Can PRTG monitor https sites that are protected with SSL client certificates

Votes:

0


We want to monitor a web site that is requesting SSL Client certificates. Is this possible?

client-certificates https monitor prtg ssl

Created on Jan 29, 2015 3:05:25 PM by  joostv68 (200) 1 3



Best Answer

Accepted Answer

Votes:

8


Here is the final script I'm using, with correct exit codes for the custom sensors: (http://www.paessler.com/manuals/prtg7/api_for_custom_exe_sensors)

$TypeDefinition_ClientCertWebClient = @"
public class ClientCertWebClient : System.Net.WebClient
{
    System.Net.HttpWebRequest request = null;
    System.Security.Cryptography.X509Certificates.X509CertificateCollection certificates = null;

    protected override System.Net.WebRequest GetWebRequest(System.Uri address)
    {
        request = (System.Net.HttpWebRequest)base.GetWebRequest(address);
        if (certificates != null)
        {
            request.ClientCertificates.AddRange(certificates);
        }
        return request;
    }

    public void AddCerts(System.Security.Cryptography.X509Certificates.X509Certificate[] certs)
    {
        if (certificates == null)
        {
            certificates = new System.Security.Cryptography.X509Certificates.X509CertificateCollection();
        }
        if (request != null)
        {
            request.ClientCertificates.AddRange(certs);
        }
        certificates.AddRange(certs);
   }
}
"@

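# Compile the helper class. Add-Type throws if the type already exists in this
# session; the empty Catch ignores that (and any other Add-Type error).
Try
{
    Add-Type -TypeDefinition $TypeDefinition_ClientCertWebClient
}
Catch
{
}

Function Test-Portal
{
    $WebClient = New-Object -TypeName ClientCertWebClient
    # Client certificate from the machine store, selected by thumbprint
    $Certificate = Get-ChildItem -Path Cert:\LocalMachine\My\447FA04BC24F469XXXXXXXX234F7D54501
    $WebClient.AddCerts($Certificate)
    # Cookie sent with the request so the proxy does not force a reload
    $WebClient.Headers.Add("Cookie","[email protected]")
    Try
    {
        $WebClient.DownloadString("https://xxxxx.xxxxxxxx.xx")
    }
    Catch
    {
        # A 401 comes from the web server behind the proxy, so it counts as up
        if ($_.Exception.ErrorRecord.Exception.Message.Contains("The remote server returned an error: (401) Unauthorized."))
        {
            write-host "1:UP"
            exit 0
        }
    }
    # Anything else (including a successful download) is reported as down
    write-host "0:DOWN"
    exit 2
}
Test-Portal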

Created on Feb 6, 2015 1:46:35 PM by  joostv68 (200) 1 3

Last change on Feb 6, 2015 2:01:51 PM by  Torsten Lindner [Paessler Support]
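
A variant of the script above, as an added example that is not the poster's code: it decides on the numeric HTTP status rather than on the exception message text (which is localized), and reports a missing or expired client certificate separately from a site outage. The URL, thumbprint and cookie are placeholders, Get-ProbeStatus is a hypothetical helper name, and the output keeps the value:message format and the exit codes 0 and 2 used above.

```powershell
# Added example, not the poster's script. All three values are placeholders.
$Url        = 'https://portal.example.invalid/'
$Thumbprint = '<CLIENT-CERT-THUMBPRINT>'
$Cookie     = '<COOKIE-NAME>=<DUMMY-VALUE>'

function Get-ProbeStatus {
    param(
        [string]$Url,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Cookie
    )
    $req = [System.Net.HttpWebRequest][System.Net.WebRequest]::Create($Url)
    $req.Timeout           = 15000     # milliseconds
    $req.AllowAutoRedirect = $false    # report the proxy's redirect instead of looping on it
    [void]$req.ClientCertificates.Add($Certificate)
    $req.Headers.Add('Cookie', $Cookie)
    try {
        $resp = $req.GetResponse()     # 2xx and 3xx responses land here
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    }
    catch {
        # PowerShell wraps .NET exceptions; walk down to the WebException.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) {   # 4xx/5xx: a server answered
            $code = [int]$ex.Response.StatusCode
            $ex.Response.Close()
            return $code
        }
        return 0                       # no HTTP answer: DNS, TCP or TLS handshake failure
    }
}

# Check the certificate first so a certificate problem is not reported as an outage.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
if (-not $cert)                    { Write-Host '0:DOWN client certificate not found in store'; exit 2 }
if (-not $cert.HasPrivateKey)      { Write-Host '0:DOWN client certificate has no private key'; exit 2 }
if ($cert.NotAfter -lt (Get-Date)) { Write-Host '0:DOWN client certificate expired'; exit 2 }

$status = Get-ProbeStatus -Url $Url -Certificate $cert -Cookie $Cookie
if ($status -eq 401) { Write-Host '1:UP web server answered 401'; exit 0 }
Write-Host "0:DOWN unexpected HTTP status $status"
exit 2
```

HasPrivateKey only shows that a key is associated with the certificate; the account the sensor runs under also needs read access to that key in the LocalMachine store.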



6 Replies

Votes:

0


What are you looking to monitor on the site? If the site has an API where you can pull XML values from then you should be able to monitor quite a bit but it really depends on how the site is set up and what you want to monitor.

Created on Jan 30, 2015 12:04:56 PM by  Greg Campion [Paessler Support]



Votes:

0


I want to monitor the uptime of a site. For security, there is a reverse proxy in front of the web server. A client SSL certificate is used to authenticate to the proxy. The proxy checks the attributes of the certificate and sets a cookie before it forces a reload of the site. When the site reloads with the cookie, the proxy passes the request to the web server. The website returns a 401 error to the PRTG server. This is a valid response for the monitor because the response is coming from the web server, so the web server must be up and running. For legal reasons we do not want real access to the website.

It is possible to insert an invalid cookie in the request to bypass the reload of the site. This will make the web server respond with 401. But the client certificate is needed for all connections to the site.

Created on Jan 30, 2015 4:33:03 PM by  joostv68 (200) 1 3



Votes:

0


If your question is whether a sensor in PRTG can provide client certificates to web sites, you can at least do so with a custom sensor: the PowerShell cmdlet Invoke-WebRequest supports client certificates using the -Certificate option. The return value is an object representing the requested web site (HtmlWebResponseObject), which makes parsing easier than with plain text.

Created on Feb 2, 2015 2:43:41 PM by  ages (977) 5 1



Votes:

0


It's unfortunately not possible to send a cookie with a web request in PRTG at this time.

Created on Feb 2, 2015 4:07:12 PM by  Greg Campion [Paessler Support]



Votes:

7


Thanks Ages,

I have a PowerShell script which can handle client certificates and cookies. At this moment it returns True or False. I have to change this to something the custom sensor can handle. I will look into this tomorrow.

The current script:

$TypeDefinition_ClientCertWebClient = @"
public class ClientCertWebClient : System.Net.WebClient
{
    System.Net.HttpWebRequest request = null;
    System.Security.Cryptography.X509Certificates.X509CertificateCollection certificates = null;

    protected override System.Net.WebRequest GetWebRequest(System.Uri address)
    {
        request = (System.Net.HttpWebRequest)base.GetWebRequest(address);
        if (certificates != null)
        {
            request.ClientCertificates.AddRange(certificates);
        }
        return request;
    }

    public void AddCerts(System.Security.Cryptography.X509Certificates.X509Certificate[] certs)
    {
        if (certificates == null)
        {
            certificates = new System.Security.Cryptography.X509Certificates.X509CertificateCollection();
        }
        if (request != null)
        {
            request.ClientCertificates.AddRange(certs);
        }
        certificates.AddRange(certs);
   }
}
"@

Try
{
    Add-Type -TypeDefinition $TypeDefinition_ClientCertWebClient
}
Catch
{
}

Function Test-Portal
{
    $WebClient = New-Object -TypeName ClientCertWebClient
    $Certificate = Get-ChildItem -Path Cert:\CurrentUser\My\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    $WebClient.AddCerts($Certificate)
    Try
    {
        $WebClient.DownloadString("https://XXXXXX.XXXXXX.XX")
    }

    Catch
    {
        if ($_.Exception.ErrorRecord.Exception.Message.Contains("Too many automatic redirections were attempted."))
        {
            $WebClient.Headers.Add("Cookie","XXXXXXXXX=YYYYYYYYYYYYYYYYYY")
            Try
            {
                $WebClient.DownloadString("https://XXXXXX.XXXXXX.XX")
            }

            Catch
            {
                return ($_.Exception.ErrorRecord.Exception.Message.Contains("The remote server returned an error: (401) Unauthorized."))
            }
        }
        else
        {
            return $false
        }
    }
}

(Measure-Command -Expression {$TestResult = Test-Portal}).TotalMilliseconds
$TestResult

Created on Feb 2, 2015 5:33:47 PM by  joostv68 (200) 1 3

Last change on Feb 3, 2015 9:37:46 AM by  Torsten Lindner [Paessler Support]





