Although convenient, Lon or serial tunneling access to a station presents a potential security issue, as a station’s TunnelService uses “basic authentication” for client access to the station. This differs from normal user access (via FoxService and/or WebService), which typically uses much stronger authentication.
As a workaround, we strongly recommend that you assign the station’s TunnelService to a special category not assigned to any other component in the station, and create a special user that has admin write permissions on only that single category (unlike any other user). That should be the only user used to make tunnel client connections. See “To configure for safer tunneling access.”
To configure for safer tunneling access
In the station’s CategoryService, set up a Category unassigned to any other component.

Assign the station’s TunnelService to that category, as shown above.
In the station’s UserService, create a new user that has permissions only on that one category.

Assign this new user admin write permissions to that one category, and that user.
From any client to the TunnelService (Lon tunnel or serial tunnel), only use this special user account.

This workaround provides full tunneling capability, but minimizes the security risk in case the credentials for this special user become compromised.
Copyright © 2000-2014 Tridium Inc. All rights reserved.