[Xymon] PSclient sending from intranet
Kris Springer
kspringer at innovateteam.com
Thu Nov 8 18:54:08 CET 2018
It's confirmed working great on Windows Server 2012, but not 2008. Can
you point me in a direction to look for a solution to the cipher
issues? I'm not going to reduce things to port 80, I want to keep
things on 443.
Kris Springer
On 11/8/18 10:23 AM, Timothy Williams wrote:
> The red flag that popped out at me was the 2008 R2. Have you checked
> the ciphers and protocols? Try port 80 HTTP and see if it works.
>
>
>
> On Thu, Nov 8, 2018 at 12:13 PM Kris Springer
> <kspringer at innovateteam.com> wrote:
>
> I may have spoken too soon. It's indeed working on box1, but when
> I edited the xymonclient_config.xml on box2 and re-entered the
> password so box2 would re-encrypt it for its connection to the
> server, it's timing out. Does each client need its own
> individual user/pass? That seems unnecessary. I just tried
> different credentials and it still timed out. The difference
> between box1 and box2 is the OS. They're on the same network and
> can both reach the server via https so I don't think it's a
> networking issue.
> box1 = Windows 10 Pro
> box2 = Windows Server 2008 R2 Enterprise
>
> Apache logs show nothing unusual.
> I've looked at all the logs I can find on the server but I'm not
> seeing anything that would tip me off as to the issue.
> Ideas?
>
> Kris Springer
>
>
> On 11/8/18 2:25 AM, Beck, Zak wrote:
>>
>> Hi Kris
>>
>> Yes, I have it working. As you say, the URL needs to include the
>> full path to xymoncgimsg.cgi.
>>
>> All xymoncgimsg.cgi does as far as I can tell is relay the
>> message(s) received over HTTPS via TCP to localhost port 1984
>> (which is what the man page says as well). So you need that
>> listening (which by default it will be).
>>
>> I don’t recall making any other config changes to make this work
>> (aside from Apache etc to sort out the authentication).
>>
>> I suspect the time out is waiting for the response – when you
>> submit data to Xymon, you normally get the client local config
>> back from the server. This comes back via the HTTPS response.
>> There is a timeout setting – sorry I forgot to document it in the
>> table in the Word doc – serverHttpTimeoutMs – which defaults to
>> 100000 milliseconds – i.e. 100 seconds. This is the time it waits
>> for the response from the server. 100 seconds is pretty generous
>> unless you’re traversing particularly slow VPNs or saturated
>> connections. You can override this in the xymonclient_config.xml
>> file.
>>
>> I’m assuming you’re getting this message:
>>
>> " Connecting to $($url), body length $($body.Length),
>> timeout $($script:XymonSettings.serverHttpTimeoutMs)ms"
>>
>> And then this one (with a timeout exception):
>>
>> " Exception connecting to $($url):`n$($_)"
>>
>> And not either of these:
>>
>> " FAILED, HTTP response code: $($response.StatusCode)
>> ($statusCode)"
>>
>> or
>>
>> " Received $($output.Length) bytes from server"
>>
>> Zak
>>
>> From: Xymon <xymon-bounces at xymon.com> On Behalf Of kspringer at innovateteam.com
>> Sent: Thursday, 8 November 2018 08:51
>> To: Xymon MailingList <xymon at xymon.com>
>> Subject: [External] Re: [Xymon] PSclient sending from intranet
>>
>> Anyone have xymoncgimsg.cgi functioning on their server and
>> successfully receiving PSclient data over HTTPS? The
>> documentation for this is vague and doesn't specify how to make
>> it work. Any specifics would be greatly appreciated.
>>
>> Thanks,
>> Kris Springer
>>
>>
>> -----Original Message-----
>> From: Timothy Williams <tlwilliams4 at vcu.edu>
>> To: kspringer at innovateteam.com
>> Cc: xymon at xymon.com
>> Sent: Tue, 06 Nov 2018 2:22 PM
>> Subject: Re: [Xymon] PSclient sending from intranet
>>
>> Alas, I am unable to help further, as my InfoSec allows port
>> 1984, and not 80 or 443 to Xymon, so I don't have http running.
>>
>> Tim
>>
>> On Tue, Nov 6, 2018 at 3:29 PM Kris Springer
>> <kspringer at innovateteam.com> wrote:
>>
>> I've configured one of my PSclients to test this HTTPS
>> functionality, and it indeed does try to send data over port
>> 443. But the client logs say that my Xymon server is timing
>> out. Is there a specific server url path that I need to be
>> using? The documentation doesn't give any example.
>>
>>
>> Kris Springer
>>
>>
>>
>>
>>
>> On 11/6/18 7:54 AM, Timothy Williams wrote:
>>
>> The Powershell client can connect to the Xymon server
>> using TCP port 1984 as default, but can also connect
>> using HTTP or HTTPS with/without user/password. You
>> likely have port 80 or 443 open. Here are Word doc details:
>>
>> HTTP is an alternate method. It can be used if you have
>> xymoncgimsg.cgi running on the web server on your Xymon
>> server – see
>> https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html.
>> The web server running the CGI can be configured for SSL
>> (i.e. HTTPS) and / or authentication – XymonPSClient
>> supports basic authentication and SSL. If you require
>> authentication, the <serverHttpUsername> and
>> <serverHttpPassword> elements should be configured.
>>
>> If you are using HTTP and transmitting over unsecure
>> networks (e.g. the internet), it is strongly recommended
>> to enable SSL, authentication and disallow HTTP connections.
>>
>> ServerHttpPassword encryption
>>
>> If <serverHttpPassword> is set, the Xymon client will
>> encrypt the password if it is not encrypted and remove
>> the plain text password from the configuration file,
>> overwriting with the encrypted password. The Xymon client
>> will prefix the encrypted password with ‘{SecureString}’,
>> so it is easy to tell if the client has attempted to
>> encrypt the password or not.
>>
>> This is done using the .NET SecureString functions, which
>> means that the encryption is unique to the server and
>> user. This means that once the password has been
>> encrypted, you cannot use the same xymonclient_config.xml
>> on another server. It also means that if you have been
>> testing by running XymonPSClient from a command prompt,
>> and this encrypts the password, when you run
>> XymonPSClient as a service it will not be able to decrypt
>> the password unless the service is running as the same user.
>>
>> In both scenarios, replacing the encrypted password with
>> the plain text password and re-starting Xymon will cause
>> the password to be re-encrypted.
>>
>> Tim Williams
>>
>> On Tue, Nov 6, 2018 at 9:37 AM Rolf Schrittenlocher
>> <schritte at ub.uni-frankfurt.de> wrote:
>>
>> any possibility to send something from intranet to the world outside?
>> creating webpage, send by sftp or scp? This could be done by cron and
>> xymon could analyze this data then.
>> > Anyone have an idea about how to collect client server stats using the
>> > Powershell client on machines that are on an intranet that blocks port
>> > 1984, and send it out to our external xymon server located in a
>> > different part of the country? The intranet network doesn't want to
>> > open any additional ports to allow the traffic out.
>> >
>>
>> --
>> Kind regards
>> Rolf Schrittenlocher
>>
>> Lokales Bibliothekssystem Frankfurt
>> Bockenheimer Landstr. 134-138, 60325 Frankfurt
>> Tel LBS: (49) 69 - 798 28830
>> Tel personal: (49) 69 - 798 28908
>> LBS: lbs at ub.uni-frankfurt.de
>> Personal: schritte at ub.uni-frankfurt.de
>>
>> _______________________________________________
>> Xymon mailing list
>> Xymon at xymon.com
>> http://lists.xymon.com/mailman/listinfo/xymon
>>
>>
>
>
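A read-only PowerShell check for the protocol question raised at the top of this message, added here as an example; it is not from the thread or from the XymonPSClient project. It assumes the standard SChannel and .NET Framework registry locations, the function names are hypothetical, and `xymon.example.com` is a placeholder host.

```powershell
# Added example (not from the thread): read-only view of what decides which
# TLS versions a PowerShell/.NET HTTPS client on this machine will offer.
function Get-RegValue([string]$Path, [string]$Name) {
    # Value if present, otherwise a marker meaning the OS default applies.
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($p -and $null -ne $p.$Name) { $p.$Name } else { 'not set' }
}

function Get-TlsClientSettings {
    # SChannel client keys. On Windows Server 2008 R2 the OS default
    # ('not set') leaves TLS 1.1 and TLS 1.2 off for clients.
    $sch = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = "$sch\$proto\Client"
        New-Object PSObject -Property @{
            Setting           = "SChannel $proto client"
            Enabled           = (Get-RegValue $key 'Enabled')
            DisabledByDefault = (Get-RegValue $key 'DisabledByDefault')
        }
    }
    # .NET Framework opt-in to strong crypto, per runtime version.
    foreach ($ver in 'v2.0.50727', 'v4.0.30319') {
        New-Object PSObject -Property @{
            Setting           = ".NET $ver SchUseStrongCrypto"
            Enabled           = (Get-RegValue "HKLM:\SOFTWARE\Microsoft\.NETFramework\$ver" 'SchUseStrongCrypto')
            DisabledByDefault = 'n/a'
        }
    }
}

function Test-TlsHandshake([string]$HostName, [int]$Port = 443) {
    # Handshake using SslStream's defaults for the installed .NET runtime.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        "Negotiated {0}, cipher {1} ({2} bit)" -f $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.CipherStrength
    } catch {
        "Handshake failed: $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }
}

Get-TlsClientSettings | Format-Table Setting, Enabled, DisabledByDefault -AutoSize
"Session protocols: $([Net.ServicePointManager]::SecurityProtocol)"
Test-TlsHandshake -HostName 'xymon.example.com'   # placeholder host
```

Running it on both the working and the failing client and comparing the output shows whether the two machines differ in the protocol versions they are able to offer the web server.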