Data Diode Client Tag

The Data Diode Client tag is paired with a Data Diode Publisher tag to establish communication across a Data Diode device. This tag is configured on the Data Diode client side, outside of the secured network. The Data Diode Client tag must have a port number on which it receives data from the Data Diode. At least one Historian tag must be linked to the Data Diode Client tag.

Your Data Diode configuration may resemble the above diagram. The publishing tags and widgets belong in a secured network. The data is transmitted out, to a client tag on the receiving application. There is no means to transmit data into the secured network, effectively isolating it.

A Data Diode configuration requires two VTScada applications: one on the secured network (publishing side) and one on an external network (client side).

The Historian tags and I/O tags must be the same on both applications and have the same Unique IDs. The easiest way to do this is to create the publishing application first, then clone it and reconfigure the clone as the client application. Cloning is the only way to copy over the same assets with the same Unique IDs on an application outside of the secured network.

You must link the Historian tag(s) to the Publisher tag and Client tag by inserting custom properties in the Application Configuration.

First, find the Unique ID of the Historian tag and either the full name or Unique ID of the Data Diode Publisher/Client tag. You can find these by locating the tags in the tag browser and hovering over them with your cursor. Write these down.

Next, go to Application Configuration > Edit Properties in Advanced Mode and insert a new property.

The property name is the Unique ID of the Historian tag followed immediately by "DDPublisherID" or "DDClientID", and its value is the full name or Unique ID of the Data Diode Publisher/Client tag.

For example, to link a Historian tag with a Unique ID of "123ztg-y\y" to a Data Diode Publisher tag with a full name of Station 1\DDP_01, you must insert 123ztg-y\yDDPublisherID = Station 1\DDP_01

To link a Historian tag with a unique ID of "4561#3_yg" to a Data Diode Client tag with a unique ID of "8_6ynG-0" you must insert 4561#3_ygDDClientID = 8_6ynG-0

If you have more than one Historian tag, repeat the process for all tags you wish to publish to Data Diode. The client-side Historian tags must have identical Unique IDs to the publisher-side Historian tags.

The global Unique ID of the default system historian found in every VTScada application is "SystemHistorian".

After configuring the client application (historian and I/O tags are ready), you must refresh the historian storage location. There are two ways to do this. The easiest way is to set a new historian storage location. Alternatively, you can find the "History" folder and delete it. It will be located under VTScada > YourApplicationName > Data. When you begin receiving historian data, VTScada will create a fresh History folder.

There can only be one client server. The server list of the Data Diode Client tag must contain only one machine. If the client server fails, the client application will not be able to receive data. The Data Diode can only send data to a specific IP address. It cannot automatically fail over to a backup machine.

To switch to a new machine, you must reconfigure the server list to only have the new machine in it and update the IP and port number in the Data Diode. If the server has failed, the publisher will continue to transmit data. There is no way to signal to the publishing application directly that an error has occurred on the client application. Once the issue has been resolved, use Start from Date/Time on the publishing application to re-transmit data that was not replicated in the client application during the down-time.

Data Diode Client Tag Properties Settings Tab

Link the port tag, set the security privilege or opt to reset the published state.

The settings tab of the Data Diode Client Properties.

TCP/IP Port Number

The TCP/IP Port Number field refers to the port number on the host address through which communications are enabled. The port number configured in the client tag can be any port that isn't used by other services. You must set up the Data Diode device with the same destination port. Refer to your hardware specification for more information.

The Data Diode Client tag acts as a listener, which is why only a port number is required and not a TCP/IP address. We strongly recommend that your IT department set firewall rules for the port used by the Data Diode Client tag to ensure it only accepts connections from the Data Diode device.
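One way to apply the firewall recommendation above on a Windows client server, using Windows Defender Firewall cmdlets. This is an added example, not part of the original documentation. The port 5500, the address 192.0.2.10 and the rule name are assumed placeholders to replace with your own values.

```powershell
# Assumed values, not from the documentation: substitute your own.
$Port     = 5500            # port set in the Data Diode Client tag (same as the diode's destination port)
$DiodeIp  = '192.0.2.10'    # source address of the Data Diode device (documentation range)
$RuleName = 'Data Diode Client listener (diode only)'

function Test-CoversPort($Filter, [int]$Port) {
    # True when a rule's port filter matches inbound TCP traffic to $Port.
    if ($Filter.Protocol -notin 'TCP', 'Any') { return $false }
    foreach ($p in @($Filter.LocalPort)) {
        if ($p -eq 'Any' -or $p -eq "$Port") { return $true }
        if ($p -match '^(\d+)-(\d+)$' -and
            $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

# 1. Audit: enabled inbound allow rules that already admit this port from
#    anywhere other than the diode. An allow rule scoped to the diode does
#    nothing if a broader allow rule (for example a program-wide rule) matches too.
$broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -ne $RuleName } |
    Where-Object {
        $remote = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
        (Test-CoversPort ($_ | Get-NetFirewallPortFilter) $Port) -and
            -not ($remote.Count -eq 1 -and $remote[0] -eq $DiodeIp)
    }
$broad | Select-Object DisplayName, Profile | Format-Table -AutoSize

# 2. Allow inbound TCP on the listener port from the diode's address only.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -RemoteAddress $DiodeIp -Action Allow -Profile Any | Out-Null
}

# 3. Confirm unmatched inbound traffic is dropped. DefaultInboundAction should be
#    Block (NotConfigured falls back to the built-in default, which is Block).
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

Any rule listed by step 1 should be narrowed or disabled, otherwise other hosts on the external network can still reach the listener port.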