Configuring Endpoints for Discovery

For Ivanti Endpoint Security to discover Windows endpoints, they must have both network discovery and file sharing enabled. Target endpoints without these features enabled will not be discovered.

Note: If your organization uses a third-party firewall:

  • Do not complete the steps in this procedure for creating Windows Firewall exceptions. Your third-party firewall makes them unnecessary.
  • You must create exceptions for Ivanti Endpoint Security within your third-party firewall. For additional information, refer to Port and ICMP Requirements for an Agent Management Job.

You can perform this procedure on endpoints with the following operating systems:

  • Windows 10
  • Windows 8.1
  • Windows 8
  • Windows 7
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2

First, ensure that the services necessary for successful discovery scanning are started.

  1. Open Administrative Tools.
  2. Double-click Services.
    The Services dialog opens.
  3. Ensure the necessary services are started.
    The following list itemizes the services that must be started for job completion.

    In environments that use a third-party firewall, ensure the Windows Firewall service is instead disabled.

    • DCOM Server Process Launcher
    • Remote Procedure Call (RPC)
    • Server
    • Windows Firewall
    • Windows Management Instrumentation

    If all of the listed services required for your configuration have a Status of Started, continue to the next step. If any of the listed services required for your configuration are not started, complete the following sub-steps to start them.

    1. Right-click the applicable service and select Properties.
      The properties dialog for the service opens.
    2. Ensure the Startup type list is set to Automatic. If edits are necessary, click Apply after selecting Automatic from the list.
    3. Click Start.
      The service starts.
    4. Click OK.
      The properties dialog for the service closes.
    5. If necessary, repeat the sub-steps for each unstarted service.
  4. Close the Services dialog and the Administrative Tools dialog.

    Tip: Leave Control Panel open.

  5. Next, ensure your Network and Discovery settings are configured to allow discovery. The discovery setting allows the endpoint to be seen by the Ivanti Endpoint Security server during discovery scanning.

  6. From Control Panel, click Network and Internet.
    Control Panel opens to the Network and Internet options.
  7. Click Network and Sharing Center.
    Control Panel opens to the Network and Sharing Center.
  8. Ensure Network discovery is enabled. Enabling this setting makes the endpoint publicly known within the network. Ivanti Endpoint Security uses the information shared by this setting to return more detailed information about the endpoint during discovery scanning.
  9. Based on the endpoint operating system, complete the applicable sub-steps that follow.

    Windows Server 2008 R2:

    1. Click the arrow icon adjacent to Network discovery.
    2. Ensure the Turn on network discovery option is selected.
    3. If necessary, click Apply.

    Windows 7:

    1. Click Change advanced sharing settings.
    2. Expand one of the following sections:
      • Home or Work
      • Public
      • Domain
    3. Scroll to Network discovery.
    4. Ensure the Turn on network discovery option is selected.
    5. If necessary, click Save Changes.
    6. Repeat these sub-steps for each profile section.

    Windows 8 or Windows Server 2012:

    1. Click Change advanced sharing settings.
    2. Expand one of the following sections:
      • Private
      • Guest or Public
      • Domain
    3. Scroll to Network discovery.
    4. Ensure the Turn on network discovery option is selected.
    5. Ensure the Turn on automatic setup of network connected devices option is cleared.
    6. If necessary, click Save Changes.
    7. Repeat these sub-steps for each profile section.
  10. [Optional] Ensure File sharing is enabled.

    Tip: Completion of this step is optional. However, if you enable File Sharing, you must also create a firewall exception for it.

  11. Based on the endpoint operating system, complete the applicable sub-steps that follow.

    Windows Server 2008 R2:

    1. Click the arrow icon adjacent to File Sharing.
    2. Ensure the Turn on file sharing option is selected.
    3. If necessary, click Apply.

    Windows 7:

    1. Ensure you have clicked Advanced sharing settings.
    2. Expand one of the following sections:
      • Home or Work
      • Public
      • Domain
    3. Scroll to File and printer sharing.
    4. Ensure the Turn on file and printer sharing option is selected.
    5. If necessary, click Save Changes.
    6. Repeat these sub-steps for each profile section.

    Windows 8 or Windows Server 2012:

    1. Click Change advanced sharing settings.
    2. Expand one of the following sections:
      • Private
      • Guest or Public
      • Domain
    3. Scroll to File and printer sharing.
    4. Ensure the Turn on file and printer sharing option is selected.
    5. If necessary, click Save Changes.
    6. Repeat these sub-steps for each profile section.
  12. Close Network and Sharing Center.
    Network and Sharing Center closes.
  13. Next, ensure the Windows Firewall is configured to allow exceptions for discovery scans. A Windows Firewall that does not allow exceptions will block pings and other discovery scan processes. Ensure that firewall exceptions are in place for successful discovery scanning.

    Create the firewall exceptions using the Local Group Policy Editor. Create exceptions for both the standard and domain profiles.

    In environments using a third-party firewall, do not complete the steps to create Windows Firewall exceptions. Instead, create exceptions in your third-party firewall. For additional information, refer to Port and ICMP Requirements for an Agent Management Job.

  14. Open a Run prompt.
  15. Based on the endpoint operating system, complete the applicable sub-steps that follow.

    Windows 7 and Windows Server 2008 R2:

    1. Select the Start menu.
    2. Type run in the Search field and press ENTER.

    Windows 8 or Windows Server 2012:

    1. Press the Windows Logo key.
    2. Type run and press ENTER.

    The Run prompt opens.

  16. Type gpedit.msc in the Open field and press ENTER.
    The Local Group Policy Editor opens.

  17. Once you have selected the domain profile, you must configure the following firewall exception settings (and their subsettings) for discovery purposes.

    • Windows Firewall: Do not allow exceptions
    • Windows Firewall: Allow inbound file and printer sharing exceptions
    • Windows Firewall: Allow ICMP exceptions

    The following steps fully explain how to configure each setting.

  18. Expand the local computer policy tree to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profiles. Ensure the Domain Profiles folder is selected.
  19. Disable the Windows Firewall: Do not allow exceptions setting.
    1. From the main pane, right-click Windows Firewall: Do not allow exceptions and select Edit (or Properties).
      The setting dialog opens.
    2. Ensure the Disabled option is selected.
    3. Click OK.

    The Windows Firewall: Do not allow exceptions setting is configured for agent management.

  20. [Optional] Configure the Windows Firewall: Allow inbound file and printer sharing exceptions setting.

    Tip: Enable this setting if you turned on File and Printer Sharing earlier in the procedure.

    1. From the main pane, right-click Windows Firewall: Allow inbound file and printer sharing exceptions and select Edit (or Properties).
      The setting dialog opens.
    2. Ensure the Enabled option is selected.
    3. [Optional] Define an IP range in the Allow unsolicited incoming messages from field. Ivanti recommends defining this field using your Ivanti Endpoint Security Server IP address.

      To define a range, you may use the following syntax. This input is not validated.

      • * (any IP address)
      • 10.3.2.0/24 (specific Class C subnet)
      • localsubnet (for local subnetwork access only)
    4. Click OK.
      The Windows Firewall: Allow inbound file and printer sharing exceptions setting is configured for discovery scanning.
  21. Configure the Windows Firewall: Allow ICMP exceptions setting.
    1. From the main pane, right-click Windows Firewall: Allow ICMP exceptions setting and select Edit (or Properties).
      The setting dialog opens.
    2. Ensure the Enabled option is selected.
    3. Within Options, ensure the Allow inbound echo request check box is selected.
    4. Within Options, ensure all other check boxes are cleared.
    5. Click OK.
      The Windows Firewall: Allow ICMP exceptions setting is configured for agent management.
  22. After configuring firewall exceptions for the domain profile, you must also complete identical steps to configure firewall exceptions for your standard profile.

    Configure the following settings for discovery purposes:

    • Windows Firewall: Do not allow exceptions
    • Windows Firewall: Allow inbound file and printer sharing exceptions
    • Windows Firewall: Allow ICMP exceptions

    The following steps fully explain how to configure each setting.

  23. Expand the local computer policy tree to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile. Ensure the Standard Profile folder is selected.
  24. Disable the Windows Firewall: Do not allow exceptions setting.
    1. From the main pane, right-click Windows Firewall: Do not allow exceptions and select Edit (or Properties).
      The setting dialog opens.
    2. Ensure the Disabled option is selected.
    3. Click OK.
      The Windows Firewall: Do not allow exceptions setting is configured for agent management.
  25. [Optional] Configure the Windows Firewall: Allow inbound file and printer sharing exceptions setting.

    Tip: Enable this setting if you turned on File and Printer Sharing earlier in the procedure.

    1. From the main pane, right-click Windows Firewall: Allow inbound file and printer sharing exceptions and select Edit (or Properties).
      The setting dialog opens.
    2. Ensure the Enabled option is selected.
    3. [Optional] Define an IP range in the Allow unsolicited incoming messages from field. Ivanti recommends defining this field using your Ivanti Endpoint Security Server IP address.

      To define a range, you may use the following syntax. This input is not validated.

      • * (any IP address)
      • 10.3.2.0/24 (specific Class C subnet)
      • localsubnet (for local subnetwork access only)
    4. Click OK.
      The Windows Firewall: Allow inbound file and printer sharing exceptions setting is configured for discovery scanning.
  26. Configure the Windows Firewall: Allow ICMP exceptions setting.
    1. From the main pane, right-click Windows Firewall: Allow ICMP exceptions setting and select Edit (or Properties).
      The setting dialog opens.
    2. Ensure the Enabled option is selected.
    3. Within Options, ensure the Allow inbound echo request check box is selected.
    4. Within Options, ensure all other check boxes are cleared.
    5. Click OK.
      The Windows Firewall: Allow ICMP exceptions setting is configured for agent management.
  27. Close the Local Group Policy Editor (or the Group Policy Object Editor).
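The same three policy settings can be written for both profiles from an elevated PowerShell prompt, which is useful when many endpoints need the change. This is an added example, not Ivanti tooling; the Windows Firewall policy registry locations and the placeholder server address are assumptions of the script, and a domain GPO will override local policy values.

```powershell
# Added example (not from the Ivanti documentation): writes the local Group
# Policy values that steps 17-27 set through gpedit.msc, for the Domain and
# Standard profiles. The registry keys below are the standard Windows Firewall
# policy keys (an assumption of this script). Run 'gpupdate /force' afterwards.
param(
    # "Allow unsolicited incoming messages from": '*', a subnet such as
    # 10.3.2.0/24, or 'localsubnet'. Placeholder value; replace it with the
    # address of your Ivanti Endpoint Security server, as the page recommends.
    [string]$RemoteAddresses = '192.0.2.10'
)
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

foreach ($profile in 'DomainProfile', 'StandardProfile') {
    $root = Join-Path $base $profile
    foreach ($key in $root, "$root\Services\FileAndPrint", "$root\IcmpSettings") {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # "Windows Firewall: Do not allow exceptions" = Disabled (steps 19 and 24)
    Set-ItemProperty -Path $root -Name DoNotAllowExceptions -Value 0 -Type DWord
    # "Windows Firewall: Allow inbound file and printer sharing exceptions" =
    # Enabled, scoped to the address(es) above (steps 20 and 25)
    Set-ItemProperty -Path "$root\Services\FileAndPrint" -Name Enabled -Value 1 -Type DWord
    Set-ItemProperty -Path "$root\Services\FileAndPrint" -Name RemoteAddresses -Value $RemoteAddresses -Type String
    # "Windows Firewall: Allow ICMP exceptions" = Enabled with only inbound echo
    # request selected; every other ICMP option is explicitly cleared (steps 21 and 26)
    $icmp = @{ AllowInboundEchoRequest = 1; AllowInboundRouterRequest = 0
               AllowInboundTimestampRequest = 0; AllowInboundMaskRequest = 0
               AllowOutboundDestinationUnreachable = 0; AllowOutboundSourceQuench = 0
               AllowRedirect = 0; AllowOutboundTimeExceeded = 0
               AllowOutboundParameterProblem = 0; AllowOutboundPacketTooBig = 0 }
    foreach ($name in $icmp.Keys) {
        Set-ItemProperty -Path "$root\IcmpSettings" -Name $name -Value $icmp[$name] -Type DWord
    }
}

# Read the values back so the result can be checked before the policy refresh.
foreach ($profile in 'DomainProfile', 'StandardProfile') {
    $root = Join-Path $base $profile
    $fp = Get-ItemProperty "$root\Services\FileAndPrint"
    '{0}: DoNotAllowExceptions={1} FileAndPrint={2} from {3} InboundEchoRequest={4}' -f $profile,
        (Get-ItemProperty $root).DoNotAllowExceptions, $fp.Enabled, $fp.RemoteAddresses,
        (Get-ItemProperty "$root\IcmpSettings").AllowInboundEchoRequest
}
```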
  28. Note: The creation of Windows Firewall exceptions opens the following ports, which are required for job completion:

    • 445/TCP
    • 139/TCP
    • 135/UDP
    • 137/UDP

    Finally, complete configuration of your endpoint by ensuring the C$ and ADMIN$ network shares are shared. Enabling these shares lets the Ivanti Endpoint Security server access your endpoint.

  29. Open the Command Prompt.
  30. Based on the endpoint operating system, complete the applicable sub-steps that follow.

    Windows 7 and Windows Server 2008 R2:

    1. Select the Start menu.
    2. Type cmd in the Search field and press ENTER.

    Windows 8 or Windows Server 2012:

    1. Press the Windows Logo key.
    2. Type cmd and press ENTER.
  31. From the Command Prompt, type net share and press ENTER.
    The endpoint network shares are listed.
  32. Ensure that the following shares are listed in the Share name column.
    • C$
    • ADMIN$

      If they are already listed, proceed to the next step. If these shares are not listed, complete the following sub-steps to enable them. If one of the necessary shares is enabled but not the other, only enable the share that needs to be enabled.

      1. From the Command Prompt, type the necessary command(s) to enable any required network shares.
        • To enable the C$ share, type NET SHARE C$=C and press ENTER.
        • To enable the ADMIN$ share, type NET SHARE ADMIN$ and press ENTER.
          You have enabled the required share(s). All enabled shares remain active until the system reboots.
  33. Close the Command Prompt.
    The Command Prompt closes.
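To confirm the endpoint state before running a discovery job, the following read-only audit checks the services, the firewall rule groups, the local policy exceptions and the administrative shares this procedure configures. It is an added example rather than Ivanti's own check; the Windows service names, the policy registry keys and English-language netsh output are assumptions of the script.

```powershell
# Added example (not from the Ivanti documentation): read-only audit of the
# discovery prerequisites. Run in an elevated PowerShell prompt on the endpoint.
# Assumed, not stated on the page: service names, policy registry keys, and
# that 'netsh advfirewall' prints English field labels.
$results = @()
function Check([string]$what, [bool]$pass) {
    $script:results += New-Object PSObject -Property @{ Check = $what; Pass = $pass }
}
# Step 3: required services, keyed by Windows service name.
$services = @{ DcomLaunch = 'DCOM Server Process Launcher'; RpcSs = 'Remote Procedure Call (RPC)'
               LanmanServer = 'Server'; MpsSvc = 'Windows Firewall'
               Winmgmt = 'Windows Management Instrumentation' }
foreach ($name in $services.Keys) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    Check "Service '$($services[$name])' running with Automatic startup" `
          ($svc -ne $null -and $svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto')
}
# Steps 8-11: the rule groups behind Network discovery and File and printer sharing
# must have at least one enabled inbound rule. Parsed from netsh so it also works
# on Windows 7 / Server 2008 R2, which lack the NetSecurity module.
$rules = @(); $cur = $null
foreach ($line in (netsh advfirewall firewall show rule name=all dir=in)) {
    if ($line -match '^Rule Name:\s+(.+)$') { $cur = @{ Name = $matches[1].Trim() }; $rules += $cur }
    elseif ($cur -ne $null -and $line -match '^(Enabled|Grouping|Profiles):\s+(.+)$') {
        $cur[$matches[1]] = $matches[2].Trim()
    }
}
foreach ($group in 'Network Discovery', 'File and Printer Sharing') {
    $enabled = @($rules | Where-Object { $_.Grouping -eq $group -and $_.Enabled -eq 'Yes' })
    Check "Firewall rule group '$group' has enabled inbound rules" ($enabled.Count -gt 0)
}
# Steps 17-26: local policy exceptions for both profiles (echo request = ping).
foreach ($profile in 'DomainProfile', 'StandardProfile') {
    $root = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$profile"
    $p = Get-ItemProperty $root -ErrorAction SilentlyContinue
    $i = Get-ItemProperty "$root\IcmpSettings" -ErrorAction SilentlyContinue
    Check "$profile 'Do not allow exceptions' is Disabled" ($p -ne $null -and $p.DoNotAllowExceptions -eq 0)
    Check "$profile inbound ICMP echo request allowed" ($i -ne $null -and $i.AllowInboundEchoRequest -eq 1)
}
# Step 32: the administrative shares the server connects to.
$shares = @(Get-WmiObject Win32_Share | ForEach-Object { $_.Name })
foreach ($s in 'C$', 'ADMIN$') { Check "Share $s present" ($shares -contains $s) }

$results | Format-Table Pass, Check -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }   # non-zero exit if any check failed
```

In environments that use a third-party firewall, the Windows Firewall checks are expected to fail because that service is disabled by design.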

The endpoint is configured for discovery.