Network Configuration

This topic is for those who want to allow VIC connections from outside their firewall to their VTScada Thin Client Server, where their site has a simple router and no internal network infrastructure services (e.g. DHCP/DNS). Trihedral strongly advises that you use Transport Layer Security for accessing your VTScada Thin Client Server from outside your firewall.

Typically, in its default configuration, the router blocks all incoming connections. The router will probably have an embedded DHCP (Dynamic Host Configuration Protocol) server (for allocating local, non-routable IP addresses on the local network) and a DNS (Domain Name System) forwarder (for resolving names using public, or ISP (Internet Service Provider)-provided, DNS servers). Most such routers allow the DHCP server to be disabled if address allocation is done by another means (such as an internal DHCP server or static IP assignments), but rarely provide DNS capabilities other than forwarding. This means that name resolution requests that cannot be resolved directly by the workstation are passed to the router, which forwards the request to an external DNS server.

Name resolution is typically done by a machine inside the network perimeter by two means:

  • A machine name without a domain being specified [e.g. VTSCADA1] results in a NetBIOS name resolution and yields a non-routable internal IP address [e.g. 192.168.0.5].
  • A fully-qualified domain name (FQDN) being specified [e.g. vtscada1.trihedral.com] results in a DNS query being made to the router which forwards it to a DNS server on the internet to obtain a publicly-accessible IP address. This is normally the external IP of the router.

So long as the servers and clients (thick or thin) are within the network perimeter and use NetBIOS-type names, this works. It will not work when someone wants to access a VIC server from outside the network perimeter. Because the router's firewall blocks all incoming connections by default, accessing the VIC server from outside the local network perimeter requires the following:

  • Configure port forwarding on the firewall so that the ports used by the VTScada Thin Client Server are forwarded to the VTScada Thin Client Server.
  • Install a DNS server on the internal network that resolves the server's fully qualified domain name (FQDN) to its local IP address.
  • Configure all servers and clients to use that DNS server when inside the network perimeter. Typically this is done by disabling the DHCP server on the router and installing a DHCP server on the same machine as the DNS server. DHCP can then provide the correct IP address to use for DNS, the domain suffix to apply internally (e.g. trihedral.com) and the gateway (router) address.

This is sometimes referred to as "split DNS", "split horizon DNS", "split view DNS" or "split brain DNS". With this setup, you configure the VIC server list to use just the server's FQDN. When a machine is inside the network perimeter, the internal DNS server resolves the server FQDN to a local IP address and when outside the network perimeter, public DNS resolves the FQDN to the router which port-forwards to the server.
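The three steps above, carried out on a Windows Server that already has the DNS Server and DHCP Server roles installed, look like the following. This is an added example, not part of the VTScada documentation or product; the domain name, host name, addresses and scope range are assumptions for illustration and must be replaced with your site's values.

```powershell
# Added example (not from the VTScada documentation): build the internal DNS
# and DHCP server for a split-DNS setup. Run on the machine that will host both
# roles. Every name and address below is an assumption for illustration.
$InternalDomain = 'trihedral.com'      # domain suffix used inside the perimeter
$ServerHost     = 'vtscada1'           # VTScada Thin Client Server host name
$ServerLanIP    = '192.168.0.5'        # its local, non-routable address
$DnsDhcpHostIP  = '192.168.0.2'        # this machine: the internal DNS/DHCP server
$RouterIP       = '192.168.0.1'        # default gateway (the router)
$IspDnsServers  = @('203.0.113.53')    # upstream resolver(s) for every other name

# 1. Create an internal zone for the public domain so that queries for the server
#    FQDN are answered here instead of being forwarded to the internet.
Add-DnsServerPrimaryZone -Name $InternalDomain -ZoneFile "$InternalDomain.dns" -DynamicUpdate None

# 2. Map the FQDN to the LAN address. Internal clients get this answer; external
#    clients still get the router's public address from public DNS.
Add-DnsServerResourceRecordA -ZoneName $InternalDomain -Name $ServerHost -IPv4Address $ServerLanIP

# 3. Forward everything that is not in the internal zone to the ISP resolvers,
#    mirroring what the router's DNS forwarder did.
Add-DnsServerForwarder -IPAddress $IspDnsServers

# 4. Replace the router's DHCP: hand out this DNS server, the domain suffix and the
#    gateway. Disable DHCP on the router before activating the scope, otherwise two
#    servers will compete to answer lease requests.
Add-DhcpServerv4Scope -Name 'LAN' -StartRange 192.168.0.100 -EndRange 192.168.0.200 `
    -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsServer $DnsDhcpHostIP `
    -DnsDomain $InternalDomain -Router $RouterIP

# 5. Check the internal view: the answer must be the LAN address, not the router's
#    public address.
$fqdn = "$ServerHost.$InternalDomain"
Resolve-DnsName -Name $fqdn -Type A -Server $DnsDhcpHostIP | Select-Object Name, IPAddress
```

One consequence of hosting the public domain name internally: the internal zone is authoritative for the whole domain, so any other public names under it that internal machines need (a company web site, mail server and so on) must also be added as records in the internal zone, or internal clients will not be able to resolve them.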

In order for TLS to work, the FQDN of the server must be listed on the X.509 certificate and must resolve to the server, whether the client machine is on the internal or external network. In other words, you need the name resolution of vtscada1.trihedral.com to yield two different addresses depending on the location of the client; hence the use of split DNS in this network configuration is recommended.
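The two conditions just stated can be checked from a client before going live: the FQDN must resolve to the right address for the client's location, and the certificate presented by the server must carry that FQDN. The script below is an added example, not part of the VTScada documentation or product; the FQDN, resolver addresses, expected LAN address and TLS port are assumptions for illustration.

```powershell
# Added example (not from the VTScada documentation): run on a client, inside or
# outside the perimeter, to verify the split-DNS answers and the certificate name.
# All names, addresses and the port are assumptions for illustration.
$Fqdn        = 'vtscada1.trihedral.com'
$Port        = 443                 # assumed: the TLS port forwarded on the router
$InternalDns = '192.168.0.2'       # the internal DNS server of the split-DNS setup
$PublicDns   = '8.8.8.8'           # any public resolver, to see the outside view
$ExpectedLan = '192.168.0.5'       # the server's non-routable LAN address

# Ask one specific resolver for the A records of a name. A resolver that cannot
# be reached from where the script runs (e.g. the internal one when outside)
# yields an empty result instead of aborting the whole check.
function Get-ARecords([string]$Name, [string]$Server) {
    try {
        $answers = Resolve-DnsName -Name $Name -Type A -Server $Server -ErrorAction Stop
        return @($answers | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    } catch {
        Write-Warning "No answer from $Server for ${Name}: $($_.Exception.Message)"
        return @()
    }
}

# The two views must differ: LAN address inside, the router's public address outside.
$inside  = Get-ARecords $Fqdn $InternalDns
$outside = Get-ARecords $Fqdn $PublicDns
"Internal view ($InternalDns): $($inside -join ', ')"
"External view ($PublicDns): $($outside -join ', ')"
if ($inside.Count -gt 0 -and $inside -notcontains $ExpectedLan) {
    Write-Warning 'Internal DNS does not point at the LAN address'
}
if ($outside -contains $ExpectedLan) {
    Write-Warning 'Public DNS publishes the non-routable LAN address; external clients cannot use it'
}

# Connect by name and let the TLS stack validate the certificate against the FQDN.
# AuthenticateAsClient throws if the name is not on the certificate, the chain is
# not trusted by this client, or the certificate has expired.
$tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($Fqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    # DnsNameList is a property PowerShell adds to X509Certificate2 (subject CN plus SAN DNS names)
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    "Certificate subject : $($cert.Subject)"
    "Names on certificate: $($names -join ', ')"
    "Valid until         : $($cert.NotAfter)"
    if ($names -notcontains $Fqdn) { Write-Warning "$Fqdn is not among the names on the certificate" }
} finally {
    $tcp.Close()
}
```

Run it once from a workstation on the LAN and once from a machine outside the perimeter; each run should report a different address for the FQDN and the same certificate. A self-signed certificate will fail the AuthenticateAsClient step unless the client already trusts it, which is the same failure the VIC would report.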