Firewalls and security
- Last Updated Jul 21, 2025
DCOM relies on dynamically assigned TCP ports. When an OPC client connects to an OPC server, it first connects to port 135 (the RPC port mapper), which assigns one TCP port and one UDP port to the component; all further communication between client and server is directed to those ports. Because these ports are not known in advance, it is difficult to configure DCOM to work through a conventional firewall.
Third-party vendors offer products that address these limitations. OPC tunnelers use a specialized OPC client that mirrors data to a specialized OPC server through an encrypted channel. OPC-aware firewalls enable secure communication with OPC servers with minimal configuration.
If third-party solutions are not desirable, secure OPC through configuration as follows:
- If the OPC server vendor supports it, install PI Interface for OPC DA on the machine running the OPC server. The local COM connection permits you to disregard firewall issues between client and server.
- If a separate interface node is required, locate the interface on the OPC server’s subnet. It is much easier to open a single firewall exception to port 5450 on the Data Archive server than to configure DCOM to work through a conventional firewall.
- Configure DCOM permissions on a “least privilege” basis, by including only specific service accounts in DCOM ACLs. See DCOM Security and Configuration for more information.
- Use the built-in Windows firewall that is included in the Windows version you are using.
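As an added example (not part of this page or of the PI Interface for OPC DA documentation), the following PowerShell creates the single port 5450 exception from the second bullet on the Data Archive server using the built-in Windows firewall, scoped to the interface node's address only, and then checks that no other enabled rule opens that port to any remote address. The interface node address 10.0.10.25 and the rule name are placeholders.

```powershell
# Added example, not AVEVA's code. Run on the Data Archive server as an administrator.
# Placeholders: the interface node address and the rule name are assumptions.
$InterfaceNode = '10.0.10.25'   # placeholder: address of the PI Interface for OPC DA node
$RuleName      = 'PI Data Archive TCP 5450 from OPC interface node'

# Create the rule only if it does not already exist, so re-running does not duplicate it.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow -Profile Domain `
        -Protocol TCP -LocalPort 5450 `
        -RemoteAddress $InterfaceNode | Out-Null
}

# Verify the rule is as narrow as intended: one local port, one remote address.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$port = $rule | Get-NetFirewallPortFilter
$addr = $rule | Get-NetFirewallAddressFilter
if ($port.LocalPort -ne '5450' -or $addr.RemoteAddress -ne $InterfaceNode) {
    throw "Rule '$RuleName' is broader than expected: port $($port.LocalPort), remote $($addr.RemoteAddress)"
}

# Audit: warn about any other enabled inbound rule that exposes TCP 5450 to every address.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.DisplayName -ne $RuleName } |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '5450' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
    ForEach-Object { Write-Warning "Rule '$($_.DisplayName)' opens TCP 5450 to any remote address" }
```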