How to configure agent to server connection

From NetXMS Wiki
Revision as of 11:16, 9 April 2017 by Victor (talk | contribs) (Created page with "Agent to server connection is a TLS tunnel carrying virtual server to agent connections. = Server Preparation = For TLS tunnel operation server needs certificate (with priva...")

Agent to server connection is a TLS tunnel carrying virtual server to agent connections.

Server Preparation

For TLS tunnel operation the server needs its own certificate (with private key) as well as the CA certificate. Take the following steps to prepare the server for using agent tunnels:

1. Issue a server certificate from your certificate authority.
2. Store the CA certificate and the server certificate somewhere on the server file system. Certificates should be in PEM format, and the server certificate file should contain the private key as well.
3. Add the following lines to netxmsd.conf:

 ServerCACertificate = /path/to/ca.crt
 ServerCertificate = /path/to/server.crt
 ServerCertificatePassword = server_pk_password

4. Restart server.

Agent Configuration

Add the following line to nxagentd.conf:

 ServerConnection = server.hostname

A DNS name or an IP address can be used. The server listed in the ServerConnection parameter will automatically get minimal access to the agent, as if it were listed in the Servers parameter. If a higher access level is required, the server should be listed in ControlServers or MasterServers as usual.
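The two configuration steps above (server certificate files plus the agent's ServerConnection entry) are easy to get subtly wrong: a server certificate file without the private key, or a server name that is expected to have control access but is only listed in ServerConnection. The following preflight checker is an added example written for this page, not NetXMS code. It parses "Key = value" configuration text, checks that the PEM files referenced by netxmsd.conf carry the required blocks, and reports the access level the tunnel server will have on the agent according to the rule above. All file paths, host names and PEM contents are constructed stand-ins; the checker reads them from an in-memory dictionary rather than from disk.

```python
"""Preflight check for NetXMS agent-tunnel settings (added example, not NetXMS code)."""
import re

# A PEM block: "-----BEGIN <TYPE>-----" ... "-----END <TYPE>-----" (same TYPE on both ends).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def parse_conf(text):
    """Parse 'Key = value' lines ('#' starts a comment). Repeated keys accumulate into a list."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf.setdefault(key, []).append(value)
    return conf

def pem_block_types(pem_text):
    """Return the block types found in a PEM file, e.g. ['CERTIFICATE', 'ENCRYPTED PRIVATE KEY']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]

def check_server_side(conf, files):
    """Return a list of problems with the server-side tunnel settings (empty list means OK).

    `files` maps a path to file content; it stands in for reading the file system.
    """
    problems = []
    for key in ("ServerCACertificate", "ServerCertificate", "ServerCertificatePassword"):
        if key not in conf:
            problems.append(f"netxmsd.conf: missing {key}")
    ca_path = conf.get("ServerCACertificate", [None])[0]
    if ca_path is not None and "CERTIFICATE" not in pem_block_types(files.get(ca_path, "")):
        problems.append(f"{ca_path}: no PEM certificate found")
    srv_path = conf.get("ServerCertificate", [None])[0]
    if srv_path is not None:
        types = pem_block_types(files.get(srv_path, ""))
        if "CERTIFICATE" not in types:
            problems.append(f"{srv_path}: no PEM certificate found")
        # The page requires the private key to live in the same PEM file as the server certificate.
        if not any(t.endswith("PRIVATE KEY") for t in types):
            problems.append(f"{srv_path}: private key must be in the same PEM file as the certificate")
    return problems

def _hosts(conf, key):
    """Collect comma-separated host lists from every occurrence of `key`."""
    hosts = set()
    for value in conf.get(key, []):
        hosts.update(h.strip() for h in value.split(",") if h.strip())
    return hosts

def agent_access_level(conf):
    """Access level the ServerConnection host gets on the agent: 'minimal' unless it is
    also listed in ControlServers or MasterServers; None if ServerConnection is absent."""
    server = conf.get("ServerConnection", [None])[0]
    if server is None:
        return None
    if server in _hosts(conf, "MasterServers"):
        return "master"
    if server in _hosts(conf, "ControlServers"):
        return "control"
    return "minimal"

# --- constructed sample inputs (placeholder paths, hosts and PEM bodies, not real keys) ---
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nAAAAconstructedAAAA\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nBBBBconstructedBBBB\n-----END ENCRYPTED PRIVATE KEY-----\n"
FILES = {
    "/etc/netxms/ca.crt": FAKE_CERT,
    "/etc/netxms/server.crt": FAKE_CERT + FAKE_KEY,   # certificate and key in one file, as required
    "/etc/netxms/cert-only.crt": FAKE_CERT,           # common mistake: key stored separately
}
SERVER_CONF_OK = """# netxmsd.conf (constructed)
ServerCACertificate = /etc/netxms/ca.crt
ServerCertificate = /etc/netxms/server.crt
ServerCertificatePassword = server_pk_password
"""
SERVER_CONF_BAD = SERVER_CONF_OK.replace("/etc/netxms/server.crt", "/etc/netxms/cert-only.crt")
AGENT_CONF = """# nxagentd.conf (constructed)
ServerConnection = netxms.example.com
"""

if __name__ == "__main__":
    print("good server config:", check_server_side(parse_conf(SERVER_CONF_OK), FILES))
    print("bad server config: ", check_server_side(parse_conf(SERVER_CONF_BAD), FILES))
    print("agent access level:", agent_access_level(parse_conf(AGENT_CONF)))
    print("with MasterServers:", agent_access_level(parse_conf(AGENT_CONF + "MasterServers = netxms.example.com\n")))
```

Run it as a script to see the report for the constructed inputs; to use it against a real installation, replace the FILES dictionary with the contents of the paths named in your netxmsd.conf. The PEM check is deliberately syntactic (it looks for block headers, not validity), so a passing result still leaves certificate chain verification to the server itself.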

Server Configuration

When the agent establishes a connection with the server it will create an unbound tunnel (one not associated with any node). The list of active tunnels can be obtained via the server debug console using the command

 show tunnels

To associate an unbound tunnel with a node, use the command

 tunnel bind tunnel_id_here node_id_here

When the tunnel is bound, the server will issue a new certificate to the agent and the agent will restart the tunnel. After the bound tunnel is established, the server will use it for all communications with that agent.

If a node is expected to be reachable only via the agent-established tunnel, you can set its IP address to 0.0.0.0 to indicate that direct communications are disabled.