iom.invensys.com/en/usergroupspresentationsdallas2013/wonderware/...
TRANSCRIPT
Slide 1
WW HMI SCADA-08 Remote Desktop Services Best Practices
Steven L. Weygandt, Portfolio Product Manager - Device Integration
@InvensysOpsMgmt / #SoftwareRevolution
/InvensysVideos
social.invensys.com
© 2013 Invensys. All Rights Reserved. The names, logos, and taglines identifying the products and services of Invensys are proprietary marks of Invensys or its subsidiaries. All third party trademarks and service marks are the proprietary marks of their respective owners.
Steven L. Weygandt, Portfolio Product Manager - Device Integration / Wonderware
/company/Wonderware
Topics
• 50/50 – InTouch TSE licenses
• InTouch for Terminal Services Deployment Guide
• Scaling Up Remote Desktop Session Count
• Licensing – InTouch & Microsoft
• Server 2012 – InTouch 2014
• InTouch Access Anywhere
• Getting More Information
Slide 3
50/50
Approx. 50% of InTouch licenses sold as TSE
Cost effective
Full HMI experience
Slide 4
TSE Guidelines for InTouch
InTouch for Terminal Services Deployment Guide
Planning and Implementation Guidelines 1.0 - January 2013 - Written for Windows Server 2008 R2 Remote Desktop Services
RDP: Remote Desktop Protocol for Remote Desktop Services
DirectAccess: automatically establishes a bi-directional connection from client computers to a corporate network
Client application connection
Remote Desktop Client or embedded in a web browser
IPv4 or IPv6
Security credentials
Slide 5
Basic Rules
• Application development, deployment, and client visualization are placed on separate computers
• Deploy each InTouch application to the server running InTouch TSE
• Each managed InTouch application in a separate TSE client session. (Managed Application 10.x or later)
• InTouch NAD for standalone
• Remote Desktop Services client session unique user logon - determines which application gets launched
• InTouch VIEW.EXE automatic startup or RemoteApp
• InTouch runs as application, not as a service
Slide 6
When communicating to another view session, include the server node name and append the IP address of the desired session to the application name. Example: view10.103.25.6
Basic Rules
Remote Desktop Services "role" in Windows Server 2008 R2 - similar "role" for Windows Server 2012 (InTouch 11.0)
NLA (Network Level Authentication) – except not for InTouch Access Anywhere
Access to a terminal server over any Transmission Control Protocol/Internet Protocol (TCP/IP) connection, including Remote Access, Ethernet, the Internet, wireless, wide area network (WAN), or virtual private network (VPN) - firewall needs port 3389 open for RDP
InTouch TSE - applications can run with the same response time and performance as their counterparts that are directly connected to the local area network (LAN)
Remote Desktop Services Licensing - 120 day grace period for experimenting, determine adequate sizing
Slide 7
System Implementation Options
Internet and business LAN: RD Gateway (port 443 HTTPS) and InTouch Access AnyWhere [HTTPS DirectAccess port 443 for either]
Network Load Balancing - round robin allocation of sessions within a cluster of servers
High availability – Hyper-V or VMware virtual Remote Desktop Services servers
Managed Apps - deploy a SINGLE Engine to the Remote Desktop Server
Each client session manages its own instance
InTouch Standalone & Published - NAD recommended
ACP ThinManager increases the available client types to non Windows-based
ThinManager clients run on workstations, including UNIX, Linux, and industrial display panels
Slide 8
Windows Server Options
• RD Session Host - enables a server to host RemoteApp programs or session-based desktops
• RD Web Access - enables users to access RemoteApp and Desktop Connection through the Start menu
• RD Licensing - manages the licenses required to connect to a Remote Desktop Session Host server or a virtual desktop
Slide 9
Windows Server Options
RD Gateway - enables authorized users to connect to virtual desktops, RemoteApp programs, and session-based desktops on an internal corporate network from any Internet-connected device
RD Connection Broker - allows users to reconnect to their existing virtual desktops, RemoteApp programs, and session-based desktops; enables you to evenly distribute the load among RD Session Host servers; provides access to virtual desktops; if you disconnect from a session (whether intentionally or because of a network failure) the applications you were running will continue to run, subject to server settings for timeout
Slide 10
Scaling Up and Out
Scaling: Platforms do not have App Engines
10 Platform nodes, filtered Alarm Provider, 100 clients
Slide 11
Wonderware InTouch Licensing
Wonderware licensing:
Named device licenses
Named user licenses
Concurrent licenses
Client always needs a WW CAL when connecting to a WW Historian and always needs an MS CAL when connecting to any Microsoft MSSQL database
4 types of WW CAL that include the MS CAL:
WW Basic CAL for per device, per user, per seat
WW Basic CAL per processor.
WW Enterprise CAL for per device, per user, per seat.
WW Enterprise CAL per processor
Slide 12
Wonderware InTouch Licensing
Can't mix TSE license types on a Remote Desktop Services server
InTouch for Terminal Services 2012 Feature line: VENDOR_STRING=count:5
Sample InTouch 2012 License:
FEATURE InTouch Wonderware 10.5 1-jan-00 uncounted \
VENDOR_STRING=ltags:61402; rrefs:61402; mode:3 HOSTID=ANY \
FEATURE InTouch_TSE Wonderware 10.5 1-jan-00 uncounted \
VENDOR_STRING=count:5 HOSTID=ANY
Slide 13
InTouch TSE Tips
Disable the fast user switching feature - hide the Switch user button in the Logon user interface, in the Start menu, and in the Task Manager
Script and memory tag behavior - each session is independent of the other sessions
Client AlarmViewer query must be configured according to the steps given in the document
example: \\nodeabc:253.127.148.120\intouch!$system
Slide 14
Microsoft Remote Desktop Licensing
In addition to a Windows Server Client Access License, Microsoft Core CAL Suite, or Microsoft Enterprise CAL Suite, you must acquire a Windows Server 2012 RDS CAL for each user or device that directly or indirectly accesses the server software to interact with a remote graphical user interface
RDS Device CAL: Permits one device (used by any user)
RDS User CAL: Permits one user (using any device)
RDS External Connector: Permits multiple external users to access a single Remote Desktop server
Combine RDS Device CALs and RDS User CALs simultaneously
Permanently reassign your device CAL from one device to another, or your user CAL from one user to another
Slide 15
Microsoft Remote Desktop Licensing
Temporarily reassign your device CAL to a loaner device while the first device is out of service, or your user CAL to a temporary worker while the worker is absent
Do you need an RDS CAL when using a third-party technology (e.g. ACP)? Yes
Using VMware hosting: A RDS CAL is required
Slide 16
InTouch TSE Considerations
Application security is configured according to the Managed Application Galaxy model or the Standalone or Published applications individual security model
User credentials if needed are passed in from the RDP session client - available via LogonCurrentUser( )
Use TseGetClientId( ) in QuickScript to manage security
Slide 17
Windows Server 2012
Windows Server 2012:
up to 5000 users per server
up to 1000 Remote Desktop sessions
recommended 150 sessions per physical host
recommended SSD disk storage
recommended up to 150 sessions per virtual host
best with 64-bit OS, multiple core, lots of GHz, large L2/L3 cache, virtualized, page file separate storage, RAID disk, "green" balanced power plan, network adapters - server rated
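The sizing figures above are only useful if someone checks the live session count against them. The script below is an added example, not from the deck: it groups the sessions a Server 2012 RD Connection Broker knows about by RD Session Host and flags hosts above the recommended 150. The broker name and the threshold are placeholders; the SessionState values are the ones the RemoteDesktop module reports (assumed here, check against your own Get-RDUserSession output).

```powershell
# Added example (not Invensys/Wonderware code): session count per RD Session Host
# against the "recommended 150 sessions per host" figure from this slide.
# Requires the RemoteDesktop module (Server 2012) on a broker or management host.
Import-Module RemoteDesktop

$broker    = 'rdcb01.example.local'   # placeholder: RD Connection Broker FQDN
$threshold = 150                       # recommended sessions per physical or virtual host

Get-RDUserSession -ConnectionBroker $broker |
    Group-Object -Property HostServer |
    ForEach-Object {
        # Assumed enum names for the SessionState property.
        $active = @($_.Group | Where-Object { $_.SessionState -eq 'STATE_ACTIVE' }).Count
        $disc   = @($_.Group | Where-Object { $_.SessionState -eq 'STATE_DISCONNECTED' }).Count
        [pscustomobject]@{
            HostServer   = $_.Name
            Active       = $active
            # Disconnected sessions still hold a WindowViewer instance and a TSE
            # license until the disconnected-session limit ends them.
            Disconnected = $disc
            Total        = $_.Count
            OverLimit    = ($_.Count -gt $threshold)
        }
    } | Sort-Object Total -Descending | Format-Table -AutoSize
```

Run it from a scheduled task and alert on OverLimit; a host that is over the line mostly because of disconnected sessions points at the session-limit settings rather than at capacity.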
Slide 18
Windows Server 2012
New features of Windows Server 2012:
predictable user experience to ensure that one user does not negatively impact the performance of another user's session
dynamically distributes available bandwidth across sessions
prevents sessions from over utilizing disk
dynamically distributes processor time across sessions
RD Virtualization Host (2012):
integrates with Hyper-V to deploy pooled or personal virtual desktop collections by using RemoteApp and Desktop Connection
Slide 19
Windows Server 2012 R2
Session Shadowing - monitor or control an active session of another user
Quick Reconnect improves connection performance enabling users to reconnect to their existing virtual desktops, RemoteApp programs, and session-based desktops more quickly; display changes on the client to be automatically reflected on the remote client
Additional Hyper-V virtualization features supporting fast live migration, live export, live vhdx resize, export snapshot, and replica for disaster recovery
1
Slide 20
Note 1: Requires WSP 2014 – InTouch 11.0 TSE
Security for Remote Desktop Services
Microsoft:
By default, Remote Desktop Services connections are encrypted at the highest level of security available. However, some older versions of the Remote Desktop Connection client do not support this high level of encryption. If your network contains such legacy clients, you can set the encryption level of the connection to send and receive data at the highest encryption level supported by the client.
NLA - Network Level Authentication is an authentication method that can be used to enhance RD Session Host server security by requiring that the user be authenticated to the RD Session Host server before a session is created
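The encryption level and NLA described here, the open port 3389 from the Basic Rules slide and the fast-user-switching advice from the InTouch TSE Tips slide are all settings an auditor can read back from one RD Session Host. The script below is an added example, not from the deck or from Wonderware: it reads the RDP-Tcp listener values and the fast-user-switching policy value from the registry and checks the firewall and listener state. The registry value names are the standard Windows ones; the thresholds are this reviewer's reading of the slides. On a host serving InTouch Access Anywhere the NLA finding is expected, since that product does not support NLA.

```powershell
# Added example (not Invensys/Wonderware code): audit one RD Session Host against the
# security points in this deck. Run in an elevated PowerShell on the server.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$p = Get-ItemProperty -Path $listener
$findings = @()

# NLA: UserAuthentication = 1 authenticates the user before a session is created.
if ($p.UserAuthentication -ne 1) {
    $findings += 'NLA (UserAuthentication) is disabled on RDP-Tcp'
}

# SecurityLayer: 0 = RDP, 1 = Negotiate, 2 = TLS. NLA needs Negotiate or TLS.
if ($p.SecurityLayer -lt 1) {
    $findings += "SecurityLayer is $($p.SecurityLayer) (legacy RDP security layer)"
}

# MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS.
# The slide's default is the highest level the client supports; flag Low.
if ($p.MinEncryptionLevel -lt 2) {
    $findings += "MinEncryptionLevel is $($p.MinEncryptionLevel) (Low)"
}

# Port 3389 must be open for RDP (Basic Rules): built-in rule group and live listener.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
if (-not $rdpRules) { $findings += 'No enabled inbound firewall rule in the "Remote Desktop" group' }

$listen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
if (-not $listen) { $findings += 'Nothing is listening on TCP 3389' }

# InTouch TSE Tips: fast user switching disabled. The policy value
# HideFastUserSwitching = 1 hides the "Switch user" entry points.
$sysPol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($sysPol.HideFastUserSwitching -ne 1) {
    $findings += 'Fast user switching is not hidden (HideFastUserSwitching <> 1)'
}

if ($findings.Count -eq 0) {
    Write-Output 'RD Session Host security checks passed'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The registry values are what the RD Session Host actually enforces, so this is also a way to confirm that a Group Policy or a Set-RDSessionCollectionConfiguration change really landed on each host in the farm.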
Slide 21
Remote Desktop Services Setup
Session configuration
End a disconnected session [minutes or never]
Active session limit [minutes or never]
Idle session limit [minutes or never]
When a session limit is reached [disconnect - enable automatic reconnection or end]
User profiles
Local [created first time logged on]
Roaming [copy of local profile]
Mandatory [local lost when logged off]
Temporary [upon error]
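The four session-configuration settings above map one-to-one onto parameters of the Server 2012 RemoteDesktop module. The script below is an added example, not from the deck: it applies one reasonable set of limits for an InTouch TSE collection and reads them back. The collection name, broker name and the chosen minutes are placeholders to adapt; a value of 0 minutes means "never".

```powershell
# Added example (not Invensys/Wonderware code): apply the slide's session limits to a
# Server 2012 RD Session Host collection. Collection and broker names are placeholders.
Import-Module RemoteDesktop

$collection = 'InTouchTSE'             # placeholder: collection hosting WindowViewer sessions
$broker     = 'rdcb01.example.local'   # placeholder: RD Connection Broker FQDN

$limits = @{
    CollectionName                = $collection
    ConnectionBroker              = $broker
    # "End a disconnected session": 15 min rather than never, so an orphaned
    # WindowViewer instance releases its TSE license and its session slot.
    DisconnectedSessionLimitMin   = 15
    # "Active session limit": 0 = never; an operator view stays up for the whole shift.
    ActiveSessionLimitMin         = 0
    # "Idle session limit": 60 min of no input.
    IdleSessionLimitMin           = 60
    # "When a session limit is reached": disconnect (keep the app running) rather than end,
    # and let the client reconnect automatically.
    BrokenConnectionAction        = 'Disconnect'
    AutomaticReconnectionEnabled  = $true
    # Per-session temporary folders are removed on logoff.
    TemporaryFoldersDeletedOnExit = $true
}
Set-RDSessionCollectionConfiguration @limits

# Read the values back for the change record.
Get-RDSessionCollectionConfiguration -CollectionName $collection -ConnectionBroker $broker -Connection |
    Format-List DisconnectedSessionLimitMin, ActiveSessionLimitMin, IdleSessionLimitMin,
                BrokenConnectionAction, AutomaticReconnectionEnabled
```

On Windows Server 2008 R2, which the deployment guide was written for, the same limits are the Group Policy "Session Time Limits" settings, stored in milliseconds as MaxDisconnectionTime, MaxIdleTime and MaxConnectionTime under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services; ending a disconnected session there is a matter of setting MaxDisconnectionTime rather than leaving it at never.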
Slide 22
IPv6
Administration: Remote Desktop Protocol (RDP) is used to manage the server, which supports IPv6 without any configuration
Dual stack is enabled by default – IPv4 and IPv6
Direct Access - native IPv6
needs policy settings to avoid IPv4 vs. IPv6 mixups
DHCPv6 is configured by IT department on Domain servers
ping6 – used to diagnose connections
traceroute6 – used to diagnose connections
Slide 23
Remote Desktop Protocol 7
RDP 7.0 - For remote client computers to use DirectAccess to connect to computers on the internal corporate network, these computers and their applications must be reachable over IPv6. This means the following:
The internal computers and the applications running on them support IPv6. Computers running Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2 support IPv6 and have IPv6 enabled by default.
You have deployed native IPv6 connectivity or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) on your intranet. ISATAP allows your internal servers and applications to be reachable by tunneling IPv6 traffic over your IPv4-only intranet.
Slide 24
InTouch Access Anywhere
InTouch Access Anywhere contains technology for RDP compression and acceleration
InTouch Access Anywhere is licensed for use with InTouch WindowViewer only, more specifically for use with InTouch 2012 R2 TSE Concurrent licenses only. Per Device licenses are not supported
Before using InTouch Access Anywhere to connect to your TSE server, it is also important to logon using a standard Remote Desktop Client, select an application from the InTouch Application Manager and to launch it in WindowViewer. This configures the initial setup and allows InTouch Access Anywhere clients to determine the list of available InTouch applications
InTouch Access Anywhere can work in HTTPS mode such that all communication will be sent via HTTPS only. To enable this feature, the InTouch Access Anywhere Secure Gateway is required
InTouch Access Anywhere does not support NLA
Slide 25
InTouch Access Anywhere
Slide 26
InTouch Access Anywhere Troubleshooting
Checking Connectivity
If a user is having trouble connecting remotely to the InTouch Access Anywhere environment that has been installed, ask the user to connect to the InTouch Access Anywhere demo site on the Internet.
If the demo site appears and the user can successfully launch an InTouch application then the browser is compatible. If the demo site works for the user, verify the following:
• Can they connect locally at the InTouch Access Anywhere node itself by using a supported browser?
• Is the InTouch Access Anywhere service running?
• Windows Firewall configuration: InTouch Access Anywhere port between the user's browser and the InTouch Access Anywhere environment is available [8080]
Slide 27
InTouch Access Anywhere Troubleshooting
A trusted certificate may be required for the InTouch Access Anywhere Secure Gateway or the InTouch Access Anywhere Server.
Can the client device reach the InTouch Access Anywhere Server or the InTouch Access Anywhere Secure Gateway node?
The Ping and Traceroute commands come in handy in a Windows based system.
Third party tools exist for certain mobile devices to provide equivalent functionality.
If you cannot reach a node by name, try using its IP address
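The two troubleshooting slides (name resolution, reachability of port 8080 or the HTTPS gateway, certificate trust) and the IPv6 slide's warning about IPv4/IPv6 mix-ups can be worked through from a Windows client in one pass. The script below is an added example, not from the deck or from Wonderware: it resolves both A and AAAA records so a dual-stack mismatch is visible, tests the TCP handshake on each address and port instead of relying on ICMP, and performs a TLS handshake that lets .NET validate the certificate chain the way a browser would. The host name and the port list are placeholders for the site's own values.

```powershell
# Added example (not Invensys/Wonderware code): client-side checks for an
# InTouch Access Anywhere server or Secure Gateway. Placeholders below.
$aaHost  = 'itaa01.example.local'   # placeholder: Access Anywhere server or Secure Gateway name
$aaPorts = @(8080, 443)             # 8080 per the slide; 443 when the Secure Gateway (HTTPS mode) is used

# 1. Name vs. address: resolve both record types so an IPv4/IPv6 mix-up shows up.
$addrs = @()
foreach ($type in 'A', 'AAAA') {
    $addrs += Resolve-DnsName -Name $aaHost -Type $type -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq $type } |
              Select-Object -ExpandProperty IPAddress
}
if (-not $addrs) {
    Write-Output "Name $aaHost does not resolve; try the IP address directly"
} else {
    Write-Output "Resolved $aaHost -> $($addrs -join ', ')"
}

# 2. Reachability per address and port: a TCP handshake on the service port is more
#    telling than ping/traceroute, which firewalls often drop while 8080/443 pass.
foreach ($a in $addrs) {
    foreach ($port in $aaPorts) {
        $r = Test-NetConnection -ComputerName $a -Port $port -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'blocked or not listening' }
        $ping  = if ($r.PingSucceeded) { 'ok' } else { 'no reply' }
        Write-Output ('  {0}:{1} {2} (ping {3})' -f $a, $port, $state, $ping)
    }
}

# 3. Certificate trust on the HTTPS path: AuthenticateAsClient throws when the chain
#    is untrusted or the name does not match, which is exactly what a browser rejects.
function Test-TlsTrust {
    param([string]$Target, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Target, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Target)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Trusted = $true;  Subject = $cert.Subject; Expires = $cert.NotAfter; Error = $null }
    } catch {
        [pscustomobject]@{ Trusted = $false; Subject = $null;         Expires = $null;          Error = $_.Exception.Message }
    } finally {
        $tcp.Close()
    }
}
Test-TlsTrust -Target $aaHost -Port 443 | Format-List
```

A name that resolves to an AAAA record the client cannot route to, while the A record works, is the IPv4/IPv6 mix-up the IPv6 slide warns about; a Trusted = False result with a name-mismatch or untrusted-root message is the missing trusted certificate from the slide above, and the user's browser will show the same failure.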
Slide 28
Common Sense
Design InTouch application layout for target client and personnel role
Navigation and operator action scripts check $AccessLevel which is assigned to personnel logons according to role
Different applications for different roles, different user logon
Configure session timeouts
Multiple virtual servers to distribute load and/or to allocate different InTouch TSE license types (Concurrent separated from Device and User)
Wireless clients use encrypted SSL via InTouch Access Anywhere Secure Gateway
Slide 29
Information
Documentation: InTouch for Terminal Services Deployment Guide
TechNote 971: Configuring Resolution Settings for InTouch Running on Terminal Services Sessions
Deployment: Hosting Applications with Terminal Server
Slide 30
Slide 31