About Application Server-Client Communications

Ivanti Device and Application Control is based on standard TCP/IP protocols for all communication between clients and servers.

TCP/IP was chosen because it is implemented pervasively throughout most IT infrastructures. It is the most widely used open-system (non-proprietary) protocol suite, being equally well suited to LAN and WAN communication. Using TCP/IP offers some clear advantages over other protocols, including the following:

  • Allows enterprise networking connectivity between Windows and non-Windows based computers.
  • Can be used to create client-server applications.

Currently Ivanti Device and Application Control uses only two configurable ports for full two-way communication between the client and server components. As with other TCP-based services, Application Servers cannot handle clients connecting through a firewall or proxy unless the required ports are opened. By default:

  • The server uses port 65129 or 65229 (for the TLS protocol) to listen to clients or other Application Server requests.
  • Clients use port 33115 by default to receive information and respond if the Application Server initiated the communication.

These three ports are required for full two-way communication. You can configure these ports as required by your environment.
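The following PowerShell script is an added example, not code from Ivanti or from this guide, showing how an administrator would verify the port requirements described above from both sides of the connection: that an endpoint can reach the Application Server listener, that the server is actually listening, and that the client-side inbound rule for server-initiated pushes exists. The server host name and the firewall rule display name are assumptions for the illustration; the port numbers are the defaults stated above.

```powershell
# Added example (not Ivanti's own code): check the default Ivanti Device and
# Application Control ports from an elevated PowerShell prompt.
$AppServer   = 'appserver01.example.local'   # assumed Application Server host name
$ServerPorts = 65129, 65229                   # server listener ports (plain / TLS), from the guide
$ClientPort  = 33115                          # client listener port, from the guide

# Run on an endpoint: can the client reach each Application Server listener?
foreach ($port in $ServerPorts) {
    $r = Test-NetConnection -ComputerName $AppServer -Port $port -WarningAction SilentlyContinue
    '{0}:{1} reachable = {2}' -f $AppServer, $port, $r.TcpTestSucceeded
}

# Run on the Application Server: confirm the service is listening on its ports.
# Get-NetTCPConnection errors when nothing matches, so suppress that and treat
# an empty result as "not listening".
Get-NetTCPConnection -State Listen -LocalPort $ServerPorts -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Run on a client: make sure an inbound rule for the client port exists, and
# create it only if it is missing (rule name is an assumption).
$ruleName = 'Ivanti DAC client inbound'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $ClientPort -Action Allow -Profile Domain | Out-Null
}
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter
```

Restricting the inbound rule to the Domain profile keeps the client port closed when the endpoint is on an untrusted network; tighten it further with -RemoteAddress if your Application Server addresses are known.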


Application Server Communications

The Application Server consists internally of two distinct subsystems. The first subsystem handles requests from administrative clients and exposes services via a secure, authenticated Remote Procedure Call (RPC). The second subsystem communicates with the clients.

The Application Server RPC is used to expose administrative functionality (the interfaces required to browse and manage the hashes and file groups in the database) and to offer control over driver behavior. Internally, the Application Server uses a thread pool to perform mass updates. It connects to each client individually according to the driver state. The database keeps track of drivers and users that are online. This involves more work than broadcasting, but it offers the advantage of guaranteed delivery, a feature not found in broadcast-capable protocols.

The Application Server uses a TCP/IP server based on Microsoft Windows Input Output Completion Ports (IOCP). The most important server tasks are responding to client notification messages, such as login and logoff notifications and start (boot) and stop (shutdown) messages, and creating and dispatching the hash-lists that clients request.

The TCP/IP client built into the Application Server serves primarily to push updates to clients. When an administrator makes changes to options or permissions, clients may need immediate updates. For permission changes, this typically invalidates the existing hash-list cache.

Forced updates create a need for multiple Application Server instances to communicate intra-server. In particular, when an administrator requests an immediate hash-list update, the instruction to flush the hash-list cache must be relayed to every server to keep the caches coherent. Since all servers share a common database, they register themselves in the database. Intra-server notifications are sent through the respective TCP/IP channel.

Changing Licenses for the Application Server

When you need to change the license for the Application Server, you must stop the server, change the license, then restart the server.

  1. Select Start > Run.
  2. Type cmd in the Open: field.
  3. On the command line, type: net stop sxs.
  4. Copy the new Ivanti Device and Application Control license file to the \\Windows\System32 or \\Windows\SysWOW64 folder and rename the file to endpoint.lic.
  5. Select Start > Run.
  6. Type cmd in the Open: field.
  7. On the command line, type: net start sxs.
    The Application Server restarts with the new license information.
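The script below is an added example, not code from Ivanti or from this guide, that carries out the license change procedure above from an elevated PowerShell prompt on the Application Server: it stops the sxs service and waits for it to stop, keeps a dated backup of the existing endpoint.lic, installs the new file, and restarts the service, confirming each state change. The path of the new license file is an assumption; the target folder defaults to System32, and the guide allows SysWOW64 instead, so set it to match your deployment.

```powershell
# Added example (not Ivanti's own code): automate the license swap described
# in the steps above, with checks that the service actually stopped and restarted.
$NewLicense    = 'C:\Temp\new-license.lic'                 # assumed location of the new license
$ServiceName   = 'sxs'                                      # Application Server service, from the guide
$LicenseFolder = Join-Path $env:SystemRoot 'System32'       # or 'SysWOW64', as the guide permits

if (-not (Test-Path $NewLicense)) { throw "License file not found: $NewLicense" }

# Step 3: stop the Application Server (equivalent of 'net stop sxs') and wait for it.
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Step 4: back up the current license, then copy the new file in as endpoint.lic.
$dest = Join-Path $LicenseFolder 'endpoint.lic'
if (Test-Path $dest) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -Path $dest -Destination "$dest.$stamp.bak"
}
Copy-Item -Path $NewLicense -Destination $dest -Force

# Step 7: restart the service (equivalent of 'net start sxs') and confirm it is running.
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Get-Service -Name $ServiceName | Select-Object Name, Status
```

WaitForStatus throws if the service does not reach the expected state within the timeout, so a failed stop or start surfaces as an error rather than leaving the server silently running on the old license.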

Changing the SysLog Server

During the SXS installation you can enter a SysLog server address and specify whether you want to log audit events, system events, client events, or some combination thereof. You may change the SysLog server address and specifications after installation.

You can modify the following Application Server registry keys, as described in the General Registry Keys section of Managing Registry Keys.

  1. Select Start > Run.
  2. Type regedit in the Open: field.
  3. Select HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > sxs > parameters from the registry keys.
    The Registry Editor window opens.
  4. Select any one or all of the following registry key parameters:
    • SysLogServerAddress - specifies the name of the SysLog server.
    • SysLogGenerateMsg - specifies the type of log event(s) sent to the SysLog server.
  5. Close the Registry Editor window.
    SysLog behavior changes based on the registry key data values that you specify.
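The following PowerShell script is an added example, not code from Ivanti or from this guide, that performs the registry change above without opening the Registry Editor: it records the current SysLog parameters under the sxs service key, updates SysLogServerAddress, and reads the key back to verify. The new SysLog server name is an assumption. The data type and permitted values of SysLogGenerateMsg are documented in the General Registry Keys section rather than here, so that assignment is left as a labelled placeholder.

```powershell
# Added example (not Ivanti's own code): change the SysLog parameters of the
# Application Server from an elevated PowerShell prompt.
$KeyPath         = 'HKLM:\SYSTEM\CurrentControlSet\Services\sxs\parameters'   # key from the guide
$NewSysLogServer = 'syslog.example.local'                                      # assumed new collector

# Record the current values first so the change is reversible and auditable.
$current = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
'Before: SysLogServerAddress={0} SysLogGenerateMsg={1}' -f `
    $current.SysLogServerAddress, $current.SysLogGenerateMsg

# SysLogServerAddress holds the name of the SysLog server (string value).
Set-ItemProperty -Path $KeyPath -Name 'SysLogServerAddress' -Value $NewSysLogServer

# SysLogGenerateMsg selects which event types are sent; take the value from the
# General Registry Keys section and replace the placeholder before uncommenting.
# Set-ItemProperty -Path $KeyPath -Name 'SysLogGenerateMsg' -Value <VALUE_FROM_DOCS>

# Read the key back to confirm what was written.
$after = Get-ItemProperty -Path $KeyPath
'After:  SysLogServerAddress={0} SysLogGenerateMsg={1}' -f `
    $after.SysLogServerAddress, $after.SysLogGenerateMsg
```

Keeping the "Before" line in your change record gives you the exact value to restore if events stop arriving at the collector after the change.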