Issue
Interstation links between UNC and Enterprise Server are not functioning.
Product Line
TAC IA Series
Environment
- Windows 7
- Windows Vista
- Windows XP
- Niagara R2
Cause
Windows Firewall is enabled by default on desktop operating systems from Windows XP SP2 onward. It must be configured to allow unsolicited inbound connections, such as alarms and interstation links from UNCs, to reach the Enterprise Server.
Resolution
WINDOWS FIREWALL OVERVIEW
Windows Firewall is a stateful packet filter by default. Every inbound TCP packet is discarded unless it belongs to a connection the local system initiated, or it is destined for a port (or program) for which an exception has been created. In other words, unless an exception is created or Windows Firewall is disabled, a valid message such as an alarm or an interstation link from a UNC is blocked by Windows Firewall and never reaches the Enterprise Server.
Windows Firewall allows for exceptions to be created for particular ports and from particular ranges of IP addresses. For example, one could create a rule that accepts unsolicited packets on port 25, but only from the range of addresses from 192.168.0.1 through 192.168.0.254.
There are two kinds of exceptions: program exceptions and port exceptions.
- A program exception instructs Windows Firewall to open whatever ports a given program needs for unsolicited inbound communication. This is the preferred method, since the ports are open only while that program is running and listening for connections; they close again when the program exits.
- A port exception, in contrast, makes Windows Firewall behave like a port-filtering router: any inbound traffic to the specified port is allowed, solicited or not, regardless of which program (if any) is listening on it.
Creating a Program Exception
Windows XP
- Open Windows Firewall from the Control Panel and, on the Exceptions tab, click "Add Program..."
- Click the Browse button.
- Navigate to the C:\Niagara\Version\Nre\Bin folder (where Version is the installed Niagara R2 version folder), select the file "nre.exe" and click Open to add it to the list of programs.
- To specify which TCP/IP devices may connect, click Change Scope and select one of the following:
  - To allow connections from any device, including those on the Internet, select "Any computer (including those on the Internet)", and then click OK. (This is the default and least secure option.)
  - To allow connections from your local subnet only, select "My network (subnet) only", and then click OK. (This is more secure than the previous option, but still allows an attack from any PC on the same subnet.)
  - To define a custom list, select "Custom list", and then type the UNC IP addresses separated by commas. (This is the most secure option.)
- Click OK. The program appears, selected, on the Exceptions tab under Programs and Services.
- Click OK to finish.
Windows 7
- Open Windows Firewall from the Control Panel, then select Advanced Settings.
- Right-click Inbound Rules and select New Rule.
- Select Program and click Next.
- Click the Browse button.
- Navigate to the C:\Niagara\Version\Nre\Bin folder (where Version is the installed Niagara R2 version folder), select the file "nre.exe" and click Open to add it to the list of programs.
- Click Next.
- Select "Allow the connection" and click Next.
- Select the network profiles that the rule applies to and click Next:
Domain
The domain profile applies to a network when a domain controller is detected for the domain to which the local computer is joined. If you select this box, then the rule applies to network traffic passing through a network adapter connected to this network.
Private
The private profile applies to a network when it is marked private by the computer administrator and it is not a domain network. Newly detected networks are not marked private by default. A network should be marked private only when there is some kind of security device, such as a network address translator or perimeter firewall, between the computer and the Internet. The private profile settings should be more restrictive than the domain profile settings.
Public
The public profile applies to a network when the computer is connected directly to a public network, such as one available in airports and coffee shops. The public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be as tightly controlled as it is in an IT environment.
- Name the rule and click Finish. To limit which UNCs may connect, right-click the new rule, choose Properties, and on the Scope tab restrict Remote IP address to the UNC addresses, as in the Windows XP procedure; otherwise the rule accepts connections from any address.
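The same program exception can be created from an elevated command prompt with netsh, which is useful when many Enterprise Servers have to be configured identically. The script below is an added example, not code from the original article or from the Niagara product. It assumes the path to nre.exe (replace Version with the installed version folder) and uses constructed UNC addresses as the "Custom list" scope; adjust both for your site. Windows XP SP2/SP3 uses the legacy "netsh firewall" context, Windows Vista/7 the "netsh advfirewall" context, so the script picks the syntax by OS version.

```powershell
# Added example (not from the original article or the Niagara product): create the nre.exe
# program exception from an elevated prompt, scoped to the UNC addresses.
param(
    # Assumed install path: replace Version with the installed Niagara R2 version folder.
    [string]$NreExe = 'C:\Niagara\Version\Nre\Bin\nre.exe',
    # Constructed sample UNC addresses; list the real UNCs that link to this Enterprise Server.
    [string[]]$UncAddresses = @('192.168.0.10', '192.168.0.11'),
    [string]$RuleName = 'Niagara NRE'
)

if (-not (Test-Path -LiteralPath $NreExe)) {
    throw "nre.exe not found at $NreExe; check the Niagara version folder"
}
$scope = $UncAddresses -join ','
$legacy = [Environment]::OSVersion.Version.Major -lt 6   # NT 5.x = Windows XP / 2003

if ($legacy) {
    # Windows XP: 'netsh firewall' allowedprogram, scope=CUSTOM is the "Custom list" option.
    $netshArgs = @('firewall', 'add', 'allowedprogram', "program=$NreExe", "name=$RuleName",
                   'mode=ENABLE', 'scope=CUSTOM', "addresses=$scope")
} else {
    # Windows Vista/7: an inbound allow rule keyed on the program path; remoteip= is the Scope tab.
    # Public is left out so the exception is inactive on untrusted networks.
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=$RuleName", 'dir=in',
                   'action=allow', "program=$NreExe", 'enable=yes', 'profile=domain,private',
                   "remoteip=$scope")
}
# Passing an argument array keeps each name=value pair as one argument, so the commas in the
# address list are not split by PowerShell into separate arguments.
& netsh $netshArgs
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

# Show what was actually created so the scope can be confirmed before the UNC links are tested.
if ($legacy) {
    netsh firewall show allowedprogram
} else {
    netsh advfirewall firewall show rule name="$RuleName" verbose
}
```

Run it from an elevated PowerShell session (PowerShell 2.0 on Windows 7 is sufficient). The verification step at the end is the important one: check that the RemoteIP line lists only the UNC addresses rather than "Any".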
Creating a Port Exception
Windows XP
- Open Windows Firewall from the Control Panel and, on the Exceptions tab, click "Add Port..."
- In the Port number field type 80.
- Select TCP.
- Type a short name for the port.
- To specify which TCP/IP devices may connect, click Change Scope and select one of the following:
  - To allow connections from any device, including those on the Internet, select "Any computer (including those on the Internet)", and then click OK. (This is the default and least secure option.)
  - To allow connections from your local subnet only, select "My network (subnet) only", and then click OK. (This is more secure than the previous option, but still allows an attack from any PC on the same subnet.)
  - To define a custom list, select "Custom list", and then type the UNC IP addresses separated by commas. (This is the most secure option.)
- Click OK twice. The port appears, selected, on the Exceptions tab under Programs and Services.
- Repeat the procedure to add an exception for TCP port 3011.
- Click OK to finish.
Windows 7
- Open Windows Firewall from the Control Panel, then select Advanced Settings.
- Select Inbound Rules. (A port exception is an inbound rule. Connection Security Rules are IPsec authentication rules and do not open any port, so a rule created there will not let UNC traffic in.)
- From the right-side menu, select "New Rule".
- On the Rule Type screen select Port, then click Next.
- Select TCP, select "Specific local ports", enter 80, 3011 and click Next. The screen capture shows the configuration for the I/A Series (Niagara) R2 required ports.
- Select "Allow the connection" and click Next.
- On the "When does this rule apply?" screen, click Next, leaving all three profiles checked (clear Public if the server is never connected to a public network).
- Name the rule "Niagara 80, 3011 TCP" and click Finish.
- Repeat the steps above, selecting UDP instead of TCP. All other entries are the same except that the rule name ends in UDP instead of TCP.
- After completing the UDP rule, both rules are displayed in the center section of the program window under Inbound Rules. You should see the following two rules:
- By default both rules accept connections from any remote address. To restrict them to the UNCs, right-click each rule, choose Properties, and on the Scope tab set Remote IP address to the UNC addresses, as in the Windows XP procedure.
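Creating the port rules with netsh makes the scope explicit and scriptable, and the same netsh output can be used to audit the server afterwards for any inbound allow rule still open to every remote address (the wizard's default). The script below is an added example, not code from the original article or from the Niagara product. It assumes Windows Vista/7 ("netsh advfirewall"), an English-language build (the audit parses the English field names and the value "Any"), and constructed UNC addresses; on Windows XP the equivalent is "netsh firewall add portopening" with scope=CUSTOM and the audit does not apply.

```powershell
# Added example (not from the original article or the Niagara product): open TCP and UDP 80/3011
# inbound, scoped to the UNC addresses, then list inbound allow rules whose remote scope is Any.
param(
    # Constructed sample UNC addresses; list the real UNCs that link to this Enterprise Server.
    [string[]]$UncAddresses = @('192.168.0.10', '192.168.0.11'),
    [string]$Ports = '80,3011'
)

function Add-NiagaraPortRule {
    param([string]$Protocol)   # 'TCP' or 'UDP'
    # Equivalent of the Port rule wizard: protocol, specific local ports, allow, Domain+Private.
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule',
        "name=Niagara $Ports $Protocol", 'dir=in', 'action=allow',
        "protocol=$Protocol", "localport=$Ports",
        "remoteip=$($UncAddresses -join ',')", 'profile=domain,private', 'enable=yes')
    & netsh $netshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed creating the $Protocol rule (exit $LASTEXITCODE)" }
}

function Get-AnyScopedInboundAllowRules {
    # Parse 'netsh advfirewall firewall show rule name=all': one "Key: Value" line per field and a
    # blank line between rules (English output assumed). Return enabled inbound allow rules whose
    # RemoteIP is Any, i.e. rules with the wizard's default, least secure scope.
    $rules = @()
    $fields = @{}
    foreach ($line in (netsh advfirewall firewall show rule name=all)) {
        if ($line -match '^(?<key>[A-Za-z][^:]*):\s*(?<value>.*)$') {
            $fields[$matches['key'].Trim()] = $matches['value'].Trim()
        } elseif ($line.Trim() -eq '' -and $fields.Count -gt 0) {
            $rules += New-Object PSObject -Property $fields
            $fields = @{}
        }
    }
    if ($fields.Count -gt 0) { $rules += New-Object PSObject -Property $fields }
    $rules | Where-Object {
        $_.Direction -eq 'In' -and $_.Action -eq 'Allow' -and
        $_.Enabled -eq 'Yes' -and $_.RemoteIP -eq 'Any'
    }
}

Add-NiagaraPortRule -Protocol 'TCP'
Add-NiagaraPortRule -Protocol 'UDP'

# Every rule listed here accepts unsolicited traffic from any address; if one of the Niagara rules
# appears, its Scope tab (or the remoteip= argument) was not applied.
Get-AnyScopedInboundAllowRules |
    Select-Object 'Rule Name', Profiles, Protocol, LocalPort, RemoteIP |
    Format-Table -AutoSize
```

The audit is worth running on its own after any manual change in the wizard: the two Niagara rules should not appear in its output once their scope is set, and any unrelated rule that does appear deserves the same review.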