
Tunnel Setup:

The decision has to be made which side of the hubs will act as tunnel server (receiving the connection) and which as tunnel client (making the connection). All in all, only one port needs to be opened on the tunnel server end: the default is 48003, but any available port can be used, e.g. 443. Please note that tunnel traffic is NOT HTTPS traffic, even if port 443 is used.

The following are high-level steps; please refer to the Installation Guide for detailed information on tunnel concepts and detailed steps.

1- On Tunnel Server:

I- Set up CA (Certificate Authority):

a- Enable Tunneling (if it is not already enabled)

1.  In the hub probe GUI, in the General section, select the checkbox next to "Enable Tunneling". This enables the "Tunnels" tab.

2.  In the Tunnels section, select the "Active" checkbox under "Server Configuration".

3.  In the "Certificate Authority Setup" window, fill out the fields accordingly.

4.  Select "Security Settings" as desired. Note that if you choose Medium or above, the encryption will be stronger, but at the cost of processing resources.

5.  Click the Apply button and restart the hub probe.

b- Create Tunnel Client Certificate:

1.  In the hub probe GUI, go to the "Tunnels->Server Configuration" section.

2.  Click the New button under the "Issued Certificates" section.

3.  In the "Client Certificate Setup" window, fill out the "Who" and "Where" fields accordingly. The fields under "Authentication" should be filled out as follows:

Common Name: The tunnel client's connection IP address. If the client is NAT'ed, i.e. its external IP address differs from its internal IP, use the client's external IP address in this field.

You can also use a wildcard, i.e. either one asterisk '*' or four asterisks '*.*.*.*' (without quotes), to set up only one certificate which can then be used for multiple tunnel clients.

Password: Make a note of this password, as you will use it on the client side of the hub when installing the certificate.

Expire days: The default is 365 days. Depending on the requirements and the expected lifetime of the client tunnel, this can be increased to avoid having to regenerate the tunnel certificate and reset the tunnel client.

c- Copy Tunnel Client License (the issued certificate):

1.  In the hub probe GUI, in the "Tunnels->Server Configuration" section, click View under the "Issued Certificates" section.

2.  Click the Copy button; it copies the certificate to your clipboard.

3.  Open the Notepad application and press CTRL+V or right-click and choose Paste.

4.  Save the file, name it accordingly, and make sure that no extra characters are inserted into the file.

5.  Now copy the file to the tunnel client, or have it available so that you can copy/paste it on the tunnel client side.

2- On Tunnel Client:

Note 1: During hub installation, you are given an option to "Initialize Security", which creates a local copy of the security.cfg file and sets up the Nimsoft 'administrator' user password. This is a required step on tunnel clients, as you need to log in to the hub as the 'administrator' user to set up tunneling.

Note 2: Normally, Infrastructure Manager will not be installed/available on the tunnel client side. In that case you can use the "Nimsoft DMZ Tunnel Setup Wizard" ("Nimsoft Monitoring->Tools" application group).

I- Using Infrastructure Manager:

1.  Log in to the tunnel client hub.

2.  In the hub probe GUI, enable the "Tunneling" option in the General section.

3.  Switch to the Tunnels tab and then to "Client Configuration".

4.  Click the New button.

5.  Deselect "Check Server Common Name" if the Tunnel Server is NAT'ed.

6.  Fill out the fields accordingly. Use the password which you set up in step 3 of "Create Tunnel Client Certificate".

7.  Paste the client certificate you created in step 3 of "Create Tunnel Client Certificate" and copied in step 5 of "Copy Tunnel Client License" into the "Certificate" field.

8.  Click OK, then Apply, and restart the hub probe.

Now, if all goes well, your tunnel client will connect to the tunnel server. If you get errors accessing the new hub, refer to the Troubleshooting section.

II- Using "Nimsoft DMZ Tunnel Wizard":

1.  Open "Nimsoft DMZ Tunnel Wizard" from the Programs menu.

2.  Select "Client" on the first screen.

3.  You will be prompted for the administrator password.

4.  Fill in the fields appropriately and paste the tunnel certificate.

5.  After finishing, do not log in to the new hub until the Enabled status shows up in the Security column of Infrastructure Manager.

6.  If you get errors accessing the new hub, refer to the Troubleshooting section.

Troubleshooting

Scenario 1: Hub appears, but when I click it, it turns red

Since a tunnel setup on a newly installed hub requires initializing security, the security.cfg file on the new hub is not able to sync up with the rest of the infrastructure. Verify by checking the "version" value on the primary hub and on the new hub: the new hub's version value will be lower than the primary's (or any other existing hub's). If that is the case, take the following steps to resolve it:

1.  Stop the Nimsoft service.

2.  Go to the $NIMROOT\hub folder (where $NIMROOT is the Nimsoft install location).

3.  Delete all files named security (security.cfg, security.dat, security.bak).

4.  Start the Nimsoft service and wait. During this time, even when the hub appears in Infrastructure Manager, don't log in to the new hub.

To check whether the security.cfg file has been synced up, in Infrastructure Manager click on the Nimsoft domain (e.g. Enterprise, or whatever Nimsoft domain was configured) and check the Security column in the right-hand view where all hubs are listed; the value should be Enabled. You can also verify by checking the "version" value in the security.cfg file on the new hub.

Now open any probe (controller, hub) on the new hub to verify access to the new hub.

Scenario 2: Tunnel Cannot Connect to Tunnel Server

-  Check whether any firewall rule is blocking access to the tunnel server port (443, 48003, or whatever the tunnel server port is).

-  Do a simple telnet socket connect test:

   From the tunnel client, open a command-line tool and type the following:
   telnet <tunnel server IP> <tunnel port>
   e.g.

   telnet 10.1.0.2 48003

   -  If it hangs while trying to connect and then times out, the connection to the tunnel port is blocked and/or the wrong IP address is being used:

      -  Check for any firewall on the tunnel server side of the network

      -  Check that the tunnel server IP is correct

   -  If you get a blank screen and are dropped to the telnet prompt after you press CTRL-], you can connect to the tunnel server port.

-  Check that the tunnel client connection appears on the tunnel server, using netstat on the tunnel server:
   netstat -an | find "443"      (Windows)
   netstat -an | grep 443        (UNIX)
   Note: change the port accordingly.
   You should see an ESTABLISHED connection from the tunnel client IP in the output of the above command. If you don't, verify that the correct IP is used for the tunnel server and retest.
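The telnet and netstat checks above, as an added Python example that is not part of the original guide: tcp_connect_check() separates the "blank screen" (connected), "refused" and "times out" outcomes of the socket test, and established_clients() filters netstat -an output (Windows or UNIX layout) for ESTABLISHED connections to the tunnel port. The netstat sample is constructed for the example, and listen_locally() is an assumed helper for trying the check on a machine without a tunnel server.

```python
import socket

# Constructed "netstat -an" sample from a tunnel server on port 48003 (made up for this example; mixes Windows and UNIX layouts).
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:48003          0.0.0.0:0              LISTENING
TCP    10.1.0.2:48003         10.1.5.7:51234         ESTABLISHED
TCP    10.1.0.2:48003         10.1.5.9:40022         SYN_RECEIVED
TCP    10.1.0.2:445           10.1.5.7:51300         ESTABLISHED
tcp        0      0 10.1.0.2:48003          192.168.3.4:38812       ESTABLISHED
"""

def tcp_connect_check(host, port, timeout=3.0):
    """Socket-level equivalent of 'telnet <tunnel server IP> <tunnel port>'.
    'open'    - TCP handshake completed (the blank-screen case in the text)
    'refused' - host reachable but nothing listens there (hub down or wrong port)
    'timeout' - nothing answered: the firewall / wrong-IP case in the text
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:  # e.g. no route to host, name resolution failure
        return "unreachable"

def established_clients(netstat_output, port):
    """Foreign IPs holding an ESTABLISHED connection to local :port.
    Handles both 'netstat -an' layouts (Windows: Proto/Local/Foreign/State;
    UNIX: Proto/Recv-Q/Send-Q/Local/Foreign/State) by reading the address
    columns relative to the trailing State column.
    """
    clients = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[-1].upper() != "ESTABLISHED":
            continue
        local, foreign = fields[-3], fields[-2]
        if local.endswith(":%d" % port):
            clients.add(foreign.rsplit(":", 1)[0])
    return clients

def listen_locally():
    """Assumed helper: throwaway listener on 127.0.0.1 to try the check offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]
```

Pair listen_locally() with tcp_connect_check() to see the "open" result without a tunnel server; against a real server, run established_clients() on the captured netstat output and confirm the tunnel client's IP is in the result.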

Scenario 3: I get "Illegal SID" or "Illegal SID: You must login to the appropriate domain to access the probe"

This is another case of mismatched security.cfg files. Please refer to Scenario 1 & 3 (if needed) for the resolution.

Scenario 4: SSL certificate commonName(xxx.xxx.xxx.xxx) doesn't match peer

This is the condition where the tunnel client's IP doesn't match the tunnel client certificate's "Common Name". It can be resolved by one of the following:

-  Un-checking "Disable IP Validation" in the hub GUI on the tunnel server

-  Using the hub probe callback "hubsec_setup_put" on the tunnel server and adding "ignore_ip = yes" (key = ignore_ip, value = yes)

-  On the tunnel client's hub.cfg, adding "check_cn = no" under the tunnel entry, or using the hub GUI to un-check "Check Server common name" in the tunnel client entry