I have a customer that has separate DNS for production and non-production internal servers, and the same for external prod and non-prod, making four different DNS zones.
Beacons are only configured in the production internal.
This means that by default any FNMS agent not installed in the prod internal zone would not be able to resolve the advertised beacons in the beacon policy.
To get around this, I've set the beacons to advertise their IP addresses by editing the beaconengine.config file (NetworkName variable), and setting the agents to CheckServerCertificate and CheckCertificateRevocation = false. HTTPS on the beacons is enabled.
This all works fine.
However, the problem I'm having is that if I run a Remote Inventory rule to collect inventory on devices that cannot have the inventory agent installed, the inventory fails to upload. This is because the two certificate parameters are not passed in the rule, so when ndtrack tries to upload to the beacon using the IP address, it fails the certificate check because the IP address is not in the certificate.
So, how to successfully run a Remote Inventory in this environment?
a) Can parameters be added to the remote inventory action? Is there somewhere in the database or on the beacon where the parameters used to execute the remote inventory are configurable? This would obviously be the best and most versatile solution.
b) Can IP addresses be added to the IIS certificates?
c) Is there another way to skin this?
Dec 02, 2020 09:32 PM
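The failure described in the post above (an upload URL that uses the beacon's IP address while the certificate names only its hostname) can be reproduced with generic TLS server-identity matching. This is an added example, not part of the original thread and not Flexera's code; the certificate contents, hostnames and the address 10.20.30.40 are constructed, and that ndtrack follows the same matching rules is an assumption.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a beacon certificate issued for DNS names only (hypothetical names).
BEACON_CERT = {
    "subjectAltName": (
        ("DNS", "beacon01.prod.example.internal"),
        ("DNS", "*.prod.example.internal"),
    ),
}
# The same certificate reissued with the beacon's IP as an iPAddress SAN entry.
BEACON_CERT_WITH_IP = {
    "subjectAltName": BEACON_CERT["subjectAltName"]
    + (("IP Address", "10.20.30.40"),),
}


def _dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, rest = h.partition(".")
    return bool(head) and rest == p[2:]


def server_identity_matches(cert, target):
    """Return True if target (the host part of the upload URL) is covered by the SANs."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress entries, never DNS ones.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, target) for kind, value in sans)
```

With the DNS-only certificate the hostname matches and the IP literal does not, which is the check that fails when certificate verification is left enabled.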
You can try amending the ndtrack.ini file on the relevant beacon server(s), located at:
C:\Program Files (x86)\Flexera Software\Inventory Beacon\RemoteExecution\Public\Inventory
Specifically, add the following section:
[ManageSoft\Tracker\CurrentVersion]
CheckServerCertificate=False
CheckCertificateRevocation=False
Dec 03, 2020 03:34 AM
Just realised the above will only work for Unix machines... doh!
I'm looking into whether the same is possible for Windows, will follow up here if/when I find anything.
Dec 03, 2020 04:23 AM
I did try setting in that ndtrack.ini file, which didn't work.
I also tried setting those values directly in the registry on the target. Again, it didn't work.
For remote inventory to Windows it appears that the parameters have to be set directly on the command that the remote inventory action uses; however, I can't find the place where those are described.
Dec 03, 2020 05:52 PM
I can't think of any way to override/control the options used by remote inventory gathering. The ndtrack command line used is hard-coded in the remote execution logic. (The .ini file approach noted in earlier comments sounded like a hopeful approach to try, but it looks like that doesn't work.)
If you want to do inventory gathering via the built-in remote execution capability and upload to the beacon via HTTPS then I think you will be constrained to doing it in an environment where the following conditions hold:
Dec 03, 2020 06:51 PM
Chris, yeah that looks to be the constraint.
I guess I'll be entering this into the new 'Ideas' section then!
Dec 09, 2020 06:38 PM