Background
We have been supplying rack mount servers running a desktop Windows OS for some time. We are currently using the Dell R330 hardware platform and have recently moved to Server 2016 Essentials.
From time to time we encounter issues where the end users insist on installing Anti-Virus software on the flow computers, which we do not want as we cannot be certain that there will be no adverse effects on the software packages we use. Even if we test here at the factory with the version and definitions at that time, we cannot guarantee continued operation.
Additionally, we are looking at making the Flow Computer application more protected (from tampering, IP etc) and resilient (through hardening, no uncontrolled applications etc).
Key applications
1/. Kepware Modbus Suite
OPC server
Manages all Modbus communications over RS485/Ethernet
2/. Atvise
Presents HMI via a built-in web-server
OPC Client getting/sending data via Kepware
Approach being considered
To resolve this, we are considering the following solution:
1/. Install Windows Hyper-V server 2016 (command line only, no GUI) which is FOC from Microsoft
2/. Install Server 2016 Essentials as a ‘hidden’ VM – this will run all our software and will not be exposed to the customer
a. ‘CORE’ VM
b. Runs both Kepware and Atvise
c. We use a Moxa PCIe serial card for RS485 IO – this will need to be available exclusively to this VM
d. It will need an external ethernet connection allowing the web-based HMI to be run externally
e. This VM needs to be managed by using Server Manager on Windows 10 (installed on Solartron Laptops for setup and commissioning purposes)
3/. Install Windows 10 (for example) as an exposed VM
a. ‘GUEST’ VM
b. This VM has control over the video and so will be the OS seen when powering on
c. It will run the web-based HMI presented by the hidden VM
d. Client can install anti-virus software without impacting the core VM
What has been done so far?
Installed Hyper-V Server 2016 on test PC
Administrator password is set
Followed the instructions on this link to set up remote server admin tools: https://docs.microsoft.com/en-us/windows-server/remote/remote-server-administration-tools
Downloaded “WindowsTH-RSAT_WS_1803-x64.msu”
Had trouble connecting using Server Manager – was OK with RDP but kept giving a Kerberos error message when trying to connect to the server.
Tried following the steps in the following link: “How do I remotely manage Hyper-V 2016 standalone via Windows 10?”
… this seems to be all the right steps but couldn’t get it to work.
Tasks needed
1/. Review whether this is the correct approach
2/. Get remote administration working with Server Manager on Windows 10
3/. Install 2 VMs
4/. Configure GUEST VM so it has ownership of the video/keyboard/mouse
5/. Configure CORE VM so it has ownership of the PCIe slot with drivers installed
6/. Configure CORE VM with RDP connection (perhaps on a non-standard port) so it can be administered by Solartron
7/. Possibly restrict browse support on the CORE VM so it won’t be seen on the client LAN, only visible through port 80 (HTTP) and 502 (Modbus) and RDP
8/. Configure TCP so that:
a. GUEST VM can access the web-browser in the CORE VM (for local display support)
b. Any other networked system can access the web-server installed on the CORE VM
9/. Help with ‘hardening’ of the CORE VM
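
One way to express the CORE VM exposure limits from the task list (HTTP on 80, Modbus on 502, RDP on a non-standard port, no network browsing) with the built-in Windows Firewall cmdlets. This is an added example, not part of the original post; the RDP port and admin subnet are constructed placeholder values, and the rule names are hypothetical.

```powershell
# Added example: run elevated on the CORE VM from the Hyper-V console
# (VMConnect), not over RDP, because step 5 restarts the RDP service.
# Constructed values (assumptions, not from the post); adjust before use.
$RdpPort     = 53389               # hypothetical non-standard RDP port
$AdminSubnet = '192.168.50.0/24'   # hypothetical commissioning-laptop subnet

# 1. Default-deny inbound on every profile; outbound stays allowed.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Disable the built-in rule groups that make the VM browsable on the LAN
#    and the stock RDP rules (they open 3389). Group names are the English
#    display names; they differ on localized installs.
foreach ($group in 'Network Discovery', 'File and Printer Sharing', 'Remote Desktop') {
    Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
}

# 3. Move the RDP listener to the non-standard port.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $RdpPort -Type DWord

# 4. Allow only the three services. HTTP and Modbus are open to any source,
#    as the task list asks; RDP is scoped to the admin subnet, because a
#    non-standard port alone does not restrict who can reach it.
$allow = @(
    @{ Name = 'CORE-HTTP';   Port = 80;       Remote = 'Any' }
    @{ Name = 'CORE-Modbus'; Port = 502;      Remote = 'Any' }
    @{ Name = 'CORE-RDP';    Port = $RdpPort; Remote = $AdminSubnet }
)
foreach ($r in $allow) {
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $r.Port -RemoteAddress $r.Remote `
        -Profile Any | Out-Null
}

# 5. Restart Remote Desktop Services so the listener picks up the new port.
Restart-Service -Name TermService -Force

# 6. Review what is still allowed inbound. Other enabled allow rules
#    (for example WinRM, which Server Manager uses) are left untouched by
#    this script and will appear here for a keep-or-disable decision.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Select-Object DisplayName,
        @{ n = 'LocalPort'; e = { ($_ | Get-NetFirewallPortFilter).LocalPort } } |
    Sort-Object DisplayName
```

Modbus/TCP on 502 carries no authentication of its own, so if the set of Modbus clients is known, replace `'Any'` on that rule with their addresses.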