2019/03/04 12:06 · HF

MeshCentral (web remote management)

MeshCentral is a web-based remote monitoring and management tool.

Please see this general demo video

MeshCentral needs a valid certificate to work. You may use a Let's Encrypt certificate. To be reachable for users and agents, MeshCentral needs a dedicated virtualhost with an FQDN like mydomain.org. You may use a Dynamic DNS provider.

Install the mrmarkuz repo to ease installation and updates.

Install nethserver-meshcentral:

yum -y --enablerepo=mrmarkuz install nethserver-meshcentral

Set the domain to reach the MeshCentral instance.

config setprop meshcentral VirtualHost mydomain.org

IP Filter

IP filtering can be done for users and agents. By default, access is allowed from everywhere for both users and agents. I recommend using the IP filter. In this example, agents and web users from the local network 192.168.0.0/24 are allowed, and the external agent with IP 1.2.3.4 is allowed too.

config setprop meshcentral UserAllowedIP 192.168.0.0/24
config setprop meshcentral AgentAllowedIP 192.168.0.0/24,1.2.3.4
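
A pre-flight check for the allowlist values before they are passed to config setprop, as an added example that is not part of the original page or the module. The function names and the 256-address threshold are hypothetical, and it assumes entries are evaluated as ordinary CIDR ranges or single addresses.

```python
import ipaddress

# Values taken from the example above.
USER_ALLOWED = "192.168.0.0/24"
AGENT_ALLOWED = "192.168.0.0/24,1.2.3.4"


def parse_allowlist(value):
    """Split a comma-separated allowlist; return (networks, problems)."""
    networks, problems = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            problems.append("empty entry (stray comma)")
            continue
        try:
            # strict=True rejects typos such as 192.168.0.5/24 (host bits set)
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"{entry}: {exc}")
            continue
        if net.prefixlen == 0:
            problems.append(f"{entry}: matches every address, filter has no effect")
        elif not net.is_private and net.num_addresses > 256:
            # Assumed threshold: public ranges larger than a /24 are flagged.
            problems.append(f"{entry}: broad public range ({net.num_addresses} addresses)")
        networks.append(net)
    return networks, problems


def is_allowed(source_ip, value):
    """True if source_ip falls inside any valid entry of the allowlist."""
    addr = ipaddress.ip_address(source_ip)
    networks, _ = parse_allowlist(value)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    for name, value in (("UserAllowedIP", USER_ALLOWED), ("AgentAllowedIP", AGENT_ALLOWED)):
        nets, problems = parse_allowlist(value)
        print(name, [str(n) for n in nets], problems or "ok")
    # The external agent is admitted as an agent but not as a web user.
    print(is_allowed("1.2.3.4", AGENT_ALLOWED), is_allowed("1.2.3.4", USER_ALLOWED))
```
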

2FA

MeshCentral supports 2FA. It is fully manageable via the web UI: in the “My Account” tab, go to “Manage authenticator app”. I recommend 2FA when using MeshCentral over WAN or on a VPS.

Mail Validation

It's possible to validate users by email. To enable mail validation:

config setprop meshcentral MailValidation enabled

If you do not use the local mail server or would like to change the “From” address:

config setprop meshcentral MailHost mail.somehost.tld
config setprop meshcentral MailPort 587
config setprop meshcentral MailFrom user@somehost.tld
config setprop meshcentral MailTLS enabled

To customize the title or the pictures:

config setprop meshcentral Title 'My NethCentral'
config setprop meshcentral Title2 'This is my NethCentral Server'
config setprop meshcentral TitlePicture 'title.png'
config setprop meshcentral LoginPicture 'login.png'

MeshCentral uses internal authentication by default. You can enable AD/LDAP authentication, but the two methods cannot be used at the same time, so you have to choose one. It's possible to create an internal user, enable AD/LDAP, log in with AD/LDAP users, then disable AD/LDAP and log in with the internal user created earlier. This way you always have an untouched backup admin.

config setprop meshcentral ldap enabled

MeshCentral checks whether the certificate used on the DC is valid. To use AD, you need to either disable strong auth in smb.conf or add the nsdc host to the Let's Encrypt certificate and copy it to the DC.

See NethServer Community for more details.

For a VPS, it's recommended to disable LAN mode and run in WAN mode only:

config setprop meshcentral WANOnly enabled

After configuration changes, the new config needs to be applied:

signal-event nethserver-meshcentral-update

Browse to your virtualhost domain and you should see the MeshCentral login page. The first account that is created, or the first to log in (AD/LDAP), becomes the administrator.

To upgrade MeshCentral to the latest version:

signal-event nethserver-meshcentral-upgrade

MeshCentral supports Intel AMT. It runs on port 4433, but you need to open the port in the firewall or service settings. I did not test AMT yet.

Please raise issues on NethServer Community

  • Last modified: 2023/11/15 15:06
  • by Marc