Terminal Services for InTouch - Platforma Internetowa ASTOR.

Terminal Services for InTouch - Platforma Internetowa ASTOR.
Wonderware® FactorySuite® Terminal Services
for InTouch™ Deployment Guide
Revision A
Last Revision: September 2002
Invensys Systems, Inc.
All rights reserved. No part of this documentation shall be reproduced, stored
in a retrieval system, or transmitted by any means, electronic, mechanical,
photocopying, recording, or otherwise, without the prior written permission of
the Invensys Systems, Inc. No copyright or patent liability is assumed with
respect to the use of the information contained herein. Although every
precaution has been taken in the preparation of this documentation, the
publisher and the author assume no responsibility for errors or omissions.
Neither is any liability assumed for damages resulting from the use of the
information contained herein.
The information in this documentation is subject to change without notice and
does not represent a commitment on the part of Invensys Systems, Inc. The
software described in this documentation is furnished under a license or
nondisclosure agreement. This software may be used or copied only in
accordance with the terms of these agreements.
© 2002 Invensys Systems, Inc. All Rights Reserved.
Invensys Systems, Inc.
33 Commercial Street
Foxboro, MA 02035
(949) 727-3200
All terms mentioned in this book that are known to be trademarks or service
marks have been appropriately capitalized. Invensys Systems, Inc. cannot
attest to the accuracy of this information. Use of a term in this book should not
be regarded as affecting the validity of any trademark or service mark.
Alarm Logger, ActiveFactory, ArchestrA, Avantis, DBDump, DBLoad,
DTAnalyst, FactoryFocus, FactoryOffice, FactorySuite, hotlinks, InBatch,
InControl, IndustrialRAD, IndustrialSQL Server, InTouch, InTrack,
MaintenanceSuite, MuniSuite, QI Analyst, SCADAlarm, SCADASuite,
SuiteLink, SuiteVoyager, WindowMaker, WindowViewer, Wonderware, and
Wonderware Logger are trademarks of Invensys plc, its subsidiaries and
affiliates. All other brands may be trademarks of their respective owners.
Welcome to Terminal Services for InTouch .....7
Before You Begin ............................................................................... 7
Document Symbols............................................................................. 7
Must Know Terminology.................................................................... 8
Checklist: Setting up Terminal Services for InTouch......................... 8
About this Manual.................................................................................. 9
Technical Support................................................................................. 10
CHAPTER 1: Introduction to Terminal Services
for InTouch......................................................... 11
Thin computing and Process Visualization ...........................................11
Total Cost of Ownership ....................................................................11
Data Access for the Casual User ...................................................... 12
Wonderware Products ....................................................................... 12
Windows 2000 Terminal Services........................................................ 13
Modes of Operation .......................................................................... 13
Components ...................................................................................... 14
Why Terminal Services for InTouch? .................................................. 15
Terminal Services for InTouch Benefits ........................................... 15
Terminal Services and Industrial Applications................................. 16
Business Justification and Project Approval .................................... 17
Industrial Scenarios .............................................................................. 18
Centralized InTouch Management.................................................... 19
Remote Access ................................................................................. 21
Internet Access ................................................................................. 22
Increased Availability ....................................................................... 23
CHAPTER 2: Project Planning ........................25
Deployment Planning Model ............................................................... 25
Identifying Key Team Members .......................................................... 29
Defining Vision and Scope................................................................... 30
Assessing Risk...................................................................................... 31
Documenting Your "As-Is" Environment ............................................ 32
Documenting LAN Information ....................................................... 32
Documenting WAN Information ...................................................... 33
Documenting Internet Information ................................................... 33
Documenting the Operator Interface ................................................ 33
Documenting Logical Design ........................................................... 34
Creating a Functional Specification "To-Be"....................................... 35
Creating/Approving the Physical Design............................................. 35
Choosing a Domain Setup ................................................................ 36
Expanding to the WAN..................................................................... 38
Terminal Services for InTouch Deployment Guide
Choosing a License Server ................................................................39
Integrating with the FactorySuite ......................................................40
Choosing the Right Client .................................................................42
Improving Reliability ........................................................................45
Building the Master Project Plan ..........................................................46
CHAPTER 3: Deployment ................................47
Deploying a Pilot Terminal Server........................................................47
Server Hardware Requirements ............................................................48
RDP Client Hardware Requirements ....................................................50
Installing Terminal Services..................................................................50
Terminal Services Licensing .................................................................50
License Purchase ...............................................................................50
Activate a License Server..................................................................51
Install Licenses ..................................................................................52
Client Licensing ................................................................................53
License Recovery ..............................................................................53
Defining Security ..................................................................................53
Session Security ................................................................................54
User Account Management ...............................................................57
Changing a Desktop into a RDP Client ................................................59
Client Installation Disks ....................................................................59
Client Connection Properties.............................................................59
Installing Terminal Services
for InTouch............................................................................................65
Modifying Applications ........................................................................66
Software Testing and Validation........................................................66
Known Issues and Limitations ..........................................................68
Converting Color Palettes .................................................................70
Running WindowViewer.......................................................................73
Selecting an Application....................................................................74
Configuring NAD for Terminal Services ..........................................74
Configuring Start Program ................................................................75
Running WindowMaker........................................................................77
Remote Development ........................................................................77
Rapid Application Development .......................................................77
Assessing the Pilot Deployment ...........................................................80
Deploying Terminal Server Throughout your Environment.................81
Providing Maintenance and Support .................................................81
Monitoring Performance ...................................................................81
Remote Control .................................................................................84
Network Load Balancing ......................................................................85
Stand-by Server Option .....................................................................85
Installation .........................................................................................86
Administration Tools .........................................................................94
Disconnection Timeouts ....................................................................95
Terminal Services for InTouch Deployment Guide
Terminal Services Advanced Client ..................................................... 97
Benefits ............................................................................................. 97
Installation ........................................................................................ 98
How to Use ....................................................................................... 98
Securing Web-based Applications .................................................. 100
Best Practices ..................................................................................... 103
Terminal Services Hot key Sequences............................................ 105
Index ................................................................107
Terminal Services for InTouch Deployment Guide
Terminal Services for InTouch Deployment Guide
Welcome to Terminal Services for InTouch
Welcome to Terminal
Services for InTouch
Before You Begin
The Terminal Services for InTouch Deployment Guide is intended to help you
efficiently plan, deploy and run InTouch applications on Windows 2000
Terminal Services. As a complement to the Terminal Services for InTouch
User’s Guide, it provides greater detail in architecture design, hardware
selection, and how to leverage the features of Terminal Services in an
industrial environment. It specifically addresses the RDP protocol. Additional
information on RDP and related protocols are available at the following websites:
Automation Control Products
Citrix Systems
Document Symbols
This manual uses the following document symbols.
A task to be performed on the terminal
server (console) or on the license server.
A task to be performed on the client (local)
Terminal Services for InTouch Deployment Guide
Before You Begin
Must Know Terminology
This is the normal desktop experience on the
computer that has Terminal Services installed.
Independent Computing Architecture. A remote
presentation services protocol from Citrix Systems.
Remote Desktop Protocol. The default connection
protocol installed with Windows Terminal Services.
A log-on instance where 100 percent of the resources
(processing, memory, and hard disk) are managed
under a virtual user account, referred to as a session
Terminal Services
A service that enables a server-grade computer for
multi-user processing and management.
Thin Client
(a.k.a. terminal) A device that allows you to send
commands to another computer. At a minimum, this
usually means a keyboard, a display screen, and
some simple circuitry.
Checklist: Setting up Terminal Services for
Review key Terminal Services for InTouch concepts.
Chapter 1
Determine how you want to utilize Terminal Services for
InTouch in your industrial environment.
Chapter 1
Describe how the deployment project meets business
Chapter 1
Develop a plan for implementing Terminal Services for
Chapter 2
Review recommended architectures and how to integrate with Chapter 2
the FactorySuite.
Consider safeguards to minimize the impact of a hardware
Chapter 2
Identify the right client for the environment and operator
Chapter 2
Establish guidelines and standards for networking, set-up,
user security, and so on.
Chapter 3
Determine licensing requirements.
Chapter 3
Enable Terminal Services and install programs.
Chapter 3
Configure client connections.
Chapter 3
Review known issues and limitations and best practices.
Chapter 3
Terminal Services for InTouch Deployment Guide
Welcome to Terminal Services for InTouch
Modify applications to run in a multi-user environment.
Chapter 3
Test and pilot your system.
Chapter 3
Prepare to provide support.
Chapter 3
About this Manual
This manual is divided into a series of logical building block chapters that
describe the various aspects of using Terminal Services for InTouch. It is
written in a "procedural" format that tells you in numbered steps how to
perform most functions or tasks.
If you are viewing this manual online, when you see text that is green, click the
text to "jump" to the referenced section or chapter. When you jump to another
section or chapter and you want to come back to the original section, a "back"
option is provided.
Tip These are "tips" that tell you an easier or quicker way to accomplish a
function or task.
To familiarize yourself with the WindowMaker development environment and
its tools, read Chapter 1, "WindowMaker Program Elements" in your online
InTouch User's Guide. Also, read Chapter 10, "Terminal Services for
For details on the runtime environment (WindowViewer), see your InTouch
Runtime User's Guide.
Online manuals are also included in your FactorySuite software package for all
FactorySuite components.
Note You must install the Adobe Acrobat Reader (version 4.0 or later) to
view or print the online manuals.
This manual assumes you are:
Familiar with the Windows 2000 and/or Windows NT operating system
working environment.
Knowledgeable of how to use of a mouse, Windows menus, select options,
and accessing online Help.
Experienced with a programming or macro language. For best results, you
should have an understanding of programming concepts such as variables,
statements, functions and methods.
Terminal Services for InTouch Deployment Guide
Before You Begin
Technical Support
Wonderware Technical Support offers a variety of support options to answer
any questions on Wonderware products and their implementation.
Prior to contacting technical support, please refer to the relevant chapter(s) in
your Terminal Services for InTouch Deployment Guide for a possible solution
to any problem you may have with your system. If you find it necessary to
contact technical support for assistance, please have the following information
Your software serial number.
The version of InTouch you are running.
The type and version of the operating system you are using. For example,
Microsoft Windows NT Version 4.0 SP5 (or later) workstation.
The exact wording of system error messages encountered.
Any relevant output listing from the Wonderware Logger, the Microsoft
Diagnostic utility (MSD), or any other diagnostic applications.
Details of the attempts you made to solve the problem(s) and your results.
Details of how to recreate the problem.
If known, the Wonderware Technical Support case number assigned to
your problem (if this is an on-going problem).
Terminal Services for InTouch Deployment Guide
Introduction to Terminal Services for InTouch
Introduction to Terminal
Services for InTouch
This chapter provides you with an introduction to Terminal Services for
InTouch. It also presents business and industrial scenarios to help you
determine if a server-centric strategy is appropriate for your particular
• Thin computing and Process Visualization
• Windows 2000 Terminal Services
• Why Terminal Services for InTouch?
• Industrial Scenarios
Thin computing and Process Visualization
Windows-based HMI and supervisory control products have empowered
operators by making computing easy to use and with better functionality than
the traditional mini-computers of yesterday. Now with so many desktops
deployed in the business and industrial environments, maintenance and
administration have become a major burden on the Information Technology
(IT) infrastructure. Accordingly, there is renewing interest in thin computing- a
computing model very similar to those mini-computers where the software and
processing is performed on a centralized server. New technology in emulation
software and browser-based applications now provide this thin computing
model to the Windows environment.
Total Cost of Ownership
The use of thin clients promise to reduce the acquisition cost of computer
hardware while reducing administrative costs related to systems management.
IT managers can then lower their total cost of ownership (TCO) for computer
equipment while improving their level of service.
Terminal Services for InTouch Deployment Guide
Chapter 1
TCO is a term used to collectively group the benefits associated with thin
clients. At a hardware level, thin clients (often called terminals) are devices
that rely on a server for applications and data, and perform little or no
application processing. They typically have a basic operating system to support
a web browser or some form of a terminal emulation software. Thin clients
require relatively small amounts of RAM and minimum processing power. In
contrast, desktop computers are referred to as fat clients because they run
programs locally. Desktop computers usually have more RAM, greater
processing power, and large hard-drives to store program files and associated
data. Note-worthy benefits of a thin computing model include the following:
Centralized deployment of programs. Most (if not all) program
execution, data processing, and data storage occur on a server, centralizing
the deployment of programs. This ensures that all clients can access
current versions of a program. Software is installed only once on the
server, rather than every desktop throughout the organization, reducing the
costs associated with updating individual computers.
Centralized Management. Provides you with the ability to manage
centrally while still allowing the individual user the flexibility of using the
Windows desktop environment.
Increased Security and Reliability. Because no application or user data
ever resides on the client, thin computing provides you with more control
for security. The use of thin clients can also help prevent the loss of data.
Since the data is processed and stored on a server, damage to the client
does not lead to destruction of data. This decreases the number of nodes
that need to be hardened for data protection.
Full advantage of existing hardware. Thin computing extends the model
of distributed computing by allowing computers to operate as both thin
clients and full-featured personal computers, simultaneously. Computers
can continue to be used as they have been within existing networks while
also functioning as thin clients capable of accessing server-based
programs and applications.
Scalability. True scalability means more than adding more clients to your
environment. You also need an effective means of managing this
environment as it grows. Thin computing provides the ease of installing
new clients, as well as the ease of maintaining them.
Data Access for the Casual User
Another benefit of thin computing is the ability to support a new level of users
referred to as casual users. Casual users include maintenance, supervisors,
engineers and perhaps vendors who need immediate access to critical
manufacturing or process information that is pertinent to them. They need this
information on-demand and for short duration. Internet technology,
telecommunications (voice mail/paging), and wireless Ethernet are typically
the preferred mediums to transport such information.
Wonderware Products
Wonderware offers several integrated products that leverage the thin
computing model:
Terminal Services for InTouch Deployment Guide
Introduction to Terminal Services for InTouch
SCADAlarm introduces Wonderware's first mobile client to access and
acknowledge factory alarm information from a mobile telephonic device.
Terminal Services for InTouch allows you to fully leverage the benefits
of Windows 2000 Terminal Services in an industrial environment. With
Terminal Services, the processing of InTouch is moved completely off the
operator's workstation and onto a centralized server.
SuiteVoyager Series introduces the Manufacturing Information Portal
that provides Internet access to summary graphics, real-time factory floor
data, and reporting information. The Portal has been designed for quick
access to summary and analysis information from multiple data sources
and from across the enterprise. SuiteVoyager is a fully scalable product,
providing process information to hundreds of clients with minimum
impact on the control network.
Windows 2000 Terminal Services
Microsoft Windows 2000 Terminal Services is an integral part of Windows
2000 technology that delivers the familiarity and ease-of-use associated with
the Windows graphical user interface (GUI) through a thin computing model.
Windows 2000 Server or Advanced Server is required to enable Terminal
With the integration of Windows 2000 Terminal Services into the core server
operating system, you can now choose to deploy InTouch in a fully servercentric mode, where applications run entirely on the server. Each operator logs
on and perceives only their presentation (known as a session), which is
transparently managed by the server operating system and is independent of
any other client session. Only screen, mouse, and keyboard information is
passed between the client and server.
Modes of Operation
Terminal Services can be enabled in one of two modes:
Terminal Services for InTouch Deployment Guide
Chapter 1
Application Server. This is the standard mode for running InTouch.
Applications are deployed and managed from a central location. Licensing
is required when deploying a Terminal Services-enabled server as an
application server. Each client, regardless of the type of operating system
and protocol used to connect to Terminal Services, must have a Terminal
Services Client Access License (TS CAL), as well as a Windows 2000
Server CAL. Windows 2000 Professional includes one TS CAL, but not a
Windows 2000 Server CAL. Access from earlier versions of Microsoft
Windows NT, as well as clients using other operating systems, must
purchase a TS CAL and Windows 2000 Server CAL.
For more information on Licensing requirements, see "Terminal Services
Licensing" in Chapter 3, "Deployment,"
Remote Administration. Terminal Services Remote Administration
mode allows any server running Windows 2000 Server to be administrated
remotely with full access to the built-in administrative tools, as if you
were sitting right at the server.
Windows 2000 Terminal Services consists of five components, as described
Multi-user kernel. The multi-user kernel extensions are fully integrated
as a standard part of the Windows 2000 Server family kernel. These are
resident on the server at all times, regardless of whether Terminal Services
is enabled or not.
Remote Desktop Protocol (RDP). This is the default protocol that allows
a client to communicate with the terminal server over a network.
Independent Computer Architecture (ICA) is another thin client protocol
offered by Citrix. Both protocols support several levels of encryption,
client-side bitmap caching, and optional compression for low-bandwidth
Terminal Services Client. The client software that displays the familiar
GUI on a client machine. The client software is a very small software
application that establishes and maintains the connection between a client
and server running Terminal Services. It transmits all input from the user
to the server, such as keystrokes and mouse movements, and all output
from the server such as application display information and print streams.
Terminal Services Licensing service. This service is required when
Terminal Services is enabled for application serving. The service allows
Terminal Services to obtain and manage its TS CALs for connecting
Terminal Services Administration Tools. Tools consist of software that
manages Terminal Services. These include Terminal Services License
Manager (if licensing was installed), Terminal Services Client Creator,
Terminal Services Configuration, and Terminal Services Manager.
Terminal Services for InTouch Deployment Guide
Introduction to Terminal Services for InTouch
Why Terminal Services for InTouch?
Terminal Services for InTouch allows InTouch to run in a multi-user
environment. For organizations wanting to increase flexibility in process
visualization and to control operator workstation management costs, a
Terminal Services for InTouch architecture offers an important enhancement to
the traditional two or three tier client-server architecture.
Terminal Services for InTouch Benefits
Beyond cost and scalability improvements, Terminal Services for InTouch also
provides many technological advantages. For example, you can remotely
control an InTouch application for quick troubleshooting and operator training.
Using Microsoft's new Terminal Services Advanced Client (TSAC), you can
view your process over the web for a super-thin client, full InTouch
experience. You can also provide roaming operators with real-time information
and control by using wireless Ethernet.
Lastly, using Terminal Services for InTouch with Embedded NT and Windows
CE provides a full desktop experience on hardware that would otherwise be
unable to support such operating systems. Embedded clients are generally
dedicated purpose devices. Due to InTouch licensing and hardware
requirements, full-featured HMI functionality has not been available for
embedded-type applications – until now. Terminal Services for InTouch fully
supports very thin hardware – hardware with much less components than a
desktop computer. Not only are these clients less likely to fail but they can be
replaced in less than 60 seconds, reducing the overall MTTR (mean time to
Caution! Terminal Services scalability does not consider the impact on the
control network. Data fan out can occur when InTouch sessions exceed the
number of topics/update rates that SuiteLink or the I/O devices can support.
For a more scalable solution, consider SuiteVoyager.
For more information on the benefits of Terminal Services, see Chapter 10,
"Terminal Services for InTouch" in your online InTouch User's Guide.
Terminal Services for InTouch Deployment Guide
Chapter 1
Terminal Services and Industrial Applications
In a simple deployment, all InTouch applications will be located on a single
computer – a terminal server. This computer also has an I/O server to
connect the WindowViewer sessions to the plant process.
Each WindowViewer session may be the same InTouch application or a
different one. They can communicate with each other and run as they would in
a traditional client-server environment. The primary difference is that now
InTouch is operating in a server-centric environment where all the processing
is performed on the terminal server. As the architecture expands and more
components are added, you need to consider the impact of such an
Knowing if a server-centric environment is appropriate for your application is
the first step in the deployment process. Terminal Services requires a fair share
of up-front planning and ongoing maintenance. Your existing InTouch
applications may need to be modified before running on a terminal server.
There must also be greater consideration for fault tolerance and availability as
multiple InTouch nodes will be affected if the server goes down.
Terminal Services for InTouch Deployment Guide
Introduction to Terminal Services for InTouch
There are many benefits to implementing Terminal Services for InTouch, but
the degree of benefit will depend on your particular application. Terminal
Services for InTouch has a sweet spot for applications that have traditionally
been deployed in client-client and client-server environments.
If you have a stand-alone InTouch node and do very little configuration, you
will most likely find little value in implementing Terminal Services for
InTouch. The benefits tend to also drop as the complexity of InTouch
applications increase. Highly complex applications frequently have graphical
and distributed I/O requirements that will burden the terminal server and
associated network. Due to the protocol nature of Terminal Services, most I/O
servers will not work on the client (local) computer.
However, Terminal Services is not an all-or-nothing solution. Industrial
applications that do not fit within the scope of a server-centric environment can
be left to run on the operator's desktop. For example, if you need an I/O server
to be running on the client computer, then keep the I/O server on the operator
desktop and only move the InTouch application to the terminal server. This
flexibility allows PCs to operate as both thin and fat clients simultaneously.
Business Justification and Project Approval
Many organizations that have made the decision to implement Terminal
Services typically explain their decision in terms of business drivers. Although
not all organizations focus on the same set of drivers or give them all the same
degree of consideration, a well-implemented Terminal Services deployment
will often confer benefits upon the user that exceed those planned for during
the initial decision-making process.
To help increase your chances for project approval, consider the following
Create a project team and regularly communicate to all affected parties.
The best way to achieve this is by using milestone-based planning.
Terminal Services for InTouch Deployment Guide
Chapter 1
Review the capabilities and sample industrial scenarios for Terminal
Services for InTouch. Clearly define the scope of the project and stick to
it. Knowing what you can accomplish up-front will prevent possible
disappointments later in the project life cycle.
Consider the initial capital and long-term costs associated with the project.
Frequently, initial capital costs are the same for both Terminal Services
and traditional installations. True savings are realized as support and
maintenance response times are improved.
Realize that this is not a desktop deployment. If you have previously
configured a domain controller, you have a pretty good idea on the effort
that is required to deploy a terminal server. You should, therefore,
spend a significant time planning. By understanding the capabilities of
Terminal Services and the effort to provide them, you should be able to
deliver what you promise.
The first point is perhaps the most important. Implementing Terminal Services
to run InTouch will most likely change the role of the operator workstation in
your organization. Accordingly, there will be a change in how InTouch and
other applications are delivered and supported on the plant floor. A significant
success factor for your Terminal Services implementation will be to minimize
the changes in how users must work. Although very little change should be
necessary for the operator, it will have a much greater impact on the people
who support the system. You should have their buy-in before submitting your
project proposal.
The bottom line is the Terminal Services for InTouch saves money, effort, and
time. By following the points above, you should be able to provide a clear and
honest business plan for the executive who will ultimately appropriate the
necessary funds. Good Luck!
Industrial Scenarios
The first task in the deployment process is to determine what business and
technical issues Terminal Services for InTouch will address. Review the
industrial scenarios in this section to familiarize yourself how Terminal
Services for InTouch might benefit your organization. The scenarios will be
illustrated with a fictitious manufacturing company called MagTape, Inc.
Scenarios are presented in italics.
MagTape, Inc. (MTI), was founded in 1981 to manufacture magnetic tape
cartridges. The operation involves several processes, each one independently
controlled. Some processes use InTouch operator interfaces, while others still
use hardwired control panels.
A recent Operations Improvement Strategy now requires greater information to
be shared among the operators. This will be accomplished by upgrading the
hardwired control panels and providing plant-wide access to process data.
MTI's engineering director is particularly concerned about the following
issues related to real-time control that may impact the cost and reliability of
such a project:
Terminal Services for InTouch Deployment Guide
Introduction to Terminal Services for InTouch
Additional support costs. The cost of maintaining and supporting the
existing operator interfaces has been increasing at an accelerating rate.
Computers that will replace the hardwired control panels must be as
maintenance-free as possible.
Added hardware expenses. To avoid additional costs, a group of spare
Windows 98 computers should be used.
Limited access for mobile operators. Certain operators spend most of
their time transporting raw materials throughout the plant. To improve
their awareness of process activity, these mobile operators must have
access to the same data available in the control rooms.
Impact of hardware failures. Hardware failures and their impact on the
process must be minimized. Operator Interfaces must also have the
flexibility to take control of a particular area if the local workstation goes
At the direction of the CEO, MagTape's engineering director has funded an
Infrastructure Renewal Project to determine how these issues could be
resolved with minimal impact to MTI's operations and bottom line.
Centralized InTouch Management
By running InTouch applications on a terminal server, only one InTouch
runtime program needs to be installed. Service packs, upgrades, and other
related maintenance requirements are also done only once – just on the
terminal server. All operators are therefore ensured that they are using the
current version of InTouch. Accordingly, the costs and challenges of updating
workstation machines, especially for remote workstations, are significantly
MTI can therefore reduce labor costs associated with software maintenance.
Only one computer (configured as a terminal server) requires InTouch and
its applications to be installed. The new operator interfaces can be Windowsbased Terminals or other thin client computers.
Terminal Services for InTouch Deployment Guide
Chapter 1
Beyond viewing the process, MTI can also remotely modify applications. They
simply need to connect to the terminal server launch WindowMaker. The task
of maintaining the same application version among different repositories is no
longer necessary.
WindowMaker does not currently support multiple users. Only one person may
edit an application at any one time. If another person concurrently launches
WindowMaker for the same application, it may become corrupt and/or
unpredictable machine operation may result.
Reduced Hardware Costs
Terminal Services Clients run on the following platforms:
Windows CE-Based Terminals
Windows for Workgroups 3.11
Windows 95
Windows 98
Windows NT 3.51 or later.
Windows 2000
Note Adding Citrix MetaFrame™ and/or ACP ThinManager™ increases the
available client types to non-Windows-based workstations, including UNIX,
Linux, and industrial display panels. Consult the associated vendor to verify
Wonderware support for a particular non-Windows-based operating system.
With the integration of InTouch and Terminal Services, you can deploy the
latest applications in a fully server-centric mode. By removing the processing
and data storage tasks from the client machine, you can greatly extend the life
of your existing hardware. In some cases, the need to replace may not occur
until the computer physically breaks down.
Terminal Services for InTouch and 3rd party industrial panel displays can also
provide an economical alternative for process visualization in harsh
environments. The increased cooling requirements and stronger construction
typically make industrial panel displays more expensive than their desktop
counterparts. With Terminal Services, industrial hardware costs are reduced
because you no longer need high-powered processors, extra memory, floppy or
CD-ROM drives. Many industrial panel displays now provide the ability to
boot and connect to a terminal server from ROM, and therefore, do not require
the added expense of a hard drive. No moving parts also extends the life of
hardware because MTBF (mean-time-between-failure) is improved.
MTI can therefore experience the new features of FactorySuite and Windows
2000 with their existing Windows 98 computers. If MTI requires more robust
hardware to replace the control panels, they can install industrial-grade
computers. These machines only require the minimum components to run the
emulation software, and therefore, can be purchased at a significantly reduced
Terminal Services for InTouch Deployment Guide
Introduction to Terminal Services for InTouch
Remote Access
Operators and other end-users gain access to a terminal server over any
Transmission Control Protocol/Internet Protocol (TCP/IP) connection
including Remote Access, Ethernet, the Internet, wireless, wide area network
(WAN), or virtual private network (VPN). Due to the reduced bandwidth
requirements of the RDP/ICA protocol, Terminal Services extend the
capabilities of InTouch to users who would otherwise be unable to access the
Wireless networks have traditionally been unable to support the large amount
of process information for real-time monitoring and control. With Terminal
Services for InTouch, applications can run with the same response time and
performance as their counterparts directly connected to the local area network
MTI can therefore support real-time monitoring and control for their mobile
operators. The client terminals need only the emulation software to connect to
the terminal server. They can then simply launch WindowViewer to monitor the
operation of choice.
Terminal Services for InTouch Deployment Guide
Chapter 1
Internet Access
Using Microsoft's new Terminal Services Advanced Client (TSAC), remote
users can access a terminal server over the Internet. TSAC is based on the RDP
5.0 feature set, but comes in the form of an ActiveX control. The ActiveX
control can be downloaded and executed within Microsoft Internet Explorer
(I.E 5.0), allowing remote users to experience full InTouch with super-thin
clients. Microsoft Point-to-Point Tunneling Protocol (PPTP) provides secure
access to a private network for users operating over a public medium, such as
the Internet.
MTI can therefore support real-time monitoring and control for their mobile
operators with either the Terminal Services Client software or by simply
launching a web browser and downloading the TSAC ActiveX control.
Terminal Services for InTouch Deployment Guide
Introduction to Terminal Services for InTouch
Increased Availability
Network Load Balancing Services is a feature of Windows 2000 Advanced
Server that enhances the availability and scalability of applications. It provides
constant support to end-users by redirecting the connection from a failing or
offline server to a backup. After necessary maintenance is completed, the
offline computer can transparently rejoin the cluster.
Remote Control is a feature of Terminal Services that provides the ability to
take control of another workstation in the event of a client hardware failure.
Remote Control also provides an easy way to train operators and monitor
operations without being physically next to the terminal.
MTI can therefore be confident that even though failures may occur, their
impact on production will be a minimum. Remote Control enables a
workstation to immediately take over another that has failed. By adding a
second server and installing Network Load Balancing, all the sessions are
Wonderware strongly recommends that you consult a Microsoft professional
and perform adequate testing before deploying load balancing into production.
ACP ThinManager 2.3 or later supports server fail-over for both Windows
2000 Server and Advanced Server.
Terminal Services for InTouch Deployment Guide
Chapter 1
Terminal Services for InTouch Deployment Guide
Project Planning
Project Planning
This chapter provides you with a planning model to properly deploy Terminal
Services for InTouch. It also provides architecture guidelines for running
applications on a LAN/WAN network and how to integrate with the
FactorySuite and third party software.
• Deployment Planning Model
• Identifying Key Team Members
• Defining Vision and Scope
• Assessing Risk
• Documenting Your "As-Is" Environment
• Creating a Functional Specification "To-Be"
• Creating/Approving the Physical Design
• Building the Master Project Plan
Deployment Planning Model
Terminal Services for InTouch requires a fair share of up-front planning. The
important thing to remember is that this is not a desktop deployment. If you
have ever installed a domain controller, you have a pretty good idea of the
effort involved.
You should follow Microsoft's Solutions Framework deployment-planning
model for designing and implementing Terminal Services for InTouch. The
following flowchart offers a simplified view of the approach. It highlights the
major activities and tasks and their associated milestones and key deliverables
that are important for the entire project team.
Although the activities leading to each milestone have a logical progression,
they need not take place in the order stated. Different team members can
perform activities concurrently, to leverage resources of people, time, and
money. Use your best judgement and knowledge of the application to deciding
the optimal time to work on any specific activity. To maximize project
efficiency, however, you should not change the sequence in which the four
milestones are reached.
Terminal Services for InTouch Deployment Guide
Chapter 2
The roadmap provides a high-level overview of the deployment process. It
Activities that are necessary to complete the project deliverables and
advance to the next milestone.
Resources that are necessary to complete each activity and create project
Deliverables resulting from activities that are necessary to complete a
timely and effective project.
Use this roadmap to gain a comprehensive visual perspective of how your team
must prepare itself to undertake this project. Gray highlighted areas in the left
column denote the four milestones, and are explained below.
For more information on the Microsoft Solutions Framework deploymentplanning model and sample documents, refer to the Microsoft's Resource kit
for Windows 2000.
A Note About Documentation
Just like electricians who deliver electrical wiring diagrams at the end of a job,
you should provide reference material upon completion of this deployment.
The roadmap contains many documents, but none are as important as the ones
needed for the support professional who may need to rebuild a machine or
make minor modifications. Documenting vendor profiles, network topology,
computer setup, security settings, program configurations, and so on, are key
deliverables for a complete project. Don't forget the supporting
Terminal Services for InTouch Deployment Guide
Project Planning
Deployment Process Flowchart
Terminal Services for InTouch Deployment Guide
Chapter 2
Vision/scope document
The vision statement provides a conceptual foundation
for the entire project. The project scope defines specific
parameters and features of project implementation. An
opportunity cost analysis is conducted.
Risk management plan
This plan provides a high-level view of risks that could
occur throughout the project with parallel mitigation
plans. The risk management plan is revisited during
each of the succeeding phases and milestones.
Bugs and issues database This database is a repository in which all issues that
arise during the project are logged and resolved. The
bugs and issues database is revisited during each of the
succeeding phases and milestones.
Project plan
Functional specification
This specification identifies business and technical
design requirements, including any proposed products
and technologies. The functional specification
describes specific project deliverables and the final
release product.
Physical Design
This document details the work that will take place. It
is a compromise between the goals of the project and
the constraints of technology, finance, and time.
Master project plan
This plan provides the essential elements needed to
implement and track the actual project and describes
the project from business, technical, application, and
implementation perspectives, including all tasks needed
to complete testing and piloting.
Master project schedule
The schedule provides the essential elements needed to
track time-sensitive deliverables.
Pilot server
The goal is to test terminal server and InTouch
applications in a controlled environment, but engaged
in real-world activity. This involves building a test lab,
identifying a Pilot Group, and documenting use cases.
The pilot deployment concludes with a meeting to
determine if the test server met project requirements.
Terminal Services for InTouch Deployment Guide
Project Planning
Server deployed
throughout the
For the most part, the full deployment process
resembles the pilot deployment process, but on a larger
scale. Operators and support staff should be trained at
this time.
Deployment assessment
During and after the deployment, communicate with
the project overseers to report progress and gauge
overall satisfaction. The result of a successful
deployment will be a satisfied customer or management
unit, the satisfactory achievement of all primary
deployment goals, and a process visualization
infrastructure that can be adequately maintained and
scaled for the future.
A stable, scalable
process visualization
Keep the test lab running after the deployment to test
new applications and any significant changes you want
to make to the server or network
Identifying Key Team Members
Terminal Services for InTouch will change the role of the client desktop in
your organization. A successful implementation starts with building a team
with people who have the right expertise for the job, who are empowered to
use their expertise, and who are held accountable for results in their areas of
responsibility. The team should include a mixture of people who can promote
buy-in and maintain continuity throughout the deployment.
Seven distinct roles must be filled and are outlined in the table below. There
need not be a one-one relationship for each role.
Team Member
Skill Set
Executive Sponsor
Provide leadership, money and
human resources
Familiarity with the FactorySuite and
Terminal Services
Assure changes are adopted into Understanding of business drivers
the company culture from the top
Project Manager
Drives critical schedule decisions Familiarity with the FactorySuite and
Terminal Services
Familiarity with project management
System Integrator
Represents the engineers who will Experience in FactorySuite components
be designing and installing the
and how to apply them in a Terminal
Services environment
Experience in Microsoft operating
systems, and networking technology
Terminal Services for InTouch Deployment Guide
Chapter 2
Team Member
Skill Set
Testing and
Ensures all issues are known
before deployment
Familiarity with applications and
operating systems
Performs scalability analysis and
performance testing
Familiarity with the process and related
Ensures a smooth rollout of
product or service
Familiarity with the organization's system
and network infrastructure
Good relationship with the system
integrator and vendors
Good understanding of the delivery
Helps identify and meet end-user Good understanding of the FactorySuite
needs and desires
and Terminal Services
Ability to write clear and useful technical
Experience training users
Represents the operator and
people responsible for
maintaining the system
Good understanding of the operations
Good relationship with the operators,
maintenance and management
Defining Vision and Scope
The vision statement is an expansive view of the proposed deployment. It
describes the top business reasons for deployment and broadly defines the
overall results of successful completion.
For more information on how MTI used business drivers to justify Terminal
Services for InTouch, see "Industrial Scenarios" in Chapter 1, "Introduction to
Terminal Services for InTouch,"
Scope defines the portions of a vision that can actually be accomplished within
the project constraints. The project scope provides boundaries for the vision
statement by specific details that include business reasons for deployment,
features, resources, and schedule framework. By understanding the capabilities
of Terminal Services and the effort to provide them, you should be able to
deliver what you promise.
Terminal Services for InTouch Deployment Guide
Project Planning
The scoping process should be S-M-A-R-T: Specific, Measurable, Achievable,
Result-based, and Time-oriented. The table below provides a more detailed
definition of S-M-A-R-T.
Specifying results to be achieved (for example, what
action will be taken or what application will be
Clearly specifying what will be achieved (for
example, the number of seats deployed or the number
of business units completed).
Identifying what the enterprise will achieve by this
action (for example, plant-wide access to process
Establishing realistic outcomes based on company
resources and project parameters.
Setting a realistic time frame to achieve specific goals
(for example, will commence on X date and complete
on Y date).
Assessing Risk
Risk identification and ranking is the first step in the proactive risk
management process. It provides the team with information it needs to bring
major risks to the surface before they adversely affect the project.
Possible risks in deploying Terminal Services for InTouch are:
Not testing sufficiently, or not allotting enough time for testing.
Failing to accurately determine the scalability of current and future
Failing to understand end-user expectations.
Failing to account for the behavior and interaction of existing programs
that may not be multi-user compliant.
Not providing adequate security to protect system files and applications.
Failing to adequately train personnel who are responsible for maintaining
the system.
Risk is composed of two factors: probability and impact. Risk probability is
the likelihood that an event will actually occur. Risk impact is the severity of
adverse effects on operations, safety, cost, or the ability to continue with the
project. Once identified, the risk is rated (e.g., high, medium, or low) based on
its probably and impact, and a corresponding mitigation plan developed. The
assessment is then entered into a risk assessment matrix. This matrix should be
a living document, updated whenever there is a change, and included in
deployment status reports.
Terminal Services for InTouch Deployment Guide
Chapter 2
Sample Risk Matrix
Risk Description
Medium Low
Some of the existing
applications were not
designed to operate
within a Terminal
Services environment.
Testing will need to
profile the various
applications to determine
whether or not they are
Routers are configured Project
to filter port 3389.
Configure routers to allow
connections through port.
May not be able to use System
existing Windows 98 Integrator
Evaluate available
protocols and match with
hardware requirements.
Documenting Your "As-Is" Environment
Before beginning the deployment process, it's a good idea to survey the
existing infrastructure to create a baseline for improvement and help you
determine how the new technology will fit in. This is especially important if
you are migrating existing InTouch applications to a terminal server.
Terminal Services for InTouch will change the role of the operator interface in
your organization. This will come a change in how InTouch applications are
delivered to the operator, how they are used, and how they are maintained.
These changes in process are known as Business Process Redesign (BPR). An
important point with BPR and your terminal server deployment is minimizing
the change in how the operators must work, and their ability to perform day-today functions.
A starting point for BPR is determining what your process visualization
capabilities and requirements are today. This is known as the as-is model.
When documenting your "as-is" model, include both technical information and
operator interface requirements. By documenting the existing technical
environment, the team can make a more educated decision on the ability of the
system to support the deployment, and what additional hardware/software may
be necessary.
Documenting LAN Information
The local area network (LAN) has become a popular control network. A LAN
is almost always confined to a single plant.
Even though the low bandwidth requirements for RDP and ICA will place a
relatively insignificant burden on the infrastructure, you will want to ensure all
identified users are able to connect to the terminal server. Understanding the data
flow patterns for the applications that you will be putting on the terminal server,
their required resources, and the network path they travel will help determine if
any modification is necessary.
Terminal Services for InTouch Deployment Guide
Project Planning
Terminal Services supports only TCP/IP connections between the TS client
and server. If other protocols are in use, such as IPX or NetBEUI, you must add
TCP/IP. You will still be able to IPX or NetBEUI as the transport protocol for
non-terminal server traffic, such as network file or printer sharing.
Documenting WAN Information
A wide area network (WAN) is the interconnection of geographically dispersed
buildings extending beyond a single area. By deploying TS clients at remote
office locations and only sending the RDP or ICA traffic across the wide area,
you can realize the same bandwidth savings as in the LAN. If the WAN
consists of frame relay connections, distinguish between committed rates and
burst rates.
Determine if filters have been implemented on the routers or firewalls that may
prevent clients from remotely gaining access to terminal server. Check to
make sure that the RDP port (port 3389) is not blocked at the firewall and that
access to the specific corporate segments is not limited to certain Internet
Protocol (IP) or Internet work Packet Exchange (IPX) network addresses. If
these blocks are in place and they prevent remote connections, the team must
address them during deployment.
Documenting Internet Information
The new Terminal Services Advanced Client (TSAC) enables remote users to
access a terminal server over the Internet. The main difference between Internet
and other networks is security implications.
If your organization uses a firewall, determine if it is a packet-level or an
application-level firewall. Packet-level firewalls are easier to configure for
new protocols. If an application-level is used, check with your Internet Service
provider (ISP) if they can define a filter for the RDP protocol.
Document the method the network uses to connect to the Internet. This will
help you determine how much bandwidth is available to terminal server.
Depending on the frequency remote users will access a terminal server, your
team should know the costs and availability of a permanent connection to the
Documenting the Operator Interface
No matter how powerful and robust your server is, or how well you have
designed your environment, in the end the success of your project will be
measured by the usability of the client. Knowing the needs of the end-user and
the environment where the operator interface will be located is critical to a
successful project.
In order to set the expectations of the users, you will need to be able to measure
what they have and use today with what you intend to deliver. These
measurements are known as benchmarks. Benchmarks are used to draw
comparisons between the "as-is" and the "to-be" models and highlight areas
where expectations can be exceeded, can be met, or are deficient.
Representative benchmarks include:
Terminal Services for InTouch Deployment Guide
Chapter 2
Access to programs other than InTouch
Time delays to process information or query databases
Size and quality of video displays
Special interface requirements such as touch screens, keyboards, or sound
Access to a disk drive
Local printing
Environmental hazards
User security – permissions and rights
You also need to identify any I/O devices that are connected to the operator
interface. Generally, I/O devices local to the client computer are not supported.
The exception is a low throughput device at the client (such as a hand scanner
or low bandwidth serial device). Using the client for demanding I/O devices
can have a negative impact on the InTouch application. Connecting all of the
I/O to the server solves this problem, but it may not be practical, especially if
your terminal server system is replacing a system that used distributed
computers to collect and update data points around the plant.
There are two options if I/O devices cannot be moved to the terminal server:
Use a desktop replacement where only the InTouch application is moved
to the terminal server. The I/O server remains on the local computer and
runs as normal.
Use an ACP Enabled Thin Client. These clients support special drivers
including high-speed serial, Profibus, ControlNet, and DeviceNet.
For more information on ACP Enabled Thin Clients, see the ACP
documentation at http://www.acpthinclient.com.
Finally, document system security and user profiles. You will most likely add
more security on the terminal server, but operators should not perceive any loss
in permissions or rights. Keeping familiar procedures and practices is the key
to minimizing BPR.
Documenting Logical Design
Logical design is a high-level understanding of the business and operational
requirements without considering the technology used to achieve them. It
describes what events occur when an operator or process performs some
action. Most often, there is no correspondence between the logical architecture
and the physical topology of the system.
The purpose of documenting the current logical design is to express any
business requirements that must remain when migrating to a server-centric
environment. The system integrator then has the responsibility to develop a
physical design that attempts to meet each business requirement (existing and
proposed) while applying the constraints of technology, finance, and time.
Terminal Services for InTouch Deployment Guide
Project Planning
Creating a Functional Specification "To-Be"
The functional specification is the next step after documenting the
environment. It is a high-level explanation of how Terminal Services for
InTouch will be designed and what it will do. The functional specification
should be considered a blueprint for the deployment process and presents goals
that have been agreed by all team members. However, the team should not treat
the functional specification as something written in stone. It should be a living
document that the team updates regularly to reflect changes in scope or
The functional specification should ensure that what the team wants to achieve
is what is required by the business. When you can directly relate the outcome
of the deployment process to business goals, you have your to-be model. The
"to-be" model is a set of target measures that you will work to achieve. Most
measures will be quantifiable, like the number of seconds to launch InTouch,
while others will be more subjective, such as operator satisfaction as a result of
improved stability. The "to-be" data collection will most often come from your
pilot users. By comparing this data against the benchmarks, you can determine
whether you are ready to proceed with your implementation.
Creating/Approving the Physical Design
A physical design is part of the design process in which you collect the
information you have gathered about the current state and the goals that have
been identified, and use this information to develop a plan for deploying
Terminal Services for InTouch within the limits set forth in the vision/scope
The physical design builds upon the logical design and functional specification
by applying real-world technology constraints, including any implementation
and performance considerations. It is a compromise between the needs of your
business and the limitations of the computer. This is also the point at which the
team can estimate human resources, costs, and schedules.
Terminal Services for InTouch Deployment Guide
Chapter 2
Choosing a Domain Setup
The first part of developing the physical design involves planning the position
of Terminal Services within your enterprise. Terminal Services need not be on
a Windows 2000 domain to function. Without a domain, however, users must
have separate accounts on every terminal server. This limits scalability and
makes it more difficult to administer groups of users. Industrial organizations
without many users can typically use a single domain.
For more information on setting up Windows 2000 Server domains, see your
Windows 2000 documentation
Note If you add Terminal Services to a domain that uses DHCP, keep the
client IP addresses fixed. WWLogger, SuiteLink and Network Load Balancing
all rely on permanently assigned IP addresses to identify clients.
Install Terminal Services as a stand-alone server. We strongly recommend that
you not run Terminal Services on any computer that also acts as a database
server (such as IndustrialSQL Server), RAS server, PPTP server, or domain
controller. Terminal Services is designed to perform like Windows 2000
Professional at the end-user level, and it will not assign top priority to critical
domain-level processes. Installing Terminal Services on any of these servers
can significantly degrade performance.
Terminal Services for InTouch Deployment Guide
Project Planning
The location of the terminal server will mostly depend on how information
flows from the plant floor. Unlike the traditional client-server relationship in
which the desktop client is communicating directly with the I/O servers and
databases, terminal server creates an indirect communication path from the
client to the terminal server and then to the destination server. This is
demonstrated below, which depicts the data flow and bandwidth requirements
between the TS clients and terminal server.
IndustrialSQL Server and the I/O servers are no longer in direct
communication with the clients. Instead, clients communicate with them only
through the terminal server. This way, the high bandwidth requirement exists
only between the terminal server and the other servers. The bandwidth
requirements between the clients and terminal server are much lower. The RDP
and ICA protocols offer similar performance, and on average have a utilization
of approximately 20Kbps per user session.
Terminal Services for InTouch Deployment Guide
Chapter 2
Expanding to the WAN
By deploying TS clients at remote locations and only sending the RDP or ICA
traffic across the wide area, you can realize the same bandwidth savings as on a
LAN. The functional difference between a WAN and LAN is that the WAN
requires switches to route information to the destination. The figure below
illustrates the best use of such a network.
Only the RDP and ICA traffic traverses the wide area connections. All the
bandwidth-intensive processing requirements are located at the same physical
location as the high-speed switching backbone. The information you gathered
while documenting your "as-is" environment is now very critical to
understanding bandwidth requirements, latency issues, and data flow
Note Printing considerations are important! When assessing Terminal
Services across a WAN (and to some extent a LAN), you need to pay particular
attention to the location of printers and how clients have been configured to
access them.
If an operator prints to a local printer that resides on the operator's LAN but
across a slow link from the server running Terminal Services itself, the print
job is spooled across the slow link to the printer. This adds to the bandwidth
requirements for Terminal Services because the network is required to handle
print traffic as well as keystrokes, mouse events, and screen updates.
Terminal Services for InTouch Deployment Guide
Project Planning
Choosing a License Server
The Terminal Services Licensing service is a separate entity from Terminal
Services. In most large systems, the license server will be deployed on a
separate server although it can be co-resident on the terminal server in some
smaller systems. Regardless of where it resides, Licensing is a low-impact
service. It requires very little CPU or memory for regular operations, and its
hard disk requirements are small, even for a significant number of clients.
The license server must be discoverable by the terminal servers. For a
Windows 2000 domain, this means the license server must be deployed on a
domain controller. The terminal server will discover the license server by
enumerating its domain controllers and checking for Terminal Services
It is also possible to deploy a license server in a Windows 2000 network on a
site basis. This approach, known as the enterprise-licensing configuration, can
be selected at installation. It will allow any terminal server in the same physical
site to discover the Licensing service, even across domain boundaries. This
configuration does not support discovery from remote sites within the network.
Note In determining the location of a license server, discoverability is the
most critical factor. A domain, site or workgroup hosting terminal servers
must also host a license server. For critical applications, there should be at least
two discoverable license servers to ensure high availability.
Once a terminal server has discovered a license server it will continue to use
that as long as it is available. The terminal server will communicate with its
default license server about once an hour to assure it is still present. If it cannot
find the default license server, the terminal server will seek another
Terminal Services for InTouch Deployment Guide
Chapter 2
Note Terminal Services Licensing only runs on Windows 2000 Servers, and
only manages licenses for Windows 2000 Terminal Services.
Integrating with the FactorySuite
Terminal Services for InTouch is the only Wonderware product currently
supported on a terminal server. Other components of the FactorySuite must be
installed on a separate computer. The following describes limitations you will
encounter when integrating Wonderware products with Terminal Services for
NetDDE is limited to console (server) use only, because of the
\\node\application|topic!item naming convention. Since several sessions share
the same node, NetDDE cannot differentiate between sessions. A client will
not connect, even if it is the first user to connect to NetDDE.
If DDE is selected for a particular Access Name, SuiteLink will be used. This
will impact the ability to communicate to certain I/O servers and Microsoft
Office products (such as Excel) that depend solely on DDE. For these
situations, a tagname server can be used. A tagname server is an application
that contains only InTouch QuickScripts and tagnames. By running it on the
console or separate machine, you now have the ability to communicate using
both DDE and SuiteLink.
An instance of WindowViewer running on the terminal server acts as a
tagname server. The tagname server uses NetDDE to communicate to the I/O
server using DDE, and SuiteLink to communicate to the desired session. The
sessions, therefore, have an indirect connection to the DDE I/O server.
Terminal Services for InTouch Deployment Guide
Project Planning
For more information on how to configure a tagname server, see "Creating a
Tagname Server Application" section of the InTouch User's Guide.
Note The diagram above shows a common network for both the clients and
normal data traffic. Based on the "as-is" LAN analysis, you may need to
separate the networks or install switched hubs to provide adequate bandwidth.
SPC Pro, InTrack, and InBatch are currently not supported. However, you can
still access data using any database query tool or ActiveX control.
AlarmSuite Logger must be disabled on the terminal server. AlarmSuite does
not support multi-user configuration. You must use a tagname server on a
separate computer to log alarms to the database. However, you can use
AlarmSuite ActiveX controls in the WindowViewer sessions to query and
display alarms.
I/O servers must be Windows 2000 Server Ready to run on a terminal server.
They must run on the console and not as a session. All other I/O servers must
be installed on a separate computer as shown above.
IndustrialSQL Server cannot import tagnames from InTouch running as a
session. IndustrialSQL Server accepts only one Tagname.x database from each
node. Use a tagname server to aggregate the tags you want stored and import
these tags. The tagname server may run on the terminal server console or on a
separate computer.
Terminal Services for InTouch Deployment Guide
Chapter 2
The terminal server acts as an application server, running the WindowViewer
sessions. A separate computer acts as a data server, running IndustrialSQL
Server, I/O servers, and if necessary, a tagname server. In this situation, you
need a tagname server to import Memory or System tagnames to
IndustrialSQL Server.
Note The diagram above shows a common network for both the clients and
normal data traffic. Based on the "as-is" LAN analysis, you may need to
separate the networks or install switched hubs to provide adequate bandwidth.
Choosing the Right Client
Available client computers range from desktop replacements to industrial
display panels. They all connect to terminal server using a small client program
installed on disk or in firmware. The choice of which client platform to use
depends on the currently installed base and operator interface needs.
Your client computer must be able to communicate to terminal server using the
RDP or ICA protocol. ACP Enabled Thin Clients embed a version of ICA. A
feature comparison among the three options is shown below:
Note The column marked ACP+ICA means that both ACP ThinManager and
Citrix MetaFrame (ICA) are installed on the terminal server.
32-bit client for Windows based PCs (Windows
95, Windows 98, Windows NT
Workstation/Server 3.51, Windows NT
Workstation/Server 4.0, Windows 2000
16-bit client for Windows for Workgroups 3.11
16-bit client for older versions of Windows and
the MS-DOS operating systems
Windows CE-based client (Windows-based
Terminal Standard and H/PC Pro)
UNIX client, Macintosh client, Java client
Browser client
Thin client enabling for x86 based PC platforms
Connect client over local area network (LAN)
Connect client over wide area network (WAN)
Connect client over dial-up, ISDN, xDSL, VPN
SPX, IPX, NetBEUI, and Direct Asynch
Dial-up connection directly to the server without
using a dial-up service such as RAS
Terminal Services for InTouch Deployment Guide
Project Planning
System beeps
Support for stereo Windows Audio (system and
Local Printing
Printing to a local printer attached to a PC client
Printing to a local printer attached to a WBT
Printing to a local printer attached to a thin client x
Local Drive
Local drives accessible from server-based
Local I/O
Redirection of server COM ports (COM port
Cut and Paste
High speed serial transfer module (up to 115
Touch screen support out of the box (Elo and
Profibus module
DeviceNet module
ControlNet module
Cut and paste of text/graphics between client and x
Server-based applications resize and minimize on
a Windows PC similar to local applications
Advertise server-based applications directly to
client desktops
Pooling of servers behind a single server address x5
and for increased availability
Client connects to alternative terminal server if
its terminal server fails
Cut and paste of files/directories between client
and server
session access
Client remembers previous user's logon name for x
each connection
Connect to an active or disconnected session
using a different screen resolution than the
original session
Connect directly to an application (InTouch)
rather than an entire desktop
Automatic failover without operator intervention
Viewing and interaction with other sessions
Optionally cache display bitmaps to disk for
improved performance
Terminal Services for InTouch Deployment Guide
Chapter 2
Multiple-level encryption for security of client
Multiple-level encryption on all Windows CEbased terminals
Administrative means for updating client
connection software from the server
Client Update
Pre-configured Predefined client with published applications, IP x
addresses, server names and connections options
Auto-creation of clients
Remote administration
Remote reboot
Remote initiation of touch screen calibration
OCX for client management embeds into
Not Applicable
Windows CE RDP 5.0 client is available with WBT Standard 1.5. Consult
your WBT manufacturer for availability. H/PC RDP 5.0 client is not
currently available.
Available with 3rd party add-on from NCD.
Using Windows 2000 Server Resource Kit utilities.
Requires Windows 2000 Advanced or Datacenter Server, or 3rd party addon from NCD or Clusterisis.
Requires optional Load Balancing Services or SecureICA Services in
addition to Citrix MetaFrame.
Uses Windows native networking.
Using the Terminal Services Advanced Client Web package.
Using Microsoft Systems Management Server, Intellimirror™
management technologies or 3rd party utilities in conjunction with the
Terminal Services Advanced Client MSI package.
10. ACP Enabled thin clients are already connected when the browser loads.
11. Connects over WAN or dialup using TCP/IP.
12. Requires Citrix MetaFrame.
13. Release To Be Announced.
14. Vendors currently include: Advantech, Ann Arbor, Christensen Displays,
Contec, HMW, Nematron, and Xycom.
Terminal Services for InTouch Deployment Guide
Project Planning
Improving Reliability
Moving InTouch applications and related software to a terminal server will
save time and money, but will also increase your dependency on a single piece
of equipment. Your risk identification will not only include possible failures
that can interrupt access to terminal server but the chance that the server itself
will fail. A single point of failure is any component in your environment that
can block data or shutdown a critical operation. Maximum reliability is
achieved when you:
Minimize the number of single points of failure.
Provide mechanisms that maintain service when a failure occurs.
The table below lists common points of failure in a server environment and
describes whether you can protect the point of failure by using load balancing
or by using a third party solution.
Failure point
Load balancing Other solutions
Network hub
Redundant networks
Power outage
Uninterruptible power supply (UPS)
Server connection
Hardware or software RAID, to ensure against
the loss of specific data on a specific computer
and to provide for uninterrupted service.
Other server hardware such Fail-over
as CPU or memory
Spare components such as motherboards and
small computer system interface (SCSI)
controllers (any spare components need to
exactly match the original components,
including network and SCSI components).
Server software such as the Fail-over
operating system or specific
Wide area network (WAN)
links such as routers and
dedicated lines
Redundant links that provide secondary access
to remote connections
Network Load Balancing Services is a feature of Windows 2000 Advanced
Server. The principal goal of load balancing is to provide increased reliability.
A cluster of two or more terminal servers ensures that if one fails, another
computer will be available.
Tip Use servers that are engineered, built, and tuned specifically for thinclient computing. Unisys ES Series servers are such computers. For more
information, refer to their web site, http://www.unisys.com.
Note ACP ThinManager 2.3 or later also includes fail-over capability. You
can configure multiple terminal servers so that one is a primary server and the
rest are secondary servers. If the primary fails, terminals will automatically
connect to the secondary.
Terminal Services for InTouch Deployment Guide
Chapter 2
For information on how to configure load balancing, see "Network Load
Balancing" in Chapter 3, "Deployment,"
Building the Master Project Plan
All members of the project team contribute to the project plan by producing
planning and scheduling documents describing how they will create the system
or service as defined in the functional specification. The project plan includes
approach, dependencies, assumptions, and budget information and refines the
agreement of the vision/scope document between the team and customer.
The project team should have a number of major deliverables ready before the
project plan is completed and the Project Plan Approved Milestone is reached.
These major deliverables include:
The environment analysis should contain a comprehensive assessment of
the technical infrastructure as it currently exists.
The functional specification should provide the beginning of the
deployment plan.
The physical design should detail the actual plan of action.
The risk assessment should be updated with current information.
After the team has created the master project plan and started the project, they
should update the data on a regular basis. The project team should also review
the project plan regularly to determine if the project is on time and on budget.
Terminal Services for InTouch Deployment Guide
This chapter provides you with the necessary steps to deploy Terminal Services
for InTouch and how to modify your existing applications to run in a servercentric environment. It also includes instructions to remotely control sessions
and how to install Network Load Balancing for improved reliability.
• Deploying a Pilot Terminal Server
• Server Hardware Requirements
• RDP Client Hardware Requirements
• Installing Terminal Services
• Terminal Services Licensing
• Defining Security
• Changing a Desktop into a RDP Client
• Installing Terminal Services for InTouch
• Modifying Applications
• Running WindowViewer
• Running WindowMaker
• Assessing the Pilot Deployment
• Deploying Terminal Server Throughout your Environment
• Network Load Balancing
• Terminal Services Advanced Client
• Best Practices
Deploying a Pilot Terminal Server
The goal of the Scope Complete/First Use Milestone is to test Terminal
Services for InTouch in a controlled environment and to begin the deployment
process by installing a pilot server into a group engaged in real-world activity.
Validating the physical and logical designs is perhaps the most important task
in the deployment process. Failure to properly test applications and
architectures could lead to costly mistakes or could inhibit critical tasks.
Terminal Services for InTouch Deployment Guide
Chapter 3
The ideal environment for validating your design is a test laboratory that
simulates the environment of the actual deployment as closely as possible. The
test lab will function as a miniature version of the organization itself, enabling
the team and the assigned pilot group to see Terminal Services for InTouch in
action before deployment.
Good group communication is a vital part of a successful pilot deployment.
Before deployment begins, establish the communication framework your team
and pilot group will be using. The Bugs and Issues database should be used to
track and resolve issues during this phase.
The first step in the pilot deployment involves preparing a test lab. The test lab
will consist of one or more terminal servers and a number of client
terminals. The physical design should be used as a guide to specify hardware
and software requirements.
Server Hardware Requirements
Terminal Services for InTouch must be installed on a new Windows 2000
Server or Advanced Server. Do not upgrade from a Windows NT system. The
following table provides recommended hardware platforms based on "Best
Practices" outlined in this guide. They should give you good performance with
a representative InTouch application.
Recommended Hardware Based on "Best Practices"
Physical Memory
Virtual Memory
2, 3
Number of Clients
Pentium III 450 MHz
384 MB
960 MB
Pentium III 500 MHz
1024 MB
2560 MB
Pentium III 700 MHz
2048 MB
5120 MB
Multi-processors can improve performance.
Add 128 MB RAM for Windows 2000 Advanced Server.
Memory requirements depend on application load and the number of users
connected. RDP will need 40-60 MB per user running InTouch, while ICA
will require slightly more.
Virtual memory (page file size) should be 250% of the physical memory.
Note A good way to estimate how many users a server can support is to
measure system performance with two to five users on the system, and then
scale the results.
For more information on analyzing system performance, see "Monitoring
For more information on optimizing the operator's experience, see "Best
Terminal Services for InTouch Deployment Guide
Hard Disk Space
One or more hard disks with a minimum of 2 GB on the partition that will
contain the system files.
The use of RAID, Redundant Array of Inexpensive Disks, will help prevent
loss of data and server downtime.
10/100Mbps network adapter card. Network that uses the TCP/IP protocol.
Other Drives
CD-ROM drive
A high-density 3.5 inch disk drive as drive A, unless:
The computer supports starting the Setup program from a compact disc.
You are installing Windows 2000 over a network.
Keyboard, mouse (or other pointing device) and a monitor (VGA or better).
View with resolution of 800X600 or higher.
A UPS (Uninterrupted Power Supply).
Note Before you install Windows 2000, verify that your hardware is on the
Windows 2000 Hardware Compatibility List (HCL). Because Microsoft
provides tested drivers for only those devices that are listed on the Windows
2000 HCL, using hardware that is not listed on the HCL may cause problems
during and after installation. You can find the most recent version of the HCL
on the Internet at http://www.microsoft.com/hwdq/hcl/.
Examining Peripheral Devices that Affect
Peripheral devices can also affect the performance of a server running
Terminal Services:
Hard disks. Disk speed is critical for terminal server performance.
Small computer system interface (SCSI) disk drives, especially devices
compatible with Fast SCSI and SCSI-2, have significantly better
throughput than other types of drives.
Network adapter. A high-performance network adapter is recommended,
especially if users require access to data that is stored on network servers
or client/server applications such as Wonderware InTouch. Using multiple
adapters can significantly increase network throughput.
Terminal Services for InTouch Deployment Guide
Chapter 3
RDP Client Hardware Requirements
Clients that run Terminal Services are not required to have much processing
power. For example, a Pentium with 32 MB of RAM and a VGA video card is
sufficient. Therefore, it is very easy to integrate Terminal Services into a
network that has older computers and equipment.
Note Using a standard VGA card may limit your display size and color depth.
There will be some performance considerations depending on the model of the
client you are using. For example, a device that uses Microsoft Windows CE as
its operating system will not operate as quickly as the same device would if it
used Linux.
Installing Terminal Services
You can install Terminal Services on the server during Windows 2000 Server
Setup, or you can install Terminal Services after Setup through Add/Remove
Programs in the Control Panel. For detailed instructions on installing
Terminal Services, see the installation instructions in the ReadMe file on your
Terminal Services software CD.
Terminal Services Licensing
Licensing requirements are based on the installed software products and the
number of clients that will be connecting to a terminal server. Once you
have enabled Terminal Services Licensing on a machine, the next step is to
activate the license server and install appropriate client access licenses (CALs).
License Purchase
Each client requires one of the following licenses to gain access to the
terminal server:
Terminal Services Client Access licenses (TS CALs). These licenses are
purchased for known, non-Windows 2000 devices connecting to a
terminal server.
Built-in Licenses. Clients that are running the Windows 2000 operating
system are automatically licensed as Terminal Services Clients.
Temporary licenses. When a terminal server requests a client access
license and the license server has none to give, or if a license server has
not yet been discovered, it will issue a temporary license. A terminal
server will accept connections from unlicensed clients for 90-days. This
period is known as the license server grace period.
Terminal Services for InTouch Deployment Guide
Note Terminal Services Licensing is in addition to other licenses that might
be needed, such as FactorySuite licenses, operating system licenses, and any
BackOffice family Client Access Licenses.
If you purchase ThinManager™ from ACP, it only includes the necessary
licenses to run ThinManager and Citrix Devices. The licenses mentioned
above are still required.
Activate a License Server
A license server must be activated in order to certify the server and allow it to
issue client licenses. A license server is activated using the licensing wizard,
which is located in the Terminal Services Licensing tool.
There are four connection methods to activate your license server: Internet,
Web, Phone, and Fax. Internet is the quickest and easiest. All four methods
access the Microsoft Clearinghouse, which is a facility to activate license
servers and to issue client license key packs to the license servers that request
Terminal Services for InTouch Deployment Guide
Chapter 3
To activate the license server
Start up the Terminal Services Licensing program by clicking Start on the
Windows Taskbar, pointing to Programs, pointing to Administrative
Tools, and then clicking Terminal Services Licensing. The Terminal
Services Licensing dialog box appears.
On the Action menu, click Activate Server.
The Licensing Wizard welcome screen appears.
Click Next.
Choose your connection method (explained above).
Follow the instructions in the wizard.
Install Licenses
Installing licenses supports the same four methods of license server activation.
When you install licenses, you will be asked for information regarding your
purchase of the licenses. Depending on how you obtained your licenses, the
information requested may include your Microsoft Enterprise or Select
Enrollment Agreement number, your Microsoft Open License and
Authorization numbers, or your 25-character License Code if you are a retail
customer. The License Code can be found in your Microsoft License Pak
(MLP) packaging. When installing a License Code from an MLP, choose
Other as your licensing program when prompted. If you obtained your
licenses from a program or a method not listed above, please consult your
program documentation for more information.
Terminal Services for InTouch Deployment Guide
Client Licensing
After you have installed your licenses, the license server can begin deploying
them. The terminal server initiates the actual client license distribution.
When a client attempts to connect to a terminal server, the terminal server
will check that the client is fully licensed. A client that possesses a valid CAL
or a client that is running Windows 2000 operating system will be allowed to
connect, with no need for the terminal server to communicate with the
license server.
If a client has no license, or has an expired temporary license, the terminal
server requests a permanent TS CAL for the client. The license server than
checks its database. If it has a TS CAL available, it will mark that license as
taken by that client and remove it from the available pool. A certificate for that
license is sent to the terminal server, which then pushes this certificate down
to the client where it is stored. The client will present this certificate on
subsequent terminal server connections as proof of license. Any terminal
server will accept the certificate.
License Recovery
Issued TS CALs lost from the client device due to events such as hard disk
failure, inadvertent reformatting, device swap-out, or un-issued licenses lost
due to a license server crash will need to be re-issued by the Clearinghouse. To
get the licenses re-issued, use the phone connection method to contact a
Microsoft Terminal Services Licensing customer service representative. The
customer service representative will require the License Server ID to re-issue
the licenses.
For more information regarding Terminal Services Licensing, see
Defining Security
A proper security implementation is a critical component of any computerbased control system. The default security of the Windows 2000 operating
system is not nearly sufficient for any production deployment. Of course,
security is not simply to protect against malicious attack, but more often from
human error. Often, a major problem is introduced by a simple mistake. On a
terminal server, you can not afford to provide the operators with the
opportunity to make such mistakes.
Because of the multi-user nature of Terminal Services, we strongly recommend
that you consult with a Windows 2000 Security professional. Without proper
security, users can have access to any directory and file on the server, including
important system files and InTouch applications.
Terminal Services for InTouch Deployment Guide
Chapter 3
Session Security
Connection settings and security control not only access to a terminal server
through the Terminal Services Client, but also how a user can interact with
other users on the server. Connection security is managed through regular
Windows 2000 users or groups.
We recommend that you never control client connection access through
individual user accounts even when dealing with only a single server. The
administrative work required is much greater than that for using groups.
Accordingly, the following local groups should be defined:
WW_Admins – Members of this group will have administrative
connectivity rights on the terminal server. They will be able to perform
all functions on other sessions including logging off, disconnecting, and
resetting any session.
WW_Users – Members of this group will have only user connectivity
access on this server. This is the preferred choice for operators.
WW_Users_RC – Members of this group will have user connectivity
access in addition to the ability to remotely control other users. This group
is optional, and accommodates users who require this privilege, such as
support engineers.
To create terminal server local groups
Click Start on the Windows Taskbar, point to Programs, point to
Administrative Tools, and then click Computer Management. The
Computer Management dialog box appears.
Terminal Services for InTouch Deployment Guide
In the Tree, under Local Users and Groups, right-click the Groups
Click New Group.
Add the three recommended local groups.
After the local groups have been created, the next step is to configure the
connection security for these groups. The tool that you will use to manage
connection settings and security is the Terminal Services Configuration
To configure connection security
Click Start on the Windows Taskbar, point to Programs, point to
Administrative Tools, and then click Terminal Services Configuration.
The Terminal Services Configuration dialog box appears listing all of the
created connection types for the terminal server in the right pane.
Note When configuring security, make sure that you set the security for
each of the connection names that exist. Setting them for one will not
automatically set them for all.
Double-click RDP-Tcp. The RDP-Tcp Properties dialog box appears.
Terminal Services for InTouch Deployment Guide
Chapter 3
Click the Permissions tab to activate the Permissions property sheet.
Note The RDP-Tcp Properties property sheet provides global settings
that override individual user settings. If you are having problems getting a
particular user setting to work (such as auto-logon), remember to refer to
this window to determine if there is a conflicting global setting.
Select all the listed groups except SYSTEM, and then click Remove. The
default groups are not appropriate for managing access to your terminal
server for the following reasons:
Administrators group – This group is granted full control for
connections. Although the local Administrator certainly needs access
to the server, we prefer not to use this group to assign this right. The
main reason is because the Administrators group automatically
includes the Domain Admins group when the terminal server is
added to a domain. Such administrative users should not have full
control of this server.
Users group – Under most circumstances, you will not want to have
any user accessing the terminal server. If you wanted to restrict a
user's access for any reason, the only way to do so would be to
remove them from the Domain Users group, which would also restrict
them from accessing other non-TS domain resources.
Terminal Services for InTouch Deployment Guide
Add the three recommended groups mentioned earlier, assigning them the
following permissions:
Full Control
User Access
Special Access (User Access + Remote Control)
To set the privileges for the WW_Users_RC group, begin by assigning it
the User Access privileges. Then click Advanced to view the Access
Control Settings for RDP-Tcp dialog box. Select WW_Users_RC and
then click View/Edit. Check the Allow box for Remote Control.
Click OK.
User Account Management
Windows 2000 user account options are valid for Terminal Services.
Organizational policy should guide you on the appropriate settings for
passwords, time restrictions and auditing.
Terminal Services for InTouch Deployment Guide
Chapter 3
To configure users to access a terminal server
Click Start on the Windows Taskbar, point to Programs, point to
Administrative Tools, and then click Computer Management.
In the Tree, open the Users folder under Local Users and Groups.
Double-click a desired user to open the ASTCLIENT205 Properties
dialog box.
Click the Member Of tab to activate the Member of property sheet.
Remove any default groups and add the appropriate Wonderware group
and the Power Users group.
Note Terminal Services for InTouch supports only two security groups
under the Windows 2000 operating system: Administrators and Power
Users. Wonderware strongly recommends that you do not allow users to
connect to a terminal server with administrative rights. Such users have
global access to all user files, and the ability to shutdown the server (even
by mistake).
Terminal Services for InTouch Deployment Guide
Changing a Desktop into a RDP Client
Once the server connections have been configured and user accounts created,
the next task is to configure the desktop computers as TS clients.
Client Installation Disks
Windows 2000 includes the Terminal Services Client Creator administrative
tools with which you can create installation disks for the client software. After
the software is installed on the client, the client will be able to connect to a
server running Terminal Services.
To create client installation disks
Open Terminal Services Client Creator.
Select the type of Terminal Services client software that you want to
create. There are three options:
Terminal Services for 16-bit windows (requires 3 disks)
Terminal Services for 32-bit x86 windows (requires 2 disks)
Terminal Services for 32-bit Alpha windows (requires 2 disks)
Insert a disk into the destination drive.
After copying the files to the disks, close the Create Installation Disk
dialog box, or click OK to create more disks.
Client Connection Properties
After you have installed the Terminal Services Client software on a client
device, you will need to configure the connection properties. The Client
Connection Manager is a simple tool for connecting to a terminal server.
The preferred approach is to connect immediately upon logon to the local
To configure client connections
Click Start on the Windows Taskbar, point to Programs, point to
Terminal Services Client, and then click Client Connection Manager.
On the File menu, and then click New Connection. The Client
Connection Manager Wizard will start.
Terminal Services for InTouch Deployment Guide
Chapter 3
Click Next. The first Client Connection Manager Wizard dialog box
In the Connection name box, type a description for your connection and
the actual name or IP address of the server.
Terminal Services for InTouch Deployment Guide
Click Next. The second Client Connection Manager Wizard dialog box
Select the Log on automatically with this information option, if you
want this connection to automatically log on to the server.
In the User name, Password, and Domain boxes, type the desired logon
Tip Only enter user names that are members of the Power Users group.
These users have adequate permissions to run InTouch, but are restricted
in accessing system files and shutting down the server.
Note If the terminal server connections have been configured to not
allow automatic logons, this information is ignored.
Terminal Services for InTouch Deployment Guide
Chapter 3
Click Next. The third Client Connection Manager Wizard dialog box
The third Client Connection Manager Wizard dialog box allows you to
select the screen resolution for the session, and whether or not it will open
full screen. The maximum screen resolution you can select cannot exceed
what your desktop is currently configured for. You can always select a
resolution smaller than what you currently have.
Selecting Full Screen will completely hide the local desktop behind your
terminal server connection. You will not have a title bar, nor will you be
able to minimize your session. You will still have the ability to switch to
any applications that are running locally, but you will not have direct
access to the local desktop.
Tip Select Full Screen with the same resolution as your current desktop
resolution. If a lower resolution is selected, the unused space will appear
simply as a black border.
Terminal Services for InTouch Deployment Guide
Click Next. The fourth Client Connection Manager Wizard dialog box
The fourth Client Connection Manager Wizard dialog box provides
connection options to improve the performance of the session.
10. Select the Enable data compression option if you will be connecting to a
low-speed network such as a dial-up or Internet.
11. Select the Cache bitmaps option to store commonly used bitmaps, like
the one used to display the Start button, in a file on the client computer.
This improves performance by minimizing the amount of display
information that must be passed over a connection. You should have
10MB of free hard-drive space to support this feature.
Terminal Services for InTouch Deployment Guide
Chapter 3
12. Click Next. The fifth Client Connection Manager Wizard dialog box
13. The fifth Client Connection Manager Wizard dialog box allows you to
specify whether you are going to be running a complete desktop on the
terminal server, or whether you will run a specific application. For now,
accept the default to open a desktop.
Tip Before deploying the pilot server, start InTouch using this
connection and select the desired application to run. Afterwards, you can
enable the Start program option to only run WindowViewer.
To configure the connection to automatically start WindowViewer, see
"Configuring Start Program."
Terminal Services for InTouch Deployment Guide
14. Click Next. The sixth Client Connection Manager Wizard dialog box
15. The sixth Client Connection Manager Wizard dialog box allows you to
change the icon for the connection that is being created and also to specify
the program group where a shortcut to this connection will be
automatically created.
Tip Select the Startup program group to automatically connect after the
operator logs-on to the desktop. This will resemble WindowViewer
running as a service. Remember that the operator can disconnect from the
terminal server and log-off from the local desktop with
WindowViewer still running on the server. The next time the operator
logs-on, they will return to the InTouch application as if they never left.
16. Click Next. A dialog box displaying a brief summary of the new
connection you have created appears.
17. Click Finish to complete the connection setup.
Installing Terminal Services
for InTouch
To install the Terminal Services for InTouch, you must log on to the server
running Terminal Services by using the built-in Administrator account.
Terminal Services for InTouch Deployment Guide
Chapter 3
Note If you have already installed a Non Terminal Services version of
InTouch, it is not possible to upgrade to a Terminal Services version of
InTouch. It is, however, possible to upgrade from a previously Terminal
Services version of InTouch to the latest version.
For detailed instructions on installing Terminal Services, see the installation
instructions in the ReadMe file on your Terminal Services software CD.
Modifying Applications
Once the pilot terminal server has been deployed, the next step is to install
and test the applications. Validation is best achieved with the help of a pilot
group, which is made of qualified individuals who will show a tangible
improvement or benefit. They should possess a relatively high-level of
technical expertise so they can understand and report issues and describe how
to reproduce them.
Software Testing and Validation
Software testing is always important, but is especially true for Terminal
services. The impacts of a poorly tested application unleashed into production
are an order of magnitude greater than those in a standard desktop. This is why
testing and piloting is stressed so much more than they might be during a
regular desktop deployment.
Terminal Services for InTouch Deployment Guide
After you have the applications installed on the test server, you should run
some initial testing. At a minimum, verify that you can log on to the server for
every user, inspect security settings, and launch InTouch. Continue only when
the team is comfortable that the terminal server is working properly.
When the application is working properly for the single user, the next step is to
increase this to two to five users. The reason for this is to ensure that the
software continues to function when multiple instances are being run on the
same computer.
After the application has successfully gone through multi-user testing, the last
task is to examine the load that InTouch will introduce. This can actually be
started during the single-user testing because sever performance problems may
be noticed immediately. It is at this point that benchmarks from the "as-is"
deployment phase can be evaluated to determine if the intended benefits can be
Terminal Services for InTouch Deployment Guide
Chapter 3
Known Issues and Limitations
The following table describes the limitations and suggested work-around you
may need to implement when running applications on a terminal server.
Wonderware is aggressively resolving many of these issues in the next release.
AlarmSuite Logger
Use a tagname server (separate computer
DDE to an I/O Device or MS
Office 2000 (for example, Excel)
Use a tagname server (console or separate
computer). This includes DDE
QuickScripts: WWExecute(), WWpoke()
and WWRequest()
DDE from MS Office 2000 (for
example, Hot-link configured in
Excel and InTouch must be running in the
same session
Historical Trending
Use a tagname server or NAD to log values.
Multiple sessions may read the same
historical files
In work - to be supported in a future release
InControl must run on the console, and
requires v7.1 Patch 03 or later.
InSQL Active Controls (OLE DB) Yes
InSQL should be on a separate computer
InTouch Alarm Logger
In work - to be supported in a future release
InTrack OLE Automation
In work - to be supported in a future release
"Playsound" QuickSript
Requires Citrix MetaFrame
Retentive tags
Must use NAD
SQL Access (ODBC)
Database should be on a separate computer
SuiteLink to an I/O Device or
another InTouch application.
When communicating to another view
session, include the terminal server Node
name and append the IP address of the
desired session to the Application name.
For example, view10.103.25.6.
Terminal Services for InTouch Deployment Guide
Starting Local I/O
InTouch cannot start I/O servers in a terminal server environment. To avoid
receiving an "Initializing I/O" error message when WindowViewer starts, turn
off the Start Local Servers option on the WindowViewer General property
Note Depending on the sequence that view sessions start, you may need to
execute the IOReinitialize QuickScript. Remember ALL servers (I/O devices
or view applications) must be running before starting an application that reads
values from these servers.
Script Execution
Because all applications running on a terminal server use a single timing
reference (server clock), there is a chance that scripts may not execute during
abnormal CPU loading. Abnormal CPU loading can be caused by excessive
video processing or when several applications have the same script triggers
defined (such as an End-of-Shift event). It is possible, therefore, that if the
server is busy processing scripts from many clients, it may not start a script on
another client during the interval when the timer would normally start the
script. This may cause the script on that client to not execute.
Terminal Services for InTouch Deployment Guide
Chapter 3
To ensure proper script execution, combine scripts with common triggers and
move them to a single application, such as a tagname server. This is one of the
primary reasons for pilot deployment. Pilot deployment gives you an
opportunity to perform "what-if" scenarios and determine if your hardware
selection is adequate.
Converting Color Palettes
The current version of Terminal Services supports up to 8-bit color depth (256
color) graphics. Many InTouch applications make use of bitmap images that
are 16-bit (65,536 colors) or 24-bit (1,677,216 colors) color depth. Attempting
to display these higher color depth graphics at 256 colors will result in a
dithering effect. Dithering is the computer's attempt to substitute the subtle
variations between colors in a 16 or 24-bit image with one of the 256 colors
available in the 8-bit palette.
Note Citrix MetaFrame supports 16-bit color depth. If your image uses a
large color palette, you may want to consider MetaFrame to maintain the
quality of the display. Keep in mind, however, that an increase in color depth
will increase network traffic, as more data needs to be transferred to the clients.
To prevent the images from being displayed improperly, you can convert them
using an image manipulation program. Adobe's Photoshop™ or Jasc's Paint
Shop Pro™ are ideal for this purpose. Paint Shop Pro is available with a 30day free evaluation download from the Jasc site at:
To modify bitmaps within InTouch using Paint Shop Pro
Open Paint Shop Pro. On the File menu, point to Preferences, and then
click File Format Associations.
Terminal Services for InTouch Deployment Guide
Select the Windows or OS/2 Bitmap (*.bmp) option. (This option forces
any file with the *.BMP extension to launch Paint Shop Pro instead of
Microsoft Paint.)
Click OK to close Paint Shop Pro.
Start WindowMaker with the application that you want to modify.
Open the window that has the desired bitmap to be modified.
Right-click the bitmap object and select Edit Bitmap to launch Paint Shop
Pro. The status bar in the lower right of the application window shows the
size, color depth and file size of the graphic.
Click Color, Decrease color depth, 256 color (8 bit).
Terminal Services for InTouch Deployment Guide
Chapter 3
Choose Standard/Web-safe palette, and the Error diffusion reduction
Click OK. Note that the status bar now displays the decreased color depth
of the graphic and smaller file size.
10. Close Paint Shop Pro and click Yes when prompted to save the bitmap.
Remember to save the window before closing WindowMaker.
Terminal Services for InTouch Deployment Guide
Running WindowViewer
Running InTouch applications from a terminal server is no different than
running them on a standard desktop. The multi-user functionality of Terminal
Services for InTouch allows you to individually configure InTouch for every
client. Configuration details are stored in the client's home directory. This is
also the best place for NAD files because only the connected client can gain
access their home directory.
Home directories for Terminal Services Clients
Terminal Services for InTouch Deployment Guide
Chapter 3
Selecting an Application
Each client can run the same or different application. Simply connect to the
terminal server as the client you want to configure, and launch InTouch
Application Manager (INTOUCH.EXE). Configure InTouch as you would
normally. Any changes are saved in the client's home directory.
Note You will need to configure InTouch for every client that will connect to
the terminal server.
Configuring NAD for Terminal Services
Network Application Development (NAD) is the preferred architecture on
terminal servers. It is required for Historical Trending and Retentive
Tagnames. NAD provides a separate application folder for every user, and if
NTFS is used, adequate security.
For more information on how NAD works, see Chapter 3, "Building a
Distributed Application" in your online InTouch User's Guide.
To configure NAD
From a client workstation, connect to the terminal server. The logon
should be configured to view the session desktop.
Open the client's home directory. This is the corresponding user name
folder in C:\Local Documents and Settings.
Terminal Services for InTouch Deployment Guide
Create a new folder called NAD.
Example: C:\Documents and Settings\Client202\NAD
Start the InTouch program (intouch.exe). The InTouch Application
Manager dialog box appears.
Click the Node Properties tool or on the File menu, click Properties. The
Node Properties dialog box appears with the App Development property
sheet active.
Turn on the Enable Network Application Development option.
In the Local working directory box, type the path of the NAD directory
you just created.
In the Polling period (sec) box, type the appropriate seconds for the
polling period.
Select the appropriate Change Mode option.
10. Click OK.
Repeat this procedure for every client that will be running InTouch.
Configuring Start Program
Wonderware strongly recommends that sessions only run InTouch. User
profiles and the Client Connection Manager, both can be configured to start
WindowViewer upon connection. Running only InTouch will avoid the
confusion of a desktop within a desktop, and best resembles WindowViewer
running as a service on standard desktops. The Client Connection Manager
method is described below.
Terminal Services for InTouch Deployment Guide
Chapter 3
Note Configure InTouch before automatically launching WindowViewer.
The desired application must be selected, and NAD configured correctly.
To automatically start WindowViewer upon connection
From a client workstation, start up the Client Connection Manager.
Right-click the connection you want to modify, and click Properties. The
Properties dialog box appears with the General property sheet active.
Click the Program tab to activate the Properties dialog box.
Select the Start the following program option.
In the Program path and file name box, type the appropriate path for
Click OK. The next time you log-on, WindowViewer will start the last
application selected.
Terminal Services for InTouch Deployment Guide
Running WindowMaker
WindowMaker is not designed for a multi-user environment. Only one person
may edit an application at any time. If you ensure applications cannot be
simultaneously modified, there are some noteworthy benefits of using
WindowMaker in a Terminal Services environment. Remote configuration and
Rapid Application Development using studio applications are two such
Remote Development
By launching WindowMaker in a session, you can modify applications as if
you are sitting right at the development node. Remote development provides
an easy way for off-site engineers to update applications without travelling to
the site. The low bandwidth requirements of RDP make this far more efficient
than modifying applications locally, and then downloading the files.
Rapid Application Development
Clipboard redirection is a feature of Terminal Services that allows users to cut
and paste between applications running on the local machine and those running
on the terminal server. If the local machine has WindowMaker installed,
clipboard redirection can copy and paste any InTouch object. This enables
Rapid Application Development by providing standard InTouch applications
(referred to as studio applications) that others can easily access. Clipboard
redirection is an alternative to WindowMaker's Import command.
Architecture of a studio deployment is shown below:
Terminal Services for InTouch Deployment Guide
Chapter 3
Studio applications include industry or company-standard graphics, scripts and
window templates. They are stored on a terminal server and set for READONLY so that any modifications are strictly controlled. A developer working
on an application in the same office or across the world has immediate access
to these studio applications.
To copy/paste between a studio application and local
From the client machine, connect to the terminal server, and launch
WindowMaker with the desired studio application. Size the window so
that it just covers half of the client's desktop.
On the client desktop, launch WindowMaker with the local application.
Size the local application so that it covers the other half of the client's
On the local application, perform a Copy and Paste on any object to
activate the local Windows clipboard. You only need to do this once.
On the studio application, open the desired window and right-click on the
object you want to copy, and click Copy.
WindowMaker running in a Session
Terminal Services for InTouch Deployment Guide
WindowMaker running locally
On the local application, right-click anywhere on the destination window.
Click Paste to paste the object from the studio application to the local
Terminal Services for InTouch Deployment Guide
Chapter 3
Position the object to the desired location. The copied object will include
any animation links and tagnames that were part of the original object.
Just like the Import command, tagnames will be converted to placeholder
tagnames. For example, when a discrete tagname is copied, the tagname is
prefixed with the three characters ?d:. These tagnames will then need to be
defined in the local tagname database.
Assessing the Pilot Deployment
The pilot deployment concludes with an assessment of the process produced
by the deployment team with the assistance of the pilot group. This assessment
is usually conducted in the form of a postmortem meeting.
Use this meeting to discuss such things as any unresolved bugs, technical
issues or problems that came up during the process, and information related to
the risks identified earlier in the deployment. Present this information to the
organization responsible for overseeing the deployment of Terminal Services
for InTouch. The Scope Complete/First Use Milestone can then be achieved.
Characteristics of a successful pilot deployment include:
End-user satisfaction as indicated by the pilot group feedback
A positive status report that the project team can present to management
Permission to continue with the full deployment
No major, unresolved application incompatibilities that prevented the pilot
deployment from proceeding as planned.
Terminal Services for InTouch Deployment Guide
Deploying Terminal Server Throughout your
The last goal in the deployment process is the Release Milestone, which uses
the knowledge gained in the other three milestones to complete the deployment
and to prepare the infrastructure for ongoing maintenance and support.
Having completed the pilot process, you are now prepared to move to a fullscale deployment. For the most part, the full deployment process resembles the
pilot deployment process, but on a larger scale. Training end-users and those
responsible for supporting the system should take place during this phase.
Training too early when problems still exist will most likely create fear,
uncertainty and doubt.
If you have planned the project well and carried out the pilot successfully, the
full deployment should proceed with few unexpected surprises or problems.
Tip If you have existing InTouch applications, keep them on the desktop, and
train the users on how to switch back and fourth between the terminal session
and client desktop. This will minimize the impact on production if a problem
The result of a successful deployment will be a satisfied customer or
management unit, the satisfactory achievement of all primary goals, and an
infrastructure that can be adequately maintained and scaled for the future.
Providing Maintenance and Support
Hopefully, the test lab is still functioning, and adequate supporting
documentation has been provided. Use the test lab to train new users and to test
any significant changes you want to make on the production machines.
Remember to always disconnect all users from the server and prevent inbound
connections from being established (for example, from an ACP Enabled Thin
Client) before installing any new software.
Monitoring Performance
Detecting a processor bottleneck in Terminal Services is similar to detecting
processor bottlenecks in Windows 2000 Server and Professional, but the
baseline values for the counters may differ. Use the performance monitoring
tools to monitor system performance and the effects of configuration changes
on system throughput. Among the most important measurements for
performance monitoring are:
Processor utilization
Hard-disk I/O rates
Memory utilization
Pagefile activity
Network utilization
Terminal Services for InTouch Deployment Guide
Chapter 3
Task Manager
Task Manager provides information about programs and processes running on
your computer. It also displays the most commonly used performance
measures for processes. Use Task Manager to monitor key indicators of your
computer's performance. You can quickly see the status of the programs that
are running and end programs that have stopped responding. The default
setting only shows processes running on the console. Select Show processes
from all users to include processes running in sessions.
Performance Monitoring (MMC snap-in)
System Monitor and Performance Logs and Alerts are available snap-ins for
the Microsoft Management Console (MMC). They provide detailed data about
the resources used by specific components of the operating system and by
server programs that have been designed to collect performance data. Graphs
provide a display for performance-monitoring data, logs provide recording
capabilities for the data, and Alerts send notification to users by means of the
Terminal Services adds the Terminal Services and Terminal Services Session
objects and their counters to the set of objects you can observe using System
Monitor. The most significant counters for evaluating server and network
performance are the following:
Terminal Services for InTouch Deployment Guide
Processor\ % Processor Time is the percentage of time that the processor
is executing a non-Idle thread. It can be viewed as the percentage of the
sample interval spent doing useful work. This counter displays the average
percentage of busy time observed during the sample interval. Generally, it
should be less than 85 percent.
System\ Processor Queue Length is the instantaneous length of the
processor queue in units of threads. All processors use a single queue in
which threads wait for processor cycles. After a processor is available for
a thread waiting in the processor queue, the thread can be switched onto a
processor for execution. A processor can execute only a single thread at a
time. Windows Terminal Services can sustain a processor queue length of
10 to 12 threads per processor and still provide acceptable performance. It
is important to note that the processor queue length is an instantaneous
count, not an average over the time interval.
Processor\ Interrupts/sec is the average number of hardware interrupts
the processor is receiving and servicing in each second. This value is an
indirect indicator of the activity of devices that generate interrupts, such as
the system clock, the mouse, disk drivers, data communication lines,
network interface cards and other peripheral devices. You can use this
counter to identify any device drivers that may be consuming an unusually
high amount of processor time. A dramatic increase in this counter value
without a corresponding increase in system activity indicates a hardware
Memory\ Available MBytes is the amount of physical memory available
to processes running on the computer, in Megabytes. Add more on-board
RAM if available memory drops below 4Mbytes.
Memory\ Pages/sec is the number of pages read from or written to disk to
resolve hard page faults. (Hard page faults occur when a process requires
code or data that is not in its working set or elsewhere in physical memory,
and must be retrieved from disk). This counter displays the difference
between the values observed in the last two samples, divided by the
duration of the sample interval. Generally, more than 20 pages/sec
indicates a problem.
Network Segment\ % Network Utilization indicates how close the
network is to full capacity. The threshold depends on your network
infrastructure and topology. If the value of the counter is above 30 to 40
percent, collisions can cause problems.
Note You must install the Network Monitor Driver in order to collect
performance data using the Network Segment object counters.
Terminal Services Session\ Private Bytes is the current number of bytes
this process has allocated that cannot be shared with other processes.
Process\ % Processor Time for each instance of view. This will show the
percentage of processor time for each view instance.
Process\ Handle Count for each instance of view. This will show the
current number of handles being used for each view instance.
Process\ Private Bytes for each instance of view. This will show the
amount of memory that each instance is currently using.
Terminal Services for InTouch Deployment Guide
Chapter 3
Note When viewing Process counters, instances of view will be differentiated
by a number based on the start-up sequence. For example, view is the first
instance started, view#1 is the second, view#2 is the third, and so on.
Remote Control
Remote Control is a feature of Terminal Services that allows one session to
temporarily control another user's session. An engineer, for example can help
troubleshoot the system without being physically beside the operator. The
engineer can interact with the operator and execute commands on their behalf.
Response time to resolve problems can therefore be improved.
Note You can also remotely control ICA-based clients using the Terminal
Services Manager utility. However, you cannot remotely control an ICA-based
client from an RDP-based client, or vice versa.
You must have adequate permission to remotely control another session. See
"Defining Security" for more information.
Remote Control from the console is currently not supported.
To remotely control an operator workstation
Start up Terminal Services Manager.
Right-click the session you want to monitor, and then click Remote
Control. The Remote Control dialog box appears.
Select the Hot keys you want to use to end a remote control session.
Terminal Services for InTouch Deployment Guide
Tip The default hot key is Ctrl+* (using * from the numeric keypad only).
Click OK.
Before monitoring begins, the server warns the user that their session is about
to be remotely controlled, unless this warning is disabled. Your session might
appear to be frozen for a few seconds while it waits for a response from the
user. When you want to end remote control, press Ctrl+* (or whatever hot key
you have defined).
Network Load Balancing
Network Load Balancing Services (NLBS) is one of the clustering
technologies available with Windows 2000 Advanced Server. A cluster is a
group of independent computers that work together to run a common set of
applications or services and provides an image of a single system to the client.
With NLBS, you can enhance the availability of scalability of InTouch
Note Wonderware strongly recommends that you consult a Microsoft
professional and perform adequate testing before deploying load balancing into
Stand-by Server Option
The following procedure will configure a stand-by terminal server. Normal
operation has all InTouch applications running on one machine in the cluster
(shown as the primary host in the figure below). If the server or network fails,
sessions will freeze for roughly 10 seconds before acknowledging a
disconnection. At that time, operators need to simply re-launch the connection.
NLBS will automatically redirect all the log-ons to the stand-by server. When
the primary machine is placed back into service, operators should log-off and
launch their sessions again. Sessions will be directed to the primary host.
Terminal Services for InTouch Deployment Guide
Chapter 3
Note If the operator disconnects by mistake, that session may become
orphaned. See "Disconnection Timeout" for more information.
Caution! Installing NLBS is relatively straightforward. Howerver, incorrect
settings may cause unpredictable operation or very poor performance.
Familiarize yourself with Microsoft documentation on NLBS before following
these instructions.
Start with two terminal servers configured exactly the same. Both should be
updated when applications are modified, or when users are added. In other
words, one is a clone of the other. The only difference is that each has a unique
IP address (NLBS calls them "dedicated" IP addresses). You will need to
provide a virtual IP for the cluster (NLBS calls this the "primary" IP address),
and choose which machine will be the primary host.
Note Log-off all clients before installing NLBS.
To install Network Load Balancing
On the Primary Host, open Network and Dial-up Connections.
Terminal Services for InTouch Deployment Guide
Right-click the Local Area Connection on which load balancing is to be
installed, and then click Properties. The Terminal Services Properties
dialog box appears with the General property sheet active.
Select Network Load Balancing in the Components checked are used
by this connection list.
Terminal Services for InTouch Deployment Guide
Chapter 3
Click Properties. The Network Load Balancing Properties dialog box
appears with the Cluster Parameters property sheet active.
Type a Primary IP address, Subnet mask, and Full Internet name to
represent the cluster in their respective boxes. The Primary IP address
must be a static IP. The full Internet name is used only for remote
administration and is used as an identifier for the cluster.
If you are using a single network adapter, select the Multicast support
option to allow the network adapter to handle traffic both for the cluster
and dedicated IP address.
Note Use two or more network adapters whenever possible. A second
network adapter can boost overall network performance and speed-up
access to back-end databases.
Terminal Services for InTouch Deployment Guide
Click the Host Parameters tab. Host parameters configure the cluster
machine's native IP settings and how the cluster loads.
In the Priority (Unique host ID) box, type a 1 (one). The Priority
(Unique host ID) setting is used to determine which server in the cluster
is considered the manager that receives incoming requests and routes them
to other serves in the cluster. The server with the lowest ID performs this
Select the Initial cluster state option to start NLBS immediately when
Windows 2000 is started.
10. In the Dedicated IP address box, type the actual machine IP address. The
Subnet mask should also be same as the machine's subnet mask.
Terminal Services for InTouch Deployment Guide
Chapter 3
11. Click the Port Rules tab to activate the Port Rules property sheet.
Port Rules allows you to configure individual machines in the cluster. The
rules determine how the cluster balances the load among the machines in
the cluster with rules for percentage-based balancing as well as specific
ports being sent to specific machines in the cluster.
12. Remove any predefined rules. By default, NLBS serves all ports and this
setting is sufficient.
13. Click OK to return to the Local Area Connection Properties dialog box.
Terminal Services for InTouch Deployment Guide
14. Click Internet/Protocol (TCP/IP), and then click Properties.
15. Confirm that the dedicated IP address and Subnet mask matches the IP
address and Subnet mask defined for this machine.
16. Click Advanced. The Advanced TCP/IP Settings dialog box appears
with the IP Settings property sheet active.
Terminal Services for InTouch Deployment Guide
Chapter 3
17. Type in the Primary IP address for the cluster, and then click Add.
You now have an IP address that the virtual IP can bind to.
18. Click OK. The Local Area Connection Properties dialog box reappears.
19. Click OK.
Terminal Services for InTouch Deployment Guide
20. Repeat this procedure for the stand-by machine. Everything is the same
except for the Host Parameters. Enter a 2 (two) for the Priority (Unique
host ID), and the correct Dedicated IP address, as shown below:
Now that the two machines are configured as a cluster, clients have the option
to connect directly to one of the machines, or to connect to the cluster.
To connect to the cluster
From a client workstation, open the Client Connection Manager.
Terminal Services for InTouch Deployment Guide
Chapter 3
Right-click the connection you want to modify, and then click Properties.
The Properties dialog box appears with the General property page active.
In the Server name or IP Address box, type the Primary IP address for
the Server name.
Click OK.
Administration Tools
NLBS comes with a command line utility: WLBS.EXE. This utility allows you
to view and refresh setting made in the dialogs in the live cluster. The most
important ones are describes below:
The command line for the Network Load Balancing control program
(Wlbs.exe) has the following syntax:
wlbs command [cluster [:host] [remote options] ]
Starts cluster operations on the specified hosts attempting to join the cluster.
This enables all ports that may have been previously disabled.
Stops cluster operations on the specified hosts leaving the cluster.
Terminal Services for InTouch Deployment Guide
Displays the current cluster state and the list of host priorities for the current
members of the cluster. The possible states are:
Unknown --The responding host has not started cluster operations and cannot
determine the cluster's state.
Converging -- The cluster is currently attempting to converge to a consistent
state. Prolonged convergence usually indicates a problem with cluster
parameters. If this occurs, check the event logs on the cluster hosts for Network
Load Balancing messages warning you about the source of the problem.
Draining -- The cluster has converged, and the responding host is draining
active connections prior to stopping cluster mode.
Converged as default -- The cluster has converged, and the responding host is
the current default (the highest-priority host without a drainstop command in
progress). The default host handles network traffic for all of the TCP/UDP ports
not covered by the port rules.
Converged -- The cluster has converged, and the responding host is not the
default host.
(local only)
Reloads the Network Load Balancing driver's current parameters. Cluster
operations on the local host are automatically stopped and restarted if necessary.
If an error exists in the parameters, the host will not join the cluster, and a
warning is displayed. If this should occur, open the Network Load Balancing
Properties dialog box to fix the problem.
Disconnection Timeouts
As a general recommendation, establish a standard timeout for disconnected
sessions. This is especially important when utilizing load balancing. There is a
chance that sessions may become orphaned if the operator improperly logs-off
a terminal server. Orphaned sessions will hold resources that could be freed
up for use elsewhere.
To enable a timeout for a disconnected session
Click Start on the Windows Taskbar, point to Programs, Administrative
Tools, and then click Terminal Services Configuration.
Double-click RDP-Tcp to open the RDP-Tcp Properties dialog box.
Terminal Services for InTouch Deployment Guide
Chapter 3
Click the Sessions tab to activate the Sessions property sheet.
Select the Override user settings option.
In the End a disconnected session box, type the number of minutes you
want to elapse before ending a disconnected session.
Click Apply.
Terminal Services for InTouch Deployment Guide
Terminal Services Advanced Client
Microsoft's Terminal Services Advanced Client (TSAC) is a Win32®-based
ActiveX® control that can be used to run Terminal Services sessions within
Microsoft® Internet Explorer. By using TSAC, you can now run full-featured
InTouch applications across the Internet, with the same performance and speed
as if you were on the local area network.
The downloadable ActiveX control provides almost the same functionality as
the full Terminal Services Client, but is designed to deliver this functionality
over the Web. The TSAC provides the following benefits:
Run sessions within Internet Explorer. Terminal emulation software
does not need to be installed on the client machine. Only Internet Explorer
4 or later and an URL address pointing to the terminal server is
Quick and easy access to terminal servers. The TSAC is especially
useful for fact, on-demand access to terminal servers. URL addresses
can contain optional fields, such as username and screen size, to make
accessing different terminal servers as simple as clicking on a
"Favorites" link.
Terminal Services for InTouch Deployment Guide
Chapter 3
Common interface. The common look and feel of Internet Explorer make
it a preferred GUI for viewing MS Office™ applications, browsing plant
information, or doing trend analysis using ActiveFactory™ or
The TSAC is a free ActiveX control available from the Microsoft website. It
must be installed on a computer running Internet Information Services (IIS)
version 4.0 or later. This dependency applies to the Web server only. Users can
download the control and view a session from any supported web browser
(Windows 32-bit versions of Internet Explorer 4.x, 5.x, or 6.x).
Note For the most recent information or to download the TSAC, visit
How to Use
Once the TSAC is installed on the Web server, users can point to a default
login page and/or pass specific user information to initiate a terminal server
session. Three sample Web pages are installed in the TSWeb directory. These
pages can be run as they are, or they can be modified.
Note For information on how to configure and use the sample pages, please
refer to the Microsoft® Terminal Services ActiveX® Client Control
Deployment Guide.
Terminal Services for InTouch Deployment Guide
Default.htm. Default.htm is a sample logon page that is designed to
collect terminal server connection information from the user. You
access the default page by the following URL:
Where MyWebServer is the computer name or IP address of the Web
Connect.asp. Connect.asp is a sample page that contains the actual
ActiveX client control, which hosts the terminal server session. By
design, Connect.asp does not run alone, but must be called with the
following parameters:
Where MyWebServer is the computer name or IP address of the Web
server, MyTSServer is the computer name of the terminal server,
MyUser is a valid logon name, and MyDomain is the name of the computer
that has the logon name defined.
Note To use the sample page, Active Server Pages (ASP) must be
enabled on the Web sever.
If your Internet access goes through a Firewall, make sure to open TCP
port 3389.
Terminal Services for InTouch Deployment Guide
Chapter 3
Securing Web-based Applications
Beyond the safety and liability issues of remotely controlling a process, the
Internet has an increased risk of unauthorized access. The Internet is a public
medium, and any connection may inadvertently expose sensitive information
and/or damage systems by malicious acts. To adequately protect your
terminal server and the process it controls, you should develop a sound
information security (INFOSEC) policy. Your INFOSEC policy should include
Physical Security, Network Security, Application Security, and Security
Physical Security
Physical security addresses the operating environment of your servers and
connected client systems.
Place your terminal server in a protected room that is free from physical
threat and adverse conditions. Make the room available only to authorized
(trusted) personnel.
Develop a schedule to back-up data and publish procedures on how to
restore it.
Evaluate your risk if the terminal server goes down. Hardware
protection such as surge suppressors, uninterruptible power supplies, and
redundant servers will help keep your system running. Network Load
Balancing or systems with Assured Availability will mitigate the chance
that a component failure will stop production.
Network Security
Network security addresses the data transfer between the terminal server
and client computers.
Provide adequate computer log-on security.
For more information, see "Defining Security."
Enable medium (or higher) encryption. Encryption prevents spoofing,
which refers to any unauthorized attempts to intercept an address, user
identification, partial or even total transmission of data. Terminal Services
provides multilevel encryption. All levels use the standard RSA RC4
encryption model
Terminal Services for InTouch Deployment Guide
This level secures all data sent from the client to the
server by using either a 56-bit or 40-bit key. A
Windows 2000 terminal server uses a 56-bit key
when Windows 2000 clients connect to it, and a 40bit key when earlier versions of the client connect.
This input-only encryption is used to protect
sensitive data, such as a user password.
This level secures data sent in both directions (from
the client to the server and from the server to the
client) by using either a 56-bit or a 40-bit key. A
Windows 2000 terminal server uses a 56-bit key
when Windows 2000 clients connect to it, and a 40bit key when earlier versions of the client connect.
Use medium encryption to secure sensitive data as it
travels over the network to display on remote clients.
If you are located in the United States or Canada,
you have the option to select the high level. High
encryption affects all data sent in both directions, but
encrypts using the non-exportable 128-bit key.
To enable encryption
Click Start on the Windows Taskbar, point to Programs, point to
Administrative Tools, and then click Terminal Services Configuration.
Terminal Services for InTouch Deployment Guide
Chapter 3
Double-click RDP-Tcp. The RDP-Tcp Properties dialog box appears.
Click the General tab to activate the General property sheet.
Select the appropriate Encryption level.
Application Security
Application Security addresses the security embedded in your InTouch
application, IndustrialSQL Server, and other sensitive information systems.
Use the $Operator tagname to provide security within the InTouch
application. By applying security to your application, you can control
specific functions that an operator is allowed to perform by linking those
functions to internal tagnames.
For more information on the $Operator tagname, see the "Using InTouch
Security" section in Chapter 2 of your online InTouch User's Guide.
Replace the GetNodeName() QuickScript with the new TseGetClientId()
QuickScript to identify the client computer. When using Terminal
Services, GetNodeName() returns the name of the terminal server, not
the name of the client computer.
Terminal Services for InTouch Deployment Guide
Add a password to the SQLServer system administrator (SA) account.
When you install IndustrialSQL Server, an all-powerful "sa" login ID is
created with an empty password. Do not use this account to access data.
Use the default login IDs (for example, wwUser), instead.
For more information on database security, refer to the "Managing Security"
chapter in the IndustrialSQLServer Administrator's Guide.
Security Auditing
Security Auditing addresses the ability for you to monitor intrusion attempts. If
you suspect that your system is under any sort of attack, then you can enable
logging for an array of auditable events. By default, security logging/auditing
is disabled because it usually requires excessive processing resources. We,
therefore, recommend that you initially select only a few events to monitor.
Caution! Security Auditing requires significant resources. Make sure to
enable auditing when you evaluate your pilot server, or you may undersize the
To configure auditing, refer to the Audit Policy, which is part of the Windows
2000 Local Security Policy.
Additional Information
For further exploration of these and related security considerations, please
refer to the following resources:
National Computer Security Center (NCSC) "Rainbow Books" –
Common Criteria (CC) for Information Technology Security Evaluation –
Microsoft Privacy & Security Fundamentals: Security –
Windows 2000 Security Technical Overview –
Default Access Control Settings in Windows 2000 –
Best Practices
You can maximize the operator's experience with Terminal Services for
InTouch by following these recommendations:
Always use Add/Remove Programs when installing software. Never
perform an auto-install from CD ROM.
Use the TSSHUTDN command before shutting down the server. This forces
a proper client log-off and shutdown.
Terminal Services for InTouch Deployment Guide
Chapter 3
Use an NTFS file system on all volumes. NTFS provides greater security
for users in a multi-session environment who access the same data
Use static IP addressing. WWLogger, SuiteLink and Network Load
Balancing all rely on permanently assigned IP addresses to identify
Run InTouch full screen and as the only program. See "Configuring Start
Run one InTouch session per client and use a unique user account for each
session. Multiple instances of WindowViewer on a client are possible, but
keep in mind that all the sessions will have the same IP address, and
therefore, you will not be able to poke values to a particular view session.
Back up your license server regularly. Include at least the System State,
plus the Lserver directory. By default, this is %windir%\system32\Lserver.
Run only InTouch on the terminal server. Other software products
running in sessions or on the console may cause performance degradation.
Place the terminal server in a secure place, protected from industrial
hazards and operator interaction.
Use standard InTouch graphics instead of bitmaps in designs. InTouch
standard graphic objects are vector-based, and are ideally suited for a
terminal session. Raster-based graphics (*.BMP), however, require much
more information to display. Bitmap objects should be smaller than 200 x
200 pixels.
Avoid animated graphics. Animated graphics can slow down the screen
refresh rate on the client, creating an impression of diminished
Always have something changing on the screen. This keeps a steady
communication between the server and client. If the connection breaks,
the server will detect the failure and mark the session as disconnected.
Consider showing the current time or some form of heartbeat.
Use NAD. See "Configuring NAD for Terminal Services."
Enable file sharing on client computers, sharing drives with easily
identifiable names like "driveC." Be aware of the security implications
Train users to use Terminal Services hot key sequences. There are a few
important differences in the hot key sequences used in a Terminal Services
client session than in a Windows 2000 session. These hot key sequences
only apply to desktop replacement clients. A comparison table is shown
If you provide access to the session desktop, disable Active Desktop and
smooth scrolling. Minimize the use of cascading menus, particularly the
Start menu. Place shortcuts on the desktop and keep the Programs
submenu as flat as possible. Avoid using bitmaps in wallpaper; in Display
Properties set Wallpaper to None on the Background tab, and select a
single color from the Appearance tab.
Terminal Services for InTouch Deployment Guide
Terminal Services Hot key Sequences
Terminal Services
Open application selector ALT + TAB
and move selection to the
Open application selector ALT + SHIFT + TAB
and move selection to the
Switch between running
Open Start menu
Right-click running
application's Task Bar
Open Windows NT
Security window
Toggle the client screen between full-screen mode
and windowed mode
Terminal Services for InTouch Deployment Guide
Chapter 3
Terminal Services for InTouch Deployment Guide
Access Name 40
ACP 51
ACP Enabled Thin Client 34
ACP Enabled Thin Clients 42
ACP ThinManager 20, 23, 42
Activate a License Server 51
Activating the license server 52
ActiveX 22
Administration tools 14, 94
Administrators group 56
Application server 14, 42
Architecture for a DDE I/O Server 40
Assessing Risk 31
Assessing the Pilot Deployment 80
Automatically starting WindowViewer upon
connection 76
Automation Control Products (ACP) 7
Benefits 15
Best Practices 103
BPR 32
Bugs and Issues database 48
Building the Master Project Plan 46
Business Process Redesign 32
CALs 50, 53
Centralized deployment of programs 12
Centralized Management 12
InTouch 19
Changing a Desktop into a RDP Client 59
Checklist: Setting up Terminal Services for
InTouch 8
Choosing a License Server 39
Choosing the Right Client 42
Citrix Devices 51
Citrix MetaFrame 20, 42
Citrix Systems 7
RDP hardware requirements 50
Terminal Services client access license 50
Client Connection Manager 75
Client Connection Properties 59
Client Installation Disks 59
Client Licensing 53
Common points of failure 45
Administration tools 14
Licensing service 14
Multi-user kernel 14
Remote Desktop Protocol 14
Terminal Services Client 14
Client connections 59
Connection security 55
NAD for Terminal Services 74
Start Program 75
Users to access a terminal server 58
Connection methods 51
Connection security 55
Connection Wizard 59
To the cluster 93
Console 8
Converting Color Palettes 70
Copying and pasting between a studio application and
local application 78
Creating client installation disks 59
Data access 12
Data flow and bandwidth requirements for TS
Clients 37
Data server 42
DDE 40
Dedicated IP address 89
Defining Vision and Scope 31
Deployment 47
Assessing the Pilot 80
Characteristics of a successful pilot deployment 80
Pilot Terminal Server 47
Planning Model 25
Terminal Server throughout your Environment 81
Test lab 48
Disconnection Timeouts 95
Disk speed 49
Distributed computing 12
Internet Information 33
LAN Information 32
Logical Design 34
The Operator Interface 33
WAN Information 33
Your Environment 32
Domain Setup 36
Embedded NT 15
Enable data compression 63
Enabling a timeout for a disconnected session 95
Enterprise-licensing configuration 39
Environment analysis 46
Examining Peripheral Devices that Affect
Performance 49
Expanding to the WAN 38
Fat clients 12, 17
Full Internet name 88
Functional specification 35, 46
Terminal Services for InTouch Deployment Guide
Hardware Costs 20
Hardware Requirements 48
HCL 49
Historical Trending 74
Home directories for Terminal Services Clients 74
Host Parameters page 89
ICA 8, 33, 84
Protocol 37, 42
Traffic 38
Identifying Key Team Members 29
Improving Reliability 45
Industrial Scenarios 18
IndustrialSQL Server 42
Initial cluster state 89
Licenses 52
Terminal Services 50
Internet Access 22
Internet Protocol 33
Internet work Packet Exchange 33
IPX 33
ISP 33
Messenger 82
MLP 52
Modes of Operation
Application server 13
Remote Administration 13
Modifying Applications 66
Modifying bitmaps within InTouch using Paint Shop
Pro 71
Monitoring Performance 81
MTI 20, 23
Multicast support 88
Multi-user kernel 14
Must Know Terminology 8
NAD 73, 74
NetBEUI 33
NetDDE 40
Network adapter 49
Network Load Balancing 23, 47, 85
Control Program 94
Installing 87
Network Segment % Network Utilization 83
Installing 86
Known Issues and Limitations 68
Override user settings 96
LAN 21, 38, 42
Information 32
Across a
LAN 38
LAN/WAN network 25
License server 39, 51
Activating 52
Client 52
Installing 52
Microsoft License Pak 52
Recovery 53
Server client access 50
Terminal Services client access 50
Licensing Service 14
Load balancing 45
Local Area Connection Properties 90
Local printer 38
Local Users and Groups 55
Performance Monitoring (MMC snap-in) 82
Peripheral devices 49
Permissions 56
Physical design 35, 46
Point-to-Point Tunneling Protocol 22
Port Rules 90
Primary IP address 88, 92
Printing 38
Across a
LAN 38
WAN 38
Privileges 57
Process counters 84
Process % Processor Time 83
Process Handle Count 83
Process Private Bytes 83
Processor % Processor Time 83
Processor Interrupts/sec 83
Providing Maintenance and Support 81
Manufacturing Information Portal 13
Memory Available MBytes 83
Memory Pages/sec 83
Rapid Application Development 77
RDP 8, 14, 33, 37, 42
RDP Client 59
Terminal Services for InTouch Deployment Guide
RDP client hardware requirements 50
RDP traffic 38
RDP/ICA protocol 21
RDP-Tcp Properties 56
Remote Access 21
Remote Administration 14
Remote Control 23, 84
Remote Desktop Protocol 14
Remote development 77
Remotely controlling an operator workstation 84
Retentive Tagnames 74
Risk assessment 46
Risks in deploying Terminal Services for InTouch 31
Running WindowMaker 77
Running WindowViewer 73
ThinManager 51
Timeouts 95
Total Cost of Ownership 11
Transmission Control Protocol/Internet Protocol
(TCP/IP) connection 21
TSAC 22, 33
VGA card 50
Viewing process counters 84
Viewing the process 20
SCADAlarm 13
Scalability 12, 15
Script Execution 69
Security 53
Session 54
Selecting an Application 74
Server Client Access license 50
Server fail-over 23
Server Hardware Requirements 48
Server-centric environment 16
Server-centric mode 20
Session 8
Session Security 54
Shadowing 84
Simple Terminal Services for InTouch
Deployment 16
Software Testing and Validation 66
Stand-by Server Option 85
Starting Local I/O 69
Subnet mask 88, 89, 91
SuiteLink 40
SuiteVoyager 13
System tagnames 42
System Processor Queue Length 83
User Account Management 57
Users group 56
Using network adapters 88
WAN 38
Information 33
Wide area bandwidth 38
Windows 2000
Hardware compatibility List (HCL) 49
Server CAL 14
Terminal Services 13
Terminal Services client access licenses 50
WindowsCE 15
Wireless networks 21
Task Manager 82
TCO 11
TCP/IP 21, 33
Technical Support 10
Terminal server local groups 54
Terminal Services 8
Advanced Client 33
Client 14
Client Access license 50
Creating client installation disks 59
Hot key Sequences 105
Session Private Bytes 83
Test lab 81
Testing Process 66
Thin client 8, 12
Thin-Computing and Process Visualization 11
Terminal Services for InTouch Deployment Guide
Terminal Services for InTouch Deployment Guide
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF