Unattended configuration of client for the Cloud Services Appliance

Version 37

    Verified Product Versions

    LANDESK Management Suite 9.5
    LANDESK Management Suite 9.6

    Purpose

    LANDESK administrators are always seeking better methods of managing their devices. Devices that are off network can communicate through the Cloud Services Appliance (CSA) to send their inventory results, patch data, etc. to the core. For this communication to succeed, the client must be able to obtain the broker certificate from the CSA. This document outlines one method of distributing these broker certificates to clients outside the network: automatically configuring a client for the Cloud Services Appliance without having to manually enter username and password information.

     

    Details

    Configurebroker.exe creates an LNG file which can then be used to automatically authenticate through the Cloud Services Appliance. There are two methods of using this LNG file which are documented below.

     

    Resolution

    Configurebroker.exe (attached to the bottom of this article)

     

    IMPORTANT: It’s strongly recommended to follow all of the steps listed below.  Before implementing the ConfigureBroker.exe, it is recommended to make sure manual retrieval of the certificates using Brokerconfig.exe both internally and externally works.  Configurebroker.exe is NOT a secure method of configuring devices for the Cloud Services Appliance.

    NOTE:

    It is not necessary to add brokerconfig.exe /r to the configuration. If the agent is installed on network the .lng file will not be used. Once the computer goes out-of-band and attempts an inventory scan or vulscan, the .lng file will be consumed to obtain the certificate.

     

    Using ConfigureBroker.exe

     

    Creating the .lng file

     

    Create a local user account on the core server called configure.broker. (Do not use a domain account)

     

    Add the user account to the local LANDesk Management Suite Group on the core.

     

    The user now needs to be added to LANDESK. In LANDESK Management Suite, select Administration from the Toolbox, then select User Management. Click the black arrow next to the green plus sign and select "New user or group" from the options. In the new pop-up window, find your new user in the list on the left. Click it once and then click the "Add" button in the right-hand window.

     

    In the LANDesk Console, remove all LANDesk rights from the user.

     

    Remove all Scopes from the configure.broker user.

     

    The user should show the Default No Machines Scope and have no rights present.

     

    NOTE: Only use this user for the ConfigureBroker.exe utility.

     

    Copy ConfigureBroker.exe (attached to the bottom of this article) to the LANDesk Core Server's ManagementSuite folder.  This folder is shared by default with the share name of LDMain.

     

    Run "ConfigureBroker.exe" and enter the username and password of the configure.broker user that was just created and that is a member of the LANDesk Management Suite user group.

     

    (Do not use a domain account)

     

    Click Save.

     

    The ConfigureBroker.exe creates a folder in the LDMain share/ManagementSuite folder called "noshareLDLogon".

     

    Inside this folder a file is created called "BrokerConfig.lng".

     

    Copy the "BrokerConfig.lng" file to the root of the LDLogon share on the core server.  The LDLogon folder is under the ManagementSuite folder.

     

    NOTE: If using ConfigureBroker.exe, it is highly recommended that "logon" rights for local users be removed from the local security policy.  This will block non-domain users from logging into the LANDesk application.

     

    Including the .lng file in the LANDesk Agent

     

    The following steps will update the default LANDesk Agent Configuration so that all agents will include the .lng file, and automatically retrieve the Gateway Certificate on Agent install.

     

    Browse to the \ManagementSuite\ldlogon folder on the LANDesk Core Server.

     

    Open the ntstacfg.in# file with notepad.  Search for the [Common Base Agent Post Copy] section.

     

    Right before the [Begin of Remote Control component] section paste the following:

     

    FILE10001=BrokerConfig.lng, %ldms_local_dir%\..\..\Shared Files\cbaroot\broker\BrokerConfig.lng

     

     

    After saving the changes, go to Configure | Services | Inventory and restart the Inventory Service.

     

    After the service restarts, the existing agents must be rebuilt to include the new changes.

    In the LANDesk Console, go to Tools | Configuration | Agent Configuration.  Click the Rebuild All button.

     

    To verify that the agents received the change, right-click on an agent and choose Advanced Edit.

     

    The Agent Configuration.ini file will open for that Agent.

     

    Look under the [Common Base Agent Post Copy] section for the two lines that were added.

     

    Create a self-extracting executable for the configuration by right-clicking on the configuration in the console and choosing Create self-contained client installation package.

     

    Choose the location for the self-contained EXE files, and click Save.

     

     

    NOTE:  After creating the self-contained Agent Installer, it is highly recommended to remove the BrokerConfig.lng file from the LDLogon share and remove/comment out the lines from the IN# file.

     

    Install the self-extracting executable on the remote machine. If the machine is connected to the internet, then a cert will be created on the client during install.

     

    If the machine was not connected to the internet when the agent was installed, the inventory scanner will automatically run brokerconfig.exe -r the next time it runs and realizes it doesn't have a cert.

     

    After the client is configured for the Gateway, the BrokerConfig.lng file is deleted.
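
    The NOTE earlier in this section recommends removing BrokerConfig.lng from the LDLogon share and removing or commenting out the added line in the IN# file once the installer has been built. The PowerShell audit below checks both conditions. It is an added example, not part of the original article or of LANDESK's tooling; the function name Test-BrokerLngCleanup, the temporary demo folder, and the assumption that a leading ';' marks a commented-out line in ntstacfg.in# are not from the article.

```powershell
# Added example: audit an LDLogon folder for leftover unattended-broker material.
# Assumption: a line starting with ';' in ntstacfg.in# is a comment (INI convention).
function Test-BrokerLngCleanup {
    param(
        # Path to the core server's \ManagementSuite\ldlogon folder
        [Parameter(Mandatory)] [string] $LdLogonPath
    )
    $findings = @()

    # 1. The credential-bearing .lng file must not remain in the share root.
    $lng = Join-Path $LdLogonPath 'BrokerConfig.lng'
    if (Test-Path -LiteralPath $lng) {
        $findings += [pscustomobject]@{
            Item  = $lng
            Issue = 'BrokerConfig.lng still present in LDLogon'
        }
    }

    # 2. No active (uncommented) template line may still ship the file to agents.
    $template = Join-Path $LdLogonPath 'ntstacfg.in#'
    if (Test-Path -LiteralPath $template) {
        $n = 0
        foreach ($line in Get-Content -LiteralPath $template) {
            $n++
            $t = $line.Trim()
            if ($t -and -not $t.StartsWith(';') -and $t -match 'BrokerConfig\.lng') {
                $findings += [pscustomobject]@{
                    Item  = "${template}:$n"
                    Issue = "Active template line: $t"
                }
            }
        }
    }
    return $findings
}

# Constructed sample: a temp folder standing in for LDLogon, with both items left behind.
$demo = Join-Path ([IO.Path]::GetTempPath()) ("ldlogon-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'BrokerConfig.lng') -Value 'constructed placeholder'
Set-Content -LiteralPath (Join-Path $demo 'ntstacfg.in#') -Value @(
    '[Common Base Agent Post Copy]',
    'FILE10001=BrokerConfig.lng, %ldms_local_dir%\..\..\Shared Files\cbaroot\broker\BrokerConfig.lng',
    '[Begin of Remote Control component]'
)
Test-BrokerLngCleanup -LdLogonPath $demo | Format-List   # reports two findings
Remove-Item -LiteralPath $demo -Recurse -Force
```

    Run against the real LDLogon path on the core, an empty result means neither the file nor an active template line was found.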

     

    Manually using the .lng file

     

    Run through the steps to create the .lng file.  Manually copy the .lng file to the C:\Program Files\LANDesk\Shared Files\cbaroot\broker folder on an existing client. When the inventory scan executes on the client it will consume the .lng file and the broker certificates will be retrieved.

     

     

     

     

    Macintosh Update: With the release of LANDesk 9, Macintosh clients can now connect through the Cloud Services Appliance. However, the process described in this document is currently not working. An enhancement request has been submitted to add the functionality in the future. Some other design changes may make this possible as well.