General:
Subject/Problem/Symptoms:
How to automate Windows agent communication for inventory scans, vulscans, and policy-based tasks through the CSA/gateway without the use of DNS.
Description/Details:
When an agent is out-of-band and brokerconfig.exe is set to “Dynamically determine connection route”, the agent does a DNS lookup of the core server's name before deciding where to direct traffic. If the lookup returns anything other than “Host not found” or “Request could not find host”, the agent assumes it can communicate with the core server directly.
The issue is that many ISP resolvers no longer return a “host not found” (NXDOMAIN) answer for names that do not exist in public DNS, and an unlisted core name is exactly what a CSA/gateway deployment relies on. The resolver assumes you mistyped the name and instead answers with the address of one of its own hosts, such as the ISP's search or landing-page web server. The lookup of core.domain.ext therefore appears to succeed, the agent believes it has reached the core, and it never contacts the CSA/gateway.
Because the check described below does not depend on DNS, it also removes the need to maintain separate private and public (split-horizon) DNS for the core name, as long as the core itself is properly firewalled off from global traffic.
Test Problem:
Set your DNS to OpenDNS while out-of-band (208.67.222.222 and 208.67.220.220). If your core is not publicly listed, the agent will most likely exhibit this issue, because that resolver has answered lookups for non-existent names with the address of its own landing page instead of “host not found”.
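The following PowerShell script is an added example; it is not part of this document or of LDGatewayAssistant. It runs the two connectivity checks side by side on a client: the agent's DNS test, which an ISP resolver that rewrites NXDOMAIN defeats, and a web-structure test of the kind the service uses instead. The core name is a placeholder, and the web test assumes ldgatewayassistant.msi has been copied into the core's ldlogon folder (see Advanced Deployment, option 1) so that the core serves it over HTTP; both are assumptions you adjust for your environment.

```powershell
# Added example (not part of this document or of LDGatewayAssistant). It runs the
# two connectivity checks side by side: the agent's DNS test, which an ISP resolver
# that rewrites NXDOMAIN defeats, and a web-structure test like the one the service
# uses. Names below are placeholders: replace $CoreName with your core's FQDN.
# The web test assumes ldgatewayassistant.msi has been copied into the core's
# ldlogon folder (Advanced Deployment, option 1) so that it is served over HTTP.

$CoreName  = 'core.domain.ext'                                  # assumed core FQDN
$KnownFile = "http://$CoreName/ldlogon/ldgatewayassistant.msi"  # exists on a real core
$BogusFile = "http://$CoreName/ldlogon/does-not-exist-" + [guid]::NewGuid().ToString('N') + '.msi'

function Test-CoreByDns {
    # What the agent does when set to "Dynamically determine connection route":
    # any answer that is not "host not found" is treated as "core reachable".
    param([string]$Name)
    try {
        $null = [System.Net.Dns]::GetHostAddresses($Name)
        return $true
    } catch {
        return $false    # SocketException: no such host is known (NXDOMAIN)
    }
}

function Test-ResolverRewritesNxdomain {
    # Resolve a random label that cannot exist. Getting an answer proves the
    # resolver synthesises records, so Test-CoreByDns cannot be trusted on it.
    param([string]$Domain)
    $bogusName = 'nx-' + [guid]::NewGuid().ToString('N').Substring(0, 12) + '.' + $Domain
    return (Test-CoreByDns -Name $bogusName)
}

function Get-HttpStatus {
    # HEAD request without following redirects; 0 means no HTTP answer at all.
    param([string]$Url, [int]$TimeoutMs = 5000)
    try {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Method = 'HEAD'
        $req.AllowAutoRedirect = $false
        $req.Timeout = $TimeoutMs
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch {
        # PowerShell wraps .NET exceptions; dig out the WebException, which
        # carries the response object for 4xx/5xx answers.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.WebException] -and $ex.Response) {
            return [int]$ex.Response.StatusCode
        }
        return 0
    }
}

function Test-CoreByWeb {
    # The file-structure check: a real core serves the known file (2xx) and
    # answers 404 for a file that does not exist. An ISP landing page or a
    # captive portal gives the same answer for both, so it fails this test.
    param([string]$KnownUrl, [string]$BogusUrl)
    $known = Get-HttpStatus -Url $KnownUrl
    $bogus = Get-HttpStatus -Url $BogusUrl
    return ($known -ge 200 -and $known -lt 300 -and $bogus -eq 404)
}

$domain        = $CoreName.Substring($CoreName.IndexOf('.') + 1)
$dnsSaysInBand = Test-CoreByDns -Name $CoreName
$resolverLies  = Test-ResolverRewritesNxdomain -Domain $domain
$webSaysInBand = Test-CoreByWeb -KnownUrl $KnownFile -BogusUrl $BogusFile

"DNS check says in-band:       $dnsSaysInBand"
"Resolver rewrites NXDOMAIN:   $resolverLies"
"Web-structure check in-band:  $webSaysInBand"
if ($dnsSaysInBand -and -not $webSaysInBand) {
    Write-Warning 'DNS resolves the core but its web services do not answer: the agent would stay in direct mode and never use the CSA/gateway.'
}
```

Run it from a client on the suspect ISP connection. The interesting combination is the warning case: the DNS check passes because the resolver answered with a landing-page address, while the web-structure check fails because that host does not serve the core's files and does not answer 404 for missing ones. The random-label test is also a quick way to confirm that a given resolver rewrites NXDOMAIN before blaming the agent.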
Resolution:
Attached to this document are ldgatewayassistant.exe and ldgatewayassistant.msi; both install the LDGatewayAssistant service on your Windows-based clients.
The LDGatewayAssistant service can do the following tasks for you:
1. Automatically broker your Windows agents to the CSA/gateway.
2. Automatically toggle your inventory scans, vulscans, and policy-based tasks between direct and gateway mode.
3. Automatically enable the issuser heartbeat so the agent reconnects to the CSA/gateway on connection loss.
4. Automatically update the core with the client's latest IP address when switching between direct and gateway mode.
5. Allow limited custom in-band and out-of-band remote control permissions.
How it works:
After it is installed on your endpoint you will find an LDGatewayAssistant service running, with its events written to the Windows Application log. Every 15 minutes (configurable) the service runs a quick query to validate that the client can still communicate with your core server. It does this by checking the file structure of the core's web services rather than by DNS. If the client was previously in-band and the query returns in-band again, no further action is taken. If it returns out-of-band, the service will:
1. Write out the proper connection info for the CSA/gateway to broker.conf.xml. (This is for inventory scans, vulscans, and policy-based tasks.)
2. Enable the issuser heartbeat so that it will automatically reconnect to the CSA/gateway on connection loss.
3. Set the issuser service to gateway mode.
4. Enable the optional remote control configurations for out-of-band. (Prevents vulscan from overwriting these settings.)
5. Automatically broker the agent if necessary.
6. Start an inventory scan to sync with the core server.
When the agent returns to being in-band then the service will:
1. Delete the broker.conf.xml.
2. Disable the issuser heartbeat.
3. Set the issuser service to direct mode.
4. Set remote control configurations back to stricter settings. (Upon the next vulscan they will be returned to your agent configuration settings.)
5. Start an inventory scan to sync with the core server.
How do I know if it is working correctly?
Under Event Viewer -> Windows Logs -> Application there will be entries written by LDGatewayAssistant.
Within 15 minutes (or one configured interval) of entering or leaving your network you should see the following events:
- Gateway mode: In network. / Out-of-band.
- Starting sync to core.
- Sync to core has completed.
*Note: If any crashes occur please post them here.
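The following PowerShell function is an added example for checking the events above on one or many clients; it is not part of this document or of LDGatewayAssistant. It assumes the service writes its entries under the event source name “LDGatewayAssistant” (confirm the exact source name in Event Viewer first) and that the message texts match those listed above; the client names at the end are constructed placeholders.

```powershell
# Added example (not part of this document or of LDGatewayAssistant). It reads
# the service's Application log entries and reports the last mode the service
# logged, when it logged it, and whether the sync to the core that should follow
# a mode change actually completed. Assumption: events are written under the
# source name 'LDGatewayAssistant'; confirm the exact source name in Event Viewer.

function Get-GatewayAssistantStatus {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Source = 'LDGatewayAssistant'         # assumed event source name
    )
    # Remote queries need the Remote Registry / Event Log services reachable.
    $events = Get-EventLog -ComputerName $ComputerName -LogName Application `
                           -Source $Source -Newest 100 -ErrorAction SilentlyContinue
    if (-not $events) {
        return New-Object PSObject -Property @{
            Computer = $ComputerName; Mode = 'unknown'; ModeChangedAt = $null
            LastSync = $null; SyncCompleted = $false; Note = "no events from source '$Source'"
        }
    }
    # Get-EventLog returns newest first, so Select-Object -First 1 is the latest.
    $modeEvent = $events | Where-Object { $_.Message -like 'Gateway mode:*' } | Select-Object -First 1
    $syncEvent = $events | Where-Object { $_.Message -like 'Sync to core has completed*' } | Select-Object -First 1

    # After every mode change the service logs "Starting sync to core." and then
    # "Sync to core has completed."; a completed sync older than the last mode
    # change means the sync never finished (core unreachable or broker failure).
    $syncOk = ($modeEvent -and $syncEvent -and $syncEvent.TimeGenerated -ge $modeEvent.TimeGenerated)

    New-Object PSObject -Property @{
        Computer      = $ComputerName
        Mode          = $(if ($modeEvent) { $modeEvent.Message.Substring('Gateway mode:'.Length).Trim() } else { 'unknown' })
        ModeChangedAt = $(if ($modeEvent) { $modeEvent.TimeGenerated } else { $null })
        LastSync      = $(if ($syncEvent) { $syncEvent.TimeGenerated } else { $null })
        SyncCompleted = $syncOk
        Note          = $(if ($syncOk) { 'ok' } elseif ($modeEvent) { 'mode changed but no completed sync since' } else { 'no mode event logged yet' })
    }
}

# Local check, then the same against a list of clients (constructed names).
Get-GatewayAssistantStatus | Format-List
'client01', 'client02' | ForEach-Object { Get-GatewayAssistantStatus -ComputerName $_ } |
    Format-Table Computer, Mode, ModeChangedAt, LastSync, SyncCompleted, Note -AutoSize
```

With the logging registry value at 0 the service only writes events on a mode change, so the absence of new events is not by itself a fault; the useful signal is a mode event that is not followed by a completed sync.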
What does it work on?
It has been tested on LANDesk 9.0.2, 9.0.3, and 9.5.
Installation:
Basic Installation:
1. Manually install the LDGatewayAssistant on a client computer: ldgatewayassistant.msi /qn
2. Manually import the attached registry key after customizing it:
32-bit Windows: c:\windows\system32\reg.exe import ldgatewayassistant.reg
64-bit Windows: c:\windows\syswow64\reg.exe import ldgatewayassistant.reg
(On 64-bit Windows the SysWOW64 copy of reg.exe is the 32-bit one, so the HKLM\SOFTWARE\LANDesk\GatewayAssistant keys in the .reg file are redirected to HKLM\SOFTWARE\Wow6432Node\LANDesk\GatewayAssistant, which is where the 32-bit service reads them. Importing with the System32 copy on 64-bit Windows would leave the values in the 64-bit view, where the service does not look.)
Advanced Deployment Options:
1. Advanced Edit of Agent
- Copy ldgatewayassistant.msi into your ldlogon folder on the core server.
- Select the Windows Agent Configuration you wish to include LDGatewayAssistant with.
- Right click and select “Advanced edit”.
- Paste the following lines into the editor just above the “;**** Begin of Remote Control component ****” Section:
;Install LDGatewayAssistant
REG56=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\Address, IPAddressOfGatewayHere, , REG_SZ
REG57=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\code, HashGoesHereFromLNG or none, , REG_SZ
REG58=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\Gateway, gateway.domain.ext, , REG_SZ
REG59=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\In, false, , REG_SZ
REG60=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\Out, false, , REG_SZ
REG61=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\rc, 0 or 1, , REG_SZ
REG62=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\Scan, 0 1 2 or 3, , REG_SZ
REG63=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\interval, 3, , REG_SZ
REG64=HKEY_LOCAL_MACHINE, SOFTWARE\LANDesk\GatewayAssistant\count, 1, , REG_SZ
FILE10001=ldgatewayassistant.msi, %PROGRAMFILES%\LANDesk\LDClient\ldgatewayassistant.msi
EXEC10002=C:\Windows\System32\msiexec.exe, /qn /i "%PROGRAMFILES%\LANDesk\LDClient\ldgatewayassistant.msi", INSTALLONLY
- Save changes.
- Right click and select “Create self-contained client installation package” – this will contain the LDGatewayAssistant and install it automatically with the rest of the agent.
- Note: With this method I do not have the service start on its own until the next reboot, in order to prevent it from disrupting the completion of the rest of the agent installation.
2. Custom Vulnerability
- Create a new custom vulnerability. Fill in the below information:
- Set the description tab to the following (or something else fitting):
“LANDesk Client Extension that resolves connectivity issues between clients that are out-of-band and the LANDesk gateway.
This extension enforces direct mode when in-band and gateway mode when out-of-band, based on scanning the web structure of the core server. It replaces the built-in DNS-based detection method that the clients currently use.
*Note: The LANDesk DNS-based detection relies on unlisted DNS entries to work correctly. Many ISPs do not allow for unlisted DNS entries (their resolvers answer with a landing page instead of “host not found”). When a client is on such an ISP it will fail to connect to the gateway.”
- Select Add for a new Detection Rule from the General tab.
Name it "Windows x86".
Windows x86 Rule Info:
- Detection Logic - Affected Platforms:
- Windows XP, Windows Vista, Windows 7, Windows 8
- Detection Logic - Files:
- C:\Program Files\LANDesk\LDGatewayAssistant\LDGatewayAssistant.exe Must exist
- Patch Information:
- This issue can be repaired without downloading a patch
- Requires reboot: No
- Silent Install: Yes
- Patch Information – Detecting the Patch – Files:
- C:\Program Files\LANDesk\LDGatewayAssistant\LDGatewayAssistant.exe Must exist
- Patch Information – Patch Installation & Removal – Additional Files:
- Include the ldgatewayassistant.msi file from wherever you have it hosted.
- Be sure to generate the hash of the file.
- Patch Information – Patch Installation & Removal – Patch Install Commands:
*Note: change PATHTOFILE to the actual location of the file after download.
- Select Add -> Execute a program
- PATH: %windir%\system32\msiexec.exe
- ARGS: /qn /i "C:\Program Files\LANDesk\LDClient\sdmcache\PATHTOFILE\LDGatewayAssistant\ldgatewayassistant.msi"
- TIMEOUT: %DEFAULTTIMEOUT%
- WAIT: true
- Select Add -> Write a value to the registry
- Key: HKLM\SOFTWARE\LANDesk\GatewayAssistant
- Value name: Address
- Data type: String
- Value data: IP Address of gateway goes here
- Select Add -> Write a value to the registry
- Key: HKLM\SOFTWARE\LANDesk\GatewayAssistant
- Value name: Gateway
- Data type: String
- Value data: gateway.domain.ext
- Select Add -> Write a value to the registry
- Key: HKLM\SOFTWARE\LANDesk\GatewayAssistant
- Value name: rc
- Data type: String
- Value data: 0 or 1
- Select Add -> Write a value to the registry
- Key: HKLM\SOFTWARE\LANDesk\GatewayAssistant
- Value name: code
- Data type: String
- Value data: HashFromLNGfile or type “none”
- Select Add -> Write a value to the registry
- Key: HKLM\SOFTWARE\LANDesk\GatewayAssistant
- Value name: Scan
- Data type: String
- Value data: 0, 1, 2, or 3
- Select Add -> Write a value to the registry
- Key: HKLM\SOFTWARE\LANDesk\GatewayAssistant
- Value name: interval
- Data type: String
- Value data: 3
- Select Add -> Write a value to the registry
- Key: HKLM\SOFTWARE\LANDesk\GatewayAssistant
- Value name: count
- Data type: String
- Value data: 1
- Select Add -> Start a Windows service
- service name: ldgatewayassistant
- Select OK to save.
- Select Add for a new Detection Rule from the General tab again.
Name it "Windows x64".
Windows x64 Rule Info:
- Detection Logic - Affected Platforms:
- Windows XP x64, Windows Vista x64, Windows 7 x64, Windows 8 x64
- Detection Logic - Files:
- C:\Program Files (x86)\LANDesk\LDGatewayAssistant\LDGatewayAssistant.exe Must exist
- Patch Information:
- This issue can be repaired without downloading a patch
- Requires reboot: No
- Silent Install: Yes
- Patch Information – Detecting the Patch – Files:
- C:\Program Files (x86)\LANDesk\LDGatewayAssistant\LDGatewayAssistant.exe Must exist
- Patch Information – Patch Installation & Removal – Additional Files:
- Include the ldgatewayassistant.msi file from wherever you have it hosted.
- Be sure to generate the hash of the file.
- Patch Information – Patch Installation & Removal – Patch Install Commands:
- Select Add -> Execute a program
- PATH: %windir%\system32\msiexec.exe
- ARGS: /qn /i "C:\Program Files (x86)\LANDesk\LDClient\sdmcache\PATHTOFILE\LDGatewayAssistant\ldgatewayassistant.msi"
- TIMEOUT: %DEFAULTTIMEOUT%
- WAIT: true
- Select Add -> Write a value to the registry
- Key: HKLM\SOFTWARE\Wow6432Node\LANDesk\GatewayAssistant
- Value name: Address
- Data type: String
- Value data: IP Address of gateway goes here
- Select Add -> Write a value to the registry
- Key: HKLM\SOFTWARE\Wow6432Node\LANDesk\GatewayAssistant
- Value name: Gateway
- Data type: String
- Value data: gateway.domain.ext
- Select Add -> Write a value to the registry
- Key: HKLM\SOFTWARE\Wow6432Node\LANDesk\GatewayAssistant
- Value name: rc
- Data type: String
- Value data: 0 or 1
- Select Add -> Write a value to the registry
- Key: HKLM\SOFTWARE\Wow6432Node\LANDesk\GatewayAssistant
- Value name: code
- Data type: String
- Value data: HashFromLNGfile or type “none”
- Select Add -> Write a value to the registry
- Key: HKLM\SOFTWARE\Wow6432Node\LANDesk\GatewayAssistant
- Value name: Scan
- Data type: String
- Value data: 0, 1, 2, or 3
- Select Add -> Write a value to the registry
- Key: HKLM\SOFTWARE\Wow6432Node\LANDesk\GatewayAssistant
- Value name: interval
- Data type: String
- Value data: 3
- Select Add -> Write a value to the registry
- Key: HKLM\SOFTWARE\Wow6432Node\LANDesk\GatewayAssistant
- Value name: count
- Data type: String
- Value data: 1
- Select Add -> Start a Windows service
- service name: ldgatewayassistant
- Select OK to save.
- The custom vulnerability is completed. Be sure to test deploy this before putting it into a production environment.
3. Group Policy
- You may deploy the .msi file via GPO.
- Then set the registry settings (attached to this document) for the application in the same GPO. It is advisable to write the registry values to both the x86 location (HKLM\SOFTWARE\LANDesk\GatewayAssistant) and the x64 location (HKLM\SOFTWARE\Wow6432Node\LANDesk\GatewayAssistant) so that no client misses the configuration. You can then vary the client settings per OU.
Configuration Options:
Registry Settings:
Address = IP address of the CSA/gateway
code = brokerconfig.lng contents, or “none” (see http://community.landesk.com/support/docs/DOC-1888 for more assistance; only use the .lng for its contents, it is not actually bundled into the agent.)
Gateway = hostname.domain.ext of the CSA/gateway
In = whether the client was last “in-band” (true/false). Default is false
Out = whether the client was last “out-of-band” (true/false). Default is false
rc = 0 or 1
0 = Off. Do not make any changes to the client.
1 = When the device is out-of-band, LDGatewayAssistant turns off the “permission required” setting on the agent so that you can remotely access the computer without the user having to accept the remote control session, and it also disables the remote control identifiers (the indicators shown to the user during a session). It turns permission required and the identifiers back on when the client is back in-band. This is useful for kicking off policy-based tasks immediately through the CSA/gateway, but be aware of the security drawback: while the device is out-of-band, anyone holding remote control rights through the CSA/gateway can take control of it silently, without the user's knowledge or consent. Enable this only if that is acceptable in your environment and the set of accounts with remote control rights is tightly controlled.
Scan = 0, 1, 2, or 3
0 = Off. Do not run any scans.
1 = Sends miniscan updates to the core (does not update the core when out-of-band)
2 = Sends full inventory scans to the core (works through the gateway and in-band)
3 = Sends miniscan updates to the core when in-band, sends full inventory scans when out-of-band
*Note: If the client requires brokering then a full scan will be forced.
logging = 0 or 1
0 = Off
1 = Enables basic logging. Currently this only turns on display of the server responses from the check of whether the client is properly talking to the core. These are written to the Application log.
interval = 1 or higher (new in version 1.0.1.1)
1 = 15 minutes
2 = 30 minutes
3 = 45 minutes (recommended)
4 = 1 hour
(and so on, in 15-minute steps)
count = 1 (new in version 1.0.1.1)
# = the current position within the interval. The service increments it every 15 minutes; when it reaches the value of interval, the service runs one check cycle and resets count to 1.
Example: If interval is set to 3 and count is set to 1, count becomes 2 after 15 minutes and 3 after 30 minutes; at 45 minutes the service executes the check and resets count to 1.
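The following PowerShell script is an added example, not part of this document or of LDGatewayAssistant. It covers the same ground as customizing the attached .reg file in the Basic Installation and the registry settings in the Group Policy option: it validates the values against the ranges documented above and writes them, as REG_SZ, to the registry view the 32-bit service reads on the current machine. The gateway address, gateway name and code value are placeholders to replace with your own.

```powershell
# Added example (not part of this document or of LDGatewayAssistant). It writes
# the documented configuration values (all REG_SZ, including the numeric ones)
# after validating the ranges listed above, and targets the registry view the
# 32-bit service reads: HKLM\SOFTWARE\LANDesk\GatewayAssistant on 32-bit Windows
# and HKLM\SOFTWARE\Wow6432Node\LANDesk\GatewayAssistant on 64-bit Windows.
# Address, Gateway and code below are placeholders; replace them with your own.

function Get-GatewayAssistantKeyPath {
    # 64-bit PowerShell must name the Wow6432Node view explicitly; a 32-bit
    # PowerShell on 64-bit Windows is redirected there by WOW64 automatically.
    if ([IntPtr]::Size -eq 8) { 'HKLM:\SOFTWARE\Wow6432Node\LANDesk\GatewayAssistant' }
    else                       { 'HKLM:\SOFTWARE\LANDesk\GatewayAssistant' }
}

function Test-GatewayAssistantConfig {
    # Returns a list of problems; an empty list means the configuration is acceptable.
    param([hashtable]$Config)
    $problems = @()
    if (-not $Config['Address'])  { $problems += 'Address (CSA/gateway IP address) is required' }
    if (-not $Config['Gateway'])  { $problems += 'Gateway (CSA/gateway hostname.domain.ext) is required' }
    if (-not $Config['code'])     { $problems += 'code must be the brokerconfig.lng hash or "none"' }
    foreach ($flag in 'In', 'Out') {
        if ("$($Config[$flag])" -notmatch '^(true|false)$') { $problems += "$flag must be true or false" }
    }
    if ("$($Config['rc'])"      -notmatch '^[01]$')  { $problems += 'rc must be 0 or 1' }
    if ("$($Config['Scan'])"    -notmatch '^[0-3]$') { $problems += 'Scan must be 0, 1, 2 or 3' }
    if ("$($Config['logging'])" -notmatch '^[01]$')  { $problems += 'logging must be 0 or 1' }
    $intervalOk = "$($Config['interval'])" -match '^[1-9][0-9]*$'
    if (-not $intervalOk) { $problems += 'interval must be a positive integer (multiples of 15 minutes)' }
    elseif ("$($Config['count'])" -notmatch '^[1-9][0-9]*$' -or [int]$Config['count'] -gt [int]$Config['interval']) {
        $problems += 'count must be between 1 and interval'
    }
    return ,$problems
}

function Set-GatewayAssistantConfig {
    param([hashtable]$Config, [string]$KeyPath = (Get-GatewayAssistantKeyPath))
    $problems = Test-GatewayAssistantConfig -Config $Config
    if ($problems.Count -gt 0) {
        throw ("Refusing to write LDGatewayAssistant configuration:`n  " + ($problems -join "`n  "))
    }
    if ("$($Config['rc'])" -eq '1') {
        Write-Warning 'rc=1: remote control permission prompts are disabled while out-of-band.'
    }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($name in $Config.Keys) {
        # every documented value is a string, so force REG_SZ even for the numbers
        Set-ItemProperty -Path $KeyPath -Name $name -Value ([string]$Config[$name]) -Type String
    }
    Get-ItemProperty -Path $KeyPath | Select-Object Address, Gateway, code, In, Out, rc, Scan, logging, interval, count
}

$config = @{
    Address  = '203.0.113.10'        # placeholder: CSA/gateway IP address
    Gateway  = 'gateway.domain.ext'  # placeholder: CSA/gateway FQDN
    code     = 'none'                # or the hash taken from brokerconfig.lng
    In       = 'false'
    Out      = 'false'
    rc       = '0'                   # leave remote control permission prompts alone
    Scan     = '3'                   # miniscan in-band, full scan out-of-band
    logging  = '0'
    interval = '3'                   # 3 x 15 min = 45 min, the recommended setting
    count    = '1'
}
Set-GatewayAssistantConfig -Config $config
```

Run it elevated on the client (or from a startup script) before starting the ldgatewayassistant service. Because the script refuses to write an out-of-range value and warns when rc is 1, it catches the two mistakes that are hardest to see afterwards: a value the service silently ignores, and a relaxed remote control setting that nobody meant to ship.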
Uninstall:
Version 1.0.0.0: *Installers were removed from this doc*
To uninstall the LDGatewayAssistant you must do it from whichever account you installed it with. If you used the advanced options above, this is most likely the System account.
From the command line execute:
msiexec.exe /x {828e90ea-7672-4453-973c-1b3472f395be}
Version 1.0.1.1 *NEW - find attached below*
This version can be uninstalled by any administrative user. Bug fixes were added to handle installing over the old version (1.0.0.0) and to handle reinstalls better.
From the command line execute:
msiexec.exe /x {3194c7c0-49b2-4d00-b0fe-94abeaaf0bdc}
New Features:
- Can now configure the time between in-band / out-of-band checks in intervals of 15 minutes. This is to reduce load on core servers web services from the connections. (v1.0.1.1)
Bug fixes:
- When using Windows NT security (securitytype 3), the reinstall of issuser hangs due to a pop-up notice about adding users to the local group. The prompt has been suppressed. (v1.0.1.1)
- When trying to uninstall from any account other than the one that installed ldgatewayassistant, the uninstall fails. Permission has been extended to all administrative users. (v1.0.1.1)
- When doing an upgrade, a “service already exists” alert would occur. The prompt has been suppressed; a restart is required in these situations, and the installer will prompt for it. (v1.0.1.1)
DISCLAIMER
THIS SOFTWARE IS NOT A PRODUCT OF LANDESK. THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES, OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT, OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.