Agent tunnels, exposing NetXMS server to internet? Do you put it in DMZ?

Started by normalcy, November 28, 2017, 02:24:37 AM


normalcy

Hi all. Looking at the agent tunnel functions and wondering how some of you have deployed them operationally?

I can see their utility for allowing hole-punching out of a proxy site back to the server, but how do you do this securely?

Are you placing the NetXMS server on the public internet to receive the tunnels?

Or are some of you using an extra NetXMS server in a DMZ and forwarding events/alarms to a primary server behind the firewall? Using an SSL proxy like nginx to unwrap and forward to the server behind the firewall?

Just curious about any deployment recommendations that can avoid directly placing the server online. Or is the SSL code sufficiently isolated from the rest of the server and I'm being paranoid?

Cheers.

Tursiops

Hi,

Our server is on the public internet. Of course there is a firewall in front of it (i.e. it is in a DMZ), but the port to allow agent tunnels in is open.
If you know the IPs that tunnels come from, you can obviously lock that down on the firewall.
Similar to other monitoring or RMM solutions that use agents, e.g. PRTG, Solarwinds, Kaseya, Labtech, N-Able, ...

Other options I can think of:
If you want to ensure there are no ports open to the internet, you may be able to use a VPN from the NetXMS Server to each site or, if all you care about are events, a separate NetXMS Server at each site for that particular network, forwarding events to the main server (you'd still need to allow for that communication though) which will handle alerting.
Assuming that your sites don't all have unique requirements, you'd also need to keep the config between servers in sync, probably via some scripting.

Not sure what others are doing, there may be other options.

Cheers
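As an added illustration of the "lock the tunnel port down on the firewall" option above (example script written for this thread, not NetXMS project code or anything Tursiops posted): a small POSIX shell script that generates an nftables ruleset with a default-drop input chain and an allowlist set for the agent tunnel port. It assumes the server is Linux with nftables, that `TUNNEL_PORT` is the port your agent tunnel listener uses (4703 is the NetXMS default; change it if yours differs), and the site addresses in `allowed_sites` are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: the NetXMS agent tunnel listener is on TUNNEL_PORT (default 4703).
TUNNEL_PORT="${TUNNEL_PORT:-4703}"

# allowed_sites: one CIDR per line for each remote site that runs a proxy agent.
# These are constructed placeholder addresses (TEST-NET ranges), not real sites.
allowed_sites() {
  cat <<'EOF'
203.0.113.10/32
198.51.100.0/24
EOF
}

# build_ruleset PORT: read CIDRs from stdin and print an nft ruleset that
# accepts new tunnel connections only from those sources and drops the rest.
build_ruleset() {
  port="$1"
  echo "table inet netxms {"
  echo "  set tunnel_sources {"
  echo "    type ipv4_addr; flags interval;"
  printf "    elements = { "
  first=1
  while read -r cidr; do
    [ -z "$cidr" ] && continue
    if [ "$first" -eq 1 ]; then first=0; else printf ", "; fi
    printf "%s" "$cidr"
  done
  echo " }"
  echo "  }"
  echo "  chain input {"
  echo "    type filter hook input priority 0; policy drop;"
  echo "    ct state established,related accept"
  echo "    iif lo accept"
  # Only known sites may open a tunnel; everything else to that port is counted and dropped
  echo "    tcp dport $port ip saddr @tunnel_sources ct state new accept"
  echo "    tcp dport $port counter drop"
  echo "  }"
  echo "}"
}

# count_sources: number of CIDRs that ended up in the allowlist (sanity check)
count_sources() {
  allowed_sites | grep -c '/'
}

# Usage: write the ruleset to a file, then syntax-check it before loading.
#   allowed_sites | build_ruleset "$TUNNEL_PORT" > /etc/nftables.d/netxms.nft
#   nft -c -f /etc/nftables.d/netxms.nft
allowed_sites | build_ruleset "$TUNNEL_PORT"
```

The `counter drop` rule on the tunnel port is deliberate: its counter gives you a cheap indicator of unexpected connection attempts from addresses that are not in the allowlist. Remember the chain drops everything else too, so add your SSH/management rules (or keep them in a separate table) before loading this.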

Victor Kirhenshtein

Hi,

From my experience it's usually done via VPNs to remote sites. In many cases we have seen Raspberry Pi or similar devices acting as both VPN gateway and proxy agent for the remote site.

Best regards,
Victor