OPC UA Client

See purchasing information for more details
Download Free Demo

Product Overview

Kepware's OPC tunneling solution includes the KEPServerEX connectivity platform with the OPC UA Client driver. The OPC Unified Architecture (UA) open standard is used to provide an ideal tunnel for device communications between two instances of KEPServerEX: one instance that functions as the tunnel client and another instance that functions as the tunnel server. The OPC UA Client driver pairs with the UA Server interface of a KEPServerEX implementation to transfer data securely and reliably.

OPC Tunneling

The tunneling solution uses a client/server architecture for secure and reliable real-time data tunneling through firewalls and across the internet, WAN, or LAN. It also allows for easy remote communications between devices, data sources, and applications by eliminating the reliance on Microsoft COM and DCOM technology.



  • Supports OPC tunneling for OPC DA 1.0 and 2.05a
  • Works within the corporate network, over VPNs, through firewalls, and across the internet, WAN, or LAN
  • Provides remote access for OPC, native interfaces, and DDE
  • Supports Media Level Redundancy, including the ability to configure secondary tunnels and triggering conditions
  • Includes data encryption via RSA Standards
  • Offers endpoint authentication through x509 certificates
  • Features automatic discovery of OPC UA servers
  • Supports structured data for communication and storage optimizations
  • Supports the Nano profile to allow OPC UA access to data produced by embedded devices
  • Features automatic tag database generation
  • Has the ability to set OPC UA server priorities
  • Supports Poll or Report by Exception (on data change)
  • Offers endpoint management on a per connection basis
  • Has the ability to integrate third-party server data with all KEPServerEX drivers
  • Offers Keep Alive and Watchdog features to ensure reliable connectivity


  • OPC Unified Architecture (UA)

Available Languages

  • English
  • German
  • Japanese
  • Simplified Chinese

Application Support

  • DDE Format CF_Text and AdvancedDDE
  • NIO Interface for iFIX
  • OPC Alarms and Events (OPC AE) Version 1.10
  • OPC Data Access (OPC DA) Versions 1.0a, 2.0, 2.05a, and 3.0
  • OPC Unified Architecture (OPC UA) Clients
  • SuiteLink and FastDDE for Wonderware

Release Notes



  • Fixed an issue where the driver would clear the values of tags with uncertain quality.
  • Fixed an issue where the driver was unable to write to tags with an initial quality of uncertain.



  •   Added support for importing and reading the following OPC UA nodes:  
    • ApplicationDescription
    • EnumValueType
    • EUInformation
    • Range
    • ServiceCounterDataType
    • TimeZone
  • Added ability to read value attributes within extension objects of supported data types (see product help file for list of supported types).
  • Enhanced support for reading additional members of Server Diagnostics, ServerDiagnosticsSummary, SessionDiagnostics, SessionSecurityDiagnostics, and SubscriptionDiagnostics.
  • Fixed an issue where the interface would always report the value of elements in Boolean arrays as FALSE.



  • Fixed an issue where the driver would not set the _Error and related system tags when unable to establish a connection to a UA Server.



  • Fixed a memory leak that could occur when a subscription request to monitor an item was rejected by the OPC UA Server. This issue was most apparent with a frequent high volume of "Attempt to add item failed” messages posted in the Event Log. 
  • Added new OPC UA Security Policy (Basic256Sha256) for client configuration. 
  • Updated the default Security Policy to use most secure (Basic256Sha256) and to use the message mode “Sign and Encrypt”. 
  • Updated icons in server browse property to display secure Policies (Green lock icon), deprecated Policies (Yellow lock icon), and insecure Policies (red open-lock icon). 



  • Improved performance when collapsing/expanding/importing items using the Browse Import Items dialog.
  • Increased supported of password length up to 512 characters.


  • Fixed an issue where consecutive writes of the same value could result in bad tag quality in the OPC client drivers.
  • Fixed an issue where clients that set AnonymousIdentityToken with a NULL PolicyId were rejected with a status of Status_BadIdentityTokenInvalid.
  • Increased the maximum channel limit from 128 to 256.



  • Increased the maximum channel limit from 128 to 256.



  • Added Chinese language support.



  • Localized custom dialog boxes for German and Japanese cultures.



  • Fixed German/Japanese localization defects.



  • Enhanced the UA Client tag browser to import the components of complex variables. During import, the driver automatically imports components of complex variables when their data type derives from a supported built-in type or enumeration.
  • Enhanced browsing to allow importing all items as default data type.
  • Escaped spaces in OPC UA URLs caused issues for certain servers when connecting with security. Upgrading from KEPServerEX V6.0 to V6.1 requires re-issuing certificates to fix. Upgrading from V5.X to V6.1 re-issues the certificate automatically.
  • Resolved an issue where the driver did not re-subscribe to subscriptions that had timed out.
  • Resolved issue where the server could crash, resulting in "Invalid or missing user information" error messages until the server was re-installed or repaired. The issue could occur if there were multiple OPC UA Client driver channels attempting to connect simultaneously.
  • Transport layer disconnects are detected by the session watchdog, the timeout of which is now configurable. Enhanced reconnect logic to attempt to re-use sessions, subscriptions, and republish any missed data after a transport-layer disconnect.
  • Added support for UA Nano, Micro, and Micro Embedded UA Server profiles by eliminating the creation of monitored items for devices in 'Polled' mode. Devices in 'Polled' mode can now be configured to use registered or unregistered reads.



  • Fixed an issue with read-after-write behavior in polled mode to properly verify the target address received the new value.



  • Added support for Asymmetric Key Size of up to 2048 bit.
  • Fixed an issue with connecting with a router using port forwarding.
  • Fixed a failure to connect to a server that doesn't support certificates or password security.
  • Fixed an issue with the user not being prompted to trust a certificate from the Channel Properties of the UA server when attempting to connect to an untrusted server.
  • Added notification for connected OPC DA clients when a write failed.
  • Fixed an issue with the MLR Switch on Failure not switching back to the primary OPC server correctly.
  • Added a property to control whether an explicit read occurs after a write.
  • Added German language support.
  • Added Japanese language support.


  • Added a checkbox to control whether an explicit read occurs after a write.
  • Parsed the _InternalTags group name from UA tag addresses to allow them to be readable and writeable.
  • Fixed an issue with read-after-write behavior in polled mode to properly verify the target address received the new value.


  • Fixed an issue where consecutive writes of the same value could result in bad tag quality.
  • Added a property to control whether an explicit read occurs after a write.
  • Resolved an issue where the UA Client driver did not correctly resolve internal tags like _System tags.
  • Fixed an issue where the server could crash which would result in "Invalid or missing user information" error messages until the server was re-installed or repaired. The issue could occur if there were multiple OPC UA Client driver channels attempting to connect simultaneously.


  • Fixed a buffer overflow that could result in a crash.
  • Fixed an issue where the driver could delete monitored items immediately after creating them.
  • Fixed an issue in Polled Mode where all items were set to “Bad” quality if a keep-alive or data change was not received within the watchdog timeout. These only apply to Exception Mode and are not required for Polled Mode.



  • Added support for 64-bit data types (LLong, QWord).
  • Fixed a race condition that could result in a runtime crash in limited scenarios.
  • Improved driver to prompt the user to trust a connection to the UA server when creating an initial connection using security if the certificate is not yet trusted.



  • Enhanced Automatic Tag Generation for a device object while one or more clients are actively connected.
  • Resolved an issue that could cause the client to receive a newly written value, then a stale cached value, before receiving the new value again.
  • Resolved an issue where the posted error message was not representative of the actual cause of the error.
  • Resolved an issue that caused tag import to hang while loading large branches of tags.



  • Upgraded OpenSSL (open source library) to version 1.0.2d to address security vulnerabilities pertaining to certificate validation.



  • The driver no longer creates subscriptions and monitored items for inactive tags. This allows the driver to act in a cold redundancy mode when used with the Media Level Redundancy plug-in.
  • Increased time for UA clients to disconnect when shutting down to allow for proper shutdowns.
  • Changed the driver to request both the server and source timestamps from the UA server. The driver uses the source timestamp supplied by the UA server if it is available. If it is not available, the driver uses the UA server timestamp. If that is not available, the driver sets the timestamp to the current system time.
  • Fixed an issue to allow importing a tag branch containing a tag with an unsupported data type.



  • Enhanced the driver to reconnect the UA session after encountering an invalid Session ID error.
  • The Device _Error flag is now set if the driver is unable to connect on the initial connection.



  • Changed the driver to pass through source timestamp to tags instead of server timestamp. The timestamp will not be updated if the source timestamp is not provided.



  • The driver now passes the source timestamp instead of the server timestamp to tags.



  • Enhanced the driver to support Media Level Redundancy.
  • Modified the self-signed certificate to make the AppURI and SubjectAltName fields equal for OPC UA Compliance.



  • Fixed a memory leak caused by unremoved items in a subscription. The leak occurred for Subscriptions using the "Poll" Update Mode.


  • Resolved an issue where the driver failed to import tags if the data type returned by the target server was VT_EMPTY.



  • Fixed an issue where the Default data type on a Static Tag using a dynamic address had Bad Quality.
  • Fixed an exception that would occur when invalidating tags while unloading the driver.



  • Fixed an issue where tags containing the "GUID" Node ID type were not being validated correctly.
  • Fixed an issue in the Tag Import Browser where parent node tags would be imported even when only a child node was selected.


  • Fixed the failure to decrypt persisted password information stored in projects that were created before 5.6.


  • Added support for two-dimensional arrays.
  • Added support for Certificate Validation when importing or trusting certificates.


  • Fixed an issue wherein the initial update was not passed on to client applications.
  • Improved the browse code to report a single failure instead of multiple failures per browse request.
  • Added support for the browseNext method, allowing clients to browse and import nodes from a server that limits the max returned nodes.
  • Fixed a deadband issue wherein we were not correctly passing in the client item handle for the item to which deadband was applied.
  • Removed the driver tag address limit of 1024.
  • Fixed duplicate browse entries when performing a full refresh through the context menu in the server browser.


  • The driver now reports a value, quality, and timestamp for invalid tags (tags that can't be added to the remote server). Previously we would keep attempting to read the tags, expecting an initial update. In the case that the tag is invalid we won't receive an update, and should report the tag is BAD.
  • Fixed issue where the requested data type was not being honored when providing tag updates on monitored items.
  • Fixed a bug where the password was not cleared in the decryption logic if the password was empty. This caused the runtime and the configuration to get out of sync with channel passwords.
  • The performance of Auto Tag Generation has been enhanced.
  • Fixed an issue where we fail to connect to our own UA server if we are using a username/password and no security.
  • The client driver now places the server certificate in the rejected store if it fails to connect with security. In the configuration we also display a message box that allows the user to trust an untrusted endpoint.
  • Added synchronization and error checking for session read and write callbacks. It was possible to get an invalid subscription handle in the callback.
  • The driver now removes all items from the underlying server when the UA Client's device is configured as disabled.
  • Fixed an issue where the UA Client Driver returned an invalid read value when an item did not receive an update from the UA Server. We now continue to process the read request until we have a valid return value.


  • New Driver


  • Easier setup and configuration than DCOM
  • Firewall-friendly
  • Robust portfolio of client interfaces and devices
  • Secure and reliable data transfer using 256-bit AES message signing and encryption
  • Multi-threaded architecture and non-blocking asynchronous messaging for performance, scalability, and reliability
  • Easy troubleshooting through diagnostic tools

What Is a Driver?

KEPServerEX is more than an OPC server—it's a connectivity platform for industrial automation and IoT. Simply download KEPServerEX, and then select from Kepware's library of more than 150 device drivers, client drivers, and advanced plug-ins to fit the communication requirements unique to your industrial control system.

A driver is a software component that enables KEPServerEX to meet the connectivity requirements of a specific device, system, or other data source. The driver handles all proprietary communications to the data source for KEPServerEX; the client interfaces handle all supported OPC, proprietary, and open standards connectivity to applications that monitor or control the devices.

Drivers may be licensed individually or in suites. Additional drivers can be licensed on demand as connectivity needs evolve.