Server aggregation with UaGateway

Questions regarding installing, running and configuring UaGateway.

Moderator: uagateway

SnorreAH
Jr. Member
Posts: 3
Joined: 10 May 2022, 14:24

Server aggregation with UaGateway

Post by SnorreAH »

Hi,
We are planning to use UaGateway (testing v1.5.9 trial) to reach an external OPC UA server with certificate and username/password authentication. Its contents will be published by UaGateway locally for internal OPC UA clients.
The use of certificates between the external server and our clients should become simplified, as our clients only need to be authenticated by UaGateway, and not the external server (that we have no control over).
Some questions regarding this server aggregation:
  1. I noticed when connecting to a test server that the server certificate is not added to the certificate store in the administrative tool of UaGateway. Are certificates of servers that UaGateway connects to handled automatically and not configurable, as for clients connecting to UaGateway?
  2. We may aggregate multiple external servers from different partners. If the certificate of an underlying server is trusted by UaGateway, could it connect to UaGateway as a client? I suspect not since it is not visible in the certificate store, and I assume the client and server part of UaGateway is separate in this regard. However, the external certificate seems to be valid for both client and server usage.
  3. How do you configure logon to UaGateway UA endpoints with username/password? Can a client connecting to UaGateway only access some of the aggregated servers there by using username/password as part of the authentication, or will all underlying servers be available for all connected clients?
The last point would not be a deal-breaker for us, but we initially wanted to segregate what is available through UaGateway so that different users would have access to different underlying servers.

Thank you for all answers!

Support Team
Hero Member
Posts: 3056
Joined: 18 Mar 2011, 15:09

Re: Server aggregation with UaGateway

Post by Support Team »

Hi,

the aggregation of UA Servers is one of the use cases the UaGateway is made for. The UaGateway has two sides: on the south pole it is a UA client and can connect to up to 50 underlying UA servers. On the north pole the UaGateway is a UA server and can (transparently) represent all the (max 50) UA servers, each address space will show up in a separate folder under the "objects" within UaGateway's address space, to up to 50 UA Clients connected at the north end. In total the UaGateway can handle 64,000 per each underlying connection, but 100,000 max in total.

1) the UaGateway has two separate certificate stores, one for its own server side (north pole) and another one for its own client side (south pole). With the AdminTool in the Certificates tab you can see (and administrate) the server-side cert store (north pole). The client-side store has no extra administrative tool, because when you create the underlying connection the certificate of the underlying server is automatically trusted on first use (because that is what you have configured, and the configuration is already done within a configuration permission context).

2) NO, because these are separate trust stores. If the external Client wants to connect (to the north pole) of UaGateway, the certificate gets "rejected" until an administrator opens the AdminTool, goes to the Certificates tab and explicitly trusts this one Client. Even if the external certificate is valid for both client and server use, in UaGateway it will reside in two different trust stores.

3) UaGateway has no separate user list, instead it uses the Windows user store. In the AdminTool go to the UA Endpoints tab and see the 4 check boxes at the top. You enable usr/pwd only and UaGateway will verify against local users (Windows accounts) on your PC. Not nice, but better than nothing. However, the underlying UA servers are accessed with their (different) user/pwd as configured with the underlying connection. From the viewpoint of UaGateway these are just "data sources". In that sense you could see the UaGateway as single sign-on when doing the aggregation. But there is no "pass through" of user credentials: you have user credentials between client and UaGateway, and you have (other) user credentials between UaGateway and the underlying server.
Best regards
Unified Automation Support Team

SnorreAH
Jr. Member
Posts: 3
Joined: 10 May 2022, 14:24

Re: Server aggregation with UaGateway

Post by SnorreAH »

Hi again,
Thank you for the informative and quick response.

1+2) This behavior is what we hoped for and aligns well with our use case.

3) Now we understand better how the username/password logon option works. Since the server is transparent and all underlying data sources are available, we will probably not use this feature. Certificate authentication should be secure enough. Are you planning on expanding the username/password feature so that custom user lists could be generated in UaGateway itself? Or are there perhaps limitations due to older OPC standards requiring Windows users for compatibility?

Best regards!

Support Team
Hero Member
Posts: 3056
Joined: 18 Mar 2011, 15:09

Re: Server aggregation with UaGateway

Post by Support Team »

Hi,

the UaGateway (somewhat) already has a feature, called Tagfile & Cache, where you can configure (map) the underlying tags onto some self-created address space that is loaded into the UaGateway's UA Server. In this Tagfile you can again set/configure user rights for each mapped node. By this you can also "hide" underlying tags and "reduce" the visible address space. In that sense the UaGateway is not transparent anymore, but has its own address space. But again you still don't have a custom user list, which you can map on role-based tag configuration. We just attached the Windows User store because it was somewhat simple, and already has a GUI for management of users that comes with Windows. In the long term we will probably add our own user (and Role) management.

As long as you are "hardening" a system, I can see no problem, however if the underlying UA Server has "admin-only" tags and you configure the underlying connection to connect as "admin", but on the north pole of UaGateway you allow "anonymous" access, then you have "weakened" the original approach of the source server, which might be a problem. However, in most cases it will be the opposite: the underlying server has no user rights, and with the UaGateway's aggregation you "add" security to the system.
Best regards
Unified Automation Support Team
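The exposure rule the support team describes above (a privileged south-pole credential becomes reachable by whatever client the north-pole endpoint admits, and every admitted client sees every underlying connection) can be turned into a small configuration audit. The script below is an added example, not UaGateway's own tooling or configuration format: the role names, the `NorthEndpoint`/`Underlying` records and the sample configuration are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed privilege ranking for the credential UaGateway presents to an
# underlying server on the south pole. Real role names are server-specific.
PRIVILEGE = {"anonymous": 0, "operator": 1, "admin": 2}


@dataclass
class Underlying:
    """One underlying connection: the gateway logs in with a fixed credential
    of its own, so every north-pole client reaches this server with that role."""
    name: str
    south_role: str


@dataclass
class NorthEndpoint:
    """User-token options a north-pole endpoint may allow (constructed names;
    the thread mentions the check boxes, not their exact labels)."""
    allow_anonymous: bool
    allow_user_password: bool
    allow_certificate: bool

    def weakest_client(self) -> str:
        """The least-authenticated client class the endpoint will admit."""
        if self.allow_anonymous:
            return "anonymous"
        if self.allow_user_password or self.allow_certificate:
            return "authenticated"
        return "none"


def audit_aggregation(endpoint: NorthEndpoint,
                      servers: List[Underlying]) -> Dict[str, str]:
    """Compare what the weakest admitted client gets against what the source
    server would have granted it directly.

    'weakened'  - anonymous clients inherit a privileged south-pole credential
                  (the case the support team warns about)
    'hardened'  - the source server had no user rights; the gateway now demands
                  authentication in front of it
    'unchanged' - exposure neither reduced nor increased
    """
    weakest = endpoint.weakest_client()
    report: Dict[str, str] = {}
    for s in servers:
        privileged = PRIVILEGE.get(s.south_role, 0) > 0
        if weakest == "anonymous" and privileged:
            report[s.name] = "weakened"
        elif weakest == "authenticated" and not privileged:
            report[s.name] = "hardened"
        else:
            report[s.name] = "unchanged"
    return report


def exposed_servers(endpoint: NorthEndpoint,
                    servers: List[Underlying]) -> List[str]:
    """There is no per-user segregation: any admitted client sees every
    underlying connection, so the exposed set is all of them whenever the
    endpoint admits anyone at all."""
    if endpoint.weakest_client() == "none":
        return []
    return [s.name for s in servers]


if __name__ == "__main__":
    # Constructed sample: one PLC reached as admin, one historian with no user rights.
    servers = [Underlying("plc-a", "admin"), Underlying("historian-b", "anonymous")]
    for label, ep in [("anonymous allowed", NorthEndpoint(True, False, True)),
                      ("user/pwd only", NorthEndpoint(False, True, False))]:
        print(label, audit_aggregation(ep, servers), exposed_servers(ep, servers))
```

Run it against your own list of underlying connections before enabling anonymous access on the north pole; any connection reported as "weakened" is one where the gateway hands its own privileged login to clients the source server would have refused.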

SnorreAH
Jr. Member
Posts: 3
Joined: 10 May 2022, 14:24

Re: Server aggregation with UaGateway

Post by SnorreAH »

Hi again,
It has been some time, but we did elect to utilize UaGateway and are in the process of implementing it in a project.

I have a question that was asked of our networking group: Is it possible to control which source port the client side of UaGateway uses out of the Windows host to connect to underlying UA servers? Multiple firewalls will be passed in connecting to this server, and this question came up in regard to tightening the security further. We have the source and destination IP-addresses, the destination port of the server and the type of traffic that will be passed through. By looking at the traffic between UaGateway and the server we observe that the client tries to send TCP packets out of seemingly random ports until a connection gets established. Once they are connected, the source port stays static.

Perhaps the UA client of UaGateway has a set range of source ports to use?
This is not an issue if it is not controllable, or the behavior is not deterministic, but would be a nice to have feature.

Best regards!

Support Team
Hero Member
Posts: 3056
Joined: 18 Mar 2011, 15:09

Re: Server aggregation with UaGateway

Post by Support Team »

Hi,

what you describe is typical TCP/IP behavior, I can't see any issue in that. The "outgoing" firewall is typically not the issue (because it is outgoing), however the incoming port is controlled by the server-side configuration.
However, in some cases the server lives behind the wall and all incoming ports are closed. In that case you can use the "ReverseConnect" function as implemented in UaGateway, assuming that the client is capable of reverse connection establishment.

UaGateway is capable of "Reverse Connect". (see Admindialog -> UA Endpoint tab for configuration)
Best regards
Unified Automation Support Team
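The "seemingly random" source port the networking group observed is the OS-assigned ephemeral port that any TCP client gets unless the application binds one explicitly before connecting. The script below is an added illustration of that general TCP/IP behaviour, not UaGateway code, and it makes no claim that UaGateway exposes a source-port setting (the thread does not say it does). It uses a constructed loopback listener in place of the underlying UA server, shows both endpoints agreeing on the ephemeral port, and then shows what a pinned source port looks like, which is what an outbound firewall rule on a single source port would require from the client application. The `/proc` path for the Linux ephemeral range is standard; on other platforms the function returns `None`.

```python
import socket
from typing import Optional, Tuple


def make_listener() -> socket.socket:
    """Constructed stand-in for an underlying OPC UA server: a loopback TCP
    listener on an OS-assigned port (no OPC UA framing, just the handshake)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(5)
    return srv


def free_port() -> int:
    """Ask the OS for a currently unused loopback port to pin to."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_with_source_port(listener: socket.socket,
                             source_port: Optional[int] = None) -> Tuple[int, int]:
    """Open one TCP connection to the listener and report the client's source
    port as seen on both ends. With source_port=None the OS picks an ephemeral
    port (the behaviour observed in the thread). With a port given, bind()
    before connect() pins it, which a client application would have to do
    before a single-source-port outbound firewall rule could match."""
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if source_port is not None:
        cli.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        cli.bind(("127.0.0.1", source_port))
    cli.connect(listener.getsockname())
    client_view = cli.getsockname()[1]
    conn, peer = listener.accept()  # the server sees the same source port
    conn.close()
    cli.close()
    return client_view, peer[1]


def ephemeral_range() -> Optional[Tuple[int, int]]:
    """On Linux, the range an unpinned client draws its source port from; an
    outbound firewall rule has to allow this whole range. None elsewhere."""
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            lo, hi = f.read().split()
            return int(lo), int(hi)
    except OSError:
        return None


if __name__ == "__main__":
    srv = make_listener()
    print("ephemeral range:", ephemeral_range())
    print("OS-chosen source port (client view, server view):",
          connect_with_source_port(srv))
    pinned = free_port()
    print("pinned source port", pinned, "->", connect_with_source_port(srv, pinned))
    srv.close()
```

For firewall design this means the outbound rule on the client side has to match source IP, destination IP and destination port while leaving the source port open to the OS ephemeral range, unless the client application itself pins the port; the server side, as the reply above notes, is where the listening port is fixed.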
