
Use the following information to secure Uptime Infrastructure Monitor Monitoring Station to Windows Agent communication with TLS v1.2. You must have administrator access to the Monitoring Station and to the machines on which you want to install and configure Agents.

Stunnel configuration

Begin by setting up the stunnel configuration file to allow only TLS 1.2.

Modify the stunnel config file located at:

C:\Program Files\uptime software\Uptime agent\stunnel\config\stunnel.conf

using the following information:

[up.time agent]
accept = 9997
connect = 9998
cert = stunnel.pem
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1

Firewall modification

Create a firewall rule that blocks incoming connections to port 9998 on the Agent machine so that no insecure (plaintext) connections can be made to the Agent. It is a good idea to set the firewall to notify you when applications are blocked, as it aids in configuring it with stunnel.

Run stunnel as a service on the Agent machine

Run stunnel as a service that starts when Windows starts, so that the connection is re-established once the Agent server is rebooted. Open a command prompt as an administrator, and then change the directory to the location of the stunnel config file that you edited in the previous Stunnel configuration section, for example:

C:\users\robert>cd\Program Files\uptime software\Uptime agent\stunnel\config

Then execute the following command (stunnel.exe lives in stunnel's bin folder):

stunnel -install

For example:

C:\Program Files\uptime software\Uptime agent\stunnel\config>..\bin\stunnel.exe -install

Now, open the Services control panel (Start > Run > services.msc), find the stunnel service, and start it. Although the service is set to start automatically, it is not yet running, so you must start it manually this first time. If your Windows firewall asks for confirmation, click Yes.

Monitoring station configuration

In this step, you must modify the Uptime Infrastructure Monitor configuration to restrict secure agent communications to the version and ciphers of SSL/TLS that you want to use. It is important that you run Notepad as an administrator (or use Notepad++) to make these changes, because the file is located in the Uptime Infrastructure Monitor installation directory. If you used the default installation, it is located under C:\uptime or C:\Program Files\uptime software\uptime.

At the end of the file, add the following lines:

#Agent connection security stuff
clientSocketTlsVersion= TLSv1.2

Note that this step is the opposite of the Agent setup, where you specify which SSL/TLS versions NOT to use; here you specify the one version to use. For this example, we only allow TLS 1.2, the strongest encryption currently offered by IDERA.
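Because the two sides are configured in opposite directions (the agent's stunnel.conf is a deny-list of protocol versions, the Monitoring Station's clientSocketTlsVersion is a single allowed version), a mismatch is easy to introduce and only shows up later as a failed poll. The checker below is an added example, not part of the original article or of IDERA's product: it parses both fragments and reports any version the two sides disagree on. It assumes only the [up.time agent] section and the keys shown in this article; the configuration texts embedded in it are constructed samples, not copies of a real installation.

```python
"""Added example (not from the original article): cross-check the agent-side
stunnel.conf deny-list against the Monitoring Station's clientSocketTlsVersion."""
import re

# Protocol versions a stunnel "options = NO_<version>" line can disable.
# This list covers the versions the article discusses; add "TLSv1.3" if your
# stunnel/OpenSSL build supports it.
KNOWN_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Constructed sample inputs (not taken from a real installation).
GOOD_STUNNEL = """\
[up.time agent]
accept = 9997
connect = 9998
cert = stunnel.pem
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
"""

# Same file, but the operator forgot to disable TLS 1.1.
WEAK_STUNNEL = GOOD_STUNNEL.replace("options = NO_TLSv1.1\n", "")

STATION_CONF = """\
# other Monitoring Station settings would precede this in a real file
#Agent connection security stuff
clientSocketTlsVersion= TLSv1.2
"""


def parse_stunnel_conf(text):
    """Parse stunnel.conf into {section: {key: [value, ...]}}.

    Repeated keys ("options = NO_SSLv3", "options = NO_TLSv1") are kept as a
    list, which is why the standard configparser (which rejects duplicate keys
    in a section) is not used here."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or comment
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def agent_allowed_versions(conf, section="up.time agent"):
    """Return the set of protocol versions the agent section still permits."""
    disabled = {opt[3:] for opt in conf.get(section, {}).get("options", [])
                if opt.startswith("NO_")}
    return set(KNOWN_VERSIONS) - disabled


def station_tls_version(text):
    """Extract clientSocketTlsVersion from Monitoring Station config text."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "clientSocketTlsVersion":
            return value.strip()
    return None


def check_pair(stunnel_text, station_text, required="TLSv1.2", agent_port="9997"):
    """Return a list of findings; an empty list means both sides agree on
    `required` only and the agent listens on `agent_port` (the port entered in
    Uptime's Agent Port Number field)."""
    findings = []
    conf = parse_stunnel_conf(stunnel_text)
    agent = conf.get("up.time agent")
    if agent is None:
        return ["stunnel.conf has no [up.time agent] section"]
    allowed = agent_allowed_versions(conf)
    for version in sorted(allowed - {required}):
        findings.append(f"agent still accepts {version}; add 'options = NO_{version}'")
    if required not in allowed:
        findings.append(f"agent disables {required}, which the station requires")
    if "cert" not in agent:
        findings.append("agent section has no 'cert =' line; stunnel cannot serve TLS without one")
    if agent.get("accept", [None])[0] != agent_port:
        findings.append(f"agent 'accept' port is {agent.get('accept')}, expected {agent_port}")
    station = station_tls_version(station_text)
    if station is None:
        findings.append("station config has no clientSocketTlsVersion line")
    elif station != required:
        findings.append(f"station uses {station} but the agent is configured for {required}")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_STUNNEL), ("weak", WEAK_STUNNEL)):
        print(label, check_pair(text, STATION_CONF) or "OK")
```

Run it against your own files by reading them in place of the constructed samples; the "weak" case above shows the single finding you get when one NO_ line is missing, which is the kind of drift the poll-agent test at the end of this guide would otherwise only report as a generic failure.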

After making the changes, be sure to save the file. Restart the Uptime Data Collector service on the Monitoring Station to pick up the changes: open the Services control panel (Start > Run > services.msc), locate Uptime Data Collector, right-click it, and then select Restart. The restart may take several seconds to complete. If several minutes pass, you can open Task Manager and stop the process, and then attempt to start the service manually.

Adding secured machines to Uptime Infrastructure Monitor or reconfiguring existing monitored servers

Warning

If you make the following changes in the Uptime Agent Global Configuration window and there are already configured agent machines that are NOT using these new settings, those machines will stop working correctly. Agent machines that are NOT using the global settings will continue to work without issue.

The final step in this process is to add the agent-based machine to Uptime Infrastructure Monitor, or to reconfigure it if it already exists. If you want TLS 1.2 (or another version) on all agents, it is easy to set that up in the Uptime Agent Global Configuration available from the Config tab. The Agent Port Number field and the Use SSL (HTTPS) checkbox allow you to make these changes: change the port number from 9998 to 9997, and then check the SSL box. There are also options for PSK, which are not covered in the scope of this guide.


To add a secured agent to Uptime Infrastructure Monitor, follow the same steps you would use to add any agent-based machine, except that you check the SSL box and use port 9997 (or use the global configuration settings, if you chose to set them earlier in this step): click Infrastructure > Add system/network device, and then choose the options just described.

To modify an existing agent machine that you already have in Uptime Infrastructure Monitor and that now uses secure communications, find the agent by typing its hostname in the search field available in the menu bar. In the Info tab for that element, click Edit system profile and collection, and verify the settings in the displayed window. If you updated the Global Configuration Settings mentioned earlier, verify that the element is set to use the global settings. If it is set to anything other than port 9997 with Use SSL checked, change it to reflect these settings, and then click Save.

The final step in this process is to test that the settings are working as expected. While on the Info window, click the poll agent option in the left-hand menu, and then wait a few seconds for the results. If all of your settings are correct, the output should be clear of errors. If the settings are incorrect, it is likely that you have not specified corresponding ciphers on the Monitoring Station and the agent, that the TLS or SSL versions do not match, or that you specified the wrong ports. If you followed this guide exactly, this should NOT be the case.


Review your settings. Contact support if you continue to have an issue.

This information is available online at:
http://docs.uptimesoftware.com/display/KB/Securing+the+Windows+Agent+with+SSL

If you would like to use a preshared key (PSK), refer to the following topic:
http://docs.uptimesoftware.com/display/KB/Configuring+PSK+for+Agents

For more information about configuring agents for specific TLS levels and ciphers, please see:
http://docs.uptimesoftware.com/display/KB/Configuring+Allowed+TLS+Versions+and+Ciphers+for+the+Monitoring+Station+and+Agents

Check out the Idera community forums at http://community.idera.com
