OPC UA Connector

The OPC UA connector enables the MetaDefender Security Gateway (USG/BSG) (hereinafter Security Gateway) to retrieve OPC UA data from a customer-owned OPC UA server in the BLUE zone, transfer the data across the Security Gateway, and replicate the data to customer-owned clients in the RED zone. The OPC UA Connector resides on the Security Gateway BLUE and RED nodes.

On Security Gateway BLUE, the OPC UA Connector acts as a client. It extracts data from a customer-owned OPC UA server in the BLUE zone and transfers that information to the Security Gateway RED. On Security Gateway RED, the OPC UA Connector acts as a server. It receives information from the Security Gateway BLUE and makes the information available to customer-owned OPC UA clients in the RED zone. The OPC UA connector supports connecting to up to 5 OPC UA servers simultaneously, in a 1:1 relationship.

OPC UA Connector on MetaDefender Security Gateway BLUE

A security dongle should be inserted in order to perform any configuration change.

This procedure configures MetaDefender Security Gateway BLUE to communicate with the customer’s OPC UA server in the BLUE zone.

Initial Configuration

In the OPC UA section, click Edit and fill in the following fields:

  1. UA Server IP: Type the IP address of the customer’s OPC UA server in the UA Server IP box.
  2. Port: Type the port number of the customer’s OPC UA server in the Port Number box.
  3. Click the Browse button. MetaDefender Security Gateway BLUE connects to the OPC UA server and displays the security mode and policy supported by that server in the boxes below.
  4. Select a security mode. The value populates the Security Mode box and, if applicable, the Security Policy box.
  5. Type a value in the Statistics Rate box to generate OPC UA statistics. This value determines how often statistics are output to the Events log. If you type 0, statistics will not be generated.
  6. Type a value in the Publish Rate box to determine the rate (in milliseconds) at which the OPC UA client on MetaDefender Security Gateway BLUE can receive data from the customer-owned OPC UA server in the BLUE zone. A value of 0 means the client can receive data at the maximum rate configured on the OPC UA server. The default value is 1000.
  7. Authentication Mode: Select Anonymous to allow all users. Select Username to allow a specific user. If you select Username, the Username and Password fields are enabled. Type the username and associated password you want to allow.
  8. If you want to replicate data from only certain nodes on the OPC UA server in the BLUE zone, type one or more node names in the Root Node Filter box. Data will be retrieved from each typed node, and all of their child nodes, for replication in the RED zone. If you leave the box blank (default), OPC UA data is retrieved from all nodes on the server.
  9. If you want to track data transfer on an individual node, type the name of the node in the Trace Node box. This field is not mandatory and can be empty.
  • All filter values are case-insensitive.
  • You can type multiple node names in the Root Node Filter box.
  • You can type only one node name in the Trace Node box.
  • Separate multiple node names with a semi-colon.
  • Changing filter information restarts MetaDefender Security Gateway BLUE. This process takes about one minute.
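The Root Node Filter and Trace Node rules above can be previewed before submitting a change that restarts the gateway. The following is an added example, not OPSWAT code: it models those rules on a constructed address space to show which nodes a filter string would send to the RED zone. The function names, the sample tree, exact-name matching and the trimming of spaces around semi-colons are assumptions.

```python
# Added example: models the Root Node Filter rules from this page.
# Exact (case-insensitive) name matching and whitespace trimming are assumptions.

# Constructed sample address space: node name -> list of child node names.
SAMPLE_TREE = {
    "Objects": ["Plant", "Server"],
    "Plant": ["Boiler1", "Turbine"],
    "Boiler1": ["Temperature", "Pressure"],
    "Turbine": ["Speed"],
    "Server": ["ServerStatus"],
    "Temperature": [], "Pressure": [], "Speed": [], "ServerStatus": [],
}


def parse_root_node_filter(text):
    """Split the Root Node Filter box on semi-colons; fold case; drop blanks."""
    return [name.strip().casefold() for name in text.split(";") if name.strip()]


def validate_trace_node(text):
    """The Trace Node box is optional but accepts only one node name."""
    if ";" in text:
        raise ValueError("Trace Node accepts a single node name")
    return text.strip().casefold() or None


def replicated_nodes(tree, root, filter_text):
    """Return the set of node names whose data would cross to the RED zone."""
    wanted = parse_root_node_filter(filter_text)
    selected = set()

    def walk(node, inside):
        # Included if the filter is blank, the node matches, or a parent matched.
        inside = inside or not wanted or node.casefold() in wanted
        if inside:
            selected.add(node)
        for child in tree.get(node, []):
            walk(child, inside)

    walk(root, False)
    return selected


def unmatched_entries(tree, filter_text):
    """Filter entries that match no node name: likely typos in the box."""
    names = {n.casefold() for n in tree}
    return [w for w in parse_root_node_filter(filter_text) if w not in names]
```

Comparing `replicated_nodes` for a blank filter against a specific one shows how much additional data the default setting exposes to the RED zone.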

As an example of the Publish Rate setting: if a tag on the OPC UA server changes 10 times/second (every 100 ms) and the Publish Rate is 1000 ms, the client receives one value/second. If the Publish Rate is 50 ms, the client could receive 20 values/second. However, since the tag only changes 10 times/second, the client receives 10 values/second.

Click the Submit button to send the changes. After you click Submit, if all connections are correct, the boxes in the OPC UA Status area should populate after about one minute and the certificate will be available to download.

Trusted Certificates

You must install trusted certificates on both the OPC UA client on MetaDefender Security Gateway BLUE and on the OPC UA server in the BLUE zone. Refer to Pages 27 and 28 of the OPC Unified Architecture document, authored by the OPC Foundation, for information on management and transfer of certificate information between the OPC UA server and OPC UA client.

The BLUE Client Certificate is generated by OPSWAT and located on MetaDefender Security Gateway BLUE. You must place this certificate on the OPC UA server. Click the Export button to locate the certificate on MetaDefender Security Gateway BLUE and save it to your desktop. Then, transfer the certificate to the OPC UA server.

You must generate the UA Server Certificate and place it on MetaDefender Security Gateway BLUE. After generating the certificate and saving it to your desktop, click the Import button to locate the certificate and place it on MetaDefender Security Gateway BLUE.

Click to enable the Allow Untrusted Server Certificates checkbox if you want to allow untrusted certificates on the OPC UA server. The default is disabled.

Configure Multiple OPC UA Servers BLUE

On BLUE, navigate to the OPC UA menu item under the Connectors menu, then select Add Configuration from the Action menu.

Repeat the steps outlined in the Initial BLUE Configuration section above to add additional OPC UA servers.

A maximum of 5 OPC UA servers can be configured on rack mount server form factors.

Refresh Tags

When tag names are changed on the customer-owned OPC UA server on the BLUE side, the tags need to be refreshed so that the OPC UA BLUE client can collect data for the changed tags. Click the Refresh Tags button to clear the cache, allowing the correct transfer of tag information.

OPC UA Connector on MetaDefender Security Gateway RED

A security dongle should be inserted in order to perform any configuration change.

This section describes configuration of the Optical Diode OPC UA RED server to transfer OPC UA data to the customer-owned OPC UA client(s) in the RED zone.

Initial configuration

Navigate to the OPC UA section under the Connectors menu. From the Action menu on the right-hand side, select Add Configuration.

Fill in the following fields:

  1. Channel Number: Assign a Channel Number for the configured data flow. Note that the OPC UA channel number must be the same on BLUE and RED.
  2. Name: Assign a friendly name (not mandatory).
  3. IP Address: Use the IP Address dropdown to choose which IP address the OPC UA server will listen on, on the RED side, or select ANY to allow connections on any interface/IP.
  4. Server Port: Type the Optical Diode RED port number in the Port box. The customer-owned OPC UA clients will connect to this node.
  5. Statistics Rate: Type a value in the Statistics Rate box if you want to generate OPC UA statistics. If you type 0, statistics will not be generated.
  6. Trace Node: If you want to trace data generated from an individual node, type the name of a node on the OPC UA server in the BLUE zone in the Trace Node box. This field is not mandatory and can be empty.
  7. Preserve Node ID Structure: Click the Preserve Node ID Structure checkbox if you want to preserve the Node ID structure for each tag on the customer-owned OPC UA server in the BLUE zone. If you do not click this checkbox, the OPC UA server on the Optical Diode RED will create its own Node ID references for each tag.

Trusted certificate

You must install a trusted certificate on the MetaDefender Security Gateway RED OPC UA server. Generate the certificate on your OPC UA client and transfer it to your desktop.

Click the Import button to locate the certificate on your desktop and transfer it to MetaDefender Security Gateway RED.

Configure Multiple OPC UA Servers RED

  1. On Optical Diode RED, navigate to the OPC UA menu item under the Connectors menu.
  2. Select Add Configuration from the Action menu.
  3. Repeat the steps outlined in the Initial RED Configuration section above to add additional OPC UA servers.

A maximum of 5 OPC UA servers can be configured on rack mount server form factors.
