Securing the edge on OPC DCOM

In this setup, the edge is not connected directly to the data source; it connects to the data source's OPC Classic server through an OPC Classic client, as shown in the following diagram:

Edge on OPC DCOM

The only way to secure this scenario is to place the edge device in a DMZ between two firewalls: the first controls the interface toward the outside and the second controls the interface toward the OPC Classic server. This is shown in the following diagram:

Secure edge on OPC DCOM

In this scenario, DCOM traffic flows between the edge device and the OPC Classic host. DCOM traffic is hard to manage with a firewall because a DCOM connection starts on the RPC endpoint mapper (TCP 135) and then moves to a TCP port that the server allocates dynamically. Since the OPC server might use any port number between 1024 and 65535, any firewall placed between OPC Classic and the edge must allow traffic through all of those ports, which makes the firewall useless. Therefore, to keep the DCOM traffic under effective control, we have the following two options:

  • Follow Microsoft's suggestion of limiting the range of dynamically allocated port numbers by modifying the Windows registry of the host where the OPC Classic server runs. Unfortunately, this makes configuration more complex for the system administrator, because each OPC host needs its registry adjusted individually. Furthermore, subsequent testing has indicated that some OPC Classic server products do not work properly with this technique.
  • Use the port number and protocol limitation provided by some OPC Classic implementations. Unfortunately, not all vendors of OPC products offer this option.
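As an added example (not from the book), the following PowerShell script applies the first option: Microsoft's documented registry settings under HKLM\SOFTWARE\Microsoft\Rpc\Internet, on the Windows host that runs the OPC Classic server. The port range 5000-5020 is an assumed example value chosen here for illustration; the script must run elevated, and the host must be rebooted before the new range takes effect.

```powershell
#Requires -RunAsAdministrator
# Added example, not the book's code: restrict the RPC/DCOM dynamic port range on the
# Windows host running the OPC Classic server, using Microsoft's documented registry
# method (HKLM\SOFTWARE\Microsoft\Rpc\Internet). The 5000-5020 range is an assumed
# example value; choose a range that no other service on the host already uses.
param(
    [int]$FirstPort = 5000,
    [int]$LastPort  = 5020
)

$key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

if ($FirstPort -lt 1024 -or $LastPort -gt 65535 -or $LastPort -lt $FirstPort) {
    throw "Port range must lie within 1024-65535 and be ordered: $FirstPort-$LastPort"
}
# Each DCOM session consumes a port from this range; once the range is exhausted,
# new OPC client connections fail, so do not make it too small.
if (($LastPort - $FirstPort + 1) -lt 20) {
    Write-Warning 'Fewer than 20 ports in the range; DCOM sessions will fail once it is exhausted.'
}

if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Ports is REG_MULTI_SZ; each entry is a single port or a range such as "5000-5020".
New-ItemProperty -Path $key -Name 'Ports' -PropertyType MultiString `
    -Value @("$FirstPort-$LastPort") -Force | Out-Null
# "Y" means the listed ports are the ones made available (not the ones excluded).
New-ItemProperty -Path $key -Name 'PortsInternetAvailable' -PropertyType String `
    -Value 'Y' -Force | Out-Null
# "Y" tells the RPC runtime to honour the Internet key when allocating dynamic endpoints.
New-ItemProperty -Path $key -Name 'UseInternetPorts' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# Read the settings back and print what the DMZ firewall between the edge and the
# OPC host must permit once the host has been rebooted.
$cfg = Get-ItemProperty -Path $key
"RPC endpoint mapper : TCP 135 (always required; the client queries it first)"
"Dynamic DCOM range  : TCP $($cfg.Ports -join ', ') (UseInternetPorts=$($cfg.UseInternetPorts))"
"Reboot the host for the new range to take effect."
```

Two caveats a practitioner should keep in mind: TCP 135 must stay open alongside the restricted range, because every DCOM connection begins with an endpoint mapper query; and OPC DA data-change callbacks are DCOM calls made from the server back to the client, so the edge host needs the same registry restriction and the firewall needs matching rules in the reverse direction.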

To isolate the edge device from OPC Classic effectively, a DPI firewall for OPC Classic must be used. Because a DPI firewall inspects packets at the application level, it can understand the meaning of the OPC Classic packets passing through it: it can read the dynamic port negotiated through the endpoint mapper and open only that port, only for that connection. The difficulties in managing this scenario are basically the same as those mentioned in the previous section, Securing the edge on fieldbus. We should also consider the constraints and limitations related to DCOM communication. In general, the edge on OPC DCOM is not an easy setup to deal with, so it is advisable to introduce an OPC Proxy.
