Apart from the TCP and UDP port numbers listed below, some of the products may support non-IP protocols for device detection in a local network and for setting the IP address and other IP parameters. It is assumed that the products are separated from the Internet (or any other non-secure network) by an IP router which routes TCP and UDP protocols only.
Industrial computer with OS Windows XP Embedded or Windows 7 Embedded. Part of the system is the Windows Firewall. By default, the following ports are used:
TCP
12345 SoftPLC Runtime – access to the process data using SoftPLC Link
80 Web panel
Usually, a program for remote control is installed, such as UltraVNC or Windows Remote Desktop. It is recommended to operate the process station in a separate, secure network and to protect the remote access (if used) by a VPN. Mapping of TCP ports to a public IP address for web access is not recommended.
Process stations based on Beck IPC@CHIP. The PLCs do not have a firewall. By default, the following ports are used:
TCP
12345 SoftPLC Runtime – access to the process data using SoftPLC Link
80 Web server
20, 21 FTP server (for configuration and program upload)
UDP
8001 detection of MiniPLC in Platform Config
For service purposes, the PLC listens on:
TCP
23 Telnet
It is recommended to operate the process station in a separate, secure network and to protect the remote access (if used) by a VPN. Mapping of TCP port 80 to a public IP address for web access is not recommended: the web server may be attacked by bots, and it has been observed that frequent connection attempts blocked the Ethernet interface. Although the port number for web access (80 by default) can be changed in the CHIP.INI file, this is not a protection against this type of attack.
Process stations with OS Linux. The firewall is configured automatically by a script: if, for example, the SoftPLC Link port number (12345 by default) is changed, the firewall is reconfigured so that the new port number is opened. By default, the following ports are enabled in the firewall configuration:
TCP
12345 SoftPLC Runtime – access to the process data using SoftPLC Link
22 SCP server (for program upload and file transfer)
UDP
8002 system services
Mapping of TCP port 12345 to a public IP address is common practice; however, a more secure solution is an external router supporting a VPN.
Program or service running on Windows XP, 7, 8, 10. By default, the following ports are used:
TCP
12345 SoftPLC Runtime – access to the process data using SoftPLC Link
Program or service running on Windows XP, 7, 8, 10. By default, the following ports are used:
TCP
8080 Web server – port number can be changed in the web server configuration
HTTPS can be used instead of HTTP.
Web interface for integrated room controllers. By default, the following ports are used:
TCP
80 Web server – port number can be changed in the web server configuration
20, 21 FTP server (for configuration and HTML files upload)
771 RealPort – only if enabled in the web interface. Direct access to the controller serial bus for service purposes.
Although the web access is protected by a password, it is recommended to protect access from the Internet using a VPN. Changing the web server port number is not a security measure.
Room units and controllers with Ethernet interface and Modbus TCP communication.
TCP
80 Web server for setup and diagnostics
502 Modbus TCP server
The web access is not protected by a password; however, it can be disabled by a DIP switch. Modbus TCP is a protocol which is unsecured by its nature. The room units and controllers are suitable for deployment in internal (technological), secured networks only! It is not acceptable to map the TCP port 502 to a public IP address!
Process visualisation software (SCADA).
TCP
8990 Data access for other RcWare Vision stations or for a web server.
80 Web server for RcWare Vision (only if web access using Internet Information Server (IIS) is configured)
The web access is protected by user name and password; however, attention must be paid to the security settings of the IIS server. The port number (80 by default) can be changed in the IIS settings; see the IIS help for details. It is advised to run IIS on a separate server in a DMZ rather than on the SCADA computer where RcWare Vision is installed.
Database for large trend data storage for monitoring systems, e.g. RcWare Vision. The port numbers listed below may be changed in the configuration file, see Merbon DB installation manual.
TCP
9876 Port for data access (API)
11112 Web interface for administration
The TCP port 9876 for client PLC and SCADA access is usually mapped to a public IP address in distributed systems. To increase security, it is recommended to use a stateful firewall and to restrict access to whitelisted IP addresses only. The web interface for database management is protected by username and password; it is advised to allow access from the internal network only.
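The stateful, whitelist-based router policy recommended above for Merbon DB (TCP 9876) and for the commonly mapped SoftPLC Link port (TCP 12345), written as an added nftables ruleset; this is an example for the separating IP router, not a configuration shipped with any of the products. Interface names, the PLC address and the whitelisted client addresses are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: ruleset for the router between the technological LAN and the Internet.
# Interface names, the PLC/DB host address and the client whitelist are assumed values.
flush ruleset

define wan_if = "eth0"
define lan_if = "eth1"
define plc = 192.168.10.10                              # assumed PLC / Merbon DB host
define scada_clients = { 203.0.113.5, 198.51.100.0/24 }  # assumed whitelisted SCADA/PLC clients

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # stateful: replies to already accepted sessions pass, broken state is dropped
        ct state established,related accept
        ct state invalid drop

        # SoftPLC Link (12345) and Merbon DB API (9876): new sessions only from the whitelist
        iifname $wan_if oifname $lan_if ip saddr $scada_clients ip daddr $plc tcp dport { 12345, 9876 } ct state new accept

        # never forward Modbus TCP, Telnet, FTP, RealPort, web setup or the DB admin port from outside
        iifname $wan_if tcp dport { 20, 21, 23, 80, 502, 771, 11112 } log prefix "blocked-ot-port " drop

        # devices on the LAN may open outgoing sessions (e.g. HMI panels to remote runtimes)
        iifname $lan_if oifname $wan_if ct state new accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # only the two permitted ports are mapped to the PLC; the filter chain still decides
        iifname $wan_if tcp dport { 12345, 9876 } dnat to $plc
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $wan_if masquerade
    }
}
```

Any attempt from the Internet to reach the unmapped ports shows up in the kernel log with the "blocked-ot-port" prefix, which gives a simple indicator of scanning against the exposed address.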
I/O module with Modbus TCP communication and Modbus TCP/RTU router functionality.
TCP
80 Web server for setup and diagnostics
502 Modbus TCP server
The web access is not password-protected. Modbus TCP is a protocol which is unsecured by its nature. The device is suitable for deployment in internal (technological), secured networks only! It is not acceptable to map the TCP port 502 to a public IP address!
Ethernet to serial converters, terminal servers; interfaces M0…5 also have Modbus TCP/RTU router functionality. The devices are based on the Digi ME Ethernet controller. All ports listed below except for TCP 443 may be enabled or disabled in the web setup, and are enabled by default!
TCP
23 Telnet server for configuration
80 Web server for configuration (protected by username and password)
443 Secured web server (HTTPS) for configuration (cannot be disabled)
502 Modbus TCP (only if the Industrial Automation profile is set)
513 rlogin (Remote Login)
514 rsh (Remote Shell)
515 LPD (Line Printer Daemon)
771 RealPort – virtual COM port for serial data tunnelling over the network
1027 encrypted RealPort
UDP
161 SNMP
2362 Device detection for IP address and other parameters setting (ADDP)
These devices are suitable for demanding industrial applications. However, when configuring NAT or routing, it is advised to map only the ports which are necessary for the system functionality.
A simple Modbus TCP/RTU router.
TCP
80 Web server for configuration
502 Modbus TCP
20, 21 FTP server (for configuration and upload of html files, fixed username and password)
The web access is not password-protected. Modbus TCP is a protocol which is unsecured by its nature. The device is suitable for deployment in internal (technological), secured networks only! It is not acceptable to map the TCP port 502 to a public IP address!
Modbus TCP/DALI converter
TCP
80 Web server for configuration
502 Modbus TCP
20, 21 FTP server (for configuration and upload of html files, fixed username and password)
The web access is not password-protected. Modbus TCP is a protocol which is unsecured by its nature. The device is suitable for deployment in internal (technological), secured networks only! It is not acceptable to map the TCP port 502 to a public IP address!
User interface – HMI panels (terminals) for SoftPLC Link (HT100, HT101), and Modbus TCP (HT110). Web and FTP access may be disabled by a DIP switch for increased security.
TCP
80 Web server for configuration (IP address etc., menu, firmware)
20, 21 FTP server (for configuration and upload of html files)
In normal operation, the panels initiate outgoing connections to the SoftPLC runtimes (HT100, HT101) or to Modbus servers (HT110). Incoming connections from the Internet to the panel should therefore not be necessary.
Graphical control panel for Merbon substations.
TCP
80 Web server for configuration (IP address, menu, etc.). Login with configurable password
20, 21 FTP server for uploading configuration files, login with configurable name and password
12346 SSCP protocol for menu and configuration upload, name and password protection
Process stations (PLC) based on ARM Cortex with OS FreeRTOS. The mark… range limits the number of used services to decrease security risks.
TCP
80 Web server, if enabled. Predefined usernames and passwords for different access levels.
12346 SSCP protocol for data access, program upload, and PLC configuration, protected by configurable username and password
The port number for SSCP (default 12346) can be changed in the PLC configuration. The protocol is suitable for data transfer over the Internet. To increase security, it is advised to use a router with access limitation (e.g. by client IP address) or to use a VPN.
Process stations (PLC) based on MPC5200 or i.MX with OS Linux. The mark… range limits the number of used services to decrease security risks.
TCP
22 SSH to access Linux
80 Web server, if enabled. Predefined usernames and passwords for different access levels.
12346 SSCP protocol for data access, program upload, and PLC configuration, protected by configurable username and password
The port number for SSCP (default 12346) can be changed in the PLC configuration. The protocol is suitable for data transfer over the Internet. To increase security, it is advised to use a router with access limitation (e.g. by client IP address) or to use a VPN.