Hi
I have a Remote Client Server (RCS) that is used for connections into DeltaV from an external Business Domain.
I cannot currently "hop" from the RCS to any other DeltaV application station. The application stations appear to be enabled for remote connections and there is no policy denying connections.
Appreciate any thoughts. Is this discouraged for any reason?
Thanks!
In reply to Alexandre Peixoto:
In reply to Lun.Raznik:
In reply to LaurentB:
It appears that Colin is looking to have administrative access to the servers, and not to run any DeltaV client applications. All such applications are available to him on his Remote Client session on the RD Server. KBA NK-1200-0138 documents the use of the RealVNC product to allow remote administration functions for Application stations. It explains that the change in Microsoft Server 2008 and beyond altered the mstsc /console command to access Session 0 of a server. The KBA goes on to state that remotely administering Application stations is not addressed with DeltaV Remote Client. The KBA states RealVNC can be used to remotely administer Batch Application Manager, Continuous Historian Administration tool, Event Chronicle Administration Tool and OPC Mirror. The problem is that this solution assumes you are connecting to RealVNC from a Thick Client, that is a PC or workstation. There is a client-side component that is installed on the Client computer. There is no discussion that this can be installed on the DeltaV Remote Client server for use by a client session. This would require the Firewall to allow the VNC connection to the Application station. Although VNC provides encryption, it is not supported for the Professional Plus. In a separate KBA, it is pointed out that DeltaV Remote Desktop Connection (DRDC) can be used to connect to the RDP session of a server without the RDS Role; this connection requires the login user to have administrative and remote management privileges, and it cautions that if this is not acceptable in terms of cyber security, to use Real VNC. This is offered when the computers are virtualized. As Alexandre points out, physical server installations do not have the RDP services enabled as part of the workstation hardening. In my opinion, the topology suggested by Colin limits access to the DeltaV system via the single remote session connection through the firewall.
Enabling RDP on these additional servers but also blocking connection to them via the firewall mitigates the risk. In addition, only the Remote Client server session is expected to make an RDP connection to these machines, so each server can be further restricted as to which users will be allowed to connect. The connection could be made through the DeltaV Secondary network via IP address to further limit the visibility of the RDP session. But Alexandre pointed out a specific issue. During a software update of the Application station, where DeltaV Workstation configuration is run, the settings on Remote Desktop services may be altered and if these are set to disabled, the remote connection will be disabled. And if you were using the remote connection to install the software, well, that would put an end to the remote installation. This would likely be during a software upgrade. For day to day administration, and even applying hotfixes from time to time, the remote connection would not be disabled.

The choices seem to be:

- RealVNC - supports direct encrypted connection from a thick client. Not sure if it can be used via the RDP connection to the remote client session or will require a PC to run the client. Software must be purchased, and it is not supported on the Professional Plus. This does not mean it cannot be installed, but it has not been tested. If installing the RealVNC client is possible on the RDS server and works within the remote client session, this could deploy locally in the DeltaV system without passing through the Firewall.

- Enable RDP services on the servers, without enabling the RDS Role - this is not supported on physical servers but is known to work. Software installation may disable services as part of hardening of workstations. Does not require any software purchase or installation of 3rd party software. User requires admin and remote management privileges to connect. Not recommended from L3 to L2 directly, but between the L2 RDS server and an L2 Application station, the security risk is limited. The user should have no DeltaV access for Windows Admin reasons. A separate DeltaV user would be used at DeltaV logon if needed.
Cybersecurity and system access are diametrically opposed to each other. One has to strike a balance. Out of the Box, DeltaV provides a system with a high level of cyber security. Changing RDP settings on servers needs to be carefully considered and appropriately safeguarded. If RDP security risks are not acceptable, then Real VNC is an alternative.
There does not appear to be any supported solution that works for all these servers, other than in a Virtual Environment where the Hyper-V connection to session 0 of any VM is provided.
Andre Dicaire
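As an added example (not part of Andre's post, nor an Emerson procedure), the following PowerShell audit checks an Application station against the restrictions described for the second option: RDP enabled with NLA, no RDS role, only the intended admin account in Remote Desktop Users, and inbound RDP scoped to the Remote Client server's address on the secondary network. The address and account name are constructed placeholders.

```powershell
# Added example: audit the RDP posture of a DeltaV Application station that has
# RDP enabled without the RDS role. Run as administrator on the station itself.
# $RdsServerAddr and $AllowedRdpUsers are constructed placeholders; replace them
# with the Remote Client server's secondary-network address and the real admin account.
param(
    [string]$RdsServerAddr = '10.9.0.10',
    [string[]]$AllowedRdpUsers = @('DELTAV-DOMAIN\rdp-admin')
)
$findings = @()

# 1. RDP listener enabled? fDenyTSConnections = 0 means connections are allowed.
#    A workstation-configuration run during an upgrade may set this back to 1.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -ne 0) {
    $findings += 'RDP connections are disabled (fDenyTSConnections=1); hardening may have reset it.'
}

# 2. Network Level Authentication required on the RDP-Tcp listener (1 = required).
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if ($rdpTcp.UserAuthentication -ne 1) { $findings += 'NLA is not enforced on RDP-Tcp.' }

# 3. The RDS Session Host role must not be installed (plain admin RDP only).
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    if ((Get-WindowsFeature -Name RDS-RD-Server).Installed) {
        $findings += 'RDS Session Host role is installed on this Application station.'
    }
}

# 4. Only the expected admin account(s) may be in Remote Desktop Users.
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name
$unexpected = @($members | Where-Object { $AllowedRdpUsers -notcontains $_ })
if ($unexpected.Count -gt 0) {
    $findings += "Unexpected Remote Desktop Users members: $($unexpected -join ', ')"
}

# 5. Every enabled inbound Remote Desktop firewall rule must be scoped to the RDS server only.
#    Remediation, if not: Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $RdsServerAddr
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound
foreach ($r in $rules) {
    $scope = @(($r | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($scope.Count -ne 1 -or $scope[0] -ne $RdsServerAddr) {
        $findings += "Rule '$($r.DisplayName)' accepts RDP from '$($scope -join ', ')', expected only $RdsServerAddr."
    }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'RDP posture matches the intended restrictions.' }
```

Running this after each DeltaV software update on the Application station will show whether the hardening step reset the RDP settings before the next remote session is attempted.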