Intouch Tse DG 10
Revision: 1.0
Table of Contents
ACKNOWLEDGEMENTS
AUTHORING AND TESTING:
REVIEW AND DISTRIBUTION
WELCOME TO INTOUCH FOR TERMINAL SERVICES
TERMINOLOGY
ASSUMPTIONS
TECHNICAL SUPPORT
USING TERMINAL SERVICES
RUNNING A MANAGED INTOUCH APPLICATION WITH TERMINAL SERVICES
Key Points
DEPLOYING THE INTOUCHVIEWAPP OBJECT IN A TERMINAL SERVICES ENVIRONMENT
CONFIGURE HISTORICAL LOGGING ON INTOUCH FOR TERMINAL SERVICES
CONFIGURING AUTOMATIC STARTUP
MISCELLANEOUS LIMITATIONS IN A TERMINAL SERVICES ENVIRONMENT
INTRODUCTION TO INTOUCH FOR TERMINAL SERVICES
INTOUCH FOR TERMINAL SERVICES
INTOUCH IN THE TERMINAL SERVICES ENVIRONMENT
Why was Terminal Services renamed to “Remote Desktop Services” In Windows Server 2008 R2?
How the /admin switch behaves
Remote Desktop Services (Role)
Using Remote Desktop Services
Remote Desktop Services (Role services)
INSTALLING REMOTE DESKTOP SERVICES
Install Remote Desktop Services (Role)
Install Specific Remote Desktop Services
INTOUCH FOR TERMINAL SERVICES
Why InTouch for Terminal Services?
Terminal Services Benefits for InTouch
Remote Control
GETTING STARTED WITH INTOUCH FOR TERMINAL SERVICES
UNDERSTANDING INTOUCH FOR TERMINAL SERVICES
Key Points
RUNNING INTOUCH APPLICATIONS IN A TERMINAL SERVICES ENVIRONMENT
Standalone InTouch for Terminal Services configuration created using Wonderware WindowMaker
Running a Managed InTouch Application with Terminal Services
Running a Published InTouch Application with Terminal Services
TYPES OF INTOUCH FOR TERMINAL SERVICES
WINDOWS 2008/R2
TERMINAL SERVICES BEHAVIOR IN WINDOWS SERVER 2008
ACP THIN MANAGER
How ThinManager Works
PLANNING CONSIDERATIONS FOR TERMINAL SERVER APPLICATIONS
InTouch for Terminal Services Deployment Guide
Page 4 of
Rev. 1.0 Client
139
ACKNOWLEDGEMENTS
This Deployment Guide was authored, tested and reviewed by an I.O.M. Global
Customer Support team, which includes the following people:
TERMINOLOGY
Console: This is the normal desktop experience on the computer that has
Terminal Services installed.
RDP: Remote Desktop Protocol. The default connection protocol installed
with Windows Terminal Services.
RDS: Remote Desktop Services
Session: A log-on instance where 100 percent of the resources
(processing, memory, and hard disk) are managed under a virtual user
account, referred to as a Session ID.
Terminal Services: A service that enables a server-grade computer for
multi-user processing and management.
Thin Client: (a.k.a. Terminal) A device that allows you to send commands
to another computer. At a minimum, this usually means a keyboard, a
display screen, and some simple circuitry.
ASSUMPTIONS
This manual assumes you are:
• Familiar with the Windows 2008 R2 operating system working
environment.
• Knowledgeable in how to use a mouse and Windows menus, select
options, and access online Help.
• Experienced with a programming or macro language. For best results,
you should have an understanding of programming concepts such as
variables, statements, functions and methods.
TECHNICAL SUPPORT
Wonderware Technical Support offers a variety of support options to answer any
questions on Wonderware products and their implementation.
Prior to contacting technical support, please refer to the relevant chapter(s) in
your InTouch for Terminal Services Deployment Guide for a possible solution to
any problem you may have with your system. If you find it necessary to contact
technical support for assistance, please have the following information available:
1. Your software serial number.
2. The version of InTouch you are running.
3. The type and version of the operating system you are using. For example,
Microsoft Windows 2008 R2 SP1 (or later) workstation.
4. The exact wording of system error messages encountered.
5. Any relevant output listing from the Wonderware Logger, the Microsoft
Diagnostic utility (MSD), or any other diagnostic applications.
6. Details of the attempts you made to solve the problem(s) and your
results.
7. Details of how to recreate the problem.
8. If known, the Wonderware Technical Support case number assigned to
your problem (if this is an on-going problem).
KEY POINTS
In a typical Terminal Services architecture, application development,
deployment, and client visualization are placed on separate computers.
You must deploy each InTouch application to the server running InTouch
for Terminal Services.
You run each managed InTouch application in a separate terminal
services client session.
For more information, see Chapter 4, Using IDE-Managed InTouch Applications
at Run Time, in the InTouch® HMI and ArchestrA® Integration Guide.
The following graphic shows the Galaxy and InTouch Development Nodes in
this context:
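{ Detect whether this WindowViewer instance runs in a Terminal Services client session. }
Client = TseQueryRunningOnClient();
IF Client == 1 THEN
    { Client session: set access name Tagserver to node davidu6, application View, topic Tagname, and turn off historical logging. }
    IOSetAccessName("Tagserver", "davidu6", "View", "Tagname");
    $HistoricalLogging = 0;
ENDIF;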
[Figure: InTouch Application and IO Server on an RD Terminal Server (2008 R2); PLCs; Internal RD Clients; Internet; External RD Clients.]
[Figure: session diagram with Session 0, Session 1 and Session 2; labels include Application 3, Service 3, Application 7, Application 8 and Application 9.]
With Windows Vista, Windows Server 2008, and later versions of Windows,
sessions are assigned as shown in the following figure.
[Figure: session diagram with Session 0, Session 1, Session 2 and Session 3; labels include Application 2, Application 3, Service 3, Application 4 and Application 7.]
In this graphic, three users are logged on to the system. However, only services
run in Session 0. The first user logs on to Session 1, and Sessions 2 and 3
represent subsequent users.
You use RD Licensing to install, issue, and track the availability of RDS
CALs on a Remote Desktop license server.
RD Gateway: Remote Desktop Gateway (RD Gateway), formerly TS
Gateway, enables authorized remote users to connect to resources on an
internal corporate network, from any Internet-connected device.
RD Connection Broker: Remote Desktop Connection Broker (RD
Connection Broker), formerly TS Session Broker, supports session load
balancing and session reconnection in a load-balanced RD Session Host
server farm.
[Figure: RD Broker (service installed); InTouch Application; RD Session Host 1, Terminal Server 2008 R2 (service installed); Internet; Internal RD Clients; External RD Clients.]
3. Click Next, then click Remote Desktop Services as the role to install on this
server.
5. Click Next.
When Configure later is selected, a 120-day grace period allows the system
to be used without providing licenses. This means you must provide licensing
within 120 days.
For Per Device mode, you are allowed a specified number of devices to
connect to the service at any one time regardless of who the users are.
The Per User option restricts access to the specified users, regardless of the
device from which they are connecting.
Unless you need users to be able to stream audio (both to and from the
session host) and video to the remote desktops and use the latest graphics-
intensive desktop effects, it is recommended that these features remain
disabled:
4. Click Next. You see the Confirmation screen. Read any warnings carefully.
The wizard typically recommends any currently-installed applications should
be re-installed before remote access is provided to users.
5. Click Install to begin the installation process.
You must restart the Windows Server 2008 R2 system partway through the
installation. After the reboot, be sure to log in as the same administrative
user to complete the Remote Desktop Services configuration process. Once
the process is complete, the Installation Results window appears (following
figure).
6. Click Close.
InTouch for Terminal Services and 3rd party industrial panel displays can also
provide an economical alternative for process visualization in harsh
environments. The increased cooling requirements and stronger construction
typically make industrial panel displays more expensive than their desktop
counterparts.
With Terminal Services, industrial hardware costs are reduced because you no
longer need high-powered processors, extra memory, floppy or CD-ROM drives.
Many industrial panel displays now provide the ability to boot and connect to a
terminal server from memory, and therefore do not require the added expense
of a hard drive. The lack of moving parts also extends the life of hardware.
If you need more robust hardware to replace the control panels, you can install
industrial-grade computers. These machines only require the minimum
components to run the emulation software, and therefore, can be purchased at
a significantly reduced price.
Remote Access
Operators and other end-users gain access to a terminal server over any
Transmission Control Protocol/Internet Protocol (TCP/IP) connection, including
Remote Access, Ethernet, the Internet, wireless, wide area network (WAN), or
virtual private network (VPN).
Due to the reduced bandwidth requirements of the RDP/ICA protocol, Terminal
Services extends the capabilities of InTouch to users who would otherwise be
unable to access Wonderware applications.
Wireless networks have traditionally been unable to support the large amount of
process information for real-time monitoring and control. With InTouch for
Terminal Services, applications can run with the same response time and
performance as their counterparts that are directly connected to the local area
network (LAN). You can therefore support real-time monitoring and control for
your mobile operators. The client terminals need only the emulation software to
connect to the terminal server. You can then simply launch WindowViewer to
monitor the operation of choice.
Internet Access
Using Microsoft's new RD Gateway (introduced in Windows Server 2008),
remote users can access a terminal server over the Internet. A Remote Desktop
Gateway (RD Gateway) server is a type of gateway that enables authorized users
to connect to remote computers on a corporate network from any computer
with an Internet connection.
RD Gateway is based on the RDP feature set. RD Gateway uses the Remote
Desktop Protocol (RDP) along with the HTTPS protocol to help create a secure,
encrypted connection.
In earlier versions of Remote Desktop Connection, people couldn't connect to
remote computers across firewalls and network address translators because port
3389 (the port used for Remote Desktop connections) is typically blocked to
enhance network security. However, an RD Gateway server uses port 443, which
transmits data through a Secure Sockets Layer (SSL) tunnel.
The RD Gateway server provides these benefits:
Enables Remote Desktop connections to a corporate network from the
Internet without having to set up virtual private network (VPN) connections.
Enables connections to remote computers across firewalls.
Allows you to share a network connection with other programs running on
your computer. This enables you to use your ISP connection instead of your
corporate network to send and receive data over the remote connection.
You can therefore support real-time monitoring and control for your mobile
operators with either the Terminal Services Client software or by simply
launching a web browser and connecting to remote computers on a corporate
network, from any computer with an Internet connection.
REMOTE CONTROL
Remote Control is a Terminal Services feature that provides the ability to take
control of another workstation in the event of a client hardware failure. Remote
Control also provides an easy way to train operators and monitor operations
without being physically next to the terminal.
You can therefore be confident that even though failures may occur, their impact
on production will be minimal. Remote Control enables a workstation to
immediately take over another that has failed. By adding a second server and
installing Network Load Balancing, all the sessions are protected.
[Figure: InTouch Application; Manage Network Load Balancing (NLB) and Availability; RD Session Host 1 and RD Session Host 2 (Terminal Server 2008 R2); Internet; Internal RD Clients; External RD Clients.]
KEY POINTS
• InTouch for Terminal Services uses the Remote Desktop Protocol (RDP) to
communicate between clients and the InTouch Terminal Server.
• Each client computer runs an individual InTouch session on the Terminal
Server without interacting with other client sessions.
• You can run an application that is developed for standard InTouch with
InTouch for Terminal Services. No application changes are necessary.
• You can use the Distributed Alarm system with InTouch for Terminal
Services. Using the alarm client, you can select the alarm data and how to
show it from WindowViewer for each Terminal Services session.
When an alarm is acknowledged in a Terminal Services environment, the
Operator Node that gets recorded is the name of the client computer
where the respective operator established the Terminal Services session.
In a typical Terminal Services architecture, application development,
deployment, and client visualization are placed on separate computers.
It is recommended that you deploy a SINGLE Engine to the Remote
Desktop Server, even if it is hosting different InTouch applications.
You must deploy each InTouch application to the server running InTouch
for Terminal Services.
You run each managed InTouch application in a separate terminal
services client session.
Best Practice: This is the recommended mode for Server 2008 R2 RDS
implementation, even if the InTouch application is a Tag-Based application.
Each client session manages its own instance of the application under
\UserName\Application Data\ArchestrA\Managed App.
[Figure: InTouch Applications in a Terminal Services Environment. Labels: Running Managed InTouch Application on RD Session Host; Running Published InTouch Application on RD Session Host; Running Standalone InTouch Applications on RD Session Host; RD Session Host 1 (Terminal Server 2008 R2); IO Server; RD Gateway; Modem; Internet; Internal RD Clients; External RD Clients. Annotation: RDP\ICA protocols are used to view the InTouch session.]
WINDOWS 2008/R2
Windows Server 2008 R2: Remote Desktop Services (formerly Terminal Services)
is a server role in Windows Server® 2008 R2. This server role provides
technologies which enable users to access Windows-based programs installed
on a Remote Desktop Session Host (RD Session Host) server, or to access the full
Windows desktop. With Remote Desktop Services, you can access an RD
Session Host server from within a corporate network or from the Internet.
[Figure: RD Server; Corporate Network.]
Remote Desktop Services lets you efficiently deploy and maintain software in an
enterprise environment. You can easily deploy programs from a central location.
Because you install the programs on the RD Session Host server and not on the
client computer, programs are easier to upgrade and to maintain.
system, which permits only one alarm provider. While both Application Server
and InTouch can be configured as alarm providers, only one alarm provider is
supported.
[Figure: InTouch Application; ACP ThinManager Server; Corporate Network.]
SYSTEM REQUIREMENTS
The following system specifications are supported. The following information
was derived from the specific test plan and is not intended as a limitation.
TSE Platforms (10 Platforms)
Hardware: 2.8 GHz with 2 GB RAM, 1 GB network switch
Software: Distributed (refer to the following graphic)
Windows Server 2003 SP2 (32 and 64-bit version)
Windows 7 and SP1
Windows Server 2008 R2 and SP1
In Wonderware tests, the TSE Platforms were used for client connection only.
The Platforms did not have App Engines. Each Platform was configured to be an
alarm provider and was filtered to subscribe to eleven Areas. Each Platform was
deployed to a Terminal Services machine. The ten Platforms serviced ten client
connections each.
Client Nodes (10 Nodes with 100 Client Connections)
Hardware: 2.8 GHz CPU with 1 GB RAM, 1 GB network switch
Software: Distributed (refer to the following graphic)
Windows XP SP3 (32-bit only)
Windows Vista SP2 (32/64-bit)
Windows Server 2003 SP2 Standard and Enterprise (32-bit version)
Windows 7 and SP1
Windows Server 2008 R2 and SP1
You need a Microsoft TS license for managing the remote desktop terminal
server sessions.
[Figure: topology with an InTouch Node, the Domain Network, and an NLB Cluster of two InTouch Nodes.]
Note: The Remote Desktop Connection Broker shown as a separate node in the
above topology can be configured on one of the NLB cluster nodes itself.
You can leverage the load balancing for InTouch-managed applications.
[Figure: NLB Cluster of two InTouch Nodes on the Domain Network.]
Note: On the Select Role Services screen, select Remote Desktop Session
Host and Remote Desktop Connection Broker on one of the Cluster Nodes
to configure it as NLB Cluster node as well as RD connection broker node.
On the other NLB Cluster node, select only Remote Desktop Session Host.
2. On each of the cluster nodes, install Network Load Balancing. For more
information, refer to "Installing Network Load Balancing" in the ArchestrA
System Platform in a Virtualized Environment Implementation Guide on
WDN.
3. On the NLB cluster node which is configured as RD connection broker as
well, add a Remote Desktop Session Host Server. For more information, refer
to "Adding a Remote Desktop Session Host Server" in the ArchestrA System
Platform in a Virtualized Environment Implementation Guide on WDN.
4. On each of the cluster nodes, create a Network Load Balancing Cluster. For
more information, refer to "Creating a Network Load Balancing Cluster" in
the ArchestrA System Platform in a Virtualized Environment Implementation
Guide on WDN.
5. On each of the cluster nodes, configure Remote Desktop Connection Broker
Settings. For more information, refer to "Configuring Remote Desktop
Connection Broker Settings" in the ArchestrA System Platform in a
Virtualized Environment Implementation Guide on WDN.
[Figure: NLB Cluster of two InTouch Nodes on the Domain Network.]
d. Click the Remote Desktop Services check box, and then click Next.
i. Click the Per User option or Per Device option based on license
availability, and then click Next. The Select User Groups Allowed
Access To This Remote Desktop Session Host Server screen
appears.
You can choose two types of Windows Client Access Licenses: device-based
or user-based, also known as Windows Device CALs or Windows User CALs.
This means you can choose to acquire a Windows CAL for every device (used
by any user) accessing your servers, or you can choose to acquire a Windows
CAL for every named user accessing your servers (from any device).
4. Confirm the details you entered, and install the services.
a. On the Select User Groups Allowed Access To This Remote
Desktop Session Host Server screen, click Next. The Configure
Client Experience screen appears (see page 582 of the
Wonderware ArchestrA System Platform in a Virtualized
Environment Implementation Guide on WDN).
3. On the Server Manager window, click Features. The Features pane appears.
4. Click Add Features. The Select Features screen in the Add Features Wizard
window appears.
5. Click the Network Load Balancing item, and then click Next. The Confirm
Installation Selections screen appears.
6. Click Install.
4. Right-click the Session Broker Computers group, and then click Properties.
The Properties window for the selected group appears.
7. Select Computers, then click OK. The node names of the computer appear in
the Select Users, Computers, or Groups window.
8. Click OK to add the computer account for the Remote Desktop Session Host
server.
4. In the Host box, type the name of the host (node 1), and then click Connect.
5. Under Interfaces available for configuring a new cluster, select the interface
to be used with the cluster, and then click Next. The Host Parameters section
in the New Cluster window appears.
Note: The value in the Priority box is the unique ID for each host. The host
with the lowest numerical priority among the current members of the cluster
handles the entire cluster's network traffic that is not covered by a port rule.
You can override these priorities or provide load balancing for specific
ranges of ports by specifying the rules on the Port rules tab of the Network
Load Balancing Properties window.
8. Click Add to add a cluster IP address. The Add IP Address window appears.
9. Click the Add IPv4 address option.
10. Type the new cluster static IP address and the Subnet mask.
11. Click OK to close the window. The IP address appears on the Cluster IP
Addresses section of the New Cluster window.
12. Click Next. The Cluster Parameters section for the New Cluster window
appears.
13. Type the name of the new cluster.
14. Click the Multicast option.
Note: When you click the Unicast option, NLB instructs the driver that
belongs to the cluster adapter to override the adapter's unique, built-in
network address and change its MAC address to the cluster's MAC address.
Nodes in the cluster can communicate with addresses outside the cluster
subnet. However, no communication occurs between the nodes in the cluster
subnet.
When you click the Multicast option, both network adapter and cluster MAC
addresses are enabled. Nodes within the cluster are able to communicate
with each other within the cluster subnet, and also with addresses outside
the subnet.
15. Click Next. The New Cluster : Port Rules window appears.
16. Click Finish to create the cluster and close the window. The Network Load
Balancing Manager window appears (below).
Add another host to the cluster.
1. Right-click the newly-created cluster and then click Add Host to Cluster.
2. In the Host field, type the name of node 2, then click Connect.
3. Under Interfaces available for configuring a new cluster, click the interface
name to be used with the cluster, then click Next. The New Cluster : Host
Parameters window appears.
4. Type the priority value, and then click Next.
The Port Rules section of the Add Host to Cluster window appears.
5. Click Finish to add the host and close the window. The Network Load
Balancing Manager window appears.
To add users to the Remote Desktop Users group to access Network Load
Balancing Cluster
1. On the Start menu, click Control Panel, System and Security then System
Remote settings. The System Properties window appears.
2. Under Remote Desktop, click the relevant option to specify the remote
desktop versions you want to allow access to.
3. Click Select Users to provide access to the system. The Remote Desktop
Users window appears.
4. Select the users you want to allow access to, click Add, and then OK.
Note: The users can be local users and need not be domain
users/administrators. If the users are local users, they should be added on
both the NLB cluster nodes with the same user name and password.
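A check for the note above, added here as an example and not part of the Wonderware guide: it reads the Remote Desktop Users group on each NLB cluster node, reports accounts present on one node but missing on the other, and flags broad principals. The node names TSNODE1 and TSNODE2 and the list of broad principals are assumptions.

```powershell
# Added example (not from the Wonderware guide): compare membership of the
# local "Remote Desktop Users" group on each NLB cluster node.
# TSNODE1 and TSNODE2 are hypothetical node names; replace them with your own.
$Nodes     = @('TSNODE1', 'TSNODE2')
$GroupName = 'Remote Desktop Users'

# Assumed list of broad principals that admit far more accounts than a
# named operator list; adjust to your site's policy.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')

function Get-GroupMemberName {
    param([string]$Computer, [string]$Group)
    # The WinNT ADSI provider reads local groups, including on remote nodes,
    # and works with the PowerShell 2.0 shipped in Windows Server 2008 R2.
    $adsiGroup = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($member in @($adsiGroup.psbase.Invoke('Members'))) {
        $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
    }
}

# Collect the member names per node.
$membership = @{}
foreach ($node in $Nodes) {
    $membership[$node] = @(Get-GroupMemberName -Computer $node -Group $GroupName)
}

# Union of all names seen on any node.
$allNames = @($membership.Values | ForEach-Object { $_ } | Sort-Object -Unique)

foreach ($name in $allNames) {
    # A user missing on one node cannot log on when NLB sends the session there.
    $missingOn = @($Nodes | Where-Object { $membership[$_] -notcontains $name })
    if ($missingOn.Count -gt 0) {
        "MISMATCH: '$name' is not in '$GroupName' on: $($missingOn -join ', ')"
    }
    if ($BroadPrincipals -contains $name) {
        "BROAD: '$name' grants Remote Desktop logon to a wide set of accounts"
    }
}

# Limits: names are compared as text, so a local account and a domain account
# with the same name look identical, and passwords cannot be compared here.
```

Run it from an account with administrative rights on both nodes; no output means the group membership matches and contains none of the listed broad principals.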
6. In the RD Connection Broker server name box, type the node name where
the RD Connection Broker is installed.
7. In the Farm Name box, type the farm name that you want to join in the
Remote Desktop Session Broker, and then click OK.
8. In the Properties window, click Participate in Connection Broker Load
Balancing.
9. Type the value for the Relative weight of this server in the farm.
By assigning a relative weight value, you can distribute the load between
more powerful and less powerful servers in the farm. By default, the weight
of each server is 100. You can modify this value as required.
10. Under Select IP addresses to be used for reconnection, click the IP address you
provided while creating the cluster, and then click OK.
11. Click OK to acknowledge the confirmation/warning.
Repeat this procedure on Node 2. Ensure that you enter the same details in
each step for Node 2 as you did for Node 1. In the Farm Name box, type the
same Farm Name used while configuring Node 1.
3. Type a name for the group and click OK to close the window. The name can
be anything.
You can now select the group names in the left pane and view the sessions
connected to each node of the cluster.
WONDERWARE LICENSING
Licenses for Wonderware products are maintained in license files or on a license
server. The license file contains one or more license components, which are lines
of information that specify licensing for an individual product.
Each license component is assigned a unique part number and contains
information such as the:
Product name
Serial number
Type and duration of license
Number of seats and other information.
LICENSE TYPES
There are two kinds of licenses, unserved and served. For this document, only
unserved licenses are included, since InTouch does not use Served (server-
based) licensing.
Unserved licenses, also known as local licenses, are installed on the same
computer as the applications using them. Unserved licenses do not run on a
license server. Unserved license files usually have the file names wwsuite.lic or
ArchestrA.lic.
Information about the license Type appears with the license name and license
components when you view it in the ArchestrA License Manager.
Products can have a demonstration period, which allows you to run the specified
application for a defined period when the license is not available. Licenses can
also define a grace period, which is entered when a license is unavailable. The
grace period is a limited time period tracked by the application. The application
determines what happens during the grace period.
If the application is not supported by the license or if the required license is not
found, the software component defaults to either a demonstration mode or an
absent license mode.
1 1 IO SERVER
2 1 INTOUCH RUNTIME 3K TAGS WITHOUT I/O TSE V10.1
3&4 2 INTOUCH RUNTIME 3K TAGS WITHOUT I/O TSE V10.1
Figure: a Windows 2008 R2 Server with Remote Desktop hosting an InTouch session at the console and InTouch sessions labeled RT 3K Tags – TSE.
DEFINING SECURITY
A proper security implementation is a critical component of any computer-based
control system. Security does not only protect against malicious attack; more
often it protects against human error. A major problem is often introduced by a
simple mistake. On a terminal server, you cannot afford to give operators the
opportunity to make such mistakes.
Without proper security, users can have access to any directory and file on the
server, including important system files and InTouch applications.
PHYSICAL SECURITY
Physical security addresses the operating environment of your servers and
connected client systems.
Place your terminal server in a protected room that is free from physical
threat and adverse conditions. Make the room available only to
authorized (trusted) personnel.
Develop a schedule to back up data and publish procedures on how to
restore it.
Evaluate your risk if the terminal server goes down. Hardware protection
such as surge suppressors, uninterruptible power supplies, and redundant
servers will help keep your system running. Network Load Balancing or
APPLICATION SECURITY
Installing the InTouch HMI on a computer used as a domain controller is
not supported.
Use Application Security to secure your InTouch application, Wonderware
Historian, and other sensitive information systems.
Use the $Operator system tag to secure your application. You can then
control operator access to specific functions by linking those functions to
internal tags.
Replace the GetNodeName() function with the newer TseGetClientId()
function to identify the client computer. When using Terminal Services, the
GetNodeName() function returns the name of the terminal server, not the
name of the client computer.
SESSION SECURITY
Note: The following information is intended for example purposes ONLY. Your
security requirements will differ.
Connection settings and security control not only access to a terminal server
through the Terminal Services Client, but also how a user can interact with other
users on the server. Connection security is managed through regular Windows
2008 users or groups.
Wonderware recommends that you never control client connection access
through individual user accounts even when dealing with only a single server.
The administrative work required is much greater than the work required for
using groups.
Accordingly, the following local groups should be defined (your group names
will be different based on your requirements):
Administrators (for example, WW_Admins): Members of this group will
have administrative connectivity rights on the terminal server. They will be
able to perform all functions on other sessions including logging off,
disconnecting, and resetting any session.
Users (for example, WW_Users): Members of this group will have only
user connectivity access on this server. This is the preferred choice for
operators.
Remote Control Users (for example, WW_Users_RC): Members of this
group will have user connectivity access in addition to the ability to
Add the three recommended local groups: Administrators, Users, and Users_RC.
After the local groups have been created, the next step is to configure the
connection security for these groups. Use the Remote Desktop Session Host
Configuration tool to manage connection settings and security.
The Remote Desktop Session Host Configuration dialog box appears listing all
of the created connection types for the terminal server in the middle top pane.
4. Select all the listed groups except SYSTEM, and then click Remove.
5. Add the three recommended groups mentioned earlier, and assign them the
following permissions:
Group Permissions
WW_Admins Full Control
WW_Users User Access
WW_Users_RC Special Access (User Access + Remote Control)
2. In the Tree, open the Users folder under Local Users and Groups.
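An added example (not from the guide) that checks the RDP-Tcp connection's permission list against the group table above without changing anything. It assumes the entries are read from the Win32_TSAccount WMI class and that bit 0x10 of PermissionsAllowed is the Remote Control right; the account list, the computer name TSE01 and the masks are constructed samples.

```powershell
# Added example, not from the guide. Read-only: it changes no permission.
$SHADOW = 0x10   # assumed: WINSTATION_SHADOW, the Remote Control right

# Expected entries after steps 4 and 5; the value says whether Remote Control is intended.
$Expected = @{
    'SYSTEM'      = $true
    'WW_Admins'   = $true    # Full Control
    'WW_Users'    = $false   # User Access
    'WW_Users_RC' = $true    # User Access + Remote Control
}

function Test-ConnectionAccount {
    param([object[]]$Accounts)
    $seen = @{}
    foreach ($a in $Accounts) {
        $name = ($a.AccountName -split '\\')[-1]   # drop the DOMAIN\ or COMPUTER\ prefix
        $seen[$name] = $true
        $canShadow = ($a.PermissionsAllowed -band $SHADOW) -ne 0
        if (-not $Expected.ContainsKey($name)) {
            $status = 'UNEXPECTED: not one of the recommended groups'
        } elseif ($canShadow -and -not $Expected[$name]) {
            $status = 'EXCESS: holds Remote Control'
        } else {
            $status = 'ok'
        }
        New-Object PSObject -Property @{
            Account = $a.AccountName; RemoteControl = $canShadow; Status = $status
        } | Select-Object Account, RemoteControl, Status
    }
    # Report recommended groups that never appeared on the connection.
    foreach ($name in $Expected.Keys) {
        if (-not $seen.ContainsKey($name)) {
            New-Object PSObject -Property @{
                Account = $name; RemoteControl = $false; Status = 'MISSING from the connection'
            } | Select-Object Account, RemoteControl, Status
        }
    }
}

# Constructed sample: WW_Users was given Remote Control by mistake, a built-in
# group was left on the connection, and WW_Users_RC was never added.
$sample = @(
    @{ AccountName = 'NT AUTHORITY\SYSTEM';          PermissionsAllowed = 0xF03BF },
    @{ AccountName = 'TSE01\WW_Admins';              PermissionsAllowed = 0xF03BF },
    @{ AccountName = 'TSE01\WW_Users';               PermissionsAllowed = 0x131 },
    @{ AccountName = 'BUILTIN\Remote Desktop Users'; PermissionsAllowed = 0x121 }
) | ForEach-Object { New-Object PSObject -Property $_ }

Test-ConnectionAccount -Accounts $sample | Format-Table -AutoSize

# Live check on the session host itself (run from an elevated prompt).
try {
    $live = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSAccount `
        -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy -ErrorAction Stop
    Test-ConnectionAccount -Accounts $live | Format-Table -AutoSize
} catch {
    Write-Warning "Live check skipped: $($_.Exception.Message)"
}
```

Replace the keys of `$Expected` with your own group names before running it against a live server.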
SECURITY LAYER
All RDP connections are encrypted automatically. Security layer settings
determine the type of encryption used for these Terminal Services connections.
Three options for the security level are available: RDP Security Layer, SSL (TLS
1.0), and Negotiate.
The RDP Security Layer option limits encryption to the native encryption built
into Remote Desktop protocol. The advantages of this option are that it requires
no additional configuration and that it offers a high standard of performance. Its
disadvantage is that it does not provide terminal server authentication for all
client types.
Although RDP 6.0 can provide server authentication for clients running Windows
Vista and later, Terminal Services clients running Windows XP and earlier do not
support server authentication. If you want to enable RDP clients running
Windows XP to authenticate the terminal server before establishing a
connection, you have to configure SSL encryption.
The SSL (TLS 1.0) option offers two advantages over RDP encryption. First, it
offers stronger encryption. Second, it offers the possibility of server
authentication for RDP client versions earlier than 6.0. SSL is, therefore, a good
option if you need to support terminal server authentication for Windows XP
clients.
However, this option does have some drawbacks. To begin with, SSL requires a
computer certificate for both encryption and authentication. By default, only a
self-signed certificate is used, which is equivalent to no authentication. To
improve security, you must obtain a valid computer certificate from a trusted
certification authority (CA), and you must store this certificate in the computer
account certificate store on the terminal server. Another disadvantage of SSL is
that its high encryption results in slower performance compared to that of other
RDP connections.
When you choose the Negotiate option, the terminal server will use SSL security
only when supported by both the client and the server. Otherwise, native RDP
encryption is used. Negotiate is also the default selection.
ENCRYPTION LEVEL
The Encryption Level setting on the General tab enables you to define the
strength of the encryption algorithm used in RDP connections. The default
selection is Client Compatible, which chooses the maximum key strength
supported by the client computer. The other available options are FIPS
Compliant (highest), High, and Low.
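An added example (not from the guide) that audits the Security Layer, certificate and Encryption Level choices described above on a session host, read-only. It assumes the RDP-Tcp listener keeps them in the registry values SecurityLayer, MinEncryptionLevel and SSLCertificateSHA1Hash with the numeric encodings shown; the sample inputs, host name and CA name are constructed.

```powershell
# Added example, not from the guide. Read-only: it changes no setting.
# Assumed registry encodings for the RDP-Tcp listener (not stated on the page):
$LayerNames  = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
$LevelNames  = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Test-RdpListenerSetting {
    param(
        [int]$SecurityLayer,
        [int]$MinEncryptionLevel,
        [string]$CertSubject = '',   # empty: no assigned certificate was found
        [string]$CertIssuer = ''
    )
    $findings = @()
    if (-not $LayerNames.ContainsKey($SecurityLayer)) {
        $findings += "Unknown SecurityLayer value $SecurityLayer"
    } elseif ($SecurityLayer -eq 0) {
        $findings += 'RDP Security Layer: server authentication is not available to all client types'
    } else {
        if ($SecurityLayer -eq 1) {
            $findings += 'Negotiate: native RDP encryption is used when a client lacks SSL support'
        }
        # SSL authenticates the server only if the certificate comes from a trusted CA.
        if (-not $CertSubject) {
            $findings += 'No assigned certificate found: the default self-signed certificate applies'
        } elseif ($CertSubject -eq $CertIssuer) {
            $findings += "Certificate '$CertSubject' is self-signed"
        }
    }
    if (-not $LevelNames.ContainsKey($MinEncryptionLevel)) {
        $findings += "Unknown MinEncryptionLevel value $MinEncryptionLevel"
    } elseif ($MinEncryptionLevel -eq 1) {
        $findings += 'Encryption level is Low'
    } elseif ($MinEncryptionLevel -eq 2) {
        $findings += 'Client Compatible: key strength is limited to what the client supports'
    }
    New-Object PSObject -Property @{
        SecurityLayer   = $LayerNames[$SecurityLayer]
        EncryptionLevel = $LevelNames[$MinEncryptionLevel]
        Findings        = $findings
    } | Select-Object SecurityLayer, EncryptionLevel, Findings
}

function Get-RdpListenerSetting {
    $p = Get-ItemProperty -Path $ListenerKey -ErrorAction Stop
    $s = @{ SecurityLayer = [int]$p.SecurityLayer; MinEncryptionLevel = [int]$p.MinEncryptionLevel }
    if ($p.SSLCertificateSHA1Hash) {
        # The value is a byte array; convert it to the thumbprint string used by the Cert: drive.
        $thumb = ($p.SSLCertificateSHA1Hash | ForEach-Object { $_.ToString('X2') }) -join ''
        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
        if ($cert) { $s.CertSubject = $cert.Subject; $s.CertIssuer = $cert.Issuer }
    }
    $s
}

# Constructed samples: the defaults named in the guide, then a hardened listener.
$samples = @(
    @{ SecurityLayer = 1; MinEncryptionLevel = 2 },
    @{ SecurityLayer = 2; MinEncryptionLevel = 3
       CertSubject = 'CN=tse01.plant.example'; CertIssuer = 'CN=Plant Issuing CA' }
)
foreach ($s in $samples) { Test-RdpListenerSetting @s | Format-List }

# Live check, only where the listener key exists (run on the terminal server).
if (Test-Path $ListenerKey) {
    $live = Get-RdpListenerSetting
    Test-RdpListenerSetting @live | Format-List
}
```

Settings applied through Group Policy are stored separately from the listener key, so compare the result with the effective policy on the server.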
DISABLE THE ABILITY TO SWITCH USERS THROUGH THE GROUP POLICY INTERFACE
First, this could be a security policy requirement. A security requirement might
be that a user should completely quit all applications and log off from the
computer after finishing his or her work on the computer.
By disabling the fast user switching feature, you hide the Switch user button in
the Logon user interface, in the Start menu, and in the Task Manager.
Another reason could be performance. The fast user switching feature uses
some system resources, which can be freed if the fast user switching
functionality is not needed.
To disable the ability to switch users through the Group Policy interface
1. Click Start/Run.
2. In the Run dialog box, type gpedit.msc.
3. Click OK. The Group Policy dialog box appears.
Enabling this policy hides the Switch User option in the Logon interface,
the Start menu and the Task Manager.
6. On the File menu, click Exit to close the Group Policy editor.
Important: Certain editions of Windows Vista do not have the Group Policy
editor. Alternatively, configure the Switch User settings through the registry.
To disable the ability to switch users through the Registry Editor
1. Click Start/Run.
2. In the Run dialog box, type regedit.exe.
3. Click OK. The Registry Editor dialog box appears.
4. Go to HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft >
Windows > CurrentVersion > Policies > System.
5. Right-click and select DWORD (32-bit) Value.
6. Name it HideFastUserSwitching.
7. Set the HideFastUserSwitching data value to 1.
8. On the File menu, click Exit to close the Registry Editor.
APPLOCKER
AppLocker is used to apply rules that specify which files are allowed to run.
Make sure that no rules are applied against the InTouch folder.
If an AppLocker rule is applied to the InTouch folder, you will see the following
error at startup:
USING AUDITING
There are two ways to use it. First, you can define policies that track
user activities and other system-wide activities.
User activities collect logs of user logins, logouts, file modifications,
deletions, etc.
System-wide activities can generate logs on objects’ activities.
INTRODUCTION
A PC running the I/O Server, OPC Server, or DAServer is the data source for a
System Platform solution. This PC is referred to as the I/O Server node.
I/O Server applications translate data from protocols like DDE, SuiteLink or OPC,
into vendor-specific protocols to communicate with controllers, PLCs, or RTUs.
In their basic role, I/O Servers maintain the list of items that client applications
request, then poll or handle data received from field devices, and pass it to
subscribed clients.
The user account used to access and set up the I/O Server on the Terminal
Server station is the only user account that can configure the I/O Server, even if
the user accessed it from a remote session.
It is possible that if the server is busy processing scripts from many clients, it may
not start a script on another client during the interval when the timer would
normally start the script. This condition can prevent the script from running on
the client.
To ensure scripts run correctly, combine scripts with common triggers and move
them to a single application, such as a tag server.
The difference between scripts that run on TSE and scripts that run on a
"normal" application is that in the "normal" application, one client can trigger
many scripts at the same time, but in TSE the same script can be triggered by
many clients at the same time. The server handles the script execution order
according to the server clock.
For example:
Operator Workstation
Application Database
Contains windows with references to remote tagnames
Note: Alarm Providers are not supported on Terminal sessions. They are only
supported on the Terminal Console.
The Wonderware InTouch Distributed Alarm system includes the Alarm DB
Logger utility that logs alarms and events to an alarm database. The
Wonderware Alarm DB Logger Manager uses fixed accounts in the Microsoft
SQL Server database to access the data.
Note: The DB Logger needs to have a write-access account which you specify
using the Alarm DB Logger manager utility.
For Vista, Windows 7 and Windows Server 2008 R2 operating systems, source
alarms are not visible to InTouch alarm clients unless the client AlarmViewer
query is configured according to the following steps.
The following section applies to Vista, Windows 7, or Windows Server 2008 R2.
The IP address is unique to your alarm provider node. Note the IP address
and use it in the next step.
2. In the Alarm Query tab of the AlarmViewer control on the remote machine,
configure the alarm query as follows, substituting your actual node name of
the alarm providing InTouch for nodeabc (below) and substituting your IP
address noted in the previous step:
\\nodeabc:253.127.148.120\intouch!$system
3. Test and verify that the alarms sourced from the alarm provider display
correctly in the InTouch AlarmViewer control.
TseGetClientId() Function
Returns a string version of the client ID (the TCP/IP address of the client) if the
View application is running on a Terminal Server client. This client ID is used
internally to generate SuiteLink server names and logger file names. Otherwise,
the TseGetClientId() function returns an empty string.
Syntax
MessageResult=TseGetClientId();
Example
The client IP address 10.103.202.1 is saved to the MsgTag tag.
MsgTag=TseGetClientId();
TseGetClientNodeName() Function
Returns the client node name if the View application is running on a Terminal
Server client assigned a name that can be identified by Windows. Otherwise, the
TseGetClientNodeName() function returns an empty string.
Syntax
MessageResult=TseGetClientNodeName();
Example
The client node name is returned as the value assigned to the MsgTag tag.
MsgTag=TseGetClientNodeName();
TseQueryRunningOnConsole() Function
The TseQueryRunningOnConsole() function can be run from a script to indicate
whether the View application is running on a Terminal Services console.
Syntax
Result=TseQueryRunningOnConsole();
Return Value
Returns a non-zero integer value if the View application is running on a Terminal
Services console. Otherwise, the TseQueryRunningOnConsole() function returns
a zero.
Example
IntTag is set to 1 if WindowViewer is running on a Terminal Services console.
IntTag=TseQueryRunningOnConsole();
TseQueryRunningOnClient() Function
Returns a non-zero integer value if the View application is running on a Terminal
Services client. Otherwise, it returns a zero.
Syntax
Result=TseQueryRunningOnClient();
Return Value
Returns 0 if View is not running on a Terminal Services client.
Example
IntTag is set to 1 if WindowViewer is running on a Terminal Services client.
IntTag=TseQueryRunningOnClient();
INTRODUCTION
This Tech Note explains setting up InTouch 10.0 in a Terminal Services
environment. It covers the three primary application configurations for
Managed, Published and Standalone Applications.
APPLICATION VERSION
InTouch 10.0
MANAGED APPLICATIONS
This section explains creating, editing, and deploying a managed InTouch
application.
If you make edits once the object is deployed, the instances are marked
for pending changes. TSE Session copies will obtain updates depending
on how their Change Mode is configured.
Terminal Server clients can then run the application within InTouch for Terminal
Services. The application directories for each user are automatically created
based on the Local working directory in the Managed Application tab under
Special/Configure/WindowViewer as shown above. For more information on file
locations review Managed Applications Local Working File Locations under the
Managed Applications File Locations section below.
Note: Do not use NAD when using the Managed Application method as it is not
needed nor intended to work in Managed Applications.
C:\Program Files\ArchestrA\Framework\FileRepository\YourGalaxyName\ObjectFileStorage\$YourInTouchViewAppTemplate
Only the CheckedOut folder can be edited manually, in case you need to add
application dependency files, edit the InTouch.ini, or recompile.
When the application is being edited in WindowMaker, the changes are made
to the CheckedOut folder. Once the changes are made and the user exits
WindowMaker and checks-in the application, the CheckedIn folder is updated
with the changes.
Note: Any changes made manually to the CheckedIn folder may be lost and can
cause application corruption.
One or more Deployed_### folders contain a copy of the last version that was
deployed for a particular application. This copy supports the redeploy original
function.
C:\Program Files\ArchestrA\Framework\Bin\<GalaxyName>-<ViewAppInstance>
Launch the InTouch Application Manager on the platform where you have
deployed the InTouchViewApp object. The Managed Application will be
automatically listed.
Note: The deployed (source) folder location is NOT the local working directory.
The next section explains the local working directory and NAD.
The Local Working directory setting is used as the dynamic path utilized by
InTouch when it launches from the client session. This is the case whether
WindowViewer™ is launched from the console or from a Terminal Session. The
path specified here (Figure 8 below) is dynamically created when the application
is launched.
IMPORTANT: The NAD settings under the node properties in the InTouch
application manager are NOT used for Managed Applications. Even if NAD is
enabled, the NAD settings from the node properties are ignored. The
application will be copied to and executed from the path configured here
(…\ArchestrA\ManagedApp).
The source path shown above is the source path for the application. Once
WindowViewer is launched the application actually executes from:
Note: Do not use NAD when using the Managed Application method as it is not
needed nor intended to work in Managed Applications.
PUBLISHED APPLICATIONS
To Create a Published InTouch Application
STANDALONE APPLICATIONS
Create a Standalone InTouch Application with WindowMaker and run the
application using NAD (Network Application Development). This is the same
method recommended by Wonderware in previous versions.
See the following list of references for more information on NAD Applications.
4. Select the license file and then click Open. The license manager shows that
you have successfully installed the license.
Note: The Log pane shows all log messages associated to a specific license.
The license details are shown when you select the license file.
For InTouch 2012 some bit string character sets of existing feature lines are
changed to parameters:
From:
VENDOR_STRING=03E800000000000300000000 HOSTID=ANY\
To:
iorestrict: IO Restriction Numeric field. For InTouch 10.5 release this can have
value 0/1.
oem: Enforce OEM restrictions Hex number with max value FFFF
VENDOR_STRING=count:5
Sample InTouch 2012 License
FEATURE InTouch Wonderware 10.5 1-jan-00 uncounted \
VENDOR_STRING=ltags:61402; rrefs:61402; mode:3 HOSTID=ANY \
FEATURE InTouch_TSE Wonderware 10.5 1-jan-00 uncounted \
VENDOR_STRING=count:5 HOSTID=ANY
You can change the setting at a later time if required via the RD Licensing
Manager tool.
5. Click Next.
On a server which does not have the Remote Desktop Services role installed
1. Open the Server Manager, click Roles from the tree in the left hand panel
and click Add Roles.
2. Click Next if it appears so that the Select Server Roles panel is visible.
3. From the list of roles click Remote Desktop Services and click Next.
4. Read the information screen and then proceed to the Select Service Roles
window.
5. Check Remote Desktop Licensing, click Next, and follow the steps outlined
above.
Figure: TS Clients and RD Session Hosts 1 and 2 (Plant); Windows 2008 R2 Remote Desktop Server; Microsoft Certificate Authority and License Clearinghouse (Microsoft).
3. Once the Microsoft activation server has been located a new dialog box
appears prompting for user, company and geographic location information.
INSTALLING LICENSES
To Install Remote Desktop Services Client Access Licenses (RDS CAL)
You can install Remote Desktop Services client access licenses (RDS CALs) onto
your license server in the following ways:
Install Remote Desktop Services Client Access Licenses Automatically
This scenario requires Internet connectivity from the computer running the
Remote Desktop Licensing Manager tool.
To install Remote Desktop Services client access licenses automatically,
complete the following steps.
1. On the license server, open Remote Desktop Licensing Manager (Start/
Administrative Tools/Remote Desktop Services/Remote Desktop
Licensing Manager).
2. Verify that the connection method for the Remote Desktop license server
is set to Automatic connection (recommended) by right-clicking the
license server on which you want to install Remote Desktop Services client
access licenses (RDS CALs), and then clicking Properties.
3. On the Connection Method tab, change the connection method if
necessary, and then click OK.
4. Right-click the license server on which you want to install the RDS CALs,
and then click Install Licenses. The Install Licenses Wizard appears.
5. Click Next.
6. On the License Program page, select the appropriate program through
which you purchased your RDS CALs, and click Next.
7. The License Program that you selected on the previous window in the
wizard determines what information you need to provide on this window.
In most cases, you must provide either a license code or an agreement
number. Consult the documentation provided when you purchased your
RDS CALs.
INSTALL REMOTE DESKTOP SERVICES CLIENT ACCESS LICENSES BY USING A WEB BROWSER
The Web installation method can be used when the computer running the
Remote Desktop Licensing Manager tool does not have Internet connectivity,
but you have access to the Web by means of a Web browser from another
computer. The URL for the Web installation method is displayed in the Install
Licenses Wizard.
INSTALL REMOTE DESKTOP SERVICES CLIENT ACCESS LICENSES BY USING THE TELEPHONE
The telephone installation method allows you to talk to a Microsoft customer
service representative to complete the installation process. The appropriate
telephone number is determined by the country/region that you chose in the
Activate Server Wizard and is displayed by the wizard.
CLIENT LICENSING
When a client (either a user or a device) connects to an RD Session Host
server, the RD Session Host server determines if an RDS CAL is needed. The RD
Session Host server then requests an RDS CAL from a Remote Desktop license
server on behalf of the client attempting to connect to the RD Session Host
server. If an appropriate RDS CAL is available from a license server, the RDS CAL
is issued to the client, and the client is able to connect to the RD Session Host
server.
Although there is a licensing grace period during which no license server is
required, after the grace period ends, clients must have a valid RDS CAL issued
by a license server before they can log on to an RD Session Host server.
Microsoft offers a 120-Day Demo License.
ADDITIONAL RESOURCES
The following Tech Notes are available on the Wonderware Developer Network (login
required).
Managed Application Tech Notes
511 Wonderware Application Server 3.0 & InTouch® 10.0 System
Upgrade and Application/Galaxy Migration Steps
SOURCES
The following sources were used in this document:
INTOUCH® HMI AND ARCHESTRA® INTEGRATION GUIDE
INTOUCH HMI APPLICATION MANAGEMENT AND EXTENSION GUIDE
INTOUCH HMI CONCEPTS AND CAPABILITIES GUIDE
WONDERWARE ARCHESTRA SYSTEM PLATFORM IN A VIRTUALIZED
ENVIRONMENT IMPLEMENTATION GUIDE
TECH NOTE 538 INTOUCH© TSE VERSION 10.0 APPLICATION
CONFIGURATION: MANAGED, PUBLISHED AND STANDALONE METHODS