Because the methods that are used to access Windows hosts are only available from Windows systems, Windows discovery requires a Windows proxy host. Windows discovery is handled in one of the following ways:
- Credential Windows proxy – a BMC Atrium Discovery application that runs on a customer-provided Windows host and uses credentials supplied by the BMC Atrium Discovery appliance to perform Windows discovery.
- Active Directory Windows proxy – a BMC Atrium Discovery application that runs on a customer-provided Windows host that is a member of an Active Directory domain or workgroup. The user account that the discovery service runs as is configured after the Windows proxy is installed. On any host in the domain where that account has the required permissions, the Windows proxy can log in and run discovery commands. The Active Directory Windows proxy does not use any credentials entered through the BMC Atrium Discovery user interface.
Active Directory Windows proxies therefore gain their permissions on the discovery target from the user account they run as, whereas Credential Windows proxies gain theirs from the credentials entered in Discovery > Credentials > Devices > Hosts.
The Windows proxy scans Windows hosts on behalf of the discovery service on the BMC Atrium Discovery appliance. Benefits and limitations of these approaches are described in the following sections.
Windows proxy benefits
When the Active Directory Windows proxy is installed by the customer (as the Windows domain administrator), BMC Atrium Discovery can use it to discover all Windows hosts in that domain without the domain administrator credentials ever being entered on the BMC Atrium Discovery appliance. The Active Directory Windows proxy can only discover Windows hosts in the domain it is a member of, or in other domains trusted by that domain. To discover domains that are not trusted, you must configure another Windows proxy with the appropriate domain permissions.
With either type of Windows proxy, the customer retains full control of the Windows host on which it runs. The Windows proxy runs as a Windows service. Software updates, hotfixes, antivirus software, credentials management, and so on, on that host can therefore be managed by the customer as prescribed by company IT policy.
The Discovery service can manage multiple Active Directory Windows proxies. Active Directory Windows proxies can communicate with multiple BMC Atrium Discovery appliances.
One Active Directory proxy and one Credential Windows proxy can run concurrently on the same host. While this is possible, it is not recommended. If both proxies are being used intensively then discovery performance would be impacted.
Credential Windows proxy user
Do not run the Credential Windows proxy as the Local System account. Run it as a valid local user account that is a member of the local Administrators group. On a domain network, a service running as Local System authenticates to other hosts with the computer account rather than with a user account, which can cause problems.
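The following PowerShell script is an added example for auditing the point above; it is not code from BMC or from this documentation. It assumes the Credential Windows proxy is registered as a Windows service whose name or display name matches the pattern in $ServiceNamePattern (adjust it for your installation) and that it is run in an elevated PowerShell 5.1 or later session on the proxy host. It reports whether the service runs as a built-in system account, as a local user, and whether that user is in the local Administrators group.

```powershell
# Added example; not code from BMC or from this documentation. Audits the
# service account of the Credential Windows proxy on the host it runs on.
# Assumption: the proxy is registered as a Windows service whose name or
# display name matches $ServiceNamePattern (adjust to your installation).
# Run in an elevated PowerShell 5.1 or later session on the proxy host.

function Get-ProxyServiceAccountReport {
    param(
        [string]$ServiceNamePattern = '*Discovery*'   # assumed; confirm in services.msc
    )

    $computer = $env:COMPUTERNAME
    # Members of the local Administrators group, as 'HOST\user' or 'DOMAIN\user'
    $localAdmins = @(Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name })

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -like $ServiceNamePattern -or $_.DisplayName -like $ServiceNamePattern } |
        ForEach-Object {
            $svc = $_
            $startName = $svc.StartName   # 'LocalSystem', 'NT AUTHORITY\...', '.\user' or 'DOMAIN\user'

            # Local System and the other built-in service accounts
            $isBuiltIn = ($startName -eq 'LocalSystem') -or ($startName -like 'NT AUTHORITY\*')

            # '.\user' and 'HOST\user' both denote a local account on this host
            $localUser = $null
            if ($startName -match ('^(?:\.|' + [regex]::Escape($computer) + ')\\(.+)$')) {
                $localUser = $Matches[1]
            }
            $isLocalUser   = [bool]($localUser -and (Get-LocalUser -Name $localUser -ErrorAction SilentlyContinue))
            $inLocalAdmins = [bool]($localUser -and ("$computer\$localUser" -in $localAdmins))

            $verdict = if ($isBuiltIn) {
                'FAIL: built-in system account; use a dedicated local user'
            } elseif (-not $isLocalUser) {
                'CHECK: not a local account (expected for an Active Directory proxy, not for a Credential proxy)'
            } elseif (-not $inLocalAdmins) {
                'FAIL: local user is not in the local Administrators group'
            } else {
                'OK: local user in local Administrators'
            }

            [pscustomobject]@{
                Service    = $svc.Name
                RunsAs     = $startName
                LocalUser  = $isLocalUser
                LocalAdmin = $inLocalAdmins
                Verdict    = $verdict
            }
        }
}

Get-ProxyServiceAccountReport | Format-Table -AutoSize
```

The report flags a domain account as CHECK rather than FAIL because the same pattern may match an Active Directory Windows proxy, which is expected to run as a domain user; only the Credential Windows proxy is required to use a local account.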
Windows proxy operations
The appliance and Windows proxies run CORBA services to communicate with each other. The appliance and Windows proxies are automatically configured to communicate over SSL using the supplied keys when the Windows proxy is installed. If your organization's security policies do not allow keys to be supplied by a third party such as BMC, you will need to replace the keys with your own.
Any Windows host that is to be discovered by the Active Directory Windows proxy must be reachable over the network from both the BMC Atrium Discovery appliance and the Windows proxy. The discovery engine on the appliance attempts to use ssh (or telnet/rlogin) to access the host, performs connectivity checks on known ports, and uses SNMP to get information from the host before requesting that the Windows proxy log on and run discovery commands.
Windows proxies can also be configured with the details of the appliances permitted to connect to them. Authentication of incoming requests is handled by the standard CORBA connection-handling features.
Windows proxy deployments
In typical deployments a single appliance is used to scan a large range of IP addresses. Multiple appliances are used to scan multiple ranges of IP addresses.
Generally, a single Active Directory Windows proxy is used per Active Directory domain. In some circumstances, for example, if no communication is possible between the two Data Centers shown below, a second Active Directory Windows proxy could be installed in Data Center 1.
The main discovery service uses Active Directory Windows proxies in preference to a Credential Windows proxy, including during the initial heuristics processing.
The following steps describe the initial discovery sequence for a Windows host. This process assumes that one appliance, two Active Directory Windows proxies, and a Credential Windows proxy are present. It also assumes that the only detail known about the scan target is the IP address.
- An IP address is passed to the discovery service to scan.
- The discovery service performs initial diagnostics, such as SNMP queries, HTTP HEAD requests, and a port scan, to determine the type of operating system.
- The operating system is determined to be Windows.
- If the Windows host is part of a domain, the IP address is passed to the Active Directory Windows proxies first.
- The Active Directory Windows proxy attempts to log in to the host. If it is unsuccessful, it informs the discovery service.
Thereafter, Windows proxies are used in the order defined on the Windows proxy management page.
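The following PowerShell script is an added example that models the proxy selection order described in this sequence, together with the trust rule from the benefits section; it is not BMC code and does not reflect the product's internals. For a domain-joined target it tries first the Active Directory Windows proxies whose own domain is the target's domain or trusts it, then every proxy in Windows proxy management page order, stopping at the first successful logon. The target's domain, each proxy's trust list, and the simulated logon result are assumed inputs constructed for the example; how the discovery service learns a host's domain is not covered on this page.

```powershell
# Added example; not code from BMC or from this documentation. Models the
# proxy selection order: for a domain-joined target, AD proxies covering the
# target's domain (own domain or a trusted one) go first, then all proxies in
# management-page order; the first successful logon wins.

function Get-WindowsProxyOrder {
    param(
        [Parameter(Mandatory)] [object[]]$Proxies,   # in management-page order
        [string]$TargetDomain = ''                   # '' for a workgroup host
    )

    $adFirst = @()
    if ($TargetDomain) {
        $adFirst = @($Proxies | Where-Object {
            $_.Type -eq 'ActiveDirectory' -and
            ($_.Domain -eq $TargetDomain -or $_.TrustedDomains -contains $TargetDomain)
        })
    }
    $firstNames = @($adFirst | ForEach-Object { $_.Name })
    # Everything else keeps its configured order (an AD proxy outside its trust
    # scope stays in the list but, per the text above, cannot log on to this host)
    $rest = @($Proxies | Where-Object { $firstNames -notcontains $_.Name })
    return $adFirst + $rest
}

function Invoke-WindowsDiscovery {
    param(
        [Parameter(Mandatory)] [string]$TargetIp,
        [string]$TargetDomain = '',
        [Parameter(Mandatory)] [object[]]$Proxies,
        [Parameter(Mandatory)] [scriptblock]$TryLogon   # (proxy, ip) -> $true on success
    )
    foreach ($proxy in Get-WindowsProxyOrder -Proxies $Proxies -TargetDomain $TargetDomain) {
        if (& $TryLogon $proxy $TargetIp) {
            return $proxy.Name
        }
        # Unsuccessful logon: the proxy reports back and the service tries the next one
        Write-Verbose "$($proxy.Name) could not log on to $TargetIp"
    }
    return $null
}

# Constructed sample: one appliance, two AD proxies and one Credential proxy,
# listed in the assumed management-page order
$proxies = @(
    [pscustomobject]@{ Name = 'cred-proxy';    Type = 'Credential';      Domain = $null;          TrustedDomains = @() }
    [pscustomobject]@{ Name = 'ad-proxy-dmz';  Type = 'ActiveDirectory'; Domain = 'dmz.example';  TrustedDomains = @() }
    [pscustomobject]@{ Name = 'ad-proxy-corp'; Type = 'ActiveDirectory'; Domain = 'corp.example'; TrustedDomains = @('sub.corp.example') }
)

# Simulated logon (constructed): only a proxy whose domain trusts the target's
# domain, or the Credential proxy, can log on to a host in sub.corp.example
$tryLogon = {
    param($proxy, $ip)
    $proxy.Type -eq 'Credential' -or $proxy.TrustedDomains -contains 'sub.corp.example'
}

(Get-WindowsProxyOrder -Proxies $proxies -TargetDomain 'sub.corp.example' | ForEach-Object Name) -join ' -> '
Invoke-WindowsDiscovery -TargetIp '10.0.0.5' -TargetDomain 'sub.corp.example' -Proxies $proxies -TryLogon $tryLogon
```

Pass an empty TargetDomain to see the workgroup case, where no Active Directory proxy is promoted and the proxies are simply tried in management-page order.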