Add Windows Client

  • Hi,


    I'd like to add a Windows client to my Icinga 2 master.


    I have read the docs and the Icinga client is successfully installed. But in my terminal I see:


    In Icinga 2 Director I have added the client as a Zone.


    What is wrong?


    Please help.


    thx


    Rafael

  • What does your cluster setup look like? Have you set up an endpoint for the Windows client?


    You mentioned that you use the Director; have you used the PowerShell script to configure your Windows client?

  • Hi,


    I have created only a Zone first. Creating the Endpoint produces a critical error on my master server (can't connect).

    The Windows client connects to the satellite server and can't connect directly to the master (VPN connection).


    What is the proper way?


    Thx


    Rafael

  • Currently you need to have the client connected to the CSR autosigning master once, in order to receive a CA signed client certificate.


    Your error probably comes from a self-signed certificate, and the satellite refuses to trust the client during the TLS handshake.

  • Hi,


    I read the docs but I can't find a chapter on manually signing my CSR.


    Basically, what is the correct way to connect a Windows client across a satellite?

    (Zones and Endpoints)


    Thx


    Rafael

  • Hi,


    now I get:


    [2017-09-28 16:25:23 +0200] warning/ApiListener: Certificate validation failed for endpoint 'olbors001.meinefirma.local': code 7: certificate signature failure
    Context:
    (0) Handling new API client Connection


    The Endpoint is created.


    Please Help.


    Thx


    Rafael

  • ok thx.


    Thx. Last questions which are still open:


    - How can I determine the API user for the Windows agent? In Linux I can set it!

    - What is the correct instance name for the Windows agent? The satellite or the master? The master is in another, external network and is connected to the satellite via VPN. The satellite and the Windows client are in the same network.


    Please help


    Thx


    Rafael

  • 1. The API is on your master server and you can configure the users in the `api-users.conf` file. You can query already configured users with `icinga2 object list --type ApiUser`. I honestly don't know what you mean by this question; can you please explain a bit more what you want to achieve with the API on your Windows agent?


    2. The instance name that the Windows agent should connect to should be the parent node; in your case this is your satellite instance name.

  • "satellite instance name" should read as "the endpoint name for your satellite, which must be the same as the common name in its certificate" - if they don't match, you'll get trust errors in the logs. See the docs chapter for "naming conventions".


    Basically, look into your satellite's zones.conf and copy the Endpoint and Zone definitions. Normally these details should already have been asked for by the Windows setup wizard and written to the client's local zones.conf.

  • Thx


    I still have a question. Is it necessary that the clients are added as zone and endpoint on my master? Or is it enough if I add only a host?


    Please Help


    Thx


    Rafael

  • If you have a satellite in the middle, the satellite must know about the zones and endpoints for all clients. This is a matter of a) trust relationship (parent and child zones) and b) connection directions (endpoint port attribute, which side attempts to connect to the other one).


    Look into the documentation, especially for the three level cluster setup.

  • Ok thanks


    In the meantime I have added a Windows client successfully.


    But is it normal that I must create certificates manually because the satellite writes a certificate failure in the log files? The signer is my master server (node wizard).

    When I create manual certificates (from the master), then everything is fine.


    Is it possible to correct the zones.conf that is supplied from my master server to my Windows client? The default file has no "global-director" entry and no master and satellite hierarchy entry (I think it is the constant's name, not the real name).


    Please help


    Thx


    Rafael

  • The auto-signing mechanism requires that you are able to establish a connection from your client to your master. If this is not possible, you currently have two options: 1) create a temporary connection to your master while you are deploying the client, or 2) create the certificates manually.


    The zones.conf on your Windows client is not supplied from your master. The settings in the zones.conf on your Windows client are generated by the Windows wizard. Which Icinga 2 version are you using on your Windows hosts? In one of the last versions the "global-templates" and "global-director" zones are added to the default zones.conf, so it should not be necessary to add them manually.

  • Hi,


    I use the latest Icinga agent 2.7.1 from packages.icinga....


    I have no entry for global-director on the machine.


    Does anyone have an idea?


    Thx


    Rafael

  • When you used the Windows agent wizard you should have two files named zones.conf and zones.conf.orig. Could you please check if the global zones are defined inside the zones.conf.orig file?


    I guess that the global zones are not written to the "new" zones.conf that is created during the Windows agent wizard.
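
Added example (not part of the forum thread and not Icinga project code): a check of a client's zones.conf for the two points raised above, that the parent hierarchy (client zone below the satellite zone) is declared and that the global zones are present. The host names, sample file and function names are constructed for illustration; the default global zone list uses `director-global`, the name in Icinga's stock zones.conf, so pass a different tuple if your master defines other names.

```python
import re

# Constructed sample of a client-side zones.conf; every host name is hypothetical.
SAMPLE_ZONES_CONF = '''
object Endpoint "satellite1.example.local" { host = "192.0.2.10" }
object Zone "satellite" { endpoints = [ "satellite1.example.local" ] }
object Endpoint "winclient1.example.local" { }
object Zone "winclient1.example.local" {
  endpoints = [ "winclient1.example.local" ]
  parent = "satellite"
}
object Zone "global-templates" { global = true }
object Zone "director-global" { global = true }
'''

OBJ_RE = re.compile(r'object\s+(Endpoint|Zone)\s+"([^"]+)"\s*\{(.*?)\}', re.S)

def parse_zones(text):
    """Return (endpoint names, {zone: (members, parent, is_global)}) for a DSL subset."""
    text = re.sub(r"(//|#).*", "", text)  # drop line comments
    endpoints, zones = set(), {}
    for kind, name, body in OBJ_RE.findall(text):
        if kind == "Endpoint":
            endpoints.add(name)
            continue
        members = re.search(r"endpoints\s*=\s*\[(.*?)\]", body, re.S)
        parent = re.search(r'parent\s*=\s*"([^"]+)"', body)
        zones[name] = (re.findall(r'"([^"]+)"', members.group(1)) if members else [],
                       parent.group(1) if parent else None,
                       bool(re.search(r"global\s*=\s*true", body)))
    return endpoints, zones

def check_client_zones(text, node_name, globals_=("global-templates", "director-global")):
    """List problems in a client zones.conf; an empty list means the checks pass."""
    endpoints, zones = parse_zones(text)
    problems = []
    for zname, (members, parent, _) in zones.items():
        problems += [f'zone "{zname}" lists undeclared endpoint "{m}"'
                     for m in members if m not in endpoints]
        if parent and parent not in zones:
            problems.append(f'zone "{zname}" has undeclared parent "{parent}"')
    own = [z for z in zones.values() if node_name in z[0]]
    if not own:
        problems.append(f'no zone contains local endpoint "{node_name}"')
    elif own[0][1] is None:
        problems.append(f'zone of "{node_name}" has no parent zone')
    problems += [f'global zone "{g}" is missing' for g in globals_
                 if not zones.get(g, (None, None, False))[2]]
    return problems
```

`node_name` must be the client's endpoint name, which per the thread has to equal the common name in its certificate.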