What Ports and Services does UpdateEXPERT use?

It depends on whether the target machine uses a Leaf-Agent or not. This article summarizes the basic requirements for Agentless and Leaf-Agent targets.

For additional detail on Leaf-Agents, and a detailed table comparison between Leaf-Agents & Agentless, see:

When Should I Deploy Leaf-Agents.

Ports and Services Used by Agentless Machines

Machines that rely on standard Microsoft networking services to communicate (most of your network) use ports 135, 139 and 445 for network communication, and require specific services to be running on each UpdateEXPERT target, such as "Remote Procedure Call", "Server", "Remote Registry Access", and "NetLogon". Taken together, these ports and services allow UpdateEXPERT to enumerate the network, query or inventory the target machines, and deploy patches to them without installing client-side software. This is considered an advantage in many network environments, because there is no client-side software to install, configure and maintain.

Port 135 - Supports RPC (inter-process) communications between machines, using the "Remote Procedure Call" service mentioned above. Blocking this port largely stops one machine from communicating with another remotely.

Port 139 - Supports NetBIOS name resolution. NetBIOS allows discovery of machines in a network. Blocking this port prevents NetBIOS from discovering (seeing) certain hosts.

Port 445 - Supports Active Directory/DNS name resolution. DNS allows discovery of machines in a network. Blocking this port prevents NetBIOS from discovering (seeing) certain hosts.

Ports and Services Used by Leaf-Agent Machines

Machines in secured environments where some or all of the ports above are blocked, or where some services have been disabled, require installation of client-side software called a Leaf-Agent. Machines with a Leaf-Agent communicate with the UpdateEXPERT machine over a user-configurable port number (port 9968 by default) with fully encrypted communications. Essentially, the Master-to-Leaf communication path is NOT "well-known", is proprietary, and is secure and encrypted. By contrast, the standard Microsoft ports (135, 139, 445) are very "well-known" (hackers probe these ports) and unencrypted. Leaf-Agents allow UpdateEXPERT users to support secured machines, usually in a DMZ.

Lastly, Leafs, like most Microsoft services, need the "Remote Procedure Call" service to support local inter-process communications. Blocking port 135 inhibits the networking support normally provided by the RPC service. Below is a screenshot of the UEAgent service dependency on the RPC service.

Note: By design, you cannot change the UEAgent login account from the default "LocalSystem" setting. If you change it to, let's say, "Administrator" and try to start the service, the service will not start.
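
The requirements above can be checked per target before deciding between Agentless and Leaf-Agent. The following PowerShell function is an added example, not part of UpdateEXPERT or of the original article. It assumes Windows PowerShell 5.1 run from the UpdateEXPERT machine; the function name, the mapping of the quoted service display names to the service names RpcSs, LanmanServer, RemoteRegistry and Netlogon, and the host name are assumptions made for illustration.

```powershell
# Added example: pre-flight check of one target against the article's requirements.
# Requires Windows PowerShell 5.1 (Get-Service -ComputerName was removed in PowerShell 6+).
function Test-UpdateExpertTarget {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $LeafPort = 9968   # Leaf-Agent default per the article; user-configurable
    )

    # Ports the article lists for Agentless targets.
    $agentlessPorts = 135, 139, 445
    # Assumed service names for "Remote Procedure Call", "Server",
    # "Remote Registry Access" and "NetLogon".
    $requiredServices = 'RpcSs', 'LanmanServer', 'RemoteRegistry', 'Netlogon'

    # Collect every Agentless port that does not accept a TCP connection.
    $blocked = @($agentlessPorts | Where-Object {
        -not (Test-NetConnection -ComputerName $ComputerName -Port $_ `
                -InformationLevel Quiet -WarningAction SilentlyContinue)
    })

    # The remote service query itself travels over RPC, so only try it
    # when none of the Agentless ports is blocked.
    $notRunning = @()
    $serviceQuery = 'Skipped (ports blocked)'
    if ($blocked.Count -eq 0) {
        try {
            $notRunning = @(Get-Service -ComputerName $ComputerName `
                    -Name $requiredServices -ErrorAction Stop |
                Where-Object Status -ne 'Running' |
                Select-Object -ExpandProperty Name)
            $serviceQuery = 'OK'
        } catch {
            $serviceQuery = "Failed: $($_.Exception.Message)"
        }
    }

    $leafOpen = Test-NetConnection -ComputerName $ComputerName -Port $LeafPort `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    $agentlessOk = ($blocked.Count -eq 0) -and ($serviceQuery -eq 'OK') -and ($notRunning.Count -eq 0)
    $mode = if ($agentlessOk) { 'Agentless' } elseif ($leafOpen) { 'Leaf-Agent (listener reachable)' } else { 'Leaf-Agent needed (nothing reachable on LeafPort)' }

    [pscustomobject]@{
        Target = $ComputerName; BlockedPorts = $blocked; ServiceQuery = $serviceQuery
        ServicesNotRunning = $notRunning; LeafPortOpen = $leafOpen; Recommendation = $mode
    }
}

# Constructed host name; replace with a machine you administer.
Test-UpdateExpertTarget -ComputerName 'target01.example.test'
```

"Netlogon" normally runs only on domain-joined machines, so a workgroup target will list it under ServicesNotRunning.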