What are the best practices, considering the gateway will act as historian and the user that will access the historian can be on the business LAN (and can ask for big quantities of data)?
Should the gateway be installed on the business LAN? Or on the control LAN?
You’re missing an important section in your Architecture.
There should be a DMZ between the Business Firewall and the Control Firewall.
Business LAN >>> Business Firewall >>> DMZ >>> Control Firewall >>> Control LAN
Servers which require access to both networks should be located inside of the DMZ; this is where your gateway should exist, as well as other things like database servers, etc.
Edit:
Also, if you do not feel like opening a hole in the Control Firewall for your control devices, then one option is to have a second gateway which exists inside of the Control Network and is a remote tag provider to the Gateway in the DMZ; this way the ACL need only be modified to allow traffic between the two gateways.
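
The zone model in the answer above can be checked mechanically against a firewall's allow rules. The following is an added example, not code from the thread: the subnets, gateway addresses and rule names are constructed assumptions. It flags any rule that lets the Business LAN and Control LAN talk directly and, for the two-gateway option, any Control Firewall rule wider than gateway-to-gateway.

```python
import ipaddress

# Constructed zone addressing (assumption; not from the original thread).
ZONES = {
    "business": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("10.30.0.0/16"),
}
# Hypothetical gateway hosts for the two-gateway option.
GATEWAY_PAIR = {ipaddress.ip_network("10.20.0.10/32"),   # gateway in the DMZ
                ipaddress.ip_network("10.30.0.10/32")}   # gateway in the control LAN


def zones_touched(cidr):
    """Return every zone that a rule's source or destination CIDR overlaps."""
    net = ipaddress.ip_network(cidr)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}


def audit(rules, gateway_pair_only=False):
    """Return (rule_name, finding) for allow rules that break the zone model.

    rules: iterable of (name, src_cidr, dst_cidr).
    gateway_pair_only: enforce the second option, where the Control Firewall
    permits traffic only between the two gateways.
    """
    findings = []
    for name, src, dst in rules:
        src_z, dst_z = zones_touched(src), zones_touched(dst)
        # Business and control must never reach each other without the DMZ.
        # Broad "any" sources overlap several zones and are caught here too.
        if ("business" in src_z and "control" in dst_z) or \
           ("control" in src_z and "business" in dst_z):
            findings.append((name, "bypasses DMZ"))
            continue
        crosses_control_fw = src_z != dst_z and "control" in (src_z | dst_z)
        if gateway_pair_only and crosses_control_fw:
            endpoints = {ipaddress.ip_network(src), ipaddress.ip_network(dst)}
            if endpoints != GATEWAY_PAIR:
                findings.append((name, "wider than gateway-to-gateway"))
    return findings


# Constructed sample rule set.
SAMPLE_RULES = [
    ("hist-clients", "10.10.0.0/16", "10.20.0.10/32"),   # business -> DMZ gateway
    ("gw-sync", "10.20.0.10/32", "10.30.0.10/32"),       # DMZ gateway -> control gateway
    ("plc-poll", "10.20.0.10/32", "10.30.5.0/24"),       # DMZ gateway -> control devices
    ("report-direct", "10.10.4.20/32", "10.30.5.7/32"),  # business -> control device
    ("legacy-any", "0.0.0.0/0", "10.30.0.0/16"),         # any -> control LAN
]
```

With the single-gateway layout `plc-poll` is the accepted hole in the Control Firewall; with `gateway_pair_only=True` it is reported, since only the two gateways should be able to cross that firewall.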