Endpoint Security without using Fleet

@blaker

How would one achieve this?

My current setup is as follows:

  • Self-hosted
  • 3-node Elasticsearch cluster (7.15.0)
  • Kibana (7.15.0)

Fleet server URL: https://kibana-dev.mydomain.com:8220
Elasticsearch URL: https://kibana-dev.mydomain.com:9220

A separate hosted environment consisting of two servers:

  • Server-A (Static NAT with ACLs permitting tcp/9200 and tcp/8220 to above URLs)
  • Server-B (Dynamic PAT with no access to above URLs)

A Demo policy has been configured with integration for:

  • Elastic Endpoint Security
  • System

Server-A has been enrolled successfully to the above policy and I can see this under both Fleet > Agents and Security > Endpoints. The agent statuses show as 'Healthy'.
Server-A also has a reverse proxy configuration in place for the above-mentioned ports and I am able to hit these from Server-B.

When I attempt to enroll Server-B using the install command below, the enrollment is successful:

sudo ./elastic-agent install -f --url=https://Server-A-internal-IP:8220 --enrollment-token=xxxxxxx

2021-09-24T07:28:53.704+0100    INFO    cmd/enroll_cmd.go:414   Starting enrollment to URL: https://192.168.15.1:8220/
2021-09-24T07:28:55.227+0100    INFO    cmd/enroll_cmd.go:252   Successfully triggered restart on running Elastic Agent.
Successfully enrolled the Elastic Agent.
Elastic Agent has been successfully installed.

After a couple of minutes, the status of Server-B changes from Healthy to Unhealthy and, looking in the logs, I see it attempting to connect to the non-proxy URL which it cannot access (hence the reverse proxy config).

{
  "log.level":"error",
  "@timestamp":"2021-09-24T06:31:42.029Z",
  "log.origin":{
    "file.name":"fleet/fleet_gateway.go",
    "file.line":180
    },
  "message":"failed to dispatch actions, error: fail to communicate with updated API client hosts: Get \"https://kibana-dev.mydomain.com:8220/api/status?\": context deadline exceeded",
  "ecs.version":"1.6.0"
}

Am I doing something wrong or is this not achievable?

Appreciate your input.

Kev
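As an added troubleshooting aid (example code, not from the original post or from Elastic), the script below reads Elastic Agent's ECS JSON log lines and flags every Fleet/Elasticsearch host the agent tried to reach that is not the proxy it was enrolled through; the sample log lines are constructed after the ones quoted above, and the allowed-host set is an assumption.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of Elastic Agent ECS JSON log lines, modelled on the post (not real logs).
SAMPLE_LOG = r"""
{"log.level":"info","@timestamp":"2021-09-24T06:29:00.000Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":414},"message":"Starting enrollment to URL: https://192.168.15.1:8220/","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2021-09-24T06:31:42.029Z","log.origin":{"file.name":"fleet/fleet_gateway.go","file.line":180},"message":"failed to dispatch actions, error: fail to communicate with updated API client hosts: Get \"https://kibana-dev.mydomain.com:8220/api/status?\": context deadline exceeded","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2021-09-24T06:31:50.000Z","log.origin":{"file.name":"fleet/fleet_gateway.go","file.line":120},"message":"checkin succeeded","ecs.version":"1.6.0"}
this line is not JSON and must be skipped
"""

URL_RE = re.compile(r"https?://[^\s\"']+")

def parse_ecs_lines(log_text):
    """Yield parsed ECS JSON records, skipping blank or non-JSON lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def contacted_hosts(log_text):
    """Every host:port the agent mentioned in a URL, across all log levels."""
    return {urlparse(u).netloc
            for rec in parse_ecs_lines(log_text)
            for u in URL_RE.findall(rec.get("message", ""))}

def find_unexpected_hosts(log_text, allowed_hosts):
    """One finding per URL whose host:port is outside allowed_hosts, e.g. the
    policy's Fleet Server host instead of the proxy used at enrollment."""
    findings = []
    for rec in parse_ecs_lines(log_text):
        for url in URL_RE.findall(rec.get("message", "")):
            host = urlparse(url).netloc
            if host not in allowed_hosts:
                findings.append({"timestamp": rec.get("@timestamp"),
                                 "level": rec.get("log.level"),
                                 "file": rec.get("log.origin", {}).get("file.name"),
                                 "host": host})
    return findings

if __name__ == "__main__":
    # Assumed: Server-B should only ever reach the proxy on Server-A.
    for f in find_unexpected_hosts(SAMPLE_LOG, {"192.168.15.1:8220"}):
        print(f"{f['timestamp']} {f['level']} {f['file']}: unexpected host {f['host']}")
```

Point it at the agent's real log file and a mismatch between the `--url` you enrolled with and the hosts reported here shows the agent has switched to the Fleet Server host delivered in the policy.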