Configuring Endpoints for Agent Management Jobs
Prior to using an Agent Management Job to install agents on your Windows endpoints, you must first configure your endpoints.
Prerequisites:
Prior to configuring, review the following requirements:
- You can perform these steps on endpoints with the following operating systems:
  - Windows 10
  - Windows 8.1
  - Windows Server 2019
  - Windows Server 2012 R2
  - Windows Server 2012
- You have gathered and confirmed the information and tasks in the Agent Management Job checklist.
Refer to Agent Management Job Checklist for a description.
If your organization uses a third-party firewall:
- Do not complete the steps for creating Windows Firewall exceptions. Your third-party firewall makes them unnecessary.
- However, you must create exceptions for Ivanti Endpoint Security within your third-party firewall. For additional information, refer to Port and ICMP Requirements for an Agent Management Job.
- Start applicable Windows services.
  Tip: There are specific Windows services that are necessary for successful Agent Management Job completion.
  - Open Administrative Tools.
  - Double-click Services.
    The Services dialog opens.
  - Ensure the necessary Windows services are started for an Agent Management Job.
    The following list itemizes the services that must be started for Agent Management Job completion.
    - DCOM Server Process Launcher
    - Remote Procedure Call (RPC)
    - Server
    - Windows Firewall
    - Windows Management Instrumentation
    In environments that use a third-party firewall, ensure the Windows Firewall service is instead disabled.
  - If all of the listed services required for your configuration purposes have a Server status of Started, continue to the next step. If any of the listed services for your configuration purposes are not started, complete the following:
    - Right-click the applicable service and select Properties.
    - Ensure Startup type list is set to Automatic. If edits are necessary, click Apply after selecting Automatic from the list.
    - Click Start.
    - Click OK.
    - If necessary, repeat the previous steps for each unstarted service.
  - Close the Services dialog and the Administrative Tools dialog.
  The applicable Windows services for a successful Agent Management Job are started.
- Configure Sharing and Discovery settings.
  Tip: The discovery setting allows the endpoint to be seen by the Ivanti Endpoint Security server, while the file sharing setting allows the Ivanti Endpoint Security server to install the agent during agent management. These settings are necessary for a successful Agent Management Job.
  - From Control Panel, click Network and Internet.
    Control Panel opens to the Network and Internet options.
  - Click Network and Sharing Center.
    Control Panel opens to the Network and Sharing Center.
  - Click Change advanced sharing settings.
    The Change sharing options for different network profiles window opens.
  - Ensure Network discovery is enabled.
    Enabling this setting makes the endpoint publicly known within the network.
    - Expand one of the following network locations:
      - Private
      - Guest or Public
      - Domain
    - Scroll to Network discovery.
    - Ensure Turn on network discovery option is selected.
    - Ensure Turn on automatic setup of network connected devices option is cleared.
    - If necessary, click Save Changes.
    - Repeat these steps for each profile section.
    Endpoint Security uses the information shared by this setting to return more detailed information about the endpoint during discovery scanning.
  - Ensure File sharing is enabled.
    - Expand one of the following sections:
      - Private
      - Guest or Public
      - Domain
    - Scroll to File and printer.
    - Ensure Turn on file and printer sharing option is selected.
    - If necessary, click Save Changes.
    - Repeat these steps for each profile section.
  - Close the Change sharing options for different network profiles window.
  The Sharing and Discovery settings have now been configured for the Agent Management Job.
- Ensure Windows Firewall is configured to allow exceptions.
  Tip: A Windows Firewall that does not allow exceptions will block pings and other agent management processes necessary for a successful Agent Management Job.
  - Open a run prompt.
  - Type gpedit.msc in the Open field and press ENTER.
    The Local Group Policy Editor opens.
  - Expand the local computer policy tree to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profiles. Ensure Domain Profiles folder is selected.
    The Domain Profile window opens.
  - Ensure the following settings (and their subsettings) are configured for the Domain Profile.
    - Windows Firewall: Do not allow exceptions
      - Right-click and select Edit to open the setting dialog.
      - Ensure Disabled option is selected.
      - Click OK.
    - Windows Firewall: Allow inbound file and printer sharing exception
      - Right-click and select Edit to open the setting dialog.
      - Ensure Enabled option is selected.
      - Define an IP range in the Allow unsolicited incoming messages from field.
        Note: Ivanti recommends defining this field using your Ivanti Endpoint Security Server IP address. This input is not validated. To define a range, you may use the following syntax:
        - * (any IP address)
        - 10.3.2.0/24 (specific Class C subnet)
        - localsubnet (for local subnetwork access only)
      - Click OK.
    - Windows Firewall: Allow ICMP exceptions
      - Right-click and select Edit to open the setting dialog.
      - Ensure Enabled option is selected.
      - Click OK.
    - Windows Firewall: Allow inbound remote administration exception
      - Right-click and select Edit to open the setting dialog.
      - Ensure Enabled option is selected.
      - Define an IP range in the Allow unsolicited incoming messages from field.
        Note: Ivanti recommends defining this field using your Ivanti Endpoint Security Server IP address. This input is not validated. To define a range, you may use the following syntax:
        - * (any IP address)
        - 10.3.2.0/24 (specific Class C subnet)
        - localsubnet (for local subnetwork access only)
      - Click OK.
  - Expand the local computer policy tree to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profiles. Ensure Standard Profiles folder is selected.
    The Standard Profile window opens.
  - Ensure the following settings (and their subsettings) are configured for the Standard Profile.
    Tip: These settings will mimic the Domain Profile.
    - Windows Firewall: Do not allow exceptions
      - Right-click and select Edit to open the setting dialog.
      - Ensure Disabled option is selected.
      - Click OK.
    - Windows Firewall: Allow inbound file and printer sharing exception
      - Right-click and select Edit to open the setting dialog.
      - Ensure Enabled option is selected.
      - Define an IP range in the Allow unsolicited incoming messages from field.
        Note: Ivanti recommends defining this field using your Ivanti Endpoint Security Server IP address. This input is not validated. To define a range, you may use the following syntax:
        - * (any IP address)
        - 10.3.2.0/24 (specific Class C subnet)
        - localsubnet (for local subnetwork access only)
      - Click OK.
    - Windows Firewall: Allow ICMP exceptions
      - Right-click and select Edit to open the setting dialog.
      - Ensure Enabled option is selected.
      - Click OK.
    - Windows Firewall: Allow inbound remote administration exception
      - Right-click and select Edit to open the setting dialog.
      - Ensure Enabled option is selected.
      - Define an IP range in the Allow unsolicited incoming messages from field.
        Note: Ivanti recommends defining this field using your Ivanti Endpoint Security Server IP address. This input is not validated. To define a range, you may use the following syntax:
        - * (any IP address)
        - 10.3.2.0/24 (specific Class C subnet)
        - localsubnet (for local subnetwork access only)
      - Click OK.
  - Close the Local Group Policy Editor (or the Group Policy Object Editor).
  Note: The creation of Windows Firewall exceptions opens the following ports, which are required for job completion:
  - 445/TCP
  - 139/TCP
  - 135/UDP
  - 137/UDP
  The Windows Firewall is configured to allow exceptions for an Agent Management Job.
- Complete the configuration of your endpoint by verifying that the C$ and ADMIN$ network shares are enabled.
  Tip: The C$ and ADMIN$ network shares are necessary for remote management. This is necessary for a successful Agent Management Job completion.
  - From a Command Prompt, type net share and press ENTER.
    The endpoint network shares are listed.
  - Ensure that the following shares are listed in the Share name column.
    - C$
    - ADMIN$
    If these shares are not listed, complete the following steps to enable them. If one of the necessary shares is enabled but not the other, only enable the share that needs to be enabled.
  - From the Command Prompt, type the necessary commands to enable the required network shares.
    - To enable the C$ share, type NET SHARE C$=C and press ENTER.
    - To enable the ADMIN$ share, type NET SHARE ADMIN$ and press ENTER.
    You have enabled the required share(s). All enabled shares remain active until the system reboots.
  - Close the Command Prompt window.
  You have completed the configuration of your endpoint for an Agent Management Job by verifying that the C$ and ADMIN$ network shares are enabled.
You have completed all necessary configuration steps.
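The following PowerShell script is an added example, not part of the Ivanti documentation: a read-only audit of the services, firewall exception scope, and administrative shares configured in the steps above, saved as a script and run on the endpoint. The function names, the service short names, and the registry locations of the firewall policy values are assumptions not taken from this page.

```powershell
# Added example: read-only audit of the settings this page configures (run elevated).
param([switch]$ThirdPartyFirewall)   # set when another product replaces Windows Firewall

function New-Check($Check, $Value, $Ok) { [pscustomobject]@{ Check = $Check; Value = $Value; Ok = [bool]$Ok } }

# Service short names: assumed mapping to the display names listed on the page.
$services = [ordered]@{
    DcomLaunch   = 'DCOM Server Process Launcher'
    RpcSs        = 'Remote Procedure Call (RPC)'
    LanmanServer = 'Server'
    MpsSvc       = 'Windows Firewall'
    Winmgmt      = 'Windows Management Instrumentation'
}

function Test-RequiredService {
    foreach ($name in $services.Keys) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        $ok  = $svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto'
        # With a third-party firewall the page wants the Windows Firewall service disabled.
        if ($ThirdPartyFirewall -and $name -eq 'MpsSvc') { $ok = $svc.StartMode -eq 'Disabled' }
        New-Check "Service: $($services[$name])" "$($svc.State)/$($svc.StartMode)" $ok
    }
}

function Test-FirewallExceptionScope {
    # Registry values behind the policy settings (assumed locations, not from the page).
    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
        $p = Get-ItemProperty "$root\$fwProfile" -ErrorAction SilentlyContinue
        New-Check "$fwProfile DoNotAllowExceptions" $p.DoNotAllowExceptions ($p.DoNotAllowExceptions -eq 0)
        foreach ($sub in 'Services\FileAndPrint', 'RemoteAdminSettings') {
            $e = Get-ItemProperty "$root\$fwProfile\$sub" -ErrorAction SilentlyContinue
            # '*' is accepted syntax but admits any source; the page recommends the server IP.
            $ok = $e.Enabled -eq 1 -and $e.RemoteAddresses -and $e.RemoteAddresses -ne '*'
            New-Check "$fwProfile $sub" "Enabled=$($e.Enabled) From=$($e.RemoteAddresses)" $ok
        }
    }
}

function Test-AdminShare {
    foreach ($share in 'C$', 'ADMIN$') {
        $s = Get-CimInstance Win32_Share -Filter "Name='$share'"
        New-Check "Share: $share" $s.Path $s
    }
}

$results = @(Test-RequiredService) + @(Test-AdminShare)
if (-not $ThirdPartyFirewall) { $results += @(Test-FirewallExceptionScope) }
$results | Format-Table -AutoSize
```

Because the scope field is not validated by the policy editor, a row with `Ok` set to False for a firewall exception is worth checking by hand: it means the exception is missing, has no source address, or is open to any address rather than limited to the Ivanti Endpoint Security Server.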
After Completing This Task:
Refer to Agent Management Job Checklist prior to beginning the Agent Management Job.