Agents vs Agentless

Date post: 28-Nov-2014
Upload: 1e-empowering-it-efficiency
Description:
What are the approaches, advantages and challenges of deploying technologies that use agents versus agentless ones?

All rights reserved. No part of this document shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without permission from 1E. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this document, 1E and the authors assume no responsibility for errors or omissions. Neither is liability assumed for damages resulting from the information contained herein. The 1E name is a registered trademark of 1E in the UK, US and EC. The 1E logo is a registered trademark of 1E in the UK, EC and under the Madrid protocol. NightWatchman is a registered trademark in the US and EU.

AGENT OR AGENTLESS?

WHAT ARE THE APPROACHES, ADVANTAGES AND CHALLENGES OF DEPLOYING TECHNOLOGIES THAT USE AGENTS VERSUS AGENTLESS ONES?

SU KENT

RAJPAL SINGH

1E

SEPTEMBER 2011

ABSTRACT: We discuss the issues around deploying either agent-based or agentless technologies for successful IT operations. Companies need to understand the values of both and the operational ability of each approach. The decision reached is usually dependent on the data that needs to be collected, how often it is collected and what you want to do with the data. Purchasing decisions need to be determined by your data needs and the way your network is architected.

© 1E 2011

Contents

Introduction
Why you want an agent working for you
  Why does running an agent lend itself to power management?
  Avoiding dependence on the network connection
  Centralized security model
  Minimize network hassle
  High scalability
  Precision
  Actions are taken almost immediately
  How to avoid common issues when deploying agents
  Platform specific agents are required
  Human intervention and objections
Myth busting
  Agents usually place additional load on the network
  Interference with the operating system and applications
  Opening up the machines to security vulnerabilities
Summary
  Telescope or spy?
References

Introduction

1E efficient IT solutions, specifically NightWatchman Enterprise and NightWatchman Server Edition, require IT departments to install a software agent, which resides on a workstation or server and collects data based on a centrally set policy. Agents collect, aggregate and process local data and only communicate changes when necessary.

Many other software solutions on the market adopt an agentless approach, relying instead on a central service that interrogates systems remotely to retrieve data, without a locally installed agent on each client.

We look at the pros and cons of each approach and debunk the myths around installing agents. According to Gartner, there is already a consensus that neither approach to monitoring is absolutely superior. Each has its strengths in different contexts.

“An agent is like a spy in the ranks, giving you a lot more information than you would get from just looking through a telescope (agentless)”

Why you want an agent working for you

Why does running an agent lend itself to power management?

An agent running on the system is capable of local data collection, correlation and processing. Taking PC power management as an example, the agent can make better decisions based on activity that happens locally, for example checking whether the user is active before prompting to power off the system.

An agent running on the machine can query the operating system to check when the user last used the machine and whether they are logged on locally or remotely, in order to defer or force the low power state. With multiple users logged on, each user’s documents can be saved before logging off. In summary, user productivity is not disrupted.

Using an agent for a server power management solution is the only way to identify whether useful work is being carried out on a server. This is the only way to accurately determine if a server is being used, enabling you to easily discover and decommission the 15% of servers doing no useful work.

With agentless technology, there is reliance on remote methods to find interactive user sessions. These depend on specific remotely accessible APIs that cannot return whether the sessions are really active, i.e. whether the user is logged on and working. There is also no solution for true useful work detection with an agentless approach, as this data is not exposed remotely.

Avoiding dependence on the network connection

Agentless solutions are entirely dependent on network connectivity to obtain any information from clients. For example, if there is a network problem, an agentless solution may assume that a workstation is in a low power state when it is not. Conversely, without the ability to probe the system for more data, an agentless approach could potentially power down a machine when a user is using it.

An agent has a degree of IT autonomy and can cache data and execute actions based on an existing policy even if the management server or its connection fails. It can send the data back to the management server when communication is restored.

Centralized security model

The agentless scenario inherently needs higher access rights. The server has to query the client, which means that the local security policy on each machine has to be set up to allow access by the central account that connects to the machine. An account that has local administrator privileges on every machine is required. This account will have almost every right that a domain administrator has and therefore, if compromised, would allow access to a large proportion of the IT assets of an organization.

An agent requires administrative rights only on the machine it is installed on. Authentication and authorization rules are only set up at the server end for policy and reporting. Neither account has access to any more than it absolutely needs.

Minimize network hassle

In an agent-based scenario, policies are retrieved and state is reported via outbound HTTP or SSL. Here the agent is sending data to the central server and, as it is the initiator, is inherently trusted. As HTTP is stateless and ubiquitous, network devices and edge firewalls do not have to be configured to allow traffic. A route back to the server is all that is needed, which means reliance on the existing DNS/DHCP/proxy infrastructure. Since the agents only need to be aware of the server, they can be configured and can report over the internet. An agent on a subnet is responsible for waking its neighbors, which means that magic packets are sent via local broadcast.

With an agentless solution, there is reliance on incoming connections, and the administrator has to set up security on each machine and allow inbound connections. In most cases, the server would be probing a Microsoft Windows machine using WMI (Windows Management Instrumentation) that relies on DCOM (Distributed COM) and RPC, the Service Control Manager, the event log, Perfmon, ADSI, etc. This requires Kerberos authentication and enabling inbound firewall connections. ICMP would be used to query the state of the machine and hence the ICMP firewall rules would need to be modified. SNMP would be used for network devices – centralized management of SNMP devices has its own issues.

Advances in networking technologies, particularly fault tolerant, dynamic (policy-based) routing, make prediction of end-to-end path availability and characteristics exceedingly difficult. This is exacerbated when only a limited part of the network is visible – for example, across WAN links or within tunneling protocols.

In an agentless environment where the server connects to agents from a central point and in environments where a limited part of the network is visible centrally, you may require the setup of multiple servers, which then introduces another challenge of managing roaming machines. Configuration or reporting over the internet is impossible. Routers have to be enabled for subnet directed broadcast, which is the only way agentless wakeups can work.

High scalability

Agentless solutions have to ping/investigate/poll data from a large number of monitored systems, so there is a natural limit (number of metrics per number of systems at a given polling interval) to what a server can process. This also adds additional strain to the network.

An agent-based approach to management is very scalable. Events are sent asynchronously after local processing, and the agent can take decisions to enhance scalability, such as only sending up data when it changes, sending differences, randomizing the time of sending or batching data based on server load, all of which enable scalability with fewer server resources.

Using stateless configuration and reporting over HTTP allows load balancing the server environment. Numerous architectural patterns exist for scaling HTTP and HTTPS environments and making them highly available.
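
The caching described under "Avoiding dependence on the network connection" and the change-only, batched, randomly timed reporting described in this section, sketched as an added example (not 1E's code and not part of the original paper). The class, its method names and the JSON record layout are assumptions; `send` stands in for the agent's outbound HTTP post.

```python
import json
import random


class AgentReporter:
    """Hypothetical agent-side reporter (names are assumptions, not 1E's API)."""

    def __init__(self, send, max_spool=500, max_jitter_s=300.0, rng=None):
        self.send = send          # callable(bytes); raises OSError if server unreachable
        self.max_spool = max_spool
        self.max_jitter_s = max_jitter_s
        self.rng = rng or random.Random()
        self.last_seen = {}       # last locally observed value per metric
        self.spool = []           # unsent change records, oldest first

    def next_send_delay(self):
        """Randomised delay so a fleet of agents does not report in lockstep."""
        return self.rng.uniform(0.0, self.max_jitter_s)

    def observe(self, state, ts):
        """Record only the metrics whose value changed; return that delta."""
        delta = {k: v for k, v in state.items()
                 if k not in self.last_seen or self.last_seen[k] != v}
        if not delta:
            return delta
        self.last_seen.update(delta)
        self.spool.append({"ts": ts, "changes": delta})
        if len(self.spool) > self.max_spool:
            # Long outage: fold the oldest record into the next one so the
            # spool stays bounded and the newest value of every metric survives.
            oldest = self.spool.pop(0)
            nxt = self.spool[0]
            nxt["changes"] = {**oldest["changes"], **nxt["changes"]}
        return delta

    def flush(self):
        """Send the spool as one batch; keep it intact if the send fails."""
        if not self.spool:
            return 0
        payload = json.dumps(self.spool, sort_keys=True).encode("utf-8")
        try:
            self.send(payload)
        except OSError:
            return 0              # server or link down: retry on the next flush
        sent = len(self.spool)
        self.spool.clear()
        return sent


if __name__ == "__main__":
    # Constructed sample: the server is unreachable, so the change is spooled.
    def offline(_payload):
        raise OSError("server unreachable")
    agent = AgentReporter(offline)
    agent.observe({"power": "on", "user_active": True}, ts=100)
    print(agent.flush(), len(agent.spool))
```
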

Precision

Agentless generally means ‘polling’. As the polling frequency is increased you get a better understanding of what is happening on the network. An agent doesn’t need to poll at all. It simply subscribes to operating system notifications and is informed of any state changes. Reporting can be initialized even before the machine has been allocated an IP address and can be accurate to the millisecond. The state of the machine can be validated through querying multiple data sources before a report is generated.

An agent can collect and process data locally and generate a behavior model to make certain intelligent decisions, such as powering the machine down when a user has not logged on or if the machine has not been used for a while. The agent can also probe the operating system to model the behavior of the system’s idle timers and use intelligent logic to force the machine to sleep, saving even more power.

Actions are taken almost immediately

Simple actions such as reporting IP address or subnet changes for wakeups, or complex decisions on automatically fixing a failed computer health test, can only be done immediately through operating system notification. The agent can ask the operating system to inform it of state changes, for example of the network address, so that the server database can be kept up to date.

In an agentless scenario, DNS querying or actively scanning the system would need to be depended upon. By the time a user executes an action from the server, the data could be stale.

How to avoid common issues when deploying agents

Most organizations already have a systems management solution which can be used to install agents. Systems management best practice can avoid anticipated expenses sometimes attributed to agents, such as the cost of deploying them. In a server environment, simple tools can be employed to address the one-time installation of a server-based power management agent.

Platform specific agents are required

An agent is required for each targeted set of platforms, for example, Windows 32-bit/64-bit, Linux, Unix, Macs.

An agentless solution has its own equivalent though, for instance having to support multiple protocols and methods of remote querying, for example, WMI or SNMP.

Human intervention and objections

In general there are more ‘human’ objections against deploying agents, and these complications can be more political than operational. Some IT administrators see a risk in adding an agent which could potentially impact their current service. However, risks are managed by following operational best practice of thoroughly testing agents before deploying them. Agentless methods are not immune to impacting performance or availability of systems, since a poorly written or buggy remote script still has the capability to damage IT services.

Myth busting

Agents usually place additional load on the network

Agents can employ intelligent data caching and spooling to send up less data than an agentless solution would. The agent can send up data only when the status changes, or send differences only. Reports are batched up and sent at random intervals, which means that the load on the network is minimized.

Agentless servers create data requests centrally to remote devices, which then reply with data. This bi-directional chatter will generally consume far more network bandwidth.

Interference with the operating system and applications

A low-level agent running in the background listening to operating system events has less of an effect on a machine than executing a remote query. Posting data back to the server using HTTP is very cheap. Low resource consumption is claimed for agentless environments – which is not strictly true, as the server is using technology (WMI, SNMP) on the machine to execute similar queries, which causes resource utilization. An advantage of having an agent in this case is that queries can be targeted to the native operating system API and hence can result in lower overall resource utilization.

Opening up the machines to security vulnerabilities

A carefully developed agent that considers security in its design (NightWatchman is Common Criteria certified) presents no additional attack surface. Proprietary agent communications are encrypted and use configurable ports, making them far more secure with less effort.

Most agentless protocols have no additional security, relying on the security of the underlying remote connectivity protocols. However, requiring an account with administrative privileges across all machines is a much bigger security issue.

Summary

Telescope or spy?

So what does agentless really mean? Agentless generally means that you will not have to install a software agent to perform any power monitoring. While this might be technically true for a moment, agentless is really a misnomer. Agentless implies that since there is no software to install, it is therefore easier to deploy, manage and maintain. In most cases, the supposed agentless solution simply uses the agents that come with another vendor's product instead, such as Windows WMI or the SNMP Service. The Windows SNMP service is not fully configured or enabled by default in Windows XP and above; you have to manually configure it, which is not easy to do. Configuring security for WMI namespaces and enabling DCOM remote access is not trivial either. Although you don't have to install an agent, you may have to spend an almost equal amount of time configuring the built-in one.

Agent-based technologies are like having a spy in the ranks – giving you a lot more information than you would get from just looking through a telescope (agentless). With an agent-based approach you get greater command and control capabilities, more granular information gathering and much less impact on the network. There are additional benefits in real-time reporting (detecting which workstations are no longer in use or servers that are not being useful), which brings the sought-after benefits of Power Management (by powering them down).

References

Further Reading: How to Choose between Agent-based and Agentless Monitoring, Gartner Research, by David Williams, 12 July 2010

