Line-of-sight issues with Remote Desktop Services and remote desktop
Because an operator's physical location may be different from the location where
FactoryTalk
programs are running, Windows
Remote Desktop presents some challenges to fulfilling line-of-sight requirements.Remote installation not supported
Installing
FactoryTalk Services Platform
on a Remote Desktop session host or remote computer through a Remote Desktop client is not supported. Identifying computers when using Remote Desktop
Two system policies within the
FactoryTalk Directory
that dictate how permissions are evaluated for remote clients. One determines what name is used to identify the remote client, and the second determines whether the client name must be included in the list of computers in the FactoryTalk Directory
. Change these policy settings in Security Policy Properties
.These policies are:
- Require computer accounts for all client machines
- Identify terminal server clients using the name of
When
Require computer accounts for all client machines
is enabled, the client name must be included in the list of computers in the FactoryTalk Directory
.
IMPORTANT:
These two policies significantly affect security, activity logging, and auditing. Do not change the policies from default values without fully understanding the consequences.
Require computer accounts for all client machines
Determines whether client computers can access the
FactoryTalk
network directory without having a computer account in the FactoryTalk Directory
. Setting | Description | Advantage | Disadvantage |
|---|---|---|---|
Enabled | Allows users to log on to FactoryTalk only if they are logging on from a client computer that has an account in the FactoryTalk Directory . Even if set to Enabled, Remote Desktop Services clients can still log on to FactoryTalk Directory without computer accounts if the Identify terminal server clients using the name of policy is set to Server Computer. | Tighter security. Only authorized clients can access the system. | Must add the name of every authorized computer, including remote clients, to the FactoryTalk Directory |
Disabled | Allows users to log on to FactoryTalk from any client computer, even if that computer has no computer account in the FactoryTalk network directory. | When many client computers will be connected/disconnected and there is no control over when new clients will be connected to the system, or don’t want to manage all of the clients. | Allows any computer to connect as a client, even if it is not part of the FactoryTalk Directory . |
IMPORTANT:
Even when this setting is disabled, it is necessary to create computer accounts for any computers hosting servers — for example,
FactoryTalk Linx
, OPC
data servers, Tag Alarm and Event servers, or HMI servers. Without the server computer accounts, it is not possible to configure the servers from client computers on the network because the FactoryTalk
network directory server cannot locate these servers on the network without their computer accounts.Identify terminal server clients using the name of
Determines what computer name identifies clients connecting to the
FactoryTalk Directory
through Remote Desktop Services. This policy also affects whether client computers connecting through Remote Desktop Services require computer accounts in the FactoryTalk Directory
.Setting | Description | Advantage | Disadvantage |
|---|---|---|---|
Server computer | Allows client computers to connect through Remote Desktop Services without requiring accounts in the FactoryTalk Directory , even if the Require computer accounts for all client machines policy is set to Enabled . This is possible because Remote Desktop clients are identified by the Remote Desktop Server name, and the Remote Desktop Server must always have an account configured in the FactoryTalk Directory . | No need to add the name of each Remote Desktop client to the FactoryTalk Directory . | Any computer can use a Remote Desktop client to remote into the system. Remote Desktop clients are identified by the Remote Desktop Server name, thus actions are logged using the server name instead of the client name, so troubleshooting and auditing actions may be more difficult. |
Require computer accounts for all client machines is Enabled | Client computers must have computer accounts in the FactoryTalk Directory to access FactoryTalk applications. | Tighter security. Only authorized clients can access the system, even using Remote Desktop. All activity is logged using the client name. | Must add the name of every authorized computer to the FactoryTalk Directory , including Remote Desktop clients. |
Require computer accounts for all client machines is Disabled | Client computers do not require computer accounts in the FactoryTalk Directory to access FactoryTalk applications. Client computers are automatically included in the "All Computers" computer group. This combination of settings is useful for diagnostic logging because the name of the client computer where actions originate can be logged. | No need to add the name of each Remote Desktop client to the FactoryTalk Directory . The Remote Desktop client name is used for logging and audits. Only permissions that apply to the "All Computers" group apply to clients that are not included in the directory. Can still add individual client names to the system and provide those computers with additional permissions. | Any computer connects a client to the system. This includes thick client as well as Remote Desktop clients. |
Session Re-use
Remote Desktop Services allows a user to reconnect to an existing Remote Desktop Session from another computer without logging off or terminating the original session. If the
Identify terminal server clients using the name of
security policy is set to Terminal Client
, it is possible for the client computer name for a given Remote Desktop session to change. To solve this problem, set the Identify terminal server clients using the name of
policy to Server computer.
Provide Feedback