Firewalls and proxy servers
Note: You should consult the system owner’s IT department on these issues during the planning phase of the installation to avoid unnecessary delays and rework resulting from a lack of adequate communication.
Both JACE and AXSupervisor hosts can be exposed to the Internet through a firewall using NAT (network address translation). The firewall should filter traffic at the port level to any exposed NiagaraAX device.
NiagaraAX hosts function well in many firewall environments, with the following conditions:
- In order to use the BUI in some profiles, Java applets must be permitted to download through the firewall. Any NiagaraAX host serving up non-Hx pages in the browser must be able to send the applets associated with these servlet pages to a BUI client.
- BUI-to-station communication uses the HTTP protocol.
- On any firewall, application ports may need to be opened to allow communication between any two NiagaraAX hosts on opposite sides of the firewall.
- The following connections are created using the Fox protocol. Proxy servers and firewalls need to allow Fox traffic to pass between NiagaraAX hosts to enable these features:
  - Niagara proxy points (station to station data exchange)
  - alarm console to monitor alarms on a remote station
  - station monitoring function to monitor a remote host
  - pushed (exported) or pulled (imported) archiving
  - using Workbench to engineer a remote station
Note: If you are implementing a firewall in lieu of using one already in place, a good security practice is to grant the most limited permissions you can on the firewall, while still following the guidelines for communication listed above.
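One way to check a planned rule set against the guidance above, as an added example that is not Tridium's code: it flags allow rules that reach a NiagaraAX host on more ports or from more sources than the HTTP and Fox connections need. The rule format, the `audit` function, the addresses and the port numbers (80 for HTTP, 1911 for Fox) are assumptions, since the page names no ports.

```python
import ipaddress

# Assumed ports (the page names none): 80 for HTTP, 1911 for Fox.
# Substitute the ports actually configured on the station.
REQUIRED = {"http": 80, "fox": 1911}

def audit(rules, niagara_host, trusted_nets):
    """Return (rule_index, message) findings for allow rules reaching the host.

    Simplification: rules are checked independently; rule ordering and
    first-match semantics are not modelled.
    """
    host = ipaddress.ip_address(niagara_host)
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings, permitted = [], set()
    for i, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        if host not in ipaddress.ip_network(rule["dst"]):
            continue
        if rule["port"] is None:  # None means every port
            permitted.update(REQUIRED.values())
            findings.append((i, "all ports open; filter at the port level"))
        elif rule["port"] in REQUIRED.values():
            permitted.add(rule["port"])
        else:
            findings.append((i, f"port {rule['port']} is not HTTP or Fox"))
        src = ipaddress.ip_network(rule["src"])
        if not any(src.subnet_of(net) for net in trusted):
            findings.append((i, f"source {src} is wider than the known peers"))
    for name, port in REQUIRED.items():
        if port not in permitted:
            findings.append((None, f"{name} (port {port}) is blocked"))
    return findings

# Constructed sample data (documentation address ranges, not real hosts).
STATION = "192.0.2.10"
PEERS = ["198.51.100.0/24", "203.0.113.5/32"]  # BUI clients, remote station
BROAD = [{"src": "0.0.0.0/0", "dst": "192.0.2.10/32", "port": None, "action": "allow"}]
TIGHT = [
    {"src": "198.51.100.0/24", "dst": "192.0.2.10/32", "port": 80, "action": "allow"},
    {"src": "203.0.113.5/32", "dst": "192.0.2.10/32", "port": 1911, "action": "allow"},
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None, "action": "deny"},
]

if __name__ == "__main__":
    for label, rules in (("broad", BROAD), ("tight", TIGHT)):
        print(label, audit(rules, STATION, PEERS))
```

An empty result means every allow rule that reaches the station is limited to a known peer and a required port, and that both required ports are reachable.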
Copyright © 2000-2014 Tridium Inc. All rights reserved.