MeshCentral (web remote management)
Description
MeshCentral is a web-based remote monitoring and management tool.
Please see this general demo video
Installation
Valid Certificate and Virtualhost needed
MeshCentral needs a valid certificate to work. You may use a Let's Encrypt certificate. To be reachable for users and agents, MeshCentral needs a dedicated virtual host with an FQDN such as mydomain.org. You may use a Dynamic DNS provider.
mrmarkuz repo
Install the mrmarkuz repo to ease installation and updates.
NethServer MeshCentral
Install nethserver-meshcentral:
yum -y --enablerepo=mrmarkuz install nethserver-meshcentral
Virtualhost
Set the domain to reach the MeshCentral instance.
config setprop meshcentral VirtualHost mydomain.org
Security
IP Filter
IP filtering can be applied to users and agents. By default, access is allowed from everywhere for both users and agents. I recommend using the IP filter. In this example, agents and web users from the local network 192.168.0.0/24 are allowed, and the external agent with IP 1.2.3.4 is allowed too.
config setprop meshcentral UserAllowedIP 192.168.0.0/24
config setprop meshcentral AgentAllowedIP 192.168.0.0/24,1.2.3.4
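An allow-list entry that leaves out the address you administer from would block your own web access, so it is worth testing a value before setting it. The following check is an added example, not part of nethserver-meshcentral; it assumes the comma-separated IPv4 address/CIDR format shown above, and the function names ip_to_int and ip_allowed are made up for this illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for a UserAllowedIP / AgentAllowedIP value.
# Assumes comma-separated IPv4 addresses or CIDR ranges, as in the example above.

# ip_to_int A.B.C.D: print the address as a 32-bit integer; fail on bad input.
ip_to_int() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# ip_allowed IP LIST: 0 = IP matches an entry, 1 = no match, 2 = malformed input.
ip_allowed() {
    case "$2" in *[!0-9./,]*) return 2 ;; esac          # rejects spaces, globs, IPv6
    addr=$(ip_to_int "$1") || return 2
    old_ifs=$IFS; IFS=,; set -- $2; IFS=$old_ifs
    for entry in "$@"; do
        case "$entry" in
            */*) net=${entry%/*}; bits=${entry#*/} ;;
            *)   net=$entry; bits=32 ;;
        esac
        case "$bits" in ''|*[!0-9]*|0?*|???*) return 2 ;; esac
        [ "$bits" -le 32 ] || return 2
        base=$(ip_to_int "$net") || return 2
        [ "$bits" -eq 0 ] && return 0                   # /0 matches every address
        shift_by=$(( 32 - bits ))
        [ $(( addr >> shift_by )) -eq $(( base >> shift_by )) ] && return 0
    done
    return 1
}

# Constructed probes against the list from the example above.
AGENT_ALLOWED='192.168.0.0/24,1.2.3.4'
for probe in 192.168.0.57 1.2.3.4 203.0.113.9; do
    if ip_allowed "$probe" "$AGENT_ALLOWED"; then
        echo "$probe: allowed"
    else
        echo "$probe: blocked"
    fi
done
```

A return code of 2 means the list itself is malformed (for example a stray space or a prefix length above 32) and should be corrected before it is passed to config setprop.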
2FA
MeshCentral supports 2FA. It's fully manageable via the web UI: in the “My Account” tab, go to “Manage authenticator app”. I recommend 2FA when using MeshCentral over WAN or on a VPS.
Mail Validation
It's possible to validate users by email. To enable mail validation:
config setprop meshcentral MailValidation enabled
If you do not use the local mail server or would like to edit the “From” address:
config setprop meshcentral MailHost mail.somehost.tld
config setprop meshcentral MailPort 587
config setprop meshcentral MailFrom user@somehost.tld
config setprop meshcentral MailTLS enabled
Customize MeshCentral
To customize the title or the pictures:
config setprop meshcentral Title 'My NethCentral'
config setprop meshcentral Title2 'This is my NethCentral Server'
config setprop meshcentral TitlePicture 'title.png'
config setprop meshcentral LoginPicture 'login.png'
AD/LDAP
MeshCentral uses internal authentication by default. You can enable AD/LDAP authentication, but the two methods cannot be used at the same time, so you have to choose one. It's possible to create an internal user, enable AD/LDAP, log in with AD/LDAP users, then disable AD/LDAP and log in with the internal user created earlier. This way you always have an untouched backup admin.
config setprop meshcentral ldap enabled
MeshCentral checks whether the certificate used on the DC is valid. To use AD, you need to either disable strong auth in smb.conf or add the nsdc host to the Let's Encrypt certificate and copy it to the DC.
See NethServer Community for more details.
VPS configuration
On a VPS it's recommended to disable LAN mode and run in WAN mode only:
config setprop meshcentral WANOnly enabled
Apply configuration change
After configuration changes, the new config needs to be applied:
signal-event nethserver-meshcentral-update
Admin user
Browse to your virtual host domain and you should see the MeshCentral login page. The first account that is created, or the first to log in when AD/LDAP is used, becomes the administrator.
Upgrade MeshCentral
To upgrade MeshCentral to the latest version:
signal-event nethserver-meshcentral-upgrade
Intel AMT
MeshCentral supports Intel AMT. It runs on port 4433, but you need to open the port in the firewall or service settings. I did not test AMT yet.
Issues
Please raise issues on the NethServer Community.
Links
Community threads:
Maintainer
mrmarkuz | dev@markusneuberger.at | https://www.markusneuberger.at