8.7.2   Firewalls

A firewall is highly recommended if your WebAccess Project and SCADA nodes are exposed to the Internet (i.e. you are using Public IP Addresses). This will increase the security of your system.

A firewall appliance is preferable to firewall software installed on the SCADA or Project Node. A firewall appliance (like a Netgear FR114P) can be purchased for under $100 and is more secure than firewall software. Firewall software can interfere with the RPC service in Windows 2000 and XP.

A firewall restricts the flow of data onto a network; it is a method of network security, and many corporations use one. In WebAccess, the firewall is used to restrict View Clients from communicating with the SCADA node and from downloading files from the Project Node to the SCADA node.

If your connection is through a firewall, you will need to have your network administrator open two TCP ports for you to use the DRAW or VIEW features in WebAccess. WebAccess needs two TCP ports, one to download files and another to exchange live data. You will need these TCP ports to install software on each SCADA node. You will also have to inform View Clients outside the firewall of these two TCP ports for them to access your SCADA nodes.

If you are using a firewall (or multiple firewalls) and Public IP Address, then you will have to use Address Mapping to allow both Private Network users and Internet users to connect to the Clients, Project and SCADA Nodes behind the firewall.


Firewall with access to SCADA Nodes using Public IP Address - use Address Mapping on Nodes and Private Clients

If you are using a dedicated firewall for a Project node and a Public IP Address, then you must use Address Mapping to allow the Project Node to connect to itself via a private address and to allow users to connect via the Public IP Address.

Firewall for Project Node requires Address Mapping  -  optionally use Address Mapping on SCADA Nodes

If you are using a dedicated firewall for each SCADA Node, you don't need to use Address Mapping if you use ViewDAQ on the SCADA node.  If you want to use a web browser to view itself, then you will need to use Address Mapping.

See 8.7.5 Address Mapping for Firewalls and mixed Private & Public Users for more information on Address Mapping by editing the bwclient.ini file on the SCADA and Project Nodes.
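The two TCP ports above must be reachable on every address a client will use, including both the private and the public address of a node that relies on Address Mapping. The following script is an added example, not part of the WebAccess manual or software, that probes each address/port pair and lists the ones a firewall is still blocking; the port numbers and addresses in `main()` are constructed placeholders, since this page names the ports only by role.

```python
import socket


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True when a full TCP connection to host:port completes.

    A firewall that drops or rejects the connection yields False; a
    listener that is up but never accepts still counts as reachable,
    because the handshake itself completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_webaccess_firewall(addresses, ports, timeout=2.0):
    """Probe the two WebAccess ports on every address a client may use.

    addresses: the node's addresses to test, e.g. its private address and
               the Public IP Address that Address Mapping exposes.
    ports:     {role: port_number}, where the roles are the two ports the
               page describes: 'http_port' (file download for DRAW/VIEW)
               and 'primary_tcp_port' (live data exchange).
    Returns (results, problems): results is {address: {role: reachable}},
    problems is one message per address/port pair that is blocked."""
    results, problems = {}, []
    for addr in addresses:
        results[addr] = {}
        for role, port in ports.items():
            reachable = tcp_port_open(addr, port, timeout)
            results[addr][role] = reachable
            if not reachable:
                problems.append(f"{addr}:{port} ({role}) is not reachable; "
                                "ask the firewall administrator to open it")
    return results, problems


def main():
    # Constructed sample values: replace with the node's real private and
    # public addresses and the ports configured in bwserver.ini.
    addresses = ["192.0.2.10", "198.51.100.10"]   # private, public (placeholders)
    ports = {"http_port": 80, "primary_tcp_port": 4000}  # placeholder numbers
    results, problems = check_webaccess_firewall(addresses, ports, timeout=1.0)
    for addr, per_role in results.items():
        print(addr, per_role)
    for line in problems:
        print("BLOCKED:", line)


if __name__ == "__main__":
    main()
```

Run it once from inside the private network and once from a View Client outside the firewall; any `BLOCKED` line is a port the administrator still has to open or map.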

Note - Windows XP Professional comes with a Firewall.

XP Service Pack 1 comes with "Internet Connection Firewall" (ICF). You may be using it without knowing it. XP users should either disable the firewall or configure the two ports for WebAccess.

XP Service Pack 2 comes with "Windows Firewall". The WebAccess Network Service (Webvrpcs.exe) automatically configures "Windows Firewall" in XP Service Pack 2 to allow Webvrpcs and Datacore to pass on the SCADA Node. Webvrpcs on the Project Node also automatically configures "Windows Firewall" to allow Webvrpcs, Datacore and IIS (Internet Information Services) to pass, including the Web Server (IIS) and Internet Mail Server (SMTP) protocols. No user action is required during installation or later to modify "Windows Firewall".

To change the TCP Ports used by a Project Node through a firewall (HTTP Port and Primary TCP Port), go to the Home page in the Project Manager. This affects all projects on this Project Node. The user must also either edit the bwserver.ini file or reinstall the WebAccess software and specify the new TCP ports. Finally, the user must either stop and restart the WebAccess Network Service (webvrpcs) via the Windows Task Manager or restart the computer. The appropriate Windows service (e.g. the WWW service and SMTP service) must also be modified for the new port numbers.

To change the TCP Port used by a SCADA Node through a firewall (Primary TCP Port), go to the Home page in the Project Manager, then select Update for the desired Project. To change the SMTP Port or POP3 email port, go to SCADA Node Properties and modify SMTP Port and/or Email Port. The user must also either edit the bwserver.ini file or reinstall the WebAccess software and specify the new TCP ports. Finally, the user must either stop and restart the WebAccess Network Service (webvrpcs) via the Windows Task Manager or restart the computer. The SMTP service, if used or modified, must also be updated for the new port number.