Hi PRTG, can a remote probe at a branch site connect to the HQ site via the normal internet, since our branch site has no VPN connection? Is that secure?
Remote Probe: Multi-site
4 Replies
Hi Dean92,
According to the How Probes Work section on https://www.paessler.com/manuals/prtg/remote_probes_and_multiple_probes,
The connection between probe and core is initiated by the probe, secured using Transport Layer Security (TLS). This means that the data sent back and forth between core and probe is not visible to someone capturing data packets.
I've leveraged this in situations like yours to connect a probe back to the core. I would recommend allowing only the whitelisted source IP of the probe(s) to connect to the NAT you open to expose the core.
According to https://kb.paessler.com/en/topic/69754-remote-probe-connection,
Probes use dynamic high ports to connect to their PRTG Core Server. Only on the core side it is fixed to port 23560, as the target TCP Port. A Probe does not need to use the same port for its outgoing connection, so it opens a dynamic high port.
Hope this answers your question!
Thanks,
Randolfini
Hello Randolfini,
Thank you very much for your answer, there is nothing left to be added.
Regards,
Sebastian
And how about a connection between branch and HQ with two different VPN connections? For example, with HQ using VPN cloud A and branches using VPN cloud B, how is the remote probe's connection with the core server (at HQ) established?
Hello dean92,
Of course, Remote Probe and Core Server must be able to "see" each other.
See: PRTG Manual Remote Probes and multiple Probes:
Because the probe initiates the connection, you must ensure that a connection can be established from the outside world to your core server. For example, you may need to open any necessary ports in your firewall and you may need to specify a Network Address Translation (NAT) rule for your network. The process is the same as if you wanted to allow access to the web server provided by the PRTG core server via port 443, for example. Usually it is sufficient to open or forward TCP port 23560 (default) on the machine that runs the core server; on probe side it is not necessary to open any port in most cases.
Best regards,
Sebastian
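
Added example, not part of the original thread and not PRTG's own code: a check that the source-IP allowlisting recommended in the first reply is actually in force on the forwarded TCP port 23560 described in the last reply. The allowlist addresses, the log layout (a `#Fields:` header with Windows Firewall log column names) and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Assumed allowlist: public egress addresses of the branch probes (documentation ranges).
PROBE_ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/29")]
CORE_PORT = 23560  # default probe-to-core port named in the thread

# Constructed sample lines; column names follow the Windows Firewall log header.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 08:00:01 ALLOW TCP 203.0.113.10 10.0.0.5 51544 23560 0 - 0 0 0 - - - RECEIVE
2024-05-01 08:00:07 ALLOW TCP 192.0.2.77 10.0.0.5 40112 23560 0 - 0 0 0 - - - RECEIVE
2024-05-01 08:01:13 DROP TCP 192.0.2.80 10.0.0.5 40200 23560 0 - 0 0 0 - - - RECEIVE
2024-05-01 08:02:30 ALLOW TCP 198.51.100.3 10.0.0.5 62001 23560 0 - 0 0 0 - - - RECEIVE
2024-05-01 08:03:00 ALLOW TCP 192.0.2.77 10.0.0.5 40999 443 0 - 0 0 0 - - - RECEIVE
"""

def is_allowlisted(src):
    """True if src falls inside one of the allowlisted probe networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PROBE_ALLOWLIST)

def audit(log_text, port=CORE_PORT):
    """Return (violations, dropped) for traffic to the probe port.

    violations: (date, time, src-ip) of ALLOWed connections from sources
                outside the allowlist, meaning the filter is not effective.
    dropped:    src-ip -> count of blocked attempts, meaning the filter works
                and someone is probing the exposed port.
    """
    fields, violations, dropped = [], [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names drive the parsing
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("protocol") != "TCP" or row.get("dst-port") != str(port):
            continue
        try:
            if is_allowlisted(row["src-ip"]):
                continue
        except (KeyError, ValueError):
            continue  # skip malformed lines rather than guess
        if row.get("action") == "ALLOW":
            violations.append((row["date"], row["time"], row["src-ip"]))
        elif row.get("action") == "DROP":
            dropped[row["src-ip"]] = dropped.get(row["src-ip"], 0) + 1
    return violations, dropped
```

Any entry in `violations` means a non-probe address reached the core's probe port, so the NAT or firewall rule is wider than intended.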