Meshcentral

Introduction

During the corona period we needed a different helpdesk solution than our Dameware Remote Software to manage our workstations. Money was not an issue, but time was.

So I discovered Meshcentral or Meshcentral GitHub, and it has served us very well up to now and continues to do so.

Meshcentral Userguide

Some benefits

  • Easy Install
  • Scalable
  • Security
  • Terminal Use
  • Reliable

Installation

Operating System

Windows Server 2025

Downloads

NodeJS

MongoDB

Installation

NodeJS

2025

NodeJS is version 22.20.2

The installation is pretty straightforward.

MongoDB

2025

MongoDB is version 8.2.1

Folder name

Do not install the database on the Operating System Disk

Meshcentral

Open Command Prompt as Administrator

D:
mkdir MeshCentral
cd MeshCentral
npm install meshcentral
node node_modules/meshcentral
node node_modules/meshcentral --install
  1. 🙋‍♂️ Stop the service with CTRL+C

Installation Complete

https://localhost/

To open Meshcentral from another workstation in your network, open PowerShell as Administrator and run:

New-NetFirewallRule -DisplayName "Allow Port 443" -Direction inbound -Profile Any -Action Allow -LocalPort 443 -Protocol TCP

Create Super user

Create a device group

Configuration

The configuration of MeshCentral is done with a JSON file.

Copy the default JSON file (open PowerShell as Administrator):

Copy-Item "D:\MeshCentral\meshcentral-data\config.json" "D:\MeshCentral\meshcentral-data\config.json.original"

Tip

You can find a simple sample JSON file

You can find an advanced sample JSON file

Use jsonlint to validate your JSON file

After you've changed and saved the JSON file, you'll need to restart the Mesh service

Restart-Service -Name Meshcentral

Original

The JSON file is divided into sections: "settings" is the Settings Section and "domains" is the Domain Section.

{
  "$schema": "https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json",
  "__comment1__": "This is a simple configuration file, all values and sections that start with underscore (_) are ignored. Edit a section and remove the _ in front of the name. Refer to the user's guide for details.",
  "__comment2__": "See node_modules/meshcentral/sample-config-advanced.json for a more advanced example.",
  "settings": {
    "_cert": "myserver.mydomain.com",
    "_WANonly": true,
    "_LANonly": true,
    "_sessionKey": "MyReallySecretPassword1",
    "_port": 443,
    "_aliasPort": 443,
    "_redirPort": 80,
    "_redirAliasPort": 80
  },

  "domains": {
    "": {
      "_title": "MyServer",
      "_title2": "Servername",
      "_minify": true,
      "_newAccounts": true,
      "_userNameIsEmail": true
    }
  },

  "_letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before trying Let's Encrypt.",
    "email": "myemail@mydomain.com",
    "names": "myserver.mydomain.com",
    "skipChallengeVerification": true,
    "production": false
  }
}
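
As an added example (not part of the original page or the MeshCentral project), this Node.js snippet parses a config the way a JSON linter would and lists which keys are active and which are ignored because of the leading underscore. The sample config, its hostname and the function names are constructed for illustration.

```javascript
// Constructed sample in the shape of the page's config.json (placeholder hostname).
const SAMPLE = `{
  "settings": {
    "Cert": "mesh.example.test",
    "TLSOffload": true,
    "_WANonly": true,
    "_sessionKey": "MyReallySecretPassword1",
    "port": 4333,
    "aliasPort": 443
  },
  "domains": { "": { "_title": "MyServer", "newAccounts": false } },
  "_letsencrypt": { "email": "myemail@mydomain.com", "production": false }
}`;

// Walk the parsed JSON. A key that starts with "_" is ignored together with
// everything below it; its dotted path is recorded so it can be reviewed.
function splitConfig(node, path = [], ignored = []) {
  if (node === null || typeof node !== 'object' || Array.isArray(node)) {
    return { active: node, ignored };
  }
  const active = {};
  for (const [key, value] of Object.entries(node)) {
    const here = [...path, key === '' ? '""' : key];
    if (key.startsWith('_')) { ignored.push(here.join('.')); continue; }
    active[key] = splitConfig(value, here, ignored).active;
  }
  return { active, ignored };
}

// JSON.parse is strict: trailing commas and "# (1)!" style markers are rejected,
// which is the class of mistake a JSON linter catches before a service restart.
function loadConfig(text) {
  try {
    return { ok: true, ...splitConfig(JSON.parse(text)) };
  } catch (err) {
    return { ok: false, error: err.message, active: null, ignored: [] };
  }
}

const result = loadConfig(SAMPLE);
console.log('active :', JSON.stringify(result.active));
console.log('ignored:', result.ignored.join(', '));
```

In this sample the `_sessionKey` line and the whole `_letsencrypt` section show up as ignored, so neither value is in effect.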

Settings

Info

To make it manageable I'm going to categorize the options by sections

Ports

Port

This sets the main web port used by the MeshCentral server and it's the same port that users and mesh agents will connect to. The default port is 443, but if the port is busy, the next available higher port is used (e.g. 444).

AliasPort

Sets the main port that will be used by the server externally. By default it is the same as "Port" above, but it can be set to a different value when needed. See the "Server port aliasing" section for more details.

I'll be using OPNsense with HAProxy, so I'll change this one to 4333

RedirPort

This is the port for redirecting traffic in the web server. When the server is configured with HTTPS, users who use HTTP will be redirected to HTTPS. Port 80 is the default port. So, redirection will happen from port 80 to port 443.

{
  "settings": {
    "_cert": "myserver.mydomain.com",
    "_WANonly": true,
    "_LANonly": true,
    "_sessionKey": "MyReallySecretPassword1",
    "port": 4333,
    "aliasPort": 443,
    "redirPort": 80,
    "redirAliasPort": 80
  }
}

TLS & URL

I run MeshCentral behind HAProxy in OPNsense. I created a Let's Encrypt certificate in OPNsense and downloaded it. Then I used OpenSSL to extract the CRT and KEY.

mkdir D:\Certificates
openssl pkcs12 -in "[PATH_TO_Certificate].p12" -nocerts -nodes -out "D:\Certificates\private.key"
openssl rsa -in "D:\Certificates\private.key" -out "D:\Certificates\webserver-cert-private.key"
openssl pkcs12 -in "[PATH_TO_Certificate].p12" -clcerts -nokeys -out "D:\Certificates\webserver-cert-public.crt"

Copy webserver-cert-private.key and webserver-cert-public.crt to D:\MeshCentral\meshcentral-data

Cert (1)

Sets the DNS name of the server. If this name is not set, the server will run in "LAN mode". When set, the server's web certificate will use this name and the server will instruct agents and browsers to connect to that DNS name. You must set a server DNS name to run in "WAN mode". MeshCentral will not configure your DNS server. The DNS name must be configured separately.

  1. 🙋‍♂️ Settings Section

TLSOffload (1)

By default this option is set to 'false'. If set to 'true', the server will run both the web port and the Intel AMT MPS port without TLS, on the assumption that a TLS offloading device is taking care of this task. For further details, see the "TLS Offloading" section. This option can also be set to the IP address of the reverse proxy in order to indicate to MeshCentral to only trust HTTP X-Forwarded headers coming from this IP address. See the "Reverse-Proxy Setup" section for an example.

  1. 🙋‍♂️ Settings Section

CertUrl (1)

Load the TLS certificate for this domain from this https url. For example "https://127.0.0.1:123". This option is useful when used along with the "TlsOffload" option. When MeshCentral is not doing any TLS but has a reverse-proxy or TLS offload device doing this work in front of the server, you can use this to have MeshCentral load the certificate from the server in front of MeshCentral. This is needed because when agents connect, they need to be told that the certificate they saw upon connecting is the correct one. Using this, MeshCentral will know what certificate the agents are expected to see.

Important: Changes in config.json will NOT take effect until the server is restarted.

  1. 🙋‍♂️ Domains Section

{
  "settings": {
    "Cert": "meshcentral.jdc19b.be",
    "TLSOffload": true,
    "_WANonly": true,
    "_LANonly": true,
    "_sessionKey": "MyReallySecretPassword1",
    "port": 4333,
    "aliasPort": 443,
    "redirPort": 80,
    "redirAliasPort": 80
  },
  "domains": {
    "": {
      "CertUrl": "https://meshcentral.jdc19b.be/",
      "title": "JDC19B",
      "title2": "MeshCerntral",
      "minify": true,
      "newAccounts": false,
      "userNameIsEmail": true
    }
  }
}

MongoDB

Install

Open CMD as Administrator

d:
cd MeshCentral
node node_modules/meshcentral --mongodb mongodb://127.0.0.1:27017/meshcentral

JSON File

  "settings": {
    "_cert": "myserver.mydomain.com",
    "mongoDb": "mongodb://127.0.0.1:27017",
    "mongoDbName": "meshcentral",
    "_WANonly": true,
    "_LANonly": true,
    "_sessionKey": "MyReallySecretPassword1",
    "port": 4333,
    "aliasPort": 443,
    "redirPort": 80,
    "redirAliasPort": 80,
    "plugins": { "enabled": true }
  },

Backup

Download

Unzip and copy mongodump.exe to D:\Program Files\MongoDB\Server\8.2\bin

Create folder D:\Backups

D:
mkdir Backups

Then add autoBackup to the Settings section:

  "settings": {
    "_cert": "myserver.mydomain.com",
    "mongoDb": "mongodb://127.0.0.1:27017",
    "mongoDbName": "meshcentral",
    "autoBackup": {
      "mongoDumpPath": "D:\\Program Files\\MongoDB\\Server\\8.2\\bin\\mongodump.exe",
      "backupIntervalHours": 24,
      "keepLastDaysBackup": 10,
      "backupPath": "D:\\Backups"
    },
    "_WANonly": true,
    "_LANonly": true,
    "_sessionKey": "MyReallySecretPassword1",
    "port": 4333,
    "aliasPort": 443,
    "redirPort": 80,
    "redirAliasPort": 80,
    "plugins": { "enabled": true }
  },

Plugins

General information about plugins.

Warning

Use this at your own risk

  "settings": {
    "_cert": "myserver.mydomain.com",
    "mongoDb": "mongodb://127.0.0.1:27017",
    "mongoDbName": "meshcentral",
    "autoBackup": {
      "mongoDumpPath": "D:\\Program Files\\MongoDB\\Server\\8.2\\bin\\mongodump.exe",
      "backupIntervalHours": 24,
      "keepLastDaysBackup": 10,
      "backupPath": "D:\\Backups"
    },
    "_WANonly": true,
    "_LANonly": true,
    "_sessionKey": "MyReallySecretPassword1",
    "port": 4333,
    "aliasPort": 443,
    "redirPort": 80,
    "redirAliasPort": 80,
    "plugins": { "enabled": true }
  },

You can find third-party plugins here.

Copy paste the url from

Plugins

Example ScriptTask

Domains

Troubleshooting

"D:\MeshCentral\WinService\daemon\meshcentral.err.log"

"D:\MeshCentral\WinService\daemon\meshcentral.out.log"

npm install --no-audit --no-optional --omit=optional https-proxy-agent@7.0.2

autoAcceptOnTimeout and autoAcceptIfNoUser

  "consentMessages": {
    "Title": "MeshCentral",
    "Desktop": "{0} 请求远程桌面访问。是否授权?\n{1} is requesting remote desktop access. Grant access?",
    "Terminal": "{0} 请求终端访问。是否授权?\n{1} is requesting terminal access. Grant access?",
    "Files": "{0} 请求文件系统访问。是否授权?\n{1} is requesting file system access. Grant access?",
    "consentTimeout": 60,
    "autoAcceptOnTimeout": true,
    "autoAcceptIfNoUser": true,
    "oldStyle": true
  },
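
An added example, not from the original page or the MeshCentral project: a Node.js review of the settings used on this page that widen access (TLSOffload set to true instead of the reverse proxy IP, plugins, new accounts, and the consent auto-accept flags). The sample config, the function names, the case-insensitive key matching and the placement of consentMessages under a domain are assumptions.

```javascript
// Constructed config assembled from fragments on this page; hostname is a placeholder.
const REVIEW_SAMPLE = {
  settings: {
    Cert: 'mesh.example.test',
    TLSOffload: true,
    _sessionKey: 'MyReallySecretPassword1',
    plugins: { enabled: true }
  },
  domains: {
    '': {
      newAccounts: false,
      consentMessages: { consentTimeout: 60, autoAcceptOnTimeout: true, autoAcceptIfNoUser: true }
    }
  }
};

// Case-insensitive lookup (assumption; the page mixes "TLSOffload" and "TlsOffload").
// "_sessionKey" never matches "sessionKey", so underscore-disabled keys stay ignored.
function pick(obj, name) {
  const key = Object.keys(obj || {}).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : obj[key];
}

// Return one finding per active setting that deserves a second look.
function auditConfig(config) {
  const findings = [];
  const settings = pick(config, 'settings') || {};
  if (pick(settings, 'tlsOffload') === true) {
    findings.push('settings.TLSOffload=true: set the reverse proxy IP to trust X-Forwarded headers from it only');
  }
  if (pick(settings, 'sessionKey') === 'MyReallySecretPassword1') {
    findings.push('settings.sessionKey still holds the sample value');
  }
  if (pick(pick(settings, 'plugins'), 'enabled') === true) {
    findings.push('settings.plugins.enabled=true: third-party plugin code can be loaded');
  }
  for (const [name, domain] of Object.entries(pick(config, 'domains') || {})) {
    if (pick(domain, 'newAccounts') === true) {
      findings.push(`domains["${name}"].newAccounts=true: account self-registration is open`);
    }
    const consent = pick(domain, 'consentMessages');
    for (const flag of ['autoAcceptOnTimeout', 'autoAcceptIfNoUser']) {
      if (pick(consent, flag) !== true) continue;
      findings.push(`domains["${name}"].consentMessages.${flag}=true: access is granted without the user answering`);
    }
  }
  return findings;
}

auditConfig(REVIEW_SAMPLE).forEach(f => console.log('REVIEW:', f));
```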