Large mission-critical infrastructures hosting a wide variety of applications require a significant number of eG Agents to be deployed and managed. Manual installation of eG agents can be a time-consuming and laborious activity in such environments. Apart from deployment, the eG agents sometimes need to be started, stopped or restarted on individual monitored servers and desktops. To simplify this administrative workload, the eG Remote Agent Controller (RAC) software can be used, mainly in Windows environments, to install or uninstall the eG Agent remotely and to control the eGurkhaAgent Windows service on monitored servers and desktops.
RAC software requirements:
o The primary requirement for RAC is all remote computers should be part of the customer networks.
o RAC should be installed on Windows 2008 or a later operating system. Once the software is installed, it should be launched with the “Run as administrator” option.
o In order to connect to all the Windows servers and desktops in a domain, we advise the user to logon to the machine where RAC software is installed with “Domain Administrator” privilege.
o RAC uses Windows hidden administrative shares “ADMIN$” and “IPC$” for remote machine administration.
o Under certain conditions, the above shares on remote computers cannot be connected to even with the right credentials. As described in MS KB article 951916, Microsoft introduced, as part of UAC, a little-known feature called “UAC remote restrictions”. It filters the access token for connections made with local user accounts or Microsoft accounts; in other words, it removes the SID for “Administrators” from the token. Connections made with domain accounts remain unchanged, so this only matters when RAC connects with a local account. Whether one likes this behaviour or not, the workaround is simple: UAC remote restrictions can be disabled by setting the registry value LocalAccountTokenFilterPolicy to 1. Note that this removes the protection against remote use of local administrator accounts, so apply it only on computers where it is actually needed.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value: LocalAccountTokenFilterPolicy
Data: 1 (disables filtering; 0, the default, enables filtering)
Type: REG_DWORD (32-bit)
After a reboot, access tokens from remote connections are no longer filtered. On Windows 8 the reboot is not required.
o Please turn on File and Print sharing under Control Panel->Network Connections on remote computers.
o Please check that File and Print sharing is enabled in the allowed programs list of Windows Firewall, of any other scanners / firewalls installed on the remote computers, and of other firewalls in the connectivity path.
o By default, Windows Firewall blocks Network discovery. Network discovery is a network setting that controls whether the RAC computer can see (find) other computers and devices on the network and whether other computers on the network can see the RAC computer. Go to Start > Control Panel > Network and Internet > Network and Sharing Center > Change advanced sharing settings. Alternatively, right-click the network icon at the bottom-right of the screen, click Open Network and Sharing Center, then click Change advanced sharing settings. There are three network profiles: Home or work, Public and Domain. To prevent people on other network computers from seeing your computer all the time, turn off the Network discovery service on all profiles. Click the small triangle next to the selected network profile to expand its options.
o Network discovery requires that the following services are started:
    o DNS Client
    o Function Discovery Resource Publication
    o Function Discovery Provider Host
    o SSDP Discovery
    o UPnP Device Host
    o Server
    o Workstation
    o Computer Browser
    o Registry
    o Link-Layer Topology Discovery Mapper
o Make sure the Windows Firewall exception for Network discovery is enabled, and that other firewalls in the connectivity path are not interfering with network discovery.
o Please open the following ports in all firewalls:
    o TCP 2869 (UPnP Device Host)
    o TCP 5357 (WSDAPI Events)
    o TCP 5358 (WSD Events Source)
    o TCP 445 (NetBIOS Helper)
    o UDP 5355 (LLMNR)
    o UDP 3702 (WSD publishing)
    o UDP 1900 (SSDP)
    o UDP 138 (NetBIOS Datagram)
    o UDP 137 (NetBIOS Name)
    o TCP 139 (Session Services)
Troubleshooting steps:
Domains are not discovered in RAC console
- Please make sure the RAC software is launched with the “Run as administrator” option.
- Please make sure the “Computer Browser” Windows service is running on all domain controllers.
- Please make sure the “Server” Windows service is running on all domain controllers.
- Please make sure the “Workstation” Windows service is running on all domain controllers.
- Please make sure the inbound rule for “Network Discovery” is enabled in Windows Firewall on the remote computers. See this link for enabling “Network Discovery” via GPO: http://www.technig.com/enable-network-discovery-via-group-policy/
- In the case of other firewalls in the connectivity path, you need to open the following ports to allow incoming network discovery traffic:
    - UDP 3702, 137, 138, 1900
    - TCP 5357, 5358, 445, 2869, 139
- Make sure the remote computers are visible (can be found) from the RAC network.
- Please note that backup domains are not discovered.
Remote computers are not discovered in specific domain
- Please make sure the RAC software is launched with the “Run as administrator” option.
- Please make sure the “Computer Browser” Windows service is running on the remote computers.
- Please make sure the “Server” Windows service is running on the remote computers.
- RAC has to connect to the target domain to discover its remote computers. Use the “Change Logon Account” option to supply the right credentials for connecting to the target domain.
- Please make sure the inbound rule for “Network Discovery” is enabled in Windows Firewall on the remote computers. See this link for enabling “Network Discovery” via GPO: http://www.technig.com/enable-network-discovery-via-group-policy/
- In the case of other firewalls in the connectivity path, you need to open the following ports to allow incoming network discovery traffic:
    - UDP 3702, 137, 138, 1900
    - TCP 5357, 5358, 445, 2869, 139
Unable to install / uninstall eG agents (Start / Stop eGurkhaAgent service)
- Please make sure the RAC software is launched with the “Run as administrator” option.
- Please make sure the “Computer Browser” Windows service is running on the remote computers.
- Please make sure the “Server” Windows service is running on the remote computers.
- RAC has to connect to the target domain to discover its remote computers. Use the “Change Logon Account” option to supply the right credentials for connecting to the target domain.
- In the case of other firewalls in the connectivity path, you need to open the following ports to allow incoming file and print sharing traffic:
    - UDP 3702, 137, 138, 1900
    - TCP 5357, 5358, 445, 2869, 139
- Make sure the appropriate folders exist in the RAC folder structure:
    - Windows 2008 R2 32-bit OS – <RACHome>\ Windows 2008
    - Windows 2008 R2 64-bit OS – <RACHome>\Windows_64 2008
    - Windows 2012 32-bit OS – <RACHome>\ Windows 2012
    - Windows 2012 64-bit OS – <RACHome>\Windows_64 2012
- Make sure the eG Agent software and the install and uninstall .iss files are available in the respective operating system folders shown above.
- If agent installation / uninstallation is not working, please make sure the remote computer's ADMIN$ share is accessible from the RAC machine. You can verify this with a simple test:
    - From Start->Run, type \\remotemachine\admin$.
    - You should see the folder structure of the remote machine. It should not prompt the user currently logged on to the RAC machine for any authentication.
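The following script is an added example, not part of the eG RAC software or its documentation. Run from an elevated Windows PowerShell 5.1 session on the RAC machine (Get-Service -ComputerName is not available in PowerShell 7), logged on with a domain account, it checks for each remote computer the TCP ports listed in the requirements, the services Network discovery depends on, the LocalAccountTokenFilterPolicy value, and whether ADMIN$ opens without a prompt. The computer names are constructed samples; the list of service short names assumes that “Registry” in the requirements means the Remote Registry service.

```powershell
# Added example (not eG's code). Assumes Windows PowerShell 5.1, elevated, domain account.
$computers = @('SERVER01', 'DESKTOP02')   # constructed sample names; replace with real hosts

$tcpPorts = 139, 445, 2869, 5357, 5358    # TCP ports from the RAC requirements list
# Short names of the services the requirements list (Registry assumed to be Remote Registry)
$services = 'Dnscache', 'FDResPub', 'fdPHost', 'SSDPSRV', 'upnphost',
            'LanmanServer', 'LanmanWorkstation', 'Browser', 'RemoteRegistry', 'lltdsvc'
$uacKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

foreach ($c in $computers) {
    Write-Host "== $c =="

    # UDP ports (137, 138, 1900, 3702, 5355) cannot be verified with a TCP connect
    # test, so only the TCP ports are probed here.
    foreach ($p in $tcpPorts) {
        $ok = (Test-NetConnection -ComputerName $c -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        Write-Host ("  TCP {0,-5} {1}" -f $p, $(if ($ok) { 'open' } else { 'BLOCKED' }))
    }

    # Service query goes over RPC/SMB (TCP 445), the same path RAC itself relies on.
    $svc = Get-Service -ComputerName $c -Name $services -ErrorAction SilentlyContinue
    if ($svc) {
        $svc | ForEach-Object { Write-Host ("  svc {0,-18} {1}" -f $_.Name, $_.Status) }
    } else {
        Write-Host '  services: cannot query (TCP 445 blocked, access denied, or Server service stopped)'
    }

    # UAC remote restrictions: read LocalAccountTokenFilterPolicy (needs Remote Registry on target).
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $c)
        $val  = $hklm.OpenSubKey($uacKey).GetValue('LocalAccountTokenFilterPolicy')
        $text = if ($null -eq $val) { 'not set (token filtering ON, default)' }
                elseif ($val -eq 1)  { '1 (token filtering OFF)' }
                else                 { "$val (token filtering ON)" }
        Write-Host "  LocalAccountTokenFilterPolicy = $text"
    } catch {
        Write-Host '  registry: cannot read remotely (Remote Registry service stopped or blocked)'
    }

    # Same check as typing \\remotemachine\admin$ in Start > Run.
    $share = "\\$c\ADMIN$"
    if (Test-Path -Path $share) {
        Write-Host "  $share reachable"
    } else {
        Write-Host "  $share NOT reachable (check File and Print sharing and UAC remote restrictions)"
    }
}
```

A BLOCKED port, a missing service, or an unreachable ADMIN$ in the output maps directly to the corresponding item in the troubleshooting lists above.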
If you join a session for RAC troubleshooting, please verify that the customer machines are visible from the MSP environment or from the RAC machine. You can try the following:
- Open Windows Explorer.
- Type “network” in the quick access search bar.
- You should see all the machines here, including the customer machines. This means the MSP can see all the customer machines from the MSP environment. If the customer machines are not listed, RAC cannot detect the customer domains and their machines, because those machines are not connected to or not accessible from the MSP environment.