Apparently there is no way to get requested data back to the OPC DA client from the server when using OPC DA over a VPN connection. This is because OPC DA is designed using Microsoft's Component Object Model (COM) and uses Distributed COM (DCOM) for remote connectivity. When a connection is established to a remote server, and data requests are made by the client, the server will send callbacks to the IP address that made the connection. When connected to a VPN, it will broker a local IP address on that network. In conclusion, a machine running an OPC DA client using a VPN tunnel to connect to a remote OPC DA server is able to discover the server but not to run it.
My question is: is there a way to use a different tunneling mechanism compatible with the OPC DA protocol? Alternatively, is there a way to route all callbacks to the client from the server to the IP of the PC with the OPC DA server instead of the brokered IP?
3 Answers
Are you sure that the VPN is the problem? If you are able to "discover" the server but can't launch it, that means your DCOM settings are incorrect.
Create a new local user account on the client and the server (same name and password). On the server, change the DCOM settings for the OPC server:
- Run dcomcnfg
- Find your OPC server, select properties.
- On the security tab add the new account everywhere (you may try to skip this, sometimes not needed)
- On the identity tab, select "this user", fill in the new account
On the client, log in with the new account, connect the VPN.
The above DCOM settings are the easiest to maintain/set up/debug for remote connections. Any other combination (interactive user/launching user/domain account etc.) is a pain and 99% of the time won't work. If you need to use domain users (not recommended at all!), you need to connect the VPN before logging in on the client (good luck with this).
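A read-only PowerShell check of the settings the answer above describes, added here as an example and not written by the answer's author. The caption pattern `*OPC*`, the account name `opcuser` and the `$RemoteServer` parameter are assumptions to replace with your own values.

```powershell
# Added example (not from the answer): read-only checks, changes nothing.
param(
    [string]$ServerCaption = '*OPC*',   # assumed caption pattern of the OPC server as listed in dcomcnfg
    [string]$Account       = 'opcuser', # assumed name of the matching local account
    [string]$RemoteServer  = ''         # optional: OPC server address, set when running on the client
)

# 1. DCOM must be enabled machine-wide (value "Y").
$enableDcom = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole').EnableDCOM
"EnableDCOM    : $enableDcom"

# 2. The matching local account must exist and be enabled on this machine.
$user = Get-LocalUser -Name $Account -ErrorAction SilentlyContinue
if ($null -eq $user) {
    "Local account : '$Account' not found"
} else {
    "Local account : $($user.Name), enabled = $($user.Enabled)"
}

# 3. Identity tab: RunAsUser is empty for "launching user", "Interactive User"
#    for the interactive user, or an account name for "This user".
Get-CimInstance -ClassName Win32_DCOMApplicationSetting |
    Where-Object { $_.Caption -like $ServerCaption } |
    ForEach-Object {
        $runAs = if ($_.RunAsUser) { $_.RunAsUser } else { '(launching user)' }
        [pscustomobject]@{
            Caption        = $_.Caption
            AppID          = $_.AppID
            RunAs          = $runAs
            MatchesAccount = (($runAs -split '\\')[-1] -eq $Account)
        }
    } | Format-List

# 4. On the client, with the VPN up: is the RPC endpoint mapper (TCP 135) reachable,
#    and which local address does the connection leave from?
if ($RemoteServer) {
    $t = Test-NetConnection -ComputerName $RemoteServer -Port 135 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Server        = $RemoteServer
        Tcp135Open    = $t.TcpTestSucceeded
        SourceAddress = $t.SourceAddress.IPAddress
    } | Format-List
}
```

DCOM also uses dynamically assigned ports after the initial contact on TCP 135, so a successful port 135 test is necessary but does not by itself show that the whole exchange can pass through the VPN.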
This is a few years later, but in case anyone unearths this:
- Use a tap-interface VPN, rather than a tunnel. In other words, use a layer-2 VPN which behaves like an Ethernet interface on the remote LAN. You (the VPN client) are given an IP address on the remote network that is connected directly to your machine. It behaves exactly as though there is a very long Ethernet cable from your machine to the site. For all practical purposes, you become local to the OPC server.
or...
- As suggested by @KevinHeron above, use an OPC Gateway. Prosys OPC make one and have a diagram of your situation on their product page: https://www.prosysopc.com/products/opc-ua-gateway/