
ThinManager Architecture and Best Practices 2019

Uploaded by

Monica Diaz

ThinManager

Architecture and Best Practices: Discussion


Agenda

1. Architecting ThinManager
2. Common Architectures
3. System Considerations
4. Tips and Tools
Architecting ThinManager
Deployment Considerations
ThinManager Planning Guidance

• Useful Material and Links
  • ThinManager RAKB Table of Contents
  • Common Questions Form
  • Architecture Review FAQ
  • ThinManager and Windows Server 2012(R2)
  • ThinManager and PXE Boot
  • ThinManager Media
  • WinTMC, iTMC, aTMC
  • ThinManager and Security Best Practices
  • Supported Hardware
  • Ports
ThinManager Client Hardware

• ThinManager Ready
  • ThinManager BIOS extension
  • Storage of Local IP Address and Boot Instructions
• ThinManager Compatible
  • Intel x86 based computing hardware
  • Must Issue DHCP/PXE request to obtain IP address and Boot Instructions
• ThinManager Client
  • Mobile Devices and Traditional PCs
  • Devices boot from local OS
  • ThinManager Client application installed

ThinManager v11 supports UEFI hardware.

Selection Considerations - CPU, RAM, GPU, Video Outs, USB, Serial, Audio
Defining Display Clients
The Content to be Delivered

• Remote Desktop Services Display Clients
  • Requires RDS Role to be installed and configured
  • Using AppLink™ to restrict desktop access
• Workstation Display Clients
  • Requires RDP Protocol (1 to 1 relationship)
• VNC Display Clients
  • May require the installation of VNC on source OS
  • PanelView Plus and PanelView 5000 terminals are ready
  • Specify Interaction
• Camera Display Clients (USB or IP)
• Terminal Shadow Display Clients
  • Specify Interaction
Remote Desktop Services Components
Component Architecture

[Diagram: Remote Desktop Services components: Server Manager, Remote Desktop Session Host, Remote Desktop Connection Broker, SQL Database, SmartSession, Remote Desktop Gateway, Remote Desktop Licensing]
ThinManager Licensing

• CLIENT CONNECTIONS: Sold in Packs of 5, 10 or 25
• ENTERPRISE SERVER: Unlimited Client Connections Including Full Redundancy

ThinManager Also Offers Redundant Licensing Options to Sustain High Availability
Other Licensing Considerations

• Remote Desktop Client Access Licenses (RDSCALs)
  • There are 2 types available:
    • Per User – each unique user session requires an RDSCAL
    • Per Device – each device receiving a session requires an RDSCAL
  • Per Device is generally more suitable for ThinManager deployments
• FactoryTalk Licensing
  • ThinManager v11 can be licensed with FactoryTalk Activation or existing Master Licensing
  • ThinManager v11 and FactoryTalk View SE v11 introduce support for a single FactoryTalk View SE client license needed per ThinManager managed device.
    • Supports terminals using multi-session capabilities (Tiling, Virtual Screens, Multimonitor)
    • Supports terminals using RDS Failover capabilities (RDS High-Availability)
  • For more information, refer to AID 1083982 - ThinManager and FTView SE Client Licensing
ThinManager High Availability
ThinServer and Remote Desktop Services

• ThinManager Redundancy
  • ThinManager Service Process
  • Synchronization of ThinManager Configuration Database
  • Capability to boot ThinManager Ready and ThinManager Compatible terminals
  • Provision of terminal/user/location based content to thin clients
• Remote Desktop Services Failover
  • Remote Desktop Services Host Role
  • Identical Windows Based Applications Installed
  • Instant Failover – sessions established on both servers
  • Standard Failover – session launches on demand on secondary
  • Enforce Primary – Primary Designated to run when online

[Diagram: two deployment options. Either a ThinManager Server/Remote Desktop Server Pair (redundancy and failover), each running ThinManager, the Remote Desktop Services Role and Applications; OR separate ThinManager Servers (redundancy) running the ThinManager Service and Remote Desktop Servers (failover) running the Remote Desktop Services Role and Applications.]
Common Architectures
LAN and CPwE Configurations
Small ThinManager Architecture

[Diagram: small ThinManager architecture.
 Domain Controller: Microsoft Active Directory.
 HMI/Data Server: FactoryTalk Directory, FactoryTalk Activation, FactoryTalk View SE Server, FactoryTalk Alarms and Events Server, RSLinx Enterprise.
 ThinManager Server/Remote Desktop Server: ThinManager, Remote Desktop Services Role, FactoryTalk View SE Client.
 Engineering Workstation: FactoryTalk View Studio, RSLogix 5/500/5000, RSLinx Classic, RSLinx Enterprise.
 Managed by ThinManager: Thin Clients; Wireless Clients (aTMC, iTMC, WinTMC) behind a WAP.
 Source of Content: IP Camera; PanelView via VNC. Data Source: CLx.]
Architecture Notes:
• ThinManager server can be co-located with the RDS server.
• Applications to be installed on the RDS server must be installed in Remote Desktop Mode.
• Domain controller is optional; ThinManager can be used in a workgroup environment.
• All thin clients and wireless clients need to be accessible on the network to have content managed by ThinManager.
Redundant ThinManager Architecture

[Diagram: redundant ThinManager architecture.
 Domain Controllers (redundant): Microsoft Active Directory.
 FactoryTalk Directory Server: FactoryTalk Directory, FactoryTalk Activation.
 HMI/Data Servers (redundant): FactoryTalk View SE Server, FactoryTalk Alarms and Events Server, RSLinx Enterprise.
 ThinManager Server/Remote Desktop Server (redundant): ThinManager, Remote Desktop Services Role, FactoryTalk View SE Client.
 Engineering Workstations: FactoryTalk View Studio, RSLogix 5/500/5000, RSLinx Classic, RSLinx Enterprise.
 Managed by ThinManager: Thin Clients; Wireless Clients (aTMC, iTMC, WinTMC) behind a WAP.
 Source of Content: IP Camera; PanelView via VNC. Data Source: CLx.]
Architecture Notes:
• ThinManager server can be co-located with the RDS servers or can be located on a dedicated machine(s).
• ThinManager is installed on two machines in a redundant system.
• Remote Desktop Services Role installed on two machines to provide application failover.
• FactoryTalk View SE installed on two machines to provide application redundancy.
• Redundant Domain Controllers highly recommended in a redundant system.
• All thin clients and wireless clients need to be accessible on the network to have content managed by ThinManager.
IDMZ ThinManager Architecture

[Diagram: IDMZ ThinManager architecture spanning the Enterprise Security Zone, the Industrial Demilitarized Zone, the Industrial Security Zone and the Cell/Area Zones. Components shown include Domain Controllers (redundant), ERP Server, Remote Access Servers, PCs, ThinManager Servers (redundant), AD Certificate Server, Remote Desktop Gateway, FactoryTalk Directory Server, HMI/Data Servers (redundant), Remote Desktop Servers (redundant), Engineering Workstations, Thin Clients, Wireless Clients (aTMC, iTMC, WinTMC), IP Camera and PanelView.]

Port annotations on the diagram:
• ThinManager Ready: TFTP Port 4900 UDP, TM Port 2031 TCP
• ThinManager Compatible: DHCP Port 67 UDP, TFTP Port 69 UDP, TM Port 2031 TCP
• Shadowing: 2031 Bi-Directional, 5900 Outbound
• Enable Firewall Compatible TFTP


IDMZ ThinManager Architecture

[Diagram: the same IDMZ architecture across the Enterprise Security Zone, the Industrial Demilitarized Zone, the Industrial Security Zone and the Cell/Area Zones, with a Windows Update Services Server shown alongside the ThinManager Servers (redundant), AD Certificate Server and Remote Desktop Gateway.]

Annotations on the diagram:
• Has to be a device running a ThinManager Client
• Cannot be a thin client booted from ThinManager
• HTTPS (SSL Tunnel): Port 443 TCP, TM Port 2031 TCP
• RDP: Port 3389 UDP/TCP
• Shadowing: 2031 Bi-Directional, 5900 Outbound


System Considerations
Secure and Reliable Performance
ThinManager Communication Ports

• UDP 67 – DHCP, IP address delivery, ThinManager Compatible terminals
• UDP 69 – TFTP, firmware delivery, ThinManager Compatible terminals
• TCP 1758 – Multicast port, firmware delivery
• TCP 2031 – Profile delivery, monitor connection, ThinServer synchronization
• TCP 3389 – RDP, session communications
• UDP 4900 – TFTP, firmware delivery, ThinManager Ready terminals
• TCP 5900 – Shadowing port
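
Added example (not part of the original slides): a short Python audit that compares the flows a zone firewall allows between the terminal network and the ThinManager/RDS servers with the port list above. The "allow <proto> <port>" rule format, the sample rules and the function names are assumptions made for illustration; direction is ignored, and the protocol/port pairs are copied from the slide.

```python
# Added example: audit zone-to-zone firewall rules against the slide's port table.
# (proto, port) -> (purpose, terminal type); None = no terminal type named on the slide.
PORT_TABLE = {
    ("udp", 67): ("DHCP, IP address delivery", "compatible"),
    ("udp", 69): ("TFTP, firmware delivery", "compatible"),
    ("tcp", 1758): ("multicast, firmware delivery", None),
    ("tcp", 2031): ("profile delivery, monitor, ThinServer sync", None),
    ("tcp", 3389): ("RDP, session communications", None),
    ("udp", 4900): ("TFTP, firmware delivery", "ready"),
    ("tcp", 5900): ("shadowing", None),
}

def parse_rules(text):
    """Parse 'allow <proto> <port>' lines (hypothetical export format)."""
    allowed = set()
    for line in text.splitlines():
        parts = line.split("#")[0].split()  # drop trailing comments
        if len(parts) == 3 and parts[0] == "allow" and parts[2].isdigit():
            allowed.add((parts[1].lower(), int(parts[2])))
    return allowed

def audit(allowed, deployed_types):
    """Classify allowed flows for a site running the given terminal types
    ('ready' and/or 'compatible')."""
    listed = set(PORT_TABLE)
    relevant = {k for k, (_, t) in PORT_TABLE.items()
                if t is None or t in deployed_types}
    return {
        # open, but not a ThinManager port at all
        "unexpected": sorted(allowed - listed),
        # a ThinManager port, but only for a terminal type this site lacks
        "unneeded": sorted((allowed & listed) - relevant),
        # on the slide for this site, but not allowed; fine if the
        # feature (e.g. shadowing, multicast) is not in use
        "blocked": sorted(relevant - allowed),
    }

# Constructed sample: a site with only ThinManager Ready terminals.
SAMPLE_RULES = """\
allow tcp 2031
allow tcp 3389
allow udp 4900
allow udp 69     # left over from a PXE pilot
allow tcp 445    # file sharing, not a ThinManager port
"""

if __name__ == "__main__":
    for kind, flows in audit(parse_rules(SAMPLE_RULES), {"ready"}).items():
        print(kind, flows)
```

For the sample site the audit flags TCP 445 as unexpected and UDP 69 as unneeded, because TFTP on port 69 only serves ThinManager Compatible (PXE) terminals.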
ThinManager Security

• Relevance Users
  • Active Directory Synchronization (1 AD Group or OU)
  • Secure Password Management and Storage for service accounts
• Access Groups and Permissions
  • Restrict access to assets
• Multifactor Authentication
  • Password always needed to establish RDS session
  • ADD Temporary or Permanent PIN, RFID Badge, Biometrics
• Authentication Passthrough
  • Requires v10+ of FactoryTalk View SE and ThinManager
  • Add AD Users to ThinManager and FactoryTalk Directory
  • Relevance User credentials natively passed to all FactoryTalk View SE sessions running on a terminal
• For more information, refer to AID 1082369 - ThinManager and Security Best Practices
Remote Desktop Server Sizing

Size conservatively! Use resource utilization tools!


Tips and Tools
Work Smarter
Key Modules
Drive Peripherals

Networking
• Redundant Ethernet Module
  • For use in Redundant Star topology
• Second Ethernet Module
  • Assign second IP address to terminal (Static or Dynamic)
  • Prime Use Case – separate cameras network

User Interface
• Key Block Module
  • Block Windows Hotkeys
    • Ctrl-Alt-Del
    • Alt-F4
    • Windows Key
    • Alt-Tab
• Touch Screen Modules
  • 15 Serial Touch Drivers
  • Universal USB Driver

Performance
• RDP Experience Module
  • Stagger Multisession establishment
• Serial Port Redirection Module
  • Access to serial devices from RDP session
• USB Card Reader
  • Support for readers across multiple vendors
More Tools
Thank you
www.rockwellautomation.com
