2PAA110154-610 A en System 800xa 6.1 Operator Workplace Support For Mobile Device
ABB may have one or more patents or pending patent applications protecting the intellectual property in the ABB
products described in this document.
The information in this document is subject to change without notice and should not be construed as a commitment
by ABB. ABB assumes no responsibility for any errors that may appear in this document.
Products described or referenced in this document are designed to be connected, and to communicate information and
data via a secure network. It is the sole responsibility of the system/product owner to provide and continuously ensure
a secure connection between the product and the system network and/or any other networks that may be connected.
The system/product owners must establish and maintain appropriate measures, including, but not limited to, the
installation of firewalls, application of authentication measures, encryption of data, installation of antivirus programs,
and so on, to protect the system, its products and networks, against security breaches, unauthorized access, interference,
intrusion, leakage, and/or theft of data or information.
ABB Ltd and its affiliates are not liable for damages and/or losses related to such security breaches, any unauthorized
access, interference, intrusion, leakage and/or theft of data or information.
ABB verifies the function of released products and updates. However system/product owners are ultimately responsible
to ensure that any system update (including but not limited to code changes, configuration file changes, third-party
software updates or patches, hardware change out, and so on) is compatible with the security measures implemented.
The system/product owners must verify that the system and associated products function as expected in the environment
they are deployed.
In no event shall ABB be liable for direct, indirect, special, incidental or consequential damages of any nature or kind
arising from the use of this document, nor shall ABB be liable for incidental or consequential damages arising from use
of any software or hardware described in this document.
This document and parts thereof must not be reproduced or copied without written permission from ABB, and the
contents thereof must not be imparted to a third party nor used for any unauthorized purpose.
The software or hardware described in this document is furnished under a license and may be used, copied, or disclosed
only in accordance with the terms of such license. This product meets the requirements specified in EMC Directive
2014/30/EU and in Low Voltage Directive 2014/35/EU.
Trademarks
All rights to copyrights, registered trademarks, and trademarks reside with their respective owners.
Table of Contents
1 Introduction
1.1 Architecture  13
1.2 Server System Requirements  14
2 Concepts
2.1 Factory Coverage  17
2.1.1 Access point placement best practices  17
2.2 Service Set Identifier  18
2.3 Security  18
2.3.1 Understand the range of the wireless network.  18
2.3.2 Use highest security available.  19
2.3.3 Ensure that all default passwords are changed.  19
3 Wireless Components
3.1 Wireless Components  21
3.2 Wireless Configuration  23
5 Certificate Authority
5.1 Installing the Certificate Authority  68
5.2 Configuring the Certificate Authority  74
6 Creating Certificates
6.1 Creating a new certificate for a device  83
6.2 Export Certificates  90
About this User Manual
User Manual Conventions
The System 800xA Safety AC 800M High Integrity Safety Manual (3BNP004865*)
must be read completely by users of 800xA High Integrity. The recommendations
and requirements found in the safety manual must be considered and implemented
during all phases of the life cycle.
Any security measures described in this user manual, for example, for user access,
password security, network security, firewalls, virus protection, and so on, represent
possible steps that a user of an 800xA System may want to consider based on a risk
assessment for a particular application and installation. This risk assessment, as well
as the proper implementation, configuration, installation, operation, administration,
and maintenance of all relevant security related equipment, software, and procedures,
are the responsibility of the user of the system.
System 800xA is used for monitoring and controlling a process plant. This user manual
describes the configuration of an Operator Workplace for a mobile device.
Information in this user manual is intended for the engineers of a process plant.
Electrical warning icon indicates the presence of a hazard that could result in electrical
shock.
Warning icon indicates the presence of a hazard that could result in personal injury.
Tip icon indicates advice on, for example, how to design your project or how to use
a certain function.
Although Warning hazards are related to personal injury, and Caution hazards are
associated with equipment or property damage, it should be understood that operation
of damaged equipment could, under certain operational conditions, result in degraded
process performance leading to personal injury or death. Therefore, fully comply with
all Warning and Caution notices.
Terminology
A complete and comprehensive list of terms is included in System 800xA Terminology
and Acronyms (3BSE089190*). The listing includes terms and definitions that apply to
the 800xA System where the usage is different from commonly accepted industry standard
definitions.
Term/Acronym  Description
802.11        IEEE standard to encourage interoperability among wireless networking equipment
802.1X        IEEE standard for an authentication framework for wireless LANs
ACL           Access Control List
AP            Access Point
CA            Certification Authority
EAP           Extensible Authentication Protocol
FW            Firewall
LAN           Local Area Network
MAC           Media Access Control
NPS           Network Policy Server
PKI           Public Key Infrastructure
RADIUS        Remote Authentication Dial-In User Service
SSID          Service Set Identifier
SSL           Secure Sockets Layer
TLS           Transport Layer Security (equivalent to SSL)
WEP           Wired Equivalent Privacy (802.11 basic encryption)
Wi-Fi         Wireless Fidelity
WLAN          Wireless Local Area Network
WPA           Wi-Fi Protected Access
1 Introduction
1.1 Architecture
An overview of the concepts involved in providing wireless access from a mobile device,
such as a tablet, to the 800xA system is shown in Figure 1.1. As a tablet generally does
not have a native remote desktop client, a third-party application is required, as described
in section Remote Connection to 800xA. Wireless connectivity is provided by multiple
wireless access points that also implement firewall and intrusion detection systems.
1.2 Server System Requirements
The technology described in this guide is part of the IEEE 802.1X standard. Protected
Extensible Authentication Protocol (PEAP), which uses certificates, is used to establish
the connection between wireless devices and wireless networks. This requires a Certificate
Authority (CA) server to be present in the network. To provide security authorization, at
least one Network Policy Server (NPS) is used; this provides Remote Authentication
Dial-In User Service (RADIUS) authorization functionality. A separate network is used for
the server side of the wireless network to minimize the exposed Windows services.
The wireless access points are connected to one or more 800xA Remote Desktop Session
Hosts (previously called Terminal Servers) which provide the login sessions for the
remote desktop connection.
Due to the limited screen size, graphic displays need to be engineered accordingly.
Additional security measures must also be implemented to restrict who can log in to the
system, and to ensure that those users cannot operate equipment.
The requirements:
• Windows Server Operating System
• Active Directory based system
• Remote Desktop Session Host with Remote Desktop Services role
• Remote Desktop Licensing
Note that there are settings in the local user configuration on a computer that may appear
to define an application to run at logon, but this does not work. Instead, the user
settings must be defined in the domain.
The Remote Desktop Session Host (formerly called Terminal Services) role must be
installed before other applications can be installed. Addition and configuration of
this role is described in section Remote Desktop Session Host Server Configuration.
2 Concepts
• How will the environment change over time? Stock build-up may interfere with signal
strength.
• What are the potential electrical sources of interference? For example, arc welders,
medical equipment, electric motors, and wireless video cameras.
2.3 Security
The security of a wireless system is dependent on the configuration of each of the
components in the WLAN. This includes the physical configuration, the configuration of
the devices and access points, and the subsequent monitoring of the system.
3 Wireless Components
3.1 Wireless Components
3.2 Wireless Configuration
4 Remote Desktop Sessions
4.1 RDS Host Server Licensing
This section describes the Remote Desktop Session (RDS) Server Licensing, RDS
Server Licensing Configuration, RDS Server Role, and the RDS Server User
Configuration.
4.1.1 Installation
Execute the following steps to add the host server licensing role on the domain controller:
1. Log on to the Domain Controller and start the Server Manager.
2. Select Roles > Add Roles and features.
5. At the Select destination server, select the domain controller, and click Next.
Figure 4.4: Selecting domain controller as the destination server for new roles
6. Select Remote Desktop Services as the additional role and click Next.
9. Select the Remote Desktop Licensing role, then click Add Features at the prompt for
the suggested additional features. Click Next.
Figure 4.8: Adding the Remote Desktop Licensing role and additional features
11. After the successful installation, click Close and restart the domain controller.
3. The following example uses Automatic connection, since an internet connection was
available. Where this is not practicable, there is an option for activation over the
telephone. Click Next.
Figure 4.14: Selecting Automatic connection (usually via internet) to activate the
server
4. Enter name, company, and country details for the administrator of the system and
click Next.
Figure 4.15: Providing identification details for the activation of the RD licensing
server
Figure 4.16: Providing optional information for the activation of the RD licensing
server
6. In the Completing the Activate Server Wizard window, remove the selection of
Start Install Licenses Wizard now, and click Finish.
Reviewing Configuration
Execute the following steps:
1. After activating the licensing service, right-click the server and select Review
Configuration to review the configuration.
2. If there is any issue with membership of the license server, click Add to Group.
3. At the request to add the computer account for the license server, click Continue.
Figure 4.20: Adding the computer account to the Terminal Server License Server
group
Figure 4.21: Confirmation that the computer account is added to the Terminal Server
License Server group
4. Add the purchased licenses and click Next to install the licenses.
4.2 RDS Host Server Role
4. At the Select Deployment Type, select Standard Deployment and click Next.
7. At least one node must be the RD Connection Broker server. In this example, the
first Remote Desktop Session Host is configured as the RD Connection Broker server.
Add the server as the RD Connection Broker server and click Next.
8. At least one node must be the RD Web Access server. In this example, the first
Remote Desktop Session Host is configured as the RD Web Access server. Add the
server as the RD Web Access server and click Next.
10. Select the Restart the destination server automatically if required check box
and click Deploy.
11. After restarting the computer, start the Server Manager to view the progress. Click
Close.
2. Add the computers that are to become additional Remote Desktop Session Hosts,
and click OK.
4. Select the additional servers that are to become Remote Desktop Session Host
Servers, and click Next.
2. Select RD Licensing and specify the licensing mode according to the type of RD License
CALs purchased. Type in the computer name of the RD license server, click Add,
and then click Apply and OK.
Figure 4.47: Specifying the RD Licensing for the Remote Desktop Server
4.3 Creating a Remote User
2. To grant access for remote desktop login, make the user a member of the remote
desktop security group. The user is also added to the IndustrialITUser group for access
to 800xA, and to the Users group to allow local login.
4.4 Creating a New Collection
3. Provide a name and description for the new collection and click Next.
4. Add the Remote Desktop Session Hosts to the new collection and click Next.
Figure 4.54: Adding Remote Desktop Session host servers to the new collection
5. Specify the user groups that are allowed to connect to the collection. In the default
wizard configuration, Domain Users is added. To limit user access more tightly, use the
group created specifically for remote access; in this example, the IndustrialITRemote
user group.
Figure 4.55: Specifying the user groups to have access to the remote desktop
session collection
6. Remove the selection of Enable user profile disks check box and click Next.
7. At the Confirm Selections window, review the configuration and click Create.
4.5 Limiting loading of Remote Desktop Session - Load balancing
Figure 4.59: Editing the collection properties to access the load balancing settings
2. Select the Load Balancing option and specify the Session Limit. In the example
below, each Remote Desktop Session Host has been limited to 2 sessions. A user logged
on to the server locally (that is, not in a remote session) is still counted as a
session. This value should be set to the maximum number of users intended for each
RD Session Host server.
Figure 4.60: Configuring load balancing for the Remote Desktop Session Collection
Any of the Remote Desktop Session Host server IP addresses can be used to make a
connection. If the designated server session limit is reached, another available server
in the collection will be used. If there are no more sessions available, an error message
will be presented.
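The following PowerShell script is an added example and is not part of this ABB manual. It expresses the Server Manager steps of sections 4.1, 4.2, 4.4 and 4.5 as cmdlets of the Windows ServerManager and RemoteDesktop modules; activation of the license server and installation of the purchased CALs (section 4.1) remain interactive. The host names, the domain name plant.example and the collection name MobileWorkplace are placeholders; IndustrialITRemote is the remote-access group the manual uses. Run it as a domain administrator on the first session host.

```powershell
# Added example, not from the ABB manual. All host names are placeholders.
$Broker      = 'mob-ts1.plant.example'                          # first session host, also RD Connection Broker and RD Web Access
$Hosts       = @('mob-ts1.plant.example', 'mob-ts2.plant.example')
$LicServer   = 'dc1.plant.example'                              # domain controller carrying the RD Licensing role
$Collection  = 'MobileWorkplace'
$RemoteGroup = 'PLANT\IndustrialITRemote'                       # group created specifically for remote access (section 4.4)

# Section 4.1: RD Licensing role on the domain controller. Activating the license
# server and installing the CALs is still done in the Licensing Manager wizard.
Install-WindowsFeature -Name RDS-Licensing -IncludeManagementTools -ComputerName $LicServer

# Section 4.2: standard deployment; the first session host carries the broker and
# web access roles, as in the manual's example (steps 7 and 8).
New-RDSessionDeployment -ConnectionBroker $Broker -WebAccessServer $Broker -SessionHost $Hosts[0]

# Section 4.2, second procedure: add the remaining session hosts to the deployment.
$Hosts | Select-Object -Skip 1 | ForEach-Object {
    Add-RDServer -Server $_ -Role RDS-RD-SERVER -ConnectionBroker $Broker
}

# Section 4.2, RD Licensing: the mode must match the CAL type purchased (PerUser or PerDevice).
Set-RDLicenseConfiguration -LicenseServer $LicServer -Mode PerUser -ConnectionBroker $Broker -Force

# Section 4.4: a collection restricted to the remote-access group instead of the
# default Domain Users, and without user profile disks (steps 5 and 6).
New-RDSessionCollection -CollectionName $Collection -SessionHost $Hosts -ConnectionBroker $Broker `
    -CollectionDescription 'Mobile device operator workplace'
Set-RDSessionCollectionConfiguration -CollectionName $Collection -UserGroup $RemoteGroup -ConnectionBroker $Broker
Set-RDSessionCollectionConfiguration -CollectionName $Collection -DisableUserProfileDisk -ConnectionBroker $Broker

# Section 4.5: per-host session limit (2 in the manual's example). A console logon on
# the host counts as one of these sessions, so size the limit accordingly.
$lb = Get-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker -LoadBalancing
foreach ($entry in $lb) { $entry.SessionLimit = 2 }
Set-RDSessionCollectionConfiguration -CollectionName $Collection -LoadBalancing $lb -ConnectionBroker $Broker

# Checks worth keeping in the commissioning record: who may connect, and the limits in force.
Get-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker -UserGroup
Get-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker -LoadBalancing |
    Select-Object SessionHost, Priority, SessionLimit
```

The two query calls at the end are the scripted counterpart of the test in section 4.6: if the session limit shown per host is 2, a third connection to that host is redirected to another host in the collection, and once all hosts are full the client receives the connection error shown in Figure 4.63.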
4.6 Testing Load Balancing
Figure 4.61: One remote desktop session user in addition to the locally logged in user
in Remote Desktop Session Host Server 1
When an additional user is logged in (rduser2), this user is redirected to another remote
desktop session host in the same collection. Figure 4.62 shows the example, mob-ts2.
Figure 4.62: A second remote desktop session user is redirected to an available remote
desktop session host server
If there are no available Remote Desktop Session Host Servers, that is, all the session
limits are reached, an error box, see Figure 4.63, will be presented indicating there was
a problem connecting to the remote computer.
Figure 4.63: Attempting to establish a remote desktop session where session limits have
been reached
4.7 Enabling Audio
To enable audio:
1. Select Services from the Computer Manager. Right-click the Windows Audio service
and select Properties.
2. Set the Startup type to Automatic, click Start and then click OK.
Figure 4.66: Setting the Windows Audio service to Automatic and starting the service
3. Now, the speaker in the system tray indicates that the audio is enabled.
Figure 4.67: Audio enabled in the Remote Desktop Session Host server
5 Certificate Authority
The certificate authority is responsible for providing the certificates that are used in the
authentication of the wireless device to the wireless access point. As a limited number
of mobile devices is expected to be used with the 800xA system, it is preferable to have
one certificate per device. This gives finer control over device access to the wireless
networks.
5.1 Installing the Certificate Authority
Figure 5.1: Selecting the Add Roles and features to add the certificate authority role
Figure 5.4: Selecting the RADIUS server for installation of the new role
5. At the Select Server Roles window, select the Active Directory Certificate
Services role. This prompts to add additional features. Select the Include
management tools check box and click Add Features.
Figure 5.5: Selecting to add the Active Directory Certificate Services role and required
features
8. At the Select role services window, select the Certification Authority role and
click Next.
5.2 Configuring the Certificate Authority
2. Provide the required administrative credentials to configure the node and click Next.
Figure 5.12: Supplying the required administrative credentials to configure the role
4. At the Setup Type window, keep the setting as Enterprise CA and click Next.
5. At the Specify CA Type window, leave the setting as Root CA and click Next.
6. Select Create a new private key when requested to set up a private key and click
Next.
7. Leave the defaults when configuring the cryptography for CA, and click Next.
8. Leave the default suggestion for the common name for the CA and click Next.
9. Enter a validity period for the certificate generated by the CA and click Next.
10. Leave the certificate database settings as default and click Next.
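The following PowerShell script is an added example and is not part of this ABB manual. It makes the wizard choices of section 5.1 (steps 5 and 8) and section 5.2 (steps 4 to 10) with the ServerManager and ADCSDeployment modules on the domain controller. The CA common name plant-DC1-CA and the five-year validity are placeholders; the cryptographic settings are spelled out instead of being left to the wizard defaults so that the record of what was configured is explicit.

```powershell
# Added example, not from the ABB manual. CA name and validity are placeholders.
$CaName = 'plant-DC1-CA'

# Section 5.1: the Active Directory Certificate Services role with its management tools
# (steps 5 and 8 select the role and the Certification Authority role service).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Section 5.2: Enterprise root CA (steps 4 and 5), new private key (step 6), key
# storage provider, key length and hash (step 7), CA common name (step 8), validity
# period (step 9). The certificate database stays at its default location (step 10).
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# Checks before moving on to NPS (chapter 7): the CA service is running, the CA
# certificate is in the machine's Root store, and its key and signature parameters
# are what was requested. The NPS PEAP certificate warning in section 7.3 step 5
# is what appears if this node is not the CA.
Get-Service -Name CertSvc | Select-Object Name, Status
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Subject -like "CN=$CaName*" |
    Select-Object Subject, NotAfter, SignatureAlgorithm, Thumbprint
```

Because the CA is an enterprise root, domain-joined computers receive the CA certificate through Active Directory; the Root-store query above is the quickest way to confirm that on any other node later.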
6 Creating Certificates
Each device should have its own certificate. When the NPS server configuration is
created, one certificate is used for the first client access.
6.1 Creating a new certificate for a device
2. Handling certificates is done through a Snap-in. Select File > Add/Remove Snap-in.
3. From the available snap-ins, select the Certificates snap-in and then click Add.
5. Select to manage certificates for the local computer and click Finish.
6. Click OK.
7. To create a new certificate, navigate to the Console Root > Certificates > Personal
> Certificates, right-click the Certificates item and select All Tasks > Request New
Certificate.
10. Select Computer at the Request Certificates window and click Enroll.
11. At the confirmation that the new certificate has been produced, click Finish.
12. Use the Properties on the new certificate to change the friendly name to identify the
intended device.
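The following PowerShell script is an added example and is not part of this ABB manual. It performs the Certificates snap-in steps 7 to 12 of section 6.1 and the export of section 6.2 with the Windows PKI module, run on the node where the snap-in would be opened. The device name tablet-01, the export folder and the template name Machine (the template name of the built-in Computer template) are placeholders or assumptions; adjust them to the site's own template if a dedicated device template was created.

```powershell
# Added example, not from the ABB manual. Device name and export path are placeholders.
$DeviceName = 'tablet-01'
$ExportPath = "C:\certs\$DeviceName.pfx"

# Section 6.1 step 10: enroll from the Computer template (template name 'Machine')
# into the local machine Personal store, which the snap-in shows as Personal > Certificates.
$enroll = Get-Certificate -Template 'Machine' -CertStoreLocation 'Cert:\LocalMachine\My'
if ($enroll.Status -ne 'Issued') { throw "Enrollment did not complete: $($enroll.Status)" }
$cert = Get-Item "Cert:\LocalMachine\My\$($enroll.Certificate.Thumbprint)"

# Section 6.1 step 12: the friendly name is what ties the certificate to one device.
$cert.FriendlyName = $DeviceName

# Section 6.2: export certificate and private key for transfer to the device. The PFX
# password is given to the person provisioning the device separately from the file.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password for $DeviceName"
New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $ExportPath -Password $pfxPassword | Out-Null

# Checks: the chain validates against the enterprise CA, and the manual's policy of
# one certificate per device holds (more than one hit means an old one was not removed).
if (-not (Test-Certificate -Cert $cert)) { Write-Warning "Chain validation failed for $DeviceName" }
$perDevice = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object FriendlyName -eq $DeviceName)
if ($perDevice.Count -ne 1) { Write-Warning "$($perDevice.Count) certificates carry the friendly name $DeviceName" }
$cert | Select-Object FriendlyName, Subject, NotAfter, Thumbprint
```

Keeping the thumbprint printed at the end in the device register makes it straightforward to revoke exactly one device's certificate on the CA later, which is the control that one-certificate-per-device is meant to provide.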
6.2 Export Certificates
7 Configuring NPS (RADIUS)
7.1 Adding NPS (RADIUS)
This section describes the procedure to add and configure the NPS (RADIUS).
Figure 7.4: Selecting the authorization server for the NPS (RADIUS) role
5. In the Select Server Roles window, select the Network Policy and Access Services
check box and click Next.
Figure 7.5: Adding the Network Policy and Access Services role
7. In the Network Policy and Access Services window, review the information on the
policy and click Next.
8. In the Select Role Services window, select the Network Policy Server check box to
allow access to the Remote Desktop Session Host servers. Click Next.
7.2 Registering the server with Active Directory
2. Right-click the NPS object and select Register server in Active Directory from
the context menu.
3. Click OK to confirm that the computer is to be authorized to read users' dial-in properties.
Figure 7.13: Request to authorize the computer to read users' dial-in properties
Figure 7.14: Confirmation that the computer is authorized to read users' dial-in
properties
7.3 Configuring NPS (RADIUS)
2. In the Configure 802.1X dialog, select Secure Wireless Connections. Enter the
name of the policy and click Next.
3. The next window provides the ability to add wireless access points. In this guide,
the clients will be added at a later stage. Click Next to continue.
Figure 7.17: Configuration window for adding clients such as wireless access points
4. In Type, select Microsoft Protected EAP (PEAP) and click Configure to confirm the
authentication method. The certificates will be set up at a later stage.
5. With the certificate in place, the Edit Protected EAP Properties dialog appears.
If a warning appears stating that no certificate is available, either the Certificate
Authority has been installed on another node or it has not been installed on the Domain
Controller. Multi-node CA, NPS and DC deployments are not in the scope of this user guide.
Click OK to return to the Configure an Authentication Method window (see Figure
7.18). Click Next.
6. The Specify User Groups window is used to restrict authentication to specific
user groups. It is recommended to restrict the users to non-administrative user
groups. In the following example, the Groups list is left blank. Click Next.
7. The Configure Traffic Controls window appears. It is used to configure the traffic
control attributes. In this example, no adjustments are made. Click Next.
7.4 Starting and Stopping the NPS Service
2. To start the NPS Service, right-click the NPS object and select Start NPS Service
from the context menu.
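The following PowerShell script is an added example and is not part of this ABB manual. It covers the role installation of section 7.1, the Active Directory registration of section 7.2, the RADIUS client entry that section 7.3 step 3 defers to a later stage, the service control of section 7.4, and the certificate check behind the warning in section 7.3 step 5. The 802.1X policy itself is created in the Configure 802.1X wizard as described. The access point name and address, and the domain plant.example, are placeholders; NPAS is the feature name on Windows Server 2016 and later (NPAS-Policy-Server on 2012 R2).

```powershell
# Added example, not from the ABB manual. AP name, AP address and domain are placeholders.
$ApName    = 'ap-hall-1'
$ApAddress = '10.10.20.11'
$Domain    = 'plant.example'

# Section 7.1: Network Policy and Access Services role with the Network Policy Server service.
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# Section 7.2: register NPS in Active Directory. This is the authorization to read users'
# dial-in properties confirmed in Figures 7.13 and 7.14.
netsh nps add registeredserver $Domain $env:COMPUTERNAME

# Section 7.3 step 5: PEAP needs a certificate with the Server Authentication purpose in
# this computer's Personal store. The wizard's "no certificate available" warning means
# this query returns nothing, which is the case when the CA is on another node.
$peapCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' }
if (-not $peapCert) { Write-Warning 'No Server Authentication certificate in the machine store; PEAP cannot be configured yet.' }

# Section 7.3 step 3 (added later): each access point is a RADIUS client with its own
# shared secret. Generate a long random secret instead of typing one; it is then entered
# once on the access point.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)
New-NpsRadiusClient -Name $ApName -Address $ApAddress -SharedSecret $secret -Enabled $true
Write-Host "Shared secret for $ApName (enter on the access point, then close this window): $secret"

# Section 7.4: the NPS service is registered under the name IAS.
Start-Service -Name IAS
Get-Service -Name IAS | Select-Object Name, Status

# Monitoring: with NPS auditing enabled, the Security log records 6272 (access granted)
# and 6273 (access denied). Listing the last day's denials shows which devices fail
# PEAP authentication, without touching any credential.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

If a wireless device cannot connect after chapter 6 has been completed for it, the 6273 entries are the first place to look: the event text names the RADIUS client the request came through and the reason the policy rejected it.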
8 Remote Desktop Session Host Server Configuration
The goal for the Remote User Configuration is to provide a configuration where the
remote operator logs on to the 800xA system and is presented only with an 800xA
workplace. When the workplace is closed, the remote desktop session is automatically
closed.
If the remote operator disconnects from the session, reconnecting to the system presents
the same remote desktop session.
Note that automatic closing of remote desktop session can be configured in the Remote
Desktop Session Host server. It may be desirable to set this to a time that allows
movement between production areas without closing the session.
Whilst remote desktop log on may be granted to an existing user, the configuration
described here assumes that a separate user is created for remote logon to enable the
remote user privileges to be more restrictive, that is, monitor the process, but not to
operate it.
Following is the procedure to set up the first remote user:
1. Create a remote user.
2. Create a Remote Operators security group.
3. Add the remote operator to the Remote Operators and IndustrialITUser group.
4. Add the remote operator to the 800xA system.
5. Add the Remote Operators group to the Remote Desktop Session Host Server
Remote Desktop Host Configuration security.
6. Add the Remote Operators group to the local policy of the Remote Desktop Session
Host Server for the Allow log on locally, and Allow log on through Remote Desktop
Services.
7. Restart the Remote Desktop Session Host server.
8. Test log on to the remote operator through the Windows remote desktop client.
9. Create a desktop shortcut to a specific mobile device configured 800xA Workplace.
10. Use the startup program definition from the shortcut to set up the environment startup
program for the remote user.
11. Configure the 800xA User profile for the remote user to use the specified mobile
device configured workplace in Operator workplace mode.
12. Configure remote operator privileges for non-operation.
13. Test that remote desktop log on of the remote operator provides a full screen operator
workplace with no desktop.
8.3 Create a desktop shortcut to a mobile device configured Workplace
Figure 8.2: Using the 800xA Workplace application to create a desktop icon
8.4 Setting the remote operator startup application
2. Copy the Application Target line. As this must be entered on the Domain Controller,
the target definition can be copied into a text file that is then copied to the
Domain Controller.
3. Log on to the domain controller and start the Active Directory Users and Computers
program.
4. Double-click the remote operator account. Select the Environment tab and check
the Start the following program at logon check box. Paste in the target path
obtained through the desktop shortcut as in Figure 8.5.
Figure 8.6: Updating the remote operator user to only start the Workplace at log on
8.5 Configuring the 800xA user profile for the remote
8.6 Configure remote operator privileges for non-operation
Figure 8.9: Placing a Security Definition on the Control Network to restrict operations
While this allows the remote operator to view graphic displays and faceplates, the buttons
on the faceplate will be disabled.
Figure 8.10: Confirmation that the remote operator cannot control production
8.7 Test the remote desktop log on of the remote operator
9 800xA Customization for a Mobile Device
9.1 A customized 800xA Operator Workplace
Due to the smaller screen area of a mobile device, such as a tablet, there may be
difficulties interacting with items on the screen. This may be due to the small size of
items such as the close window button at the top right of the window, or the need to
scroll across a number of columns in an alarm band.
There are two main areas of customization for a mobile device configured workplace.
The first customization includes 800xA objects to assist in setting up a workplace in a
smaller screen area, and the second is to configure Windows to enlarge certain Windows
elements.
9.2 Windows Configuration on Small Screens
Since this configuration removes the target information, a copy should be placed into
a text file for easy restoration of the setting.
9.3 Changing the Title Bar Size
3. Select the Title Bars and change the Font. Click Apply to commit the changes.
Figure 9.4: Modifying the title bar for a larger close button
5. The following is the modified workplace. This minor modification results in easier
closing of windows in the workplace.
10 Configuring Wireless Access Points
This section describes a procedure to configure wireless access points and add them
to RADIUS. The example uses an access point of type BAT54, which also requires the
configuration tool to be installed and the rail devices to be configured.
This section is described based on wireless access points that are not previously
configured, or reset to the default settings.
To enable easy identification of each device, it is recommended to have only one
new device on the network at a time. After assigning an IP address to the device, the
next device is attached to the network and configured.
10.1 Configuring Tool Installation
4. The Target Directory wizard appears. Click Browse to select the location to install
the software. Click Next.
6. The Setup complete wizard appears. Click Finish to complete the installation.
10.2 Configuring Wireless Access Points
2. The Firmware update dialog appears. Click OK to acknowledge the notification that
there are no firmware files in the archive directory.
Figure 10.8: Notification that there are no firmware files in the archive directory
Group configuration of access points has been found to set up only one of the wireless
networks. Hence, group configuration of access points should be avoided unless full
functionality can be established.
4. Select File > Find Devices option.
If there is difficulty in finding a device that has just been added to the network, it may
be necessary for only the new device to be on the network, i.e. temporarily disconnect
the other BAT54 wireless access points. The other access points need to remain
disconnected until the initial configuration has been written to the newly attached
access point. This procedure applies to the initial setup of the device only, and not
after the wireless network is in use.
7. The Setup Wizard for BAT54 Rail dialog appears. Click Next.
8. In Device Name, enter a name for the device and click Next.
10. The next window provides the option to define how the device should get its IP
address. For this configuration, a static address is defined by first setting the DHCP
mode to Off.
Click Next.
Figure 10.16: Defining that a static IP address will be assigned to the device
11. The first access point in the example will be set to 192.168.0.1. As the device only
needs to communicate to the Remote Desktop Session Host servers, no gateway
or DNS server addresses are required.
Enter the IP address and click Next.
12. Enter the relevant information in Location, Administrator, and Comments. This
information will be used for the general maintenance of the wireless network. Click
Next.
15. After a period of checking the device, the setup wizard for the device will be
presented. To enable an understanding of the configuration, each required item will
be configured separately. Click Cancel.
Figure 10.21: Setup wizard which starts after initial setup of device
10.3 Configuring Rail Devices
Execute the following steps for the two wireless interfaces (if both are present). The
wireless interfaces must be assigned different channels, and the channels must not
interfere with adjacent wireless access points.
1. Select Configuration > Wireless LAN > General. In Interfaces, select WLAN
interface 1 (On) from drop-down.
Figure 10.24: Accessing the WLAN interface 1 parameters to change the radio
channel
2. In Channel Number, select the channel from the drop-down. Click OK.
4. Ensure that all interfaces are set up correctly and click OK.
2. Enter the name, IP address and shared secret for the RADIUS server.
The shared secret must be the same as the shared secret used when defining the access
point as a client in the RADIUS server.
Click OK.
After adding the RADIUS servers, it will be possible to define backup servers.
This functionality must be tested before the system is placed into production.
Figure 10.32: Setting the LAN bridge to router to enable the firewall to be used
3. Enter a name and IP address for the network and click OK.
4. The details of the network will be displayed in the IP Networks dialog. Click OK.
3. In Network name, select the IP network. Enter the IP address range, the broadcast
and default gateway values. Click OK.
The address range must be within the subnet range and must exclude the IP address
of the gateway. The gateway is the IP address of the defined network.
4. Verify that the RDP definition appears in the list and click OK.
2. Remove the existing firewall definitions and add the definitions (see Figure 10.45).
Click OK.
3. The first entry allows RDP traffic and the second ensures that all other traffic is
dropped.
10.4 Adding Access Points to RADIUS
3. In Friendly name, enter a name for the device. Enter the IP address and enter the
Shared secret that was used while setting the RADIUS server in the access point.
Click OK.
Figure 10.48: Adding the access point to the RADIUS server as a client
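The same registration, done from PowerShell on the NPS server so that the shared secret is generated once and checked after the client is added. This is an added example and not part of the manual or of ABB's tooling; it assumes the NPS role (and its NPS PowerShell module) is installed on the server it runs on, and the friendly name is a constructed placeholder. The address 192.168.0.1 is the first access point from the example in this chapter.

```powershell
# Added example: register a BAT54 access point as a RADIUS client in NPS.
# Assumes the NPS role (and its 'NPS' PowerShell module) is installed on this server.
# The friendly name is a constructed placeholder; the address is the first access
# point from the manual's example.
Import-Module NPS

function New-RadiusSharedSecret {
    param([int]$Length = 32)
    # Long random secret from a cryptographic RNG. The same value must be entered on
    # the access point (Configuration > RADIUS server) or authentication fails.
    # Alphabet is exactly 64 characters, so 'byte % 64' is unbiased; look-alike
    # characters (I, O, l, 0, 1) are left out to avoid transcription errors.
    $alphabet = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*+-=?')
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

$apName    = 'AP01-Placeholder'   # placeholder friendly name
$apAddress = '192.168.0.1'        # first access point address from Chapter 10
$secret    = New-RadiusSharedSecret

# Refuse to silently overwrite an existing client with the same friendly name.
if (Get-NpsRadiusClient | Where-Object { $_.Name -eq $apName }) {
    throw "RADIUS client '$apName' already exists; remove it or choose another name."
}

New-NpsRadiusClient -Name $apName -Address $apAddress -SharedSecret $secret | Out-Null

# Verify the client was recorded with the right address and is enabled.
$client = Get-NpsRadiusClient | Where-Object { $_.Name -eq $apName }
if (-not $client -or $client.Address -ne $apAddress -or -not $client.Enabled) {
    throw "RADIUS client '$apName' was not registered as expected."
}

# The secret is shown once so it can be entered on the access point; this script
# does not store it anywhere else.
Write-Output "Registered $apName ($apAddress). Shared secret (enter on the AP): $secret"
```

Run it in an elevated PowerShell session on the NPS server before configuring the RADIUS server entry on the access point (step 2 of 10.3), so the secret already exists when it is typed into the BAT54.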
11 Remote Desktop Session Host Server Routing
Each Remote Desktop Session Host Server must be setup with a route that defines the
gateway IP address that is responsible for forwarding traffic to the correct destination.
With multiple wireless access points in the network, this would require one route to be
setup for each access point. The route command has an option for making the definition
persistent when restarting the computer.
Figure 11.1: Routing between the Remote Desktop Session Host server and the wireless
networks
To create the required routing for the configuration in Figure 11.1, execute the following
Windows command on each terminal server:
route -p add 192.168.1.0 mask 255.255.255.0 192.168.0.1
The command needs to be executed using the administrative account. The -p option
makes the route persistent, so that it survives a restart of the Remote Desktop Session
Host server.
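The route definition above, scripted so that one persistent route is added per access point and each route is verified afterwards. This is an added PowerShell example, not part of the manual; the 192.168.1.0/24 network via 192.168.0.1 is the manual's own example, the second network and gateway are assumed placeholders for a further access point, and the script expects an elevated prompt as the text requires.

```powershell
# Added example: one persistent route per wireless network on a Remote Desktop
# Session Host server (see Figure 11.1). Run from an elevated prompt.
# Only the first entry comes from the manual; the second is a constructed
# placeholder for a further access point.
$WirelessRoutes = @(
    @{ Network = '192.168.1.0'; Mask = '255.255.255.0'; Gateway = '192.168.0.1' }  # from the manual
    @{ Network = '192.168.2.0'; Mask = '255.255.255.0'; Gateway = '192.168.0.2' }  # assumed second AP
)

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function ConvertTo-PrefixLength([string]$Mask) {
    # Count the 1 bits of a dotted-decimal mask, e.g. 255.255.255.0 -> 24.
    $bits = ($Mask.Split('.') | ForEach-Object { [Convert]::ToString([int]$_, 2) }) -join ''
    return ($bits.ToCharArray() | Where-Object { $_ -eq '1' }).Count
}

if (-not (Test-IsAdministrator)) {
    throw 'route -p requires an elevated (administrator) prompt.'
}

foreach ($r in $WirelessRoutes) {
    # -p stores the route in the persistent routes table so it survives a restart.
    & route.exe -p add $r.Network mask $r.Mask $r.Gateway | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "route add for $($r.Network) failed with exit code $LASTEXITCODE"
    }
}

# Verify: each destination must be in the active table with the expected next hop.
foreach ($r in $WirelessRoutes) {
    $prefix = "$($r.Network)/$(ConvertTo-PrefixLength $r.Mask)"
    $found  = Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue |
              Where-Object { $_.NextHop -eq $r.Gateway }
    if ($found) {
        Write-Output "OK      $prefix via $($r.Gateway)"
    } else {
        Write-Warning "MISSING $prefix via $($r.Gateway); check 'route print -4'"
    }
}
```

Because the routes are persistent, re-running the script after a change to the access point addressing reports the stale entries as still present; remove those with route delete before adding the replacements.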
12 Certificates for Mobile Devices
12.1 Transferring the Certificate to a Mobile Device
To enable a mobile device to connect to the access point, the certificate for the device
must be exported and sent to the device through an email and installed. Refer to section
Export Certificates on how to export a certificate. Take precautions when using emails
to deliver certificates. The email must not remain accessible after delivering the certificate
because the certificate can be installed on other devices.
The initial configuration of the iPad® must be done and an email account must be
set up for the initial transfer of the certificate.
2. In the example, a self-signed authority is used, which will show up as Not Trusted.
Click Install.
5. To view the current list of profiles, enter the settings app in the iPad®, and select
Settings > General profile.
6. Select the wireless network from the list of available wireless networks.
7. Enter the Windows user name and password in Username and Password
respectively and click Join.
9. After establishing the connection, a check mark and a change in color will indicate
that the wireless network connection is established.
13 Remote Connection to 800xA
13.1 Installing a remote desktop application
14 Lock Mobile Device
14.1 Lock Tablet
• By default, the restrictions are set to Allow. To enable the restrictions, click Enable
Restrictions.
• To control future access to the restrictions options, the iPad® will request that a
4-digit passcode be set. Knowledge of the passcode should be restricted to the
administrator of the network.
Enter a 4-digit passcode. A confirmation of the passcode will be requested.
• In addition to controlling the apps, the allowed content should be set as shown
in Figure 14.5.
• Changing of accounts should be disabled, and the Game Center options should
also be set to OFF.
Figure 14.6: Restricting changes of iPad® accounts and access to the Games Center
Revision History
This section provides information on the revision history of this User Manual.
The revision index of this User Manual is not related to the 800xA System Revisions.
The following table lists the revision history of this User Manual.
Revision Index   Description                              Date
A                Published for 800xA System 6.1 release   October 2018
Index
Numerics
800xA Operator Workplace, 119
A
Access Point to RADIUS, 156
Adding NPS (RADIUS), 93
Adding RDS Server License, 38
B
BAT54 Rail Devices, 138
BAT54 Wireless Access Points, 129
C
Certificate Authority, 67
Certificates, 161
Concepts, 17
Configuring NPS (RADIUS), 100
Configuring Tool Installation, 126
Create Certificate, 161
Creating Certificates, 83
F
Factory Coverage, 17
H
Host Server Role, 41
I
iPad, 161
L
Lock, 169
N
NPS (RADIUS), 93
R
RDS Server Licensing, 25
RDS Server Licensing Activation, 31
RDS Server Licensing Configuration, 31
RDS Server User Configuration, 54
Remote Connection, 167
Remote Desktop Sessions, 25
Routing, 159
S
Security, 18
Service Set Identifier, 18
T
Title Bar Size, 121
W
Windows Configuration, 120
Wireless Components, 21
Wireless Configuration, 23
www.abb.com/800xA
www.abb.com/controlsystems
800xA is a registered or pending trademark of ABB. All rights to other trademarks reside
with their respective owners.
We reserve the right to make technical changes to the products or modify the
We reserve all rights to this document and the items and images it contains. The
reproduction, disclosure to third parties or the use of the content of this document
– including parts thereof – are prohibited without ABB’s prior written permission.
2PAA110154-610 A