Configuration for Batch Processing

FlexNet Manager Suite 2023 R2 (On-Premises)

Single or multiple servers (and network share)

The batch scheduler service and the batch processor service are implemented on a single server, known as the batch server. (When the implementation is quite small, the batch server may also be combined with the inventory server, and potentially also the web application server; but for the moment, our focus is on batch processing.)

Communications between the batch processor service and the batch scheduler service are local to the batch server, and the staging folder for data incoming from inventory beacons is on the same server. The default location is %ProgramData%\Flexera Software\Beacon\IntermediateData. This default is formed by appending IntermediateData to the value of the base directory saved in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ManageSoft Corp\ManageSoft\Beacon\CurrentVersion\BaseDirectory. This base location is also used by other processes, and should be changed only with care.

Tip: A second folder, a network share, is used for handing off files uploaded through the web interface (such as inventory spreadsheet imports) for processing by the batch server. For this share, the default path is %ProgramData%\FlexNet Manager Platform\DataImport, and the path is saved in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ManageSoft Corp\ManageSoft\Compliance\CurrentVersion\DataImportDirectory. There is also a parallel folder for data export. For implementations that separate the web application server from the batch server, these shares must also be configured and accessible from both servers.

Installation and upgrade

The messaging that drives the batch scheduling and batch processing is implemented using Microsoft Message Queuing (MSMQ). In a multi-server implementation, MSMQ must be enabled on all servers. The MSMQ priority queues exist only on the batch server. For that reason, where other servers are separate, they must know the fully-qualified domain name of the batch server so that they can access the queues. (Where there is only a single, combined application server, localhost may be used in place of the fully-qualified domain name of the server.)

These details of configuration are normally set up by PowerShell scripts during installation or upgrade of FlexNet Manager Suite. If at any stage there are new features installed, the PowerShell scripts should be re-run to update the configuration.
Tip: The name of the batch server is saved in the ComplianceSetting table of the compliance database, as BatchSchedulerHostName.

Authentication and authorization

The batch scheduler and processor services must be executed using a valid account in Active Directory. During installation, through the PowerShell scripts, this same account is made a member of the Operator role (given full operator access to the system data). In a multi-server implementation, it is normal that the same service account runs on all the central servers, simplifying your administration of the message queues in MSMQ.

Authentication between the web application server and the batch server, or between any inventory beacon and the batch server, is handled using Windows authentication managed by MSMQ.

On the batch server (or, in a single server implementation, the application server), the account that runs the batch processor service was set up during implementation (the suggested value was svc-flexnet). This account must have inheritable permission to read the %ProgramData%\FlexNet Manager Platform\DataImport folder and all its sub-folders. (This is the default path: you can confirm the setting for your server by checking the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ManageSoft Corp\ManageSoft\Compliance\CurrentVersion\DataImportDirectory.) Typically these permissions are controlled through Active Directory group memberships, and you can check the permissions like this:
  1. In Windows Explorer, right-click on the DataImport folder, and select Properties from the context menu.
  2. In the DataImport Properties dialog, select the Security tab, and then click Advanced.
  3. In the Advanced Security Settings for DataImport dialog, select the Effective Permissions tab.
  4. Next to the Group or user name field, click Select....
  5. In the Select User, Computer, Service Account, or Group dialog, click Object Types..., ensure that Service Account is selected, and click OK.
  6. In the Enter the object name to select field, enter the name of the account running the batch processor service (the name proposed during implementation was svc-flexnet). You can click Check Names to ensure that the account name is valid and recognized. Then click OK to return to the previous dialog, and display the permissions for this service account on the folder. (Since the service account is the same user context as runs the compliance readers or the Business Importer, the necessary rights are more extensive that required just for messaging.) As a minimum, the following permissions are required:
    • List folder / read data
    • Create files / write data
    • Create folders / append data
    • Delete subfolders and files
    • Delete.
  7. These rights must be inheritable by any child objects (such as subfolders) that are created. In general, check the Permissions tab of the Advanced Security Settings for Folder name dialog. If it shows a checked (ticked) box for Include inheritable permissions from this object's parent, it typically also means that the inheritance property is also inherited. Otherwise, inheritance must be configured within Active Directory.
Tip: Microsoft IIS is configured by default not to use account impersonation. If IIS is reconfigured to use impersonation, MSMQ and folder permissions will need to be adjusted such that all system users have appropriate rights to the folders and the MSMQ incoming queue.

FlexNet Manager Suite (On-Premises)

2023 R2