Gateway Appliance Administrators Guide - Community - LANDesk

LANDesk® Management Gateway

Administrators Guide to Managing the Management

Gateway Appliance version 4.0 and 4.2

Introduction .......................................................................................................................... 3

Scope .................................................................................................................................... 3

Assumptions ......................................................................................................................... 3

Installation, Configuration, and Usage ................................................................................. 3

Security ................................................................................................................................ 3

User Accounts ................................................................................................. 3

SSH: ................................................................................................................ 4

General Security Information: ......................................................................... 4

Backing up the Gateway ...................................................................................................... 5

Configurebroker.exe ............................................................................................................. 5

Brokerconfig.exe .................................................................................................................. 5

Reports ............................................................................................................................... 10

System Logs .................................................................................................. 10

File System Report ........................................................................................ 14

The Connection Table ................................................................................... 14

System Test ................................................................................................... 15

Software Packages......................................................................................... 15

Gateway Service Configuration ......................................................................................... 15

Patching .............................................................................................................................. 16

Activation ........................................................................................................................... 16

Remote Control and Scopes ............................................................................................... 16

The Management Gateway Root Certificate ...................................................................... 17

Conclusion ......................................................................................................................... 17

About LANDesk Software ................................................................................................. 19

Contents

Introduction

Administration of any network device is crucial to its security and efficient usage. The Management Gateway is no

different. This document will help with interpreting logs, security recommendations, backing up the gateway, and

other administrative tasks. At the end of this document information will be provided on training videos for

configuring clients, how the gateway works, and how to use the gateway to track down stolen hardware.

Scope

The scope of this whitepaper will include general administration tasks in managing the Management Gateway.

These tasks will include security precautions, use of tools, analyzing the logs, etc. Other procedures such as backing

up the gateway, installing and configuring the gateway, and using the gateway are covered as well but most

information will reference pre-established online documents.

This document is primarily designed for the following gateway releases but information in this document may be

helpful to other releases as well:

Assumptions

This white paper assumes that the reader has basic knowledge of the Gateway and has a Gateway to use.

Installation, Configuration, and Usage

In addition to this document two other documents will be available, one for installing the Management Gateway and

one for users of the Management Gateway. These three documents will be listed together on the LANDesk

Community. Administrators are encouraged to read each of the three documents.

Security

Many steps have been taken to harden and secure the Management Gateway. The article in the link below

documents many of the steps. However, as with any device there are many steps that should be taken in

addition to the included security features to protect the device and the environment in which it’s located.

What steps have been taken to harden the Management Gateway:

http://community.landesk.com/support/docs/DOC-4336

User Accounts

Two special user accounts are automatically created on the Management Gateway: ―admin‖ and ―service‖


http://community.landesk.com/support/servlet/JiveServlet/showImage/102-7413-1-14658/8_8_ManagementGatewayVersion.bmp

http://community.landesk.com/support/servlet/JiveServlet/showImage/102-7413-1-14659/9_0_ManagementGatewayVersion.bmp

“admin” – This account functions very similar to the root user on a typical Linux machine. The

management of this account is probably THE MOST IMPORTANT TASK to be performed on the Management

Gateway. Several functions can only be performed by this user (such as logging on when directly at the

Management Gateway). A very strong password is highly recommended and the password should be rotated on a

regular basis. A very strong password is one that includes the following:

- Upper Case Letters

- Lower Case Letters

- Symbols

- Numbers

- At least 6 characters in length

- It doesn’t fit a particular pattern. ―Ex@mp!e‖

“service” – This account is for the service level connections coming from core servers. Although not as

important as the ―admin‖ account a secure password is recommended as well and needs to match the password

entered on each connecting core server.

Two creatable account types are available for users of the Management Gateway: Admin and Non-Admin

Admin Accounts – This account type shouldn’t be confused with the ―admin‖ account documented above.

These accounts have access to the GSB web page on the Management Gateway and can make any and all changes in

the GUI. It is recommended to create these accounts only for users that genuinely have a need for this level of

access. (It’s important to note that currently any administrator can change the password for any other administrator

including the primary ―admin‖ account) For most users a non-admin account will suffice as once the Gateway is

configured and in place the GSB web page is typically only accessed for user management, troubleshooting, and

Gateway Management. These users will not have the ability to log in when directly at the Management Gateway.

Non-Admin Accounts – These standard accounts will only have access to remote control devices

connecting to the Management Gateway and should work for most users. These users cannot access the GSB

Administrator Page or log in when directly at the appliance.

SSH:

By default SSH access is disabled and when not needed we recommend configuring the firewall to block access to

this daemon. This is done simply on the Security page of the Management Gateway Web Console. Just like other

servers SSH access is a common channel for attacks on the Management Gateway. Running the statistics and reports

regularly can show various attacks in progress. For more information on using the built-in reports please see the

―Reports‖ section of this document.

It is important to note that the main ―admin‖ account is the only account that can access a terminal session

on the Management Gateway. This can be done by ALT + F2 and then right-click when you are at the

appliance itself or through established SSH sessions when using a terminal program like Putty.exe

General Security Information:

The ultimate purpose and design of any security structure is to be impenetrable to unauthorized access. In many

cases even outside of the computer industry a slight modification to the design by someone who isn’t familiar with

the entire structure can cause security holes to emerge in other areas. Even with proper changes very thorough

testing must be performed. The Management Gateway is designed to be an appliance and shouldn’t be modified by

anyone outside of the manufacturer. Some steps in this document may show you how to gain access to the OS but it

is strongly recommended that nothing be modified outside of support recommendations.

Backing up the Gateway

Backing up the Gateway on the Appliance is relatively easy to do. In the ―System‖ section of the Management

Console and on the ―Backup and restore‖ tab you can create manual or automatic backups. These backups will

persist through a system reimage. Also, after these backups are created you have further options to export the

backups off the Gateway which can then be imported at a later time. This feature can be very helpful if a lot of users

are configured on the Gateway. Without proper backups each user would need to be recreated manually in the event

that service is needed on the appliance.

Configurebroker.exe

Configurebroker.exe is an application that you may run into when configuring or evaluating the Management

Gateway. This application works great but officially it is unsupported due to possible security problems. As with

many similar applications configurebroker.exe will make certain tasks much easier so it’s advisable to evaluate the

security cost to efficiency ratio. Listed below is a community.landesk.com article that discusses

configurebroker.exe, provides the executable, gives security precautions, and its usage.


Brokerconfig.exe

How brokerconfig.exe works and a detailed process flow is included in the Management Gateway Video referenced

at the end of this document. However, it is a very important process so it will be covered in detail in this document.

Brokerconfig.exe is the application on the client that is used to request certificates from the core server. It is a

common misconception that when running this application we are requesting certificates from the Management

Gateway. The truth is that the Gateway is forwarding the request to the client’s core server. Authentication and

Certificate Management are both handled by the core. The Gateway itself only bridges incoming connections from

the client and core.

When the Management Gateway is configured on the core server the Gateway information is automatically

appended to the .0 certificate file. This certificate file is then installed along with the LANDesk agent. It’s important

to realize that any client that was installed before the Management Gateway was configured will not have this

information. Remote Control will have an option to ―Switch to Gateway Mode‖ if the .0 certificate file has Gateway

information which can then be used to run brokerconfig.exe and request certificates. Once a client has certificates

then Inventory, Security, Policies, etc will be able to contact the core from anywhere on the internet.

When running brokerconfig.exe to request certificates there are a few things to be aware of. The most important

item is the method of connection. Brokerconfig.exe is designed to be run either on the network or while connected to

the internet. No matter where the client is connected it needs to find the core server. Listed below (and in the

screenshots) are the three connection methods along with some additional information:

1- Dynamically determine connection route – This is the default selection. Brokerconfig.exe will attempt to

resolve the core name and if it does so it will stop trying all other methods. It doesn’t matter if

brokerconfig.exe can actually reach the core or not. If the core cannot be resolved then it will attempt a

Management Gateway connection.

2- Connect directly to LDMS core – This option is self-explanatory and seldom used. Typically when the

client is on the network it can resolve the core so the first option will work.

3- Connect using the Management Gateway – This option is a very good option to try if dynamically

determine is having problems. A gateway connection will be attempted using the gateway’s IP address and

skip resolving the core.


The next important item in brokerconfig.exe is the credentials. For windows based systems credentials are not

required if the client is on the network and has a direct connection to the core server. If the client is on the internet

and is connecting to the core through the Management Gateway then a domain\username and password is required

of a valid account on the LANDesk Core server. If the core is version 8.8 then any user in the LANDesk

Management Suite local group will work. If the core is version 9.0 then a user in the LANDesk Administrators

Group will work or a special account may need to be configured. More information on 9.0 users is found in the

previously referenced configurebroker.exe article and in the community.landesk.com. (Note: In LANDesk 9.0 the

account used will need to specifically have read/write access to the …\LANDesk\ManagementSuite\Brokerreq

folder on the core server so that client certificates can be posted)

There are a few other issues that should be noted. When a client is making a connection through the Management

Gateway the request is made with ―hostname.*‖. Afterwards a DNS lookup is performed and a POST is made to

brokerservicerequest.asmx in IIS. Due to the gateway connection and different ways that IIS and DNS are

configured in environments the coreserver name on a client may need to be modified. The coreserver name is

located in the registry under HKLM\Software\Intel\LANDesk\LDWM\Coreserver. Use the following rule as a guide

to follow: ―Most environments will work with the hostname, some will work with the FQDN, but none will work

with the IP address‖.

The ―Test‖ button in brokerconfig.exe is a great way of troubleshooting certificate request problems but the results

need to be understood. The method of connection (as discussed earlier) determines how the connection is established

to the core and will vary the test results. The screens shots below were all performed using the ―Dynamically

determine connection route‖ option. If one of the other options is selected then several steps in the test may not be

performed.

In this particular screenshot I shut down the core server to demonstrate a 404 error. If I were to read the results of

the test it would be as follows: ―Name resolution to the core was attempted and found. A connection directly to the

core was attempted but failed (this is normal if the client is not on the network) Since a connection directly to the

core failed a Management Gateway connection is attempted. A connection to the Gateway is made (not shown) and

a link request through the Gateway is made. During this link request the hostname (as discussed earlier) is passed to

the Gateway which waits for a response. A response was received ―404 description Not Found‖ which means the

core server was not found on the Gateway. This can be typically caused by an incorrect coreserver name in the

registry or a failure of the core to establish SSL Tunnels to the Management Gateway‖.

In this screenshot I turned the core back on to demonstrate the test results of a client on the domain. As you can see

the core server was resolved and a connection made but no connection to the Management Gateway itself was

performed. A POST to IIS is made followed by a 200 response meaning OK.

In this screenshot the test results of a client connecting from the internet are displayed. (Note: An incorrect DNS

entry of 111.111.111.111 was placed in the HOST file on the client to prevent name resolution to the core) As

discussed before the test was unable to connect directly to the core server and began a connection to the

Management Gateway. In this case a ―201 description created‖ was noted indicating that the core server was found

on the Gateway. A long session begins and the message ―Link to core successful‖ is displayed which indicates that a

tunnel was established to the core server. The POST to IIS on the core is made and a 200 OK response is received

by the client.

As you can imagine there are many more possible error results. Some of those errors may be corrected by restarting

IIS and the Management Gateway Service on the core server. Many of these errors can be researched on the internet

as they are common to IIS and other web servers. However a quick summation of errors is noted below:

500 – Internal Server Error = The error message basically indicates that IIS on the core is not configured correctly.

One possible cause is that .NET 1.1 may be registered on the Default Website.

503 – Internal Server Error = This is again a configuration problem in IIS.

402 – Description Payment Required = Reactivate the Management Gateway

400 – Description Bad Request = Modify the default website properties in IIS on the core to not use an IP address.

Make sure the IP address option is set to ―All Unassigned‖.

403 – Forbidden = A username and password is required for the test. This needs to be in domain\username format

and all other previously discussed requirements met.

Important Note: If you are on the domain when running brokerconfig.exe and a message is displayed that you need

to enter credentials then typically the user running brokerconfig.exe won’t have permission to write to the

C:\Program Files\LANDesk\Shared Files\cbaroot\broker folder. During a request brokerconfig.exe will need to write

2 certificate files to this folder. If those files do not appear then local permissions need to be resolved. In summation:

brokerconfig.exe will never ask for credentials and will try the test as instructed.

Reports

Firewall Report – This report was added to the 4.2 version of the Management Gateway. An example of the report is

shown below along with some definitions:

―#‖ = The number of times this entry has been blocked.

―source‖ = The IP address of the packet that was blocked

―destination‖ = The intended recipient…usually the IP address of the Gateway itself.

System Logs

The system logs are very useful and determine several key events on the Management Gateway. Due to the amount

of information being logged a filter should be used. Below is a list of some of the items that you may see in the filter

drop down menu along with some example screen shots. The 4.2 Management Gateway System Logs changed from

the screen shots shown below but messages should be similar.

Note: This will not be a comprehensive list as many programs and other threads may create log entries. Entries such

as: (@ or 0x23428ab) are common but generally mean nothing. Also, some of these examples may not be listed as

they will only log when they are used. Other applications that may appear in the list may be difficult to define as

they have specialized purposes.

- Activate – General information on activation of the Gateway. Below you can see an error in

communication with the licensing server at LANDesk.

- Bootlog – Logs boot information and errors. The warning message logged below is typical when ETH1 is

not configured.

- Broker – On startup the core certificates that the broker daemon loads are recorded here.

- Cron – The local scheduler of Linux. The logs will report when configured hourly, daily, and monthly tasks

are executed. Example below shows an hourly log.

- Dbtool – Database Tool. Events are recorded when database work is performed. The example below shows

repairing and optimizing events as well as a user initiated backup.

- Gateway – Primary connection information: IP address, user account, POST or GET for the web server,

etc. This is perhaps the busiest logger on the Management Gateway and can be difficult to examine through

the GUI.

- Gsb – Logs actions/events that happen in the Web Console (gsb) page on the Management Gateway. The

example below shows the ―test‖ email button that was pressed and a failure message logged when

communication couldn’t be established to the mail server. The example also shows the firewall being

started and the admin user password being changed.

- Init – Linux init and System Initialization. This is a simple log that reflects run level changes within the

Linux OS.

- Kernel – General kernel logging. However, firewall logging also takes place here and will compromise

most of the logging on the Gateway. These logs are denoted as firewall (FW) and anything that touches the

Gateway even if a connection isn’t allowed or established is recorded here.

- Logger – Records the starting and stopping of the firewall. The firewall is designed to start automatically

upon boot up of the Gateway and should remain on as much as possible.

- Passwd – Password change logging from the passwd executable.

- Php-cgi – Web account activities. Example below includes the service account adding certificates, the

admin account changing the number of maximum connections, and account creation and more password

changes.

- Sshd – Logs activity from the ssh daemon. If SSH is never enabled then this log will be blank. If this

account is left enabled then it can be a target for a brute force attack. The screen shot below shows an

example of such an attack and what to look for.

- Sudo – Super User Do (SUDO) logging. This is a standard Linux command.

- Udev – Standard Linux daemon for the /dev directory.

- Useradd – Standard Linux command for adding users.

In summation almost all daemons, executables, and events get logged to some degree. Some of the items on this list

will be on just about every Management Gateway while others will only show up if that daemon or application was

executed.

File System Report

This is a basic report on system files that is produced by the System Update Monitor (SUMO) installed on the

appliance. The report will document hash, size, and other changes. It will also report on new files that were added

and summarize the information at the bottom of the page. This is also the report that you receive when an email is

configured in the Gateway Console. On a typical Gateway this report shouldn’t change much after the initial

configuration. Patches are generally the primary source for changes.

The Connection Table

This table is one of the best tools for troubleshooting connections to the Management Gateway particularly during

install and configuration. Three primary types of connections are shown and explained below. The table refreshes

automatically.

UserAgent:

Broker Service – These are service connections coming from core servers posted to the Gateway. At least 6 of these

are established from each core server at any given time but more connections are opened up as needed. If these

connections are not showing up then the Management Gateway Service on the core needs to be restarted or fixed.

The Management Gateway Service on the core will shut down automatically if these service connections cannot be

established. Typical causes for problems are an incorrect or bad ―service‖ account password or port 443 being

blocked in either direction between the Gateway and the core server. Proxies, DNS, and other related networking

issues can also cause problems.

Mozilla/4.0 etc. – This is a browser connection to the GSB management page on the Gateway. The particular page is

noted under the URL section of the table and the connection used to view this table will also show up.

LANDesk Remote Control Agent/8.6 – This connection is from a managed device. The remote control service on the

managed device is posting itself so that it’s available for remote control.

Gateway Service Status:

This is another summary and statistics page that contains some good information. Some of the information located

on this page includes:

- Current connections and type

- The last failed authentication

- The number of accounts locked out

System Test

This report is a basic test of services, firewall, processes, etc. The test includes a list of the tested items as well as if

they ―passed‖ or ―failed‖. A summary of the results are included at the bottom of the displayed page. On the 4.2

version of the Management Gateway the ―fluxbox‖ and ―firefox-bin‖ processes will fail. This is normal as usually

they fail when running the report from an Internet Explorer window.

Software Packages

This report that is available on the 4.2 version of the Management Gateway is a simple list of software packages that

are included on the gateway. The version and architecture are included as well. As patches are applied and

components updated this page should update as well.

Gateway Service Configuration

The screenshots below were taken from a 4.2 Management Gateway so some of these shots/options may not reflect

the 4.0 appliance. Also, some settings are not explained in detail below as they are self-explanatory.

The Management Gateway by default will log all connections and includes connections that are rejected by the

firewall. Actions are logged as well. The setting above will increase the detail of such logs however it should only

be used when necessary. Increasing the verbosity will greatly increase the size of the logs and the performance

demand on the Management Gateway.

This setting is for clients that do not support 128-bit encryption. Enabling the setting will tell the gateway to respond

to such requests instead of rejecting them. If security is a concern then this setting should be left disabled.

This setting was added to the Management Gateway in version 4.2. It was designed for future use in regards to

increasing security. As older technologies (MD5 for example) experience vulnerabilities and are no longer secure

this setting will allow the encryption level to be changed on the fly. However, Windows 2003 will not accept SHA-

256 connections so the Core and Clients need to be evaluated before this setting is changed.

This setting only needs to be changed if it appears that the client is having problems reaching the Management

Gateway. Typically the default setting will suffice for most installations but increasing this may be necessary

especially if the Management Gateway is supporting multiple core servers.

The Additional Hostnames field is typically one of the most important in regards to initial setup and configuration of

the Management Gateway. As stated in the explanation the rule of thumb is ―anything that the gateway itself can be

resolved to should be entered in this box‖.

Patching

Ports 443 and 80 in both directions are required in order for patching to function correctly. Proper DNS resolution

for the LANDesk patch servers listed below is required. Ports, Firewalls, and name resolution are the most common

cause of problems when attempting to download patches.

Patch.landesk.com

Patchec.landesk.com

Patchemea.landesk.com

Some installations of the Management Gateway will not have the luxury of having port 80 open. For this reason the

following document has been created and will be continually updated as patches are released. This document will

advise on downloading and installing patches manually on the Gateway Appliance. The document will also provide

an updated list of patches that are available to the appliance. As stated in the article manually installing patches to

the Management Gateway is not supported.


Currently the GUI interface for the Management Gateway doesn’t contain a quick and easy way of checking what

patches have been installed. If you are unsure of what patches have been installed on the Management Gateway then

the following log will document each patch installation.

/var/log/rpmupdate.log

Activation

Ports 80 and 443 are also required for Activation. The article listed below can assist with troubleshooting

Management Gateway activation problems. If problems persist then re-image the Management Gateway again and

attempt to activate before using any backup/restore points. Be sure to configure the network settings and firewall

prior attempting activation. Disabling the firewall on the Management Gateway is also a good test for activation.


Remote Control and Scopes

When scopes are used in LANDesk they are applied to the 32-bit console during login and therefore filter out

systems that not in the users scope. This prevents the user from performing tasks or taking remote control of



machines not in their scope. However, at the time of this writing user accounts on the Management Gateway are

different from accounts used on the LANDesk Core. Therefore scopes on the core are technically not applied

through the Gateway. The technical reason for this is due to Integrated Security for remote control. Integrated

Security forces the remote control viewer application to contact the core and request permission. As part of the

permission process a signed rights document is sent to the client system giving access. However, when the

Management Gateway is involved the signed rights document cannot be sent through the gateway and out to the

client. The core can only respond in request coming from the client.

If scopes are required in order to use the gateway another option is available. The ―Organization Setting‖ for each

user on the gateway has the ability to filter out what a person sees for remote control. The default setting of ―*‖ will

allow all devices posted to the gateway to be visible. The LANDesk Community document below will outline the

details on configuring the Organization setting. Certain steps will be required on each client and user in order for it

to function properly.


In addition to Integrated Security other security settings (such as Local Template and NT Security) will also work

through the Gateway. Local Template is basically open security. This is the same thing the On-demand remote

control agent uses. However, NT Security is local to the machine itself so a user must be in the local Remote Control

Operators Group in order for this security type to function. One misconception when using NT Security is the

inclusion of domain accounts. Domain accounts will work fine with NT Security as long as the device is on the

network but if the device is connecting through the Management Gateway then the client will be unable to verify the

domain credentials with a Domain Controler and fail in authentication.

The Management Gateway Root Certificate

By default the Management Gateway uses a self-signed certificate. In some browsers this self-signed certificate can

result in a security warning as shown below:

This warning is bothersome but in general harmless. If clients are concerned about the message then perhaps

creating a self-contained on-demand remote control executable as mentioned previously and hosting it on a different

website may be recommended.

Conclusion

Effective management of the gateway can help with maintaining security and efficient usage. The training video

links below will provide much greater detail on how the gateway works and how to use the gateway to recover

stolen hardware.


Training video on how to install and configure the management gateway as well as information on how it works and

how to request a broker certificate: http://community.landesk.com/support/docs/DOC-5104

How to use the gateway to recover stolen hardware: http://community.landesk.com/support/docs/DOC-6045



About LANDesk Software

The foundation for LANDesk’s leading IT management solutions was laid more than 20 years ago. And LANDesk

has been growing and innovating the systems, security, service and process management spaces ever since. Our

singular focus and our commitment to understanding customers’ real business needs—and to delivering easy-to-use

solutions for those needs—are just a few of the reasons we continue to grow and expand.

LANDesk pioneered the desktop management category back in 1993. That same year, IDC named LANDesk the

category leader. And LANDesk has continued to lead the systems configuration space: pioneering virtual IT

technology in 1999, revolutionizing large-packet distribution with LANDesk® Targeted Multicast™ technology and

LANDesk® Peer Download™ technology in 2001, and delivering secure systems management over the Internet and

hardware-independent network access control capabilities with LANDesk® Management Gateway and LANDesk®

Trusted Access™ Technology in 2005.

In 2006, LANDesk added process management technologies to its product line and began integrating the systems,

security and process management markets. LANDesk also extended into the consolidated service desk market with

LANDesk® Service Desk, and was acquired by Avocent to operate as an independent division.

Today, LANDesk continues to lead the convergence of the systems, security, and process and service management

markets. And our executives, engineers and other professionals work tirelessly to deliver leading solutions to

markets around the globe.

Date post:	12-Feb-2022
Category:	Documents
Upload:	others
View:	6 times
Download:	0 times

Gateway Appliance Administrators Guide - Community - LANDesk

Documents