Release Notes

The Release Notes provide the following information:

  • Install and Upgrade Information
  • Troubleshooting Tips

Important Information About Licensing and Keys

You must use the license that is included with your Webspace software in order to access all the components of the GE software you purchased. You can only use your Webspace license with the supported versions of iFIX or CIMPLICITY (outlined in the Software Requirements > Compatibility with Other GE Products section).

For information about installing and updating licenses, refer to the following GE Digital Support page: https://ge-ip.force.com/communities/en_US/Article/GE-Intelligent-Platforms-Software-Product-Licensing.

Important: Do not remove the USB hardware key from your node while Webspace is running. If you do, you may need to restart Webspace. You may also damage the USB key if you remove it while Webspace is running.

Upgrading Webspace

The Webspace software installation automatically upgrades over older versions of Webspace; therefore, it is not necessary to uninstall and reinstall the Webspace software.

Patching GE Software

GE recommends that customers keep GE software up-to-date by applying the latest Software Improvement Module (SIM) to their deployed GE products. SIMs add new functionality, fix bugs, and address security vulnerabilities.

Security advisories and security-related SIMs can be found on the GE Support website at https://digitalsupport.ge.com/en_US/Alert/GE-Security-Advisories. Customers can also sign up for notification of new SIMs and security advisories on the Support website.

Patching Third-party Software

GE also recommends that customers keep operating systems, databases, and other third-party software in their environment up-to-date with the latest security patches from the software vendor.

GE regularly validates the compatibility of selected GE products with third-party operating system security patches. More information on this process can be found on the GE Support website at http://www.ge-ip.com/security.

Platform Configuration and Hardening

GE recommends configuring operating systems, databases, and other platforms as per vendor recommendations or industry standards.

The following organizations publish best practices, checklists, benchmarks, and other resources for securing systems:

You can also ask your GE Digital Channel Representative for a copy of the iFIX or CIMPLICITY Secure Deployment Guides which cover Webspace, or visit our web site to download your own copy: https://digitalsupport.ge.com/.

Prerequisites For Installation and Configuration

  • You must be an Admin on the machine you want to install the GE products onto. Webspace must be installed with a local Windows user account with administrator rights. Be aware that you do not have to run Webspace using that account, or as an administrator.
  • TCP/IP must be enabled on the computers in your setup. Administrators must have administrative rights on the server to perform the installation, and the server must have TCP/IP as a network protocol.
  • Configure any external firewall and any software firewall on the server to allow TCP port 491. (By default, Webspace listens on registered port 491 for TCP packets.)
  • You must have Microsoft® Internet Information Server (IIS) or Apache HTTP Server installed on your Web Server. For supported versions, see the Software Requirements topic. A Web Server (Microsoft IIS or Apache HTTP Server) must be available in order to set up the server for browser deployment of Webspace. The Webspace Server will install only if you have a supported version of Microsoft IIS or Apache HTTP Server installed beforehand. If both IIS and Apache are installed, the Webspace install will not prompt you to choose one or the other; the Webspace install defaults to IIS. If Apache is your choice of web server, simply copy over the files from <Webspace TARGET FOLDER>\Web into the Apache htdocs\ProficyWebspace folder.
  • You must have Microsoft® .NET Framework 4.5 installed on your Web Server.
  • Make sure you have the latest Windows updates and certificates installed (and that your certificate paths are correct). Webspace has been validated using the latest updates as of August 2019.
  • The ASP .NET feature must be enabled on your Web Server.
  • Proper GE licensing must exist on all computers. The licensing for WebSpace must match the version of WebSpace exactly, and must be compatible with the version of CIMPLICITY or iFIX being used. Your licensing keys must match the products you have installed.
  • Decide on a security model and identify the users that you want to allow to use Webspace.
  • Confirm that you do not have the "Standard VGA Graphics Adaptor" listed as the display adapter in Windows on your Web Server. Instead, the model name should appear in the list of adapters for your computer. For example, an adapter can be: Intel 82915G/GV/910GL/Express Chipset. If a model is not listed, then you may have issues with the screen resolution upon installation of the Webspace product. To check the display adapter in Windows before installing, right-click the My Computer icon on the desktop and select Properties. In the System Properties dialog box, click the Hardware tab, click the Device Manager button, and then double-click the Display Adapters icon. If you do not have a specific model listed, and instead only the "Standard VGA Graphics Adaptor" appears, you may need to upgrade your display drivers before installing the Webspace product.
  • Be sure that the color depth of the client and server computers is greater than 256 (16 million or greater is recommended).
Note: For detailed requirements, please refer to the Software Requirements and Hardware Requirements topics. For detailed installation requirements on iFIX or CIMPLICITY, refer to that product's IPI for more information.

Recommended Computer Setup

While running the Webspace Server and either the iFIX or CIMPLICITY Server on the same computer is possible, it is strongly recommended that your Webspace Server resides on a different computer than the production server (the iFIX or CIMPLICITY Server). It is also recommended that your Historian Server (if being used) resides on a different computer than your Webspace Server. Separating the Web Server from your other GE products (and behind a firewall) provides a more secure setup for your data.

Note: Additionally, be aware that you cannot run the iFIX SCADA Server as a service if both servers (SCADA Server and Webspace Server) are on the same machine.

Webspace Silent Install

You can use the InstallConfig.ini file to modify the default install settings. These settings can be viewed and changed in the Webspace Admin Console once the Webspace product has been installed.

The content of the installconfig.ini file includes:

[config]
; transport SSL (Encrypted) or TCP
transport=
; hostPortID 491 (default)
hostPortID=
; encryption None or 56-bit DES
encryption=
sslCertificate=
; authentication Standard or Integrated
authentication=
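
The following added example (not part of the GE documentation or installer) audits an installconfig.ini before it is passed to setup.exe with /inifile, flagging cleartext or weakly encrypted settings. It assumes the strings in the file's comments (SSL, TCP, None, 56-bit DES, Standard, Integrated) are the literal accepted values and that an SSL transport needs sslCertificate set; the function name, sample files and certificate name are constructed for illustration.

```python
import configparser

# Value spellings copied from the comments in the page's installconfig.ini.
# Assumption: the installer accepts exactly these strings (case-insensitively).
ALLOWED = {
    "transport": {"ssl", "tcp"},
    "encryption": {"none", "56-bit des"},
    "authentication": {"standard", "integrated"},
}
DEFAULT_PORT = 491  # default Webspace listening port stated on the page


def audit_installconfig(text):
    """Return (severity, key, message) findings for installconfig.ini content."""
    parser = configparser.ConfigParser(interpolation=None)  # ';' lines are comments
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [("error", "file", "cannot parse: %s" % type(exc).__name__)]
    if not parser.has_section("config"):
        return [("error", "config", "missing [config] section")]
    # configparser lower-cases option names, so hostPortID becomes hostportid.
    cfg = {key: value.strip() for key, value in parser.items("config")}
    findings = []

    for key, allowed in ALLOWED.items():
        value = cfg.get(key, "")
        if not value:
            findings.append(("info", key, "empty, so the install default applies"))
        elif value.lower() not in allowed:
            findings.append(("error", key, "unrecognised value %r" % value))

    transport = cfg.get("transport", "").lower()
    encryption = cfg.get("encryption", "").lower()
    if transport == "tcp" and encryption == "none":
        findings.append(("high", "encryption",
                         "TCP transport with no encryption: sessions are cleartext"))
    elif transport == "tcp" and encryption == "56-bit des":
        findings.append(("medium", "encryption",
                         "56-bit DES is weak; prefer the SSL transport"))
    # Assumption: an SSL transport is unusable without a certificate name.
    if transport == "ssl" and not cfg.get("sslcertificate", ""):
        findings.append(("high", "sslCertificate",
                         "SSL transport selected but no certificate named"))

    port = cfg.get("hostportid", "")
    if port:
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append(("error", "hostPortID", "not a valid TCP port: %r" % port))
        elif int(port) != DEFAULT_PORT:
            findings.append(("info", "hostPortID",
                             "firewall rules must allow TCP %s, not %d" % (port, DEFAULT_PORT)))
    return findings


# Constructed sample: cleartext transport on a non-default port.
SAMPLE_WEAK = """\
[config]
; transport SSL (Encrypted) or TCP
transport=TCP
; hostPortID 491 (default)
hostPortID=8491
; encryption None or 56-bit DES
encryption=None
sslCertificate=
; authentication Standard or Integrated
authentication=Standard
"""

# Constructed sample: SSL transport with a placeholder certificate name.
SAMPLE_SSL = """\
[config]
transport=SSL
hostPortID=491
encryption=
sslCertificate=webspace-host.example.test
authentication=Integrated
"""

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("ssl", SAMPLE_SSL)):
        for severity, key, message in audit_installconfig(sample):
            print("%s: [%s] %s: %s" % (name, severity, key, message))
```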

Use the following Webspace setup.exe command line options (case sensitive) to perform a silent install:

Command Line Option: Description

  • /quiet: Quiet installation. No user wizard or dialog interaction, only the Windows reboot dialog at the end of setup.
  • /SuppressReboot=TRUE: Suppress the reboot dialog. The unattended installation still requires a reboot for successful Webspace installation. A combination of /quiet and /SuppressReboot=TRUE is equivalent to a silent installation.
  • /INSTALLDIR=<install path>: Install Webspace to a path other than the default path.
  • /inifile=<path to installconfig.ini>: Automatically configures the Webspace Admin Console settings.

The Webspace Service also sets up an application pool when IIS is detected during the installation of the Webspace product. An administrator account for Windows is required to set this up. This can be specified on the command line during the installation by using the following command line options.

Command Line Option: Description

  • /pwsapppooluser=<username>: Username for configuring the Webspace IIS AppPool.
  • /pwsapppoolpwd=<password>: Password for configuring the Webspace IIS AppPool.

Installation Steps for Webspace

To install Webspace:

  1. On the SCADA Server computer (recommended), install iFIX Server or CIMPLICITY Server.
  2. On your Web Server, uninstall any previous builds of Webspace.
  3. On your Web Server, if it is not already installed, install the iFIX View node or CIMPLICITY Viewer/Server (for supported versions see the Software Requirements topic, "Compatibility with Other GE Products" section).
    Tip: For CIMPLICITY, while the Viewer is supported, it is recommended that you use a CIMPLICITY HMI Server 75 I/O Development & Runtime System. This Server is the lowest CIMPLICITY Server I/O count that you can have that allows for network access. It also provides the best flexibility for any centralized client node.
  4. Shut down any GE applications or services that run on startup. For instance, if you have Historian for SCADA Collectors configured to start when you start Windows, use the Services window to shut them down.
  5. Confirm that a supported version of Microsoft Internet Information Server (IIS) or Apache HTTP Server was installed beforehand. If it is not, install it now, as the Webspace install requires it.
  6. If installing on Microsoft Windows 8.x 64-bit, or Microsoft Windows Server 2012 64-bit, ensure that the ASP.NET feature is enabled:
    • In Microsoft Windows 8.x, from the Control Panel > Programs and Features, click, "Turn Windows Features on or off." In the Windows Features list, enable the following option: Internet Information Services > World Wide Web Services > Application Development Features > ASP .NET 4.5 or ASP .NET. Click OK to install.
    • In Microsoft Windows Server 2012, open the Server Manager, and click Add Roles and Features. From the Add Roles and Features Wizard, click the Server Roles link (or click through the wizard until you get to this page). Enable the following role: Web Server (IIS) > Web Server > Application Development > ASP .NET 4.5. Click Next until you get to the Confirmation page, and then click Install.
      Note: Microsoft Windows 8.x and Windows Server 2012 come with ASP .NET pre-installed and registered. Be sure to install the latest Windows updates. If ASP.NET 4.5 has not been registered on the Web server, you need to manually configure your Web server for ASP.NET 4.5 in order for your site to run correctly. For example, to register ASP .NET for IIS on Windows 8, use the command line: %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -i. For more information on installing using the command line refer to the Microsoft MSDN web site: http://msdn.microsoft.com/en-us/library/ms229858(v=vs.100).aspx. For more information on installing other ways, refer to MSDN: http://msdn.microsoft.com/en-us/library/5a4x27ek(v=vs.110).aspx. Also be sure to install the latest Windows updates.
      Important: On Microsoft Windows 7, DO NOT enable the Microsoft .NET 3.5.1 > Windows Communication Foundation HTTP Activation feature.
  7. Ensure that TCP/IP is enabled prior to installation. Configure any external firewall and any software firewall on the server to allow TCP port 491.
  8. Log in as a user with Administrator rights and start the Webspace installation.
  9. From the Welcome screen, click Next.
  10. On the License Agreement screen, to continue the installation, accept the terms of the license agreement, and click Next.
  11. On the Logon credentials screen, enter the User Name and Password for the user you plan to use as the administrator for this Webspace installation (for the IIS Webspace application pool), and click Next.
  12. On the Ready to Install the Program screen, click Install to begin the installation.
  13. When the installation is completed, click Finish and then restart the computer.
  14. Continue with configuration steps for your iFIX or CIMPLICITY software.

Certificate Installation

If you want to use encryption with certificates, the WebSpace installer provides an Install Certificates option which you can use to create a certificate. When you click the Install Certificates option from the installer menu, the Webspace Certificate Configuration Tool opens. From here you can Create and Bind a self-signed certificate for Webspace. If the Create, Import, and Bind Certificates sections do not appear to update in the tool after the action completes, click the Restart IIS Site option. Then, restart the Webspace Certificate Configuration Tool by clicking the Install Certificates option from the installer menu again, and review the sections again.

After the certificate is created, you can then select the certificate on the Security tab in the Webspace Admin Console.

If you did not buy the strong encryption license option, you do not need to install any certificates.

iFIX Configuration

On the SCADA Server computer:

  1. Update the HOSTS file with the name of the SCADA Server, to ensure the highest reliability for connectivity. If the SCADA Server node name is different from the computer name that it was installed on, you also need to add this name to the HOSTS file. The HOSTS file on the Webspace Server should be identical to the one on the SCADA Server.
  2. In Windows (Workgroup or Domain, preferably Domain), add the user accounts that you want to use with the Webspace Server. You must have the privileges to do so.
  3. If you want to enable security on the iFIX SCADA node (most likely), add these same users to the iFIX SCADA through the Security Configuration application (Edit > User Accounts). iFIX must be running to access this tool and enable security (Edit > Configuration).
    Important: If security is enabled, it is recommended that the iFIX SCADA Server and the Webspace Server reside on the same network. These same user account names will later need to be added to the Webspace Server.
    Tip: When adding users through the Security Configuration application in iFIX, be sure to select the Windows Security option for the user.
    Important: When assigning security privileges in iFIX, use care when allowing application features that could allow write access, such as the "Database Save/Reload" and "Runtime Visual Basic Editor" features, as well as creating pictures with Datalinks, or any other means to write values into tags. Use Security Areas and Security Groups to further restrict access. Also, use care when creating and sharing schedules in iFIX, so that unintended VBA code is not activated inadvertently by web sessions. For more information on iFIX Security, refer to the Configuring Security Features e-book in the iFIX online help.
  4. In the iFIX System Configuration (SCU) tool, ensure that the Network Configuration is set to TCP/IP (Configure > Network), and that SCADA is enabled (Configure > SCADA).
  5. Create your pictures.

On the Web Server computer:

  1. Update the HOSTS file with the name of the SCADA Server, to ensure the highest reliability for connectivity. If the SCADA Server node name is different from the computer name that it was installed on, you also need to add this name to the HOSTS file. The HOSTS file on the Webspace Server should be identical to the one on the SCADA Server.
  2. In Windows (Workgroup or Domain, preferably Domain), add the user accounts that you want to use with the Webspace Server. If you are on a domain, you may have already done this. You must have the privileges to do so.
  3. In the iFIX Security Configuration program, add these same user accounts (Edit > User Accounts), and enable security (Edit > Configuration). iFIX must be running to access this tool and enable security. Unlike the SCADA Server, this step is not optional on the iFIX Webspace Server.
    Important: If security is enabled, it is recommended that the iFIX SCADA Server and the Webspace Server reside on the same network. These same user account names will later need to be added to the Webspace Server.
    Tip: When adding users through the Security Configuration application in iFIX, be sure to select the Windows Security option for the user.
    Important: When assigning security privileges in iFIX, use care when allowing application features that could allow write access, such as the "Database Save/Reload" and "Runtime Visual Basic Editor" features, as well as creating pictures with Datalinks, or any other means to write values into tags. Use Security Areas and Security Groups to further restrict access. Also, use care when creating and sharing schedules in iFIX, so that unintended VBA code is not activated inadvertently by web sessions. For more information on iFIX Security, refer to the Configuring Security Features e-book in the iFIX online help.
  4. In the iFIX System Configuration (SCU) tool:
    1. Open the WEB.SCU file. If an iFIX View node is not installed before you install Webspace, you will need to manually create the WEB.SCU file; the WEB.SCU will not automatically be created if you install Webspace before iFIX View node.
    2. Verify that Network Configuration is set to TCP/IP (Configure > Network), that SCADA is disabled (Configure > SCADA), and that Workspace.exe appears in your tasks list (Configure > Tasks). By default, these settings are automatically configured during install. If these settings are not correct, update them now.
    3. Specify the name of your iFIX SCADA Server in the Remote Nodes list (Configure > Network).
  5. Either copy your pictures from the SCADA Server to the PIC folder on the iFIX Webspace Server (recommended for optimum performance), or map a drive to your PIC folder on your SCADA Server. If you map a drive for pictures:
    1. If you are using shared drives with Local Windows users (not on the Domain), make sure that the user is present on both the Webspace Server machine, and the machine which contains the shared folder.
    2. In the SCU on the Webspace Server, open WEB.SCU and point the picture folder to that mapped drive letter (Configure > Paths).
    3. Update the LoginScript.bat file provided in the C:\Program Files\Proficy\iFIX Webspace Server\Programs folder with the mapped drive information, and then add the script name to the Session Startup options in the Webspace Admin Console. For more information, refer to the online help for the Webspace Admin Console.
  6. Optionally, in the Webspace Admin Console, configure printer options and other session properties. For more information, refer to the online help for the Webspace Admin Console.
  7. If you want to configure multiple input locales for your web sessions, add the input language and keyboard layout for that locale to the Regional Settings on the Webspace Server. For more information, refer to the online help for the Webspace Admin Console.

Tips for Web Server Setup

  • You can find the HOSTS file in the C:\WINDOWS\system32\drivers\etc folder.
  • Use a text editor such as Notepad to edit the HOSTS file, and do not add a file extension to the file.
  • An example entry in the HOSTS file is as follows: 198.212.170.4 SCADA01.
  • If SCADA1 was the iFIX SCADA Server node name, but the computer name where the iFIX SCADA Server was installed was AREA1, you would need to add a second line to the HOSTS file for AREA1: 198.212.170.4 AREA1.
  • If you do not know the TCP/IP address of the SCADA computer, run the IPCONFIG command on the SCADA Server.
  • The same, identical entries should appear in the HOSTS file for the SCADA Server and the Webspace Server.
  • In an Enhanced Failover setup, make sure that the primary and secondary servers are separate from the Webspace server.
  • If iFIX is installed after Webspace, manually create and configure a WEB.SCU file if iFIX is to be used with Webspace.

CIMPLICITY Configuration

  • On the Web Server computer, configure Windows-based security or Standard CIMPLICITY security for CIMPLICITY.
    Important: Make sure the same security is configured for both the CIMPLICITY Server and Webspace servers.
  • Make all of the paths (with their folders) that will be shared for the Web Clients read-only. This will avoid running into the Microsoft limitation for sharing files.
  • On the CIMPLICITY Server, to publish a web page for a CIMPLICITY CimView screen, right-click the CIMPLICITY Options application and run as Administrator. On the Webspace tab, click the "Create a Web Page" button. The next dialog box allows you to select the screen that you want and creates a web page for it; if it does not pick up the default Webspace directory to place the html file in, you will need to enter it. If it's an Apache server, you will need to browse to the location of the Apache Server; by default, the Apache Server location is: "C:\Program Files (x86)\Apache Software Foundation\ApacheX.Y\htdocs\ProficyWebspace", where X.Y is the Apache version number.
  • Run the CimView screen(s) natively in Cimview.exe on the Webspace Server to ensure proper Viewer-to-Server communications are established. Since your CIMPLICITY project server(s) are most likely remote to the Webspace Server, it is highly recommended that CIMPLICITY Deployment is configured to synchronize files with the Webspace Server (and keep them up-to-date).
  • Do not use shared CimView screens. If you do, every client that connects will need to create their own share, which could run the server out of resources. This could increase the time it takes a user to log in, and could make the server fail.
  • A separate CimView.exe and CimLayout.exe session runs for each Webspace session with CIMPLICITY.
  • For the CIMPLICITY Windows Desktop Client, be sure that the command line parameter "-r" specifies the command line parameters for CIMVIEW. For example, -r CIMVIEW "C:\MyProject\screens\MyScreen.cim" will open the correct screen, as long as -r comes after the -a parameter, and all the other parameters are correct. For example: "C:\Program Files (x86)\Proficy\Proficy Webspace\Client\Proficy.exe" -h MyServer -c -a CimView -r CIMVIEW "c:\screens\userscreen.cim"
  • Do not configure the Webspace machine for Power Save or Lock; either feature can block Web Clients from connecting or cause them to lose an active connection.
  • If the session has been configured to Zoom to Best fit, the CimView screen will fit into the ActiveX container. The ActiveX container will conform to the Internet Explorer size when the URL is accessed.
  • The ActiveX Control or plug-in fits into the size of the browser when the URL is accessed; the size does not change when you resize the browser. Therefore, make sure the browser is the size you want before you go to the URL that will start the Webspace session.
  • In a redundant SCADA server setup, make sure that the primary and secondary servers are separate from the Webspace server.
  • Optionally, in the Webspace Admin Console, configure printer options and other session properties. For more information, refer to the online help for the Webspace Admin Console.
  • If you want to configure multiple input locales for your web sessions, add the input language and keyboard layout for that locale to the Regional Settings on the Webspace Server. For more information, refer to the online help for the Webspace Admin Console.

Terminal Services Configuration

Do not install Webspace on a CIMPLICITY or iFIX Server that has already been configured as a Terminal Server. This type of installation is not supported.

Migration from iFIX Webspace or Globalview to Webspace

Direct upgrades from iFIX Webspace or Globalview are NOT supported. To use Webspace, you must first manually uninstall iFIX Webspace or Globalview, and then follow the install steps above. You will need to configure the web.scu (for iFIX) and republish your {cimpscreen}.html to the Web Server again (for CIMPLICITY), and possibly update some security settings.
Important: Before you uninstall the previous version: If you changed any of the default settings in the Host Options dialog box on the Webspace or Globalview Server or any other settings, you will need to re-enter these changes in the Administration application after upgrading. Be sure to take note of these settings before uninstalling the software so that you can enter them again after installing the new Webspace.

Be aware that if you try to install Webspace before uninstalling either of these applications, a message will appear reminding you that you need to manually uninstall the previous product.

If you run Webspace from the URL, be aware that the URL has changed. The new URL is http://<WebspaceServerName>/ProficyWebspace/<filename>.html, (for iFIX filename.html = iFIX.html and for CIMPLICITY it is {cimpscreen}.html), where WebspaceServerName is the computer name of your Webspace Server.

Also, be aware that the iFIX.exe and Globalview.exe executables no longer exist in the new Webspace. The command has been replaced (in the Windows client) by proficy.exe -a iFIX |CimView.

The executable which installs the Windows Desktop Client has also changed in Webspace. The Globalview client installer (globalview-client.windows.exe) and iFIX Webspace client installer (iFIX-client.windows.exe) both have been replaced by proficy-client.windows.exe. You can still find this installer on the Webspace Server computer in the directory where you publish the Webspace files to be hosted by your IIS or Apache server, on the product DVD in the Setup\Proficy\Webspace\WebspaceServer subfolder, or in the Webspace install folder, which is by default the C:\Program Files\Proficy\Proficy Webspace\Web\Clients folder.
Important: The logon.html file that existed in the previous iFIX Webspace and Globalview applications no longer exists. Do not use logon.html with Webspace.

Finally, be aware that if you use a Relay Server configuration for iFIX, there may be changes that need to be made there.

Troubleshooting Tips

Each entry below lists an issue followed by the steps to troubleshoot it.

Issue: Client Connection Error
Steps to Troubleshoot:
  1. Confirm that the web service is operational, by attempting a connection to the web server, http://ServerName. If it fails, troubleshoot IIS/Apache itself.
  2. If successful with the connection, confirm that you can connect using http://ServerName/proficywebspace. A successful connection will show a list of GE products (iFIX or CIMPLICITY).
  3. If it fails, examine the IIS configuration on the Webspace server. Open IIS Manager and view the ProficyWebspace application pool. It should have a running sign. If it shows a stopped status, open its advanced properties and set a local administrator's credentials. Restart the IIS service.
  4. If there is still an issue, open your browser and verify that JavaScript is enabled. With JavaScript enabled you should receive the option to connect to iFIX or CIMPLICITY when navigating to http://ServerName/proficywebspace.
  5. If you receive an error when opening http://ServerName/proficywebspace, view the error description and make sure the prerequisite items are installed (including the ASP .NET and HTTP Activation features).
  6. If the error indicates something about a conflicting config.ini, locate it and delete it (or rename it).
  7. If Webspace still does not start, confirm that the user credentials entered during the product install are correct. The user must be an Administrator, and the password must be correctly entered. A user who is not an Administrator or using an invalid password will cause the Webspace to fail during start. Incorrect user credentials cause the WebspaceAppPool to fail. This failure causes an HTTP 503 error (the service is unavailable) when accessing the http://webspaceserver/proficywebspace URL.
  8. To fix this issue, open the IIS administration tool and locate Application Pools in the left pane, and right-click the ProficyWebspaceAppPool. Select the Identity property, and supply the correct administrator credentials, and then restart the ProficyWebspaceAppPool.
  9. Attempt to log in again.
  10. If there is still an issue connecting to http://ServerName/proficywebspace on Apache, make sure that the \proficywebspace folder is copied to Apache's htdocs and that the contents are correct. The contents of the \proficywebspace folder under htdocs must be identical to that of the c:\program files\proficy\proficy webspace\web folder.
  11. On Apache, also check the spelling of the folders and links. Some versions of Apache might be case-sensitive.

Issue: HTTP Error 500.19 Internal Server Error appears and session cannot be established
Steps to Troubleshoot: If this error occurs, delete the Web.config file in C:\Program Files\Proficy\ ProficyWebspace\Web folder, and then try to re-establish a connection.

Issue: Session cannot connect with Strong Encryption enabled
Steps to Troubleshoot: When using the certificate installed with Webspace and strong encryption, you cannot start a Webspace session with the IP address of the WebSpace server. The IP address cannot be used for the host name. Use the Full Computer Name in the URL instead. The option to increase is only available if your license includes the Strong Encryption option.

Issue: Error with Verify Trust
Steps to Troubleshoot: This error is usually the result of outdated root certificates. Ask your IT department for guidance on how to update them.

Issue: Webspace Session Connects but Has Other Recurring Server-side Issues
Steps to Troubleshoot: Set the APS log level to 4. You can set the logging level in the Webspace Admin Console, by selecting Tools > Host Options, and then clicking on the Log tab. Enter the logging number in the Output Level field. Repeat test(s) and capture logs to send to GE Digital Support for Analysis.
Note: All log files, whether they pertain to the client or server machine, are located on the Webspace Server. The Log folder in the Webspace install folder contains all the aps_* log files. (A new log file is created each time the Webspace Application Publishing Service is started.)

Issue: Required Paths and Programs are Missing After Whitelisting is Enabled
Steps to Troubleshoot: The symptoms for this scenario will differ based on what is missing. But the Application Publishing Service log will show that an attempt was made to start and stop those applications.

Issue: Application Publishing Service fails to start
Steps to Troubleshoot: All the paths and programs are in the list, but the Application Publishing Service fails to start after enabling whitelisting. Try editing the WorkspacePropertyDefinitions.xml file. If the Application Publishing Service will not start after editing the XML file, it may be because of syntax issues (for example, a missing ; or ") or case-sensitivity (the value must be lowercase; for instance: "true" or "false").

Issue: Help Not Accessible in Web Sessions
Steps to Troubleshoot: Help has been disabled from web sessions when in whitelist mode.

Issue: Cmd.exe Excluded from the Whitelist
Steps to Troubleshoot: Since adding cmd.exe introduces the potential for a Webspace user to run operating system commands, it has been removed from the default whitelist. As a secure configuration practice, GE advises against including this command in the list.

Issue: Third Party Items and Whitelisting Issues
Steps to Troubleshoot:
  • For any third-party products, the install paths should be added along with any programs with the right permissions to include all sub directories.
  • Any additional dependencies such as .NET frameworks, and so on, should be included.
  • When in doubt, turn on the SandBoxLog to identify the missing executables, as they will be clearly spelled out in the debug view logs.

Using Debug Mode for Whitelisting

An administrator can turn on the whitelisting debug view logs as follows:

  1. Add a DWORD registry value named SandBoxLog under the HKLM\Software\Proficy\Proficy Webspace\AppServer key and reboot.
  2. If this value exists and is set to a non-zero value, the user SandBox feature will output a debug message any time it blocks access to a process or a file. The message will include the path to the process or file that was blocked.
  3. To capture this output, run DebugView on the host and enable both of the kernel options under the Capture menu. You can download DebugView from: https://technet.microsoft.com/en-us/library/bb896647.aspx
  4. If the SandBoxLog value exists and is set to 0, the driver will not output debug messages when it blocks access to a file or process.
  5. The Administrator will have to manually create the SandBoxLog registry value. Therefore, the option will be off by default. The following is a sample debug view log:
    00000032 68.71609497 m_ZwCreateSection ERR __110__: C0000022 
The hexadecimal values of the XML texts used for SandBox access permissions are as follows (XML text, hexadecimal value, description):

  • ACCESS_DENIED, 0x00: No access is allowed.
  • ACCESS_READ, 0x01: Only read access is allowed.
  • ACCESS_WRITE, 0x03 (0x02 | ACCESS_READ): Both read and write are allowed.
  • ACCESS_ALLOW_DESCENDANTS, 0x10: Filter none. Allow files and folders to be listed recursively.
  • ACCESS_ALLOW_ALL_CHILDREN, 0x20: Wildcard. Allow all files within a folder to be listed.
  • ACCESS_ALLOW_VISIBLE_CHILDREN, 0x40: Whitelist. Allow only whitelisted files and folders to be listed. (This bit is for the internal mechanisms of the SandBox and should not be added unless instructed.)

The permissions log can help, for example, if you have added a folder with READ + Visible all, but debug indicates that SandBox is blocking the access to the file. In general, SandBox blocks the handle creation to a given file/folder according to the requested permissions. In other words, even if an application only reads from a certain file, but it requested full access to it (such as WRITE), SandBox will block it from accessing the file in the first place.

Example diagnosis of log: P=0x01 indicates there is a write problem because only read access is allowed. So you would need to go back and open up the Common Files path to have ACCESS_WRITE permissions as well.
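
As an added example (not GE's code and not the SandBox driver's logic), the following Python decodes a permission value such as the P=0x01 in the diagnosis above into the names from the permissions table, and models the blocking rule described above: a handle request is refused when it asks for an access bit the whitelist entry does not grant. The function names, and the assumption that a requested access uses the same bit encoding as the table, are illustrative.

```python
# Permission values taken from the SandBox permissions table on this page.
ACCESS_DENIED = 0x00
ACCESS_READ = 0x01
ACCESS_WRITE = 0x03                     # 0x02 | ACCESS_READ
ACCESS_ALLOW_DESCENDANTS = 0x10
ACCESS_ALLOW_ALL_CHILDREN = 0x20
ACCESS_ALLOW_VISIBLE_CHILDREN = 0x40

ACCESS_MASK = 0x03                      # the read and write bits
LISTING_FLAGS = (
    (ACCESS_ALLOW_DESCENDANTS, "ACCESS_ALLOW_DESCENDANTS"),
    (ACCESS_ALLOW_ALL_CHILDREN, "ACCESS_ALLOW_ALL_CHILDREN"),
    (ACCESS_ALLOW_VISIBLE_CHILDREN, "ACCESS_ALLOW_VISIBLE_CHILDREN"),
)
KNOWN_BITS = ACCESS_MASK | 0x70


def decode_permission(value):
    """Translate a permission value (for example P=0x01) into XML text names."""
    access = value & ACCESS_MASK
    if access == ACCESS_WRITE:
        names = ["ACCESS_WRITE"]
    elif access == ACCESS_READ:
        names = ["ACCESS_READ"]
    elif access == 0x02:
        names = ["0x02 (write bit without ACCESS_READ)"]
    else:
        names = ["ACCESS_DENIED"]
    names += [name for bit, name in LISTING_FLAGS if value & bit]
    unknown = value & ~KNOWN_BITS
    if unknown:
        names.append("unknown bits 0x%02X" % unknown)
    return names


def diagnose(granted, requested):
    """Compare what a whitelist entry grants with what a process requested.

    Model only (assumption): the request is blocked when it asks for a read or
    write bit the entry lacks, even if the process would only ever read.
    """
    missing = requested & ACCESS_MASK & ~granted
    if not missing:
        return {"blocked": False, "missing_bits": 0, "entry_needs": granted}
    # Keep the entry's listing flags and add only the access bits requested.
    return {
        "blocked": True,
        "missing_bits": missing,
        "entry_needs": granted | (requested & ACCESS_MASK),
    }


if __name__ == "__main__":
    # The page's diagnosis: entry grants P=0x01, application requested write.
    result = diagnose(0x01, ACCESS_WRITE)
    print(decode_permission(0x01), "->", result)
    print("entry would need:", decode_permission(result["entry_needs"]))
```

Widen an entry this way only when the application is actually failing, in line with the best practices below.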

Whitelisting Best Practices

  • Wherever possible, you should use environment variables in the whitelist paths (for example, %ProgramFiles(x86)%\Microsoft Visual Studio 9.0\Common7\IDE\devenv.exe;). This will allow the DefaultWorkspaceProperties.xml file to be transferred to systems that might have different versions of Windows.
  • Not every blocked access entry needs to be added to the path. Add the entries to the path only if the application is not working correctly.
  • Begin by giving all permissions and include the parent path. Once everything is working properly, you can then evaluate folder by folder and analyze each flag to restrict access.
  • Be sure to check GE Digital Support (https://digitalsupport.ge.com) for KB articles that may help you in troubleshooting.