Configuring Software and Hardware Firewalls to Support National Instruments Products

Publish Date: Jul 25, 2018 | 40 Ratings | 3.38 out of 5 | Print

Overview

National Instruments software packages and embedded hardware targets take advantage of network communication for application deployment, remote control of applications or instruments, transferring data, accessing and hosting web servers and services, and more. When using National Instruments network-enabled products with hardware or software firewalls, information about individual network port access may be needed to permit communication. This tutorial briefly explains the networking settings associated with performing common tasks using NI products, including the default TCP/UDP ports used and how to reconfigure these ports (if possible).

Table of Contents

  1. Introduction to Network Ports and Firewalls
  2. Network Ports and Settings Used by National Instruments Products
  3. Summary Table (Network Ports and Settings)
  4. Additional Assistance

1. Introduction to Network Ports and Firewalls

On modern computer systems, network communication including web page traffic, file transfers, emails, and more can be logically divided into different layers; this is known as the OSI Model. One layer, known as the network layer, is responsible for successfully routing network traffic, and providing error detection and diagnostic capability. The main network layer protocol used for both local network and Internet communication is known as Internet Protocol (IP). Another layer, known as the transport layer, is responsible for providing end-to-end communication services for applications. Two of the most common transport layer protocols are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).

In order for a piece of network traffic to reach an application on a remote system, it must contain two key pieces of information: an address for the computer(s) that should receive the traffic (this is referred to as an IP address when using the IP protocol), and a destination port number for the application on the remote system(s) that should process the data. The IP address of the computer transmitting the data or request is also sent along with a source port number used by the originating application. In practice, each transport layer protocol (e.g. TCP, UDP) allows for up to 65,535 ports that applications can use.

If an application on a given computer is accepting data, or "listening" on a given port, then the potential exists for that application to receive network data and do something based on that data. In this way, network traffic can affect the operation of a system up to the extent that an application allows. To reduce the effect that network traffic can have on a computer's operation, both networking equipment and individual computers may employ filters called firewalls that use a set of rules to allow or block certain unwanted network traffic (based on IP addresses, ports, or applications that are attempting to send the traffic).

Hardware Firewalls

Hardware firewalls are commonly built into networking equipment (such as routers), and examine each piece of network traffic (known as packets) as they are received and then re-transmitted. The header of each packet contains information about the destination IP address, transport layer protocol used, remote port number, and more. Hardware firewalls can filter packets based on this information and a set of user-defined rules, resulting in certain network packets being allowed and others being dropped without re-transmission.

Although each individual hardware firewall may be configured differently (or have different default settings), many personal network routers are set up by default to allow all outgoing traffic and disable all incoming traffic between a local and external network. All traffic within the local network itself is typically allowed by default, and incoming traffic based on a recent outgoing request is also typically allowed.

Software Firewalls

In addition to the presence of hardware firewalls on network, individual computers may also run firewall software packages to filter network communications and protect against the unwanted influence of remote machines. While software firewalls have a similar objective as hardware firewalls, they use different methods to do this filtering. 

To filter packets based on header information (IP address, transport layer protocol, port, etc), software firewalls commonly employ an intermediate network driver that can accept or reject traffic based on rules before passing it to an application (in the case of incoming packets) or for outbound transmission. To filter network traffic based on the individual running application, or process, that is attempting to send or receive data, software firewalls can also intercept software calls between applications and underlying transport layer protocol drivers. Using this method, for example, certain applications could be denied the opportunity to listen for data on a specific port, while others could be granted this permission.

Although each software firewall package may be configured differently (or have different default settings), many personal firewall software packages are set up by default to allow all outgoing port traffic and disable all incoming port traffic. However, these packages typically also enable incoming port traffic that is expected based on a previous outgoing request. As mentioned previously, firewall software may also prompt the user to allow or restrict port access for individual applications.

Back to Top

2. Network Ports and Settings Used by National Instruments Products

A wide variety of National Instruments products take advantage of network communication to provide different types of functionality -- from identifying networked hardware targets to providing access to web services created in LabVIEW. Given the fact that the majority of corporate and personal networks feature a combination of hardware and software firewalls, it is often necessary to change firewall settings to allow the network traffic needed for a given National Instruments product to function properly. 

The remainder of this document outlines the transport layer protocols and ports that different National Instruments products and features use, as well as where you can change these ports (if this is possible). Please see the documentation for your hardware or software firewall for instructions on how to change firewall settings in order to allow the desired traffic. If you are working on a large network in which you do not have access to change hardware or software firewall settings, please contact your network administrator and reference this document.

Remember that in most situations it is only necessary to configure your hardware or software firewalls to enable incoming connections to server ports (for servers running on your local PCs or embedded hardware targets). When using software firewalls, you may also be prompted to allow individual applications to send or receive data.

 

Hardware Identification (Measurement & Automation Explorer)

Description of Functionality: NI Measurement & Automation Explorer (MAX) discovers, enumerates, and configures National Instruments network-enabled devices (such as LabVIEW Real-Time targets).

Server Ports: UDP port 44515, UDP port 44525, TCP port 44516

Are the Ports Configurable?: No

 

Web Servers and Remote Control

Web Monitoring and Configuration of Networked Devices

Description of Functionality: As of the release of LabVIEW 2010, it is possible to monitor and configure many National Instruments network-enabled devices using a web browser.

Server Ports: UDP port 5353 (used for device detection over mDNS), TCP port 52725 (used for the NI Network Browser utility), TCP port 3580 (web monitoring and configuration server port)

Are the Ports Configurable?: No

Location of Port Settings: You can not change the web monitoring and configuration server ports. However, you can choose to enable SSL communication by visiting the web monitoring and configuration page for a given system (http://IP_ADDRESS:5353) and using the Web Server Configuration page and the settings under System Web Server.

 

LabVIEW Remote Front Panels

Description of Functionality: LabVIEW applications can be made into web services and then accessed from other networked systems when hosted using the LabVIEW Application Web Server.

Server Ports: TCP port 8080 (default)

Are the Ports Configurable?: Yes

Location of Port Settings: You can change the Application Web Server port used to host LabVIEW web services using the web monitoring and configuration page for the server machine. This can be accessed by visiting (http://IP_ADDRESS:5353) and then visiting the Web Server Configuration page and using the settings under Application Web Server. In addition, it is possible to assign additional ports and optionally use SSL for Application Web Server communication using these settings.

 

Programmatic Application Control with VI Server

Description of Functionality: VI Server can be used to programmatically control front panel objects, VIs, and LabVIEW on a given computer from either the local system or a remote machine. 

Server Ports: TCP port 3363 (default)

Are the Ports Configurable?: Yes

Location of Port Settings: You can change the VI Server port on a development computer by navigating to the Tools >> Options >> VI Server menu. To change the VI Server port on an embedded hardware target (e.g. CompactRIO), right click on the target in the LabVIEW Project and select Properties >> VI Server.

 

Remote Instrument Control with VISA Server

Description of Functionality: In addition to communicating with instruments connected to a local machine through the NI-VISA API, it is possible to remotely control instruments that are physically connected to another machine -- using the VISA Server.

Server Ports: TCP port 3537 (default)

Are the Ports Configurable?: Yes

Location of Port Settings: To view and change port settings for the VISA server on a PC, open NI Measurement & Automation Explorer (MAX) software and navigate to Tools >> NI-VISA >> VISA Options >> VISA Server.

 

FPGA Compile Farms

Description of Functionality: You can send a LabVIEW FPGA compile job to a single remote computer for compilation, or use a remote bank of computers for site-wide compilation (each compile still utilizes only one computer). Remote compilation on one machine can be accomplished by installing LabVIEW FPGA Compile Worker software on that machine, and LabVIEW FPGA Compile Server software on either the local or remote machine. Site-wide remote compilation systems can be built using a bank of computers with LabVIEW FPGA Compile Worker software installed, and a server computer with the LabVIEW FPGA Compile Server and LabVIEW FPGA Compile Farm Toolkit installed.

Server Ports: TCP port 3582 (same as System Web Server)

Are the Ports Configurable?: Yes

 

Legacy: G Web Server

Description of Functionality: The G Web Server is part of the LabVIEW Internet Toolkit, and can be used to provide remote machines with access to CGI applications written in LabVIEW. 

Server Ports: TCP port 80 (default)

Are the Ports Configurable?: Yes

Location of Port Settings: You can configure the G Web Server using the LabVIEW menu located at Tools >> Internet >> G Web Server Configuration.

 

File, Email, Web Page, and Data Communication

File Transfer (FTP)

Description of Functionality: LabVIEW File Transfer Protocol (FTP) VIs are included in the LabVIEW Internet Toolkit, and enable writing and reading files to and from remote FTP servers.

Server Ports: TCP port 20 (used in active mode only), TCP port 21 (used in active and passive mode)

Are the Ports Configurable?: Yes (defined by the server)

Location of Port Settings: You can use the FTP VIs in the LabVIEW Internet Toolkit to connect to a remote FTP server -- not to implement the FTP server itself. Ports 20 and 21 are commonly used by FTP servers, though this can be changed on the server side, and you can connect to non-standard ports using the LabVIEW VIs. Note that special firewall settings may be needed to support active FTP connections; for additional information, please follow this link. For passive FTP connections, no firewall adjustments are typically needed to connect to a remote server. 

 

Email Communication (SMTP)

Description of Functionality: LabVIEW contains Simple Mail Transfer Protocol (SMTP) VIs for sending emails through a remote SMTP server.

Server Ports: TCP port 25

Are the Ports Configurable?: No

Location of Port Settings: You can use the SMTP VIs in LabVIEW to connect to a remote SMTP server -- not to implement the SMTP server itself. Port 25 is commonly used by SMTP servers; at this time the LabVIEW SMTP VIs can not be used to access a non-standard port, or to connect to secure SMTP servers. In most cases, no firewall adjustments should be needed to connect to a remote SMTP server.

 

Web Page Communication (HTTP)

Description of Functionality: You can use the HTTP Client VIs to build a Web client that interacts with servers, pages, and Web services. You can add HTTP headers, store cookies, provide authentication credentials, and send Web requests using HTTP methods such as POST, GET, PUT, HEAD, and DELETE.

Server Ports: TCP port 80 (default)

Are the Ports Configurable?: Yes (defined by server)

Location of Port Settings: You can use the HTTP Client VIs in LabVIEW to connect to remote Web servers -- not implement the Web server itself.  Port 80 is commonly used by Web servers, but you can use the HTTP Client VIs to connect to servers on non-standard ports by using a URL with format (http://HOSTNAME:PORT). In most cases, no firewall adjustments should be needed to connect to a remote HTTP server.

 

Shared Variables and Network Streams

Description of Functionality: Both Network Streams  (available in LabVIEW 2010 and higher) can be used to transmit variable data between machines on a network. In practice, Network Shared Variables are optimized for polling variable values from one or more remote systems, while Network Streams are optimized for sending a complete stream of data in a lossless manner between one system and another. Because Network Shared Variables and Network Streams both make use of an underlying protocol called Logos, they both use the same network ports.

Server Ports: TCP port 2343 (default), UDP ports 6000-6010 (default), TCP ports 59110 and above (one port for each application running on the server)

Are the Ports Configurable?: Yes

Location of Port Settings: For Network Shared Variables or Network Streams that are hosted on a Windows PC using LogosXT, you can create a LogosXT.ini file to specify a different range of TCP ports to use (the UDP ports used are fixed). Follow this link to read about the location and contents of the LogosXT.ini file: Changing the Default Ports for TCP-Based NI-PSP (Windows). In addition, you can configure these ports for Network Shared Variables and Network Streams hosted on LabVIEW Real-Time targets by editing the ni-rt.ini file located in the root FTP directory of the controller. The parameters of interest are the LogosXT_PortBase and LogosXT_NumPortsToCheck entries in the file. For solutions using Logos, you can change the UDP port by editing the appropriate registry key or disable it entirely using the appropriate token in the Logos.ini file. Refer to the following link for more information: Why Does spnsrvnt.exe Crash After Installing National Instruments Products?

 

DataSocket (DSTP)

Description of Functionality:NI DataSocket VIs can be used to communicate with other applications, files, FTP servers, and Web servers. The specific ports used will depend on the type of server that you are connecting to.  In addition, DataSocket VIs can connect to DataSocket servers that use the DataSocket Transfer Protocol (DSTP).

Server Ports Used: TCP port 3015 (for DSTP)

Are the Ports Configurable?: No. You can start the DataSocket server by navigating to Start >> All Programs >> National Instruments >> Datasocket >> DataSocket Server.

 

Direct TCP and UDP Communication

Description of Functionality: Using the UDP and TCP VIs in LabVIEW, you can directly send and receive UDP and TCP communication to and from other machines on a network.

Protocol and Ports Used: Defined by application code or server

Is the Port Configurable?: Yes

Location of Port Settings: The TCP and UDP VIs enable listening on your port of choice, or sending data to another machine on a port number that you specify.

 

Time Synchronization (NTP, SNTP)

Description of Functionality: Certain NI embedded hardware targets have a built-in ability to set their system time based on a network time server (typically a Simple Network Time Protocol, or SNTP server). On other hardware targets, example code is available for programmatically retrieving a time via NTP or SNTP and setting the system time based on that value.

Server Ports: TCP port 123 (default)

Is the Port Configurable?: Yes (defined by server)

Location of Port Settings: Note that code running on NI hardware targets is typically used to connect to a network time server -- not implement the time server itself. Therefore, the network port used will depend on the server that you are connecting to. For CompactRIO targets, you can use the instructions in this reference to configure the server and port to connect to: Configuring CompactRIO Real-Time Controllers to Synchronize to SNTP Servers. If you are using code on another target to connect to a network time server, you can set the server and port to connect to using that code. In most cases, no firewall adjustments should be needed to connect to a remote NTP or SNTP server.

 

Device-Specific Port Information

NI ENET-232 and ENET-485

Description of Functionality: The NI ENET-232 and NI ENET-485 devices enable you to control RS-232 and RS-485 connections remotely via Ethernet.

Server Ports: TCP port 5225

Are the Ports Configurable?: No

 

NI GPIB-ENET/100 and NI GPIB-ENET/1000

Description of Functionality: Using NI GPIB-ENET devices, you can control communication with GPIB instruments remotely via Ethernet.

Server Ports: TCP ports 5000, 5003, 5005, 5010, and 5015

Are the Ports Configurable?: No

 

Volume License Manager (VLM)

Main Licensing Port

Description of Functionality: The port that client machines use to connect to the volume license server. If the Main Licensing Port is set to something other than the default, clients need to specify the Main Licensing Port in NI License Manager. For example, if the Main Licensing Port is 27001, then the client would specify servername:27001. The Volume License Installer wizard automatically sets the Main Licensing Port when creating Volume License Installers.

Server Ports: TCP 27000 (default)

Are the Ports Configurable?: Yes

Location of Port Settings: To view and change the port settings for VLM, navigate to Tools >> Preferences >> General >> Server Settings.

 

NI Update Service

Description of Functionality: NI Update Service checks for and electronically delivers software updates for your NI software and drivers.

Server Ports: URL delta.ni.com  with HTTPS 443 port. URLs ftp.ni.com and download.ni.com with HTTPS 80 port for both URLs.

Are the Ports Configurable?: No

 

Communication Port

Description of Functionality: The port that NI VLM uses to communicate with client machines.

Server Ports: TCP 4637 (default)

Are the Ports Configurable?: Yes

Location of Port Settings: To view and change the port settings for VLM, navigate to Tools >> Preferences >> General >> Server Settings.

 

SMTP Email Server Ports

Description of Functionality: NI VLM has an SMTP email server included to send emails and license files to clients from within the NI VLM environment.

Server Ports: SMTP 25, SSL/SMTP 465 (default)

Are the Ports Configurable?: Yes.

Location of Port Settings: You can specify a port number when entering the SMTP server address, for example, smtp.example.com:465. If you do not specify a port, VLM will use the default port. The default port is 25 if you are not using SSL encryption. If you are using SSL encryption the default port is 465.

 

Sending VLA Log

Description of Functionality: NI VLM uses this port to send a VLA Log file back to National Instruments. The data contained in the log is the compliance and usage data for the volume license server.

Server Ports: HTTPS 443

Are the Ports Configurable?: No

 

Back to Top

3. Summary Table (Network Ports and Settings)

 

Product or Feature Server Ports
(default)
Port Configuration Location
MAX Hardware Identification UDP 44515, UDP 44525, TCP 44516 NA
Web Monitoring and Configuration UDP 5353, TCP 52725, TCP 3580 NA (can enable SSL at http://IP_ADDRESS:5353 via Web Server Configuration page)
LabVIEW Real-Time (Deploying and Debugging VI's) TCP 3079 NA
LabVIEW Remote Front Panels TCP 8000 (no SSL), TCP 433 (SSL)
  • PC (in LabVIEW ): Tools >> Web Server
  • Embedded RT target (in LabVIEW): right click on target in Project >> Properties >> Web Server
LabVIEW Web Services TCP 8080 http://IP_ADDRESS:5353 then visit Web Server Configuration page under Application Web Server
LabVIEW VI Server TCP 3363
  • PC (in LabVIEW): Tools >> Options >> VI Server
  • Embedded RT target (in LabVIEW): right click on target in Project >> Properties >> VI Server
NI VISA Server TCP 3537 Measurement & Automation Explorer: Tools >> NI-VISA >> VISA Options >> VISA Server
LabVIEW FPGA Compile Farms (LabVIEW 2010 and later) TCP 3582 http://IP_ADDRESS:3582 then visit Web Server Configuration page under System Web Server section
LabVIEW G Web Server TCP 80 LabVIEW: Tools >> Internet >> G Web Server Configuration
FTP VIs (LabVIEW Internet Toolkit) TCP 20 (active mode), 21 (passive mode) Defined by server, can access non-standard ports using API.
Email VIs (SMTP) TCP 25 Defined by server, can not access non-standard ports using API.
HTTP Client VIs TCP 80 Defined by server, can access non-standard ports using API.
Network Shared Variables TCP 2343, UDP 6000-6010, TCP 59110 and above (one port for each application instance)
  • PC LogosXT: use LogosXT.ini file (read this)
  • PC Logos: modify registry key (read this)
  • Embedded RT target: use ni-rt.ini file in root directory (LogosXT_PortBase and LogosXT_NumPortsToCheck entries)
Network Streams Same as above Same as above
DataSocket (DSTP) TCP 3015 NA
LabVIEW TCP and UDP VIs NA Defined by application
Time Synchronization (NTP, SNTP) TCP 123

Defined by server, can access non-standard ports using API.

NI ENET-232, NI ENET-485 TCP 5225 NA
NI GPIB-ENET/100, NI GPIB-ENET/1000 TCP 5000, 5003, 5005, 5010, and 5015 NA
NI VLM TCP 27000 and 4637, SMTP 25 (no SSL) and 465 (SSL), HTTPS 443
  • TCP ports specified in VLM
  • SMTP specified in server address
  • HTTPS non-configurable

 

Back to Top

4. Additional Assistance

If you are experiencing issues with firewalls and NI products, visit ni.com/support and call or e-mail an Applications Engineer for assistance. You can also ask about any products not mentioned in this tutorial, and request that they be added for future reference.

Back to Top

Bookmark & Share


Ratings

Rate this document

Answered Your Question?
Yes No

Submit