[Xymon] PSclient sending from intranet

Timothy Williams tlwilliams4 at vcu.edu
Thu Nov 8 19:20:02 CET 2018


https://support.microsoft.com/en-us/help/4019276/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows
has instructions to make sure TLS is enabled in Windows. You may have to
check Apache settings to see what ciphers and/or protocols are enabled on
that end.

*Timothy L. Williams*

*Operating Systems Analyst*
Virginia Commonwealth University Computer Center
900 East Main St. STE 1141 Richmond VA 23219
*804-828-0556*





On Thu, Nov 8, 2018 at 12:54 PM Kris Springer <kspringer at innovateteam.com>
wrote:

> It's confirmed working great on Windows Server 2012, but not 2008.  Can
> you point me in a direction to look for a solution to the cipher issues?
> I'm not going to reduce things to port 80, I want to keep things on 443.
>
> Kris Springer
>
>
>
> On 11/8/18 10:23 AM, Timothy Williams wrote:
>
> The red flag that popped out at me was the 2008 R2. Have you checked the
> ciphers and protocols? Try port 80 HTTP and see if it works.
>
>
>
> On Thu, Nov 8, 2018 at 12:13 PM Kris Springer <kspringer at innovateteam.com>
> wrote:
>
>> I may have spoken too soon.  It's indeed working on box1, but when I
>> edited the xymonclient_config.xml on box2 and re-entered the password so
>> box2 would re-encrypt it for its connection to the server, it's timing
>> out.  Does each client need its own individual user/pass?  That seems
>> unnecessary.  I just tried different credentials and it still timed out.
>> The difference between box1 and box2 is the OS.  They're on the same
>> network and can both reach the server via https so I don't think it's a
>> networking issue.
>> box1 = Windows 10 Pro
>> box2 = Windows Server 2008 R2 Enterprise
>>
>> Apache logs show nothing unusual.
>> I've looked at all the logs I can find on the server but I'm not seeing
>> anything that would tip me off as to the issue.
>> Ideas?
>>
>> Kris Springer
>>
>>
>>
>> On 11/8/18 2:25 AM, Beck, Zak wrote:
>>
>> Hi Kris
>>
>>
>>
>> Yes, I have it working. As you say, the URL needs to include the full
>> path to xymoncgimsg.cgi.
>>
>>
>>
>> All xymoncgimsg.cgi does as far as I can tell is relay the message(s)
>> received over HTTPS via TCP to localhost port 1984 (which is what the man
>> page says as well). So you need that listening (which by default it will
>> be).
>>
>>
>>
>> I don’t recall making any other config changes to make this work (aside
>> from Apache etc to sort out the authentication).
>>
>>
>>
>> I suspect the time out is waiting for the response – when you submit data
>> to Xymon, you normally get the client local config back from the server.
>> This comes back via the HTTPS response. There is a timeout setting – sorry
>> I forgot to document it in the table in the Word doc – serverHttpTimeoutMs
>> – which defaults to 100000 milliseconds – i.e. 100 seconds. This is the
>> time it waits for the response from the server. 100 seconds is pretty
>> generous unless you’re traversing particularly slow VPNs or saturated
>> connections. You can override this in the xymonclient_config.xml file.
>>
>>
>>
>> I’m assuming you’re getting this message:
>>
>>
>>
>>     "  Connecting to $($url), body length $($body.Length), timeout $($script:XymonSettings.serverHttpTimeoutMs)ms"
>>
>>
>>
>> And then this one (with a timeout exception):
>>
>>
>>
>>         "  Exception connecting to $($url):`n$($_)"
>>
>>
>>
>> And not either of these:
>>
>>
>>
>>         "  FAILED, HTTP response code: $($response.StatusCode) ($statusCode)"
>>
>> or
>>
>>         "  Received $($output.Length) bytes from server"
>>
>>
>>
>>
>>
>> Zak
>>
>> *From:* Xymon <xymon-bounces at xymon.com> *On
>> Behalf Of *kspringer at innovateteam.com
>> *Sent:* Thursday, 8 November 2018 08:51
>> *To:* Xymon MailingList <xymon at xymon.com>
>> *Subject:* [External] Re: [Xymon] PSclient sending from intranet
>>
>>
>>
>> Anyone have xymoncgimsg.cgi functioning on their server and successfully
>> receiving PSclient data over HTTPS?  The documentation for this is vague
>> and doesn't specify how to make it work. Any specifics would be greatly
>> appreciated.
>>
>> Thanks,
>> Kris Springer
>>
>>
>> -----Original Message-----
>> From: Timothy Williams <tlwilliams4 at vcu.edu>
>> To: kspringer at innovateteam.com
>> Cc: xymon at xymon.com
>> Sent: Tue, 06 Nov 2018 2:22 PM
>> Subject: Re: [Xymon] PSclient sending from intranet
>>
>> Alas, I am unable to help further, as my InfoSec allows port 1984, and
>> not 80 or 443 to Xymon, so I don't have http running.
>>
>>
>>
>> Tim
>>
>>
>>
>> On Tue, Nov 6, 2018 at 3:29 PM Kris Springer <kspringer at innovateteam.com>
>> wrote:
>>
>> I've configured one of my PSclients to test this HTTPS functionality, and
>> it indeed does try to send data over port 443.  But the client logs say
>> that my Xymon server is timing out.  Is there a specific server url path
>> that I need to be using?  The documentation doesn't give any example.
>>
>>
>> Kris Springer
>>
>>
>>
>>
>>
>> On 11/6/18 7:54 AM, Timothy Williams wrote:
>>
>> The Powershell client can connect to the Xymon server using TCP port 1984
>> as default, but can also connect using HTTP or HTTPS with/without
>> user/password. You likely have port 80 or 443 open. Here are Word doc
>> details:
>>
>>
>>
>> HTTP is an alternate method. It can be used if you have xymoncgimsg.cgi
>> running on the web server on your Xymon server – see
>> https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html.
>> The web server running the CGI can be configured for SSL (i.e. HTTPS) and /
>> or authentication – XymonPSClient supports basic authentication and SSL. If
>> you require authentication, the <serverHttpUsername> and
>> <serverHttpPassword> elements should be configured.
>>
>> If you are using HTTP and transmitting over unsecure networks (e.g.  the
>> internet), it is strongly recommended to enable SSL, authentication and
>> disallow HTTP connections.
>>
>>
>>
>> ServerHttpPassword encryption
>>
>> If <serverHttpPassword> is set, the Xymon client will encrypt the
>> password if it is not encrypted and remove the plain text password from the
>> configuration file, overwriting with the encrypted password. The Xymon
>> client will prefix the encrypted password with ‘{SecureString}’, so it is
>> easy to tell if the client has attempted to encrypt the password or not.
>>
>> This is done using the .NET SecureString functions, which means that the
>> encryption is unique to the server and user. This means that once the
>> password has been encrypted, you cannot use the same xymonclient_config.xml
>> on another server. It also means that if you have been testing by running
>> XymonPSClient from a command prompt, and this encrypts the password, when
>> you run XymonPSClient as a service it will not be able to decrypt the
>> password unless the service is running as the same user.
>>
>> In both scenarios, replacing the encrypted password with the plain text
>> password and re-starting Xymon will cause the password to be re-encrypted.
>>
>>
>>
>>
>>
>> Tim Williams
>>
>>
>>
>> On Tue, Nov 6, 2018 at 9:37 AM Rolf Schrittenlocher <
>> schritte at ub.uni-frankfurt.de> wrote:
>>
>> any possibility to send something from intranet to the world outside?
>> creating webpage, send by sftp or scp? This could be done by cron and
>> xymon could analyze this data then.
>> > Anyone have an idea about how to collect client server stats using the
>> > Powershell client on machines that are on an intranet that blocks port
>> > 1984, and send it out to our external xymon server located in a
>> > different part of the country?  The intranet network doesn't want to
>> > open any additional ports to allow the traffic out.
>> >
>>
>> --
>> Mit freundlichen Grüßen
>> Rolf Schrittenlocher
>>
>> Lokales Bibliothekssystem Frankfurt
>> Bockenheimer Landstr. 134-138, 60325 Frankfurt
>> Tel LBS: (49) 69 - 798 28830
>> Tel persönlich: (49) 69 - 798 28908
>> LBS: lbs at ub.uni-frankfurt.de
>> Persönlich: schritte at ub.uni-frankfurt.de
>>
>> _______________________________________________
>> Xymon mailing list
>> Xymon at xymon.com
>> http://lists.xymon.com/mailman/listinfo/xymon
>
>
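
The protocol check suggested at the top of this message, as an added example that is not part of the original thread or of XymonPSClient: a read-only PowerShell script that reports the SCHANNEL client-side TLS settings and the protocol names the local .NET runtime defines. It assumes the client's HTTPS requests go through SCHANNEL and .NET; the function name Get-SchannelClientState is hypothetical.

```powershell
# Added diagnostic example (not from the thread). Read-only: changes nothing.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelClientState {
    param([string]$Protocol)
    $path  = Join-Path (Join-Path $base $Protocol) 'Client'
    $state = New-Object PSObject -Property @{
        Protocol = $Protocol; KeyPresent = $false
        Enabled = 'not set'; DisabledByDefault = 'not set'
    }
    if (Test-Path $path) {
        $state.KeyPresent = $true
        $props = Get-ItemProperty -Path $path
        foreach ($name in 'Enabled', 'DisabledByDefault') {
            # A missing value means the OS default for this Windows version applies.
            if ($props -and $props.PSObject.Properties[$name]) {
                $state.$name = [bool]($props.$name -ne 0)
            }
        }
    }
    $state
}

'TLS 1.0', 'TLS 1.1', 'TLS 1.2' | ForEach-Object { Get-SchannelClientState $_ } |
    Format-Table Protocol, KeyPresent, Enabled, DisabledByDefault -AutoSize

# Which protocol names the .NET runtime hosting this PowerShell session defines,
# and which ones it currently offers by default.
$known = [Enum]::GetNames([Net.SecurityProtocolType])
"Protocols this .NET runtime knows: $($known -join ', ')"
"ServicePointManager default:       $([Net.ServicePointManager]::SecurityProtocol)"
if ($known -notcontains 'Tls12') {
    'Tls12 is not defined here: this runtime predates .NET 4.5 and cannot request TLS 1.2 by name.'
}
```

Comparing the output from box1 and box2 against the protocols Apache accepts shows whether the two sides share a TLS version.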
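
The user and machine binding described in the "ServerHttpPassword encryption" excerpt quoted above, as an added example that is not XymonPSClient's own code. It assumes the stored value is the '{SecureString}' prefix followed by ConvertFrom-SecureString output (DPAPI, no -Key); the thread does not confirm that storage format, and the function names and sample password are constructed.

```powershell
# Added example. Assumption: stored value = '{SecureString}' + ConvertFrom-SecureString
# output. Without -Key, that output is DPAPI-protected for the current user on this machine.
$prefix = '{SecureString}'

function Protect-ConfigPassword {
    param([string]$PlainText)
    $secure = ConvertTo-SecureString -String $PlainText -AsPlainText -Force
    $prefix + (ConvertFrom-SecureString -SecureString $secure)
}

function Test-ConfigPassword {
    param([string]$Value)
    $who = "$([Environment]::UserName) on $([Environment]::MachineName)"
    if (-not $Value.StartsWith($prefix)) {
        return 'plain text: the client has not encrypted this value yet'
    }
    try {
        # Throws if the blob was protected by a different account or machine.
        $null = ConvertTo-SecureString -String $Value.Substring($prefix.Length) -ErrorAction Stop
        return "decryptable by $who"
    } catch {
        return "NOT decryptable by $who; the plain text password must be re-entered"
    }
}

# Constructed sample password, encrypted and checked under the current account.
$stored = Protect-ConfigPassword 'constructed-sample-password'
Test-ConfigPassword $stored
Test-ConfigPassword 'constructed-sample-password'
```

Running Test-ConfigPassword under the account the service uses, against a value encrypted from an interactive prompt under another account, returns the "NOT decryptable" result.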