VTScada and Twilio

Direct Access Through Firewall

vtscada-twilio-factory

Overview

Twilio® requires inbound access for the Twilio Telephone API to interact with the VTScada® environment. This can be challenging to achieve since many people would prefer not to have their VTScada exposed to the Internet. Thin facades of security like a port-forward or a DMZ are insufficient.

In this guide we are going to be making some changes to the VTScada setup. Notably:

  1. We will create an SSL Certificate (if none exists). This can be self-signed
  2. We will create a Twilio endpoint on VTScada
  3. We will import the SSL certificate to this endpoint
  4. We will create an application in Agilicus AnyX
  5. We will enable firewall rules in Agilicus AnyX for the Twilio endpoint

Requirements

The following requirements need to be satisfied in the VTScada configuration to enable Twilio:

  • VTScada must have an SSL certificate (for the Twilio inbound endpoint). It does not need to be signed by a trusted third party: this is a functionality requirement rather than a security one, because without a certificate VTScada generates the Twilio callback URL incorrectly, assuming it should be HTTP. Agilicus AnyX generates the valid TLS certificate that is used to connect to the product and prevent MITM attacks.
  • VTScada must not be the free version, and must support alarms
  • A user must be created in VTScada for Twilio, with Thin Client permissions for the VTScada application
  • The “Server Setup” tab of the Thin Client Manager must include the Agilicus Application host name (e.g. waterdemo.mydomain.ca) in the Server List, with SSL enabled and port 443.
  • Refer to https://www.vtscada.com/help/Content/D_Internet/D_DomainAlias.htm for configuring a domain alias on an existing server install.
  • The configured realm must be on port 443 with SSL enabled

Additionally, to complete this exercise, you will need access to a Twilio account, complete verification of the telephone number you wish to add to the roster, and register a telephone number in your Twilio account.

In this guide, we will set up a VTScada environment to be authenticated by proxy. This means a server will be available by a hostname, but no traffic will be allowed to the VTScada environment until the authorization rules have been met. This may include identity and multi-factor credential verification. The Agilicus AnyX will generate a valid third-party signed TLS certificate, ensure the best practices for TLS are followed, and ensure all network traffic is audited and subject to the additional access control measures enabled through Agilicus AnyX.

Agilicus AnyX Application Configuration

Use the ‘New Application’ stepper to create a new application. Choose “My application is accessed: from my site via an onsite connector”.

When selecting the internal hostname, enter the value of `echo %computername%` in lowercase (open a ‘cmd’ shell on the VTScada machine and run that command to get the exact computer name). Select ‘Service is accessed via TLS (without verify)’.

For authentication, select ‘is authenticated by a proxy’ and ‘has named users with a single role’.

Navigate to Applications/Overview, and select the “Configure Application” action for the newly created application. This will move you to the application’s details.

Now we will configure the Twilio firewall rules. In ‘Configure Application’ for the newly created VTScada application, choose the ‘Security’ tab to configure the firewall. Create a Firewall Rule allowing POST and GET to ^/<realm>/TELECOM/Twilio from anyone. The <realm> will be a GUID, e.g. cd17710c-e9b3-48eb-a04e-ba2cfd2ef6ac. Only this path is opened to unauthenticated callers; all other requests remain subject to the proxy authentication described above.

Next, move to the Proxy tab to configure how the application proxies requests.

In the Rewrite Media Types section, make sure the following settings are checked and filled in, and in the Rewrite Rules, make sure the “My application expects the http host to be..” field matches the Agilicus external hostname of the application.

Quick VTScada SSL Certificate Install

Note: Agilicus has found it simpler to use PowerShell to create the certificate.

# Certificate valid for three years from today
$expiry = [datetime]::Today.AddYears(3)
# External hostname of the application in Agilicus AnyX; change this to your own
$extName = "vts.dbt.agilicus.cloud"
# Create the certificate in the Local Machine store (run from an elevated PowerShell),
# with the machine's domain and the external hostname as its DNS names
$cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $env:USERDOMAIN, $extName -notafter $expiry -KeyLength 4096

This will create a certificate valid for three years and store it in the Windows certificate store. You must edit $extName to be your valid external hostname (e.g. myscada.mydomain).

If you wish to follow the VTScada instructions instead, they are shown below using a web site called ‘getacert’, which will obtain a certificate valid for three months.

Follow the instructions here to create an SSL certificate for VTScada: https://www.vtscada.com/help/Content/D_Customize/Dev_SSLProcess.htm?TocPath=Use%20VTScada%7CSecure%20Your%20Application%7CInternet%20Security%20(SSL%2C%20TLS%2C%20X509)%7C_____2

1) Create a CSR and private key by filling in the SSL certificate request fields and clicking “Generate Request”.
Note: the host + domain name should be the domain name configured in the Agilicus application, with the CNAME pointing to the Agilicus Ingress Gateway.

3) Download the signed certificate and import it into the Current User certificate store. The certificate icon should show that it has the key.


4) Right-click the certificate; under All Tasks you will find a wizard that lets you export the certificate together with its key. You will be required to set a passphrase.

5) Import the certificate and key into the Local Machine certificate store so that VTScada can use it.
Make sure the key is marked as exportable, otherwise VTScada may fail to load the key.


Note the icon should show the key is included with the certificate.

6) Modify C:\VTScada\setup.ini.
Add a line under [SYSTEM]:
SSLCertName = <Issued To>
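The following PowerShell is an added check, not part of the VTScada or Agilicus documentation, that confirms before you edit setup.ini that the certificate in the Local Machine store carries the external hostname, has a private key that is exportable (the condition step 5 warns about) and has not expired. It also prints the subject's simple name, which is what the certificate console shows as “Issued To” and what SSLCertName expects. The hostname ‘myscada.mydomain’ is a placeholder, and the Export call is only an in-memory probe of exportability that writes nothing to disk. Run it from an elevated PowerShell, since Local Machine private keys are not readable otherwise.

```powershell
# Added example: verify the certificate VTScada will load from Cert:\LocalMachine\My.
# Not part of the VTScada or Agilicus documentation; the hostname below is a placeholder.

function Test-VtscadaSslCert {
    param(
        [Parameter(Mandatory)] [string] $ExternalName,        # Agilicus external hostname
        [string] $StorePath = 'Cert:\LocalMachine\My'         # store VTScada reads from
    )
    $results = foreach ($cert in Get-ChildItem -Path $StorePath) {
        # DnsNameList is added by the certificate provider and covers CN and SAN entries
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        if ($names -notcontains $ExternalName) { continue }

        # VTScada needs the private key and it must be exportable: an in-memory PFX
        # export (nothing is written) throws for a key marked non-exportable
        $exportable = $false
        if ($cert.HasPrivateKey) {
            try {
                $null = $cert.Export(
                    [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx,
                    'probe-password-never-stored')
                $exportable = $true
            } catch {
                $exportable = $false
            }
        }

        [pscustomobject]@{
            # SimpleName is the subject CN, shown as "Issued To" in certlm.msc;
            # this is the value to put after SSLCertName = in setup.ini
            IssuedTo      = $cert.GetNameInfo(
                                [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
                                $false)
            Thumbprint    = $cert.Thumbprint
            DnsNames      = ($names -join ', ')
            HasPrivateKey = $cert.HasPrivateKey
            Exportable    = $exportable
            Expires       = $cert.NotAfter
            Usable        = ($cert.HasPrivateKey -and $exportable -and ($cert.NotAfter -gt (Get-Date)))
        }
    }
    if (-not $results) {
        Write-Warning "No certificate in $StorePath lists $ExternalName as a DNS name"
    }
    $results
}

# Placeholder hostname; use the external hostname you put in $extName above
Test-VtscadaSslCert -ExternalName 'myscada.mydomain' | Format-List
```

If more than one matching certificate is listed, pick the one with Usable set to True and use its IssuedTo value in setup.ini; a certificate that lists the name but has Exportable set to False is the case where VTScada appears to find the certificate yet fails to load the key.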

VTScada Configuration

In the Thin Client/Server Setup, ensure the Agilicus external server name is configured, with the SSL checkbox checked and port 443. It should be the second server in the list.

Ensure the realm is configured for port 443 with SSL, and that the main application is deployed to the realm.

Enable authentication for your app.

Create a user for Twilio and ensure that, under Additional Privileges, it has “Thin Client Access”.

Ensure the user to be used for roster call-out has “Alternate Identification” configured with a numeric password.


Configure the user credentials, domain and realm in the Alarm properties. The realm matches the configured realm, and the domain must be https://<agilicusexternalname>

Testing the Alarm Call-Out

To test alarm call-out, use Idea Studio to create a new page with the “Roster Alarm Test” widget.


The widget is located under
Tag Types\Communications\Alarm Notification\Roster

Assign the tag “Default Call-Out Off”.

You can now use the newly created page to configure the roster and trigger an alarm.

Checking the checkbox will trigger an alarm.

Right clicking the checkbox will allow you to edit the call-out roster.

Create a contact row. Link the contact to the user with alternate contact details.

If you have successfully configured Twilio and Agilicus, once the roster call-out checkbox has been toggled you will receive a phone call repeatedly until the alarm is acknowledged. You can see the call-out status in the Alarms page.

Troubleshooting

After triggering an alarm for the first time, your active Twilio number should have its webhook URL configured. This webhook URL is re-configured after any alarm.

This URL must be in the format https://username:password@agilicushostname:443/realm/TELECOM/Twilio…
If this URL is not correct, the VTScada configuration is incorrect.

It is expected that you will still get a phone call, with either “an application error has occurred” or a silent hang-up, if the URL is incorrect.

If the correct URI is populated, check the request logs and ensure requests to /realm/TELECOM are not redirected.
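As an added diagnostic, not from the VTScada, Twilio or Agilicus documentation, the PowerShell function below takes the webhook URL shown on the active Twilio number and checks it against the values this guide expects: HTTPS, an embedded username and password, the Agilicus external hostname, port 443, and a path matching the same ^/<realm>/TELECOM/Twilio expression used for the firewall rule in the application configuration section. The sample hostname, realm GUID and credentials are constructed placeholders. A URL whose path fails the last test is not admitted by the firewall rule, so the proxy answers it with its login flow; that is the most likely source of the redirect the paragraph above tells you to look for in the request logs.

```powershell
# Added example: validate the Twilio webhook URL written by VTScada.
# Not part of the VTScada, Twilio or Agilicus documentation; sample values are constructed.

function Test-TwilioWebhookUrl {
    param(
        [Parameter(Mandatory)] [string] $Url,           # webhook URL as shown on the Twilio number
        [Parameter(Mandatory)] [string] $ExternalName,  # Agilicus external hostname of the application
        [Parameter(Mandatory)] [string] $Realm          # VTScada realm GUID
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref] $uri)) {
        $problems.Add('not an absolute URL')
        return [pscustomobject]@{ Ok = $false; Problems = $problems.ToArray() }
    }
    # VTScada generates an http URL when it has no usable SSL certificate (SSLCertName)
    if ($uri.Scheme -ne 'https') {
        $problems.Add("scheme is '$($uri.Scheme)', expected https")
    }
    # The Twilio user's credentials travel in the URL as username:password
    if ($uri.UserInfo -notmatch '^[^:]+:.+$') {
        $problems.Add('username:password missing from the URL')
    }
    # Host must be the Agilicus external name from the thin client Server List
    # (System.Uri normalises the host to lowercase, so compare lowercase)
    if ($uri.Host -ne $ExternalName.ToLowerInvariant()) {
        $problems.Add("host is '$($uri.Host)', expected '$ExternalName'")
    }
    if ($uri.Port -ne 443) {
        $problems.Add("port is $($uri.Port), expected 443")
    }
    # Same expression as the Agilicus firewall rule; -cnotmatch keeps it case-sensitive
    $firewallRule = '^/' + [regex]::Escape($Realm) + '/TELECOM/Twilio'
    if ($uri.AbsolutePath -cnotmatch $firewallRule) {
        $problems.Add("path '$($uri.AbsolutePath)' does not match firewall rule $firewallRule")
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Constructed sample values; replace $good with the URL copied from your Twilio console
$realm    = 'cd17710c-e9b3-48eb-a04e-ba2cfd2ef6ac'   # example realm GUID from this guide
$external = 'waterdemo.mydomain.ca'                   # example external hostname from this guide
$good = "https://twilio:secret@$($external):443/$realm/TELECOM/Twilio"
$bad  = "http://$external/$realm/TELECOM/Twilio"      # what a missing SSLCertName produces

Test-TwilioWebhookUrl -Url $good -ExternalName $external -Realm $realm   # Ok = True
Test-TwilioWebhookUrl -Url $bad  -ExternalName $external -Realm $realm   # Ok = False: scheme, credentials, port
```

Because the credentials are embedded in a URL that is visible in the Twilio console, use the dedicated Twilio user created in the VTScada Configuration section, which only needs Thin Client Access, rather than an administrative account.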