Introduction
Dispel allows customers to fully customize their virtual desktop golden images and to connect to any endpoint over any port and protocol (TCP/UDP/ICMP) as long as the endpoint has a valid IP address. Customers often wish to connect to downstream endpoints using OEM-provided configuration applications - TIA Portal from Siemens, or RSLinx / Studio5000 from Rockwell being common examples. This documentation will walk you through how to set up your team with custom OEM applications within a given Virtual Desktop Golden Image.
Non-Exhaustive list of OEMs Dispel Supports
Dispel also supports several additional OEMs large and small - but these are ones commonly asked about by our customers. As long as the target asset has an IP address, Dispel can allow a remote connection to it.
Implementing an OEM Application
Prerequisites & Initial Considerations
Application Installers
Please ensure you have the correct version of the OEM application you wish to install. Installers can be downloaded directly onto the virtual desktop using the OEM's customer portal, or they may be transferred onto a VDI from your local host using one of the methods described below.
Please ensure the installer is compatible with Windows Server 2019 and Windows Server 2022.
If an older Windows Operating system is required, please reach out to your Dispel Account manager to confirm feasibility.
Please note: Dispel may only deploy operating systems supported by the Cloud Provider. If a specific OS is beyond its manufacturer's End of Life and End of Support, Dispel will not be responsible for security patches and updates for that operating system, and the customer will assume the risks inherent in using legacy software/systems.
NAT Considerations
In some situations, the OEM application uses routing and connection mechanisms that cannot survive Network Address Translation (NAT). Dispel is familiar with several OEMs that impose this limitation and can propose several architectures to work around these limitations. The simplest and most immediately available workaround is to create a point-to-point tunnel between a deployed Dispel Wicket, and the local endpoint/endpoint's network. This will enable standard routing without NAT, allowing for a successful connection in those situations.
Licensing
The customer is responsible for providing licenses for OEM applications present on Dispel Virtual Desktops. Most frequently, this is performed by enabling connectivity to a license farm, from which the VDI will dynamically pull a license during reservation/provisioning. In rare occurrences, customers will BYOL keys to insert into the VDI, or they will attach the license to a specific VDI. When these situations arise, Dispel will work with the customer team to convert that VDI to a long-term VDI, rather than a disposable one to help prevent accidental loss of relevant licenses. In those situations, the long-term VDI would become a "device" that other users will connect to in order to leverage the license installed on it. This can greatly help facilitate OT DMZ unification for some legacy application licenses.
Network accessibility and Architecture Diagram
In order for a VDI to connect to a particular endpoint using an OEM application, please ensure that endpoint is available to a proximally deployed Dispel Wicket. For the avoidance of doubt, the connection to that endpoint traverses the following "trace-route":
Dispel Virtual Desktop (w/OEM App) -> Dispel Region -> Dispel Wicket -> Endpoint.
Therefore, there must be an associated Region and Wicket before a given VDI can establish a connection to the target endpoint.
Building an Imaging Stack with Administrative Privileges
In order to configure a virtual desktop, you'll need to build a virtual desktop stack with administrative privileges. To do that:
Navigate to the Stacks page on the Dashboard and select "+ Build New Stack".
Select the proper region and baseline image you want to build off of.
Under the details section, select the "Admin Privileges" checkbox.
Complete the VDI build steps - your new desktop with admin privileges should be ready in 3-5 minutes.
Now that you've built the VDI - please use the following guide to reserve your VDI.
Installing and Configuring the OEM Application
If you would like to connect to external links to download the target installers, please reach out to your Dispel team to make sure those external URLs are whitelisted. Common links our team whitelists:
Microsoft SharePoint
Microsoft OneDrive
Box or DropBox
Customer specific web or p2p file transfer portal(s)
OEM Download / Update Portal(s)
If you would like to transfer installers via Drive Mapping from your local computer, please reach out to your Dispel account team to confirm drive mapping is enabled for your VDI. You can also enable drive mapping on your VDI as an administrator by adjusting the group policy options. To map a drive up to your VDI, you must connect to the VDI using RDP. Drive mapping will not work across Web/Bastion connections.
Please note: If your installers require more space than the standard storage provided by the VDI, please reach out to your Dispel Account Team. We would be happy to temporarily add extra storage/disk volumes to accommodate your installation needs.
For explicit instructions on how to install a given OEM application, please refer to those specific application guides. Please ensure you are following instructions for installation on Windows Server 2019 or 2022.
Mitsubishi Electric Documentation Center: https://us.mitsubishielectric.com/fa/en/support/technical-support/knowledge-base
Rockwell Documentation Center: https://www.rockwellautomation.com/en-us/support/documentation.html
Siemens Documentation Center: https://www.sw.siemens.com/en-US/documentation/
ABB Documentation Center: https://library.abb.com/
Licensing Considerations
Dispel has helped customers integrate OEM applications across a variety of license deployment models - please reach out to your Dispel Account team for additional help navigating your unique architecture needs.
Creating the Golden Image
When creating your new Golden Image, we recommend the following workflow for communicating with your Dispel account team:
Testing and Validation
Once your Golden Image is ready, we recommend building a test stack to confirm end-to-end connectivity with your target OEM endpoint using their application. Please be sure to select the correct golden image type from the library available during stack build!
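A pre-flight check that can be run in PowerShell on the test-stack VDI before opening the OEM application, to confirm that the VDI -> Region -> Wicket -> Endpoint path carries the application's TCP port. This is an added example, not Dispel tooling; the endpoint addresses are constructed placeholders, and the ports are the commonly used defaults for these protocols, which should be confirmed against the OEM's documentation.

```powershell
# Added example: TCP reachability check from the test-stack VDI.
# Addresses are constructed placeholders (RFC 5737 documentation range).
# Ports are assumed defaults: 102/TCP (Siemens S7 over ISO-TSAP) and
# 44818/TCP (EtherNet/IP explicit messaging, used by RSLinx / Studio 5000).
$Targets = @(
    [pscustomobject]@{ Name = 'Siemens PLC (TIA Portal)'; Address = '192.0.2.10'; Port = 102 }
    [pscustomobject]@{ Name = 'Rockwell PLC (RSLinx)';    Address = '192.0.2.20'; Port = 44818 }
)

function Test-OemEndpoint {
    # Hypothetical helper: returns 'Open', 'Timeout', or the socket error name.
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $task = $client.ConnectAsync($Address, $Port)
        # No answer within the timeout: traffic is being dropped or has no route.
        if (-not $task.Wait($TimeoutMs)) { return 'Timeout' }
        return 'Open'
    }
    catch {
        # A faulted connect surfaces as a wrapped SocketException, for example
        # ConnectionRefused (host answered, nothing listening on the port).
        $base = $_.Exception.GetBaseException()
        if ($base -is [System.Net.Sockets.SocketException]) {
            return [string]$base.SocketErrorCode
        }
        return 'Error'
    }
    finally { $client.Dispose() }
}

$Results = foreach ($t in $Targets) {
    [pscustomobject]@{
        Name    = $t.Name
        Address = $t.Address
        Port    = $t.Port
        Result  = Test-OemEndpoint -Address $t.Address -Port $t.Port
    }
}
$Results | Format-Table -AutoSize

$failed = @($Results | Where-Object Result -ne 'Open')
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) endpoint(s) not reachable; verify the Region and Wicket for this stack."
}
```

An 'Open' result only shows that the TCP port is reachable; applications affected by the NAT limitations described above can still fail, so the test with the OEM application itself remains necessary.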
VDI Updates and Upgrades
As a rule of thumb, Dispel automatically updates VDIs with the latest security patches and malware libraries. That said, Dispel can create special configurations to minimize incremental changes to a customer's VDI golden image to ensure that a given patch or upgrade does not interfere with your deployed application.
Dispel will always communicate major upgrades to customers and will schedule migration/maintenance windows in line with any applicable SLAs and communications policies.