
Use the following information to secure an Uptime Infrastructure Monitor Monitoring Station to Windows Agent communication with TLS v1.2. Users must have administrator access to the machines on which you want to install and configure Agents and to the

Everything outlined in this document requires administrative access both to the machines on which you install and configure agents and to the Monitoring Station.

Agent config example

First, set up the stunnel configuration file so that it only allows TLS 1.2.

Edit the stunnel config file located at C:\Program Files\uptime software\Uptime agent\stunnel\config\stunnel.conf so that it reads as follows.

; Encrypted listener for the Uptime agent
[up.time agent]
; port the Monitoring Station connects to (TLS)
accept = 9997
; local plaintext agent port that stunnel forwards to
connect = 9998
cert = stunnel.pem
; disable every protocol version below TLS 1.2; stunnel uses the OpenSSL
; option names, so TLS 1.1 is spelled NO_TLSv1_1 (underscore, not a dot)
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1_1

Firewall modification

Now create a firewall rule on the agent machine that blocks inbound connections to port 9998, so that no unencrypted connections can be made directly to the agent. Setting the firewall to notify you when applications are blocked is also a good idea, as it helps when configuring it alongside stunnel.

Run stunnel as a service on the agent machine

Next, run stunnel as a service that starts with Windows, so that the connection is re-established whenever the agent server is rebooted. Open a command prompt as administrator and change directory to the folder containing the stunnel config file edited in the first step.

C:\users\robert>cd\Program Files\uptime software\Uptime agent\stunnel\config

Then execute:

stunnel -install (stunnel.exe lives in stunnel's bin folder)

like so

C:\Program Files\uptime software\Uptime agent\stunnel\config>..\bin\stunnel.exe -install

Now open the Services control panel (Start > Run > services.msc), find the stunnel service and start it. It will be set to Automatic but will not be running just yet. After it starts, there is a good chance Windows Firewall will ask whether to allow it; say yes.
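The agent-side steps above (write the TLS-1.2-only stunnel.conf, block the plaintext port, register and start the stunnel service) can be carried out in one administrative PowerShell session. The script below is an added example and is not part of the Uptime documentation or product; it assumes the default agent install path from this guide, and the firewall rule name and the 'stunnel*' service-name pattern are assumptions you may need to adjust.

```powershell
#Requires -RunAsAdministrator
# Added example, not Uptime's own tooling. Paths follow the default install used in this guide.
$agentRoot  = 'C:\Program Files\uptime software\Uptime agent\stunnel'
$configPath = Join-Path $agentRoot 'config\stunnel.conf'
$stunnelExe = Join-Path $agentRoot 'bin\stunnel.exe'

# 1. Keep a copy of the original configuration before overwriting it.
Copy-Item -Path $configPath -Destination "$configPath.bak" -Force

# 2. Accept TLS 1.2 only on 9997 and forward to the plaintext agent port 9998.
#    stunnel uses the OpenSSL option names (NO_TLSv1_1 with an underscore).
$config = @"
[up.time agent]
accept = 9997
connect = 9998
cert = stunnel.pem
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1_1
"@
Set-Content -Path $configPath -Value $config -Encoding ASCII

# 3. Block inbound connections to the plaintext port so only the stunnel port is reachable
#    from the network (Windows Firewall does not filter stunnel's own loopback forward).
$ruleName = 'Uptime agent - block plaintext 9998'   # assumed rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 9998 -Action Block -Profile Any | Out-Null
}

# 4. Register stunnel as a service from the config directory, as the guide does, then start it.
Push-Location (Split-Path $configPath)
try { & $stunnelExe -install } finally { Pop-Location }

$svc = Get-Service -Name 'stunnel*' -ErrorAction Stop | Select-Object -First 1   # assumed name pattern
if ($svc.Status -ne 'Running') { Start-Service -Name $svc.Name }
Get-Service -Name $svc.Name | Select-Object Name, Status, StartType

# 5. Confirm the encrypted listener is up on 9997.
Get-NetTCPConnection -LocalPort 9997 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Step 5 only shows that something is listening on 9997; whether it actually refuses older protocol versions is checked from the Monitoring Station side once the agent has been added there.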

Monitoring station configuration

It is necessary to modify Uptime's configuration to restrict secure agent communications to the SSL/TLS version and ciphers you want to use. Run Notepad as administrator or (pro tip) use Notepad++. The file is located in Uptime's install directory, for example C:\uptime, or C:\Program Files\uptime software\uptime if you chose the default.

At the end of the file add a section similar to this:

# Agent connection security settings
clientSocketTlsVersion=TLSv1.2

This is the opposite of the agent setup, where you tell stunnel which protocol versions NOT to use. For our example, we are only going to allow TLS 1.2, the strongest encryption we offer.

After modifying the file, save it and restart the Uptime Data Collector service on the Monitoring Station so that the changes are picked up. Open the Services control panel (Start > Run > services.msc), locate "Uptime Data Collector", right-click it and select Restart. This might take several seconds to complete. If several minutes go by, open Task Manager, end the process, and then start the service manually.

Adding secured machines to Uptime or reconfiguring existing monitored servers

The final step in this process is to add the agent-based machine to Uptime, or reconfigure it if it already exists. If you plan on using TLS 1.2 (or another version) on all agents, you may as well set that up in the global credentials settings under the Config tab, available from the top menu in Uptime's web interface. There is an option for PORT and a checkbox for SSL. For our purposes "SSL" is a blanket term for "encryption". Change the PORT from 9998 to 9997 and check the SSL box. There are also options for PSK, which are outside the scope of this guide.

If you make these changes in the global credentials and any already-configured agent machines are NOT using the settings we just configured, those machines will stop working correctly! Agent machines that were added NOT using the global settings will continue to work without issue.

To add a secured agent to Uptime, proceed just as you would normally add an agent-based machine, except check the SSL box and use port 9997 (or use the global config settings if you set those up earlier in this step). Click "Infrastructure" in Uptime's top menu, then from the left menu choose "Add system/network device" and select the options just described.

To modify an existing agent machine that is already in Uptime but on which you have now set up secure communications, find the agent in Uptime (easiest is to type the hostname in the search field at the top) and, in the Info tab for that element, click the blue "Edit system profile and collection" button on the far right of the UI. In the pop-up window that follows, ensure it has the proper settings. If you made the global configuration changes mentioned earlier and the element is set to use the global settings, you're good. If it is set to anything other than port 9997 with SSL checked, change it to reflect these settings and click Save. If the Monitoring Station is able to communicate with the agent, the save will be successful.

Last, and always important, is to TEST that everything is working as expected. From the Info screen, you should see an option called "Poll agent" in the left-hand menu. Click it and wait a few seconds for the results. If everything is good you should not see any complaints in the output on screen. If something is wrong, it is likely that you did not specify matching ciphers on the Monitoring Station and the agent, that the TLS or SSL versions do not match, or that you specified the wrong ports. If you followed this guide exactly, this should NOT be the case. Of course, if you can't get it working, give us a call!
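"Poll agent" confirms that the Monitoring Station can talk to the agent, but it does not show that the agent has actually stopped accepting the older protocol versions you disabled. The probe below is an added example, not part of the Uptime documentation or product: run from the Monitoring Station (or any Windows host that can reach the agent), it attempts a TLS handshake against the stunnel port 9997 with each protocol version in turn and reports which ones the agent accepts. The agent host name is a constructed placeholder, and the function name is my own.

```powershell
# Added example, not Uptime's own tooling. Probes which TLS versions the agent's
# stunnel listener (port 9997 from this guide) will negotiate.
function Test-AgentTlsVersion {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 9997,
        [Parameter(Mandatory)] [System.Security.Authentication.SslProtocols] $Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # The stunnel.pem shipped with the agent is normally self-signed, so this probe
        # deliberately skips certificate validation: it tests protocol negotiation only.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        $result = [pscustomobject]@{
            Protocol   = $Protocol
            Accepted   = $true
            Negotiated = $ssl.SslProtocol
            Cipher     = $ssl.CipherAlgorithm
        }
        $ssl.Dispose()
        return $result
    } catch {
        # Handshake refused (or the version is unsupported by the local .NET): not accepted.
        return [pscustomobject]@{ Protocol = $Protocol; Accepted = $false; Negotiated = $null; Cipher = $null }
    } finally {
        $client.Close()
    }
}

$agentHost = 'agent01.example.internal'   # constructed placeholder, replace with a real agent

$report = foreach ($p in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
    Test-AgentTlsVersion -ComputerName $agentHost `
        -Protocol ([System.Security.Authentication.SslProtocols]$p)
}
$report | Format-Table -AutoSize

# With the stunnel.conf from this guide, only Tls12 should show Accepted = True.
$unexpected = $report | Where-Object { $_.Accepted -and $_.Protocol -ne 'Tls12' }
if ($unexpected) {
    Write-Warning "Agent still accepts: $($unexpected.Protocol -join ', ') - check the options lines in stunnel.conf"
}
```

If a version other than TLS 1.2 is reported as accepted, the stunnel service is most likely still running with the old configuration (restart it after editing stunnel.conf). Also check that port 9998 really is blocked from the network, since a listener that answers there bypasses stunnel entirely.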


This information available online at :
http://docs.uptimesoftware.com/display/KB/Securing+the+Windows+Agent+with+SSL

If you would like to use a preshared key, read this:
http://docs.uptimesoftware.com/display/KB/Configuring+PSK+for+Agents

For more info configuring agents for specific levels and ciphers go here:
http://docs.uptimesoftware.com/display/KB/Configuring+Allowed+TLS+Versions+and+Ciphers+for+the+Monitoring+Station+and+Agents

Check out the Idera community forums at:

http://community.idera.com
