How to set up a dark network Core Server (without outside network access)

Version 50

    Verified Product Versions

    Endpoint Manager 2018.x

    How to set up your Dark Network Core: Step by step

     

     

    Description

    This document details the procedure for copying definitions from a "Light Core" (a core that is connected to outside networks) to a "Dark Core" (a core that is not connected to outside networks). This is often done for security purposes or because of a lack of connectivity.

     

     

    Assumptions

     

    • The user has a familiarity with Ivanti Endpoint Manager and associated files and functions
    • The user has 2 servers, one "Light" and one "Dark" (One with Internet connectivity and one without internet connectivity)
    • The user has Ivanti Endpoint Manager installed with default parameters, file and drive locations, etc.
    • The user has activated both the "Light" and the "Dark" Cores.

    Process

     

    Compatibility of Ivanti EPM is being constantly reviewed by our Development team and more updates regarding Dark Core setup will follow.

     

    Step one: Prepare both core servers to have accurate data

     

    To transfer Patch data correctly from the "Light" Core to the "Dark" Core, the database tables related to Patch Manager must be reset.

     

    This can be done on both core servers by doing the following:

     

    1. On each core server, open a command prompt on the server and go to the C:\Program Files\LANDESK\ManagementSuite folder.
    2. Run "CoreDbUtil.exe /patchmanager".
    3. Open the process list in Task Manager (right-click the taskbar and select "Task Manager") and watch for CoreDbUtil.exe to drop from the list to make sure it has finished.

       (The log for CoreDbUtil.exe is located in the main log location at \Program Files\LANDESK\ManagementSuite\Log)

       

      Step two: Prepare the Dark Core folder structure

       

      On the "Dark" Core (without network), you will need a location to store the vulnerability XML files and a location to store the actual patches themselves.
      We recommend using the "\Program files\LANDESK\ManagementSuite\LDLogon\patch" folder structure that is created by default when you install Ivanti EPM.

      (If patches have not previously been downloaded from the "Light" Core to the "Dark" Core, the patch folder may not have been created. On the "Dark" Core it should be created manually.)

      If a different location is desired this article can be used to set up the alternative location.

       

      Step three: Retrieve content on the "Light Core"

       

        1. Within Security and Patch and Compliance open the Download Updates window and select all of the categories you want to download.
        2. In addition, select "Download patches for definitions selected above" and the radio button "for all downloaded definitions", then click "Apply" and then "Close".
        3. From a Command prompt, go to the LANDESK\ManagementSuite folder.
        4. From a Command prompt, type "vaminer /noprompt /copy" and hit enter.  (If scripting this action to run regularly please add the "/noui" switch to the vaminer command line switches)

       

      (Vaminer.exe is the executable that runs to download content from the Ivanti patch content servers).

       

      The first time this is run it will take quite a while as it will not only be downloading vulnerability definitions but also all patches. 

      (Due to this you will need a large amount of storage space on the dark core server). 

      This will download updates and store them in the patch directory.  The default patch directory is \Program Files\LANDESK\ManagementSuite\LDLOGON\patch.

       

      To verify further that this process has completed correctly, check \Program Files\LANDESK\Managementsuite\ldlogon\patch and its subdirectories: you should have .XML files that were generated by the Ivanti Content download to represent your vulnerability definitions. Do not change the folder structure or files.

       

      Step four: Copy PatchSources file to patch directory on Source (Light) Core

       

                Copy *ENU_PatchSourcesXXX.xml from \Program Files\LANDESK\ManagementSuite\LDMAIN to \Program Files\LANDESK\ManagementSuite\LDLOGON\PATCH on the source core.
                This step is necessary because Vaminer.exe expects that file to be in that location.
                This needs to match the version you are running: 9.5 (ENU_PatchSources95.xml), 9.6 (ENU_PatchSource96.xml), 2016.3 (ENU_PatchSources101.xml) and so on.

                Modification of the file is not necessary; it just needs to exist in that location. *(XXX equals the current LDMS version)

       

                     (On LDMS 2017.3 SU3 the file needs to be renamed from ENU_PatchSources1013.xml to ENU_PatchSources10132.xml)

       

      Step five: Prepare the *ENU_PatchSourcesXXX.xml on the Dark Core
      *(XXX equals the current LDMS version)

       

                     In the \Program Files\LANDESK\ManagementSuite\LDMAIN folder there will be several files called *ENU_PatchSourcesXXX.xml. *(XXX equals the current LDMS version)

                     Choose the latest one that matches the version of your core server. To check the version of your Core server, please refer to this article.

       

      For example: On a 2017.3 Core server you will likely see three ENU_PATCHSOURCESXXX files:

          • ENU_PatchSources951.xml
          • ENU_PatchSources961.xml
          • ENU_PatchSources101.xml
          • ENU_PatchSources1013.xml

       

      We would select ENU_PatchSources1013.xml as this corresponds to LDMS 2017.3 and begin editing it.

       

      If your core is not running in the English language, you will want to select the XML file that matches your language prefix (ESP, JPN, etc.).

       

      Modify the Enu_PatchSourcesXXX.xml as modeled below:

      Line #3 in the .XML will contain ‘/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&FILENAME=’.  Replace it with  /ldlogon/Patch (or whatever directory you have defined as your patch storage directory).

      Before:

      <PatchesSrcRelativePath>/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&amp;FILENAME=patches</PatchesSrcRelativePath>
      <LDAVRelativePath>/kvirus-8.0/mirror</LDAVRelativePath>
      <CVEMoreInfo>http://cve.mitre.org/cgi-bin/cvename.cgi?name=%CVE_ID%</CVEMoreInfo>


      After:

      <PatchesSrcRelativePath>/LDLOGON/PATCH</PatchesSrcRelativePath>
      <LDAVRelativePath>/kvirus-8.0/mirror</LDAVRelativePath>
      <CVEMoreInfo>http://cve.mitre.org/cgi-bin/cvename.cgi?name=%CVE_ID%</CVEMoreInfo>

      Next you will need to change the URLs for each Patch Content Server location. These will be listed under the <Sites> tag. Search for <Sites> and you will see 3 sites: West Coast, East Coast, and EMEA.

      Delete two out of three sites, leaving just one site.

      You will change the hostname listed in the <URL> field and then the Description.


      If you are using content that will be manually copied to the core server, put the name of your Dark Core server.  If there will be constant or periodic network connection between your light core and dark core, put the name of your light core here.


      In the following section, you will select the definition download category that you want to download to the dark core and you will edit that entry in the .XML.  We will replace the string that normally points to the Ivanti Patch server with a local path.

       

      The following example is for the vulnerability definition category Windows Vulnerabilities. Again, you will modify the path from the patch server location to a local directory.

      Find the correct section, which contains /LDPM8/ldvul.php?%Credentials%KEYWORD=filename&amp;FILENAME=Windows2, by searching for "Windows2".  Modify the section within the <URL> tags.

       

      The resulting line will be <URL>/LDLOGON/PATCH/Windows2</URL>. 

       

      You also will add the tag <Enabled>true</Enabled>. This is the same as ticking the checkbox next to the vulnerabilities category when bringing up the Download Updates tool.  Without adding the <Enabled> tag you will need to select the categories every time Download Updates is opened.


       

       

      When you rename these sections for each component you wish to download, FILENAME=Windows2 will use the subdirectory name "Windows2" under the Patch directory after you modify it.
      For example, if you wanted to change the source for Ivanti Data Analytics updates, you would search for that category by searching for just that - "LANDESK Data Analytics Updates".

       

      You would then modify the <URL>/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&amp;FILENAME=LDDA</URL> to <URL>/LDLOGON/PATCH/LDDA</URL>.

       

           Before:

           <Source>
               <URL>/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&amp;FILENAME=LDDA</URL>
               <Description>LANDESK Data Analytics Updates</Description>
               <ShowInLDSM>true</ShowInLDSM>
               <ShowInLSM>true</ShowInLSM>
           </Source>

       

           After:

           <Source>
               <URL>/LDLOGON/PATCH/LDDA</URL>
               <Description>LANDESK Data Analytics Updates</Description>
               <ShowInLDSM>true</ShowInLDSM>
               <ShowInLSM>true</ShowInLSM>
               <Enabled>true</Enabled>
           </Source>

       

      Once all of the edits have been made do a "Save as" and save it as "Patchsourcestemp.xml" and mark it as a read-only file.  (Right-click, go to properties and check the box "Read Only")

      After you have marked it as read-only, rename it to "patchsources.xml".  Remember, all of this is taking place in the LDMAIN folder.
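
A quick way to check the edited file before relying on it (an added example, not Ivanti code): the function below confirms that PatchesSrcRelativePath is local, that one site remains under <Sites>, and that every enabled source uses a local URL. The element names are the ones shown in this article; the root element, the <Site> child and the sample values are constructed for illustration.

```powershell
# Added example, not Ivanti code. Source, URL, Description, Enabled, Sites and
# PatchesSrcRelativePath are element names from the article; the rest is constructed.
function Test-DarkCorePatchSources {
    param([Parameter(Mandatory)][xml]$Xml, [string]$LocalPrefix = '/LDLOGON/PATCH')
    $findings = @()
    # local-name() keeps the XPath working whether or not the real file declares a namespace
    $rel = $Xml.SelectSingleNode("//*[local-name()='PatchesSrcRelativePath']")
    if (-not $rel -or $rel.InnerText -notlike "$LocalPrefix*") {
        $findings += 'PatchesSrcRelativePath does not point at the local patch directory'
    }
    $siteCount = $Xml.SelectNodes("//*[local-name()='Sites']/*").Count
    if ($siteCount -ne 1) { $findings += "Expected one entry under <Sites>, found $siteCount" }
    foreach ($src in $Xml.SelectNodes("//*[local-name()='Source']")) {
        $url     = [string]$src.SelectSingleNode("*[local-name()='URL']").InnerText
        $desc    = [string]$src.SelectSingleNode("*[local-name()='Description']").InnerText
        $enabled = [string]$src.SelectSingleNode("*[local-name()='Enabled']").InnerText -eq 'true'
        $local   = $url -like "$LocalPrefix/*"
        # An enabled category that still uses the ldvul.php URL would try to reach the content server
        if ($enabled -and -not $local) { $findings += "Enabled but still remote: $desc ($url)" }
        # A local category without <Enabled> has to be re-selected every time Download Updates opens
        if ($local -and -not $enabled) { $findings += "Local path but not enabled: $desc" }
    }
    $findings
}

# Constructed sample: one correctly edited source, one enabled source left on the remote URL
$sample = @(
    '<PatchSources>'
    '  <PatchesSrcRelativePath>/LDLOGON/PATCH</PatchesSrcRelativePath>'
    '  <Sites><Site><URL>DARKCORE01</URL></Site></Sites>'
    '  <Source><URL>/LDLOGON/PATCH/LDDA</URL><Description>LANDESK Data Analytics Updates</Description><Enabled>true</Enabled></Source>'
    '  <Source><URL>/LDPM8/ldvul.php?%Credentials%KEYWORD=filename&amp;FILENAME=Windows2</URL><Description>Windows Vulnerabilities</Description><Enabled>true</Enabled></Source>'
    '</PatchSources>'
) -join "`n"
Test-DarkCorePatchSources -Xml $sample   # reports the Windows Vulnerabilities source

# Against the real file (default install path):
# Test-DarkCorePatchSources -Xml (Get-Content -Raw 'C:\Program Files\LANDESK\ManagementSuite\LDMAIN\patchsources.xml')
```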

       

      If you are using 2016.5 or newer, you will need to import the LANDESK Secure Token Server certificate from the light core to the dark core:

           1. On the light Core run Certlm.msc to open the Local Computer Certificates store.

           2. Open the Personal Certificates and locate the certificate with the Light Core server name (it also has the Friendly Name LANDESK Secure Token Server).


           3. Export this certificate.

           4. Import this certificate into the Dark Core's Local Computer Certificates store, in the Trusted Root Certification Authorities certificate store.
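
The same four steps can be scripted (an added example, not Ivanti code). It exports only the certificate, without the private key, and checks the thumbprint on the Dark Core before the certificate is added as a trusted root. The function names and the .cer path are this example's own; the friendly name is the one given above.

```powershell
# Added example, not Ivanti code. Function names and the .cer location are hypothetical.
function Export-LightCoreStsCert {           # run on the Light Core
    param([Parameter(Mandatory)][string]$CerPath)
    $cert = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq 'LANDESK Secure Token Server' })
    if ($cert.Count -ne 1) { throw "Expected one matching certificate, found $($cert.Count)" }
    # Export-Certificate writes the certificate only; the private key stays on the Light Core
    Export-Certificate -Cert $cert[0] -FilePath $CerPath -Type CERT | Out-Null
    $cert[0].Thumbprint                       # record this and carry it separately from the file
}

function Import-LightCoreStsCert {            # run on the Dark Core
    param([Parameter(Mandatory)][string]$CerPath,
          [Parameter(Mandatory)][string]$ExpectedThumbprint)
    $full     = (Resolve-Path -LiteralPath $CerPath).ProviderPath
    $incoming = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full
    # Anything placed in the Root store is trusted machine-wide, so confirm it is the file you exported
    if ($incoming.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '')) {
        throw "Thumbprint mismatch: file has $($incoming.Thumbprint)"
    }
    Import-Certificate -FilePath $full -CertStoreLocation Cert:\LocalMachine\Root
}

# Usage (paths are placeholders):
#   Light Core:  $tp = Export-LightCoreStsCert -CerPath 'E:\transfer\lightcore-sts.cer'
#   Dark Core:   Import-LightCoreStsCert -CerPath 'E:\transfer\lightcore-sts.cer' -ExpectedThumbprint $tp
```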


       

       

      Step six: Import the vulnerability definitions into the "Dark Core"

       

      1. Now you will need to move the data to the dark core for insertion into the database. Copy the following to an external hard drive, flash drive, or whatever transfer method you prefer:
        • The entire Patch directory and all subdirectories of that folder
        • The entire LDLOGON\Timber folder
        • The following files from the LDLOGON folder on the light core to the LDLOGON directory on the dark core. Copy them once at first; after that, the copying procedure should copy them again whenever newer files are detected.
          • Office365Utility (folder)
          • O365Util.dll
          • SCSDiscovery_11.1.0.75.exe
          • LanddeskScanData.zip
          • Mpsychk.exe
      2. These files will need to be copied to the same directories on the dark core server.  If the light core will have access to the dark core, this can be done automatically through a file transfer process, automated or otherwise.
      3. The key is to download content on the light core server regularly using the "vaminer /noprompt /noui /copy" switch and then copy the updated data to the Dark Core.
      4. When copying the Patch Directory from your Light Core to your Patch Directory on your Dark Network Core, ensure the directories look the same.
      5. Run Download Updates on the Dark Core Server. If running via script, simply run "VAMINER.EXE" from the main ManagementSuite folder.
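
One way to confirm that the Patch directory on the Dark Core really does look the same as on the Light Core (an added example, not Ivanti code): write a SHA-256 manifest before the transfer and check it after the copy, before running Vaminer on the Dark Core. The function names, manifest format and example paths are this example's own.

```powershell
# Added example, not Ivanti code. Store the manifest outside the directory being hashed.
function New-TransferManifest {               # run on the Light Core before copying
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$ManifestPath)
    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($rootFull.Length + 1)
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-TransferManifest {              # run on the Dark Core after copying
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$ManifestPath)
    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    $expected = @{}                           # PowerShell hashtable keys are case-insensitive
    foreach ($row in Import-Csv -LiteralPath $ManifestPath) {
        $expected[$row.RelativePath] = $row.SHA256
    }
    $problems = @()
    foreach ($rel in $expected.Keys) {
        $file = Join-Path $rootFull $rel
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            $problems += "MISSING  $rel"      # copy was incomplete
        } elseif ((Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash -ne $expected[$rel]) {
            $problems += "MODIFIED $rel"      # content changed or was corrupted in transit
        }
    }
    foreach ($f in Get-ChildItem -LiteralPath $rootFull -Recurse -File) {
        $rel = $f.FullName.Substring($rootFull.Length + 1)
        if (-not $expected.ContainsKey($rel)) { $problems += "EXTRA    $rel" }
    }
    $problems                                 # empty output means the two trees match
}

# Usage (default patch directory from this article; manifest path is a placeholder):
#   New-TransferManifest  -Root 'C:\Program Files\LANDESK\ManagementSuite\LDLOGON\patch' -ManifestPath 'E:\patch-manifest.csv'
#   Test-TransferManifest -Root 'C:\Program Files\LANDESK\ManagementSuite\LDLOGON\patch' -ManifestPath 'E:\patch-manifest.csv'
```

A manifest that travels on the same media as the files detects incomplete or corrupted copies; to detect tampering as well, carry the manifest's own hash to the Dark Core by a separate route.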

       

       

           Additional important notice:

       

           If your Dark Core will never have any internet connection and you see the following error during the download of updates:

       

           vaminer.details.log example:

           01/08/2019 13:44:50 INFO 3064:LoadingPatchSources : Error 1

           01/08/2019 13:44:50 INFO 3064:LoadingPatchSources : Status: OfflineRevocation

           01/08/2019 13:44:50 INFO 3064:LoadingPatchSources : Status Info: The revocation function was unable to check revocation because the revocation server was offline.

          
           Copy the '%USERPROFILE%\AppData\LocalLow\Microsoft\CryptnetUrlCache' folder from your Light Core to your Dark Core.

       

       

       

      If automating the copying of Data from the light core to the dark core:

       

      If you are automating the copying of the vulnerability data from the light core to the dark core, ensure the following steps are taking place:

       

        1. "Vaminer /copy /noprompt /noui" is run on the light core server.
        2. All files from the Patch directory, its subdirectories, the LDLOGON\Timber folder and the files listed above in step six from the LDLOGON folder are copied to the Patch folder on the dark core.  This can be done using content replication, robocopy or other preferred methods.
        3. Vaminer.exe is run on the dark core (without switches).

       

      This should be done on an automated schedule so that these steps take place in sequence and that there is enough time for each step to complete before the next one starts.
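
The light-core half of that sequence as a scheduled script (an added example, not Ivanti code): each step blocks until the previous one has finished, and a failed copy stops the run. The destination path is a hypothetical placeholder for the dark core's LDLOGON share or an LDLOGON folder on removable media; the file names are the ones listed in step six.

```powershell
# Added example, not Ivanti code.
$ms   = 'C:\Program Files\LANDESK\ManagementSuite'   # default install location
$src  = Join-Path $ms 'ldlogon'
$dest = 'E:\ldlogon'                                  # hypothetical destination

function Invoke-RobocopyChecked {
    param([Parameter(Mandatory)][string[]]$RoboArgs)
    & robocopy.exe @RoboArgs /R:2 /W:5 /NP | Out-Null
    # robocopy exit codes are bit flags; 8 and above mean at least one file failed to copy
    if ($LASTEXITCODE -ge 8) { throw "robocopy exit $LASTEXITCODE for: $($RoboArgs -join ' ')" }
}

# Step 1: download content. Wait = $true blocks until vaminer.exe has exited,
# so the copy can never start on a half-finished download.
$vaminer = @{
    FilePath         = Join-Path $ms 'vaminer.exe'
    WorkingDirectory = $ms
    ArgumentList     = '/copy', '/noprompt', '/noui'
    Wait             = $true
}
Start-Process @vaminer

# Step 2: copy the Patch tree, the Timber folder and the LDLOGON files from step six.
# /E includes subdirectories; /XO skips files that are not newer than the copy at the destination.
Invoke-RobocopyChecked "$src\patch", "$dest\patch", '/E'
Invoke-RobocopyChecked "$src\Timber", "$dest\Timber", '/E'
Invoke-RobocopyChecked "$src\Office365Utility", "$dest\Office365Utility", '/E'
Invoke-RobocopyChecked $src, $dest, 'O365Util.dll', 'SCSDiscovery_11.1.0.75.exe',
    'LanddeskScanData.zip', 'Mpsychk.exe', '/XO'

# Step 3 happens on the dark core once the copy has completed:
# run vaminer.exe from the ManagementSuite folder without switches.
```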