Firewall configuration guideline

This topic provides the list of TCP and UDP ports commonly used in a system based on PcVue. It can be used by system administrators to configure:

  • The local firewall of all computer hosts running PcVue
  • Firewalls used to control network perimeters and interconnections

Depending on the context, in particular the regulations in force, the practices and policies in place, it is up to the system administrator to determine the relevant network design and control measures, including network zoning, need for VPN and proxies, and applicable firewall rules. In all cases, ARC Informatique recommends users to segment networks, either physically or logically and take defensive measures to minimize the network exposure of the system.

Proper logging and monitoring of security events must be in place for third-party software and appliances designed to protect the system, including blocked network traffic, configuration changes, failed authentication, updates...

The proper performance of network protection measures must be tested as part of commissioning under the responsibility of the entity in charge of the system.

Refer to Reference architectures for more information related to recommended architectures and network segmentation practices.

The PcVue software never adds, modifies, or removes any firewall rule, either during installation, operation, or removal.

The information in this topic can be used by application designers to document:

  • Useful rules according to the specific project configuration
  • Network flow matrix in a particular system
  • Including the names given to network zones and IP address allocations

This guideline provides the typical firewall rules for the most used features and network flows based on TCP and UDP in PcVue.
These rules are organized and named according to the product features, roles or application-level interfaces involved:

  • Default rules
  • Rules for client-server networking
  • Rules for Data acquisition servers
  • Rules for Data server interfaces
  • Rules for the Web and Mobile server
  • Rules for other product features
  • Rules for other system level dependencies

When configuring the local firewall of a station's host, several rules from a variety of subsets may be applicable depending on the project design and network architecture. For example, rules from the Networking and Data Acquisition Server subsets on a host running PcVue for data acquisition in a client/server architecture. The same applies when configuring a network perimeter firewall. For example, rules from the Networking and Data server subsets.

Each table includes the parameters necessary to configure individual firewall rules:

Column Description
Feature The name of the feature, component or role involved in PcVue
Installed

Indicates how the component managing the interface is installed:

  • Always: The component is always installed
  • Option: The component can be installed optionally
  • Add-on: The component is part of an external Add-on with a dedicated installation procedure
Activated

If installed, indicates:

  • Always: The interface is always active
  • Config: The interface is activated/deactivated depending on the project configuration
Rule type Indicates if it is a rule for the inbound or outbound traffic
Process The process involved – Useful for rules defined for the host firewall
Protocol Transport layer (TCP or UDP), and the Application layer protocol if it is well-known by most firewalls on the market
Local port The local port involved
Remote port The remote port involved

In practice, for every rule, it is recommended to set 2 additional parameters:

  • The Local address: In case of multiple attachments to the network, only the address used by the PcVue process for the corresponding interface should be configured for a particular network flow.
  • The Remote address: Only the list of identified and authorized remote hosts (application or device) for a particular network flow should be configured.

Failing to do so reduces the effectiveness of the firewall as a technical measure to control network flows.

Local and Remote address parameters are always specific to the target system and therefore not documented here. You will find indications about the host where a rule shall be set and what are the typical legitimate remote hosts in the tables or associated notes below.

For some features, the value -local- is indicated as Rule type. These rules correspond to IP-based local inter-process exchanges on the host that need a dedicated port. Non-local traffic on this port must be blocked.

Default ports are indicated in the tables and whether they can be modified by configuration or not.
Configurable ports are marked with a ’*’.

Default rules

This documentation recommends and assumes that all inbound and outbound traffic is disabled by default.

If traffic is not disabled by default, any rule corresponding to a feature that is not used in the project shall be set to blocked on all hosts and at the perimeter. In the same way, if a rule corresponds to a role that is not assumed by a given host, it must be set to block on that host.
The base configuration of firewalls varies, industrial firewalls may already have rules for industrial protocols, Microsoft Windows firewall already have rules for RDP… In all cases, the information in this topic must be adapted to the specific target system and used responsibly by the administrator according to the applicable policy.
In particular, on the first launch of the PcVue application, Microsoft Windows® may automatically add rules allowing all inbound/outbound traffic to/from the sv32.exe process.

Microsoft recommends having the proper firewall rules in place before a user first launches the application.
If you are using the Microsoft Windows firewall, you can refer to this article for more information: https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/best-practices-configuring

Rules for client-server networking

This section details the list of applicable rules for PcVue systems taking advantage of the client/server Networking capabilities to exchange data between stations.

Feature Installed Activated Rule type Process Protocol Local port Remote port
Networking – Client node(1) Always Config outbound sv32.exe TCP any 1981*(3)
Networking – Server node(2) Always Config inbound sv32.exe TCP 1981*(3) any
Networking – RDS Client Always Config - Please refer to Microsoft® documentation -
Networking – RDS Server Always Config - Please refer to Microsoft® documentation -

(1) This rule applies to all the client stations of the project and to all server stations belonging to an association (high-availability), because a passive server requires client connections to active servers.
(2) This rule applies to all server stations of the project, whether they belong to an association or not.
(3) The port number can be modified on a per node basis in the project configuration. Refer to the following topics for more information:

Rules for Data acquisition servers

This section details the list of applicable rules for data acquisition drivers. Only the most common drivers are listed here.
These rules are given for a single remote host (PLC, controller, data source host…). A data acquisition driver may be used to communicate with several remote hosts, rules have to be adjusted according to the system configuration (list of remote addresses, identical or different remote ports…).

Feature Installed Activated Rule type Process Protocol Local port Remote port
Alstom - ESP Gemlan-T Always Config outbound sv32.exe TCP any 2222*
BACnet/IP Client Always Config outbound sv32.exe UDP Config(1) 47808*
inbound sv32.exe UDP 47808* Config(1)
Beckhoff - TwinCAT Always Config outbound sv32.exe TCP any 801
Citilog - Citilog Ip Always Config outbound sv32.exe TCP any 33000*
DDE Client Always Config -local- -NA- -COM- -NA- -NA-
DNP3 Client Always Config outbound sv32.exe TCP any 20000*
inbound sv32.exe TCP 20000* any
EtherNet/IP Add-on Config outbound sv32.exe TCP any 44818
outbound sv32.exe UDP any 2222
inbound sv32.exe UDP 2222 any
GE Fanuc - SRTP Always Config outbound sv32.exe TCP any 18245
Hilsher - netLINK Ip Always Config outbound sv32.exe TCP any 1099
Honeywell - Galaxy SIA Always Config outbound sv32.exe TCP any 10005
inbound sv32.exe TCP 10002* any
IEC 60870-5-101 Master / TCP Profile Always Config outbound sv32.exe TCP any 2404*
IEC 60870-5-101 Master / UDP Profile Always Config outbound sv32.exe UDP any 2404*
inbound sv32.exe UDP 2405*(2) any
IEC 60870-5-104 Client Always Config outbound sv32.exe TCP any 2404*
IEC 61850 Client Always Config outbound sv32.exe TCP any 102*
KNX Add-on Config outbound falcon.exe UDP any 3671*
inbound falcon.exe UDP 3671* any
Legrand-Bticino - OpenWebNet Ip Always Config outbound sv32.exe TCP 1629 20000
LNS Always Config inbound sv32.exe UDP 6001, 6002 1628
-local- sv32.exe TCP any any
LoRa Gateway Add-on Config outbound sv32.exe TCP any 1978*
inbound sv32.exe TCP any any
LS Industrial Systems - XGT Ip Always Config outbound sv32.exe TCP any 1099*
Matsushita - Mewtocol-Com FP7 Ip Always Config outbound sv32.exe TCP any 9600*
Matsushita - Mewtocol-Com Ip Always Config outbound sv32.exe TCP any 50*
Mitsubishi - Melsec Ip Always Config outbound sv32.exe TCP any 3000*
Moxa - Moxa ioLogik Always Config outbound sv32.exe TCP any 9500*
inbound sv32.exe TCP 9900* any
Moxa - Moxa Ip Always Config outbound sv32.exe TCP any 502*
MQTT over TCP Add-on Config outbound sv32.exe TCP any 1883*
inbound sv32.exe TCP 1883* any
MQTT over TLS Add-on Config outbound sv32.exe TCP any 8883*
inbound sv32.exe TCP 8883* any
Mtt - Mtt Rio Always Config outbound sv32.exe TCP any 47001
Omron - FINS Ip Always Config outbound sv32.exe TCP any 9600*
OPC DA Classic(3) Always Config -local- -NA- -COM- -NA- -NA-
OPC UA Client Always Config outbound sv32.exe TCP any 4840/4843*(4)
OPC UA Gateway Client Add-on Config outbound uagateway.exe TCP any 48050*
OPC XML-DA Always Config outbound sv32.exe TCP (HTTP) any 80/443*
PIMA Always Config inbound sv32.exe TCP 10024* any
outbound sv32.exe TCP any 10025*
inbound sv32.exe TCP 10026* any
Saia-Burgess Controls - Ether S-BUS Always Config outbound sv32.exe TCP any 5050*
Saia-Burgess Controls - Saia Ip Always Config outbound sv32.exe TCP any 5050*
Satec PM130 Always Config outbound sv32.exe TCP any 502*
Schneider Electric - Modbus II Ip Always Config outbound sv32.exe TCP any 502*
inbound sv32.exe TCP 502* any
Schneider Electric - Modbus Ip Always Config outbound sv32.exe TCP any 502*
Schneider Electric - Modbus RTU over Ip Always Config outbound sv32.exe TCP any 502*
Siemens - S7 Ip Fetch/Write Always Config outbound sv32.exe TCP any 2000*
outbound sv32.exe TCP any 2001(5)
Siemens - S7 Ip Industrial Ethernet Always Config outbound sv32.exe TCP any 102
SNMP Manager Always Config outbound sv32.exe UDP any 161*
inbound sv32.exe UDP 162* any
Tyco - POSM Ip Always Config outbound sv32.exe TCP any 5000*
Yokogawa - Yokogawa Ip Always Config outbound sv32.exe TCP any 12289

(1) The BACnet configuration comprises the network interface definition. See Configuring a BACnet/IP Network Interface for more information.
(2) When using the UDP profile, distinct listening ports must be configured for each IEC 60870-5-101 device.
(3) In the case of remote OPC server, a suitable DCOM configuration is required. Only the rule between PcVue and the OPC server are described here, additional rules may be necessary between the OPC server and the data source (e.g.: device).
(4) Remote port is defined as part of the server Uri and shall match the configuration of the OPC UA server.
(5) Fetch and Write ports are linked. Write port is equal to Fetch port +1.

Rules for Data server interfaces

This section details the list of applicable rules for features exposing data to third-party applications.

Feature Installed Activated Rule type Process Protocol Local port Remote port
BACnet/IP Server Add-on Config Inbound sv32.exe UDP 47808* any
outbound sv32.exe UDP any 47808*
DDE Server Always Config -local- -NA- -COM- -NA- -NA-
IEC 60870-5-104 Outstation Always Config Inbound sv32.exe TCP 2404* any
ICCP/TASE.2 Add-on Config Inbound sv32.exe TCP 102* any
outbound sv32.exe TCP any 102*
Modbus Ip slave Always Config Inbound sv32.exe TCP 502* any
OCPP Add-on Config Inbound sv32.exe TCP (HTTP) any 80/443*(3)
OPC DA Classic(1) Always Config -local- -NA- -COM- -NA- -NA-
OPC UA Gateway Server Add-on Config Inbound uagateway.exe TCP 48050* any
SNMP Agent(2) Add-on Config Inbound snmp.exe UDP 161 any
outbound snmp.exe UDP any 162

(1) In the case of a remote OPC client, a suitable DCOM configuration is required.
(2) Based on the Microsoft Windows SNMP Agent service. Please refer to the Microsoft Windows documentation.
(3) Remote port is defined as part of the HttpEndpoint Uri and shall match the configuration of the charging station.

Rules for the Web and Mobile server

This section details the list of applicable rules for features used as part of the Web & Mobile extensions. These interfaces are required to deploy any of the following Web & Mobile client:

  • Web Service Toolkit
  • WebVue
  • Web Scheduler
  • Instant Messaging
  • TouchVue & SnapVue mobile apps

These clients require the deployment of a Core back end and may require the Instant Messaging and Geolocation back ends.

Feature Installed Activated Rule type Process Protocol Local port Remote port
Web Server - Web interface(1) Option Always inbound IIS TCP (HTTP) 443 any
Web Server - Back end interface(2) Option(3) Config inbound IIS TCP 8091* any
Option(3) Config outbound IIS TCP any 8090*
Option(4) Config outbound IIS TCP any 8811*
Option(5) Config outbound IIS TCP any 8810*
Core back end(6) Option Config inbound sv32.exe TCP 8090* any
Option Config outbound sv32.exe TCP any 8091*
Instant Messaging back end(6) Option Config inbound sv32.exe TCP 8810* any
Geolocation back end(6) Option Config inbound sv32.exe TCP 8811* any

(1) The port number can be configured with Web Deployment Console that is used to configure IIS bindings. See Web Deployment Console overview for more information.
(2) Only required on the computer hosting the IIS Web Server.
(3) Required for communication with the computer hosting the Core back end.
(4) Required for communication with the computer hosting the Geolocation back end.
(5) Required for communication with the computer hosting the Instant Messaging back end.
(6) Only required on the computer hosting the corresponding Back end, for communication with the IIS Web Server.

Rules for other product features

This section describes rules for additional features that may be used in a system based on PcVue.

Feature Installed Activated Rule type Process Protocol Local port Remote port
Actions - Emails(1) Always Config outbound sv32.exe TCP (SMTP) any 587*
SCADA Basic - FTP Always Config outbound sv32.exe TCP (FTP) any 21*
Map providers Always Config - Please refer to the Map Provider documentation -
Configuration tools Always Always -local- -NA- -COM- -NA- -NA-
Security devices - ONVIF Option Config outbound sv32.exe TCP any 80*
outbound sv32.exe TCP (RTSP) any 554(2)
outbound sv32.exe UDP (RTSP) any 554(2)
Video Control Option Config outbound sv32.exe TCP (RTSP) any 554*(3)
outbound sv32.exe UDP (RTSP) any 554*(3)
Smart Bots manager Option Config outbound sv32.exe TCP any 8810*(4)
Config outbound sv32.exe TCP (SMTP) any 587*

(1) The rule configuration depends on the email server requirements as reflected in the PcVue project configuration. See Configuring an e-mail profile for more information.
(2) RTSP remote port shall match that of the device.
(3) The remote port is defined as part of the HttpEndpoint Uri and shall match that of the device.
(4) The remote port shall match the configuration of the Instant Messaging back end.

Rules for other system level dependencies

These features may be used by PcVue depending on the system architecture and project configuration details. They depend on services provided by the operating system or the infrastructure.

Feature Installed Activated Rule type Process Protocol Local port Remote port
Active Directory Always Config - Please refer to Microsoft® documentation(1) -
Active Directory - LDAPS(2) Always Config outbound sv32.exe TCP any 636
Printers Always Config - Please refer to Microsoft® documentation(3) -
Central Project Management Always Config - Please refer to Microsoft® documentation(4) -
HDS(5) Always Config -local- -NA- -COM- -NA- -NA-
Sv DbConnect - Sql connections(5)(6) Always Config - Please refer to the RDBMS® and ADO.Net providers documentation -
Syslog interface Always Config outbound sv32.exe TCP any 1468*
outbound sv32.exe UDP any 514*

(1) Please refer to https://docs.microsoft.com/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts.
(2) Port used to connect to AD-DS for browsing groups using LDAPS services. See Using Windows Domain user groups for more information.
(3) Please refer to https://docs.microsoft.com/windows-hardware/drivers/print/installing-tcp-ip-printers.
(4) Based on SMB, please refer to https://docs.microsoft.com/troubleshoot/windows-server/networking/direct-hosting-of-smb-over-tcpip.
(5) SQL Server documentation: https://docs.microsoft.com/sql/sql-server/install/configure-the-windows-firewall-to-allow-sql-server-access.
(6) Oracle documentation: https://docs.oracle.com/en/database/oracle/oracle-database/21/dbseg/keeping-your-oracle-database-secure.html.

OPC Classic and firewalls

When using OPC Classic, based on COM, it is quite common to have both the OPC server and the OPC client on the same computer. In such a configuration, the traffic between the server and the clients remains local to the host.
With certain network architectures, it is necessary to have the OPC server and OPC clients on different hosts, which requires configuring Distributed Component Object Model (DCOM). This technology uses Remote Procedure Call (RPC) dynamic port allocation. If you are using PcVue as a remote OPC server, you must change its permissions as you would with any other OPC server (Component Services\Computers\My Computer\DCOM Config). PcVue appears in the DCOM configuration as SV Application.

The following documentation and articles indicate how to enable and configure DCOM communication:

Accordingly, the default inbound ports used are:

  • TCP 135, for the RPC Endpoint Mapper
  • Random port number between TCP 49152 and 65535

These ports are used by all the applications needing DCOM configuration and RPC calls, enabling or disabling them will also have an impact on all these applications.

Useful links

Service overview and network port requirements for Windows:
https://docs.microsoft.com/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements

Best practices for configuring Windows Defender Firewall:
https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/best-practices-configuring

CISA – ICS recommended practices:
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices

ANSSI - Recommendations for the definition of a firewall configuration policy (in French):
https://messervices.cyber.gouv.fr/guides/definition-dune-politique-de-pare-feu