Agent to Server Tunnel - SSL certificate issues

Started by jmcdole, April 15, 2022, 10:02:02 PM


jmcdole

Hello,
I have been successfully using NetXMS for over ten years—thank you for an excellent tool!!

However, I have a couple of locations where my NetXMS agents are located behind a firewall that I cannot control—and the firewall is blocking self-signed SSL certificates. When I try to set up an agent to server tunnel, the agent traffic is blocked from traversing across the firewall to my NetXMS server.

It seems I need to use a commercial Certificate Authority—something I believe is cost-prohibitive... and I am not sure what type of certificate to even ask for. Has anyone used tunnels without using self-signed certificates?

And, based on how I understand this all working, I also understand the Organizational Unit field has been deprecated in the SSL specs... so, can I even get a commercial CA that will support the requirements of agent to server communication?

Thank you for any insight!!!

Filipp Sudanov

Hi!

Currently the server uses one certificate for the TLS connection and to issue agent certificates. To use this workflow you'd need a certificate from a Certificate Authority with the CA flag set - this might be problematic or expensive.

I've created an issue in our bug tracker with the idea to have two separate certificates on the server: https://track.radensolutions.com/issue/NX-2256
Until this is implemented, you theoretically can just obtain a certificate without the CA flag and put it as ServerCertificate in the server config. And you can put your current server certificate into the TrustedCertificate parameter. This way your current agents would be able to connect and work, but the server won't be able to issue new agent certificates when they expire.

The other approach could be some sort of VPN between agent and server.

By the way, do you have some information on how exactly this firewall does the checking - does it work as a man-in-the-middle, or does it establish a second connection to the server to get the certificate?

jmcdole

Excellent, thank you for confirming how this works.

I am thinking about an SSH tunnel (it is a Windows server on the client side... so not 100% sure how to maintain/restart the tunnel automatically...). I am glad to hear I can use my own SSL (that might be OK).

I have seen this issue with sites using Palo Alto firewalls. The firewall vendor claims they are using "deep packet" inspection technology, but I do not think they are terminating SSL; rather, it is just an SSL certificate rule that is rejecting self-signed and expired certificates.

Thank you again!

Filipp Sudanov

Just to mention - agent log parser policies (this is configured in templates) can execute actions directly on the agent, even without communication to the server. So theoretically the agent can watch some log file of the ssh client and call some script to re-establish the connection. I doubt that this is the best way, but it might be convenient from a deployment standpoint.
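For the SSH-tunnel alternative raised above (keeping the tunnel up on a Windows client, and having the agent call a script to re-establish it), here is a keepalive script as an added example; it is not from the thread or the NetXMS project. The host names, account, key path and port numbers are placeholders, and it assumes the OpenSSH client is installed on the agent host. It probes the local end of the port forward and (re)starts `ssh` whenever nothing answers, so it can be run as a Windows scheduled task or invoked as an agent action.

```python
"""Keepalive for a client-side SSH tunnel on the host that runs the NetXMS agent.

Placeholder layout (not from the thread): the agent host forwards a local port
to the NetXMS server's tunnel listener through an SSH jump host:
    ssh -N -L <local_port>:<netxms-server>:<tunnel_port> <user>@<jump-host>
The script probes the local end of the forward; when nothing answers, it
(re)starts ssh. Standard library plus the OpenSSH client only, so it runs
unchanged as a Windows scheduled task or as a NetXMS agent action.
"""
import socket
import subprocess
import sys
import time
from typing import List, Optional

LOCAL_PORT = 14703                     # placeholder: local end of the forward on the agent host
NETXMS_SERVER = "netxms.example.com"   # placeholder: the server behind the firewall
TUNNEL_PORT = 4703                     # placeholder: set to your server's agent tunnel listener port
JUMP = "tunnel@jump.example.com"       # placeholder: unprivileged account on a reachable SSH host


def build_ssh_command(local_port: int, server: str, tunnel_port: int, jump: str,
                      key_file: Optional[str] = None) -> List[str]:
    """argv for a forward-only ssh session that exits (and so gets restarted) if the forward fails."""
    cmd = ["ssh", "-N",
           "-o", "ExitOnForwardFailure=yes",     # no silent session without the forward
           "-o", "ServerAliveInterval=30",       # notice a path the firewall has dropped
           "-o", "ServerAliveCountMax=3",
           "-o", "BatchMode=yes",                # key auth only; never hang on a prompt
           "-L", f"{local_port}:{server}:{tunnel_port}"]
    if key_file:
        cmd += ["-i", key_file]
    return cmd + [jump]


def tunnel_is_up(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when something accepts TCP connections on host:port (the ssh listener)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def watchdog(cmd: List[str], local_port: int, interval: float = 30.0,
             max_restarts: Optional[int] = None) -> int:
    """Restart ssh whenever the local forward is gone; loop forever unless max_restarts is set.
    Returns the number of restarts performed when max_restarts stops the loop."""
    proc: Optional[subprocess.Popen] = None
    restarts = 0
    while True:
        if proc is not None and proc.poll() is not None:   # ssh exited on its own
            proc = None
        if proc is None or not tunnel_is_up("127.0.0.1", local_port):
            if proc is not None:                           # process alive but port dead: recycle it
                proc.terminate()
                try:
                    proc.wait(timeout=10)
                except subprocess.TimeoutExpired:
                    proc.kill()
            if max_restarts is not None and restarts >= max_restarts:
                return restarts
            proc = subprocess.Popen(cmd)
            restarts += 1
        time.sleep(interval)                               # give ssh time to bring the forward up


if __name__ == "__main__":
    key = sys.argv[1] if len(sys.argv) > 1 else None       # optional path to the tunnel key
    watchdog(build_ssh_command(LOCAL_PORT, NETXMS_SERVER, TUNNEL_PORT, JUMP, key), LOCAL_PORT)
```

The agent is then configured to open its tunnel to 127.0.0.1:14703 instead of the server directly, so the traffic the firewall sees is an ordinary SSH session to the jump host rather than a TLS handshake with a self-signed certificate. Keep `interval` longer than the time ssh needs to authenticate, otherwise a healthy but still-connecting session gets recycled.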