Index | Prev | Next

Review the Windows XP Firewall

As shipped from the factory, a JACE-NXS has its Windows Firewall configured to block incoming network connections, save for a few program and service “exceptions.” Typically, each exception corresponds to one or more TCP/IP ports.

The following sections provide more details:

Review current Windows Firewall settings

Depending on the drivers and features that are intended to be used on the station running on the JACE-NXS, you may need to make adjustments or additions to Windows Firewall exceptions. For example, if you changed the platform daemon port in the Platform Adminstration view (see HTTP Port), you will need to make the same change to the firewall exception named “admin.” Or, if you intend to use the drivers for either Modbus TCP or SNMP, you will need to make additions in order for those drivers to work.

NoteThe JACE-NXS has a batch file that you can edit and run to simplify making certain firewall changes. See optionalLockdown.bat.

Access the Windows Firewall in the JACE-NXS using the following procedure:

To access the Windows Firewall in a JACE-NXS

  1. Logon as administrator to Windows XP running on the JACE-NXS, using either a Remote Desktop Connection or via a local console.

  2. Click Start->Control Panel to open the Windows Control Panel.

  3. Double-click the Windows Firewall applet to launch the Windows Firewall application.

    It opens displaying the General tab, showing the firewall On (recommended).

  4. Click the Exceptions tab, as shown in Figure 35. This is where you view or edit most settings.

    See Table 1 for a listing of default Windows Firewall exceptions for a new JACE-NXS.

  5. To see the configuration for any exception, click to highlight it, then click the Edit button.

  6. If you make changes to any exception, click OK to save and exit the dialog.

Figure 35. Windows Firewall in a JACE-NXS


Windows Firewall in a JACE-NXS

For related details, see the next two sections, JACE-NXS Windows Firewall (port) defaults and optionalLockdown.bat.

JACE-NXS Windows Firewall (port) defaults

As shipped, Table 1 summarizes the factory-shipped Windows Firewall exceptions for a new JACE-NXS.

Table 1. Windows Firewall exceptions in a factory-shipped JACE-NXS

Exception Name TCP port UDP port Protocol/Program Description (Scope is “all computers” unless noted)
admin 3011 TCP, HTTP Niagara platform connection
Bacnet 47808 UDP BACnet/IP (conventional)
File and Printer Sharing 139, 445 137, 138 NetBIOS, SMB Windows file and printer sharing

NoteScope for each port is local subnet only.
fox 1911 Fox over TCP Niagara Fox Service (Workbench, station-to-station)
HTTP 80 HTTP HTTP, Hx access to a station
Remote Assistance system32\ sessmgr.exe Microsoft Remote Desktop Help Session Manager
Remote Desktop 3389 Terminal Server Remote access using Remote Desktop Connection client
UPnP Framework (disabled) 2869 1900 SSDP Universal plug-and-play framework, i.e. addition of PNP devices connected through Ethernet port

In addition, ICMP protocol “ping” requests are enabled, from all computers (on the Windows Firewall’s Advanced tab, this is under ICMP Settings, “allow incoming echo request”).

NoteBy default, both FTP and Telnet are disabled on a JACE-NXS, as each of these typically poses a significant security risk. However, if needed, you can enable these using optionalLockdown.bat.

Using optionalLockdown.bat

The JACE-NXS’s system drive (C:) has a directory named “lockdown.” It contains two files as shipped from the factory:

  • lockdown.bat

    A batch file executed at the factory (system installation time) that implemented default firewall settings.

  • optionalLockdown.bat

    A batch file which you can first edit and then execute to implement additional firewall exceptions, if needed. See the next section, To use the optionalLockdown.bat file on a JACE-NXS.

NoteUpdates to JACE-NXS lockdown batch files may occur. Check the Niagara Central portal for details.

To use the optionalLockdown.bat file on a JACE-NXS

  1. Logon as administrator to Windows XP running on the JACE-NXS, using either a Remote Desktop Connection, or a local console.

  2. Open a command prompt window.

    To do this, click Start->Run... , type “cmd”, then click OK.

  3. In the command window, navigate to the C:\lockdown directory.

    To do this, type “cd C:\lockdown”, then press Enter. The prompt should now be: C:\lockdown>

  4. Edit the file by typing “notepad optionalLockdown.bat” and pressing Enter.

    The optionalLockdown.bat file opens in Notepad for editing. This batch file has several pre-edited command lines which have been commented out with the “rem” (remark) syntax.

  5. In the Notepad window, cursor down to the line in the file which contains the appropriate firewall command line, and remove the leading “rem” from that line.

    NoteReview all the firewall command lines to be sure only the ones which apply to this specific installation are uncommented. All lines without the leading “rem” are valid command lines, and will result in a new exception being added to the Windows Firewall.

  6. Save the file, and exit Notepad.

  7. Run the optionalLockdown.bat batch file.

    To do this, in the command window, type optionalLockdown and press Enter.

    Commands in the batch file appear in the command window as they run, and any changes become immediately effective.

  8. Close the command window and review the Windows Firewall settings. See To access the Windows Firewall in a JACE-NXS.

Index | Prev | Next

Copyright © 2000-2014 Tridium Inc. All rights reserved.