We are now in a position where we want to monitor remote nodes (outside of our domain/LAN). Initially we were able to set up port forwarding on the remote network to allow traffic IN from our server to the agent on port 4700 (remembering to configure the Windows Firewall too). Then we hit a limitation with NetXMS server not allowing multiple nodes configured with the same ip/hostname (hopefully this will be resolved in a future release).

So we tried to flip the configuration so the remote agent connects in to our server. This proved a little challenging, so I’ve documented how we got it working and some of the troubleshooting tips.

Enabling Logging

On the server, modify netxmsd.conf (on our server this was located at C:\NetXmsServer\etc). On the agent, modify nxagentd.conf (on our agent this was found in C:\NetXMS\etc). Add:

LogFile = C:\path\to\log\log.txt
DebugLevel = 9

Then restart the NetXMS Core service (on the server) or NetXMS Agent service (on the agent).

**Make sure you change it back to 1 or remove it completely when you are done as the log file will grow very large, very quickly**

Creating the CA / Server Certificate

We wanted to do this with the bare minimum (most of the guides online were pages long). I was surprised there wasn’t an online tool to generate the certificate (perhaps I will build one sometime).

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 10240 -out ca.pem

When prompted for Country, State, Organization, etc., we just hit Enter to accept the default value. We then need to combine the key and certificate into a single file (we just used Notepad++):

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

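Make sure you have a blank line at the end of the file (and the certificate comes before the private key). You can download the pre-built certificate here: https://tickett.net/downloads/netxms_ca.pem. Anyone can download that file, so its private key is not secret; generate your own with the commands above for anything beyond testing.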
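A hand-merged file is easy to get subtly wrong, so here is a small structural check for the combined ca.pem, added as an example (it is not from the original post or from NetXMS). The function name and the sample data are constructed for illustration; the BOM check assumes the file was saved from an editor that can prepend one. It checks layout only, not that the key belongs to the certificate.

```python
import base64
import re

# One PEM block: captures the label and the base64 body between the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def check_combined_pem(raw: bytes) -> list:
    """Return the problems found in a combined certificate + key PEM file."""
    problems = []
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 BOM at start of file")
        raw = raw[3:]
    if not raw.endswith(b"\n"):
        problems.append("no newline at end of file")
    blocks = PEM_BLOCK.findall(raw.decode("ascii", errors="replace"))
    labels = [label for label, _ in blocks]
    certs = [i for i, name in enumerate(labels) if name == "CERTIFICATE"]
    keys = [i for i, name in enumerate(labels) if name.endswith("PRIVATE KEY")]
    if len(certs) != 1:
        problems.append(f"expected 1 certificate block, found {len(certs)}")
    if len(keys) != 1:
        problems.append(f"expected 1 private key block, found {len(keys)}")
    if certs and keys and keys[0] < certs[0]:
        problems.append("private key comes before the certificate")
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label} block is not valid base64")
    return problems


def _block(label: str, payload: bytes) -> str:
    # Constructed placeholder data, not real certificate or key material.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


CERT = _block("CERTIFICATE", b"constructed certificate bytes")
KEY = _block("RSA PRIVATE KEY", b"constructed key bytes")
GOOD = (CERT + KEY).encode()                       # order the post requires
BAD = b"\xef\xbb\xbf" + (KEY + CERT).encode().rstrip(b"\n")

if __name__ == "__main__":
    print(check_combined_pem(GOOD))
    print(check_combined_pem(BAD))
```

To check a real file, pass its bytes: `check_combined_pem(open(path, "rb").read())`.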

Configuring the Certificate

  • Drop the ca.pem file anywhere on the NetXMS server
  • Modify netxmsd.conf and add the following lines:
ServerCACertificate = C:\NetXmsServer\etc\cert\ca.pem
ServerCertificate = C:\NetXmsServer\etc\cert\ca.pem
ServerCertificatePassword = netxms

Notice both the ServerCACertificate and ServerCertificate paths point to the same file. I don’t think the password is needed at all.

  • Restart the NetXMS Core service

Creating a Tunnel / Adding a WAN Node

  • Ensure your router is configured to forward traffic received on port 4703 to your NetXMS server
  • Ensure your NetXMS server firewall is configured to allow traffic in on port 4703
  • Modify your nxagentd.conf and add the following line:
ServerConnection = server_wan_fqdn_or_ip
  • Restart NetXMS Agent service
  • In the NetXMS server, look under Configuration, Agent Tunnel Manager
  • You should see a red entry (if you don’t, something above went wrong)
  • Right click and select Create node and bind
  • Name your node and enter 0.0.0.0 for the ip/hostname and save (if the tunnel vanishes at this point, something above went wrong)

Good luck!