Wonderware - InTouch Access Anywhere Secure Gateway 2013

Aveva - Wonderware Intouch Access Anywhere


Wonderware

InTouch® Access Anywhere Secure Gateway

Administrator’s Manual

8/23/2013
All rights reserved. No part of this documentation shall be reproduced, stored in a retrieval
system, or transmitted by any means, electronic, mechanical, photocopying, recording, or
otherwise, without the prior written permission of Invensys Systems, Inc. No copyright or patent
liability is assumed with respect to the use of the information contained herein. Although every
precaution has been taken in the preparation of this documentation, the publisher and the author
assume no responsibility for errors or omissions. Neither is any liability assumed for damages
resulting from the use of the information contained herein.

The information in this documentation is subject to change without notice and does not represent
a commitment on the part of Invensys Systems, Inc. The software described in this
documentation is furnished under a license or nondisclosure agreement. This software may be
used or copied only in accordance with the terms of these agreements.

© 2013 by Invensys Systems, Inc. All rights reserved.

Invensys Systems, Inc.


26561 Rancho Parkway South
Lake Forest, CA 92630 U.S.A.
(949) 727-3200
http://www.wonderware.com

For comments or suggestions about the product documentation, send an e-mail message to
[email protected].

All terms mentioned in this documentation that are known to be trademarks or service marks
have been appropriately capitalized. Invensys Systems, Inc. cannot attest to the accuracy of this
information. Use of a term in this documentation should not be regarded as affecting the validity
of any trademark or service mark.

Alarm Logger, ActiveFactory, ArchestrA, Avantis, DBDump, DBLoad, DT Analyst, Factelligence,
FactoryFocus, FactoryOffice, FactorySuite, FactorySuite A2, InBatch, InControl, IndustrialRAD,
IndustrialSQL Server, InTouch, MaintenanceSuite, MuniSuite, QI Analyst, SCADAlarm,
SCADASuite, SuiteLink, SuiteVoyager, WindowMaker, WindowViewer, Wonderware, Wonderware
Factelligence, and Wonderware Logger are trademarks of Invensys plc, its subsidiaries and
affiliates.

All other brands may be trademarks of their respective owners.

Table of Contents

ABOUT THIS DOCUMENT

1. OVERVIEW
Architecture

2. INSTALLATION
Prerequisites
Secure Gateway Installation

3. SECURE GATEWAY POST INSTALLATION
Connecting to an InTouch Access Anywhere Server through the Secure Gateway
Configuring the InTouch Access Anywhere Secure Gateway Node to Expose Your InTouch Applications

4. CONFIGURATION PORTAL
Dashboard
Mail Alerts

5. PORT AND SSL CERTIFICATE
Configure the Secured Port and SSL Certificate
Manually Configuring a Trusted Certificate
Configuring Failover Gateways

6. INTOUCH ACCESS ANYWHERE™ HTML5 CLIENT CONFIGURATION
Configuration

7. BUILT-IN WEB SERVER
Internal Web Server
External Web Server
Connecting to the Web Server
HTTP Redirect
Advanced Configuration

8. BUILT-IN AUTHENTICATION SERVER

9. ADVANCED CONFIGURATION
High Availability
SSO Form Post

10. KNOWN BEHAVIORS AND LIMITATIONS
Common Error Messages
Obtaining Log Files
Disabling HTTP/HTTPS filtering

11. TECHNICAL SUPPORT

ABOUT THIS DOCUMENT
This guide provides instructions on how to install, configure and use InTouch
Access Anywhere Secure Gateway. The Secure Gateway enables remote,
secure connections from clients running at unsecured locations to internal
network resources. The Secure Gateway provides authentication and
authorization services, as well as data encryption.
Follow the instructions in this manual and start enjoying the benefits of the
Secure Gateway within minutes!
This guide includes the following information:
• Overview of the Secure Gateway
• Preparation and installation procedures
• Usage instructions
• Known issues and limitations
This guide assumes that the reader has knowledge of the following:
• Wonderware InTouch™
• Enabling and configuring RDP on Windows Server operating
systems (see the note below)
• Firewall configuration
• Web Server Administration
Note: For details on proper configuration and management of a Remote
Desktop environment for use with Wonderware InTouch, refer to the
Wonderware InTouch for Terminal Services Deployment Guide.
Important terminology used in this document:
• DMZ (demilitarized zone) – a physical or logical subnetwork that
contains and exposes an organization's external services to a
larger untrusted network.
• SSL – Secure Sockets Layer is a cryptographic protocol that
provides communications security over the Internet.
• RDP – Remote Desktop Protocol. A remote display protocol
developed by Microsoft. RDP is a standard component of Microsoft
Windows.
• RDP Host – a Windows system that can be remotely accessed
using Microsoft RDP, such as a Terminal Server (RDS Session
Host) or Windows workstation with remote access enabled.
• VPN – Virtual Private Network. It enables a computer to securely
send and receive data across shared or public networks as if it
were directly connected to the private network.
• HTML5 – the current version of the HTML specification. Extends
HTML with new features and functionality for communication,
display, etc.
• WebSocket – a bi-directional, full-duplex communication
mechanism introduced in the HTML5 specification.
For more information about this and other Wonderware products, please visit
www.wonderware.com.

1. OVERVIEW
The InTouch Access Anywhere Secure Gateway is a complementary
component to the InTouch Access Anywhere Server, used to provide end-
users with secured remote access to InTouch applications past a firewall
through a DMZ.

The Secure Gateway provides the following benefits:


• Secure, single port access to internal resources
• Eliminates the need to purchase, install, configure and manage
VPN
• The InTouch Access Anywhere Secure Gateway is installed in a
DMZ while all other resources reside securely behind the internal
firewall
• Install SSL digital certificate once on the Secure Gateway node
instead of on all hosts that need to be accessed
• Compatibility with HTML5 client browsers supported by InTouch
Access Anywhere™

Architecture
The Secure Gateway acts as a gateway between end users in remote locations
and applications in the control network. It may be installed in a DMZ to route
traffic between a business network and the HMI SCADA network.
The following diagram illustrates how the Secure Gateway requires just one
port to be made available for secured remote access. All communication
related web traffic and session protocols are tunneled through the SSL-based
Secure Gateway connection.

2. INSTALLATION
Prerequisites
The Secure Gateway must run on Windows Server 2003 or higher.
.NET Framework 4 Full Installation is required – this can be downloaded from
Microsoft’s website.
The Secure Gateway uses port 443 by default. This is a common port that is
also used by IIS so watch out for port conflicts.
The following ports need to be configured on the network.
• Port 443 is required between the External Network and the
Secure Gateway server; this value is adjustable.
• For InTouch Access Anywhere Server: Port 8080 is required
between the Secure Gateway server and the InTouch Access
Anywhere Server; this value is adjustable.

The Secure Gateway includes an HTTP proxy and will listen on port 80 by
default. This can be disabled post-installation.

Secure Gateway Installation
To install the Secure Gateway, launch the installer on a machine running
Windows 2003, 2008 or higher. Authorization may be required to perform
the installation on some systems.

The dialog allows the administrator to specify the installation path by clicking
the Browse button. We recommend keeping the default installation path.
Click Next.

Accept the Invensys End User License Agreement.
Click Next. Installation will proceed.

Click the Finish button.

Secure Gateway Configuration


By default, the Secure Gateway is configured to listen on port 443.
The Secure Gateway includes a built-in web server that will also operate over
the specified port using HTTPS. The Secure Gateway can automatically
redirect HTTP web requests to HTTPS.
If needed, you can change these settings after install.

Note: If Microsoft IIS is running on the same server, make sure there are
no port conflicts. Either change the IIS ports to values other than 80 and
443, or change the Secure Gateway port to a value other than 443 and
disable the HTTP auto redirect feature after the installation. If there is a
port conflict on either the HTTP or HTTPS port, the Secure Gateway will
not operate properly.

To use a trusted certificate that is already installed on the machine where the
Secure Gateway is being installed, click Select Certificate and select the
desired certificate to be used by the Secure Gateway. The trusted certificate
may also be configured post-installation.

The Secure Gateway runs as a service, and can be stopped and restarted
from the Microsoft Windows Services Manager:

The service is configured to run automatically on system startup. If the
service is stopped or is unable to listen on its configured port, clients will be
unable to connect to hosts through the gateway. If the service is unable to
listen on its configured port, it will write an error message into the Windows
application event log.

Uninstalling the Secure Gateway


Uninstall the Secure Gateway by using the Control Panel | Add/Remove
Programs or Programs and Features. Select the Wonderware InTouch Access
Anywhere Secure Gateway and click Uninstall.

3. SECURE GATEWAY POST INSTALLATION
Connecting to an InTouch Access Anywhere Server through the Secure Gateway
For example, InTouch Access Anywhere Server is installed on Node 1 and
InTouch Access Anywhere Secure Gateway is installed on Node 2.
You want to access the InTouch Access Anywhere Server through the
InTouch Access Anywhere Secure Gateway node.

When you navigate to https://<node2 name>/ the following page appears:

Because you want to access InTouch Access Anywhere Server on Node1,
you enter the machine name or IP address of Node1 in the InTouch
Access Anywhere Server field and click Next. Now, there are two possible
scenarios:

A. The InTouch Access Anywhere Secure Gateway node (Node2) has not
yet been configured to expose the InTouch applications list.

In this scenario, you will be guided to a default page. Do the following four
steps to connect to the InTouch application you want to open:

1. Enter the correct resolution of the last application opened in WindowViewer
on Node1 in the Screen Resolution field.

2. Click the Advanced button. The Advanced Settings dialog appears.

3. In the Program path and filename field, enter “view.exe” and the path for
the InTouch application you want to open. For example:

view.exe "c:\MyInTouchApps\newapp2"

Note that the path is enclosed in quotes and separated from view.exe by a
space.

4. In the Start in the following folder field, enter the InTouch install path.

B. The Secure Gateway node is configured to expose the InTouch
Applications list.

In this scenario, you will be directed to a page that looks similar to the start
page for accessing an InTouch Access Anywhere Server. You can select the
application you want to open in WindowViewer and click Connect.

Configuring the InTouch Access Anywhere Secure Gateway Node to Expose Your InTouch Applications
You can display a list of your InTouch applications in the InTouch Access
Anywhere Server, accessed through the Secure Gateway.

1. From Node1, where InTouch Access Anywhere Server is installed, clone
(copy and paste) the Start.html page located in the following directory:
<InTouch Access Anywhere Server installation folder>\WebServer\AccessAnywhere\.
2. Rename the cloned file, and go to Node2. Paste the file under <InTouch
Access Anywhere Secure Gateway installation folder>\Ericom Secure
Gateway\WebServer\AccessAnywhere\ folder on the Gateway node (i.e.
Node 2).

The start page can be renamed to any valid file name but for better
readability we recommend prefixing the file name with the InTouch Access
Anywhere server name. For example, if the server name is Master01, the
start page should be renamed to Master01_start.html

3. Open Start.html and locate the following html element:

<select id="ITAAServerList" name="ITAAServerList" style="visibility:hidden">
    <!-- A sample option element
    <option ServerName="Master01" IPAddress="xx.x.xx.xx" StartPageName="Master01_Start.html"/>
    -->
</select>
4. Add an option element under the select element (an example is given)
and update the property values as follows:
a) The ServerName property value should be set to InTouch Access
Anywhere server name (Node1 in our example).
b) The IPAddress property value should be the IP Address of the
server. Setting the value will allow the page to be accessed when
you use IPAddress instead of ServerName.
c) The StartPageName property value should be set to the start
page name from step 2 above.

5. Save the changes.

You should now be able to see the Application Name list with the InTouch
applications available at the corresponding InTouch Access Anywhere Server
node.

4. CONFIGURATION PORTAL
The InTouch Access Anywhere Secure Gateway includes a Configuration Portal
to allow the administrator to adjust any related settings. Most of these
settings were set during the installation process. To access the Configuration
Portal page, use a web browser and navigate to the Secure Gateway’s
configuration URL:
https://<SG-server-address>:<port-number>/admin
Login is available to members of the local Administrators group on the
InTouch Access Anywhere Secure Gateway server. All logins are audited in
the Secure Gateway log file. Remind administrators to use strong passwords
to ensure secure access.

To log out of the Configuration Portal, press the Logout button.

After making changes to any settings, press the Save button. If the Save
button is not pressed, and a different page is selected, a warning dialog will
appear. Press Leave this Page to continue and cancel any changes. Press
Stay on this page to return to the current page to save changes.

Dashboard
The Secure Gateway Configuration Dashboard displays useful statistics related
to the Secure Gateway operation. Open this page to view server uptime, SSL
certificate status, session activity, and to restart the Secure Gateway Server
service.

Mail Alerts
The Secure Gateway can be configured to send e-mail alerts upon specified
system events. To configure mail alerts, enter the SMTP information of the
email server. Then check the desired parameters that will trigger the sending
of a mail alert.
Click Save or Save and Test Mail Settings to apply the configuration.

Other configuration pages will be covered in the following chapters.

5. PORT AND SSL CERTIFICATE
The InTouch Access Anywhere Secure Gateway includes a self-signed
certificate. Certain web browsers may display a security warning when a
self-signed certificate is detected. To remove the warning, install a trusted
certificate. A trusted certificate must be purchased from a trusted certificate
authority (e.g. VeriSign). The signed certificate must have a private key
associated with it. A .CER file may not have a private key; use a file that
includes a private key, which usually has a .PFX extension.
The Secure Gateway uses the certificate in the Windows Certificate Store
(Computer Account). To add, view, or modify certificates perform the
following:
1) Run mmc.exe
2) Go to File | Add/Remove Snap-in
3) Add Certificates and select Computer account

4) Select Local Computer

5) Click Finish and then OK.


6) Browse to the Certificates | Personal | Certificates folder to view all the
available certificates that can be used by the Secure Gateway.

7) If a trusted certificate will be used with the Secure Gateway, place it in the
same location as the Secure Gateway certificate (Personal | Certificates).
Secure Gateway identifies a certificate using a unique thumbprint that is
configured in the Gateway’s configuration file
EricomSecureGateway.exe.config.
<add key="CertificateThumbprint" value="<enter trusted certificate thumbprint value here>" />

Configure the Secured Port and SSL Certificate


In the Configuration Dashboard, use the Secured Port and SSL Certificate
page to modify the port that will be used by the Secure Gateway. Make sure
that the desired port is not currently in use before configuring it. Verify port
status by using the Netstat utility.
Select the desired SSL certificate to be used by the InTouch Access Anywhere
Secure Gateway. It is strongly recommended to use a trusted certificate
when the InTouch Access Anywhere Secure Gateway is used in production.
Verify whether the selected certificate is trusted by viewing the Dashboard
page.

Manually Configuring a Trusted Certificate
There are two methods to manually configure the Secure Gateway to use a
trusted certificate.
Method 1: Run “EricomSecureGateway.exe /import_cert” to select a
certificate from Windows Store and import its thumbprint to the configuration
file.
Method 2: Add the thumbprint value to the configuration file by performing
the following:
1) Go to the Certificate Details tab and highlight the Thumbprint.

2) Press CTRL-C to copy it.


3) Click OK to close the dialog.
4) Open the EricomSecureGateway.exe.Config file.
5) Delete the existing Thumbprint and press CTRL-V to paste the new
Thumbprint into the file. All spaces will be ignored.
6) Save the file and the new Thumbprint will be used. Restarting the Secure
Gateway service will apply the new certificate immediately.
The Thumbprint can also be manually typed in.

Note: The DNS address of the Secure Gateway server must match the
certificate name. If it does not, a “Connection failed” error message will
appear upon attempting a connection.

Configuring Failover Gateways


Multiple Secure Gateways can be configured as a failover chain in the
InTouch Access Anywhere web client. This will provide redundancy for the
Secure Gateway function as alternate Gateways will be automatically used
when the primary one is unavailable. If the connection to the first Secure
Gateway in the list fails, the request will be redirected to the server listed
next. There is no limit for this list.
To specify a failover list of Secure Gateways, enter each gateway address
separated by a semicolon (‘;’).
Here is a sample list of servers:
Us-bl2008r2;securegateway.domainname.com;192.168.0.3:4343
• The primary gateway is Us-bl2008r2 over port 443.
• The second Secure Gateway is securegateway.domainname.com over port 443.
• The third Secure Gateway is 192.168.0.3 over port 4343 (any port value
other than 443 needs to be explicitly specified).

Note: Maintain uptime for the servers at the front of the list to ensure the
fastest login times. If the primary server is unavailable, the end-users will
experience longer login times as the login process must wait for the
primary server to timeout before attempting to connect to a failover
server.
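
The list format and failover order described above can be checked before a list is handed to users. The following Python sketch is an added example, not code from the product: it parses a failover list, applies the default port, flags entries that are IP addresses (which can fail the certificate name match noted earlier) and shows how many timeouts a login waits through for a given set of reachable gateways. The function names and the note texts are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field

DEFAULT_PORT = 443  # per this section, any other port must be written explicitly

# The sample list given in this section.
SAMPLE_LIST = "Us-bl2008r2;securegateway.domainname.com;192.168.0.3:4343"


@dataclass
class Gateway:
    host: str
    port: int
    notes: list = field(default_factory=list)


def _is_ip_literal(host):
    """True when the host is an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_failover_list(value):
    """Split 'host[:port];host[:port];...' into Gateway entries, in list order."""
    gateways, seen = [], set()
    for position, raw in enumerate(value.split(";"), start=1):
        entry = raw.strip()
        if not entry:
            raise ValueError("entry %d is empty" % position)
        if entry.count(":") > 1:
            # IPv6 literals are outside what this section describes.
            raise ValueError("entry %d: unsupported address %r" % (position, entry))
        host, sep, port_text = entry.partition(":")
        if not host:
            raise ValueError("entry %d has no host" % position)
        if sep:
            valid = port_text.isascii() and port_text.isdigit()
            if not valid or not 1 <= int(port_text) <= 65535:
                raise ValueError("entry %d: bad port %r" % (position, port_text))
            port = int(port_text)
        else:
            port = DEFAULT_PORT
        gateway = Gateway(host, port)
        if _is_ip_literal(host):
            # The gateway address must match the certificate name.
            gateway.notes.append("IP address: may not match the certificate name")
        key = (host.lower(), port)
        if key in seen:
            gateway.notes.append("duplicate entry: adds a timeout, no redundancy")
        seen.add(key)
        gateways.append(gateway)
    return gateways


def select_gateway(gateways, reachable):
    """Walk the chain in order; return (gateway used, timeouts waited first).

    reachable is a set of (host, port) pairs, so no network access is needed.
    """
    for waited, gateway in enumerate(gateways):
        if (gateway.host, gateway.port) in reachable:
            return gateway, waited
    return None, len(gateways)


if __name__ == "__main__":
    for gw in parse_failover_list(SAMPLE_LIST):
        print(gw.host, gw.port, gw.notes)
```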

6. INTOUCH ACCESS ANYWHERE™ HTML5 CLIENT CONFIGURATION
InTouch Access Anywhere can use the Secure Gateway to provide secured
connections between HTML5 Web clients and InTouch Access Anywhere
servers in order to access InTouch applications residing there. This diagram
describes how these components work together:

In this configuration, the client browser always establishes a secure
WebSocket connection to the Secure Gateway. The Gateway then establishes
a WebSocket connection to the InTouch Access Anywhere server.
The WebSocket connection between the Gateway and the InTouch Access
Anywhere server can be secured or not, based on a configuration setting in
the InTouch Access Anywhere client (check Enable SSL for the InTouch Access
Anywhere web configuration).

Configuration
To enable the use of a Secure Gateway with InTouch Access Anywhere:
At the client browser, click on the Advanced button in the Connection Details
page.

Check Use InTouch Access Anywhere Secure Gateway and provide the
Gateway address:

7. BUILT-IN WEB SERVER
Internal Web Server
The Secure Gateway has a built-in Web server. The Web server supports the
ability to host the web pages for certain products such as InTouch Access
Anywhere. The built-in Web server cannot be disabled and always listens on
the Secure Gateway port.
To configure the Web server, open the Configuration tool and go to Web
Server.

Click on the drop down box to select the component that should be the default
URL for the built-in Web Server. Click Save. When the user goes to the root
path of the URL, the selected component will be used.

For example, if InTouch Access Anywhere Server is selected, when the user
navigates to https://<sg-server-address>:<port-number>/ the URL will
automatically redirect to:
https://<sg-server-address>:<port-number>/AccessAnywhere/start.html

Note: The Secure Gateway could technically be used to host non-related
pages, but this is not officially supported. Hosted web pages should be of
basic static content.

External Web Server


The InTouch Access Anywhere Secure Gateway has a built-in Web server
proxy.

Note: Using the Secure Gateway to proxy to pages other than InTouch
Access Anywhere is not officially supported.

Connecting to the Web Server


To connect to an InTouch Access Anywhere server available through the
Secure Gateway Web server, the end user opens a browser and navigates to
the desired URL. If a port other than 443 is being used by the Secure
Gateway, it must be explicitly stated in the URL. For example:
https://myserver:4343/AccessAnywhere/start.html
The following URLs are available by default.

• Secure Gateway Welcome Page – https://server:port/ or
https://server:port/welcome.html
• InTouch Access Anywhere Server – https://server:port/AccessAnywhere/start.html

HTTP Redirect
The InTouch Access Anywhere Secure Gateway Web server listens on port 80
by default. This is so that HTTP references to the server will automatically
redirect to the HTTPS URL.
This feature only works if the Secure Gateway is listening on port 443. If it is
configured to use any other port, the HTTP automatic redirect will not be
supported. To enable this feature, check the setting: Enabled non-secured
port for HTTPS auto-redirect:

Configure this feature in the EricomSecureGateway.exe.Config file using:
<add key="EnableNonSecuredPortForHttpsAutoRedirect" value="false" />

Advanced Configuration
Back up the current EricomSecureGateway.exe.config file before making any
changes.
To configure the settings of the built-in Web server: open the
EricomSecureGateway.exe.config using a text editor. Each folder in the
WebServer directory may have a default document assigned for it, and may
also be restricted so that end users cannot access it.

For example, the settings below will configure the following:
• Set the View folder as the default folder
• Set the view.html as the default document for the View folder
• Restrict access to any unlisted folders in the directory
• Deny access to the Blaze and MyCustom folders.
<internalWebServerSettings>
  <Folders default_folder="View" allow_access_for_non_listed_folders="false">
    <add folder_name="AccessAnywhere" default_page="start.html" allow_access="true"/>
    <add folder_name="View" default_page="view.html" allow_access="true"/>
    <add folder_name="Blaze" default_page="blaze.exe" allow_access="false"/>
    <add folder_name="MyCustom" default_page="hello.html" allow_access="false"/>
  </Folders>
</internalWebServerSettings>

Preventing Access to Non-listed Folders
Additional subfolders may be added to the SG WebServer folder.
These can be accessible, even if they are not listed in the
internalWebServerSettings list. To prevent access to folders that are not
explicitly defined in the internalWebServerSettings list, uncheck Allow access
for non-listed folders (or set allow_access_for_non_listed_folders="false").
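
To see which folders a given configuration actually exposes, the settings can be compared with the folders present under the WebServer directory. The following Python sketch is an added example, not code from the product: it reads a copy of the internalWebServerSettings section and reports, for each folder on disk, whether the built-in Web server would serve it. The `<configuration>` wrapper, the OldBackup folder, the function names and the treatment of missing attributes as "allowed" are assumptions made for the audit.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: the <internalWebServerSettings> fragment from this chapter.
# The <configuration> wrapper is an assumption about the surrounding file.
SAMPLE_CONFIG = """\
<configuration>
  <internalWebServerSettings>
    <Folders default_folder="View" allow_access_for_non_listed_folders="false">
      <add folder_name="AccessAnywhere" default_page="start.html" allow_access="true"/>
      <add folder_name="View" default_page="view.html" allow_access="true"/>
      <add folder_name="Blaze" default_page="blaze.exe" allow_access="false"/>
      <add folder_name="MyCustom" default_page="hello.html" allow_access="false"/>
    </Folders>
  </internalWebServerSettings>
</configuration>
"""

# Constructed sample: subfolder names found under the gateway's WebServer folder.
# OldBackup stands for a folder someone added without listing it.
SAMPLE_DISK_FOLDERS = ["AccessAnywhere", "View", "Blaze", "MyCustom", "OldBackup"]


def list_subfolders(webserver_dir):
    """Names of the subfolders of a real WebServer directory."""
    return sorted(e.name for e in os.scandir(webserver_dir) if e.is_dir())


def _is_true(value):
    """Read a "true"/"false" attribute. A missing attribute counts as true,
    the worst case for an audit (assumption; the manual gives no default)."""
    return value is None or value.strip().lower() == "true"


def effective_access(config_xml, folders_on_disk):
    """Return {folder: (reachable, listed)} for every folder on disk."""
    root = ET.fromstring(config_xml)
    folders = next(root.iter("Folders"), None)
    if folders is None:
        raise ValueError("no <Folders> element in the configuration")
    allow_unlisted = _is_true(folders.get("allow_access_for_non_listed_folders"))
    # Folder names are compared case-insensitively, as on a Windows file system.
    listed = {}
    for entry in folders.findall("add"):
        name = entry.get("folder_name", "")
        listed[name.casefold()] = _is_true(entry.get("allow_access"))
    result = {}
    for name in folders_on_disk:
        key = name.casefold()
        if key in listed:
            result[name] = (listed[key], True)       # governed by its own entry
        else:
            result[name] = (allow_unlisted, False)   # governed by the global flag
    return result


def audit(config_xml, folders_on_disk):
    """Folders that are served although no entry names them explicitly."""
    access = effective_access(config_xml, folders_on_disk)
    return [
        "%s: reachable but not listed in internalWebServerSettings" % name
        for name, (reachable, is_listed) in access.items()
        if reachable and not is_listed
    ]


if __name__ == "__main__":
    for folder, (reachable, is_listed) in effective_access(
            SAMPLE_CONFIG, SAMPLE_DISK_FOLDERS).items():
        print(folder, "reachable" if reachable else "blocked",
              "(listed)" if is_listed else "(not listed)")
```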

8. BUILT-IN AUTHENTICATION SERVER
The Secure Gateway includes an Authentication Server. The Authentication
Server provides a layer of security by authenticating end-users before they
can contact any internal resource (i.e. InTouch Access Anywhere Server).
The Authentication Server is installed on a server that is a member of the
domain that it will use to authenticate users.
The Authentication Server can only be configured for one domain at a time.
Use the Configuration page to modify settings for the Authentication Server:

The configuration settings are stored in the file
EricomAuthenticationServer.exe.config. The user configurable settings are
located under the <appsettings> section and defined in the following table.

Setting – Description

• Port – This is the numerical value of the port that the
Authentication Server listens over. Make sure
that no other services on the system are using
the same port. A port conflict will interfere
with the operation of the Authentication Server.
• BindAddress – The address that the Authentication Server will
bind to.
• CertificateThumbprint – The SSL certificate thumbprint that is used by
the Authentication Server. A self-signed
certificate is installed and used by default.
• LogStatisticsFreqSeconds – The frequency interval to log service operations.

Note: When the Authentication Server is enabled, only Domain Users will
be able to authenticate. Local system users (such as Administrator) will
not be able to log in through the Authentication Server.

9. ADVANCED CONFIGURATION
All configurable settings related to the Secure Gateway may be found in the
EricomSecureGateway.exe.config file. This is a text file that can be opened
with a text editor.
Changing parameter values marked as “Reloadable” does not require a service
restart. “Not Reloadable” parameters will only take effect after the next
service restart.

High Availability
To provide high availability to the Secure Gateway layer, install two or more
Secure Gateways and use a third-party redundant load balancer to manage
access to them.
The load balancer will provide one address for end users to connect to. As
requests arrive at the load balancer, they will be redirected to an available
Secure Gateway based on built-in weighting criteria. A basic round-robin load
balancer may also be used, but it may not detect whether a Secure Gateway
is active.

SSO Form Post
When using a third-party authentication entity (such as an SSL VPN) that
supports form Post, the user can single-sign-on into an InTouch Access
Anywhere session using the authenticated credentials. The SG is required for
this feature.
In the authentication entity, there will be a field requesting the Post URL.
Enter the SSO URL for the desired product:
AccessNow: https://sg-address/AccessAnywhere/sso

Note: The Secure Gateway will auto-redirect the request to the respective
default page (start.html).

Include the following fields in the form:


• name="autostart" value="yes"
• name="esg-cookie-prefix" value="EAN_"
• name="username"
• name="password"
• name="domain"
Here is an example from a Juniper SSL VPN:

The value “esg-cookie-prefix” defines the Access Anywhere cookie prefix in
the form. For InTouch Access Anywhere connections, this is a mandatory
entry.
If the target is a relative URL, it will replace the “/sso” portion in the path.
If the target is a full URL, then it will completely replace the current path.

Sample page to POST values
<form name="cookieform" method="post" action="/AccessNow/sso"><p>
<!-- <form name="cookieform" method="post" action="/view/sso"><p> -->
address: <input type="text" name="address"/><br/>
<!-- RDP Host: <input type="text" name="fulladdress"/><br/> -->
Username: <input type="text" name="username"/><br/>
Password: <input type="password" name="password"/><br/>
Domain: <input type="text" name="domain"/><br/>
Use Access Anywhere Secure Gateway: <input type="checkbox"
name="use_gateway" value="true"/><br/>
Gateway Address: <input type="text" name="gateway_address"/><br/>
Start Program on connection: <input type="checkbox"
name="remoteapplicationmode" value="true"/><br/>
Program Path: <input type="text" name="alternate_shell"
size="256"/><br/>
<input type="hidden" name="autostart" value="true"/>
<!-- Mandatory cookie prefix; the field name must be "esg-cookie-prefix" as listed above -->
<input type="hidden" name="esg-cookie-prefix" value="EAN_"/>
<input type="submit"/>
</p></form>

Sample page to receive POST values


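<body>
<%
' Test page: echoes the posted SSO fields back to the browser.
' Each value is HTML-encoded so that posted markup is displayed as text
' instead of being rendered by the browser.
Response.Write( "address: " & Server.HTMLEncode(Request.Form("address")) & "<br/>")
Response.Write( "fulladdress: " & Server.HTMLEncode(Request.Form("fulladdress")) & "<br/>")
Response.Write( "username: " & Server.HTMLEncode(Request.Form("username")) & "<br/>")
' The password is left commented out so that it is not echoed to the page.
'Response.Write( "password: " & Request.Form("password") & "<br/>")
Response.Write( "domain: " & Server.HTMLEncode(Request.Form("domain")) & "<br/>")
Response.Write( "autostart: " & Server.HTMLEncode(Request.Form("autostart")) & "<br/>")
Response.Write( "esgcookieprefix: " & Server.HTMLEncode(Request.Form("esg-cookie-prefix")) & "<br/>")
Response.Write( "Use Access Anywhere Secure Gateway: " & Server.HTMLEncode(Request.Form("use_gateway")) & "<br/>")
Response.Write( "Gateway Address: " & Server.HTMLEncode(Request.Form("gateway_address")) & "<br/>")
Response.Write( "Start Program on connection: " & Server.HTMLEncode(Request.Form("remoteapplicationmode")) & "<br/>")
Response.Write( "Program Path: " & Server.HTMLEncode(Request.Form("alternate_shell")) & "<br/>")
%>
</body>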

10. KNOWN BEHAVIORS AND LIMITATIONS
Common Error Messages
Most modern browsers will require that a trusted certificate be used when
establishing an encrypted session.
If the user sees an error message similar to this, there could be a problem
with the certificate on the InTouch Access Anywhere Secure Gateway server:

If this error appears, check the address that is being used for the InTouch
Access Anywhere Secure Gateway. If it is an IP address, it may pose a
problem:

Rather than using the IP address, use a domain name that matches a trusted
certificate that has been configured in the InTouch Access Anywhere Secure
Gateway.
For example, instead of using 192.168.1.111, use its domain name:
sg.test.com.
Moreover, install a trusted certificate on the InTouch Access Anywhere Secure
Gateway that matches sg.test.com or *.test.com.
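The name check behind this advice, as an added example (it is not part of the Wonderware manual): it shows why the IP address fails against a certificate issued for a host name and how far a wildcard such as *.test.com reaches. The function names and the certificate name lists are assumptions constructed for illustration; the addresses are the ones used above.

```python
import ipaddress

def _as_ip(value):
    """Return an ip_address object if value is an IP literal, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def name_matches(pattern, host):
    """Compare one certificate DNS name with the host part of the URL.

    A '*' is honoured only as the whole left-most label and stands for exactly
    one label, so *.test.com covers sg.test.com but not a.sg.test.com or test.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Simplification: require two fixed labels after the wildcard (no "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def check_gateway_address(address, dns_names, ip_names=()):
    """Return (ok, reason) for the address users type to reach the gateway."""
    ip = _as_ip(address)
    if ip is not None:
        # An IP literal is compared only with IP entries, never with DNS names.
        if any(_as_ip(n) == ip for n in ip_names):
            return True, "IP address is listed in the certificate"
        return False, "IP address used, but the certificate names only DNS hosts"
    for pattern in dns_names:
        if name_matches(pattern, address):
            return True, "matches certificate name " + pattern
    return False, "no certificate name matches " + address

if __name__ == "__main__":
    # Constructed certificate name lists; addresses are the ones from the text.
    for addr, names in [("192.168.1.111", ["sg.test.com"]),
                        ("sg.test.com", ["sg.test.com"]),
                        ("sg.test.com", ["*.test.com"]),
                        ("a.sg.test.com", ["*.test.com"])]:
        print(addr, names, check_gateway_address(addr, names))
```
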

Obtaining Log Files
When requesting technical support, the Secure Gateway log files may be
requested.
The current log file is accessible using the Configuration page. Simply go to
the Download tab. The actual log detail levels may be set under the two Log
pages (Log Settings - Basic and Log Settings - Advanced).
Consult with a support engineer on which settings to enable.

The logs require a special viewer that is also downloadable using the
Download page.

Disabling HTTP/HTTPS filtering
Occasionally, certain types of network traffic will be blocked by firewalls. Port
443 on most firewalls is initially reserved for HTTP (and HTTPS) based
communication. Most firewalls will have a rule in place to filter out any
non-HTTP traffic. Depending on what the Secure Gateway will be routing, HTTP
filtering may need to be disabled on the firewall.
The Secure Gateway can proxy various types of traffic. Some are HTTP based
and some are not. The only configuration where HTTP filtering does not need
to be disabled is if the Web Application Portal and InTouch Access Anywhere
are used together.

This table denotes the protocol used by a connection method:

Communication type                    Protocol used
Web Application Portal login          HTTP/HTTPS
Application Zone login                TCP
InTouch Access Anywhere RDP session   HTTPS (Secure Gateway required)

11. TECHNICAL SUPPORT
Wonderware Technical Support consists of a global team of qualified Certified
Support Providers. If you have questions or concerns about InTouch Access
Anywhere, contact Wonderware Technical Support.

Telephone: U.S. and Canada
800-966-3371
7 a.m. to 5 p.m. Pacific Time

Outside the U.S. and Canada
949-639-8500

For local support in your language, contact a Wonderware-certified support provider
in your area or country.

Refer to the following web address for a local distributor or sales office in your area:
http://us.wonderware.com/aboutus/contactsales

Fax: 949-639-1545
E-mail: Customer First members, send an e-mail message to our priority address:
[email protected]

Customers without a support agreement, send an e-mail message to:
[email protected]

Web: Registered customers, submit your questions to our Support web site.
Refer to the following web site for instructions to register for Wonderware technical
support:
http://wwdotprod02.wonderware.com/imoo/index.aspx
