Difference between revisions of "How to configure agent to server connection"
(Created page with "Agent to server connection is a TLS tunnel carrying virtual server to agent connections. = Server Preparation = For TLS tunnel operation server needs certificate (with priva...") |
m (Text replacement - "^" to "{{deprecated}}") |
||
(2 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
Agent to server connection is a TLS tunnel carrying virtual server to agent connections. | {{deprecated}}Agent to server connection is a TLS tunnel carrying virtual server to agent connections. | ||
= Server Preparation = | = Server Preparation = | ||
Line 5: | Line 5: | ||
For TLS tunnel operation server needs certificate (with private key) as well as CA certificate. Take the following steps to prepare server for using agent tunnels: | For TLS tunnel operation server needs certificate (with private key) as well as CA certificate. Take the following steps to prepare server for using agent tunnels: | ||
1. Issue server certificate by your certificate authority. | 1. Issue server certificate by your certificate authority. Certificate usage should allow certificate signing (it will be used by server for issuing agent certificates). | ||
2. Store CA certificate and server certificate somewhere on server file system. Certificates should be in PEM format, server certificate file should contain private key as well. | 2. Store CA certificate and server certificate somewhere on server file system. Certificates should be in PEM format, server certificate file should contain private key as well. | ||
3. Add the following lines to netxmsd.conf: | 3. Add the following lines to netxmsd.conf: | ||
ServerCACertificate = /path/to/ca.crt | ServerCACertificate = /path/to/ca.crt | ||
ServerCertificate = /path/to/server.crt | ServerCertificate = /path/to/server.crt | ||
ServerCertificatePassword = server_pk_password | ServerCertificatePassword = server_pk_password | ||
If certificate chain for server certificate is longer all upper level certificates should be added to configuration file by adding multiple ServerCACertificate entries. | |||
4. Restart server. | 4. Restart server. | ||
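Review bot: the sentence added to step 1 makes the server certificate a signing certificate for agent certificates, yet step 3 keeps its private key password in clear text as "ServerCertificatePassword = server_pk_password" and step 2 says only "somewhere on server file system". Suggest adding a line on restricting read access to netxmsd.conf and the server certificate file to the server's account, and spelling out what "certificate usage should allow certificate signing" means as a request to the CA.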
Line 21: | Line 26: | ||
= Server Configuration = | = Server Configuration = | ||
When agent establishes connection with the server it will create unbound tunnel (not associated with any node). List of active tunnels can be obtained via server debug console using command | When agent establishes connection with the server it will create unbound tunnel (not associated with any node). List of active tunnels can be seen in agent tunnel manager (in management console go to "Configuration" menu and select "Agent Tunnel Manager") or can be obtained via server debug console using command | ||
show tunnels | show tunnels | ||
To associate unbound tunnel with node use command | To associate unbound tunnel with node right click on tunnel entry in agent tunnel manager and choose "Bind" or use debug console command | ||
tunnel bind tunnel_id_here node_id_here | tunnel bind tunnel_id_here node_id_here | ||
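Review bot: the new "Bind" instruction in the second changed paragraph says how to bind a tunnel but not how to decide that an unbound tunnel belongs to the intended node. Since the first paragraph states that an agent connecting to the server creates an unbound tunnel, suggest adding which details of the tunnel entry the operator should compare against the node before choosing "Bind" or running "tunnel bind".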
Latest revision as of 18:13, 13 September 2022
This Wiki is deprecated and we are currently migrating remaining pages into product documentation (Admin Guide, NXSL Guide).
Agent to server connection is a TLS tunnel carrying virtual server to agent connections.
Server Preparation
For TLS tunnel operation the server needs a certificate (with private key) as well as the CA certificate. Take the following steps to prepare the server for using agent tunnels:
1. Have your certificate authority issue a server certificate. The certificate usage should allow certificate signing (the server will use it for issuing agent certificates).
2. Store the CA certificate and the server certificate somewhere on the server file system. Certificates should be in PEM format, and the server certificate file should contain the private key as well.
3. Add the following lines to netxmsd.conf:
ServerCACertificate = /path/to/ca.crt
ServerCertificate = /path/to/server.crt
ServerCertificatePassword = server_pk_password
If the certificate chain for the server certificate is longer, all upper-level certificates should be added to the configuration file by adding multiple ServerCACertificate entries.
4. Restart server.
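A preflight check for the settings from steps 1 to 3, as an added example (not part of the NetXMS documentation or code). It assumes the key = value layout shown above; the function names and sample files are constructed for illustration, and the permission checks are a suggested hardening step rather than a NetXMS requirement.

```shell
#!/bin/sh
# Added example: preflight check of the tunnel settings in netxmsd.conf.
# Prints one line per problem and returns the number of problems found.
conf_values() {   # conf_values FILE KEY -> values of KEY, one per line
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//'
}
world_access() {  # true if "other" users have any permission on FILE
    [ "$(ls -ldL "$1" | cut -c8-10)" != "---" ]
}
check_tunnel_conf() {
    conf=$1; problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    cas=$(conf_values "$conf" ServerCACertificate)
    [ -n "$cas" ] || fail "no ServerCACertificate entry"
    while IFS= read -r ca; do       # one entry per certificate in the chain
        [ -z "$ca" ] && continue
        grep -q -e '-----BEGIN CERTIFICATE-----' "$ca" 2>/dev/null ||
            fail "$ca: missing or not a PEM certificate"
    done <<EOF
$cas
EOF

    srv=$(conf_values "$conf" ServerCertificate | tail -n 1)
    if [ -z "$srv" ] || [ ! -r "$srv" ]; then
        fail "ServerCertificate not set or not readable"
    else
        grep -q -e '-----BEGIN CERTIFICATE-----' "$srv" || fail "$srv: no PEM certificate"
        grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$srv" || fail "$srv: no private key"
        world_access "$srv" && fail "$srv: key file is accessible to all users"
    fi
    # The key password sits in clear text, so the config file is a secret too.
    if [ -n "$(conf_values "$conf" ServerCertificatePassword)" ] && world_access "$conf"; then
        fail "$conf: holds ServerCertificatePassword but is accessible to all users"
    fi
    return "$problems"
}

# Constructed sample (dummy PEM bodies): server.crt lacks the private key
d=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' > "$d/ca.crt"
cp "$d/ca.crt" "$d/server.crt"; chmod 600 "$d/server.crt"
printf '%s\n' "ServerCACertificate = $d/ca.crt" "ServerCertificate = $d/server.crt" \
    'ServerCertificatePassword = server_pk_password' > "$d/netxmsd.conf"
chmod 644 "$d/netxmsd.conf"
check_tunnel_conf "$d/netxmsd.conf" || echo "$? problem(s) found"
rm -rf "$d"
```

Run it against the real netxmsd.conf before restarting the server in step 4.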
Agent Configuration
Add the following line to nxagentd.conf:
ServerConnection = server.hostname
A DNS name or IP address can be used. The server listed in the ServerConnection parameter will automatically get minimal access to the agent, as if it were listed in the Servers parameter. If a higher access level is required, the server should be listed in ControlServers or MasterServers as usual.
Server Configuration
When an agent establishes a connection with the server, it will create an unbound tunnel (not associated with any node). The list of active tunnels can be seen in the agent tunnel manager (in the management console, go to the "Configuration" menu and select "Agent Tunnel Manager") or can be obtained via the server debug console using the command
show tunnels
To associate an unbound tunnel with a node, right-click on the tunnel entry in the agent tunnel manager and choose "Bind", or use the debug console command
tunnel bind tunnel_id_here node_id_here
When a tunnel is bound, the server will issue a new certificate to the agent and the agent will restart the tunnel. After the bound tunnel is established, the server will use it for all communications with that agent.
If a node is expected to be reachable only via an agent-established tunnel, you can set its IP address to 0.0.0.0 to indicate that direct communications are disabled.