
Important: This documentation space contains information about the SaaS version of BMC Helix Discovery. If you are using the on-premises version of BMC Helix Discovery, see BMC Helix Discovery 25.2 (On-Premises).

FAQ


This section provides answers to frequently asked questions about BMC Helix Discovery.

What is the performance impact of running BMC Helix Discovery?

Running BMC Helix Discovery has a minimal impact on your environment. The discovery techniques used are non-intrusive, lightweight, and agent-free.

What can BMC Helix Discovery discover in the network?

BMC Helix Discovery is IP-based and can discover any host system with an IP connection, including servers, workstations, network nodes, printers, wireless access points, and so on. In practice, though, we aim BMC Helix Discovery at datacenter discovery, and it is optimized for that purpose. For this reason, we do not explicitly support more client-side items, such as wireless access points, workstations, and so on. Any support that does exist for those items is a side effect of our support for server-side discovery, and we are unlikely to invest in improving it.

What discovery techniques do you use?

BMC Helix Discovery uses a range of discovery techniques where appropriate. These include:

  • Network scanning (looking for services on well-known TCP and UDP ports on IP-reachable machines).
  • Remote command execution (looking at specific processes running on each node, querying package managers, and querying established inter-process communications mechanisms).
  • SNMP (MIBs provide a rich source of management information).

Will any network security need to be disabled for the discovery process?

Obviously, the BMC Helix Discovery appliance must be able to reach the network in order to discover hosts. However, various methods of providing secure access are possible without disabling firewalls and access control policies, including using VPN tunnels and using Windows proxy for BMC Helix Discovery appliances. Some IDS systems might identify certain activities (such as port scans) as suspicious.

What is the impact of my applications running on platforms that are not supported by BMC Helix Discovery?

The discovery process will identify endpoints on such computers if they are visible from other hosts. You will need to complete details of programs running on them manually, though it might also be possible to categorize some of the components of the applications running on the unsupported platform by the port on which the component, or its counterpart, is listening.

Can the product introduce any risk into my network or application infrastructure?

Because it provides a clear picture of your total IT infrastructure, BMC Helix Discovery will actually reduce risk in your network by allowing you to weed out rogue elements that do not meet corporate policy, are out of date, or provide potential security holes.
The BMC Helix Discovery discovery process uses standard techniques that do not destabilize elements of the infrastructure. 
Since there are always risks with deploying new technology, BMC's implementation plan involves analyzing areas of potential risk and achieving the right balance of risk and reward. BMC's test plan is also aimed at minimizing risk, ideally including testing in the customer's test environment.

Do I need to install any software on other computers?

The BMC Helix Discovery ethos is agent-free management. BMC does not believe the logistical challenges associated with having an agent on every node are justifiable, so no BMC Helix Discovery-specific software needs to be installed on other computers. The BMC Helix Discovery user interface is entirely web-based.

Why is agent-free discovery so important?

Agent-based discovery relies upon a level of control of asset deployment that does not exist in most businesses. It also implies a significant cost overhead to maintain agents on each platform, including approving, testing, and deploying the agents. Finally, agents might not be available for the range of target platforms that your organization uses. We use standard techniques that have individually been authorized and deployed.

Does BMC Helix Discovery integrate with other products?

Yes, BMC Helix Discovery integrates with the following products:

  • BMC Helix CMDB: BMC Helix Discovery can synchronize discovered data to BMC Helix CMDB using CMDB-synchronization.
  • REST API: The REST API is intended to be used by a script or program that wants to interact with and control a BMC Helix Discovery appliance from a remote machine.

How do I reset the BMC Helix Discovery user password?

If you forget your user interface (UI) password to log in to BMC Helix Discovery, you can reset the password at the command line.

The BMC Helix Discovery Administrator is responsible for setting up details of all the users who are permitted to use the BMC Helix Discovery system. Users are allocated a user name and a password, which they must enter in order to log in to the system. Each user is a member of one or more user groups, which define the parts of the system that user is permitted to access. For example, users defined as members of the Admin group are able to create and edit user details, while members of the Public group cannot access these areas. 

If you are using an instance of BMC Helix Discovery for BMC Helix Portal and BMC Helix AIOps users (commissioned after 1 June 2021), you should manage users and groups in BMC Helix Portal.

The BMC Helix Discovery permissions that you can configure in BMC Helix Portal are described in Roles-and-permissions-using-BMC-Helix-Portal.

As well as being the means of controlling user security, a user is actually set up on the system as a Person data object, and can subsequently be associated with other objects.

All actions on the system are recorded against a user's ID for audit purposes. Users should always use their own ID and keep their security details safe.

Creating a new user

The BMC Helix Discovery Administrator can set up new users and assign them to groups. Before creating users, you must ensure that you have set up all the groups that you need. For more information, see Managing-groups.

To create a new user

  1. From the Users page, click Add at the bottom of the page.
  2. In the Add User page, enter details for the new user:

     • Template: Select one of the following user types:
         • User to create a standard UI login user account.
         • API Access to create a user account only to be used for access to an API.
         • Event Source to create a user account only to be used as an event source.
       The appropriate fields are enabled or disabled to make populating the user details simpler. For example, an API user does not require a password, so the password field is disabled.
     • Username: Login ID of the user.
     • Full Name: Full name of the user.
     • Local Login: Permit Local Login. By default, this option is selected to enable the new user to log in using the local login credentials (besides the BMC Helix SSO credentials). You should permit local login access to one or more administrative users to ensure that you maintain access to the system.
       Make sure to deselect this option if you want the user to log in only through BMC Helix SSO.
     • Password: Password to be allocated to this user. Not used for API Access or Event Source users.
     • Verify Password: Verify the password; it must match. Not used for API Access or Event Source users.
     • Password Rules: (Read-only display) Rules that are used to validate the password strength.
     • Options: Force Password Change On First Login. Specifies that users must change their password when they first log in. You can deselect this option if you do not want to force new users to change their passwords, though this is not recommended.
     • Groups: One or more groups that this user will be a member of. By default, all new users are members of the public group.
       For API Access users, the api-access and never-deactivate check boxes are automatically selected.
       For Event Source users, the event-source and never-deactivate check boxes are automatically selected.

  3. To save your changes, click OK.

Note

User names are case sensitive. That is, user names with the same spelling but different case are permitted; for example, Johnson and JOHNSON are not recognized as duplicates.

Amending a user's details

You can change a user's name and the groups that they are a member of. The access defined by the group membership will apply the next time this user logs on.

To amend a user's details

  1. From the Users page, select Edit from the Action list for the user.
    The Set Password page is displayed.
  2. Amend or overwrite the Full Name field.
  3. Select one or more Groups that this user is to be a member of.
  4. To save the changes, click OK.

Changing a user's password

If users forget their passwords or if a password is not kept secure, you can assign a new password.

To set a new password for a user

  1. From the Users page, select Set Password from the Action list for the user.
    The page is redisplayed, showing blank Password fields. The existing password is not displayed. Enter a new password for this user in the Password field. Confirm the password in the Verify Password field.
  2. To save the changes, click Apply. The new password will apply the next time the user attempts to log on.
    You can also specify that the user changes their password on their next login. To do this, select Must Change Password from the Action list for the user.

Generating an API token for an account

API Access and Event Source accounts do not have passwords; they use a generated token to enable external clients to make API calls using that account. You can also create a token for any other user account, with the exception of the system user, so that API calls can be made using that account.

API Access users can access the REST API using a token.

To generate an API token for a user

  1. From the Users page, select Generate API Token from the Action list for the user.
    A dialog is displayed containing the token.
  2. Copy the token and save it for use by external clients.

You cannot revoke an API token for an existing user. You must delete the user.

Preventing a user logging in with a username and password

You might want to prevent a user logging in with a username and password, for example, if the user account is authenticated using a single sign-on system. To do this:

From the Users page, select Deny password login from the Action list for the user account.

Reactivating a user account

If a user's account is not used for a specified period of time, their account is deactivated. To reactivate a deactivated user account, you must be logged in as a member of the unlocker group. You can also deactivate a user's account manually. A deactivated account is never automatically reactivated.

To reactivate a locked user account

  • Check that account reactivation is allowed. 
  • From the Users page, select Reactivate from the Action list for the user account to be reactivated.

Unblocking a user account

If a user unsuccessfully attempts to log in to their account more times than the account blocking threshold allows, their account is blocked. To unblock an account, you must be logged in as a member of the unlocker group.

To unblock a locked user account

From the Users page, select Unblock from the Action list for the user account to be unblocked.

Deleting a user

You can delete any existing user except for yourself or the default system-created users.

To delete an existing user

From the Users page, select Delete from the Action list for the user.

User permissions

User permissions in BMC Helix Discovery are additive. When you grant a user an additional permission (through adding the user to another group), that permission is added to the user's existing permissions. For example, if you grant appmodel permissions to a user with discovery permissions, the user gains no additional permissions because all of the appmodel permissions were already granted in the discovery permission set. Similarly, you cannot add readonly permissions to a system user in the hope of achieving a read-only system user.


I'd like a PDF of just selected information. How can I get that?

The BMC Documentation portal gives you the ability to generate PDF and Microsoft Word documents of single pages and to create PDF exports of multiple pages in a space.  

Creating PDF and Word exports

You can create a PDF of a page or a set of pages. (Non-English page exports are not supported.) You can also create a Word document of the current page.

To export to PDF or Word

  1. From the Tools menu in the upper-right, select a format:
    • Export to Word to export the current page to Word format.
    • Export to PDF to export the current page or a set of pages to PDF.

  2. If exporting to PDF, select what you want to export:

    • Only this page to export the current page.
    • This page and its children to export a set of pages.

For example, selecting This page and its children from the home page exports the entire space to PDF.

Depending on the number of topics included in the export, it might take several minutes to create the PDF. Once the export is complete, you can download the PDF.


BMC Discovery Outpost FAQs 

This section provides answers to frequently asked questions about BMC Discovery Outpost.

BMC Discovery Outpost planning and architecture

How many BMC Discovery Outposts do I need?

This depends on your IT environment. In general, you need one BMC Discovery Outpost per isolated network segment. No specific performance tests have been done in this regard. 

The system can balance the load across multiple BMC Discovery Outposts in a limited or static way. The system initially balances the load, and eventually remembers which endpoints went to which Outpost and tries to send that work to the same Outpost. Because the system does not adjust the balancing, the load will not be processed if an Outpost goes down. Also, a new Outpost will not receive any existing endpoints as work, but only new ones.

To work around this, re-register the Outposts, which resets the balancing. Alternatively, use Outpost or IP range restrictions to control where the workload goes.
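The balancing behaviour described above, as an added toy model (not BMC code and not the product's algorithm): it shows which endpoints go unscanned during an Outpost outage, what a newly added Outpost receives, and what re-registering changes. The class, the Outpost names, the endpoint addresses, and the least-loaded initial choice are all assumptions made for illustration.

```python
from collections import Counter


class StickyBalancer:
    """Toy model: balance once, then always reuse the remembered Outpost."""

    def __init__(self, outposts):
        self.outposts = list(outposts)  # registered Outposts
        self.assigned = {}              # endpoint -> Outpost it was first sent to

    def route(self, endpoint, online):
        """Return the Outpost that scans `endpoint`, or None if it is not processed."""
        if endpoint not in self.assigned:
            # Assumption: the initial balancing picks the least-loaded online Outpost.
            load = Counter(self.assigned.values())
            candidates = [o for o in self.outposts if o in online]
            if not candidates:
                return None
            self.assigned[endpoint] = min(candidates, key=lambda o: load[o])
        outpost = self.assigned[endpoint]
        # The balancing is never adjusted, so work for a down Outpost is not moved.
        return outpost if outpost in online else None

    def scan(self, endpoints, online):
        """Return (scans per Outpost, endpoints that were not processed)."""
        counts, missed = Counter(), []
        for endpoint in endpoints:
            outpost = self.route(endpoint, online)
            if outpost is None:
                missed.append(endpoint)
            else:
                counts[outpost] += 1
        return dict(counts), missed

    def add_outpost(self, name):
        self.outposts.append(name)

    def reregister(self):
        """Re-registering the Outposts resets the remembered assignments."""
        self.assigned.clear()


def demo():
    # Constructed endpoints and Outpost names.
    endpoints = [f"10.0.0.{i}" for i in range(1, 9)]
    everyone = {"op-a", "op-b", "op-c"}
    balancer = StickyBalancer(["op-a", "op-b"])
    first = balancer.scan(endpoints, online={"op-a", "op-b"})
    outage = balancer.scan(endpoints, online={"op-a"})        # op-b is down
    balancer.add_outpost("op-c")
    after_add = balancer.scan(endpoints + ["10.0.0.9"], online=everyone)
    balancer.reregister()
    after_reset = balancer.scan(endpoints + ["10.0.0.9"], online=everyone)
    return first, outage, after_add, after_reset
```

The `missed` list from the outage run is the coverage gap to watch for: those endpoints keep their last discovered state until the Outpost returns or the assignments are reset.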

How many hosts or devices can I scan from a single BMC Discovery Outpost? For example, I want to replace a scanner currently scanning 10K OSIs with Outpost(s).

The number of hosts and devices that you can scan depends on many variables, including the size of the scanned hosts or devices. Also, a single BMC Discovery Outpost may be sufficient for a small Discovery cluster, but not a large one.

BMC Discovery Outpost usage and configuration

Can I use the BMC Discovery Outpost to scan cloud resources?

Yes, you can use the BMC Discovery Outpost to scan cloud resources provided the appropriate credentials are configured, and the resources to be scanned are available or visible from the Outpost.

How do I configure BMC Discovery Outposts for different scan ranges? What is the difference between specifying which Outpost to use for a particular scan versus setting IP address restrictions on the Outpost itself?

If you specify an Outpost to be used for a particular scan range, BMC Helix Discovery uses only that Outpost. If a scan is directed to a specific Outpost, and that Outpost has IP address restrictions, then the scan of those restricted IPs will fail.

If you specify only IP address restrictions, BMC Helix Discovery directs the scan to an Outpost that does not have those restrictions.

If you are using scopes, specify a particular Outpost. Otherwise, use IP address restrictions where necessary and allow the system to select the Outpost.
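The two cases above, as an added planning sketch (not BMC code): it reports which parts of a scan range fail when the scan is directed at a named Outpost, and which Outposts remain candidates for an address when none is named. The Outpost names and ranges are constructed, and, following the wording above, a restriction is modelled as a range that the Outpost will not scan.

```python
from ipaddress import ip_address, ip_network

# Constructed Outposts and ranges. Assumption: a restriction is a range
# that the Outpost will not scan.
RESTRICTIONS = {
    "outpost-dc1": [ip_network("10.1.0.128/25")],
    "outpost-dc2": [ip_network("10.2.0.0/16")],
}


def split_range(scan, restricted):
    """Split the network `scan` into (allowed, blocked) lists for one Outpost."""
    allowed, blocked = [scan], []
    for restriction in restricted:
        still_allowed = []
        for net in allowed:
            if net.subnet_of(restriction):      # wholly restricted
                blocked.append(net)
            elif restriction.subnet_of(net):    # partly restricted: carve it out
                blocked.append(restriction)
                still_allowed.extend(net.address_exclude(restriction))
            else:                               # CIDR blocks nest or are disjoint
                still_allowed.append(net)
        allowed = still_allowed
    return sorted(allowed), sorted(blocked)


def pinned_scan(scan_range, outpost):
    """Scan directed at one named Outpost: the restricted part of the range fails."""
    allowed, blocked = split_range(ip_network(scan_range), RESTRICTIONS[outpost])
    return {"scanned": [str(n) for n in allowed], "failed": [str(n) for n in blocked]}


def eligible_outposts(address):
    """No Outpost named: candidates are the Outposts with no restriction on the address."""
    ip = ip_address(address)
    return sorted(name for name, nets in RESTRICTIONS.items()
                  if not any(ip in net for net in nets))
```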

Which ports are required to connect BMC Discovery with an Outpost, and is the communication between them uni-directional or bi-directional?

Communication is always from the BMC Discovery Outpost to the BMC Helix Discovery appliance or instance. Communication is never initiated by the BMC Helix Discovery appliance or instance. 

Communication between the BMC Discovery Outpost and the BMC Helix Discovery appliance or instance is always sent over HTTPS, so port 443 must be open on the appliance or instance. All TCP connections are bi-directional because packets flow in both directions.

For a Discovery cluster, the communication must be enabled for each cluster member. If there is a requirement for direct access to the Outpost UI, port 443 must be open on the Outpost. For more information, see Network-ports-used-for-discovery-communications.
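The connection rules in this answer, as an added example (not BMC code) that checks connection records from a firewall or flow log against them and lists cluster members that no Outpost has reached on 443. The addresses, the CSV layout, and the function names are constructed for illustration.

```python
import csv
import io
from ipaddress import ip_address

# Constructed sample data using documentation address ranges (RFC 5737).
OUTPOSTS = {ip_address("192.0.2.10")}
APPLIANCES = {ip_address(a) for a in ("198.51.100.5", "198.51.100.6", "198.51.100.7")}

# One row per TCP connection, keyed by the side that opened it; reply packets
# flow both ways on every connection, so only the initiator is significant.
SAMPLE_FLOWS = """\
initiator,responder,dport
192.0.2.10,198.51.100.5,443
192.0.2.10,198.51.100.6,443
198.51.100.5,192.0.2.10,443
192.0.2.10,198.51.100.5,8080
192.0.2.77,192.0.2.10,443
192.0.2.10,192.0.2.200,135
"""


def classify(initiator, responder, dport, outpost_ui_allowed=False):
    """Label one connection against the documented Outpost/appliance rules."""
    src, dst, dport = ip_address(initiator), ip_address(responder), int(dport)
    if src in APPLIANCES and dst in OUTPOSTS:
        return "violation: appliance initiated the connection"
    if src in OUTPOSTS and dst in APPLIANCES:
        return "expected" if dport == 443 else "violation: not HTTPS/443"
    if dst in OUTPOSTS:
        # Inbound 443 is only needed when direct Outpost UI access is required.
        if dport == 443 and outpost_ui_allowed:
            return "expected: Outpost UI access"
        return "review: inbound to Outpost"
    if src in OUTPOSTS:
        return "scan traffic"  # Outpost-to-target ports are listed separately
    return "unrelated"


def audit(flow_csv, outpost_ui_allowed=False):
    """Classify every row of a CSV flow export, in order."""
    return [classify(r["initiator"], r["responder"], r["dport"], outpost_ui_allowed)
            for r in csv.DictReader(io.StringIO(flow_csv))]


def members_without_outpost_link(flow_csv):
    """Cluster members that no Outpost connected to on port 443."""
    seen = {ip_address(r["responder"])
            for r in csv.DictReader(io.StringIO(flow_csv))
            if ip_address(r["initiator"]) in OUTPOSTS and r["dport"] == "443"}
    return sorted(str(a) for a in APPLIANCES - seen)
```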

Which ports are required for the BMC Discovery Outpost to scan targets, and in which direction?

The BMC Discovery Outpost uses the same ports as a BMC Helix Discovery appliance or instance to scan targets. The BMC Discovery Outpost initiates the connection. All TCP connections are bi-directional because packets flow in both directions.
Like a scanner, the BMC Discovery Outpost, by default, checks port 135 to determine if a target is a Windows server. For more information, see Network-ports-used-for-discovery-communications.

If I install the BMC Discovery Outpost, connect it to my consolidator, and stop scanning from the scanner, will there be any duplicates in the consolidator or in CMDB?

There would be duplicates only if there has been an identity change.

How does the BMC Discovery Outpost installed on BMC Helix Discovery differ from that installed on BMC Discovery?

The BMC Discovery Outpost is the same for BMC Helix Discovery (SaaS version) and BMC Discovery (on-premises version). There is no difference in the UI or the features.

BMC Discovery Outpost administration

How can I take a backup of an Outpost?

BMC Helix Discovery does not provide the facility for backing up the BMC Discovery Outpost. You could back it up by using the normal methods that are used for backing up a Windows server, such as a VMware snapshot. It is strongly recommended to separately export your credential vault on a regular basis.

How do I create a disaster recovery plan for the BMC Discovery Outpost?

You can simply restore the Windows server backup that you had taken earlier. It is also possible to import a backup of the credential vault if that is all that you require.

Is it possible to create high availability for the BMC Discovery Outpost?

Currently, BMC Helix Discovery does not support high availability for the BMC Discovery Outpost, but it will be considered for a future release.

Is an Outpost API available?

Currently, an Outpost API is not available, but it will be considered for a future release.

BMC Discovery Outpost performance

How can I know if the BMC Discovery Outpost is overloaded?

Scans will run longer and may eventually show timeouts. Also, check Windows to see if the BMC Discovery Outpost is paging. Note that the BMC Discovery Outpost is currently limited to 500 concurrent BMC Helix Discovery requests.

What is the data transfer usage for an Outpost?

The data transfer usage between the BMC Discovery Outpost and its targets will be the same as the usage between a scanning appliance or instance and its targets. The requests passed from the appliance or instance to the Outpost should be relatively small. The results sent from the Outpost to the appliance or instance will vary in size depending on the nature of the discovery.


If you have any other questions about BMC Helix Discovery, contact Customer Support.


 
