Reverse Connect

Available from firmware version 2022.9

What problem should be solved

In some automation applications the PLCnext device is connected to the internet. In this case, a basic security requirement is to reduce the open ports to prevent attacks from the internet.

The Reverse Connect feature solves this for OPC UA by reversing the connection establishment: The server connects to the client.

When this is set up, the port (usually 4840) of the OPC UA server can be blocked by the firewall of the PLCnext device or by a dedicated firewall that connects the PLCnext device to the internet.

How does it work

For Reverse Connect an OPC UA client needs to listen on a TCP port for connections from one or more OPC UA servers.

An OPC UA server, on the other side, continuously tries to establish a communication channel to a list of known OPC UA clients, each identified by a URL consisting of an IP address and port.

Over such a channel the client creates a session using the same services as in the normal case. Once the session is established, it can be used exactly as if it had been established from client to server.

Since the server keeps retrying and the client keeps listening, the order in which client and server are started does not matter.
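As an added illustration (not code from the PLCnext documentation or firmware), the following Python script plays the listening side of a Reverse Connect channel: it decodes the ReverseHello ("RHE") message that an OPC UA server sends first after opening the TCP connection, which tells the client which server is calling and which endpoint it offers. The server URI, endpoint URL and listening port 4844 are constructed sample values; only the Python standard library is used.

```python
import socket
import struct

def _encode_string(s: str) -> bytes:
    # OPC UA String: Int32 byte length followed by the UTF-8 bytes
    raw = s.encode("utf-8")
    return struct.pack("<i", len(raw)) + raw

def _decode_string(buf: bytes, pos: int):
    (length,) = struct.unpack_from("<i", buf, pos)
    pos += 4
    if length < 0:  # -1 encodes a null string
        return None, pos
    return buf[pos:pos + length].decode("utf-8"), pos + length

def encode_reverse_hello(server_uri: str, endpoint_url: str) -> bytes:
    # Build an RHE message as a server would (used here only to construct a sample)
    body = _encode_string(server_uri) + _encode_string(endpoint_url)
    # Header: MessageType "RHE", ChunkType "F", MessageSize (UInt32, header included)
    return b"RHE" + b"F" + struct.pack("<I", 8 + len(body)) + body

def parse_reverse_hello(data: bytes) -> dict:
    # Return ServerUri and EndpointUrl from an RHE message; raise on anything else
    if len(data) < 8 or data[:4] != b"RHEF":
        raise ValueError("not a ReverseHello message")
    (size,) = struct.unpack_from("<I", data, 4)
    if size > len(data):
        raise ValueError("truncated ReverseHello: %d of %d bytes" % (len(data), size))
    server_uri, pos = _decode_string(data, 8)
    endpoint_url, _ = _decode_string(data, pos)
    return {"ServerUri": server_uri, "EndpointUrl": endpoint_url}

def wait_for_server(host: str = "0.0.0.0", port: int = 4844, timeout: float = 30.0) -> dict:
    # Listen as a Reverse Connect client and decode the first message the server sends.
    # Confirms that the PLCnext server actually reaches the PC on the chosen port.
    with socket.create_server((host, port)) as srv:
        srv.settimeout(timeout)
        conn, peer = srv.accept()
        with conn, conn.makefile("rb") as f:
            header = f.read(8)
            if len(header) < 8:
                raise ValueError("peer closed the connection before sending a header")
            (size,) = struct.unpack_from("<I", header, 4)
            info = parse_reverse_hello(header + f.read(max(size - 8, 0)))
            info["Peer"] = peer[0]  # address the server connected from
            return info

# Constructed sample message (hypothetical server URI and device address, not a real device)
SAMPLE_RHE = encode_reverse_hello("urn:plcnext:opcua", "opc.tcp://192.168.1.10:4840")
```

Calling `wait_for_server()` on the PC while the PLCnext server is running shows whether the device reaches the listening port, which separates firewall problems from configuration mistakes in the Reverse Connect URL.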

Configuration of the PLCnext device

In PLCnext Engineer a list of Reverse Connect URLs can be specified.

The URL is specified in the following form:

opc.tcp://<address>:<port>

<address> is the IP address or host name of the client and <port> is the port on which the client waits for the connection.
Ensure that the port is not used by other applications on the PC (port 4840 might already be used by other OPC UA servers or by an LDS running on the PC).

Firewall configuration

Controller

The firewall can be activated via the WBM of the controller and be configured to block all ports that are not used (see WBM - Firewall configuration).

PC

When testing this with a PC, these connections are often blocked by the PC's firewall. If this is the case, the port used needs to be opened in the firewall configuration.

Example walkthrough with UA Expert

  1. Configure a reverse discovery in UA Expert
    1. Press + to add a new connection.
      [Image: ReverseConnect-Plus.png]
    2. Double click on Reverse Discovery.
    3. Enter the URL that the client should listen on.
      [Image: ReverseConnect-UAExpert-Discovery.png]

Note: In the screenshot above the address is set to localhost so that the client listens on all Ethernet interfaces, and the port is set to 4844, since 4840 may already be in use, e.g. by a local LDS server on the PC.

With this configuration UA Expert is already waiting for incoming server connections.

  2. Configure the eUAServer using PLCnext Engineer
    1. Open a project in PLCnext Engineer and select the editor for the OPC UA configuration.
    2. Enter the URL of the UA Expert as Reverse Discovery URL (in this case the IP address of the PC and the port chosen in UA Expert).
    3. Check that the correct IP address of the device is entered in the DNS name / IP address input field.
      [Image: ReverseConnect-DNS_IP.png]
    4. Transfer the changed project to the device and start the execution.

  3. Get connected

If everything is configured correctly, the OPC UA server of the PLCnext firmware should already have connected to UA Expert. This is indicated by the small chevron on the reverse discovery entry.

[Image: ReverseConnect-UAExpert-Chevron.png]

Now an endpoint can be selected and a connection can be established, similar to the client initiated procedure:
[Image: ReverseConnect-UAExpert-SelectEndpoint.png]
[Image: ReverseConnect-UAExpert-Connected.png]

Note: If the connection is not established, a common reason is the firewall of the PC. Find Windows Defender Firewall and disable it.
[Image: ReverseConnect-Firewall.png]

Another common reason for connection issues is a port conflict on the PC. Choosing a different port might fix the problem.

The identity of the OPC UA server also needs to be correct. Check that the OPC UA configuration of the PLCnext Engineer project contains the correct IP address of the device. Alternatively, if a DNS service is available to resolve DNS names, the host name of the device can be used.


  4. Enable the firewall of the PLCnext device
    1. If everything works as expected, enable the PLCnext firewall via the WBM of your controller (see WBM - Firewall configuration). After that the normal connect should no longer work; Reverse Connect, however, should still be possible.
      [Image: ReverseConnect-PLCnextx-Firewall.png]

Published/reviewed: 2022-11-25 • Revision 048