Prerequisites for IT Asset Management Inventory Beacons
To be used as an inventory beacon, a computer meets these requirements:
Access to the Internet
Access to the Internet is required, including security settings that allow trusted access to IT Asset Management (as described during set-up). If you have multiple inventory beacons, at least one must have Internet access to reach the central application server, and others may be linked as children, organized in a hierarchy.
LAN-Speed Access to Systems
LAN-speed access to the systems from which it will gather and deliver information is required. These may include:
|
•
|
Third-party inventory systems such as Microsoft Endpoint Configuration Manager (previously Microsoft SCCM), IBM ILMT, and others that have already collected inventory from multiple computers |
|
•
|
Particular systems or devices from which IT Asset Management is gathering additional information, such as Oracle databases, VMware vCenter and the like |
|
•
|
Individual computers from which the inventory beacon will gather inventory directly by remote execution or by delegating the inventory gathering to a dedicated inventory agent available through IT Asset Management. |
Supported Operating Systems
It is required that one of the following supported operating systems is installed:
|
•
|
Windows Server Core 2008 R2 SP1 x64 |
|
•
|
Windows Server 2008 R2 SP1 x64 |
|
•
|
Windows Server Core 2008 SP2 |
|
•
|
Windows Server Core 2008 SP2 x64 |
|
•
|
Windows Server 2008 SP2 |
|
•
|
Windows Server 2008 SP2 x64 |
Prerequisite Software
The following prerequisite software is also installed (most of the following are installed by default with the operating systems listed above, and so will be present unless particular action has been taken to remove them):
PowerShell
PowerShell 5.1 or later
Browser
A supported web browser, such as Microsoft Internet Explorer 8 (or later)
IIS
IIS 7.0 (or later), with ASP.NET 4.5 (or later) installed (.NET v 4.6.2 or later is recommended)
Tip:If you are collecting inventory for Microsoft Office 365, the minimum requirement is .NET 4.5.2.
Note:If it is not possible to run IIS on the inventory beacon server, the FlexNet Beacon software offers a limited, self-hosted web service. This is sufficient for inventory gathering, but it does not support any authentication, nor HTTPS, nor access to SAP. This will only be suitable for those whose requirements are met by anonymous access over HTTP. For a list of the differences between IIS and the self-hosted web server, see Configuring Inventory Collection.
.NET
The security protocol for .NET must be appropriately configured, depending on the purpose of each inventory beacon:
|
•
|
For an inventory beacon connecting to an Oracle VM Manager release earlier than 3.4, enable TLS 1.0 only. Earlier versions of Oracle VM Manager have a TLS version intolerance defect that may cause inventory upload to fail if later versions of TLS are available. Oracle VM Manager version 3.4 or later successfully supports TLS 1.1 and 1.2. |
Tip:Where an inventory beacon requires an early version of the TLS protocol, consider making it a child beacon entirely within the protection of your enterprise firewalls. It can communicate to a parent inventory beacon which has more mature protocol(s) and faces the central application server across the Internet.
|
•
|
If the inventory beacon runs the Business Adapter Studio, or runs imports through the Business Importer, the resulting uploads of business data use the default security protocol set in the operating system. Ensure that the default is appropriate for your implementation. |
|
•
|
Top-level inventory beacons (those facing a Flexera cloud instance of IT Asset Management) must enable TLS 1.2 and/or 1.3. |
Tip:For guidance on configuring TLS protocols on your inventory beacons, see Transport Layer Security (TLS) Configuration.
Business Adapter Requirements
If you plan to use a business adapter, driven by the Business Importer, to import xslx, xls, or csv files through this inventory beacon, you must ensure that the 32-bit version of the Microsoft ACE OLEDB 12.0 Provider is installed (check in Add/remove Programs). If required, you may obtain this provider at:
https://www.aspsnippets.com/Articles/Download-MicrosoftACEOLEDB120-provider-for-32bit-and-64bit.aspx
Be sure to select the 32-bit version.
Tip:This requirement applies only to imports through the Business Importer. While an inventory beacon may also be used to schedule imports of inventory captured in spreadsheets, this separate process uses the standard .NET driver and does not require any provider installation.
Oracle-Related Inventory Data Requirements
If you want this inventory beacon to gather Oracle-related inventory data, you must separately install the appropriate Oracle Provider for OLE DB driver. The inventory beacon requires that this is a 32-bit driver, and the driver must support the specific version of each database instance that this inventory beacon will access. Please read the supported platform details, and download the appropriate driver, from:
https://www.oracle.com/database/technologies/provider-ole-db.html
Note:If your Oracle estate includes different database versions so that you require more than one of the Oracle drivers, you must install each Oracle driver on a separate inventory beacon.
IBM License Metric Tool (ILMT) Requirements
If this inventory beacon will import inventory from IBM License Metric Tool (ILMT), a connection to the ILMT database is required. This database may be a Microsoft SQL database, or an IBM DB2 database. For DB2, an appropriate driver must be installed on the inventory beacon. Depending on your environment and requirements, either of the following is appropriate:
|
•
|
Microsoft OLE DB Provider for DB2 Version 2.0 or later. For example, you may already have version 3 of the Microsoft OLE DB Provider which is supplied as part of the Microsoft SQL Server 2008 RS Feature Pack, or you can download it at: |
https://www.microsoft.com/en-us/download/details.aspx?id=100917
Be aware that this driver may require that you license Microsoft SQL Server on the inventory beacon, so this option is useful only in particular circumstances.
|
•
|
The OLE DB driver in the IBM Data Server Driver Package, which you can find thus: |
|
b.
|
Scroll down the Support page that appears, to the Download fix pack images per operating system section. |
|
c.
|
As well as matching the operating system of your inventory beacon, be sure to match the platform: a 64-bit driver on a 64-bit platform, or a 32-bit driver on a 32-bit platform. Clicking the + above the appropriate headline expands additional links for that operating system and platform. |
Note:Integration with ILMT normally requires that you hold a commercial (paid) license for the underlying DB2 database. Your license from IBM has to be sufficient to allow third-party access to the database. Suitable examples include DB2 Workgroup Server Edition, or (for advanced features of DB2) DB2 Enterprise Server Edition, or Advanced Enterprise Server Edition. The free, bundled DB2 license for ILMT does not include these third-party access rights.
IIS Role Requirements
When you are using IIS as your web service on the inventory beacon, ensure that the following IIS roles/services are configured. You may access these settings on a Windows Server OS as follows:
To configure IIS roles/services:
|
1.
|
From the Control Panel for Administrative Tools, run the Server Manager. |
|
2.
|
From the Dashboard, select Add roles and features. |
|
3.
|
In the Add Roles and Features Wizard, select Server Roles. |
|
4.
|
Scroll through and expand the list of Roles as required to ensure that all of the following items are selected: |
|
•
|
Web Server > Application Development > .NET Extensibility 4.5 |
|
•
|
Web Server > Application Development > ASP.NET 4.5.+ |
|
•
|
Web Server > Application Development > ISAPI Extensions |
|
•
|
Web Server > Common HTTP Features > Directory Browsing |
|
•
|
Web Server > Common HTTP Features > HTTP Errors |
|
•
|
Web Server > Common HTTP Features > Static Content |
|
•
|
Web Server > Health and Diagnostics > HTTP Logging |
|
•
|
Web Server > Performance > Dynamic Content Compression |
|
•
|
Web Server > Performance > Static Content Compression |
|
•
|
Web Server > Security > Basic Authentication |
|
•
|
Web Server > Security > Windows Authentication. |
Tip:If you choose to also enable Web Server > Security > Request Filtering, ensure that you do not filter out any file extensions that the Inventory Agent expects to download, such as .osd, .npl, .nds, and .ini.
Administrator Privileges
Accessing the user interface for the inventory beacon requires an account with administrator privileges on the inventory beacon server.
Microsoft IIS Anonymous Authentication on Inventory Beacons
Wherever possible, Microsoft IIS on inventory beacons should be configured for anonymous authentication, so that Inventory Agents installed on other target devices can freely access the web service on the inventory beacon. This is because of the following logic:
|
•
|
Each installed Inventory Agent initiates all communications with inventory beacons, for both uploads and downloads. |
|
•
|
For each set of communications, the Inventory Agent chooses its currently-preferred inventory beacon from a list of available ones that is downloaded as part of its policy (this list is often called the "failover list"). The failover list is prepared on demand by each inventory beacon from a main, primary list that is downloaded regularly from the central application server to all inventory beacons. |
|
•
|
So that no credentials are distributed in the failover list, it includes only those inventory beacons that are configured for anonymous authentication. It is therefore important that several inventory beacons are configured for anonymous authentication. |
|
•
|
Although some configuration is possible, it is not possible to prevent the Inventory Agent choosing the most responsive inventory beacon from its target set. Nor should you want to, since this behavior provides a degree of load balancing across the system, as well as protection against temporary unavailability of a particular inventory beacon. |
Tip:It is possible to configure each Inventory Agent, on installation, to have one set of credentials for its bootstrap inventory beacon (the one it contacts first after installation). The algorithm used for selection of an inventory beacon may also bias the Inventory Agent towards reuse of its bootstrap inventory beacon for future communications, as long as that one remains responsive. However, it is neither possible nor desirable to permanently 'bind' an instance of the Inventory Agent to a specific inventory beacon. After the initial download of its policy, the Inventory Agent freely selects an inventory beacon for each subsequent communication.
As a follow-on, the fact that an installed Inventory Agent may hold the credentials for one inventory beacon that uses Basic Authentication creates a single exception to the general rule that the failover list contains only inventory beacons configured for anonymous authentication. Given that each inventory beacon prepares a failover list on demand to meet each received policy request, a secured inventory beacon inserts itself in the requested failover list, since it is clear that the installed Inventory Agent already possesses the credentials needed to access this secured inventory beacon (because it just requested policy from here). In contrast, the failover lists prepared by any other inventory beacons to satisfy requests from other installed instances of Inventory Agent do not include the secured inventory beacon, since it is not clear that those other instances of Inventory Agent already hold the necessary credentials.
There is a further implication here: if some installed Inventory Agents have been preferring a secured inventory beacon to which they hold the credentials (because this was their bootstrap inventory beacon), and as part of later security maintenance, you change the password on that secured inventory beacon (but forget to run around and update all those target devices), future requests and uploads to the ex-bootstrap inventory beacon now fail because of the outdated credentials held on the target inventory devices. This is another scenario where it is crucial to have other inventory beacons configured for anonymous authentication in the failover list. Without these, the installed Inventory Agents may become 'orphaned' and unable to upload any inventory, update policy, or self-update for new versions.
In general, the preferred first step to increase the security of inventory beacons is to configure them for access using the HTTPS protocol. Adding Basic Authentication should be reserved for configurations where it is considered critical.