I/A Series® System

RemoteWatch
I/A Series Data
Acquisition System
(DAS) V3.2
Installation and
Configuration

B0860AY

Rev A
August 30, 2012
Invensys, Foxboro, I/A Series, and the Invensys logo are trademarks of Invensys plc, its subsidiaries, and
affiliates.
All other brand names may be trademarks of their respective owners.

Copyright 2012 Invensys Systems, Inc.

All rights reserved

SOFTWARE LICENSE AND COPYRIGHT INFORMATION

Before using the Invensys Systems, Inc. supplied software supported by this documentation, you
should read and understand the following information concerning copyrighted software.
1. The license provisions in the software license for your system govern your obligations
and usage rights to the software described in this documentation. If any portion of
those license provisions is violated, Invensys Systems, Inc. will no longer provide you
with support services and assumes no further responsibilities for your system or its
operation.
2. All software issued by Invensys Systems, Inc. and copies of the software that you are
specifically permitted to make, are protected in accordance with Federal copyright
laws. It is illegal to make copies of any software media provided to you by
Invensys Systems, Inc. for any purpose other than those purposes mentioned in the
software license.
Contents
Figures..................................................................................................................................... v

Preface................................................................................................................................... vii
Revision Information .............................................................................................................. vii
Reference Documents ............................................................................................................. vii
Glossary of Terms ................................................................................................................... vii

1. 70 Series DAS Installation for I/A Series Workstations ..................................................... 1

I/A Series (70 Series) DAS Installation ...................................................................................... 1
Installation Prerequisites ....................................................................................................... 1
I/A Series Software V8.8 with Security Enhancements Installation Prerequisite .................... 1
RW_DasExec_Pkg Software Installation .............................................................................. 2
Verify the RemoteWatch Mailbox ............................................................................................. 9
Rules for Assigning RemoteWatch Mailbox Stations ............................................................ 9
Verification for Assigned RemoteWatch Mailbox Stations .................................................... 9
Modify RemoteWatch Mailbox Stations Assignment ......................................................... 10
I/A Series Software V8.5, V8.6, V8.7 and V8.8 Verification ................................................... 10
Verify Installation ............................................................................................................... 10
Uninstall Notes .................................................................................................................. 10

2. Verify the FIST Host....................................................................................................... 13

3. Verify Data Transfer to the RemoteWatch Server ........................................................... 15

I/A Series DAS Software for 70 Series Stations ........................................................................ 15

Appendix A. I/A Series Secure Environment Remote Watch Server Communications Setup 17
Enable/IP Configure Second Network Interface ...................................................................... 17
I/A DAS Mailbox Station and RW Server Not Connected to the Same Subnet ....................... 17
Add HIPS Firewall Rule .......................................................................................................... 18

Index .................................................................................................................................... 27

iii
B0860AY – Rev A Contents

iv
Figures
1-1. RemoteWatch I/A Series Installer Account .................................................................... 3
1-2. RemoteWatch I/A Series Installer Account - New Name ............................................... 3
1-3. RemoteWatch Server’s IP Address Dialog Box .............................................................. 4
1-4. IP Address Confirmation Dialog Box ............................................................................ 4
1-5. Invensys DAS Install Options Dialog Box ..................................................................... 5
1-6. RemoteWatch I/A Series Services Account .................................................................... 6
1-7. RemoteWatch RwDasServices Account - New Name .................................................... 6
1-8. RemoteWatch RwDasService Account - Password ........................................................ 7
1-9. RemoteWatch I/A Series Services Account Password Prompt -
for Each Station ............................................................................................................ 7
1-10. RemoteWatch Password Confirmation - Subsequent Installations ................................ 8
1-11. Command Window Displaying Installation Messages ................................................... 8
3-1. Certificate Error: Navigation Blocked Screen .............................................................. 19
3-2. Log In - McAfee EPolicy Orchestrator Administrator Account ................................... 19
3-3. Select Product - Host Intrusion Prevention 7.0.4 Firewall ........................................... 20
3-4. Add Rule - Invensys Firewall Rules ............................................................................. 21
3-5. Define Rule - Invensys Fire Wall ................................................................................. 22
3-6. Select I/A Series Stations to Receive the New RW DAS Rule ...................................... 23
3-7. Select Wake up Agents - More Actions Menu ............................................................. 24
3-8. Accept Defaults - Wake Up McAfee Agent Screen ...................................................... 25
3-9. Close - ePolicy Orchestrator Web Page ....................................................................... 26

v
B0860AY – Rev A Figures

vi
Preface
This document provides the details required to install the RemoteWatch (RW) Data Acquisition
System (DAS) V3.2 on workstations with I/A Series® software V8.5, V8.6, V8.7 and V8.8. For
operational details of the 70 Series RW DAS, refer to the RemoteWatch User’s Guide (B0860AJ).
The 70 Series RW DAS V3.2 is supported for I/A Series software V8.5, V8.6, V8.7 and V8.8.
The 70 Series RW DAS software may be installed system wide from a single 70 Series worksta-
tion. Based on the installation option chosen, the software installation can propagate the 70 Series
RW DAS software to the other 70 Series workstations on the I/A Series system.
The installation procedures for 70 Series workstations includes the following:
 Executing the software installation procedure
 Validating the Mailbox and FIST station designation
 Testing the installation

Revision Information
This is the initial release of the document.

Reference Documents
In addition to the information presented herein, you should be familiar with the following
I/A Series® documents:
 RemoteWatch Server Software Version 3.1 Installation Guide (B0860AS)
 Station Access Manager User's Guide (B0860AF)
 RemoteWatch Server Version3.1 Upgrade (B0860AR)
 RemoteWatch User’s Guide (B0860AJ)
 RemoteWatch Version 3.2 Release Notes (B0860RF)
Most are available on the I/A Series RemoteWatch Electronic Documentation CD-ROM
(CG500EL). The latest revisions may also be available through the Invensys Operations Manage-
ment Global Customer Support Center at http://support.ips.invensys.com.

Glossary of Terms
The following terminology, used throughout this user’s guide, relates to the RemoteWatch V3.1
and V3.2 software and associated equipment.

RemoteWatch RemoteWatch is a service that provides a diagnostic and dispatch interface

for Distributed Control System resource usage issues. This service allows
Invensys Operations Management engineers to remotely troubleshoot
issues before they become more serious problems. In addition, Remote-
Watch provides the capability for end-users to view and report DCS infor-

vii
B0860AY – Rev A Preface

mation and resource usage, as well as the ability to download additional

files to be deployed on your RemoteWatch Server.

RemoteWatch The RemoteWatch Server is the central point of control for the Remote-
Server Watch system at your site. The RemoteWatch Server collects data from an
I/A Series system, which are then historized and transferred to the Global
Customer Support Center where RemoteWatch engineers can monitor the
health of the system.
The RemoteWatch Server also provides a connection between IPS and
your site that allows Invensys experts to remotely view and troubleshoot
issues from the Global Customer Support Center. Using the remote con-
nection, it is possible navigate through an I/A Series system to determine
and fix the source of the problem and before it is allowed to escalate.

RW_DasExec RW_DasExec is a Windows® based Service Application that runs in the

background on 70 Series workstations with I/A Series software V8.5,
V8.6, V8.7 and V8.8. This service is responsible for executing the data
gathering probe scripts used by the DAS system.

RW_WinExec
RW_WinExec is a Windows® based Service Application that runs in the
background on 70 Series workstations with I/A Series software V8.5,
V8.6, and V8.7. This service is responsible for executing the data gather-
ing probe scripts used by the DAS system.

RW_WinExec_Service
RW_WinExec_Service is a Windows based Service Application that runs
in the background on pre I/A Series V8.5 workstations (70 Series). This
service is responsible for executing the data gathering probe scripts used by
the DAS system.

viii
1. 70 Series DAS Installation for
I/A Series Workstations
This chapter describes how to install the 70 Series RemoteWatch Data Acquisition System
(70_Series_RW_DAS) on 70 Series workstations with I/A Series V8.5, V8.6, V8.7 and V8.8
software.
The 70 Series RW DAS software may be installed system wide (that is, all 70 Series stations on an
instance of The Mesh control network) from a single 70 Series workstation on the system. The
software installation can propagate the 70 Series RW DAS software to the other 70 Series work-
stations on the I/A Series system based on the installation option chosen.

I/A Series (70 Series) DAS Installation

The RW_WinExec_Pkg software (RemoteWatch 3.2) may be installed from a single 70 Series
workstation on The MESH control network. The software will propagate to the rest of the I/A
Series V8.8 workstations (70 Series) based upon the installation option chosen. All secure work-
stations must be installed from a secure workstation using the domain IaInstaller account. All
standard workstations must be installed from a standard workstation using the fox account.

Installation Prerequisites
The following is required before and during the installation procedure.
 The IP address of the RemoteWatch Server
 For a Secure I/A Series System, the IA Installer account name, the IA Services account
name and password
 For a Standard I/A Series System, the fox account password
 The RemoteWatch Server must have RW File Services (IFS) Version 3.1.

I/A Series Software V8.8 with Security Enhancements

Installation Prerequisite
This procedure is ONLY required for an I/A Series V8.8 system with security enhancements.
On the Primary Domain Controller (PDC), perform the following steps to create the Active
Directory user RwDasService, before executing the RW_DasExec_Pkg Software Installation pro-
cedure:
1. Insert the DVD, part number GC500ET, in DVD drive.
2. Open a PowerShell window as administrator. Change the drive letter to the DVD
drive (typically “E:”), and change the directory to:
\70_Series_DAS_88\ActiveDirectoryPDCInstallScript
3. In the PowerShell window, type powershell and press <Enter>.
4. In the PowerShell window, type Set-ExecutionPolicy unrestricted and press
<Enter>.

1
B0860AY – Rev A 1. 70 Series DAS Installation for I/A Series Workstations

5. In the PowerShell window, type DASSetup.bat <UserName> <Password>, where:

 <UserName> - Name of the user account you want to create (in this case,
RwDasService)
 <Password> - Password of corresponding user (in this case, Das4RmtWtch)
Then press <Enter>.
6. Close the PowerShell window.
7. Open a command prompt. In Windows 7 or Windows Server 2008, click the Start
button then click All Programs -> Accessories -> Command Prompt. In the com-
mand prompt, type gpupdate /FORCE and press <Enter>.

RW_DasExec_Pkg Software Installation

Proceed as follows to install the software package:
1. Log in to the proper account for installation as follows:
 For a secure system, enter the IA Installer account
(typically, the name is IAInstaller)
 For a standard system, enter the fox account.
2. Insert the CD-ROM (Part No. CG500EY) into the CD-ROM drive.
3. Open a command window to: E:\70_Series_DAS_88

NOTE
If the Windows Task bar is not accessible, a cmd window can be opened using the
following steps:
a. Open Windows Explorer (Start -> Programs -> Accessories -> Windows
Explorer).
b. Navigate to C:\Windows\System32.
c. For stations with I/A Series V8.5, V8.6 and V8.7, right-click CMD.exe and
select Run as...
For stations with I/A Series V8.8, right-click CMD.exe and select Run as
administrator.
d. When prompted, select The following User from the popup window.
e. From the drop down menu, select FOX. for a standard I/A Series station or
IaInstaller for a secure I/A Series station.
f. Enter the password.
g. Select OK.
CMD will now run as the fox account. You can now execute scripts from this
CMD to install DAS.

2
1. 70 Series DAS Installation for I/A Series Workstations B0860AY – Rev A

NOTE
When the installation runs, the command window will contain lines of text indicat-
ing the steps and some of the instructions that are taking place. For this information
to be more readable, adjust the command window properties to allow a screen buf-
fer width of 200 characters and the height to be at least 300 lines as follows:
a. Right-click on the title bar at the top of the command window and select
Properties.
b. Select the Layout tab and change the Screen Buffer Size Width property to
200.
Change the Screen Buffer Size Height property to 300 or more. A confirmation
dialog appears asking if you want to apply the changes to the current window
only or on the shortcut that started the window. Select one of the choices and
click OK.

4. Execute the script install_70.cmd from the command window.

5. On a secure system, if the installation software detects that the I/A Series Installer
account is not the default of the IAInstaller, the following dialog box appears.

Figure 1-1. RemoteWatch I/A Series Installer Account

a. If the I/A Series Installer account has not been renamed, click No.
Verify that you are logged into the I/A Series Installer account, typically IAIn-
staller.
b. If the I/A Series Installer account has been renamed, click Yes.
The following dialog box appears prompting for the I/A Series Installer account
name. Enter the new name for the I/A Series Installer account. Click OK.

Figure 1-2. RemoteWatch I/A Series Installer Account - New Name

3
B0860AY – Rev A 1. 70 Series DAS Installation for I/A Series Workstations

6. A dialog box appears prompting for the IP Address of the RemoteWatch Server. Enter
the IP Address and click OK.

Figure 1-3. RemoteWatch Server’s IP Address Dialog Box

7. When prompted verify that the RemoteWatch Server IP address is correct and click
Yes.

Figure 1-4. IP Address Confirmation Dialog Box

8. Next a dialog box appears (Figure 1-5) with three choices of installation type. Enter
the number of the desired selection and click OK.
 Select 1 to install on all 70 Series workstations.
 Select 2 to install only on this workstation
 Select 3 to choose one or more stations from a list of stations.
By default, all available stations are displayed in the list. When 3 is selected, Note-
pad executes and displays a file (list) of station letterbugs that are contained in the
System Definition that are connected to the MESH network. Edit the list - only
the letterbugs remaining in the file will have the RW_WinExec software installed.
Save the file, then close the Notepad application. The installation automatically
continues from this point.

4
1. 70 Series DAS Installation for I/A Series Workstations B0860AY – Rev A

Figure 1-5. Invensys DAS Install Options Dialog Box

9. During installation, dialog boxes appear prompting the user to provide the account
password for the station that is being installed.

NOTE
It is important that the correct account password is supplied. The installation pro-
cess relies on the password to make the network connections to the remote station
being installed; the RW_WinExec service application relies on it for proper installa-
tion.

5
B0860AY – Rev A 1. 70 Series DAS Installation for I/A Series Workstations

For a Secure System:

a. For secure systems, prior to entering the account password, you will be prompted
as to whether or not the I/A Series Services account has been renamed.
For stations with I/A Series V8.8, always click Yes.
For stations with I/A Series V8.5, V8.6, V8.7, if the account has been renamed,
click Yes, and if it is not renamed, click No and go to Step b to enter the correct
account password.
For stations with I/A Series V8.8 or if the I/A Series Services account has been
renamed, click Yes. See Figure 1-6.

Figure 1-6. RemoteWatch I/A Series Services Account

For stations with I/A Series V8.8, enter RwDasService as the account name as
shown in Figure 1-7. Click OK. If the IAServices account was renamed, enter the
new name account of the IAService account, and then click OK.

Figure 1-7. RemoteWatch RwDasServices Account - New Name

b. Enter the password and click OK. See Figure 1-8.

6
1. 70 Series DAS Installation for I/A Series Workstations B0860AY – Rev A

Figure 1-8. RemoteWatch RwDasService Account - Password

For a Standard I/A System:

a. Enter the .\fox account password and click OK.

Figure 1-9. RemoteWatch I/A Series Services Account Password Prompt -

for Each Station

b. After the password is entered, a confirmation dialog box (Figure 1-10) appears
with the following question:
Do you want to use this password for all subsequent installa-
tions? (y/n).
 If you respond “Yes”, you are not prompted again to enter the password.
The password entered in the previous step is used for all the workstations
being processed.
 If you respond “No”, the Account Password Prompt dialog box appears for
every workstation being installed.

7
B0860AY – Rev A 1. 70 Series DAS Installation for I/A Series Workstations

Figure 1-10. RemoteWatch Password Confirmation - Subsequent Installations

NOTE
The confirmation dialog box in Figure 1-10 will not reappear again during this
installation session. It only appears after the first password is entered.

10. After the account password is entered, the installation continues and the command
window displays information regarding the various steps being executing. The exam-
ple in Figure 1-11 illustrates three 70 Series stations being installed: MHIST1,
MSRIA1 and MSRIA2. MSRIA1 is off-line.

Figure 1-11. Command Window Displaying Installation Messages

After the DAS installation is executed for all stations, the DAS Mailbox and FIST configuration
files are updated using the bld_mbxCfg.vbs and distribute_mbxCfg.vbs programs. The
bld_mbxCfg.vbs program determines the workstation on the system that is to be used as the
Mailbox station for those workstations that cannot directly access the RemoteWatch Server and
then saves the data to a configuration file mbx_cfg.csv. The distribute_mbxCfg.vbs pro-

8
1. 70 Series DAS Installation for I/A Series Workstations B0860AY – Rev A

gram updates the DasMailbox.txt file on each workstation to the value specified in the
mbx_cfg.csv file.

NOTE
The bld_mbxCfg.vbs and distribute_mbxCfg.vbs portion of the installation takes
the longest time to complete. This is especially true if many of the configured work-
stations are not connected or do not exist. This process can take 10 to 15 minutes or
more.

After the Mailbox is configured, the installation collects system information for every station on
the system. This information consists of: Host Letterbug, System Monitor Letterbug, System
Monitor Name, Station Type, NSAP and MAC Addresses. This process takes several minutes
depending on the number of stations configured (and not connected).
The last step in the installation process is to transfer the collected system information to the
RemoteWatch Server. See the following section “Verify the RemoteWatch Mailbox”.

Verify the RemoteWatch Mailbox

The installation program automatically designates one 70 Series workstation on the node or net-
work as the RemoteWatch Mailbox. The function of the Mailbox station is to send DAS data files
to the RemoteWatch Server for those workstations that can not directly access it.

Rules for Assigning RemoteWatch Mailbox Stations

The following rules pertain to the 70 Series station designated as a Mailbox:
 Automatic Mailbox Designation - The installation program will pick a station and
designate it as the mailbox. The selection must be verified to ensure that it follows the
Mixed Nodes and Nodebus/The MESH rules defined below.
 Mixed Nodes (50 Series and 70 Series Stations) - A 70 Series station cannot send files
to a 50 Series station, and vice versa. On systems containing both types, a Mailbox
must be designated on a 50 Series station for all other 50 Series stations and on a
70 Series station for all other 70 Series stations.
 Nodebus and The MESH network - Systems with both the I/A Series Nodebus and
The MESH networks cannot have a common Mailbox to cover both. RemoteWatch
does not transfer data files through an ATS in either direction. There must be at least
one station designated as the Mailbox on the Nodebus and another station on The
MESH network.
 On multiple Nodebus systems separated by a LAN Interface, each Nodebus must
have a separate Mailbox so that traffic is not routed through the interface.

Verification for Assigned RemoteWatch Mailbox Stations

Verify that the selected Mailbox station does not conflict with customer applications or prefer-
ences.
The DAS Mailbox file, DASmailbox.txt, is located in the folder:
D:\opt\fox\bin\remote\tools\DAS\cfg

9
B0860AY – Rev A 1. 70 Series DAS Installation for I/A Series Workstations

Verify that the letterbug contained in the file is acceptable. If this file must be modified with a dif-
ferent station letterbug, then only a 70 Series workstation with a second Ethernet network con-
nection to the RemoteWatch Server is acceptable. Refer to RemoteWatch User’s Guide (B0860AJ)
for more information.
Additionally, the DAS Mailbox file on each 70 Series workstation on the node or network must
be updated accordingly.

Modify RemoteWatch Mailbox Stations Assignment

During installation a RemoteWatch Mailbox configuration file is generated. The file is
d:\opt\fox\bin\remote\tools\DAS\install\mbxCfg\mbx_cfg.csv. Each line of the file
contains three fields separated by commas, the first field contains a I/A Series workstation name,
the second field contains the station designated as the Mailbox station for the station identified in
field one. The third field contains the NSAP of the station specified in field one. After this file has
been updated with the correct RemoteWatch Mailbox stations for each station, the new Remote-
Watch mailbox configuration is distributed using the
d:\opt\fox\bin\remote\tools\DAS\install\distribute_mbxCfg.vbs program.

I/A Series Software V8.5, V8.6, V8.7 and V8.8

Verification
Verify Installation
Proceed as follows:
1. Open the Services applet from Programs->Administrative Tools->Services.
2. Verify an entry titled RW_DasExec is present and its status is Started.

Uninstall Notes
If the RW_DasExec DAS software must be uninstalled for any reason use the following proce-
dure:
1. Login to the proper account for installation:
a. For a secure system, use the IA Installer account. Typically, the name is IAInstaller.
b. For a standard system, use the fox account.
2. Open a command prompt and navigate to
d:\opt\fox\bin\remote\tools\DAS\install. For stations with I/A Series v8.8,
open this command prompt as an administrator.
3. Execute the script uninstall_70.cmd. This script may take some time to execute
especially if the RW_DasExec service is pending on completion of a data acquisition
task before it can be stopped and removed.
4. On secure I/A Series systems, if the IA Installer account is not named IAInstaller, the
following occurs:
a. A dialog box asks if the I/A Installer account has been renamed.
b. If Yes is selected, another dialog box prompting for the IA Installer account name
appears. Enter the new account name, and click OK.

10
1. 70 Series DAS Installation for I/A Series Workstations B0860AY – Rev A

5. When prompted, select the station(s) to uninstall.

6. If a remote workstation is contained in the list of stations to uninstall, then proceed as
follows:
 On a standard I/A Series system, enter the fox account password at the prompt.
 On a secure I/A Series system, perform the following:
 In the dialog box, indicate whether or not the I/A Services account has been
renamed.
 If the IAServices account has been renamed, another dialog box appears. Enter
the new name and click OK.
 Enter the IAServices account password and click OK.
7. To verify that the un-install operation executed properly, check the Add/Remove Soft-
ware applet on the workstations and verify the package RW_DasExec_Pkg is not pres-
ent.
This completes the installation of the 70 Series DAS software (Version 3.2) on 70 Series worksta-
tions with I/A Series V8.5, V8.6, V8.7 and V8.8 software.
For operational details of the RW_DasExec DAS, refer to the RemoteWatch User's Guide
(B0860AJ).

11
B0860AY – Rev A 1. 70 Series DAS Installation for I/A Series Workstations

12
2. Verify the FIST Host
This chapter describes how to verify the correct addresses for the FIST host.
Be aware of the following:
 The FIST host text file designates which I/A Series workstation will transfer the FIST
configuration file to the RemoteWatch Server. This file is required for RemoteWatch
applications.
 Only one station on the system is designated as the FIST host.
 As with the RemoteWatch Mailbox file, verify that the station listed in the Fist-
Host.txt file exists.
 Fisthost.txt is located on 70 Series workstations in the folder:
D:\opt\fox\bin\remote\tools\DAS\cfg

13
B0860AY – Rev A 2. Verify the FIST Host

14
3. Verify Data Transfer to the
RemoteWatch Server
This chapter describes how to verify that data has been transferred successfully to the
RemoteWatch Server.

I/A Series DAS Software for 70 Series Stations

After DAS has been installed, a collection will run and transfer data files to the RemoteWatch
Server. On the server, the files are processed and ultimately stored in D:\resource_das\data in
separate subdirectories for each station.
To verify that DAS is running correctly, log onto the RemoteWatch Server and check the
D:\resource_das\data directory. There should be a folder for each station that is sending data
to the server. For example, if DAS was installed on two stations, there should be two folders under
D:\resource_das\data, regardless of whether one of the stations is using a mailbox.

NOTE
Due to timing issues with mailbox stations, it may take another DAS collection
before all of the stations have folders in D:\resource_das\data. If only some of
the stations have folders, check back in 1-2 hours to verify that the rest of the sta-
tions have sent their data.

If the folders don't exist, the following tips may help troubleshoot the issue:
 To force a DAS collection on the I/A station, pause and continue the RW_WinExec
service. Enter the following commands on the I/A Series station at a command
prompt:
 net pause RW_DasExec
 net continue RW_DasExec
It takes several minutes for a collection to run and transfer files to the server.
 The data files are archived on the I/A Series station into a 7z archive file and then
transferred to the server. To verify that the archive was received on the server, check for
any *.7z files in D:\ftproot using the following commands on the server at a com-
mand prompt:
 D:
 cd \ftproot
 dir /s *.7z
If no files are listed, then there is a problem with the connection between the station
and the server.
 The D:\ftproot\resource_das\data\7z_input folder must exist on the server
for the files to be processed correctly. Verify that the folder exists and if it doesn't, cre-
ate it.

15
B0860AY – Rev A 3. Verify Data Transfer to the RemoteWatch Server

 The Invensys® File Services must be installed and running on the RemoteWatch
Server. Try restarting the service by running the following two commands on the
server at a command prompt:
 net stop ISFService
 net start ISFService
For further troubleshooting guidance, contact the GCS Support Center.

16
Appendix A. I/A Series Secure
Environment Remote Watch Server
Communications Setup
This appendix describes how to setup the RemoteWatch Server communications in a secure
I/A Series environment.
Each station designated as a RW Mailbox station MUST BE able to communicate with the RW
Server. Each I/A Series station with DAS installed has the name PS_DAS assigned to the IP address
of the RW Server that was specified during installation.
After installation of an I/A Series Secure system, the following conditions may exist that prevent
data transfer to the RemoteWatch Server:
 The second network interface on the 70 Series station is disabled and has no IP
configuration
 Communication can only occur when a RW server is connected to the same second
subnet as the 70 Series station
 The McAfee® HIPS package, when fully enabled, prevents RW data files from being
sent to the RW Server.

! WARNING
Before connecting an I/A Series system to a network other than the I/A Series con-
trol network, the security of this connection must be reviewed by the customer to
insure that the customer security requirements are not compromised in anyway.

Enable/IP Configure Second Network Interface

The connection of the I/A Series station to the second network requires the user to determine if
the IP address is assigned using DHCP or is a fixed value entered manually. The second network
is enable using the standard MS Network Connections dialog box, that is accessed using Control
Panel > Network Connections. The properties for the connection are set by selecting the
LAN, and then right clicking and selecting the properties.

I/A DAS Mailbox Station and RW Server Not

Connected to the Same Subnet
In the case where the I/A DAS Mailbox station(s) and the RW Server are not on the same second
network subnet, a route add command is required.

17
B0860AY – Rev A Appendix A. I/A Series Secure Environment Remote Watch

! WARNING
A syntax error during the entering of the route add command could affect I/A Series
station operation and require an I/A Series station reboot.

It is suggested that the route add command be implement and verified without the persistence
option (-p) being specified. Once the command is verified to provide the proper routing, the
command can be re-issued with the -p option specified to make the change persist between
reboots.
For maximum security the route add command should specify a netmask 255.255.255.255. The
format of a route add is:
route add {RWS_IP} MASK 255.255.255.255 {2ND_NET_IP} METRIC 20
where: {RWS_IP} is replaced by the IP address of the RW Server
{2ND_NET_IP} is replaced with the 70 Series station second network IP address.

Add HIPS Firewall Rule

The McAfee HIPS requires a rule to be added to allow I/A Series workstations to send data files
using the FTP to the RemoteWatch Server using a network other than the I/A Series MESH Con-
trol network. The additional rule is implemented using the McAfee ePolicy Orchestrator 4.0.0
Console.
1. Log onto the IASERIES Domain controller using the iaDomainAdmin account.
2. Click on the Launch McAfee ePolicy Orchestrator® 4.0.0 Console desktop shortcut.
3. On the resulting web page, click Continue to the website (not recom-
mended).

18
Appendix A. I/A Series Secure Environment Remote Watch Server Communications Setup B0860AY – Rev A

Figure 3-1. Certificate Error: Navigation Blocked Screen

4. Log into the McAfee ePolicy Orchestrator 4.0.0 Console using the admin account.

Figure 3-2. Log In - McAfee EPolicy Orchestrator Administrator Account

5. On the ePolicy Orchestrator page, make the following selections:

a. Select Systems from the menu along the top.
b. Select Policy Catalog from the submenu below.
c. Select Host Intrusion Prevention 7.0.4 Firewall as the product.

19
B0860AY – Rev A Appendix A. I/A Series Secure Environment Remote Watch

d. Select Firewall Rules (Windows) as the category.

e. Click on Edit in the Actions Column for Invensys Firewall Rules.

Figure 3-3. Select Product - Host Intrusion Prevention 7.0.4 Firewall

20
Appendix A. I/A Series Secure Environment Remote Watch Server Communications Setup B0860AY – Rev A

6. On the resulting page, click Add Rule.

Figure 3-4. Add Rule - Invensys Firewall Rules

21
B0860AY – Rev A Appendix A. I/A Series Secure Environment Remote Watch

7. On the resulting page, the firewall rule is defined. Leave the default values except for
the following three fields:
a. For the Name field, enter: RW DAS
b. For the Remote address field, enter: Single and the IP Address of the Remote
Watch Server
c. For the Remote Service, enter: ftpdata (20)
Then, click OK.

Figure 3-5. Define Rule - Invensys Fire Wall

8. After adding the rule, click Save in the lower-right hand corner to bring you back to
the main interface.
9. From the top menu, select the Systems icon and then System Tree from the sub-
menu below it. Expand the nodes in the tree view on the left side of the screen to find
the I/A Series stations (typically found in the I/A Computers node). Check the box

22
Appendix A. I/A Series Secure Environment Remote Watch Server Communications Setup B0860AY – Rev A

next to all of the stations that have DAS installed or will have DAS installed in the
future.

Figure 3-6. Select I/A Series Stations to Receive the New RW DAS Rule

10. Click the More Actions button.

23
B0860AY – Rev A Appendix A. I/A Series Secure Environment Remote Watch

11. From the resulting More Actions menu, click Wake Up Agents.

Figure 3-7. Select Wake up Agents - More Actions Menu

24
Appendix A. I/A Series Secure Environment Remote Watch Server Communications Setup B0860AY – Rev A

Figure 3-8. Accept Defaults - Wake Up McAfee Agent Screen

12. On the Wake Up McAfee Agent screen, click OK to accept the default values as shown.

25
B0860AY – Rev A Appendix A. I/A Series Secure Environment Remote Watch

Figure 3-9. Close - ePolicy Orchestrator Web Page

13. Close the ePolicy Orchestrator web page.

26
Index
D
DAS 11
installation 1
software version 11
uninstall 10
DAS Installation
70 Series 1
Data transfer
RemoteWatch server 17

F
FIST Host 13

G
Global Customer Support Center vii

I
Installation
prerequisites 1

N
Nodebus 9

R
RemoteWatch Mailbox 13
Revision information vii
RW_DasExec_Pkg 2
RW_DasExec_Service viii, 10
RW_WinExec viii
RW_WinExec_Service viii

T
The MESH control network 9

V
Verifying data collection 15, 17

27
Invensys Operations Management
5601 Granite Parkway Suite 1000
Plano, TX 75024
United States of America
http://www.iom.invensys.com

Global Customer Support

Inside U.S.: 1-866-746-6477
Outside U.S.: 1-508-549-2424 or contact your
local Invensys representative.
Website: http://support.ips.invensys.com