Multiplexing Proxy

The WinCC OA Multiplexing Proxy Manager is used to increase the security of your WinCC OA projects.

The main benefits of the Multiplexing Proxy are:
  • A reduction of open network server ports
  • Blocking of denial-of-service attacks
  • The Multiplexing Proxy can run under a lower-privileged user account than the other managers if it is used as a distributed manager.

The main role of the Multiplexing Proxy is to manage connections between managers or projects; once a connection is established, the proxy only forwards the messages of that connection. The messages are signed and their content is encrypted. When a connection request between client and server is sent over a WinCC OA Multiplexing Proxy, the proxy decides, based on the project configuration, whether the connection is declined or accepted.

If a connection over the proxy (client <=> proxy or server <=> proxy connection) is closed, the proxy automatically closes the corresponding connection to the server/client.

  • Example 1: If a client UI is stopped, the proxy automatically closes the corresponding TCP connection between proxy and server.
  • Example 2: If the server aborts the connection to the proxy (e.g. the server is stopped), the corresponding connection between proxy and client is closed as well.

A further, non-security-related benefit is that reducing the number of open and externally visible network ports also reduces the cost and complexity of network management.

In scenarios where the proxy is deployed on a separate machine, a proxy could mitigate the impact of DoS attacks (SSL connect attack).

The Multiplexing Proxy doesn’t protect against DoS attacks after a connection is established between client and server (e.g. DataManager).

Usage of Multiplexing Proxy

The Multiplexing Proxy is, like the other WinCC OA managers, supervised by the process monitor (PMON). The proxy can run on the same server as the Data Manager or Event Manager, but can also run on a different host, e.g. to manage multiple projects with one proxy.

If the proxy manager is active, the default value of the config entry localAddress is 127.0.0.1 (IPv4) or ::1 (IPv6) for all managers except the WCCILproxy. Therefore, another host can only reach the managers via the Multiplexing Proxy. If the proxy manager is disabled, the default value of localAddress is undefined and the managers can be accessed by other hosts.

Figure 1. Schematic connection picture of proxy deployment

The following points describe a possible usage scenario of the Multiplexing Proxy:

  • The firewall blocks every connection request except the connections to the proxy host on the proxy-port
  • A client project cannot connect directly to the server
  • A client project can only connect to the configured managers through the proxy
  • The client cannot connect to any other server (e.g.: SQL Server)

Usage of Certificates

The Multiplexing Proxy uses SSL certificates to verify a connection request. Default certificates are delivered with the WinCC OA installation and can be used. Note that these certificates are delivered with every WinCC OA installation, so they cannot provide secure authentication!

If no secured communication is required (e.g. no external access to the network), no changes need to be made to your project configuration: the WinCC OA project communication can be used out of the box. If secured communication is required, the following notes must be considered:

  • The default certificates are located inside the /config folder of the WinCC OA project and must be replaced with self-signed certificates to allow secure communication (see the config entry sslCertificate for how to define the SSL certificates to use).
  • To create new self-signed SSL certificates, the "Create Certificate" panel can be used (System Management > Communication > SSL Certificates).
  • When using external certificates (e.g. from Verisign) for the WinCC OA Multiplexing Proxy, a precaution is required: set the config entry chainPrefix (valid in all sections). This prefix ensures that not every certificate signed by the external authority is automatically trusted.

Debug Information

To get additional information regarding the in and outbound connections of the Multiplexing Proxy, the option "-report dispatch" can be used for the proxy manager.

The current proxy configuration can be displayed by starting the Multiplexing Proxy manager with the "-dbg work" flag.

Deactivation of the Multiplexing Proxy

To deactivate the secured communication using the Multiplexing Proxy, the config entry mxProxy="none" must be added to the [general] section of your project's config file.
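The settings discussed on this page (mxProxy, localAddress, sslCertificate, chainPrefix) can be checked mechanically before a project is deployed. The following audit is an added example, not part of WinCC OA or its documentation: it parses an INI-like project config and flags the weak states described above. The exact config syntax, the "#" comment marker, the section name "proxy" for the WCCILproxy manager and the certificate paths are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample configs (not real project files); the keys are the ones the page documents.
WEAK_CONFIG = """\
[general]
mxProxy = "none"
[ui]
localAddress = "0.0.0.0"
"""
HARDENED_CONFIG = """\
[general]
sslCertificate = "config/project.pem"   # placeholder path (assumption)
chainPrefix = "project-"                # placeholder prefix (assumption)
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
PROXY_SECTION = "proxy"  # assumed section name of the WCCILproxy manager

def parse_config(text):
    """Parse an INI-like WinCC OA config: [section] headers, key = "value" lines, # comments."""
    sections = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
        head = re.match(r"^\[(.+)\]$", line)
        if head:
            current = head.group(1).strip()
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value.strip('"')
    return sections

def audit_proxy_config(text):
    """Return (severity, finding) tuples for the weaknesses this page warns about."""
    cfg = parse_config(text)
    findings = []
    proxy_enabled = cfg["general"].get("mxProxy", "").lower() != "none"
    if not proxy_enabled:
        findings.append(("high", 'mxProxy="none": proxy disabled, managers accept direct connections from other hosts'))
    all_keys = {key for section in cfg.values() for key in section}
    if "sslCertificate" not in all_keys:
        findings.append(("high", "sslCertificate not set: default certificates shipped with every installation are in use"))
    if "chainPrefix" not in all_keys:
        findings.append(("medium", "chainPrefix not set: with an external CA, every certificate it signs would be trusted"))
    for name, section in cfg.items():           # an explicit non-loopback bind on a manager bypasses the proxy
        addr = section.get("localAddress")
        if proxy_enabled and name != PROXY_SECTION and addr and addr not in LOOPBACK:
            findings.append(("medium", f"[{name}] localAddress={addr}: manager reachable beyond loopback, bypassing the proxy"))
    return findings
```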