TLS proxy server
A TLS proxy server is a device that acts as a secure intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, webpage, or other resource, available from a different server. The proxy server evaluates the request according to its filtering rules. For example, it may filter traffic by IP address or protocol. If the request is validated by the filter, the proxy provides the resource by connecting to the relevant server and requesting the service on behalf of the client.
When the TLS proxy server function is enabled, the NL200/201 maintains a TLS connection with a remote TLS client, decrypts the data it receives, and forwards it to a data logger over a standard (unencrypted) TCP connection. The TLS client can be a web browser using HTTPS or any other client program that wraps a standard TCP connection in TLS. In this way, a remote TLS client can reach a data logger that has no TLS support of its own. Note that TLS protection ends at the NL200/201: the hop from the NL200/201 to the data logger carries plaintext, so that link (the CS I/O cable in Configuration A, or the Ethernet segment in Configuration B) must be one you trust.
The settings found in the TLS Proxy Server and TLS tab in Device Configuration Utility are used to configure the NL200/201 TLS proxy server.
Two physical configurations are possible and the required settings differ depending on the configuration chosen. The possible configurations are shown in the following figure.
To configure the NL200/201 TLS proxy server to communicate with a data logger attached to the CS I/O port or with a data logger over a
Settings Editor > TLS Proxy Server tab
Configuration A
In Configuration A, the NL200/201 decrypts TLS traffic and forwards the unencrypted TCP traffic to the data logger over the CS I/O port. The NL200/201 is able to “learn” the IP address of the attached data logger and will open a TCP connection on the “learned” IP address.
- Connect to the NL200/201 in Device Configuration Utility (see Configuring the NL200/201).
- Select the CS I/O IP tab.
- Set the CS I/O Interface IP Address to a static IP address. Use the data logger CS I/O Interface that corresponds to the NL200/201 CS I/O IP Interface Identifier setting.
Configuration B
In Configuration B, the NL200/201 decrypts TLS traffic and forwards the unencrypted TCP traffic to the data logger back out on the
- Connect to the NL200/201 in Device Configuration Utility (see Configuring the NL200/201).
- Select the TCP/IP tab.
- Set the Ethernet Interface IP Address to a static IP address.
- Set the TLS Proxy Server setting to enable.
- Enter the TLS Proxy Service Port. This is the TCP port number on which the proxy server listens for incoming connections; the TLS client must be set to connect on the same port number. When TLS communications are received on this port, the NL200/201 decrypts the data, attempts to open a TCP connection to the data logger, and forwards the unencrypted data. In HTTPS communications, web browsers use port 443. The NL200/201 always listens on port 443 regardless of the value of this setting, so if only HTTPS communications are desired, this setting does not need to be configured.
- Set the TLS Proxy Forward Physical Port to CS I/O Port for Configuration A or to Ethernet Port for Configuration B.
- For Configuration A, leave the TLS Proxy Forward IP Address set to 0.0.0.0 (the NL200/201 learns the address of the data logger on the CS I/O port). For Configuration B, enter the data logger IP address in the TLS Proxy Forward IP Address setting. This address must also be configured in the data logger itself. It must be a unique, static IP address on the same subnet as the NL200/201 IP address. For example, if the NL200/201 IP address is 192.168.5.1 with subnet mask 255.255.255.0, a valid IP address for the data logger would be 192.168.5.2, provided no other device on the subnet uses that address.
- Set the TLS Proxy Forward Port. This is the TCP port number the proxy server uses when it opens a TCP connection to the data logger to forward unencrypted data. The data logger TCP server must be listening on this port number. The default value for the data logger PakBus/TCP service port is 6785, so this setting can usually be left at its default. The data logger listens for HTTP traffic on port 80, and the NL200/201 always forwards TLS traffic received on port 443 (HTTPS) to port 80 (HTTP) regardless of this setting, so if only HTTPS communications are desired, this setting does not need to be configured.
- It is recommended to leave the TLS Proxy Timeout set to 90 seconds, although it can be changed if desired. This setting determines how long the NL200/201 waits with no activity on the proxy and client connections before it closes them.
For either configuration, the data logger's own IP address must not be 0.0.0.0, and it must be unique and on the same subnet as the NL200/201 IP address. For example, if the NL200/201 IP address is 192.168.5.1 and the subnet mask is 255.255.255.0, the data logger address could be set to 192.168.5.2, provided no other device on the subnet uses that address. Also, set the data logger subnet mask to match that of the NL200/201.
The data logger must be listening on the TCP port that the NL200/201 forwards TCP traffic to (NL200/201 setting: TLS Proxy Forward Port). The data logger always listens on port 80 for HTTP, and TLS received on port 443 is always forwarded to port 80, so no TCP port configuration is necessary for using HTTP.
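The forwarding path described above, modelled end to end in Go as an added example written for this page (it is not code from Campbell Scientific or the NL200/201 firmware): a TLS listener in the role of the TLS Proxy Service Port, a plain TCP dial to the data logger at the TLS Proxy Forward IP Address and Forward Port (Configuration B), and an inactivity timer in the role of the TLS Proxy Timeout. The self-signed certificate, the stub data logger that echoes whatever it receives, the 5 s timeout and the HTTP request are all constructed for the loopback run; the fixed 443-to-80 mapping of the real device is not modelled. RunLoopback returns both what the client got back over TLS and what the stub data logger saw, which is the request in the clear: the point to keep in mind when the forward leg runs over Ethernet.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)

// must keeps the demo short: setup failures (key generation, listen, dial) panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCert builds a throwaway certificate for 127.0.0.1 so the example
// runs offline; a real NL200/201 presents the certificate loaded on its TLS tab.
func selfSignedCert() (tls.Certificate, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	leaf := must(x509.ParseCertificate(der))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// idleReader re-arms the read deadline on every Read, so a leg that sits idle
// longer than timeout fails: the role the TLS Proxy Timeout setting plays.
type idleReader struct {
	net.Conn
	timeout time.Duration
}

func (r idleReader) Read(p []byte) (int, error) {
	r.SetReadDeadline(time.Now().Add(r.timeout))
	return r.Conn.Read(p)
}

// ServeProxy is the NL200/201 forwarding path: accept a TLS session, dial the
// data logger at forwardAddr (TLS Proxy Forward IP Address and Forward Port) in
// plain TCP, and relay the decrypted bytes both ways until a leg ends or idles.
func ServeProxy(ln net.Listener, forwardAddr string, timeout time.Duration) {
	for {
		client, err := ln.Accept()
		if err != nil {
			return
		}
		go func() {
			defer client.Close()
			logger, err := net.DialTimeout("tcp", forwardAddr, timeout)
			if err != nil {
				return
			}
			defer logger.Close()
			done := make(chan struct{}, 2)
			go func() { io.Copy(logger, idleReader{client, timeout}); done <- struct{}{} }()
			go func() { io.Copy(client, idleReader{logger, timeout}); done <- struct{}{} }()
			<-done // one leg ending tears down both through the deferred Closes
		}()
	}
}

// RunLoopback wires a stub data logger, the proxy and a TLS client together on
// 127.0.0.1; it returns the client's reply and the bytes the stub received in the clear.
func RunLoopback(request string) (reply, seenByLogger string) {
	loggerLn := must(net.Listen("tcp", "127.0.0.1:0"))
	defer loggerLn.Close()
	seen := make(chan string, 1)
	go func() { // stub data logger: plain TCP; record the request, echo it, hang up
		c, err := loggerLn.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		buf := make([]byte, 4096)
		n, _ := c.Read(buf)
		seen <- string(buf[:n])
		c.Write(buf[:n])
	}()
	cert, leaf := selfSignedCert()
	proxyLn := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}}))
	defer proxyLn.Close()
	go ServeProxy(proxyLn, loggerLn.Addr().String(), 5*time.Second)
	pool := x509.NewCertPool() // the client trusts only the proxy certificate and checks its name
	pool.AddCert(leaf)
	conn := must(tls.Dial("tcp", proxyLn.Addr().String(), &tls.Config{RootCAs: pool}))
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	must(io.WriteString(conn, request))
	got := must(io.ReadAll(conn)) // EOF once the stub hangs up and the proxy closes the session
	if len(got) == 0 {
		return "", "" // proxy closed without relaying anything, e.g. the forward dial failed
	}
	return string(got), <-seen
}
```

Calling RunLoopback("GET / HTTP/1.0\r\n\r\n") returns the same request twice: once as the echoed reply that travelled back over TLS, and once as the bytes the stub data logger read from its plain TCP socket. Swapping the stub for a real data logger address and the throwaway certificate for one your clients can verify is the whole difference between this model and a Configuration B deployment.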