Problem Statement
When implementing an Aspen Manufacturing and Execution System (MES) solution, customers may install a firewall between the various Aspen applications.
Firewall systems help prevent unauthorized access to computer resources. However, if a firewall is turned on but not correctly configured, it may block some ports, which may cause applications that rely on those ports for communication to stop working.
The purpose of this Knowledge Base article is to document all of the ports that need to be open when the web and/or Aspen InfoPlus.21 (IP.21) server is behind the firewall. There is also a possibility of having a firewall between the Aspen InfoPlus.21 server and the web server which presents additional challenges that need to be addressed.
Solution
To positively determine if the issue at hand is caused by a firewall, it is suggested to first try logging in with an administrative account that can be properly authenticated by the firewall. Such an account should have the ability to effectively bypass all of the firewall restrictions.
If a user logged in with such an administrative account has no issues accessing various resources behind the firewall, then this is proof positive that the firewall is blocking some essential ports that must remain open for applications on the opposite sides of the firewall to be able to work together.
The next step should be for a user to log in to the IP.21 server with an IP.21 Admin account and run the RPC PortMapper application to identify the ports which need to be opened in the firewall. Note: RPC PortMapper application RPCINFO.EXE is located in the C:\Program Files (x86)\Common Files\AspenTech Shared\Portmapper directory.
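The following probe supports the check described above from the client side. It is an added example, not AspenTech code or part of this article: it tries a TCP connect to each fixed port the article names on the IP.21 server and classifies the result, so a silent timeout (the usual sign of a firewall dropping the packet) can be told apart from a refused connection (path open, but nothing listening there). The host name is a placeholder; the dynamic RPC DA ports must still be read from RPCINFO.EXE at run time.

```python
"""Probe the fixed IP.21 ports a client needs and classify each result."""
import socket

# Fixed ports named in this article (the dynamic RPC DA ports are not listed
# here because they must be looked up with rpcinfo after each IP.21 restart).
IP21_FIXED_PORTS = {
    "NobleNet Portmapper": 111,
    "TSK_BGCSNET": 10013,
    "TSK_SQL_SERVER": 10014,
    "TSK_ACCESS_SVC": 20014,
}


def probe(host, port, timeout=2.0):
    """Return 'open', 'refused', 'filtered' or 'error:<errno>' for one TCP port.

    'filtered' means no answer arrived before the timeout, which is what a
    firewall that drops packets looks like; 'refused' means the host replied
    with a reset, so the port is reachable but no service is listening.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "refused"
        except OSError as e:
            return f"error:{e.errno}"


def check_ports(host, ports=IP21_FIXED_PORTS, timeout=2.0):
    """Probe every named port on the server; returns {task name: status}."""
    return {name: probe(host, port, timeout) for name, port in ports.items()}


def blocked(results):
    """Task names whose status points at the firewall rather than the service."""
    return sorted(name for name, status in results.items() if status == "filtered")


def demo_with_local_listener():
    """Self-check: open a listener on an ephemeral loopback port and probe it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return probe("127.0.0.1", srv.getsockname()[1], 1.0)


if __name__ == "__main__":
    results = check_ports("ip21-server.example")  # placeholder host name
    print(results, "likely firewall-blocked:", blocked(results))
```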
Below is a list of Aspen MES applications and their port usage.
Aspen InfoPlus.21
· IP.21 RPC DA Servers (TSK_ADMIN_SERVER, TSK_APEX_SERVER, TSK_EXCEL_SERVER, TSK_ORIG_SERVER, TSK_DEFAULT_SERVER, TSK_BATCH21_SERVER). These use six ports, typically 11111 - 11116, but the ports are dynamic and change every time IP.21 is restarted. Different (static) port numbers may be configured. See KB article # 104056 for more info. NOTE: In addition to the ports for each RPC server task, port 111 also must be opened in the firewall. Port 111 is used by the NobleNet Portmapper for the initial API call.
· TSK_BGCSNET. Used by GCS and Aspen IP.21 Process Browser clients when making connections to an InfoPlus.21 database. On the InfoPlus.21 server, TSK_BGCSNET listens on a TCP/IP socket 10013 for any Aspen IP.21 Process Browser client trying to connect.
· TSK_SQL_SERVER. Uses port # 10014.
· TSK_ACCESS_SVC. Uses port # 20014.
· IP.21 Tag Replication. Aspen InfoPlus.21 Tag Replication uses Microsoft Message Queuing (MSMQ) as the transport in Windows Communication Foundation (WCF). MSMQ requires the following communication ports to be open: 1801 (both TCP and UDP), 2101 (TCP), 2107 (TCP), 3527 (UDP), 2105 (TCP), 2103 (TCP), 135 (TCP). For more info, see Aspen KB article # 130208 or the following MS KB article: https://support.microsoft.com/en-us/kb/178517.
· Cim-IO client tasks. Beginning with V8.4 it is no longer required to define Aspen Cim-IO services and ports on the Cim-IO Client system. When a Cim-IO client task starts, it connects to the Cim-IO Manager service running on the Cim-IO Interface Server. The Cim-IO Manager returns the port numbers assigned to the Cim-IO services on the Cim-IO Server to the Cim-IO client task. The port used by the Cim-IO client task to communicate with the Cim-IO Manager service is defined by the service CIMIOManager in the Services file. The default port number is 7777. This port number must be the same on both the Cim-IO Server and Client machines. See KB article # 140636 for more info.
· IP21 OPCDA Server. Based on DCOM so port 135 is used. A fixed port can be specified by editing the registry. See article: https://support.microsoft.com/en-us/kb/217351. Note: the App ID for IP21 OPCDA (IP21DA_Server.exe) is {32EE345D-A261-4B84-845F-44E61CBCE3FE}.
· IP21 OPCUA servers determine their ports from a configuration file. See the following file locations:
UA component: IP21 OPCUA Server
Configuration file location: C:\ProgramData\AspenTech\InfoPlus.21\db21\group200\tsk_opcua_server.opcua.config.xml
XML excerpt:
<BaseAddresses xmlns:d3p1="http://opcfoundation.org/UA/2008/02/Types.xsd">
<d3p1:String>opc.tcp://localhost:63500/InfoPlus21/OpcUa/Server</d3p1:String>
<d3p1:String>http://localhost:63501/InfoPlus21/OpcUa/Server</d3p1:String>
</BaseAddresses>

UA component: Aspen Process Simulator Service (UA server)
Configuration file location: C:\Program Files (x86)\AspenTech\CIM-IO\io\cio_opc_uai\AspenProcessSimulator.Config.xml
XML excerpt:
<d3p1:String>http://localhost:62551/Aspen/ProcessSimulator</d3p1:String>
<d3p1:String>opc.tcp://localhost:62552/Aspen/ProcessSimulator</d3p1:String>

UA component: OPC UA Discovery Service
Configuration file location: C:\ProgramData\OPC Foundation\Config\Opc.Ua.DiscoveryServer.Config.xml
XML excerpt:
<d3p1:String>opc.tcp://localhost:4840/UADiscovery</d3p1:String>
<d3p1:String>http://localhost:52601/UADiscovery</d3p1:String>
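Because the OPC UA ports live in these configuration files rather than in a fixed list, the firewall rule should be derived from the file actually deployed. The parser below is an added example, not AspenTech code: it reads the <BaseAddresses> element shown above and returns the TCP ports to open. A base address with no explicit port falls back to the scheme default (4840 for opc.tcp, the port registered for OPC UA; 80/443 for http/https), which is an assumption of this example, not something the article states.

```python
"""Read the listening ports an OPC UA server config file declares."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumed defaults when a base address has no explicit port.
DEFAULT_PORTS = {"opc.tcp": 4840, "http": 80, "https": 443}

# Constructed sample: the IP21 OPC UA Server excerpt from the table above,
# wrapped in a root element so it parses as a complete document.
SAMPLE_CONFIG = """<ApplicationConfiguration>
  <BaseAddresses xmlns:d3p1="http://opcfoundation.org/UA/2008/02/Types.xsd">
    <d3p1:String>opc.tcp://localhost:63500/InfoPlus21/OpcUa/Server</d3p1:String>
    <d3p1:String>http://localhost:63501/InfoPlus21/OpcUa/Server</d3p1:String>
  </BaseAddresses>
</ApplicationConfiguration>"""


def _local(tag):
    """Strip an XML namespace ('{uri}Name' -> 'Name') so prefixes don't matter."""
    return tag.rsplit("}", 1)[-1]


def base_addresses(xml_text):
    """All <String> children of every <BaseAddresses> element, as URL strings."""
    urls = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "BaseAddresses":
            urls += [c.text.strip() for c in el if _local(c.tag) == "String" and c.text]
    return [u for u in urls if u]


def endpoint_ports(xml_text):
    """(scheme, host, port) for each base address; port defaults by scheme."""
    out = []
    for url in base_addresses(xml_text):
        u = urlsplit(url)
        port = u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)
        if port is None:
            raise ValueError(f"no port and no known default for: {url}")
        out.append((u.scheme, u.hostname, port))
    return out


def firewall_ports(xml_text):
    """Sorted, de-duplicated TCP ports the firewall must allow for this server."""
    return sorted({port for _, _, port in endpoint_ports(xml_text)})


if __name__ == "__main__":
    for scheme, host, port in endpoint_ports(SAMPLE_CONFIG):
        print(f"{scheme:8} {host:12} TCP {port}")
```

Point it at the deployed file (for example the group200 config path above) with `firewall_ports(open(path).read())` to get the exact ports for that server.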
Aspen InfoPlus.21 Administrator and InfoPlus.21 Definition Editor
Although specific port numbers can be assigned to the various Aspen InfoPlus.21 API server tasks to effect client communication through a firewall, the Aspen InfoPlus.21 Task Service is still dynamically allocated a new port number through the Noblenet Portmapper every time this service is restarted. Since the Aspen InfoPlus.21 Administrator uses the Aspen InfoPlus.21 Task Service to communicate with the Aspen InfoPlus.21 database, the port for the Aspen InfoPlus.21 Task Service needs to be opened through the firewall as well. For additional information on connecting the InfoPlus.21 Administrator tool across a firewall, please see solution id 000078782.
Aspen Process Explorer
Can use any of the RPC DA Server ports - typically 11111 - 11116. Different port numbers may be configured. See KB article # 104056 and 115049 for more info. NOTE: In addition to the ports assigned to each RPC server task, port 111 also must be opened in the firewall. Port 111 is used by the NobleNet Portmapper for the initial API call.
aspenONE Process Explorer
· HTTP port 80.
· Port 111 for the PortMapper.
· Six other ports for the TSK_ External Services as identified in the IP.21 Manager section above must remain open. These six ports are dynamic and change every time IP.21 is restarted, or the individual Services are restarted. These six ports can be configured to be static so they don't change when the IP.21 Services are restarted.
Aspen IP.21 Process Browser
· TCP 10013 and 10014.
· Six other ports for the TSK_ External Services as identified in the IP.21 Manager section above must remain open.
· DCOM port 135 and a range of ports 3000 - 4000 must remain open. See KB article # 104040 for more info.
Aspen SQLPlus
Uses port 10014. It is configurable using ADSA.
AFW Security Server
AFW Security Server is a web service thus it uses port 80 from IIS by default.
Client applications using DCOM
Client applications using Windows DCOM require port 135 and a range of ports 3000 - 4000 to be open.
Aspen Calc
Uses port 135 and a range of ports 3000 - 4000. See KB article # 110537 for more info.
Aspen Production Record Manager
· Client applications use TCP/UDP port 135 and a range of ports 3000 - 4000. See KB article # 115120, 118957 and 104056 for more info.
· Aspen Production Record Manager Business Process Document Service uses port 7500. See KB article # 121971 for more info.
· APRM ODBC. Uses port 52011. It is configurable using ADSA.
Aspen Production Execution Manager
Apache port 8080 and port 1433. See KB article # 128922 for more info.
The MOC client communicates with the APEM server using port 8888 by default, but if port 8888 is already in use by another application, MOC increments the port number by 1 (8889, 8890, and so on) until it finds a usable port. The APEM server uses a random local port to connect to the remote port 8888.
Aspen Process Data Service
Uses port 52007. It is configurable using ADSA.
Aspen Operations Reconciliation and Accounting
· Uses database-specific ODBC ports to connect to the database server.
· ORACLE as a relational database: SQL*Net 2: port 1521 (This is the default listener port. A listener port will always be used.). The following ports may be used (check with your site's DBA): LDAP: port 3060, LDAP SSL: port 3131, Oracle Notification Server: port 6200, Web Cache Invalidation: port 4001. See KB article # 116910 for more info.
· SQL Server as a relational database. See the following Microsoft KB article for more info: https://support.microsoft.com/kb/287932/
· Aspen Advisor Connect. PI database communication port number is 5450. PHD database communication port number is 3000.
Aspen Software License Manager (SLM)
· TCP/UDP ports 5093 and 5094. ICMP ping to the license server must also be allowed. See KB article # 135484 for more info.
· Auto Upload Tool requires that the following ports are open: HTTPS PORT 443, Secure FTP (SFTP) port 22, SMTP Email port 25. See KB article # 000082940 for more info.