Environment

LANDESK Management Suite 9.5 SP1 and later
Cloud Service Appliance 4.x

Scenario

You need to change the public IP address used by the remote managed devices, and you want to update their configuration without redeploying the agent or having them connecting to the corporate network.

Rationale

There are several ways to reconfigure your clients in order to have them connecting to a new Cloud Services Appliance or to its new public IP address such as a LANDESK Agent re-deployment or connecting your managed nodes to the corporate network and have them getting the updated agent settings, or configuring your firewall to redirect the traffic of two public IP addresses to the interface of the appliance, or even setting up a second CSA with the new public IP address and update the connectivity settings of the clients making them switching from a CSA to another.

This article let you update your clients when none of the above options are available. If you have only one appliance, and you have to shut down the former IP address and activate the new one sequentially, you can have your remote clients configured without the need to redeploy the LANDESK Agent, its settings, or having the remote clients connecting to the corporate network to communicate with the Core directly, in the simplest possible way.

The idea is to update the remote managed nodes with the new public IP address PRIOR to change it on the appliance, temporarily losing connectivity with them, wait for all of them running a Security Scan so they can update their connectivity settings and then change the IP address of the Cloud Services Appliance, having the managed devices regaining connectivity with it and with the Core Server.

The IP address of the appliance is included in the LANDESK Agent connectivity settings, that are updated automatically on the managed devices that are able to communicate with the core while running a Security Scan.

Solution

Update the Cloud Services Appliance configuration on the Core

Update the .0 file replacing the old IP CSA's address with the new one.

This is achievable in several ways, for example scheduling a PowerShell script via policy

Here is a script sample, where the fields <old ip>, <new ip> and <certname> must be replaced with the relevant data:

(Get-Content "$env:LDMS_LOCAL_DIR\..\..\Shared Files\cbaroot\certs\<certname>.0") | ForEach-Object { $_ -replace "<old ip>", "<new ip>" } | Set-Content "$env:LDMS_LOCAL_DIR\..\..\Shared Files\cbaroot\certs\<certname>.new"

Remove-Item "$env:LDMS_LOCAL_DIR\..\..\Shared Files\cbaroot\certs\<certname>.0"

Rename-Item "$env:LDMS_LOCAL_DIR\..\..\Shared Files\cbaroot\certs\<certname>.new" <certname>.0

    

Open, verify and save the all the Connectivity settings used by the remotely managed devices. This will update the related XML file in the %LDMS_HOME%\ldlogon\AgentBehaviors (C:\Program Files\LANDesk\ManagementSuite\ldlogon\AgentBehaviors) with the new appliance's IP.

For 9.6 and later:

Update client connectivity profile:

Go to Tools > Configuration > Agent settings.
Locate the client connectivity settings that are in use by your agents.
Move the csa to the available section.
Uncheck the box to enable the CSA then click save.
Re open the configuration and then move the CSA to the selected column.

Then click save.
Validate that the settings were updated by checking the client connectivity xml located here: C:\Program Files\LANDesk\ManagementSuite\ldlogon\AgentBehaviors

4) Wait for your managed devices to run a scheduled security scan. This schedule depends on how their Agent is configured in the Security and compliance scan > Patch and compliance scan section. This will update the connectivity settings of the remote clients, making them pointing to the new IP address of the CSA and losing connectivity with it.

As an alternative, you can manually run the following command on the devices, or include it in a software package distributed via policy and downloadable via http (software package configured via UNC don't work via the appliance).

"%LDMS_LOCAL_DIR%\..\vulscan.exe" /changesettings (silent mode)

"%LDMS_LOCAL_DIR%\..\vulscan.exe" /changesettings /showui (showing the user interface)

This will make the client lose the connectivity to the former public IP address making it pointing to the new IP address. The connectivity will be re-established once the new public IP address of the CSA will be configured.

Change the public IP address of the Cloud Services Appliance

Issue: Public IP address reverting back to old IP address

Client verifications

To verify that a client has received the updates, verify that the significant file includes the new IP address of the Cloud Services Appliance:

%LDMS_LOCAL_DIR%\..\..\Shared Files\cbaroot\broker\broker.conf.xml

%LDMS_LOCAL_DIR%\..\..\Shared Files\cbaroot\certs\*.0

If it's too late

If the IP address of the Cloud Services Appliance has already changed and you haven't had the chance to update your clients using the previous IP address, you lost communication with the managed devices outside the CSA.

Some things you can do are:

• Create a powershell script that updates both the .0 file and the broker.conf.xml files
• Upload the script to the CSA using the Software Package Upload section of the appliance, instructing your user on how to download and execute the script

• Have your remote clients connect to the corporate network so they can run a Security Scan being directly connected to the core
  

Other resources

An alternative method to silently update the .0 file on the remote devices:

How To: Silently Update the Management Gateway IP Address in the .0 File

The logic user by a managed device to connect to the Cloud Services Appliance is explained in the following article:

How to change the IP address on an established Management Gatew