Agent to server connection is a TLS tunnel carrying virtual server to agent connections.
For TLS tunnel operation server needs certificate (with private key) as well as CA certificate. Take the following steps to prepare server for using agent tunnels:
1. Issue server certificate by your certificate authority. Certificate usage should allow certificate signing (it will be used by server for issuing agent certificates).
2. Store CA certificate and server certificate somewhere on server file system. Certificates should be in PEM format, server certificate file should contain private key as well.
3. Add the following lines to netxmsd.conf:
ServerCACertificate = /path/to/ca.crt ServerCertificate = /path/to/server.crt ServerCertificatePassword = server_pk_password
If certificate chain for server certificate is longer all upper level certificates should be added to configuration file by adding multiple ServerCACertificate entries.
4. Restart server.
Add the following line to nxagentd.conf:
ServerConnection = server.hostname
DNS name or IP address can be used. Server listed in ServerConnection parameter will automatically get minimal access to agent as if listed in Servers parameter. If higher access level is required server should be listed in ControlServers or MasterServers as usual.
When agent establishes connection with the server it will create unbound tunnel (not associated with any node). List of active tunnels can be seen in agent tunnel manager (in management console go to "Configuration" menu and select "Agent Tunnel Manager") or can be obtained via server debug console using command
To associate unbound tunnel with node right click on tunnel entry in agent tunnel manager and choose "Bind" or use debug console command
tunnel bind tunnel_id_here node_id_here
When tunnel is bound server will issue new certificate to agent and agent will restart tunnel. After bound tunnel is established server will use it for all communications with that agent.
If node expected to be reachable only via agent established tunnel you can set it's IP address to 0.0.0.0 to indicate that direct communications are disabled.