Security Controls

Installing and Supporting Agents on Internet-Based Machines

This section provides a base recommendation for configuring an agent policy that supports machines outside the network environment. This configuration is ideal for laptop users who are frequently disconnected from the network but who are regularly connected to the internet. It is also useful for standalone sites that do not have direct network connectivity but that do have internet access.

In this solution your agents check in and receive policy updates from the cloud. This is accomplished using an Ivanti Security Controls feature called Protect Cloud synchronization. It allows you to manage agents on machines that are not able to communicate directly with the console.

See the following topics for background information on Protect Cloud Synchronization:

Protect Cloud Synchronization Overview

Protect Cloud Synchronization Requirements and Usage Notes

How to Enable Protect Cloud Synchronization

Agent Installation

There are two primary options for installing agents on machines that are located outside the network environment.

You can perform a manual installation of the agent on each target machine

You can install agents via the cloud using Protect Cloud

A manual installation is fine if you only have a small number of machines. If you have a large target base, however, the recommendation is to perform the agent installations via the cloud.

When the process is complete, all of your agents should be able to pull policy updates and roll up results both internally and externally. You can test this by connecting a machine to the internet outside your network, kicking off a scan manually and then watching for the results; repeat this from within your network.

Configuration of the Agent Policy

1. On the main menu select New > Agent Policy.

2. Name the policy.

3. Configure options on the General Settings tab.

You can configure the Allow the user to settings as you see fit. The recommendation is to disable Cancel operations, because most users who notice a running scan will stop it, preventing the agent from performing its task.

In the Check-In interval area the recommendation is to configure frequent check-ins. This will keep the agent responsive to policy changes in your environment.

In the Engine, data, and patch download location area, Vendor over Internet is recommended in this case as the agents are expected to be primarily outside the network. If you are configuring a significant number of agents you may choose to enable Distribution Server and Use vendor as backup source. Agents will check for the latest engines and XML data file on the distribution server first, and they will use the vendor Web sites if the distribution server is not available.

In the Network area, enable the Sync with the Protect Cloud check box. This specifies that the agent will have the option to use Protect Cloud to retrieve the latest agent policy information, enabling it to perform synchronization via the cloud. This check box is only available if your console is registered with Protect Cloud. When you click Save and update Agents, a copy of the agent policy and all necessary components will be written to the Protect Cloud service.

The Agent listens for updates on port option can be enabled. If you do, the recommended security practice is to modify the firewall rules so that the port is blocked while the machine is outside the network and open while it is inside the network.
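One way to implement that firewall recommendation on a Windows laptop is to scope the rules by Windows Firewall network profile, so the listener port is reachable only on the corporate (Domain) network. This is an added example and not part of the Ivanti documentation; the port value and the rule names are placeholders, and the port must be replaced with the value configured in the policy.

```powershell
# Added example (not from the Ivanti documentation): expose the agent listener
# port only on the Domain profile and block it on Private/Public networks.
# ASSUMPTION: $AgentPort is a placeholder; use the port set in the policy's
# "Agent listens for updates on port" option.
$AgentPort = 12345                      # placeholder, replace with configured port
$RuleBase  = "Ivanti Agent Listener"    # assumed rule name prefix

# Remove earlier copies of these rules so the script can be re-run safely.
Get-NetFirewallRule -DisplayName "$RuleBase*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Allow inbound connections to the listener only on the Domain (corporate) profile.
New-NetFirewallRule -DisplayName "$RuleBase (Domain allow)" `
    -Direction Inbound -Protocol TCP -LocalPort $AgentPort `
    -Profile Domain -Action Allow | Out-Null

# Explicitly block the same port on Private and Public profiles (home, hotel,
# public Wi-Fi). In Windows Firewall an explicit block overrides an allow rule.
New-NetFirewallRule -DisplayName "$RuleBase (Off-network block)" `
    -Direction Inbound -Protocol TCP -LocalPort $AgentPort `
    -Profile Private,Public -Action Block | Out-Null

# Verification: show which profile each active network connection is using,
# then confirm both rules exist, are enabled and carry the intended profile/action.
Get-NetConnectionProfile |
    Select-Object Name, InterfaceAlias, NetworkCategory |
    Format-Table -AutoSize
Get-NetFirewallRule -DisplayName "$RuleBase*" |
    Select-Object DisplayName, Enabled, Profile, Action |
    Format-Table -AutoSize
```

Run the verification lines once on the corporate network and once from an external connection: the NetworkCategory should read DomainAuthenticated only in the first case, which is what makes the allow rule apply there and the block rule apply elsewhere.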

4. On the Patch tab, click Add a Windows Patch Task, name the task, and configure the task.

This policy is intended to focus on securing the target machine, so on the Scan and deploy options tab we recommend using Security Patch Scan as the patch scan template. You can choose to use a custom template if you wish, but we will stick to the basic security best practice for this example.

Verify that the Deploy patches check box is enabled.

Choose a deployment template that specifies the following on the Post-deploy Reboot tab:
- Reboot when needed
- Scheduled reboot on the next occurrence of specified time
- Specify a time that is after hours so as not to interrupt the end user's work day

You can specify All patches detected as missing, which would be the most secure, or you can deploy based on a Patch Group and enable the Plus all vendor critical patches check box. This option ensures that even if you have not applied the latest security patches to the patch group, or the agent has not pulled down an updated list, it will still deploy critical security patches released in the latest XML data files.

Enable the Deploy product levels check box. You can choose to deploy all product levels that are identified as missing by a scan, or you can limit the deployment to only those product levels you define in a product level group. See Product Level and Patch Deployment Process for more information.

On the Schedule tab, choose Daily and specify a time when the machine will commonly be on but when network traffic might be lower (such as the lunch hour). You can typically specify one day during the work week. If you choose a time of day that is outside normal business hours, it is recommended that you enable the Run on boot if schedule missed check box to ensure that the assessment occurs even if the last scheduled task was missed.

5. Click Save and update Agents.

Related Topics

Console Software and Hardware Recommendations

Port Requirements and Firewall Configuration

Distributed Environment Management

Configuring Agentless Patch Management

Best Approach for Applying Patches in an Agentless Environment

Automating Patch Management in an Agentless Environment

Agent-Based Patch Management

Agent Rollout Options

Agent-Based Product Level and Patch Deployment Process

Guide to Surviving Patch Tuesday

Microsoft SQL Server Database Maintenance

Performing Patching in a Disconnected Environment
