Given these 2 installations:
A machine with 3 OPC UA servers.
A machine with 3 OPC UA servers and a LDS.
What is the difference in functionality? In particular, I would like to know:
Is the installation of a LDS mandatory?
What is the practical difference between discovering a server, then connecting to it, and directly connecting to the endpoint of the server without discovery?
What does installing an LDS enable to do?
(All this, with proper OPC UA specification references where applicable, please)
Is the installation of a LDS mandatory?
No, the installation of an LDS is purely optional. Especially on small / embedded devices you might not even be able to install anything else than the OPC UA server.
What is the practical difference between discovering a server, then connecting to it, and directly connecting to the endpoint of the server without discovery?
With the LDS running on a standarized port (4840) it is possible to discover all servers on the computer without knowing their endpoint URLs. Without an
LDS there is no way to connect to a server without knowing the URL.
As already commented, having the LDS makes discovery (very) slightly slower, as a connection to both LDS and server has to be established.
If only one server is running on the computer one might want to set the port of this server to 4840, so clients discovering on the computer find the server without needing to know a custom port.
What does installing an LDS enable to do?
It simply allows to discover all servers running on the computer without knowing all their different endpoint URLs.
Future versions will contain enhancements, broadcasting this information via Zeroconf, so every LDS would have the list of all OPC UA servers on the local network.
Related
Has anyone seen anything on Windows Server 2019 that would prevent browsing the network in a Active Directory domain environment to find available OPC servers on remote hosts when all other OPC communications seem to be functioning normally and file share browsing seems to also be functioning?
There is something I'm missing here, but I cannot find it. Since the core OPC functions are working, tools like OPC Expert are not showing any errors and guides for DCOM settings from OSIsoft, KEPware, and OSI Institute are all being used to no avail. None of the DCOM settings seem to be addressing the CLSID network browsing. If a client has the ability to supply a remote host and query that host, the OPC services enumeration works just fine. The problem is that we are attempting to use clients that do not have any features to manually define the servers and solely relies on the network browsing functions.
Please tell me someone else has seen this behavior. I suspect that it is some network security feature of Windows Server 2019, but I can't find any documentation that points to what might be causing this function to fail. Worse, the function is completing normally, but with zero results, so I don't even have error messages to track the issue down with.
It really depends on the application you are using. There are many ways for an OPC Client to find the remote OPC Server. Most clients will use a combination of the folowing:
OPCEnum. In particular the heavy lifting is done using EnumClassesOfCategories which is part of Component categories Manager. Does not crawl through registry.
GetOPCServers(). This is a method is available as part of an interface called IOPCAutoServer which comes from the OPC foundation itself (via OPCDAAuto.dll)
CLSIDFromProgID() first to get the CLSID and then does the CoCreateInstanceEx().
When CLSIDFromProgID() fails, it falls back to using OPCEnum to list all OPC servers before making a connection.
That means that you would first need to find out what your client application is using to list the OPC Servers.
Then, on the Windows Security side of things, depending on the OS version of both nodes, you may need to disable Simple File Sharing mode (that is the case for Windows XP and older)
If it uses OPCEnum, you will need to configure DCOM for OPCEnum as well, which is the recommended method to list remote OPC Servers.
If the application only supports remote registry lookup to find the OPC Server, then you will need to grant access to the account connecting from the client to the Server
I have an Ubuntu VM installed on a client's VMware system. Recently, the client's IT informed us that his firewall has been detecting consistent potential port scans to our VM's internal IP address (coming from 87.238.57.227). He asked if this was part of a known package update process on our VM.
He sent us a firewall output where we can see several instances of the port scan, but there are also instances of our Ubuntu VM trying to communicate back to the external server on port 37258 (this is dropped by the firewall).
Based on a google lookup, the hostname of the external IP address is "feris.postgresql.org", with the ASN pointing to a European company called Redpill-Linpro. As far as I can tell, they offer IT consulting services, specializing in open source software (like PostgreSQL, which is installed on our VM). I have never heard of them before though and have no idea why our VM would be communicating with them or vice-versa. I'm also not sure if I'm interpreting the IP lookup information correctly: https://ipinfo.io/87.238.57.227
I'm looking for a way to confirm or disprove that this is just our VM pinging for a standard postgres update. If that's the case I'd like to restrict this behaviour. We would prefer to do these types of updates manually and limit the communication outside of the VM to what is strictly necessary for the functionality of our application.
Update
I sent an email to Redpill's abuse account. They responded quickly saying that the server should not be port scanning anyone and if it appears that way, something is wrong.
The server is part of a cluster of machines that serves apt.postgresql.org among other postgres download sites. I don't think we have anything like ansible or puppet installed that would automatically check for updates but I will look into that to make sure. I'm wondering if Ubuntu reaching out to update the MOTD with the number of available packages would explain why our VM is trying to reach out to the external postgres server?
The abuse rep said in any case there should only be outgoing connections from the VM, not incoming. He asked for some additional info so I will keep communicating with him and try to update this post accordingly
My communication with the client's IT dropped off so I did not get a definitive answer on this, but I'll provide some new details:
I reached out to the abuse email for Redpill-Linpro. He got back to me and confirmed the server corresponding to the detected IP address is part of a cluster that hosts postgres download sites, including apt.postgresql.org. He was surprised to learn we had detected a port scan from their server and seems eager to figure out why that is happening.
He asked if the client IT could pass along some necessary info for them to set up tracking on that server. But the client IT never got back to me. I think he was satisfied that it wasn't malicious and stopped pursuing it.
Here's one of the messages the abuse rep sent me that may be relevant:
That does look a lot like the tcp to the apt download server yes. It's
strange that your firewall reports that many incoming connections, but
they could be fallout from some connection tracking that's not
operating as intended. The timing appears to be matching up more or
less perfectly. And there should definitely not be any ping-back
connections from it.
Since you appear to be using the http version of the server (and not https) bringing the data in cleartext, they should be able to just
dump the TCP connection contents and verify exactly what it does. But
I bet they are going to see a number of http requests initiated by the
apt client that is checking for updates.
I am trying to make sense of the Global discovery mechanism observed in OPC UA.
1)Now, specification says, it is useful to find servers in an administrative domain. Just to clarify, here administrative domain means the top level of the automation pyramid? At the office level? Or does it mean that it can be used to find Servers across different networks?
2)I understand, GDS provides facilities for certificate management. Just ignoring the certificate manegement benefits of GDS for now, I would like to know how different of a discovery from multicast subnet discovery would it be?
because, according toGDS Overview, all of it is happening inside a single LAN.
In the same link, does it mean like there are 3 hosts existing? Where Host A has the LDS ME and the server which registers to its local LDS ME. Another host, Host B, has only a LDS ME running on it. So now Host A and Host B communicate via mDNS and each others cache is updated with records. Now GDS which is on Host C, is also on the same LAN. The LDS ME of host B registers to GDS. GDS, then calls for findServersOnNetwork with the LDSME, thus enabling to find details of all the servers.
How will an external client be able to see the records of the GDS? I understand specification says use of a service("Query Servers").
How will it be different from the LDS ME?
We get the same result from multicast subnet discovery as well.
Please let me know. Looking forward for any guidance.
Regards,
Rakshan
Ad 1. The administrative domain can be just about anything. It can be all the things you mentioned, or something else. It depends on the requirements there are for the system.
Ad 2. No, the GDS clients do not have to be on the same LAN.
Ad 3. In most general case, the picture you are referring to has 4 hosts (the 3 you have listed, plus the 4th one for the Client). Your description is otherwise correct except for this part: "Now GDS which is on Host C, is also on the same LAN." The GDS can be on a different LAN. There will be multiple "Host B"-s, one for each LAN that is "served" by the GDS.
Ad 4. An external client connects to a public endpoint of the GDS using normal OPC UA, and calls GDS and CM-related UA methods (not services) described in Part 12 of the UA specification, such as, yes, QueryServers, and more. The main difference from the LDS is that the client can get information about all servers in the administrative domain, not just those that are on its own LAN (or on the LAN it specifically connects to).
I have Analyzer which connects to a computer with cat5 cables . This Computer reads the data through a software called ComVisioner .ComVisioner has two Modes, one is Server Mode and Other is Client Mode A Server software acts as the engine in the system, providing one or more clients with information.
Server version is installed on a single computer . Once Server version is installed it collects data, performs calculations, produce reports and so on.
The ComVisioner client runs in the same computer as the server. Other clients can access the same single server through a network, providing that the software license allows more than one client at the same time
so there is Two client computers who access the as mentioned above .this all connection is done by Network cables . This part is fine
As License of Client is very expensive our company wants to add a OPC software so that more user can acquire data .As i have no knowledge on Opc part please suggest me How can i do it ?. what sort of software should i use ?. Can i install this software different pc with is connected in same network
There is also one more software installed in that computer which pushes the data as Modbus protocol
First, you need to make sure that the ComVisioner can give OPC data. (work like opc server). This should be indicated in the documentation.
Download the free OPC client, and make sure you can read the data (for example you can use, matrikon opc explorer or kepware quick client (I like it more, it goes together with KepServerEx, to download them you need to register)
If you can connect and see the data, then there will be no problems with access to the data. Next you need to find a solution for which Opc client suits you. Probably some SCADA system, but some good SCADA also cost a lot, and require a lot of development time.
I don't recommend you try to use modbus if there is opc. If you will use modbus you will have many problem with addressing and value format.
ps
We had a problem with expensive licenses. As a result, we solved the problem by give access for programm for clients via RDP (remote desktop connection)
Should I imagine server as a physical device like router? Or is it just a program that is on a computer? I'm confused. Please let me know. Thanks in advance
A server is a computer that provides data to other computers. It may serve data to systems on a local area network (LAN) or a wide area network (WAN) over the Internet.
Many types of servers exist, including web servers, mail servers, and file servers. Each type runs software specific to the purpose of the server. For example, a Web server may run Apache HTTP Server or Microsoft IIS, which both provide access to websites over the Internet. A mail server may run a program like Exim or iMail, which provides SMTP services for sending and receiving email. A file server might use Samba or the operating system's built-in file sharing services to share files over a network.
More about server