Difference between revisions of "Pandora: Documentation en: RemoteManagement"
Revision as of 15:50, 13 June 2014
1 Remote Systems Management by Pandora FMS
Pandora FMS is a monitoring tool, and it doesn't use its agents to establish connections to the monitored systems, so by itself it isn't useful for controlling those systems remotely. Some systems, such as routers and switches, can be managed by using Telnet or SSH; to access them, you only need to run the appropriate command.
Pandora FMS includes a Java plug-in by default that establishes a connection from the web console via VNC to the remote servers, using the IP configured for them. This is easy if we're in the same local network segment and have a direct connection. It's more complicated in other cases.
We distinguish between simple and complex environments. These are, for example, the characteristics of a simple environment:
- The server's IP doesn't change.
- The path (routes and firewalls) from the operator's PC to the servers has the required ports open, and the PC can connect by using normal TCP/IP.
- We're able to install remote control software on the server's host system, or it already has some.
The characteristics we consider to be the ones of a complex environment are the following:
- The server's IP changes (it's dynamic).
- There is no direct access from the operator's PC to the server we intend to monitor.
- We're unable to install any remote control software on the remote system.
There are also intermediate cases, e.g. the machines have a fixed IP, but we don't have direct remote access from the operator's PC to the server via TCP/IP. In any case, there are three possible ways to acquire remote access to these systems:
It's possible to install e.g. an SSH server, to activate the remote desktop or to install a VNC server on the host system. From the operator's PC, it's sufficient to enter the remote system's IP into the client program running there, and it's ready. For 'simple' environments, this is the appropriate way to go. We strongly recommend using UltraVNC if you decide to use this method.
2. By using an inverse System:
We're referring to remote control systems that connect through a server on the internet. That server lets both computers 'talk' as long as the operator's PC communicates with the same server, instead of the remote machine just waiting for a connection on an open TCP port. The internal network wouldn't be contacted directly in this way at all. This system, although useful in complex environments, has many disadvantages, such as speed, or the fact that if the server we need to control doesn't have access to the internet, we won't be able to communicate with it. We strongly recommend using TeamViewer here.
3. By using a Direct Connection System:
UltraVNC allows you to configure a proxy, which is the one that connects to the remote server. We connect to the intermediate server (the proxy), and it connects to the end server. This is called 'Ultra VNC Repeater'. You can find more information about this method on the UVNC Repeater page.
On the picture below, you're looking at a basic working sketch of this system.
The UltraVNC tool itself allows you to conduct the setup graphically:
The connection to the VNC server utilizes the proxy to connect to the destination server, as we can see on the picture below.
1.2 Using Integrated VNC under Pandora FMS
With the Pandora FMS 'VNC' extension, it's possible to get access from the web console itself, without having to install additional software or do anything else.
The only requirements are the following:
- Having a VNC server that includes the Java applet installed and listening on port 5800 on each server we intend to manage remotely.
- Having the Java plug-in installed in the operator's browser.
- Having a direct connection from the PC on which the operator is connected to the Pandora FMS console to the monitored server we intend to manage remotely. The connection must allow access via TCP port 5800.
If we fulfill these requirements, we only have to click on the 'VNC' extension tab within the 'Operation' view of an agent. We're going to see the following there:
Once the connection is established, you must enter the password that was configured when the VNC server was installed on the machine.
Once we have entered the password, we have access to the server "as if we were on site".
We recommend the use of UltraVNC. Besides being very robust, supporting connection coding and allowing file transfer from one machine to another, it's free software licensed under GPLv2.
However, the limitations of this system are mainly the following:
- It requires a connection between your PC and the machine you intend to manage remotely. If that machine is behind a firewall or a router, or somewhere on the internet, it won't be able to connect.
- It requires knowing the IP. With Pandora FMS, the agent can notify its current IP so that the appropriate IP is known, but sometimes this doesn't work very well: if the machine has several network adapters, if it doesn't update the IP by default, or due to other possible causes.
- It requires the installation of the UltraVNC software, which you might not be allowed to install due to certain security policies at your location.
In cases in which the first point is the problem, we recommend using the direct connection method with a proxy. If the methods shown here aren't working, you need to download a client program and execute it manually from your PC in order to connect to your remote system.
1.3 Using TeamViewer with Pandora FMS
TeamViewer is one of the best remote management systems available. TeamViewer can use intermediate servers on the internet to connect to your machines, regardless of changes in the IP, firewalls or the other problems we've previously mentioned. You will only need three things:
- An internet connection at both ends (the server to monitor and the operator's PC).
- Take note of the machine ID and remember the password.
- Install the TeamViewer software on the remote server.
Once it has been installed, an ID is assigned to this machine and you'll have the chance to configure a password for permanent access. TeamViewer IDs have the format "XXX XXX XXX" (nine digits). This is the ID you need to connect to a server. For this, we use the Enterprise feature "Customized fields" to create this field in all the agents and write the ID of each machine there.
I create the custom field (Configuration -> Agents -> Manage customized fields -> Create).
Once it is created, I can store the ID of this machine there, in this case 623 596 886.
Now, I only have to go to the TeamViewer page, enter my ID and go to the system:
1.3.1 Technical details about TeamViewer
TeamViewer is extremely powerful and it also allows you to transfer files from one system to another.
These tools connect to remote servers, so security could be a "problem" if we are especially "demanding" about these concepts (due to legal questions and/or data privacy). With the commercial version there are, obviously, some advantages regarding this point.
This is a list of the connections established on a remotely managed server with a fixed TeamViewer connection:
TCP desktop:1379 server530.teamviewer.com:http ESTABLISHED
TCP desktop:1380 master4.teamviewer.com:http ESTABLISHED
TCP desktop:1381 server311.teamviewer.com:http ESTABLISHED
TCP desktop:1382 server311.teamviewer.com:http ESTABLISHED
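The listing above can be turned into a simple inventory check. The following is an added example, not part of the original documentation or of Pandora FMS or TeamViewer: it reads netstat lines in the four-column form shown above and counts established connections per TeamViewer host. The function names and the two extra sample lines are constructed for illustration, and it assumes netstat resolves host names as in the listing.

```shell
#!/bin/sh
# Added example: count established connections to TeamViewer hosts in
# netstat output with columns: Proto, Local, Foreign, State.

# Constructed sample: the four lines from this page plus two constructed
# lines (an unrelated host and a look-alike name) that must NOT match.
sample_netstat() {
cat <<'EOF'
TCP desktop:1379 server530.teamviewer.com:http ESTABLISHED
TCP desktop:1380 master4.teamviewer.com:http ESTABLISHED
TCP desktop:1381 server311.teamviewer.com:http ESTABLISHED
TCP desktop:1382 server311.teamviewer.com:http ESTABLISHED
TCP desktop:1400 intranet.example.local:https ESTABLISHED
TCP desktop:1401 teamviewer.com.example.net:http ESTABLISHED
EOF
}

# Reads netstat lines on stdin and prints "<count> <host:service>" for each
# distinct TeamViewer peer. Hypothetical helper, not a vendor tool.
teamviewer_peers() {
  awk '
    $1 == "TCP" && $4 == "ESTABLISHED" {
      peer = tolower($3)
      host = peer
      sub(/:[^:]*$/, "", host)        # strip the :port or :service suffix
      # accept teamviewer.com or a subdomain of it; the anchored match
      # rejects names that merely contain the string
      if (host == "teamviewer.com" || host ~ /\.teamviewer\.com$/)
        seen[peer]++
    }
    END { for (p in seen) print seen[p], p }
  ' | sort -k2
}

# Stand-alone run on the constructed sample; on a real host, pipe the
# output of netstat into teamviewer_peers instead.
sample_netstat | teamviewer_peers
```

If netstat is run with numeric output, the foreign address column holds IP addresses and this name-based match finds nothing.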
TeamViewer also supports direct connection between the client and the server.
We strongly recommend that all enterprise users buy a TeamViewer licence to manage their servers. VNC is nice, but TeamViewer has very efficient on-the-fly compression, and you will have an incredible remote access experience managing remote hosts.
1.4 Connecting remote systems using SSH/Telnet from Pandora FMS
Since version 4.0.2, Pandora FMS has an extension that lets users connect directly to devices by Telnet or SSH. This is done with the Remote Gateway extension. This component needs a special setup, as it is not usually installed "by default". It is an open-source feature, based on the anytermd software, published under the GPL2 licence.
Pandora FMS uses a tool called "anytermd" to create a "proxy" between the user's browser and the remote destination. This tool is launched as a daemon, listening on a port and executing a command, and forwards all output to the user's browser. That means all the connections are made FROM the Pandora server, which must have the telnet and ssh clients installed. This is a basic architecture schema:
1.4.1 Install and setup
Sources are placed in extras/anytermd.
Make sure you have installed the GNU C++ compiler (gcc-c++), make, boost-devel and zlib-devel.
Then install the binary manually to /usr/bin:
cp anytermd /usr/bin
You need to start the server daemons manually; the Pandora FMS server / console doesn't start them automatically. The Pandora FMS SSH/Telnet extension will look for separate instances of anytermd running on port 8023 for Telnet connections and on port 8022 for SSH connections.
A start/stop daemon script is provided in contrib/anytermd. Copy it to /etc/init.d/anytermd and execute it like this:
By default it uses the "pandora" user for execution. If you want to change this, edit the script file to use any other httpd-based user your system may have.
This will use ports 8023 and 8022. Be sure these ports are "open and clear" from the user's browser to the console web server system, with no firewalls in between.
Now you're free to use the extension and connect to remote servers by Telnet or SSH.
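One way to confirm the daemons are up after following the steps above, as an added example that is not part of Pandora FMS or anytermd: the function reads `ss -ltnp` output and reports whether anytermd owns ports 8022 and 8023 and on which address each one listens. The function names and the sample listing (PIDs, addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the two anytermd instances the SSH/Telnet extension
# looks for (8022 = SSH, 8023 = Telnet) from `ss -ltnp` output.

# Constructed sample of `ss -ltnp` lines: only the SSH instance is running.
sample_ss() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:8022 0.0.0.0:* users:(("anytermd",pid=2101,fd=4))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=1500,fd=3))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))
EOF
}

# Reads ss output on stdin and prints one status line per expected port:
#   "<port> <service> OK <listen address>", or MISSING / WRONG_PROCESS.
# Returns non-zero when a port is missing or held by another process.
# Hypothetical helper, not shipped with Pandora FMS.
check_anytermd() {
  awk '
    BEGIN { want[8022] = "ssh"; want[8023] = "telnet" }
    $1 == "LISTEN" {
      n = split($4, a, ":"); port = a[n]      # last field handles [::]:8022
      if (port in want) {
        owner[port] = ($0 ~ /\(\("anytermd"/) ? "anytermd" : "other"
        addr[port] = substr($4, 1, length($4) - length(port) - 1)
      }
    }
    END {
      rc = 0
      for (p = 8022; p <= 8023; p++) {
        if (!(p in owner))               { print p, want[p], "MISSING"; rc = 1 }
        else if (owner[p] != "anytermd") { print p, want[p], "WRONG_PROCESS"; rc = 1 }
        else                             { print p, want[p], "OK", addr[p] }
      }
      exit rc
    }'
}

# Stand-alone run on the constructed sample. On the console host, run
# `ss -ltnp | check_anytermd` as root so process names are visible.
sample_ss | check_anytermd || true
```

The listen address in the OK line shows whether each instance is bound to all interfaces or to a single one, which is worth comparing against where the console's users actually connect from.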