Endpoints
The TwinCAT OPC UA Server makes various endpoints available for OPC UA Clients via the default port 4840/tcp. The endpoints define the connection type between client and server and whether it should be secured or unsecured.
Standard port: Note that the standard port 4840 may be used by other OPC UA servers, such as the Local Discovery Server (LDS) from the OPC Foundation, which is used by some vendors with OPC UA software packages.
Relationship of trust: Note that in order to use the secure endpoints, a trust relationship must be established between server and client, which is usually done via their certificates. The configuration of such a trust relationship on the server side is explained here.
Deprecated endpoints: Please note that the security profiles currently available in the endpoints may be classified as potentially insecure over time and will be replaced by newer ones. In this case, an update of the TwinCAT OPC UA Server is recommended. A configuration switch (<AllowDeprecatedSecurityPolicies>) can be used to reactivate security policies that are deprecated and classified as insecure.
List of endpoints
The following list summarizes the endpoints of the TwinCAT OPC UA Server. This includes endpoints that have already been discontinued. By default, the TwinCAT OPC UA Server only offers endpoints that are currently considered secure. Since setup version 4.3.28, the unencrypted endpoint has also been disabled by default for security and certification reasons.
Security profile | Security mode | Short description |
---|---|---|
None | None | No encryption or signing of messages is carried out at this endpoint. Authentication, on the other hand, is possible. |
Basic128Rsa15 (deprecated) | Sign, Sign & Encrypt | This endpoint has been classified as deprecated from a security perspective and is disabled by default. If necessary, the endpoint can be enabled again. |
Basic256 (deprecated) | Sign, Sign & Encrypt | This endpoint has been classified as deprecated from a security perspective and is disabled by default. If necessary, the endpoint can be enabled again. |
Basic256Sha256 | Sign, Sign & Encrypt | Endpoint currently present in the server for secure signing and encryption. Additional authentication is possible. |
Aes256_Sha256_RsaPss | Sign, Sign & Encrypt | Endpoint currently present in the server for secure signing and encryption. Additional authentication is possible. |
Aes256_Sha256_RsaOaep | Sign, Sign & Encrypt | Endpoint currently present in the server for secure signing and encryption. Additional authentication is possible. |
All endpoints in the list can be enabled or disabled via the server configuration. In the following figure, all endpoints are enabled.
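Added example, not part of the Beckhoff documentation: a small audit that checks the endpoints a server advertises against the table above and reports any that deviate from the default (the None endpoint enabled, a deprecated profile re-enabled, or a profile not in the list). The input shape (dicts with `url`, `policy`, `mode`), the host `plc.example` and the sample data are assumptions constructed for illustration; profile names are taken from the table and matched against the part after `#` in the security policy URI.

```python
# Added example: classify advertised endpoints against the table on this page.
# Profile names come from the page's table; the sample data is constructed.
CURRENT = {"Basic256Sha256", "Aes256_Sha256_RsaPss", "Aes256_Sha256_RsaOaep"}
DEPRECATED = {"Basic128Rsa15", "Basic256"}
SIGNED_MODES = {"Sign", "SignAndEncrypt"}


def policy_name(policy_uri):
    """Return the profile name, i.e. the part after '#' in the policy URI."""
    return policy_uri.rsplit("#", 1)[-1]


def audit_endpoint(ep):
    """Return (severity, reason) for one endpoint description."""
    name, mode = policy_name(ep["policy"]), ep["mode"]
    if name == "None" or mode == "None":
        if name == "None" and mode == "None":
            return "high", "unencrypted, unsigned endpoint is enabled"
        return "high", "policy/mode mismatch involving None"
    if mode not in SIGNED_MODES:
        return "review", f"unrecognised security mode {mode!r}"
    if name in DEPRECATED:
        return "high", f"deprecated profile {name} has been re-enabled"
    if name in CURRENT:
        return "ok", f"{name} with {mode}"
    return "review", f"profile {name!r} is not in the documented list"


def audit(endpoints):
    """Return the non-ok findings as (url, mode, severity, reason)."""
    findings = []
    for ep in endpoints:
        severity, reason = audit_endpoint(ep)
        if severity != "ok":
            findings.append((ep["url"], ep["mode"], severity, reason))
    return findings


# Constructed sample: what a server with relaxed settings might advertise.
BASE = "http://opcfoundation.org/UA/SecurityPolicy#"
URL = "opc.tcp://plc.example:4840"  # hypothetical host, default port from the page
SAMPLE = [
    {"url": URL, "policy": BASE + "None", "mode": "None"},
    {"url": URL, "policy": BASE + "Basic128Rsa15", "mode": "Sign"},
    {"url": URL, "policy": BASE + "Basic256Sha256", "mode": "SignAndEncrypt"},
    {"url": URL, "policy": BASE + "Basic256Sha256", "mode": "None"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

On a server left at its defaults, as described above for setup version 4.3.28 and later, the audit returns no findings.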