Servers in a Demilitarized Zone (DMZ)
For additional security, many sites choose to locate their VTScada Thin Client Server in a demilitarized zone of their network. (Separated from the Internet by one firewall, and from the internal network by another.) This configuration can allow both effective and secure external connectivity (for 3rd party connections and remote Thin Client connections) to a VTScada application without endangering the internal network.
- Install a separate VTScada server in the DMZ. If serving external ODBC or OPC connections, the license must be either a Development Runtime, or a Runtime with the Connectivity Package (ODBC Server & OPC Server.)
- Configure the firewall between the SCADA network and the DMZ to allow only connections on the VTScada RPC port 5780 that are initiated from the SCADA network side.
VTScada does not require any additional configuration for this, as long as at least one VTScada service includes the DMZ computer as a backup server on its server list. - Add the DMZ computer as a backup server on the list of Historian servers. (Or to the Default Servers list if there is no separate System Historian servers list.)
- If all connections to an external thin client should be prevented from performing operational control actions, the DMZ computer can be configured as a Read-Only WorkstationRead-Only Workstation. This can be configured to lock out control for all Thin Clients connected to this computer, regardless of the operator's privilege set.
If specific external users require the ability to perform operational control actions, use standard Accounts and RolesAccounts and Roles configuration.