This Servicereturns the Endpointssupported by a Serverand all of the configuration information required to establish a SecureChannel and a Session.

This Serviceshall not require message security but it may require transport layer security.

A Clientmay reduce the number of results returned by specifying filter criteria based on LocaleIdsand Transport ProfileURIs. The Serverreturns an empty list if no Endpointsmatch the criteria specified by the client. The filter criteria supported by this Serviceare described in

A Servermay support multiple security configurations for the same Endpoint. In this situation, the Servershall return separate EndpointDescriptionrecords for each available configuration. Clientsshould treat each of these configurations as distinct Endpointseven if the physical URL happens to be the same.

The security configuration for an Endpointhas four components:

Server Application Instance Certificate

Message Security Mode

Security Policy

Supported User Identity Tokens

The ApplicationInstanceCertificateis used to secure the OpenSecureChannelrequest (see 5.5.2). The MessageSecurityModeand the SecurityPolicy tell the Clienthow to secure messages sent via the SecureChannel. The UserIdentityTokenstell the Clientwhich type of user credentials shall be passed to the Serverin the ActivateSessionrequest (see 5.6.3).

If the securityPolicyUriis NONE and none of the UserTokenPoliciesrequires encryption, the Clientshall ignore the ApplicationInstanceCertificate.

Each EndpointDescriptionalso specifies a URI for the Transport Profilethat the Endpointsupports. TheTransport Profilesspecify information such as message encoding format and protocol version and are defined in OPC 10000-7.

Messages are secured by applying standard cryptography algorithms to the messages before they are sent over the network. The exact set of algorithms used depends on the SecurityPolicyfor the Endpoint. OPC 10000-7defines Profilesfor common SecurityPolicies and assigns a unique URI to them. It is expected that applications have built in knowledge of the SecurityPolicies that they support, as a result, only the Profile URI for the SecurityPolicy is specified in the EndpointDescription. A Clientcannot connect to an Endpointthat does not support a SecurityPolicy that it recognizes.

An EndpointDescriptionmay specify that the message security mode is NONE. This configuration is not recommended unless the applications are communicating on a physically isolated network where the risk of intrusion is extremely small. If the message security is NONE then it is possible for Clientsto deliberately or accidentally hijack Sessionscreated by other Clients.

A Servermay have multiple HostNames. For this reason, the Clientshall pass the URL it used to connect to the Endpointto this Service. The implementation of this Serviceshall use this information to return responses that are accessible to the Clientvia the provided URL.

This Servicecan be used without security and it is therefore vulnerable to Denial of Service (DOS) attacks. A Servershould minimize the amount of processing required to send the response for this Service. This can be achieved by preparing the result in advance. The Servershould also add a short delay before starting processing of a request during high traffic conditions.

Some of the EndpointDescriptionsreturned in a response shall specify the Endpointinformation for a Gateway Serverthat can be used to access another Server. In these situations, the gatewayServerUriis specified in the EndpointDescriptionand all security checks used to verify Certificatesshall use the gatewayServerUri(see 6.1.3) instead of the serverUri.

To connect to a Servervia the gateway the Clientshall first establish a SecureChannelwith the Gateway Server. Then the Clientshall call the CreateSessionservice and pass the serverUrispecified in the EndpointDescriptionto the Gateway Server. The Gateway Servershall then connect to the underlying Serveron behalf of the Client. The process of connecting to a Servervia a Gateway Serveris illustrated in Figure 10.


Figure 10– Using a Gateway Server

Table 5defines the parameters for the Service.

Table 5– GetEndpoints Service Parameters







Common request parameters.

The authenticationTokenis always null. The authenticationTokenshall be ignored if it is provided.

The type RequestHeaderis defined in 7.28.



The network address that the Clientused to access the DiscoveryEndpoint.

The Serveruses this information for diagnostics and to determine what URLs to return in the response.

The Servershould return a suitable default URL if it does not recognize the HostNamein the URL.

localeIds []


List of locales to use.

Specifies the locale to use when returning human readable strings.

This parameter is described in

profileUris []


List of Transport Profilethat the returned Endpointsshall support. OPC 10000-7defines URIs for the Transport Profiles.

All Endpointsare returned if the list is empty.

If the URI is a URL, this URL may have a query string appended. The Transport Profilesthat support query strings are defined in OPC 10000-7.




Common response parameters.

The ResponseHeadertype is defined in 7.29.

Endpoints []


List of Endpointsthat meet criteria specified in the request.

This list is empty if no Endpointsmeet the criteria.

The EndpointDescriptiontype is defined in 7.10.

Common StatusCodesare defined in Table 177.