2.1 Understanding Installation, Deployment, and Updates

You can install and update the Windows agent on each local computer, or use the Deployment wizard in the Secure Configuration Manager console to push agent installations and updates to multiple computers concurrently. Each installation can include the following Windows agent components, which provide the ability to audit, report on, and analyze the corresponding endpoints:

Component              Installs support for...
---------------------  -----------------------------------------------------------------------------
Microsoft IIS          Managing Microsoft Internet Information Services (IIS) endpoints
Microsoft SQL Server   Managing Microsoft SQL Server endpoints
Oracle                 Managing an Oracle database running on a Windows system
Windows Agent          Managing Windows, Active Directory, NAS Server, and network device endpoints

For more information about the endpoint versions currently supported by the Windows agent, see the NetIQ Secure Configuration Manager Technical Information page.

You can run the NetIQ Security Agent for Windows service (Windows agent service) under the LocalSystem account or specify a different account. During installation, when you provide the name or IP address of the Secure Configuration Manager Core Services computer, the installation process automatically registers the installed agent with Core Services. You can also specify the ports the agent uses to communicate with Secure Configuration Manager. For more information about the agent service account, see Section 2.7.1, Changing the Agent Service Account Settings. For more information about ports, see Section 2.5.1, Understanding Port Requirements.

When you install or upgrade Secure Configuration Manager, the setup program automatically includes a Windows agent on the Core Services computer.

2.1.1 Installing or Updating an Agent on a Local Computer

The Windows agent installation and update packages include an .msi file from which you can either run a setup wizard or perform a local, silent installation from the command line. The setup wizard walks you through the configuration settings for the Windows agent. The command line option lets you specify the settings for installing on the local computer without user intervention. For more information about installing with the setup program, see Section 3.1, Using the Setup Program to Install. For more information about silent installation, see Section 3.2, Using the Command Line to Install.

NOTE:

  • The local installation process does not include the capability for deploying the agent package to remote computers. You must use the Secure Configuration Manager console for remote deployment.

  • If you want to manage systems in domains other than the domain for the Core Services computer, you must locally install at least one agent in that domain. For more information, see Understanding the Deployment Agent and Deploying to Untrusted or High-Security Domains.

2.1.2 Installing or Updating Agents on Remote Computers

Secure Configuration Manager enables you to install agents on remote computers and to push service packs and hotfixes to existing Windows agents. This deployment process minimizes the time required to install and update agents in your environment. By using Deployment Agents, you can also install and update agents in untrusted domains or highly secure networks.

NOTE: To use the deployment process for updating an existing Windows agent, the agent must be version 5.9 or later.

For more information about using the deployment feature, see Section 4.3, Installing or Updating an Agent on Remote Computers.

Understanding the Deployment Agent

By default, the deployment process uses port 700 and TLS with a Diffie-Hellman key exchange for communication between Core Services and the target computer. In addition, Secure Configuration Manager provides the Deployment Agent function so that agent installations and updates can be carried out through an already-trusted, registered agent rather than directly from Core Services. When you initiate deployment, Core Services passes instructions securely to the Deployment Agent over the designated ports. The Deployment Agent then communicates with the target computer over port 700 using TLS with a Diffie-Hellman key exchange. For more information about ports, see Section 2.5.1, Understanding Port Requirements.

NOTE: If Secure Configuration Manager is in FIPS 140-2 mode, it uses TLS 1.1 for communication with the Windows agent. TLS 1.1 has since been formally deprecated (RFC 8996), so check your organization's cryptographic policy and the product's current release notes before relying on this mode.

Any Windows agent registered with Core Services can be a Deployment Agent. By default, Secure Configuration Manager uses the agent installed on the Core Services computer as the Deployment Agent. However, you can select additional Windows agents to serve as Deployment Agents by enabling the Is Deployment Agent option in the Agent Component Properties window. You must have a Deployment Agent in each domain where you want to install or update agents. You must also specify a fully qualified host name for the Windows endpoint that represents the Deployment Agent; otherwise, Core Services cannot use that agent for deployment.

The Deployment Agent also reduces the need for specifying credentials when installing and updating agents on remote computers. During deployment, you must have appropriate permissions, such as Local or Domain Administrator permissions, to modify the target computer. You can use the credentials of the Windows agent service that serves as the Deployment Agent. If a particular Deployment Agent does not have proper permissions, you can specify a separate set of credentials for accessing the remote computers. For more information about permissions, see Section 2.4.5, Permissions Requirements.

Secure Configuration Manager also uses the Deployment Agent to enable discovery of new systems in Active Directory. For more information about system and endpoint discovery, see the NetIQ Secure Configuration Manager User Guide.
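The following PowerShell script is an added example and is not part of the NetIQ documentation or product. It checks, from the host that acts as Deployment Agent for a domain, the conditions this section and Section 2.1 describe as prerequisites: that each target resolves to a fully qualified host name, that the default deployment port 700 is reachable, and that the current credentials have administrative access to the target; it also reports which account the local Windows agent service runs under (LocalSystem or a specified account). It assumes the service's display name begins with "NetIQ Security Agent for Windows" as the guide names it, and the target names in $Targets are constructed samples.

```powershell
# Added example (not NetIQ's code): deployment preflight and agent service check.
# Assumptions: the agent service display name starts with 'NetIQ Security Agent for
# Windows' (wildcard match); the deployment port is the default 700; $Targets is a
# constructed sample list of endpoint names.

function Test-AgentServiceAccount {
    # Report whether the Windows agent service is installed on a computer and which
    # account it runs as. LocalSystem is the documented default; anything else should be
    # an account you chose deliberately (see Section 2.7.1).
    param([string]$ComputerName = $env:COMPUTERNAME)

    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.DisplayName -like 'NetIQ Security Agent for Windows*' } |
        Select-Object -First 1

    if (-not $svc) {
        return [pscustomobject]@{ Computer = $ComputerName; Installed = $false }
    }
    [pscustomobject]@{
        Computer      = $ComputerName
        Installed     = $true
        State         = $svc.State
        StartMode     = $svc.StartMode
        Account       = $svc.StartName            # 'LocalSystem' or DOMAIN\user
        IsLocalSystem = ($svc.StartName -eq 'LocalSystem')
    }
}

function Test-DeploymentTarget {
    # Run on the Deployment Agent host for the target's domain. Verifies a resolvable
    # fully qualified host name, a reachable deployment port, and administrative access
    # for the credentials the deployment will use (the agent service account, or the
    # separate credentials you supply in the wizard).
    param(
        [Parameter(Mandatory)][string]$Target,
        [int]$Port = 700        # default deployment port, Section 2.5.1
    )

    $fqdn = $null
    try { $fqdn = [System.Net.Dns]::GetHostEntry($Target).HostName } catch { }

    $tcp = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue

    [pscustomobject]@{
        Target     = $Target
        Fqdn       = $fqdn
        HasFqdn    = [bool]($fqdn -and $fqdn.Contains('.'))
        PortOpen   = [bool]$tcp.TcpTestSucceeded
        # Reaching the administrative share is a coarse test that the current
        # credentials hold local administrator rights on the target.
        AdminShare = Test-Path -Path "\\$Target\admin`$"
    }
}

# Constructed sample targets; replace with the endpoints you intend to deploy to.
$Targets = 'srv01.corp.example.com', 'srv02'

$Targets | ForEach-Object { Test-DeploymentTarget -Target $_ } | Format-Table -AutoSize
Test-AgentServiceAccount | Format-List
```

A target that shows HasFqdn = False or PortOpen = False will fail deployment regardless of credentials, so fix DNS or the firewall path on port 700 first; AdminShare = False means the Deployment Agent's service account lacks rights on that host and you should supply separate credentials in the wizard, as described above.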

Deploying to Untrusted or High-Security Domains

If you want to use the deployment process to install or update agents in a high-security network or domain, such as a demilitarized zone, you must locally install and register one agent in that network or domain. Secure Configuration Manager marks that first registered agent as the Deployment Agent for the network or domain. The deployment process then uses the secure connection between the Deployment Agent and Core Services to deploy packages to the target computers in the domain.

2.1.3 Uninstalling Remote Agents

You can use the deployment process to uninstall agents on remote computers. You must have a Deployment Agent in the domain where you want to remove the agents. If the Deployment Agent is the only agent in the domain, you must uninstall that agent manually. For more information about uninstalling agents, see Section 3.4, Uninstalling the Windows Agent.