Recommended Passive Client - Internet Connected Icinga Satellite Server Setup with Secure Communication

Hello Icinga Community,

I need to evaluate the options for Internet-connected client passive monitoring towards an Internet-facing DMZ Satellite Icinga Server. So the Client can reach the Internet Satellite, but the Internet Satellite cannot reach the Client.
Communication should be secure, so an Icinga API call with credentials in the request is not an option. What setup would you use?
I read about NSClient++ that it can encrypt communication and do passive checks. The counterpart is the NSCA Server, which can write to the icinga2.cmd pipe file when running on the Icinga Master Server. But how can I make this Internet DMZ setup work when the NSCA Server runs on an Internet-connected server and not on the Icinga Master? Do you have any best practices or recommendations?

Thank you,
Best Regards

Hi & welcome to the icinga community,

For just one host to be monitored I’d install icinga as agent on it. The communication between this agent and the satellite would then be encrypted and certificate based. If you have more than one host I’d install icinga as satellite having the satellite as its parent.

Good Day Mr. Sommer,
thank you for the reply. We would have many 100s of clients to report problems back to the Internet-facing Satellite from many locations in a passive way. Setting up a satellite is like expanding the DMZ domain, I believe. Can the Icinga agent run as a passive agent? I tried to set it passively with no event handler to not have the satellite in the zones file, but then it never communicates back. So to do passive monitoring and no active checks on the Icinga side, is the Icinga agent sufficient? Or do I need NSClient++ with NSCA Server and somehow a connection to the Icinga Master to update the status?
Or to go down the PowerShell Icinga API request path, do I need to encrypt the communication in .NET just like the Icinga Agent and NSClient++ do?
Thank you,

It looks like there are some misunderstandings. Did you read distributed monitoring? This is crucial to understand the possibilities with icinga. You would then also understand that the term passive makes no sense. This belongs more to the “old” world as you have other and better options with icinga.

By default, checks executed at an agent are scheduled by its parent (in your case the DMZ satellite). You could configure an agent in a way that it itself is scheduling the checks, but this is tricky and only supported for Linux.
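
The agent-behind-a-firewall setup suggested in the replies above, as an added example that is not part of any post in this thread: in Icinga 2 the side whose `Endpoint` object for the peer carries a `host` attribute opens the TLS connection, so only the agent is given the satellite's address. The hostnames and zone names are assumed placeholders, and the file paths are the Linux package defaults.

```icinga2
// --- On the agent: /etc/icinga2/zones.conf ---
object Endpoint "satellite.dmz.example.com" {
  host = "satellite.dmz.example.com"  // agent dials out to the satellite
  port = 5665
}
object Zone "dmz-satellite" {
  endpoints = [ "satellite.dmz.example.com" ]
}
object Endpoint "agent01.example.com" { }
object Zone "agent01.example.com" {
  endpoints = [ "agent01.example.com" ]
  parent = "dmz-satellite"
}

// --- On the agent: /etc/icinga2/features-enabled/api.conf ---
object ApiListener "api" {
  accept_commands = true   // let the parent trigger check execution
  accept_config = false    // no config sync needed for command-endpoint checks
}

// --- On the satellite: zones.conf entry for this agent ---
object Endpoint "agent01.example.com" {
  // no "host" attribute: the satellite never tries to connect to the agent
  log_duration = 0  // do not keep a replay log for agents
}
object Zone "agent01.example.com" {
  endpoints = [ "agent01.example.com" ]
  parent = "dmz-satellite"
}
```

Only inbound TCP 5665 on the satellite has to be reachable; the satellite still schedules the checks, and they travel over the certificate-authenticated connection the agent opened.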