Ground floor Block D, Gillooly’s View Office Park, 1 Osborne Road, Bedfordview

Tel: 0861-WONDER Fax: (011) 607-8478

System Platform Checklist

Checklist for System Platform implementations

REV 1.0 SUPPORT@WONDERWARE.CO.ZA


Table of contents

A. Checklist
1. General
2. Wonderware
3. ArchestrA

B. Details
1. System Requirements
1.1. Application Server 3.0
1.1.1. Galaxy Repository Platform
1.1.2. Non-Galaxy Repository Platforms (IDE or Runtime)
1.1.3. All Systems (IDE, GR, Runtime)
1.2. InTouch 10
1.2.1. InTouch HMI Stand-alone Hardware
1.2.2. InTouch HMI and the ArchestrA IDE Hardware
1.3. Wonderware Historian 9.0
1.3.1. Level 1 Server
1.3.2. Level 2 Server
1.3.3. Level 3 Server
1.3.4. Data disk space
1.4. Information Server 3.0
1.4.1. Minimum Requirements
1.4.2. Recommended Requirements
2. Hyper-threading
3. Data Execution Prevention
4. Classic security model
5. Time synchronisation
6. Name Resolution
7. DCOM
7.1. Registering DCOM classes
7.2. DCOM Errors
7.2.1. Enabling DCOM
8. Publisher certificates
9. Event Logs
10. Licenses
10.1. It is illegal
10.2. Expiration
10.3. Functional differences
11. Security Settings for Wonderware® Products
11.1. Introduction
11.1.1. Assumptions
11.1.2. Application Versions
11.2. DCOM Global Settings
11.3. Archestra LogViewer
11.4. SuiteLink
11.5. InTouch
11.6. InSQL
11.7. Industrial Application Server
11.8. DA Servers
11.9. IO Servers
11.10. InBatch
11.11. InControl
12. Network Service Account
13. Virus Protection
14. Scan Groups
15. Redundancy set-up without DI objects


A. Checklist

1. General

• Sufficient Disk space should be available. (Refer to System Requirements (1))
• Sufficient RAM should be available. (Refer to System Requirements (1))
• Disable Hyper-threading. (Refer to Hyper-threading (2))
• Avoid Computer names with underscores (“_”) or dashes (“-”).
• Operating system should be on the latest supported patch or service pack.
• SQL servers should be on the latest supported patch or service pack.
• Configure the Boot.Ini file for no PAE. (Refer to Data Execution Prevention (3))
• In a workgroup environment on XP computers ensure that the security model is set to classic. (Refer to Classic security model (4))
• Time zone should be correct (Harare Pretoria (GMT+2)).
• Time should be current.
• Use a reliable time synchronisation method. (Refer to Time synchronisation (5))
• IP configuration should be correct.
• Name resolution must be fast and reliable. (Refer to Name Resolution (6))
• All DCOM classes should be registered. (Refer to DCOM (7))
• DCOM security should be correct. (Refer to DCOM (7))
• Remove “Check for publisher’s certificate revocation”. (Refer to Publisher certificates (8))
• Avoid the use of “Deny…” policies.
• Event logs should be clean. (Refer to Event Logs (9))
• CPU utilisation should average below 20%.

2. Wonderware

• Wonderware Software, Operating Systems and SQL Server versions should be compatible. (Refer to the Compatibility Matrix on http://www.wonderware.com/support/web)
• Wonderware software should be on the latest supported patch or service pack.
• Valid licenses are required for all Wonderware products. (Refer to Licenses (10))
• OS Configuration Utility settings should be applied (Manually in an Active Directory domain). (Refer to Security Settings for Wonderware® Products (11))
• Network service account should: (Refer to Network Service Account (12))
  o Have Local Administrative rights.
  o Have Log on as a Service rights.
  o Be set to: Never expire; User cannot change password.
• All Wonderware nodes should use the same Network Service Account.
• Virus protection should be configured with the required exceptions. (Refer to Virus Protection (13))
• Historian should be started.
• Historian should not have any pending changes.
• SMC logs should be clean.


3. ArchestrA

• ArchestrA platforms should all be the same version.
• ArchestrA security should be correctly configured.
• Engines should have no Scan Overruns.
• Historian name must be set in the following objects:
  o Application Engines.
  o Platforms (Engine tab) if required.
  o Formula Management objects.
• Always use scan groups (topics) when working with Device Integration. (Refer to Scan Groups (14))
• Never use more than 30 000 items per scan group.
• If redundancy is used:
  o Cross-over cable installed.
  o Redundant server pair must have two identical servers.
  o Binding order of network cards should be correct.
• Consider Top Server or DA Servers instead of DI Objects. (Refer to Redundancy set-up (15))


B. Details

1. System Requirements

1.1. Application Server 3.0

1.1.1. Galaxy Repository Platform

• Dual core PC with 2 gigahertz (GHz) or faster processor clock speed, or single core PC with 3 gigahertz (GHz) or faster processor clock speed
• Dual core processor recommended for optimal performance
• 2 gigabytes (GB) or more of RAM. (1 GB minimum supported; may limit performance of some features)

The Galaxy Repository locks the SQL Server maximum memory usage to 65% of the physical memory.

1.1.2. Non-Galaxy Repository Platforms (IDE or Runtime):

• PC with 2 gigahertz (GHz) or faster processor clock speed
• 1 gigabyte (GB) or more of RAM

1.1.3. All Systems (IDE, GR, Runtime):

• 30 gigabytes (GB) of available hard disk space
• Super VGA (1024 x 768) or higher resolution video adapter and monitor
• CD-ROM or DVD drive
• Keyboard
• Mouse or compatible pointing device

1.2. InTouch 10

1.2.1. InTouch HMI Stand-alone Hardware

• Computer with 1.2 GHz or faster processor clock speed
• 512 MB of memory minimum, 1 GB or greater recommended
• At least 4 GB of available hard disk space
• Super VGA (1024 × 768) or higher resolution video adapter and monitor
• CD-ROM or DVD drive to read Wonderware installation media
• Keyboard and mouse or compatible pointing device

1.2.2. InTouch HMI and the ArchestrA IDE Hardware

• Computer with 2 GHz or faster processor clock speed (dual core processor recommended for optimal performance)
• 2 GB of memory
• At least 4 GB of available hard disk space
• Super VGA (1024 × 768) or higher resolution video adapter and monitor
• CD-ROM or DVD drive to read Wonderware installation media
• Keyboard and mouse or compatible pointing device

1.3. Wonderware Historian 9.0

Requirements depend on the installation. Three levels are identified in the Historian Installation guide.

1.3.1. Level 1 Server

A Level 1 server can handle a load of about 5 000 tags. For example 2 600 analogue tags, 2 200 discrete tags, 300 strings and 20 non-I/O Server (manual) tags. The minimum requirements are:

• P4 3.2 GHz CPU
• 1 GB RAM
• 1 GB network interface card (NIC)
• 270 MB of free disk space to install the Wonderware Historian

1.3.2. Level 2 Server

A Level 2 server can handle a load of about 63 000 tags. For example 40 000 analogue tags, 20 000 discrete tags, 300 strings, and 5 000 non-I/O Server (manual) tags. The minimum requirements are:

• P4 3.0 GHz Dual CPU
• 1 GB RAM
• 1 GB network interface card (NIC)
• 270 MB of free disk space to install the Wonderware Historian

1.3.3. Level 3 Server

A Level 3 server can handle a load of 130 000 tags. For example 70 000 analogue tags, 50 000 discrete tags, 6 000 strings and 20 non-I/O Server (manual) tags. The minimum requirements are:

• P4 2.7 GHz Xeon Quad
• 8 GB RAM
• 1 GB network interface card
• 270 MB of free disk space to install the Wonderware Historian

1.3.4. Data disk space

For analogue, discrete and fixed-length string (128 characters or less) tags, each value that is stored uses Storage Size + 3 bytes of disk space, plus approximately 15% overhead. Use the following formula to estimate the disk usage:

$$
\text{Estimated Disk Usage} = \frac{(\text{Storage Size} + 3)(1.15)\,(\text{Tag Count})\left(\dfrac{60\ \text{minutes}}{\text{Storage Period minutes}}\right)(60)(24)}{\text{NTFS Compression Ratio}}
$$

For example, the disk usage per day for 10 000 4-byte analogue tags (that is: Storage Size = 4 bytes) that are stored at ten-second intervals would be:

$$
\text{Estimated Disk Usage} = (4 + 3)(1.15)(10\,000)\left(\frac{60}{10}\right)(60)(24) = 322\ \text{MB/day}
$$

The disk usage per day for 10 000 discrete tags (that is: Storage Size = 1 byte) that are changing, on average, every 60 seconds would be:

$$
\text{Estimated Disk Usage} = (1 + 3)(1.15)(10\,000)\left(\frac{60}{60}\right)(60)(24) = 322\ \text{MB/day}
$$

The disk usage per day for 10 000 8-byte string tags (that is: Storage Size = 8 bytes) that are changing, on average, every 60 seconds would be:

$$
\text{Estimated Disk Usage} = (8 + 3)(1.15)(10\,000)\left(\frac{60}{60}\right)(60)(24) = 872\ \text{MB/day}
$$
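The sizing formula above as a small planning script. This is an added example, not part of the Wonderware checklist: it takes the storage period in seconds (as the page's own substitutions do), leaves the NTFS Compression Ratio as a parameter (assumed 1.0, i.e. no compression, by default), and adds a retention estimate for a mixed tag population; TagGroup, bytes_per_day, estimate and retention_days are names chosen here.

```python
"""Wonderware Historian data-disk estimate (section 1.3.4), added example.

Formula as stated on the page, with Storage Period in seconds and the
NTFS Compression Ratio as a parameter (1.0 = no compression):

  bytes/day = (Storage Size + 3) * 1.15 * Tag Count * (60 / Storage Period)
              * 60 * 24 / NTFS Compression Ratio
"""
from dataclasses import dataclass

OVERHEAD = 1.15            # approximately 15% overhead (from the page)
PER_VALUE_EXTRA = 3        # each stored value uses Storage Size + 3 bytes
SECONDS_PER_DAY = 60 * 60 * 24
MIB = 1024 * 1024


@dataclass(frozen=True)
class TagGroup:
    name: str
    tag_count: int
    storage_size: int        # bytes per value: 4 analogue, 1 discrete, string length
    storage_period_s: float  # seconds between stored values (average, if on change)


def bytes_per_day(group: TagGroup, ntfs_ratio: float = 1.0) -> float:
    """Daily disk usage of one tag group in bytes, per the page's formula."""
    if group.storage_period_s <= 0 or ntfs_ratio <= 0:
        raise ValueError("storage period and compression ratio must be positive")
    values_per_day = SECONDS_PER_DAY / group.storage_period_s
    per_value = (group.storage_size + PER_VALUE_EXTRA) * OVERHEAD
    return per_value * group.tag_count * values_per_day / ntfs_ratio


def estimate(groups, ntfs_ratio: float = 1.0) -> dict:
    """Per-group and total usage for a mixed tag population."""
    per_group = {g.name: bytes_per_day(g, ntfs_ratio) for g in groups}
    total = sum(per_group.values())
    return {"per_group": per_group, "bytes_per_day": total, "mib_per_day": total / MIB}


def retention_days(groups, free_bytes: int, ntfs_ratio: float = 1.0,
                   headroom: float = 0.8) -> int:
    """Whole days of history that fit on a data disk while using at most
    `headroom` of its free space (the rest is kept spare for growth)."""
    per_day = estimate(groups, ntfs_ratio)["bytes_per_day"]
    return int(free_bytes * headroom // per_day)


# The page's three worked cases, 10 000 tags each
ANALOGUE_10S = TagGroup("analogue", 10_000, 4, 10)  # 4-byte analogue, stored every 10 s
DISCRETE_60S = TagGroup("discrete", 10_000, 1, 60)  # 1-byte discrete, changes every 60 s
STRING_60S = TagGroup("string", 10_000, 8, 60)      # 8-byte strings, change every 60 s

if __name__ == "__main__":
    groups = [ANALOGUE_10S, DISCRETE_60S, STRING_60S]
    report = estimate(groups)
    print(f"{report['mib_per_day']:.0f} MiB/day for all three groups (no NTFS compression)")
    print(retention_days(groups, 200 * 1024 ** 3), "days of history on a 200 GiB data disk")
```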

1.4. Information Server 3.0

1.4.1. Minimum Requirements

• CPU: 2.5 GHz Pentium 4
• 1 GB RAM
• 5 GB free disk space

1.4.2. Recommended Requirements

• CPU: 3 GHz Pentium 4
• 2 GB RAM
• 10 GB free disk space

2. Hyper-threading

Some machines are still running Hyper-threading – Wonderware recommends that Hyper-threading be switched off on all platforms. Hyper-threading splits a processor in two and, since Application Server is a sequential engine, only one half of the processor is fully utilised.

• Reboot the computer.
• Enter BIOS setup.
• Disable hyper-threading.
• Save and exit setup.

3. Data Execution Prevention

On Windows 2003 SP1 and Windows XP SP2 machines, the service packs implement Data Execution Prevention – this interferes with the normal operation of, among other things, the Logger. Wonderware recommends that this option be switched off.

This procedure should only be executed on machines with Windows 2003 Server Service Pack 1 or Windows XP Service Pack 2. The change will not force a reboot but one is required for the change to take effect.

• Click Start.
• Click “Run”.
• Type: “sysdm.cpl”.
• Click “OK”.
• Select the “Advanced” Tab.
• In the “Startup and recovery” group, click the “Settings” button.
• Under “System Startup”, click the Edit button.
• This will open Notepad with the Boot.ini file in it.
• On a Windows 2003 server with Service Pack 1:
  o Remove the “/NoExecute=####” switch if it is there.
  o Add the following switches: “/Execute /NOPAE”.
  o The file should look more or less like this:
• On a Windows XP Professional PC with Service Pack 2:
  o Change the “/NoExecute=###” switch to “/NoExecute=alwaysoff”.
  o Add the “/NOPAE” switch.
  o The file should look more or less like this:
• Save the file and exit.
• Reboot the machine as soon as possible.

4. Classic security model

When Windows XP is installed without being a part of a domain the Windows default is to “Secure by default”. It will therefore set the Sharing and security model to “Guest”. ArchestrA needs to authenticate on the remote PC using the Network account. This setting must therefore be changed to classic manually:

• Click Start.
• Navigate to “Settings” | “Control Panel”.
• Click on “Control Panel”.
• Double-click on “Administrative Tools”.
• Double-click on “Local Security Policy”.
• The Policy editor opens.
• In the left pane: Navigate to “Security Settings” | “Local Policies” | “Security Options”.
• In the Right pane: Double click on “Network Access: Sharing and Security model for local accounts”.
• Change the setting from “Guest only” to “Classic”.
• Click OK and close the editor.

5. Time synchronisation

Due to the fact that both ArchestrA and Wonderware Historian are real-time systems, time synchronisation is extremely critical.

• Wonderware Historian will not accept data that is more than 30 seconds late (according to the Historian server’s local time) or more than 5 seconds early.

• ArchestrA platforms will have difficulty communicating to each other if they are not time synchronised.

All machines in the system (InTouch, Application Server, Information Server, Wonderware Historian etc.) should be synchronised.

In a full scale system, time synchronisation would normally be accomplished by setting up a time server (running SNTP) and synchronising this server to a GPS or other accurate clock. All other PCs are then forced, via group policies (in Active Directory) or manually with the net time /setsntp command, to synchronise with this server.

In a workgroup environment, the synchronisation can also be achieved by scheduling a batch file to execute the net time \\server /set /y command.

• Create a .bat file with the command: net time \\servername /set /y
• Copy the file to a convenient location on all the servers and workstations
• On each computer schedule the file to execute every hour:
  o Open Scheduled tasks in the Control Panel
  o Double-click Add Scheduled Task
  o Select the batch file
  o Select Daily and provide a time
  o Provide the Wonderware Network account details
  o Select “Open Advanced properties”
  o On the Schedule Tab, click Advanced
  o Select Repeat Task
  o Set to: Every 1 hour
  o Set Duration to 23 hours

6. Name Resolution

ArchestrA requires strong name resolution – normally a DNS server is sufficient. In the absence of a DNS server a set of “hosts” files can be used. The “hosts” file is normally located under the folder C:\Windows\system32\drivers\etc. Every server in the system should be listed with its correct IP address. The file can be copied to all the machines in the system. This can be done manually or automatically (by using a scheduled task).

If “hosts” files are not used, it is recommended that there be at least two DNS servers on each Active Directory Site. If there are problems with the DNS server: use the “hosts” files – this will guarantee name resolution to be correct (provided that the files are correctly set up). Bear in mind that if “hosts” files are not all identical on all machines, this can cause communication problems on a network.
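The page's warning that non-identical “hosts” files cause communication problems can be turned into a check. The script below is an added example, not part of the checklist: it parses the hosts files collected from several nodes (the sample text and node names are constructed here) and reports any name that maps to different addresses on different nodes or is missing from some of them; parse_hosts and find_inconsistencies are names chosen here.

```python
"""Cross-node hosts-file consistency check (section 6), added example."""
from collections import defaultdict


def parse_hosts(text):
    """Map each hostname/alias in a hosts file to its address.

    Comment text after '#' and blank or malformed lines are ignored. Names are
    lower-cased (Windows name resolution is case-insensitive) and the first
    entry for a name wins, which is how the resolver treats duplicates.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no name, or a name with no address
        ip, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def find_inconsistencies(node_files):
    """node_files: {node_name: hosts_file_text}.

    Returns {"conflicts": {name: {ip: [nodes]}}, "missing": {name: [nodes]}}.
    A conflict is a name that resolves to different addresses on different
    nodes; missing lists names that some nodes have and others lack.
    """
    per_node = {node: parse_hosts(text) for node, text in node_files.items()}
    all_names = set().union(*per_node.values())
    conflicts, missing = {}, {}
    for name in sorted(all_names):
        addrs = defaultdict(list)
        absent = []
        for node, mapping in per_node.items():
            if name in mapping:
                addrs[mapping[name]].append(node)
            else:
                absent.append(node)
        if len(addrs) > 1:
            conflicts[name] = dict(addrs)
        if absent:
            missing[name] = absent
    return {"conflicts": conflicts, "missing": missing}


# Constructed sample: three nodes; the Historian entry drifted on INTOUCH1,
# which also never received the INTOUCH1 line itself.
SAMPLE_NODES = {
    "GRNODE": "# ArchestrA hosts\n192.168.10.10 GRNODE\n192.168.10.20 HISTNODE\n192.168.10.30 INTOUCH1\n",
    "HISTNODE": "192.168.10.10 GRNODE\n192.168.10.20 HISTNODE\n192.168.10.30 INTOUCH1\n",
    "INTOUCH1": "192.168.10.10 grnode\n192.168.10.21 HISTNODE   # stale entry\n",
}

if __name__ == "__main__":
    result = find_inconsistencies(SAMPLE_NODES)
    for name, by_ip in result["conflicts"].items():
        print(f"CONFLICT {name}: {by_ip}")
    for name, nodes in result["missing"].items():
        print(f"MISSING  {name} on {nodes}")
```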

7. DCOM

7.1. Registering DCOM classes

It is a good practice to start DCOMCnfg.exe at least once after any installation. This will ensure that all DCOM classes are registered.

• Click Start | Run.
• Type DCOMCnfg and click OK.
• Navigate to Component Services | Computers | My Computer | DCOM Config.
• If there are unregistered DCOM classes, there will be a dialogue box per class to inform of the situation – Click Yes on each to register the Class.

7.2. DCOM Errors

These can be intimidating to diagnose and solve. Wonderware products make extensive use of DCOM and problems with DCOM settings can cause unpredictable behaviour. DCOM problems are caused by the following:

• Installation of non-compatible software – this software might make modifications to the DCOM settings that are incompatible with Wonderware software.

• Operating System corruption – This may happen when a machine is hard booted (power supply is toggled) and it did not have time to do a safe shutdown.


• Viruses – Some viruses exploit available features (not vulnerabilities) of the operating system (such as DCOM). For instance: When a virus has already infected a machine it might modify DCOM settings to allow it to propagate to other machines connecting to it. Viruses can also cause the registry to corrupt.

• Incomplete installation of software – When an installation is interrupted and the installation is not allowed to roll back (or cannot), it may have made changes to the DCOM settings which are now invalid. This can also corrupt the registry.

• Incorrect Security (this is the major contributor) – Several things are factors here:

o Sometimes after the DCOM has been set up correctly, someone or some other software changes an associated username or group membership or password (to a lesser degree) and then more software is installed utilising the new credentials. DCOM is then updated with the new credentials and the original program will start to malfunction.

o Software on two different boxes executing under two different sets of credentials will have difficulty communicating with each other.

DCOM errors usually present in the Event log as shown below:

7.2.1. Enabling DCOM

One of the first things to check is whether DCOM is actually enabled. The procedure shown is for Windows XP or Windows 2003 server.

• Click Start | Run.
• Type DCOMCnfg and click OK.
• Navigate to Component Services | Computers | My Computer.
• Right Click My Computer.
• Click Properties.
• Click on the Default Properties tab.
• Ensure that the “Enable Distributed COM on this computer” checkbox is ticked.

8. Publisher certificates

ActiveFactory utilises Internet Explorer functionality. To do this a certificate is issued to ActiveFactory to protect the end-user. Internet Explorer will by default always check whether that certificate has expired or has been revoked. The expiration is part of the certificate, but revocation must be checked on the Internet. If a computer does not have Internet access, the attempt to check for revocation will fail (time out). This will slow down the start-up of ActiveFactory components. It is therefore recommended that this check be disabled. Be aware that disabling this functionality poses a security risk if the computer does have Internet access – malicious software with revoked certificates will not be stopped from execution.

• In Internet Explorer open Internet Options.
• Click on the Advanced Tab.
• Navigate to the Security section (right at the bottom).
• Uncheck “Check for publisher’s certificate revocation”.

9. Event Logs

The event viewer is the log file system for the Microsoft operating system. The files are divided into three sections.

• Application: Applications can log messages to this log file to indicate events. Due to the high speed nature of process systems, this log file is not used often by Wonderware applications, but Microsoft SQL will log information here.

• Security: By default not much is logged here. This can be changed from the Policy viewer and, if there is an apparent security problem, it might be worth the trouble to temporarily enable additional logging here, as it will indicate the user name and the object to which access is denied.

• System: This is probably the most important log as it will show errors happening on the operating system level.

An individual event raised in the log might be minor, but scores of minor problems can result in erratic behaviour and complicate diagnostic procedures.

Several behavioural changes are recommended:

• After every major change, please check every affected log for any reported errors.

• Check all the logs on a frequent (once a week) basis for any unexpected issues – most serious problems can be avoided by catching issues early.

• Ensure that the implication and meaning of every listed error or warning is understood and fixed if necessary. The main goal here is to remove all the red and yellow!

• Event viewer errors can mostly be looked up on the internet and in some cases the error can be ignored (for instance the spnRegister error sometimes found on SQL servers).

10. Licenses

Avoid using SI consignment licenses on running plants.

This situation is acceptable during development, but once the machines are in production one should be extremely diligent to change the licenses to avoid issues.

There are three problems with running incorrect licenses:

10.1. It is illegal

Obtain the correct licenses for the correct products and determine the correct servers to run them on.

10.2. Expiration

Consignment and demo licenses are typically only valid for a certain period of time (usually one year for consignment and 30 days for demo). After this period, the license expires. At this point the software will no longer operate.

The situation should be rectified immediately or the system will stop when the license expires. After license expiry the following symptoms can be expected:

• Slow or no communications • Unable to deploy changes to ArchestrA platforms • Unable to open InTouch WindowMaker or WindowViewer.

10.3. Functional differences

Certain licenses have additional functionality licensed (for instance: a full InTouch can have access names other than “Galaxy:”). Other licenses may not include this functionality (for instance: InTouch View licenses can only have the “Galaxy:” access name). It is easy to utilise functionality during design that should not be available under the correct license, and this might cause major problems.

11. Security Settings for Wonderware® Products

11.1. Introduction

Wonderware has released an OS Configuration Utility to support our products on Windows XP SP2 and Windows Server 2003 SP1 or higher. If you have not tried using the utility, please go to http://ww.Wonderware.com/support/web and download the OS Configurator Utility. If you have already run the utility and are still having problems running Wonderware software, you may need to configure some security settings manually.

There are several reasons why the OS Configurator Utility may fail to make Wonderware software function properly on a Windows XP SP2 or Windows Server 2003 SP1 (or higher) node. The most likely reason is that the system is part of a Windows 2000 or Windows 2003 Active Directory Domain. If the Active Directory Domain is locking down security at the domain level, the utility will not be successful in changing the security settings. In this case, the security settings must be changed manually by the network administrator. Alternatively, the network administrator can set it up so that the user is allowed to change security settings on Windows nodes. This allows the utility to set security settings without being overwritten by the domain policies.

If problems are experienced running Wonderware software on Windows XP SP2 or Windows Server 2003 SP1, the first thing that Wonderware recommends doing is shutting off the built-in Windows firewall. This software firewall is only useful if you do not have a hardware or corporate firewall protecting your systems from the outside world. If the firewall is not your problem, and you have run the OS Configurator Utility, you will need to set the following settings manually.

11.1.1. Assumptions

This document divides up the settings necessary by Wonderware Software Component. You will have to know the full path to the files listed below. You will need administrative rights to the system to make these changes.

11.1.2. Application Versions

This document applies to all Wonderware products that are supported on Windows XP SP2 and Windows Server 2003 SP1 or higher.

11.2. DCOM Global Settings

These settings are used by multiple Wonderware components including IAS and DA Servers:

• Security settings (in Component Services): Component Services | COM Security
  o Launch and Activation Permissions: Everyone: Remote Activation
  o Access Permission: add Local Access and Remote Access permissions for the ANONYMOUS user.

11.3. Archestra LogViewer

Used by all FactorySuite A² components including InTouch, IAS, InSQL, DA Servers.

Make the following entry into the registry:

HKLM\Software\Policies\Microsoft\WindowsNT\RPC\RestrictRemoteClients = 0


11.4. SuiteLink

Used by all Wonderware products.

Add the following to the firewall settings exception list:

• slssvc.exe

11.5. InTouch

Requires Suite link common component modification.

Add the following programs to the exception list:

• wm.exe

11.6. InSQL

Requires Suite link common component modification.

The following processes need to be added to the firewall exclusion list:

• InSQLData.exe
• InSQLConfig.exe
• InSQLSCM.exe
• InSQLRet.exe
• SQLServer.exe

Add the following ports to the Firewall exception list:

• File and printer sharing: 445/TCP and UDP
• SQL Server Browser: 1434/UDP
• SQL TCP: 1433/TCP
• Remote IDAS: 145 to 139 TCP and UDP

11.7. Industrial Application Server

Requires Suite link common component modification.

Add the following applications to the firewall exception list:

• aaIDE.exe
• aaLogger.exe
• Slssvc.exe
• aaPim.exe
• BootStrap.exe
• aaDcomTransport.exe
• SQLServr.exe
• NmxSvc.exe

Add the following ports to the Firewall exception list:

• DCOM: 135/tcp
• File and printer sharing: 445/tcp
• SQL TCP: 1433/tcp
• SQL Server Browser: 1434/udp

11.8. DA Servers

Requires Suite link common component modification.

Add the following ports to the Firewall exception list:

• DAS SI Direct: 102
• DAS MBTCP: 502
• DAS ABTCP: 2221
• DAS ABTCP: 2222
• DAS ABTCP: 2223
• S/L DA Servers: 5413
• DAS ABCIP: 44818

The following files need to be excluded in the firewall. They are common to all DA Servers:

• aaEngine.exe
• NmxSvc.exe
• OPCEnum.exe
• *Dllhost.exe*
• DASAgent.exe

The following files need to be excluded in the firewall. They are specific to each DA Server:

• DASABCIP.exe
• DASMBTCP.exe
• DASABTCP.exe
• DASSIDirect.exe
• FSGateway.exe
• DASS7.exe
• S7ConSvr.exe
• DASMBSerial.exe
• DASMBPlus.exe
• DASAlarm2U.exe

If you are using Industrial Application Server and are planning on deploying DI Objects you will need to manually exclude the following files in the firewall. You will need to create dummy files with these names as they are not on the system until a deploy occurs. Windows XP SP2 firewall will not exclude files unless they already exist on the system. These files are deployed to the \Program Files\Archestra\Framework\Bin directory.

• DASABCIP.exe
• DASMBTCP.exe
• DASABTCP.exe
• DASSIDirect.exe
• DASS7.exe
• DASMBSerial.exe
• DASMBPlus.exe
• DASAlarm2U.exe
• aaEngine.exe
• NmxSvc.exe
• DASAgent.exe

The following file is deployed to the \Windows\System32 sub-directory:

• OPCEnum.exe

11.9. IO Servers

Requires Suite link common component modification.

11.10. InBatch

1. Add the following ports (9001 - 9016) to the firewall exception list for communication:

• Vista: 9001/tcp
• EnvMngr: 9002/tcp
• MsgMngr: 9003/tcp
• SecMngr: 9004/tcp
• RedMngr: 9006/tcp
• UnilinkMngr: 9007/tcp
• BatchMngr: 9008/tcp
• LogMngr: 9011/tcp
• InfoMngr: 9012/tcp
• RedMngrX: 9013/udp
• RedMngrX2: 9014/udp
• HistQMngr: 9015/tcp
• HistQReader: 9016/tcp

2. Enable File and Printer Sharing:

File and printer sharing 445/tcp

3. Add the InBatch Server to the Local Intranet Zone in Internet Explorer as a trusted site. If the InBatch Server site is not a secured site, you may need to change the Local Intranet Zone to allow unsecured sites.

11.11. InControl

Requires Suite link common component modification.

Add the following programs to the exception list:

• ICDev.exe
• RTEngine.exe
• ICOPCServer.exe

Modifications must be made to the firewall registry settings if you frequently switch between Domain and Workgroup logons. If you do, set both the Domain and Standard profiles so that all Wonderware products are configured in both profiles. These profiles are located in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

There is one key per firewall policy. The profile in effect when the machine is connected to the domain is under the key DomainProfile. The profile in effect when the machine is not connected to the domain is under the key StandardProfile.

The list of application exceptions for each profile is stored as a set of string values under the profile subkey AuthorizedApplications\List. The list of port exceptions for each profile is stored as a set of string values under the profile subkey GloballyOpenPorts\List.

So, to see in the registry what application exceptions are in force for the domain firewall profile, look at the values under the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List

To see in the registry what port exceptions are in force for the domain firewall profile, look at the values under the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List

To see the exceptions in force for the workgroup policy, please look in the following locations:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
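A script that reads the four registry lists above and reports any exception that is present in one profile but not the other, so that a machine which switches between Domain and Workgroup logons does not silently lose its Wonderware exceptions. This is an added example and not part of the checklist. It assumes the Windows XP SP2 value layout (each application entry is a string of the form "path:*:Enabled:name", each port entry "port:protocol:*:Enabled:name"); the list of expected executables is the ArchestrA set from section 11 above, and the comparison is by program file name because install paths may differ between nodes.

```powershell
# Added example, not from the checklist: audits DomainProfile and StandardProfile
# firewall exceptions for drift and for missing ArchestrA program entries.

$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-ExceptionEntries {
    param([string]$ProfileName, [string]$ListName)
    $key = Join-Path $policyKey "$ProfileName\$ListName\List"
    if (-not (Test-Path $key)) { return @() }
    $item = Get-ItemProperty -Path $key
    # Each exception is one string value; skip the PS* metadata properties that
    # Get-ItemProperty adds to the object.
    $item.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $fields = ($_.Value -split ':')       # assumed XP SP2 value format
            New-Object PSObject -Property @{
                Id      = $_.Name.ToLower()       # program path, or "port:protocol"
                Enabled = ($fields -contains 'Enabled')
                Label   = $fields[-1]
            }
        }
}

function Compare-FirewallProfiles {
    param([string]$ListName)
    $domain      = @(Get-ExceptionEntries -ProfileName 'DomainProfile'   -ListName $ListName)
    $standard    = @(Get-ExceptionEntries -ProfileName 'StandardProfile' -ListName $ListName)
    $domainIds   = @($domain   | ForEach-Object { $_.Id })
    $standardIds = @($standard | ForEach-Object { $_.Id })

    foreach ($e in $domain) {
        if ($standardIds -notcontains $e.Id) { "$ListName '$($e.Label)' ($($e.Id)) is only in DomainProfile" }
    }
    foreach ($e in $standard) {
        if ($domainIds -notcontains $e.Id) { "$ListName '$($e.Label)' ($($e.Id)) is only in StandardProfile" }
    }
    # An entry that exists but is disabled still blocks the traffic, so flag it.
    foreach ($e in ($domain + $standard)) {
        if (-not $e.Enabled) { "$ListName '$($e.Label)' ($($e.Id)) is present but disabled" }
    }
}

$findings = @(Compare-FirewallProfiles -ListName 'AuthorizedApplications') +
            @(Compare-FirewallProfiles -ListName 'GloballyOpenPorts')

# Programs the checklist expects on an ArchestrA node (section 11 above).
$expected = 'aaIDE.exe', 'aaLogger.exe', 'Slssvc.exe', 'aaPim.exe', 'BootStrap.exe',
            'aaDcomTransport.exe', 'SQLServr.exe', 'NmxSvc.exe'
foreach ($profileName in 'DomainProfile', 'StandardProfile') {
    $present = @(Get-ExceptionEntries -ProfileName $profileName -ListName 'AuthorizedApplications' |
                 ForEach-Object { Split-Path $_.Id -Leaf })
    foreach ($exe in $expected) {
        if ($present -notcontains $exe.ToLower()) { $findings += "$profileName has no exception for $exe" }
    }
}

if ($findings.Count -eq 0) {
    'Domain and Standard profiles carry the same exceptions and all expected ArchestrA programs are listed.'
} else {
    $findings
}
```

Any line of output is something to fix with the firewall control panel or "netsh firewall add ... profile=ALL". Comparing by file name rather than full path keeps the check useful across nodes with different install drives; if every node in the galaxy uses the same path, compare on the full Id instead.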

12. Network Service Account

All inter-platform communications in an ArchestrA galaxy use the network account to talk to each other. These accounts should never be modified or removed, as doing so will break the system. Problems with these accounts can also slow down system response.

If the account already exists:

• Ensure that the password is set to never expire
• Ensure that the user is prevented from changing the password
• Ensure that the user is a member of the local PC’s Administrators group.

Run the “Change network account” utility (Start | Run | aaAdminUser). If the account is local and does not exist, select “Create Local Account”. Supply the credentials and click OK – it forces a reboot (no choice is given). In a domain environment, it is desirable to use a domain account.


Local network accounts work just as well as Domain accounts. The problem with local accounts is that they are difficult to manage. If someone changes the password of one of these local accounts, all the machines in the system will behave strangely and finding the culprit machine is sometimes difficult – one usually has to change every machine’s network account separately to make sure the problem is resolved.

A domain account provides better security and a single password to manage. Remember to make the domain account a member of the local Administrators groups.
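A check for the three account properties listed above, as an added example that is not part of the checklist. The account name is an assumption; use the account shown by the "Change network account" utility (aaAdminUser). The script uses the WinNT ADSI provider and the documented ADS_USER_FLAG bit values, so it runs against a local account as written; for a domain account, change the path to WinNT://DOMAIN/account,user.

```powershell
# Added example, not from the checklist: verifies the ArchestrA network account
# is set to never expire, cannot change its own password, and is a local admin.

$accountName = 'ArchestrAUser'                 # assumed; use the real network account name
$adsPath     = "WinNT://./$accountName,user"

# UserFlags bits from the ADS_USER_FLAG enumeration.
$ADS_UF_PASSWD_CANT_CHANGE = 0x40
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

if (-not [ADSI]::Exists($adsPath)) {
    throw "Account '$accountName' does not exist on this machine; run aaAdminUser to create it."
}
$user  = [ADSI]$adsPath
$flags = [int]$user.UserFlags.Value

$results = @()
$results += New-Object PSObject -Property @{
    Check = 'Password never expires'
    Ok    = (($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0)
}
$results += New-Object PSObject -Property @{
    Check = 'User cannot change password'
    Ok    = (($flags -band $ADS_UF_PASSWD_CANT_CHANGE) -ne 0)
}

# Local Administrators membership, resolved through the group's Members() method.
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
$results += New-Object PSObject -Property @{
    Check = 'Member of local Administrators'
    Ok    = ($members -contains $accountName)
}

$results | Select-Object Check, Ok | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more network-account checks failed; correct them before deploying the galaxy.'
}
```

Run it on every platform node; a failed "Password never expires" check is the usual cause of a galaxy that stops communicating on a fixed date, and a missing Administrators membership shows up as deploy failures rather than as an obvious account error.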

13. Virus Protection

Virus protection is highly recommended. Where there is a physical link between the supervisory LAN and the Business LAN, virus protection is critical: it is guaranteed that at some point virus activity will disrupt the system (and therefore production). A strong commercial anti-virus package such as McAfee or Symantec Anti-virus is recommended. The software should be updated on a regular basis, which can be automated (once a day is recommended).

The Anti-virus software should be set up to exclude the following directories (folders). The default folders are shown.

• C:\Program Files\ArchestrA\Framework\Bin\CheckPointer
• C:\Program Files\ArchestrA\Framework\Bin\GalaxyData
• C:\Program Files\ArchestrA\Framework\Bin\GlobalDataCache
• C:\Program Files\ArchestrA\Framework\Bin\Cache
• C:\Documents and Settings\All Users\Application Data\ArchestrA
• C:\InSQL

14. Scan Groups

Most DI objects have a default scan group (previously known as “a topic”) which will scan the device every 500ms (default). It is recommended that the default not be used. One should rather create Scan groups with different scan rates as required. For instance: Tags with slow rates of change (set points etc.) can be read every 2000 ms, while volatile signals can be read at 250ms (e.g. flow rates etc.).

The use of named scan groups (the default scan group is not named) also allows better portability – for instance if another IO server is to be used.

Scan groups can handle a maximum of 32 000 tags. It is therefore recommended that no more than 30 000 tags be used on each scan group.

15. Redundancy set-up without DI objects

The DI Objects used above are a wrapped OPC client and DAS server. The alternative configuration is to manually install the DAS server or Top Server and then use an OPCClient object to communicate with it. The RedundantDIObject is replaced with the OPCClient object. This object is configured with the node name blank, which causes the object to look for the DAS server or Top Server on the local machine. If a failover occurs, the engine fails over to the backup server and still looks at the local machine for a DAS server or Top Server, so it just continues operating…

Figure: Redundancy set-up without DI objects. Server 1 (Platform 1) and Server 2 (Platform 2) host Engine 1 and Engine 1 (Backup), each containing OPCClient object 1, Object 1 and Object 2, and Engine 2 and Engine 2 (Backup), each containing OPCClient object 2, Object 3 and Object 4. Each server runs its own local DAS Server/Top Server.