Service Manager powered by HEAT

Working with Gateways

About Gateways

Gateways are part of ISM Discovery and give you a single point from which to manage your assets and other discovery tasks. You can install more than one gateway, but if you do, one gateway must be designated as a central gateway. There are two types of gateways: the standard gateway and the data center edition gateway. Both gateways allow you to do the following:

Enter default administrator credentials to run tasks for computers on the network.

Deploy client agents to computers on the network.

Create and run specific tasks such as running active directory scans.

Assign client tasks to the gateway based on the client IP and subnets that are specified on subnet entries on the Client Task Subnets tab.

Deploy settings to the gateway.

You can do the following with a data center edition gateway:

Create new IP ranges to use with NetScan.

Enter NetScan SNMP protocols to run SNMP queries.

Create new VMHA (virtual machine host auditor) configurations.

Use a proxy server to relay messages to the server.

See Standard Gateway System Prerequisites for the installation requirements for the gateway computer.

If you are migrating from ISM Discovery Release 9.x to ISM Discovery, we recommend that you install a gateway before you run the migration tool. If you create a gateway after running the migration tool, you may need to rerun the migration tool or manually relink the data to the gateway.

Before starting the installation, you can specify a default organizational unit to associate with your gateway. All clients deployed by the gateway are associated with that organizational unit by default, although this can be changed later.

When you specify a default organizational unit during installation, ensure that the computer you are using to install the gateway does not already have a configuration item record in Ivanti Service Manager. If it does, you can delete it before you begin.

After installation, the gateway runs the ISM Discovery client to generate a unique client ID. A registration message is then sent to the Ivanti Service Manager server.

When the registration message has been received and processed by the server, the gateway computer appears in the Gateway workspace.

Gateways process messages sent to them by the client agents. Administrators can access the Integration Queue and Message Queue Journal workspaces to view and track messages.

Standard Gateway System Prerequisites

Ensure that you have the following information before you begin installing the gateway:

The name of the gateway (this is usually populated automatically).

The name of the domain on which the gateway will install clients.

Any associated subnets.

The local path of the Ivanti Service Manager agent deployment share.

The account name and password on the computers to which the gateway deploys. The account must have administrative privileges on the client computers.

The client access key. The Ivanti Service Manager gateway installer package contains a unique client access key used to authenticate incoming data from the customer. (This is provided automatically during the installation.)

The following operating systems can be used to install Ivanti Service Manager standard gateways:

Windows 7 and later operating systems.

Domain administrator rights or local administrator rights for each machine that will be audited.

For on-premise installations, turn off or disable user access control.

Open ports to facilitate network access.

Before performing the inventory management activities, open the appropriate network ports for the gateway to communicate effectively with the domain controller. In your firewall settings for the service, enter the appropriate port and select the protocol option (see the following table).

To properly deploy multiple processes with heavy CPU usage (such as ISM Discovery imports or daily user synchronization), and to balance resource utilization, we recommend a separate dedicated machine for the gateway.

HEAT Discovery Applications, Ports, and Protocols

The following port and protocol requirements are used for set up, discovery, and audit activities in ISM Discovery:

| Application | Process | Activity | Port | Protocol | Endpoint |
|---|---|---|---|---|---|
| Gateway and client installation | setup.exe | Installation | 80 | http | SaaS web server |
| SaaS IM Gateway | Active directory scan | Discovery | 389 | LDAP | Active directory server in the local domain |
| SaaS IM Client | LanProbe | Discovery | 161 | SNMP | Devices on the network |
| SaaS IM Client | Audit message transport | Audit | 443 | SOAP messages over https | SaaS IM service |
| MDI Server | Bind SSL certificate | Discovery | | HTTPS | |
| SaaS IM Gateway | WMI Scan | Audit | 135 | RPC | Selected computer |
| SaaS IM Client | Proxy | Audit | 8097 | http | Proxy |
| Gateway Installation | IP address with the URL of the gateway | Discovery | 8097 | | Proxy |
| MDI Server | iOS inbound communications | Discovery | 8734 | | |
| Telnet | Checks net.tcp configuration | Check IP address or domain | 7100 | | IP address or domain |
| Gateway | Communicate | Discovery | 53 | UDP (for DNS) or TCP | Domain Controller |
| MDI Server | Communicate | Discovery | 1433 | | HEAT Discovery app server |

Installing a Gateway

The Ivanti Service Manager gateway can be installed on Windows 7 and later operating systems. See Standard Gateway System Prerequisites for the other requirements for the gateway computer.

If you are migrating from ISM Discovery Release 9.x to ISM Discovery, we recommend that you install a gateway before you run the migration tool. If you create a gateway after running the migration tool, you may need to rerun the migration tool or manually relink the data to the gateway.

To install the gateway on a server that does not belong to a domain, you must specify a valid local administrator user and . (dot) for the domain name. If you are using that gateway to deploy an agent to another computer in the same workgroup, the Active Directory scan does not work. It works only if the administrator user is common for the domain; in a workgroup, although the users might have the same login credentials, they are still considered two different users. To deploy an agent in this instance, use the client agent installer. See Service Manager powered by HEAT for installation options.

Before starting the installation, you can specify a default organizational unit to associate with your gateway. All clients deployed by the gateway are associated with that organizational unit by default, although this can be changed later.

When you specify a default organizational unit during installation, ensure that the computer you are using to install the gateway does not already have a configuration item record in Ivanti Service Manager. If one exists, you can delete it.

After installation, the gateway runs the ISM Discovery client to generate a unique client ID. A registration message is then sent to the Ivanti Service Manager server.

When the registration message has been received and processed by the server, the gateway computer appears in the Gateway workspace. Once the gateway is listed, you can configure it and begin to audit machines, create records, and upload the data.

The ADScan function is run on a gateway and does the following:

1. Calls the Windows ADsOpenObject API with the credentials specified during installation to get an IDirectorySearch COM object for the Active Directory domain (for example, LDAP://DC=EMEA, DC=FRS).

2. Calls IDirectorySearch.ExecuteSearch with the filter (objectCategory = computer). This uses LDAP to return all computer objects in the domain.

To perform the search, the user must be assigned permission to list content.

For more information on how to run an active directory scan, see Running an Active Directory Scan.
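
The same search can be repeated by hand to confirm that the scan account can bind and list computer objects before the gateway uses it. This is an added PowerShell example, not Ivanti's ADScan code; it uses the .NET DirectorySearcher class in place of the ADsOpenObject and IDirectorySearch calls, and the default domain path is the one from the example above.

```powershell
# Added example: repeats the ADScan query with the account the gateway will use.
param(
    [string]$LdapPath = 'LDAP://DC=EMEA,DC=FRS',   # domain path from the page's example
    [pscredential]$Credential = (Get-Credential -Message 'Gateway scan account')
)
Add-Type -AssemblyName System.DirectoryServices

# AuthenticationTypes.Secure negotiates Kerberos/NTLM, so the password is not
# sent as a cleartext simple bind over LDAP port 389.
$root = New-Object System.DirectoryServices.DirectoryEntry(
    $LdapPath, $Credential.UserName,
    $Credential.GetNetworkCredential().Password,
    [System.DirectoryServices.AuthenticationTypes]::Secure)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = '(objectCategory=computer)'   # same filter ADScan uses
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.PageSize    = 500    # enable paging so large domains are not truncated
$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'dNSHostName', 'distinguishedName'))

try {
    $results = $searcher.FindAll()
    $computers = foreach ($r in $results) {
        # Result property keys are lower case; an attribute may be absent.
        $dn = [string]($r.Properties['distinguishedname'] | Select-Object -First 1)
        [pscustomobject]@{
            Name        = [string]($r.Properties['name'] | Select-Object -First 1)
            DnsHostName = [string]($r.Properties['dnshostname'] | Select-Object -First 1)
            Container   = ($dn -split ',', 2)[1]   # parent OU or container of the object
        }
    }
    "Computer objects visible to $($Credential.UserName): $(@($computers).Count)"
    # A container missing from this list, with no error raised, can mean the
    # account lacks permission to list content there.
    $computers | Group-Object Container | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
} catch {
    Write-Warning "Search failed (credentials, unreachable DC, or blocked port 389): $($_.Exception.Message)"
} finally {
    if ($results) { $results.Dispose() }
    $searcher.Dispose()
    $root.Dispose()
}
```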

Setting Up the Gateway Proxy Server with SSL

Use the following process when you need to use a secure proxy server. You must have an SSL certificate installed prior to creating the new binding. A self-signed certificate may work for testing purposes.

Do the following to ensure that the server works as expected:

1. Open a browser window and paste in the following URL, where Disco_Server_I_Port_Name is the IP address or name of the server where ISM Discovery is installed. This should be the same as the base URL (for the tenant) in the Ivanti Service Manager configuration database: http://Disco_Server_I_Port_Name/AgentTaskWs/AgentTaskWS.asmx.

2. Press Enter to ensure that you receive the proper response.

You should see an AgentTaskWebService window that confirms that the get client tasks and get client update agent tasks are supported.

Do the following to ensure that the proxy server redirects traffic correctly:

1. Replace the IP address with the URL of the gateway and add port 8097 as seen in the following example: http://Gateway_I_Port_Name:8097/AgentTaskWs/AgentTaskWS.asmx. You should receive the same response from the agent task web service.

2. If both URLs are working correctly, change the binding of the proxy to use SSL and port 443.

Do the following to set SSL and port 443:

1. On the gateway server, open Computer Management > Services and Applications > IIS.

2. Right-click GatewayProxy and select Edit Bindings.... You should see only one binding configured with HTTP and port 8097.

3. Click Add... and create a new HTTPS binding with port 443.

4. Select the SSL certificate that you installed.

5. Repeat the proxy server test seen above, this time using HTTPS instead of HTTP, and port 443 instead of 8097, to ensure that you receive the same responses. You may need to reset Microsoft IIS first.
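
The proxy checks in the steps above can be scripted. This is an added PowerShell example, not Ivanti tooling: it requests the agent task web service through the gateway on HTTP 8097 and on HTTPS 443, then reports the certificate bound to 443, including whether it is self-signed. The host name gateway.example.test and the function names are placeholders.

```powershell
# Added example; $GatewayHost and the function names are placeholders.
param([string]$GatewayHost = 'gateway.example.test')
$path = '/AgentTaskWs/AgentTaskWS.asmx'
# Windows PowerShell 5.1 may default to older TLS versions; request TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-EndpointStatus([string]$Url) {
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{ Url = $Url; Status = [int]$r.StatusCode; Length = $r.Content.Length; Error = $null }
    } catch {
        # An untrusted (for example self-signed) certificate surfaces here as a trust error.
        [pscustomobject]@{ Url = $Url; Status = $null; Length = $null; Error = $_.Exception.Message }
    }
}

function Get-TlsCertificateInfo([string]$HostName, [int]$Port = 443) {
    $script:policyErrors = $null
    # Accept any certificate for inspection only; no request is sent on this stream.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            PolicyErrors = $script:policyErrors   # None = trusted chain and matching name
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

@(
    Get-EndpointStatus "http://${GatewayHost}:8097$path"
    Get-EndpointStatus "https://${GatewayHost}$path"
) | Format-Table -AutoSize -Wrap
try { Get-TlsCertificateInfo $GatewayHost | Format-List }
catch { Write-Warning "TLS handshake on port 443 failed: $($_.Exception.Message)" }
```

Matching Status and Length values on both rows correspond to the "same response" the procedure asks for; an Error on the HTTPS row together with SelfSigned = True shows that clients which validate certificates will reject the binding.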

Uninstalling the Gateway

To uninstall the gateway, do one of the following:

Rerun the gateway installer and follow the wizard instructions to uninstall it.

From the Windows control panel, select Uninstall.

When you uninstall the gateway, the system removes both the Ivanti Service Manager Cloud gateway and the Ivanti Service Manager agent from the local computer. The Ivanti Service Manager Cloud gateway is unable to inform the Ivanti Service Manager server that it has been uninstalled.

FAQ for Upgrading the HEAT Discovery Gateway from Earlier Versions

Does the ISM Discovery gateway need to be reinstalled or upgraded?

Yes. The ISM Discovery gateway needs to be reinstalled manually. The newer gateway (version 2.0) is backward compatible and does support the client version 1.9.

How does the new agent get deployed via the gateway?

Gateways older than version 2.0 cannot support the newer versions of the client agent and must first be upgraded.

Do I need to uninstall the old version of the client agent? Initial testing shows that the old ISM Discovery agent does not get cleanly removed when manually uninstalled, leaving behind folders and files.

No, you do not have to uninstall the existing client prior to installing version 2.0. The residual folders and files have no side effects when the newer client agent is installed.

You have the following options to install the newer client agent:

If the previous client agent was manually installed by an installer (Windows/Mac/OSX/Linux/Unix), first uninstall the older client agent and then manually reinstall the new client agent.

For Windows machines only, regardless of whether the client agent was installed manually or by the gateway, you can upgrade the clients automatically by using the following procedure:

a. Uninstall the previous version of the gateway and install the new version of the gateway.
b. The previous version of the client agent checks the version of the gateway. If the gateway is still the older version, it does not upgrade the client agent. If the gateway is the newer version, all Windows client agents related to the new gateway execute a task called a binary update. This automatically upgrades the client agent to the new version.

How do I determine if a client agent is affected by a gateway?

Check the client task subnets of the gateway to see if the IP address of the computer belongs in that range.

Do I need to remove the agent via the configuration item business object or can this be rolled out via an SCCM package?

No, you can simply run the new installer and it upgrades the agent.

