...

Everything outlined in this document will require administrative access to the machines you wish to install and configure agents on as well as to the uptime monitoring station.

Agent config example

First we must set up the stunnel configuration file to only allow TLS 1.2.

Modify the stunnel config file located at C:\Program Files\uptime software\Uptime agent\stunnel\config\stunnel.conf to look like this:

[up.time agent]

...


accept = 9997
connect = 9998
cert = stunnel.pem
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1

...

Firewall modification

Now create a firewall rule that blocks incoming connections to port 9998 on the agent machine, so that no insecure connections can be made to the agent. Setting the firewall to notify you when applications are blocked is also a good idea, as it helps when configuring the firewall to work with stunnel.
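One way to check a stunnel.conf against the settings above, as an added example that is not part of the original guide or Uptime's own tooling: it reports any service that still leaves SSLv2, SSLv3, TLS 1.0 or TLS 1.1 enabled, and flags an accept port equal to the plaintext agent port 9998 that the firewall rule blocks. The function names, the constructed sample configs, and the treatment of options placed before the first section as defaults for every service are assumptions.

```python
# Options the guide sets so that TLS 1.2 is the only protocol left enabled.
REQUIRED = {"NO_SSLv2", "NO_SSLv3", "NO_TLSv1", "NO_TLSv1.1"}
# Constructed samples: the guide's settings, then a weakened variant of them.
PAGE_CONF = """[up.time agent]
accept = 9997
connect = 9998
cert = stunnel.pem
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
"""
WEAK_CONF = PAGE_CONF.replace("accept = 9997", "accept = 0.0.0.0:9998").replace(
    "options = NO_TLSv1\noptions = NO_TLSv1.1\n", "")

def parse_stunnel_conf(text):
    """Return {section: {key: [values]}}; the empty-name section is global.
    Values are lists because stunnel repeats keys such as `options`."""
    conf, section = {"": {}}, ""
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in ";#":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[section].setdefault(key.lower(), []).append(value)
    return conf

def audit(text, plaintext_port="9998"):
    """Return {service: [problems]} for each [service] section."""
    conf = parse_stunnel_conf(text)
    # Assumption: options set before the first section apply to every service.
    inherited = set(conf[""].get("options", []))
    report = {}
    for name in filter(None, conf):
        problems = []
        missing = REQUIRED - inherited - set(conf[name].get("options", []))
        if missing:
            problems.append("not disabled: " + ", ".join(sorted(o[3:] for o in missing)))
        if plaintext_port in [v.rsplit(":", 1)[-1] for v in conf[name].get("accept", [])]:
            problems.append("accept uses plaintext agent port " + plaintext_port)
        report[name] = problems
    return report

if __name__ == "__main__":
    for label, text in (("guide", PAGE_CONF), ("weakened", WEAK_CONF)):
        print(label, audit(text))
```

An empty problem list for a service means all four legacy-protocol options are present and its accept port is not the plaintext port.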

...

Next, run stunnel as a service that starts when Windows starts, so that the connection is re-established when the agent server is rebooted. Open a command prompt as administrator and change directory to where the stunnel config file that we edited in the first step lies.

C:\users\robert>cd\Program Files\uptime software\Uptime agent\stunnel\config

 

Then execute:

stunnel -install (which lives in stunnel's bin folder)

like so:

C:\Program Files\uptime software\Uptime agent\stunnel\config>..\bin\stunnel.exe -install

Now open the Services control panel (Start > Run > services.msc), find the stunnel service and start it. It will be set to Automatic, but will not be running just yet. Once it is running, there is a good possibility Windows Firewall will ask whether to allow it, so say yes to this.

...

At the end of the file add a section similar to this:

#Agent connection security stuff
clientSocketTlsVersion= TLSv1.2

...

This is the opposite of the agent setup, where you tell it which protocol versions NOT to use. For our example, we're only going to allow TLS 1.2, the strongest encryption we offer.

...

The final step in this process is to add the agent-based machine in Uptime, or reconfigure it if it already exists. If you plan on having TLS 1.2 (or another version) on all agents, you may as well set that up in the global credentials setting under the config tab, available from the top menu in Uptime's web interface. There is an option for PORT and a checkbox for SSL. For our purposes, "SSL" is blanket terminology for "encryption". Go ahead and change the PORT from 9998 to 9997 and check the SSL box. There are also options for PSK, which are not covered in the scope of this guide.

NOTE: If you make these settings changes in the global credentials and there are any already configured agent machines NOT using the settings as we just configured, those will stop working correctly! If you have other agent machines added NOT using global settings, these will continue to work without issue.

To add a secured agent to Uptime, we do it just as we would normally add an agent-based machine, except that we check the SSL box and use port 9997 (or use the global config settings if you chose to do that earlier in this step). Click "Infrastructure" in Uptime's top menu, then "Add system/network device" from the left menu, and choose the aforementioned options.

...


Copyright © 2016 IDERA, Inc.

IDERA, Inc. considers information included in this documentation to be proprietary. Your use of this information is subject to the terms and conditions of the applicable license agreement.
