SSH connection and log files

  • Lazareus
    Member
    • Sep 2015
    • 39

    #1

    SSH connection and log files

    Hi all,


    I'm writing here for the first time.

    I'm new to Zabbix. I'm going to deploy it in my company and I need answers to some questions.


    Is it possible to encapsulate the connections on ports 10050 and 10051 between Zabbix server and proxy in an SSH tunnel?

    How can I do it if it's possible?

    Do I need to change some parameters in my zabbix_server.conf? Or in another configuration file?

    Last question: How can I retrieve log files from host applications to my server using Zabbix?


    Thanks for your help.
  • BDiE8VNy
    Senior Member
    • Apr 2010
    • 680

    #2
    Yes, this is possible, although Zabbix server and Zabbix proxy only make use of TCP port 10051.
    If it's just about encryption, then be aware that this is going to be solved nicely with Zabbix 3.0. See Encryption.

    Code:
    ## zabbix-proxy-active -- SSH --> zabbix-server
    # ssh -L 127.0.0.1:49152:127.0.0.1:10051 zabbix-server
    
    ## zabbix-server -- SSH --> zabbix-proxy-active
    # ssh -R 127.0.0.1:49152:127.0.0.1:10051 zabbix-proxy-active

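A check to go with the active-proxy tunnel in post #2, added here as an example and not part of the original posts: it verifies that the proxy's config sends data to the loopback end of the tunnel (127.0.0.1:49152) instead of the server's own address. It assumes a zabbix_proxy.conf that uses the `Server`, `ServerPort` and `ProxyMode` parameters; the function names and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): lint an active proxy's config against
# the tunnel in post #2, whose proxy-side end is 127.0.0.1:49152.

# conf_get FILE KEY: value of the last uncommented "KEY=value" line, or empty.
conf_get() {
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k && index($0, "=") {
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            found = val
        }
        END { print found }' "$1"
}

# check_proxy_conf FILE TUNNEL_PORT: succeed only if the proxy is active and
# sends its data to the loopback end of the tunnel; print each mismatch.
check_proxy_conf() {
    conf=$1; port=$2; rc=0
    mode=$(conf_get "$conf" ProxyMode)
    server=$(conf_get "$conf" Server)
    sport=$(conf_get "$conf" ServerPort)
    # Assumed defaults when a key is absent: ProxyMode=0 (active), port 10051.
    [ "${mode:-0}" = 0 ] || { echo "ProxyMode=$mode: not an active proxy"; rc=1; }
    [ "$server" = 127.0.0.1 ] || { echo "Server=$server: does not use the tunnel"; rc=1; }
    [ "${sport:-10051}" = "$port" ] ||
        { echo "ServerPort=${sport:-10051}: tunnel listens on $port"; rc=1; }
    return "$rc"
}

# Constructed sample: a proxy still pointed straight at the server.
sample=$(mktemp)
printf '%s\n' 'ProxyMode=0' 'Server=zabbix-server' 'ServerPort=10051' > "$sample"
check_proxy_conf "$sample" 49152 || echo "fix the settings above before using the tunnel"
rm -f "$sample"
```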

    • Lazareus
      Member
      • Sep 2015
      • 39

      #3
      Thank you for your answer.

      If I understand you, it is not possible to use another port for communication between the server and the proxy? Because even if I use encryption, the 10051 port should stay open in the firewall for the communication, is that correct?

      Is there no other way to do this properly?


      • BDiE8VNy
        Senior Member
        • Apr 2010
        • 680

        #4
        Well, you can configure whatever port number you prefer - in Zabbix as well as for the SSH tunnel.
        Finally, it depends on what you actually want to achieve, which is not obvious to me yet.

        If Zabbix's native encryption is going to be used, then there will be no dedicated port for encrypted communication. Both encrypted and unencrypted communication share the same port.


        • Lazareus
          Member
          • Sep 2015
          • 39

          #5
          Ok, so if I specify my connection port in my conf files (zabbix_server and zabbix_agentd), I'll be able to pass the firewall through this port? Will the 10050 and 10051 ports be able to be closed?


          • BDiE8VNy
            Senior Member
            • Apr 2010
            • 680

            #6
            Yes (if I've understood you correctly). A Zabbix daemon listens on, or opens, only the port configured in its configuration file. A firewall between e.g. Zabbix server and Zabbix agent still has to allow traffic to the configured port.


            • Lazareus
              Member
              • Sep 2015
              • 39

              #7
              Hmm... That sounds good to me, as I'm only able to use an SSH (port 22) connection to run Zabbix in my company.

              Last question: Do you know if it is possible to tell Zabbix to initiate connections only from server to proxy/agent? Or maybe it does so natively? I have some demilitarized areas in my network and I only have the right to open SSH connections from my LAN to the areas and not from the areas to my LAN.


              • BDiE8VNy
                Senior Member
                • Apr 2010
                • 680

                #8
                When you configure a Zabbix proxy for a Zabbix host, then communication happens via proxy only. There will be, for instance, no direct access from Zabbix server to Zabbix agent. Well, except for remote commands. But that is going to be fixed soon. See: ZBXNEXT-936

                In your case just put a Zabbix proxy in your DMZ, decide in which direction the communication should happen (Zabbix server to Zabbix proxy or vice versa) and finally ensure to configure that proxy in Zabbix frontend for respective hosts in your DMZ.
                See: Concept of proxies, Proxy based distributed monitoring and Host configuration.


                • Lazareus
                  Member
                  • Sep 2015
                  • 39

                  #9
                  Ok. I'm not really sure the encryption will work in my architecture, but for the rest, I will follow your instructions.

                  When you ask me to:

                  "decide in which direction the communication should happen (Zabbix server to Zabbix proxy or vice versa)"

                  Are you talking about proxy mode? (Passive or Active)


                  Thanks for your help.


                  • BDiE8VNy
                    Senior Member
                    • Apr 2010
                    • 680

                    #10
                    That's exactly what I was referring to, yes.


                    • Lazareus
                      Member
                      • Sep 2015
                      • 39

                      #11
                      Excellent!


                      Now I need only one more answer in another topic I've created and I'll be ready to deploy and test Zabbix in my company.


                      Thank you very much for your help and support!


                      PS: in case you can help me in this thread too: https://www.zabbix.com/forum/showthread.php?t=51032


                      • BDiE8VNy
                        Senior Member
                        • Apr 2010
                        • 680

                        #12
                        You're welcome.

                        As for the other thread, let's see whether someone else has something to say first.