Review the Windows XP Firewall

As shipped from the factory, a JACE-NXT has its Windows Firewall configured to block incoming network connections, save for a few program and service “exceptions.” Typically, each exception corresponds to one or more TCP/IP ports.

The following sections provide more details:

Review current Windows Firewall settings

Depending on the drivers and features used by the station running on the JACE-NXT, you may need to adjust or add Windows Firewall exceptions. For example, if you changed the platform daemon port in the Platform Administration view (see HTTP Port), you must make the same change to the firewall exception named “admin,” otherwise platform connections will be blocked on the new port. Likewise, if you intend to use the Modbus TCP or SNMP drivers, you must add exceptions for the ports those drivers listen on, or the drivers will not work.

Note: The JACE-NXT has a batch file that you can edit and run to simplify making certain firewall changes. See optionalLockdown.bat.

Access the Windows Firewall in the JACE-NXT using the following procedure:

To access the Windows Firewall in a JACE-NXT

  1. Log on as administrator to Windows XP running on the JACE-NXT, either through a Remote Desktop Connection or at the local console.

  2. Click Start->Control Panel to open the Windows Control Panel.

  3. Double-click the Windows Firewall applet to launch the Windows Firewall application.

    It opens on the General tab, which shows the firewall as On (recommended). Leave it on; the exceptions, not the On/Off setting, are what you tune.

  4. Click the Exceptions tab, as shown in Figure 34. This is where you view or edit most settings.

    See Table 1 for a listing of default Windows Firewall exceptions for a new JACE-NXT.

  5. To see the configuration for any exception, click to highlight it, then click the Edit button.

  6. If you make changes to any exception, click OK to save and exit the dialog.

Figure 34. Windows Firewall exceptions (defaults) in a JACE-NXT

For related details, see the next two sections, Windows Firewall (port) defaults and optionalLockdown.bat.

Windows Firewall (port) defaults

Table 1 summarizes the factory-shipped Windows Firewall exceptions for a new JACE-NXT.

Table 1. Windows Firewall exceptions in a factory-shipped JACE-NXT (scope is “any source” unless noted)

Exception name              TCP port   UDP port   Protocol / program                  Description
admintool                   3011       --         TCP, HTTP                           Niagara platform connection (platform daemon)
Bacnet                      --         47808      UDP                                 BACnet/IP (conventional port)
File and Printer Sharing    139, 445   137, 138   NetBIOS, SMB                        Windows file and printer sharing; scope for each port is local subnet only
fox                         1911       --         Fox over TCP                        Niagara Fox Service (Workbench, station-to-station)
HTTP                        80         --         HTTP                                HTTP, Hx access to a station
Network Diagnostic          --         --         Network Diagnostic\xpnetdiag.exe    Network Diagnostics for Windows XP (program exception)
Niagara Tunnel              9973       --         Niagara Tunnel Service              Default port for TunnelService (LonTunnel and/or SerialTunnel)
Remote Assistance           --         --         system32\sessmgr.exe                Microsoft Remote Desktop Help Session Manager (program exception)
Remote Desktop              3389       --         Terminal Server                     Remote access using the Remote Desktop Connection client
UPnP Framework (disabled)   2869       1900       SSDP                                Universal Plug and Play framework, i.e. discovery of PnP devices attached through the Ethernet port; the exception is present but unchecked

The two program exceptions (Network Diagnostic and Remote Assistance) open whatever ports the named executable listens on while it runs, rather than a fixed port number.

In addition, ICMP protocol “ping” requests are enabled, from all computers (on the Windows Firewall’s Advanced tab, this is under ICMP Settings, “allow incoming echo request”).

Note: By default, both FTP and Telnet are disabled on a JACE-NXT, as each typically poses a significant security risk (both carry credentials and session data in clear text). If one of them is genuinely needed, you can enable it using optionalLockdown.bat, or by adding and editing firewall exceptions directly in the Windows Firewall dialog of the Windows Control Panel, as shown in Figure 34. In either case, restrict the scope of the new exception to the local subnet or to the specific management hosts that need it rather than leaving it at “any source.”

Using optionalLockdown.bat

The JACE-NXT’s system drive (C:) has a directory named “lockdown.” It contains two files as shipped from the factory:

  • lockdown.bat

    A batch file that can be run (after removing all firewall exceptions) to return the system to default firewall settings, matching all “as shipped” firewall exceptions. Usage is expected to be infrequent.

  • optionalLockdown.bat

    A batch file which you can first edit and then execute to implement additional firewall exceptions, if needed. See the next section, To use the optionalLockdown.bat file on a JACE-NXT.

Note: Updates to the JACE-NXT lockdown batch files may occur. Check the Niagara Central portal for details.

To use the optionalLockdown.bat file on a JACE-NXT

  1. Log on as administrator to Windows XP running on the JACE-NXT, either through a Remote Desktop Connection or at the local console.

  2. Open a command prompt window.

    To do this, click Start->Run... , type “cmd”, then click OK.

  3. In the command window, navigate to the C:\lockdown directory.

    To do this, type “cd C:\lockdown”, then press Enter. The prompt should now be: C:\lockdown>

  4. Edit the file by typing “notepad optionalLockdown.bat” and pressing Enter.

    The optionalLockdown.bat file opens in Notepad for editing. This batch file has several pre-edited command lines which have been commented out with the “rem” (remark) syntax.

  5. In the Notepad window, cursor down to the line in the file which contains the appropriate firewall command line, and remove the leading “rem” from that line.

    Note: Review all the firewall command lines to be sure that only the ones which apply to this specific installation are uncommented. Every line without a leading “rem” is a live command and will add a new exception to the Windows Firewall when the file runs.

  6. Save the file, and exit Notepad.

  7. Run the optionalLockdown.bat batch file.

    To do this, in the command window, type optionalLockdown and press Enter.

    Commands in the batch file appear in the command window as they run, and any changes become immediately effective.

  8. Close the command window and review the Windows Firewall settings. See To access the Windows Firewall in a JACE-NXT.

Note: On a CompactFlash-based unit with EWF enabled for drive C (typical), firewall changes live only in the EWF overlay (RAM) until you commit them to flash; an uncommitted change is lost at the next reboot. Committing requires EWF commands followed by an orderly reboot. For related details, see Notes on EWF (Enhanced Write Filter) in Windows XPE.
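The batch file below is an added example, not the contents of the factory optionalLockdown.bat (which this page does not reproduce). It applies from the command line the kinds of changes described under Review current Windows Firewall settings and in the procedure above, using the “netsh firewall” context that Windows XP SP2 provides, and it ends with the same checks you would otherwise make by hand in the Exceptions and Advanced tabs. The moved platform daemon port (3012), the Modbus TCP and SNMP port numbers (protocol defaults 502 and 161/162, which must match what the drivers are configured to use) and the management host address 192.168.1.10 are assumptions for illustration; the EWF commit line assumes the XP Embedded ewfmgr tool described in the EWF notes.

```batch
@echo off
rem Added example for a JACE-NXT (not the factory optionalLockdown.bat).
rem Maintains Windows Firewall exceptions with the XP SP2 "netsh firewall"
rem context. Run from an administrator cmd prompt (RDP or local console).
rem Assumed values, not taken from the page: platform daemon moved from
rem 3011 to 3012; Modbus TCP on 502; SNMP on UDP 161/162; trusted
rem management host 192.168.1.10. Edit these to match this installation.
setlocal

rem 1. Keep the platform-connection exception in step with the platform
rem    daemon port. Open the new port first, then close the old one, so a
rem    Workbench platform session is never left without a usable port.
netsh firewall add portopening protocol=TCP port=3012 name="admintool" mode=ENABLE scope=CUSTOM addresses=192.168.1.10,LocalSubnet
netsh firewall delete portopening protocol=TCP port=3011

rem 2. Modbus TCP driver: protocol default is TCP 502. Scope it to the
rem    local subnet; Modbus has no authentication of its own.
netsh firewall add portopening protocol=TCP port=502 name="Modbus TCP" mode=ENABLE scope=SUBNET

rem 3. SNMP driver: agent queries arrive on UDP 161, traps on UDP 162.
netsh firewall add portopening protocol=UDP port=161 name="SNMP agent" mode=ENABLE scope=SUBNET
netsh firewall add portopening protocol=UDP port=162 name="SNMP trap" mode=ENABLE scope=SUBNET

rem 4. Tighten two factory defaults that Table 1 shows as open or present:
rem    drop the "any source" ping exception (ICMP type 8 = echo request)
rem    and make sure the UPnP Framework service exception stays disabled.
netsh firewall set icmpsetting type=8 mode=DISABLE
netsh firewall set service type=UPNP mode=DISABLE

rem 5. FTP and Telnet stay closed. Following the file's own convention, the
rem    lines are left commented; if one is truly required, uncomment it
rem    but keep the scope limited to the management host, never ALL.
rem netsh firewall add portopening protocol=TCP port=21 name="FTP" mode=ENABLE scope=CUSTOM addresses=192.168.1.10
rem netsh firewall add portopening protocol=TCP port=23 name="Telnet" mode=ENABLE scope=CUSTOM addresses=192.168.1.10

rem 6. Verify: firewall state, every port exception with its scope, and the
rem    ICMP settings. Compare the list against Table 1 before logging off.
netsh firewall show state
netsh firewall show portopening
netsh firewall show icmpsetting

rem 7. On an EWF-protected CompactFlash unit the changes are in RAM only.
rem    Persist them and reboot cleanly (assumes the XPe ewfmgr tool).
rem ewfmgr C: -commit
rem shutdown -r -t 0

endlocal
```

Save the file in C:\lockdown and run it from the command window exactly as optionalLockdown.bat is run in the procedure above. The ordering in step 1 matters on a unit you administer through a platform connection rather than Remote Desktop: deleting the old exception before the new one is in place would cut off the session that is making the change.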