• ModelerATF – contains information on the models that are needed to locate the model when communicating with the Microsoft SQL Server service.
Those shares are used by the Modeler application to get the appropriate information on how to locate Microsfot SQL Server, databases, and models.
The contents of the database (models) is not exposed in those folders.
Shares use the standard Microsoft SMB network shares that operate on port 445. By default, those folders are publicly shared, but the visibility can be restricted by modifying the sharing configuration through the Windows sharing properties.
The following sharing properties are required:
• ModelerATF – all Modeler users should have Write permissions for the share property, associated folder, subfolders, and files.
By default, Everyone is granted Full Control to the share folder. You should restrict this so that only Integrity Modeler users have access, and only Administrators have Full Control.
Access Rights Management
You can define access rights at database level to define database administrators. Administrators are users that are allowed to perform administrator functions on the Database. For example: Start, Stop, Backup, and Restore.
Using Model Explorer, you can define user access rights at the following levels:
• Database — sets database access permissions for users and groups for a specific database. For example: Read, Write, and Owner.
• Model — sets model access permissions for users and groups for a specific model. For example: Read, Write, and Owner.
• Package — sets package access permissions for users and groups for a specific package. For Example: Write and Owner.
If a user has read access to a model, they can see the contents of the entire model. However, they cannot modify the items without Write permissions for the relevant package.
Modeler Client, Automation Interface and Simulation
The Modeler client interacts with the database through TCP/IP and the user is authenticated using a Trusted Connection (usually the user’s Windows credentials).
The Automation Interface enforces the access rights rules that are defined on databases, models, and packages. For example, if a user does not have read access to a model, they will not be able to access the model information through the Automation Interface.
The Modeler UI uses port 15777 to receive instrumentation from simulation code generated from a model. The sender and receiver are typically on the same machine so access is not required from anywhere else on the network.
FlexLM Server (license)
The license mechanism relies on FlexLM. The following programs or ports need to be set up as firewall exceptions. In each case, the path shown is for a Modeler installation to the default locations. For more information, see
Setting up the Windows Firewall.
You should also ensure that the following ports are open and secure:
• 27000 – for the Integrity Modeler License Server service, which is used by the Floating License Server. The lmgrd port by default is 27000 but can be explicitly specified on the SERVER line.
SERVER myserver.mycompany.com ID 27001
It is necessary to define not only the TCP port that lmgrd will use, but also the port each vendor daemon will use. The vendor daemon port is random but can be explicitly specified on the DAEMON line.
The 'PORT=' entry on the DAEMON line allows explicit selection of both externally available ports. 27001 is the TCP port reserved for use by the lmgrd process while 27002 is the port used by the vendor daemon process idl_lmgrd. Both port numbers must be unused by other processes. For example:
DAEMON ARTSANSW PORT=27002
Integrity Modeler Web Interface
Integrity Modeler Web Interface allows you to view the content of a model through a web browser. By default, Integrity Modeler Web Interface is installed using HTTPS and requires a security certificate to be configured.
The Web Interface is an optional feature.
When you grant a user access to a Web Interface website, they can view all models that are set to Public Read or Public Write in all databases that can be accessed through the website.
When you choose to install Web Interface, the Modeler installation program creates a Windows user account named PTC-IM-WSU, with a default password. You can change the password during the installation process, or after installation has completed. The Web Interface website uses the PTC-IM-WSU user account to access models.
To ensure security, we recommend changing the PTC-IM-WSU user account password.
You can set up how users are authenticated when they log in to a Web Interface website. You can use:
• LDAP authentication,
• Web Interface website account authentication (local accounts created through the Web Interface administration),
• Both LDAP and Web Interface website account authentication
When using LDAP authentication, a user can view the following models through the Web Interface website: models that are Public Read or Public Write; and models for which the user has Modeler Owner, Write or Read access permissions.
The installation program sets up the Web Interface and Model Manager websites as HTTPS. You can configure HTTP for the websites if required. For information on configuring Websites as HTTP, see
Configuring the Web Interface website to use HTTP.
The Web Interface operates on the port 57850 (port must be opened and secured) by default (it can be modified in the Bindings of IIS).
Firewall rules must be added to allow access to the Modeler sites which are configured as follows by default:
