Access Rule for TMG 2010
Posted: Fri Dec 26, 2014 7:08 pm
by toleolu
We've been playing around with Microsoft's Threat Management Gateway 2010 just to use as a web proxy for IT staff and I'm having a little trouble creating an access rule to allow traffic from Nagios.
Initially when we set it up, ping wasn't even working. I could ping the TMG server from any domain computer, but not from the Nagios server. (The Nagios server is not on our domain.) I was able to create an access rule to allow ping from the Nagios server, so that's working, but I can't seem to get it to work for the services being monitored.
I created an access rule that allows TCP and UDP traffic on ports 5666 through 12489 from the Nagios server IP address to localhost (the TMG Server) by all users, but all I get is Critical Socket Timeout after 10 Seconds on all the services.
Anyone familiar with setting access rules on TMG 2010 (or IAS for that matter) for Nagios XI?
Re: Access Rule for TMG 2010
Posted: Mon Dec 29, 2014 9:37 am
by tmcdonald
Since this isn't *strictly* a Nagios question, shall we move this to the General forum? It will get more visibility there from the community at large.
Re: Access Rule for TMG 2010
Posted: Mon Dec 29, 2014 12:21 pm
by toleolu
Sure, no problem.
Thanks
Re: Access Rule for TMG 2010
Posted: Mon Dec 29, 2014 4:38 pm
by abrist
What do the nsclient/nrpe logs show?
If you have an intermediary device, the port could be closed there as well.
Re: Access Rule for TMG 2010
Posted: Mon Dec 29, 2014 7:10 pm
by Box293
It's been some time since I've touched TMG / IAS so this is all coming from the top of my head.
In TMG you are able to watch the live traffic, filtering to the client IP it is coming from (watching the logs, I think).
When watching the live traffic the trick is to watch what rules are being matched. If the traffic is being denied but it's not the special rule you created then that rule is not being matched. Either move that rule closer to the top or make it less restrictive.
Also, pay close attention to who the rule applies to. The traffic is going to be coming from an unauthenticated source.
The best test to ensure Nagios can talk to your remote server is to simply run:
check_nrpe -H ias_server_ip_address
If this works, then your problem has nothing to do with the firewall.
Re: Access Rule for TMG 2010
Posted: Tue Dec 30, 2014 1:52 pm
by toleolu
Thanks gents, sorry, I've been covered up with some other stuff.
check_nrpe gives me the same socket timeout.
Interesting that Nagios is working on our old IAS server and the only rule on that old server is allowing traffic on a user defined protocol defined as TCP Outbound on port 1391. (We're not quite sure why this is working since that was the rule set up for our old Nagios system.)
I've been using TCP outbound on port 5666; am I using the wrong port or protocol? To keep it simple, just to get check_nrpe to work, what should I be using for port and protocol?
mahalo
Re: Access Rule for TMG 2010
Posted: Tue Dec 30, 2014 2:49 pm
by toleolu
I got check_nrpe to work by reinstalling the client and checking the box to allow NRPE (in the past I generally didn't check that box, just checked allow NT).
Anyway, the check is working but the service checks for the drive, memory, etc still fail. I'll keep playing around with it, has to be something with not getting the access rule set right.
Re: Access Rule for TMG 2010
Posted: Tue Dec 30, 2014 2:53 pm
by toleolu
Click on enough stuff and eventually you'll get what you want.
Changed the rule to allow all outbound traffic from all users between the Nagios server and the localhost and we're good.
Thanks, please close this one out.
Mahalo
Re: Access Rule for TMG 2010
Posted: Tue Dec 30, 2014 2:54 pm
by tmcdonald
toleolu wrote: Click on enough stuff and eventually you'll get what you want.
I'd exercise a little caution with this, though.
Closing out.
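Box293's advice to test from the Nagios side with check_nrpe, and the final fix of allowing all outbound traffic between the two hosts, both come down to one question: is the TMG rule silently dropping the specific agent ports or not? The probe below is an added example, not code from the thread, the TMG product, or Nagios. It connects from the Nagios server to the ports the thread mentions (5666 for NRPE, 12489 for NSClient++) and distinguishes a silent timeout (the "Socket Timeout after 10 Seconds" symptom, typical of a firewall drop) from a refused connection (host reachable, nothing listening), so a narrow rule can be validated instead of opening everything. The port names and the `local_listener` self-test helper are my own.

```python
import socket

# Ports named in the thread: 5666 is NRPE (check_nrpe), 12489 is NSClient++
# (check_nt). The original rule covered the whole range 5666-12489.
NAGIOS_AGENT_PORTS = {"nrpe": 5666, "nsclient": 12489}


def classify_port(host, port, timeout=10.0):
    """Attempt a TCP connect and report how it succeeded or failed.

    'timeout' -> no reply at all: typical of a firewall rule silently
                 dropping the packets (the symptom in this thread)
    'refused' -> host reachable, but nothing listening or actively rejected
    'open'    -> TCP handshake completed; the firewall is not the problem
    'error'   -> name resolution or other socket failure
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"


def probe_nagios_ports(host, ports=NAGIOS_AGENT_PORTS, timeout=10.0):
    """Map each named agent port to its classification for one host."""
    return {name: classify_port(host, port, timeout) for name, port in ports.items()}


def local_listener():
    """Bind a listening socket on an ephemeral loopback port (self-test only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    import sys

    # Usage: python probe.py <tmg_or_ias_host>; defaults to loopback.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for name, result in probe_nagios_ports(target, timeout=3.0).items():
        print(f"{name:8s} tcp/{NAGIOS_AGENT_PORTS[name]:<5d} {result}")
```

A result of "timeout" on 5666 while ping works points at the TMG rule (ordering or the "applies to" user set Box293 mentions); "refused" means the rule passes the traffic and the agent itself is not listening.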