2.6 Understanding Management by Proxy

Secure Configuration Manager allows you to manage Windows computers without installing an agent on each computer. A single Windows agent can manage several computers by proxy, as long as the computers are members of the domain in which the agent service is installed. This proxy capability greatly simplifies deployment. Most organizations with large Windows environments use management by proxy to reduce the number of Windows agents to a manageable number.

NOTE: If a Windows endpoint is managed by a proxy agent, the agent returns data with qualifiers (for example, HOUWIN2KSRV\Administrator). If a Windows endpoint is not managed by proxy, the agent returns data without qualifiers (for example, Administrator).

2.6.1 Proxy Limitations

If you plan to manage Windows computers by proxy, you should be aware of certain limitations. The Windows agent cannot perform the following functions by proxy:

  • Windows actions and reports

    • List Instant Messenger Applications report

    • Users with Weak Passwords report

    • Users with Password = User Name report

    • Users without a Password report

    • Users with Password Too Short report

    • Set Disk Quota for User action

    • Show User Quota for a Specified Volume report

  • Windows security checks

    • Accounts with Password Equal to Any User Name

    • Accounts with Password Equal to User Name

    • Accounts with Password Equal to Reverse User Name

    • Accounts with Short Passwords

    • Accounts with Blank Passwords

    • Instant Messenger Setting

  • Queries of the Port object

  • Any default port scan reports, such as the Port Scan (TCP/UDP Endpoints) report

  • Queries of the HKLM/Current User registry hive or any reports that rely on that hive

2.6.2 Proxy Requirements

To manage a computer by proxy, the service account by which the Windows agent operates must be a member of the Domain Admins group in the domain of the managed computer, and it must be a member of the Local Admins group on the managed computer.

Consider the following additional requirements when using the Windows agent to manage a computer by proxy:

  • The agent computer must be running the following services:

    • Workstation

    • DHCP Client

  • The Remote Registry Service must be running on all computers being managed by proxy.

  • The Microsoft Remote Procedure Call service must be running on both the agent computer and all computers being managed by proxy.

  • (Conditional) For Secure Configuration Manager to receive and display IPv6 addresses from managed endpoints, the agent must be installed on a computer running a Windows Server 2003 or later operating system. If the endpoint uses only an IPv6 address, the Windows agent must be installed on a system running a Windows Vista, Windows 7, or Windows Server 2008 operating system, at a minimum. Also, the Windows agent must be set up as a dual-stack host to support both IPv4 and IPv6 addresses because the agent uses IPv4 addresses when communicating with Core Services. For more information about agent operating systems, see Section 2.4.1, Windows Agent Computer Requirements.

  • (Conditional) To monitor endpoint computers running IIS version 7.0 or 7.5, you must install the IIS Management Scripts and Tools component on the endpoint. You must also enable NetIQ VBscripts scripts to run on the computer containing the Windows agent monitoring the endpoint. For more information about enabling scripts to run, see Section 6.5, Enabling NetIQ VBscripts.

  • (Conditional) To collect Group Policy Object data from endpoint computers running the Windows Server 2008 Core or 2008 Core R2 operating system, you must manage those endpoints by proxy. The Core operating systems do not support Group Policy Management Console (GPMC) installation, which the agent requires.
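The following script is an added example, not part of the NetIQ documentation: it audits the proxy prerequisites listed in this section (required services on the agent computer and on each proxied endpoint, Domain Admins membership, and local Administrators membership) and prints every gap it finds. It assumes Windows PowerShell 5.1 run as a domain admin, the RSAT ActiveDirectory module, PowerShell Remoting to the endpoints, and placeholder computer and account names.

```powershell
# Added example, not part of the NetIQ documentation: audits the proxy prerequisites
# listed above for one agent computer and its candidate endpoints.
# Assumptions: Windows PowerShell 5.1 run as a domain admin, the RSAT ActiveDirectory
# module installed, PowerShell Remoting to the endpoints; all names are placeholders.
Import-Module ActiveDirectory

$AgentComputer = 'AGENT01'                 # placeholder: computer hosting the Windows agent
$Endpoints     = @('SRV01', 'SRV02')       # placeholder: endpoints to be managed by proxy
$AgentAccount  = 'CONTOSO\svc-scm-agent'   # placeholder: agent service account (DOMAIN\user)

$findings = New-Object System.Collections.Generic.List[string]

function Test-ServiceRunning {
    param([string]$Computer, [string]$ServiceName, [string]$DisplayName)
    try {
        $svc = Get-Service -ComputerName $Computer -Name $ServiceName -ErrorAction Stop
        if ($svc.Status -ne 'Running') {
            $findings.Add("${Computer}: $DisplayName ($ServiceName) is $($svc.Status), must be Running")
        }
    } catch {
        $findings.Add("${Computer}: cannot query service $ServiceName ($($_.Exception.Message))")
    }
}

# Agent computer: Workstation, DHCP Client and RPC must be running.
Test-ServiceRunning $AgentComputer 'LanmanWorkstation' 'Workstation'
Test-ServiceRunning $AgentComputer 'Dhcp'              'DHCP Client'
Test-ServiceRunning $AgentComputer 'RpcSs'             'Remote Procedure Call'

# Each proxied endpoint: Remote Registry and RPC must be running.
foreach ($ep in $Endpoints) {
    Test-ServiceRunning $ep 'RemoteRegistry' 'Remote Registry'
    Test-ServiceRunning $ep 'RpcSs'          'Remote Procedure Call'
}

# Service account must be in Domain Admins (nested membership counts).
$sam = $AgentAccount.Split('\')[-1]
$domainAdmins = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName
if ($domainAdmins -notcontains $sam) { $findings.Add("$AgentAccount is not in Domain Admins") }

# Service account must also be in the local Administrators group on every endpoint.
foreach ($ep in $Endpoints) {
    $members = Invoke-Command -ComputerName $ep -ScriptBlock { (Get-LocalGroupMember -Group 'Administrators').Name }
    if ($members -notcontains $AgentAccount) { $findings.Add("$AgentAccount is not in local Administrators on $ep") }
}

if ($findings.Count -eq 0) { 'All proxy prerequisites are satisfied.' } else { $findings }
```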

2.6.3 Setting Up Proxy Agents

The Secure Configuration Manager console enables you to organize proxy agents and their managed endpoints. Use the following checklist as a guide in setting up proxy agents. For more information about optimizing the agent to efficiently manage endpoints, see Section 2.6.4, Improving Agent Performance when Managing Endpoints by Proxy.


Checklist Items

  1. Deploy the Windows agent to the computer that will manage endpoints by proxy. For more information about deployment, see Section 4.0, Installing or Updating Agents on Remote Computers. Alternatively, manually add the agent to a local computer, and register the agent with Core Services. For more information about manual installation, see Section 3.0, Installing or Updating an Agent on a Local Computer.

  2. Verify that the deployed Windows agent computer is a managed system in the Secure Configuration Manager console IT Assets list. For more information about adding managed systems to the console, see the NetIQ Secure Configuration Manager User Guide or the console Help.

  3. In the Secure Configuration Manager console, select the Windows agent and then add the endpoints that you want to manage by proxy.

2.6.4 Improving Agent Performance when Managing Endpoints by Proxy

The Windows agent regularly communicates with both its managed endpoints and Core Services. When the agent manages a large number of endpoints by proxy, the agent consumes valuable resources on the computer. The size of reports and how frequently you run them also affect agent performance. This section provides tips for optimizing Windows agent performance to reduce CPU usage and ensure accurate report results.

Match Endpoints to Agents

As a best practice, the Windows agent should manage endpoints with operating systems similar to the agent computer’s operating system. As Microsoft improves operating system capabilities, older versions might not have the same features as newer versions. For example, Windows Server 2003 does not have the same advanced Audit settings as Windows 7. If you use a Windows Server 2003 agent to monitor a Windows 7 endpoint, the agent might not report the audit settings accurately.

To optimize agent performance, assign endpoints to agents according to the following table.

Agent Computer

  • Windows Server 2012

  • Windows Server 8

  • Windows Server 2008 R2

  • Windows Server 2008

  • Windows 7

  • Windows Vista

Endpoint Managed by Proxy

  • Windows Server 2012 R2

  • Windows Server 2012

  • Windows Server 8

  • Windows Core Server 2008 R2

  • Windows Core Server 2008

  • Windows Server 2008 R2

  • Windows Server 2008

  • Windows 7

  • Windows Vista

Install an Appropriate Ratio of Agents to Managed Endpoints

For optimal agent performance, limit the number of endpoints in a domain that a single agent manages. A ratio of 50 endpoints to one Windows agent works well in most environments. Agent performance might vary depending on processor speeds, memory, locations, and network bandwidth on the agent and endpoint computers.

Reduce Agent CPU Usage

You can manage the CPU resources the Windows agent requires by adjusting settings in Secure Configuration Manager and on the agent computer. Review the following methods for optimizing the Windows agent.

Schedule Policy Template Runs

When Core Services asks a Windows agent to run a policy template, the agent processes the template for each endpoint the agent manages. If the agent manages 50 endpoints, it is the same as Core Services submitting 50 templates to the agent. The agent then processes the 50 policy templates multiplied by the number of security checks within the template. For example, if the template contains 100 security checks, the agent processes 5,000 checks (50 endpoints x 100 checks). Also, some security checks require more processing time than others. For example, a security check querying a registry value can process more quickly than a check looking at the entitlement for a directory with a large number of files.

By default, the Windows agent must process all policy template queries and respond to Core Services within a two-hour window. If you regularly run large policy templates against a large number of endpoints, you can reduce the likelihood of delays or cancelled policy template runs by scheduling them, in the Secure Configuration Manager console, for dates and times when the Windows agent computer is least active.

Modify Thread Counts

You can modify the number of threads the Windows agent and any installed agent components use. If the agent or component consumes too much CPU when processing policy templates, particularly for a large number of endpoints, you might consider increasing the thread count. NetIQ recommends synchronizing the thread counts for the agent and the component to ensure that they have equal processing capability. If you plan to adjust the Windows thread count, you should make the agent thread count match the value selected for the Windows component.

To modify thread counts:

  1. Modify the thread count in the SCM GUI:

    1. Go to IT Assets > Agents > OS > Windows.

      All the endpoints running on the Windows agent are displayed.

    2. Right-click the endpoint for which you want to modify the thread count, and then select Properties.

      The Agent Component Properties window is displayed.

    3. Modify the value of the Maximum Concurrent Requests field. The default value is 5.

      Click OK.

  2. Modify the thread count value in the registry:

    1. Open the registry editor using the following command:

      regedit

    2. Go to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\NetIQ\VigilEnt\providers\windows registry key.

    3. Modify the value of the threadPoolSize field.

  3. Restart the Windows agent.
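As an added example (not NetIQ's own tooling), the following script performs steps 2 and 3 of this procedure: it sets threadPoolSize under the registry key named above to the value you chose for Maximum Concurrent Requests, verifies the write, and restarts the agent. It assumes it is run elevated on the agent computer and that the agent's Windows service name, which this page does not give, is supplied as a placeholder you replace.

```powershell
# Added example, not NetIQ's own tooling: sets threadPoolSize under the registry key named
# in step 2 to match the Maximum Concurrent Requests value chosen in the console, verifies the
# write, then restarts the agent (step 3). Assumptions: run elevated on the agent computer;
# the agent's Windows service name is a placeholder you must replace.
param(
    [Parameter(Mandatory)][ValidateRange(1, 256)][int]$ThreadCount,   # 256 is an arbitrary sanity bound
    [string]$AgentServiceName = 'REPLACE_WITH_AGENT_SERVICE_NAME'      # placeholder service name
)

$key  = 'HKLM:\SOFTWARE\Wow6432Node\NetIQ\VigilEnt\providers\windows'
$name = 'threadPoolSize'

if (-not (Test-Path -Path $key)) {
    throw "Registry key not found: $key (is the Windows agent installed on this computer?)"
}
$item = Get-Item -Path $key
if ($item.GetValueNames() -notcontains $name) {
    throw "Value '$name' is not present under $key; refusing to create it with a guessed type."
}

# Preserve the existing value kind (DWORD vs. string) instead of guessing it.
$kind = $item.GetValueKind($name)
$old  = $item.GetValue($name)
Write-Host "Current ${name}: $old ($kind)"

$newValue = if ($kind -eq 'String') { [string]$ThreadCount } else { [int]$ThreadCount }
Set-ItemProperty -Path $key -Name $name -Value $newValue -Type $kind

# Read back before restarting so a failed write does not cause a needless outage.
$readBack = (Get-ItemProperty -Path $key -Name $name).$name
if ([int]$readBack -ne $ThreadCount) { throw "Write verification failed: read back '$readBack'" }

# The agent picks up the new value only after a restart.
Restart-Service -Name $AgentServiceName -Force
Write-Host "threadPoolSize changed from $old to $ThreadCount; service '$AgentServiceName' restarted."
```

Run it as `.\Set-AgentThreadPool.ps1 -ThreadCount 8` after choosing the same number in the console, so the agent and the Windows component stay synchronized as recommended above.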

Increase the Automatic Polling Interval

The Heartbeat Automatic Polling feature in Secure Configuration Manager ensures Core Services knows whether an agent and its endpoints are active. By default, Core Services sends a heartbeat request every 60 minutes. The agent then forwards the request to all its endpoints to determine their status. If the agent monitors a large number of endpoints, the heartbeat queries can add to the already considerable number of tasks the agent performs at any given moment. For example, the agent might be processing a high volume of queries for a policy template.

To mitigate the number of tasks the agent must perform, you can increase the interval between heartbeat requests. For more information about configuring the Automatic Polling Interval, see the Help for the Core Services Configuration Utility.

Adjust Endpoint Firewall Settings to Ensure Accurate Security Check Reporting

Enable Remote Administration and Windows Remote Management in the Windows firewall settings on all endpoints for inbound and outbound communication. Typically, firewall settings do not include exceptions for the proxy agent, which blocks the agent from gathering data and might cause security checks to report endpoints as Offline. Enabling Remote Administration and Windows Remote Management in the firewall settings for endpoints ensures more accurate security check reporting of your endpoints.
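The script below is an added example, not part of the NetIQ documentation: it reports, per endpoint and per direction, how many rules in the Remote Administration and Windows Remote Management firewall groups are disabled, and with -Enable turns them on. It assumes the endpoints run Windows Server 2012 or later (NetSecurity module available), accept PowerShell Remoting, and that the endpoint names are placeholders.

```powershell
# Added example, not part of the NetIQ documentation: reports, and with -Enable turns on, the
# "Remote Administration" and "Windows Remote Management" firewall rule groups on each endpoint
# for both directions. Assumptions: endpoints run Windows Server 2012 or later (NetSecurity
# module) and accept PowerShell Remoting; endpoint names are placeholders.
param(
    [string[]]$Endpoints = @('SRV01', 'SRV02'),   # placeholder endpoint names
    [switch]$Enable                                # report only unless -Enable is given
)

$groups   = @('Remote Administration', 'Windows Remote Management')
$doEnable = $Enable.IsPresent

$results = foreach ($ep in $Endpoints) {
    Invoke-Command -ComputerName $ep -ScriptBlock {
        foreach ($g in $using:groups) {
            $rules = @(Get-NetFirewallRule -DisplayGroup $g -ErrorAction SilentlyContinue)
            foreach ($dir in 'Inbound', 'Outbound') {
                $set = @($rules | Where-Object Direction -eq $dir)
                $off = @($set | Where-Object Enabled -eq 'False')
                if ($using:doEnable -and $off.Count -gt 0) { $off | Enable-NetFirewallRule }
                [pscustomobject]@{
                    Endpoint  = $env:COMPUTERNAME
                    Group     = $g
                    Direction = $dir
                    Rules     = $set.Count
                    Disabled  = $off.Count
                    Status    = if ($set.Count -eq 0)   { 'no rules in this direction' }
                                elseif ($off.Count -eq 0) { 'ok' }
                                elseif ($using:doEnable)  { 'enabled now' }
                                else                      { 'needs enabling' }
                }
            }
        }
    }
}

# Anything other than 'ok' explains why a security check may report the endpoint as Offline.
$results | Sort-Object Endpoint, Group, Direction |
    Format-Table Endpoint, Group, Direction, Rules, Disabled, Status -AutoSize
```

Run it without -Enable first to see which endpoints the proxy agent cannot reach, then rerun with -Enable once the change is approved for those hosts.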