CheckMK Agent TLS Registration - Open ports on the CheckMK server for how long?

Hello,

For TLS encryption the agents must be registered:

We have strict security rules in place so it is not possible to open ports from the CheckMK host to the CheckMK server.

Opening the ports 443 and 8000 just temporarily would be possible. So we open the ports to register the agents and after successful registration we close the open ports again.

The question:

Is this supported and fine? Communication to the CheckMK server is only needed once for the registration and then never again?

What happens when we uninstall the agent from the host? Deregistration is not possible then. Is this a problem? Does the configuration on the CheckMK server get messed up when all the old hosts can't deregister their agents?

We also saw that there is the option to register the hosts via proxy:

Does that mean we open the ports to the CheckMK server and register one host, then close the ports again and can register all other hosts from all other sites and networks with the .json file? So no open ports are needed anymore?

Best regards
Tobias

Hi Tobias,

My understanding of registering via proxy is that it allows you to register a monitored host that does not have direct access to the Checkmk server. Each host still needs to be registered individually, but it is only necessary that the host on which the registration is done have access to the Checkmk server. Since the Checkmk agent is likely installed on the Checkmk server itself, this makes the Checkmk server a good candidate for proxy registration.

I think the JSON file includes the server’s certificate information, so there should be no need to open port 8000 on the Checkmk server when doing the import on the monitored host.

I have only ever done proxy registration for hosts that actually have connectivity to the Checkmk server, though, so I could be missing a key piece of the puzzle there.

Hope this helps,
Jason

Hi Jason,

Thanks, let's see what the CheckMK team says.

I think for bigger companies this is an interesting topic.

If you only need the open ports for the registration process it will be fine.

Regards

No one with more knowledge about this?

The most important question is: are these ports only required for the agent registration process and can they be closed afterwards, or is there more communication over these ports after the registration process?

Port 443 you need all the time for your web interface, and I don't think it is practical to open and close a port like 8000 for every single registration.
If you have a small static system you can register all agents and then it's fine, but in systems where there are changes every day you need to keep this port available.

I don’t understand why this should be a problem?

We are monitoring our customer networks with a central CheckMK server.

Port 443 (WebUI) is only open internally for the admins.

The problem is security concerns.

The CheckMK server can reach all the customer networks on the needed ports but in the reverse direction from the customer networks to our CheckMK server no open ports are allowed.

Not even port 8000 is allowed.

Would cause a big discussion if we need to open port 443 and 8000 to our network from customer site…

So it's really important to know whether the ports are just needed once for the registration process.

For this scenario I would strongly recommend single sites for every customer and one central management system that controls all the slaves.

Would cause a big discussion if we need to open port 443 and 8000 to our network from customer site…

In this case use the proxy registration as mentioned above. We are absolutely aware of the fact that in many environments the CMK server should only pull by accessing port 6556 on the host to be monitored.

However, especially in cloud environments or in constellations where a CMK server is not run on premise but as SaaS, the opposite direction might be preferred: the hosts to be monitored push all monitoring data to the CMK server. If you closely followed the roadmap talks at the conference, you probably noticed that this is currently being worked on as a new feature set.
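The thread turns on which direction a TCP connection must be open: host to server on 443/8000 for a direct registration, or server to host on 6556 for the normal pull. The following is an added example, not code from Checkmk or from any participant in the thread. It probes exactly those flows with a plain TCP connect from the machine it runs on and, when the agent receiver port is not reachable, points at proxy registration as the fallback the posts above describe. The function names are constructed for this example, the port numbers are the ones named in the thread, and a successful connect says nothing about TLS or authentication, only that no firewall or missing listener blocks the flow.

```python
import socket
from typing import Dict, Tuple


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout.

    Only answers "is the flow open at all?"; it does not validate the
    server certificate or any credential.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, no route, DNS failure
        return False


def probe_registration_flows(server: str,
                             agent_receiver_port: int = 8000,
                             web_port: int = 443) -> Dict[str, bool]:
    """Run on a host that is about to be registered.

    Probes the two inbound-to-server ports discussed in the thread
    (assumed: 8000 = agent receiver, 443 = web UI).
    """
    return {
        "web_ui_443": tcp_reachable(server, web_port),
        "agent_receiver_8000": tcp_reachable(server, agent_receiver_port),
    }


def registration_method(flows: Dict[str, bool]) -> str:
    """Pick the registration path from the probe result.

    Direct registration needs the agent receiver; if that port is closed,
    the host can only import a registration produced elsewhere (proxy).
    """
    if flows["agent_receiver_8000"]:
        return "direct"
    return "proxy"


def demo_with_local_listener() -> Tuple[bool, bool]:
    """Offline self-check that needs no Checkmk server.

    A listener on 127.0.0.1 stands in for a temporarily opened port;
    closing it stands in for the firewall rule being removed again.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # ephemeral port chosen by the OS
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    print(demo_with_local_listener())     # (True, False)
    # Against a real server, e.g. on the host to be registered:
    # flows = probe_registration_flows("cmk.example.invalid")
    # print(flows, registration_method(flows))
```

Run it once on the monitored host before the temporary firewall opening and once after the rule has been removed: the second run should show the agent receiver port closed again, which is the state the original poster wants to keep, while the server's own pull on 6556 is unaffected because it is initiated from the other side.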

Yes, this is what we implemented already for the big customers and the others are on the roadmap.

For some customers it may not be affordable because they are hosted in cloud environments. So then we will open the ports temporarily for registration purposes because, as you said, this is possible.

Or we try to use proxy registration @mschlenker

Thanks
