This document describes Fox Tunneling and HTTP Tunneling in the following main sections:
With NiagaraAX-3.3 or later, a client can establish a workbench connection to one or more JACE hosts over a "tunnel" connection that passes through a NiagaraAX Web Supervisor proxy station. Two methods are provided. Both methods employ addressing schemes that require the following:
specific ("fox" and "http") additional licensing on a Web Supervisor proxy station
an appropriate network connection
NiagaraAX-3.3, or later, on all platforms
Starting in NiagaraAX-3.5, platform tunneling is available as described in Appendix C, NiagaraAX-3.5 Platform Guide. In versions prior to NiagaraAX-3.5, tunneling is a Station-to-Station communication only; Platform tunneling is not available.
Fox tunneling and HTTP tunneling use the Fox and HTTP communication protocols, respectively, to communicate with NiagaraAX stations. The key benefit that the tunneling feature provides is the ability to establish a workbench session with one or more JACEs that would normally be hidden from public access. This is done by allowing the requesting station (client) to communicate (or "tunnel") through a Supervisor station that has a connection to the targeted JACEs and acts as a proxy server for those targeted hosts.
Starting in NiagaraAX-3.4, the following properties are available to increase tunneling security options:
Only Tunnel Known Stations
This property (located under the NiagaraNetwork > Fox Services component) affects the functioning and required syntax of both Fox and HTTP tunneling. It is an option to restrict both types of tunneling to only stations that are visible under the proxy station’s NiagaraNetwork.
Proxy Authentication When Tunneling
This property (enabled under the “Services > Web Services” component) forces authentication before allowing HTTP traffic to be tunneled to the target station. This can lead to multiple logins (one login at the proxy level and one login at the target level) unless login credentials are consistent on both the proxy and target. If credentials are identical, the login credentials at the proxy level are "shared" (for "cookie", not "cookie-digest") and used for the login to the target, thus giving the effect of single sign-on.
See About 2013 Security updates for information related to this property and 2013 Security Updates. This property must be set to true for tunneling to a cookie-digest station if:
the supervisor (proxy) station fox port is not the default port, OR
the target station's NiagaraAX version is earlier than AX-3.5u4, 3.6u4, or 3.7u1
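The rule above can be checked against a station inventory when reviewing a proxy's configuration. The following is an added example, not Tridium code: the version-string format ("3.6u2"), the dictionary keys, and the default Fox port value of 1911 are assumptions, as is reading "earlier than" per release line (anything before 3.5 counts as earlier, anything after 3.7 does not).

```python
import re

DEFAULT_FOX_PORT = 1911  # assumption: the page only says "the default port"
# First update level per release line named on the page: AX-3.5u4, 3.6u4, 3.7u1
FIXED_UPDATE = {(3, 5): 4, (3, 6): 4, (3, 7): 1}

def parse_version(text):
    """Parse '3.6u2', 'AX-3.7u1' or '3.8' into ((major, minor), update)."""
    m = re.fullmatch(r"(?:AX-)?(\d+)\.(\d+)(?:u(\d+))?", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2))), int(m.group(3) or 0)

def is_earlier_than_fixed(version):
    """True if the version predates the update level listed for its release line."""
    line, update = parse_version(version)
    if line in FIXED_UPDATE:
        return update < FIXED_UPDATE[line]
    return line < min(FIXED_UPDATE)  # 3.3/3.4 are earlier; 3.8+ is not

def proxy_auth_required(proxy_fox_port, target):
    """Reasons the property must be true for this target (empty list if none)."""
    if target["auth"] != "cookie-digest":
        return []  # the rule only applies to cookie-digest stations
    reasons = []
    if proxy_fox_port != DEFAULT_FOX_PORT:
        reasons.append("proxy fox port is not the default")
    if is_earlier_than_fixed(target["version"]):
        reasons.append("target version is earlier than AX-3.5u4/3.6u4/3.7u1")
    return reasons

def audit(proxy, targets):
    """Targets that need the property while the proxy has it set to false."""
    if proxy["proxy_auth_when_tunneling"]:
        return []
    checked = ((t["name"], proxy_auth_required(proxy["fox_port"], t)) for t in targets)
    return [(name, reasons) for name, reasons in checked if reasons]

# Constructed inventory for illustration
PROXY = {"fox_port": 1911, "proxy_auth_when_tunneling": False}
TARGETS = [
    {"name": "jace-a", "auth": "cookie-digest", "version": "3.6u2"},
    {"name": "jace-b", "auth": "cookie-digest", "version": "3.7u1"},
    {"name": "jace-c", "auth": "cookie", "version": "3.4"},
]

if __name__ == "__main__":
    for name, reasons in audit(PROXY, TARGETS):
        print(f"{name}: set Proxy Authentication When Tunneling to true ({'; '.join(reasons)})")
```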
NiagaraAX stations serve in the following roles to comprise the typical points of reference in a tunneling scenario:
Client
This is the initiating party that sends a communication request using the "Fox Tunneling" or "HTTP Tunneling" syntax to open a special session with the proxy server.
Proxy
This is the tunneling proxy server station that recognizes the tunnel syntax and routes the message on to the tunneled host.
Host
This is the target host that is typically on a protected network that is not directly accessible to the client.
The following sections describe the unique characteristics of each type of tunneling:
Copyright © 2000-2016 Tridium Inc. All rights reserved.