How to Manually Request a Broker Certificate with BrokerConfig.exe

Version 17

    Verified Product Versions

    Endpoint Manager 9.5Endpoint Manager 9.6Endpoint Manager 2016.x


    Leveraging the LANDESK Cloud Services Appliance (CSA) is critical for many LANDESK Management Suite administrators. The CSA, once configured properly allows clients on laptops or workstations located off the core servers network, to securely relay vital information from the LDMS client to the core server. This can help administrators keep track of their devices and their location, ensure they are being patched, remotely controlled, and much more.


    Once the CSA has been configured properly (For help with this: Quick Gateway (Cloud Service Appliance) Configuration), in order to allow for the client to communicate with the core through the CSA, the broker certificate has to be distributed to the client machines. This document provides step-by-step directions on how to manually request and pull down the broker certificate on to a client machine so that this device can communicate with the core through the CSA.


    What is BrokerConfig.exe?

    Windows Client installations include the brokerconfig.exe file. This executable is used to request and obtain the broker certificate from the CSA to client machines. This file can also be helpful in troubleshooting issues with the CSA. This file is located by default in the following location on the client:

    C:\Program Files (x86)\LANDesk\LDClient





    Detailed Instructions

    Run BrokerConfig.exe as Admin


    First, we'll need to open up the BrokerConfig.exe as an administrator (to avoid potential issues involving rights). To do so:

    1. Log in to the client machine as a local administrator
    2. -Go to C:\Program Files (x86)\LANDesk\LDClient
    3. Right-click on BrokerConfig.exe and "Run as administrator"
    4. You should see the above interface- before requesting the certificate, we will need to configure brokerconfig.exe to point to the right CSA device.


    Configure CSA Information

    1. Click the "CSA Information" tab at the top
    2. Fill in the fields with the proper CSA name/IP address

      Use the same information configured on the core in Configure > Manage Cloud Services Appliance, select the CSA and click Edit. The example below shows what this should look like:
      (Optional) If you would like to use multiple CSA devices- enter each CSA name with a comma following to separate.
      (Optional) If using multiple CSAs and you would like to specify the CSA Failover Policy, either select "Use Ordered List" to inherit the ordered list from the agent configuration, or select "Use random" to use a random CSA device to communicate.
      (Optional) If you use a proxy and would like to override the proxy settings in Internet Explorer, update the proxy settings in the field below.
      By default the broker request should be set to "Dynamically determine connection route". This is the recommended setting for clients. The other settings are mainly for testing purposes or unique environments.

    3. Click Update to finalize changes. This will save the configuration for all future broker requests unless specified otherwise.

    Specify Credentials

    1. Select the "Certificate Request" task
      (For on-network clients) No credentials are needed.
    2. (For off-network clients) Enter account credentials.
      The LANDESK user account needs to be a member of the LANDESK Management Suite group but does not need to have a scope or any rights.


    Test Connection

    After completing the previous steps- using the test feature can help verify the connection/credentials are correct.


    Test connectivity by clicking the "Test" button.


    A successful result should show a success at the top of the window, and should look like the following example:

    test connection.PNG

    If instead a "failure" status is returned, it may indicate a network error or a misconfiguration of the CSA or the brokerconfig settings.


    Request the Broker Certificate

    Once the brokerconfig.exe has been properly configured and a test completed to verify the connection, you are ready to request the broker certificate. To do so:


    Click the Send button at the left-center of the interface.

    After clicking this, you may need to wait for a few seconds for the certificate request to be posted to the CSA/core, processed and the certificate to be pulled down to the client.

    Once this process has completed successfully, you will receive the following pop-up notification:


    You will now note, after re-opening brokerconfig.exe that the interface says "The client certificate is already present."


    This indicates that the broker request was successful. Your client should now be fully able to communicate with the CSA.


    Troubleshooting Resources

    If any issues are encountered in requesting this certificate, please see the following article:

    Unable to obtain a broker certificate with BrokerConfig.exe (IIS Troubleshooting)

    How to troubleshoot the Cloud Services Appliance ( CSA ) / Management Gateway

    Troubleshooting brokerconfig.exe "Send Request" and "Test" failures from client connecting through CSA


    Related Articles

    How to Configure a Gateway (Cloud Service Appliance) - Quick Guide