Firewall Configuration to Allow Server-Server Communications

DISCLAIMER

The example below is intended to demonstrate one or more features or methods and is presented as a configuration example only. Schneider Electric assumes no liability for the use or application of this example or any portion thereof.


On a redundant system (Hot-Standby, Triple Standby, with or without Permanent Standby servers) you need to configure the firewall so that it allows connections to be made between the partner servers. Before showing which ports are used in such connections, let's talk about how the "Server to Server" connections are established.

Server to Server connections

For all non-web client applications, a connection to a server is established like this:
  • The current main server makes a connection to the partner server by creating a connection to the partner's incoming port (port 5481 by default, see below). The main server uses this connection to send information to the partner server including, for example, synchronization of data and configuration.
  • Standby servers make connections to the main server by creating a connection to the main server's incoming port (5481 by default, see below). The standby server uses this connection to send requests such as control requests and proxied actions.
  • ClearSCADA servers will check the status of their partner servers by establishing a connection to their standby servers on the partner's incoming port (5481 by default, see below).
  • ClearSCADA servers will check the status of their partner servers' hardware by performing an ICMP poll. This is designed to check for hardware failure of the partner device or intermediate network infrastructure.
Firewalls must be configured to allow ClearSCADA partners to establish connections on the incoming port (5481 by default, see below) and to perform ICMP polling.
Note: As DMZ Permanent Standby Servers are designed not to perform controls or proxied actions on the server, they do not establish links from the DMZ Permanent Standby Server to the main server. They also do not perform ICMP polling of the main server. As such, firewalls must allow traffic on the incoming port (port 5481 by default, see below) and via ICMP from the Main to the DMZ standby, but not the other way around.

Summary of Port Usage

The table below shows which ports are used by the server, client applications and web clients (by default). The information is categorized under these headings:
  • Protocol - Indicates the protocol used by the port (TCP, UDP or ICMP)
  • Port(s) - Shows the port or ports that are used by the server or clients. The table shows the numbers for the default ports (you can configure your system to use different ports)
  • Incoming Connection - Indicates the component that receives the connection request
  • Outgoing Connection - Indicates the component that attempts to open the connection

| Protocol | Port(s) | Incoming Connection | Outgoing Connection | Description |
|----------|---------|---------------------|---------------------|-------------|
| TCP | 5481 by default | Main, Standby and Permanent Standby Server | Partner | Used for sending synchronization data from main to standby, for proxying controls and other actions from standby to main and for checking the status of partner servers. This port number can be configured under the Server Configuration's Global Parameters -> Advanced |
| ICMP | N/A | Main, Standby and Permanent Standby Server | Partner | Used for checking the status of partner server hardware |
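
The rules above can be turned into a flow matrix and checked against what a firewall actually permits. The following is an added example, not Schneider Electric code: the function names, the server addresses and the sample ruleset are constructed for illustration, and it assumes any non-DMZ partner may connect to any other partner because the main role can move between servers.

```python
from itertools import permutations

DEFAULT_PORT = 5481  # default incoming port from the page; configurable per system

def partner_flows(servers, port=DEFAULT_PORT):
    """servers maps name -> (ip, is_dmz_permanent_standby).

    Returns (required, forbidden) sets of (src_ip, dst_ip, proto, dport).
    Assumption: any non-DMZ partner may connect to any other partner,
    because the main role moves between servers on failover.
    """
    required, forbidden = set(), set()
    for (_, (src, src_is_dmz)), (_, (dst, _)) in permutations(servers.items(), 2):
        # DMZ Permanent Standby servers never initiate links or ICMP polls.
        target = forbidden if src_is_dmz else required
        target.add((src, dst, "tcp", port))
        target.add((src, dst, "icmp", None))
    return required, forbidden

def audit(permitted, servers, port=DEFAULT_PORT):
    """Compare flows a firewall permits against the partner flow matrix."""
    required, forbidden = partner_flows(servers, port)
    missing = required - permitted   # breaks sync, proxied actions or status checks
    excess = forbidden & permitted   # lets the DMZ standby initiate inward traffic
    return missing, excess

# Constructed sample topology (addresses are illustrative).
SERVERS = {
    "main": ("10.0.0.10", False),
    "standby": ("10.0.0.11", False),
    "dmz-standby": ("192.0.2.20", True),
}

# Constructed ruleset: everything required, minus one ICMP rule, plus one
# rule from the DMZ standby to the main that the note above says to block.
PERMITTED = partner_flows(SERVERS)[0]
PERMITTED -= {("10.0.0.10", "192.0.2.20", "icmp", None)}
PERMITTED |= {("192.0.2.20", "10.0.0.10", "tcp", DEFAULT_PORT)}

if __name__ == "__main__":
    missing, excess = audit(PERMITTED, SERVERS)
    for flow in missing:
        print("MISSING allow:", flow)
    for flow in excess:
        print("REMOVE allow: ", flow)
```

If the incoming port has been changed under the Server Configuration's Global Parameters, pass that value as `port` instead of the default.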