How to manage and discover WFH endpoints?
The primary step in embracing work from home (WFH) is to identify all the endpoints used by employees for remote work. An unmanaged remote endpoint is the last thing an IT administrator wants: an unpatched system exposes your network to a wide range of cyberattacks and leaves users free to install malicious applications or uninstall business-critical ones.
Besides the local office, most enterprises will have one or more remote offices to manage as well. With the current WFH situation, it is important to make the Endpoint Central server and the distribution server accessible to all remote endpoints, wherever applicable.
Depending on the category you fall under, proceed with the steps provided in that particular category:
Note
- It is highly recommended to download our SGS component to prevent exposing the Endpoint Central server to the internet directly. Owing to the current WFH scenario, SGS will be free for the first 30 days and will be extended if required. Refer to our document for installation and configuration of SGS.
- If all your remote endpoints can access the network through VPN at all times, without encountering any technical hindrances, the communication with Endpoint Central server and distribution server will not be an issue.
- configureDCAgentServerCommunication script is available for Windows, macOS, and Linux.
1.1. LAN agents
The public IP address of SGS will be reachable from all remote endpoints, so the agents can communicate with the server seamlessly for hassle-free management. (Note: this public IP address of SGS is mapped to the private IP address of the Endpoint Central server.)
1.2. Remote office agents
If the remote office agents communicate with the Endpoint Central server directly, agent-server communication will not be an issue. However, if the agents communicate with the central server through a distribution server (DS), communication may be hindered because the DS will not be configured as an edge device (configuring the DS as an edge device is also not recommended).
- Export the branch office details by executing the query provided in the box.
- Navigate to the Reports tab > Query Reports from the left pane > New Query Report.
- Provide a report name. Copy and paste the query provided in the box.
- Click on Run Report to generate reports based on the executed query.
SELECT BranchOfficeDetails.BRANCH_OFFICE_ID,
       BranchOfficeDetails.BRANCH_OFFICE_NAME,
       BranchOfficeDetails.HAS_MASTERAGENT,
       Resource.RESOURCE_ID,
       Resource.NAME AS "DS Name",
       Resource.DOMAIN_NETBIOS_NAME,
       DisServerDetails.DS_IPADDRESS,
       DisServerDetails.DS_VERSION,
       DisServerDetails.DS_STATUS,
       DisServerDetails.LAST_CONTACT_TIME,
       DisServerDetails.DS_DNS_NAME,
       DisServerDetails.DS_PORT,
       DisServerDetails.DS_HTTPS_PORT
FROM BranchOfficeDetails
INNER JOIN DisServerDetails ON BranchOfficeDetails.BRANCH_OFFICE_ID = DisServerDetails.BRANCH_OFFICE_ID
INNER JOIN Resource ON DisServerDetails.RESOURCE_ID = Resource.RESOURCE_ID
- Navigate to Admin tab > Scope of Management under SoM settings > Remote Offices tab.
- Select a remote office > Actions > Modify.
- Change the communication type from Through Distribution Server to Direct Communication.
Note: By doing so, all the remote office endpoints will start contacting the Endpoint Central server directly instead of communicating through the DS. This will increase the load on the central server and cause bandwidth bottleneck issues. However, you can follow the guidance below to reduce bandwidth overload issues.
Best practices to break the bandwidth bottleneck
1.3. Roaming users
In order to avoid the exposure of Endpoint Central server to the internet directly, all the communication from the roaming agents to Endpoint Central server will be routed through the secure gateway server.
How to convert to Roaming agents?
After SGS is installed and configured, if the same public IP address as that of the Endpoint Central server is provided for SGS, there will be no issues in agent-server communication. However, if you choose to provide a different IP address, ensure that all the agents contact the Endpoint Central server to fetch the new IP address; until then, the Endpoint Central server should remain configured as the edge device. (Note: All active agents will contact the Endpoint Central server within the 90-minute refresh policy.)
How to configure secure gateway server?
2.1. LAN agents and roaming users
If the agents cannot contact the Endpoint Central server to fetch the IP address, here’s what you need to do:
Based on your operating system, download and execute the following script: [Important: In the downloaded script, replace the sample IP address with the new public IP address of SGS]
Windows
Linux
- Download configureDCAgentServerCommunication_linux.sh.
- Execute the commands given below:
chmod +x configureDCAgentServerCommunication_linux.sh
sudo ./configureDCAgentServerCommunication_linux.sh [sgs_fqdn/sgs_ip]
For example: sudo ./configureDCAgentServerCommunication_linux.sh joe.manageengine.com
Mac
2.2. Remote office agents
- Based on your operating system, download and execute the following script: [Important: In the downloaded script, replace the sample IP address with the new public IP address of SGS]
Windows
Linux
- Download configureDCAgentServerCommunication_linux.sh.
- Execute the commands given below:
chmod +x configureDCAgentServerCommunication_linux.sh
sudo ./configureDCAgentServerCommunication_linux.sh [sgs_fqdn/sgs_ip]
For example: sudo ./configureDCAgentServerCommunication_linux.sh joe.manageengine.com
Mac
If the remote office agents communicate with Endpoint Central directly, follow the steps mentioned below:
- Export the branch office details by executing the query provided in the box.
- Navigate to the Reports tab > Query Reports from the left pane > New Query Report.
- Provide a report name. Copy and paste the query provided in the box.
- Click on Run Report to generate reports based on the executed query.
SELECT BranchOfficeDetails.BRANCH_OFFICE_ID,
       BranchOfficeDetails.BRANCH_OFFICE_NAME,
       BranchOfficeDetails.HAS_MASTERAGENT,
       Resource.RESOURCE_ID,
       Resource.NAME AS "DS Name",
       Resource.DOMAIN_NETBIOS_NAME,
       DisServerDetails.DS_IPADDRESS,
       DisServerDetails.DS_VERSION,
       DisServerDetails.DS_STATUS,
       DisServerDetails.LAST_CONTACT_TIME,
       DisServerDetails.DS_DNS_NAME,
       DisServerDetails.DS_PORT,
       DisServerDetails.DS_HTTPS_PORT
FROM BranchOfficeDetails
INNER JOIN DisServerDetails ON BranchOfficeDetails.BRANCH_OFFICE_ID = DisServerDetails.BRANCH_OFFICE_ID
INNER JOIN Resource ON DisServerDetails.RESOURCE_ID = Resource.RESOURCE_ID
- Navigate to Admin tab > Scope of Management under SoM settings > Remote Offices tab.
- Select a remote office > Actions > Modify.
- Change the communication type from Through Distribution Server to Direct Communication.
Note: By doing so, all the remote office endpoints will start contacting the Endpoint Central server directly instead of communicating through the DS. This will increase the load on the central server and cause bandwidth bottleneck issues. However, you can follow the guidance below to reduce bandwidth overload issues.
Best practices to break the bandwidth bottleneck
Identify WFH endpoints
After ensuring that all your local office endpoints and remote office endpoints can contact Endpoint Central server, identify WFH endpoints for easier management.
With distribution server (DS)
Since it is not recommended to configure your distribution server as an edge device, the DS might not be reachable from all remote endpoints. Such endpoints can still contact the Endpoint Central server, but not the DS. So, by comparing when an endpoint last contacted the Endpoint Central server with when it last contacted the DS, you can identify the WFH endpoints.
- Execute the query provided in the box:
- Navigate to the Reports tab > Query Reports from the left pane > New Query Report.
- Provide a report name. Copy and paste the query provided in the box.
- Click on Run Report to generate reports based on the executed query.
SELECT Resource.RESOURCE_ID,
       Resource.NAME,
       Resource.DOMAIN_NETBIOS_NAME,
       BranchOfficeDetails.BRANCH_OFFICE_NAME
FROM ManagedComputer
INNER JOIN BranchMemberResourceRel ON ManagedComputer.RESOURCE_ID = BranchMemberResourceRel.RESOURCE_ID
INNER JOIN BranchOfficeDetails ON BranchMemberResourceRel.BRANCH_OFFICE_ID = BranchOfficeDetails.BRANCH_OFFICE_ID
INNER JOIN AgentContact ON ManagedComputer.RESOURCE_ID = AgentContact.RESOURCE_ID
INNER JOIN Resource ON ManagedComputer.RESOURCE_ID = Resource.RESOURCE_ID
WHERE BranchOfficeDetails.HAS_MASTERAGENT = 'true'
  AND AgentContact.LAST_DS_CONTACT_TIME < CurrentTime in millisecond - 172800000
  AND AgentContact.LAST_CONTACT_TIME > CurrentTime in millisecond - 86400000
- Important!
- AgentContact.LAST_DS_CONTACT_TIME is the last time DS was contacted by the endpoint.
- AgentContact.LAST_CONTACT_TIME is the last time Endpoint Central server was contacted by the endpoint.
- CurrentTime (in millisecond) should be fetched from this link. After fetching the current time, provide this in the query, in the place of 'CurrentTime in millisecond'. You'll have to replace it in two places in the query, before executing it.
- Depending on the communication interval that prevails in your network, choose AgentContact.LAST_DS_CONTACT_TIME and AgentContact.LAST_CONTACT_TIME accordingly. The necessary values can be obtained from the following:
- 24 hours: 86400000
- 2 days: 172800000
- 3 days: 259200000
- 4 days: 345600000
- 5 days: 432000000
- 6 days: 518400000
- 7 days: 604800000
For example, if you think an endpoint should have contacted DS within two days, and Endpoint Central server within a day, then the query should be as follows: AgentContact.LAST_DS_CONTACT_TIME< CurrentTime in millisecond - 172800000 and AgentContact.LAST_CONTACT_TIME >CurrentTime in millisecond - 86400000.
- From the results, you can compare when each endpoint last contacted the Endpoint Central server with when it last contacted the DS. If the endpoint's last contact with the Endpoint Central server is more recent than its last contact with the DS, it is a WFH endpoint.
For example, if an endpoint has last contacted DS two days earlier, but has contacted Endpoint Central server 24 hours earlier, this endpoint is a WFH endpoint.
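The selection rule above (stale DS contact, fresh Endpoint Central server contact, only for offices that have a DS), as an added Python example that is not part of the Endpoint Central documentation: it fills the two 'CurrentTime in millisecond' placeholders of the page's query from the system clock and applies the same predicate to constructed sample rows, so the thresholds can be checked before the report is run. The host names, timestamps and row layout are constructed; the table and column names are those of the page's query.

```python
from datetime import datetime, timezone

MS_PER_DAY = 86_400_000  # 24 hours in milliseconds; the page's value table is multiples of this

def window_ms(days: int) -> int:
    """Milliseconds in `days` days, e.g. window_ms(2) == 172800000 (the page's 2-day value)."""
    return days * MS_PER_DAY

def current_time_ms() -> int:
    """Epoch milliseconds: the value the page calls 'CurrentTime in millisecond'."""
    return int(datetime.now(timezone.utc).timestamp() * 1000)

def build_wfh_query(now_ms: int, ds_days: int = 2, server_days: int = 1) -> str:
    """The page's query with both 'CurrentTime in millisecond' placeholders filled in."""
    ds_cutoff = now_ms - window_ms(ds_days)          # DS contact older than this is stale
    server_cutoff = now_ms - window_ms(server_days)  # server contact newer than this is fresh
    return (
        "SELECT Resource.RESOURCE_ID, Resource.NAME, Resource.DOMAIN_NETBIOS_NAME, "
        "BranchOfficeDetails.BRANCH_OFFICE_NAME FROM ManagedComputer "
        "INNER JOIN BranchMemberResourceRel ON ManagedComputer.RESOURCE_ID = BranchMemberResourceRel.RESOURCE_ID "
        "INNER JOIN BranchOfficeDetails ON BranchMemberResourceRel.BRANCH_OFFICE_ID = BranchOfficeDetails.BRANCH_OFFICE_ID "
        "INNER JOIN AgentContact ON ManagedComputer.RESOURCE_ID = AgentContact.RESOURCE_ID "
        "INNER JOIN Resource ON ManagedComputer.RESOURCE_ID = Resource.RESOURCE_ID "
        "WHERE BranchOfficeDetails.HAS_MASTERAGENT = 'true' "
        f"AND AgentContact.LAST_DS_CONTACT_TIME < {ds_cutoff} "
        f"AND AgentContact.LAST_CONTACT_TIME > {server_cutoff}"
    )

def is_wfh(row: dict, now_ms: int, ds_days: int = 2, server_days: int = 1) -> bool:
    """Same predicate as the WHERE clause: office has a DS, DS contact stale, server contact fresh."""
    if row["HAS_MASTERAGENT"] != "true":  # office without a DS: its DS timestamps say nothing
        return False
    ds_stale = row["LAST_DS_CONTACT_TIME"] < now_ms - window_ms(ds_days)
    server_fresh = row["LAST_CONTACT_TIME"] > now_ms - window_ms(server_days)
    return ds_stale and server_fresh

def find_wfh(rows: list, now_ms: int, ds_days: int = 2, server_days: int = 1) -> list:
    return [r["NAME"] for r in rows if is_wfh(r, now_ms, ds_days, server_days)]

# Constructed sample data: a fixed "now" and four hypothetical AgentContact-style rows.
NOW_MS = 1_700_000_000_000
H = 3_600_000  # one hour in milliseconds
SAMPLE_ROWS = [
    {"NAME": "WS-HOME-01", "HAS_MASTERAGENT": "true", "LAST_DS_CONTACT_TIME": NOW_MS - 72 * H, "LAST_CONTACT_TIME": NOW_MS - 2 * H},  # stale DS, fresh server: WFH
    {"NAME": "WS-OFFICE-02", "HAS_MASTERAGENT": "true", "LAST_DS_CONTACT_TIME": NOW_MS - H, "LAST_CONTACT_TIME": NOW_MS - H},  # both fresh: in the office
    {"NAME": "WS-OFF-03", "HAS_MASTERAGENT": "true", "LAST_DS_CONTACT_TIME": NOW_MS - 72 * H, "LAST_CONTACT_TIME": NOW_MS - 72 * H},  # both stale: powered off, not WFH
    {"NAME": "WS-DIRECT-04", "HAS_MASTERAGENT": "false", "LAST_DS_CONTACT_TIME": 0, "LAST_CONTACT_TIME": NOW_MS - 2 * H},  # no DS in this office: excluded
]
# find_wfh(SAMPLE_ROWS, NOW_MS) -> ['WS-HOME-01']
```

Widening the server window (for example, server_days=4) makes the powered-off host WS-OFF-03 match as well, which is why the page pairs a long DS window with a short server window.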
Without DS/Direct communication
If the endpoints communicate with the Endpoint Central server directly, a custom script needs to be executed to find out whether the remote endpoint communicated with the public IP address of Endpoint Central or with the private IP address. An endpoint that communicated with the public IP address of Endpoint Central is a WFH endpoint.
- Create a custom script configuration in Endpoint Central, using any one of the following scripts. Based on your operating system, download and execute the corresponding script.
Windows
Linux
- Download configureDCAgentServerCommunication_linux.sh.
- Execute the commands given below:
chmod +x configureDCAgentServerCommunication_linux.sh
sudo ./configureDCAgentServerCommunication_linux.sh [sgs_fqdn/sgs_ip]
For example: sudo ./configureDCAgentServerCommunication_linux.sh joe.manageengine.com
Mac
- While defining this configuration, pass the argument as the IP address of SGS or public IP address of Endpoint Central server.
- Upon successful execution of this script, execute the query provided in the box.
- Navigate to the Reports tab > Query Reports from the left pane > New Query Report.
- Provide a report name. Copy and paste the query provided in the box.
- Click on Run Report to generate reports based on the executed query.
SELECT Resource.NAME AS COMPUTER_NAME,
       Resource.DOMAIN_NETBIOS_NAME AS DOMAIN_NAME,
       CASE WHEN CollnToResources.remarks_en LIKE '%True%' THEN 'True' ELSE 'False' END AS WFH_Status
FROM Collection
INNER JOIN CollnToResources ON Collection.COLLECTION_ID = CollnToResources.COLLECTION_ID
INNER JOIN Resource ON CollnToResources.RESOURCE_ID = Resource.RESOURCE_ID
WHERE Collection.COLLECTION_NAME = 'configName'
Note: In the place of “configName”, provide the name of the custom script configuration that was created.