Firewalls and PI AF security

Customers are often required to isolate the process control part of their network from the rest of their network. They might also configure a buffer zone, or demilitarized zone (DMZ), to install servers and software that needs to transfer data between the process control network and the local area network. The DMZ is usually isolated between firewalls.

There are three server components in an AVEVA™ PI System™:

• Data Archive

• PI AF server

• Microsoft SQL Server that hosts the PI AF SQL Server database.

While these components could be installed on a single computer, this section assumes that each component is installed on a separate computer in order to illustrate the complexity of connectivity and security configuration. In addition to this being a more interesting topology to discuss, it also distributes the processor load across several computers, which can increase system performance.

For up-to-date information on firewall ports, see the Knowledge Base article: Which firewall ports should be opened for PI AF Server?.

Note: Opening ports in your firewall can leave your server exposed to malicious attacks. Make sure that you understand firewall systems before you open ports. For more information, see the Microsoft article Security considerations for a SQL Server installation.