Welcome to the new Schneider Electric Community

It's your place to connect with experts and peers, get continuous support, and share knowledge.

  • Explore the new navigation for even easier access to your community.
  • Bookmark and use our new, easy-to-remember address (community.se.com).
  • Get ready for more content and an improved experience.

Contact SchneiderCommunity.Support@se.com if you have any questions.

Close
Invite a Co-worker
Send a co-worker an invite to the Exchange portal.Just enter their email address and we’ll connect them to register. After joining, they will belong to the same company.
Send Invite Cancel
84549members
353812posts

[Imported] Is there a good reason that there is not a default TCP port 5481 firewall rule when you install?

EcoStruxure Geo SCADA Expert Forum

Find out how SCADA systems and networks, like EcoStruxure Geo SCADA Expert, help industrial organizations maintaining efficiency, processing data for smarter decision making with IoT, RTU and PLC devices.

Solved
sbeadle
Janeway Janeway
Janeway
0 Likes
1
488

[Imported] Is there a good reason that there is not a default TCP port 5481 firewall rule when you install?

>>Message imported from previous forum - Category:ClearSCADA Software<<
User: geoffpatton, originally posted: 2019-02-11 18:54:44 Id:365
I run into this every once in awhile where a customer's IT is using the Windows firewall and we have to add a rule for TCP port 5481 so that the Clients can access the Server. It always seems to be a situation where you have to request IT to add it, since they don't allow anyone to edit Firewall rules. It is a request per computer too, quite annoying.

I know you can change the port the server uses from the default, but there are other rules that are created during install, and those ports can also be changed.


Accepted Solutions
sbeadle
Janeway Janeway
Janeway
0 Likes
0
487

Re: [Imported] Is there a good reason that there is not a default TCP port 5481 firewall rule when you install?

>>Responses imported from previous forum


Reply From User: adamwoodland, posted: 2019-02-11 21:49:20
The installer adds a rule to the host firewall for the DBServer process to cover all the TCP ports it uses, not a specific one just for 5481, so it doesn't matter which port you change it to it should work. Check for a rule called "ClearSCADA Database Server".

Also, if you don't have the ability to modify the host firewall, good chance the ClearSCADA installer can't either. With Group Policy you can set it so that only rules that come in via Group Policy are valid, this means you can on the machine add whatever you like and they'll just be ignored.


Reply From User: geoffpatton, posted: 2019-02-11 22:33:56
Adam,
That is an inbound rule. I set an outbound rule for ViewX Clients to connect to the Server. I probably should set the outbound rule for the ViewX program on all ports, however in this instance they are on 2013 still and will be upgrading to a 2017 version. ViewX has a different executable name in 2017, so having used the port means not having to get the rule changed.
As far as rights to the firewall during installation. Somehow they did get that because the inbound rules were there. I was not there for the installation, just got the call after they tried a bit to get it to work.

I actually have not heard back yet if they got IT to apply it. This is not a common problem I have just encountered it a few times. It takes some time before I try to see if that is the problem because it is usually something else.


Reply From User: adamwoodland, posted: 2019-02-12 03:42:39
Ah, by default the Windows host firewall allows anything outbound, so the administrators are modifying the firewall logic so a rule for ViewX and many others would likely be necessary.

The ViewX rename is certainly a problem though on upgrade, I've certainly been bitten with that with firewalls and whitelisting.

 


Reply From User: geoffpatton, posted: 2019-02-12 14:06:34
Lucky me to get a few fringe cases that IT blocks outbound stuff. This customer is probably paranoid. They got hit by that fake ransomware that encrypted everything with no decrypt possible if they even found the actual culprit.

See Answer In Context

1 Reply 1
sbeadle
Janeway Janeway
Janeway
0 Likes
0
488

Re: [Imported] Is there a good reason that there is not a default TCP port 5481 firewall rule when you install?

>>Responses imported from previous forum


Reply From User: adamwoodland, posted: 2019-02-11 21:49:20
The installer adds a rule to the host firewall for the DBServer process to cover all the TCP ports it uses, not a specific one just for 5481, so it doesn't matter which port you change it to it should work. Check for a rule called "ClearSCADA Database Server".

Also, if you don't have the ability to modify the host firewall, good chance the ClearSCADA installer can't either. With Group Policy you can set it so that only rules that come in via Group Policy are valid, this means you can on the machine add whatever you like and they'll just be ignored.


Reply From User: geoffpatton, posted: 2019-02-11 22:33:56
Adam,
That is an inbound rule. I set an outbound rule for ViewX Clients to connect to the Server. I probably should set the outbound rule for the ViewX program on all ports, however in this instance they are on 2013 still and will be upgrading to a 2017 version. ViewX has a different executable name in 2017, so having used the port means not having to get the rule changed.
As far as rights to the firewall during installation. Somehow they did get that because the inbound rules were there. I was not there for the installation, just got the call after they tried a bit to get it to work.

I actually have not heard back yet if they got IT to apply it. This is not a common problem I have just encountered it a few times. It takes some time before I try to see if that is the problem because it is usually something else.


Reply From User: adamwoodland, posted: 2019-02-12 03:42:39
Ah, by default the Windows host firewall allows anything outbound, so the administrators are modifying the firewall logic so a rule for ViewX and many others would likely be necessary.

The ViewX rename is certainly a problem though on upgrade, I've certainly been bitten with that with firewalls and whitelisting.

 


Reply From User: geoffpatton, posted: 2019-02-12 14:06:34
Lucky me to get a few fringe cases that IT blocks outbound stuff. This customer is probably paranoid. They got hit by that fake ransomware that encrypted everything with no decrypt possible if they even found the actual culprit.