25 Nov. OPC DA Firewall Rules
Use OPC applications based on OPC UA or OPC XML-DA. Both require only a single entry port through the firewall. Hardware firewalls are often used in corporate environments to protect the entire corporate network, or a smaller portion of it, from unwanted network traffic from the Internet. OPC applications can be configured to work across firewalls; see "How do I get data from an OPC server through a firewall?" To allow OPC traffic on your operating system, you must create firewall exceptions. How to configure Windows Firewall (see Hardware Firewalls below): to configure OPC communication to pass through a firewall, you must open a port for DCOM communication and add application exceptions. The last option is, of course, the least secure; no enterprise IT department would do this on an Internet firewall that protects a corporate network. Windows operating systems have a built-in firewall that filters incoming network traffic on connected network interfaces, and it is recommended that you use Windows Firewall to protect the operating system from attacks. Exceptions can be configured in Windows Firewall in two different ways: open the firewall for the entire port range used by classic OPC, but allow ONLY traffic between the OPC client computer and the OPC server computer. UA clients are even easier: since, from the operating system's point of view, they only make outbound connections, they are allowed by default. OPCTI's Level 2: OPC Security and Level 4: Advanced OPC courses cover this configuration comprehensively. For more information about automated firewall configuration, see OPC Expert.
DCOM, the technology on which classic OPC is based, uses the reserved system port 135. For servers and clients to function normally, you must allow these connections in your firewall. If the client and server are on different computers, firewall configuration is required; if they run on the same computer, you do not need to configure the firewall. The following is an example of how to configure the default firewall in Windows 2008. Port exception: all incoming TCP connections on a specific port are allowed by the firewall. Note: antivirus applications are only one part of a cybersecurity measure. To improve your protection, you should also deploy firewalls on each computer and restrict access to user accounts. An automated solution can be found under OPC Rescue. For Windows 2008 Server users: to open the firewall management console, use the Server Management console or run it from the command line with the wf.msc command.
For more information, see our DCOM Guide for instructions on how to configure OPC communication properly with Windows Firewall running. For Windows 7 users: if the COM+ or DCOM network access rule is not listed, create two port rules. To enable remote access to OPC UA servers, you must configure your firewall(s) so that the corresponding TCP ports can pass. The following list shows the TCP ports for each application installed in this package, per endpoint: For Windows 7 users: to open the firewall management console, use "Start" – "Control Panel" – "System and Security" – "Windows Firewall" – "Advanced Settings", or run it from the command line with the command wf.msc. DCOM can also be configured to transmit information over static (fixed) ports, which allows it to work well with external or hardware firewalls; in this case, only two ports are needed.
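The rules described above (TCP 135 for DCOM, a fixed DCOM port instead of the whole dynamic range, program exceptions for the OPC server and OpcEnum, and a single port per OPC UA endpoint), scoped so that ONLY the OPC client computer is allowed, as an added PowerShell example that is not part of the original page. The client address, server executable path, static DCOM port, UA endpoint port and the OpcEnum service name are placeholders or assumptions; the cmdlets need the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated session, and on Windows 7 / Server 2008 the same rules are created with netsh advfirewall.

```powershell
# Added example: Windows Firewall rules for classic OPC (DCOM) and OPC UA,
# allowing ONLY the OPC client/server pair, as the page recommends.
# Assumptions (not from the page): the client address, server executable path,
# the fixed DCOM port you configured, the UA endpoint port and the OpcEnum
# service short name are placeholders. Run from an elevated PowerShell session
# on the OPC server PC; on Windows 7 / Server 2008 use
# "netsh advfirewall firewall add rule ..." with the same parameters instead.

$OpcClient      = '192.0.2.10'                                    # placeholder: OPC client PC address
$OpcServerExe   = 'C:\Program Files\ExampleVendor\OpcServer.exe'  # placeholder: OPC server executable
$StaticDcomPort = 5000                                            # placeholder: fixed DCOM port from your DCOM configuration
$UaEndpointPort = 4840                                            # placeholder: port from the UA server's configuration file
$FwProfile      = 'Domain'                                        # profile the OPC PCs are connected on

# 1. DCOM endpoint mapper: TCP 135, restricted to the OPC client only.
New-NetFirewallRule -DisplayName 'OPC DCOM endpoint mapper (TCP 135)' `
    -Direction Inbound -Protocol TCP -LocalPort 135 `
    -RemoteAddress $OpcClient -Action Allow -Profile $FwProfile

# 2. The fixed DCOM port (instead of the whole dynamic range), same scope.
New-NetFirewallRule -DisplayName 'OPC DCOM static port' `
    -Direction Inbound -Protocol TCP -LocalPort $StaticDcomPort `
    -RemoteAddress $OpcClient -Action Allow -Profile $FwProfile

# 3. Application exceptions: the OPC server executable and the OpcEnum service
#    (which lets remote clients list the servers on this PC), same scope.
New-NetFirewallRule -DisplayName 'OPC server executable' `
    -Direction Inbound -Program $OpcServerExe `
    -RemoteAddress $OpcClient -Action Allow -Profile $FwProfile
New-NetFirewallRule -DisplayName 'OpcEnum service' `
    -Direction Inbound -Service OpcEnum `
    -RemoteAddress $OpcClient -Action Allow -Profile $FwProfile

# 4. OPC UA: a single TCP port per endpoint is all that has to pass.
New-NetFirewallRule -DisplayName 'OPC UA endpoint' `
    -Direction Inbound -Protocol TCP -LocalPort $UaEndpointPort `
    -RemoteAddress $OpcClient -Action Allow -Profile $FwProfile

# Verify: show each rule with its port and remote-address scope, so an
# accidental "Any" remote address is visible at a glance.
Get-NetFirewallRule -DisplayName 'OPC*', 'OpcEnum*' | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    $port = ($_ | Get-NetFirewallPortFilter).LocalPort
    '{0,-40} port={1,-6} remote={2}' -f $_.DisplayName, ($port -join ','), ($addr -join ',')
}
```

The verification step is the part worth keeping in a change procedure: a rule whose remote address shows as Any means the exception was created without the client scope and the server is exposed to every host on that profile, which is exactly the configuration the page warns against.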
In large OPC architectures, you often need to allow OPC traffic through a hardware firewall, and there are different approaches to this. In general, there are three ways to diagnose a communication error. OPC applications can communicate with each other even if they are in different Windows domains; the trick to getting communication up and running is Windows authentication on the OPC client PC and the OPC server PC. This can happen, for example, when you try to browse computers (with OpcEnum) or connect to OPC servers, whether connecting locally or to remote applications. In either case, the required settings have not been made on the computer on which the target OPC server (or OpcEnum) is running. The most popular OPC specification today is OPC Data Access (DA). OPC HDA is far behind, and OPC Alarms & Events (A&E) is a distant third. However, as more and more users demand standardized access to their historical process data, OPC HDA continues to gain traction.
All major historian manufacturers already support OPC HDA. Whether you choose OPC tunneling or DCOM, the OPC Training Institute hopes that you will make the effort to learn DCOM before making your decision; most people find DCOM surprisingly logical once they understand how it works. If this problem occurs when connecting to OPC servers, reinstall the server. First, the OPC server PC must recognize the user account of the OPC client PC: the OPC client's user account must exist in the Active Directory (on the domain controller) of the OPC server PC. Alternatively, you can configure a local user account for the OPC client application on the OPC server PC. Some OPC servers cannot run as a Windows service; for these, either a user must be logged on to the PC, or another application must start the OPC server.
To grant an OPC server access on all ports, create an exception for the OPC server executable. Changes to the DCOM configuration to support OPC communication do not open security vulnerabilities or compromise security. Many factors affect the use of computing resources; however, keep the following in mind. Applications that use DCOM abound in the world of IS (Information Systems), which is why the OPC Foundation chose DCOM as the platform for OPC. DCOM is also already loaded in Windows by default. As a result, the additional resources used by OPC applications are minimal. Antivirus software detects viruses and other malicious software (Trojans, worms, etc.) and protects your computer from unwanted activity. These applications should not intercept OPC servers, because the servers do not damage the computer.
However, future automated updates may incorrectly flag your OPC requests. To resolve this issue manually (not recommended), use RegSvr32.exe (included with Windows) to register the specific OPC DLLs; once these DLLs are registered correctly, OPC applications run because DCOM can find the interfaces. Then check the Windows event log to see whether Windows has logged any errors; this will also help you isolate the cause of the problem. You must allow activity for each OPC server running on this computer. You must also allow network activity for the OpcEnum system service, which allows remote clients to retrieve the list of servers on this computer. This error typically occurs when attempting to establish an initial connection to OPC (or DCOM) applications, but it also happens when attempting to subscribe (setting up OPC callbacks). In this error condition, DCOM was able to find the required application (server) on the target computer, but DCOM permissions prevent the user from accessing certain client/server components. These quality values can clearly indicate that the loss of communication is due to an error between the OPC server and its data source, and not to a communication problem between the OPC client and the OPC server. Vendors can choose whether or not to implement this type of diagnostics in their OPC server.
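The checks the page describes for a failed connection (is the DCOM port reachable through the firewalls, has DCOM logged a permission error in the event log, and is the OpcEnum service available for browsing), as an added PowerShell example that is not part of the original page. The server host name is a placeholder; Test-NetConnection needs Windows 8.1 / Server 2012 R2 or later, and Get-Service -ComputerName is a Windows PowerShell 5.1 feature, while Get-WinEvent also works on Windows 7 / Server 2008.

```powershell
# Added diagnostic example (not from the page): three checks for an OPC client
# PC that cannot reach a remote classic OPC server. The host name is a
# placeholder. Test-NetConnection requires Windows 8.1 / Server 2012 R2 or later.

$OpcServerPc = 'opc-server-01'   # placeholder: name of the OPC server PC

# 1. Is TCP 135 (the DCOM endpoint mapper) reachable through the firewall(s)?
#    If this fails, the port/program exceptions on the server PC (or a
#    hardware firewall or NAT router in between) are the first suspect.
$ep = Test-NetConnection -ComputerName $OpcServerPc -Port 135 -WarningAction SilentlyContinue
if ($ep.TcpTestSucceeded) {
    "TCP 135 is open on $OpcServerPc"
} else {
    "TCP 135 is blocked on $OpcServerPc: check the firewall exceptions there"
}

# 2. Has DCOM logged errors recently? DCOM writes to the System log under the
#    DistributedCOM provider; run this on the PC where the target OPC server
#    (or OpcEnum) runs, since that is where the permission decision is made.
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        StartTime    = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 3. Is the OpcEnum service running on the server PC? Browsing the server
#    list fails without it even when the OPC server itself is reachable.
Get-Service -Name OpcEnum -ComputerName $OpcServerPc -ErrorAction SilentlyContinue |
    Select-Object MachineName, Name, Status
```

Reading the three results together separates the cases the page lists: a closed port 135 is a firewall problem, a DCOM event with the port open is a permissions or authentication problem on the server PC, and a stopped OpcEnum explains a browse failure that is not a connection failure.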
Therefore, some OPC servers do not offer any diagnostics. With OPC UA, the OPC Foundation has written its own services for data transport and provides the source code to developers, who can then port the technology to any operating system. OPCENUM.exe should now appear in the Exceptions list with its check box selected. Each UA server can be reconfigured to use a different TCP port and to enable or disable endpoints; simply open the appropriate configuration file (in the installation directory) according to the following table: In practice, most internal routers at a site or company do not use NAT. However, routers that communicate with the Internet typically use NAT, which breaks OPC communication. If your OPC applications are separated by a router that uses NAT, you must use tunneling technology or OPC UA (which uses web services instead of DCOM to establish communication). The beauty of OPC is that once the OPC server has the information, any OPC client can easily retrieve it without having to worry about the specific API format.