Firewall Configuration to Allow Client - Server Comms

📖 Home  Back  
To allow clients to connect to ClearSCADA through a firewall (regardless of type), you need to configure the firewall so that it allows connections to be made between clients and the server.

For information on the ports used by the other components of your ClearSCADA system, including Telnet clients, see here.  

Non WebX Client Applications

For all non web client applications, a connection to a server is established like this:

• The client application makes a connection to the server by creating a connection to the server's incoming port (by default, this is port 5481). Any firewall between the client and the server must have a rule that allows this connection to be made.

• The server accepts the connection from the client on its incoming port (by default, 5481). The client application uses this connection to send requests to the server, and the server uses the connection to send back responses to the client.

• The server now creates a second connection back to the client. The second connection is called a server advise. The server uses the server advise connection to send unsolicited messages such as alarm updates to the client. There is one server advise for each client application that is connected to the server. (For information on which client applications have a server advise connection, see the Notes below).

Each client machine defines a range of ports for the server advise connections. The size of the range determines the number of client applications that can run at the same time on a particular client. By default, this range is port 5500 to 5509 which allows a maximum of ten client applications per machine. (The port range can be changed by altering the Sockets settings for the client (via the ClearSCADA Client applet, see ClearSCADA Help for more information).

You must create rules in your firewall(s) to allow incoming connections to the server and outgoing connections from the client(s) on TCP port 5481 (default port setting). You must also create rules that allow outgoing connections from the server to TCP ports 5500 to 5509 (default range) and allow incoming connections to the client(s) on TCP ports 5500 to 5509 (default range).

WebX Client Connections

Each ClearSCADA server contains four web servers (any that are not required can be disabled). Each web client can connect to any of the available web servers as required. The four web servers are:

• Secure XML (Port 443 by default)

• Non-Secure XML (Port 80 by default)

• Secure HTML (Port 444 by default)

• Non-Secure HTML (Port 81 by default)

So you must create rules in your firewall(s) that allow incoming connections to the server and outgoing connections from the web clients on the TCP ports that are being used. The TCP ports for the connections are defined in the Web settings in the Server Configuration Tool , see ClearSCADA Help for more information.

New WebX Client Connections (CS 2015 R1 and above)

ClearSCADA 2015 R1 introduces a new WebX interface, delivering enhanced functionality and increased efficiency for web-based operators using Microsoft's IIS. This new interface can be accessed from a HTML5 compliant browser and provides support for viewing of Trends, Alarm Lists, Event Lists, and Queries from a variety of phones, tablets or laptops. Mimics however still required ActiveX and are only supported in Internet Explorer. The default ports for New WebX interface are:

• Secure HTML (Port 453 by default)

• Non-Secure HTML (Port 85 by default)

These ports are configured in IIS not ClearSCADA. Refer to the ClearSCADA Help section "Installation-> Installing ClearSCADA-> Web and Mobile Setup" for more information.

For further information on New WebX client see the help section "ViewX and WebX clients-> WebX Client"

Summary of Port Usage

The table below shows which ports are used by the server, client applications and web clients (by default). The information is categorized under these headings:

• Protocol - Indicates the protocol used by the port (TCP or UDP)

• Port(s) - Shows the port or ports that are used by the server or clients. The table shows the numbers for the default ports (you can configure your system to use different ports)

• Incoming Connection - Indicates the component that receives the connection request

• Outgoing Connection - Indicates the component that attempts to open the connection

Protocol	Port(s)	Incoming Connection	Outgoing Connection	Description
TCP	5481	Server	Clients	The port for client to server communications.This is the port on which the server will listen for inbound connections from clients. So the firewall must allow incoming connections on port 5481 (default setting) to the server. You can configure a different port for client to server connections by using the Global Parameters\Advanced\Server setting in the Server Configuration Tool and the Port setting on the Advanced section of the ClearSCADA Client applet. For more information on the Server Configuration Tool and the ClearSCADA Client applet, see the Server Administration Guide in the online help.
TCP	1025-5000 49152-65535	Server	Clients	This range of ports is used by ClearSCADA drivers to provide the remote browse functionality allowing, for example, ViewX clients to browse the server's Available OPC Server Name list. The port range used will depend on the server's operating system, for example on Windows Server 2003 and earlier, the default range is between 1025 to 5000, but Vista and later the default range is between 49152 and 65535
TCP	5500 - 5509	Clients	Server	The ports for server advise connections (back links from the server to clients). There is one server advise port for each client application. So for a machine running ViewX and an ODBC connection, two ports will be opened in this range.  The clients must allow incoming connections to the clients on these ports (5500-5509 by default). You can configure the server advise connections by using the Sockets settings on the ClearSCADA Client applet.
TCP	80	Server	Web Clients	The port used for the non-secure XML web server (http). You can configure the port for the XML web server by using the System Configuration\Web\Non-Secure\XML setting in the Server Configuration Tool.
TCP	81	Server	Web Clients	The port used for the non-secure HTML web server (http). You can configure the port for the HTML web server by using the System Configuration\Web\Non-Secure\HTML setting in the Server Configuration Tool.
TCP	443	Server	Web Clients	The port used for the secure XML web server (https). You can configure the port for the secure XML web server by using the System Configuration\Web\Secure\XML setting in the Server Configuration Tool.
TCP	444	Server	Web Clients	The port used for the secure HTML web server (https). You can configure the port for the secure HTML web server by using the System Configuration\Web\Secure\HTML setting in the Server Configuration Tool.
TCP	85	Web Server	Web Clients	This port is used for non secure HTML web server connections (http).  You can access this setting from Internet Information Services (IIS)
TCP	453	Web Server	Web Clients	This port is used for secure HTML web server connections (https). You can access this setting from Internet Information Services (IIS)

Notes

ViewX

In this article, we use the term 'client' for any computer that is running any of the following ClearSCADA applications:

• ViewX (uses server advise connections)

• Server Status Tool

• Server Configuration Tool

• ODBC Client, for example, Crystal Reports, Excel

• ScxCmd - Command Line Tool

• OPC Alarm and Event Printer (uses server advise connections)

• OPC DA-HDA Bridge (uses server advise connections)

• External application using the automation interface.

WebX

The term 'web client' is used for any computer that is running one of these web clients to access ClearSCADA :

• Internet Explorer

• External application using SOAP interface

Other

Firewalls that support per program exceptions can be configured to unblock those ClearSCADA programs that require network access.

Windows XP SP2, Windows 2003 Server and Windows Vista automatically configure the firewall settings on your machine when you install ClearSCADA. The firewall settings are only automatically configured locally. Windows XP SP2 and Windows 2003 only support incoming blocks, whereas Windows Vista supports both incoming and outgoing blocks.

Go: Home Back