Zabbix agent over internet

#1

Opinions please.

I’m rebuilding my Zabbix environment. I want to monitor my clients servers over the internet to my Zabbix server here at HQ.

Now, mostly, my clients servers are Windows. So I’m trying to come up with a simpler way to get systems under monitoring without having to install a whole heap of programs, obviously I’ll install the Zabbix agent.

I’m thinking of opening the ports on pFsense, but filtering those ports only to the Static IPs of my clients sites. I could use VPN like I have in the last, but as we grow, I don’t want to have multiple VPNs to maintain as I would most likely use OpenVPN per client site.

I think this would be the best way forward and simpler, without having to install things other than Zabbix agent for monitoring purposes.

#2

I’m not super familiar with Zabbix, but wouldn’t you need to punch a hole in the client side firewall for the monitoring port for the Zabbix agent? That’s where I’d whitelist your main IPs. If they work on a push model then ignore me :stuck_out_tongue:

Probably wouldn’t hurt to whitelist inbound requests only to client IPs. I’d probably just leave the port open because there’s typically some additional authentication… but take that with a grain of salt, see: name on my forum profile, lol.

#3

if the agent is operating in Passive mode (default) then you need to open/forward ports to it on the client side firewall, and you would protect those firewall/PAT entries with an ACL limited to just your public IP. in the Zabbix Agent config you would also set it to only accept your central static IP.

If the agent is operating in Active mode, then on the client firewall side it only needs to allow outbound connections (default for most situations on most firewalls) and on your server side you would open/forward the port to your zabbix server, but the ACL on this would be all of your client’s static IPs - but this only works if you can rely on all of your clients having a static IP. If you have any clients with dynamic IPs, then I recommend a VPN tunnel created from the client network to yours.

1 Like
#4

Operating in Active mode at the moment, all my clients have static IPs. I also didn’t realize that in Passive mode I’d need to open ports at the client side, makes sense though.

Thanks both for the opinion. Much appreciated. I think I may open the port my side and add my clients IPs as an Alias in pFsense and lock the port down to those and have Zabbix Agent locked down to only accepting my static IP. I didn’t know you could do that so will, definately.

Thanks chaps.

#5

In the agent config file, it will only accept connections (in passive mode) and make connections (in active mode) to the IP that you put there. Note that actually an agent can be both passive and active at the same time, and the two server lists are separate.

#6

I understand that, but even when the IP of server is specified, an MITM is still possible I guess at the agent side.

#7

You could sping up a little vm at the client site which acts as the zabbix proxy (if you got multiple servers at each site) and let the zabbix proxy send the data to your site.
If you got PFsense on the remote sites, you could also install the Proxy on the pfsense.
In the Zabbix-agent.conf you have to set the “Server=” and “ServerActive=” to your Zabbix Proxy.
You should set up the Proxy to send the Data encrypted.
https://www.zabbix.com/documentation/current/manual/encryption

1 Like