3 Replies Latest reply on Aug 2, 2016 11:26 AM by phoffmann

    LANDesk with CSA for MSP environment

    Apprentice

      Hi Everyone !

       

      Is anyone here utilizing the power of LANDesk specifically for patching / software distribution in an MSP environment?

       

      Of course, if it is an MSP environment then you must be using LANDesk with CSA (Management Gateway).

       

      Could you please give me a brief idea of how you are utilizing it? I ask this because I feel CSA has more limitations and it totally negates the wonderful features offered by LANDesk.

       

      I mean that if you have CSA and almost all your servers / desktops are checking in to the core server through the CSA, then in that case we cannot use the below-mentioned features:

      1) Cannot use Push

      2) Can not push update to agent settings

      3) Can not update agents easily

      4) Can not push agent deployment

      5) Can not use any of Diagnostics option when right click a device

      6) Can not use any right click features available per device like run security and compliance scan / reboot / shutdown etc.

      7) Can not cancel a task / or kill a process immediately (must wait for policy sync to happen, meaning you need to wait for task to run / sometimes we may require a task to run immediately)

      8) Can not use Linux agent (CSA does not support it)

      9) Etc

       

      All I would like to know is how you use it effectively even with the above-mentioned limitations due to CSA. Do you have any workarounds related to the above-mentioned points?

       

      Kindly guide me on this; your experience in utilizing LANDesk with CSA in an MSP environment would really help.

       

      Thank you for your attention on this.

       

      Thank you,

      Neeraj Kumar

        • 1. Re: LANDesk with CSA for MSP environment
          phoffmann SupportEmployee

          So a couple of these are "self-induced" if they're problems & can be resolved through configuration items. If you're in a CSA-environment situation, you do have limitations (based on the fact that you rely on clients reaching out to the Core - as the Core usually has no idea where in the world the clients are).

           

          So - let's look at your points one at a time & see what we can do.

           

          1) Cannot use Push

          >> Correct - you can't. Which is why you will need to think on / decide what makes for a sensible policy check interval. By default, that's only ever 4 hours, but if you deal with "urgent stuff" you may want to bring that down to every 1 hour, or even every 30 minutes. Keep an eye on how many clients you've got connecting though,

           

          2) Can not push update to agent settings

          Correct - which is why you should use policies. Vulscan will automatically check for any updated versions of its assigned behaviours any time it runs.

           

          You shouldn't have to update agent behaviour files often though? A bit more context here would be useful.

           

          3) Can not update agents easily

          That depends on what you're talking about. You can use Agent Health for this, for instance. You can use the Advanced Agent as well - which is pretty easy.

           

          Where exactly do you see / expect problems?

           

          4) Can not push agent deployment

          True - but again, you can do so easily enough through policies (if you have a LD agent out). If you don't have a presence and are doing a "first deployment" type situation - then yes, this will be more of a headache.

           

          For situations like that, you may want to create a separate Advanced Agent (that you can host at a named address at the sub-environment) and get the customer to deploy the Advanced Agent MSI through a GPO. If this is new to you, here's an older document that explains the basics of it - How to: Deploy an Agent using a Group Policy - by and large, not much will have changed.

           

          5) Can not use any of Diagnostics option when right click a device

          Correct - this requires the Core to be able to connect to the device. This is a limitation of the "only one side can see the other" - if you can use a VPN (and don't need a CSA) for instance, this wouldn't be a problem.

           

          The Technology isn't perfect, but it DOES allow for "clients anywhere" to talk to the Core. Unfortunately I'm not aware of someone having come up with a better technological crystal ball & be able to track its clients "somewhere on the internet" without this sort of compromise (shy of CONSTANTLY having connections open & that will come with other issues).

           

          6) Can not use any right click features available per device like run security and compliance scan / reboot / shutdown etc.

          Same as above - any "push" task can be handled as a policy, if those policies are checked reasonably regularly. You'd just need to wrap it into packages (I see a fair few single-line batch-files for utility functions as you mentioned).

           

          7) Can not cancel a task / or kill a process immediately (must wait for policy sync to happen, meaning you need to wait for task to run / sometimes we may require a task to run immediately)

          True - this is something that would need to be addressed by process. Essentially, put checks & balances in place so that you only roll out what you intend to roll out & that there's sign-off for it. That way any "I accidentally formatted X many devices" type situations should be preventable.

           

          This is a compromise - CSA type communications come with limitations. You can't have the full range of capability if only one side sees the other, as it were.

           

          So the way to handle this is through agreed process and putting in checks & balances.

           

          8) Can not use Linux agent (CSA does not support it)

          ... technically it's not so much that the CSA doesn't support it, but rather that the Linux agent doesn't have / make use of the CSA at all so far. That will probably come at some point in the future, just wasn't a priority (since the vast majority of "stuff" connecting through the CSA are Windows & MAC clients - not Linux Servers).

           

          This is a client-side limitation that you could potentially work around via NAT / VPN or so, though that'd defeat the point of having a CSA for the respective environment. If the Linux server(s) are in a separate network, that may not be as big a deal ... depends.

          • 2. Re: LANDesk with CSA for MSP environment
            ecoidan Specialist

            We are also an MSP and use the CSA for managing multiple companies with the Core servers we have. We have been using LANDESK for the last 6 years alongside another MSP RMM toolset. Between the two products everything works well. It would be nice to perform pushes and on-demand functions but LANDESK just isn't designed to work that way through the CSA, yet....

            • 3. Re: LANDesk with CSA for MSP environment
              phoffmann SupportEmployee

              Enabling "push" type stuff would require constant, 24x7 connections from the clients via the CSA to the Core (as otherwise, the Core can't just "guess" where on the internet a device is). I can also see this sort of behaviour causing certain legal concerns (ranging from "bandwidth usage" / "link insomnia" to other, more privacy related items).

               

              You could reduce the impact of this (to a certain degree) by just reducing the policy check interval (though this would still mean that CUSTJOB type tasks probably wouldn't work, as that's not designed for that sort of comms).

               

              If you check for "stuff to do" every 4 hours (for instance) via the CSA, you have at most a 3:59 minute window around stuff. If you check every 15 minutes (assuming your connections & CSA can take the # of clients), you may be faster. Scaling will vary based on your hardware / environment to some degree, but it's a thought to help you along a bit?