
Summary

Describes the minimum permission requirements for each component of the Inventory Beacon.

Synopsis

Every enterprise has different security measures and corporate policies. This Knowledge Base Article helps identify the minimum permissions required for each component of your Inventory Beacon to help you apply and plan credentials and permissions accordingly.

Discussion

The Flexera Inventory Beacon has multiple components working together to perform the desired tasks. Each component requires different permission levels, both internal and external. Below are the areas that you need to focus on when designing or changing permissions.

Authentication Group A: Windows Services
The Inventory Beacon has a Windows Service, called FlexNet Beacon Engine, which manages the core functionality of the Beacon.
By default this service is created during installation under the Windows "Local System" account, a built-in local administrator account that has no credentials of its own and is not directly managed by your Active Directory.

This account can be changed to a domain service account if needed, but the minimum permissions required are:
  1. Admin access to the Inventory Beacon Server itself. The account needs full access to its binaries in "Program Files (x86)\Flexera Software\Inventory Beacon", to several folders in "C:\ProgramData\Flexera Software\", and to the Windows Registry to manage Flexera-related registry keys and read Windows proxy settings.
  2. Network access to the Application Server, in case you use a proxy server for internal traffic (for example in DMZ environments), or to the internet in case you are an FNMS Cloud customer or host your Application Server in an external cloud. If you use a network proxy, the proxy settings need to be distributed as a machine policy through Windows Group Policy when using the Local System account, or set by logging into the Inventory Beacon and configuring the proxy through Internet Options when using a service account.
  3. Access to anything you do not want to manage credentials for individually. This account is also used as a fallback, for example when you have not specified credentials for a third-party Inventory Source or an Active Directory import, or when you do not specify credentials in the Beacon's Password Store for remote Discovery and Inventory rules such as VMware Inventory. Exclusions apply, such as remote inventory/adoption targeting non-Windows devices.


Authentication Group B: Beacon Engine's Downloads and Uploads
The Inventory Beacon Engine communicates mainly and directly with the Application Server or its Parent Beacon. In an online environment the Inventory Beacon needs access to the Application Server itself or to a Parent Beacon in order to upload inventories and logs coming from Agents, third-party inventory in the shape of IntermediateData packages, and status updates covering the Beacon's health and Inventory Rule task progress shown under the WebUI's System Tasks. The Inventory Beacon also downloads Beacon and Agent policy packages, upgrade and adoption packages, SAP Landscapes, etc.

These credentials are typed in every time you Download and Import a Beacon Configuration file using the Parent Connection tab in the Inventory Beacon UI, and an encrypted version is saved in the Windows registry. FNMS Cloud customers do not enter these credentials, as they are included in the configuration file that is downloaded. These credentials need access to:
  1. Application Server/Parent Beacon's ManageSoftDL folder. This Virtual Directory on the Application Server's IIS is managed by the "Flexera Package Repository" Application Pool.
  2. Application Server/Parent Beacon's ManageSoftRL folder. This Virtual Directory on the Application Server's IIS is managed by the "Flexera Imports" Application Pool.
  3. Application Server/Parent Beacon's inventory-beacons folder. This Virtual Directory on the Application Server's IIS is managed by the "Flexera Beacon" Application Pool.
  4. Application Server/Parent Beacon's SAPService folder. This Virtual Directory on the Application Server's IIS is managed by the "SAPServiceAppPool" Application Pool.
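The following is an added example, not Flexera's own code, that checks whether a set of parent-connection credentials is accepted by each of the four virtual directories listed above before you enter them in the Beacon UI. The server URL and proxy address are placeholders, and the script assumes Windows PowerShell 5.1 and that an HTTP 401 means the credentials were rejected, while any other HTTP status (403, 404 or 405 included) means the request authenticated and reached the application pool.

```powershell
# Added example (not Flexera's code): probe each virtual directory with the parent-connection
# credentials. Assumptions: placeholder URLs below, Windows PowerShell 5.1, TLS 1.2 on the server.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$parent = 'https://fnms.example.internal'   # placeholder: your Application Server or Parent Beacon
$proxy  = $null                             # e.g. 'http://proxy.example.internal:8080' in a DMZ (placeholder)
$cred   = Get-Credential -Message 'Parent connection account'
$vdirs  = 'ManageSoftDL', 'ManageSoftRL', 'inventory-beacons', 'SAPService'

function Test-VirtualDirectory([string]$Uri, [pscredential]$Credential, [string]$ProxyUri) {
    $params = @{ Uri = $Uri; Credential = $Credential; UseBasicParsing = $true; TimeoutSec = 30 }
    if ($ProxyUri) { $params.Proxy = $ProxyUri; $params.ProxyUseDefaultCredentials = $true }
    try {
        $resp = Invoke-WebRequest @params
        return [pscustomobject]@{ Uri = $Uri; Status = [int]$resp.StatusCode; Result = 'authenticated' }
    } catch [System.Net.WebException] {
        # No Response object means the request never reached IIS: DNS, TLS, proxy or firewall problem
        $msg  = $_.Exception.Message
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
        $result = switch ($code) {
            0       { "unreachable: $msg" }
            401     { 'credentials rejected' }
            default { 'authenticated' }   # 403/404/405 still prove the account was accepted
        }
        return [pscustomobject]@{ Uri = $Uri; Status = $code; Result = $result }
    }
}

$vdirs | ForEach-Object { Test-VirtualDirectory "$parent/$_/" $cred $proxy } | Format-Table -AutoSize
```

A "credentials rejected" row for ManageSoftRL or ManageSoftDL while inventory-beacons authenticates usually points at a permission difference between the application pools named above rather than at the account itself.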


Authentication Group C: Windows Task Scheduler
The "Inventory Beacon" folder under the Windows Task Scheduler is created by default during installation, when the Inventory Beacon installer asks you to either keep the Local System account or specify a Service Account instead. Either option requires:
  1. Admin access to the Inventory Beacon Server itself. The account needs full access to its binaries in "Program Files (x86)\Flexera Software\Inventory Beacon", to several folders in "C:\ProgramData\Flexera Software\Incoming" and "C:\ProgramData\Flexera Software\Beacon\IntermediateData\" to read and delete uploaded files, and to the Windows Registry to read Flexera-related registry keys and Windows proxy settings.
  2. Network access to the Application Server, in case you use a proxy server for internal traffic (for example in DMZ environments), or to the internet in case you are an FNMS Cloud customer or host your Application Server in an external cloud. If you are using a network proxy, the proxy settings need to be distributed as a machine policy through Windows Group Policy when using the Local System account, or set by logging into the Inventory Beacon and configuring the proxy through Internet Options when using a service account.
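Authentication Groups A and C share the same folder and proxy prerequisites, so the following added example (not Flexera's own code) audits both at once: it reads the identity behind the FlexNet Beacon Engine service and behind every task in the "Inventory Beacon" scheduler folder, checks that each identity has full control on the folders listed above, and confirms that proxy settings are distributed per-machine when Local System is in use. It assumes Windows PowerShell 5.1, an elevated prompt on the Beacon server, the default installation paths from this article, and the `ProxySettingsPerUser` Group Policy value as the indicator of a per-machine proxy policy.

```powershell
# Added example (not Flexera's code): audit service and scheduled-task identities for
# Authentication Groups A and C. Assumptions: Windows PowerShell 5.1, elevated prompt,
# default install paths, display name "FlexNet Beacon Engine", task folder "\Inventory Beacon\".

$folders = @(
    "${env:ProgramFiles(x86)}\Flexera Software\Inventory Beacon",
    "$env:ProgramData\Flexera Software\Incoming",
    "$env:ProgramData\Flexera Software\Beacon\IntermediateData"
)

# Map the different spellings of the built-in system account to one canonical name
function Resolve-Identity([string]$Name) {
    switch -Regex ($Name) {
        '^(LocalSystem|SYSTEM|NT AUTHORITY\\SYSTEM|S-1-5-18)$' { 'NT AUTHORITY\SYSTEM' }
        default                                               { $Name }
    }
}

# Does $Identity hold FullControl on $Path, directly or through BUILTIN\Administrators?
function Test-FullControl([string]$Path, [string]$Identity) {
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $isAdmin = ($Identity -eq 'NT AUTHORITY\SYSTEM') -or
        ((Get-LocalGroupMember -Group Administrators -ErrorAction SilentlyContinue).Name -contains $Identity)
    $grant = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full) -and
        ($_.IdentityReference.Value -eq $Identity -or
         ($isAdmin -and $_.IdentityReference.Value -eq 'BUILTIN\Administrators'))
    }
    if ($grant) { 'FULL CONTROL' } else { 'NO FULL CONTROL' }
}

$identities = @{}

# Group A: the service identity (StartName is "LocalSystem" for the default account)
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='FlexNet Beacon Engine'"
if ($svc) { $identities['Service ' + $svc.Name] = Resolve-Identity $svc.StartName }

# Group C: every task under the "Inventory Beacon" scheduler folder
foreach ($task in Get-ScheduledTask -TaskPath '\Inventory Beacon\' -ErrorAction SilentlyContinue) {
    $identities['Task ' + $task.TaskName] = Resolve-Identity $task.Principal.UserId
}

foreach ($entry in $identities.GetEnumerator()) {
    Write-Host "$($entry.Key) runs as $($entry.Value)"
    foreach ($f in $folders) {
        Write-Host ('    {0,-16} {1}' -f (Test-FullControl $f $entry.Value), $f)
    }
}

# Local System cannot see a user's Internet Options, so the proxy must come from a machine policy.
# ProxySettingsPerUser = 0 is the Group Policy setting "Make proxy settings per-machine".
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$policy     = Get-ItemProperty $policyKey -ErrorAction SilentlyContinue
$perMachine = $policy -and ($policy.ProxySettingsPerUser -eq 0)
$machineProxy = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings' `
                 -ErrorAction SilentlyContinue).ProxyServer
if ($identities.Values -contains 'NT AUTHORITY\SYSTEM') {
    if ($perMachine) { Write-Host "Proxy policy is per-machine; ProxyServer = '$machineProxy'" }
    else { Write-Warning 'Local System is in use but proxy settings are not distributed per-machine by Group Policy' }
}
```

Group membership is resolved through the local Administrators group, so a domain service account shows up as "DOMAIN\user" exactly as the service or task stores it; a "NO FULL CONTROL" line on one of the folders is the usual cause of the upload and package-retrieval errors described under Additional Information.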


Authentication Group D: Microsoft Internet Information Services (IIS)
This type of credential is only required when you use IIS Web Service instead of the Beacon's integrated Local Web Service. When using IIS, it is recommended that the ManageSoftRL and ManageSoftDL virtual directories have Anonymous Authentication enabled, which allows any device in your domains to upload and download its required Flexera-related files.
This set of credentials is entered in the Application Pools and requires, as a minimum:
  1. Admin access on the Inventory Beacon Server itself. The account needs full access to its binaries in "Program Files (x86)\Flexera Software\Inventory Beacon" and to several folders in "C:\ProgramData\Flexera Software\" to read and write files.
  2. A domain user in Active Directory. The user needs to be in a domain that trusts every machine that will upload to or download from this Beacon, or at minimum a one-way Domain Trust towards the domains these machines are coming from.
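The following is an added example, not Flexera's own code, for a Beacon that serves ManageSoftRL and ManageSoftDL through IIS: it reports whether Anonymous Authentication is enabled on each of the two virtual directories and which identity the owning application pool runs as, then warns when either recommendation above is not met. It assumes the WebAdministration module, an elevated prompt, and that the virtual directories sit under "Default Web Site" (the site name is an assumption; change `$site` to match your server).

```powershell
# Added example (not Flexera's code): check IIS authentication and pool identity for the
# ManageSoftRL and ManageSoftDL virtual directories. Assumptions: WebAdministration module,
# elevated prompt, site name "Default Web Site".
Import-Module WebAdministration

$site = 'Default Web Site'   # assumed site name

function Get-BeaconVdirAuth([string]$SiteName, [string]$Vdir) {
    $psPath = "IIS:\Sites\$SiteName\$Vdir"
    if (-not (Test-Path $psPath)) { return [pscustomobject]@{ Vdir = $Vdir; Found = $false } }

    $authBase = 'system.webServer/security/authentication'
    $anon = (Get-WebConfigurationProperty -PSPath $psPath -Filter "$authBase/anonymousAuthentication" -Name enabled).Value
    $win  = (Get-WebConfigurationProperty -PSPath $psPath -Filter "$authBase/windowsAuthentication"   -Name enabled).Value

    # A plain virtual directory (no application of its own) inherits the pool of the site root
    $poolName = (Get-Item $psPath).applicationPool
    if (-not $poolName) { $poolName = (Get-Item "IIS:\Sites\$SiteName").applicationPool }
    $model = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel
    $identityType = "$($model.identityType)"          # e.g. ApplicationPoolIdentity, NetworkService, SpecificUser
    $userName = if ($identityType -eq 'SpecificUser') { $model.userName } else { '' }

    [pscustomobject]@{
        Vdir         = $Vdir
        Found        = $true
        Anonymous    = $anon
        WindowsAuth  = $win
        AppPool      = $poolName
        IdentityType = $identityType
        UserName     = $userName
    }
}

$results = 'ManageSoftRL', 'ManageSoftDL' | ForEach-Object { Get-BeaconVdirAuth $site $_ }
$results | Format-Table -AutoSize

foreach ($r in ($results | Where-Object Found)) {
    if (-not $r.Anonymous) {
        Write-Warning "$($r.Vdir): Anonymous Authentication is off; agents and child beacons will be challenged"
    }
    # The article calls for a domain user in the pool; a built-in identity cannot satisfy the trust requirement
    if ($r.IdentityType -ne 'SpecificUser' -or $r.UserName -notmatch '\\') {
        Write-Warning "$($r.Vdir): pool '$($r.AppPool)' runs as '$($r.IdentityType) $($r.UserName)', not a domain account"
    }
}
```

With Anonymous Authentication on, the pool identity is what actually touches the ProgramData folders, which is why it is the account that needs the local admin access from item 1 rather than the uploading devices.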


Authentication Group E: Third-party Inventory Sources
When you create a new Inventory Source to read data from third-party data sources under Inventory Systems, you can choose one of the following to log in to the target data source: "Windows Authentication" (using the FlexNet Beacon Engine's login), "Windows (specific account)" (using a Windows login of your choice), or "SQL Authentication" (using a local SQL login on the target data source).
This credential only needs access to the data source itself, so you can use separate accounts for each data source if desired.


Authentication Group F: Beacon Password Store
Under the Password Management tab of the Beacon UI, you can enter a password for each remote Discovery & Inventory Rule this Beacon needs to run. Remember that this Password Store belongs to this Beacon only, so if a Rule is run on multiple Beacons (based on the IP subnet assigned to each Beacon), you need to enter these credentials on each Beacon that might have targets for that Rule.

Examples of the access types in the Password Store are listed below. You can hold several credentials of each type, which are all tried during execution, or filter them so that each credential is tried only against a subset of targets:
  1. Windows domain account: requires an admin account on Windows targets to perform a remote inventory or to adopt/install a Flexera Agent.
  2. SSH account (key pair or password): requires root access on non-Windows targets to perform a remote inventory or to adopt/install a Flexera Agent.
  3. VMware ESX Server: requires read-only access to the SDK of the target commercial ESX hosts directly.
  4. VMware Virtual Center Server: requires read-only access with propagate on the SDK of the target vCenter, to inventory all of its ESX hosts.
  5. Account on Oracle Database: requires read-only access on an Oracle Database instance to perform remote introspection.

Workaround

In complex proxy environments it is best practice to cover most of the above with a single Service Account. However, you need to review the Service Account on the FlexNet Beacon Engine service after each Beacon version upgrade.

You can use different user credentials in each authentication group based on your corporate security policies. For example, the Windows Task Scheduler tasks can use the Local System account to access their local files and open a network connection, while the credentials for the Application Server's upload directory (ManageSoftRL) are then used to log in and upload the files.

Related KB Articles

How to setup https (SSL/TLS) to secure and encrypt internal FNMS communication between Agents, Beacons and the Application Server

Additional Information

You can troubleshoot the above access issues by searching for ERROR in the following logs:

Authentication Group A: Windows Services
Issues with this credential can normally be found in the Beacon Engine's log file: "C:\ProgramData\Flexera Software\Compliance\Logging\BeaconEngine\BeaconEngine.log"

Authentication Group B: Beacon Engine's Downloads and Uploads
  • Downloading and Importing the Beacon Configuration file allows you to re-populate these credentials.
  • Issues with these credentials can be found in "BeaconEngine.log" for downloads of policies; downloads of packages are logged in "%WINDIR%\Temp\ManageSoft\packageretriever.log" when the FlexNet Beacon Engine Service uses the Windows Local System account, or in "%TEMP%\ManageSoft\packageretriever.log" when it uses a service account.
  • Upload errors for Flexera-related file uploads can be found in "%WINDIR%\Temp\ManageSoft\uploader.log" when the Windows Scheduled Task below uses the Windows Local System account, or in "%TEMP%\ManageSoft\uploader.log" when it uses a service account.
  • Upload errors for third-party inventory IntermediateData package uploads are found in "C:\ProgramData\Flexera Software\Compliance\Logging\ComplianceUpload\Upload.log"

Authentication Group C: Windows Task Scheduler
These tasks use the same logs as Authentication Group B

Authentication Group D: Microsoft Internet Information Services (IIS)

Issues with Agents or Child Beacons uploading to this Application Server can be found in "%SystemDrive%\inetpub\logs\LogFiles" by default.

Authentication Group E: Third-party Inventory Sources
Issues with a third-party inventory source can be found in the associated importer.log from the following default directory "C:\ProgramData\Flexera Software\Compliance\Logging\ComplianceReader\"

Authentication Group F: Beacon Password Store
Issues related to a Discovery and Inventory rule are visible in the WebUI under System Tasks, but you can also check the logs directly on the Inventory Beacon by locating the folder with the most recent last-modified timestamp under "C:\ProgramData\Flexera Software\Compliance\Logging\InventoryRule\".
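To apply the troubleshooting steps in this section in one pass, the following added example (not Flexera's own code) searches every log named above for ERROR lines and prints the newest hits per file. It assumes the default paths from this article, that the service and the scheduled tasks run as Local System (so `%WINDIR%\Temp` is used; point `$serviceTemp` at the service account's `%TEMP%` otherwise), Windows PowerShell 5.1, and the default IIS W3C field order, since IIS logs carry HTTP status codes rather than the word ERROR.

```powershell
# Added example (not Flexera's code): scan the beacon logs listed in this section for ERROR lines.
# Assumptions: default paths, Local System for service and tasks, Windows PowerShell 5.1.
$serviceTemp = "$env:WINDIR\Temp"   # use the service account's %TEMP% when a service account is configured
$logRoot     = "$env:ProgramData\Flexera Software\Compliance\Logging"

$logs = @(
    "$logRoot\BeaconEngine\BeaconEngine.log",                 # Groups A and B (policy downloads)
    "$serviceTemp\ManageSoft\packageretriever.log",           # Group B (package downloads)
    "$serviceTemp\ManageSoft\uploader.log",                   # Groups B and C (file uploads)
    "$logRoot\ComplianceUpload\Upload.log"                    # Group B (IntermediateData uploads)
)

# Group E: one importer.log per third-party source
$logs += Get-ChildItem "$logRoot\ComplianceReader" -Filter *.log -Recurse -ErrorAction SilentlyContinue |
         ForEach-Object FullName

# Group F: the most recently modified rule folder, as the article describes
$latestRule = Get-ChildItem "$logRoot\InventoryRule" -Directory -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latestRule) {
    $logs += Get-ChildItem $latestRule.FullName -Filter *.log -Recurse | ForEach-Object FullName
}

function Get-RecentErrors([string]$Path, [int]$Last = 5) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    Select-String -LiteralPath $Path -Pattern '\bERROR\b' -CaseSensitive | Select-Object -Last $Last
}

foreach ($log in $logs) {
    if (-not (Test-Path -LiteralPath $log)) { Write-Host "[missing]  $log"; continue }
    $hits = @(Get-RecentErrors $log)
    Write-Host "[$($hits.Count) error(s)] $log"
    $hits | ForEach-Object { Write-Host "    line $($_.LineNumber): $($_.Line.Trim())" }
}

# Group D: W3C logs have no ERROR keyword; with the default field order the line ends in
# "sc-status sc-substatus sc-win32-status time-taken", so 401/403 responses are the ones to read.
$iisLog = Get-ChildItem "$env:SystemDrive\inetpub\logs\LogFiles" -Filter *.log -Recurse -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($iisLog) {
    Select-String -LiteralPath $iisLog.FullName -Pattern ' (401|403) \d+ \d+ \d+$' | Select-Object -Last 5 |
        ForEach-Object { Write-Host "IIS $($iisLog.Name): $($_.Line)" }
}
```

Reading the hits per log in the same order as the authentication groups above tells you which credential failed: a 401 in the IIS log with clean uploader.log entries on the child means the pool identity or trust (Group D) is the problem, while errors in uploader.log with nothing in IIS point at the parent-connection credentials (Group B) or the task identity (Group C).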
Last update: Jul 03, 2018 04:56 AM