VMware Cloud Community
esammer
Contributor

Registering agents behind firewall w/ port forwarding

All:

I have the following scenario:

HQ Server running on hq.domain.com:7080.
Host x running HQ Agent on x.domain.com:2144 (default port)
Firewall fw forwarding fw.domain.com:2145 to x.domain.com:2144

x.domain.com is non-routable.
hq.domain.com is in another data center.

All communication between hq and x properly passes through fw (which is x's default gateway).

(I'm using hostnames only for example clarity. Everything is configured by IP.)

From fw, I can telnet to x.domain.com 2144 - works. From hq I can telnet to fw.domain.com 2145 - works. In other words, port forwarding works.

When attempting to register the agent, here's what happens:

./agent-4.2.0/bin/hq-agent.sh start
Starting HQ Agent...
[ Running agent setup ]
What is the HQ server IP address: hq.domain.com
Should Agent communications to HQ always be secure [default=no]: no
What is the HQ server port [default=7080]: 7080
- Testing insecure connection ... Success
What is your HQ login [default=hqadmin]: *****
What is your HQ password: **Not echoing value**
What IP should HQ use to contact the agent [default=x.domain.com]: fw.domain.com
What port should HQ use to contact the agent [default=2144]: 2145
- To setup agent port to 2145, Stop the agent, Update agent properties for agent.listenPort and start the agent again
- Now Agent uses the default port:2144
- Received temporary auth token from agent
- Registering agent with HQ
- Unable to register agent: Failed to connect to agent: Unable to connect to fw.domain.com:2144: Connection refused

Of course, the connection is refused - fw.domain.com wants to see the connection to 2145 (which is properly specified during setup) but the setup process seems to ignore the fact that 2145 is specified for communication. I've also tried simply setting the properties file but I get the same results.

The fact there is configuration for listenPort and setup.agentPort leads me to believe this type of network configuration is expected and supported but seems to be completely ignored. Surely listening on one port and talking to another has to be supported, no? The warning message only makes sense if the two must always match. Needless to say registration fails.

As you can probably figure out from the command line, this is HQ 4.2.0. This server is properly monitoring other hosts / services already (although those agents are listening / communicating on the same port, 2144).

Am I missing something?

Any help greatly appreciated.
3 Replies
mcmesser
Hot Shot

Unfortunately there is a known bug in the agent interactive setup:

http://jira.hyperic.com/browse/HHQ-2128

Try hard coding these values in agent.properties and restart the agent.
esammer
Contributor

It sounds like, from the last comment in that ticket, that there is no work around for this. I've tried hard coding both in agent.properties and I get the same result.

Just to confirm, this means that one cannot have an agent bound to one port and accessed via another. In my specific case, I'm listening on the default and trying to connect via default+1 and it fails with the behavior documented in the ticket.

I appreciate the response but with unidirectional not being an option in the community version, it's back to Nagios, I suppose. This is definitely something that should be well documented. The documentation in fact says the opposite (that this is possible). The whole thing is really unfortunate.

Thanks anyway.
mcmesser
Hot Shot

Hmm, yes. It seems that feature has been inadvertently broken. I'm not sure there's a good short term answer here...
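The following is an added example, not Hyperic code and not written by anyone in this thread. It models the scenario from the original post on loopback: a fake agent bound to 127.0.0.1 (standing in for x.domain.com), a fake firewall port-forward bound to 127.0.0.2 (standing in for fw.domain.com), and a registration probe that connects the way HQ does. The property names agent.listenPort, agent.setup.agentIP and agent.setup.agentPort are the ones the thread refers to; the property values, the addresses and the "agent-ok" banner are constructed for the demo, and the ephemeral demo ports replace 2144/2145. The bug_hhq2128 flag reproduces the behaviour mcmesser's ticket describes (setup substitutes the listen port for the advertised port), so the same configuration yields "connection refused" at fw:listenPort and success at fw:agentPort. Binding 127.0.0.2 assumes a Linux-style loopback (all of 127/8 answers); on other systems the second address may need to be configured first.

```python
"""Loopback model of the port-forwarded agent registration from the thread.

Added example, not Hyperic code. Addresses, ports and property values are
constructed; only the property names come from the discussion.
"""
import socket
import threading

AGENT_HOST = "127.0.0.1"   # plays x.domain.com (non-routable, inside the firewall)
FW_HOST = "127.0.0.2"      # plays fw.domain.com (assumes 127/8 loopback, e.g. Linux)

# Constructed agent.properties fragment using the thread's values.
SAMPLE_PROPERTIES = """\
# listen locally on 2144, but tell HQ to call back via the firewall on 2145
agent.listenPort=2144
agent.setup.agentIP=fw.domain.com
agent.setup.agentPort=2145
"""


def parse_properties(text):
    """Minimal key=value parser for a Java-style properties fragment."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def registration_endpoint(props, bug_hhq2128=False):
    """Return the (ip, port) HQ is told to contact the agent on.

    With bug_hhq2128=True the setup ignores agent.setup.agentPort and uses
    agent.listenPort instead, which is the mismatch reported in the thread.
    """
    ip = props["agent.setup.agentIP"]
    key = "agent.listenPort" if bug_hhq2128 else "agent.setup.agentPort"
    return ip, int(props[key])


def _serve(sock, handler):
    """Accept loop; exits once the listening socket is closed."""
    while True:
        try:
            conn, _ = sock.accept()
        except OSError:
            return
        threading.Thread(target=handler, args=(conn,), daemon=True).start()


def _listen(host):
    sock = socket.socket()
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, 0))            # port 0: let the OS pick a free port
    sock.listen(5)
    return sock, sock.getsockname()[1]


def start_agent(host=AGENT_HOST):
    """Fake agent: bound only to the inside address, answers a fixed banner."""
    sock, port = _listen(host)

    def handler(conn):
        with conn:
            conn.sendall(b"agent-ok\n")

    threading.Thread(target=_serve, args=(sock, handler), daemon=True).start()
    return sock, port


def start_forwarder(target, host=FW_HOST):
    """Fake firewall DNAT: accepts on the outside address, relays to target."""
    sock, port = _listen(host)

    def handler(conn):
        with conn, socket.create_connection(target, timeout=2) as upstream:
            conn.sendall(upstream.recv(1024))

    threading.Thread(target=_serve, args=(sock, handler), daemon=True).start()
    return sock, port


def probe(host, port, timeout=2.0):
    """What HQ does at registration: connect to the advertised endpoint."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(64).decode().strip() == "agent-ok"
    except OSError:                 # connection refused, as in the thread
        return False


def simulate():
    """Run the scenario; returns (result_with_bug, result_without_bug)."""
    agent_sock, agent_port = start_agent()
    fw_sock, fw_port = start_forwarder((AGENT_HOST, agent_port))
    props = parse_properties(SAMPLE_PROPERTIES)
    # Swap in the live demo ports and the demo firewall address.
    props.update({"agent.listenPort": str(agent_port),
                  "agent.setup.agentPort": str(fw_port),
                  "agent.setup.agentIP": FW_HOST})
    try:
        buggy = probe(*registration_endpoint(props, bug_hhq2128=True))
        fixed = probe(*registration_endpoint(props))
    finally:
        agent_sock.close()
        fw_sock.close()
    return buggy, fixed


if __name__ == "__main__":
    print(simulate())   # (False, True): fw:listenPort refused, fw:agentPort works
```

The point of the model is the defender's pre-flight check it gives you: before registering an agent through a port forward, probe the endpoint HQ will actually be handed (agentIP:agentPort), not the agent's local listen port, since a refused connection there is exactly the symptom the thread ends on.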