Management and Security
Self-electing subnet services
Ivanti® Endpoint Manager 10 introduced a new feature called Self-electing subnet services (SESS). With SESS, managed devices:
- Self-organize on the same subnet to provide services, allowing automatic fail-over and avoiding duplication of services.
- Use a smart election process that ranks available devices by configuration and ability to provide the service.
- Trust each other if they report to the same core server.
- Use signed messages for SESS security purposes (to avoid impersonation).
- Use the same client certificates used for CSA access.
With Endpoint Manager 2019.1, SESS is used for the following tools and services. Other services will be supported in the future.
- Unmanaged device discovery tool
- PXE boot
- Agentless scanner
- Self-electing subnet service agent state on each subnet, either enabled or disabled.
Configuring SESS in agent settings
Manage SESS from the client connectivity agent settings (Tools > Configuration > Agent settings, Client connectivity).
The multicast service is always enabled. The Extended device discovery service for ARP is also enabled by default, though you can disable it if necessary.
These services are disabled by default:
Note that for SESS to function, the deployed SESS agent setting and the desired network state in the Self-electing subnet services tool must both be enabled. If you don't enable the SESS service you want in the deployed agent settings, enabling SESS for that service in the Self-electing subnet services tool won't have an effect because there won't be electable devices on the subnet.
If for whatever reason you want to make sure a device can't be elected, you can disable SESS in its deployed agent setting.
As elected devices with SESS on them report to the core, the core creates a list of subnets it detected and the status of ARP and WAP device discovery on those subnets. This information is available in the Self-electing subnet services tool (Tools > Configuration > Self-electing subnet services).
Use this tool to:
- Configure default SESS state for newly discovered networks
- View detected subnets
- Enable/Disable SESS on devices or networks
- View the elected device for each subnet
- Specify the Windows credentials the agentless scanner service should use
To configure the default SESS state for newly discovered networks
- In the Self-electing subnet services tool, click the Set default state of new networks toolbar button.
- Enable or disable the state you want for each service.
To change the desired state of an existing network
- In the Self-electing subnet services tool, right-click the network you want to change and click Enable or Disable.
To specify Windows credentials for the agentless scanner
- See this topic: Agentless inventory and vulnerability scanner.