Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once setup you can install agents and perform remote desktop session to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

Changing the agent port doesn't work #2483

Closed FriedZhopa closed 3 years ago

FriedZhopa commented 3 years ago

Hello! As we know, the MeshCentral server uses one port, 433, for both the web interface and agent connections. We use the server behind a pfSense router and made a NAT rule for this port; everything works. But we don't want it to be possible to enter our site from outside. It's just more secure. I found this info: https://www.reddit.com/r/MeshCentral/comments/gctucc/different_ports_for_site_and_agent_connections/ I made it as described; here's my "config.json":

{
   "settings": {
      "cert": "MY-IP-HERE", 
      "wanonly": true, 
      "_minify": true, 
      "minify": true, 
      "clickonce": true, 
      "webrtc": true, 
      "allowlogintoken": true, 
      "allowframing": true,
      "allowHighQualityDesktop": true,
      "redirport": 80,
      "port": 443,
      "agentPort": 347,
      "AgentAliasPort": 347
   }, 
   "domains": {

   }
}

I forwarded port 347 on my NAT, downloaded the agent and installed it, but there's no connection. If I comment out "agentPort" in the config and change the port in the agent config (MeshAgent.msh), everything works. If I turn that back, agent connection error. So where can I dig?

vitko-bg commented 3 years ago

I am using a different port for agents and it is working fine for me.

here is my config: "Port": 4422, "AliasPort": 443, "RedirPort": 813, "RedirAliasPort": 80, "AgentPort": 4999, "AgentPortTls": true, "TlsOffload": "127.0.0.1", "MpsPort": 44333, "MpsTlsOffload": true,

I can suggest you try to get rid of "AgentAliasPort" as it is the same as "AgentPort"; once that is done, restart meshcentral and see how it goes.

FriedZhopa commented 3 years ago

> I am using a different port for agents and it is working fine for me.
>
> here is my config: "Port": 4422, "AliasPort": 443, "RedirPort": 813, "RedirAliasPort": 80, "AgentPort": 4999, "AgentPortTls": true, "TlsOffload": "127.0.0.1", "MpsPort": 44333, "MpsTlsOffload": true,
>
> I can suggest you try to get rid of "AgentAliasPort" as it is the same as "AgentPort"; once that is done, restart meshcentral and see how it goes.

Thanks! I will try again with your config. I tried both adding and removing ALIAS but nothing works. Maybe I have a different version?

vitko-bg commented 3 years ago

P.S. Just now saw the real question :) You can use "_userAllowedIP": "127.0.0.1,192.168.1.0/24", "_userBlockedIP": "127.0.0.1,::1,192.168.0.100", "_agentAllowedIP": "192.168.0.100/24", "_agentBlockedIP": "127.0.0.1,::1" in the domain section; check the sample-config-advanced file on GitHub. Hope that will help.

vitko-bg commented 3 years ago

I will test my setup with blocking web port 443 on the NAT to replicate your setup and will let you know.

cristianadrielbraun commented 3 years ago

I would say your pfSense is blocking something, because the configs you are showing are just fine. Except for this one: "cert": "MY-IP-HERE". It should be a DNS name there.

But I don't think it has anything to do with this. It looks like the port forwarding in the pfSense is maybe misconfigured at some point.

Plus, you can block external access using userAllowedIP and agentAllowedIP, like @vitko-bg said right before me.

Ylianst commented 3 years ago

Like @yomono said, I strongly recommend using a DNS name for the server, not an IP address in "cert". I get emails from people having used an IP address that are toast because their server changes IP and agents are not connecting anymore.

One suggestion is to do this:

{
   "settings": {
      "cert": "dns.server.com", 
      "wanonly": true, 
      "allowlogintoken": true, 
      "allowframing": true,
      "redirport": 80,
      "port": 888,
      "agentPort": 443
   }
}

You put the agent port on 443 and so, agents should be able to connect from outside. In the config above, you will still be able to access the user interface on HTTPS port 888. I am guessing that will work.

Other minor notes:

      "_minify": true,        <-- Duplicate, remove
      "minify": true, 
      "clickonce": true,       <-- This feature does not exist anymore, remove
      "webrtc": true,          <--  WebRTC on the agent is not great, Bryan needs to debug. May want to keep disabled.
      "allowlogintoken": true, 
      "allowframing": true,
      "allowHighQualityDesktop": true,
      "redirport": 80,
      "port": 443,
      "agentPort": 347,
      "AgentAliasPort": 347          <-- You don't need to specify the alias port if it's the same.

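
A complete config.json that combines the port split suggested above with the domain-level user IP restriction from vitko-bg's earlier comment, written as an added example (not from the thread or from the MeshCentral project): the web UI on 888 is not forwarded on the NAT and is additionally limited to the LAN, while agents reach 443 from anywhere. The server name and the 192.168.1.0/24 range are taken from the thread and are assumptions for your own environment; keys beginning with "_" are ignored by MeshCentral, which is why the "_userAllowedIP" form copied from the sample file stays disabled until the underscore is removed.

```json
{
  "settings": {
    "cert": "dns.server.com",
    "wanonly": true,
    "redirport": 80,
    "port": 888,
    "agentPort": 443,
    "_note": "Added example, not the project's config. The pfSense NAT rule forwards only 443 (agents); 888 (web UI) is deliberately not forwarded."
  },
  "domains": {
    "": {
      "userAllowedIP": "127.0.0.1,192.168.1.0/24",
      "_note": "Assumed LAN range from the thread; browser logins are accepted only from these sources. agentAllowedIP is left unset so agents can still connect from the Internet."
    }
  }
}
```

After restarting MeshCentral, a browser from outside the LAN should be refused on 888 even if a forwarding rule is added by mistake, while a freshly downloaded agent still connects on 443.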
vitko-bg commented 3 years ago

@FriedZhopa - tested on my environment with no NAT to the web MC2 GUI: all agents are connecting fine through the NATed port 4999 and all is working as expected. So it looks like @Ylianst is right :) - the problem should be in your firewall. Please investigate further.

FriedZhopa commented 3 years ago

> Like @yomono said, I strongly recommend using a DNS name for the server, not an IP address in "cert". I get emails from people having used an IP address that are toast because their server changes IP and agents are not connecting anymore.
>
> One suggestion is to do this:
>
> {
>    "settings": {
>       "cert": "dns.server.com", 
>       "wanonly": true, 
>       "allowlogintoken": true, 
>       "allowframing": true,
>       "redirport": 80,
>       "port": 888,
>       "agentPort": 443
>    }
> }
>
> You put the agent port on 443 and so, agents should be able to connect from outside. In the config above, you will still be able to access the user interface on HTTPS port 888. I am guessing that will work.
>
> Other minor notes:
>
>       "_minify": true,        <-- Duplicate, remove
>       "minify": true, 
>       "clickonce": true,       <-- This feature does not exist anymore, remove
>       "webrtc": true,          <--  WebRTC on the agent is not great, Bryan needs to debug. May want to keep disabled.
>       "allowlogintoken": true, 
>       "allowframing": true,
>       "allowHighQualityDesktop": true,
>       "redirport": 80,
>       "port": 443,
>       "agentPort": 347,
>       "AgentAliasPort": 347          <-- You don't need to specify the alias port if it's the same.

Thanks! Today I will try it with the HTTPS port changed and the other settings in your list. As for the IP address and DNS name: we've bought a static IP address.

FriedZhopa commented 3 years ago

> @FriedZhopa - tested on my environment with no NAT to the web MC2 GUI: all agents are connecting fine through the NATed port 4999 and all is working as expected. So it looks like @Ylianst is right :) - the problem should be in your firewall. Please investigate further.

But the paradox is that if I leave the same port for both agent and web, I need it to be NATed in the firewall too, and it works. I change just the port in that rule and the port in the config file of MC.

FriedZhopa commented 3 years ago

Thanks a lot for your help, people! Everything works fine now. It seems that the problem was hidden in my config file. I made it as you recommended and the problem is gone.