4.2.7 Prerequisites for agentless management
When using agentless management, setup must be completed on both the management server and the user's computer to collect device information. The range of information that can be acquired depends on the authentication method. A limited range of information may result in unknown security states and missing data in reports, causing risks to system operation. Select the best authentication method for your security needs.
Setup to collect most of the available device information is easy if you are using Active Directory to manage the computers in your organization. If you are thinking of using agentless management, first make sure that your computers are managed in Active Directory.
- Important note

  Agentless management is not supported in a NAT environment.

- Important note

  Do not delete the discovery range or authentication information for any agentless managed device discovered in a network search. Likewise, do not delete the Active Directory setting for any agentless managed device discovered by an Active Directory search. Deleting this setting information prevents device information from being collected. If you mistakenly delete the discovery range, authentication information, or Active Directory setting, add them and then re-execute the network search or Active Directory search to discover the devices.

- Important note

  In a DHCP environment, if a device's IP address changes, moving outside the discovery range, no information will be collected about that device.
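
The DHCP case in the last note fails silently, so it is worth checking for. The following is an added example, not part of the product or its documentation: it compares a current DHCP lease export against the configured discovery ranges and lists devices whose address now lies outside every range. The `start-end` range notation, the device names, and the lease export are assumptions made for illustration.

```python
import ipaddress

def parse_range(text):
    """Parse an inclusive 'start-end' IPv4 range (assumed notation)."""
    lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-"))
    if lo > hi:
        raise ValueError(f"range start is after range end: {text!r}")
    return lo, hi

def find_out_of_range(discovery_ranges, discovered, current_leases):
    """List devices whose current address lies outside every discovery range.

    discovered:     {device name: address recorded at discovery}
    current_leases: {device name: address in the current DHCP lease export}
    Devices with no lease entry (static address, powered off) are not judged.
    """
    ranges = [parse_range(r) for r in discovery_ranges]
    findings = []
    for name, old_addr in sorted(discovered.items()):
        new_addr = current_leases.get(name)
        if new_addr is None:
            continue
        ip = ipaddress.IPv4Address(new_addr)
        if not any(lo <= ip <= hi for lo, hi in ranges):
            findings.append((name, old_addr, new_addr))
    return findings

# Constructed sample data (documentation address blocks, hypothetical names).
DISCOVERY_RANGES = ["192.0.2.10-192.0.2.99", "198.51.100.1-198.51.100.50"]
DISCOVERED = {
    "PC-001": "192.0.2.15",
    "PC-002": "192.0.2.80",
    "PC-003": "198.51.100.20",
    "PC-004": "192.0.2.40",
}
CURRENT_LEASES = {
    "PC-001": "192.0.2.22",     # renewed, still inside the first range
    "PC-002": "192.0.2.140",    # moved past the end of the first range
    "PC-003": "198.51.100.75",  # moved past the end of the second range
}

if __name__ == "__main__":
    for name, old, new in find_out_of_range(DISCOVERY_RANGES, DISCOVERED, CURRENT_LEASES):
        print(f"{name}: {old} -> {new} is outside every discovery range")
```

Each device it lists is one for which reports will show missing data until the device is back inside a discovery range.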
Security management (collecting most of the available device information)
On the user's computer, the following conditions must all be satisfied:
- Windows Firewall is disabled.#
- Simple file sharing is disabled.
- File and Printer Sharing is enabled.
- Windows Administrative Share (ADMIN$) is enabled.
- Access to the Interprocess Communications share (IPC$) is enabled.

#: With Windows Firewall enabled, the condition is still satisfied if TCP port 445 is open for traffic.
In addition, authentication information that allows you to log on to managed computers via Windows Administrative Share must be configured on the management server for network searches. However, if you are using Windows 7, Windows Vista, or Windows Server 2008, set up the managed computers to allow logon without UAC authentication.
The following table describes the setup required to acquire device information when Windows Administrative Share is enabled:

| OS | Setting |
|---|---|
| Windows 8 | |
| Windows 7 | |
| Windows Vista | |
| Windows XP | |
| Windows Server 2012 | Enable File sharing or File and Printer Sharing in the Network and Sharing Center window. |
| Windows Server 2008 | |
| Windows Server 2003 | Setup unnecessary (enabled by default). |
| Windows 2000 | Add file shares. |
| OS other than Windows | Not supported (cannot be configured for agentless management) |
| Network device | Not supported (cannot be configured for agentless management) |

#: If you are using Windows 8 (no edition), perform this setup by executing the net user command at the command prompt. You cannot enable the Administrator account from the Windows Control Panel.
If these conditions are satisfied, you can acquire most of the available device information. The information collected hardly differs from that collected via agents installed on the managed computers.
Device management (collecting some device information)
- Using Active Directory

  The following conditions must both be satisfied:
  - Windows Firewall is disabled on the user's computer.#
  - Device information can be collected on the management server by searching Active Directory.

  #: With Windows Firewall enabled, the condition is still satisfied if connection is allowed through the port specified in the Active Directory view under General in the Settings module.

- Using SNMP

  The following conditions must be satisfied:
  - SNMP can be used.
  - The community name can be authenticated.

The following table describes the setup required to acquire device information using SNMP:

| OS | Setting |
|---|---|
| Windows 8 | Install an SNMP agent. Set up the SNMP agent. |
| Windows 7 | |
| Windows Vista | |
| Windows XP | |
| Windows Server 2012 | |
| Windows Server 2008 | |
| Windows Server 2003 | |
| Windows 2000 | |
| OS other than Windows | |
| Network device | |

If these conditions are satisfied, you can acquire some device information such as the device type and computer name. Devices can be managed using this method when security management is unnecessary.
Checking device presence on the network
Check for device presence on the network using ICMP.
The following table describes the setup required to acquire device information using ICMP:

| OS | Setting |
|---|---|
| Windows 8 | Allow incoming ICMP echo requests.# |
| Windows 7 | |
| Windows Vista | |
| Windows XP | |
| Windows Server 2012 | |
| Windows Server 2008 | |
| Windows Server 2003 | |
| Windows 2000 | |
| OS other than Windows | |
| Network device | |

#: In Windows XP or later, you must configure the Windows Firewall to allow ICMP traffic or disable Windows Firewall.