PSclient sending from intranet
list Kris Springer
Anyone have an idea about how to collect client server stats using the Powershell client on machines that are on an intranet that blocks port 1984, and send it out to our external xymon server located in a different part of the country? The intranet network doesn't want to open any additional ports to allow the traffic out. -- Kris Springer Innovate! Inc. Systems Admin & Support
list Rolf Schrittenlocher
any possibility to send something from intranet to the world outside? creating webpage, send by sftp or scp? This could be done by cron and xymon could analyze this data then.
Anyone have an idea about how to collect client server stats using the Powershell client on machines that are on an intranet that blocks port 1984, and send it out to our external xymon server located in a different part of the country? The intranet network doesn't want to open any additional ports to allow the traffic out.
-- Mit freundlichen Grüßen Rolf Schrittenlocher Lokales Bibliothekssystem Frankfurt Bockenheimer Landstr. 134-138, 60325 Frankfurt Tel LBS: (49) 69 - 798 28830 Tel persönlich: (49) 69 - 798 28908 LBS: user-7d592aff76ba@xymon.invalid Persönlich: user-4b3b4051a09b@xymon.invalid
list Timothy Williams
The Powershell client can connect to the Xymon server using TCP port 1984 as default, but can also connect using HTTP or HTTPS with/without user/password. You likely have port 80 or 443 open. Here are Word doc details: HTTP is an alternate method. It can be used if you have xymoncgimsg.cgi running on the web server on your Xymon server – see https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html. The web server running the CGI can be configured for SSL (i.e. HTTPS) and / or authentication – XymonPSClient supports basic authentication and SSL. If you require authentication, the <serverHttpUsername> and <serverHttpPassword> elements should be configured. If you are using HTTP and transmitting over unsecure networks (e.g. the internet), it is strongly recommended to enable SSL, authentication and disallow HTTP connections. ServerHttpPassword encryption If <serverHttpPassword> is set, the Xymon client will encrypt the password if it is not encrypted and remove the plain text password from the configuration file, overwriting with the encrypted password. The Xymon client will prefix the encrypted password with ‘{SecureString}’, so it is easy to tell if the client has attempted to encrypt the password or not. This is done using the .NET SecureString functions, which means that the encryption is unique to the server and user. This means that once the password has been encrypted, you cannot use the same xymonclient_config.xml on another server. It also means that if you have been testing by running XymonPSClient from a command prompt, and this encrypts the password, when you run XymonPSClient as a service it will not be able to decrypt the password unless the service is running as the same user. In both scenarios, replacing the encrypted password with the plain text password and re-starting Xymon will cause the password to be re-encypted. Tim Williams On Tue, Nov 6, 2018 at 9:37 AM Rolf Schrittenlocher <
▸
user-4b3b4051a09b@xymon.invalid> wrote:
any possibility to send something from intranet to the world outside? creating webpage, send by sftp or scp? This could be done by cron and xymon could analyze this data then.Anyone have an idea about how to collect client server stats using the Powershell client on machines that are on an intranet that blocks port 1984, and send it out to our external xymon server located in a different part of the country? The intranet network doesn't want to open any additional ports to allow the traffic out.-- Mit freundlichen Grüßen Rolf Schrittenlocher Lokales Bibliothekssystem Frankfurt Bockenheimer Landstr. 134-138, 60325 Frankfurt Tel LBS: (49) 69 - 798 28830 Tel persönlich: (49) 69 - 798 28908 LBS: user-7d592aff76ba@xymon.invalid Persönlich: user-4b3b4051a09b@xymon.invalid
list Kris Springer
Thanks for this info. From reading the man page it seems like this is enabled by default. Looking at the XymonPSClient.doc it says to change the <servers> element to <serverUrl> in order for the client to send over HTTP(s). Do I simply put *https://*servername.com in the xymonclient_config.xml if my intent is to use port 443? Kris Springer
▸
On 11/6/18 7:54 AM, Timothy Williams wrote:The Powershell client can connect to the Xymon server using TCP port 1984 as default, but can also connect using HTTP or HTTPS with/without user/password. You likely have port 80 or 443 open. Here are Word doc details: HTTP is an alternate method. It can be used if you have xymoncgimsg.cgi running on the web server on your Xymon server – see https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html. The web server running the CGI can be configured for SSL (i.e. HTTPS) and / or authentication – XymonPSClient supports basic authentication and SSL. If you require authentication, the <serverHttpUsername> and <serverHttpPassword> elements should be configured. If you are using HTTP and transmitting over unsecure networks (e.g. the internet), it is strongly recommended to enable SSL, authentication and disallow HTTP connections. ServerHttpPassword encryption If <serverHttpPassword> is set, the Xymon client will encrypt the password if it is not encrypted and remove the plain text password from the configuration file, overwriting with the encrypted password. The Xymon client will prefix the encrypted password with ‘{SecureString}’, so it is easy to tell if the client has attempted to encrypt the password or not. This is done using the .NET SecureString functions, which means that the encryption is unique to the server and user. This means that once the password has been encrypted, you cannot use the same xymonclient_config.xml on another server. It also means that if you have been testing by running XymonPSClient from a command prompt, and this encrypts the password, when you run XymonPSClient as a service it will not be able to decrypt the password unless the service is running as the same user. In both scenarios, replacing the encrypted password with the plain text password and re-starting Xymon will cause the password to be re-encypted. Tim Williams On Tue, Nov 6, 2018 at 9:37 AM Rolf Schrittenlocher <user-4b3b4051a09b@xymon.invalid <mailto:user-4b3b4051a09b@xymon.invalid>> wrote: any possibility to send something from intranet to the world outside? creating webpage, send by sftp or scp? This could be done by cron and xymon could analyze this data then.Anyone have an idea about how to collect client server stats using the Powershell client on machines that are on an intranet that blocks port 1984, and send it out to our external xymon server located in a different part of the country? The intranet network doesn't want to open any additional ports to allow the traffic out.-- Mit freundlichen Grüßen Rolf Schrittenlocher Lokales Bibliothekssystem Frankfurt Bockenheimer Landstr. 134-138, 60325 Frankfurt Tel LBS: (49) 69 - 798 28830 Tel persönlich: (49) 69 - 798 28908
LBS: user-7d592aff76ba@xymon.invalid <mailto:user-7d592aff76ba@xymon.invalid>
Persönlich: user-4b3b4051a09b@xymon.invalid
list Kris Springer
I've configured one of my PSclients to test this HTTPS functionality, and it indeed does try to send data over port 443. But the client logs say that my Xymon server is timing out. Is there a specific server url path that I need to be using? The documentation doesn't give any example.
▸
Kris Springer
On 11/6/18 7:54 AM, Timothy Williams wrote:The Powershell client can connect to the Xymon server using TCP port 1984 as default, but can also connect using HTTP or HTTPS with/without user/password. You likely have port 80 or 443 open. Here are Word doc details: HTTP is an alternate method. It can be used if you have xymoncgimsg.cgi running on the web server on your Xymon server – see https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html. The web server running the CGI can be configured for SSL (i.e. HTTPS) and / or authentication – XymonPSClient supports basic authentication and SSL. If you require authentication, the <serverHttpUsername> and <serverHttpPassword> elements should be configured. If you are using HTTP and transmitting over unsecure networks (e.g. the internet), it is strongly recommended to enable SSL, authentication and disallow HTTP connections. ServerHttpPassword encryption If <serverHttpPassword> is set, the Xymon client will encrypt the password if it is not encrypted and remove the plain text password from the configuration file, overwriting with the encrypted password. The Xymon client will prefix the encrypted password with ‘{SecureString}’, so it is easy to tell if the client has attempted to encrypt the password or not. This is done using the .NET SecureString functions, which means that the encryption is unique to the server and user. This means that once the password has been encrypted, you cannot use the same xymonclient_config.xml on another server. It also means that if you have been testing by running XymonPSClient from a command prompt, and this encrypts the password, when you run XymonPSClient as a service it will not be able to decrypt the password unless the service is running as the same user. In both scenarios, replacing the encrypted password with the plain text password and re-starting Xymon will cause the password to be re-encypted. Tim Williams On Tue, Nov 6, 2018 at 9:37 AM Rolf Schrittenlocher <user-4b3b4051a09b@xymon.invalid <mailto:user-4b3b4051a09b@xymon.invalid>> wrote: any possibility to send something from intranet to the world outside? creating webpage, send by sftp or scp? This could be done by cron and xymon could analyze this data then.Anyone have an idea about how to collect client server stats using the Powershell client on machines that are on an intranet that blocks port 1984, and send it out to our external xymon server located in a different part of the country? The intranet network doesn't want to open any additional ports to allow the traffic out.-- Mit freundlichen Grüßen Rolf Schrittenlocher Lokales Bibliothekssystem Frankfurt Bockenheimer Landstr. 134-138, 60325 Frankfurt Tel LBS: (49) 69 - 798 28830 Tel persönlich: (49) 69 - 798 28908 LBS: user-7d592aff76ba@xymon.invalid <mailto:user-7d592aff76ba@xymon.invalid> Persönlich: user-4b3b4051a09b@xymon.invalid
list Timothy Williams
Alas, I am unable to help further, as my InfoSec allows port 1984, and not 80 or 443 to Xymon, so I don't have http running. Tim On Tue, Nov 6, 2018 at 3:29 PM Kris Springer <user-c2caa0a7a8d5@xymon.invalid>
▸
wrote:
I've configured one of my PSclients to test this HTTPS functionality, and it indeed does try to send data over port 443. But the client logs say that my Xymon server is timing out. Is there a specific server url path that I need to be using? The documentation doesn't give any example. Kris Springer On 11/6/18 7:54 AM, Timothy Williams wrote: The Powershell client can connect to the Xymon server using TCP port 1984 as default, but can also connect using HTTP or HTTPS with/without user/password. You likely have port 80 or 443 open. Here are Word doc details: HTTP is an alternate method. It can be used if you have xymoncgimsg.cgi running on the web server on your Xymon server – see https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html. The web server running the CGI can be configured for SSL (i.e. HTTPS) and / or authentication – XymonPSClient supports basic authentication and SSL. If you require authentication, the <serverHttpUsername> and <serverHttpPassword> elements should be configured. If you are using HTTP and transmitting over unsecure networks (e.g. the internet), it is strongly recommended to enable SSL, authentication and disallow HTTP connections. ServerHttpPassword encryption If <serverHttpPassword> is set, the Xymon client will encrypt the password if it is not encrypted and remove the plain text password from the configuration file, overwriting with the encrypted password. The Xymon client will prefix the encrypted password with ‘{SecureString}’, so it is easy to tell if the client has attempted to encrypt the password or not. This is done using the .NET SecureString functions, which means that the encryption is unique to the server and user. This means that once the password has been encrypted, you cannot use the same xymonclient_config.xml on another server. It also means that if you have been testing by running XymonPSClient from a command prompt, and this encrypts the password, when you run XymonPSClient as a service it will not be able to decrypt the password unless the service is running as the same user. In both scenarios, replacing the encrypted password with the plain text password and re-starting Xymon will cause the password to be re-encypted. Tim Williams On Tue, Nov 6, 2018 at 9:37 AM Rolf Schrittenlocher < user-4b3b4051a09b@xymon.invalid> wrote:any possibility to send something from intranet to the world outside? creating webpage, send by sftp or scp? This could be done by cron and xymon could analyze this data then.Anyone have an idea about how to collect client server stats using the Powershell client on machines that are on an intranet that blocks port 1984, and send it out to our external xymon server located in a different part of the country? The intranet network doesn't want to open any additional ports to allow the traffic out.-- Mit freundlichen Grüßen Rolf Schrittenlocher Lokales Bibliothekssystem Frankfurt Bockenheimer Landstr. 134-138, 60325 Frankfurt Tel LBS: (49) 69 - 798 28830 Tel persönlich: (49) 69 - 798 28908 LBS: user-7d592aff76ba@xymon.invalid Persönlich: user-4b3b4051a09b@xymon.invalid
list Kris Springer
Thanks anyway. I'm working on a how-to right now. The documentation on this feature is practically nonexistent, but I think I'm about to get it figured out. Kris Springer
▸
On 11/6/18 2:22 PM, Timothy Williams wrote:Alas, I am unable to help further, as my InfoSec allows port 1984, and not 80 or 443 to Xymon, so I don't have http running. Tim On Tue, Nov 6, 2018 at 3:29 PM Kris Springer <user-c2caa0a7a8d5@xymon.invalid <mailto:user-c2caa0a7a8d5@xymon.invalid>> wrote: I've configured one of my PSclients to test this HTTPS functionality, and it indeed does try to send data over port 443. But the client logs say that my Xymon server is timing out. Is there a specific server url path that I need to be using? The documentation doesn't give any example. Kris Springer On 11/6/18 7:54 AM, Timothy Williams wrote:The Powershell client can connect to the Xymon server using TCP port 1984 as default, but can also connect using HTTP or HTTPS with/without user/password. You likely have port 80 or 443 open. Here are Word doc details: HTTP is an alternate method. It can be used if you have xymoncgimsg.cgi running on the web server on your Xymon server – see https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html. The web server running the CGI can be configured for SSL (i.e. HTTPS) and / or authentication – XymonPSClient supports basic authentication and SSL. If you require authentication, the <serverHttpUsername> and <serverHttpPassword> elements should be configured. If you are using HTTP and transmitting over unsecure networks (e.g. the internet), it is strongly recommended to enable SSL, authentication and disallow HTTP connections. ServerHttpPassword encryption If <serverHttpPassword> is set, the Xymon client will encrypt the password if it is not encrypted and remove the plain text password from the configuration file, overwriting with the encrypted password. The Xymon client will prefix the encrypted password with ‘{SecureString}’, so it is easy to tell if the client has attempted to encrypt the password or not. This is done using the .NET SecureString functions, which means that the encryption is unique to the server and user. This means that once the password has been encrypted, you cannot use the same xymonclient_config.xml on another server. It also means that if you have been testing by running XymonPSClient from a command prompt, and this encrypts the password, when you run XymonPSClient as a service it will not be able to decrypt the password unless the service is running as the same user. In both scenarios, replacing the encrypted password with the plain text password and re-starting Xymon will cause the password to be re-encypted. Tim Williams On Tue, Nov 6, 2018 at 9:37 AM Rolf Schrittenlocher <user-4b3b4051a09b@xymon.invalid <mailto:user-4b3b4051a09b@xymon.invalid>> wrote: any possibility to send something from intranet to the world outside? creating webpage, send by sftp or scp? This could be done by cron and xymon could analyze this data then.Anyone have an idea about how to collect client server stats using the Powershell client on machines that are on an intranet that blocks port 1984, and send it out to our external xymon server located in a different part of the country? The intranet network doesn't want to open any additional ports to allow the traffic out.-- Mit freundlichen Grüßen Rolf Schrittenlocher Lokales Bibliothekssystem Frankfurt Bockenheimer Landstr. 134-138, 60325 Frankfurt Tel LBS: (49) 69 - 798 28830 Tel persönlich: (49) 69 - 798 28908 LBS: user-7d592aff76ba@xymon.invalid <mailto:user-7d592aff76ba@xymon.invalid> Persönlich: user-4b3b4051a09b@xymon.invalid
list Kris Springer
So I'm pretty sure I have the client configured correctly. It's trying to connect to my server url with the correct user/pass and it's encrypting, but it's getting a timeout. The URL I'm using is https://myservername.com/xymon-cgi/xymoncgimsg.cgi On the server: I've copied the xymoncgimsg.cgi from ~/xymon/server/bin/ to ~/xymon/cgi-bin/ I then chown'd it so xymon is the owner and group and executable, just like the other files in that directory. I think the server needs to be told that the xymoncgimsg.cgi is ok to process. Do I need to define something in the xymonserver.cfg? What am I missing here?
▸
Kris Springer
On 11/6/18 2:22 PM, Timothy Williams wrote:Alas, I am unable to help further, as my InfoSec allows port 1984, and not 80 or 443 to Xymon, so I don't have http running. Tim On Tue, Nov 6, 2018 at 3:29 PM Kris Springer <user-c2caa0a7a8d5@xymon.invalid <mailto:user-c2caa0a7a8d5@xymon.invalid>> wrote: I've configured one of my PSclients to test this HTTPS functionality, and it indeed does try to send data over port 443. But the client logs say that my Xymon server is timing out. Is there a specific server url path that I need to be using? The documentation doesn't give any example. Kris Springer On 11/6/18 7:54 AM, Timothy Williams wrote:The Powershell client can connect to the Xymon server using TCP port 1984 as default, but can also connect using HTTP or HTTPS with/without user/password. You likely have port 80 or 443 open. Here are Word doc details: HTTP is an alternate method. It can be used if you have xymoncgimsg.cgi running on the web server on your Xymon server – see https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html. The web server running the CGI can be configured for SSL (i.e. HTTPS) and / or authentication – XymonPSClient supports basic authentication and SSL. If you require authentication, the <serverHttpUsername> and <serverHttpPassword> elements should be configured. If you are using HTTP and transmitting over unsecure networks (e.g. the internet), it is strongly recommended to enable SSL, authentication and disallow HTTP connections. ServerHttpPassword encryption If <serverHttpPassword> is set, the Xymon client will encrypt the password if it is not encrypted and remove the plain text password from the configuration file, overwriting with the encrypted password. The Xymon client will prefix the encrypted password with ‘{SecureString}’, so it is easy to tell if the client has attempted to encrypt the password or not. This is done using the .NET SecureString functions, which means that the encryption is unique to the server and user. This means that once the password has been encrypted, you cannot use the same xymonclient_config.xml on another server. It also means that if you have been testing by running XymonPSClient from a command prompt, and this encrypts the password, when you run XymonPSClient as a service it will not be able to decrypt the password unless the service is running as the same user. In both scenarios, replacing the encrypted password with the plain text password and re-starting Xymon will cause the password to be re-encypted. Tim Williams On Tue, Nov 6, 2018 at 9:37 AM Rolf Schrittenlocher <user-4b3b4051a09b@xymon.invalid <mailto:user-4b3b4051a09b@xymon.invalid>> wrote: any possibility to send something from intranet to the world outside? creating webpage, send by sftp or scp? This could be done by cron and xymon could analyze this data then.Anyone have an idea about how to collect client server stats using the Powershell client on machines that are on an intranet that blocks port 1984, and send it out to our external xymon server located in a different part of the country? The intranet network doesn't want to open any additional ports to allow the traffic out.-- Mit freundlichen Grüßen Rolf Schrittenlocher Lokales Bibliothekssystem Frankfurt Bockenheimer Landstr. 134-138, 60325 Frankfurt Tel LBS: (49) 69 - 798 28830 Tel persönlich: (49) 69 - 798 28908 LBS: user-7d592aff76ba@xymon.invalid <mailto:user-7d592aff76ba@xymon.invalid> Persönlich: user-4b3b4051a09b@xymon.invalid
list Kris Springer
Anyone have xymoncgimsg.cgi functioning on their server and successfully receiving PSclient data over HTTPS? The documentation for this is vague and doesn't specify how to make it work. Any specifics would be greatly appreciated. Thanks, Kris Springer
▸
-----Original Message-----
From: Timothy Williams <user-1a5482fb085e@xymon.invalid>
To: user-c2caa0a7a8d5@xymon.invalid
Cc: xymon at xymon.com
Sent: Tue, 06 Nov 2018 2:22 PM
Subject: Re: [Xymon] PSclient sending from intranet
Alas, I am unable to help further, as my InfoSec allows port 1984, and not
80 or 443 to Xymon, so I don't have http running.
Tim
On Tue, Nov 6, 2018 at 3:29 PM Kris Springer <user-c2caa0a7a8d5@xymon.invalid>
wrote:
I've configured one of my PSclients to test this HTTPS functionality, and it indeed does try to send data over port 443. But the client logs say that my Xymon server is timing out. Is there a specific server url path that I need to be using? The documentation doesn't give any example. Kris Springer On 11/6/18 7:54 AM, Timothy Williams wrote: The Powershell client can connect to the Xymon server using TCP port 1984 as default, but can also connect using HTTP or HTTPS with/without user/password. You likely have port 80 or 443 open. Here are Word doc details: HTTP is an alternate method. It can be used if you have xymoncgimsg.cgi running on the web server on your Xymon server – see https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html. The web server running the CGI can be configured for SSL (i.e. HTTPS) and / or authentication – XymonPSClient supports basic authentication and SSL. If you require authentication, the <serverHttpUsername> and <serverHttpPassword> elements should be configured. If you are using HTTP and transmitting over unsecure networks (e.g. the internet), it is strongly recommended to enable SSL, authentication and disallow HTTP connections. ServerHttpPassword encryption If <serverHttpPassword> is set, the Xymon client will encrypt the password if it is not encrypted and remove the plain text password from the configuration file, overwriting with the encrypted password. The Xymon client will prefix the encrypted password with ‘{SecureString}’, so it is easy to tell if the client has attempted to encrypt the password or not. This is done using the .NET SecureString functions, which means that the encryption is unique to the server and user. This means that once the password has been encrypted, you cannot use the same xymonclient_config.xml on another server. It also means that if you have been testing by running XymonPSClient from a command prompt, and this encrypts the password, when you run XymonPSClient as a service it will not be able to decrypt the password unless the service is running as the same user. In both scenarios, replacing the encrypted password with the plain text password and re-starting Xymon will cause the password to be re-encypted. Tim Williams On Tue, Nov 6, 2018 at 9:37 AM Rolf Schrittenlocher < user-4b3b4051a09b@xymon.invalid> wrote:any possibility to send something from intranet to the world outside? creating webpage, send by sftp or scp? This could be done by cron and xymon could analyze this data then.Anyone have an idea about how to collect client server stats using the Powershell client on machines that are on an intranet that blocks port 1984, and send it out to our external xymon server located in a different part of the country? The intranet network doesn't want to open any additional ports to allow the traffic out.-- Mit freundlichen Grüßen Rolf Schrittenlocher Lokales Bibliothekssystem Frankfurt Bockenheimer Landstr. 134-138, 60325 Frankfurt Tel LBS: (49) 69 - 798 28830 Tel persönlich: (49) 69 - 798 28908 LBS: user-7d592aff76ba@xymon.invalid Persönlich: user-4b3b4051a09b@xymon.invalid
list Zak Beck
Hi Kris
Yes, I have it working. As you say, the URL needs to include the full path to xymoncgimsg.cgi.
All xymoncgimsg.cgi does as far as I can tell is relay the message(s) received over HTTPS via TCP to localhost port 1984 (which is what the man page says as well). So you need that listening (which by default it will be).
I don’t recall making any other config changes to make this work (aside from Apache etc to sort out the authentication).
I suspect the time out is waiting for the response – when you submit data to Xymon, you normally get the client local config back from the server. This comes back via the HTTPS response. There is a timeout setting – sorry I forgot to document it in the table in the Word doc – serverHttpTimeoutMs – which defaults to 100000 milliseconds – i.e. 100 seconds. This is the time it waits for the response from the server. 100 seconds is pretty generous unless you’re traversing particularly slow VPNs or saturated connections. You can override this in the xymonclient_config.xml file.
I’m assuming you’re getting this message:
" Connecting to $($url), body length $($body.Length), timeout $($script:XymonSettings.serverHttpTimeoutMs)ms"
And then this one (with a timeout exception):
" Exception connecting to $($url):`n$($_)"
And not either of these:
" FAILED, HTTP response code: $($response.StatusCode) ($statusCode)"
or
" Received $($output.Length) bytes from server"
Zak
▸
From: Xymon <xymon-bounces at xymon.com> On Behalf Of user-c2caa0a7a8d5@xymon.invalid
Sent: Thursday, 8 November 2018 08:51
To: Xymon MailingList <xymon at xymon.com>
Subject: [External] Re: [Xymon] PSclient sending from intranet
Anyone have xymoncgimsg.cgi functioning on their server and successfully receiving PSclient data over HTTPS? The documentation for this is vague and doesn't specify how to make it work. Any specifics would be greatly appreciated.
Thanks,
Kris Springer
-----Original Message-----
From: Timothy Williams <user-1a5482fb085e@xymon.invalid<mailto:user-1a5482fb085e@xymon.invalid>>
To: user-c2caa0a7a8d5@xymon.invalid<mailto:user-c2caa0a7a8d5@xymon.invalid>
Cc: xymon at xymon.com<mailto:xymon at xymon.com>
Sent: Tue, 06 Nov 2018 2:22 PM
Subject: Re: [Xymon] PSclient sending from intranet
Alas, I am unable to help further, as my InfoSec allows port 1984, and not 80 or 443 to Xymon, so I don't have http running.
Tim
On Tue, Nov 6, 2018 at 3:29 PM Kris Springer <user-c2caa0a7a8d5@xymon.invalid<mailto:user-c2caa0a7a8d5@xymon.invalid>> wrote:
I've configured one of my PSclients to test this HTTPS functionality, and it indeed does try to send data over port 443. But the client logs say that my Xymon server is timing out. Is there a specific server url path that I need to be using? The documentation doesn't give any example.
Kris Springer
On 11/6/18 7:54 AM, Timothy Williams wrote:
The Powershell client can connect to the Xymon server using TCP port 1984 as default, but can also connect using HTTP or HTTPS with/without user/password. You likely have port 80 or 443 open. Here are Word doc details:
HTTP is an alternate method. It can be used if you have xymoncgimsg.cgi running on the web server on your Xymon server – see https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.xymon.com_help_manpages_man8_xymoncgimsg.cgi.8.html&d=DwMGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=-OwMT0n637myRsiGrh2Ey_FyOjBckX9cnzeXB9ID_dw&s=nwg-TdqZw8dbasxkybIMrt8HKpuV-U4Z2HpC5Rbr1BM&e=>;. The web server running the CGI can be configured for SSL (i.e. HTTPS) and / or authentication – XymonPSClient supports basic authentication and SSL. If you require authentication, the <serverHttpUsername> and <serverHttpPassword> elements should be configured.
▸
If you are using HTTP and transmitting over unsecure networks (e.g. the internet), it is strongly recommended to enable SSL, authentication and disallow HTTP connections.
ServerHttpPassword encryption
If <serverHttpPassword> is set, the Xymon client will encrypt the password if it is not encrypted and remove the plain text password from the configuration file, overwriting with the encrypted password. The Xymon client will prefix the encrypted password with ‘{SecureString}’, so it is easy to tell if the client has attempted to encrypt the password or not.
This is done using the .NET SecureString functions, which means that the encryption is unique to the server and user. This means that once the password has been encrypted, you cannot use the same xymonclient_config.xml on another server. It also means that if you have been testing by running XymonPSClient from a command prompt, and this encrypts the password, when you run XymonPSClient as a service it will not be able to decrypt the password unless the service is running as the same user.
In both scenarios, replacing the encrypted password with the plain text password and re-starting Xymon will cause the password to be re-encypted.
Tim Williams
On Tue, Nov 6, 2018 at 9:37 AM Rolf Schrittenlocher <user-4b3b4051a09b@xymon.invalid<mailto:user-4b3b4051a09b@xymon.invalid>> wrote:
any possibility to send something from intranet to the world outside?
creating webpage, send by sftp or scp? This could be done by cron and
xymon could analyze this data then.Anyone have an idea about how to collect client server stats using the Powershell client on machines that are on an intranet that blocks port 1984, and send it out to our external xymon server located in a different part of the country? The intranet network doesn't want to open any additional ports to allow the traffic out.
-- Mit freundlichen Grüßen Rolf Schrittenlocher Lokales Bibliothekssystem Frankfurt Bockenheimer Landstr. 134-138, 60325 Frankfurt Tel LBS: (49) 69 - 798 28830 Tel persönlich: (49) 69 - 798 28908
LBS: user-7d592aff76ba@xymon.invalid<mailto:user-7d592aff76ba@xymon.invalid> Persönlich: user-4b3b4051a09b@xymon.invalid<mailto:user-4b3b4051a09b@xymon.invalid> Xymon at xymon.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xymon.com_mailman_listinfo_xymon&d=DwMGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=-OwMT0n637myRsiGrh2Ey_FyOjBckX9cnzeXB9ID_dw&s=F_2sRqz669yemQ4GbrwkTlh6D0HtrNX1wqu7RvAN1WE&e=>; This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. www.accenture.com
list Kris Springer
Thanks for the reply Zak. After my brain chewed on the problem for a day I woke up at 2am and was able to figure it out. I did some Googling regarding Apache and CGI scripts and all I needed to do was to edit the default cgi-bin path in one of apache's conf files and restart Apache. /etc/apache2/conf-enabled/serve-cgi-bin.conf defines /usr/lib/cgi-bin/ which is an empty directory on my server. I pointed it to my /xymon/cgi-bin/ directory where the scripts live and everything suddenly worked. I'm writing up my own how-to now. This feature is great for sending remote system data over 443. I'll be using it a lot moving forward. Thanks for the PSclient! Kris Springer
▸
On 11/8/18 2:25 AM, Beck, Zak wrote:Hi Kris Yes, I have it working. As you say, the URL needs to include the full path to xymoncgimsg.cgi. All xymoncgimsg.cgi does as far as I can tell is relay the message(s) received over HTTPS via TCP to localhost port 1984 (which is what the man page says as well). So you need that listening (which by default it will be). I don’t recall making any other config changes to make this work (aside from Apache etc to sort out the authentication). I suspect the time out is waiting for the response – when you submit data to Xymon, you normally get the client local config back from the server. This comes back via the HTTPS response. There is a timeout setting – sorry I forgot to document it in the table in the Word doc – serverHttpTimeoutMs – which defaults to 100000 milliseconds – i.e. 100 seconds. This is the time it waits for the response from the server. 100 seconds is pretty generous unless you’re traversing particularly slow VPNs or saturated connections. You can override this in the xymonclient_config.xml file. I’m assuming you’re getting this message: " Connecting to $($url), body length $($body.Length), timeout $($script:XymonSettings.serverHttpTimeoutMs)ms" And then this one (with a timeout exception): " Exception connecting to $($url):`n$($_)" And not either of these: " FAILED, HTTP response code: $($response.StatusCode) ($statusCode)" or " Received $($output.Length) bytes from server" Zak
*From:*Xymon <xymon-bounces at xymon.com> *On Behalf Of *user-c2caa0a7a8d5@xymon.invalid
▸
*Sent:* Thursday, 8 November 2018 08:51 *To:* Xymon MailingList <xymon at xymon.com> *Subject:* [External] Re: [Xymon] PSclient sending from intranet Anyone have xymoncgimsg.cgi functioning on their server and successfully receiving PSclient data over HTTPS? The documentation for this is vague and doesn't specify how to make it work. Any specifics would be greatly appreciated. Thanks, Kris Springer -----Original Message----- From: Timothy Williams <user-1a5482fb085e@xymon.invalid <mailto:user-1a5482fb085e@xymon.invalid>> To: user-c2caa0a7a8d5@xymon.invalid <mailto:user-c2caa0a7a8d5@xymon.invalid> Cc: xymon at xymon.com <mailto:xymon at xymon.com> Sent: Tue, 06 Nov 2018 2:22 PM Subject: Re: [Xymon] PSclient sending from intranet Alas, I am unable to help further, as my InfoSec allows port 1984, and not 80 or 443 to Xymon, so I don't have http running. Tim On Tue, Nov 6, 2018 at 3:29 PM Kris Springer <user-c2caa0a7a8d5@xymon.invalid <mailto:user-c2caa0a7a8d5@xymon.invalid>> wrote: I've configured one of my PSclients to test this HTTPS functionality, and it indeed does try to send data over port 443. But the client logs say that my Xymon server is timing out. Is there a specific server url path that I need to be using? The documentation doesn't give any example. Kris Springer On 11/6/18 7:54 AM, Timothy Williams wrote: The Powershell client can connect to the Xymon server using TCP port 1984 as default, but can also connect using HTTP or HTTPS with/without user/password. You likely have port 80 or 443 open. Here are Word doc details: HTTP is an alternate method. It can be used if you have xymoncgimsg.cgi running on the web server on your Xymon server – see https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.xymon.com_help_manpages_man8_xymoncgimsg.cgi.8.html&d=DwMGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=-OwMT0n637myRsiGrh2Ey_FyOjBckX9cnzeXB9ID_dw&s=nwg-TdqZw8dbasxkybIMrt8HKpuV-U4Z2HpC5Rbr1BM&e=>;.
▸
The web server running the CGI can be configured for SSL (i.e. HTTPS) and / or authentication – XymonPSClient supports basic authentication and SSL. If you require authentication, the <serverHttpUsername> and <serverHttpPassword> elements should be configured. If you are using HTTP and transmitting over unsecure networks (e.g. the internet), it is strongly recommended to enable SSL, authentication and disallow HTTP connections. ServerHttpPassword encryption If <serverHttpPassword> is set, the Xymon client will encrypt the password if it is not encrypted and remove the plain text password from the configuration file, overwriting with the encrypted password. The Xymon client will prefix the encrypted password with ‘{SecureString}’, so it is easy to tell if the client has attempted to encrypt the password or not. This is done using the .NET SecureString functions, which means that the encryption is unique to the server and user. This means that once the password has been encrypted, you cannot use the same xymonclient_config.xml on another server. It also means that if you have been testing by running XymonPSClient from a command prompt, and this encrypts the password, when you run XymonPSClient as a service it will not be able to decrypt the password unless the service is running as the same user. In both scenarios, replacing the encrypted password with the plain text password and re-starting Xymon will cause the password to be re-encypted. Tim Williams On Tue, Nov 6, 2018 at 9:37 AM Rolf Schrittenlocher <user-4b3b4051a09b@xymon.invalid <mailto:user-4b3b4051a09b@xymon.invalid>> wrote: any possibility to send something from intranet to the world outside? creating webpage, send by sftp or scp? This could be done by cron and xymon could analyze this data then.Anyone have an idea about how to collect client server stats using the Powershell client on machines that are on an intranet that blocks port 1984, and send it out to our external xymon server located in a different part of the country? The intranet network doesn't want to open any additional ports to allow the traffic out.-- Mit freundlichen Grüßen Rolf Schrittenlocher Lokales Bibliothekssystem Frankfurt Bockenheimer Landstr. 134-138, 60325 Frankfurt Tel LBS: (49) 69 - 798 28830 Tel persönlich: (49) 69 - 798 28908 LBS: user-7d592aff76ba@xymon.invalid <mailto:user-7d592aff76ba@xymon.invalid> Persönlich: user-4b3b4051a09b@xymon.invalid
<https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xymon.com_mailman_listinfo_xymon&d=DwMGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=-OwMT0n637myRsiGrh2Ey_FyOjBckX9cnzeXB9ID_dw&s=F_2sRqz669yemQ4GbrwkTlh6D0HtrNX1wqu7RvAN1WE&e=>;
▸
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. www.accenture.com
list Kris Springer
I may have spoken too soon. It's indeed working on box1, but when I edited the xymonclient_config.xml on box2 and re-entered the password so box2 would re-encrypt it for it's connection to the server, it's timing out. Does each client need it's own individual user/pass? That seems unnecessary. I just tried different credentials and it still timed out. The difference between box1 and box2 is the OS. They're on the same network and can both reach the server via https so I don't think it's a networking issue. box1 = Windows 10 Pro box2 = Windows Server 2008 R2 Enterprise Apache logs show nothing unusual. I've looked at all the logs I can find on the server but I'm not seeing anything that would tip me off as to the issue. Ideas?
▸
Kris Springer
On 11/8/18 2:25 AM, Beck, Zak wrote:Hi Kris Yes, I have it working. As you say, the URL needs to include the full path to xymoncgimsg.cgi. All xymoncgimsg.cgi does as far as I can tell is relay the message(s) received over HTTPS via TCP to localhost port 1984 (which is what the man page says as well). So you need that listening (which by default it will be). I don’t recall making any other config changes to make this work (aside from Apache etc to sort out the authentication). I suspect the time out is waiting for the response – when you submit data to Xymon, you normally get the client local config back from the server. This comes back via the HTTPS response. There is a timeout setting – sorry I forgot to document it in the table in the Word doc – serverHttpTimeoutMs – which defaults to 100000 milliseconds – i.e. 100 seconds. This is the time it waits for the response from the server. 100 seconds is pretty generous unless you’re traversing particularly slow VPNs or saturated connections. You can override this in the xymonclient_config.xml file. I’m assuming you’re getting this message: " Connecting to $($url), body length $($body.Length), timeout $($script:XymonSettings.serverHttpTimeoutMs)ms" And then this one (with a timeout exception): " Exception connecting to $($url):`n$($_)" And not either of these: " FAILED, HTTP response code: $($response.StatusCode) ($statusCode)" or " Received $($output.Length) bytes from server" Zak *From:*Xymon <xymon-bounces at xymon.com> *On Behalf Of *user-c2caa0a7a8d5@xymon.invalid *Sent:* Thursday, 8 November 2018 08:51 *To:* Xymon MailingList <xymon at xymon.com> *Subject:* [External] Re: [Xymon] PSclient sending from intranet Anyone have xymoncgimsg.cgi functioning on their server and successfully receiving PSclient data over HTTPS? The documentation for this is vague and doesn't specify how to make it work. Any specifics would be greatly appreciated. Thanks, Kris Springer -----Original Message----- From: Timothy Williams <user-1a5482fb085e@xymon.invalid <mailto:user-1a5482fb085e@xymon.invalid>> To: user-c2caa0a7a8d5@xymon.invalid <mailto:user-c2caa0a7a8d5@xymon.invalid> Cc: xymon at xymon.com <mailto:xymon at xymon.com> Sent: Tue, 06 Nov 2018 2:22 PM Subject: Re: [Xymon] PSclient sending from intranet Alas, I am unable to help further, as my InfoSec allows port 1984, and not 80 or 443 to Xymon, so I don't have http running. Tim On Tue, Nov 6, 2018 at 3:29 PM Kris Springer <user-c2caa0a7a8d5@xymon.invalid <mailto:user-c2caa0a7a8d5@xymon.invalid>> wrote: I've configured one of my PSclients to test this HTTPS functionality, and it indeed does try to send data over port 443. But the client logs say that my Xymon server is timing out. Is there a specific server url path that I need to be using? The documentation doesn't give any example. Kris Springer On 11/6/18 7:54 AM, Timothy Williams wrote: The Powershell client can connect to the Xymon server using TCP port 1984 as default, but can also connect using HTTP or HTTPS with/without user/password. You likely have port 80 or 443 open. Here are Word doc details: HTTP is an alternate method. It can be used if you have xymoncgimsg.cgi running on the web server on your Xymon server – see https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.xymon.com_help_manpages_man8_xymoncgimsg.cgi.8.html&d=DwMGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=-OwMT0n637myRsiGrh2Ey_FyOjBckX9cnzeXB9ID_dw&s=nwg-TdqZw8dbasxkybIMrt8HKpuV-U4Z2HpC5Rbr1BM&e=>;. The web server running the CGI can be configured for SSL (i.e. HTTPS) and / or authentication – XymonPSClient supports basic authentication and SSL. If you require authentication, the <serverHttpUsername> and <serverHttpPassword> elements should be configured. If you are using HTTP and transmitting over unsecure networks (e.g. the internet), it is strongly recommended to enable SSL, authentication and disallow HTTP connections. ServerHttpPassword encryption If <serverHttpPassword> is set, the Xymon client will encrypt the password if it is not encrypted and remove the plain text password from the configuration file, overwriting with the encrypted password. The Xymon client will prefix the encrypted password with ‘{SecureString}’, so it is easy to tell if the client has attempted to encrypt the password or not. This is done using the .NET SecureString functions, which means that the encryption is unique to the server and user. This means that once the password has been encrypted, you cannot use the same xymonclient_config.xml on another server. It also means that if you have been testing by running XymonPSClient from a command prompt, and this encrypts the password, when you run XymonPSClient as a service it will not be able to decrypt the password unless the service is running as the same user. In both scenarios, replacing the encrypted password with the plain text password and re-starting Xymon will cause the password to be re-encypted. Tim Williams On Tue, Nov 6, 2018 at 9:37 AM Rolf Schrittenlocher <user-4b3b4051a09b@xymon.invalid <mailto:user-4b3b4051a09b@xymon.invalid>> wrote: any possibility to send something from intranet to the world outside? creating webpage, send by sftp or scp? This could be done by cron and xymon could analyze this data then.Anyone have an idea about how to collect client server stats using the Powershell client on machines that are on an intranet that blocks port 1984, and send it out to our external xymon server located in a different part of the country? The intranet network doesn't want to open any additional ports to allow the traffic out.-- Mit freundlichen Grüßen Rolf Schrittenlocher Lokales Bibliothekssystem Frankfurt Bockenheimer Landstr. 134-138, 60325 Frankfurt Tel LBS: (49) 69 - 798 28830 Tel persönlich: (49) 69 - 798 28908 LBS: user-7d592aff76ba@xymon.invalid <mailto:user-7d592aff76ba@xymon.invalid> Persönlich: user-4b3b4051a09b@xymon.invalid <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xymon.com_mailman_listinfo_xymon&d=DwMGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=-OwMT0n637myRsiGrh2Ey_FyOjBckX9cnzeXB9ID_dw&s=F_2sRqz669yemQ4GbrwkTlh6D0HtrNX1wqu7RvAN1WE&e=>; This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. www.accenture.com
list Timothy Williams
The red flag that popped out at me was the 2008 R2. Have you checked the ciphers and protocols? Try port 80 HTTP and see if it works. On Thu, Nov 8, 2018 at 12:13 PM Kris Springer <user-c2caa0a7a8d5@xymon.invalid>
▸
wrote:
I may have spoken too soon. It's indeed working on box1, but when I edited the xymonclient_config.xml on box2 and re-entered the password so box2 would re-encrypt it for it's connection to the server, it's timing out. Does each client need it's own individual user/pass? That seems unnecessary. I just tried different credentials and it still timed out. The difference between box1 and box2 is the OS. They're on the same network and can both reach the server via https so I don't think it's a networking issue. box1 = Windows 10 Pro box2 = Windows Server 2008 R2 Enterprise Apache logs show nothing unusual. I've looked at all the logs I can find on the server but I'm not seeing anything that would tip me off as to the issue. Ideas? Kris Springer On 11/8/18 2:25 AM, Beck, Zak wrote: Hi Kris Yes, I have it working. As you say, the URL needs to include the full path to xymoncgimsg.cgi. All xymoncgimsg.cgi does as far as I can tell is relay the message(s) received over HTTPS via TCP to localhost port 1984 (which is what the man page says as well). So you need that listening (which by default it will be). I don’t recall making any other config changes to make this work (aside from Apache etc to sort out the authentication). I suspect the time out is waiting for the response – when you submit data to Xymon, you normally get the client local config back from the server. This comes back via the HTTPS response. There is a timeout setting – sorry I forgot to document it in the table in the Word doc – serverHttpTimeoutMs – which defaults to 100000 milliseconds – i.e. 100 seconds. This is the time it waits for the response from the server. 100 seconds is pretty generous unless you’re traversing particularly slow VPNs or saturated connections. You can override this in the xymonclient_config.xml file. I’m assuming you’re getting this message: " Connecting to $($url), body length $($body.Length), timeout $($script:XymonSettings.serverHttpTimeoutMs)ms" And then this one (with a timeout exception): " Exception connecting to $($url):`n$($_)" And not either of these: " FAILED, HTTP response code: $($response.StatusCode) ($statusCode)" or " Received $($output.Length) bytes from server" Zak *From:* Xymon <xymon-bounces at xymon.com> <xymon-bounces at xymon.com> *On Behalf Of *user-c2caa0a7a8d5@xymon.invalid *Sent:* Thursday, 8 November 2018 08:51 *To:* Xymon MailingList <xymon at xymon.com> <xymon at xymon.com> *Subject:* [External] Re: [Xymon] PSclient sending from intranet Anyone have xymoncgimsg.cgi functioning on their server and successfully receiving PSclient data over HTTPS? The documentation for this is vague and doesn't specify how to make it work. Any specifics would be greatly appreciated. Thanks, Kris Springer -----Original Message----- From: Timothy Williams <user-1a5482fb085e@xymon.invalid> To: user-c2caa0a7a8d5@xymon.invalid Cc: xymon at xymon.com Sent: Tue, 06 Nov 2018 2:22 PM Subject: Re: [Xymon] PSclient sending from intranet Alas, I am unable to help further, as my InfoSec allows port 1984, and not 80 or 443 to Xymon, so I don't have http running. Tim On Tue, Nov 6, 2018 at 3:29 PM Kris Springer <user-c2caa0a7a8d5@xymon.invalid> wrote: I've configured one of my PSclients to test this HTTPS functionality, and it indeed does try to send data over port 443. But the client logs say that my Xymon server is timing out. Is there a specific server url path that I need to be using? The documentation doesn't give any example. Kris Springer On 11/6/18 7:54 AM, Timothy Williams wrote: The Powershell client can connect to the Xymon server using TCP port 1984 as default, but can also connect using HTTP or HTTPS with/without user/password. You likely have port 80 or 443 open. Here are Word doc details: HTTP is an alternate method. It can be used if you have xymoncgimsg.cgi running on the web server on your Xymon server – see https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.xymon.com_help_manpages_man8_xymoncgimsg.cgi.8.html&d=DwMGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=-OwMT0n637myRsiGrh2Ey_FyOjBckX9cnzeXB9ID_dw&s=nwg-TdqZw8dbasxkybIMrt8HKpuV-U4Z2HpC5Rbr1BM&e=>;. The web server running the CGI can be configured for SSL (i.e. HTTPS) and / or authentication – XymonPSClient supports basic authentication and SSL. If you require authentication, the <serverHttpUsername> and <serverHttpPassword> elements should be configured. If you are using HTTP and transmitting over unsecure networks (e.g. the internet), it is strongly recommended to enable SSL, authentication and disallow HTTP connections. ServerHttpPassword encryption If <serverHttpPassword> is set, the Xymon client will encrypt the password if it is not encrypted and remove the plain text password from the configuration file, overwriting with the encrypted password. The Xymon client will prefix the encrypted password with ‘{SecureString}’, so it is easy to tell if the client has attempted to encrypt the password or not. This is done using the .NET SecureString functions, which means that the encryption is unique to the server and user. This means that once the password has been encrypted, you cannot use the same xymonclient_config.xml on another server. It also means that if you have been testing by running XymonPSClient from a command prompt, and this encrypts the password, when you run XymonPSClient as a service it will not be able to decrypt the password unless the service is running as the same user. In both scenarios, replacing the encrypted password with the plain text password and re-starting Xymon will cause the password to be re-encypted. Tim Williams On Tue, Nov 6, 2018 at 9:37 AM Rolf Schrittenlocher < user-4b3b4051a09b@xymon.invalid> wrote: any possibility to send something from intranet to the world outside? creating webpage, send by sftp or scp? This could be done by cron and xymon could analyze this data then.Anyone have an idea about how to collect client server stats using the Powershell client on machines that are on an intranet that blocks port 1984, and send it out to our external xymon server located in a different part of the country? The intranet network doesn't want to open any additional ports to allow the traffic out.-- Mit freundlichen Grüßen Rolf Schrittenlocher Lokales Bibliothekssystem Frankfurt Bockenheimer Landstr. 134-138, 60325 Frankfurt Tel LBS: (49) 69 - 798 28830 Tel persönlich: (49) 69 - 798 28908 LBS: user-7d592aff76ba@xymon.invalid Persönlich: user-4b3b4051a09b@xymon.invalid <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xymon.com_mailman_listinfo_xymon&d=DwMGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=-OwMT0n637myRsiGrh2Ey_FyOjBckX9cnzeXB9ID_dw&s=F_2sRqz669yemQ4GbrwkTlh6D0HtrNX1wqu7RvAN1WE&e=>; This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. www.accenture.com
list Kris Springer
It's confirmed working great on Windows Server 2012, but not 2008. Can you point me in a direction to look for a solution to the cipher issues? I'm not going to reduce things to port 80, I want to keep things on 443. Kris Springer
▸
On 11/8/18 10:23 AM, Timothy Williams wrote:The red flag that popped out at me was the 2008 R2. Have you checked the ciphers and protocols? Try port 80 HTTP and see if it works. On Thu, Nov 8, 2018 at 12:13 PM Kris Springer <user-c2caa0a7a8d5@xymon.invalid <mailto:user-c2caa0a7a8d5@xymon.invalid>> wrote: I may have spoken too soon. It's indeed working on box1, but when I edited the xymonclient_config.xml on box2 and re-entered the password so box2 would re-encrypt it for it's connection to the server, it's timing out. Does each client need it's own individual user/pass? That seems unnecessary. I just tried different credentials and it still timed out. The difference between box1 and box2 is the OS. They're on the same network and can both reach the server via https so I don't think it's a networking issue. box1 = Windows 10 Pro box2 = Windows Server 2008 R2 Enterprise Apache logs show nothing unusual. I've looked at all the logs I can find on the server but I'm not seeing anything that would tip me off as to the issue. Ideas? Kris Springer On 11/8/18 2:25 AM, Beck, Zak wrote:Hi Kris Yes, I have it working. As you say, the URL needs to include the full path to xymoncgimsg.cgi. All xymoncgimsg.cgi does as far as I can tell is relay the message(s) received over HTTPS via TCP to localhost port 1984 (which is what the man page says as well). So you need that listening (which by default it will be). I don’t recall making any other config changes to make this work (aside from Apache etc to sort out the authentication). I suspect the time out is waiting for the response – when you submit data to Xymon, you normally get the client local config back from the server. This comes back via the HTTPS response. There is a timeout setting – sorry I forgot to document it in the table in the Word doc – serverHttpTimeoutMs – which defaults to 100000 milliseconds – i.e. 100 seconds. This is the time it waits for the response from the server. 100 seconds is pretty generous unless you’re traversing particularly slow VPNs or saturated connections. You can override this in the xymonclient_config.xml file. I’m assuming you’re getting this message: " Connecting to $($url), body length $($body.Length), timeout $($script:XymonSettings.serverHttpTimeoutMs)ms" And then this one (with a timeout exception): " Exception connecting to $($url):`n$($_)" And not either of these: " FAILED, HTTP response code: $($response.StatusCode) ($statusCode)" or " Received $($output.Length) bytes from server" Zak *From:*Xymon <xymon-bounces at xymon.com>
<mailto:xymon-bounces at xymon.com> *On Behalf Of *user-c2caa0a7a8d5@xymon.invalid <mailto:user-c2caa0a7a8d5@xymon.invalid>
▸
*Sent:* Thursday, 8 November 2018 08:51 *To:* Xymon MailingList <xymon at xymon.com> <mailto:xymon at xymon.com> *Subject:* [External] Re: [Xymon] PSclient sending from intranet Anyone have xymoncgimsg.cgi functioning on their server and successfully receiving PSclient data over HTTPS? The documentation for this is vague and doesn't specify how to make it work. Any specifics would be greatly appreciated. Thanks, Kris Springer -----Original Message----- From: Timothy Williams <user-1a5482fb085e@xymon.invalid To: user-c2caa0a7a8d5@xymon.invalid <mailto:user-c2caa0a7a8d5@xymon.invalid> Cc: xymon at xymon.com <mailto:xymon at xymon.com> Sent: Tue, 06 Nov 2018 2:22 PM Subject: Re: [Xymon] PSclient sending from intranet Alas, I am unable to help further, as my InfoSec allows port 1984, and not 80 or 443 to Xymon, so I don't have http running. Tim On Tue, Nov 6, 2018 at 3:29 PM Kris Springer <user-c2caa0a7a8d5@xymon.invalid <mailto:user-c2caa0a7a8d5@xymon.invalid>> wrote: I've configured one of my PSclients to test this HTTPS functionality, and it indeed does try to send data over port 443. But the client logs say that my Xymon server is timing out. Is there a specific server url path that I need to be using? The documentation doesn't give any example. Kris Springer On 11/6/18 7:54 AM, Timothy Williams wrote: The Powershell client can connect to the Xymon server using TCP port 1984 as default, but can also connect using HTTP or HTTPS with/without user/password. You likely have port 80 or 443 open. Here are Word doc details: HTTP is an alternate method. It can be used if you have xymoncgimsg.cgi running on the web server on your Xymon server – see https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.xymon.com_help_manpages_man8_xymoncgimsg.cgi.8.html&d=DwMGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=-OwMT0n637myRsiGrh2Ey_FyOjBckX9cnzeXB9ID_dw&s=nwg-TdqZw8dbasxkybIMrt8HKpuV-U4Z2HpC5Rbr1BM&e=>;. The web server running the CGI can be configured for SSL (i.e. HTTPS) and / or authentication – XymonPSClient supports basic authentication and SSL. If you require authentication, the <serverHttpUsername> and <serverHttpPassword> elements should be configured. If you are using HTTP and transmitting over unsecure networks (e.g. the internet), it is strongly recommended to enable SSL, authentication and disallow HTTP connections. ServerHttpPassword encryption If <serverHttpPassword> is set, the Xymon client will encrypt the password if it is not encrypted and remove the plain text password from the configuration file, overwriting with the encrypted password. The Xymon client will prefix the encrypted password with ‘{SecureString}’, so it is easy to tell if the client has attempted to encrypt the password or not. This is done using the .NET SecureString functions, which means that the encryption is unique to the server and user. This means that once the password has been encrypted, you cannot use the same xymonclient_config.xml on another server. It also means that if you have been testing by running XymonPSClient from a command prompt, and this encrypts the password, when you run XymonPSClient as a service it will not be able to decrypt the password unless the service is running as the same user. In both scenarios, replacing the encrypted password with the plain text password and re-starting Xymon will cause the password to be re-encypted. Tim Williams On Tue, Nov 6, 2018 at 9:37 AM Rolf Schrittenlocher <user-4b3b4051a09b@xymon.invalid <mailto:user-4b3b4051a09b@xymon.invalid>> wrote: any possibility to send something from intranet to the world outside? creating webpage, send by sftp or scp? This could be done by cron and xymon could analyze this data then.Anyone have an idea about how to collect client server stats using the Powershell client on machines that are on an intranet that blocks port 1984, and send it out to our external xymon server located in a different part of the country? The intranet network doesn't want to open any additional ports to allow the traffic out.-- Mit freundlichen Grüßen Rolf Schrittenlocher Lokales Bibliothekssystem Frankfurt Bockenheimer Landstr. 134-138, 60325 Frankfurt Tel LBS: (49) 69 - 798 28830 Tel persönlich: (49) 69 - 798 28908 LBS: user-7d592aff76ba@xymon.invalid Persönlich: user-4b3b4051a09b@xymon.invalid <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xymon.com_mailman_listinfo_xymon&d=DwMGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=-OwMT0n637myRsiGrh2Ey_FyOjBckX9cnzeXB9ID_dw&s=F_2sRqz669yemQ4GbrwkTlh6D0HtrNX1wqu7RvAN1WE&e=>; This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy.
www.accenture.com <http://www.accenture.com>;
list Timothy Williams
https://support.microsoft.com/en-us/help/4019276/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows has instructions to make sure TLS is enabled in Windows. You may have to check Apache settings to see what ciphers and/or protocols are enabled on that end. *Timothy L. Williams* *Operating Systems Analyst* Virginia Commonwealth University Computer Center XXX East Main St. STE XXXX Richmond VA XXXXX *XXX-XXX-XXXX <(804)%20828-0556>* On Thu, Nov 8, 2018 at 12:54 PM Kris Springer <user-c2caa0a7a8d5@xymon.invalid>
▸
wrote:
It's confirmed working great on Windows Server 2012, but not 2008. Can you point me in a direction to look for a solution to the cipher issues? I'm not going to reduce things to port 80, I want to keep things on 443. Kris Springer On 11/8/18 10:23 AM, Timothy Williams wrote: The red flag that popped out at me was the 2008 R2. Have you checked the ciphers and protocols? Try port 80 HTTP and see if it works. On Thu, Nov 8, 2018 at 12:13 PM Kris Springer <user-c2caa0a7a8d5@xymon.invalid> wrote:I may have spoken too soon. It's indeed working on box1, but when I edited the xymonclient_config.xml on box2 and re-entered the password so box2 would re-encrypt it for it's connection to the server, it's timing out. Does each client need it's own individual user/pass? That seems unnecessary. I just tried different credentials and it still timed out. The difference between box1 and box2 is the OS. They're on the same network and can both reach the server via https so I don't think it's a networking issue. box1 = Windows 10 Pro box2 = Windows Server 2008 R2 Enterprise Apache logs show nothing unusual. I've looked at all the logs I can find on the server but I'm not seeing anything that would tip me off as to the issue. Ideas? Kris Springer On 11/8/18 2:25 AM, Beck, Zak wrote: Hi Kris Yes, I have it working. As you say, the URL needs to include the full path to xymoncgimsg.cgi. All xymoncgimsg.cgi does as far as I can tell is relay the message(s) received over HTTPS via TCP to localhost port 1984 (which is what the man page says as well). So you need that listening (which by default it will be). I don’t recall making any other config changes to make this work (aside from Apache etc to sort out the authentication). I suspect the time out is waiting for the response – when you submit data to Xymon, you normally get the client local config back from the server. This comes back via the HTTPS response. There is a timeout setting – sorry I forgot to document it in the table in the Word doc – serverHttpTimeoutMs – which defaults to 100000 milliseconds – i.e. 100 seconds. This is the time it waits for the response from the server. 100 seconds is pretty generous unless you’re traversing particularly slow VPNs or saturated connections. You can override this in the xymonclient_config.xml file. I’m assuming you’re getting this message: " Connecting to $($url), body length $($body.Length), timeout $($script:XymonSettings.serverHttpTimeoutMs)ms" And then this one (with a timeout exception): " Exception connecting to $($url):`n$($_)" And not either of these: " FAILED, HTTP response code: $($response.StatusCode) ($statusCode)" or " Received $($output.Length) bytes from server" Zak *From:* Xymon <xymon-bounces at xymon.com> <xymon-bounces at xymon.com> *On Behalf Of *user-c2caa0a7a8d5@xymon.invalid *Sent:* Thursday, 8 November 2018 08:51 *To:* Xymon MailingList <xymon at xymon.com> <xymon at xymon.com> *Subject:* [External] Re: [Xymon] PSclient sending from intranet Anyone have xymoncgimsg.cgi functioning on their server and successfully receiving PSclient data over HTTPS? The documentation for this is vague and doesn't specify how to make it work. Any specifics would be greatly appreciated. Thanks, Kris Springer -----Original Message----- From: Timothy Williams <user-1a5482fb085e@xymon.invalid> To: user-c2caa0a7a8d5@xymon.invalid Cc: xymon at xymon.com Sent: Tue, 06 Nov 2018 2:22 PM Subject: Re: [Xymon] PSclient sending from intranet Alas, I am unable to help further, as my InfoSec allows port 1984, and not 80 or 443 to Xymon, so I don't have http running. Tim On Tue, Nov 6, 2018 at 3:29 PM Kris Springer <user-c2caa0a7a8d5@xymon.invalid> wrote: I've configured one of my PSclients to test this HTTPS functionality, and it indeed does try to send data over port 443. But the client logs say that my Xymon server is timing out. Is there a specific server url path that I need to be using? The documentation doesn't give any example. Kris Springer On 11/6/18 7:54 AM, Timothy Williams wrote: The Powershell client can connect to the Xymon server using TCP port 1984 as default, but can also connect using HTTP or HTTPS with/without user/password. You likely have port 80 or 443 open. Here are Word doc details: HTTP is an alternate method. It can be used if you have xymoncgimsg.cgi running on the web server on your Xymon server – see https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.xymon.com_help_manpages_man8_xymoncgimsg.cgi.8.html&d=DwMGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=-OwMT0n637myRsiGrh2Ey_FyOjBckX9cnzeXB9ID_dw&s=nwg-TdqZw8dbasxkybIMrt8HKpuV-U4Z2HpC5Rbr1BM&e=>;. The web server running the CGI can be configured for SSL (i.e. HTTPS) and / or authentication – XymonPSClient supports basic authentication and SSL. If you require authentication, the <serverHttpUsername> and <serverHttpPassword> elements should be configured. If you are using HTTP and transmitting over unsecure networks (e.g. the internet), it is strongly recommended to enable SSL, authentication and disallow HTTP connections. ServerHttpPassword encryption If <serverHttpPassword> is set, the Xymon client will encrypt the password if it is not encrypted and remove the plain text password from the configuration file, overwriting with the encrypted password. The Xymon client will prefix the encrypted password with ‘{SecureString}’, so it is easy to tell if the client has attempted to encrypt the password or not. This is done using the .NET SecureString functions, which means that the encryption is unique to the server and user. This means that once the password has been encrypted, you cannot use the same xymonclient_config.xml on another server. It also means that if you have been testing by running XymonPSClient from a command prompt, and this encrypts the password, when you run XymonPSClient as a service it will not be able to decrypt the password unless the service is running as the same user. In both scenarios, replacing the encrypted password with the plain text password and re-starting Xymon will cause the password to be re-encypted. Tim Williams On Tue, Nov 6, 2018 at 9:37 AM Rolf Schrittenlocher < user-4b3b4051a09b@xymon.invalid> wrote: any possibility to send something from intranet to the world outside? creating webpage, send by sftp or scp? This could be done by cron and xymon could analyze this data then.Anyone have an idea about how to collect client server stats using the Powershell client on machines that are on an intranet that blocks port 1984, and send it out to our external xymon server located in a different part of the country? The intranet network doesn't want to open any additional ports to allow the traffic out.-- Mit freundlichen Grüßen Rolf Schrittenlocher Lokales Bibliothekssystem Frankfurt Bockenheimer Landstr. 134-138, 60325 Frankfurt Tel LBS: (49) 69 - 798 28830 Tel persönlich: (49) 69 - 798 28908 LBS: user-7d592aff76ba@xymon.invalid Persönlich: user-4b3b4051a09b@xymon.invalid <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xymon.com_mailman_listinfo_xymon&d=DwMGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=-OwMT0n637myRsiGrh2Ey_FyOjBckX9cnzeXB9ID_dw&s=F_2sRqz669yemQ4GbrwkTlh6D0HtrNX1wqu7RvAN1WE&e=>; This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. www.accenture.com
list Kris Springer
Thanks for the info. I check the cipher/protocols on the 2008 box and they're all the defaults. I've enabled the latest that match what my Xymon server is configured with and now I'm just waiting until after hours to reboot my box and hope it connects. Here's what I use. https://www.nartac.com/Products/IISCrypto/ Kris Springer
▸
On 11/8/18 11:20 AM, Timothy Williams wrote:https://support.microsoft.com/en-us/help/4019276/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows has instructions to make sure TLS is enabled in Windows. You may have to check Apache settings to see what ciphers and/or protocols are enabled on that end. */Timothy L. Williams/* *Operating Systems Analyst* Virginia Commonwealth University Computer Center XXX East Main St. STE XXXX Richmond VA XXXXX
*XXX-XXX-XXXX <tel:(804)%20828-0556>*
▸
• * On Thu, Nov 8, 2018 at 12:54 PM Kris Springer <user-c2caa0a7a8d5@xymon.invalid <mailto:user-c2caa0a7a8d5@xymon.invalid>> wrote: It's confirmed working great on Windows Server 2012, but not 2008. Can you point me in a direction to look for a solution to the cipher issues? I'm not going to reduce things to port 80, I want to keep things on 443. Kris Springer On 11/8/18 10:23 AM, Timothy Williams wrote:The red flag that popped out at me was the 2008 R2. Have you checked the ciphers and protocols? Try port 80 HTTP and see if it works. On Thu, Nov 8, 2018 at 12:13 PM Kris Springer <user-c2caa0a7a8d5@xymon.invalid <mailto:user-c2caa0a7a8d5@xymon.invalid>> wrote: I may have spoken too soon. It's indeed working on box1, but when I edited the xymonclient_config.xml on box2 and re-entered the password so box2 would re-encrypt it for it's connection to the server, it's timing out. Does each client need it's own individual user/pass? That seems unnecessary. I just tried different credentials and it still timed out. The difference between box1 and box2 is the OS. They're on the same network and can both reach the server via https so I don't think it's a networking issue. box1 = Windows 10 Pro box2 = Windows Server 2008 R2 Enterprise Apache logs show nothing unusual. I've looked at all the logs I can find on the server but I'm not seeing anything that would tip me off as to the issue. Ideas? Kris Springer On 11/8/18 2:25 AM, Beck, Zak wrote:Hi Kris Yes, I have it working. As you say, the URL needs to include the full path to xymoncgimsg.cgi. All xymoncgimsg.cgi does as far as I can tell is relay the message(s) received over HTTPS via TCP to localhost port 1984 (which is what the man page says as well). So you need that listening (which by default it will be). I don’t recall making any other config changes to make this work (aside from Apache etc to sort out the authentication). I suspect the time out is waiting for the response – when you submit data to Xymon, you normally get the client local config back from the server. This comes back via the HTTPS response. There is a timeout setting – sorry I forgot to document it in the table in the Word doc – serverHttpTimeoutMs – which defaults to 100000 milliseconds – i.e. 100 seconds. This is the time it waits for the response from the server. 100 seconds is pretty generous unless you’re traversing particularly slow VPNs or saturated connections. You can override this in the xymonclient_config.xml file. I’m assuming you’re getting this message: " Connecting to $($url), body length $($body.Length), timeout $($script:XymonSettings.serverHttpTimeoutMs)ms" And then this one (with a timeout exception): " Exception connecting to $($url):`n$($_)" And not either of these: " FAILED, HTTP response code: $($response.StatusCode) ($statusCode)" or " Received $($output.Length) bytes from server" Zak *From:*Xymon <xymon-bounces at xymon.com> <mailto:xymon-bounces at xymon.com> *On Behalf Of *user-c2caa0a7a8d5@xymon.invalid <mailto:user-c2caa0a7a8d5@xymon.invalid> *Sent:* Thursday, 8 November 2018 08:51 *To:* Xymon MailingList <xymon at xymon.com> <mailto:xymon at xymon.com> *Subject:* [External] Re: [Xymon] PSclient sending from intranet Anyone have xymoncgimsg.cgi functioning on their server and successfully receiving PSclient data over HTTPS? The documentation for this is vague and doesn't specify how to make it work. Any specifics would be greatly appreciated. Thanks, Kris Springer -----Original Message----- From: Timothy Williams <user-1a5482fb085e@xymon.invalid To: user-c2caa0a7a8d5@xymon.invalid Cc: xymon at xymon.com <mailto:xymon at xymon.com> Sent: Tue, 06 Nov 2018 2:22 PM Subject: Re: [Xymon] PSclient sending from intranet Alas, I am unable to help further, as my InfoSec allows port 1984, and not 80 or 443 to Xymon, so I don't have http running. Tim On Tue, Nov 6, 2018 at 3:29 PM Kris Springer <user-c2caa0a7a8d5@xymon.invalid <mailto:user-c2caa0a7a8d5@xymon.invalid>> wrote: I've configured one of my PSclients to test this HTTPS functionality, and it indeed does try to send data over port 443. But the client logs say that my Xymon server is timing out. Is there a specific server url path that I need to be using? The documentation doesn't give any example. Kris Springer On 11/6/18 7:54 AM, Timothy Williams wrote: The Powershell client can connect to the Xymon server using TCP port 1984 as default, but can also connect using HTTP or HTTPS with/without user/password. You likely have port 80 or 443 open. Here are Word doc details: HTTP is an alternate method. It can be used if you have xymoncgimsg.cgi running on the web server on your Xymon server – see https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.xymon.com_help_manpages_man8_xymoncgimsg.cgi.8.html&d=DwMGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=-OwMT0n637myRsiGrh2Ey_FyOjBckX9cnzeXB9ID_dw&s=nwg-TdqZw8dbasxkybIMrt8HKpuV-U4Z2HpC5Rbr1BM&e=>;. The web server running the CGI can be configured for SSL (i.e. HTTPS) and / or authentication – XymonPSClient supports basic authentication and SSL. If you require authentication, the <serverHttpUsername> and <serverHttpPassword> elements should be configured. If you are using HTTP and transmitting over unsecure networks (e.g. the internet), it is strongly recommended to enable SSL, authentication and disallow HTTP connections. ServerHttpPassword encryption If <serverHttpPassword> is set, the Xymon client will encrypt the password if it is not encrypted and remove the plain text password from the configuration file, overwriting with the encrypted password. The Xymon client will prefix the encrypted password with ‘{SecureString}’, so it is easy to tell if the client has attempted to encrypt the password or not. This is done using the .NET SecureString functions, which means that the encryption is unique to the server and user. This means that once the password has been encrypted, you cannot use the same xymonclient_config.xml on another server. It also means that if you have been testing by running XymonPSClient from a command prompt, and this encrypts the password, when you run XymonPSClient as a service it will not be able to decrypt the password unless the service is running as the same user. In both scenarios, replacing the encrypted password with the plain text password and re-starting Xymon will cause the password to be re-encypted. Tim Williams On Tue, Nov 6, 2018 at 9:37 AM Rolf Schrittenlocher <user-4b3b4051a09b@xymon.invalid <mailto:user-4b3b4051a09b@xymon.invalid>> wrote: any possibility to send something from intranet to the world outside? creating webpage, send by sftp or scp? This could be done by cron and xymon could analyze this data then.Anyone have an idea about how to collect client server stats using the Powershell client on machines that are on an intranet that blocks port 1984, and send it out to our external xymon server located in a different part of the country? The intranet network doesn't want to open any additional ports to allow the traffic out.-- Mit freundlichen Grüßen Rolf Schrittenlocher Lokales Bibliothekssystem Frankfurt Bockenheimer Landstr. 134-138, 60325 Frankfurt Tel LBS: (49) 69 - 798 28830 Tel persönlich: (49) 69 - 798 28908 LBS: user-7d592aff76ba@xymon.invalid Persönlich: user-4b3b4051a09b@xymon.invalid <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xymon.com_mailman_listinfo_xymon&d=DwMGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=-OwMT0n637myRsiGrh2Ey_FyOjBckX9cnzeXB9ID_dw&s=F_2sRqz669yemQ4GbrwkTlh6D0HtrNX1wqu7RvAN1WE&e=>; This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. www.accenture.com <http://www.accenture.com>;
list Zak Beck
Hi Just to confirm, you can use the same username / password across multiple servers and I see you are using the correct process of re-editing the config file for different servers. As mentioned by Timothy, on the Win 2008 server, you need to make sure the client SCHANNEL settings are correct (not the server ones) – they should be under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols. Pretty sure your Apache TLS settings will be OK as the other server is working. Good luck 🙂 Zak
▸
From: Kris Springer <user-c2caa0a7a8d5@xymon.invalid>
Sent: Thursday, 8 November 2018 19:04
To: Timothy Williams <user-1a5482fb085e@xymon.invalid>
Cc: Beck, Zak <user-aada0fa38bf8@xymon.invalid>; xymon at xymon.com
Subject: [External] Re: [Xymon] PSclient sending from intranet
Thanks for the info. I check the cipher/protocols on the 2008 box and they're all the defaults. I've enabled the latest that match what my Xymon server is configured with and now I'm just waiting until after hours to reboot my box and hope it connects.
Here's what I use.https://www.nartac.com/Products/IISCrypto/<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.nartac.com_Products_IISCrypto_&d=DwMDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=QaSBBimA4bigNeC6yCu8cHEfCFMPMfmXj6YQmrS6I90&s=-mFg-B6jZUolwiwTe89MM6rfF_Buv9fpRvFHHWV1tW8&e=>; Kris Springer On 11/8/18 11:20 AM, Timothy Williams wrote: https://support.microsoft.com/en-us/help/4019276/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows<https://urldefense.proofpoint.com/v2/url?u=https-3A__support.microsoft.com_en-2Dus_help_4019276_update-2Dto-2Dadd-2Dsupport-2Dfor-2Dtls-2D1-2D1-2Dand-2Dtls-2D1-2D2-2Din-2Dwindows&d=DwMDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=QaSBBimA4bigNeC6yCu8cHEfCFMPMfmXj6YQmrS6I90&s=FlKznvR5OpO8x4Ehf9Vc-l82jVuqQrUJS3JbsgexEWo&e=>; has instructions to make sure TLS is enabled in Windows. You may have to check Apache settings to see what ciphers and/or protocols are enabled on that end.
▸
Timothy L. Williams
Operating Systems Analyst
Virginia Commonwealth University Computer Center
XXX East Main St. STE XXXX Richmond VA XXXXX
XXX-XXX-XXXX<tel:(804)%20828-0556>
▸
On Thu, Nov 8, 2018 at 12:54 PM Kris Springer <user-c2caa0a7a8d5@xymon.invalid<mailto:user-c2caa0a7a8d5@xymon.invalid>> wrote: It's confirmed working great on Windows Server 2012, but not 2008. Can you point me in a direction to look for a solution to the cipher issues? I'm not going to reduce things to port 80, I want to keep things on 443. Kris Springer On 11/8/18 10:23 AM, Timothy Williams wrote: The red flag that popped out at me was the 2008 R2. Have you checked the ciphers and protocols? Try port 80 HTTP and see if it works. On Thu, Nov 8, 2018 at 12:13 PM Kris Springer <user-c2caa0a7a8d5@xymon.invalid<mailto:user-c2caa0a7a8d5@xymon.invalid>> wrote: I may have spoken too soon. It's indeed working on box1, but when I edited the xymonclient_config.xml on box2 and re-entered the password so box2 would re-encrypt it for it's connection to the server, it's timing out. Does each client need it's own individual user/pass? That seems unnecessary. I just tried different credentials and it still timed out. The difference between box1 and box2 is the OS. They're on the same network and can both reach the server via https so I don't think it's a networking issue. box1 = Windows 10 Pro box2 = Windows Server 2008 R2 Enterprise Apache logs show nothing unusual. I've looked at all the logs I can find on the server but I'm not seeing anything that would tip me off as to the issue. Ideas? Kris Springer On 11/8/18 2:25 AM, Beck, Zak wrote: Hi Kris Yes, I have it working. As you say, the URL needs to include the full path to xymoncgimsg.cgi. All xymoncgimsg.cgi does as far as I can tell is relay the message(s) received over HTTPS via TCP to localhost port 1984 (which is what the man page says as well). So you need that listening (which by default it will be). I don’t recall making any other config changes to make this work (aside from Apache etc to sort out the authentication). I suspect the time out is waiting for the response – when you submit data to Xymon, you normally get the client local config back from the server. This comes back via the HTTPS response. There is a timeout setting – sorry I forgot to document it in the table in the Word doc – serverHttpTimeoutMs – which defaults to 100000 milliseconds – i.e. 100 seconds. This is the time it waits for the response from the server. 100 seconds is pretty generous unless you’re traversing particularly slow VPNs or saturated connections. You can override this in the xymonclient_config.xml file. I’m assuming you’re getting this message: " Connecting to $($url), body length $($body.Length), timeout $($script:XymonSettings.serverHttpTimeoutMs)ms" And then this one (with a timeout exception): " Exception connecting to $($url):`n$($_)" And not either of these: " FAILED, HTTP response code: $($response.StatusCode) ($statusCode)" or " Received $($output.Length) bytes from server" Zak From: Xymon <xymon-bounces at xymon.com><mailto:xymon-bounces at xymon.com> On Behalf Of user-c2caa0a7a8d5@xymon.invalid<mailto:user-c2caa0a7a8d5@xymon.invalid> Sent: Thursday, 8 November 2018 08:51 To: Xymon MailingList <xymon at xymon.com><mailto:xymon at xymon.com> Subject: [External] Re: [Xymon] PSclient sending from intranet Anyone have xymoncgimsg.cgi functioning on their server and successfully receiving PSclient data over HTTPS? The documentation for this is vague and doesn't specify how to make it work. Any specifics would be greatly appreciated. Thanks, Kris Springer -----Original Message----- From: Timothy Williams <user-1a5482fb085e@xymon.invalid<mailto:user-1a5482fb085e@xymon.invalid>> To: user-c2caa0a7a8d5@xymon.invalid<mailto:user-c2caa0a7a8d5@xymon.invalid> Cc: xymon at xymon.com<mailto:xymon at xymon.com> Sent: Tue, 06 Nov 2018 2:22 PM Subject: Re: [Xymon] PSclient sending from intranet Alas, I am unable to help further, as my InfoSec allows port 1984, and not 80 or 443 to Xymon, so I don't have http running. Tim On Tue, Nov 6, 2018 at 3:29 PM Kris Springer <user-c2caa0a7a8d5@xymon.invalid<mailto:user-c2caa0a7a8d5@xymon.invalid>> wrote: I've configured one of my PSclients to test this HTTPS functionality, and it indeed does try to send data over port 443. But the client logs say that my Xymon server is timing out. Is there a specific server url path that I need to be using? The documentation doesn't give any example. Kris Springer On 11/6/18 7:54 AM, Timothy Williams wrote: The Powershell client can connect to the Xymon server using TCP port 1984 as default, but can also connect using HTTP or HTTPS with/without user/password. You likely have port 80 or 443 open. Here are Word doc details: HTTP is an alternate method. It can be used if you have xymoncgimsg.cgi running on the web server on your Xymon server – see https://www.xymon.com/help/manpages/man8/xymoncgimsg.cgi.8.html<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.xymon.com_help_manpages_man8_xymoncgimsg.cgi.8.html&d=DwMGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=-OwMT0n637myRsiGrh2Ey_FyOjBckX9cnzeXB9ID_dw&s=nwg-TdqZw8dbasxkybIMrt8HKpuV-U4Z2HpC5Rbr1BM&e=>;. The web server running the CGI can be configured for SSL (i.e. HTTPS) and / or authentication – XymonPSClient supports basic authentication and SSL. If you require authentication, the <serverHttpUsername> and <serverHttpPassword> elements should be configured. If you are using HTTP and transmitting over unsecure networks (e.g. the internet), it is strongly recommended to enable SSL, authentication and disallow HTTP connections. ServerHttpPassword encryption If <serverHttpPassword> is set, the Xymon client will encrypt the password if it is not encrypted and remove the plain text password from the configuration file, overwriting with the encrypted password. The Xymon client will prefix the encrypted password with ‘{SecureString}’, so it is easy to tell if the client has attempted to encrypt the password or not. This is done using the .NET SecureString functions, which means that the encryption is unique to the server and user. This means that once the password has been encrypted, you cannot use the same xymonclient_config.xml on another server. It also means that if you have been testing by running XymonPSClient from a command prompt, and this encrypts the password, when you run XymonPSClient as a service it will not be able to decrypt the password unless the service is running as the same user. In both scenarios, replacing the encrypted password with the plain text password and re-starting Xymon will cause the password to be re-encypted. Tim Williams On Tue, Nov 6, 2018 at 9:37 AM Rolf Schrittenlocher <user-4b3b4051a09b@xymon.invalid<mailto:user-4b3b4051a09b@xymon.invalid>> wrote: any possibility to send something from intranet to the world outside? creating webpage, send by sftp or scp? This could be done by cron and xymon could analyze this data then.
Anyone have an idea about how to collect client server stats using the Powershell client on machines that are on an intranet that blocks port 1984, and send it out to our external xymon server located in a different part of the country? The intranet network doesn't want to open any additional ports to allow the traffic out.
-- Mit freundlichen Grüßen Rolf Schrittenlocher Lokales Bibliothekssystem Frankfurt Bockenheimer Landstr. 134-138, 60325 Frankfurt Tel LBS: (49) 69 - 798 28830 Tel persönlich: (49) 69 - 798 28908 LBS: user-7d592aff76ba@xymon.invalid<mailto:user-7d592aff76ba@xymon.invalid> Persönlich: user-4b3b4051a09b@xymon.invalid<mailto:user-4b3b4051a09b@xymon.invalid> Xymon at xymon.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xymon.com_mailman_listinfo_xymon&d=DwMGaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=S-aLwpx-PHBTBMIG_c2JczRC0SfuZCmsiH9Iams25FI&m=-OwMT0n637myRsiGrh2Ey_FyOjBckX9cnzeXB9ID_dw&s=F_2sRqz669yemQ4GbrwkTlh6D0HtrNX1wqu7RvAN1WE&e=>; This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy.