0% found this document useful (0 votes)

29 views172 pages

Exaquantum Engineering Guide Vol 2

Exaquantum V 3.2 Engineering Guide Vol 2

Uploaded by

r.kh.arjomandi

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

29 views172 pages

Exaquantum Engineering Guide Vol 2

Exaquantum V 3.2 Engineering Guide Vol 2

Uploaded by

r.kh.arjomandi

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 172

Instruction Exaquantum Engineering Guide

Manual Volume 2 – Network Configuration

IM 36J04A15-02E

IM 36J04A15-02E
© Yokogawa January 14th 2020
22nd Edition Issue 1
Exaquantum Engineering Guide – Volume 2 Network Configuration i

Copyright and Trademark Notices

© 2020 Yokogawa Electric Corporation
All Rights Reserved
The copyright of the programs and online manuals contained in the software medium of the
Software Product shall remain with YOKOGAWA.
You are allowed to print the required pages of the online manuals for the purposes of using
or operating the Product; however, reprinting or reproducing the entire document is strictly
prohibited by the Copyright Law.
Except as stated above, no part of the online manuals may be reproduced, transferred, sold,
or distributed to a third party in any manner (either in electronic or written form including,
without limitation, in the forms of paper documents, electronic media, and transmission via
the network).
Nor it may be registered or recorded in the media such as films without permission.
Trademark Acknowledgements
 CENTUM, ProSafe, Exaquantum, Vnet/IP, PRM, Exaopc, Exaplog, Exapilot, Exasmoc
and Exarqe are registered trademarks of Yokogawa Electric Corporation.
 Microsoft, Windows, Windows Server, SQL Server, Excel, Internet Explorer, SharePoint,
ActiveX, Visual Basic, Visual C++, and Visual Studio are either registered trademarks or
trademarks of Microsoft Corporation in the United States and other countries.
 Adobe and Acrobat are registered trademarks of Adobe Systems Incorporated, and
registered within particular jurisdictions.
 Ethernet is a registered trademark of XEROX Corporation.
 All other company and product names mentioned in this manual are trademarks or
registered trademarks of their respective companies.
 We do not use TM or ® mark to indicate those trademarks or registered trademarks in this
manual.
 We do not use logos in this manual.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

ii Contents

Highlights
The Highlights section gives details of the changes made since the previous issue of this
document.
Summary of Changes
This is the 22nd Edition of the document.
Detail of Changes
The changes are as follows.

Chapter/Section/Page Change
6.3.4 Added section

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration iii

Exaquantum Document Set

The documents available for Exaquantum are:

Exaquantum General Specification (GS 36J04A10-01E)

Exaquantum Technical Information (TI 36J04A10-01E)

Exaquantum/PIMS User's Manual (IM 36J04A11-01E)

Exaquantum/Explorer User's Manual Volume 1

General Information (IM 36J04A12-01E)

Exaquantum/Explorer User's Manual Volume 2

Custom Controls (IM 36J04A12-02E)

Exaquantum/Explorer User's Manual Volume 3

Microsoft Excel Reports (IM 36J04A12-03E)

Exaquantum/Explorer User's Manual Volume 4

Advanced Configuration (IM 36J04A12-04E)

Exaquantum Installation Guide (IM 36J04A13-01E)

Exaquantum API Reference Manual (IM 36J04A14-01E)

Exaquantum Engineering Guide Volume 1

Administration (IM 36J04A15-01E)

Exaquantum Engineering Guide Volume 2

Network Configuration (IM 36J04A15-02E)

Exaquantum Engineering Guide Volume 3

Support Tools (IM 36J04A15-03E)

Exaquantum Engineering Guide Volume 4

Web Authoring (IM 36J04A15-04E)

Exaquantum Engineering Guide Volume 5

PI Connection (IM 36J04A15-05E)

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

iv Contents

Table of Contents
Copyright and Trademark Notices .....................................................................................i
Highlights ......................................................................................................................... ii
Exaquantum Document Set ............................................................................................. iii
Table of Contents .............................................................................................................iv
Chapter 1 Introduction ............................................................................................................. 1-1
1.1 Document Purpose ............................................................................................................. 1-1
1.2 Intended Audience.............................................................................................................. 1-1
1.3 General ............................................................................................................................... 1-2
1.4 Terms.................................................................................................................................. 1-3
Chapter 2 Exaquantum Network Administration.................................................................. 2-1
2.1 General ............................................................................................................................... 2-1
2.2 Network Guidelines............................................................................................................ 2-2
2.2.1 Windows Domains ............................................................................................ 2-2
2.2.2 Windows Workgroups....................................................................................... 2-2
2.2.3 Security Principles............................................................................................. 2-2
2.2.4 Name Resolution ............................................................................................... 2-3
2.2.5 Network Topology ............................................................................................ 2-4
2.2.6 Firewalls ............................................................................................................ 2-5
2.2.7 Server Operating System Configuration ........................................................... 2-5
2.3 Firewall Configuration ....................................................................................................... 2-6
2.3.1 Firewall Configuration ...................................................................................... 2-6
2.3.2 Deep Packet Inspection Firewall Configuration.............................................. 2-27
2.3.3 Setting the Restriction of Ports for DCOM ..................................................... 2-45
2.4 Configuring Exaquantum for VPN Network Connections............................................... 2-46
Chapter 3 Specifying Your Configuration During Installation (Legacy Model)................. 3-1
3.1 Installation Basics .............................................................................................................. 3-1
3.2 Adding Users to User Groups ............................................................................................ 3-3
3.2.1 Domain Authentication ..................................................................................... 3-3
3.2.2 Workgroup Authentication ................................................................................ 3-3
3.3 Creating the Exaquantum Groups and Users Manually ..................................................... 3-4
3.4 OPC Servers Set-up............................................................................................................ 3-5
3.4.1 Using a global user account............................................................................... 3-5
3.4.2 Using a local user account ................................................................................. 3-5
Chapter 4 DCOM and Network Security in Exaquantum (Legacy Model) ........................ 4-1

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration v

Chapter 5 Network Diagnostic Tool ........................................................................................5-1

5.1 Overview ............................................................................................................................ 5-1
5.2 NetworkTest Utility ........................................................................................................... 5-2
5.3 Server Manager .................................................................................................................. 5-3
5.4 Test Detail .......................................................................................................................... 5-5
Chapter 6 IT Security ................................................................................................................6-1
6.1 Overview ............................................................................................................................ 6-1
6.1.1 Positioning of this Guide ................................................................................... 6-1
6.1.2 Introduction to IT Security ................................................................................ 6-2
6.1.3 Prerequisites to IT Security ............................................................................... 6-3
6.2 Security measures and security model ............................................................................... 6-4
6.2.1 Security measures .............................................................................................. 6-4
6.2.2 Security Models................................................................................................. 6-5
6.2.3 How to Use IT Security Setting Tool ................................................................ 6-7
6.2.4 Changing the Security Model .......................................................................... 6-10
6.2.5 Collaborating with Other Products .................................................................. 6-13
6.2.6 CENTUM VP (Integration Code: 0101-0801-02-03) ..................................... 6-27
6.3 Operations ........................................................................................................................ 6-30
6.3.1 Windows Account Management ..................................................................... 6-30
6.3.2 Related Programs ............................................................................................ 6-35
6.3.3 Windows Shared folders ................................................................................. 6-35
6.3.4 Changing the LAN Manager Authentication Level ........................................ 6-36
Chapter 7 Time Synchronization .............................................................................................7-1
7.1 Setting time synchronization .............................................................................................. 7-1
7.1.1 Time synchronization in the Active Directory domain environment ................ 7-2
7.1.2 Time synchronization in the existing network .................................................. 7-2
7.1.3 Time synchronization in a new work group environment ................................. 7-3
7.1.4 Time synchronization tools storage directory ................................................... 7-3
7.1.5 Installing “time synchronization” on an OPC gateway PC ............................... 7-3
7.1.6 Installing “time synchronization” on a Exaquantum server .............................. 7-4
7.2 Precautions when upgrading from R2.10.50 or older (changing the synchronization method) .. 7-5
7.2.1 Disabling the current synchronization method .................................................. 7-5
7.2.2 Establishing a new synchronization method ..................................................... 7-5
7.3 Setting up Time Synchronization ....................................................................................... 7-6

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

vi Contents

Appendix A. IT Security...................................................................................................... App.A-1

Appendix A.1 External process of Exaquantum and working module list of Communication ...App.A-1
Appendix A.2 Shared folder used with Exaquantum ........................................................App.A-2
Appendix A.3 Service list registered with Exaquantum ....................................................App.A-2
Appendix A.4 Unsupported Main Windows Security Functions ......................................App.A-3
Appendix A.4.1 Windows Defender ..................................................................App.A-3
Appendix A.4.2 EFS Function ...........................................................................App.A-3
Appendix A.4.3 BitLocker Function ..................................................................App.A-3
Appendix A.5 Underlying Security Threats ......................................................................App.A-4
Appendix A.5.1 DCOM .....................................................................................App.A-4
Appendix A.5.2 Scope of Windows Firewall.....................................................App.A-4
Appendix A.6 Workgroup Management and Domain Management .................................App.A-5
Appendix A.6.1 Workgroup Management .........................................................App.A-5
Appendix A.6.2 Domain Management...............................................................App.A-6
Appendix A.7 NetBIOS .....................................................................................................App.A-7
Appendix A.8 Maximum Tolerance for Computer Clock Synchronization ......................App.A-8
Appendix A.8.1 Setting Procedure (Windows Server – Domain Controller) ....App.A-9
Appendix A.9 Changing the Settings of DCOM ............................................................. App.A-10
Appendix A.9.1 Setting Personal Firewall .......................................................App.A-10
Appendix A.9.2 Controlling the Dynamic Ports of RPC Port ..........................App.A-10
Appendix A.10 Configuring All Settings of Windows Firewall ..................................... App.A-13
Appendix A.11 Configuring All Windows Services ....................................................... App.A-14
Appendix A.12 Starting the MMC Console .................................................................... App.A-17
Appendix A.13 IT Security Detail Information ............................................................... App.A-19
Appendix A.13.1 Access control......................................................................App.A-19
Appendix A.13.1.1 Access user group ......................................................App.A-19
Appendix A.13.1.2 Registry configuration and access rights ...................App.A-23
Appendix A.13.1.3 DCOM Access authority for standard model.............App.A-24
Appendix A.13.1.4 Local Security Access Permissions ...........................App.A-24
Appendix A.13.1.5 Access User Group Control .......................................App.A-25
Appendix A.13.2 Personal Firewall Tuning .....................................................App.A-26
Appendix A.13.3 Change in SQL server service account ................................App.A-29
Appendix A.13.4 Stopping of unnecessary Windows services
(Strengthened Model target) ................................................App.A-30
Appendix A.13.5 Changing IT Environment Settings .....................................App.A-30
Appendix A.13.5.1 Disabling USB and cancelling disable .......................App.A-31
Appendix A.13.5.2 Hiding the Last Logon User Name ............................App.A-33

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration vii

Appendix A.13.6 Security of Web server (Standard or Strengthened model) ... App.A-34
Appendix A.13.6.1 Installing Only the Necessary IIS Components ......... App.A-34
Appendix A.13.6.2 Enabling Only Necessary Web Service Extensions .... App.A-34
Appendix A.13.6.3 Configuring IIS Log .................................................. App.A-34
Appendix A.13.6.4 Enabling SSL (Secure Sockets Layer) ....................... App.A-35
Appendix A.13.6.5 Caution when using the tablet device ........................ App.A-38
Appendix A.14 Installation on HIS ................................................................................. App.A-39
Appendix A.14.1 Installation Procedure .......................................................... App.A-39
Appendix A.14.2 Settings after Installation in case of HIS type SSO ............. App.A-40
Appendix A.15 Security setting of Windows Server domain controller ......................... App.A-42

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

viii Contents

This page intentionally left blank

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 1-1

Chapter 1 Introduction
The introduction of Windows 2008 and Windows 2012 allows a high degree of administrator
control and flexibility. The result of this is a more complex operating system and domain
structure. Because of this it is not possible to give detailed step-by-step guides to
administrative matters within this document. It is assumed that network administration will
be performed by a qualified engineer.
1.1 Document Purpose
This document is aimed primarily at getting you the correct network set-up for the security
principles that Exaquantum requires. It will provide an understanding of the issues to
consider from a network perspective, when deploying an Exaquantum system.
1.2 Intended Audience
The intended audience of this document is the customers’ IT or networking departments who
are familiar with the technology and terminology of network administration.
The Exaquantum Engineering Guide contains tasks that need to be completed by users
within your organization that have administrative privileges. The user(s) of this document
must also be familiar with the following topics:
 Windows Domain security (Users, Groups, Permissions etc.)
 DCOM Settings
 Configuring Networking components.
This documentation therefore assumes that the person carrying out the procedures has
knowledge and experience in the areas mentioned above. It also assumes that you have
already completed the relevant Exaquantum course(s).

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

1-2 Chapter 1 Introduction

1.3 General
This document is designed to give users guidelines for implementing Exaquantum in a new
or their existing network infrastructure. The configurations of Exaquantum and the networks
to which they belong can vary greatly.
The Engineering Guide summarizes what is considered by Yokogawa as to be the 'good or
best practice' in the operation of an Exaquantum system. It is not intended that the methods
or procedures detailed in this document represent the only approach to configuring,
monitoring and using an Exaquantum system, but rather the procedures described are proven,
practical and effective.
This Engineering Guide has been divided into Volumes and Chapters that detail various
procedures and methods. Certain chapters may not be relevant to your Exaquantum system.
Volume 1: Administration
Volume 2: Network Configuration
Chapter 1: Introduction
Chapter 2: Exaquantum Network Administration
Chapter 3: Specifying Your Configuration During Installation (Legacy Model)
Chapter 4: DCOM and Network Security in Exaquantum (Legacy Model)
Chapter 5: Network Diagnostic Tool
Chapter 6: IT Security
Chapter 7: Time Synchronization
Volume 3: Support Tools
Volume 4: Web Authoring
Volume 5: PI Connection

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 1-3

1.4 Terms
The following terms are used in this manual and are defined according to their use within
Exaquantum.
Business Network
An intranet that does not include PCN.
CENTUM system
A system constructed with CENTUM DCS components.
Connections
There are two main types of connection required, and the settings for these are dependent on
the network configuration of the computers involved:
OPC Server to Exaquantum Server
The first connection is from the OPC Server to the Exaquantum server. This is required so
that requests for data can be passed from Exaquantum to the OPC servers and the actual data
passed from the OPC Servers to Exaquantum.
Exaquantum Server to Exaquantum Client
The second connection is between the Exaquantum server and its clients. This allows clients
to access data held on the Exaquantum server.
Critical data
Information assets, such as project database, formula and operation log in CENTUM system
that needs to be protected.
DCOM
DCOM (Distributed Component Object Model) is the architecture that allows applications to
run on remote computers. The Exaquantum installation program uses DCOM settings to
enable this. The settings are made initially using QDCOMConfig.exe, shipped with
Exaquantum and run automatically during installation.
QDCOMConfig can be re-run at any time to change Exaquantum DCOM settings. For more
information on QDCOMConfig, see the Exaquantum Engineering Guide Volume 1 –
Administration (IM 36J04A15-01E).
Domain
A collection of computers that are able to share resources using common users and user
groups, administered by a central Domain Controller (DC). A Windows domain can be
running in Mixed or Native mode.
Domain Administration Rights
Privileges assigned to a user account that allow domain wide administration tasks to be
performed. These tasks include the creation and maintenance or Global and Domain Local
User Groups and the creation of Global User Accounts. They also include the creation and
maintenance of Trust Relationships.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

1-4 Chapter 1 Introduction

Domain Local Group

A Windows Security User Group that is only available in a Windows domain running in
Native mode. This group type allows central administration on a domain controller and can
have members from anywhere in the Windows Forest.
Domain Controller
A server that controls Windows domains.
dcomcnfg
The Microsoft Windows program that allows modification of DCOM settings for
applications. This works on two levels. Firstly a set of default settings exist which will be
applied to all applications. These can be overwritten by setting specific DCOM properties
for any or all applications. New applications acquire the default settings unless specific
properties are applied.
Note 1: Any changes made to DCOM settings will only take effect when the computer is
restarted.
Note 2: It is possible to change and customize the default settings.
EXA System
A system where Exaquantum runs.
Exaquantum System
An Exaquantum System is typically distributed across three types of computer. These are an
Exaquantum client, which obtains data from an Exaquantum server, which in turn receives
data from an OPC server. These computers will each belong to a domain or a workgroup,
though not necessarily the same one as the other computers.
Forest
A collection of Windows domains that are linked by virtue of a common schema. Transitive
trust relationships are normally added by default for all domains in the Forest.
Global Account
A user account that is created on a domain and so is available to all computers within that
domain or within other domains that have the correct Trust Relationships.
Global Group
A user group that is created on a domain and so is available to all computers within that
domain. Global Groups can only contain members (security principals) from within the
domain they are created in.
IT Environment
A Windows environment where Exaquantum runs.
IT Security
Security measures for the IT environment to defend and counter current and future security
threats such as cyber terrorism. A security profile defined by Yokogawa for their range of
EXA products providing a consistent configuration to defend these systems.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 1-5

Kerberos Authentication
One of the authentication methods by cipher code. It is used to confirm the identities of the
server and client in networks including the Internet where the communication path is not
secure this is the default method for Windows domains.
Local Account
A user account that is created locally on a computer and so is available only for use on that
particular computer.
Local Administration Rights
Privileges assigned to a user account that allow administration tasks to be performed on a
particular computer. These tasks include the creation and maintenance of Local User Groups
and the creation of Local User Accounts. They also include the ability to install software
and run Windows services such as the Exaquantum Service.
Local Group
A user group that is created locally on a computer (the Exaquantum Server in the case of
Exaquantum). Local Groups within a workgroup can only contain members (security
principals) from the same computer. Local Groups within a domain can contain members
from that domain and any others that have valid Trust Relationships.
Multi-server
The ability to have more than one Exaquantum Server in your system. Each Server must
contain identical user group information.
NIC
Abbreviation of Network Interface Card. This is an interface card that is used to network
terminals.
OPC
Abbreviation of OLE for Process Control. This is a standard interface that supports the
development of the measurement control system using Microsoft COM/DCOM.
PCN
Abbreviation of Process Control Network. Network built for ICS (Industrial Control System)
such as the CENTUM system.
Personal Firewall or Personal F/W
Software Firewall that works on a terminal or a domain server.
Note: This is not limited to the Windows-standard firewall.
Program account
Windows account with a special privilege that enables Exaquantum-related programs to run.
QDCOMConfig
The Exaquantum tool that sets the specific DCOM settings required for Exaquantum. This
application runs silently during installation and can be re-run manually at any stage. For
more information on QDCOMConfig, see “Accessing The Domain Quantumuser Account”
in the Exaquantum Installation Guide (IM 36J04A13-01E).

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

1-6 Chapter 1 Introduction

Security Principle
A User Group, Computer or a User Account, created either locally or globally.
Transitive Trust
Trust Relationships that allow pass-through authentication. This allows security principles
to be authenticated from remote domains. Transitive trust relationships are created by
default when Windows domains are added to a Windows Forest.
Trust Relationship
A method of communicating between two domains whereby a trusting domain allows access
to users of a trusted domain. These are set up using User Manager for Domains. A single
trust relationship requires configuration work on both domains.
User Account
A computer account that can be granted privileges to perform operations on a computer or
computers. Users can be local to a specific computer or global to all computers (domain
only).
User Group
As above, but this allows users to be grouped, which makes attributing privileges easier to
manage. Exaquantum generally attributes privileges by user groups, which are checked by
the Exaquantum Server during normal operation.
User Manager
The Windows program that allows local computer users and user groups to be created and
modified.
User Manager for Domains
This window is similar to the User Manager window but also allows:
 Domain-wide (global) groups and users to be created/modified
 Trust relationships to be created.
Windows Firewall or Win F/W
Windows pre-installed firewall.
Windows service
Program that runs in the background, independently of the logged in user.
Workgroup
A collection of computers that are able to share resources by using matching user accounts
added to each unit.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-1

Chapter 2 Exaquantum Network Administration

2.1 General
It is intended that the customer should use this document to help provide a design
specification for the Exaquantum System Integrator before the system is commissioned.
This chapter defines the scope of supply for the customer and the System Integrator. The
customer needs to define his configuration requirements in simple tables, applying a physical
process type breakdown strategy that the customer will understand. The System Integrator
will expand the customers (design specification) tables into the required Exaquantum system
configuration, applying a best-practice interpretation that the System Integrator will
understand best.
Yokogawa provides the option of installing Exaquantum in the ‘Standard IT security model’
defined for other Yokogawa EXA products to provide a unified security configuration. If this
option is taken (described in Chapter 6 IT Security) then most installation decisions are
defined by the model. If the Legacy option is followed then many more options are open to
integrate the Exaquantum system with existing customer networks and systems.
This chapter describes how the process of configuring Exaquantum can range from easy to
complex, depending on the degree of customization the customer wishes to apply. The
primary advantages of customization are to maximize useful history availability for a given
disk space size, and also to ensure the work performed by Exaquantum is restricted to that
which is genuinely useful, and has genuine business value.
ISA99.00.01 defines security zone as a logical or physical group which share common
security requirements and the same security level.
By making the multiple zones where each zone satisfies different security requirements,
defense-in-depth strategy can be realized.
To communicate between Level 4 and Level 3 of ISA 99.00.01 Reference Model is not
recommended in the Exaquantum system.
(For example: Exaquantum server is level 3, Exaquantum client is level 4)
An OPC server that communicates to Exaquantum is recommended to separate in lower level
by using firewall and L3SW, due to realize defense-in-depth strategy.
Note:
The standard of “ANSI/ISA-99.00.01-2007: Security for Industrial Automation and Control
Systems, Part 1: Terminology, Concepts, and Models” is referenced by this document.
Hereinafter, this standard will be referred to as ISA 99.00.01.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-2 Chapter 2 Exaquantum Network Administration

2.2 Network Guidelines

Exaquantum is a client/server application that operates on Windows. Exaquantum is a client
server system whose default Legacy model and Standard StandaloneWorkgroup model
configuration is designed to work using Local Groups created on the Exaquantum server
though the Standard Domain model makes use of Domain groups. When upgrading a
previous (Legacy) installation that has been configured to work in a Windows domain
environment, some post-installation configuration is required. Refer to the installation guide
for more information on these procedures.
2.2.1 Windows Domains
The domain configuration offers centralized security and administration of users and data,
which can be easier to maintain than the workgroup configuration described later. However,
whenever the system is reconfigured, administrator level access to the domain controller is
required to implement the changes. Where control of IT is centralized this can be a severe problem.
For Exaquantum to operate in a domain environment, an existing Windows domain must be
available in the customer's organization with at least one of the servers acting as a Domain
Controller (DC).
Note: Exaquantum is not supported to run on a Domain Controller.
2.2.2 Windows Workgroups
By default, Exaquantum Legacy model and Standard Standalone model installations use
local groups that will function in a Windows workgroup environment.
The advantage of the Windows workgroup is that a separate domain controller is not
required. However, in a workgroup all the user accounts and passwords must be created on
each client and server, and kept concurrent, this is also true for Groups in a Standard
Standalone model installation.
Note 1: When using Exaquantum with a workgroup, we recommend that the Password Age
is set to Never Expire.
2.2.3 Security Principles
The following network items (known as security principles) are required by an Exaquantum
System:
 User Groups
Windows Security groups that are used to control access to Exaquantum databases.
Exaquantum in the Legacy model has four User Groups (5 in the Standard and
Strengthened models) as standard and can use more if Role-based Namespace is used.
 User Accounts
Windows Log-in accounts used by users to access computers and therefore access
Exaquantum. These accounts are made members of the relevant user groups to control
access.
 Exaquantum Service account (defaults to Quantumuser for the Legacy model and
QTM_PROCESS for Standard and Strengthened models)
A special user account under which the Exaquantum processes run. This user account
must be available to all Exaquantum computers and OPC servers.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-3

2.2.4 Name Resolution

If the end user does not use any common Windows naming resolution methods such as
WINS or DNS, it will be necessary to add an entry to the ‘hosts and ‘lmhosts’ file for the
Exaquantum server on each client.
The location for the ‘hosts’ and ‘lmhosts’ files is:
\%Windir%\system32\drivers\etc.
If they have not already been used, the files may have a .sam extension. Remove this
extension before using the file.
To allow the addition of clients or change the IP Address of the Exaquantum server, the
‘hosts’ and ‘lmhosts’ files will need to be kept up to date. Failure to do so will make
connection to the Exaquantum server impossible.
Recommendations
If the end user has a Windows server on his network using WINS and DNS, allow the
Exaquantum server to use them. This will reduce administration work later.
If the end user requires a few Exaquantum clients, adding the hostname and IP Address of
the Exaquantum server in the local host files will be sufficient, provided they have static IP
addresses and do not use DHCP.
If the end user does not use WINS and DNS, do not add these services to the network for the
purpose of installing the Exaquantum server, use local host files instead.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-4 Chapter 2 Exaquantum Network Administration

2.2.5 Network Topology

Exaquantum is a network intensive application and works best when used on a 1000mbps or
100mbps network running at full duplex to the server. . The choice of the network speed
will largely depend on the existing end user topology.
To make the maximum bandwidth available it is recommended that the Exaquantum server
is installed in an Ethernet switch (the only way you can get full duplex) as opposed to a hub.
This will provide the best performance for client workstations.
10/100/1000 BASE-T or 10BASE-2
Some organizations choose to add their Exaquantum server to the same network segment as
their Exaopc or HIS workstation, which typically run on a segment. This is sufficient,
however, care should be taken not to break the segment or exceed the length and/or the
number of stations on that segment.
This requires two Network Interface controls in the Exaquantum server. The
Exaopc/HIS/EWS will typically be running in a workgroup configuration.
Restricting Exaopc Traffic on the LAN
Typically, a user will not want to link their HIS/Exaopc/EWS LAN to their main site
Ethernet. To support communication with the Exaquantum server a second Network
Interface control is required on the Exaquantum server.
Binding Order of Network Interface Cards
Two Network interface cards can be fitted to an Exaquantum Server, to allow the separation
of the OPC network, and the business layer network. When this is the case, in most instances,
it is recommended that the binding order of the cards is OPC network first.
Networking Protocols
Exaquantum will only operate with the TCP/IP network protocol.
It is possible to run TCP/IP alongside other protocols such as IPX/SPX or NetBEUI,
however, it is recommended that the TCP/IP protocol be given the highest priority in the
order of protocols on the Exaquantum server.
Routers and RAS Connections
Routers are an integral part of many of today’s networks and Exaquantum has been tested
and used in organizations where such configurations exist.
Through the use of RAS it is possible to access Exaquantum data through a conventional phone line.
For speed and performance we recommended the Exaquantum server and its clients are in
the same subnet. If the Exaquantum clients reside in different subnet, try and keep the
number of ‘hops’ to a minimum to maintain performance.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-5

2.2.6 Firewalls
Firewalls are a common device to restrict traffic between networks. If there are any firewalls
between the Exaquantum server and its clients, the following should be noted:
Some Firewalls offer Network Address Translation (NAT) facilities. Exaquantum clients
will not be able to contact an Exaquantum server through the firewall if address translation is
used.
For more details about firewalls and DCOM see section 2.3 Firewall Configuration.
2.2.7 Server Operating System Configuration
The Exaquantum data server requires that the operating system be configured correctly.
There are some simple steps that can be taken to ensure that Exaquantum performance is
optimized. This configuration is recommended for a standard Exaquantum installation,
although there may be reasons why particular services need to run on a specific installation.
The following guide details some of these steps:
Remove Unwanted Services
Services such as DHCP server, WINS Server and DNS Server should not be running on the
Exaquantum server.
NETBEUI Protocol
This is not required by Exaquantum and should ideally be removed. If it has to be installed,
then it must have a lower priority than the TCP/IP protocol that is used by Exaquantum.
Network Monitor
Disable the network monitor from the network cards unless specifically monitoring network
traffic, as this can impede performance.
IP Address
We recommend that the Exaquantum server is issued with a static IP address rather than
having one assigned from the DHCP server.
Virus Checkers
If virus checkers are used on the Exaquantum server, then the checking of the database files
should be disabled, as this will affect performance.
Other Software
The Exaquantum Server should only be used to run Exaquantum. Other software can affect
the performance.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-6 Chapter 2 Exaquantum Network Administration

2.3 Firewall Configuration

2.3.1 Firewall Configuration
This section contains information on how to configure a firewall. The communications links
between components of an Exaquantum based system are shown. Any or all of these may
pass through firewalls.
Figure 2-1 Links between Exaquantum components

The links are numbered and will be described in detail below.

DCOM traffic cannot traverse Network Address Translation (NAT) Firewalls except via a
VPN tunnel; hence neither NAT nor Static NAT should be configured on any of links 1-3, 5 or 8.
Some, more sophisticated, firewalls perform deep packet inspection of DCOM traffic and
may restrict access by Program ID/GUIDs; most are limited to restricting traffic at a Port and
IP Address level.
Each detail section describing a link includes the:
 TCP port numbers and the start and end points of the required communications.
 DCOM port count
NB an Exaquantum Server may be a client to another Exaquantum Server in an RBNS
configuration.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-7

From this information the required Firewall configurations may be derived for standard
configurations. Project specific communication requirements resulting from bespoke code or
additional applications are not covered in this document. A series of sample configurations
follow with worked Firewall configurations.
Assumptions
The clients may be secured using the Windows Firewall.
The DCOM port range used by a Windows system may be restricted from the default 1024-
65535. It should be noted that this restriction is for ALL DCOM use on that system not just
Exaquantum and any other DCOM applications. For this reason it is not recommended to
limit the DCOM port range on Client PCs but only on Server systems. To facilitate decisions
on this, each link’s detail section includes the number of concurrent DCOM processes
required to support the link at each end.
NB. 2 DCOM ports are used for Windows processes so the counts below must be summed
and then add 2 to find the minimum size port range to use on the systems.
Link 1 Exaquantum Server to Exaquantum Explorer client/Administration
Tools Client
This link is split into two components that may be installed together or separately.
 Exaquantum Explorer, Excel Add in and API access
 Exaquantum Administration Tool
These will be dealt with in turn:
Exaquantum Explorer, Excel Add in and API access
Table 2-1 IP address and TCP Port filters link1

From From Port To To Port Description

Explorer */TCP Exaquantum 135/TCP RPC (DCOM) Listener

Client Server

Explorer */TCP Exaquantum 1433/TCP SQL Server communication

Client Server

Explorer */TCP Exaquantum 1024- DCOM dynamically allocated

Client Server 65535/TCP Ports. This range may be
restricted on the server

Exaquantum */TCP Explorer 135/TCP RPC (DCOM) Listener

Server Client

Exaquantum 1433/TCP Explorer */TCP SQL Server communication

Server Client

Exaquantum */TCP Explorer 1024- DCOM dynamically allocated

Server Client 65535/TCP Ports

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-8 Chapter 2 Exaquantum Network Administration

Total DCOM Ports on the Exaquantum Server = 5:

 Quantum.exe
 ExaQuantumExecutive.exe
 QRBNSServerBrowse.exe
 QNameSpaceBrowser.exe
 QHistorian.exe
Table 2-2 IP address and TCP Port filters Link 1a

From From Port To To Port Description

Admin */TCP Exaquantum 135/TCP RPC (DCOM) Listener

Client Server

Admin */TCP Exaquantum 1433/TCP SQL Server communication

Client Server

Admin */TCP Exaquantum 1024- DCOM dynamically allocated

Client Server 65535/TCP Ports. This range may be
restricted on the server

Exaquantum */TCP Admin 135/TCP RPC (DCOM) Listener

Server Client

Exaquantum 1433/TCP Admin */TCP SQL Server communication

Server Client

Exaquantum */TCP Admin 1024- DCOM dynamically allocated

Server Client 65535/TCP Ports

Admin ICMP Exaquantum Allow PING for RBNS Admin

Client Server tool check

Total DCOM Ports on the Exaquantum Server = 3 in addition to the Exaquantum Explorer
client:
 QBuilder.exe
 QAnalyse.exe
 QBFRetriever.exe

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-9

Link 2 Exaquantum Server to OPC server

OPC Classic Server
The restrictions of DCOM port ranges may be applied on both the Exaquantum Server and
the OPC server(s); there is no need for these ranges to be the same size.
Table 2-3 IP address and TCP port filters Link 2 – OPC Classic Server

From From Port To To Port Description

Exaquantum */TCP OPC Classic 135/TCP RPC (DCOM) Listener

Server Server

Exaquantum */TCP OPC Classic 1024- DCOM dynamically allocated

Server Server 65535/TCP Ports. This range may be
restricted on the OPC server

Exaquantum ICMP OPC Classic Allows ping to check for

Server Server functioning OPC server prior to
equalization.

OPC */TCP Exaquantum 135/TCP RPC (DCOM) Listener

Classic Server
Server

OPC */TCP Exaquantum 1024- DCOM dynamically allocated

Classic Server 65535/TCP Ports. This range may be
Server restricted on the OPC server

OPC ICMP Exaquantum Allows ping to check for

Classic Server functioning OPC server prior to
Server equalization.

Total DCOM Ports on the Exaquantum Server = 5

 QOPCDAMgr.exe
 QOPCAEPump.exe
 QOPCPropertyAccess.exe
 QFBRetriever.exe
 QZOPCAECatchup.exe

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-10 Chapter 2 Exaquantum Network Administration

OPC UA Server
The restrictions of DCOM port ranges may be applied on both the Exaquantum Server and
the OPC server(s); there is no need for these ranges to be the same size.
Table 2-4 IP address and TCP port filters Link 2 – OPC UA Server

From From Port To To Port Description

OPC UA */TCP Exaquantum 4840/TCP Port for connecting to

Server Server SMARTDAC+ OPC UA Server
(default)

Exaquantum */TCP OPC UA 4840/TCP Port for connecting to

Server Server SMARTDAC+ OPC UA Server
(default)

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-11

Link 3 Exaquantum Server to Exaquantum Web Server

Table 2-5 IP address and TCP port filters Link 3

From From Port To To Port Description

Exaquantum */TCP Exaquantum 135/TCP RPC (DCOM) Listener

Web Server Server

Exaquantum */TCP Exaquantum 1433/TCP SQL Server communication

Web Server Server

Exaquantum */TCP Exaquantum 1024- DCOM dynamically allocated

Web Server Server 65535/TCP Ports. This range may be
restricted on the Exaquantum
Server

Exaquantum */TCP Exaquantum 135/TCP RPC (DCOM) Listener

Server Web Server

Exaquantum 1433/TCP Exaquantum */TCP SQL Server communication

Server Web Server

Exaquantum */TCP Exaquantum 1024- DCOM dynamically allocated

Server Web Server 65535/TCP Ports This range may be
restricted on the Web Server

Total DCOM Ports on the Exaquantum Server = 5 (none in addition to the Exaquantum
Explorer client).
 Quantum.exe
 ExaQuantumExecutive.exe
 QRBNSServerBrowse.exe
 QNameSpaceBrowser.exe
 QHistorian.exe
Total DCOM Ports on the Exaquantum Web Server = 2.
 Quantum.exe
 W3pw.exe

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-12 Chapter 2 Exaquantum Network Administration

Link 4 Exaquantum Web server to Web Client

Table 2-6 IP address and TCP port filters Link 4

From From Port To To Port Description

Exaquantum */TCP Exaquantum 80/TCP HTTP

Web Client Web Server

Exaquantum 80/TCP Exaquantum */TCP HTTP

Web Server Web Client

Excel Web 34487/TCP Exaquantum 34487/TCP OPC UA Communication

Client Web Server

NB. If the web site is set up to respond on a port other than 80 then amend Table 2-6.
NO DCOM on this link. However, if the full Exaquantum Explorer thick client was installed
and access is possible to the Exaquantum server then the ports as defined for link 1 are
required between the Client and Exaquantum Server as Quantum.exe will connect to the
Exaquantum Server not the Exaquantum Web Server Web service for data.
Link 5 WTS server to Exaquantum Server
This is identical to link 1. Exaquantum Server to Exaquantum Explorer client/Administration
Tools Client.
Link 6 Exaquantum WTS Server to WTS Client
Table 2-7 IP address and TCP port filters Link 5

From From Port To To Port Description

Exaquantum */TCP Exaquantum 3389/TCP WTS protocol

WTS Client WTS Server

Exaquantum 3389/TCP Exaquantum */TCP WTS protocol

WTS Server WTS Client

NB. If the Terminal Server is set up to respond on a port other than 3389 then amend the
above.
No DCOM traffic on this link.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-13

Link 7 Any to Windows Domain Controller

Table 2-8 IP address and TCP port filters Link 7

From From Port To To Port Description

Member */TCP DC 389/TCP Lightweight Directory Access

system Protocol (LDAP)

Member */TCP DC 636/TCP LDAP Secure Sockets Layer

system (LDAP SSL)

Member */TCP DC 3268/TCP LDAP Global Catalogue

system

Member */TCP DC 3269/TCP LDAP Global Catalogue

system Secure Sockets Layer

Member */TCP & DC 53/TCP & Domain Name Service (DNS)

system UDP UDP

Member */TCP & DC 88/TCP & Kerberos

system UDP UDP

Member */TCP DC 445/TCP SMB protocol

system

Member 123/UDP DC 123/UDP Simple Network Time

system Protocol SNTP

DC 389/TCP Member */TCP Lightweight Directory Access

system Protocol (LDAP)

DC 636/TCP Member */TCP LDAP Secure Sockets Layer

system (LDAP SSL)

DC 3268/TCP Member */TCP LDAP Global Catalogue

system

DC 3269/TCP Member */TCP LDAP Global Catalogue

system Secure Sockets Layer

DC 53/TCP & Member */TCP & Domain Name Service (DNS)

UDP system UDP

DC 88/TCP/UDP Member */TCP & Kerberos

system UDP

DC 445/TCP Member */TCP SMB protocol

system

DC 123/UDP Member 123/UDP Simple Network Time

system Protocol SNTP

No DCOM traffic on this link.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-14 Chapter 2 Exaquantum Network Administration

Link 8 Exaquantum Server to OPC Client

Exaquantum may act as an OPC DA & HDA Server to transfer data to a higher level PI
historian via an intermediate Interface server. The PI OPC DA and HDA Interface processes
run on the PI Interface server with some Yokogawa software.
The restrictions of DCOM port ranges may be applied on both the Exaquantum Server and
the PI Interface Server there is no need for these ranges to be the same size.
Table 2-9 IP address and TCP port filters Link 8

From From Port To To Port Description

Exaquantum */TCP PI Interface 135/TCP RPC (DCOM) Listener

Server Server

Exaquantum */TCP PI Interface 1024- DCOM dynamically allocated

Server Server 65535/TCP Ports.

PI Interface */TCP Exaquantum 135/TCP RPC (DCOM) Listener

Server Server

PI Interface */TCP Exaquantum 1024- DCOM dynamically allocated

Server Server 65535/TCP Ports. This range may be
restricted on the Exaquantum
server

Total DCOM Ports on the Exaquantum Server = 3

 ZOPDA.exe
 QOPCHDAServer.exe
 QOPCHAEServer.exe
Link 9 Exaquantum server to DNS server
This is included for completeness in a Windows Workgroup environment where a DNS
server may be used to allow the Exaquantum Server to resolve the IP addresses of the clients
etc.
Table 2-10 IP address and TCP port filters Link 9

From From Port To To Port Description

Exaquantum */TCP & DNS 53/TCP & Domain Name Service (DNS)
Server UDP UDP

DNS 53/TCP & Exaquantum */TCP & Domain Name Service (DNS)
UDP Server UDP

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-15

Link 10 Exaquantum Server to PI Interface Server

Exaquantum may act as an OPC DA & HDA Server; the ProgIDs/GUIDs at the client end
will depend on the client.
The restrictions of DCOM port ranges may be applied on both the Exaquantum Server and
the OPC clients(s); there is no need for these ranges to be the same size.
Table 2-11 IP address and TCP port filters Link 10

From From Port To To Port Description

Exaquantum */TCP OPC Client 135/TCP RPC (DCOM) Listener

Server

Exaquantum */TCP OPC Client 1024- DCOM dynamically

Server 65535/TCP allocated Ports.

OPC Client */TCP Exaquantum 135/TCP RPC (DCOM) Listener

Server

OPC Client */TCP Exaquantum 1024- DCOM dynamically

Server 65535/TCP allocated Ports. This range
may be restricted on the
Exaquantum server

PI Interface */TCP Exaquantum 1433/TCP SQL Server communication

Server Server

Exaquantum 1433/TCP PI Interface */TCP SQL Server communication

Server Server

Total DCOM Ports on the Exaquantum Server = 3

 ZOPDA.exe
 QOPCHDAServer.exe
 QOPCHAEServer.exe

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-16 Chapter 2 Exaquantum Network Administration

Link 11 PI Server to PI OPC Interface Server

The PI OPC Interface PC must transfer the data collected to the PI server.
Table 2-12 IP address and TCP port filters Link 11

From From Port To To Port Description

PI OPC */TCP PI Server 5450/TCP PI Server communication

Interface
Server

PI Server 5450/TCP PI OPC */TCP PI Server communication

Interface
Server

Note: To port Number 5040 on PI Server is default value. In case PI system setting changes
from default value, Port Number need to be set.
Link 12 Exaquantum Server to Exaquantum Server (RBNS)
Exaquantum server to server link for RBNS
Table 2-13 IP address and TCP port filters Link 12

From From Port To To Port Description

Exaquantum */TCP Exaquantum 135/TCP RPC (DCOM) Listener

Server 1 Server 2

Exaquantum */TCP Exaquantum 1024- DCOM dynamically

Server 1 Server 2 65535/TCP allocated Ports.

Exaquantum */TCP Exaquantum 135/TCP RPC (DCOM) Listener

Server 2 Server 1

Exaquantum */TCP Exaquantum 1024- DCOM dynamically

Server 2 Server 1 65535/TCP allocated Ports.

Exaquantum ICMP Exaquantum Allow PING for RBNS

Server 1 Server 2 Admin tool check

Exaquantum ICMP Exaquantum Allow PING for RBNS

Server 2 Server 1 Admin tool check

Total DCOM Ports on the Exaquantum Servers = 2

 QRBNSServerBrowse.exe
 QNamespaceBrowser.exe

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-17

Link 13 Exaquantum Client to Exaquantum Server (RBNS)

Exaquantum client to Exaquantum server for remote RBNS data access
Table 2-14 IP address and TCP port filters Link 13

From From Port To To Port Description

Explorer */TCP Exaquantum 135/TCP RPC (DCOM) Listener

Client Server

Explorer */TCP Exaquantum 1433/TCP SQL Server communication

Client Server

Explorer */TCP Exaquantum 1024- DCOM dynamically allocated

Client Server 65535/TCP Ports. This range may be
restricted on the server

Exaquantum */TCP Explorer 135/TCP RPC (DCOM) Listener

Server Client

Exaquantum 1433/TCP Explorer */TCP SQL Server communication

Server Client

Exaquantum */TCP Explorer 1024- DCOM dynamically allocated

Server Client 65535/TCP Ports

Admin ICMP Exaquantum Allow PING for RBNS

Client Server Admin tool check even if
configuring RBNS on another
server (see link 1)

Total DCOM Ports on the Exaquantum Server = 4:

 Quantum.exe
 ExaQuantumExecutive.exe
 QRBNSServerBrowse.exe
 QHistorian.exe

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-18 Chapter 2 Exaquantum Network Administration

Microsoft Message Queue

If this function is being used the ports identified in Table 2-15 IP address and TCP port
filters MSMQ are used, NB this does not use DCOM but does use RPC and port 135 to
allow a client to identify the port(s) that mqsvc.exe is listening on. The machine to machine
links that require access on these ports will depend on the MSMQ configuration and may be
all within a single Exaquantum server or separated over multiple Windows servers and
administrative clients. See http://support.microsoft.com/?id=178517 for details.
Table 2-15 IP address and TCP port filters MSMQ

From From Port To To Port Description

Event */TCP MSMQ 135/TCP RPC (DCOM) Listener

Source Queue
Manager

MSMQ */TCP MSMQ 1801/TCP Message traffic and internal

Queue Queue session management traffic
Manager Manager

Any */TCP MSMQ 2101/TCP RPC-based MQIS and

MSMQ PC Queue Active Directory lookups
(this could
Server alternatively be
2112, /TCP if
2101 is already
taken)

Any */TCP MSMQ 2103/TCP Remote reads of Queues

MSMQ PC Queue 2105/TCP (the actual port to connect to
Server or is obtained from port 135
independent (these could
Client alternatively be above)
2114 and
2116/TCP if
the above are
already taken)

Any */TCP MSMQ 389/TCP LDAP lookups

MSMQ PC Queue
Manager

Any */UDP Any MSMQ 3527/UDP MSMQ Ping

MSMQ PC PC

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-19

Example Network Topologies

Sections Exaquantum in DMZ (De-Militarized Zone) and Exaquantum, WTS server and
Web server in DMZ illustrate the use of the information in previous sections to define actual
firewall configurations for two typical network topologies.
Exaquantum in DMZ (De-Militarized Zone)
The DMZ is illustrated as having two, separate, firewalls though it could be configured with
a single device with three network connections.
Figure 2-2 Exaquantum in DMZ

1 Domain
Controller 8
Exaquantum Explorer 7 OPC
& Admin Client Client
Firewall
A

Exaquantum
Server

Firewall
B

2
OPC
Server
(workgroup)

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-20 Chapter 2 Exaquantum Network Administration

From the sections from Link 1 Exaquantum Server to Exaquantum Explorer

client/Administration Tools Client, the following may be seen as the configuration
requirements:
Firewall A
Links of Type 1, 7 and 8 leading to the following port mapping (initially assuming no
restriction on the DCOM port mapping).
Table 2-16 IP address and TCP port filters Exaquantum in DMZ A

From From Port To To Port Description

Explorer */TCP Exaquantum 135/TCP RPC (DCOM) Listener

Clients Server

Explorer */TCP Exaquantum 1433/TCP SQL Server communication

Clients Server

Explorer */TCP Exaquantum 1024- DCOM dynamically allocated

Clients Server 65535/TCP Ports. This range may be
restricted on the server

Exaquantum */TCP Explorer 135/TCP RPC (DCOM) Listener

Server Clients

Exaquantum 1433/TCP Explorer */TCP SQL Server communication

Server Clients

Exaquantum */TCP Explorer 1024- DCOM dynamically allocated

Server Clients 65535/TCP Ports

Admin */TCP Exaquantum 135/TCP RPC (DCOM) Listener

Clients Server

Admin */TCP Exaquantum 1433/TCP SQL Server communication

Clients Server

Admin */TCP Exaquantum 1024- DCOM dynamically allocated

Clients Server 65535/TCP Ports. This range may be
restricted on the server

Exaquantum */TCP Admin 135/TCP RPC (DCOM) Listener

Server Clients

Exaquantum 1433/TCP Admin */TCP SQL Server communication

Server Clients

Exaquantum */TCP Admin 1024- DCOM dynamically allocated

Server Clients 65535/TCP Ports

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-21

From From Port To To Port Description

Exaquantum */TCP OPC Client 135/TCP RPC (DCOM) Listener

Server

Exaquantum */TCP OPC Client 1024- DCOM dynamically allocated

Server 65535/TCP Ports.

OPC Client */TCP Exaquantum 135/TCP RPC (DCOM) Listener

Server

OPC Client */TCP Exaquantum 1024- DCOM dynamically allocated

Server 65535/TCP Ports. This range may be
restricted on the Exaquantum
server

Exaquantum */TCP DC 389/TCP Lightweight Directory Access

Server Protocol (LDAP)

Exaquantum */TCP DC 636/TCP LDAP Secure Sockets Layer

Server (LDAP SSL)

Exaquantum */TCP DC 3268/TCP LDAP Global Catalogue

Server

Exaquantum */TCP DC 3269/TCP LDAP Global Catalogue

Server Secure Sockets Layer

Exaquantum */TCP & DC 53/TCP & Domain Name Service (DNS)

Server UDP UDP

Exaquantum */TCP & DC 88/TCP & Kerberos

Server UDP UDP

Exaquantum */TCP DC 445/TCP SMB protocol

Server

Exaquantum 123/UDP DC 123/UDP Simple Network Time Protocol

Server SNTP

DC 389/TCP Exaquantum */TCP Lightweight Directory Access

Server Protocol (LDAP)

DC 636/TCP Exaquantum */TCP LDAP Secure Sockets Layer

Server (LDAP SSL)

DC 3268/TCP Exaquantum */TCP LDAP Global Catalogue

Server

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-22 Chapter 2 Exaquantum Network Administration

From From Port To To Port Description

DC 3269/TCP Exaquantum */TCP LDAP Global Catalogue

Server Secure Sockets Layer

DC 53/TCP & Exaquantum */TCP & Domain Name Service (DNS)

UDP Server UDP

DC 88/TCP/UDP Exaquantum */TCP & Kerberos

Server UDP

DC 445/TCP Exaquantum */TCP SMB protocol

Server

DC 123/UDP Exaquantum 123/UDP Simple Network Time Protocol

Server SNTP

Firewall B
Link of type 2 (initially assuming no restriction on the DCOM port mapping).
Table 2-17 IP address and TCP port filters Exaquantum in DMZ B

From From Port To To Port Description

Exaquantum */TCP OPC Server 135/TCP RPC (DCOM) Listener

Server

Exaquantum */TCP OPC Server 1024- DCOM dynamically allocated

Server 65535/TCP Ports. This range may be
restricted on the OPC server

OPC Server */TCP Exaquantum 135/TCP RPC (DCOM) Listener

Server

OPC Server */TCP Exaquantum 1024- DCOM dynamically allocated

Server 65535/TCP Ports. This range may be
restricted on the Exaquantum
server

If HIS are to be used as Exaquantum clients the configuration of Firewall B will need to be
extended to include link type 1 ports and it may be considered worthwhile to restrict the
DCOM port range on the HIS’s to 9 plus any other required for non Exaquantum links in use.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-23

DCOM Port restrictions

To reduce the scope of the ‘holes’ in the firewalls, the DCOM ranges on the Exaquantum
and OPC servers may be restricted.
Table 2-18 DCOM Port Count
Exaquantum Server

Source and Link number Count Comments

2 Windows Processes

Link 1 5 Data access Client

Link 1 3 Administration Client

Link 2 5 OPC link

Link 8 2 OPC Client

Total 17

OPC Server
Dependent on the OPC server – 3 for Exaopc CS3000 cassette with HDA.
Exaquantum, WTS server and Web server in DMZ
Figure 2-3 Exaquantum, WTS server and Web in DMZ

Domain
Controller
WTS Client Web Client 4
7 6 Firewall A
Exaquantum
Web Server

DMZ WTS
Server
Firewall B 5

2 Exaquantum
OPC Server
Server

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-24 Chapter 2 Exaquantum Network Administration

Firewall A
Links of type 4, 6 & 7 leading to the following port mapping (initially assuming no
restriction on the DCOM port mapping).
Table 2-19 IP address and TCP port filters Exaquantum and web in DMZ A

From From Port To To Port Description

Exaquantum */TCP Exaquantum 80/TCP HTTP

Web Client Web Server

Exaquantum 80/TCP Exaquantum */TCP HTTP

Web Server Web Client

Exaquantum */TCP Exaquantum 3389/TCP WTS protocol

WTS Client WTS Server

Exaquantum 3389/TCP Exaquantum */TCP WTS protocol

WTS Server WTS Client

Member */TCP DC 389/TCP Lightweight Directory Access

system Protocol (LDAP)

Member */TCP DC 636/TCP LDAP Secure Sockets Layer

system (LDAP SSL)

Member */TCP DC 3268/TCP LDAP Global Catalogue

system

Member */TCP DC 3269/TCP LDAP Global Catalogue

system Secure Sockets Layer

Member */TCP & DC 53/TCP & Domain Name Service (DNS)

system UDP UDP

Member */TCP & DC 88/TCP & Kerberos

system UDP UDP

Member */TCP DC 445/TCP SMB protocol

system

Member 123/UDP DC 123/UDP Simple Network Time

system Protocol SNTP

DC 389/TCP Member */TCP Lightweight Directory Access

system Protocol (LDAP)

DC 636/TCP Member */TCP LDAP Secure Sockets Layer

system (LDAP SSL)

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-25

From From Port To To Port Description

DC 3268/TCP Member */TCP LDAP Global Catalogue

system

DC 3269/TCP Member */TCP LDAP Global Catalogue

system Secure Sockets Layer

DC 53/TCP & Member */TCP & Domain Name Service (DNS)

UDP system UDP

DC 88/TCP/UDP Member */TCP & Kerberos

system UDP

DC 445/TCP Member */TCP SMB protocol

system

DC 123/UDP Member 123/UDP Simple Network Time

system Protocol SNTP

Firewall B
Link of type 2 (initially assuming no restriction on the DCOM port mapping).
Table 2-20 IP address and TCP port filters Exaquantum and web in DMZ B

From From Port To To Port Description

Exaquantum */TCP OPC Server 135/TCP RPC (DCOM) Listener

Server

Exaquantum */TCP OPC Server 1024- DCOM dynamically allocated

Server 65535/TCP Ports. This range may be
restricted on the OPC server

OPC Server */TCP Exaquantum 135/TCP RPC (DCOM) Listener

Server

OPC Server */TCP Exaquantum 1024- DCOM dynamically allocated

Server 65535/TCP Ports. This range may be
restricted on the Exaquantum
server

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-26 Chapter 2 Exaquantum Network Administration

DCOM Port restrictions

To reduce the scope of the ‘holes’ in the firewalls the DCOM ranges on the Exaquantum and
OPC servers may be restricted.
Table 2-21 DCOM Port Count
Exaquantum Server

Source and Link number Count Comments

2 Windows Processes

Link 3 & 5 5 Data access via Web server

Link 5 3 Administration Client via WTS server

Link 2 5 OPC link

Total 15

NB Links 3 and 5 count even though they do not go through a firewall as they come out of
the DCOM port pool
OPC server
Dependent on the OPC server – 3 for Exaopc CS300 cassette with HDA.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-27

2.3.2 Deep Packet Inspection Firewall Configuration

This section provides the technical information on how to configure firewalls capable of
deep packet inspection for DCOM traffic by GUID. Examples of such firewalls include:
 Microsoft’s ISA server
 Checkpoint Firewall One
The section on 2.3.1 Firewall Configuration must be read in conjunction with this section
to cover the simple IP packet level filtering also required.
The communications links between components of an Exaquantum based system are shown.
Any or all of these may pass through firewalls. Those that contain DCOM traffic are shown
in Figure 2-4.
Figure 2-4 Links between Exaquantum components

The links are numbered and will be described in detail in the following sections.
Each detail section describing a link includes:
 ProgIDs and GUIDs for DCOM communication
From this information the required Firewall configurations may be derived for standard
configurations. Project specific communication requirements resulting from bespoke code or
additional applications are not covered in this document.
Note: An Exaquantum Server may be a client to another Exaquantum Server in an RBNS
configuration.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-28 Chapter 2 Exaquantum Network Administration

Link 1 Exaquantum Server to Exaquantum Explorer client/Administration

Tools Client
This link is split into two components that may be installed together or separately.
 Exaquantum Explorer, Excel Add in and API access
 Exaquantum Administration Tool
These will be dealt with in turn:
Exaquantum Explorer, Excel Add in and API access
Table 2-22 GUIDs and ProgIDs Link 1

DCOM Process ProgID & GUID Location

Quantum.exe Quantum.Broker.1 Exaquantum
Server
{455E1DAC-48C5-11D2-8E65-
00C04FA2F82C}
Quantum.Session.1
{DA2141A4-5DC5-11D2-8E70-
00C04FA2F82C}
Quantum.Session2.1
{50DE9C27-8BCF-48B7-B85A-
463AEB2863BE}
ExaquantumExecutive.exe ExaQuantumExecutive.Executive.1 Exaquantum
Server
{A3A150CD-01F4-11D3-AC0C-
00C04FA767C0}
QRBNSServerBrowse.exe RBNSServerBrowse.RBNSBrowse.1 Exaquantum
Server
{4C8823B6-E801-493E-859C-
A8234858B1BD}
QNameSpaceBrowser.exe QNamespaceBrowser.Browse2.1 Exaquantum
Server
{36EA7642-3ABB-11D4-9311-
00104BAA756F}
QHistorian.exe QHistorian.Historian.1 Exaquantum
Server
{F3E4AB3E-6E46-11D2-8A20-
00C04FA2F681}
MXXLDataSelector.exe MXXLDataSelector.CMXXLDataSelector Exaquantum
Client
{9FBC8945-AD5A-4251-9A0B-
0B86DFB6A1B}

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-29

DCOM Process ProgID & GUID Location

Quantum.exe Quantum.Broker.1 Exaquantum
Client
{455E1DAC-48C5-11D2-8E65-
00C04FA2F82C}
Quantum.Session.1
{DA2141A4-5DC5-11D2-8E70-
00C04FA2F82C}
Quantum.Session2.1
{50DE9C27-8BCF-48B7-B85A-
463AEB2863BE}
QExplore.exe Exaquantum
Client
LiveExplore Exaquantum
Client
Excel Exaquantum
Client
Query Wizard Exaquantum
Client
Server Manager Exaquantum
Client
Any other code using the Exaquantum
API or OLE/DB Client

NOTE that where the location in Table 2-19 specifies “Exaquantum Client”, it is not possible
to define a GUID or Prog ID in these cases, as they are dynamic DCOM callbacks, and it is
possible to run more than one instance of the associated DCOM Process.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-30 Chapter 2 Exaquantum Network Administration

Exaquantum Administrator Tools

Table 2-23 GUIDs and ProgIDs Link 1

DCOM Process ProgID & GUID Location

All as for the Exaquantum Exaquantum Server
Explorer client section 0
QBuilder.exe QBuilder.FBBuilder Exaquantum Server
{1AD16D6F-5995-11D4-A9E3-
00C04FA2E45C}
QBuilder.TagBuilder
{1AD16D60-5995-11D4-A9E3-
00C04FA2E45C}
QAnalyse.exe QAnalyse.FBAnalyser.1 Exaquantum Server
{AEB1CEA0-5992-11D4-9AED-
00C04FA767C0}
QAnalyse.TagAnalyser.1
{26F2CDAE-46BA-11D4-9AD9-
00C0FA767C0}
QFBRetriever.exe QFBRetriever.cCandidates Exaquantum Server
{BAB8A4FB-42D4-11D4-A0D8-
00C04F7949E9}
QFBRetriever.cReadFile
{242E5780-C500-4F11-AD3E-
F741B4061B6D}
QFBRetriever.TagMaintenance
{0E4094B7-6E48-49FD-AAAC-
C70F3BD6B054}
QArchive.exe Qarchive.Archive.1 Exaquantum Server
{69EB68E6-8F59-11D2-9473-
00C04FA2F82A}
QEventHandler.exe QeventHandler.APEventServer.1 Exaquantum Server
{EA864370-6687-11D4-B97B-
00C04FCD0ADC}

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-31

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-32 Chapter 2 Exaquantum Network Administration

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-33

Link 4 WTS server to Exaquantum Server

This is identical to link 1. Exaquantum Server to Exaquantum Explorer
client/Administration Tools Client.
Link 5 Exaquantum Server to OPC Client
Exaquantum may act as an OPC DA & HDA Server; the ProgIDs/GUIDs at the client end
will depend on the client.
Table 2-26 GUIDs and ProgIDs Link 8
DCOM Process ProgID Location
ZOPDA.exe Yokogawa.ExaopcDAEXQ.1 Exaquantum Server
{7C55C23F-4A01-43AD-B517-
B7DA3B25EECB}
QOPCHDAServer.exe QOPCHDAServer.HDAServer.1 Exaquantum Server
{E42A32A3-BDD8-40A5-9388-
2ADE4CC9AAA3}
QOPCHDAServer.HDAServerEx.1
{2A2165B5-7291-4F60-BD5B-
DB6EB554E777}
QOPCHAEServer.exe QOPCHAEServer.HDAServer_PIAE.1
{A297E742-2EA3-463E-BD63-
46C6555391AE}
Dependent on the OPC OPC Server
client software, One for
DA, possibly one for
HDA

Link 6 Exaquantum Server to PI Interface

This link is the same as Link 5.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-34 Chapter 2 Exaquantum Network Administration

Client Windows Firewall Configuration (Legacy Mode only)

With the Windows Operating systems (supported by Exaquantum), Microsoft provided a
software firewall. The control is to restrict inbound connections, and additionally, outbound
connections. The Firewall may be used to secure clients in an Exaquantum system.
This section deals with the setting up of incoming connections only. For Exaquantum clients,
it is recommended to use the default settings for outbound connections. If it is necessary to
modify the outbound settings (for example where sites have a Domain Security Policy), then
this should be undertaken only by an Administrator with appropriate knowledge.
Notes
1. An Exaquantum Server may be a client to another Exaquantum Server in an RBNS
configuration.
2. The firewall is configured automatically for Standard Mode security
To permit the client to connect to the server the following port needs to be added to the
exceptions list of the firewall.
Table 2-27 Windows Firewall configuration – Ports

Port Description Note

135 TCP RPC (DCOM) listener To allow the call back to connect
to DCOM and establish the call.

The following applications need to be added to the exceptions list of the firewall to allow the
call back transfer of historical data (see How to setup the Windows Firewall for instructions
on how to do this):
Table 2-28 Windows firewall configuration Programs

Application Location Notes

MMC WINDOWS\system32\mmc.exe Used by

Exaquantum Admin
Tools

Exaquantum Explorer <Installation Needed when

Folder>\ Explorer\QExplore.exe requesting historical
data.

Exaquantum Quantum <Installation Main

Module Folder>\ System\Quantum.exe communication
module to the server

Exaquantum <Installation Folder>\ Developer Needed when

LiveXplore Tools\LiveXplore.exe requesting historical
data.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-35

Application Location Notes

Exaquantum System <Installation Folder>\ Developer Needed for call back

Events Viewer Tools\SysEventsViewer.exe when requesting tag
value.

MXXLDataSelector.exe <Installation For historian call

Folder>\System\ MXXLDataSelector.exe back to provide data
to the in data
selector trend tool

Microsoft Excel <Microsoft Office Install Needed when

Folder>\ Excel.exe (typically located in requesting historical
the following folder) data.
In case of Microsoft Excel 2010
C:\Program Files (x86)\Microsoft
Office\OFFICE14
In case of Microsoft Excel 2013
C:\Program Files (x86)\Microsoft
Office\OFFICE15
In case of Microsoft Excel 2016
C:\Program Files (x86)\Microsoft
Office\OFFICE16

EQTagDefOutput.exe <Installation Needed of PI

Folder>\PIConnect\EQTagDefOutput.exe Interface
configuration

NetworkTest.exe <Installation Needed to run a

Folder>\System\NetworkTest.exe series of network
health checks when
configuring server
connection

Note1: Anything that uses the OLE/DB provider to retrieve historical data needs to be
added to the above list e.g. Crystal Reports.
Note2: Any user defined API that requests historical data should also be added to the list.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-36 Chapter 2 Exaquantum Network Administration

Server Windows Firewall Configuration (Legacy Mode only)

With the Windows Server Operating systems (supported by Exaquantum), Microsoft
provides a software firewall to restrict inbound connections and outbound connections.
The Firewall may be used on Exaquantum Servers systems. Note that client tools may be run
on a server and may require connections to other servers in a multi-server configuration.
This section deals with the setting up of incoming connections only. For Exaquantum
Servers, it is recommended to use the default settings for outbound connections (no
restriction). If it is necessary to modify the outbound settings (for example where sites have a
Domain Security Policy), then this should be undertaken only by an Administrator with
appropriate knowledge based on the details provided in Section 2.3 Firewall Configuration.
To permit clients to connect to the server, the port in Table 2-29 needs to be added to the
exceptions list of the firewall.
Table 2-29 Windows Firewall configuration – Ports

Port Description Note

135 TCP RPC (DCOM) listener To allow the client to connect to DCOM and
establish the call.

1433 TCP SQL Server Allow client access to the SQL server

The applications in Table 2-30 Table 2-30 Windows Firewall configuration Programsneed
to be added to the exceptions list of the firewall to allow the call back transfer of historical
data (See How to setup the Windows Firewall for instructions on how to do this):
Table 2-30 Windows Firewall configuration Programs

Application Location Notes

MMC WINDOWS\system32\mmc.exe Used by

Exaquantum
Admin Tools

Exaquantum Explorer <Installation Needed when

Folder>\ Explorer\QExplore.exe requesting
historical data.

Exaquantum Quantum <Installation Folder>\ System\Quantum.exe Main

Module communication
module to the
server

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-37

Application Location Notes

Exaquantum LiveXplore <Installation Folder>\ Developer Needed when

Tools\LiveXplore.exe requesting
historical data.

MXXLDataSelector.exe <Installation For historian call

Folder>\System\ MXXLDataSelector.exe back to provide
data to the in data
selector trend tool

Exaquantum System <Installation Folder>\ Developer Needed for call

Events Viewer Tools\SysEventsViewer.exe back when
requesting tag
value.

Microsoft Excel <Microsoft Office Install Needed when

Folder>\ Excel.exe (typically located in requesting
the following folder) historical data.
For Microsoft Excel 2010
C:\Program Files\Microsoft
Office\OFFICE14
For Microsoft Excel 2013
C:\Program Files\Microsoft
Office\OFFICE15
For Microsoft Excel 2016
C:\Program Files\Microsoft
Office\OFFICE16

ExaquantumExecutive.exe <Installation Needed for client

Folder>\ System\ExaquantumExecutive.exe connection

QRBNSServerBrowse.exe <Installation Needed for client

Folder>\ System\ QRBNSServerBrowse.exe RBNS browsing

QNameSpaceBrowser.exe <Installation Needed for client

Folder>\ System\ QNameSpaceBrowser.exe tag browsing

QHistorian.exe <Installation Needed for client

Folder>\ System\ QHistorian.exe Historian access

QBuilder.exe <Installation Needed for Admin

Folder>\ System\ QBuilder.exe Tools running of
Tag Build

QAnalyse.exe <Installation Needed for Admin

Folder>\ System\ QAnalyse.exe Tools running of
Tag Build

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-38 Chapter 2 Exaquantum Network Administration

Application Location Notes

QFBRetriever.exe <Installation Needed for Admin

Folder>\ System\ QFBRetriever.exe Tools running of
Tag Build

QOPCDAMgr.exe <Installation Needed for OPC

Folder>\ System\ QOPCDAMgr.exe Server callback

QOPCDAPump.exe <Installation Needed for OPC

Folder>\ System\ QOPCDAPump.exe Server callback

QOPCPropertyAccess.exe <Installation Needed for OPC

Folder>\ System\ QOPCPropertyAccess.e Server callback
xe

QZOPCAECatchup.exe <Installation Needed for OPC

Folder>\ System\ QZOPCAECatchup.exe Server callback

QArchive.exe <Installation Used by Admin

Folder>\ System\ QArchive.exe Tools

QEventHandler.exe <Installation Used by Admin

Folder>\ System\ QEventHandler.exe Tools

EQTagDefOutput.exe <Installation Needed for PI

Folder>\PIConnect\EQTagDefOutput.exe Interface
configuration

NetworkTest.exe <Installation Needed to run a

Folder>\System\NetworkTest.exe series of network
health checks
when configuring
server connection

Exaquantum OPC UA <Installation Folder>\OPC UA Exaquantum Web

Server.exe Server\ Exaquantum OPC UA Server.exe Server – provides
data to Excel
running on a Thin
client

Note1: Anything that uses the OLE/DB provider to retrieve historical data from another
server needs to be added to the above list e.g. Crystal Reports.
Note2: Any user application that utilizes the Exaquantum API to request historical data
from another server should also be added to the list.
Note3: When Rollbase View is constructed among multiple PIMS Server, “File and printer
share (echo requirement – ICMPv4 receive)” need to be valid on PIMS Server.
Note4: When Excel workbook which saved on PIMS Server from client will be shared,
“445/TCP (receive)” need to be valid on PIMS Server.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-39

How to setup the Windows Firewall

This section covers all Windows Operating Systems that are supported by Exaquantum.
Start the ‘Windows Firewall with Advanced Security’ snap in, from either the
Administrative Tools window, or the Server Manager. This can also be stated by opening the
WFAS snap in to MMC.
Once the snap in is open it will look as Figure 2-5.
Figure 2-5 WFAS Snap in

Then to add a rule open inbound rules and then select ‘add a new rule’ to invoke the wizard
as shown in Figure 2-6.
Figure 2-6 Add a Rule

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-40 Chapter 2 Exaquantum Network Administration

Adding a Program Rule

To add a program rule allowing DCOM connection to a particular program follow the steps
shown in Figure 2-7 Add a Program Rule to Figure 2-11 Name the Rule.
Figure 2-7 Add a Program Rule

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-41

Figure 2-8 Select the Program Location

Figure 2-9 Allow the Connection

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-42 Chapter 2 Exaquantum Network Administration

Figure 2-10 Specify When the Rule Applies To

Figure 2-11 Name the Rule

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-43

Adding a Port Rule

To add a Port Rule choose the port option and follows the steps from Figure 2-12 to Figure
2-13:
Figure 2-12 Port Rule Option

Figure 2-13 Specify the Port

The remaining steps are identical to the Program rule.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-44 Chapter 2 Exaquantum Network Administration

Amending an existing Rule

To amend an existing rule select it and double click then edit in the properties box as shown
in Figure 2-14. From here additional definitions for the rule may be added, for example
specifying which source computers the inbound rule applies to etc.,
Figure 2-14 Edit a Port Exception

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-45

2.3.3 Setting the Restriction of Ports for DCOM

This procedure should be carried out on the Exaquantum/PIMS server. Port ranges do not
have to be restricted on the client machine. In restricting the ports on the Exaquantum server
the firewall can be configured to only be open to incoming traffic on these ports to the
dedicated IP address of the Exaquantum server. All out going ports 1024-65535 should be
open.
If other applications are using DCOM the port requirements for each application should be
taken into consideration.
1 Start Component Services, from the Administrative Tools.
2 Click to expand the Component Services and Computers nodes. Right-click My
Computer and then click Properties.
3 On the Default Protocols tab, click Connection-oriented TCP/IP in the DCOM
Protocols list box, and then click Properties.
4 In the Properties for COM Internet Services dialog box, click Add.
5 In the Port range text box, add a port range (for example, type 5000-5080), and then
click OK.
6 Leave the Port range assignment and the Default dynamic port allocation options set
to Internet range.
7 Click OK three times, and then restart the Exaquantum/PIMS server computer.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-46 Chapter 2 Exaquantum Network Administration

2.4 Configuring Exaquantum for VPN Network Connections

Overview
A Virtual Private Network (VPN) connection allows users at a remote location away from
the site to connect securely to a private LAN or WAN via a public network such as the
Internet. This type of connection masks the communications by providing encryption of the
contents and wrapping it in a different address while in transit over the public network. Extra
configuration will probably be required at each end of the VPN connection in order that the
two computers can still locate each other through the masking process. This chapter explains:
 Some of the concepts behind the VPN system,
 Configuring Exaquantum to cope with reduced network functionality
 Checking system functionality.
VPN Connection Process
In a system that provides a full Domain Name Service (DNS), and in which any intervening
Firewalls have been configured correctly, an Exaquantum system should work normally over
a VPN without any extra configuration.

The following procedure summarizes the how a normal VPN connection works:
The client PC makes a connection to the public Internet.
The client attempts to establish a secure connection to the remote VPN server.
If the authentication is satisfactory, the VPN server will issue the client with an IP address
within the same sub-net as the Exaquantum server. This is address is only valid within the
local network; it is not the ‘real’ IP address of the client (as seen on the Internet).
The Exaquantum server will be able to communicate with the remote client using this
address, while the VPN server facilitates the routing to the real address of the client.
In the opposite direction, the client will communicate with the Exaquantum server via the VPN
server which will perform the necessary routing. The client will use the VPN to access the name
resolution service (DNS) facilities provided on the destination network to locate the server.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-47

However, if there is no DNS available, the system will have to be configured differently,
which is discussed in the next section.
Configuring Exaquantum for VPN with no DNS
There are two methods that can be used that approach the problem from different angles:
Using IP address - This method uses IP addresses instead of computer names, which
requires that a change be made to both the Exaquantum settings in the client PC, and to
the Windows Registry on each Exaquantum server.
Using computer names - This method continues to use names as usual. The only change
required is that the ‘hosts’ file on the client is modified to map the IP address of each
Exaquantum server to the correct name.
Configure to use IP addresses
There are two or three stages to enabling this system, which depends if there is more than
one Exaquantum server:
Client configuration
On the client PC using the VPN connection:
1 Establish a VPN connection from the client to the VPN server.
2 Open the Exaquantum Server Manager.
3 In the Primary Server box, replace the server’s name with the server’s IP address.
4 If your system uses a secondary server, in the Secondary Server box, replace the server’s
name with the server’s IP address.
Figure 2-15 Exaquantum Server Manager – Primary Server

5 To check that the connection can be established, click on the Test button for each server
configured and confirm the status is ‘Running’.
6 Select OK to close the Server Manager Tool.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-48 Chapter 2 Exaquantum Network Administration

Server Configuration
In a normally configured system, the Exaquantum server passes its host name to the clients.
Without a DNS to resolve this name, the client will be unable to locate the server. To
overcome this problem, the server must be configured to pass the IP address instead.
This change requires editing the Windows registry. Before making any changes to the registry
it is recommended that you have a full working backup of your system. If you are not confident
with making such changes, you should contact your Yokogawa support representative.
The name is set in four places:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node
\Quantum\Client\DesignatedServer
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node
\Quantum\DB\QConfigServer
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node
\Quantum\Server\Historian\ HistorianAdminServer
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node
\Quantum\Server\Historian\ HistorianDataServer

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-49

To configure the Primary Exaquantum server:

1 Open the Registry Editor
2 For each of the registry keys noted above, in the key’s data, replace the server name with
the equivalent IP address.
Figure 2-16 Registry Editor

3 Close the Registry Editor.

4 The changes will not take effect until the Exaquantum Server is stopped and restarted.
Ensure there are no clients connected, and then use the Exaquantum Server Manager
Tool.
5 Click on the Stop button to stop the service. After a short pause the service status will
change to ‘Stopped’.
6 When it becomes available, click on the Start button to restart the service. The status will
change to ‘Running’.
Figure 2-17 Exaquantum Services Manager

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-50 Chapter 2 Exaquantum Network Administration

Multiple Server environment

In addition to the above, in a multi-server environment the other servers will also have to be
identified by the Primary server using their IP addresses. This is achieved using the Servers
tool on the Primary Server.
On the Primary Exaquantum Server:
1 Log on to the server using an account with QAdministrator privileges, such as the
QuantumUser account.
2 Open the Exaquantum Administration Tools.
3 Navigate the tree on the left to locate Console Root -> Yokogawa Exaquantum ->
System Configuration -> Servers.

Figure 2-18 Exaquantum Administration Tools

4 For each of the servers listed, change the Computer name to the equivalent IP address.
5 Close the Administrative Tools window.
6 The changes will not take effect until the Exaquantum Server is stopped and restarted.
Ensure there are no clients connected, and then use the Exaquantum Server Manager
Tool.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 2-51

Configure to use host names

In this situation, the only configuration necessary is to provide the client with some means of
resolving the NetBIOS host names provided by the server. This is achieved by adding the
appropriate entries to the ‘hosts’ file on the client PC. In a standard installation using the
default locations, the ‘hosts’ file can be found at:
\%Windir%\system32\drivers\etc.
In order to complete this configuration you will need to know the host names and IP
addresses of all the Exaquantum servers to be accessed.
To add the servers to the ‘hosts’ file on the client PC:
1 Open the hosts file with a text editor such as Notepad.
2 To the existing entries in the ‘hosts’ file, add a line for each Exaquantum server on the
system, in the form: <IP address> <name>.
For example: 192.168.100.1 MyServer1
192.168.100.2 MyServer2
3 Save the changed host file and close the text editor. The changes take immediate effect.
Test the changes by using the Ping command against the servers in the form:
ping <name>.
For example, in a console window type:
ping MyServer1 .
Troubleshooting VPN
Failure to connect
There are two main reasons why a VPN connection fails to work, which are listed below. To
help diagnose what is causing the problem in any particular case, work through the sections
later in this chapter.
No DNS
In systems where DNS is not available, this system will not work as the client will be unable
to resolve the server name. No error messages will be given, but the usual symptom is that
the client cannot access any of the product client tools, and in most cases, only the splash
screen will be displayed.
Firewall
Another possible cause of failure is a Firewall, situated between the two computers that is
restricting some of the communications ports required by Exaquantum.
Determining the Cause
There are two stages to diagnosing the problem:
Verifying network connectivity – Check that there is a suitable network path between
the two computers.
Verifying DNS functionality – Check that the DNS is available to the client PC.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

2-52 Chapter 2 Exaquantum Network Administration

Verifying network connectivity

The purpose of this test is to determine if there is a suitable network path between the client
PC and Exaquantum server machines.
First, establish a VPN connection between the client PC and the VPN server. When
connected, open a console window on the client PC and type:
ping <Exaquantum Server IP Address>
There should be a series of responses from the server addressed. The whole event will be
something like:
C:\>ping 172.10.20.31
Pinging Exaq1 [172.10.20.31] with 32 bytes of data
Reply from 172.10.20.31: bytes=32 time<1ms TTL=128
Reply from 172.10.20.31: bytes=32 time<1ms TTL=128
If there was no response, the problem could be that a Firewall is blocking the ICMP protocol
used to perform the ‘ping’ function; check this with the network administrator.
Verifying DNS functionality
The purpose of this test is to establish that the client PC can access the DNS on the
destination network. It is assumed that the VPN connection between the client and VPN
server is working, and that the network connectivity has been tested is passed.
First, establish a VPN connection between the client PC and the VPN server. When
connected, open a console window on the client PC and type:
Nslookup <Hostname Of Exaquantum Server>
The DNS should respond with the IP address of the Exaquantum server. The whole event
will be something like:
C:\>nslookup Exaq1
Server: pluto.corp.yokogawa-marex.com
Address: 172.10.20.100

Name: Exaq1.corp.yokogawa-marex.com
Address: 172.10.20.31
In the example above, the IP address in question is the second one, 172.10.20.31.
If there is no response from the DNS then either:
 If you know there is a functioning DNS available on the remote network then there may
be a fault in the configuration.
 There is no DNS available, and you will have to reconfigure the Exaquantum system for
working on such a system as described earlier in this chapter.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 3-1

Chapter 3 Specifying Your Configuration During Installation

(Legacy Model)
During installation Local User Groups are created automatically.
3.1 Installation Basics
Exaquantum requires four user groups to control access to the database, and the Exaquantum
Service account initially called quantumuser to control the connection between the server
and the clients.
Basic Exaquantum User Groups
There are four basic Security Groups used by Exaquantum:
Table 3-1 Exaquantum Security Groups

Security Group Comment

QAdministratorGroup Allows change to the Exaquantum database, equalization,
creating tags and data writing.
QExplorerDesignGroup Allows Exaquantum/Explorer to be opened in Design
mode, to allow the creation and/or modification of
Exaquantum/Explorer documents.
QDataWriteGroup Specifically allows data writing, but not the other
privileges of QAdministratorGroup
QUserGroup Allows access to Exaquantum. All members of the above
groups MUST belong to this group.

Advanced Exaquantum User Groups

It is possible to allow access to certain tags based on a user’s role. Administrators may be
able to view tags from all over the plant, but an Operator in Area 1, for example, would only
view tags in Area 1. This is controlled by an extension of the security model called Role-
Based Namespace and requires additional user groups to control access. Refer to the
Exaquantum/PIMS User’s Manual (IM 36J04A11-01E) for more information.
Membership of User Groups
The user groups will contain the user accounts that will be allowed the abilities particular to
the group. Therefore all accounts to be added must be available to these groups so that they
can be added. Alternatively, local copies of the user accounts can be created in the same
location as the user groups. These copies must have the same password as the originals.
Availability of Exaquantum Service Account
The Exaquantum Service account must be available to all Exaquantum computers. This can
be achieved by making it a domain account accessible by all Domain computers, or by
creating local copies of the account on each Exaquantum computer. All copies of the
Exaquantum Service account must have the same password.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

3-2 Chapter 3 Specifying Your Configuration During Installation (Legacy Model)

Exaquantum Security Model

Exaquantum is a network-based product and involves managing databases to store and allow
retrieval of process data. Access to the databases must be controlled to allow only
authenticated users access. The security model used for Exaquantum is comprehensive,
allowing a flexible and solid degree of both general and role-based security. At the
cornerstone of this security model are Windows Security Groups.
The Exaquantum Security Model applies to both the Exaquantum Data Server and the
Exaquantum Web Server. Both servers use the same installation mechanism to comply with
the security model.
Exaquantum Security Model – Description
There are two parts to establishing a connection within Exaquantum:
There are two requirements:
 Availability of the Exaquantum Service account
 Membership of the QUserGroup.
Note: Membership of other groups is needed to perform special operations but this is
omitted from this example for clarity.
The Exaquantum Service account is the account as which the server side processes run.
When a client connects to the server a DCOM response is made from the Server side
processes, DCOM on the client must recognize the Exaquantum Service account to allow
them to connect.
The second aspect of connection is the membership of User Groups. To allow basic
access to Exaquantum, all users must be members of the QUserGroup.
Example: a login takes place on an Exaquantum client computer by a user with a login
account of John_Smith. DCOM on the server first checks the QUserGroup for a member
called John_Smith. If a match is found a return DCOM connection running as the
Exaquantum Service account is made to the client where DCOM will check that it
recognizes the Exaquantum Service account. For more details see Chapter 4 DCOM and
Network Security in Exaquantum.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 3-3

3.2 Adding Users to User Groups

There are two ways of adding the user account to the user group. These two methods
give rise to the two Security Models, the Domain Configuration and the Workgroup
configuration. There is a third configuration. This is a Workgroup configuration
within a domain.
Note: The examples below give a basic understanding of security concepts. The methods
described do not reflect the way that the software works in detail.
3.2.1 Domain Authentication
In a domain all user accounts can be created globally. As such they are available to all
computers in the domain. To add a user account to the user group, the user group is accessed
on the Domain controller and the account added using the appropriate tool. All accounts are
controlled centrally, which offers an administrative saving. The Exaquantum Service
account is also created globally in the domain, and so is available to all computers in the
domain. This ensures that Exaquantum processes will run correctly.
The User Groups are created locally on the Exaquantum Server(s) but should contain Global
groups as members allowing control of access to be managed from the Domain Controllers.
3.2.2 Workgroup Authentication
Workgroup Authentication works through matching local users/passwords on the client and
server; where these match the client user is treated as if it were the matching server user.
Workgroup authentication works whether the client and server are in a domain or workgroup.
In the case where the client is a domain member with a domain user logged on and the server
is in a workgroup configuration the domain user is treated as if it was a local user on the
client and compared for name and password with any local users on the server.
Therefore all user accounts used for Exaquantum access are duplicated on the Exaquantum
server, where the user groups are created. These duplicated user accounts are then added to
the local user groups. It should be noted, however, that there is considerably more
administration to perform as each account needs to be added to each computer that requires it.
Additionally, password changes must be performed on each instance of the user account.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

3-4 Chapter 3 Specifying Your Configuration During Installation (Legacy Model)

3.3 Creating the Exaquantum Groups and Users Manually

Role-Based Namespace (RBNS) Groups
It is possible to control the tags that each operator can view. This is done by creating
additional groups that further control access to the Exaquantum databases.
Each RBNS view is based on membership of one Windows security group. This group
should normally be created in the same place as your four standard Exaquantum User
Groups but can be created in a different location. Exaquantum supports groups in different
locations including a combination of locations. Therefore you can have RBNS views based
on groups created locally on the Exaquantum server as well as views based on groups
created on the local or external domains.
For more information, refer to "User account and Groups" in the Exaquantum Installation
Guide (IM 36J04A13-01E).
The RBNS configuration tool (located within Administration Tools of Exaquantum) allows
selection of Windows security groups from any location available on the network. However,
you will need some knowledge of the group type and restrictions, as these are not detailed by
the configuration tool. The following table should help you plan your RBNS group set-up:
Table 3-2 RBNS Group Set-Up
Group Type Group Location Potential Members
Local Group Exaquantum Server Local Accounts on the Exaquantum Server
Global Accounts on the Exaquantum server’s domain
Global Accounts on external domains (subject to
trust relationship)
Global Group Domain Controller Global Accounts on the same domain
Global Groups on the same domain
Domain Domain Controller Global Accounts on the same domain
Local Group Global Groups on the same domain
Domain Local Groups on the same domain
Global Accounts on a trusted domain
Global Groups on a trusted domain

This may require the assistance of your network administrator. RBNS group creation is
covered in more detail in the Exaquantum/PIMS User’s Manual (IM 36J04A11-01E).

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 3-5

EXA Account Password Setting

It may be necessary, due to site security policy, to change the EXA Account. This is done
using the tool:
<Exaquantum Installation Folder>\Exaquantum PIMS\System\ExaAccountSetting.exe.
The tool must be run with as a user who has local administration rights. Additionally, on
Windows Server Operating systems, the tool must be run with elevated rights: right mouse
click on ExaAccountSetting.exe, and select Run as Administrator from the pop-up menu.
Note: If the EXA user account is changed, previous user name will not be deleted
automatically. Hence, please delete previous EXA account name manually, ensuring that this
name is not still used by other applications or packages.
For further information please refer to Installation Guide (EXA Account Setting).
3.4 OPC Servers Set-up
The OPC servers must also be configured to allow connection to an Exaquantum Server.
The only requirement is that the Exaquantum Service account is also available to each OPC
server. There are two ways this can be achieved.
3.4.1 Using a global user account
If your Exaquantum System is configured to use global security principles and the OPC
server has access to these, no action needs to be taken. This is the case if the OPC server is
in the same domain as the Exaquantum Server and a global Exaquantum Service account has
been configured. For all other cases you will have to create a local copy of the Exaquantum
Service account.
If you do not know if the account exists you can try to log on to the OPC server using the
Exaquantum Service account and password, specifying the correct domain. If you cannot
log on then you will have to create the account locally.
3.4.2 Using a local user account
If the OPC server does not have access to a global Exaquantum Service account, you must
create a local account. This must have the same password as the Exaquantum Service
account used by the Exaquantum Server.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

3-6 Chapter 3 Specifying Your Configuration During Installation (Legacy Model)

This page intentionally left blank

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 4-1

Chapter 4 DCOM and Network Security in Exaquantum

(Legacy Model)
Exaquantum uses DCOM for all network communication. This chapter gives some
technical details of how the Exaquantum components are configured to allow secure
network communication.
Figure 4-1 shows components and how they communicate in a typical system comprising:
 A Client running Exaquantum/Explorer or the Exaquantum Administration Tools
 A Server running the Exaquantum Server components
 An OPC Server running Exaopc.
Figure 4-1 Communication Links in a Typical Exaquantum System
Client OPC Server

Client

OPC
Quantum.exe Server

Server

OPC
Clients

Quantum.exe

SQL Server

Client - Process running in computer - Internal communications

Tab
- Physical computer boundary - External communications

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

4-2 Chapter 4 DCOM and Network Security in Exaquantum (Legacy Model)

The internal communications are shown for completeness but are not of significance to the
DCOM communications discussion.
Each of the External communications routes must be allowed, in terms of DCOM
communication security, for Exaquantum to function. The following tables show how the
Exaquantum installation adjusts the DCOM settings to allow each of the external
communication routes.
Each physical computer has DCOM settings for the entire computer as follows:
Table 4-1 DCOM Settings

Physical Computer How security is configured

Server or Client The following settings remain as they are set on the PC (i.e.
Exaquantum does not alter them):
Default Authentication Level (default set to Connect.)
Default Impersonation Level (default set to Identify.)
OPC Server Default Authentication Level set to None.
This is the Exaopc installation setting.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 4-3

Each individual Process has some specific DCOM settings to aid communications as
follows:
Table 4-2 DCOM Settings

Process Responsibility How security is configured

Quantum.exe (Server) Manages RTDB and data Set to run as a specific user.
communications to client. (Exaquantum Service Account
(Default is Quantumuser))
Quantum.exe (Client) Provides the Client ‘gateway’ Set to run as the interactive user
into Exaquantum. All data so this process runs as different
returned from the RTDB users depending on who is logged
passes through this process on to the Client Computer.
on its way from Server to
Client.
Client Cache Management Manages caching of tag Set to run as a specific user.
(QClient.exe) (Server) identifiers and configuration (Exaquantum Service Account
data. This reduces the load on (Default is Quantumuser))
the server database and
network.
Client Cache Management Manages caching of tag Set to run as the interactive user
(QClient.exe) (Client) identifiers and configuration so this process runs as different
data. This reduces the load on users depending on who is logged
the server database and on to the computer.
network.
OPC Clients Reads and writes OPC data to Authentication level is
(OPCDAMgr.exe) the OPC Server. programmatically set to ‘NONE’
to allow communication with the
OPC Server.
Set to run as a specific user.
(Exaquantum Service
Account(Default is
Quantumuser))
OPC Clients Reads Alarm and Event data Authentication level is
(OPCAEPump.exe) from the OPC Server. programmatically set to ‘NONE’
to allow communication with the
OPC Server.
Set to run as a specific user.
(Exaquantum Service Account
(Default is Quantumuser))
OPC Clients Reads the list of Function Set to run as a specific user.
(QFBRetriever.exe) Blocks from the OPC Server (Exaquantum Service
during Equalization. Account (Default is
Quantumuser))

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

4-4 Chapter 4 DCOM and Network Security in Exaquantum (Legacy Model)

Process Responsibility How security is configured

OPC Clients Reads reference data Authentication level is
(QOPCPropertyAccess.exe) (engineering limits, units, programmatically set to ‘NONE’
etc.) from the OPC server. to allow communication with the
OPC Server.
Set to run as a specific user.
((Exaquantum Service Account
(Default is Quantumuser))
Reporting Logs information and error Set to run as a specific user.
(QReporter.exe) messages to the event log or ((Exaquantum Service Account
log file. (Default is Quantumuser))
Historian Reading and writing of data Set to run as a specific user.
(QHistorian.exe) to and from the Historian data (Exaquantum Service Account
store. (Default is Quantumuser))
Historian Archiving Manages the creation, back- Set to run as a specific user.
(QArchive.exe) up and restoring of historian (Exaquantum Service
data. Account(Default is
Quantumuser))
Tag Builder Manages the creation, Set to run as the interactive user
(QBuilder.exe) deletion and modification of so this process runs as different
tags, function blocks and users depending on who is logged
folders. on to the computer.
Tag Analyzing Analyses the changes to be Set to run as the interactive user
(QAnalyse.exe) made from the current so this process runs as different
configuration database when users depending on who is logged
creating, deleting or on to the computer.
modifying tags, function
blocks and folders.
Event Management Receives events from the Set to run as a specific user.
(QEventHandler.exe) OPC Alarm and Event (Exaquantum Service Account
components and takes action (Default is Quantumuser))
based on the system
configuration.
Recalculation Recalculation of Set to run as a specific user.
(QReclcEngine.exe) Aggregations for late arriving (Exaquantum Service
data. Account( Default is
Quantumuser))

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 4-5

Table 4-3 shows how the Exaquantum installation adjusts the DCOM settings to allow each
of the external communication routes:
Table 4-3 DCOM Settings

Route Typical information How security is configured

exchanged
Client Quantum.exe to Asynchronous DCOM Access Permissions for the
Server Quantum.exe requests for RTDB Server are set to include a group
and History data containing all Client Users
(QUserGroup).
Quantum.exe set to use these defaults.
Server Quantum.exe to Data from the Server DCOM Access Permissions for the
Client Quantum.exe is returned to the Server are set to include the Exaquantum
Client via call-backs. Service user account.
Quantum.exe set to use these defaults.
OPC Clients to OPC Server Asynchronous DCOM Authentication Level is set to
requests for OPC ‘NONE’ by OPC clients.
Data.
Clients to SQL Server Configuration Security login added for SQL Server for a
information. group containing all client users
(QUserGroup).

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

4-6 Chapter 4 DCOM and Network Security in Exaquantum (Legacy Model)

This page intentionally left blank

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 5-1

Chapter 5 Network Diagnostic Tool

5.1 Overview
A number of Exaquantum systems exhibit communication failures between Exaquantum
Servers, other Exaquantum Servers and Exaquantum Clients. These failures are reported in
the Windows Application Event log. They arise from a number of sources:
 Historian Client Query failures
 Historian Data call-back failures
 Client connection monitoring failures from Exaquantum Executive
 Exaquantum Server Manager connection failure

To allow better help in diagnosing the potential causes of communication failures,

functionality is provided to allow administrators better diagnosis of network communication
issues. This comprises:
 For Exaquantum Servers and Combined Servers, the utility NetworkTest
 For Exaquantum Clients, and Web Servers, a network test facility from the Server
Manager
NOTE: Network Diagnostic Tool supports IP4 addresses only; IP6 is not supported.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

5-2 Chapter 5 Network Diagnostic Tool

5.2 NetworkTest Utility

The NetworkTest utility is installed on Exaquantum servers only. It is located in the
Developer Tools folder (under the Exaquantum root folder). On launching, the Network test
dialog is displayed – see Figure 5-1.
Figure 5-1 Network Test utility

The Server should be entered; the IP address and FQDN fields are optional; if these are
blank when running the test, they will be filled in automatically.
The Test button will run the network tests, and the results will be shown in the output field.
The OK button will save the log file settings and close the application.
The Cancel button will close the application, without saving any changes.
The results of the test can be saved to a text file, by checking Output to Log file, and using
the Log File Path browse button to specify the output folder + file.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 5-3

5.3 Server Manager

The Server Manager provides a basic and advanced check of connection health to an
Exaquantum Server from:
 Exaquantum Client
 Exaquantum Web Server
The Exaquantum Server Manager (Figure 5-2 ) is available from the Exaquantum menu.
Figure 5-2 Server Manager

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

5-4 Chapter 5 Network Diagnostic Tool

The Test button runs a basic connection test to either the Primary or Secondary server
The Network Test button starts the Exaquantum Network Test dialog (Figure 5-3); this runs
detail connection tests to either the Primary or Secondary server
Figure 5-3 Network Test (Client)

After starting up the NetworkTest dialog, the server name will be filled in – it will contain
the name of the primary or secondary server. The IP Address and FQDN fields are optional;
if these are blank when running the test, they will be filled in automatically.
The Test button will run the network tests, and the results will be shown in the output field.
The OK button will save the log file settings and return to the Server manager dialog.
The Cancel button will return to the Server Manager dialog, without saving any changes.
The results of the test can be saved to a text file, by checking Output to Log file, and using
the Log File Path browse button to specify the output folder + file.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 5-5

5.4 Test Detail

This section describes that test output from the Network Test Dialog. The dialog in Figure
5-4 shows its output, divided into 4 numbered sections. Each Numbered section is described
in the succeeding text.
Figure 5-4 Network Test output detail

1 Ping test
Conventional ping to the specified IP address.
2 DNS, name – IP address resolution
This has two functions:
1. Confirmation that DNS is working
2. Report of what IP address DNS reports for the specified server name

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

5-6 Chapter 5 Network Diagnostic Tool

3 DNS, IP – name resolution

1. Report of what name DNS reports for the specified IP address
4 Attach to remote Quantum Session, and create a callback to client.
This test has two functions, which verify connectivity from Client to Server, and then back
from Server to the Client.
1. Tests that a connection can be made to the Quantum Session running on the specified
server
2. Following a successful test, the Quantum Session on the specified remote server will
execute a callback test to the client (where the Network Test Dialog is running).

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 6-1

Chapter 6 IT Security
6.1 Overview
This chapter is a guide for introducing IT (Information Technology) security to the EXA
system in order to defend against and counter current and future security threats.
Two security models are offered to minimize, wherever possible, the effects of IT security
introduction on the configuration and operation of the current system.
These models are based on the general configuration of all Yokogawa’s EXA products. The
application of these models requires the examination of the current system, engineering
activities and operations.
6.1.1 Positioning of this Guide
This chapter targets engineers who install the Exaquantum system and examine its operation.
The security provided is capable of defending against attacks on the Exaquantum system by
a third party who does not have specialized knowledge in IT and uses only generally
available devices or tools.
Four topics are covered in this chapter:
 Introduction to IT Security
 The IT Security Setting Tool
 How to change the IT Security model
 Configuration where there is co-existence of EXA products

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

6-2 Chapter 6 IT Security

6.1.2 Introduction to IT Security

Security Threats
There are a number of possible security threats, with which the IT Security is designed to
handle. These are classified as follows:
1. Attack over a network
Threat of a negative impact on the system brought about by an unauthorized person from
Business Network/DMZ/PCN via a network, which causes the leakage of critical data.
2. Direct attack by operating a terminal
Threat of a negative impact on the system or removal of critical data by an unauthorized
person operating a terminal.
3. Theft of critical data
Threat that arises when a terminal or critical data is stolen and the data is analyzed.
4. Direct attack that operates client terminal on Business Network
Impact on the System or removal of data by a non-privilege person on a client terminal on
the Business LAN.
Figure 6-1 System configuration of IT security target

The unit of the network shown in the block of the above-mentioned chart is called a security
zone. The security zone is a logical or a physical group, with a common security requirement
and the same security level. The defense is improved using a Hierarchy of zones with
different security settings.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 6-3

6.1.3 Prerequisites to IT Security

The handling of security-related software used in this document is shown as follows.
Table 6-1 Prerequisites

Item Policy

IT security The IT security (standard model) is configured Exaquantum R2.60.00

or later at the installation stage.
Versions prior to Exaquantum R2.60 were secured by individual
engineering.

Wireless network The use of the wireless network for terminal access is not considered.

Anti-virus software Only the anti-virus software (*) that is approved by the Yokogawa
Electric Corporation is to be used. Moreover, it is necessary to verify
each update before use on a test terminal to check for unanticipated
effects of new scan engine and Pattern file update.

Windows security Please carry out installation for security patches according to
patch customer's security policy.
(Service pack is Security patches should be applied, following Exaquantum
contained.) Installation. We strongly recommend applying security patch on
Exaquantum system as soon as is feasibly possible.

Windows Auto The Auto Update function of Windows cannot be used.

Update function

Unverified software The installation and the use of programs that are not verified by the
Yokogawa Electric Corporation is prohibited.

Domain server A freshly configured or an existing Domain and Domain Controller

are required when Domain User Management is to be used.
Individual engineering is necessary when operating it with domain.

(*)
McAfee VirusScan Enterprise 8.8i
Symantec Endpoint Protection 11, 12

McAfee VirusScan Enterprise is the official anti-virus software in Yokogawa.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

6-4 Chapter 6 IT Security

6.2 Security measures and security model

To oppose the security threats defined in the preceding section, three security models are
offered, which offer different levels of protection:
If Strengthened Model is required, please contact your local Yokogawa representative.
 Legacy
 Standard
 Strengthened
6.2.1 Security measures
The IT Security covers 6 areas of identified threats:
 Access control
 Tuning of Personal F/W
 Change in SQL server service account
 Stop unnecessary Windows services
 Setting change of information technology environment
 Security of Web server

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 6-5

6.2.2 Security Models

When installing Exaquantum R2.60 or later, you can choose to configure the Legacy or
Standard model by using the IT Security Setting Tool.
Table 6-2 Security Models

Legacy Model Standard model

Feature Model that gives The Model has features to counter "Attack over the
priority to network" and "Direct attack from terminal operation”
consolidation of consideration must be given to Exaquantum operation
previous version and with another System (Exaopc and CENTUM, etc.)
products not "Theft of critical data" will not be opposed by the
supporting ‘IT Standard Model, due to low threat considering from
security’ models.
Exaquantum feature.

Adjustment On installation On installation Exaquantum R2.60.00 or later, ‘IT

means Exaquantum Security’ can be selected Legacy or Standard model.
R2.60.00 or later,
‘IT Security’ can be
selected Legacy or
Standard model.

NOTE: Security Model Combination

All Exaquantum systems in the same installation must have the same security model.
For example, the following combination is not allowed.
- Exaquantum Server (Legacy Model) + Exaquantum Client (Standard Model).

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

6-6 Chapter 6 IT Security

Security model and security type

The security restrictions corresponding to each security model are shown in the following
table.
Table 6-3 Security Type

Security type Legacy Model Standard model

Access control × YY

Tuning of Personal F/W × YY

Change in SQL server service account × YY

Stop unnecessary Windows services × ×

Setting change of information technology × Y

environment

Security of Web server × YY

×: Not implemented
YY: implemented (set by IT Security Setting Tool)
Y: implemented (set manually)

Note: Considering the security type, when applying the group policy, the defining Group
policy, the following precedence should be used
- Tuning of Personal F/W
- Stop unnecessary Windows services
- Setting change of information technology environment

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 6-7

6.2.3 How to Use IT Security Setting Tool

This tool is for use in the following situations:
 When changing security level is required.
 When returning the settings operated manually to the default.
 After installing another EXA package that supports IT Security such as Exapilot,
ExaOPC, Exaplog
The IT security setting tool is available on:
 Exaquantum PIMS Server
 Exaquantum Combined Server
 Exaquantum Web Server
 Exaquantum Client.
 PI OPC Interface (Exaquantum-PI connection feature)
The tool is not available on an Exaquantum Web Client

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

6-8 Chapter 6 IT Security

The following steps provide information for the general use of the tool. Section 6.2.4
Changing the Security Model provides the detail for specific scenarios.
1 The user for executing the IT security setting tool differs depending on the current
security model and user management. Log on in the appropriate user as detailed in
Section 6.2.4 Changing the Security Model, before running the IT Security setting
tool.

IMPORTANT
When a user with no administrative privilege starts up this tool or one who does not belong
to EXA_MAINTENANCE group, an error dialog is displayed.

2 Stop Exaquantum, and all related processes.

IMPORTANT
Terminate all client window before IT security tool execution. Current executing
Exaquantum and EXA service such as Exa Boss, PM Logd will be stopped.

3 Select "IT security setting" menu from the Windows start menu.
"Start" - "YOKOGAWA EXA" - "Security" -"IT security setting"
Note: Do not use Security Setting Change Tool for Exaopc. From Windows Start Menu –
[YOKOGAWA EXA] – [Security].
4 A dialog box to select the package(s) to which to apply Security settings is displayed.
Checks are done on the Security settings of all packages that support ‘IT Security’.
Because the Security settings are necessary for all packages when the security model is
changed, the check cannot be removed.
TIP: A check mark is attached for all the packages currently installed with supporting IT
security setting.
5 "Selection of the security model" dialog box is displayed. Select the appropriate type of
IT security, and click "Next" button.
TIP: A security model currently set is selected.

IMPORTANT
 "Standard model (domain)" cannot be selected with PC that is not a member of a
domain.
 Only models that the user has privilege to change can be selected.
 When "Standard model (stand-alone)" is selected for a PC that participates in a
Windows domain, the following dialog boxes are displayed. Click the “OK”
button.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 6-9

6 Perform operations according to the selected security model.

TIP: The Security Settings window allows the user to select security items to be configured
in the computer. As long as there is no particular reason, select the check boxes of all
security items. If a model which is different from the currently-set Security Model is selected,
all security items need to be configured. Leave all security items as they are selected.
 When "Legacy Model" or "Standard model (stand-alone)” is selected, the Security
settings window is displayed. It is recommended that all items be checked
 When "Standard model (domain)" is selected, the Security settings window displays the
current domain name
Click Set button.
7 A dialog box to acknowledge if the EXA package can be stopped is displayed.
Clicking No closes the dialog box and returns to step 6.

IMPORTANT
When selecting standard (Domain) and a required user group is not created on the domain
server, an error message is displayed.
Click OK button and create a required user group on the domain server, then performs from
step 3.

8 When the Security setting is started, the progress bar is displayed under the left of the
Security settings item dialog box.
9 After the setting is done, the dialog box is displayed.
Click OK to reboot the PC.
NOTE: When the settings end abnormally, the dialog box is displayed. Click OK to end
the IT Security Tool.
Collect information necessary for the analysis with the EXA package information
gathering tool, and give the query to YOKOGAWA.

IMPORTANT
Any manual changes performed since the last run of the IT security setting tool or
installation may be lost following the running of this tool. These will need to be made again.

Note: On the Exaquantum/PIMS Server, Monitoring is performing by using Status

Monitoring Tool, partial setting needs to be changed manually. Refer to Chapter 18 Status
Monitoring Tool in Exaquantum Engineering Guide Volume 3 - Support Tools
(IM36J04A15-03E).

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

6-10 Chapter 6 IT Security

6.2.4 Changing the Security Model

If the current Security Model is changed, the user needs to have both execution authorities,
before change and after change.
To give user the appropriate permission, refer to “Section 2.26 User Group Generation
before Installation” in IM36J04A13-01E Exaquantum Installation Guide.
Legacy or Legacy Secure Lockdown to Standard (Workgroup)
Conditions
 Login user must be in the following groups:
o Local Administrators
o Local EXA_MAINTENANCE
Steps
1. Login as the appropriate user
2. Run the IT Security setting tool
3. Delete the local accounts quantumuser and EXA (if running on a server)
4. Reboot the PC
Legacy or Legacy Secure Lockdown to Standard (Domain)
Conditions
 The machine must be a member of the Domain.
 The set of groups, detailed in Section 2.11 of the Installation Guide, must have been
created on the Domain.
 Login user must be in the following groups:
o Local Administrators
o Domain EXA_MAINTENANCE
Steps
1. Login as the appropriate user
2. Run the IT Security setting tool
3. Delete the local accounts quantumuser and EXA (if running on a server)
4. Reboot the PC

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 6-11

Standard (Workgroup) to Legacy

 Login user must be in the following groups:
o Local Administrators
o Local EXA_MAINTENANCE
 Change password policy, detailed in Section 10.22 “Password Policy Setting (Legacy
Model)” of the Installation Guide.
Steps
1. Login as the appropriate user
2. Run the IT Security setting tool
3. Reboot the PC
Standard (Domain) to Legacy
 Login user must be in the following groups:
o Local Administrators group
o Local EXA_MAINTENANCE_LCL
 Change password policy, detailed in Section 10.22 “Password Policy Setting (Legacy
Model)” of the Installation Guide.
Steps
1. Login as the appropriate user
2. Run the IT Security setting tool
3. Reboot the PC
4. Optionally, remove the machine from the Domain
5. Remove the groups from the Domain, listed in Section 2.9 “User Account and Group” of
the Installation Guide.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

6-12 Chapter 6 IT Security

Standard (Workgroup) to Standard (Domain)

Conditions
 The machine must be a member of the Domain.
 The set of groups, detailed in Section 2.9 “User Account and Group” of the
Installation Guide, must have been created on the Domain.
 Login user must be a domain user
 Login user must be in the following groups:
o Local Administrators
o Domain EXA_MAINTENANCE
o Local EXA_MAINTENANCE
Steps
1. Login as the appropriate user
2. Run the IT Security setting tool
3. Reboot the PC
4. Remove the local groups, listed in Section 2.9 (User Account and Group of the
Installation guide).
Standard (Domain) to Standard (Workgroup)
 Login user must be in the following groups:
o Local Administrators
o Local EXA_MAINTENANCE
o EXA_MAINTENANCE_LCL
Steps
1. Login as the appropriate user
2. Run the IT Security setting tool
3. Reboot the PC
4. Optionally, remove the machine from the Domain
5. Remove the groups from the Domain, listed in Section 2.9 (User Account and Group of
the Installation guide).

Note: On the Exaquantum/PIMS Server, Monitoring is performed by using the Status

Monitoring Tool; partial setting needs to be changed manually. Refer to Chapter 18. Status
Monitoring Tool in Exaquantum Engineering Guide Volume 3 - Support Tools
(IM36J04A15-03E).

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 6-13

6.2.5 Collaborating with Other Products

This section describes the procedures required for linking the Exaquantum with the other
YOKOGAWA solution-based software packages.
All descriptions are for the Exaquantum server only; no settings are required for an
Exaquantum client.
Refer to the coexistence and connection instructions in the manuals for the other packages in
parallel with this document.
Two configurations are considered for each package.

Coexistence Operating environment where Exaquantum server and other packages

operate on the same PC.
Connection Operating environment where Exaquantum server and other packages
operate via a network with another PC.
Note: Exaquantum does not support the new Combination management Model in IT security.
 Security Model
If Exaquantum coexists with another product, please set same security model on the each
product.
When Exaquantum coexists with Exaopc R3.70 or later, Exapilot R3.90 or later, Exaplog
R3.40 or later, Exasmoc R4.03 or later, Exarqe R4.03 or later, Platform for Advanced
Control and Estimation R5.01 or later, please set “Legacy Model.”. This is because the IT
Security Setting tool is different between Exaquantum and the other products.
If Exaquantum coexist with other products which do not support IT Security, the Security
model should be set to Legacy on Exaquantum.
 User Management
If Exaquantum coexists or connects with another product, please set same User Management.
If the Security Model or User Management is different to another product, Exaquantum will
not run correctly.
Products other than Exaquantum support Combination Management; Exaquantum does not
support this mode. For a description of Combination Management, please refer to the
documentation of these other products.
Exaquantum in legacy mode is supported in a domain environment. However other products
do not support this arrangement. If it is required for other products to connect with
Exaquantum running in this way, please use the Standalone procedure (documented in the
following tables) for the other products.
 About the Exaquantum execution account
To create the Exaquantum service account “QTM_PROCESS” on a remote PC use the,
"Process execution account making tool". This is included on the Exaquantum prerequisite
DVD (Disc 1), execute the tool from the DVD on PC that requires the account.

<DVD>:TOOLS\CreateQTMProcess.exe

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

6-14 Chapter 6 IT Security

 Integration Code:
Integration code described on and after this page is a code assigned to each combination of
Yokogawa system products.
If Exaquantum is combined with other product, confirm the assigned integration code
described in both manuals. The last two digits of an integration code is a revision number of
combination information, meaning that a larger number indicates a newer revision of a
product. If Exaquantum and other product of the latest version are combined, perform setup
according to the procedure with a larger number.
(Example) The underlined number is a Rev number.
0103-0201-03-01
Exaopc
For the Standard Model matching Exaquantum and Exaopc service accounts are required on
both systems. For the standard model ,the accounts must be members of the particular group.
The "Process execution account making tool" from the Exaopc product CD is used to create
the OPC_PROCESS user.

<DVD->: EXA\TOOLS\CreateOPCProcess.exe

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 6-15

 Exaopc R3.70.00 or later (Integration Code: 0801-0401-03-03)

NOTE. Exaquantum and Exaopc R3.70.00 or later can only coexist in Legacy mode. This is
because the two products have different versions of the IT Security Setting tool.

Coexistence.
Standalone Management Domain Management
1 Exaquantum No special settings are necessary Not Applicable
Legacy Exaopc
2 Exaquantum Not supported Not supported
Standard Exaopc

Connection.
Standalone Management Domain Management
1 Exaquantum Standard Create the User Account
Create the User Account
"OPC_PROCESS", and place it in the
"OPC_PROCESS", and place it in
user group "QTM_OPC_LCL".
the user group "QTM_OPC".
Exaopc Standard Create the User Account
Create the User Account
"QTM_PROCESS", and place it in the
"QTM_PROCESS", and place it in
user group "OPC_USER_LCL".
the user group "OPC_USER".
2 Exaquantum Standard Create Exaopc Process account (Default
Create Exaopc Process account
EXA). It must have a matching password
(Default EXA). It must have a
with Exaopc Server, and place it in the
matching password with Exaopc
user group "QTM_OPC_LCL".
Server, and place it in the user
group "QTM_OPC".
Exaopc Legacy Not Applicable
Create the User Account
"QTM_PROCESS".
3 Exaquantum Legacy Create the local User Account
Create the User Account
“OPC_PROCESS”
“OPC_PROCESS”
Exaopc Standard Create the User Account "quantumuser".
Create the User Account
It must have a matching password with
"quantumuser". It must have a
Exaquantum Server, and place it in the
matching password with
user group "OPC_USER_LCL".
Exaquantum Server, and place it in
the user group "OPC_USER".
4 Exaquantum Legacy Create Exaopc process local account
Create Exaopc process account
(default EXA). It must have a
(default EXA). It must have a
matching password with the Exaopc
matching password with the
server.
Exaopc server.
If Exaopc process execution account is
If Exaopc process execution
EXA, no need to create it.
account is EXA, no need to create
it.
Exaopc Legacy Not Applicable
Create the User Account
"quantumuser" and with a password
matching the Exaquantum Server.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

6-16 Chapter 6 IT Security

 Exaopc R3.60.00
NOTE. Exaquantum and Exaopc R3.60.00 cannot coexist on the same PC. This is because
the two products have different versions of the IT Security Setting tool.

Connection.
Standalone Management Domain Management
1 Exaquantum Standard Create the User Account Create the User Account
"OPC_PROCESS", and place it in "OPC_PROCESS", and place it in the
the user group "QTM_OPC". user group "QTM_OPC_LCL".
Exaopc Standard Create the User Account Create the User Account
"QTM_PROCESS", and place it in "QTM_PROCESS", and place it in the
the user group "OPC_USER". user group "OPC_USER_LCL".
2 Exaquantum Standard Create Exaopc Process account Create Exaopc Process account (Default
(Default EXA). It must have a EXA). It must have a matching password
matching password with Exaopc with Exaopc Server, and place it in the
Server, and place it in the user user group "QTM_OPC_LCL".
group "QTM_OPC".
Exaopc Legacy Create the User Account Not applicable
"QTM_PROCESS".
3 Exaquantum Legacy Create the User Account Create the User Account
“OPC_PROCESS” “OPC_PROCESS”
Exaopc Standard Create the User Account Create the User Account "quantumuser".
"quantumuser". It must have a It must have a matching password with
matching password with Exaquantum Server, and place it in the
Exaquantum Server, and place it in user group "OPC_USER_LCL".
the user group "OPC_USER".
4 Exaquantum Legacy Create Exaopc process account Create Exaopc process local account
(default EXA). It must have a (default EXA). It must have a matching
matching password with the Exaopc password with the Exaopc server.
server. If Exaopc process execution account is
If Exaopc process execution EXA, no need to create it.
account is EXA, no need to create
it.
Exaopc Legacy Create the User Account Not Applicable
"quantumuser" and with a password
matching the Exaquantum Server.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 6-17

 Exaopc R3.50.10 or earlier (IT security not supported)

NOTE. Exaquantum and Exaopc R3.50.10 (or earlier) cannot coexist on the same PC.
Connection is possible, but only with Exaopc running in legacy mode.

Connection.
Standalone Management Domain Management
1 Exaquantum Standard Create Exaopc Process account Create Exaopc Process account (Default
(Default EXA). It must have a EXA). It must have a matching password
matching password with Exaopc with Exaopc Server, and place it in the
Server, and place it in the user user group "QTM_OPC_LCL".
group "QTM_OPC".
Exaopc Legacy Create the User Account Not applicable
"QTM_PROCESS".
2 Exaquantum Legacy Create Exaopc process account Create Exaopc process local account
(default EXA). It must have a (default EXA). It must have a matching
matching password with the Exaopc password with the Exaopc server.
server. If Exaopc process execution account
If Exaopc process execution is EXA, no need to create it.
account is EXA, no need to
create it.
Exaopc Legacy Create the User Account Not Applicable
"quantumuser" and with a
password matching the
Exaquantum Server.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

6-18 Chapter 6 IT Security

Exapilot
In case of the standard (strengthened) model, the service accounts need to be replicated
between the systems and placed into the correct user groups
In Exapilot, as Exaquantum client needs to be installed, coexistence or connection with
another model can not be used.
The Exapilot execution account
For the creation of the Exapilot execution account “PLT_PROCESS”, a tool is provided.
This is included on the Exapilot CD. This tool can be executed from the Exapilot CD.
<CD>:EXA\TOOLS\CreatePLTProcess.exe

 Exapilot R3.90.00 or later (Integration Code: 0801-0651-01-02)

NOTE. Exaquantum and Exapilot R3.90.00 or later can only coexist in Legacy mode. This is
because the two products have different versions of the IT Security Setting tool.

When Exaquantum Input/Output Unit Procedures are used

Connection.
Standalone Management Domain Management
1 Exaquantum Standard Not Supported Not Supported
Exapilot Standard Not Supported Not Supported
2 Exaquantum Standard Not Supported Not Supported
Exapilot Legacy Not Supported Not Applicable
3 Exaquantum Legacy Not Supported Not Supported
Exapilot Standard Not Supported Not Supported
4 Exaquantum Legacy Create Exapilot process account Create Exapilot process account
(default EXA) and with a (default EXA) and with a password
password matching of Exapilot. matching of Exapilot. Add this user
Add this user to the user groups to the user groups "QUserGroup" and
"QUserGroup" and “QDataWriteGroup”.
“QDataWriteGroup”.
Exapilot Legacy No special settings are necessary Not Applicable

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 6-19

When Exapilot ActiveX Control which is attached to Exaquantum Explorer is used

Coexistence.
Standalone Management Domain Management
1 Exaquantum No special settings are necessary Not Applicable
Legacy Exapilot
2 Exaquantum Not Supported
Not Supported
Standard Exapilot

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

6-20 Chapter 6 IT Security

 Exapilot R3.70.00, R3.80.00

When Exaquantum Input/Output Unit Procedures are used

Coexistence.
Standalone Management Domain Management
1 Exaquantum Create Exapilot process account Not Applicable
Legacy Exapilot (default EXA). It must have a
matching password with
Exapilot Server and place it in
the user groups "QUserGroup"
and "QDataWriteGroup".
2 Exaquantum Place the User Account Place the User Account
Standard Exapilot "PLT_PROCESS" in the user "PLT_PROCESS" in the user group
group “QTM_DATA_READ". “QTM_MAINTENANCE_LCL".
Place the User Account Place the User Account
"PLT_PROCESS" in the user "QTM_PROCESS" in the user group
group “QTM_DATA_WRITE". “PLT_OPC_LCL".
Place the User Account
"QTM_PROCESS" in the user
group “PLT_OPC".

Connection.
Standalone Management Domain Management
1 Exaquantum Standard Create the User Account Create the User Account
"PLT_PROCESS". "PLT_PROCESS".
Place the User Account Place the User Account
"PLT_PROCESS" in the user "PLT_PROCESS" in the user group
group “QTM_DATA_READ". “QTM_MAINTENANCE_LCL".
Place the User Account
"PLT_PROCESS" in the user
group “QTM_DATA_WRITE".
Exapilot Standard Place the User Account Place the User Account
"QTM_PROCESS" in the user "QTM_PROCESS" in the user group
group “PLT_OPC". “PLT_OPC_LCL".
2 Exaquantum Standard Not Supported Not Supported
Exapilot Legacy Not Supported Not Applicable
3 Exaquantum Legacy Not Supported Not Supported
Exapilot Standard Not Supported Not Supported
4 Exaquantum Legacy Create Exapilot process account Create Exapilot process account
(default EXA) and with a (default EXA) and with a password
password matching of Exapilot. matching of Exapilot. Add this user
Add this user to the user groups to the user groups "QUserGroup" and
"QUserGroup" and “QDataWriteGroup”.
“QDataWriteGroup”.
Exapilot Legacy No special settings are necessary Not Applicable

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 6-21

When Exapilot ActiveX Control which is attached to Exaquantum Explorer is used

Coexistence.
Standalone Management Domain Management
1 Exaquantum No special settings are necessary Not Applicable
Legacy Exapilot
2 Exaquantum Place the user which executes Place the user which executes
Standard Exapilot Exaquantum Explorer in the Exaquantum Explorer in the user
user group “PLT_OPERATOR". group “PLT_OPERATOR".

Connection.
Standalone Management Domain Management
1 Exaquantum Standard No special settings are necessary No special settings are necessary
Exapilot Standard Place the user which executes Place the user which executes
Exaquantum Explorer in the Exaquantum Explorer in the domain
user group “PLT_OPERATOR". group “PLT_OPERATOR".
2 Exaquantum Standard Not Supported Not Supported
Exapilot Legacy Not Supported Not Applicable
3 Exaquantum Legacy Not Supported Not Supported
Exapilot Standard Not Supported Not Supported
4 Exaquantum Legacy No special settings are necessary No special settings are necessary
Exapilot Legacy No special settings are necessary Not Applicable

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

6-22 Chapter 6 IT Security

 Exapilot R3.60.00 or earlier (IT security not supported)

The Exaquantum security model must be set to Legacy. Coexistence or connection with
another security model cannot be used.
Setting details is the same as Legacy Model of Exapilot R3.70.00 or later.

When Exaquantum Input/Output Unit Procedures are used

Connection.
Standalone Management Domain Management
1 Exaquantum Standard Not Supported Not Supported
Exapilot Standard Not Supported Not Supported
2 Exaquantum Legacy Create Exapilot process account Create Exapilot process account
(default EXA) and with a (default EXA) and with a password
password matching of Exapilot. matching of Exapilot. Add this user
Add this user to the user groups to the user groups "QUserGroup" and
"QUserGroup" and “QDataWriteGroup”.
“QDataWriteGroup”.
Exapilot Legacy No special settings are necessary Not Applicable

When Exapilot ActiveX Control which is attached to Exaquantum Explorer is used

Coexistence.
Standalone Management Domain Management
1 Exaquantum No special settings are necessary Not Applicable
Legacy Exapilot
2 Exaquantum Not Supported Not Supported
Standard Exapilot

Connection.
Standalone Management Domain Management
1 Exaquantum Standard Not Supported Not Supported

Exapilot Standard Not Supported Not Applicable

2 Exaquantum Legacy No special settings are necessary Not Applicable
Exapilot Legacy No special settings are necessary Not Applicable

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 6-23

Exaplog
Exaquantum and Exaplog can both coexist on the same PC or connect from separate PCs.
However, it is not possible for the Exaquantum Client to be installed on the same PC as
Exaplog, due to different versions of the IT Security Setting Tool.

 Exaplog R3.40.00 (Integration Code 0801-0701-03-02)

NOTE. Exaquantum and Exaplog R3.40.00 can only coexist in Legacy mode. This is
because the two products have different versions of the IT Security Setting tool.

Coexistence.
Standalone Management Domain Management
1 Exaquantum No special settings are necessary Not Applicable
Legacy Exaplog
2 Exaquantum Not Supported
Not Supported
Standard Exaplog

Connection.
Standalone Management Domain Management
1 Exaquantum Standard Not Supported Not Supported
Exaplog Standard Not Supported Not Supported
2 Exaquantum Standard Not Supported Not Supported
Exaplog Legacy Not Supported Not Applicable
3 Exaquantum Legacy Not Supported Not Supported
Exaplog Standard Not Supported Not Supported
4 Exaquantum Legacy No special settings are necessary No special settings are necessary
Exaplog Legacy Create the User Account Not Applicable
"Quantumuser". It must have a
matching password with
Exaquantum Server. Grant it the
privilege “Log on as batch job".

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

6-24 Chapter 6 IT Security

 Exaplog R3.30.00

Coexistence.
Standalone Management Domain Management
1 Exaquantum No special settings are Not Applicable
Legacy Exaplog necessary
2 Exaquantum Create the User Account Create the local group
Standard Exaplog "Quantumuser". It must have a “PLG_CONVERTER_LCL”. Create
matching password with the local User Account "Quantumuser".
It must have a matching password with
Exaplog Server. Add it to "Log Exaplog Server. Add it to "Log on as
on as batched job". batched job".
Place the User Account Place the User Account "Quantumuser"
"Quantumuser" in the user in the user group
group “QTM_DATA_READ". “QTM_MAINTENANCE_LCL".
Place the User Account Place the User Account "Quantumuser"
"Quantumuser" in the user in the user group
“PLG_CONVERTER_LCL".
group “PLG_CONVERTER".

Connection.
Standalone Management Domain Management
1 Exaquantum Standard Create the User Account Create the User Account
"Quantumuser" .It must have a "Quantumuser" .It must have a
matching password with matching password with Exaplog
Exaplog Server. Place it in the Server. Place it in the user group
user group “QTM_MAINTENANCE_LCL".
“QTM_DATA_READ".
Exaplog Standard Create the User Account Create the local user group
"Quantumuser" It must have a PLG_CONVERTER_LCL. Create the
matching password with User Account "Quantumuser" It must
have a matching password with
Exaquantum Server. Add it to Exaquantum Server. Add it to "Log on
"Log on as batched job". as batched job".
Place the User Account Place the User Account "Quantumuser"
"Quantumuser" in the user in the user group
group “QTM_DATA_READ". “QTM_MAINTENANCE_LCL".
Place the User Account Place the User Account "Quantumuser"
"Quantumuser" in the user in the user group
“PLG_CONVERTER_LCL".
group “PLG_CONVERTER".
2 Exaquantum Standard Not Supported Not Supported
Exaplog Legacy Not Supported Not Applicable
3 Exaquantum Legacy Not Supported Not Supported
Exaplog Standard Not Supported Not Supported
4 Exaquantum Legacy No special settings are necessary No special settings are necessary
Exaplog Legacy Create the User Account Not Applicable
"Quantumuser". It must have a
matching password with
Exaquantum Server. Grant it the
privilege “Log on as batch job".

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 6-25

 Exaplog R3.20.00 or earlier (IT security not supported)

Coexistence.
Standalone Management Domain Management
1 Exaquantum No special settings are necessary Not Applicable
Legacy Exaplog
2 Exaquantum Not Supported
Not Supported
Standard Exaplog

Connection.
Standalone Management Domain Management
1 Exaquantum Standard Create the User Account Not Supported
"Quantumuser" .It must have a
matching password with Exaplog
Server. Place it in the user group
“QTM_DATA_READ".
Exaplog Legacy Create the User Account Not Applicable
"Quantumuser" It must have a
matching password with
Exaquantum Server. Add it to
"Log on as batched job".
Place the User Account
"Quantumuser" in the user group
“QTM_DATA_READ".
2 Exaquantum Legacy No special settings are necessary No special settings are necessary
Exaplog Legacy Create the User Account Not Applicable
"Quantumuser". It must have a
matching password with
Exaquantum Server. Grant it the
privilege “Log on as batch job".

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

6-26 Chapter 6 IT Security

Exasmoc/Exarqe
It is possible for the Exaquantum and Exarqe / Exasmoc client to coexist on the same PC.

 Exasmoc R4.03.00 (Integration Code: 0851-0951-01-03) , Exarqe R4.03.00 (Integration

Code: 0851-1051-01-03)
Exasmoc / Exarqe and Exaquantum and Standard (Strengthened) Standalone Model cannot
coexist. This is because the IT Security Tool version is different.

Coexistence is possible for the Legacy Security model. No special settings are necessary.

 Exasmoc R4.02.00, R4.01.00 / Exarqe R4.02.00, R4.01.00

Coexistence is possible only if the Security model is the same on both products. No special
settings are necessary.

 Exasmoc R3.06.00 or earlier, Exarqe R3.06.00 or earlier (IT security unsupported)

The Legacy Model can coexist with Exaquantum. Coexistence or connection with another
model cannot be used. No special settings are necessary.

Platform for Advanced Control and Estimation

It is possible for the Exaquantum and Platform for Advanced Control and Estimation client
to coexist on the same PC.

 Platform for Advanced Control and Estimation R5.01.00 (Integration Code: 0851-
1551-01-01)
Platform for Advanced Control and Estimation and Exaquantum and Standard
(Strengthened) Standalone Model cannot coexist. This is because the IT Security Tool
version is different.
Coexistence is possible for the Legacy Security model. No special settings are necessary.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 6-27

6.2.6 CENTUM VP (Integration Code: 0101-0801-02-03)

The Exaquantum server can only connect with CENTUM VP R4 or later; coexistance is not
supported.
The Exaquantum Client can coexist with CENTUM VP HIS. For details, please refer to
Appendix 14 "Installation on HIS".

 The CENTUM VP account

In order for CENTUM and Exaquantum to communicate in Standard Model Security, the
CENTUM VP process execution account must exist, and be in the correct user group. This
account can be created and added to the correct group, using a tool provided with the
CENTUM VP DVD.

 CENTUM VP R4.03 or later:

<DVD>:CENTUM\SECURITY\Yokogawa.IS.iPCS.Platform.Serurity.CreateCentumProcess.
exe
 CENTUM VP R4.02 or earlier:
<DVD>:CENTUM\SECURITY\CreateCentumProcess.exe

Connection.
Standalone Management Domain Management
1 Exaquantum Standard Create the User Account Create the local User Account
"CTM_PROCESS", and place in "CTM_PROCESS", and place it in the
the user group "QTM_OPC". user group "QTM_OPC_LCL".
CENTUM VP Standard Create the User Account Create the local User Account
"QTM_PROCESS", and place in "QTM_PROCESS", and place it in the
the user group "CTM_OPC". user group "CTM_OPC_LCL".
2 Exaquantum Standard Create the User Account Create the local User Account
"CTM_PROCESS ", and place in "CTM_PROCESS ", and place it in the
the user group "QTM_OPC". user group "QTM_OPC_LCL".
CENTUM VP Legacy Create the User Account Not Applicable
"QTM_PROCESS".
3 Exaquantum Legacy Create the User Account Create the local User Account
“CTM_PROCESS” “CTM_PROCESS”
CENTUM VP Standard Create the User Account Create the local User Account
"quantumuser". It must have a "quantumuser". It must have a
matching password with matching password with Exaquantum
Exaquantum Server, and place it Server, and place it in the user group
in the user group “CTM_OPC ". “CTM_OPC_LCL ".
4 Exaquantum Legacy Create the User Account Create the local User Account
"CTM_PROCESS". "CTM_PROCESS".
CENTUM VP Legacy Create the User Account Not Applicable
"quantumuser”. It must have a
matching password with
Exaquantum Server.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

6-28 Chapter 6 IT Security

CENTUM CS 3000
The Exaquantum server can only connect with CENTUM CS 3000 HIS; coexistance is not
supported.
The Exaquantum Client can coexist with CENTUM CS 3000 HIS. For details, please refer to
Appendix 14 "Installation on HIS".

Connection.
Standalone Management Domain Management
1 Exaquantum Standard Create the User Account Create the User Account "CENTUM
"CENTUM “. It must have a “. It must have a matching password
matching password with with CS3000. Place in the user group
CS3000. Place in the user group "QTM_OPC_LCL".
"QTM_OPC".
CS3000 Create the User Account Not Applicable
"QTM_PROCESS"
2 Exaquantum Legacy Create the User Account Create the local User Account
"CENTUM “. It must have a "CENTUM". It must have a
matching password with matching password with CS3000
CS3000.
CS3000 Create the User Account Not Applicable
"quantumuser" and with a
password matching the
Exaquantum Server.

Other company’s OPC server

Process execution accounts have to be replicated for the standard (Strengthened) model and
placed into the correct user groups.
Table 6-4 Legacy Model

Setting contents
Exaquantum No special settings are necessary.
connection
Other companies OPC server Follow the setting procedure of Other companies OPC server

Table 6-5 Standard (Strengthened) Standalone Model

Setting contents
Exaquantum Create Other companies OPC execution account, and place in the
connection
user group "QTM_OPC".
Other companies OPC server Follow the setting procedure of Other companies OPC server

Table 6-6 Standard (Strengthened) Domain Model

Setting contents
Exaquantum Create Other companies OPC execution account, place in the user
connection
group "QTM_OPC_LCL".
Other companies OPC server Follow the setting procedure of Other companies OPC server

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 6-29

Client setting for accessing to Exaquantum Open Interface(OPC Server)

The client process execution account needs to be placed into the correct user group, The
Exaquantum service account must be created on the client. If data is read using the
Exaquantum OPC server, it is necessary to place the client process account into group
“QUserGroup” or “QTM_DATA_READ”. If data is written using the Exaquantum OPC
server, it is necessary to place the client process account into group “QDataWriteGroup” or
“QTM_DATA_WRITE” also.
Exaquantum OPC DA Server execution account is OPC_PROCESS. Exaquantum OPC
HDA Server execution account is QTM_PROCESS.
Table 6-7 Legacy Model
Setting contents
Exaquantum Place the process execution account of the client into “QUserGroup” and
cohabitation
Client *1 optionally “QDataWriteGroup”.
Exaquantum Create an account to match the client process execution account and place into
connection
the “QUserGroup” and optionally “QDataWriteGroup”.
Client *1 Follow the client manual.

Table 6-8 Standard (Strengthened) Standalone Model

Setting contents
Exaquantum Place the client process execution account into the “QTM_DATA_READ” and
cohabitation
Client *1 optionally “QTM_DATA_WRITE”.
Exaquantum Create an account to match the client process execution account and place into
connection
the “QTM_DATA_READ” and optionally “QTM_DATA_WRITE”.
Client *1 Follow the client manual.

Table 6-9 Standard (Strengthened) Domain Model

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

6-30 Chapter 6 IT Security

6.3 Operations
This chapter describes Windows account management and the related programs whose
operation requires attention when ‘IT Security’ settings summarized in the section Appendix
A.13 IT Security Detail Information is introduced.
6.3.1 Windows Account Management
Two types of account management, i.e. common account management and individual
account management, are provided.
Table 6-10 Windows account management

How to manage Operational

How to operate Security strength
accounts advantages

A Windows Same operability

Unfavorable
Common account account is shared as the
high low because of high
management by several users. conventional
anonymity
Exaquantum

More complex
than the
A Windows conventional Favorable
Individual account account is operation because because access
low high
management allocated to each Windows can be controlled
user. logoff/logon is on a user basis.
required when the
user is changed.

Common Account Management

The common account management provides high operational convenience. From the
viewpoint of security, however, it is not ideal because anonymity is high. It is recommended
that the user training is conducted and the system be configured to use individual account
management.
For account
If a common account is used it is reccomended that the group of staff with access ais tightly
controlled to provide traceability in the event of an accident or similar event.
For password management
It is recommended that users passwords are changed periodically to reduce the risk of the
password cracking attacks. Passwords used by groups of users should be changed at least
when staff leaves to prevent access by ex-employees.
For automatic logon function
When automatic logon function is used, it is recommended that no higher access level than
OPC_DATA_READ is given to the autologin account. This prevents engineering or other
functions being accessed by non-privilege users who have access to the system.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 6-31

For anonymity
The user of a common account and permanently logged on terminal provides little tracking
of activity. Hence it is recommended that access to the ternimal be tightly controlled and
staff be strictly training in security procedures.
Individual Account Management
The individual account management allows tight control of the privileges allocated to each
user and allow identification of the user responsible for particular activities on the system.
The downside of this is that it requires users to log on and then off whenever they change
terminal.
For account maintenance
The account privileges should be promptly changed when the privileges of a user are
changed. (*1)
By properly maintaining the account, illegal access from invalid users or an unexpected
attack can be prevented.
*1: For example, deletion of the account of the user who resigned, change of the group
when a maintenance person becomes an operator, etc.
For password management
Passwords should be set to require changing periodically to reduce the threat of cracking
attacks being successful.
Considerations when workers are alternated
When the user at a terminal is alternated, time is required for log off/log on of Windows
compared with individual account management. Prevent alternating all users at a terminal to
prepare for the emergency response. The provision of job specific terminals mitigates this
issue.
For personnel security education
Personal account management and responsibility for the security of the account become the
user’s responsibility with individual account management and this needs to be stressed with
the users. .
Precautions for Account Management
This section outlines the precautions commonly applicable to “common account
management” and “individual account management.”
System Monitoring
Periodic monitoring of the security event log on the system is recommended. By doing this,
abnormalities in the system can be detected in an early stage, which contributes to the early
detection of an attack or its sign. If you find any login failures, consult your internal network
administrator or a specialist and take prompt action.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

6-32 Chapter 6 IT Security

Account Management on a Workgroup basis

When accounts are controlled as a workgroup, identical user accounts need to be created
both on the terminal for the user and the engineering terminal that has a project database and
the password of the registered accounts must be identical. If the password is changed, the
password of all the terminals in which the identical accounts are registered need to be
changed to the new common password.
Account Management on a Domain basis
When there is a large difference (more than 5 minutes at default value) between the time of
the domain controller and that of Exaquantum, the authentication function in the domain
environment does not work properly. It is therefore required to pay careful attention to the
time synchronization between the domain controller and terminals.
For details, refer to Appendix A.8 Maximum Tolerance for Computer Clock
Synchronization.
‘QTM_MAINTENANCE’ ‘EXA_MAINTENANCE’ Group
‘QTM_MAINTENANCE’ ‘EXA_MAINTENANCE’ group, a user group for maintenance,
is an access group with very high privileges. The accounts belonging to
‘QTM_MAINTENANCE’ ‘EXA_MAINTENANCE’ group should be disabled usually and
enabled when operators require to use it. Moreover, it is effective in security to set an
expiration date for an account when it is enabled.
The User Account Control
On the Operating systems supported by Exaquantum, the Windows User Account control
affects users of the following groups, when accessing Exaquantum programs requiring the
Administrator priviledge:
 QTM_MAINTENANCE
 QTM_MAINTENANCE_LCL
 EXA_ MAINTENANCE
 EXA_MAINTENANCE_LCL
When using such programs, the User Account dialog may be shown; if so then click the
[Continue] or [Allow] button.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 6-33

Creating a New User with Administrator Rights

When you add a new user to the ‘QTM_MAINTENANCE’,
‘QTM_MAINTENANCE_LCL’, ‘EXA_MAINTENANCE’ or
‘EXA_MAINTENANCE_LCL’ group, you must also add the user to the ‘Administrators’ or
‘Domain Admins’ group.
 When a user who belongs to ‘QTM_MAINTENANCE’ group is created under domain
management:
Figure 6-2 User creation under domain management

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

6-34 Chapter 6 IT Security

 When a user who belongs to ‘OPC_MAINTENANCE’ group is created under workgroup

management:
Figure 6-3 User creation under workgroup management

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 6-35

6.3.2 Related Programs

Windows Security Patch
Please carry out installation for any security patches according to the customer's security
policy. We strongly recommend applying security patches on an Exaquantum system as soon
as possible, following insallation. When a security patch is issued following Exaquantum
installation, then we recommend applying the security patch as soon as possible.
When security patches and service packs are applied to the Exaquantum system, the existing
security settings (Firewall settings and local security settings) may be changed. Therefore,
after applying security patches and service packs, verify that the former security settings are
retained.
Antivirus Software
It is recommended that antivirus software verified by Yokogawa is installed on the terminals
connected to the Exaquantum system and the domain controller.
The update of the search engine or pattern files of the antivirus software can impact function
of these terminals. It is recommended that the behavior is tested with a test terminal in
advance of the update being applied.
Unverified Programs
The execution of a program not verified by Yokogawa on a terminal connected to the
Exaquantum system is not recommended because it may affect the operation of the
Exaquantum system or cause information leak and system damage.
6.3.3 Windows Shared folders
Windows shared folders may be used to deliver Exaquantum Explorer file (PXD file) to the
clients. However, files shares provide a weak point for the spread of virus infections if not
managed carefully.
The security risk may be minimized by sharing with the minimum required access(typicall
read only).

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

6-36 Chapter 6 IT Security

6.3.4 Changing the LAN Manager Authentication Level

Windows has LM authentication, NTLM authentication and NTLMv2 authentication
methods for backward compatibility.
For the environment of the product, use of NTLMv2 authentication is recommended. LM
authentication is not recommended since its method of hashing user’s password (LM hash
algorithm) is very vulnerable.
 Setting
The following table shows the setting.
Table 6-11 Setting

Policy Setting

Changing the LAN Manager Authentication Level Send NTLMv2 response only

Do not allow storage of passwords and credentials Enabled

for network authentication

Minimum session security for NTLM SSP based Require NTLMv2 session security
(including secure RPC) clients Require 128-bit encryption

Minimum session security for NTLM SSP based Require NTLMv2 session security
(including secure RPC) servers Require 128-bit encryption

Let Everyone permissions apply to anonymous users Disabled

 Cautions
 Ensure that the settings of ‘Minimum session security for NTLM SSP based (including
secure RPC) clients’ and ‘Minimum session security for NTLM SSP based (including
secure RPC) servers ‘ are consistent on all terminals.
 In a domain environment, this setting may be overwritten with the setting in the domain
controller, depending on the group policies of the domain controller. If this is your case,
change the setting in the domain controller.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 7-1

Chapter 7 Time Synchronization

Note:
- If the Time synchronization master uses a firewall, open UDP port 123 of the Time
Synchronization slave.
The Exaquantum server acquires data from various sources including the OPC gateways.
During this acquisition the data is saved and managed chronologically with the time serving
as the designated key. Exaquantum clients and those PCs using the API interface retrieve data
from the Exaquantum server with time being one of the key parameters.
Time synchronization is therefore very important for the entire Exaquantum system. Of
particular importance is the time synchronization between the Exaquantum server and the
OPC gateways as this affects the data being saved and read.
In the following sections the Exaquantum system is said to include the Exaquantum server,
Exaquantum client, OPC gateways, and PCs using the Exaquantum API.
7.1 Setting time synchronization
To implement time synchronization in the Exaquantum system, one of the following three
methods is available depending on the network environment:
 Time synchronization in the Active Directory domain environment
 Time synchronization in the existing network
 Time synchronization in a new work group environment
The “Active Directory domain” is a domain established using the ActiveDirectory database
using one of the Windows Server Operating systems, supported by Exaquantum.

The “Existing network environment” indicates a network that has already been established at
the time the Exaquantum system is installed.
The “New work group environment” indicates a network in a work group environment
established with the installation of the Exaquantum system.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

7-2 Chapter 7 Time Synchronization
7.1.1 Time synchronization in the Active Directory domain environment
In an Active Directory domain environment, the functionality exists to compare the time
stamp at logon with the domain controller (DC) time stamp. Login to the system will be
refused if the time difference between the DC and the login machine is greater than 5 minutes.
It is therefore imperative that time synchronization is maintained between computers on the
same domain. Time synchronization is usually implemented using to the Windows Time
(W32Time) service; however, this may be replaced with third party synchronization tools if
required.
If the Exaquantum server is in an Active Directory domain, the first domain controller which
takes the PDC Emulator Role usually functions as the time master (time server). Because PCs
in the same domain are automatically time-synchronized, specific setup for time
synchronization is not necessary.
The time synchronization between the systems on the PCS LAN and the Exaquantum server
is critical. It is recommended therefore that the PCS and the Site Windows Domain have a
common external time source, such as GPS clock(s).
Time synchronization must be setup using the “Time synchronization in the existing network”
method if the following hold true:
 An Active Directory domain environment exists
 The time server is not setup on the domain controller
 Time synchronization is not implemented using the Window Time service
If no Active Directory domain exists then time synchronization must be setup using the “New
work group environment” method.
7.1.2 Time synchronization in the existing network
If the Exaquantum server exists in a network with the following properties then time
synchronization must be setup according to the directives of the network administrator:
 The Domain environment is Windows NT
 It is a Work Group environment on Windows
 The time server is not the DC (domain controller) in the Active Directory domain.
 Windows Time is not used in the Active Directory domain
The OPC gateways should be configured to ensure they are time synchronized at the same
time of the day. The domain administrator should ensure the time synchronization period is
correctly set.
If time synchronization is not implemented even when the above networks have been established,
set up time synchronization referring to “Time synchronization in a new work group environment”.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 7-3
7.1.3 Time synchronization in a new work group environment
If the Exaquantum system is to be installed into a network with the following configuration,
the network administrator should be consulted regarding time synchronization in the network:
 No Active Directory domain with time synchronization exists
 No existing network with time synchronization exists
 A new work group network is to be established with the introduction of Exaquantum
The OPC gateways should be configured to ensure they are time synchronized at the same
time of the day. The domain administrator should ensure the time synchronization period is
correctly set.
Time synchronization is very important and the Exaquantum server can be used to perform
the time correction for the time server while also acting as a time server for the OPC gateways.
If there are many OPC gateway and difficult to set time synchronization between system, data
collection time from OPC gateway can be used Exaquantum time.
For further information, refer to "Chapter 2 OPC Gateway Configuration" in
Exaquantum/PIMS User's Manual.
7.1.4 Time synchronization tools storage directory
The time synchronization tool “TimeSynchronizeUtility.exe”.can be found in the following
directories:
 Exaquantum prerequisite DVD(Disc 1) within the “Tools” folder
 Exaquantum Server within the “\<Exaquantum Install Folder>\Developer tools” folder
7.1.5 Installing “time synchronization” on an OPC gateway PC
To install the time synchronization functionality on the OPC gateway PC perform the
following steps from either of the Time synchronization tools storage directories as listed
above:
1 Run the TimeSynchronizeUtility.exe setup tool by double-clicking on it.
2 When the selection of the Computer to Set Up is running, click the [Next] button to go
the Type of Time Synchronization Setup process.
3 When the setup tool is running, select “Set Time Synchronization on the master server”
and click the [Next] button to go the Setup of the Time Synchronization Server setup
process.
4 When the setup tool is running, click the [Set] button to initialize the time
synchronization process. On completion the time server function will be enabled on this
PC.
Note: Please add port 123/UDP to "Exceptions" of the Windows Firewall of the Domain
Controller when the Windows Firewall is enabled.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

7-4 Chapter 7 Time Synchronization
7.1.6 Installing “time synchronization” on a Exaquantum server
To install the time synchronization functionality on the Exaquantum server perform the
following steps from either of the Time synchronization tools storage directories as listed
above:
1 Run the TimeSynchronizeUtility.exe setup tool by double-clicking on it.
2 When the selection of the Computer to Set Up is running, click the [Next] button to go
the Type of Time Synchronization Setup process.
3 When the setup tool is running; select “Set Time Synchronization client on the
Exaquantum Server” and click the [Next] button to go the Setup of the Time
Synchronization Client setup process.
4 When the setup tool is running, click the [Set] button to initialize the Time
synchronization process. On completion the time server function will be enabled on this
PC.
5 Click the [Set] button to initialize the time synchronization process.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration 7-5
7.2 Precautions when upgrading from R2.10.50 or older (changing
the synchronization method)
From Exaquantum R2.20, Exaquantum uses the Windows time only. However, Exaquantum
systems released prior to R2.20 also supported the following methods of time
synchronization:
 Time Service
 Net Time
Therefore, if the Exaquantum system is using either the Time Service or Net Time, time
synchronization method then on Exaquantum upgrade to R2.20 the time synchronization
method needs to be changed to the Windows Time. To change the time synchronization
method the current method needs to be disabled and the new one installed.
7.2.1 Disabling the current synchronization method
Time Service:
To install the time synchronization functionality on the Exaquantum server perform the
following steps from either of the Time synchronization tools storage directories as listed above:
1 Run the TimeSynchronizeUtility.exe setup tool by double-clicking on it.
2 When the selection of the Computer to Set Up is running, click the [Next] button to go
the Type of Time Synchronization Setup process.
3 When the setup tool is running, select “Set Time Synchronization client on the
Exaquantum Server” and click the [Next] button to go the Setup of the Time
Synchronization Client setup process.
4 When the setup tool is running complete the following setup steps on the dialog screen:
Enter the same OPC gateway computer name as the one used in the “Time Server Name”
field set during the Exaquantum installation.
Enter a synchronization period in minutes in the “Period in minutes” field.
5 Click the [Release] button to initialize the time synchronization process.
Net Time:
In order to change new time synchronization system delete the batch file in which the following
command is described in the “Start-up” folder. If any command other than the following is
included, first delete the other command and then delete the following command.
In the standard installing procedure the batch file named “Timesync.cmd” has been created.
Net time \\Qserver /set /yes
7.2.2 Establishing a new synchronization method
Set up time synchronization using the method described in Section 7.1.3 Time synchronization in a
new work group environment which is a subsection of 7.1 Setting time synchronization.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

7-6 Chapter 7 Time Synchronization
7.3 Setting up Time Synchronization
When Time Synchronization is required in a Workgroup environment, the following operation
is required to set-up the Time Synchronization.
1. Open the Control Panel and select "data and time".
2. Select the [Internet Time] tab in Date and Time Properties and click [change setting]
button.
3. Check "Automatically synchronize with an Internet time server" and click the "Update
Now" button.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-1

Appendix A. IT Security
Appendix A.1 External process of Exaquantum and working module
list of Communication
Table A-1 External process of Exaquantum and working module list of Communication
No Service/Runtime file name Port Number (protocol) Others
Exaquantum server
TCP:139
UDP:137
1 File and printer sharing (*1)
UDP:138
TCP:445
TCP:135 (*2)
2 QOPCAEPump.exe
TCP:20500 to 20600
TCP:135 (*2)
3 Quantum.exe
TCP:20500 to 20600
TCP:135 (*2)
4 QEventHandler.exe
TCP:20500 to 20600
TCP:135 (*2)
5 ExaQuantumExecutive.exe
TCP:20500 to 20600
TCP:135 (*2)
6 QHistorian.exe
TCP:20500 to 20600
TCP:135 (*2)
7 QArchive.exe
TCP:20500 to 20600
TCP:135 (*2)
8 QOPCHDAServer.exe
TCP:20500 to 20600
TCP:135 (*2)
9 QOPCHAEServer.exe
TCP:20500 to 20600
Exaquantum Web Server
Exaquantum OPCUA (*2)
1 34487/TCP
Server.exe
Exaquantum Client and Web Server
TCP:135 (*2)
1 Quantum.exe
TCP:20500 to 20600

*1: When file sharing uses TCP:445 only, the setting of “disabling of NetBIOS over
TCP/IP” is required
*2: Moreover, the setting of DCOM dynamic port restriction is required see Figure
Group Policy Management Editor

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-2 Appendix A IT Security
Appendix A.2 Shared folder used with Exaquantum
No shared folder is used in Exaquantum.
Appendix A.3 Service list registered with Exaquantum
Table A-2 Service list registered with Exaquantum

Service Explaining Operation user Type of start-up

Exa Bossd Program loader service for OPC_PROCESS Automatic

Exaopc operation

Exaquantum Exaquantum Program Local System Manual operation

Loader Service

Exaquantum OPC Exaquantum OPC Server QTM_PROCESS Manual operation

HDA Service

Exaquantum Server Exaquantum Server Service QTM_PROCESS Manual operation

Exaquantum Web Exaquantum Web Server Local System Manual operation

Server Service

OpcEnum Service that acquires registry Local System Automatic

information of OPC server, operation
and offers it.

PM Logd Exa common log server EXA_PROCESS Automatic

service operation

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-3
Appendix A.4 Unsupported Main Windows Security Functions
Appendix A.4.1 Windows Defender
Windows Defender is the free spyware removal tool (built-in on Windows Vista, Windows 7
and Windows 8) supplied by Microsoft. The Yokogawa system products do not support the
software because it has not been tested with the Yokogawa system products. Do not activate
Windows Defender.
Appendix A.4.2 EFS Function
The EFS (Encrypting File System) function is a Windows standard file cryptography function.
Do not apply the EFS function to Yokogawa system products because the management of the
encryption key on multiple terminals and the slowdown in the throughput caused by the
encryption has not been verified.
Appendix A.4.3 BitLocker Function
The BitLocker function introduced in Window Vista (standard functions provided with
Ultimate and Enterprise editions) to ensure HDD data tamper resistance encrypts the HDD at
the volume level. This function has not been tested with the Yokogawa system products.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-4 Appendix A IT Security
Appendix A.5 Underlying Security Threats
Appendix A.5.1 DCOM
While the DCOM function, the basis of OPC, used in the Yokogawa system products is very
useful function that realizes various kinds of processing between processes through a network,
it is said that it includes many vulnerabilities. Security is ensured in the Yokogawa system
products by limiting the accessible users. However, please be careful about the control of the
accounts of the OPC users.
Appendix A.5.2 Scope of Windows Firewall
In the standard security model of Exaquantum, the scope of Windows Firewall configured
during installation has been set to [Any computer (including those on the Internet)] in order to
minimize the effect of system configuration to the operation. It is recommended to limit the
range of communication by considering the system configuration and to limit the scope at port
(program) level. Narrowing the scope will prevent access from unauthorized terminals.
How to change the scope of Windows Firewall
1 Run the [Control Panel] and select [Windows firewall].
2 In the [Exceptions] tab, select arbitrary setting items, and click [Edit] button.
Figure A-1 Windows Firewall

3 In the [Edit a Program] (or [Edit a Port]) dialog, click [Change scope] button.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-5
Appendix A.6 Workgroup Management and Domain Management
This section outlines workgroup and domain management.
Appendix A.6.1 Workgroup Management
When the workgroup configuration is adopted, and the system is composed with two or more
terminals, it is necessary to manage the account at each terminal. When the system cooperates
with related products and security is set, it is necessary to prepare the account of the same ID
(password is also the same) in all terminals where it will be used.
Figure A-2 Workgroup Management

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-6 Appendix A IT Security
Appendix A.6.2 Domain Management
When the domain management is adopted, a domain controller can do the unified Account
management for the terminals and the accounts which are used in the system, because all
terminals which are included in the system configuration participate in the domain.
Moreover, when logon to a terminal has succeeded, the logon information that flows on the
network can be suppressed as much as possible compared with workgroup management,
because the logon information is managed by the function of the Windows domain network.
Figure A-3 Domain Management

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-7
Appendix A.7 NetBIOS
NetBIOS (Network Basic Input/Output System), a specification developed by Sytec for IBM
in the 1980s, is an API that enables an application to access from a remote PC over a network.
This function realizes the Windows File Sharing function (SMB/CIFS).
Figure A-4 NetBIOS
Other Application
File Sharing Printer Sharing Program

SMB/ CIFS
Direct Hosting
(Windows 2000 or later)
TCP:445
NetBIOS

NetBIOS over TCP/IP

TCP:UDP 137, 138, 139

NetBEUI IPX/ SPX TCP/ IP

NIC

Various kinds of information on a machine on which NetBIOS is running are accessible using
NetBIOS features, which is said to provide low levels of security.
<Acquirable information>
 Workstation service information
 Messenger service information
 Master browser information
 RAS server service information
 NetDDE service information
 File server information
 RAS client service information
 Modem sharing server service information
 Modem sharing server client service information
 SMS clients remote control information
 SMS administrators remote control information
 SMS clients remote chat information
 SMS clients remote transfer information
 McAfee antivirus program information
 Domain information
 Account information

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-8 Appendix A IT Security
Appendix A.8 Maximum Tolerance for Computer Clock
Synchronization
The “Maximum tolerance for computer clock synchronization” sets up the maximum time
difference between the client time and the time of domain controller when using Kerberos V5.
In order to prevent the reproduced attack, the time stamp is used as a part of protocol
definition in Kerberos V5. For the smooth operation of the time stamp process, the time of
each client and the domain controller should be synchronized as often as possible.
Also, this setting is not fixed, because the setting returns to the default value (5 minutes) when
the domain controller is rebooted.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-9
Appendix A.8.1 Setting Procedure (Windows Server – Domain Controller)
1 On the domain server, launch [Group Policy Management] from [Administrative Tools].
2 In the console tree, right-click [Default Domain Policy] under the current domain node
and select [Edit].
Figure A-5 Group Policy Management

3 From the console tree in the [Group Policy Management Editor] window, select
[Computer Configuration] - [Policies] - [Windows Settings] - [Security Settings] -
[Account Policies] - [Kerberos Policy].
4 Change [Maximum tolerance for computer clock synchronization].
Figure A-6 Group Policy Management Editor

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-10 Appendix A IT Security
Appendix A.9 Changing the Settings of DCOM
This section describes the settings necessary to use the DCOM on Exaquantum.
Appendix A.9.1 Setting Personal Firewall
Add the following ports as the exception port of Personal Firewall.
Table A-3 Personal Firewall Ports

Item Exception port

RPC TCP:135

Dynamic Port TCP:20500-20600

When cohabiting with other EXA product, it must be registered total number of ports that
other EXA product needs. Number of ports that Exaquantum needed are 100.
Appendix A.9.2 Controlling the Dynamic Ports of RPC Port
DCOM uses Remote Procedure Call (RPC) dynamic port allocation. This setting controls
which ports RPC dynamically allocates for incoming communication.
1 From the Start menu, launch [Run... / Search] and enter “dcomcnfg” to start
DCOMCNFG.EXE.
Figure A-7 Component services

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-11
2 Select [Component Services] - [Computers] - [My Computer], and then right-click on it
and open Properties.
Figure A-8 My Computer Properties

3 Select the [Default Protocols] tab.

Figure A-9 My Computer Properties - Default Protocols

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-12 Appendix A IT Security
4 Select [Connection-oriented TCP/IP] and click [Properties...] button.
Figure A-10 Properties for COM Internet Services

5 Click [Add] button and assign the port range to “20500-20600” as the standard dynamic
port, and select [Internet range] for the environment of the usage.
If you cannot setup [Internet range] correctly, terminate “DCOMCNFG.EXE” once by
clicking [Delete All] button and then [OK] button. After rebooting the PC, then try
setting or changing the scope of the port.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-13
Appendix A.10 Configuring All Settings of Windows Firewall
When setting Windows Firewall exceptions of this IT security on Exaquantum, it is possible
to configure all of them at once by creating a batch file.
Command
<Command>
netsh firewall add portopening [protocol=]protocol [port=]port [name=]name [ [mode=]mode
[scope=]scope [addresses=]address [profile=]profile [interface=]interface ]

<Function>
Add the configuration of firewall ports.

<Detail of Parameter>
protocol - Port protocol
TCP - Transmission Control Protocol (TCP)
UDP - User Datagram Protocol (UDP)
ALL - All protocols
port - Port number
name - Port name
mode - Port mode (Omissible)
ENABLE - Allow communication via firewall (Default)
DISABLE - Do not allow communication via firewall
scope - Port scope (Omissible)
ALL - Allow every traffic via firewall (Default)
SUBNET - Allow local network (subnet) traffic only
CUSTOM - Allow communication via the specified firewall only
addresses - Custom scope address (Omissible)
profile - Configuration profile (Omissible)
CURRENT - Current profile (Default)
DOMAIN - Domain profile
STANDARD - Standard profile
ALL - All profiles
interface - Name of interface (Omissible)
Batch File Example
rem Standard Operation and Monitoring Function
netsh firewall add portopening tcp 20171 BKHOdeq ENABLE CUSTOM LocalSubnet
netsh firewall add portopening tcp 20110 BKHTrGhr ENABLE CUSTOM LocalSubnet
netsh firewall add portopening tcp 20183 LonTerm ENABLE CUSTOM LocalSubnet
netsh firewall add portopening udp 32301 MnsServer ENABLE CUSTOM LocalSubnet

pause
rem DCOM
netsh firewall add portopening tcp 135 DCOM ENABLE CUSTOM LocalSubnet
(Omitted hereinafter)

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-14 Appendix A IT Security
Appendix A.11 Configuring All Windows Services
When performing the operation “Stopping unnecessary Windows services” described in this
document on Exaquantum, it is possible to configure all of them at once by creating a batch
file.
Command
<Command>
sc [Servername] Command Servicename [Optionname= Optionvalue...]

<Function>
Add, start, and stop the Windows serviceWindows.

<Detail of Parameter>
Servername
Omissible. When executing Command by the remote computer, specify the server name. In that case, two
backslashes(\\) should be used in front of the server name (e.g. \\myserver). When executing “sc.exe” in the local
computer, do not use this parameter.
Command
Specifies sc Command. The administrator privilege of the specified computer is required for most sc Command.
The following Commands are supported in Sc.exe.
Config - Changes the service configuration (it continues the change perpetually).
Continue - Sends “Continue control request” to the service.
Control - Sends “Control” to the service.
Create - Creates the service (and add the created service to registry).
Delete - Deletes the service (from registry).
EnumDepend - Enumerates Dependence of the service.
GetDisplayName - Acquires the display name (DisplayName) of the service.
GetKeyName - Acquires the key name of the service (ServiceKeyName).
Interrogate - Sends “Interrogate control request” to the service.
Pause - Sends “Pause control request” to the service.
Qc - Inquires for the service configuration. Refer to Help of SC QC for further details.
Query - Inquires for the status of service or enumerates the status of service type. Refer to Help of SC QUERY
for further details.
Start - Starts the service.
Stop - Sends “Stop request” to the service.
Servicename
Specifies the name that was specified by Service key of registry. Note that this name is different from
DisplayName. The DisplayName is a name that is shown when using “nwt start Command” and “[Service] tools
of Control Panel”. The ServiceKeyName is used as the main identifier of the service in Sc.exe.
Optionname
The name and value of Option Command Parameter can be specified by using the Optionname Parameter or
Optionvalue Parameter. Note that there should be no blank space between the Optionname and the equal sign. In
the parameter of the Option, 0 names or more and the combinations of Values can be specified. More than 0
combination of Name and Value can be specified.
Optionvalue
Specifies the Parameter value that was specified in Optionname. The range of valid value may differ depending
on the Command. Refer to Help of each Command for the list of Available Value.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-15

Batch File Example

@echo off

set s_name=Browser
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=Dhcp
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=Dnscache
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=ERSvc
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=helpsvc
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=NetDDE
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=NetDDEdsdm
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=RemoteRegistry
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=seclogon
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=ShellHWDetection
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=Themes
echo stop and disable to %s_name% service.
sc stop %s_name%

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-16 Appendix A IT Security
sc config %s_name% start= disabled

set s_name=upnphost
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=WebClient
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=WZCSVC
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

echo finish.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-17
Appendix A.12 Starting the MMC Console
How to start the MMC console is described in the following.
1 From the Start menu, choose [Run.../ Search] and enter “mmc” to start the MMC console.
Figure A-11 R un MMC

2 From the menu bar, select [File] - [Add/Remove Snap-in...].

Figure A-12 MMC console

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-18 Appendix A IT Security
3 In the [Add/Remove Snap-in] dialog box, click [Add] button.
Figure A-13 Add/Remove Snap-in

4 From the [Available Standalone snap-ins:] list, select [Security Templates], and then
click [Add] button, [Close] button, and finally click [OK] button.
Figure A-14 Add Standalone snap-in

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-19
Appendix A.13 IT Security Detail Information
In this Section the details of individual security measures are described.
Appendix A.13.1 Access control
To restrict unauthorized access, to, or the leakage of important data in Exaquantum, a
minimum of individual user account is required. The access control function of Windows is
used to control access to files registry and various program execution rights.
User account access control can be managed through account membership of Groups named
in Access Control Lists granting access to the data or program in question.
Appendix A.13.1.1 Access user group
The following table shows the group created for standard, strengthened, and legacy models
and their roles.
Table A-4 Access user group of standard or strengthened model

User
User and Group Name or Location
group where Privilege
Description
Object is Group
Standard/ Created
Legacy (*2)
Strengthened

Users/ User group for users needing to

QTM_DATA_RE
QUserGroup Group TypeA Domain read data from Exaquantum
AD
Users

Users/ User group for users requiring to

QTM_DATA_WR QDataWriteG
Group TypeA Domain write data to the Exaquantum
ITE roup
Users system

Users/ User group that can

QTM_EXPLORE QExplorerDe
Group TypeA Domain make/modify/delete Exaquantum
R_DESIGN signGroup
Users Explorer documents

User group for user that will

make configuration changes to
the Exaquantum system or
Administr
perform maintenance. Users in
QTM_MAINTEN QAdministrat ators/
Group TypeA this group should also be
ANCE orGroup Domain
members of the Local
Admins
administrators group (either
directly or through being a
Domain Administrator). (*1)

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-20 Appendix A IT Security

User
User and Group Name or Location
group where Privilege
Description
Object is Group
Standard/ Created
Legacy (*2)
Strengthened

This group is only created for a

Standard/Strengthened Domain
implementation and by default
QTM includes the local Administrator
Administr
_MAINTENANC - Group TypeC account. This is the equivalent of
ators
E_LCL "QTM _MAINTENANCE", but
is accessible and checked if the
Domain Controller is
unavailable(*1)

User group for users that

perform EXA package common
maintenance and install other
Administr
EXA package. Members of this
EXA_MAINTEN ators/
- Group TypeA group should also be members of
ANCE Domain
the local Administrator group
Admins
(either directly or through
membership of the domain
administrator group). (*1)

This group is only created for a

Standard/Strengthened Domain
implementation and by default
includes the local Administrator
EXA_MAINTEN Administr
- Group TypeC account; This is the equivalent of
ANCE_LCL ators
"EXA_MAINTENANCE". But
is accessible and checked if the
Domain Controller is
unavailable. (*1)

Group for authentication when

accessing to DCOM from
outside the Exaquantum system.
Users/
The execution user of Exaopc
QTM_OPC - Group TypeA Domain
and Exapilot are placed in this
Users
group. (Exaopc connection and
Exaquantum Link Unit
Procedure, etc.)

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-21

User
User and Group Name or Location
group where Privilege
Description
Object is Group
Standard/ Created
Legacy (*2)
Strengthened

The privilege is the same

QTM_OPC_LCL - Group TypeC Users "QTM_OPC", and a local user
can be available.

This is the Exaquantum

Users/
Windows Service User. This
QTM _PROCESS Quantumuser User TypeB Domain
user does not have Windows
Users
login rights.

This is the Windows Service

Users/
Users for common EXA
EXA_PROCESS EXA User TypeB Domain
services. This user does not have
Users
Windows log in rights.

This is the SQL Server Service

users for the Exaquantum
Server.
TypeB Users/
QTM_SQLSERV
- User Domain The details are a reference as for
ER
Users "Change in SQL server service
account".

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-22 Appendix A IT Security
Table A-5 Legacy Model Users and Groups

User and Group User Making Privilege

Description
Name group Location Group

User group for users reading data from

QUserGroup Group TypeB Users
Exaquantum

User group that can write data to

QDataWriteGroup Group TypeB Users
Exaquantum

QExplorerDesign User group that can make/modify/delete

Group TypeB Users
Group Exaquantum Explorer documents

User for users that will make configuration

changes to the Exaquantum system or
QAdministratorGr Administrat perform maintenance. Users in this group
Group TypeB
oup ors should also be members of the Local
administrators group (either directly or
through being a Domain Administrator)

User to execute Exaquantum process

Quantumuser User TypeB Users
(Windows service)

User to execute EXA common process

EXA User TypeB Users
(Windows service)

< Location where Object is created >

TypeA – For Domain User Management this is a Domain Group. For Workgroup
Management, this is a Local Group.
TypeB - This is always a Local Group.
TypeC - This is always a Local Group but is only created when implementing Domain User
Management.
*1: When you add a user to an administrator’s group, in workgroup management,
register with the local “Administrators” group. For a domain environment, please
register with the “DomainAdmins” group or the local “Administrators” group on the
local PC.
*2: The user groups or users applicable in the legacy model are shown for reference.

Caution
In a Workgroup User Management configuration client users must have a corresponding
local user set up on the server with a matching password. The local membership of the server
access control groups by the server user will determine the client user’s access rights.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-23
Appendix A.13.1.2 Registry configuration and access rights
To enable collaboration between Exaquantum and the other coexisting packages, full access
control right is given to access control groups and accounts as follows.
Table A-6 Registry configuration and access rights

(See Note 1 below) [1] [2] [3] [4] [5] [6] [7] [8] [9]

Registry below
HKEY_LOCAL_MACHINE – F F F F - F F - -
SOFTWARE – Quantum
Registry below
[HKEY_CURRENT_USER]- F F - F - F - F -
[SOFTWARE]-[Quantum]
Registry below
HKEY_LOCAL_MACHINE -
F F - F - F - F -
SOFTWARE - Yokogawa -
PKGCOM
Registry below
HKEY_LOCAL_MACHINE -
F F - F - F - F -
SOFTWARE - Yokogawa -
Exaopc
Registry below
[HKEY_LOCAL_MACHINE]-
- - - - - - F - -
[SOFTWARE]-[Microsoft] -
[MSSQLServer] -[Setup]

< access user group >

[1]: QTM_DATA_READ
[2]: QTM_DATA_WRITE
[3]: QTM_EXPLORER_DESIGN
[4]: QTM_MAINTENANCE
[5]: QTM_OPC
[6]: EXA_MAINTENANCE
[7]: System (QTM _PROCESS)
[8]: System (EXA_PROCESS)
[9]: System (QTM_SQLSERVER)
< type of access authority >
F: full access control
NOTES
1. For 64 bit OS, the registry path is HKEY_LOCAL_MACHINE - SOFTWARE –
Wow6432Node …

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-24 Appendix A IT Security
Appendix A.13.1.3 DCOM Access authority for standard model
A DCOM component is added by installing Exaquantum. By setting up access authority for
every access group, each component is protected from impersonation, vandalism or theft via
DCOM.
Appendix A.13.1.4 Local Security Access Permissions
For each access user group, the following Local Security privileges are assigned besides
Windows standard privileges.
Table A-7 Local security access permissions

Access User Group

Local security
[1]-[6] [7] [8] [9]

Logon as a service - Y Y Y

Logon as batch job - Y Y Y

Deny logon local - Y Y Y

< Access user group >

[1]: QTM_ DATA_READ
[2]: QTM_DATA_WRITE
[3]: QTM_EXPLORER_DESIGN
[4]: QTM_MAINTENANCE
[5]: QTM_OPC
[6]: EXA_MAINTENANCE
[7]: System (QTM_PROCESS)
[8]: System (EXA_PROCESS)
[9]: System (QTM_SQLSERVER)
Y: Implemented
TIP: To display local security policies, use the following procedure.
1 Run [Control Panel] - [Administrative Tools] - [Local Security Policy].
2 In Local Security Settings window, select [Local Policies] - [User Rights Assignment].
Among various local security policies displayed here, the above three access privileges are the
minimum necessary requirements for operating the Exaquantum system.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-25
Appendix A.13.1.5 Access User Group Control
The following two user/group control methods that make use of access control on an access
user group basis are available.
Table A-8 Access user group control

Configuration Operation Other

Consolidating the
Requires a domain users reduces
Register the
server to be human errors,
accounts of the
Domain control established besides which can be an
users on the domain
Exaquantum advantage with
server.
terminals. respect to the
security.

For more information on access user group management, refer to Appendix A.6
Workgroup Management and Domain Management.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-26 Appendix A IT Security
Appendix A.13.2 Personal Firewall Tuning
To cope with attacks from an unknown area, network access to a terminal is minimized.

Caution
When installing Exaquantum R2.60 or later, you can configure Windows Firewall to comply
with the Standard model by using the Security Setting Tool. If using a Personal Firewall made
by a third-party, it is the user’s responsibility to setup and operate it.

TIP: Most of the third-party Personal Firewall products have initial settings, so some of them
may conflict with the settings in the following description.
Before setting up, make sure you remove the initial settings, and ensure that unexpected
services are not started after setting up.
Personal Firewall Settings (for Standard Model)
In the case of the Standard model, Exaquantum-related DCOM processes are set up as
exceptions so that Exaquantum functions can run without any changes in the settings. These
settings are common to all terminals. There is no restriction to the communication target.
Table A-9 Personal Firewall settings

Exaquantum server Exaquantum client

Standard settings Exception Setting (see below) Exception Setting (see below)

Table A-10 Exception Setting for PIMS Server or Combined Server

Port Port Number

HTTP 80/TCP (Web Server only)

EPMAP 135/TCP

MSSQL 1433/TCP

Remote Desktop 3389/TCP

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-27

Table A-11

Application Path

mmc.exe WINDOWS\system32\mmc.exe

Exaquantum Quantum <Exaquantum installation folder>\System\Quantum.exe

Module

Exaquantum Explorer <Exaquantum installation folder >\Explorer\QExplore.exe

Exaquantum LiveXplore <Exaquantum installation folder >\Developer

Tools\LiveXplore.exe

Exaquantum System Event <Exaquantum installation folder >\Developer

Viewer Tools\SysEventsViewer.exe

Microsoft Excel <Microsoft Office installation folder >Excel.exe

- For Office 2010
C:\Program Files (x86)\Microsoft Office\OFFICE14\
- For Office 2013
C:\Program Files (x86)\Microsoft Office\OFFICE15\
- For Office 2016
C:\Program Files (x86)\Microsoft Office\OFFICE16\

ExaQuantumExecutive.exe <Exaquantum installation folder

>\System\ExaQuantumExecutive.exe

QRBNSServerBrowse.exe <Exaquantum installation folder

>\System\QRBNSServerBrowse.exe

QNameSpaceBrowser.exe <Exaquantum installation folder

>\System\QNameSpaceBrowser.exe

QHistorian.exe <Exaquantum installation folder >\System\QHistorian.exe

QBuilder.exe <Exaquantum installation folder >\System\QBuilder.exe

QAnalyse.exe <Exaquantum installation folder >\System\QAnalyse.exe

QFBRetriever.exe <Exaquantum installation folder >\Product

Tools\QFBRetriever.exe

QOPCDAMgr.exe <Exaquantum installation folder >\System\QOPCDAMgr.exe

QOPCAEPump.exe <Exaquantum installation folder >\System\QOPCAEPump.exe

QOPCPropertyAccess.exe <Exaquantum installation folder

>\System\QOPCPropertyAccess.exe

QZOPCAECatchup.exe <Exaquantum installation folder

>\System\QZOPCAECatchup.exe

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-28 Appendix A IT Security

Table A- 12 Exception Setting for Web Server or Client

Port Port Number

HTTP 80/TCP (Web Server only)

EPMAP 135/TCP

Table A-13

Application Path

mmc.exe WINDOWS\system32\mmc.exe

Exaquantum Quantum <Exaquantum installation folder>\System\Quantum.exe

Module

Exaquantum Explorer <Exaquantum installation folder

>\Explorer\QExplore.exe

Exaquantum LiveXplore <Exaquantum installation folder >\Developer

Tools\LiveXplore.exe

Exaquantum System Event <Exaquantum installation folder >\Developer

Viewer Tools\SysEventsViewer.exe

Microsoft Excel For a 32 bit OS:

<Microsoft Office installation folder >Excel.exe
- For Office 2010
C:\Program Files\Microsoft Office\OFFICE14\
- For Office 2013
C:\Program Files\Microsoft Office\OFFICE15\
- For Office 2016
C:\Program Files\Microsoft Office\OFFICE16\

For a 64 bit OS:

<Microsoft Office installation folder >Excel.exe
- For Office 2010
C:\Program Files (x86)\Microsoft Office\OFFICE14\
- For Office 2013
C:\Program Files (x86)\Microsoft Office\OFFICE15\
- For Office 2016
C:\Program Files (x86)\Microsoft Office\OFFICE16\

Personal Firewall Settings (for Strengthened model)

For further Setting details, please contact YMX.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-29
Appendix A.13.3 Change in SQL server service account
The service for SQL Server which operates in the local System account has been changed for
SQL server Account.
The list of SQL services running are listed below.
Table A-14 SQL server service account
Service User group Minimum Permissions Required
SQL Predetermined instance : log on as the service
Server SQLServerMSSQLUser$ComputerName (SeServiceLogonRight)
$MSSQLSERVER
The process level Token is replaced
(SeAssignPrimaryTokenPrivilege)

The Scan is not checked

(SeChangeNotifyPrivilege)

Tuning up the memory quarter to the

process (SeIncreaseQuotaPrivilege)

Privilege that starts SQL Server Active

Directory Helper

Privilege that starts SQL writer

Privilege that reads event log service

Privilege that reads Remote Procedure

Call service
SQL Predetermined instance: log on as the service
Server SQLServerSQLAgentUser$ComputerNa (SeServiceLogonRight)
agent me$MSSQLSERVER
The process level Token is replaced
(SeAssignPrimaryTokenPrivilege)

The Scan is not checked

(SeChangeNotifyPrivilege)

The tuning works the memory quarter to

the process (SeIncreaseQuotaPrivilege)

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-30 Appendix A IT Security
Setting of standard model
An account for SQL server service is made for the Exaquantum server for the standard model.
All accounts of the above-mentioned SQL server service are changed to SQL server account
for the Exaquantum server.

Caution
Manually set SQL Server services other than the target services (SQL Server, SQL Server
agent) not to start.

Table A-15 SQL server service account (Standard model)

User name Target service Belonging user group

QTM_SQLSERVER SQL Server SQLServerMSSQLUser$

SQL Server agent ComputerName$MSSQLSERVER

Appendix A.13.4 Stopping of unnecessary Windows services (Strengthened Model

target)
For further Setting details, please contact your local Yokogawa representative.
Appendix A.13.5 Changing IT Environment Settings
This section provides an introduction to the Windows security functions that run in the IT
environment and are applicable to the Exaquantum. When implementing these security
functions, consider their suitability for use with Exaquantum.
Table A-16 Relationship between IT Environment Setting items and Security models

Setting items Standard model Strengthened model

Hiding the Last Logon User Name Y Y

Disabling USB and cancelling disable Y Y

For further Strengthened Model Setting details, please contact YMX.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-31
Appendix A.13.5.1 Disabling USB and cancelling disable
This function disables the use of USB storage devices such as USB memory sticks. You can
use this function to prevent theft of data by unauthorized users.
You can use the StorageDeviceCTL utility of Exaquantum to temporarily grant write
permissions to users.

Caution
If you use a USB Removable HDD as an Auto Archiving destination folder, and change the
removable media to read only using StorageDevicePolicies, the next archive operation will
fail. You need to change your confirmation, for example set the archive folder to an internal
HDD.

Disable Setting
1 Log on as a user with Administrator privilege.
2 Double click on the following file:
(Standard Model or Strengthened Model)
<Exaquantum installation folder>\Exaopc\PKGCOM\tool\PMCDisablingUSBStorageDevice.exe.
3 Reboot the PC.

If you want to enable the USB Storage Devices, double click the following file.
<Exaquantum installation folder>\Exaopc\PKGCOM\tool\PMCEnablingUSBStorageDevice.exe.

Note
If this function is applied to Windows Server 2008 R2, you cannot use StorageDeviceCTL to
temporarily cancel the effect of disabling USB storage devices. To cancel, you need to double
click the "PMCEnablingUSBStorageDevice.reg". (Refer to the Disable Setting)
Note that, to disable taking out of data using removable storage media without using this
function, you need to take security measures such as putting a cover on USB ports.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-32 Appendix A IT Security
Setting the temporary cancellation
If disable setting is executed, after storage device such as USB memory is disable, when
StorageDeviceCTL is executed, read and write can be available during execution only.
After executing this tool, when putting USB memory on PC, write procedure can be
performed.
This tool can be available on PC which set Storage Device Policies.
In case this tool executed on PC which does not set Storage Device Policies, set Storage
Device Policies automatically, and Storage Device can only read.
Note: After executing this tool, Storage Device needs to be recognized.
Storage Device CTL Executing method
Execute the following procedure.
1 Open the following program folder.
(In case of 32bit OS
C:\Program Files\YOKOGAWA\IA\iPCS\Products\SECURITY\PROGRAM\)
(In case of 64bit OS
C:\Program Files (x86)\Yokogawa\Exaquantum PIMS\Exaopc\PKGCOM\tool)
2 Double click the following file on folder.
Yokogawa.IA.iPCS.Platform.Security.StorageDeviceCTL.exe
After executing, task will be displayed on only Task bar.
3 Put Storage Device on PC.
4 Read / Write of needful data to Storage Device.
5 Remove Storage Device.
Note: In case USB memory removes, right click on "Safety Remove Hardware and Eject
Media" icon, select "Safety Remove Hardware and Eject Media".
6 Click [StorageDeviceCTL] from Task bar, and click [WriteStop].

Note 1. If StorageDeviceCTL is executed on Windows Server 2008, the “Portable Device

Enumerator Service” service stop confirmation dialog may be displayed.
In this case, click [Close] button.
Note 2. For Windows Server OS, as Portable Device Enumerator Service may not be active,
an OS restart may be required for settings to take effect.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-33
Appendix A.13.5.2 Hiding the Last Logon User Name
The last logon user name, normally shown on the logon dialog box, can be hidden to prevent
general display of user names.
Setting method
Modify the Local Security Policy setting as follows:
1. Open Local Security Policy from control panel - Administrative Tools.
2. Select [Security Settings] - [Local Policies] - [Security Options] in the left hand panel.
3. Double click [Interactive logon: Do not display last user name Properties]
4. Select [Enable] and click [Apply] button

Note
You must enter a user name on every logon attempt if you apply this security measure

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-34 Appendix A IT Security
Appendix A.13.6 Security of Web server (Standard or Strengthened model)
The Web server might be installed in Exaquantum. It is necessary to pay close attention to
security when connecting the Web server to the Internet or Intranet.
Table A-17 Security of Web server

Setting item Standard model

Only the necessary IIS components are installed. Y

Only the necessary Web extension services are made valid. Y

The IIS logging is set. Y

Appendix A.13.6.1 Installing Only the Necessary IIS Components

Do not enable components such as FTP, NNTP, and SMTP or any other unused service.
For further installation details, refer to Chapter 8 Installing IIS in the Exaquantum Installation
Guide (IM36J04A13-01E).
Appendix A.13.6.2 Enabling Only Necessary Web Service Extensions
The dynamic content function and extension with an IIS server are achieved by using Web
service extensions.
The IIS 6.0 extended security function enables or disables individual Web service extensions
separately. An IIS server after being newly installed transmits only static contents. To enable
the dynamic content function, the user can use the Web Service Extensions node of IIS
Manager. These extensions include ASP.NET, SSI, WebDAV, FrontPage Server, and others.
Disable unnecessary Web service extensions to reduce the risk of attack to the IIS server.
Appendix A.13.6.3 Configuring IIS Log
A log can be created for each Web site and application separately. An IIS log includes
information about who accessed a site, what was referred to, when its information was most
recently referred to, and so on. The use of an IIS log allows the administrator to evaluate the
frequency of contents access and grasp the bottleneck of information. The log can also be
used as a resource to investigate attacks on the site.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-35
Appendix A.13.6.4 Enabling SSL (Secure Sockets Layer)
SSL (Secure Sockets Layer) is a protocol developed by Netscape Communications
Corporation, which allows information to be encrypted on the Internet prior to transmission
and reception. The SSL is enabled by installing the SSL server certificate in the Web server.
An SSL server certificate is an electronic certificate that contains information on the Web site
owner, a key necessary for encryption of information to transmit, and the publisher’s
signature data. The SSL server certificate has two important roles of “encrypting
communication with a Web site” and “identifying the Web site owner”. These roles allow
a user to safely transmit data inputted on a Web browser to the true Web site owner. Since the
user needs an SSL server certificate to be issued by the certificate authority, it requires extra
cost to introduce the SSL protocol. The SSL uses HTTPS as a protocol. A Web client
(browser) that has access to the Web server using HTTPS can identify the server certificate.
 The certificate has been issued by a reliable root certificate authority.
 The certificate does not expire.
 The certificate is related to a site name the user is about to connect to.
HTTPS may not operate unless the destination server certificate is completely reliable. For
this reason, use a correct certificate conforming to the above three items.
 Install all certificates of the root certificate authority (and intermediate certificate
authority) in the browser.
 Use unexpired certificates.
 Match the Web server host name (host name of URL inputted into the address bar) to
the site name in the certificate.
Procedure for installing the server certificate (IIS 7.X)
1. Open the Internet Information Services (IIS) Manager windows
Figure A-15

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-36 Appendix A IT Security
2. Choose the “Server Certificates” icon from the “Features View" pane
Figure A-16

3. Choose “Import...” from the “Actions” pane.

Figure A-17

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-37
4. Select a Certificate file after Import Certificate dialog opens.
Figure A-18

5. Select a website and then select “Bindings...” from “Actions.” “Site Bindings” dialog
setting
Figure A-19

6. Click on the [Add...] button. The “Add Site Binding” dialog will be displayed
Figure A-20

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-38 Appendix A IT Security
7. Set “Type,” “Port,” and “SSL Certificate” in the dialog, and then click on the [OK]
button.
Figure A-21

8. The https protocol that has been set will be added

Figure A-22

Appendix A.13.6.5 Caution when using the tablet device

When communicating between wireless LAN base unit and a tablet device, the risk exists,
such as eavesdropping the communication contents.
For your wireless LAN base unit, please enable security features such as encryption, MAC
address registration and stealth capability.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-39
Appendix A.14 Installation on HIS
In order to install Exaquantum Client on CENTUM VP R4.03 or later, the following
procedure is needed. Details describes as follows.
Appendix A.14.1 Installation Procedure
■ Preparation
When you set [Auto logon setting] including HIS type SSO, follows the procedures below.
(1) Reset [Auto logon setting] and restart PC.
(2) Log on from the same account which was used at CENTUMVP security setting.
When the account which was used for the security setting was used for HIS reboot, reset the
HIS start setting and restart PC.

Caution
If CENTUM is Legacy model setting and the default authentication level of DCOM is set to
"None", please change the authentication level to "Connect" and install Exaquantum. If you
change, please return the default authentication level of DCOM to "None" after installing
Exaquantum.

■ Preparation for IT security setting

On CENTUM VP R4.03 or later, Legacy model or Standard Standalone model can coexist.
● Standard Standalone model:
Execute Session 2.1 [IT Security Setting preparation] from the administrator account belonging to [CTM_
MAINTENANCE] group.
● Standard Domain model:
Work for Domain Server PC:
 Execute Section 2.23 User Group Generation before Installation.
 Add the user accounts belonging to [EXA_MAINTENANCE] to
[CTM_MAINTENANCE], domain user account.
Work for PCs where Exaquantum is installed:
 Execute Session 2.23 User Group Generation before Installation from the administrator
account, belonging to [CTM_ MAINTENANCE] group.
● Legacy model:
Preparation for IT security setting is not required.
■ Exaquantum Client Installation
Exaquantum client installation is not supported on CENTUM CS 3000. When installing Exaquantum client
on CENTUM CS 3000, please install Exaquantum client on Exaquantum R2.60.

For details about Exaquantum client installation procedure of Exaquantum R2.60, Please refer to the
following file in Exaquantum prerequisite DVD (Disc 1).
<DVD>\Client\Support\ReadmeEn.txt
Execute the Web client installation in the same way as Section 4.5 Exaquantum/PIMS Server Installation or
4.7 Exaquantum Client Installation from the account for IT Security Setting

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-40 Appendix A IT Security
Appendix A.14.2 Settings after Installation in case of HIS type SSO
In case of HIS type SSO, please do not assign OFFUSER the authentication to access from
the security point of view.
So you cannot call each Exaquantum application from the start menu on the auto logon
environment. To call Exaquantum applications, the following preparation is necessary.
Refer to CENTUM VP Instruction Manual in detail.
 Security setting of user account to user in
 Setting of Function key preset menu
■ Security Setting of User Account to User In
For user accounts defined when Exaquantum is installed, execute the following setting. Refer to CENTUM
VP Instruction manual.
(1) Register the above user accounts to [CENTUM VP] group.
(2) Define to make user in.
■ Setting of Function Key Preset Menu
Assign each APC tool to the function key from [Run] in the preset menu, if necessary.
■ How to assign Exaquantum tools
When Exaquantum tool set on function key, preset menu, please set the following formula.
"<Exaquantum Installation folder>\System\StartExe.exe" "Exaquantum tool path"
As for path information, please refer to the following table.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-41
Table A-18 Exaquantum Client (Explorer)
Menu Path
Exaquantum Explorer <Exaquantum Installation Path>\Explorer\QExplorer.exe
Item Selector <Exaquantum Installation Path>\System\QItemSelector.exe
Query Wizard <Exaquantum Installation Path>\QQueryWizard.exe
Graphic Editor <Exaquantum Installation Path>\Graphics
Editor\GraphicsEditor.exe
Cross Reference Tool <Exaquantum Installation Path>\Developer
Tools\ExaquantumXRef.exe
Server Manager <Exaquantum Installation Path>\System\ServerManager.exe
System Event Viewer <Exaquantum Installation Path>\Developer
Tools\SysEventsViewer.exe
Administration Tool <Exaquantum Installation Path>\Product Tools\Exaquantum.msc
Tag Configuration <Exaquantum Installation Path>\Developer
Viewer Tools\TagConfigViewer.exe
Admin Tool Server <Exaquantum Installation Path>\Product
Tools\AdminToolsServer.exe
TrendAnalyze <Exaquantum Installation Path>\Explorer\QExplore.exe /R
<Exaquantum Installation
Path>\Explorer\TrendAnalyze\Explorer\WorkBook\TrendAnalyze.
pxw

Table A-19 Exaquantum Web Client

Menu Path

Web Server Manager <Exaquantum Installation Path>\System\WebServerManager.exe

Note 1) When the Windows system drive is not C drive, modify the drive name.
Assign Function key to APC application call
From the function key assign of CENTUM builder, select the function, following the
procedure in the CENTUM VP Instruction Manual.
Preset Menu Settings
From HIS setting window, select [Preset Settings], following the procedure in the CENTUM
VP Instruction Manual.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-42 Appendix A IT Security
Appendix A.15 Security setting of Windows Server domain controller
This section applies to the following configuration:
 Standard domain security model
 Windows Domain Controller
 One of the following operating systems
o Windows Server 2008 R2 Standard SP1
o Windows Server 2012 Standard
o Windows Server 2012 R2 Standard

The procedure is as follows.

1. Login to domain controller as a user who is a Member of a ‘Domain Admins’ group.
2. Insert the Exaquantum DVD prerequisite media (Disc 1) into the Domain Controller PC.
3. Open the folder <DVD>\Tools\DCSecurityBatch
Figure A-23

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Exaquantum Engineering Guide – Volume 2 Network Configuration App.A-43

4. Run the batch file DomainServerSecuritySetting.bat. You will need to right click on
the file, and select Run as Administrator

Figure A-24

5. Check the following message is displayed:

"The IT security setting of the domain server succeeded."
"!Please Reboot!"
6. Restart the domain controller.

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

App.A-44 Appendix A IT Security
The following settings are modified by the batch file.
 File folder access control : Windows Folder
 Registry access control : DCOM Registry Key
 Registry access control : Windows Registry Key
 OPC(DCOM) access control
 Local security
 Personal Firewall tuning : for DCOM communication
 Personal Firewall tuning : for Windows

The following domain groups are also added by the batch file:
 QTM_DATA_READ
 QTM_DATA_WRITE
 QTM_EXPLORER_DESIGN
 QTM_MAINTENANCE
 EXA_MAINTENANCE
 QTM_OPC
For IT Environment Settings, refer to Engineering guide Vol.2 Appendix A.13.5 "Changing
IT Environment Settings".

IM 36J04A15-02E 22nd Edition Issue 1 January 14th 2020

Evo - XPAND IP+ - InstallationGuide - RevA
100% (2)
Evo - XPAND IP+ - InstallationGuide - RevA
100 pages
7.3.7 Lab - View The Switch MAC Address Table
No ratings yet
7.3.7 Lab - View The Switch MAC Address Table
8 pages
EXOS User Guide 16 2
No ratings yet
EXOS User Guide 16 2
1,741 pages
SolidWorks Electrical 2020 Black Book
From Everand
SolidWorks Electrical 2020 Black Book
Gaurav Verma
5/5 (1)
COC 3 - Setup Computer Servers Tutorial
100% (1)
COC 3 - Setup Computer Servers Tutorial
8 pages
GPON OLT Quick Configuration User Manual: About Product
100% (1)
GPON OLT Quick Configuration User Manual: About Product
56 pages
Exaquantum Engineering Guide Vol 1
No ratings yet
Exaquantum Engineering Guide Vol 1
118 pages
Exaquantum Engineering Guide Vol 2
100% (1)
Exaquantum Engineering Guide Vol 2
174 pages
Exaquantum Engineering Guide Vol 4
No ratings yet
Exaquantum Engineering Guide Vol 4
226 pages
Exaquantum Engineering Guide Vol 1
100% (1)
Exaquantum Engineering Guide Vol 1
110 pages
Exaquantum Engineering Guide Vol 3
No ratings yet
Exaquantum Engineering Guide Vol 3
246 pages
Exaquantum Installation Guide
No ratings yet
Exaquantum Installation Guide
222 pages
Exaquantum PIMS Users Manual
100% (1)
Exaquantum PIMS Users Manual
134 pages
Exaquantum Installation Guide
100% (2)
Exaquantum Installation Guide
124 pages
Exaquantum API Reference Manual
100% (1)
Exaquantum API Reference Manual
204 pages
IM 36J40B25-01EN SFM R315 Engineering Guide
No ratings yet
IM 36J40B25-01EN SFM R315 Engineering Guide
64 pages
Exaquantum Explorer Users Manual Vol 3-Excel Reports
No ratings yet
Exaquantum Explorer Users Manual Vol 3-Excel Reports
58 pages
Exaquantum Engineering Guide-X123143
No ratings yet
Exaquantum Engineering Guide-X123143
16 pages
Extreme Networks
No ratings yet
Extreme Networks
69 pages
Modicon Quantum Ethernet 01
No ratings yet
Modicon Quantum Ethernet 01
119 pages
ExOS 6.4 - User Manual
No ratings yet
ExOS 6.4 - User Manual
480 pages
Exaquantum Setup and Troubleshooting Guide
No ratings yet
Exaquantum Setup and Troubleshooting Guide
28 pages
Extreme Exos Concepts Guide 153
No ratings yet
Extreme Exos Concepts Guide 153
1,682 pages
IC Getting Started XTM-series
No ratings yet
IC Getting Started XTM-series
20 pages
Gs36j04a10-01e 037
No ratings yet
Gs36j04a10-01e 037
15 pages
Challenges and Approaches for Selecting, Assessing and Qualifying Commercial Industrial Digital Instrumentation and Control Equipment for Use in Nuclear Power Plant Applications
From Everand
Challenges and Approaches for Selecting, Assessing and Qualifying Commercial Industrial Digital Instrumentation and Control Equipment for Use in Nuclear Power Plant Applications
IAEA
No ratings yet
Product Selection Guide
No ratings yet
Product Selection Guide
79 pages
Mediant 500 Gateway e SBC Quick Guide
No ratings yet
Mediant 500 Gateway e SBC Quick Guide
8 pages
Multi Cast Configuration Extreme Switch
100% (1)
Multi Cast Configuration Extreme Switch
280 pages
ExtremeXOS User Guide 16.2
No ratings yet
ExtremeXOS User Guide 16.2
1,724 pages
Gs36j04a10-01e 039
No ratings yet
Gs36j04a10-01e 039
17 pages
Gs36j40e30-01en - 005 Otm
No ratings yet
Gs36j40e30-01en - 005 Otm
2 pages
EXOS User Guide 16 1 PDF
No ratings yet
EXOS User Guide 16 1 PDF
1,818 pages
ABB Connectivity Packages
100% (1)
ABB Connectivity Packages
102 pages
Quantum Using Ecostruxure™ Control Expert: Ethernet Network Modules User Manual
No ratings yet
Quantum Using Ecostruxure™ Control Expert: Ethernet Network Modules User Manual
402 pages
EcoStruxture Building Cat - BMS
No ratings yet
EcoStruxture Building Cat - BMS
80 pages
Exaquantum
No ratings yet
Exaquantum
12 pages
Exinda User Manual: © 2012 Exinda, Inc. Exinda Exos Version 6.3
No ratings yet
Exinda User Manual: © 2012 Exinda, Inc. Exinda Exos Version 6.3
220 pages
LT Man Adptenv
No ratings yet
LT Man Adptenv
20 pages
GS36J04A10-01E - 020 (Exaquantum)
No ratings yet
GS36J04A10-01E - 020 (Exaquantum)
10 pages
998 20312057 Product Selection Guide EcoStruxureBuilding
No ratings yet
998 20312057 Product Selection Guide EcoStruxureBuilding
80 pages
Product Selection Guide EcoStruxure Building 998-20312057 07.20
No ratings yet
Product Selection Guide EcoStruxure Building 998-20312057 07.20
84 pages
EXOS User Guide 15.7
No ratings yet
EXOS User Guide 15.7
1,745 pages
Ipx S@e Manager GB
100% (3)
Ipx S@e Manager GB
234 pages
RE - 54 - REX 521ConnPac 755312ENe
No ratings yet
RE - 54 - REX 521ConnPac 755312ENe
46 pages
Manual Labs - Virtual
No ratings yet
Manual Labs - Virtual
27 pages
IxServer 6.80 User Guide 6.80
No ratings yet
IxServer 6.80 User Guide 6.80
36 pages
Tricon Triconex Planning & Installation Manual ML093290420
No ratings yet
Tricon Triconex Planning & Installation Manual ML093290420
11 pages
IDX 3.3 - Release Notes
100% (1)
IDX 3.3 - Release Notes
152 pages
EXOS User Guide 31.5
100% (1)
EXOS User Guide 31.5
2,183 pages
AX Config Guide v2 4 3-20100621
No ratings yet
AX Config Guide v2 4 3-20100621
950 pages
AX Series™ Advanced Traffic Manager Configuration Guide
No ratings yet
AX Series™ Advanced Traffic Manager Configuration Guide
950 pages
Release Notes: For iDX Release 4.1.2.x
No ratings yet
Release Notes: For iDX Release 4.1.2.x
90 pages
Nortel Passport 8000/ Accelar: Supports Management Module SM-NTL1003
No ratings yet
Nortel Passport 8000/ Accelar: Supports Management Module SM-NTL1003
83 pages
Quantum With Unity Pro: TCP/IP Configuration User Manual
No ratings yet
Quantum With Unity Pro: TCP/IP Configuration User Manual
76 pages
EXOS User Guide 30 5
0% (1)
EXOS User Guide 30 5
2,087 pages
Quantum With Unity Pro: TCP/IP Configuration User Manual
No ratings yet
Quantum With Unity Pro: TCP/IP Configuration User Manual
76 pages
Installation and Using Guide: Gigabit Ethernet-SX PCI-X Adapter and Dual Port Gigabit Ethernet-SX PCI-X Adapter
No ratings yet
Installation and Using Guide: Gigabit Ethernet-SX PCI-X Adapter and Dual Port Gigabit Ethernet-SX PCI-X Adapter
32 pages
Extremecloud Appliance User Guide: 9036135-02 Published June 2019
No ratings yet
Extremecloud Appliance User Guide: 9036135-02 Published June 2019
219 pages
Linear LED Strobe Light for Machine Vision Illumination
From Everand
Linear LED Strobe Light for Machine Vision Illumination
Subodh Sarkar
No ratings yet
Correct Maintenance - Cognex DataMan 8500
From Everand
Correct Maintenance - Cognex DataMan 8500
Unique Content
No ratings yet
Safe Use of Smart Devices in Systems Important to Safety in Nuclear Power Plants
From Everand
Safe Use of Smart Devices in Systems Important to Safety in Nuclear Power Plants
IAEA
No ratings yet
Framework for SCADA Cybersecurity
From Everand
Framework for SCADA Cybersecurity
Richard Clark
5/5 (1)
Firmware Update Sentron Pac3100 en
No ratings yet
Firmware Update Sentron Pac3100 en
17 pages
A054T063 Protonode
No ratings yet
A054T063 Protonode
122 pages
Cisco 2500 Series Routers
No ratings yet
Cisco 2500 Series Routers
16 pages
ECH - Stealthwatch NetFlow Configuration Templates v1 0
No ratings yet
ECH - Stealthwatch NetFlow Configuration Templates v1 0
10 pages
Cisco Router Configuration Commands For Student
No ratings yet
Cisco Router Configuration Commands For Student
11 pages
FONST 5000 U Series Packet Enhanced OTN Equipment Product Description J
No ratings yet
FONST 5000 U Series Packet Enhanced OTN Equipment Product Description J
270 pages
Bizhub 225i - Network Administrator - en - 1 1 0
No ratings yet
Bizhub 225i - Network Administrator - en - 1 1 0
104 pages
Android NGN Stack 00
No ratings yet
Android NGN Stack 00
28 pages
Maglev Load Balancer
No ratings yet
Maglev Load Balancer
14 pages
HCPP-IP Network
No ratings yet
HCPP-IP Network
17 pages
Advanced Remote Node ARN
No ratings yet
Advanced Remote Node ARN
10 pages
Tarea 3
No ratings yet
Tarea 3
7 pages
Huawei AR 46 Series
No ratings yet
Huawei AR 46 Series
6 pages
Chapter 1: Routing Concepts: Instructor Materials
No ratings yet
Chapter 1: Routing Concepts: Instructor Materials
70 pages
2 TCP - Ip Ii
No ratings yet
2 TCP - Ip Ii
42 pages
PPPoE - Concepts & Configuration
No ratings yet
PPPoE - Concepts & Configuration
8 pages
bNSG9000 Datasheet 2
No ratings yet
bNSG9000 Datasheet 2
3 pages
8.2.1.4 Packet Tracer - Designing and Implementing A VLSM Addressing Scheme - CCNA v6.0 Exam 2019 PDF
No ratings yet
8.2.1.4 Packet Tracer - Designing and Implementing A VLSM Addressing Scheme - CCNA v6.0 Exam 2019 PDF
18 pages
DDos Solution PDF
100% (1)
DDos Solution PDF
29 pages
Sip Cause Code
100% (2)
Sip Cause Code
4 pages
15 SSH, SCP - Secure Shell, Secure
No ratings yet
15 SSH, SCP - Secure Shell, Secure
16 pages
The OSI Model Module 3
No ratings yet
The OSI Model Module 3
4 pages
GWN7000 Command Line Guide
No ratings yet
GWN7000 Command Line Guide
10 pages
01 Google Cloud VPC Networking Fundamentals
No ratings yet
01 Google Cloud VPC Networking Fundamentals
45 pages
DCN Practical 3
No ratings yet
DCN Practical 3
24 pages
IP PBX Configuration Guide
No ratings yet
IP PBX Configuration Guide
12 pages
6400 3500 SNTP Time Client Clock Datasheet
No ratings yet
6400 3500 SNTP Time Client Clock Datasheet
2 pages