Channel: Ivanti User Community : All Content - Cloud Services Appliance

Unattended configuration of client for the Cloud Services Appliance


Problems/Symptoms:

How to automatically configure a client for the Cloud Services Appliance, without manually entering username and password information.

 

Details:

Configurebroker.exe creates an LNG file which can then be used to automatically authenticate through the Cloud Services Appliance. There are two methods of using this LNG file which are documented below.

 

Resolution:

Configurebroker.exe. (attached to the bottom of this article)

 

DISCLAIMER

USE OF THE CONFIGUREBROKER.EXE APPLICATION SOFTWARE IS SOLELY AT THE USER’S AND/OR COMPANY’S OWN RISK.  THIS SOFTWARE APPLICATION IS AVAILABLE “AS IS,” AND LANDESK SPECIFICALLY DISCLAIMS ALL WARRANTIES INCLUDING ANY IMPLIED WARRANTIES. 

THE FILE PRODUCED BY CONFIGUREBROKER.EXE CONTAINS ACCOUNT NAME AND PASSWORD INFORMATION THAT MAY NOT BE FULLY PROTECTED UNDER CURRENT ENCRYPTION STANDARDS. LANDESK SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES (EVEN IF LANDESK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), OR COST OF PROCUREMENT OF SUBSTITUTE SERVICES.

 

IMPORTANT: It’s strongly recommended to follow all of the steps listed below.  Before implementing ConfigureBroker.exe, make sure that manual retrieval of the certificates using Brokerconfig.exe works both internally and externally.  Configurebroker.exe is NOT a secure method of configuring devices for the Cloud Services Appliance.

 

Using ConfigureBroker.exe

 

Creating the .lng file

 

Create a local user account on the core server called configure.broker. (Do not use a domain account)

 


 

Add the user account to the local LANDesk Management Suite Group on the core.

 


 

In the LANDesk Console, remove all LANDesk rights from the user.

 


 

Remove all Scopes from the configure.broker user.

 


 

The user should show the Default No Machines Scope and have no rights present.

 


 

NOTE: Only use this user for the ConfigureBroker.exe utility.


Copy ConfigureBroker.exe to the LANDesk Core Server's ManagementSuite folder.  This folder is shared by default with the share name LDMain.

 


Run "ConfigureBroker.exe" and enter the username and password of the configure.broker user that was just created and that is a member of the LANDesk Management Suite user group.

 


 

(Do not use a domain account)

 

Click Save.

 

The ConfigureBroker.exe creates a folder in the LDMain share/ManagementSuite folder called "noshareLDLogon".

 


Inside this folder a file is created called "BrokerConfig.lng".

 


 

Copy the "BrokerConfig.lng" file to the root of the LDLogon share on the core server.  The LDLogon folder is under the ManagementSuite folder.

 


 

 

NOTE: If using the ConfigureBroker.exe, it is highly recommended that “logon” rights from the local security policy for local users be removed.  This will block non domain users from logging into the LANDesk application.

 

LANDesk 9.0 SP2: Role-based Administration has changed in LANDesk 9.0. The following items must be changed.

 

1.  The configure.broker user is a part of the Script-Writers Group.

2.  Add "modify" rights for the Script-Writers Group to the C:\Program Files\LANDesk\ManagementSuite\brokerreq folder on the core server.

 

 

Including the .lng file in the LANDesk Agent

 

The following steps will update the default LANDesk Agent Configuration so that all agents will include the .lng file, and automatically retrieve the Gateway Certificate on Agent install.

 

Browse to the \ManagementSuite\ldlogon folder on the LANDesk Core Server.

 


 

Open the ntstacfg.in# file with notepad.  Search for the [Common Base Agent Post Copy] section.

 


 

At the end of the [Common Base Agent Post Copy] section add the following line:

 

FILE10001=BrokerConfig.lng, %PROGRAMFILES%\LANDesk\Shared Files\cbaroot\broker\BrokerConfig.lng

 

 

 


 

LANDesk 9.0 SP2 Update: There are two [Common Base Agent Post Copy] sections in the LANDesk 9.0 SP2 agent.ini file. Be sure to add the previous lines to the larger section that appears first. If this is not done the LNG file will not be inserted in the self-contained agent executable. A good way to check this is to search the log for "brokerconfig.lng" after the self-contained executable is created. You should see a line stating that the brokerconfig.lng file was inserted into the CAB. (This is resolved in SP2 for LDMS 9.0 CR00047107)

 

After saving the changes, go to Configure | Services | Inventory and restart the Inventory Service.

 


 

After the service restarts, the existing agents must be rebuilt to include the new changes.

In the LANDesk Console, go to Tools | Configuration | Agent Configuration.  Click the Rebuild All button.

 


 

To verify that the agents received the change, right click on an agent and choose Advanced Edit.

 

The Agent Configuration.ini file will open for that Agent.

 

Look under the [Common Base Agent Post Copy] section for the two lines that were added.

 


Create a self-extracting executable for the configuration by right-clicking on the configuration in the console and choosing Create self-contained client installation package.

 


 

Choose the location for the self contained EXE files, and click Save.

 

 

NOTE:  After creating the self contained Agent Installer, it is highly recommended to remove the BrokerConfig.lng file from the Ldlogon share.


Install the self-extracting executable to the remote machine. If the machine is connected to the internet, then a cert will be created on the client during install.

 

If the machine was not connected to the internet when the agent was installed, the inventory scanner will automatically run brokerconfig.exe -r the next time it runs and finds that it does not have a cert.


After the client is configured for the Gateway, the BrokerConfig.lng file is deleted.

 

Manually using the .lng file

 

Run through the steps to create the .lng file.  Manually copy the .lng file to the C:\Program Files\LANDesk\Shared Files\cbaroot\broker folder on an existing client. When the inventory scan executes on the client it will consume the .lng file and the broker certificates will be retrieved.

 

 

Macintosh Update: With the release of LANDesk 9 Macintosh clients can now connect through the Cloud Services Appliance. However, the process described below currently is not working. An enhancement request has been submitted to add the functionality in the future. Some other design changes may make this possible as well.


Cannot "switch modes" after 9.5 upgrade


I have recently upgraded to LDMS 9.5.    In LDMS 9 SP 3 when you right clicked on the remote control icon it would tell you if you were in direct or gateway modes and gave you the ability to switch between the 2.   Now when I perform this operation I see the following window.   It does not say the mode I am in and when I click on "switch mode" it does not appear to do anything.   Any help is appreciated.

 

 

LDREMOTECONTROL.PNG

Gateway Question


Do the Broker certs need sent out again after updating Landesk to 9.5?

 

Also on the gateway I click on update and it says can't connect. Is this normal if there are any updates?

LANDesk Management Gateway - cores reporting to it


Hi,

 

With the LANDesk Management Gateway, is it possible to have it configured so more than 1 core leveraged to use it?  In our organization, we have two separate LDMS 9SP3 instances, each with their own managed devices.  One of our LANDesk instances is using the Gateway to manage notebooks that are rarely in the office.  Is it possible to have our 2nd LANDesk instance also leverage the use of the Gateway at the same time?

 

Thanks,

 

P.

LDGatewayAssistant [Windows Version]


General:

Subject/Problem/Symptoms:

How to automate Windows agent communication for inventory scans, vulscans, and policy-based tasks through the CSA/gateway without the use of DNS.

Description/Details:

When an agent is out-of-band it will attempt to do a DNS lookup on the core server before directing traffic if the brokerconfig.exe is set to “Dynamically determine connection route”.  If it gets a result other than “Host not found” or “Request could not find host” then it assumes it can communicate with the core server.

 

The issue that occurs is that many ISPs no longer allow for unlisted DNS entries, a requirement for CSA/gateway usage.  This means when you try to reach core.domain.ext it will redirect you to another host, such as your ISP’s homepage web server.  They assume you mistyped the address you are looking for and provide a redirect.  This means that the client will never contact the CSA/gateway because it believes it has reached the core.

 

This also resolves the issue of not being able to have a private and public DNS. (As long as your core is properly firewalled off from global traffic.)

 

Test Problem:


Set your DNS to use Open DNS while out-of-band – 208.67.222.222 and 208.67.220.220 – if your core is not publicly listed then it likely will experience this issue.

 

Resolution:


Attached to this document is an ldgatewayassistant.exe and ldgatewayassistant.msi – both will install the LDGatewayAssistant service on your Windows based clients.

 

The LDGatewayAssistant service can do the following tasks for you:
1. Auto broker your Windows agents to the CSA/gateway.
2. Automatically toggle your inventory scans, vulscans, and policy-based tasks between direct and gateway mode.

3. Automatically enable the issuser heartbeat to automatically reconnect to the CSA/gateway on connection loss.
4. Automatically update core with latest IP when switching between direct and gateway mode.
5. Allow for limited custom in-band and out-of-band remote control permissions.

 

How it works:


After it is installed on your end-point you will find that an LDGatewayAssistant service is running, with its events being written to the Windows Application log.  Every 15 minutes (configurable) the service will quickly run a query to validate that you are still able to communicate with your core server.  It does this by checking the file structure of the core's web services.  If you were previously in-band and the query returns in-band again then no further action is taken.  However, if it returns out-of-band then the service will:

1.       Write out the proper connection info for the CSA/gateway to broker.conf.xml. (This is for inventory scans, vulscans, and policy-based tasks.)

2.       Enable the issuser heartbeat so that it will automatically reconnect to the CSA/gateway on connection loss.

3.       Set the issuser service to gateway mode.

4.       Enable the optional remote control configurations for out-of-band. (Prevents vulscan from overwriting these settings.)

5.       Automatically broker the agent if necessary.

6.       Start an inventory scan to sync with the core server.

 

When the agent returns to being in-band then the service will:

1.       Delete the broker.conf.xml.

2.       Disable the issuser heartbeat.

3.       Set the issuser service to direct mode.

4.       Set remote control configurations back to stricter settings.  (Upon the next vulscan they will be returned to your agent configuration settings.)

5.       Start an inventory scan to sync with the core server.

 

How do I know if it is working correctly?

 

Under the event viewer -> windows logs -> application there will be entries made by LDGatewayAssistant.

Within 15 minutes of entering/leaving your network you should see the following events:

- Gateway mode: In network. / Out-of-band.

- Starting sync to core.

- Sync to core has completed.

 

*Note: If any crashes occur please post them here.

 

What does it work on?

It has been tested on 9.0.2, 9.0.3, and 9.5.

 

 

Installation:

 

Basic Installation:
1. Manually install the LDGatewayAssistant on a client computer: ldgatewayassistant.msi /qn
2. Manually import the attached registry key after customizing it:
32bit: c:\windows\system32\reg.exe import ldgatewayassistant.reg
64bit: c:\windows\syswow64\reg.exe import ldgatewayassistant.reg

 

Advanced Deployment Options:

 


1. Advanced Edit of Agent
- Copy ldgatewayassistant.msi into your ldlogon folder on the core server.
- Select the Windows Agent Configuration you wish to include LDGatewayAssistant with.
- Right click and select “Advanced edit”.
- Paste the following lines into the editor just above the “;**** Begin of Remote Control component ****” Section:

 

;Install LDGatewayAssistant
;Each REGnn index below is used once; renumber an entry if its index collides with one already present in this configuration.
REG56=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\Address, IPAddressOfGatewayHere, , REG_SZ
REG57=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\code, HashGoesHereFromLNG or none, , REG_SZ
REG58=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\Gateway, gateway.domain.ext, , REG_SZ
REG59=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\In, false, , REG_SZ
REG60=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\Out, false, , REG_SZ
REG61=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\rc, 0 or 1, , REG_SZ
REG62=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\Scan, 0 1 2 or 3, , REG_SZ
REG63=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\interval, 3, , REG_SZ
REG64=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\count, 1, , REG_SZ
FILE10001=ldgatewayassistant.msi, %PROGRAMFILES%\LANDesk\LDClient\ldgatewayassistant.msi
EXEC10002=C:\Windows\System32\msiexec.exe, /qn /i "%PROGRAMFILES%\LANDesk\LDClient\ldgatewayassistant.msi", INSTALLONLY

 

- Save changes.
- Right click and select “Create self-contained client installation package” – this will contain the LDGatewayAssistant and install it automatically with the rest of the agent.
- Note: I do not have the service start on its own until next reboot with this method in order to prevent it from disrupting the completion of the rest of the agent installation.

 

2. Custom Vulnerability

- Create a new custom vulnerability.  Fill in the below information:

image.png
- Set the description tab to: (or something else fitting.)
  “LANDesk Client Extension that resolves connectivity issues between clients that are out-of-band and the LANDesk gateway.

This extension enforces direct modes when in-band and gateway modes when out-of-band on clients based on scanning the web structure of the core server.  This extension replaces the built-in DNS based detection method that the clients currently have.

*Note: The LANDesk DNS based detection relies on unlisted DNS entries to work correctly.  Many ISP providers do not allow for unlisted DNS entries.  When a client is on an ISP that does not allow unlisted DNS entries it will fail to connect to the gateway.”

 

- Select Add for a new Detection Rule from the General tab.

Name it "Windows x86".

 

Windows x86 Rule Info:
                  - Detection Logic - Affected Platforms:
                                  - Windows XP, Windows Vista, Windows 7, Windows 8
                  - Detection Logic - Files:
                                  - C:\Program Files\LANDesk\LDGatewayAssistant\LDGatewayAssistant.exe Must exist
                  - Patch Information:
                                  - This issue can be repaired without downloading a patch
                                  - Requires reboot: No
                                  - Silent Install: Yes
                  - Patch Information – Detecting the Patch – Files:
                                  - C:\Program Files\LANDesk\LDGatewayAssistant\LDGatewayAssistant.exe Must exist
                  - Patch Information – Patch Installation & Removal – Additional Files:
                                  - Include the ldgatewayassistant.msi file from wherever you have it hosted.
                                  - Be sure to generate the hash of the file.
                  - Patch Information – Patch Installation & Removal – Patch Install Commands:
                                  *Note: change PATHTOFILE to be the actual location of the file post download.
                                  - Select Add -> Execute a program
                                                  - PATH: %windir%\system32\msiexec.exe
                                                  - ARGS: /qn /i "C:\Program Files\LANDesk\LDClient\sdmcache\PATHTOFILE\LDGatewayAssistant\ldgatewayassistant.msi"
                                                  - TIMEOUT: %DEFAULTTIMEOUT%
                                                  - WAIT: true
                                  - Select Add -> Write a value to the registry
                                                  - Key: HKLM\SOFTWARE\LANDesk\GatewayAssistant
                                                  - Value name: Address
                                                  - Data type: String
                                                  - Value data: IP Address of gateway goes here
                                  - Select Add -> Write a value to the registry
                                                  - Key: HKLM\SOFTWARE\LANDesk\GatewayAssistant
                                                  - Value name: Gateway
                                                  - Data type: String
                                                  - Value data: gateway.domain.ext
                                  - Select Add -> Write a value to the registry
                                                  - Key: HKLM\SOFTWARE\LANDesk\GatewayAssistant
                                                  - Value name: rc
                                                  - Data type: String
                                                  - Value data: 0 or 1
                                  - Select Add -> Write a value to the registry
                                                  - Key: HKLM\SOFTWARE\LANDesk\GatewayAssistant
                                                  - Value name: code
                                                  - Data type: String
                                                  - Value data: HashFromLNGfile or type “none”
                                  - Select Add -> Write a value to the registry
                                                  - Key: HKLM\SOFTWARE\LANDesk\GatewayAssistant
                                                  - Value name: Scan
                                                  - Data type: String
                                                  - Value data: 0, 1, 2, or 3

                                  - Select Add -> Write a value to the registry
                                                  - Key: HKLM\SOFTWARE\LANDesk\GatewayAssistant
                                                  - Value name: interval
                                                  - Data type: String
                                                  - Value data: 3
                                  - Select Add -> Write a value to the registry
                                                  - Key: HKLM\SOFTWARE\LANDesk\GatewayAssistant
                                                  - Value name: count
                                                  - Data type: String
                                                  - Value data: 1
                                  - Select Add -> Start a Windows service
                                                  - service name: ldgatewayassistant
                                  - Select OK to save.

 

- Select Add for a new Detection Rule from the General tab again.

 

Name it "Windows x64".


Windows x64 Rule Info:
                  - Detection Logic - Affected Platforms:
                                  - Windows XP x64, Windows Vista x64, Windows 7 x64, Windows 8 x64
                  - Detection Logic - Files:
                                  - C:\Program Files (x86)\LANDesk\LDGatewayAssistant\LDGatewayAssistant.exe Must exist
                  - Patch Information:
                                  - This issue can be repaired without downloading a patch
                                  - Requires reboot: No
                                  - Silent Install: Yes
                  - Patch Information – Detecting the Patch – Files:
                                  - C:\Program Files (x86)\LANDesk\LDGatewayAssistant\LDGatewayAssistant.exe Must exist
                  - Patch Information – Patch Installation & Removal – Additional Files:
                                  - Include the ldgatewayassistant.msi file from wherever you have it hosted.
                                  - Be sure to generate the hash of the file.
                  - Patch Information – Patch Installation & Removal – Patch Install Commands:
                                  - Select Add -> Execute a program
                                                  - PATH: %windir%\system32\msiexec.exe
                                                  - ARGS: /qn /i "C:\Program Files (x86)\LANDesk\LDClient\sdmcache\PATHTOFILE\LDGatewayAssistant\ldgatewayassistant.msi"
                                                  - TIMEOUT: %DEFAULTTIMEOUT%
                                                  - WAIT: true
                                  - Select Add -> Write a value to the registry
                                                  - Key: HKLM\SOFTWARE\Wow6432Node\LANDesk\GatewayAssistant
                                                  - Value name: Address
                                                  - Data type: String
                                                  - Value data: IP Address of gateway goes here
                                  - Select Add -> Write a value to the registry
                                                  - Key: HKLM\SOFTWARE\Wow6432Node\LANDesk\GatewayAssistant
                                                  - Value name: Gateway
                                                  - Data type: String
                                                  - Value data: gateway.domain.ext
                                  - Select Add -> Write a value to the registry
                                                  - Key: HKLM\SOFTWARE\Wow6432Node\LANDesk\GatewayAssistant
                                                  - Value name: rc
                                                  - Data type: String
                                                  - Value data: 0 or 1
                                  - Select Add -> Write a value to the registry
                                                  - Key: HKLM\SOFTWARE\Wow6432Node\LANDesk\GatewayAssistant
                                                  - Value name: code
                                                  - Data type: String
                                                  - Value data: HashFromLNGfile or type “none”
                                  - Select Add -> Write a value to the registry
                                                  - Key: HKLM\SOFTWARE\Wow6432Node\LANDesk\GatewayAssistant
                                                  - Value name: Scan
                                                  - Data type: String
                                                  - Value data: 0, 1, 2, or 3

                                  - Select Add -> Write a value to the registry
                                                  - Key: HKLM\SOFTWARE\Wow6432Node\LANDesk\GatewayAssistant
                                                  - Value name: interval
                                                  - Data type: String
                                                  - Value data: 3
                                  - Select Add -> Write a value to the registry
                                                  - Key: HKLM\SOFTWARE\Wow6432Node\LANDesk\GatewayAssistant
                                                  - Value name: count
                                                  - Data type: String
                                                  - Value data: 1
                                  - Select Add -> Start a Windows service
                                                  - service name: ldgatewayassistant
                                  - Select OK to save.
                  - The custom vulnerability is completed.  Be sure to test deploy this before putting it into a production environment.

 

3. Group Policy
- You may deploy the .msi file via GPO.
- Then set the Registry settings (attached to this document) for the application in the same GPO.  It is advised to have the registry keys write both to the x86 and x64 registry locations to prevent clients from missing the configurations.  You may then configure the client settings based upon OU.

 

Configuration Options:

 

Registry Settings:

Address = IP Address of CSA/gateway


code = brokerconfig.lng contents (Please refer to this doc for more assistance: http://community.landesk.com/support/docs/DOC-1888 - only use the lng for its contents, not actually bundled into agent.)


Gateway = hostname.domain.ext of CSA/gateway


In = If the client last was "in-band" (true/false)  *Default is false


Out = If the client last was "out-of-band" (true/false)  *Default is false


rc = 0 or 1
0 = Off – Do not make any changes to client
1 = When device is out-of-band - LDGatewayAssistant turns off remote control permission required on the agent so that you can remotely access the computer without the user having to accept remote control; it also disables the identifiers of remote control.  It automatically turns permission required and remote control identifiers back on when the client is back "in-band".  *This is useful to remotely kick off policy based tasks immediately through the CSA/gateway, but please be aware of the security drawbacks when the permission required option is removed.*

 

Scan = 0, 1, 2, or 3
0 = Off - Do not run any scans.
1 = Sends miniscan updates to core (does not update core when out-of-band)
2 = Sends full inventory scans to core (works through gateway and in-band)
3 = Sends miniscan updates to core when in-band, sends full inventory scans when out-of-band
*Note: If the client is requiring brokering then a full scan will be forced.

 

logging = 0 or 1
0 = Off
1 = Enables basic logging - currently only turns on display of server responses when checking if the client is properly talking to core.  These will be displayed in the application log.

 

interval = 1 +  (New in version 1.0.1.1)

1 = 15 minutes

2 = 30 minutes

3 = 45 minutes (recommended)

4 = 1 hour

(and so on)

 

count = 1 (New in version 1.0.1.1)

# = the current position in the interval cycle. Once this number reaches the value set in interval, the service executes 1 cycle and resets count back to 1.

Example:  If interval is set to 3 and count is set to 1, count will increment by 1 every 15 minutes, making its value 2 after 15 minutes and 3 after 30 minutes; at 45 minutes the service will execute and revert count to 1.
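A pre-build check for the agent configuration lines and registry settings described above, written as an added example (it is not part of LDGatewayAssistant or LANDesk). The rule names and sample values are constructed, and treating a repeated REG/FILE index as a defect is an assumption about how the configuration is read.

```python
from collections import Counter

# Constructed sample in the line format shown on this page. The address, host
# name and "code" value are placeholders, not real settings.
SAMPLE_AGENT_INI = r"""
;Install LDGatewayAssistant
REG56=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\Address, 192.0.2.10, , REG_SZ
REG57=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\code, PLACEHOLDER-LNG-CONTENTS, , REG_SZ
REG58=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\Gateway, gateway.example.test, , REG_SZ
REG61=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\rc, 1, , REG_SZ
REG62=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\Scan, 3, , REG_SZ
REG62=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\interval, 3, , REG_SZ
FILE10001=BrokerConfig.lng, %PROGRAMFILES%\LANDesk\Shared Files\cbaroot\broker\BrokerConfig.lng
FILE10002=ldgatewayassistant.msi, %PROGRAMFILES%\LANDesk\LDClient\ldgatewayassistant.msi
"""

# Allowed data for the enumerated settings, as listed under "Registry Settings".
ALLOWED = {"rc": {"0", "1"}, "scan": {"0", "1", "2", "3"}, "logging": {"0", "1"}}


def _check_registry_entry(lineno, path, data):
    """Return findings for one REGnn entry that targets the GatewayAssistant key."""
    parts = path.lower().split("\\")
    # Matches both ...\LANDesk\GatewayAssistant\<name> and the Wow6432Node variant.
    if len(parts) < 2 or parts[-2] != "gatewayassistant":
        return []
    name, found = parts[-1], []
    if name == "code" and data.lower() != "none":
        found.append((lineno, "credential-in-config",
                      "LNG contents (account name and password) are written "
                      "into the agent package and HKLM"))
    if name in ALLOWED and data not in ALLOWED[name]:
        found.append((lineno, "invalid-value",
                      f"{name} must be one of {sorted(ALLOWED[name])}, got {data!r}"))
    if name in ("interval", "count") and not (data.isdigit() and int(data) >= 1):
        found.append((lineno, "invalid-value",
                      f"{name} must be a whole number >= 1, got {data!r}"))
    if name == "rc" and data == "1":
        found.append((lineno, "rc-prompt-disabled",
                      "remote control permission prompt and identifiers are "
                      "turned off while the device is out-of-band"))
    return found


def lint_agent_config(text):
    """Return (line number, rule, message) tuples for risky or broken entries."""
    findings, seen = [], Counter()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks, ';' comments and [section] headers.
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().upper()
        seen[key] += 1
        if seen[key] > 1:
            findings.append((lineno, "duplicate-index",
                             f"{key} is used more than once"))
        fields = [f.strip() for f in value.split(",")]
        if key.startswith("REG") and len(fields) >= 3:
            # Field order on this page: hive, key path + value name, data, (empty), type
            findings.extend(_check_registry_entry(lineno, fields[1], fields[2]))
        elif key.startswith("FILE") and fields[0].lower() == "brokerconfig.lng":
            findings.append((lineno, "lng-bundled",
                             "BrokerConfig.lng ships inside the agent package; "
                             "remove it from the LDLogon share after the build"))
    return findings


if __name__ == "__main__":
    for lineno, rule, message in lint_agent_config(SAMPLE_AGENT_INI):
        print(f"line {lineno}: [{rule}] {message}")
```

Run it against the text shown by Advanced Edit before creating the self-contained package; an empty result means none of these rules fired.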

 

Uninstall:

 

Version 1.0.0.0: *Installers were removed from this doc*
To uninstall the LDGatewayAssistant you must do it from whichever account you installed it with.  If using the advanced options above it is likely it would be the System account.

From the command line execute:
msiexec.exe /x {828e90ea-7672-4453-973c-1b3472f395be}

 

Version 1.0.1.1  *NEW - find attached below*
This version can be uninstalled by any administrative user.  Bug fixes were added to deal with installing over the old version (1.0.0.0) and handling reinstalls better.
From the command line execute:
msiexec.exe /x {3194c7c0-49b2-4d00-b0fe-94abeaaf0bdc}

 

New Features:

 

- Can now configure the time between in-band / out-of-band checks in intervals of 15 minutes.  This is to reduce load on the core server's web services from the connections. (v1.0.1.1)

 

Bug fixes:

 

- When using Windows NT security (securitytype 3) the reinstall of issuser hangs due to a popup notice regarding adding users to the local group. Prompt has been suppressed. (v1.0.1.1)

- When trying to uninstall from any other account than the one that installed ldgatewayassistant the uninstall fails. Permission has been expanded to all administrative users. (v1.0.1.1)

- When trying to do an upgrade an alert for "service already exists" would occur. The prompt has been suppressed - requires restart in these situations, will prompt. (v1.0.1.1)

 

DISCLAIMER

 

THIS SOFTWARE IS NOT A PRODUCT OF LANDESK.  THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES, OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT, OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Recommended Specifications and FAQ for LANDesk Virtual Cloud Services Appliance


LANDesk™ Virtual Cloud Services Appliance (VCSA)

Extending our market leadership in providing the best remote endpoint management tools for growing global organizations, LANDesk Software is excited to announce the availability of the LANDesk™ Virtual Cloud Services Appliance. As in the past, we offered the industry's best solution for managing remote devices, and we continue our tradition by offering the same great capabilities and benefits but without the need for a physical hardware appliance. We will continue to offer the traditional Cloud Services Appliance (CSA), but will add the Virtual Cloud Services Appliance to our excellent offering.

 

 

Recommended Specifications:

 

- CPU - 1 Processor

- Memory - 2GB RAM

- Storage - 2 x 250GB

- Network - 2 1GB NICs

 

 

 

LANDesk Virtual Cloud Services Appliance (vCSA) FAQ

 

Q. Where can I download the vCSA?

 

  A. The Virtual Cloud Services Appliance is available for download from the customer license portal at http://www.landesk.com/LicenseDownloads/.

 

Q. How will customers be able to install the virtual appliance?


  A. The vCSA is available as a single download that contains 3 Virtual Machine files.  These files may easily be imported into a VMWare ESX environment.

 

Q. What versions of VMWare ESX are supported?


  A. The vCSA underwent validation against VMWare ESX 5.x.  We do not anticipate any issues in ESX 4.x environments.

 

Q. Are there any new features in the vCSA?

  A. No, the vCSA uses the same software implementation as the hardware based appliance.

 

Q. How will the virtual appliance be updated?

  A. Software patches will be provided to customers in an experience similar to the existing hardware appliance. The Virtual Machine will also be fully updated as software patches become available, removing the requirement for new customers to manually update the appliance prior to implementing it in their environment.

 

Q. Will the vCSA scale to higher capacity if I increase the computer resources available to the Virtual Machine?  Will this enable the vCSA to handle more maximum connections?

  A. Customers will see marginal gains with increased resources.  However, the amount of memory the vCSA can address is limited by its 32bit implementation. 64bit support will be added in a future release.

 

Q. Is Microsoft Hyper-V Supported?


  A. No, at this time VMWare ESX is the only supported environment.

 

Q. If a customer has purchased the hardware appliance will they be entitled to the virtual appliance?


  A. Yes, customers who have purchased a hardware appliance will be able to migrate their license to the virtual appliance. Customers are not entitled to use the virtual appliance in addition to their hardware appliance; a single license only allows for a single instance of the appliance.


Q. Can a customer evaluate this software as part of a 45-day evaluation?

  A. Yes.

 

Q. Does the virtual appliance license allow for a second instance of the appliance to run in a disaster recovery configuration?


  A. If both instances of the appliance are running concurrently, two licenses will be required.  We recommend customers take advantage of VMware’s High Availability and Disaster Recovery features to reduce the need for additional licenses.

Remoting in via gateway works from server, but not desktop


Server: Windows 2003

Desktop: Windows 7 Pro

Gateway: release 4.2-1.9

Gateway service version: 8.7.0.3

Management Suite: 9 SP2

 

When I remote into a desktop from the Management Suite Server everything seems to work fine.  But when I try to remote in from the console on my desktop I get this error:

"Failed short session connection to gateway (3)."

 

I am new to the gateway and we are still trying to get it set up.  Is there some setting I have missed?

LDGatewayAssistant [Macintosh Version]


General:

Subject/Problem/Symptoms:

How to automate Macintosh agent communication for inventory scans, vulscans, and policy-based tasks through the CSA/gateway without the use of DNS.

Description/Details:

When an agent is out-of-band it will attempt to do a DNS lookup on the core server before directing traffic if the brokerconfig.exe is set to “Dynamically determine connection route”.  If it gets a result other than “Host not found” or “Request could not find host” then it assumes it can communicate with the core server.

 

The issue that occurs is that many ISPs no longer allow for unlisted DNS entries, a requirement for CSA/gateway usage.  This means when you try to reach core.domain.ext it will redirect you to another host, such as your ISP’s homepage web server.  They assume you mistyped the address you are looking for and provide a redirect.  This means that the client will never contact the CSA/gateway because it believes it has reached the core.

 

This also resolves the issue of not being able to have a private and public DNS. (As long as your core is properly firewalled off from global traffic.)

 

Test Problem:


Set your DNS to use OpenDNS while out-of-band (208.67.222.222 and 208.67.220.220). If your core is not publicly listed then it will likely experience this issue.
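
One way to check from a client whether its resolver behaves as described above, as an added example (not part of the attached ldgatewayassistant.sh). It assumes dig is installed; the function names are made up here and core.domain.ext stands for your core's name. It looks up a name that cannot exist alongside the core's name: if the made-up name gets an answer, a DNS answer for the core says nothing about being in-band.

```sh
#!/bin/sh
# Added example. Function names are illustrative, not from LDGatewayAssistant.

# resolve_host NAME: print the IPv4 addresses NAME resolves to, one per line.
# Prints nothing when the resolver reports that the name does not exist.
# Assumption: dig is installed on the client.
resolve_host() {
    dig +short A "$1" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# canary_name DOMAIN: print a host name under DOMAIN that nobody has created.
canary_name() {
    printf 'nx-%s-%s.%s\n' "$$" "$(date +%s)" "$1"
}

# dns_verdict CORE_FQDN: print one of
#   no-answer  the core name does not resolve (DNS says out-of-band)
#   rewritten  a name that cannot exist resolves too, so the resolver (or a
#              wildcard record) answers for everything and the answer for
#              the core proves nothing
#   resolves   the core resolves and the canary does not; reachability of the
#              core's web services still has to be confirmed separately
dns_verdict() {
    dv_core=$1
    dv_domain=${dv_core#*.}          # core.domain.ext -> domain.ext
    dv_core_ips=$(resolve_host "$dv_core" | sort -u)
    if [ -z "$dv_core_ips" ]; then
        echo "no-answer"
        return 0
    fi
    dv_canary_ips=$(resolve_host "$(canary_name "$dv_domain")" | sort -u)
    if [ -n "$dv_canary_ips" ]; then
        echo "rewritten"
        return 0
    fi
    echo "resolves"
}

# Run as: sh dnscheck.sh --check core.domain.ext
if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
    dns_verdict "$2"
fi
```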

 

Resolution:


Attached to this document is an ldgatewayassistant.sh – this will install the LDGatewayAssistant daemon on your Macintosh based clients.

 

The LDGatewayAssistant daemon can do the following tasks for you:
1. Auto broker your Macintosh agents to the CSA/gateway. (in-band and out-of-band)
2. Automatically toggle your inventory scans, vulscans, and policy-based tasks between direct and gateway mode.

3. Automatically update core with latest IP when switching between direct and gateway mode.
4. Allow for limited custom in-band and out-of-band remote control permissions.

 

How it works:


After it is installed on your end-point you will find an LDGatewayAssistant daemon is running (/Library/LaunchDaemons).  Every 15 minutes (configurable) the daemon will quickly run a query to validate that you are still able to communicate with your core server.  It does this by checking the file structure of the core's web services.  If you were previously in-band and the query returns in-band again then no further action is taken.  However, if it returns out-of-band then the daemon will:

1.       Write out the proper connection info for the CSA/gateway to broker.conf.xml. (This is for inventory scans, vulscans, and policy-based tasks.)

2.       Enable the optional remote control configurations for out-of-band. (Prevents vulscan from overwriting these settings.)

3.       Automatically broker the agent if necessary.

4.       Start an inventory scan to sync with the core server.

 

When the agent returns to being in-band then the service will:

1.       Update the broker.conf.xml to automatic mode.

2.       Set remote control configurations back to stricter settings.  (Upon the next vulscan they will be returned to your agent configuration settings.)

3.       Automatically broker the agent if necessary.

4.       Start an inventory scan to sync with the core server.

 

How do I know if it is running?

 

Under /Library/Application Support/LANDesk/data/ there is a file called: ldgatewayassistant.plist.

Within 15 minutes of entering/leaving your network you should see the following events:

- The "count" field in the plist should increment by 1.

 

*Note: If any crashes occur please post them here.

 

What does it work on?

It has been tested on 9.0.3 and 9.5.

 

 

Installation:

 

Basic Installation:
1. Manually configure the settings in the attached LDGatewayAssistant.sh file.
2. Manually install the LDGatewayAssistant on a client computer: sudo ./ldgatewayassistant.sh or sudo sh ldgatewayassistant.sh

 

 

Advanced Deployment Options:

 

1. Advanced Edit of Agent

- Documentation pending.

 

2. Custom Vulnerability

- Documentation pending.

 

3. Deployment package

- The ldgatewayassistant.sh file can be bundled into a LANDesk deployment package and distributed to end points.

 

 

 

Auto Brokering Information:

 

In order to auto broker on the Macintosh agents you will be required to generate a configbroker.enc file.  The contents of this file will then be used in the LDGatewayAssistant to authenticate the brokering process.

 

To generate a configbroker.enc file follow the below steps:

 

1. On a Mac run the following commands:

     echo "username,password" > configbroker.txt

     openssl enc -aes-256-cbc -a -salt -in configbroker.txt -out configbroker.enc

 

     *When prompted enter a phrase to secure the credentials.

     *Replace username and password with the appropriate LANDesk user credentials for your brokering account.

 

2. Copy the contents of the configbroker.enc (open it in textedit.app) and use them as the "code" in the LDGatewayAssistant.
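
A variant of the two commands in step 1 that never writes the plaintext configbroker.txt to disk, as an added example (not part of the original article or of LDGatewayAssistant). The function names and the CB_PHRASE variable are made up here, and it assumes the decrypted text is split at the first comma; verify_broker_code confirms that the file decrypts with the phrase before you copy it into the settings.

```sh
#!/bin/sh
# Added example. Function names and CB_PHRASE are illustrative.

# make_broker_code USER PASSWORD PHRASE OUTFILE
# Same cipher and options as the commands in step 1, but the credentials reach
# openssl on stdin, so no configbroker.txt exists, and the output file is
# created readable by its owner only.
make_broker_code() {
    mbc_user=$1; mbc_pass=$2; mbc_phrase=$3; mbc_out=$4
    case $mbc_user in
        # Assumption: the consumer splits "username,password" at the first comma.
        *,*) echo "user name must not contain a comma" >&2; return 2 ;;
    esac
    if [ -z "$mbc_phrase" ]; then
        echo "phrase must not be empty" >&2
        return 2
    fi
    rm -f "$mbc_out"            # umask only applies to newly created files
    (
        umask 077
        CB_PHRASE=$mbc_phrase
        export CB_PHRASE        # openssl reads the phrase from its environment
        # Adding -pbkdf2 would strengthen the key derivation, but it is only
        # usable if the side that decrypts passes the same option.
        printf '%s,%s\n' "$mbc_user" "$mbc_pass" |
            openssl enc -aes-256-cbc -a -salt -pass env:CB_PHRASE -out "$mbc_out"
    )
}

# verify_broker_code USER PASSWORD PHRASE FILE
# Returns 0 when FILE decrypts with PHRASE to "USER,PASSWORD"; prints nothing.
verify_broker_code() {
    vbc_want="$1,$2"
    vbc_got=$(CB_PHRASE=$3 openssl enc -d -aes-256-cbc -a -pass env:CB_PHRASE \
        -in "$4" 2>/dev/null) || return 1
    [ "$vbc_got" = "$vbc_want" ]
}
```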

 

When the client completes the brokering process it will overwrite the phrase that you provide in the LDGatewayAssistant settings with phrase_overwrite, in order to secure the code and prevent it from being available post brokering.  If you wish to have the LDGatewayAssistant be able to rebroker an agent if its certificate is lost, you can set phrase_overwrite to the same value as phrase.  Doing so keeps the phrase on the client next to the code, so the code is no longer secured after brokering.

 

*DISCLAIMER*
USE OF THE CONFIGBROKER.ENC IS SOLELY AT THE USER'S AND/OR COMPANY'S OWN RISK.  THIS APPLICATION IS AVAILABLE "AS IS", AND THE AUTHOR DISCLAIMS ALL WARRANTIES INCLUDING ANY IMPLIED WARRANTIES.
THE FILE PRODUCED BY RUNNING THE ABOVE COMMANDS CONTAINS ACCOUNT NAME AND PASSWORD INFORMATION THAT MAY NOT BE FULLY PROTECTED UNDER CURRENT ENCRYPTION STANDARDS.  THE AUTHOR SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES, OR COST OF PROCUREMENT OF SUBSTITUTE SERVICES.

 

 

Configuration Options:

 

PList Settings:

Address = IP Address of CSA/gateway


code = Follow the code generation steps above under "Auto Brokering Information".

 

phrase = phrase used to encrypt the code

 

phrase_overwrite = used to replace phrase after brokering is completed *default is "none"


Gateway = hostname.domain.ext of CSA/gateway


In = If the client last was "in-band" (true/false)  *Default is false


Out = If the client last was "out-of-band" (true/false)  *Default is false


rc = 0 or 1
0 = Off – Do not make any changes to client
1 = When the device is out-of-band, LDGatewayAssistant turns off "permission required" for remote control on the agent so that you can remotely access the computer without the user having to accept remote control; it also disables the remote control identifiers.  It automatically turns permission required and the remote control identifiers back on when the client is back "in-band".  *This is useful to remotely kick off policy-based tasks immediately through the CSA/gateway, but please be aware of the security drawbacks when the permission required option is removed: while out-of-band, the user is neither asked to accept a remote control session nor shown that one is active.*

 

Scan = 0, 1
0 = Off - Do not run any scans

1 = Sends full inventory scans to core (works through gateway and in-band)

 

logging = 0 or 1
0 = Off
1 = Enables basic logging - currently only turns on display of server responses when checking if the client is properly talking to core.  These will be displayed in the application log.

 

interval = 1 +

1 = 15 minutes

2 = 30 minutes

3 = 45 minutes (recommended)

4 = 1 hour

(and so on)

 

count = 1

# = current position in the interval process. Once this number reaches the value set in interval, the daemon executes 1 cycle and resets count back to 1.

Example:  If interval is set to 3 and count is set to 1, count increments by 1 every 15 minutes, so its value is 2 after 15 minutes and 3 after 30 minutes; at 45 minutes the cycle executes and count reverts to 1.

 

Uninstall:

 

Version 1.0.0.0:
To uninstall the LDGatewayAssistant you must do it from an administrative account.

From the terminal execute:

sudo rm "/Library/Application Support/LANDesk/data/ldgatewayassistant.sh"

sudo rm "/Library/Application Support/LANDesk/data/ldgatewayassistant.plist"

sudo rm "/Library/LaunchDaemons/com.landesk.ldgatewayassistant.plist"

 

 

DISCLAIMER

 

THIS SOFTWARE IS NOT A PRODUCT OF LANDESK.  THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES, OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT, OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


On demand agent for Macintosh


Hello,

 

We are considering the Cloud Services Appliance, but would need the ability to remote control Macs out in the wild.  I searched around a bit and could not find any information if the current CSA has an on-demand Macintosh agent.

 

Does the current CSA have a Mac on-demand agent and if not, are there plans to have one available?

 

Thanks.

Automatic Gateway Switching post LD9 SP3 agents


If the SP3 update which added automatic gateway switching is giving you problems such as switching the device from LAN to Gateway and it should not, please go look at the following ER. http://community.landesk.com/support/ideas/2705#comment-16282

 

Ever since SP3, devices on my LAN like PCs are switching to gateway mode for some odd reason that I have yet to have discovered why it can't see the core. But when I manually switch them back to LAN, they will stay there for many. But some will switch back to Gateway mode automatically eventually.

 

This is not an issue of the agent being already set into gateway mode when the agent is updated and the /b on the issuser.exe service. It seems as if it is the new functionality.

 

So if this is bugging you, please vote on the ER for a change in this feature that does something like:

  • It may need to give multiple checks over a time period before the switch.
  • A criterion in the agent such as blocking this ability for certain devices or agent.
  • Another possible resolution is to have it check later for connection to core and if it can, it changes it back to LAN.

LANDesk Cloud Services Appliance Landing Page


SSM landing.png

Cloud Services Appliance for LANDesk Management Suite

Where do the cables go on the back of the Appliance?

Take a look at the image below for connecting the gateway.
GatewayETH.png

Initial Install and Configuration

Additional Options and Information

Troubleshooting this Component

 

Support Notice: Only the 4.0 and 4.2 versions of the Cloud Services Appliance/LANDesk Management Gateway are currently supported by Landesk Customer Support.

 

Notice: Any E-Learning content is available by default to Members who have a minimum support agreement at Professional level.


NOTE: This article is not a comprehensive list of documents and issues. You can continue to search the rest of the community or the portion specific to the Cloud Services Appliance if this page hasn't helped.

Searching for matching connections windows wait indefinitely


Hi all, on the new version of Cloud Appliance (appliance updated to the last release, or new Virtual appliance) I noted a change:

 

-Opening RCviewer via Gateway it asks credentials for gateway (I heard that in the last gateway version this was removed, finally! but it seems it was only a rumor); when it tries to connect to remote client it starts window "Searching for matching connections" with a progress bar that never stops; it's right that it happens if remote client is not available but it continues searching until you click cancel;

This introduces further delay on the RControl process to remote client over wan, is it not a long process yet ??

 

I would suggest LANDesk to suppress credential requests for Gateway and to make it show up directly connections table; I mean that is what I expected from new version.

 

Anyone noted this?

 

Regards

Troubleshooting patching the Cloud Service Appliance (Management Gateway). Patches don't apply correctly or fail to appear


Description: On rare occasions patching on the Cloud Services Appliance doesn't appear to work correctly. Either patches that should appear don't, or applying the patches fails with unexpected results.

 

Resolution: There are several possible causes to the problem.

 

Name Resolution: The appliance needs to resolve one of the patch servers: patch.landesk.com, patchec.landesk.com, or patchemea.landesk.com.

 

Ports: The appliance needs both ports 443 and 80 to one of the patch servers in order to download the definitions and install the patches.

 

Corrupt Patch Cache:

 

Clear the patch cache. SSH into the Gateway (or use ALT + F2 while at the appliance itself, right-click, and select xterm) and remove all the files under /usr/LANDesk/ldms/LDClient/cache. This is the location of the patch cache which can be corrupted.

 

Note: If problems are experienced in deleting the files then elevate rights by running "sudo sh" and providing the "admin" password.

How to use HTML5 remote control via Cloud services appliance (gateway)


Description:

 

With Landesk Management Suite 9.5, it is possible to remote control devices simply via an HTML5-compatible browser. This is also available for devices that are connected via the CSA/Gateway.

 

 

1. Setting up the CSA/Gateway to support HTML5 remote control

 

To make the CSA/Gateway compatible, you just need to install the following 2 patches:

 

GSBWEB_68

BROKER_22

 

To install the patches, go to the System > updates tab on the web interface, Scan for Updates and Apply the 2 patches.

 

2. How to use HTML5 remote control

 

To connect to clients via the CSA/gateway, you need to access the web interface of the gateway:

 

https://<gateway>

 

You should then see a new link: Remote Control Agents

 

If you click on that link, you will access a list of clients that you can access via HTML5 remote control.

 

gateway.jpg

 

Environment:

 

Applies to Landesk Cloud Appliance Version 4.2 with patches GSBWEB_68 and BROKER_22

Applies to Landesk Management Suite 9.5

Cloud Gateway Test


I am trying to test the cloud gateway appliance. Does it require a valid SSL cert? Or can I use a self-signed cert for now?


How to change the IP address on an established Management Gateway


Overview:

By default clients that connect to the Management Gateway from the internet will use the IP address of the Gateway instead of the domain name. This connection method has both pluses and minuses but if the IP address of the Management Gateway ever changes the clients themselves will be lost and won't be able to connect. Therefore when changing an IP address of an established Management Gateway careful planning must take place.

 

Client Overview:

When a client starts a connection with the Management Gateway it will retrieve connection information in the following order:

 

  1. C:\Program Files\LANDesk\Shared Files\cbaroot\broker\broker.conf.xml (NOTE: This file is not created by default and is usually skipped)
  2. Any broker certificates already on the client.
  3. The hash.0 file located in C:\Program Files\LANDesk\Shared Files\cbaroot\certs

 

Resolution:

There are many ways to correct this problem. One of the best resolutions is to create a broker.conf.xml file on a test client, modify the file to use the domain name of the Management Gateway and then distribute the file along with an updated hash.0 file to clients. This process will minimize client loss as the client will then use the domain name located in the broker.conf.xml file instead of the IP address.

 

Broker.conf.xml Creation:

The broker.conf.xml file is created when the "Update" button on the "Gateway Information" tab is clicked. The button becomes available when a change is made to the configuration. After creating the file, edit the XML and replace the ipaddress value with the public domain name of the Management Gateway. Testing this file is recommended. (Note: The broker.conf.xml file is only read when brokerconfig.exe is loaded into memory, so brokerconfig.exe must be reloaded before changes take effect and before testing will produce good results.)

 

For computers residing within the DMZ which have no connection to either the Internet or the Intranet, it is still possible to manage these devices via the LANDesk Cloud Appliance, using the same 'Broker.conf.xml' work-around.

 

1. Creating a specific "Broker.conf.xml" file for the devices in the DMZ.  What you'd do is create the "Broker.conf.xml" on one client in the DMZ by running the "BrokerConfig.exe" manually.  This is in the \ldclient directory.

 

The broker.conf.xml file is created when the "Update" button on the "Gateway Information" tab is clicked. The button becomes available when a change is made to the configuration. You'd want to pick "Connect using the Management Gateway"

 

The ‘Broker.conf.xml’ that is generated is in the \\Program Files (x86)\LANDesk\Shared Files\cbaroot\broker directory.

 

2. The 'broker.conf.xml' should be edited so that the  <ipaddress>xxx.xxx.xxx.xxx</ipaddress> reflects the internal network's IP address.  Having this file in the \\Program Files (x86)\LANDesk\Shared Files\cbaroot\broker directory will cause the agent to use that IP address as opposed to using the public facing address.

 

Remember, the 'broker.conf.xml' file is only read when BrokerConfig.exe is loaded into memory, so it is necessary to reload BrokerConfig.exe before the devices will use the new address.

 

Note:  Please make sure to test a few devices to make sure the results are what you expect.

 

 

Producing a new hash.0 file:

Open the Configure - Management Gateway option on the core server. Temporarily enter the new public address and click "Ok". You may receive an error concerning communication with the broker. This error is fine and normal. Save the changes anyway. You'll find the new hash.0 file located in C:\Program Files\LANDesk\ManagementSuite\LDLogon folder. (Note: Some cores may have multiple hash.0 files. Open each file and make sure you get the correct one) After the modified hash.0 file is created change the Configure - Management Gateway settings back to what they were before.

 

Distribute the modified files:

After collecting a broker.conf.xml file and a modified hash.0 file they will need to be distributed to the clients. Configure a policy task through the Management Gateway to replace them.

 

Summary: It will take some time for all clients to check in. However, once the domain name is being used the clients should be able to connect to the Gateway regardless of its IP address. It is recommended to plan and start this task well ahead of the actual IP change to the Gateway so that most (if not all) clients are updated.

External Devices access via Gateway


I am still on a trial for the cloud gateway and have a few questions.

 

I manually installed an exported agent to a laptop. I added my laptop's public IP to the firewall allow list. I was able to run brokerconfig.exe and request the client certificate.

 

How can this be automated?

 

I don't mind manually installing the agent, but I want it to connect and fetch the client certificate on its own.

Also do I need to add 0.0.0.0 to the firewall for all my public laptops? Is this only necessary for the certificate request? Can I block the administrative page to the public?

 

In terms of policy and groups, I'm assuming I can create some smart group based on public IPs or hostnames? I haven't looked at that yet.

 

I know it says not to, but has anyone tried to put this behind a netscaler load balancer? This would be my backup if I can't block the admin page natively.

Policy, Inventory Scans not going over LANDesk Gateway


I have a test LANDesk 9.5 SP1 core setup and have posted the certificate to our LANDesk Cloud Services Appliance.

 

The computer is able to do automatic gateway switching and I am able to connect via LANDesk Gateway or HTML5 for remote control but Inventory Scans and Policies are not working over the LANDesk gateway.

 

The computer has a broker certificate (I ran brokerconfig -R) and broker.crt, broker.cer and broker.key are present.

 

broker.conf.xml is probably configured with public IP address and hostname of our LANDesk Gateway appliance.

 

When I attempt to run an inventory scan or policy scan I get host not found. It doesn't appear to be switching to the LANDesk gateway for communication outside our network.

 

Any ideas?

Testing the new Cloud Services Appliance interest?


I am looking for some people that would be willing to upgrade their 4.2 appliance to the new version that we will be testing.  Who would have interest? We are looking for people using the vCSA and the appliance would need to be one that has been configured with RAID.  If you are interested, leave your name, email, and phone number (optional), as well as city, state, and if not in the us, then city and country. Thanks in advance.

Trouble Generating a CSR


Hello

 

I am trying to create a CSR on the gateway but I keep getting an Error 500

 

"The website encountered an error while retrievinghttps://<<corename>>/gsb/ldmgcerts.php/gsb/ldmgcerts.php. It may be down for maintenance or configured incorrectly."

 

Any ideas on what I may be doing wrong? I tried adding any alternate names in the additional host section in Gateway Management but that didn't seem to help...

