Configure a VTScada Thin Client Server

The following is a generalized list of the major tasks required to configure a VTScada Thin Client Server. Each of these tasks is fully described in the linked topics. Technical details that apply only in specific cases are listed at the end of this topic. You are advised to review that list to confirm whether your situation matches one of these specific cases.

Step 1: Within your secured application, grant the privilege Thin Client Access or Remote Data Access to Selected Operators

Full description and instructions: Accounts and Roles, Assign Privileges

VTScada does not permit mobile or Internet access to any unsecured application. Users must have the Thin Client Access privilege.

  1. Enable security if you have not already done so.
  2. Sign into the application with an account that has the Manager privilege.
  3. Ensure that selected user accounts have the Thin Client Access privilege, either directly or through one of their assigned roles.
  4. For accounts that will make ODBC (REST) connections, including those using the Excel Add-In, grant the Remote Data privilege. (The Remote Tag Value/History Retrieve privilege is optional.)

Step 2: Establish the VTScada Thin Client Server Security parameters

When credentials are transmitted between the VIC and the server, the account name and the password are both transmitted using Base64 encoding. This encoding system is public knowledge and is entirely reversible, therefore the account name and password can be extracted by knowledgeable persons who can intercept the communication. An HTTPS connection is strongly recommended.

Full description and instructions: Internet Security (TLS, X.509, SSL), Securing a VTScada Thin Client Server, Servers in a Demilitarized Zone (DMZ)

Access to the VTScada Thin Client Server is protected by the account name and password credentials held for each application by the VTScada Security Manager. This is the sole protection that is afforded to a VTScada Thin Client Server from unauthorized access. Therefore, these credentials must be guarded.

Security is provided by implementing a virtual private network (VPN), or by using HTTPS (Transport Layer Security, or TLS). This establishes an encrypted communications connection that is secure against decryption, relay attacks and many other hacking attempts.

All systems that use a thin client on a WAN (wide area network) should use a VPN or TLS to secure their communication. Optionally, consider configuring the properties, HTTPAllow, HTTPDeny to limit connections to known addresses. You might also consider configuring the Thin Client Server as a Read-Only Workstation in your network's DMZClosed Demilitarized zone. A physical or logical subnetwork that contains and exposes an organizations's external-facing services to an untrusted network such as the Internet..

The VTScada Security Options dialog includes an option that controls whether VIC (VTScada Internet Client) connections are maintained after a user logs out, but leaves the browser open. Choosing that option allows a faster re-connection time and ensures that the operator can reconnect, but at the cost of tying up a license for an undetermined time.

Step 3: Configure one or more VTScada Servers as VTScada Thin Client Servers

It is common for one of your server keys to allow many thin client connections and the others to have few or none. Licenses are shared between servers after configuration. Always do the work of configuring your Thin Client Server list on the computer that has the licenses. It will be the first server added to the server list. When you add other computers to the list, the licenses will be synchronized to those other servers and saved to them.
After the setup is complete, the order of the server list may be changed, but the name of the server with the licenses can never be removed from the list. If you do this, all the other servers will also lose the licenses.

Full description and instructions: Define the Server Setup

Use the VTScada Thin Client/Server Setup dialog to add the computer where you are working to the server list and configure connection parameters. If your application runs on multiple servers, you may also set up redundant operation.

You may configure the Thin Client Server and realms on any port you prefer. However, if connecting from a public network (e.g. the Internet), you will likely have to traverse firewalls and other security mechanisms. Configuring a realm or Thin Client Server to operate on ports other than the standard ports (port 80 for plain text HTTP, or port 443 for HTTPS), will likely require special configuration of such interposing security mechanisms. It is therefore advisable to operate on the standard ports whenever possible and assuming that no other service on your computer is already using your chosen port.

The list can be configured only from a machine that is a member of the list, and will remain a member after configuration.
If you attempt to remove the last local server, the entire server list and all related connection addresses will be removed from the local machine.

At smaller locations where there may not be a DNS or a network administrator who can take care of such things, you should do the following. It is also worthwhile to review the documentation topic RPCConnectStrategy.

  1. Run Notepad as an administrator.
  2. Open the file, HOSTS.
    This is located in the directory C:\WINDOWS\SYSTEM32\DRIVERS\ETC
  3. Add a line for your computer name and its IP address.
    For example:
    192.165.6.2 MyComputerName
    ...where "MyComputerName" must precisely match a computer name on the X.509 certificate installed on the server.
  4. Save the HOSTS file.

The local indicator will not immediately show a check mark. Upon saving the server setup and reopening the dialog, the check mark will be there if VTScada is able to recognize that this computer is the Thin Client Server.

Step 4: Add the Connection Addresses for Those Servers.

Full description and instructions: Define the Connection Addresses

A need for an address list other than "Default Address List" is extremely rare.

You must define how operators will connect to the servers in the license cluster. The set of connection addresses can include the public URL configured for your security certificate and also the address of a specific server for use by local connections.

Step 5: Establish a Realm Containing One or More Applications

Full description and instructions: Internet Realms

In short, a realm is a named list of one or more applications that are to be made available to VIC and Mobile Internet Client connections.

If Security Realms are enabled, you must create one Internet realm for each security realm, matching the names. Operators may connect only to the Internet realm that matches their security realm. Super-users (those not belonging to any security realm) may not connect to any Internet realm unless you also add the application property, RootNamespace, setting its value to the name of a realm to which those users should connect.

The value of RootNamespace must not match any defined security realm.

Step 6: [Optional] Add a Realm Display Setup tag

You may choose to add one of these tags for each realm. Realm Display Setup Tags allow you to define the level of control that operators will have over their display parameters.

Step 7: [Optional] Add a disclaimer message

You may choose to add an HTML file to your application, which will be displayed to all who connect. This must be a complete HTML file that is part of your application (Import File Changes Tool). Note that JavaScript content will not execute and should not be included. You can find an example thin client disclaimer in the VTScada examples folder: (C:\VTScada\Examples\ExampleThinClientDisclaimer.html)

After adding the file to your application, create an application property named ThinClientDisclaimer whose value is the name of your HTML file.

Specific cases requiring further configuration:

  • For those who want to allow VIC connections from outside their firewall to their VTScada Thin Client Server, where their site has a simple router and no internal network infrastructure services (e.g. DHCP/DNS), refer to Network Configuration
  • Cross-Origin Resource Sharing" (CORS). You may need to use this at a smaller site if connecting using a machine alias, or at a larger site if using a third-party load-balancing server. Refer to Domain Aliases (CORS)