<div dir="ltr"><div dir="ltr"><div class="gmail_default"><font face="verdana, sans-serif"><a href="https://support.microsoft.com/en-us/help/4019276/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows">https://support.microsoft.com/en-us/help/4019276/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows</a> has instructions to make sure TLS is enabled in Windows. You may have to check Apache settings to see what ciphers and/or protocols are enabled on that end.</font><br clear="all"></div><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><p style="background-image:initial;background-position:initial;background-repeat:initial"><font face="comic sans ms, sans-serif" size="4"><b><i>Timothy L. Williams</i></b></font></p><p style="background-image:initial;background-position:initial;background-repeat:initial"><span style="font-family:Arial,sans-serif"><font size="2"><b>Operating Systems Analyst</b><br>Virginia Commonwealth University Computer Center<br>900 East Main St. 
STE 1141 Richmond VA 23219</font><br><b style="color:rgb(17,85,204)"><font size="2"><a href="tel:(804)%20828-0556" value="+18046282441" style="color:rgb(17,85,204)" target="_blank">804-828-0556</a></font></b></span></p></div></div></div></div></div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Nov 8, 2018 at 12:54 PM Kris Springer <<a href="mailto:kspringer@innovateteam.com">kspringer@innovateteam.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
It's confirmed working great on Windows Server 2012, but not 2008.
Can you point me in a direction to look for a solution to the cipher
issues? I'm not going to reduce things to port 80, I want to keep
things on 443.<br>
<br>
<pre class="m_-2746583202941194313moz-signature" cols="72">Kris Springer
</pre>
<div class="m_-2746583202941194313moz-cite-prefix">On 11/8/18 10:23 AM, Timothy Williams
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default">The red flag that popped out at me
was the 2008 R2. Have you checked the ciphers and protocols?
Try port 80 HTTP and see if it works.</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Thu, Nov 8, 2018 at 12:13 PM Kris Springer
<<a href="mailto:kspringer@innovateteam.com" target="_blank">kspringer@innovateteam.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote">
<div> I may have spoken too soon. It's indeed working on
box1, but when I edited the xymonclient_config.xml on box2
and re-entered the password so box2 would re-encrypt it for
            its connection to the server, it's timing out.  Does each
            client need its own individual user/pass?  That seems
unnecessary. I just tried different credentials and it
still timed out. The difference between box1 and box2 is
the OS. They're on the same network and can both reach the
server via https so I don't think it's a networking issue.<br>
box1 = Windows 10 Pro<br>
box2 = Windows Server 2008 R2 Enterprise<br>
<br>
Apache logs show nothing unusual.<br>
I've looked at all the logs I can find on the server but I'm
not seeing anything that would tip me off as to the issue.
<br>
Ideas?<br>
<br>
<pre class="m_-2746583202941194313m_-3186693113565078430moz-signature" cols="72">Kris Springer
</pre>
<div class="m_-2746583202941194313m_-3186693113565078430moz-cite-prefix">On
11/8/18 2:25 AM, Beck, Zak wrote:<br>
</div>
<blockquote type="cite">
<div class="m_-2746583202941194313m_-3186693113565078430WordSection1">
<p class="MsoNormal"><span>Hi Kris</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Yes, I have it working. As
you say, the URL needs to include the full path to
xymoncgimsg.cgi.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>All xymoncgimsg.cgi does as
far as I can tell is relay the message(s) received
over HTTPS via TCP to localhost port 1984 (which is
what the man page says as well). So you need that
listening (which by default it will be).</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>I don’t recall making any
other config changes to make this work (aside from
Apache etc to sort out the authentication).</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>I suspect the time out is
waiting for the response – when you submit data to
Xymon, you normally get the client local config back
from the server. This comes back via the HTTPS
response. There is a timeout setting – sorry I
forgot to document it in the table in the Word doc –
serverHttpTimeoutMs – which defaults to 100000
milliseconds – i.e. 100 seconds. This is the time it
waits for the response from the server. 100 seconds
is pretty generous unless you’re traversing
particularly slow VPNs or saturated connections. You
can override this in the xymonclient_config.xml
file.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>I’m assuming you’re getting
this message:</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span> " Connecting to $($url),
body length $($body.Length), timeout
$($script:XymonSettings.serverHttpTimeoutMs)ms"</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>And then this one (with a
timeout exception):</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span> " Exception
connecting to $($url):`n$($_)"</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>And not either of these:</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span> " FAILED, HTTP
response code: $($response.StatusCode)
($statusCode)"</span></p>
<p class="MsoNormal"><span>or</span></p>
<p class="MsoNormal"><span> " Received
$($output.Length) bytes from server"</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Zak </span><span></span></p>
                <p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Xymon <a class="m_-2746583202941194313m_-3186693113565078430moz-txt-link-rfc2396E" href="mailto:xymon-bounces@xymon.com" target="_blank">&lt;xymon-bounces@xymon.com&gt;</a>
<b>On Behalf Of </b><a class="m_-2746583202941194313m_-3186693113565078430moz-txt-link-abbreviated" href="mailto:kspringer@innovateteam.com" target="_blank">kspringer@innovateteam.com</a><br>
<b>Sent:</b> Thursday, 8 November 2018 08:51<br>
                    <b>To:</b> Xymon MailingList <a class="m_-2746583202941194313m_-3186693113565078430moz-txt-link-rfc2396E" href="mailto:xymon@xymon.com" target="_blank">&lt;xymon@xymon.com&gt;</a><br>
<b>Subject:</b> [External] Re: [Xymon] PSclient
sending from intranet</span></p>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">Anyone have xymoncgimsg.cgi
functioning on their server and successfully
receiving PSclient data over HTTPS? The
documentation for this is vague and doesn't specify
how to make it work. Any specifics would be greatly
appreciated. <br>
<br>
Thanks, <br>
Kris Springer<br>
<br>
<br>
-----Original Message-----<br>
From: Timothy Williams <<a href="mailto:tlwilliams4@vcu.edu" target="_blank">tlwilliams4@vcu.edu</a>><br>
To: <a href="mailto:kspringer@innovateteam.com" target="_blank">kspringer@innovateteam.com</a><br>
Cc: <a href="mailto:xymon@xymon.com" target="_blank">xymon@xymon.com</a><br>
Sent: Tue, 06 Nov 2018 2:22 PM<br>
Subject: Re: [Xymon] PSclient sending from intranet</p>
</div>
<div>
<div>
<p class="MsoNormal"><span>Alas, I am unable to help
further, as my InfoSec allows port 1984, and not
80 or 443 to Xymon, so I don't have http
running. </span></p>
</div>
<div>
<p class="MsoNormal"><span> </span></p>
</div>
<div>
<p class="MsoNormal"><span>Tim</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Tue, Nov 6, 2018 at 3:29 PM
Kris Springer <<a href="mailto:kspringer@innovateteam.com" target="_blank">kspringer@innovateteam.com</a>>
wrote:</p>
</div>
<blockquote>
<div>
<p class="MsoNormal">I've configured one of my
PSclients to test this HTTPS functionality, and
it indeed does try to send data over port 443.
But the client logs say that my Xymon server is
timing out. Is there a specific server url path
that I need to be using? The documentation
doesn't give any example.<br>
<br>
<br>
</p>
<pre>Kris Springer</pre>
<pre> </pre>
<pre> </pre>
<div>
<p class="MsoNormal">On 11/6/18 7:54 AM, Timothy
Williams wrote:</p>
</div>
<blockquote>
<div>
<div>
<div>
                              <p class="MsoNormal">The PowerShell client
can connect to the Xymon server using
TCP port 1984 as default, but can also
connect using HTTP or HTTPS with/without
user/password. You likely have port 80
or 443 open. Here are Word doc details:</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<div>
<p class="MsoNormal">HTTP is an
alternate method. It can be used if
you have xymoncgimsg.cgi running on
the web server on your Xymon server –
                                  see <a href="https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html" target="_blank">
https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html</a>. The
web server running the CGI can be
configured for SSL (i.e. HTTPS) and /
or authentication – XymonPSClient
supports basic authentication and SSL.
If you require authentication, the
                                  &lt;serverHttpUsername&gt; and
                                  &lt;serverHttpPassword&gt; elements
should be configured.</p>
</div>
<div>
<p class="MsoNormal">If you are using
HTTP and transmitting over unsecure
networks (e.g. the internet), it is
strongly recommended to enable SSL,
authentication and disallow HTTP
connections.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">ServerHttpPassword
encryption</p>
</div>
<div>
<p class="MsoNormal">If
                                  &lt;serverHttpPassword&gt; is set, the
Xymon client will encrypt the password
if it is not encrypted and remove the
plain text password from the
configuration file, overwriting with
the encrypted password. The Xymon
client will prefix the encrypted
password with ‘{SecureString}’, so it
is easy to tell if the client has
attempted to encrypt the password or
not.</p>
</div>
<div>
<p class="MsoNormal">This is done using
the .NET SecureString functions, which
means that the encryption is unique to
the server and user. This means that
once the password has been encrypted,
you cannot use the same
xymonclient_config.xml on another
server. It also means that if you have
been testing by running XymonPSClient
from a command prompt, and this
encrypts the password, when you run
XymonPSClient as a service it will not
be able to decrypt the password unless
the service is running as the same
user.</p>
</div>
<div>
<p class="MsoNormal">In both scenarios,
replacing the encrypted password with
the plain text password and
re-starting Xymon will cause the
                                  password to be re-encrypted.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Tim Williams</p>
</div>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Tue, Nov 6, 2018 at
9:37 AM Rolf Schrittenlocher <<a href="mailto:schritte@ub.uni-frankfurt.de" target="_blank">schritte@ub.uni-frankfurt.de</a>>
wrote:</p>
</div>
<blockquote>
<p class="MsoNormal">any possibility to send
something from intranet to the world
outside? <br>
creating webpage, send by sftp or scp?
This could be done by cron and <br>
xymon could analyze this data then.<br>
> Anyone have an idea about how to
collect client server stats using the <br>
> Powershell client on machines that
are on an intranet that blocks port <br>
> 1984, and send it out to our external
xymon server located in a <br>
> different part of the country? The
intranet network doesn't want to <br>
> open any additional ports to allow
the traffic out.<br>
><br>
<br>
-- <br>
Mit freundlichen Grüßen<br>
Rolf Schrittenlocher<br>
<br>
Lokales Bibliothekssystem Frankfurt<br>
Bockenheimer Landstr. 134-138, 60325
Frankfurt<br>
Tel LBS: (49) 69 - 798 28830<br>
Tel persönlich: (49) 69 - 798 28908<br>
LBS: <a href="mailto:lbs@ub.uni-frankfurt.de" target="_blank">lbs@ub.uni-frankfurt.de</a><br>
Persönlich: <a href="mailto:schritte@ub.uni-frankfurt.de" target="_blank">schritte@ub.uni-frankfurt.de</a><br>
<br>
_______________________________________________<br>
Xymon mailing list<br>
<a href="mailto:Xymon@xymon.com" target="_blank">Xymon@xymon.com</a><br>
                            <a href="http://lists.xymon.com/mailman/listinfo/xymon" target="_blank">http://lists.xymon.com/mailman/listinfo/xymon</a></p>
</blockquote>
</div>
</blockquote>
<p class="MsoNormal"> </p>
</div>
</blockquote>
</div>
</div>
<br>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote></div>
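<p>Added example (not part of the thread or of the Xymon client): a read-only PowerShell check for the client side of the "ciphers and protocols" question raised above for the Windows Server 2008 R2 box. It lists the Schannel client protocol overrides and the protocols the current .NET session will offer. It assumes the standard Schannel registry layout and that the client makes its HTTPS request through .NET; the function name is hypothetical, and only PowerShell 2.0 syntax is used.</p>

```powershell
# Added example: reads settings only, changes nothing.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelClientProtocol {
    param([string[]]$Protocol = @('SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))

    foreach ($p in $Protocol) {
        $key   = Join-Path $base "$p\Client"
        # A missing key or value means no override: the OS default applies.
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        $enabled = 'not set (OS default)'
        $byDef   = 'not set (OS default)'
        if ($props) {
            if ($null -ne $props.Enabled)           { $enabled = $props.Enabled }
            if ($null -ne $props.DisabledByDefault) { $byDef   = $props.DisabledByDefault }
        }

        # New-Object instead of [pscustomobject] so this also runs on PowerShell 2.0.
        New-Object PSObject -Property @{
            Protocol          = $p
            Enabled           = $enabled
            DisabledByDefault = $byDef
        }
    }
}

Get-SchannelClientProtocol |
    Select-Object Protocol, Enabled, DisabledByDefault |
    Format-Table -AutoSize

# Context for comparing a working client (box1) with a failing one (box2).
"OS version         : $([Environment]::OSVersion.Version)"
"PowerShell version : $($PSVersionTable.PSVersion)"
# Protocols this .NET session offers when it opens an HTTPS connection.
".NET protocols     : $([Net.ServicePointManager]::SecurityProtocol)"
```

<p>Run it on both clients and compare the output with the protocols the Apache virtual host accepts; a client that offers nothing the server allows fails during the TLS handshake, before any request reaches the CGI.</p>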
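<p>Added example (not from the thread or from the XymonPSClient source): a diagnostic for the ServerHttpPassword encryption behaviour quoted above, where the stored value can only be decrypted by the same user on the same machine. It assumes the text after the <code>{SecureString}</code> prefix is the output of <code>ConvertFrom-SecureString</code> used without a key, and that the <code>serverHttpPassword</code> element can be found by name in a file with no XML namespace; the function name is hypothetical. The password itself is never printed.</p>

```powershell
# Added example: checks whether the current account can decrypt the stored password.
function Test-XymonStoredPassword {
    param([Parameter(Mandatory = $true)][string]$ConfigPath)

    $hit = Select-Xml -Path $ConfigPath -XPath '//serverHttpPassword' |
        Select-Object -First 1
    if (-not $hit) { return 'no serverHttpPassword element found' }

    $value  = $hit.Node.InnerText.Trim()
    $prefix = '{SecureString}'
    $who    = "$env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME"

    if (-not $value.StartsWith($prefix)) {
        return 'plain text: the client has not encrypted this value yet'
    }

    try {
        # Without -Key, ConvertTo-SecureString expects a string protected for
        # this user on this machine; any other account or host fails here.
        $null = ConvertTo-SecureString -String $value.Substring($prefix.Length) -ErrorAction Stop
        return "decryptable by $who"
    }
    catch {
        return "NOT decryptable by $who : $($_.Exception.Message)"
    }
}

# Example call, from the directory that holds the client configuration:
# Test-XymonStoredPassword -ConfigPath .\xymonclient_config.xml
```

<p>Run it under the same account the XymonPSClient service uses; a result of "NOT decryptable" matches the copied-config and different-user scenarios described in the documentation excerpt.</p>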