13 Replies Latest reply on Dec 19, 2008 5:53 PM by carlilek

    Inventory list vs. Juniper IVE SSL VPN

    Apprentice

      We have a very distributed environment; most of our machines use the Juniper IVE SSL VPN product to connect to hq resources. Therefore, when they are not connected, they communicate through the Management Gateway. As the Juniper product actually creates its own virtual NIC (in Windows), when that is activated, the machines run an inventory scan and report their SSL VPN IP address as their primary IP, which is what Landesk uses in the inventory list and to send scripts, push deployments and the like. If we used anything but Management Gateway Remote Control, that would also go to that IP address. This isn't a problem as long as the machines are connected, but once the SSL VPN disconnects, another inventory scan is not automatically run, so our inventory becomes full of machines that aren't listed under the correct IP addresses.

       

      Anyone else have this problem?

       

      Any ideas how to fix it?

       

      My general preference would be for the physical NIC to always remain as the primary IP, but I figure that that's not possible, since once the SSL VPN is up, the machines can communicate directly to the Core over that SSL VPN/virtual NIC.

        • 1. Re: Inventory list vs. Juniper IVE SSL VPN
          Jared Barneck SupportEmployee

          Check your local scheduler tasks.

           

          Are you running a Hardware scan using ldscn32.exe on IP Address change or are you simply running a miniscan on IP Address change?

          • 2. Re: Inventory list vs. Juniper IVE SSL VPN
            Jared Barneck SupportEmployee

            Also, when they are not connected, why does it matter if the IP is not correct?

             

            Everything is pull-based through the gateway, so even if the IP Address in Inventory is not correct, the client will hit the core through the gateway. Our design is that the IP Address in inventory doesn't matter when they are using the gateway.

             

            When the machine connects through your VPN, the miniscan should work and update the inventory so that they are directly manageable again.

             

            Basically, are there symptoms you are seeing that are problematic, or are you just wanting to see the device's IP Address even when it is in gateway mode?

            • 3. Re: Inventory list vs. Juniper IVE SSL VPN
              Apprentice

              A little bit of both, really. Some of our machines are still reachable by their IP address (they're on campuses without firewalls, or that have firewalls we're allowed through) and have routable static IPs (I know, it's bizarre, dangerous and horrid, but it's also the way it is). It's nice to be able to push a restart to those machines over the weekend or after hours if I'm patching. I know I have to use gateway RC for some of them, but the less I have to do it by hand, the better.

               

              Pardon my ignorance, but how do I check the local scheduler tasks?

               

              Cancel that, learned how to google...

               

              Looks like it runs a miniscan, not a full scan.

              • 4. Re: Inventory list vs. Juniper IVE SSL VPN
                Apprentice

                You can view the Local Scheduler tasks in the console on the device in question under LANDesk Management->Local Scheduler->Scheduled Tasks. You can also view the tasks on the device with the following command executed from your ldclient directory "localsch /tasks | more".

                1 of 1 people found this helpful
                • 5. Re: Inventory list vs. Juniper IVE SSL VPN
                  Apprentice

                  I'm not seeing that first option in my console. Probably looking in the wrong place.

                   

                  Never mind, figured that out too...

                  • 6. Re: Inventory list vs. Juniper IVE SSL VPN
                    Jared Barneck SupportEmployee

                    Yeah, we have some information on Local Scheduler in random documents...

                     

                    Best Known Method for Agent Configuration

                    About Local Scheduler Command Line Parameters

                    About Batch File Distribution Packages

                     

                     

                    ...but we don't really have a good document on Local Scheduler that answers the following questions:

                     

                    • What are the default Local Scheduler tasks in an agent?
                    • When would you want to change them?
                    • How should you change them?
                    • What happens when you change them?

                     

                    What are the default Local Scheduler tasks in an agent?

                    This first question is easy to answer by deploying a Default Agent and then looking at the local scheduler tasks in inventory or from the client's command prompt: "c:\program files\landesk\ldclient\localsch.exe" /tasks | more (yes, you have to pipe to more).

                     

                    When would you want to change them?

                    This is more difficult to answer. And there are many reasons to change them.

                    You may want the default tasks to occur more often, or maybe less often.

                    Or you may want more tasks, even tasks you want clients to run that have nothing to do with LANDesk (such as scheduling a defrag every weekend or something).

                    You may want more task filters such as Time of Day or Day of week or bandwidth features.

                     

                    In your case, we reduced resource usage in 8.8 by changing from a Hardware Scan to a Miniscan.  But you really need the Hardware Scan to occur because Miniscans don't go through the gateway and you need a scan that goes through the gateway on IP Address change.  The miniscan is good enough whenever the client has access to the Core Server.

                     

                    How should you change them?

                    Some minor changes can be done in the GUI Agent Configuration.

                    However, sometimes you need more advanced changes, in which case you would add these tasks to the NTSTACFG yourself. There is an example of doing this in the following article: Best Known Method for Agent Configuration

                    Look at the following section: Adding Commands to the Agent INI using Mergeini.exe

                     

                    You can also change the agent configuration, but instead of deploying out a new agent, you make sure the agent works, and then for existing agents you just delete the current Local Scheduler tasks and recreate new ones. There are examples of doing this in this document: About Batch File Distribution Packages

                    And details on the command line parameters to use in this document.

                    About Local Scheduler Command Line Parameters

                    The help file has information.

                    You can also use Custom Scripts to add or change Local Scheduler tasks.

                     

                    The best thing to do is probably:

                    1. Make sure your Agent Configuration deploys the Local Scheduler tasks that you want.
                    2. If you have existing agents that are not correctly configured, either deploy them the new agent, or deploy a batch file that changes them to match the default agent.  If bandwidth and resources and reinstalling agents on workstations are not issues, deploy the agent again.  Otherwise, use a batch file.  A batch file is better than a custom script because it can be a policy where a custom script cannot.

                     

                    What happens when you change them?

                    Well, the short answer is that the local task you schedule will run.  So now you have to think of the impact of having that task run on all your nodes.

                     

                    The default tasks are default for a reason. Changing them could lead to using too many resources and slowing down your network or servers or other resources, and may even lead to overloading some things such as the network and/or the Core Server, even so far as taking down the Core Server or Network.

                     

                    So you really need to know what tasks you are adding, why you are adding them, and what resources these tasks will take.  If you have 10,000 nodes, you don't want to have all 10,000 nodes hit the Core at the same time.

                    • 7. Re: Inventory list vs. Juniper IVE SSL VPN
                      Apprentice

                      Excellent information. Thank you very much. We only have about 200 nodes, so I'm not particularly concerned about resources. Those nodes are about to become overpowered, anyway. (we're deploying quadcores to our desktops, and quadcore xeons to our file servers.)

                      • 8. Re: Inventory list vs. Juniper IVE SSL VPN
                        Apprentice

                        OK, I've gotten the batch file to work just fine, but my .ini isn't working properly. It removes the miniscan task, but it does not add in the full inventory task. Here's what it looks like:

                         

                        [Policy Management Post Copy]
                        EXEC10001=%DEST%\LOCALSCH.EXE, /del /taskid=778
                        EXEC10002=%DEST%\LOCALSCH.EXE, /taskid=778 "/exe=%DEST%\LDIScn32.EXE" /cmd="/NTT=<CoreFQDN>:5007 /S=<CoreFQDN> /I=HTTP://<CoreFQDN>/ldlogon/ldappl3.ldz /NOUI" /ipaddr

                         


                        The syntax for the EXEC commands seems to be somewhat fluid; I've tried it both with and without the commas and with different quote positions around /exe.

                         

                        Here's my batch file that does work:

                        @ECHO ON
                        "C:\Program Files\LANDesk\LDClient\localsch.exe" /del /taskid=778
                        "C:\Program Files\LANDesk\LDClient\localsch.exe" /exe="c:\Program Files\LANDesk\LDClient\LDIScn32.EXE" /cmd="/NTT=<CoreFQDN>:5007 /S=<CoreFQDN> /I=HTTP://<CoreFQDN>/ldlogon/ldappl3.ldz /NOUI" /ipaddr /taskid=778

                         

                        Anyone have any ideas?

                        • 9. Re: Inventory list vs. Juniper IVE SSL VPN
                          Employee

                          Hi Ken,

                           

                          what does localsch.exe /tasks | more say was done?

                          • 10. Re: Inventory list vs. Juniper IVE SSL VPN
                            Apprentice

                            Hi Jack,

                             

                            It lists the usual suspects, apart from the miniscan.exe (task 778). But there's no inventory scan of any type on ip address change. There's obviously something I'm doing wrong in the second line, but I'm at a loss. Like I said, the batch file works fine.

                            • 11. Re: Inventory list vs. Juniper IVE SSL VPN
                              Jared Barneck SupportEmployee

                              It is almost always quotes when it doesn't work.

                               

                              Why is there a quote before the /exe?

                               

                              EXEC10002=%DEST%\LOCALSCH.EXE, /taskid=778 /exe="%DEST%\LDIScn32.EXE" /cmd="/NTT=<CoreFQDN>:5007 /S=<CoreFQDN> /I=HTTP://<CoreFQDN>/ldlogon/ldappl3.ldz /NOUI" /ipaddr
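The quoting mistake identified above can be caught before an agent INI is deployed. The following is an added example, not part of the original posts and not LANDesk code: a small Python check that flags EXEC lines where a double quote opens before a switch name instead of after its "=", or where quotes are unbalanced. The function names and the EXEC10003 numbering are assumptions made for the example; the check only enforces the quoting pattern used by the working lines in this thread.

```python
import re

# Constructed sample: the [Policy Management Post Copy] lines quoted in the
# thread. EXEC10003 is the corrected line, renumbered so both fit in one file.
SAMPLE_INI = r'''[Policy Management Post Copy]
EXEC10001=%DEST%\LOCALSCH.EXE, /del /taskid=778
EXEC10002=%DEST%\LOCALSCH.EXE, /taskid=778 "/exe=%DEST%\LDIScn32.EXE" /cmd="/NTT=<CoreFQDN>:5007 /S=<CoreFQDN> /I=HTTP://<CoreFQDN>/ldlogon/ldappl3.ldz /NOUI" /ipaddr
EXEC10003=%DEST%\LOCALSCH.EXE, /taskid=778 /exe="%DEST%\LDIScn32.EXE" /cmd="/NTT=<CoreFQDN>:5007 /S=<CoreFQDN> /I=HTTP://<CoreFQDN>/ldlogon/ldappl3.ldz /NOUI" /ipaddr
'''

EXEC_RE = re.compile(r'^(EXEC\d+)=(.*)$', re.IGNORECASE)
QUOTE_BEFORE_SWITCH = re.compile(r'^"(/\w+)=')  # e.g. "/exe=... instead of /exe="...


def split_outside_quotes(args):
    """Split on whitespace outside double quotes; also report an open quote."""
    tokens, current, in_quotes = [], "", False
    for ch in args:
        if ch == '"':
            in_quotes = not in_quotes
        if ch.isspace() and not in_quotes:
            if current:
                tokens.append(current)
            current = ""
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens, in_quotes  # in_quotes still True means an unbalanced quote


def lint_exec_lines(ini_text):
    """Return (line number, key, message) for each suspicious EXEC line."""
    findings = []
    for lineno, line in enumerate(ini_text.splitlines(), 1):
        m = EXEC_RE.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        tokens, unbalanced = split_outside_quotes(value)
        if unbalanced:
            findings.append((lineno, key, "unbalanced double quote"))
        for tok in tokens:
            hit = QUOTE_BEFORE_SWITCH.match(tok)
            if hit:
                sw = hit.group(1)
                findings.append((lineno, key, f'quote opens before {sw}=, expected {sw}="..."'))
    return findings


if __name__ == "__main__":
    for finding in lint_exec_lines(SAMPLE_INI):
        print(finding)
```

Switches that appear inside the quoted /cmd value (such as /NTT= and /S=) are not flagged, because the tokenizer only inspects the start of each top-level argument.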

                              • 12. Re: Inventory list vs. Juniper IVE SSL VPN
                                Apprentice

                                Oh. Let me fix that and I'll let you know...

                                • 13. Re: Inventory list vs. Juniper IVE SSL VPN
                                  Apprentice

                                  Yeah, that did it. Now I feel like an idjit.