1.6.1.1  TCP Ports and Firewalls

A firewall restricts the flow of data onto a network; it is a method of network security. Many corporations use firewalls.

If your connection is through a firewall, you will need to have your network administrator open two additional TCP ports for you to use the DRAW or VIEW features in WebAccess. These are in addition to Port 80, the HTTP port, which must also be opened (or a third port assigned for HTTP). You should be able to configure tags in the Project Manager without having additional TCP ports opened for you (the Project Manager uses HTTP). This only applies if you are connecting through the firewall. If all your WebAccess Clients and SCADA nodes are inside the firewall, you can ignore this.

The TCP Ports used by the Project Node and SCADA Node are set during software installation (Setup.exe) and in the Project Manager. Note that 0 means the default port numbers are used (4592 is the default Primary Port for file transfer and 14592 is the default Secondary Port for real-time data).

WebAccess automatically configures Windows Firewall to allow the WebAccess Kernel (datacore.exe), the WebAccess Network Service (webvrpcs.exe), and the HTTP Service (port 80) to accept incoming network connections when WebAccess Node is installed. These ports must remain unblocked in order for WebAccess to work properly.

 

Note - Windows XP Professional comes with a Firewall.

XP Service Pack 1 comes with "Internet Connection Firewall" (ICS). You may be using it and not even know it. XP users should disable the firewall or configure two ports for WebAccess.

XP Service Pack 2 comes with "Windows Firewall". The WebAccess Network Service (Webvrpcs.exe) automatically configures “Windows Firewall” in XP Service Pack 2 to allow Webvrpcs and Datacore to pass on the SCADA Node. Webvrpcs on the Project Node also automatically configures “Windows Firewall” to allow Webvrpcs, Datacore and IIS (Internet Information Services) to pass, including the Web Server (IIS) and Internet Mail Server (SMTP) protocols. No user action is required during installation or later to modify the “Windows Firewall”.

No other application should be using these port numbers. WebAccess will not start if another application is using either the Primary or the Secondary port assigned to WebAccess (webvrpcs.exe will fail to start), and the WebAccess icon will fail to appear in the taskbar of the Project and SCADA Nodes.
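The following pre-flight check is an added example, not part of WebAccess or its documentation. It assumes Python 3 is available; the function names are hypothetical, and the only values taken from this page are ports 80, 4592 and 14592 and the rule that 0 means the default. Run without arguments on a node before WebAccess is started to find a port conflict, or with a node address on a client to see which required ports pass the firewall.

```python
import socket
import sys

# Defaults stated on this page; a configured value of 0 means "use the default".
DEFAULT_PRIMARY = 4592     # Primary Port: file transfer
DEFAULT_SECONDARY = 14592  # Secondary Port: real-time data


def effective_ports(primary=0, secondary=0):
    """Resolve configured values (0 = default) to the ports actually used."""
    return (primary or DEFAULT_PRIMARY, secondary or DEFAULT_SECONDARY)


def port_in_use(port, host="0.0.0.0"):
    """Run on the node: True if the port cannot be bound (another listener
    holds it, or the OS refuses the bind), so webvrpcs could not take it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return True
    return False


def reachable(host, port, timeout=3.0):
    """Run on the client: True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_node(host, primary=0, secondary=0, http=80):
    """Client-side view through the firewall of the three required ports."""
    p, s = effective_ports(primary, secondary)
    ports = {"http": http, "primary": p, "secondary": s}
    return {name: (port, reachable(host, port)) for name, port in ports.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:   # client side: pass the node address as argument
        for name, (port, ok) in check_node(sys.argv[1]).items():
            print(f"{name:9} tcp/{port:<5} {'open' if ok else 'BLOCKED or closed'}")
    else:                   # node side, run before WebAccess is started
        for port in effective_ports():
            print(f"tcp/{port}: {'IN USE' if port_in_use(port) else 'free'}")
```

A port reported as blocked from the client but free or listening on the node points at the firewall rather than at WebAccess.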

To change TCP Ports used by a Project Node through a firewall (HTTP Port and Primary TCP Port), go to the Home page in the Project Manager. This affects all projects on this Project Node. The user must also either edit the bwserver.ini file or reinstall WebAccess software and specify the new TCP ports. Finally, the user must stop and restart either WebAccess Network Service (webvrpcs) via the Windows Task Manager or restart the computer. The appropriate Windows service must also be modified (e.g. www service and SMTP service) for the new port numbers.

To change TCP Ports used by a SCADA Node through a firewall (Primary TCP Port), go to the Home page in the Project Manager, then select Update for the desired Project. To change the SMTP Port or POP3 email port, go to SCADA Node Properties and modify SMTP Port and/or Email Port. The user must also either edit the bwserver.ini file or reinstall WebAccess software and specify the new TCP ports. Finally, the user must stop and restart either WebAccess Network Service (webvrpcs) via the Windows Task Manager or restart the computer. The SMTP service, if used or modified, must also be modified for the new port number.

Warning - In a multiple SCADA node system, if each SCADA node requires its own firewall protection, a router with NAT is preferable. Stateful Inspection of most firewalls can interfere with the constant communication between SCADA nodes. A firewall appliance is preferable to firewall software installed on the SCADA node. Some firewall software (e.g. Visnetics) interferes with the communications between SCADA nodes.

See Also 8.7 TCP Ports.