14.7. Using a DMZ


14.7. Using a DMZ
Prev	Chapter 14. Using the External Historian	Next

To maximize security for both the sender and receiver, you can use a DMZ to keep firewalls on both sides closed.

On the DMZ computer

The DataHub instance on the DMZ both receives and sends data. Data comes in via a Tunnel (Push) connection from the sending side DataHub instance. Data goes out via a Tunnel (Pull) connection from the receiving side.

To receive these inbound connections, you need to ensure that this DataHub instance's Tunnel/Mirror Master is enabled. This time we will use port 4504 for the plain-text Tunnel(Push) connection coming from the sending side to keep it separate from our previous example, and port 4506 for the SSL Tunnel(Pull) connection coming from the receiving side.
You will need to configure an InfluxDB database with this DataHub instance's External Historian for receiving, storing and forwarding data. Here's what you need to do:
1. In the External Historian option click the Add button.
2. Select InfluxDB, label this historian connection InfluxDMZ and configure a new, local database named DataHubDMZ.
  As mentioned previously, if you don't have a user name or password for InfluxDB, you can leave those fields blank. If you have previously installed InfluxDB independently of the DataHub program installation, then you'll need to use your existing InfluxDB URL.
3. In Forwarding Strategies, click the Add button and configure a Transfer named FwdFromDMZ and choose the InfluxDMZ historian that you just created.
  When finished, click OK and Apply. This forwarding strategy will be used by the Tunnel(Pull) connection from the receiving side.

On the Sending Side

The sending side DataHub instance is configured for a Tunnel (Push) connection, but with a new tunnel and sending to the DMZ historian.

Create a new Tunnel Slave connection that uses the name or IP address of the DMZ computer. Label this connection TUN002, use port 4504 to match the DMZ DataHub instance, and leave SSL unselected.
Create a new External Historian Tunnel(Push) connection.
1. In Write data to Historians click the Add button and choose Tunnel (Push). Configure it as follows:
  - The Label can be PushToDMZ.
  - For the Tunnel connection name select TUN002.
  - The Remote historian label should be InfluxDMZ
2. For the Forwarding strategy, you can continue using FwdByTunnel as configured previously:
  When finished, click OK and Apply.

On the Receiving Side

Configure this DataHub instance as you did for Tunnel (Pull) On the Receiving Side, but this time for the DataHub instance running on the DMZ.

Create a new Tunnel Slave connection that uses the name or IP address of the DMZ computer. Label this connection TUN003, use port 4506 to match the DMZ DataHub instance, and check the SSL option.
Create a new External Historian Tunnel(Pull) connection.
1. In Write data to Historians click the Add button and choose Tunnel (Pull). Configure it as follows:
  - The Label can be PullFromDMZ.
  - For the Tunnel connection name select TUN003.
  - For the Local historian label select Influx3
2. For the Remote System options, you should set the Remote forwarding strategy to FwdFromDMZ
  When finished, click OK and Apply.

Data from the sending side DataHub instance should now be flowing to the DataHub instance on the DMZ, and from there onwards to the receiving side DataHub instance. You can verify this in the respective Event Logs and/or Chronograf, as explained in the Connectingsection.

Prev	Up	Next
14.6. Tunnel (Pull)	Home	Chapter 15. Security