FAQs and additional resources
This section provides answers to frequently asked questions about BMC Discovery.
Running BMC Discovery has a minimal impact on your environment. The discovery techniques used are non-intrusive, lightweight, and agent-free.
BMC Discovery is IP-based and can discover any host system with an IP connection including servers, workstations, network nodes, printers, wireless access points, and so on. In actuality, though, we aim BMC Discovery at datacenter discovery, and it is optimized to that purpose. For this reason, we do not explicitly support more client-side items, such as wireless access points, workstations and so on. Any support for those that does exist is a side effect of our support for server-side discovery, and we are unlikely to invest in improving it.
BMC Discovery uses a range of discovery techniques where appropriate. These include:
- Network scanning (looking for services on well-known TCP and UDP ports on IP-reachable machines).
- Remote command execution (looking at specific processes running on each node, querying package managers, and querying established inter-process communications mechanisms).
- SNMP (MIBs provide a rich source of management information).
Obviously, the BMC Discovery appliance must be able to reach the network in order to discover hosts. However, various methods of providing secure access are possible without disabling firewalls and access control policies, including using VPN tunnels and using Windows proxy for BMC Discovery appliances. Some IDS systems might identify certain activities (such as port scans) as suspicious.
The discovery process will identify endpoints on such computers if they are visible from other hosts. You will need to complete details of programs running on them manually, though it might also be possible to categorize some of the components of the applications running on the unsupported platform either by which port it, or its counterpart, is listening on.
To provide a clear picture of your total IT infrastructure, BMC Discovery will actually reduce risk in your network by allowing you to weed out rogue elements that do not meet corporate policy, are out of date, or provide potential security holes.
The BMC Discovery discovery process uses standard techniques that do not de-stabilize elements of the infrastructure.
Since there are always risks with deploying new technology, BMC's implementation plan involves analyzing areas of potential risk and achieving the right balance of risk and reward. BMC's test plan is also aimed at minimizing risk, ideally including testing in the customer's test environment.
The BMC Discovery ethos is agent-free management. BMC does not believe the logistical challenges associated with having an agent on every node is justifiable, so no BMC Discovery-specific software needs to be installed on other computers. The BMC Discovery user interface is entirely web-based.
Agent-based discovery relies upon a level of control of asset deployment that does not exist in most businesses. It also implies a significant cost overhead to maintain agents on each platform, including approving, testing and deploying the agents. Finally, agents might not be available for the range of target platforms that your organization uses. We use standard techniques that have individually been authorized and deployed.
Yes, BMC Discovery integrates with the following products:
- Rest APIs: The REST API is intended to be used by a script or program that wants to interact with and control a BMC Discovery appliance from a remote machine.
- Export APIs (CSV and XML): The BMC Discovery Exporting discovered data using the CSV and XML APIs enable users to interrogate the datastore by using a script or program, and receive data back as a stream of text, an empty string, or a return code.
- CyberArk Enterprise Password Vault: CyberArk Enterprise Password Vault (CyberArk Vault) is a third-party application, which enables you to centrally manage credentials for the various systems that are installed in your environment. BMC Discovery provides an integration with CyberArk Vault to obtain credentials that are required to perform scans.
- BMC CMDB: BMC Discovery can synchronize discovered data to BMC CMDB by using CMDB synchronization.
- BMC Remedy Single Sign-On: BMC Remedy Single Sign-On (BMC Remedy SSO) is an authentication system that supports various authentication protocols such as LDAP and provides single sign-on for users of BMC products.
If you forget your user interface (UI) password to log in to BMC Discovery, you can reset the password at the command line.
tw_passwd utility enables you to change the password of a specified user interface user. To use the utility, enter the following command at command prompt:
where username is the name of the UI user to change.
tw_passwd utility is for changing UI users' passwords. To change the passwords for command line users, as the root user, use the Linux command
passwd. This is described in Changing the root and user passwords
BMC Discovery Outpost FAQs
This section provides answers to frequently asked questions about BMC Discovery Outpost.
BMC Discovery Outpost planning and architecture
It is not mandatory to use the BMC Discovery Outpost after upgrading from BMC Discovery version 11.x to 20.x (12.x). We recommend that you complete the upgrade and confirm that BMC Discovery is working as expected. You can then evaluate if using the BMC Discovery Outpost makes discovery more efficient in your environment.
The proxy functionality is embedded in the BMC Discovery Outpost. You need not always replace the proxy with the BMC Discovery Outpost. Windows proxies will continue to be available even after you upgrade your version of BMC Discovery. In some cases, it may be appropriate to replace a proxy with the BMC Discovery Outpost.
The BMC Discovery Outpost includes all the front-end functionality of a scanning appliance, so in some cases it can be used to replace a scanner. However, the BMC Discovery Outpost does not perform back-end functions, such as reasoning. BMC Discovery Outpost must be connected to an appliance (scanner or consolidator) for performing these functions.
The most common use of the BMC Discovery Outpost is within an isolated network segment. The BMC Discovery Outpost has only a single connection to its connected appliance through port 443, so only one port needs to be opened on the firewall. Also, you can configure a BMC Discovery Outpost to use a web proxy.
The BMC Discovery Outpost does not perform consolidation and so you cannot replace a consolidator with the BMC Discovery Outpost. However, BMC Discovery Outposts can connect to and provide data to a consolidator.
No, the BMC Discovery Outpost creates its own Windows proxies as needed.
This depends on your IT environment. In general, you need one BMC Discovery Outpost per isolated network segment. No specific performance tests have been done in this regard.
The system can balance the load across multiple BMC Discovery Outposts in a limited or static way. The system initially balances the load, and eventually remembers which endpoints went to which Outpost and tries to send that work to the same Outpost. Because the system does not adjust the balancing, the load will not be processed if an Outpost goes down. Also, a new Outpost will not receive any existing endpoints as work, but only new ones.
To work around this, re-register the Outposts, which resets the balancing. Alternatively, use Outpost or IP range restrictions to control where the workload goes.
The number of hosts and devices that you can scan depends on many variables, including the size of the scanned hosts or devices. Also, a single BMC Discovery Outpost may be sufficient for a small Discovery cluster, but not a large one.
BMC Discovery Outpost usage and configuration
Yes, you can scan from the appliance, but the scan will fail if the appropriate credentials are not present on the appliance.
Yes, you can use the BMC Discovery Outpost to scan cloud resources provided the appropriate credentials are configured, and the resources to be scanned are available or visible from the Outpost.
If you specify an Outpost to be used for a particular scan range, BMC Discovery uses only that Outpost. If a scan is directed to a specific Outpost, and that Outpost has IP address restrictions, then the scan of those restricted IPs will fail.
If you specify only IP address restrictions, BMC Discovery directs the scan to an Outpost that does not have those restrictions.
If you are using scopes, specify a particular Outpost. Otherwise, use IP address restrictions where necessary and allow the system to select the Outpost.
Communication is always from the BMC Discovery Outpost to the BMC Discovery appliance or instance. Communication is never initiated by the BMC Discovery appliance or instance.
Communication between the BMC Discovery Outpost and the BMC Discovery appliance or instance is always sent over HTTPS, so port 443 must be open on the appliance or instance. All TCP connections are bi-directional because packets flow in both directions.
For a Discovery cluster, the communication must be enabled for each cluster member. If there is a requirement for direct access to the Outpost UI, port 443 must be open on the Outpost.For more information, see System communications and network ports.
The BMC Discovery Outpost uses the same ports as a BMC Discovery appliance or instance to scan targets. The BMC Discovery Outpost initiates the connection. All TCP connections are bi-directional because packets flow in both directions.
Like a scanner, the BMC Discovery Outpost, by default, checks port 135 to determine if a target is a Windows server. For more information, see Network ports used for discovery communications.
There would be duplicates only if there has been an identity change.
The BMC Discovery Outpost is the same for BMC Helix Discovery (SaaS version) and BMC Discovery (on-premises version). There is no difference in the UI or the features.
The ENABLED setting indicates that a scan is allowed to run on the appliance while the DISABLED setting indicates that a scan is not allowed to run on the appliance.
BMC Discovery Outpost administration
If the Auto Update feature is enabled on the BMC Discovery Outpost, the BMC Discovery Outpost is automatically upgraded when you apply the monthly TKU. For more information, see Upgrading the BMC Discovery Outpost.
BMC Discovery does not provide the facility for backing up the BMC Discovery Outpost. You could backup by using the normal methods that are used for backing up a Windows server, such as a VMWare snapshot. It is strongly recommended to separately export your credential vault on a regular basis.
You can simply restore the Windows server backup that you had taken earlier. It is also possible to import a backup of the credential vault if that is all that you require.
Currently, BMC Discovery does not support high availability for the BMC Discovery Outpost, but it will be considered for a future release.
Currently, an Outpost API is not available, but it will be considered for a future release.
BMC Discovery Outpost performance
Scans will run longer and may eventually show timeouts. Also, check Windows to see if the BMC Discovery Outpost is paging. Note that the BMC Discovery Outpost is currently limited to 500 concurrent BMC Discovery requests.
The data transfer usage between the BMC Discovery Outpost and its targets will be the same as the usage between a scanning appliance or instance and its targets. The requests passed from the appliance or instance to the Outpost should be relatively small. The results sent from the Outpost to the appliance or instance will vary in size depending on the nature of the discovery.
The following BMC sites provide information outside of the BMC Discovery documentation that you might find helpful:
If you have any other questions about BMC Discovery, contact Customer Support.