Reverse Connect

The TwinCAT OPC UA Server supports the ReverseConnect function of OPC UA, which establishes the communication connection in the reverse direction, from the server to the client. To activate this function, a list of client addresses must be stored in the server; the server then establishes an OPC UA TCP connection to each client in the list. This type of connection setup is typically used when an OPC UA client needs to reach servers that are located behind a firewall or NAT device. The following figure illustrates this relationship.

Reverse Connect 1:

In this example, an OPC UA client needs to connect to two servers, each of which is behind a firewall. The firewall blocks all incoming communication traffic and does not open any ports in the internal network. The client is configured for ReverseConnect and opens its own network port under the client endpoint URL opc.tcp://172.17.1.1:48061. Each of the subordinate servers has also been set up for ReverseConnect and has entered this client endpoint URL as its ReverseConnect URL. The server opens and maintains a TCP connection to the client using this URL, and the actual OPC UA client communication with the server is tunneled through this TCP connection. From the firewall's point of view this is "outgoing" communication, because the TCP connection was initiated from the inside. Only the outgoing communication port (48061 in this example) needs to be enabled in the firewall.

Reverse Connect 2:

Client compatibility

Please note that the OPC UA client must also support this function and must be reachable by the server under its Client Endpoint URL.

Configuration in the server

A list of OPC UA clients can be configured in TcUaServerConfig.xml within the <UaEndpoint> element. The Client Endpoint URL under which the respective client can be reached is entered here.

<ReverseConnect>
  <Url>opc.tcp://172.17.1.1:48061</Url>
</ReverseConnect>

Configuration in the OPC UA Client

The following screenshot shows an example of the configuration of a ReverseConnect connection in the OPC UA client software "UA Expert" from Unified Automation. ReverseConnect is enabled in the connection settings, and the client endpoint URL under which the client can be reached by the server is entered. In the EndpointURL field, the Server Endpoint URL is entered which the client should use as soon as a ReverseConnect TCP connection has been established by the server. Referring to the figure above, opc.tcp://CX-12345:4840 or opc.tcp://CX-98765:4840 would be entered here, for example. The Security Settings, Message Security Mode and authentication parameters then also apply to this connection.

Please note that you may still need to import the server certificate. This is the server's certificate, containing its public key, which is stored in the corresponding application directory.

Reverse Connect 3:

Communication history

The following Wireshark trace shows an example of a connection setup based on ReverseConnect. The only difference from the figure above is that the client used in this recording was configured with the Client Endpoint URL opc.tcp://172.30.3.86:48061. The server is located behind a NAT device, which has the IP address 178.200.200.59.

Reverse Connect 4:

When the TCP connection is established from the server to the client, a "Reverse Hello" message is sent. In this message, the server informs the client under which Server Endpoint URL it can be reached. This is the same Server Endpoint URL that you configured in the client (see above). The client uses this Server Endpoint URL for the subsequent connection to the server.
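As an added example (not code from the Beckhoff documentation or the TwinCAT product), the following Python encodes and decodes the OPC UA TCP ReverseHello message described above and applies the client-side check that the advertised Server Endpoint URL is one that was actually configured in the client, as UA Expert's EndpointURL field requires. Per OPC UA Part 6 the message carries a ServerUri in addition to the EndpointUrl; the server URI and endpoint values used here are constructed.

```python
import struct

# Constructed: the Server Endpoint URLs a client operator has configured
# (the figure's CX-12345 / CX-98765 examples). Anything else is rejected.
CONFIGURED_SERVER_ENDPOINTS = {"opc.tcp://CX-12345:4840", "opc.tcp://CX-98765:4840"}


def _ua_string(value):
    """Encode an OPC UA String: Int32 byte length (LE) + UTF-8 bytes, -1 for null."""
    if value is None:
        return struct.pack("<i", -1)
    data = value.encode("utf-8")
    return struct.pack("<i", len(data)) + data


def encode_reverse_hello(server_uri, endpoint_url):
    """Build a ReverseHello: 'RHE' + chunk type 'F' + UInt32 MessageSize + ServerUri + EndpointUrl."""
    body = _ua_string(server_uri) + _ua_string(endpoint_url)
    return b"RHE" + b"F" + struct.pack("<I", 8 + len(body)) + body


def _read_ua_string(buf, off):
    """Decode one OPC UA String at offset, bounds-checked against the message."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (length,) = struct.unpack_from("<i", buf, off)
    off += 4
    if length < 0:
        return None, off
    if off + length > len(buf):
        raise ValueError("string length exceeds message")
    return buf[off:off + length].decode("utf-8"), off + length


def decode_reverse_hello(msg):
    """Validate header and size, return (ServerUri, EndpointUrl) or raise ValueError."""
    if len(msg) < 8 or msg[:3] != b"RHE" or msg[3:4] != b"F":
        raise ValueError("not a ReverseHello message")
    (size,) = struct.unpack_from("<I", msg, 4)
    if size != len(msg):
        raise ValueError("MessageSize does not match received bytes")
    server_uri, off = _read_ua_string(msg, 8)
    endpoint_url, off = _read_ua_string(msg, off)
    if off != len(msg):
        raise ValueError("trailing bytes after EndpointUrl")
    return server_uri, endpoint_url


def accept_reverse_connection(msg, allowed=CONFIGURED_SERVER_ENDPOINTS):
    """Client policy: only continue with Hello/OpenSecureChannel if the advertised
    EndpointUrl is one the operator configured; certificate checks still follow."""
    _, endpoint_url = decode_reverse_hello(msg)
    return endpoint_url in allowed
```

An inbound TCP connection on the client endpoint port proves nothing about who connected; the EndpointUrl check and the subsequent server certificate validation are what bind the tunnel to an expected server.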