8.7.3.2    Port Mapping Example

The WebAccess Project Node and SCADA Node can be mapped to a "Port" on a Router or other Proxy Server.  This allows the Project Node and SCADA Node(s) to be given Private IP addresses.  Users from the outside connect to the public IP address of the router with the Port number appended to it.  The format is http://ipaddress:port.

For example, if the port number is 6722 for the Project Node (web server), and the router's IP Address is 67.94.27.227, users would type http://67.94.27.227:6722

Users are directed to the WebAccess Project Node/SCADA Node and are precluded from accessing any other private IP addresses on the network.

 

Router - To successfully use NAT to make a Project Node and SCADA Node with private IP Addresses viewable through a Router, use the Router's Public IP Address during configuration of the Project Property and Node Property in WebAccess Project Manager.  Although the SCADA and Project Nodes have private IP Addresses, the WebAccess Configuration uses the Public IP Address of the router (without the HTTP port number). If using an HTTP Port other than 80, this must be configured in WebAccess and IIS. Users inside the router will also use the Public IP Address (with port number). This requires a modern Router that re-directs the traffic (from inside and outside) to the Private IP.

Firewall - Alternatively, if using a firewall, which usually does not allow private IP users to address computers on their network using the Public IP, the trick is to use an Address Mapping in the BWClient.ini file for Clients, SCADA Nodes and Project Node on the local LAN. name.

Alternatively, the HOST file on Private IP users (i.e. inside the firewall) can have that HOST name mapped to the private IP addresses for the Project and SCADA Nodes.  The Public users (outside the firewall) must use a HOST file mapped to the Public IP of the firewall. Or use a DMZ. This may increase the security of your system by requiring the HOST file be distributed to all authorized users, but does require significant coordination.

Three (3) TCP ports are required. Typically port 80 is already open; this is the port for HTTP (web and ASP pages). WebAccess needs two additional ports for file transfer (Primary port, default 4592) and real-time data (Secondary Port, default 14592).

WebAccess downloads a "deploy file" which describes the two additional TCP ports used by Web Access Project and SCADA Nodes to the Clients.  The deploy file contains the IP Address of the Router (in place of the IP Address of the SCADA Node and Project Node). It also contains the Port Numbers used for HTTP, Primary and Secondary Ports.

Example Deploy file (Private IP mapped to Router)

Clients in the following example connect using http://67.94.27.227:6722. The following deploy file is downloaded to the Client:

[location]
ip=67.94.27.227
port=4592
timeout=0
dir=.\config
porthttp=6722

[nodeinfo]
SCADANode1=67.94.27.227

[port]
SCADANode1=4592

[timeout]
SCADANode1=0

[port2]
SCADANode1=14592

[nodelist]
node1=SCADANode1

In the above example, the HTTP port is changed to 6722 in both WebAccess Project Manager and IIS.  During Project Node / SCADA Node installation (or by editing the bwserver.ini) and in WebAccess Project Manager, the Primary Port is 4592 and the Secondary Port is 14592.  Note that the Private IP addresses of the SCADA and Project Nodes do not appear; instead, the Public IP address of the Router (67.94.27.227) appears as if it is the address of the SCADA and Project Nodes.

If the Project Node and SCADA Node are the SAME computer, 3 ports must be mapped to the Project / SCADA Node.  If the Project Node were separate from the SCADA node, 4 ports would be needed.  Each additional SCADA node would require an additional port (assuming they all share the same primary and secondary ports).
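As an added example (not part of the WebAccess documentation or software), the Python sketch below parses a deploy file like the one above, lists the distinct address:port pairs that clients will connect to (and that the router therefore has to map), and flags any private address left in the file. The function names are hypothetical and the embedded file is a copy of the example above.

```python
import configparser
import ipaddress

# Copy of the example deploy file above, embedded so the check runs offline.
DEPLOY = r"""[location]
ip=67.94.27.227
port=4592
timeout=0
dir=.\config
porthttp=6722
[nodeinfo]
SCADANode1=67.94.27.227
[port]
SCADANode1=4592
[timeout]
SCADANode1=0
[port2]
SCADANode1=14592
[nodelist]
node1=SCADANode1
"""

def parse_deploy(text):
    cp = configparser.ConfigParser(interpolation=None)  # values are literal
    cp.read_string(text)
    return cp

def exposed_endpoints(cp):
    """Distinct (address, tcp_port) pairs a client is told to connect to."""
    loc = cp["location"]
    # HTTP port and Primary port of the Project Node
    eps = {(loc["ip"], int(loc[k])) for k in ("porthttp", "port")}
    for node in cp["nodelist"].values():
        addr = cp["nodeinfo"][node]
        eps.add((addr, int(cp["port"][node])))   # Primary port (SCADA Node)
        eps.add((addr, int(cp["port2"][node])))  # Secondary port (SCADA Node)
    return sorted(eps)

def is_private(addr):
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False  # a host name (HOST file setup), not an IP literal

def leaked_private(cp):
    # A private address here is unreachable from outside the router.
    return sorted({a for a, _ in exposed_endpoints(cp) if is_private(a)})

if __name__ == "__main__":
    cp = parse_deploy(DEPLOY)
    print(exposed_endpoints(cp), leaked_private(cp))
```

For the example file this yields three endpoints on 67.94.27.227, matching the three ports required when the Project Node and SCADA Node are the same computer.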

Default Ports

Port 80 is the default HTTP Port used for the ASP page (the web page).

Port 4592 is the default WebAccess Primary Port used for File Downloads (e.g. graphics, symbols, etc). 

Port 14592 is the default WebAccess Secondary Port used for real-time data (e.g. setpoints, measurements, status, Trends).

Port mapping is a way to reduce the number of public IP addresses assigned.  Many WebAccess Nodes can use a single public IP address, each with its own private IP address and a port mapped to that private IP address.

Network Address Translation (NAT) is a method of connecting multiple computers to the Internet (or any other IP network) using one IP address. This allows home users and small businesses to connect their network to the Internet cheaply and efficiently.

The impetus towards increasing use of Port Mapping and NAT comes from a number of factors:

· Security needs
· Shortage of IP addresses
· Ease and flexibility of network administration

Dynamic Port Mapping in NAT automatically provides firewall-style protection without any special set-up. That is because it only allows connections that are originated on the inside network. This means, for example, that an internal client can connect to an outside Project Node / Web server, but an outside client will not be able to connect to an internal Project Node / Web server because it would have to originate the connection, and NAT will not allow that.

Static Port Mapping in NAT makes it possible to make some internal Project Nodes / Web Servers and SCADA Nodes available to the outside world via inbound mapping, which maps specified TCP ports to specific internal addresses, thus making services such as the Web or TCP/IP available in a controlled way.

WebAccess uses Active Server Pages (.ASP) to communicate with an Access database for engineering and configuration (typically via TCP Port 80).  Real-time Data and Animated Graphics are supplied to client Web Browsers using an ActiveX "plug-in" to Internet Explorer 6.0 (the default ports are 4592 and 14592, respectively).

The outside clients will use the Proxy Server's IP Address with the third port number appended to it. Clients will type in the IP Address of the Proxy Server followed by the 3rd Port.  If the third (HTTP) TCP Port is 6722 and the IP address of the Proxy Server is 64.55.156.4, then Internet Clients must enter as the address

 http://64.55.156.4:6722

Both "Internal Users" and External Users must refer to the public IP Address. Most modern routers and firewalls support this.

Note - An alternative is to use a Host Name and a Host File instead of IP Addresses.  The Internal Users' Host File would refer to the private IP and the External Users' Host File would refer to the Public IP. The Project Node and SCADA Node would also use the Host File, and Project Manager would be configured to use the Host Name. Users would type: http://COMPUTERNAME

WebAccess is compatible with Router Port Mapping using NAT on Microsoft networks, where the HTTP Port is changed in IIS (to 4593 in the example) and the Router/Proxy Server maps Port 4593 to the Project Node's private ipaddress:port 4593 (the changed web server port in IIS).

Any port numbers can be used. The 4593 is just an example; 4592 and 14592 are just the defaults used by non-HTTP services in WebAccess. Both IIS (Internet Information Server) and WebAccess can be configured to use any port numbers.

Note - TCP Ports 4569-4599 are unassigned and 14150-14935 are unassigned. (Source http://www.iana.org/assignments/port-numbers)

 

No other application should be using these port numbers.  WebAccess will not start if another application is using either the Primary or the Secondary ports assigned to WebAccess (the webvrpcs.exe will fail to start) and the WebAccess icon will fail to appear in the taskbar of the Project and SCADA Nodes.

To change TCP Ports used by a Project Node through a firewall (HTTP Port and Primary TCP Port), go to the Home page in the Project Manager. This affects all projects on this Project Node. The user must also either edit the bwserver.ini file or reinstall WebAccess software and specify the new TCP ports. Finally, the user must stop and restart either WebAccess Network Service (webvrpcs) via the Windows Task Manager or restart the computer. The appropriate Windows service must also be modified (e.g. www service and SMTP service) for the new port numbers.

To change TCP Ports used by a SCADA Node through a firewall (Primary TCP Port), go to the Home page in the Project Manager, then select Update for the desired Project. To change the SMTP Port or POP3 email port, go to SCADA Node Properties and modify SMTP Port and/or Email Port. The user must also either edit the bwserver.ini file or reinstall WebAccess software and specify the new TCP ports. Finally, the user must stop and restart either WebAccess Network Service (webvrpcs) via the Windows Task Manager or restart the computer. The SMTP service, if used or modified, must also be modified for the new port number.

See Also 8.7 TCP Ports.