User Manual
www.moxa.com info@moxa.com
Cellular Networks
OPC and DCOM: 5 Things You Need to Know
OPC technology relies on Microsoft’s COM and DCOM to exchange data between automation hardware
and software; however, it can be frustrating for new users to configure DCOM properly. If you have ever
been unable to establish an OPC connection or transfer OPC data successfully, the underlying issue is likely
DCOM-related. In the following, we will discuss the steps necessary to get DCOM working properly and
securely. A simple and effective strategy to establish reliable DCOM communication involves the following
steps:
Remove Windows Security
The first step to establish DCOM communication is to disable the Windows Firewall, which is turned on by
default in Windows XP Service Pack 2 and later. The Firewall helps protect computers from unauthorized
access (usually from viruses, worms, and people with malicious or negligent intent). If the computer resides
on a safe network, there is usually little potential for damage as long as the Firewall is turned off for a short
period of time. Check with the Network Administrator to ensure it is safe to turn off the Firewall temporarily.
Set Up Mutual User Account Recognition
For the two computers to recognize each other's User Accounts, ensure that every User Account that will
require OPC access is recognized on both the OPC Client and Server computers. If there are no User
Accounts or Passwords already on the computers, please add them to both computers.
Configure System-wide DCOM Settings
OPC specifications depend on Microsoft’s DCOM for data transport. Consequently, you must
configure DCOM settings properly. It is possible to configure the default system-wide DCOM settings, as
well as the settings for a specific OPC server. The system-wide changes affect all Windows applications
that use DCOM, including OPC applications. In addition, since OPC Client applications do not have their
own DCOM settings, they are affected by changes to the default DCOM configuration. OPC communication
only requires “Connection-Oriented TCP/IP”. Add “Anonymous Logon” (required for OPCEnum) and
“Everyone” to the list of “Group or user names” in each tab.
Configure Server Specific DCOM Settings
Once the system-wide DCOM settings are properly configured, turn attention to the server-specific DCOM
settings. In the OPC-Server specific settings, only the Identity tab needs to change from the default settings.
After opening the DCOM settings window, find the OPC Server to configure and right-click on it. Select
the Properties option in the list of objects in the right window pane. Choose “The system account
(services only)”. The OPC Server will take the identity of the Operating System (or System for short). This
is typically the desired setting for the OPC Server as the System Account is recognized by all computers
on the Workgroup or Domain. In addition, no one needs to be logged on the computer, so the OPC Server
can execute in an unattended environment. Disable this option if the OPC Server is not set up to execute
as a Windows Service. If this is the case, simply configure the OPC Server to execute as a service before
configuring this setting.
Restore Windows Security
Once you establish the OPC Client/Server communication, it is important to secure the computers again.
This includes (but is not limited to):
a. Turn on the Windows Firewall again. This will block all unauthorized network traffic. You will also need to
provide exceptions on two main levels:
• Application level: specify which applications are able to respond to unsolicited requests.
• Port-and-protocol level: specify that the firewall should allow or deny traffic on a specific port for either
TCP or UDP traffic.
b. Modify the Access Control Lists (ACLs) to allow and deny the required User Accounts. This can be
accomplished either through the system-wide settings of DCOMCNFG, or in the server-specific settings.
Remember that OPCEnum requires “Anonymous Logon” access. You may wish to remove this
access. The only consequence of this action is that OPC Users will be unable to browse for OPC
Servers on the specific computer where Anonymous Logon access is not available. However, users will
still be able to properly connect to and exchange data with the OPC Server.
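
A read-only check for the Restore Windows Security step, as an added example that is not part of the original manual: it reports firewall profiles that are still turned off and any allow entries for “Everyone” or “Anonymous Logon” left in the system-wide DCOM ACLs. It assumes PowerShell 5.0 or later on Windows 8 / Server 2012 or later; the registry value names and SIDs are the standard Windows ones and do not come from this page.

```powershell
# Added example: read-only audit, run from an elevated PowerShell 5.0+ prompt.
# Get-NetFirewallProfile requires Windows 8 / Server 2012 or later.

# Principals that the setup steps add to the DCOM ACLs (well-known SIDs).
$watch = @{ 'S-1-5-7' = 'Anonymous Logon'; 'S-1-1-0' = 'Everyone' }

# COM access-mask bits (COM_RIGHTS_*): 1 execute, 2 local execute,
# 4 remote execute, 8 local activate, 16 remote activate.
$remoteBits = 4 -bor 16

# 1. The firewall should be enabled again on every profile.
$firewallOff = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })

# 2. System-wide DCOM ACLs are stored as binary security descriptors.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
$aclValues = 'DefaultAccessPermission', 'DefaultLaunchPermission',
             'MachineAccessRestriction', 'MachineLaunchRestriction'

$findings = foreach ($name in $aclValues) {
    $bytes = $ole.$name
    if ($null -eq $bytes) { continue }   # value absent: the Windows default applies
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Check the ACE type first so only ACEs that carry a SID are looked up.
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $sid = $ace.SecurityIdentifier.Value
        if (-not $watch.ContainsKey($sid)) { continue }
        # A mask of exactly 1 is the legacy form and grants local and remote rights.
        $remote = ($ace.AccessMask -eq 1) -or (($ace.AccessMask -band $remoteBits) -ne 0)
        [pscustomobject]@{
            Setting   = $name
            Principal = $watch[$sid]
            Mask      = '0x{0:X}' -f $ace.AccessMask
            Remote    = $remote
        }
    }
}

foreach ($p in $firewallOff) { Write-Warning "Firewall is OFF for profile $($p.Name)" }
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No Everyone / Anonymous Logon allow entries in the system-wide DCOM ACLs.' }
```

The script covers only the system-wide settings; ACLs set in the server-specific DCOMCNFG properties are stored separately and need their own review.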