VTScada and Twilio Inbound Access


VTScada and Twilio Direct Access Through Firewall

This is a technical walk-through of how to set up Agilicus AnyX with Twilio® and VTScada for remote use without a VPN or DMZ. See the Infosheet for a high-level view.

The Case Study “Zero Trust Remote Operations and Asset Management” provides more detail on how this can be leveraged.

Overview: VTScada and Twilio Inbound Access

Twilio® requires inbound access for the Twilio Telephone API to interact with the VTScada® environment. This can be challenging to achieve since many people would prefer not to have their VTScada exposed to the Internet. Thin facades of security like a port-forward or a DMZ are insufficient. In this example we show VTScada and Twilio Inbound Access without opening the firewall, without a VPN, without a fixed IP, without port-forwarding.

In this guide we are going to be making some changes to the VTScada setup. Notably:

  1. We will create an SSL certificate (if none exists). This can be self-signed.
  2. We will create a Twilio endpoint on VTScada.
  3. We will import the SSL certificate to this endpoint.
  4. We will create an application in Agilicus AnyX.
  5. We will enable firewall rules in Agilicus AnyX for the Twilio endpoint.

Requirements

The following requirements need to be satisfied in the VTScada configuration to enable Twilio:

  • VTScada must have an SSL certificate (for the Twilio inbound endpoint). It does not need to be signed by a trusted 3rd party. This is not a security requirement but a functionality requirement: without a certificate, VTScada will generate the Twilio Callback URL incorrectly, assuming the URL should be HTTP. Agilicus AnyX will generate a valid TLS certificate, which will be used to connect to the product and prevent MITM attacks.
  • VTScada must not be the free version, and must support alarms.
  • A user must be created in VTScada for Twilio, with Thin Client permissions for the VTScada application.
  • The “Server Setup” tab of the thin client manager must match the Agilicus Application host name (e.g. waterdemo.mydomain.ca) in the Server List, with SSL enabled and port 443.
  • Refer to https://www.vtscada.com/help/Content/D_Internet/D_DomainAlias.htm for configuring a domain alias under an existing server install.
  • The configured realm must be on port 443 with SSL enabled

Additionally, to complete this exercise, you will need access to a Twilio account, to complete verification of the telephone number you wish to add to the roster, and to register a telephone number in your Twilio account.

In this guide, we will set up a VTScada environment to be authenticated by proxy. This means a server will be available by a hostname, but no traffic will be allowed to the VTScada environment until the authorization rules have been met. This may include identity and multi-factor credential verification. The Agilicus AnyX will generate a valid third-party signed TLS certificate, ensure the best practices for TLS are followed, and ensure all network traffic is audited and subject to the additional access control measures enabled through Agilicus AnyX.

Agilicus AnyX Application Configuration

Use the ‘New Application’ stepper to create a new application. Choose “My application is accessed: from my site via an onsite connector”

When selecting the internal hostname, enter the value of `echo %computername%` lowercase (e.g. open a ‘cmd’ shell on the VTScada machine and run that to get the exact computer name). Select ‘Service is accessed via TLS (without verify)’.

For authentication, select ‘is authenticated by a proxy, has named users with a single role’.

Navigate to Applications/Overview, and select the “Configure Application” action for the newly created application. This will move you to the application’s details.

Choose the Security tab to configure the firewall.

Now we will configure the Twilio firewall rules. Open the ‘Configure Application’ for the newly created VTScada application. Choose the ‘Security’ tab to configure the firewall. Create a Firewall Rule allowing POST and GET to ^/<realm>/TELECOM/Twilio from anyone. The <realm> will be a GUID, e.g. cd17710c-e9b3-48eb-a04e-ba2cfd2ef6ac.

Next, move to the Proxy tab to configure how the application proxies requests.

In the Rewrite Media types, make sure the following settings are checked and filled in, and in the Rewrite Rules, make sure the “My application expects the http host to be..” matches the Agilicus external hostname of the application.

Quick VTScada SSL Certificate Install

Note: you can have the Agilicus connector automate these steps and create a proper trusted certificate for VTScada. See the export.

Note: Agilicus has found it simpler to use PowerShell to create the certificate.

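# Certificate is valid for 3 years from today
$expiry = [datetime]::Today.AddYears(3)
# Edit this to be your external hostname
$extName = "vts.dbt.agilicus.cloud"
# Create a self-signed certificate with a 4096-bit key in the Local Machine "My" store
$cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $env:USERDOMAIN, $extName  -notafter $expiry -KeyLength 4096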

This will create a certificate valid for 3 years and store it in the Windows Certificate store. You must edit $extName to be your valid external hostname (e.g. myscada.mydomain).

If you wish to follow the VTScada instructions, these are shown below using a web site called ‘getacert’ which will obtain a 3-month valid certificate.

Follow the instructions here to create an SSL certificate for VTScada: https://www.vtscada.com/help/Content/D_Customize/Dev_SSLProcess.htm?TocPath=Use%20VTScada%7CSecure%20Your%20Application%7CInternet%20Security%20(SSL%2C%20TLS%2C%20X509)%7C_____2

1) Create a CSR and private key by filling in the SSL certificate request fields and hitting “Generate Request”.
Note: the host+domain name should be the domain name configured in the Agilicus application, with the CNAME pointing to the Agilicus Ingress Gateway.

3) Download the signed certificate and import it into the Current User certificate store. You should find that the certificate icon shows it has the key.

4) Right-click the certificate; under All Tasks, you will find an option for a wizard to let you export the certificate with the key. You will be required to assign a passphrase.

5) Import the certificate and key into the local machine certificate store so that it can be used by the VTScada software.
Make sure the key is marked as exportable, otherwise VTScada may fail to load the key.

Note that the icon should show the key is included with the certificate.

6) Modify C:\VTScada\setup.ini.
Add a line under [SYSTEM]:
SSLCertName = <Issued To>

VTScada Configuration

In the thin client/server setup, ensure the Agilicus external server name is configured with the SSL checkbox checked and port 443. It should be the 2nd server in the list.

Ensure the realm is configured for 443 and SSL, and that the main application is deployed to the realm.

Enable authentication for your app.

Create a username for Twilio, and ensure that in additional privileges it has “thin client access”.

Ensure the user to be used for roster call-out has “Alternate Identification” configured with a numeric password.


Configure the user credentials, domain and realm in the Alarm properties. The realm matches the configured realm and domain must be https://<agilicusexternalname>

Testing the Alarm Call-Out

To test alarm call-out, use Idea Studio to create a new page with the “Roster Alarm Test” widget.

The widget is located under
Tag Types\Communications\Alarm Notification\Roster

Assign the tag “Default Call-Out Off

You can now use the newly created page to configure the roster and trigger an alarm.

Checking the checkbox will trigger an alarm.

Right clicking the checkbox will allow you to edit the call-out roster.

Create a contact row. Link the contact to the user with alternate contact details.

If you have successfully configured Twilio and Agilicus, then after the roster call-out checkbox has been toggled you will receive repeated phone call-outs until the alarm is acknowledged. You can see the call-out status in the alarms page.

Troubleshooting

After triggering an alarm for the first time, your active Twilio number should have its webhook URL configured. This webhook URL is re-configured after any alarm.

This URL must be in the format https://username:password@agilicushostname:443/realm/TELECOM/Twilio…
If this URL is not correct, the VTScada configuration is incorrect.

It is expected that you will still get a phone call with either “an application error has occurred” or a hang-up without voice if the URL is incorrect.

If you are getting the correct URI populated, check the request logs and ensure requests to /realm/TELECOM are not redirected.
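
The webhook URL format above can be checked offline before changing VTScada settings. The Python below is an added example, not Agilicus or VTScada code: the function names, hostname and credentials are constructed, and the realm is the sample GUID from this page. It checks the URL against the format and the firewall rule prefix, and redacts the embedded password so the URL can be pasted into a ticket or log.

```python
import re
from urllib.parse import urlsplit

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def check_webhook_url(url, expected_host, realm):
    """Return a list of problems; an empty list means the URL has the expected shape."""
    problems = []
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
    if parts.scheme != "https":
        problems.append("scheme: expected https; check the VTScada SSL certificate")
    if not parts.username or not parts.password:
        problems.append("credentials: VTScada Twilio user name/password missing")
    if parts.hostname != expected_host.lower():
        problems.append("host: expected the Agilicus external hostname")
    if port != 443:
        problems.append("port: expected an explicit 443")
    if not GUID_RE.fullmatch(realm):
        problems.append("realm: expected a GUID")
    # Same prefix pattern as the firewall rule: ^/<realm>/TELECOM/Twilio
    if not re.match("/" + re.escape(realm) + "/TELECOM/Twilio", parts.path):
        problems.append("path: not under /<realm>/TELECOM/Twilio")
    return problems


def redact(url):
    """Replace the embedded password with *** so the URL can be shared."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    netloc = parts.netloc.replace(":" + parts.password + "@", ":***@", 1)
    return parts._replace(netloc=netloc).geturl()


# Constructed sample values (not real credentials or hosts).
HOST = "waterdemo.mydomain.ca"
REALM = "cd17710c-e9b3-48eb-a04e-ba2cfd2ef6ac"
GOOD = "https://twilio:s3cret@" + HOST + ":443/" + REALM + "/TELECOM/Twilio"
BAD = "http://scada-pc/" + REALM + "/TELECOM/Twilio"

if __name__ == "__main__":
    for url in (GOOD, BAD):
        print(redact(url), check_webhook_url(url, HOST, REALM) or "OK")
```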