How to Connect a Siemens S7-1500 to SCADA Using KEPServerEX: Step-by-Step Tutorial

Connecting a Siemens S7-1500 PLC to a SCADA, MES, or historian is one of the most common starting points for an industrial connectivity project — and one of the most common places engineers get stuck. The S7-1500 is a modern, secure controller with several features (optimized data blocks, protection levels, PUT/GET access control) that did not exist on the older S7-300 and S7-400 platforms, and the default settings will block KEPServerEX from reading anything until you change them.

This tutorial walks through the full procedure: configuring the S7-1500 in TIA Portal, installing and configuring KEPServerEX, adding the device with the correct rack and slot, validating the connection, and exposing tags to a SCADA or any OPC UA client. It is the procedure our engineers use every week on real customer sites across Singapore, Malaysia, and Vietnam. No screenshots — just the settings, the values, and the reasons.

If you are at the procurement stage and have not yet purchased KEPServerEX, see our KEPServerEX product page or read our broader guide to Kepware industrial connectivity first.

What you will need before you start

• A Siemens S7-1500 CPU with an Ethernet interface (any current firmware). The procedure is identical for S7-1200; the only difference is which CPU model you select inside KEPServerEX.
• TIA Portal V14 or later with administrative access to the PLC project. You need to upload the project, change protection settings, and download. If you only have read access, stop here and get the right credentials.
• KEPServerEX V6.0 or later with either the Siemens TCP/IP Ethernet driver (Siemens Suite) or the Siemens S7 Plus Ethernet driver (Siemens Plus Suite). For a new S7-1500 project using optimized blocks, prefer the Plus driver — see the optimized-blocks section below.
• A Windows server or industrial PC for KEPServerEX. Production deployments should be Windows Server 2019 or 2022, joined to a domain, with antivirus exclusions configured for the KEPServerEX install folder. A laptop running Windows 10/11 is fine for bench testing.
• IP connectivity from the KEPServerEX host to the PLC, on TCP port 102 (the S7 communication port). If a firewall sits between them — even a Windows host firewall — open port 102 outbound from the server to the PLC.

Step 1: Configure the S7-1500 in TIA Portal

The S7-1500 will refuse external reads until three protection settings are changed. Open your PLC project in TIA Portal, double-click the CPU in the device view, and open the Properties tab.

1.1 Set the protection level

In Protection & Security → Access level, select Full access (no protection) for the test phase, or Read access if you only need KEPServerEX to read tags. The Siemens TCP/IP Ethernet driver does not support a PLC-side password, so a higher protection level will block the connection. For production, the recommended path is to leave the PLC at “Read access” and rely on segmenting the OT network instead of a PLC password.

1.2 Enable PUT/GET communication

In the same Protection & Security section, scroll to Connection mechanisms and check “Permit access with PUT/GET communication from remote partner.” This is the single most common reason a first-time connection fails. It is unchecked by default on every new S7-1500 project.

1.3 Mark data blocks as accessible

For every Data Block (DB) you want KEPServerEX to read or write, right-click the DB, choose Properties → Attributes, and make sure “Accessible from HMI/OPC UA/Web API” is checked. If it is not, the DB exists in the PLC but is invisible to KEPServerEX.

1.4 Decide on optimized block access

This is the decision that drives which Kepware driver you use:

• If you uncheck “Optimized block access” on a DB, the DB lays out as a fixed memory image with absolute offsets — the same way DBs work on S7-300/400. The classic Siemens TCP/IP Ethernet driver in the Siemens Suite can then read it.
• If you leave “Optimized block access” checked (Siemens’s default and recommended setting for new projects), the DB uses symbolic addressing and the classic driver cannot reach it. You need the Siemens S7 Plus Ethernet driver, sold as part of the Siemens Plus Suite, which speaks S7 Comm Plus and supports symbolic reads and writes.

For greenfield S7-1500 projects, the Plus Suite is almost always the right answer — you keep optimized blocks (faster, more memory-efficient, the way TIA Portal wants you to work), and you avoid the temptation to disable optimization just for connectivity. The Siemens Suite (classic driver) is fine for brownfield plants where DBs were already laid out the old way.

Save the project and download to the PLC after making these changes. A “cold restart” is not required.

Step 2: Install KEPServerEX and create the channel

Install KEPServerEX on the Windows host using a domain or local administrator account. During the install:

• Choose “Custom” and select only the Siemens drivers you have licensed. Installing every driver wastes disk and complicates the configuration tree.
• Enable the OPC UA Server component (selected by default in modern installers).
• Skip the Quick Client only if you have a strong reason — it is the easiest way to validate the connection in the next step.

After install, open the KEPServerEX Configuration tool. The tree on the left is your project: Channels → Devices → Tags.

Right-click Connectivity → Click to add a channel. Walk the wizard:

1. Device driver: choose Siemens TCP/IP Ethernet (classic, non-optimized blocks) or Siemens S7 Plus Ethernet (optimized blocks and symbolic addressing). This is locked once the channel is created — if you pick wrong, you will delete the channel and start over.
2. Channel name: use a descriptive name like Siemens_PlantA. Avoid spaces.
3. Network adapter: select the physical NIC that connects to the OT network, not the default “0.0.0.0”. Pinning the adapter avoids surprises when the host has multiple NICs.
4. Write optimizations: leave the default (latest value for non-Boolean tags, all values for Boolean). This is correct for SCADA use.

Step 3: Add the Siemens device

Right-click the new channel and choose Click to add a device. The driver-specific settings start here.

3.1 Pick the model

In the Model dropdown, select S7-1500 (not S7-300 or S7-400). The model selection affects how the driver formats S7 read/write requests; picking S7-300 against an S7-1500 will sometimes work but will silently truncate certain data types.

3.2 Set the IP address

Use the PLC’s Ethernet interface IP address as configured in TIA Portal under PROFINET interface → Ethernet addresses. Validate with a ping from the KEPServerEX host first — if ping fails, the issue is the network, not Kepware.

3.3 Set rack and CPU slot

This is the second most common configuration mistake. For an S7-1500:

• Rack: 0
• CPU Slot: 1

The S7-1500 is always Rack 0, Slot 1, regardless of whether you wire into port X1 or X2 of the same CPU. Older KEPServerEX builds had a quirk that did not accept “1” as a slot value — if you are on a very old V5.x build and see a validation error, use Slot 2 as a workaround and upgrade KEPServerEX. On any V6.0 or later install this is no longer required.

3.4 Communication parameters

Defaults are correct for almost all S7-1500 deployments:

• Port: 102
• Connection type: PG
• Request timeout: 1,000 ms (raise to 3,000 ms if the PLC is across a WAN link or behind a slow firewall)
• Fail after 3 successive timeouts

Step 4: Validate the connection before adding tags

Right-click the new device and choose Diagnostics → Display Diagnostics (or open the Event Log at the bottom of the configuration window). You should see lines like:

Siemens TCP/IP Ethernet | Siemens_PlantA.PLC1 | 'PLC1' is now responding

If you see “Unable to read tag PLC1 — reference is invalid” or “Device ‘PLC1’ is not responding”, walk this checklist in order:

1. Can you ping the PLC from the KEPServerEX host? If not, fix routing first.
2. Is “Permit access with PUT/GET communication from remote partner” checked in TIA Portal and downloaded to the PLC? (90% of first-attempt failures.)
3. Is the access level set to Full access or Read access (not Complete protection)?
4. Are the DBs you are trying to read marked “Accessible from HMI/OPC UA/Web API”?
5. If using the classic Siemens TCP/IP Ethernet driver, is “Optimized block access” unchecked on the DBs?
6. Is anything in the path — Windows host firewall, OT switch ACL, OT firewall — blocking outbound TCP 102 from the KEPServerEX host to the PLC?

Step 5: Add tags and expose them via OPC UA

With the device responding, right-click it and choose New Tag for each PLC variable you want to expose. Examples for an S7-1500:

• DB block: DB10,DBD0 for a 32-bit floating-point value at offset 0 of DB10 (classic driver), or DB10.MyVariable using symbolic addressing (Plus driver).
• Memory bit: M10.0 — bit 0 of memory byte 10.
• Input: I0.0 — first digital input.
• Output: Q0.0 — first digital output.
• Timer: T1. Counter: C1.

For large projects, do not type tags manually. Use Automatic Tag Database Generation — right-click the device, choose Properties → Tag Generation → Create Tags on Device Startup, then either point KEPServerEX at the TIA Portal symbol export or let the Plus driver browse symbols directly. A 5,000-tag plant takes about three seconds.

To validate the tags, launch the bundled OPC Quick Client from the toolbar. Tags show their values and quality (Good, Bad, Uncertain). Anything with quality “Bad” usually means a typed address that does not exist on the PLC or a data type mismatch — double-check the DB declaration in TIA Portal.

Step 6: Connect your SCADA, historian, or OPC UA client

KEPServerEX exposes the tag set as an OPC UA endpoint by default at opc.tcp://<kepserverex-host>:49320. To consume the tags:

• SCADA (Proficy iFIX, Wonderware InTouch, Ignition, AVEVA InTouch, etc.): add a new OPC UA Client connection, point it at the endpoint URL, accept the server certificate, and browse the address space.
• Historian (Proficy Historian, OSIsoft PI, AVEVA Historian): same pattern — the historian’s OPC UA interface points at the same endpoint.
• MES or analytics platform: use the platform’s OPC UA connector. Our own Proficy Plant Applications MES consumes KEPServerEX tags natively.
• Cloud or MQTT: enable the IoT Gateway plug-in inside KEPServerEX and publish tags to AWS IoT, Azure IoT Hub, or any Sparkplug B / MQTT broker.

On the KEPServerEX side, secure the OPC UA endpoint properly before exposing it beyond the OT network:

• Disable the “None” security policy. Allow only Basic256Sha256 with sign-and-encrypt.
• Generate or import a real X.509 server certificate and copy the trusted client certificate into the KEPServerEX trust list.
• Set OPC UA user authentication to username/password or certificate-based, not anonymous.

The four mistakes that account for most failed S7-1500 connections

1. PUT/GET not enabled. The single biggest one. Always re-check Connection mechanisms in TIA Portal.
2. Wrong slot. Engineers used to S7-300 sometimes set Slot 2; on S7-1500 it is always Slot 1.
3. Optimized blocks + classic driver. Either uncheck Optimized block access on the DB, or switch to the Siemens S7 Plus Ethernet driver.
4. DB not marked accessible from HMI. The DB exists in the PLC but the driver gets “reference is invalid” on every tag inside it.

Security best practices for S7-1500 + KEPServerEX deployments

• Segment the OT network. KEPServerEX should sit in an OT/DMZ zone, not on the corporate LAN. The PLC should sit on a Level 1 control network with no direct corporate access.
• Pin the PLC IP. Use a static IP for the S7-1500 and reserve the corresponding address on the OT DHCP scope (or run the OT VLAN statically).
• Restrict OPC UA endpoints. Only the SCADA, historian, and MES that actually need tags should be allowed to authenticate. Use a host-based firewall on the KEPServerEX server to limit inbound TCP 49320 to specific source IPs.
• Layer in OT cybersecurity. For regulated plants (pharma, food & beverage, semiconductor), pair KEPServerEX with OPSWAT OTfuse for inline OT traffic inspection and MetaDefender Kiosk for USB media control on engineering laptops.
• Patch the PLC firmware. Siemens publishes S7-1500 firmware updates regularly. A KEPServerEX deployment is only as secure as the controllers it talks to.

What about S7-1200, S7-300, S7-400, and LOGO!?

The procedure above is for S7-1500. Quick notes on the rest of the family:

• S7-1200: identical procedure. Set Model = S7-1200 in KEPServerEX. PUT/GET and optimized-block decisions are the same as S7-1500.
• S7-300 / S7-400: simpler — no PUT/GET access toggle, no optimized-block concept. Use the classic Siemens TCP/IP Ethernet driver, set Model = S7-300 or S7-400, set Rack and Slot to match the actual hardware (commonly Rack 0, Slot 2).
• LOGO! 0BA7/0BA8: use the Siemens LOGO! driver in the Siemens Suite. Not S7 TCP/IP.
• S7-1500 with TIA Portal-based OPC UA server enabled: as of TIA Portal V15.1+, the S7-1500 CPU itself has a built-in OPC UA server. You can connect SCADA directly without KEPServerEX. But KEPServerEX still wins when (a) you have multi-vendor PLCs, (b) you need IoT Gateway for MQTT/cloud, or (c) you want a single OPC UA address space across the plant.

Buying KEPServerEX and the Siemens (Plus) Suite in Singapore, Malaysia, and Vietnam

For a new Siemens S7-1500 connectivity project, the typical license bundle is the Siemens Plus Suite (covers S7-1200, S7-1500 with optimized blocks, plus the classic S7-300/400 driver and the LOGO! driver). For pure S7-300/400 brownfield, the Siemens Suite is sufficient.

Allied Solutions Global is an authorized Kepware (PTC) distributor across Southeast Asia. We support license sizing, deployment, and ongoing support from offices in:

• Singapore — regional headquarters, 23 New Industrial Road. Call +65 6484 4050.
• Kuala Lumpur and Penang for Malaysian deployments.
• Ho Chi Minh City for Vietnam projects.

Frequently asked questions

Do I need the Siemens Plus Suite or the Siemens Suite for an S7-1500?

If you want to keep TIA Portal’s default Optimized block access setting on your data blocks (recommended for new projects), you need the Siemens Plus Suite and the Siemens S7 Plus Ethernet driver. If you are willing to disable optimized blocks on every DB the OPC server reads, the standard Siemens Suite with the classic Siemens TCP/IP Ethernet driver is enough.

What port does KEPServerEX use to talk to the S7-1500?

TCP port 102, the standard S7 communication port. Open it outbound from the KEPServerEX host to the PLC. The OPC UA endpoint that SCADA/historian/MES clients use is a separate listener — TCP 49320 by default on the KEPServerEX side.

Can KEPServerEX write to an S7-1500, not just read?

Yes, provided the PLC protection level is set to Full access (no read-only restriction) and PUT/GET is permitted. Writes use the same S7 communication mechanism as reads. For safety-critical writes, route them through structured PLC interlocks rather than direct DB writes.

Can I connect KEPServerEX to multiple S7-1500 PLCs on the same channel?

Yes. Add multiple devices under the same Siemens channel, each with its own IP and Rack/Slot. KEPServerEX serializes requests across devices on a channel, so for high-tag-count plants you can also split PLCs across multiple channels in parallel for throughput.

How do I expose S7-1500 tags as MQTT instead of OPC UA?

Install the KEPServerEX IoT Gateway plug-in. It adds MQTT and REST agents that publish any KEPServerEX tag to a broker (AWS IoT Core, Azure IoT Hub, HiveMQ, Mosquitto, or any Sparkplug B broker). Configure the agent with the broker URL, topic template, and the tags you want to publish.

Does Kepware support Siemens SIMATIC HMI panels?

Siemens HMI panels (KTP/TP/MP series) are themselves OPC clients — they don’t need KEPServerEX between themselves and the PLC. But if you want to historize HMI alarms in OSIsoft PI or Proficy Historian, KEPServerEX can pull data from the same PLC the HMI is talking to without affecting HMI performance.

Is the procedure different for the Allen-Bradley equivalent (ControlLogix / CompactLogix)?

The high-level pattern is the same — install KEPServerEX, add a channel, add a device, add tags, expose via OPC UA — but the specifics differ. We have a separate tutorial planned for connecting Allen-Bradley ControlLogix and CompactLogix PLCs to KEPServerEX. For now, see the KEPServerEX product page for the supported Allen-Bradley driver families.

Next steps

1. If you already own KEPServerEX, validate that you have the right Siemens driver licensed. Open the License Manager — if you see “Siemens TCP/IP Ethernet” but not “Siemens S7 Plus Ethernet”, you have the classic suite and will need to either disable optimized blocks or upgrade to the Plus Suite.
2. If you do not yet own KEPServerEX, contact us with your PLC list (vendor + model + count) and target SCADA / historian / MES. We will return a sized Kepware Suite recommendation within one business day.
3. For a wider view of where KEPServerEX fits in a plant architecture, read our guide to Kepware industrial connectivity.

Allied Solutions Global is an authorized Kepware (PTC) distributor across Southeast Asia. KEPServerEX, Kepware, and the Siemens Plus Suite are products of PTC Inc. SIMATIC, S7-1500, S7-1200, S7-300, S7-400, LOGO!, and TIA Portal are trademarks of Siemens AG.