<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Thanks for the info. I checked the ciphers/protocols on the 2008 box
and they're all the defaults. I've enabled the latest that match
what my Xymon server is configured with and now I'm just waiting
until after hours to reboot my box and hope it connects.<br>
<br>
Here's what I use.<br>
<a class="moz-txt-link-freetext" href="https://www.nartac.com/Products/IISCrypto/">https://www.nartac.com/Products/IISCrypto/</a><br>
<br>
<pre class="moz-signature" cols="72">Kris Springer
</pre>
<div class="moz-cite-prefix">On 11/8/18 11:20 AM, Timothy Williams
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAMVnr4O0gQhgGFG67EhEziwEAG9nvwtN+tdprMsT0BRoOM+95w@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">
<div class="gmail_default"><a
href="https://support.microsoft.com/en-us/help/4019276/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows"
moz-do-not-send="true">https://support.microsoft.com/en-us/help/4019276/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows</a>
has instructions to make sure TLS is enabled in Windows. You
may have to check Apache settings to see what ciphers and/or
protocols are enabled on that end.<br>
</div>
<div>
<div dir="ltr" class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<p><b><i>Timothy L. Williams</i></b></p>
<p><span><b>Operating Systems Analyst</b><br>
Virginia Commonwealth University
Computer Center<br>
900 East Main St. STE 1141 Richmond VA
23219<br>
<b><a href="tel:(804)%20828-0556"
value="+18046282441"
target="_blank"
moz-do-not-send="true">804-828-0556</a></b></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Thu, Nov 8, 2018 at 12:54 PM Kris Springer
<<a href="mailto:kspringer@innovateteam.com"
moz-do-not-send="true">kspringer@innovateteam.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote">
<div> It's confirmed working great on Windows Server 2012, but
not 2008. Can you point me in a direction to look for a
solution to the cipher issues? I'm not going to reduce
things to port 80, I want to keep things on 443.<br>
<br>
<pre class="m_-2746583202941194313moz-signature" cols="72">Kris Springer
</pre>
<div class="m_-2746583202941194313moz-cite-prefix">On
11/8/18 10:23 AM, Timothy Williams wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default">The red flag that popped out
at me was the 2008 R2. Have you checked the ciphers
and protocols? Try port 80 HTTP and see if it works.</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Thu, Nov 8, 2018 at 12:13 PM Kris
Springer <<a
href="mailto:kspringer@innovateteam.com"
target="_blank" moz-do-not-send="true">kspringer@innovateteam.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote">
<div> I may have spoken too soon. It's indeed working
on box1, but when I edited the
xymonclient_config.xml on box2 and re-entered the
password so box2 would re-encrypt it for its
connection to the server, it's timing out. Does
each client need its own individual user/pass?
That seems unnecessary. I just tried different
credentials and it still timed out. The difference
between box1 and box2 is the OS. They're on the
same network and can both reach the server via https
so I don't think it's a networking issue.<br>
box1 = Windows 10 Pro<br>
box2 = Windows Server 2008 R2 Enterprise<br>
<br>
Apache logs show nothing unusual.<br>
I've looked at all the logs I can find on the server
but I'm not seeing anything that would tip me off as
to the issue. <br>
Ideas?<br>
<br>
<pre class="m_-2746583202941194313m_-3186693113565078430moz-signature" cols="72">Kris Springer
</pre>
<div
class="m_-2746583202941194313m_-3186693113565078430moz-cite-prefix">On
11/8/18 2:25 AM, Beck, Zak wrote:<br>
</div>
<blockquote type="cite">
<div
class="m_-2746583202941194313m_-3186693113565078430WordSection1">
<p class="MsoNormal"><span>Hi Kris</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Yes, I have it
working. As you say, the URL needs to
include the full path to xymoncgimsg.cgi.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>All xymoncgimsg.cgi
does as far as I can tell is relay the
message(s) received over HTTPS via TCP to
localhost port 1984 (which is what the man
page says as well). So you need that
listening (which by default it will be).</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>I don’t recall making
any other config changes to make this work
(aside from Apache etc to sort out the
authentication).</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>I suspect the time
out is waiting for the response – when you
submit data to Xymon, you normally get the
client local config back from the server.
This comes back via the HTTPS response.
There is a timeout setting – sorry I forgot
to document it in the table in the Word doc
– serverHttpTimeoutMs – which defaults to
100000 milliseconds – i.e. 100 seconds. This
is the time it waits for the response from
the server. 100 seconds is pretty generous
unless you’re traversing particularly slow
VPNs or saturated connections. You can
override this in the xymonclient_config.xml
file.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>I’m assuming you’re
getting this message:</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span> " Connecting to
$($url), body length $($body.Length),
timeout
$($script:XymonSettings.serverHttpTimeoutMs)ms"</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>And then this one
(with a timeout exception):</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span> " Exception
connecting to $($url):`n$($_)"</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>And not either of
these:</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span> " FAILED,
HTTP response code: $($response.StatusCode)
($statusCode)"</span></p>
<p class="MsoNormal"><span>or</span></p>
<p class="MsoNormal"><span> " Received
$($output.Length) bytes from server"</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Zak </span><span></span></p>
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Xymon <a
class="m_-2746583202941194313m_-3186693113565078430moz-txt-link-rfc2396E"
href="mailto:xymon-bounces@xymon.com"
target="_blank" moz-do-not-send="true">&lt;xymon-bounces@xymon.com&gt;</a>
<b>On Behalf Of </b><a
class="m_-2746583202941194313m_-3186693113565078430moz-txt-link-abbreviated"
href="mailto:kspringer@innovateteam.com"
target="_blank" moz-do-not-send="true">kspringer@innovateteam.com</a><br>
<b>Sent:</b> Thursday, 8 November 2018 08:51<br>
<b>To:</b> Xymon MailingList <a
class="m_-2746583202941194313m_-3186693113565078430moz-txt-link-rfc2396E"
href="mailto:xymon@xymon.com"
target="_blank" moz-do-not-send="true">&lt;xymon@xymon.com&gt;</a><br>
<b>Subject:</b> [External] Re: [Xymon]
PSclient sending from intranet</span></p>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">Anyone have
xymoncgimsg.cgi functioning on their server
and successfully receiving PSclient data
over HTTPS? The documentation for this is
vague and doesn't specify how to make it
work. Any specifics would be greatly
appreciated. <br>
<br>
Thanks, <br>
Kris Springer<br>
<br>
<br>
-----Original Message-----<br>
From: Timothy Williams <<a
href="mailto:tlwilliams4@vcu.edu"
target="_blank" moz-do-not-send="true">tlwilliams4@vcu.edu</a>><br>
To: <a
href="mailto:kspringer@innovateteam.com"
target="_blank" moz-do-not-send="true">kspringer@innovateteam.com</a><br>
Cc: <a href="mailto:xymon@xymon.com"
target="_blank" moz-do-not-send="true">xymon@xymon.com</a><br>
Sent: Tue, 06 Nov 2018 2:22 PM<br>
Subject: Re: [Xymon] PSclient sending from
intranet</p>
</div>
<div>
<div>
<p class="MsoNormal"><span>Alas, I am unable
to help further, as my InfoSec allows
port 1984, and not 80 or 443 to Xymon,
so I don't have http running. </span></p>
</div>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
<div>
<p class="MsoNormal"><span>Tim</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Tue, Nov 6, 2018 at
3:29 PM Kris Springer <<a
href="mailto:kspringer@innovateteam.com"
target="_blank" moz-do-not-send="true">kspringer@innovateteam.com</a>>
wrote:</p>
</div>
<blockquote>
<div>
<p class="MsoNormal">I've configured one
of my PSclients to test this HTTPS
functionality, and it indeed does try to
send data over port 443. But the client
logs say that my Xymon server is timing
out. Is there a specific server url
path that I need to be using? The
documentation doesn't give any example.<br>
<br>
<br>
</p>
<pre>Kris Springer</pre>
<pre> </pre>
<pre> </pre>
<div>
<p class="MsoNormal">On 11/6/18 7:54 AM,
Timothy Williams wrote:</p>
</div>
<blockquote>
<div>
<div>
<div>
<p class="MsoNormal">The
Powershell client can connect to
the Xymon server using TCP port
1984 as default, but can also
connect using HTTP or HTTPS
with/without user/password. You
likely have port 80 or 443 open.
Here are Word doc details:</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<div>
<p class="MsoNormal">HTTP is an
alternate method. It can be
used if you have
xymoncgimsg.cgi running on the
web server on your Xymon
server – see <a
href="https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html"
target="_blank"
moz-do-not-send="true">
https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html</a>. The
web server running the CGI can
be configured for SSL (i.e.
HTTPS) and / or authentication
– XymonPSClient supports basic
authentication and SSL. If you
require authentication, the
&lt;serverHttpUsername&gt; and
&lt;serverHttpPassword&gt;
elements should be configured.</p>
</div>
<div>
<p class="MsoNormal">If you are
using HTTP and transmitting
over unsecure networks (e.g.
the internet), it is strongly
recommended to enable SSL,
authentication and disallow
HTTP connections.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">ServerHttpPassword
encryption</p>
</div>
<div>
<p class="MsoNormal">If
&lt;serverHttpPassword&gt; is
set, the Xymon client will
encrypt the password if it is
not encrypted and remove the
plain text password from the
configuration file,
overwriting with the encrypted
password. The Xymon client
will prefix the encrypted
password with
‘{SecureString}’, so it is
easy to tell if the client has
attempted to encrypt the
password or not.</p>
</div>
<div>
<p class="MsoNormal">This is
done using the .NET
SecureString functions, which
means that the encryption is
unique to the server and user.
This means that once the
password has been encrypted,
you cannot use the same
xymonclient_config.xml on
another server. It also means
that if you have been testing
by running XymonPSClient from
a command prompt, and this
encrypts the password, when
you run XymonPSClient as a
service it will not be able to
decrypt the password unless
the service is running as the
same user.</p>
</div>
<div>
<p class="MsoNormal">In both
scenarios, replacing the
encrypted password with the
plain text password and
re-starting Xymon will cause
the password to be
re-encrypted.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Tim Williams</p>
</div>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Tue, Nov 6,
2018 at 9:37 AM Rolf
Schrittenlocher <<a
href="mailto:schritte@ub.uni-frankfurt.de"
target="_blank"
moz-do-not-send="true">schritte@ub.uni-frankfurt.de</a>>
wrote:</p>
</div>
<blockquote>
<p class="MsoNormal">any possibility
to send something from intranet to
the world outside? <br>
creating webpage, send by sftp or
scp? This could be done by cron
and <br>
xymon could analyze this data
then.<br>
> Anyone have an idea about how
to collect client server stats
using the <br>
> Powershell client on machines
that are on an intranet that
blocks port <br>
> 1984, and send it out to our
external xymon server located in a
<br>
> different part of the
country? The intranet network
doesn't want to <br>
> open any additional ports to
allow the traffic out.<br>
><br>
<br>
-- <br>
Mit freundlichen Grüßen<br>
Rolf Schrittenlocher<br>
<br>
Lokales Bibliothekssystem
Frankfurt<br>
Bockenheimer Landstr. 134-138,
60325 Frankfurt<br>
Tel LBS: (49) 69 - 798 28830<br>
Tel persönlich: (49) 69 - 798
28908<br>
LBS: <a
href="mailto:lbs@ub.uni-frankfurt.de"
target="_blank"
moz-do-not-send="true">lbs@ub.uni-frankfurt.de</a><br>
Persönlich: <a
href="mailto:schritte@ub.uni-frankfurt.de"
target="_blank"
moz-do-not-send="true">schritte@ub.uni-frankfurt.de</a><br>
<br>
_______________________________________________<br>
Xymon mailing list<br>
<a href="mailto:Xymon@xymon.com"
target="_blank"
moz-do-not-send="true">Xymon@xymon.com</a><br>
<a
href="http://lists.xymon.com/mailman/listinfo/xymon"
target="_blank"
moz-do-not-send="true">http://lists.xymon.com/mailman/listinfo/xymon</a></p>
</blockquote>
</div>
</blockquote>
<p class="MsoNormal"> </p>
</div>
</blockquote>
</div>
</div>
<br>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
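<p>Added example, not part of the thread: a read-only PowerShell check of the Schannel client protocol keys and .NET settings that decide whether a host such as the Windows Server 2008 R2 box can negotiate TLS 1.1/1.2 on outbound connections. It assumes the Xymon PowerShell client makes its HTTPS request through .NET, which the thread does not state; the function names are hypothetical.</p>

```powershell
# Added example: audit client-side TLS settings. Nothing is modified.
# Windows Server 2008 R2 supports TLS 1.1/1.2 but leaves them off by default,
# so "not set" on those rows means the protocol is not offered.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelClientProtocol {
    param([string[]]$Protocol = @('SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($name in $Protocol) {
        $key   = Join-Path $SchannelRoot "$name\Client"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $on    = $(if ($props) { $props.Enabled })            # DWORD, non-zero = enabled
        $dbd   = $(if ($props) { $props.DisabledByDefault })  # DWORD, non-zero = opt-in only
        if ($null -eq $on -and $null -eq $dbd) {
            $state = 'not set (OS default applies)'
        } elseif ($on -eq 0) {
            $state = 'disabled'
        } elseif ($null -ne $dbd -and $dbd -ne 0) {
            $state = 'opt-in only (application must request it)'
        } elseif ($null -ne $on -and $dbd -eq 0) {
            $state = 'enabled'
        } else {
            $state = 'partially set (check both values)'
        }
        New-Object PSObject -Property @{
            Protocol = $name; Enabled = $on; DisabledByDefault = $dbd; State = $state
        }
    }
}

function Get-DotNetTlsSetting {
    # SchUseStrongCrypto = 1 lets .NET 4.x applications use the newer protocols.
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Key                = $k
            SchUseStrongCrypto = $(if ($p) { $p.SchUseStrongCrypto })
        }
    }
}

Get-SchannelClientProtocol | Format-Table Protocol, Enabled, DisabledByDefault, State -AutoSize
Get-DotNetTlsSetting       | Format-Table Key, SchUseStrongCrypto -AutoSize
"ServicePointManager.SecurityProtocol in this session: $([Net.ServicePointManager]::SecurityProtocol)"
```

<p>Run it on a working client and on the failing one and compare the two tables against the protocols the Apache side accepts.</p>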
</body>
</html>