Rev. 1.0
Client
Page 1 of 139
Table of Contents
ACKNOWLEDGEMENTS ..... 6
  AUTHORING AND TESTING ..... 6
  REVIEW AND DISTRIBUTION ..... 6
WELCOME TO INTOUCH FOR TERMINAL SERVICES ..... 7
  TERMINOLOGY ..... 7
  ASSUMPTIONS ..... 8
  TECHNICAL SUPPORT ..... 8
USING TERMINAL SERVICES ..... 9
  RUNNING A MANAGED INTOUCH APPLICATION WITH TERMINAL SERVICES ..... 10
    Key Points ..... 10
  DEPLOYING THE INTOUCHVIEWAPP OBJECT IN A TERMINAL SERVICES ENVIRONMENT ..... 12
  CONFIGURE HISTORICAL LOGGING ON INTOUCH FOR TERMINAL SERVICES ..... 13
  CONFIGURING AUTOMATIC STARTUP ..... 14
  MISCELLANEOUS LIMITATIONS IN A TERMINAL SERVICES ENVIRONMENT ..... 15
INTRODUCTION TO INTOUCH FOR TERMINAL SERVICES ..... 16
  INTOUCH FOR TERMINAL SERVICES ..... 16
  INTOUCH IN THE TERMINAL SERVICES ENVIRONMENT ..... 16
    Why was Terminal Services renamed to Remote Desktop Services in Windows Server 2008 R2? ..... 17
    How the /admin switch behaves ..... 17
    Remote Desktop Services (Role) ..... 19
    Using Remote Desktop Services ..... 20
    Remote Desktop Services (Role services) ..... 21
  INSTALLING REMOTE DESKTOP SERVICES ..... 23
    Install Remote Desktop Services (Role) ..... 23
    Install Specific Remote Desktop Services ..... 25
  INTOUCH FOR TERMINAL SERVICES ..... 28
    Why InTouch for Terminal Services? ..... 28
    Terminal Services Benefits for InTouch ..... 28
    Remote Control ..... 33
GETTING STARTED WITH INTOUCH FOR TERMINAL SERVICES ..... 34
  UNDERSTANDING INTOUCH FOR TERMINAL SERVICES ..... 34
    Key Points ..... 34
  RUNNING INTOUCH APPLICATIONS IN A TERMINAL SERVICES ENVIRONMENT ..... 35
    Standalone InTouch for Terminal Services configuration created using Wonderware WindowMaker ..... 35
    Running a Managed InTouch Application with Terminal Services ..... 35
    Running a Published InTouch Application with Terminal Services ..... 37
  TYPES OF INTOUCH FOR TERMINAL SERVICES ..... 37
  WINDOWS 2008/R2 ..... 38
  TERMINAL SERVICES BEHAVIOR IN WINDOWS SERVER 2008 ..... 38
  ACP THIN MANAGER ..... 39
    How ThinManager Works ..... 40
PLANNING CONSIDERATIONS FOR TERMINAL SERVER APPLICATIONS ..... 41
ACKNOWLEDGEMENTS
This Deployment Guide was authored, tested and reviewed by an I.O.M. Global
Customer Support team, which includes the following people:
Note: Adding ACP ThinManager increases the available client types to non-Windows-based workstations, including UNIX, Linux, and industrial display panels. Consult your vendor to verify Wonderware support for a particular non-Windows-based operating system.
TERMINOLOGY
Console: This is the normal desktop experience on the computer that has
Terminal Services installed.
Thin Client: (a.k.a. Terminal) A device that allows you to send commands
to another computer. At a minimum, this usually means a keyboard, a
display screen, and some simple circuitry.
ASSUMPTIONS
This manual assumes you are:
TECHNICAL SUPPORT
Wonderware Technical Support offers a variety of support options to answer any
questions on Wonderware products and their implementation.
Prior to contacting technical support, please refer to the relevant chapter(s) in
your InTouch for Terminal Services Deployment Guide for a possible solution to
any problem you may have with your system. If you find it necessary to contact
technical support for assistance, please have the following information available:
1. Your software serial number.
2. The version of InTouch you are running.
3. The type and version of the operating system you are using. For example,
Microsoft Windows 2008 R2 SP1 (or later) workstation.
4. The exact wording of system error messages encountered.
5. Any relevant output listing from the Wonderware Logger, the Microsoft
Diagnostic utility (MSD), or any other diagnostic applications.
6. Details of the attempts you made to solve the problem(s) and your
results.
7. Details of how to recreate the problem.
8. If known, the Wonderware Technical Support case number assigned to
your problem (if this is an on-going problem).
For more information about Terminal Services, including features and benefits,
see your Microsoft documentation.
You must deploy each InTouch application to the server running InTouch for Terminal Services.
You run each managed InTouch application in a separate terminal-services client session.
The following graphic shows the Galaxy and InTouch Development Nodes in
this context:
DEPLOYING THE INTOUCHVIEWAPP OBJECT IN A TERMINAL SERVICES ENVIRONMENT
Run each managed InTouch application on its own Terminal Server node.
Run each InTouch View client in a separate Terminal Services client session.
Note: Each Terminal Services client session uses a unique user logon.
Supported? column values: Yes, No, Yes, Yes, No, No, Yes, No, Yes, Yes, Yes
Comment column:
- WindowViewer is not supported running as a service under Terminal Services.
- Use a tag server (console or separate computer). This includes the DDE QuickScripts WWExecute(), WWPoke() and WWRequest().
- Excel and the InTouch HMI must be running in the same session.
- Use a tag server or NAD to log values.
- Multiple sessions may read the same historical files, but only a console can write to historical files.
- Must use NAD or Managed Application.
- Not supported.
- Database should be on a separate computer.
- When communicating to another view session, include the Terminal Server node name and append the IP address of the desired session to the application name. For example, view10.103.25.6.
- I/O Servers are not supported in client sessions.
[Figure: InTouch Application and IO Server on the RD Terminal Server 2008 R2, connected to the PLC; Internal RD Clients on the LAN and External RD Clients over the Internet or a modem reach the RD Gateway; the RDP\ICA protocol is used to view the InTouch session]
Because the physical console session is never session 0, you can always
reconnect to your existing session on the physical console. The Restrict
Terminal Services users to a single remote session Group Policy setting
determines whether you can connect to your existing physical console
session. This setting is available in the
Computer Configuration\Administrative Templates\Windows
Components\Terminal Services\Terminal Server\Connections node of the
Local Group Policy Editor. You can also configure this setting in Terminal
Services Configuration. The Restrict each user to a single session setting
appears in Edit settings in the General section.
[Figure: session assignment before Windows Vista / Windows Server 2008, with Service 1-3 and Application 1-9 spread over Session 0, Session 1 and Session 2]
With Windows Vista, Windows Server 2008, and later versions of Windows,
sessions are assigned as shown in the following figure.
[Figure: session assignment in Windows Vista / Windows Server 2008 and later: Session 0 holds Service 1-3 only; Application 1-9 run in Sessions 1, 2 and 3]
In this graphic, three users are logged on to the system. However, only services
run in Session 0. The first user logs on to Session 1, and Sessions 2 and 3
represent subsequent users.
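A way to verify on an RD Session Host that the session layout described above is in effect, and to read the Restrict each user to a single session setting from both of the locations the text names (Group Policy and Terminal Services Configuration), as an added PowerShell example that is not part of the original guide; it assumes an elevated prompt on the session host and that WindowViewer runs as view.exe.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell
# prompt on the RD Session Host. Assumes WindowViewer runs as view.exe.

# 1. Services should live only in Session 0 (Windows Server 2008 and later).
$servicePids = Get-WmiObject Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.ProcessId -gt 0 } |
    ForEach-Object { $_.ProcessId } | Sort-Object -Unique
$serviceProcs = Get-Process | Where-Object { $servicePids -contains $_.Id }
$outside = $serviceProcs | Where-Object { $_.SessionId -ne 0 }
if ($outside) {
    Write-Warning ('Service processes outside Session 0: ' +
        (($outside | ForEach-Object { $_.ProcessName }) -join ', '))
} else {
    Write-Output "OK: all $(@($serviceProcs).Count) service processes are in Session 0."
}

# 2. Users start at Session 1. Each client session should carry its own
#    WindowViewer instance (one managed InTouch application per session).
Get-Process | Where-Object { $_.SessionId -ne 0 } |
    Group-Object SessionId | Sort-Object { [int]$_.Name } |
    ForEach-Object {
        $viewers = @($_.Group | Where-Object { $_.ProcessName -eq 'view' }).Count
        'Session {0}: {1} process(es), {2} WindowViewer instance(s)' -f $_.Name, $_.Count, $viewers
    }

# 3. "Restrict each user to a single session". Group Policy writes the
#    Policies key and overrides the value set in Terminal Services
#    Configuration, which lives under Control\Terminal Server.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$policy   = Get-ItemProperty -Path $policyKey -Name fSingleSessionPerUser -ErrorAction SilentlyContinue
$tsConfig = Get-ItemProperty -Path $configKey -Name fSingleSessionPerUser -ErrorAction SilentlyContinue

if ($policy) {
    $value = $policy.fSingleSessionPerUser;   $source = 'Group Policy'
} else {
    $value = $tsConfig.fSingleSessionPerUser; $source = 'Terminal Services Configuration'
}
$state = if ($value -eq 1) { 'Enabled' } else { 'Disabled' }
"Restrict each user to a single session: $state (source: $source)"
```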
REMOTE DESKTOP SERVICES (ROLE)
Remote Desktop Services (formerly Terminal Services) is a server role in
Windows Server 2008 R2. This role provides technologies that enable users to
access Windows-based programs installed on a Remote Desktop Session Host
(RD Session Host) server, or to access the full Windows desktop.
Because you install the programs on the RD Session Host server and not
on the client computer, programs are easier to upgrade and to maintain.
Remote access: Your users can access programs that are running on an
RD Session Host server from devices such as home computers, kiosks,
low-powered hardware, and operating systems other than Windows.
RD Web Access: Remote Desktop Web Access (RD Web Access), formerly
TS Web Access, enables users to access RemoteApp and Desktop
Connection through the Start menu on a computer that is running
Windows 7 or through a Web browser.
RemoteApp and Desktop Connection provide a customized view of
RemoteApp programs and virtual desktops to users.
[Figure: RD Session Host 1 and RD Session Host 2 (Terminal Server 2008 R2, RD Session Host service installed) each running the InTouch Application; IO Server connected to the PLC; RD Broker, RD Web Access and RD Gateway servers with their role services installed; Internal and External RD Clients connect over the Internet or a modem; the RDP\ICA protocol is used to view the InTouch session]
3. Click Next, then click Remote Desktop Services as the role to install on this server.
5. Click Next.
to be used without providing licenses. This means you must provide licensing
within 120 days.
For Per Device mode, you are allowed a specified number of devices to
connect to the service at any one time regardless of who the users are.
The Per User option restricts access to the specified users, regardless of the
device from which they are connecting.
Unless you need users to be able to stream audio (both to and from the session host) and video to the remote desktops and use the latest graphics-intensive desktop effects, it is recommended that these features remain disabled:
4. Click Next. You see the Confirmation screen. Read any warnings carefully.
The wizard typically recommends that any currently installed applications should
be re-installed before remote access is provided to users.
5. Click Install to begin the installation process.
You must restart the Windows Server 2008 R2 system partway through the
installation. After the reboot, be sure to log in as the same administrative
user to complete the Remote Desktop Services configuration process. Once
the process is complete, the Installation Results window appears (following
figure).
6. Click Close.
Terminal Services Clients (RDP Client) run on the following Microsoft platforms:
Windows XP SP3
Vista SP2
Windows 7
RDP clients are also available for Windows CE and Windows Mobile.
With the integration of InTouch and Terminal Services, you can deploy the latest
applications in a fully server-centric mode. By removing the processing and data
storage tasks from the client machine, you can greatly extend the life of your
existing hardware.
In some cases, the need to replace may not occur until the computer physically
breaks down.
InTouch for Terminal Services and third-party industrial panel displays can also
provide an economical alternative for process visualization in harsh
environments. The increased cooling requirements and stronger construction
typically make industrial panel displays more expensive than their desktop
counterparts.
With Terminal Services, industrial hardware costs are reduced because you no
longer need high-powered processors, extra memory, floppy or CD-ROM drives.
Many industrial panel displays now provide the ability to boot and connect to a
terminal server from memory, and therefore do not require the added expense
of a hard drive. The lack of moving parts also extends the life of hardware.
If you need more robust hardware to replace the control panels, you can install
industrial-grade computers. These machines only require the minimum
components to run the emulation software, and therefore, can be purchased at
a significantly reduced price.
Remote Access
Operators and other end-users gain access to a terminal server over any
Transmission Control Protocol/Internet Protocol (TCP/IP) connection, including
Remote Access, Ethernet, the Internet, wireless, wide area network (WAN), or
virtual private network (VPN).
Due to the reduced bandwidth requirements of the RDP/ICA protocol, Terminal
Services extends the capabilities of InTouch to users who would otherwise be
unable to access Wonderware applications.
Wireless networks have traditionally been unable to support the large amount of
process information for real-time monitoring and control. With InTouch for
Terminal Services, applications can run with the same response time and
performance as their counterparts that are directly connected to the local area
network (LAN). You can therefore support real-time monitoring and control for
your mobile operators. The client terminals need only the emulation software to
connect to the terminal server. You can then simply launch WindowViewer to
monitor the operation of choice.
Internet Access
Using Microsoft's new RD Gateway (introduced in Windows Server 2008),
remote users can access a terminal server over the Internet. A Remote Desktop
Gateway (RD Gateway) server is a type of gateway that enables authorized users
to connect to remote computers on a corporate network from any computer
with an Internet connection.
RD Gateway is based on the RDP feature set. RD Gateway uses the Remote
Desktop Protocol (RDP) along with the HTTPS protocol to help create a secure,
encrypted connection.
In earlier versions of Remote Desktop Connection, people couldn't connect to
remote computers across firewalls and network address translators because port
3389, the port used for Remote Desktop connections, is typically blocked to
enhance network security. However, an RD Gateway server uses port 443, which
transmits data through a Secure Sockets Layer (SSL) tunnel.
The RD Gateway server provides these benefits:
You can therefore support real-time monitoring and control for your mobile
operators with either the Terminal Services Client software or by simply
launching a web browser and connecting to remote computers on a corporate
network, from any computer with an Internet connection.
REMOTE CONTROL
Remote Control is a Terminal Services feature that provides the ability to take
control of another workstation in the event of a client hardware failure. Remote
Control also provides an easy way to train operators and monitor operations
without being physically next to the terminal.
You can therefore be confident that even though failures may occur, their impact
on production will be minimal. Remote Control enables a workstation to
immediately take over another that has failed. By adding a second server and
installing Network Load Balancing, all the sessions are protected.
[Figure: Terminal Services for InTouch benefits: Manage Network Load Balancing (NLB) and Availability, Web Access To InTouch Applications, Remote Access To InTouch Applications, Centralized InTouch Application Management; shown on RD Session Host 1 and 2 (Terminal Server 2008 R2), IO Server, PLC, RD Web Access, RD Broker, RD Gateway, Internal and External RD Clients; the RDP\ICA protocol is used to view the InTouch session]
InTouch for Terminal Services uses the Remote Desktop Protocol (RDP) to
communicate between clients and the InTouch Terminal Server.
You can run an application that is developed for standard InTouch with
InTouch for Terminal Services. No application changes are necessary.
You can use the Distributed Alarm system with InTouch for Terminal
Services. Using the alarm client, you can select the alarm data and how to
show it from WindowViewer for each Terminal Services session.
You must deploy each InTouch application to the server running InTouch
for Terminal Services.
Best Practice: This is the recommended mode for Server 2008 R2 RDS
implementation, even if the InTouch application is a Tag-Based application.
Each client session manages its own instance of the application under
\UserName\Application Data\ArchestrA\Managed App.
[Figure: Running Published InTouch Application on RD Session Host; Running Standalone InTouch Applications on RD Session Host; Running InTouch Viewer On TS Clients; topology with RD Session Host 1 and 2 (Terminal Server 2008 R2), IO Server, PLC, RD Web Access, RD Broker, RD Gateway, Internal and External RD Clients; the RDP\ICA protocol is used to view the InTouch session]
WINDOWS 2008/R2
Windows Server 2008 R2: Remote Desktop Services (formerly Terminal Services)
is a server role in Windows Server 2008 R2. This server role provides
technologies which enable users to access Windows-based programs installed
on a Remote Desktop Session Host (RD Session Host) server, or to access the full
Windows desktop. With Remote Desktop Services, you can access an RD
Session Host server from within a corporate network or from the Internet.
[Figure: RD Server running Remote Desktop Services on Windows 2008 / R2 with the InTouch Application, on the Corporate Network]
Remote Desktop Services lets you efficiently deploy and maintain software in an
enterprise environment. You can easily deploy programs from a central location.
Because you install the programs on the RD Session Host server and not on the
client computer, programs are easier to upgrade and to maintain.
system, which permits only one alarm provider. While both Application Server
and InTouch can be configured as alarm providers, only one alarm provider is
supported.
[Figure: InTouch Application on an ACP ThinManager Server, on the Corporate Network]
PLANNING CONSIDERATIONS FOR TERMINAL SERVER APPLICATIONS
SYSTEM REQUIREMENTS
The following system specifications are supported. The following information
was derived from the specific test plan and is not intended as a limitation.
TSE Platforms (10 Platforms)
In Wonderware tests, the TSE Platforms were used for client connection only.
The Platforms did not have App Engines. Each Platform was configured to be an
alarm provider and was filtered to subscribe to eleven Areas. Each Platform was
deployed to a Terminal Services machine. The ten Platforms serviced ten client
connections each.
Client Nodes (10 Nodes with 100 Client Connections)
You need a Microsoft TS license for managing the remote desktop terminal
server sessions.
ABOUT MANAGED INTOUCH APPLICATIONS WITH NETWORK LOAD BALANCING
The features provided by Remote Desktop are made available through the
Remote Desktop Protocol (RDP). RDP is a presentation protocol that allows a
Windows-based terminal (WBT), or other Windows-based clients, to
communicate with a Windows-based Terminal Server. RDP is designed to
provide remote display and input capabilities over network connections for
Windows-based applications running on your Windows XP Professional desktop.
In this topology, clients access the InTouch System Platform node via Remote
Desktop. Whenever a new connection to the InTouch System Platform node is
requested, a new session is created, so all the traffic goes to the System
Platform node and degrades the performance of the InTouch node.
The following figure displays a topology without Network Load Balancing (NLB):
[Figure: topology without NLB: three Client Machines on the Domain Network connecting to a single InTouch Node]
[Figure: topology with NLB: three Client Machines on the Domain Network connecting to two InTouch Nodes, with the Remote Desktop Connection Broker shown as a separate node]
Note: The Remote Desktop Connection Broker shown as a separate node in the
above topology can be configured on one of the NLB cluster nodes itself.
You can leverage the load balancing for InTouch-managed applications.
[Figure: NLB topology, repeated: two InTouch Nodes serving three Client Machines over the Domain Network]
d. Click the Remote Desktop Services check box, and then click Next.
The Remote Desktop Services screen appears.
i. Click the Per User option or Per Device option based on license
availability, and then click Next. The Select User Groups Allowed
Access To This Remote Desktop Session Host Server screen
appears.
You can choose two types of Windows Client Access Licenses: device-based
or user-based, also known as Windows Device CALs or Windows User CALs.
This means you can choose to acquire a Windows CAL for every device (used
by any user) accessing your servers, or you can choose to acquire a Windows
CAL for every named user accessing your servers (from any device).
4. Confirm the details you entered, and install the services.
a. On the Select User Groups Allowed Access To This Remote
Desktop Session Host Server screen, click Next. The Configure
Client Experience screen appears (see page 582 of the
Wonderware ArchestrA System Platform in a Virtualized
Environment Implementation Guide on WDN).
3. On the Server Manager window, click Features. The Features pane appears.
4. Click Add Features. The Select Features screen in the Add Features Wizard
window appears.
5. Click the Network Load Balancing item, and then click Next. The Confirm
Installation Selections screen appears.
6. Click Install.
4. Right-click the Session Broker Computers group, and then click Properties.
The Properties window for the selected group appears.
7. Select Computers, then click OK. The node name of the computer appears in
the Select Users, Computers, or Groups window.
8. Click OK to add the computer account for the Remote Desktop Session Host
server.
CREATING A NETWORK LOAD BALANCING CLUSTER
To configure an NLB cluster, you need to configure the following parameters:
Port rules
Note: You can also use the default port rules to create an NLB cluster.
To create an NLB cluster
1. Open the Network Load Balancing Manager window.
2. On node 1 of the required VM with NLB, click Start, point to Administrative
Tools, and then click Network Load Balancing Manager. The Network Load
Balancing Manager window appears.
3. Connect the required host to a new cluster by right-clicking Network Load
Balancing Clusters, and then clicking New Cluster.
4. In the Host box, type the name of the host (node 1), and then click Connect.
5. Under Interfaces available for configuring a new cluster, select the interface
to be used with the cluster, and then click Next. The Host Parameters section
in the New Cluster window appears.
Note: The value in the Priority box is the unique ID for each host. The host
with the lowest numerical priority among the current members of the cluster
handles the entire cluster's network traffic that is not covered by a port rule.
You can override these priorities or provide load balancing for specific
ranges of ports by specifying the rules on the Port rules tab of the Network
Load Balancing Properties window.
8. Click Add to add a cluster IP address. The Add IP Address window appears.
9. Click the Add IPv4 address option.
10. Type the new cluster static IP address and the Subnet mask.
11. Click OK to close the window. The IP address appears on the Cluster IP
Addresses section of the New Cluster window.
12. Click Next. The Cluster Parameters section for the New Cluster window
appears.
13. Type the name of the new cluster.
14. Click the Multicast option.
Note: When you click the Unicast option, NLB instructs the driver that
belongs to the cluster adapter to override the adapter's unique, built-in
network address and change its MAC address to the cluster's MAC address.
Nodes in the cluster can communicate with addresses outside the cluster
subnet. However, no communication occurs between the nodes in the cluster
subnet.
When you click the Multicast option, both network adapter and cluster MAC
addresses are enabled. Nodes within the cluster are able to communicate
with each other within the cluster subnet, and also with addresses outside
the subnet.
15. Click Next. The New Cluster : Port Rules window appears.
16. Click Finish to create the cluster and close the window. The Network Load
Balancing Manager window appears (below).
Add another host to the cluster.
1. Right-click the newly created cluster, and then click Add Host to Cluster.
2. In the Host field, type the name of node 2, then click Connect.
3. Under Interfaces available for configuring a new cluster, click the interface
name to be used with the cluster, then click Next. The New Cluster : Host
Parameters window appears.
4. Type the priority value, and then click Next.
The Port Rules section of the Add Host to Cluster window appears.
5. Click Finish to add the host and close the window. The Network Load
Balancing Manager window appears.
The status of both hosts is displayed.
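The same two-node cluster build, scripted with the NetworkLoadBalancingClusters PowerShell module that is installed with the Network Load Balancing feature, as an added example that is not part of the original guide; NODE1, NODE2, the adapter name, the cluster name and the 10.0.0.50/24 cluster address are assumed placeholders.

```powershell
# Added example, not from the original guide: build the two-node NLB cluster
# from the procedure above with PowerShell instead of the NLB Manager GUI.
# NODE1, NODE2, 'Local Area Connection', 'InTouchNLB' and 10.0.0.50/24 are
# assumed placeholder values. Run from an elevated prompt on node 1.
Import-Module NetworkLoadBalancingClusters

$Node1       = 'NODE1'
$Node2       = 'NODE2'
$Interface   = 'Local Area Connection'   # same adapter name on both nodes
$ClusterName = 'InTouchNLB'
$ClusterIP   = '10.0.0.50'
$SubnetMask  = '255.255.255.0'

# Steps 8-14: cluster IP, name and Multicast mode. Multicast keeps each
# adapter's own MAC next to the cluster MAC, so the nodes can still reach
# each other inside the cluster subnet (unlike Unicast, see the note above).
New-NlbCluster -HostName $Node1 -InterfaceName $Interface `
    -ClusterName $ClusterName -ClusterPrimaryIP $ClusterIP `
    -SubnetMask $SubnetMask -OperationMode Multicast | Out-Null

# "Add another host to the cluster": join node 2 through its own interface.
Add-NlbClusterNode -HostName $Node1 -InterfaceName $Interface `
    -NewNodeName $Node2 -NewNodeInterface $Interface | Out-Null

# Verification (what the NLB Manager status pane shows): every host must
# converge before RD Connection Broker is pointed at the cluster address.
$nodes = @(Get-NlbClusterNode -HostName $Node1 -InterfaceName $Interface)
$nodes | Format-Table -AutoSize

$notConverged = $nodes | Where-Object { "$($_.State)" -notlike 'Converged*' }
if ($notConverged) {
    throw ('NLB host(s) not converged: ' +
        (($notConverged | ForEach-Object { $_.Name }) -join ', '))
}
if ($nodes.Count -ne 2) {
    throw "Expected 2 hosts in $ClusterName, found $($nodes.Count)."
}

# The default port rule (all ports) is acceptable per the note above;
# print it so the configuration is on record.
Get-NlbClusterPortRule -HostName $Node1 -InterfaceName $Interface | Format-List
```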
To add users to the Remote Desktop Users group to access Network Load
Balancing Cluster
1. On the Start menu, click Control Panel, then System and Security, then
System, and then Remote settings. The System Properties window appears.
2. Under Remote Desktop, click the relevant option to specify the remote
desktop versions you want to allow access to.
3. Click Select Users to provide access to the system. The Remote Desktop
Users window appears.
4. Select the users you want to allow access to, click Add, and then OK.
Note: The users can be local users and need not be domain
users/administrators. If the users are local users, they should be added on
both NLB cluster nodes with the same user name and password.
Evenly distribute the session load among Remote Desktop Session Host
servers in a load-balanced Remote Desktop Session Host server farm.
6. In the RD Connection Broker server name box, type the node name where
the RD Connection Broker is installed.
7. In the Farm Name box, type the farm name that you want to join in the
Remote Desktop Session Broker, and then click OK.
8. In the Properties window, click Participate in Connection Broker Load
Balancing.
9. Type the value for the Relative weight of this server in the farm.
By assigning a relative weight value, you can distribute the load between
more powerful and less powerful servers in the farm. By default, the weight
of each server is 100. You can modify this value as required.
10. Under Select IP addresses to be used for reconnection, click the IP address
you provided while creating the cluster, and then click OK.
11. Click OK to acknowledge the confirmation/warning.
Repeat this procedure on Node 2. Ensure that you enter the same details in
each step for Node 2 as you did for Node 1. In the Farm Name box, type the
same Farm Name used while configuring Node 1.
3. Type a name for the group and click OK to close the window. The name can
be anything.
You can now select the group names in the left pane and view the sessions
connected to each node of the cluster.
WONDERWARE LICENSING
Licenses for Wonderware products are maintained in license files or on a license
server. The license file contains one or more license components, which are lines
of information that specify licensing for an individual product.
Each license component is assigned a unique part number and contains
information such as the:
Product name
Serial number
LICENSE TYPES
There are two kinds of licenses, unserved and served. For this document, only
unserved licenses are included, since InTouch does not use served (server-based) licensing.
Unserved licenses, also known as local licenses, are installed on the same
computer as the applications using them. Unserved licenses do not run on a
license server. Unserved license files usually have the file names wwsuite.lic or
ArchestrA.lic.
Information about the license Type appears with the license name and license
components when you view it in the ArchestrA License Manager.
License type: Unserved (locally installed) licenses (WWSuite.lic and ArchestrA.lic)
Products can have a demonstration period, which allows you to run the specified
application for a defined period when the license is not available. Licenses can
also define a grace period, which is entered when a license is unavailable. The
grace period is a limited time period tracked by the application. The application
determines what happens during the grace period.
Unserved licenses
Concurrent licenses
If the application is not supported by the license or if the required license is not
found, the software component defaults to either a demonstration mode or an
absent license mode.
WONDERWARE CAL (CLIENT ACCESS LICENSE)
A CAL is not a software product. It is a license that gives a user the permission
to access the services of a database server. It is a paper license!
CALs are used to connect with a database Server like
InBatch Server
InTrack Server
All HMI sessions are running the same Application so the same Tag count
No HMI view on Terminal Server
Terminal Server acts as a Device Integration IO Server
NODE   QTY   LICENSE DESCRIPTION
1      1     IO SERVER
2      1     INTOUCH RUNTIME 3K TAGS WITHOUT I/O TSE V10.1
3&4    2     INTOUCH RUNTIME 3K TAGS WITHOUT I/O TSE V10.1
[Figure: node diagram (text not fully recoverable). Windows Server 2008 R2
Remote Desktop Session Host; InTouch RT 3K Tags TSE sessions on the numbered
nodes; an InTouch session at the console; PLCs connected to the server.]
You can find it on the System Platform 2012 DVD on this path:
CD:\WIS\LicenseServer.
Note: The WWSuite.lic is not required on InTouch version 10.5 or higher. Only
the ArchestrA.lic is used.
DEFINING SECURITY
A proper security implementation is a critical component of any computer based
control system. Of course, security is not simply to protect against malicious
attack, but more often from human error. Often, a major problem is introduced
by a simple mistake. On a terminal server, you cannot afford to provide the
operators with the opportunity to make such mistakes.
Without proper security, users can have access to any directory and file on the
server, including important system files and InTouch applications.
PHYSICAL SECURITY
Physical security addresses the operating environment of your servers and
connected client systems.
Place your terminal server in a protected room that is free from physical
threat and adverse conditions. Make the room available only to
authorized (trusted) personnel.
Evaluate your risk if the terminal server goes down. Hardware protection
such as surge suppressors, uninterruptible power supplies, and redundant
servers will help keep your system running. Network Load Balancing or
Use the $Operator system tag to secure your application. You can then
control operator access to specific functions by linking those functions to
internal tags.
Replace the GetNodeName() function with the newer TseGetClientId() function to
identify the client computer. When using Terminal Services, the
GetNodeName() function returns the name of the terminal server, not the
name of the client computer.
SESSION SECURITY
Note: The following information is intended for example purposes ONLY. Your
security requirements will differ.
Connection settings and security control not only access to a terminal server
through the Terminal Services Client, but also how a user can interact with other
users on the server. Connection security is managed through regular Windows
2008 users or groups.
Wonderware recommends that you never control client connection access
through individual user accounts even when dealing with only a single server.
The administrative work required is much greater than the work required for
using groups.
Accordingly, the following local groups should be defined (your group names
will be different based on your requirements):
Users (for example, WW_Users) Members of this group will have only
user connectivity access on this server. This is the preferred choice for
operators.
Add the three recommended local groups: Administrators, Users, and Users_RC.
After the local groups have been created, the next step is to configure the
connection security for these groups. Use the Remote Desktop Session Host
Configuration tool to manage connection settings and security.
The Remote Desktop Session Host Configuration dialog box appears listing all
of the created connection types for the terminal server in the middle top pane.
4. Select all the listed groups except SYSTEM, and then click Remove.
5. Add the three recommended groups mentioned earlier, and assign them the
following permissions:
Group          Permissions
WW_Admins      Full Control
WW_Users       User Access
WW_Users_RC    Special Access (User Access + Remote Control)
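The group model recommended above (three local groups instead of per-user entries, each mapped to a connection permission on the RDP-Tcp listener) can be applied and then reviewed with the script below. It is an added example and not part of the Wonderware document: it uses the Terminal Services WMI provider of Windows Server 2008 R2 (Win32_TSPermissionsSetting and Win32_TSAccount), the group names are the document's examples, and the permission preset and mask values are the provider's documented constants, which you should verify against your server before relying on them. Step 4 of the procedure (removing the default entries other than SYSTEM) is deliberately left to a reviewed manual action.

```powershell
# Added example, not from the Wonderware document. Creates the three local groups
# the document recommends and grants them RDP-Tcp connection permissions with
# the Terminal Services WMI provider (Windows Server 2008 R2).
# Group names (WW_Admins, WW_Users, WW_Users_RC) are the document's examples.
# Run in an elevated PowerShell session on the RD Session Host.

# PermissionPreSet values of Win32_TSPermissionsSetting.AddAccount:
#   0 = guest access, 1 = user access, 2 = full control
$connectionGroups = @(
    @{ Name = 'WW_Admins';   PreSet = 2; RemoteControl = $false },  # Full Control
    @{ Name = 'WW_Users';    PreSet = 1; RemoteControl = $false },  # User Access
    @{ Name = 'WW_Users_RC'; PreSet = 1; RemoteControl = $true  }   # User Access + Remote Control
)

$tsNamespace = 'root\cimv2\TerminalServices'
$perm = Get-WmiObject -Namespace $tsNamespace -Class Win32_TSPermissionsSetting `
            -Filter "TerminalName='RDP-Tcp'"
if (-not $perm) { throw 'RDP-Tcp listener not found; is the RD Session Host role installed?' }

$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"

foreach ($g in $connectionGroups) {
    # 1. Create the local group if it does not exist yet.
    if (-not [ADSI]::Exists("WinNT://$env:COMPUTERNAME/$($g.Name),group")) {
        $newGroup = $computer.Create('Group', $g.Name)
        $newGroup.SetInfo()
        $newGroup.Description = 'InTouch TSE connection group'
        $newGroup.SetInfo()
    }

    # 2. Grant the preset connection permission on the RDP-Tcp listener.
    $account = "$env:COMPUTERNAME\$($g.Name)"
    $r = $perm.AddAccount($account, $g.PreSet)
    if ($r.ReturnValue -ne 0) { Write-Warning "AddAccount for $account returned $($r.ReturnValue)" }

    # 3. For the _RC group add the Remote Control right on top of User Access.
    #    PermissionMask 3 = WINSTATION_REMOTECONTROL in Win32_TSAccount.ModifyPermissions
    #    (assumed from the provider documentation; verify on your server).
    if ($g.RemoteControl) {
        $acct = Get-WmiObject -Namespace $tsNamespace -Class Win32_TSAccount `
                    -Filter "TerminalName='RDP-Tcp'" |
                Where-Object { $_.AccountName -like "*\$($g.Name)" }
        if ($acct) { $acct.ModifyPermissions(3, $true) | Out-Null }
    }
}

# 4. Print the resulting listener ACL for review. Removing the built-in entries
#    other than SYSTEM (step 4 of the procedure) is left as a manual, reviewed action.
Get-WmiObject -Namespace $tsNamespace -Class Win32_TSAccount -Filter "TerminalName='RDP-Tcp'" |
    Select-Object AccountName, PermissionsAllowed, PermissionsDenied |
    Format-Table -AutoSize
```

Compare the printed ACL with the table above before removing anything: an operator group with Full Control, or an account left over from a previous configuration, is exactly the kind of mistake the Defining Security section warns about.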
2. In the Tree, open Users folder under Local Users and Groups.
SECURITY LAYER
All RDP connections are encrypted automatically. Security layer settings
determine the type of encryption used for these Terminal Services connections.
Three options for the security level are available: RDP Security Layer, SSL (TLS
1.0), and Negotiate.
The RDP Security Layer option limits encryption to the native encryption built
into Remote Desktop protocol. The advantages of this option are that it requires
no additional configuration and that it offers a high standard of performance. Its
disadvantage is that it does not provide terminal server authentication for all
client types.
Although RDP 6.0 can provide server authentication for clients running Windows
Vista and later, Terminal Services clients running Windows XP and earlier do not
support server authentication. If you want to enable RDP clients running
Windows XP to authenticate the terminal server before establishing a
connection, you have to configure SSL encryption.
The SSL (TLS 1.0) option offers two advantages over RDP encryption. First, it
offers stronger encryption. Second, it offers the possibility of server
authentication for RDP client versions earlier than 6.0. SSL is, therefore, a good
option if you need to support terminal server authentication for Windows XP
clients.
However, this option does have some drawbacks. To begin with, SSL requires a
computer certificate for both encryption and authentication. By default, only a
self-signed certificate is used, which is equivalent to no authentication. To
improve security, you must obtain a valid computer certificate from a trusted
certification authority (CA), and you must store this certificate in the computer
account certificate store on the terminal server. Another disadvantage of SSL is
that its high encryption results in slower performance compared to that of other
RDP connections.
When you choose the Negotiate option, the terminal server will use SSL security
only when supported by both the client and the server. Otherwise, native RDP
encryption is used. Negotiate is also the default selection.
ENCRYPTION LEVEL
The Encryption Level setting on the General tab enables you to define the
strength of the encryption algorithm used in RDP connections. The default
selection is Client Compatible, which chooses the maximum key strength
supported by the client computer. The other available options are FIPS
Compliant (highest), High, and Low.
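The security layer, encryption level and certificate discussed in the two sections above can be audited from a script instead of the Remote Desktop Session Host Configuration dialog. The following is an added example, not part of the Wonderware document: it reads the RDP-Tcp settings through the Win32_TSGeneralSetting WMI class of Windows Server 2008 R2, flags a self-signed certificate (which, as stated above, is equivalent to no server authentication), and optionally raises the settings to SSL (TLS 1.0) with High encryption. The value-to-name maps are the class's documented constants; the $enforce switch is an assumption of this example.

```powershell
# Added example, not from the Wonderware document. Reports the RDP-Tcp security
# layer, encryption level and server certificate on a Windows Server 2008 R2
# RD Session Host, then raises weaker settings to SSL (TLS) + High.
# Run elevated on the terminal server. Set $enforce = $false to audit only.
$enforce = $true

$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
          -Filter "TerminalName='RDP-Tcp'"
if (-not $ts) { throw 'RDP-Tcp listener not found' }

# Value maps of the Win32_TSGeneralSetting properties.
$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
$levelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

"Security layer   : $($layerNames[[int]$ts.SecurityLayer])"
"Encryption level : $($levelNames[[int]$ts.MinEncryptionLevel])"

# The document warns that a self-signed certificate gives no real server
# authentication. Look the configured certificate up by thumbprint in the
# computer stores and check whether it was issued by anything other than itself.
$thumb = $ts.SSLCertificateSHA1Hash
$cert = @(Get-ChildItem 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
          Where-Object { $_.Thumbprint -eq $thumb })[0]
if ($cert) {
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    "Certificate      : $($cert.Subject) (self-signed: $selfSigned, expires $($cert.NotAfter))"
    if ($selfSigned) {
        Write-Warning 'Self-signed RDP certificate: clients cannot authenticate this server. Install a CA-issued computer certificate.'
    }
} else {
    Write-Warning "Configured certificate thumbprint $thumb was not found in the computer certificate stores"
}

if ($enforce) {
    if ([int]$ts.SecurityLayer -lt 2) {
        $r = $ts.SetSecurityLayer(2)          # 2 = SSL (TLS 1.0)
        "SetSecurityLayer   -> ReturnValue $($r.ReturnValue)"
    }
    if ([int]$ts.MinEncryptionLevel -lt 3) {
        $r = $ts.SetEncryptionLevel(3)        # 3 = High (use 4 for FIPS Compliant)
        "SetEncryptionLevel -> ReturnValue $($r.ReturnValue)"
    }
}
```

Changes made through SetSecurityLayer and SetEncryptionLevel apply to new connections only; existing sessions keep the settings they were established with, so audit again after operators have reconnected.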
DISABLE THE ABILITY TO SWITCH USERS THROUGH THE GROUP POLICY INTERFACE
First, this could be a security policy requirement. A security requirement might
be that a user should completely quit all applications and log off from the
computer after finishing his or her work on the computer.
By disabling the fast user switching feature, you hide the Switch user button in
the Logon user interface, in the Start menu, and in the Task Manager.
Another reason could be performance issues. The fast user switching feature
uses some system resources which can be freed in case the fast user switching
functionality is not needed.
To disable the ability to switch users through the Group Policy interface
1. Click Start/Run.
2. In the Run dialog box, type gpedit.msc.
3. Click OK. The Group Policy dialog box appears.
6. On the File menu, click Exit to close the Group Policy editor.
Important: Certain editions of Windows Vista do not have the Group Policy
editor. Alternatively, configure the Switch User settings through the registry.
To disable the ability to switch users through the Registry Editor
1. Click Start/Run.
2. In the Run dialog box, type regedit.exe.
3. Click OK. The Registry Editor dialog box appears.
4. Go to HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft >
Windows > CurrentVersion > Policies > System.
5. Right-click and select DWORD (32-bit) Value.
6. Name it HideFastUserSwitching.
7. Set the HideFastUserSwitching data value to 1.
8. On the File menu, click Exit to close the Registry Editor.
APPLOCKER
AppLocker is used to apply rules that specify which files are allowed to run. Make
sure that no rules are applied against the InTouch folder.
If an AppLocker rule is applied to the InTouch folder, you will see the following
error at startup:
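Whether an AppLocker rule affects the InTouch folder can be checked before operators see the startup error. The script below is an added example, not part of the Wonderware document: it evaluates the effective AppLocker policy against every executable and DLL under the InTouch folder for the operator group, using the AppLocker PowerShell module shipped with Windows Server 2008 R2. The folder path is a placeholder and the group name is the document's WW_Users example; both are assumptions to adjust for your server.

```powershell
# Added example, not from the Wonderware document. Checks the effective AppLocker
# policy against the InTouch program files for the operator group, so a blocking
# rule is found before operators hit the startup error described above.
# $inTouchDir is a PLACEHOLDER; set it to your InTouch installation folder.
Import-Module AppLocker

$inTouchDir = 'C:\Program Files (x86)\Wonderware\InTouch'   # PLACEHOLDER, verify on your server
$operator   = "$env:COMPUTERNAME\WW_Users"                   # group name from the document's example

$policy = Get-AppLockerPolicy -Effective
$ruleCount = ($policy.RuleCollections | ForEach-Object { $_.Count } | Measure-Object -Sum).Sum
if (-not $ruleCount) { 'No AppLocker rules are in effect on this computer.'; return }

# Every executable and library InTouch could load; DLL results only matter if
# the DLL rule collection is enforced.
$files = Get-ChildItem -Path $inTouchDir -Recurse -Include *.exe, *.dll -ErrorAction Stop

# Only keep decisions that would stop the file from running for the operator group.
$denied = $files | Test-AppLockerPolicy -PolicyObject $policy -User $operator -Filter Denied, DeniedByDefault

if ($denied) {
    Write-Warning "$(@($denied).Count) InTouch file(s) would be blocked for ${operator}:"
    $denied | Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize
} else {
    "All $(@($files).Count) InTouch executables and DLLs are allowed for $operator."
}
```

MatchingRule tells you which rule produced the decision; DeniedByDefault means no rule matched at all, which is what you get when the executable collection is enforced but only Windows and Program Files rules were created.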
Increases the number of tasks that the standard user can perform, which
do not require/prompt for administrator approval.
UAC Recommendations
You can re-enable UAC after installation for use on a Runtime machine.
For details on disabling UAC in your environment, type UAC into the WDN
Search field.
NEW FEATURES IN WINDOWS SECURITY AUDITING
New Auditing enhancements in Windows Server 2008 R2 increase the level of
detail in security auditing logs and simplify the deployment and management of
auditing policies.
Reason for access reporting: This list is also called Access Control Entries.
The admin can allow privileges to objects. They can allow or deny rights
to objects in the environment.
Advanced Audit Policy Settings: 53 new settings are available. The new
settings allow the admins to target more specific activities.
USING AUDITING
There are two ways to use it. First you can describe policies which will track the
user activities and other system-wide activities.
The success or failure of the event and the time that the event occurred.
Use security auditing to monitor intrusion attempts. If you suspect that your
system is under any sort of attack, you can enable logging for an array of
auditable events.
By default, security logging/auditing is disabled because it usually requires
excessive processing resources.
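The intrusion-attempt monitoring described above can be reduced to two steps: enable failure auditing for logons, then read the failed Remote Desktop logons out of the Security log. The following is an added example, not part of the Wonderware document: it uses auditpol (the Advanced Audit Policy tooling of Windows Server 2008 R2) and Get-WinEvent, parses Security event 4625 by field name, and keeps only logon type 10 (RemoteInteractive, i.e. RDP). The 24-hour window and the review threshold are assumed values for the example.

```powershell
# Added example, not from the Wonderware document. Enables failure auditing for
# the Logon subcategory and summarises failed Remote Desktop logons (Security
# event 4625, logon type 10) per source address over the last 24 hours.
# The window and threshold are assumed values; tune them for your site.
$threshold = 10
$since     = (Get-Date).AddHours(-24)

# Turn on failure auditing for logons (takes effect immediately) and show the result.
auditpol /set /subcategory:"Logon" /failure:enable | Out-Null
auditpol /get /subcategory:"Logon"

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
              -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # 4625 carries its fields in EventData; read them by name rather than by position.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['LogonType'] -eq '10') {        # 10 = RemoteInteractive (RDP)
        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            Source  = $d['IpAddress']
            Account = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Status  = $d['Status']       # NTSTATUS code, e.g. bad password vs. unknown user
        }
    }
}

$bySource = $failures | Group-Object Source | Sort-Object Count -Descending
foreach ($s in $bySource) {
    $accounts = ($s.Group | Select-Object -ExpandProperty Account -Unique) -join ', '
    $flag = if ($s.Count -ge $threshold) { 'REVIEW' } else { 'ok' }
    '{0,-16} {1,5} failed RDP logons since {2:u}  [{3}] accounts: {4}' -f $s.Name, $s.Count, $since, $flag, $accounts
}
if (-not $bySource) { "No failed RDP logons recorded since $since." }
```

Only the Logon subcategory is enabled here, which keeps the log volume well below what the paragraph above warns about; a source that cycles through many account names is a stronger signal than a high count against one account, which is usually an operator with a stale password.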
DAServers
The InTouch HMI does not start I/O Servers in a Terminal Services environment.
Depending on the sequence that View sessions start, you might need to use the
IOReinitialize() function. All servers (I/O devices or View applications) must be
running before starting an application that reads values from these servers.
Tip: To avoid receiving an Initializing I/O error message when WindowViewer
starts, clear (de-select) the Start Local Servers check box on the General tab of
the WindowViewer Properties dialog box.
INTRODUCTION
A PC running the I/O Server, OPC Server, or DAServer is the data source for a
System Platform solution. This PC is referred to as the I/O Server node.
I/O Server applications translate data from protocols like DDE, SuiteLink or OPC,
into vendor-specific protocols to communicate with controllers, PLCs, or RTUs.
In their basic role, I/O Servers maintain the list of items that client applications
request, then poll or handle data received from field devices, and pass it to
subscribed clients.
The I/O Servers usually run in the console mode under the default system
account (unless you specify which user account to run).
The I/O server will not be able to provide data using the DDE protocol in
TSE environment.
The server reports the value and updates WindowViewer only if a change
occurs.
Note: This command closes all existing I/O conversations and restarts the entire
process of setting up I/O conversations. All I/O points are affected by this
command.
The user account used to access and set up the I/O Server on the Terminal
Server station is the only user account that can configure the I/O Server, even if
the user accessed it from a remote session.
Available resources
What other software and utilities are running in that host machine
It is possible that if the server is busy processing scripts from many clients, it may
not start a script on another client during the interval when the timer would
normally start the script. This condition can prevent the script from running on
the client.
To ensure scripts run correctly, combine scripts with common triggers and move
them to a single application, such as a tag server.
The difference between scripts that run on TSE and scripts that run on a
"normal" application is that in the "normal" application, one client can trigger
many scripts at the same time, but in TSE the same script can be triggered by
many clients at the same time. The server handles the script execution order
according to the server clock.
For example:
[Figure: two systems, each running an I/O Server and a WindowViewer with its
own Application Database (system 1's database contains the tagnames and
QuickScripts for system 1, system 2's those for system 2), and an Operator
Workstation whose Application Database contains windows with references to
the remote tagnames.]
Note: Alarm Providers are not supported on Terminal sessions. They are only
supported on the Terminal Console.
The Wonderware InTouch Distributed Alarm system includes the Alarm DB
Logger utility that logs alarms and events to an alarm database. The
Wonderware Alarm DB Logger Manager uses fixed accounts in the Microsoft
SQL Server database to access the data.
Note: The DB Logger needs to have a write-access account which you specify
using the Alarm DB Logger manager utility.
For Vista, Windows 7 and Windows Server 2008 R2 operating systems, source
alarms are not visible to InTouch alarm clients unless the client AlarmViewer
query is configured according to the following steps.
The following section applies to Vista, Windows 7, or Windows Server 2008 R2.
The IP address is unique to your alarm provider node. Note the IP address
and use it in the next step.
2. In the Alarm Query tab of the AlarmViewer control on the remote machine,
configure the alarm query as follows, substituting your actual node name of
the alarm providing InTouch for nodeabc (below) and substituting your IP
address noted in the previous step:
\\nodeabc:253.127.148.120\intouch!$system
3. Test and verify that the alarms sourced from the alarm provider display
correctly in the InTouch AlarmViewer control.
MessageResult=TseGetClientId();
Example
The client IP address 10.103.202.1 is saved to the MsgTag tag.
MsgTag=TseGetClientId();
TseGetClientNodeName() Function
Returns the client node name if the View application is running on a Terminal
Server client assigned a name that can be identified by Windows. Otherwise, the
TseGetClientNodeName() function returns an empty string.
Syntax
MessageResult=TseGetClientNodeName();
Example
The client node name is returned as the value assigned to the MsgTag tag.
MsgTag=TseGetClientNodeName();
TseQueryRunningOnConsole() Function
The TseQueryRunningOnConsole() function can be run from a script to indicate
whether the View application is running on a Terminal Services console.
Syntax
Result=TseQueryRunningOnConsole();
Return Value
Returns a non-zero integer value if the View application is running on a Terminal
Services console. Otherwise, the TseQueryRunningOnConsole() function returns
a zero.
Example
IntTag is set to 1 if WindowViewer is running on a Terminal Services console.
IntTag=TseQueryRunningOnConsole();
TseQueryRunningOnClient() Function
Returns a non-zero integer value if the View application is running on a Terminal
Services client. Otherwise, it returns a zero.
Syntax
Result=TseQueryRunningOnClient();
Return Value
Returns 0 if View is not running on a Terminal Services client.
Example
IntTag is set to 1 if WindowViewer is running on a Terminal Services client.
IntTag=TseQueryRunningOnClient();
INTRODUCTION
This Tech Note explains setting up InTouch 10.0 in a Terminal Services
environment. It covers the three primary application configurations for
Managed, Published and Standalone Applications.
The three methods of running InTouch from TSE:
APPLICATION VERSION
InTouch 10.0
MANAGED APPLICATIONS
This section explains creating, editing, and deploying a managed InTouch
application.
Note: Do not use NAD when using the Managed Application method as it is not
needed nor intended to work in Managed Applications.
Launch the InTouch Application Manager on the platform where you have
deployed the InTouchViewApp object. The Managed Application will be
automatically listed.
PUBLISHED APPLICATIONS
To Create a Published InTouch Application
1. In the IDE, create an instance of the $InTouchViewApp Derived Template.
Edits to the application are made to the View Application template.
2. Publish the application to create a non-managed application containing
ArchestrA Graphics by right-clicking the $InTouchViewApp template and
selecting Publish InTouch Application (Figures 12 and 13 below).
STANDALONE APPLICATIONS
Create a Standalone InTouch Application with WindowMaker and run the
application using NAD (Network Application Development). This is the same
method recommended by Wonderware in previous versions.
1. In the InTouch Application Manager, create a new application. Edit the
application in WindowMaker.
2. Run the application as a NAD Client on the Terminal Sessions. Configure
NAD settings in the InTouch Application Manager under Node Properties.
4. Select the license file and then click Open. The license manager shows that
you have successfully installed the license.
Note: The Log pane shows all log messages associated to a specific license.
The license details are shown when you select the license file.
Field       Description                                          Possible values
ltags                                                            decimal format
rrefs       Number of remote references                          decimal format
mode        Former Development/Runtime/InTouchView application   1 (001) WindowMaker
                                                                 2 (010) Fully functional WindowViewer
                                                                 3 (011) WindowMaker and fully functional WindowViewer
                                                                 6 (110) WindowViewer with limited functionality (InTView)
                                                                 7 (111) WindowMaker and limited functionality WindowViewer
readonly    Read Only                                            0/1
lang        Enforce language                                     0/1
windows     Number Of Windows                                    decimal format
rttimeout                                                        decimal format
iorestrict  IO Restriction
oem
[Figure: Remote Desktop licensing topology. A Windows Server 2008 R2 Remote
Desktop Session Host server and Remote Desktop License Server; Client 1 and
Client 2 connecting with RDC/TSC clients; the Microsoft Certificate Authority
and License Clearinghouse.]
3. Once the Microsoft activation server has been located a new dialog box
appears prompting for user, company and geographic location information.
INSTALLING LICENSES
To Install Remote Desktop Services Client Access Licenses (RDS CAL)
You can install Remote Desktop Services client access licenses (RDS CALs) onto
your license server in the following ways:
Install Remote Desktop Services Client Access Licenses Automatically
This scenario requires Internet connectivity from the computer running the
Remote Desktop Licensing Manager tool.
To install Remote Desktop Services client access licenses automatically,
complete the following steps.
1. On the license server, open Remote Desktop Licensing Manager (Start/
Administrative Tools/Remote Desktop Services/Remote Desktop
Licensing Manager).
2. Verify that the connection method for the Remote Desktop license server
is set to Automatic connection (recommended) by right-clicking the
license server on which you want to install Remote Desktop Services client
access licenses (RDS CALs), and then clicking Properties.
3. On the Connection Method tab, change the connection method if
necessary, and then click OK.
4. Right-click the license server on which you want to install the RDS CALs,
and then click Install Licenses. The Install Licenses Wizard appears.
5. Click Next.
6. On the License Program page, select the appropriate program through
which you purchased your RDS CALs, and click Next.
7. The License Program that you selected on the previous window in the
wizard determines what information you need to provide on this window.
In most cases, you must provide either a license code or an agreement
number. Consult the documentation provided when you purchased your
RDS CALs.
INSTALL REMOTE DESKTOP SERVICES CLIENT ACCESS LICENSES BY USING A WEB BROWSER
The Web installation method can be used when the computer running the
Remote Desktop Licensing Manager tool does not have Internet connectivity,
but you have access to the Web by means of a Web browser from another
computer. The URL for the Web installation method is displayed in the Install
Licenses Wizard.
INSTALL REMOTE DESKTOP SERVICES CLIENT ACCESS LICENSES BY USING THE TELEPHONE
The telephone installation method allows you to talk to a Microsoft customer
service representative to complete the installation process. The appropriate
telephone number is determined by the country/region that you chose in the
Activate Server Wizard and is displayed by the wizard.
CLIENT LICENSING
When a client (either a user or a device) connects to an RD Session Host
server, the RD Session Host server determines if an RDS CAL is needed. The RD
Session Host server then requests an RDS CAL from a Remote Desktop license
server on behalf of the client attempting to connect to the RD Session Host
server. If an appropriate RDS CAL is available from a license server, the RDS CAL
is issued to the client, and the client is able to connect to the RD Session Host
server.
Although there is a licensing grace period during which no license server is
required, after the grace period ends, clients must have a valid RDS CAL issued
by a license server before they can log on to an RD Session Host server.
Microsoft offers a 120-Day Demo License.
ADDITIONAL RESOURCES
The following Tech Notes are available on the Wonderware Developer Network (login
required).
SOURCES
The following sources were used in this document: