This document applies to 9.0 post sp2, 9.5, and 9.6
Problems/Symptoms:
How to automatically configure a client for the Cloud Services Appliance, without manually entering username and password information.
Details:
Configurebroker.exe creates an LNG file which can then be used to automatically authenticate through the Cloud Services Appliance. There are two methods of using this LNG file which are documented below.
Resolution:
Configurebroker.exe. (attached to the bottom of this article)
DISCLAIMER
USE OF THE CONFIGUREBROKER.EXE APPLICATION SOFTWARE IS SOLELY AT THE USER’S AND/OR COMPANY’S OWN RISK. THIS SOFTWARE APPLICATION IS AVAILABLE “AS IS,” AND LANDESK SPECIFICALLY DISCLAIMS ALL WARRANTIES INCLUDING ANY IMPLIED WARRANTIES.
THE FILE PRODUCED BY CONFIGUREBROKER.EXE CONTAINS ACCOUNT NAME AND PASSWORD INFORMATION THAT MAY NOT BE FULLY PROTECTED UNDER CURRENT ENCRYPTION STANDARDS. LANDESK SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES (EVEN IF LANDESK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), OR COST OF PROCUREMENT OF SUBSTITUTE SERVICES.
IMPORTANT: It’s strongly recommended to follow all of the steps listed below. Before implementing the ConfigureBroker.exe, it is recommended to make sure manual retrieval of the certificates using Brokerconfig.exe both internally and externally works. Configurebroker.exe is NOT a secure method of configuring devices for the Cloud Services Appliance.
NOTE:
It is not necessary to add brokerconfig.exe /r to the configuration. If the agent is installed on the network, the .lng file will not be used. Once the computer goes out-of-band and attempts an inventory scan or vulscan, the .lng file will be consumed to obtain the certificate.
Using ConfigureBroker.exe
Creating the .lng file
Create a local user account on the core server called configure.broker. (Do not use a domain account)
Add the user account to the local LANDesk Management Suite Group on the core.
In the LANDesk Console, remove all LANDesk rights from the user.
Remove all Scopes from the configure.broker user.
The user should show the Default No Machines Scope and have no rights present.
NOTE: Only use this user for the ConfigureBroker.exe utility.
Copy the ConfigureBroker.exe (attached to the bottom of this article) to the LANDesk Core Server's ManagementSuite folder. This folder is shared by default with the share name of LDMain.
Run "ConfigureBroker.exe" and enter the username and password of the configure.broker user that was just created and that is a member of the LANDesk Management Suite user group.
(Do not use a domain account)
Click Save.
The ConfigureBroker.exe creates a folder in the LDMain share/ManagementSuite folder called "noshareLDLogon".
Inside this folder a file is created called "BrokerConfig.lng".
Copy the "BrokerConfig.lng" file to the root of the LDLogon share on the core server. The LDLogon folder is under the ManagementSuite folder.
NOTE: If using the ConfigureBroker.exe, it is highly recommended that “logon” rights from the local security policy for local users be removed. This will block non domain users from logging into the LANDesk application.
LANDesk 9.0 SP2: Role-based Administration has changed in LANDesk 9.0. The following items must be changed.
1. The configure.broker user must be a member of the Script-Writers Group.
2. Add "modify" rights for the Script-Writers Group to the C:\Program Files\LANDesk\ManagementSuite\brokerreq folder on the core server.
Including the .lng file in the LANDesk Agent
The following steps will update the default LANDesk Agent Configuration so that all agents will include the .lng file, and automatically retrieve the Gateway Certificate on Agent install.
Browse to the \ManagementSuite\ldlogon folder on the LANDesk Core Server.
Open the ntstacfg.in# file with notepad. Search for the [Common Base Agent Post Copy] section.
At the end of the [Common Base Agent Post Copy] section add the following line:
FILE10001=BrokerConfig.lng, %ldms_local_dir%\..\..\Shared Files\cbaroot\broker\BrokerConfig.lng
LANDesk 9.0 SP2 Update: There are two [Common Base Agent Post Copy] sections in the LANDesk 9.0 SP2 agent.ini file. Be sure to add the previous lines to the larger section that appears first. If this is not done the LNG file will not be inserted in the self-contained agent executable. A good way to check this is to search the log for "brokerconfig.lng" after the self-contained executable is created. You should see a line stating that the brokerconfig.lng file was inserted into the CAB. (This is resolved in SP2 for LDMS 9.0 CR00047107)
After saving the changes, go to Configure | Services | Inventory and restart the Inventory Service.
After the service restarts, the existing agents must be rebuilt to include the new changes.
In the LANDesk Console, go to Tools | Configuration | Agent Configuration. Click the Rebuild All button.
To verify that the agents received the change, right-click on an agent and choose Advanced Edit.
The Agent Configuration.ini file will open for that Agent.
Look under the [Common Base Agent Post Copy] section for the two lines that were added.
Create a self-extracting executable for the configuration by right-clicking on the configuration in the console and choosing Create self-contained client installation package.
Choose the location for the self-contained EXE files, and click Save.
NOTE: After creating the self-contained Agent Installer, it is highly recommended to remove the BrokerConfig.lng file from the Ldlogon share.
Install the self-extracting executable to the remote machine. If the machine is connected to the internet, then a cert will be created on the client during install.
If the machine was not connected to the internet when the agent was installed, the inventory scanner will automatically run brokerconfig.exe -r the next time it runs and finds that it doesn't have a cert.
After the client is configured for the Gateway, the BrokerConfig.lng is deleted.
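An added check for the verification step above (example code, not part of the original article or of LANDesk's tooling): it reads an agent configuration .ini and reports which occurrence of the [Common Base Agent Post Copy] section holds the BrokerConfig.lng FILE line, since on 9.0 SP2 the line must be in the first one. The function name, the sample lines and the commented file path are assumptions.

```powershell
# Added example, not LANDesk code. Test-LngLineInFirstSection is a hypothetical name.
function Test-LngLineInFirstSection {
    param(
        [Parameter(Mandatory = $true)][string[]]$Lines,
        [string]$Section = 'Common Base Agent Post Copy'
    )
    $occurrence = 0        # times the target section header has been seen so far
    $inTarget   = $false   # currently inside an occurrence of the target section?
    $foundIn    = @()      # occurrence numbers that contain the .lng FILE line
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Any section header ends the previous section.
            $inTarget = ($Matches[1].Trim() -eq $Section)
            if ($inTarget) { $occurrence++ }
            continue
        }
        # FILE<n>=BrokerConfig.lng, <destination>  (the key number may differ)
        if ($inTarget -and $text -match '^FILE\d+\s*=\s*BrokerConfig\.lng\s*,') {
            $foundIn += $occurrence
        }
    }
    [pscustomobject]@{
        SectionCount   = $occurrence
        FoundInSection = $foundIn
        InFirstSection = ($foundIn -contains 1)
    }
}

# Constructed sample: two sections with the same name, line added to the second only.
$sample = @(
    '[Common Base Agent Post Copy]',
    'FILE1=example.dll, %ldms_local_dir%\example.dll',
    '[Common Base Agent Post Copy]',
    'FILE10001=BrokerConfig.lng, %ldms_local_dir%\..\..\Shared Files\cbaroot\broker\BrokerConfig.lng'
)
Test-LngLineInFirstSection -Lines $sample

# Against a real file (path is an assumption; use the .ini opened by Advanced Edit):
# Test-LngLineInFirstSection -Lines (Get-Content 'C:\path\to\AgentConfiguration.ini')
```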
Manually using the .lng file
Run through the steps to create the .lng file. Manually copy the .lng file to the C:\Program Files\LANDesk\Shared Files\cbaroot\broker folder on an existing client. When the inventory scan executes on the client it will consume the .lng file and the broker certificates will be retrieved.
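The article recommends removing BrokerConfig.lng from the LDLogon share once the installer is built and states that clients delete their copy after use. The following added audit example (not part of the original article or of LANDesk's tooling) reports where a copy of the file still exists and which identities can read it; the function name is hypothetical and the paths assume the default locations named in the article.

```powershell
# Added example, not LANDesk code. Get-LngExposure is a hypothetical name.
function Get-LngExposure {
    param([Parameter(Mandatory = $true)][string[]]$Path)
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            [pscustomobject]@{ Path = $p; Present = $false; LastWrite = $null; Readers = $null }
            continue
        }
        $item = Get-Item -LiteralPath $p
        # Identities with an Allow entry that includes read access to the file data.
        $readers = (Get-Acl -LiteralPath $p).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights -band $readData) -ne 0)
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique
        [pscustomobject]@{
            Path      = $p
            Present   = $true
            LastWrite = $item.LastWriteTime
            Readers   = ($readers -join '; ')
        }
    }
}

# Paths follow the article; $ms (the ManagementSuite folder) is an assumption to adjust.
$ms = 'C:\Program Files\LANDesk\ManagementSuite'
Get-LngExposure -Path @(
    "$ms\ldlogon\BrokerConfig.lng",          # should be gone once the installer is built
    "$ms\noshareLDLogon\BrokerConfig.lng",   # original written by ConfigureBroker.exe
    'C:\Program Files\LANDesk\Shared Files\cbaroot\broker\BrokerConfig.lng'  # client copy, deleted after use
)
```

This reads NTFS permissions only; share-level permissions on LDLogon are evaluated separately by Windows. Run the first two paths on the core server and the third on a client.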
Macintosh Update: With the release of LANDesk 9, Macintosh clients can now connect through the Cloud Services Appliance. However, the process described below currently is not working. An enhancement request has been submitted to add the functionality in the future. Some other design changes may make this possible as well.