Thin Clients: Mobile and Internet
The VTScada Thin Client Server allows operators to connect to an application from a remote computer or mobile Internet client. Your VTScada license must permit thin client (Internet) connections. The number of concurrent thin client connections allowed can be pooled between machines that both have a full production server license.
The VTScada Thin Client Server must be configured if you are using any of the following technologies:
- Thin client connections. (VIC, Mobile and VTScada Anywhere)
- Remote data access. (Needed for the Excel add-in, ODBC connections, and REST queries.)
- Alarm notifications using Twilio.
If you are running VTScada as a Windows service, it is typical for connections to that server to be made through a thin client. Depending on the choice of client (there are three), you can still do all development of an application, and you can access the VAM from a thin client. (This last is available only if you are running VTScada as a Windows service.)
There are three ways to connect. Each of the clients has its own relative advantages. All allow operators to monitor and control the application. Users can identify which client they are using by looking at the URL (Uniform Resource Locator, the address of a web page).
- Address ends with "Anywhere"
  You are using the VTScada Anywhere Client. This will work on most devices and operating systems. The screens will be nearly identical to those at a VTScada run-time installation. (Connect Using the Anywhere Client)
- Address ends with "Mobile"
  You are using the VTScada Mobile Client (MIC: Mobile Internet Client, which allows you to connect to a minimalized version of the application, suitable for mobile devices). This has been optimized for use on mobile devices to minimize your connection charges. With the MIC, you have the option of switching to full display screens when needed, but most often you will probably prefer to use the optimized display. (Connect Using a Mobile Device)
- Otherwise...
  You are using the VTScada Internet Client (VIC: VTScada Internet Client, which allows you to connect to an application over the Internet with many of the features of a full VTScada workstation). This uses a native Windows application that must be installed on your computer. This can run within your browser, or you can download the VTSX installer to run it as a stand-alone application. (Connect Using the VTSX Program)
VIC clients and servers should have matching versions. We work to maintain backward compatibility, but there is no guarantee that a client from one release will work properly with a server from another release.
If you have more than one VTScada Thin Client Server, then upon the loss of one server, both the VTScada Anywhere client and the VIC will fail-over automatically to the backup server. New sessions must connect to the backup server at its URL, which will differ from that used by the primary server. If the backup server does not have a full production license, it will manage fail-overs in a limited capacity; active connections will be maintained but new connections will be limited to the connection limit of the back-up server. The mobile client does not have support for automatic fail-over and must be directed to connect to the backup server.
Licensing
A license defines the features that are enabled on a single installed instance of VTScada, including the number of simultaneous thin client connections you can have and if they can be pooled with other licensed machines.
In a standard setup, VTScada operates under a full production license. However, there are exceptions where VTScada runs with a limited license. For instance, VTScadaLIGHT is designed and authorized for use in miniature production systems. Meanwhile, a developer's license is a special license that provides developers with all the resources needed to build applications, but it is restricted from being used for running production systems.
VTScadaLIGHT requires a VPN for thin client access outside your local network.
Security
Security must be enabled in an application, and the Thin Client Access privilege granted before anyone can connect. As a safety measure, the Thin Client Access privilege is not included in any of the pre-configured roles. You must choose to grant it to designated users. After signing in, operators may proceed as their other security privileges permit.
The entire Internet lies between your client and server, and all communication that is not encrypted is visible. Be assured that no SCADA site goes unnoticed if connected to the Internet.
A hacker who is able to intercept communication packets as they route through the Internet can easily decipher all information that is not encrypted, including user-names and passwords.
You must use at least one of:
- A virtual private network (VPN) for all communications.
- An X.509 certificate. (Also known as a TLS/SSL Certificate and available from many online providers).
Tools in VTScada help you to obtain the required certificate. Using the third tab of the VTScada Internet Client/Server Setup dialog, you can fill in the blanks to generate a request that can then be sent to an organization such as VeriSign. If successful, the request will be placed on your Windows™ clipboard. (Internet Security (TLS, X.509, SSL))
For those using Twilio for alarm notification (Using Twilio for Alarm Notifications), there is no choice other than to have a publicly-accessible server protected by a certificate. These sites might also configure a VPN link for thin client access, but the Twilio connection cannot be made over a VPN.
Using Browser Bookmarks and Windows Shortcuts
Bookmarks start with a URL that serves up a web page, through which users sign in. After sign-in, Internet clients receive server lists from the server, and hence can fail over to a backup if the server disconnects. There is a difference if you create a VIC shortcut by using the Bookmark Page item in the VIC window's system menu. The resulting shortcut (stored, for example, on your desktop) contains a VIC server list, so, from that point on, you can start a connection as long as any one of those servers is running.
When you try to start a VIC or Anywhere Client connection through a web browser, you provide a single URL to a server, and that server must be able to respond to that request. The VIC shortcut provides a way around this for VICs, but there is no way around this limitation for the Anywhere Client, which can connect only to the URL provided by the browser.
Redundancy and Thin Client Connections
A frequent question is how to switch to a backup server automatically when the current primary server is unavailable. (Thin client failover) The answer depends on several factors:
- Which client you use for your connection.
- Whether you are connecting from an internal network or across the Internet.
- Whether you have an existing connection at the time of server failure or are a client attempting to connect to a server that you do not know is unavailable.
- Whether your backup server has compatible licensing.
The VIC keeps a list of servers and will automatically connect to the next when the current server goes offline. Browser-based clients do not have this feature, but if one is connected internally and the server goes offline, it will fail over to the next server. External connections from browser-based clients are limited by the network gateway.
Scenario 1. Session in progress
Applies to both the VIC and the Anywhere client. If the session has already started and a thin client is connected to a server that subsequently fails, the clients have an active server list and will fail over to the next active server in the list.
Scenario 2. New session
If the session has not already started and a client tries to connect to an offline server, the VIC has the server list cached and will connect to the next active server in the list.
An Anywhere Client will only attempt to connect to the server attached to the URL so will fail to connect. In this situation, you should create a second URL shortcut, specifying the backup server.
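The following added example (not VTScada code) audits a list of operator bookmarks against two points made on this page: traffic must be protected by a certificate or a VPN, and browser-started Anywhere and Mobile sessions need their own bookmark for the backup server. The host names, the realm name `ops`, and the `vpn_only_hosts` parameter are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample bookmarks; hosts and the "ops" realm are hypothetical.
SAMPLE_BOOKMARKS = [
    "https://scada1.example.com/ops/Anywhere",
    "http://scada1.example.com/ops/Mobile",
    "https://scada2.example.com/ops/Mobile",
    "http://10.0.0.5/ops",  # VIC address, reachable only through the VPN
]

def client_type(url):
    """Classify a thin client URL by how its address ends (rule from this page)."""
    path = urlsplit(url).path.rstrip("/").lower()
    if path.endswith("anywhere"):
        return "Anywhere"
    if path.endswith("mobile"):
        return "Mobile"
    return "VIC"

def audit_bookmarks(urls, backup_host, vpn_only_hosts=()):
    """Return (subject, finding) tuples for bookmarks that need attention."""
    findings = []
    hosts_by_client = {}
    for url in urls:
        parts = urlsplit(url)
        hosts_by_client.setdefault(client_type(url), set()).add(parts.hostname)
        # Plain HTTP is tolerated only for hosts that are reached over a VPN.
        if parts.scheme != "https" and parts.hostname not in vpn_only_hosts:
            findings.append((url, "unencrypted: use a certificate (https) or a VPN"))
    # Anywhere and Mobile sessions started from a browser connect only to the
    # URL they are given, so each needs a bookmark that names the backup server.
    for kind in ("Anywhere", "Mobile"):
        hosts = hosts_by_client.get(kind, set())
        if hosts and backup_host not in hosts:
            findings.append((kind, f"no {kind} bookmark for backup server {backup_host}"))
    return findings

if __name__ == "__main__":
    for subject, finding in audit_bookmarks(
        SAMPLE_BOOKMARKS, "scada2.example.com", vpn_only_hosts={"10.0.0.5"}
    ):
        print(f"{subject}: {finding}")
```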
Scenario 3. Incompatible Licenses
The number of permitted thin client connections is pooled only between machines with full-production licenses. However, there are limited additional allowances made in the event of a failover.
Say a server can host 5 connections and the backup is running an instance of VTScada with a limited license (like a demo or developer's license) that only allows for 2. In the event of a failover, the backup may host all connections that are currently connected, temporarily exceeding the backup server's limit of 2. This is to mitigate a disruption in service. New connections cannot be made. If all but 2 of those connections end, they cannot be reconnected on the backup server in this configuration. Limited licenses are not designed or intended to be used as long-term fixtures in full-production systems.
Custom Disclaimer Message
You may choose to add an HTML file to your application, which will be displayed to all who connect. This must be a complete HTML file that is part of your application (Import File Changes Tool). Note that JavaScript content will not execute and should not be included. You can find an example thin client disclaimer in ..\Examples\ExampleThinClientDisclaimer.html
After adding the file to your application, create an application property named ThinClientDisclaimer, whose value is the name of your HTML file.
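A pre-import check for the disclaimer file, as an added example that is not part of VTScada: it reports script-capable content, which this page says will not execute and should not be included, and missing structural elements. Treating "complete" as having `html`, `head` and `body` elements is an assumption made for this example, and both sample documents are constructed.

```python
from html.parser import HTMLParser

REQUIRED_TAGS = ("html", "head", "body")  # assumption: what "complete" means here

class DisclaimerCheck(HTMLParser):
    """Records which elements appear and any script-capable content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.seen = set()
        self.problems = []

    def handle_starttag(self, tag, attrs):
        self.seen.add(tag)
        line = self.getpos()[0]  # line on which this tag starts
        if tag == "script":
            self.problems.append(f"line {line}: <script> element")
        for name, value in attrs:
            if name.startswith("on"):  # onload, onclick, ...
                self.problems.append(f"line {line}: event handler attribute {name}")
            elif (value or "").strip().lower().startswith("javascript:"):
                self.problems.append(f"line {line}: javascript: URL in {name}")

def check_disclaimer(html_text):
    """Return a list of problems; an empty list means the file passed."""
    parser = DisclaimerCheck()
    parser.feed(html_text)
    parser.close()
    problems = list(parser.problems)
    for tag in REQUIRED_TAGS:
        if tag not in parser.seen:
            problems.append(f"missing <{tag}> element")
    return problems

# Constructed samples: one acceptable file and one that should be rejected.
GOOD = """<!DOCTYPE html>
<html>
<head><title>Notice</title></head>
<body><p>Authorized operators only.</p></body>
</html>"""

BAD = """<html>
<body onload="x()">
<p>Notice</p>
<script>alert(1)</script>
<a href="javascript:void(0)">more</a>
</body>
</html>"""
```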
Thin Client Landing Page Configuration
The appearance of the standard VIC landing page is protected by branding requirements. But with application property settings, you can control which parts of it are enabled without needing to license customized Branding Files. Note that these properties will take precedence over configuration in custom branding files. Referring to the following image: