|
|
Toll Free: (866) 407-5279 Direct: (651) 407-5279 |
|
|
|
Toll Free: (866) 407-5279 Direct: (651) 407-5279 |
|
Agentless machines can be patched and managed without installing client-side software (the Leaf-Agent), which many Administrators find desirable. Many if not most machines can be managed as Agentless machines.
However, Leaf-Agents are very useful for hardened machines that disallow RPC ports (135, 139, or 445), or disallow services like NetLogon, Remote Registry Access, Server (IPC$ share), or File and Print Services. Under these conditions, a Leaf-Agent will be mandatory since you can't treat the target as an "Agentless" candidate.
Even if the target has not been hardened, you may want to take advantage of the Leaf-Agent for encryption services, disconnected machine support, or patch deployment performance advantages. Many environments do best with a well thought out mix of Agentless and Leaf-Agent machines.
Leaf-Agents are preferred when you want one or more of the following features:
Security
Secured Master/Leaf connections & Encrypted packet traffic (secure communications)
User-definable Leaf-Agent/Master-Agent ports (secure communication, administrative flexibility)
Whether using the Agent-Installer screens or the Command Line Agent Installer switches, you can specify the port number you want the Master-Agent and Leaf-Agent to "listen" on. This port number is typically set to 9968 (default) for both Master and Leaf(s), but the port number can be any value between 1025 and 65535.
Reduced Network Load
Independent patch downloading (takes advantage of local internet connection)
Select the appropriate Leaf-Agent, the click the Radio Button "Get files from the Internet" to configure the Leaf-Agent to get it's own patches.
Leaf-Agent Query and Validation (reduces workload on Master-Agent/Network)
Agentless queries are more expensive that Leaf-Agent queries in terms of Network I/O. In an Agentless query, for each possible patch, the Master-Agent must probe the target for the existence of an individual patch. This results in a flurry of network requests ... "Do you have Patch-A, do you have Patch-B, do you have Patch-C" etc. An agentless query may produce approximately 6MB of traffic (less or more depending on the target machine)
For a Leaf-Agent, the Master-Agent sends a simple request ... "Tell me what patches you have" ... and the Leaf-Agent does all the work itself, sending back a list when finished and greatly reducing the network transactions. A Leaf-Agent query may produce approximately 6KB of traffic.
Bandwidth Control (control network I/O over slow links with Leaf-Agents)
Bandwidth Control is set for a Master-Agent and applies to all the Leaf-Agents belonging to the Master-Agent. The rate of packet traffic is controllable to prevent overwhelming a slow physical link.
Go to File > Agent > Settings and set "Maximum transfer bandwidth usage" to a lower number if needed.
Disconnected Machine Support
Laptops, and other "transient" machines
Mobile users and users who frequently shutdown their machines can use Leaf-Agents to contact the Master-Agent to see if there are patches queued up for installation.
A user can request that the UpdateEXPERT admin uncheck "Allow UpdateEXPERT to download patches to this computer" prior to a trip (for example) to prevent unwanted patching activity. Users with administrative privileges can also stop the UEAgent service so that communication between Leaf and Master is suspended temporarily.
Wake-on-Lan (added in UpdateEXPERT Premium 7.0)
Mobile users and users who frequently shutdown their machines can use Leaf-Agents to contact the Master-Agent to see if there are patches queued up for installation.
A user can request that the UpdateEXPERT admin uncheck "Allow UpdateEXPERT to download patches to this computer" prior to a trip (for example) to prevent unwanted patching activity. Users with administrative privileges can also stop the UEAgent service so that communication between Leaf and Master is suspended temporarily.
Here's a table comparing the attributes of an Agentless (RPC) machine versus a Leaf-Agent machine.
Tip-1: Remotely installing a Leaf-Agent requires that the target is NOT already hardened. In other words, if you can query the machine as an Agentless machine, it is likely able to accept a remote install of a Leaf-Agent. Once the Leaf-Agent is installed, then you may harden the target. If the machine is already hardened, you either need to do a local Leaf-Agent install, or perhaps temporarily return the machine to an un-hardened state to allow for a remote install.
Tip-2: In UpdateEXPERT Premium 7.0, you can supply valid target machine credentials during the Agent Installation dialogue. In UpdateEXPERT 6.3 and earlier current logon credentials are used for Leaf installation, meaning that your current login must be an administrative account that matches an existing local administrator account on the target machine. In UpdateEXPERT 6.3 and earler, after installation, Alternate Credentials can be set so that it is easy to repeatedly query and deploy patches to the Leaf. See "Leaf-Agent Credentials" section, below.
Tip-3: When running the Agent-Installer (GUI or command line), you must configure the Leaf-Agent with a port assignment of 1025 to 65535, with the default being 9968.
Tip-4: The Agent-Installer allows the Master and Leaf to be identified by Hostname or IP address. If installing Leafs to machines with static IP addresses, especially in a DMZ, you will probably want to use IP addresses in the installation dialogue. This is efficient and avoids name resolution issues. If the target machines get their IP address using DHCP (for example, mobile users taking advantage of disconnected machine support) you will probably want to use Hostname to allow for possible IP address reassignments made by the DHCP server.
Leaf Agents can be installed using several different methods:
Using the Console, which calls an Agent-Installer GUI that is used to perform a remote or local install. (In a DMZ, you'll probably want to do local installs). Using the UpdateEXPERT GUI is the most common way to install Leaf-Agents.
Using the Command Line Agent Installer in your own batch file.
On the Master-Agent, using an MLF (Machine List File exported from UpdateEXPERT) and a VB script (example provided) to build a batch file that runs the Command-Line Agent Installer for multiple target machines. The Command-Line Agent Installer runs on the Master-Agent and pushes Leaf-Agents.
Using Active Directory Group Policies
Note that there are several ways you can determine if a Leaf-Agent is already installed on a system.
Install troubles are usually due to misunderstanding Leaf-Agent credentials, trying to remotely install to a hardened machine that won't allow the install, and using hostnames instead of IP addresses across a firewall. See the articles below:
A symptom of failed Leaf-Agent name resolution is that the local Leaf-Agent install succeeds, but the query later fails.
A symptom of bad Leaf-Agent credentials is that your machine query succeeds, but your remote Leaf-Agent install fails
The ability of Leaf-Agents to download their own patches, and reduce network I/O for tasks like querying and validation is supported by the fact that Leaf-Agents have their own local database.
Leaf-Agents are especially useful for patching machines in a DMZ environment because the Leaf-Agents can communicate with the Master Agent over a single administrator specified TCP port number, thus not requiring Microsoft networking ports & services, and uses encrypted communications, making it ideal for secure environments.
It is recommended that Master/Leaf communications be bidirectional over the configured port. However, it is possible to utilize one-way communications between Master & Leaf Agents, as long as you understand the limitations.
Operationally, for a DMZ, it may work best to open the port number on your firewall first (9968 by default), then do "local" Leaf Agent installs on each DMZ machine, identifying the Master Agent and Leaf Agent by IP address (to avoid reliance on name resolution assuming static IP addresses) during the Agent Installer dialogue.
At the end of each Leaf install, the Leaf registers with the Master Agent through the firewall port, which you opened already. As you complete Leaf installs, a "head" icon should appear on the enumerated Leaf in the Console interface. Here is a summary of the steps for performing a local Leaf-Agent install, or more detail if you prefer.
Once a Leaf is installed, Alternate Credentials can be set to make repeated queries and patch deployment easy. Here is a comparison of Agentless vs. Leaf-Agent credentials.
In addition to Leaf-Agents, there are other features that are security related.
When Leaf-Agents are deployed, they "belong" to a Master-Agent. If at a later point in time, you want to uninstall/re-install the Master-Agent, the existing Leaf-Agent connections will be lost unless you use AgentUtil.exe as a backup tool. This means you will be required to re-install the Leaf-Agents.
If you want to uninstall a Leaf-Agent, do so from the UpdateEXPERT GUI, which is recommended. It is possible, but not recommended unless necessary, to uninstall a Leaf-Agent from the command-line.
In UpdateEXPERT 6.3 or earlier, if Leaf-Agent machines are going to be removed from the network, uninstall Leaf-Agents first to remove them from the Master-Agent. If you do not do this, then you will have "orphaned" Leaf-Agents on the Master-Agent that will need to be removed.
