PSclient sending from intranet

Thanks for the info.  I check the cipher/protocols on the 2008 box and 
they're all the defaults.  I've enabled the latest that match what my 
Xymon server is configured with and now I'm just waiting until after 
hours to reboot my box and hope it connects.

Here's what I use.
https://www.nartac.com/Products/IISCrypto/

Kris Springer


On 11/8/18 11:20 AM, Timothy Williams wrote:

https://support.microsoft.com/en-us/help/4019276/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows 
has instructions to make sure TLS is enabled in Windows. You may have 
to check Apache settings to see what ciphers and/or protocols are 
enabled on that end.

*/Timothy L. Williams/*

*Operating Systems Analyst*
Virginia Commonwealth University Computer Center
XXX East Main St. STE XXXX Richmond VA XXXXX
*XXX-XXX-XXXX <tel:(804)%20828-0556>*

• *


On Thu, Nov 8, 2018 at 12:54 PM Kris Springer 
<user-c2caa0a7a8d5@xymon.invalid <mailto:user-c2caa0a7a8d5@xymon.invalid>> wrote:

    It's confirmed working great on Windows Server 2012, but not
    2008.  Can you point me in a direction to look for a solution to
    the cipher issues?  I'm not going to reduce things to port 80, I
    want to keep things on 443.

    Kris Springer


    On 11/8/18 10:23 AM, Timothy Williams wrote:

    The red flag that popped out at me was the 2008 R2. Have you
    checked the ciphers and protocols? Try port 80 HTTP and see if it
    works.


    On Thu, Nov 8, 2018 at 12:13 PM Kris Springer
    <user-c2caa0a7a8d5@xymon.invalid <mailto:user-c2caa0a7a8d5@xymon.invalid>>
    wrote:

        I may have spoken too soon.  It's indeed working on box1, but
        when I edited the xymonclient_config.xml on box2 and
        re-entered the password so box2 would re-encrypt it for it's
        connection to the server, it's timing out.  Does each client
        need it's own individual user/pass? That seems unnecessary. 
        I just tried different credentials and it still timed out. 
        The difference between box1 and box2 is the OS.  They're on
        the same network and can both reach the server via https so I
        don't think it's a networking issue.
        box1 = Windows 10 Pro
        box2 = Windows Server 2008 R2 Enterprise

        Apache logs show nothing unusual.
        I've looked at all the logs I can find on the server but I'm
        not seeing anything that would tip me off as to the issue.
        Ideas?

        Kris Springer


        On 11/8/18 2:25 AM, Beck, Zak wrote:

        Hi Kris

        Yes, I have it working. As you say, the URL needs to include
        the full path to xymoncgimsg.cgi.

        All xymoncgimsg.cgi does as far as I can tell is relay the
        message(s) received over HTTPS via TCP to localhost port
        1984 (which is what the man page says as well). So you need
        that listening (which by default it will be).

        I don’t recall making any other config changes to make this
        work (aside from Apache etc to sort out the authentication).

        I suspect the time out is waiting for the response – when
        you submit data to Xymon, you normally get the client local
        config back from the server. This comes back via the HTTPS
        response. There is a timeout setting – sorry I forgot to
        document it in the table in the Word doc –
        serverHttpTimeoutMs – which defaults to 100000 milliseconds
        – i.e. 100 seconds. This is the time it waits for the
        response from the server. 100 seconds is pretty generous
        unless you’re traversing particularly slow VPNs or saturated
        connections. You can override this in the
        xymonclient_config.xml file.

        I’m assuming you’re getting this message:

            "  Connecting to $($url), body length $($body.Length),
        timeout $($script:XymonSettings.serverHttpTimeoutMs)ms"

        And then this one (with a timeout exception):

                "  Exception connecting to $($url):`n$($_)"

        And not either of these:

                "  FAILED, HTTP response code:
        $($response.StatusCode) ($statusCode)"

        or

                "  Received $($output.Length) bytes from server"

        Zak

        *From:*Xymon <xymon-bounces at xymon.com>
        <mailto:xymon-bounces at xymon.com> *On Behalf Of
        *user-c2caa0a7a8d5@xymon.invalid <mailto:user-c2caa0a7a8d5@xymon.invalid>
        *Sent:* Thursday, 8 November 2018 08:51
        *To:* Xymon MailingList <xymon at xymon.com>
        <mailto:xymon at xymon.com>
        *Subject:* [External] Re: [Xymon] PSclient sending from intranet

        Anyone have xymoncgimsg.cgi functioning on their server and
        successfully receiving PSclient data over HTTPS?  The
        documentation for this is vague and doesn't specify how to
        make it work. Any specifics would be greatly appreciated.

        Thanks,
        Kris Springer


        -----Original Message-----
        From: Timothy Williams <user-1a5482fb085e@xymon.invalid
        To: user-c2caa0a7a8d5@xymon.invalid
        Cc: xymon at xymon.com <mailto:xymon at xymon.com>
        Sent: Tue, 06 Nov 2018 2:22 PM
        Subject: Re: [Xymon] PSclient sending from intranet

        Alas, I am unable to help further, as my InfoSec allows port
        1984, and not 80 or 443 to Xymon, so I don't have http running.

        Tim

        On Tue, Nov 6, 2018 at 3:29 PM Kris Springer
        <user-c2caa0a7a8d5@xymon.invalid
        <mailto:user-c2caa0a7a8d5@xymon.invalid>> wrote:

            I've configured one of my PSclients to test this HTTPS
            functionality, and it indeed does try to send data over
            port 443.  But the client logs say that my Xymon server
            is timing out.  Is there a specific server url path that
            I need to be using?  The documentation doesn't give any
            example.


            Kris Springer

              
            On 11/6/18 7:54 AM, Timothy Williams wrote:

                The Powershell client can connect to the Xymon
                server using TCP port 1984 as default, but can also
                connect using HTTP or HTTPS with/without
                user/password. You likely have port 80 or 443 open.
                Here are Word doc details:

                HTTP is an alternate method. It can be used if you
                have xymoncgimsg.cgi running on the web server on
                your Xymon server – see
                https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html
                <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.xymon.com_help_manpages_man8_xymoncgimsg.cgi.8.html&d=DwMGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=-OwMT0n637myRsiGrh2Ey_FyOjBckX9cnzeXB9ID_dw&s=nwg-TdqZw8dbasxkybIMrt8HKpuV-U4Z2HpC5Rbr1BM&e=>;.
                The web server running the CGI can be configured for
                SSL (i.e. HTTPS) and / or authentication –
                XymonPSClient supports basic authentication and SSL.
                If you require authentication, the
                <serverHttpUsername> and <serverHttpPassword>
                elements should be configured.

                If you are using HTTP and transmitting over unsecure
                networks (e.g. the internet), it is strongly
                recommended to enable SSL, authentication and
                disallow HTTP connections.

                ServerHttpPassword encryption

                If <serverHttpPassword> is set, the Xymon client
                will encrypt the password if it is not encrypted and
                remove the plain text password from the
                configuration file, overwriting with the encrypted
                password. The Xymon client will prefix the encrypted
                password with ‘{SecureString}’, so it is easy to
                tell if the client has attempted to encrypt the
                password or not.

                This is done using the .NET SecureString functions,
                which means that the encryption is unique to the
                server and user. This means that once the password
                has been encrypted, you cannot use the same
                xymonclient_config.xml on another server. It also
                means that if you have been testing by running
                XymonPSClient from a command prompt, and this
                encrypts the password, when you run XymonPSClient as
                a service it will not be able to decrypt the
                password unless the service is running as the same user.

                In both scenarios, replacing the encrypted password
                with the plain text password and re-starting Xymon
                will cause the password to be re-encypted.

                Tim Williams

                On Tue, Nov 6, 2018 at 9:37 AM Rolf Schrittenlocher
                <user-4b3b4051a09b@xymon.invalid
                <mailto:user-4b3b4051a09b@xymon.invalid>> wrote:

                    any possibility to send something from intranet
                    to the world outside?
                    creating webpage, send by sftp or scp? This
                    could be done by cron and
                    xymon could analyze this data then.

Anyone have an idea about how to collect
                    client server stats using the
Powershell client on machines that are on an
                    intranet that blocks port
1984, and send it out to our external xymon
                    server located in a
different part of the country?  The intranet
                    network doesn't want to
open any additional ports to allow the traffic
                    out.

                    -- 
                    Mit freundlichen Grüßen
                    Rolf Schrittenlocher

                    Lokales Bibliothekssystem Frankfurt
                    Bockenheimer Landstr. 134-138, 60325 Frankfurt
                    Tel LBS: (49) 69 - 798 28830
                    Tel persönlich: (49) 69 - 798 28908
                    LBS: user-7d592aff76ba@xymon.invalid
                    Persönlich: user-4b3b4051a09b@xymon.invalid

                    
                    <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xymon.com_mailman_listinfo_xymon&d=DwMGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=-OwMT0n637myRsiGrh2Ey_FyOjBckX9cnzeXB9ID_dw&s=F_2sRqz669yemQ4GbrwkTlh6D0HtrNX1wqu7RvAN1WE&e=>;


        This message is for the designated recipient only and may
        contain privileged, proprietary, or otherwise confidential
        information. If you have received it in error, please notify
        the sender immediately and delete the original. Any other
        use of the e-mail by you is prohibited. Where allowed by
        local law, electronic communications with Accenture and its
        affiliates, including e-mail and instant messaging
        (including content), may be scanned by our systems for the
        purposes of information security and assessment of internal
        compliance with Accenture policy. Your privacy is important
        to us. Accenture uses your personal data only in compliance
        with data protection laws. For further information on how
        Accenture processes your personal data, please see our
        privacy statement at
        https://www.accenture.com/us-en/privacy-policy.

        www.accenture.com <http://www.accenture.com>;