I have a customer that has separate DNS for production and non-production internal servers, and the same for external prod and non prod, making four different DNS zone.
Beacons are only configured in the production internal.
This means that by default any FNMS agent not installed in the prod internal zone would not be able to resolve the advertised beacons in the beacon policy.
To get around this, I've set the beacons to advertise their IP addresses by editing the beaconengine.config file (NetworkName variable), and setting the agents to CheckServerCertifcate and CheckCertificateRevocation = false. HTTPS on the beacons is enabled.
This all works fine.
However, the problem I'm having is that if I run a Remote Inventory rule to collect inventory on devices that cannot have the inventory agent installed, the inventory fails to upload. This is because the two certificate parameters are not passed in the rule, so when ndtrack tries to upload to the beacon using the IP address, it fails the certificate check because the IP address is not in the certificate.
So, how to successfully run a Remote Inventory in this environment?
a) Can parameters be added to the remote inventory action? Is there somewhere in the database or on the beacon where this the parameters used to execute the remote inventory is configurable? This would obviously be the best and most versatile solution.
b) Can IP addresses be added to the IIS certificates?
I did try setting in that ndtrack.ini file, which didn't work.
I also tried setting those values directly in the registry on the target. Again, it didn't work.
For remote inventory to windows it appears that the parameters have to be set directly on the command that the remote inventory action uses, however I can't find the place where those are described.
I can't think of any way to override/control the options used by remote inventory gathering. The ndtrack command line used is hard-coded in the remote execution logic. (The .ini file approach noted in earlier comments sounded like a hopeful approach to try, but it looks like that doesn't work.)
If you want to do inventory gathering via the built-in remote execution capability and upload to the beacon via HTTPS then I think you will be constrained to doing it in an environment where the following conditions hold:
The beacon name specified in the BeaconEngine.config file matches the name in the certificate that is configured on the beacon.
The target devices can resolve that name to an IP address.
The target devices can connect to any CRL URL that is configured in the certificate.
(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)
