Connect an OPC DA client

An OPC DA server is identified on a machine by its OPC Server ID. Both the NETx BMS Platform and the NETx MP Server report as 

NETxBMSCoreServer40

Typically, an OPC client application provides means for server discovery in the network and/or manual connection configuration.

The NETx Server is able to handle multiple OPC client connections at the same time in an independent way. Each connect or disconnect request of an OPC client is logged in the server log.

DCOM configuration

Starting with June 8, 2021, Microsoft has hardened the security changes of DCOM. While these changes can be disabled in the Windows registry, they will become mandatory at March 14, 2023 – disabling it is not possible anymore. However, the products of NETxAutomation are not affected. Using this article, OPC DA communication via DCOM is still working.

In case of an OPC DA connection through the network, make sure to configure DCOM accordingly.

In order to enable an OPC DA 2.05a communication between an OPC server and one or more OPC clients, different configuration steps are necessary. This includes a change of the Windows Firewall settings as well as the configuration of the Windows DCOM system and its security policy. This article shall act as a tutorial for configuring a remote OPC DA 2.05a connection.

Configuring Windows DCOM can be complex and time consuming. In addition, OPC DA communication may not be possible at all if, for example, the OPC server and the OPC clients are not in the same LAN. Therefore, NETxAutomation Software GmbH provides a solution called NETx Tunneller. The NETx Tunneller is a software tool that tunnels the OPC communication through a VNET connection. VNET is a proprietary protocol provided by NETxAutomation Software GmbH. VNET is based on a TCP/IP connection and thus a time consuming Windows DCOM configuration is not necessary. More information about the NETx Tunneller can be found /wiki/spaces/PLATFORM/pages/1533247489.

This documentation shows the necessary configuration steps for setting up such a remote OPC DA 2.05a connection. The remote OPC client that shall connect to the NETx Server can be an OPC DA 2.05a client from any vendor. For the rest of this article, a remote OPC DA 2.05a client is simply referred to as OPC client.

As OPC client, clients that support OPC DA 3.0 can be used too, since these clients are backward compatible to OPC DA 2.05a.

In addition, it is assumed that the NETx Server and the OPC client are running under one of the following operating systems:

  • Windows 11

  • Windows 10

  • Windows Server 2022

  • Windows Server 2019

  • Windows Server 2016

Although the following operating systems are not support anymore, this article is applicable to them:

  • Windows 7

  • Windows 8

  • Windows 8.1

  • Windows Server 2008 R2

  • Windows Server 2012

  • Windows Server 2012 R2

Please keep in mind that this documentation shall only act as an example of how an OPC connection can be established. It is not guaranteed that this documentation is complete and that the described configuration steps fulfill the safety and security requirements of the IT infrastructure where it is applied. Changes to configuration settings could result in insufficient safety and security. Therefore, any change has to be reviewed and approved by the local system/security administrator.

In order to enable an OPC communication between an OPC server and one or more OPC clients, the following
steps are necessary:

  • Configuring the Windows Firewall

  • Changing the local security policy

  • Setting up a user

  • Configuring Windows DCOM

Windows Firewall Configuration

In order to permit OPC communication, the Windows Firewall has to be configured accordingly. This section described the necessary steps that have to be performed.

Allow DCOM communication from other computers

These steps have to be performed at both sides – at the OPC server and at the OPC client side.

By default, Windows blocks inbound DCOM connections from other computers. Therefore, the following steps have to be performed:

Open the Windows Firewall configuration dialogue (Control panel –> System and Security –> Windows Firewall) and select “Advanced settings” at the left hand side of the dialogue. The following dialogue appears:

Select “Inbound Rules” and enable the all rules that are named “Windows Management Instrumentation (DCOM-In)”.

Depending on the operating system and the used configuration, one or more DCOM-In rules can exist. If one rules exists, create two inbound rules to allow TCP port 135 and UDP port 135.

Creating a rule for OPC Enum

These steps have to be performed at the OPC server side only.

An inbound rule for the OPC Enum process has to be added. On the top left corner, select "‘Inbound rules ..."’. Afterwards, click “New Rule ...” at the top right corner. Within the dialog, select “Program” as rule type:

In the next step, select the executable file of the OPC Enum process . It is located at:

  • 32 bit operating system: C:\Windows\System32\OpcEnum.exe

  • 64 bit operating system: C:\Windows\SysWOW64\OpcEnum.exe

Next, select “Allow the connection”.

As next step, select the network profile(s) for which the rule shall be active.

Finally, specify a name for the rule (e.g. “OPC Enum”).

After having confirmed the last step, a new rule is created and activated immediately.

Creating a rule for the NETx Server

These steps have to be performed at the OPC server side only.

It is required to permit communication to the NETx Server. The setup of the NETx Server is creating a corresponding firewall rule automatically. For the NETx BMS Platform this rule is called “NETx BMS Platform Core Server” – for the NETx MP Server it is called “NETx MP Core Server”. If the corresponding rule is not listed, create a new one by performing the same steps as described above. As program path, the executable of the NETx Server has to be specified. If the default installation directories are used, the executable of the NETx Server can be found here:

  • NETx BMS Platform:

    • 32 bit operating system: C:\Program Files\NETxAutomation\BMS Platform\Core\NETxBMSCoreServer40.exe

    • 64 bit operating system: C:\Program Files (x86)\NETxAutomation\BMS Platform\Core\NETxBMSCoreServer40.exe

  • NETx MP Server:

    • 32 bit operating system: C:\Program Files\NETxAutomation\MP Server\Core\NETxBMSCoreServer40.exe

    • 64 bit operating system: C:\Program Files (x86)\NETxAutomation\MP Server\Core\NETxBMSCoreServer40.exe

The rule that is automatically added by the setup is activated for the network profiles “Private” and “Domain” only. If the connected network is defined as “Public”, the rules has to be changed accordingly.

Creating a rule for the OPC client

These steps have to be performed at the OPC client side only.

It is also required to permit communication to the OPC client. Create a corresponding firewall rule by performing the same steps as for the server rule.

Changing the local security policy

These steps have to be performed at both sides – at the OPC server and at the OPC client side.

In order to allow OPC communication, the local security policy has to be changed. Open the configuration dialogue (“Control panel → System and Security → Administrative Tools → Local Security Policy”) and navigate to “Security Settings → Local Policies → Security Options” and enable the option “Network access: Let Everyone permissions apply to anonymous users”.

User settings

To be able to establish an OPC connection between a NETx Server and an OPC client, the user management must be configured accordingly. In general, it is necessary that both PCs must have at least one common Windows user. This Windows user must use the same user name and password and it must have local administrator rights at both machines. The NETx Server process does not need to run under the common user. It can be run under the user “SYSTEM” (default for NETx Servers) or any user that has administrator rights. However, the OPC client itself must run under the common user – otherwise the OPC communication will not work. Depending on the used environment, the following configuration steps may be possible:

Both machines are member of the same Windows domain

Since both machines are member of the same Windows domain, they are using the same user database. This means any domain user can be used as common user. However, the common user must have local administrator rights at both machines. To add local administrator rights, open the Computer Management dialogue (“Control Panel → System and Security → Administrative Tools”) and select “Computer Management → System Tools → Local Users and Groups → Groups”. Double click “Administrators” and add the common user to the local administrator group.

Both machines are member of different Windows domains

If both machines are member of different domains, trust must be established on both domain controllers. This means that the users of domain A must be trusted by domain B and vice versa. More information about setting up trusts between domains can be found in the Microsoft Windows Server documentation. In addition, local administrator rights must be given to the common user at both machines. This can be done by using the same steps as shown above.

Both machines are not member of a Windows domain

If both machines are not member of a Windows domain, a common user has to be created on both machines. This user must have exactly the same user name and the same password at both machines. In addition, the user must have administrator rights on both machines.

DCOM configuration

The DCOM configuration at the NETx Server side consists of three steps:

  • Configure default DCOM settings

  • Configure DCOM settings of OPC Enum

  • Configure DCOM settings of NETx Server

Configure default DCOM settings

First, the general DCOM settings have to be changed. Within the DCOM configuration dialogue, right click at “My Computer”, select “Properties”, and change to the tab “Default Properties”. Within this tab, ensure that the “Authentication Level” is set to “None”.

Then, the limits of the DCOM security settings have to be changed. Change to the tab “COM Security”.

Within “Access Permissions”, press the button “Edit limits” and change the permissions of “Everyone” and “ANONYMOUS LOGON” according to the following figures:

Then, close the dialogue and press the button “Edit limits” within “Launch and Activation Permissions”. Change the permissions of “Everyone” and “Administrators” according to the following figures:

Afterwards, the changes have to be confirmed by pressing the “OK” button.

Configure DCOM settings of OPC Enum

As next, the DCOM security settings of the OPC Enum process have to changed. Within the DCOM configuration dialogue, open the tree “DCOM Config” and locate the entry “OPC Enum”. Right click at the entry, select “Properties”, and change to the tab “General”. Within this tab, ensure that the “Authentication Level” is set to “None”.

Then, change to the tab “Security”. Within the “Launch and Activation Permissions”, select “Customize” and press the “Edit” button. Change the permissions of “Everyone” and “Administrators” according to following figures:

Close the dialogue again. Within the “Access Permissions”, select “Customize” and press the “Edit” button. Change the permissions of “Everyone”. Afterwards, close the dialogue. Within the “Configuration Permissions”, select “Customize” and press the “Edit” button. Change the permissions of “Administrators”.


The DCOM configuration of the OPC Enum process is finished now and the dialogue can be closed again.

Configure DCOM settings of NETx Server

Usually, changing the DCOM configuration for a NETx Server is not necessary since the DCOM setting are automatically created during the installation process of the NETx Server. However, if the OPC connection between the OPC client and the NETx Server is not working, it is recommended to verify whether the DCOM settings are correct.

The required DCOM configuration for a NETx Server is identical to the settings of the OPC Enum process. To verify them, open the tree “DCOM Config” within the DCOM settings dialogue and locate the entry “NETxBMSCoreServer40” for the NETx Server.

After the correct entry has been found, apply the same configuration steps as described for OPC Enum.

DCOM configuration at the OPC client side

The DCOM configuration of the OPC client side is easier than at the NETx Server side, since only the default DCOM settings have to be changed. The required default DCOM settings at the client side are identical to the settings at the NETx Server side. Therefore, open the DCOM configuration dialogue and apply the same settings as described above.