Client

This section describes the required settings on the client's side. The client is the computer on which the OPC-Client application, e.g. a visualization, is running. Usually the OPC-Server is also located on this computer. However, in some environments it may be necessary that OPC-Client and OPC-Server need to be installed on different computers. Both, the OPC-Server's and OPC-Client's DCOM settings need to be configured, so that a remote communication between client and server is possible.

	The following settings have been tested on Windows 2000, Windows XP and Windows 7 computers.

Step 1: General network configuration

Depending on the client's operating system, some additional network settings need to be taken. Basically, the same settings must be performed. However, some "operating system specific" settings must be done to get the DCOM security running.

Please refer to our Article about Operating Systems for more information.

Step 2: DCOM configuration

To configure DCOM for a remote OPC communication, please perform the following steps on the computer running the OPC-Client.

	Only local administrators are allowed to open and change the DCOM security.

Open Start --> Run --> dcomcnfg.exe to start the DCOM configuration dialog.
Navigate to Console Root --> Component Services --> Computers --> My Computer
Select "My Computer", right click it and select Properties
On the "General" tab no changes must be made. The default settings will be correct for OPC Client side security settings
On the "Options" tab no changes have to be made. The default settings will be correct for OPC Client side security settings.
On the "Default Protocols" tab the Connection-oriented TCP/IP protocol should be moved to the top position. This setting forces the use of TCP/IP for DCOM connections. All other protocols can be removed if the are not used with DCOM. The timeout will be reduced if DCOM tries to connect only on TCP/IP connections.
On the Default Properties Tab the Enable Distributed COM on this computer must be checked. The Authentification Level and the Impersonation Level are set to Connect and Identify by default. If the client machine runs in a Workgroup the level should be changed

Authentification Level = None
Impersonation Level = Anonymous

If the client machine runs in a Domain the level remains to default settings

Authentification Level = Connect
Impersonation Level = Identify

If the client machine runs in a mixed configuration (e.g. the Client machine in a Workgroup and the Server machine in a Domain) the level should be changed. The machine being part of the Domain must be able to identify the security context without "asking" the Domain. Therefore the machine must "know" the users (they must have a local Login).

Authentification Level = None
Impersonation Level = Anonymous

	Not all possible combinations of setting these two levels make sense.

Known Bugs: on Windows 2000 operating systems the Network Configuration Icon disapears when setting DCOM security levels to None and Anonymous. The network still works but the IP-Address of the NIC can not be changed anymore. Change temporarely to default settings to change IP Address or use None and Delegate.

On the Default COM Security Tab the Access- and Launch permission for all COM-Objects can be changed. As the OPC Client is nothing else than a COM Client, the security setings should be changed to grant access to the Client application. Specially when the OPC Server sends callbacks (e.g. OnDataChange) to the OPC Client the server's process must have access permission on the Client.

The Default Access Permission should be granted for

Administrators

Interactive User

System

Network

"OPC Server's Security Context"

The Default Launch Permission should not be changed on the Client machine.
On the MSDTC Tab no changes must be done. The default settings will be correct for OPC Client side security settings.