Exaquantum Engineering Guide Vol 2


Instruction Manual

Exaquantum Engineering Guide Volume 2 – Network Configuration


IM 36J04A15-02E
© Yokogawa March 5 2012
12th Edition Issue 1
Exaquantum Engineering Guide – Volume 2 Network Configuration i

Copyright and Trademark Notices

© 2012 Yokogawa Electric Corporation

All Rights Reserved

All rights are reserved in this document, which is the property of Yokogawa Electric
Corporation. Information contained herein is the property of Yokogawa Electric
Corporation.

Unless agreed in writing by Yokogawa Electric Corporation, the licensee shall not remove,
release, disclose, reveal, copy, extract all or part of the documentation.

Trademark Acknowledgements

Exaquantum, Exaopc and CENTUM are trademarks of Yokogawa.

Microsoft, Windows, Windows Vista, Windows Server 2008, Windows Server 2008 R2,
Windows 7 Professional, Microsoft Word, Microsoft Excel, Microsoft Office 2007,
Microsoft Office 2010, Visual Basic, Visual C++, SQL Server, MDAC, Microsoft .NET and
ActiveX are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.

Exaquantum uses Microsoft SQL Server as part of an Integrated Value Added Solution.

Adobe and Acrobat are registered trademarks of Adobe Systems Incorporated, and registered
within particular jurisdictions.

Ethernet is a registered trademark of XEROX Corporation.

Basic Scripting Engine provided by Cypress Software Inc., Copyright 1993 – 2000, all rights
reserved.

All other company and product names mentioned in this manual are trademarks or registered
trademarks of their respective companies.

We do not use TM or ® to indicate trademarks or registered trademarks in this manual.

IM 36J04A15-02E 12th Edition Issue 1 March 5 2012



Highlights

The Highlights section gives details of the changes made since the previous issue of this
document.

Summary of Changes

This is the 12th Edition of the document.

Detail of Changes

The changes are as follows.

Chapter/Section/Page      Change
Section 2.3               Added firewall configurations for RBNS connections
                          Added NetworkTest.exe to the Firewall exclusions
Section 6                 Various updates to security measures
Appendix A.13.5           Functions added to manual settings for Standard Security
Appendix A.14             Minor updates
Various                   Removed references to unsupported Operating Systems
Section 5                 Updated for R2.70
Pages A1, A9, A10, A12    Updated port upper limit
Pages A8, A13             Deleted reference to Windows 2003
Appendix A.15             New description


Exaquantum Document Set

The documents available for Exaquantum are:

Exaquantum General Specification (GS 36J04A10-01E)

Exaquantum Technical Information (TI 36J04A10-01E)

Exaquantum/PIMS User's Manual (IM 36J04A11-01E)

Exaquantum/Explorer User's Manual Volume 1 – General Information (IM 36J04A12-01E)

Exaquantum/Explorer User's Manual Volume 2 – Custom Controls (IM 36J04A12-02E)

Exaquantum/Explorer User's Manual Volume 3 – Microsoft Excel Reports (IM 36J04A12-03E)

Exaquantum/Explorer User's Manual Volume 4 – Advanced Configuration (IM 36J04A12-04E)

Exaquantum Installation Guide (IM 36J04A13-01E)

Exaquantum API Reference Manual (IM 36J04A14-01E)

Exaquantum Engineering Guide Volume 1 – Administration (IM 36J04A15-01E)

Exaquantum Engineering Guide Volume 2 – Network Configuration (IM 36J04A15-02E)

Exaquantum Engineering Guide Volume 3 – Support Tools (IM 36J04A15-03E)

Exaquantum Engineering Guide Volume 4 – Web Authoring (IM 36J04A15-04E)

Exaquantum Engineering Guide Volume 5 – PI Connection (IM 36J04A15-05E)


Table of Contents

Copyright and Trademark Notices ...................................................................................i


Highlights ...................................................................................................................... ii
Exaquantum Document Set........................................................................................... iii
Table of Contents .........................................................................................................iv
Chapter 1 Introduction ...........................................................................................................1-1
1.1 Document Purpose ........................................................................................................... 1-1
1.2 Intended Audience ........................................................................................................... 1-1
1.3 General ........................................................................................................................ 1-2
1.4 Terms ........................................................................................................................ 1-3
Chapter 2 Exaquantum Network Administration................................................................2-1
2.1 General ........................................................................................................................ 2-1
2.2 Network Guidelines.......................................................................................................... 2-2
2.2.1 Windows Domains ........................................................................................ 2-3
2.2.2 Windows Workgroups................................................................................... 2-3
2.2.3 Security Principals........................................................................ 2-3
2.2.4 Name Resolution ........................................................................................... 2-4
2.2.5 Network Topology......................................................................................... 2-5
2.2.6 Firewalls ...................................................................................................... 2-6
2.2.7 Server Operating System Configuration........................................................ 2-6
2.3 Firewall Configuration ..................................................................................................... 2-7
2.3.1 Firewall Configuration .................................................................................. 2-7
2.3.2 Deep Packet Inspection Firewall Configuration.......................................... 2-28
2.3.3 Setting the Restriction of Ports for DCOM ................................................. 2-46
2.4 Configuring Exaquantum for VPN Network Connections............................................. 2-47
Chapter 3 Specifying Your Configuration During Installation (Legacy Model)...............3-1
3.1 Installation Basics ............................................................................................................ 3-1
3.2 Adding Users to User Groups .......................................................................................... 3-3
3.2.1 Domain Authentication.................................................................................. 3-3
3.2.2 Workgroup Authentication ............................................................................ 3-3
3.3 Creating the Exaquantum Groups and Users Manually ................................................... 3-4
3.4 OPC Servers Set-up.......................................................................................................... 3-5
3.4.1 Using a global user account........................................................................... 3-5
3.4.2 Using a local user account ............................................................................. 3-5
Chapter 4 DCOM and Network Security in Exaquantum(Legacy Model) .......................4-1


Chapter 5 Network Diagnostic Tool ......................................................................................5-1


5.1 Overview ........................................................................................................................ 5-1
5.2 NetworkTest Utility ......................................................................................................... 5-2
5.3 Server Manager ................................................................................................................ 5-3
5.4 Test Detail ........................................................................................................................ 5-5
Chapter 6 IT Security..............................................................................................................6-1
6.1 Overview ........................................................................................................................ 6-1
6.1.1 Positioning of this Guide ............................................................................... 6-1
6.1.2 Introduction to IT Security ........................................................................... 6-1
6.1.3 Prerequisites to IT Security ........................................................................... 6-3
6.2 Security measures and security model ............................................................................. 6-4
6.2.1 Security measures .......................................................................................... 6-4
6.2.2 Security Models............................................................................................. 6-5
6.2.3 How to Use IT Security Setting Tool ............................................................ 6-6
6.2.4 Changing the Security Model ........................................................................ 6-9
6.2.5 Collaborating with Other Products .............................................................. 6-12
6.2.5.1 Exaopc ............................................................................................. 6-14
6.2.5.2 Exapilot............................................................................................ 6-16
6.2.5.3 Exaplog............................................................................................ 6-21
6.2.5.4 Exasmoc/Exarqe .............................................................................. 6-23
6.2.5.5 CENTUM VP (Integration Code: 0101-0801-02-03)...................... 6-24
6.2.5.6 CENTUM CS 3000 ......................................................................... 6-25
6.2.5.7 Other companies OPC server .......................................................... 6-25
6.2.5.8 Client setting for accessing to Exaquantum Open Interface
(OPC Server) ............................................................................................... 6-26
6.3 Operations ...................................................................................................................... 6-27
6.3.1 Windows Account Management ................................................................. 6-27
6.3.2 Related Programs......................................................................................... 6-32
6.3.3 Windows Shared folders.............................................................................. 6-32
Chapter 7 Time Synchronization ...........................................................................................7-1
7.1 Setting time synchronization............................................................................................ 7-1
7.1.1 Time synchronization in the Active Directory domain environment ............ 7-2
7.1.2 Time synchronization in the existing network .............................................. 7-2
7.1.3 Time synchronization in a new work group environment ............................. 7-3
7.1.4 Time synchronization tools storage directory................................................ 7-3
7.1.5 Installing “time synchronization” on an OPC gateway PC ........................... 7-4


7.1.6 Installing “time synchronization” on a Exaquantum server .......................... 7-4


7.2 Precautions when upgrading from R2.10.50 or older (changing the synchronization
method) ........................................................................................................................ 7-5
7.2.1 Disabling the current synchronization method .............................................. 7-5
7.2.2 Establishing a new synchronization method.................................................. 7-6
Appendix A. IT Security................................................................................................................. 1
Appendix A.1 External process of Exaquantum and working module list of
Communication ........................................................................................................App.A-1
Appendix A.2 Shared folder used with Exaquantum.....................................................App.A-2
Appendix A.3 Service list registered with Exaquantum ................................................App.A-2
Appendix A.4 Unsupported Main Windows Security Functions ..................................App.A-3
Appendix A.4.1 Windows Defender...............................................................App.A-3
Appendix A.4.2 EFS Function........................................................................App.A-3
Appendix A.4.3 BitLocker Function ..............................................................App.A-3
Appendix A.5 Underlying Security Threats ..................................................................App.A-4
Appendix A.5.1 DCOM..................................................................................App.A-4
Appendix A.5.2 Scope of Windows Firewall .................................................App.A-4
Appendix A.6 Workgroup Management and Domain Management .............................App.A-5
Appendix A.6.1 Workgroup Management......................................................App.A-5
Appendix A.6.2 Domain Management ...........................................................App.A-6
Appendix A.7 NetBIOS .................................................................................................App.A-7
Appendix A.8 Maximum Tolerance for Computer Clock Synchronization ..................App.A-8
Appendix A.9 Changing the Settings of DCOM .........................................................App.A-10
Appendix A.9.1 Setting Personal Firewall ...................................................App.A-10
Appendix A.9.2 Controlling the Dynamic Ports of RPC Port ......................App.A-10
Appendix A.10 Configuring All Settings of Windows Firewall ...................................App.A-13
Appendix A.11 Configuring All Windows Services .....................................................App.A-14
Appendix A.12 Starting the MMC Console ..................................................................App.A-17
Appendix A.13 IT Security Detail Information .............................................................App.A-19
Appendix A.13.1 Access control ....................................................................App.A-19
Appendix A.13.1.1 Access user group.........................................................App.A-19
Appendix A.13.1.2 Registry configuration and access rights......................App.A-23
Appendix A.13.1.3 DCOM Access authority for standard model model ....App.A-24
Appendix A.13.1.4 Local Security Access Permissions ..............................App.A-24
Appendix A.13.1.5 Access User Group Control..........................................App.A-25
Appendix A.13.2 Personal Firewall Tuning ...................................................App.A-26
Appendix A.13.3 Change in SQL server service account...............................App.A-29


Appendix A.13.4 Stopping of unnecessary Windows services (Strengthened Model target) .............................App.A-30
Appendix A.13.5 Changing IT Environment Settings....................................App.A-31
Appendix A.13.5.1 Restriction on AutoRun................................................App.A-32
Appendix A.13.5.2 Application of StorageDevicePolicies function ...........App.A-33
Appendix A.13.5.3 Hiding the Last Logon User Name...............................App.A-35
Appendix A.13.5.4 Disabling USB Storage Devices...................................App.A-35
Appendix A.13.6 Security of Web server (Standard or Strengthened model) .App.A-36
Appendix A.13.6.1 Installing Only the Necessary IIS Components............App.A-37
Appendix A.13.6.2 Enabling Only Necessary Web Service Extensions .....App.A-39
Appendix A.13.6.3 Configuring IIS Log .....................................................App.A-39
Appendix A.14 Installation on HIS ...............................................................................App.A-40
Appendix A.14.1 Installation Procedure.........................................................App.A-40
Appendix A.14.2 Settings after Installation in case of HIS type SSO............App.A-41
Appendix A.15 Security setting of Windows Server domain controller .......................App.A-43


Chapter 1 Introduction
The introduction of Windows 2008 allows a high degree of administrator control and
flexibility. The result of this is a more complex operating system and domain structure.
Because of this it is not possible to give detailed step-by-step guides to administrative
matters within this document. It is assumed that network administration will be performed
by a qualified engineer.

1.1 Document Purpose


This document is aimed primarily at getting you the correct network set-up for the security
principles that Exaquantum requires. It will provide an understanding of the issues to
consider from a network perspective, when deploying an Exaquantum system.

1.2 Intended Audience


The intended audience of this document is the customers’ IT or networking departments who
are familiar with the technology and terminology of network administration.

The Exaquantum Engineering Guide contains tasks that need to be completed by users
within your organization that have administrative privileges. The user(s) of this document
must also be familiar with the following topics:

• Windows Domain security (Users, Groups, Permissions etc.)

• DCOM Settings

• Configuring Networking components.

This documentation therefore assumes that the person carrying out the procedures has
knowledge and experience in the areas mentioned above. It also assumes that you have
already completed the relevant Exaquantum course(s).


1.3 General
This document is designed to give users guidelines for implementing Exaquantum in a new
or their existing network infrastructure. The configurations of Exaquantum and the networks
to which they belong can vary greatly.

The Engineering Guide summarizes what Yokogawa considers to be 'good or best practice' in
the operation of an Exaquantum system. It is not intended that the methods or procedures
detailed in this document represent the only approach to configuring, monitoring and using
an Exaquantum system; rather, the procedures described are proven, practical and effective.

This Engineering Guide has been divided into Volumes and Chapters that detail various
procedures and methods. Certain chapters may not be relevant to your Exaquantum system.

Volume 1: Administration

Volume 2: Network Configuration

Chapter 1: Introduction

Chapter 2: Exaquantum Network Administration

Chapter 3: Specifying Your Configuration During Installation (Legacy Model)

Chapter 4: DCOM and Network Security in Exaquantum(Legacy Model)

Chapter 5: Network Diagnostic Tool

Chapter 6: IT Security

Chapter 7: Time Synchronization

Volume 3: Support Tools

Volume 4: Web Authoring

Volume 5: PI Connection


1.4 Terms
The following terms are used in this manual and are defined according to their use within
Exaquantum.

Business Network

An intranet that does not include PCN.

CENTUM system

A system constructed with CENTUM DCS components.

Connections

There are two main types of connection required, and the settings for these are dependent on
the network configuration of the computers involved:

OPC Server to Exaquantum Server

The first connection is from the OPC Server to the Exaquantum server. This is required so
that requests for data can be passed from Exaquantum to the OPC servers and the actual data
passed from the OPC Servers to Exaquantum.

Exaquantum Server to Exaquantum Client

The second connection is between the Exaquantum server and its clients. This allows clients
to access data held on the Exaquantum server.

Critical data

Information assets that need to be protected, such as the project database, formulas and
operation logs in a CENTUM system.

DCOM

DCOM (Distributed Component Object Model) is the architecture that allows applications to
run on remote computers. The Exaquantum installation program uses DCOM settings to
enable this. The settings are made initially using QDCOMConfig.exe, shipped with
Exaquantum and run automatically during installation.

QDCOMConfig can be re-run at any time to change Exaquantum DCOM settings. For more
information on QDCOMConfig, see the Exaquantum Engineering Guide Volume 1 –
Administration (IM 36J04A15-01E).

Domain (Windows 2003 or Windows 2008)

A collection of computers that are able to share resources using common users and user
groups, administered by a central Domain Controller (DC). A Windows domain can be
running in Mixed or Native mode.


Domain Administration Rights

Privileges assigned to a user account that allow domain-wide administration tasks to be
performed. These tasks include the creation and maintenance of Global and Domain Local
User Groups and the creation of Global User Accounts. They also include the creation and
maintenance of Trust Relationships.

Domain Local Group

A Windows Security User Group that is only available in a Windows domain running in
Native mode. This group type allows central administration on a domain controller and can
have members from anywhere in the Windows Forest.

Domain Controller

A server that controls Windows domains.

dcomcnfg

The Microsoft Windows program that allows modification of DCOM settings for
applications. This works on two levels. Firstly a set of default settings exist which will be
applied to all applications. These can be overwritten by setting specific DCOM properties
for any or all applications. New applications acquire the default settings unless specific
properties are applied.

Note 1: Any changes made to DCOM settings will only take effect when the computer is
restarted.

Note 2: It is possible to change and customize the default settings.
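The two levels described above (machine-wide defaults, and per-application properties that override them) are both stored in the registry. The following read-only PowerShell audit is an added example, not part of this manual and not what QDCOMConfig does; it lists the machine-wide defaults under HKLM\SOFTWARE\Microsoft\Ole and the AppIDs under HKCR\AppID that carry their own launch, access, authentication or RunAs settings. The function names are the example's own. Running it on the Exaquantum server before and after QDCOMConfig records exactly which settings the installer changed.

```powershell
# Read-only audit of DCOM configuration at the two levels dcomcnfg works on.
# Added example; not part of the Exaquantum manual or of QDCOMConfig.

function ConvertTo-Sddl {
    param($Binary)
    # DCOM permission values are stored as binary security descriptors (REG_BINARY).
    if (-not $Binary) { return '(not set, default applies)' }
    $sd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor `
                     -ArgumentList $Binary, 0
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Get-DcomMachineDefaults {
    # Level 1: defaults applied to every application that sets nothing of its own.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
    New-Object PSObject -Property @{
        EnableDCOM                = $ole.EnableDCOM
        # 1=None 2=Connect 3=Call 4=Packet 5=Packet Integrity 6=Packet Privacy
        LegacyAuthenticationLevel = $ole.LegacyAuthenticationLevel
        LegacyImpersonationLevel  = $ole.LegacyImpersonationLevel
        DefaultAccessPermission   = ConvertTo-Sddl $ole.DefaultAccessPermission
        DefaultLaunchPermission   = ConvertTo-Sddl $ole.DefaultLaunchPermission
        MachineAccessRestriction  = ConvertTo-Sddl $ole.MachineAccessRestriction
        MachineLaunchRestriction  = ConvertTo-Sddl $ole.MachineLaunchRestriction
    }
}

function Get-DcomAppOverrides {
    # Level 2: applications whose AppID key overrides one or more defaults.
    if (-not (Test-Path 'HKCR:\')) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }
    $overridable = @('LaunchPermission', 'AccessPermission', 'AuthenticationLevel', 'RunAs')
    Get-ChildItem -Path 'HKCR:\AppID' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '{*}' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            $set = $overridable | Where-Object { $p.PSObject.Properties.Name -contains $_ }
            if ($set) {
                New-Object PSObject -Property @{
                    AppID               = $_.PSChildName
                    Name                = $p.'(default)'
                    RunAs               = $p.RunAs
                    AuthenticationLevel = $p.AuthenticationLevel
                    LaunchPermission    = ConvertTo-Sddl $p.LaunchPermission
                    AccessPermission    = ConvertTo-Sddl $p.AccessPermission
                }
            }
        }
}

Get-DcomMachineDefaults | Format-List
Get-DcomAppOverrides   | Format-Table AppID, Name, RunAs, AuthenticationLevel -AutoSize
```

The SDDL strings make the access and launch permissions comparable across machines and against the access user groups listed in Appendix A.13. An AppID that sets RunAs or its own AuthenticationLevel is one that the defaults no longer govern, which is where a later dcomcnfg change to the defaults would have no effect.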

EXA System

A system where Exaquantum runs.

Exaquantum System

An Exaquantum System is typically distributed across three types of computer. These are an
Exaquantum client, which obtains data from an Exaquantum server, which in turn receives
data from an OPC server. These computers will each belong to a domain or a workgroup,
though not necessarily the same one as the other computers.

Forest (Windows 2003 or Windows 2008)

A collection of Windows domains that are linked by virtue of a common schema. Transitive
trust relationships are normally added by default for all domains in the Forest.

Global Account

A user account that is created on a domain and so is available to all computers within that
domain or within other domains that have the correct Trust Relationships.


Global Group

A user group that is created on a domain and so is available to all computers within that
domain. Global Groups can only contain members (security principals) from within the
domain they are created in.

IT environment

A Windows environment where Exaquantum runs.

IT security

Security measures for the IT environment to defend and counter current and future security
threats such as cyber terrorism. A security profile defined by Yokogawa for their range of
EXA products providing a consistent configuration to defend these systems.

Kerberos Authentication

An authentication method based on cryptography. It is used to confirm the identities of the
server and the client on networks, including the Internet, where the communication path is
not secure. This is the default authentication method for Windows domains.

Local Account

A user account that is created locally on a computer and so is available only for use on that
particular computer.

Local Administration Rights

Privileges assigned to a user account that allow administration tasks to be performed on a
particular computer. These tasks include the creation and maintenance of Local User Groups
and the creation of Local User Accounts. They also include the ability to install software
and run Windows services such as the Exaquantum Service.

Local Group

A user group that is created locally on a computer (the Exaquantum Server in the case of
Exaquantum). Local Groups within a workgroup can only contain members (security
principals) from the same computer. Local Groups within a domain can contain members
from that domain and any others that have valid Trust Relationships.

Multi-server

The ability to have more than one Exaquantum Server in your system. Each Server must
contain identical user group information.

NIC

Abbreviation of Network Interface Card. This is an interface card that is used to network
terminals.


OPC

Abbreviation of OLE for Process Control. This is a standard interface that supports the
development of measurement and control systems using Microsoft COM/DCOM.

PCN

Abbreviation of Process Control Network. Network built for ICS (Industrial Control System)
such as the CENTUM system.

Personal Firewall or Personal F/W

Software Firewall that works on a terminal or a domain server.

Note: This is not limited to the Windows-standard firewall.

Program account

Windows account with a special privilege that enables Exaquantum-related programs to run.

QDCOMConfig

The Exaquantum tool that sets the specific DCOM settings required for Exaquantum. This
application runs silently during installation and can be re-run manually at any stage. For
more information on QDCOMConfig, see “Accessing The Domain Quantumuser Account”
in the Exaquantum Installation Guide (IM 36J04A13-01E).

Security Principal

A User Group, Computer or User Account, created either locally or globally.

Transitive Trust

Trust Relationships that allow pass-through authentication. This allows security principals
to be authenticated from remote domains. Transitive trust relationships are created by
default when Windows domains are added to a Windows Forest.

Trust Relationship

A method of communicating between two domains whereby a trusting domain allows access
to users of a trusted domain. These are set up using User Manager for Domains. A single
trust relationship requires configuration work on both domains.

User Account

A computer account that can be granted privileges to perform operations on a computer or
computers. Users can be local to a specific computer or global to all computers (domain
only).


User Group

As above, but this allows users to be grouped, which makes attributing privileges easier to
manage. Exaquantum generally attributes privileges by user groups, which are checked by
the Exaquantum Server during normal operation.

User Manager

The Windows program that allows local computer users and user groups to be created and
modified.

User Manager for Domains

This window is similar to the User Manager window but also allows:

• Domain-wide (global) groups and users to be created/modified

• Trust relationships to be created.

Windows Firewall or Win F/W

Windows pre-installed firewall.

Windows service

Program that runs in the background, independently of the logged in user.

Workgroup

A collection of computers that are able to share resources by using matching user accounts
added to each unit.


Chapter 2 Exaquantum Network Administration


2.1 General
It is intended that the customer should use this document to help provide a design
specification for the Exaquantum System Integrator before the system is commissioned.

This chapter defines the scope of supply for the customer and the System Integrator. The
customer needs to define his configuration requirements in simple tables, applying a physical
process type breakdown strategy that the customer will understand. The System Integrator
will expand the customer's (design specification) tables into the required Exaquantum system
configuration, applying a best-practice interpretation that the System Integrator will
understand best.

From R2.60 Yokogawa provides the option of installing Exaquantum in the ‘Standard IT
security model’ defined for other Yokogawa EXA products to provide a unified security
configuration. If this option is taken (described in Chapter 6 IT Security) then most
installation decisions are defined by the model. If the Legacy option is followed then many
more options are open to integrate the Exaquantum system with existing customer networks
and systems.

This chapter describes how the process of configuring Exaquantum can range from easy to
complex, depending on the degree of customization the customer wishes to apply. The
primary advantages of customization are to maximize useful history availability for a given
disk space size, and also to ensure the work performed by Exaquantum is restricted to that
which is genuinely useful, and has genuine business value.

ISA 99.00.01 defines a security zone as a logical or physical grouping of assets that share
common security requirements and the same security level.

By creating multiple zones, each satisfying different security requirements, a
defense-in-depth strategy can be realized.

Direct communication between Level 4 and Level 3 of the ISA 99.00.01 Reference Model is
not recommended in the Exaquantum system.

(For example: the Exaquantum server is at Level 3 and the Exaquantum client is at Level 4.)

It is recommended that an OPC server communicating with Exaquantum be separated into a
lower level by means of a firewall and a Layer 3 switch (L3SW), in order to realize the
defense-in-depth strategy.

Note:

The standard “ANSI/ISA-99.00.01-2007: Security for Industrial Automation and Control
Systems, Part 1: Terminology, Concepts, and Models” is referenced by this document.

Hereinafter, this standard is referred to as ISA 99.00.01.


2.2 Network Guidelines


Exaquantum is a client/server application that operates on Windows. Its default Legacy
model and Standard Workgroup model configurations are designed to work using Local Groups
created on the Exaquantum server, whereas the Standard Domain model makes use of Domain
groups. When upgrading a previous (Legacy) installation that has been configured to work in
a Windows domain environment, some post-installation configuration is required. Refer to
the Installation Guide for more information on these procedures.


2.2.1 Windows Domains

The domain configuration offers centralized security and administration of users and data,
which can be easier to maintain than the workgroup configuration described later. However,
whenever the system is reconfigured, administrator level access to the domain controller is
required to implement the changes. Where control of IT is centralized this can be a severe problem.

For Exaquantum to operate in a domain environment, an existing Windows domain must be
available in the customer's organization with at least one of the servers acting as a Domain
Controller (DC).

Exaquantum fits into the last category of these servers, ‘stand-alone servers’.

Note: Exaquantum is not supported to run on a Domain Controller.

2.2.2 Windows Workgroups

By default, Exaquantum Legacy model and Standard Workgroup model installations use
local groups that will function in a Windows workgroup environment.

The advantage of the Windows workgroup is that a separate domain controller is not
required. However, in a workgroup all the user accounts and passwords must be created on
each client and server and kept in step with one another; this is also true for Groups in a
Standard Workgroup model installation.

Note 1: When using Exaquantum with a workgroup, we recommend that the Password Age
is set to Never Expire.

2.2.3 Security Principles

The following network items (known as security principles) are required by an Exaquantum
System:

• User Groups

Windows Security groups that are used to control access to Exaquantum databases.
Exaquantum in the Legacy model has four User Groups (5 in the Standard and
Strengthened models) as standard and can use more if Role-based Namespace is used.

• User Accounts

Windows Log-in accounts used by users to access computers and therefore access
Exaquantum. These accounts are made members of the relevant user groups to control
access.

• Exaquantum Service account (defaults to Quantumuser for the Legacy model and
QTM_PROCESS for Standard and Strengthened models)

A special user account under which the Exaquantum processes run. This user account
must be available to all Exaquantum computers and OPC servers.


2.2.4 Name Resolution

If the end user does not use any common Windows name resolution method such as WINS
or DNS, it will be necessary to add an entry for the Exaquantum server to the ‘hosts’ and
‘lmhosts’ files on each client.

The location of the ‘hosts’ and ‘lmhosts’ files is:

%Windir%\system32\drivers\etc

If they have not already been used, the files will have a .sam extension. Remove this
extension before using the file.

To allow the addition of clients or change the IP Address of the Exaquantum server, the
‘hosts’ and ‘lmhosts’ files will need to be kept up to date. Failure to do so will make
connection to the Exaquantum server impossible.

Recommendations

If the end user has a Windows server on his network using WINS and DNS, allow the
Exaquantum server to use them. This will reduce administration work later.

If the end user requires a few Exaquantum clients, adding the hostname and IP Address of
the Exaquantum server in the local host files will be sufficient, provided they have static IP
addresses and do not use DHCP.

If the end user does not use WINS and DNS, do not add these services to the network for the
purpose of installing the Exaquantum server, use local host files instead.


2.2.5 Network Topology

Exaquantum is a network intensive application and works best on a 1000 Mbps or
100 Mbps network running at full duplex to the server. The choice of network speed
will largely depend on the existing end user topology.

To make the maximum bandwidth available it is recommended that the Exaquantum server
is connected to an Ethernet switch (the only way to obtain full duplex) rather than a hub.
This will provide the best performance for client workstations.

10/100/1000 BASE-T or 10BASE-2

Some organizations choose to add their Exaquantum server to the same network segment as
their Exaopc or HIS workstations, which typically run on their own segment. This is
sufficient; however, care should be taken not to break the segment or exceed the cable length
and/or the number of stations allowed on that segment.

This requires two Network Interface Cards in the Exaquantum server. The
Exaopc/HIS/EWS will typically be running in a workgroup configuration.

Restricting Exaopc Traffic on the LAN

Typically a user will not want to link their HIS/Exaopc/EWS LAN to their main site
Ethernet. To support communication with the Exaquantum server in this case, a second
Network Interface Card is required on the Exaquantum server.

Binding Order of Network Interface Cards

Two Network interface cards can be fitted to an Exaquantum Server, to allow the separation
of the OPC network, and the business layer network. When this is the case, in most
instances, it is recommended that the binding order of the cards is OPC network first.

Networking Protocols

Exaquantum will only operate with the TCP/IP network protocol.

It is possible to run TCP/IP alongside other protocols such as IPX/SPX or NetBEUI;
however, it is recommended that the TCP/IP protocol be given the highest priority in the
order of protocols on the Exaquantum server.

Routers and RAS Connections

Routers are an integral part of many of today’s networks and Exaquantum has been tested
and used in organizations where such configurations exist.

Through the use of RAS it is possible to access Exaquantum data through a conventional phone line.

For speed and performance we recommend that the Exaquantum server and its clients are in
the same subnet. If the Exaquantum clients reside in a different subnet, try to keep the
number of ‘hops’ to a minimum to maintain performance.


2.2.6 Firewalls

Firewalls are a common device to restrict traffic between networks. If there are any firewalls
between the Exaquantum server and its clients, the following should be noted:

Some Firewalls offer Network Address Translation (NAT) facilities. Exaquantum clients
will not be able to contact an Exaquantum server through the firewall if address translation is
used.

For more details about firewalls and DCOM see section 2.3 Firewall Configuration.

2.2.7 Server Operating System Configuration

The Exaquantum data server requires that the operating system be configured correctly.
There are some simple steps that can be taken to ensure that Exaquantum performance is
optimised. This configuration is recommended for a standard Exaquantum installation,
although there may be reasons why particular services need to run on a specific installation.
The following guide details some of these steps:

Remove Unwanted Services

Services such as DHCP server, WINS Server and DNS Server should not be running on the
Exaquantum server.

NETBEUI Protocol

This is not required by Exaquantum and should ideally be removed. If it has to be installed,
then it must have a lower priority than the TCP/IP protocol that is used by Exaquantum.

Network Monitor

Disable the network monitor from the network cards unless specifically monitoring network
traffic, as this can impede performance.

IP Address

We recommend that the Exaquantum server is issued with a static IP address rather than
having one assigned from the DHCP server.

Virus Checkers

If virus checkers are used on the Exaquantum server, then the checking of the database files
should be disabled, as this will affect performance.

Other Software

The Exaquantum Server should only be used to run Exaquantum. Other software can affect
the performance.


2.3 Firewall Configuration


2.3.1 Firewall Configuration

This section contains information on how to configure a firewall. The communications links
between components of an Exaquantum based system are shown. Any or all of these may
pass through firewalls.


Figure 2-1 Links between Exaquantum components

The links are numbered and will be described in detail below.

DCOM traffic cannot traverse Network Address Translation (NAT) firewalls except via a
VPN tunnel; hence neither NAT nor Static NAT should be configured on any of links 1-3, 5 or 8.

Some, more sophisticated, firewalls perform deep packet inspection of DCOM traffic and
may restrict access by Program ID/GUIDs; most are limited to restricting traffic at a Port and
IP Address level.

Each detail section describing a link includes the:

• TCP port numbers and the start and end points of the required communications.
• DCOM port count

NB an Exaquantum Server may be a client to another Exaquantum Server in an RBNS
configuration.

From this information the required Firewall configurations may be derived for standard
configurations. Project specific communication requirements resulting from bespoke code or
additional applications are not covered in this document. A series of sample configurations
follow with worked Firewall configurations.

Assumptions

The clients may be secured using the Windows Firewall.

The DCOM port range used by a Windows system may be restricted from the default 1024-
65535. It should be noted that this restriction applies to ALL DCOM use on that system, not
just Exaquantum but any other DCOM applications as well. For this reason it is not
recommended to limit the DCOM port range on Client PCs but only on Server systems. To
facilitate decisions on this, each link’s detail section includes the number of concurrent
DCOM processes required to support the link at each end.

NB. 2 DCOM ports are used by Windows processes, so the counts below must be summed
and 2 added to find the minimum size of port range to use on the systems.

Link 1 Exaquantum Server to Exaquantum Explorer client/Administration Tools Client

This link is split into two components that may be installed together or separately.

• Exaquantum Explorer, Excel Add in and API access
• Exaquantum Administration Tool

These will be dealt with in turn:


Exaquantum Explorer, Excel Add in and API access

Table 2-1 IP address and TCP Port filters Link 1

From | From Port | To | To Port | Description
Explorer Client | */TCP | Exaquantum Server | 135/TCP | RPC (DCOM) Listener
Explorer Client | */TCP | Exaquantum Server | 1433/TCP | SQL Server communication
Explorer Client | */TCP | Exaquantum Server | 1024-65535/TCP | DCOM dynamically allocated ports. This range may be restricted on the server
Exaquantum Server | */TCP | Explorer Client | 135/TCP | RPC (DCOM) Listener
Exaquantum Server | 1433/TCP | Explorer Client | */TCP | SQL Server communication
Exaquantum Server | */TCP | Explorer Client | 1024-65535/TCP | DCOM dynamically allocated ports

Total DCOM Ports on the Exaquantum Server = 5:

• Quantum.exe
• ExaQuantumExecutive.exe
• QRBNSServerBrowse.exe
• QNameSpaceBrowser.exe
• QHistorian.exe


Exaquantum Administrator Tools

Table 2-2 IP address and TCP Port filters Link 1a

From | From Port | To | To Port | Description
Admin Client | */TCP | Exaquantum Server | 135/TCP | RPC (DCOM) Listener
Admin Client | */TCP | Exaquantum Server | 1433/TCP | SQL Server communication
Admin Client | */TCP | Exaquantum Server | 1024-65535/TCP | DCOM dynamically allocated ports. This range may be restricted on the server
Exaquantum Server | */TCP | Admin Client | 135/TCP | RPC (DCOM) Listener
Exaquantum Server | 1433/TCP | Admin Client | */TCP | SQL Server communication
Exaquantum Server | */TCP | Admin Client | 1024-65535/TCP | DCOM dynamically allocated ports

Total DCOM Ports on the Exaquantum Server = 3 in addition to the Exaquantum Explorer
client:

• QBuilder.exe
• QAnalyse.exe
• QBFRetriever.exe


Link 2 Exaquantum Server to OPC server

The restrictions of DCOM port ranges may be applied on both the Exaquantum Server and
the OPC server(s); there is no need for these ranges to be the same size.

Table 2-3 IP address and TCP port filters Link 2

From | From Port | To | To Port | Description
Exaquantum Server | */TCP | OPC Server | 135/TCP | RPC (DCOM) Listener
Exaquantum Server | */TCP | OPC Server | 1024-65535/TCP | DCOM dynamically allocated ports. This range may be restricted on the OPC server
Exaquantum Server | ICMP | OPC Server | – | Allows ping to check for a functioning OPC server prior to equalization
OPC Server | */TCP | Exaquantum Server | 135/TCP | RPC (DCOM) Listener
OPC Server | */TCP | Exaquantum Server | 1024-65535/TCP | DCOM dynamically allocated ports. This range may be restricted on the OPC server
OPC Server | ICMP | Exaquantum Server | – | Allows ping to check for a functioning OPC server prior to equalization

Total DCOM Ports on the Exaquantum Server = 5

• QOPCDAMgr.exe
• QOPCAEPump.exe
• QOPCPropertyAccess.exe
• QFBRetriever.exe
• QZOPCAECatchup.exe


Link 3 Exaquantum Server to Exaquantum Web Server

Table 2-4 IP address and TCP port filters Link 3

From | From Port | To | To Port | Description
Exaquantum Web Server | */TCP | Exaquantum Server | 135/TCP | RPC (DCOM) Listener
Exaquantum Web Server | */TCP | Exaquantum Server | 1433/TCP | SQL Server communication
Exaquantum Web Server | */TCP | Exaquantum Server | 1024-65535/TCP | DCOM dynamically allocated ports. This range may be restricted on the Exaquantum Server
Exaquantum Server | */TCP | Exaquantum Web Server | 135/TCP | RPC (DCOM) Listener
Exaquantum Server | 1433/TCP | Exaquantum Web Server | */TCP | SQL Server communication
Exaquantum Server | */TCP | Exaquantum Web Server | 1024-65535/TCP | DCOM dynamically allocated ports. This range may be restricted on the Web Server

Total DCOM Ports on the Exaquantum Server = 5 (none in addition to the Exaquantum
Explorer client).

• Quantum.exe
• ExaQuantumExecutive.exe
• QRBNSServerBrowse.exe
• QNameSpaceBrowser.exe
• QHistorian.exe

Total DCOM Ports on the Exaquantum Web Server = 2.

• Quantum.exe
• W3pw.exe


Link 4 Exaquantum Web server to Web Client

Table 2-5 IP address and TCP port filters Link 4

From | From Port | To | To Port | Description
Exaquantum Web Client | */TCP | Exaquantum Web Server | 80/TCP | HTTP
Exaquantum Web Server | 80/TCP | Exaquantum Web Client | */TCP | HTTP

NB. If the web site is set up to respond on a port other than 80 then amend Table 2-5 IP
address and TCP port filters Link 4 accordingly.

No DCOM on this link. However, if the full Exaquantum Explorer thick client was installed
and access to the Exaquantum server is possible, then the ports defined for link 1 are
required between the Client and the Exaquantum Server, as Quantum.exe will connect to the
Exaquantum Server, not to the Exaquantum Web Server web service, for data.

Link 5 WTS server to Exaquantum Server

This is identical to link 1, Exaquantum Server to Exaquantum Explorer client/Administration
Tools Client.

Link 6 Exaquantum WTS Server to WTS Client

Table 2-6 IP address and TCP port filters Link 5

From | From Port | To | To Port | Description
Exaquantum WTS Client | */TCP | Exaquantum WTS Server | 3389/TCP | WTS protocol
Exaquantum WTS Server | 3389/TCP | Exaquantum WTS Client | */TCP | WTS protocol

NB. If the Terminal Server is set up to respond on a port other than 3389 then amend the
above.

No DCOM traffic on this link.


Link 7 Any to Windows Domain Controller

Table 2-7 IP address and TCP port filters Link 7

From | From Port | To | To Port | Description
Member system | */TCP | DC | 389/TCP | Lightweight Directory Access Protocol (LDAP)
Member system | */TCP | DC | 636/TCP | LDAP Secure Sockets Layer (LDAP SSL)
Member system | */TCP | DC | 3268/TCP | LDAP Global Catalogue
Member system | */TCP | DC | 3269/TCP | LDAP Global Catalogue Secure Sockets Layer
Member system | */TCP & UDP | DC | 53/TCP & UDP | Domain Name Service (DNS)
Member system | */TCP & UDP | DC | 88/TCP & UDP | Kerberos
Member system | */TCP | DC | 445/TCP | SMB protocol
Member system | 123/UDP | DC | 123/UDP | Simple Network Time Protocol (SNTP)
DC | 389/TCP | Member system | */TCP | Lightweight Directory Access Protocol (LDAP)
DC | 636/TCP | Member system | */TCP | LDAP Secure Sockets Layer (LDAP SSL)
DC | 3268/TCP | Member system | */TCP | LDAP Global Catalogue
DC | 3269/TCP | Member system | */TCP | LDAP Global Catalogue Secure Sockets Layer
DC | 53/TCP & UDP | Member system | */TCP & UDP | Domain Name Service (DNS)
DC | 88/TCP & UDP | Member system | */TCP & UDP | Kerberos
DC | 445/TCP | Member system | */TCP | SMB protocol
DC | 123/UDP | Member system | 123/UDP | Simple Network Time Protocol (SNTP)

No DCOM traffic on this link.

Link 8 Exaquantum Server to OPC Client

Exaquantum may act as an OPC DA & HDA Server to transfer data to a higher level PI
historian via an intermediate Interface server. The PI OPC DA and HDA Interface processes
run on the PI Interface server together with some Yokogawa software.

The restrictions of DCOM port ranges may be applied on both the Exaquantum Server and
the PI Interface Server; there is no need for these ranges to be the same size.

Table 2-8 IP address and TCP port filters Link 8

From | From Port | To | To Port | Description
Exaquantum Server | */TCP | PI Interface Server | 135/TCP | RPC (DCOM) Listener
Exaquantum Server | */TCP | PI Interface Server | 1024-65535/TCP | DCOM dynamically allocated ports
PI Interface Server | */TCP | Exaquantum Server | 135/TCP | RPC (DCOM) Listener
PI Interface Server | */TCP | Exaquantum Server | 1024-65535/TCP | DCOM dynamically allocated ports. This range may be restricted on the Exaquantum server

Total DCOM Ports on the Exaquantum Server = 3

• ZOPDA.exe
• QOPCHDAServer.exe
• QOPCHAEServer.exe


Link 9 Exaquantum server to DNS server

This is included for completeness in a Windows Workgroup environment where a DNS
server may be used to allow the Exaquantum Server to resolve the IP addresses of the clients
etc.

Table 2-9 IP address and TCP port filters Link 9

From | From Port | To | To Port | Description
Exaquantum Server | */TCP & UDP | DNS | 53/TCP & UDP | Domain Name Service (DNS)
DNS | 53/TCP & UDP | Exaquantum Server | */TCP & UDP | Domain Name Service (DNS)

Link 10 Exaquantum Server to PI Interface Server

Exaquantum may act as an OPC DA & HDA Server; the ProgIDs/GUIDs at the client end
will depend on the client.

The restrictions of DCOM port ranges may be applied on both the Exaquantum Server and
the OPC client(s); there is no need for these ranges to be the same size.

Table 2-10 IP address and TCP port filters Link 10

From | From Port | To | To Port | Description
Exaquantum Server | */TCP | OPC Client | 135/TCP | RPC (DCOM) Listener
Exaquantum Server | */TCP | OPC Client | 1024-65535/TCP | DCOM dynamically allocated ports
OPC Client | */TCP | Exaquantum Server | 135/TCP | RPC (DCOM) Listener
OPC Client | */TCP | Exaquantum Server | 1024-65535/TCP | DCOM dynamically allocated ports. This range may be restricted on the Exaquantum server
PI Interface Server | */TCP | Exaquantum Server | 1433/TCP | SQL Server communication
Exaquantum Server | 1433/TCP | PI Interface Server | */TCP | SQL Server communication

Total DCOM Ports on the Exaquantum Server = 3

• ZOPDA.exe
• QOPCHDAServer.exe
• QOPCHAEServer.exe

Link 11 PI Server to PI OPC Interface Server

The PI OPC Interface PC must transfer the data collected to the PI server.

Table 2-11 IP address and TCP port filters Link 11

From | From Port | To | To Port | Description
PI OPC Interface Server | */TCP | PI Server | 5450/TCP | PI Server communication
PI Server | 5450/TCP | PI OPC Interface Server | */TCP | PI Server communication

Note: The To Port number 5040 on the PI Server is the default value. If the PI system setting
has been changed from the default, the port number must be set accordingly.

Link 12 Exaquantum Server to Exaquantum Server (RBNS)

Exaquantum server to server link for RBNS

Table 2-12 IP address and TCP port filters Link 12

From | From Port | To | To Port | Description
Exaquantum Server 1 | */TCP | Exaquantum Server 2 | 135/TCP | RPC (DCOM) Listener
Exaquantum Server 1 | */TCP | Exaquantum Server 2 | 1024-65535/TCP | DCOM dynamically allocated ports
Exaquantum Server 2 | */TCP | Exaquantum Server 1 | 135/TCP | RPC (DCOM) Listener
Exaquantum Server 2 | */TCP | Exaquantum Server 1 | 1024-65535/TCP | DCOM dynamically allocated ports

Total DCOM Ports on the Exaquantum Servers = 2

• QRBNSServerBrowse.exe
• QNamespaceBrowser.exe

Link 13 Exaquantum Client to Exaquantum Server (RBNS)

Exaquantum client to Exaquantum server for remote RBNS data access

Table 2-13 IP address and TCP port filters Link 13

From | From Port | To | To Port | Description
Explorer Client | */TCP | Exaquantum Server | 135/TCP | RPC (DCOM) Listener
Explorer Client | */TCP | Exaquantum Server | 1433/TCP | SQL Server communication
Explorer Client | */TCP | Exaquantum Server | 1024-65535/TCP | DCOM dynamically allocated ports. This range may be restricted on the server
Exaquantum Server | */TCP | Explorer Client | 135/TCP | RPC (DCOM) Listener
Exaquantum Server | 1433/TCP | Explorer Client | */TCP | SQL Server communication
Exaquantum Server | */TCP | Explorer Client | 1024-65535/TCP | DCOM dynamically allocated ports

Total DCOM Ports on the Exaquantum Server = 4:

• Quantum.exe
• ExaQuantumExecutive.exe
• QRBNSServerBrowse.exe
• QHistorian.exe


Microsoft Message Queue

If this function is being used, the ports identified in Table 2-14 IP address and TCP port
filters MSMQ are used. NB this does not use DCOM but does use RPC and port 135 to
allow a client to identify the port(s) that mqsvc.exe is listening on. The machine to machine
links that require access on these ports will depend on the MSMQ configuration and may be
all within a single Exaquantum server or separated over multiple Windows servers and
administrative clients. See http://support.microsoft.com/?id=178517 for details.

Table 2-14 IP address and TCP port filters MSMQ

From | From Port | To | To Port | Description
Event Source | */TCP | MSMQ Queue Manager | 135/TCP | RPC (DCOM) Listener
MSMQ Queue Manager | */TCP | MSMQ Queue Manager | 1801/TCP | Message traffic and internal session management traffic
Any MSMQ PC | */TCP | MSMQ Queue Server | 2101/TCP (this could alternatively be 2112/TCP if 2101 is already taken) | RPC-based MQIS and Active Directory lookups
Any MSMQ PC | */TCP | MSMQ Queue Server or independent Client | 2103/TCP or 2105/TCP (these could alternatively be 2114 and 2116/TCP if the above are already taken) | Remote reads of Queues (the actual port to connect to is obtained from port 135 above)
Any MSMQ PC | */TCP | MSMQ Queue Manager | 389/TCP | LDAP lookups
Any MSMQ PC | */UDP | Any MSMQ PC | 3527/UDP | MSMQ Ping


Example Network Topologies

Sections Exaquantum in DMZ (De-Militarized Zone) and Exaquantum, WTS server and
Web server in DMZ illustrate the use of the information in previous sections to define actual
firewall configurations for two typical network topologies.

Exaquantum in DMZ (De-Militarized Zone)

The DMZ is illustrated as having two, separate, firewalls though it could be configured with
a single device with three network connections.

[Figure not reproduced. It shows the Exaquantum Explorer & Admin Client, the Domain
Controller and the OPC Client on the business network, connected through Firewall A (links
1, 7 and 8) to the Exaquantum Server in the DMZ; Firewall B separates the DMZ from the
OPC Server (workgroup) over link 2.]

Figure 2-2 Exaquantum in DMZ


From the sections beginning with Link 1 Exaquantum Server to Exaquantum Explorer
client/Administration Tools Client, the following configuration requirements may be
derived:

Firewall A

Links of Type 1, 7 and 8, leading to the following port mapping (initially assuming no
restriction on the DCOM port mapping).

Table 2-15 IP address and TCP port filters Exaquantum in DMZ A

From | From Port | To | To Port | Description
Explorer Clients | */TCP | Exaquantum Server | 135/TCP | RPC (DCOM) Listener
Explorer Clients | */TCP | Exaquantum Server | 1433/TCP | SQL Server communication
Explorer Clients | */TCP | Exaquantum Server | 1024-65535/TCP | DCOM dynamically allocated ports. This range may be restricted on the server
Exaquantum Server | */TCP | Explorer Clients | 135/TCP | RPC (DCOM) Listener
Exaquantum Server | 1433/TCP | Explorer Clients | */TCP | SQL Server communication
Exaquantum Server | */TCP | Explorer Clients | 1024-65535/TCP | DCOM dynamically allocated ports
Admin Clients | */TCP | Exaquantum Server | 135/TCP | RPC (DCOM) Listener
Admin Clients | */TCP | Exaquantum Server | 1433/TCP | SQL Server communication
Admin Clients | */TCP | Exaquantum Server | 1024-65535/TCP | DCOM dynamically allocated ports. This range may be restricted on the server
Exaquantum Server | */TCP | Admin Clients | 135/TCP | RPC (DCOM) Listener
Exaquantum Server | 1433/TCP | Admin Clients | */TCP | SQL Server communication
Exaquantum Server | */TCP | Admin Clients | 1024-65535/TCP | DCOM dynamically allocated ports
Exaquantum Server | */TCP | OPC Client | 135/TCP | RPC (DCOM) Listener
Exaquantum Server | */TCP | OPC Client | 1024-65535/TCP | DCOM dynamically allocated ports
OPC Client | */TCP | Exaquantum Server | 135/TCP | RPC (DCOM) Listener
OPC Client | */TCP | Exaquantum Server | 1024-65535/TCP | DCOM dynamically allocated ports. This range may be restricted on the Exaquantum server
Exaquantum Server | */TCP | DC | 389/TCP | Lightweight Directory Access Protocol (LDAP)
Exaquantum Server | */TCP | DC | 636/TCP | LDAP Secure Sockets Layer (LDAP SSL)
Exaquantum Server | */TCP | DC | 3268/TCP | LDAP Global Catalogue
Exaquantum Server | */TCP | DC | 3269/TCP | LDAP Global Catalogue Secure Sockets Layer
Exaquantum Server | */TCP & UDP | DC | 53/TCP & UDP | Domain Name Service (DNS)
Exaquantum Server | */TCP & UDP | DC | 88/TCP & UDP | Kerberos
Exaquantum Server | */TCP | DC | 445/TCP | SMB protocol
Exaquantum Server | 123/UDP | DC | 123/UDP | Simple Network Time Protocol (SNTP)
DC | 389/TCP | Exaquantum Server | */TCP | Lightweight Directory Access Protocol (LDAP)
DC | 636/TCP | Exaquantum Server | */TCP | LDAP Secure Sockets Layer (LDAP SSL)
DC | 3268/TCP | Exaquantum Server | */TCP | LDAP Global Catalogue
DC | 3269/TCP | Exaquantum Server | */TCP | LDAP Global Catalogue Secure Sockets Layer
DC | 53/TCP & UDP | Exaquantum Server | */TCP & UDP | Domain Name Service (DNS)
DC | 88/TCP & UDP | Exaquantum Server | */TCP & UDP | Kerberos
DC | 445/TCP | Exaquantum Server | */TCP | SMB protocol
DC | 123/UDP | Exaquantum Server | 123/UDP | Simple Network Time Protocol (SNTP)

Firewall B

Link of type 2 (initially assuming no restriction on the DCOM port mapping).

Table 2-16 IP address and TCP port filters Exaquantum in DMZ B

From | From Port | To | To Port | Description
Exaquantum Server | */TCP | OPC Server | 135/TCP | RPC (DCOM) Listener
Exaquantum Server | */TCP | OPC Server | 1024-65535/TCP | DCOM dynamically allocated ports. This range may be restricted on the OPC server
OPC Server | */TCP | Exaquantum Server | 135/TCP | RPC (DCOM) Listener
OPC Server | */TCP | Exaquantum Server | 1024-65535/TCP | DCOM dynamically allocated ports. This range may be restricted on the Exaquantum server

If HISs are to be used as Exaquantum clients, the configuration of Firewall B will need to be
extended to include link type 1 ports, and it may be considered worthwhile to restrict the
DCOM port range on the HISs to 9 plus any other ports required for non-Exaquantum links
in use.


DCOM Port restrictions

To reduce the scope of the ‘holes’ in the firewalls, the DCOM ranges on the Exaquantum
and OPC servers may be restricted.

Table 2-17 DCOM Port Count

Exaquantum Server

Source and Link number | Count | Comments
– | 2 | Windows Processes
Link 1 | 5 | Data access Client
Link 1 | 3 | Administration Client
Link 2 | 5 | OPC link
Link 8 | 2 | OPC Client
Total | 17 |

OPC Server

Dependent on the OPC server – 3 for Exaopc CS3000 cassette with HDA.
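The per-link port tables and the DCOM port-count arithmetic of Table 2-17 can be derived mechanically. The following Python script is an added example (not Yokogawa's code): it encodes links 1, 1a, 2, 7 and 8 from section 2.3.1, builds the Firewall A rule set for the Exaquantum in DMZ topology, computes the Exaquantum Server's DCOM port budget (per-link process counts summed plus 2 for Windows) and narrows the dynamic range on the server side only; the starting port 5000 of the restricted range is an assumed value.

```python
"""Derive firewall rules and the DCOM port budget for Exaquantum links.

Added example, not Yokogawa code. Endpoints, ports and process counts are
transcribed from the per-link tables in section 2.3.1 and Table 2-17;
the starting port of the restricted range is a constructed value.
"""
from typing import Callable, Dict, List, Tuple

# (from, from port, to, to port, description): one row of a port-filter table
Rule = Tuple[str, str, str, str, str]

DCOM_DYN = "1024-65535/TCP"      # default DCOM dynamic range on Windows
WINDOWS_DCOM_OVERHEAD = 2        # ports Windows' own processes use (NB in 2.3.1)


def dcom_pair(a: str, b: str) -> List[Rule]:
    """DCOM traffic is two-way: each side must reach the other's RPC listener
    (135/TCP) and dynamic range, because the server calls back into the client."""
    rules: List[Rule] = []
    for src, dst in ((a, b), (b, a)):
        rules.append((src, "*/TCP", dst, "135/TCP", "RPC (DCOM) Listener"))
        rules.append((src, "*/TCP", dst, DCOM_DYN, "DCOM dynamically allocated ports"))
    return rules


def sql_pair(client: str, server: str) -> List[Rule]:
    """SQL Server is plain client/server: requests to 1433, replies from 1433."""
    return [(client, "*/TCP", server, "1433/TCP", "SQL Server communication"),
            (server, "1433/TCP", client, "*/TCP", "SQL Server communication")]


def icmp_pair(a: str, b: str) -> List[Rule]:
    """Link 2 also allows ping so a functioning OPC server can be checked."""
    return [(a, "ICMP", b, "ICMP", "ping check before equalization"),
            (b, "ICMP", a, "ICMP", "ping check before equalization")]


# Link 7: member system <-> Domain Controller (Table 2-7), service ports only.
DC_SERVICES = [("389/TCP", "LDAP"), ("636/TCP", "LDAP SSL"),
               ("3268/TCP", "LDAP Global Catalogue"),
               ("3269/TCP", "LDAP Global Catalogue SSL"),
               ("53/TCP & UDP", "DNS"), ("88/TCP & UDP", "Kerberos"),
               ("445/TCP", "SMB protocol"), ("123/UDP", "SNTP")]


def domain_rules(member: str, dc: str = "DC") -> List[Rule]:
    rules: List[Rule] = []
    for port, desc in DC_SERVICES:
        # SNTP uses 123/UDP at both ends; everything else is ephemeral -> service port
        peer_port = port if port == "123/UDP" else "*/" + port.split("/", 1)[1]
        rules.append((member, peer_port, dc, port, desc))
        rules.append((dc, port, member, peer_port, desc))
    return rules


EXA = "Exaquantum Server"
# Link type -> (rule builder, DCOM processes it consumes on the Exaquantum Server).
# Counts follow Table 2-17 (note: the Link 8 section itself lists three processes).
LINKS: Dict[str, Tuple[Callable[[], List[Rule]], int]] = {
    "1":  (lambda: dcom_pair("Explorer Client", EXA) + sql_pair("Explorer Client", EXA), 5),
    "1a": (lambda: dcom_pair("Admin Client", EXA) + sql_pair("Admin Client", EXA), 3),
    "2":  (lambda: dcom_pair(EXA, "OPC Server") + icmp_pair(EXA, "OPC Server"), 5),
    "7":  (lambda: domain_rules(EXA), 0),
    "8":  (lambda: dcom_pair(EXA, "PI Interface Server"), 2),
}


def firewall_rules(link_types: List[str]) -> List[Rule]:
    """Port-filter rows for a firewall carrying the given link types, e.g.
    Firewall A in 'Exaquantum in DMZ' carries links 1, 1a, 7 and 8."""
    rules: List[Rule] = []
    for lt in link_types:
        rules.extend(LINKS[lt][0]())
    return rules


def dcom_port_count(link_types: List[str]) -> int:
    """Smallest DCOM port range the Exaquantum Server needs: per-link process
    counts summed, plus 2 for Windows. Links that stay inside the DMZ still
    count, since they draw from the same pool (the NB under Table 2-20)."""
    return sum(LINKS[lt][1] for lt in set(link_types)) + WINDOWS_DCOM_OVERHEAD


def restricted_range(count: int, first_port: int = 5000) -> str:
    """Contiguous range of 'count' ports; 5000 is a constructed starting point."""
    return f"{first_port}-{first_port + count - 1}/TCP"


def narrow(rules: List[Rule], host: str, port_range: str) -> List[Rule]:
    """Swap the open dynamic range for the restricted one only where 'host' is
    the DCOM target: the guide restricts server ranges, never client PCs."""
    return [(s, sp, d, port_range if (d == host and dp == DCOM_DYN) else dp, desc)
            for (s, sp, d, dp, desc) in rules]


if __name__ == "__main__":
    dmz_links = ["1", "1a", "7", "8"]            # Firewall A, Figure 2-2
    budget = dcom_port_count(dmz_links + ["2"])  # link 2 (Firewall B) shares the pool
    rng = restricted_range(budget)
    for row in narrow(firewall_rules(dmz_links), EXA, rng):
        print(" | ".join(row))
    print(f"Exaquantum Server DCOM budget: {budget} ports -> {rng}")
```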

Exaquantum, WTS server and Web server in DMZ

[Figure not reproduced. It shows the WTS Client, Web Client and Domain Controller outside
Firewall A (links 6, 4 and 7); the DMZ contains the Exaquantum Web Server, the WTS Server
and the Exaquantum Server (links 3 and 5 within the DMZ); Firewall B separates the DMZ
from the OPC Server over link 2.]

Figure 2-3 Exaquantum, WTS server and Web in DMZ


Firewall A

Links of type 4, 6 & 7 leading to the following port mapping (initially assuming no
restriction on the DCOM port mapping).

Table 2-18 IP address and TCP port filters Exaquantum and web in DMZ A

From | From Port | To | To Port | Description
Exaquantum Web Client | */TCP | Exaquantum Web Server | 80/TCP | HTTP
Exaquantum Web Server | 80/TCP | Exaquantum Web Client | */TCP | HTTP
Exaquantum WTS Client | */TCP | Exaquantum WTS Server | 3389/TCP | WTS protocol
Exaquantum WTS Server | 3389/TCP | Exaquantum WTS Client | */TCP | WTS protocol
Member system | */TCP | DC | 389/TCP | Lightweight Directory Access Protocol (LDAP)
Member system | */TCP | DC | 636/TCP | LDAP Secure Sockets Layer (LDAP SSL)
Member system | */TCP | DC | 3268/TCP | LDAP Global Catalogue
Member system | */TCP | DC | 3269/TCP | LDAP Global Catalogue Secure Sockets Layer
Member system | */TCP & UDP | DC | 53/TCP & UDP | Domain Name Service (DNS)
Member system | */TCP & UDP | DC | 88/TCP & UDP | Kerberos
Member system | */TCP | DC | 445/TCP | SMB protocol
Member system | 123/UDP | DC | 123/UDP | Simple Network Time Protocol (SNTP)
DC | 389/TCP | Member system | */TCP | Lightweight Directory Access Protocol (LDAP)
DC | 636/TCP | Member system | */TCP | LDAP Secure Sockets Layer (LDAP SSL)
DC | 3268/TCP | Member system | */TCP | LDAP Global Catalogue
DC | 3269/TCP | Member system | */TCP | LDAP Global Catalogue Secure Sockets Layer
DC | 53/TCP & UDP | Member system | */TCP & UDP | Domain Name Service (DNS)
DC | 88/TCP & UDP | Member system | */TCP & UDP | Kerberos
DC | 445/TCP | Member system | */TCP | SMB protocol
DC | 123/UDP | Member system | 123/UDP | Simple Network Time Protocol (SNTP)

Firewall B

Link of type 2 (initially assuming no restriction on the DCOM port mapping).

Table 2-19 IP address and TCP port filters Exaquantum and web in DMZ B

From              | From Port | To                | To Port        | Description
Exaquantum Server | */TCP     | OPC Server        | 135/TCP        | RPC (DCOM) Listener
Exaquantum Server | */TCP     | OPC Server        | 1024-65535/TCP | DCOM dynamically allocated ports. This range may be restricted on the OPC server
OPC Server        | */TCP     | Exaquantum Server | 135/TCP        | RPC (DCOM) Listener
OPC Server        | */TCP     | Exaquantum Server | 1024-65535/TCP | DCOM dynamically allocated ports. This range may be restricted on the Exaquantum server


DCOM Port restrictions

To reduce the size of the ‘holes’ in the firewalls, the DCOM port ranges on the Exaquantum and
OPC servers may be restricted (see 2.3.3 Setting the Restriction of Ports for DCOM). Table 2-20
gives the number of DCOM ports each server needs.

Table 2-20 DCOM Port Count

Exaquantum Server

Source and Link number | Count | Comments
                       | 2     | Windows Processes
Link 3 & 5             | 5     | Data access via Web server
Link 5                 | 3     | Administration Client via WTS server
Link 2                 | 5     | OPC link
Total                  | 15    |

NB: Links 3 and 5 count even though they do not go through a firewall, as they come out of
the DCOM port pool.

OPC server

Dependent on the OPC server – 3 for Exaopc CS300 cassette with HDA.
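The port counts above are a budget; what a server actually has open is what the firewall rules end up admitting. The following script is an added example and not part of the Yokogawa guide: run on an Exaquantum server, it lists the TCP listeners, marks those covered by Tables 2-19, 2-20 and 2-28 (port 135, port 1433 and the restricted DCOM range) and reports anything else, so that the ‘holes’ in Firewalls A and B are opened only for ports that are genuinely in use. The DCOM range it checks against is an assumption; substitute the range configured in section 2.3.3.

```powershell
# Added example (not from the Yokogawa guide): audit the TCP listeners on an
# Exaquantum server against the ports the guide documents, so the firewall
# "holes" of Tables 2-18 and 2-19 are kept to what is actually in use.
# The DCOM range is an assumption: use the range set in section 2.3.3.
param(
    [int]$DcomRangeStart = 5000,   # assumed, the 2.3.3 example range
    [int]$DcomRangeEnd   = 5010
)

$fixedPorts = 135, 1433   # RPC endpoint mapper (Table 2-19) and SQL Server (Table 2-28)

# netstat -ano lists owning PIDs; Get-Process turns them into names. The regex
# keeps only IPv4 TCP listeners, e.g. "TCP  0.0.0.0:135  0.0.0.0:0  LISTENING  812".
$pattern = '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$'
$listeners = foreach ($line in (netstat -ano -p tcp)) {
    if ($line -match $pattern) {
        $port  = [int]$matches[1]
        $owner = [int]$matches[2]
        $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
        $inDcomRange = ($port -ge $DcomRangeStart) -and ($port -le $DcomRangeEnd)
        New-Object PSObject -Property @{
            Port       = $port
            PID        = $owner
            Process    = $(if ($proc) { $proc.ProcessName } else { '<unknown>' })
            Dcom       = $inDcomRange
            Documented = ($fixedPorts -contains $port) -or $inDcomRange
        }
    }
}

$listeners | Sort-Object Port | Format-Table Port, PID, Process, Dcom, Documented -AutoSize

# Compare the DCOM listeners in use with the 15 budgeted in Table 2-20.
$dcomInUse = @($listeners | Where-Object { $_.Dcom }).Count
"DCOM ports listening: $dcomInUse (Table 2-20 budgets 15 on the Exaquantum server)"

# Anything else is either another DCOM application (see 2.3.3) or a service the
# tables do not cover; decide what it is before a firewall rule is written for it.
$extra = @($listeners | Where-Object { -not $_.Documented })
if ($extra.Count -gt 0) {
    Write-Warning "Listeners outside the documented set:"
    $extra | Sort-Object Port | Format-Table Port, PID, Process -AutoSize
}
```

Run it once with all clients, the web server and the OPC link active, because DCOM servers are started on demand and a quiet server under-reports the ports it will later need.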


2.3.2 Deep Packet Inspection Firewall Configuration

This section provides the technical information on how to configure firewalls capable of
deep packet inspection for DCOM traffic by GUID. Examples of such firewalls include:

• Microsoft’s ISA server

• Checkpoint Firewall One

The section on 2.3.1 Firewall Configuration must be read in conjunction with this section
to cover the simple IP packet level filtering also required.

The communications links between the components of an Exaquantum based system may, any
or all of them, pass through firewalls. Those that carry DCOM traffic are shown in Figure 2-4.

Figure 2-4 Links between Exaquantum components

The links are numbered and will be described in detail in the following sections.

Each detail section describing a link includes:

• ProgIDs and GUIDs for DCOM communication

From this information the required Firewall configurations may be derived for standard
configurations. Project specific communication requirements resulting from bespoke code or
additional applications are not covered in this document.

Note: An Exaquantum Server may be a client to another Exaquantum Server in an RBNS
configuration.


Link 1 Exaquantum Server to Exaquantum Explorer client/Administration Tools Client

This link is split into two components that may be installed together or separately.

• Exaquantum Explorer, Excel Add in and API access

• Exaquantum Administration Tool

These will be dealt with in turn:

Exaquantum Explorer, Excel Add in and API access

Table 2-21 GUIDs and ProgIDs Link 1

DCOM Process            | ProgID & GUID                                                        | Location
Quantum.exe             | Quantum.Broker.1 {455E1DAC-48C5-11D2-8E65-00C04FA2F82C}              | Exaquantum Server
                        | Quantum.Session.1 {DA2141A4-5DC5-11D2-8E70-00C04FA2F82C}             |
                        | Quantum.Session2.1 {50DE9C27-8BCF-48B7-B85A-463AEB2863BE}            |
ExaquantumExecutive.exe | ExaQuantumExecutive.Executive.1 {A3A150CD-01F4-11D3-AC0C-00C04FA767C0} | Exaquantum Server
QRBNSServerBrowse.exe   | RBNSServerBrowse.RBNSBrowse.1 {4C8823B6-E801-493E-859C-A8234858B1BD} | Exaquantum Server
QNameSpaceBrowser.exe   | QNamespaceBrowser.Browse2.1 {36EA7642-3ABB-11D4-9311-00104BAA756F}   | Exaquantum Server
QHistorian.exe          | QHistorian.Historian.1 {F3E4AB3E-6E46-11D2-8A20-00C04FA2F681}        | Exaquantum Server
MXXLDataSelector.exe    | MXXLDataSelector.CMXXLDataSelector {9FBC8945-AD5A-4251-9A0B-0B86DFB6A1B} | Exaquantum Client
Quantum.exe             | Quantum.Broker.1 {455E1DAC-48C5-11D2-8E65-00C04FA2F82C}              | Exaquantum Client
                        | Quantum.Session.1 {DA2141A4-5DC5-11D2-8E70-00C04FA2F82C}             |
                        | Quantum.Session2.1 {50DE9C27-8BCF-48B7-B85A-463AEB2863BE}            |
QExplore.exe            |                                                                      | Exaquantum Client
LiveExplore             |                                                                      | Exaquantum Client
Excel                   |                                                                      | Exaquantum Client
Query Wizard            |                                                                      | Exaquantum Client
Server Manager          |                                                                      | Exaquantum Client
Any other code using the API or OLE/DB |                                                       | Exaquantum Client

NOTE that where the location in Table 2-18 IP address and TCP port filters Exaquantum and
web in DMZ A specifies “Exaquantum Client”, it is not possible to define a GUID or ProgID
in these cases, as they are dynamic DCOM callbacks, and it is possible to run more than
one instance of the associated DCOM Process.


Exaquantum Administrator Tools

Table 2-22 GUIDs and ProgIDs Link 1

DCOM Process      | ProgID & GUID                                                       | Location
All as for the Exaquantum Explorer client section above |                               | Exaquantum Server
QBuilder.exe      | QBuilder.FBBuilder {1AD16D6F-5995-11D4-A9E3-00C04FA2E45C}           | Exaquantum Server
                  | QBuilder.TagBuilder {1AD16D60-5995-11D4-A9E3-00C04FA2E45C}          |
QAnalyse.exe      | QAnalyse.FBAnalyser.1 {AEB1CEA0-5992-11D4-9AED-00C04FA767C0}        | Exaquantum Server
                  | QAnalyse.TagAnalyser.1 {242E5780-C500-4F11-AD3E-F741B4061B6D}       |
QFBRetriever.exe  | QFBRetriever.cCandidates {BAB8A4FB-42D4-11D4-A0D8-00C04F7949E9}     | Exaquantum Server
                  | QFBRetriever.cReadFile {BAB8A4F9-42D4-11D4-A0D8-00C04F7949E9}       |
QArchive.exe      | Qarchive.Archive.1 {69EB68E6-8F59-11D2-9473-00C04FA2F82A}           | Exaquantum Server
QEventHandler.exe | QeventHandler.APEventServer.1 {EA864370-6687-11D4-B97B-00C04FCD0ADC} | Exaquantum Server


Link 2 Exaquantum Server to OPC server

There will be differences depending on the OPC server(s) in use, but these are confined to the
ProgIDs used on the OPC server. The list below assumes the OPC server supports all of the
available options:

• DA including Browsing

• HDA

• A&E

• Properties

Table 2-23 GUIDs and ProgIDs Link 2

DCOM Process                    | ProgID & GUID                                                          | Location
QOPCDAMgr.exe                   | YokogawaMarex.QOPCDAMgr.1 {65FF4FB1-7D85-11D4-8A8A-00C04F95AC2C}       | Exaquantum Server
QOPCDAPump.exe                  | QOPCAEPump.Pump.1 {97CB6026-7E0B-11D2-9462-00C04FA2F82A}               | Exaquantum Server
QOPCPropertyAccess.exe          | YokogawaMarex.QOPCProp.1 {77C5C20C-3DF6-11D4-B2DB-004095460E25}        | Exaquantum Server
QFBRetriever.exe (OPC equalize) | QFBRetriever.cCandidates {BAB8A4FB-42D4-11D4-A0D8-00C04F7949E9}        | Exaquantum Server
                                | QFBRetriever.cReadFile {BAB8A4F9-42D4-11D4-A0D8-00C04F7949E9}          |
QZOPCAECatchup.exe              | YokogawaMarex.QZOPCAECatchup.1 {87320759-08BA-11D5-8AFD-00C04F95AC2C}  | Exaquantum Server
Dependent on the OPC server software: one for AE, one for DA, possibly one for HDA |         | OPC Server


Link 3 Exaquantum Server to Exaquantum Web Server


Table 2-24 GUIDs and ProgIDs Link 3

DCOM Process            | ProgID & GUID                                                          | Location
Quantum.exe             | Quantum.Broker.1 {455E1DAC-48C5-11D2-8E65-00C04FA2F82C}                | Exaquantum Server
                        | Quantum.Session.1 {DA2141A4-5DC5-11D2-8E70-00C04FA2F82C}               |
                        | Quantum.Session2.1 {50DE9C27-8BCF-48B7-B85A-463AEB2863BE}              |
ExaquantumExecutive.exe | ExaQuantumExecutive.Executive.1 {A3A150CD-01F4-11D3-AC0C-00C04FA767C0} | Exaquantum Server
QRBNSServerBrowse.exe   | RBNSServerBrowse.RBNSBrowse.1 {4C8823B6-E801-493E-859C-A8234858B1BD}   | Exaquantum Server
QNameSpaceBrowser.exe   | QNamespaceBrowser.Browse2.1 {36EA7642-3ABB-11D4-9311-00104BAA756F}     | Exaquantum Server
QHistorian.exe          | QHistorian.Historian.1 {F3E4AB3E-6E46-11D2-8A20-00C04FA2F681}          | Exaquantum Server
Quantum.exe             | Quantum.Broker.1 {455E1DAC-48C5-11D2-8E65-00C04FA2F82C}                | Exaquantum Web Server
                        | Quantum.Session.1 {DA2141A4-5DC5-11D2-8E70-00C04FA2F82C}               |
                        | Quantum.Session2.1 {50DE9C27-8BCF-48B7-B85A-463AEB2863BE}              |
w3pw.exe (worker pool process for the Website) |                                                 | Exaquantum Web Server


Link 4 WTS server to Exaquantum Server

This is identical to Link 1 Exaquantum Server to Exaquantum Explorer client/Administration
Tools Client.

Link 5 Exaquantum Server to OPC Client

Exaquantum may act as an OPC DA & HDA Server; the ProgIDs/GUIDs at the client end
will depend on the client.

Table 2-25 GUIDs and ProgIDs Link 8

DCOM Process       | ProgID & GUID                                                         | Location
ZOPDA.exe          | Yokogawa.ExaopcDAEXQ.1 {7C55C23F-4A01-43AD-B517-B7DA3B25EECB}         | Exaquantum Server
QOPCHDAServer.exe  | QOPCHDAServer.HDAServer.1 {E42A32A3-BDD8-40A5-9388-2ADE4CC9AAA3}      | Exaquantum Server
                   | QOPCHDAServer.HDAServerEx.1 {2A2165B5-7291-4F60-BD5B-DB6EB554E777}    |
QOPCHAEServer.exe  | QOPCHAEServer.HDAServer_PIAE.1 {A297E742-2EA3-463E-BD63-46C6555391AE} |
Dependent on the OPC client software: one for DA, possibly one for HDA |                    | OPC Server

Link 6 Exaquantum Server to PI Interface

This link is the same as Link 5.
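A deep packet inspection rule written from Tables 2-21 to 2-25 filters on CLSIDs, so it is worth confirming, on the installed server, that each documented ProgID still resolves to the documented GUID before the firewall is configured. The following script is an added example and not part of the Yokogawa guide: it looks up each ProgID under HKEY_CLASSES_ROOT, compares the registered CLSID with the value in the tables, and for each match prints the registered server executable so the program rules of Table 2-29 can be cross-checked at the same time. The ProgIDs and GUIDs are taken from the tables above; nothing else is assumed.

```powershell
# Added example (not from the Yokogawa guide): verify that the ProgIDs of
# Tables 2-21 to 2-25 resolve on this machine to the GUIDs the tables give,
# so a DPI firewall GUID list is built from what is really registered.
$documented = @{
    'Quantum.Broker.1'                = '{455E1DAC-48C5-11D2-8E65-00C04FA2F82C}'
    'Quantum.Session.1'               = '{DA2141A4-5DC5-11D2-8E70-00C04FA2F82C}'
    'Quantum.Session2.1'              = '{50DE9C27-8BCF-48B7-B85A-463AEB2863BE}'
    'ExaQuantumExecutive.Executive.1' = '{A3A150CD-01F4-11D3-AC0C-00C04FA767C0}'
    'RBNSServerBrowse.RBNSBrowse.1'   = '{4C8823B6-E801-493E-859C-A8234858B1BD}'
    'QNamespaceBrowser.Browse2.1'     = '{36EA7642-3ABB-11D4-9311-00104BAA756F}'
    'QHistorian.Historian.1'          = '{F3E4AB3E-6E46-11D2-8A20-00C04FA2F681}'
    'YokogawaMarex.QOPCDAMgr.1'       = '{65FF4FB1-7D85-11D4-8A8A-00C04F95AC2C}'
    'QOPCAEPump.Pump.1'               = '{97CB6026-7E0B-11D2-9462-00C04FA2F82A}'
    'YokogawaMarex.QOPCProp.1'        = '{77C5C20C-3DF6-11D4-B2DB-004095460E25}'
    'YokogawaMarex.QZOPCAECatchup.1'  = '{87320759-08BA-11D5-8AFD-00C04F95AC2C}'
    'Yokogawa.ExaopcDAEXQ.1'          = '{7C55C23F-4A01-43AD-B517-B7DA3B25EECB}'
    'QOPCHDAServer.HDAServer.1'       = '{E42A32A3-BDD8-40A5-9388-2ADE4CC9AAA3}'
    'QOPCHDAServer.HDAServerEx.1'     = '{2A2165B5-7291-4F60-BD5B-DB6EB554E777}'
}

function Get-RegisteredClsid {
    param([string]$ProgId)
    # HKCR\<ProgID>\CLSID holds the CLSID as the key's default value.
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path $key)) { return $null }
    return (Get-ItemProperty -Path $key).'(default)'
}

$results = foreach ($progId in ($documented.Keys | Sort-Object)) {
    $actual = Get-RegisteredClsid $progId
    $status = if ($actual -eq $null) { 'NOT REGISTERED' }
              elseif ($actual -ieq $documented[$progId]) { 'OK' }
              else { 'MISMATCH' }
    New-Object PSObject -Property @{
        ProgID     = $progId
        Documented = $documented[$progId]
        Registered = $actual
        Status     = $status
    }
}
$results | Format-Table ProgID, Status, Registered -AutoSize

# For each match, show the registered out-of-process server so the program
# rules of Table 2-29 point at the executable that really owns the CLSID.
# On a 64-bit OS a 32-bit server's CLSID key may sit under HKCR\Wow6432Node\CLSID.
foreach ($r in ($results | Where-Object { $_.Status -eq 'OK' })) {
    foreach ($root in 'HKEY_CLASSES_ROOT\CLSID', 'HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
        $srvKey = "Registry::$root\$($r.Registered)\LocalServer32"
        if (Test-Path $srvKey) {
            "{0,-34} {1}" -f $r.ProgID, (Get-ItemProperty -Path $srvKey).'(default)'
        }
    }
}
```

A MISMATCH or NOT REGISTERED line means the firewall GUID list would be filtering on a CLSID this installation does not use; resolve it against the installed version before deploying the rule.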


Client Windows Firewall Configuration

With Windows Vista, Windows 7 and Windows Server 2008, Microsoft provides a software firewall.
Its primary control restricts inbound connections, and it can additionally restrict outbound
connections. The firewall may be used to secure clients in an Exaquantum system.

This section deals with the setting up of incoming connections only. For Exaquantum clients
running on Windows Vista, Windows 7 or 2008 Server, it is recommended to use the default
settings for outbound connections. If it is necessary to modify the outbound settings (for
example where sites have a Domain Security Policy), then this should be undertaken only by
an Administrator with appropriate knowledge.

Note: an Exaquantum Server may be a client to another Exaquantum Server in an RBNS
configuration.

To permit the client to connect to the server the following port needs to be added to the
exceptions list of the firewall.

Table 2-26 Windows Firewall configuration – Ports

Port    | Description         | Note
135 TCP | RPC (DCOM) listener | To allow the call back to connect to DCOM and establish the call.

The following applications need to be added to the exceptions list of the firewall to allow the
call back transfer of historical data (see How to setup the Windows Firewall – Vista,
Windows 7, Server 2008 and Server 2008 R2 for instructions on how to do this):

Table 2-27 Windows firewall configuration Programs

Application                      | Location                                               | Notes
MMC                              | WINDOWS\system32\mmc.exe                               | Used by Exaquantum Admin Tools
Exaquantum Explorer              | <Installation Folder>\Explorer\QExplore.exe            | Needed when requesting historical data.
Exaquantum Quantum Module        | <Installation Folder>\System\Quantum.exe               | Main communication module to the server
Exaquantum LiveXplore            | <Installation Folder>\Developer Tools\LiveXplore.exe   | Needed when requesting historical data.
Exaquantum System Events Viewer  | <Installation Folder>\Developer Tools\SysEventsViewer.exe | Needed for call back when requesting tag value.
MXXLDataSelector.exe             | <Installation Folder>\System\MXXLDataSelector.exe      | For historian call back to provide data to the data selector trend tool
Microsoft Excel                  | <Microsoft Office Install Folder>\Excel.exe            | Needed when requesting historical data.
                                 | Typically C:\Program Files\Microsoft Office\OFFICE12 for Microsoft Excel 2007 |
                                 | Typically C:\Program Files\Microsoft Office\OFFICE14 for Microsoft Excel 2010 |
EQTagDefOutput.exe               | <Installation Folder>\PIConnect\EQTagDefOutput.exe     | Needed for PI Interface configuration
NetworkTest.exe                  | <Installation Folder>\System\NetworkTest.exe           | Needed to run a series of network health checks when configuring server connection

Note 1: Anything that uses the OLE/DB provider to retrieve historical data needs to be
added to the above list, e.g. Crystal Reports.

Note 2: Any user defined API that requests historical data should also be added to the list.


Server Windows Firewall Configuration

With Windows 2008 Server and Server 2008 R2, Microsoft provides a software firewall to
restrict inbound connections and outbound connections.

The Firewall may be used on Exaquantum Servers systems. Note that client tools may be run
on a server and may require connections to other servers in a multi-server configuration.

This section deals with the setting up of incoming connections only. For Exaquantum
Servers running on Windows 2008 Server, it is recommended to use the default settings for
outbound connections (no restriction). If it is necessary to modify the outbound settings (for
example where sites have a Domain Security Policy), then this should be undertaken only by
an Administrator with appropriate knowledge based on the details provided in Section 2.3
Firewall Configuration.

To permit clients to connect to the server the port in Table 2-28 Windows Firewall
configuration – Ports needs to be added to the exceptions list of the firewall.

Table 2-28 Windows Firewall configuration – Ports

Port     | Description         | Note
135 TCP  | RPC (DCOM) listener | To allow the client to connect to DCOM and establish the call.
1433 TCP | SQL Server          | Allow client access to the SQL server

The applications in Table 2-29 Windows firewall configuration Programs need to be added
to the exceptions list of the firewall to allow the call back transfer of historical data (See
How to setup the Windows Firewall – Vista, Windows 7, Server 2008 and Server 2008 R2
for instructions on how to do this):

Table 2-29 Windows firewall configuration Programs

Application                     | Location                                                  | Notes
MMC                             | WINDOWS\system32\mmc.exe                                  | Used by Exaquantum Admin Tools
Exaquantum Explorer             | <Installation Folder>\Explorer\QExplore.exe               | Needed when requesting historical data.
Exaquantum Quantum Module       | <Installation Folder>\System\Quantum.exe                  | Main communication module to the server
Exaquantum LiveXplore           | <Installation Folder>\Developer Tools\LiveXplore.exe      | Needed when requesting historical data.
Exaquantum System Events Viewer | <Installation Folder>\Developer Tools\SysEventsViewer.exe | Needed for call back when requesting tag value.
Microsoft Excel                 | <Microsoft Office Install Folder>\Excel.exe               | Needed when requesting historical data.
                                | Typically C:\Program Files\Microsoft Office\OFFICE12 for Microsoft Excel 2007 |
                                | Typically C:\Program Files\Microsoft Office\OFFICE14 for Microsoft Excel 2010 |
ExaquantumExecutive.exe         | <Installation Folder>\System\ExaquantumExecutive.exe      | Needed for client connection
QRBNSServerBrowse.exe           | <Installation Folder>\System\QRBNSServerBrowse.exe        | Needed for client RBNS browsing
QNameSpaceBrowser.exe           | <Installation Folder>\System\QNameSpaceBrowser.exe        | Needed for client tag browsing
QHistorian.exe                  | <Installation Folder>\System\QHistorian.exe               | Needed for client Historian access
QBuilder.exe                    | <Installation Folder>\System\QBuilder.exe                 | Needed for Admin Tools running of Tag Build
QAnalyse.exe                    | <Installation Folder>\System\QAnalyse.exe                 | Needed for Admin Tools running of Tag Build
QFBRetriever.exe                | <Installation Folder>\System\QFBRetriever.exe             | Needed for Admin Tools running of Tag Build
QOPCDAMgr.exe                   | <Installation Folder>\System\QOPCDAMgr.exe                | Needed for OPC Server callback
QOPCDAPump.exe                  | <Installation Folder>\System\QOPCDAPump.exe               | Needed for OPC Server callback
QOPCPropertyAccess.exe          | <Installation Folder>\System\QOPCPropertyAccess.exe       | Needed for OPC Server callback
QZOPCAECatchup.exe              | <Installation Folder>\System\QZOPCAECatchup.exe           | Needed for OPC Server callback
QArchive.exe                    | <Installation Folder>\System\QArchive.exe                 | Used by Admin Tools
QEventHandler.exe               | <Installation Folder>\System\QEventHandler.exe            | Used by Admin Tools
EQTagDefOutput.exe              | <Installation Folder>\PIConnect\EQTagDefOutput.exe        | Needed for PI Interface configuration
NetworkTest.exe                 | <Installation Folder>\System\NetworkTest.exe              | Needed to run a series of network health checks when configuring server connection

Note 1: Anything that uses the OLE/DB provider to retrieve historical data from another
server needs to be added to the above list, e.g. Crystal Reports.

Note 2: Any user application that utilizes the Exaquantum API to request historical data
from another server should also be added to the list.


How to setup the Windows Firewall – Vista, Windows 7, Server 2008 and
Server 2008 R2

To access the ‘Windows Firewall with Advanced Security’ snap in:

• From Vista, through Control Panel/Administrative Tools

• From Windows Server 2008 or Server 2008 R2, through Server Manager/Configuration

• Or, in either case, by opening the WFAS snap in to MMC.

Once the snap in is open it will look as shown in Figure 2-5 WFAS Snap in.

Figure 2-5 WFAS Snap in


Then, to add a rule, open Inbound Rules and select ‘add a new rule’ to invoke the wizard
as shown in Figure 2-6 Add a Rule.

Figure 2-6 Add a Rule

Adding a Program Rule

To add a program rule allowing DCOM connection to a particular program follow the steps
shown in Figure 2-7 Add a Program Rule to Figure 2-11 Name the Rule:

Figure 2-7 Add a Program Rule


Figure 2-8 Select the Program Location

Figure 2-9 Allow the Connection


Figure 2-10 Specify When the Rule Applies To

Figure 2-11 Name the Rule


Adding a Port Rule

To add a Port Rule choose the port option and follow the steps from Figure 2-12 Port Rule
Option to Figure 2-13 Specify the Port:

Figure 2-12 Port Rule Option

Figure 2-13 Specify the Port


The remaining steps are identical to the Program rule.

Amending an existing Rule

To amend an existing rule, select it and double click, then edit it in the properties box as
shown in Figure 2-14 Edit a Port Exception. From here additional definitions for the rule may
be added, for example specifying which source computers the inbound rule applies to.

Figure 2-14 Edit a Port Exception
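The wizard steps above can be scripted on the same Windows versions with netsh advfirewall, which also makes the source-computer restriction of Figure 2-14 part of every rule from the start rather than a later amendment. The following is an added example and not part of the Yokogawa guide: it creates the inbound port exceptions of Table 2-28 and the program exceptions of Table 2-29 on an Exaquantum server. The installation folder and the client subnet are assumptions (the guide gives only <Installation Folder>), and each rule is scoped with remoteip to that subnet.

```powershell
# Added example (not from the Yokogawa guide): scripted form of the WFAS
# wizard for Tables 2-28 and 2-29. Run in an elevated PowerShell on the
# Exaquantum server. netsh advfirewall exists from Vista/Server 2008 onwards.
$InstallDir   = 'C:\Program Files\Yokogawa\Exaquantum'   # assumed <Installation Folder>
$ClientSubnet = '192.168.100.0/24'                        # assumed client network (constructed)

# Port exceptions (Table 2-28). remoteip limits the rule to the client subnet
# instead of any address, the restriction Figure 2-14 shows being set by hand.
netsh advfirewall firewall add rule name="Exaquantum RPC (DCOM) listener" dir=in action=allow protocol=TCP localport=135 remoteip=$ClientSubnet
netsh advfirewall firewall add rule name="Exaquantum SQL Server" dir=in action=allow protocol=TCP localport=1433 remoteip=$ClientSubnet

# Program exceptions (Table 2-29). A program rule admits whatever port that
# process is listening on, which is how the dynamically allocated DCOM ports
# of Table 2-19 are admitted without opening the whole range to everyone.
$programs = @{
    'Exaquantum MMC (Admin Tools)'    = "$env:windir\system32\mmc.exe"
    'Exaquantum Explorer'             = "$InstallDir\Explorer\QExplore.exe"
    'Exaquantum Quantum Module'       = "$InstallDir\System\Quantum.exe"
    'Exaquantum LiveXplore'           = "$InstallDir\Developer Tools\LiveXplore.exe"
    'Exaquantum System Events Viewer' = "$InstallDir\Developer Tools\SysEventsViewer.exe"
    'Exaquantum Executive'            = "$InstallDir\System\ExaquantumExecutive.exe"
    'Exaquantum RBNS Server Browse'   = "$InstallDir\System\QRBNSServerBrowse.exe"
    'Exaquantum Namespace Browser'    = "$InstallDir\System\QNameSpaceBrowser.exe"
    'Exaquantum Historian'            = "$InstallDir\System\QHistorian.exe"
    'Exaquantum Tag Builder'          = "$InstallDir\System\QBuilder.exe"
    'Exaquantum Tag Analyser'         = "$InstallDir\System\QAnalyse.exe"
    'Exaquantum FB Retriever'         = "$InstallDir\System\QFBRetriever.exe"
    'Exaquantum OPC DA Manager'       = "$InstallDir\System\QOPCDAMgr.exe"
    'Exaquantum OPC DA Pump'          = "$InstallDir\System\QOPCDAPump.exe"
    'Exaquantum OPC Property Access'  = "$InstallDir\System\QOPCPropertyAccess.exe"
    'Exaquantum OPC AE Catchup'       = "$InstallDir\System\QZOPCAECatchup.exe"
    'Exaquantum Archive'              = "$InstallDir\System\QArchive.exe"
    'Exaquantum Event Handler'        = "$InstallDir\System\QEventHandler.exe"
    'Exaquantum PI Tag Definition'    = "$InstallDir\PIConnect\EQTagDefOutput.exe"
    'Exaquantum Network Test'         = "$InstallDir\System\NetworkTest.exe"
}

foreach ($name in ($programs.Keys | Sort-Object)) {
    $exe = $programs[$name]
    # Never create a rule for a path that does not exist: a rule pointing at a
    # missing file is a latent hole if something else is later installed there.
    if (-not (Test-Path $exe)) { Write-Warning "$name skipped, not found: $exe"; continue }
    netsh advfirewall firewall add rule name="$name" dir=in action=allow program="$exe" remoteip=$ClientSubnet
}

# Read one rule back to confirm direction, action and the remote IP scope.
netsh advfirewall firewall show rule name="Exaquantum RPC (DCOM) listener" verbose
```

Outbound rules are deliberately left alone, as the text above recommends; only the inbound exceptions change.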


2.3.3 Setting the Restriction of Ports for DCOM

This procedure should be carried out on the Exaquantum/PIMS server. Port ranges do not
have to be restricted on the client machine. With the ports restricted on the Exaquantum
server, the firewall can be configured to admit incoming traffic on these ports only to the
dedicated IP address of the Exaquantum server. All outgoing ports 1024-65535 should be
open.

If other applications are using DCOM the port requirements for each application should be
taken into consideration.

1 To start Component Services, from the Start menu, point to Programs, point to
Administrative Tools, and then click Component Services.

2 Click to expand the Component Services and Computers nodes. Right-click My
Computer and then click Properties.

3 On the Default Protocols tab, click Connection-oriented TCP/IP in the DCOM
Protocols list box, and then click Properties.

4 In the Properties for COM Internet Services dialog box, click Add.

5 In the Port range text box, add a port range (for example, type 5000-5010), and then
click OK.

6 Leave the Port range assignment and the Default dynamic port allocation options set
to Internet range.

7 Click OK three times, and then restart the Exaquantum/PIMS server computer.
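Steps 1 to 7 write to the registry, and the same change can be made in a script when several servers are configured. The following is an added example and not part of the Yokogawa guide: it sets the RPC dynamic port range under HKLM\SOFTWARE\Microsoft\Rpc\Internet, which is the key the Component Services dialog maintains, using the same 5000-5010 example range, and then reads it back and compares its size with the count in Table 2-20. The key and value names are Microsoft's documented ones; the range itself is the guide's example and should be sized for the site.

```powershell
# Added example (not from the Yokogawa guide): registry form of the Component
# Services steps 1 to 7 above. Run elevated on the Exaquantum/PIMS server; the
# server must still be restarted afterwards (step 7).
$range  = '5000-5010'                              # the example range from step 5
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'  # key maintained by the DCOM config dialog

if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }

# Ports is REG_MULTI_SZ with one entry per range. The two "Y" flags are the
# "Port range assignment" and "Default dynamic port allocation" options of
# step 6, both set to Internet range. The range applies to every RPC/DCOM
# application on the machine, hence the note above about other applications.
New-ItemProperty -Path $rpcKey -Name Ports -PropertyType MultiString -Value @($range) -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name PortsInternetAvailable -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name UseInternetPorts -PropertyType String -Value 'Y' -Force | Out-Null

# Read back and compare the size of the range with Table 2-20.
$p = Get-ItemProperty -Path $rpcKey
$start, $end = ($p.Ports[0] -split '-') | ForEach-Object { [int]$_ }
$size = $end - $start + 1
"Configured DCOM range: $($p.Ports -join ', ') ($size ports); flags: PortsInternetAvailable=$($p.PortsInternetAvailable) UseInternetPorts=$($p.UseInternetPorts)"
if ($size -lt 15) {
    Write-Warning "Range holds $size ports; Table 2-20 counts 15 on the Exaquantum server, so widen it before relying on it."
}
```

The warning fires for the 5000-5010 example, which holds 11 ports against the 15 of Table 2-20; a range chosen for production should cover that count plus the requirements of any other DCOM applications on the server.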


2.4 Configuring Exaquantum for VPN Network Connections


Overview

A Virtual Private Network (VPN) connection allows users at a remote location away from
the site to connect securely to a private LAN or WAN via a public network such as the
Internet. This type of connection masks the communications by encrypting the contents and
wrapping them in a different address while in transit over the public network. Extra
configuration will probably be required at each end of the VPN connection so that the
two computers can still locate each other through the masking process. This chapter
explains:

• Some of the concepts behind the VPN system,

• Configuring Exaquantum to cope with reduced network functionality

• Checking system functionality.

VPN Connection Process

In a system that provides a full Domain Name Service (DNS), and in which any intervening
Firewalls have been configured correctly, an Exaquantum system should work normally over
a VPN without any extra configuration.

The following procedure summarizes how a normal VPN connection works:

The client PC makes a connection to the public Internet.

The client attempts to establish a secure connection to the remote VPN server.

If the authentication is satisfactory, the VPN server will issue the client with an IP address
within the same sub-net as the Exaquantum server. This address is only valid within the
local network; it is not the ‘real’ IP address of the client (as seen on the Internet).


The Exaquantum server will be able to communicate with the remote client using this
address, while the VPN server facilitates the routing to the real address of the client.

In the opposite direction, the client will communicate with the Exaquantum server via the
VPN server which will perform the necessary routing. The client will use the VPN to access
the name resolution service (DNS) facilities provided on the destination network to locate
the server.

However, if there is no DNS available, the system will have to be configured differently,
which is discussed in the next section.

Configuring Exaquantum for VPN with no DNS

There are two methods that can be used that approach the problem from different angles:

Using IP address - This method uses IP addresses instead of computer names, which
requires that a change be made to both the Exaquantum settings in the client PC, and to
the Windows Registry on each Exaquantum server.

Using computer names - This method continues to use names as usual. The only change
required is that the ‘hosts’ file on the client is modified to map the IP address of each
Exaquantum server to the correct name.

Configure to use IP addresses

There are two or three stages to enabling this system, depending on whether there is more
than one Exaquantum server:

Client configuration

On the client PC using the VPN connection:

1 Establish a VPN connection from the client to the VPN server.

2 Open the Server Manager Tool by selecting Start -> Programs -> Exaquantum -> Server
Manager.

3 In the Primary Server box, replace the server’s name with the server’s IP address.

4 If your system uses a secondary server, in the Secondary Server box, replace the server’s
name with the server’s IP address.


Figure 2-15 Exaquantum Server Manager – Primary Server

5 To check that the connection can be established, click on the Test button for each server
configured and confirm the status is ‘Running’.

6 Select OK to close the Server Manager Tool.

Server Configuration

In a normally configured system, the Exaquantum server passes its host name to the clients.
Without a DNS to resolve this name, the client will be unable to locate the server. To
overcome this problem, the server must be configured to pass the IP address instead.

This change requires editing the Windows registry. Before making any changes to the
registry it is recommended that you have a full working backup of your system. If you are
not confident with making such changes, you should contact your Yokogawa support
representative.

The name is set in four places:


HKEY_LOCAL_MACHINE\SOFTWARE\Quantum\Client\DesignatedServer
HKEY_LOCAL_MACHINE\SOFTWARE\Quantum\DB\QConfigServer
HKEY_LOCAL_MACHINE\SOFTWARE\Quantum\Server\Historian\HistorianAdminServer
HKEY_LOCAL_MACHINE\SOFTWARE\Quantum\Server\Historian\HistorianDataServer


To configure the Primary Exaquantum server:

1 Open the Registry Editor

2 For each of the registry keys noted above, in the key’s data, replace the server name with
the equivalent IP address.

Figure 2-16 Registry Editor

3 Close the Registry Editor.

4 The changes will not take effect until the Exaquantum Server is stopped and restarted.
Ensure there are no clients connected, and then use the Exaquantum Server Manager
Tool, available from Start -> Programs -> Exaquantum -> Exaquantum Server Manager.

5 Click on the Stop button to stop the service. After a short pause the service status will
change to ‘Stopped’.

6 When it becomes available, click on the Start button to restart the service. The status will
change to ‘Running’.

Figure 2-17 Exaquantum Services Manager
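Steps 1 to 3 of the server configuration can be carried out in a script that takes the backup the text asks for before it touches anything. The following is an added example and not part of the Yokogawa guide: it exports the Quantum registry key with reg.exe, then replaces the host name with the IP address in the four values listed above, leaving any value that does not currently hold the expected host name unchanged. It assumes that the last element of each path above is the value name and the rest is the key, and the host name and IP address are constructed placeholders. The Exaquantum Server still has to be stopped and restarted afterwards (steps 4 to 6).

```powershell
# Added example (not from the Yokogawa guide): script for Server Configuration
# steps 1 to 3. Run elevated on the Primary Exaquantum server with no clients
# connected. Assumption: the last path element of each entry is a value name.
$ServerName = 'MyServer1'        # constructed: the host name currently stored
$ServerIp   = '192.168.100.1'    # constructed: the address VPN clients can reach

$values = @(
    'HKLM:\SOFTWARE\Quantum\Client\DesignatedServer',
    'HKLM:\SOFTWARE\Quantum\DB\QConfigServer',
    'HKLM:\SOFTWARE\Quantum\Server\Historian\HistorianAdminServer',
    'HKLM:\SOFTWARE\Quantum\Server\Historian\HistorianDataServer'
)

# Backup first: reg.exe export writes a .reg file that can be re-imported to roll back.
$backup = Join-Path $env:TEMP ("Quantum-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
reg export HKLM\SOFTWARE\Quantum $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; no changes made." }
"Registry backup written to $backup"

foreach ($entry in $values) {
    $key  = Split-Path $entry -Parent
    $name = Split-Path $entry -Leaf
    # On a 64-bit OS a 32-bit Exaquantum may keep the key under Wow6432Node (assumption; both are tried).
    if (-not (Test-Path $key)) { $key = $key -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\Wow6432Node\' }
    if (-not (Test-Path $key)) { Write-Warning "$entry not found"; continue }

    $current = (Get-ItemProperty -Path $key).$name
    if ($current -ieq $ServerName) {
        Set-ItemProperty -Path $key -Name $name -Value $ServerIp
        "{0}\{1}: '{2}' -> '{3}'" -f $key, $name, $current, $ServerIp
    } else {
        # Do not overwrite a value that holds something unexpected; inspect it by hand.
        Write-Warning "$key\$name is '$current', not '$ServerName'; left unchanged"
    }
}
"Restart the Exaquantum Server (steps 4 to 6) for the change to take effect."
```

To roll back, stop the server, double click the exported .reg file (or run reg import on it) and restart the server.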


Multiple Server environment

In addition to the above, in a multi-server environment the other servers will also have to be
identified by the Primary server using their IP addresses. This is achieved using the Servers
tool on the Primary Server.

On the Primary Exaquantum Server:

1 Log on to the server using an account with QAdministrator privileges, such as the
QuantumUser account.

2 Open the Administration Tools by selecting Start -> Programs -> Exaquantum ->
Administration Tools.

3 Navigate the tree on the left to locate Console Root -> Yokogawa Exaquantum ->
System Configuration -> Servers.

Figure 2-18 Exaquantum Administration Tools

4 For each of the servers listed, change the Computer name to the equivalent IP address.

5 Close the Administrative Tools window.

6 The changes will not take effect until the Exaquantum Server is stopped and restarted.
Ensure there are no clients connected, and then use the Exaquantum Server Manager
Tool, available from Start -> Programs -> Exaquantum -> Exaquantum Server Manager.


Configure to use host names

In this situation, the only configuration necessary is to provide the client with some means of
resolving the NetBIOS host names provided by the server. This is achieved by adding the
appropriate entries to the ‘hosts’ file on the client PC. In a standard installation using the
default locations, the ‘hosts’ file can be found at:

%Windir%\system32\drivers\etc

In order to complete this configuration you will need to know the host names and IP
addresses of all the Exaquantum servers to be accessed.

To add the servers to the ‘hosts’ file on the client PC:

1 Open the hosts file with a text editor such as Notepad.

2 To the existing entries in the ‘hosts’ file, add a line for each Exaquantum server on the
system, in the form: <IP address> <name>.

For example:

192.168.100.1 MyServer1
192.168.100.2 MyServer2

3 Save the changed host file and close the text editor. The changes take immediate effect.

Test the changes by using the ping command against the servers in the form:

ping <name>

For example, in a console window type:

ping MyServer1

Troubleshooting VPN

Failure to connect

There are two main reasons why a VPN connection fails to work, which are listed below. To
help diagnose what is causing the problem in any particular case, work through the sections
later in this chapter.

No DNS

In systems where DNS is not available, this system will not work as the client will be unable
to resolve the server name. No error messages will be given, but the usual symptom is that
the client cannot access any of the product client tools, and in most cases, only the splash
screen will be displayed.


Firewall

Another possible cause of failure is a Firewall situated between the two computers that is
restricting some of the communications ports required by Exaquantum.

Determining the Cause

There are two stages to diagnosing the problem:

Verifying network connectivity – Check that there is a suitable network path between
the two computers.

Verifying DNS functionality – Check that the DNS is available to the client PC.

Verifying network connectivity

The purpose of this test is to determine if there is a suitable network path between the client
PC and Exaquantum server machines.

First, establish a VPN connection between the client PC and the VPN server. When
connected, open a console window on the client PC and type:

ping <Exaquantum Server IP Address>

There should be a series of responses from the server addressed. The whole event will be
something like:

C:\>ping 172.10.20.31
Pinging Exaq1 [172.10.20.31] with 32 bytes of data
Reply from 172.10.20.31: bytes=32 time<1ms TTL=128
Reply from 172.10.20.31: bytes=32 time<1ms TTL=128

If there was no response, the problem could be that a Firewall is blocking the ICMP protocol
used to perform the ‘ping’ function; check this with the network administrator.


Verifying DNS functionality

The purpose of this test is to establish that the client PC can access the DNS on the
destination network. It is assumed that the VPN connection between the client and VPN
server is working, and that the network connectivity test has been carried out and passed.

First, establish a VPN connection between the client PC and the VPN server. When
connected, open a console window on the client PC and type:

Nslookup <Hostname Of Exaquantum Server>

The DNS should respond with the IP address of the Exaquantum server. The whole event
will be something like:

C:\>nslookup Exaq1

Server: pluto.corp.yokogawa-marex.com
Address: 172.10.20.100

Name: Exaq1.corp.yokogawa-marex.com
Address: 172.10.20.31

In the example above, the IP address in question is the second one, 172.10.20.31.

If there is no response from the DNS then either:

• If you know there is a functioning DNS available on the remote network then there may
be a fault in the configuration.

• There is no DNS available, and you will have to reconfigure the Exaquantum system for
working on such a system as described earlier in this chapter.
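The two checks above separate a missing network path from a missing DNS, but a ping that succeeds says nothing about the DCOM ports a firewall may be filtering, and a ping that fails may mean only that ICMP is filtered. The following script is an added example and not part of the Yokogawa guide: run on the client PC after the VPN is up, it performs the ping and the name lookup of the two tests and adds a TCP connection attempt to the RPC (DCOM) listener on port 135 (Table 2-26), then reports which of the two causes listed under Failure to connect the evidence points to. The host name and IP address are the page's example values and are parameters.

```powershell
# Added example (not from the Yokogawa guide): runs the "Determining the Cause"
# checks from the client PC and adds a TCP probe of port 135 so a firewall
# cause can be told apart from a DNS cause. Values below are the page's examples.
param(
    [string]$ServerName = 'Exaq1',          # host name the server passes to clients
    [string]$ServerIp   = '172.10.20.31'    # its IP address on the destination network
)

# 1. Network path: ICMP echo, the "ping <IP>" test. A failure here may be no
#    more than ICMP filtering, so it is not conclusive on its own.
$icmpOk = Test-Connection -ComputerName $ServerIp -Count 2 -Quiet

# 2. DNS: does the name resolve, and to the expected address? (the nslookup test)
$dnsOk = $false
$resolved = @()
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($ServerName) | ForEach-Object { $_.ToString() }
    $dnsOk = $resolved -contains $ServerIp
} catch { }

# 3. TCP probe of the RPC endpoint mapper, which ICMP filtering does not affect.
function Test-TcpPort([string]$Address, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}
$rpcOk = Test-TcpPort $ServerIp 135

"ICMP to $ServerIp : $icmpOk"
"DNS for $ServerName : $dnsOk (resolved to: $($resolved -join ', '))"
"TCP to $($ServerIp):135 : $rpcOk"

if (-not $dnsOk) {
    "Likely cause: No DNS. Reconfigure for IP addresses or add the server to the hosts file (see above)."
}
if (-not $rpcOk) {
    "Likely cause: Firewall. Port 135 is not reachable; check it and the DCOM range with the network administrator."
}
if ($dnsOk -and $rpcOk -and -not $icmpOk) {
    "Name and RPC listener are reachable; only ICMP is filtered, which Exaquantum does not need."
}
```

A reachable port 135 with a failing client still leaves the dynamically allocated DCOM ports (Table 2-19) as a candidate; the port restriction of section 2.3.3 narrows that range to one the network administrator can confirm.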


Chapter 3 Specifying Your Configuration During Installation (Legacy Model)

During installation Local User Groups are created automatically.

3.1 Installation Basics


Exaquantum requires four user groups to control access to the database, and the Exaquantum
Service account initially called quantumuser to control the connection between the server
and the clients.

Basic Exaquantum User Groups

There are four basic Security Groups used by Exaquantum:

Table 3-1 Exaquantum Security Groups

Security Group        Comment
QAdministratorGroup   Allows changes to the Exaquantum database, equalisation, creating tags and data writing.
QExplorerDesignGroup  Allows Exaquantum/Explorer to be opened in Design mode, to allow the creation and/or modification of Exaquantum/Explorer documents.
QDataWriteGroup       Specifically allows data writing, but not the other privileges of QAdministratorGroup.
QUserGroup            Allows access to Exaquantum. All members of the above groups MUST belong to this group.
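The rule in Table 3-1 that every member of the three privileged groups must also be in QUserGroup is easy to break when accounts are added by hand, so here is an added Python check, not part of the Yokogawa manual, that parses the output of the Windows command net localgroup <group> for the four groups and reports members that violate it. The sample outputs and the account names in them are constructed; the --live option runs the real command on Windows.

```python
"""Audit Exaquantum security-group membership from 'net localgroup' output.

Added example, not part of the Yokogawa manual. Checks the rule from
Table 3-1: every member of QAdministratorGroup, QExplorerDesignGroup and
QDataWriteGroup must also be a member of QUserGroup. The sample outputs and
account names below are constructed.
"""
import subprocess
import sys
from typing import Dict, Set

EXA_GROUPS = ("QAdministratorGroup", "QExplorerDesignGroup", "QDataWriteGroup", "QUserGroup")

# Constructed 'net localgroup <name>' outputs; members are listed after the
# dashed line and before the completion message.
SAMPLE_OUTPUT = {
    "QUserGroup": r"""
Alias name     QUserGroup
Comment        Exaquantum users

Members

-------------------------------------------------------------------------------
CORP\Jane_Doe
CORP\John_Smith
quantumuser
The command completed successfully.
""",
    "QAdministratorGroup": r"""
Alias name     QAdministratorGroup
Comment

Members

-------------------------------------------------------------------------------
CORP\Bob_Jones
CORP\Jane_Doe
The command completed successfully.
""",
    "QExplorerDesignGroup": r"""
Alias name     QExplorerDesignGroup
Comment

Members

-------------------------------------------------------------------------------
CORP\John_Smith
The command completed successfully.
""",
    "QDataWriteGroup": r"""
Alias name     QDataWriteGroup
Comment

Members

-------------------------------------------------------------------------------
CORP\Jane_Doe
The command completed successfully.
""",
}


def parse_net_localgroup(text: str) -> Set[str]:
    """Return the member names printed by 'net localgroup <group>'."""
    members: Set[str] = set()
    in_members = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---"):
            in_members = True
            continue
        if not in_members or not line:
            continue
        if line.startswith("The command completed"):
            break
        members.add(line)
    return members


def find_missing_quser_members(groups: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Map each privileged group to its members that are not in QUserGroup."""
    # Windows account names are case-insensitive, so compare case-folded.
    base = {m.casefold() for m in groups.get("QUserGroup", set())}
    missing: Dict[str, Set[str]] = {}
    for group in EXA_GROUPS[:-1]:
        bad = {m for m in groups.get(group, set()) if m.casefold() not in base}
        if bad:
            missing[group] = bad
    return missing


def read_groups_from_samples() -> Dict[str, Set[str]]:
    return {g: parse_net_localgroup(t) for g, t in SAMPLE_OUTPUT.items()}


def read_groups_live() -> Dict[str, Set[str]]:
    """Run 'net localgroup' for the four groups (Windows, groups held locally)."""
    out: Dict[str, Set[str]] = {}
    for group in EXA_GROUPS:
        proc = subprocess.run(["net", "localgroup", group], capture_output=True, text=True)
        out[group] = parse_net_localgroup(proc.stdout)
    return out


if __name__ == "__main__":
    live = sys.platform == "win32" and "--live" in sys.argv
    groups = read_groups_live() if live else read_groups_from_samples()
    for group, members in find_missing_quser_members(groups).items():
        print(f"{group}: not in QUserGroup: {', '.join(sorted(members))}")
```

In the constructed sample, CORP\Bob_Jones is in QAdministratorGroup but not in QUserGroup and is reported; in a Domain Configuration (Section 3.2.1) the members will typically be global groups rather than individual accounts, which the same parser handles unchanged.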

Advanced Exaquantum User Groups

It is possible to allow access to certain tags based on a user’s role. Administrators may be
able to view tags from all over the plant, but an Operator in Area 1, for example, would only
view tags in Area 1. This is controlled by an extension of the security model called Role-
Based Namespace and requires additional user groups to control access. Refer to the
Exaquantum/PIMS User’s Manual (IM 36J04A11-01E) for more information.

Membership of User Groups

The user groups contain the user accounts that are allowed the abilities particular to
the group. Therefore every account to be added must be visible from the location where
these groups are held. Alternatively, local copies of the user accounts can be created in the same
location as the user groups. These copies must have the same password as the originals.


Availability of Exaquantum Service Account

The Exaquantum Service account must be available to all Exaquantum computers. This can
be achieved by making it a domain account accessible by all Domain computers, or by
creating local copies of the account on each Exaquantum computer. All copies of the
Exaquantum Service account must have the same password.

Exaquantum Security Model

Exaquantum is a network-based product and involves managing databases to store and allow
retrieval of process data. Access to the databases must be controlled to allow only
authenticated users access. The security model used for Exaquantum is comprehensive,
allowing a flexible and solid degree of both general and role-based security. At the
cornerstone of this security model are Windows Security Groups.

The Exaquantum Security Model applies to both the Exaquantum Data Server and the
Exaquantum Web Server. Both servers use the same installation mechanism to comply with
the security model.

Exaquantum Security Model – Description

There are two parts to establishing a connection within Exaquantum, each with its own
requirement:

• Availability of the Exaquantum Service account

• Membership of the QUserGroup.

Note: Membership of other groups is needed to perform special operations but this is
omitted from this example for clarity.

The Exaquantum Service account is the account under which the server side processes run.
When a client connects to the server, the server side processes make a DCOM call back to
the client, so DCOM on the client must recognise the Exaquantum Service account for the
connection to succeed.

The second aspect of connection is the membership of User Groups. To allow basic
access to Exaquantum, all users must be members of the QUserGroup.

Example: a login takes place on an Exaquantum client computer by a user with a login
account of John_Smith. DCOM on the server first checks the QUserGroup for a member
called John_Smith. If a match is found a return DCOM connection running as the
Exaquantum Service account is made to the client where DCOM will check that it
recognizes the Exaquantum Service account. For more details see Chapter 4 DCOM and
Network Security in Exaquantum.


3.2 Adding Users to User Groups


There are two ways of adding the user account to the user group. These two methods give
rise to the two Security Models, the Domain Configuration and the Workgroup
configuration. There is a third configuration. This is a Workgroup configuration within a
domain.

Note: The examples below give a basic understanding of security concepts. The methods
described do not reflect the way that the software works in detail.

3.2.1 Domain Authentication

In a domain all user accounts can be created globally. As such they are available to all
computers in the domain. To add a user account to the user group, the user group is accessed
on the Domain controller and the account added using the appropriate tool. All accounts are
controlled centrally, which offers an administrative saving. The Exaquantum Service
account is also created globally in the domain, and so is available to all computers in the
domain. This ensures that Exaquantum processes will run correctly.

The User Groups are created locally on the Exaquantum Server(s) but should contain Global
groups as members allowing control of access to be managed from the Domain Controllers.

3.2.2 Workgroup Authentication

Workgroup Authentication works through matching local users/passwords on the client and
server; where these match the client user is treated as if it were the matching server user.

Workgroup authentication works whether the client and server are in a domain or
workgroup. In the case where the client is a domain member with a domain user logged on
and the server is in a workgroup configuration the domain user is treated as if it was a local
user on the client and compared for name and password with any local users on the server.

Therefore all user accounts used for Exaquantum access are duplicated on the Exaquantum
server, where the user groups are created. These duplicated user accounts are then added to
the local user groups. It should be noted, however, that there is considerably more
administration to perform, as each account needs to be added to each computer that requires
it. Additionally, password changes must be performed on each instance of the user account.


3.3 Creating the Exaquantum Groups and Users Manually


Role-Based Namespace (RBNS) Groups

It is possible to control the tags that each operator can view. This is done by creating
additional groups that further control access to the Exaquantum databases.

Each RBNS view is based on membership of one Windows security group. This group
should normally be created in the same place as your four standard Exaquantum User
Groups but can be created in a different location. Exaquantum supports groups in different
locations including a combination of locations. Therefore you can have RBNS views based
on groups created locally on the Exaquantum server as well as views based on groups
created on the local or external domains.

For more information, refer to "User account and Groups" in the Exaquantum Installation
Guide (IM 36J04A13-01E).

The RBNS configuration tool (located within Administration Tools of Exaquantum) allows
selection of Windows security groups from any location available on the network. However,
you will need some knowledge of the group type and restrictions, as these are not detailed by
the configuration tool. The following table should help you plan your RBNS group set-up:

Table 3-2 RBNS Group Set-Up

Group Type: Local Group
  Group Location: Exaquantum Server
  Potential Members: Local accounts on the Exaquantum Server; global accounts on the
  Exaquantum server’s domain; global accounts on external domains (subject to trust
  relationship)

Group Type: Global Group
  Group Location: Domain Controller
  Potential Members: Global accounts on the same domain; global groups on the same domain

Group Type: Domain Local Group (W2003 and W2008 Native)
  Group Location: Domain Controller
  Potential Members: Global accounts on the same domain; global groups on the same domain;
  domain local groups on the same domain; global accounts on a trusted domain; global
  groups on a trusted domain

This may require the assistance of your network administrator. RBNS group creation is
covered in more detail in the Exaquantum/PIMS User’s Manual (IM 36J04A11-01E).


EXA Account Password Setting

It may be necessary, due to site security policy, to change the EXA Account. This is done
using the tool:

<Exaquantum Installation Folder>\Exaquantum PIMS\System\ExaAccountSetting.exe.

The tool must be run as a user who has local administration rights. Additionally, on
Windows 2008, the tool must be run with elevated rights: right mouse click on
ExaAccountSetting.exe, and select Run as Administrator from the pop-up menu.

Note: If the EXA user account is changed, the previous user name will not be deleted
automatically. Delete the previous EXA account manually, after ensuring that the name
is not still used by other applications or packages.

For further information please refer to Installation Guide (EXA Account Setting).

3.4 OPC Servers Set-up


The OPC servers must also be configured to allow connection to an Exaquantum Server.
The only requirement is that the Exaquantum Service account is also available to each OPC
server. There are two ways this can be achieved.

3.4.1 Using a global user account

If your Exaquantum System is configured to use global security principals and the OPC
server has access to these, no action needs to be taken. This is the case if the OPC server is
in the same domain as the Exaquantum Server and a global Exaquantum Service account has
been configured. For all other cases you will have to create a local copy of the Exaquantum
Service account.

If you do not know if the account exists you can try to log on to the OPC server using the
Exaquantum Service account and password, specifying the correct domain. If you cannot
log on then you will have to create the account locally.

3.4.2 Using a local user account

If the OPC server does not have access to a global Exaquantum Service account, you must
create a local account. This must have the same password as the Exaquantum Service
account used by the Exaquantum Server.

Chapter 4 DCOM and Network Security in Exaquantum (Legacy Model)

Exaquantum uses DCOM for all network communication. This chapter gives some technical
details of how the Exaquantum components are configured to allow secure network
communication.

Figure 4-1 Communication Links in a Typical Exaquantum System shows the Exaquantum
components and how they communicate in a typical system comprising:

• A Client running Exaquantum/Explorer or the Administration Tools

• A Server running the Exaquantum Server components

• An OPC Server running Exaopc.


[Figure 4-1: three physical computers, Client (Quantum.exe), Server (Quantum.exe, OPC
Clients, SQL Server) and OPC Server; the legend distinguishes processes running in a
computer, physical computer boundaries, internal communications and external
communications]

Figure 4-1 Communication Links in a Typical Exaquantum System

The internal communications are shown for completeness but are not of significance to the
DCOM communications discussion.

Each of the External communication routes must be allowed, in terms of DCOM
communication security, for Exaquantum to function. The following tables show how the
Exaquantum installation adjusts the DCOM settings to allow each of the external
communication routes.

Each physical computer has DCOM settings for the entire computer as follows:

Table 4-1 DCOM Settings

Physical Computer: Server or Client
  How security is configured: The following settings remain as they are set on the PC (i.e.
  Exaquantum does not alter them):
    Default Authentication Level (default set to Connect)
    Default Impersonation Level (default set to Identify)

Physical Computer: OPC Server
  How security is configured: Default Authentication Level set to None. This is the Exaopc
  installation setting.
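The two computer-wide values in Table 4-1 are stored by Windows under HKLM\SOFTWARE\Microsoft\Ole as the REG_DWORD values LegacyAuthenticationLevel and LegacyImpersonationLevel (the "Default Authentication Level" and "Default Impersonation Level" shown by dcomcnfg). The following Python check is an added example, not part of the Yokogawa manual or the Exaquantum installer: it decodes those values, treating an absent value as the Windows default (Connect and Identify), and reports any deviation from Table 4-1 for the given role. Registry access sits behind a reader function, so the logic also runs offline with constructed values.

```python
"""Decode the computer-wide DCOM defaults referred to in Table 4-1.

Added example, not part of the Yokogawa manual. On Windows the dcomcnfg
'Default Authentication Level' and 'Default Impersonation Level' are the
REG_DWORD values LegacyAuthenticationLevel and LegacyImpersonationLevel under
HKLM\\SOFTWARE\\Microsoft\\Ole; an absent value means the Windows default.
"""
from typing import Callable, Dict, List, Optional

OLE_KEY = r"SOFTWARE\Microsoft\Ole"

# RPC_C_AUTHN_LEVEL_* constants, as stored in LegacyAuthenticationLevel.
AUTHN_LEVELS = {0: "Default", 1: "None", 2: "Connect", 3: "Call",
                4: "Packet", 5: "Packet Integrity", 6: "Packet Privacy"}
# RPC_C_IMP_LEVEL_* constants, as stored in LegacyImpersonationLevel.
IMP_LEVELS = {0: "Default", 1: "Anonymous", 2: "Identify",
              3: "Impersonate", 4: "Delegate"}

WINDOWS_DEFAULT_AUTHN = 2  # Connect, used when the value is absent
WINDOWS_DEFAULT_IMP = 2    # Identify, used when the value is absent

Reader = Callable[[str], Optional[int]]


def registry_reader(name: str) -> Optional[int]:
    """Read one value from HKLM\\SOFTWARE\\Microsoft\\Ole (Windows only)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, OLE_KEY) as key:
            value, _ = winreg.QueryValueEx(key, name)
            return int(value)
    except FileNotFoundError:
        return None


def dict_reader(values: Dict[str, int]) -> Reader:
    """Reader over constructed values, for offline use."""
    return lambda name: values.get(name)


def describe_dcom_defaults(read: Reader, role: str = "Server or Client") -> Dict[str, object]:
    """Resolve the effective levels and compare them with Table 4-1 for 'role'."""
    authn = read("LegacyAuthenticationLevel")
    imp = read("LegacyImpersonationLevel")
    # 0 ("Default") and a missing value both fall back to the Windows default.
    authn_eff = WINDOWS_DEFAULT_AUTHN if not authn else authn
    imp_eff = WINDOWS_DEFAULT_IMP if not imp else imp
    authn_name = AUTHN_LEVELS.get(authn_eff, f"unknown({authn_eff})")
    imp_name = IMP_LEVELS.get(imp_eff, f"unknown({imp_eff})")
    findings: List[str] = []
    if role == "OPC Server":
        # Table 4-1: the Exaopc installation sets the default authentication level to None.
        if authn_eff != 1:
            findings.append(f"Default Authentication Level is {authn_name}; "
                            "the Exaopc installation setting is None")
    else:
        # Table 4-1: Exaquantum leaves the PC defaults (normally Connect / Identify) alone;
        # a machine-wide None on a Server or Client is the deviation worth flagging.
        if authn_eff == 1:
            findings.append("Default Authentication Level is None on a Server/Client; "
                            "the PC default is Connect")
        if imp_eff != 2:
            findings.append(f"Default Impersonation Level is {imp_name}; "
                            "the PC default is Identify")
    return {"role": role, "authentication_level": authn_name,
            "impersonation_level": imp_name, "findings": findings}


if __name__ == "__main__":
    import sys
    reader: Reader = registry_reader if sys.platform == "win32" else dict_reader({})
    print(describe_dcom_defaults(reader))
```

Run it on each Server and Client PC after installation; an empty findings list means the machine-wide defaults are as Table 4-1 expects, whereas the per-process settings in Table 4-2 (which the OPC clients set programmatically) are not visible through these two values.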


Each individual Process has some specific DCOM settings to aid communications as follows:

Table 4-2 DCOM Settings

Columns: Process / Responsibility / How security is configured

Quantum.exe (Server)
  Responsibility: Manages RTDB and data communications to client.
  Security: Set to run as a specific user (Exaquantum Service Account; default is
  Quantumuser).

Quantum.exe (Client)
  Responsibility: Provides the Client ‘gateway’ into Exaquantum. All data returned from the
  RTDB passes through this process on its way from Server to Client.
  Security: Set to run as the interactive user, so this process runs as different users
  depending on who is logged on to the Client Computer.

Client Cache Management (QClient.exe) (Server)
  Responsibility: Manages caching of tag identifiers and configuration data. This reduces the
  load on the server database and network.
  Security: Set to run as a specific user (Exaquantum Service Account; default is
  Quantumuser).

Client Cache Management (QClient.exe) (Client)
  Responsibility: Manages caching of tag identifiers and configuration data. This reduces the
  load on the server database and network.
  Security: Set to run as the interactive user, so this process runs as different users
  depending on who is logged on to the computer.

OPC Clients (OPCDAMgr.exe)
  Responsibility: Reads and writes OPC data to the OPC Server.
  Security: Authentication level is programmatically set to ‘NONE’ to allow communication
  with the OPC Server. Set to run as a specific user (Exaquantum Service Account; default is
  Quantumuser).

OPC Clients (OPCAEPump.exe)
  Responsibility: Reads Alarm and Event data from the OPC Server.
  Security: Authentication level is programmatically set to ‘NONE’ to allow communication
  with the OPC Server. Set to run as a specific user (Exaquantum Service Account; default is
  Quantumuser).

OPC Clients (QFBRetriever.exe)
  Responsibility: Reads the list of Function Blocks from the OPC Server during Equalisation.
  Security: Set to run as a specific user (Exaquantum Service Account; default is
  Quantumuser).

OPC Clients (QOPCPropertyAccess.exe)
  Responsibility: Reads reference data (engineering limits, units, etc.) from the OPC server.
  Security: Authentication level is programmatically set to ‘NONE’ to allow communication
  with the OPC Server. Set to run as a specific user (Exaquantum Service Account; default is
  Quantumuser).

Reporting (QReporter.exe)
  Responsibility: Logs information and error messages to the event log or log file.
  Security: Set to run as a specific user (Exaquantum Service Account; default is
  Quantumuser).

Historian (QHistorian.exe)
  Responsibility: Reading and writing of data to and from the Historian data store.
  Security: Set to run as a specific user (Exaquantum Service Account; default is
  Quantumuser).

Historian Archiving (QArchive.exe)
  Responsibility: Manages the creation, back-up and restoring of historian data.
  Security: Set to run as a specific user (Exaquantum Service Account; default is
  Quantumuser).

Tag Builder (QBuilder.exe)
  Responsibility: Manages the creation, deletion and modification of tags, function blocks
  and folders.
  Security: Set to run as the interactive user, so this process runs as different users
  depending on who is logged on to the computer.

Tag Analyzing (QAnalyse.exe)
  Responsibility: Analyses the changes to be made from the current configuration database
  when creating, deleting or modifying tags, function blocks and folders.
  Security: Set to run as the interactive user, so this process runs as different users
  depending on who is logged on to the computer.

Event Management (QEventHandler.exe)
  Responsibility: Receives events from the OPC Alarm and Event components and takes action
  based on the system configuration.
  Security: Set to run as a specific user (Exaquantum Service Account; default is
  Quantumuser).

Recalculation (QReclcEngine.exe)
  Responsibility: Recalculation of Aggregations for late arriving data.
  Security: Set to run as a specific user (Exaquantum Service Account; default is
  Quantumuser).


Table 4-3 DCOM Settings shows how the Exaquantum installation adjusts the DCOM
settings to allow each of the external communication routes:

Table 4-3 DCOM Settings

Route: Client Quantum.exe to Server Quantum.exe
  Typical information exchanged: Asynchronous requests for RTDB and History data.
  How security is configured: DCOM Access Permissions for the Server are set to include a
  group containing all Client Users (QUserGroup). Quantum.exe set to use these defaults.

Route: Server Quantum.exe to Client Quantum.exe
  Typical information exchanged: Data from the Server is returned to the Client via
  call-backs.
  How security is configured: DCOM Access Permissions for the Server are set to include the
  Exaquantum Service user account. Quantum.exe set to use these defaults.

Route: OPC Clients to OPC Server
  Typical information exchanged: Asynchronous requests for OPC Data.
  How security is configured: DCOM Authentication Level is set to ‘NONE’ by OPC clients.

Route: Clients to SQL Server
  Typical information exchanged: Configuration information.
  How security is configured: Security login added for SQL Server for a group containing all
  client users (QUserGroup).


Chapter 5 Network Diagnostic Tool


5.1 Overview
A number of Exaquantum systems exhibit communication failures between Exaquantum
Servers, other Exaquantum Servers and Exaquantum Clients. These failures are reported in
the Windows Application Event log. They arise from a number of sources:

• Historian Client Query failures

• Historian Data call-back failures

• Client connection monitoring failures from Exaquantum Executive

• Exaquantum Server Manager connection failure

To help diagnose the potential causes of communication failures, functionality is provided
to allow administrators better diagnosis of network communication issues. This comprises:

• For Exaquantum Servers and Combined Servers, the utility NetworkTest

• For Exaquantum Clients and Web Servers, a network test facility from the Server
Manager

NOTE: The Network Diagnostic Tool supports IPv4 addresses only; IPv6 is not supported.


5.2 NetworkTest Utility


The NetworkTest utility is installed on Exaquantum servers only. It is located in the
Developer Tools folder (under the Exaquantum root folder). On launching, the Network test
dialog is displayed – see Figure 5-1.

Figure 5-1 Network Test utility

The Server should be entered; the IP address and FQDN fields are optional; if these are
blank when running the test, they will be filled in automatically.

The Test button will run the network tests, and the results will be shown in the output field.

The OK button will save the log file settings and close the application.

The Cancel button will close the application, without saving any changes.

The results of the test can be saved to a text file, by checking Output to Log file, and using
the Log File Path browse button to specify the output folder + file.


5.3 Server Manager


The Server Manager provides a basic and advanced check of connection health to an
Exaquantum Server from:

• Exaquantum Client

• Exaquantum Web Server

The Server Manager (Figure 5-2) is available from the Exaquantum menu, from the Start +
Programs option on the taskbar.

Figure 5-2 Server Manager


The Test button runs a basic connection test to either the Primary or Secondary server.

The Network Test button starts the Exaquantum Network Test dialog (Figure 5-3); this runs
detailed connection tests to either the Primary or Secondary server.

Figure 5-3 Network Test (Client)

After starting up the NetworkTest dialog, the server name will be filled in – it will contain
the name of the primary or secondary server. The IP Address and FQDN fields are optional;
if these are blank when running the test, they will be filled in automatically.

The Test button will run the network tests, and the results will be shown in the output field.

The OK button will save the log file settings and return to the Server manager dialog.

The Cancel button will return to the Server Manager dialog, without saving any changes.

The results of the test can be saved to a text file, by checking Output to Log file, and using
the Log File Path browse button to specify the output folder + file.


5.4 Test Detail


This section describes the test output from the Network Test Dialog. The dialog in Figure
5-4 shows its output, divided into 4 numbered sections. Each numbered section is described
in the following text.

Figure 5-4 Network Test output detail

1. Ping test

Conventional ping to the specified IP address.


2. DNS, name – IP address resolution

This has two functions:

o Confirmation that DNS is working

o Report of what IP address DNS reports for the specified server name

3. DNS, IP – name resolution

o Report of what name DNS reports for the specified IP address

4. Attach to remote Quantum Session, and create a callback to client

This test has two functions, which verify connectivity from Client to Server, and then back
from Server to the Client:

o Tests that a connection can be made to the Quantum Session running on the
specified server

o Following a successful test, the Quantum Session on the specified remote server
will execute a callback test to the client (where the Network Test Dialog is
running).
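As an added example, not the NetworkTest utility itself nor any Yokogawa code, the following Python script runs the same four steps from a command line: a ping, forward DNS, reverse DNS with a check that the returned name agrees with the server name, and, in place of attaching to the Quantum Session and receiving a DCOM callback (which needs the Exaquantum processes), a TCP connect to the RPC endpoint mapper on port 135, which proves reachability only and is labelled as such. Each probe is injectable so the sequence can be exercised offline with constructed results; the host and addresses reuse the manual's earlier example.

```python
"""Command-line version of the four Network Test steps (Figure 5-4).

Added example, not the NetworkTest utility. Step 4 is approximated: instead of
attaching to the remote Quantum Session and receiving a callback, it opens a TCP
connection to the RPC endpoint mapper (port 135) that DCOM uses, which only
proves reachability. Every probe can be replaced, so the sequence runs offline.
"""
import socket
import subprocess
import sys
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class StepResult:
    number: int
    title: str
    passed: bool
    detail: str


def ping_host(ip: str) -> bool:
    """Conventional ping, one echo request (-n on Windows, -c elsewhere)."""
    count_flag = "-n" if sys.platform == "win32" else "-c"
    proc = subprocess.run(["ping", count_flag, "1", ip], capture_output=True, text=True)
    return proc.returncode == 0


def forward_lookup(name: str) -> Optional[str]:
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def reverse_lookup(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def rpc_endpoint_reachable(ip: str) -> bool:
    """Substitute for step 4: TCP connect to the DCOM/RPC endpoint mapper."""
    try:
        with socket.create_connection((ip, 135), timeout=2.0):
            return True
    except OSError:
        return False


def run_network_test(server: str, ip: Optional[str] = None, *,
                     ping: Callable[[str], bool] = ping_host,
                     forward: Callable[[str], Optional[str]] = forward_lookup,
                     reverse: Callable[[str], Optional[str]] = reverse_lookup,
                     attach: Callable[[str], bool] = rpc_endpoint_reachable) -> List[StepResult]:
    """Run steps 1-4; like the dialog, an empty IP field is filled in from DNS."""
    resolved = forward(server)
    target = ip or resolved
    results: List[StepResult] = []

    # 1. Ping test
    if target is None:
        results.append(StepResult(1, "Ping test", False, "no IP address available"))
    else:
        results.append(StepResult(1, "Ping test", ping(target), f"ping {target}"))

    # 2. DNS, name -> IP address (confirms DNS works and what it reports)
    if resolved is None:
        results.append(StepResult(2, "DNS name -> IP", False, f"DNS cannot resolve {server}"))
    elif ip is not None and resolved != ip:
        results.append(StepResult(2, "DNS name -> IP", False, f"DNS reports {resolved}, dialog has {ip}"))
    else:
        results.append(StepResult(2, "DNS name -> IP", True, f"{server} -> {resolved}"))

    # 3. DNS, IP -> name; the returned host label should match the server name given
    if target is None:
        results.append(StepResult(3, "DNS IP -> name", False, "no IP address to look up"))
    else:
        name = reverse(target)
        if name is None:
            results.append(StepResult(3, "DNS IP -> name", False, f"no reverse record for {target}"))
        else:
            same_host = name.split(".")[0].casefold() == server.split(".")[0].casefold()
            results.append(StepResult(3, "DNS IP -> name", same_host, f"{target} -> {name}"))

    # 4. Attach to remote Quantum Session (approximated by the RPC endpoint probe)
    if target is None:
        results.append(StepResult(4, "Attach (RPC endpoint probe)", False, "no IP address to connect to"))
    else:
        results.append(StepResult(4, "Attach (RPC endpoint probe)", attach(target), f"tcp {target}:135"))
    return results


def all_passed(results: List[StepResult]) -> bool:
    return all(r.passed for r in results)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "Exaq1"
    for step in run_network_test(host):
        print(f"{step.number}. {step.title}: {'PASS' if step.passed else 'FAIL'} ({step.detail})")
```

A failure in step 2 with a passing step 1 (IP typed in by hand) is the signature of the DNS problems covered in Chapter 2; a failing step 4 with steps 1 to 3 passing points at DCOM or firewall configuration rather than name resolution, which is where the real callback test in the dialog adds the information this script cannot.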

Chapter 6 IT Security

6.1 Overview
This chapter is a guide for introducing IT (Information Technology) security to the EXA
system in order to defend against and counter current and future security threats.

Two security models are offered to minimize, wherever possible, the effects of IT security
introduction on the configuration and operation of the current system.

These models are based on the general configuration of all Yokogawa’s EXA products. The
application of these models requires the examination of the current system, engineering
activities and operations.

6.1.1 Positioning of this Guide

This chapter targets engineers who install the Exaquantum system and examine its operation.
The security provided is capable of defending against attacks on the Exaquantum system by
a third party who does not have specialized knowledge in IT and uses only generally
available devices or tools.

Four topics are covered in this chapter:

• Introduction to IT Security

• The IT Security Setting Tool

• How to change the IT Security model

• Configuration where there is co-existence of EXA products

6.1.2 Introduction to IT Security

Security Threats

There are a number of possible security threats that IT Security is designed to
handle. These are classified as follows:

1. Attack over a network

Threat of a negative impact on the system brought about by an unauthorized person from
Business Network/DMZ/PCN via a network, which causes the leakage of critical data.

2. Direct attack by operating a terminal

Threat of a negative impact on the system or removal of critical data by an unauthorized
person operating a terminal.


3. Theft of critical data

Threat that arises when a terminal or critical data is stolen and the data is analyzed.

4. Direct attack that operates a client terminal on the Business Network

Impact on the system or removal of data by a non-privileged person on a client terminal on
the Business LAN.

Figure 6-1 System configuration of IT security target

Each network block shown in Figure 6-1 is called a security zone. A security zone is a
logical or physical group of systems with a common security requirement and the same
security level. Defence is improved by using a hierarchy of zones with different security
settings.


6.1.3 Prerequisites to IT Security

The handling of security-related software used in this document is shown as follows.

Table 6-1 Prerequisites

Item: IT security
  Policy: The IT security (standard model) is configured in Exaquantum R2.60.00 at the
  installation stage. Versions prior to Exaquantum R2.60 were secured by individual setting
  by engineering.

Item: Wireless network
  Policy: The use of the wireless network for terminal access is not considered.

Item: Anti-virus software
  Policy: Only anti-virus software approved by Yokogawa Electric Corporation is to be used.
  Moreover, each update must be verified on a test terminal before use, to check for
  unanticipated effects of a new scan engine or pattern file update.

Item: Windows security patch (service packs included)
  Policy: Only security patches whose necessity is confirmed by Yokogawa are to be applied.

Item: Windows Auto Update function
  Policy: The Auto Update function of Windows cannot be used.

Item: Unverified software
  Policy: The installation and use of programs that are not verified by Yokogawa Electric
  Corporation is prohibited.

Item: Domain server
  Policy: A freshly configured or an existing Domain and Domain Controller is required when
  Domain User Management is to be used. Individual engineering is necessary when operating
  with a domain.


6.2 Security measures and security model


To oppose the security threats defined in the preceding section, three security models are
offered, which provide different levels of protection:

• Legacy

• Standard

• Strengthened

If the Strengthened Model is required, please contact your local Yokogawa representative.

6.2.1 Security measures

IT Security covers six areas of security measures against the identified threats:

• Access control

• Tuning of Personal F/W

• Change in SQL server service account

• Stop unnecessary Windows services

• Setting change of information technology environment

• Security of Web server


6.2.2 Security Models

When installing Exaquantum R2.60 or later, you can choose to configure the Legacy or
Standard model by using the IT Security Setting Tool.

Table 6-2 Security Models

Legacy Model
  Feature: Model that gives priority to consolidation with previous versions and products
  not supporting ‘IT security’ models.
  Adjustment means: On installation of Exaquantum R2.60.00 or later, ‘IT Security’ can be
  selected as Legacy or Standard model.

Standard model
  Feature: The model has features to counter "Attack over the network" and "Direct attack
  from terminal operation"; consideration must be given to Exaquantum operation with another
  system (Exaopc and CENTUM, etc.). "Theft of critical data" is not opposed by the Standard
  Model, because the threat is considered low given Exaquantum’s features.
  Adjustment means: On installation of Exaquantum R2.60.00 or later, ‘IT Security’ can be
  selected as Legacy or Standard model.

NOTE: Security Model Combination

All Exaquantum systems in the same installation must have the same security model.
For example, the following combination is not allowed:
- Exaquantum Server (Legacy Model) + Exaquantum Client (Standard Model).

Security model and security type

The security restrictions corresponding to each security model are shown in the following
table.

Table 6-3 Security Type

Security type                                           Legacy Model   Standard model
Access control                                          ×              YY
Tuning of Personal F/W                                  ×              YY
Change in SQL server service account                    ×              YY
Stop unnecessary Windows services                       ×              ×
Setting change of information technology environment    ×              Y
Security of Web server                                  ×              Y

×: Not implemented

YY: implemented (set by IT Security Setting Tool)

Y: implemented (set manually)


6.2.3 How to Use IT Security Setting Tool

This tool is for use in the following situations:

♦ When changing security level is required.

♦ When returning the settings operated manually to the default.

♦ After installing another EXA package that supports IT Security such as Exapilot,
ExaOPC, Exaplog

The IT security setting tool is available on:

• Exaquantum PIMS Server

• Exaquantum Combined Server

• Exaquantum Web Server

• Exaquantum Client.

The tool is not available on an Exaquantum Web Client

The following steps provide information for the general use of the tool. Section 6.2.4
Changing the Security Model provides the detail for specific scenarios.

1 The user for executing the IT security setting tool differs depending on the current
security model and user management. Log on as the appropriate user, as detailed in
Section 6.2.4 Changing the Security Model, before running the IT Security setting
tool.

IMPORTANT

If this tool is started by a user without administrative privilege, or by one who does not
belong to the EXA_MAINTENANCE group, an error dialog is displayed.

2 Stop Exaquantum, and all related processes.

IMPORTANT

Close all client windows before running the IT security tool. Any running Exaquantum and
EXA services, such as Exa Boss and PM Logd, will be stopped.

3 Select "IT security setting" menu from the Windows start menu.

"Start" - "YOKOGAWA EXA" - "Security" -"IT security setting"

Note: Don’t use Security Setting Change Tool for Exaopc. From Windows Start Menu –
[YOKOGAWA EXA] – [Security].


4 A dialog box to select the package(s) to which to apply Security settings is displayed.
Checks are done on the Security settings of all packages that support ‘IT Security’.
Because the Security settings are necessary for all packages when the security model is
changed, the check cannot be removed.

TIP: All currently installed packages that support IT security settings are checked.

5 "Selection of the security model" dialog box is displayed. Select the appropriate type of
IT security, and click "Next" button.

TIP: The currently set security model is selected by default.

IMPORTANT

♦ "Standard model (domain)" cannot be selected on a PC that is not a member of a
domain.

♦ Only models that the user has privilege to change can be selected.

♦ When "Standard model (stand-alone)" is selected for a PC that participates in a
Windows domain, the following dialog boxes are displayed. Click the “OK”
button.

6 Perform operations according to the selected security model.

TIP: The Security Settings window allows the user to select security items to be configured
in the computer. As long as there is no particular reason, select the check boxes of all
security items. If a model which is different from the currently-set Security Model is
selected, all security items need to be configured. Leave all security items as they are
selected.

♦ When "Legacy Model" or "Standard model (stand-alone)" are selected, the Security
settings window is displayed. It is recommended that all items be checked

♦ When "Standard model (domain)" is selected, the Security settings window displays the
current domain name

Click Set button.

7 A dialog box to acknowledge if the EXA package can be stopped is displayed.

Clicking No closes the dialog box and returns to step 6.


IMPORTANT

When "Standard (Domain)" is selected and a required user group has not been created on the domain
server, an error message is displayed.

Click the OK button, create the required user group on the domain server, then repeat the procedure from
step 3.

8 When the Security setting starts, a progress bar is displayed at the lower left of the
Security settings item dialog box.

9 After the setting is complete, a dialog box is displayed.

Click OK to reboot the PC.

NOTE: If the settings end abnormally, a dialog box is displayed. Click OK to end
the IT Security Tool.

Collect the information necessary for analysis with the EXA package information
gathering tool and send the query to YOKOGAWA.

IMPORTANT

Any manual changes made since the last run of the IT security setting tool or since
installation may be lost when this tool is run. Such changes will need to be made again.

Note: On the Exaquantum/PIMS Server, monitoring is performed by the Status Monitoring
Tool, and part of its settings must be changed manually. Refer to Chapter 18 Status
Monitoring Tool in Exaquantum Engineering Guide Volume 3 - Support Tools
(IM36J04A15-03E).

6.2.4 Changing the Security Model

A user who changes the current Security Model must hold the execution authority for both
the model before the change and the model after the change.

To give the user the appropriate permission, refer to “Section 2.23 User Group Generation
before Installation” in IM36J04A13-01E Exaquantum Installation Guide.

Legacy or Legacy Secure Lockdown to Standard (Workgroup)

Conditions

• The logged-on user must be a member of the following groups:

o Local Administrators

o Local EXA_MAINTENANCE

Steps

1. Log on as the appropriate user

2. Run the IT Security setting tool

3. Delete the local accounts quantumuser and EXA (if running on a server)

4. Reboot the PC

Legacy or Legacy Secure Lockdown to Standard (Domain)

Conditions

• The machine must be a member of the Domain.

• The set of groups detailed in Section 2.9 “User Account and Group” of the
Installation Guide must have been created on the Domain.

• The logged-on user must be a member of the following groups:

o Local Administrators

o Domain EXA_MAINTENANCE

Steps

1. Log on as the appropriate user

2. Run the IT Security setting tool

3. Delete the local accounts quantumuser and EXA (if running on a server)

4. Reboot the PC

Standard (Workgroup) to Legacy

Conditions

• The logged-on user must be a member of the following groups:

o Local Administrators

o Local EXA_MAINTENANCE

• Change the password policy as detailed in Section 10.22 “Password Policy Setting (Legacy
Model)” of the Installation Guide.

Steps

1. Log on as the appropriate user

2. Run the IT Security setting tool

3. Reboot the PC

Standard (Domain) to Legacy

Conditions

• The logged-on user must be a member of the following groups:

o Local Administrators

o Local EXA_MAINTENANCE_LCL

• Change the password policy as detailed in Section 10.22 “Password Policy Setting (Legacy
Model)” of the Installation Guide.

Steps

1. Log on as the appropriate user

2. Run the IT Security setting tool

3. Reboot the PC

4. Optionally, remove the machine from the Domain

5. Remove the groups listed in Section 2.9 “User Account and Group” of the Installation
Guide from the Domain.

Standard (Workgroup) to Standard (Domain)

Conditions

• The machine must be a member of the Domain.

• The set of groups detailed in Section 2.9 “User Account and Group” of the
Installation Guide must have been created on the Domain.

• The logged-on user must be a domain user.

• The logged-on user must be a member of the following groups:

o Local Administrators

o Domain EXA_MAINTENANCE

o Local EXA_MAINTENANCE

Steps

1. Log on as the appropriate user

2. Run the IT Security setting tool

3. Reboot the PC

4. Remove the local groups listed in Section 2.9 “User Account and Group” of the
Installation Guide.

Standard (Domain) to Standard (Workgroup)

Conditions

• The logged-on user must be a member of the following groups:

o Local Administrators

o Local EXA_MAINTENANCE

Steps

1. Log on as the appropriate user

2. Run the IT Security setting tool

3. Reboot the PC

4. Optionally, remove the machine from the Domain

5. Remove the groups listed in Section 2.9 “User Account and Group” of the Installation
Guide from the Domain.

Note: On the Exaquantum/PIMS Server, monitoring is performed by the Status Monitoring
Tool, and part of its settings must be changed manually. Refer to Chapter 18 Status
Monitoring Tool in Exaquantum Engineering Guide Volume 3 - Support Tools
(IM36J04A15-03E).
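The transitions above share one pattern: check that the logged-on user holds the memberships for both the old and the new model, run the tool, reboot, then clean up the accounts or groups the old model leaves behind. The following PowerShell script is an added example and not part of this manual or of the IT Security setting tool; it encodes the membership conditions of the six transitions exactly as listed above, refuses to proceed if any is missing, and performs the deletion of the Legacy accounts quantumuser and EXA only when run with -Apply after the tool has finished. The transition names, the -Apply switch and the message texts are this example's own conventions. It uses the WinNT ADSI provider and WMI so that it also runs on Windows Server 2008 / Windows 7 (PowerShell 2.0); run it from an elevated prompt, because a UAC-filtered token does not report Administrators membership.

```powershell
# Added example (not part of the Yokogawa manual): pre-flight check for the
# Security Model transitions of Section 6.2.4, plus the post-change deletion
# of the Legacy accounts "quantumuser" and "EXA". Run from an elevated
# PowerShell prompt. Transition names and the -Apply switch are this
# example's own conventions, not the IT Security setting tool's.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Legacy->StandardWorkgroup', 'Legacy->StandardDomain',
                 'StandardWorkgroup->Legacy', 'StandardDomain->Legacy',
                 'StandardWorkgroup->StandardDomain', 'StandardDomain->StandardWorkgroup')]
    [string]$Transition,
    [switch]$Apply    # without -Apply nothing is deleted, only reported
)

# Required memberships per transition, as listed in 6.2.4.
# LOCAL\ is this PC's local SAM, DOMAIN\ the Windows domain it belongs to.
$Rules = @{
    'Legacy->StandardWorkgroup'         = @{ Groups = @('LOCAL\Administrators', 'LOCAL\EXA_MAINTENANCE'); DeleteLegacyAccounts = $true }
    'Legacy->StandardDomain'            = @{ Groups = @('LOCAL\Administrators', 'DOMAIN\EXA_MAINTENANCE'); NeedsDomain = $true; DeleteLegacyAccounts = $true }
    'StandardWorkgroup->Legacy'         = @{ Groups = @('LOCAL\Administrators', 'LOCAL\EXA_MAINTENANCE') }
    'StandardDomain->Legacy'            = @{ Groups = @('LOCAL\Administrators', 'LOCAL\EXA_MAINTENANCE_LCL') }
    'StandardWorkgroup->StandardDomain' = @{ Groups = @('LOCAL\Administrators', 'DOMAIN\EXA_MAINTENANCE', 'LOCAL\EXA_MAINTENANCE'); NeedsDomain = $true; NeedsDomainUser = $true }
    'StandardDomain->StandardWorkgroup' = @{ Groups = @('LOCAL\Administrators', 'LOCAL\EXA_MAINTENANCE') }
}

$cs        = Get-WmiObject Win32_ComputerSystem          # available on PowerShell 2.0
$domain    = if ($cs.PartOfDomain) { $cs.Domain.Split('.')[0] } else { $null }
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$rule      = $Rules[$Transition]
$failures  = @()

if ($rule.NeedsDomain -and -not $domain) {
    $failures += 'This PC is not a domain member, so Standard (Domain) cannot be selected.'
}
if ($rule.NeedsDomainUser -and ($identity.Name -notlike "$domain\*")) {
    $failures += "Logged-on user $($identity.Name) is not a domain user."
}
foreach ($g in $rule.Groups) {
    $scope, $name = $g.Split('\')
    $ntName = if ($scope -eq 'DOMAIN') { "$domain\$name" }
              elseif ($name -eq 'Administrators') { "BUILTIN\$name" }
              else { "$env:COMPUTERNAME\$name" }
    $member = $false
    try { $member = $principal.IsInRole($ntName) } catch { $member = $false }   # unresolvable group = not a member
    if (-not $member) { $failures += "Logged-on user is not a member of $ntName." }
}

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    throw "Pre-conditions for '$Transition' are not met; do not run the IT Security setting tool yet."
}
Write-Host "Pre-conditions for '$Transition' are met. Run the IT Security setting tool now."

# Step 3 of the Legacy -> Standard procedures: delete the Legacy local accounts.
# The WinNT ADSI provider works on every Windows version the manual covers
# (Get-LocalUser needs PowerShell 5.1). Re-run with -Apply after the tool has finished.
if ($rule.DeleteLegacyAccounts) {
    $sam = [ADSI]"WinNT://$env:COMPUTERNAME"
    foreach ($acct in 'quantumuser', 'EXA') {
        if (-not [ADSI]::Exists("WinNT://$env:COMPUTERNAME/$acct,user")) { continue }
        if ($Apply) { $sam.Delete('User', $acct); Write-Host "Deleted local account $acct." }
        else        { Write-Host "Would delete local account $acct (re-run with -Apply after the tool)." }
    }
}
```

Usage: `.\Check-ExaModelChange.ps1 -Transition 'Legacy->StandardDomain'` before step 2, and the same command with `-Apply` after the tool has completed and before the reboot. The removal of the Section 2.9 groups (steps 4 and 5 of the Standard to Legacy and Domain to Workgroup procedures) is deliberately left to the administrator, because the group list lives in the Installation Guide and is not reproduced here.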


6.2.5 Collaborating with Other Products

This section describes the procedures required for linking Exaquantum R2.70 with the
other YOKOGAWA solution-based software packages as of the R2.70 release.

All descriptions are for the Exaquantum server only; no settings are required for an Exaquantum
client.

Refer to the coexistence and connection instructions in the manuals for the other packages in
parallel with this document.

Two configurations are considered for each package:

Coexistence: Operating environment where the Exaquantum server and the other package operate on the
same PC.

Connection: Operating environment where the Exaquantum server and the other package operate on
different PCs connected via a network.

Note: Exaquantum does not support the new Combination Management model in IT security.

• Security Model

If Exaquantum coexists with another product, set the same security model on each product.
When Exaquantum R2.70 coexists with Exaopc R3.70 or later, Exapilot R3.90 or later, Exaplog R3.40 or
later, Exasmoc R4.03 or later or Exarqe R4.03 or later, set the “Legacy Model”. This is because the IT
Security Setting tool differs between Exaquantum and these products.
If Exaquantum coexists with other products that do not support IT Security, the Security model must be
set to Legacy on Exaquantum.

• User Management

If Exaquantum coexists or connects with another product, set the same User Management on both. If the
Security Model or the User Management differs from that of the other product, Exaquantum will not run
correctly.

Products other than Exaquantum support Combination Management; Exaquantum does not support this
mode. For a description of Combination Management, refer to the documentation of those products.

Exaquantum in Legacy mode is supported in a domain environment; the other products do not support
this arrangement. If other products must connect with Exaquantum running in this way, use the
Standalone procedure (documented in the following tables) for the other products.

• About the Exaquantum execution account

To create the Exaquantum service account “QTM_PROCESS” on a remote PC, use the
"Process execution account making tool". This is included on the Exaquantum DVD; execute
the tool from the DVD on the PC that requires the account.

<DVD>:TOOLS\CreateQTMProcess.exe

• Integration Code

The integration code described on and after this page is a code assigned to each combination of
Yokogawa system products.

If Exaquantum is combined with another product, confirm the integration code described in
both manuals. The last two digits of an integration code are the revision number of the
combination information; a larger number indicates a newer revision. If the latest versions of
Exaquantum and the other product are combined, perform setup according to the procedure
with the larger revision number.

(Example) In the integration code 0103-0201-03-01, the last two digits (01) are the revision number.


6.2.5.1 Exaopc
For the Standard Model, matching Exaquantum and Exaopc service accounts are required on both
systems, and the accounts must be members of the particular user groups listed below.

The "Process execution account making tool" from the Exaopc product CD is used to create the
OPC_PROCESS user.

<DVD>:EXA\TOOLS\CreateOPCProcess.exe

Exaopc R3.70.00 or later (Integration Code: 0801-0401-03-02)

NOTE. Exaquantum and Exaopc R3.70.00 can only coexist in Legacy mode. This is because the two
products have different versions of the IT Security Setting tool.

Coexistence.

1. Exaquantum Legacy / Exaopc Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: Not Applicable.

2. Exaquantum Standard / Exaopc Standard
   Standalone Management: Not supported.
   Domain Management: Not supported.

Connection.

1. Exaquantum Standard / Exaopc Standard
   Standalone Management:
     Exaquantum: Create the User Account "OPC_PROCESS" and place it in the user group "QTM_OPC".
     Exaopc: Create the User Account "QTM_PROCESS" and place it in the user group "OPC_USER".
   Domain Management:
     Exaquantum: Create the User Account "OPC_PROCESS" and place it in the user group "QTM_OPC_LCL".
     Exaopc: Create the User Account "QTM_PROCESS" and place it in the user group "OPC_USER_LCL".

2. Exaquantum Standard / Exaopc Legacy
   Standalone Management:
     Exaquantum: Create the Exaopc process account (default EXA) with a password matching the Exaopc
     server, and place it in the user group "QTM_OPC".
     Exaopc: Create the User Account "QTM_PROCESS".
   Domain Management:
     Exaquantum: Create the Exaopc process account (default EXA) with a password matching the Exaopc
     server, and place it in the user group "QTM_OPC_LCL".
     Exaopc: Not Applicable.

3. Exaquantum Legacy / Exaopc Standard
   Standalone Management:
     Exaquantum: Create the User Account “OPC_PROCESS”.
     Exaopc: Create the User Account "quantumuser" with a password matching the Exaquantum server,
     and place it in the user group "OPC_USER".
   Domain Management:
     Exaquantum: Create the local User Account “OPC_PROCESS”.
     Exaopc: Create the User Account "quantumuser" with a password matching the Exaquantum server,
     and place it in the user group "OPC_USER_LCL".

4. Exaquantum Legacy / Exaopc Legacy
   Standalone Management:
     Exaquantum: Create the Exaopc process account (default EXA) with a password matching the Exaopc
     server. If the Exaopc process execution account is EXA, there is no need to create it.
     Exaopc: Create the User Account "quantumuser" with a password matching the Exaquantum server.
   Domain Management:
     Exaquantum: Create the Exaopc process local account (default EXA) with a password matching the
     Exaopc server. If the Exaopc process execution account is EXA, there is no need to create it.
     Exaopc: Not Applicable.

Exaopc R3.60.00

NOTE. Exaquantum and Exaopc R3.60.00 cannot coexist on the same PC. This is because the two products
have different versions of the IT Security Setting tool.

Connection.

1. Exaquantum Standard / Exaopc Standard
   Standalone Management:
     Exaquantum: Create the User Account "OPC_PROCESS" and place it in the user group "QTM_OPC".
     Exaopc: Create the User Account "QTM_PROCESS" and place it in the user group "OPC_USER".
   Domain Management:
     Exaquantum: Create the User Account "OPC_PROCESS" and place it in the user group "QTM_OPC_LCL".
     Exaopc: Create the User Account "QTM_PROCESS" and place it in the user group "OPC_USER_LCL".

2. Exaquantum Standard / Exaopc Legacy
   Standalone Management:
     Exaquantum: Create the Exaopc process account (default EXA) with a password matching the Exaopc
     server, and place it in the user group "QTM_OPC".
     Exaopc: Create the User Account "QTM_PROCESS".
   Domain Management:
     Exaquantum: Create the Exaopc process account (default EXA) with a password matching the Exaopc
     server, and place it in the user group "QTM_OPC_LCL".
     Exaopc: Not Applicable.

3. Exaquantum Legacy / Exaopc Standard
   Standalone Management:
     Exaquantum: Create the User Account “OPC_PROCESS”.
     Exaopc: Create the User Account "quantumuser" with a password matching the Exaquantum server,
     and place it in the user group "OPC_USER".
   Domain Management:
     Exaquantum: Create the User Account “OPC_PROCESS”.
     Exaopc: Create the User Account "quantumuser" with a password matching the Exaquantum server,
     and place it in the user group "OPC_USER_LCL".

4. Exaquantum Legacy / Exaopc Legacy
   Standalone Management:
     Exaquantum: Create the Exaopc process account (default EXA) with a password matching the Exaopc
     server. If the Exaopc process execution account is EXA, there is no need to create it.
     Exaopc: Create the User Account "quantumuser" with a password matching the Exaquantum server.
   Domain Management:
     Exaquantum: Create the Exaopc process local account (default EXA) with a password matching the
     Exaopc server. If the Exaopc process execution account is EXA, there is no need to create it.
     Exaopc: Not Applicable.

Exaopc R3.50.10 or earlier (IT security not supported)

NOTE. Exaquantum and Exaopc R3.50.10 (or earlier) cannot coexist on the same PC. Connection is
possible, but only with Exaopc running in Legacy mode.

Connection.

1. Exaquantum Standard / Exaopc Legacy
   Standalone Management:
     Exaquantum: Create the Exaopc process account (default EXA) with a password matching the Exaopc
     server, and place it in the user group "QTM_OPC".
     Exaopc: Create the User Account "QTM_PROCESS".
   Domain Management:
     Exaquantum: Create the Exaopc process account (default EXA) with a password matching the Exaopc
     server, and place it in the user group "QTM_OPC_LCL".
     Exaopc: Not Applicable.

2. Exaquantum Legacy / Exaopc Legacy
   Standalone Management:
     Exaquantum: Create the Exaopc process account (default EXA) with a password matching the Exaopc
     server. If the Exaopc process execution account is EXA, there is no need to create it.
     Exaopc: Create the User Account "quantumuser" with a password matching the Exaquantum server.
   Domain Management:
     Exaquantum: Create the Exaopc process local account (default EXA) with a password matching the
     Exaopc server. If the Exaopc process execution account is EXA, there is no need to create it.
     Exaopc: Not Applicable.
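Every "Create the User Account ... and place it in the user group ..." entry in the Exaopc tables (and in the Exapilot, Exaplog and CENTUM tables that follow) is the same operation: the peer product's process execution account must exist on this PC, with the same name and password as on the peer server under Standalone Management, and must be a member of the named Exaquantum group. The PowerShell script below is an added example, not part of this manual or of the "Process execution account making tool"; its defaults are the Exaquantum Standard / Exaopc Standard case under Standalone Management (OPC_PROCESS into QTM_OPC on the Exaquantum server), and the same script with -Account QTM_PROCESS -Group OPC_USER covers the Exaopc side. With -Domain it performs only the local *_LCL group membership of the Domain Management column, because the account itself already exists in the domain. The parameter names and the -Apply switch are this example's own.

```powershell
# Added example (not part of the Yokogawa manual): creates the peer product's
# process execution account on this PC and places it in the Exaquantum group
# that the connection tables require. Run elevated on the PC being configured.
param(
    [string]$Account = 'OPC_PROCESS',   # peer product's process execution account
    [string]$Group   = 'QTM_OPC',       # Exaquantum group from the table for this case
    [string]$Domain  = '',              # NetBIOS domain name: Domain Management column
    [switch]$Apply                      # without -Apply only report
)

$groupPath = "WinNT://$env:COMPUTERNAME/$Group,group"
if (-not [ADSI]::Exists($groupPath)) {
    throw "Local group '$Group' does not exist on this PC; create the groups for the chosen security model first (Installation Guide, Section 2.9)."
}

if ($Domain) {
    # Domain Management: the account lives in the domain; only the local
    # *_LCL group membership is added on this PC.
    $memberPath = "WinNT://$Domain/$Account,user"
} else {
    # Standalone Management: a local account whose name and password must be
    # identical on both PCs, because workgroup (pass-through) authentication
    # succeeds only when both match on the peer.
    $memberPath = "WinNT://$env:COMPUTERNAME/$Account,user"
    if (-not [ADSI]::Exists($memberPath)) {
        # Prompt rather than take the password on the command line, so it does
        # not end up in the console history.
        $secure = Read-Host -AsSecureString "Password for $Account (must match the peer server)"
        $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
        try {
            $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
            if ($Apply) {
                $sam  = [ADSI]"WinNT://$env:COMPUTERNAME"
                $user = $sam.Create('User', $Account)
                $user.SetPassword($plain)
                $user.SetInfo()
                Write-Host "Created local account $Account."
            } else { Write-Host "Would create local account $Account." }
        } finally {
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # clear the plain text copy
            $plain = $null
        }
    }
}

$grp = [ADSI]$groupPath
if ($Apply) {
    try {
        $grp.Add($memberPath)
        Write-Host "Added $memberPath to $Group."
    } catch {
        # Typically 'already a member' or an unresolvable domain account; show the provider's message.
        Write-Warning "Could not add $memberPath to ${Group}: $($_.Exception.Message)"
    }
} else {
    Write-Host "Would add $memberPath to $Group (re-run with -Apply)."
}
```

Usage for connection case 1 above: on the Exaquantum server `.\Add-ExaPeerAccount.ps1 -Account OPC_PROCESS -Group QTM_OPC -Apply`, on the Exaopc server `.\Add-ExaPeerAccount.ps1 -Account QTM_PROCESS -Group OPC_USER -Apply`, entering the same password at both prompts; for the Domain Management column add `-Domain <NetBIOS domain>` and use the `_LCL` group names. The WinNT provider is used deliberately: it is present on Windows Server 2008 and Windows 7, where the Get-LocalUser and Add-LocalGroupMember cmdlets are not.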


6.2.5.2 Exapilot
For the Standard (Strengthened) model, the service accounts must be replicated between
the systems and placed into the correct user groups.

Because the Exaquantum client must be installed with Exapilot, coexistence or connection with a
different security model cannot be used.

The Exapilot execution account

A tool is provided for creating the Exapilot execution account “PLT_PROCESS”.
It is included on the Exapilot CD and can be executed from the Exapilot CD.

<CD>:EXA\TOOLS\CreatePLTProcess.exe

Exapilot R3.90.00 (Integration Code: 0801-0601-03-02)

NOTE. Exaquantum and Exapilot R3.90.00 can only coexist in Legacy mode. This is because the two
products have different versions of the IT Security Setting tool.

When Exaquantum Input/Output Unit Procedures are used

Coexistence.

1. Exaquantum Legacy / Exapilot Legacy
   Standalone Management: Create the Exapilot process account (default EXA) with a password matching
   the Exapilot server, and place it in the user groups "QUserGroup" and "QDataWriteGroup".
   Domain Management: Not Applicable.

2. Exaquantum Standard / Exapilot Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.

Connection.

1. Exaquantum Standard / Exapilot Standard
   Standalone Management: Exaquantum: Not Supported. Exapilot: Not Supported.
   Domain Management: Exaquantum: Not Supported. Exapilot: Not Supported.

2. Exaquantum Standard / Exapilot Legacy
   Standalone Management: Exaquantum: Not Supported. Exapilot: Not Supported.
   Domain Management: Exaquantum: Not Supported. Exapilot: Not Applicable.

3. Exaquantum Legacy / Exapilot Standard
   Standalone Management: Exaquantum: Not Supported. Exapilot: Not Supported.
   Domain Management: Exaquantum: Not Supported. Exapilot: Not Supported.

4. Exaquantum Legacy / Exapilot Legacy
   Standalone Management:
     Exaquantum: Create the Exapilot process account (default EXA) with a password matching Exapilot,
     and add this user to the user groups "QUserGroup" and “QDataWriteGroup”.
     Exapilot: No special settings are necessary.
   Domain Management:
     Exaquantum: Create the Exapilot process account (default EXA) with a password matching Exapilot,
     and add this user to the user groups "QUserGroup" and “QDataWriteGroup”.
     Exapilot: Not Applicable.

When the Exapilot ActiveX Control attached to Exaquantum Explorer is used

Coexistence.

1. Exaquantum Legacy / Exapilot Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: Not Applicable.

2. Exaquantum Standard / Exapilot Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.

Connection.

1. Exaquantum Standard / Exapilot Standard
   Standalone Management: Exaquantum: Not Supported. Exapilot: Not Supported.
   Domain Management: Exaquantum: Not Supported. Exapilot: Not Supported.

2. Exaquantum Standard / Exapilot Legacy
   Standalone Management: Exaquantum: Not Supported. Exapilot: Not Supported.
   Domain Management: Exaquantum: Not Supported. Exapilot: Not Applicable.

3. Exaquantum Legacy / Exapilot Standard
   Standalone Management: Exaquantum: Not Supported. Exapilot: Not Supported.
   Domain Management: Exaquantum: Not Supported. Exapilot: Not Supported.

4. Exaquantum Legacy / Exapilot Legacy
   Standalone Management: Exaquantum: No special settings are necessary. Exapilot: No special settings are necessary.
   Domain Management: Exaquantum: No special settings are necessary. Exapilot: Not Applicable.


Exapilot R3.70.00, R3.80.00

When Exaquantum Input/Output Unit Procedures are used

Coexistence.

1. Exaquantum Legacy / Exapilot Legacy
   Standalone Management: Create the Exapilot process account (default EXA) with a password matching
   the Exapilot server, and place it in the user groups "QUserGroup" and "QDataWriteGroup".
   Domain Management: Not Applicable.

2. Exaquantum Standard / Exapilot Standard
   Standalone Management:
     Place the User Account "PLT_PROCESS" in the user group “QTM_DATA_READ".
     Place the User Account "PLT_PROCESS" in the user group “QTM_DATA_WRITE".
     Place the User Account "QTM_PROCESS" in the user group “PLT_OPC".
   Domain Management:
     Place the User Account "PLT_PROCESS" in the user group “QTM_MAINTENANCE_LCL".
     Place the User Account "QTM_PROCESS" in the user group “PLT_OPC_LCL".

Connection.

1. Exaquantum Standard / Exapilot Standard
   Standalone Management:
     Exaquantum: Create the User Account "PLT_PROCESS". Place it in the user group “QTM_DATA_READ"
     and in the user group “QTM_DATA_WRITE".
     Exapilot: Place the User Account "QTM_PROCESS" in the user group “PLT_OPC".
   Domain Management:
     Exaquantum: Create the User Account "PLT_PROCESS". Place it in the user group
     “QTM_MAINTENANCE_LCL".
     Exapilot: Place the User Account "QTM_PROCESS" in the user group “PLT_OPC_LCL".

2. Exaquantum Standard / Exapilot Legacy
   Standalone Management: Exaquantum: Not Supported. Exapilot: Not Supported.
   Domain Management: Exaquantum: Not Supported. Exapilot: Not Applicable.

3. Exaquantum Legacy / Exapilot Standard
   Standalone Management: Exaquantum: Not Supported. Exapilot: Not Supported.
   Domain Management: Exaquantum: Not Supported. Exapilot: Not Supported.

4. Exaquantum Legacy / Exapilot Legacy
   Standalone Management:
     Exaquantum: Create the Exapilot process account (default EXA) with a password matching Exapilot,
     and add this user to the user groups "QUserGroup" and “QDataWriteGroup”.
     Exapilot: No special settings are necessary.
   Domain Management:
     Exaquantum: Create the Exapilot process account (default EXA) with a password matching Exapilot,
     and add this user to the user groups "QUserGroup" and “QDataWriteGroup”.
     Exapilot: Not Applicable.

When the Exapilot ActiveX Control attached to Exaquantum Explorer is used

Coexistence.

1. Exaquantum Legacy / Exapilot Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: Not Applicable.

2. Exaquantum Standard / Exapilot Standard
   Standalone Management: Place the user who runs Exaquantum Explorer in the user group “PLT_OPERATOR".
   Domain Management: Place the user who runs Exaquantum Explorer in the user group “PLT_OPERATOR".

Connection.

1. Exaquantum Standard / Exapilot Standard
   Standalone Management:
     Exaquantum: No special settings are necessary.
     Exapilot: Place the user who runs Exaquantum Explorer in the user group “PLT_OPERATOR".
   Domain Management:
     Exaquantum: No special settings are necessary.
     Exapilot: Place the user who runs Exaquantum Explorer in the domain group “PLT_OPERATOR".

2. Exaquantum Standard / Exapilot Legacy
   Standalone Management: Exaquantum: Not Supported. Exapilot: Not Supported.
   Domain Management: Exaquantum: Not Supported. Exapilot: Not Applicable.

3. Exaquantum Legacy / Exapilot Standard
   Standalone Management: Exaquantum: Not Supported. Exapilot: Not Supported.
   Domain Management: Exaquantum: Not Supported. Exapilot: Not Supported.

4. Exaquantum Legacy / Exapilot Legacy
   Standalone Management: Exaquantum: No special settings are necessary. Exapilot: No special settings are necessary.
   Domain Management: Exaquantum: No special settings are necessary. Exapilot: Not Applicable.


Exapilot R3.60.00 or earlier (IT security not supported)

The Exaquantum security model must be set to Legacy. Coexistence or connection with another
security model cannot be used.
The setting details are the same as for the Legacy Model of Exapilot R3.70.00 or later.

When Exaquantum Input/Output Unit Procedures are used

Coexistence.

1. Exaquantum Legacy / Exapilot Legacy
   Standalone Management: Create the Exapilot process account (default EXA) with a password matching
   the Exapilot server, and place it in the user groups "QUserGroup" and "QDataWriteGroup".
   Domain Management: Not Applicable.

2. Exaquantum Standard / Exapilot Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.

Connection.

1. Exaquantum Standard / Exapilot Standard
   Standalone Management: Exaquantum: Not Supported. Exapilot: Not Supported.
   Domain Management: Exaquantum: Not Supported. Exapilot: Not Supported.

2. Exaquantum Legacy / Exapilot Legacy
   Standalone Management:
     Exaquantum: Create the Exapilot process account (default EXA) with a password matching Exapilot,
     and add this user to the user groups "QUserGroup" and “QDataWriteGroup”.
     Exapilot: No special settings are necessary.
   Domain Management:
     Exaquantum: Create the Exapilot process account (default EXA) with a password matching Exapilot,
     and add this user to the user groups "QUserGroup" and “QDataWriteGroup”.
     Exapilot: Not Applicable.

When the Exapilot ActiveX Control attached to Exaquantum Explorer is used

Coexistence.

1. Exaquantum Legacy / Exapilot Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: Not Applicable.

2. Exaquantum Standard / Exapilot Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.

Connection.

1. Exaquantum Standard / Exapilot Standard
   Standalone Management: Exaquantum: Not Supported. Exapilot: Not Supported.
   Domain Management: Exaquantum: Not Supported. Exapilot: Not Applicable.

2. Exaquantum Legacy / Exapilot Legacy
   Standalone Management: Exaquantum: No special settings are necessary. Exapilot: No special settings are necessary.
   Domain Management: Exaquantum: Not Applicable. Exapilot: Not Applicable.


6.2.5.3 Exaplog
Exaquantum and Exaplog can coexist on the same PC or connect from separate PCs.
However, the Exaquantum Client cannot be installed on the same PC as Exaplog, because the two
products have different versions of the IT Security Setting Tool.

Exaplog R3.40.00 (Integration Code 0801-0701-03-02)

NOTE. Exaquantum and Exaplog R3.40.00 can only coexist in Legacy mode. This is because the two
products have different versions of the IT Security Setting tool.

Coexistence.

1. Exaquantum Legacy / Exaplog Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: Not Applicable.

2. Exaquantum Standard / Exaplog Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.

Connection.

1. Exaquantum Standard / Exaplog Standard
   Standalone Management: Exaquantum: Not Supported. Exaplog: Not Supported.
   Domain Management: Exaquantum: Not Supported. Exaplog: Not Supported.

2. Exaquantum Standard / Exaplog Legacy
   Standalone Management: Exaquantum: Not Supported. Exaplog: Not Supported.
   Domain Management: Exaquantum: Not Supported. Exaplog: Not Applicable.

3. Exaquantum Legacy / Exaplog Standard
   Standalone Management: Exaquantum: Not Supported. Exaplog: Not Supported.
   Domain Management: Exaquantum: Not Supported. Exaplog: Not Supported.

4. Exaquantum Legacy / Exaplog Legacy
   Standalone Management:
     Exaquantum: No special settings are necessary.
     Exaplog: Create the User Account "Quantumuser" with a password matching the Exaquantum server.
     Grant it the privilege “Log on as batch job".
   Domain Management:
     Exaquantum: No special settings are necessary.
     Exaplog: Not Applicable.


Exaplog R3.30.00

Coexistence.

1. Exaquantum Legacy / Exaplog Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: Not Applicable.

2. Exaquantum Standard / Exaplog Standard
   Standalone Management:
     Create the User Account "Quantumuser" with a password matching the Exaplog server, and grant it
     the privilege "Log on as batch job".
     Place the User Account "Quantumuser" in the user group “QTM_DATA_READ".
     Place the User Account "Quantumuser" in the user group “PLG_CONVERTER".
   Domain Management:
     Create the local group “PLG_CONVERTER_LCL”. Create the local User Account "Quantumuser" with a
     password matching the Exaplog server, and grant it the privilege "Log on as batch job".
     Place the User Account "Quantumuser" in the user group “QTM_MAINTENANCE_LCL".
     Place the User Account "Quantumuser" in the user group “PLG_CONVERTER_LCL".

Connection.

1. Exaquantum Standard / Exaplog Standard
   Standalone Management:
     Exaquantum: Create the User Account "Quantumuser" with a password matching the Exaplog server.
     Place it in the user group “QTM_DATA_READ".
     Exaplog: Create the User Account "Quantumuser" with a password matching the Exaquantum server,
     and grant it the privilege "Log on as batch job". Place it in the user group “QTM_DATA_READ"
     and in the user group “PLG_CONVERTER".
   Domain Management:
     Exaquantum: Create the User Account "Quantumuser" with a password matching the Exaplog server.
     Place it in the user group “QTM_MAINTENANCE_LCL".
     Exaplog: Create the local user group PLG_CONVERTER_LCL. Create the User Account "Quantumuser"
     with a password matching the Exaquantum server, and grant it the privilege "Log on as batch job".
     Place it in the user group “QTM_MAINTENANCE_LCL" and in the user group “PLG_CONVERTER_LCL".

2. Exaquantum Standard / Exaplog Legacy
   Standalone Management: Exaquantum: Not Supported. Exaplog: Not Supported.
   Domain Management: Exaquantum: Not Supported. Exaplog: Not Applicable.

3. Exaquantum Legacy / Exaplog Standard
   Standalone Management: Exaquantum: Not Supported. Exaplog: Not Supported.
   Domain Management: Exaquantum: Not Supported. Exaplog: Not Supported.

4. Exaquantum Legacy / Exaplog Legacy
   Standalone Management:
     Exaquantum: No special settings are necessary.
     Exaplog: Create the User Account "Quantumuser" with a password matching the Exaquantum server.
     Grant it the privilege “Log on as batch job".
   Domain Management:
     Exaquantum: No special settings are necessary.
     Exaplog: Not Applicable.


Exaplog R3.20.00 or earlier (IT security not supported)

Coexistence.

1. Exaquantum Legacy / Exaplog Legacy
   Standalone Management: No special settings are necessary.
   Domain Management: Not Applicable.

2. Exaquantum Standard / Exaplog Standard
   Standalone Management: Not Supported.
   Domain Management: Not Supported.

Connection.

1. Exaquantum Standard / Exaplog Legacy
   Standalone Management:
     Exaquantum: Create the User Account "Quantumuser" with a password matching the Exaplog server.
     Place it in the user group “QTM_DATA_READ".
     Exaplog: Create the User Account "Quantumuser" with a password matching the Exaquantum server,
     and grant it the privilege "Log on as batch job". Place the User Account "Quantumuser" in the
     user group “QTM_DATA_READ".
   Domain Management:
     Exaquantum: Not Supported.
     Exaplog: Not Applicable.

2. Exaquantum Legacy / Exaplog Legacy
   Standalone Management:
     Exaquantum: No special settings are necessary.
     Exaplog: Create the User Account "Quantumuser" with a password matching the Exaquantum server.
     Grant it the privilege “Log on as batch job".
   Domain Management:
     Exaquantum: No special settings are necessary.
     Exaplog: Not Applicable.

6.2.5.4 Exasmoc/Exarqe
The Exaquantum and Exarqe / Exasmoc clients can coexist on the same PC.

Exasmoc R4.03.00 (Integration Code: 0851-0951-01-03), Exarqe R4.03.00 (Integration
Code: 0851-1051-01-03)
Exasmoc / Exarqe and Exaquantum cannot coexist under the Standard (Strengthened) Standalone Model.
This is because the IT Security Tool version is different.

Coexistence is possible with the Legacy Security model. No special settings are necessary.

Exasmoc R4.02.00, R4.01.00 / Exarqe R4.02.00, R4.01.00

Coexistence is possible only if the Security model is the same on both products. No special
settings are necessary.

Exasmoc R3.06.00 or earlier, Exarqe R3.06.00 or earlier (IT security unsupported)

Only the Legacy Model can coexist with Exaquantum. Coexistence or connection with another model
cannot be used. No special settings are necessary.


6.2.5.5 CENTUM VP (Integration Code: 0101-0801-02-03)

The Exaquantum server can only connect with CENTUM VP R4 or later; coexistence is not
supported.
The Exaquantum Client can coexist with the CENTUM VP HIS. For details, refer to Appendix 14 "Installation on
HIS".

• The CENTUM VP account

For CENTUM and Exaquantum to communicate under Standard Model Security, the
CENTUM VP process execution account must exist and be in the correct user group. This account
can be created and added to the correct group with a tool provided on the CENTUM VP DVD.

• CENTUM VP R4.03 or later:

<DVD>:CENTUM\SECURITY\Yokogawa.IS.iPCS.Platform.Serurity.CreateCentumProcess.exe

• CENTUM VP R4.02 or earlier:

<DVD>:CENTUM\SECURITY\CreateCentumProcess.exe

Connection.

1. Exaquantum Standard / CENTUM VP Standard
   Standalone Management:
     Exaquantum: Create the User Account "CTM_PROCESS" and place it in the user group "QTM_OPC".
     CENTUM VP: Create the User Account "QTM_PROCESS" and place it in the user group "CTM_OPC".
   Domain Management:
     Exaquantum: Create the User Account "CTM_PROCESS" and place it in the user group "QTM_OPC_LCL".
     CENTUM VP: Create the User Account "QTM_PROCESS" and place it in the user group "CTM_OPC_LCL".

2. Exaquantum Standard / CENTUM VP Legacy
   Standalone Management:
     Exaquantum: Create the User Account "CENTUM" and place it in the user group "QTM_OPC".
     CENTUM VP: Create the User Account "QTM_PROCESS".
   Domain Management:
     Exaquantum: Create the User Account "CENTUM" and place it in the user group "QTM_OPC_LCL".
     CENTUM VP: Not Applicable.

3. Exaquantum Legacy / CENTUM VP Standard
   Standalone Management:
     Exaquantum: Create the User Account “CTM_PROCESS”.
     CENTUM VP: Create the User Account "quantumuser" with a password matching the Exaquantum
     server, and place it in the user group “CTM_OPC".
   Domain Management:
     Exaquantum: Create the local User Account “CTM_PROCESS”.
     CENTUM VP: Create the local User Account "quantumuser" with a password matching the Exaquantum
     server, and place it in the user group “CTM_OPC_LCL".

4. Exaquantum Legacy / CENTUM VP Legacy
   Standalone Management:
     Exaquantum: Create the User Account "CENTUM" with a password matching CENTUM VP.
     CENTUM VP: Create the User Account "quantumuser”.
   Domain Management:
     Exaquantum: Create the local User Account "CENTUM" with a password matching CENTUM VP.
     CENTUM VP: Not Applicable.


6.2.5.6 CENTUM CS 3000

The Exaquantum server can only connect with the CENTUM CS 3000 HIS; coexistence is not
supported.
The Exaquantum Client can coexist with the CENTUM CS 3000 HIS. For details, refer to
Appendix 14 "Installation on HIS".

Connection.

1. Exaquantum Standard / CS3000
   Standalone Management:
     Exaquantum: Create the User Account "CENTUM" with a password matching CS3000. Place it in the
     user group "QTM_OPC".
     CS3000: Create the User Account "QTM_PROCESS".
   Domain Management:
     Exaquantum: Create the User Account "CENTUM" with a password matching CS3000. Place it in the
     user group "QTM_OPC_LCL".
     CS3000: Not Applicable.

2. Exaquantum Legacy / CS3000
   Standalone Management:
     Exaquantum: Create the User Account "CENTUM" with a password matching CS3000.
     CS3000: Create the User Account "quantumuser" with a password matching the Exaquantum server.
   Domain Management:
     Exaquantum: Create the local User Account "CENTUM" with a password matching CS3000.
     CS3000: Not Applicable.

6.2.5.7 Other companies' OPC servers
For the Standard (Strengthened) model, the process execution accounts must be replicated and placed
into the correct user groups.

Table 6-4 Legacy Model

Connection:
  Exaquantum: No special settings are necessary.
  Other company's OPC server: Follow the setting procedure of the other company's OPC server.

Table 6-5 Standard (Strengthened) Standalone Model

Connection:
  Exaquantum: Create the other company's OPC execution account and place it in the user group
  "QTM_OPC".
  Other company's OPC server: Follow the setting procedure of the other company's OPC server.

Table 6-6 Standard (Strengthened) Domain Model

Connection:
  Exaquantum: Create the other company's OPC execution account and place it in the user group
  "QTM_OPC_LCL".
  Other company's OPC server: Follow the setting procedure of the other company's OPC server.


6.2.5.8 Client setting for accessing the Exaquantum Open Interface (OPC Server)

The client process execution account must be placed into the correct user group, and the
Exaquantum service account must be created on the client. If data is read through the Exaquantum
OPC server, the client process account must be placed into the group “QUserGroup” (Legacy) or
“QTM_DATA_READ” (Standard). If data is written through the Exaquantum OPC server, the client
process account must also be placed into the group “QDataWriteGroup” or “QTM_DATA_WRITE”.
The Exaquantum OPC DA Server execution account is OPC_PROCESS. The Exaquantum OPC HDA
Server execution account is QTM_PROCESS.

Table 6-7 Legacy Model

Coexistence:
  Exaquantum: Place the process execution account of the client into “QUserGroup” and optionally
  “QDataWriteGroup”.
  Client *1: Follow the client manual.
Connection:
  Exaquantum: Create an account matching the client process execution account and place it into
  “QUserGroup” and optionally “QDataWriteGroup”.
  Client *1: Follow the client manual.

Table 6-8 Standard (Strengthened) Standalone Model

Coexistence:
  Exaquantum: Place the client process execution account into “QTM_DATA_READ” and optionally
  “QTM_DATA_WRITE”.
  Client *1: Follow the client manual.
Connection:
  Exaquantum: Create an account matching the client process execution account and place it into
  “QTM_DATA_READ” and optionally “QTM_DATA_WRITE”.
  Client *1: Follow the client manual.

Table 6-9 Standard (Strengthened) Domain Model

Coexistence:
  Exaquantum: Place the client process execution account into “QTM_DATA_READ” and optionally
  “QTM_DATA_WRITE”.
  Client *1: Follow the client manual.
Connection:
  Exaquantum: Create an account matching the client process execution account and place it into
  “QTM_DATA_READ” and optionally “QTM_DATA_WRITE”.
  Client *1: Follow the client manual.

*1 For the client, follow its manual.


6.3 Operations
This section describes Windows account management and the related programs whose operation requires attention when the ‘IT Security’ settings summarized in Appendix A.13 IT Security Detail Information are introduced.

6.3.1 Windows Account Management

Two types of account management, i.e. common account management and individual
account management, are provided.

Table 6-10 Windows account management

Common account management
  How to manage accounts: a Windows account is shared by several users.
  How to operate: same operability as the conventional Exaquantum.
  Operational advantages: high
  Security strength: low (unfavorable because of high anonymity)

Individual account management
  How to manage accounts: a Windows account is allocated to each user.
  How to operate: more complex than the conventional operation because Windows logoff/logon is required when the user is changed.
  Operational advantages: low
  Security strength: high (favorable because access can be controlled on a user basis)

Common Account Management

The common account management provides high operational convenience. From the viewpoint of security, however, it is not ideal because anonymity is high. It is recommended that user training is conducted and that the system be configured to use individual account management.

For account management

If a common account is used, it is recommended that the group of staff with access is tightly controlled to provide traceability in the event of an accident or similar event.

For password management

It is recommended that users' passwords are changed periodically to reduce the risk of password cracking attacks. Passwords used by groups of users should be changed at least when staff leave, to prevent access by ex-employees.


For automatic logon function

When the automatic logon function is used, it is recommended that no access level higher than OPC_DATA_READ is given to the autologon account. This prevents engineering or other functions from being accessed by non-privileged users who have access to the system.

For anonymity

The use of a common account on a permanently logged-on terminal provides little tracking of activity. It is therefore recommended that access to the terminal be tightly controlled and that staff be strictly trained in security procedures.

Individual Account Management

The individual account management allows tight control of the privileges allocated to each user and allows identification of the user responsible for particular activities on the system. The downside is that it requires users to log off and on again whenever they change terminal.

For account maintenance

The account privileges should be promptly changed when the privileges of a user are
changed. (*1)

By properly maintaining the account, illegal access from invalid users or an unexpected
attack can be prevented.

*1: For example, deletion of the account of the user who resigned, change of the group
when a maintenance person becomes an operator, etc.

For password management

Passwords should be set to require changing periodically to reduce the threat of cracking
attacks being successful.

Considerations when workers change over

Under individual account management, time is required for Windows log off/log on whenever the user at a terminal changes. Avoid changing over all users at the same time so that emergency response is not impaired. The provision of job-specific terminals mitigates this issue.

For personnel security education

With individual account management, the management of the personal account and responsibility for its security rest with the user, and this needs to be stressed to the users.


Precautions for Account Management

This section outlines the precautions commonly applicable to “common account management” and “individual account management.”

System Monitoring

Periodic monitoring of the security event log on the system is recommended. By doing this,
abnormalities in the system can be detected in an early stage, which contributes to the early
detection of an attack or its sign. If you find any login failures, consult your internal network
administrator or a specialist and take prompt action.
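One way to script the periodic check described above, as an added PowerShell example that is not part of the manual: it summarises failed logon events (ID 4625) from the Security log per account and source and flags accounts over a threshold. It assumes PowerShell 3.0 or later and administrator rights to read the Security log; the 24-hour window and threshold of 5 are constructed defaults.

```powershell
# Added example, not taken from the Yokogawa manual: summarise failed Windows
# logons from the Security event log so that the periodic check recommended
# in 6.3 can be scripted on the Exaquantum server or the domain controller.
# Assumption (labelled): the look-back window and threshold are constructed
# defaults for illustration; set them to site policy.
param(
    [int]$Hours     = 24,
    [int]$Threshold = 5
)

$since = (Get-Date).AddHours(-$Hours)

# Event ID 4625 = "An account failed to log on" (Windows Vista / Server 2008 and later).
# Reading the Security log requires administrator (or Event Log Readers) rights.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
if (-not $events) {
    "No failed logons recorded since $since."
    return
}

# Take the fields from the event XML rather than from the localised message text.
$records = foreach ($ev in $events) {
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $ev.TimeCreated
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Source      = $data['IpAddress']          # '-' for local/console logons
        Workstation = $data['WorkstationName']
        LogonType   = $data['LogonType']          # 2 interactive, 3 network, 10 remote interactive
        Status      = $data['Status']             # 0xC000006D = unknown user name or bad password
    }
}

# One row per account/source pair, most failures first.
$summary = $records | Group-Object Account, Source | Sort-Object Count -Descending | ForEach-Object {
    $sorted = @($_.Group | Sort-Object Time)
    [pscustomobject]@{
        Account  = $sorted[0].Account
        Source   = $sorted[0].Source
        Failures = $_.Count
        First    = $sorted[0].Time
        Last     = $sorted[-1].Time
        Statuses = ($sorted | Select-Object -ExpandProperty Status -Unique) -join ','
    }
}
$summary | Format-Table -AutoSize

# Accounts at or above the threshold are the ones to raise with the network
# administrator, as the manual advises for login failures.
$suspect = $summary | Where-Object { $_.Failures -ge $Threshold }
foreach ($s in $suspect) {
    Write-Warning ('{0} failed logons for {1} from {2} between {3} and {4}' -f $s.Failures, $s.Account, $s.Source, $s.First, $s.Last)
}
```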

Account Management on a Workgroup basis

When accounts are controlled as a workgroup, identical user accounts need to be created
both on the terminal for the user and the engineering terminal that has a project database and
the password of the registered accounts must be identical. If the password is changed, the
password of all the terminals in which the identical accounts are registered need to be
changed to the new common password.

Account Management on a Domain basis

When there is a large difference (more than 5 minutes at default value) between the time of
the domain controller and that of Exaquantum, the authentication function in the domain
environment does not work properly. It is therefore required to pay careful attention to the
time synchronization between the domain controller and terminals.

For details, refer to Appendix A.8 Maximum Tolerance for Computer Clock
Synchronization.

‘QTM_MAINTENANCE’ ‘EXA_MAINTENANCE’ Group

The ‘QTM_MAINTENANCE’ ‘EXA_MAINTENANCE’ group, a user group for maintenance, is an access group with very high privileges. Accounts belonging to the ‘QTM_MAINTENANCE’ ‘EXA_MAINTENANCE’ group should normally be disabled and enabled only when operators require them. Moreover, it is effective for security to set an expiration date on the account when it is enabled.

Windows Vista / Windows 7 / Windows Server 2008 and the User

On Windows Vista, the following limitations come into effect when a user belonging to the ‘QTM_MAINTENANCE’, ‘QTM_MAINTENANCE_LCL’, ‘EXA_MAINTENANCE’ or ‘EXA_MAINTENANCE_LCL’ group, which are associated with Administrator privilege, operates Exaquantum.

When using each tool, a confirmation dialog may be shown. In that case, click the [Continue] or [Allow] button.


Creating a New User with Administrator Rights

When you add a new user to the ‘QTM_MAINTENANCE’, ‘QTM_MAINTENANCE_LCL’, ‘EXA_MAINTENANCE’ or ‘EXA_MAINTENANCE_LCL’ group, you must also add the user to the ‘Administrators’ or ‘Domain Admins’ group.

- When a user who belongs to the ‘QTM_MAINTENANCE’ group is created under domain management:

Figure 6-2 User creation under domain management


- When a user who belongs to the ‘OPC_MAINTENANCE’ group is created under workgroup management:

Figure 6-3 User creation under workgroup management


6.3.2 Related Programs

Windows Security Patch

The verified security patches approved by Yokogawa should immediately be applied to the
Exaquantum system. Prompt application is required because the period between the
detection (announcement) of security vulnerability (security hole) in the OS and the attack
exploiting the vulnerability has become shorter.

When security patches and service packs are applied to the Exaquantum system, the existing
security settings (Firewall settings and local security settings) may be changed. Therefore,
after applying security patches and service packs, verify that the former security settings are
retained.

Antivirus Software

It is recommended that antivirus software verified by Yokogawa is installed on the terminals connected to the Exaquantum system and on the domain controller.

An update of the search engine or pattern files of the antivirus software can impact the functioning of these terminals. It is recommended that the behavior is tested on a test terminal before the update is applied.

Unverified Programs

The execution of a program not verified by Yokogawa on a terminal connected to the Exaquantum system is not recommended because it may affect the operation of the Exaquantum system or cause information leaks and system damage.

6.3.3 Windows Shared folders

Windows shared folders may be used to deliver Exaquantum Explorer files (PXD files) to the clients. However, file shares provide a weak point for the spread of virus infections if not managed carefully.

The security risk may be minimized by sharing with the minimum required access (typically read only).


Chapter 7 Time Synchronization


Note:

- If the time synchronization master uses a firewall, open UDP port 123 on the time synchronization master.

- In order to confirm time synchronization, perform the following operation:

1. Open Control Panel from the Start Menu and select "Date and Time".

2. Select the [Internet Time] tab in Date and Time Properties and click the [Change settings] button.

3. Check "Automatically synchronize with an Internet time server" and click the "Update Now" button.

The Exaquantum server acquires data from various sources including the OPC gateways.
During this acquisition the data is saved and managed chronologically with the time serving
as the designated key. Exaquantum clients and those PCs using the API interface retrieve
data from the Exaquantum server with time being one of the key parameters.

Time synchronization is therefore very important for the entire Exaquantum system. Of
particular importance is the time synchronization between the Exaquantum server and the
OPC gateways as this affects the data being saved and read.

In the following sections the Exaquantum system is said to include the Exaquantum server,
Exaquantum client, OPC gateways, and PCs using the Exaquantum API.

7.1 Setting time synchronization


To implement time synchronization in the Exaquantum system, one of the following three methods is available depending on the network environment:

- Time synchronization in the Active Directory domain environment

- Time synchronization in the existing network

- Time synchronization in a new work group environment

The “Active Directory domain” is a domain established using the Active Directory database on Windows Server 2003 or Windows Server 2008.

The “Existing network environment” indicates a network that has already been established at
the time the Exaquantum system is installed.

The “New work group environment” indicates a network in a work group environment
established with the installation of the Exaquantum system.


7.1.1 Time synchronization in the Active Directory domain environment

In an Active Directory domain environment established using Windows Server 2003 or Windows Server 2008, the functionality exists to compare the time stamp at logon with the domain controller (DC) time stamp. Logon to the system will be refused if the time difference between the DC and the logon machine is greater than 5 minutes. It is therefore imperative that time synchronization is maintained between computers on the same domain. Time synchronization is usually implemented using the Windows Time (W32Time) service; however, this may be replaced with third party synchronization tools if required.

If the Exaquantum server is in an Active Directory domain, the first domain controller which
takes the PDC Emulator Role usually functions as the time master (time server). Because
PCs in the same domain are automatically time-synchronized, specific setup for time
synchronization is not necessary.

The time synchronization between the systems on the PCS LAN and the Exaquantum server
is critical. It is recommended therefore that the PCS and the Site Windows Domain have a
common external time source, such as GPS clock(s).

Time synchronization must be set up using the “Time synchronization in the existing network” method if the following hold true:

- An Active Directory domain environment exists

- The time server is not set up on the domain controller

- Time synchronization is not implemented using the Windows Time service

If no Active Directory domain exists then time synchronization must be set up using the “New work group environment” method.
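A check for the clock tolerance described above, as an added PowerShell example that is not from the manual: it reads the domain controller's clock over WMI and reports whether the offset from this host is within the Kerberos tolerance of Appendix A.8. It assumes the domain controller name from the LOGONSERVER environment variable (or the -DomainController parameter) and that WMI/DCOM access to the DC is permitted.

```powershell
# Added example, not taken from the Yokogawa manual: measure the clock offset
# between this Exaquantum server and its domain controller and compare it with
# the Kerberos "Maximum tolerance for computer clock synchronization" (5 minutes
# by default; see Appendix A.8). The query uses WMI over DCOM.
# Assumption (labelled): the DC defaults to the LOGONSERVER environment
# variable; pass -DomainController to override it.
param(
    [string]$DomainController = ("$env:LOGONSERVER").TrimStart('\'),
    [int]$ToleranceMinutes = 5
)

function Get-RemoteLocalTime([string]$Computer) {
    # Win32_OperatingSystem.LocalDateTime is a DMTF timestamp string
    # (yyyymmddHHMMSS.ffffff+UUU); the converter returns it as a DateTime in
    # this host's local time zone, so the two values can be subtracted directly.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop
    [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LocalDateTime)
}

if (-not $DomainController) {
    Write-Warning 'No domain controller given and LOGONSERVER is not set (workgroup logon?).'
    return
}

# Sample the local clock on both sides of the remote query and use the midpoint,
# so that network round-trip time is not counted as clock offset.
$before   = Get-Date
$dcTime   = Get-RemoteLocalTime $DomainController
$after    = Get-Date
$hostTime = $before.AddTicks([long](($after - $before).Ticks / 2))

$offsetSeconds    = ($dcTime - $hostTime).TotalSeconds
$toleranceSeconds = $ToleranceMinutes * 60

"{0,-24} {1}"      -f 'Domain controller:',    $DomainController
"{0,-24} {1:o}"    -f 'DC local time:',        $dcTime
"{0,-24} {1:o}"    -f 'This host local time:', $hostTime
"{0,-24} {1:N1} s" -f 'Offset (DC - host):',   $offsetSeconds

if ([math]::Abs($offsetSeconds) -gt $toleranceSeconds) {
    Write-Warning "Offset exceeds the Kerberos tolerance of $ToleranceMinutes minutes: domain logons and authenticated DCOM calls will fail until W32Time is corrected."
} elseif ([math]::Abs($offsetSeconds) -gt $toleranceSeconds / 2) {
    Write-Warning 'Offset is more than half the tolerance: check the W32Time source and polling interval.'
} else {
    'Clock offset is within tolerance.'
}
```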

7.1.2 Time synchronization in the existing network

If the Exaquantum server exists in a network with the following properties then time synchronization must be set up according to the directives of the network administrator:

- The domain environment is Windows NT

- It is a work group environment on Windows

- The time server is not the DC (domain controller) in the Active Directory domain

- Windows Time is not used in the Active Directory domain

The OPC gateways should be configured to ensure they are time synchronized at the same
time of the day. The domain administrator should ensure the time synchronization period is
correctly set.

If time synchronization is not implemented even when the above networks have been established,
set up time synchronization referring to “Time synchronization in a new work group environment”.


7.1.3 Time synchronization in a new work group environment

If the Exaquantum system is to be installed into a network with the following configuration, the network administrator should be consulted regarding time synchronization in the network:

- No Active Directory domain with time synchronization exists

- No existing network with time synchronization exists

- A new work group network is to be established with the introduction of Exaquantum

The OPC gateways should be configured to ensure they are time synchronized at the same time of the day. The domain administrator should ensure the time synchronization period is correctly set.

Time synchronization is very important, and the Exaquantum server can be used to perform the time correction against the time server while also acting as a time server for the OPC gateways.

If there are many OPC gateways and it is difficult to set up time synchronization between the systems, the Exaquantum time can be used as the data collection time for data from the OPC gateways.

For further information, refer to "Chapter 2 OPC Gateway Configuration" in the Exaquantum/PIMS User's Manual.

7.1.4 Time synchronization tools storage directory

Various time synchronization tools can be found in the following directories:

Exaquantum DVD-ROM within the “Tools” folder

Exaquantum Server within the “\<Exaquantum Install Folder>\Developer tools” folder

File name is “TimeSynchronizeUtility.exe”.

Note: In a domain environment it is unnecessary to use this tool, because time synchronization is done automatically.


7.1.5 Installing “time synchronization” on an OPC gateway PC

To install the time synchronization functionality on the OPC gateway PC perform the
following steps from either of the Time synchronization tools storage directories as listed
above:

1 Run the TimeSynchronizeUtility.exe setup tool by double-clicking on it.

2 When the selection of the Computer to Set Up is running, click the [Next] button to go to the Type of Time Synchronization Setup process.

3 When the setup tool is running, select “Set Time Synchronization on the master server” and click the [Next] button to go to the Setup of the Time Synchronization Server setup process.

4 When the setup tool is running, click the [Set] button to initialize the time synchronization process. On completion the time server function will be enabled on this PC.

7.1.6 Installing “time synchronization” on an Exaquantum server

To install the time synchronization functionality on the Exaquantum server perform the following steps from either of the Time synchronization tools storage directories as listed above:

1 Run the TimeSynchronizeUtility.exe setup tool by double-clicking on it.

2 When the selection of the Computer to Set Up is running, click the [Next] button to go to the Type of Time Synchronization Setup process.

3 When the setup tool is running, select “Set Time Synchronization client on the Exaquantum Server” and click the [Next] button to go to the Setup of the Time Synchronization Client setup process.

4 When the setup tool is running, click the [Set] button to initialize the time synchronization process. On completion the time server function will be enabled on this PC.

Note: When the Windows Firewall is enabled, add port 123/UDP to the "Exceptions" of the Windows Firewall on the Domain Controller.

5 Click the [Set] button to initialize the time synchronization process.


7.2 Precautions when upgrading from R2.10.50 or older (changing the synchronization method)

From Exaquantum R2.20, Exaquantum uses Windows Time only. However, Exaquantum systems released prior to R2.20 also supported the following methods of time synchronization:

- Time Service

- Net Time

Therefore, if the Exaquantum system is using either the Time Service or the Net Time time synchronization method, then on upgrade of Exaquantum to R2.20 the time synchronization method needs to be changed to Windows Time. To change the time synchronization method, the current method needs to be disabled and the new one installed.

7.2.1 Disabling the current synchronization method

Time Service:

To install the time synchronization functionality on the Exaquantum server perform the following steps from either of the Time synchronization tools storage directories as listed above:

1 Run the TimeSynchronizeUtility.exe setup tool by double-clicking on it.

2 When the selection of the Computer to Set Up is running, click the [Next] button to go to the Type of Time Synchronization Setup process.

3 When the setup tool is running, select “Set Time Synchronization client on the Exaquantum Server” and click the [Next] button to go to the Setup of the Time Synchronization Client setup process.

4 When the setup tool is running, complete the following setup steps on the dialog screen:

Enter the same OPC gateway computer name as the one used in the “Time Server Name” field set during the Exaquantum installation.

Enter a synchronization period in minutes in the “Period in minutes” field.

5 Click the [Release] button to initialize the time synchronization process.

Net Time:

In order to change to the new time synchronization method, delete the batch file in the “Start-up” folder that contains the following command. If the batch file includes any command other than the following, first delete the other commands and then delete the following command.

In the standard installation procedure the batch file is named “Timesync.cmd”.

Net time \\Qserver /set /yes


7.2.2 Establishing a new synchronization method

Set up time synchronization using the method described in 7.1.3 Time synchronization
in a new work group environment which is a subsection of 7.1 Setting time synchronization.


Appendix A. IT Security
Appendix A.1 External process of Exaquantum and working module list of Communication

Table A-1 External process of Exaquantum and working module list of Communication
(No | Service/Runtime file name | Port Number (protocol) | Others)

Exaquantum server
1 | File and printer sharing (*1) | TCP:139, UDP:137, UDP:138, TCP:445 |
2 | QOPCAEPump.exe | TCP:135 (*2), TCP:20500 to 20600 |
3 | Quantum.exe | TCP:135 (*2), TCP:20500 to 20600 |
4 | QEventHandler.exe | TCP:135 (*2), TCP:20500 to 20600 |
5 | ExaQuantumExecutive.exe | TCP:135 (*2), TCP:20500 to 20600 |
6 | QHistorian.exe | TCP:135 (*2), TCP:20500 to 20600 |
7 | QArchive.exe | TCP:135 (*2), TCP:20500 to 20600 |
8 | QOPCHDAServer.exe | TCP:135 (*2), TCP:20500 to 20600 |
9 | QOPCHAEServer.exe | TCP:135 (*2), TCP:20500 to 20600 |

Exaquantum Client
1 | Quantum.exe | TCP:135 (*2), TCP:20500 to 20600 |

*1: When file sharing uses TCP:445 only, the setting “disabling of NetBIOS over TCP/IP” is required.

*2: Moreover, the setting of DCOM dynamic port restriction is required; see Figure A-6 Group Policy Management Editor.

Appendix A.2 Shared folder used with Exaquantum
No shared folder is used in Exaquantum.

Appendix A.3 Service list registered with Exaquantum

Table A-2 Service list registered with Exaquantum
(Service | Explanation | Operation user | Type of start-up)
Exa Bossd | Program loader service for Exaopc | OPC_PROCESS | Automatic operation
Exaquantum Service | Exaquantum Program Loader | Local System | Manual operation
Exaquantum OPC HDA | Exaquantum OPC Server Service | QTM_PROCESS | Manual operation
Exaquantum Server | Exaquantum Server Service | QTM_PROCESS | Manual operation
Exaquantum Web Server | Exaquantum Web Server Service | Local System | Manual operation
OpcEnum | Service that acquires registry information of OPC servers and offers it | Local System | Automatic operation
PM Logd | Exa common log server service | EXA_PROCESS | Automatic operation


Appendix A.4 Unsupported Main Windows Security Functions


Appendix A.4.1 Windows Defender

Windows Defender is the free spyware removal tool (built-in on Windows Vista and
Windows 7) supplied by Microsoft. The Yokogawa system products do not support the
software because it has not been tested with the Yokogawa system products. Do not activate
Windows Defender.

Appendix A.4.2 EFS Function

The EFS (Encrypting File System) function is a Windows standard file cryptography function.
Do not apply the EFS function to Yokogawa system products because the management of the
encryption key on multiple terminals and the slowdown in the throughput caused by the
encryption has not been verified.

Appendix A.4.3 BitLocker Function

The BitLocker function introduced in Window Vista (standard functions provided with
Ultimate and Enterprise editions) to ensure HDD data tamper resistance encrypts the HDD at
the volume level. This function has not been tested with the Yokogawa system products.


Appendix A.5 Underlying Security Threats


Appendix A.5.1 DCOM

While the DCOM function, the basis of OPC, used in the Yokogawa system products is a very useful function that realizes various kinds of processing between processes over a network, it is said to include many vulnerabilities. Security is ensured in the Yokogawa system products by limiting the accessible users. Therefore, please be careful about the control of the accounts of the OPC users.

Appendix A.5.2 Scope of Windows Firewall

In the standard security model of Exaquantum, the scope of the Windows Firewall exceptions configured during installation is set to [Any computer (including those on the Internet)] in order to minimize the effect of the system configuration on operation. It is recommended to limit the range of communication by considering the system configuration and to limit the scope at the port (program) level. Narrowing the scope will prevent access from unauthorized terminals.

How to change the scope of Windows Firewall

1 From the Start menu, launch [Control Panel] - [Windows firewall].

2 In the [Exceptions] tab, select arbitrary setting items, and click [Edit] button.

Figure A-1 Windows Firewall

3 In the [Edit a Program] (or [Edit a Port]) dialog, click [Change scope] button.

Appendix A.6 Workgroup Management and Domain Management
This section outlines workgroup and domain management.

Appendix A.6.1 Workgroup Management

When the workgroup configuration is adopted, and the system is composed with two or more
terminals, it is necessary to manage the account at each terminal. When the system cooperates
with related products and security is set, it is necessary to prepare the account of the same ID
(password is also the same) in all terminals where it will be used.

Figure A-2 Workgroup Management


Appendix A.6.2 Domain Management

When the domain management is adopted, a domain controller can do the unified Account
management for the terminals and the accounts which are used in the system, because all
terminals which are included in the system configuration participate in the domain.

Moreover, when logon to a terminal has succeeded, the logon information that flows on the
network can be suppressed as much as possible compared with workgroup management,
because the logon information is managed by the function of the Windows domain network.

Figure A-3 Domain Management


Appendix A.7 NetBIOS


NetBIOS (Network Basic Input/Output System), a specification developed by Sytec for IBM in the 1980s, is an API that enables an application to be accessed from a remote PC over a network.

This function realizes the Windows File Sharing function (SMB/CIFS).

Figure A-4 NetBIOS (layer diagram: File Sharing, Printer Sharing and Other Application Programs use SMB/CIFS, which runs either by Direct Hosting on TCP:445 (Windows 2000 or later) or over NetBIOS; NetBIOS over TCP/IP uses TCP/UDP 137, 138, 139; the transports NetBEUI, IPX/SPX and TCP/IP sit above the NIC)

Various kinds of information on a machine on which NetBIOS is running are accessible using
NetBIOS features, which is said to provide low levels of security.

<Acquirable information>

- Workstation service information

- Messenger service information

- Master browser information

- RAS server service information

- NetDDE service information

- File server information

- RAS client service information

- Modem sharing server service information

- Modem sharing server client service information

- SMS clients remote control information

- SMS administrators remote control information

- SMS clients remote chat information

- SMS clients remote transfer information

- McAfee antivirus program information

- Domain information

- Account information

Appendix A.8 Maximum Tolerance for Computer Clock Synchronization

The “Maximum tolerance for computer clock synchronization” setting defines the maximum time difference allowed between the client time and the time of the domain controller when Kerberos V5 is used.

In order to prevent replay attacks, the time stamp is used as part of the protocol definition in Kerberos V5. For smooth operation of the time stamp processing, the time of each client and the domain controller should be synchronized as often as possible.

Also, this setting is not fixed, because the setting returns to the default value (5 minutes) when the domain controller is rebooted.

Setting Procedure (Windows Server 2008)

1 On the domain server, launch [Group Policy Management] from [Administrative Tools].

2 In the console tree, right-click [Default Domain Policy] under the current domain node
and select [Edit].

Figure A-5 Group Policy Management

3 From the console tree in the [Group Policy Management Editor] window, select
[Computer Configuration] - [Policies] - [Windows Settings] - [Security Settings] -
[Account Policies] - [Kerberos Policy].

4 Change [Maximum tolerance for computer clock synchronization].

Figure A-6 Group Policy Management Editor

Appendix A.9 Changing the Settings of DCOM
This section describes the settings necessary to use the DCOM on Exaquantum.

Appendix A.9.1 Setting Personal Firewall

Add the following ports as the exception port of Personal Firewall.

Table A-3 Personal Firewall Ports

Item Exception port

RPC TCP:135

Dynamic Port TCP:20500-20600

When cohabiting with other EXA products, the total number of ports that the other EXA products need must also be registered. The number of ports that Exaquantum needs is 100.

Appendix A.9.2 Controlling the Dynamic Ports of RPC Port

DCOM uses Remote Procedure Call (RPC) dynamic port allocation. This setting controls
which ports RPC dynamically allocates for incoming communication.

1 From the Start menu, launch [Run...] and enter “dcomcnfg” to start DCOMCNFG.EXE.

Figure A-7 Component services


2 Select [Component Services] - [Computers] - [My Computer], then right-click on it and open Properties.

Figure A-8 My Computer Properties

3 Select the [Default Protocols] tab.

Figure A-9 My Computer Properties - Default Protocols

4 Select [Connection-oriented TCP/IP] and click [Properties...] button.

Figure A-10 Properties for COM Internet Services

5 Click [Add] button and assign the port range to “20500-20600” as the standard dynamic
port, and select [Internet range] for the environment of the usage.

If you cannot set up [Internet range] correctly, terminate “DCOMCNFG.EXE” once by clicking the [Delete All] button and then the [OK] button. After rebooting the PC, try setting or changing the scope of the port again.


Appendix A.10 Configuring All Settings of Windows Firewall


When setting Windows Firewall exceptions of this IT security on Exaquantum, it is possible
to configure all of them at once by creating a batch file.

Command
<Command>
netsh firewall add portopening [protocol=]protocol [port=]port [name=]name [ [mode=]mode
[scope=]scope [addresses=]address [profile=]profile [interface=]interface ]

<Function>
Adds a port to the firewall exception list.

<Detail of Parameter>
protocol - Port protocol
  TCP - Transmission Control Protocol (TCP)
  UDP - User Datagram Protocol (UDP)
  ALL - All protocols
port - Port number
name - Port name
mode - Port mode (optional)
  ENABLE - Allow traffic through the firewall (default)
  DISABLE - Do not allow traffic through the firewall
scope - Port scope (optional)
  ALL - Allow traffic from any address (default)
  SUBNET - Allow traffic from the local network (subnet) only
  CUSTOM - Allow traffic from the specified addresses only
addresses - Custom scope addresses (optional)
profile - Configuration profile (optional)
  CURRENT - Current profile (default)
  DOMAIN - Domain profile
  STANDARD - Standard profile
  ALL - All profiles
interface - Interface name (optional)

Batch File Example


rem Standard Operation and Monitoring Function
netsh firewall add portopening tcp 20171 BKHOdeq ENABLE CUSTOM LocalSubnet
netsh firewall add portopening tcp 20110 BKHTrGhr ENABLE CUSTOM LocalSubnet
netsh firewall add portopening tcp 20183 LonTerm ENABLE CUSTOM LocalSubnet
netsh firewall add portopening udp 32301 MnsServer ENABLE CUSTOM LocalSubnet

pause
rem DCOM
netsh firewall add portopening tcp 135 DCOM ENABLE CUSTOM LocalSubnet
(Omitted hereinafter)
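As an added example (not part of this guide), the following Python script reviews a batch file of the form above before it is run: it parses each netsh firewall add portopening line, in the positional form used here or the name=value form of the command reference, validates the parameters against the values listed above, and flags exceptions whose scope is ALL or whose protocol is ALL. The first rules in the sample batch copy the example above; the last two are constructed.

```python
# Review a "netsh firewall add portopening" batch file before running it.
# Added example; the over-permissive rules in SAMPLE_BATCH are constructed.

PARAM_ORDER = ("protocol", "port", "name", "mode", "scope",
               "addresses", "profile", "interface")
VALID = {
    "protocol": {"TCP", "UDP", "ALL"},
    "mode": {"ENABLE", "DISABLE"},
    "scope": {"ALL", "SUBNET", "CUSTOM"},
    "profile": {"CURRENT", "DOMAIN", "STANDARD", "ALL"},
}
# Defaults that apply when the omissible parameters are left out.
DEFAULTS = {"mode": "ENABLE", "scope": "ALL", "profile": "CURRENT"}


def parse_rule(line):
    """Parse one 'netsh firewall add portopening' line into a dict.

    Both the positional form (tcp 135 DCOM ENABLE CUSTOM LocalSubnet) and the
    name=value form (protocol=tcp port=135 ...) are accepted.  Returns None for
    lines that are not rules (rem, pause, blank).  Raises ValueError on a rule
    that netsh would reject or that lacks a required parameter.
    """
    tokens = line.split()
    if [t.lower() for t in tokens[:4]] != ["netsh", "firewall", "add", "portopening"]:
        return None
    params, positional = {}, iter(PARAM_ORDER)
    for tok in tokens[4:]:
        if "=" in tok:
            key, _, value = tok.partition("=")
        else:
            key, value = next(positional, None), tok
        if key is None or key.lower() not in PARAM_ORDER:
            raise ValueError(f"unexpected parameter {tok!r} in: {line.strip()}")
        params[key.lower()] = value
    for key in ("protocol", "port", "name"):
        if key not in params:
            raise ValueError(f"missing {key} in: {line.strip()}")
    rule = {**DEFAULTS, **params}
    for key, allowed in VALID.items():
        rule[key] = rule[key].upper()
        if rule[key] not in allowed:
            raise ValueError(f"invalid {key}={rule[key]!r} in: {line.strip()}")
    if not rule["port"].isdigit() or not 1 <= int(rule["port"]) <= 65535:
        raise ValueError(f"invalid port {rule['port']!r} in: {line.strip()}")
    return rule


def review_batch(text):
    """Return (rules, findings): the parsed rules and the over-permissive ones."""
    rules, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        rules.append(rule)
        if rule["mode"] == "DISABLE":
            continue  # a disabled exception opens nothing
        tag = f"line {lineno} {rule['protocol']}/{rule['port']} ({rule['name']})"
        if rule["scope"] == "ALL":
            findings.append(f"{tag}: scope is ALL, reachable from any address")
        elif rule["scope"] == "CUSTOM" and "addresses" not in rule:
            findings.append(f"{tag}: CUSTOM scope without an address list")
        if rule["protocol"] == "ALL":
            findings.append(f"{tag}: protocol ALL opens both TCP and UDP")
    return rules, findings


# Constructed batch text: the first rules follow the example above; the last
# two are deliberately over-permissive to show what the review reports.
SAMPLE_BATCH = """\
rem Standard Operation and Monitoring Function
netsh firewall add portopening tcp 20171 BKHOdeq ENABLE CUSTOM LocalSubnet
netsh firewall add portopening udp 32301 MnsServer ENABLE CUSTOM LocalSubnet
pause
rem DCOM
netsh firewall add portopening tcp 135 DCOM ENABLE CUSTOM LocalSubnet
rem constructed rules with no scope restriction
netsh firewall add portopening protocol=tcp port=3389 name=RemoteDesktop
netsh firewall add portopening all 1433 MSSQL ENABLE ALL
"""

if __name__ == "__main__":
    rules, findings = review_batch(SAMPLE_BATCH)
    print(f"{len(rules)} rules parsed, {len(findings)} findings")
    for finding in findings:
        print(" -", finding)
```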


Appendix A.11 Configuring All Windows Services


When performing the operation “Stopping unnecessary Windows services” described in this
document on Exaquantum, all of the services can be configured at once by creating a batch
file.

Command
<Command>
sc [Servername] Command Servicename [Optionname= Optionvalue...]

<Function>
Configures, starts, and stops Windows services.

<Detail of Parameter>
Servername
  Optional. To run the command against a remote computer, specify the server name preceded by two
  backslashes (e.g. \\myserver). Omit this parameter when running sc.exe on the local computer.
Command
  Specifies the sc command. Administrator privilege on the specified computer is required for most
  sc commands. Sc.exe supports the following commands.
  Config - Changes the service configuration (the change is persistent).
  Continue - Sends a Continue control request to the service.
  Control - Sends a control code to the service.
  Create - Creates the service (adds it to the registry).
  Delete - Deletes the service (from the registry).
  EnumDepend - Enumerates the dependencies of the service.
  GetDisplayName - Gets the display name (DisplayName) of the service.
  GetKeyName - Gets the key name (ServiceKeyName) of the service.
  Interrogate - Sends an Interrogate control request to the service.
  Pause - Sends a Pause control request to the service.
  Qc - Queries the service configuration. Refer to the help of SC QC for details.
  Query - Queries the status of a service, or enumerates the status of services of a given type.
  Refer to the help of SC QUERY for details.
  Start - Starts the service.
  Stop - Sends a Stop request to the service.
Servicename
  Specifies the name given by the service key in the registry. Note that this differs from the
  DisplayName, which is the name shown by the “net start” command and by the [Services] tool of
  Control Panel. Sc.exe uses the ServiceKeyName as the main identifier of a service.
Optionname
  Option command parameters are given as Optionname and Optionvalue pairs. There must be no blank
  space between the Optionname and the equal sign (a space follows the equal sign, as in
  start= disabled). Zero or more Optionname/Optionvalue pairs can be specified.
Optionvalue
  Specifies the value of the parameter named by Optionname. The range of valid values depends on
  the command; refer to the help of each command for the list of available values.


Batch File Example


@echo off

set s_name=Browser
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=Dhcp
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=Dnscache
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=ERSvc
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=helpsvc
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=NetDDE
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=NetDDEdsdm
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=RemoteRegistry
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=seclogon
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=ShellHWDetection
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=Themes
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=upnphost
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=WebClient
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

set s_name=WZCSVC
echo stop and disable to %s_name% service.
sc stop %s_name%
sc config %s_name% start= disabled

echo finish.
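Added example, not from this guide: a Python check of the result of the batch file above, which parses the text that sc qc and sc query print for each service and reports any listed service that is not both DISABLED and STOPPED; a service that does not exist on the OS version (sc error 1060) is treated as compliant. The captured outputs are constructed samples in sc.exe's layout.

```python
# Check, from the text sc.exe prints, that the services disabled by the batch
# file above are stopped and disabled.  Added example; captures are constructed.
import re

# Service key names from the batch file above.
HARDENED_SERVICES = [
    "Browser", "Dhcp", "Dnscache", "ERSvc", "helpsvc", "NetDDE", "NetDDEdsdm",
    "RemoteRegistry", "seclogon", "ShellHWDetection", "Themes", "upnphost",
    "WebClient", "WZCSVC",
]
# "        START_TYPE         : 4   DISABLED"  ->  ("START_TYPE", "4   DISABLED")
FIELD_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")


def parse_sc_output(text):
    """Parse 'FIELD : value' lines of sc qc / sc query output into a dict.

    The '[SC] ...' banner and continuation lines (a second DEPENDENCIES entry
    begins with ':' alone) do not match FIELD_RE and are skipped.
    """
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def service_state(qc_text, query_text):
    """Return (start_type, state), e.g. ('DISABLED', 'STOPPED').

    sc reports error 1060 for a service that does not exist on this OS version;
    that case is returned as ('NOT_INSTALLED', 'NOT_INSTALLED').
    """
    qc, query = parse_sc_output(qc_text), parse_sc_output(query_text)
    if "SERVICE_NAME" not in qc:
        return "NOT_INSTALLED", "NOT_INSTALLED"
    # '4   DISABLED' -> 'DISABLED'; a missing field reads as 'UNKNOWN'
    last = lambda field: (field.split() or ["UNKNOWN"])[-1]
    return last(qc.get("START_TYPE", "")), last(query.get("STATE", ""))


def audit(captures):
    """captures: {service: (sc qc output, sc query output)}; returns [(service, reason)]."""
    problems = []
    for name in HARDENED_SERVICES:
        if name not in captures:
            problems.append((name, "no capture"))
            continue
        start_type, state = service_state(*captures[name])
        if start_type == "NOT_INSTALLED":
            continue  # nothing to stop on this OS version
        if start_type != "DISABLED" or state != "STOPPED":
            problems.append((name, f"start={start_type} state={state}"))
    return problems


def constructed_capture(name, start="4   DISABLED", state="1  STOPPED"):
    """Build sc qc and sc query output for one service in sc.exe's layout (constructed)."""
    qc = (
        "[SC] QueryServiceConfig SUCCESS\n\n"
        f"SERVICE_NAME: {name}\n"
        "        TYPE               : 20  WIN32_SHARE_PROCESS\n"
        f"        START_TYPE         : {start}\n"
        "        ERROR_CONTROL      : 1   NORMAL\n"
        "        BINARY_PATH_NAME   : C:\\Windows\\system32\\svchost.exe -k netsvcs\n"
        "        LOAD_ORDER_GROUP   : \n"
        f"        DISPLAY_NAME       : {name}\n"
        "        DEPENDENCIES       : RPCSS\n"
        "                           : LanmanWorkstation\n"
        "        SERVICE_START_NAME : LocalSystem\n"
    )
    query = (
        f"SERVICE_NAME: {name}\n"
        "        TYPE               : 20  WIN32_SHARE_PROCESS\n"
        f"        STATE              : {state}\n"
        "        WIN32_EXIT_CODE    : 1077  (0x435)\n"
        "        SERVICE_EXIT_CODE  : 0  (0x0)\n"
    )
    return qc, query


# What sc prints for a service that is not installed (e.g. ERSvc on Server 2008).
NOT_INSTALLED = ("[SC] OpenService FAILED 1060:\n\n"
                 "The specified service does not exist as an installed service.\n",) * 2

# Constructed captures: all hardened except RemoteRegistry; ERSvc not installed.
SAMPLE_CAPTURES = {name: constructed_capture(name) for name in HARDENED_SERVICES}
SAMPLE_CAPTURES["RemoteRegistry"] = constructed_capture("RemoteRegistry", "2   AUTO_START", "4  RUNNING")
SAMPLE_CAPTURES["ERSvc"] = NOT_INSTALLED
```

Running audit(SAMPLE_CAPTURES) reports only RemoteRegistry; on a real server the two strings per service come from `sc qc <name>` and `sc query <name>`.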


Appendix A.12 Starting the MMC Console


This section describes how to start the MMC console.

1 From the Start menu, choose [Run...] and enter “mmc” to start the MMC console.

Figure A-11 Run MMC

2 From the menu bar, select [File] - [Add/Remove Snap-in...].

Figure A-12 MMC console


3 In the [Add/Remove Snap-in] dialog box, click the [Add] button.

Figure A-13 Add/Remove Snap-in

4 From the [Available Standalone snap-ins:] list, select [Security Templates], click the
[Add] button, then the [Close] button, and finally the [OK] button.

Figure A-14 Add Standalone snap-in


Appendix A.13 IT Security Detail Information


This section describes the details of the individual security measures.

Appendix A.13.1 Access control

To restrict unauthorized access to, or leakage of, important data in Exaquantum, at least an
individual user account for each user is required. The access control function of Windows is
used to control access to files and registry keys and the rights to execute the various programs.

User account access control is managed through membership of the groups named in the Access
Control Lists that grant access to the data or program in question.

Appendix A.13.1.1 Access user group

The following tables show the groups created for the standard, strengthened, and legacy models
and their roles.

Table A-4 Access user group of standard or strengthened model

| User and Group Name (Standard/Strengthened) | Legacy (*2) | User or Group | Location where Object is Created | Privilege Group | Description |
|---|---|---|---|---|---|
| QTM_DATA_READ | QUserGroup | Group | TypeA | Users/Domain Users | User group for users needing to read data from Exaquantum. |
| QTM_DATA_WRITE | QDataWriteGroup | Group | TypeA | Users/Domain Users | User group for users requiring to write data to the Exaquantum system. |
| QTM_EXPLORER_DESIGN | QExplorerDesignGroup | Group | TypeA | Users/Domain Users | User group that can make/modify/delete Exaquantum Explorer documents. |
| QTM_MAINTENANCE | QAdministratorGroup | Group | TypeA | Administrators/Domain Admins | User group for users that will make configuration changes to the Exaquantum system or perform maintenance. Users in this group should also be members of the local Administrators group (either directly or through being a Domain Administrator). (*1) |
| QTM_MAINTENANCE_LCL | - | Group | TypeC | Administrators | This group is only created for a Standard/Strengthened Domain implementation and by default includes the local Administrator account. It is the equivalent of "QTM_MAINTENANCE", but is accessible and checked if the Domain Controller is unavailable. (*1) |
| EXA_MAINTENANCE | - | Group | TypeA | Administrators/Domain Admins | User group for users that perform EXA package common maintenance and install other EXA packages. Members of this group should also be members of the local Administrators group (either directly or through membership of the Domain Admins group). (*1) |
| EXA_MAINTENANCE_LCL | - | Group | TypeC | Administrators | This group is only created for a Standard/Strengthened Domain implementation and by default includes the local Administrator account. It is the equivalent of "EXA_MAINTENANCE", but is accessible and checked if the Domain Controller is unavailable. (*1) |
| QTM_OPC | - | Group | TypeA | Users/Domain Users | Group for authentication when accessing DCOM from outside the Exaquantum system. The execution users of Exaopc and Exapilot are placed in this group (Exaopc connection, Exaquantum Link Unit Procedure, etc.). |
| QTM_OPC_LCL | - | Group | TypeC | Users | The privilege is the same as "QTM_OPC", and a local user can be used. |
| QTM_PROCESS | Quantumuser | User | TypeB | Users/Domain Users | The Exaquantum Windows Service user. This user does not have Windows logon rights. |
| EXA_PROCESS | EXA | User | TypeB | Users/Domain Users | The Windows Service user for common EXA services. This user does not have Windows logon rights. |
| QTM_SQLSERVER | - | User | TypeB | Users/Domain Users | The SQL Server service user for the Exaquantum Server. For details refer to "Change in SQL server service account". |

Table A-5 Legacy Model Users and Groups

| User and Group Name | User or Group | Making Location | Privilege Group | Description |
|---|---|---|---|---|
| QUserGroup | Group | TypeB | Users | User group for users reading data from Exaquantum |
| QDataWriteGroup | Group | TypeB | Users | User group that can write data to Exaquantum |
| QExplorerDesignGroup | Group | TypeB | Users | User group that can make/modify/delete Exaquantum Explorer documents |
| QAdministratorGroup | Group | TypeB | Administrators | User group for users that will make configuration changes to the Exaquantum system or perform maintenance. Users in this group should also be members of the local Administrators group (either directly or through being a Domain Administrator) |
| Quantumuser | User | TypeB | Users | User to execute Exaquantum processes (Windows service) |
| EXA | User | TypeB | Users | User to execute EXA common processes (Windows service) |

< Location where Object is created >

TypeA - For Domain User Management this is a Domain Group. For Workgroup Management, this is a
Local Group.

TypeB - This is always a Local Group.

TypeC - This is always a Local Group, but it is only created when implementing Domain User
Management.

*1: When you add a user to an administrators group in Workgroup Management, register the user
with the local “Administrators” group. In a domain environment, register the user with the
“Domain Admins” group or with the local “Administrators” group on the local PC.

*2: The user groups or users applicable in the legacy model are shown for reference.


Caution

In a Workgroup User Management configuration, each client user must have a corresponding local
user set up on the server with a matching password. The membership of that server user in the
server's access control groups determines the client user's access rights.

Appendix A.13.1.2 Registry configuration and access rights

To enable collaboration between Exaquantum and the other coexisting packages, full access
control rights are granted to the following access control groups and accounts.

Table A-6 Registry configuration and access rights

| Registry key | [1] | [2] | [3] | [4] | [5] | [6] | [7] | [8] | [9] |
|---|---|---|---|---|---|---|---|---|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\Quantum | F | F | F | F | - | F | F | - | - |
| HKEY_CURRENT_USER\SOFTWARE\Quantum | F | F | - | F | - | F | - | F | - |
| HKEY_LOCAL_MACHINE\SOFTWARE\Yokogawa\PKGCOM | F | F | - | F | - | F | - | F | - |
| HKEY_LOCAL_MACHINE\SOFTWARE\Yokogawa\Exaopc | F | F | - | F | - | F | - | F | - |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Setup | - | - | - | - | - | - | F | - | - |

< Access user group >

[1]: QTM_DATA_READ

[2]: QTM_DATA_WRITE

[3]: QTM_EXPLORER_DESIGN

[4]: QTM_MAINTENANCE

[5]: QTM_OPC

[6]: EXA_MAINTENANCE

[7]: System (QTM_PROCESS)

[8]: System (EXA_PROCESS)

[9]: System (QTM_SQLSERVER)

< Type of access authority >

F: full access control

Appendix A.13.1.3 DCOM Access authority for standard model

Installing Exaquantum adds DCOM components. By setting up the access authority for every
access group, each component is protected against impersonation, vandalism or theft via
DCOM.

Appendix A.13.1.4 Local Security Access Permissions

For each access user group, the following Local Security privileges are assigned besides
Windows standard privileges.

Table A-7 Local security access permissions

| Local security | [1] to [6] | [7] | [8] | [9] |
|---|---|---|---|---|
| Log on as a service | - | Y | Y | Y |
| Log on as a batch job | - | Y | Y | Y |
| Deny log on locally | - | Y | Y | Y |

< Access user group >

[1]: QTM_DATA_READ

[2]: QTM_DATA_WRITE

[3]: QTM_EXPLORER_DESIGN

[4]: QTM_MAINTENANCE

[5]: QTM_OPC

[6]: EXA_MAINTENANCE

[7]: System (QTM_PROCESS)

[8]: System (EXA_PROCESS)

[9]: System (QTM_SQLSERVER)

Y: Implemented

TIP: To display local security policies, use the following procedure.

1 Choose [Control Panel] - [Administrative Tools] - [Local Security Policy].

2 In Local Security Settings window, select [Local Policies] - [User Rights Assignment].

Among various local security policies displayed here, the above three access privileges are the
minimum necessary requirements for operating the Exaquantum system.

Appendix A.13.1.5 Access User Group Control

The following two user/group control methods that make use of access control on an access
user group basis are available.

Table A-8 Access user group control

| Control method | Configuration | Operation | Other |
|---|---|---|---|
| Workgroup control | Consists of Exaquantum terminals only. | Register the accounts of the users in all the terminals. | |
| Domain control | Requires a domain server to be established besides the Exaquantum terminals. | Register the accounts of the users on the domain server. | Consolidating the users reduces human errors, which can be an advantage with respect to security. |

For more information on access user group management, refer to Appendix A.6 Workgroup
Management and Domain Management.


Appendix A.13.2 Personal Firewall Tuning

To cope with attacks from an unknown area, network access to a terminal is minimized.

Caution

When installing Exaquantum R2.60 or later, you can configure Windows Firewall to
comply with the Standard model by using the Security Setting Tool. If using a Personal
Firewall made by a third-party, it is the user’s responsibility to setup and operate it.

TIP: Most of the third-party Personal Firewall products have initial settings, so some of them
may conflict with the settings in the following description.

Before setting up, make sure you remove the initial settings, and ensure that unexpected
services are not started after setting up.

Personal Firewall Settings (for Standard Model)

In the case of the Standard model, Exaquantum-related DCOM processes are set up as
exceptions so that Exaquantum functions can run without any changes in the settings. These
settings are common to all terminals. There is no restriction to the communication target.

Table A-9 Personal Firewall settings

| | Exaquantum server | Exaquantum client |
|---|---|---|
| Standard settings | Exception Setting (see below) | Exception Setting (see below) |

Table A-10 Exception Setting for PIMS Server or Combined Server

| Port | Port Number |
|---|---|
| HTTP | 80/TCP (Web Server only) |
| EPMAP | 135/TCP |
| MSSQL | 1433/TCP |
| Remote Desktop | 3389/TCP |

Table A-11

| Application | Path |
|---|---|
| mmc.exe | WINDOWS\system32\mmc.exe |
| Exaquantum Quantum Module | <Exaquantum installation folder>\System\Quantum.exe |
| Exaquantum Explorer | <Exaquantum installation folder>\Explorer\QExplore.exe |
| Exaquantum LiveXplore | <Exaquantum installation folder>\Developer Tools\LiveXplore.exe |
| Exaquantum System Event Viewer | <Exaquantum installation folder>\Developer Tools\SysEventsViewer.exe |
| Microsoft Excel | <Microsoft Office installation folder>\Excel.exe (Office 2010: C:\Program Files\Microsoft Office\OFFICE14\; Office 2007: C:\Program Files\Microsoft Office\OFFICE12\) |
| ExaQuantumExecutive.exe | <Exaquantum installation folder>\System\ExaQuantumExecutive.exe |
| QRBNSServerBrowse.exe | <Exaquantum installation folder>\System\QRBNSServerBrowse.exe |
| QNameSpaceBrowser.exe | <Exaquantum installation folder>\System\QNameSpaceBrowser.exe |
| QHistorian.exe | <Exaquantum installation folder>\System\QHistorian.exe |
| QBuilder.exe | <Exaquantum installation folder>\System\QBuilder.exe |
| QAnalyse.exe | <Exaquantum installation folder>\System\QAnalyse.exe |
| QFBRetriever.exe | <Exaquantum installation folder>\Product Tools\QFBRetriever.exe |
| QOPCDAMgr.exe | <Exaquantum installation folder>\System\QOPCDAMgr.exe |
| QOPCAEPump.exe | <Exaquantum installation folder>\System\QOPCAEPump.exe |
| QOPCPropertyAccess.exe | <Exaquantum installation folder>\System\QOPCPropertyAccess.exe |
| QZOPCAECatchup.exe | <Exaquantum installation folder>\System\QZOPCAECatchup.exe |

Table A-12 Exception Setting for Web Server or Client

| Port | Port Number |
|---|---|
| HTTP | 80/TCP (Web Server only) |
| EPMAP | 135/TCP |

Table A-13

| Application | Path |
|---|---|
| mmc.exe | WINDOWS\system32\mmc.exe |
| Exaquantum Quantum Module | <Exaquantum installation folder>\System\Quantum.exe |
| Exaquantum Explorer | <Exaquantum installation folder>\Explorer\QExplore.exe |
| Exaquantum LiveXplore | <Exaquantum installation folder>\Developer Tools\LiveXplore.exe |
| Exaquantum System Event Viewer | <Exaquantum installation folder>\Developer Tools\SysEventsViewer.exe |
| Microsoft Excel | <Microsoft Office installation folder>\Excel.exe (Office 2010: C:\Program Files\Microsoft Office\OFFICE14\; Office 2007: C:\Program Files\Microsoft Office\OFFICE12\) |

Personal Firewall Settings (for Strengthened model)

For further Setting details, please contact YMX.


Appendix A.13.3 Change in SQL server service account

The SQL Server services, which run under the Local System account by default, are changed to
run under a dedicated SQL Server account.

The SQL Server services concerned are listed below.

Table A-14 SQL server service account

| Service | User group | Minimum Permissions Required |
|---|---|---|
| SQL Server | Default instance: SQLServerMSSQLUser$ComputerName$MSSQLSERVER | Log on as a service (SeServiceLogonRight); Replace a process level token (SeAssignPrimaryTokenPrivilege); Bypass traverse checking (SeChangeNotifyPrivilege); Adjust memory quotas for a process (SeIncreaseQuotaPrivilege); permission to start the SQL Server Active Directory Helper service; permission to start the SQL Writer service; permission to read the Event Log service; permission to read the Remote Procedure Call service |
| SQL Server Agent | Default instance: SQLServerSQLAgentUser$ComputerName$MSSQLSERVER | Log on as a service (SeServiceLogonRight); Replace a process level token (SeAssignPrimaryTokenPrivilege); Bypass traverse checking (SeChangeNotifyPrivilege); Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) |

Setting of standard model

For the standard model, an account for the SQL Server services is created on the Exaquantum
server, and all of the above SQL Server services are changed to run under that account.

Caution

Manually configure the SQL Server services other than the target services (SQL Server, SQL
Server Agent) so that they do not start.

Table A-15 SQL server service account (Standard model)

| User name | Target service | Belonging user group |
|---|---|---|
| QTM_SQLSERVER | SQL Server, SQL Server Agent | SQLServerMSSQLUser$ComputerName$MSSQLSERVER |
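Added example (not the guide's own tooling) covering Table A-7 and Table A-14: a Python check that reads the [Privilege Rights] section of a secedit /export policy dump and verifies that the service accounts hold the rights listed, and that the interactive user groups [1] to [6] are not denied local logon. The export text is a constructed sample; EXQSRV01 is a placeholder computer name, and it is assumed that the *SID entries of a real export have already been resolved to account names.

```python
# Check user-rights assignments (Table A-7, Table A-14) against a
# 'secedit /export /cfg policy.inf' dump.  Added example; the export text is
# a constructed sample and EXQSRV01 is a placeholder computer name.  A real
# export lists local accounts as *SID entries; this example assumes those
# have already been resolved to account names.

HOST = "EXQSRV01"  # placeholder for ComputerName in the SQL group names

# Rights every service account must hold (Table A-7, columns [7] to [9]).
SERVICE_ACCOUNT_RIGHTS = {
    "SeServiceLogonRight",          # Log on as a service
    "SeBatchLogonRight",            # Log on as a batch job
    "SeDenyInteractiveLogonRight",  # Deny log on locally
}
# Minimum rights of the SQL Server service groups (Table A-14).
SQL_GROUP_RIGHTS = {
    "SeServiceLogonRight",
    "SeAssignPrimaryTokenPrivilege",  # Replace a process level token
    "SeChangeNotifyPrivilege",        # Bypass traverse checking
    "SeIncreaseQuotaPrivilege",       # Adjust memory quotas for a process
}
EXPECTED = {
    "QTM_PROCESS": SERVICE_ACCOUNT_RIGHTS,
    "EXA_PROCESS": SERVICE_ACCOUNT_RIGHTS,
    "QTM_SQLSERVER": SERVICE_ACCOUNT_RIGHTS,
    f"SQLServerMSSQLUser${HOST}$MSSQLSERVER": SQL_GROUP_RIGHTS,
    f"SQLServerSQLAgentUser${HOST}$MSSQLSERVER": SQL_GROUP_RIGHTS,
}
# Interactive user groups [1] to [6]: denying them local logon would lock users out.
INTERACTIVE_GROUPS = ("QTM_DATA_READ", "QTM_DATA_WRITE", "QTM_EXPLORER_DESIGN",
                      "QTM_MAINTENANCE", "QTM_OPC", "EXA_MAINTENANCE")


def parse_privilege_rights(inf_text):
    """Return {right: set(accounts)} from the [Privilege Rights] section.

    Entries look like 'SeServiceLogonRight = *S-1-5-20,QTM_PROCESS'; the
    leading '*' marks a SID and is stripped so SIDs compare as plain strings.
    """
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        right, _, value = line.partition("=")
        rights[right.strip()] = {a.strip().lstrip("*") for a in value.split(",") if a.strip()}
    return rights


def audit_rights(rights, expected=EXPECTED, interactive_groups=INTERACTIVE_GROUPS):
    """Return [(account, right, problem)] for rights missing or wrongly granted."""
    findings = []
    for account, needed in expected.items():
        for right in sorted(needed):
            if account not in rights.get(right, set()):
                findings.append((account, right, "missing"))
    denied = rights.get("SeDenyInteractiveLogonRight", set())
    for group in interactive_groups:
        if group in denied:
            findings.append((group, "SeDenyInteractiveLogonRight", "must not be granted"))
    return findings


# Constructed export: QTM_SQLSERVER may still log on locally, the Agent group
# lacks SeIncreaseQuotaPrivilege, and QTM_DATA_READ is wrongly denied logon.
SAMPLE_EXPORT = f"""\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,QTM_PROCESS,EXA_PROCESS,QTM_SQLSERVER,SQLServerMSSQLUser${HOST}$MSSQLSERVER,SQLServerSQLAgentUser${HOST}$MSSQLSERVER
SeBatchLogonRight = *S-1-5-32-544,QTM_PROCESS,EXA_PROCESS,QTM_SQLSERVER
SeDenyInteractiveLogonRight = QTM_PROCESS,EXA_PROCESS,QTM_DATA_READ
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,SQLServerMSSQLUser${HOST}$MSSQLSERVER,SQLServerSQLAgentUser${HOST}$MSSQLSERVER
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,SQLServerMSSQLUser${HOST}$MSSQLSERVER,SQLServerSQLAgentUser${HOST}$MSSQLSERVER
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,SQLServerMSSQLUser${HOST}$MSSQLSERVER
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for account, right, problem in audit_rights(parse_privilege_rights(SAMPLE_EXPORT)):
        print(f"{account}: {right} {problem}")
```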

Appendix A.13.4 Stopping of unnecessary Windows services (Strengthened Model target)

For further Setting details, please contact your local Yokogawa representative.


Appendix A.13.5 Changing IT Environment Settings

This section provides an introduction to the Windows security functions that run in the IT
environment and are applicable to the Exaquantum. When implementing these security
functions, consider their suitability for use with Exaquantum.

Table A-16 Relationship between IT Environment Setting items and Security models

| Setting items | Standard model | Strengthened model |
|---|---|---|
| Changing or Disabling the Account Name of “Administrator” | | Y |
| Hiding the Last Logon User Name | Y | Y |
| Software Restriction Policies | | Y |
| Restriction on AutoRun | Y | Y |
| Applying the StorageDevicePolicies function | Y | Y |
| Disabling NetBIOS over TCP/IP | | Y |
| Changing the LAN Manager Authentication Level | | Y |
| Applying the Password Policy | | Y |
| Disabling USB storage device | Y | Y |
| Applying the Audit Policy | | Y |

Note: All IT Security Environment Settings are set manually.

For further Strengthened Model Setting details, please contact YMX.

Appendix A.13.5.1 Restriction on AutoRun

This operation prevents an illegal program from being launched automatically from a medium such
as a CD-ROM inserted into a drive. It is an especially effective measure against virus
infections (USB worms) of a computer via USB flash memories.

Restriction

- Standard Model

Disable AutoRun on specified drives (removable drives, network drives, drives of unknown type)

- Strengthened Model

Disable AutoRun on all drives

Setting method

1 Log on as a user with Administrator privilege.

2 Install Microsoft .NET Framework 3.5 Service Pack 1 (if already installed, go to step 3).
To install, double click the following file on the Exaquantum DVD:

<Exaquantum DVD>\Misc\dotnetfx35.exe

3 Double click the following file.

- Standard Model or Strengthened Model

<Exaquantum installation folder>\Exaopc\PKGCOM\tool\PMCDisableAutoRun.reg

4 Reboot the PC.

To enable AutoRun again, double click the following file.
<Exaquantum installation folder>\Exaopc\PKGCOM\tool\PMCEnableAutoRun.reg

<Exaquantum installation folder> is as follows.

(Default C:\Program Files\Yokogawa\Exaquantum PIMS)

Notes

- Even if the Exaquantum installation DVD is inserted, the installation menu does not start
automatically when AutoRun is disabled for CD-ROM drives (Strengthened Model).

- In a domain environment, the AutoRun setting may be overwritten by the domain controller's
policy. If it is overwritten, change the domain controller setting manually.

Appendix A.13.5.2 Application of StorageDevicePolicies function

Writing to USB storage devices can be disabled globally by using the StorageDevicePolicies
setting of Windows, preventing a user from copying Exaquantum data off the system. Write
privilege can be restored temporarily by using the StorageDeviceCTL tool.

This setting disables the use of USB disks. The StorageDeviceCTL tool is provided so that an
engineer can temporarily enable a USB device for system maintenance.

Note 2. On Windows 7, Windows Server 2008 and Windows Server 2008 R2, the “Portable Device
Enumerator Service” must be restarted after executing StorageDeviceCTL for the new settings
to take effect.

Note 3. If StorageDeviceCTL is executed on Windows Server 2008, a confirmation dialog for
stopping the above service (step 3 above) may be displayed. In this case, click the [Close]
button.

Note 4. On Windows Server 2008 R2 the Portable Device Enumerator Service may not be active, so
an OS restart may be required for the settings to take effect.

Caution

If you use a USB removable HDD as an Auto Archiving destination folder and make the removable
media read-only with StorageDevicePolicies, the next archive operation will fail. Change your
configuration, for example set the archive folder to an internal HDD.

Setting StorageDevicePolicies

1. Log on as a user with Administrator privilege.

2. Double click the following file.

In case of Standard Model

<Exaquantum Installation folder>\Exaopc\PKGCOM\tool\PMCEnableStorageDevicePolicies.reg

3. Restart Windows.

If the restriction needs to be released, double click the following file.

<Exaquantum Installation folder>\Exaopc\PKGCOM\tool\PMCDisableStorageDevicePolicies.reg

Setting the writing privilege

When StorageDevicePolicies has removed the write privilege to a storage device (USB memory),
StorageDeviceCTL restores it for as long as it is needed; writing is possible while the tool is
running.

After executing this tool, a USB memory connected to the PC can be written to.

This tool can be used on a PC on which StorageDevicePolicies is set.

If this tool is executed on a PC on which StorageDevicePolicies is not set, it sets
StorageDevicePolicies automatically and the storage device becomes read-only.

Note: After executing this tool, the storage device needs to be recognized again.

StorageDeviceCTL Executing method

Execute the following procedure.

1 Open the following program folder.

(In case of 32bit OS: C:\Program Files\YOKOGAWA\IA\iPCS\Products\SECURITY\PROGRAM\)

(In case of 64bit OS: C:\Program Files (x86)\Yokogawa\Exaquantum PIMS\Exaopc\PKGCOM\tool)

2 Double click the following file in the folder.

Yokogawa.IA.iPCS.Platform.Security.StorageDeviceCTL.exe

After execution, the tool is shown only on the Task bar.

3 Connect the storage device to the PC.

4 Read or write the required data to the storage device.

5 Remove the storage device.

Note: To remove a USB memory, right click the “Safely Remove Hardware and Eject Media” icon
and select “Safely Remove Hardware and Eject Media”.

6 Click [StorageDeviceCTL] on the Task bar, and click [WriteStop].

Appendix A.13.5.3 Hiding the Last Logon User Name
The last logon user name, normally shown on the logon dialog box, can be hidden to prevent general display
of user names.

Setting method
Modify the Local Security Policy setting as follows:
1. Open Local Security Policy from control panel - Administrative Tools.
2. Select [Security Settings] - [Local Policies] - [Security Options] in the left hand panel.
3. Double click [Interactive logon: Do not display last user name Properties]
4. Select [Enable] and click [Apply] button

Note

You must enter a user name on every logon attempt if you apply this security measure

Appendix A.13.5.4 Disabling USB Storage Devices


This function disables the use of USB storage devices such as USB memory sticks. You can use this function
to prevent theft of data by unauthorized users.
You can use the StorageDeviceCTL utility of Exaquantum to temporarily grant write permissions to users.

Setting method
1. Log on as a user with Administrator privilege.
2. Install Microsoft .NET Framework 3.5 Service Pack 1. (If already installed, go to step 3). To
install, double click the following file on the Exaquantum DVD :

<Exaquantum DVD>\Misc\dotnetfx35.exe
3. Double click on the following file:
(Standard Model or Strengthened Model)
<Exaquantum installation folder>\Exaopc\PKGCOM\tool\PMCDisablingUSBStorageDevice.exe.
4. Reboot the PC.

If you want to enable the USB Storage Devices, double click the following file.
<Exaquantum installation folder>\Exaopc\PKGCOM\tool\PMCEnablingUSBStorageDevice.exe.

<Exaquantum installation folder> is as follows.

(Default C:\Program Files\Yokogawa\Exaquantum PIMS)

Note
If this function is applied to Windows Server 2008 R2, StorageDeviceCTL cannot be used to
temporarily cancel the effect of disabling USB storage devices. To cancel, double click
"PMCEnablingUSBStorageDevice.reg" (refer to the Setting method).

Note that if you do not use this function, other security measures such as covering the USB
ports are needed to prevent data being taken out on removable storage media.
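Added example serving Appendix A.13.5.1, A.13.5.2 and A.13.5.4, not the PMC*.reg files shipped with the product: a Python reviewer for .reg files that decodes NoDriveTypeAutoRun against the drive types each security model names, and checks StorageDevicePolicies WriteProtect and the USBSTOR service start type. The drive-type bit values and the bits required per model are this example's reading of the Windows documentation and of the model descriptions above, an assumption; both .reg texts are constructed.

```python
# Review a .reg file for the AutoRun, StorageDevicePolicies and USB-storage
# measures of Appendix A.13.5.  Added example; the .reg texts are constructed
# (not the PMC*.reg files) and the bit values below are this example's
# reading of the NoDriveTypeAutoRun documentation, i.e. an assumption.
import re

REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# NoDriveTypeAutoRun is a bitmask with one bit per GetDriveType() result.
AUTORUN_BITS = {
    0x01: "unknown type", 0x04: "removable", 0x08: "fixed", 0x10: "network",
    0x20: "CD-ROM", 0x40: "RAM disk", 0x80: "unknown (no root directory)",
}
# Drive types each model must have AutoRun disabled for (from the model text).
MODEL_REQUIRED_BITS = {
    "Standard": 0x01 | 0x04 | 0x10 | 0x80,  # removable, network, unknown type
    "Strengthened": 0xFF,                   # all drives
}
EXPLORER_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
STORAGE_POLICY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
USBSTOR = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR"


def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}: dword -> int,
    '=-' (deletion) -> None, anything else kept as the raw string."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = REG_VALUE_RE.match(line)
        if match is None or current is None:
            continue
        data = match.group("data")
        if data == "-":
            value = None
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data.strip('"')
        keys[current][match.group("name")] = value
    return keys


def autorun_status(keys, model):
    """Return (NoDriveTypeAutoRun value or None, drive types still allowed to AutoRun)."""
    value = keys.get(EXPLORER_POLICY, {}).get("NoDriveTypeAutoRun")
    required, present = MODEL_REQUIRED_BITS[model], value or 0
    missing = [name for bit, name in AUTORUN_BITS.items()
               if required & bit and not present & bit]
    return value, missing


def audit_policy_file(text, model):
    """Return the list of findings for a .reg file judged against the given model."""
    keys = parse_reg(text)
    findings = []
    value, missing = autorun_status(keys, model)
    if value is None:
        findings.append("NoDriveTypeAutoRun not set: Windows default AutoRun behaviour applies")
    elif missing:
        findings.append(f"NoDriveTypeAutoRun=0x{value:02X} still allows AutoRun on: {', '.join(missing)}")
    if keys.get(STORAGE_POLICY, {}).get("WriteProtect") != 1:
        findings.append("StorageDevicePolicies WriteProtect is not 1: USB storage stays writable")
    if keys.get(USBSTOR, {}).get("Start") != 4:
        findings.append("USBSTOR Start is not 4 (disabled): USB storage devices can still be mounted")
    return findings


# Constructed .reg text: every drive type, write protection on, USB storage driver disabled.
HARDENED_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004
"""
# Constructed .reg text with gaps: fixed and CD-ROM drives keep AutoRun, write
# protection is off and the USB storage driver still starts on demand.
WEAK_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003
"""
```

Running audit_policy_file(WEAK_REG, "Strengthened") lists three findings and audit_policy_file(HARDENED_REG, "Strengthened") none; a `reg export` of the three keys from a live machine can be fed in the same way.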

Appendix A.13.6 Security of Web server (Standard or Strengthened model)

A Web server may be installed with Exaquantum. Pay close attention to security when connecting
the Web server to the Internet or an Intranet.

Table A-17 Security of Web server

| Setting item | Standard model |
|---|---|
| Only the necessary IIS components are installed. | Y |
| Only the necessary Web service extensions are enabled. | Y |
| IIS logging is set. | Y |

Note: All Web server security settings are set manually.


Appendix A.13.6.1 Installing Only the Necessary IIS Components

Do not enable components such as FTP, NNTP, and SMTP or any other unused service.

For further installation details, refer to Chapter 8 Installing IIS in the Exaquantum Installation
Guide (IM36J04A13-01E).

For Windows Server 2008

1 Choose “Roles” from [Administrative Tools] - [Server Manager] in the [Start] menu.

2 Click Add Roles, and then click the [Next] button.

3 Select the required components.

Components required for the Exaquantum Web Server are as follows:

- Roles
  Web Server (IIS)

- Role Services
  Web Server

- Common HTTP Features
  Static Content
  Default Document
  Directory Browsing
  HTTP Errors
  HTTP Redirection

- Application Development
  ASP.NET
  .NET Extensibility
  ASP
  ISAPI Extensions
  ISAPI Filters

- Health and Diagnostics
  HTTP Logging
  Logging Tools
  Request Monitor
  Tracing

- Security
  Basic Authentication
  Windows Authentication
  Digest Authentication
  Client Certificate Mapping Authentication
  IIS Client Certificate Mapping Authentication
  URL Authorization
  Request Filtering
  IP and Domain Restrictions

- Performance
  Static Content Compression

- Management Tools
  IIS Management Console
  IIS Management Scripts and Tools

- IIS 6 Management Compatibility
  IIS 6 Metabase Compatibility
  IIS 6 WMI Compatibility
  IIS 6 Management Console


Appendix A.13.6.2 Enabling Only Necessary Web Service Extensions

Dynamic content on an IIS server is served through Web service extensions.

IIS 6.0 allows each Web service extension to be enabled or disabled individually. A freshly installed IIS server serves static content only; dynamic content is enabled from the Web Service Extensions node of IIS Manager. These extensions include ASP.NET, SSI, WebDAV, FrontPage Server Extensions and others. On Windows Server 2008 (IIS 7) the same control is the ISAPI and CGI Restrictions feature.

Disable every Web service extension that is not needed, to reduce the attack surface of the IIS server.

Windows Server 2008

1 Choose [Internet Information Services (IIS) Manager] from [Administrative Tools] in the [Start] menu.

2 In the Connections pane on the left, select the Web server name.

3 In Features View, open ISAPI and CGI Restrictions.

Table A-18 Web Service Extensions

Web Service Extension   Allowed/Prohibited   Extension Required Condition
---------------------   ------------------   ----------------------------
Active Server Pages     Allowed              ASP content is included in one or more Web sites and
                                             applications run on the IIS server.
ASP.NET v2.0.50727      Allowed              ASP.NET content is included in one or more Web sites and
                                             applications run on the IIS server, and .NET Framework 3.0
                                             is installed.
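As an added example (not from this manual), the following PowerShell script applies Table A-18 to an IIS 7 server: it first refuses any ISAPI extension or CGI program that is not listed at all, then sets every listed entry to Allowed or Prohibited according to the table, and finally prints what IIS will enforce. It assumes the WebAdministration module of Windows Server 2008 R2 (on Windows Server 2008 the IIS 7.0 PowerShell snap-in provides the same cmdlets after Add-PSSnapin WebAdministration). The descriptions it matches are the ones IIS shows in the ISAPI and CGI Restrictions list, which are the same strings as in the table.

```powershell
# Added example for Appendix A.13.6.2 (not from the Yokogawa manual).
# Assumes the WebAdministration module of Windows Server 2008 R2. On Windows Server 2008
# load the IIS 7.0 PowerShell snap-in instead: Add-PSSnapin WebAdministration
Import-Module WebAdministration

$psPath  = 'MACHINE/WEBROOT/APPHOST'                          # applicationHost.config
$section = 'system.webServer/security/isapiCgiRestriction'

# Table A-18: only these two extensions are Allowed. On 64-bit hosts ASP.NET appears twice
# (Framework and Framework64 paths); both entries carry this description and both match.
$AllowedDescriptions = @('Active Server Pages', 'ASP.NET v2.0.50727')

# Hardening 1: an extension that is not listed at all is refused, so a binary dropped on the
# server cannot run merely because nobody added a Prohibited entry for it.
Set-WebConfigurationProperty -PSPath $psPath -Filter $section -Name notListedIsapisAllowed -Value $false
Set-WebConfigurationProperty -PSPath $psPath -Filter $section -Name notListedCgisAllowed   -Value $false

# Hardening 2: set every listed entry to Allowed or Prohibited according to the table.
foreach ($entry in Get-WebConfiguration -PSPath $psPath -Filter "$section/add") {
    $shouldAllow = [bool]($AllowedDescriptions -contains $entry.description)
    if ([bool]$entry.allowed -ne $shouldAllow) {
        Set-WebConfigurationProperty -PSPath $psPath -Filter "$section/add[@path='$($entry.path)']" `
            -Name allowed -Value $shouldAllow
        "{0,-10} {1}" -f $(if ($shouldAllow) { 'Allowed' } else { 'Prohibited' }), $entry.path
    }
}

# Verify: the list IIS will enforce from now on (same data as the IIS Manager feature view).
Get-WebConfiguration -PSPath $psPath -Filter "$section/add" |
    Select-Object description, allowed, path | Format-Table -AutoSize
```

The same section can be inspected without PowerShell with %windir%\system32\inetsrv\appcmd.exe list config /section:isapiCgiRestriction; keep the notListed settings at false after any later .NET Framework installation, because a framework setup adds its own Allowed entry and the list must be reviewed again.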

Appendix A.13.6.3 Configuring IIS Log

A log can be created for each Web site and application separately. An IIS log records who accessed the site, which resources were requested and when they were last accessed. The administrator can use it to evaluate how often content is accessed and to locate bottlenecks, and it is also a resource for investigating attacks on the site.

In the [IIS Manager] MMC snap-in the log file format, the rollover schedule and the fields recorded can be configured. To limit the size of the log, choose the recorded fields carefully. To configure the IIS log, select the Web site in the Internet Information Services (IIS) Manager window and open the Logging feature.
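As an added example (not from this manual), the following PowerShell script shows both halves of the paragraph above. The first part sets the site-default log format, rollover and recorded fields, assuming the WebAdministration module of Windows Server 2008 R2 (on Windows Server 2008 the same attributes are set with appcmd.exe). The second part parses a W3C log and reports the clients whose requests IIS security features rejected; the log lines are constructed for this example, and the sub-status codes it matches are the IIS 7 request-filtering and IP-restriction codes, which is why HttpSubStatus is kept among the recorded fields.

```powershell
# Added example for Appendix A.13.6.3 (not from the Yokogawa manual).
# Part 1 assumes the WebAdministration module (Windows Server 2008 R2).
Import-Module WebAdministration
$psPath  = 'MACHINE/WEBROOT/APPHOST'
$logFile = 'system.applicationHost/sites/siteDefaults/logFile'   # default for every site

Set-WebConfigurationProperty -PSPath $psPath -Filter $logFile -Name logFormat -Value 'W3C'
Set-WebConfigurationProperty -PSPath $psPath -Filter $logFile -Name period    -Value 'Daily'
# Record only the fields an investigation needs; leaving out Cookie, Referer and byte counts
# keeps the daily files small. HttpSubStatus identifies request-filtering rejections.
Set-WebConfigurationProperty -PSPath $psPath -Filter $logFile -Name logExtFileFlags `
    -Value 'Date,Time,ClientIP,UserName,Method,UriStem,UriQuery,HttpStatus,HttpSubStatus,Win32Status,TimeTaken,UserAgent'

# Part 2: read a W3C log and report clients whose requests IIS security features rejected.
function Get-IisProbeReport {
    param([string[]]$Lines)
    $fields = @()
    $rows = foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) { $fields = ($line.Substring(8).Trim() -split ' '); continue }
        if ($line.StartsWith('#') -or $line.Trim() -eq '') { continue }   # other directives, blank lines
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Length; $i++) { $row[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $row
    }
    # IIS 7 sub-status codes set by request filtering and IP restrictions:
    #   404.7 extension denied, 404.8 hidden segment, 404.11 double escaping, 403.6 IP address rejected
    $blocked = $rows | Where-Object {
        ($_.'sc-status' -eq '404' -and (@('7', '8', '11') -contains $_.'sc-substatus')) -or
        ($_.'sc-status' -eq '403' -and $_.'sc-substatus' -eq '6')
    }
    $blocked | Group-Object -Property 'c-ip' | ForEach-Object {
        New-Object PSObject -Property @{
            ClientIP        = $_.Name
            BlockedRequests = $_.Count
            Codes           = (($_.Group | ForEach-Object { $_.'sc-status' + '.' + $_.'sc-substatus' }) -join ' ')
            FirstSeen       = ($_.Group | Select-Object -First 1 | ForEach-Object { $_.date + ' ' + $_.time })
        }
    }
}

# Constructed sample log (not real traffic): one operator session, one scanner, one rejected address.
$SampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status sc-substatus sc-win32-status time-taken cs(User-Agent)
2012-03-05 08:00:01 192.168.10.21 PLANT\operator1 GET /Exaquantum/Default.aspx - 200 0 0 31 Mozilla/4.0
2012-03-05 08:00:02 192.168.10.99 - GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404 11 0 0 Nikto
2012-03-05 08:00:02 192.168.10.99 - GET /Exaquantum/web.config - 404 8 0 0 Nikto
2012-03-05 08:00:03 192.168.10.99 - GET /Exaquantum/Default.cs - 404 7 0 0 Nikto
2012-03-05 08:00:04 10.0.0.5 - GET /Exaquantum/Default.aspx - 403 6 5 0 Mozilla/4.0
'@

Get-IisProbeReport -Lines ($SampleLog -split "`r?`n") |
    Format-Table ClientIP, BlockedRequests, Codes, FirstSeen -AutoSize
# On the server: Get-IisProbeReport -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex120305.log')
```

With the sample above the report lists 192.168.10.99 with three rejected requests (404.11, 404.8, 404.7) and 10.0.0.5 with one (403.6); the operator's 200 responses are not reported. The function reads the #Fields directive rather than fixed column positions, so it still works when the recorded fields differ from the set configured in part 1.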


Appendix A.14. Installation on HIS


To install Exaquantum Client on an HIS running CENTUM VP R4.03 or later, the following procedure is needed. Details are as follows.

Appendix A.14.1 Installation Procedure

■ Preparation

When [Auto logon setting] is set (including HIS type SSO), follow the procedure below.

(1) Reset [Auto logon setting] and restart the PC.

(2) Log on with the same account that was used for the CENTUM VP security setting.

If the account used for the security setting is the one with which the HIS starts automatically, also reset the HIS start setting and restart the PC.

■ Preparation for IT security setting

On CENTUM VP R4.03 or later, the Legacy model and the Standard Standalone model can coexist.

● Standard Standalone model:

Execute Section 2.1 [IT Security Setting preparation] from an administrator account belonging to the [CTM_MAINTENANCE] group.

● Standard Domain model:

Work on the domain server PC:

♦ Execute Section 2.23 User Group Generation before Installation.

♦ Add the domain user accounts belonging to [EXA_MAINTENANCE] to [CTM_MAINTENANCE].

Work on the PCs where Exaquantum is installed:

♦ Execute Section 2.23 User Group Generation before Installation from an administrator account belonging to the [CTM_MAINTENANCE] group.

● Legacy model:

Preparation for IT security setting is not required.

■ Exaquantum Client Installation

Exaquantum R2.70 client installation is not supported on CENTUM CS 3000. To install an Exaquantum client on CENTUM CS 3000, install the Exaquantum R2.60 client instead.


For the Exaquantum R2.60 client installation procedure, refer to the following file on the Exaquantum DVD:
<DVD>\Client\Support\ReadmeEn.txt

Execute the Web client installation in the same way as Section 4.5 Exaquantum/PIMS Server Installation or Section 4.7 Exaquantum Client Installation, from the account used for the IT Security Setting.

Appendix A.14.2 Settings after Installation in case of HIS type SSO

With HIS type SSO, for security reasons do not grant the OFFUSER account permission to access Exaquantum.

Consequently, Exaquantum applications cannot be started from the Start menu in the auto-logon environment. To start Exaquantum applications, the following preparation is necessary.

Refer to the CENTUM VP Instruction Manual for details.

Security setting of user accounts for User-In

Setting of the function key preset menu

■ Security Setting of User Accounts for User-In

For the user accounts defined when Exaquantum was installed, make the following settings. Refer to the CENTUM VP Instruction Manual.

(1) Register the above user accounts in the [CENTUM VP] group.

(2) Define the accounts so that they can User-In.

■ Setting of Function Key Preset Menu

If necessary, assign each APC tool to a function key from [Run] in the preset menu.

● How to assign Exaquantum tools

To obtain the path of a tool registered in the Start menu:

(1) Log on with an account registered in either QTM_MAINTENANCE or QTM_DATA_READ.

(2) Right-click the Exaquantum tool name in the Start menu and select Properties.

(3) The link target (path) of the tool is displayed.

The correspondence between the APC tools in the Start menu and their path names is as follows.


Table A-19 Exaquantum Client (Explorer)

Menu                      Path
Exaquantum Explorer       <Exaquantum Installation Path>\Explorer\QExplorer.exe
Item Selector             <Exaquantum Installation Path>\System\QItemSelector.exe
Query Wizard              <Exaquantum Installation Path>\QQueryWizard.exe
Graphic Editor            <Exaquantum Installation Path>\Graphics Editor\GraphicsEditor.exe
Cross Reference Tool      <Exaquantum Installation Path>\Developer Tools\ExaquantumXRef.exe
Server Manager            <Exaquantum Installation Path>\System\ServerManager.exe
System Event Viewer       <Exaquantum Installation Path>\Developer Tools\SysEventsViewer.exe
Administration Tool       <Exaquantum Installation Path>\Product Tools\Exaquantum.msc
Tag Configuration Viewer  <Exaquantum Installation Path>\Developer Tools\TagConfigViewer.exe
Admin Tool Server         <Exaquantum Installation Path>\Product Tools\AdminToolsServer.exe
TrendAnalyze              <Exaquantum Installation Path>\Explorer\QExplore.exe /R <Exaquantum Installation Path>\Explorer\TrendAnalyze\Explorer\WorkBook\TrendAnalyze.pxw

Table A-20 Exaquantum Web Client

Menu                      Path
Web Server Manager        <Exaquantum Installation Path>\System\WebServerManager.exe

Note 1) When the Windows system drive is not the C drive, change the drive letter accordingly.

● Assign a function key to the APC application call

From the function key assignment of the CENTUM builder, select the function, following the procedure in the CENTUM VP Instruction Manual.

● Preset Menu Settings

From the HIS setting window, select [Preset Settings], following the procedure in the CENTUM VP Instruction Manual.

Appendix A.15 Security setting of Windows Server domain controller
This section applies to the following configuration:

• Standard domain security model

• Windows 2003 or Windows 2008 Domain Controller

• One of the following operating systems

o Windows Server 2003 Standard SP2 (32Bit)

o Windows Server 2003 R2 Standard SP2 (32Bit)

o Windows Server 2008 Standard SP2 (32Bit)

o Windows Server 2008 R2 Standard SP1 (64Bit)

The procedure is as follows.


1. Log on to the domain controller as a member of the 'Domain Admins' group.

2. Insert the Exaquantum DVD into the domain controller PC.

3. Open the folder <DVD>\Tools\DCSecurityBatch.

4. Run the batch file DomainServerSecuritySetting.bat:

   • Windows 2008 (including R2): right-click the file and select Run as Administrator.

   • Windows 2003: double-click DomainServerSecuritySetting.bat.

5. Check that the following messages are displayed:

"The IT security setting of the domain server succeeded."

"!Please Reboot!"

6. Restart the domain controller.

The following settings are modified by the batch file.


• File folder access control : Windows Folder
• Registry access control : DCOM Registry Key
• Registry access control : Windows Registry Key
• OPC(DCOM) access control
• Local security
• Personal Firewall tuning : for DCOM communication
• Personal Firewall tuning : for Windows

The following domain groups are also added by the batch file:

• QTM_DATA_READ

• QTM_DATA_WRITE

• QTM_EXPLORER_DESIGN

• QTM_MAINTENANCE

• EXA_MAINTENANCE

• QTM_OPC

For IT Environment Settings, refer to Engineering guide Vol.2 Appendix A.13.5 "Changing
IT Environment Settings".
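As an added example (not from this manual and not part of DomainServerSecuritySetting.bat), the following PowerShell script checks the outcome of the procedure above after the reboot: that all six domain groups exist, with a member count for each so the split between read, write, design, maintenance and OPC access can be reviewed, and, for the Standard Domain model of Appendix A.14.1, that every member of EXA_MAINTENANCE is also in the CENTUM VP group CTM_MAINTENANCE. It uses ADSI and DirectorySearcher only, so it runs on a Windows Server 2003 or 2008 domain controller with PowerShell 2.0 installed and does not need the ActiveDirectory module; the CTM_MAINTENANCE check is skipped when CENTUM VP has not created that group on the domain.

```powershell
# Added example for Appendix A.15 and the A.14.1 domain-model step (not from the Yokogawa manual).
# Uses ADSI/DirectorySearcher so it runs on a Windows Server 2003 or 2008 DC with PowerShell 2.0;
# the ActiveDirectory module is not required. Run as a member of Domain Admins after the reboot.
$ExpectedGroups = @(
    'QTM_DATA_READ', 'QTM_DATA_WRITE', 'QTM_EXPLORER_DESIGN',
    'QTM_MAINTENANCE', 'EXA_MAINTENANCE', 'QTM_OPC'
)

function Get-DomainGroup {
    param([string]$Name)
    $domainDn = ([ADSI]'LDAP://RootDSE').Properties['defaultNamingContext'][0]
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$Name))"
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { return $null }
    return $hit.GetDirectoryEntry()
}

# Check 1: every group the batch file creates exists; report how many accounts each holds.
$groups = @{}
foreach ($name in $ExpectedGroups) {
    $g = Get-DomainGroup $name
    if ($g -eq $null) {
        Write-Warning "$name is missing: DomainServerSecuritySetting.bat did not complete; re-run it and reboot."
        continue
    }
    $groups[$name] = $g
    $members = @($g.Properties['member'])          # distinguished names of the members
    "{0,-20} {1,4} member(s)" -f $name, $members.Count
}

# Check 2 (Standard Domain model, Appendix A.14.1): accounts in EXA_MAINTENANCE must also be
# in the CENTUM VP group CTM_MAINTENANCE. Skipped when CENTUM VP has not created that group.
$ctm = Get-DomainGroup 'CTM_MAINTENANCE'
if ($ctm -ne $null -and $groups.ContainsKey('EXA_MAINTENANCE')) {
    $ctmMembers = @($ctm.Properties['member'])
    foreach ($dn in @($groups['EXA_MAINTENANCE'].Properties['member'])) {
        if ($ctmMembers -notcontains $dn) {
            Write-Warning "$dn is in EXA_MAINTENANCE but not in CTM_MAINTENANCE; add it."
        }
    }
}
```

A group that exists but holds no members is not an error at this stage; accounts are added during the Exaquantum installation steps. Re-run the script after those steps to confirm the final membership.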
