Chapter 5. Tunnel/Mirror Connections

Table of Contents
5.1. Why Tunnelling?
5.2. How-To Scenarios
5.2.1. Both Firewalls Open, Inbound
5.2.2. One Firewall Closed, Outbound
5.2.3. Both Firewalls Closed, with DMZ
5.3. Configuring the Tunnel Master
5.4. Configuring the Tunnel Slave
5.5. Endpoints - Sources and Users
5.5.1. Supported Protocols
5.5.2. OPC UA
5.5.3. OPC DA
5.5.4. OPC A&E
5.5.5. MQTT
5.5.6. Modbus
5.5.7. ODBC
5.5.8. DDE
5.5.9. External Historian
5.5.10. DataHub service for Azure
5.6. Combinations
5.6.1. Multiple connections
5.6.2. Bridging
5.6.3. Partial data sets
5.7. TCP Ports and DataHub Tunnelling

For data networks, tunnelling means encapsulating one protocol inside another so that it can be sent more easily and/or more securely across the network. Mirroring means replicating the data from one side to the other, so that both sides hold identical data sets. DataHub tunnel/mirroring offers some unique advantages for data networking.


5.1. Why Tunnelling?

Avoiding DCOM

Connecting OPC Classic servers and clients across a network requires DCOM. DCOM has always been difficult to configure, and not very secure. Now, with the mandatory application of the KB5004442 security patch from Microsoft, only the two highest levels of DCOM authorization are permitted. Any connections from OPC clients with lower security settings will fail.

DataHub tunnel/mirroring makes only local OPC connections, and passes the data across the network over TCP, with optional SSL if needed. This eliminates the need for DCOM and solves the KB5004442 security patch problem.

Outbound connections

Unlike most industrial data protocols, DataHub tunnel/mirroring can make outbound-only connections from the plant to the cloud, IT department, or a DMZ. It keeps all inbound firewall ports closed and uses no VPNs, leaving no inbound attack surface on the plant network. SSL is fully supported for all networked protocols.

Flexible data flow

DataHub tunnel/mirroring can be configured for one-way or bidirectional data flow. It supports OPC UA, OPC DA, A&E, MQTT, Modbus, ODBC, and external historian connections—converting between them if necessary in real-time within the DataHub unified namespace.

Traversing a DMZ

The NIS2 Directive, NIST CSF 2.0, and leading security experts all agree that network segmentation using a DMZ is critical for securing access to operations data. Unlike OPC UA or MQTT, DataHub tunnel/mirroring can pass data securely along the multiple daisy-chained connections that are necessary for DMZ support.

Data diode mode

Data diode mode provides an extra layer of security, ensuring that absolutely no data passes into the OT system. This feature can be used to support data diode hardware, or as a software-only option.