Configuring Your Collector for Use with HTTP Proxies
IN THIS ARTICLE:
- Modifying a Collector's Configuration File from LogicMonitor
- Modifying a Collector's Configuration File from the Collector Computer
- New SSL and Proxy Settings
- Troubleshooting Collector Proxy Configuration
If your environment does not allow the Collector to directly connect with the LogicMonitor data centers, you can configure the Collector to communicate through a proxy.
This requires that you make a couple of changes to the configuration file (agent.conf) for your Collector. It is highly recommended that this is done via the LogicMonitor UI since there are safeguards in place to prevent errors. Although both methods are discussed in this support article, you should only modify the configuration files on the Collector computer itself if absolutely necessary.
Modifying a Collector's Configuration File from LogicMonitor
To edit the agent.conf configuration file for a Collector within LogicMonitor, follow these steps:
- Navigate to Settings | Collectors.
- From the Collectors page, find the Collector you wish to configure and click the corresponding cogwheel icon from the Manage column to display its settings.
- From the Support button's drop-down menu, select "Collector Configuration," as shown next.
- On the Agent Config tab, tap the "Edit agent.config manually" slider to enable manual configuration of the file.
- Scroll down to the "#SSL & Proxy settings" area (shown next) and modify these settings as discussed in the New SSL and Proxy Settings section of this support article.
- Click the Save and Restart button to restart the Collector and apply the changes to the agent.conf file.
Modifying a Collector's Configuration File from the Collector Computer
As stated previously, you should only modify the configuration files on the Collector computer itself if absolutely necessary. To edit the agent.conf configuration file for a Collector from the Collector computer, follow these steps:
- Locate the agent.conf file (default path: /logicmonitor/agent/conf/agent.conf).
- Open the file and modify the "#SSL & Proxy settings" as discussed in the New SSL and Proxy Settings section of this support article.
- Restart the Collector services to ensure that changes to the agent.conf are applied:
- Windows. Restart the LogicMonitor Collector and LogicMonitor Collector Watchdog services from the Services control panel.
- Linux. Execute /usr/local/logicmonitor/agent/bin/sbshutdown, then /etc/init.d/logicmonitor-watchdog start.
New SSL and Proxy Settings
Whether updating the agent.conf file from within LogicMonitor or from the Collector computer, the new SSL and proxy settings should look as follows once the edits are complete.
These new settings designate the follow:
- ssl.enable=true. Designates that the Collector will make the outbound connection using SSL
- proxy.enable=true. Designates that the Collector will use these settings
- proxy.host=. Designates the IP address of the proxy server
- proxy.port=. Designates the port the proxy server uses
- proxy.user=. Designates the username the Collector uses when connecting to the proxy
- proxy.pass. Designates the password the Collector uses when connecting to the proxy
Note: the settings specified above reflect a Windows-based proxy requiring authentication. Linux Collectors support only basic authentication. Windows Collectors support NTLM and other native windows authentication methods.
Troubleshooting Collector Proxy Configuration
Next we've highlighted some common issues experienced (and how to resolve them) when configuring Collectors to be used with HTTP proxies.
Issue: Proxy Authentication Required
When the Collector is configured to use a proxy that requires basic authentication, the Collector may throw the following exception:
[MSG] [WARN] [main::controller:main] [Controller2._initConfiguration:461] Unexpected status encountered from server. Will retry., CONTEXT=retry=30s, statusCode= 500, errMsg=Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"
In this case, you will want to add the following configuration to the Collector's wrapper.conf:
Issue: Invalid SSL Certificate
If a Collector does not get a valid SSL certificate issued directly from LogicMonitor, it will fail to properly start. In the below example, all SSL certificates in the client environment were being intercepted and reissued using special security software (e.g. Blue Coat Proxy).
[03-26 15:53:03.222 EDT] [MSG] [INFO] [statusmonitor:::] [StatusListener$1.run:106] Receive peer request, CONTEXT=command=keepalive, charset=windows-1252, peer=/***.***.***.***:****** [03-26 15:53:03.268 EDT] [MSG] [WARN] [statusmonitor::scheduler:] [PropertyFilePersistentHandler._load:94] task file not found, CONTEXT=filename=C:\Program Files (x86)\LogicMonitor\Agent\conf\persistent_task.conf, EXCEPTION=C:\Program Files (x86)\LogicMonitor\Agent\conf\persistent_task.conf (The system cannot find the file specified)
java.io.FileNotFoundException: C:\Program Files (x86)\LogicMonitor\Agent\conf\persistent_task.conf (The system cannot find the file specified)
at java.io.FileInputStream.open0(Native Method)
at com.santaba.agent.agentmonitor.StatusListener$1.run(StatusListener.java:117) /
[03-26 15:53:03.947 EDT] [INFO]  [default] [controller] [Controller2._initHttpService:469] Agent starting with ID - 00baae57-3971-4239-9610-b512aae9c21csbagent
[03-26 15:53:04.232 EDT] [MSG] [INFO] [main::controller:main] [SSLUtilities.checkCertificates:160] Invalid or wrong SSL Certificates found, CONTEXT=info=Found total 2 certificates:
Subject: CN=*.logicmonitor.com, OU=Domain Control Validated
Valid from: 2017-04-19 10:02:01 -0400
Valid to: 2020-06-18 17:33:09 -0400Subject: CN=SSLInterception3
Issuer: CN=BillyBob's-CA, DC=slhn, DC=org
Valid from: 2017-08-09 15:08:18 -0400
Valid to: 2021-10-03 08:53:12 -0400 */
[03-26 15:53:04.232 EDT] [MSG] [WARN] [main::controller:main] [Controller2._initConfiguration:322] SANTABA SERVER ceriticates not trusted, CONTEXT=Host=generic-customer.logicmonitor.com, port=443
Solution A (Preferred)
Have the local administrator white list the SSL certificate so that it comes into the network unmodified by a proxy/firewall. This is the preferred option because it preserves security.
Change the Collector configuration setting from:
Removing SSL enforcement lowers the security of the connection between your Collector and LogicMonitor and, for this reason, should be carefully considered before implementing.