RAS Clients
Remote Access Services have largely been replaced by Virtual Private Networks. Refer to: VTScada and VPNs
A Remote Access Service (RAS) server provides access to remote computers. Generally, the RAS server is configured to provide a separate IP address for itself and the remote client, when connected. Allocating each client a different IP address from a pool of addresses caters for multiple concurrent clients.
VTScada provides support for multiple remote clients.
When allowing a remote client to connect, consider whether the remote client will require access to the LAN that the RAS server is connected to.
If access is required, it is better to use a machine other than one running VTScada as the RAS server. In this way:
- Routing between the RAS server and the SCADA system is handled by the network infrastructure.
- The RAS server can be shared between infrequent access to the SCADA system and other work, without compromising the SCADA system.
- "Hacking" attacks, e.g. denial-of-service (DoS), are less likely to disable your SCADA system, when the point of access is separated from the SCADA system.
If access is not required, or another system is not available to be a RAS server, then you can use a machine running VTScada as the RAS server.
Caution: If the RAS server is also running a version of VTScada prior to 5.1502, then for correct operation it is essential that the RAS IP addresses are on a different subnet from that of any Network Interface Card (NIC). If this precaution is not observed, the attached RAS client will be able to access the NIC IP addresses on the same subnet. This will not compromise operation, but will severely impair RPC Manager’s performance.
From VTS version 5.1502 onwards, a machine running VTScada can accommodate RAS clients on any subnet, including one already used by a LAN connection. This is achieved by instructing RPC Manager, via a SETUP.INI section, not to create a connection to specific IP addresses. When the excluded IP is the one that the RAS host presents as its own to the RAS client, the RAS client will not create a connection to that RAS host IP, but only to the other IPs that the host machine is known by.
For example, suppose a machine running VTScada has an IP of 192.168.0.40 and is configured to support a RAS client, such that the RAS client sees the host machine as 192.168.0.150 and is assigned an IP address from a pool in the range 192.168.0.151 to 192.168.0.155. The following section should then appear in the RAS client’s SETUP.INI file, so that the RAS client will only make a connection to 192.168.0.40 (which will be done over the RAS link) and not to 192.168.0.150:
[RPCManager-ExcludeIP]
IP = 192.168.0.150
Note that this is not necessary if the RAS IP address pool is on a different subnet from any other IP of the RAS host, so long as no routing exists between the two subnets.
From VTS version 5.18 onwards it is not necessary to exclude any IP addresses on the server. However, if the IP cannot be accessed by a connecting client VTScada system, it is advisable to exclude it from RPC Manager’s view by the above method.
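The subnet check described above can be automated when planning a RAS address pool. The following is an added example, not VTScada code: the function names are hypothetical, and the /24 mask on the LAN interface is an assumption, since the page does not state one.

```python
import ipaddress


def shared_subnets(nics, ras_host_ip, pool_first, pool_last):
    """Return the NIC subnets that contain the RAS host IP or any pool address.

    nics: the RAS host's LAN interfaces in CIDR form, e.g. "192.168.0.40/24".
    """
    ras_host = ipaddress.ip_address(ras_host_ip)
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)
    if first.version != last.version or first > last:
        raise ValueError("RAS pool must be an ascending range of one IP version")
    hits = []
    for cidr in nics:
        net = ipaddress.ip_interface(cidr).network
        if net.version != first.version:
            continue
        # Two ranges overlap when each one starts before the other ends.
        pool_overlaps = first <= net.broadcast_address and last >= net.network_address
        if ras_host in net or pool_overlaps:
            hits.append(net)
    return hits


def client_exclude_section(nics, ras_host_ip, pool_first, pool_last):
    """Return the SETUP.INI section for the RAS client, or "" if none is needed.

    An empty result only means the subnets differ; the page's condition that no
    routing exists between the two subnets still has to be checked separately.
    """
    if not shared_subnets(nics, ras_host_ip, pool_first, pool_last):
        return ""
    return "[RPCManager-ExcludeIP]\nIP = {}\n".format(ras_host_ip)


if __name__ == "__main__":
    # Addresses from the page's example; the /24 mask is an assumption.
    print(client_exclude_section(["192.168.0.40/24"], "192.168.0.150",
                                 "192.168.0.151", "192.168.0.155"))
```
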