InTrust 11.5.1 - Installing Agents Manually

Establishing a Connection with the Server

To establish a connection between an agent and an InTrust server, you should log on to the computer where the agent is installed using an administrative account (Microsoft Windows computers) or the root account (Unix computers) and run one of the following commands:

adcscm.nt_intel -add ServerName Port [password]

for Microsoft Windows computers

./adcscm -add ServerName Port [password]

for Unix computers
where:

  • ServerName specifies the InTrust Server to which you bind the agent. This can be the NetBIOS name, FQDN or IP address.
  • Port specifies the port on which the server listens for requests coming from the agent (the same listening port you specified for the InTrust server during setup); the default port number is 900.
  • Password is the password for initial agent-server authentication; it is required if the Use authentication option is enabled on the InTrust server (see Setting Up Authentication). By default this password is the same as the organization password supplied during InTrust Server installation (you can change the agent installation password in InTrust server properties). If you want to use an empty password, supply empty quotation marks (""). If authentication is disabled on the InTrust server, do not specify any password.

To disconnect the agent from the InTrust server, on the target computer run:

adcscm.nt_intel -remove ServerName Port

for Microsoft Windows computers

./adcscm -remove ServerName Port

for Unix computers

Finding Out the Servers that an Agent Responds to

To find out which InTrust server or servers an agent responds to, log on to the computer where the agent is installed using an administrative account (Microsoft Windows computers) or the root account (Unix computers) and run one of the following commands:

adcscm.nt_intel -list

for Microsoft Windows computers

./adcscm -list

for Unix computers

The output should look similar to the following:

Name: 10.30.39.254
Port: 900
Name: s8050-w2k3.testorg.local
Port: 900
Name: gz.testorg.local
Port: 900
Name: 10.30.46.108
Port: 900

on Microsoft Windows computers

Name: 10.30.37.49
Port: 900
Name: 10.30.37.128
Port: 900

on Unix computers
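
One way to audit the bindings that -list reports, as an added example that is not part of the InTrust documentation or product: the script parses the Name/Port output and prints every server:port pair missing from an allow-list. The allow-list file format and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not vendor code: flag agent bindings missing from an allow-list.
# Normalise "Name: X" / "Port: N" pairs (blank lines between are ignored) to "x:N".
parse_bindings() {
    awk '
        { sub(/[ \t\r]+$/, "") }    # drop trailing blanks and CR
        /^[ \t]*Name:/ { sub(/^[ \t]*Name:[ \t]*/, ""); name = $0; next }
        /^[ \t]*Port:/ {
            sub(/^[ \t]*Port:[ \t]*/, "")
            if (name != "") print tolower(name) ":" $0
            name = ""
        }'
}
# Usage: ./adcscm -list | unexpected_bindings ALLOWLIST
# ALLOWLIST (assumed format): one "server:port" per line, "#" starts a comment.
# A missing or empty allow-list flags every binding (fail closed).
unexpected_bindings() {
    parse_bindings | awk -v allow="$1" '
        BEGIN {
            while ((getline line < allow) > 0) {
                sub(/[ \t]*#.*/, "", line)
                gsub(/^[ \t]+|[ \t\r]+$/, "", line)
                if (line != "") ok[tolower(line)] = 1
            }
        }
        !($0 in ok)'
}

# Sample input: the Windows -list output shown on this page.
sample_list_output() {
    cat <<'EOF'
Name: 10.30.39.254
Port: 900

Name: s8050-w2k3.testorg.local
Port: 900
Name: gz.testorg.local
Port: 900
Name: 10.30.46.108
Port: 900
EOF
}

# Constructed allow-list: three of the four servers are expected.
allow_file=$(mktemp)
printf '%s\n' '10.30.39.254:900' 'S8050-W2K3.testorg.local:900  # mixed case' \
    '10.30.46.108:900' > "$allow_file"
sample_list_output | unexpected_bindings "$allow_file"   # prints gz.testorg.local:900
rm -f "$allow_file"
```

A binding that is confirmed as unwanted can be dropped with the -remove command described earlier on this page.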

Setting Up Authentication

The authentication process is two-sided (both server-side and agent-side) and based on the Diffie-Hellman (DH) protocol. In addition to authenticating clients to the server securely, the DH exchange produces a cryptographically strong symmetric key as a byproduct of successful authentication, which enables the two parties to communicate steadily. After initial authentication succeeds, the authentication password is automatically changed every week to secure communication between the server and agents. The symmetric key is changed every hour.

For manually installed agents, you first have to specify the password on the server. By default, this is the organization password you specified during setup. The authentication mechanism uses this password only when establishing a connection for the first time; after that, the password is changed regularly.

If you want to use a password other than the default, take the following steps:

  1. In Quest InTrust Manager | Configuration | Servers, right-click the server name and select Properties.
  2. On the Agent tab, select Use authentication and supply a new password for initial authentication.
  3. Now provide this password to the agent. To do so, on the target computer, run:
    adcscm.nt_intel -add ServerName Port Password
    for Microsoft Windows computers
    ./adcscm -add ServerName Port Password
    for Unix computers
    Replace Password with the password that you specified in Step 2.

NOTE:

  • In 11.5, the server and agents were updated to use the DH algorithm for authentication. Consequently, if you add an 11.5 server to an existing organization whose agents and servers are version 11.4 or below, communication and authentication cannot succeed. It is recommended to uninstall all the old servers and agents and use 11.5 for successful authentication and communication between agents and servers.
  • As a workaround, agent-server communication and authentication can be disabled so that collection and communication between the agent and server can continue.
  • In 11.5, the first collection takes some time while the agent and server establish communication.

Setting Up Encryption

You can choose to encrypt data communicated between the agent and the server (encryption uses 3DES with a 168-bit key). By default, encryption is enabled.

To enable or disable encryption manually

  1. In Quest InTrust Manager | Configuration | Servers, right-click the server name and select Properties.
  2. On the Agent tab, select or clear the Use encryption check box.
  3. Click Apply and close the dialog box.