RAS Clients

A Remote Access Service or "RAS" server provides access to remote computers. Generally, the RAS server is configured to provide a separate IP address for itself and the remote client when connected. Allocating each client a different IP address from a pool of addresses caters to multiple concurrent clients.

VTS provides support for multiple remote clients.

When allowing a remote client to connect, due consideration should be given to deciding whether the remote client will require access to the LAN to which the RAS server is connected.

If access is required, then it is better to designate a workstation other than one running VTS as the RAS server. In this way:

1.  Routing between the RAS server and the SCADA system is handled by the network infrastructure;

2.  The RAS server can be shared between infrequent access to the SCADA system and other work without compromising the SCADA system; and

3.  "Hacking" attacks (e.g. denial-of-service (DoS)) are less likely to disable your SCADA system when the point of access is separated from the SCADA system.

If access is not required, or another system is not available to be a RAS server, then you can use a workstation running VTS as the RAS server.

Caution: If the RAS server is also running a VTS version prior to 5.1502, then it is essential that the RAS IP addresses appear on a different subnet to any Network Interface Cards (NIC). If this precaution is not observed, the attached RAS client will be able to access the NIC IP addresses on the same subnet. This will not compromise operation, but will severely impair the RPC Manager's performance.

From VTS version 5.1502 onwards, a workstation running VTS can accommodate RAS clients on any subnet, including one already used by a LAN connection. This is achieved by instructing the RPC Manager (via a Setup.ini section) never to create a connection to specific IP addresses. When the IP that the RAS host presents to the RAS client as its own is specified there, the RAS client will not create a connection to that RAS host IP, but will only create connections to the other IPs by which the host workstation is known.

For example, suppose a workstation running VTS has an IP of 192.168.0.40 and is configured to support a RAS client, such that the RAS client sees the host workstation as 192.168.0.150 and is assigned an IP address from a pool in the range 192.168.0.151 to 192.168.0.155. The following section should then appear in the RAS client's Setup.ini configuration file, so that the RAS client will only make a connection to 192.168.0.40 (which will be done over the RAS link), and not to 192.168.0.150:

[RPCManager-ExcludeIP]

IP = 192.168.0.150

Note that this is not necessary if the RAS IP address pool is on a different subnet from any other IP of the RAS host, so long as no routing exists between the two subnets.

From VTS version 5.18 onwards, it is not necessary to exclude any IP addresses on the server; however, if the IP address cannot be accessed by a connecting client VTS system, it is advisable to exclude it from RPC Manager's view by the above method.
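The subnet rule above can be checked before a RAS client is deployed. The following is an added example, not part of the VTS documentation or product: it reports whether the RAS-side addresses share a subnet with a NIC on the host and, if so, produces the Setup.ini section shown earlier. The function names and the /24 netmask are assumptions made for illustration.

```python
import ipaddress


def pool_addresses(first, last):
    """Expand an inclusive first..last address range into address objects."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if hi < lo:
        raise ValueError("pool end precedes pool start")
    return [ipaddress.ip_address(n) for n in range(int(lo), int(hi) + 1)]


def shared_subnets(nics, ras_host_ip, pool_first, pool_last):
    """Return the NIC networks that also contain a RAS-side address.

    nics: NIC addresses of the RAS host in CIDR form, e.g. "192.168.0.40/24".
    """
    ras_side = [ipaddress.ip_address(ras_host_ip)]
    ras_side += pool_addresses(pool_first, pool_last)
    hits = []
    for nic in nics:
        iface = ipaddress.ip_interface(nic)
        if iface.ip in ras_side:
            # A NIC address reused as a RAS address is a configuration error.
            raise ValueError(f"{iface.ip} is both a NIC and a RAS address")
        if any(addr in iface.network for addr in ras_side):
            hits.append(iface.network)
    return hits


def exclude_section(nics, ras_host_ip, pool_first, pool_last):
    """Setup.ini text for the RAS client, or '' when the subnets are separate."""
    if not shared_subnets(nics, ras_host_ip, pool_first, pool_last):
        return ""
    return f"[RPCManager-ExcludeIP]\nIP = {ras_host_ip}\n"


if __name__ == "__main__":
    # Addresses from the example above; the /24 mask is an assumption.
    print(exclude_section(["192.168.0.40/24"], "192.168.0.150",
                          "192.168.0.151", "192.168.0.155"))
    # Constructed case: RAS pool on its own subnet, so nothing is printed.
    print(exclude_section(["192.168.0.40/24"], "10.8.0.1",
                          "10.8.0.2", "10.8.0.6"))
```

The check covers subnet overlap only; whether routing exists between two separate subnets has to be confirmed on the network itself.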