First Service OpenZiti

Hello everyone,

I am new to this, I have managed to install OpenZiti on an AWS instance through the quick guide with Docker Compose.

I am creating my first service through ZAC but I cannot make my client computer have access to port 3389 of my Windows server.

I have done it with the OpenZiti guide and through the quick option in the ZAC. From NetFoundry I managed to connect to the server via RDP but on my own server I can't get it to work. I don't know if it's a problem with the server that doesn't allow it to work or if I'm configuring it incorrectly.

Thanks in advance, I hope you can help me, I am stuck with this and I don't know what else to do.

Hi @AnthonyBasdfg welcome to the community and to OpenZiti.

Do I understand you correctly: you set up CloudZiti and were successful with RDP, and now you're looking to host your own OpenZiti instance but you're not successful with RDP?

Are you using the ziti admin console to manage your overlay or are you using the ziti cli? Are you able to enroll an identity in your desktop edge? Have you looked at all the logs to see if there are any errors reported?

We'll need a bit more information from you to really know where and how to troubleshoot next.

Hello TheLumberjack, thank you for your prompt response,

Yes, you understood me correctly.

I am using the web administration console and I have registered my client and server computers as entities.

I just saw the logs, and in ziti-ziti-controller-1 it tells me the following:

[ 14.572] INFO ziti/controller/network.(*Network).Run: {routerId=[IAtJ4O8.r]} changed router
[ 851.018] ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {remote=[34.193.85.224:40814] error=[tls: first record does not look like a TLS handshake ]} handshake failed
[ 860.551] ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {remote=[34.193.85.224:45030] error=[tls: first record does not look like a TLS handshake ]} handshake failed
[ 865.200] ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {error=[tls: first record does not look like a TLS handshake] remote=[34.193.85.224:45040 ]} handshake failed
[ 868.339] ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {remote=[34.193.85.224:45048] error=[tls: first record does not look like a TLS handshake ]} handshake failed

And in the container ziti-ziti-edge-router-1:

[   6.397]    INFO ziti/router/enroll.(*RestEnroller).Enroll: registration complete
[   0.016]    INFO ziti/ziti/router.run: {build-date=[2024-02-10T05:53:17Z] revision=[7c53aa006529] version=[v0.32.2] configFile=[/persistent/ziti-edge-router.yaml] go-version=[go1.21.6] os=[linux] routerId=[IAtJ4O8.r] arch=[amd64]} starting ziti-router
[   0.017]    INFO ziti/common/metrics.ConfigureGoroutinesPoolMetrics.GoroutinesPoolMetricsConfigF.func1.1: {idleTime=[30s] maxQueueSize=[1000] minWorkers=[0] poolType=[pool.link.dialer] maxWorkers=[32]} starting goroutine pool
[   0.022]    INFO ziti/common/metrics.ConfigureGoroutinesPoolMetrics.GoroutinesPoolMetricsConfigF.func1.1: {maxQueueSize=[1000] maxWorkers=[128] idleTime=[30s] minWorkers=[0] poolType=[pool.route.handler]} starting goroutine pool
[   0.027]    INFO ziti/router/forwarder.(*Faulter).run: started
[   0.027]    INFO ziti/router/forwarder.(*Scanner).run: started
[   0.027] WARNING ziti/router/internal/edgerouter.(*Config).LoadConfigFromMap: Invalid heartbeat interval [0] (min: 60, max: 10), setting to default [60]
[   0.029]    INFO ziti/router.(*Router).showOptions: ctrl = {"OutQueueSize":4,"MaxQueuedConnects":1,"MaxOutstandingConnects":16,"ConnectTimeout":5000000000,"DelayRxStart":false,"WriteTimeout":0}
[   0.029]    INFO ziti/router.(*Router).showOptions: metrics = {"ReportInterval":60000000000,"IntervalAgeThreshold":0,"MessageQueueSize":10}
[   0.030]    INFO ziti/common/metrics.ConfigureGoroutinesPoolMetrics.GoroutinesPoolMetricsConfigF.func1.1: {maxWorkers=[15] idleTime=[30s] poolType=[pool.rate_limiter] minWorkers=[0] maxQueueSize=[5000]} starting goroutine pool
[   0.030]    INFO ziti/router.(*Router).initializeHealthChecks: starting health check with ctrl ping initially after 15s, then every 30s, timing out after 15s
[   0.031]    INFO ziti/router.(*Router).startXlinkDialers: started Xlink dialer with binding [transport]
[   0.031] WARNING ziti/router/xlink_transport.loadListenerConfig: {error=[no network interface found for 0.0.0.0] addr=[tls:0.0.0.0:10080]} unable to get interface for address
[   0.032]    INFO ziti/router/xlink_transport.(*listener).Listen.GoroutinesPoolMetricsConfigF.func1.1: {maxQueueSize=[1] idleTime=[10s] poolType=[pool.listener.link] minWorkers=[1] maxWorkers=[16]} starting goroutine pool
[   0.032]    INFO ziti/router.(*Router).startXlinkListeners: started Xlink listener with binding [transport] advertising [tls:ziti-edge-router:10080]
[   0.032]    INFO ziti/router/xgress_edge.(*listener).Listen: {address=[tls:0.0.0.0:3022]} starting channel listener
[   0.032]    INFO ziti/router/xgress_edge.(*listener).Listen.GoroutinesPoolMetricsConfigF.func1.1: {poolType=[pool.listener.xgress_edge] minWorkers=[1] maxQueueSize=[1] maxWorkers=[16] idleTime=[10s]} starting goroutine pool
[   0.033]    INFO ziti/router.(*Router).startXgressListeners: created xgress listener [edge] at [tls:0.0.0.0:3022]
[   0.033]    INFO ziti/router.(*Router).startXgressListeners: created xgress listener [tunnel] at []
[   0.033]    INFO ziti/router.(*Router).getInitialCtrlEndpoints: controller endpoints file [/persistent/endpoints] doesn't exist. Using initial endpoints from config
[   0.033]    INFO ziti/router.(*Router).startControlPlane: router configured with 1 controller endpoints
[   0.036]    INFO ziti/router/xgress_edge.(*Acceptor).Run: starting
[   0.037]    INFO ziti/router/env.(*networkControllers).UpdateControllerEndpoints: {endpoint=[map[tls:connect.barrezueta.me:6262:{}]]} adding new ctrl endpoint
[   0.037]    INFO ziti/router/env.(*networkControllers).connectToControllerWithBackoff: {endpoint=[tls:connect.barrezueta.me:6262]} starting connection attempts
[   0.092]    INFO ziti/router/env.(*networkControllers).connectToControllerWithBackoff.func3: {endpoint=[tls:connect.barrezueta.me:6262]} successfully connected to controller
[   0.092]    INFO ziti/router/link.(*linkRegistryImpl).NotifyOfReconnect: {ctrlId=[connect.barrezueta.me]} resending link states after reconnect
[   0.093]    INFO ziti/router/xgress_edge.(*Factory).NotifyOfReconnect: control channel reconnected, re-establishing hosted services
[   0.093]    INFO ziti/router/xgress_edge_tunnel.(*Factory).NotifyOfReconnect: control channel reconnected, re-establishing hosted services
[   0.107]    INFO ziti/router/handler_edge_ctrl.(*helloHandler).HandleReceive.func1: received server hello, replying
[   0.107]    INFO ziti/router/fabric.(*StateManagerImpl).AddSignerPublicCert: {added=[1] ignored=[0] received=[1]} received signer public certificates
[   0.111]    INFO ziti/router/fabric.(*StateManagerImpl).StartHeartbeat: heartbeat starting
[   0.111]    INFO ziti/router/xgress_edge_tunnel.(*tunneler).Start: {mode=[host]} creating interceptor
[   0.111] WARNING ziti/tunnel/dns.flushDnsCaches: {error=[exec: "resolvectl": executable file not found in $PATH]} unable to find systemd-resolve or resolvectl in path, consider adding a dns flush to your restart process
[   0.123]    INFO ziti/router/xgress_edge.(*CertExpirationChecker).Run: waiting 8615h59m59.08834358s to renew certificates
[   0.124]    INFO ziti/router/handler_edge_ctrl.(*apiSessionAddedHandler).instantSync: {strategy=[instant]} first api session syncId [clssc3h4a000howphcgrftku1], starting
[   0.124]    INFO ziti/router/handler_edge_ctrl.(*apiSessionSyncTracker).Add: received api session sync chunk 0, isLast=true
[   1.234]    INFO ziti/router/handler_edge_ctrl.(*apiSessionAddedHandler).applySync: finished synchronizing api sessions [count: 2, syncId: clssc3h4a000howphcgrftku1, duration: 144.123µs]
[   1.246]    INFO ziti/tunnel/intercept.SetDnsInterceptIpRange: dns intercept IP range: 100.64.0.1 - 100.127.255.254

I hope this can help you, thank you.

The first logs about the "first record does not..." are standard messages from port hits against the port on the controller. Since it has to be open to be reachable, port scans and all sorts of garbage requests are common; those are meaningless unless you see a ton of them from a single source, in which case you might want to block it.

I would start with the policy advisor. From the controller CLI, you can issue the command as below.

ziggy@ip-10-19-253-128:~$ ziti edge policy-advisor services -h
checks policies/connectivity between services and identities

Usage:
  ziti edge policy-advisor services <service name or id>? <identity name or id>? [flags]

Flags:
  -i, --cli-identity string   Specify the saved identity you want the CLI to use when connect to the controller with
  -h, --help                  help for services
  -j, --output-json           Output the full JSON response from the Ziti Edge Controller
      --output-request-json   Output the full JSON request to the Ziti Edge Controller
  -q, --quiet                 Minimize output by hiding header
      --timeout int           Timeout for REST operations (specified in seconds) (default 5)
      --verbose               Enable verbose logging

This will help you make sure the policies are set up correctly for your endpoint to reach the service and that they have common edge routers.

If that is all OK, or if you find and fix something and it still isn't working, make sure your controller is logging events and take a look at the fabric.circuit events. This will tell you why the dial is failing, or if it is even happening.

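The reply above says the "first record does not look like a TLS handshake" errors on the controller's port 1280 are only worth attention when many of them come from a single source. The following is an added example (not code from the thread or from the OpenZiti project) that turns that rule of thumb into a small triage script: it reads controller log lines in the format shown above, counts the non-TLS hits per remote address, and flags sources that exceed a threshold. The log sample embedded in it is constructed to mimic the controller's format, using documentation-range IP addresses and a hypothetical router id; the threshold of 3 is an arbitrary assumption you would tune for your own traffic.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample in the ziti controller's log format. The addresses and
# the router id are hypothetical; only the message layout mirrors the real logs.
SAMPLE_LOG = """\
[  14.572]    INFO ziti/controller/network.(*Network).Run: {routerId=[router-1]} changed router
[ 851.018]   ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {remote=[203.0.113.5:40814] error=[tls: first record does not look like a TLS handshake ]} handshake failed
[ 860.551]   ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {remote=[203.0.113.5:45030] error=[tls: first record does not look like a TLS handshake ]} handshake failed
[ 865.200]   ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {error=[tls: first record does not look like a TLS handshake] remote=[203.0.113.5:45040 ]} handshake failed
[ 868.339]   ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {remote=[203.0.113.5:45048] error=[tls: first record does not look like a TLS handshake ]} handshake failed
[ 870.101]   ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {remote=[198.51.100.7:51022] error=[tls: first record does not look like a TLS handshake ]} handshake failed
[ 872.400]   ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {remote=[198.51.100.9:51100] error=[remote error: tls: bad certificate]} handshake failed
"""

# The substring that identifies a plain (non-TLS) hit on the TLS listener.
NON_TLS_MSG = "first record does not look like a TLS handshake"

# The remote field can appear before or after the error field, and the logs
# above show an occasional trailing space before the closing bracket.
REMOTE_RE = re.compile(r"remote=\[\s*(?P<addr>[^\]]+?)\s*\]")


def source_of(addr: str) -> str:
    """Strip the ephemeral source port from 'host:port' so hits group per host."""
    return addr.rsplit(":", 1)[0]


def count_non_tls_hits(lines: Iterable[str]) -> Counter:
    """Count non-TLS handshake failures per remote host.

    Lines that are not this particular error (INFO lines, genuine TLS errors
    such as a bad client certificate) are ignored so they do not inflate counts.
    """
    counts: Counter = Counter()
    for line in lines:
        if NON_TLS_MSG not in line:
            continue
        match = REMOTE_RE.search(line)
        if not match:
            continue
        counts[source_of(match.group("addr"))] += 1
    return counts


def noisy_sources(counts: Counter, threshold: int) -> List[str]:
    """Return hosts with at least `threshold` hits, busiest first."""
    return sorted(
        (host for host, n in counts.items() if n >= threshold),
        key=lambda host: (-counts[host], host),
    )


def triage(log_text: str, threshold: int = 3) -> Dict[str, object]:
    """Summarise a controller log: per-source counts, total, and sources worth a closer look."""
    counts = count_non_tls_hits(log_text.splitlines())
    return {
        "per_source": dict(counts),
        "total": sum(counts.values()),
        "noisy": noisy_sources(counts, threshold),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"non-TLS hits on the controller listener: {summary['total']}")
    for host, n in sorted(summary["per_source"].items(), key=lambda kv: -kv[1]):
        print(f"  {host:<16} {n}")
    print("sources at or above threshold:", summary["noisy"] or "none")
```

Run it against a real controller log with `triage(open("controller.log").read(), threshold=...)`; a handful of hits spread across many sources is the background noise the reply describes, while one source dominating the list is the case where a firewall rule on the controller's host is worth considering.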