Keep client out of our network

Questions regarding installing, running and configuring UaGateway.

tanzer
Full Member
Posts: 8
Joined: 23 Apr 2024, 14:54

Keep client out of our network

Post by tanzer »

Hello all,

First time working with OPC, so please have patience with me.
Our situation is this: we have our LAN with multiple machines, each running its own OPC server. The client needs to access these machines, but we do not want him to be connected directly to our network. So the first thing we tried was a router with NAT, where we forward any given public port to its assigned machine, but that did not work out.

Currently I am trying to run a PC with 2 network cards and UaGateway installed (demo version). If I don't get it wrong, this tool allows grouping all machines into one server, so the PC would have one network port connected to our LAN, and the other one would be available for the client to connect to. It would have its own server that forwards the information of the specified servers present in our private LAN. Is this correct?

If so, how do I configure it? I spent most of the day trying to figure it out, but without success. And once it is set up, how do I connect to the new server that shares all the machines? Is it just like tcp.opc://mypublicNetIP:port? Where do I define the properties of this given server?

Thank you very much and sorry for the noob questions, but at the time it is all very blurry for me.

Best regards

tanzer
Full Member
Posts: 8
Joined: 23 Apr 2024, 14:54

Re: Keep client out of our network

Post by tanzer »

Here is where I am now:

In the UA Endpoints tab:

- In Network Configuration I added the host IP of the PC I am running UaGateway on, with port 48050 and network adapter "all".
- In Reverse Connect URLs I added one of the machines.
- In Security I selected "None".
- In Security Check Overrides I selected "accept all certificates".

The server is started. Under OPC COM ItemIDs I can see the items of the machine.
I tried to search for the server either from localhost or from another PC in the network using UaExpert, but I am not able to find the server.
What am I missing? As far as I understand, it is the server side that is causing me trouble now. Any help is greatly appreciated.

Best regards

tanzer
Full Member
Posts: 8
Joined: 23 Apr 2024, 14:54

Re: Keep client out of our network

Post by tanzer »

The problem was that I did not select a network card. "Any" did not work for me. Selecting a specific card solved the problem.

It's working now. Thank you!

Support Team
Hero Member
Posts: 3268
Joined: 18 Mar 2011, 15:09

Re: Keep client out of our network

Post by Support Team »

Hi,

The UaGateway is one way to achieve what you are trying to do.
1) You could block out all Clients and allow only the ones you "trust" to connect.
2) You "aggregate" all the servers into one (the UaGateway) and you put this into a DMZ.

Note: the reverse connect is similar to a "reverse socks proxy", a function built into UaGateway that allows you to fully close the firewall (all inbound ports closed) but lets the Server call outside to the Client for the initial connection establishment.

Please be aware that UaGateway has 2 (two) tools for configuration. The "Administration Tool" is for administrative tasks; the "Configuration Tool" is for configuration tasks (like configuring the connection to underlying servers). Ideally you should NOT (never) use the security override functions; instead, configure the correct certificates in the trust store.

There is some documentation, a HowTo and a quickstart guide you should read, plus some simple video tutorials in the "webinar" section of our download page.
Best regards
Unified Automation Support Team

tanzer
Full Member
Posts: 8
Joined: 23 Apr 2024, 14:54

Re: Keep client out of our network

Post by tanzer »

Hello!

Thanks for your answer, I watched the videos.

Currently I am facing a problem I cannot understand. I tried the software here in house and was able to connect to a machine and share that machine over the aggregation server.

So we bought a license and installed everything on site.

I see the server and I can connect to the server. I disabled all security (for the time being, for testing purposes, to exclude security issues) and added a machine to the reverse client connection list of the UA Endpoints tab. The problem is that the server is not connecting to the clients, hence not sharing any client data.

The client is set up to accept any connection and I am able to connect without problems with UaExpert from the same PC.


Below is an extract of the log of the server.

Any help on this is greatly appreciated.

Thank you!


14:14:14.870Z|4|0358* CALL OpcUa_Endpoint_BeginConnect for URL=opc.tcp://192.168.10.63:4840
14:14:14.870Z|4|0358* [uastack] OpcUa_TcpListener_ConnectionManager_CreateConnection: Connection 032ECA98 now in use. (2 of 100)
14:14:14.870Z|4|0358* [uastack] OpcUa_TcpListener_Connection_Initialize: created 0x032ECA98->1(v1)!
14:14:14.870Z|4|0358* [uastack] OpcUa_P_ParseUrl: Parsing "opc.tcp://192.168.10.63:4840".
14:14:14.870Z|4|0358* [uastack] OpcUa_P_ParseUrl: Testing for IPv4 address or hostname.
14:14:14.870Z|4|0358* [uastack] OpcUa_P_ParseUrl: Numeric IPv4 URL pattern detected; (specific)
14:14:14.870Z|4|0358* [uastack] OpcUa_P_ParseUrl: Trying to resolve host "192.168.10.63" port "4840" to address family 2.
14:14:14.871Z|4|0358* [uastack] OpcUa_P_ParseUrl: 0: Resolved to IPv4 address family.
14:14:14.871Z|4|0358* [uastack] OpcUa_P_ParseUrl: 0: Numeric representation of resolved address is 192.168.10.63.
14:14:14.871Z|4|0358* [uastack] OpcUa_P_Socket_Delete: Closing socket 03330FD8!
14:14:14.872Z|4|0358* [uastack] OpcUa_SecureListener_OnNotify: Pending connect
14:14:14.872Z|4|0358* [uastack] OpcUa_SecureListener_ChannelManager_GetChannelBySecureChannelID: Searched SecureChannel with id 3286216294 NOT found!
14:14:14.872Z|4|0358* [uastack] OpcUa_SecureListener_ChannelManager_AddChannel: SecureChannel 03205AE0 with id 3286216293 added! 2 in list
14:14:14.872Z|4|0358* [uastack] OpcUa_Endpoint_OnSecureChannelEvent: ID 3286216293 connect pending!
14:14:14.872Z|3|0358* UaServer_EndpointCallback: SecureChannel 3286216293 pending! [status=0x0]
14:14:14.872Z|6|0358* --> UaServer::secureChannelPending
14:14:14.872Z|4|1FBC* [uastack]  * OpcUa_TcpListener_EventCallback: Socket(03331104), Port(50171), Data(02448A70), Event(OPCUA_SOCKET_CONNECT_EVENT)
14:14:14.872Z|6|0358* --> SessionManager::secureChannelPending EndpointIndex = 0, SecureChannelId = 3286216293
14:14:14.872Z|4|1FBC* [uastack] OpcUa_TcpListener_ConnectionManager_GetConnectionBySocket: Connection 032ECA98 refcount 1->2.
14:14:14.873Z|7|0358*      Reverse connection started (count=0) for URL=opc.tcp://192.168.10.63:4840
14:14:14.873Z|6|0358* <-- SessionManager::secureChannelPending
14:14:14.873Z|6|0358* <-- UaServer::secureChannelPending
14:14:14.873Z|4|0358* DONE OpcUa_Endpoint_BeginConnect [Result=0x0]
14:14:14.873Z|4|1FBC* [uastack] OpcUa_TcpListener_ConnectEventHandler: Transport connection connected from 192.168.10.63:4840 on socket 03331104!

tanzer
Full Member
Posts: 8
Joined: 23 Apr 2024, 14:54

Re: Keep client out of our network

Post by tanzer »

Here is the rest of the log (max message length reached).


14:14:14.873Z|6|0358* Object Counts:      Session        =     2
14:14:14.873Z|6|0358* Subscription =     1  Data MonitoredItem =     0   Event MonitoredItem  =     1 
14:14:14.873Z|6|0358* UaNode       =  2152  UaObject           =   180   UaVariable           =  1298 
14:14:14.873Z|6|0358* UaMethod     =   225  UaView             =     0   UaReferenceType      =    45 
14:14:14.873Z|6|0358* UaObjectType =   173  UaVariableType     =    44   UaDataType           =   187 
14:14:14.873Z|4|1FBC* [uastack] OpcUa_TcpStream_Flush: Flush no. 1 with 1 max flushes and final flag 1!
14:14:14.873Z|4|1FBC* [uastack] OpcUa_TcpStream_Flush: Messagelength is 81! Last Call!
14:14:14.874Z|4|1FBC* [uastack] OpcUa_TcpStream_Flush: Buffer emptied!
14:14:14.874Z|4|1FBC* [uastack] OpcUa_SecureListener_OnNotify: Transport Connection Opened
14:14:14.874Z|4|1FBC* [uastack] OpcUa_SecureListener_ChannelManager_GetChannelByTransportConnection: Searched SecureChannel 03205AE0 with id 3286216293 refs 0->1!
14:14:14.874Z|4|1FBC* [uastack] OpcUa_TcpListener_ConnectionManager_GetConnectionByHandle: Connection 032ECA98 refcount 2->3.
14:14:14.874Z|4|1FBC* [uastack] OpcUa_TcpListener_ConnectionManager_ReleaseConnection: Connection 032ECA98 refcount 3->2.
14:14:14.874Z|4|1FBC* [uastack] OpcUa_SecureListener_ChannelManager_ReleaseChannel: SecureChannel 03205AE0 with id 3286216293 refs 1->0!
14:14:14.874Z|4|1FBC* [uastack] OpcUa_TcpListener_ConnectionManager_ReleaseConnection: Connection 032ECA98 refcount 2->1.
14:14:14.874Z|4|1FBC* [uastack]  * OpcUa_TcpListener_EventCallback: Event Handler returned with status 0x00000000.
14:14:14.874Z|4|1FBC* [uastack]  * OpcUa_TcpListener_EventCallback: Socket(03331104), Port(50171), Data(02448A70), Event(OPCUA_SOCKET_READ_EVENT)
14:14:14.875Z|4|1FBC* [uastack] OpcUa_TcpListener_ConnectionManager_GetConnectionBySocket: Connection 032ECA98 refcount 1->2.
14:14:14.875Z|4|1FBC* [uastack] OpcUa_TcpListener_ReadEventHandler: Connection 032ECA98.
14:14:14.875Z|4|1FBC* [uastack] OpcUa_TcpStream_DataReady: Read 0 bytes.
14:14:14.875Z|4|1FBC* [uastack] OpcUa_TcpListener_ReadEventHandler: socket 03331104; status 0x80AD0000 (OpcUa_BadDisconnect)
14:14:14.875Z|4|1FBC* [uastack] OpcUa_TcpListener_ConnectionManager_GetConnectionByHandle: Connection 032ECA98 refcount 2->3.
14:14:14.875Z|4|1FBC* [uastack] OpcUa_TcpListener_CloseConnection: Connection 00010001 (032ECA98) is being closed with status 0x00000000
14:14:14.875Z|4|1FBC* [uastack] OpcUa_TcpListener_CloseConnection: Closing socket 03331104.
14:14:14.875Z|4|1FBC* [uastack] OpcUa_P_Socket_Shutdown: Shutting down socket 03331104 (raw 00000ED8)!
14:14:14.875Z|4|1FBC* [uastack] OpcUa_P_Socket_Shutdown: Socket 03331104 (raw: 00000ED8) closed asynchronously
14:14:14.875Z|4|1FBC* [uastack] OpcUa_TcpListener_CloseConnection: socket closes asynchronously.
14:14:14.875Z|4|1FBC* [uastack] OpcUa_TcpListener_ConnectionManager_ReleaseConnection: Connection 032ECA98 refcount 3->2.
14:14:14.875Z|4|1FBC* [uastack] OpcUa_TcpListener_ConnectionManager_ReleaseConnection: Connection 032ECA98 refcount 2->1.
14:14:14.876Z|4|1FBC* [uastack]  * OpcUa_TcpListener_EventCallback: Event Handler returned with status 0x80AD0000.
14:14:14.876Z|4|1FBC* [uastack] OpcUa_P_Socket_FillFdSet: Socket 03331104 is shut down
14:14:14.876Z|4|1FBC* [uastack] OpcUa_Socket_HandleEvent: Socket shut down; ignoring read event (2)
14:14:14.876Z|4|1FBC* [uastack]  * OpcUa_TcpListener_EventCallback: Socket(03331104), Port(50171), Data(02448A70), Event(OPCUA_SOCKET_CLOSE_EVENT)

tanzer
Full Member
Posts: 8
Joined: 23 Apr 2024, 14:54

Re: Keep client out of our network

Post by tanzer »

Here is the rest of the log (max message length reached).


14:14:14.876Z|4|1FBC* [uastack] OpcUa_TcpListener_ConnectionManager_GetConnectionBySocket: Connection 032ECA98 refcount 1->2.
14:14:14.876Z|4|1FBC* [uastack] OpcUa_TcpListener_CloseEventHandler: Deleting connection 032ECA98
14:14:14.876Z|4|1FBC* [uastack] OpcUa_TcpListener_ConnectionManager_ReleaseConnection: Connection 032ECA98 refcount 2->1.
14:14:14.876Z|4|1FBC* [uastack] OpcUa_TcpListener_ConnectionManager_GetConnectionByHandle: Connection 032ECA98 refcount 1->2.
14:14:14.876Z|4|1FBC* [uastack] OpcUa_TcpListener_ProcessDisconnect: Connection 032ECA98 reported as lost!
14:14:14.876Z|4|1FBC* [uastack] OpcUa_SecureListener_OnNotify: Transport Connection 00010001 closed
14:14:14.876Z|4|1FBC* [uastack] OpcUa_SecureListener_ChannelManager_GetChannelByTransportConnection: Searched SecureChannel 03205AE0 with id 3286216293 refs 0->1!
14:14:14.876Z|4|1FBC* [uastack] OpcUa_SecureListener_OnNotify: Transport Connection 00010001 lost for SecureChannel 3286216293
14:14:14.876Z|4|1FBC* [uastack] OpcUa_SecureListener_ChannelManager_ReleaseChannel: SecureChannel 03205AE0 with id 3286216293 refs 1->0!
14:14:14.877Z|4|1FBC* [uastack] OpcUa_Endpoint_OnSecureChannelEvent: ID 3286216293 lost transport connection!
14:14:14.877Z|6|1FBC* --> UaServer::secureChannelTransportClosed
14:14:14.877Z|6|1FBC* --> SessionManager::secureChannelTransportClosed SecureChannelId = -1008751003
14:14:14.877Z|7|1FBC*      Reverse connection failed (count=0) for URL=opc.tcp://192.168.10.63:4840
14:14:14.877Z|7|1FBC*      Add reverse connection to pending
14:14:14.877Z|4|1FBC* CALL OpcUa_Endpoint_CloseSecureChannel

Support Team
Hero Member
Posts: 3268
Joined: 18 Mar 2011, 15:09

Re: Keep client out of our network

Post by Support Team »

Hi,

Just for understanding:
UaGateway (south port) is connected to some underlying server (aggregation), showing "connected" in the ConfigTool.
UaGateway itself (north port) is running on 192.168.10.2 and listening on 4850 (being a UA Server).
UaGateway "ReverseConnect" is trying to reach a UA Client running on 192.168.10.63 and listening on 4840.

This UA Client (e.g. UaExpert) on 192.168.10.63 was configured to open a listening endpoint on 4840 for ReverseConnect, and is up and running. Now you start the UaGateway and in the background the UaGateway starts (periodically) trying to "reverse" connect to this client (sending a reverse hello message, building up the TCP connection), and thereafter the UA Client uses this connection to continue connection establishment (as if it was initiated forward).

All security settings should remain "default" (certificates must be trusted on both sides), because only the very initial TCP connection will be built up "reverse"; thereafter everything is the same as always. By this you can "close the firewall" on 192.168.10.2, because UaGateway will call "outbound" to 192.168.10.63.
Best regards
Unified Automation Support Team
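
An added example (not from this thread and not Unified Automation's code) of the reverse connect opening described above: the OPC UA TCP ReverseHello ("RHE") message the server side sends after its outbound TCP connect, and the client-side check that decides whether to continue the handshake or close the socket. The ServerUri is a constructed placeholder; the endpoint address 192.168.10.2:4850 is the UaGateway address given in this thread.

```python
import struct

# OPC UA TCP framing (Part 6): 3-byte type, 1-byte chunk type "F" (final),
# UInt32 LE size incl. the 8-byte header; strings are Int32 length + UTF-8.

def _encode_string(s):
    if s is None:
        return struct.pack("<i", -1)
    data = s.encode("utf-8")
    return struct.pack("<i", len(data)) + data

def _decode_string(buf, off):
    (length,) = struct.unpack_from("<i", buf, off)
    off += 4
    if length == -1:
        return None, off
    if length < 0 or off + length > len(buf):
        raise ValueError("string length exceeds message")
    return buf[off:off + length].decode("utf-8"), off + length

def build_reverse_hello(server_uri, endpoint_url):
    # Server side (UaGateway role): sent right after the outbound TCP connect
    # to the client's listening endpoint (192.168.10.63:4840 in the thread).
    body = _encode_string(server_uri) + _encode_string(endpoint_url)
    return b"RHE" + b"F" + struct.pack("<I", 8 + len(body)) + body

def parse_reverse_hello(msg):
    # Client side: validate framing, return (ServerUri, EndpointUrl).
    if len(msg) < 8 or msg[:3] != b"RHE" or msg[3:4] != b"F":
        raise ValueError("not a final ReverseHello chunk")
    (size,) = struct.unpack_from("<I", msg, 4)
    if size != len(msg):
        raise ValueError("MessageSize does not match received bytes")
    server_uri, off = _decode_string(msg, 8)
    endpoint_url, off = _decode_string(msg, off)
    if off != size:
        raise ValueError("trailing bytes after EndpointUrl")
    return server_uri, endpoint_url

def client_accepts(msg, trusted_server_uris):
    # Client decision: only an expected ServerUri continues the handshake (the
    # client then sends its normal Hello on this same TCP connection); any other
    # server gets the socket closed, seen server-side as connect + BadDisconnect.
    try:
        server_uri, endpoint_url = parse_reverse_hello(msg)
    except (ValueError, struct.error):
        return None
    if server_uri not in trusted_server_uris or endpoint_url is None:
        return None
    return endpoint_url
```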

tanzer
Full Member
Posts: 8
Joined: 23 Apr 2024, 14:54

Re: Keep client out of our network

Post by tanzer »

Hello!

Thanks for your Reply!

My ultimate goal would be this:
The network will not be connected to the internet, as it is a closed machine network. All machines are old and do not support certificates (coded in TC2; they simply accept everything).
The client also has a small device (unknown brand and make) that according to them also does not work if security is enabled. For these reasons we agreed on a closed no-internet network with no security.

There is a PC that has 4 LAN ports.

The first port is in the 192.168.10.X range and has all our machines connected to it.
The second port is in any range defined by the client (not yet defined, but for the example we can say 192.168.50.X).
The third port is the current internet connection for the PC hosting the aggregation server.
The fourth port is unused.

What I would need to do is to collect all the machines from the 192.168.10.x range and present them to the client on the 192.168.50.x port.
(In the sample screenshot above, I used the same network card for both things as a test.)

The part that is not working yet, is the reverse connection. I tried it in house and it worked, but cannot figure out why it is not working remotely. The Server just is not connecting to the machines.

Thank you

tanzer
Full Member
Posts: 8
Joined: 23 Apr 2024, 14:54

Re: Keep client out of our network

Post by tanzer »

Never mind, got it sorted now. Finally working as needed.

Thank you!

Support Team
Hero Member
Posts: 3268
Joined: 18 Mar 2011, 15:09

Re: Keep client out of our network

Post by Support Team »

Hi,

Good that you got it working!

The (south bound) underlying connections to your UA servers in an isolated network (without any security) are completely independent from the north bound (where UaGateway presents the aggregated data to others).

With the AdminDialog (UA Endpoints tab) you configure just the (north bound) UaGateway's UA Server. By selecting a dedicated IP 192.168.10.2 and listening port 4850, you force the UaGateway to be reachable on exactly this one (out of the four) IPs you have (but not on any other IP). The UaGateway becomes a "security gateway" in this case, hence the security settings (on the north bound) should be enforced (do NOT "accept all client certificates", nor tick any other checkbox), and switch off the "None" policy. Your insecure underlying servers are now aggregated within the UaGateway and protected by the UA security of the UaGateway. You can fully block all inbound ports with your firewall (DMZ).

However, the ReverseConnect must be supported on both sides (the UA Client must open an endpoint, and the UA Server must be able to reverse). UaGateway has this feature built in, and UaExpert has this feature built in. But if your client does not even support security, I doubt that it will be enabled for reverse connections (must check with the manufacturer of the client-side software).
Best regards
Unified Automation Support Team
