How to connect MQTT through a DMZ
Summary
- Download and install Cogent DataHub software on three computers: 1) for the MQTT device connection, 2) the MQTT broker connection, and 3) the DMZ.
- On the DMZ computer, configure the DataHub to act as a tunnelling Master.
- Move to the MQTT device side, and connect the device to the DataHub MQTT Broker as a client.
- Configure that same DataHub to act as a tunnelling Slave, and connect it to the DataHub tunnel Master on the DMZ.
- Move to the MQTT broker side and configure that DataHub to also act as a tunnelling Slave to the DataHub tunnel Master on the DMZ.
- Also configure that DataHub's MQTT Client to connect to an MQTT broker.
- Connect to an MQTT broker.
For more details and options, see the documentation.
DataHub products used: DataHub Smart MQTT Broker, Tunnel/Mirror, DataHub DA Tunneller, DataHub IoT Gateway
Transcript
- How to connect MQTT through a DMZ, for segmented networks, to keep your systems secure. This is done using tunnel/mirroring over three computers, the first one connected to MQTT devices, the second one on the DMZ, and the third one connected to the MQTT broker.
- First download and install Cogent DataHub software on each of the three computers.
- We will start with the DataHub instance on the DMZ machine by configuring it as a Tunnel Master.
- On the DMZ computer, start the DataHub, and from the Properties window, select the Tunnel/Mirror option. Make sure “Accept plain-text connections” is configured for port 4502. That port must be opened on this computer to make the connection, but no firewall ports need to be open on either the device side or the MQTT broker side. Click Apply.
- Still in the Properties window, select Security and then click the Configure button.
- Under Users, click the Add button to add a Built-In User.
- Enter a username and password.
- Uncheck the Require TOTP Authentication box because this is a non-interactive connection. Then click OK.
- In the Roles, check the All Data Full Access box. Then click OK. The DMZ DataHub is now configured as the Tunnel Master.
- Next we will connect an MQTT device to the DataHub instance running on the computer inside, behind the DMZ. Switch to that computer.
- On the computer inside the DMZ, start the DataHub, and from the Properties window, select the MQTT Broker. Ensure the Enable MQTT Broker option is checked, and that “Listen for connections on port 1883” is enabled.
- In Message Content, select “Interpret messages as JSON data point values” and the Simple message format. Then click the Edit button.
- In the Configure Parser dialog window, delete all values in the Per-Point Format entry field.
- Type {value}. This will assign the entire content of each MQTT message to be the value of a DataHub point. See the documentation for other options.
- Click OK to close this window.
- Back in the main configuration, in Options, make sure “Require authentication” and “Use per-topic permissions” are not selected. This will simplify your security requirements for now. See the documentation for enabling security later on. You can keep “Mark data as Not Connected” selected.
- Leave all the other options at the default settings, and click Apply.
- Connect your device to your DataHub MQTT Broker. We are using an MQTT demo program to simulate a device.
- In our simulator, we create an MQTT topic name as a two-part string separated by a slash, like “Device1/Msg1”. The first part of the string is for the DataHub domain and the second part is the point name. Your device may use a different naming convention.
- Publish a test message to the DataHub MQTT Broker.
- Back in your DataHub instance, click View Data to see your data in the Data Browser. The device is now connected.
- Now we will configure the tunnel connection to the DMZ.
- Still on the device-side computer, select the Tunnel/Mirror option. Make sure the Act as a tunnel/mirror slave option is checked, because this DataHub instance is a tunnel slave. Then click the Add Master button to add a tunnel master.
- Enter the IP address or computer name for the primary host, the tunnel Master, which is the DMZ computer where the second DataHub instance is running.
- Enter the first part of your MQTT topic name for the Local data domain, as well as for the Remote data domain.
- Enter the username and password for the networked user that you created on the Master.
- For the Data Flow Direction, choose “Read-write” to send and receive data, or “Write-only” to just send data to the MQTT broker.
- When the connection is first initiated, you want the Slave’s values, the MQTT device data, to override the values on the DMZ Master. So choose the Override option.
- When the connection is lost, you want to mark the data quality for all points on the DMZ Master as “Not Connected”. So choose that option.
- You can ignore the rest of the options for now. Click OK and Apply.
- Now move to the DMZ computer.
- On the DMZ computer, click View Data to see the data, coming across the tunnel from the device. The data is now updating here on this DataHub instance.
- Next, we will connect the third DataHub instance to the DMZ.
- Move to the third computer, on the MQTT broker side. The DataHub instance on this computer will also be configured as a tunnel Slave, connecting outbound to the tunnel Master on the DMZ.
- On this third computer, outside the DMZ on the broker side, start the DataHub instance and select the Tunnel/Mirror option. Make sure the Act as a tunnel/mirror slave option is checked, then click the Add Master button to add a tunnel Master.
- Enter the IP address or computer name for the primary host, the tunnel Master, which is the DMZ computer where the second DataHub instance is running.
- Enter the first part of your MQTT topic name for the Local data domain, as well as for the Remote data domain.
- Enter the username and password for the networked user that you created on the Master.
- For the Data Flow Direction, choose “Read-write” to receive and send data, or “Read-only” to just receive data coming from the MQTT device.
- When the connection is initiated, when it first starts, you want to get all values from the Master on the DMZ, the MQTT device data. So choose the “Get all values from the Master” option.
- When the connection is lost, you want to mark the data quality for all points here on the slave as “Not Connected”. So choose “Mark data quality here as Not Connected”.
- You can ignore the rest of the options for now. Click OK and Apply.
- Click View Data to see the data, coming across the tunnel from the DMZ. The data is now updating here on this DataHub instance.
- For the final step, we will connect the DataHub MQTT Client to the MQTT broker.
- Still on the computer outside the DMZ, in the DataHub Properties window, select the MQTT Client feature. Check the “Enable MQTT client connections” option, because this DataHub instance will be acting as an MQTT client to the MQTT broker. Then click the Add button to configure an MQTT client connection.
- In the Connect to MQTT Broker configuration window we will configure standard MQTT. For Azure IoT Hub, Google IoT, AWS IoT Core, or Sparkplug connections, please see the documentation.
- Create a label for this connection. Then enter the host name or IP address for your MQTT broker. Leave the other connection options at the default settings for now.
- Select the points whose data you wish to push to the MQTT broker.
- You can add a prefix segment to every topic to help identify this connection on the MQTT broker. Leave all the other options at the default settings, and click OK.
- Back in the MQTT Client Configuration, you will see the configured connection. Click Apply, and the Status should change to Running.
- You can view your data in another MQTT client. Connect that client to the MQTT broker, and you should be able to access the MQTT message coming through the DMZ.
- Now you are connected. Data from the MQTT device is being sent through the DMZ to the MQTT broker. No firewalls are open on either the device or broker side, isolating the OT and IT networks.
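The following is an added model of the data path the procedure above builds; it is not DataHub code and does not speak MQTT on the wire. It reproduces only the semantics the transcript configures: the demo device's two-part topic (domain/point), the `{value}` per-point format, tunnel Slaves that dial out to the Master on the DMZ, Override versus Get-all-values on connect, and Not Connected quality when the device-side tunnel drops. The class names, the JSON-decoding of message bodies, and the sample message `Device1/Msg1 = 42` are assumptions made for the example.

```python
"""Constructed model of the three-hop tunnel/mirror topology (not DataHub code)."""
import json
from dataclasses import dataclass

GOOD = "Good"
NOT_CONNECTED = "Not Connected"


@dataclass
class Point:
    value: object
    quality: str = GOOD


def parse_topic(topic):
    """Map the demo device's two-part topic 'Domain/Point' to (domain, point).
    Wildcards, empty segments and extra segments are rejected so a malformed
    topic cannot create points in an unintended domain."""
    if any(c in topic for c in "+#"):
        raise ValueError(f"wildcard in publish topic: {topic!r}")
    parts = topic.split("/")
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"topic must be 'Domain/Point': {topic!r}")
    return parts[0], parts[1]


def is_valid_topic(topic):
    try:
        parse_topic(topic)
        return True
    except ValueError:
        return False


def apply_per_point_format(payload, per_point_format="{value}"):
    """Simple format with the template set to exactly '{value}': the whole message
    body is the point value. Assumption: the body is JSON-decoded when it parses
    ('Interpret messages as JSON data point values'), otherwise kept as a string."""
    if per_point_format != "{value}":
        raise NotImplementedError("only the '{value}' template is modelled")
    try:
        return json.loads(payload)
    except json.JSONDecodeError:
        return payload


class DataHub:
    """One instance: domain -> point name -> Point."""

    def __init__(self, name):
        self.name, self.domains = name, {}

    def write(self, domain, point, value, quality=GOOD):
        self.domains.setdefault(domain, {})[point] = Point(value, quality)

    def snapshot(self, domain):  # independent copy, so quality edits don't leak
        return {k: Point(p.value, p.quality) for k, p in self.domains.get(domain, {}).items()}

    def mark(self, domain, quality):
        for p in self.domains.get(domain, {}).values():
            p.quality = quality

    def mqtt_publish(self, topic, payload):
        """Smart MQTT Broker side: a device message becomes a point."""
        domain, point = parse_topic(topic)
        self.write(domain, point, apply_per_point_format(payload))


class TunnelSlave:
    """The Slave dials out to the Master; only the Master's port 4502 listens, so
    neither the device-side nor the broker-side network accepts inbound connections."""

    def __init__(self, local, master, domain, direction, on_connect, on_lost):
        self.local, self.master, self.domain = local, master, domain
        self.direction, self.on_connect, self.on_lost = direction, on_connect, on_lost
        self.connected = False

    def connect(self):
        self.connected = True
        if self.on_connect == "override":    # Slave's values replace the Master's
            self.master.domains[self.domain] = self.local.snapshot(self.domain)
        elif self.on_connect == "get_all":   # Master's values replace the Slave's
            self.local.domains[self.domain] = self.master.snapshot(self.domain)

    def push(self, point):
        """Slave -> Master, permitted for Read-write and Write-only."""
        if self.connected and self.direction in ("read-write", "write-only"):
            p = self.local.domains[self.domain][point]
            self.master.write(self.domain, point, p.value, p.quality)

    def pull(self):
        """Master -> Slave, permitted for Read-write and Read-only."""
        if self.connected and self.direction in ("read-write", "read-only"):
            self.local.domains[self.domain] = self.master.snapshot(self.domain)

    def disconnect(self):
        self.connected = False
        target = self.master if self.on_lost == "mark_master" else self.local
        target.mark(self.domain, NOT_CONNECTED)


def run_scenario():
    """Publish one constructed message, mirror it across both hops, then drop the
    device-side tunnel and let the broker side observe the quality change."""
    device_side, dmz, broker_side = DataHub("device"), DataHub("dmz"), DataHub("broker")
    inbound = TunnelSlave(device_side, dmz, "Device1", "write-only", "override", "mark_master")
    outbound = TunnelSlave(broker_side, dmz, "Device1", "read-only", "get_all", "mark_local")
    device_side.mqtt_publish("Device1/Msg1", "42")  # constructed test message
    inbound.connect()     # Override: Device1 domain copied onto the DMZ Master
    outbound.connect()    # Get all values: copied from the DMZ to the broker side
    inbound.disconnect()  # device tunnel drops; DMZ points become Not Connected
    outbound.pull()       # broker side refreshes and sees the degraded quality
    return device_side, dmz, broker_side


if __name__ == "__main__":
    _, dmz, broker = run_scenario()
    print({k: (p.value, p.quality) for k, p in broker.domains["Device1"].items()})
```

The point worth noticing is the last two lines of `run_scenario`: the device-side data never changes, but the broker side ends up holding the last value with Not Connected quality, which is exactly what the two "mark as Not Connected" choices in the procedure are for. A consumer on the IT side can therefore tell a stale value from a live one without any inbound path into the OT network.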
Background
An MQTT device cannot connect to an MQTT broker through a DMZ very well because MQTT was not designed to support multi-hop connections.
To solve this problem, the DataHub tunnel/mirror approach encapsulates MQTT within a unidirectional transport layer that can pass through the DMZ. The MQTT-enabled device connects to a DataHub Smart MQTT Broker. That DataHub instance has the Tunnel/Mirror feature enabled, and sends the data to the DataHub running on the DMZ. The data is then tunneled to a third DataHub instance running on the IT system. That DataHub is configured as an MQTT client, and sends the data to the MQTT broker.
Skkynet provides Cogent DataHub secure-by-design software and services to let you acquire, aggregate, monitor, control, visualize, and network live process data in-plant or over insecure external networks, making it ideal for OT to IT and cloud connections. You can isolate control networks from cyber attacks and integrate industrial data under a unified namespace, all without compromising the plant.
