IP access lists for TCP server sockets

You can define which IP clients may access a WinCC OA manager over its TCP sockets. This applies to all TCP sockets (Event, Data, Pmon, HTTP server, Dist, drivers based on TCP, ...). The restriction is configured through an IP access list, which limits access to the WinCC OA system in a network to a definable set of clients. A manager that detects a TCP socket connection from an unauthorized client closes the connection.
The authorized and unauthorized clients can be configured in the [general] section of the config file (if the restriction is to apply to the whole WinCC OA system). They can also be defined per manager in the manager-specific section, such as [data], so the definition from [general] can be extended or replaced for that manager.
The keywords for defining the lists are "ip_allow" and "ip_deny". Any number of these keywords may appear in the file; each entry is added to an internal list. The value of an entry is a string that identifies a participant in the network, written in one of the following notations:
  • IP address with dot notation e.g. "192.168.0.2"

  • Computer name, e.g. "myPC.domain.org"

Both notations may contain wildcards (* or ?); the client is matched against the pattern in the same way as in the CTRL function patternMatch(). The client's IP address in dot notation is compared to the pattern first; after that, all known domain names and aliases of the client are compared.
  • All computers in the domain "etm.at" are specified as "*.etm.at"

  • All computers in the IP range "192.168.0" are specified as "192.168.0.*"

Several ip_allow and ip_deny entries must be added as separate lines; the keywords may be repeated as often as needed.

A client is checked for authorization according to the following rule:
  • If the client is included in the ip_allow list, access is allowed.

  • If the client is included in the ip_deny list, access is denied.

  • If the client is not included in the ip_allow list, access is denied.

If both lists are empty, the IP access list is not in effect.

If ip_allow or ip_deny are defined in several sections of the config file, the entries are added to the two lists from top to bottom. If you want to define a separate list, e.g. for "Pmon" or another manager, in a manager-specific section, you first have to clear the lists inherited from the [general] section by using the special keyword "-empty list-" (otherwise the entries from the [general] section remain in effect). See the example below.

The IP access list is not used when the Multiplexing Proxy is used. The IP access list applies to the WinCC OA manager connections.

The following example shows how IP access lists are defined in the config file.

Note that ip_deny = "*" denies access for everyone, including the local computer.

[general]
# forbid all from the domain "etm.at"
ip_deny = "*.etm.at"

[pmon]
# Only computers from the domain "etm.at" should be able to access the Pmon.
# By using the "-empty list-" entries below, the list of the [general]
# section is deleted first. Afterwards the access for the computers from the
# domain "etm.at" is granted via ip_allow = "*.etm.at" and the access is
# denied for others via ip_deny = "*"
ip_allow = "-empty list-"
ip_deny = "-empty list-"
ip_allow = "*.etm.at"
ip_deny = "*"

# allow access for the local computer
ip_allow = "127.0.0.1"
ip_allow = "::ffff:127.0.0.1"
ip_allow = "::1"
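To make the merge order and the check order concrete, here is an added Python simulation of the behaviour described above. It is not WinCC OA's own code (the product's list handling is not shown on this page); it parses a config excerpt modelled on the example, builds the ip_allow / ip_deny lists for a given manager section (walking [general] first, then the manager section, with "-empty list-" clearing a list), and then applies the three rules in the order the page gives them. The wildcard matcher implements only * and ?, the two metacharacters the page names for patternMatch(); the config text, client addresses and host names are constructed samples, and treating two empty lists as "no restriction" is this example's reading of the page's wording.

```python
import re

# Constructed sample config, modelled on the page's example (not a real project file).
SAMPLE_CONFIG = """\
[general]
# forbid all from the domain "etm.at"
ip_deny = "*.etm.at"

[pmon]
ip_allow = "-empty list-"
ip_deny = "-empty list-"
ip_allow = "*.etm.at"
ip_deny = "*"
# allow access for the local computer
ip_allow = "127.0.0.1"
ip_allow = "::ffff:127.0.0.1"
ip_allow = "::1"
"""

EMPTY_LIST = "-empty list-"   # special keyword that clears the list built so far


def parse_config(text):
    """Return {section_name: [(keyword, value), ...]} keeping file order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if current is not None and key in ("ip_allow", "ip_deny"):
            sections[current].append((key, value))
    return sections


def build_lists(sections, manager_section):
    """Merge [general] and the manager section top to bottom into (allow, deny)."""
    allow, deny = [], []
    for name in dict.fromkeys(("general", manager_section)):   # dedupe, keep order
        for key, value in sections.get(name, []):
            target = allow if key == "ip_allow" else deny
            if value == EMPTY_LIST:
                target.clear()          # "-empty list-" discards inherited entries
            else:
                target.append(value)
    return allow, deny


def pattern_match(pattern, text):
    """Wildcard match supporting only * (any run) and ? (one char), case-sensitive.
    Assumption: this mirrors the page's description of patternMatch(); no other
    metacharacters are interpreted."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, text) is not None


def in_list(entries, client_ip, client_names):
    """A client matches an entry if its IP (checked first) or any known name does."""
    for entry in entries:
        if pattern_match(entry, client_ip):
            return True
        if any(pattern_match(entry, name) for name in client_names):
            return True
    return False


def is_authorized(allow, deny, client_ip, client_names=()):
    """Apply the page's rules in order: allow wins, then deny, else denied."""
    if not allow and not deny:
        return True                     # both lists empty: no IP access check applied
    if in_list(allow, client_ip, client_names):
        return True
    if in_list(deny, client_ip, client_names):
        return False
    return False                        # not in ip_allow -> denied


if __name__ == "__main__":
    sections = parse_config(SAMPLE_CONFIG)
    allow, deny = build_lists(sections, "pmon")
    print("pmon allow:", allow, "deny:", deny)
    # constructed clients: one inside etm.at, one outside, and the local host
    for ip, names in [("10.1.2.3", ["host1.etm.at"]),
                      ("10.1.2.4", ["host.other.org"]),
                      ("127.0.0.1", [])]:
        print(ip, names, "->", "allowed" if is_authorized(allow, deny, ip, names) else "denied")
```

Running it shows why the "-empty list-" lines matter: without them the [pmon] section would still inherit ip_deny = "*.etm.at" from [general], and the subsequent ip_allow = "*.etm.at" would be evaluated against a deny list that already names the same domain. With them, the Pmon lists contain exactly the entries written in [pmon], and a manager without its own section (e.g. [data]) sees only the [general] entries.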

The settings of the IP access lists can be made in the following sections of the config file:

  • [general] - General settings

  • [data] - Data Manager

  • [event] - Event Manager

  • [ctrl] - CTRL Manager (Applies only to a CTRL Manager that calls an HTTP server module)

  • [pmon] - Pmon (process monitor)

  • [valarch] - Archive Manager

  • [dist] - Dist Manager