Architecture
The Ivanti Automation architecture model can be represented as follows:
Process
When you deploy, repair or remove a Console, Dispatcher or Agent, the Console that you are logged on to extracts the necessary data from the Datastore and then connects directly to the target computer to deploy, repair or remove the requested component.
When you create Modules, Projects or Run Books, the Console stores all data in the Datastore, including the Tasks and Resources involved. When you schedule Jobs with these Modules, Projects or Run Books, the Console (or Management Portal) stores this schedule in the Datastore.
A Dispatcher manages all communication between the Datastore and an Agent. If a new Job is available for the Agent, the Dispatcher downloads all necessary data from the Datastore and caches it locally for the Agent to collect.
- If a master caching Dispatcher is configured, the Dispatcher will download the Resources from the master caching Dispatcher, not from the Datastore directly.
In turn, the Agent checks (polls) the Dispatcher at regular intervals for relevant changes to Job schedules, Agent properties, global settings, etc. In the case of the Agent+, the Dispatcher notifies the Agent+ when there are changes: once the push connection has been established, the Dispatcher sends a push notification to the Agent+, so polling is no longer necessary. When a new Job is available, the Agent or Agent+ downloads all necessary data from the Dispatcher and performs the Job. If a Dispatcher is too busy, the Agent or Agent+ tries to contact a different Dispatcher.
Ports
The Ivanti Automation components use the following default ports to communicate:
| TCP Port | Description |
|---|---|
| 443 | Used by the web browser of the administrator or user to connect to the web server that hosts the Management Portal when SSL/TLS is used. |
| <vendor default> | The following components connect to the Datastore: Microsoft SQL Server, Microsoft Azure SQL, and IBM DB2 use different default ports. See the vendor documentation for the correct port numbers. |
| 3163 | Used for poll communication between Dispatchers and Agent(s) or Agent(s)+. This port is fixed and cannot be changed. |
| 3162* | Used for push communication between Dispatchers and Agent(s)+. *This port number can be changed. |
| 3165 | Used for HTTPS-encrypted communication between Dispatchers and Agent(s)+. This port is fixed and cannot be changed. |
To secure communication between a Datastore based on Microsoft SQL Server and the components that connect to it (Consoles and Dispatchers), you can use Database protocol encryption.
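The following PowerShell script is an added example for checking the port table above; it is not Ivanti's own code. It assumes a Dispatcher named `disp01.corp.example`, an Agent subnet of `10.20.0.0/16`, that the push port is still the default 3162, and that all three ports are listened on by the Dispatcher host (the page states only that the ports are used "between" Dispatchers and Agents, so confirm the direction against your deployment before relying on the firewall rules). Section 1 is run from an Agent host, sections 2 and 3 on the Dispatcher.

```powershell
# Added example (not Ivanti's code). Checks Agent-to-Dispatcher reachability on
# the default Ivanti Automation ports, lists what the Dispatcher host actually
# has listening on them, and scopes the inbound firewall rules to the Agent
# subnet instead of "any". Names, subnet and listening direction are assumptions.

$Dispatcher  = 'disp01.corp.example'   # assumed Dispatcher FQDN
$AgentSubnet = '10.20.0.0/16'          # assumed Agent network
$Ports = @(
    @{ Port = 3163; Purpose = 'Agent/Agent+ poll (fixed)' },
    @{ Port = 3162; Purpose = 'Agent+ push (default, configurable)' },
    @{ Port = 3165; Purpose = 'Agent+ HTTPS (fixed)' }
)

# 1. From an Agent host: is the Dispatcher reachable on each port?
foreach ($p in $Ports) {
    $r = Test-NetConnection -ComputerName $Dispatcher -Port $p.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $p.Port
        Purpose = $p.Purpose
        Open    = $r.TcpTestSucceeded
    }
}

# 2. On the Dispatcher host: which process owns each expected listener?
#    An expected port with no listener, or one owned by an unexpected
#    process, is the first thing to investigate.
$Expected = $Ports | ForEach-Object { $_.Port }
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in $Expected } |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } }

# 3. On the Dispatcher host: create an inbound allow rule per port, limited to
#    the Agent subnet and the Domain profile, only if no rule exists yet.
foreach ($p in $Ports) {
    $name = "Ivanti Automation Dispatcher TCP $($p.Port)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $p.Port -RemoteAddress $AgentSubnet -Action Allow -Profile Domain | Out-Null
        "Created firewall rule: $name"
    }
}
```

If you change the push port in the Console, update the 3162 entry in `$Ports`; 3163 and 3165 are fixed and should always appear in the listener output on a working Dispatcher.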
Certificates
Ivanti Automation uses a self-signed certificate to secure communication between the Dispatcher and agents. The life span of this certificate is set to two years. In versions older than 2020.2.1, the only way to change it is by running the Upgrade Pack again and generating a new one. This also requires a repair of all agents in the environment.
In versions 2020.2.1 and newer, this certificate can be changed from the Console without needing to repair any agents. For more information, see the Certificate option in Other settings.
To view the dispatcher certificate
- On the computer hosting the dispatcher, click Start and type "Manage computer certificates". Select that Control Panel applet and launch it.
- Click Personal > Certificates.
The dispatcher certificate name is based on the Windows computer fully-qualified domain name. When Automation generates a self-signed certificate, the Issued By field will be "Ivanti Self Signed Root". With self-signed certificates, separate multiple dispatcher DNS names with a semicolon.
When you deploy agents, a Dispatcher environment certificate is part of the agent installation. When an agent communicates with the Dispatcher, the agent uses the deployed environment certificate to secure the connection. Devices with the agent store this environment certificate under Trusted Root Certification Authorities > Certificates.
In a Dispatcher-only installation, the Root Self-Signed certificate is not deployed. Consequently, the certificate chain for the Personal Self-Signed certificate will appear broken. This broken chain does not affect the functionality of Automation. To avoid the appearance of a broken chain, you can deploy the Agent on the same machine.
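The script below is an added example, not Ivanti's code, that automates the inspection described in this section on a Dispatcher host: it locates the certificate in the machine Personal store by its "Ivanti Self Signed Root" issuer, reports the remaining lifetime (the page gives a two-year life span), checks that the subject or SAN contains the host's FQDN, and builds the chain to show whether the root is present in Trusted Root Certification Authorities. It assumes the issuer string matches exactly as shown on this page and that the host's FQDN is the name the certificate was issued for; the 60-day warning threshold is an arbitrary choice.

```powershell
# Added example (not Ivanti's code). Inspects the Dispatcher certificate:
# issuer match, expiry, FQDN match, and whether the chain validates (it will
# not on a Dispatcher-only host, because the root is not deployed there).

$IssuerName = 'Ivanti Self Signed Root'   # issuer name as given on the page
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$WarnDays = 60                            # assumed renewal warning threshold

$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$IssuerName*" }

if (-not $certs) {
    Write-Warning "No certificate issued by '$IssuerName' found in LocalMachine\My."
    return
}

foreach ($c in $certs) {
    $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays

    # Subject Alternative Name, where multiple dispatcher DNS names end up.
    $sanExt = $c.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

    # Build the chain without revocation checking (self-signed, no CRL).
    # On a Dispatcher-only host Build() returns $false with UntrustedRoot.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($c)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $chain.Dispose()

    [pscustomobject]@{
        Subject     = $c.Subject
        Thumbprint  = $c.Thumbprint
        NotAfter    = $c.NotAfter
        DaysLeft    = $daysLeft
        SAN         = $san
        NameMatches = ($c.Subject -like "*$Fqdn*") -or ($san -like "*$Fqdn*")
        ChainValid  = $chainOk
        ChainStatus = if ($chainOk) { 'OK' } else { $status }
    }

    if ($daysLeft -lt $WarnDays) {
        Write-Warning "Certificate $($c.Thumbprint) expires in $daysLeft days. On 2020.2.1 and newer, renew it from the Console (Other settings > Certificate); on older versions this means re-running the Upgrade Pack and repairing all agents."
    }
}

# Is the root present in Trusted Root? Expected only where an Agent is also
# installed on this host; its absence explains a broken chain above.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$IssuerName*" } |
    Select-Object Subject, Thumbprint, NotAfter
```

A `ChainValid` of `$false` with `UntrustedRoot` on a Dispatcher-only host is the expected, harmless condition described above; a `NameMatches` of `$false` or a short `DaysLeft` is what actually warrants action.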