1.6.1.3 TCP Ports and Firewalls

A Firewall restricts the flow of data onto a network; it is a method of network security. Many corporations use firewalls.

If your connection is through a firewall, you will need to have your network administrator open two TCP ports for you to use the DRAW or VIEW features in WebAccess. You should be able to use the Configuration Manager without having TCP ports opened for you. This only applies if you are connecting through the firewall. If all your WebAccess Clients and SCADA nodes are inside the firewall, you can ignore this.

The TCP Ports used by the Project Node and SCADA Node are set during software installation (NodeSetup.exe). Note that 0 means the default port numbers are used (4592 and 14592).

You must re-install the software (or edit the INI file) to change the TCP ports used by the Project Node and SCADA Node. In Project Manager, you must specify the TCP Ports used during software installation under node properties.

Windows Firewall

Note - Windows XP, Vista and Server 2003 come with Windows Firewall. You may be using it without knowing it.

WebAccess will configure the Windows Firewall in Vista, XP and 2003 on the Project and SCADA nodes to allow communications.

Note - WebAccess is not compatible with the old Internet Connection Firewall (ICS) used in XP before Service Pack 2.

Address Mapping for Firewalls and mixed Private & Public IP Addresses

If you are using a dedicated firewall for the Project Node and SCADA Nodes or are using a Firewall with access from Public IP addresses and Private IP Addresses, you should use this feature to modify the BwClient.ini file on your Project Node and SCADA Nodes.

This will allow the Project Node and SCADA node to access itself using a Private IP Address and allow external users to access the Project Node and SCADA Nodes via Public IP Address.

Most Firewalls do not allow a Computer in a Private Intranet to access itself or other computers on the Private Intranet using Public IP Address mapped to the Private IP Address.  If the Project Node or SCADA Node uses a dedicated firewall, the Project Node will not be able to connect to itself using its Public IP Address.

If there are Clients on the same Private Network as the Project and SCADA nodes, and Public Clients (i.e. external to the private network), and you are using a Firewall, then the Private Network clients will not be able to access the Project Node or SCADA nodes using the Public IP Address. Also, the Project and SCADA nodes cannot access each other on the same Private network using Public IP Addresses.

The solution is to use the Public IP Address (and ports) in the WebAccess Project Manager to allow Public Users to access the Project and SCADA Nodes.  Then modify the bwclient.ini file on the SCADA nodes and Project Node behind the Firewall.

If you have a modern router, you don't need to do Address Mapping, since the router will essentially redirect a Public IP Address back to the Private IP Address. Address Mapping may still help improve speed of response by reducing reliance on the router to redirect Private IP addresses back to the private network.

To MAP IP Addresses:

1. On each SCADA Node and Project Node behind a Firewall, edit the bwclient.ini file with Notepad.exe or another text editor.

drive:\Webaccess\node\bwclient.ini

Typically it is at:

C:\Webaccess\node\bwclient.ini 

2. Create a section named [mapping]

3. Enter the Public IP Address and Port and the Private Address and Port of the SCADA Node(s) or Project Node behind the same firewall (i.e. on the same private network).

You can use a Network Name (the Microsoft NetBIOS Name).

If using a dedicated Firewall for each SCADA Node or Project Node, you can use the private IP address, localhost or even 127.0.0.1. The format is:

[mapping]
64.55.156.4:0=192.168.0.175:0

Where the address listed in Project Manager (and deploy file) is on the left, and will be replaced by the address on the right (usually a private IP address).

4. Save the bwclient.ini file to drive:\WebAccess\Node. Optionally copy it to the Project node or other SCADA nodes. Optionally copy it to drive:\WebAccess\Client (for use by the local web browser).

Note - even though it says bwclient.ini, when copied to drive:\Webaccess\Node, it is used by the SCADA and Project Node software for acting like a client to itself!

5. Stop webvrpcs.exe in Task Manager on the SCADA Nodes and Project node.

6. Restart webvrpcs.exe. Start -> Programs -> Startup -> WebAccess Network Service.

Example bwclient.ini file for Client, SCADA or Project Node connecting with network addresses using Private IP Address (i.e. behind a firewall on an Intranet) and with other clients and/or SCADA nodes (who do not use this file) connecting via Public IP Address.

C:\Webaccess\node\bwclient.ini

[viewer]
bitmap=mspaint.exe
bitmap_width=
bitmap_height=
text=notepad.exe
actlog=notepad.exe
almlog=notepad.exe

[mapping]
64.55.156.4:0=192.168.0.175:0
64.55.156.4:4592=192.168.0.175:4592
64.55.156.4:14592=192.168.0.175:14592
64.55.156.4:80=192.168.0.175:80

 

About Private IP Addresses

Note that 192.168.0.175 in the above example is a private IP address, also known as a Reserved Address.

The "blackhole" Servers, "blackhole-1.iana.org" and "blackhole-2.iana.org", are an obscure part of the Internet infrastructure.  Specifically, these servers are part of the Domain Name System (DNS), and respond to inverse queries to addresses in the  reserved RFC 1918 address ranges:

        10.0.0.0 - 10.255.255.255

        172.16.0.0 - 172.31.255.255

        192.168.0.0 - 192.168.255.255

These addresses are reserved for use on private intranets, and should never appear on the public internet. The 192.168.0.0 addresses are especially common, being frequently used in small office or home networking products like routers, gateways, or firewalls.
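As an added example (not part of the WebAccess documentation or software), the Python sketch below audits the [mapping] section built in the address-mapping steps above and flags entries whose right-hand address is neither in the private ranges listed here nor loopback. The function names and the sample entries are assumptions constructed for illustration.

```python
import configparser
import ipaddress

# RFC 1918 ranges listed on this page, plus loopback (allowed for a node
# behind its own dedicated firewall).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample; the last two entries are deliberately wrong.
SAMPLE = """\
[mapping]
64.55.156.4:0=192.168.0.175:0
64.55.156.4:4592=localhost:4592
64.55.156.4:14592=203.0.113.9:14592
64.55.156.4:80=192.168.0.175:http
"""

def split_endpoint(text):
    """Split 'host:port'; port is None when missing or out of range."""
    host, sep, port = text.strip().rpartition(":")
    if not sep or not host or not port.isdecimal() or int(port) > 65535:
        return text.strip(), None
    return host, int(port)

def classify_target(host):
    """Return 'internal', 'public' or 'name' for a right-hand-side host."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "name"  # network name or 'localhost': check resolution by hand
    return "internal" if any(addr in n for n in INTERNAL_NETS) else "public"

def audit_mapping(ini_text):
    """Return (entry, problem) pairs for the [mapping] section."""
    # '=' must be the only delimiter: the default also splits on ':'.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep keys exactly as written
    cp.read_string(ini_text)
    findings = []
    for left, right in (cp.items("mapping") if cp.has_section("mapping") else []):
        entry = f"{left}={right}"
        (_, lport), (rhost, rport) = split_endpoint(left), split_endpoint(right)
        if lport is None or rport is None:
            findings.append((entry, "malformed host:port"))
        elif classify_target(rhost) == "public":
            findings.append((entry, "target is not private or loopback"))
    return findings
```

Call audit_mapping() with the text of bwclient.ini before restarting webvrpcs.exe; an empty list means every entry parsed and no right-hand IP address falls outside the private and loopback ranges.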