OPC and DCOM Configuration on Windows 2008 and Windows 7

Tutorial: OPC and DCOM Configuration.

1. Preliminary Conditions

1.1 Installing OPC Core Components

OPC Core Components are required for OPC servers and OPC clients to run. If the server and the client
are installed on different computers, this package must be installed on both computers. If the client or
the server runs on a 64-bit version of the operating system and they are 64-bit applications, you need to
install the corresponding version of OPC Core Components.

You can download OPC Core Components free of charge from opcfoundation.org. Link

After you download the libraries, you should install them. You need installed .Net Framework v1 to be
able to install the libraries.

Note: It is recommended to restart the computer after you install OPC Core Components

2. CREATING A USER AND GIVING ACCESS PERMISSIONS

2.1 ADDING A USER

You need to create a user that has permissions to run and use DCOM applications. To increase security,
you can create a user with restricted permissions. You need to have administrator permissions to add a
user.

Attention! You need to create users with the same name and password on both computers (where the
server and the client are installed). Further on you should run the OPC client using this user account.
Fig. 2 Access to the computer or server management console

Fig. 3 Adding a new user

Fig. 4 New user properties

You can create a user with any name. The password must be specified and must not be empty.

2.2 GIVING PERMISSIONS

To allow the new user to work with DCOM, you should add the user to the corresponding "DCOM Users"
group.

Fig. 5 User groups

Fig. 6 Adding a user to the group

Fig. 7 Selecting the user

Fig. 8 User list

Fig. 9 Selected user

Fig. 10 User in the group

Note. You can create several users and add them to one "DCOM Users" group. You can also add existing
users to this group.

3. CONFIGURING THE WINDOWS 2008 AND WINDOWS 7 FIREWALL FOR DCOM AND OPC

The DCOM technology the OPC technology is based on uses reserved system port 135 for its work. For
servers and clients to run normally, you should permit these connections in your firewall. If the client
and the server are located on different computers, firewall configuration is required. Below you can see
an example of configuring the standard firewall in Windows 2008. If the client and the server are used
on one computer, there is no need to configure the firewall.
Fig. 11 Access to the computer or server management console

For Windows 7 users. To open the firewall management console, use "Start" - "Control Panel" - "System
and Security" - "Windows Firewall" - "Advanced settings" or run it from the command line with the
"wf.msc" command.

For Windows 2008 Server users. To open the firewall management console, you may use the "The
server management console" or run it from the command line with the "wf.msc" command.

3.1 PERMITTING DCOM ACTIVITY

By default, Windows blocks inbound connections from other computer. For OPC clients to be able to
connect to OPC servers on this computer, enable the corresponding rule.

Fig. 12 Firewall rule properties

Fig. 13 Permitting DCOM activity

For Windows 7 users. If the "COM+ network access" or "DCOM" rule is not in the list, create two "Port"
rules.

1. Port 135 rule for the TCP protocol;

2. Port 135 rule for the UDP protocol;

3.2 CREATING RULES FOR EVERY OPC SERVER

You need to permit activity for every OPC server running on this computer. Also, you should permit
network activity for the OpcEnum system service that allows remote clients to receive the list of servers
from this computer.

Below you can see an example of how to create a rule for OpcEnum. Rules for other applications are
created in a similar way.
Fig. 14 Adding an individual rule

1. Select the "New Rule" action;

2. Select the "Program" rule type;

3. Click the "Next" button.

Fig. 15 Selecting the file

1. Select the "Program Path" option;

2. Specify the full path to the program and its file name;

3. You can select the program on the disk using the "Browse" button;
 4. Click the "Next" button.

Fig. 16 Rule properties

Fig. 17 Active profiles

Fig. 18 Rule name

Fig. 19 Active rules

You should repeat these steps to create a rule for every OPC server.

4. SPECIFYING DCOM PROPERTIES

For OPC servers to run correctly, you should specify the DCOM network and security properties.

There is no need to configure OpcEnum because this service is automatically configured when you install
"OPC Core Components".
This example shows how to specify the properties for the test OPC server "Test OPC Server". You can
specify the DCOM properties using the "dcomcnfg" service command.

To run "dcomcnfg" from the command line, open the Run dialog box by pressing Win+R on the
keyboard.

Fig. 20 Running the components service

4.1 SPECIFYING THE DEFAULT PROPERTIES

Fig. 21 Properties
Fig. 22 COM security

Click button 1 (fig. 22). In the new dialog box (fig.23):

1. Click the "Add" button;

2. Add the "DCOM users" group by completing operations similar to those shown in figures 7 - 9;

3. Set access permissions for it;

4. Click the "OK" button to save the changes.

Fig. 23 Configuring access permissions

Repeat the actions in the "Launch and Activation Permission" dialog box (fig.24) that appears when you
click "Edit Default..." button 2 (fig.22).

Fig. 24 Configuring launch permissions

Delete all protocols except for TCP/IP on the "Default Protocols" tab (fig.25) and click "OK" to save the
changes in the "My Computer Properties" dialog box.

Fig. 25 Configuring launch permissions

4.2 SPECIFYING OPC SERVER PROPERTIES

Fig. 26 Specifying DCOM properties for the OPC server

Since all properties have been already specified for the entire computer, you should make sure that the
OPC server uses the default properties.
Fig. 27 General OPC server properties
Fig. 28 Security properties
Fig. 29 Endpoints
Fig. 30 Identity

You should specify the previously created user that will launch the OPC server on the "Identity" tab.

Note 1. Before you edit the properties of the OPC server, you should make sure that it is not running
and is absent in the list of active processes. Or restart the OPC server after you edit its properties.

Note 2. It is necessary for some OPC servers to be launched with administrator permissions at least once
in order to get registered in the system and initialize the parameters of the OPC server. They will be
available for detection via OpcEnum and connection only after such initialization.

4.3 CONFIGURING "EVERYONE" ACCESS TO OPC SERVERS

Attention! Access permission for everyone may lower the security level of the computer.

Sometimes it may be necessary to permit access to the OPC server for everyone, including anonymous
users. For example, when the computer with the server does not belong to the domain while a lot of
clients will be connecting to the server.

Advantages:

1. It is possible for the computer with the server not to belong to the domain;

2. No need to create users on the computer with the OPC server;

3. Users can run the OPC client using their own account.
Disadvantages:

1. Lower security because of the remote access to DCOM for everyone.

If you want to provide access to the OPC server for everyone, you should configure individual access
permissions for the selected OPC server.

Open the DCOM properties for the OPC server as shown in section 4.2 and edit them according to fig.31
- fig.34. The other properties must correspond to the ones specified in section 4.2.

Fig. 31 General properties

Fig. 32 Security properties

Fig. 33 Launch and activation permissions

Fig. 34 Access permissions

You should configure the local security policy. To do it, you should open the "Local Security Policy"
console.

To open the "Local Security Policy" console run it from the command line with the "secpol.msc"
command.

Windows 2008 Server: You can open the console by selecting "Start" - "Administrative Tools" - "Local
Security Policy".

Windows 7: You can open the console by selecting "Start" - "Control panel" - "System and Security" -
"Administrative Tools" - "Local Security Policy" (fig. 34.1).
Fig. 34.1 Windows 7. Administrative tools

You should navigate to the "Local Policies: Security Options" section. And set the status of the "Let
Everyone permissions apply to ..." policy to "Enabled" (fig. 35).

Fig. 35 Security policy properties

If you change the security policy (as shown in fig. 35) and OPC clients cannot get the list of OPC servers
and connect to them, you should specify and save advanced security policy properties (fig. 36-37).

Fig. 36 DCOM: access restrictions

Fig. 37 DCOM: launch restrictions

You can find the detailed description of how to add a group or user in section 2.2.

5. TYPICAL PROBLEMS

5.1 RPC SERVER UNAVAILABLE

This error means that it is impossible to establish a network connection to the RPC service.

1. If the error occurs during an attempt to get the list of OPC servers on the remote computer, you
should check the firewall settings. The OpcEnum.exe file located in the Windows\System32
folder by default must be added to exceptions.

2. You should make sure that inbound DCOM connections to port 135 are permitted

3. If the error occurs during an attempt to connect to the OPC server, you should make sure that
the executable file of the OPC server is added to the Windows firewall exception list.

5.2 ACCESS DENIED

This error means that the current permissions are not enough to establish a connection. You should
configure DCOM as described in section 4.

5.3 IOPCSERVERLIST INTERFACE NOT FOUND

You should restart the computer after you install the OPC Core Components.