Release Notes
FactoryTalk® Linx Gateway permits 3rd-party OPC software to access data from FactoryTalk® Linx data server(s)
Version 6.31.00 (released 1/2023)
Catalog Number FactoryTalk Linx Gateway
Requirements
This release has the following requirements.
For the latest compatibility information, refer to the Product Compatibility and Download Center.
Hardware requirements
FactoryTalk Linx Gateway recommends the following hardware for applications with typical data acquisition needs:
- Intel® Core™ i5 Standard Power processor
- Total processor cores are recommended to be no less than 4 for virtual machines
- 4 GB of memory
Lower level x86-based CPUs will also work in standalone configurations with reduced data acquisition needs.
For small applications, the following configuration was also evaluated:
- Intel® Atom™ CPU E3845 @ 1.91 GHz (4 CPUs)
- 4 GB of memory
- 1500 data points
It is recommended to run a performance validation test on the planned computer hardware to ensure that the desired capacity and performance can be achieved.
 |
Tip: When FactoryTalk Linx Gateway is operating on Windows® 10 IOT
Enterprise (for example, the Windows core of a CompactLogix™ 5480 controller),
it is limited to a FactoryTalk Directory and FactoryTalk Linx data server running in
the same environment (a remote directory and data server are not supported).
|
Operating systems
FactoryTalk Linx Gateway was tested on the following operating systems:
- Windows 10* (v2004, v20H2, v21H1, and v21H2)
FactoryTalk Linx Gateway adopts .NET 4.8 which is only supported in Windows 10 v1803 and later.
- Windows 10 IoT Enterprise 2019 Long-Term Servicing Channel (LTSC)
- Windows 10 IoT Enterprise 2021 Long-Term Servicing Channel (LTSC)
- Windows 11
If you use FactoryTalk Linx Gateway on Windows 11, you must update Windows 11 with patch KB5008215.
- Windows Server® 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
*For additional information about Windows 10 Support for the FactoryTalk Suite of Rockwell Software® products, refer to Knowledgebase Document ID: IN4493 - Windows 10 Support for the FactoryTalk Suite of Rockwell Software products.
Software compatibility
FactoryTalk Linx Gateway version 6.31.00 is compatible with these Rockwell Software products:
- FactoryTalk Activation Manager version 5.00.11
- FactoryTalk Services Platform version 6.31.00
- FactoryTalk View version 13.00.00
- FactoryTalk Linx version 6.31.00
High Resolution Display Support
Windows 10 v1803 or later is the recommended operating system if running this software with a 2K or 4K High Resolution Display with scaling up to 125%.
Rockwell Automation Test Environment
Rockwell Automation tests software products under a standard configuration of operating systems and antivirus software. For additional information, see the Knowledgebase Document ID: PN24 - Rockwell Software Products and Antivirus Software.
Supported browsers
The following web browsers have been tested and are supported for use with this release:
- Google® Chrome™ browser
- Microsoft® Edge™
- Mozilla® Firefox®
Security requirements
To help meet secure system design requirements, review these publications:
- Configure System Security Features User Manual (publication SECURE-UM001)
- System Security Design Guidelines Reference Manual (publication SECURE-RM001)
- Converged Plantwide Ethernet (CPwE) Design and Implementation Guide (publication ENET-TD001)
To learn about implementing CIP Security, see CIP Security with Rockwell Automation Products Application Technique (publication SECURE-AT001).
Features
This release includes the following system features.
FactoryTalk Linx Gateway version 6.31.00 has the following new features:
- FactoryTalk Linx Gateway version 6.31.00 adds a Reversed Connection option to enable a server to initiate the connection to an OPC UA client.
- FactoryTalk Linx Gateway version 6.31.00 adds support for DDE and Excel RTD protocols.
- FactoryTalk Linx Gateway version 6.31.00 adds Remote Proxy service that permits FactoryTalk Linx or RSLinx Classic on one computer to bridge through a central FactoryTalk Linx Gateway Professional workstation to communicate with automation system devices on a different network.
- FactoryTalk Linx Gateway version 6.31.00 adds a Software Development Kit (SDK) that provides a collection of software development tools that permit custom-built software to communicate with automation equipment using an Application Program Interface (API) in FactoryTalk Linx.
- FactoryTalk Linx Gateway version 6.31.00 adds support for a custom OPC UA namespace to create tag definitions for the OPC UA interfaces and bind or map them to system data points to provide consistent names for different components or to organize the data to comply with an industry standard.
- FactoryTalk Linx Gateway version 6.31.00 adds support for a custom RTD/DDE namespace to create tag definitions for the DDE and Excel RTD interfaces and bind or map them to system data points to provide consistent names for different components or to limit the data an external DDE/RTD client can access.
 |
Note: FactoryTalk Linx and the FactoryTalk Linx OPC UA connector include new
capabilities that can be utilized by external clients connected to FactoryTalk Linx
Gateway. Review each product’s Release Notes and documentation to determine
the full set of capabilities.
|
Known Anomalies in This Release
This release has the following known anomalies.
- Some data types from the PLC or SLC controller return incorrect data types when added to a FactoryTalk
Linx Gateway custom namespace, for example, a BOOL tag is returned as an INT16. This will cause the
data type mismatch error in the custom namespace. First identified in FactoryTalk Linx Gateway version
6.31.00. [Jira 1442309]
To resolve this problem, use the UA or RTD/DDE custom namespace configuration editor to manually change the data type to BOOL.
- The RTD formula sample in the FactoryTalk Linx Gateway Help is not correct. First identified in
FactoryTalk Linx Gateway version 6.31.00. [Jira 2117443]
Corrected in FactoryTalk Linx Gateway version 6.40.00.
- If FactoryTalk Linx Gateway and Remote Gateway were installed on the same computer, after
uninstalling Remote Gateway, the local OPC DA Clients can connect to FactoryTalk Linx Gateway, but
remote OPC DA Clients cannot connect to FactoryTalk Linx Gateway. First identified in FactoryTalk
Linx Gateway version 6.00.00. [Jira 1747981]
To solve this problem, repair Remote Gateway or FactoryTalk Linx Gateway.
- Bits delivered from the FactoryTalk Linx Gateway’s OPC UA interface are defined with an INT16
datatype. However, when the value is delivered, it is assigned a BOOL type. Some OPC UA clients are
unable to handle this difference (FactoryTalk Linx OPC UA Connector included) and will not be able to
access the value. First identified in FactoryTalk Linx Gateway version 6.30.00. [Jira 1442309]
There is no workaround for this anomaly.
- When opening FactoryTalk Linx Gateway the first time and adding tags to a "Custom Namespace" for the
OPC UA service, an OPC UA client may not see the tags in the namespace. First identified in
FactoryTalk Linx Gateway version 6.31.00. [Jira 1922445]
Corrected in FactoryTalk Linx Gateway version 6.50.00.
Known Anomalies from Previous Releases
These anomalies are from previous releases but are still known in this release.
- FactoryTalk Linx Gateway retains connection after OPC UA clients disconnect
impacting efficiency and blocking new client connections. First identified in
FactoryTalk Linx Gateway version 6.30.00. [Jira 3376052]
Corrected in FactoryTalk Linx Gateway version 6.50.00. Install patch 1150515 to resolve the problem in versions 6.31.00 and 6.40.00.
-
OPC UA clients cannot get data changes via FactoryTalk Linx Gateway when the OPC UA server or HMI server is configured with the local FactoryTalk Directory and the OPC UA Server is configured with Folders with scalar data or Tag list and structures/array access. First identified in FactoryTalk Linx Gateway version 6.30.00. [Jira 3677403]
To resolve this problem, do the following:
Perform the following modifications to DCOM
- Press Windows + R.
- In the Run dialog, enter DCOMCNFG.
- In the Console Root pane of the Component Services Window, go to Component Services > Computers > My Computer > DCOM Config > FTLinxGatewayUA.
- Right-click FTLinxGatewayUA, and then select Properties.
- In the FTLinxGatewayUA Properties dialog, select the Security tab.
- In the Access Permissions box, select Customize, and then select Edit.
- In the Access Permission dialog,
- Select Add to open the Select Users or Groups dialog, add ANONYMOUS LOGON and Everyone, and then select OK.
- Allow Remote Access for ANONYMOUS LOGON and Everyone, and then select OK.
- Select Apply to save the changes.
- Restart the PC after the changes are made.
-
Migrate to using a Network Station application, which will eliminate the need to configure DCOM as listed above.
- Unable to create the Certificate Signing Request (CSR) if its output path or file name contains wide characters (for example, Chinese characters). First identified in FactoryTalk Linx Gateway version 6.30.00. [Jira 1498486] To solve this problem, avoid having wide characters in the file name or path.
- The tag list folder doesn’t work for OPC DA data servers. You will fail to monitor the array tags if
you:
- Add an array folder from an OPC DA data server to a tag group and directly open an OPC UA client.
- Open an OPC UA client and add sub-elements on the monitor tab and restart FactoryTalk Linx Gateway. First identified in FactoryTalk Linx Gateway version 6.30.00. [Jira 1443874]
- When the Enable configuration of OPC UA namespace index checkbox is selected, all tags that originate from OPC DA servers are grouped together under a common namespace index (10). If a tag ID starts with “[xxx]” in OPC DA Server (for example, tags that originate from RSLinx Classic), it will have an individual OPC UA namespace index not common index as 10. First identified in FactoryTalk Linx Gateway version 6.30.00. [Jira 1388128] There is no workaround for this anomaly.
- Tag Browser is not synchronized when the data type in the controller is changed. If the data type of tag in the project is updated and different from before, the data type is not updated successfully. First identified in FactoryTalk Linx Gateway version 6.21.00. [Jira 994870] To solve this issue, select the refresh button in Tag Browser.
- When a client asks to verify the tag, the FactoryTalk Linx Gateway will check if the format is correct and the shortcut exists but does not verify if the tag actually exists. When the client subscribes or reads the tag, it will then verify if the tag actually exists or not. So, a verify may succeed but a subsequent request will fail. First identified in FactoryTalk Linx Gateway version 6.20.00. [Jira 445987] There is no workaround for this anomaly.
- Data requests from UA clients include parameter values for PublishingInterval and SamplingRate to specify the desired data delivery speeds. FactoryTalk Linx Gateway will return the RevisedPublishInterval and RevisedSamplingRate used to request data from FactoryTalk Live Data servers (for example, FactoryTalk Linx, OPC UA and OPC DA servers). The actual delivery rates may be different from the reported setting because of communications limitations from the data source. First identified in FactoryTalk Linx Gateway version 6.21.00. [Jira 1051130] There is no workaround for this anomaly.
- If you maximize or resize the FactoryTalk Linx Gateway Configuration window on
an 8K monitor, the window may stop responding and disappear. First identified in FactoryTalk Linx Gateway Configuration version 6.30.00. [Jira 1388099]
Corrected in FactoryTalk Linx Gateway version 6.50.00.
Functional Changes
This release has the following functional changes from the previous release.
FactoryTalk Linx Gateway version 6.31.00 has no changes in functionality since the last release.
Application Notes
This release has the following application notes.
The following are the application notes for FactoryTalk Linx Gateway version 6.31.00.
Tag’s data type limitation in Custom Namespace
If you do not use the Tag Browser to add or edit a tag in the Custom UA Namespace or Custom RTD/DDE Namespace editor, you must ensure that the tag’s data type is the same as the data source, such as the Logix controller, or OPC UA server connected via the FactoryTalk Linx OPC UA Connector.
If you change a tag’s data type in a controller, you must ensure that the tag's data type in the Custom UA Namespace or Custom RTD/DDE Namespace editor is the same as that in the controller. Otherwise, an error message “BadTypeMisMatch” appears in the UA clients.
Remote Proxy service
The Remote Proxy service does not support FactoryTalk View ME Transfer Utility.
The Remote Proxy service supports Ethernet and Backplane drivers from the FactoryTalk Linx Network Browser.
CIS Benchmarks test results
Rockwell Automation conducts tests using domain-joined computers configured according to CIS Benchmarks to help assure that software products perform as expected on computers that are hardened to industry best practices.
For more information about the guidelines and which products were tested against which CIS Benchmarks, see the Knowledgebase Document ID: QA63609 - Recommended guidelines for hardening software, computer, device, and network systems and infrastructure (CIS Benchmarks).
 |
Note: If a product compliance with the benchmark is less than 100%, a link to a
detailed spreadsheet is available. Download the spreadsheet to assist you in
determining whether additional compensating controls are necessary.
|
FactoryTalk Linx Gateway version 6.31.00 has been tested on CIS Microsoft Windows 10 Enterprise (Release 21H1) Benchmark v1.12.0, CIS Microsoft Windows 10 Enterprise (Release 21H2) Benchmark v1.12.0, CIS Microsoft Windows Server 2019 Domain Server Benchmark v1.3.0, and CIS Microsoft Windows Server 2019 Domain Controller Benchmark v1.3.0.
Exceptions settings for FactoryTalk Linx Gateway version 6.31.00 are listed.
CIS Microsoft Windows 10 Enterprise (Release 21H1) Benchmark v1.12.0 and CIS Microsoft Windows 10 Enterprise (Release 21H2) Benchmark v1.12.0
- 2.2.16 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account' - Add local account. The client can't connect to the server. Remove the local account, then it can connect to the server.
- 9.3.5 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' - When 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to ‘No’, it can't connect to the server. And when 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'Not configured', it can connect to the server.
- 18.2.1 (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed - Use local system to test. Can’t set this option, no impact for products.
CIS Microsoft Windows Server 2019 Domain Server Benchmark v1.3.0
- 1.1.6 (L1) Ensure 'Relax minimum password length limits' is set to 'Enabled' - This setting is only available within the built-in OS security template of Windows 10 Release 2004 and Server 2022 (or newer), and is not available via older versions of the OS, or via downloadable Administrative Templates (ADMX/ADML). Therefore, you must use a Windows 10 Release 2004 or Server 2022 system (or newer) to view or edit this setting with the Group Policy Management Console (GPMC) or Group Policy Management Editor (GPME).
- 1.2.2 (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' - This policy can't be set. This setting is set by the domain (Value is 10). The domain (member server) can't set it. But it will not affect the product.
- 18.3.5 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' - This Group Policy path does not exist by default. An additional Group Policy template SecGuide.admx/adml is required - it is available from Microsoft at this link.
- 18.5.4.1 (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher - This Group Policy path may not exist by default. It is provided by the Group Policy template DnsClient.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
- 18.8.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Enabled' - This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 and Server 2012 R2 Administrative Templates (or newer).
- 18.9.14.1 (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' - This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
- 18.9.17.3 (L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled' - This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
- 18.9.17.5 (L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled' - This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
- 18.9.17.6 (L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled' - This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
- 18.9.17.7 (L1) Ensure 'Limit Dump Collection' is set to 'Enabled' - This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
- 18.9.47.9.4 (L1) Ensure 'Turn on script scanning' is set to 'Enabled' - This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
- 18.9.100.1 (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled' - This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
CIS Microsoft Windows Server 2019 Domain Controller Benchmark v1.3.0
- 1.2.2 (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' - This policy can't be set. This setting is set by the domain (Value is 10). The domain (member server) can't set it. But it will not affect the product.
- 5.1 (L1) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only) - This policy does not exist in this OS (Group Policy). So it can't be set to 'Disabled'.
- 18.3.5 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' - This Group Policy path does not exist by default. An additional Group Policy template SecGuide.admx/adml is required - it is available from Microsoft at this link.
- 18.5.4.1 (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher - This Group Policy path may not exist by default. It is provided by the Group Policy template DnsClient.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
- 18.8.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Enabled' - This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 and Server 2012 R2 Administrative Templates (or newer).
- 18.8.40.1 (L1) Ensure 'Configure validation of ROCA-vulnerable WHfB keys during authentication' is set to 'Enabled: Audit' or higher (DC only) - This Group Policy path may not exist by default. It is provided by the Group Policy template Sam.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
- 18.9.14.1 (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' - This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
- 18.9.17.3 (L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled' - This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
- 18.9.17.5 (L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled' - This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
- 18.9.17.6 (L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled' - This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
- 18.9.17.7 (L1) Ensure 'Limit Dump Collection' is set to 'Enabled' - This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
- 18.9.47.9.4 (L1) Ensure 'Turn on script scanning' is set to 'Enabled' - This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
- 18.9.100.1 (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled' - This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
- 18.9.108.4.1 (L1) Ensure 'Manage preview builds' is set to 'Disabled' - This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
Array Data Request
When an OPC UA Client makes a subsequent request to an array beyond the last element previously requested, FactoryTalk Linx Gateway’s OPC UA service will initially return a "BadIndexRangeNoData" error. If the array is defined to accommodate the requested elements, the initial error response is replaced with the appropriate array data.
Certificate
When a user regenerates a certificate in FactoryTalk Linx Gateway version 6.21.00 or later, and then uninstall it with "Keep configuration when uninstall" selected, FactoryTalk Linx Gateway installed on the same computer later may not work. To avoid this problem, delete all the files in folder <C:\ProgramData\Rockwell\FactoryTalk Linx Gateway\PKI\own>, restart FactoryTalk Linx Gateway, and then regenerate an outgoing certificate.
The following certificates are installed while installing Rockwell Automation software.
- Use Microsoft Management Console (MMC) to view the certificates in Console Root > Certificates
(Local Computer) > Trusted Root Certification Authorities > Certificates.
- 2016-Rockwell-Driver-SHA1.cer
- 2016-Rockwell-SHA256.cer
- DriverCodeSigning2012-1.cer
- Drivers-10-10-2018.cer
- Drivers-11-03-2017.cer
- Drivers-12-06-2016.cer
- DriversSHA1-10-10-2018.cer
- Drivers-SHA1-11-27-2017.cer
- Logix-11-04-2016.cer
- Rockwell_2013.cer
- Rockwell_2014.cer
- Rockwell_2015.cer
- rockwellcert2010.cer
- rockwellcert2013.cer
- VeriSign Class 3 Public Primary Certification Authority -G5 2036.cer
- Use Microsoft Management Console (MMC) to view the certificates in Console Root > Certificates
(Local Computer) > Trusted Publishers > Certificates.
- MicRooCerAut2011_2011_03_22.cer
- RA - Enterprise Root Certification Authority.cer
- VeriSign Universal Root Certification Authority.cer
FactoryTalk Linx Gateway unsupported data types
FactoryTalk Linx Gateway natively supports most but not all data types defined in a Logix controller. FactoryTalk Linx Gateway does not support accessing these types through DA, UA, DDE or RTD services:
- Logix 5000® Extended Tag Attributes (Meta Data)
- Direct access to configured alarm members
- Logix L8 Time types (TIME, LTIME, TIME32, LDT, DT)
Tested FactoryTalk Linx Gateway OPC DA service update rates
CPU and memory requirements for the FactoryTalk Linx Gateway OPC DA server increase as tags are set to active (up to the activation tag capacity) or as more clients connect to the server (up to the 20 connected client capacity). Rockwell Automation tests with the following update rates for a number of active tags.
|
Processor
|
Number
of tags
|
Scan rate of all tags
|
Total CPU
utilization
|
|
Single
|
70,000
|
Controller data values changing at 250 msec
|
75%
|
|
Dual-core
|
70,000
|
Controller data values changing at 250 msec
|
50%
|
|
Dual-core
|
70,000
|
Controller data values changing at 1000 msec
|
20%
|
 |
Note: Many of the FactoryTalk services use change of state processing. The high
data value change rate used in this test was selected to place a high processing load
on the system to evaluate the computer’s CPU impact. Because each system has
different operational requirements, testing should be performed to determine how a
proposed system will operate.
|
These values are tested on a computer with a dual-core Intel® Core™ i3-2120 processor, 3.3 GHz, with 4G of RAM. The single core test is run using only one of the cores to provide a basis for comparison. FactoryTalk Linx Gateway and FactoryTalk Linx are installed and configured on the same computer for the test.
The largest impact on CPU utilization is the rate that the data is changing even if the data server (in this case, FactoryTalk Linx) is local or remote to the FactoryTalk Linx Gateway.
The total amount of memory used for the runtime tests was approximately 700 MB. Additional memory would be used if browsing occurred.
Tested FactoryTalk Linx Gateway OPC UA update rates
Rockwell Automation tests with the following update rates for a number of active tags. This data is captured in FactoryTalk Linx Gateway version 6.31.00 with security disabled.
CPU and memory requirements for the FactoryTalk Linx Gateway OPC UA server increase as tags are set to active (up to the activation tag capacity) or as more clients connect to the server.
- Example test for OPC UA using folders with scalar data:
|
Number of Active Tags
|
Requested Rate (s)
|
Achieved Update Rate (s)
|
|
50,000
|
0.5
|
0.561
|
|
100,000
|
0.5
|
0.759
|
|
150,000 | 0.5 |
1.023
|
|
200,000
|
0.5
|
1.287
|
|
250,000
|
0.5
|
1.635
|
|
300,000
|
0.5
|
1.996
|
|
350,000
|
0.5
|
2.403
|
|
400,000
|
0.5
|
2.777
|
|
450,000
|
0.5
|
3.192
|
|
500,000
|
0.5
|
3.327
|
 |
Note: This data was based on tests with the Folder with scalar data enabled in the
UA server. This data is provided as an example to show how tag quantity will
impact the speed that data can be delivered. The test did not verify all value changes
that were delivered. Because each system has different operational requirements,
testing should be performed to determine how a proposed system will operate.
|
- Example test for OPC UA using tag list:
|
Number of Active Tags
|
Requested Rate (s)
|
Achieved Update Rate (s)
|
|
10,000
|
0.5
|
0.5
|
|
50,000
|
0.5
|
0.5
|
|
100,000
|
0.5
|
0.5
|
|
150,000
|
0.5
|
1
|
|
200,000
|
0.5
|
2
|
|
250,000
|
0.5
|
2
|
|
300,000
|
0.5
|
2
|
|
350,000
|
0.5
|
2
|
|
400,000
|
0.5
|
2.5
|
|
450,000
|
0.5
|
3
|
|
500,000
|
0.5
|
4
|
 |
Note: This data was based on tests with the UA tag list enabled. This data is
provided as an example to show how tag quantity will impact the speed that data
can be delivered. The test did not verify all value changes that were delivered.
Because each system has different operational requirements, testing should be
performed to determine how a proposed system will operate.
|
- Example test for OPC UA using custom namespace:
|
Number of Active Tags
|
Requested Rate (s)
|
Achieved Update Rate (s)
|
|
10,000
|
0.5
|
0.5
|
|
50,000
|
0.5
|
0.57
|
|
100,000
|
0.5
|
1.003
|
|
150,000
|
0.5
|
1.335
|
|
200,000
|
0.5
|
1.977
|
|
250,000
|
0.5
|
2.257
|
|
300,000
|
0.5
|
2.557
|
|
350,000
|
0.5
|
2.885
|
|
400,000
|
0.5
|
2.351
|
|
450,000
|
0.5
|
3.433
|
|
500,000
|
0.5
|
4.006
|
 |
Note: This data was based on tests with the Custom namespace enabled. This data is
provided as an example to show how tag quantity will impact the speed that data
can be delivered. The test did not verify all value changes that were delivered.
Because each system has different operational requirements, testing should be
performed to determine how a proposed system will operate.
|
These values are tested on a computer with Win 10 enterprise 64 bit, 8G RAM, Intel® Xeon® CPU, E5-2699A v4 @ 2.40 GHz 2.39 GHz 4v CPU.
Requestor’s subscription rate recommendation
In a FactoryTalk system, data moves from a source like a controller connected to FactoryTalk Linx to a software client when a data item’s value has changed. Once, changes are detected, the data values are transferred between multiple components or services. The services use the subscription rate from the requestor to initiate a processing thread to transfer the data to its next destination in the system. Small processing delays by components, network delivery time, a high number of values changing at once, or a heavily loaded system can cause data to be processed and delivered slower than the requested rate. If the source data value changes faster than twice the subscription rate, a newer data value could likely overwrite a previous data value as it travels between the services.
In some cases, sampling at a rate faster than half of the speed of the value changes can help to ensure that data value changes are detected by the requester. Also balancing the data subscriptions across multiple computers and services can reduce processing and delivery delays.
FactoryTalk Linx Gateway Security Certificate
When an OPC UA client connects to FactoryTalk Linx Gateway, FactoryTalk Linx Gateway provides a self-signed security certificate to the client as identification. Depending on the OPC UA client used in the system, you may need to manually approve the FactoryTalk Linx Gateway security certificate in the client to complete the connection.
Read service
When an OPC UA client subscription is in the process of being updated and a read request for the same item interrupts the delivery, the subscription request could deliver an older value after the results of the read request are delivered. Subsequent subscription responses will deliver updated values.
Security considerations
- For information on the security considerations when using Rockwell Automation products, including
- File extensions created by Rockwell Automation software, firewall rules, and service dependencies, see Rockwell Automation Knowledgebase Document ID: PN826 - Security considerations when using Rockwell Automation Software Products.
- TCP/UDP ports used by Rockwell Automation products, see Rockwell Automation Knowledgebase Document ID: BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
Service log on option
- In FactoryTalk Linx Gateway, if the FactoryTalk Directory Scope path is set to an application containing
an OPC DA server, the OPC UA clients connecting to FactoryTalk Linx Gateway can browse the tags
defined in the OPC DA server but cannot communicate to tags (read or write).
To solve this problem, in Windows Services Manager, select FactoryTalk Linx Gateway OPC UA Server > Properties > Log on, change the log on option from Local Service to Local System account. Then restart the FactoryTalk Linx Gateway OPC UA Server service.
Unattended or silent install
Use command-line parameters to perform an unattended or silent installation of the software.
Installation Command-line parameters
The following table identifies the installation command-line parameters. Command-line parameters are case-insensitive. However, if a specified value includes a space, be sure to enclose the value in quotation marks (for example, "value with spaces").
|
Parameter
|
Description
|
|
/?
|
Displays the usage options for installation parameters.
|
|
/Q
|
Silent Install, install runs in a quiet mode without any user interface.
This parameter is recommended when deploying the software installation using an IT
tool or script, and don’t expect any error or restart messages. When using this
parameter, check the error codes, and respond as needed. For example, if the
installation returns error code 1641, then the IT tool or script should restart the
computer and relaunch the installation after restart.
This parameter is required if /QS is not specified.
|
|
/QS
|
Unattended Install, install runs in a quiet simple mode and shows progress through
the UI, it does not accept any input but still shows errors or restart messages.
When using this parameter, the installation will stop and display a prompt if there are
errors or restart messages. For example, if an immediate restart is required to
complete the install, a restart message will be displayed to confirm the restart.
Installation resumes automatically from the point of interruption after restart.
This parameter is required if /Q is not specified.
|
|
/IAcceptAllLicenseTerms
|
Acknowledges acceptance of the license terms.
This parameter is required for /Q or /QS parameters.
|
|
/AutoRestart
|
Automatically restarts the computer after the installation is complete. Used when a
restart is required to complete the installation.
This parameter is optional. If this parameter is not used silent install (/Q) will return
either error code 1641 or 3010 if a restart is required, and unattended install (/QS)
will result in a confirmation prompt that must be agreed to before the installation is
completed.
|
|
/Record
|
Records the installation options chosen to a recording file.
This parameter is optional.
|
|
/Playback
|
Plays back a recording file to specify the installation options.
This parameter is optional.
|
|
/SetupLanguage="value"
|
Specifies which language will be displayed during the install process.
The value must be one of the following:
This parameter is optional. If this parameter is not used, the default language is the
current user or operating system user interface language.
|
|
/IgnoreWarning
|
Specifies that the setup ignores warnings and continues.
This parameter is optional. If it is not specified, the setup exits when a warning
occurs.
|
|
/ftsp-s
|
Specifies the FactoryTalk directory scope for restore. Only "Global" and "Local"
scopes are supported.
This parameter is optional.
|
|
/ftsp-bak
|
Specifies the location where the restore file can be found.
This parameter is optional.
|
|
/ftsp-pp
|
Specifies the plain text used to decrypt the backup file.
This parameter is optional.
|
|
/ftsp-value=enable/disable
|
Specifies to enable or disable the option Require computer accounts for all client
machines in Security Policy. The option is used to determine whether or not a client
computer account must exist in the directory to log in.
This parameter is optional.
|
|
/FTSPWebAuth="value"
|
Specifies that the installation includes the FactoryTalk Web Authentication Server.
This parameter is optional.
The value must be one of the following:
If the value is Yes, the FactoryTalk Web Authentication Server will be installed. The
FactoryTalk Reverse Proxy will also be installed as it is required for operation of the
FactoryTalk Web Authentication Server.
If the value is No, the FactoryTalk Web Authentication Server will not be installed.
|
|
/ReverseProxy="value"
|
Specifies that the installation includes the FactoryTalk Reverse Proxy.
This parameter is optional.
The value must be one of the following:
If the value is Yes, the FactoryTalk Reverse Proxy will be installed.
If the value is No, the FactoryTalk Reverse Proxy will not be installed.
|
|
/FTSPWebEventServer="value"
|
Specifies that the installation includes the FactoryTalk Web Event Server.
This parameter is optional.
The value must be one of the following:
If the value is Yes, the FactoryTalk Web Event Server will be installed.
If the value is No, the FactoryTalk Web Event Server will not be installed.
|
|
/DirectoryServer
|
Specifies the directory server name.
This parameter is optional. If it is not specified, the setup turns on HTTPS for
communication, and a TLS certificate must be configured after installation.
|
|
/NoHTTPS
|
Specifies that the setup turns off HTTPS.
This parameter is optional. If it is not specified, the setup turns on HTTPS for
communication, and a TLS certificate must be configured after installation.
|
|
/Repair
|
Runs a repair operation on the installed products.
This parameter is optional.
|
|
/InstallDrive="value"
|
Specifies the install drive.
This parameter is optional. If this parameter is not used, the default install location is
"C:\Program Files (x86)\Rockwell Software".
Some software restricts the installer to only change the drive the software is installed
on. Use /? to determine which parameter is supported.
|
|
/Uninstall
|
Use to uninstall the product. This parameter is optional.
|
Examples
The following examples show how to use the installation commands.
- To install the software with no user interface using the default settings during the installation process.
(Silent install)
Setup.exe /Q /IAcceptAllLicenseTerms - To install the software with Chinese displayed during the install process and restart the computer if necessary.
(Unattended install)
Setup.exe /QS /IAcceptAllLicenseTerms /AutoRestart /SetupLanguage=CHS - To install the software with FactoryTalk security policy value specified.
Setup.exe /Q /IAcceptAllLicenseTerms /ftsp-value=enable - To perform a restore during the install process.
Setup.exe /Q /IAcceptAllLicenseTerms /ftsp-bak="C:\aa.bak" - To specify the FactoryTalk Directory machine.
Setup.exe /Q /IAcceptAllLicenseTerms /DirectorySever=severname
Error codes
The following table identifies the error codes that can be returned by an installation.
|
Error Code
|
Value
|
Description
|
|
ERROR_SUCCESS
|
0
|
The installation completed successfully.
|
|
ERROR_INVALID_PARAMETER
|
87
|
One of the parameters was invalid.
|
|
ERROR_INSTALL_USEREXIT
|
1602
|
The installation was canceled by the user.
|
|
ERROR_INSTALL_FAILURE
|
1603
|
A fatal error occurred during installation.
|
|
ERROR_BAD_CONFIGURATION
|
1610
|
The configuration data for this product is corrupt. Contact your
support personnel.
|
|
ERROR_REBOOT_CONTINUE
|
1641
|
A restart is required to continue the installation.
|
|
ERROR_SUCCESS_REBOOT_REQUIRED
|
3010
|
A restart is required to complete the installation. After restarting, the
product is successfully installed.
|
|
ERROR_REBOOT_PENDING
|
3012
|
Restart is pending. Restart the computer to continue the installation.
|
|
ERROR_SUCCESS_NOT_APPLICABLE
|
3013
|
The installation cannot proceed because the products are already
installed.
|
|
ERROR_SUCCESS_WARNING_REBOOT
|
3014
|
The installation succeeded with warnings. Check the installation log
file for details. To complete the installation, restart the computer.
|
VeriSign Universal Root Certification Authority certificate
If the VeriSign Universal Root Certification Authority certificate does not exist on the local computer, the certificate is installed while installing Rockwell Automation software. Use Microsoft Management Console (MMC) to view the certificate in Console Root > Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.
Mitigation for Microsoft DCOM Hardening patch
In response to Microsoft Distributed Component Object Model (DCOM) Hardening patch (MS KB5004442), the minimum DCOM authentication level used by Rockwell Automation products was raised to Packet Integrity.
|
IMPORTANT
|
Installing this product’s latest version with earlier unpatched versions of
other FactoryTalk products or products using Classic OPC DA
connections may cause a loss of connectivity due to the difference in
DCOM authentication level used. For additional information, see the
Knowledgebase Document ID: IN39461 - Microsoft DCOM Hardening
Information TOC.
|
Microsoft releases the DCOM Hardening patch in response to CVE-2021-26414. This patch elevates the minimum DCOM authentication level that is required to establish a DCOM connection. DCOM is used by many Rockwell Automation products and may be affected by the change that is made by the Microsoft patch. For additional information about the affected Rockwell Automation products, see the Knowledgebase Document ID: PN1581 - Product Notification 2022-01-001 - Rockwell Automation products unable to establish proper DCOM connection after installing Microsoft DCOM Hardening patch (MS KB5004442).
"Meltdown" and "Spectre" Vulnerabilities
On January 3, 2018, a set of new hardware kernel-level vulnerabilities, named "Meltdown" and "Spectre", were announced by researchers. Both Spectre and Meltdown are vulnerabilities that affect modern microprocessors allowing malicious processes to access the contents of restricted memory and therefore affect multiple generations of Central Processing Units (CPUs).
For an up-to-date briefing on how Meltdown and Spectre affect Rockwell Automation products, see Rockwell Automation Knowledgebase Document ID: PN1011 - Rockwell Automation Briefing on "Meltdown" and "Spectre" vulnerabilities.
Copyright © 2025 Rockwell Automation, Inc. All rights reserved.
Rockwell Automation, Allen-Bradley, and FactoryTalk are trademarks of Rockwell Automation, Inc.
To view a complete list of Rockwell Automation trademarks please click here.
Trademarks not belonging to Rockwell Automation are property of their respective companies.