Installing and Supporting Agents on Internet-Based Machines
This section provides a base recommendation for configuring an agent policy that supports machines outside the network environment. This configuration is ideal for laptop users who are frequently disconnected from the network but who are regularly connected to the internet. It is also useful for standalone sites that do not have direct network connectivity but that do have internet access.
In this solution your agents check in and receive policy updates from the cloud. This is accomplished using an Ivanti Security Controls feature called Security Controls Cloud Synchronization. It allows you to manage agents on machines that are not able to communicate directly with the console.
See the following topics for background information on Security Controls Cloud Synchronization:
- Security Controls Cloud Synchronization Overview
- Security Controls Cloud Synchronization Requirements and Usage Notes
- How to Enable Security Controls Cloud Synchronization
Agent Installation
There are two primary options for installing agents on machines that are located outside the network environment.
- You can perform a manual installation of the agent on each target machine
- You can install agents via the cloud using Security Controls Cloud
A manual installation is fine if you only have a small number of machines. If you have a large target base, however, the recommendation is to perform the agent installations via the cloud.
When the process is complete, all of your agents should be able to pull policy updates and roll up results both internally and externally. You can test this by connecting a machine to the internet outside your network, kicking off a scan manually and then watching for the results; repeat this from within your network.
Configuration of the Agent Policy
- On the main menu select New > Agent Policy.
- Name the policy.
- Configure options on the General Settings tab.
- On the Patch tab, click Add a Windows Patch Task, name the task, and configure the task.
- Click Save and update Agents.
You can configure the Allow the user to settings as you see fit. The recommendation is to disable Cancel operations, because most users who notice a scan running will stop it, preventing the agent from performing its task.
In the Check-In interval area the recommendation is to configure frequent check-ins. This will keep the agent responsive to policy changes in your environment.
In the Engine, data, and patch download location area, Vendor over Internet is recommended in this case because the agents are expected to be primarily outside the network. If you are configuring a significant number of agents you may choose to enable Distribution Server and Use vendor as backup source. Agents will check for the latest engines and XML data file on the distribution server first, and they will fall back to the vendor websites if the distribution server is not available.
In the Network area, enable the Sync with the Security Controls Cloud check box. This specifies that the agent will have the option to use Security Controls Cloud to retrieve the latest agent policy information, enabling it to perform synchronization via the cloud. This check box is only available if your console is registered with Security Controls Cloud. When you click Save and deploy to agents, a copy of the agent policy and all necessary components will be written to the Security Controls Cloud service.
The Agent listens for updates on port option can be enabled. If you enable it, the recommended security practice is to configure the firewall rules so that the port is blocked when the machine is outside the network and open only while it is inside the network.
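One way to implement that firewall recommendation on a Windows laptop is to scope the inbound rule to the Domain profile only and explicitly block the port on the Private and Public profiles, so the listener is reachable only while the machine is on the corporate network. This is an added example, not part of the Ivanti documentation; the port number is a placeholder that must be replaced with the value configured in the agent policy.

```powershell
# Added example: scope the agent listener port by Windows Firewall network profile.
# Placeholder: replace with the port configured under "Agent listens for updates on port".
$AgentListenPort = 12345

# Allow inbound connections to the listener only on the Domain profile
# (i.e. when the machine is joined to and connected to the corporate network).
New-NetFirewallRule -DisplayName "Security Controls Agent Listener (inside network)" `
    -Direction Inbound -Protocol TCP -LocalPort $AgentListenPort `
    -Profile Domain -Action Allow -Enabled True

# Explicitly block the same port on the Private and Public profiles
# (home, hotel and coffee-shop networks), so it is never exposed outside the network.
New-NetFirewallRule -DisplayName "Security Controls Agent Listener (outside network)" `
    -Direction Inbound -Protocol TCP -LocalPort $AgentListenPort `
    -Profile Private, Public -Action Block -Enabled True

# Verification: show which profile the active connection is classified under
# and confirm both rules are present and enabled.
Get-NetConnectionProfile | Select-Object Name, NetworkCategory
Get-NetFirewallRule -DisplayName "Security Controls Agent Listener*" |
    Select-Object DisplayName, Profile, Action, Enabled
```

Because the rules are keyed on the firewall profile rather than an IP range, the machine switches to the blocking rule automatically when it leaves the domain network; the agent still checks in over the outbound cloud synchronization channel.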
This policy is intended to focus on securing the target machine, so on the Scan and deploy options tab we recommend using Security Patch Scan as the patch scan template. You can choose to use a custom template if you wish, but we will stick to the basic security best practice for this example.
Verify that the Deploy patches check box is enabled.
Choose a deployment template that specifies the following on the Post-deploy Reboot tab:
- Reboot when needed
- Scheduled reboot on the next occurrence of specified time
- Specify a time that is after hours so as not to interrupt the end users' work day
You can specify All patches detected as missing, which would be the most secure, or you can deploy based on a Patch Group and enable the Plus all vendor critical patches check box. This option ensures that even if you have not applied the latest security patches to the patch group, or the agent has not pulled down an updated list, it will still deploy critical security patches released in the latest XML data files.
Enable the Deploy product levels check box. You can choose to deploy all product levels that are identified as missing by a scan, or you can limit the deployment to only those product levels you define in a product level group. See Product Level and Patch Deployment Process for more information.
On the Schedule tab, choose Daily and specify a time when the machine will commonly be on but when network traffic might be lower (such as the lunch hour). You can typically specify one day during the work week. If you choose a time of day that is outside normal business hours, it is recommended that you enable the Run on boot if schedule missed check box to ensure that the assessment still occurs if the last scheduled task was missed.
Related Topics
- Console Software and Hardware Recommendations
- Port Requirements and Firewall Configuration
- Distributed Environment Management
- Agentless Patch Management
- Best Approach for Applying Patches in an Agentless Environment
- Automating Patch Management in an Agentless Environment
- Agent-Based Patch Management
- Agent Rollout Options
- Agent-Based Product Level and Patch Deployment Process
- Guide to Surviving Patch Tuesday
- Microsoft SQL Server Database Maintenance
- Performing Patching in a Disconnected Environment