node-opcua-server 2.164.2 → 2.165.1

package/source/server_end_point.ts

@@ -3,42 +3,39 @@
  * @module node-opcua-server
  */
 // tslint:disable:no-console
-import { EventEmitter } from "events";
-import net from "net";
-import { Server, Socket } from "net";
+
+import { EventEmitter } from "node:events";
+import net, { type Server, type Socket } from "node:net";
 import chalk from "chalk";
-import async from "async";
 
 import { assert } from "node-opcua-assert";
-import { OPCUACertificateManager } from "node-opcua-certificate-manager";
-import { Certificate, PrivateKey, makeSHA1Thumbprint, split_der } from "node-opcua-crypto/web";
+import type { OPCUACertificateManager } from "node-opcua-certificate-manager";
+import { type Certificate, makeSHA1Thumbprint, type PrivateKey, split_der } from "node-opcua-crypto/web";
 import { checkDebugFlag, make_debugLog, make_errorLog, make_warningLog } from "node-opcua-debug";
 import { getFullyQualifiedDomainName, resolveFullyQualifiedDomainName } from "node-opcua-hostname";
 import {
     fromURI,
+    type IServerSessionBase,
+    type Message,
     MessageSecurityMode,
     SecurityPolicy,
     ServerSecureChannelLayer,
-    ServerSecureChannelParent,
-    toURI,
-    IServerSessionBase,
-    Message
+    type ServerSecureChannelParent,
+    toURI
 } from "node-opcua-secure-channel";
-import { UserTokenType } from "node-opcua-service-endpoints";
-import { EndpointDescription } from "node-opcua-service-endpoints";
-import { ApplicationDescription } from "node-opcua-service-endpoints";
-import { UserTokenPolicyOptions } from "node-opcua-types";
-import { IHelloAckLimits } from "node-opcua-transport";
+import { ApplicationDescription, EndpointDescription, UserTokenType } from "node-opcua-service-endpoints";
+import type { IHelloAckLimits } from "node-opcua-transport";
+import type { UserTokenPolicyOptions } from "node-opcua-types";
 
-import { IChannelData } from "./i_channel_data";
-import { ISocketData } from "./i_socket_data";
+import type { IChannelData } from "./i_channel_data";
+import type { ISocketData } from "./i_socket_data";
 
 const debugLog = make_debugLog(__filename);
 const errorLog = make_errorLog(__filename);
 const warningLog = make_warningLog(__filename);
 const doDebug = checkDebugFlag(__filename);
 
-const default_transportProfileUri = "http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary";
+const UATCP_UASC_UABINARY = "http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary";
 
 function extractSocketData(socket: net.Socket, reason: string): ISocketData {
     const { bytesRead, bytesWritten, remoteAddress, remoteFamily, remotePort, localAddress, localPort } = socket;
@@ -57,14 +54,7 @@ function extractSocketData(socket: net.Socket, reason: string): ISocketData {
 }
 
 function extractChannelData(channel: ServerSecureChannelLayer): IChannelData {
-    const {
-        channelId,
-        clientCertificate,
-        securityMode,
-        securityPolicy,
-        timeout,
-        transactionsCount
-    } = channel;
+    const { channelId, clientCertificate, securityMode, securityPolicy, timeout, transactionsCount } = channel;
 
     const channelData: IChannelData = {
         channelId,
@@ -95,6 +85,7 @@ function dumpChannelInfo(channels: ServerSecureChannelLayer[]): void {
         console.log("        sessions      = ", Object.keys(channel.sessionTokens).length);
         console.log(Object.values(channel.sessionTokens).map(d).join("\n"));
 
+        // biome-ignore lint/suspicious/noExplicitAny: accessing internal transport for debug dump
         const socket = (channel as any).transport?._socket;
         if (!socket) {
             console.log(" SOCKET IS CLOSED");
@@ -108,6 +99,7 @@ function dumpChannelInfo(channels: ServerSecureChannelLayer[]): void {
 }
 
 const emptyCertificate = Buffer.alloc(0);
+// biome-ignore lint/suspicious/noExplicitAny: deliberate null→PrivateKey sentinel
 const emptyPrivateKey = null as any as PrivateKey;
 
 let OPCUAServerEndPointCounter = 0;
@@ -152,7 +144,7 @@ export interface OPCUAServerEndPointOptions {
 
     serverInfo: ApplicationDescription;
 
-    objectFactory?: any;
+    objectFactory?: unknown;
 
     transportSettings?: IServerTransportSettings;
 }
@@ -167,10 +159,74 @@ export interface EndpointDescriptionParams {
     resourcePath?: string;
     alternateHostname?: string[];
     hostname: string;
+    /**
+     * Override the port used in the endpoint URL.
+     * When set, the endpoint URL uses this port instead of the
+     * server's listen port. The server does NOT listen on this port.
+     * Useful for Docker port-mapping, reverse proxies, and NAT.
+     */
+    advertisedPort?: number;
     securityPolicies: SecurityPolicy[];
     userTokenTypes: UserTokenType[];
 }
 
+/**
+ * Per-URL security overrides for advertised endpoints.
+ *
+ * When `advertisedEndpoints` contains a config object, the endpoint
+ * descriptions generated for that URL use the overridden security
+ * settings instead of inheriting from the main endpoint.
+ *
+ * Any field that is omitted falls back to the main endpoint's value.
+ *
+ * @example
+ * ```ts
+ * advertisedEndpoints: [
+ *     // Public: SignAndEncrypt only, no anonymous
+ *     {
+ *         url: "opc.tcp://public.example.com:4840",
+ *         securityModes: [MessageSecurityMode.SignAndEncrypt],
+ *         allowAnonymous: false
+ *     },
+ *     // Internal: inherits everything from main endpoint
+ *     "opc.tcp://internal:48480"
+ * ]
+ * ```
+ */
+export interface AdvertisedEndpointConfig {
+    /** The full endpoint URL, e.g. `"opc.tcp://public.example.com:4840"` */
+    url: string;
+    /** Override security modes (default: inherit from main endpoint) */
+    securityModes?: MessageSecurityMode[];
+    /** Override security policies (default: inherit from main endpoint) */
+    securityPolicies?: SecurityPolicy[];
+    /** Override anonymous access (default: inherit from main endpoint) */
+    allowAnonymous?: boolean;
+    /** Override user token types (default: inherit from main endpoint) */
+    userTokenTypes?: UserTokenType[];
+}
+
+/**
+ * An advertised endpoint entry — either a plain URL string (inherits
+ * all settings from the main endpoint) or a config object with
+ * per-URL security overrides.
+ */
+export type AdvertisedEndpoint = string | AdvertisedEndpointConfig;
+
+/**
+ * Normalize any `advertisedEndpoints` input into a uniform
+ * `AdvertisedEndpointConfig[]`.
+ *
+ * This coercion is done early so that all downstream code
+ * (endpoint generation, IP/hostname extraction) only deals
+ * with one type.
+ */
+export function normalizeAdvertisedEndpoints(raw?: AdvertisedEndpoint | AdvertisedEndpoint[]): AdvertisedEndpointConfig[] {
+    if (!raw) return [];
+    const arr = Array.isArray(raw) ? raw : [raw];
+    return arr.map((entry) => (typeof entry === "string" ? { url: entry } : entry));
+}
+
 export interface AddStandardEndpointDescriptionsParam {
     allowAnonymous?: boolean;
     disableDiscovery?: boolean;
@@ -183,15 +239,61 @@ export interface AddStandardEndpointDescriptionsParam {
     hostname?: string;
     securityPolicies?: SecurityPolicy[];
     userTokenTypes?: UserTokenType[];
+
+    /**
+     * Additional endpoint URL(s) to advertise.
+     *
+     * Use when the server is behind Docker port-mapping,
+     * a reverse proxy, or a NAT gateway.
+     *
+     * Each entry can be a plain URL string (inherits all security
+     * settings from the main endpoint) or an
+     * `AdvertisedEndpointConfig` object with per-URL overrides.
+     *
+     * The server still listens on `port` — these are purely
+     * advertised aliases.
+     *
+     * @example Simple string (inherits main settings)
+     * ```ts
+     * advertisedEndpoints: "opc.tcp://localhost:48481"
+     * ```
+     *
+     * @example Mixed array with per-URL security overrides
+     * ```ts
+     * advertisedEndpoints: [
+     *     "opc.tcp://internal:48480",
+     *     {
+     *         url: "opc.tcp://public.example.com:4840",
+     *         securityModes: [MessageSecurityMode.SignAndEncrypt],
+     *         allowAnonymous: false
+     *     }
+     * ]
+     * ```
+     */
+    advertisedEndpoints?: AdvertisedEndpoint | AdvertisedEndpoint[];
+}
+
+/**
+ * Parse an `opc.tcp://hostname:port` URL and extract hostname and port.
+ * @internal
+ */
+export function parseOpcTcpUrl(url: string): { hostname: string; port: number } {
+    // URL class doesn't understand opc.tcp://, so swap to http://
+    const httpUrl = url.replace(/^opc\.tcp:\/\//i, "http://");
+    const parsed = new URL(httpUrl);
+    return {
+        hostname: parsed.hostname,
+        port: parsed.port ? Number.parseInt(parsed.port, 10) : 4840
+    };
 }
 
 function getUniqueName(name: string, collection: { [key: string]: number }) {
     if (collection[name]) {
         let counter = 0;
-        while (collection[name + "_" + counter.toString()]) {
+        while (collection[`${name}_${counter.toString()}`]) {
             counter++;
         }
-        name = name + "_" + counter.toString();
+        name = `${name}_${counter.toString()}`;
         collection[name] = 1;
         return name;
     } else {
@@ -224,12 +326,12 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
     public transactionsCountOldChannels: number;
     public securityTokenCountOldChannels: number;
     public serverInfo: ApplicationDescription;
-    public objectFactory: any;
+    public objectFactory: unknown;
 
     public _on_new_channel?: (channel: ServerSecureChannelLayer) => void;
     public _on_close_channel?: (channel: ServerSecureChannelLayer) => void;
-    public _on_connectionRefused?: (socketData: any) => void;
-    public _on_openSecureChannelFailure?: (socketData: any, channelData: any) => void;
+    public _on_connectionRefused?: (socketData: ISocketData) => void;
+    public _on_openSecureChannelFailure?: (socketData: ISocketData, channelData: IChannelData) => void;
 
     private _certificateChain: Certificate;
     private _privateKey: PrivateKey;
@@ -307,7 +409,6 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
     }
 
     public toString(): string {
-    
         const txt =
             " end point" +
             this._counter +
@@ -316,7 +417,7 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
             " l = " +
             this._endpoints.length +
             " " +
-            makeSHA1Thumbprint(this.getCertificateChain()).toString("hex")          
+            makeSHA1Thumbprint(this.getCertificateChain()).toString("hex");
         return txt;
     }
 
@@ -392,7 +493,8 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
         assert(resourcePath.length === 0 || resourcePath.charAt(0) === "/", "resourcePath should start with /");
 
         const hostname = options.hostname || getFullyQualifiedDomainName();
-        const endpointUrl = `opc.tcp://${hostname}:${this.port}${resourcePath}`;
+        const effectivePort = options.advertisedPort ?? this.port;
+        const endpointUrl = `opc.tcp://${hostname}:${effectivePort}${resourcePath}`;
 
         const endpoint_desc = this.getEndpointDescription(securityMode, securityPolicy, endpointUrl);
 
@@ -421,6 +523,7 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
                     restricted: !!options.restricted,
                     securityPolicies: options.securityPolicies || [],
 
+                    advertisedPort: options.advertisedPort,
                     userTokenTypes
                 },
                 this
@@ -431,7 +534,7 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
     public addRestrictedEndpointDescription(options: EndpointDescriptionParams): void {
         options = { ...options };
         options.restricted = true;
-        return this.addEndpointDescription(MessageSecurityMode.None, SecurityPolicy.None, options);
+        this.addEndpointDescription(MessageSecurityMode.None, SecurityPolicy.None, options);
     }
 
     public addStandardEndpointDescriptions(options?: AddStandardEndpointDescriptionsParam): void {
@@ -487,6 +590,65 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
                 }
             }
         }
+
+        // ── Advertised endpoints (virtual — no TCP listener) ──────
+        // Normalize to AdvertisedEndpointConfig[] so downstream code
+        // only deals with one type.
+        const advertisedList = normalizeAdvertisedEndpoints(options.advertisedEndpoints);
+
+        // Main endpoint defaults (guaranteed non-null — assigned above)
+        const mainSecurityModes = options.securityModes || defaultSecurityModes;
+        const mainSecurityPolicies = options.securityPolicies || defaultSecurityPolicies;
+        const mainUserTokenTypes = options.userTokenTypes || defaultUserTokenTypes;
+
+        for (const config of advertisedList) {
+            const { hostname: advHostname, port: advPort } = parseOpcTcpUrl(config.url);
+            // Skip if this hostname+port combo was already covered
+            // by the regular hostname loop (same hostname, same port)
+            if (hostnames.some((h) => h.toLowerCase() === advHostname.toLowerCase()) && advPort === this.port) {
+                continue;
+            }
+
+            // Per-URL security overrides — fall back to main settings
+            const entrySecurityModes = config.securityModes ?? mainSecurityModes;
+            const entrySecurityPolicies = config.securityPolicies ?? mainSecurityPolicies;
+            let entryUserTokenTypes = config.userTokenTypes ?? mainUserTokenTypes;
+
+            // Handle allowAnonymous override: if explicitly false,
+            // filter out Anonymous even if the main config allows it
+            if (config.allowAnonymous === false) {
+                entryUserTokenTypes = entryUserTokenTypes.filter((t) => t !== UserTokenType.Anonymous);
+            }
+
+            const optionsE: EndpointDescriptionParams = {
+                hostname: advHostname,
+                advertisedPort: advPort,
+                securityPolicies: entrySecurityPolicies,
+                userTokenTypes: entryUserTokenTypes,
+                allowUnsecurePassword: options.allowUnsecurePassword,
+                alternateHostname: options.alternateHostname,
+                resourcePath: options.resourcePath
+            };
+
+            if (entrySecurityModes.indexOf(MessageSecurityMode.None) >= 0) {
+                this.addEndpointDescription(MessageSecurityMode.None, SecurityPolicy.None, optionsE);
+            } else {
+                if (!options.disableDiscovery) {
+                    this.addRestrictedEndpointDescription(optionsE);
+                }
+            }
+            for (const securityMode of entrySecurityModes) {
+                if (securityMode === MessageSecurityMode.None) {
+                    continue;
+                }
+                for (const securityPolicy of entrySecurityPolicies) {
+                    if (securityPolicy === SecurityPolicy.None) {
+                        continue;
+                    }
+                    this.addEndpointDescription(securityMode, securityPolicy, optionsE);
+                }
+            }
+        }
     }
 
     /**
@@ -502,14 +664,19 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
         assert(typeof callback === "function");
         assert(!this._started, "OPCUAServerEndPoint is already listening");
 
+        if (!this._server) {
+            callback(new Error("Server is not initialized"));
+            return;
+        }
+
         this._listen_callback = callback;
 
-        this._server!.on("error", (err: Error) => {
-            debugLog(chalk.red.bold(" error") + " port = " + this.port, err);
+        this._server.on("error", (err: Error) => {
+            debugLog(`${chalk.red.bold(" error")} port = ${this.port}`, err);
             this._started = false;
             this._end_listen(err);
         });
-        this._server!.on("listening", () => {
+        this._server.on("listening", () => {
             debugLog("server is listening");
         });
 
@@ -518,7 +685,7 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
             host: this.host
         };
 
-        this._server!.listen(
+        this._server.listen(
             listenOptions,
             /*"::",*/ (err?: Error) => {
                 // 'listening' listener
@@ -526,8 +693,8 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
                 assert(!err, " cannot listen to port ");
                 this._started = true;
                 if (!this.port) {
-                    const add = this._server!.address()!;
-                    this.port = typeof add !== "string" ? add.port : this.port;
+                    const add = this._server?.address();
+                    this.port = typeof add !== "string" ? add?.port || 0 : this.port;
                 }
                 this._end_listen();
             }
@@ -536,8 +703,10 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
 
     public killClientSockets(callback: (err?: Error) => void): void {
         for (const channel of this.getChannels()) {
-            const hacked_channel = channel as any;
-            if (hacked_channel.transport && hacked_channel.transport._socket) {
+            const hacked_channel = channel as unknown as {
+                transport: { _socket: { destroy: () => void; emit: (event: string, err: Error) => void } };
+            };
+            if (hacked_channel.transport?._socket) {
                 // hacked_channel.transport._socket.close();
                 hacked_channel.transport._socket.destroy();
                 hacked_channel.transport._socket.emit("error", new Error("EPIPE"));
@@ -547,8 +716,9 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
     }
 
     public suspendConnection(callback: (err?: Error) => void): void {
-        if (!this._started) {
-            return callback(new Error("Connection already suspended !!"));
+        if (!this._started || !this._server) {
+            callback(new Error("Connection already suspended !!"));
+            return;
         }
 
         // Stops the server from accepting new connections and keeps existing connections.
@@ -557,9 +727,9 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
         // The optional callback will be called once the 'close' event occurs.
         // Unlike that event, it will be called with an Error as its only argument
         // if the server was not open when it was closed.
-        this._server!.close(() => {
+        this._server.close(() => {
             this._started = false;
-            debugLog("Connection has been closed !" + this.port);
+            debugLog(`Connection has been closed !${this.port}`);
         });
         this._started = false;
         callback();
@@ -585,20 +755,30 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
             this.suspendConnection(() => {
                 // shutdown all opened channels ...
                 const _channels = Object.values(this._channels);
-                async.each(
-                    _channels,
-                    (channel: ServerSecureChannelLayer, callback1: (err?: Error) => void) => {
-                        this.shutdown_channel(channel, callback1);
-                    },
-                    (err?: Error | null) => {
+                const promises = _channels.map(
+                    (channel) =>
+                        new Promise<void>((resolve, reject) => {
+                            this.shutdown_channel(channel, (err?: Error) => {
+                                if (err) {
+                                    reject(err);
+                                } else {
+                                    resolve();
+                                }
+                            });
+                        })
+                );
+                Promise.all(promises)
+                    .then(() => {
                         /* c8 ignore next */
                         if (!(Object.keys(this._channels).length === 0)) {
                             errorLog(" Bad !");
                         }
                         assert(Object.keys(this._channels).length === 0, "channel must have unregistered themselves");
-                        callback(err || undefined);
-                    }
-                );
+                        callback();
+                    })
+                    .catch((err) => {
+                        callback(err);
+                    });
             });
         } else {
             callback();
@@ -657,10 +837,10 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
     }
 
     private _dump_statistics() {
-        this._server!.getConnections((err: Error | null, count: number) => {
+        this._server?.getConnections((_err: Error | null, count: number) => {
             debugLog(chalk.cyan("CONCURRENT CONNECTION = "), count);
         });
-        debugLog(chalk.cyan("MAX CONNECTIONS = "), this._server!.maxConnections);
+        debugLog(chalk.cyan("MAX CONNECTIONS = "), this._server?.maxConnections);
     }
 
     private _setup_server() {
@@ -672,11 +852,11 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
 
         this._listen_callback = undefined;
         this._server
-            .on("connection", (socket: NodeJS.Socket) => {
+            .on("connection", (socket: Socket) => {
                 // c8 ignore next
                 if (doDebug) {
                     this._dump_statistics();
-                    debugLog("server connected  with : " + (socket as any).remoteAddress + ":" + (socket as any).remotePort);
+                    debugLog(`server connected  with : ${socket.remoteAddress}:${socket.remotePort}`);
                 }
             })
             .on("close", () => {
@@ -710,7 +890,7 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
                         "The maximum number of connection has been reached - Connection is refused"
                 )
             );
-            const reason = "maxConnections reached (" + this.maxConnections + ")";
+            const reason = `maxConnections reached (${this.maxConnections})`;
             const socketData = extractSocketData(socket, reason);
             this.emit("connectionRefused", socketData);
 
@@ -725,7 +905,7 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
                     " nbConnections ",
                     nbConnections,
                     " self._server.maxConnections",
-                    this._server!.maxConnections,
+                    this._server?.maxConnections,
                     this.maxConnections
                 );
                 deny_connection();
@@ -741,7 +921,7 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
                 timeout: this.timeout,
                 adjustTransportLimits: this.transportSettings?.adjustTransportLimits
             });
-     
+
             debugLog("channel Timeout = >", channel.timeout);
 
             socket.resume();
@@ -752,7 +932,7 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
                 this._un_pre_registerChannel(channel);
                 debugLog(chalk.yellow.bold("Channel#init done"), err);
                 if (err) {
-                    const reason = "openSecureChannel has Failed " + err.message;
+                    const reason = `openSecureChannel has Failed ${err.message}`;
                     const socketData = extractSocketData(socket, reason);
                     const channelData = extractChannelData(channel);
                     this.emit("openSecureChannelFailure", socketData, channelData);
@@ -804,7 +984,7 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
         delete this._channels[channel.hashKey];
         const channelPriv = <ServerSecureChannelLayerPriv>channel;
         if (typeof channelPriv._unpreregisterChannelEvent === "function") {
-            channel.removeListener("abort", channelPriv._unpreregisterChannelEvent!);
+            channel.removeListener("abort", channelPriv._unpreregisterChannelEvent);
             channelPriv._unpreregisterChannelEvent = undefined;
         }
     }
@@ -870,8 +1050,7 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
 
     private _end_listen(err?: Error) {
         if (!this._listen_callback) return;
-        assert(typeof this._listen_callback === "function");
-        this._listen_callback!(err);
+        this._listen_callback(err);
         this._listen_callback = undefined;
     }
 
@@ -900,17 +1079,18 @@ export class OPCUAServerEndPoint extends EventEmitter implements ServerSecureCha
 
         if (nbConnections >= this.maxConnections) {
             // c8 ignore next
-            errorLog(chalk.bgRed.white("PREVENTING DDOS ATTACK => maxConnection =" + this.maxConnections));
+            errorLog(chalk.bgRed.white(`PREVENTING DDOS ATTACK => maxConnection =${this.maxConnections}`));
 
             const unused_channels: ServerSecureChannelLayer[] = this.getChannels().filter((channel1: ServerSecureChannelLayer) => {
                 return !channel1.hasSession;
             });
             if (unused_channels.length === 0) {
-                doDebug && console.log(
-                    this.getChannels()
-                        .map(({ status, isOpened, hasSession }) => `${status} ${isOpened} ${hasSession}\n`)
-                        .join(" ")
-                );
+                doDebug &&
+                    console.log(
+                        this.getChannels()
+                            .map(({ status, isOpened, hasSession }) => `${status} ${isOpened} ${hasSession}\n`)
+                            .join(" ")
+                    );
                 // all channels are in used , we cannot get any
                 errorLog(`All channels are in used ! we cannot cancel any ${this.getChannels().length}`);
                 // c8 ignore next
@@ -990,6 +1170,12 @@ interface MakeEndpointDescriptionOptions {
     securityPolicies: SecurityPolicy[];
 
     userTokenTypes: UserTokenType[];
+    /**
+     * Override the port used in the dynamic endpointUrl getter.
+     * When set, the endpoint URL advertises this port instead of
+     * the parent's listen port.
+     */
+    advertisedPort?: number;
     /**
      *
      * default value: false;
@@ -1031,7 +1217,6 @@ function estimateSecurityLevel(securityMode: MessageSecurityMode, securityPolicy
             return 7 + offset;
 
         default:
-        case SecurityPolicy.None:
             return 1;
     }
 }
@@ -1052,7 +1237,7 @@ function _makeEndpointDescription(options: MakeEndpointDescriptionOptions, paren
         options.securityLevel === undefined
             ? estimateSecurityLevel(options.securityMode, options.securityPolicy)
             : options.securityLevel;
-    assert(isFinite(options.securityLevel), "expecting a valid securityLevel");
+    assert(Number.isFinite(options.securityLevel), "expecting a valid securityLevel");
 
     const securityPolicyUri = toURI(options.securityPolicy);
 
@@ -1175,14 +1360,15 @@ function _makeEndpointDescription(options: MakeEndpointDescriptionOptions, paren
         userIdentityTokens,
 
         securityLevel: options.securityLevel,
-        transportProfileUri: default_transportProfileUri
+        transportProfileUri: UATCP_UASC_UABINARY
     }) as EndpointDescriptionEx;
     endpoint._parent = parent;
 
     // endpointUrl is dynamic as port number may be adjusted
     // when the tcp socket start listening
+    // biome-ignore lint/suspicious/noExplicitAny: __defineGetter__ not in standard typings
     (endpoint as any).__defineGetter__("endpointUrl", () => {
-        const port = endpoint._parent.port;
+        const port = options.advertisedPort ?? endpoint._parent.port;
         const resourcePath = options.resourcePath || "";
         const hostname = options.hostname;
         const endpointUrl = `opc.tcp://${hostname}:${port}${resourcePath}`;
@@ -1212,7 +1398,7 @@ function matching_endpoint(
 ): boolean {
     assert(endpoint instanceof EndpointDescription);
     const endpoint_securityPolicy = fromURI(endpoint.securityPolicyUri);
-    if (endpointUrl && endpoint.endpointUrl! !== endpointUrl) {
+    if (endpointUrl && endpoint.endpointUrl !== endpointUrl) {
         return false;
     }
     return endpoint.securityMode === securityMode && endpoint_securityPolicy === securityPolicy;
@@ -1220,9 +1406,7 @@ function matching_endpoint(
 
 const defaultSecurityModes = [MessageSecurityMode.None, MessageSecurityMode.Sign, MessageSecurityMode.SignAndEncrypt];
 
-
 const defaultSecurityPolicies = [
-
     // now deprecated  Basic128Rs15 shall be disabled by default
     // see https://profiles.opcfoundation.org/profile/1532
     // SecurityPolicy.Basic128Rsa15,
@@ -1230,10 +1414,10 @@ const defaultSecurityPolicies = [
     // now deprecated Basic256 shall be disabled by default
     // see https://profiles.opcfoundation.org/profile/2062
     // SecurityPolicy.Basic256,
-    
+
     // xx UNUSED!!  SecurityPolicy.Basic192Rsa15,
     // xx UNUSED!!  SecurityPolicy.Basic256Rsa15,
-    
+
     SecurityPolicy.Basic256Sha256,
     SecurityPolicy.Aes128_Sha256_RsaOaep,
     SecurityPolicy.Aes256_Sha256_RsaPss