Preparation for Mobile and Internet Access

Assuming that you have a VTScada license permitting thin client (Internet) connections, the first step in configuring VTScada to allow thin client connections is to secure your site. Note that the following applies to all VTScada technologies that make use of the VTScada Thin Client Server.

At least one of Enable OpenID Connect or Permit Thin Client sign in with username and password, must be selected. If not, all Internet and Mobile sign in attempts will be met with the message "No sign in methods are available".

See also, OpenID Connect Authentication.

Features available to a thin client depend on the type. Refer to Capabilities of Internet Thin Clients.

Client display characteristics can be controlled by Realm Display Setup TagsRealm Display Setup Tags. This tag is where you will be able to configure multi-monitor displays for VIC clients. The default minimum Width by Height for an Anywhere Client is 1366 x 768. It is not recommended that you set a minimum Width by Height less than this as some standard VTScada dialogs may become unusable.

To allow or deny specific IP address (or a range of IP addresses) at the VTScada server level instead of your firewall, create the properties, HTTPAllow and HTTPDeny in your SETUP.INI file.

HTTP access to files and folders is restricted to those listed in the [HTTP-Unauthenticated] section of your Setup.INI file. Application folders do not need to be added to this list to run those applications on a thin client. ([HTTP-Unauthenticated] Section)

When configuring your server, ensure that you select a port that is not in use by any other process on your server. Port 80, the default HTTP port, is often used by other programs. You can check your server by opening a command prompt as an administrator, then running "netstat -ao". You can then check the process ID value in the Windows task manager. For example:

C:\WINDOWS\system32>NETSTAT -AO

Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 MYSTATION-PC:0 LISTENING 4
TCP 0.0.0.0:81 MYSTATION-PC:0 LISTENING 10916

This example shows that port 80 is in use by process id #4, which belongs to Windows. Port 81 is in use by process #10916, which happens to be a configured VTScada server in this example.

Thin clients transmit the user sign in credentials (username and password) using Basic Authentication, which is a simple, non-encrypted, Base 64 encoding of "username:password", and which can be decoded by network snooping tools if they can capture the message content. Wireshark as one example, will show the decoded credentials if connected to a local machine or switch that performs the communications (Because switches don't broadcast network traffic for all to hear, the "listener" must be local to the communications path versus being anywhere on the network.) If Windows Security Integration mode is enabled, then the potential consequences will extend beyond the SCADA system should the operator's Windows credentials be stolen.

To secure user credentials against listeners that may have access to switches or workstations carrying this traffic, it is essential that you encrypt thin client sessions with TLS (transport layer security) by installing an X.509 certificate on the VTScada Internet server. The certificate can be obtained from a 3rd party issuer such as Verisign, Thawte, GoDaddy, from an organization's own Certificate Authority (CA) infrastructure, or via local ad-hoc creation. (e.g. By using Open SSL tools.) To allow clients (browsers) to verify the certificate and not display an untrusted warning, they need the "root" certificate from the CA to be installed. The root certificate for most third-party issuers is already installed in most Web browsers.

If you have more than one VTScada Thin Client Server, then upon the loss of one server, both the VTScada Anywhere client and the VIC will fail-over automatically to the backup server. The mobile client does not have this ability and must be directed to connect to the backup server.

If your pages include tabbed folders, then the Unique Key property of the folder must be set in order for tabs to function when viewed using a Mobile Internet Client.