Some users may experience issues accessing the case portal. For more information, please click here.

This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
flexeranoob
Level 7
‎Nov 04, 2019 02:25 AM

Agent authenticating with Beacon server

Dear All,

Presently, Flexera agents connect to the Beacon server without any authentication.   Can this connection be made with an authentication? This is to preserve the integrity of the information received by the beacon. 

Please help. 

This thread has been automatically locked due to inactivity.

To continue the discussion, please start a new thread.
8 Replies
kclausen
Flexera Alumni
‎Nov 04, 2019 07:08 AM

The Beacon runs on Windows and uses IIS for authentication.  Therefore, the Beacon/IIS will use Windows Authentication when the FlexNet Agent is installed on a Windows Devices when uploading to the Beacon.

 

When the FlexNet Agent is installed on Linux/UNIX, Windows Authentication is not possible, which is why IIS must be configured for Anonymous Authentication.

 

With some work, the communication between the Agent and the Beacon can be configured to use HTTPS.  This requires you to supply your own Certificate, and the Certificate must be installed on each non-Windows Devices where the agent is installed.

 

Kirk

SenthilNathan
Level 4
In response to kclausen
‎Nov 24, 2021 12:35 AM

@kclausen: Do you have a document or reference notes, as the client wants Flexera agents to connect the Beacon server with authentication using client/end device level certificates.  The following message is from the client.

"The Agent needs to understand Client Authentication certificates and be able to use such a certificate in the Windows certificate store. Also, the FNMS endpoint service must be able to verify such a certificate once an agent presents it as the basis for authentication – including the trust with the Client company PKI/CA"

0 Kudos
jpreuss
Level 3
In response to SenthilNathan
‎Nov 29, 2021 01:04 PM

Hallo Nathan,

with some luck we convinced our customers to check only our beacon IIS certificate with CRL valididity. So they trust our beacon and we trust every client for delivery. It was not easy to get communication with PKI/CA (Port 80 !) from every client  environment. You have to bolster your client keystores with public keys of the signing key chain. But it is exactly no authentication. You will have to choose, which parts of foreign keys are representative. And what should be the benefits of the customer for the requested authentication? 

Possibly your customer will see your enduring efforts on his bill... For one time implementation and daily run seperated.

With kind regards, Juergen.

ChrisG
Community Manager Community Manager
Community Manager
‎Nov 23, 2021 08:43 PM

This is an old thread, but for anybody finding this info here are some references which contain details and guidance on working with mTLS authentication with the FlexNet inventory agent:

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)
0 Kudos
kclausen
Flexera Alumni
‎Nov 24, 2021 07:17 AM

In addition to the excellent links that Chris provided, here is a recent KB Article on this topic:

https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/Configure-Client-Certificate-Authentication-for-FlexNet/ta-p/207382

 

0 Kudos
SenthilNathan
Level 4
In response to kclausen
‎Nov 28, 2021 06:09 AM

@kclausenCan we use an existing certificate in the client to authenticate the FlexNet Beacon connection or we should have a new certificate?

0 Kudos
kclausen
Flexera Alumni
In response to SenthilNathan
‎Nov 29, 2021 06:06 AM

@SenthilNathan - The certificate checking/acceptance is performed by IIS, not the beacon.  Please follow the documentation in the above links provided by Chris.  The answer to your question is that the Certificate installed on the client must be accepted by IIS installed and enabled on the Beacon Server.

0 Kudos
peter_osang
Level 4
‎Nov 29, 2021 06:37 PM

Hey @kclausen, Senthil's question stems from a customer who already has a client certificate pair installed in the Trusted Root Certification Authorities on their end user Windows devices that is used for client authentication of another app.    The question is whether the agent can be configured to use that certificate.  This would remove the necessity to deploy a new cert to all end user devices.     

My guess is the answer is no.  Reading between the lines in the documentation, it looks like the agent expects the certificate to be named after the inventory beacon as that seems to be the only way that the agent would know which certificate in the local cert store to use to authenticate itself.

0 Kudos