TERMINAL SERVICES WHITEPAPER Abstract: The benefits of Terminal Services with CitectSCADA and how to configure. TS Whitepaper.doc 1
About the Authors

Daniel Strand, former Business Development Manager at Citect Pty Ltd, and Paul Burns, Director of Education for Automation Control Products, wrote this document. Daniel Strand has 8+ years of experience in the automation industry and started off in software development. At Citect, he was the product manager for their vertical initiatives. Paul Burns is the Director of Education for ACP. A former college instructor and system integrator, Paul is responsible for technical training and product support for ACP. This document was updated in October 2004 by Tony Podsiadly, Senior Global Support Engineer.

About Citect

Citect is a worldwide leader in industrial automation and information management. Its CitectSCADA and Plant2Business software and industrial information management (IIM) analysis modules are complemented by professional services, customer support and training. These solutions are enhanced by strong partner programs and are sold in numerous industries, including mining, metals and minerals, food & beverage, manufacturing, pharmaceuticals, water, facilities, gas pipelines and power distribution. Citect is headquartered in Sydney, Australia, has 17 offices in Australia, USA, Europe, China and Africa, and its products are distributed in more than 50 countries worldwide. For further information, visit http://www.citect.com/

© 2004 Citect Pty Ltd. All rights reserved.

The information contained in this document represents the current view of Citect on the issues discussed as of the date of publication. Because Citect must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Citect, and Citect cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. CITECT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) or for any purpose, without the express written permission of Citect Pty Ltd. Citect may have patents, patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Citect, the furnishing of this document does not give you any license to these patents, trademarks, copyrights or other intellectual property.

Citect, CitectSCADA, CitectHMI, Plant2Business and Plant2Net are either registered trademarks or trademarks of Citect Group Corporation in Australia and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents

About the Authors
About Citect
Contents
1. Introduction
2. The benefits of Terminal Services
3. How Terminal Services Works
4. Terminal Server Client Hardware Requirements
5. Installing Terminal Services
6. Terminal Server Settings Related to Citect
   6.1. Terminal Server Client Environment
   6.2. Password Management
   6.3. Citect License Management
   6.4. Terminal Server Encryption
7. ACP Thin Client
8. Licensing
   8.1. Citect Licensing
   8.2. Microsoft Licensing
      8.2.1. Microsoft CALs and TS CALs
      8.2.2. Microsoft Terminal Server Licensing Server
1. Introduction

Terminal Services (TS) is popular in office applications because it lowers IT administration costs for software applications that are accessed by a large number of users. Even though Terminal Services has been available since before 1997, this architecture has not been adopted as rapidly in the industrial automation environment because the savings don't exceed the extra setup cost until at least 4 clients are deployed. With traditional automation architecture the clients have been islands of automation, all running their independent databases and applications, and not easily adaptable to a centralized architecture. However, once TS is adopted, it can provide great savings in a plant.

CitectSCADA supports Terminal Services and has been used in a number of large applications around the world since 1999. We recommend considering Terminal Services for applications larger than six clients. This will not only save cost, but also save resources and lost time.

2. The Benefits of Terminal Services

The use of thin clients lowers the Total Cost of Ownership (purchase plus maintenance) and provides an alternative system architecture for suitable types of applications. Below is a table comparing the resources spent on a Terminal Services setup as compared to a traditional client/server configuration.

                          Terminal Services    Traditional Client/Server
  S/W Upgrade time        8hrs per annum       2hrs per annum
  General Administration  8hrs per annum       2hrs per annum
  H/W upgrade             8hrs per annum       2hrs per annum
  Total                   24hrs per annum      6hrs/machine

We can see that breakeven occurs at 4 clients on a capital basis, and our recommendation is to consider the Terminal Services architecture on all applications larger than 6 clients.

At a hardware level, thin clients are devices that rely on a server for applications and data, and perform little application processing. The clients used are low cost and have a long life span due to Terminal Services.
This cost saving is partly offset by larger server requirements.

Other benefits in addition to lower Total Cost of Ownership are:

- Centralized deployment and management of programs.
- Increased Security: The Terminal Server Client will retrieve all its information and applications from the centralized server. This provides more control of security.
- Use existing hardware: Due to low system requirements, old hardware can be used as Terminal Server Clients. New machines can perform their own processing, but at the same time be set up to run Terminal Server Client sessions.
- Scalability: Terminal Services provides the means to easily install additional clients as well as maintain them. This gives a scalable solution that can easily grow.
- Data Access for the Casual User: Ability to support the casual user who needs temporary access to critical information.
3. How Terminal Services Works

Terminal Services is Microsoft's solution for server-based computing, in which the server performs most of the processing remotely and very few client resources are necessary. The server performs all the application processing, and only the information from the display monitor, keyboard and mouse is transmitted between the server and the client. It uses far less bandwidth than downloading and running the application locally on a client computer.

Microsoft included Terminal Services in Windows 2000 Server, Windows 2000 Advanced Server, and Windows 2000 Datacenter Server. Because it's intended for server-based computing, Terminal Services isn't available in Windows 2000 Professional.

You can use Terminal Services on any TCP/IP connection over a LAN, WAN or the Internet, even at dial-up modem speeds. For example, many implementations use a VPN to connect remotely to the server.

A Terminal Server client can be run on many different platforms. By default, Terminal Server clients can run on all Windows platforms including Pocket PC 2002. Other platforms that can be used with Citrix Metaframe are Linux, Unix and Macintosh.
4. Terminal Server Client Hardware Requirements

Server

- Terminal Services should be installed on a new Windows 2000 Server or Advanced Server. Do not upgrade from a Windows NT system.
- Multi-processors can improve performance.
- Add 128 MB RAM for Windows 2000 Advanced Server.
- Memory requirements depend on application load and the number of users connected. The Terminal Server will need approx 20 MB per session running CitectSCADA. A good way to estimate how many users a server can support is to measure system performance (memory and CPU usage) with a handful of Terminal Server Clients on the system, and then extrapolate the result.
- Virtual memory (page file size) should be 250% of the physical memory.

Clients

Clients that run Terminal Services are not required to have much processing power. For example, a Pentium with 32 MB of RAM and a VGA video card is sufficient. Therefore, it is very easy to integrate Terminal Services into a network that has older computers and equipment. Supported client operating systems are Windows, Linux, Unix and Macintosh as well as ACP's Thin Clients (more details in the ACP Thin Client chapter in this whitepaper).

5. Installing Terminal Services

1. Click Start on the Windows Taskbar, point to Settings, and then click Control Panel.
2. Double-click the Add/Remove Programs icon. The Add/Remove Programs dialog box appears.
3. Click Add/Remove Windows Components. The Windows Components Wizard appears.
4. Select the Terminal Services and Terminal Services Licensing options, and then click Next. (Terminal Services Licensing may be installed on a separate machine.)
5. Select the Application server mode option, and then click Next.
6. Select the Permissions compatible with Windows 2000 Users option, and then click Next.
7. When prompted, locate the file TSC.00_ on the Windows 2000 Server CD.
8. When prompted, reboot as requested.
9. Select the Your domain or workgroup option and provide the directory location for the licensing server database. Note: This option only appears if you selected the Terminal Services Licensing option.
10. Click Next to begin the installation.
6. Terminal Server Settings Related to Citect

6.1. Terminal Server Client Environment

By default, the TS Client will be presented with a normal Windows environment when logging into a Terminal Server: a task bar at the bottom of the screen with a START button, and applications on the desktop. This is useful if the client needs to access other software in addition to Citect. However, if a client should only have access to Citect, we can configure the system to start Citect as the shell for the client.

This can be configured for ALL TS Clients by selecting Terminal Services Configuration, then Connections and then the properties of the connection you wish to edit. If this should be configured on a user-by-user basis, select Computer Management in the Control Panel, expand the node System Tools, then Local Users and Groups, and open the properties of the user you wish to configure. See the picture below for an example of how to configure Citect to start automatically for the Terminal Server user named Client.

In addition to this, note that each user will have their own instance of CITECT.INI. Its location will be c:\documents and Settings\<user_name>\Windows; it will NOT use the normal C:\WINDOWS folder.

If preferred, it is possible to force all users to look at one version of the Citect.INI file. Typically, this is placed in one of three places: the "Windows" directory (or WinNT directory), the "\Bin" directory or the main project directory (your preference may vary depending on how many different projects and versions of CitectSCADA you have installed on your PC).

CitectSCADA will initially look for an INI file in the "CitectSCADA\Bin\" directory, and if it doesn't find one there, it will then look in the Windows/WinNT directory (i.e. the path specified by the %WinDir% environment variable). If it does not find an INI file in the default %WinDir% directory, it gets re-directed to the User profile directory.
Placing the INI file in the "\Bin" directory should stop this redirection to the User profile directory from happening. Alternatively, you can force the path that Citect uses to look for an INI file by using the "-i" switch within the shortcut you use to start up Citect Runtime. To do this:

1) Right-click on your Citect Runtime shortcut and select "Properties"
2) Select the "Shortcut" tab
3) Modify the "Target" field as shown below:

   Target: C:\Citect\Bin\Citect32.EXE -ic:\citect\user\myproject\inis\citect.ini

   OR

   Target: "C:\Program Files\Citect\CitectSCADA\Bin\Citect32.EXE" -ic:\winnt\citect.ini

NOTES:
- You will need to use quotation marks around paths that contain spaces, as shown above.
- You can always force Citect Explorer to use a specific INI file using the same method, but you need to substitute CTEXPLORER.EXE for Citect32.EXE. It is recommended that you force them both to the same location.
- This procedure was written based on Windows XP; however, the process is extremely similar for Windows NT4/2000/2003.

Notice that the second example points explicitly to the %WinDir% directory. If you want your INI file to be placed in the Windows/WinNT directory, you need to explicitly state the full path as shown (and not use the %WinDir% environment variable), or else the Citect.INI file will be created and maintained in the User's profile directory.

6.2. Password Management

If multiple users will use the same user login on the Terminal Server, it is a good idea to make sure that the password is fixed. Otherwise, if a user changes the password, everybody else will be locked out until they are told the new password. Examples of such clients would be full featured operator stations that connect from the outside or reside on the LAN. Set up the appropriate users as below:
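The INI lookup order and the -i switch from section 6.1 can be modeled to show which Terminal Server users would end up running from a private Citect.INI copy. This is an added example, not Citect's code and not part of the original whitepaper; the user names, the sample shortcuts and the C:\WINNT default are constructed, and the lookup logic only mirrors the description in section 6.1.

```python
import ntpath
import re

# Per-user folder named in section 6.1; {user} stands for <user_name>.
PROFILE_WINDOWS = r"C:\Documents and Settings\{user}\Windows"


def parse_target(target):
    """Split a shortcut Target into (executable path, -i INI path or None)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))(.*)$', target)
    if not m:
        raise ValueError("empty shortcut target")
    exe = m.group(1) or m.group(2)
    # The switch is written without a space, e.g. -ic:\winnt\citect.ini
    sw = re.search(r'(?:^|\s)-i(?:"([^"]+)"|(\S+))', m.group(3), re.I)
    ini = (sw.group(1) or sw.group(2)) if sw else None
    return exe, ini


def effective_ini(target, user, existing, windir=r"C:\WINNT"):
    """Return (ini_path, scope) following the lookup order section 6.1 describes.

    `existing` lists files assumed to exist on the server (hypothetical input).
    """
    exists = {p.lower() for p in existing}
    profile = ntpath.join(PROFILE_WINDOWS.format(user=user), "citect.ini")
    exe, override = parse_target(target)
    if override:
        # Section 6.1: using %WinDir% in -i still lands in the user profile.
        if "%windir%" in override.lower():
            return profile, "per-user"
        return override, "shared"
    # No -i switch: Bin directory first, then %WinDir%.
    for folder in (ntpath.dirname(exe), windir):
        candidate = ntpath.join(folder, "citect.ini")
        if candidate.lower() in exists:
            return candidate, "shared"
    # Nothing found: redirected to the user profile directory.
    return profile, "per-user"


def per_user_sessions(shortcuts, existing):
    """List users whose Citect session would run from a private INI copy."""
    return sorted(user for user, target in shortcuts.items()
                  if effective_ini(target, user, existing)[1] == "per-user")


# Constructed sample: three Terminal Server users and their Runtime shortcuts.
SHORTCUTS = {
    "Client": r'"C:\Program Files\Citect\CitectSCADA\Bin\Citect32.EXE" -ic:\winnt\citect.ini',
    "Operator2": r'"C:\Program Files\Citect\CitectSCADA\Bin\Citect32.EXE"',
    "Operator3": r'C:\Citect\Bin\Citect32.EXE -i%WinDir%\citect.ini',
}
# Constructed sample: no citect.ini exists in Bin or in the Windows directory.
EXISTING = [r"C:\WINNT\win.ini"]

if __name__ == "__main__":
    for user, target in SHORTCUTS.items():
        print(user, *effective_ini(target, user, EXISTING))
    print("private INI copies:", per_user_sessions(SHORTCUTS, EXISTING))
```

Users reported as per-user each keep their own copy of the settings, so a change made to the shared Citect.INI does not reach their sessions.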
6.3. Citect License Management

Each Terminal Server Client that uses Citect will require an appropriate Citect license from the Citect server. Once the Citect session starts, the license is taken from the server and it will not be released until the Citect session is closed.

By default, the terminal server session will not terminate just because the TS Client closes its Terminal Server window to the server. The server will continue to process this session indefinitely. When a user logs in again and there is an active session from a previous login, the user will be asked whether they want to use the existing session or create a new one. The correct answer should be to connect to the existing one.

To keep operators from creating unused sessions, the Terminal Server can be set up to automatically end sessions that have been disconnected. In this way the Citect licenses will be released properly back to the Citect server, where they will be available for future sessions.

Below is an example of ending any session that has been disconnected for 1 minute. This means that no Citect license will be tied up in a disconnected session for more than 1 minute.
6.4. Terminal Server Encryption

Terminal Server has built-in encryption, and it can be set to LOW, MED or HIGH. In a secure environment, such as an Intranet, this parameter can be set to LOW to increase performance, and to LOW or MED if going through a VPN. If Terminal Server is used on the Internet, we recommend that the encryption level is set to HIGH to provide the most secure link. Naturally, for each situation you have to take your circumstances into consideration to make sure that appropriate security and encryption are used.

This can be configured for all TS Clients by selecting Terminal Services Configuration, then Connections and then the properties of the connection you wish to edit. See the picture below. This encryption setting can also be set on a per-user basis if required.
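The connection-wide settings from sections 6.1, 6.3 and 6.4 are stored as values of the RDP-Tcp connection in the registry, so they can be checked offline from a `reg query` export. The following is an added example, not part of the original whitepaper; the sample export is constructed, and the LOW/MED/HIGH numbering and the meaning of the fInherit flags are assumptions to confirm on the Windows version in use.

```python
import re

# Constructed sample: text as printed by
#   reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
# for a server set up the way sections 6.1, 6.3 and 6.4 describe (intranet case).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    MinEncryptionLevel    REG_DWORD    0x1
    fInheritMaxDisconnectionTime    REG_DWORD    0x0
    MaxDisconnectionTime    REG_DWORD    0xea60
    fInheritInitialProgram    REG_DWORD    0x0
    InitialProgram    REG_SZ    C:\Citect\Bin\Citect32.EXE
"""

LEVELS = {1: "LOW", 2: "MED", 3: "HIGH"}               # assumed value mapping
MIN_LEVEL = {"intranet": 1, "vpn": 1, "internet": 3}   # section 6.4 guidance


def parse_reg_query(text):
    """Turn `reg query` text into {value name: int or str}."""
    values = {}
    for line in text.splitlines():
        # Value lines are indented; the key path line is not.
        m = re.match(r"\s+(\S+)\s+(REG_\w+)\s*(.*)$", line)
        if m:
            name, kind, data = m.groups()
            values[name] = int(data, 16) if kind == "REG_DWORD" else data.strip()
    return values


def audit(values, exposure, citect_only=True, max_disconnect_ms=60_000):
    """Return findings where the connection departs from the whitepaper setup."""
    findings = []
    level = values.get("MinEncryptionLevel", 0)
    if level < MIN_LEVEL[exposure]:
        findings.append("encryption %s is below %s for %s use" % (
            LEVELS.get(level, level), LEVELS[MIN_LEVEL[exposure]], exposure))
    # Assumption: fInherit* = 1 means the setting is taken from the user
    # account instead of the connection, so the connection value is not enforced.
    timeout = values.get("MaxDisconnectionTime", 0)
    if values.get("fInheritMaxDisconnectionTime", 1) or timeout == 0:
        findings.append("connection does not end disconnected sessions")
    elif timeout > max_disconnect_ms:
        findings.append("disconnected sessions hold a Citect license for %d s"
                        % (timeout // 1000))
    shell = values.get("InitialProgram", "").lower()
    if citect_only and (values.get("fInheritInitialProgram", 1)
                        or "citect32.exe" not in shell):
        findings.append("connection does not force Citect32.EXE as the shell")
    return findings


if __name__ == "__main__":
    cfg = parse_reg_query(SAMPLE)
    for exposure in MIN_LEVEL:
        print(exposure, audit(cfg, exposure) or "matches the whitepaper setup")
```

The default limit of 60000 ms corresponds to the 1 minute disconnect example in section 6.3; pass `citect_only=False` for connections where users are meant to get the normal desktop.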
7. ACP Thin Client

ACP is a partner of Citect, and CitectSCADA works well with ACP thin clients without modification. ACP has enhanced the standard Thin Client technology as it comes from Microsoft by providing support for features required by the industrial market. These enhancements are coupled with ACP's award winning Thin Client management software, ThinManager. ACP technology is now used by 9 different manufacturers who bring to market combined almost 40 different models of ACP Enabled Thin Clients, all of which are completely interchangeable.

Some of the most important benefits that the user will see when coupling Citect software with ACP Thin Client technology:

- Automatic server Failover and redundancy, controlled by the clients. If any ACP Enabled Thin Client detects a problem with the server, it can be configured to automatically switch to a backup server without operator intervention. Once the primary server has become operational again, the client can be configured to switch back. Useful not only to eliminate a single point of failure, but also for application and operating system updates.
- Industry Specific I/O directly from the clients. Standard Thin Clients are not able to handle high-speed serial communication needed to rapidly poll industrial equipment. Any ACP Enabled Thin Client can send/receive serial data at up to 115KB, and can also accept Profibus and Devicenet communication cards.
- Auto login, auto configuration of new clients, and auto replacement. Because they are designed for the industrial market, any ACP Enabled Thin Client can be replaced by an operator without any intervention from IT personnel. The client's configuration is kept and generated at the server so operators do not have to keep up with complicated settings.
- ThinManager management software. All ACP Enabled Thin Clients are configured and monitored from a simple Windows interface.
- Centralized support for any combination of ACP Enabled client hardware. ACP Thin Clients are interchangeable - if a unit from Advantech is destroyed by a forklift, for instance, the damaged unit can be replaced with a Thin Client from Ann Arbor.
- No software resident on the clients. This means that ACP Enabled Thin Client hardware will not become obsolete, and always has the latest version of the operating software.

For more information on the advantages of ACP Thin Client technology, please visit their website at http://www.acpthinclient.com.
8. Licensing

8.1. Citect Licensing

Each Terminal Server Client that will use Citect requires an appropriate Citect license in the same way as you would license floating Citect licenses, i.e. the licenses have to reside on an IOServer in the network, and the number of floating licenses should be the number of concurrent Citect client sessions required.

You should only run a CitectSCADA client under the Terminal Server. You should never run a CitectSCADA Server under Terminal Server, as you would get a clash with PLC hardware or network server connections. The CitectSCADA client is compatible with Microsoft Terminal Server. The recommended architecture is to run all your Citect Servers on non-Terminal Server computers, and then set up a CitectSCADA client to run on the Terminal Server.

Only the first client running on the Terminal Server will get access to the local hardware key. If you only want to run one client at a time and have a single user key, you could install that key on the Terminal Server computer. However, if you want to run more than one CitectSCADA client on the Terminal Server, then you must install your multi-user CitectSCADA key on one of your CitectSCADA Servers. This will allow many instances of the CitectSCADA clients to get licences from the remote Servers.

8.2. Microsoft Licensing

8.2.1. Microsoft CALs and TS CALs

Thin clients using Microsoft Terminal Server require a terminal server running Microsoft's Windows NT 4.0 Terminal Server Edition or Windows 2000 Server with Terminal Services enabled as an operating system. Each of these operating systems requires a standard Microsoft Client Access License (CAL) for each connection to the server. These are based on concurrent use; a 5-pack would allow more than five users to access server resources, but only five users at a time.

Terminals require an additional Microsoft Terminal Server Client Access License (TS CAL) to connect to the server using either RDP or ICA. This licensing is per seat; ten terminals would require ten TS CALs, even if only two were connected at a time.

Windows NT 4.0 Terminal Server Edition is sold with TS CALs. These are installed on the terminal server. Additional TS CALs are available from Microsoft. Windows 2000 Server is not normally sold with TS CALs. These need to be purchased separately and installed on the Terminal Services License server.

8.2.2. Microsoft Terminal Server Licensing Server

Windows 2000 has a new method of license management. All TS CALs are installed on a single Terminal Services Licensing Server, which acts as a repository for all TS CALs. The terminal servers request TS CAL authentication from the Terminal Services Licensing Server as terminals (thin clients) attach to terminal servers. This allows a single site for management and authentication of terminal server connections.
A server becomes a Terminal Server Licensing Server by selection of the option during the installation phase, or by selecting Add/Remove Programs > Add/Remove Windows Components from the Control Panel and selecting the Terminal Services Licensing option. See Microsoft Terminal Server Installation for details.

The Terminal Services Licensing server is activated through the Internet by connecting to the Microsoft Certificate Authority and License Clearinghouse.

Windows 2000 Server with Terminal Services enabled will issue 90-day temporary licenses while the Terminal Services Licensing server is being set up and activated. If this period has elapsed, the terminal will not connect to the terminal server and will display an Error Number 50 message box.

Microsoft Terminal Server Licensing Server Hotfix

Microsoft released a hotfix for its licensing server in June 2001. It allows the licensing server to release licenses that are no longer used, which makes replacements easier. This hotfix needs to be added before you add the licenses. Further information can be obtained from Microsoft. Try "Terminal Services Licensing Enhancements" and "Windows 2000 Terminal Services Licensing Hotfix Now Available for Download".

The licensing of the Microsoft components of a Windows 2000 terminal server is a two-step process; one must first authorize the Terminal Server Licensing Server, then one must activate the licenses. The license activation will be repeated for each license pack.

To begin the process, select Start > Programs > Administrative Tools > Terminal Server Licensing on the Terminal Server Licensing Server. Highlight the desired server.

Figure 1 Terminal Services Licensing

Figure 2 Selected Terminal Server

Select Action > Activate Server from the menu bar.
The Licensing Wizard will launch. Follow the steps of the wizard.

Figure 3 Licensing Wizard

Note: The ID numbers shown on screens have been changed to 1234. Please use the appropriate numbers that apply to your server and licenses.

Figure 4 Connection Method

There are several methods for connecting to the Microsoft License Clearinghouse.

- Internet: Allows activation through a direct connection to Microsoft. The Licensing Server must have Internet access.
- World Wide Web: Allows activation at Microsoft's web site through a web browser.
- Fax: Allows activation through faxes to Microsoft.
- Telephone: Allows activation through the telephone.

Select the desired method from the drop-down box and select Next.

Note: This article will detail the World Wide Web method.

Figure 5 License Server Activation

The server needs a License Server ID for authorization. This is done on the Microsoft web site. Go to the https://activate.microsoft.com site mentioned in the dialog box.

Figure 6 Microsoft Terminal Services Licensing Web Site

Select Activate a license server and select Next.

Figure 8 Customer Information

Continue with the web-based wizard. Verify the data and select Next.
8.2.3. Microsoft TS CAL License Authorization

To continue adding license packs, return to the https://activate.microsoft.com web site.

Figure 11 Microsoft Terminal Services Licensing Web Site

Select Install client license key packs and select Next.

Fill out the form and select Next.

Figure 12 Customer Information

Figure 13 TS CAL Information

Select the Product Type and fill in the fields with the Quantity, Authorization Number, and License Number from the Licensing Certificate that was included with the purchase of the licenses. Select Next to continue.

Figure 14 License Information

Verify that the information is correct and select Next to continue.

Figure 15 License Key Pack ID

The Microsoft site will provide the License Key Pack ID. This needs to be installed in the Licensing Wizard.

Figure 16 License Key Pack ID Fields

Fill in the fields of the Licensing Wizard with the License Key Pack ID from the Microsoft site and select Next.

Figure 17 Licensing Completion

The licenses will be added and will be displayed in the Terminal Services Licensing window.

For further information on Citect products and services, visit http://www.citect.com/