Firewall-friendly Agent - Server communication

Started by Tursiops, March 02, 2016, 12:55:20 AM

Tursiops

Hi,

I couldn't see this being an active Feature Request, but did find an older post (https://www.netxms.org/forum/feature-requests/agent-data-push-%28firewall-friendly%29/) suggesting usage of nxpush for this.
The basic idea being not to have the server poll the agents, but the agents contact the server instead.
This would remove the requirement for port forwards for systems behind a NAT. When you have dozens or even hundreds of different setups like that, it means manually reconfiguring each router/firewall with a port forward. It also means that if the proxy node on site goes down, everything appears to be offline. Having the agents initiate the connection to the server would remove the need for a proxy in a lot of these scenarios (not counting sites with heavy lockdowns on outbound traffic).

The communication could be something the agent initiates but with the connection kept open using keepalives, so the server can push commands down the connection at any time. I guess examples of that kind of connection would be PRTG probes or RMM Agents like Labtech, N-Able or Kaseya.

It would make a roll out easier, more firewall-friendly and allow monitoring of portable nodes moving between networks with private IPs (for example if you want to monitor notebooks which may end up in multiple offices, at home or at an airport) or nodes at a site that has multiple nodes, but none of them being online 24/7.

Are there any plans to implement something like this?
I know the post given above is from 2013 and it didn't sound like there were any.
Maybe not enough users monitoring lots of different firewalled networks? :)

Cheers

Victor Kirhenshtein

Hi,

Actually, there is increasing demand for such a feature. I plan to implement it in the next major release.

Best regards,
Victor

lazerusrm

This feature would be really nice with our current topology.

We have systems behind a customer firewall, and would like to monitor remote networks using the agent installed on one machine behind a firewall, and push all that data to the server.

This is how PRTG's implementation works, and it's one feature that I've really enjoyed.

The alternative currently is setting up a VPN tunnel and going through all those hoops.

StanHubble

Add another vote for this. I am looking to roll out to 400+ networks/sites that are behind firewalled routers. It would simplify a lot of the deployment tasks.

OIT

Hi,
Any idea when this would be implemented? We too are waiting on it to deploy out.

Thanks

Quote from: Victor Kirhenshtein on March 08, 2016, 10:53:39 PM
Hi,

Actually, there is increasing demand for such a feature. I plan to implement it in the next major release.

Best regards,
Victor


Victor Kirhenshtein

Hi,

It is implemented in 2.1-M3 (called agent tunnels), although currently it is a bit complicated to configure and maintain. But we already have a few deployments. The next release will contain tools for simplified agent tunnel management.

Best regards,
Victor