Multiplexing Proxy
The WinCC OA Multiplexing Proxy Manager is used to increase the security of your WinCC OA projects. The main benefits of the Multiplexing Proxy are:
- A reduction of open network server ports
- Blocking of denial-of-service attacks
- The Multiplexing Proxy can run under a lower-privileged user account than the other managers when it is used as a distributed manager
The main role of the Multiplexing Proxy is to manage connections between managers or projects; once a connection is established, the proxy only forwards the messages of the current connections. The messages are signed and their content is encrypted. When a connection request between client and server is sent over a WinCC OA Multiplexing Proxy, the proxy decides, based on the project configuration, whether the connection is declined or accepted.
If a connection over the proxy (client <=> proxy or server <=> proxy connection) is closed, the proxy automatically closes the corresponding connection to the server/client:
- Example 1: If a client UI is stopped, the proxy automatically closes the corresponding TCP connection between proxy and server.
- Example 2: If the server aborts the connection to the proxy (e.g. the server is stopped), the corresponding connection between proxy and client is closed as well.
A further, non-security-related benefit is that reducing the number of open and visible network ports for external connections also reduces the cost and complexity of network management.
In scenarios where the proxy is deployed on a separate machine, the proxy can mitigate the impact of DoS attacks (SSL connect attacks) on the managers behind it.
The Multiplexing Proxy does not protect against DoS attacks after a connection between client and server (e.g. Data Manager) has been established.
Usage of Multiplexing Proxy
The Multiplexing Proxy is, like other WinCC OA managers, supervised by the process monitor (PMON). The proxy can run on the same server as the Data or Event Manager, but it can also run on a different host, e.g. to manage multiple projects with one proxy.
If the proxy manager is active, the default value of the config entry localAddress is 127.0.0.1 (IPv4) or ::1 (IPv6) for all managers except the WCCILproxy. Therefore, another host can only reach the managers via the Multiplexing Proxy. If the proxy manager is disabled, the default value of localAddress is undefined and the managers can be accessed directly by other hosts.
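A quick way to verify that this default is actually in effect is to check which listening sockets are bound to a non-loopback address. The following script is an added example, not part of the WinCC OA documentation: it parses `ss -ltn`-style output (a constructed sample is embedded) and reports every listener that is reachable from other hosts and is not the proxy port. The proxy port 5678 and the sample port numbers are assumptions for illustration, not values taken from this page.

```python
from ipaddress import ip_address

# Constructed sample in the shape of `ss -ltn` output on a WinCC OA host.
# Port 5678 is an ASSUMED proxy port; the other ports are illustrative only.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0       128      127.0.0.1:4897       0.0.0.0:*
LISTEN  0       128      127.0.0.1:4998       0.0.0.0:*
LISTEN  0       128      0.0.0.0:4999         0.0.0.0:*
LISTEN  0       128      [::1]:4897           [::]:*
LISTEN  0       128      *:5678               *:*
"""

ASSUMED_PROXY_PORT = 5678  # placeholder: use your configured proxy port


def parse_local(field):
    """Split an `addr:port` field into (addr, port); IPv6 is bracketed."""
    addr, port = field.rsplit(":", 1)
    return addr.strip("[]"), int(port)


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; wildcards (*, 0.0.0.0, ::) are not."""
    if addr == "*":
        return False
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_listeners(ss_output, proxy_port):
    """Return sorted (addr, port) pairs of LISTEN sockets that other hosts
    can reach and that are not the proxy port, i.e. managers whose
    localAddress is not confined to the loopback interface."""
    exposed = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skip the header line and non-listening entries
        addr, port = parse_local(fields[3])
        if port == proxy_port or is_loopback(addr):
            continue
        exposed.add((addr, port))
    return sorted(exposed)


if __name__ == "__main__":
    for addr, port in audit_listeners(SAMPLE_SS_OUTPUT, ASSUMED_PROXY_PORT):
        print(f"review: {addr}:{port} is reachable from other hosts")
```

On a real host, feed the script the live `ss -ltn` output instead of the sample; any port it reports besides the proxy port should be explained by an explicit localAddress setting or closed at the firewall.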
The following points describe a possible usage scenario of the Multiplexing Proxy:
- The firewall blocks every connection request except connections to the proxy host on the proxy port
- A client project cannot connect directly to the server
- A client project can only connect to the configured managers through the proxy
- The client cannot connect to any other server (e.g. SQL Server)
Usage of Certificates
The Multiplexing Proxy uses SSL certificates to verify a connection request. Default certificates are delivered with the WinCC OA installation and can be used. Note that these certificates are delivered with every WinCC OA installation, so they cannot provide secure authentication!
- The default certificates are located in the /config folder of the WinCC OA project and must be replaced with self-signed certificates to allow secure communication (see the config entry sslCertificate for how to define the SSL certificates to use).
- To create new self-signed SSL certificates, the "Create Certificate" panel can be used (System Management > Communication > SSL Certificates).
- External certificates (e.g. from Verisign) must not be used for the WinCC OA Multiplexing Proxy! Every certificate issued by that certificate provider would be accepted, so no secure communication can be guaranteed!
If no secured communication is required (e.g. there is no external access to the network), no changes need to be made to your project configuration; the WinCC OA project communication can be used out of the box. If secured communication is required, the following notes must be considered:
Debug Information
To get additional information about the inbound and outbound connections of the Multiplexing Proxy, the option "-report dispatch" can be used for the proxy manager.
The current proxy configuration is displayed at proxy start-up when the "-dbg work" flag is used for the Multiplexing Proxy manager.
Deactivation of the Multiplexing Proxy
To deactivate the secured communication via the Multiplexing Proxy, the config entry mxProxy = "none" must be added to the [general] section of your project's config file.
Chapter Overview
| Chapter | Description |
| --- | --- |
| Multiplexing Proxy, Basics | Overview of the Multiplexing Proxy and links to further information |
| Requirements and Installation | Requirements for using the Multiplexing Proxy |
| Possible config entries of the Multiplexing Proxy | List of all available config entries for the Multiplexing Proxy |
| Configuration of the Multiplexing Proxy | Configuration scenarios for the Multiplexing Proxy, e.g. for redundant or distributed projects |