
Wonderware - InTouch Access Anywhere Admin Manual 2013


Wonderware InTouch Access Anywhere

HTML5 - RDP Access for Wonderware InTouch

Administrator’s Manual

8/29/2013
All rights reserved. No part of this documentation shall be reproduced, stored in a retrieval
system, or transmitted by any means, electronic, mechanical, photocopying, recording, or
otherwise, without the prior written permission of Invensys Systems, Inc. No copyright or patent
liability is assumed with respect to the use of the information contained herein. Although every
precaution has been taken in the preparation of this documentation, the publisher and the author
assume no responsibility for errors or omissions. Neither is any liability assumed for damages
resulting from the use of the information contained herein.

The information in this documentation is subject to change without notice and does not represent
a commitment on the part of Invensys Systems, Inc. The software described in this
documentation is furnished under a license or nondisclosure agreement. This software may be
used or copied only in accordance with the terms of these agreements.

© 2013 by Invensys Systems, Inc. All rights reserved.

Invensys Systems, Inc.
26561 Rancho Parkway South
Lake Forest, CA 92630 U.S.A.
(949) 727-3200
http://www.wonderware.com

For comments or suggestions about the product documentation, send an e-mail message to
ProductDocumentationComments@invensys.com.

All terms mentioned in this documentation that are known to be trademarks or service marks
have been appropriately capitalized. Invensys Systems, Inc. cannot attest to the accuracy of this
information. Use of a term in this documentation should not be regarded as affecting the validity
of any trademark or service mark.

Alarm Logger, ActiveFactory, ArchestrA, Avantis, DBDump, DBLoad, DT Analyst, Factelligence,
FactoryFocus, FactoryOffice, FactorySuite, FactorySuite A2, InBatch, InControl, IndustrialRAD,
IndustrialSQL Server, InTouch, MaintenanceSuite, MuniSuite, QI Analyst, SCADAlarm,
SCADASuite, SuiteLink, SuiteVoyager, WindowMaker, WindowViewer, Wonderware, Wonderware
Factelligence, and Wonderware Logger are trademarks of Invensys plc, its subsidiaries and
affiliates.

All other brands may be trademarks of their respective owners.

Table of Contents

ABOUT THIS DOCUMENT

1. OVERVIEW
   Architecture
   RDP Compression and Acceleration
   Licensing
   Prior to installing
   Getting Started in 5 Minutes

2. INSTALLATION
   Pre-requisites
   InTouch Access Anywhere Server
   InTouch Access Anywhere Web Component
   Secure Connections

3. USER ACCESS
   Supported Browsers
   Connection Web Page
   Connecting
   Ending a Session
   Configuring Firefox and Opera browsers

4. GOOGLE CHROMEBOOKS
   Chromebook Keyboard

5. TABLET AND SMARTPHONES

6. HTTPS MODE

7. ADVANCED CONFIGURATION
   Static Configuration of Config.js
   Passing Credentials using Form POST
   Define Configuration Groups
   Settings Precedence
   Settings Table
   Embedding InTouch Access Anywhere in an iframe

8. SSL VPN CONFIGURATION
   Web Proxy with 7.4
   Web Proxy with older Juniper versions
   Single Sign On (SSO) Using Cookies
   Network Connect
   JSAM and WSAM

9. KNOWN BEHAVIORS AND LIMITATIONS
   Per Device licenses Not Supported with InTouch Access Anywhere
   InTouch Access Anywhere does not support NLA
   WindowMaker Not Supported with InTouch Access Anywhere
   Using software keyboards
   Right Click on Mac
   Mouse Events
   Scroll bars
   Browser Extension Conflicts
   HTTPS and SSL Encryption
   Network quality
   Checking Connectivity

10. TECHNICAL SUPPORT

ABOUT THIS DOCUMENT
This manual provides instructions on how to install and use InTouch Access
Anywhere to access Wonderware InTouch applications hosted in Terminal
Servers by using HTML5 compatible web browsers. Follow the instructions in
this manual and start enjoying the benefits of InTouch Access Anywhere
within minutes!
This manual includes the following information:
• Overview of InTouch Access Anywhere
• Preparation and installation procedures
• Usage instructions
• Known issues and limitations
This manual assumes that the reader has knowledge of the following:
• Wonderware InTouch
• Enabling and configuring RDP on Windows operating systems 1
• Firewall configuration
• Web server administration
Important terminology used in this document:
• RDP – Remote Desktop Protocol. A remote display protocol
developed by Microsoft. RDP is a standard component of Microsoft
Windows.
• RDP Host – a Windows system that can be remotely accessed
using Microsoft RDP, such as a Terminal Server (RDS Session
Host) or Windows workstation with remote access enabled.
• HTML5 – a new update to the HTML specification. Extends HTML
with new features and functionality for communication, display,
etc.
• WebSocket – a bi-directional, full-duplex communication
mechanism introduced in the HTML5 specification.
• SSL – Secure Sockets Layer is a cryptographic protocol that
provides communications security over the Internet.

1 For details on proper configuration and management of a Remote
Desktop environment for use with Wonderware InTouch, refer to the
Wonderware InTouch for Terminal Services Deployment Guide.

1. OVERVIEW
InTouch Access Anywhere provides end-users with remote access to
Wonderware InTouch applications from any HTML5 compatible web browser,
leveraging Remote Desktop technology 2. Any browser that supports HTML5
canvas can be used as the client. HTML5 WebSockets is typically required for
InTouch Access Anywhere.

InTouch Access Anywhere provides the following benefits:


• End-users can access and interact with Wonderware InTouch
applications from any device that has an HTML5 compatible web
browser
• No need to install or configure any software on the end-point
device
• No need to perform software updates or patches on end-point
devices
• Works on platforms that only support web applications, and do not
allow application installation, such as Google Chrome OS
• Consistent look-and-feel on any platform that has an HTML5
compatible browser
• It can be seamlessly integrated with other web-based applications
and portals

2 Not intended for use in High Risk or Mission Critical applications.

Architecture
InTouch Access Anywhere is comprised of three installable components:
a. InTouch Access Anywhere Server (WebSocket server) that is
installed on the RDP host where Wonderware InTouch resides. This
includes a collection of web resources (HTML files, CSS, JavaScript,
images, etc.).
b. InTouch Access Anywhere Secure Gateway 3 – This is an optional
component installed separately on a machine in a DMZ to enable
access beyond a firewall. This is the recommended architecture
when you want users on the business side of your operation to be
able to access InTouch applications running on the HMI SCADA
network.

This diagram illustrates how the components of InTouch Access Anywhere work
together:

The user initiates the process by directing the browser to the start page
hosted on the web server (http://<machinename>:8080/). The Start.html
page is displayed in the web browser using HTTP/HTTPS.

3 For more information on the InTouch Access Anywhere Secure Gateway,
refer to the InTouch Access Anywhere Secure Gateway Administrator’s
Manual.

1. The browser opens a WebSocket connection to the InTouch Access
Anywhere Server, which is running on the RDP host itself.
a. If the optional InTouch Access Anywhere Secure Gateway is
used, the InTouch Access Anywhere Server browser session
will connect through it.
2. The InTouch Access Anywhere Server translates the WebSocket
communication to and from RDP, thus establishing a connection from
the browser to the RDP host itself.
3. The browser then displays the content of the remote application.

RDP Compression and Acceleration


InTouch Access Anywhere contains technology for RDP compression and
acceleration. This enhances remote desktop performance over the network,
including the Internet. There are three main features in this technology:
• Image compression
• Packet shaping
• Whole frame rendering
Image compression compresses images before transmitting them to the
browser for rendering. The level of compression is dependent on the
acceleration/quality level selected by the user (a default value can be
configured by the administrator).
Packet shaping optimizes the network messages to improve network
utilization and performance.
Whole frame rendering means that the display is updated as a whole rather
than in blocks, as performed by standard RDP. This is especially noticeable
when watching video or over slow network connections. Coupled with the
other optimization features, it results in a smoother display that more closely
resembles the functionality on local desktops.

Licensing
InTouch Access Anywhere is licensed for use with InTouch WindowViewer
only, more specifically for use with InTouch 2012 R2 TSE Concurrent licenses
only. Per Device licenses are not supported.
There is no need to request any additional licensing or to perform any
activation.
Every session opened with a browser using InTouch Access Anywhere
consumes a remote desktop session.

Prior to installing
Prior to installing InTouch Access Anywhere you need to ensure that:
• You are using one of the server OSes supported by InTouch 2012 R2.
• Wonderware InTouch 2012 R2 has been installed.
• The corresponding TSE Concurrent license is in place.
• Remote Desktop Services has been properly configured.
o (Add view.exe to the RemoteApp list and configure it to allow
command-line arguments).
Because InTouch Access Anywhere leverages Remote Desktop Services, it is
important that you verify this functionality is properly configured and tested
prior to installing InTouch Access Anywhere. 4
IMPORTANT: For each RDP user, before using InTouch Access Anywhere to
connect to your TSE server, it is also important to log on using a standard
Remote Desktop Client, select an application from the InTouch Application
Manager, and launch it in WindowViewer. This configures the initial setup
and allows InTouch Access Anywhere clients to determine the list of available
InTouch applications.
For best display results with InTouch Access Anywhere, allow InTouch
applications to be launched using their original resolution.

4 For details on proper configuration and management of a Remote
Desktop environment for use with Wonderware InTouch, refer to the
Wonderware InTouch for Terminal Services Deployment Guide.

Getting Started in 5 Minutes

InTouch Access Anywhere is a feature-rich and flexible application. The
manual covers available features in detail to help customers best configure
InTouch Access Anywhere for use with Wonderware InTouch.
InTouch Access Anywhere is very quick and easy to install. The basic
installation will take approximately five minutes and will make Wonderware
InTouch applications on a Windows RDP host (server) accessible from an
HTML5 compliant web browser (for a list of supported browsers see the
‘Supported Browsers’ section).
Are your pre-requisites ready? Here are the steps to install and use InTouch
Access Anywhere in five minutes:
1) Run the InTouch Access Anywhere Server installer and click Next through
all the dialog boxes, accept the EULA and then click on the Finish button.
2) Configure (or disable) the Windows Firewall for use with InTouch Access
Anywhere.
a. Go to the Windows Control Panel and open Windows Firewall
b. Click “Allow Program or Feature …”
c. Click “Allow another program …”
d. Click Browse and navigate to <drive>:\Program Files
(x86)\Wonderware\InTouch Access
Anywhere\AccessNowServer32.exe
e. Click Add and then OK
3) For each RDP user, before using InTouch Access Anywhere to connect to
your TSE server, it is also important to log on using a standard Remote
Desktop Client, select an application from the InTouch Application
Manager, and launch it in WindowViewer. This configures the initial
setup and allows InTouch Access Anywhere clients to determine the list of
available InTouch applications.
4) Once the above steps are done, InTouch Access Anywhere Server is ready
for use.
5) Open an HTML5 compliant browser and point it to the URL of the InTouch
Access Anywhere Server:
http://machinename:8080/
This URL will automatically redirect to the full URL:
http://machinename:8080/AccessAnywhere/start.html

Alternatively, you can use the machine’s IP address instead of the
machine name.

The InTouch Access Anywhere Server port must be specified in the URL to
tell the browser to use the web server that is built-in to the InTouch
Access Anywhere Server service. HTTPS may also be used.

6) Once the InTouch Access Anywhere Server web page appears, enter the
user credentials and make your selections.
One of the choices you will be presented is the list of InTouch applications
available at the host system.

7) Once you have entered your credentials and made your selections, click
the Connect button.

8) The connection dialog will appear momentarily while the web browser
connects to the RDP host where the InTouch Access Anywhere Server is
installed.

9) InTouch WindowViewer will be launched at the remote node to display the
selected InTouch Application.

Note: Once connected, closing the InTouch application will log off and end
the session. Closing the browser will simply disconnect from the session.

2. INSTALLATION
Pre-requisites
The InTouch Access Anywhere Server is compatible with all released server
versions of Windows supported by Wonderware InTouch 2012 R2. InTouch
Access Anywhere Server must be installed on the RDP server where
Wonderware InTouch 2012 R2 resides. The InTouch Access Anywhere Server
is highly efficient, and will have minimum impact on the RDP host’s
performance and scalability.
The InTouch Access Anywhere Server itself includes a built-in web server.
This includes a copy of the InTouch Access Anywhere web components.
InTouch Access Anywhere leverages RDP. It translates RDP to WebSockets.
Hence, RDP access must be enabled on the host that will be used with
InTouch Access Anywhere.

Configure Firewalls
By default, the client (browser) connects to the InTouch Access Anywhere
Server using port 8080 for both encrypted and unencrypted WebSocket
communication. This port number can be changed using the InTouch Access
Anywhere Server Configuration utility. In order to enable direct connection
from the client to the InTouch Access Anywhere Server (without using the
Gateway), the server must be directly accessible from the client using that
port.
If the Windows firewall is enabled on the same computer where the InTouch
Access Anywhere Server is installed, make sure to configure it to enable the
InTouch Access Anywhere client connection. On Windows 2008 Server, go to
Control Panel and then Windows Firewall. Select Advanced Settings and select
Inbound Rules. Click New Rule.

Select Port and click Next. Enter the specific port: 8080

Click Next and select Allow the connection
Click Next and select the networks to apply the rule (Select All)
Click Next, give the rule a name and click Finish.
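
Added example (not part of the original manual or any vendor tooling): the inbound rule from the procedure above, and from quick-start step 2, created from PowerShell with netsh and limited to the service executable, its port, chosen firewall profiles and known client subnets. The rule name, the subnet 192.0.2.0/24, the profile list and the C: drive letter are assumptions to replace with site values.

```powershell
# Added example, not from the manual. Creates one inbound allow rule for the
# InTouch Access Anywhere Server listener, limited to the service executable,
# its port, selected firewall profiles and known client subnets.
param(
    # Path from the manual's quick-start step; the drive letter is an assumption.
    [string]   $ServerExe     = 'C:\Program Files (x86)\Wonderware\InTouch Access Anywhere\AccessNowServer32.exe',
    [int]      $Port          = 8080,                # default listening port per the manual
    [string[]] $ClientSubnets = @('192.0.2.0/24'),   # placeholder: replace with the real client networks
    [string]   $Profiles      = 'domain,private',    # assumption: no exposure on the public profile
    [string]   $RuleName      = 'InTouch Access Anywhere Server inbound'   # hypothetical rule name
)

if (-not (Test-Path -LiteralPath $ServerExe)) {
    throw "Server executable not found: $ServerExe"
}

# Delete an earlier copy of the rule so re-running does not stack duplicates.
& netsh.exe advfirewall firewall delete rule "name=$RuleName" | Out-Null

# Each array element is passed to netsh as one argument, spaces included.
$ruleArgs = @(
    'advfirewall', 'firewall', 'add', 'rule',
    "name=$RuleName",
    'dir=in', 'action=allow', 'protocol=TCP',
    "localport=$Port",
    "program=$ServerExe",
    "profile=$Profiles",
    "remoteip=$($ClientSubnets -join ',')"
)
& netsh.exe $ruleArgs
if ($LASTEXITCODE -ne 0) { throw "netsh exited with code $LASTEXITCODE" }

# Show what was created, then confirm the service is actually listening.
# The LISTENING keyword assumes English netstat output.
& netsh.exe advfirewall firewall show rule "name=$RuleName" verbose
$listening = netstat -ano | Select-String -Pattern "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING"
if ($listening) {
    $listening | ForEach-Object { $_.Line.Trim() }
} else {
    Write-Warning "Nothing is listening on TCP $Port; check the InTouch Access Anywhere Server service."
}
```

Run it from an elevated PowerShell prompt. If the listening port is changed on the Communication tab, pass the same value as -Port.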

Disable Network Level Authentication


InTouch Access Anywhere does not currently support Network Level
Authentication (NLA). If this is enabled on the RDP Host, it must be disabled
under the Remote settings properties.

To use InTouch Access Anywhere with the RDP host, select Allow connection
from computers running any version…

Bind Service to All Network Interfaces


In a virtual network environment, it is recommended to bind the InTouch
Access Anywhere Server to use all virtual network interfaces, rather than just
one virtual NIC. Always ensure that the network interface(s) that InTouch
Access Anywhere Server is using is accessible by the desired group of
end-users.

InTouch Access Anywhere Server
InTouch Access Anywhere Server is the server-side service that translates
RDP into WebSocket communication. The InTouch Access Anywhere Server is
installed on the RDP host.
The InTouch Access Anywhere client interface, running inside the browser,
connects to this service using WebSockets directly or through the Secure
Gateway.

Installation
Launch the install on the desired RDP host. When prompted, accept the
License Agreement and then click Install to perform the installation. At the
end of the process click Finish:

The InTouch Access Anywhere Server runs as a service, and can be started
and stopped from the Windows Services Manager.

The service is configured to run automatically on system startup. If the
service is stopped or is unable to listen on its default port (8080), clients will
not be able to connect to that host. Make sure to configure firewalls and
proxies between the end-point devices and the server-side component to
allow communication using port 8080, or use the InTouch Access Anywhere
Secure Gateway.

Notes: InTouch Access Anywhere Server cannot be installed on systems
where the hostname contains non-English characters.
InTouch Access Anywhere Server and InTouch Access Anywhere Secure
Gateway cannot be installed on the same machine.

Uninstalling InTouch Access Anywhere Server
Important: InTouch Access Anywhere cannot be removed via the Control
Panel. To uninstall InTouch Access Anywhere Server you need to run the
original install and select InTouch Access Anywhere Server to be removed.

InTouch Access Anywhere Server Configuration


The Server Configuration console presents a series of tabs that allow the
administrator to configure various settings for the server service.
The Configuration console only works on systems with Microsoft Internet
Explorer 7 or later.
In general, changing InTouch Access Anywhere Server configuration is not
required. It is recommended to use the default settings.

Note: It is recommended to hide the Server Configuration application from
end users to prevent unexpected changes to the server’s settings.

Following is a description of the different pages in the InTouch Access
Anywhere server configuration.

General
This page provides functions to start and stop the InTouch Access Anywhere
Server service. For certain configuration changes, a service restart is
required. This page also displays the number of active InTouch Access
Anywhere Server client sessions connected to this system.

Note: Whenever the InTouch Access Anywhere Server service is restarted, all
sessions on the server will be disconnected.

Performance
This tab displays current performance statistics related to InTouch Access
Anywhere connections.

Communication
This tab provides functions to change the InTouch Access Anywhere Server
listening port and the address of the host running RDP.
When using an InTouch Access Anywhere Server listening port other than the
default (8080), the port number must be explicitly specified in the client
address field (e.g., http://<machine name>:5678/).
When running InTouch Access Anywhere Server on a machine with multiple
network cards, change the RDP host address from localhost to the IP or DNS
address of the network card that has RDP access to the system.
Changes to both settings require a service restart. This can be done via the
General tab or using the Microsoft Service Manager.

Acceleration
This tab provides functions to force the Acceleration/Quality level and disable
dynamic compression. When the Override client acceleration / quality
settings checkbox is checked, all sessions will use the configured setting. All
client settings will be ignored. When checking or unchecking this setting, the
service must be restarted for the change to go into effect. When the setting
is enabled, changing the acceleration level does not require a service restart,
but active users must reconnect to use the new setting.
Dynamic Compression identifies small graphical objects on the screen (such as
toolbar icons, taskbar icons, Start Menu icons, etc.) and compresses them using
high quality when the Quality setting is set to Low; and at the best quality when
the Quality setting is higher than Low. All other graphical objects are
compressed at the selected quality. This provides the visual impression of a high
quality remote desktop session.
By default, this feature is enabled. To disable, uncheck the “Use dynamic
compression” box.

Security
This page configures the InTouch Access Anywhere Server security settings.

Note: InTouch Access Anywhere provides integrated 128-bit SSL encryption.


For best performance, set the host’s RDP Security Encryption level to Low and
change the Encrypt InTouch Access Anywhere communication to Always.
Using this configuration, InTouch Access Anywhere SSL encryption will be
used instead of the RDP encryption. Do not set this if users will be connecting
directly to RDP regularly, as those sessions will end up using Low encryption.
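
Added example (not from the manual): a read-only PowerShell check of the RDP listener settings changed by the Disable Network Level Authentication and Security instructions, which also lists established RDP sessions that did not originate from this host. It assumes English netstat output and that the InTouch Access Anywhere Server reaches RDP from this machine (localhost or one of its own addresses).

```powershell
# Added example, not from the manual. Reports the RDP listener settings that the
# NLA and Security-page instructions change, then lists RDP sessions that did
# not come through the InTouch Access Anywhere Server on this host.
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpSetting([string]$Name) {
    # A Group Policy value, when present, overrides the listener's own value.
    foreach ($key in @($policyKey, $listenerKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($item) { return [int]$item.$Name }
    }
    return -1   # value not set in either key
}

$nla      = Get-RdpSetting 'UserAuthentication'   # 1 = NLA required, 0 = not required
$encLevel = Get-RdpSetting 'MinEncryptionLevel'   # 1 Low, 2 Client Compatible, 3 High, 4 FIPS
$rdpPort  = (Get-ItemProperty -Path $listenerKey -Name PortNumber).PortNumber

$encNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$encText  = if ($encNames.ContainsKey($encLevel)) { $encNames[$encLevel] } else { "not set ($encLevel)" }

# Sessions brokered by InTouch Access Anywhere reach RDP from this host itself,
# so any other remote address on the RDP port is a direct RDP client.
$ownAddresses  = @('127.0.0.1', '[::1]')
$ownAddresses += [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) | ForEach-Object {
    if ($_.AddressFamily -eq 'InterNetworkV6') { "[$_]" } else { "$_" }
}

# netstat columns: protocol, local address, remote address, state, PID.
$direct = @(netstat -ano |
    Select-String -Pattern "^\s*TCP\s+\S+:$rdpPort\s+(\S+):\d+\s+ESTABLISHED" |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Where-Object { $ownAddresses -notcontains $_ } |
    Sort-Object -Unique)

New-Object PSObject -Property @{
    NlaRequired        = ($nla -eq 1)
    MinEncryptionLevel = $encText
    RdpPort            = $rdpPort
    DirectRdpClients   = ($direct -join ', ')
} | Format-List

if ($encLevel -eq 1 -and $direct.Count -gt 0) {
    Write-Warning "Direct RDP sessions are running at Low encryption from: $($direct -join ', ')"
}
if ($nla -ne 1) {
    Write-Warning "NLA is off (required by InTouch Access Anywhere); limit inbound TCP $rdpPort to the addresses that need direct RDP."
}
```

An empty DirectRdpClients list with MinEncryptionLevel at Low matches the configuration the Security page describes, where sessions rely on InTouch Access Anywhere SSL encryption rather than RDP encryption.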

Logging
This tab provides functions to enable/disable certain logging features.
Technical Support may request a debugging log for diagnostic purposes. The
debugging log is enabled here.

Advanced (For Administrator Use Only)
This page provides access to advanced Server settings that are stored in the
system’s Registry.

Export Settings – exports the InTouch Access Anywhere Server Registry key
to the user’s home folder (i.e., My Documents).
Import Settings – imports previously saved InTouch Access Anywhere Server
Registry settings.
Advanced Configuration – adds all configurable Registry key settings to the
Registry. By default, only settings that are changed from the default value
are saved into the Registry.

InTouch Access Anywhere Web Component
The web component contains the resources that are used by the web browser
to display an interface for users to use to connect to their remote application
or desktop. These resources include HTML pages, JavaScript and CSS files and
graphic images. Review the chapter on Advanced Configuration to modify the
appearance and behavior of the web component interface.

Installation with InTouch Access Anywhere Server


The InTouch Access Anywhere web components are automatically installed
along with the InTouch Access Anywhere Server. The web components may
be found in the InTouch Access Anywhere Server folder:
<drive letter>:\Program Files (x86)\Wonderware\InTouch Access
Anywhere Server\WebServer\AccessAnywhere

Modifying the InTouch Access Anywhere interface


The InTouch Access Anywhere Server start page is comprised of a group of
images. Any of the standard images may be edited and replaced with a
custom image. It is recommended to keep the new image as close to the
same dimensions as the original image. Default logo image:

The path to the resources folder where the images are stored is similar to:
C:\Program Files (x86)\Wonderware\InTouch Access Anywhere
Server\WebServer\AccessAnywhere\resources

Note: Back up the resources folder before making any modifications. To roll
back to the original files, simply copy the original resources folder back to the
original location.

InTouch Access Anywhere image files that are commonly customized:

Ericom.jpg          Logo image at the upper left-hand corner of the InTouch Access Anywhere Server landing page.

globe.jpg           Partial background image for the InTouch Access Anywhere Server landing page. This will appear as a watermark image behind the InTouch Access Anywhere Server interface.

HTML5_Logo_64.png   Small logo at the upper right-hand corner of the InTouch Access Anywhere Server landing page.

Note: Customizations performed upon the InTouch Access Anywhere page
not herein described are not supported by our Technical Support as they are
beyond the scope of a standard implementation.

Modifying the connection’s name


The InTouch Access Anywhere connection name uses the RDP Host’s address
by default. This label may be modified to a custom string.
To change the connection’s name:
Open the config.js file and add the name setting if it does not exist.
Set the name setting to the desired string. In this example, testname will be
used as the new connection name:

The name setting may also be set using the following cookie: EAN_name.
Once the name parameter is set, the new label will appear in the connection’s
browser tab and in the Establishing connection dialog box.

Secure Connections
Secured WebSocket communication to remote desktops
The InTouch Access Anywhere Server installation includes a self-signed
certificate for secure SSL connections. Some browsers, such as Google
Chrome, allow self-signed certificates for SSL-encrypted WebSocket
connections.
Opera browsers will notify the user that the server certificate is not signed,
and prompt the user to continue.
Chrome OS, Safari 5.x, and Firefox will not allow secure SSL connections
using a self-signed certificate. In order to provide connectivity from these
browsers, a trusted certificate must be imported into the InTouch Access
Anywhere Server or into the InTouch Access Anywhere Secure Gateway if it is
being used as a proxy for InTouch Access Anywhere Server. A trusted
certificate must be purchased from a trusted certificate authority (e.g.,
VeriSign).

Note: The DNS address of the InTouch Access Anywhere Server or Secure
Gateway server must match the certificate name. If a wildcard certificate is
being used, the domain must match. For example, if the certificate is for
*.acme.com the server name must end with acme.com.

To import a trusted certificate into the InTouch Access Anywhere Server,
perform the following steps using the Microsoft Certificate Manager:
1. Import the trusted certificate to the Computer (Personal |
Certificates) store.

2. Mark it as exportable during the import:

3. Go to the Certificate’s Details tab and highlight the Thumbprint.

4. Copy the thumbprint (CTRL+c)


5. Stop the InTouch Access Anywhere Server service
6. Using the Command Prompt (cmd.exe) go to the folder that
contains AccessNowServer32.exe

7. Run: AccessNowServer32.exe /genbincert <thumbprint of cert to
export enclosed in quotes>
a. Example import command with thumbprint in quotes:

8. Once the thumbprint is properly imported, a notification will
appear confirming the BIN certificate has been successfully
created.

9. Start the InTouch Access Anywhere Server service and it will be
ready for use.
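
Added example (not from the manual): a PowerShell pre-check for steps 3 to 7 and for the certificate-name Note above. It normalizes the pasted thumbprint, finds the certificate in the Computer Personal store, and checks name match, private key and validity dates before printing the /genbincert command. The parameter names, the English "DNS Name=" label and the need for a private key are assumptions; the wildcard test follows browser behaviour, where * stands for exactly one label, which is stricter than the Note's wording.

```powershell
# Added example, not from the manual. Validates a certificate in the Computer
# (Personal | Certificates) store before it is handed to /genbincert.
param(
    [Parameter(Mandatory = $true)] [string] $PastedThumbprint,  # as copied from the Details tab
    [Parameter(Mandatory = $true)] [string] $ServerDnsName      # name users type in the browser
)

function Test-CertNameMatch([string]$Pattern, [string]$HostName) {
    $p = $Pattern.ToLowerInvariant().TrimEnd('.')
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    if (-not $p.StartsWith('*.')) { return ($p -eq $h) }
    $suffix = $p.Substring(1)                       # "*.acme.com" -> ".acme.com"
    if (-not $h.EndsWith($suffix)) { return $false }
    # "*" covers exactly one label: hmi.acme.com matches,
    # acme.com and a.b.acme.com do not.
    $label = $h.Substring(0, $h.Length - $suffix.Length)
    return (($label.Length -gt 0) -and (-not $label.Contains('.')))
}

# The Details tab shows the thumbprint as spaced hex pairs, and a copy can
# carry an invisible leading character; keep only the hex digits.
$thumb = ($PastedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($thumb.Length -ne 40) {
    throw "Expected 40 hex digits in the thumbprint, got $($thumb.Length)"
}

$cert = Get-Item -LiteralPath "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
if (-not $cert) {
    throw "No certificate with thumbprint $thumb in the Computer Personal store"
}

# Names the certificate covers: SAN DNS entries, else the subject's DNS name.
# Format() output is localized; the pattern assumes an English system.
$sanText = ''
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { $sanText = $san.Format($false) }
$names = @([regex]::Matches($sanText, 'DNS Name=([^,\s]+)') |
    ForEach-Object { $_.Groups[1].Value })
if ($names.Count -eq 0) { $names = @($cert.GetNameInfo('DnsName', $false)) }

$now = Get-Date
$result = New-Object PSObject -Property @{
    Thumbprint    = $thumb
    Names         = ($names -join ', ')
    NameMatches   = (@($names | Where-Object { Test-CertNameMatch $_ $ServerDnsName }).Count -gt 0)
    HasPrivateKey = $cert.HasPrivateKey
    InValidity    = (($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter))
    SelfSigned    = ($cert.Subject -eq $cert.Issuer)
}
$result | Format-List

if ($result.SelfSigned) {
    Write-Warning 'Self-signed: Chrome OS, Safari 5.x and Firefox will refuse the secure connection.'
}
if ($result.NameMatches -and $result.HasPrivateKey -and $result.InValidity) {
    # Command from step 7, with the cleaned thumbprint in quotes.
    "AccessNowServer32.exe /genbincert `"$thumb`""
} else {
    Write-Warning 'Certificate failed a check; correct it before running /genbincert.'
}
```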

Secured WebSocket connections via InTouch Access Anywhere Secure Gateway
When using the InTouch Access Anywhere Secure Gateway, the connection
between the InTouch Access Anywhere Server browser client and the InTouch
Access Anywhere Secure Gateway is always secured. The InTouch Access
Anywhere Secure Gateway is installed with a self-signed certificate by default,
but supports trusted certificates as well. Please read the InTouch Access
Anywhere Secure Gateway Administrator’s Manual for full instructions on how
to install and configure it for use with InTouch Access Anywhere.

Benefit of using a Trusted Certificate


Certain browsers require that HTTPS or SSL connections be made only when a
trusted certificate is present. Install a trusted certificate in the InTouch
Access Anywhere Secure Gateway or InTouch Access Anywhere Server to
ensure safe and reliable connections from a wide range of web browsers. A
trusted certificate must be purchased from a trusted certificate authority (e.g.
VeriSign).

3. USER ACCESS
With InTouch Access Anywhere, users can access remote Wonderware
InTouch applications from HTML5 compatible web browsers. To start a
session, users must navigate to the start.html file that is installed on
the InTouch Access Anywhere Server. To do this, point a browser to
the InTouch Access Anywhere Server URL:
http://machineaddress:8080/

Supported Browsers
• Google Chrome 11 and higher,
• Apple Safari 5 and higher,
• Firefox 4 and higher,
• Microsoft IE 10,
• IE 9 (Secure Gateway required),
• IE7+ with Google Chrome Frame installed and
• Opera.

Notes:
Certain versions of Firefox and Opera require WebSocket support to be
explicitly enabled in the browser configuration. Instructions on how to enable
WebSockets in these browsers are included in a later section in this manual.
Refer to the ReadMe file for a list of known behaviors of specific browsers and
device combinations. For example, Opera Mini on iOS is not supported.

Multiple InTouch Access Anywhere sessions may be opened in different tabs
within the web browser, or in different browser windows. When a session is
not in use (its tab or window is not displayed) it will reduce its CPU and
memory utilization on the Server.

Connection Web Page
When the user navigates to the URL, a login form will be displayed.

The user must enter the connection parameters and press the Connect button
to initiate the connection.

Connection Details

InTouch Access Anywhere Server
    This is a read-only field that displays the name of the InTouch Access
    Anywhere server.

User name
    The user’s credentials to log in to the RDP host. Can optionally contain
    a domain specification, e.g. domain\user. When using the Secure Gateway
    this field is mandatory. Otherwise this field is optional – if not
    specified, the user will be prompted for credentials by the RDP host.

Password
    Corresponding password for the user name. For security reasons, this
    value should not be saved for future connections. When using the Secure
    Gateway this field is mandatory. Otherwise this field is optional – when
    not specified, the user will be prompted for credentials by the RDP host.

Remember Password
    When this setting is checked, the password that is entered will be saved
    for the next session. This option can be hidden from the web page.

Domain
    The user’s domain if it is not specified in the user name.

SSL encryption for desktop session
    When checked, the client utilizes SSL encrypted WebSocket communication
    to the InTouch Access Anywhere Server.

RDP compression and acceleration
    When checked, enables lossy image compression for the session. The degree
    of quality loss / acceleration can be specified using the drop-down list.

Acceleration Quality
    Controls the degree of acceleration that is enabled in the session.
    Faster acceleration will result in lower quality images.

Application name
    This pull-down list presents a list of Wonderware InTouch applications
    available at the host node.

About button
    Displays the version number of the InTouch Access Anywhere client.

Advanced button
    Used to access advanced configuration such as that required when using
    the Secure Gateway.

Connect button
    Starts the connection based on the entered parameters. When the user
    clicks the Connect button, all configured settings are saved for future
    sessions.

Reset button
    Clears all values that are saved and entered into the form and resets
    them to the defaults.

Advanced Settings
Click the Advanced button to set additional settings for the connection.

Use Secure Gateway
    Select this to use the Secure Gateway to connect to the RDP host.

Gateway Address
    Enter the address and port for the Secure Gateway(s) in this field. To
    specify a custom port, add a ‘:’ and the port number to the address
    (e.g. gateway.com:4343). If no port value is specified, 443 will be used
    by default.
    Multiple SGs can be specified for failover. Separate each address with a
    comma (,) or semicolon (;). An asterisk (*) will shuffle the items after
    it. For example, if the following is specified:
    aaa;*;bbb:4433;ccc:4343
    SG aaa on port 443 is used to initially connect. If aaa is unavailable,
    then bbb:4433 is used followed by ccc:4343 OR ccc:4343 followed by
    bbb:4433.

Remote Audio Playback
    Configure where the session’s sound will play: local computer, remote
    computer, or do not play.

Keyboard Locale
    Select the keyboard region to be used in the InTouch Access Anywhere
    session.
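The Gateway Address failover syntax described above, worked through as an added example (this is not code from the product): the function splits the value on commas or semicolons, applies the default port 443, and shuffles only the entries that follow the asterisk. The function names, the injectable random source, the host validation and the handling of a second asterisk are assumptions made for the example.

```javascript
// Added example, not Wonderware's implementation: turn a Gateway Address
// value into the ordered list of gateways a client would try.
const DEFAULT_GATEWAY_PORT = 443; // manual: used when no port is specified

// Fisher-Yates shuffle. `rand` is injectable so results are reproducible.
function shuffle(items, rand) {
  const out = items.slice();
  for (let i = out.length - 1; i > 0; i--) {
    const j = Math.floor(rand() * (i + 1));
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out;
}

// Split "host" or "host:port" and validate both parts.
// Assumption: hosts are DNS names or IPv4 addresses (no IPv6 literals).
function parseGateway(entry, defaultPort) {
  const colon = entry.lastIndexOf(':');
  const host = colon === -1 ? entry : entry.slice(0, colon);
  let port = defaultPort;
  if (colon !== -1) {
    const text = entry.slice(colon + 1);
    if (!/^\d{1,5}$/.test(text)) {
      throw new Error('invalid port in "' + entry + '"');
    }
    port = Number(text);
  }
  if (port < 1 || port > 65535) {
    throw new Error('port out of range in "' + entry + '"');
  }
  if (!/^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/.test(host)) {
    throw new Error('invalid host in "' + entry + '"');
  }
  return { host, port };
}

// Returns [{ host, port }, ...] in the order the gateways would be tried.
function gatewayFailoverOrder(value, options = {}) {
  const rand = options.rand || Math.random;
  const defaultPort = options.defaultPort || DEFAULT_GATEWAY_PORT;
  const tokens = value
    .split(/[;,]/)            // manual: comma or semicolon separates entries
    .map((t) => t.trim())
    .filter((t) => t !== '');
  const star = tokens.indexOf('*');
  // Entries before the asterisk keep their written order.
  const fixed = star === -1 ? tokens : tokens.slice(0, star);
  // Entries after it are shuffled. Assumption: a second "*" is ignored.
  const rest = star === -1 ? [] : tokens.slice(star + 1).filter((t) => t !== '*');
  return fixed
    .concat(shuffle(rest, rand))
    .map((t) => parseGateway(t, defaultPort));
}

// The manual's own example value; aaa:443 is always first.
console.log(gatewayFailoverOrder('aaa;*;bbb:4433;ccc:4343'));
```

Reviewing a deployed value this way shows which gateway is always tried first and which ones share load after it.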

Connecting
After a successful login, an RDP session is launched and InTouch
WindowViewer is started at the remote machine. The user is connected to the
specified Wonderware InTouch application. The content is displayed within the
browser window.

While it is connected, InTouch Access Anywhere intercepts mouse, button and
keyboard events, and transmits them to the RDP host. As a result, various
keyboard keys and mouse buttons that are usually handled by the browser,
will behave differently. For example, clicking the F5 button usually causes the
browser to reload the current page. When using InTouch Access Anywhere, F5
will not reload the page. Instead it will be transmitted to the remote InTouch
Window Viewer application, and handled by it.

Note: In most browsers, clicking the Back, Forward or Reload browser
buttons will cause InTouch Access Anywhere Server to display a message
asking the user if he/she wishes to leave the current page. If the user decides
to proceed, the remote session will be disconnected. (Some browsers may not
ask for confirmation).

In Remote Desktop Services remember to add view.exe to the RemoteApps
list of allowed applications. When adding it, configure it to allow command-
line arguments.

When accessed via InTouch Access Anywhere, the InTouch Window Viewer
application cannot be minimized. Users can close the InTouch application by
clicking on the X button in WindowViewer, if enabled. After the user closes
the Wonderware InTouch application, the session is automatically terminated
in approximately three seconds.
Closing the browser will leave the session running at the RDP server. You can
choose how to handle sessions in the configuration of your Remote Desktop
Server. For example, you can configure sessions to be terminated if they are
disconnected after a timeout period of your choice.

Note: When using InTouch Access Anywhere Server on Windows 2008
Terminal Services and Remote Desktop Services, the RemoteApps role should
be enabled before installing InTouch Access Anywhere Server.

Ending a Session
After the user logs out or disconnects, a “Session ended” message appears.
The browser returns to the connection dialog after the user clicks OK.

No trace of the session will remain on the device once it is ended. For
additional security, close the browser tab or window that previously ran the
InTouch Access Anywhere Server session.

Session Auto-logoff
Application sessions are logged off when the application is closed. In some
cases the session is not closed immediately or is frozen. InTouch Access
Anywhere Server includes an auto-logoff feature where if nothing is displayed
on the screen for a specified duration of time, the session will be
automatically logged off. The default value is three seconds; this value may
be changed by editing the blaze.txt file in the Resources folder and adding the
line:
RDP_LogoffDelaySeconds:i:n
where n is the duration.

Configuring Firefox and Opera browsers


Older versions of Firefox and Opera browsers disable WebSocket by default. It
is recommended to upgrade such browsers to newer versions that have
WebSockets enabled upon installation. If older versions of these browsers
must be supported, WebSocket must be enabled on these browsers to use
InTouch Access Anywhere. Alternatively, such browsers can connect through
the Secure Gateway without configuration changes.

Enabling WebSocket for Firefox (earlier than version 6)


1. Type about:config in the Location bar
2. If a warning is displayed, click the button to proceed
3. In the Filter box type: websocket
4. Double-click on the displayed items to change their values to true
5. Close the browser (all windows / tabs) and launch it again

Enable WebSocket for Opera


1. Type opera:config in the Location bar
2. In the Quick find box type: websocket
3. Enable the checkbox
4. Click on the Save button
5. Close the browser (all windows / tabs) and launch it again

Note: Opera browser does not support the changing of the cursor type, so a
generic browser cursor will always be used.

4. GOOGLE CHROMEBOOKS
InTouch Access Anywhere operates on Google Chromebook and Chromebox
just like it does with a Google Chrome browser. Here are some tips to keep in
mind when using InTouch Access Anywhere with a Chromebook or
Chromebox:

Function                           Description

Mouse Left-click                   Click the Chromebook trackpad with one finger
Mouse Right-click                  Click the Chromebook trackpad with two fingers
Scrolling a document or website    Drag two fingers on the Chromebook trackpad up or down to scroll
Configure Chromebook               Enter into the address field: chrome://settings

Most Chromebook shortcut key combinations (e.g. CTRL+T to open a new tab)
are supported during an active InTouch Access Anywhere session. Configured
Modifier keys are also supported within the InTouch Access Anywhere session.

Chromebook Keyboard
The Chromebook keyboard lacks several keys that are used by Windows.
ChromeOS provides standard mappings that use existing keys with the ALT
button to represent certain missing keys. InTouch Access Anywhere supports
these key combinations:

Command          Key combination

Delete (DEL)     ALT+Backspace
Page Up          ALT+Up
Page Down        ALT+Down
Home             CTRL+ALT+Up
End              CTRL+ALT+Down

In addition, InTouch Access Anywhere provides special non-standard
mappings for additional key combinations on ChromeOS.

Command          Key combination

F1               CTRL+1
F2, …            CTRL+2, …
ALT+TAB          ALT+`
ALT+SHIFT+TAB    ALT+SHIFT+`
CTRL+Home        CTRL+ALT+Left
CTRL+End         CTRL+ALT+Right

5. TABLET AND SMARTPHONES
InTouch Access Anywhere will operate on a tablet or smartphone device with an
HTML5 compliant browser (e.g. iPad Safari – see list of supported browsers).
Mobile devices have introduced new opportunities to empower users on the
go. They have also introduced new ways for people to interact with software.
Touch gestures are used to do the work that a mouse would do in a desktop
or laptop. Built-in software keyboards are used instead of physical keyboards.
Because there is no mouse, certain mouse events do not have an equivalent
in a touch environment. Software keyboards in mobile devices do not have
keys such as F1-F12, Ctrl, Alt.
When using InTouch Access Anywhere to view your applications remotely it is
important to be aware of these differences. It is very important to become
familiar with the way you work with touch interfaces in the devices you will
use and to keep this in mind as you design InTouch applications for use with
InTouch Access Anywhere. For example, Input animations do not need to
invoke the InTouch or Windows OS Keyboard as the mobile devices have their
own.
With existing InTouch applications that make use of mouse events and keys
or key combinations without a supported equivalent, you may want to modify
your application to use alternate methods.
The following list provides tips on using InTouch Access Anywhere from a
tablet or smartphone device where a physical keyboard and mouse are not
available. Functionality will vary across different devices and certain
commands may not be available.

• Single Tap performs a left click.
• Single long Tap performs a right-click.
• Tap + Hold + Drag performs a select then drag/scroll function.
• Double Tap, or tapping once with two fingers, performs double-click.
• Tap with three fingers sends Back command to a remote browser.
• Swipe down with three fingers is Page Up.
• Swipe up with three fingers is Page Down.
• Drag left or right with three fingers performs a left arrow and right
arrow respectively.
• Tap the keyboard icon (upper right-hand corner of window) to
open/close the virtual keyboard.

• Swipe and pinch gestures will apply to the InTouch Access Anywhere
session (i.e. zoom in with pinch in).
Note: Zoom pinch not
• (iOS only) When saving an InTouch Access Anywhere icon to the iOS
desktop, the shortcut will open the InTouch Access Anywhere session
full-screen mode. The browser’s toolbar will be hidden and there will
be more remote desktop area available.

6. HTTPS MODE
For environments where WebSockets support is not available, InTouch Access
Anywhere can work in HTTPS mode such that all communication will be sent
via HTTPS only. HTTPS mode will only be used if WebSockets is not available.
WebSockets will be used when available as it will provide better performance.
HTTPS mode is required when using Microsoft Internet Explorer 9 or with SSL
VPNs that only proxy HTTPS traffic.
To enable this feature, the InTouch Access Anywhere Secure Gateway is
required. The InTouch Access Anywhere Server web pages must be delivered
using the web server built into the InTouch Access Anywhere Secure Gateway
(files are located under the Webserver/InTouch Access Anywhere folder).
Perform the following to enable InTouch Access Anywhere for HTTPS support.
1) Install the InTouch Access Anywhere Server on the desired RDP Host.
2) Install the Secure Gateway on a separate machine located in a DMZ. The
Secure Gateway must be installed on a server that is accessible by the
target end-user group(s).
3) To connect to the InTouch Access Anywhere Server using HTTPS, enter
the InTouch Access Anywhere URL of the Secure Gateway (the Secure
Gateway includes the InTouch Access Anywhere web component):
https://<securegatewayaddress>/InTouch Access Anywhere/start.html
4) Enter the parameters for the target InTouch Access Anywhere Server in
the start.html page.
5) Upon connection, if HTTPS mode is active a ‘-’ symbol will then be shown
as a prefix to the address in the browser tab.

Note: HTTPS mode requires a browser that supports Canvas. Older
browsers, such as Microsoft Internet Explorer 8 (or earlier), are not
supported.

7. ADVANCED CONFIGURATION
InTouch Access Anywhere provides flexible ways to set predefined values and
accept custom values that are passed to it. These values can either be
displayed in the InTouch Access Anywhere Server start page or trigger an
automatic connection without allowing the user to change any settings.
InTouch Access Anywhere also easily integrates with other web pages and
portals. InTouch Access Anywhere can accept configuration settings from
other pages or directly from a web server. These settings can also be
displayed in the InTouch Access Anywhere start page for the user to view and
modify, or trigger an automatic connection.

Static Configuration of Config.js


An administrator can modify configuration settings for InTouch Access
Anywhere by editing the config.js file that is installed as part of the InTouch
Access Anywhere web component. This is a JavaScript file that can be
modified using any text editor, such as Windows Notepad.

Note: Always backup the original config.js file before making any changes.
This will ensure easy rollback to the original configuration.

Most settings in the file have the following format:
name: value,
The value can be a number, a flag (true or false), or text enclosed in quotes.
Some settings are prefixed by a double slash // which means they are
disabled. Remove the double slash in order to set a value for the setting.
JavaScript rules apply in this file, so certain characters need to be escaped
(e.g. backslash). Once the settings are configured, save the file and the next
user will have the new settings applied.
Refer to the Settings Table for a description of each setting.

Passing Credentials using Form POST
User credentials may be passed to InTouch Access Anywhere using the form
POST method. This functionality is used to provide SSO (single sign-on) from
an outside source that has already authenticated the user (such as an SSL
VPN).
The InTouch Access Anywhere Secure Gateway is required in order to use
form POST with InTouch Access Anywhere. Please refer to the InTouch
Access Anywhere Secure Gateway manual for detailed instructions.

Define Configuration Groups
All users share the configuration settings defined in the config.js configuration
file. It is possible to specify special settings that will override the global
settings for certain groups of users. Multiple configuration groups are defined
in the configuration file.
For example, if the Marketing group will have clipboard redirection and
printing enabled, change config.js as follows:

var defaults = {   // this already exists in the file

    "Marketing": {   // this group is the new addition
        remember: false,
        audiomode: 0
    },
};

Note: The double quotes surrounding Marketing must be identical. It may be
necessary to delete them and re-type them if the text was copied from
another source.
Also, the last setting of the configuration group should not have a ‘,’ at the
end. This comma will be placed after the closing bracket ‘}’.

In the URL to be used by the Marketing group, add the settings parameter:
http://<machine name>:8080/InTouch Access Anywhere/start.html?settings=Marketing

Settings Precedence
When the InTouch Access Anywhere client starts, it reads configuration
information from a variety of sources. If two or more sources contain different
values for the same setting, the value that InTouch Access Anywhere will use
is determined by the following precedence order:
(lowest precedence on the left, highest precedence on the right)
config.js | saved settings from previous session | cookies | URL parameters
For example, if the gateway_address is specified to be “server1” in config.js
but “server2” in a cookie (EAN_gateway_address), then the value “server2”
will be used.
If the setting overrideSaved is set to true in config.js, then any settings
predefined in the config.js file will override previously used settings.
Precedence order:
(lowest precedence on the left, highest precedence on the right)
saved settings from previous session | config.js | cookies | URL parameters
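The precedence rules above, worked through as an added example (not the product's code): the resolver merges the four sources in the documented order, honours overrideSaved, and records which source supplied each value, which is what an administrator needs when checking whether a value set in config.js can still be replaced by a cookie or URL parameter. Assumptions: URL parameter names equal the config.js setting names, the group named by the settings URL parameter is overlaid on the global config.js values, and all function names are invented for the example.

```javascript
// Added example, not the product's code: compute the effective settings
// and their origin from the four sources named in the manual.
const COOKIE_PREFIX = 'EAN_'; // manual: cookie names are prefixed by EAN_

// Keep only EAN_-prefixed cookies and strip the prefix.
function settingsFromCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (!name.startsWith(COOKIE_PREFIX)) continue;
    out[name.slice(COOKIE_PREFIX.length)] = part.slice(eq + 1).trim();
  }
  return out;
}

// Query-string parameters of the start page URL.
function settingsFromUrl(url) {
  const out = {};
  if (!url) return out;
  for (const [name, value] of new URL(url).searchParams) out[name] = value;
  return out;
}

// Global values from config.js, with one configuration group overlaid.
// Assumption: object-valued entries of `defaults` are configuration groups.
function configLayer(defaults, groupName) {
  const layer = {};
  for (const [name, value] of Object.entries(defaults)) {
    if (value === null || typeof value !== 'object') layer[name] = value;
  }
  if (groupName && Object.prototype.hasOwnProperty.call(defaults, groupName)) {
    const group = defaults[groupName];
    if (group !== null && typeof group === 'object') Object.assign(layer, group);
  }
  return layer;
}

function resolveSettings({ defaults, saved = {}, cookieString = '', url = '' }) {
  const fromUrl = settingsFromUrl(url);
  const groupName = fromUrl.settings; // "settings" only selects a group
  delete fromUrl.settings;
  const config = configLayer(defaults, groupName);
  const cookies = settingsFromCookies(cookieString);

  // overrideSaved swaps the two lowest layers; cookies and URL stay on top.
  const lowest = config.overrideSaved === true
    ? [['saved', saved], ['config.js', config]]
    : [['config.js', config], ['saved', saved]];
  const layers = lowest.concat([['cookie', cookies], ['url', fromUrl]]);

  const effective = {};
  const origin = {};
  for (const [label, source] of layers) {
    for (const [name, value] of Object.entries(source)) {
      effective[name] = value; // later (higher-precedence) layers win
      origin[name] = label;
    }
  }
  return { effective, origin };
}

// Constructed sample input matching the manual's server1/server2 example.
const sample = resolveSettings({
  defaults: { gateway_address: 'server1', overrideSaved: false },
  cookieString: 'EAN_gateway_address=server2',
});
console.log(sample.effective.gateway_address, sample.origin.gateway_address);
```

Values taken from cookies and URL parameters arrive as strings, so the example leaves type conversion to the caller.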

Settings Table
The config.js file contains the following configuration settings. Setting names
are case sensitive. When settings are specified using cookies, their names are
prefixed by EAN_.

overrideSaved
    false (default), settings that the user changes are preserved between
    sessions and override values set in config.js. Change to true for
    config.js to override preserved settings.

onlyHTTPS
    By default, InTouch Access Anywhere first attempts to connect using
    WebSockets. If the Secure Gateway is used with InTouch Access Anywhere,
    the connection will fall back to HTTPS when WebSockets is not available.
    If this setting is true, HTTPS is used immediately.

noHTTPS
    By default, InTouch Access Anywhere first attempts to connect using
    WebSockets. If the Secure Gateway is used with InTouch Access Anywhere,
    the connection will fall back to HTTPS when WebSockets is not available.
    If this setting is true, only WebSockets will be used and HTTPS fallback
    will be disabled.

hidden
    A comma- or space-separated list of field names as they appear in
    config.js. For example “username,password,domain”. The listed fields
    will be hidden so that the user will not be able to modify them.
    To hide a button, such as the Advanced button, prefix the button text
    with the word show. For example, “showAdvanced,showAbout” hides both the
    Advanced and About buttons.
    All hidden variables ignore previously saved settings.

settings (URL parameter only)
    Name of a Configuration Group to be used.

wsport
    The default WebSocket port that will be used by the client. The value
    specified in the file (8080 by default) will be used for both encrypted
    and unencrypted WebSocket communication. The user can override this
    value by explicitly specifying a port address in the client UI.
    For backward compatibility with older versions of InTouch Access
    Anywhere server, this behavior can be modified. If singlePort is set to
    false then the port value specified is only for encrypted communication.
    The value specified in the file plus one (8081 by default) will be used
    for unencrypted WebSocket communication.

gwport
    The default gateway port that will be used if it is not explicitly
    specified in the address field.

dialogTimeoutMinutes
    Timeout period, in minutes, after which an inactive dialog is
    automatically closed and the session is logged off. This is only
    relevant for dialogs that have a logoff button.

sessionTimeoutMinutes
    Timeout period, in minutes, after which an inactive session is
    disconnected. This timeout is reset whenever the user clicks on the
    keyboard or a mouse button. The default value is 0, which disables this
    feature.

specialkeys
    Enables support for special RDP key combination commands, such as
    CTRL+ALT+END which starts the Windows NT Security dialog box (similar to
    local CTRL+ALT+DEL). See http://support.microsoft.com/kb/186624 for the
    list of key combinations.

chromeKeys
    true (default) supports special ChromeOS key combinations.

showDownload
    true displays a link in the connection dialog to download the InTouch
    Access Anywhere Server installer.

clipboardSupport
    true (default) enables clipboard functionality; false disables it.

clipboardTimeoutSeconds
    The delay duration before the clipboard image automatically fades out.

clipboardUseFlash
    true (default) uses Flash when available for one-click copy into the
    local clipboard.

clipboardKey
    Key to open the clipboard paste dialog; set to false to disable.

console
    false (default); set to true to enable RDP console mode.

settingsURL
    URL of the connection settings file.

endURL
    URL to open after the InTouch Access Anywhere session has ended (# value
    closes window).
    If there is a prefix with the symbol ^ then this sets the value of
    window.location instead of top.location. This is useful when the InTouch
    Access Anywhere session is embedded in a frame.

address
    Address of InTouch Access Anywhere server. Always blank for the standard
    configuration.

full_address
    Address of RDP host. Always blank for the standard configuration.

username
    Username to pass into the InTouch Access Anywhere session.

password
    Password to pass into the InTouch Access Anywhere session (entered as
    clear text in config.js file).

domain
    Domain to pass into the InTouch Access Anywhere session.

remember
    false (default) determines whether the user’s password will be saved in
    the InTouch Access Anywhere page for future use. Set to true to enable
    password saving (not recommended for kiosk usage).

encryption
    false determines if encryption will be enabled from the InTouch Access
    Anywhere client to the server.

blaze_acceleration
    true determines if RDP acceleration will be used.

blaze_image_quality
    Sets the quality level using a numeric value. For example: 40 (fair
    quality), 75, 95 (best).

resolution
    Sets the resolution size of the InTouch Access Anywhere session. The
    value set must be a valid option under the InTouch Access Anywhere
    screen resolution setting.
    For example: "1024,768"
    For Full Screen, use: screen

use_gateway
    false (default), set to true to use a Secure Gateway for remote access.

gateway_address
    Defines the address and port of the Secure Gateway.
    For example: secure.acme.com:4343

useScancodes
    No longer in use, see convert_unicode_to_scancode.

convert_unicode_to_scancode
    false (default), set to true when using certain applications that send
    characters as scancodes (e.g. VMware vSphere Client, any application
    where you may have issues typing text). This setting will generate
    scancodes based on the selected locale.

leaveMessage
    The message displayed to the user after he/she navigates away from an
    active session.

audiomode
    0, enables audio redirection (default)
    1, play audio on remote computer
    2, disables audio redirection

name
    Defines a custom string for the connection name. By default, the RDP
    Host address is used.

minSendInterval
    Specifies the minimum duration between mouse position messages sent from
    the client when the mouse button is pressed. Units are milliseconds.

These settings only take effect after the user starts a new session.

Note: In some cases, the local browser must be closed and reopened before
changes take effect. The local browser cache may also need to be cleared.

Embedding InTouch Access Anywhere in an iframe
To embed InTouch Access Anywhere within a third-party web page using the
iframe mechanism, simply place an iframe tag within the containing page, and
have the iframe’s SRC attribute reference the InTouch Access Anywhere URL.
For example:
<body>
<h1>Embedded InTouch Access Anywhere</h1>
<iframe src="http://127.0.0.1:8080/AccessAnywhere/start.html"
style="width:1024px; height:768px"></iframe>
</body>

When the InTouch Access Anywhere session ends, it can be configured to
send the browser to a specified URL using the endURL setting.
• Specifying a simple URL will redirect the iframe.
• Prefix the URL with ^ to redirect the iframe’s parent (container).
• Prefix the URL with $ to redirect the top-most container.
• Specify # and the URL will close the browser tab.

8. SSL VPN CONFIGURATION
InTouch Access Anywhere is compatible with most SSL VPNs. SSL VPNs that
do not support WebSockets will require the Secure Gateway (SG) as well.
Juniper IVE version 7.4 supports WebSockets, so the SG is not required.
InTouch Access Anywhere has been tested with Juniper’s SA SSL VPNs and
the documentation in this section is based on Juniper’s administration
pages. Configuration with other third-party SSL VPN appliances will be similar
to the procedures described here (differences are mostly in terminology).

Web Proxy with 7.4


Juniper version 7.4 supports WebSockets natively. InTouch Access Anywhere
links are published in Juniper’s web interface as web applications. To
publish a new InTouch Access Anywhere connection, go to the Juniper Admin
page and do the following:
1) Go to Resource Profiles | Web | New Web Application Resource Profile
2) Enter the Name of the InTouch Access Anywhere connection that the users
should see.
3) Enter the InTouch Access Anywhere URL in the Base URL field.
4) Click Save and Continue
5) At the Roles dialog add all roles that should have access to the InTouch
Access Anywhere link and click Save Changes.
6) Enter the desired label for the connection in the Bookmarks tab
7) When the user logs into Juniper, the InTouch Access Anywhere link will
be displayed under the Web bookmarks section (e.g. My Server and
InTouch Access Anywhere). Click on the link to connect to an
application or desktop published with InTouch Access Anywhere.

Web Proxy with older Juniper versions
Juniper versions prior to 7.4, and most other SSL VPNs, do not support native
WebSockets. To use InTouch Access Anywhere with such SSL VPNs, HTTPS
Mode (see HTTPS Mode chapter in this guide) is required. HTTPS mode is
enabled by installing the Secure Gateway (SG). Follow these instructions to
use InTouch Access Anywhere and the SG:
1) Go to Resource Profiles | Web | New Web Application Resource Profile
2) Enter the Name of the InTouch Access Anywhere connection that the users
should see.
3) Enter the Gateway’s InTouch Access Anywhere URL address as the Base
URL and click Save.
4) Go to Autopolicy: Web Access Control
5) Edit the automatically entered address and delete the subfolder “InTouch
Access Anywhere”.
Instead of https://GWaddress.com:443/InTouch Access Anywhere/* the
correct resource is https://GWaddress.com:443/*
6) Click Save and Continue
7) At the Roles dialog add all roles that should have access to the InTouch
Access Anywhere link and click Save Changes
8) When the user logs into Juniper, the InTouch Access Anywhere link will
be displayed under the Web bookmarks section (e.g. InTouch Access
Anywhere Connection to RDP Host). Click on the link to connect to
an application or desktop published with InTouch Access Anywhere.

Note: If the link is not translating properly, make sure that there is not a
Passthrough Proxy policy defined for the Gateway Server (where the web
component is hosted).

Single Sign On (SSO) Using Cookies
In the Single Sign-on Config, set “Remote SSO”
Set “Send the following data as request headers” to the InTouch Access
Anywhere URL.
Set the desired cookies, for example:
• EAN_username=<USER> (this passes the username)
• EAN_password=<PASSWORD> (this passes the password)
• EAN_autostart=true (this auto starts the connection, “bypassing”
the start page)
• Other InTouch Access Anywhere parameters may also be passed
as cookies.

Network Connect
Juniper’s Network Connect mode opens a VPN tunnel to the private network.
When using Network Connect, users simply enter the InTouch Access
Anywhere parameters as if they were on the private network.

JSAM and WSAM


The Java and Windows Secure Access Manager provide additional security by
limiting the end user’s access on the private network to only assigned
resources. The InTouch Access Anywhere parameters will be masked by
Juniper and will not be directly accessible by the end user. To configure
InTouch Access Anywhere for JSAM, go to the Juniper Admin page and do the
following (WSAM configuration is similar to the JSAM procedure below):
1) Publish a JSAM Client Application Profile by going to Resource Profiles |
SAM | Client Applications

2) Click New Profile and enter the parameters:
a. Type: JSAM
b. Application: Custom
c. Name: <enter desired label here>
d. Servers Name: <enter address of InTouch Access Anywhere Server>
e. Server Port: <enter InTouch Access Anywhere port # (default is 8080)>
f. Client Loopback IP: Juniper’s aliased address for the InTouch
Access Anywhere Server (Important note: this address must be
entered as the InTouch Access Anywhere address for Juniper
users).
g. Client Port: Juniper’s aliased port for the InTouch Access Anywhere
Server (Important note: this port must be entered as the InTouch
Access Anywhere port for Juniper users). The default port 8080
may be used here if it does not create a port conflict.
h. Click Save and Continue
i. Select the Roles that will have access to this JSAM application
j. Click Save Changes and now this application is ready for use.

Auto-starting JSAM or WSAM upon login
Users may have to manually start a Client Application Session upon login:

To have the JSAM or WSAM applet launch on login to Juniper, go to the
Juniper Admin page and do the following:
1) Click on User Roles | <select desired Role> | General
2) Verify that the Secure Application Manager is checked and click on
Options
3) Check the Auto-launch Secure Access Manager option:

4) Click Save Changes and the next time a user logs in the SAM will
automatically start.

9. KNOWN BEHAVIORS AND LIMITATIONS
This section lists a number of known behaviors and limitations. Please also refer to
the InTouch Access Anywhere ReadMe file.

Per Device licenses Not Supported with InTouch Access Anywhere
InTouch Access Anywhere is only supported with InTouch 2012 R2 TSE
Concurrent licenses. TSE Per-Device licenses are not supported by InTouch
Access Anywhere.

InTouch Access Anywhere does not support NLA
InTouch Access Anywhere currently does not support Network Level
Authentication (NLA). Please disable NLA; otherwise, InTouch Access
Anywhere connections will fail.

WindowMaker Not Supported with InTouch Access Anywhere
InTouch WindowMaker is not supported in a TSE (Remote Desktop)
environment. Therefore, InTouch Access Anywhere is not supported for use
with InTouch WindowMaker. To prevent users from attempting to start
WindowMaker from WindowViewer, do not install a license that enables
WindowMaker and hide the menu bar in your InTouch applications.

Using software keyboards


InTouch provides the ability to invoke an InTouch keyboard or the Windows
On Screen Keyboard from Input Animations. When designing applications to
be accessed via InTouch Access Anywhere from mobile devices, keep in mind
that these have their own software keyboards optimized for their specific form
factor and size. In these cases, invoking the InTouch or the Windows
keyboards from your application is not needed. In general, you will have a
smoother experience using the software keyboard from the device.
Also keep in mind that software keyboards in mobile devices in most cases do
not have certain keys available in a physical keyboard such as F1-F12, Ctrl,
Alt, etc. If you already have an application that uses Key Scripts associated to
some of these keys, you can change your application to use alternate
available supported keys.
Some key combinations may not be available through your mobile device,
such as Shift+<letter>, Ctrl+Shift, Ctrl+Alt.

Right Click on Mac


To perform a right-click on a Mac OS X system: Command + left-click

Mouse Events
When designing your applications, keep in mind that certain mouse events do
not have an equivalent in a touch environment in most mobile devices, i.e.:
While Left Key Down, On Right Key Down, While Right Key Down, On Right
Double Click, On Right Up, Mouse Center click. Other mouse events are
triggered with a gesture you must become familiar with. For example, in many
mobile devices, a mouse over event is triggered by a tap on the screen.

Scroll bars
In some cases, moving a scroll bar in a touch environment may be tricky,
particularly when these are small. If the device has a stylus, try using it. As an
alternative, try touching the empty area of a scroll bar in the direction you
want to move. Dragging and dropping a dialog box can also be tricky. If your
device comes with a stylus, try using it.

Browser Extension Conflicts


Browser extensions and toolbars may inject JavaScript code into web pages.
This can adversely impact the behavior of certain web pages. If InTouch
Access Anywhere is not working properly, try disabling or uninstalling any
active browser extensions or toolbars. Restart the web browser after
uninstalling or disabling an extension to ensure that it is no longer active.

HTTPS and SSL Encryption


When the InTouch Access Anywhere page is delivered to the web browser
using HTTPS, the SSL encryption setting will be checked by default. Modern
browsers usually require WebSocket connections to be encrypted when
launched from pages delivered using HTTPS.

Network quality
The quality of the network will have an impact on the experience at the client
end, particularly with mobile devices. Long latencies, limited bandwidth, and poor
WiFi coverage of the working area are factors that have an effect.
We recommend that you add a heartbeat, or a clock displaying the time including
seconds, to the menu of your application to help visualize good
connectivity.

Checking Connectivity
If a user is having trouble connecting remotely to the InTouch Access
Anywhere environment that has been installed, ask the user to connect to the
InTouch Access Anywhere demo site on the Internet.
If the demo site appears and the user can successfully launch an InTouch
application then the browser is compatible with InTouch Access Anywhere. If
the demo site works for the user, verify the following:
• Can you connect locally at the InTouch Access Anywhere node itself by
using a supported browser?
• Is the InTouch Access Anywhere service running?
• Windows Firewall configuration
• InTouch Access Anywhere port between the user’s browser and the
InTouch Access Anywhere environment is available. The default port is
8080.
• A trusted certificate may be required for the InTouch Access Anywhere
Secure Gateway or the InTouch Access Anywhere Server.
• Verify network connectivity.
• Can the client device reach the InTouch Access Anywhere Server or
the InTouch Access Anywhere Secure Gateway node? The Ping and
Traceroute commands come in handy in a Windows based system.
Third party tools exist for certain mobile devices to provide equivalent
functionality.
• If you cannot reach a node by name, try using its IP address.
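
The client-side items in this checklist (name resolution, port availability, trusted certificate) can be checked in one pass. The Python sketch below is an added example, not part of the Wonderware manual or product; `check_endpoint`, its `use_tls` switch and the result keys are assumed names, and only the default port 8080 comes from the manual.

```python
import socket
import ssl


def check_endpoint(host, port=8080, use_tls=False, timeout=3.0):
    """Check name resolution, TCP reachability and (optionally) certificate trust.

    Hypothetical helper for this example; 8080 is the manual's default port.
    """
    result = {"resolved": None, "port_open": False, "cert_trusted": None, "error": None}
    try:
        # Can the node be reached by name? If not, retry with its IP address.
        info = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        result["resolved"] = info[0][4][0]
    except socket.gaierror as exc:
        result["error"] = f"name resolution failed: {exc}"
        return result
    try:
        # Is the port open between this client and the node (firewalls included)?
        sock = socket.create_connection((result["resolved"], port), timeout=timeout)
    except OSError as exc:
        result["error"] = f"TCP connect failed: {exc}"
        return result
    result["port_open"] = True
    with sock:
        if use_tls:
            # Does the node present a certificate this client trusts for `host`?
            ctx = ssl.create_default_context()
            try:
                with ctx.wrap_socket(sock, server_hostname=host):
                    result["cert_trusted"] = True
            except ssl.SSLCertVerificationError as exc:
                result["cert_trusted"] = False
                result["error"] = f"certificate not trusted: {exc.verify_message}"
            except OSError as exc:
                result["error"] = f"TLS handshake failed: {exc}"
    return result


if __name__ == "__main__":
    # 127.0.0.1 is a placeholder; pass the Server or Secure Gateway name or IP.
    print(check_endpoint("127.0.0.1", 8080))
```

A result with `port_open` false points at the service or firewall items in the list; `cert_trusted` false points at the trusted-certificate item.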

10. TECHNICAL SUPPORT
Wonderware Technical Support consists of a global team of qualified Certified
Support Providers. If you have questions or concerns about InTouch Access
Anywhere, contact Wonderware Technical Support.


Telephone: U.S. and Canada
800-966-3371
7 a.m. to 5 p.m. Pacific Time

Outside the U.S. and Canada
949-639-8500

For local support in your language, contact a Wonderware-certified support provider
in your area or country.

Refer to the following web address for a local distributor or sales office in your area:
http://us.wonderware.com/aboutus/contactsales

Fax: 949-639-1545
E-mail: Customer First members, send an e-mail message to our priority address:
custfirstsupport@wonderware.com

Customers without a support agreement, send an e-mail message to:
wwsupport@invensys.com

Web: Registered customers, submit your questions to our Support web site.
Refer to the following web site for instructions to register for Wonderware technical
support:
http://wwdotprod02.wonderware.com/imoo/index.aspx
