1.2.2.2   Internet as the Network

If you distribute your control system across the globe using the Internet, a dedicated firewall for each remote location with a public IP address is highly recommended. This will increase the security of your system. A firewall appliance is recommended. For more information, see 1.6.1 Firewalls.

 

Figure 1.2.2.2 - Firewall for Project Node requires Address Mapping - optionally use Address Mapping on SCADA Nodes

In the above configuration (Figure 1.2.2.2) the Central Control Room Project Node, SCADA Node and clients need to use Address Mapping in WebAccess.  The NAT in the Firewalls handles all the redirection of the Public IP addresses to the Private IP Addresses for the SCADA Nodes with dedicated firewalls.  

The Control Room clients, the Project Node and the SCADA Node behind the same firewall must use private IP addresses to communicate. This is because most firewalls do not allow Private Users to address each other using their Public IP address (note: most routers do allow this). In the above configuration (Figure 1.6.2), the Control Room Clients, the Project Node and the SCADA Node need to use Address Mapping in WebAccess to substitute the Private IP Address when the Public IP address is seen.
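The substitution rule described above can be modelled and checked before a mapping table is deployed. The following is an added example, not WebAccess code and not bwclient.ini syntax; the topology, node names, site names and IP addresses are constructed, and the function names are hypothetical.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed topology (documentation-range public IPs); "site" = firewall the node sits behind.
NODES = [
    {"name": "project-node", "site": "control-room", "public": "203.0.113.10", "private": "192.168.1.10"},
    {"name": "scada-central", "site": "control-room", "public": "203.0.113.11", "private": "192.168.1.11"},
    {"name": "scada-remote", "site": "remote-1", "public": "198.51.100.20", "private": "10.0.0.20"},
]

def required_mappings(nodes, client_site):
    """Public -> private substitutions needed by a client behind client_site's firewall."""
    return {n["public"]: n["private"] for n in nodes if n["site"] == client_site}

def resolve(advertised_ip, mapping):
    """Address the client should connect to when it is handed advertised_ip."""
    return mapping.get(advertised_ip, advertised_ip)

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def audit(nodes, client_site, configured):
    """Compare a configured mapping table with the topology and list the problems."""
    findings = []
    needed = required_mappings(nodes, client_site)
    for public, private in needed.items():
        if public not in configured:
            findings.append(f"missing: {public} -> {private}")
        elif configured[public] != private:
            findings.append(f"wrong target: {public} -> {configured[public]}")
    for public, target in configured.items():
        if public not in needed:
            # Node is behind another firewall; its NAT must do the translation.
            findings.append(f"unneeded: {public} -> {target}")
        if not is_rfc1918(target):
            findings.append(f"target not private: {public} -> {target}")
    return findings

if __name__ == "__main__":
    configured = {"203.0.113.10": "192.168.1.10", "198.51.100.20": "10.0.0.20"}
    for finding in audit(NODES, "control-room", configured):
        print(finding)
```

Only nodes behind the client's own firewall get a substitution; a remote SCADA Node keeps its public address so that its dedicated firewall's NAT performs the redirection.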

See 8.7.5 Address Mapping for Firewalls and mixed Private & Public Users for more information on Address Mapping by editing the bwclient.ini file on the SCADA and Project Nodes.

See 8.7.3 Routers, Proxy Servers, Port Mapping and NAT for more information about configuring your firewall.