Prefer not to host it yourself? Our NetLock RMM Cloud offers a secure and hassle-free solution starting at just €30 per month. Check it out here: NetLock RMM Cloud. Additionally, we provide on-premises installation services for those who prefer that option.
In this guide, we will cover the basic server installation. If you are a larger company, consider opting for the advanced server installation.
The server and web console can be installed either in the cloud or in offline environments, depending on your specific requirements.
The network structure will be as follows:
The agents only perform outgoing connections, so port forwarding is not required on these machines. The web console renders the content server-sided and then sends it to the user’s browser. Therefore, a permanent connection between the web console and user is necessary for operation. The web console communicates either directly with the SQL server or contacts the NetLock remote server through SignalR in cases like using the remote shell and file browser. Ensure the connection between the web console and NetLock remote server is possible. The web console should only be accessible from trusted environments.
If you want to deploy NetLock RMM with Docker for Linux, follow the steps below.
The following tags are available:
When using the latest tag for your NetLock RMM image, it’s important to first verify whether a new version has been released and check for any critical update instructions. This helps ensure you are aware of potential changes or compatibility requirements before pulling the image in an existing environment.
Alternatively, by selecting a version tag, you can ensure consistency within your environment, keeping your setup on a specific release that will only receive critical hotfixes. This prevents unintentional upgrades to newer major versions and helps maintain operational stability by avoiding any unexpected changes in functionality.
mkdir -p /home/netlock/web_console
mkdir -p /home/netlock/web_console/accounts
nano /home/netlock/web_console/appsettings.json
{
  "Logging": {
    "LogLevel": {
      "Default": "Warning",
      "Microsoft": "Error",
      "Microsoft.Hosting.Lifetime": "Warning"
    }
  },
  "AllowedHosts": "*",
  "Kestrel": {
    "Endpoint": {
      "Http": {
        "Enabled": false,
        "Port": 80
      },
      "Https": {
        "Enabled": true,
        "Port": 443,
        "Force": true,
        "Hsts": {
          "Enabled": true
        },
        "Certificate": {
          "Path": "certificates/certificate.pfx",
          "Password": "your-cert-password"
        }
      }
    }
  },
  "NetLock_Remote_Server": {
    "Server": "demo.netlockrmm.com",
    "Port": 7443,
    "UseSSL": true
  },
  "NetLock_File_Server": {
    "Server": "demo.netlockrmm.com",
    "Port": 7443,
    "UseSSL": true
  },
  "MySQL": {
    "Server": "127.0.0.1",
    "Port": 3306,
    "Database": "netlock",
    "User": "root",
    "Password": "Bochum234",
    "SslMode": "None",
    "AdditionalConnectionParameters": ""
  },
  "LettuceEncrypt": {
    "Enabled": true,
    "AcceptTermsOfService": true,
    "DomainNames": [ "demo.netlockrmm.com" ],
    "EmailAddress": "example@0x101-cyber-security.de",
    "AllowedChallengeTypes": "Http01, TlsAlpn01, Dns01"
  },
  "Webinterface": {
    "Title": "Your company name",
    "Language": "en-US",
    "Membership_Reminder": true,
    "Default_Package_Configuration": {
      "ssl": true,
      "communication_servers": "ip/hostname:port",
      "remote_servers": "ip/hostname:port",
      "update_servers": "ip/hostname:port",
      "trust_servers": "ip/hostname:port",
      "file_servers": "ip/hostname:port",
      "language": "en-US"
    }
  }
}
Next, the individual entries in the appsettings.json file need to be customized to suit your environment. This can be done easily by following the guidelines below, which explain the key configurations in appsettings.json and what each setting does. Adjust the values according to your environment’s requirements.
We strongly recommend enabling HTTPS. To do so, disable HTTP, enable HTTPS, and set Force to true. Also, enable HSTS.
"Kestrel": {
  "Endpoint": {
    "Http": {
      "Enabled": false,
      "Port": 80
    },
    "Https": {
      "Enabled": true,
      "Port": 443,
      "Force": true,
      "Hsts": {
        "Enabled": true
      },
      "Certificate": {
        "Path": "certificates/certificate.pfx",
        "Password": "your-cert-password"
      }
    }
  }
},
For SSL Encryption, add your own certificate, or use the Let’s Encrypt integration to easily retrieve one.
"LettuceEncrypt": {
  "Enabled": true,
  "AcceptTermsOfService": true,
  "DomainNames": [ "demo.netlockrmm.com" ],
  "EmailAddress": "nico.mak@0x101-cyber-security.de",
  "AllowedChallengeTypes": "Http01, TlsAlpn01, Dns01"
},
Configure your MySQL Server. Ensure that the database exists; the Web Console will create the necessary tables itself. If your MySQL server is on the same machine, you may want to add AllowPublicKeyRetrieval=True; to the AdditionalConnectionParameters to prevent connection issues after your system has rebooted.
"MySQL": {
  "Server": "127.0.0.1",
  "Port": 3306,
  "Database": "netlock",
  "User": "root",
  "Password": "Bochum234",
  "SslMode": "None",
  "AdditionalConnectionParameters": ""
},
Since the web console communicates with the NetLock RMM Server through SignalR, you need to ensure that the web console can connect to the remote and file server. Set UseSSL to true and change the port to the SSL port if the NetLock RMM Server uses SSL.
"NetLock_Remote_Server": {
  "Server": "demo.netlockrmm.com",
  "Port": 7443,
  "UseSSL": true
},
"NetLock_File_Server": {
  "Server": "demo.netlockrmm.com",
  "Port": 7443,
  "UseSSL": true
},
The web console currently supports de-DE (German) and en-US (English). In this example, en-US is configured.
"Webinterface": {
  "Title": "Your company name",
  "Language": "en-US",
  "Membership_Reminder": true,
  "Default_Package_Configuration": {
    "ssl": true,
    "communication_servers": "ip/hostname:port",
    "remote_servers": "ip/hostname:port",
    "update_servers": "ip/hostname:port",
    "trust_servers": "ip/hostname:port",
    "file_servers": "ip/hostname:port",
    "language": "en-US"
  }
}
NetLock RMM automatically adds firewall rules to your Windows Firewall based on your configuration. Ensure that port forwarding on your router or firewall is set up correctly. Use tools like telnet to verify that the ports are open.
The container is now ready to be started. Adjust the path to your appsettings.json as needed to match your environment and any specific configurations. You can launch the container using the docker run command, and the application will use your custom settings.
docker run --restart=always -d -p 80:80 -p 443:443 \
-v "/path/to/appsettings.json:/app/appsettings.json" \
-v "/path/to/accounts:/app/accounts" \
nicomak101/netlock-rmm-web-console:latest
Example according to the tutorial:
docker run --restart=always -d -p 80:80 -p 443:443 \
-v "/home/netlock/web_console/appsettings.json:/app/appsettings.json" \
-v "/home/netlock/web_console/accounts:/app/accounts" \
nicomak101/netlock-rmm-web-console:latest
Open your browser and navigate to the Web Console’s IP address, hostname, or domain. You should see the login page that looks something like this:
The default username and password are admin. After logging in, you will be prompted to configure a new password. If you lose your new password for any reason, connect to the database, go to the accounts table, and set reset_password to 1 for the user.
The package provider URL must be set to enable the NetLock RMM server backend to retrieve agent packages. You can either package and deploy these yourself or use the NetLock Members Portal, which is a faster and recommended option. For more details about the free Members Portal, visit: https://docs.netlockrmm.com/en/members-portal
To set the Package Provider URL, navigate to Settings -> System in the left navigation bar. Scroll down to the bottom of the System settings, where you can enter the Package Provider URL. This setting ensures your server backend can access the necessary packages for managing and updating the NetLock RMM agents.
Follow the same procedure.
mkdir -p /home/netlock/server
mkdir -p /home/netlock/server/accounts
mkdir -p /home/netlock/server/files
nano /home/netlock/server/appsettings.json
{
  "Logging": {
    "LogLevel": {
      "Default": "Warning",
      "Microsoft": "Error",
      "Microsoft.Hosting.Lifetime": "Warning",
      "Microsoft.AspNetCore.SignalR": "Error",
      "Microsoft.AspNetCore.Http.Connections": "Error"
    }
  },
  "AllowedHosts": "*",
  "Kestrel": {
    "Endpoint": {
      "Http": {
        "Enabled": false,
        "Port": 7080
      },
      "Https": {
        "Enabled": true,
        "Port": 7443,
        "Force": true,
        "Hsts": {
          "Enabled": true
        },
        "Certificate": {
          "Path": "certificates/certificate.pfx",
          "Password": "your-cert-password"
        }
      }
    },
    "Roles": {
      "Comm": true,
      "Update": true,
      "Trust": true,
      "Remote": true,
      "Notification": true,
      "File": true,
      "LLM": true
    }
  },
  "MySQL": {
    "Server": "127.0.0.1",
    "Port": 3306,
    "Database": "netlock",
    "User": "root",
    "Password": "Bochum234",
    "SslMode": "None",
    "AdditionalConnectionParameters": ""
  },
  "LettuceEncrypt": {
    "Enabled": true,
    "AcceptTermsOfService": true,
    "DomainNames": [ "demo.netlockrmm.com" ],
    "EmailAddress": "nico.mak@0x101-cyber-security.de",
    "AllowedChallengeTypes": "Http01, TlsAlpn01, Dns01"
  }
}
Next, the individual entries in the appsettings.json file need to be customized to suit your environment. This can be done easily by following the guidelines below, which explain the key configurations in appsettings.json and what each setting does. Adjust the values according to your environment’s requirements.
We strongly recommend enabling HTTPS. To do so, disable HTTP, enable HTTPS, and set Force to true. Also, enable HSTS.
"Kestrel": {
  "Endpoint": {
    "Http": {
      "Enabled": false,
      "Port": 7080
    },
    "Https": {
      "Enabled": true,
      "Port": 7443,
      "Force": true,
      "Hsts": {
        "Enabled": true
      },
      "Certificate": {
        "Path": "certificates/certificate.pfx",
        "Password": "your-cert-password"
      }
    }
  },
For SSL encryption, add your own certificate or use the Let’s Encrypt integration to easily obtain one.
"LettuceEncrypt": {
  "Enabled": true,
  "AcceptTermsOfService": true,
  "DomainNames": [ "demo.netlockrmm.com" ],
  "EmailAddress": "nico.mak@0x101-cyber-security.de",
  "AllowedChallengeTypes": "Http01, TlsAlpn01, Dns01"
},
Configure your MySQL Server. If your MySQL server is on the same machine, you may want to add AllowPublicKeyRetrieval=True; to the AdditionalConnectionParameters to prevent connection issues after your system reboots.
"MySQL": {
  "Server": "127.0.0.1",
  "Port": 3306,
  "Database": "netlock",
  "User": "root",
  "Password": "Bochum234",
  "SslMode": "None",
  "AdditionalConnectionParameters": ""
},
Since the basic server installation covers only one server, ensure that all server roles are set to true.
"Roles": {
  "Comm": true,
  "Update": true,
  "Trust": true,
  "Remote": true,
  "Notification": true,
  "File": true,
  "LLM": true
}
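The HTTPS, UseSSL/port and role settings described in this guide can be cross-checked before the containers are started. The following Python script is an added example, not part of NetLock RMM or its documentation; it assumes the basic single-server layout, and the function names, the hostname rmm.example.test and both sample configs are constructed for illustration.

```python
import json

ROLES = ("Comm", "Update", "Trust", "Remote", "Notification", "File", "LLM")

def https_block(cfg):
    return cfg.get("Kestrel", {}).get("Endpoint", {}).get("Https", {})

def check_https(cfg):
    """Kestrel findings: HTTP off, HTTPS on, Force and HSTS on (missing keys are reported too)."""
    http = cfg.get("Kestrel", {}).get("Endpoint", {}).get("Http", {})
    https = https_block(cfg)
    out = []
    if http.get("Enabled") is not False:
        out.append("Http.Enabled should be false")
    for key in ("Enabled", "Force"):
        if https.get(key) is not True:
            out.append(f"Https.{key} should be true")
    if https.get("Hsts", {}).get("Enabled") is not True:
        out.append("Https.Hsts.Enabled should be true")
    return out

def check_pair(console, server):
    """Cross-check the web console config against the single basic-install server."""
    out = [f"web console: {m}" for m in check_https(console)]
    out += [f"server: {m}" for m in check_https(server)]
    srv = https_block(server)
    if srv.get("Enabled") is True:  # server uses SSL, so the console must follow
        for key in ("NetLock_Remote_Server", "NetLock_File_Server"):
            link = console.get(key, {})
            if link.get("UseSSL") is not True:
                out.append(f"web console: {key}.UseSSL should be true")
            if link.get("Port") != srv.get("Port"):
                out.append(f"web console: {key}.Port is {link.get('Port')}, "
                           f"server HTTPS port is {srv.get('Port')}")
    roles = server.get("Kestrel", {}).get("Roles", {})
    out += [f"server: Roles.{r} should be true" for r in ROLES if roles.get(r) is not True]
    return out

# Constructed sample configs (trimmed to the keys being checked), not real deployments.
CONSOLE = json.loads("""{"Kestrel": {"Endpoint": {"Http": {"Enabled": false, "Port": 80},
  "Https": {"Enabled": true, "Port": 443, "Force": true, "Hsts": {"Enabled": true}}}},
  "NetLock_Remote_Server": {"Server": "rmm.example.test", "Port": 7443, "UseSSL": true},
  "NetLock_File_Server": {"Server": "rmm.example.test", "Port": 7080, "UseSSL": false}}""")
SERVER = json.loads("""{"Kestrel": {"Endpoint": {"Http": {"Enabled": true, "Port": 7080},
  "Https": {"Enabled": true, "Port": 7443, "Force": true, "Hsts": {"Enabled": false}}},
  "Roles": {"Comm": true, "Update": true, "Trust": true, "Remote": true,
            "Notification": true, "File": true, "LLM": false}}}""")

if __name__ == "__main__":
    print("\n".join(check_pair(CONSOLE, SERVER)))
```

To check real files, pass the results of json.load on the two appsettings.json files to check_pair; an empty list means the settings match this guide.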
NetLock RMM automatically adds firewall rules to your Windows Firewall based on your configuration. Ensure that port forwarding on your router or firewall is correctly set up. Use tools like telnet to verify that the ports are open.
The container is now ready to be started. Adjust the path to your appsettings.json as needed to match your environment and any specific configurations. You can launch the container using the docker run command, and the application will use your custom settings.
docker run --restart=always -d -p 7080:7080 -p 7443:7443 \
-v "/path/to/appsettings.json:/app/appsettings.json" \
-v "/path/to/files:/app/www/private/files" \
-v "/path/to/accounts:/app/accounts" \
nicomak101/netlock-rmm-server:latest
Example according to the tutorial:
docker run --restart=always -d -p 7080:7080 -p 7443:7443 \
-v "/home/netlock/server/appsettings.json:/app/appsettings.json" \
-v "/home/netlock/server/files:/app/www/private/files" \
-v "/home/netlock/server/accounts:/app/accounts" \
nicomak101/netlock-rmm-server:latest
Check the output logs to verify that the required packages are being set up successfully. Look for specific messages confirming installation steps and any errors that might indicate an issue with the setup. Example output:
2024-11-04 21:58:33 Server role (notification): True
2024-11-04 21:58:33 Server role (file): True
2024-11-04 21:58:33 Microsoft Defender Firewall is disabled. You should enable it for your own safety. NetLock adds firewall rules automatically according to your configuration.
2024-11-04 21:58:33 MySQL connection successful.
2024-11-04 21:58:34 Packages are ready..
Check the web console to confirm that the new NetLock RMM server has appeared, is active, and connected.
To view container logs, use:
docker logs CONTAINERID
If you encounter an error similar to this:
Server role (notification): True
Server role (file): True
Microsoft Defender Firewall is disabled. You should enable it for your own safety. NetLock adds firewall rules automatically according to your configuration.
MySQL connection successful.
Packages are ready...
fail: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
Failed to validate ownership of domainName 'demo-private.netlockrmm.com'. Reason: urn:ietf:params:acme:error:tls: 159.69.39.48: remote error: tls: no application protocol, Code = BadRequest
fail: LettuceEncrypt.Internal.AcmeStates.ServerStartupState[0]
Failed to automatically create a certificate for demo-private.netlockrmm.com
System.InvalidOperationException: Failed to validate ownership of domainName 'demo-private.netlockrmm.com'
at LettuceEncrypt.Internal.AcmeCertificateFactory.ValidateDomainOwnershipAsync(IAuthorizationContext authorizationContext, CancellationToken cancellationToken)
at LettuceEncrypt.Internal.AcmeCertificateFactory.CreateCertificateAsync(CancellationToken cancellationToken)
at LettuceEncrypt.Internal.AcmeStates.BeginCertificateCreationState.MoveNextAsync(CancellationToken cancellationToken)
fail: LettuceEncrypt.Internal.AcmeCertificateLoader[0]
ACME state machine encountered unhandled error
System.InvalidOperationException: Failed to validate ownership of domainName 'demo-private.netlockrmm.com'
at LettuceEncrypt.Internal.AcmeCertificateFactory.ValidateDomainOwnershipAsync(IAuthorizationContext authorizationContext, CancellationToken cancellationToken)
at LettuceEncrypt.Internal.AcmeCertificateFactory.CreateCertificateAsync(CancellationToken cancellationToken)
at LettuceEncrypt.Internal.AcmeStates.BeginCertificateCreationState.MoveNextAsync(CancellationToken cancellationToken)
at LettuceEncrypt.Internal.AcmeCertificateLoader.ExecuteAsync(CancellationToken stoppingToken)
Server running!
OS: Debian GNU/Linux 12 (bookworm)
Architecture: X64
Framework: .NET 8.0.10
This issue can occur when both the NetLock RMM Web Console and the NetLock RMM Server are hosted on the same server. You can fix this easily by following these steps:
Delete the Let’s Encrypt .json file in the /server/accounts directory. In this example, it’s located at:
rm /home/netlock/server/accounts/acme-v02.api.letsencrypt.org/directory/RANDOMNUMBER.json
Copy the Let’s Encrypt .json file from your NetLock RMM Web Console to the NetLock RMM Server path. For example:
cp /home/netlock/web_console/accounts/acme-v02.api.letsencrypt.org/directory/RANDOMNUMBER.json /home/netlock/server/accounts/acme-v02.api.letsencrypt.org/directory
Restart your NetLock RMM Server container. This should resolve the issue. The System Status page in the web console should now display the NetLock RMM Server as connected.
Everything is now set up! If you encounter any issues, feel free to ask for help on Discord. If you have a membership, we’re happy to assist remotely as well—just get in touch with us.