hi,
we’re running one icinga2 master in our working LAN and now we want to place a satellite in our DMZ to monitor some endpoints. For security reasons only the connection from the secure network (worklan) to the insecure network (dmz) is allowed, not the other way around. the firewall between these two networks just allows master > satellite:5665.
i know that this setup is possible with icinga2 but i’m a little bit confused how i do it exactly!? 
first step: installation of satellite > done
(icinga2 node wizard without connection to the parent)
second step: manual certificate request/sign > done
(via “pki new-cert” & "pki sign-csr on the master and manual copy of the cert-files to the satellite)
third step: configuration mode (top down, config sync etc…) > todo
I’m not sure which direction to take in the third step. which variants are possible with this setup (local checks on the satellite, remote checks from the master and so on)?
