
AVEVA™ Plant SCADA

Firewall Settings and Plant SCADA

  • Last Updated: Feb 06, 2024

Plant SCADA networking and redundancy require Runtime to communicate through Windows Firewall. This means your Windows Firewall settings need to be adjusted so that Plant SCADA and its components are included in the list of authorized programs.

The Plant SCADA installer can automatically adjust the required settings for you. If Windows Firewall is operational on a computer when installation occurs, the installer will display a Firewall page. To allow Plant SCADA to adjust these settings for you, select "Yes, please modify Windows Firewall settings".

This will create Inbound Rules for each of the following components.

| Name | Program | Local Port |
|---|---|---|
| Citect SCADA Runtime (x64) | C:\Program Files (x86)\AVEVA Plant SCADA\Bin\Bin (x64)\Citect.exe | All ports |
| Plant SCADA Runtime | C:\Program Files (x86)\AVEVA Plant SCADA\Bin\Citect32.exe | All ports |
| Configurator | C:\Program Files (x86)\Common Files\ArchestrA\configurator.exe | All ports |
| Configurator 443 | All programs | 443 |
| Configurator 80 | All programs | 80 |
| LicenseServerPort | All programs | 55555 |
| LicenseServerAgentPort | All programs | 59200 |

Note: Microsoft Windows® distinguishes between Public, Home and Work networks. Each network has its own firewall profile. The Plant SCADA installer will automatically modify the Windows Firewall settings for the active network profile during installation. If you plan to change your network settings, you will need to manually modify the firewall settings for each profile within Windows.

If during installation you select "No, I will modify Windows Firewall settings later", you will need to manually configure an Inbound Rule for each of the components listed above. You should confirm whether a rule already exists, as Inbound Rules are also created under the following circumstances:

  • Inbound Rules for the License Server ports are created when installation of License Server occurs.

  • Inbound Rules for Configurator will be created when a System Management Server is selected within Configurator.

  • Inbound Rules are created for Runtime when it is launched.

    Note: If you postpone modifying the Windows Firewall settings during installation, when you launch Runtime for the first time a Windows Security Alert dialog will appear. When this occurs, click the Allow access button. The Inbound Rules for Plant SCADA Runtime will be updated and runtime will be launched.

If required, you can also manually modify the Inbound Rules created by Plant SCADA. For example, if the default "All ports" setting that is applied to Citect SCADA Runtime does not comply with your security requirements, you can manually set the Local Port property to a specific port.

You should also check that the required ports are correctly configured.

Inbound Rule settings

Inbound Rules are configured using Windows Firewall Advanced Settings (refer to Microsoft Windows documentation for further information about configuring Inbound Rules).

For each Inbound Rule, you need to configure the following properties:

General Properties

  • Name – see table above.

  • Enabled – Yes.

  • Action – Allow the connection.

Programs and Services Properties

  • Programs – see table above.

Advanced Properties

  • Profile – for Plant SCADA Runtime select Domain. For Configurator and License Server components select Domain, Private and Public.

Protocols and Ports Properties

  • Protocol Type – TCP (or UDP where required).

  • Local Port – see table above.

  • Remote Port – All Ports.
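
One way to check existing rules against the properties listed above, as an added example that is not AVEVA's own tooling: the PowerShell below looks up each rule from the table by name and reports its profile, protocol, local port and program, flagging rules that are missing, disabled, or open on all ports. It assumes each rule's display name in Windows Firewall matches the Name column of the table exactly.

```powershell
# Added example, not AVEVA code. Run in an elevated PowerShell session.
# Assumption: rule DisplayName values match the "Name" column of the table above.
$documented = [ordered]@{
    'Citect SCADA Runtime (x64)' = 'Any'    # "All ports" in the table
    'Plant SCADA Runtime'        = 'Any'
    'Configurator'               = 'Any'
    'Configurator 443'           = '443'
    'Configurator 80'            = '80'
    'LicenseServerPort'          = '55555'
    'LicenseServerAgentPort'     = '59200'
}

$report = foreach ($name in $documented.Keys) {
    # A name can match more than one rule (for example one per protocol).
    $rules = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' })
    if (-not $rules) {
        [pscustomobject]@{ Name = $name; Profile = ''; Protocol = ''; LocalPort = ''
                           Program = ''; Findings = 'MISSING: no inbound rule with this name' }
        continue
    }
    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        $localPort = @($port.LocalPort) -join ','
        $findings = @()
        if ("$($rule.Enabled)" -ne 'True')  { $findings += 'rule is disabled' }
        if ("$($rule.Action)"  -ne 'Allow') { $findings += "action is $($rule.Action)" }
        if ($localPort -ne $documented[$name]) {
            $findings += "local port differs from documented '$($documented[$name])'"
        }
        if ($localPort -eq 'Any') { $findings += 'all local ports open; restrict if policy requires' }
        [pscustomobject]@{
            Name      = $name
            Profile   = "$($rule.Profile)"
            Protocol  = $port.Protocol
            LocalPort = $localPort
            Program   = $app.Program
            Findings  = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}
$report | Format-Table -AutoSize -Wrap
```

A rule whose Local Port has been deliberately narrowed will be reported as differing from the documented default; compare the Profile column against the Advanced Properties guidance above.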

Ports

You should confirm that the following ports are open (if they are required).

| Port | Description |
|---|---|
| 80 | The default HTTP port used for web port sharing. |
| 443 | The default HTTPS port used for web port sharing. |
| 808 | Net.TCP Port Sharing Service. This is used by an Industrial Graphics Server or OPC UA Server. |
| 1900 | SSDP port for announcing the System Management Server. |
| 2073 | If a client acts as CTAPI server then port 2073 has to be added to the inbound rules. |
| 2088 | Time synchronization port. This service is not enabled by default. |
| 3073 | CTAPI (encrypted connections). |
| 48031 | The default for an OPC UA Server's Endpoint Connection setting. |

On computers running a server process, you also need to open the server ports as inbound rules. See Server Processes.

Note: If the alarm server is not functional, or the hardware alarm "No server could be found" is raised for a report server, trend server, I/O server or alarm server, you should check the firewall settings to see if communication between runtime and the network is blocked.
