Configuring Software and Hardware Firewalls to Support National Instruments Products

Publish Date: Mar 29, 2013 | 24 Ratings | 3.75 out of 5

Overview
National Instruments software packages and embedded hardware targets take advantage of network communication for application deployment, remote control of applications or instruments, transferring data, accessing and hosting web servers and services, and more. When using National Instruments network-enabled products with hardware or software firewalls, information about individual network port access may be needed to permit communication. This tutorial briefly explains the networking settings associated with performing common tasks using NI products, including the default TCP/UDP ports used and how to reconfigure these ports (if possible).

Table of Contents
1. Introduction to Network Ports and Firewalls 2. Network Ports and Settings Used by National Instruments Products 3. Summary Table (Network Ports and Settings) 4. Additional Assistance

1. Introduction to Network Ports and Firewalls

On modern computer systems, network communication including web page traffic, file transfers, emails, and more can be logically divided into different layers; this is known as the OSI Model. One layer, known as the network layer, is responsible for successfully routing network traffic, and providing error detection and diagnostic capability. The main network layer protocol used for both local network and Internet communication is known as Internet Protocol (IP). Another layer, known as the transport layer, is responsible for providing end-to-end communication services for applications. Two of the most common transport layer protocols are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). In order for a piece of network traffic to reach an application on a remote system, it must contain two key pieces of information: an address for the computer(s) that should receive the traffic (this is referred to as an IP address when using the IP protocol), and a destination port number for the application on the remote system(s) that should process the data. The IP address of the computer transmitting the data or request is also sent along with a source port number used by the originating application. In practice, each transport layer protocol (e.g. TCP, UDP) allows for up to 65,535 ports that applications can use. If an application on a given computer is accepting data, or "listening" on a given port, then the potential exists for that application to receive network data and do something based on that data. In this way, network traffic can affect the operation of a system up to the extent that an application allows. To reduce the effect that network traffic can have on a computer's operation, both networking equipment and individual computers may employ filters called firewalls that use a set of rules to allow or block certain unwanted network traffic (based on IP addresses, ports, or applications that are attempting to send the traffic).

Hardware Firewalls
Hardware firewalls are commonly built into networking equipment (such as routers), and examine each piece of network traffic (known as packets) as they are received and then re-transmitted. The header of each packet contains information about the destination IP address, transport layer protocol used, remote port number, and more. Hardware firewalls can filter packets based on this information and a set of user-defined rules, resulting in certain network packets being allowed and others being dropped without re-transmission. Although each individual hardware firewall may be configured differently (or have different default settings), many personal network routers are set up by default to allow all outgoing traffic and disable all incoming traffic between a local and external network. All traffic within the local network itself is typically allowed by default, and incoming traffic based on a recent outgoing request is also typically allowed.

Software Firewalls
In addition to the presence of hardware firewalls on network, individual computers may also run firewall software packages to filter network communications and protect against the unwanted influence of remote machines. While software firewalls have a similar objective as hardware firewalls, they use different methods to do this filtering. To filter packets based on header information (IP address, transport layer protocol, port, etc), software firewalls commonly employ an intermediate network driver that can accept or reject traffic based on rules before passing it to an application (in the case of incoming packets) or for outbound transmission. To filter network traffic based on the individual running application, or process, that is attempting to send or receive data, software firewalls can also intercept software calls between applications and underlying transport layer protocol drivers. Using this method, for example, certain applications could be denied the opportunity to listen for data on a specific port, while others could be granted this permission. Although each software firewall package may be configured differently (or have different default settings), many personal firewall software packages are set up by default to allow all outgoing port traffic and disable all incoming port traffic. However, these packages typically also enable incoming port traffic that is expected based on a previous outgoing request. As mentioned previously, firewall software may also prompt the user to allow or restrict port access for individual applications.

2. Network Ports and Settings Used by National Instruments Products

A wide variety of National Instruments products take advantage of network communication to provide different types of functionality -- from identifying networked hardware targets to providing access to web services created in LabVIEW. Given the fact that the majority of corporate and personal networks feature a combination of hardware and software firewalls, it is often necessary to change firewall settings to allow the network traffic needed for a given National Instruments product to function properly. The remainder of this document outlines the transport layer protocols and ports that different National Instruments products and features use, as well as where you can change these ports (if this is possible). Please see the documentation for your hardware or software firewall for instructions on how to change firewall settings in order to allow the desired traffic. If you are working on a large network in which you do not have access to change hardware or software firewall settings, please contact your network administrator and reference this document. Remember that in most situations it is only necessary to configure your hardware or software firewalls to enable incoming connections to server ports (for servers running on your local PCs or embedded hardware targets). When using software firewalls, you may also be prompted to allow individual applications to send or receive data.

Hardware Identification (Measurement & Automation Explorer)

Description of Functionality: NI Measurement & Automation Explorer (MAX) sends broadcast network traffic to poll for all locally available National Instruments network-enabled devices (such as LabVIEW Real-Time targets). Server Ports: UDP port 44525 Are the Ports Configurable?: No

Web Servers and Remote Control

Web Monitoring and Configuration of Networked Devices Description of Functionality: As of the release of LabVIEW 2010, it is possible to monitor and configure many National Instruments network-enabled devices using a web browser . Server Ports: UDP port 5353 (used for device detection over mDNS), TCP port 52725 (used for the NI Network Browser utility), TCP port 3580 (web monitoring and configuration server port) Are the Ports Configurable?: No Location of Port Settings: You can not change the web monitoring and configuration server ports. However, you can choose to enable SSL communication by visiting the web monitoring and configuration page for a given system (http://IP_ADDRESS:5353) and using the Web Server Configuration page and the settings under System Web Server. LabVIEW Remote Front Panels Description of Functionality: Remote Front Panels enable viewing and controlling VI front panels on one PC or embedded target from another network-connected PC. Server Ports: TCP port 8000 (default if SSL disabled), TCP port 433 (default of SSL enabled) Are the Ports Configurable?: Yes

1/4

www.ni.com

Are the Ports Configurable?: Yes Location of Port Settings: Remote front panel settings for VIs that run on a desktop PC can be configured from the Tools >> Web Server page under Remote Panel Server and HTTP port. The Remote front panel server can also optionally be configured to use SSL from the same settings page, and use a separate SSL port. When configuring the remote front panel server for an embedded hardware target, these same settings are accessible from the LabVIEW project by right clicking on the target and selecting Properties >> Web Server. Web Services Created by LabVIEW Description of Functionality: LabVIEW applications can be made into web services and then accessed from other networked systems when hosted using the LabVIEW Application Web Server. Server Ports: TCP port 8080 (default) Are the Ports Configurable?: Yes Location of Port Settings: You can change the Application Web Server port used to host LabVIEW web services using the web monitoring and configuration page for the server machine. This can be accessed by visiting (http://IP_ADDRESS:5353) and then visiting the Web Server Configuration page and using the settings under Application Web Server. In addition, it is possible to assign additional ports and optionally use SSL for Application Web Server communication using these settings. Programmatic Application Control with VI Server Description of Functionality: VI Server can be used to programatically control front panel objects, VIs, and LabVIEW on a given computer from either the local system or a remote machine. Server Ports: TCP port 3363 (default) Are the Ports Configurable?: Yes Location of Port Settings: You can change the VI Server port on a development computer by navigating to the Tools >> Options >> VI Server menu. To change the VI Server port on an embedded hardware target (e.g. CompactRIO), right click on the target in the LabVIEW Project and select Properties >> VI Server. Remote Instrument Control with VISA Server Description of Functionality: In addition to communicating with instruments connected to a local machine through the NI-VISA API, it is possible to remotely control instruments that are physically connected to another machine -- using the VISA Server. Server Ports: TCP port 3537 (default) Are the Ports Configurable?: Yes Location of Port Settings: To view and change port settings for the VISA server on a PC, open NI Measurement & Automation Explorer (MAX) software and navigate to Tools >> NI-VISA >> VISA Options >> VISA Server. FPGA Compile Farms Description of Functionality: You can send a LabVIEW FPGA compile job to a single remote computer for compilation, or use a remote bank of computers for site-wide compilation (each compile still utilizes only one computer). Remote compilation on one machine can be accomplished by installing LabVIEW FPGA Compile Worker software on that machine, and LabVIEW FPGA Compile Server software on either the local or remote machine. Site-wide remote compilation systems can be built using a bank of computers with LabVIEW FPGA Compile Worker software installed, and a server computer with the LabVIEW FPGA Compile Server and LabVIEW FPGA Compile Farm Toolkit installed. Server Ports: TCP port 3580 (same as Web Monitoring and Configuration server) Are the Ports Configurable?: No Legacy: G Web Server Description of Functionality: The G Web Server is part of the LabVIEW Internet Toolkit, and can be used to provide remote machines with access to CGI applications written in LabVIEW. Server Ports: TCP port 80 (default) Are the Ports Configurable?: Yes Location of Port Settings: You can configure the G Web Server using the LabVIEW menu located at Tools >> Internet >> G Web Server Configuration.

File, Email, Web Page, and Data Communication

File Transfer (FTP) Description of Functionality: LabVIEW File Transfer Protocol (FTP) VIs are included in the LabVIEW Internet Toolkit, and enable writing and reading files to and from remote FTP servers. Server Ports: TCP port 20 (used in active mode only), TCP port 21 (used in active and passive mode) Are the Ports Configurable?: Yes (defined by the server) Location of Port Settings: You can use the FTP VIs in the LabVIEW Internet Toolkit to connect to a remote FTP server -- not to implement the FTP server itself. Ports 20 and 21 are commonly used by FTP servers, though this can be changed on the server side, and you can connect to non-standard ports using the LabVIEW VIs. Note that special firewall settings may be needed to support active FTP connections; for additional information, please follow this link. For passive FTP connections, no firewall adjustments are typically needed to connect to a remote server. Email Communication (SMTP) Description of Functionality: LabVIEW contains Simple Mail Transfer Protocol (SMTP) VIs for sending emails through a remote SMTP server. Server Ports: TCP port 25 Are the Ports Configurable?: No Location of Port Settings: You can use the SMTP VIs in LabVIEW to connect to a remote SMTP server -- not to implement the SMTP server itself. Port 25 is commonly used by SMTP servers; at this time the LabVIEW SMTP VIs can not be used to access a non-standard port, or to connect to secure SMTP servers. In most cases, no firewall adjustments should be needed to connect to a remote SMTP server. Web Page Communication (HTTP) Description of Functionality: You can use the HTTP Client VIs to build a Web client that interacts with servers, pages, and Web services. You can add HTTP headers, store cookies, provide authentication credentials, and send Web requests using HTTP methods such as POST, GET, PUT, HEAD, and DELETE. Server Ports: TCP port 80 (default) Are the Ports Configurable?: Yes (defined by server) Location of Port Settings: You can use the HTTP Client VIs in LabVIEW to connect to remote Web servers -- not implement the Web server itself. Port 80 is commonly used by Web servers, but you can use the HTTP Client VIs to connect to servers on non-standard ports by using a URL with format (http://HOSTNAME:PORT). In most cases, no firewall adjustments should be needed to connect to a remote HTTP server. Shared Variables and Network Streams Description of Functionality: Both Network Shared Variables (available in LabVIEW, LabWindows/CVI, and Measurement Studio) and Network Streams (available in LabVIEW 2010 and higher) can be used to transmit variable data between machines on a network. In practice, Network Shared Variables are optimized for polling variable values from one or more remote systems, while Network Streams are optimized for sending a complete stream of data in a lossless manner between one system and another. Because Network Shared Variables and Network Streams both make use of an underlying protocol called Logos, they both use the same network ports. Server Ports: UDP port 2343 (default), UDP ports 6000-6010 (default), TCP ports 59110 and above (one port for each application running on the server) Are the Ports Configurable?: Yes Location of Port Settings: For Network Shared Variables or Network Streams that are hosted on a Windows PC, you can create a LogosXT.ini file to specify a different range of TCP ports to use (the UDP ports used are fixed). Follow this link to read about the location and contents of the LogosXT.ini file: Changing the Default Ports for TCP-Based NI-PSP (Windows) . In addition, you can configure these ports for Network Shared Variables and Network Streams hosted on LabVIEW Real-Time targets by editing the ni-rt.ini file located in the root FTP directory of the controller. The parameters of interest are the LogosXT_PortBase and LogosXT_NumPortsToCheck entries in the file. DataSocket (DSTP) Description of Functionality: NI DataSocket VIs can be used to communicate with other applications, files, FTP servers, and Web servers. The specific ports used will depend on the type of server

2/4

www.ni.com

Description of Functionality: NI DataSocket VIs can be used to communicate with other applications, files, FTP servers, and Web servers. The specific ports used will depend on the type of server that you are connecting to. In addition, DataSocket VIs can connect to DataSocket servers that use the DataSocket Transfer Protocol (DSTP). Server Ports Used: TCP port 3015 (for DSTP) Are the Ports Configurable?: No. You can start the DataSocket server by navigating to Start >> All Programs >> National Instruments >> Datasocket >> DataSocket Server.

Direct TCP and UDP Communication

Description of Functionality: Using the UDP and TCP VIs in LabVIEW, you can directly send and receive UDP and TCP communication to and from other machines on a network. Protocol and Ports Used: Defined by application code or server Is the Port Configurable?: Yes Location of Port Settings: The TCP and UDP VIs enable listening on your port of choice, or sending data to another machine on a port number that you specify.

Time Synchronization (NTP, SNTP)

Description of Functionality: Certain NI embedded hardware targets have a built-in ability to set their system time based on a network time server (typically a Simple Network Time Protocol, or SNTP server). On other hardware targets, example code is available for programatically retrieving a time via NTP or SNTP and setting the system time based on that value. Server Ports: TCP port 123 (default) Is the Port Configurable?: Yes (defined by server) Location of Port Settings: Note that code running on NI hardware targets is typically used to connect to a network time server -- not implement the time server itself. Therefore, the network port used will depend on the server that you are connecting to. For CompactRIO targets, you can use the instructions in this reference to configure the server and port to connect to: Configuring CompactRIO Real-Time Controllers to Synchronize to SNTP Servers . If you are using code on another target to connect to a network time server, you can set the server and port to connect to using that code. In most cases, no firewall adjustments should be needed to connect to a remote NTP or SNTP server.

Device-Specific Port Information

NI ENET-232 and ENET-485 Description of Functionality: The NI ENET-232 and NI ENET-485 devices enable you to control RS-232 and RS-485 connections remotely via Ethernet. Server Ports: TCP port 5225 Are the Ports Configurable?: No NI GPIB-ENET/100 and NI GPIB-ENET/1000 Description of Functionality: Using NI GPIB-ENET devices, you can control communication with GPIB instruments remotely via Ethernet. Server Ports: TCP ports 5000, 5003, 5005, 5010, and 5015 Are the Ports Configurable?: No

3. Summary Table (Network Ports and Settings)

Product or Feature

Server Ports (default) UDP 44525 UDP 5353, TCP 52725, TCP 3580 NA

Port Configuration Location

MAX Hardware Identification Web Monitoring and Configuration

NA (can enable SSL at http://IP_ADDRESS:5353 via Web Server Configuration page) PC (in LabVIEW ): Tools >> Web Server Embedded RT target (in LabVIEW): right click on target in Project >> Properties >> Web Server

LabVIEW Remote Front Panels

TCP 8000 (no SSL), TCP 433 (SSL)

LabVIEW Web Services

TCP 8080

http://IP_ADDRESS:5353 then visit Web Server Configuration page under Application Web Server PC (in LabVIEW): Tools >> Options >> VI Server Embedded RT target (in LabVIEW): right click on target in Project >> Properties >> VI Server

LabVIEW VI Server

TCP 3363

NI VISA Server

TCP 3537

Measurement & Automation Explorer: Tools >> NI-VISA >> VISA Options >> VISA Server NA LabVIEW: Tools >> Internet >> G Web Server Configuration Defined by server, can access non-standard ports using API. Defined by server, can not access non-standard ports using API. Defined by server, can access non-standard ports using API. PC: use LogosXT.ini file (read this) Embedded RT target: use ni-rt.ini file in root directory (LogosXT_PortBase and LogosXT_NumPortsToCheck entries) Same as above NA Defined by application Defined by server, can access non-standard ports using API. CompactRIO: (read this)

LabVIEW FPGA Compile Farms (LabVIEW 2010 and later) LabVIEW G Web Server FTP VIs (LabVIEW Internet Toolkit) Email VIs (SMTP)

TCP 3580 TCP 80 TCP 20 (active mode), 21 (passive mode) TCP 25

HTTP Client VIs Network Shared Variables

TCP 80 UDP 2343, UDP 6000-6010, TCP 59110 and above (one port for each application instance)

Network Streams DataSocket (DSTP) LabVIEW TCP and UDP VIs Time Synchronization (NTP, SNTP)

Same as above TCP 3015 NA TCP 123

NI ENET-232, NI ENET-485

TCP 5225

NA

3/4

www.ni.com

NI GPIB-ENET/100, NI GPIB-ENET/1000

TCP 5000, 5003, 5005, 5010, and 5015

NA

4. Additional Assistance
If you are experiencing issues with firewalls and NI products, visit ni.com/support and call or e-mail an Applications Engineer for assistance. You can also ask about any products not mentioned in this tutorial, and request that they be added for future reference.

4/4

www.ni.com