
Remote Desktop Services With Vijeo Citect 2015

This document provides instructions for setting up Remote Desktop Services (RDS) to host Vijeo Citect SCADA clients. Key steps include: 1. Installing RDS on Windows Server 2012 R2 or 2008 R2 and configuring it to publish the SCADA client as a RemoteApp. 2. Installing the Vijeo Citect SCADA 'Runtime Only Client' on the RDS host. 3. Restoring the SCADA project backup, configuring the computer setup, and testing the client connection. The document also discusses RDS licensing requirements and supported architectures for hosting SCADA, including having the server and clients on the same or different machines.

Uploaded by

LUCIA LOPEZ

Remote Desktop Services with Vijeo Citect 2015

August 2015 – Rev1 - Whitepaper

Jacky Lang
Martin Lalanne
Warwick Black
Summary
1. Remote Desktop Services (RDS)
1.1. Benefits at a glance
1.2. Supported Operating Systems
1.3. SCADA Licensing
1.4. Windows Remote Desktop Client License
1.5. Architectures

2. SCADA Installation
2.1. Project Setup – Computer Setup Editor

3. RDSH Installation (Windows Server 2012 R2)
3.1. Deploy RDS
3.2. Add an RDS License Server
3.3. Configure RDS Session Timeouts
3.4. Publish RemoteApp

4. RDSH Installation (Windows Server 2008 R2)
4.1. Setup Remote Desktop Licenses
4.2. Publish RemoteApp

5. Run the RemoteApp

6. Appendix A – Installer Known Issue
7. Appendix B – License Server Known Issue

1. Remote Desktop Services (RDS)
For the purpose of this document, Microsoft’s Remote Desktop Services (RDS) (formerly Terminal Services)
allow Remote Desktop Clients (RD Clients) to connect to RemoteApps hosted on a Remote Desktop
Session Host (RDSH) via the Remote Desktop Protocol (RDP).

In a Vijeo Citect 2015 system, the RDSH is configured to host SCADA Clients, by publishing a RemoteApp.
When an RD Client runs the RemoteApp, they view and interact with the program as if it were locally installed,
whilst leveraging the processing power and connectivity of the RDSH. In addition, RDP uses 128 bit encryption,
and RD Clients are not limited to Windows-based devices.

These attributes make it a good candidate to allow Remote Access to a SCADA System, and can be used with
other standard security products, such as two-factor authentication and VPNs.

For more detailed information regarding RDS, refer here:


https://technet.microsoft.com/en-us/video/remote-desktop-services-rds-explained.aspx

1.1. Benefits at a glance


RDS provides the following benefits:
• No SCADA installation on Clients
• Project files centrally managed
• Secure Remote Access
• No need to directly expose SCADA Servers
• Remote Desktop Protocol (RDP) traffic is 128 bit encrypted (RC4)
• FIPS compliant (regulatory compliance)
• SSL can be added for additional Security
• VPN access can be added for additional Security
• Integrate with enterprise two-factor authentication
• Cross-Platform Clients

1.2. Supported Operating Systems


The Remote Desktop Server must be running one of the following Operating Systems:
• Windows Server 2008 R2
• Windows Server 2012 R2

1.3. SCADA Licensing


The Citect client process on the server machine acts as a local license manager. The Citect server components
act as a provider to distribute “Floating License” to remote clients that make a connection and request a license.
The client process along with other server components are managed by the Citect Runtime Manager. In an RDS
environment, several SCADA client sessions cannot be launched by Citect Runtime Manager because multiple
instances are not supported. Therefore, the RDS Clients must use the switch /x to run without Citect Runtime
Manager. SCADA clients launched with switch /x are basically “remote” clients and they thus obtain their license
from a connected server component through the ‘Floating License’ mechanism. In the scenario where the
SCADA Server and RDS Clients are all running on the same machine, softkey licenses are not supported. This is
because the first RDS Client to startup will acquire all softkey licenses available on the machine and not have a
mechanism to share them with other clients. This is a known issue and will be addressed in a future release.
The hardware dongle license is the only option supported in this architecture, as the RDS Clients will not touch
any licences on the dongle and always acquire a licence through the “Floating License” mechanism.

The client licence entitlement can also be specified with switch /l (l for licence): /l:1 for a view-only client
and /l:2 for a control client. This assumes that the default Citect.ini file will be used; switch /l simply
overrides the [Client]ComputerRole setting. In this case, there is no need to create a separate Citect.ini for each
type of client. Note that switch /l can only be used with switch /x.
1.4. Windows Remote Desktop Client License
Remote Connection Sessions using Remote Desktop Services require a standard Microsoft Client Access
License (CAL) for each connection to the server.

1.5. Architectures
1.5.1. SCADA and RDS on the same Server
It is possible to host the SCADA Servers on the same PC as the hosted Client Sessions.
This requires the smallest infrastructure, however, as all Servers and Clients now rely on the same hardware, this
becomes a single point of failure for the entire system.

Note: Softkey licensing is not supported in this architecture. Only hardware licenses (USB keys) are supported
through the floating license mechanism to connected server components. For more details see section 1.3.

In this architecture, you may consider installing the SCADA Server as a Windows Service.
This allows the SCADA Server to run on the RDS Server without the need for a logged in interactive user. Other
benefits and instructions can be found in the ‘Vijeo Citect 2015 Run as a Windows Service’ whitepaper.
[Figure: Client PC connected via RDP to a single machine acting as RDS Server (RemoteApp Client) and SCADA Server]

1.5.2. SCADA and RDS on different Servers


A more likely scenario is that the RDS Server only hosts SCADA Clients, and serves them as RemoteApps.
These Client Sessions then connect to the required independent SCADA Servers for their IO, Alarm, Report and
Trend data. This allows the usage of RDS for the Clients, and retains Citect’s redundancy capabilities for the
SCADA Servers, removing the single-point of failure.
[Figure: Client PC connected via RDP to an RDS Server (RemoteApp Client), with a separate SCADA Server]
1.5.3. RDS for Secure Remote Access
Using RDS enables advanced architectures that provide Secure Remote Access.
Following the principles of the IEC 62443 (ISA 99) standard, functional ‘Zones’ can be created and the
interactions (‘Conduits’) between these zones controlled via heavily restricted firewall rules.

In the configuration below, all the traffic leaving the premises is encrypted via the Remote Desktop Protocol.
Additional VPN technology could be used to further protect the data on the wire.

Since RDS is a standard Windows technology, additional authentication methods such as Two-Factor
Authentication could easily be applied.

[Figure: zones labelled Control Zone, Supervision Zone and DMZ; links labelled Industrial Protocols, SCADA Comms and Encrypted RDP; nodes labelled SCADA Server, RDS Server (Client, WebApp) and Client PC]
2. SCADA Installation
At a minimum, the Vijeo Citect SCADA ‘Runtime Only Client’ installation is required on the RDSH (Remote
Desktop Session Host):

This can be installed following the ‘Installation Guide’ provided on the installation Media.

Note: If you install Vijeo Citect SCADA after installing Remote Desktop Services, the installer may not complete.
This is a known issue and Appendix A outlines a workaround.

2.1. Project Setup – Computer Setup Editor


Restore your project backup from your development machine:
• Ensure the ‘Save Compiled’ option was selected, since you will not be able to compile on a machine with a ‘Runtime Only Client’ installation

• Run ‘Computer Setup Wizard’, and add any required Citect.INI customizations

• Start the Client to test configuration and connectivity

• Shutdown the Client instance

Note: Other methods of distributing project files are documented in the product help, under:
‘Distributing the Project’
3. RDSH Installation (Windows Server 2012 R2)
Note: You must be logged in as a Domain user
The following steps must be followed to install Remote Desktop Services on Windows 2012 R2:

• Open Server Manager >> Click Manage and ‘Add Roles and Features’:

• Select ‘Next’ and use the ‘Role-based’ option

• Select your server:

• Add the Remote Desktop Services feature in the list:

• Select the following Remote Desktop Services (RDS) options:

• Proceed through the wizard, confirming your selection, then click ‘Install’
3.1. Deploy RDS
Note: You must be logged in as a Domain user

The next step is to deploy the RDS Service on the Host machine:

• Open Server Manager >> Click Manage and Add Roles and Features

• Select Remote Desktop Services installation

• Select Quick Start in the Deployment Type

• Select ‘Session-Based Desktop Deployment’:

• Select Deployment Machine

• Confirm the selection and ‘Install’


3.2. Add an RDS License Server
In order to license the RDS Sessions, we need to add a Licensing Server, which will provide the required CALs
(Client Access Licenses). To configure the license server follow these steps:

• Open Server Manager >> Remote Desktop Services >> Overview:

• Click on the RD Licensing icon

• Select the server used for RDS, confirm the selection and install
• The RD Licensing is ready and is displayed in the Overview view:
3.2.1. Add CALs to License Server
RDS Sessions require a standard Microsoft Client Access License (CAL) for each connection to the server. These
need to be added into the RD Licensing Manager. You may need to purchase additional licenses from Microsoft.

To add CALs on the RDS Host machine follow these steps:

• Open RD Licensing Manager on Start >> All Programs >> Administrative Tools >> Remote Desktop Services >> Remote Desktop Licensing Manager

• Select ‘Activate Server’ and follow the Wizard’s prompts

• The Wizard will connect you to the ‘Microsoft Clearinghouse’ where you can activate your previously purchased CAL licenses

• If you need to purchase additional CALs, you will need to do that via:
http://go.microsoft.com/fwlink/?LinkId=81077

• After completing the Wizard, the CAL Licenses will be displayed on the RD Licensing Manager:
3.2.2. ‘No License Server’ – Known Issue
If the RDSH server complains about no licensing server being set, please follow the instructions in Appendix B.

3.2.3. Configure the RD Licensing Mode


Configure the RD Licensing Mode:

• Server Manager >> Remote Desktop Services >> Overview >> Deployment Overview >> Tasks >> Edit Deployment Properties:

• Configure ‘Per User’ mode in the RD Licensing section:

• Click OK to finish the license configuration


3.2.4. License Diagnostics
You can see relevant information about licensing in the RD Licensing Diagnoser:

• Open RD Licensing Diagnoser: Start >> Programs >> Administrative Tools >> RD Licensing Diagnoser
3.3. Configure RDS Session Timeouts
Once the RD Client session starts and runs the Citect application, the license it obtains from the SCADA system
will not be released until the session is closed.

By default, the RDS session will not terminate just because the RDS Client closes its window to the server. The
server will continue to process this session indefinitely.

To keep operators from leaving unused sessions behind, the Remote Desktop Session Host can be set up to
automatically end sessions that have been disconnected. In this way the Citect licenses are released properly
back to the Citect Server components, where they will be available for future sessions.

Below are the required steps to configure an automatic expiry of any disconnected session. This means that a
Citect license will not be tied up in a disconnected session for more than 1 minute:

• Open Server Manager >> Remote Desktop Services >> QuickSessionCollection >> Properties >> Tasks >> Edit Properties
• In the Session section, set ‘End a disconnected session’ to the desired level, i.e. 1 minute

• Click OK to validate and finish


3.4. Publish RemoteApp
The following steps show how to publish a RemoteApp in Windows Server 2012 R2:

• Open: Server Manager >> Remote Desktop Services >> QuickSessionCollection >> RemoteApp Programs >> Tasks >> Publish RemoteApp Programs
o By default, Calculator, Paint and WordPad are already published; these can be removed

• Select ‘Vijeo Citect Runtime’

• Confirm the selection and publish the RemoteApp

• Highlight the new ‘Vijeo Citect Runtime’ entry, right click and select ‘Edit Properties’
• Under ‘Parameters’

o Set the ‘/x’ flag so that Clients do not load ‘Runtime Manager’

• Under ‘User Assignment’, select ‘Only Specified Users and Groups’, then click ‘Add’ to add the Windows Users / Groups that should have access to the RemoteApp
3.4.1. Custom INI Paths
Custom INI paths can be set for the RemoteApp. This is especially important if you are also running your SCADA
Servers on the same machine, or if you have a mix of ‘View-Only’ and ‘Control’ Clients. It is also possible to
specify the license type and override the default citect.ini settings using the switch /l (l for license). For more
details see section 1.3.

Ensure any custom INI files are accessible by the intended users.

3.4.1.1 INI Parameters


The INI Parameters that govern which type of license the Client will take are:
[Client] ComputerRole
0 = Server and Control Client
1 = Control Client (enables [Client]FullLicense)
2 = View-Only Client
[Client] FullLicense
0 = Do not use a full license
1 = Use a Full license

3.4.1.2 View-Only Client


• Copy, rename and edit the INI file to contain:
[Client] ComputerRole = 2
• Under ‘General’, rename your RemoteApp to indicate it is ‘View Only’
• Modify the ‘Parameters’ to point to this new INI file:
o ‘/x’ to prevent Runtime Manager from loading
o ‘/i’ followed by a custom INI path (encased in double quotes)

• Alternatively, if you don’t want to specify a custom citect.ini file, you can override the local citect.ini role setting to force a view-only client, by using the /l switch in conjunction with /x:
/x /l:1
3.4.1.3 Control Client
• Copy, rename and edit the INI file to contain:
[Client] ComputerRole = 1
[Client] FullLicense = 0
• Publish a second instance of the RemoteApp
• Under ‘General’, rename it to indicate it is a ‘Control’ Client
• Modify the ‘Parameters’ to point to this new INI file:
o ‘/x’ to prevent Runtime Manager from loading
o ‘/i’ followed by a custom INI path (encased in double quotes)

• Alternatively, if you don’t want to specify a custom citect.ini file, you can override the local citect.ini role setting to force a control client, by using the /l switch in conjunction with /x:
/x /l:2
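
The session timeout from section 3.3 and the publishing steps in section 3.4 can also be scripted with the RemoteDesktop PowerShell module on Windows Server 2012 R2. The script below is an added example, not part of the original whitepaper; the executable path, INI folder, INI file names, aliases and group names are placeholders (assumptions).

```powershell
# Added example. Every value marked ASSUMPTION is a placeholder, not taken from the whitepaper.
Import-Module RemoteDesktop

$collection = 'QuickSessionCollection'       # collection name used in this document
$citectExe  = 'C:\Path\To\Citect32.exe'      # ASSUMPTION: placeholder install path
$iniDir     = 'C:\Path\To\CitectIni'         # ASSUMPTION: folder holding the custom INI files

# Section 3.3: end disconnected sessions after 1 minute so the floating
# Citect license held by the session is released.
Set-RDSessionCollectionConfiguration -CollectionName $collection -DisconnectedSessionLimitMin 1

# One RemoteApp per client role, each limited to its own group.
$apps = @(
    @{ Alias = 'CitectViewOnly'; DisplayName = 'Vijeo Citect Runtime (View Only)'
       Ini   = 'ViewOnly.ini';   Group       = 'EXAMPLE\SCADA-Viewers' },     # ASSUMPTION
    @{ Alias = 'CitectControl';  DisplayName = 'Vijeo Citect Runtime (Control)'
       Ini   = 'Control.ini';    Group       = 'EXAMPLE\SCADA-Operators' }    # ASSUMPTION
)

foreach ($app in $apps) {
    $iniPath = Join-Path $iniDir $app.Ini
    if (-not (Test-Path -LiteralPath $iniPath)) {
        throw "Custom INI not found: $iniPath"
    }

    # CommandLineSetting 'Require' always applies the published arguments, so
    # /x and the role-specific INI cannot be replaced by the connecting client.
    New-RDRemoteApp -CollectionName $collection `
        -Alias $app.Alias `
        -DisplayName $app.DisplayName `
        -FilePath $citectExe `
        -CommandLineSetting Require `
        -RequiredCommandLine ('/x /i "{0}"' -f $iniPath) `
        -UserGroups $app.Group
}

# Review the result: arguments and group assignment of each published app.
Get-RDRemoteApp -CollectionName $collection |
    Select-Object DisplayName, Alias, CommandLineSetting, RequiredCommandLine, UserGroups
```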
4. RDSH Installation (Windows Server 2008 R2)
To install RDS service on your host machine:

• Open Server Manager >> Click Roles and Add Roles

• Under ‘Server Roles’, select ‘Remote Desktop Services’ then click ‘Next’
• Select the following ‘Role Services’:
o Remote Desktop Connection Broker
o Remote Desktop Licensing
o Remote Desktop Session Host
o Remote Desktop Web Access

• Take note of the ‘Uninstall and Reinstall Applications for Compatibility’ warning, then click ‘Next’ if you wish to proceed

• Depending on your needs, choose whether ‘Network Level Authentication’ is required

• Choose the correct licensing model for your Client Access Licenses (CALs)
• Add the Users or Domain Groups that require RDS Access

• On ‘Configure Client Experience’, you could leave everything as default and then click on Next
• Check ‘Configure a discovery scope for RD licensing’, select ‘This Domain’, then click ‘Next’

• Confirm selection and click ‘Install’


4.1. Setup Remote Desktop Licenses
Installing and configuring a RDS CAL license in Windows Server 2012 R2 has been discussed in the previous
chapter. Here it is demonstrated how to use the RDS licensing server available on the local network (domain).

• Launch ‘Server Manager’

• In the Left Pane - Select ‘RD Session Host Configuration’

• In the Right Pane - Right click ‘Remote Desktop license servers’ and select ‘Properties’

• Fill in the details of your specified License Server


4.1.1. License Diagnostics
The Licensing Diagnosis tool is available to assist troubleshooting any Remote Desktop CAL licensing issues:
• Launch ‘TSconfig.msc’ from the Windows ‘Run’ dialog
4.2. Publish RemoteApp
To publish a RemoteApp in Windows Server 2008 R2 follow these steps:

• Start > Administrative Tools > Remote Desktop Services, then click ‘RemoteApp Manager’.

• Click ‘Add RemoteApp Programs’

• Progress through the Wizard:

• Select ‘Vijeo Citect Runtime’ and click ‘Properties’

IMPORTANT: Specify “/x” as a command-line argument. This ensures that only a Client process is run,
without the Runtime Manager, which is necessary so that the multiple Client instances do not interfere
with each other.
• Select the ‘User Assignment’ Tab.

• Set your desired security

o We recommend restricting to only the required users or limited domain groups

• In addition you will need to add the user/group to the list of allowed ‘Remote Desktop Users’, otherwise you will get the error below when trying to launch the RemoteApp
• Open ‘System Properties’ - from the ‘Run’ dialog, type ‘SystemPropertiesRemote’

• Click ‘Select Users’

• Add the required Users / Groups.


4.2.1. Custom INI Paths - View-Only & Control Clients
Custom INI paths can be set for the RemoteApp. This is especially important if you are also running your SCADA
Servers on the same machine, or if you have a mix of ‘View-Only’ and ‘Control’ Clients. It is also possible to
specify the license type and override the default citect.ini settings using the switch /l (l for license). For more
details see section 1.3.

Ensure any custom INI files are accessible by the intended users.

4.2.1.1 INI Parameters


The INI Parameters that govern which type of license the Client will take are:

[Client] ComputerRole
0 = Server and Control Client
1 = Control Client (enables [Client]FullLicense)
2 = View-Only Client
[Client] FullLicense
0 = Do not use a full license
1 = Use a Full license

4.2.1.2 View-Only Client


• Copy, rename and edit the INI file to contain:
[Client] ComputerRole = 2
• Rename your RemoteApp to indicate it is ‘View Only’
• Modify the ‘command-line arguments’ to point to this new INI file:
o ‘/x’ to prevent Runtime Manager from loading
o ‘/i’ followed by a custom INI path (encased in double quotes)

• Alternatively, if you don’t want to specify a custom citect.ini file, you can override the local citect.ini role setting to force a view-only client, by using the /l switch in conjunction with /x:
/x /l:1
4.2.1.3 Control Client
• Copy, rename and edit the INI file to contain:
[Client] ComputerRole = 1
[Client] FullLicense = 0
• Publish a second instance of the RemoteApp
• Under ‘General’, rename it to indicate it is a ‘Control’ Client
• Modify the ‘Parameters’ to point to this new INI file:
o ‘/x’ to prevent Runtime Manager from loading
o ‘/i’ followed by a custom INI path (encased in double quotes)

• Alternatively, if you don’t want to specify a custom citect.ini file, you can override the local citect.ini role setting to force a control client, by using the /l switch in conjunction with /x:
/x /l:2

• The two newly created instances can now be seen on the http://your_server/rdweb page.
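
The INI [Client]ComputerRole values and the /l switch values number the roles differently, so a published entry can end up with a different role than its name suggests. The check below is an added example, not part of the original whitepaper; the function names, app names, INI path and INI layout (section header on its own line) are assumptions, and the sample data is constructed.

```powershell
# Added example. Role numbering as given in this document:
#   INI [Client]ComputerRole : 0 = Server and Control, 1 = Control, 2 = View-Only
#   /l switch                : 1 = View-Only, 2 = Control (overrides ComputerRole)

function Get-IniValue {
    param([string]$Text, [string]$Section, [string]$Key)
    $current = ''
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $current = $Matches[1].Trim(); continue }
        if ($current -ieq $Section -and $line -match '^([^=;]+)=(.*)$') {
            if ($Matches[1].Trim() -ieq $Key) { return $Matches[2].Trim() }
        }
    }
    return $null
}

function Test-CitectRemoteApp {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string]$CommandLine = '',
        [Parameter(Mandatory)][ValidateSet('ViewOnly', 'Control')][string]$ExpectedRole,
        [hashtable]$IniText = @{}      # INI path -> file content
    )
    $issues = @()
    $role   = 'Unknown'
    $hasX   = $CommandLine -match '(?:^|\s)/x(?:\s|$)'
    if (-not $hasX) { $issues += '/x missing: client would load Runtime Manager' }

    if ($CommandLine -match '(?:^|\s)/l:(\d+)') {
        # /l overrides whatever ComputerRole the INI file contains
        $role = switch ($Matches[1]) { '1' { 'ViewOnly' } '2' { 'Control' } default { 'Unknown' } }
        if (-not $hasX) { $issues += '/l can only be used with /x' }
    }
    elseif ($CommandLine -match '(?:^|\s)/i\s*"([^"]+)"') {
        $path = $Matches[1]
        if ($IniText.ContainsKey($path)) {
            $value = Get-IniValue -Text $IniText[$path] -Section 'Client' -Key 'ComputerRole'
            $role  = switch ("$value") {
                '0' { 'ServerAndControl' } '1' { 'Control' } '2' { 'ViewOnly' } default { 'Unknown' }
            }
        }
        else { $issues += "INI content not supplied for $path" }
    }
    else { $issues += 'No /l or /i: role comes from the default Citect.ini' }

    if ($role -ne $ExpectedRole) { $issues += "Effective role is $role, expected $ExpectedRole" }
    [pscustomobject]@{ DisplayName = $DisplayName; Role = $role; Issues = $issues -join '; ' }
}

# Constructed sample data (names and paths are placeholders)
$ini = @{ 'C:\Path\To\ViewOnly.ini' = "[Client]`r`nComputerRole=2" }
$published = @(
    @{ DisplayName = 'Citect (View Only)';   ExpectedRole = 'ViewOnly'
       CommandLine = '/x /i "C:\Path\To\ViewOnly.ini"' },
    @{ DisplayName = 'Citect (View Only) B'; ExpectedRole = 'ViewOnly'
       CommandLine = '/x /l:2' },            # /l:2 is Control, not View-Only
    @{ DisplayName = 'Citect (Control)';     ExpectedRole = 'Control'
       CommandLine = '/l:2' }                # /x missing
)
foreach ($app in $published) { Test-CitectRemoteApp @app -IniText $ini }
```

On Windows Server 2012 R2 the DisplayName and RequiredCommandLine values returned by Get-RDRemoteApp can be fed to the same function, with the INI content read from disk.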
4.2.2. Alternative Distribution Method
Instead of navigating via the RDWeb webpage, you could also create an .rdp file, or even an installation
package, which can be distributed to the Client machines, and run directly.
5. Run the RemoteApp
• From another PC, navigate Internet Explorer to: http://your_server/rdweb

• Login as a privileged user

• We can see our RemoteApp is available

• Launch the App, you may be prompted to enter your credentials again:

• You may be prompted with a dialog asking which local resources you wish to share
o Typically none are required, but this may be project-dependent

• The Client will launch much the same as a local client

• The modified logo and the System Tray messages show that it is running as a RemoteApp

• Unlike a WebClient, the Kernel is still accessible

• On the RDSH machine, Task Manager will reveal the RemoteApp connections, showing additional Citect32.exe instances being spawned under different accounts:
6. Appendix A – Installer Known Issue
Note: Group Policies only apply to Domain Accounts.
You must use a Domain Account for this workaround.

If the RDS service is already installed when you try to install VJC, the ‘Windows Installer Coordinator’ will
appear to ‘hang’ and the installer will never complete.

This problem is caused by an incompatibility between the Embedded MSI technology and the Windows Installer
Coordinator. The Coordinator is responsible for keeping multiple MSI installations from running concurrently.

The workaround for this issue is to disable the ‘Remote Desktop Session Host Windows Installer’ for the
duration of the installation:

• Run ‘Gpedit.msc’ to launch ‘Local Group Policy Editor’

• Go to:
Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Application Compatibility
• Set “Turn off Windows Installer RDS Compatibility” to ENABLED
• Once this policy is enabled, Windows Installer Coordinator should immediately continue to the next task; however, you may need to restart the installation
• This setting can be reverted once the installer has completed

More information is available in the following KB article from Windows Support: http://support.microsoft.com/kb/2655192


7. Appendix B – License Server Known Issue
If the RDSH server returns an error about no licensing server being set, please follow the instructions below.

Use the following query to see what is currently set on the server (use Windows PowerShell running as
Administrator):
$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.GetSpecifiedLicenseServerList()

If there is no licensing server specified in the SpecifiedLSList, we can set this manually using the following
command lines:
$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.SetSpecifiedLicenseServerList("LicenseServerName.DomainName.com")

Run the following query again to show the value that was set:


$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.GetSpecifiedLicenseServerList()
