Dcom security and Configuration
Download 311.88 Kb. View original pdf
|
- Navigate this page:
- Connectivity of OPC server and client •Required accounts •Virtual service accounts •Security configuration for PI Interface for OPC DA
| Prerequisites • Configuring operating system settings • Configure DCOM settings for the OPC client node • Configure DCOM settings for the OPC server node • Authentication Prerequisites To configure DCOM, you must log into the computer with an account that has local administrator privileges. DCOM configuration depends on how the OPC server and OPC client are deployed: Same computer Even though OPC client and server programs running on the same computer do not use DCOM (Distributed COM) to communicate, COM security is still in play. The default settings should allow the interface to work. If instantiation/communication problems are encountered between the interface and OPC Server in this mode, review/configure the COM permissions. COM permissions are configured using the DCOMCNFG utility, as described in this guide. Different computers, same Windows domain Grant DCOM permissions to domain accounts. Different computers, no common Windows domain Grant DCOM permissions to identical local accounts on both the server and client computers. • Connectivity of OPC server and client • Required accounts • Virtual service accounts • Security configuration for PI Interface for OPC DA • Set permissions for directories that contain OPC executables Parent topic: DCOM configurations for OPC Connectivity of OPC server and client Page 7 ©2022 AVEVA Group plc and its subsidiaries. All rights reserved. DCOM Security and Configuration DCOM configurations for OPC If the OPC server and OPC client reside on different computers, check connectivity before configuring your OPC server and OPC client computers for DCOM: • Verify that the server and client can connect to each other on the network and that port 135 is open (use telnet If port 135 is not open, check for issues related to a firewall or other network restrictions After that initial connection, the Service Control Manager will inform the client what port should be used for further communication. The chosen port could be any port within the ephemeral port range XP/Win2K3: 1024-4999 • Vista and later 49152-65535 • You should also open a range of ports above port 5000. Port numbers below 5000 may already be in use by other applications and could cause conflicts with your DCOM applications. Furthermore, previous experience shows that a minimum of 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other Note: OPC operations use asynchronous callbacks. During callbacks, the OPC client becomes a DCOM server, and the OPC server becomes a DCOM client. When a server makes a callback to a client, it creates anew connection to the client and sends method calls over a separate TCP channel. The same dynamic port allocation, as described above, takes place in the OPC client side. This dynamic port allocation, in this ephemeral port range, makes DCOM a "firewall unfriendly" protocol. For more information, seethe OSIsoft Knowledge Base topic Configuring ports for DCOM for use with the OPC Interface. NAT and Firewall considerations. Download 311.88 Kb. Share with your friends:
|