How To: Change the Public IP Address of the Cloud Services Appliance Updating the Remote Managed Devices Automatically

Version 12

    Verified Product Versions

    LANDESK Management Suite 9.5
    LANDESK Management Suite 9.6
    LANDESK Management Suite 2016.x

    Environment

     

    LANDESK Management Suite 9.5 SP1 and later
    Cloud Service Appliance 4.x

     

    Scenario

     

    You need to change the public IP address used by the remote managed devices, and you want to update their configuration without redeploying the agent or having them connect to the corporate network.

     

    Rationale

     

    There are several ways to reconfigure your clients so that they connect to a new Cloud Services Appliance or to its new public IP address: redeploying the LANDESK Agent; connecting your managed nodes to the corporate network so that they get the updated agent settings; configuring your firewall to redirect the traffic of two public IP addresses to the interface of the appliance; or setting up a second CSA with the new public IP address and updating the connectivity settings of the clients so that they switch from one CSA to the other.


    This article lets you update your clients when none of the above options are available. If you have only one appliance, and you have to shut down the former IP address and activate the new one sequentially, you can reconfigure your remote clients in the simplest possible way, without redeploying the LANDESK Agent or its settings and without having the remote clients connect to the corporate network to communicate with the Core directly.

    The idea is to update the remote managed nodes with the new public IP address PRIOR to changing it on the appliance, temporarily losing connectivity with them; wait for all of them to run a Security Scan so they can update their connectivity settings; and then change the IP address of the Cloud Services Appliance, so that the managed devices regain connectivity with it and with the Core Server.

     

    The IP address of the appliance is included in the LANDESK Agent connectivity settings, which are updated automatically on managed devices that are able to communicate with the core while running a Security Scan.

     

    Solution

     

    1) Update the Cloud Services Appliance configuration on the Core

     

    update_csa_public_ip_address.png

    2) Update the .0 file, replacing the CSA's old IP address with the new one.

     

    This is achievable in several ways, for example by scheduling a PowerShell script via policy.

    Here is a script sample, where the fields <old ip>, <new ip> and <certname> must be replaced with the relevant data:

     

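    # Replace <old ip>, <new ip> and <certname> with the relevant data before running.
    # [regex]::Escape makes -replace match the old IP literally (an unescaped "." matches any character).
    (Get-Content "$env:LDMS_LOCAL_DIR\..\..\Shared Files\cbaroot\certs\<certname>.0") | ForEach-Object { $_ -replace [regex]::Escape("<old ip>"), "<new ip>" } | Set-Content "$env:LDMS_LOCAL_DIR\..\..\Shared Files\cbaroot\certs\<certname>.new"

    # Swap the rewritten copy in for the original .0 file.
    Remove-Item "$env:LDMS_LOCAL_DIR\..\..\Shared Files\cbaroot\certs\<certname>.0"

    Rename-Item "$env:LDMS_LOCAL_DIR\..\..\Shared Files\cbaroot\certs\<certname>.new" "<certname>.0"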

        


    3) Open, verify and save all the Connectivity settings used by the remote managed devices. This will update the related XML file in the %LDMS_HOME%\ldlogon\AgentBehaviors folder (C:\Program Files\LANDesk\ManagementSuite\ldlogon\AgentBehaviors) with the new appliance's IP.

     

    Note: Update the default ClientConnectivityBehavior.xml. Failure to update this will result in the Brokerconf.xml repeatedly reverting to the old CSA IP.

    There may be several ClientConnectivityBehavior.xml files. Either edit all of them to show the new CSA IP address or verify that you have modified the one that is actually being used as default via LDMS Console > Agent Configuration > Properties > Client connectivity > Configure.

     

    save_connectivity_settings.png

     

    connectivity_settings_xml.png
    For 9.6 and later:

     

    Update client connectivity profile:

     

    Go to Tools > Configuration > Agent settings.
    Locate the client connectivity settings that are in use by your agents.
    Move the CSA to the available section.
    Uncheck the box to enable the CSA, then click Save.
    Reopen the configuration and move the CSA to the selected column, then click Save.
    Validate that the settings were updated by checking the client connectivity xml located here: C:\Program Files\LANDesk\ManagementSuite\ldlogon\AgentBehaviors

     


    4) Wait for your managed devices to run a scheduled security scan. This schedule depends on how their Agent is configured in the Security and compliance scan > Patch and compliance scan section. The scan will update the connectivity settings of the remote clients, so that they point to the new IP address of the CSA and lose connectivity with it.

     

    vulscan_settings.png

     

    As an alternative, you can manually run the following command on the devices, or include it in a software package distributed via policy and downloadable via HTTP (software packages configured via UNC don't work via the appliance).

    "%LDMS_LOCAL_DIR%\..\vulscan.exe" /changesettings (silent mode)

    "%LDMS_LOCAL_DIR%\..\vulscan.exe" /changesettings /showui (showing the user interface)

     

    vulscan_updates_connectivity_settings.png

     

    This will make the client lose connectivity to the former public IP address and point to the new IP address. Connectivity will be re-established once the new public IP address of the CSA is configured.

     

    5) Change the public IP address of the Cloud Services Appliance

     

    Client verifications

     

    To verify that a client has received the updates, check that the relevant files include the new IP address of the Cloud Services Appliance:

     

    %LDMS_LOCAL_DIR%\..\..\Shared Files\cbaroot\broker\broker.conf.xml

    %LDMS_LOCAL_DIR%\..\..\Shared Files\cbaroot\certs\*.0

     

    broker.conf.xml_updated.png
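
    A read-only way to run this check on a client, as an added example that is not part of the original article: it reports, for broker.conf.xml and each .0 file, whether the old or the new address is present. The function name, the status labels and the two sample IP addresses are assumptions made for illustration.

```powershell
# Added example: read-only check of the two client locations named above.
# Assumes LDMS_LOCAL_DIR is set on the client, as in the article's own commands.
function Test-CsaAddressUpdate {
    param(
        [Parameter(Mandatory)] [string] $OldIp,
        [Parameter(Mandatory)] [string] $NewIp,
        [string] $SharedRoot = (Join-Path $env:LDMS_LOCAL_DIR '..\..\Shared Files\cbaroot')
    )

    $targets = @(
        (Join-Path $SharedRoot 'broker\broker.conf.xml'),
        (Join-Path $SharedRoot 'certs\*.0')
    )
    $files = @(Get-ChildItem -Path $targets -File -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) {
        throw "No broker.conf.xml or .0 files found under $SharedRoot"
    }

    # Escape the dots and forbid adjacent digits, so that 203.0.113.1
    # is not reported as present when the file holds 203.0.113.10.
    $oldRx = '(?<!\d)' + [regex]::Escape($OldIp) + '(?!\d)'
    $newRx = '(?<!\d)' + [regex]::Escape($NewIp) + '(?!\d)'

    foreach ($file in $files) {
        $hasOld = [bool](Select-String -LiteralPath $file.FullName -Pattern $oldRx -Quiet)
        $hasNew = [bool](Select-String -LiteralPath $file.FullName -Pattern $newRx -Quiet)

        $status = if ($hasNew -and -not $hasOld) { 'Updated' }
                  elseif ($hasNew -and $hasOld)  { 'Mixed' }
                  elseif ($hasOld)               { 'Stale' }
                  else                           { 'NoCsaAddressFound' }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            File     = $file.FullName
            HasOldIp = $hasOld
            HasNewIp = $hasNew
            Status   = $status
        }
    }
}

# Constructed sample addresses (documentation ranges); substitute your own.
Test-CsaAddressUpdate -OldIp '198.51.100.10' -NewIp '203.0.113.10' |
    Format-Table -AutoSize
```

    A client is ready for the IP change in step 5 only when every listed file reports Updated; a Stale or Mixed row means the device still references the former address.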

     

    If it's too late

     

    If the IP address of the Cloud Services Appliance has already changed and you haven't had the chance to update your clients using the previous IP address, you have lost communication with the managed devices outside the CSA.

     

    Some things you can do are:

     

    • Create a PowerShell script that updates both the .0 file and the broker.conf.xml file
    • Upload the script to the CSA using the Software Package Upload section of the appliance, and instruct your users on how to download and execute the script

     

    package_upload.png

     

    • Have your remote clients connect to the corporate network so they can run a Security Scan while directly connected to the core

     

    Other resources

     

    An alternative method to silently update the .0 file on the remote devices:

    How To: Silently Update the Management Gateway IP Address in the .0 File

     

    The logic used by a managed device to connect to the Cloud Services Appliance is explained in the following article:

    How to change the IP address on an established Management Gateway