Line-of-sight issues with Remote Desktop Services and remote desktop

Because an operator's physical location may be different from the location where FactoryTalk programs are running, Windows Remote Desktop presents some challenges to fulfilling line-of-sight requirements.
Remote installation not supported

Installing FactoryTalk Services Platform on a Remote Desktop session host or remote computer through a Remote Desktop client is not supported.
Identifying computers when using Remote Desktop

Two system policies within the FactoryTalk Directory dictate how permissions are evaluated for remote clients. One determines what name is used to identify the remote client, and the second determines whether the client name must be included in the list of computers in the FactoryTalk Directory. Change these policy settings in Security Policy Properties.

These policies are:
  • Require computer accounts for all client machines
  • Identify terminal server clients using the name of

When Require computer accounts for all client machines is enabled, the client name must be included in the list of computers in the FactoryTalk Directory.

IMPORTANT: These two policies significantly affect security, activity logging, and auditing. Do not change the policies from default values without fully understanding the consequences.
Require computer accounts for all client machines

Determines whether client computers can access the FactoryTalk network directory without having a computer account in the FactoryTalk Directory.

Setting: Enabled
Description: Allows users to log on to FactoryTalk only if they are logging on from a client computer that has an account in the FactoryTalk Directory. Even if set to Enabled, Remote Desktop Services clients can still log on to the FactoryTalk Directory without computer accounts if the Identify terminal server clients using the name of policy is set to Server computer.
Advantage: Tighter security. Only authorized clients can access the system.
Disadvantage: Must add the name of every authorized computer, including remote clients, to the FactoryTalk Directory.

Setting: Disabled
Description: Allows users to log on to FactoryTalk from any client computer, even if that computer has no computer account in the FactoryTalk network directory.
Advantage: Useful when many client computers will be connected and disconnected, when there is no control over when new clients will be connected to the system, or when it is not practical to manage all of the clients.
Disadvantage: Allows any computer to connect as a client, even if it is not part of the FactoryTalk Directory.

IMPORTANT: Even when this setting is disabled, it is necessary to create computer accounts for any computers hosting servers, for example FactoryTalk Linx, OPC data servers, Tag Alarm and Event servers, or HMI servers. Without the server computer accounts, it is not possible to configure the servers from client computers on the network, because the FactoryTalk network directory server cannot locate these servers on the network without their computer accounts.
Identify terminal server clients using the name of

Determines what computer name identifies clients connecting to the FactoryTalk Directory through Remote Desktop Services. This policy also affects whether client computers connecting through Remote Desktop Services require computer accounts in the FactoryTalk Directory.

Setting: Server computer
Description: Allows client computers to connect through Remote Desktop Services without requiring accounts in the FactoryTalk Directory, even if the Require computer accounts for all client machines policy is set to Enabled. This is possible because Remote Desktop clients are identified by the Remote Desktop Server name, and the Remote Desktop Server must always have an account configured in the FactoryTalk Directory.
Advantage: No need to add the name of each Remote Desktop client to the FactoryTalk Directory.
Disadvantage: Any computer can use a Remote Desktop client to remote into the system. Remote Desktop clients are identified by the Remote Desktop Server name, so actions are logged using the server name instead of the client name, and troubleshooting and auditing actions may be more difficult.

Setting: Terminal Client, with Require computer accounts for all client machines set to Enabled
Description: Client computers must have computer accounts in the FactoryTalk Directory to access FactoryTalk applications.
Advantage: Tighter security. Only authorized clients can access the system, even using Remote Desktop. All activity is logged using the client name.
Disadvantage: Must add the name of every authorized computer to the FactoryTalk Directory, including Remote Desktop clients.

Setting: Terminal Client, with Require computer accounts for all client machines set to Disabled
Description: Client computers do not require computer accounts in the FactoryTalk Directory to access FactoryTalk applications. Client computers are automatically included in the "All Computers" computer group. This combination of settings is useful for diagnostic logging because the name of the client computer where actions originate can be logged.
Advantage: No need to add the name of each Remote Desktop client to the FactoryTalk Directory. The Remote Desktop client name is used for logging and audits. Only permissions that apply to the "All Computers" group apply to clients that are not included in the directory. Individual client names can still be added to the system to give those computers additional permissions.
Disadvantage: Any computer can connect as a client to the system. This includes thick clients as well as Remote Desktop clients.
Session Re-use

Remote Desktop Services allows a user to reconnect to an existing Remote Desktop session from another computer without logging off or terminating the original session. If the Identify terminal server clients using the name of security policy is set to Terminal Client, it is possible for the client computer name for a given Remote Desktop session to change. To solve this problem, set the Identify terminal server clients using the name of policy to Server computer.
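The interaction of the two policies (which combinations admit a client without a computer account, which name ends up in the activity log, and why session re-use changes the logged name under Terminal Client) is easier to reason about as an explicit decision function. The following is an added illustration written for this page, not Rockwell code and not the FactoryTalk evaluation engine; the class and function names, the `SAMPLE_DIRECTORY` contents and the computer names are assumptions chosen for the example, while the policy names, their values and the access and logging rules are taken from the tables above.

```python
"""Model of the two FactoryTalk Directory policies described on this page.

Added illustration, not Rockwell code. Class names, field names and the
sample computer names are assumptions; the policy names, their setting
values, and the access/logging rules follow the documentation tables.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class IdentifyBy(Enum):
    """Values of 'Identify terminal server clients using the name of'."""
    SERVER_COMPUTER = "Server computer"
    TERMINAL_CLIENT = "Terminal Client"


@dataclass(frozen=True)
class Policies:
    """The two Security Policy settings discussed above."""
    require_computer_accounts: bool          # 'Require computer accounts for all client machines'
    identify_terminal_clients_by: IdentifyBy  # 'Identify terminal server clients using the name of'


@dataclass(frozen=True)
class Connection:
    """One client logging on. rds_server_name is set only for Remote Desktop sessions."""
    client_name: str
    rds_server_name: Optional[str] = None

    @property
    def via_remote_desktop(self) -> bool:
        return self.rds_server_name is not None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    logged_as: Optional[str]  # computer name that activity/diagnostic logs will carry
    groups: FrozenSet[str]    # computer groups whose permissions apply to this client
    reason: str


def evaluate(policies: Policies, conn: Connection, directory: FrozenSet[str]) -> Decision:
    """Decide whether the logon is allowed and which computer name identifies it.

    `directory` is the set of computer accounts present in the FactoryTalk Directory.
    """
    if conn.via_remote_desktop and policies.identify_terminal_clients_by is IdentifyBy.SERVER_COMPUTER:
        # Remote Desktop clients are identified by the Remote Desktop Server name, which must
        # always have an account, so 'Require computer accounts' never blocks them here.
        identity = conn.rds_server_name
        if identity not in directory:
            return Decision(False, None, frozenset(), "Remote Desktop server has no computer account")
        return Decision(True, identity, frozenset({"All Computers", identity}),
                        "identified by Remote Desktop server name; client account not needed")

    # Thick clients, and Remote Desktop clients under 'Terminal Client', use their own name.
    identity = conn.client_name
    if identity in directory:
        return Decision(True, identity, frozenset({"All Computers", identity}),
                        "client has its own computer account")
    if policies.require_computer_accounts:
        return Decision(False, None, frozenset(), "client name is not in the FactoryTalk Directory")
    # Require = Disabled: unknown clients get only the permissions granted to 'All Computers'.
    return Decision(True, identity, frozenset({"All Computers"}),
                    "no account required; only 'All Computers' permissions apply")


def reconnect_logged_name(policies: Policies, rds_server: str, original_client: str,
                          reconnecting_client: str, directory: FrozenSet[str]) -> Tuple[Optional[str], Optional[str]]:
    """Session re-use: the name a session is logged under before and after the user
    reconnects to the same Remote Desktop session from a different computer."""
    before = evaluate(policies, Connection(original_client, rds_server), directory).logged_as
    after = evaluate(policies, Connection(reconnecting_client, rds_server), directory).logged_as
    return before, after


# Constructed sample directory: one Remote Desktop session host and one thick-client HMI panel.
SAMPLE_DIRECTORY = frozenset({"RDSHOST01", "HMI-PANEL-01"})

if __name__ == "__main__":
    laptop = Connection("OPS-LAPTOP-A", rds_server_name="RDSHOST01")  # constructed, not in directory
    for require in (True, False):
        for identify in IdentifyBy:
            d = evaluate(Policies(require, identify), laptop, SAMPLE_DIRECTORY)
            print(f"Require={require!s:5} Identify={identify.value:15} -> "
                  f"allowed={d.allowed!s:5} logged_as={d.logged_as} ({d.reason})")
```

Running the module prints the four policy combinations for a Remote Desktop client that has no computer account, which reproduces the tables: only Terminal Client plus Require=Enabled denies it, Server computer logs it as `RDSHOST01` whatever the Require setting, and `reconnect_logged_name` shows that under Terminal Client the audit name follows whichever computer last reconnected to the session.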