Hi,

We are struggling with the Emerson DCS OPC DA Server to PI interface connection, as it keeps disconnecting when we restart the OPC server.

 

There was no issue before, but when we installed a firewall in between these systems for security segmentation using NAT, we began to experience this problem.

 

Not sure if someone has an idea to resolve it.

 

Thank you.

  • Have you checked this article: Will DCOM work with a NAT device?

    Basically, it says that DCOM, the underlying technology for OPC DA, is designed to work with explicit IP addresses so it won't function correctly with NAT in between the server and client.

    This is supported by other articles such as this one: Acquire Data From an OPC Server Through a Router OPCTI FAQ

  • Hello Adrian,

    Apart from the NAT part, passing OPC DA traffic through a firewall is tricky because OPC DA uses a dynamic and very wide range of ports.

    So you have a few options:

    A. Open a very wide range of ports. Apart from port 135, you need a range of ports that are not fixed, for example "49153-49453". You can choose any ports between 49152 - 65535. Ensure that you have at least 300 ports available. I have quoted this from here: PI OPC DA Interface DCOM Windows Firewall Settings (osisoft.com)

    But sometimes, as you can read, this is not sufficient.

    There are ways to limit the number of ports required via Windows configuration. But this is tricky and has limitations. If you are not able to go ahead with the other options below you can try...

    In general this is not a great option...

     

    B. Use a firewall that identifies the OPC DA traffic; we had very good experience with Palo Alto.

     

    C. Use tunnelling software; there are many out there, we use Matrikon OPC Tunneller. The same software can translate OPC DA to OPC UA and then you can use the OPC UA Connector instead of the OPC DA interface (OPC UA just needs one port).

     

    D. If your architecture allows it, install the interface next to the Emerson OPC DA so that the firewall will be sitting between the PI Interface and the PI server (just one port required to be opened).
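
Option A's "limit the number of ports via Windows configuration", as an added example that is not part of the original thread or any vendor's procedure: it pins the RPC/DCOM dynamic port range on the OPC server node and allows only port 135 plus that range through Windows Firewall. The address in `$ClientAddress` is a constructed placeholder for the PI interface node, and the rule display names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: restrict the DCOM dynamic port range and open only that range.
# Assumptions: $ClientAddress is a placeholder; rule names are made up here.

$PortRange     = '49153-49453'   # range quoted in the reply above
$ClientAddress = '192.0.2.10'    # constructed placeholder: PI interface node
$RpcKey        = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

# Enforce the constraints from the reply: inside 49152-65535, at least 300 ports.
$low, $high = $PortRange -split '-' | ForEach-Object { [int]$_ }
if ($low -lt 49152 -or $high -gt 65535 -or ($high - $low + 1) -lt 300) {
    throw "Range $PortRange must lie within 49152-65535 and hold at least 300 ports."
}

# Tell the RPC runtime to allocate dynamic endpoints only from this range.
if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
New-ItemProperty -Path $RpcKey -Name 'Ports' -PropertyType MultiString `
    -Value @($PortRange) -Force | Out-Null
New-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -PropertyType String `
    -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $RpcKey -Name 'UseInternetPorts' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# Allow the endpoint mapper and the pinned range, scoped to the one peer only.
New-NetFirewallRule -DisplayName 'OPC DA - RPC endpoint mapper (example)' `
    -Direction Inbound -Protocol TCP -LocalPort 135 `
    -RemoteAddress $ClientAddress -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'OPC DA - DCOM dynamic range (example)' `
    -Direction Inbound -Protocol TCP -LocalPort $PortRange `
    -RemoteAddress $ClientAddress -Action Allow | Out-Null

# Show the resulting configuration for review.
Get-ItemProperty -Path $RpcKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
Write-Host 'Reboot this node for the RPC port range to take effect.'
```

The same ports then have to be allowed on the firewall between the two nodes. This narrows the port range only; it does not change the NAT behaviour described in the first reply.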