Agentless Scanner


Version 1.0.0

The Agentless Scanner serves to inventory clients without having to run or even install software on the clients. It consists of two parts, AD Import and XML Import. Below is a description of the two parts.

 

AD Import

The Agentless Scanner serves to inventory clients without having to run or even install software on these clients. In this case, an Active Directory (AD) serves as the data source for the basic data of a client. The actual inventory is then done by means of a WMI remote scan. This means that it is also possible to inventory clients which cannot be contacted via NetBIOS (e.g. due to certain network policies) and which therefore do not appear in the agent distribution (see Agent distribution). Furthermore, clients which are newly integrated into the AD are inventoried automatically. This eliminates the need to trigger an inventory manually. However, the Agentless Scanner provides less data than the ACMP agent, because reading out clients via WMI does not give it access to all the data.

 

The Agentless Scanner consists of three components: the ACMP AD connector, the ACMP AD agent and the ACMP WMI scanner. For example, if a new computer is added to the AD, the resulting AD event triggers the import of the computer by the AD connector. In addition, the AD connector scans the AD at fixed intervals for new clients. The collected data is then forwarded to the ACMP AD agent, which compares it to the ACMP data. If a new client is detected in the AD, the basic data such as name, description, domain and address are stored in the ACMP database. This means that the client can be tracked in the agent distribution and can be processed normally (e.g. in Queries or Client Commands). To inventory further data of the client, the ACMP WMI scanner triggers a scan of the client's WMI. These data are then saved in the ACMP database.

 

It may happen that no MSI software can be read on Windows Server 2003. This is the case if the Win32_Product WMI class is not installed. It can be installed in the following steps:

1. Control Panel\Software\Add Windows Components
2. Select Management and Monitoring Programs
3. Press Details button
4. Select WMI Suppliers for Windows Installer
5. Confirm with OK and then restart the system

 

Installation Requirements

Before running the installation, you have to check the following requirements:

The services will be installed on the same server where ACMP is installed.
The .NET Framework version 3.5 is pre-installed.
Message Queuing is installed. If Message Queuing has not been installed, it can be added in the Control Panel via the path Add/Remove Windows Components (for workstation systems) or via the Server Manager, under Features (for server systems).

 

Installation

To use the Agentless Scanner, the corresponding services must be installed. To install the scanner, use the installation file ACMP Agentless Scanner_Installer.exe located in the folder Installers/AgentlessScan in the installation directory of the ACMP server. Follow the installation instructions and install all four components.

 

Configuration

To configure the Agentless Scanner, select the Configuration Manager just installed. This tool offers five sections to configure the scanner.

 

The Connection String to the ACMP database is entered in the General section. To do so, click on Get database connection string from ACMP configuration. The connection string is automatically read from ACMP and entered here. Now click on Test connection string. If you get the message Connection successful, a connection can be established to the database. If you do not get this message, the connection string must be adapted via Edit string connection and then tested again. In case of problems, please contact the Aagon support service.

 


Agentless Scanner: Database Connection String

 

Specify the information for AD access in the AD Connector section. To do this, enter the name or IP address of the server where the AD is installed in the Domain Controller field. In User Name, enter a user with read authorization for the domain from which the client data are to be read. Also enter the user's password. Make sure that it is not an empty password. Enter the name of the domain from which the client data is read in NT Domain Name. In addition, enter the AD path to the clients whose data are to be read in BaseDN. This may be the root directory, but also a certain group (OU) within the AD. With the Ignore Objects option it is possible to filter out clients that have not been in the network for X days and have not logged in to the domain controller.

 


Agentless Scanner: Active Directory Connector

 

Apart from the details that you can enter in the configuration interface of the Configuration Manager, you can adjust additional settings in the configuration file. Open the configuration file Configuration.xml located in the Configuration subfolder of the installation path. Use the three tags OuAllowList, OuDenyList and OuRuleOrder to determine the OUs from which computer objects are to be imported. The OuAllowList tag serves to specify OUs that you want to be read, while the OuDenyList tag allows you to specify OUs from which you do not want to read data. OUs must be entered in Distinguished Name (DN) notation (see example). When editing the Configuration.xml file, note that the tag names are case-sensitive and must be written exactly as shown. This means that if the list entry "OuAllow" is written as "OUAllow", the entire configuration file will be considered faulty and the service will stop again right after starting.

 

The OuRuleOrder tag acts as follows:

The default value of the OuRuleOrder is 0. This means that in principle all OUs are read. All OUs which must not be included must be entered in the OuDenyList. The OUs nested beneath them are then also not considered. If these are to be taken into account, they must be entered in the OuAllowList.
If the OuRuleOrder is changed to 1, the sequence in which the OuDenyList and the OuAllowList are analyzed changes. This means that all OUs which are to be included must now be entered in the OuAllowList. If specific underlying OUs are not to be included, these must be entered in the OuDenyList.

 

The following example serves to illustrate the procedure:

 

<OuAllowList>
  <OuAllow>OU=Aagon,dc=aagon,dc=local</OuAllow>
</OuAllowList>
<OuDenyList>
  <OuDeny>OU=Marketing,OU=Aagon,dc=aagon,dc=local</OuDeny>
</OuDenyList>
<OuRuleOrder>1</OuRuleOrder>


 

Basically, all OUs are prohibited because the OuRuleOrder is set to 1. The entry in the OuAllowList allows the OU "Aagon" and all subordinate OUs. The OuDenyList entry for the OU "Marketing" excludes this particular OU again.
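The following added example (not part of the original documentation and not Aagon's code) checks a fragment for mis-cased tag names and then works out which computer DNs would be imported under either OuRuleOrder. The <Fragment> wrapper, the function names and the rule that the list analyzed second overrides the first are assumptions based on the description above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's three tags wrapped in a made-up <Fragment> root.
SAMPLE = """<Fragment>
  <OuAllowList><OuAllow>OU=Aagon,dc=aagon,dc=local</OuAllow></OuAllowList>
  <OuDenyList><OuDeny>OU=Marketing,OU=Aagon,dc=aagon,dc=local</OuDeny></OuDenyList>
  <OuRuleOrder>1</OuRuleOrder>
</Fragment>"""

LISTS = {"OuAllowList": "OuAllow", "OuDenyList": "OuDeny"}
KNOWN = set(LISTS) | set(LISTS.values()) | {"OuRuleOrder"}


def norm(dn):
    """Lower-case a DN and trim spaces around commas (escaped commas not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def load_rules(xml_text):
    """Return (allow, deny, order); raise ValueError on a mis-cased tag name."""
    root = ET.fromstring(xml_text)
    known_lower = {name.lower() for name in KNOWN}
    for el in root.iter():
        # e.g. <OUAllow> instead of <OuAllow>: right name, wrong case
        if el.tag not in KNOWN and el.tag.lower() in known_lower:
            raise ValueError(f"tag <{el.tag}> has wrong case")
    rules = {}
    for list_tag, item_tag in LISTS.items():
        items = root.findall(f"{list_tag}/{item_tag}")
        rules[list_tag] = [norm(e.text) for e in items if e.text]
    order = int(root.findtext("OuRuleOrder", default="0"))
    return rules["OuAllowList"], rules["OuDenyList"], order


def in_subtree(dn, ou):
    """True if dn is the OU itself or lies anywhere beneath it."""
    return dn == ou or dn.endswith("," + ou)


def is_imported(computer_dn, allow, deny, order):
    """Order 0: everything is read, deny excludes, allow re-includes.
    Order 1: nothing is read, allow includes, deny re-excludes."""
    dn = norm(computer_dn)
    allowed = any(in_subtree(dn, ou) for ou in allow)
    denied = any(in_subtree(dn, ou) for ou in deny)
    if order == 0:
        return allowed or not denied
    return allowed and not denied
```
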

 

In the AD Agent section, the path of the message queue and the number of internal IP scanner threads can be changed. These settings are required for the internal procedures of the Agentless Scanner and should be changed only when requested by the Aagon support service.

 


Agentless Scanner: Active Directory Agent

 

The WMI Scanner section serves to configure the scanner in more detail. Here you can change, among other things, the message queuing path and the number of scanner threads. Again, change these settings only when requested by the Aagon support service.

 


Agentless Scanner: WMI Scanner

 

With the Database Request Frequency you can determine the intervals (in hours) at which the ACMP database is to be checked. This check identifies all clients that have been detected by the AD (AD Connector section) but have not yet been scanned. These clients are passed to the WMI scanner, which reads the properties of the clients via WMI.

 

In Domain Credentials, you can enter the accounts of users who have administrator rights for the clients to be scanned. At least one user must be entered here. Use the Plus button to open the corresponding dialog.

 


Agentless Scanner: Domain Credentials

 

Under Domain Name, enter the "Fully Qualified Domain Name" (FQDN) of the domain whose clients are to be scanned. Enter the user name in "User Principal Name" (UPN) format, i.e. User@FQDN, and enter the password. The domain name entered first and the FQDN of the user do not have to be identical. The domain name acts as a filter for the transferred client data. This means that only those clients are scanned which, according to the ACMP database, belong to the matching domain. Return to the WMI Scanner by clicking on the OK button and enter other domains with the corresponding user information if necessary.

 

In the Services section, you can start and stop the installed and configured services of the Agentless Scanner by means of the corresponding buttons.

 


Note:

Note that you have to save all changes before you start or stop the service.

Last change on 12.04.2017