Secure, authenticated gateway service that fronts a FrameworX runtime (TServer) for multi-site and edge deployments.



Secure communication gateways for multi-site deployments.


What TSecureGateway does

TSecureGateway (TSecureGatewayService.exe) is a Windows service that sits in front of a FrameworX runtime (TServer) and relays authorized runtime traffic to it. It listens on a local TCP port and forwards each accepted connection to a TServer at a configured RemoteIP:RemotePort, optionally authenticating the caller first. In short: a hardened, authenticating reverse-proxy for the FrameworX client–server protocol, used to connect projects and sites across network boundaries while controlling exactly what may talk to what.

What it carries — and what it does NOT

TSecureGateway forwards FrameworX runtime traffic to a TServer: Rich Client and Smart Client sessions, remote Device channels, and Dataset database connections.
It is not a VPN, and not a field-protocol proxy — it does not speak Modbus, S7, EtherNet/IP, or any device protocol. To reach a PLC across a boundary, run a TServer near the device (it polls the controller locally) and let TSecureGateway secure the TServer hop. See Remote Channels.

Architecture patterns

| Pattern | Description |
|---|---|
| 1-to-1 | A single remote site connects to a single TServer. |
| 1-to-many | Many remote sites aggregate to one master / central project. |
| Traffic control | Only the source/destination pairs you configure are forwarded. |
| Site isolation | Remote sites see only the gateway — never each other, nor the topology behind it. |

Typical deployment — edge gateway in front of a cell

A common layout puts TSecureGateway on an edge computer in front of a production cell:

  1. A TServer inside the cell polls the field device locally (read-only) using its protocol driver.
  2. TSecureGateway, on the edge computer, forwards the FrameworX hop to that in-cell TServer (RemoteIP = the in-cell TServer).
  3. A central FrameworX server, or a Rich / Smart Client, connects to the gateway's LocalPort.

Only the FrameworX protocol crosses the boundary; the device protocol stays inside the cell. You get traffic control, site isolation, and optional Windows-Authentication / RuntimeUsers validation on the hop — without ever exposing the controller.

Installation

Location

The service ships with the product and is not installed by default. Both files are in the install root:

  • C:\Program Files\Tatsoft\FrameworX\fx-10\TSecureGatewayService.exe
  • C:\Program Files\Tatsoft\FrameworX\fx-10\TSecureGatewayService.exe.config

Install / uninstall the service

TSecureGateway registers as a Windows service through the standard .NET installer. From an elevated command prompt, using the .NET Framework v4 InstallUtil.exe:

Install
cd "C:\Program Files\Tatsoft\FrameworX\fx-10"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe TSecureGatewayService.exe

Uninstall
cd "C:\Program Files\Tatsoft\FrameworX\fx-10"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /u TSecureGatewayService.exe

After installation the service appears in services.msc as TWebGateway Service and logs to the Windows Event Viewer. (On a 32-bit install, use the Framework path instead of Framework64.)

Change the configuration

  1. Edit TSecureGatewayService.exe.config (see Configuration below).
  2. Restart the service so it re-reads the file.

The configuration is read only at startup, so every change requires a service restart.

Configuration

All settings live in the <appSettings> section of TSecureGatewayService.exe.config as <add key="..." value="..."/> entries. Keys are case-insensitive.

Core parameters

| Key | Description | Notes |
|---|---|---|
| LocalPort | TCP port the gateway listens on. | Set 0 to use Windows Authentication only. |
| LocalPortWA | Listening port for Windows-Authenticated connections. | Set 0 if not used. |
| RemoteIP | IP / host of the target TServer.exe computer. | The runtime the gateway forwards to. |
| RemotePort | TServer port (without Windows Authentication). | |
| RemotePortWA | TServer port for Windows-Authenticated connections. | Alternative to RemotePort. |
| WA | Authentication mode. | true = Windows Authentication only. |

Optional parameters

| Key | Description | Usage |
|---|---|---|
| RuntimeUsersProject | Path to a solution whose RuntimeUsers table validates connecting users. | Cannot be combined with CheckRuntimeUsersWA. |
| CheckRuntimeUsersWA | Validate connecting users via Windows Authentication. | Cannot be combined with RuntimeUsersProject. |
| TargetCF | Enable .NET Compact Framework client support. | Windows CE deployments. |

Multiple redirections

A single gateway can forward several local ports to several TServers. Set ExtraCount to the number of additional redirections, then number each key starting at 2:

<add key="ExtraCount" value="2"/>      <!-- number of extra redirects; unlimited -->

<add key="LocalPort2" value="3200"/>   <!-- numbering starts at 2 -->
<add key="RemoteIP2"  value="site1.local"/>
<add key="RemotePort2" value="3101"/>

<add key="LocalPort3" value="3300"/>
<add key="RemoteIP3"  value="site2.local"/>
<add key="RemotePort3" value="3101"/>

The same numbering pattern continues for each further set of LocalPort, RemoteIP, and RemotePort keys.

Windows Authentication and multi-port redirection are mutually exclusive — enabling WA disables the extra redirections.

Configuration examples

Single-site gateway

<add key="LocalPort"  value="3101"/>
<add key="RemoteIP"   value="192.168.1.100"/>
<add key="RemotePort" value="3101"/>

Multi-site with Windows Authentication

<add key="LocalPortWA" value="3102"/>
<add key="WA"          value="true"/>
<add key="ExtraCount"  value="2"/>

<add key="LocalPort2" value="3200"/>
<add key="RemoteIP2"  value="site1.local"/>
<add key="RemotePort2" value="3101"/>

<add key="LocalPort3" value="3300"/>
<add key="RemoteIP3"  value="site2.local"/>
<add key="RemotePort3" value="3101"/>

Edge gateway in front of a cell

The gateway forwards inbound FrameworX connections to an in-cell TServer that owns the device channel and polls the PLC locally:

<add key="LocalPort"  value="3101"/>
<add key="RemoteIP"   value="10.100.0.40"/>   <!-- in-cell TServer; it holds the PLC channel -->
<add key="RemotePort" value="3101"/>
<add key="RuntimeUsersProject" value="C:\FrameworX\Cell1.dbsln"/>
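
The configuration rules stated on this page (case-insensitive keys, extras numbered from 2, a unique LocalPort per redirection, WA disabling extra redirections, and RuntimeUsersProject / CheckRuntimeUsersWA being mutually exclusive) can be checked before a restart. The following is an added example, not part of the product or its documentation; the `lint` and `enabled` helpers, the treatment of "false" as off, the inclusion of LocalPortWA in the port check, and the sample config are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

def enabled(value):
    # Assumption: any non-empty value other than "false" counts as switched on.
    return value.strip().lower() not in ("", "false")

def lint(config_xml):
    """Return a list of findings for one TSecureGatewayService.exe.config."""
    root = ET.fromstring(config_xml)
    # Keys are case-insensitive, so normalise them before any lookup.
    s = {a.get("key", "").lower(): a.get("value", "")
         for a in root.iterfind("./appSettings/add")}
    findings = []
    raw = s.get("extracount", "0")
    extra = int(raw) if raw.isdigit() else 0
    if not raw.isdigit():
        findings.append("ExtraCount is not a non-negative integer")
    if enabled(s.get("runtimeusersproject", "")) and enabled(s.get("checkruntimeuserswa", "")):
        findings.append("RuntimeUsersProject and CheckRuntimeUsersWA cannot be combined")
    if enabled(s.get("wa", "")) and extra > 0:
        findings.append("WA is on, so the %d extra redirections are disabled" % extra)
    ports = {}  # listening port -> config keys that claim it
    if s.get("localportwa", "0") not in ("", "0"):
        ports[s["localportwa"]] = ["LocalPortWA"]
    # The first redirect uses unsuffixed keys; extras are numbered from 2.
    for n in [""] + [str(i) for i in range(2, extra + 2)]:
        missing = [k + n for k in ("LocalPort", "RemoteIP", "RemotePort")
                   if not s.get((k + n).lower())]
        if n and missing:
            findings.append("redirection %s is missing %s" % (n, ", ".join(missing)))
        port = s.get("localport" + n, "0")
        if port not in ("", "0"):
            ports.setdefault(port, []).append("LocalPort" + n)
    findings += ["port %s is claimed by %s" % (p, ", ".join(k))
                 for p, k in sorted(ports.items()) if len(k) > 1]
    return findings

# Constructed sample (hosts and paths are placeholders) seeded with four problems.
SAMPLE = r"""<configuration><appSettings>
  <add key="LocalPort" value="3101"/><add key="RemoteIP" value="10.0.0.5"/>
  <add key="RemotePort" value="3101"/><add key="WA" value="true"/>
  <add key="localportwa" value="3102"/><add key="ExtraCount" value="2"/>
  <add key="LocalPort2" value="3101"/><add key="RemoteIP2" value="site1.example"/>
  <add key="RemotePort2" value="3101"/><add key="LocalPort3" value="3300"/>
  <add key="RemoteIP3" value="site2.example"/><add key="CheckRuntimeUsersWA" value="true"/>
  <add key="RuntimeUsersProject" value="C:\Example\Demo.dbsln"/>
</appSettings></configuration>"""

if __name__ == "__main__": print("\n".join(lint(SAMPLE)))
```

An empty result means none of these rules is violated; it does not prove the service will accept the file.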

Service management

Start / stop
net start "TWebGateway Service"
net stop  "TWebGateway Service"

(Use the exact name shown in services.msc after install.)

Verify

On start, the service writes its redirection table to the Windows Event Viewer:

First redirect :: LocalPort: 3101, RemoteIP: localhost, RemotePort: 3101
Extra Redirection Table:
Listen on ipv4:     Connect to ipv4:
Address    Port     Address         Port
0.0.0.0    3100     192.168.80.129  3100
0.0.0.0    3102     192.168.80.129  3101
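
Because the service forwards only the pairs it lists at startup, that message can be compared with an approved list to catch an unexpected listener or a changed target. The following is an added example, not part of the product; it assumes the event text has already been exported from the Event Viewer and that its layout matches the sample above, and the `APPROVED` allow-list and function names are constructed for illustration.

```python
import re

FIRST = re.compile(r"First redirect :: LocalPort: (\d+), RemoteIP: ([^,\s]+), RemotePort: (\d+)")
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_redirects(message):
    """Return {local_port: (remote_host, remote_port)} from the startup event text."""
    table = {}
    for line in message.splitlines():
        m = FIRST.search(line)
        if m:
            table[int(m.group(1))] = (m.group(2), int(m.group(3)))
            continue
        m = ROW.match(line)
        if m:  # header rows never match: their second column is not numeric
            table[int(m.group(2))] = (m.group(3), int(m.group(4)))
    return table

def diff_redirects(message, approved):
    """Compare reported redirects with approved {local_port: (host, port)} pairs."""
    actual = parse_redirects(message)
    return {
        "unexpected": sorted(p for p in actual if p not in approved),
        "retargeted": sorted(p for p in actual
                             if p in approved and actual[p] != approved[p]),
        "missing": sorted(p for p in approved if p not in actual),
    }

# Startup message as shown in the Verify section of this page.
EVENT = """First redirect :: LocalPort: 3101, RemoteIP: localhost, RemotePort: 3101
Extra Redirection Table:
Listen on ipv4:     Connect to ipv4:
Address    Port     Address         Port
0.0.0.0    3100     192.168.80.129  3100
0.0.0.0    3102     192.168.80.129  3101
"""

# Constructed allow-list for illustration; site1.example is a placeholder.
APPROVED = {3101: ("localhost", 3101), 3100: ("192.168.80.129", 3101),
            3200: ("site1.example", 3101)}

if __name__ == "__main__":
    print(diff_redirects(EVENT, APPROVED))
```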

Monitor

  • Windows Event Viewer — startup, redirect table, authentication results
  • Performance Monitor — connection / traffic counters
  • Network traces — connection-level debugging

Limitations

  • Windows Authentication disables multi-port redirection.
  • Configuration changes require a service restart.
  • Each redirection needs a unique LocalPort.
  • The same RemotePort may be reused across different RemoteIP targets.
  • Forwards the FrameworX runtime protocol only — not device / field protocols.

Troubleshooting

| Symptom | Check |
|---|---|
| Service won't start | Event Viewer for the startup error; confirm the .config is valid XML. |
| Port conflict | netstat -ano to find the process already holding the port. |
| Connection refused | Firewall rules on both the gateway and the TServer hosts. |
| Authentication fails | The WA setting, and the RuntimeUsersProject / CheckRuntimeUsersWA pairing. |
| Redirects not applied | Restart the service after editing the .config. |

