Try to take a look at this project:

(I have not tested it myself).
Br
Erik

Like Gopher, I'm looking exactly for something able to do this.
So it is possible with Zabbix as of today?

remotely monitor with active agents

This is done by using active agents and works really well.. Just put in the active server address or host name in the client config, set the client IP to 0.0.0.0 and make sure the client name on the server matches exactly the same in the client config. Also, open up the firewall on the Zabbix server and have your firewall ports open and sending traffic to your Zabbix server. It works amazingly well. I have over 20 remote devices / servers I'm monitoring. Also, I suggest cloning the template you plan to use for the active clients. Name it like template_windows_active and do a mass update on the items and set them to active agent types

Monitoring via Internet

Gopher,

What I did in simplified without the security bit:

Main site:
publish my server port to the outside: 10051 (port NAT)


Remote Site:
Give every agent(machine you want to monitor) a different port: 10052, 10053, 10054 etc.etc..

publish those ports on an external ip and port NAT them to the internal hosts.
Now the zabbix server can reach each machine via a different port on the other side.
In the host config in zabbix you make the remote host to monitor with the external ip of the remote site and with the predefined port for that machine.

that's the basic.

Good luck

Your config sounds like a lot of extra work... You had to open up extra ports on the firewall, create NAT rules for each port, and then edit every client config to the new specified port. This is more work and much harder to manage for now each client has a static port. Why go through this extra work? I have over 20 clients I monitor on one customer's network alone and I'm using a single port. I think you're creating a ton of extra work and getting no benefit at all.

Yes, one option is having the agents in active mode, meaning that you only need a single port open back in to your server. That wasn't an option until fairly recent versions (in the last year, give or take).

I had built my infrastructure prior to the active agent capability and I have a setup of proxies at each decent-sized remote site. I use Intel Atom x86 Mini-ITX systems to run the proxies with great success in any site with more than 5 or so monitored devices. (See http://www.logicsupply.com for the vendor that I chose). My proxies have 2 GB RAM and 160+GB SATA hard drives in each and also handle other tasks beyond just the Zabbix proxy. With the proxy you can also monitor SNMP and IPMI devices, for example, that do not get an agent installed. The proxy offers a great deal more than a standard Windoes agent if you need to monitor switches, routers, SAN, vmWare, etc.

As another member posted, either solution works very well. I suspect you've tried doing what you wish via various other programs. I had tried all before I landed on Zabbix. It matters not if your remote sites have overlapping or conflicting IP ranges. Monitoring is based on an assigned hostname, and Zabbix beats the others hands-down with this functionality.

Yes if you are talking about 20 clients it is. if it is only 4 it isn't worth putting a proxy over there.
So then you go with the official option of putting a proxy over there as you dont have a routable connection, but it means an other machine at the customer. It's your call

I never mentioned using a proxy.. When I first posted this thread I didn't know about active agents.. I later read and studied about active agents. Your post mentions a method that is no where near as good as active agents. It's a very messy config and really should not be followed when monitoring remote servers.

If I'm only monitoring servers whether it's 20 servers or 4 servers using active agents only makes sense for many reasons... I don't need a layer 3 routed network.. I only need an internet connection and two ports open on the Zabbix server's network... That's it.. I can use the same config on all servers.. The only difference will be the client hostname configured in each config.. That's it.. All clients will report back to the server via active agents and the server itself takes more of the load versus the Zabbix server.. And.. I simply open a couple of ports on the Zabbix side. It couldn't be any easier. Distributed configurations with proxies makes sense when needing the ability to monitor remote SNMP and IPMI devices... Or... If the remote side needs some other feature of the proxy... To me it's really silly to open up a bunch of ports and having each config statically assigned a port dedicated to each server. This is why they developed active agents. That's the whole point of active agents... You open the two ports up and that's it. You could have hundreds of remote clients reporting back to the Zabbix server without the need of statically assigning ports and messy firewall configs... This of course is assuming you're just monitoring servers and not SNMP and IPMI devices... And assuming you're running v1.8 and later for I believe earlier versions of Zabbix did not support active agents...

I also suggest creating passive and active template accordingly..

I will do some reseach. I havent touched my installation for more than 18 mnths. It is defenite a better solution as I have to implement an other site. It worked, but seems superseeded now

Thnx.

Tekkell

I think you'll really like the active agents. They are perfect for what we're trying to accomplish.... Until you get into monitoring SNMP and IPMI the active agent config reporting back to the remote Zabbix server is really efficient and easy to manage. I'm running v1.8 and have over 20 active agents reporting back to me and it's been a really rock solid solution. I also downloaded the MobileOp app for my iphone... It's amazing to have all of these remote agents reporting back to me and being able to instantly see current and historical information.... The MobileOp app in conjunction with active agents allows you to easily and efficiently monitor remote servers without having to deal with layer 3 routed networks or VPN's... And having the reporting of both the historical and current data is just awesome.

Also,

I suggest cloning your existing templates (full clone) and naming template_windows_active (example) and then doing a mass update on the items and set all items to type 'Zabbix Active Agent'. You'll need a dedicated template for active agents... The full clone feature and the mass update feature makes this so easy.

Zabbix is truly amazing.

works with FortiGate 60C

Hi,

I managed to get it work with FortiGate 60C.

Assuming you have a "zabbix" server behind the Fortigate, you can create a VIP to it (on port 10050-10051) from outside going in. (I am assuming this is what you want.)

1. Create a custom service for ports 10050-10051.
2. Create a VIP to internal IP address of server.
3. Create a Firewall Policy using the above.

NOTE:
if the windows firewall is up on the host, you should create inbound/outbound rules for the port TCP 10050,10051.





good luck!

I had a very similar need, except I'm using mostly UNIX/Linux servers and found a very simple solution.

I used stunnel: https://www.stunnel.org

I did not need to use active agents, I use the default passive agent. Basically I set up stunnel client on the Zabbix server to listen on a local port 12000 and then forward to my internet host host1.internet.com at port 12000. On the internet host, I run stunnel server which listens at port 12000 and forwards the connection to zabbix agent localhost:10050. I use the service provider firewall to limit connections to my host at port 12000 by IP address. With v5 of stunnel you can take your pick of using certificates or pre-shared keys to set up the encryption. In the host configuration side, I simply create a new host which connects to localhost:12000 and then the stunnels take care of forwarding the connection as needed.

stunnel is available for windows, linux, unix. Very likely you could do something similar with the windows version. If you don't have a service provider firewall to protect inbound connections, I think windows firewall can be set up with rules to do similar.

Using this system I have several hosts that I monitor in secure and encrypted connection between Zabbix server and agent.