Distributed monitoring network question

Hi everyone!

We would like to monitor a whole network behind a satellite. The issue is that the only connection we can have is from the master to the satellite on port 5665/TCP, but no connection from the satellite to the master (on any port whatsoever).
So it would look a bit like this:

Master -------5665/TCP-> Satellite <---any/any---> Monitored hosts

Is that even possible from a design perspective, i.e. would that setup ever work when the satellite isn’t able to connect to the master?



Yep, that works by design. The master’s config should hold the Endpoint object for the satellite with the host attribute specified, making it actively connect to the satellite.

Vice versa, the satellite host’s local config doesn’t need the host attribute set for the master endpoint, as it shouldn’t connect to it.

For Icinga, it doesn’t matter which side establishes the connection. Once there is one, configs, check results, etc. are exchanged.


1 Like
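
The one-directional layout described in the answer above, written out as zones.conf for both nodes. This is an added example, not configuration posted in the thread; the endpoint names, zone names and the address 192.0.2.10 are assumed placeholders.

```icinga2
// ---- On the master: /etc/icinga2/zones.conf ----

// Local endpoint. The name must match the CN of this node's certificate.
object Endpoint "master1.example.org" {
}

// "host" is set, so the master actively opens the connection to the
// satellite. The port is left out because it defaults to 5665.
object Endpoint "satellite1.example.org" {
  host = "192.0.2.10"   // assumed address of the satellite
}

object Zone "master" {
  endpoints = [ "master1.example.org" ]
}

object Zone "satellite" {
  endpoints = [ "satellite1.example.org" ]
  parent = "master"
}

// ---- On the satellite: /etc/icinga2/zones.conf ----

// No "host" attribute: the satellite never tries to reach the master
// and only accepts the connection the master opens.
object Endpoint "master1.example.org" {
}

// Local endpoint of the satellite itself.
object Endpoint "satellite1.example.org" {
}

object Zone "master" {
  endpoints = [ "master1.example.org" ]
}

object Zone "satellite" {
  endpoints = [ "satellite1.example.org" ]
  parent = "master"
}
```

With this layout the firewall only has to allow master to satellite on 5665/TCP. Each file can be checked with `icinga2 daemon -C` before reloading.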

Hi Michael,

thanks for your reply and good to know!

Only thing to do for us is to get it to work now :sweat_smile:


If you need more help with the setup, let us know.

If you got it working, would you kindly tick the “solution” checkbox in the post that gave the correct answer? This way you give kudos and show others that your problem was solved and they don’t have to read through your whole thread just to find that you don’t need any more help.

Will do! :smile:

Just one quick follow-up question: can the CA proxy be set up in the same way?


CA proxy is a functionality, not a server or host. That being said, a satellite already provides this functionality and forwards signing requests from clients to the master. If the connection to the master is not established yet, these requests are cached and synced on connect. Same goes for signed responses.


For using the icinga2-powershell-module to create a host in the Director, is it still necessary to connect directly from the client to the master? Or could the satellite act as a “proxy” as well?

Icinga 2 doesn’t know anything about the Director or Icinga Web 2, so for these parts you’d still need your own HTTP proxy to talk to the master. The CA proxy functionality only covers certificate request handling in 3 or more level clusters, on a JSON-RPC level, not HTTP.