunication Direction12Tunneling over EthernetBidirectional23Wireless Many-to-One Sensing (802.15.4) 1Bidirectional (2.4 GHzChannelized, 2.4 GHz DSSSWireless Protocol)42HTTPUnidirectional 11 Port 4050 is recommended for the WRS-RTN Receiver.2 In Unidirectional communication, only the originating device initiates requests (assuming synchronous response is allowed tothe request).The WRS Series sensors and WRS receivers operate on the 2.4 GHz Industrial, Science, Medical (ISM) band anduse multi-frequency direct sequence spread spectrum (DSSS) technology. The receiver meets the Institute ofElectrical and Electronic Engineers, Inc. (IEEE) 802.15.4 standard for low power, low duty-cycle wireless transmittingsystems.Network and IT Guidance for the BAS Professional Technical Bulletin32

The 802.15.4 standard radio is used for employing control networks within a building. This technology uses 16different channels, allowing 802.15.4 devices, such as the WRS Series systems, to coexist with 802.11 devices.The Many-to-One system uses multi-frequency, redundant data transmissions. The sensor transmits a rapid sequenceof high-speed (2 millisecond) redundant data bursts to an associated receiver approximately every 60 seconds. Thesensor transmits up to five redundant data bursts in rapid sequence, and each burst is transmitted on a differentZigBee frequency. When a single data burst is successfully received and acknowledged (or if all five redundant databursts fail), the sensor goes dormant for approximately 60 seconds and then repeats the rapid transmission burstsequence.Multi-frequency, redundant data-transmission sequences greatly enhance the success of the wireless sensing systemdata transmissions. Transmitting short, high-speed data bursts at 60-second intervals also reduces wireless datatransmission collisions and interference with other WiFi transmissions. The DSSS technology virtually eliminatesaccidental and unauthorized wireless interference.Figure 10 is an example of a Metasys network using the TEC Series Wireless Thermostat Controller system.Figure 10: Metasys Network with TEC Series Wireless Thermostat Controller System (BACnet IP and BACnetMS/TP Versions Shown)Note: A system can use either a TEC20-3C-2 Coordinator (BACnet IP) or a TEC20-6C-2 coordinator (BACnetMaster-Slave/Token-Passing [MS/TP]), but cannot use both BACnet IP and BACnet MS/TP versions.Table 11: Metasys Network with TEC Series Wireless Thermostat Controller SystemInteraction between CalloutsProtocolCommunication Direction12BACnet IP 1Bidirectional14HTTPUnidirectional 123ZigBee Wireless Network (802.15.4)Bidirectional (2.4 GHzChannelized, 2.4 GHz DSSSWireless Protocol)42HTTPUnidirectionalNetwork and IT Guidance for the BAS Professional Technical Bulletin33

Table 11: Metasys Network with TEC Series Wireless Thermostat Controller SystemInteraction between CalloutsProtocolCommunication Direction15BACnet MS/TPBidirectional53ZigBee Wireless Network (802.15.4)Bidirectional (2.4 GHzChannelized, 2.4 GHz DSSSWireless Protocol)1 When using BACnet protocol with TEC20-3C-2s, you must specify UDP Port 47808 as being used. For multiple BACnetnetworks, use a different port number for each network.2 In Unidirectional communication, only the originating device initiates requests (assuming synchronous response is allowed tothe request).The TEC Wireless Thermostat Controller System provides a wireless interface between anNAE25/NAE35/NAE45/NAE55/NCE and the TEC Wireless Thermostat Controllers, allowing the exchange of BACnetIP (TEC20-3C) or BACnet MS/TP (TEC20-6C) messages for the purpose of wireless monitoring and temperaturecontrol of building HVAC equipment.The system consists of at least one TEC20-3C-2 Coordinator and multiple TEC Wireless Thermostat Controllers.The system uses DSSS wireless technology and operates on the 2.4 GHz ISM band. The system meets the IEEE802.15.4 standard for low power, low duty-cycle wireless transmitting systems and are compatible with wirelessmesh networks compliant with the ZigBee standard. The TEC Thermostat Controllers use a transmission power of10 dBm.For general information on the TEC Series Wireless system, refer to the TEC Series Wireless Thermostat ControllerSystem Technical Bulletin (LIT-12011414).Figure 11 is an example of a Metasys network using the ZFR1800 Series Wireless Field Bus system.Network and IT Guidance for the BAS Professional Technical Bulletin34

Figure 11: Metasys Network with ZFR1800 Series Wireless Field Bus SystemSee Table 12 for details on the number callouts in Figure 11.Table 12: Metasys Network with ZFR1800 Series Wireless SystemInteraction between CalloutsProtocolCommunication Direction14HTTPUnidirectional 112BACnet MS/TPBidirectionalNetwork and IT Guidance for the BAS Professional Technical Bulletin35

Table 12: Metasys Network with ZFR1800 Series Wireless SystemInteraction between CalloutsProtocolCommunication Direction23ZigBee Wireless Network (802.15.4)Bidirectional (2.4 GHzChannelized, 2.4 GHz DSSSWireless Protocol)35ZigBee Wireless Network (802.15.4)Bidirectional (2.4 GHzChannelized, 2.4 GHz DSSSWireless Protocol)1 In Unidirectional communication, only the originating device initiates requests (assuming synchronous response is allowed tothe request).The ZFR1800 Series Wireless Field Bus System provides a wireless platform for Metasys field controllers usingJohnson Controls Metasys BACnet protocol. The system consists of at least one ZFR1810 Wireless Field BusCoordinator, connected to an NAE25/NAE35/NAE45/NAE55 or NCE. It also has one or more ZFR1811 WirelessField Bus Routers, each connected to any Metasys BACnet Field Equipment Controller (FEC) 16, FEC26, or VMA16Series Controller. And lastly, multiple WRZ Series Wireless Room Temperature Sensors (WRZ-TTx) in the systemcommunicate with the routers.As with the TEC Wireless system, the ZFR1800 Wireless Field Bus system uses DSSS wireless technology andoperates on the 2.4 GHz ISM band. The system also meets the IEEE 802.15.4 standard for low power, low duty-cyclewireless transmitting systems and are compatible with wireless mesh networks compliant with the ZigBee standard.For more details on the ZFR1800 Series Wireless system, refer to the ZFR1800 Series Wireless Field Bus SystemTechnical Bulletin (LIT-12011295).ZigBee ChannelsA ZigBee network has 16 channels available for use. The TEC Series Wireless Thermostat Controller system andZFR1800 Series Wireless Field Bus system use only channels 15, 20, and 25. These channels were selectedbecause they do not overlap with channels used on a WiFi network. Figure 12 is a diagram from the ZFR1800 SeriesWireless Field Bus System Technical Bulletin (LIT-12011295) illustrating that the ZigBee channels do not interferewith the Wi-Fi network.Network and IT Guidance for the BAS Professional Technical Bulletin36

Figure 12: Comparing Channel Spacing of the Systems Using ZigBee Technology Versus WiFi NetworksSpanning TreesImproperly configured spanning trees cause excessive Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol(RSTP), or Bridge Protocol Data Unit (BPDU) traffic, which causes Metasys engines to reset. Be sure all spanningtrees are properly configured.Field Bus ConsiderationsMetasys system devices that connect to Ethernet networks use various field buses to interface with the buildingcontrol system. Field buses provide direct connections between field devices and the supervisory device that controlsthem. Field devices/buses do not interact directly with the Ethernet network, but the supervisory devices do interactwith the Ethernet network. Possible field buses include the LONWORKS network, Master-Slave/Token-Passing (MS/TP)bus, and N2 Bus. For information on the buses supported by specific Metasys system devices, refer to the productliterature for each device.Pre-boot Execution Environment (PXE)Engines (excluding the NxE85 and LCS85) implement a PXE client. If your network uses a Pre-boot ExecutionEnvironment (PXE) server, exclude the MAC address for these devices from the PXE server. If you do not excludethe MAC addresses, these devices may not start up properly.Network Reliability RequirementCommunication between the ADS/ADX and engines requires a robust and reliable network. If communicationthroughput is not sufficient or is unreliable, false online and offline alarms from supervisory controllers may occur.In most cases, the controllers report online almost immediately, which is an indication that there is no problem withthe controllers. If they do not report online within a few seconds, or this behavior persists, contact the JohnsonControls technical support for assistance.Network and IT Guidance for the BAS Professional Technical Bulletin37

Metasys System Security ConsiderationsGeneral Security RecommendationsFor general recommendations based on the Best Practices for Enterprise Security document on Microsoft TechNet,follow this link:http://www.microsoft.com/technet/archive/security/bestprac/bpent/bpentsec.mspxMetasys Access SecurityDepartment of Defense BannerIf the custom United States Department of Defense (DoD) banner was enabled when the ADS/ADX was installed,a warning statement appears each time you access the Metasys Site Management Portal UI. The statement containsinformation important to any Metasys user accessing the building automation system at a Department of Defensefacility. You must click OK to indicate you consent to the stated conditions before reaching the login screen. Afteryou click OK, the standard Metasys system login screen appears. If your network uses Active Directory service withSingle Sign-On capability, the DoD banner still appears, but the Metasys login screen is bypassed, then the SiteManagement Portal appears.Figure 13: United States DOD Warning StatementThe DOD banner remains on the screen until either you click OK or you manually close the banner window. Thebanner does not close on its own.When the Metasys system login screen appears, you have up to 30 seconds to log in. If 30 seconds passes with nouser activity, the login screen closes and the DOD banner screen returns. The banner also reappears after you logoff from the Metasys system or the system logs you off because of user inactivity.Note: The DOD banner does not appear before logging in to the Metasys Advanced Reporting System, ReadyAccess Portal user interface, supervisory engine, SCT UI, or LONWORKS® Control Server (LCS85).Note: If you wish to remove the DoD banner requirement, uninstall the Metasys ADS/ADX, then reinstall MetasysADS/ADX with the DoD banner option box unchecked.UsersThe Metasys system has two types of users: local users and Active Directory service users. A local user is definedin the Security Administrator system and is authenticated and authorized against the Metasys Security database.An Active Directory service user is created and stored in an Active Directory service domain and is added as aMetasys system user with the Security Administrator System. This user is authenticated against an Active Directoryservice domain and authorized against the Metasys system.Network and IT Guidance for the BAS Professional Technical Bulletin38

Once logged in, the user is limited to actions that are permitted by the user’s assigned privileges. Refer to the SecurityAdministrator System Technical Bulletin (LIT-1201528) for specific details on Metasys system access security.Metasys System Local User Accounts and PasswordsThe user name and password are part of a Metasys local user account that controls which actions a user can performand which parts of the system a user can see, among other access controls. The data store for user accounts anduser privileges is a SQL Server database on computer/server platforms (ADS/ADX, NxE85, and LCS85) and anXML-based file on the supervisory controller platforms (NAE35/NAE45/NAE55/NIE55/NIE59/NCE25). Metasyssystem user account passwords are hashed (Secure Hash Algorithm [SHA] 1) before storing.Standard policy settings apply to a Metasys system local user account: password expiration/reset, session timeout,lockout after failed attempts, and password uniqueness. You also can set the times of day a user may access thesystem.Active Directory Service – User AccountsActions of an Active Directory service user within the Metasys system are controlled in the same manner as aMetasys local user, through assigned privileges. The data store for user privileges is a SQL Server database oncomputer/server platforms (ADS/ADX and SCT). For Active Directory service users, account policy settings – includingmaximum password age, account lockout, password uniqueness, password complexity – are controlled outside ofthe Metasys system by the Active Directory service domain server. These settings are shaded when displayed inthe Security Administrator System window. The Session Timeout attribute is one exception.Default Administrator AccountsThe MetasysSysAgent and BasicSysAgent accounts (both Metasys local accounts) are the default Administratoraccounts. These accounts cannot be renamed or deleted from the system. The MetasysSysAgent account retainsfull administrative rights, and these rights cannot be changed. The BasicSysAgent account retains a subset ofadministrative rights, in that Basic Access administrators can administer only user accounts that have been assignedthe Basic Access access type.Important: The first time you log in with the MetasysSysAgent account using the new default password, or theBasicSysAgent account with the original default password, the system prompts you to change thepassword immediately. This new behavior enhances the overall security of the Metasys system. Fordetails about the new default password, contact your local Johnson Controls representative.Metasys system local user name and password pairs are stored only in the system proprietary user store, with oneexception. For engines (excluding the NxE85 and LCS85), the MetasysSysAgent account is also mirrored in theoperating system as a Windows account with full administrative privileges. The password of the MetasysSysAgentoperating system account is controlled by the resetting of the MetasysSysAgent account through the Site ManagementPortal UI. Changing the account password in the Metasys system also changes the Windows operating systemaccount password in the supervisory controller.For the server-based NxE85 at Release 4.0 or later and the LCS85, the MetasysSysAgent account on the Windowsoperating system is not linked to the MetasysSysAgent account on the Site Management Portal UI. Changing theaccount password in the Metasys system does not change the Windows operating system account password. Thepasswords are independent.Note: The Windows operating system accounts and Metasys system local accounts never have been linked on theADS/ADX.For information on NAE35/NAE45/NAE55/NIE55/NIE59/NCE25 operating system security, see Security on Non-ServerBased Engines.Complex PasswordsComplex password requirements for Metasys local accounts are enabled by default when you install an ADX withMetasys for Validated Environments (MVE) Extended Architecture. For other ADSs/ADXs and supervisory engines,the complex password requirement is not enabled. For details on complex passwords, refer to the SecurityAdministrator System Technical Bulletin (LIT-1201528).Network and IT Guidance for the BAS Professional Technical Bulletin39

To define a complex password for an ADX with MVE, or any ADS/ADX or supervisory engine, you need to:• create a password with at least six characters• use at least three of the following character types:- uppercase letter (A-Z)- lowercase letter (a-z)- number (0-9)- symbol (for example: # %)- non-alphanumeric or non-symbol character (example: 0244)• avoid using three consecutive characters from the user name. Using three consecutive characters from the username is not allowed. For example, if the user name is Fred, the password cannot contain Fre or red.You can enable or disable the complex password requirements using the procedure in this section.To enable or disable complex passwords:1. Log out of the Metasys system Site Management Portal UI.2. Using Windows Explorer, browse to C:\Inetpub\wwwroot\MetasysIII\UI\com\jci\framework.3. Using a text editor, open frameworkproperties.properties.4. Go to the bottom of the file and enter the following new requireComplexPasswords setting on its own line:requireComplexPasswords=trueSpecify true to enable complex passwords or false to disable complex passwords.5. Save the file.6. Restart the ADS/ADX computer to allow the Site Management Portal to initialize the complex passwordrequirement.7. Log on to the Metasys system using your existing password.8. Change the passwords so they meet the complexity requirements, referring to the Security Administrator SystemTechnical Bulletin (LIT-1201528) for assistance.AuditingThe Metasys system offers user action auditing within the system. In other words, the software can trace each actionback to the logged-on user who performed the action, and list that information in the Audit Viewer. For Active Directoryservice users, the name recorded is the fully qualified user name (for example, myuser@division.company.com).Audits are written to a proprietary data store of the Metasys system, which is a SQL Server database oncomputer/server platforms (ADS/ADX, NxE85, and LCS85) and an XML-based file on the other engine platforms(NAE35/NAE45/NAE55/NIE55/NIE59/NCE25). Audits may be viewed using the Audit Trail feature of the SiteManagement Portal UI.DeviceIntra-computer Metasys system local accounts are used to perform authentication and authorization among deviceswithin the Metasys system. An intra-computer account is a Metasys system site account, which means the accountresides in the same proprietary user store as the other Metasys users. But, the intra-computer account cannot beadministered and cannot be used to log on to the system through the Site Management Portal UI. The intra-computeraccount uses a generated password that is programmatically changed once a day. Active Directory service accountsare not used for intra-computer accounts.Secure Sockets Layer (SSL)The Metasys Advanced Reporting System and the Ready Access Portal UI are the two Metasys system offeringsthat support SSL. We recommend that you implement SSL security for improved protection of user passwords whenusing the Metasys Advanced Reporting System (including when you use the reporting system on ADXs with MVE).SSL security is required for the Ready Access Portal UI.The steps in these sections should be done before you install the Metasys Advanced Reporting System or ReadyAccess Portal software on your site.Network and IT Guidance for the BAS Professional Technical Bulletin40

Implementing SSL Security for the Metasys Advanced Reporting SystemTo implement SSL security for the Metasys Advanced Reporting System:1. Generate a certificate request and install the certificate.For more information on these steps, see the following address:http://technet.microsoft.com/en-us/library/cc771438(WS.10).aspx2. Configure the Metasys software to use HTTPS (SSL) and HTTP protocols on the computer where you plan toinstall the reporting system.a. In Control Panel:• In Windows Server 2012 or Windows Server 2008 R2 with SP1, select System and Security, thenAdministrative Tools. On Administrative Tools, double-click Internet Information Services (IIS) Manager.• In Windows Server 2008 SP2, select System and Maintenance, then Administrative Tools. OnAdministrative Tools, double-click Internet Information Services (IIS) Manager.b. In the tree in the left pane, browse to and expand Sites or Web Sites.c. In the right pane, right-click Default Web Site and select Edit Bindings. The Site Bindings box appears.Figure 14: Site Bindingsd. Click Edit. Verify that the SSL port field contains 443 (Figure 15).Note: Port 80 must be open on the ADX for communication from other system devices. Verify that the TCPport entry is 80.Figure 15: SSL Port Field: 443e. Click OK.f. Close the Internet Information Services (IIS) Manager window.g. Install the ADX software with Metasys Reporting. For details, refer to the ADS/ADX Installation section ofthe ADS, ADX, and SCT Installation and Upgrade Instructions (12011521).Network and IT Guidance for the BAS Professional Technical Bulletin41

h. Using Windows Explorer, browse to:C:\Inetpub\wwwroot\MetasysIII\UI\com\jci\frameworki. Using a text editor, open frameworkproperties.properties.j. Update the advancedReportingURL setting line to use https: instead of http: so it appears like the following:advancedReportingURL=https://SERVERNAME/MetasysReportsk. Save the file.l. Using Windows Explorer, browse to:C:\Inetpub\wwwroot\MetasysReportsm. Using a text editor, open services.config.n. Delete the comment tags from the file. Comment markers appear as (Figure 16).Note: Do not delete the text between the comment tags. Delete only the text circled in Figure 13. Deleteall three sets of comment tags that appear in the file.Figure 16: Comment Tagso. Save the file.p. Close all Windows Explorer windows.q. Do the following depending on your operating system:• In Windows Server 2012 or Windows Server 2008 R2 with SP1, on the Start menu, in the Run text box,type regedit.• In Windows Server 2008 SP2, on the Start menu, select All Programs > Accessories > Run. The Rundialog box appears. Type regedit.r. Click OK. The Registry Editor window appears.s. In the tree on the left, browse to HKEY_LOCAL_MACHINE > Software > Johnson Controls > Metasys >ADS.t. On the right side of the screen, double-click SSRSWebURL. The Edit String box appears.u. In the Value data field, add an s after http. The value should be: https://(ADx Server Name)/ReportServer(Figure 17).Network and IT Guidance for the BAS Professional Technical Bulletin42

Figure 17: Edit String Boxv. Click OK.w. Close the Registry Editor.3. Restart the computer.4. Log on to the Metasys Advanced Reporting System UI.The UI should open correctly and the URL in the browser window should have the https: prefix.Implementing SSL for Ready Access Portal UITo implement SSL security for the Ready Access Portal UI, follow the steps during installation of the software. Youcan add SSL for the logon only or for the entire Ready Access Portal UI. The options for SSL certificates include thefollowing:• Third-Party – Coordinate with the customer IT department before installing the Ready Access Portal software toconfigure IIS correctly.• Self-Signed – Follow the installation process that allows you to generate a self-signed certificate.Note: We do not recommend a self-signed certificate for networks exposed directly to the Internet (no firewall orVPN).You also must have Port 80 (TCP) and Port 443 (SSL) open on the computer where the Ready Access Portalsoftware is installed. To open Port 443 on the computer where you are going to install the Ready Access Portal:1. In Control Panel:• In Windows 7 in the search box, type administrative tools, and then click Administrative Tools.• In Windows XP, select Administrative Tools > IIS Manager.• In Windows 8, Windows Server 2012, or Windows Server 2008 R2 with SP1, select System and Security,then Administrative Tools. On Administrative Tools, double-click Internet Information Services (IIS) Manager.The IIS Manager window appears.• In Windows Server 2008 SP2, select System and Maintenance, then Administrative Tools. In AdministrativeTools, double-click Internet Information Services (IIS) Manager. The IIS Manager window appears.2. In the tree in the left side of the screen, browse to and expand Sites or Web Sites.3. On the right side of the screen, right-click Default Web Site and select Properties. The Default Web Site Propertiesbox appears.4. On the Web Site tab, verify that the SSL port field contains 443 (Figure 15).Note: Port 80 must be open on the ADX for communication from other system devices. Verify that the TCP portentry is 80.5. Click OK.6. Close the IIS Manager window.Network and IT Guidance for the BAS Professional Technical Bulletin43

Metasys for Validated Environments (MVE)MVE is an enhanced feature of the Metasys system that audits user management for critical environments to facilitateU.S. Food and Drug Administration (FDA) electronic records and signature requirements (Title 21 Code of FederalRegulation [CFR] Part 11). MVE is also compliant with other similar agencies around the world that deal with electronicrecords and electronic signature requirements, such as Annex 11 of the European Union Good ManufacturingPractice (EU GMP) regulations (European Medicines Agency [EMEA] 1998).MVE provides secure data management and reporting capabilities, traceable electronic records and signatures, andtime-stamped audit trails for facilities subject to Part 11 compliance. Any action or change initiated by the user on avalidated device, such as alarm acknowledgment or setpoint adjustment, requires user reauthentication and electronicsignature with required annotation.Additionally, complex passwords that are enabled by default and message encryption secure the system fromunauthorized access and data tampering. The system uses Internet protocols and IT standards, and is compatiblewith enterprise level communication networks.MVE can be used only on an ADX running Windows Server 2012, Windows Server 2008 R2 with SP1, or WindowsServer 2008 SP2 with supported versions of SQL Server 2012, SQL Server 2008 R2, or SQL Server 2008 software.Also, MVE supports access by Active Directory service users of the Metasys system from the standard login screen.SSO login-free access is not supported because SSO is disabled for MVE installed on an ADX.For more information, refer to the Metasys for Validated Environments, Extended Architecture Technical Bulletin(LIT-12011327).Network Message SecurityMetasys software offers secured authentication challenges at logon. These include:• RSA exchange (using 1025-bit key) of RC2 Session Key (64-bit key)• RC2 encrypted credentials (user name and password)After logon, the Metasys software authenticates each SOAP message at the receiving engine. Authentication isbased on RC2 encrypted credentials, which may be a session token or user name and password pair. Within eachencrypted SOAP message header, there is protection against message spoofing, message replay, and messagetampering.SQL Database SecuritySQL Server databases are secured using SQL Server authentication.SQL Server software accounts used by Metasys software can be end-user defined on the ADS/ADX platform. Addedsecurity is possible if you separate the Database Server function of the ADX from the web/application Server functionof the ADX. In this scenario, the Database Server portion of the ADX can reside in a different DMZ from theweb/spplication Server portion of the ADX.Security on Non-Server Based EnginesThe operating system of the NAE35/NAE45/NAE55/NIE55/NIE59/NCE25 is secured using an account in the controller'sembedded operating system. This account is the MetasysSysAgent account and is the only Windows account locatedon these devices. The account has administrative privileges and the password can be changed by logging in to thedevice directly with the Site Management Portal UI and resetting the password of the Metasys system userMetasysSysAgent. The MetasysSysAgent user is the only account that exists both in the proprietary user store ofMetasys user accounts and in the operating system.Many of the operating system features not required by Metasys software have been removed from the engines,rendering them less vulnerable to operating system attack.Security Updates ManagementA Johnson Controls engineering team regularly evaluates newly released Microsoft security updates ranked Criticalor Important for their effect on the Metasys system. The results of the update analysis can be obtained from JohnsonControls technical support.Network and IT Guidance for the BAS Professional Technical Bulletin44

For Metasys system engines, we send out applicable security updates through our support channels with instructionsfor applying them. For the computer-based components of the Metasys system (ADS/ADX, NxE85, and LCS85),you can apply Microsoft security updates as soon as they are released by the Microsoft Corporation.To ensure higher security for the Site Management Portal, a private JRE is required at Release 6.0 or later thatprovides isolation between Metasys software and the Internet. The public Java® Runtime Environment (JRE) thatwas required at earlier Metasys software releases is no longer necessary for Release 6.0 or later, but it still arequirement for any older release of Metasys software. A new application called the Launcher puts down the privateJRE required by Release 6.0 or later. You install it when you first browse to the Site Management Portal UI from aclient computer or when you newly install Metasys system software. Thereafter, you use the Launcher to accessthe Site Management Portal UI. Refer to the Launcher Installation Instructions (LIT-12011783) for instructions abouthow to install the Launcher application.Note: If you use any applications from a release prior to Release 6.0 or later, you must continue to use the publicJRE required for that particular software release.Software BombsMetasys software does not have a software time bomb to disable the system. However, the software does remindyou periodically if you do not license the product. Reminders appear as pop-up messages when you are using theSite Management Portal UI and as a special tab within the UI that appears until you license the product.Antivirus Software Considerations (ADS/ADX, NxE85, and LCS85 Only)Frequent virus scans of the ADS/ADX, NxE85, and LCS85 are necessary to maintain the integrity of your system.We support virus scans on computer-based and server platform-based Metasys system components only (ADS/ADX,NxE85, and LCS85). The NAE35/NAE45/NAE55/NIE55/NIE59/NCE25 and other Metasys system components notrunning on a computer do not support virus scans; however, many of the operating system features not required byMetasys software have been removed from the engines, rendering them less vulnerable to operating system attacks.We have tested the ADS/ADX, NxE85, and LCS85 successfully with the following antivirus software programs:• Symantec AntiVirus Corporate Edition 9.0 software or later (recommended for the NxE85 and LCS85)• McAfee® VirusScan® 2004 Version 8.0 software or laterNote: Turnkey versions of the NxE85 and LCS85 ship with Symantec AntiVirus Corporate Edition Version 11.ADS/ADX ConsiderationsADX-Specific FeaturesSee the Metasys for Validated Environments (MVE) and Metasys Advanced Reporting System UI sections forinformation on these two features that are available only on ADXs with specific components installed.ADX Split ConfigurationThe ADX software and its associated database software are often installed on one computer (unified ADX). However,the ADX also can be installed in a split configuration, which involves installing ADX-related software on two separatecomputers. The computer running SQL Server software is known as the Database server computer, and it storeshistorical Metasys system data. The ADX software itself and all required ADX prerequisites reside on a secondcomputer, known as the web/application server computer. Additionally, in a split configuration, the SCT must resideon a third computer. Users browse to the web/application server computer to see system data. The Database servercomputer cannot be used as a historical data repository by more than one web/application server computer.Figure 18: Split ADX in a NetworkNetwork and IT Guidance for the BAS Professional Technical Bulletin45

ADSADX Log FolderThe ADSADX Log folder in the Windows Event Viewer on the ADS/ADX contains information related to specificADS/ADX software failures or important events. The messages appear in English only.Note: In a split ADX, this folder is on the web/application server computer.The following events appear in the ADSADX Log folder:• The ADS/ADX software has a failure initializing any subsystem during startup.• The ADS/ADX software has a failure during runtime when it tries to write to the Microsoft SQL Server database.• The ADS/ADX or SCT software has a failure during runtime for interactions with Active Directory services. Forexample, an Active Directory service user was denied access to the ADS/ADX or SCT software, or an ActiveDirectory service user could not be added as an ADS/ADX or SCT user.• The ADSADX Log reports a message queue timeout has occurred. The message contains the textSystem.Messaging.Message.QueueException: Timeout for the requested operating has expired. Thisevent indicates that MSMQ encountered an exception while reading an empty message queue. The sporadicappearance of this error in the ADSADX Log is normal. Because the error only occurs when the message queueis empty, all Metasys system messages have been processed successfully. However, if this error occurs constantlyor continually over brief periods of time, there may be a problem with message queuing. Report this behavior toyour Johnson Controls support representative.The ADSADX Log folder defaults to Overwrite as Necessary. If you would like to save all events or have a certainEvent Log folder size, right-click the folder in the Windows Event Log and change this property.Note: A display problem exists when viewing the properties of the ADSADX Log in the Windows Event Viewer.Even though the folder defaults to Overwrite as Necessary when the folder is created during the first startupof the ADS/ADX, it appears in the Windows Event Viewer as Overwrite Events Older Than. The file isOverwrite as Necessary.Additional errors write to the Windows Event Viewer Application folder. Any event in this folder is a result of informationgenerated by or an error in the Metasys III Device Manager service (MIIIDM source).The Windows Event Viewer is located in the Control Panel > Administrative Tools > Event Viewer.Network and IT Guidance for the BAS Professional Technical Bulletin46

The Windows Internet Explorer Web BrowserAdvanced Security ConfigurationWhen an ADX is installed, Windows Internet Explorer Advanced Security Configuration is enabled by default. Youmust add any website you want to navigate to from the ADS/ADX Internet Explorer web browser to the list of trustedwebsites. This applies to all external websites.We strongly advise that you do not browse to the Metasys Site Management Portal UI from a computer running aserver class operating system. By default, Windows Internet Explorer Enhanced Security Configuration is enabledon server class operating systems and may block the Launcher download page from which you install the Launcherapplication for access to the Site Management Portal. Open the Site Management Portal UI from a computer thatis not running a server class operating system.SmartScreen FilterIf you are using a private network, we recommend you turn off the Internet Explorer SmartScreen Filter feature.Failure to do so does not prevent Metasys software from running, but may launch multiple UI windows unnecessarily.Anti-Spyware ConsiderationsAnti-spyware packages alert users when changes are made to their operating systems by unidentified applications,programs, or services and may also allow the users to control these changes to their operating systems. For example,changes may occur in Internet Explorer web browser settings, processes running, or dial-up connections.The anti-spyware software may also allow the user to designate which services can run on an ADS/ADX. TheMetasys Device Manager, Metasys Action Queue, and Metasys Report Cache Refresh may appear on the list ofservices as unknown/unreliable. In both of these cases, in the anti-spyware tool, the Publisher attribute of the processdoes not identify the process as a Johnson Controls process, nor does the term Metasys appear in the name. Bothof these services must be allowed to run on the ADS/ADX.Additionally, anti-spyware software may not allow the ADS/ADX software to write to the hosts file. Some anti-spywaresoftware warns the user changes are to be made and the user must accept or reject the changes. Other anti-spywarepackages do not allow the change to occur at all until the software is configured.For more information, refer to the ADS/ADX Commissioning Guide (LIT-1201645).Backup Considerations for the ADS/ADXIf a backup program changes attributes in certain ADS/ADX files, the ADS/ADX may shut down and then restart. Toavoid this scenario, we recommend that you always avoid backing up the following files and folders, and excludethem from any other programs that access these directories in the ADS/ADX:• C:\Inetpub\wwwroot\MetasysIII\GLOBAL.ASAX• C:\Inetpub\wwwroot\MetasysIII\WEB.CONFIG• C:\Inetpub\wwwroot\MetasysIII\BIN• C:\\Microsoft.NET\Framework\v1.1.4332\CONFIG• C:\\Microsoft.NET\Framework\v2.0.50727\CONFIG• C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config• C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG• C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config• C:\Inetpub\wwwroot\MetasysReports\bin (Metasys Advanced Reporting System only)• C:\Inetpub\wwwroot\MetasysReports\web.config (Metasys Advanced Reporting System only)Supported Operating System and SQL Server Software VersionsRefer to the literature for the Metasys products you are installing for a list of supported operating system and SQLServer software versions. For an overview of software supported by the Metasys system, refer to the PrerequisitesOverview for Supported Releases section of ADS, ADX, and SCT Installation and Upgrade Instructions WizardContent (LIT-12011331).Network and IT Guidance for the BAS Professional Technical Bulletin47

As new software and service packs become available, Johnson Controls tests them for use with Metasys software.We do not recommend installing software or a service pack on a computer running Metasys software unless it hasbeen tested and qualified.Internet Information Server (IIS) Anonymous Access Considerations (ADS/ADXand SCT)General InformationThe Default Web Site of IIS must allow anonymous access to successfully install the ADS/ADX or SCT software.After ADS/ADX or SCT installation is complete, you may disable anonymous access for the default website as asecurity measure. However, disabling anonymous access to the default website is only necessary if required bysome other third-party software application. See Enabling and Disabling Anonymous Access on the Default WebSite. At ADS/ADX and SCT runtime, it is not necessary for the default website of IIS to allow anonymous access;however, it is necessary to always allow anonymous access to the Metasys or SCT virtual website and MetasysIIIvirtual folder.For more information, refer to the ADS, ADX, and SCT Installation and Upgrade Instructions Wizard (LIT-12011521)or the ADS-Lite Installation and Upgrade Instructions Wizard (LIT-12011688).Enabling and Disabling Anonymous Access on the Default Web SiteEnable and disable anonymous access in the following order when installing and running the ADS/ADX or SCTsoftware:Note: These steps should only be followed if a user needs to disable anonymous access to the default web site fora third-party application requirement.1. Enable Anonymous Access on the default web site.2. Install the ADS/ADX or SCT software.3. Disable Anonymous Access on the default web site.4. Enable Anonymous Access for MetasysIII and SCT Virtual Directories and Metasys Web Site.The user who is assigned as the anonymous access user for the web site and/or the group that this user belongsto must have the following privileges:• access this computer from the network• allow logon locally• log on as a batch jobThe user who is assigned as the anonymous access user for the web site and/or the group that this user belongsto must not have the privilege deny access to this computer from the network.Before changing your customer’s IIS anonymous access settings, consult with your customer and/or your customer’sIT department to make sure the changes do not violate network security policies.For troubleshooting information about anonymous access and the ADS/ADX, refer to the ADS, ADX, and SCTInstallation and Upgrade Instructions Wizard (LIT-12011521).DatabasesMicrosoft SQL Database ConsiderationsAll versions of SQL Server software must be set up in Mixed Mode Authentication and configured to use both theTCP/IP port 1433 and Named Pipes protocols. When upgrading to a new version of SQL Server software, you mustpreserve this configuration because the upgrade process turns off the network protocols.Network and IT Guidance for the BAS Professional Technical Bulletin48

Consider the following general database recommendations:• The unified ADS/ADX is incompatible with server clusters. For a split ADX, the Database Server computer canbe part of a server cluster.• Run SQL Server databases in Simple Recovery mode to reduce the risk of system failure due to lack of diskspace. Simple recovery mode allows you to restore from the previous night’s backup only. For point-in-timerecovery, run the databases in Full Recovery mode and back up your transaction log at least every 24 hours.Failure to perform Transaction log backups at this interval eventually results in system failure due to lack ofavailable disk space.• Confirm that SQL Server database backups are being performed correctly and consistently to prevent datacorruption. Check periodically to make sure the backups are present and restorable. Create backups using theMetasys Database Manager or the tools listed in Database Management: SQL Server Tools. Each backup shouldbe saved in separate locations.• Check periodically to make sure your database indexes are healthy because fragmented indexes greatly reducedatabase performance. Rebuild indexes as necessary using tools available from the IT department or the MetasysDatabase Manager. See Database Management: Metasys Database Manager and Database Management: SQLServer Tools.• Do not use third-party backup programs to backup the Metasys databases. Instead, use the tools provided bySQL Server software or use the Metasys Database Manager.• During installation, the ADS/ADX software installation program requires a user account with administrator accessto SQL Server databases to create and manage the ADS/ADX databases and SQL Server user accounts usedduring runtime of the ADS/ADX. This may be either a SQL Server user account or a Windows operating systemuser account that has administrative rights in SQL Server databases. After the installation program creates theADS/ADX databases and SQL Server user accounts, the account with administrator access to SQL Server isno longer used. You may remove SQL Server database administrator rights from this user.• During runtime, the ADS/ADX software uses the SQL Server user accounts that were created by the ADS/ADXinstallation program. For information about managing the SQL Server user accounts used by the ADS/ADX(account rename and password changes), contact Johnson Controls technical support.The default location for the Metasys system databases is the following:• Windows 8, Windows 7, Windows Server 2012, Windows Server 2008 R2 with SP1, and Windows Server 2008SP2: C:\ProgramData\Johnson Controls\MetasysIII\SQLData• Windows XP: C:\Documents and Settings\All Users\Application Data\Johnson Controls\MetasysIII\SQLDataThe historical databases for the ADS/ADX are JCIEvents, JCIAuditTrails, JCIHistorianDB, JCIAnnotations, andJCIReporting. Non-historical databases for the ADS/ADX include MetasysIII, XMS, MetasysTranslationDictionary(Metasys Advanced Reporting System only), and MetasysReporting (Metasys Advanced Reporting System only).CCT creates the CCT_DB and FDB_Control databases. The NavTreeCache database and any current MetasysSCT archive databases (SCT archive database names are user configured) also may be present.For information on installing SQL Server software for use with a Metasys system, refer to the ADS, ADX, and SCTInstallation and Upgrade Instructions Wizard (LIT-12011521) or ADS-Lite Installation and Upgrade InstructionsWizard (LIT-12011688).Database Management: Metasys Database ManagerThe Metasys Database Manager allows you to purge, back up, restore, and monitor your Metasys system SQLServer databases. This tool is included on all ADSs/ADX media and is compatible with all versions of SQL Serversoftware supported by the installed release of Metasys software. Refer to the Metasys Database Manager Help(LIT-12011202) for more information.Database Management: SQL Server ToolsIn addition to or instead of the Metasys Database Manager, you can use the following Microsoft Corporation toolsto maintain your SQL Server databases:Network and IT Guidance for the BAS Professional Technical Bulletin49

Table 13: SQL Server Software Maintenance ToolsSQL Server Software Family Microsoft Corporation Database ToolIncluded with SQL ServerSoftware? 1SQL Server 2008 SoftwareSQL Server 2008 Express SoftwareSQL Server Management StudioMicrosoft SQL Server Management StudioExpress (SSMSE)YesNo 21 All tools are available on http://www.microsoft.com/downloads.2 Available with versions that include Management Tools or Advanced Services.For specific steps on how to back up and manage Metasys system databases using these tools, go tohttp://www.microsoft.com. You do not need to stop Metasys system services to perform a database backup.Historical Data StorageNAE35s/NAE45s/NAE55s/NIE55s/NCE25s store a limited amount of alarm, trend, and audit trail information. Afterengines collect data, you can forward the data to an ADS/ADX and save the data on the hard disk for long-termstorage.Historical data on engines and ADSs/ADXs can be copied to the clipboard and pasted into a spreadsheet, wordprocessor, or database program. You can use Metasys Export Utility software to extract the historical data from theMetasys system to as many as six different file formats (such as Microsoft Excel) for easier viewing.Data SharingADSs/ADXs store collected system data in a SQL Server database. Johnson Controls support channels can providedatabase schemas via the schema release process upon request.Data Backup/RestoreFor information on SQL Server software backups, see the Microsoft SQL Database Considerations section.Use the System Configuration Tool (SCT) to back up and restore Metasys user accounts/privileges and to back up,restore, and create archives of Metasys configuration data. Refer to the SCT Technical Bulletin (LIT-1201534) fordetails.Site Management Portal UIThe Site Management Portal UI comprises a Java application, which runs with a private JRE. See Java Softwareand Private JREs for a definition of private JREs. The Java security model allows only trusted applications to performcertain activities such as printing, connecting to the network, retrieving system information, and accessing yourcomputer’s local file system. Trusted applications must be digitally signed and must be granted permissions by theend user.The Metasys Site Management Portal UI is digitally signed with a certificate provided by the VeriSign CertificateAuthority (CA). The certificate verifies that the Metasys system application has not been tampered with and isdistributed by Johnson Controls, Inc. A message appears stating that the security certificate was issued by a companythat is trusted and indicates whether your certificate is expired.Metasys Advanced Reporting System UIThe Metasys Advanced Reporting System offers a separate HTML-based UI in which you can run reports on systemconfiguration and performance. This system allows you to use a restricted access UI and avoid Java softwaredownloads for users with limited report and configuration needs.The Metasys Advanced Reporting System can be used only on ADXs running SQL Server 2008 R2 software or SQLServer 2008 software with SQL Server Reporting Services. Local Metasys system users with Standard Accessaccess type privileges are authorized with the Advanced Reporting option in the Security Administrator System.Currently, Active Directory service users cannot access the Metasys Advanced Reporting System.For more information, refer to the Metasys Advanced Reporting System Help (LIT-12011312).Network and IT Guidance for the BAS Professional Technical Bulletin50

Java Software and Private JREsThe Site Management Portal (SMP) and SCT are Java applications, requiring a JRE plug-in on the local clientcomputer. Security vulnerabilities were often discovered in the public version of the JRE, which required the developerto release updated versions and for Johnson Controls to issue patches to the SMP and SCT software. To alleviatethis problem, Metasys no longer relies on a public JRE plug-in for Release 6.0 or later. Instead, it uses an internalprivate JRE that is bundled with an application and is installed locally on the computer for that application only. Theprivate JRE is not exposed to possible security risks and is compatible with IT department policies.To support the use of the private JRE, a new application called the Launcher was developed to allow you to managea list of all engines, ADS, ADX, SCT, LCS85, NIE, Ready Access Portal, Metasys Advanced Reporting, or anygeneric website links. The Launcher is a simple user interface that launches the UI for any Metasys release, butonly manages the local Java files for Release 6.x systems.If you need to configure your proxy settings, you must do so in the Launcher tool, not in the Java control panel. Fordetails, refer to Launcher Help (LIT-12011742).Public JRE files are still required for older versions of Metasys. Public JREs are installed in a public location (suchas C:\Program Files\Java\) and are known by the operating system to allow certain applications, such as Internetbrowsers, to access that JRE.Web Browser RecommendationsThe Windows Internet Explorer web browser (Version 8.0, 9.0, or 10.0) is required for downloading the Launcher.Other web browsers may work but are not fully tested.The Launcher is a software application that is installed on each client computer that logs in to the Metasys ADS/ADXserver, SCT, or supervisory engine. The Launcher lets you access any Metasys server or supervisory engine onthe building network, regardless of its software version. Starting at Release 6.0, you use the Launcher, not a webbrowser, to reach the log in screen of the NAE. For details, refer to Launcher Help (LIT-12011742).Note: We strongly advise that you do not browse to the Metasys Site Management Portal UI from a computerrunning a server class operating system. By default, Windows Internet Explorer Enhanced SecurityConfiguration is enabled on server class operating systems, and may block the Launcher download pagefrom which you install the Launcher application for access to the Site Management Portal. Open the SiteManagement Portal UI from a computer that is not running a server class operating system.Launcher Download Options and Proxy SettingsWhen the SMP is downloaded for the first time at Release 6.1, the Windows Launcher Download screen (Figure19) appears.Network and IT Guidance for the BAS Professional Technical Bulletin51

Figure 19: Windows Launcher DownloadThe Launcher Download screen provides two choices: Full Launcher Installer and Single Site Connection.Full Launcher Installer DownloadIf you click Full Launcher Installer, a security warning screen appears (Figure 20. This screen gives you the optionto Run, Save, or Cancel.Figure 20: File Download - Security Warning ScreenClick Run on the File Download - Security Warning screen. The Internet Explorer - Security Warning screen mayappear (Figure 21).Network and IT Guidance for the BAS Professional Technical Bulletin52

Figure 21: Internet Explorer - Security Warning ScreenFor this screen, click Run to allow local installation of the Launcher software. For more details, refer to the LauncherInstallation Instructions (LIT-12011783).Single Site Connection DownloadIf you click Single Site Connection, a file download screen appears (Figure 22).Figure 22: File Download - Single Site ConnectionThe File Download screen gives you the option to Open, Save, or Cancel. Click Save and save theMetasysResource.zip file to a location on your computer. Refer to the Launcher Installation Instructions (LIT-12011783)for details on how to unzip the files and run the Launcher.Launcher Proxy SettingsThe full version of the Launcher tool lets you update certain options, including proxy settings (Figure 23).Network and IT Guidance for the BAS Professional Technical Bulletin53

Figure 23: Application Options ScreenThree options are proxy settings that you need to configure if the building network uses a proxy server for connectionto the Internet:• Proxy Host: IP address of the proxy server.• Proxy Port: port number required by the proxy server.• Proxy Auto Config URL: check box to indicate the network requires an automatic configuration script. If youmark this check box, you need to type the address of the automatic configuration script in the field.You use the Test button to test the proxy settings. If the test passes, the message Success appears. If the test doesnot pass, the message Failure appears. For more details about the Application Options Screen, refer to the LauncherHelp (LIT-12011742).Pop-up Ad BlockersAt Release 6.1, you do not need to disable third-party pop-up ad blockers on the computer you use to browse to theMetasys system UI in order to ensure Metasys system UI functionality. For previous releases, you must disablepop-up ad blockers or the Login screen may not launch. To disable pop-up ad blockers, turn off the third-party pop-upad blocker for all sites or for the address of the Metasys system Site Director. If you cannot turn off or configure thethird-party pop-up ad blocker, uninstall it from the computer.Turning Off the Internet Explorer Web Browser Pop-up BlockerThis procedure applies to the Internet Explorer pop-up blocker. If you have third-party pop-up blockers, use themanufacturer’s instructions to disable them.To turn off the pop-up blocker:1. Open Internet Explorer.2. On the Tools menu, select Pop-up Blocker > Turn Off Pop-up Blocker.Network and IT Guidance for the BAS Professional Technical Bulletin54

Note: For information on allowing pop-ups from specific sites only, refer to the Internet Explorer Help.Sleep Power Option on Windows 8 and Windows 7 ComputersIf you use a computer with Windows 8 or Windows 7 to browse into the Metasys system, be aware that the SiteManagement Portal UI session information is lost if you are logged in when the operating system goes to sleep. Thesession terminates at the time the operating system goes to sleep, regardless of the Inactive Session Propertysetting that applies to your Metasys user account; for example, if Never Terminate is set for your account, the SiteManagement Portal UI session still terminates. The Sleep option is enabled for 2 hours by default, so you may wishto increase this setting or disable it.Disabling User Account ControlNote: This procedure is required if you want to use CCT software, HVAC PRO software, or GX-9100 tool softwarein Passthru mode from SCT on a Windows 8 or Windows 7 computer. If you do not perform these steps,Passthru mode does not function. Also, follow this procedure if you need to download resource files for aVND integration into a supervisory engine.1. In Control Panel, click System and Security > Action Center. The Action Center window appears.2. Click Change User Account Control settings. The User Account Control window appears (Figure 24).Figure 24: Disabling User Account Control3. Move the slider bar to the bottom position called Never notify.4. Click OK.5. Restart the computer to make the change effective.Metasys Dial-up NetworkingPoint-to-Point Protocol (PPP) is used for all Metasys network dial-up communication between the Metasys clientcomputer (web browser) and the ADS/ADX and engine. Refer to the Metasys System Extended Architecture DirectConnection and Dial-Up Connection Application Note (LIT-1201639).Network and IT Guidance for the BAS Professional Technical Bulletin55

Data Sharing with Published Web ServicesJohnson Controls provides published web services for third-party applications to access a limited set of Metasyssystem functions. Access is tied to access controls within the Metasys system using local Metasys system useraccounts only. Refer to the Metasys System Extended Architecture Secure Data Access DLL Technical Bulletin(LIT-1201663) for details on the web services and access controls associated with them.Network Interface Cards (NICs)We do not support dual enabled NICs on a computer running Metasys software (including SCT, ADS/ADX, NxE85,and LCS85 software).Network and IT Guidance for the BAS Professional Technical Bulletin56

Appendix: Microsoft® Windows® Operating System and SQLServer Software License RequirementsWindows Operating System License RequirementsThe Microsoft operating system software used by the ADX requires licenses called Client Access Licenses (CALs).A CAL is a license that gives you the right to access the services of the server. Two types of Microsoft operatingsystem CALs are available: a device-based CAL and a user-based CAL. These Microsoft CALs are purchasedseparately from the ADX software as described in Purchasing and Designating CALs.Note: The ADS does not require purchased operating system CALs.Operating System CALsEvery site requires a combination of both device and user CALs.Operating System - Device CALs: A device CAL is required for every device that accesses the ADX server,regardless of the number of users who access the ADX. A device CAL is the best choice if your organization hasusers who access the Metasys network by sharing the same computer during their work shifts. Each NAE requiresone device CAL. For example, if 15 NAEs are connected to the ADX, a total of 15 device CALs are required. Or, if100 NAEs are connected to the ADX, a total of 100 device CALs are required.Operating System - User CALs: A user CAL is required for every user who accesses the ADX server, regardlessof the number of computers they use for that access. A user CAL is the best choice if your organization has Metasysusers who need roaming access to the Metasys network using multiple computers. For example, if two users log into the ADX from different locations, two user CALs are required. Or, if 50 users log in to the ADX, 50 user CALs arerequired.Another example is a security guard station. Security guards during different shifts often use a single workstation,requiring the use of only one device CAL. However, if the security guards use multiple workstations throughout thefacility, one user CAL per guard is required. In this example, a single user CAL is more cost-effective, because asingle ADX connection requires only one user CAL.Total Number of CALs: The total number of device and user CALs required equals the total number of devices andusers connected to the ADX.Example One: If you have 100 NAEs and 10 users who use different workstations to log in, you need 110 CALs(100 device CALs and 10 user CALs).Example Two: If you have 100 NAEs and 10 users who use the same workstation to log in, you need 101 deviceCALs (100 device CALs for NAEs and 1 device CAL for workstation).Table 14 lists the ADX software components and examples of what CAL combinations are required. Refer to theMetasys System Extended Architecture Overview Technical Bulletin (LIT-1201527) for the number of devices anADX supports.Network and IT Guidance for the BAS Professional Technical Bulletin57

Table 14: ADX License and CAL ExamplesADX Offering Optional MVE RecommendedOfferingNumber of CALs toPurchaseWindows Operating System CAL ExamplesADX10MVE555 CALs = 2 user CALs + 3 device CALs(up to 10 users)(up to 5 users)5 CALs = 3 user CALs + 2 device CALsMVE101515 CALs = 10 user CALs + 5 device CALs(up to 10 users)15 CALs = 8 user CALs + 7 device CALsADXSWOMVE253030 CALs = 25 user CALs + 5 device CALs(up to 25 users)(up to 25 users)30 CALs = 10 user CALs + 20 device CALsADX50MVE506060 CALs = 50 user CALs + 10 device CALs(up to 50 users)(up to 50 users)60 CALs = 10 user CALs + 50 device CALsIf you purchase Metasys system software separately from the hardware, use Table 14 to determine how many CALsyou need to purchase from Microsoft. If you purchase Metasys system software as part of an ADS/ADX Turnkey orADS/ADX Ready product, the appropriate number of CALs is included in the purchase. For more details, seePurchasing and Designating CALs.Purchasing and Designating CALsYou need to purchase one additional device CAL for every NAE added to your Metasys system. You may also needto purchase additional user CALs as you expand the number of authorized Metasys system users. If you currentlyhave an ADS and you expand your system to require more than 10 connections, upgrade to an ADX.For CAL purchasing information, log in to the Johnson Controls employee portal website, go to the Tools & Applicationspage, then click the Computer Price List (ADS/ADX Turnkey Info) link in the Procurement/Purchasing section.The Computer Price List page appears. Review this page to learn how to access the Insight/JCI website(http://www.insight.com/jci) that contains information about purchasing CALs.When you purchase CALs, you receive a paper certificate from Microsoft. There is no method in the operating systemto designate or configure the number of device or user CALs. So make sure you keep the Microsoft CALs certificatein safekeeping at the customer site in case of an audit. You may be subject to a fine if a security audit reveals thatyour system is not correctly licensed.If Metasys system software is purchased separately, the customer is responsible for purchasing the correct numberof CALs and for properly designating each CAL. A device CAL cannot be transferred to a user CAL, or vice versa.If a Metasys Ready or Turnkey computer is purchased, the proper number of CALs come with the purchase, so noadditional CALs are required. You must purchase additional CALs if the number of devices exceeds 5 or 10, dependingon the size of the purchased Metasys system. Ultimately, the customer must determine how to split the total numberof CALs between device and user.For additional information on CALs, licensing, and downgrading operating system CALs, refer tohttp://www.microsoft.com/licensing/about-licensing/client-access-license.aspx.Network and IT Guidance for the BAS Professional Technical Bulletin58

Licensing Modes and CAL ExamplesFigure 25 illustrates the use of CALs in a Metasys network.Figure 25: Example Network in Per Device or Per User Operating System Licensing ModeSQL Server 2008 Licensing RequirementsThe SQL Server 2008 software editions used by the ADX product, including SQL Server 2008 R2 Standard orEnterprise and SQL Server 2008 Standard or Enterprise, require CALs. However, the SQL Server 2008 softwareeditions used by the ADS product, including SQL Server 2008 Express R2 and SQL Server 2008 Express, do notrequire CALs.If your ADX computer has a single processor, we recommend you purchase one Processor License to allow anunlimited number of users, NAE/NIE/NCE devices, and ADS/ADX computers to access the SQL Server 2008database on that computer. If your ADX computer running SQL Server 2008 software has multiple processors,purchase Processor Licenses for all of the processors on that computer. Licensing is based on the number of physicalCPUs in the computer, not the number of core processors. For example, if the computer has a single quad-coreprocessor, only one processor license is required.Network and IT Guidance for the BAS Professional Technical Bulletin59

For a split ADX, SQL Server 2008 software is installed on the database server computer. You must purchase asingle processor license for the database server computer if the computer has a single processor. If the databaseserver computer has more than one processor, you must purchase one SQL Server 2008 processor license for eachprocessor.For a split ADX with the Metasys Advanced Reporting System, the database engine component of SQL Server 2008software is present on the database server computer, and the reporting services component of SQL Server 2008software is installed on the web/application server computer. You must purchase a single processor license for boththe database server computer and the web/application server computer.Table 15 lists the ADS/ADX software components and the operating system license types that they require.Table 15: SQL Server 2008 License RequirementsADX Offering Optional MVE Offering SQL Server 2008 Software CurrentlySupportedSQL Server 2008Processor LicenseADX10 (up to 10 users)MVE5 (up to 5 users)SQL Server 2008 R2 Software1 Processor LicenseMVE10 (up to 10 users)ORADXSWO (up to 25 users)MVE25 (up to 25 users)SQL Server 2008 SoftwareADX50 (up to 50 users)MVE50 (up to 50 users)SQL Server 2012 Licensing RequirementsSQL Server 2012 Standard or Enterprise software uses a per core licensing model instead of the per processorlicensing model that SQL Server 2008 uses. The cost of four core licenses in SQL Server 2012 is equivalent to thecost of one processor license in SQL Server 2008 R2. And just as with SQL Server 2008 Express, no CALs arerequired for SQL Server 2012 Express software.To determine the licensing needs for SQL Server 2012 software:• count the number of cores in the processor• purchase the adequate number of core licensesTo assist you in counting the number of processor cores, refer to the specifications provided by the computermanufacturer or download the free Microsoft Assessment and Planning Toolkit(http://www.microsoft.com/sam/en/us/map.aspx). This toolkit may require the assistance from an IT professional.After you determine the number of processor cores, purchase the appropriate number of core licenses to allow anunlimited number of users, NAE/NIE/NCE devices, and ADS/ADX computers to access the SQL Server 2012database on that computer. If the ADX computer running SQL Server 2012 software has multiple cores in theprocessor, purchase one license for each physical core in the processor. For example, if the computer has a singlequad-core processor, purchase four core licenses.For a split ADX without the Metasys Advanced Reporting System, SQL Server 2012 software is installed only onthe database server computer. You must purchase one core license for each physical core in the processor of thedatabase server computer.For a split ADX with the Metasys Advanced Reporting System, the database engine component of SQL Server 2012software is present on the database server computer, and the reporting services component of SQL Server 2012software is installed on the web/application server computer. You must purchase one core license for each physicalcore in the processor for both the database server computer and the web/application server computer.Table 16 lists the number of core licenses required based on the number of physical cores in the processor.Table 16: SQL Server 2012 License RequirementsPhysical Cores in the Processor124SQL Server 2012 Core Licenses Required 1444Network and IT Guidance for the BAS Professional Technical Bulletin60

Table 16: SQL Server 2012 License RequirementsPhysical Cores in the Processor68SQL Server 2012 Core Licenses Required 1681 SQL Server 2012 software requires a minimum of four core licenses, even for processors with less than four cores.ADS RequirementsThe ADS and ADS-Lite software that runs on Windows XP Professional or Windows 7 do not come with, and do notrequire, device or user CALs. Also, the ADS uses the free version of SQL Server Express software, so you do notneed to purchase SQL Server CALs.To avoid ADS connection and network communication performance issues, the number of users and the numberof NAE/NIE/NCE devices and ADS/ADX computers that transfer trend data, event messages, and audit messagesshould not exceed 10. If a Metasys site with a single ADS configured as the Site Director and default repositoryexceeds that number of connections, consider one of the following options:• Configure one ADS to be the Site Director. Install and configure another ADS (or more) to provide the ADSrepository function. When you install a separate ADS to provide the repository function, it allows you to dedicatefive connections on the alternate ADS for system users and another five connections on the alternate ADS toNAE/NIE/NCE devices and ADS/ADX computers for transferring trend data, event messages, or audit messages.Note: The ADS-Lite cannot be the Site Director for another ADS of any type.• Upgrade to an ADX. Configure the Windows Server of the ADX computer with the number of CALs equal to thetotal number of users and devices accessing the ADX. In addition, configure the SQL Server database with oneSQL Server Processor license.Refer to the Metasys System Extended Architecture Overview Technical Bulletin (LIT-1201527) for performanceguidelines and limitations.Network and IT Guidance for the BAS Professional Technical Bulletin61

Appendix: SNMP Agent Protocol ImplementationThis appendix provides information for network managers to interpret the SNMP traps and Gets received by theMetasys system and provides explanations related to available agent functionalities. The Trap Examples sectionincludes several Trap message examples for your reference. The information applies to Metasys systems at Release3.0 and later.OverviewThe Metasys SNMP agent implementation provides IP standard SNMP functionality in the Metasys system, enablingnetwork administrators to manage Metasys network performance, find and resolve issues related to the Metasysnetwork, and plan for future growth of the Metasys system. SNMP uses standard SNMP Versions 1, 2C, and 3(which excludes SNMP encryption and authentication support). The Metasys system allows delivery of unsecuredSNMP traps for Metasys alarm events via a Network Management System (NMS). The Metasys SNMP agent alsocan monitor Metasys system point objects, select diagnostic attributes, and control sequence objects. You canconfigure the filter on the agent using the filtering capabilities of the DDA.LimitationsThe following are the limitations of NMS and Metasys SNMP agent functionality:• NMS does not provide the ability to acknowledge and/or discard Alarms via an SNMP Set message.• NMS cannot modify the supervisory device via an SNMP Set message.• Metasys SNMP Agent functionality does not allow the NMS to detect when the supervisory device suffers apower failure or to initiate any action based on such detection.• SNMP Get requests are not proxied through the site; that is, you must query the device of interest directly andnot through the Site Director.• With the SNMP Version 3 implementation, user authentication and data encryption are not available for SNMPtraps and Gets.• The Get Bulk request, which returns data from multiple objects with one request, is not supported.Metasys SNMP MIB FilesThree Johnson Controls® MIB files are provided on the product media and on the Metasys system website fordownload (Table 17). The NMS software can read these MIB files, as well as the standard MIB files.Table 17: List of Johnson Controls and Standard MIB FilesJohnson Controls MIB FilesStandard MIB Files 1jcicontrolsgroup.mi2johnsoncontrolsinc.mi2msea.mi2SNMPV2_MIB.mibSNMPV2_SMI.mibSNMPV2_TC.mib1 Standard MIB files are available on the Internet.These MIB files define the data available from the Metasys SNMP feature. They provide the object identifier (OID)that describe the traps and point types available in the Metasys system. For example, an OID is available to describethe alarm state of a point. Loading the MIB files into the NMS provides translation of the Metasys data.Enterprise ID NumberThe assigned enterprise ID number for Johnson Controls is 4399. This number is part of all OIDs used in the Metasyssystem.SNMP TrapsTrap FormatWhen an object with an alarm extension generates an event in the Metasys system, the SNMP service sends a trapto the NMS. No matter what type of event occurs, the Trap OID sends out the same set of attributes. Table 18 liststhe attributes.Network and IT Guidance for the BAS Professional Technical Bulletin62

Configuring Trap FilteringOf the available attributes listed in Table 18, configure the NMS interface to filter the attributes to be trapped. Youalso must select these attributes when you configure the SNMP DDA alarm notifications and destinations in thedevice object. For details, refer to the NAE Commissioning Guide (LIT-1201519) and the ADS/ADX CommissioningGuide (LIT-1201645). This list applies to Metasys alarm events only.Table 18: Available Attributes for Trap FilteringField NamesackRequiredeventDetectionTimestampeventMessageeventPreviousStatuseventUniqueIdentifiereventValueevPriorityitemCategoryitemDescriptionitemFullyQualifiedReferenceitemNameSiteNameAgent Restart TrapWhen an Agent Restart occurs, a coldstart trap is sent when the supervisory device (NAE, for example) powers on.Table 19 lists the attributes that are sent.Table 19: Attributes for Coldstart TrapAttribute NameshostNameipAddressmacAddressunitssubnetMaskAlarm Raised TrapWhen an object with an alarm extension generates an event in the Metasys system, the SNMP Agent sends thesame Alarm Type that was raised in the system (NAE/ADS). Examples include High Warning and Low Alarm. EachTrap OID also sends the attribute values that were selected for the trap (Table 18).Alarm Clear TrapWhen an alarm Return to Normal state occurs, the SNMP Agent reacts in the same manner as when the alarm wasraised. In this way, the Alarm situation is cleared with a NormalEvent message.Alarm SynchronizationThe Metasys SNMP Agent does not support Alarm Synchronization, a function that indicates to the NMS whichMetasys objects went into alarm while the NMS was offline. The SNMP Agent assumes that the NMS received thealarm and, therefore, does not rebroadcast it. Even though alarm synchronization is not performed, the SNMP Agentallows the NMS to poll points and device attributes to determine their statuses. From this information, the NMS candetermine which points are reporting Alarms and react accordingly.Trap CasesSupervisory Device Offline/OnlineAccording to how the SNMP is configured, the Metasys Site Director sends an offline/online notification when anyof its children (NAEs as supervisory devices) are considered offline or online. These events have a structure similarto the Alarm Raised structure, and reports the same set of attributes (Table 18). The eventValue attribute indicatesOffline or Online.When a supervisory device is rebooted or restored after a power failure, the SNMP Agent on the Site Director sendsthe offline/online notification, and the supervisory device sends the agent coldstart information.Field Device Offline/OnlineField devices (for example, FECs and VMAs) are treated the same way as supervisory devices. If the field devicehas the appropriate alarm extension defined, the controller generates online/offline alarms (Traps) as they occur.Field Device Disable/EnableWhen the user or a process disables communication to a field device, the SNMP Agent sends a trap regarding theDisable command in a similar manner as the Alarm Raised trap. The eventValue indicates Comm Disabled.Network and IT Guidance for the BAS Professional Technical Bulletin63

When a Comm Enabled command to the device occurs, the SNMP Agent sends a trap regarding the Enable commandas well as a separate alarm trap regarding the return to online status.SNMP Get RequestsSNMP Get requests allow the NMS to request information for a specific variable. The SNMP agent, upon receivinga Get message, issues a GET-RESPONSE message to the NMS with either the information requested or an errorindication as to why the request cannot be processed.The Metasys SNMP Agent allows you to perform SNMP Gets on pre-defined OIDs of certain objects (for example,Analog Value [AV], Binary Value [BV], and Multistate Value [MV] objects). For a list of the attributes that are availablefor polling, see Table 20.Note: To use Gets, you must query the specific supervisory device (NAE55, NIE55, or NCE25, for example) onwhich the object appears. Site Directors do not forward Get requests to other devices on the site and youcannot perform Gets on ADSs/ADXs.The Metasys SNMP Agent also allows you to determine the health of the device by polling the OIDs listed underTable 21. These attributes include data such as battery condition and object count.You can poll all the points on the NAE, but realize there is a throttle on SNMP Gets, which is two requests per secondon an NAE55 and one request per second on an NAE45. For example, polling 500 points on a single NAE takesabout 5 minutes.Get Request DefinitionThe length of the OID for a Get request has one limitation relating to the SNMP protocol: the maximum number ofsubidentifiers per message is 128 characters. The reference of the item or object you are requesting is containedwithin these subidentifiers. To determine the item reference you should use, log on to the Metasys user interfaceand open the Focus window of the item/object. Locate the Item Reference field under the Advanced view of theFocus window. The format of the fully qualified item reference is:Site:Device/ItemThe only part of this string that you need to specify is the Item section. Here is an example:MyADS:NAE-1/N2-1/AHU-3/ZN-TThe only part of this item reference that is required is: N2-1/AHU-3/ZN-T.Get Request Base OIDThe Base OID for any Get Request is as follows:1.3.6.1.4.1.4399.2.1.1.1.1.4.1.1.x.ywhere x is an integer that represents the attribute of the point (Table 20) and y is an representation for the nameof the Metasys point.Table 20: Point Attributesx.85.103.117.661.1006.32527DescriptionPresent ValueReliabilityUnitsDisplay PrecisionAlarm StateItem ReferenceThe two primary Get Requests are the Point Attribute Get Request and the Device Diagnostics Get Request.Point Attribute Get RequestThis Get Request obtains point attribute information.Network and IT Guidance for the BAS Professional Technical Bulletin64

Base OID1.3.6.1.4.1.4399.2.1.1.1.1.4.1.1.x.ywhere x is an integer that represents the attribute of the point and y is an ASCII representation for the name of theMetasys point (Table 20).Example #11.3.6.1.4.1.4399.2.1.1.1.1.4.1.1.85.3.65.86.49Returned value: present value of Metasys object called AV1.In this example, the Present Value attribute breaks out as:1.3.6.1.4.1.4399.2.1.1.1.1.4.1.1.85The name of the Metasys point breaks out as:3.65.86.49where the first digit (3) is the length, and the remaining digits are the ASCII representations of the letters (AV1).Example #21.3.6.1.4.1.4399.2.1.1.1.1.4.1.1.1006.10.69.110.101.114.103.121.46.66.86.49Returned Value: point alarm state of a Metasys object called Energy.BV1.In this example, the Alarm State attribute breaks out as:1.3.6.1.4.1.4399.2.1.1.1.1.4.1.1.1006The name of the Metasys point breaks out as:10.69.110.101.114.103.121.46.66.86.49where the first digit (10) is the length, and the remaining digits are the ASCII representations of the letters(Energy.BV1).Device Diagnostic AttributesThis Get Request obtains device diagnostic information.Base OID1.3.6.1.4.1.4399.2.1.1.1.1.3.xwhere x is an integer that represents the attribute of the point (Table 21).Table 21: Device Diagnostic AttributesxDescription.647.650.651.844.2395.2579.2580.2581.2582.2583.2584.32565Battery ConditionChange of Value Receives Per MinuteChange of Value Transmits Per MinuteObject CountEstimate Flash AvailableCPU Temp (Not Available on NAE-45)Board TemperatureMemory UsageObject MemoryCPU UsageFlash UsagePager Dial StatusNetwork and IT Guidance for the BAS Professional Technical Bulletin65

Example1.3.6.1.4.1.4399.2.1.1.1.1.3.2580Returned value: board temperatureIn this example, the Board Temperature attribute breaks out as:1.3.6.1.4.1.4399.2.1.1.1.1.3.2580Translating Attribute ValuesAs highlighted in the Trap Examples section, each Trap OID sends the same set of attributes. You can translateattributes values (evPreviousState) using the key values in Table 22.Table 22: Device Diagnostic AttributesKeyTextKeyText0Normal68Alarm1Fault69Trouble2Off Normal70Status3High Limit71Offline4Low Limit72Shutdown64Low Warning73Unreliable65High Warning75Online66Low Alarm65535Unknown Previous State67High AlarmExampleThe difference between the SNMP Trap generated for a binary point that goes into Alarm and one whose statustransitions to Return to Normal is outlined in Table 23.Table 23: SNMP Trap Attribute ExampleSNMP Trap Attribute Alarm ValueNormal ValuesnmpTRAPOID.OEventValueEventPreviousStatusEventMessagealarmEventActive0 (see Status Value Table)Alarm message defined in Metasys UInormalEventInactive68 (see Status Value Table)Return to Normal message defined in MetasysUITrap ExamplesThe following sections shows several trap examples captured from a live system.Network and IT Guidance for the BAS Professional Technical Bulletin66

Binary Point AlarmFigure 26: Binary Point Alarm ExampleNetwork and IT Guidance for the BAS Professional Technical Bulletin67

Binary Point Return to NormalFigure 27: Binary Point Return to NormalNetwork and IT Guidance for the BAS Professional Technical Bulletin68

Analog Point High WarningFigure 28: Analog Point High WarningNetwork and IT Guidance for the BAS Professional Technical Bulletin69

Analog Point High AlarmFigure 29: Analog Point High AlarmNetwork and IT Guidance for the BAS Professional Technical Bulletin70

Analog Point Low WarningFigure 30: Analog Point Low WarningNetwork and IT Guidance for the BAS Professional Technical Bulletin71

Analog Point Low AlarmFigure 31: Analog Point Low AlarmNetwork and IT Guidance for the BAS Professional Technical Bulletin72

Analog Point Return to NormalFigure 32: Analog Point Return to NormalNetwork and IT Guidance for the BAS Professional Technical Bulletin73

Supervisory Device Agent Restart (ColdStart)Figure 33: Supervisory Device Agent Restart (ColdStart)Network and IT Guidance for the BAS Professional Technical Bulletin74

Field Device OfflineFigure 34: Field Device OfflineNetwork and IT Guidance for the BAS Professional Technical Bulletin75

Field Controller OnlineFigure 35: Field Controller OnlineNetwork and IT Guidance for the BAS Professional Technical Bulletin76

Field Controller DisabledFigure 36: Field Controller Disabled ExampleNetwork and IT Guidance for the BAS Professional Technical Bulletin77

Field Controller EnabledFigure 37: Field Controller Enabled ExampleNetwork and IT Guidance for the BAS Professional Technical Bulletin78

Appendix: Active Directory ServiceThis appendix provides additional information to network managers for configuring Active Directory service for usewith the Metasys system on a computer that has the ADS/ADX or SCT software.OverviewThis appendix lists questions and actions that help facilitate the interaction with the customer’s IT department forconfiguration of the Metasys system for use with Active Directory services. You need to obtain this information andcomplete the configuration before the feature is enabled and Active Directory service users are added to the Metasyssystem. Keep in mind that these actions are most likely performed by the customer’s IT department. Furthermore,several IT teams may need to be involved; for example, assistance from the Active Directory Service Team, ITSecurity Team, Infrastructure Team, and Network Team may be needed. Make sure you allow time for any necessaryteam interaction. Also, keep in mind that:• these questions focus only on the IT needs of the Active Directory service feature and not on the Metasys system.The Metasys system should be properly configured with a version of the ADS/ADX (and SCT) software thatsupports the Active Directory feature. Example logistics that fall outside these questions include:- administrative access to the ADS/ADX computer- proper SQL Server rights to install or upgrade the ADS/ADX software- firewalls between Metasys system devices• these questions assume that the person gathering the information is familiar with the Active Directory servicefeature.Infrastructure QuestionsTable 24 is a worksheet that outlines the questions that need to be answered as part of the Active Directory serviceimplementation on the Metasys system.Table 24: Active Directory Service WorksheetQuestionAnswerAction StepsHow many Active Directory servicedomains contain users who are to beadded as Metasys system users?Are there any firewalls between theADS/ADX and the Active Directoryservice domain?1More than 1YesNoJoin the ADS/ADX or SCT computer to the domain. Create onlyone Service Account under that domain. Specify the Service Accountunder Metasys Security Administration. For details, see ServiceAccount.If trusts exist between all domains that contain Metasys systemusers, the ADS/ADX or SCT can be in any domain. Use a singleService Account within Active Directory service with access to alldomains with Metasys system users.If trusts Do Not exist between all domains, the ADS/ADX can stillbe joined to any domain; however, if an Active Directory serviceuser is in a domain that does not trust the domain the ADS/ADX isin, that user is not able to take advantage of SSO login-free accessto the Metasys system, but they can still use their Active Directoryservice user name, password, and domain at the Metasys loginscreen. Create one Service Account per domain that containsMetasys system users. For details, see Service Account Rules andService Account Permissions.Firewalls must be correctly configured to allow Active Directoryservice port and protocol access between the ADS/ADX anddomain(s). This is a Microsoft prerequisite of joining domain. Fordetails, see Protocols, Ports, and Connectivity for the MetasysSystem.No action required.Network and IT Guidance for the BAS Professional Technical Bulletin79

Table 24: Active Directory Service WorksheetQuestionAnswerIs each client computer that can runthe UI joined to an Active Directoryservice domain that is in the samedomain as the ADS/ADX or in a trusteddomain?YesNoAction StepsVerify that Active Directory service is configured to allow the userto log in to their Windows Desktop with Active Directory servicecredentials.Can the client computers be added to the domain that the ADS/ADXis joined to or to some other trusted domain?Do you plan to specify Active Directoryservice users or Active Directoryservice user groups under theMSEA-SSO user group? 1UsersGroups• Yes - SSO login-free access is available.• No - SSO login-free access is unavailable, but the user can stillspecify Active Directory service credentials on Metasys systemlogin screen.To provide SSO login-free access to the Metasys system, add eachActive Directory service user to the MSEA-SSO local Windowsgroup on the ADS/ADX and SCT computer. 2 For details, seeMSEA-SSO User Group.To provide SSO login-free access to the Metasys system, add eachActive Directory service user group to the MSEA-SSO local Windowsgroup on the ADS/ADX and SCT computer. 31 These are two suggested methods. Contact your local IT department for the preferred method.2 In order to perform this step, you must be using an Active Directory service user account with sufficient privileges to search forusers within Active Directory service. These privileges must span all domains that contain users who have SSO access to theMetasys system.3 Active Directory service groups are normally managed by the IT department. A process for managing the addition and removalof Metasys system users who are also Active Directory service users must be enacted.Primary RequirementsThe following is a list of requirements for using Active Directory service with the Metasys system at the customer’ssite. The steps for setting up Active Directory service are primarily the responsibility of the customer’s IT department.Installation of the Metasys software is usually performed by others, but often supervised by IT personnel. Theserequirements are based on answers given for the questions posed in Table 24, though not all requirements applyto every installation.ADS/ADX ComputerThe computer with the ADS or ADX software must be:• installed with Release 4.1 or later of the Metasys systemNote: Other devices on the site do not need to be at Release 4.1• joined to an Active Directory service domain (or trusted domain) where the Metasys system users are located• added to an Active Directory service domain where the computer is not affected by group policiesIn addition, configure any firewalls to allow appropriate Active Directory service communication.SCT ComputerThe computer with the SCT software must be:• installed with Release 4.1 or later of the Metasys system software• joined to an Active Directory service domain (or trusted domain) where the Metasys system users are locatedIn addition, configure any firewalls to allow appropriate Active Directory service communication.Client ComputerThe client computer used to run the ADS/ADX or SCT UI must be joined to an Active Directory service domain wherethe ADS/ADX and SCT are located or to a trusted domain.Network and IT Guidance for the BAS Professional Technical Bulletin80

Additional RequirementsThe following are additional requirements:• Obtain the fully qualified domain names for all domains that are to contain Metasys system users. The namemust be the domain level (and not the forest level or some other level).Note: This information is necessary at the time when Active Directory service users are added to the Metasyssystem with the Security Administration tool. For details, see User Account Rules.• Obtain the corresponding pre Windows 2000 domain names (short format of the domain name). This informationis useful because the Metasys system user can specify this format at the login screen of the Site ManagementPortal UI.For additional requirements, see Service Account and MSEA-SSO User Group.Network and IT Guidance for the BAS Professional Technical Bulletin81

Appendix: Windows Server OS ConsiderationsNote: Release 6.1 supports three server operating systems: Windows Server 2012 (64-bit), Windows Server 2008R2 with SP1 (64-bit), and Windows Server 2008 SP2 (32-bit) with SP2.Important: We strongly advise that you do not browse to the Metasys Site Management Portal UI from a computerrunning a server class operating system. By default, Windows Internet Explorer Enhanced SecurityConfiguration is enabled on server class operating systems and may block the Launcher downloadpage from which you install the Launcher application for access to the Site Management Portal. Openthe Site Management Portal UI from a computer that is not running a server class operating system.See Internet Explorer Enhanced Security Configuration.For information on firewall settings required for Metasys system communication, refer to the ADS, ADX, and SCTInstallation and Upgrade Instructions Wizard (LIT-12011521) and ADS-Lite Installation and Upgrade InstructionsWizard (LIT-12011688).Administrator RightsDepending on your operating system login privileges, you may need to perform the steps listed in Table 25 to useMetasys software (including logs) or access Windows operating system features and SQL Server software on yourWindows Server operating system.Table 25: Login Privileges and StepsLogin PrivilegesNot Logged in as the Windows Account withusername of Administrator.Logged in as the Windows Account with theusername of Administrator.Steps to Run SoftwareTo run the software:1. Right-click the software icon on your desktop or software name in amenu.2. Select Properties.3. Select Run As Administrator.4. Click Allow.Refer to the documentation for the specific Metasys software you are usingfor more information on how to perform tasks that require Administratorprivileges.Run the software without additional steps.ServicesADS/ADX software installs and uses the Metasys III Device Manager Service and Metasys III Action Queue Service.Both Services must be run on the Local System account.Internet Explorer Enhanced Security ConfigurationImportant: We strongly advise that you do not browse to the Metasys Site Management Portal UI from a computerrunning a server class operating system. By default, Windows Internet Explorer Enhanced SecurityConfiguration is enabled on server class operating systems and may block the Launcher downloadpage from which you install the Launcher application for access to the Site Management Portal. Openthe Site Management Portal UI from a computer that is not running a server class operating system.This section applies to the web browser on any computer running Windows Server 2012, Windows Server 2008 R2SP1, or Windows Server 2008 SP2. By default, Internet Explorer Enhanced Security Configuration is enabled onthis operating system. When you start the Internet Explorer web browser, the Internet Explorer Enhanced SecurityConfiguration is enabled message appears (Figure 38).Network and IT Guidance for the BAS Professional Technical Bulletin82

Figure 38: Internet Explorer Enhanced Security Configuration is Enabled MessageThe Internet Explorer Enhanced Security Configuration establishes a configuration for your computer and for theInternet Explorer web browser. This configuration decreases the exposure of your server to potential attacks thatmay occur through web content and application scripts. As a result, some websites may not display or perform asexpected. For example, the Enhanced Security Configuration may prevent the download of the Launcher application.To disable Enhanced Security Configuration in Windows Server 2012, start Server Manager and select Local Server.Locate the IE Enhanced Security Configuration setting. Click On to open the Internet Explorer Enhanced SecurityConfiguration window. Click Off for administrators and users as recommended by the IT administrator.To disable Enhanced Security Configuration in Windows Server 2008 R2 or Windows Server 2008, start ServerManager and locate the Security Information section. Click Configure IE ESC to open the Internet Explorer EnhancedSecurity Configuration window. Click Off for administrators and users as recommended by the IT administrator.Software Supported on Windows Server PlatformsWindows Server 2012, Windows Server 2008 R2, and Windows Server 2008 supports the following Metasys softwareand technologies:• ADX• SCT• CCT• Metasys Advanced Reporting System• Site Management Portal UI client computer (computer browsing to the Site Management Portal UI)• Metasys Database Manager• Metasys Export Utility• Metasys System Secure Data Access• Ready Access Portal software• Ready Access Portal client computer (computer browsing to the Ready Access Portal UI)Software and technologies not listed here are not supported. Refer to the appropriate technical literature for thetechnology you are using to verify compatibility with Windows Server operating systems.Configuring the Computer as an Application Server for Use as an ADXFor information on configuring the computer as an application server, refer to the installation instructions for theMetasys software you are using (for example, ADS/ADX, Ready Access Portal, or SCT).Network and IT Guidance for the BAS Professional Technical Bulletin83

Appendix: Windows Desktop OS ConsiderationsNote: Release 6.1 supports three desktop operating systems: Microsoft Windows 8 Professional and Enterprise(64-bit), Windows 7 Professional, Enterprise, and Ultimate Editions (32-bit or 64-bit) with SP1, and WindowsXP Professional with SP3.Windows 8 and Windows 7 offer increased network security that impacts Internet and intranet communication,including communication among Metasys system components. Additionally, Windows 8 and Windows 7 have folderstructures that differ from those used in the Windows XP.Use the information in this appendix to configure Windows 8 or Windows 7. For information on firewall settingsrequired for Metasys system communication, refer to the ADS, ADX, and SCT Installation and Upgrade InstructionsWizard (LIT-12011521) and ADS-Lite Installation and Upgrade Instructions Wizard (LIT-12011688).Folder StructureThe folder structure in Windows 8 and Windows 7 is different from the folder structure that Windows XP uses. Table26 shows the differences in the folder structures used by the operating systems.Table 26: Folder Structure - Windows XP, Windows 8, and Windows 7Windows 8 and Windows 7 LocationsWindows XP Location 1Program FilesDocuments and SettingsDocuments and Settings\All UsersDocuments and Settings\All Users\Application DataDocuments and Settings\All Users\DocumentsDocuments and Settings\\My DocumentsDocuments and Settings\\Application DataDocuments and Settings\\CookiesDocuments and Settings\\Local SettingsDocuments and Settings\\Local Settings\ ApplicationDataDocuments and Settings\\Local Settings\ HistoryDocuments and Settings\\Local Settings\ TemporaryInternet FilesDocuments and Settings\All Users\DesktopDocuments and Settings\Default UserProgram FilesUsersProgramDataProgramDataUsers\Public\DocumentsUsers\\DocumentsUsers\\AppData\RoamingUsers\\AppData\Roaming\Microsoft\Windows\CookiesUsers\\AppData\LocalUsers\\AppData\LocalUsers\\AppData\Local\Microsoft\Windows\HistoryUsers\\AppData\Local\Microsoft\Windows\Temporary Internet FilesUsers\Public\DesktopUsers\Default1 is the username of the person currently logged in to the Windows Operating System.Note these other changes:• Add/Remove Programs in Windows XP exists in Windows 8 and Windows 7 as Programs and Features. Theseitems are found in Control Panel.• Folder settings, such as showing/hiding file extensions and system files, now exist in Control Panel underAppearance and Personalization > Folder Options. Changes must be done on a per-user basis.Refer to the documentation for each specific Metasys software tool for details on how file locations may be differentin Windows 8 and Windows 7.Administrator RightsAdministrative privileges function differently on Windows 8 and Windows 7 than on Windows XP. Depending onyour operating system login privileges, you may need to perform additional steps to use Metasys software (includinglogs) or access Windows operating system features and SQL Server software.Network and IT Guidance for the BAS Professional Technical Bulletin84

Table 27: Login Privileges and StepsLogin PrivilegesNot Logged in as the Windows Accountwith username of AdministratorSteps to Run SoftwareTo run the software with Windows 7:1. Right-click the application icon on your desktop or software name in a menu.2. Select Properties.3. Select Run As Administrator.4. If prompted, enter your credentials.5. Click Yes.To run the software with Windows 8:1. Right-click the application tile on the Start screen.2. Select Run As Administrator on the bottom of the screen.3. If prompted, enter your credentials.4. Click Yes.Refer to the documentation for the specific Metasys software you are using formore information on how to perform tasks that require Administrator privileges.Logged in as the Windows Account withthe username of AdministratorRun the software without additional steps.ServicesADS/ADX software installs and uses the Metasys III Device Manager Service and Metasys III Action Queue Service.Both Services must be run on the Local System account.Internet Explorer Web Browser SettingsActiveX Controls are not required to access Release 6.1 sites, such as SMP and SCT.Operating system administrator rights are required to download and install the Launcher Tool.If you do not follow the Administrator guidelines here, you may not be able to adjust the Internet Explorer web browsersettings or you may not be able to save the changes you make for the next browser session. If you experienceproblems similar to these, check your access rights.Software SupportedWindows 8, Windows 7, and Windows XP support the following Metasys software and technologies:• ADS• SCT• CCT• Site Management Portal UI client computer (computer browsing to the Site Management Portal UI)• Metasys Database Manager• Metasys Export Utility• Metasys System Secure Data Access• Ready Access Portal software• Ready Access Portal client computer (computer browsing to the Ready Access Portal UI)Software and technologies not listed here are not supported. Refer to the appropriate technical literature for thetechnology you are using to verify compatibility with the operating system.Windows Features Not Supported by Metasys SoftwareMetasys software does not support the following Windows features:• Sleep feature. If you install an ADS or SCT on Windows 8 or Windows 7, you must turn off the Sleep feature.Failure to turn off this feature can result in communication problems when the ADS or SCT goes to sleep.• Fast User Switching feature. Users must log off instead of switching users.Network and IT Guidance for the BAS Professional Technical Bulletin85

Windows Scheduled FeaturesSome features of Windows 8 or Windows 7 should be rescheduled depending on the load for the ADS. By default,the Windows Defender spyware identification and removal tool scans the operating at 2 A.M. every day and DiskDefragmentation runs every Wednesday at 1 A.M. If the ADS is busy at these times, you should reschedule thescan/defragmentation for a time when the ADS is less busy.Building Efficiency507 E. Michigan Street, Milwaukee, WI 53202Metasys® and Johnson Controls® are registered trademarks of Johnson Controls, Inc.All other marks herein are the marks of their respective owners. © 2013 Johnson Controls, Inc.Published in U.S.A.Network and IT Guidance for the BAS Professional Technical Bulletinwww.johnsoncontrols.com86