What's New in the ThingWorx Remote Access Extension
This topic provides release notes for the versions of the ThingWorx Remote Access Extension (RAE) and the ThingWorx Remote Access Client (RAC) in the following sections. Click each section title to display the content. Click the title again to hide the content.
Security Improvements in All Releases
Each release of the ThingWorx Remote Access Extension (RAE) includes security-related updates, as follows:
• Fixed potential security issues, including items proactively identified by vulnerability scanning software or PTC Quality Assurance testing. Please upgrade as soon as possible to take advantage of these security improvements.
• See this technical support article for important recommendations regarding the use and update of third-party software for ThingWorx.
 | Although PTC has taken care to harden ThingWorx against a variety of attack vectors, individual users still have a responsibility to operate the application in a safe manner. This includes avoiding navigating to malicious web sites, importing unsafe content into the ThingWorx Platform, and similar cybersecurity best practices. |
ThingWorx Remote Access Extension (RAE), 3.2.1
Updated the default behavior of the TokenPropertyAuthenticator that is used to authenticate tokens for Axeda eMessage Agent assets and Global Access Server (GAS) Things. When an invalid token is received, the authenticator now disables communication with remote Things by setting the tokenInvalid Thing property to true. Any new tokens are rejected until the invalid token is reset manually using the ClearToken service on the remote Thing.
For more information about token validation for eMessage Agents, see TokenPropertyAuthenticator Behavior in the ThingWorx Axeda Compatibility Package 2 Help Center.
ThingWorx Remote Access Extension (RAE), 3.2.0
• Added support for pinning remote Things to a GAS server in a specific country, region, or manually by specifying the GAS server name. You can use services and Thing properties to control which GAS servers are available for a remote Thing. For more information, see Pinning GAS Servers.
• Added new entities and services to support GAS pinning.
• Updated existing entities and services to support GAS pinning.
• Added a Healthy property to the GASModel Thing Template . This property is used to when SelectServer.GASSelector service is executed. For more information, see GASSelector Thing.
Known Issues in version 3.2.0 of the ThingWorx Remote Access Extension (RAE)
The following issues are fixed in version 3.2.0 of the Remote Access Extension:
ID | Description |
|---|---|
RAE-1326 | A GAS server name can be added more than once to the pinnedGASList property when GAS pinning type is set to manual pinning. This issue occurs when using the Composer UI instead of the PinGASThing service. |
RAC-1328 | Executing the UnpinCountry, UnpinRegion, or UnpinGASThing services on countries, regions, or GAS Things that are not pinned does not return an error. |
RAC–1329 | Pinning a country, region, or GAS Thing multiple times using the PinCountry, PinRegion, or PinGASThing does not return an error. |
Issues Fixed in version 3.1.7 of the ThingWorx Remote Access Extension (RAE)
The following issues are fixed in version 3.1.7 of the Remote Access Extension:
ID | Description |
|---|---|
RAE-347 | Fixed an issue that was causing remote sessions to fail because RAC uses an old session ID value. |
ThingWorx Remote Access Extension (RAE), 3.1.6
• Added support for parameter substitution within Auto Launch commands that are executed on the Remote Access Client. To support this feature, a bindable JSON property named AutoLaunchParams was added to the RemoteAccesClientLinker widget. For more information, see Configuring Auto Launch Commands using JSON Data from the RemoteAccessClientLinker Widget.
• Added entities and services to support connecting to Remote Session Edge Extension (RSEE) devices.
ThingWorx Remote Access Extension (RAE), 3.1.4
The Remote Access Extension (RAE) has been updated to support the RAC Auto Launch features. For more information about the Auto Launch, see Configuring Auto Launch on the ThingWorx Platform.
Issues Fixed in version 3.1.4 of the ThingWorx Remote Access Extension (RAE)
The following issues are fixed in version 3.1.4 of the Remote Access Extension:
ID | Description |
|---|---|
RAE-298 | Fixed an issue that was preventing GAS remote sessions on ThingWorx from ending when a token resets. |
RAE-308 | Fixed an issue that was preventing users without administrator access from being able to start the RAC. |
RAE-314 | Fixed an issue that was causing RAE to ignore the remoteServerConfiguration value when determining the ADV version to provide to the user. |
ThingWorx Remote Access Extension (RAE), 3.0.0,
The primary feature for RAE 3.0.0 is "GAS Enablement", which provides support for ThingWorx Global Access Server, 7.1.0, to offload remote sessions from ThingWorx Platform. This version of the RAE also supports ThingWorx GAS, 7.0.x, and Axeda Global Access Server 6.9.2/6.9.3. For details on GAS Enablement, read GAS (Global Access Server) Enablement. For information on specific enhancements and issues fixed, refer to the ThingWorx Axeda Compatibility Package Release Notes, 2.2.0, in the ThingWorx Axeda Compatibility Package 2 Help Center.
For details about the new features, refer to the following topics:
• Global Access Server (GAS) support — Support for Axeda and ThingWorx Global Access Servers
• Policy Server support — Remote Access: When Using Policy Server
• IP Cycling — IP Cycling for the Remote Access Client (RAC)
ThingWorx Remote Access Extension (RAE), 2.2.1
The 9.1.0 release of the ThingWorx Platform supports Java 11, more specifically Oracle JDK 11 and Amazon Corretto 11 (OpenJDK). The 2.2.1 release of the RAE includes changes to support running the extension on a ThingWorx Platform that is using Java 11.
| | Java 11 has deprecated JNLP. With an upgrade to Java 11, JNLP does not work. For tunneling (remote sessions) with ThingWorx Edge devices, or Axeda eMessage Agent devices, users should always use the latest version of the ThingWorx Remote Access Client (RAC) to initiate a tunnel. If any of your users are on JNLP, instruct them to install the RAC instead. You can download the RAC from the ThingWorx Remote Access Client Downloads page. Choose the download for your operating system. Each RAC download is an installer that you can run on your system. |
Issues Fixed in version 2.2.1 of the ThingWorx Remote Access Extension (RAE)
The following issues are fixed in 2.2.1 of the Remote Access Extension:
ID (SFID) | Description |
|---|---|
RAE-205 (15413355) | The TimezoneServices permissions issue is fixed in this release. |
RAE-223 (15410928) | SessionCompleted event was not returning the correct status on EMS. This issue is fixed in this release of the Remote Access Extension. |
RAE-226 (15413355) | Due to a limitation in the ThingWorx permissions model, the service GrantPermissionsThingworxInternalForTemplate has been found to not work properly and results in the required authorization not being applied to the instance runtime permissions. As a result, users must call GrantPermissionsThingworxInternalForThing for each Thing they would like to grant permission to use the remote access capabilities. |
ThingWorx Remote Access Extension (RAE), 2.0.0
The major change in the ThingWorx Remote Access Extension, 2.0.0 is that the extension has been updated to work in a ThingWorx High Availability (HA) Clustering environment.
Here is a summary of changes for the RAE:
• To support remote sessions in an HA environment, a ThingWorx Connection Server is required. No special configuration of the Connection Server is required for this support. This routing is the way that the RAC connects to a ThingWorx Platform that supports the TWS endpoint. However, if you are using a load balancer configuration that is path-based, you need to make sure to allow the /TWS path.
 | To accommodate remote access in a high availability environment, the default idle timeout for tunneling in the Connection Server has been increased from 30 seconds to 300 seconds. This value matches the default value used in the RAC workflow in an HA environment. |
• The RAE 2.0.0 ensures that client (RAC) nonces are in shared state across instances of ThingWorx Platform in an HA cluster environment. Once nonces are used, they are removed from shared state, regardless of which instance used them. When a RAC connects with a nonce, the mashup waiting on the connection is notified.
ThingWorx Remote Access Extension, v.1.2.0
This section explains what changed in the releases of the ThingWorx Remote Access Extension (RAE), v.1.2.0 and also explains how to upgrade the RAE and RAC.
In general, the RAE has been updated for ThingWorx Platform, 8.5.2 and later to support the use of nonce keys (one-time use keys) on a ThingWorx WebSocket endpoint that supports only these keys. The next section provides more details about the new endpoint.
WebSocket Endpoint for Remote Access
To ensure only RAC connections can connect and perform RAC activities on a ThingWorx Platform endpoint, a new WebSocket (WS) endpoint has been added to the ThingWorx Platform for 8.5.2. This new endpoint enhances security for RAC connections and, more generally, provides additional options in managing edge connectivity. The feature includes:
◦ A new ThingWorx Temporary WebSocket (TWS) endpoint on the ThingWorx Platform to handle short-lived, user traffic. This WebSocket is created and available when the ThingWorx Platform starts. It uses the ThingWorx AlwaysOn protocol.
◦ A new single-use authentication key, called a nonce key. This WebSocket accepts nonce keys only when authenticating a connection. It does not accept application keys. In all other aspects, the TWS acts like the WS endpoint.
◦ An updated RAC to use the new endpoint and nonce key.
The new TWS endpoint enables the separation of user-based WebSocket traffic from remote device traffic. This endpoint is specifically designed to handle temporary remote access client and other short-lived traffic.
TWS connection and endpoint requirements include:
◦ A connection must be established using a one-time key called a NonceKey.
▪ A NonceKey is short-lived and associated with the user that creates it.
▪ A NonceKey is created via the raClientLinker widget. It calls the EntityServices.GetClientNonce() service on the ThingWorx Platform.
▪ A NonceKey is removed from the ThingWorx Platform once it is used to authenticate a ThingWorx connection or once the NonceKey expires (TTL is 15 seconds).
◦ The ThingWorx Always On protocol is the only protocol supported over this connection.
Additional Enhancements
The table below lists and briefly describes additional changes for this release of the Remote Access Extension.
ID | Description |
|---|---|
RAE-153 | The ComposerUsers group is permitted to invoke the GetClientNonce service on the ThingWorx Platform. This enables users assigned to this group to run remote sessions using the ThingWorx Remote Access Client. |
RAE-176 | The raClientLinker widget that is provided in the Remote Access Extension now forwards the user to a tw-ra-client URL that contains a NonceKey. The retry feature creates a new NonceKey each time it retries the connection. |
Upgrading the Remote Access Extension to RAE 1.2.0
To upgrade to RAE 1.2.0, a ThingWorx administrator must complete these tasks:
1. Follow standard ThingWorx guidance on upgrading the ThingWorx Platform to version 8.5.2.
2. Install the updated Remote Access Extension (RAE), v. 1.2.0, and restart the ThingWorx Platform for the new extension to take effect.
3. Remove all older Remote Access Clients that work with older versions of ThingWorx Platform and the RAE (v.1.1.0 and earlier)
After you have complete these tasks, tell your end users to uninstall their current version of RAC and install the RAC v.1.1.0.
| | Once the RAE has been upgraded and the platform restarted, Remote Access Clients that are older than v.1.1.0 stop working. That said, the RAC v.1.1.0 works with older versions of the RAE as is. |