Icinga behind firewall

Hello,
I have one Icinga core (r2.13.6-1) and one endpoint behind a firewall with port TCP 5665 opened. I was able to copy the ca.crt and configure the endpoint and the zone.
In the same subnet as the endpoint I have different Linux/Windows servers. How can I configure these servers without opening a port to Icinga core?
I have tried with icinga2 node wizard, but it is not working as expected. I don’t know whether in icinga2 node wizard I should put the Icinga core hostname or only the Icinga endpoint hostname.

Thanks,
Adrian

Hello,
I have one Icinga core (r2.13.6-1) and one endpoint behind a firewall with
port TCP 5665 opened. I was able to copy the ca.crt and configure the
endpoint and the zone. In the same subnet as the endpoint I have different
Linux/Windows servers. How can I configure these servers without opening
a port to Icinga core? I have tried with icinga2 node wizard, but it is not
working as expected.

Please explain what you did when “trying with the icinga2 node wizard” and
also exactly what happened instead of it “working as expected”.

I don’t know whether in icinga2 node wizard I should put the Icinga core
hostname or only the Icinga endpoint hostname.

Have you read Distributed Monitoring - Icinga 2?

It sounds to me as though you want to have a satellite which is able to
communicate with your master through the firewall, and which in turn can
communicate with the other machines on the local subnet.

Antony.

If I understand correctly you have:

  • An Icinga2 master server
  • an icinga2 endpoint (meaning satellite?) in a different network, but it is successfully connected to the master

And now you want the agents installed (or to be installed) on the Linux/Windows hosts in said network to be connected?

Then you connect the agents to the existing satellite.
Example for Windows:

# configure agent
	& 'C:\Program Files\ICINGA2\sbin\icinga2.exe' pki save-cert --host <parent host endpoint name like in zones.conf> --trustedcert "C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt"
	& 'C:\Program Files\ICINGA2\sbin\icinga2.exe' node setup --cn <agent host name (default: fqdn)> --zone <same as --cn> --parent_zone <parent Zone> --parent_host <parent host endpoint name like in zones.conf> --endpoint <parent host endpoint name like in zones.conf>,<parent host ip>,5665 --trustedcert "C:\ProgramData\icinga2\var\lib\icinga2\certs\trusted-parent.crt" --accept-commands --accept-config --disable-confd

(If you leave out the --ticket parameter, as in the example, you need to manually sign the cert request on the master.)

The icinga2 node wizard on Linux should guide you through, as should the GUI on Windows installations.

Also read Endpoint Connection Direction to determine if the agent connects to its parent or vice versa.

Thanks! I think for the first Linux server I did too many configurations :)
I tried on another host and it worked.
The commands I used for Linux:

icinga2 pki new-cert --cn linux_host --key /var/lib/icinga2/certs/linux_host.key --cert /var/lib/icinga2/certs/linux_host.crt

icinga2 pki save-cert --key /var/lib/icinga2/certs/linux_host.key --cert /var/lib/icinga2/certs/linux_host.crt --trustedcert /var/lib/icinga2/certs/trusted-master.crt --host linux_satellite --port 5665

icinga2 node setup --cn linux_host --endpoint linux_satellite --zone linux_host.key --parent_zone "ZONE_NAME" --parent_host linux_satellite --trustedcert /var/lib/icinga2/certs/trusted-master.crt --accept-commands --accept-config --disable-confd

Thanks for the quick help!
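
The `pki save-cert` step in the posts above stores whatever certificate the parent presents on port 5665, and `node setup --trustedcert` then trusts that file. The following is an added example, not part of the thread, that pins the saved file against a fingerprint read out of band on the satellite before `node setup` is run. It assumes `base64` and `sha256sum` from coreutils and a single-certificate PEM file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): check the certificate written by
# `icinga2 pki save-cert` before handing it to `icinga2 node setup --trustedcert`.

# SHA-256 over the DER bytes of a single-certificate PEM file, lowercase hex.
# Same value as `openssl x509 -noout -fingerprint -sha256`, without colons.
cert_fp() {
    tr -d '\r' < "$1" | sed '/^-----/d' | base64 -d | sha256sum | cut -d' ' -f1
}

# Normalise a fingerprint as an operator pastes it: drop a leading
# "... Fingerprint=" label, colons and spaces, and lowercase the hex digits.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# verify_trusted_cert <saved cert> <expected fingerprint obtained out of band>
# Returns 0 on an exact match, 1 on mismatch, 2 on unusable input.
verify_trusted_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || {
        echo "no PEM certificate readable in $1" >&2
        return 2
    }
    expected=$(norm_fp "$2")
    case $expected in
        ''|*[!0-9a-f]*) echo "expected fingerprint is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || {
        echo "expected fingerprint is not a SHA-256 value" >&2
        return 2
    }
    actual=$(cert_fp "$1")
    if [ "$actual" = "$expected" ]; then
        echo "match: $actual"
        return 0
    fi
    # Fail closed: do not run node setup with this file.
    echo "MISMATCH: saved=$actual expected=$expected" >&2
    return 1
}

# Usage on the agent, between `pki save-cert` and `node setup`
# (path from the thread; the fingerprint placeholder is read on linux_satellite
# from its own certificate, assumed to be /var/lib/icinga2/certs/linux_satellite.crt):
#   verify_trusted_cert /var/lib/icinga2/certs/trusted-master.crt "<FINGERPRINT>" \
#       && icinga2 node setup ...
```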