Pandora: Documentation en: RemoteManagement
- 1 Remote Systems Management by Pandora FMS
1 Remote Systems Management by Pandora FMS
Pandora FMS is a monitoring tool and it doesn't use agents in order to establish a connection to the systems. It isn't useful to control the monitored systems remotely in this way. Some systems, such as routers and switches could be managed by using Telnet or SSH. In order to have access to them you're only required to fire the appropriate command.
Pandora FMS includes a Java plug in by default to be able to establish a connection from the web console via VNC to the remote servers by using the IP configured within them. This could be easy if we're in the same local network segment and have a direct connection. It's more complicated in some other cases.
We're distinguishing between complex and simple environments. These would be e.g. the characteristics of a simple environment:
- The server's IP doesn't change.
- The access (paths and firewalls) from the operator's PC to the servers has open ports and it knows how to connect by using normal TCP/IP.
- We're able to install a remote control software within the server's host system or it already has one.
The characteristics we consider to be the ones of a complex environment are the following:
- The server's IP changes (it's dynamic).
- There is no direct access from the operator's PC to the server we intend to monitor.
- We're unable to install any remote control software on the remote system.
There are also intermediate cases, e.g. the machines have a fixed IP, but we don't have direct remote access from the operator's PC to the server via TCP/IP. In any case, there are three possible ways to acquire remote access to these systems:
It's possible to install e.g. an SSH server, to activate the remote desktop or to install a VNC server on the host system. From the perspective of the operator's PC, it's completely sufficient if we're inserting the remote system's IP into the client program which is running on it and it's ready. For the 'simple' environments, this is the appropriate way to go. We strongly recommend to use UltraVNC if you decide to use this method.
2. By using an inverse System:
We're referring to remote control systems which connect by using a server on the internet which allows to connect both computers so they can 'talk' if the operator's PC communicates with the same server on the internet, instead of just waiting to connect with an open TCP port. The internal network wouldn't communicate with them in this way at all. This system, although useful in complex environments, has many disadvantages such as the speed or the fact that if the server we're required to control doesn't have access to the internet. In this case, we wouldn't be able to communicate with it. We strongly recommend to use TeamViewer here.
3. By using a Direct Connection System:
UltraVNC allows to configure one proxy, so it's going to be the one which connects to the remote server. We're going to connect with the intermediate server (proxy) and connect this one to the end server. This is called 'Ultra VNC Repeater'. You can find more information about this method on the UVNC Repeater page.
On the picture below, you're looking at a basic working sketch of this system.
The UltraVNC tool itself allows you to conduct the setup graphically:
The connection to the VNC server utilizes the proxy to connect to the destination server, as we can see on the picture below.
1.2 Using Integrated VNC under Pandora FMS
By the Pandora FMS 'VNC' extension it's possible to have access from the web console itself, without having to install additional software or doing besides that.
The only requirements are the following:
- Having a VNC server that includes the Java applet installed which listens on port 5800 of each server we intend to manage remotely.
- Having the Java plug in installed on its browser.
- Having direct connection from the PC on which the operator is connected to the Pandora FMS console and to the monitored server we intend to manage remotely. The connection is required to grant access via port 5800 TCP.
If we fulfill these requirements, we only have to click on the flap with the 'VNC' extension within the 'Operation' view of an agent. We're going to see the following there:
When the communication is reestablished, it's required to introduce a password which is configured in the moment the VNC server is installed on the machine.
Once we have introduced the password, we have access to the server "as if we were on site".
We recommend the use of UltraVNC. Besides being very strong, supporting connection coding and allowing file transfer from one machine to another, it's a GPLv2 licensed free software.
However, the limitations of this system are mainly the following:
- It requires a connection between your PC and the machine you intend to monitor remotely. If it's behind a firewall, a router or in the internet, it won't be able to connect.
- It requires to know the IP. With Pandora FMS, it could tell the agent which notifies the current IP to it, which is going to know the appropriate IP, but sometimes it doesn't work very well. If it has several network adapters, if it doesn't update the IP by default or due to other possible causes.
- It requires the installation of the UltraVNC software, which you're might not allowed to install due to certain security policies in your location.
In cases in which the first mentioned point is the problem, we recommend to use the direct connection method by using a proxy. If the methods shown here aren't working, you're required to download a client program and execute it manually from your PC in order to connect to your remote system.
1.3 Using TeamViewer under Pandora FMS
TeamViewer is one of the best remote management systems available. TeamViewer is able to use intermediate servers on the internet to connect to its equipment, regardless of changes in the IP, firewalls or other problems we've previously mentioned.
You only require three things:
- An internet connection on both ends (the server you intend to monitor and the operator's PC).
- To take a note of the machine's ID and to remember the password.
- To install the TeamViewer software on the remote server.
Once it has been installed, you're required to assign an ID to the machine. You're also able to configure a password for permanent access. The TeamViewer IDs have the format "XXX XXX XXX" (nine digits). This is the required ID to connect to the server. We use the Enterprise feature called 'Customized Fields' to create this field within all agents and to insert the ID of each machine for this.
Please click on 'Configuration' -> 'Agents' and 'Manage customized Fields' in order to create a custom field. Once the creation process is finished, please click on 'Create' button.
Once the field is created, you're able to store the machine's ID there. It's '623 596 886' in this case.
In this moment, you're required to go to the TeamViewer page, insert my ID and login to the system as shown on the picture below.
1.3.1 Technical Details about TeamViewer
TeamViewer is quite powerful. It allows to transfer files from one system to another.
These tools are connected to remote servers. The security could be a problem in cases we're very demanding related to these concepts, e.g. legal questions and privacy of data. If you're using the commercial version, there are some advantages regarding the above mentioned security issues.
This is a list of fixed connections within the remotely managed server in the moment of using a fixed TeamViewer connection:
TCP desktop:1379 server530.teamviewer.com:http ESTABLISHED TCP desktop:1380 master4.teamviewer.com:http ESTABLISHED TCP desktop:1381 server311.teamviewer.com:http ESTABLISHED TCP desktop:1382 server311.teamviewer.com:http ESTABLISHED
TeamViewer also supports direct connections between client and server.
We strongly recommend to buy a license of TeamViewer to manage their servers to all Pandora FMS Enterprise users. VNC is quite nice, but TeamViewer has a very efficient on the fly compression, and you will experience an incredible remote access level when managing remote hosts with it.
1.4 Connecting remote systems using SSH/Telnet from Pandora FMS
Since the 4.0.2 version, Pandora FMS comes with a new extension which was designed to directly connect to their devices by telnet or SSH. This feature is conducted by the 'Remote Gateway' extension. You're required to conduct a special setup for this component, because it's not going to be installed by default. This is an open-source feature, based on the 'anytermd' software, published under GPL2 license.
Pandora FMS uses a tool called 'anytermd' to create a 'proxy' between the user's browser and its remote destination. This tool launches as a daemon which listens on a port. It executes a command which forwards all output to the user's browser. That means all the connections are conducted by the Pandora FMS Server and it has to be installed onto the telnet and SSH client.
You're looking at the the architecture's basic schema on the picture below.
1.4.1 Setup and Installation
All sources are contained in the directory called 'extras/anytermd'.
Please make sure you have the gnu c++ compiler ('gcc-c++'), 'make', 'boost-devel' and 'zlib-devel' installed.
Then install the binary to the directory called '/usr/bin' manually by executing the following command:
cp anytermd /usr/bin
In order to run the server daemons, you're required to start them manually, since the Pandora FMS Server or the console don't start up automatically. The Pandora FMS SSH / telnet extension is going to look for a different instance of 'anytermd', running on port 8023 for telnet and port 8022 for SSH connections.
You also have a start and stop daemon in the directory called 'contrib/anytermd'. Please copy it to '/etc/init.d/anytermd' and execute it in the following way:
It's going to use the 'pandora' user for execution by default. If you intend to change it, please alter the script file for any other HTTPD-based user your system may have.
This script is going to use the ports 8023 and 8022. Please make sure these ports are 'open and clear' from the user browser to the console's web-server system.
You're now free to use the extension and connect to remote servers by telnet or SSH.
1.5 Using eHorus with Pandora FMS
eHorus is a SaaS-based remote device management tool. Being cloud oriented, it can connect to devices disregarding IP changes, firewalls or other issues mentioned previously.
In order to enable it, we'll need to activate the integration on the corresponding settings section.
After this it'll be necessary to introduce a valid login from a user on the service. This username will be used to authorize the remote connection to the provided agents.
It's possible, although probably unnecessary, to use another eHorus provider by editing the API Hostname (i.e. switch.ehorus.com by default) and API Port (18080 by default).
Once the connection is configured, you'll be able to see that there is a new custom field under the agent settings view called eHorus ID. This field must have the eHorus ID for the agent we wish to manage. You can find this ID in many places, like the eHorus agent already running on the device, or on the eHorus Portal (see image below).
The eHorus agent that is to be managed must be viewable by the user configured in the settings for the integration
When the Pandora FMS agent has the eHorus agent ID defined in its custom fields, admin users or those users with permissions for agent management will see a new tab in the agent menu from which they can use the eHorus platform without leaving the Pandora FMS console.