Icinga for Windows behind a Firewall or a Router

Hello all,

First of all I would like to thank everyone who has helped me so far or will help me in the future ;).
I am facing the challenge of running several Windows clients behind a firewall.
I have already successfully implemented a script for Ifw with the Powershell on clients that are accessible to me via VPN.
But unfortunately this is not an option, there are simply too many clients in the field.
Do I have to install and configure the agent so that the client talks to my server?
I think I need the API Check Forwarder and have to activate it. I have already done that once. But I still haven’t managed to get the client to log on to the server.
Creating the client on the server as a purely passive client without active checks is also clear.
How do I configure the checks on the client?

Does anyone have a tutorial on how I can best do this? Can we perhaps create something like this together in the community?
Am I completely barking up the wrong tree?


You can look into an Icinga satellite setup. The satellite, for example, connects to the Icinga master node via VPN, and all the “clients” behind the firewall connect to the satellite.

If there are several different firewalls, something like multiple home-office setups or laptops, I would recommend passive checks and sending them in via the icingaweb2 passive check result API (agentless).

It would be good to know what the requirements are exactly…

Hello Mehramazingnick,

I’ll put the requirement in more concrete terms.
The monitoring is to take place at different locations, with up to 100 clients per location.
The availability and hardware of the clients must be monitored.
Unfortunately, the client is not necessarily willing to allow additional clients (satellite rents). This still requires some convincing - you don’t have to understand that ;). So the first step is to monitor the individual clients. Since these are only Windows systems, I wanted to connect the clients to the server via “Icinga for Windows” and carry out passive checks.
The client was connected to the server via Powershellscript, which also works.
According to the documentation it is possible to do this. I have already made several attempts to solve this, but so far with moderate success.
I have basically followed the documentation and I think that it basically works.
I have carried out the following points:
  • Background Daemons - Installation
  • Collect Metrics over Time - Installation
  • API Check Forwarder
I have switched off the active check.
However, the check is only executed once and then I had to start it manually again and again.

What am I doing wrong, or what do I need to change?
I will have to think about the implementation later ;)

Hello Merkel,

You have to explain a little bit more about the infrastructure, open ports, etc.

If your icinga can trigger checks via icingaweb2, your connection is working.

  • an active check gets scheduled by the icinga instance,

  • a passive check is something you send in via icinga2 api or icingaweb2-api (passive-check-result)


  • switch back to active checks
  • introduce dependency (host-down -> Disable checks, host-down -> Disable notifications)


  • create checks with the command dummy
  • trigger checks via taskscheduler/cron and send them in via passive check result
  • the dummy command tells icinga the state is always ok, except there is some other information via passive check result
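
The passive-check-result approach from the reply above, as an added example that is not part of the thread or of Icinga's own code: a client-side script, run from a scheduled task, that measures free disk space and posts the result to the Icinga 2 API action `process-check-result`. The master URL, host and service names, thresholds and credential file path are placeholders chosen for illustration.

```powershell
# Added example. Placeholders (assumptions): URL, object names, thresholds, credential path.
function New-PassiveCheckResult {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][ValidateRange(0, 3)][int]$ExitStatus,  # 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN
        [Parameter(Mandatory)][string]$PluginOutput,
        [string[]]$PerformanceData = @(),
        [int]$TtlSeconds = 600
    )
    @{
        type             = 'Service'
        # Names are passed as filter_vars, not pasted into the expression,
        # so a crafted name cannot change which objects the filter matches.
        filter           = 'host.name == hn && service.name == sn'
        filter_vars      = @{ hn = $HostName; sn = $ServiceName }
        exit_status      = $ExitStatus
        plugin_output    = $PluginOutput
        performance_data = $PerformanceData
        check_source     = $env:COMPUTERNAME
        ttl              = $TtlSeconds   # next result is expected within this many seconds
    }
}

function Send-PassiveCheckResult {
    param(
        [Parameter(Mandatory)][string]$ApiBaseUrl,
        [Parameter(Mandatory)][pscredential]$Credential,  # ApiUser limited to actions/process-check-result
        [Parameter(Mandatory)][hashtable]$Result
    )
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $net   = $Credential.GetNetworkCredential()
    $basic = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("$($net.UserName):$($net.Password)"))
    # Certificate validation stays on: the Icinga CA certificate must be trusted on the client.
    Invoke-RestMethod -Method Post -Uri "$ApiBaseUrl/v1/actions/process-check-result" `
        -Headers @{ Accept = 'application/json'; Authorization = "Basic $basic" } `
        -ContentType 'application/json' -Body ($Result | ConvertTo-Json -Depth 4)
}

# Measure free space on C: and report it.
$disk    = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='C:'"
$freePct = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
$state   = if ($freePct -lt 10) { 2 } elseif ($freePct -lt 20) { 1 } else { 0 }
$result  = New-PassiveCheckResult -HostName 'client01.example' -ServiceName 'disk-c' `
    -ExitStatus $state -PluginOutput "C: $freePct% free" -PerformanceData @("free_pct=$freePct%;20:;10:")
# Credential file created once with Export-Clixml by the account that runs the task.
$cred    = Import-Clixml 'C:\ProgramData\icinga-passive\apiuser.xml'
Send-PassiveCheckResult -ApiBaseUrl 'https://icinga-master.example:5665' -Credential $cred -Result $result
```

The task interval should be shorter than the `ttl` value so that a client that stops reporting is noticed by the freshness check instead of keeping its last state.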

Hello everyone,

I have, by and large, a normal network.
In other words, there are no obstacles for monitoring that I could not have overcome.
The server listens publicly on the default port 5665.
In principle, I can also register clients, which also works.
Attached is the Powershell script I use.

# Enable TLS for the download and suppress the progress bar.
[Net.ServicePointManager]::SecurityProtocol = 'tls12, tls11';
$ProgressPreference = 'SilentlyContinue';
[string]$ScriptFile = 'C:\Users\Public\IcingaForWindows.ps1';

# Download the Icinga for Windows installer script.
Invoke-WebRequest -UseBasicParsing `
    -Uri 'https://packages.icinga.com/IcingaForWindows/IcingaForWindows.ps1' `
    -OutFile $ScriptFile;

# Install the framework from the stable repository.
& $ScriptFile -IcingaRepository 'https://packages.icinga.com/IcingaForWindows/stable/ifw.repo.json' `
    -ModuleDirectory 'C:\Program Files\WindowsPowerShell\Modules' -AllowUpdate;

# Register the client with the Director through the Self-Service API key.
Install-Icinga -InstallCommand '{"IfW-InstallService":{"Selection":"0"},"IfW-InstallPlugins":{"Selection":"0"},"IfW-DirectorSelfServiceKey":{"Values":["12345678xxxxxxxx"]},"IfW-DirectorUrl":{"Values":["https://urltoicinga/icingaweb2/director/"]}}';

I have a host template that does a dummy check and is set to passive.

template Host "icinga_passive" {
    check_command = "passive"
    max_check_attempts = "3"
    check_interval = 1m
    retry_interval = 30s
    check_timeout = 3m
    enable_notifications = true
    enable_active_checks = false
    enable_passive_checks = true
    enable_flapping = false
    enable_perfdata = true
}

What else do I have to adjust to ensure that I can communicate from behind a router/firewall?
As I said, in order to establish a satellite, I first have to show success ;)

Hi @Murkel, we have Active Checks with satellite nodes - this sounds like what you need.

We have two masters in HA that are publicly reachable, and customer satellites connect to our masters.

Windows/Linux machines behind NAT at a customer site connect to the satellite at the customer site.

This allows us to talk to local addresses from the satellite to the Icinga agents.

The traffic flow for service checks looks like:

Icinga Agent ------> Satellite -----> Master

And host checks are executed like:

Icinga Agent <------ Satellite <----- Master

Configuration is managed by Icinga Director.

We monitor around ~120 sites with ~5000 hosts and ~20000 services.

Hello Liam,
yes, that with the satellites can be a possibility in the 2nd step.
At the locations I have from one to XXX clients.
If there are several clients, I’ll go with you to install satellites there, but for now I have to connect clients directly.
So far I haven’t had any success with Ifw.
As I said, I can connect the player via the script, but what am I doing wrong that the client and the server are not communicating properly?