1. The OPC server uses a callback mechanism for client subscriptions. This means
that the OPC client must also behave as a server, with all the security
implications that entails. If the client is not configured appropriately, this
leads to the following situation: the connection to the server is established
successfully, but the subscribed items are never updated.
2. DCOM does not respond to a request at the incoming IP address; instead it
re-resolves the (domain-less) name of the request issuer. Therefore simple
SNAT/DNAT firewalls are not enough to establish a connection from a NATed
computer.
How it can be organized:
a) An SNAT/DNAT firewall rule for requests coming from a specific IP:
iptables -t nat -N dcom
iptables -t nat -A dcom -m state --state ESTABLISHED -j RETURN
iptables -t nat -A dcom -m state --state RELATED -j RETURN
iptables -t nat -A dcom -p tcp --tcp-flags SYN,ACK SYN,ACK -j RETURN
iptables -t nat -A dcom -j DNAT --to-destination 192.168.25.6
iptables -t nat -A PREROUTING -p tcp -s 141.52.64.38 -j dcom
b) The VM's PC name should be added as an alias in the Samba configuration on the main host:
netbios aliases = ZeusVM
c) The VM PC should not register with WINS or DHCP, since the server
would otherwise obtain the dummy IP from there.
d) Even after that there are sometimes unknown problems. I have a
direct connection, but not through the firewall.
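To make the behaviour of the nat chain in 2a) explicit, here is an added Python model of those rules (example code, not part of these notes); the two addresses come from the rules above, while the packets, conntrack states and the host 10.0.0.7 are constructed samples.

```python
# Added example (not from the notes above): a model of the iptables nat
# chain from item 2a), showing which inbound packets get DNATed. Packets and
# states are constructed samples. A real kernel consults the nat table only
# for a connection's first packet; this just applies the rules in order.
from dataclasses import dataclass
from typing import Optional

DCOM_PEER = "141.52.64.38"   # -s match in the notes' PREROUTING rule
VM_ADDR = "192.168.25.6"     # --to-destination in the notes' DNAT rule

@dataclass(frozen=True)
class Packet:
    src: str     # source IP as seen on the NAT host
    proto: str   # "tcp" or "udp"
    syn: bool    # TCP SYN flag set
    ack: bool    # TCP ACK flag set
    state: str   # conntrack state: "NEW", "ESTABLISHED" or "RELATED"

def dcom_chain(pkt: Packet) -> Optional[str]:
    """Chain 'dcom': return the DNAT target, or None when a RETURN fires."""
    # -m state --state ESTABLISHED -j RETURN / --state RELATED -j RETURN
    if pkt.state in ("ESTABLISHED", "RELATED"):
        return None
    # --tcp-flags SYN,ACK SYN,ACK: match when both SYN and ACK are set,
    # i.e. a SYN-ACK reply to a connection the VM opened; never rewritten.
    if pkt.proto == "tcp" and pkt.syn and pkt.ack:
        return None
    return VM_ADDR   # -j DNAT --to-destination 192.168.25.6

def prerouting(pkt: Packet) -> Optional[str]:
    """PREROUTING: -p tcp -s DCOM_PEER -j dcom; everything else untouched."""
    if pkt.proto == "tcp" and pkt.src == DCOM_PEER:
        return dcom_chain(pkt)
    return None

# Constructed samples: only a fresh SYN from the peer is rewritten, whatever
# its destination port (135 or a dynamic DCOM port); hence no port match.
SAMPLES = {
    "new SYN from peer": Packet(DCOM_PEER, "tcp", True, False, "NEW"),
    "SYN-ACK from peer": Packet(DCOM_PEER, "tcp", True, True, "NEW"),
    "established data from peer": Packet(DCOM_PEER, "tcp", False, True, "ESTABLISHED"),
    "new SYN from other host": Packet("10.0.0.7", "tcp", True, False, "NEW"),
    "UDP from peer": Packet(DCOM_PEER, "udp", False, False, "NEW"),
}

def run_samples() -> dict:
    """Map each sample label to its DNAT target, or None if not rewritten."""
    return {label: prerouting(pkt) for label, pkt in SAMPLES.items()}
```

The model shows why the chain needs no port list: every new TCP connection the peer opens, on 135 or on any dynamic port, is forwarded to the VM, while replies and existing connections are left alone.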
3. Allowing remote access.
a) Firewall issues. The initial connection is made on port 135, but
afterwards dynamic ports are used by both sides... There are documents
describing the appropriate firewall configuration.
b) On WinXP, remote access to the computer must be allowed. To enable it,
simply try to share a single folder.
c) The main tool is dcomcnfg. Access and execution permissions must be granted
to the appropriate users. Sometimes limits must also be set for ANONYMOUS LOGON
(to be checked whether this is really necessary). Besides that, DCOM services
can be configured to run under different credentials (Current User,
Interactive User, System Service, Specified User)... These users must
have access to the client computer in order to establish the callback connection...
d) If domains are not used, Windows authorization can be achieved
by creating identical users on both PCs with the same username and
e) The user should belong to the Administrators group.
f) Control Panel -> Administrative Tools -> Local Security Policy:
choose 'Security Settings -> Local Policies -> Security Options'
from the left tree, and make sure the value of the policy
'Network access: Sharing and security model for local accounts'
is 'Classic - local users authenticate as themselves'.
a) DOMAINS ARE EVIL. I have had a domain with several PCs (and Samba as
domain master). After a while one PC was gone. Then the DCOM connections
from the remaining PC to a particular PC (which never was a member of this domain,
actually) always fail. LabVIEW reports "catastrophic failure" (and
crashes on the second execution). The Windows event viewer reports that
the PC (which has gone from the domain) is unreachable (it is not referenced:
not in LabVIEW, not in Samba, not in the Windows registry, nowhere...)