article Monitoring Servers And Services Behind a Firewall

Related Documentation Version of up.time affected Affected Platforms

All All

Article Contents

Overview

up.time can monitor services and servers globally from a single monitoring station. Communicating with servers across global networks can be complex and it can be difficult to monitor servers and serices that are behind firewalls so you may need to apply special settings to address common security policies within your network.

This article provides a brief description of how to configure your firewall and up.time to allow full monitoring of protected servers and services.

Monitoring Publicly Available Services and Servers Behind the Firewall

If a service or server is publicly available to the general network but is behind a firewall, you should not experience problems adding that service or server to up.time for monitoring. To ensure that you are able to monitor all services and servers, follow these rules:

  • Use the same hostname to add your system into up.time as you would to normally access the system.
  • Ensure that a port is open to accept incoming connections from the monitoring station. The default port is 9998; however, you can configure a different port for each agent.
  • Ensure that the common port for any services that you want to monitor is open to accept incoming connections from the monitoring station. For example, to monitor an SMTP service behind your firewall, open port 25 for incoming connections on the firewall.
  • All connections made to agent systems must originate from the monitoring station server.

Monitoring NAT Servers and Services Behind the Firewall

Monitoring Network Address Translation (NAT) addressed servers behind a firewall is slightly more complex. NAT addressed servers are available only to the private network behind the firewall, so you must adjust the firewall settings to allow additional access.

To allow monitoring of privately addressed servers:

  1. Enable port forwarding on your firewall.

    Each server that you wish to monitor from outside the firewall must have a distinct port assigned to forward incoming connections to the correct NAT address. The exact procedure to enable port forwarding will depend on your firewall manufacturer (please contact your firewall vendor for assistance).

  2. Create hostname alias addresses on the monitoring station for each NAT address behind the firewall that you want to monitor.

    For example, if your firewall address is fw with an IP address of 192.168.19.200 and you want to monitor the servers named mailbox and filestore, you must add the two named aliases to the firewall IP address.

    Creating and editing aliases for each server you would like to monitor is done on the monitoring station system by editing a local system file to recognize these aliases. The alias file can be found in the following locations on most common platforms:

    • Linux and Solaris: /etc/hosts
    • Windows: C:WINDOWSsystem32DRIVERSETCHOSTS

    The format for this file is the same across all platforms. The following is an example of the line you would add (or update) in this file to create aliases for the two NAT servers behind the firewall.

    192.168.19.200 fw mailbox filestore


    Ping all three addresses from the monitoring station to verify that the aliases have been properly created. If they have, you should receive a reply.

    NOTE: Choose alias names that do not already exist on your network.

  3. Add your servers into up.time using the web interface.

    When adding each server, enter the alias that you have created in the Host Name field of the up.time Add System window. Set the communications port to the port that you have assigned to be forwarded to the correct server through your firewall.

Related Articles


Adding up.time port exceptions to Windows firewall

RatingViews
article

By: uptime Support | Date Created: 10-25-2005 | Last Modified: 7-13-2011 | Index: 024

  6750

Monitoring services running on a different IP address than the ag...

RatingViews
article

If you have a server with multiple IPs serving different applications you will find that up.time only allows you to create service monitors against the primary IP by default. To monitor services...

By: uptime Support | Date Created: 12-31-1969 | Last Modified: 8-10-2011 | Index: 252

  3179

Monitoring HTTP Services in a Load Balanced Cluster

RatingViews
article

To monitor the web site available on your load balanced cluster we reccomend this approach. 1 - Install the up.time agent on each of your cluster nodes and monitor them with up.time. This will...

By: uptime Support | Date Created: 12-31-1969 | Last Modified: 8-31-2011 | Index: 295

  3177

Required Ports for the up.time Monitoring Station

RatingViews
article

By: uptime Support | Date Created: 10-28-2005 | Last Modified: 6-26-2013 | Index: 021

  8989

Add firewall rule to open port 9998 for Linux agent

RatingViews
article

To add a rule to iptables to allow incoming connections on port 9998: # vi /etc/sysconfig/iptables Add this line: -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9998 -j ACCEPT...

By: uptime Support | Date Created: 10-14-2009 | Last Modified: 8-10-2011 | Index: 431

  3071

User Comments



No comments have been posted.

Copyright © 2021 IDERA, Inc.   Legal   Privacy Statement