TABLE OF CONTENTS
- 1. Introduction
- 2. Installation
WIN-911 can be installed on a single computer as a standalone installation, or across two or more computers as a distributed system. A distributed installation is useful for moving modules that require internet access to a DMZ server while leaving the rest of the system on a secure plant network. This article provides an overview of how to install and set up a WIN-911 2021 Distributed Installation.
A. WIN-911 Logical Systems
WIN-911 2021 is a system comprised of module components that work together to manage information access and provide strategic alarm notifications. These modules can belong to one of three categories:
- Notifiers - Manage connections to end users and notification providers; handle runtime interactions with the end users (such as Email interactions over SMTP and IMAP/POP3)
- Sources - Manage alarm and data point collections, and interactions with the SCADA system (such as GE, InTouch, or Rockwell)
- Support - Manage logic related to notifications, reporting, and other functions between Sources and Notifiers (such as the Dispatcher)
A Logical System refers to a set of modules that constitute an entire working WIN-911 System. These can be installed together on a single physical machine, or on separate machines, distributing some modules onto another computer.
[Figure: An example of a Standalone installation, where all modules are installed on a single computer.]
[Figure: An example of a Distributed installation, where the Mobile module has been moved to a separate computer.]
B. Industrial Control System Architecture
ISA-99 adopts the Purdue Enterprise Reference Architecture (PERA) as a model for network segregation in Industrial Control Systems. Within the manufacturing/industrial zone of the network, SCADA/HMI applications typically inhabit Level 2; historians, plant apps, and domain controllers typically inhabit Level 3. Email and Web access is typically restricted to a higher level: Level 4, or a Level 3.5 DMZ as shown. Our modules can fit into each of these different levels, such as Source modules being installed at Level 2, Support modules at Level 3, and Notifiers at Level 3.5 or 4.
[Figure: A Distributed WIN-911 System can span multiple levels to allow communication with both the SCADA and the Internet.]
C. When to Distribute
The ability to distribute the modules provides tremendous flexibility to fit WIN-911 into your existing network architecture. However, it is often not necessary to distribute all modules, or to use a distributed installation at all.
First, many of our Source modules allow for network connectivity with the SCADA and do not need to be installed on the same machine as the SCADA application. Refer to source-specific documentation and network diagrams found in our Data Source Quick Start Guides.
Second, your Notifier module may not require direct Internet access to function. Your organization may have an internal mail server that can be reached over LAN. An internal VoIP system can process calls without using the Internet.
You may need to check with your network administrator to identify the best deployment option for your organization. In general, WIN-911 recommends installation across a minimum number of machines to reduce maintenance and complexity. Here are some examples of when you may want to distribute:
- If your SCADA system does not have internet access, and you want to use our Mobile app, you will need to either employ the WIN-911 Mobile Hub or distribute your Mobile Module.
- If you wish to use an SMS Modem such as the Sierra Wireless RV50X, but cannot plug non-production devices into your plant network, you can distribute the SMS Module to a computer on a network where the modem can be connected.
- If your VoIP provider is cloud-based, and requires internet access to register, you can distribute the Voice module to a computer with proper internet connectivity.
Note: Distributed Modules still require communications between the system they are installed on, and the primary system where the Support modules are installed. This is outlined in more detail later.
D. Microsoft SQL Server
In addition to distributing WIN-911 modules, the SQL Server instance hosting the WIN-911 configuration can reside on any of the WIN-911 host machines, or be distributed onto a separate physical machine. More information can be found in the article about Best Practices for SQL Server. Again, you may need to consult your organization's IT team to determine how best to deploy WIN-911 and MS SQL within your network.
A. Primary System
To set up a distributed installation, run the WIN-911 Installer and select "Distributed System", then click Next.
When setting up the primary system, you will want to create the SQL Instance using the installer. Alternatively, if you have created your own SQL Server on another computer you can click "Use Existing".
For a primary system, no modules should be found on the network. Wait for the search to complete, then click the Next button. You will be prompted with a box about "Creating a new Distributed System". Click Yes to continue.
The installer will then prompt for the user account to run WIN-911 under, ask you to locate the SQL Server instance, and, for a primary system, mark all the required Support modules. It will then prompt you to choose which other modules you want to have installed. Choose the modules that can reasonably run on your system (such as a data source, or any non-Internet Notifiers).
The Installer will then set up the modules selected, generate their configurations on the SQL Server, and start them running. At this point, the other system modules can be configured.
B. Other Systems
To install a module on another system, start the installer and choose Distributed System. It will run through the checks. If you have a centralized SQL server, or want to point back to the primary system's SQL server, you can click "Use Existing". Otherwise, a local SQL Server instance will need to be created for the distributed modules on this other system.
After this, you should be at the Locate Existing Modules screen. It will attempt to scan the network on UDP port 3702 automatically, but this is often blocked by firewalls. If the scan finds nothing, enter the hostname of the Primary WIN-911 system and click Search. It should locate the modules you've already installed.
Confirm that all modules you were looking for are found. You may need to add other hostnames and search again if you distributed to more than one computer already. After this, follow the prompts the same way as the Primary system, entering the username to run WIN-911 under, the SQL Server to store the configurations, and then the modules you wish to install.
After your selections, the installation will proceed to set up the module, create the database configuration, and start the services.
At this time, you can return to your Primary System and run the WIN-911 Module Mapper. It should now detect all modules installed across your system.
Save the Module Map by clicking the save icon in the bottom right corner. After this, restart both WIN-911 systems. Once the systems come back online, the Workspace should now properly reflect the options you've chosen.
After your system is installed and working, you will want to license your system. You only need one license installed on your Primary WIN-911 System. CodeMeter has the option to act as a license server on your network, and distribute the license to all computers in the WIN-911 Distributed System. To enable this, open CodeMeter Control Center on the Primary computer.
Click "WebAdmin" in the bottom right. A web browser will open and show more options for the CodeMeter runtime. From here, look for Configuration in the top tab bar, and then click on Server.
From here, under the Server Access sub-tab, make sure that Network Server is set to Enable.
This has now turned the WIN-911 Primary computer into a license server. To have the other servers look at this license server, follow the same procedure to get to the WebAdmin on the distributed systems, but this time select "Configuration > Basic".
In the Server Search List, click "add new Server" and enter the hostname or IP address of the primary licensed system.
Apply this change, and then restart the WIN-911 systems. We also advise clearing any lingering WIN-911 containers from the CodeMeter Control Center, as these can cause incorrect usage of the license system. If you are unable to delete the licenses, or the button to Remove License is greyed out, please see our article on resolving this issue.
D. Ports and Firewalls
WIN-911 Distributed Systems have a number of communication requirements. The following ports are necessary for the operation of WIN-911 over a distributed installation:
- TCP 4020 - WIN-911 inter-module communications. This is used for all traffic in and out of the different modules.
- TCP 1433 - MS SQL Server communications. Modules will access the SQL Server over this port for configuration information. If you do not want this port open between servers/networks, you will need a separate SQL Server installation on each computer where a WIN-911 module resides.
- TCP 22350 - CodeMeter License communications, for sending licensing from the primary computer to the computers with the other modules.
- UDP 3702 - Installer scan. Not necessary for day-to-day operation, but can help during setup.
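The port list above expressed as Windows Firewall rules that admit only the peer WIN-911 host, followed by a reachability check to run from the distributed machine. This is an added example, not WIN-911 tooling; it assumes the primary host also runs the SQL Server instance and the CodeMeter license server, and the address 192.0.2.10 and the function name Test-Win911Ports are placeholders introduced here.

```powershell
# Run in an elevated PowerShell session on the PRIMARY WIN-911 host.
# Assumption: this host also runs SQL Server and the CodeMeter license server.
# Constructed placeholder (documentation address range); replace with the
# real address(es) of your distributed WIN-911 host(s).
$DistributedHosts = @('192.0.2.10')

$rules = @(
    @{ Name = 'WIN-911 inter-module (TCP 4020)'; Port = 4020  },
    @{ Name = 'WIN-911 SQL Server (TCP 1433)';   Port = 1433  },
    @{ Name = 'WIN-911 CodeMeter (TCP 22350)';   Port = 22350 }
)

foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        continue
    }
    # -RemoteAddress limits each rule to the listed peers instead of "Any",
    # so the DMZ host is the only machine allowed through on these ports.
    New-NetFirewallRule -DisplayName $r.Name -Group 'WIN-911 Distributed' `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $r.Port -RemoteAddress $DistributedHosts | Out-Null
}

# UDP 3702 is intentionally not opened: it is only the installer scan, and
# entering the primary hostname in the installer works without it.

# Run on the DISTRIBUTED host after the rules are in place.
# Returns one object per port with a Reachable flag.
function Test-Win911Ports {
    param(
        [Parameter(Mandatory)] [string] $PrimaryHost,
        [int[]] $Ports = @(4020, 1433, 22350)
    )
    foreach ($p in $Ports) {
        $t = Test-NetConnection -ComputerName $PrimaryHost -Port $p `
            -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $PrimaryHost
            Port      = $p
            Reachable = $t.TcpTestSucceeded
        }
    }
}
```

Because TCP 4020 carries traffic in both directions, the distributed host needs the matching inbound 4020 rule with the primary's address as the remote address. Any firewall between the two network levels needs the same three TCP ports allowed between exactly those hosts.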