Hi all,
I would like to host GLPI-latest in a larger environment with abt ~250 user and make it accessible via LAN and Internet.
Nethserver will be added to a already existing windows 2019 AD. A firewall appliance also exists… What would be the most secure best practice scenario in this setup?
IMVHO VPN. No internet, only VPN access.
My first thought was reverse-proxy but I do not have any experience with it. VPN would be to much work and a problem on BYOD…
GLPi with Fusion Inventory and Flyve MDM try this leaving out nethserver steps and flyve etc on debian with lamp use nethserver as reverse proxy point DNS record externally (for the glpi url) to nethserver and have nethserver reverse proxy to the glpi server internal ip I currently have this working on proxmox at the moment as for security while I agree with using vpn I also agree about the hassle
Thank you for your answer, I will test it as soon as possible…
Somone here with a working GLPI-latest / Fusioninventory plugin combination?
I try to get the Fusioninventory agent working… I always get this error:
Do you mean the glpi agent or the fusion inventory module
Ignore that I didn’t read the issue properly
What version of windows are you trying to run the agent on also the agent is trying to run on http instead of https
You may have already looked over the manual but Incase someone else comes across this to get the manual from windows cmd run
C:\> fusioninventory-agent_windows-<platform>_<version>.exe /help
additional information can be found here Microsoft Windows installation for Fusioninventory Agent - FusionInventory
I havent tried using the agent without flyve so I’m testing on my macbook looks like it’s a similar setup for all os with minor tweeks
I mean the Windows 64-bit OS: fusioninventory-agent_windows-x64_2.6.exe from here to work with the FusionInventory Plugin installed on GLPI-latest.
on the install page it gives away to do it with a visual basic script see https://raw.githubusercontent.com/fusioninventory/fusioninventory-agent/develop/contrib/windows/fusioninventory-agent-deployment.vbs
but as for your error 2.6 is the latest the error message makes me think two things
it’s trying to connect to http://192.168.100.168:444 instead of https://192.168.100.168 (or if I’m wrong about that it’s working but after being redirected to https it’s getting confused)
Permissions it may be that the agent is working correctly but trying to connect to http://ip/glpi/plugins/fusioninventory it’s getting denied
so just to check a few things is your glpi gui accessable from https://ip/glpi or https://ip
also what are the settings you used during install on windows if your steps were like
did you put https://192.168.100.168/glpi/plugins/fusioninventory/ or http://192.168.100.168/glpi/plugins/fusioninventory/
also some discussion on running glpi on dmz some relevance
also on the pc your trying to make it work with did you select the built in web server option if so make sure you can see the service page at http://localhost:62354/
PS C:\Program Files\FusionInventory-Agent> .\fusioninventory-agent.bat --logger=Stderr --debug --server=http://192.168.100.168/glpi/plugins/fusioninventory/
[debug] Logger backend File initialised
[debug] FusionInventory Agent (2.6)
[debug] Configuration directory: C:\Program Files\FusionInventory-Agent\etc
[debug] Data directory: C:\Program Files\FusionInventory-Agent/share
[debug] Storage directory: C:\Program Files\FusionInventory-Agent/var
[debug] Lib directory: C:\Program Files\FusionInventory-Agent/perl/agent
[debug] [target server0] Next server contact planned for Mon Dec 6 01:40:43 2021
[debug] Available tasks:
[debug] - Maintenance: 1.1
[debug] - WMI: 0.3
[debug] - NetInventory: 4.2
[debug] - NetDiscovery: 4.2
[debug] - Collect: 2.6
[debug] - Inventory: 1.10
[debug] - ESX: 2.6
[debug] - Deploy: 2.8
[debug] - WakeOnLan: 2.2
[debug] target server0: server http://192.168.100.168/glpi/plugins/fusioninventory/
[debug] Planned tasks for server0:
[debug] - WMI: 0.3
[debug] - NetInventory: 4.2
[debug] - NetDiscovery: 4.2
[debug] - Collect: 2.6
[debug] - Inventory: 1.10
[debug] - ESX: 2.6
[debug] - Deploy: 2.8
[debug] - WakeOnLan: 2.2
[debug] target scheduler0: scheduler
[debug] Planned tasks for scheduler0:
[debug] - Maintenance: 1.1
[debug] Provided by Fusioninventory
[debug] Installer built with Appveyor on Fri Nov 27 15:35:24 UTC 2020
[debug] Logger backend File initialised
[debug] Running in foreground mode
[info] target server0: server http://192.168.100.168/glpi/plugins/fusioninventory/
[debug] [http client] Using Compress::Zlib for compression
[info] sending prolog request to server0
[error] [http client] communication error: 500 Can't connect to 192.168.100.168:443 (Bad file descriptor)
[error] No answer from server at http://192.168.100.168/glpi/plugins/fusioninventory/
[info] running task Maintenancemy understanding is it should be set to https://192.168.100.168/glpi/plugins/fusioninventory/
should be able to edit the bat file C:\Program Files\FusionInventory-Agent\fusioninventory-agent.bat
I’m checking to see if permissions are potential issue as the agent AFAIK queries the pc then generates a report in xml format then uploads it to glpi
Ive found a work around I’m testing it now if it works ill post the steps
while testing the work around i tried curl http://host/glpi/plugins/fusioninventory/
and got
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://host/plugins/fusioninventory/">here</a>.</p>
</body></html>
so I’m thinking the agent is trying to querry the server to get instructions but is being met with the redirection notice and giving up try changing the http to https in the bat file and try again and post the results
update:
I was wrong keep the http:// in the batfile and make sure to unhash local = /tmp
in my agent.cfg (it’s mac not windows so bat file would be windows equivilent)
truncated
# send tasks results to a FusionInventory for GLPI server
server = http://ip/glpi/plugins/fusioninventory/
# write tasks results in a directory
local = /tmp
also make sure the permissions on the server have apache user ie www-data (if ubuntu or debian) or httpd (if centos or redhat)
chown www-data:www-data -R path(ie /var/www/html)/glpi/plugins/fusioninventory
restart the machine and run force inventory and in a few minutes it should appear in fusion inventory
Let me know if you have issues with the above advise if so ill try to get access to a windows machine and test
I’ve just successfully tested with the glpi inventory app on my Phone using the above settings
I was able to do it with the portable version of the agent: fusioninventory-agent_windows-x64_2.6-portable.exe
I just changed two things in the /etc/agent.conf:
server = https://192.168.100.168/glpi/plugins/fusioninventory/
no-ssl-check = 1
The full agent.conf is here:
# fusioninventory agent configuration
# all defined values match default
# all commented values are examples
#
# Target definition options
#
# send tasks results to an OCS server
#server = http://server.domain.com/ocsinventory
# send tasks results to a FusionInventory for GLPI server
server = https://192.168.100.168/glpi/plugins/fusioninventory/
# write tasks results in a directory
#local = /tmp
#
# Task definition options
#
# disable software deployment tasks
#no-task = deploy
#tasks = inventory,deploy,inventory
#
# Target scheduling options
#
# maximum delay before first target, in seconds
# Also the maximum delay on network error. Delay on network error starts
# from 60, is doubled at each new failed attempt until reaching delaytime.
delaytime = 3600
# do not contact the target before next scheduled time
lazy = 0
#
# Inventory task specific options
#
# do not list local printers
# no-category = printer
# allow to scan user home directories
scan-homedirs = 0
# allow to scan user profiles
scan-profiles = 0
# save the inventory as HTML
html = 0
# timeout for inventory modules execution
backend-collect-timeout = 180
# always send data to server
force = 0
# additional inventory content file
additional-content =
#
# Package deployment task specific options
#
# do not use peer to peer to download files
no-p2p = 0
#
# Network options
#
# proxy address
proxy =
# user name for server authentication
user =
# password for server authentication
password =
# CA certificates directory
ca-cert-dir =
# CA certificates file
ca-cert-file =
# do not check server SSL certificate
no-ssl-check = 1
# connection timeout, in seconds
timeout = 180
#
# Web interface options
#
# disable embedded web server
no-httpd = 0
# network interface to listen to
httpd-ip = 0.0.0.0
# network port to listen to
httpd-port = 62354
# trust requests without authentication token
httpd-trust = 127.0.0.1/32
#
# Logging options
#
# Logger backend, either Stderr, File or Syslog (Stderr)
logger = File
# log file
logfile = 'C:\Program Files\FusionInventory-Agent\logs\fusioninventory-agent.log'
# maximum log file size, in MB
#logfile-maxsize = 0
# Syslog facility
logfacility = LOG_USER
# Use color in the console
color = 0
#
# Execution mode options
#
# add given tag to inventory results
tag =
# debug mode
debug = 0
# time to wait to reload config (0 means no reload, it's default value)
# conf-reload-interval = 0
# Since 2.4, you can include all .cfg files from a folder or any given file
# For example:
# 1. file "conf.d/tag.cfg" contains "tag = 'entity123'"
# using "include 'conf.d' will set tag to 'entity123'
# 2. file "/etc/production/glpi-tag" contains "tag = 'entity123'"
# using "include '/etc/production/glpi-tag' will set tag to 'entity123'
# Remark:
# 1. Prefer to use full path to avoid confusion, but be aware relative paths are
# relative against current config file folder
# 2. A parameter set in included file can be over-rided if set again after the directive
# 3. *.cfg files are read in order in folder, it's better to prefix them with a number
# 4. Package maintainers are encouraged to use this feature to avoid conflict
# during upgrades after configuration update
#
#include "conf.d/"
#include "agent.local"
include "conf.d/"
I used Powershell with admin-rights with or without debug option:
PS C:\Users\support\Downloads\FusionInventory-Agent> .\fusioninventory-agent.bat --debug
Now lets see HowTo deploy the agent to all clients automatically…
Are they with ad (nethserver or Ms) if so just deploy with group policy should be able to use the bat script instead of exe or make a bat script with parameter to run once and have it call the install in silent mode
I use this startup script now to install the Fusioninventory Agent:
@echo off
if exist "C:\Program Files\FusionInventory-Agent\fusioninventory-agent.bat" (
echo "Installed!"
) else (
\\ad.mydomain.lan\sysvol\ad.mydomain.lan\programs\fusioninventory\fusioninventory-agent_windows-x64_2.6.exe /acceptlicense /execmode=service /installtasks=Collect,Deploy,Inventory,NetDiscovery,NetInventory /runnow /S /httpd /httpd-ip=0.0.0.0 /httpd-port=62354 /httpd-trust='192.168.100.0/24,fe80::/64,127.0.0.0/8,::1/128' /server='https://192.168.100.168/glpi/plugins/fusioninventory' /logfile=64 /no-ssl-check /password=admin /user=admin /scan-homedirs /scan-profiles /tag='mydomain.lan' /tasks=Collect,Deploy,Inventory,NetDiscovery,NetInventory /add-firewall-exception
)