IT System Planning Guide EBO

The document discusses the cybersecurity features of Schneider Electric's EcoStruxure Building Operation software. It provides a detailed list of the security features, grouped by category such as identification and authentication, authorization, confidentiality, and integrity. Each feature includes the version of the software it was introduced in. The document is intended for IT professionals to review the system design and security.


www.schneider-electric.com/buildings | 1

Information Technology System Planning Guide


EcoStruxure Building Management

Commitment to IT-friendly and secure solutions


Schneider Electric views the deployment, monitoring, and security of the devices and software that comprise a Building Management System as essential to the goal of achieving optimal efficiency for a building. As a result, Schneider Electric is committed to providing an IT-friendly and secure solution.

Scope
This guide is designed for IT professionals who need to
review the system design and provide support for the
system installation.

EcoStruxure Building Operation Cybersecurity Features

The cybersecurity features of the EcoStruxure Building Operation software are constantly being enhanced. The following list of cybersecurity features indicates the version of the EcoStruxure Building Operation software each feature was introduced in.

Identification and Authentication

All human users are uniquely identified
• Admin logon password management (v1.3)

Imported User Accounts are disabled by default (v1.7)

Certificate functionality for HTTPS connections
• Self-signed certificates
• Default certificates (v1.4)
• Certificate Authority certificates (v1.6)

Password policies can be enforced (v1.6)
• Days until password expires
• Minimum number of characters
• Minimum number of lowercase characters
• Minimum number of numeric characters
• Minimum number of special characters
• Number of consecutive unique passwords before reuse
• No more than three repeating identical characters

SSH connection control (v1.6)
• Disabled after failed logon attempts
• Time-out for admin free connection re-enabling
• Rate limiting to protect against brute force attacks

SSH device fingerprint authentication (v1.9)

Password policies are secure by default:
• Factory settings (v1.7):
  – Days until password expires: Enabled: 90 days
  – Minimum number of characters: 8
  – Minimum number of lowercase characters: 1
  – Minimum number of numeric characters: 1
  – Minimum number of special characters: 1
  – Number of consecutive unique passwords before reuse: 6
  – Do not allow more than three repeating identical characters: Enabled
• Force Admin password change (v1.7)
• Password blacklist (non editable) (v1.7):
  – 123
  – admin
  – Admin
  – admin1
  – Admin1
  – Admin1!

04-32013-02-en, August 2020


© 2020 Schneider Electric. All rights reserved. Trademarks and registered trademarks are the property of their respective owners.
www.schneider-electric.com/buildings | 2


  – password
  – Password
  – PaSsWoRd
  – Password1!

Active Directory/Windows Logon support is available for both Workstation and WebStation (v1.5)

Enterprise Server Run-As-Service selectable user account (v1.5)

Secure flag for cookies in WebStation is enabled when using HTTPS (v2.0)

Authorization

Custom logon banners can be enabled to communicate usage policies to operators
• Non-SSH connections (v1.5)
• SSH connections (v1.6)

Role-based access control (permissions)
• Object level security

Confidentiality

Encrypted transmission of data:
• HTTPS using TLS 1.0 (v1.2)
• HTTPS using TLS 1.1, TLS 1.2 (v1.9)
• SFTP using TLS 1.2 (v3.0.4)
• EWS Encrypted Logon (v1.5)
• Disable use of MD5 configuration option (v1.6)
• SNMPv3 support, SNMPv1 and v2 removed (v1.5)
• SmartX server: SSHv2, SSHv1 removed (v1.5)
• Redirect web clients to HTTPS configuration option (v1.6)
• SMTPS secure email notification support (v1.8)

Clickjacking protection options (v1.9)

Password data is obscured from view

Passwords are stored and transmitted securely

CA certificate central log storage (v1.6)

Basic secure key management

Basic data at rest protection (v1.4)

Integrity

Auto logoff (v1.5)

Audit log with system-wide synchronized timestamps

Activity logs provide non-repudiation

SmartX server Boot Loader U-Boot disabled (v1.5)

SmartX server Boot restricted to a single boot location (v1.5)

SHA2-256 Hash algorithm support (v1.9)

WebStation: HTML5 Graphics and Trend viewing support, removal of JAVA (v1.7)

Basic protection of audit information

Basic protection against program and data at rest modification

Basic protection for input validation

Basic protection for secure and effective error messages

Restricted data flow

Basic capabilities for network segmentation

Basic options for enabling/disabling ports
• Disable HTTP (HTTPS only) configuration option (v1.5)
• Disable SmartX AS-P and AS-B server USB ports configuration option (v2.0)
• Disable SmartX server SSH port 22 configuration option (v2.0)

World-writable programs or scripts removed (v1.6)

EcoStruxure Web Services server interface is disabled by default on EcoStruxure BMS servers (v2.0)

Timely response to events

Audit log access

SIEM Support: Remote system logging option (v1.6)

Web server access logging configuration option (v1.6)
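As an added example that is not code from the guide or from the product, the following checker implements the factory password policy settings listed above (8 characters minimum, at least one lowercase, numeric and special character, no more than three repeating identical characters, six-password reuse history, 90-day expiry and the non-editable blacklist). The class and function names are this example's own, and the reading of "more than three repeating identical characters" as a run of four or more is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Sequence


@dataclass(frozen=True)
class PasswordPolicy:
    """Factory settings as printed in the guide (v1.7). The class and field
    names are this example's own, not EcoStruxure Building Operation identifiers."""
    expiry_days: int = 90
    min_length: int = 8
    min_lowercase: int = 1
    min_numeric: int = 1
    min_special: int = 1
    history_depth: int = 6       # consecutive unique passwords before reuse
    max_repeat_run: int = 3      # no more than three repeating identical characters
    # Non-editable blacklist as printed in the guide; entries are case-sensitive.
    blacklist: FrozenSet[str] = frozenset({
        "123", "admin", "Admin", "admin1", "Admin1", "Admin1!",
        "password", "Password", "PaSsWoRd", "Password1!",
    })


DEFAULT_POLICY = PasswordPolicy()


def check_password(candidate: str, history: Sequence[str] = (),
                   policy: PasswordPolicy = DEFAULT_POLICY) -> List[str]:
    """Return the list of rules the candidate violates; an empty list means
    the password is acceptable under the policy."""
    problems = []
    if candidate in policy.blacklist:
        problems.append("blacklisted")
    if len(candidate) < policy.min_length:
        problems.append("too short")
    if sum(c.islower() for c in candidate) < policy.min_lowercase:
        problems.append("no lowercase character")
    if sum(c.isdigit() for c in candidate) < policy.min_numeric:
        problems.append("no numeric character")
    if sum((not c.isalnum()) and (not c.isspace()) for c in candidate) < policy.min_special:
        problems.append("no special character")
    # Assumption: "more than three repeating identical characters" means a run
    # of four or more of the same character, e.g. "aaaa".
    if re.search(r"(.)\1{%d,}" % policy.max_repeat_run, candidate):
        problems.append("repeated character run")
    # Only the most recent history_depth passwords block reuse.
    if candidate in list(history)[-policy.history_depth:]:
        problems.append("reused recent password")
    return problems


def password_expired(last_changed_iso: str, today_iso: str,
                     policy: PasswordPolicy = DEFAULT_POLICY) -> bool:
    """True once the password is at least expiry_days old. Dates are ISO strings."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed >= timedelta(days=policy.expiry_days)
```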


Resource availability

System backup, recovery and reconstitution

Access to network and security configuration settings

IT Overview

Best practice LAN architecture

Servers should be protected against cybersecurity threats by using standard IT hardening methods, such as a firewall and port filtering. The servers in the EcoStruxure BMS have several internal cybersecurity features. However, a defense-in-depth approach is recommended, particularly when Internet connectivity is required. Direct Internet connectivity is not supported.

The figure below shows the best practice architecture for the implementation of a Building Management System LAN connected to a Corporate LAN. The primary feature is the presence of the segregation firewall that effectively decouples the two networks.


IT architecture implementation example


On the Corporate LAN side, there may be many EcoStruxure Building Operation WorkStations. They are used to program and manage the Building Management System equipment.

Mobile and wireless devices are becoming as prevalent in the Building Management System world as they are in the corporate world. Building management professionals require secure and easy access to the Building Management System. The IT professional should plan on providing a pathway from the wireless system to the Building Management System firewall.

On the Building Management System side, a wide range of IP devices are operational 24/7/365:

• EcoStruxure Building Operation WorkStations
• EcoStruxure BMS servers that are software applications (Enterprise Central, Enterprise Server, License Server, and Reports Server)
• SmartX servers (SmartX AS-P servers and SmartX AS-B servers): These EcoStruxure BMS servers are hardware devices and use TCP/IP for their main communications and additionally support a wide array of open and proprietary serial bus protocols.
• SmartX IP Controller devices:
  – RP Series controllers (RP-C): These are IP-based field controllers, which are connected to a SmartX AS-P or AS-B server or an Enterprise Server using various network topologies such as star, daisy-chain, or RSTP.
  – MP Series controllers (MP-C and MP-V): These are IP-based field controllers, which are connected to a SmartX AS-P or AS-B server or an Enterprise Server using various network topologies such as star, daisy-chain, or RSTP.
  – IP-IO modules: These are IP-based I/O extension modules, which are connected to an MP Series controller, a SmartX AS-P or AS-B server, or an Enterprise Server using various network topologies such as star, daisy-chain, or RSTP.
• External log storage for historical data can either be installed on the same PC as the Enterprise Central or Enterprise Server or on a separate PC.

During normal operation, only a very limited amount of well-defined data needs to pass through the firewall, which ensures a simplified configuration of the segregation firewall.

Types of traffic

In general, communication passing through the segregation firewall is associated with the following functions:

• HTTPS: This protocol is used for Building Management System engineering and monitoring, reports, web services, and EcoStruxure Web Services.
  EcoStruxure Web Services is a Schneider Electric web services standard used for integration between systems. In certain scenarios, the EcoStruxure Web Services traffic remains on the Building Management System LAN, and in other scenarios, the traffic could traverse public networks. As such, the firewall needs to be configured according to each use case.
• SSH: This protocol is used for EcoStruxure Building Operation software upgrade operations on SmartX servers. The need to have this port open depends on network use policy.
• SNMPv3: This protocol is used to monitor servers within an EcoStruxure BMS using standard SNMP Managers supporting SNMP version 3 authentication. The protocol can also be used by the EcoStruxure BMS to send trap notifications to an SNMP management console.
• SMTPS: This protocol is used to send secure email messages.

Open port on segregation firewall

The active communication paths should first be identified between network segments. Refer to the Communication Paths figure for the respective IP device to determine the paths that will be active to support the targeted system design. Then refer to the Network Ports table for the respective IP device to identify the network ports each path will require. All of the required ports should be configured for both inbound and outbound communication.


Enterprise Central – Communication paths


Enterprise Central – Network Ports

| Path | Function | Connection Type | Protocol (Default State) | Default Port (TCP or UDP) | Configurable Port | Can Be Disabled when Enabled | Usage | Internet Needed | Optional Settings |
|---|---|---|---|---|---|---|---|---|---|
| B^a | Server to server comm. (option 1) | IT | CSP (Config.) | 4444 (TCP) | Yes | if option 1 | Persistent | - | - |
| B^a | Server to server comm. (option 2) | IT | HTTPS (Config.) | 443 (TCP) | Yes | if option 2 | Persistent | - | - |
| C^a | Client to server comm. (option 1) | IT | HTTP (Config.) | 80 (TCP) | Yes | Yes | On demand | - | - |
| C^a | Client to server comm. (option 2) | IT | HTTPS (Config.) | 443 (TCP) | Yes | - | On demand | - | - |
| D | Time synch. | IT | NTP (Disabled) | 123 (UDP) | – | Yes | Persistent | - | - |
| E | Network mgmt | IT | SNMPv3 (Disabled) | 161/162 (UDP) | – | Yes | Persistent | - | - |
| F | Email (option 1) | IT | SMTP (Disabled) | 25 (TCP) | – | Yes | Persistent | - | - |
| F | Email (option 2) | IT | SMTPS (Disabled) | 587 (TCP) | Yes | Yes | Persistent | - | - |
| O | System analytics | IT | HTTPS (Enabled) | 443 (TCP) | – | Yes | Persistent | Yes | - |
| P | Crash dumps | IT | SFTP (Enabled) | 22 (TCP) | Yes | Yes | On demand | Yes | - |
| R | Client to server comm. (option 1) | IT | HTTP (Enabled) | 80 (TCP) | Yes | Yes^b | On demand | - | Redirect to HTTPS |
| R | Client to server comm. (option 2) | IT | HTTPS (Enabled) | 443 (TCP) | Yes | Yes^b | On demand | - | - |
| S | Client to server comm. (option 1) | IT | HTTP (Disabled) | 80 (TCP) | Yes | Yes | On demand | - | Redirect to HTTPS |
| S | Client to server comm. (option 2) | IT | HTTPS (Disabled) | 443 (TCP) | Yes | Yes | On demand | - | - |
| T | Historical data collection (option 1) | IT | HTTP (Config.) | 80 (TCP) | Yes | Yes | Persistent | - | - |
| T | Historical data collection (option 2) | IT | HTTPS (Config.) | 443 (TCP) | Yes | - | Persistent | - | - |
| U | License checkout | Propriet. | FLEXnet (Enabled) | 27000-27009 (TCP) | Yes | - | Persistent | - | - |
| V | License heartbeat | Propriet. | FLEXnet (Enabled) | Random^c (TCP) | Yes | - | Persistent | - | - |
| CA | External log storage | IT | HTTP (Enabled) | 5432 (TCP) | Yes | Yes | Persistent | - | SSL |

a) This communication path uses dynamic port assignment. The port assignment is controlled by the operating system (Windows). The allowable range for the port assignment is configurable from Windows. The default dynamic port range depends on the operating system. For the EcoStruxure Building Operation software supported Windows versions, the default port range is 49152 to 65535.
b) Not for WebStation.
c) Flexera does not specify a port for the vendor daemon. If the port has not been specified, the port will be chosen at random by the operating system at runtime. It is completely random and depends upon what (non-restricted) ports are available at the time the operating system assigns it. This port may be configured manually to align with local policies and standard network management practices.


Enterprise Server – Communication paths


Enterprise Server – Network Ports

| Path | Function | Connection Type | Protocol (Default State) | Default Port (TCP or UDP) | Configurable Port | Can Be Disabled when Enabled | Usage | Internet Needed | Optional Settings |
|---|---|---|---|---|---|---|---|---|---|
| B^a | Server to server comm. (option 1) | IT | CSP (Config.) | 4444 (TCP) | Yes | if option 1 | Persistent | - | - |
| B^a | Server to server comm. (option 2) | IT | HTTPS (Config.) | 443 (TCP) | Yes | if option 2 | Persistent | - | - |
| C^a | Client to server comm. (option 1) | IT | HTTP (Config.) | 80 (TCP) | Yes | Yes | On demand | - | - |
| C^a | Client to server comm. (option 2) | IT | HTTPS (Config.) | 443 (TCP) | Yes | - | On demand | - | - |
| D | Time synch. | IT | NTP (Disabled) | 123 (UDP) | – | Yes | Persistent | - | - |
| E | Network mgmt | IT | SNMPv3 (Disabled) | 161/162 (UDP) | – | Yes | Persistent | - | - |
| F | Email (option 1) | IT | SMTP (Disabled) | 25 (TCP) | – | Yes | Persistent | - | - |
| F | Email (option 2) | IT | SMTPS (Disabled) | 587 (TCP) | Yes | Yes | Persistent | - | - |
| G | BACnet integr. | BMS open protocol | BACnet/IP (Disabled) | 47808 / 33487 (UDP) | Yes | Yes | Persistent | - | - |
| H | Modbus integr. | BMS open protocol | Modbus TCP (Disabled) | 502 (TCP) | – | Yes | Persistent | - | - |
| I | LonWorks integr. | BMS open protocol | LonWorks IP (Disabled) | 1628 (UDP) | – | Yes | Persistent | - | - |
| J | Transition | BMS propriet. | I/NET (Disabled) | 50069^b / 49152^c (UDP) | Yes, from 49152 to 65535 | Yes | Persistent | - | - |
| K | Transition | BMS propriet. | MicroNet (Disabled) | 7001 (TCP) | – | Yes | Persistent | - | - |
| L | Sigma integr.^d (data importer) | BMS open protocol | Sigma (Enabled) | 8080^e (TCP) | Yes | - | On demand | - | - |
| M | Sigma integr. | BMS propriet. | Sigma (Enabled) | 49152^f (UDP) | - | - | Persistent | - | - |
| N | Integr. | Driver depend. | Driver depend. (Disabled) | Driver depend. | Driver depend. | Yes | Persistent | - | - |
| O | System analytics | IT | HTTPS (Enabled) | 443 (TCP) | – | Yes | Persistent | Yes | - |
| P | Crash dumps | IT | SFTP (Enabled) | 22 (TCP) | Yes | Yes | On demand | Yes | - |
| R | Client to server comm. (option 1) | IT | HTTP (Enabled) | 80 (TCP) | Yes | Yes^g | On demand | - | Redirect to HTTPS |
| R | Client to server comm. (option 2) | IT | HTTPS (Enabled) | 443 (TCP) | Yes | Yes^d | On demand | - | - |
| S | Client to server comm. (option 1) | IT | HTTP (Disabled) | 80 (TCP) | Yes | Yes | On demand | - | Redirect to HTTPS |
| S | Client to server comm. (option 2) | IT | HTTPS (Disabled) | 443 (TCP) | Yes | Yes | On demand | - | - |
| T | Historical data collection (option 1) | IT | HTTP (Config.) | 80 (TCP) | Yes | Yes | Persistent | - | - |
| T | Historical data collection (option 2) | IT | HTTPS (Config.) | 443 (TCP) | Yes | - | Persistent | - | - |
| U | License checkout | Propriet. | FLEXnet (Enabled) | 27000-27009 (TCP) | Yes | - | Persistent | - | - |
| V | License heartbeat | Propriet. | FLEXnet (Enabled) | Random^h (TCP) | Yes | - | Persistent | - | - |
| CA | External log storage | IT | HTTP (Enabled) | 5432 (TCP) | Yes | Yes | Persistent | - | SSL |
| DA | MQTT | IoT open protocol | TLS (Enabled) | 8883 (TCP) | Yes | Yes | Persistent | -^i | - |

a) This communication path uses dynamic port assignment. The port assignment is controlled by the operating system (Windows). The allowable range for the port assignment is configurable from Windows. The default dynamic port range depends on the operating system. For the EcoStruxure Building Operation software supported Windows versions, the default port range is 49152 to 65535.
b) Default to 50069 for unencrypted communication.
c) Default to 49152 for encrypted communication.
d) For the engineering of Sigma, the Sigma software client(s) use TCP port 3614 to communicate with the Sigma server.
e) The EcoStruxure Building Operation data importer uses TCP port 8080 to import Sigma data from the Sigma server to the EcoStruxure Building Operation database.
f) Enterprise Server uses UDP port 41952 to communicate with the Sigma Universal Network Controllers (UNCs) and Integration Controllers (ICs) on the Sigma network.
g) Not for WebStation.
h) Flexera does not specify a port for the vendor daemon. If the port has not been specified, the port will be chosen at random by the operating system at runtime. It is completely random and depends upon what (non-restricted) ports are available at the time the operating system assigns it. This port may be configured manually to align with local policies and standard network management practices.
i) An Internet connection is not needed when you run the cloud service on the same local network as the Enterprise Server.


SmartX server – Communication paths


SmartX Server – Network Ports

| Path | Function | Connection Type | Protocol (Default State) | Default Port (TCP or UDP) | Configurable Port | Can Be Disabled when Enabled | Usage | Internet Needed | Optional Settings |
|---|---|---|---|---|---|---|---|---|---|
| A | Administration | Propriet. | SSH (Enabled) | 22 (TCP) | Yes | Yes | Config. only | - | - |
| B^a | Server to server comm. (option 1) | IT | CSP (Config.) | 4444 (TCP) | Yes | if option 1 | Persistent | - | - |
| B^a | Server to server comm. (option 2) | IT | HTTPS (Config.) | 443 (TCP) | Yes | if option 2 | Persistent | - | - |
| C^a | Client to server comm. (option 1) | IT | HTTP (Config.) | 80 (TCP) | Yes | Yes | On demand | - | - |
| C^a | Client to server comm. (option 2) | IT | HTTPS (Config.) | 443 (TCP) | Yes | - | On demand | - | - |
| D | Time synch. | IT | NTP (Disabled) | 123 (UDP) | – | Yes | Persistent | - | - |
| E | Network mgmt | IT | SNMPv3 (Disabled) | 161/162 (UDP) | – | Yes | Persistent | - | - |
| F | Email (option 1) | IT | SMTP (Disabled) | 25 (TCP) | – | Yes | Persistent | - | - |
| F | Email (option 2) | IT | SMTPS (Disabled) | 587 (TCP) | Yes | Yes | Persistent | - | - |
| G | BACnet integr. | BMS open protocol | BACnet/IP (Disabled) | 47808 / 33487 (UDP) | Yes | Yes | Persistent | - | - |
| H | Modbus integr. | BMS open protocol | Modbus TCP (Disabled) | 502 (TCP) | – | Yes | Persistent | - | - |
| I | LonWorks integr. | BMS open protocol | LonWorks IP (Disabled) | 1628 (UDP) | – | Yes | Persistent | - | - |
| N | Integr. | Driver depend. | Driver depend. (Disabled) | Driver depend. | Driver depend. | Yes | Persistent | - | - |
| Q | Crash dumps | IT | HTTPS (Enabled) | 443 (TCP) | Yes | Yes | On demand | Yes | - |
| R | Client to server comm. (option 1) | IT | HTTP (Enabled) | 80 (TCP) | Yes | Yes^b | On demand | - | Redirect to HTTPS |
| R | Client to server comm. (option 2) | IT | HTTPS (Enabled) | 443 (TCP) | Yes | Yes^b | On demand | - | - |
| S | Client to server comm. (option 1) | IT | HTTP (Disabled) | 80 (TCP) | Yes | Yes | On demand | - | Redirect to HTTPS |
| S | Client to server comm. (option 2) | IT | HTTPS (Disabled) | 443 (TCP) | Yes | Yes | On demand | - | - |
| W^c | DHCP | IT | DHCP (Disabled) | 67 (UDP) | - | Yes | Persistent | - | - |
| X | DHCP | IT | DHCP (Enabled) | 68 (UDP) | - | Yes | On demand | - | - |
| AD | License activation | Propriet. | HTTPS (Enabled) | 443 (TCP) | - | - | Setup only | Yes^d | - |
| CA | External log storage | IT | HTTP (Enabled) | 5432 (TCP) | Yes | Yes | Persistent | - | SSL |
| DA | MQTT | IoT open protocol | TLS (Enabled) | 8883 (TCP) | Yes | Yes | Persistent | -^e | - |
| DB | Zigbee Device | BMS open protocol | Zigbee (Enabled) | - | - | - | Persistent | - | - |

a) This communication path uses dynamic port assignment. The port assignment is controlled by the operating system (Linux). The allowable range for the port assignment is not configurable. The default dynamic port range depends on the operating system. For SmartX servers (Linux), the default port range is 32768 to 61000.
b) Not for WebStation.
c) Supported by SmartX AS-P and AS-B servers only.
d) Optional file-based activation.
e) An Internet connection is not needed when you run the cloud service on the same local network as the SmartX server.


SmartX IP Controller device – Communication paths


SmartX IP Controller Device – Network Ports

| Path | Function | Connection Type | Protocol (Default State) | Default Port (TCP or UDP) | Configurable Port | Can Be Disabled when Enabled | Usage | Internet Needed | Optional Settings |
|---|---|---|---|---|---|---|---|---|---|
| G | BACnet integr. | BMS open protocol | BACnet/IP (Disabled) | 47808 / 33487 (UDP) | Yes | Yes | Persistent | - | - |
| Y | Client comm. | Bluetooth Low Energy | BACnet BLE/PPT | - | - | Yes | On demand | - | - |
| X | DHCP | IT | DHCP (Enabled) | 68 (UDP) | - | Yes | On demand | - | - |


Reports Server – Communication paths


Reports Server – Network Ports

| Path | Function | Connection Type | Protocol (Default State) | Default Port (TCP or UDP) | Configurable Port | Can Be Disabled when Enabled | Usage | Internet Needed | Optional Settings |
|---|---|---|---|---|---|---|---|---|---|
| B | Server to server comm. (option 1) | IT | CSP (Config.) | 4444 (TCP) | Yes | if option 1 | Persistent | - | - |
| B | Server to server comm. (option 2) | IT | HTTPS (Config.) | 443 (TCP) | Yes | if option 2 | Persistent | - | - |
| Z | Client to server comm. | IT | HTTP (Config.) | 80 (TCP) | Yes | Yes | On demand | - | - |


License Server – Communication paths


License Server – Network Ports

| Path | Function | Connection Type | Protocol (Default State) | Default Port (TCP or UDP) | Configurable Port | Can Be Disabled when Enabled | Usage | Internet Needed | Optional Settings |
|---|---|---|---|---|---|---|---|---|---|
| U | License checkout | Propriet. | FLEXnet (Enabled) | 27000-27009 (TCP) | Yes | - | Persistent | - | - |
| V | License heartbeat | Propriet. | FLEXnet (Enabled) | Random^a (TCP) | Yes | - | Persistent | - | - |
| AA | Administration | Propriet. | FLEXnet (Enabled) | 27000-27009 (TCP) | Yes | - | On demand | - | - |
| AB | License activation | Propriet. | HTTPS (Enabled) | 27000-27009 (TCP) | Yes | - | Setup only | Yes^b | - |
| AC | Configuration (option 1) | IT | HTTP (Enabled) | 8888^c (TCP) | Yes^d | - | On demand | -^e | - |
| AC | Configuration (option 2) | IT | HTTPS (Disabled) | Not set (TCP) | Yes | Yes | On demand | -^e | - |

a) Flexera does not specify a port for the vendor daemon. If the port has not been specified, the port will be chosen at random by the operating system at runtime. It is completely random and depends upon what (non-restricted) ports are available at the time the operating system assigns it. This port may be configured manually to align with local policies and standard network management practices.
b) Optional file-based activation.
c) This is the port that a network scanner picks up when the Admin page starts up.
d) Can be redirected to HTTPS.
e) An Internet connection is not needed when you run the license server web application on the same computer as the license server.


Advanced Display (AD) – Communication paths


Advanced Display (AD) – Network Ports

| Path | Function | Connection Type | Protocol (Default State) | Default Port (TCP or UDP) | Configurable Port | Can Be Disabled when Enabled | Usage | Internet Needed | Optional Settings |
|---|---|---|---|---|---|---|---|---|---|
| BA | Data exchange | IT | HTTPS (Config.) | 443 (TCP) | Yes | Yes | Persistent | - | - |
| BB | Data exchange | IT | HTTPS (Config.) | 443 (TCP) | Yes | Yes | Persistent | - | - |

Windows Services

| Application | Windows Service | Startup Type | Recovery | Log On As Default |
|---|---|---|---|---|
| Enterprise Central | Building Operation x.y Enterprise Central | Automatic | Run a Program | Local System |
| Enterprise Central^a | Building Operation x.y Connect Agent | Automatic | Restart the service | Local System |
| Enterprise Server | Building Operation x.y Enterprise Server | Automatic | Run a Program | Local System |
| Enterprise Server^b | Building Operation x.y Connect Agent | Automatic | Restart the service | Local System |
| License Administrator^c | Building Operation x.y License Server | Automatic | Restart the service | Local System |
| Project Configuration Tool | Project Configuration Tool Modules Service | Automatic | Restart the service | Local System |
| WebReports | Building Operation x.y WebReports Agent | Automatic | Restart the service | Local System |

a) The Enterprise Central installation file includes the Connect Agent.
b) The Enterprise Server installation file includes the Connect Agent.
c) The License Administrator installation file includes two components: License Administrator and License Server. You can select to install both components or one of them. Only the License Server has a Windows service.

Bandwidth requirements

As in all instances of planning, more is generally better. Although the current SmartX servers are limited to 100 Mbps, a single installation may contain many SmartX servers each with a significant number of field devices resulting in substantial data traffic. Insufficient bandwidth may affect the overall performance of the building.

EcoStruxure BMS LAN descriptions

SmartX servers, Enterprise Server, and Enterprise Central

The SmartX servers are hardware devices with embedded Linux operating systems whereas the Enterprise Server and Enterprise Central are software applications that are installed on a PC. These EcoStruxure BMS servers are multi-function IP addressable devices that can provide the following functions:


Server Functions

Function | SmartX Servers | Enterprise Server | Enterprise Central
Server (for data exchange) – a server for open and proprietary protocols | Yes | Yes | Yes
Server (for clients) – a web server and server for application-based user interfaces | Yes | Yes | Yes

Router Functions

Function | SmartX Servers | Enterprise Server | Enterprise Central
IP Networks – a router for LON IP, BACnet/IP, Modbus TCP, Web Services, proprietary networks | Yes | Yes | Yes (a)
Private RS-485 Networks – a router for BACnet MS/TP, LON, Modbus RTU, proprietary networks | Yes | - | -
Private FT-10a Networks – a router for LON TP networks | Yes | Yes (b) | -

a) Enterprise Central includes only a router for Web Services.
b) With optional adapter.

Gateway Functions

Function | SmartX Servers | Enterprise Server | Enterprise Central
Gateway – a gateway for open and proprietary building automation protocols | Yes | Yes | -

Clients

The SmartX servers, Enterprise Server, and Enterprise Central support the following clients:

• WorkStation: An application-based Microsoft Windows client.
• WebStation: A browser-based client.

The SmartX IP Controller devices support the following clients:

• eCommission SmartX Controllers: A mobile application designed for local configuration, field deployment, and commissioning of SmartX IP Controller devices.

RP-C supports the following clients:

• Engage: A mobile application designed to enable control of room temperature, fan speed, lights, and blinds/shades directly from a smartphone.

AD

AD is a touch screen device that can be locked to an application such as the preinstalled web browser running WebStation. The preinstalled SmartXKiosk app prevents the user from closing the selected application or switching to another application. AD is connected to the EcoStruxure BMS using the USB ports on AD and a SmartX server. The preinstalled SmartX AD-Link app enables IP communication over USB.


External log storage for historical data

External storage(s) can be used as an option for storing historical data from Enterprise Central, Enterprise Servers, and SmartX servers.

The external log storage is installed using a separate installer program.

The historical data stored in the external log storage is available natively to viewers built into the EcoStruxure Building Operation clients.

External reporting tools can be used to access the external log storage and create reports based upon the stored historical data.

Reports Server

The Reports Server is used to gather data from the Building Management System and generate reports. The Reports Server requires the following Microsoft applications:

• ASP.NET
• Internet Information Services (IIS)
• SQL Server
• SQL Server Reporting Services

For more information on supported versions, see the EcoStruxure BMS requirements section.

Project Configuration Tool

Project Configuration Tool is an off-site engineering platform for the EcoStruxure BMS. The Project Configuration Tool simulates all functions of the Enterprise Central, Enterprise Server, and SmartX servers virtually before deployment.

Project Configuration Tool is a suite of three software programs: server, client, and WorkStation. The Project Configuration Tool server provides an environment within which all virtual EcoStruxure BMS servers of the project can run while being engineered. The Project Configuration Tool client provides an intuitive user interface for project management. WorkStation is a full-featured user interface for configuration of EcoStruxure BMS servers.

EcoStruxure Building Operation Software OS user requirements

To install and use the EcoStruxure Building Operation software, users must have the following credentials:

• All software requires the installing user to have administrative privileges on the PC onto which the installation is to take place.
• Enterprise Central, Enterprise Server, and License Server are installed as services and require a user with administrative privileges to start and stop the services.
• The PC running the Enterprise Central, Enterprise Server service or License Server service needs to be running under an administrative user’s account.
• Use of the Software Administrator or License Administrator requires that the user have administrative privileges.
• Operation of WorkStation, Device Administrator, and WebReports requires normal user privileges.

EcoStruxure BMS requirements

WorkStation includes Graphics Editor, Script Editor, Function Block Editor, and WorkPlace Tech Editor.

WorkStation

Hardware and software requirements | Supported versions
Processor: Minimum: Intel Core i5 @ 2.0 GHz or equivalent; Recommended: Intel Core i5 @ 3.0 GHz or better
Memory: Minimum: 4 GB; Recommended: 8 GB or higher
Storage capacity: Minimum: 20 GB
Operating systems: Microsoft Windows 10 (64-bit); Microsoft Windows Server 2012 R2 (64-bit); Microsoft Windows Server 2016; Microsoft Windows Server 2019



Visio versions (WorkPlace Tech Editor): Microsoft Office Visio 2016 (32-bit); Microsoft Office Visio 2013 (32-bit); Microsoft Office Visio 2010 SP1 (32-bit)
Required additional software: Microsoft .NET Framework 4.7.2 and later

The following Microsoft Windows 10 editions are supported: Pro and Enterprise.

The following Microsoft Windows Server 2012 R2 editions are supported: Datacenter, Standard, Essentials, and Foundation.

The following Microsoft Windows Server 2016 editions are supported: Datacenter, Standard, and Essentials.

The following Microsoft Windows Server 2019 editions are supported: Datacenter, Standard, and Essentials.

WebStation

Software requirements (web browsers) | Supported versions
Minimum web browser versions required: Google Chrome 61 and later; Mozilla Firefox 60 and later; Microsoft Edge (EdgeHTML) 16 and later; Safari 11.1 and later
Recommended web browser versions: Google Chrome 71 and later; Mozilla Firefox 64 and later; Microsoft Edge (EdgeHTML) 17 and later; Safari 11.4 and later

Enterprise Central

Hardware and software requirements | Supported versions
Processor: Minimum: Intel Core i5 @ 3.0 GHz or equivalent; Recommended: Intel Core i5 @ 4.0 GHz or better
Memory: Minimum: 6 GB; Recommended: 12 GB or higher
Storage capacity: Minimum: 1 TB; Recommended: 4 TB
Storage device: Recommended: Enterprise Solid State Drive (SSD). An Enterprise SSD is recommended to maintain the necessary speed and stability. The database and the binaries should both be installed on the Enterprise SSD.


Operating systems: Microsoft Windows 10 (64-bit); Microsoft Windows Server 2012 R2 (64-bit); Microsoft Windows Server 2016; Microsoft Windows Server 2019 (not supported for I/NET integrated system)
Required additional software: Microsoft .NET Framework 4.7.2 and later. The Microsoft .NET Framework is required by Software Administrator.
External log storage option: PostgreSQL 11.0 and later; TimescaleDB 1.2 and later. Quality assurance testing has been performed by Schneider Electric with TimescaleDB and PostgreSQL installed natively in Windows 10, Windows Server 2012, and Windows Server 2016. Other deployment scenarios have not been tested by Schneider Electric.

Processor power, memory, and storage capacity should be scaled upwards to accommodate the targeted system size, as determined by the total quantity of Enterprise Servers, SmartX servers, and expected historical archiving. Enterprise Central is tested on a server with an 8-core 3.6 GHz processor, 16 GB of memory, and an SSD storage capacity of 4 TB.

The following Microsoft Windows 10 editions are supported: Pro and Enterprise.

The following Microsoft Windows Server 2012 R2 editions are supported: Datacenter, Standard, Essentials, and Foundation.

The following Microsoft Windows Server 2016 editions are supported: Datacenter, Standard, and Essentials.

The following Microsoft Windows Server 2019 editions are supported: Datacenter, Standard, and Essentials.

Enterprise Server

Hardware and software requirements | Supported versions
Processor: Minimum: Intel Core i5 @ 2.0 GHz or equivalent; Recommended: Intel Core i5 @ 3.0 GHz or better
Memory: Minimum: 4 GB; Recommended: 8 GB or higher
Storage capacity: Minimum: 100 GB; Recommended: 1 TB
Storage device: Recommended: Enterprise Solid State Drive (SSD). An Enterprise SSD is recommended to maintain the necessary speed and stability. The database and the binaries should both be installed on the Enterprise SSD.
Operating systems: Microsoft Windows 10 (64-bit); Microsoft Windows Server 2012 R2 (64-bit); Microsoft Windows Server 2016; Microsoft Windows Server 2019 (not supported for I/NET integrated system)


Required additional software: Microsoft .NET Framework 4.7.2 and later. The Microsoft .NET Framework is required by Software Administrator.
External log storage option: PostgreSQL 11.0 and later; TimescaleDB 1.2 and later. Quality assurance testing has been performed by Schneider Electric with TimescaleDB and PostgreSQL installed natively in Windows 10, Windows Server 2012, and Windows Server 2016. Other deployment scenarios have not been tested by Schneider Electric.

Processor power, memory, and storage capacity should be scaled upwards to accommodate the targeted system size, as determined by the total quantity of Enterprise Servers, SmartX servers, and expected historical archiving. Enterprise Central is tested on a server with an 8-core 3.6 GHz processor, 16 GB of memory, and an SSD storage capacity of 4 TB.

The following Microsoft Windows 10 editions are supported: Pro and Enterprise.

The following Microsoft Windows Server 2012 R2 editions are supported: Datacenter, Standard, Essentials, and Foundation.

The following Microsoft Windows Server 2016 editions are supported: Datacenter, Standard, and Essentials.

The following Microsoft Windows Server 2019 editions are supported (not supported for I/NET integrated system): Datacenter, Standard, and Essentials.

Project Configuration Tool

Hardware and software requirements | Supported versions

Client
Client machine only:
Number of engineers: 1
Processor: Intel Core i5-3340M @ 2.70 GHz or higher
Memory: 8 GB or higher
Storage capacity: 1 GB or higher

Standalone
One project open with a maximum of 5 SmartX servers running:
Number of engineers: 1
Processor: Intel Core i5-3340M @ 2.70 GHz or higher
Memory: 8 GB or higher
Storage capacity: 50 GB or higher
One project open with a maximum of 10 SmartX servers running:
Number of engineers: 1
Processor: Intel Core i7-4800MQ @ 2.70 GHz or higher
Memory: 16 GB or higher
Storage capacity: 50 GB or higher
One project open with a maximum of 25 SmartX servers running:


Number of engineers: 1
Processor: Intel Core i7-4800MQ @ 2.70 GHz or higher
Memory: 32 GB or higher
Storage capacity: 100 GB or higher
BIOS
Required BIOS configuration: Intel VT-x or AMD-V virtualization support enabled

Server
Three projects with a maximum of 10 SmartX servers running per project:
Number of engineers: 3
Processor: Intel Core i7-3930K @ 3.20 GHz
Memory: 32 GB or higher
Storage capacity: 250 GB or higher
Five projects with a maximum of 20 SmartX servers running per project:
Number of engineers: 5
Processor: Intel Core i7-7820X @ 3.60 GHz or higher
Memory: 64 GB or higher
Storage capacity: 1 TB or higher
Five projects with a maximum of 20 SmartX servers running per project:
Number of engineers: 10
Processor: Intel Core i7-7820X @ 3.60 GHz or higher
Memory: 96 GB or higher
Storage capacity: 1 TB or higher
BIOS
Required BIOS configuration: Intel VT-x or AMD-V virtualization support enabled
Operating systems: Microsoft Windows 10 (64-bit); Microsoft Windows Server 2012 R2 (64-bit); Microsoft Windows Server 2016; Microsoft Windows Server 2019; Oracle VirtualBox version 5.1.30
Required additional software: Microsoft .NET Framework 4.7.2 and later

Processor power, memory, and storage capacity should be scaled upwards to accommodate the targeted system size, as determined by the total quantity of EcoStruxure BMS projects. The Project Configuration Tool is tested on a server with an 8-core 3.6 GHz processor, 32 GB of memory, and a storage capacity of 1 TB.

The following Microsoft Windows 10 editions are supported: Pro and Enterprise.

The following Microsoft Windows Server 2012 R2 editions are supported: Datacenter, Standard, Essentials, and Foundation.

The following Microsoft Windows Server 2016 editions are supported: Datacenter, Standard, and Essentials.


The following Microsoft Windows Server 2019 editions are supported: Datacenter, Standard, and Essentials.

Reports Server

Hardware and software requirements | Supported versions
Processor: Minimum: Intel Core i5 @ 2.0 GHz or equivalent; Recommended: Intel Core i5 @ 3.0 GHz or better
Memory: Minimum: 4 GB; Recommended: 8 GB or higher
Storage capacity: Minimum: 20 GB
Operating systems: Microsoft Windows 10 (64-bit); Microsoft Windows Server 2012 R2 (64-bit); Microsoft Windows Server 2016; Microsoft Windows Server 2019
SQL versions: Microsoft SQL Server 2008 R2 (64-bit) SP2 or SP3; Microsoft SQL Server 2012 (64-bit)*; Microsoft SQL Server 2014 (64-bit), SP1 and SP2; Microsoft SQL Server 2016 (64-bit) SP1
Required additional software: Microsoft .NET Framework 4.7.2 and later

* Microsoft SQL Server 2012 SP1, SP2, SP3, or SP4 is required if the operating system Windows Server 2012 R2 is used.

The following Microsoft Windows 10 editions are supported: Pro and Enterprise.

The following Microsoft Windows Server 2012 R2 editions are supported: Datacenter and Standard.

The following Microsoft Windows Server 2016 editions are supported: Datacenter, Standard, and Essentials.

The following Microsoft Windows Server 2019 editions are supported: Datacenter, Standard, and Essentials.

The following Microsoft SQL Server 2008 R2 and Microsoft SQL Server 2012 editions are supported: Standard and Express with Advanced Services.

The following Microsoft SQL Server 2014 and Microsoft SQL Server 2016 editions are supported: Enterprise, Standard, and Express with Advanced Services.

For more information on hardware and software requirements for installing SQL Server 2008 R2, see https://msdn.microsoft.com/en-us/library/ms143506(v=sql.105).

For more information on hardware and software requirements for installing SQL Server 2012, see https://msdn.microsoft.com/en-us/library/ms143506(v=sql.110).aspx/html.

For more information on hardware and software requirements for installing SQL Server 2014, see https://msdn.microsoft.com/en-us/library/ms143506(v=sql.120).aspx.

For more information on hardware and software requirements for installing SQL Server 2016, see https://docs.microsoft.com/en-us/sql/sql-server/install/hardware-and-software-requirements-for-installing-sql-server.


WebReports

Software requirements (web browsers) | Supported versions
Minimum web browser versions required: Google Chrome 61 and later; Mozilla Firefox 60 and later; Microsoft Edge (EdgeHTML) 16 and later; Safari 11.1 and later
Recommended web browser versions: Google Chrome 71 and later; Mozilla Firefox 64 and later; Microsoft Edge (EdgeHTML) 17 and later; Safari 11.4 and later

eCommission SmartX Controllers

Hardware and software requirements | Supported versions
Hardware: Android phones and tablets; Apple iPhones and iPads; PCs, laptops, and tablets running Microsoft Windows 10
Operating systems: Android 8.0 (Oreo) and later; Apple iOS 11.2 and later
MP Series communication: EcoStruxure Building Operation version 2.0.1 and later
RP-C communication: EcoStruxure Building Operation version 3.0.1 and later
Configuration Menu support: EcoStruxure Building Operation version 3.0.1 and later
Bluetooth connectivity: EcoStruxure Building Operation version 3.0.2 and later
RP Series expansion module support: EcoStruxure Building Operation version 3.1.1 and later

Engage

Hardware and software requirements | Supported versions
Hardware: Android phones; Apple iPhones
Operating systems: Android 5.0 (Lollipop) and later; Apple iOS 11 and later
RP-C communication: EcoStruxure Building Operation version 3.1.2 and later
