2.4 Requirements for the Windows Agent

This section addresses requirements for the Windows agent, including those for the agent computer, the managed environment, and deployment to remote computers.

2.4.1 Windows Agent Computer Requirements

The following table lists the system requirements for a Windows agent computer (Category, then Requirement).

Processor, Disk Space, Memory, Operating System
  See the NetIQ Secure Configuration Manager Technical Information web page.

Operating System Hotfixes
  NetIQ Corporation highly recommends the Microsoft hotfixes described in the following Microsoft Knowledge Base articles for computers on which you plan to install Windows agents, whether remotely or manually:

    • Microsoft Knowledge Base Article 2649868 (applies to Windows 7 and Windows Server 2008 R2)

Software
  All of the following products:

    • Microsoft Group Policy Management Console on all endpoint computers that you want to audit for Group Policy Object settings

    • IIS Management Scripts and Tools component on the endpoint computers running Internet Information Services (IIS) version 7 or 7.5 that you want to monitor

To ensure a successful installation, the TEMP environment variable must point to a Windows temporary folder that actually exists. If you deleted the folder that the variable references, re-create it at the same path rather than changing the variable. For more information about environment variables, see your Microsoft Windows documentation.

To create a new temporary folder:

  1. Find the Windows environment variable for the temporary folder and make note of the Variable value, such as %USERPROFILE%\Local Settings\Temp.

    In most Windows operating systems, you can find the variable in System Properties > Advanced.

  2. Create a new Windows temporary folder, using the directory path and folder you noted from the environment variable’s Variable value field.

2.4.2 Considerations for Managing the Windows Agent Environment

When planning the systems you want the Windows agent to manage and where you want to install a Windows agent, consider the following:

  • Only one agent can be installed on each physical or virtual computer.

  • At least one agent must be installed on each side of a WAN link. The agent must reside at the remote end of the link so that requests between the agent service and the managed computers travel over the local area network rather than across the WAN.

  • At least one agent must be installed per domain. The agent can manage computers in the same domain by proxy. For more information, see Section 2.6, Understanding Management by Proxy.

    NOTE: For optimal performance, install at least one agent per 50 managed computers in a domain. Performance might vary depending on processor speeds, memory, locations, and network bandwidth. The size of reports and how frequently you run them also affects performance.

  • Administrative permissions must be set. Configure the Windows agent service to run with full administrative access to the local computer and domain. For more information, see Section 2.4.5, Permissions Requirements.

  • To successfully run security checks for Windows patch assessments, ensure that the following programs are running on the endpoint computers that you want to assess:

    • Windows Update or Automatic Updates service, depending on the operating system

    • Windows Update Agent 7.4 or later

    Secure Configuration Manager does not require specific settings for these Windows services.

  • (Conditional) When installing the agent on a local computer, the Workstation service must be running.

  • (Conditional) If you want Secure Configuration Manager to receive and display IPv6 addresses from managed endpoints, the agent computer must be running Windows Server 2003 or a later operating system. Also, the Windows agent must be set up as a dual-stack host to support both IPv4 and IPv6 addresses. The agent uses IPv4 addresses when communicating with Core Services. For more information about agent operating systems, see Section 2.4.1, Windows Agent Computer Requirements.

  • (Conditional) If an endpoint uses only an IPv6 address, that endpoint must be managed by Windows proxy. For more information, see Section 2.6.2, Proxy Requirements.

  • (Conditional) To use the Effective Policy object to audit Group Policy Object (GPO) settings, ensure that your environment meets the following requirements:

    • The Windows agent computer should run the same operating system as the endpoint computer that the agent monitors. Using computers that run the same operating systems ensures a consistent name and path convention for the reported GPOs. The names and paths for GPOs vary by Microsoft operating system. For example, if you used a computer running Windows Server 2008 to edit and distribute GPOs to a domain controller, you should query all endpoints in that domain from an agent running on a Windows Server 2008 computer. Otherwise, the names of or paths to reported GPOs on an endpoint computer might not match the names and paths for the same GPOs on the agent computer. For more information, see Match Endpoints to Agents.

    • The Windows agent computer should run the same operating system as the computer from which you deployed the GPOs to ensure a consistent name and path convention for the reported GPOs.

    • The Windows agent service account must have Administrative permissions on the endpoint to collect GPO settings information. That is, the service account cannot run as the Local System account on queried endpoints: Local System authenticates to other computers as the agent computer's machine account, which does not hold administrative rights on the endpoint.
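The TEMP folder procedure in Section 2.4.1 and the service, Windows Update Agent, and dual-stack items in Section 2.4.2 can be verified in one pass before you run the installer. The script below is an added example written for this page, not NetIQ code; it reads the version threshold (7.4) from the guide and checks everything else locally. It uses the Windows Update Agent's own COM interface (Microsoft.Update.AgentInfo) and treats only non-link-local IPv6 addresses as evidence of a dual-stack host, which is an assumption about what "dual-stack" should mean for reaching IPv6-only endpoints.

```powershell
# Added example (not NetIQ code): preflight for a Windows agent computer.
# Covers the TEMP folder (2.4.1) and the Workstation service, Windows Update /
# Automatic Updates service, WUA 7.4+ and dual-stack items (2.4.2).

function Test-TempFolder {
    # The installer needs TEMP to name a folder that exists. Re-create the folder
    # at the path the variable already references instead of changing the variable.
    $raw = [Environment]::GetEnvironmentVariable('TEMP', 'User')
    if (-not $raw) { $raw = [Environment]::GetEnvironmentVariable('TEMP', 'Machine') }
    if (-not $raw) {
        return [pscustomobject]@{ Check = 'TEMP variable set'; Result = $false; Detail = 'TEMP is not defined' }
    }
    $path = [Environment]::ExpandEnvironmentVariables($raw)   # e.g. %USERPROFILE%\... -> real path
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        New-Item -ItemType Directory -Path $path -Force | Out-Null
    }
    [pscustomobject]@{ Check  = 'TEMP folder exists'
                       Result = (Test-Path -LiteralPath $path -PathType Container)
                       Detail = $path }
}

function Test-RequiredService {
    param([string]$Name, [string]$Purpose)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check  = $Purpose
                       Result = [bool]($svc -and $svc.Status -eq 'Running')
                       Detail = $(if ($svc) { "$Name is $($svc.Status)" } else { "$Name not installed" }) }
}

function Test-WindowsUpdateAgentVersion {
    param([version]$Minimum = '7.4')
    # IWindowsUpdateAgentInfo.GetInfo('ProductVersionString') returns the WUA version.
    try {
        $ver = [version](New-Object -ComObject Microsoft.Update.AgentInfo).GetInfo('ProductVersionString')
        [pscustomobject]@{ Check = "Windows Update Agent >= $Minimum"; Result = ($ver -ge $Minimum); Detail = "installed $ver" }
    } catch {
        [pscustomobject]@{ Check = "Windows Update Agent >= $Minimum"; Result = $false; Detail = 'WUA COM object unavailable' }
    }
}

function Test-DualStack {
    # Only needed when Core Services should receive IPv6 endpoint addresses.
    # Assumption: link-local (fe80::) addresses exist on every host and are ignored.
    $cfg   = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE'
    $addrs = @($cfg | ForEach-Object { $_.IPAddress })
    $v4 = @($addrs | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }).Count
    $v6 = @($addrs | Where-Object { $_ -like '*:*' -and $_ -notlike 'fe80:*' }).Count
    [pscustomobject]@{ Check  = 'dual-stack host (IPv4 + non-link-local IPv6)'
                       Result = ($v4 -gt 0 -and $v6 -gt 0)
                       Detail = "$v4 IPv4, $v6 IPv6" }
}

$checks = @(
    Test-TempFolder
    Test-RequiredService -Name 'LanmanWorkstation' -Purpose 'Workstation service running (local install)'
    Test-RequiredService -Name 'wuauserv'          -Purpose 'Windows Update / Automatic Updates service running'
    Test-WindowsUpdateAgentVersion
    Test-DualStack
)
$checks | Format-Table Check, Result, Detail -AutoSize
if ($checks | Where-Object { -not $_.Result }) { Write-Warning 'One or more agent prerequisites are not met.' }
```

Run it in the same user context that will run the installer so the TEMP value it inspects is the one the installer sees. The dual-stack row is informational unless you need IPv6 endpoint addresses reported, and wuauserv is the service name for both Windows Update and the older Automatic Updates service.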

2.4.3 Windows Agent Caching Requirements

The Windows agent uses caching features to enhance performance. The following types of data are persisted in the agent:

  • Users - Local, Domain, and Active Directory users

  • Groups - Global groups and Active Directory groups

  • OUs - Active Directory only

  • Password Hashes - Local, Domain, and Active Directory user password hashes. Because these hashes are persisted on the agent computer's disk, restrict access to the agent computer and its cache to administrators and the agent service account.

It is important that you plan for the disk space needed to store this information in the agent. Use the following guide to calculate how much space is needed:

  • Users - 1 KB per user

  • Groups - 1 KB per group

  • OUs - 1 KB per OU

  • Password Hashes - 1 KB per 4 users

Other factors that affect caching storage space include numbers of events and the types of reports you are running. Additionally, if you manage endpoints by proxy, the number of managed endpoints affects the amount of disk space used.

In addition to the space reserved for caching information, the agent also uses the cache for temporary storage while processing reports and actions. The first time you run reports, the agent may require more time to collect data for the reports. In addition, it may take a few minutes for recently completed actions to be reflected in subsequent reports. The agent automatically cleans up this disk usage during normal processing. Allocate 20 MB of working space for the agent to use for normal processing.
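To turn the per-object sizes above into a disk figure for a real domain, the object counts have to come from somewhere. The script below is an added example for this page, not NetIQ code: it counts users, groups, and OUs with a paged LDAP search against the agent computer's own domain (via [adsisearcher]), adds the local accounts, and applies the 1 KB and 1-KB-per-4-users rates plus the 20 MB working space from Section 2.4.3. The LDAP filters are standard but are assumptions about what the agent itself counts; the estimate is a planning figure, not a measurement of the agent's cache.

```powershell
# Added example (not NetIQ code): estimate Windows agent cache disk usage from
# the Section 2.4.3 sizing guide. Object counts are gathered from the current
# domain and the local computer; adjust the filters for your environment.

function Get-AdObjectCount {
    param([string]$LdapFilter)
    $searcher = [adsisearcher]$LdapFilter
    $searcher.PageSize = 1000                      # page so large domains are counted fully
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $results = $searcher.FindAll()
    try { $results.Count } finally { $results.Dispose() }
}

function Get-LocalUserCount {
    # Local users on this agent computer. If endpoints are managed by proxy, their
    # local users are cached too and should be added to the total.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    @($computer.psbase.Children | Where-Object { $_.psbase.SchemaClassName -eq 'User' }).Count
}

function Get-AgentCacheEstimate {
    param([long]$Users, [long]$Groups, [long]$OUs, [int]$WorkingSpaceMB = 20)
    $kb     = 1024
    $hashes = [math]::Ceiling($Users / 4)          # 1 KB per 4 users for password hashes
    $cacheBytes = ($Users + $Groups + $OUs + $hashes) * $kb
    [pscustomobject]@{
        Users     = $Users
        Groups    = $Groups
        OUs       = $OUs
        CacheMB   = [math]::Round($cacheBytes / 1MB, 2)
        WorkingMB = $WorkingSpaceMB
        TotalMB   = [math]::Round($cacheBytes / 1MB + $WorkingSpaceMB, 2)
    }
}

# Assumed filters: person/user objects, all groups, all organizational units.
$users  = (Get-AdObjectCount '(&(objectCategory=person)(objectClass=user))') + (Get-LocalUserCount)
$groups = Get-AdObjectCount '(objectCategory=group)'
$ous    = Get-AdObjectCount '(objectCategory=organizationalUnit)'

Get-AgentCacheEstimate -Users $users -Groups $groups -OUs $ous | Format-List
```

Run it from a domain-joined computer as a domain user; the read-only LDAP search needs no special rights. For an agent that manages endpoints by proxy, add the local user counts of the proxied endpoints before calling Get-AgentCacheEstimate, since the guide notes that the number of managed endpoints also drives cache size.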

2.4.4 Deployment Requirements

When you use the Deployment feature in the Secure Configuration Manager console to push the agent installation or updates to remote computers, ensure that your environment meets the following requirements:

  • Your console account must have the following permissions:

    • Access IT Assets

    • Remote Deploy and Install

    • Remote Uninstall

    • Run Security Checks

    For more information about managing console permissions, see the NetIQ Secure Configuration Manager User Guide.

  • The computer from which you deploy agents, such as the Deployment Agent computer, must be running the following Windows services:

    • DHCP client (if the computer uses DHCP)

    • Server service

    • Workstation service

  • The target computers to which you are deploying the agent software must be running the Remote Registry service.

  • The Deployment Agent and target computers must support communication through network and personal computer firewalls. For more information about required firewall settings, see Section 2.5.2, Understanding Firewall Requirements.

  • Port 700 must be open for outbound communication on the deploying computer, such as the Deployment Agent computer, and for inbound communication on the target computer. For more information about default ports, see Section 2.5.1, Understanding Port Requirements. For more information about the Deployment Agent, see Understanding the Deployment Agent.

  • If the target computers reside in a domain outside the Core Services computer or in a secure network, such as a demilitarized zone, you must locally install at least one Windows agent in that domain or network. Once registered with Core Services, the locally installed agent becomes the Deployment Agent for that network or domain. For more information about the Deployment Agent, see Understanding the Deployment Agent.

2.4.5 Permissions Requirements

If you are installing agents only on the local computer, you must have Administrator permissions on that computer. You can log on either with a domain administrator account or as a local administrator.

When you install or update agents on remote computers, the Windows agent service account on the Deployment Agent computer must have Administrator permissions for the target computers. The agent service account can either be a member of the Domain Admins group or you can add the account to the Administrators local group of the target computer. You also need remote access to the file system (for example, through the admin share) and remote access to the registry through the Remote Registry Service. For more information about the Deployment Agent, see Section 2.1.2, Installing or Updating Agents on Remote Computers.

To run the Windows agent service, the Log On As service account you specify during installation or update must have the “Log on as a service” permission on the agent computer. If you change the service account to a local account from a domain one, or vice versa, after the installation or update, the Windows agent service might not restart on systems where the new account does not have the required permission by default.
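The deployment requirements in Section 2.4.4 and the permissions requirements in Section 2.4.5 are all things you can test from the Deployment Agent computer before pushing the agent. The script below is an added example for this page, not NetIQ code. It checks the local Server, Workstation and (when DHCP is in use) DHCP Client services, the service account's "Log on as a service" right via a secedit export, and, per target, the Remote Registry service, the admin$ share, port 700, and direct membership of the service account in the target's local Administrators group. The target names and service account are placeholders; the guide lists port 700 without naming a transport, so the port test assumes TCP. Run it elevated in Windows PowerShell 5.1 (Get-Service -ComputerName is not available in PowerShell 7).

```powershell
# Added example (not NetIQ code): deployment preflight run on the Deployment
# Agent computer, covering Sections 2.4.4 and 2.4.5. Requires an elevated
# Windows PowerShell 5.1 session and administrative rights on the targets.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-DeployingComputer {
    # Server and Workstation are always required; DHCP Client only if an
    # enabled adapter actually uses DHCP.
    $required = @('LanmanServer', 'LanmanWorkstation')
    $dhcp = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        Where-Object { $_.DHCPEnabled }
    if ($dhcp) { $required += 'Dhcp' }
    foreach ($name in $required) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{ Target = '(local)'; Check = "service $name running"
                           Result = [bool]($svc -and $svc.Status -eq 'Running') }
    }
}

function Test-LogonAsService {
    param([string]$Account)
    # secedit exports the local user-rights assignment; SeServiceLogonRight lists
    # SIDs prefixed with '*' and/or account names. Needs elevation.
    $inf = Join-Path $env:TEMP 'scm-user-rights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $inf | Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' } | Select-Object -First 1
        if (-not $line) { return $false }
        $entries = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        return (($entries -contains $sid) -or ($entries -contains $Account))
    } catch { return $false
    } finally { Remove-Item $inf -ErrorAction SilentlyContinue }
}

function Test-DeployTarget {
    param([string]$Target, [string]$Account, [int]$Port)
    # Remote Registry must be running on the target (queried over the SCM RPC interface).
    $rr = Get-Service -Name RemoteRegistry -ComputerName $Target -ErrorAction SilentlyContinue
    [pscustomobject]@{ Target = $Target; Check = 'RemoteRegistry running'
                       Result = [bool]($rr -and $rr.Status -eq 'Running') }
    # Admin share reachable with this session's credentials.
    [pscustomobject]@{ Target = $Target; Check = 'admin$ share reachable'
                       Result = (Test-Path "\\$Target\admin$") }
    # Agent port open inbound on the target (assumed TCP).
    [pscustomobject]@{ Target = $Target; Check = "TCP $Port reachable"
                       Result = (Test-TcpPort $Target $Port) }
    # Service account is a DIRECT member of the target's local Administrators group.
    # Membership through Domain Admins or another nested group is not expanded here.
    $isAdmin = $false
    try {
        $group = [ADSI]"WinNT://$Target/Administrators,group"
        $names = @($group.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
        $isAdmin = $names -contains ($Account -split '\\')[-1]
    } catch { }
    [pscustomobject]@{ Target = $Target; Check = "$Account in local Administrators"; Result = $isAdmin }
}

# Placeholders (assumptions): edit for your environment.
$targets        = @('srv01.example.local', 'srv02.example.local')
$serviceAccount = 'EXAMPLE\svc-scm-agent'

$report  = @(Test-DeployingComputer)
$report += [pscustomobject]@{ Target = '(local)'; Check = "$serviceAccount has 'Log on as a service'"
                              Result = (Test-LogonAsService $serviceAccount) }
foreach ($t in $targets) { $report += Test-DeployTarget -Target $t -Account $serviceAccount -Port 700 }
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Result }) { Write-Warning 'Fix the failed checks before deploying.' }
```

A false result for the Administrators check does not by itself mean the account lacks rights, since the script only lists direct members; if you rely on Domain Admins membership, confirm that separately. The "Log on as a service" check reads the local policy of the computer you run it on, which matters for the last paragraph above: after switching the service account between a local and a domain account, run it on the agent computer with the new account name before restarting the service.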