Industry Online Support
Technical Forum
Navigation
What Firewall Rules should I configure between ES, OSS (WinCC server) and OS (WinCC Client)?
Created by: JazTai at: 9/6/2023 10:37 AM (6 Replies)
Rating 
Thanks 4
7 Entries
| 9/6/2023 10:37 AM | |
Joined: 9/9/2015 Last visit: 11/12/2024 Posts: 728 Rating:
|
Hi all, I need support here. Does anyone have ideas on what firewall rules to configure within a network firewall ( SC636-2C) between ES, OS Server (WinCC Server) and OS Client (WinCC Client)? System - PCS 7 V9.x WinCC - V7.4 / v7.5 After connecting the stations through network firewall with all TCP and UDP ports allowed to pass through, the simatic shell in ES could not reach WinCC server and WinCC Client. |
|
Please give me 5 stars Rating if my post is helpful for you. :) |
|
| 9/6/2023 6:10 PM | |
Joined: 2/17/2020 Last visit: 11/11/2024 Posts: 1114 Rating:
|
Hi, I would recommend you review the following links of the WinCC/PCS7 documentation: How to Access Computers Outside a Subnet > Firewall settings How do you manage to maintain the WinCC client-server communication when a firewall is switched on? Additionally, there is the SIMATIC Security Controller tool that is used to restore the settings for registry, permissions, firewall, etc. |
|
A rating will be well appreciated. |
|
This contribution was helpful to
|
|
| 9/7/2023 12:22 AM | |
|
Joined: 9/9/2015 Last visit: 11/12/2024 Posts: 728 Rating:
|
Thank you for the reply. Indeed, I have reviewed all the windows host firewall rules mentioned in both security controller and siemens pcs 7 installation security permissions page . And then, I made the network firewall rules to all all TCP and UDP ports from ES/OSS/OSC to/from ES/OSS/OSC. The result is negative. Simatic shell cant see each other. if the network firewall bypassed and directly connecting them to a hub, simatic shell can see all the stations. |
|
Please give me 5 stars Rating if my post is helpful for you. :) |
|
| 9/11/2023 2:15 PM | |
Joined: 2/1/2010 Last visit: 11/8/2024 Posts: 154 Rating:
|
Have you set up Multicast Proxy settings in SIMATIC Shell on machines on both sides of the firewall? When dealing with firewall I've always found that you must use that even if all other traffic goes through (ping, SMB etc.) Firewalls can't easily/don't really forward multicast traffic which is what SIMATIC Shell uses. You can check more in the WinCC 7.5SP2 manual in section 1.2.2.4 and especially 5.1.9.3. https://support.industry.siemens.com/cs/document/109792585/ |
|
If my post helped you, please rate. Thanks. |
|
This contribution was helpful to
|
|
| 9/14/2023 2:11 PM | |
|
Joined: 9/9/2015 Last visit: 11/12/2024 Posts: 728 Rating:
|
Thank you. Let me give it a try. The current case of my issue is , the OS Servers and OS Clients are in the same subnet. A network firewall (SC636-2C) configured in between of them in terminal bus via Intervlan Bridge configuration. Even all rules allowed in the firewall, but simatic shell could not detect it. We will test the multicast configuration , to add all relevant IP address (same subnet) in the multicast list to see whether it works. Thank you for your advice. |
|
Please give me 5 stars Rating if my post is helpful for you. :) |
|
| 9/14/2023 2:45 PM | |
Joined: 9/14/2023 Last visit: 9/14/2023 Posts: 2 Rating:
|
thanks🙏🏻 |
| 9/19/2023 11:08 AM | |
|
Joined: 9/9/2015 Last visit: 11/12/2024 Posts: 728 Rating:
|
I confirm this method is working. The issue is resolved after adding IP address into multicast. Within subnet or Outside Subnet , we can still add into the simatic shell multicast. Thank you for the solution. |
|
Please give me 5 stars Rating if my post is helpful for you. :) |
|
This contribution was helpful to
|
|
Follow us on