Purpose
LANDESK administrators are always seeking better methods of managing their devices. For devices off the network, communicating through the Cloud Services Appliance (CSA) allows them to send their inventory results, patch data, etc. to the core. For this communication to succeed, the client must be able to obtain the broker certificate from the CSA. This document outlines one method of distributing these broker certificates to clients outside the network, and explains how to automatically configure a client for the Cloud Services Appliance without having to manually enter username and password information.
Details
Configurebroker.exe creates an LNG file which can then be used to automatically authenticate through the Cloud Services Appliance. There are two methods of using this LNG file which are documented below.
Resolution
Configurebroker.exe (attached to the bottom of this article)
IMPORTANT: It is strongly recommended to follow all of the steps listed below. Before implementing ConfigureBroker.exe, make sure that manual retrieval of the certificates using Brokerconfig.exe works both internally and externally. Configurebroker.exe is NOT a secure method of configuring devices for the Cloud Services Appliance.
NOTE: It is not necessary to add brokerconfig.exe /r to the configuration. If the agent is installed on the network, the .lng file will not be used. Once the computer goes out-of-band and attempts an inventory scan or vulscan, the .lng file will be consumed to obtain the certificate.
Using ConfigureBroker.exe
Creating the .lng file
Create a local user account on the core server called configure.broker. (Do not use a domain account.)
Add the user account to the local LANDesk Management Suite Group on the core.
The user now needs to be added to LANDESK. In LANDESK Management Suite, select Administration from the Toolbox, then select User Management. Click the black arrow next to the green plus sign and select "New user or group" from the options. In the new pop-up window, find your new user in the list on the left, click it once, and then click the "Add" button in the right-hand window.
In the LANDesk Console, remove all LANDesk rights from the user.
Remove all Scopes from the configure.broker user.
The user should show the Default No Machines Scope and have no rights present.
NOTE: Only use this user for the ConfigureBroker.exe utility.
Copy the ConfigureBroker.exe (attached to the bottom of this article) to the LANDesk Core Servers ManagementSuite folder. This folder is shared by default with the share name of LDMain.
Run "ConfigureBroker.exe" and enter the username and password of the configure.broker user that was just created and that is a member of the LANDesk Management Suite user group. (Do not use a domain account.)
Click Save.
ConfigureBroker.exe creates a folder called "noshareLDLogon" in the LDMain share (the ManagementSuite folder).
Inside this folder a file is created called "BrokerConfig.lng".
Copy the "BrokerConfig.lng" file to the root of the LDLogon share on the core server. The LDLogon folder is under the ManagementSuite folder.
NOTE: If using ConfigureBroker.exe, it is highly recommended that "logon" rights for local users be removed in the local security policy. This blocks non-domain users from logging into the LANDesk application.
Including the .lng file in the LANDesk Agent
The following steps will update the default LANDesk Agent Configuration so that all agents will include the .lng file, and automatically retrieve the Gateway Certificate on Agent install.
Browse to the \ManagementSuite\ldlogon folder on the LANDesk Core Server.
Open the ntstacfg.in# file with Notepad. Search for the [Common Base Agent Post Copy] section.
At the end of the [Common Base Agent Post Copy] section add the following line:
FILE10001=BrokerConfig.lng, %ldms_local_dir%\..\..\Shared Files\cbaroot\broker\BrokerConfig.lng
After saving the changes, go to Configure | Services | Inventory and restart the Inventory Service.
After the service restarts, the existing agents must be rebuilt to include the new changes.
In the LANDesk Console, go to Tools | Configuration | Agent Configuration. Click the Rebuild All button.
To verify that the agents received the change, right-click on an agent and choose Advanced Edit.
The Agent Configuration.ini file will open for that Agent.
Look under the [Common Base Agent Post Copy] section for the FILE10001 line that was added earlier.
Create a self-extracting executable for the configuration by right-clicking on the configuration in the console and choosing Create self-contained client installation package.
Choose the location for the self-contained EXE files, and click Save.
NOTE: After creating the self-contained Agent Installer, it is highly recommended to remove the BrokerConfig.lng file from the LDLogon share and to remove or comment out the added line in the IN# file.
Install the self-extracting executable on the remote machine. If the machine is connected to the internet, a certificate will be created on the client during install.
If the machine was not connected to the internet when the agent was installed, the inventory scanner will automatically run brokerconfig.exe -r the next time it runs and finds that the client does not have a certificate.
After the client is configured for the Gateway, the BrokerConfig.lng file is deleted.
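The edit to ntstacfg.in# and the later clean-up step are easy to get wrong by hand (a duplicated FILE10001 entry, or a BrokerConfig.lng left on the LDLogon share where it exposes the configure.broker credentials to anyone who can read the share). The following Python script is an added example, not part of this article or of the LANDESK product: it adds the post-copy line to the [Common Base Agent Post Copy] section only if it is not already active, comments it back out once the self-contained installer has been built, and checks whether a BrokerConfig.lng is still sitting in the LDLogon root. It assumes the .in# file is an INI-style file with [Section] headers and ';' comment lines, and the sample file contents and paths below are constructed placeholders.

```python
"""Added example: manage the BrokerConfig.lng line in ntstacfg.in# and audit
the LDLogon share. Not LANDESK's own tooling; the ';' comment convention and
the sample file below are assumptions/constructed data."""
from pathlib import Path

SECTION = "[Common Base Agent Post Copy]"
# The exact line the article tells you to add to the section.
BROKER_LINE = (
    "FILE10001=BrokerConfig.lng, "
    r"%ldms_local_dir%\..\..\Shared Files\cbaroot\broker\BrokerConfig.lng"
)


def _section_bounds(lines, header):
    """Return (start, end): index of the header line and index of the next
    [header] (or end of file). Raises if the section is missing."""
    start = None
    for i, line in enumerate(lines):
        if line.strip().lower() == header.lower():
            start = i
            break
    if start is None:
        raise ValueError(f"section {header} not found")
    end = len(lines)
    for j in range(start + 1, len(lines)):
        if lines[j].strip().startswith("["):
            end = j
            break
    return start, end


def add_broker_line(text: str) -> str:
    """Append BROKER_LINE at the end of the post-copy section. Idempotent:
    an active copy is left alone, a commented-out copy is re-activated."""
    lines = text.splitlines()
    start, end = _section_bounds(lines, SECTION)
    for i in range(start + 1, end):
        stripped = lines[i].strip()
        if stripped == BROKER_LINE:
            return text  # already active, nothing to do
        if stripped.lstrip(";").strip() == BROKER_LINE:
            lines[i] = BROKER_LINE  # un-comment the existing entry
            return "\n".join(lines) + "\n"
    # Insert before the section's trailing blank lines so the next header
    # keeps its separating blank line.
    insert_at = end
    while insert_at > start + 1 and lines[insert_at - 1].strip() == "":
        insert_at -= 1
    lines.insert(insert_at, BROKER_LINE)
    return "\n".join(lines) + "\n"


def comment_out_broker_line(text: str) -> str:
    """Disable the entry again after the self-contained installer is built."""
    lines = text.splitlines()
    start, end = _section_bounds(lines, SECTION)
    for i in range(start + 1, end):
        if lines[i].strip() == BROKER_LINE:
            lines[i] = ";" + BROKER_LINE
    return "\n".join(lines) + "\n"


def broker_line_active(text: str) -> bool:
    """True if an un-commented BROKER_LINE is present in the section."""
    lines = text.splitlines()
    start, end = _section_bounds(lines, SECTION)
    return any(lines[i].strip() == BROKER_LINE for i in range(start + 1, end))


def lng_left_behind(ldlogon_dir) -> bool:
    """True if BrokerConfig.lng is still in the LDLogon share root. It holds
    the configure.broker credentials and should be removed after packaging."""
    return (Path(ldlogon_dir) / "BrokerConfig.lng").is_file()


# Constructed stand-in for the relevant part of ntstacfg.in# (not a real dump).
SAMPLE_IN = """[Common Base Agent Post Copy]
FILE10000=example.txt, %ldms_local_dir%\\example.txt

[Next Section]
KEY=value
"""

if __name__ == "__main__":
    updated = add_broker_line(SAMPLE_IN)
    print(updated)                        # section now ends with FILE10001=...
    print(comment_out_broker_line(updated))  # same file with ;FILE10001=...
    # Placeholder path; on a core this would be the LDLogon share root.
    print("lng still on share:", lng_left_behind(r"C:\placeholder\ldlogon"))
```

Run the add function before rebuilding the agents and the comment-out function (plus the lng_left_behind check against the real LDLogon path) right after the self-contained package has been saved; because both functions are idempotent they can be re-run safely if a step is repeated.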
Manually using the .lng file
Run through the steps above to create the .lng file. Manually copy the .lng file to the C:\Program Files\LANDesk\Shared Files\cbaroot\broker folder on an existing client. When the inventory scan executes on the client, it will consume the .lng file and retrieve the broker certificates.
Macintosh Update: With the release of LANDesk 9, Macintosh clients can now connect through the Cloud Services Appliance. However, the process described above does not currently work for them. An enhancement request has been submitted to add the functionality in the future. Other design changes may make this possible as well.