05/12/2021
Hi,
I have an OPC UA client that has trouble connecting to an OPC UA server that is behind a NAT/Firewall. This happens because the hostname in the endpoint URL, returned by the server in the `GetServerEndpointResponse`, is different/unreachable from the hostname in the discovery URL used in the `GetEndpointRequest`.
Should I configure my OPC UA client to allow replacing the hostname in the endpoint URL with the hostname of the discovery URL like other OPC UA clients do? Are there things to consider from a security perspective if I decide to enable this feature in my OPC UA client?
- While Section 5.4.4 of the OPC Foundation - UA Part 4: Services - 5.4.4 GetEndpoints (opcfoundation.org) says:
A Server may have multiple HostNames. For this reason, the Client shall pass the URL it used to connect to the Endpoint to this Service. The implementation of this Service shall use this information to return responses that are accessible to the Client via the provided URL.
- Section A.1 UA Part 12: Discovery and Global Services - A.1 Firewalls and Discovery (opcfoundation.org) says:
Note that Servers may not be aware of all HostNames which can be used to access the Server (i.e. a NAT firewall) so Clients need to handle the case where the URL used to access the Server is different from the HostNames in the Certificate.
I am not sure what approach to take based on the above two points in the OPC Foundation doc.
Thanks,
Srijith
05/30/2017
If the server is known to be accessible behind a firewall the server should be issued a certificate that includes the DNS names beyond the firewall.
If this does not happen the client may ignore a domain mismatch but the client needs to be aware that there is a possible security risk.
If the client has also been configured out of band to trust the server certificate then this risk is minimal. If the client is deciding to trust the server by inspecting the certificate provided by the server then the risk is very high.
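As an added illustration of the trust model in the reply above (example code, written for this thread and not from either poster or any OPC UA stack): a small Python check that substitutes the discovery URL's hostname into the endpoint URL, tests that hostname against the server certificate's subjectAltName entries, and lets a domain mismatch through only when the certificate thumbprint has already been pinned out of band. The hostnames, SAN entries and thumbprints are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit, urlunsplit

@dataclass
class EndpointCheck:
    url: str            # endpoint URL after hostname substitution
    host_in_cert: bool  # discovery hostname appears in the certificate SANs
    pinned: bool        # certificate trusted out of band (thumbprint pinned)
    decision: str       # "connect", "connect-with-warning" or "reject"

def replace_hostname(endpoint_url: str, discovery_url: str) -> str:
    """Keep scheme, port and path from the server's endpoint URL, but use the host
    the client actually reached (the discovery URL's host), as other clients do."""
    ep, disc = urlsplit(endpoint_url), urlsplit(discovery_url)
    host = disc.hostname or ""
    port = f":{ep.port}" if ep.port is not None else ""
    return urlunsplit((ep.scheme, host + port, ep.path, ep.query, ep.fragment))

def host_in_sans(host: str, sans: list) -> bool:
    """sans: (kind, value) pairs from subjectAltName, kind 'DNS' or 'IP'.
    A wildcard is honoured only as the whole leftmost label."""
    try:
        ip = ip_address(host)
    except ValueError:
        ip = None
    for kind, value in sans:
        if kind == "IP" and ip is not None and ip == ip_address(value):
            return True
        if kind == "DNS" and ip is None:
            if value.lower() == host.lower():
                return True
            if value.startswith("*.") and host.lower().split(".", 1)[1:] == [value[2:].lower()]:
                return True
    return False

def check_endpoint(endpoint_url, discovery_url, sans, thumbprint, pinned_thumbprints):
    url = replace_hostname(endpoint_url, discovery_url)
    in_cert = host_in_sans(urlsplit(url).hostname or "", sans)
    pinned = thumbprint in pinned_thumbprints
    if in_cert:
        decision = "connect"               # no domain mismatch at all
    elif pinned:
        decision = "connect-with-warning"  # mismatch, but trust was configured out of band: low risk
    else:
        decision = "reject"                # trust would rest on the presented certificate alone: high risk
    return EndpointCheck(url, in_cert, pinned, decision)

SANS = [("DNS", "plc-internal.lan"), ("IP", "10.0.0.5")]  # constructed: NAT'd server only knows its internal name
PINNED = {"constructed-thumbprint-0001"}                  # constructed: thumbprint configured out of band
```

Running `check_endpoint("opc.tcp://plc-internal.lan:4840/UA/Server", "opc.tcp://plc-gateway.example:4840", SANS, "constructed-thumbprint-0001", PINNED)` rewrites the URL to the gateway name and returns `connect-with-warning`; with an unpinned thumbprint the same mismatch is rejected.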