1.6.1.4 Routers, Proxy Servers, Port Mapping and NAT

The WebAccess Project Node and SCADA Node can be mapped to a "Port" on a Router or other Proxy Server. This allows the Project Node and SCADA Node(s) to be given private IP addresses. Users from the outside connect to the public IP address of the router with the port number appended to it. The format is http://ipaddress:port. If the port number is 8000, an example is http://66.106.164.174:8000. Users are directed to the WebAccess Project Node/SCADA Node, and access to any other private IP addresses on the network is precluded.

WebAccess downloads a "deploy file" to the Clients, which describes the two TCP ports used by the WebAccess Project and SCADA Nodes.

If the Project Node and SCADA Node are the SAME computer, 3 ports must be mapped to the Project / SCADA Node. If the Project Node is separate from the SCADA Node, 4 ports would be needed. Each additional SCADA Node would require an additional 2 ports.

Port 80 is the default port used for the ASP page (the web page). Port 4592 is the WebAccess Primary Port, used for file downloads (e.g. graphics, symbols, etc.). Port 14592 is the WebAccess Secondary Port, used for real-time data (e.g. setpoints, measurements, status, trends).

Port mapping is a way to reduce the number of public IP addresses assigned. Many WebAccess Nodes can use a single public IP address, each with its own private IP address and a port mapped to that private IP address.

Network Address Translation (NAT) is a method of connecting multiple computers to the Internet (or any other IP network) using one IP address. This allows home users and small businesses to connect their network to the Internet cheaply and efficiently.

The impetus towards increasing use of Port Mapping and NAT comes from a number of factors:

Dynamic Port Mapping in NAT automatically provides firewall-style protection without any special set-up. That is because it only allows connections that are originated on the inside network. This means, for example, that an internal client can connect to an outside Project Node / Web server, but an outside client will not be able to connect to an internal Project Node / Web server because it would have to originate the connection, and NAT will not allow that.

Static Port Mapping in NAT makes it possible to make some internal Project Nodes / Web Servers and SCADA Nodes available to the outside world via inbound mapping, which maps specified TCP ports to specific internal addresses, thus making services such as the Web or TCP/IP available in a controlled way.
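The port-count rule and the static (inbound) mapping described above can be checked against a router's forwarding table. The following is an added example, not part of the WebAccess documentation or product: the function names, the tuple layout and the private addresses are assumptions constructed for illustration, and the count for several SCADA Nodes applies the "additional 2 ports" rule to both the shared-host and separate-host cases.

```python
from collections import Counter

def required_ports(project_ip, scada_ips):
    """Port count per the text: 3 if Project and SCADA Node share a computer,
    4 if separate, plus 2 for each additional SCADA Node."""
    scada = set(scada_ips)
    base = 3 if project_ip in scada else 4
    return base + 2 * (max(len(scada), 1) - 1)

def audit_forwards(forwards, project_ip, scada_ips):
    """forwards: list of (public_port, private_ip, private_port) static mappings.
    Returns a list of findings; an empty list means the table matches the rule."""
    nodes = {project_ip, *scada_ips}
    findings = []
    # A public port can only be forwarded to one internal destination.
    for pub, count in Counter(f[0] for f in forwards).items():
        if count > 1:
            findings.append(f"public port {pub} is mapped {count} times")
    # Inbound mappings should reach WebAccess nodes only, no other private host.
    for pub, ip, port in forwards:
        if ip not in nodes:
            findings.append(f"public port {pub} exposes non-WebAccess host {ip}:{port}")
    # Compare the number of distinct node ports mapped with the required count.
    mapped = {(ip, port) for _, ip, port in forwards if ip in nodes}
    need = required_ports(project_ip, scada_ips)
    if len(mapped) != need:
        findings.append(f"{len(mapped)} node ports mapped, {need} required")
    return findings

# Constructed sample: Project Node and SCADA Node on the same computer.
NODE = "192.168.1.10"
GOOD = [(3333, NODE, 80), (4592, NODE, 4592), (14592, NODE, 14592)]
# Constructed sample: secondary port missing, and an unrelated host exposed.
BAD = [(3333, NODE, 80), (4592, NODE, 4592), (8080, "192.168.1.50", 8080)]

if __name__ == "__main__":
    print(audit_forwards(GOOD, NODE, [NODE]))
    for finding in audit_forwards(BAD, NODE, [NODE]):
        print(finding)
```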

WebAccess uses Active Server Pages (.ASP) to communicate with an Access database for engineering and configuration (typically via TCP Port 80).  Real-time Data and Animated Graphics are supplied to client Web Browsers using an ActiveX "plug-in" to Internet Explorer 6.0 or 7.0 (the default ports are 4592 and 14592, respectively).

The outside clients will use the Proxy Server's IP Address with the third port number appended to it. Clients will type in the IP Address of the Proxy Server : 3rd Port. If the third TCP Port is 3333 and the IP address of the Proxy Server is 66.106.164.175, then Internet Clients must enter the following address:

 http://66.106.164.175:3333

Any port numbers can be used. The 3333 is just an example; 4592 and 14592 are just defaults. Both IIS (Internet Information Server) and WebAccess can be configured to use any port numbers. of the above discussions involve securing your WebAccess SCADA system from outside users. There may also be issues raised by IT departments regarding the security of the "Client" computers that view the data from WebAccess.

See Also 1.6.1.3 TCP Ports and Firewalls for a discussion of the BWCLIENT.INI file and Address Mapping.