
PI System Connector

Firewall configuration

  • Last Updated: Feb 27, 2023

You must properly configure firewalls to support the connector.

Remote administration

The connector process hosts a web service for connector administration. To access the connector administration pages from a remote host, all firewalls between the remote host (running a compatible browser) and the connector host must allow the browser to open a connection to the administration port that is assigned to the connector during installation. For example, if Windows firewall is enabled on the connector host, Windows firewall needs to allow incoming connections to the connector administration port from remote hosts that are permitted to administer the connector.

Access to the connector's web page can be restricted to the local host alone, in which case the firewall does not have to open the listening port to remote machines. Administering the connector with PI Data Collection Manager requires no listening ports on the connector at all, which is a more secure way to administer the connector remotely: the connector initiates the connection to PI Data Collection Manager. That connection is required for users to perform administrative tasks, such as configuring which relay to send data to and which data to select.

PI Connector to PI Data Collection Manager Security

Communication between the connector and PI Data Collection Manager occurs using Advanced Message Queuing Protocol (AMQP) over TCP on port 5672. This port is not configurable. The channel communication is secured by self-signed certificates that are created during installation. These same certificates are also used for authentication. If any firewalls are in the network route from the connector to PI Data Collection Manager, all firewalls must be configured to permit the connector to open connections to TCP port 5672 on the PI Data Collection Manager host.

Note: The firewalls can be physical network devices or the Windows firewall on the PI Data Collection Manager or connector hosts.

When a registration request is submitted from a connector to PI Data Collection Manager, the connector initiates a security handshake outbound to the PI Data Collection Manager administration port. (The administration port is selected during installation of PI Data Collection Manager; the default port is 5460.) During the security handshake, the connector and PI Data Collection Manager exchange certificates to use for authenticating and encrypting communication. The security handshake will complete and communication between the connector and PI Data Collection Manager will occur only if the administrator approves the registration request in PI Data Collection Manager. Once the request is approved, the connector can be administered using PI Data Collection Manager. Communication between the connector and PI Data Collection Manager will now occur exclusively using AMQP over port 5672.

Note: The administration port (default 5460) on PI Data Collection Manager must remain open to the connector machine during the security handshake. After the security handshake is complete, the PI Data Collection Manager administration port can be closed to the connector. However, the 5672 communication port (AMQP), outbound from the connector to PI Data Collection Manager, must remain open between the connector and PI Data Collection Manager to allow them to communicate with each other.

PI Connector to PI Connector Relay security

Communication between a connector and PI Connector Relay occurs using Advanced Message Queuing Protocol (AMQP) over TCP on port 5671. This port is not configurable. The channel is secured by self-signed certificates that are created during installation. The same certificates are also used for authentication. If any firewalls are in the network route from the connector to the relay, all firewalls must be configured to permit the connector to open connections to TCP port 5671 on the relay host.

Note: The firewalls can be physical network devices or the Windows firewall on relay or connector hosts.

When data flow from the connector to the relay is configured, PI Data Collection Manager initiates a security handshake between the connector and the relay. During the security handshake, the connector and relay exchange the certificates used for authenticating and encrypting data communication: PI Data Collection Manager passes a certificate between the connector and the relay, and the relay then returns the certificate. Secure data communication between the connector and relay then occurs using AMQP over port 5671.
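The following is an added example, not part of the PI System Connector documentation, showing how the port requirements from the three sections above translate into Windows Firewall rules, grouped by the host on which each rule is created. All IP addresses, the connector administration port and the rule names are assumed placeholders; the fixed ports (5672, 5671) and the default PI Data Collection Manager administration port (5460) are the values stated in this topic.

```powershell
# Added example, not from the PI System Connector documentation. Windows Firewall
# rules (NetSecurity module) for the ports this topic lists. All IP addresses
# and the connector administration port below are assumed placeholders.

$DcmIP              = "10.0.1.20"                  # assumed: PI Data Collection Manager host
$RelayIP            = "10.0.1.30"                  # assumed: PI Connector Relay host
$ConnectorIP        = "10.0.2.15"                  # assumed: connector host
$ConnectorAdminPort = 8443                         # assumed: port chosen at connector install
$AdminStations      = @("10.0.5.10", "10.0.5.11")  # assumed: hosts allowed to administer

# ---- On the connector host ------------------------------------------------
# Outbound AMQP to PI Data Collection Manager (TCP 5672) and to the relay
# (TCP 5671). Both ports are fixed. Needed only when outbound filtering is on.
New-NetFirewallRule -DisplayName "PI Connector to DCM (AMQP 5672)" `
    -Direction Outbound -Protocol TCP -RemotePort 5672 -RemoteAddress $DcmIP -Action Allow
New-NetFirewallRule -DisplayName "PI Connector to Relay (AMQP 5671)" `
    -Direction Outbound -Protocol TCP -RemotePort 5671 -RemoteAddress $RelayIP -Action Allow

# Inbound administration web page, limited to named admin stations. Omit this
# rule entirely when the connector is administered through PI Data Collection
# Manager only, since that path needs no listening port on the connector.
New-NetFirewallRule -DisplayName "PI Connector admin page (remote admins)" `
    -Direction Inbound -Protocol TCP -LocalPort $ConnectorAdminPort `
    -RemoteAddress $AdminStations -Action Allow

# ---- On the PI Data Collection Manager host -------------------------------
# Inbound AMQP from the connector (permanent) and the administration port
# (default 5460), which is needed only during the registration handshake.
New-NetFirewallRule -DisplayName "DCM AMQP 5672 from connector" `
    -Direction Inbound -Protocol TCP -LocalPort 5672 -RemoteAddress $ConnectorIP -Action Allow
New-NetFirewallRule -DisplayName "DCM admin 5460 from connector (handshake)" `
    -Direction Inbound -Protocol TCP -LocalPort 5460 -RemoteAddress $ConnectorIP -Action Allow

# Once the registration request has been approved, close the handshake path again.
Disable-NetFirewallRule -DisplayName "DCM admin 5460 from connector (handshake)"

# ---- On the PI Connector Relay host ---------------------------------------
New-NetFirewallRule -DisplayName "Relay AMQP 5671 from connector" `
    -Direction Inbound -Protocol TCP -LocalPort 5671 -RemoteAddress $ConnectorIP -Action Allow

# ---- Verification from the connector host ---------------------------------
# TcpTestSucceeded is $true only if every firewall on the route lets the
# connector open the connection, which is exactly what this topic requires.
foreach ($t in @(@{Host = $DcmIP; Port = 5672}, @{Host = $RelayIP; Port = 5671})) {
    $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    "{0}:{1} reachable = {2}" -f $t.Host, $t.Port, $r.TcpTestSucceeded
}
```

Run each section on the host named in its comment; the verification loop is meant to be run from the connector host after the rules on the remote hosts are in place.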
