Monarch Instrument DataChart 6000 User Manual

F O U N D A T I O N

Using OPC via DCOM

with

Microsoft Windows XP Service Pack 2

Karl-Heinz Deiretsbacher, Siemens AG

Jim Luth, ICONICS, Inc.

OPC Foundation Technical Director

Rashesh Mody, Invensys/Wonderware

OPC Foundation Chief Architect

Using OPC via DCOM with
Microsoft Windows XP
Service Pack 2

F O U N D A T I O N

Released

Abstract

The major goal of Windows XP Service Pack 2 is to reduce common available scenarios
for malicious attack on Windows XP. The Service Pack will reduce the effect of most
common attacks in four ways:

1. Improvement in shielding Windows XP from the network
a. RPC and DCOM communication enhancements
b. Enhancements to the internal Windows firewall

2. Enhanced memory protection

3. Safer handling of e-mail

4. Internet Explorer security enhancements.

Most OPC Clients and Servers use DCOM to communicate over a network and thus will
be impacted due to the changes in Service Pack 2. When Service Pack 2 is installed with
its default configuration settings, OPC communication via DCOM will cease to work.
This paper describes the settings necessary to restore OPC communication when using
XP Service Pack 2 (SP2).

SP2 includes many changes and security enhancements, two of which directly impact
OPC via DCOM. First new DCOM limit settings have been added. Secondly the software
firewall included with XP has been greatly enhanced and is turned on by default.

Since the callback mechanism used by OPC essentially turns the OPC Client into a
DCOM Server and the OPC Server into a DCOM Client, the instructions provided here
must be followed on all nodes that contain either OPC Servers or OPC Clients.

Note: OPC communication that is confined to a single machine (using COM, but not
DCOM) will continue to work properly after installing XP SP2 without following the
instructions in this white paper.

Windows Firewall

The Windows Firewall allows traffic across the network interface when initiated locally,
but by default stops any incoming “unsolicited” traffic. However, this firewall is
“exception” based, meaning that the administrator can specify applications and ports that
are exceptions to the rule and can respond to unsolicited requests.

The firewall exceptions can be specified at two main levels, the application level and the
port and protocol level. The application level is where you specify which applications are
able to respond to unsolicited requests and the port and protocol level is where you can
specify the firewall to allow or disallow traffic on a specific port for either TCP or UDP
traffic. To make any OPC client/server application work via DCOM, changes need to be
made on both levels.

© 2004 OPC Foundation, Inc. -1- All Rights Reserved

Using OPC via DCOM with
Microsoft Windows XP
Service Pack 2

F O U N D A T I O N

Released

Note: Developers of OPC Products may want to automatically make the necessary
firewall settings programmatically. Microsoft supplies the Windows Firewall API to
support this:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ics/ics/inetfwauthorizedapplication_name.asp

Configuring the Firewall

1. By default the windows firewall is set to “On”. This setting is recommended by
Microsoft and by OPC to give your machine the highest possible protection. For trouble
shooting, you may wish to temporarily turn off the firewall to prove or disprove that the
firewall configuration is the source of any communication failure.

Note: It may be appropriate to permanently turn off the firewall if the machine is
sufficiently protected behind a corporate firewall. When turned off, the individual
firewall settings outlined here need not be performed to allow OPC communication.

© 2004 OPC Foundation, Inc. -2- All Rights Reserved