Thin Clients: Mobile and Internet

The VTScada Thin Client Server allows operators to connect to an application from a remote computer or mobile Internet client. Your VTScada license must permit thin client (Internet) connections.

The VTScada Thin Client Server must be configured if you are using any of the following technologies:

  • Thin client connections. (VIC, Mobile and VTScada Anywhere)
  • Remote data access. (Needed for the Excel add-in, ODBC connections, and REST queries.)
  • Alarm notifications using Twilio.

If you are running VTScada as a Windows service, it is typical to require connections to that server to use a thin client connection. Depending on the choice of client (there are three) you can still do all development of an application and you can Access the VAM from a Thin Client. (This last is available only if you are running VTScada as a Windows Service.)

 

There are three ways to connect. Each of the clients has its own relative advantages. All allow operators to monitor and control the application. Users can identify which client they are using by looking at the URLClosed Uniform Resource Locator. The address of a web page..

VIC clients and servers should have matching versions. We work to maintain backward compatibility, but there is no guarantee that a client from one release will work properly with a server from another release.

If you have more than one VTScada Thin Client Server, then upon the loss of one server, both the VTScada Anywhere client and the VIC will fail-over automatically to the backup server. New sessions must connect to the backup server at its URL, which will differ from that used by the primary server. The mobile client does not have support for automatic fail-over and must be directed to connect to the backup server.

Licensing

Your license controls the number of simultaneous connections you can have. Licenses are managed in a pool, or "cluster". See Server Requirements and Licensing.

VTScadaLIGHT requires a VPN for thin client access outside your local network.

Security

Security must be enabled in an application, and the Thin Client Access privilege granted before anyone can connect. As a safety measure, the Thin Client Access privilege is not included in any of the pre-configured roles. You must choose to grant it to designated users. After signing in, operators may proceed as their other security privileges permit.

The entire Internet lies between your client and server, and all communication that is not encrypted is visible. Be assured that no SCADA site goes unnoticed if connected to the Internet.

A hacker who is able to intercept communication packets as they route through the Internet can easily decipher all information that is not encrypted, including user-names and passwords.

You must use at least one of:

  • A virtual private network (VPN) for all communications.
  • An X.509 certificate. (Also known as a TLS/SSL Certificate and available from many online providers).

Tools in VTScada help you to obtain the required certificate. Using the third tab of the VTScada Internet Client/Server Setup dialog, you can fill in the blanks to generate a request that can then be sent to an organization such as VeriSign. If successful, the request will be placed on your Windows™ clipboard. Internet Security (TLS, X.509, SSL)

For those using Twilio for alarm notification (Using Twilio for Alarm Notifications), there is no choice other than to have a publicly-accessible server protected by a certificate. These sites might also configure a VPN link for thin client access, but the Twilio connection cannot be made over a VPN.

Using Browser Bookmarks and Windows Shortcuts

Bookmarks start with a URL that serves up a web page, through which users sign into. After sign-in, Internet clients receive server lists from the server, and hence can fail over to a backup if the server disconnects. There is a difference if you create a VIC shortcut by using the Bookmark Page item in the VIC window's system menu. The resulting shortcut (stored, for example, on your desktop) contains a VIC server list, so, from that point on, you can start a connection as long as any one of those servers is running.

When you try to start a VIC or Anywhere Client connection through a web browser, you provide a single URL to a server, and that server must be able to respond to that request. The VIC shortcut provides a way around this for VICs, but there is no way around this limitation for the Anywhere Client, which can connect only to the URL provided by the browser.

Redundancy and Thin Client Connections

A frequent question is how to switch to a backup server automatically when the current primary server is unavailable. (Thin client failover) The answer depends on several factors:

  • Which client you use for your connection.
  • Whether you are connecting from an internal network or across the Internet.
  • Whether you have an existing connection at the time of server failure or are a client attempting to connect to a server that you do not know is unavailable.

The VIC keeps a list of servers and will automatically connect to the next when the current server goes offline. Browser-based clients do not have this feature, but if connected internally and if the server goes offline, it will fail to the next. External connections from browser-based clients are limited by the network gateway.

Scenario 1. Session in progress

Applies to both the VIC and the Anywhere client. If the session has already started and a thin client is connected to a server that subsequently fails, the clients have an active server list and will fail over to the next active server in the list.

Scenario 2. New session

If the session has not already started and a Client tries to connect to an offline server, the VIC Client has the Server List cached and will connect to the next Active Server in the list.

An Anywhere Client will only attempt to connect to the server attached to the URL so will fail to connect. In this situation, you should create a second URL shortcut, specifying the backup server.

Custom Disclaimer Message

You may choose to add an HTML file to your application, which will be displayed to all who connect. This must be a complete HTML file that is part of your application (Import File Changes Tool). Note that JavaScript content will not execute and should not be included. You can find an example thin client disclaimer in ..\Examples\ExampleThinClientDisclaimer.html

After adding the file to your application, create an application property named ThinClientDisclaimer, whose value is the name of your HTML file.

Thin Client Landing Page Configuration

The appearance of the standard VIC landing page is protected by branding requirements. But with application property settings, you can control which parts of it are enabled without needing to license customized Branding Files. Note that these properties will take precedence over configuration in custom branding files. Referring to the following image: