Looking for clarification on Xymon client / server hierarchy.
Hi Grant
The xymonnet process needs to be able to send probe packets (eg ping, web requests, and whatever you're trying to monitor) to the clients. If the firewall is blocking the probe traffic, then it's not going to work. The xymon proxy only proxies xymon messages, such as the ones sent by the xymonnet process to the xymond process when reporting the status of the probes (success or failure, and round-trip times).
It seems to me that you need a xymonnet process running on the client side of the firewall. For example, if you can run xymonnet on one of the clients, then the firewall only needs to allow xymon traffic from the client to the Xymon server, so that xymonnet can report the status of its probes.
You can run xymonnet stand-alone, and set environment variables to tell it where to send its messages. If you already have a xymon client installed on the client host, you can execute xymonnet from clientlaunch.cfg and it should then know where to send packets due to the environment that is set up.
The only thing I'm not certain of, is how xymonnet knows which hosts to probe and what probes to send to them. When xymonnet is running on the Xymon server, it has access to the hosts.cfg file that's there. When running elsewhere, I'm not sure. I know that there's a way to fetch the hosts.cfg contents using xymon messages, so my guess is that xymonnet can do that too, but might need to be told to do so. And if so, you would only want that xymonnet instance to probe devices inside the client network, so you might need to make use of the "NET:" tags in hosts.cfg.
J
On Tue, 17 Oct 2023 at 02:51, Grant Taylor via Xymon <xymon at xymon.com> wrote:
---------- Forwarded message ----------
From: Grant Taylor <gtaylor at tnetconsulting.net>
To: xymon at xymon.com
Cc:
Bcc:
Date: Mon, 16 Oct 2023 10:49:42 -0500
Subject: Looking for clarification on Xymon client / server hierarchy.

Hi,
Would someone help me understand the Xymon client / server / proxy hierarchy a little bit better?
My scenario is I have two locations separated by a firewall wherein clients inside can send things out to the larger network, but the xymonnet can't reach in to probe clients in the private LAN.
I had thought that an Xymon proxy might be the answer for this. -- I did get internal clients to relay updates out through the xymonproxy to the Xymon (display) server. However xymonnet seems to not utilize the xymonproxy to initiate tests therefrom.
What is the recommended way to have Xymon monitor internal clients that can't be directly reached from the Xymon (display) server?
Aside: It seems as if the xymonproxy might be for the other way around, to have clients in the wild get messages into a protected Xymon server which can reach out and touch the clients.
Thank you and have a good day.
-- Grant. . . . unix || die
On 10/16/23 7:08 PM, Jeremy Laidman wrote:
> Hi Grant
Hi Jeremy,
> The xymonnet process needs to be able to send probe packets (eg ping, web requests, and whatever you're trying to monitor) to the clients. If the firewall is blocking the probe traffic, then it's not going to work.
ACK
> The xymon proxy only proxies xymon messages, such as the ones sent by the xymonnet process to the xymond process when reporting the status of the probes (success or failure, and round-trip times).
That's what I've deduced. I'm hoping this (new) thread helps confirm or clarify my deductions.
> It seems to me that you need a xymonnet process running on the client side of the firewall. For example, if you can run xymonnet on one of the clients, then the firewall only needs to allow xymon traffic from the client to the Xymon server, so that xymonnet can report the status of its probes.
ACK
The scenario that I'm working with can be described as a primary Xymon (display) server in one network with a small lab network behind a NATing / SPI firewall. Clients on the inside side / opposite of the Xymon server are free to send outgoing packets. It's just that xymonnet running on the Xymon server can't send probes into the clients.
> You can run xymonnet stand-alone, and set environment variables to tell it where to send its messages. If you already have a xymon client installed on the client host, you can execute xymonnet from clientlaunch.cfg and it should then know where to send packets due to the environment that is set up.
Oh! This is promising.
I misinterpreted comments in the tasks.cfg file to mean that xymonnet depended on xymond. Now it sounds like xymonnet can be satisfied by the xymon client.
Running xymonproxy + xymonnet + xymonclient on a system inside of the firewall might do what I'm wanting to do.
> The only thing I'm not certain of, is how xymonnet knows which hosts to probe and what probes to send to them. When xymonnet is running on the Xymon server, it has access to the hosts.cfg file that's there. When running elsewhere, I'm not sure. I know that there's a way to fetch the hosts.cfg contents using xymon messages, so my guess is that xymonnet can do that too, but might need to be told to do so.
I currently have a full Xymon (display) server running inside the firewalled network. But I think that having the full server is complicating things.
I'm guessing that running only the three daemons (xymonclient + xymonproxy + xymonnet) inside the firewall would make my life simpler and wouldn't complicate things with multiple Xymon (display) servers that need to share state.
I'm quite okay with '${XYMON} ${XYMSRV} "config hosts.cfg" > hosts.cfg' on the internal system running xymonnet.
> And if so, you would only want that xymonnet instance to probe devices inside the client network, so you might need to make use of the "NET:" tags in hosts.cfg.
I currently have NET: tags and XYMONNETWORK parameters on the systems running xymonnet.
It's working. But I'm needing to run a xymonproxy on 1984 and distributing messages to xymond on 1985 on localhost and xymond on 1984 on the main Xymon (display) server.
Hence this thread inquiring about a cleaner method of having a topology.
Thank you again Jeremy.
-- Grant. . . . unix || die
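An added example, not part of either message and not Xymon's own code: a shell filter that lists which hosts.cfg entries a xymonnet instance would probe for a given XYMONNETWORK value, so the probe scope of the instance inside the firewall can be checked against the NET: tags discussed above. The sample hosts.cfg is constructed, the function names are hypothetical, and exact string matching of the NET: tag is an assumption of this sketch.

```shell
#!/bin/sh
# Constructed sample hosts.cfg (documentation address ranges, made-up hosts).
sample_hosts_cfg() {
cat <<'EOF'
# lab hosts sit behind the NAT/SPI firewall
page lab Lab network
192.0.2.10    labweb1   # NET:lab http://labweb1/
192.0.2.11    labdb1    # NET:lab conn
198.51.100.5  corpmail  # NET:corp smtp
198.51.100.6  corpdns   # dns
EOF
}

# select_hosts NETWORK [untagged]
# Reads hosts.cfg on stdin and prints the hostnames whose NET: tag equals
# NETWORK. With "untagged" as second argument, hosts carrying no NET: tag
# are included too (the behaviour xymonnet's --test-untagged option enables).
select_hosts() {
    awk -v net="$1" -v untagged="${2:-no}" '
        # Host entries start with an IPv4 address; skip comments,
        # page/group directives and blank lines.
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
        {
            tag = ""
            for (i = 3; i <= NF; i++) {
                t = $i
                sub(/^#/, "", t)            # tolerate "#NET:lab"
                if (t ~ /^NET:/) tag = substr(t, 5)
            }
            if (tag == net || (tag == "" && untagged == "untagged"))
                print $2
        }'
}

# Against the live configuration, using the command from the thread:
#   ${XYMON} ${XYMSRV} "config hosts.cfg" | select_hosts lab
```

Running `sample_hosts_cfg | select_hosts lab` prints only labweb1 and labdb1; a host from the outer network appearing in that list means the inside xymonnet would try to probe outward through the firewall.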