Installing Windows proxies

Proxy changes in version 10.1 and later

In BMC Atrium Discovery 10.1 and later, configuring secure communication with proxies has been improved with the new key and certificate management capabilities in the Windows proxy manager and with automatic registration of the proxy on the appliance. Upgraded proxies continue to use the legacy keys, but we recommend that you switch them to use unique keys as soon as all connected appliances have also been upgraded. For details, see Secure deployment.

Windows proxies and firewalls

The BMC Atrium Discovery appliance opens connections to the Windows proxies. The ports used for the proxies are chosen at installation time, and can be modified using the Proxy Manager. You must modify the proxy host firewall, and any other firewalls between the proxy host and the appliance, to permit communication on the necessary ports.

Windows proxy installation

There can only be a single installation of the Windows discovery proxy on a host, which can manage and run multiple instances of the discovery proxy. Installing a newer Windows discovery proxy version will always upgrade all configured instances.

Before you begin

  • Ensure that you have the necessary permissions to download and install the Windows proxies and Windows proxy manager.
  • Understand the Windows proxy version and Operating System (OS) compatibility to scan and retrieve IPv6 data.
  • Ensure that the Windows proxy host meets the minimum recommended specifications.
  • Consider the ports that must be open in any firewall between the appliance and the proxy or proxies, and the proxies and target hosts.

Permissions required

You can download the Windows proxies and Windows proxy manager as installation files from the appliance and install onto the local Windows host. To install Windows proxies:

  • You must be logged in as an administrator. If the software is not installed as this user then you need to grant permissions to write to C:\Program Files\BMC Software\ADDM Proxy.
  • The user that runs the Windows proxy must have necessary permissions to read from and write to the etc, log, and record directories.
  • As a user on the appliance, you must have been granted the admin/software/slave/download permission to download the Windows proxy installers.

Windows proxy version and OS compatibility

To discover IPv6 hosts, the OS of the target hosts must be compatible with the OS of the computer on which the proxy service is running and a suitable discovery method must be used. For more information, see Operating System compatibility.

The following table provides information about the compatibility between Windows proxy types and versions, and the operating systems that the Windows proxy runs on for BMC Atrium Discovery.

| Windows Proxy Type | Earliest Compatible Windows Proxy Version | Windows Proxy Available for Supported Operating System |
|---|---|---|
| Credential Windows proxy | 8.3 — with update to default SSL keys; 9.0 — no actions required | Windows 2003 SP2 (x86 and x86_64) IPv4 discovery only; Windows 2008 - Service Pack 2 (x86 and x86_64); Windows 2008 R2; Windows 2012; Windows 2012 R2 |
| Active Directory Windows proxy | 8.3 — with update to default SSL keys; 9.0 — no actions required | Windows 2003 SP2 (x86 and x86_64) IPv4 discovery only; Windows 2008 - Service Pack 2 (x86 and x86_64); Windows 2008 R2; Windows 2012; Windows 2012 R2 |

Workgroup Windows proxy

The Workgroup Windows proxy is no longer supported. Running the Active Directory Windows proxy under a Workgroup account provides exactly the same functionality as the old Workgroup Windows proxy.

Minimum host specification

The following are the minimum recommended specifications for the Windows proxy host:

| Component | Specification |
|---|---|
| Operating System | As stated in tables above |
| CPU | 2GHz Intel Pentium® 4 CPU 512k Cache (or equivalent from other manufacturer) |
| Memory | 2GB |
| Hard disk | 60GB |

To avoid any impact during resource-intensive periods of discovery, it is strongly recommended not to install the Windows proxy on any host supporting other business services. This is true even if the minimum Windows proxy specification is exceeded, since the Windows proxy will attempt to use what resources are available, in order to optimize scan throughput.

Windows discovery communications

You should also consider the ports that will need to be opened in any firewall between the appliance and the proxy or proxies, and the proxies and target hosts.

Windows discovery metadata

Discovery metadata covers Windows as well as UNIX. This provides information about why sessions failed to be established and why scripts failed to run, including information about what credential or Windows proxy was used.

Downloading the Windows proxy installer

When you download the proxy installer from the appliance user interface (UI), you download a single installer file from which you install the following:

  • Windows proxy manager
  • Active Directory proxy
  • Credential Windows proxy

To download the Windows proxy installer:

  1. From the Tools section of the Discovery page, click the Download installer for Windows Proxy version 10.1.00 link.
  2. Save the installation file to your file system.

Installing the Windows proxy manager and proxies

Installing or upgrading Windows proxies where anti-virus software is installed

Before installing Windows discovery proxies you should either disable the anti-virus software or configure it to exclude RemQuery from triggering a virus alert. You can enable the anti-virus software once the Windows proxy has been installed.

To install the Windows proxy manager and Windows proxies:

  1. Run the installer by double-clicking on the downloaded installer file.
    A welcome screen is displayed.
  2. Click Next.
  3. Click Browse... to select an installation directory, or click Next to accept the default installation directory (C:\Program Files\BMC Software\ADDM Proxy).
    The bottom of the Select Destination Location screen displays the minimum free disk space required in MB.
  4. To create the Windows proxy application's shortcuts, click Browse to select a different folder, or click Next to accept the default folder (BMC Software\ADDM Proxy).
    If you choose Don't create a Start Menu Folder here, ensure that you clear all the start menu option check boxes in the next step.
  5. On the Select Additional Tasks screen, select the options that will be available in the Start menu, and then click Next.
  6. To install an Active Directory Proxy, select the Install Active Directory Proxy check box.
    1. Enter the credentials for the user account that will run the Windows proxy.
      If you do not enter the credentials at this point you can do so later, see Specifying the Account Used to Run the Windows proxy. The Windows proxy will run as the Local System user if credentials are not entered. However, an Active Directory Proxy running as a Local System user will not have the necessary domain credentials to perform any discovery.
    2. Click Next.
  7. To install a Credential Proxy, select the Install Credential Proxy check box.
    1. Enter the credentials for the user account that will run the Windows proxy. You must prefix the user name with localhost (for example, localhost\Administrator). If you do not enter the credentials at this point you can do so later. The Windows proxy will run as the Local System user if credentials are not entered.

      Credential Windows proxy User

      You should not run the Credential Windows proxy as the Local System user, but as a valid local user account, which should be in the local Administrators group.

    2. Click Next.
  8. Review the details in the Ready to Install window. If the details are incorrect, click Back and navigate through the installer to correct the error. If they are correct, click Install to install the selected components.
  9. The Completing the BMC Atrium Discovery Proxy Setup Wizard is displayed.
    1. (If you have already installed the Active Directory proxies) To register the proxies with the appliance, select Register Active Directory Proxy with ADDM Appliance.
    2. (If you have already installed the Credential proxies) To register the proxies with the appliance, select Register Credential Proxy with ADDM Appliance.
    3. To run the Windows proxy manager immediately after installation, select Run Proxy Manager.
      The BMC Atrium Discovery UI Create Windows proxy page, pre-populated with details of this Windows proxy is displayed when this part of the setup is complete.

      Automatically generated certificate

      The Create Windows proxy page is populated with the certificate of the proxy. This certificate is used for securing communications between the appliance and the proxy. You can verify that the proxy communication has not been intercepted by comparing the certificate fingerprint shown in the appliance UI with the one shown in the Proxy Manager's Key And Certificate Management dialog.

  10. To exit the installer, click Finish.

Service startup failure

Sometimes Windows might refuse the installer permission to start the Windows proxy service, resulting in a dialog box along the lines of service installed but could not be started. This is remedied by manually supplying the credentials directly to the service using the Windows Services control panel. See Specifying the Account Used to Run the Windows proxy.

 

Post installation settings

The following sections detail post installation settings and modifications that might be required for Windows proxies.

To modify the Windows proxy host firewall

By default, the Windows firewall blocks the ports that the Windows proxies use. To enable an appliance to communicate with a Windows proxy, you must amend the firewall rules to permit communication on the ports that each Windows proxy type installed is using. The Proxy Manager displays the port that each proxy is using.

To modify the host firewall, select Windows Firewall from the Windows Control Panel. You can add a Windows proxy as an exception (as a program or a port) on the exceptions tab.

Registering a Windows Proxy from the appliance UI

If the proxy is not able to register with the appliance automatically (due to connectivity issues or to strict security policies), you can instead register the proxy using the appliance UI. When registered this way, the connection from the appliance must be approved in the Known Appliances dialog of the Proxy Manager.

To specify the account used to run the Windows proxy

The Active Directory Windows proxies gain their permissions on the discovery target from the user account that they run as, whereas the Credential proxies gain their permissions on the discovery target from the credentials entered in Discovery > Credentials > Devices > Hosts. The recommended procedure to configure or edit the account used to run the Windows proxy is from the Windows proxy manager. For more information, see specify user account and edit user account.

The alternative method to configure the account used to run the Windows proxy is as follows:

  1. Choose Start > Settings > Control Panel.
  2. Double-click Administrative Tools and then Services.
  3. Right-click the Windows proxy entry in the Services list and choose Properties.
  4. Switch to the Log On tab and select This account.
  5. Depending on the proxy type to be configured, perform the following:
    • For a Credential Proxy, enter the user name and password for a valid local user account, which should be in the local Administrators group.
    • For an Active Directory proxy, enter the user name and password of the Domain account that the service is to run as.
      You may see a dialog saying that the user has been granted the Log on as a Service right.
  6. To apply the changes, click OK.

To start or stop the Windows proxy

The recommended procedure to start or stop the Windows proxy is from the Windows proxy manager. For more information, see start and stop proxy.

The alternative method to start or stop a Windows proxy is as follows:
From the Control Panel, navigate to Administrative Tools and access the Services list. Select the Windows proxy that you want to start or stop. The services panel is refreshed with information and links enabling you to start, restart, or stop the Windows proxy.

  1. To start the Windows proxy, click Start the service.
  2. To restart the Windows proxy, click Restart the service.
  3. To stop the Windows proxy, click Stop the service.

To start the Windows proxy automatically

When you create a new proxy from the Windows proxy manager, you can configure the proxy to start automatically. For more information, see create a new proxy.

The alternative method to set the Windows proxy to start automatically is as follows:

  1. From the Control Panel, navigate to Administrative Tools and access the Services list.
  2. Select the Windows proxy that you want to start automatically and select Properties from the popup menu.
  3. Select Automatic from the Startup type: drop-down list, and click OK.

To specify additional startup options

After you configure a Windows proxy, you can specify additional startup options, such as purge logs, configuration file location, port options, and so on. You can specify many of these options using the Manage Windows Proxy page.

To address specific requirements, you can also enter the startup options described in the table in a registry value. On a 32-bit system, this is:

HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\Atrium Discovery Proxy\<proxyname>\CommandLine

On a 64-bit system, this is:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BMC Software\Atrium Discovery Proxy\<proxyname>\CommandLine

| Option | Description |
|---|---|
| --auto-purge-all | You can configure the Windows proxy to automatically purge its log and record data directories. The default behavior is not to purge. Specifies that log and record data directories will be purged. Set via UI. |
| --auto-purge-logs | Specifies that only log directories will be purged. Set via UI. |
| --auto-purge-record | Specifies that only record data directories will be purged. Set via UI. |
| --auto-purge-max-data-age value | Specify an age above which data is automatically purged. This is set in days and the default is seven. Set via UI. |
| --auto-purge-period value | The frequency at which the automatic purge occurs. This is set in hours and the default is 24 (daily). Set via UI. |
| --log-soft-limit value | A size limit (in MB) for the log directories. If this limit is exceeded the oldest records will be deleted. The default behavior is not to specify a limit (zero). |
| --record-soft-limit value | A size limit (in MB) for the record data directories. If this limit is exceeded the oldest data will be deleted. The default behavior is not to specify a limit (zero). |
| --enable-config-upload, --disable-config-upload | Enable or disable uploading configuration, overriding the setting specified in the configuration file. |
| --config-file-limit value | The number of backup configuration files to keep. The default is none. If this is exceeded, the oldest file is deleted. |
| --conf <config file> | Specify a configuration file to use. |
| --openports, --no-openports | Enable or disable OpenPorts, overriding the setting specified in the configuration file. |
| --tcpvcon, --no-tcpvcon | Enable or disable Tcpvcon, overriding the setting specified in the configuration file. |
| --dont-resolve-hostnames | The getInfo method retrieves patch, device, and host information. If no hostname is found then a reverse DNS lookup is performed to determine the hostname. Specify --dont-resolve-hostnames to prevent this. |
| --remquery, --no-remquery | Enable or disable RemQuery, overriding the setting specified in the configuration file. Set through the user interface (UI). |
| --remquery-timeout value | Specify a timeout value (in seconds) for RemQuery calls. The default is 60 seconds. Set through the UI. |
| --wmi, --no-wmi | Enable or disable WMI, overriding the setting specified in the configuration file. Set through the UI. |
| --wmi-timeout value | Specify a timeout value (in seconds) for WMI queries. The default is 120 seconds. Set through the UI. |
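
The following PowerShell script is an added example, not BMC code. It inventories the startup options stored for each proxy instance under both registry locations above and marks any token that does not appear in the options table. It assumes that CommandLine is a string value under each <proxyname> key, and it parses a constructed sample string when no proxy key is present on the host.

```powershell
# Added example, not BMC code. Assumption: CommandLine is a string value
# stored under each <proxyname> key, as the registry paths above suggest.
$roots = @(
    'HKLM:\SOFTWARE\BMC Software\Atrium Discovery Proxy'              # 32-bit system
    'HKLM:\SOFTWARE\Wow6432Node\BMC Software\Atrium Discovery Proxy'  # 64-bit system
)

# Options from the table above, split by whether a value follows the option.
$valueOptions = '--auto-purge-max-data-age', '--auto-purge-period', '--log-soft-limit',
                '--record-soft-limit', '--config-file-limit', '--conf',
                '--remquery-timeout', '--wmi-timeout'
$flagOptions  = '--auto-purge-all', '--auto-purge-logs', '--auto-purge-record',
                '--enable-config-upload', '--disable-config-upload', '--openports',
                '--no-openports', '--tcpvcon', '--no-tcpvcon', '--dont-resolve-hostnames',
                '--remquery', '--no-remquery', '--wmi', '--no-wmi'

function ConvertFrom-ProxyCommandLine {
    param([string]$Proxy, [string]$CommandLine)
    # Split on whitespace, keeping double-quoted values (such as a --conf path) whole.
    $tokens = @([regex]::Matches($CommandLine, '"[^"]*"|\S+') |
                ForEach-Object { $_.Value.Trim('"') })
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $name  = $tokens[$i]
        $value = $null
        if (($valueOptions -contains $name) -and (($i + 1) -lt $tokens.Count)) {
            $i++
            $value = $tokens[$i]
        }
        New-Object PSObject -Property @{
            Proxy      = $Proxy
            Option     = $name
            Value      = $value
            Documented = ($valueOptions + $flagOptions) -contains $name
        }
    }
}

$found = foreach ($root in $roots) {
    if (Test-Path $root) {
        foreach ($key in Get-ChildItem $root) {
            $cmd = (Get-ItemProperty -Path $key.PSPath).CommandLine
            if ($cmd) { ConvertFrom-ProxyCommandLine -Proxy $key.PSChildName -CommandLine $cmd }
        }
    }
}

if (-not $found) {
    # Constructed sample (not from a real proxy); '--wmi-timout' is a deliberate typo.
    $sample = '--auto-purge-logs --auto-purge-max-data-age 14 --conf "C:\temp\proxy test.conf" --wmi-timout 90'
    $found  = ConvertFrom-ProxyCommandLine -Proxy 'sample' -CommandLine $sample
}

$found | Select-Object Proxy, Option, Value, Documented | Format-Table -AutoSize
```

Rows with Documented set to False are tokens that the options table does not list, such as a mistyped option and the value that followed it.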

To test Windows credentials and communication

You can test the credentials by using them to discover a Windows computer that you know the user can access. To do this, from a command prompt on the Windows proxy, use the runas command to run a Discovery command such as systeminfo as the Domain user:

C:\> runas /user:DOMAIN\username "systeminfo /S TARGET"

Replace DOMAIN with the domain name, for example TIDEWAY, username with the user name, for example discovery, and TARGET with the resolvable hostname or IP address.

Upgrading a Windows proxy

Before upgrading you must ensure that existing Windows proxies are not running. If you do not do this, the install will fail and you will need to reboot the computer.

The upgrade process installs a new proxy and configures it using information taken from the previous proxy. It then uninstalls the previous proxy. As a consequence of this sequence:

  • Upgrading from versions prior to 8.3 SP2 — You should not use the same installation directory as the existing Windows proxy or the installation will fail. Accepting the upgrade default prevents this.
  • Upgrading a Workgroup proxy — The Windows Workgroup proxy is deprecated. If you upgrade a Workgroup proxy it is converted into an AD proxy. See Windows proxy compatibility matrix for more information.

Proxy username/password and upgrading

During the upgrade process you need to enter the Active Directory credentials. Usernames are preserved during the upgrade, but passwords are not.

Running the upgrade

To install the Windows proxy manager and upgrade all Windows proxies:

  1. Run the installer by double-clicking on the downloaded installer file.
    A welcome screen is displayed.
  2. Click Next.
  3. Click Browse to select the installation directory, or click Next to accept the default installation directory (C:\Program Files\BMC Software\ADDM Proxy). See the upgrade notes above.
  4. To create the Windows proxy application's shortcuts, click Browse to select a different folder, or click Next to accept the default folder (BMC Software\ADDM Proxy).
    If you choose Don't create a Start Menu Folder here, ensure that you clear all the start menu option check boxes in the next step.
  5. On the Select Additional Tasks screen, choose options that will be available in the Start menu, and then click Next.
  6. If an existing Active Directory proxy is found, you are asked to enter credentials. The Account field is pre-populated with the username that the proxy is using. Enter the corresponding password in the Password field. If the proxy is currently running as the local system user, you are prompted for an Active Directory username and password. Although the proxy service will run as the local system user, it will not be able to perform any discovery activities until it is run as an Active Directory user. Select Migrate existing configuration file to migrate any custom changes to the new proxy.
  7. Click Next.
  8. If an existing Workgroup proxy is found, it is converted to an Active Directory proxy. You are asked to enter credentials. The Account field is pre-populated with the username that the proxy is using. Enter the corresponding password in the Password field. If the proxy is currently running as the local system user, you are prompted for a username and password. Although the proxy service will run as the local system user, it will not be able to perform any discovery activities until it is run as a Workgroup user. Select Migrate existing configuration file to migrate any custom changes to the new proxy.
  9. Click Next.
  10. If an existing Credential proxy is found, the default is not to request credentials. BMC recommends that credential proxies are run as local named users with administrator privileges, not the local system user. Select Migrate existing configuration file to migrate any custom changes to the new proxy.
  11. Click Next.
  12. Review the details in the Ready to Install window. If the details are incorrect, click Back and navigate through the installer to correct the error. If they are correct, click Install to install the selected components.
  13. You are asked whether you want to keep the existing configuration for each proxy. Click Yes to keep the configuration.
  14. Check the Run Proxy Manager check box to run the Windows proxy manager immediately after installation.
  15. To exit the installer, click Finish.

Silent installation

The Windows proxy manager and proxy installer uses Inno Setup, which provides silent installation capabilities at the command line.

To invoke the installer at the command line:

  1. Using a command prompt, change directory to the directory into which you downloaded the installer file. Enter:

     C:\>cd "Documents and Settings\username\My Documents\Download\"
  2. Run the installer using the Inno Setup options and the additional Windows proxy manager installer options. Enter:

    addmproxy_installer_10.1_xxxxxx.exe /SILENT /ADUSER="username" /ADPASSWORD="password"

The Inno Setup options are described on their website.

Additional Windows proxy manager and proxy installer options are described in the following table:

| Option | Description |
|---|---|
| /ADCREATE=Y\|N | Create an AD proxy during the install. The default is Y, that is, create an AD proxy. |
| /CREDCREATE=Y\|N | Create a Credential proxy during the install. The default is N, that is, do not create a Credential proxy. |
| /ADUSER="username" | The username with which to run an AD proxy. The default is "". |
| /ADPASSWORD="password" | The corresponding password. The default is "". |
| /CREDUSER="username" | The username to run a credential proxy. The default is "". |
| /CREDPASSWORD="password" | The corresponding password. The default is "". |
| /SILENT | Run a BMC Atrium Discovery Proxy silent installation. To install an AD proxy, the /ADUSER and /ADPASSWORD options are mandatory. To install just a Credential proxy, Active Directory credentials are not required, as the installer uses system account credentials. |

These commands are entered as a space separated list.

For silent installation of the Active Directory proxies, you must provide valid domain credentials. The installation process verifies this, and it fails if the default username and password were provided.
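
The following PowerShell wrapper is an added example, not BMC code. It prompts for the domain account at run time so that the password is not stored in a script or batch file, then runs the silent installation with the options from the table above. The installer path is a placeholder. The password is still passed on the installer's command line, so it is visible to anything that records process command lines on the host.

```powershell
# Added example, not BMC code. $installer is a placeholder: point it at the
# installer file that you downloaded from the appliance.
$installer = '.\addmproxy_installer_10.1_xxxxxx.exe'

# Prompt for the domain account that will run the Active Directory proxy.
$cred = Get-Credential
if (-not $cred) { throw 'No credentials were entered.' }
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password

# /ADUSER and /ADPASSWORD are mandatory for an AD proxy, and each value is
# wrapped in double quotes, so a value containing a double quote cannot be
# passed safely this way.
if (-not $user -or -not $pass) {
    throw 'A user name and a password are both required for an AD proxy.'
}
if ($user.Contains('"') -or $pass.Contains('"')) {
    throw 'Value contains a double quote; use the interactive installer instead.'
}

$installerArgs = @(
    '/SILENT'
    '/ADCREATE=Y'
    '/CREDCREATE=N'
    ('/ADUSER="{0}"' -f $user)
    ('/ADPASSWORD="{0}"' -f $pass)
)

try {
    # Wait for the installer to finish and treat a non-zero exit code as a failure.
    $proc = Start-Process -FilePath $installer -ArgumentList $installerArgs -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "Installer exited with code $($proc.ExitCode)."
    }
    'Silent installation completed.'
}
finally {
    # Drop the plain-text copies of the password from the session.
    Remove-Variable pass, installerArgs -ErrorAction SilentlyContinue
}
```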

Windows proxy downgrade

If you need to downgrade a Windows proxy, you must stop the Windows proxy, uninstall it, and then install the new Windows proxy according to the instructions for that Windows proxy version.
