Technical Reference

In this section:

• Services

• Websites

• Securing Communications Using SSL

• Environment Manager/Management Center Secure SQL Server Connections

Services

There are four associated services with the Management Server:

• Ivanti Alerts Service - responsible for creating alerts based on events for the Management Server, and dispatches associated actions.
• Ivanti Events Dispatcher Service - responsible for monitoring for new event files being uploaded and adds the events to the Management Server database.
• Ivanti Scheduler Service - responsible for managing all scheduled tasks associated with the Management Server. This includes discovery and offline machine detection.
• Ivanti Deployment Service - responsible for managing the installation of the Deployment Agent when chosen by the user from the Management Console.

To generate diagnostic logs for Management Server Services set Logging to Enabled on the Instance Detail page in the Server Configuration portal. The log files are stored in %ProgramData%\AppSense\Management_[Instancename]

There is one associated service with the Personalization Server:

AppSense Personalization Background Service - performs batch operations requested by the Personalization Operations console and does daily archiving and cleanup on the database.

Websites

Management Server

The ManagementServer root web directory hosts the Downloads web page for downloading the Management Console, Deployment Agent, User Workspace Manager products, and documentation.

A diagnostics log can also be generated from this page. It is stored at %ProgramData%\AppSense\Management_[Instancename] by default.

ManagementServer/Deployment

The ManagementServer/Deployment web directory provides the Management Server web services that the Deployment Agent uses to access the Management Center database. These hosted web services are:

• Polling - Managed endpoints receive settings such as poll periods and installation schedule during a poll.
• Prerequisite checking & installation - Managed endpoints download agents, configurations, and prerequisites using BITS.
• Event Collection - Managed endpoints upload the majority of events using BITS.
• Server Diagnostics - Managed endpoints send high priority events.

A diagnostics log, DeploymentDirectory.log, can also be generated from this page which is stored at %ProgramData%\AppSense\Management_[Instancename]

ManagementServer/Data Access

The ManagementServer/DataAccess web directory provides the interface to the Data Access Services. All communication from the Management Console comes here.

ManagementServer/PackageManagement

The ManagementServer/PackageManagement web directory provides an interface to the Package Management Services. All communication from the Application Control, Environment Manager and Performance Manager consoles come here.

Securing Communications Using SSL

You can optionally configure the Management Server website to support Secure Socket Layers (SSL) to provide secure communications using Active Directory.

SSL provides confidentiality and integrity of communications to ensure sensitive data is accessible only by authorized users, including:

• Event data
• Agents and agent configuration data

If you are setting up SSL certificates on web servers using other supported operating systems and other versions of Microsoft SQL Server, see the following for further information:
http://msdn.microsoft.com/library/

Setup SSL on IIS

This section provides information about setting up the website for SSL by creating a self-signed certificate.

Other types of certificate issued by a trusted Certification Authority are also supported.

1. In Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager, select the [ServerName] node and in the IIS section click Server Certificates.
2. Ensure a suitable certificate is listed. If not, create or import a certificate using the options in the Actions panel.
3. Select the Website for the product and click Edit Bindings in the shortcut menu.
4. Click Add and in the Type drop-down list select HTTPS.
5. In the SSL Certificate drop-down list, select the certificate.
6. Click OK and Close.

Environment Manager/Management Center Secure SQL Server Connections

The Server Configuration Portal (SCP) now has the ability to create SQL Connections (from PS and MS) with the connection string values Encrypt and TrustServerCertificate set to True and False respectively.This applies to web applications and services, and is implemented in a straightforward way by adding the parameters to the SqlConnectionString application setting in the web.configs and .exe.configs of the servers.

The SCP Database Connection page shows two checkbox options:

• Encrypt Connection: When selected, all data are encrypted on the connection using the SQL server's certificate. When set to False, only sign in transactions are encrypted. Because all SQL servers have a certificate when installed, no further configuration is required.

  Encrypted data connections impact performance.

• Validate Server Certificate: When selected, the SCP checks for a valid certificate. This option can be selected only if Encrypt Connection also is selected and requires that:

  • PS and MS are configured to trust the SQL Server certificate.

  • The generated SQL Server certificate must either be signed by a Trusted Root in the Trusted Root Certification Authorities store of PS and MS or be stored in the Trusted Root Certification Authorities store.

SCP Implementation

When setting up a secure connection, the SQL Server name must match the DNS name on the certificate. This may require a fully qualified domain name. If Validate Server Certificate is selected, the SCP attempts to sign in with an invalid name and password, and it examines the return status to learn whether the failure was due to an invalid certificate or an invalid sign in. SCP will not use real credentials until it validates the certificate.

Certificate for Testing

Complete the following steps to generate and set up a certificate for testing:

1. Run the following powershell script on the SQL Server machine to create a certificate in the local machine store and save a .cert file in the current directory:

   $3years = [DateTime]::UtcNow.AddYears(3)
   $enhancedKeyUsageServerAuthentication = @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
   $name = $env:COMPUTERNAME
   $fqdn = [System.Net.Dns]::GetHostByName($name).HostName
   $cert = New-SelfSignedCertificate

   -CertStoreLocation 'cert:\LocalMachine\My'
   -DnsName $fqdn,$name,"localhost"
   -FriendlyName "$($name)-sql-server"
   -Hash 'SHA256'
   -KeyAlgorithm 'RSA'
   -KeyExportPolicy ExportableEncrypted
   -KeySpec KeyExchange
   -KeyFriendlyName "$($name)-sql-server"
   -KeyLength 2048
   -KeyUsage DigitalSignature,KeyEncipherment,DataEncipherment
   -NotAfter $3years
   -Provider 'Microsoft RSA SChannel Cryptographic Provider'
   -Subject $name
   -TextExtension $enhancedKeyUsageServerAuthentication
   -Type SSLServerAuthentication 

   $cert | Export-Certificate -Type CERT -FilePath $name-sql-server.cer

2. Run certlm.msc, and navigate to the new certificate in the Personal store.
3. Right click on the certificate and select All Tasks > Manage Private Keys.
4. Find the private key, and give read access to the account running SQL Server.

   The account is usually NT Service\MSSQLSERVER on the local machine.

5. Run SQL Server Configuration Manager, and navigate to SQL Server Network Configuration > Protocols for MSSQLServer.
6. Right click and select Properties > Certificate tab. Select the certificate from the dropdown menu.
7. Restart the SQL Server service.

8. On the PS/MS machine, import the .cer file created in step 1 into the local machine's Trusted Root Certification Authorities Store using certlm.msc or by right-clicking and selecting Install Certificate.

Related topics

User Workspace Manager Server Component Websites

Database Accounts