13.1 AgentConfigMSRestrictions

Use this Knowledge Script to check for and configure agent restrictions for communicating with management servers. By default, this script raises an event if an agent is configured to allow communication with anonymous management servers.

You should restrict the management servers from which an AppManager agent will accept job requests to ensure that only authorized management servers communicate with the agent.

An anonymous management server is a management server with which the agent has not explicitly authorized communication.

The list of management servers with which the agent communicates is stored in the following registry key:

\HKEY_LOCAL_MACHINE\SOFTWARE\NetIQ\4.0\NetIQMC\Security\AllowMS

If the value of this key is * (asterisk), the agent allows anonymous communication.

13.1.1 Resource Objects

Windows 2003 Server or later

13.1.2 Default Schedule

The default interval for this script is Run once.

13.1.3 About Authorizing Management Servers

When you upgrade the agent to AppManager 7.x, the upgrade process allows you to automatically restrict the authorized servers to the designated primary and secondary, or keep the current configuration until you change the agent’s designated primary and secondary management server using the SetPrimaryMS script. If you do not change the management server designation during the upgrade, you can use this script after you upgrade to restrict the authorized management servers.

AppManager 7.0 (or later) agents by default are configured to authorize communication with their designated primary and secondary management servers. If you did not designate the primary and secondary management server during installation, you can use this script after installation to restrict the authorized management servers.

13.1.4 Authorizing Management Servers in a Single-Site Configuration

If you are managing a client computer from a single AppManager site (repository), you should restrict the authorized management servers to the agent’s designated primary and secondary management server.

13.1.5 Authorizing Management Servers in a Multiple-Site Configuration

Within a site, after you designate an agent’s primary and secondary management server, the agent receives job information and sends events and data only to its designated primary or secondary management server. However, if you have more than one AppManager site, you may want to allow the agent to accept job requests from another site. To do so, you can use this script to authorize the management servers from each site.

When allowing the agent to accept communication from additional management servers, make sure you choose the Append option to add the management servers to the authorized list (instead of replacing the existing list of authorized management servers). This will allow you to run the SetPrimaryMS script on the agent from the other site and properly configure the agent to accept communication from management servers in both sites.

13.1.6 Reading the Current Configuration

If you are unsure of the agent settings, view the current configuration by choosing Read configuration from the Select operation parameter and selecting an option to raise an event:

  • If an insecure configuration is detected -- The event message indicates the agent’s configuration allows anonymous management server communication. If you choose this option, you can also set the event severity level, from 1 to 40, to indicate the importance of the event. The default is 10.

  • To report current configuration -- The event message indicates the agent configuration. If you choose this option, you can also set the event severity level, from 1 to 40, to indicate the importance of the event. The default is 25.

When reading the current configuration, by default this script raises an event of severity level 10 if an insecure configuration is detected.

This script always raises an event if the job fails.

This script raises an event for each agent to report the agent’s configuration. To view the results, click the Message tab.

The event message contains the following sections:

  • Current configuration -- Indicates whether the agent allows anonymous communication (that is, communication with management servers with which the agent has not explicitly authorized communication).

    Result -- What It Means

    Never allow anonymous MS -- The agent is configured to restrict anonymous management server communication. You must run this script to allow anonymous management server communication. This result only applies to version 7.0 (or later) agents.

    Do not allow anonymous MS at this time -- The agent is configured to restrict anonymous communication.

    Allow anonymous MS until Primary/Secondary MS is set -- The agent is configured to allow anonymous communication until you designate a primary management server. If the agent has not been configured with a designated primary server, select this option to secure management server communication after the primary management server is designated.

    Allow anonymous MS at this time -- The agent is configured to remove restrictions on anonymous management server communication. This setting is not recommended.

  • Specified management servers currently allowed to communicate with this agent -- Lists the management servers that are authorized to communicate with the agent.

    If this section lists the value as [Blank], the agent does not have an authorized list of management servers with which to communicate. In this case, the agent can still communicate with its designated primary and secondary management server. We recommend that you authorize the agent to communicate with its primary and secondary management server.

13.1.7 Changing the Current Configuration

To change the current configuration, choose Write configuration from the Select operation parameter and specify the following parameters. By default, this script reads the configuration.

This script always raises an event if the job fails.

Set or change the following parameters as needed:

Parameter -- How to Set It

Select operations...

Read Options

Raise Event -- Set this script to raise an event:

  • if an insecure configuration is detected. When enabled, this option also lets you set the event severity level, from 1 to 40, to indicate the importance of the event. The default is 10 (red event indicator). By default, this option is enabled.

  • to report current configuration. When enabled, lets you also set the event severity level, from 1 to 40, to indicate the importance of the event. The default is 20 (yellow event indicator). By default, this option is enabled.

Write Options

Restrict management server communication -- Select an option to restrict management server communication:

  • Never allow anonymous MS -- For AppManager 7.0 (or later) agents, this option restricts anonymous management server communication.

    HINT: To configure an agent to allow anonymous communication, run this script and select the Allow anonymous MS at this time option. If you choose this option, make sure the agent is configured to authorize communication with at least one management server. This is the default.

  • Do not allow anonymous MS at this time -- This option restricts anonymous communication for all versions of the agent.

  • Allow anonymous MS until Primary/Secondary MS is set -- This option restricts anonymous management server communication after the primary management server is designated. If the agent has not been configured with a designated primary server, select this option to allow anonymous communication until you designate a primary management server.

  • Allow anonymous MS at this time -- This option removes restrictions on anonymous management server communication. This setting is not recommended.

List of authorized management servers -- Specify the management servers you want to authorize:

  • Management servers to include -- Specify a comma-separated list of the management servers with which you want the agent to communicate.

  • Append or replace current list? -- Select one of the following options: Append, to add your specified management servers to the list of authorized management servers (this is the default), or Replace, to remove the existing list of authorized management servers and replace it with your specified management servers.

  • Management servers to remove -- Specify a comma-separated list of the management servers with which you do not want the agent to communicate.

Event notification -- Set this script to raise an event and specify the severity if:

  • Configuration succeeds -- Select Yes to raise an event if the configuration succeeds. When enabled, lets you also set the event severity level, from 1 to 40, to indicate the importance of the event. The default is 20 (yellow event indicator). By default, this option is enabled.

  • Configuration failed -- Select Yes to raise an event if the configuration fails. When enabled, lets you also set the event severity level, from 1 to 40, to indicate the importance of the event. The default is 10 (red event indicator). By default, this option is enabled.

13.1.8 Avoiding Orphaned Agents

If you use this script to remove or replace the list of authorized management servers and the agent is configured to never allow anonymous management server communication, make sure you authorize at least one valid management server. If the agent is configured to never allow anonymous management server communication and the agent is not configured to authorize a management server, the agent cannot be managed by AppManager.

To resolve this problem, manually edit the registry on the managed client computer to specify an authorized management server list in \HKEY_LOCAL_MACHINE\SOFTWARE\NetIQ\4.0\NetIQMC\Security\AllowMS.
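An added administrator-side example (not part of the NetIQ documentation or the AgentConfigMSRestrictions script itself) that reads the AllowMS value described in sections 13.1 and 13.1.6, classifies it in the same terms as the script's event message, and appends management servers the way section 13.1.5 recommends while refusing to write the empty list that section 13.1.8 warns orphans the agent. It assumes AllowMS is a REG_SZ holding a comma-separated list of management server names, which the page does not state, and must run with administrative rights on the managed client:

```powershell
# Added example, not part of the NetIQ AppManager documentation or the
# AgentConfigMSRestrictions script. Assumptions (not stated on the page):
# AllowMS is a REG_SZ holding a comma-separated list of management server
# names, "*" means anonymous MS allowed, and an empty string is [Blank].
$AllowMSKey = 'HKLM:\SOFTWARE\NetIQ\4.0\NetIQMC\Security'

function Get-AllowMSState {
    param($Raw)   # pass a raw value to classify it; omit to read the registry
    if ($null -eq $Raw) {
        $Raw = (Get-ItemProperty -Path $AllowMSKey -Name AllowMS -ErrorAction SilentlyContinue).AllowMS
    }
    $value = "$Raw".Trim()
    if ($value -eq '*') { return [pscustomobject]@{ State = 'Insecure'; Servers = @() } }
    if ($value -eq '')  { return [pscustomobject]@{ State = 'Blank';    Servers = @() } }
    $servers = $value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    return [pscustomobject]@{ State = 'Restricted'; Servers = @($servers) }
}

function Add-AllowMS {
    # Append semantics (section 13.1.5): keep the existing list so SetPrimaryMS
    # run from another site still finds its management servers authorized.
    param([Parameter(Mandatory)][string[]]$Servers, [switch]$DryRun)
    $current = Get-AllowMSState
    if ($current.State -eq 'Insecure') {
        Write-Warning 'AllowMS was "*"; the named list will replace it and restrict the agent.'
    }
    $merged = @($current.Servers + $Servers |
        ForEach-Object { $_.Trim() } | Where-Object { $_ } | Select-Object -Unique)
    if ($merged.Count -eq 0) {
        # Section 13.1.8: an empty list on a "never allow anonymous" agent orphans it.
        throw 'Refusing to write an empty AllowMS list: the agent would become orphaned.'
    }
    $newValue = $merged -join ','
    if ($DryRun) { Write-Output "AllowMS would become: $newValue" }
    else { Set-ItemProperty -Path $AllowMSKey -Name AllowMS -Value $newValue -Type String }
    return $merged
}

# Audit the current agent in the same terms as the script's event message.
$state = Get-AllowMSState
switch ($state.State) {
    'Insecure'   { Write-Warning 'AllowMS is "*": anonymous management server communication is allowed.' }
    'Blank'      { Write-Warning 'AllowMS is [Blank]: authorize the primary and secondary management server.' }
    'Restricted' { Write-Output ('Authorized management servers: ' + ($state.Servers -join ', ')) }
}
```

Run `Add-AllowMS -Servers 'MS1','MS2' -DryRun` first to see the merged list before anything is written.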