System Platform Checklist 1

Wonderware SP Checklist

Uploaded by

barna284
Ground floor Tel: 0861-WONDER

Block D Fax: (011) 607-8478


Gilloolys View Office Park
1 Osborne Road
Bedfordview

System Platform Checklist

Checklist for System Platform implementations

REV 1.0 [email protected]


Table of contents

1. General
2. Wonderware
3. ArchestrA
1. System Requirements
1.1. Application Server 3.0
1.1.1. Galaxy Repository Platform
1.1.2. Non-Galaxy Repository Platforms (IDE or Runtime):
1.1.3. All Systems (IDE, GR, Runtime):
1.2. InTouch 10
1.2.1. InTouch HMI Stand-alone Hardware
1.2.2. InTouch HMI and the ArchestrA IDE Hardware
1.3. Wonderware Historian 9.0
1.3.1. Level 1 Server
1.3.2. Level 2 Server
1.3.3. Level 3 Server
1.3.4. Data disk space
1.4. Information Server 3.0
1.4.1. Minimum Requirements
1.4.2. Recommended Requirements
2. Hyper-threading
3. Data Execution Prevention
4. Classic security model
5. Time synchronisation
6. Name Resolution
7. DCOM
7.1. Registering DCOM classes
7.2. DCOM Errors
7.2.1. Enabling DCOM
8. Publisher certificates
9. Event Logs
10. Licenses
10.1. It is illegal
10.2. Expiration
10.3. Functional differences
11. Security Settings for Wonderware Products
11.1. Introduction
11.1.1. Assumptions
11.1.2. Application Versions
11.2. DCOM Global Settings
11.3. Archestra LogViewer
11.4. SuiteLink
11.5. InTouch
11.6. InSQL
11.7. Industrial Application Server
11.8. DA Servers
11.9. IO Servers
11.10. InBatch
11.11. InControl
12. Network Service Account
13. Virus Protection
14. Scan Groups
15. Redundancy set-up without DI objects

A. Checklist
1. General

Sufficient disk space should be available. (Refer to System Requirements (1))
Sufficient RAM should be available. (Refer to System Requirements (1))
Disable Hyper-threading. (Refer to Hyper-threading (2))
Avoid computer names with underscores (_) or dashes (-).
Operating system should be on the latest supported patch or service pack.
SQL servers should be on the latest supported patch or service pack.
Configure the Boot.ini file for no PAE. (Refer to Data Execution Prevention (3))
In a workgroup environment on XP computers ensure that the security model is set to
classic. (Refer to Classic security model (4))
Time zone should be correct (Harare Pretoria (GMT+2)).
Time should be current.
Use a reliable time synchronisation method. (Refer to Time synchronisation (5))
IP configuration should be correct.
Name resolution must be fast and reliable. (Refer to Name Resolution (6))
All DCOM classes should be registered. (Refer to DCOM (7))
DCOM security should be correct. (Refer to DCOM (7))
Disable the Check for publisher's certificate revocation option. (Refer to Publisher
certificates (8))
Avoid the use of Deny policies.
Event logs should be clean. (Refer to Event Logs (9))
CPU utilisation should average below 20%.

2. Wonderware

Wonderware Software, Operating Systems and SQL Server versions should be
compatible.
(Refer to the Compatibility Matrix on http://www.wonderware.com/support/web)
Wonderware software should be on the latest supported patch or service pack.
Valid licenses are required for all Wonderware products. (Refer to Licenses (10))
OS Configuration Utility settings should be applied (Manually in an Active
Directory domain). (Refer to Security Settings for Wonderware Products (11))
All Wonderware nodes should use the same Network Service Account.
Network service account should: (Refer to Network Service Account (12))
o Have Local Administrative rights.
o Have Log on as a Service rights.
o Be set to:
   Never expire
   User cannot change password.
Virus protection should be configured with the required exceptions. (Refer to
Virus Protection (13))
Historian should be started.
Historian should not have any pending changes.
SMC logs should be clean.

3. ArchestrA

ArchestrA platforms should all be the same version.
ArchestrA security should be correctly configured.
Engines should have no Scan Overruns.
Historian name must be set in the following objects:
o Application Engines.
o Platforms (Engine tab) if required.
o Formula Management objects.
Always use scan groups (topics) when working with Device Integration. (Refer to
Scan Groups (14))
Never use more than 30 000 items per scan group.
If redundancy is used:
o Cross-over cable installed.
o Redundant server pair must have two identical servers.
o Binding order of network cards should be correct.
Consider Top Server or DA Servers instead of DI Objects. (Refer to Redundancy
set-up (15))

B. Details
1. System Requirements

1.1. Application Server 3.0

1.1.1. Galaxy Repository Platform

Dual core PC with 2 gigahertz (GHz) or faster processor clock speed, or single
core PC with 3 gigahertz (GHz) or faster processor clock speed
Dual core processor recommended for optimal performance
2 gigabytes (GB) or more of RAM. (1 GB minimum supported; may limit
performance of some features) The Galaxy Repository locks the SQL Server
maximum memory usage to 65% of the physical memory.

1.1.2. Non-Galaxy Repository Platforms (IDE or Runtime):

PC with 2 gigahertz (GHz) or faster processor clock speed
1 gigabyte (GB) or more of RAM

1.1.3. All Systems (IDE, GR, Runtime):

30 gigabytes (GB) of available hard disk space
Super VGA (1024 x 768) or higher resolution video adapter and monitor
CD-ROM or DVD drive
Keyboard
Mouse or compatible pointing device

1.2. InTouch 10

1.2.1. InTouch HMI Stand-alone Hardware

Computer with 1.2 GHz or faster processor clock speed
512 MB of memory minimum, 1 GB or greater recommended
At least 4 GB of available hard disk space
Super VGA (1024 x 768) or higher resolution video adapter and monitor
CD-ROM or DVD drive to read Wonderware installation media
Keyboard and mouse or compatible pointing device

1.2.2. InTouch HMI and the ArchestrA IDE Hardware

Computer with 2 GHz or faster processor clock speed (dual core processor
recommended for optimal performance)
2 GB of memory
At least 4 GB of available hard disk space
Super VGA (1024 x 768) or higher resolution video adapter and monitor
CD-ROM or DVD drive to read Wonderware installation media
Keyboard and mouse or compatible pointing device

1.3. Wonderware Historian 9.0

Requirements depend on the installation. Three levels are identified in the Historian
Installation guide.

1.3.1. Level 1 Server

A Level 1 server can handle a load of about 5 000 tags. For example 2 600 analogue tags,
2 200 discrete tags, 300 strings and 20 non-I/O Server (manual) tags. The minimum
requirements are:

P4 3.2 GHz CPU
1 GB RAM
1 GB network interface card (NIC)
270 MB of free disk space to install the Wonderware Historian

1.3.2. Level 2 Server

A Level 2 server can handle a load of about 63 000 tags. For example 40 000 analogue
tags, 20 000 discrete tags, 300 strings, and 5 000 non-I/O Server (manual) tags. The
minimum requirements are:

P4 3.0 GHz Dual CPU
1 GB RAM
1 GB network interface card (NIC)
270 MB of free disk space to install the Wonderware Historian

1.3.3. Level 3 Server

A Level 3 server can handle a load of 130 000 tags. For example 70 000 analogue tags,
50 000 discrete tags, 6 000 strings and 20 non-I/O Server (manual) tags. The minimum
requirements are:

P4 2.7 GHz Xeon Quad
8 GB RAM
1 GB network interface card
270 MB of free disk space to install the Wonderware Historian

1.3.4. Data disk space

For analogue, discrete and fixed-length string (128 characters or less) tags, each value
that is stored uses Storage Size + 3 bytes of disk space, plus approximately 15%
overhead. Use the following formula to estimate the disk usage:


$$\text{Estimated Disk Usage} = \frac{1.15 \times (\text{Storage Size} + 3) \times (\text{Tag Count}) \times \frac{60}{\text{Storage Period}} \times (60\ \text{minutes}) \times (24\ \text{hours})}{\text{NTFS Compression Ratio}}$$

For example, the disk usage per day for 10 000 4-byte analogue tags (that is: Storage
Size = 4 bytes) that are stored at ten-second intervals would be:

$$\text{Estimated Disk Usage} = \frac{1.15 \times (4 + 3) \times (10000) \times \frac{60}{10} \times (60) \times (24)}{2} = 32\ \text{MB/day}$$

The disk usage per day for 10 000 discrete tags (that is: Storage Size = 1 byte) that are
changing, on average, every 60 seconds would be:

$$\text{Estimated Disk Usage} = \frac{1.15 \times (1 + 3) \times (10000) \times \frac{60}{60} \times (60) \times (24)}{2} = 32\ \text{MB/day}$$

The disk usage per day for 10 000 8-byte string tags (that is: Storage Size = 8 bytes) that
are changing, on average, every 60 seconds would be:

$$\text{Estimated Disk Usage} = \frac{1.15 \times (8 + 3) \times (10000) \times \frac{60}{60} \times (60) \times (24)}{2} = 87\ \text{MB/day}$$

1.4. Information Server 3.0

1.4.1. Minimum Requirements

CPU: 2.5 GHz Pentium 4
1 GB RAM
5 GB free disk space

1.4.2. Recommended Requirements

CPU: 3 GHz Pentium 4
2 GB RAM
10 GB free disk space

2. Hyper-threading

Some machines are still running with Hyper-threading enabled. Wonderware recommends that
Hyper-threading be switched off on all platforms. Hyper-threading splits a processor in two
and, since Application Server is a sequential engine, only one half of the processor is fully
utilised.

Reboot the computer.
Enter BIOS setup.
Disable hyper-threading.
Save and exit setup.

3. Data Execution Prevention

On Windows 2003 SP1 and Windows XP SP2 machines, the service pack implements
Data Execution Prevention. This interferes with the normal operation of, among other
things, the Logger. Wonderware recommends that this option be switched off.

This procedure should only be executed on Machines with Windows 2003 Server Service
Pack 1 or Windows XP Service Pack 2. The change will not force a reboot but one is
required for the change to take effect.

Click Start.
Click Run.
Type: sysdm.cpl.
Click OK.
Select the Advanced Tab.
In the Startup and recovery group, click the Settings button.
Under System Startup, click the Edit button.

This opens the Boot.ini file in Notepad.

On a Windows 2003 server with Service Pack 1
o Remove the /NoExecute=#### switch if it is there.
o Add the following switches: /Execute /NOPAE.
o The file should look more or less like this:

On a Windows XP Professional PC with Service Pack 2
o Change the /NoExecute=### switch to /NoExecute=alwaysoff.
o Add the /NOPAE switch.
o The file should look more or less like this:

Save the file and exit.
Reboot the machine as soon as possible.

4. Classic security model

When Windows XP is installed without being part of a domain, Windows applies its
secure-by-default settings and therefore sets the Sharing and security model to Guest.
ArchestrA needs to authenticate on the remote PC using the Network account. This
setting must therefore be changed to Classic manually:

Click Start.
Navigate to Settings | Control Panel.
Click on Control Panel.
Double-click on Administrative Tools.
Double-click on Local Security Policy.
The Policy editor opens.
In the left pane: Navigate to Security Settings | Local Policies | Security
Options.
In the Right pane: Double click on Network Access: Sharing and Security model
for local accounts.
Change the setting from Guest only to Classic.
Click OK and close the editor.

5. Time synchronisation

Because both ArchestrA and Wonderware Historian are real-time systems, time
synchronisation is extremely critical.

Wonderware Historian will not accept data that is more than 30 seconds late
(according to the Historian server's local time) or more than 5 seconds early.
ArchestrA platforms will have difficulty communicating with each other if they are not
time synchronised.
All machines in the system (InTouch, Application Server, Information Server, Wonderware
Historian etc.) should be synchronised.

In a full-scale system, time synchronisation would normally be accomplished by setting up
a time server (running SNTP) and synchronising this server to a GPS or other accurate
clock. All other PCs are then forced via group policies (in Active Directory) or manually
with the net time /setsntp command to synchronise with this server.

In a workgroup environment, the synchronisation can also be achieved by scheduling a
batch file to execute the net time \\server /set /y command.

Create a .bat file with the command: net time \\servername /set /y
Copy the file to a convenient location on all the servers and workstations

On each computer schedule the file to execute every hour:
o Open Scheduled tasks in the Control Panel
o Double-click Add Scheduled Task
o Select the batch file
o Select Daily and provide a time
o Provide the Wonderware Network account details
o Select Open Advanced properties
o On the Schedule Tab, click Advanced
o Select Repeat Task
o Set to: Every 1 hour
o Set Duration to 23 hours

6. Name Resolution

ArchestrA requires strong name resolution; normally a DNS server is sufficient. In the
absence of a DNS server a set of hosts files can be used. The hosts file is normally
located under the folder C:\Windows\system32\drivers\etc. Every server in the system
should be listed with its correct IP address. The file can be copied to all the machines in
the system. This can be done manually or automatically (by using a scheduled task).

If hosts files are not used, it is recommended that there be at least two DNS servers on
each Active Directory Site. If there are problems with the DNS server, use the hosts files:
this will guarantee name resolution to be correct (provided that the files are correctly set
up). Bear in mind that if hosts files are not all identical on all machines, this can cause
communication problems on a network.

7. DCOM

7.1. Registering DCOM classes

It is a good practice to start DCOMCnfg.exe at least once after any installation. This will
ensure that all DCOM classes are registered.

Click Start | Run.
Type DCOMCnfg and click OK.
Navigate to Component Services | Computers | My Computer | DCOM Config.
If there are unregistered DCOM classes, there will be a dialogue box per class to
inform of the situation. Click Yes on each to register the class.

7.2. DCOM Errors

These can be intimidating to diagnose and solve. Wonderware products make extensive
use of DCOM and problems with DCOM settings can cause unpredictable behaviour.
DCOM problems are caused by the following:

Installation of non-compatible software: this software might make
modifications to the DCOM settings that are incompatible with Wonderware
software.
Operating system corruption: this may happen when a machine is hard
booted (power supply is toggled) and it did not have time to do a safe shutdown.
Viruses: some viruses exploit available features (not vulnerabilities) of the
operating system (such as DCOM). For instance, when a virus has already
infected a machine it might modify DCOM settings to allow it to propagate to other
machines connecting to it. Viruses can also cause the registry to corrupt.
Incomplete installation of software: when an installation is interrupted and
the installation is not allowed to roll back (or cannot), it may have made changes
to the DCOM settings which are now invalid. This can also corrupt the registry.
Incorrect security (this is the major contributor): several things are factors
here:
o Sometimes after the DCOM has been set up correctly, someone or
some other software changes an associated username or group
membership or password (to a lesser degree) and then more software is
installed utilising the new credentials. DCOM is then updated with the
new credentials and the original program will start to malfunction.
o Software on two different boxes executing under two different sets of
credentials will have difficulty communicating with each other.

DCOM errors usually present in the Event log as shown below:

7.2.1. Enabling DCOM

One of the first things to check is whether DCOM is actually enabled. The procedure
shown is for Windows XP or Windows 2003 server.

Click Start | Run.
Type DCOMCnfg and click OK.
Navigate to Component Services | Computers | My Computer.
Right-click My Computer.
Click Properties.
Click on the Default Properties tab.
Ensure that the Enable Distributed COM on this computer checkbox is ticked.

8. Publisher certificates

ActiveFactory utilises Internet Explorer functionality. To do this a certificate is issued to
ActiveFactory to protect the end-user. Internet Explorer will by default always check
whether that certificate has expired or has been revoked. The expiration is part of the
certificate, but revocation must be checked on the Internet. If a computer does not have
Internet access, the attempt to check for revocation will fail (time out). This will slow down
the start-up of ActiveFactory components. It is therefore recommended that this check be
disabled. Be aware that disabling this functionality poses a security risk if the computer
does have Internet access: malicious software with revoked certificates will not be stopped
from execution.

In Internet Explorer open Internet Options.
Click on the Advanced tab.
Navigate to the Security section (right at the bottom).
Uncheck Check for publisher's certificate revocation.

9. Event Logs

The event viewer is the log file system for the Microsoft operating system. The files are
divided into three sections.

Application: Applications can log messages to this log file to indicate events. Due
to the high speed nature of process systems, this log file is not used often by
Wonderware applications, but Microsoft SQL will log information here.

Security: By default not much is logged here. This can be changed from the
Policy viewer and if there is an apparent security problem it might be worth the
trouble to temporarily enable additional logging here, as it will indicate the user
name and the object to which access is denied.

System: This is probably the most important log as it will show errors happening
on the operating system level.

The issue raised by an event in the log file might be minor, but scores of minor problems
can result in erratic behaviour and complicate diagnostic procedures.

Several behavioural changes are recommended:

After every major change, please check every affected log for any reported errors.

Check all the logs on a frequent basis (once a week) for any unexpected issues;
most serious problems can be avoided by catching issues early.

Ensure that the implication and meaning of every listed error or warning is
understood and fixed if necessary. The main goal here is to remove all the red
and yellow!

Event viewer errors can mostly be looked up on the internet and in some cases
the error can be ignored (for instance the spnRegister error sometimes found on
SQL servers).

10. Licenses

Avoid using SI consignment licenses on running plants.

This situation is acceptable during development, but once the machines are in production
one should be extremely diligent to change the licenses to avoid issues.

There are three problems with running incorrect licenses:

10.1. It is illegal

Obtain the correct licenses for the correct products and determine the correct servers to
run them on.

10.2. Expiration

Consignment and demo licenses are typically only valid for a certain period of time
(usually one year for consignment and 30 days for demo). After this period, the license
expires. At this point the software will no longer operate.

The situation should be rectified immediately or the system will stop when the license
expires. After license expiry the following symptoms can be expected:

Slow or no communications
Unable to deploy changes to ArchestrA platforms
Unable to open InTouch WindowMaker or WindowViewer.

10.3. Functional differences

Certain licenses have additional functionality licensed (for instance: a full InTouch can
have access names other than Galaxy:). Other licenses may not include this
functionality (for instance: InTouch View licenses can only have the Galaxy: access
name). It is easy to utilise functionality during design that should not be available under
the correct license, and this might cause major problems.

11. Security Settings for Wonderware Products

11.1. Introduction

Wonderware has released an OS Configuration Utility to support our products on
Windows XP SP2 and Windows Server 2003 SP1 or higher. If you have not tried using the
utility, please go to http://www.wonderware.com/support/web and download the OS
Configurator Utility. If you have already run the utility and are still having problems running
Wonderware software, you may need to configure some security settings manually.

There are several reasons that the OS Configurator Utility does not allow Wonderware
software to function properly on a Windows XP SP2 or Windows Server 2003 SP1 (or
higher) node. The most likely reason is that the system is part of a Windows 2000 or
Windows 2003 Active Directory Domain. If the Active Directory Domain is locking down
security at the domain level, the utility will not be successful in changing the security
settings. In this case, the security settings must be changed manually by the network
administrator. Alternatively, the network administrator can set it up so that the user is
allowed to change security settings on Windows nodes. This allows the utility to set
security settings without being overwritten by the domain policies.

If problems are experienced running Wonderware software on Windows XP SP2 or
Windows Server 2003 SP1, the first thing that Wonderware recommends doing is shutting
off the built-in Windows firewall. This software firewall is only useful if you do not have a
hardware or corporate firewall protecting your systems from the outside world. If the
firewall is not your problem, and you have run the OS Configurator Utility, you will need to
set the following settings manually.

11.1.1. Assumptions

This document divides up the settings necessary by Wonderware Software Component.
You will have to know the full path to the files listed below. You will need administrative
rights to the system to make these changes.

11.1.2. Application Versions

This document applies to all Wonderware products that are supported on Windows XP
SP2 and Windows Server 2003 SP1 or higher.

11.2. DCOM Global Settings

These settings are used by multiple Wonderware components including IAS and DA
Servers:

Security settings (in Component Services)

Component Services COM Security
Launch and Activation Permissions
Everyone and Remote Activation
Access Permission
Add Local Access and Remote Access permissions for the ANONYMOUS
user.

11.3. Archestra LogViewer

Used by all FactorySuite A components including InTouch, IAS, InSQL, DA Servers.

Make the following entry into the registry:

HKLM\Software\Policies\Microsoft\Windows NT\RPC\RestrictRemoteClients = 0

11.4. SuiteLink

Used by all Wonderware products.

Add the following to the firewall settings exception list:

slssvc.exe

11.5. InTouch

Requires SuiteLink common component modification.

Add following programs in exception list:

wm.exe

11.6. InSQL

Requires SuiteLink common component modification.

The following processes need to be added to the firewall exclusion list:

InSQLData.exe
InSQLConfig.exe
InSQLSCM.exe
InSQLRet.exe
SQLServer.exe

Add the following ports to the Firewall exception list:

File and printer sharing 445/TCP AND UDP
SQL Server Browser 1434/UDP
SQL TCP 1433/TCP
Remote IDAS 145 to 139 TCP AND UDP

11.7. Industrial Application Server

Requires SuiteLink common component modification.

Add the following applications to the firewall exception list:

aaIDE.exe
aaLogger.exe
Slssvc.exe
aaPim.exe
BootStrap.exe
aaDcomTransport.exe
SQLServr.exe
NmxSvc.exe

Add the following ports to the Firewall exception list:

DCOM 135/tcp
File and printer sharing 445/tcp
SQL TCP 1433/tcp
SQL Server Browser 1434/udp

11.8. DA Servers

Requires SuiteLink common component modification.

Add the following ports to the Firewall exception list:

DAS SI Direct 102
DAS MBTCP 502
DAS ABTCP 2221
DAS ABTCP 2222
DAS ABTCP 2223
S/L DA Servers 5413
DAS ABCIP 44818

The following files need to be excluded in the firewall. They are common to all DA Servers:

aaEngine.exe
NmxSvc.exe
OPCEnum.exe
*Dllhost.exe*
DASAgent.exe
The following files need to be excluded in the firewall. They are specific to each DA
Server:

DASABCIP.exe
DASMBTCP.exe
DASABTCP.exe
DASSIDirect.exe
FSGateway.exe
DASS7.exe
S7ConSvr.exe
DASMBSerial.exe
DASMBPlus.exe
DASAlarm2U.exe
If you are using Industrial Application Server and are planning on deploying DI Objects
you will need to manually exclude the following files in the firewall. You will need to create
dummy files with these names as they are not on the system until a deploy occurs.
Windows XP SP2 firewall will not exclude files unless they already exist on the system.
These files are deployed to the \Program Files\Archestra\Framework\Bin directory.

DASABCIP.exe
DASMBTCP.exe
DASABTCP.exe
DASSIDirect.exe
DASS7.exe
DASMBSerial.exe
DASMBPlus.exe

DASAlarm2U.exe
aaEngine.exe
NmxSvc.exe
DASAgent.exe
The following file is deployed to the \Windows\System32 sub-directory:

OPCEnum.exe

11.9. IO Servers

Requires SuiteLink common component modification.

11.10. InBatch

1. Add the following ports (9001 - 9016) to the firewall exception list for communication:

Vista 9001/tcp
EnvMngr 9002/tcp
MsgMngr 9003/tcp
SecMngr 9004/tcp
RedMngr 9006/tcp
UnilinkMngr 9007/tcp
BatchMngr 9008/tcp
LogMngr 9011/tcp
InfoMngr 9012/tcp
RedMngrX 9013/udp
RedMngrX2 9014/udp
HistQMngr 9015/tcp
HistQReader 9016/tcp

2. Enable File and Printer Sharing:

File and printer sharing 445/tcp

3. Add the InBatch Server to the Local Intranet Zone in Internet Explorer as a trusted
site. If the InBatch Server site is not a secured site, you may need to change the Local
Intranet Zone to allow unsecured sites.

11.11. InControl

Requires SuiteLink common component modification.

Add the following programs to the exception list:

ICDev.exe
RTEngine.exe
ICOPCServer.exe

Modifications must be made to the firewall registry settings if you frequently switch
between Domain and Workgroup logons. If you do, set both the Domain and Standard
profiles so that all Wonderware products are configured in both profiles. These profiles
are located in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

There is one key per firewall policy. The profile in effect when the machine is connected to
the domain is under the key DomainProfile. The profile in effect when the machine is not
connected to the domain is under the key StandardProfile.

The list of application exceptions for each profile is stored as a set of string values under
the profile subkey AuthorizedApplications\List. The list of port exceptions for each profile
is stored as a set of string values under the profile subkey GloballyOpenPorts\List.

So, to see in the registry what application exceptions are in force for the domain firewall
profile, look at the values under the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List

To see in the registry what port exceptions are in force for the domain firewall profile, look
at the values under the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List

To see the exceptions in force for the workgroup policy, please look in the following
locations:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
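
To check that both profiles carry the same exceptions, as required above, the following added example (not part of the original checklist) compares the enabled port exceptions of DomainProfile and StandardProfile against the InBatch port list from section 11.10. The registry values are a constructed sample, and the `port:protocol:scope:status:name` data layout is an assumption about how Windows XP SP2 stores GloballyOpenPorts\List values.

```python
"""Audit XP SP2 firewall port exceptions in both profiles (added example)."""

# Ports from section 11.10 of the checklist (InBatch plus file sharing).
REQUIRED_PORTS = {
    "9001:TCP", "9002:TCP", "9003:TCP", "9004:TCP", "9006:TCP", "9007:TCP",
    "9008:TCP", "9011:TCP", "9012:TCP", "9013:UDP", "9014:UDP", "9015:TCP",
    "9016:TCP", "445:TCP",
}


def enabled_ports(values):
    """Return 'port:PROTO' for every entry whose data marks it Enabled.

    `values` maps value name -> value data from GloballyOpenPorts\\List.
    Assumed data layout: port:protocol:scope:Enabled|Disabled:name
    """
    found = set()
    for data in values.values():
        parts = data.split(":", 4)
        if len(parts) < 4:
            continue  # malformed entry: cannot be counted as an open port
        port, proto, _scope, status = parts[:4]
        if status.lower() == "enabled":
            found.add(f"{port}:{proto.upper()}")
    return found


def audit_profiles(profiles, required=REQUIRED_PORTS):
    """Map each profile name to the sorted required ports it does not open."""
    return {name: sorted(required - enabled_ports(vals))
            for name, vals in profiles.items()}


def _entry(port, proto, status="Enabled"):
    """Build one constructed (value name, value data) pair."""
    key = f"{port}:{proto}"
    return key, f"{key}:*:{status}:InBatch {port}"


# Constructed sample: the domain profile is complete; the standard profile
# lacks the UDP ports and has 9008/tcp present but disabled.
_standard = dict(_entry(*p.split(":")) for p in REQUIRED_PORTS if "UDP" not in p)
_standard.update([_entry("9008", "TCP", "Disabled")])
SAMPLE = {
    "DomainProfile": dict(_entry(*p.split(":")) for p in REQUIRED_PORTS),
    "StandardProfile": _standard,
}

if __name__ == "__main__":
    for profile, missing in audit_profiles(SAMPLE).items():
        print(profile, "missing:", ", ".join(missing) or "none")
```

A profile that reports missing ports here is one in which the product would stop communicating as soon as the machine switches between Domain and Workgroup logons.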

12. Network Service Account

All inter-platform communication in an ArchestrA galaxy uses the network account.
These accounts should never be modified or removed, as doing so will break the system.
Problems with these accounts can also slow down system response.

If the account already exists:

Ensure that it is set to never expire.
Ensure that the user is prevented from changing the password.
Ensure that the user is a member of the local PC's administrator group.

Run the Change network account utility (Start | Run | aaAdminUser). If the account is
local and does not exist, select Create Local Account. Supply the credentials and click
OK; this forces a reboot (no choice is given). In a domain environment, it is desirable to use
a domain account.

Local network accounts work just as well as Domain accounts. The problem with local
accounts is that they are difficult to manage. If someone changes the password of one of
these local accounts, all the machines in the system will behave strangely, and finding the
culprit machine is sometimes difficult; one usually has to change all the machines' network
accounts separately to make sure the problem is resolved.

A domain account provides better security and a single password to manage. Remember
to make the domain account a member of the local Administrators groups.

13. Virus Protection

Virus protection is highly recommended. If there is a physical link between the
supervisory LAN and the business LAN, virus protection is critical. It is
guaranteed that at some point virus activity will disrupt the system (and therefore
production). A strong commercial anti-virus package such as McAfee or Symantec
Anti-virus is recommended. The software should be updated on a regular basis, which is
something that can be automated (once a day is recommended).

The Anti-virus software should be set up to exclude the following directories (folders). The
default folders are shown.

C:\Program Files\ArchestrA\Framework\Bin\CheckPointer
C:\Program Files\ArchestrA\Framework\Bin\GalaxyData
C:\Program Files\ArchestrA\Framework\Bin\GlobalDataCache
C:\Program Files\ArchestrA\Framework\Bin\Cache
C:\Documents and Settings\All Users\Application Data\ArchestrA
C:\InSQL

14. Scan Groups

Most DI objects have a default scan group (previously known as a topic) which will scan
the device every 500ms (default). It is recommended that the default not be used. One
should rather create Scan groups with different scan rates as required. For instance: Tags
with slow rates of change (set points etc.) can be read every 2000 ms, while volatile
signals can be read at 250ms (e.g. flow rates etc.).

The use of named scan groups (the default scan group is not named) also allows better
portability, for instance if another IO server is to be used.

Scan groups can handle a maximum of 32 000 tags. It is therefore recommended that no
more than 30 000 tags be used on each scan group.

15. Redundancy set-up without DI objects

The DI Object used above is a wrapped OPC Client and DAS server. The alternative
configuration is to manually install the DAS server or Top Server and then utilise an
OPCClient object to communicate with it. The RedundantDIObject is replaced with the
OPCClient object. This object is configured with the node name blank. This will cause
the object to look for the DAS server or Top Server on the local machine. If a failover
occurs, it will fail over to the backup server, still look at the local machine for a DAS
server or Top Server, and just continue operating.

[Figure: redundancy layout without DI objects. Server 1 (Platform 1) hosts Engine 1 and
Engine 2 (Backup); Server 2 (Platform 2) hosts Engine 1 (Backup) and Engine 2. Each server
carries Objects 1 to 4, OPCClient object 1 and OPCClient object 2, and its own
DAS Server/Top Server.]
