Please help. What exactly should be allowed in Windows 7 Pro Firewall for reliable reconnecting local IG to remote OPC Server which is located directly in PLC (local network)?
If I Connect to PLCs OPC Server when Firewall is turned off, it connects and reconnects OK (after e.g. IG Restart etc.)
If I Connect and only after that turn on Firewall, IG remain connected OK, but after restarting IG the connection gets into Faulted:
java.lang.Exception: Error advising subscription callback. DCOM security settings are likely preventing the OPC server from connecting to the client for callbacks.
and reconnects only after turning off the Firewall and restarting IG.
EDIT: I was wrong that after turning the Firewall On while being connected, the connection work OK. It works for some time (several minutes) but then stops - the values of tags stop changing. Only the status of the OPC Server connection remains Connected.
When I turn the Firewall Off, the values start to live again.
It looks like you have done all the correct troubleshooting with this problem. I would suggest looking at the documentation for the DCOM server
to see if there is a port number specified. You will need to make an exception in your Windows Firewall for this server. If there is nothing in the
documentation you may find something by looking at the configuration/settings in the device.
What is the name of OPC Client application (or service) at IG host machine side which is connecting to remote OPC Server (located directly in the PLC)?
I am asking in order to place that application into Firewall rule (not only TCP port 135).
To Dravik: How to list the OPC Server in W7 if it is directly in PLC (i.e. non-windows machine)?
All information that can be found on internet discuss only OPC Servers in localhost or sometimes in remote (windows) machine.
Well, then you’ll have to use the IP address of the PLC device and simply allow inbound connections from it back to the Win7 machine.
I believe the callback gets assigned a random TCP port(which you can restrict the range of iirc), So probably restrict that range.(I think you do this from dcomcnfg, check under the Connection Oriented TCP/IP setting) and then open that range in the firewall from the IP above.
You’re not going to need to add any applications. The port number is all you need. Even if you added an application or service name it will not work. You only need to specify the port number.
Here is another tool that you can use. Its pretty straight forward but it will probably take a few minutes to run. You use the command line to run this. It will return all of the ports that are being used and for what.