Why Does the Web Browser Show that the Connection to the Test Set is Not Secure?

VeEX test sets supporting Web Access/Remote have isolated web servers to provide a secure management user interface via HTTPS/SHA256 encryption, using Self-Signed TLS/SSL certificates. This may trigger the security warning.

Local Web Browser security warning

Many VeEX test sets provide HTML5 user interfaces for their local Web Access and Web Remote management functionalities. These local web services use a built-in isolated web server (hosted inside the test set) to provide a secure management user interface via HTTPS/SHA256 encryption, using Self-Signed TLS certificates (also known as SSL). The use of self-signed certificates is common practice for isolated web pages; however, they trigger a security warning in modern browsers.

  • Web Access - Allows access to test results, data, images, PDF, software updates, etc., stored on the test set, from a local web browser.
  • Web Remote - Provides Remote Control functionality via screen and mouse mirroring (VNC), from a local browser.
  • In both cases the test set and the computing device should be connected to the same LAN/WLAN, or via secured VPN, or peer-to-peer with the test set acting as a Wi-Fi access point.

Web Access user interface with security warning message

Basically, test sets supporting such functionality have an isolated web server built in, which provides a user-friendly management interface rendered by the web browser. Modern web browsers require unique Secure Sockets Layer (SSL)* certificates signed (validated) by a trusted Certificate Authority (CA) to authenticate the website and enable an encrypted connection. The SSL* certificate is what enables websites to use HTTPS. Industry-standard browsers mark pages without encryption, or with self-signed SSL certificates, as "Not Secure".

Windows EDGE security warning details pop-up

*Transport Layer Security (TLS) is an updated, more secure version of SSL. However, people may still refer to them as SSL certificates because it's a more common term.

That said, it is not practical to issue and maintain (keep paying for) individual TLS/SSL certificates for each of the thousands of instruments we manufacture and ship. So, the common practice in these cases is to use self-signed TLS/SSL certificates for the management port GUI, with the understanding that the equipment is not meant to be a public web server and is only to be used in secured local area networks (LAN). Remote users will have to use a VPN to access the LAN a test set is connected to, or use the EZ-Remote cloud service (free of charge).

How to Remove the Security Warning

There are ways to download and install the test set's TLS/SSL certificate on a local PC to remove the security warning when connecting to the test set by its unique Network Host Name (URL), for example https://RXT123456.local. The Host Name is used (instead of the IP address) because the test set's IP address can change over time in a DHCP LAN environment. However, the procedure varies by OS and from browser to browser, and it tends to change over time with new OS and browser releases.

The unique Network Host Name assigned by the test set by default can be found at >Utilities >Settings >More >Remote Access. Users can customize it to reflect the location group, application, or a name that is easy to remember. If the test equipment is permanently installed with a static IP, you may use the IP address.

Point the web browser to the test equipment's internal web page, using https://, acknowledge all the security warnings, and log in to the management page. Then click on the "Not Secure" message and find the Copy to File or Export to File function to download the TLS/SSL certificate (.CER) to your local drive (e.g. desktop). Double-click on the .CER file and follow the instructions.
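A check worth running before the double-click step, shown here as an added example (not VeEX code): compare the SHA-256 fingerprint of the exported .CER, and of the certificate the test set is currently serving, against a reference fingerprint. It assumes the reference was recorded over a path you trust, such as a direct cable connection to the test set; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

# Constructed placeholder bytes standing in for a certificate (not a real one).
SAMPLE_DER = b"constructed placeholder, not a real certificate" * 3
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")

def to_der(cert_bytes: bytes) -> bytes:
    """Accept a .CER export in either binary (DER) or Base-64 (PEM) form."""
    if cert_bytes.lstrip().startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(cert_bytes.decode("ascii").strip())
    return cert_bytes

def fingerprint_sha256(cert_bytes: bytes) -> str:
    """SHA-256 over the DER encoding, as lowercase hex without separators."""
    return hashlib.sha256(to_der(cert_bytes)).hexdigest()

def normalize(fp: str) -> str:
    """Reduce 'AB:CD ...' style fingerprints to bare lowercase hex."""
    return fp.replace(":", "").replace(" ", "").lower()

def matches_pin(cert_bytes: bytes, expected_fp: str) -> bool:
    actual = fingerprint_sha256(cert_bytes).encode()
    return hmac.compare_digest(actual, normalize(expected_fp).encode())

def fetch_server_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the served certificate without trusting it (validation is off
    only so the self-signed certificate can be read and then pinned)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def safe_to_install(exported: bytes, served: bytes, reference_fp: str) -> bool:
    """Install only if the exported file and the live certificate both match."""
    return matches_pin(exported, reference_fp) and matches_pin(served, reference_fp)
```

In use, `served` comes from `fetch_server_cert("RXT123456.local")` and `exported` from reading the saved .CER file; a mismatch on either means the file should not be added to the trust store.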

What are the risks associated with the use of self-signed SSL/TLS?

In this type of controlled application, since you know what and where the physical web server (instrument) is, and you enter its direct IP address, the vulnerability risk is extremely low. Also, the test set will not request, handle or store any sensitive information from the client PC/browser. Users connect to the server by directly entering the test set's IP address or .local URL (Bonjour/ZeroConfig/mDNS, if supported) to access the test set (on the same LAN or via VPN), and the connection terminates there. The test set's built-in web page server does not route any information anywhere else. However, you may need to get used to the idea of seeing the security warning indication on the web browser.

It is never a good idea to connect the test set's management port directly to a public (unprotected) IP address.

By default, the built-in VNC server supporting Web Access & Remote functionality is always available in the background and ready to be accessed at any time. 

If required (e.g., for security reasons or IT policies), the function can be disabled by going to >Utilities >Settings >More >Remote Access and setting VNC Services = Disabled.
