Mirador Remote Terminal Server
The Mirador Remote Terminal Server is a suite of Win32 programs that allows users of Mirador's PC8800 Intecolor terminal emulator or PC5200 Aydin display generator emulator to connect to a control system host by way of a LAN or the internet. The remote terminal server is designed for security and reliability. The components of the system run as Win32 services that automatically re-start following any reboots of the hosting hardware; access to these services is controlled by a simple group membership test. Additional security measures can be implemented using SSH, if required.
The program suite consists of two Win32 executables.
The component programs perform specific functions that are described in detail under "Functions of the Data Collector" and "Functions of the Server" below. The programs communicate with each other by means of a named pipe. This communications mechanism allows the user to install the system in a number of different ways, depending on the physical relationships of the control system host, server host and PC8800 clients, and on the requirements for administrative control and security. Two examples are given below.
Simplest LAN Configuration
In a minimal configuration, the data collector and server programs are installed on the same workstation. This workstation is connected to the control system host by an RS-232 cable and to a local area network. PC8800, running on another workstation that is also on the local network, connects directly to the remote terminal service, providing a user name and password. Once authenticated, the PC8800 user is connected to the control system host by way of the remote terminal server and the data collector.
This type of configuration is appropriate when all hosts are “trusted” and there are no stringent administrative requirements for access to a host that provides TCP/IP and named pipe based services.
In a network environment in which pipe servers (as well as TCP/IP network servers) are under system administrator control and subject to security requirements, and/or the control system host is situated far from any server host, the data collector and terminal server services can run on different machines. The data collector creates no pipes and opens no network ports, so it can run under a normal user's authority. The terminal server does create pipes and open network ports, so it can run under administrator authority with appropriate access controls.
When clients are expected to connect to the terminal server from outside a trusted network, the terminal server host can be situated behind a firewall/SSH server and the firewall host can control remote client access to the terminal server using SSH authentication methods and other firewalling rules. It is only necessary for the clients to request port forwarding to the terminal server when making connections to the SSH server. The PC8800 client fully supports this.
Creating an SSH “tunnel” for traffic moving over the internet or other WAN between the PC8800 terminal emulator and the control system host provides complete security for the conduct of “mission critical” control, since SSH authenticates clients with a very secure method (RSA public/private key pairs) and strongly encrypts all traffic.
Connecting with PC8800 or PC5200
PC8800 and PC5200 are ordinary Win32 applications. They can connect to a control system host directly by way of a serial port, or remotely through the server and collector services described above (with or without the mediation of an SSH server).
PC8800 and PC5200 provide a network setup dialog to allow the user to specify the address of the host running the remote terminal service. See the illustration below. If the user is not connecting over the internet or other WAN that is subject to security attacks, she can specify a direct connection by checking “Direct” for the “Connect method”. In that case, she does not need to specify an SSH server address, etc. After specifying the terminal server host, she merely clicks on “OK” and then, from the PC8800 main menu, selects the “Network” connection method, and “On Line”. PC8800 or PC5200 will then connect to the terminal server and the server will present a login prompt. After the user logs in, giving a user name and password for the server, she is connected to the control system host.
To establish a connection over the internet from a remote location, the user might be required to use SSH tunneling for security reasons. In that case, after specifying the terminal server host in the Network Setup dialog, the user should check “Tunnel through SSH” as the connect method and fill in the fields required for this type of connection. The user must already have created an RSA public/private key pair, and provided her public key to the system administrator. The system administrator must have created an account for her on the SSH server (under some user name) and associated her public key with her account. When the user sets up the PC8800 client for an SSH session, she provides the SSH server’s address, her user name on that server, and a path to her private key file. Login then proceeds more or less as for the direct connect method. PC8800 or PC5200 automatically requests that the SSH server forward the SSH session traffic to the remote terminal server.
Functions of the Data Collector
The data collector, pc88clct.exe, runs on a Windows PC that is connected by an RS-232 serial cable to the control system host. The data collector is a Win32 service. It has no graphical user interface (no window) of its own. It is intended to run all the time as a background task. While it typically runs under the authority of an ordinary user, it is installed and set up to start and run automatically, so that the user does not have to log on and manually launch it. Once installed and started, its operation is automatic.
When it starts, the data collector service first initializes the serial port which will handle communications with the control system host. It then establishes a network connection to the terminal server service program by opening the server's named pipe. The collector then commences reading data received from the control system host at the serial port and forwarding that data to the server over the pipe. Likewise, it begins reading data from the server's pipe (originating at a remote terminal emulator) and forwarding that data to the control system host via the serial connection.
Serial communications parameters can be set by the user of the collector program.
Functions of the Server
The server, pc88srvr.exe, is also a Win32 service application with no graphical user interface (window) of its own, intended to run constantly “in the background”. Its function is to create and control the communications channels that are used by the data collector and the PC8800 emulator clients.
When it starts up, the server first creates a named pipe to support communications between it and the data collector service. The data collector will open this pipe. The pipe will then be available to pass serial data collected from the external control system host to the server, and to pass data received by the server back to the control system host by way of the collector.
Next, the server starts listening for client connections on a TCP port (for now port 3333). PC8800 clients can connect to this port, either directly (providing a user name and password as prompted), or by way of a “tunnel” through a secure SSH connection.
Direct connection would be appropriate for trusted clients on a private network. An SSH tunnel is preferred for remote clients connecting by way of the internet. To establish a tunneled connection with the server, each client must first establish an SSH session with an SSH server. In the process of establishing this connection, the client requests that the SSH server forward session traffic to the Mirador terminal server. The PC8800 client is fully capable of supporting both direct and tunneled SSH connections.
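The tunneled configuration described here and in the user setup above relies on the SSH server forwarding each client only to the terminal server port. The following is an added example, not Mirador's code, of how an administrator of an OpenSSH-based firewall host could confine a PC8800 user's key to exactly that forwarding destination and audit an existing authorized_keys file for keys that are not confined. The terminal server host name and the key material are constructed placeholders; port 3333 is the one stated on this page.

```shell
#!/bin/sh
# Added example (not part of the Mirador product). Assumes an OpenSSH server
# (7.2 or later, which supports the 'restrict' option) on the firewall host.

TS_HOST="terminal-server.example.internal"   # assumed terminal server host name
TS_PORT="3333"                               # terminal server TCP port from the page

# Emit one authorized_keys line for a PC8800 user's public key.
# 'restrict' disables agent, X11 and PTY allocation and all forwarding;
# 'port-forwarding' re-enables TCP forwarding only; 'permitopen' confines
# it to the terminal server port, so the session can be used for nothing else.
tunnel_only_key_line() {
  pubkey="$1"
  printf 'restrict,port-forwarding,permitopen="%s:%s" %s\n' \
    "$TS_HOST" "$TS_PORT" "$pubkey"
}

# Audit an authorized_keys file: print every key that is not confined to the
# terminal server port. Returns 0 when all keys are confined, 1 otherwise.
check_authorized_keys() {
  file="$1"
  bad=0
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*) continue ;;                     # skip blank lines and comments
    esac
    case "$line" in
      *restrict*permitopen=\"$TS_HOST:$TS_PORT\"*|*permitopen=\"$TS_HOST:$TS_PORT\"*restrict*) ;;
      *) echo "unconfined key: $line"; bad=1 ;;
    esac
  done < "$file"
  return $bad
}
```

The host and port in `permitopen` must match exactly what the PC8800 client requests in its forwarding request (name versus IP address matters), or the SSH server will refuse the forward and the login to the terminal server will never start.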
The server function is implemented in a separate executable in order to facilitate security measures that are often necessary when communications take place over a network. In a minimal configuration, the data collector and server can run on the same PC under the same user’s authority, and clients on a trusted network can connect directly. In a more secure networked configuration, the server is typically run on a designated server machine under the authority of the system administrator. The system administrator can control which users can connect to the server’s pipes over the network by creating a terminal server users' group and making those users members of the group. When the administrator installs the server, he or she specifies to the server the name of the group that has been created, whose members will have access to the pipes the server manages.
Each PC that is to host one or both of the service programs must be running Windows NT 4.0, 2000 or XP Professional, have CPU and memory resources appropriate to the operating system, and have an Ethernet connection. The PC running the collector program must have one available serial port.
Note that Windows XP Home Edition does not support user groups or participation in a domain. Therefore it is not suitable for running these services.
Copyright © 2001-2014 by Mirador Software All Rights Reserved
1040 West End Blvd. Winston-Salem, NC 27101 USA
e-mail firstname.lastname@example.org Telephone 1-770-850-9100 / FAX 1-770-881-7958