4.2.8 Prerequisites for agentless management
When using agentless management, setup must be completed on both the management server and user computer to collect device information. The range of information that can be acquired depends on the authentication method. The range of information that can be acquired depends on the authentication method. A limited range of information may result in unknown security states and missing data in reports, causing risks to system operation. Select the best authentication method for your security needs.
Setup to collect most of the available device information is easy if you are using Active Directory to manage the computers in your organization. If you are thinking of using agentless management, first make sure that your computers are managed in Active Directory.
For differences between the types of device information that can be collected, see 2.6.2 Collecting device information.
- Important
-
Agentless management is not supported in a NAT environment.
- Important
-
Do not delete the discovery range or authentication information for any agentless managed device discovered in a network search. Likewise, do not delete the Active Directory setting for any agentless managed device discovered by an Active Directory search. Deleting this setting information prevents device information from being collected. If you mistakenly delete the discovery range, authentication information, or Active Directory setting, add them and then re-execute the network search or Active Directory search to discover the devices.
- Important
-
In a DHCP environment, if a device's IP address changes, moving outside the discovery range, no information will be collected about that device.
When using Windows administrative shares to perform agentless management
All the following conditions must be satisfied:
-
Windows firewall is disabled on the user's computer#1.
-
Simple file sharing is disabled on the user's computer.
-
File and Printer Sharing is enabled on the user's computer.
-
Windows Administrative Share (ADMIN$) is enabled on the user's computer.
-
Access to the Interprocess Communications share (IPC$) is enabled on the user's computer.
-
The information used for logging in to the target computer by using Windows administrative shares is set on the management server as authentication information for network searches.#2
#1: Even if Windows Firewall is enabled, the condition is still satisfied if TCP (port 445) is open for traffic.
#2: The authentication information for logging in to the target computer by using Windows administrative shares must satisfy either of the following conditions:
-
The built-in Administrator account and password of the user's computer is used.
-
The UAC function is disabled on the user's computer.
How to make Windows administrative shares accessible to a management server varies depending on the OS on the user's computer. The following settings are required to make Windows administrative shares accessible:
|
OS |
Setting |
|---|---|
|
Windows 10 |
|
|
Windows 8.1 |
|
|
Windows 8 |
|
|
Windows 7 |
|
|
Windows Vista |
|
|
Windows XP#2 |
|
|
Windows Server 2019 |
Enable File sharing or File and Printer Sharing in the Network and Sharing Center window. |
|
Windows Server 2016 |
|
|
Windows Server 2012 |
|
|
Windows Server 2008 |
|
|
Windows Server 2003 |
Setup unnecessary (enabled by default). |
|
Windows 2000 |
Add file shares. |
|
Computer other than Windows |
Not supported (cannot be configured). |
|
Network device |
Not supported (cannot be configured). |
#1: If you are using Windows 8.1 or Windows 8 (no edition), perform this setup by executing the net user command at the command prompt. You cannot enable the Administrator account from the Windows Control Panel.
#2: In Windows XP Home Edition (Service Pack 2 and 3), Windows administrative shares cannot be used.
If these conditions are satisfied, you can acquire most of the available device information. The information collected hardly differs from that collected via agents installed on the managed computers.
When using SNMP to perform agentless management
The following conditions must be satisfied:
-
SNMP can be used.
-
The community name can be authenticated.
The following table describes the setup required to acquire device information using SNMP:
|
OS |
Setting |
|---|---|
|
Windows 10 |
|
|
Windows 8.1 |
|
|
Windows 8 |
|
|
Windows 7 |
|
|
Windows Vista |
|
|
Windows XP |
|
|
Windows Server 2019 |
|
|
Windows Server 2016 |
|
|
Windows Server 2012 |
|
|
Windows Server 2008 |
|
|
Windows Server 2003 |
|
|
Windows 2000 |
|
|
Computer other than Windows |
|
|
Network device |
When using Active Directory to perform agentless management
Both the following conditions must be satisfied:
-
Windows firewall is disabled on the user's computer.#
-
Using the Active Directory linkage feature, the management server can acquire device information managed by Active Directory.
#: If Windows firewall is enabled, the condition is still satisfied if connection via a port number specified in Active Directory settings view accessed from General view in the Settings module is open for traffic.
When using ICMP to perform agentless management
ICMP must be available for use.
The following table describes the setup required to acquire device information using ICMP:
|
OS |
Setting |
|---|---|
|
Windows 10 |
Allow incoming ICMP echo requests.# |
|
Windows 8.1 |
|
|
Windows 8 |
|
|
Windows 7 |
|
|
Windows Vista |
|
|
Windows XP |
|
|
Windows Server 2019 |
|
|
Windows Server 2016 |
|
|
Windows Server 2012 |
|
|
Windows Server 2008 |
|
|
Windows Server 2003 |
|
|
Windows 2000 |
|
|
Computer other than Windows |
|
|
Network device |
#: In Windows XP or later, you must configure the Windows Firewall to allow ICMP traffic or disable Windows Firewall.
Related Topics: