PAD Deployment and Discovery Configuration Requirements
This lesson outlines key system requirements for PAD deployment and Asset Vision device and service discovery.
NOTE: The PAD installer should never be shared with anyone other than System Administrators, as it contains sensitive, customer-specific information. The PAD should only be installed on a device with restricted access.
Proxy Adapter Discovery (PAD) Server Requirements
The PAD is a Windows Service, which resides within the customer’s network. It performs tasks such as Discovery, Inventory, Integration, etc.
The PAD server uses the TLS 1.2 protocol for connection security.
Supported PAD Operating Systems
Visit the Supported Platforms and Technologies lesson to view the supported PAD operating systems.
PAD Hardware (Physical or Virtual) Minimum Requirements
- Dual core CPU
- 2 GB RAM
- 2 GB free disk space
- Permanent network connection to the Internet
Java Requirements
- Java is installed at time of PAD installation via bundled redistributable. No prior installation of the JRE is required.
Proxy Support
The PAD can work through a proxy and supports authentication. Proxy name, port, and optionally any credentials are entered during installation.
PAD Network Overhead
The PAD uses multiple agentless discovery mechanisms to facilitate detailed hardware/software inventory across a range of operating system platforms and network devices. As there is no agent deployed, network traffic can be higher than with traditional agent-based discovery approaches. Below are some rules of thumb for the expected network consumption of a typical PAD discovery job in a Windows environment.
PAD <-> Target Device(s)
- Up to 1.1 Mb/s during discovery
Note: Using the deepest scan techniques may increase network traffic to up to 10 Mb/s during the scanning period. It is recommended that WAN sites with a T1 or slower connection either deploy a PAD at each WAN site or schedule discovery jobs during non-business hours.
PAD <-> Asset Vision Server Instance
- 64Kb/s average per machine during discovery. Up to 256Kb/s per PAD during discovery
Discovery Throughput
- 30-120 seconds per machine (NMAP + WMI / SSH / SNMP / ESX)*
Maximum Concurrent Scan Jobs
- This depends on the available CPU cores and RAM on the machine hosting the PAD. It’s automatically set during installation.*
*Dependent on target machine speed/load, network conditions and PAD machine load.
Access Credentials
To inventory a device remotely, access credentials are required.
PAD - Windows Client Network Access Requirements
- The user account should be a member of the local Administrators group and have remote WMI privileges.
PAD - macOS / SSH Access Requirements
- Remote Login must be enabled on the target device via Sharing in System Preferences. The setting can be configured remotely via LDAP.
- The account used must be listed as enabled for remote login.
PAD - Unix/Linux/SSH Access Requirements
- The user account must be able to log on remotely via SSH using basic authentication or pre-shared keys.
- The user account must be listed in the local sudoers file on the target SSH machines, or belong to an equivalent security group (e.g. wheel).
PAD - ESX Credentials, Protocols and Account Rights Requirements
- vCenter / vSphere management center runs on Windows and has a security management component that allows the registration of Windows accounts as vClient / vSphere administrators.
- ESX has a similar arrangement but being the OS it allows direct account creation.
- Both expose an HTTPS-based API that the PAD uses to access them.
- To access the ESX server put the chosen account details into the ESX Credentials type.
- To access the vCenter / vSphere management console, put the chosen Windows credentials registered with the vClient / vSphere management center into the ESX Credentials type.
The following privileges are required for the account(s) in order for the PAD to scan either one:
- System.Anonymous
- System.View
- Global.Licenses
- System.Read
PAD - SNMP Access Requirements
- SNMP v1/v2 access from the PAD.
- SNMP v3 credentials.
PAD - SQL Server Access Requirements
- The SQL Server Database probe supports SQL Server authentication (e.g. ‘sa’), and also integrated authentication.
- The account used to access the instances requires read-only access to the master database in the instance, and to get complete inventory information, read-only access to any databases in the instance.
- The probe will still work without access to databases other than master, but only partial data will be returned (name and database ID).
PAD - Oracle Access Requirements
The WMI account used must be able to run the Oracle tool “lsnrctl status” from the command line.
The Oracle account used must have the following rights:
- The user must be able to connect to the database.
- The user must have access to the temporary tablespace and be able to create temporary tables.
- The user must be granted read access to dictionary tables (to get Oracle version, Edition, etc.).
- The user must be granted read access to management tables to obtain all installed DB options and their states (in use, etc.).
PAD - DB2 Credentials
- Used for connections to the ILMT (DB2) database.
- The new DB2 credential type is used by the probes. The DB2 user needs read-only access to the TLMA database, specifically the ADM and SWCAT schemas.
PAD Client Network Ports
PAD and Asset Vision Server Access:
- HTTPS outbound
- Proxy Server support includes:
  - Squid based proxy appliances
  - NTLM v1 and v2 authentication support for SSO proxy appliances
PAD to target Device Access:
- ICMP local network subnets only
- SSH TCP port 22
- SNMP UDP 161/162
- vCenter / vSphere HTTPS 443
- ESX HTTPS 443
- WMI: TCP/UDP ports 135 and 137, and TCP ports 1024-65535
Remote WMI connections may need to be enabled via the DCOMCNFG tool and also enabled at the Windows firewall level. Both settings can be managed via Group Policy or manually.
Group Policy Settings
WMI Security
Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>DCOM: Machine Access - Allow remote access to the PAD service account
Note: DCOM must also be enabled; by default, DCOM is enabled on all Windows-based machines.
Firewall rule exception
Computer Configuration>Administrative Templates>Network>Network Connections>Windows Firewall>Domain/Standard Profile>Allow inbound remote admin exception
Note: Referenced GPO settings may not be included in legacy domain controllers. Please review this linked Microsoft article (http://www.microsoft.com/en-us/download/details.aspx?id=6955) for information on updating the group policy management console.
Network Configuration Verification
Prior to installing the PAD, Scalable recommends that you run several diagnostics on your network to ensure all required configuration changes are in place:
- Identify target range(s) of IP addresses to scan
- Execute the supplied WMICheck tool against the IP ranges from the identified PAD server, see https://s3.amazonaws.com/help.live.scalable.com/Tools/WMICheck.exe.
- Reconcile firewall/WMI configuration errors by reviewing Anti-Virus settings, Firewall rules and WMI remote connection settings
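The script below is an added example, not Scalable's WMICheck tool or any PAD component. It exercises the "PAD to target Device Access" port list and the verification steps above from the host that will run the PAD: each target in the identified IP ranges gets a TCP connect attempt on the SSH, HTTPS and WMI endpoint-mapper ports, and the report names the protocols that did not answer so firewall or WMI gaps can be reconciled before deployment. ICMP, SNMP over UDP, port 137 and the dynamic TCP 1024-65535 range are deliberately not covered, because a TCP handshake does not test them; the assumed `--timeout` default and the report wording are this example's own choices.

```python
"""Pre-deployment TCP reachability check for PAD target ports.

Added example, not Scalable's WMICheck tool. Run it on the host that will
become the PAD server so the test traverses the same firewalls the PAD will.
"""
import ipaddress
import socket
import sys
from typing import Callable, Dict, Iterable, List, Tuple

# TCP ports the PAD needs on targets, grouped by discovery protocol (from the
# PAD Client Network Ports section). ICMP, SNMP UDP 161/162, port 137 and the
# dynamic TCP 1024-65535 RPC range are not exercised by a plain TCP connect;
# only a real WMI query (e.g. the supplied WMICheck tool) confirms those.
REQUIRED_TCP_PORTS: Dict[str, Tuple[int, ...]] = {
    "https (vCenter/vSphere/ESX)": (443,),
    "ssh": (22,),
    "wmi/dcom endpoint mapper": (135,),
}

# A connector answers "did a TCP handshake to host:port complete within timeout?"
# It is injectable so the check can be exercised offline with a fake network.
Connector = Callable[[str, int, float], bool]


def tcp_connect(host: str, port: int, timeout: float) -> bool:
    """Real connector: True if the handshake completes, False on refusal/timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def expand_targets(ranges: Iterable[str]) -> List[str]:
    """Expand CIDR blocks and single addresses into individual host addresses."""
    hosts: List[str] = []
    for item in ranges:
        net = ipaddress.ip_network(item, strict=False)
        if net.num_addresses == 1:
            hosts.append(str(net.network_address))
        else:
            hosts.extend(str(h) for h in net.hosts())
    return hosts


def check_host(host: str, connector: Connector = tcp_connect,
               timeout: float = 2.0) -> Dict[str, Dict[int, bool]]:
    """Probe every required TCP port on one host: {protocol: {port: reachable}}."""
    return {
        proto: {port: connector(host, port, timeout) for port in ports}
        for proto, ports in REQUIRED_TCP_PORTS.items()
    }


def check_targets(ranges: Iterable[str], connector: Connector = tcp_connect,
                  timeout: float = 2.0) -> Dict[str, Dict[str, Dict[int, bool]]]:
    """Probe every host in the given ranges; results keyed by host address."""
    return {host: check_host(host, connector, timeout) for host in expand_targets(ranges)}


def unreachable_protocols(host_result: Dict[str, Dict[int, bool]]) -> List[str]:
    """Protocols for which no listed port answered on this host."""
    return sorted(proto for proto, ports in host_result.items() if not any(ports.values()))


def report(results: Dict[str, Dict[str, Dict[int, bool]]]) -> List[str]:
    """One line per host. A protocol the target is not meant to expose (e.g. WMI
    on a Linux box) is expected to show as unreachable; reconcile the rest."""
    lines = []
    for host, host_result in results.items():
        missing = unreachable_protocols(host_result)
        lines.append(f"{host}: " + ("ok" if not missing else "unreachable: " + ", ".join(missing)))
    return lines


if __name__ == "__main__":
    # Usage: python pad_precheck.py 192.0.2.0/28 198.51.100.7   (constructed ranges)
    for line in report(check_targets(sys.argv[1:])):
        print(line)
```

Because the connector is injectable, the same check can be run in a change window against a fake network first, then for real; against real targets keep the ranges to the addresses identified for discovery, since the goal is to confirm the PAD's own path, not to survey the network.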
PAD Deployment
Please refer to the lesson on PAD installation for step by step instructions on how to install a PAD.
Note: The PAD allows operation through authenticating and non-authenticating proxies. It has been tested with Squid and proxies supporting both NTLM v1 and v2.
Note: After installing the PAD, ensure that the PAD can communicate via the host firewall (if one is enabled). Also ensure that any exception rules are added to the local Anti-Virus client software as required.
Firewall/Proxy bypass settings for allowing PAD communication:
- Outbound TCP 443 (communication back to the Asset Vision® instance) -> ANY
- Outbound ANY (network discovery) -> Local Network
AV exception rules:
- Allow wrapper.exe
- Allow Java.exe
Support
Remote access via GoToAssist is the preferred method of troubleshooting and reviewing onsite issues. The session only requires access to the device running the PAD Java client. By allowing direct access through a remote control system, Scalable can readily identify root causes and minimize customer time. Please contact Scalable Support by emailing [email protected].
WMI Troubleshooting Links:
http://technet.microsoft.com/en-us/library/ee692772.aspx#EEAA
http://msdn.microsoft.com/en-us/library/aa393266%28v=VS.85%29.aspx