How to tunnel OPC UA – outbound

No access to YouTube? Click here to view locally

Summary

  1. Download and install Cogent DataHub software on the OPC server and OPC client machines.
  2. On the OPC client side, configure the DataHub to act as a tunnelling Master.
  3. Switch to the OPC server side, and connect that DataHub to the OPC server.
  4. Then configure it so act as a tunnelling Slave, and connect it to the tunnelling Master on the DataHub on the OPC client side.
  5. Switch back to the DataHub on the OPC client side and configure it to act as an OPC server.
  6. Connect your OPC client.

For more details and options, see the documentation.

DataHub product used: DataHub UA Tunneller.

Transcript

  1. How to tunnel OPC UA outbound, that is by connecting outbound through a firewall from the OPC server to the OPC client.
  2. First download and install Cogent DataHub software on both the server and client computers.
  3. We will start with the DataHub instance on the OPC UA client machine by configuring it as a Tunnel Master.
  4. On the OPC client computer, start the DataHub, and from the Properties window,, select the Tunnel/Mirror option. Make sure “Accept plain-text connections” is configured for port 4502. That port must be opened on this computer to make the connection, but no firewall ports need to be open on the OPC server computer.  Click Apply. The OPC client side is now configured as the Tunnel Master.
  5. Still n the Properties window, select Security and then click the Configure button.
  6. Under Users, click the Add button to add a Built-In User.
  7. Enter a username and password.
  8. Uncheck the Require TOTP Authentication box because this is a non-interactive connection.  Then click OK.
  9. In the Roles, check the All Data Full Access box.  Then click OK. The OPC client side is now configured as the Tunnel Master.
  10. Next we will connect to the OPC UA server on the OPC server computer.  Switch to that computer.
  11. On the OPC server computer, start the DataHub, and from the Properties window, select the OPC UA option and click the Add button.
  12. Choose or enter a Discovery Domain.
  13. Choose or enter the endpoint URL for the OPC server.
  14. Leave the other fields at the default settings and click the Connection Test button.
  15. The connection should succeed. Close the window.
  16. Leave the Data Transfer options at the default settings.
  17. Manually select the nodes you want to connect to.
  18. Or choose Load All Nodes on Server.
  19. Enter a meaningful name for the data domain. Let’s call it “OPC UA server.”
  20. Click OK, make sure the “Act as an OPC UA Client” and the “On” button are checked, then click Apply.
  21. Click View Data to see your data in the Data Browser.
  22. Now we will connect the tunnel outbound through the firewall from the DataHub on this computer to the DataHub on the OPC client computer.
  23. Still on the OPC server computer, select the Tunnel/Mirror option. Make sure the Act as a tunnel/mirror slave option is checked, because this DataHub instance is the tunnel slave. Then click the Add Master button to add a tunnel master.
  24. Enter the IP address or computer name for the primary host., the tunnel Master, which is the OPC client computer where the other DataHub instance is running.
  25. Enter “OPC UA server” for the local data domain here on the Slave, and the same for the remote data domain on the Master.
  26. Enter the username and password for the networked user that you created on the Master.
  27. For the Data Flow Direction, choose “Read-write” to send data and receive data, or “Write-only” to just send data to the OPC client.  Don’t choose “Read-only” because you will be writing data to the Master from the OPC server,
  28. When the connection is initiated, when it first starts, you want to override the OPC client values with the Slave’s values, the OPC server data.  So choose the Override option.
  29. When the connection is lost, you want to mark the data quality for all points over there on the Master as “Not Connected”.  So choose that option.
  30. You can ignore the rest of the options for now.  Click OK and Apply.
  31. Now switch back to the OPC client computer.
  32. On the OPC client computer, click View Data to see the data, coming across the tunnel from the OPC server. The data is now updating here on this DataHub instance..
  33. For the final step, we will connect the OPC UA client.
  34. In the DataHub Properties window on the OPC client machine, select OPC UA and make sure the box for Act as an OPC UA Server is checked, and that the protocols you need are also checked.  Then click Apply.
  35. In your OPC UA client, add the Cogent DataHub server.  Then select your nodes.
  36. Now you are connected.  OPC UA server data is being sent via an outbound connection, tunnelled through the firewall and across the network to the OPC UA client. This is how to tunnel OPC UA outbound.

Background

OPC UA networks well, but it requires the client to connect inbound to the server. To keep all firewalls closed on the server side, you can OPC UA tunnelling, as described above. The tunnel recovers quickly from network outages, and keeps all OPC servers and clients connected during that time.

Skkynet provides Cogent DataHub secure-by-design software and services to let you acquire, aggregate, monitor, control visualize, and network live process data in-plant or over insecure external networks, making it ideal for OT to IT and cloud connections.  You can isolate control networks from cyber attacks and integrate industrial data under a unified namespace, all without compromising the plant.

Cogent DataHub products wheel diagram