To be a serial “tunnel server,” a JACE must have the tunnel module installed, and its station must have a TunnelService (under its Services folder), as well as a child SerialTunnel component.
The following sections provide more details on the “station side” of serial tunneling:
To configure the station for serial tunneling
To configure the station for serial tunneling, do the following:
-
In the palette side bar, open the tunnel palette.
-
Open the JACE station and expand its Services folder.
-
If no TunnelService exists, paste one from the palette into the Services folder.
-
If a TunnelService does exist, go to next step.
Only one TunnelService is needed in a station’s services, and it can hold multiple tunnel components (SerialTunnel and LonTunnel). The TunnelService in the (serial) tunnel module is identical to the TunnelService in the lontunnel module.
-
-
From the palette, paste a SerialTunnel under the station’s TunnelService.
The station should now have a TunnelService and a child SerialTunnel component.
-
In the SerialTunnel’s property sheet, expand the “Serial Port Config container” (Figure 150).
Here, type in the
COMn“Port Name” used by the target driver network, and specify other parameters as defined in the network’s configuration. Port Name should be similar toCOM1orCOM2, and so on.See SerialHelper for details on various properties.
If the JACE has multiple serial-type driver networks (and corresponding COM ports), you can copy the same number of SerialTunnel components under
the TunnelService. You can then associate each SerialTunnel with a particular network (by its COMnport name), and set the other parameters accordingly. -
the TunnelService configuration when done.
A station user requires admin write permissions for the SerialTunnel(s) to allow tunnel client access.
Clients that access the TunnelService (both SerialTunnel and LonTunnel) use “basic authentication” for login access. So in
either of these client connections, the user credentials passed to the station are not encrypted—a potential security issue!
See Best security practices for tunneling. Also, consider disabling the TunnelService (set its Enabled property to false) whenever it is not needed.
Although convenient, serial or Lon tunneling access to a station presents a potential security issue, as a station’s TunnelService uses “basic authentication” for client access to the station. This differs from normal user access (via FoxService and/or WebService), typically using much stronger authentication.
As a workaround, we strongly recommend that you assign the station’s TunnelService to a special category not assigned to any other component in the station, and create a special user that has admin write permissions on only that single category (unlike any other user). That should be the only user used to make tunnel client connections. See To configure for safer tunneling access.
To configure for safer tunneling access
-
In the station’s CategoryService, set up a Category unassigned to any other component.
Assign the station’s TunnelService to that category, as shown above.
-
In the station’s UserService, create a new user that has permissions only on that one category.
Assign this new user admin write permissions to that one category, and that user.
-
From any client to the TunnelService (serial tunnel or Lon tunnel), only use this special user account.
This workaround provides full tunneling capability, but minimizes the security risk in case the credentials for this special user become compromised.
Under any SerialTunnel, only one tunnel connection is supported at any one time—if a tunnel connection is active and another tunnel client (PC) attempts to connect, that remote user sees a popup dialog saying that the “Desired tunnel is busy.”
In the station (tunnel server), any active tunnel connection results in a TunnelConnection child component, named as the remote (client’s) IP address or hostname, with a “#1” suffix (Figure 151).
In the Figure 151 example, the remote host that is currently serial tunneling is “192.168.1.31.” When a tunnel connection is terminated, this Tunnel Connection component is removed.
In addition to its statistical properties, a TunnelConnection has an available Disconnect action. This disconnects the active tunnel connection, removing the parent TunnelConnection component. A popup dialog “Connection closed by remote host” is seen on the client tunnel side.