Re: adding parameters to a remote inventory action

jasonlu · ‎Dec 02, 2020

hi,

I have a customer that has separate DNS for production and non-production internal servers, and the same for external prod and non prod, making four different DNS zone.

Beacons are only configured in the production internal.

This means that by default any FNMS agent not installed in the prod internal zone would not be able to resolve the advertised beacons in the beacon policy.

To get around this, I've set the beacons to advertise their IP addresses by editing the beaconengine.config file (NetworkName variable), and setting the agents to CheckServerCertifcate and CheckCertificateRevocation = false. HTTPS on the beacons is enabled.

This all works fine.

However, the problem I'm having is that if I run a Remote Inventory rule to collect inventory on devices that cannot have the inventory agent installed, the inventory fails to upload. This is because the two certificate parameters are not passed in the rule, so when ndtrack tries to upload to the beacon using the IP address, it fails the certificate check because the IP address is not in the certificate.

So, how to successfully run a Remote Inventory in this environment?

a) Can parameters be added to the remote inventory action? Is there somewhere in the database or on the beacon where this the parameters used to execute the remote inventory is configurable? This would obviously be the best and most versatile solution.

b) Can IP addresses be added to the IIS certificates?

c) Is there another way to skin this?

jjensen · ‎Dec 03, 2020

Hello @jasonlu,

You can try amending the ndtrack.ini file on the relevant beacon server(s), located at:

C:\Program Files (x86)\Flexera Software\Inventory Beacon\RemoteExecution\Public\Inventory

Specifically, add the following section:

[ManageSoft\Tracker\CurrentVersion]

CheckServerCertificate=False

CheckCertificateRevocation=False

HTH,

Joseph

If my response answered your question satisfactorily, please click "ACCEPT AS SOLUTION" to heighten visibility for future customers!

jjensen · ‎Dec 03, 2020

Just realised the above will only work for Unix machines... doh!

I'm looking into whether the same is possible for Windows, will follow up here if/when I find anything.

If my response answered your question satisfactorily, please click "ACCEPT AS SOLUTION" to heighten visibility for future customers!

jasonlu · ‎Dec 03, 2020

I did try setting in that ndtrack.ini file, which didn't work.

I also tried setting those values directly in the registry on the target. Again, it didn't work.

For remote inventory to windows it appears that the parameters have to be set directly on the command that the remote inventory action uses, however I can't find the place where those are described.

ChrisG · ‎Dec 03, 2020

I can't think of any way to override/control the options used by remote inventory gathering. The ndtrack command line used is hard-coded in the remote execution logic. (The .ini file approach noted in earlier comments sounded like a hopeful approach to try, but it looks like that doesn't work.)

If you want to do inventory gathering via the built-in remote execution capability and upload to the beacon via HTTPS then I think you will be constrained to doing it in an environment where the following conditions hold:

The beacon name specified in the BeaconEngine.config file matches the name in the certificate that is configured on the beacon.
The target devices can resolve that name to an IP address.
The target devices can connect to any CRL URL that is configured in the certificate.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

jasonlu · ‎Dec 09, 2020

Chris, yeah that looks to be the constraint.

I guess I'll be entering this into the new 'Ideas' section then!

j