Windows zabbix agent 2 encrypted using certs

  • itimanuf
    Junior Member
    • Dec 2024
    • 11

    #1

    Windows zabbix agent 2 encrypted using certs

    Hello,


    First of all, I'm lost when it comes down to certs and want to learn!

    I'm using Zabbix Cloud and have the certificate-based encryption between the proxy(s) and the frontend set up and working.
    Therefore, I have the CA, CRT and key files stored on the proxy, accessible only by the Zabbix admin on the proxy.

    I now would like to set up encryption for the agents I'm installing on our Windows VMs.
    At this point I'm a bit lost. According to the documentation, I have to copy the CA, CRT and key files over to all my VMs, or store them in a shared location (not recommended due to issues at boot?).
    Am I supposed to create folders on all my VMs with specific NTFS rights to secure those certificate files?

    How do you guys do this? What's best practice for this?
    I want to do it right the first time instead of getting an ISO audit and having to reinstall a couple of hundred agents.

    Thanks for any feedback!
    Please take into account that my knowledge of certs is very limited, and I might need a bit more explanation when it gets technical.

    kr,

    -M
  • Answer selected by itimanuf at 10-02-2025, 16:27.

    • itimanuf
      Junior Member
      • Dec 2024
      • 11

      #2
      To close this one down:

      I ended up doing the following.
      Via Endpoint Central, I push the installer to our servers and add a preconfigured conf file that is copied over. In this configuration file I use the value TLSConnect=unencrypted (among all the other settings).
      I also use a script to create a folder for the certs and change the NTFS permissions to only allow access to the account running the service.
      When the agent installs, it auto-registers in Zabbix as unencrypted.
      Another script then replaces the value TLSConnect=unencrypted with TLSConnect=cert after a 2-minute delay.

      I don't sit around waiting for this. As soon as I see my newly added host pop up as unavailable in Zabbix, I change the settings to encrypted and it comes back online.

      It's a whole lot of steps for something stupid, but this is working, and it's the easiest method I could find that automates the install as much as possible.

      Comment
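The post-install steps described in #2 (lock the cert folder down to the service account, then switch the agent from unencrypted to cert), as an added PowerShell example that is not itimanuf's script or any Zabbix-supplied code. It assumes the default Zabbix Agent 2 install path and service name on Windows, a cert folder of C:\ProgramData\zabbix\certs, and that the deployment tool has already dropped ca.crt, agent.crt and agent.key into that folder; all of those names are assumptions to adjust. It also sets TLSAccept alongside TLSConnect, because TLSConnect only governs active checks (agent to server) while TLSAccept governs passive checks (server to agent); leaving TLSAccept at unencrypted would keep passive checks in the clear.

```powershell
# Added example, not from the thread: harden the Zabbix Agent 2 cert folder and
# flip the agent to certificate-based TLS. Run elevated on the monitored host.
# Assumptions: default install path, service name "Zabbix Agent 2", cert folder
# and file names below already populated by the deployment tool.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$ServiceName = 'Zabbix Agent 2'                                           # assumption
$ConfPath    = 'C:\Program Files\Zabbix Agent 2\zabbix_agent2.conf'       # assumption
$CertDir     = 'C:\ProgramData\zabbix\certs'                               # assumption

# 1. Resolve the account the service runs under. Win32_Service reports the
#    built-in system account as the literal "LocalSystem", which the ACL
#    classes cannot resolve, so map it to its NT name.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$svcAccount = if ($svc.StartName -in 'LocalSystem', 'NT AUTHORITY\SYSTEM') {
    'NT AUTHORITY\SYSTEM'
} else { $svc.StartName }

# 2. Create the cert folder with inheritance disabled and an explicit ACL:
#    the service account only needs to read the key, Administrators and SYSTEM
#    keep full control for maintenance, everyone else (Users included) is out.
New-Item -ItemType Directory -Path $CertDir -Force | Out-Null
$acl = Get-Acl -Path $CertDir
$acl.SetAccessRuleProtection($true, $false)      # stop inheriting, drop inherited ACEs
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($entry in @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = $svcAccount;              Rights = 'ReadAndExecute' }
)) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Id, $entry.Rights, $inherit, $prop, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $CertDir -AclObject $acl

# 3. Refuse to switch modes if any of the TLS material is missing; an agent
#    pointed at a non-existent key simply stops connecting.
$files = @{ CA = 'ca.crt'; Cert = 'agent.crt'; Key = 'agent.key' }          # assumed names
foreach ($f in $files.Values) {
    if (-not (Test-Path (Join-Path $CertDir $f))) { throw "Missing $f in $CertDir" }
}

# 4. Rewrite the TLS parameters in zabbix_agent2.conf. An active (uncommented)
#    line for a key is replaced in place; a key that is only present as a
#    commented default is appended as a new active line.
$settings = [ordered]@{
    TLSConnect  = 'cert'
    TLSAccept   = 'cert'
    TLSCAFile   = Join-Path $CertDir $files.CA
    TLSCertFile = Join-Path $CertDir $files.Cert
    TLSKeyFile  = Join-Path $CertDir $files.Key
}
$lines = [string[]](Get-Content -Path $ConfPath)
foreach ($key in $settings.Keys) {
    $newLine = "$key=$($settings[$key])"
    $matched = $false
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match "^\s*$key\s*=") { $lines[$i] = $newLine; $matched = $true }
    }
    if (-not $matched) { $lines += $newLine }
}
Set-Content -Path $ConfPath -Value $lines -Encoding ASCII

# 5. Restart so the agent reconnects with TLS. From this point the server side
#    must also be set to certificate, or the host shows up as unavailable.
Restart-Service -Name $ServiceName
```

Scheduling this with a delay, as the post does, is a matter of wrapping it in a scheduled task; the script itself is idempotent, so re-running it after the server-side switch does no harm. To confirm the ACL took effect, `icacls $CertDir` should list only the three explicit entries and no inherited `(I)` ones.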

      • cyber
        Senior Member
        Zabbix Certified Specialist, Zabbix Certified Professional
        • Dec 2006
        • 4807

        #3
        Originally posted by itimanuf
        I don't sit around waiting for this. As soon as I see my newly added host pop up as unavailable in Zabbix, I change the settings to encrypted and it comes back online.
        You could create a script that does this over the API for you and add it as an autoregistration action...

        Comment
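The server-side half of cyber's suggestion in #3, as an added PowerShell example rather than anything posted in the thread: a script that takes the autoregistered host name and moves it from unencrypted to certificate-based TLS through the Zabbix JSON-RPC API (host.get, then host.update with tls_connect and tls_accept set to 4, the API value for certificate). It assumes a Zabbix 6.4 or newer API token passed via the ZABBIX_API_TOKEN environment variable (sent as a Bearer header), the frontend URL and issuer DN given as parameter defaults (placeholders), and that you wire it into the autoregistration action or run it yourself; how the action invokes it is not covered here.

```powershell
# Added example, not from the thread: switch a freshly autoregistered host to
# certificate encryption via the Zabbix API. Assumptions: API token in
# $env:ZABBIX_API_TOKEN, the API URL and CA issuer DN below are placeholders.
param(
    [Parameter(Mandatory)] [string] $HostName,
    [string] $ApiUrl     = 'https://example.zabbix.cloud/api_jsonrpc.php',  # assumption
    [string] $TlsIssuer  = 'CN=Example Zabbix CA,O=Example',                # assumption
    [string] $TlsSubject = ''                                               # optional per-host pin
)
$ErrorActionPreference = 'Stop'
$token = $env:ZABBIX_API_TOKEN
if (-not $token) { throw 'ZABBIX_API_TOKEN is not set' }

function Invoke-ZabbixApi {
    # Minimal JSON-RPC 2.0 wrapper; raises on an API-level error object.
    param([string] $Method, [hashtable] $ApiParams)
    $body = @{ jsonrpc = '2.0'; method = $Method; params = $ApiParams; id = 1 } |
        ConvertTo-Json -Depth 10
    $resp = Invoke-RestMethod -Uri $ApiUrl -Method Post -ContentType 'application/json-rpc' `
        -Headers @{ Authorization = "Bearer $token" } -Body $body
    if ($resp.error) { throw "Zabbix API $Method failed: $($resp.error.data)" }
    return $resp.result
}

# 1. Look the host up by technical name and make sure it is unique.
$hosts = @(Invoke-ZabbixApi 'host.get' @{
    filter = @{ host = @($HostName) }
    output = @('hostid', 'host', 'tls_connect', 'tls_accept')
})
if ($hosts.Count -ne 1) { throw "Expected exactly one host named '$HostName', got $($hosts.Count)" }
$h = $hosts[0]

# 2. tls_connect / tls_accept: 1 = no encryption, 2 = PSK, 4 = certificate.
#    Skip hosts that are already fully on certificates so the script is safe to re-run.
if ([int]$h.tls_connect -eq 4 -and [int]$h.tls_accept -eq 4) {
    Write-Host "$HostName already uses certificate encryption"
    return
}

# 3. Flip both directions and pin the issuer (and subject, if given) so the
#    server rejects any other certificate that happens to chain to the same CA.
$update = @{
    hostid      = $h.hostid
    tls_connect = 4
    tls_accept  = 4
    tls_issuer  = $TlsIssuer
}
if ($TlsSubject) { $update.tls_subject = $TlsSubject }
$result = Invoke-ZabbixApi 'host.update' $update
Write-Host "Updated hostid $($result.hostids -join ',') ($HostName) to certificate-based TLS"
```

Run as `.\Set-ZabbixHostCert.ps1 -HostName srv01 -TlsSubject 'CN=srv01,O=Example'` once the agent on that host has been switched to TLSConnect=cert; the host becomes reachable again as soon as both sides agree. Keep the token scoped to a user whose role only permits host updates, since anything that can run this script can also downgrade a host back to unencrypted.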

        • Brambo
          Senior Member
          • Jul 2023
          • 245

          #4
          Maybe I'm thinking too simply.
          Why not use the Windows Task Scheduler to start up the agent X time after boot?
          Set the Zabbix service to manual, and start the service from the Task Scheduler. Or make the service delayed start and dependent on a certain service which you know is ready when the certs are available.

          Comment
