The Windows firewall and a DeltaV workstation

The Windows firewall service is enabled by default on all DeltaV workstations. The Windows firewall profiles are off by default.

To control which network has the Windows firewall applied to it, you must enable the Windows firewall profile and select the specific network interface cards (NICs) for that profile.

To allow incoming communications through the enabled firewall, rules are created and applied that specify the port to be opened for communication.

The Windows firewall has a default set of rules opening specific ports. These default Windows firewall rules are applied when the Windows firewall is enabled. DeltaV Security Administration contains additional rules that open communication ports needed for certain Emerson-approved applications.

Important

The Windows firewall profiles should not be enabled without fully understanding the potential impact on communications between DeltaV and any applications external to DeltaV on the either the DeltaV 2.5 network or applications in networks above the 2.5 network.

Always refer to the Windows help system for more information about the Windows firewall. The information provided here is designed as an overview of the features you need to enable the Windows firewall profiles and to apply any rules pertinent to the DeltaV system.

Important

Do not enable the Windows firewall profiles for any dedicated DeltaV networks; for example, the DeltaV Primary and Secondary ACNs, DLINK for Redundant Batch, and the Thin Client Primary and Secondary networks. Doing so could disrupt communications between DeltaV nodes. Networks used to connect to the DeltaV system that are outside of the DeltaV network need to be evaluated for the Windows firewall. If any non-DeltaV traffic is allowed on the network connecting to DeltaV, then enable the Windows firewall on that NIC and use DeltaV Security Administration to select the correct rule to open the necessary ports.

The Windows firewall profile types are as follows:

(All definitions are from the Windows firewall help.)

Domain Profile
The domain profile applies to a network when a domain controller is detected for the domain to which the local computer is joined. If you select this box, then the rule applies to network traffic passing through a network adapter connected to this network.
When DeltaV is in its own private domain, you do not need to enable this profile. However, if DeltaV is in a child domain, then you should enable this profile for the NICs that are the parent/child domain connection.
Private Profile
The private profile applies to a network when it is marked private by the computer administrator and it is not a domain network. Newly detected networks are not marked private by default. A network should be marked private only when there is some kind of security device, such as a network address translator or perimeter firewall, between the computer and the Internet. The private profile settings should be more restrictive than the domain profile settings.
DeltaV itself is a private network. Other networks connected to the DeltaV system can also be private networks (such as the Remote Client and Thin Client networks). You can apply the firewall to the non-DeltaV ACN NICs in the private profile.
Public Profile
The public profile applies to a network when the computer is connected directly to a public network, such as one available in airports and coffee shops. The public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be as tightly controlled as it is in an IT environment.
DeltaV should never be connected to a public network. Enabling this profile for the non-DeltaV ACN NICs protects DeltaV in the unusual event that it is connected to a public network.

Subtopics:

Related information