14 Replies Latest reply on Aug 7, 2018 6:34 PM by karlehenry

    Best methods for testing your CSA functionality

    karlehenry Apprentice

      About 3 months ago our CSA Windows box was compromised and our Systems department rebuilt a Linux box and just confirmed it was functioning.  I do not believe it is functioning properly as I get CSA errors when trying to Remote Control PCs not on the network.

       

      My question is, what is a simple way to test for proper CSA functionality when you have no access to the Core or CSA box?   Thanks in advance for all your help.

        • 1. Re: Best methods for testing your CSA functionality
          phoffmann SupportEmployee

          Why don't you have access to the Core? (I'm confused more than anything).

           

          Generally speaking, most of the useful logs will be on the Core (as it talks to the CSA & such) and/or on the CSA itself.

           

          You can run things like "policy sync" from the client over the CSA & check the Proxyhost log & such but ... I'd expect clientside stuff to mostly amount to "well - couldn't talk to the Core successfully" in varying shades, as the most useful data would be held & logged on the 2 parts you don't seem to have access to?

          1 of 1 people found this helpful
          • 2. Re: Best methods for testing your CSA functionality
            carlos Expert

            Can you ping your CSA?

            • 3. Re: Best methods for testing your CSA functionality
              karlehenry Apprentice

              Wanted to reply to give some understanding about core access.

               

              Our Systems and Security felt it was a security risk giving us access to the core and set up a remote console on a separate server with a console.  We do not have access to the CSA or to the SQL database so our troubleshooting is limited.

               

              Whenever we try to remote control a machine not on the University network, we get an error about the CSA.  I can't get the error right now as our core is being upgraded to 2018.1 as I type this.

              • 4. Re: Best methods for testing your CSA functionality
                karlehenry Apprentice

                Yes, I am able to ping our CSA.

                • 5. Re: Best methods for testing your CSA functionality
                  carlos Expert

                  Without the error or logs it will be very hard to get a solution.

                  Once you are able to get some more info we can try to help out.

                   

                  Best.

                  • 6. Re: Best methods for testing your CSA functionality
                    karlehenry Apprentice

                    Once it comes back up from the upgrade, I will look for some logs and post them here.  Probably won't be until tomorrow.

                    • 7. Re: Best methods for testing your CSA functionality
                      phoffmann SupportEmployee

                      karlehenry wrote:

                       

                      Wanted to reply to give some understanding about core access.

                       

                      Our Systems and Security felt it was a security risk giving us access to the core and set up a remote console on a separate server with a console. We do not have access to the CSA or to the SQL database so our troubleshooting is limited.

                       

                      Whenever we try to remote control a machine not on the University network, we get an error about the CSA. I can't get the error right now as our core is being upgraded to 2018.1 as I type this.

                      I'm a little (more) confused.

                       

                      They *DO* know that at some point you're going to need to be able to "admin something" right? Or do they "do all the doing" via LDAPI / MBSDK like automation (stuff like mentioned here -- Getting Started with the MBSDK (Example Scripts Included) )?

                       

                      But even so "if something goes wrong at some point" (and I've yet to find an environment where that's not the case) you're (I'm assuming you're the application admin) going to need access to the Core for simple logs if nothing else.

                       

                      "Not having access to the DB" I can understand from a separation point of view (it's not great, and I can usually convince DBA people over to our side of perspective), but that's an "OK" security constraint ... just makes life harder (and involves having a DBA whose shoulder to hover over if that's needed).

                       

                      But I'm not sure what their beef with a remote console is (which doesn't require a server btw - you COULD install one on a Win-10 laptop for instance ... just needs to be able to TALK to the Core).

                       

                      How do you even get anything done without access to the console / Core ...? Shy of having "everything" scripted already (which seems unlikely) ?

                      • 8. Re: Best methods for testing your CSA functionality
                        karlehenry Apprentice

                        Believe me, I share your views and the decision was simply from someone who was a micro-managing security buff who didn't trust anyone in fear of compromising his empire.

                         

                        This is something that we are negotiating and hope to have within the next month or two.

                         

                        The error we get is:

                         

                        "Unable to contact device.  Device is not registered on a configured CSA."

                        • 9. Re: Best methods for testing your CSA functionality
                          carlos Expert

                          Just to be clear, you are logged in to your CSA, you can see the device (in the remote control section) and when you click the connect, you get that error?

                          Does that happen with all your devices?

                          • 10. Re: Best methods for testing your CSA functionality
                            karlehenry Apprentice

                            Oh, yes, I know we can run the console from any system but that is not allowed for the reasons listed above.  We must remote desktop in to a server in the data center to do anything UEPM related.  I have already had to request additional resources (memory, CPU and storage) several times......

                            • 11. Re: Best methods for testing your CSA functionality
                              karlehenry Apprentice

                              It happens with all devices that are not on the same network as us.  So any device on a home network pretty much.  This used to work.

                               

                              I unfortunately do not have access to the CSA so I want to get a list of things to check and then request access.  I will work on the logs in a few minutes as I think I can get some of those.  We just upgraded to 2018.1 so testing a few things.

                              • 12. Re: Best methods for testing your CSA functionality
                                carlos Expert

                                I think that without you having access to the core of the CSA it's a lost cause.

                                If your superior doesn't want you to have this access, then they are the ones who need to have this "just working" for you.

                                 

                                Best.

                                • 13. Re: Best methods for testing your CSA functionality
                                  phoffmann SupportEmployee

                                  OK - so "micro managing" is generally a bad sign of people having trust issues, and is NEVER a good thing. My sympathies of having quite such spanners thrown at you whilst just trying to get things done.

                                   

                                  If it *CAN* help, feel free to point them to the community and ask the question if it's "acceptable" / "smart" or whatnot to do what they do. The short answer is "let admins be admins" ... if you have an application (especially one as powerful and potentially complex as EPM) then you're not doing yourself any favours by hobbling the admins ... even with something as simple as "remote console" access not being granted.

                                   

                                  Just seems "really badly thought out" -- it's the kind of security thinking that would deem a PC wrapped up in chains, inside a safe, at the bottom of the lake to be "safe" ... it might be, but it also won't get anything DONE.

                                   

                                  We *do* have things like Auditing options and so on ... and the best counter to an event like Emory University happening (under-trained SCCM admin had an "oops" and re-formatted the entire estate with a fresh Win 7 image, servers and all) is to TRAIN staff (and/or restrict staff with roles & scopes who aren't trained) and to have policies & procedures in place. But oh well.

                                   

                                  So ... the first thing that comes to mind somehow really is ... "are you accepting client certs" to begin with? As of 2016, every client generates a separate cert upon install, which needs to be individually accepted Core-side (or "Bulk accepted" during roll-out). Those can be revoked if need be individually (kind of the point), if a device were to go walkies / become untrusted.

                                   

                                  At that point, those devices wouldn't be able to really do much of anything except potentially send in inventory -- no policies or such (assuming you make use of this). Here's how you get to the relevant menu ...

                                  ... and here's a screenshot with the key options (including to "auto-accept" which is NOT RECOMMENDED outside of roll-outs - I just use it in my lab !). Click on the pictures to see the full-size version.

                                   

                                  Other than that ... yeah - you'll need access to the Core first, POTENTIALLY the CSA (depending on what the logs on the Core say) - to see where the logs will lead you.

                                   

                                  There's only so much crystal ball we/anyone can do without looking at logs. ... and that stuff can have a LOT of moving parts & get somewhat complicated.

                                   

                                  We're not running a "Hello World" server here. "Security by no one accessing their tool" is a less than ideal solution, very mildly put.

                                  2 of 2 people found this helpful
                                  • 14. Re: Best methods for testing your CSA functionality
                                    karlehenry Apprentice

                                    Thank you to all who contributed, everything was very helpful but considering my current access, access I am planning to get, I was able to determine that our CSA appears to be configured and working properly.  I was able to get to the webconsole of the CSA and see many systems communicating via the CSA.

                                     

                                    Also since this post, I have been able to connect through remote control and deploy "policy" based software to laptops off our network.

                                     

                                    Thank you again for all who replied.