Configuring Control Compliance Suite (CCS) Bv-Control for Windows to work across firewalls

Article:TECH114032  |  Created: 2008-01-25  |  Updated: 2011-10-07  |  Article URL http://www.symantec.com/docs/TECH114032
Article Type
Technical Solution

Issue

How do you query computers that are located in a demilitarized zone (DMZ)?

Solution



PREREQUISITE CHECKLIST

  • A functioning Enterprise Configuration Service (ECS) is required for any query engine installation.
  • A Master Query Engine (MQE) must be installed in each reporting domain or workgroup.
  • A dedicated service account with administrative rights is needed to query domains or workgroups. To query domain computers, the account must be a member of the Domain Admins group; to query workgroup computers, it must be a member of the local Administrators group.
  • A high-numbered TCP port must be reserved for communication between the query engines across the firewall. Port 5525 is used in this scenario.
  • If you intend to use the Bv-config utility to manage your Master Query Engine remotely across the firewall, you must also open the NetBIOS ports 135-139 through the firewall. Alternatively, every MQE has the Bv-config utility installed locally by default and it can be used instead, but that requires direct access to the MQE computer.
  • The high-numbered TCP port must be configured to allow bidirectional communication between the ECS and the MQE. If you have decided to run the Bv-config utility remotely, the NetBIOS ports must also be opened bidirectionally between the computer where Bv-config is run and the MQE. Consult your firewall administrators to put these rules in place. Firewall administrators can use the telnet command to test the rules between the computers; the syntax is telnet {target_IP} {TCP_Port_Num}.


INSTALL THE QUERY ENGINE(S)

  1. On the computer hosting the ECS, run regedit and set the following value to the specified port (5525 in this scenario): HKLM\Software\Bindview\Enterprise Configuration Service\ECSRPCServer\ProtocolSequences\ncacn_ip_tcp\Endpoint
  2. On the computer hosting the ECS, right-click My Computer and select Manage. Click Services on the left, then restart the ECS service on the right.
  3. Copy the QE installation files to the target computer in the DMZ. Double-click Setup.exe on the target computer to start the installation.
    • NOTE: The QE installation files are located in the installation set under CCS_Data Collection\Support_Installs\bv_Control_for_Windows\QE.
  4. The QE installation wizard guides you through the install process. When you are prompted that the ECS computer cannot be contacted, click OK, then type the name or IP address of the ECS. Continue with the installation, making sure to clear the Use defaults check box; instead, click Next and enter the specified port, 5525, for communication with the ECS.
  5. Enter the service account name and password to be used for the QE service. Refer to the prerequisite checklist for additional information.
  6. When you are prompted, set the network caching options and specify port 5525 again for communication.
  7. Enter the destination installation directory, then click Next.
  8. Review the summary information that is provided and conclude the setup. Click Finish.



CONFIGURE THE CONNECTION DATABASE
 

  1. Launch the CCS Data Collection console.
  2. In the left column, click bv-Control for Windows > Configuration.
  3. Modify the default Connection Database.
  4. Highlight the new MQE(s) at the bottom, then click Add. Verify that the status is "Connected".
  5. Click Save and exit.


ADDITIONAL NOTES

If the DMZ environment is composed only of Workgroup computers, there are two options for reporting:
 

  • An MQE must be installed on each workgroup computer -OR-
  • A scope file needs to be created to query the computers that do not have an MQE installed.



Testing bi-directional port communications

1. On the RMS/ECS console:
Start - Run - cmd (to open a command window)
Enter the following syntax:
telnet ipaddress port (use the IP address of the MQE experiencing issues)
If a blank screen appears with no errors, a telnet session has been established.

Note: report any errors to the network administrator to resolve the issue.

2. Log on to the MQE console experiencing issues:

Start - Run - cmd (to open a command window)
Enter the following syntax:
telnet ipaddress port (use the IP address of the RMS and/or ECS experiencing issues)
If a blank screen appears with no errors, a telnet session has been established.

Note: report any errors to the network administrator to resolve the issue.
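The two telnet checks above, and the firewall-rule test from the prerequisite checklist, can be scripted so that a connection the firewall drops is told apart from one the host refuses. This is an added example, not part of the Symantec article: a Python checker for TCP 5525 and, optionally, the NetBIOS range 135-139; the address 192.0.2.10 and the local listener are placeholders constructed for illustration.

```python
import socket

# Ports the prerequisite checklist says must pass the firewall: the reserved
# QE/ECS port, plus the NetBIOS range only when Bv-config is run remotely.
QE_PORT = 5525
NETBIOS_PORTS = range(135, 140)


def probe(host, port, timeout=3.0):
    """One TCP connect attempt, classified the way the telnet test is read.

    'open'     handshake completed (telnet shows a blank screen)
    'refused'  host answered with RST: the path is open, nothing is listening
    'filtered' no reply before the timeout: typically a firewall dropping it
    'error'    name resolution or other socket failure
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"
    finally:
        s.close()


def check_rules(host, remote_bvconfig=False, timeout=3.0):
    """Probe every port this article needs, from the side the script runs on."""
    ports = [QE_PORT] + (list(NETBIOS_PORTS) if remote_bvconfig else [])
    return {p: probe(host, p, timeout) for p in ports}


def start_listener(host="127.0.0.1", port=0):
    """Constructed stand-in for the ECS/MQE service: the kernel completes the
    handshake from the listen backlog, so no accept loop is needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    # 192.0.2.10 is a placeholder MQE address; substitute the real one.
    for port, state in check_rules("192.0.2.10", remote_bvconfig=True).items():
        print(f"tcp/{port}: {state}")
```

Run it once from the ECS side against the MQE and once from the MQE against the ECS to cover both directions; "filtered" points at a missing or dropping firewall rule, "refused" at a service that is not listening on that port.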



For more information about workgroups, see "How to query workgroup computers" at http://www.symantec.com/docs/TECH113909

For more information about configuring CCS for Windows, see "How to configure Control Compliance Suite for Windows" at http://www.symantec.com/docs/TECH114026


Legacy ID

2008012511343053