Self-electing subnet services
Ivanti® Endpoint Manager uses a feature called Self-electing subnet services (SESS). With SESS, managed devices:
- Self-organize on the same subnet to provide services, allowing automatic fail-over and avoiding duplication of services.
- Use a smart election process that ranks available devices by configuration and ability to provide the service.
- Trust each other if they report to the same core server.
- Use signed messages for SESS security purposes (to avoid impersonation).
- Use the same client certificates used for CSA access.
SESS is used for the following tools and services. Other services will be supported in the future.
- ARP and WAP extended device discovery
- Multicast
- PXE boot
- Agentless scanner
- Agent state
- Network mapping
- macOS Content Caching control
- Self-electing subnet service agent state on each subnet, either enabled or disabled.
Configuring SESS in agent settings
Manage SESS from the client connectivity agent settings (Tools > Configuration > Agent settings, Client connectivity).
These services are enabled by default:
- Self-electing subnet services
- Extended device discovery (ARP)
- Agent state
- Network map
These services are disabled by default:
- Extended device discovery WAP discovery
- Provisioning PXE server
- Agentless scanner service
- macOS Content Caching
Note that for SESS to function, the deployed SESS agent setting and the desired network state in the Self-electing subnet services tool must both be enabled. If you don't enable the SESS service you want in the deployed agent settings, enabling SESS for that service in the Self-electing subnet services tool has no effect, because there won't be any electable devices on the subnet.
If for whatever reason you want to make sure a device can't be elected, you can disable SESS in its deployed agent setting.
Managing self-electing subnet services
As elected devices with SESS on them report to the core, the core creates a list of subnets it detected and the status of ARP and WAP device discovery on those subnets. This information is available in the Self-electing subnet services tool (Tools > Configuration > Self-electing subnet services).
Use this tool to:
- Configure default SESS state for newly discovered networks
- View detected subnets
- Enable/Disable SESS on devices or networks
- View the elected device for each subnet
- Specify the Windows credentials the agentless scanner service should use
To configure the default SESS state for newly discovered networks
- In the Self-electing subnet services tool, click the Set default state of new networks toolbar button.
- Enable or disable the state you want for each service.
To change the desired state of an existing network
- In the Self-electing subnet services tool, right-click the network you want to change and click Enable or Disable.
To specify Windows credentials for the agentless scanner
- See this topic: Agentless inventory and vulnerability scanner.