SKF Multilog IMx time synchronization and advanced Windows firewall settings with SKF @ptitude Observer and SKF @ptitude Analyst for Windows 7




Application Note

By Ronny Sjoberg, SKF Condition Monitoring Center Lulea

Introduction

What is the purpose of a firewall?

Just as a brick wall can create a physical barrier, a firewall creates a barrier between the Internet and your computer, see Figure 1. A firewall is software that controls the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a rule set. A firewall isn't the same thing as an antivirus program. To help protect your computer, you need both a firewall and antivirus software.

[Figure 1 (labels: Your computer, Your firewall, Internet). A firewall creates a barrier between the Internet, and the SKF Multilog IMx network and your computer.]

NOTE: In this application note the Windows 7 (64 bit) firewall is used in the explained examples. If a different firewall is used, the identification number of the incoming and outgoing ports may be different.

If you are currently operating with a firewall, you have most likely noticed that when you load certain programs on your computer, or when you start certain programs, you receive a warning from the firewall software indicating an attempt by a program to establish an outbound connection. Most legitimate programs can be configured automatically by the firewall to allow program updates and other routine tasks. However, the firewall is designed to restrict access to a network by selectively allowing or blocking inbound and outbound traffic to the network. For some applications or equipment, the firewall needs manual configuration.

NOTE: For the SKF Multilog IMx / SKF @ptitude Observer and SKF @ptitude Analyst on-line systems it is required to check the configuration of the firewall to ensure correct operation. See Figure 7 and Table 1.

A firewall can also help to prevent hackers or malicious software (such as worms) from gaining access to your computer through a network or the Internet. A firewall can also help stop your computer from sending malicious software to other computers. Always be careful when configuring your firewall for the SKF @ptitude Observer and SKF @ptitude Analyst on-line system, as it is possible to accidentally block access to a required resource, which may cause a program to no longer work correctly.

NOTE: Always refer to a qualified technician if you are in doubt about whether you are making the right choice regarding how much access you grant or deny a software, port etc. For example, a port can be configured as an incoming or outgoing port.

What is the purpose of Time Synchronization?

Automatic time synchronization synchronizes all the clocks in the system, thereby assuring that the stored measurements have the correct time stamp. If the user needs to check an alarm, the user needs to be sure that the time of the alarm is correct. Automatic time synchronization has to be activated on the SKF @ptitude Observer Monitor Service and SKF @ptitude Analyst IMx Service computers, since the SKF Multilog IMx devices synchronize the time with the computer where the SKF @ptitude Observer Monitor Service and SKF @ptitude Analyst IMx Service is installed and running, see Figure 2. For the synchronisation, the SKF Multilog IMx device uses a built-in function (called NTP) in Windows for time synchronization.

Note! If a firewall is used, some ports need to be opened in the firewall to have functional time synchronization.

In many cases the SKF @ptitude Observer Monitor Service and SKF @ptitude Analyst IMx Service computers also include the:
SKF @ptitude Observer or SKF @ptitude Analyst software
SKF @ptitude Observer Monitor Service or SKF @ptitude Analyst IMx Service
SQL or Oracle Server Database

Content
1 Time synchronization
2 Procedure for configuration of Services and Ports in the Microsoft Windows 7 firewall
3 How to create a new rule for the outgoing Port UDP 123 (time synchronization) in the Windows firewall on the WindCon/SKF Multilog IMx side in Figure 7
4 Examples of configuring the Ports Time synchronization on (UDP Port 123) and Storage of data on the (TCP Port 1000)

The SKF Multilog IMx device will automatically synchronize the time with the computer that has the SKF @ptitude Observer Monitor Service or SKF @ptitude Analyst IMx Service installed and running.

[Figure 2 labels:
Flow of data: a continuous flow of measurement data from the SKF Multilog IMx on-line system via the SKF @ptitude Observer Monitor Service, or via the SKF @ptitude Analyst IMx Service.
The computer where the SKF @ptitude Observer Monitor Service or the SKF @ptitude Analyst IMx Service is running: the reference time for the SKF Multilog IMx on-line system is set by the clock of this computer.]

Figure 2. The SKF Multilog On-line System IMx unit will automatically synchronize the time with the SKF @ptitude Observer Monitor Service or the SKF @ptitude Analyst IMx Service.

Procedures

1) Time Synchronization

NOTE: Time synchronization is only configured on the computer where the SKF @ptitude Observer Monitor Service or SKF @ptitude Analyst IMx Service is running.

The time of the computer where the SKF @ptitude Observer Monitor Service or the SKF @ptitude Analyst IMx Service is running is the reference time for the SKF Multilog IMx on-line system, see Figure 2. The SKF Multilog IMx device uses a built-in function in Windows for time synchronization. The time synchronization maintains date and time synchronization on all clients and servers in the SKF Multilog IMx network. Time synchronization is done by the NTP service on the Port UDP 123. This port is dedicated to time synchronization between the SKF Multilog IMx devices and the computer where the SKF @ptitude Observer Monitor Service or the SKF @ptitude Analyst IMx Service is running.

NOTE: In a wired network, the Network Time Protocol (NTP) for time synchronization is the most common one in the industry.

When the SKF @ptitude Observer Monitor Service or the SKF @ptitude Analyst IMx Service computer synchronizes with the SKF Multilog IMx unit, the synchronization is done by sending a UDP (User Datagram Protocol) packet requesting time information. The SKF @ptitude Observer Monitor Service or SKF @ptitude Analyst IMx Service will then return this information.

NOTE: If this service is stopped, date and time synchronization will be unavailable, and any services that explicitly depend on it will fail to start.

In order to activate time synchronization, follow the working procedure A to D as follows.

A. Open Port UDP 123 in the firewall: This procedure is explained in detail in this application note. This can be done a bit differently, depending on your operating system and any external firewalls. In this case the firewall in Windows 7 (64 bit) is used.

B. Double click on the file EnableTimeSync.reg in the folder Extra\TimeSync on the SKF @ptitude Observer DVD or in the folder Tools\ IMx\NTP Server on the SKF @ptitude Observer DVD. This will enter information in the registry to enable the service time synchronization on the SKF @ptitude Observer Monitor Service or the SKF @ptitude Analyst IMx Service computer.

C. Go to Services by typing "services" in Figure 3, and check that the Windows Time service startup method is set to Automatic and started, see Figure 5. If this is not the case, double click on "Windows Time" to open the Windows Time Properties in Figure 6, and set the parameter Startup type to Automatic. Then start the service by pressing the Start button in Figure 6 marked with a black box. Double click on the file EnableTimeSync.reg in the folder Extra\TimeSync on the SKF @ptitude Observer DVD. This will enter information in the registry to enable the service time synchronization on the SKF @ptitude Observer Monitor Service or the SKF @ptitude Analyst IMx Service computer.

D. Stop and start the Windows Time service to make this change take effect, see Figure 5.

NOTE: Time synchronization is done by NTP on the Port UDP 123, see Figure 7. This port is dedicated to this working task (more information about the NTP can be found in the following and on the website: http://en.wikipedia.org/wiki/list_of_tcp_and_udp_port_numbers).

Type "services" in the search field in Figure 3, and then select "Services" in Figure 4.

Figure 3. How to find "Services" in Microsoft Windows.

Figure 4. Selecting "Services".

[Figure 5 labels: Stop and Start buttons; Windows Time; select Startup type: Automatic for Windows Time.]

Figure 5. The Windows Time is started in Services.

[Figure 6 labels:
Description: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Set Startup type to Automatic.
Make sure that the Service status is set to Started. This is done by pressing the "Start" button.]

Figure 6. The settings for the Port UDP 123 in the Windows Time Properties window.

2) Procedure for the configuration of Services and Ports in the Microsoft Windows 7 firewall

Figure 7 shows an example of the flow of measurement data, and the ports that need to be opened in the firewalls for the on-line system SKF Multilog IMx / SKF @ptitude Observer or SKF @ptitude Analyst, to store measurement data, to view live and historical data, and to do configuration changes.

[Figure 7 labels:
SKF @ptitude Observer / SKF @ptitude Analyst users: outgoing ports 1000 and 1433.
Port 1000: live data and SKF @ptitude Observer configuration changes.
Port 1433: view historical data in SKF @ptitude Observer (database in the server area).
WindCon/IMx: outgoing ports 1000 (store data) and 123 (UDP, time sync). The WindCon/IMx unit initiates the communication on Port 1000.
SKF @ptitude Observer Monitor Service or SKF @ptitude Analyst IMx Service: incoming ports.]

Figure 7. Ports that need to be opened in the firewalls for the SKF Multilog IMx / SKF @ptitude Observer / SKF @ptitude Analyst online system to work properly.

Table 1 shows a summary of how to configure the ports for all the firewalls in Figure 7, for the User / Client, SKF Multilog IMx and the SKF @ptitude Observer Monitor Service / SKF @ptitude Analyst IMx Service computers.

Table 1. How to configure the ports for all the firewalls in Figure 7 including client, SKF Multilog IMx and the SKF @ptitude Observer Monitor Service / SKF @ptitude IMx Service computers.

Hardware / Software:
Ports      | SKF Multilog IMx unit (Outgoing) | SKF @ptitude Observer User / Client (Outgoing) | Database / SKF @ptitude Observer Monitor (Incoming)
Port 1000  | X                                | X                                              | X
Port 1433  |                                  | X                                              | X
UDP 123    | X                                |                                                | X

The following points describe what kind of working tasks the ports have in the firewalls in Figure 7.

Ports

Port 1000: The SKF Multilog IMx device initiates the communication to the SKF @ptitude Observer Monitor Service or the SKF @ptitude Analyst IMx Service on the Port TCP 1000 for storage of measurement data. The SKF @ptitude Observer Monitor and SKF @ptitude Analyst IMx services also connect on Port TCP 1000 when the user would like to view live data and to do configuration changes.

Port 1433: SKF @ptitude Observer Monitor Service communicates with the database on Port 1433. The Port 1433 on the computer where the database is located needs to be open for viewing of historical data in SKF @ptitude Observer and SKF @ptitude Analyst.

Port UDP 123: Figures 8 to 15 show how to create a new rule for the Port UDP 123 for time synchronization in the firewall on the SKF Multilog IMx side.

NOTE: It is important that the ports have been opened in the firewall, and that they are configured correctly with regard to whether the port is an incoming or an outgoing port.

3) How to create a new rule for the outgoing (i.e. outbound rule) Port UDP 123 (time synchronization) in the Windows firewall on the SKF Multilog IMx side in Figure 7

Examples are shown in Figures 8 to 15 on how to create a new Outbound (Outgoing) rule for the Port UDP 123, which is located in the firewall on the WindCon/IMx side marked with a green line. To open the Windows Firewall with Advanced Security, go to Control Panel/All Control Panel Items/Windows firewall and select Advanced settings in Figure 8. The Windows Firewall with Advanced Security in Figure 9 will be opened. Then right click on the Outbound Rules and select the option New rule in the drop down list in Figure 9, to open the window in Figure 10.

Figure 8. Select "Advanced settings".

Figure 9. Creating a new rule for the outgoing port UDP 123 for time synchronisation (select Outbound rules / New rule).

Outbound rules

The Port TCP 1000 needs to be opened in the firewalls for communication between the SKF Multilog IMx device and the SKF @ptitude Observer Monitor Service and the SKF @ptitude Analyst IMx Service Manager, as well as between the User side, to be able to view live data from the SKF Multilog IMx device.

The Port UDP 123 for time synchronization (Time synch) needs to be opened in the firewall where the SKF Multilog IMx device is installed, to be able to connect with the SKF @ptitude Observer Monitor Server or SKF @ptitude Analyst IMx service located at the Server area.

Select the option Port. This rule type controls the connection for a UDP port.

Figure 10. Rule type: select the option Port.

In total there are five steps to create a new firewall rule for the Port UDP 123, see Figure 10 and Table 2.

Table 2. The five steps to create a UDP port.

Rule type: What type of rule would you like to create?
Protocol and Ports: Does this rule apply to TCP or UDP? Does this rule apply to all remote ports or a specific port?
Action: What action should be taken when a connection matches the specified conditions? Allow the connection; Allow the connection if it is secure; Block the connection.
Profile: When does this rule apply? Domain, Private or Public?
The name of the Port: Specify name and description of this rule!

Figure 11. Protocol and Ports: select "UDP", Port UDP 123.

Allow the connection: This includes connections that are protected with IPsec, i.e. IP securities, as well as those that are not.

Figure 12. Action: Allow the connection.

Domain: Applies when a computer is connected to its corporate domain.
Private: Applies when a computer is connected to a private network location.
Public: Applies when a computer is connected to a public network location.

Figure 13. Profile: select the option Private.

Name: Time synch (UDP 123).
Description: Automatic time synchronization shall be activated, since the SKF Multilog IMx will then automatically synchronize the time with the computer that has the SKF @ptitude Observer Monitor Service or the SKF @ptitude Analyst IMx Service running.

Figure 14. Name: specify a name and a description of the rule.

Figure 15. The recently created Port 123 (UDP) has now been added to the Outbound Rules in the Windows Firewall.

4) Configuring the Ports Time synchronization on (UDP Port 123) and Storage of data on the (TCP Port 1000)

In Figures 16 and 17 some more details are shown for Time synchronization on the tabs General and Protocols and Ports. Figures 18 and 19 show some details on the tabs General and Protocols and Ports, for the storage of data in the database via Port 1000. If you have questions concerning the firewall in Windows 7, consult the Windows Firewall Help Manual by pressing the Help button in Figure 15. The window for the Help manual will then be opened in Figure 20.

UDP Port 123: Allow traffic to a device outside the Server computer!

Figure 16. Time synch / General tab.

Figure 17. Time synch / Protocol and Ports tab.

TCP Port 1000: Allow traffic to a device outside the Server computer!

Figure 18. Port 1000 / General tab.

Figure 19. Port 1000 / Protocol and Ports tab.

Figure 20. The Windows Firewall Help manual (Firewall Rule Properties Page).
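The rules summarized in Table 1, including the outbound "Time synch (UDP 123)" rule built in Figures 8 to 15, can also be created from the command line with netsh advfirewall, followed by the Windows Time service check from steps C and D. The script below is an added example, not part of the SKF application note; the role names, every rule name except "Time synch (UDP 123)", the -PeerAddress parameter and the script file name are assumptions.

```powershell
# Added example (not SKF code). Run from an elevated PowerShell prompt, e.g.:
#   .\Set-ImxFirewall.ps1 -Role IMxSide -PeerAddress <address of the Monitor Service computer>
# Assumed, not from the application note: the script name, the -Role names,
# every rule name except "Time synch (UDP 123)", and the -PeerAddress scoping.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('IMxSide', 'Client', 'Server')]
    [string]$Role,
    # 'any' reproduces the wizard result; an address narrows the rule to one peer.
    [string]$PeerAddress = 'any'
)

# Port plan from Table 1: outgoing on the IMx and client sides, incoming on the server.
$plan = @{
    IMxSide = @(
        @{ Name = 'Time synch (UDP 123)';          Dir = 'out'; Proto = 'UDP'; Port = 123 },
        @{ Name = 'IMx store data (TCP 1000)';     Dir = 'out'; Proto = 'TCP'; Port = 1000 })
    Client  = @(
        @{ Name = 'Observer live data (TCP 1000)'; Dir = 'out'; Proto = 'TCP'; Port = 1000 },
        @{ Name = 'Observer database (TCP 1433)';  Dir = 'out'; Proto = 'TCP'; Port = 1433 })
    Server  = @(
        @{ Name = 'Time synch in (UDP 123)';       Dir = 'in';  Proto = 'UDP'; Port = 123 },
        @{ Name = 'IMx data in (TCP 1000)';        Dir = 'in';  Proto = 'TCP'; Port = 1000 },
        @{ Name = 'Database in (TCP 1433)';        Dir = 'in';  Proto = 'TCP'; Port = 1433 })
}

function Add-PortRule($rule) {
    # netsh returns a non-zero exit code when no rule has this name,
    # so an existing rule is left alone and the script can be re-run.
    & netsh advfirewall firewall show rule "name=$($rule.Name)" | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Host "exists : $($rule.Name)"; return }

    # Outbound rules match the remote port, inbound rules the local port.
    if ($rule.Dir -eq 'out') { $portArg = "remoteport=$($rule.Port)" }
    else                     { $portArg = "localport=$($rule.Port)" }

    # profile=private follows the choice shown in Figure 13.
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule',
                   "name=$($rule.Name)", "dir=$($rule.Dir)", 'action=allow',
                   "protocol=$($rule.Proto)", $portArg,
                   "remoteip=$PeerAddress", 'profile=private')
    & netsh $netshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for rule '$($rule.Name)'" }
    Write-Host "created: $($rule.Name)"
}

foreach ($rule in $plan[$Role]) { Add-PortRule $rule }

if ($Role -eq 'Server') {
    # Step C: the Windows Time service must be set to Automatic and started.
    $svc = Get-WmiObject Win32_Service -Filter "Name='W32Time'"
    if ($svc.StartMode -ne 'Auto') { Set-Service W32Time -StartupType Automatic }

    # Step D: stop and start the service (a stopped service is simply started).
    Restart-Service W32Time

    $svc = Get-WmiObject Win32_Service -Filter "Name='W32Time'"
    Write-Host "W32Time: StartMode=$($svc.StartMode) State=$($svc.State)"
    & w32tm /query /status
}
```

Windows Firewall allows outbound connections by default, so the outbound rules only change behaviour on machines where the outbound policy of the profile has been set to Block. Passing a specific -PeerAddress keeps ports 123, 1000 and 1433 open only towards the machine that needs them.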

More facts about TCP and UDP Ports

As you know, every computer or device on the Internet must have a unique number assigned to it, called the IP address. This IP address is used to recognize your particular computer out of the millions of other computers connected to the Internet. When information is sent over the Internet to your computer, how does your computer accept that information? It accepts that information by using TCP or UDP ports.

An easy way to understand ports is to imagine your IP address is a cable box and the ports are the different channels on that cable box. The cable company knows how to send cable to your cable box based upon a unique serial number associated with that box (IP address), and then you receive the individual shows on different channels (ports). Ports work the same way. You have an IP address, and then many ports on that IP address. When I say many, I mean many. You can have a total of 65,535 TCP ports and another 65,535 UDP ports.

When a program on your computer sends or receives data over the Internet, it sends that data to an IP address and a specific port on the remote computer, and receives the data on a usually random port on its own computer. If it uses the TCP protocol to send and receive the data, then it will connect and bind itself to a TCP port. If it uses the UDP protocol to send and receive data, it will use a UDP port. Note that once an application binds itself to a particular port, that port cannot be used by any other application.

NOTE: The rule is first come, first served!

The Power of Knowledge Engineering

Combining products, people, and application-specific knowledge, SKF delivers innovative solutions to equipment manufacturers and production facilities in every major industry worldwide. Having expertise in multiple competence areas supports SKF Life Cycle Management, a proven approach to improving equipment reliability, optimizing operational and energy efficiency and reducing total cost of ownership. These competence areas include bearings and units, seals, lubrication systems, mechatronics, and a wide range of services, from 3-D computer modelling to cloud-based condition monitoring and asset management services. SKF's global footprint provides SKF customers with uniform quality standards and worldwide product availability. Our local presence provides direct access to the experience, knowledge and ingenuity of SKF people.

SKF BeyondZero is more than our climate strategy for a sustainable environment: it is our mantra; a way of thinking, innovating and acting. For us, SKF BeyondZero means that we will reduce the negative environmental impact from our own operations and at the same time, increase the positive environmental contribution by offering our customers the SKF BeyondZero portfolio of products and services with enhanced environmental performance characteristics. For inclusion in the SKF BeyondZero portfolio, a product, service or solution must deliver significant environmental benefits without serious environmental trade-offs.

Please contact:
SKF Condition Monitoring Center Luleå
Aurorum 30
SE-977 75 Luleå
Sweden
Tel: +46 (0)31 337 1000
Fax: +46 (0)920 134 40
Web: www.skf.com

SKF, @PTITUDE and MULTILOG are registered trademarks of the SKF Group. All other trademarks are the property of their respective owners.

SKF Group 2014
The contents of this publication are the copyright of the publisher and may not be reproduced (even extracts) unless prior written permission is granted. Every care has been taken to ensure the accuracy of the information contained in this publication but no liability can be accepted for any loss or damage whether direct, indirect or consequential arising out of the use of the information contained herein.

PUB CM3200 EN October 2014
skf.com