How to connect OPC UA through a DMZ
Tutorial summary
- Download and install Cogent DataHub software on three computers, for the OPC UA server, the OPC UA client, and the DMZ.
- On the DMZ computer, configure the DataHub to act as a tunnelling Master.
- Move to the OPC UA server side, and connect that DataHub to the OPC server.
- Configure that same DataHub to act as a tunnelling Slave, and connect it to the DataHub tunnel Master on the DMZ.
- Move to the OPC UA client side and configure that DataHub to also act as a tunnelling Slave to the DataHub tunnel Master on the DMZ.
- Also configure that DataHub to act as an OPC server.
- Connect your OPC UA client.
For more details and options, see the documentation.
DataHub product used: DataHub UA Tunneller.
Step-by-step guide
- How to connect OPC UA through a DMZ, to isolate your OT and IT networks and keep your systems secure. This is done using tunnel/mirroring over three computers: the first at the OPC UA server, the second on the DMZ, and the third at the OPC UA client.
- First download and install Cogent DataHub software on each of the three computers.
- We will start with the DataHub instance on the DMZ machine by configuring it as a Tunnel Master.
- On the DMZ computer, start the DataHub and, from the Properties window, select the Tunnel/Mirror option. Make sure “Accept plain-text connections” is configured for port 4502. That port must be open inbound on the DMZ computer to accept the tunnel connections, but no inbound firewall ports need to be open on either the OPC server or OPC client computers, because both of those connect outbound to the DMZ. A plain-text tunnel is not encrypted, so at the DMZ firewall restrict inbound access to port 4502 to the two computers that will act as tunnel Slaves. Click Apply.
- Still in the Properties window, select Security and then click the Configure button.
- Under Users, click the Add button to add a Built-In User.
- Enter a username and password.
- Uncheck the Require TOTP Authentication box because this is a non-interactive connection. Then click OK.
- Under Roles, check the All Data Full Access box, then click OK. The DMZ DataHub is now configured as the Tunnel Master.
- Next we will connect to the OPC UA server on the OPC server computer. Switch to that computer.
- On the OPC server computer, start the DataHub, and from the Properties window, select the OPC UA option and click the Add button.
- Choose or enter a Discovery Domain.
- Choose or enter the endpoint URL for the OPC server.
- Leave the other fields at the default settings and click the Connection Test button.
- The connection should succeed. Close the window.
- Leave the Data Transfer options at the default settings.
- Manually select the nodes you want to connect to.
- Or choose Load All Nodes on Server.
- Enter a meaningful name for the data domain. Let’s call it “OPC UA server.”
- Click OK, make sure both “Act as an OPC UA Client” and the “On” button are checked, then click Apply.
- Click View Data to see your data in the Data Browser.
- Now we will configure the tunnel connection to the DMZ.
- Still on the OPC server computer, select the Tunnel/Mirror option. Make sure the Act as a tunnel/mirror slave option is checked, because this DataHub instance is a tunnel slave. Then click the Add Master button to add a tunnel master.
- Enter the IP address or computer name for the primary host, the tunnel Master, which is the DMZ computer where the second DataHub instance is running.
- Enter “OPC UA server” for the local data domain here on the Slave, and the same for the remote data domain on the Master.
- Enter the username and password for the networked user that you created on the Master.
- For the Data Flow Direction, choose “Read-write” to send and receive data, or “Write-only” to only send data toward the OPC client, with no writes coming back into the OPC server. If the IT side only needs to monitor, “Write-only” is the least-privilege choice.
- When the connection is first established, you want the Slave’s values, the OPC server data, to override whatever the DMZ Master holds. So choose the Override option.
- When the connection is lost, you want the data quality of all the points on the DMZ Master to be marked “Not Connected”. So choose that option.
- You can ignore the rest of the options for now. Click OK and Apply.
- Now move to the DMZ computer.
- On the DMZ computer, click View Data to see the data coming across the tunnel from the OPC server. The data is now updating on this DataHub instance.
- For the final step, we will connect the OPC UA client.
- Move to the third computer, the OPC client computer. The DataHub instance on this computer will be configured as a tunnel Slave, connecting outbound to the tunnel Master on the DMZ.
- On the OPC client computer, start the DataHub instance and select the Tunnel/Mirror option. Make sure the Act as a tunnel/mirror slave option is checked, then click the Add Master button to add a tunnel Master.
- Enter the IP address or computer name for the primary host, the tunnel Master, which is the DMZ computer where the second DataHub instance is running.
- Enter “OPC UA server” for the local data domain here on the Slave, and the same for the remote data domain on the Master.
- Enter the username and password for the networked user that you created on the Master.
- For the Data Flow Direction, choose “Read-write” to send and receive data, or “Read-only” to only receive the data coming from the OPC server. “Read-only” here, combined with “Write-only” on the OPC server side, ensures nothing on the IT network can write back into the OT network.
- When the connection is first established, you want to get all values from the Master on the DMZ, the OPC server data. So choose the “Get all values from the Master” option.
- When the connection is lost, you want the data quality of all the points here on the Slave to be marked “Not Connected”. So choose “Mark data quality here as Not Connected”.
- You can ignore the rest of the options for now. Click OK and Apply.
- Click View Data to see the data coming across the tunnel from the DMZ. The data is now updating on this DataHub instance.
- Still on the OPC client machine, in the DataHub Properties window, select OPC UA. Make sure the box for Act as an OPC UA Server is checked, and that the protocols you need are also checked. Then click Apply.
- In your OPC UA client, add the Cogent DataHub server. Then select your nodes.
- Now you are connected. OPC UA server data is being sent through the DMZ to the OPC UA client. No inbound firewall ports are open on either the server or the client side, which keeps the OT and IT networks isolated from each other.
Background
An OPC UA client cannot easily connect to an OPC UA server through a DMZ, because OPC UA was not designed for multi-hop connections: the client expects to open a session directly to the server’s endpoint, which would require an inbound path into the OT network.
To solve this problem, the DataHub tunnel/mirror approach moves the data, rather than the OPC UA session, across the DMZ, using only connections that are initiated outbound toward the DMZ. A DataHub instance acting as an OPC UA client connects to the OPC server and, using the Tunnel/Mirror feature, sends the data to a second DataHub running on the DMZ. The data is then tunnelled to a third DataHub instance configured as an OPC UA server. The OPC UA client connects to that instance and receives the data.
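The procedure above and this background both rest on one network invariant: the OT-side and IT-side DataHubs each open an outbound TCP connection to the DMZ DataHub on port 4502, and no other traffic crosses a zone boundary. The following script is an added example, not code from the page or from Cogent DataHub, that checks a firewall allow-list against that invariant. The host names, zone assignments, the OPC UA port 4840 for the in-zone client connection and both sample rule sets are constructed for illustration.

```python
"""Firewall-policy check for the three-computer DataHub/DMZ layout.

Added example; not code from the original page or from Cogent DataHub.
It encodes the traffic the tutorial relies on: the OT-side and IT-side
DataHub instances each open an outbound TCP connection to the DMZ
DataHub on port 4502, and no other traffic crosses a zone boundary.
Host names, zone assignments and the sample rule sets are constructed.
"""
from dataclasses import dataclass

TUNNEL_PORT = 4502  # "Accept plain-text connections" port used in the tutorial

# Assumed hosts and zones (constructed for this example).
ZONES = {
    "opc-server-host": "OT",   # DataHub: OPC UA client + tunnel Slave
    "dmz-datahub": "DMZ",      # DataHub: tunnel Master
    "opc-client-host": "IT",   # DataHub: tunnel Slave + OPC UA server
    "hmi-workstation": "IT",   # the OPC UA client application
}


@dataclass(frozen=True)
class Rule:
    """One allow rule: src host -> dst host, protocol, destination port."""
    src: str
    dst: str
    proto: str
    port: int


def zone_of(host: str) -> str:
    return ZONES.get(host, "UNKNOWN")


def check_policy(rules):
    """Return findings for rules that contradict the design; [] means it matches."""
    findings = []
    tunnel_sources = set()
    for r in rules:
        sz, dz = zone_of(r.src), zone_of(r.dst)
        if "UNKNOWN" in (sz, dz):
            findings.append(f"{r}: names a host outside the three zones ('any' is not acceptable here)")
            continue
        if sz == dz:
            continue  # intra-zone traffic (e.g. HMI -> IT DataHub OPC UA server) crosses no boundary
        if {sz, dz} == {"OT", "IT"}:
            findings.append(f"{r}: direct OT<->IT flow bypasses the DMZ")
        elif dz == "OT":
            findings.append(f"{r}: inbound into OT; the OT DataHub only connects outbound")
        elif dz == "IT":
            findings.append(f"{r}: inbound into IT; the IT DataHub only connects outbound")
        elif r.proto == "tcp" and r.port == TUNNEL_PORT:   # here dz == "DMZ", sz in OT/IT
            tunnel_sources.add(sz)
        else:
            findings.append(f"{r}: only TCP/{TUNNEL_PORT} from the Slave DataHubs should reach the DMZ")
    # Both Slaves must be able to reach the Master, or the tunnel never comes up.
    for z in ("OT", "IT"):
        if z not in tunnel_sources:
            findings.append(f"missing allow: {z} DataHub -> dmz-datahub TCP/{TUNNEL_PORT}")
    return findings


# Rule set matching the tutorial: two outbound tunnel connections plus the
# in-zone OPC UA connection from the client application to the IT DataHub.
INTENDED_RULES = [
    Rule("opc-server-host", "dmz-datahub", "tcp", TUNNEL_PORT),
    Rule("opc-client-host", "dmz-datahub", "tcp", TUNNEL_PORT),
    Rule("hmi-workstation", "opc-client-host", "tcp", 4840),  # assumed OPC UA port
]

# A tempting shortcut: let the IT client talk to the OT server directly and
# let the DMZ push into OT. Both defeat the isolation the DMZ is there for.
SHORTCUT_RULES = INTENDED_RULES + [
    Rule("hmi-workstation", "opc-server-host", "tcp", 4840),
    Rule("dmz-datahub", "opc-server-host", "tcp", TUNNEL_PORT),
]

if __name__ == "__main__":
    for name, rules in (("intended", INTENDED_RULES), ("shortcut", SHORTCUT_RULES)):
        found = check_policy(rules)
        print(f"{name}: {'OK' if not found else str(len(found)) + ' finding(s)'}")
        for line in found:
            print("  -", line)
```

Run it against an export of your own allow-list after filling in the real host names and zones; the intended rule set produces no findings, while the shortcut variant reports the direct OT-to-IT path and the inbound connection into OT. The check is deliberately strict about wildcards, since an "any" source on the DMZ rule is how the single open port quietly becomes reachable from the whole IT network.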
Skkynet provides Cogent DataHub secure-by-design software and services to let you acquire, aggregate, monitor, control, visualize, and network live process data in-plant or over insecure external networks, making it ideal for OT to IT and cloud connections. You can isolate control networks from cyber attacks and integrate industrial data under a unified namespace, all without compromising the plant.
